7 #ifndef SECP256K1_ECMULT_IMPL_H 8 #define SECP256K1_ECMULT_IMPL_H 16 #if defined(EXHAUSTIVE_TEST_ORDER) 20 # if EXHAUSTIVE_TEST_ORDER > 128 23 # elif EXHAUSTIVE_TEST_ORDER > 8 35 #ifdef USE_ENDOMORPHISM 45 #define ECMULT_TABLE_SIZE(w) (1 << ((w)-2)) 59 secp256k1_gej_double_var(&d, a, NULL);
69 secp256k1_ge_set_gej_zinv(&a_ge, a, &d.
z);
76 for (i = 1; i < n; i++) {
77 secp256k1_gej_add_ge_var(&prej[i], &prej[i-1], &d_ge, &zr[i]);
84 secp256k1_fe_mul(&prej[n-1].z, &prej[n-1].z, &d.
z);
119 secp256k1_ecmult_odd_multiples_table(n, prej, zr, a);
121 secp256k1_ge_set_table_gej_var(prea, prej, zr, n);
123 for (i = 0; i < n; i++) {
124 secp256k1_ge_to_storage(&pre[i], &prea[i]);
134 #define ECMULT_TABLE_GET_GE(r,pre,n,w) do { \ 135 VERIFY_CHECK(((n) & 1) == 1); \ 136 VERIFY_CHECK((n) >= -((1 << ((w)-1)) - 1)); \ 137 VERIFY_CHECK((n) <= ((1 << ((w)-1)) - 1)); \ 139 *(r) = (pre)[((n)-1)/2]; \ 141 secp256k1_ge_neg((r), &(pre)[(-(n)-1)/2]); \ 145 #define ECMULT_TABLE_GET_GE_STORAGE(r,pre,n,w) do { \ 146 VERIFY_CHECK(((n) & 1) == 1); \ 147 VERIFY_CHECK((n) >= -((1 << ((w)-1)) - 1)); \ 148 VERIFY_CHECK((n) <= ((1 << ((w)-1)) - 1)); \ 150 secp256k1_ge_from_storage((r), &(pre)[((n)-1)/2]); \ 152 secp256k1_ge_from_storage((r), &(pre)[(-(n)-1)/2]); \ 153 secp256k1_ge_neg((r), (r)); \ 159 #ifdef USE_ENDOMORPHISM 160 ctx->pre_g_128 = NULL;
167 if (ctx->
pre_g != NULL) {
172 secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
179 #ifdef USE_ENDOMORPHISM 188 for (i = 0; i < 128; i++) {
189 secp256k1_gej_double_var(&g_128j, &g_128j, NULL);
198 if (src->
pre_g == NULL) {
205 #ifdef USE_ENDOMORPHISM 206 if (src->pre_g_128 == NULL) {
207 dst->pre_g_128 = NULL;
211 memcpy(dst->pre_g_128, src->pre_g_128, size);
217 return ctx->
pre_g != NULL;
222 #ifdef USE_ENDOMORPHISM 223 free(ctx->pre_g_128);
225 secp256k1_ecmult_context_init(ctx);
235 static int secp256k1_ecmult_wnaf(
int *wnaf,
int len,
const secp256k1_scalar *a,
int w) {
237 int last_set_bit = -1;
247 memset(wnaf, 0, len *
sizeof(wnaf[0]));
249 if (secp256k1_scalar_get_bits(&s, 255, 1)) {
250 secp256k1_scalar_negate(&s, &s);
257 if (secp256k1_scalar_get_bits(&s, bit, 1) == (
unsigned int)carry) {
263 if (now > len - bit) {
267 word = secp256k1_scalar_get_bits_var(&s, bit, now) + carry;
269 carry = (word >> (w-1)) & 1;
272 wnaf[bit] = sign * word;
280 CHECK(secp256k1_scalar_get_bits(&s, bit++, 1) == 0);
283 return last_set_bit + 1;
290 #ifdef USE_ENDOMORPHISM 296 int wnaf_na_lam[130];
301 int wnaf_ng_128[129];
312 #ifdef USE_ENDOMORPHISM 314 secp256k1_scalar_split_lambda(&na_1, &na_lam, na);
317 bits_na_1 = secp256k1_ecmult_wnaf(wnaf_na_1, 130, &na_1,
WINDOW_A);
318 bits_na_lam = secp256k1_ecmult_wnaf(wnaf_na_lam, 130, &na_lam,
WINDOW_A);
322 if (bits_na_lam > bits) {
327 bits_na = secp256k1_ecmult_wnaf(wnaf_na, 256, na,
WINDOW_A);
341 secp256k1_ecmult_odd_multiples_table_globalz_windowa(pre_a, &Z, a);
343 #ifdef USE_ENDOMORPHISM 345 secp256k1_ge_mul_lambda(&pre_a_lam[i], &pre_a[i]);
349 secp256k1_scalar_split_128(&ng_1, &ng_128, ng);
352 bits_ng_1 = secp256k1_ecmult_wnaf(wnaf_ng_1, 129, &ng_1,
WINDOW_G);
353 bits_ng_128 = secp256k1_ecmult_wnaf(wnaf_ng_128, 129, &ng_128,
WINDOW_G);
354 if (bits_ng_1 > bits) {
357 if (bits_ng_128 > bits) {
361 bits_ng = secp256k1_ecmult_wnaf(wnaf_ng, 256, ng,
WINDOW_G);
362 if (bits_ng > bits) {
367 secp256k1_gej_set_infinity(r);
369 for (i = bits - 1; i >= 0; i--) {
371 secp256k1_gej_double_var(r, r, NULL);
372 #ifdef USE_ENDOMORPHISM 373 if (i < bits_na_1 && (n = wnaf_na_1[i])) {
375 secp256k1_gej_add_ge_var(r, r, &tmpa, NULL);
377 if (i < bits_na_lam && (n = wnaf_na_lam[i])) {
379 secp256k1_gej_add_ge_var(r, r, &tmpa, NULL);
381 if (i < bits_ng_1 && (n = wnaf_ng_1[i])) {
383 secp256k1_gej_add_zinv_var(r, r, &tmpa, &Z);
385 if (i < bits_ng_128 && (n = wnaf_ng_128[i])) {
387 secp256k1_gej_add_zinv_var(r, r, &tmpa, &Z);
390 if (i < bits_na && (n = wnaf_na[i])) {
392 secp256k1_gej_add_ge_var(r, r, &tmpa, NULL);
394 if (i < bits_ng && (n = wnaf_ng[i])) {
396 secp256k1_gej_add_zinv_var(r, r, &tmpa, &Z);
402 secp256k1_fe_mul(&r->
z, &r->
z, &Z);
#define VERIFY_CHECK(cond)
#define ECMULT_TABLE_GET_GE_STORAGE(r, pre, n, w)
#define ECMULT_TABLE_SIZE(w)
The number of entries a table with precomputed multiples needs to have.
A group element of the secp256k1 curve, in jacobian coordinates.
#define WINDOW_G
larger numbers may result in slightly better performance, at the cost of exponentially larger precomp...
A group element of the secp256k1 curve, in affine coordinates.
A scalar modulo the group order of the secp256k1 curve.
#define ECMULT_TABLE_GET_GE(r, pre, n, w)
The following two macro retrieves a particular odd multiple from a table of precomputed multiples...
void * memcpy(void *a, const void *b, size_t c)
secp256k1_ge_storage(* pre_g)[]