/root/bitcoin/src/secp256k1/src/field.h
Line | Count | Source |
1 | | /*********************************************************************** |
2 | | * Copyright (c) 2013, 2014 Pieter Wuille * |
3 | | * Distributed under the MIT software license, see the accompanying * |
4 | | * file COPYING or https://www.opensource.org/licenses/mit-license.php.* |
5 | | ***********************************************************************/ |
6 | | |
7 | | #ifndef SECP256K1_FIELD_H |
8 | | #define SECP256K1_FIELD_H |
9 | | |
10 | | #include "util.h" |
11 | | |
12 | | /* This file defines the generic interface for working with secp256k1_fe |
13 | | * objects, which represent field elements (integers modulo 2^256 - 2^32 - 977). |
14 | | * |
15 | | * The actual definition of the secp256k1_fe type depends on the chosen field |
16 | | * implementation; see the field_5x52.h and field_10x26.h files for details. |
17 | | * |
18 | | * All secp256k1_fe objects have implicit properties that determine what |
19 | | * operations are permitted on it. These are purely a function of what |
20 | | * secp256k1_fe_ operations are applied on it, generally (implicitly) fixed at |
21 | | * compile time, and do not depend on the chosen field implementation. Despite |
22 | | * that, what these properties actually entail for the field representation |
23 | | * values depends on the chosen field implementation. These properties are: |
24 | | * - magnitude: an integer in [0,32] |
25 | | * - normalized: 0 or 1; normalized=1 implies magnitude <= 1. |
26 | | * |
27 | | * In VERIFY mode, they are materialized explicitly as fields in the struct, |
28 | | * allowing run-time verification of these properties. In that case, the field |
29 | | * implementation also provides a secp256k1_fe_verify routine to verify that |
30 | | * these fields match the run-time value and perform internal consistency |
31 | | * checks. */ |
32 | | #ifdef VERIFY |
33 | | # define SECP256K1_FE_VERIFY_FIELDS \ |
34 | | int magnitude; \ |
35 | | int normalized; |
36 | | #else |
37 | | # define SECP256K1_FE_VERIFY_FIELDS |
38 | | #endif |
39 | | |
40 | | #if defined(SECP256K1_WIDEMUL_INT128) |
41 | | #include "field_5x52.h" |
42 | | #elif defined(SECP256K1_WIDEMUL_INT64) |
43 | | #include "field_10x26.h" |
44 | | #else |
45 | | #error "Please select wide multiplication implementation" |
46 | | #endif |
47 | | |
48 | | #ifdef VERIFY |
49 | | /* Magnitude and normalized value for constants. */ |
50 | | #define SECP256K1_FE_VERIFY_CONST(d7, d6, d5, d4, d3, d2, d1, d0) \ |
51 | | /* Magnitude is 0 for constant 0; 1 otherwise. */ \ |
52 | | , (((d7) | (d6) | (d5) | (d4) | (d3) | (d2) | (d1) | (d0)) != 0) \ |
53 | | /* Normalized is 1 unless sum(d_i<<(32*i) for i=0..7) exceeds field modulus. */ \ |
54 | | , (!(((d7) & (d6) & (d5) & (d4) & (d3) & (d2)) == 0xfffffffful && ((d1) == 0xfffffffful || ((d1) == 0xfffffffe && (d0 >= 0xfffffc2f))))) |
55 | | #else |
56 | | #define SECP256K1_FE_VERIFY_CONST(d7, d6, d5, d4, d3, d2, d1, d0) |
57 | | #endif |
58 | | |
59 | | /** This expands to an initializer for a secp256k1_fe valued sum((i*32) * d_i, i=0..7) mod p. |
60 | | * |
61 | | * It has magnitude 1, unless d_i are all 0, in which case the magnitude is 0. |
62 | | * It is normalized, unless sum(2^(i*32) * d_i, i=0..7) >= p. |
63 | | * |
64 | | * SECP256K1_FE_CONST_INNER is provided by the implementation. |
65 | | */ |
66 | | #define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0) {SECP256K1_FE_CONST_INNER((d7), (d6), (d5), (d4), (d3), (d2), (d1), (d0)) SECP256K1_FE_VERIFY_CONST((d7), (d6), (d5), (d4), (d3), (d2), (d1), (d0)) } |
67 | | |
68 | | static const secp256k1_fe secp256k1_fe_one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); |
69 | | static const secp256k1_fe secp256k1_const_beta = SECP256K1_FE_CONST( |
70 | | 0x7ae96a2bul, 0x657c0710ul, 0x6e64479eul, 0xac3434e9ul, |
71 | | 0x9cf04975ul, 0x12f58995ul, 0xc1396c28ul, 0x719501eeul |
72 | | ); |
73 | | |
74 | | #ifndef VERIFY |
75 | | /* In non-VERIFY mode, we #define the fe operations to be identical to their |
76 | | * internal field implementation, to avoid the potential overhead of a |
77 | | * function call (even though presumably inlinable). */ |
78 | 0 | # define secp256k1_fe_normalize secp256k1_fe_impl_normalize |
79 | 0 | # define secp256k1_fe_normalize_weak secp256k1_fe_impl_normalize_weak |
80 | 0 | # define secp256k1_fe_normalize_var secp256k1_fe_impl_normalize_var |
81 | 0 | # define secp256k1_fe_normalizes_to_zero secp256k1_fe_impl_normalizes_to_zero |
82 | 0 | # define secp256k1_fe_normalizes_to_zero_var secp256k1_fe_impl_normalizes_to_zero_var |
83 | 0 | # define secp256k1_fe_set_int secp256k1_fe_impl_set_int |
84 | 0 | # define secp256k1_fe_is_zero secp256k1_fe_impl_is_zero |
85 | 0 | # define secp256k1_fe_is_odd secp256k1_fe_impl_is_odd |
86 | 0 | # define secp256k1_fe_cmp_var secp256k1_fe_impl_cmp_var |
87 | 0 | # define secp256k1_fe_set_b32_mod secp256k1_fe_impl_set_b32_mod |
88 | 0 | # define secp256k1_fe_set_b32_limit secp256k1_fe_impl_set_b32_limit |
89 | 0 | # define secp256k1_fe_get_b32 secp256k1_fe_impl_get_b32 |
90 | | # define secp256k1_fe_negate_unchecked secp256k1_fe_impl_negate_unchecked |
91 | | # define secp256k1_fe_mul_int_unchecked secp256k1_fe_impl_mul_int_unchecked |
92 | 0 | # define secp256k1_fe_add secp256k1_fe_impl_add |
93 | 0 | # define secp256k1_fe_mul secp256k1_fe_impl_mul |
94 | 0 | # define secp256k1_fe_sqr secp256k1_fe_impl_sqr |
95 | 0 | # define secp256k1_fe_cmov secp256k1_fe_impl_cmov |
96 | 0 | # define secp256k1_fe_to_storage secp256k1_fe_impl_to_storage |
97 | 0 | # define secp256k1_fe_from_storage secp256k1_fe_impl_from_storage |
98 | 0 | # define secp256k1_fe_inv secp256k1_fe_impl_inv |
99 | 0 | # define secp256k1_fe_inv_var secp256k1_fe_impl_inv_var |
100 | | # define secp256k1_fe_get_bounds secp256k1_fe_impl_get_bounds |
101 | 0 | # define secp256k1_fe_half secp256k1_fe_impl_half |
102 | 0 | # define secp256k1_fe_add_int secp256k1_fe_impl_add_int |
103 | 0 | # define secp256k1_fe_is_square_var secp256k1_fe_impl_is_square_var |
104 | | #endif /* !defined(VERIFY) */ |
105 | | |
106 | | /** Normalize a field element. |
107 | | * |
108 | | * On input, r must be a valid field element. |
109 | | * On output, r represents the same value but has normalized=1 and magnitude=1. |
110 | | */ |
111 | | static void secp256k1_fe_normalize(secp256k1_fe *r); |
112 | | |
113 | | /** Give a field element magnitude 1. |
114 | | * |
115 | | * On input, r must be a valid field element. |
116 | | * On output, r represents the same value but has magnitude=1. Normalized is unchanged. |
117 | | */ |
118 | | static void secp256k1_fe_normalize_weak(secp256k1_fe *r); |
119 | | |
120 | | /** Normalize a field element, without constant-time guarantee. |
121 | | * |
122 | | * Identical in behavior to secp256k1_fe_normalize, but not constant time in r. |
123 | | */ |
124 | | static void secp256k1_fe_normalize_var(secp256k1_fe *r); |
125 | | |
126 | | /** Determine whether r represents field element 0. |
127 | | * |
128 | | * On input, r must be a valid field element. |
129 | | * Returns whether r = 0 (mod p). |
130 | | */ |
131 | | static int secp256k1_fe_normalizes_to_zero(const secp256k1_fe *r); |
132 | | |
133 | | /** Determine whether r represents field element 0, without constant-time guarantee. |
134 | | * |
135 | | * Identical in behavior to secp256k1_normalizes_to_zero, but not constant time in r. |
136 | | */ |
137 | | static int secp256k1_fe_normalizes_to_zero_var(const secp256k1_fe *r); |
138 | | |
139 | | /** Set a field element to an integer in range [0,0x7FFF]. |
140 | | * |
141 | | * On input, r does not need to be initialized, a must be in [0,0x7FFF]. |
142 | | * On output, r represents value a, is normalized and has magnitude (a!=0). |
143 | | */ |
144 | | static void secp256k1_fe_set_int(secp256k1_fe *r, int a); |
145 | | |
146 | | /** Clear a field element to prevent leaking sensitive information. */ |
147 | | static void secp256k1_fe_clear(secp256k1_fe *a); |
148 | | |
149 | | /** Determine whether a represents field element 0. |
150 | | * |
151 | | * On input, a must be a valid normalized field element. |
152 | | * Returns whether a = 0 (mod p). |
153 | | * |
154 | | * This behaves identical to secp256k1_normalizes_to_zero{,_var}, but requires |
155 | | * normalized input (and is much faster). |
156 | | */ |
157 | | static int secp256k1_fe_is_zero(const secp256k1_fe *a); |
158 | | |
159 | | /** Determine whether a (mod p) is odd. |
160 | | * |
161 | | * On input, a must be a valid normalized field element. |
162 | | * Returns (int(a) mod p) & 1. |
163 | | */ |
164 | | static int secp256k1_fe_is_odd(const secp256k1_fe *a); |
165 | | |
166 | | /** Determine whether two field elements are equal. |
167 | | * |
168 | | * On input, a and b must be valid field elements with magnitudes not exceeding |
169 | | * 1 and 31, respectively. |
170 | | * Returns a = b (mod p). |
171 | | */ |
172 | | static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b); |
173 | | |
174 | | /** Compare the values represented by 2 field elements, without constant-time guarantee. |
175 | | * |
176 | | * On input, a and b must be valid normalized field elements. |
177 | | * Returns 1 if a > b, -1 if a < b, and 0 if a = b (comparisons are done as integers |
178 | | * in range 0..p-1). |
179 | | */ |
180 | | static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b); |
181 | | |
182 | | /** Set a field element equal to the element represented by a provided 32-byte big endian value |
183 | | * interpreted modulo p. |
184 | | * |
185 | | * On input, r does not need to be initialized. a must be a pointer to an initialized 32-byte array. |
186 | | * On output, r = a (mod p). It will have magnitude 1, and not be normalized. |
187 | | */ |
188 | | static void secp256k1_fe_set_b32_mod(secp256k1_fe *r, const unsigned char *a); |
189 | | |
190 | | /** Set a field element equal to a provided 32-byte big endian value, checking for overflow. |
191 | | * |
192 | | * On input, r does not need to be initialized. a must be a pointer to an initialized 32-byte array. |
193 | | * On output, r = a if (a < p), it will be normalized with magnitude 1, and 1 is returned. |
194 | | * If a >= p, 0 is returned, and r will be made invalid (and must not be used without overwriting). |
195 | | */ |
196 | | static int secp256k1_fe_set_b32_limit(secp256k1_fe *r, const unsigned char *a); |
197 | | |
198 | | /** Convert a field element to 32-byte big endian byte array. |
199 | | * On input, a must be a valid normalized field element, and r a pointer to a 32-byte array. |
200 | | * On output, r = a (mod p). |
201 | | */ |
202 | | static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a); |
203 | | |
204 | | /** Negate a field element. |
205 | | * |
206 | | * On input, r does not need to be initialized. a must be a valid field element with |
207 | | * magnitude not exceeding m. m must be an integer constant expression in [0,31]. |
208 | | * Performs {r = -a}. |
209 | | * On output, r will not be normalized, and will have magnitude m+1. |
210 | | */ |
211 | 0 | #define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) |
212 | | |
213 | | /** Like secp256k1_fe_negate_unchecked but m is not checked to be an integer constant expression. |
214 | | * |
215 | | * Should not be called directly outside of tests. |
216 | | */ |
217 | | static void secp256k1_fe_negate_unchecked(secp256k1_fe *r, const secp256k1_fe *a, int m); |
218 | | |
219 | | /** Add a small integer to a field element. |
220 | | * |
221 | | * Performs {r += a}. The magnitude of r increases by 1, and normalized is cleared. |
222 | | * a must be in range [0,0x7FFF]. |
223 | | */ |
224 | | static void secp256k1_fe_add_int(secp256k1_fe *r, int a); |
225 | | |
226 | | /** Multiply a field element with a small integer. |
227 | | * |
228 | | * On input, r must be a valid field element. a must be an integer constant expression in [0,32]. |
229 | | * The magnitude of r times a must not exceed 32. |
230 | | * Performs {r *= a}. |
231 | | * On output, r's magnitude is multiplied by a, and r will not be normalized. |
232 | | */ |
233 | 0 | #define secp256k1_fe_mul_int(r, a) ASSERT_INT_CONST_AND_DO(a, secp256k1_fe_mul_int_unchecked(r, a)) |
234 | | |
235 | | /** Like secp256k1_fe_mul_int but a is not checked to be an integer constant expression. |
236 | | * |
237 | | * Should not be called directly outside of tests. |
238 | | */ |
239 | | static void secp256k1_fe_mul_int_unchecked(secp256k1_fe *r, int a); |
240 | | |
241 | | /** Increment a field element by another. |
242 | | * |
243 | | * On input, r and a must be valid field elements, not necessarily normalized. |
244 | | * The sum of their magnitudes must not exceed 32. |
245 | | * Performs {r += a}. |
246 | | * On output, r will not be normalized, and will have magnitude incremented by a's. |
247 | | */ |
248 | | static void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a); |
249 | | |
250 | | /** Multiply two field elements. |
251 | | * |
252 | | * On input, a and b must be valid field elements; r does not need to be initialized. |
253 | | * r and a may point to the same object, but neither may point to the object pointed |
254 | | * to by b. The magnitudes of a and b must not exceed 8. |
255 | | * Performs {r = a * b} |
256 | | * On output, r will have magnitude 1, but won't be normalized. |
257 | | */ |
258 | | static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe * SECP256K1_RESTRICT b); |
259 | | |
260 | | /** Square a field element. |
261 | | * |
262 | | * On input, a must be a valid field element; r does not need to be initialized. The magnitude |
263 | | * of a must not exceed 8. |
264 | | * Performs {r = a**2} |
265 | | * On output, r will have magnitude 1, but won't be normalized. |
266 | | */ |
267 | | static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a); |
268 | | |
269 | | /** Compute a square root of a field element. |
270 | | * |
271 | | * On input, a must be a valid field element with magnitude<=8; r need not be initialized. |
272 | | * If sqrt(a) exists, performs {r = sqrt(a)} and returns 1. |
273 | | * Otherwise, sqrt(-a) exists. The function performs {r = sqrt(-a)} and returns 0. |
274 | | * The resulting value represented by r will be a square itself. |
275 | | * Variables r and a must not point to the same object. |
276 | | * On output, r will have magnitude 1 but will not be normalized. |
277 | | */ |
278 | | static int secp256k1_fe_sqrt(secp256k1_fe * SECP256K1_RESTRICT r, const secp256k1_fe * SECP256K1_RESTRICT a); |
279 | | |
280 | | /** Compute the modular inverse of a field element. |
281 | | * |
282 | | * On input, a must be a valid field element; r need not be initialized. |
283 | | * Performs {r = a**(p-2)} (which maps 0 to 0, and every other element to its |
284 | | * inverse). |
285 | | * On output, r will have magnitude (a.magnitude != 0) and be normalized. |
286 | | */ |
287 | | static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *a); |
288 | | |
289 | | /** Compute the modular inverse of a field element, without constant-time guarantee. |
290 | | * |
291 | | * Behaves identically to secp256k1_fe_inv, but is not constant-time in a. |
292 | | */ |
293 | | static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *a); |
294 | | |
295 | | /** Convert a field element to secp256k1_fe_storage. |
296 | | * |
297 | | * On input, a must be a valid normalized field element. |
298 | | * Performs {r = a}. |
299 | | */ |
300 | | static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a); |
301 | | |
302 | | /** Convert a field element back from secp256k1_fe_storage. |
303 | | * |
304 | | * On input, r need not be initialized. |
305 | | * Performs {r = a}. |
306 | | * On output, r will be normalized and will have magnitude 1. |
307 | | */ |
308 | | static void secp256k1_fe_from_storage(secp256k1_fe *r, const secp256k1_fe_storage *a); |
309 | | |
310 | | /** If flag is true, set *r equal to *a; otherwise leave it. Constant-time. Both *r and *a must be initialized.*/ |
311 | | static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag); |
312 | | |
313 | | /** Conditionally move a field element in constant time. |
314 | | * |
315 | | * On input, both r and a must be valid field elements. Flag must be 0 or 1. |
316 | | * Performs {r = flag ? a : r}. |
317 | | * |
318 | | * On output, r's magnitude will be the maximum of both input magnitudes. |
319 | | * It will be normalized if and only if both inputs were normalized. |
320 | | */ |
321 | | static void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag); |
322 | | |
323 | | /** Halve the value of a field element modulo the field prime in constant-time. |
324 | | * |
325 | | * On input, r must be a valid field element. |
326 | | * On output, r will be normalized and have magnitude floor(m/2) + 1 where m is |
327 | | * the magnitude of r on input. |
328 | | */ |
329 | | static void secp256k1_fe_half(secp256k1_fe *r); |
330 | | |
331 | | /** Sets r to a field element with magnitude m, normalized if (and only if) m==0. |
332 | | * The value is chosen so that it is likely to trigger edge cases related to |
333 | | * internal overflows. */ |
334 | | static void secp256k1_fe_get_bounds(secp256k1_fe *r, int m); |
335 | | |
336 | | /** Determine whether a is a square (modulo p). |
337 | | * |
338 | | * On input, a must be a valid field element. |
339 | | */ |
340 | | static int secp256k1_fe_is_square_var(const secp256k1_fe *a); |
341 | | |
342 | | /** Check invariants on a field element (no-op unless VERIFY is enabled). */ |
343 | | static void secp256k1_fe_verify(const secp256k1_fe *a); |
344 | 0 | #define SECP256K1_FE_VERIFY(a) secp256k1_fe_verify(a) |
345 | | |
346 | | /** Check that magnitude of a is at most m (no-op unless VERIFY is enabled). */ |
347 | | static void secp256k1_fe_verify_magnitude(const secp256k1_fe *a, int m); |
348 | 0 | #define SECP256K1_FE_VERIFY_MAGNITUDE(a, m) secp256k1_fe_verify_magnitude(a, m) |
349 | | |
350 | | #endif /* SECP256K1_FIELD_H */ |