#include "field.h"

Include dependency graph for group.h:

This graph shows which files directly or indirectly include this file:

Classes
struct	secp256k1_ge
	A group element of the secp256k1 curve, in affine coordinates. More...

struct	secp256k1_gej
	A group element of the secp256k1 curve, in jacobian coordinates. More...

struct	secp256k1_ge_storage

Macros
#define	SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p) {SECP256K1_FE_CONST((a),(b),(c),(d),(e),(f),(g),(h)), SECP256K1_FE_CONST((i),(j),(k),(l),(m),(n),(o),(p)), 0}

#define	SECP256K1_GE_CONST_INFINITY {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), 1}

#define	SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p) {SECP256K1_FE_CONST((a),(b),(c),(d),(e),(f),(g),(h)), SECP256K1_FE_CONST((i),(j),(k),(l),(m),(n),(o),(p)), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1), 0}

#define	SECP256K1_GEJ_CONST_INFINITY {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), 1}

#define	SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p) {SECP256K1_FE_STORAGE_CONST((a),(b),(c),(d),(e),(f),(g),(h)), SECP256K1_FE_STORAGE_CONST((i),(j),(k),(l),(m),(n),(o),(p))}

#define	SECP256K1_GE_STORAGE_CONST_GET(t) SECP256K1_FE_STORAGE_CONST_GET(t.x), SECP256K1_FE_STORAGE_CONST_GET(t.y)

Functions
static void	secp256k1_ge_set_xy (secp256k1_ge r, const secp256k1_fe x, const secp256k1_fe *y)
	Set a group element equal to the point with given X and Y coordinates. More...

static int	secp256k1_ge_set_xquad (secp256k1_ge r, const secp256k1_fe x)
	Set a group element (affine) equal to the point with the given X coordinate and a Y coordinate that is a quadratic residue modulo p. More...

static int	secp256k1_ge_set_xo_var (secp256k1_ge r, const secp256k1_fe x, int odd)
	Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y. More...

static int	secp256k1_ge_is_infinity (const secp256k1_ge *a)
	Check whether a group element is the point at infinity. More...

static int	secp256k1_ge_is_valid_var (const secp256k1_ge *a)
	Check whether a group element is valid (i.e., on the curve). More...

static void	secp256k1_ge_neg (secp256k1_ge r, const secp256k1_ge a)
	Set r equal to the inverse of a (i.e., mirrored around the X axis) More...

static void	secp256k1_ge_set_gej (secp256k1_ge r, secp256k1_gej a)
	Set a group element equal to another which is given in jacobian coordinates. More...

static void	secp256k1_ge_set_gej_var (secp256k1_ge r, secp256k1_gej a)
	Set a group element equal to another which is given in jacobian coordinates. More...

static void	secp256k1_ge_set_all_gej_var (secp256k1_ge r, const secp256k1_gej a, size_t len)
	Set a batch of group elements equal to the inputs given in jacobian coordinates. More...

static void	secp256k1_ge_globalz_set_table_gej (size_t len, secp256k1_ge r, secp256k1_fe globalz, const secp256k1_gej a, const secp256k1_fe zr)
	Bring a batch inputs given in jacobian coordinates (with known z-ratios) to the same global z "denominator". More...

static void	secp256k1_ge_set_infinity (secp256k1_ge *r)
	Set a group element (affine) equal to the point at infinity. More...

static void	secp256k1_gej_set_infinity (secp256k1_gej *r)
	Set a group element (jacobian) equal to the point at infinity. More...

static void	secp256k1_gej_set_ge (secp256k1_gej r, const secp256k1_ge a)
	Set a group element (jacobian) equal to another which is given in affine coordinates. More...

static int	secp256k1_gej_eq_x_var (const secp256k1_fe x, const secp256k1_gej a)
	Compare the X coordinate of a group element (jacobian). More...

static void	secp256k1_gej_neg (secp256k1_gej r, const secp256k1_gej a)
	Set r equal to the inverse of a (i.e., mirrored around the X axis) More...

static int	secp256k1_gej_is_infinity (const secp256k1_gej *a)
	Check whether a group element is the point at infinity. More...

static int	secp256k1_gej_has_quad_y_var (const secp256k1_gej *a)
	Check whether a group element's y coordinate is a quadratic residue. More...

static void	secp256k1_gej_double (secp256k1_gej r, const secp256k1_gej a)
	Set r equal to the double of a. More...

static void	secp256k1_gej_double_var (secp256k1_gej r, const secp256k1_gej a, secp256k1_fe *rzr)
	Set r equal to the double of a. More...

static void	secp256k1_gej_add_var (secp256k1_gej r, const secp256k1_gej a, const secp256k1_gej b, secp256k1_fe rzr)
	Set r equal to the sum of a and b. More...

static void	secp256k1_gej_add_ge (secp256k1_gej r, const secp256k1_gej a, const secp256k1_ge *b)
	Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity). More...

static void	secp256k1_gej_add_ge_var (secp256k1_gej r, const secp256k1_gej a, const secp256k1_ge b, secp256k1_fe rzr)
	Set r equal to the sum of a and b (with b given in affine coordinates). More...

static void	secp256k1_gej_add_zinv_var (secp256k1_gej r, const secp256k1_gej a, const secp256k1_ge b, const secp256k1_fe bzinv)
	Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv). More...

static void	secp256k1_ge_mul_lambda (secp256k1_ge r, const secp256k1_ge a)
	Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast. More...

static void	secp256k1_gej_clear (secp256k1_gej *r)
	Clear a secp256k1_gej to prevent leaking sensitive information. More...

static void	secp256k1_ge_clear (secp256k1_ge *r)
	Clear a secp256k1_ge to prevent leaking sensitive information. More...

static void	secp256k1_ge_to_storage (secp256k1_ge_storage r, const secp256k1_ge a)
	Convert a group element to the storage type. More...

static void	secp256k1_ge_from_storage (secp256k1_ge r, const secp256k1_ge_storage a)
	Convert a group element back from the storage type. More...

static void	secp256k1_ge_storage_cmov (secp256k1_ge_storage r, const secp256k1_ge_storage a, int flag)
	If flag is true, set r equal to a; otherwise leave it. More...

static void	secp256k1_gej_rescale (secp256k1_gej r, const secp256k1_fe b)
	Rescale a jacobian point by b which must be non-zero. More...

static int	secp256k1_ge_is_in_correct_subgroup (const secp256k1_ge *ge)
	Determine if a point (which is assumed to be on the curve) is in the correct (sub)group of the curve. More...

Macro Definition Documentation

◆ SECP256K1_GE_CONST

#define SECP256K1_GE_CONST	(	a,
		b,
		c,
		d,
		e,
		f,
		g,
		h,
		i,
		j,
		k,
		l,
		m,
		n,
		o,
		p
	)	{SECP256K1_FE_CONST((a),(b),(c),(d),(e),(f),(g),(h)), SECP256K1_FE_CONST((i),(j),(k),(l),(m),(n),(o),(p)), 0}

Definition at line 19 of file group.h.

◆ SECP256K1_GE_CONST_INFINITY

#define SECP256K1_GE_CONST_INFINITY {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), 1}

Definition at line 20 of file group.h.

◆ SECP256K1_GE_STORAGE_CONST

#define SECP256K1_GE_STORAGE_CONST	(	a,
		b,
		c,
		d,
		e,
		f,
		g,
		h,
		i,
		j,
		k,
		l,
		m,
		n,
		o,
		p
	)	{SECP256K1_FE_STORAGE_CONST((a),(b),(c),(d),(e),(f),(g),(h)), SECP256K1_FE_STORAGE_CONST((i),(j),(k),(l),(m),(n),(o),(p))}

Definition at line 38 of file group.h.

◆ SECP256K1_GE_STORAGE_CONST_GET

#define SECP256K1_GE_STORAGE_CONST_GET ( t ) SECP256K1_FE_STORAGE_CONST_GET(t.x), SECP256K1_FE_STORAGE_CONST_GET(t.y)

Definition at line 40 of file group.h.

◆ SECP256K1_GEJ_CONST

#define SECP256K1_GEJ_CONST	(	a,
		b,
		c,
		d,
		e,
		f,
		g,
		h,
		i,
		j,
		k,
		l,
		m,
		n,
		o,
		p
	)	{SECP256K1_FE_CONST((a),(b),(c),(d),(e),(f),(g),(h)), SECP256K1_FE_CONST((i),(j),(k),(l),(m),(n),(o),(p)), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1), 0}

Definition at line 30 of file group.h.

◆ SECP256K1_GEJ_CONST_INFINITY

#define SECP256K1_GEJ_CONST_INFINITY {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), 1}

Definition at line 31 of file group.h.

Function Documentation

◆ secp256k1_ge_clear()

static void secp256k1_ge_clear ( secp256k1_ge * r )

static

Clear a secp256k1_ge to prevent leaking sensitive information.

Here is the caller graph for this function:

◆ secp256k1_ge_from_storage()

static void secp256k1_ge_from_storage	(	secp256k1_ge *	r,
		const secp256k1_ge_storage *	a
	)

static

Convert a group element back from the storage type.

Here is the caller graph for this function:

◆ secp256k1_ge_globalz_set_table_gej()

static void secp256k1_ge_globalz_set_table_gej	(	size_t	len,
		secp256k1_ge *	r,
		secp256k1_fe *	globalz,
		const secp256k1_gej *	a,
		const secp256k1_fe *	zr
	)

static

Bring a batch inputs given in jacobian coordinates (with known z-ratios) to the same global z "denominator".

zr must contain the known z-ratios such that mul(a[i].z, zr[i+1]) == a[i+1].z. zr[0] is ignored. The x and y coordinates of the result are stored in r, the common z coordinate is stored in globalz.

Here is the caller graph for this function:

◆ secp256k1_ge_is_in_correct_subgroup()

static int secp256k1_ge_is_in_correct_subgroup ( const secp256k1_ge * ge )

static

Determine if a point (which is assumed to be on the curve) is in the correct (sub)group of the curve.

In normal mode, the used group is secp256k1, which has cofactor=1 meaning that every point on the curve is in the group, and this function returns always true.

When compiling in exhaustive test mode, a slightly different curve equation is used, leading to a group with a (very) small subgroup, and that subgroup is what is used for all cryptographic operations. In that mode, this function checks whether a point that is on the curve is in fact also in that subgroup.

Here is the caller graph for this function:

◆ secp256k1_ge_is_infinity()

static int secp256k1_ge_is_infinity ( const secp256k1_ge * a )

static

Check whether a group element is the point at infinity.

Here is the caller graph for this function:

◆ secp256k1_ge_is_valid_var()

static int secp256k1_ge_is_valid_var ( const secp256k1_ge * a )

static

Check whether a group element is valid (i.e., on the curve).

Here is the caller graph for this function:

◆ secp256k1_ge_mul_lambda()

static void secp256k1_ge_mul_lambda	(	secp256k1_ge *	r,
		const secp256k1_ge *	a
	)

static

Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast.

Here is the caller graph for this function:

◆ secp256k1_ge_neg()

static void secp256k1_ge_neg	(	secp256k1_ge *	r,
		const secp256k1_ge *	a
	)

static

Set r equal to the inverse of a (i.e., mirrored around the X axis)

Here is the caller graph for this function:

◆ secp256k1_ge_set_all_gej_var()

static void secp256k1_ge_set_all_gej_var	(	secp256k1_ge *	r,
		const secp256k1_gej *	a,
		size_t	len
	)

static

Set a batch of group elements equal to the inputs given in jacobian coordinates.

Here is the caller graph for this function:

◆ secp256k1_ge_set_gej()

static void secp256k1_ge_set_gej	(	secp256k1_ge *	r,
		secp256k1_gej *	a
	)

static

Set a group element equal to another which is given in jacobian coordinates.

Constant time.

Here is the caller graph for this function:

◆ secp256k1_ge_set_gej_var()

static void secp256k1_ge_set_gej_var	(	secp256k1_ge *	r,
		secp256k1_gej *	a
	)

static

Set a group element equal to another which is given in jacobian coordinates.

Here is the caller graph for this function:

◆ secp256k1_ge_set_infinity()

static void secp256k1_ge_set_infinity ( secp256k1_ge * r )

static

Set a group element (affine) equal to the point at infinity.

Here is the caller graph for this function:

◆ secp256k1_ge_set_xo_var()

static int secp256k1_ge_set_xo_var	(	secp256k1_ge *	r,
		const secp256k1_fe *	x,
		int	odd
	)

static

Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y.

Return value indicates whether the result is valid.

Here is the caller graph for this function:

◆ secp256k1_ge_set_xquad()

static int secp256k1_ge_set_xquad	(	secp256k1_ge *	r,
		const secp256k1_fe *	x
	)

static

Set a group element (affine) equal to the point with the given X coordinate and a Y coordinate that is a quadratic residue modulo p.

The return value is true iff a coordinate with the given X coordinate exists.

Here is the caller graph for this function:

◆ secp256k1_ge_set_xy()

static void secp256k1_ge_set_xy	(	secp256k1_ge *	r,
		const secp256k1_fe *	x,
		const secp256k1_fe *	y
	)

static

Set a group element equal to the point with given X and Y coordinates.

Here is the caller graph for this function:

◆ secp256k1_ge_storage_cmov()

static void secp256k1_ge_storage_cmov	(	secp256k1_ge_storage *	r,
		const secp256k1_ge_storage *	a,
		int	flag
	)

static

If flag is true, set *r equal to *a; otherwise leave it.

Constant-time. Both *r and *a must be initialized.

Here is the caller graph for this function:

◆ secp256k1_ge_to_storage()

static void secp256k1_ge_to_storage	(	secp256k1_ge_storage *	r,
		const secp256k1_ge *	a
	)

static

Convert a group element to the storage type.

Here is the caller graph for this function:

◆ secp256k1_gej_add_ge()

static void secp256k1_gej_add_ge	(	secp256k1_gej *	r,
		const secp256k1_gej *	a,
		const secp256k1_ge *	b
	)

static

Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).

Here is the caller graph for this function:

◆ secp256k1_gej_add_ge_var()

static void secp256k1_gej_add_ge_var	(	secp256k1_gej *	r,
		const secp256k1_gej *	a,
		const secp256k1_ge *	b,
		secp256k1_fe *	rzr
	)

static

Set r equal to the sum of a and b (with b given in affine coordinates).

This is more efficient than secp256k1_gej_add_var. It is identical to secp256k1_gej_add_ge but without constant-time guarantee, and b is allowed to be infinity. If rzr is non-NULL this sets *rzr such that r->z == a->z * *rzr (a cannot be infinity in that case).

Here is the caller graph for this function:

◆ secp256k1_gej_add_var()

static void secp256k1_gej_add_var	(	secp256k1_gej *	r,
		const secp256k1_gej *	a,
		const secp256k1_gej *	b,
		secp256k1_fe *	rzr
	)

static

Set r equal to the sum of a and b.

If rzr is non-NULL this sets *rzr such that r->z == a->z * *rzr (a cannot be infinity in that case).

Here is the caller graph for this function:

◆ secp256k1_gej_add_zinv_var()

static void secp256k1_gej_add_zinv_var	(	secp256k1_gej *	r,
		const secp256k1_gej *	a,
		const secp256k1_ge *	b,
		const secp256k1_fe *	bzinv
	)

static

Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv).

Here is the caller graph for this function:

◆ secp256k1_gej_clear()

static void secp256k1_gej_clear ( secp256k1_gej * r )

static

Clear a secp256k1_gej to prevent leaking sensitive information.

Here is the caller graph for this function:

◆ secp256k1_gej_double()

static void secp256k1_gej_double	(	secp256k1_gej *	r,
		const secp256k1_gej *	a
	)

static

Set r equal to the double of a.

Constant time.

Here is the caller graph for this function:

◆ secp256k1_gej_double_var()

static void secp256k1_gej_double_var	(	secp256k1_gej *	r,
		const secp256k1_gej *	a,
		secp256k1_fe *	rzr
	)

static

Set r equal to the double of a.

If rzr is not-NULL this sets *rzr such that r->z == a->z * *rzr (where infinity means an implicit z = 0).

Here is the caller graph for this function:

◆ secp256k1_gej_eq_x_var()

static int secp256k1_gej_eq_x_var	(	const secp256k1_fe *	x,
		const secp256k1_gej *	a
	)

static

Compare the X coordinate of a group element (jacobian).

Here is the caller graph for this function:

◆ secp256k1_gej_has_quad_y_var()

static int secp256k1_gej_has_quad_y_var ( const secp256k1_gej * a )

static

Check whether a group element's y coordinate is a quadratic residue.

Here is the caller graph for this function:

◆ secp256k1_gej_is_infinity()

static int secp256k1_gej_is_infinity ( const secp256k1_gej * a )

static

Check whether a group element is the point at infinity.

Here is the caller graph for this function:

◆ secp256k1_gej_neg()

static void secp256k1_gej_neg	(	secp256k1_gej *	r,
		const secp256k1_gej *	a
	)

static

Set r equal to the inverse of a (i.e., mirrored around the X axis)

Here is the caller graph for this function:

◆ secp256k1_gej_rescale()

static void secp256k1_gej_rescale	(	secp256k1_gej *	r,
		const secp256k1_fe *	b
	)

static

Rescale a jacobian point by b which must be non-zero.

Constant-time.

Here is the caller graph for this function:

◆ secp256k1_gej_set_ge()

static void secp256k1_gej_set_ge	(	secp256k1_gej *	r,
		const secp256k1_ge *	a
	)

static

Set a group element (jacobian) equal to another which is given in affine coordinates.

Here is the caller graph for this function:

◆ secp256k1_gej_set_infinity()

static void secp256k1_gej_set_infinity ( secp256k1_gej * r )

static

Set a group element (jacobian) equal to the point at infinity.

Here is the caller graph for this function:

Classes

Macros

Functions

Macro Definition Documentation

◆ SECP256K1_GE_CONST

◆ SECP256K1_GE_CONST_INFINITY

◆ SECP256K1_GE_STORAGE_CONST

◆ SECP256K1_GE_STORAGE_CONST_GET

◆ SECP256K1_GEJ_CONST

◆ SECP256K1_GEJ_CONST_INFINITY

Function Documentation

◆ secp256k1_ge_clear()

◆ secp256k1_ge_from_storage()

◆ secp256k1_ge_globalz_set_table_gej()

◆ secp256k1_ge_is_in_correct_subgroup()

◆ secp256k1_ge_is_infinity()

◆ secp256k1_ge_is_valid_var()

◆ secp256k1_ge_mul_lambda()

◆ secp256k1_ge_neg()

◆ secp256k1_ge_set_all_gej_var()

◆ secp256k1_ge_set_gej()

◆ secp256k1_ge_set_gej_var()

◆ secp256k1_ge_set_infinity()

◆ secp256k1_ge_set_xo_var()

◆ secp256k1_ge_set_xquad()

◆ secp256k1_ge_set_xy()

◆ secp256k1_ge_storage_cmov()

◆ secp256k1_ge_to_storage()

◆ secp256k1_gej_add_ge()

◆ secp256k1_gej_add_ge_var()

◆ secp256k1_gej_add_var()

◆ secp256k1_gej_add_zinv_var()

◆ secp256k1_gej_clear()

◆ secp256k1_gej_double()

◆ secp256k1_gej_double_var()

◆ secp256k1_gej_eq_x_var()

◆ secp256k1_gej_has_quad_y_var()

◆ secp256k1_gej_is_infinity()

◆ secp256k1_gej_neg()

◆ secp256k1_gej_rescale()

◆ secp256k1_gej_set_ge()

◆ secp256k1_gej_set_infinity()