group_impl.h File Reference

#include "field.h"
#include "group.h"

Include dependency graph for group_impl.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Functions
static void	secp256k1_ge_set_gej_zinv (secp256k1_ge *r, const secp256k1_gej *a, const secp256k1_fe *zi)
static void	secp256k1_ge_set_xy (secp256k1_ge *r, const secp256k1_fe *x, const secp256k1_fe *y)
static int	secp256k1_ge_is_infinity (const secp256k1_ge *a)
static void	secp256k1_ge_neg (secp256k1_ge *r, const secp256k1_ge *a)
static void	secp256k1_ge_set_gej (secp256k1_ge *r, secp256k1_gej *a)
static void	secp256k1_ge_set_gej_var (secp256k1_ge *r, secp256k1_gej *a)
static void	secp256k1_ge_set_all_gej_var (secp256k1_ge *r, const secp256k1_gej *a, size_t len)
static void	secp256k1_ge_globalz_set_table_gej (size_t len, secp256k1_ge *r, secp256k1_fe *globalz, const secp256k1_gej *a, const secp256k1_fe *zr)
static void	secp256k1_gej_set_infinity (secp256k1_gej *r)
static void	secp256k1_ge_set_infinity (secp256k1_ge *r)
static void	secp256k1_gej_clear (secp256k1_gej *r)
static void	secp256k1_ge_clear (secp256k1_ge *r)
static int	secp256k1_ge_set_xquad (secp256k1_ge *r, const secp256k1_fe *x)
static int	secp256k1_ge_set_xo_var (secp256k1_ge *r, const secp256k1_fe *x, int odd)
static void	secp256k1_gej_set_ge (secp256k1_gej *r, const secp256k1_ge *a)
static int	secp256k1_gej_eq_x_var (const secp256k1_fe *x, const secp256k1_gej *a)
static void	secp256k1_gej_neg (secp256k1_gej *r, const secp256k1_gej *a)
static int	secp256k1_gej_is_infinity (const secp256k1_gej *a)
static int	secp256k1_ge_is_valid_var (const secp256k1_ge *a)
static SECP256K1_INLINE void	secp256k1_gej_double (secp256k1_gej *r, const secp256k1_gej *a)
static void	secp256k1_gej_double_var (secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
static void	secp256k1_gej_add_var (secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
static void	secp256k1_gej_add_ge_var (secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
static void	secp256k1_gej_add_zinv_var (secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
static void	secp256k1_gej_add_ge (secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
static void	secp256k1_gej_rescale (secp256k1_gej *r, const secp256k1_fe *s)
static void	secp256k1_ge_to_storage (secp256k1_ge_storage *r, const secp256k1_ge *a)
static void	secp256k1_ge_from_storage (secp256k1_ge *r, const secp256k1_ge_storage *a)
static SECP256K1_INLINE void	secp256k1_ge_storage_cmov (secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
static void	secp256k1_ge_mul_lambda (secp256k1_ge *r, const secp256k1_ge *a)
static int	secp256k1_gej_has_quad_y_var (const secp256k1_gej *a)
static int	secp256k1_ge_is_in_correct_subgroup (const secp256k1_ge *ge)

Variables
static const secp256k1_ge	secp256k1_ge_const_g
	Generator for secp256k1, value 'g' defined in "Standards for Efficient Cryptography" (SEC2) 2.7.1. More...
static const secp256k1_fe	secp256k1_fe_const_b = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 7)

Function Documentation

secp256k1_ge_clear()

static void secp256k1_ge_clear ( secp256k1_ge *  r )

static

Definition at line 203 of file group_impl.h.

Here is the call graph for this function:

secp256k1_ge_from_storage()

static void secp256k1_ge_from_storage ( secp256k1_ge *  r, const secp256k1_ge_storage *  a  )

static

Definition at line 637 of file group_impl.h.

Here is the call graph for this function:

secp256k1_ge_globalz_set_table_gej()

static void secp256k1_ge_globalz_set_table_gej ( size_t  len, secp256k1_ge *  r, secp256k1_fe *  globalz, const secp256k1_gej *  a, const secp256k1_fe *  zr  )

static

Definition at line 158 of file group_impl.h.

Here is the call graph for this function:

secp256k1_ge_is_in_correct_subgroup()

static int secp256k1_ge_is_in_correct_subgroup ( const secp256k1_ge *  ge )

static

Definition at line 671 of file group_impl.h.

Here is the call graph for this function:

secp256k1_ge_is_infinity()

static int secp256k1_ge_is_infinity ( const secp256k1_ge *  a )

static

Definition at line 78 of file group_impl.h.

secp256k1_ge_is_valid_var()

static int secp256k1_ge_is_valid_var ( const secp256k1_ge *  a )

static

Definition at line 259 of file group_impl.h.

Here is the call graph for this function:

secp256k1_ge_mul_lambda()

static void secp256k1_ge_mul_lambda ( secp256k1_ge *  r, const secp256k1_ge *  a  )

static

Definition at line 648 of file group_impl.h.

Here is the call graph for this function:

secp256k1_ge_neg()

static void secp256k1_ge_neg ( secp256k1_ge *  r, const secp256k1_ge *  a  )

static

Definition at line 82 of file group_impl.h.

Here is the call graph for this function:

secp256k1_ge_set_all_gej_var()

static void secp256k1_ge_set_all_gej_var ( secp256k1_ge *  r, const secp256k1_gej *  a, size_t  len  )

static

Definition at line 117 of file group_impl.h.

Here is the call graph for this function:

secp256k1_ge_set_gej()

static void secp256k1_ge_set_gej ( secp256k1_ge *  r, secp256k1_gej *  a  )

static

Definition at line 88 of file group_impl.h.

Here is the call graph for this function:

secp256k1_ge_set_gej_var()

static void secp256k1_ge_set_gej_var ( secp256k1_ge *  r, secp256k1_gej *  a  )

static

Definition at line 101 of file group_impl.h.

Here is the call graph for this function:

secp256k1_ge_set_gej_zinv()

static void secp256k1_ge_set_gej_zinv ( secp256k1_ge *  r, const secp256k1_gej *  a, const secp256k1_fe *  zi  )

static

Definition at line 62 of file group_impl.h.

Here is the call graph for this function:

Here is the caller graph for this function:

secp256k1_ge_set_infinity()

static void secp256k1_ge_set_infinity ( secp256k1_ge *  r )

static

Definition at line 190 of file group_impl.h.

Here is the call graph for this function:

secp256k1_ge_set_xo_var()

static int secp256k1_ge_set_xo_var ( secp256k1_ge *  r, const secp256k1_fe *  x, int  odd  )

static

Definition at line 219 of file group_impl.h.

Here is the call graph for this function:

secp256k1_ge_set_xquad()

static int secp256k1_ge_set_xquad ( secp256k1_ge *  r, const secp256k1_fe *  x  )

static

Definition at line 209 of file group_impl.h.

Here is the call graph for this function:

Here is the caller graph for this function:

secp256k1_ge_set_xy()

static void secp256k1_ge_set_xy ( secp256k1_ge *  r, const secp256k1_fe *  x, const secp256k1_fe *  y  )

static

Definition at line 72 of file group_impl.h.

secp256k1_ge_storage_cmov()

static SECP256K1_INLINE void secp256k1_ge_storage_cmov ( secp256k1_ge_storage *  r, const secp256k1_ge_storage *  a, int  flag  )

static

Definition at line 643 of file group_impl.h.

Here is the call graph for this function:

secp256k1_ge_to_storage()

static void secp256k1_ge_to_storage ( secp256k1_ge_storage *  r, const secp256k1_ge *  a  )

static

Definition at line 626 of file group_impl.h.

Here is the call graph for this function:

secp256k1_gej_add_ge()

static void secp256k1_gej_add_ge ( secp256k1_gej *  r, const secp256k1_gej *  a, const secp256k1_ge *  b  )

static

In: Eric Brier and Marc Joye, Weierstrass Elliptic Curves and Side-Channel Attacks. In D. Naccache and P. Paillier, Eds., Public Key Cryptography, vol. 2274 of Lecture Notes in Computer Science, pages 335-345. Springer-Verlag, 2002. we find as solution for a unified addition/doubling formula: lambda = ((x1 + x2)^2 - x1 * x2 + a) / (y1 + y2), with a = 0 for secp256k1's curve equation. x3 = lambda^2 - (x1 + x2) 2*y3 = lambda * (x1 + x2 - 2 * x3) - (y1 + y2).

Substituting x_i = Xi / Zi^2 and yi = Yi / Zi^3, for i=1,2,3, gives: U1 = X1*Z2^2, U2 = X2*Z1^2 S1 = Y1*Z2^3, S2 = Y2*Z1^3 Z = Z1*Z2 T = U1+U2 M = S1+S2 Q = T*M^2 R = T^2-U1*U2 X3 = 4*(R^2-Q) Y3 = 4*(R*(3*Q-2*R^2)-M^4) Z3 = 2*M*Z (Note that the paper uses xi = Xi / Zi and yi = Yi / Zi instead.)

This formula has the benefit of being the same for both addition of distinct points and doubling. However, it breaks down in the case that either point is infinity, or that y1 = -y2. We handle these cases in the following ways:

• If b is infinity we simply bail by means of a VERIFY_CHECK.
• If a is infinity, we detect this, and at the end of the computation replace the result (which will be meaningless, but we compute to be constant-time) with b.x : b.y : 1.
• If a = -b, we have y1 = -y2, which is a degenerate case. But here the answer is infinity, so we simply set the infinity flag of the result, overriding the computed values without even needing to cmov.
• If y1 = -y2 but x1 != x2, which does occur thanks to certain properties of our curve (specifically, 1 has nontrivial cube roots in our field, and the curve equation has no x coefficient) then the answer is not infinity but also not given by the above equation. In this case, we cmov in place an alternate expression for lambda. Specifically (y1 - y2)/(x1 - x2). Where both these expressions for lambda are defined, they are equal, and can be obtained from each other by multiplication by (y1 + y2)/(y1 + y2) then substitution of x^3 + 7 for y^2 (using the curve equation). For all pairs of nonzero points (a, b) at least one is defined, so this covers everything.

If lambda = R/M = 0/0 we have a problem (except in the "trivial" case that Z = z1z2 = 0, and this is special-cased later on).

In case a->infinity == 1, replace r with (b->x, b->y, 1).

Definition at line 493 of file group_impl.h.

Here is the call graph for this function:

secp256k1_gej_add_ge_var()

static void secp256k1_gej_add_ge_var ( secp256k1_gej *  r, const secp256k1_gej *  a, const secp256k1_ge *  b, secp256k1_fe *  rzr  )

static

Definition at line 387 of file group_impl.h.

Here is the call graph for this function:

Here is the caller graph for this function:

secp256k1_gej_add_var()

static void secp256k1_gej_add_var ( secp256k1_gej *  r, const secp256k1_gej *  a, const secp256k1_gej *  b, secp256k1_fe *  rzr  )

static

Definition at line 334 of file group_impl.h.

Here is the call graph for this function:

secp256k1_gej_add_zinv_var()

static void secp256k1_gej_add_zinv_var ( secp256k1_gej *  r, const secp256k1_gej *  a, const secp256k1_ge *  b, const secp256k1_fe *  bzinv  )

static

We need to calculate (rx,ry,rz) = (ax,ay,az) + (bx,by,1/bzinv). Due to secp256k1's isomorphism we can multiply the Z coordinates on both sides by bzinv, and get: (rx,ry,rz*bzinv) = (ax,ay,az*bzinv) + (bx,by,1). This means that (rx,ry,rz) can be calculated as (ax,ay,az*bzinv) + (bx,by,1), when not applying the bzinv factor to rz. The variable az below holds the modified Z coordinate for a, which is used for the computation of rx and ry, but not for rz.

Definition at line 436 of file group_impl.h.

Here is the call graph for this function:

secp256k1_gej_clear()

static void secp256k1_gej_clear ( secp256k1_gej *  r )

static

Definition at line 196 of file group_impl.h.

Here is the call graph for this function:

secp256k1_gej_double()

static SECP256K1_INLINE void secp256k1_gej_double ( secp256k1_gej *  r, const secp256k1_gej *  a  )

static

Definition at line 272 of file group_impl.h.

Here is the call graph for this function:

Here is the caller graph for this function:

secp256k1_gej_double_var()

static void secp256k1_gej_double_var ( secp256k1_gej *  r, const secp256k1_gej *  a, secp256k1_fe *  rzr  )

static

For secp256k1, 2Q is infinity if and only if Q is infinity. This is because if 2Q = infinity, Q must equal -Q, or that Q.y == -(Q.y), or Q.y is 0. For a point on y^2 = x^3 + 7 to have y=0, x^3 must be -7 mod p. However, -7 has no cube root mod p.

Having said this, if this function receives a point on a sextic twist, e.g. by a fault attack, it is possible for y to be 0. This happens for y^2 = x^3 + 6, since -6 does have a cube root mod p. For this point, this function will not set the infinity flag even though the point doubles to infinity, and the result point will be gibberish (z = 0 but infinity = 0).

Definition at line 306 of file group_impl.h.

Here is the call graph for this function:

Here is the caller graph for this function:

secp256k1_gej_eq_x_var()

static int secp256k1_gej_eq_x_var ( const secp256k1_fe *  x, const secp256k1_gej *  a  )

static

Definition at line 238 of file group_impl.h.

Here is the call graph for this function:

secp256k1_gej_has_quad_y_var()

static int secp256k1_gej_has_quad_y_var ( const secp256k1_gej *  a )

static

Definition at line 657 of file group_impl.h.

Here is the call graph for this function:

secp256k1_gej_is_infinity()

static int secp256k1_gej_is_infinity ( const secp256k1_gej *  a )

static

Definition at line 255 of file group_impl.h.

Here is the caller graph for this function:

secp256k1_gej_neg()

static void secp256k1_gej_neg ( secp256k1_gej *  r, const secp256k1_gej *  a  )

static

Definition at line 246 of file group_impl.h.

Here is the call graph for this function:

secp256k1_gej_rescale()

static void secp256k1_gej_rescale ( secp256k1_gej *  r, const secp256k1_fe *  s  )

static

Definition at line 615 of file group_impl.h.

Here is the call graph for this function:

secp256k1_gej_set_ge()

static void secp256k1_gej_set_ge ( secp256k1_gej *  r, const secp256k1_ge *  a  )

static

Definition at line 231 of file group_impl.h.

Here is the call graph for this function:

Here is the caller graph for this function:

secp256k1_gej_set_infinity()

static void secp256k1_gej_set_infinity ( secp256k1_gej *  r )

static

Definition at line 183 of file group_impl.h.

Here is the call graph for this function:

Here is the caller graph for this function:

Variable Documentation

secp256k1_fe_const_b

const secp256k1_fe secp256k1_fe_const_b = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 7)

static

Definition at line 59 of file group_impl.h.

secp256k1_ge_const_g

const secp256k1_ge secp256k1_ge_const_g

static

Initial value:

= SECP256K1_GE_CONST(
    0x79BE667EUL, 0xF9DCBBACUL, 0x55A06295UL, 0xCE870B07UL,
    0x029BFCDBUL, 0x2DCE28D9UL, 0x59F2815BUL, 0x16F81798UL,
    0x483ADA77UL, 0x26A3C465UL, 0x5DA4FBFCUL, 0x0E1108A8UL,
    0xFD17B448UL, 0xA6855419UL, 0x9C47D08FUL, 0xFB10D4B8UL
)

Generator for secp256k1, value 'g' defined in "Standards for Efficient Cryptography" (SEC2) 2.7.1.

Definition at line 52 of file group_impl.h.