Bitcoin ABC 0.32.8
P2P Digital Currency
group_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013, 2014 Pieter Wuille *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#ifndef SECP256K1_GROUP_IMPL_H
8#define SECP256K1_GROUP_IMPL_H
9
10#include "field.h"
11#include "group.h"
12
13#define SECP256K1_G_ORDER_13 SECP256K1_GE_CONST(\
14 0xc3459c3d, 0x35326167, 0xcd86cce8, 0x07a2417f,\
15 0x5b8bd567, 0xde8538ee, 0x0d507b0c, 0xd128f5bb,\
16 0x8e467fec, 0xcd30000a, 0x6cc1184e, 0x25d382c2,\
17 0xa2f4494e, 0x2fbe9abc, 0x8b64abac, 0xd005fb24\
18)
19#define SECP256K1_G_ORDER_199 SECP256K1_GE_CONST(\
20 0x226e653f, 0xc8df7744, 0x9bacbf12, 0x7d1dcbf9,\
21 0x87f05b2a, 0xe7edbd28, 0x1f564575, 0xc48dcf18,\
22 0xa13872c2, 0xe933bb17, 0x5d9ffd5b, 0xb5b6e10c,\
23 0x57fe3c00, 0xbaaaa15a, 0xe003ec3e, 0x9c269bae\
24)
28#define SECP256K1_G SECP256K1_GE_CONST(\
29 0x79BE667EUL, 0xF9DCBBACUL, 0x55A06295UL, 0xCE870B07UL,\
30 0x029BFCDBUL, 0x2DCE28D9UL, 0x59F2815BUL, 0x16F81798UL,\
31 0x483ADA77UL, 0x26A3C465UL, 0x5DA4FBFCUL, 0x0E1108A8UL,\
32 0xFD17B448UL, 0xA6855419UL, 0x9C47D08FUL, 0xFB10D4B8UL\
33)
34/* These exhaustive group test orders and generators are chosen such that:
35 * - The field size is equal to that of secp256k1, so field code is the same.
36 * - The curve equation is of the form y^2=x^3+B for some constant B.
37 * - The subgroup has a generator 2*P, where P.x=1.
38 * - The subgroup has size less than 1000 to permit exhaustive testing.
39 * - The subgroup admits an endomorphism of the form lambda*(x,y) == (beta*x,y).
40 *
41 * These parameters are generated using sage/gen_exhaustive_groups.sage.
42 */
43#if defined(EXHAUSTIVE_TEST_ORDER)
44# if EXHAUSTIVE_TEST_ORDER == 13
45static const secp256k1_ge secp256k1_ge_const_g = SECP256K1_G_ORDER_13;
46
47static const secp256k1_fe secp256k1_fe_const_b = SECP256K1_FE_CONST(
48 0x3d3486b2, 0x159a9ca5, 0xc75638be, 0xb23a69bc,
49 0x946a45ab, 0x24801247, 0xb4ed2b8e, 0x26b6a417
50);
51# elif EXHAUSTIVE_TEST_ORDER == 199
52static const secp256k1_ge secp256k1_ge_const_g = SECP256K1_G_ORDER_199;
53
54static const secp256k1_fe secp256k1_fe_const_b = SECP256K1_FE_CONST(
55 0x2cca28fa, 0xfc614b80, 0x2a3db42b, 0x00ba00b1,
56 0xbea8d943, 0xdace9ab2, 0x9536daea, 0x0074defb
57);
58# else
59# error No known generator for the specified exhaustive test group order.
60# endif
61#else
62static const secp256k1_ge secp256k1_ge_const_g = SECP256K1_G;
63
64static const secp256k1_fe secp256k1_fe_const_b = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 7);
65#endif
66
67static void secp256k1_ge_set_gej_zinv(secp256k1_ge *r, const secp256k1_gej *a, const secp256k1_fe *zi) {
68 secp256k1_fe zi2;
69 secp256k1_fe zi3;
70 VERIFY_CHECK(!a->infinity);
71 secp256k1_fe_sqr(&zi2, zi);
72 secp256k1_fe_mul(&zi3, &zi2, zi);
73 secp256k1_fe_mul(&r->x, &a->x, &zi2);
74 secp256k1_fe_mul(&r->y, &a->y, &zi3);
75 r->infinity = a->infinity;
76}
77
78static void secp256k1_ge_set_xy(secp256k1_ge *r, const secp256k1_fe *x, const secp256k1_fe *y) {
79 r->infinity = 0;
80 r->x = *x;
81 r->y = *y;
82}
83
84static int secp256k1_ge_is_infinity(const secp256k1_ge *a) {
85 return a->infinity;
86}
87
88static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a) {
89 *r = *a;
90 secp256k1_fe_normalize_weak(&r->y);
91 secp256k1_fe_negate(&r->y, &r->y, 1);
92}
93
94static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a) {
95 secp256k1_fe z2, z3;
96 r->infinity = a->infinity;
97 secp256k1_fe_inv(&a->z, &a->z);
98 secp256k1_fe_sqr(&z2, &a->z);
99 secp256k1_fe_mul(&z3, &a->z, &z2);
100 secp256k1_fe_mul(&a->x, &a->x, &z2);
101 secp256k1_fe_mul(&a->y, &a->y, &z3);
102 secp256k1_fe_set_int(&a->z, 1);
103 r->x = a->x;
104 r->y = a->y;
105}
106
107static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a) {
108 secp256k1_fe z2, z3;
109 if (a->infinity) {
110 secp256k1_ge_set_infinity(r);
111 return;
112 }
113 secp256k1_fe_inv_var(&a->z, &a->z);
114 secp256k1_fe_sqr(&z2, &a->z);
115 secp256k1_fe_mul(&z3, &a->z, &z2);
116 secp256k1_fe_mul(&a->x, &a->x, &z2);
117 secp256k1_fe_mul(&a->y, &a->y, &z3);
118 secp256k1_fe_set_int(&a->z, 1);
119 secp256k1_ge_set_xy(r, &a->x, &a->y);
120}
121
122static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len) {
123 secp256k1_fe u;
124 size_t i;
125 size_t last_i = SIZE_MAX;
126
127 for (i = 0; i < len; i++) {
128 if (a[i].infinity) {
129 secp256k1_ge_set_infinity(&r[i]);
130 } else {
131 /* Use destination's x coordinates as scratch space */
132 if (last_i == SIZE_MAX) {
133 r[i].x = a[i].z;
134 } else {
135 secp256k1_fe_mul(&r[i].x, &r[last_i].x, &a[i].z);
136 }
137 last_i = i;
138 }
139 }
140 if (last_i == SIZE_MAX) {
141 return;
142 }
143 secp256k1_fe_inv_var(&u, &r[last_i].x);
144
145 i = last_i;
146 while (i > 0) {
147 i--;
148 if (!a[i].infinity) {
149 secp256k1_fe_mul(&r[last_i].x, &r[i].x, &u);
150 secp256k1_fe_mul(&u, &u, &a[last_i].z);
151 last_i = i;
152 }
153 }
154 VERIFY_CHECK(!a[last_i].infinity);
155 r[last_i].x = u;
156
157 for (i = 0; i < len; i++) {
158 if (!a[i].infinity) {
159 secp256k1_ge_set_gej_zinv(&r[i], &a[i], &r[i].x);
160 }
161 }
162}
163
164static void secp256k1_ge_table_set_globalz(size_t len, secp256k1_ge *a, const secp256k1_fe *zr) {
165 size_t i = len - 1;
166 secp256k1_fe zs;
167
168 if (len > 0) {
169 /* Ensure all y values are in weak normal form for fast negation of points */
170 secp256k1_fe_normalize_weak(&a[i].y);
171 zs = zr[i];
172
173 /* Work our way backwards, using the z-ratios to scale the x/y values. */
174 while (i > 0) {
175 secp256k1_gej tmpa;
176 if (i != len - 1) {
177 secp256k1_fe_mul(&zs, &zs, &zr[i]);
178 }
179 i--;
180 tmpa.x = a[i].x;
181 tmpa.y = a[i].y;
182 tmpa.infinity = 0;
183 secp256k1_ge_set_gej_zinv(&a[i], &tmpa, &zs);
184 }
185 }
186}
187
188static void secp256k1_gej_set_infinity(secp256k1_gej *r) {
189 r->infinity = 1;
190 secp256k1_fe_clear(&r->x);
191 secp256k1_fe_clear(&r->y);
192 secp256k1_fe_clear(&r->z);
193}
194
195static void secp256k1_ge_set_infinity(secp256k1_ge *r) {
196 r->infinity = 1;
197 secp256k1_fe_clear(&r->x);
198 secp256k1_fe_clear(&r->y);
199}
200
201static void secp256k1_gej_clear(secp256k1_gej *r) {
202 r->infinity = 0;
203 secp256k1_fe_clear(&r->x);
204 secp256k1_fe_clear(&r->y);
205 secp256k1_fe_clear(&r->z);
206}
207
208static void secp256k1_ge_clear(secp256k1_ge *r) {
209 r->infinity = 0;
210 secp256k1_fe_clear(&r->x);
211 secp256k1_fe_clear(&r->y);
212}
213
214static int secp256k1_ge_set_xquad(secp256k1_ge *r, const secp256k1_fe *x) {
215 secp256k1_fe x2, x3;
216 r->x = *x;
217 secp256k1_fe_sqr(&x2, x);
218 secp256k1_fe_mul(&x3, x, &x2);
219 r->infinity = 0;
220 secp256k1_fe_add(&x3, &secp256k1_fe_const_b);
221 return secp256k1_fe_sqrt(&r->y, &x3);
222}
223
224static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd) {
225 if (!secp256k1_ge_set_xquad(r, x)) {
226 return 0;
227 }
228 secp256k1_fe_normalize_var(&r->y);
229 if (secp256k1_fe_is_odd(&r->y) != odd) {
230 secp256k1_fe_negate(&r->y, &r->y, 1);
231 }
232 return 1;
233
234}
235
236static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a) {
237 r->infinity = a->infinity;
238 r->x = a->x;
239 r->y = a->y;
240 secp256k1_fe_set_int(&r->z, 1);
241}
242
243static int secp256k1_gej_eq_x_var(const secp256k1_fe *x, const secp256k1_gej *a) {
244 secp256k1_fe r, r2;
245 VERIFY_CHECK(!a->infinity);
246 secp256k1_fe_sqr(&r, &a->z); secp256k1_fe_mul(&r, &r, x);
247 r2 = a->x; secp256k1_fe_normalize_weak(&r2);
248 return secp256k1_fe_equal_var(&r, &r2);
249}
250
251static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a) {
252 r->infinity = a->infinity;
253 r->x = a->x;
254 r->y = a->y;
255 r->z = a->z;
256 secp256k1_fe_normalize_weak(&r->y);
257 secp256k1_fe_negate(&r->y, &r->y, 1);
258}
259
260static int secp256k1_gej_is_infinity(const secp256k1_gej *a) {
261 return a->infinity;
262}
263
264static int secp256k1_ge_is_valid_var(const secp256k1_ge *a) {
265 secp256k1_fe y2, x3;
266 if (a->infinity) {
267 return 0;
268 }
269 /* y^2 = x^3 + 7 */
270 secp256k1_fe_sqr(&y2, &a->y);
271 secp256k1_fe_sqr(&x3, &a->x); secp256k1_fe_mul(&x3, &x3, &a->x);
272 secp256k1_fe_add(&x3, &secp256k1_fe_const_b);
273 secp256k1_fe_normalize_weak(&x3);
274 return secp256k1_fe_equal_var(&y2, &x3);
275}
276
277static SECP256K1_INLINE void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a) {
278 /* Operations: 3 mul, 4 sqr, 8 add/half/mul_int/negate */
279 secp256k1_fe l, s, t;
280
281 r->infinity = a->infinity;
282
283 /* Formula used:
284 * L = (3/2) * X1^2
285 * S = Y1^2
286 * T = -X1*S
287 * X3 = L^2 + 2*T
288 * Y3 = -(L*(X3 + T) + S^2)
289 * Z3 = Y1*Z1
290 */
291
292 secp256k1_fe_mul(&r->z, &a->z, &a->y); /* Z3 = Y1*Z1 (1) */
293 secp256k1_fe_sqr(&s, &a->y); /* S = Y1^2 (1) */
294 secp256k1_fe_sqr(&l, &a->x); /* L = X1^2 (1) */
295 secp256k1_fe_mul_int(&l, 3); /* L = 3*X1^2 (3) */
296 secp256k1_fe_half(&l); /* L = 3/2*X1^2 (2) */
297 secp256k1_fe_negate(&t, &s, 1); /* T = -S (2) */
298 secp256k1_fe_mul(&t, &t, &a->x); /* T = -X1*S (1) */
299 secp256k1_fe_sqr(&r->x, &l); /* X3 = L^2 (1) */
300 secp256k1_fe_add(&r->x, &t); /* X3 = L^2 + T (2) */
301 secp256k1_fe_add(&r->x, &t); /* X3 = L^2 + 2*T (3) */
302 secp256k1_fe_sqr(&s, &s); /* S' = S^2 (1) */
303 secp256k1_fe_add(&t, &r->x); /* T' = X3 + T (4) */
304 secp256k1_fe_mul(&r->y, &t, &l); /* Y3 = L*(X3 + T) (1) */
305 secp256k1_fe_add(&r->y, &s); /* Y3 = L*(X3 + T) + S^2 (2) */
306 secp256k1_fe_negate(&r->y, &r->y, 2); /* Y3 = -(L*(X3 + T) + S^2) (3) */
307}
308
309static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr) {
320 if (a->infinity) {
321 secp256k1_gej_set_infinity(r);
322 if (rzr != NULL) {
323 secp256k1_fe_set_int(rzr, 1);
324 }
325 return;
326 }
327
328 if (rzr != NULL) {
329 *rzr = a->y;
330 secp256k1_fe_normalize_weak(rzr);
331 }
332
333 secp256k1_gej_double(r, a);
334}
335
336static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr) {
337 /* 12 mul, 4 sqr, 11 add/negate/normalizes_to_zero (ignoring special cases) */
338 secp256k1_fe z22, z12, u1, u2, s1, s2, h, i, h2, h3, t;
339
340 if (a->infinity) {
341 VERIFY_CHECK(rzr == NULL);
342 *r = *b;
343 return;
344 }
345 if (b->infinity) {
346 if (rzr != NULL) {
347 secp256k1_fe_set_int(rzr, 1);
348 }
349 *r = *a;
350 return;
351 }
352
353 secp256k1_fe_sqr(&z22, &b->z);
354 secp256k1_fe_sqr(&z12, &a->z);
355 secp256k1_fe_mul(&u1, &a->x, &z22);
356 secp256k1_fe_mul(&u2, &b->x, &z12);
357 secp256k1_fe_mul(&s1, &a->y, &z22); secp256k1_fe_mul(&s1, &s1, &b->z);
358 secp256k1_fe_mul(&s2, &b->y, &z12); secp256k1_fe_mul(&s2, &s2, &a->z);
359 secp256k1_fe_negate(&h, &u1, 1); secp256k1_fe_add(&h, &u2);
360 secp256k1_fe_negate(&i, &s2, 1); secp256k1_fe_add(&i, &s1);
361 if (secp256k1_fe_normalizes_to_zero_var(&h)) {
362 if (secp256k1_fe_normalizes_to_zero_var(&i)) {
363 secp256k1_gej_double_var(r, a, rzr);
364 } else {
365 if (rzr != NULL) {
366 secp256k1_fe_set_int(rzr, 0);
367 }
368 secp256k1_gej_set_infinity(r);
369 }
370 return;
371 }
372
373 r->infinity = 0;
374 secp256k1_fe_mul(&t, &h, &b->z);
375 if (rzr != NULL) {
376 *rzr = t;
377 }
378 secp256k1_fe_mul(&r->z, &a->z, &t);
379
380 secp256k1_fe_sqr(&h2, &h);
381 secp256k1_fe_negate(&h2, &h2, 1);
382 secp256k1_fe_mul(&h3, &h2, &h);
383 secp256k1_fe_mul(&t, &u1, &h2);
384
385 secp256k1_fe_sqr(&r->x, &i);
386 secp256k1_fe_add(&r->x, &h3);
387 secp256k1_fe_add(&r->x, &t);
388 secp256k1_fe_add(&r->x, &t);
389
390 secp256k1_fe_add(&t, &r->x);
391 secp256k1_fe_mul(&r->y, &t, &i);
392 secp256k1_fe_mul(&h3, &h3, &s1);
393 secp256k1_fe_add(&r->y, &h3);
394}
395
396static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr) {
397 /* 8 mul, 3 sqr, 13 add/negate/normalize_weak/normalizes_to_zero (ignoring special cases) */
398 secp256k1_fe z12, u1, u2, s1, s2, h, i, h2, h3, t;
399 if (a->infinity) {
400 VERIFY_CHECK(rzr == NULL);
401 secp256k1_gej_set_ge(r, b);
402 return;
403 }
404 if (b->infinity) {
405 if (rzr != NULL) {
406 secp256k1_fe_set_int(rzr, 1);
407 }
408 *r = *a;
409 return;
410 }
411
412 secp256k1_fe_sqr(&z12, &a->z);
413 u1 = a->x; secp256k1_fe_normalize_weak(&u1);
414 secp256k1_fe_mul(&u2, &b->x, &z12);
415 s1 = a->y; secp256k1_fe_normalize_weak(&s1);
416 secp256k1_fe_mul(&s2, &b->y, &z12); secp256k1_fe_mul(&s2, &s2, &a->z);
417 secp256k1_fe_negate(&h, &u1, 1); secp256k1_fe_add(&h, &u2);
418 secp256k1_fe_negate(&i, &s2, 1); secp256k1_fe_add(&i, &s1);
419 if (secp256k1_fe_normalizes_to_zero_var(&h)) {
420 if (secp256k1_fe_normalizes_to_zero_var(&i)) {
421 secp256k1_gej_double_var(r, a, rzr);
422 } else {
423 if (rzr != NULL) {
424 secp256k1_fe_set_int(rzr, 0);
425 }
426 secp256k1_gej_set_infinity(r);
427 }
428 return;
429 }
430
431 r->infinity = 0;
432 if (rzr != NULL) {
433 *rzr = h;
434 }
435 secp256k1_fe_mul(&r->z, &a->z, &h);
436
437 secp256k1_fe_sqr(&h2, &h);
438 secp256k1_fe_negate(&h2, &h2, 1);
439 secp256k1_fe_mul(&h3, &h2, &h);
440 secp256k1_fe_mul(&t, &u1, &h2);
441
442 secp256k1_fe_sqr(&r->x, &i);
443 secp256k1_fe_add(&r->x, &h3);
444 secp256k1_fe_add(&r->x, &t);
445 secp256k1_fe_add(&r->x, &t);
446
447 secp256k1_fe_add(&t, &r->x);
448 secp256k1_fe_mul(&r->y, &t, &i);
449 secp256k1_fe_mul(&h3, &h3, &s1);
450 secp256k1_fe_add(&r->y, &h3);
451}
452
453static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv) {
454 /* 9 mul, 3 sqr, 13 add/negate/normalize_weak/normalizes_to_zero (ignoring special cases) */
455 secp256k1_fe az, z12, u1, u2, s1, s2, h, i, h2, h3, t;
456
457 if (a->infinity) {
458 secp256k1_fe bzinv2, bzinv3;
459 r->infinity = b->infinity;
460 secp256k1_fe_sqr(&bzinv2, bzinv);
461 secp256k1_fe_mul(&bzinv3, &bzinv2, bzinv);
462 secp256k1_fe_mul(&r->x, &b->x, &bzinv2);
463 secp256k1_fe_mul(&r->y, &b->y, &bzinv3);
464 secp256k1_fe_set_int(&r->z, 1);
465 return;
466 }
467 if (b->infinity) {
468 *r = *a;
469 return;
470 }
471
480 secp256k1_fe_mul(&az, &a->z, bzinv);
481
482 secp256k1_fe_sqr(&z12, &az);
483 u1 = a->x; secp256k1_fe_normalize_weak(&u1);
484 secp256k1_fe_mul(&u2, &b->x, &z12);
485 s1 = a->y; secp256k1_fe_normalize_weak(&s1);
486 secp256k1_fe_mul(&s2, &b->y, &z12); secp256k1_fe_mul(&s2, &s2, &az);
487 secp256k1_fe_negate(&h, &u1, 1); secp256k1_fe_add(&h, &u2);
488 secp256k1_fe_negate(&i, &s2, 1); secp256k1_fe_add(&i, &s1);
489 if (secp256k1_fe_normalizes_to_zero_var(&h)) {
490 if (secp256k1_fe_normalizes_to_zero_var(&i)) {
491 secp256k1_gej_double_var(r, a, NULL);
492 } else {
493 secp256k1_gej_set_infinity(r);
494 }
495 return;
496 }
497
498 r->infinity = 0;
499 secp256k1_fe_mul(&r->z, &a->z, &h);
500
501 secp256k1_fe_sqr(&h2, &h);
502 secp256k1_fe_negate(&h2, &h2, 1);
503 secp256k1_fe_mul(&h3, &h2, &h);
504 secp256k1_fe_mul(&t, &u1, &h2);
505
506 secp256k1_fe_sqr(&r->x, &i);
507 secp256k1_fe_add(&r->x, &h3);
508 secp256k1_fe_add(&r->x, &t);
509 secp256k1_fe_add(&r->x, &t);
510
511 secp256k1_fe_add(&t, &r->x);
512 secp256k1_fe_mul(&r->y, &t, &i);
513 secp256k1_fe_mul(&h3, &h3, &s1);
514 secp256k1_fe_add(&r->y, &h3);
515}
516
517
518static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b) {
519 /* Operations: 7 mul, 5 sqr, 24 add/cmov/half/mul_int/negate/normalize_weak/normalizes_to_zero */
520 secp256k1_fe zz, u1, u2, s1, s2, t, tt, m, n, q, rr;
521 secp256k1_fe m_alt, rr_alt;
522 int infinity, degenerate;
523 VERIFY_CHECK(!b->infinity);
524 VERIFY_CHECK(a->infinity == 0 || a->infinity == 1);
525
576 secp256k1_fe_sqr(&zz, &a->z); /* z = Z1^2 */
577 u1 = a->x; secp256k1_fe_normalize_weak(&u1); /* u1 = U1 = X1*Z2^2 (1) */
578 secp256k1_fe_mul(&u2, &b->x, &zz); /* u2 = U2 = X2*Z1^2 (1) */
579 s1 = a->y; secp256k1_fe_normalize_weak(&s1); /* s1 = S1 = Y1*Z2^3 (1) */
580 secp256k1_fe_mul(&s2, &b->y, &zz); /* s2 = Y2*Z1^2 (1) */
581 secp256k1_fe_mul(&s2, &s2, &a->z); /* s2 = S2 = Y2*Z1^3 (1) */
582 t = u1; secp256k1_fe_add(&t, &u2); /* t = T = U1+U2 (2) */
583 m = s1; secp256k1_fe_add(&m, &s2); /* m = M = S1+S2 (2) */
584 secp256k1_fe_sqr(&rr, &t); /* rr = T^2 (1) */
585 secp256k1_fe_negate(&m_alt, &u2, 1); /* Malt = -X2*Z1^2 */
586 secp256k1_fe_mul(&tt, &u1, &m_alt); /* tt = -U1*U2 (2) */
587 secp256k1_fe_add(&rr, &tt); /* rr = R = T^2-U1*U2 (3) */
590 degenerate = secp256k1_fe_normalizes_to_zero(&m) &
591 secp256k1_fe_normalizes_to_zero(&rr);
592 /* This only occurs when y1 == -y2 and x1^3 == x2^3, but x1 != x2.
593 * This means either x1 == beta*x2 or beta*x1 == x2, where beta is
594 * a nontrivial cube root of one. In either case, an alternate
595 * non-indeterminate expression for lambda is (y1 - y2)/(x1 - x2),
596 * so we set R/M equal to this. */
597 rr_alt = s1;
598 secp256k1_fe_mul_int(&rr_alt, 2); /* rr = Y1*Z2^3 - Y2*Z1^3 (2) */
599 secp256k1_fe_add(&m_alt, &u1); /* Malt = X1*Z2^2 - X2*Z1^2 */
600
601 secp256k1_fe_cmov(&rr_alt, &rr, !degenerate);
602 secp256k1_fe_cmov(&m_alt, &m, !degenerate);
603 /* Now Ralt / Malt = lambda and is guaranteed not to be 0/0.
604 * From here on out Ralt and Malt represent the numerator
605 * and denominator of lambda; R and M represent the explicit
606 * expressions x1^2 + x2^2 + x1x2 and y1 + y2. */
607 secp256k1_fe_sqr(&n, &m_alt); /* n = Malt^2 (1) */
608 secp256k1_fe_negate(&q, &t, 2); /* q = -T (3) */
609 secp256k1_fe_mul(&q, &q, &n); /* q = Q = -T*Malt^2 (1) */
610 /* These two lines use the observation that either M == Malt or M == 0,
611 * so M^3 * Malt is either Malt^4 (which is computed by squaring), or
612 * zero (which is "computed" by cmov). So the cost is one squaring
613 * versus two multiplications. */
614 secp256k1_fe_sqr(&n, &n);
615 secp256k1_fe_cmov(&n, &m, degenerate); /* n = M^3 * Malt (2) */
616 secp256k1_fe_sqr(&t, &rr_alt); /* t = Ralt^2 (1) */
617 secp256k1_fe_mul(&r->z, &a->z, &m_alt); /* r->z = Z3 = Malt*Z (1) */
618 infinity = secp256k1_fe_normalizes_to_zero(&r->z) & ~a->infinity;
619 secp256k1_fe_add(&t, &q); /* t = Ralt^2 + Q (2) */
620 r->x = t; /* r->x = X3 = Ralt^2 + Q (2) */
621 secp256k1_fe_mul_int(&t, 2); /* t = 2*X3 (4) */
622 secp256k1_fe_add(&t, &q); /* t = 2*X3 + Q (5) */
623 secp256k1_fe_mul(&t, &t, &rr_alt); /* t = Ralt*(2*X3 + Q) (1) */
624 secp256k1_fe_add(&t, &n); /* t = Ralt*(2*X3 + Q) + M^3*Malt (3) */
625 secp256k1_fe_negate(&r->y, &t, 3); /* r->y = -(Ralt*(2*X3 + Q) + M^3*Malt) (4) */
626 secp256k1_fe_half(&r->y); /* r->y = Y3 = -(Ralt*(2*X3 + Q) + M^3*Malt)/2 (3) */
627
629 secp256k1_fe_cmov(&r->x, &b->x, a->infinity);
630 secp256k1_fe_cmov(&r->y, &b->y, a->infinity);
631 secp256k1_fe_cmov(&r->z, &secp256k1_fe_one, a->infinity);
632 r->infinity = infinity;
633}
634
635static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *s) {
636 /* Operations: 4 mul, 1 sqr */
637 secp256k1_fe zz;
638 VERIFY_CHECK(!secp256k1_fe_is_zero(s));
639 secp256k1_fe_sqr(&zz, s);
640 secp256k1_fe_mul(&r->x, &r->x, &zz); /* r->x *= s^2 */
641 secp256k1_fe_mul(&r->y, &r->y, &zz);
642 secp256k1_fe_mul(&r->y, &r->y, s); /* r->y *= s^3 */
643 secp256k1_fe_mul(&r->z, &r->z, s); /* r->z *= s */
644}
645
646static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a) {
647 secp256k1_fe x, y;
648 VERIFY_CHECK(!a->infinity);
649 x = a->x;
650 secp256k1_fe_normalize(&x);
651 y = a->y;
652 secp256k1_fe_normalize(&y);
653 secp256k1_fe_to_storage(&r->x, &x);
654 secp256k1_fe_to_storage(&r->y, &y);
655}
656
657static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a) {
658 secp256k1_fe_from_storage(&r->x, &a->x);
659 secp256k1_fe_from_storage(&r->y, &a->y);
660 r->infinity = 0;
661}
662
663static SECP256K1_INLINE void secp256k1_gej_cmov(secp256k1_gej *r, const secp256k1_gej *a, int flag) {
664 secp256k1_fe_cmov(&r->x, &a->x, flag);
665 secp256k1_fe_cmov(&r->y, &a->y, flag);
666 secp256k1_fe_cmov(&r->z, &a->z, flag);
667
668 r->infinity ^= (r->infinity ^ a->infinity) & flag;
669}
670
671static SECP256K1_INLINE void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag) {
672 secp256k1_fe_storage_cmov(&r->x, &a->x, flag);
673 secp256k1_fe_storage_cmov(&r->y, &a->y, flag);
674}
675
676static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a) {
677 *r = *a;
678 secp256k1_fe_mul(&r->x, &r->x, &secp256k1_const_beta);
679}
680
681static int secp256k1_gej_has_quad_y_var(const secp256k1_gej *a) {
682 secp256k1_fe yz;
683
684 if (a->infinity) {
685 return 0;
686 }
687
688 /* We rely on the fact that the Jacobi symbol of 1 / a->z^3 is the same as
689 * that of a->z. Thus a->y / a->z^3 is a quadratic residue iff a->y * a->z
690 is */
691 secp256k1_fe_mul(&yz, &a->y, &a->z);
692 return secp256k1_fe_is_quad_var(&yz);
693}
694
695static int secp256k1_ge_is_in_correct_subgroup(const secp256k1_ge* ge) {
696#ifdef EXHAUSTIVE_TEST_ORDER
697 secp256k1_gej out;
698 int i;
699
700 /* A very simple EC multiplication ladder that avoids a dependency on ecmult. */
701 secp256k1_gej_set_infinity(&out);
702 for (i = 0; i < 32; ++i) {
703 secp256k1_gej_double_var(&out, &out, NULL);
704 if ((((uint32_t)EXHAUSTIVE_TEST_ORDER) >> (31 - i)) & 1) {
705 secp256k1_gej_add_ge_var(&out, &out, ge, NULL);
706 }
707 }
708 return secp256k1_gej_is_infinity(&out);
709#else
710 (void)ge;
711 /* The real secp256k1 group has cofactor 1, so the subgroup is the entire curve. */
712 return 1;
713#endif
714}
715
716#endif /* SECP256K1_GROUP_IMPL_H */
secp256k1_fe_inv_var
static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *a)
Potentially faster version of secp256k1_fe_inv, without constant-time guarantee.
secp256k1_fe_normalizes_to_zero_var
static int secp256k1_fe_normalizes_to_zero_var(const secp256k1_fe *r)
Verify whether a field element represents zero i.e.
secp256k1_fe_normalize_weak
static void secp256k1_fe_normalize_weak(secp256k1_fe *r)
Weakly normalize a field element: reduce its magnitude to 1, but don't fully normalize.
secp256k1_fe_is_quad_var
static int secp256k1_fe_is_quad_var(const secp256k1_fe *a)
Checks whether a field element is a quadratic residue.
secp256k1_fe_equal_var
static int secp256k1_fe_equal_var(const secp256k1_fe *a, const secp256k1_fe *b)
Same as secp256k1_fe_equal, but may be variable time.
secp256k1_fe_sqrt
static int secp256k1_fe_sqrt(secp256k1_fe *r, const secp256k1_fe *a)
If a has a square root, it is computed in r and 1 is returned.
secp256k1_fe_normalize_var
static void secp256k1_fe_normalize_var(secp256k1_fe *r)
Normalize a field element, without constant-time guarantee.
secp256k1_fe_clear
static void secp256k1_fe_clear(secp256k1_fe *a)
Sets a field element equal to zero, initializing all fields.
secp256k1_fe_inv
static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *a)
Sets a field element to be the (modular) inverse of another.
secp256k1_fe_cmov
static void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_fe_mul_int
static void secp256k1_fe_mul_int(secp256k1_fe *r, int a)
Multiplies the passed field element with a small integer constant.
secp256k1_fe_negate
static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k1_fe *a, int m)
Set a field element equal to the additive inverse of another.
secp256k1_fe_is_odd
static int secp256k1_fe_is_odd(const secp256k1_fe *a)
Check the "oddness" of a field element.
secp256k1_const_beta
static const secp256k1_fe secp256k1_const_beta
Definition: field.h:36
secp256k1_fe_set_int
static void secp256k1_fe_set_int(secp256k1_fe *r, int a)
Set a field element equal to a small (not greater than 0x7FFF), non-negative integer.
secp256k1_fe_mul
static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe *SECP256K1_RESTRICT b)
Sets a field element to be the product of two others.
secp256k1_fe_is_zero
static int secp256k1_fe_is_zero(const secp256k1_fe *a)
Verify whether a field element is zero.
secp256k1_fe_from_storage
static void secp256k1_fe_from_storage(secp256k1_fe *r, const secp256k1_fe_storage *a)
Convert a field element back from the storage type.
secp256k1_fe_sqr
static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a)
Sets a field element to be the square of another.
secp256k1_fe_one
static const secp256k1_fe secp256k1_fe_one
Field element module.
Definition: field.h:35
secp256k1_fe_normalizes_to_zero
static int secp256k1_fe_normalizes_to_zero(const secp256k1_fe *r)
Verify whether a field element represents zero i.e.
secp256k1_fe_add
static void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a)
Adds a field element to another.
secp256k1_fe_normalize
static void secp256k1_fe_normalize(secp256k1_fe *r)
Normalize a field element.
secp256k1_fe_half
static void secp256k1_fe_half(secp256k1_fe *r)
Halves the value of a field element modulo the field prime.
secp256k1_fe_to_storage
static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a)
Convert a field element to the storage type.
secp256k1_fe_storage_cmov
static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
SECP256K1_FE_CONST
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:40
secp256k1_gej_double_var
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Definition: group_impl.h:309
secp256k1_gej_add_zinv_var
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Definition: group_impl.h:453
SECP256K1_G_ORDER_13
#define SECP256K1_G_ORDER_13
Definition: group_impl.h:13
secp256k1_gej_clear
static void secp256k1_gej_clear(secp256k1_gej *r)
Definition: group_impl.h:201
secp256k1_ge_mul_lambda
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Definition: group_impl.h:676
secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Definition: group_impl.h:188
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Definition: group_impl.h:260
secp256k1_ge_clear
static void secp256k1_ge_clear(secp256k1_ge *r)
Definition: group_impl.h:208
secp256k1_ge_set_xy
static void secp256k1_ge_set_xy(secp256k1_ge *r, const secp256k1_fe *x, const secp256k1_fe *y)
Definition: group_impl.h:78
secp256k1_ge_set_xo_var
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Definition: group_impl.h:224
secp256k1_gej_add_ge_var
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Definition: group_impl.h:396
secp256k1_gej_cmov
static SECP256K1_INLINE void secp256k1_gej_cmov(secp256k1_gej *r, const secp256k1_gej *a, int flag)
Definition: group_impl.h:663
secp256k1_gej_add_ge
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Definition: group_impl.h:518
SECP256K1_G
#define SECP256K1_G
Generator for secp256k1, value 'g' defined in "Standards for Efficient Cryptography" (SEC2) 2....
Definition: group_impl.h:28
secp256k1_ge_set_gej_zinv
static void secp256k1_ge_set_gej_zinv(secp256k1_ge *r, const secp256k1_gej *a, const secp256k1_fe *zi)
Definition: group_impl.h:67
secp256k1_ge_is_valid_var
static int secp256k1_ge_is_valid_var(const secp256k1_ge *a)
Definition: group_impl.h:264
secp256k1_ge_from_storage
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Definition: group_impl.h:657
secp256k1_gej_add_var
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Definition: group_impl.h:336
secp256k1_gej_rescale
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *s)
Definition: group_impl.h:635
secp256k1_ge_set_xquad
static int secp256k1_ge_set_xquad(secp256k1_ge *r, const secp256k1_fe *x)
Definition: group_impl.h:214
secp256k1_gej_eq_x_var
static int secp256k1_gej_eq_x_var(const secp256k1_fe *x, const secp256k1_gej *a)
Definition: group_impl.h:243
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Definition: group_impl.h:94
secp256k1_ge_is_in_correct_subgroup
static int secp256k1_ge_is_in_correct_subgroup(const secp256k1_ge *ge)
Definition: group_impl.h:695
secp256k1_ge_table_set_globalz
static void secp256k1_ge_table_set_globalz(size_t len, secp256k1_ge *a, const secp256k1_fe *zr)
Definition: group_impl.h:164
secp256k1_fe_const_b
static const secp256k1_fe secp256k1_fe_const_b
Definition: group_impl.h:64
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Definition: group_impl.h:88
secp256k1_ge_const_g
static const secp256k1_ge secp256k1_ge_const_g
Definition: group_impl.h:62
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Definition: group_impl.h:84
secp256k1_ge_set_infinity
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Definition: group_impl.h:195
secp256k1_ge_set_all_gej_var
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Definition: group_impl.h:122
secp256k1_gej_set_ge
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Definition: group_impl.h:236
secp256k1_ge_to_storage
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Definition: group_impl.h:646
secp256k1_ge_storage_cmov
static SECP256K1_INLINE void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
Definition: group_impl.h:671
SECP256K1_G_ORDER_199
#define SECP256K1_G_ORDER_199
Definition: group_impl.h:19
secp256k1_ge_set_gej_var
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Definition: group_impl.h:107
secp256k1_gej_has_quad_y_var
static int secp256k1_gej_has_quad_y_var(const secp256k1_gej *a)
Definition: group_impl.h:681
secp256k1_gej_neg
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Definition: group_impl.h:251
secp256k1_gej_double
static SECP256K1_INLINE void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Definition: group_impl.h:277
VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:100
SECP256K1_INLINE
#define SECP256K1_INLINE
Definition: secp256k1.h:127
secp256k1_fe
Definition: field_10x26.h:12
secp256k1_ge_storage
Definition: group.h:38
secp256k1_ge_storage::x
secp256k1_fe_storage x
Definition: group.h:39
secp256k1_ge_storage::y
secp256k1_fe_storage y
Definition: group.h:40
secp256k1_ge
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
secp256k1_ge::infinity
int infinity
Definition: group.h:19
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:17
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:18
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_gej::y
secp256k1_fe y
Definition: group.h:30
secp256k1_gej::x
secp256k1_fe x
Definition: group.h:29
secp256k1_gej::infinity
int infinity
Definition: group.h:32
secp256k1_gej::z
secp256k1_fe z
Definition: group.h:31
EXHAUSTIVE_TEST_ORDER
#define EXHAUSTIVE_TEST_ORDER
Definition: tests_exhaustive.c:17
Generated on Fri Feb 13 2026 20:17:44 for Bitcoin ABC by doxygen 1.9.4