Bitcoin ABC 0.32.10
P2P Digital Currency
modinv64_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2020 Peter Dettman *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
6
7#ifndef SECP256K1_MODINV64_IMPL_H
8#define SECP256K1_MODINV64_IMPL_H
9
10#include "int128.h"
11#include "modinv64.h"
12
13/* This file implements modular inversion based on the paper "Fast constant-time gcd computation and
14 * modular inversion" by Daniel J. Bernstein and Bo-Yin Yang.
15 *
16 * For an explanation of the algorithm, see doc/safegcd_implementation.md. This file contains an
17 * implementation for N=62, using 62-bit signed limbs represented as int64_t.
18 */
19
20/* Data type for transition matrices (see section 3 of explanation).
21 *
22 * t = [ u v ]
23 * [ q r ]
24 */
25typedef struct {
26 int64_t u, v, q, r;
27} secp256k1_modinv64_trans2x2;
28
29#ifdef VERIFY
30/* Helper function to compute the absolute value of an int64_t.
31 * (we don't use abs/labs/llabs as it depends on the int sizes). */
32static int64_t secp256k1_modinv64_abs(int64_t v) {
33 VERIFY_CHECK(v > INT64_MIN);
34 if (v < 0) return -v;
35 return v;
36}
37
38static const secp256k1_modinv64_signed62 SECP256K1_SIGNED62_ONE = {{1}};
39
40/* Compute a*factor and put it in r. All but the top limb in r will be in range [0,2^62). */
41static void secp256k1_modinv64_mul_62(secp256k1_modinv64_signed62 *r, const secp256k1_modinv64_signed62 *a, int alen, int64_t factor) {
42 const uint64_t M62 = UINT64_MAX >> 2;
43 secp256k1_int128 c, d;
44 int i;
45 secp256k1_i128_from_i64(&c, 0);
46 for (i = 0; i < 4; ++i) {
47 if (i < alen) secp256k1_i128_accum_mul(&c, a->v[i], factor);
48 r->v[i] = secp256k1_i128_to_u64(&c) & M62; secp256k1_i128_rshift(&c, 62);
49 }
50 if (4 < alen) secp256k1_i128_accum_mul(&c, a->v[4], factor);
51 secp256k1_i128_from_i64(&d, secp256k1_i128_to_i64(&c));
52 VERIFY_CHECK(secp256k1_i128_eq_var(&c, &d));
53 r->v[4] = secp256k1_i128_to_i64(&c);
54}
55
56/* Return -1 for a<b*factor, 0 for a==b*factor, 1 for a>b*factor. A has alen limbs; b has 5. */
57static int secp256k1_modinv64_mul_cmp_62(const secp256k1_modinv64_signed62 *a, int alen, const secp256k1_modinv64_signed62 *b, int64_t factor) {
58 int i;
59 secp256k1_modinv64_signed62 am, bm;
60 secp256k1_modinv64_mul_62(&am, a, alen, 1); /* Normalize all but the top limb of a. */
61 secp256k1_modinv64_mul_62(&bm, b, 5, factor);
62 for (i = 0; i < 4; ++i) {
63 /* Verify that all but the top limb of a and b are normalized. */
64 VERIFY_CHECK(am.v[i] >> 62 == 0);
65 VERIFY_CHECK(bm.v[i] >> 62 == 0);
66 }
67 for (i = 4; i >= 0; --i) {
68 if (am.v[i] < bm.v[i]) return -1;
69 if (am.v[i] > bm.v[i]) return 1;
70 }
71 return 0;
72}
73
74/* Check if the determinant of t is equal to 1 << n. */
75static int secp256k1_modinv64_det_check_pow2(const secp256k1_modinv64_trans2x2 *t, unsigned int n) {
76 secp256k1_int128 a;
77 secp256k1_i128_det(&a, t->u, t->v, t->q, t->r);
78 return secp256k1_i128_check_pow2(&a, n);
79}
80#endif
81
82/* Take as input a signed62 number in range (-2*modulus,modulus), and add a multiple of the modulus
83 * to it to bring it to range [0,modulus). If sign < 0, the input will also be negated in the
84 * process. The input must have limbs in range (-2^62,2^62). The output will have limbs in range
85 * [0,2^62). */
86static void secp256k1_modinv64_normalize_62(secp256k1_modinv64_signed62 *r, int64_t sign, const secp256k1_modinv64_modinfo *modinfo) {
87 const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
88 int64_t r0 = r->v[0], r1 = r->v[1], r2 = r->v[2], r3 = r->v[3], r4 = r->v[4];
89 volatile int64_t cond_add, cond_negate;
90
91#ifdef VERIFY
92 /* Verify that all limbs are in range (-2^62,2^62). */
93 int i;
94 for (i = 0; i < 5; ++i) {
95 VERIFY_CHECK(r->v[i] >= -M62);
96 VERIFY_CHECK(r->v[i] <= M62);
97 }
98 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(r, 5, &modinfo->modulus, -2) > 0); /* r > -2*modulus */
99 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(r, 5, &modinfo->modulus, 1) < 0); /* r < modulus */
100#endif
101
102 /* In a first step, add the modulus if the input is negative, and then negate if requested.
103 * This brings r from range (-2*modulus,modulus) to range (-modulus,modulus). As all input
104 * limbs are in range (-2^62,2^62), this cannot overflow an int64_t. Note that the right
105 * shifts below are signed sign-extending shifts (see assumptions.h for tests that that is
106 * indeed the behavior of the right shift operator). */
107 cond_add = r4 >> 63;
108 r0 += modinfo->modulus.v[0] & cond_add;
109 r1 += modinfo->modulus.v[1] & cond_add;
110 r2 += modinfo->modulus.v[2] & cond_add;
111 r3 += modinfo->modulus.v[3] & cond_add;
112 r4 += modinfo->modulus.v[4] & cond_add;
113 cond_negate = sign >> 63;
114 r0 = (r0 ^ cond_negate) - cond_negate;
115 r1 = (r1 ^ cond_negate) - cond_negate;
116 r2 = (r2 ^ cond_negate) - cond_negate;
117 r3 = (r3 ^ cond_negate) - cond_negate;
118 r4 = (r4 ^ cond_negate) - cond_negate;
119 /* Propagate the top bits, to bring limbs back to range (-2^62,2^62). */
120 r1 += r0 >> 62; r0 &= M62;
121 r2 += r1 >> 62; r1 &= M62;
122 r3 += r2 >> 62; r2 &= M62;
123 r4 += r3 >> 62; r3 &= M62;
124
125 /* In a second step add the modulus again if the result is still negative, bringing
126 * r to range [0,modulus). */
127 cond_add = r4 >> 63;
128 r0 += modinfo->modulus.v[0] & cond_add;
129 r1 += modinfo->modulus.v[1] & cond_add;
130 r2 += modinfo->modulus.v[2] & cond_add;
131 r3 += modinfo->modulus.v[3] & cond_add;
132 r4 += modinfo->modulus.v[4] & cond_add;
133 /* And propagate again. */
134 r1 += r0 >> 62; r0 &= M62;
135 r2 += r1 >> 62; r1 &= M62;
136 r3 += r2 >> 62; r2 &= M62;
137 r4 += r3 >> 62; r3 &= M62;
138
139 r->v[0] = r0;
140 r->v[1] = r1;
141 r->v[2] = r2;
142 r->v[3] = r3;
143 r->v[4] = r4;
144
145#ifdef VERIFY
146 VERIFY_CHECK(r0 >> 62 == 0);
147 VERIFY_CHECK(r1 >> 62 == 0);
148 VERIFY_CHECK(r2 >> 62 == 0);
149 VERIFY_CHECK(r3 >> 62 == 0);
150 VERIFY_CHECK(r4 >> 62 == 0);
151 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(r, 5, &modinfo->modulus, 0) >= 0); /* r >= 0 */
152 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(r, 5, &modinfo->modulus, 1) < 0); /* r < modulus */
153#endif
154}
155
156/* Compute the transition matrix and eta for 59 divsteps (where zeta=-(delta+1/2)).
157 * Note that the transformation matrix is scaled by 2^62 and not 2^59.
158 *
159 * Input: zeta: initial zeta
160 * f0: bottom limb of initial f
161 * g0: bottom limb of initial g
162 * Output: t: transition matrix
163 * Return: final zeta
164 *
165 * Implements the divsteps_n_matrix function from the explanation.
166 */
167static int64_t secp256k1_modinv64_divsteps_59(int64_t zeta, uint64_t f0, uint64_t g0, secp256k1_modinv64_trans2x2 *t) {
168 /* u,v,q,r are the elements of the transformation matrix being built up,
169 * starting with the identity matrix times 8 (because the caller expects
170 * a result scaled by 2^62). Semantically they are signed integers
171 * in range [-2^62,2^62], but here represented as unsigned mod 2^64. This
172 * permits left shifting (which is UB for negative numbers). The range
173 * being inside [-2^63,2^63) means that casting to signed works correctly.
174 */
175 uint64_t u = 8, v = 0, q = 0, r = 8;
176 volatile uint64_t c1, c2;
177 uint64_t mask1, mask2, f = f0, g = g0, x, y, z;
178 int i;
179
180 for (i = 3; i < 62; ++i) {
181 VERIFY_CHECK((f & 1) == 1); /* f must always be odd */
182 VERIFY_CHECK((u * f0 + v * g0) == f << i);
183 VERIFY_CHECK((q * f0 + r * g0) == g << i);
184 /* Compute conditional masks for (zeta < 0) and for (g & 1). */
185 c1 = zeta >> 63;
186 mask1 = c1;
187 c2 = g & 1;
188 mask2 = -c2;
189 /* Compute x,y,z, conditionally negated versions of f,u,v. */
190 x = (f ^ mask1) - mask1;
191 y = (u ^ mask1) - mask1;
192 z = (v ^ mask1) - mask1;
193 /* Conditionally add x,y,z to g,q,r. */
194 g += x & mask2;
195 q += y & mask2;
196 r += z & mask2;
197 /* In what follows, c1 is a condition mask for (zeta < 0) and (g & 1). */
198 mask1 &= mask2;
199 /* Conditionally change zeta into -zeta-2 or zeta-1. */
200 zeta = (zeta ^ mask1) - 1;
201 /* Conditionally add g,q,r to f,u,v. */
202 f += g & mask1;
203 u += q & mask1;
204 v += r & mask1;
205 /* Shifts */
206 g >>= 1;
207 u <<= 1;
208 v <<= 1;
209 /* Bounds on zeta that follow from the bounds on iteration count (max 10*59 divsteps). */
210 VERIFY_CHECK(zeta >= -591 && zeta <= 591);
211 }
212 /* Return data in t and return value. */
213 t->u = (int64_t)u;
214 t->v = (int64_t)v;
215 t->q = (int64_t)q;
216 t->r = (int64_t)r;
217#ifdef VERIFY
218 /* The determinant of t must be a power of two. This guarantees that multiplication with t
219 * does not change the gcd of f and g, apart from adding a power-of-2 factor to it (which
220 * will be divided out again). As each divstep's individual matrix has determinant 2, the
221 * aggregate of 59 of them will have determinant 2^59. Multiplying with the initial
222 * 8*identity (which has determinant 2^6) means the overall outputs has determinant
223 * 2^65. */
224 VERIFY_CHECK(secp256k1_modinv64_det_check_pow2(t, 65));
225#endif
226 return zeta;
227}
228
229/* Compute the transition matrix and eta for 62 divsteps (variable time, eta=-delta).
230 *
231 * Input: eta: initial eta
232 * f0: bottom limb of initial f
233 * g0: bottom limb of initial g
234 * Output: t: transition matrix
235 * Return: final eta
236 *
237 * Implements the divsteps_n_matrix_var function from the explanation.
238 */
239static int64_t secp256k1_modinv64_divsteps_62_var(int64_t eta, uint64_t f0, uint64_t g0, secp256k1_modinv64_trans2x2 *t) {
240 /* Transformation matrix; see comments in secp256k1_modinv64_divsteps_62. */
241 uint64_t u = 1, v = 0, q = 0, r = 1;
242 uint64_t f = f0, g = g0, m;
243 uint32_t w;
244 int i = 62, limit, zeros;
245
246 for (;;) {
247 /* Use a sentinel bit to count zeros only up to i. */
248 zeros = secp256k1_ctz64_var(g | (UINT64_MAX << i));
249 /* Perform zeros divsteps at once; they all just divide g by two. */
250 g >>= zeros;
251 u <<= zeros;
252 v <<= zeros;
253 eta -= zeros;
254 i -= zeros;
255 /* We're done once we've done 62 divsteps. */
256 if (i == 0) break;
257 VERIFY_CHECK((f & 1) == 1);
258 VERIFY_CHECK((g & 1) == 1);
259 VERIFY_CHECK((u * f0 + v * g0) == f << (62 - i));
260 VERIFY_CHECK((q * f0 + r * g0) == g << (62 - i));
261 /* Bounds on eta that follow from the bounds on iteration count (max 12*62 divsteps). */
262 VERIFY_CHECK(eta >= -745 && eta <= 745);
263 /* If eta is negative, negate it and replace f,g with g,-f. */
264 if (eta < 0) {
265 uint64_t tmp;
266 eta = -eta;
267 tmp = f; f = g; g = -tmp;
268 tmp = u; u = q; q = -tmp;
269 tmp = v; v = r; r = -tmp;
270 /* Use a formula to cancel out up to 6 bits of g. Also, no more than i can be cancelled
271 * out (as we'd be done before that point), and no more than eta+1 can be done as its
272 * will flip again once that happens. */
273 limit = ((int)eta + 1) > i ? i : ((int)eta + 1);
274 VERIFY_CHECK(limit > 0 && limit <= 62);
275 /* m is a mask for the bottom min(limit, 6) bits. */
276 m = (UINT64_MAX >> (64 - limit)) & 63U;
277 /* Find what multiple of f must be added to g to cancel its bottom min(limit, 6)
278 * bits. */
279 w = (f * g * (f * f - 2)) & m;
280 } else {
281 /* In this branch, use a simpler formula that only lets us cancel up to 4 bits of g, as
282 * eta tends to be smaller here. */
283 limit = ((int)eta + 1) > i ? i : ((int)eta + 1);
284 VERIFY_CHECK(limit > 0 && limit <= 62);
285 /* m is a mask for the bottom min(limit, 4) bits. */
286 m = (UINT64_MAX >> (64 - limit)) & 15U;
287 /* Find what multiple of f must be added to g to cancel its bottom min(limit, 4)
288 * bits. */
289 w = f + (((f + 1) & 4) << 1);
290 w = (-w * g) & m;
291 }
292 g += f * w;
293 q += u * w;
294 r += v * w;
295 VERIFY_CHECK((g & m) == 0);
296 }
297 /* Return data in t and return value. */
298 t->u = (int64_t)u;
299 t->v = (int64_t)v;
300 t->q = (int64_t)q;
301 t->r = (int64_t)r;
302#ifdef VERIFY
303 /* The determinant of t must be a power of two. This guarantees that multiplication with t
304 * does not change the gcd of f and g, apart from adding a power-of-2 factor to it (which
305 * will be divided out again). As each divstep's individual matrix has determinant 2, the
306 * aggregate of 62 of them will have determinant 2^62. */
307 VERIFY_CHECK(secp256k1_modinv64_det_check_pow2(t, 62));
308#endif
309 return eta;
310}
311
312/* Compute (t/2^62) * [d, e] mod modulus, where t is a transition matrix scaled by 2^62.
313 *
314 * On input and output, d and e are in range (-2*modulus,modulus). All output limbs will be in range
315 * (-2^62,2^62).
316 *
317 * This implements the update_de function from the explanation.
318 */
319static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp256k1_modinv64_signed62 *e, const secp256k1_modinv64_trans2x2 *t, const secp256k1_modinv64_modinfo* modinfo) {
320 const uint64_t M62 = UINT64_MAX >> 2;
321 const int64_t d0 = d->v[0], d1 = d->v[1], d2 = d->v[2], d3 = d->v[3], d4 = d->v[4];
322 const int64_t e0 = e->v[0], e1 = e->v[1], e2 = e->v[2], e3 = e->v[3], e4 = e->v[4];
323 const int64_t u = t->u, v = t->v, q = t->q, r = t->r;
324 int64_t md, me, sd, se;
325 secp256k1_int128 cd, ce;
326#ifdef VERIFY
327 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(d, 5, &modinfo->modulus, -2) > 0); /* d > -2*modulus */
328 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(d, 5, &modinfo->modulus, 1) < 0); /* d < modulus */
329 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(e, 5, &modinfo->modulus, -2) > 0); /* e > -2*modulus */
330 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(e, 5, &modinfo->modulus, 1) < 0); /* e < modulus */
331 VERIFY_CHECK((secp256k1_modinv64_abs(u) + secp256k1_modinv64_abs(v)) >= 0); /* |u|+|v| doesn't overflow */
332 VERIFY_CHECK((secp256k1_modinv64_abs(q) + secp256k1_modinv64_abs(r)) >= 0); /* |q|+|r| doesn't overflow */
333 VERIFY_CHECK((secp256k1_modinv64_abs(u) + secp256k1_modinv64_abs(v)) <= (int64_t)1 << 62); /* |u|+|v| <= 2^62 */
334 VERIFY_CHECK((secp256k1_modinv64_abs(q) + secp256k1_modinv64_abs(r)) <= (int64_t)1 << 62); /* |q|+|r| <= 2^62 */
335#endif
336 /* [md,me] start as zero; plus [u,q] if d is negative; plus [v,r] if e is negative. */
337 sd = d4 >> 63;
338 se = e4 >> 63;
339 md = (u & sd) + (v & se);
340 me = (q & sd) + (r & se);
341 /* Begin computing t*[d,e]. */
342 secp256k1_i128_mul(&cd, u, d0);
343 secp256k1_i128_accum_mul(&cd, v, e0);
344 secp256k1_i128_mul(&ce, q, d0);
345 secp256k1_i128_accum_mul(&ce, r, e0);
346 /* Correct md,me so that t*[d,e]+modulus*[md,me] has 62 zero bottom bits. */
347 md -= (modinfo->modulus_inv62 * secp256k1_i128_to_u64(&cd) + md) & M62;
348 me -= (modinfo->modulus_inv62 * secp256k1_i128_to_u64(&ce) + me) & M62;
349 /* Update the beginning of computation for t*[d,e]+modulus*[md,me] now md,me are known. */
350 secp256k1_i128_accum_mul(&cd, modinfo->modulus.v[0], md);
351 secp256k1_i128_accum_mul(&ce, modinfo->modulus.v[0], me);
352 /* Verify that the low 62 bits of the computation are indeed zero, and then throw them away. */
353 VERIFY_CHECK((secp256k1_i128_to_u64(&cd) & M62) == 0); secp256k1_i128_rshift(&cd, 62);
354 VERIFY_CHECK((secp256k1_i128_to_u64(&ce) & M62) == 0); secp256k1_i128_rshift(&ce, 62);
355 /* Compute limb 1 of t*[d,e]+modulus*[md,me], and store it as output limb 0 (= down shift). */
356 secp256k1_i128_accum_mul(&cd, u, d1);
357 secp256k1_i128_accum_mul(&cd, v, e1);
358 secp256k1_i128_accum_mul(&ce, q, d1);
359 secp256k1_i128_accum_mul(&ce, r, e1);
360 if (modinfo->modulus.v[1]) { /* Optimize for the case where limb of modulus is zero. */
361 secp256k1_i128_accum_mul(&cd, modinfo->modulus.v[1], md);
362 secp256k1_i128_accum_mul(&ce, modinfo->modulus.v[1], me);
363 }
364 d->v[0] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62);
365 e->v[0] = secp256k1_i128_to_u64(&ce) & M62; secp256k1_i128_rshift(&ce, 62);
366 /* Compute limb 2 of t*[d,e]+modulus*[md,me], and store it as output limb 1. */
367 secp256k1_i128_accum_mul(&cd, u, d2);
368 secp256k1_i128_accum_mul(&cd, v, e2);
369 secp256k1_i128_accum_mul(&ce, q, d2);
370 secp256k1_i128_accum_mul(&ce, r, e2);
371 if (modinfo->modulus.v[2]) { /* Optimize for the case where limb of modulus is zero. */
372 secp256k1_i128_accum_mul(&cd, modinfo->modulus.v[2], md);
373 secp256k1_i128_accum_mul(&ce, modinfo->modulus.v[2], me);
374 }
375 d->v[1] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62);
376 e->v[1] = secp256k1_i128_to_u64(&ce) & M62; secp256k1_i128_rshift(&ce, 62);
377 /* Compute limb 3 of t*[d,e]+modulus*[md,me], and store it as output limb 2. */
378 secp256k1_i128_accum_mul(&cd, u, d3);
379 secp256k1_i128_accum_mul(&cd, v, e3);
380 secp256k1_i128_accum_mul(&ce, q, d3);
381 secp256k1_i128_accum_mul(&ce, r, e3);
382 if (modinfo->modulus.v[3]) { /* Optimize for the case where limb of modulus is zero. */
383 secp256k1_i128_accum_mul(&cd, modinfo->modulus.v[3], md);
384 secp256k1_i128_accum_mul(&ce, modinfo->modulus.v[3], me);
385 }
386 d->v[2] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62);
387 e->v[2] = secp256k1_i128_to_u64(&ce) & M62; secp256k1_i128_rshift(&ce, 62);
388 /* Compute limb 4 of t*[d,e]+modulus*[md,me], and store it as output limb 3. */
389 secp256k1_i128_accum_mul(&cd, u, d4);
390 secp256k1_i128_accum_mul(&cd, v, e4);
391 secp256k1_i128_accum_mul(&ce, q, d4);
392 secp256k1_i128_accum_mul(&ce, r, e4);
393 secp256k1_i128_accum_mul(&cd, modinfo->modulus.v[4], md);
394 secp256k1_i128_accum_mul(&ce, modinfo->modulus.v[4], me);
395 d->v[3] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62);
396 e->v[3] = secp256k1_i128_to_u64(&ce) & M62; secp256k1_i128_rshift(&ce, 62);
397 /* What remains is limb 5 of t*[d,e]+modulus*[md,me]; store it as output limb 4. */
398 d->v[4] = secp256k1_i128_to_i64(&cd);
399 e->v[4] = secp256k1_i128_to_i64(&ce);
400#ifdef VERIFY
401 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(d, 5, &modinfo->modulus, -2) > 0); /* d > -2*modulus */
402 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(d, 5, &modinfo->modulus, 1) < 0); /* d < modulus */
403 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(e, 5, &modinfo->modulus, -2) > 0); /* e > -2*modulus */
404 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(e, 5, &modinfo->modulus, 1) < 0); /* e < modulus */
405#endif
406}
407
408/* Compute (t/2^62) * [f, g], where t is a transition matrix scaled by 2^62.
409 *
410 * This implements the update_fg function from the explanation.
411 */
412static void secp256k1_modinv64_update_fg_62(secp256k1_modinv64_signed62 *f, secp256k1_modinv64_signed62 *g, const secp256k1_modinv64_trans2x2 *t) {
413 const uint64_t M62 = UINT64_MAX >> 2;
414 const int64_t f0 = f->v[0], f1 = f->v[1], f2 = f->v[2], f3 = f->v[3], f4 = f->v[4];
415 const int64_t g0 = g->v[0], g1 = g->v[1], g2 = g->v[2], g3 = g->v[3], g4 = g->v[4];
416 const int64_t u = t->u, v = t->v, q = t->q, r = t->r;
417 secp256k1_int128 cf, cg;
418 /* Start computing t*[f,g]. */
419 secp256k1_i128_mul(&cf, u, f0);
420 secp256k1_i128_accum_mul(&cf, v, g0);
421 secp256k1_i128_mul(&cg, q, f0);
422 secp256k1_i128_accum_mul(&cg, r, g0);
423 /* Verify that the bottom 62 bits of the result are zero, and then throw them away. */
424 VERIFY_CHECK((secp256k1_i128_to_u64(&cf) & M62) == 0); secp256k1_i128_rshift(&cf, 62);
425 VERIFY_CHECK((secp256k1_i128_to_u64(&cg) & M62) == 0); secp256k1_i128_rshift(&cg, 62);
426 /* Compute limb 1 of t*[f,g], and store it as output limb 0 (= down shift). */
427 secp256k1_i128_accum_mul(&cf, u, f1);
428 secp256k1_i128_accum_mul(&cf, v, g1);
429 secp256k1_i128_accum_mul(&cg, q, f1);
430 secp256k1_i128_accum_mul(&cg, r, g1);
431 f->v[0] = secp256k1_i128_to_u64(&cf) & M62; secp256k1_i128_rshift(&cf, 62);
432 g->v[0] = secp256k1_i128_to_u64(&cg) & M62; secp256k1_i128_rshift(&cg, 62);
433 /* Compute limb 2 of t*[f,g], and store it as output limb 1. */
434 secp256k1_i128_accum_mul(&cf, u, f2);
435 secp256k1_i128_accum_mul(&cf, v, g2);
436 secp256k1_i128_accum_mul(&cg, q, f2);
437 secp256k1_i128_accum_mul(&cg, r, g2);
438 f->v[1] = secp256k1_i128_to_u64(&cf) & M62; secp256k1_i128_rshift(&cf, 62);
439 g->v[1] = secp256k1_i128_to_u64(&cg) & M62; secp256k1_i128_rshift(&cg, 62);
440 /* Compute limb 3 of t*[f,g], and store it as output limb 2. */
441 secp256k1_i128_accum_mul(&cf, u, f3);
442 secp256k1_i128_accum_mul(&cf, v, g3);
443 secp256k1_i128_accum_mul(&cg, q, f3);
444 secp256k1_i128_accum_mul(&cg, r, g3);
445 f->v[2] = secp256k1_i128_to_u64(&cf) & M62; secp256k1_i128_rshift(&cf, 62);
446 g->v[2] = secp256k1_i128_to_u64(&cg) & M62; secp256k1_i128_rshift(&cg, 62);
447 /* Compute limb 4 of t*[f,g], and store it as output limb 3. */
448 secp256k1_i128_accum_mul(&cf, u, f4);
449 secp256k1_i128_accum_mul(&cf, v, g4);
450 secp256k1_i128_accum_mul(&cg, q, f4);
451 secp256k1_i128_accum_mul(&cg, r, g4);
452 f->v[3] = secp256k1_i128_to_u64(&cf) & M62; secp256k1_i128_rshift(&cf, 62);
453 g->v[3] = secp256k1_i128_to_u64(&cg) & M62; secp256k1_i128_rshift(&cg, 62);
454 /* What remains is limb 5 of t*[f,g]; store it as output limb 4. */
455 f->v[4] = secp256k1_i128_to_i64(&cf);
456 g->v[4] = secp256k1_i128_to_i64(&cg);
457}
458
459/* Compute (t/2^62) * [f, g], where t is a transition matrix for 62 divsteps.
460 *
461 * Version that operates on a variable number of limbs in f and g.
462 *
463 * This implements the update_fg function from the explanation.
464 */
465static void secp256k1_modinv64_update_fg_62_var(int len, secp256k1_modinv64_signed62 *f, secp256k1_modinv64_signed62 *g, const secp256k1_modinv64_trans2x2 *t) {
466 const uint64_t M62 = UINT64_MAX >> 2;
467 const int64_t u = t->u, v = t->v, q = t->q, r = t->r;
468 int64_t fi, gi;
469 secp256k1_int128 cf, cg;
470 int i;
471 VERIFY_CHECK(len > 0);
472 /* Start computing t*[f,g]. */
473 fi = f->v[0];
474 gi = g->v[0];
475 secp256k1_i128_mul(&cf, u, fi);
476 secp256k1_i128_accum_mul(&cf, v, gi);
477 secp256k1_i128_mul(&cg, q, fi);
478 secp256k1_i128_accum_mul(&cg, r, gi);
479 /* Verify that the bottom 62 bits of the result are zero, and then throw them away. */
480 VERIFY_CHECK((secp256k1_i128_to_u64(&cf) & M62) == 0); secp256k1_i128_rshift(&cf, 62);
481 VERIFY_CHECK((secp256k1_i128_to_u64(&cg) & M62) == 0); secp256k1_i128_rshift(&cg, 62);
482 /* Now iteratively compute limb i=1..len of t*[f,g], and store them in output limb i-1 (shifting
483 * down by 62 bits). */
484 for (i = 1; i < len; ++i) {
485 fi = f->v[i];
486 gi = g->v[i];
487 secp256k1_i128_accum_mul(&cf, u, fi);
488 secp256k1_i128_accum_mul(&cf, v, gi);
489 secp256k1_i128_accum_mul(&cg, q, fi);
490 secp256k1_i128_accum_mul(&cg, r, gi);
491 f->v[i - 1] = secp256k1_i128_to_u64(&cf) & M62; secp256k1_i128_rshift(&cf, 62);
492 g->v[i - 1] = secp256k1_i128_to_u64(&cg) & M62; secp256k1_i128_rshift(&cg, 62);
493 }
494 /* What remains is limb (len) of t*[f,g]; store it as output limb (len-1). */
495 f->v[len - 1] = secp256k1_i128_to_i64(&cf);
496 g->v[len - 1] = secp256k1_i128_to_i64(&cg);
497}
498
499/* Compute the inverse of x modulo modinfo->modulus, and replace x with it (constant time in x). */
500static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo) {
501 /* Start with d=0, e=1, f=modulus, g=x, zeta=-1. */
502 secp256k1_modinv64_signed62 d = {{0, 0, 0, 0, 0}};
503 secp256k1_modinv64_signed62 e = {{1, 0, 0, 0, 0}};
504 secp256k1_modinv64_signed62 f = modinfo->modulus;
505 secp256k1_modinv64_signed62 g = *x;
506 int i;
507 int64_t zeta = -1; /* zeta = -(delta+1/2); delta starts at 1/2. */
508
509 /* Do 10 iterations of 59 divsteps each = 590 divsteps. This suffices for 256-bit inputs. */
510 for (i = 0; i < 10; ++i) {
511 /* Compute transition matrix and new zeta after 59 divsteps. */
512 secp256k1_modinv64_trans2x2 t;
513 zeta = secp256k1_modinv64_divsteps_59(zeta, f.v[0], g.v[0], &t);
514 /* Update d,e using that transition matrix. */
515 secp256k1_modinv64_update_de_62(&d, &e, &t, modinfo);
516 /* Update f,g using that transition matrix. */
517#ifdef VERIFY
518 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, 5, &modinfo->modulus, -1) > 0); /* f > -modulus */
519 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, 5, &modinfo->modulus, 1) <= 0); /* f <= modulus */
520 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, 5, &modinfo->modulus, -1) > 0); /* g > -modulus */
521 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, 5, &modinfo->modulus, 1) < 0); /* g < modulus */
522#endif
523 secp256k1_modinv64_update_fg_62(&f, &g, &t);
524#ifdef VERIFY
525 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, 5, &modinfo->modulus, -1) > 0); /* f > -modulus */
526 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, 5, &modinfo->modulus, 1) <= 0); /* f <= modulus */
527 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, 5, &modinfo->modulus, -1) > 0); /* g > -modulus */
528 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, 5, &modinfo->modulus, 1) < 0); /* g < modulus */
529#endif
530 }
531
532 /* At this point sufficient iterations have been performed that g must have reached 0
533 * and (if g was not originally 0) f must now equal +/- GCD of the initial f, g
534 * values i.e. +/- 1, and d now contains +/- the modular inverse. */
535#ifdef VERIFY
536 /* g == 0 */
537 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, 5, &SECP256K1_SIGNED62_ONE, 0) == 0);
538 /* |f| == 1, or (x == 0 and d == 0 and |f|=modulus) */
539 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, 5, &SECP256K1_SIGNED62_ONE, -1) == 0 ||
540 secp256k1_modinv64_mul_cmp_62(&f, 5, &SECP256K1_SIGNED62_ONE, 1) == 0 ||
541 (secp256k1_modinv64_mul_cmp_62(x, 5, &SECP256K1_SIGNED62_ONE, 0) == 0 &&
542 secp256k1_modinv64_mul_cmp_62(&d, 5, &SECP256K1_SIGNED62_ONE, 0) == 0 &&
543 (secp256k1_modinv64_mul_cmp_62(&f, 5, &modinfo->modulus, 1) == 0 ||
544 secp256k1_modinv64_mul_cmp_62(&f, 5, &modinfo->modulus, -1) == 0)));
545#endif
546
547 /* Optionally negate d, normalize to [0,modulus), and return it. */
548 secp256k1_modinv64_normalize_62(&d, f.v[4], modinfo);
549 *x = d;
550}
551
552/* Compute the inverse of x modulo modinfo->modulus, and replace x with it (variable time). */
553static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo) {
554 /* Start with d=0, e=1, f=modulus, g=x, eta=-1. */
555 secp256k1_modinv64_signed62 d = {{0, 0, 0, 0, 0}};
556 secp256k1_modinv64_signed62 e = {{1, 0, 0, 0, 0}};
557 secp256k1_modinv64_signed62 f = modinfo->modulus;
558 secp256k1_modinv64_signed62 g = *x;
559#ifdef VERIFY
560 int i = 0;
561#endif
562 int j, len = 5;
563 int64_t eta = -1; /* eta = -delta; delta is initially 1 */
564 int64_t cond, fn, gn;
565
566 /* Do iterations of 62 divsteps each until g=0. */
567 while (1) {
568 /* Compute transition matrix and new eta after 62 divsteps. */
569 secp256k1_modinv64_trans2x2 t;
570 eta = secp256k1_modinv64_divsteps_62_var(eta, f.v[0], g.v[0], &t);
571 /* Update d,e using that transition matrix. */
572 secp256k1_modinv64_update_de_62(&d, &e, &t, modinfo);
573 /* Update f,g using that transition matrix. */
574#ifdef VERIFY
575 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, -1) > 0); /* f > -modulus */
576 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, 1) <= 0); /* f <= modulus */
577 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, len, &modinfo->modulus, -1) > 0); /* g > -modulus */
578 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, len, &modinfo->modulus, 1) < 0); /* g < modulus */
579#endif
580 secp256k1_modinv64_update_fg_62_var(len, &f, &g, &t);
581 /* If the bottom limb of g is zero, there is a chance that g=0. */
582 if (g.v[0] == 0) {
583 cond = 0;
584 /* Check if the other limbs are also 0. */
585 for (j = 1; j < len; ++j) {
586 cond |= g.v[j];
587 }
588 /* If so, we're done. */
589 if (cond == 0) break;
590 }
591
592 /* Determine if len>1 and limb (len-1) of both f and g is 0 or -1. */
593 fn = f.v[len - 1];
594 gn = g.v[len - 1];
595 cond = ((int64_t)len - 2) >> 63;
596 cond |= fn ^ (fn >> 63);
597 cond |= gn ^ (gn >> 63);
598 /* If so, reduce length, propagating the sign of f and g's top limb into the one below. */
599 if (cond == 0) {
600 f.v[len - 2] |= (uint64_t)fn << 62;
601 g.v[len - 2] |= (uint64_t)gn << 62;
602 --len;
603 }
604#ifdef VERIFY
605 VERIFY_CHECK(++i < 12); /* We should never need more than 12*62 = 744 divsteps */
606 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, -1) > 0); /* f > -modulus */
607 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, 1) <= 0); /* f <= modulus */
608 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, len, &modinfo->modulus, -1) > 0); /* g > -modulus */
609 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, len, &modinfo->modulus, 1) < 0); /* g < modulus */
610#endif
611 }
612
613 /* At this point g is 0 and (if g was not originally 0) f must now equal +/- GCD of
614 * the initial f, g values i.e. +/- 1, and d now contains +/- the modular inverse. */
615#ifdef VERIFY
616 /* g == 0 */
617 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, len, &SECP256K1_SIGNED62_ONE, 0) == 0);
618 /* |f| == 1, or (x == 0 and d == 0 and |f|=modulus) */
619 VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, len, &SECP256K1_SIGNED62_ONE, -1) == 0 ||
620 secp256k1_modinv64_mul_cmp_62(&f, len, &SECP256K1_SIGNED62_ONE, 1) == 0 ||
621 (secp256k1_modinv64_mul_cmp_62(x, 5, &SECP256K1_SIGNED62_ONE, 0) == 0 &&
622 secp256k1_modinv64_mul_cmp_62(&d, 5, &SECP256K1_SIGNED62_ONE, 0) == 0 &&
623 (secp256k1_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, 1) == 0 ||
624 secp256k1_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, -1) == 0)));
625#endif
626
627 /* Optionally negate d, normalize to [0,modulus), and return it. */
628 secp256k1_modinv64_normalize_62(&d, f.v[len - 1], modinfo);
629 *x = d;
630}
631
632#endif /* SECP256K1_MODINV64_IMPL_H */
secp256k1_int128
int128_t secp256k1_int128
Definition: int128_native.h:17
secp256k1_i128_det
static SECP256K1_INLINE void secp256k1_i128_det(secp256k1_int128 *r, int64_t a, int64_t b, int64_t c, int64_t d)
Definition: int128_native_impl.h:58
secp256k1_i128_rshift
static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned int n)
Definition: int128_native_impl.h:65
secp256k1_i128_to_u64
static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a)
Definition: int128_native_impl.h:70
secp256k1_i128_from_i64
static SECP256K1_INLINE void secp256k1_i128_from_i64(secp256k1_int128 *r, int64_t a)
Definition: int128_native_impl.h:79
secp256k1_i128_eq_var
static SECP256K1_INLINE int secp256k1_i128_eq_var(const secp256k1_int128 *a, const secp256k1_int128 *b)
Definition: int128_native_impl.h:83
secp256k1_i128_to_i64
static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a)
Definition: int128_native_impl.h:74
secp256k1_i128_mul
static SECP256K1_INLINE void secp256k1_i128_mul(secp256k1_int128 *r, int64_t a, int64_t b)
Definition: int128_native_impl.h:48
secp256k1_i128_check_pow2
static SECP256K1_INLINE int secp256k1_i128_check_pow2(const secp256k1_int128 *r, unsigned int n)
Definition: int128_native_impl.h:87
secp256k1_i128_accum_mul
static SECP256K1_INLINE void secp256k1_i128_accum_mul(secp256k1_int128 *r, int64_t a, int64_t b)
Definition: int128_native_impl.h:52
secp256k1_modinv64_divsteps_62_var
static int64_t secp256k1_modinv64_divsteps_62_var(int64_t eta, uint64_t f0, uint64_t g0, secp256k1_modinv64_trans2x2 *t)
Definition: modinv64_impl.h:239
secp256k1_modinv64_normalize_62
static void secp256k1_modinv64_normalize_62(secp256k1_modinv64_signed62 *r, int64_t sign, const secp256k1_modinv64_modinfo *modinfo)
Definition: modinv64_impl.h:86
secp256k1_modinv64
static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
Definition: modinv64_impl.h:500
secp256k1_modinv64_var
static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
Definition: modinv64_impl.h:553
secp256k1_modinv64_update_fg_62_var
static void secp256k1_modinv64_update_fg_62_var(int len, secp256k1_modinv64_signed62 *f, secp256k1_modinv64_signed62 *g, const secp256k1_modinv64_trans2x2 *t)
Definition: modinv64_impl.h:465
secp256k1_modinv64_divsteps_59
static int64_t secp256k1_modinv64_divsteps_59(int64_t zeta, uint64_t f0, uint64_t g0, secp256k1_modinv64_trans2x2 *t)
Definition: modinv64_impl.h:167
secp256k1_modinv64_update_fg_62
static void secp256k1_modinv64_update_fg_62(secp256k1_modinv64_signed62 *f, secp256k1_modinv64_signed62 *g, const secp256k1_modinv64_trans2x2 *t)
Definition: modinv64_impl.h:412
secp256k1_modinv64_update_de_62
static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp256k1_modinv64_signed62 *e, const secp256k1_modinv64_trans2x2 *t, const secp256k1_modinv64_modinfo *modinfo)
Definition: modinv64_impl.h:319
secp256k1_ctz64_var
static SECP256K1_INLINE int secp256k1_ctz64_var(uint64_t x)
Definition: util.h:308
VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:96
secp256k1_modinv64_modinfo
Definition: modinv64.h:23
secp256k1_modinv64_modinfo::modulus_inv62
uint64_t modulus_inv62
Definition: modinv64.h:28
secp256k1_modinv64_modinfo::modulus
secp256k1_modinv64_signed62 modulus
Definition: modinv64.h:25
secp256k1_modinv64_signed62
Definition: modinv64.h:19
secp256k1_modinv64_signed62::v
int64_t v[5]
Definition: modinv64.h:20
secp256k1_modinv64_trans2x2
Definition: modinv64_impl.h:25
secp256k1_modinv64_trans2x2::q
int64_t q
Definition: modinv64_impl.h:26
secp256k1_modinv64_trans2x2::r
int64_t r
Definition: modinv64_impl.h:26
secp256k1_modinv64_trans2x2::u
int64_t u
Definition: modinv64_impl.h:26
secp256k1_modinv64_trans2x2::v
int64_t v
Definition: modinv64_impl.h:26
Generated on Sun Mar 8 2026 22:35:13 for Bitcoin ABC by doxygen 1.9.4