Switch to exhaustive groups with small B coefficient

src/group_impl.h

@@ -10,59 +10,83 @@
 #include "field.h"
 #include "group.h"
 
+/* Begin of section generated by sage/gen_exhaustive_groups.sage. */
+#define SECP256K1_G_ORDER_7 SECP256K1_GE_CONST(\
+    0x66625d13, 0x317ffe44, 0x63d32cff, 0x1ca02b9b,\
+    0xe5c6d070, 0x50b4b05e, 0x81cc30db, 0xf5166f0a,\
+    0x1e60e897, 0xa7c00c7c, 0x2df53eb6, 0x98274ff4,\
+    0x64252f42, 0x8ca44e17, 0x3b25418c, 0xff4ab0cf\
+)
 #define SECP256K1_G_ORDER_13 SECP256K1_GE_CONST(\
-    0xc3459c3d, 0x35326167, 0xcd86cce8, 0x07a2417f,\
-    0x5b8bd567, 0xde8538ee, 0x0d507b0c, 0xd128f5bb,\
-    0x8e467fec, 0xcd30000a, 0x6cc1184e, 0x25d382c2,\
-    0xa2f4494e, 0x2fbe9abc, 0x8b64abac, 0xd005fb24\
+    0xa2482ff8, 0x4bf34edf, 0xa51262fd, 0xe57921db,\
+    0xe0dd2cb7, 0xa5914790, 0xbc71631f, 0xc09704fb,\
+    0x942536cb, 0xa3e49492, 0x3a701cc3, 0xee3e443f,\
+    0xdf182aa9, 0x15b8aa6a, 0x166d3b19, 0xba84b045\
 )
 #define SECP256K1_G_ORDER_199 SECP256K1_GE_CONST(\
-    0x226e653f, 0xc8df7744, 0x9bacbf12, 0x7d1dcbf9,\
-    0x87f05b2a, 0xe7edbd28, 0x1f564575, 0xc48dcf18,\
-    0xa13872c2, 0xe933bb17, 0x5d9ffd5b, 0xb5b6e10c,\
-    0x57fe3c00, 0xbaaaa15a, 0xe003ec3e, 0x9c269bae\
+    0x7fb07b5c, 0xd07c3bda, 0x553902e2, 0x7a87ea2c,\
+    0x35108a7f, 0x051f41e5, 0xb76abad5, 0x1f2703ad,\
+    0x0a251539, 0x5b4c4438, 0x952a634f, 0xac10dd4d,\
+    0x6d6f4745, 0x98990c27, 0x3a4f3116, 0xd32ff969\
 )
 /** Generator for secp256k1, value 'g' defined in
  *  "Standards for Efficient Cryptography" (SEC2) 2.7.1.
  */
 #define SECP256K1_G SECP256K1_GE_CONST(\
-    0x79BE667EUL, 0xF9DCBBACUL, 0x55A06295UL, 0xCE870B07UL,\
-    0x029BFCDBUL, 0x2DCE28D9UL, 0x59F2815BUL, 0x16F81798UL,\
-    0x483ADA77UL, 0x26A3C465UL, 0x5DA4FBFCUL, 0x0E1108A8UL,\
-    0xFD17B448UL, 0xA6855419UL, 0x9C47D08FUL, 0xFB10D4B8UL\
+    0x79be667e, 0xf9dcbbac, 0x55a06295, 0xce870b07,\
+    0x029bfcdb, 0x2dce28d9, 0x59f2815b, 0x16f81798,\
+    0x483ada77, 0x26a3c465, 0x5da4fbfc, 0x0e1108a8,\
+    0xfd17b448, 0xa6855419, 0x9c47d08f, 0xfb10d4b8\
 )
 /* These exhaustive group test orders and generators are chosen such that:
  * - The field size is equal to that of secp256k1, so field code is the same.
- * - The curve equation is of the form y^2=x^3+B for some constant B.
- * - The subgroup has a generator 2*P, where P.x=1.
+ * - The curve equation is of the form y^2=x^3+B for some small constant B.
+ * - The subgroup has a generator 2*P, where P.x is as small as possible.
  * - The subgroup has size less than 1000 to permit exhaustive testing.
  * - The subgroup admits an endomorphism of the form lambda*(x,y) == (beta*x,y).
- *
- * These parameters are generated using sage/gen_exhaustive_groups.sage.
  */
 #if defined(EXHAUSTIVE_TEST_ORDER)
-#  if EXHAUSTIVE_TEST_ORDER == 13
+#  if EXHAUSTIVE_TEST_ORDER == 7
+
+static const secp256k1_ge secp256k1_ge_const_g = SECP256K1_G_ORDER_7;
+
+static const secp256k1_fe secp256k1_fe_const_b = SECP256K1_FE_CONST(
+    0x00000000, 0x00000000, 0x00000000, 0x00000000,
+    0x00000000, 0x00000000, 0x00000000, 0x00000006
+);
+
+#  elif EXHAUSTIVE_TEST_ORDER == 13
+
 static const secp256k1_ge secp256k1_ge_const_g = SECP256K1_G_ORDER_13;
 
 static const secp256k1_fe secp256k1_fe_const_b = SECP256K1_FE_CONST(
-    0x3d3486b2, 0x159a9ca5, 0xc75638be, 0xb23a69bc,
-    0x946a45ab, 0x24801247, 0xb4ed2b8e, 0x26b6a417
+    0x00000000, 0x00000000, 0x00000000, 0x00000000,
+    0x00000000, 0x00000000, 0x00000000, 0x00000002
 );
+
 #  elif EXHAUSTIVE_TEST_ORDER == 199
+
 static const secp256k1_ge secp256k1_ge_const_g = SECP256K1_G_ORDER_199;
 
 static const secp256k1_fe secp256k1_fe_const_b = SECP256K1_FE_CONST(
-    0x2cca28fa, 0xfc614b80, 0x2a3db42b, 0x00ba00b1,
-    0xbea8d943, 0xdace9ab2, 0x9536daea, 0x0074defb
+    0x00000000, 0x00000000, 0x00000000, 0x00000000,
+    0x00000000, 0x00000000, 0x00000000, 0x00000004
 );
+
 #  else
 #    error No known generator for the specified exhaustive test group order.
 #  endif
 #else
+
 static const secp256k1_ge secp256k1_ge_const_g = SECP256K1_G;
 
-static const secp256k1_fe secp256k1_fe_const_b = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 7);
+static const secp256k1_fe secp256k1_fe_const_b = SECP256K1_FE_CONST(
+    0x00000000, 0x00000000, 0x00000000, 0x00000000,
+    0x00000000, 0x00000000, 0x00000000, 0x00000007
+);
+
 #endif
+/* End of section generated by sage/gen_exhaustive_groups.sage. */
 
 static void secp256k1_ge_set_gej_zinv(secp256k1_ge *r, const secp256k1_gej *a, const secp256k1_fe *zi) {
     secp256k1_fe zi2;

src/modules/recovery/tests_exhaustive_impl.h

@@ -43,8 +43,7 @@ void test_exhaustive_recovery_sign(const secp256k1_context *ctx, const secp256k1
                       (k * (EXHAUSTIVE_TEST_ORDER - s)) % EXHAUSTIVE_TEST_ORDER == (i + r * j) % EXHAUSTIVE_TEST_ORDER);
                 /* The recid's second bit is for conveying overflow (R.x value >= group order).
                  * In the actual secp256k1 this is an astronomically unlikely event, but in the
-                 * small group used here, it will be the case for all points except the ones where
-                 * R.x=1 (which the group is specifically selected to have).
+                 * small group used here, it will almost certainly be the case for all points.
                  * Note that this isn't actually useful; full recovery would need to convey
                  * floor(R.x / group_order), but only one bit is used as that is sufficient
                  * in the real group. */

src/precomputed_ecmult.h

@@ -13,7 +13,9 @@ extern "C" {
 
 #include "group.h"
 #if defined(EXHAUSTIVE_TEST_ORDER)
-#if EXHAUSTIVE_TEST_ORDER == 13
+#    if EXHAUSTIVE_TEST_ORDER == 7
+#        define WINDOW_G 3
+#    elif EXHAUSTIVE_TEST_ORDER == 13
 #        define WINDOW_G 4
 #    elif EXHAUSTIVE_TEST_ORDER == 199
 #        define WINDOW_G 8

src/scalar_impl.h

@@ -33,15 +33,18 @@ static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned c
     return (!overflow) & (!secp256k1_scalar_is_zero(r));
 }
 
-/* These parameters are generated using sage/gen_exhaustive_groups.sage. */
 #if defined(EXHAUSTIVE_TEST_ORDER)
-#  if EXHAUSTIVE_TEST_ORDER == 13
+/* Begin of section generated by sage/gen_exhaustive_groups.sage. */
+#  if EXHAUSTIVE_TEST_ORDER == 7
+#    define EXHAUSTIVE_TEST_LAMBDA 2
+#  elif EXHAUSTIVE_TEST_ORDER == 13
 #    define EXHAUSTIVE_TEST_LAMBDA 9
 #  elif EXHAUSTIVE_TEST_ORDER == 199
 #    define EXHAUSTIVE_TEST_LAMBDA 92
 #  else
 #    error No known lambda for the specified exhaustive test group order.
 #  endif
+/* End of section generated by sage/gen_exhaustive_groups.sage. */
 
 /**
  * Find r1 and r2 given k, such that r1 + r2 * lambda == k mod n; unlike in the