frost/secp256k1-zkp
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge bitcoin-core/secp256k1#1010: doc: Minor fixes in safegcd_implementation.md

Browse Source 
dc9b6853b72b9a492cad230623670e89157525ca doc: Minor fixes in safegcd_implementation.md (Elliott Jin)

Pull request description:

ACKs for top commit:
  sipa:
    ACK dc9b6853b72b9a492cad230623670e89157525ca
  real-or-random:
    ACK dc9b6853b7

Tree-SHA512: 990c969806b9abf42e5554093aa573911bbdf28a68c26f60e03e2a754506b1c714f784c673d862b973c5d0a38576605b14aff9d4bd3df176d535ca8ebfe4c0bd
This commit is contained in:
Tim Ruffing 2021-11-17 00:56:13 +01:00
commit 793ad9016a
No known key found for this signature in database
GPG Key ID: 8C461CCD293F6011
1 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
doc/safegcd_implementation.md
View File

@ -569,7 +569,13 @@ bits efficiently, which is possible on most platforms; it is abstracted here as
```python ```python
def count_trailing_zeros(v): def count_trailing_zeros(v):
"""For a non-zero value v, find z such that v=(d<<z) for some odd d.""" """
When v is zero, consider all N zero bits as "trailing".
For a non-zero value v, find z such that v=(d<<z) for some odd d.
"""
if v == 0:
return N
else:
return (v & -v).bit_length() - 1 return (v & -v).bit_length() - 1
i = N # divsteps left to do i = N # divsteps left to do
@ -601,7 +607,7 @@ becomes negative, or when *i* reaches *0*. Combined, this is equivalent to addin
It is easy to find what that multiple is: we want a number *w* such that *g+w&thinsp;f* has a few bottom It is easy to find what that multiple is: we want a number *w* such that *g+w&thinsp;f* has a few bottom
zero bits. If that number of bits is *L*, we want *g+w&thinsp;f mod 2<sup>L</sup> = 0*, or *w = -g/f mod 2<sup>L</sup>*. Since *f* zero bits. If that number of bits is *L*, we want *g+w&thinsp;f mod 2<sup>L</sup> = 0*, or *w = -g/f mod 2<sup>L</sup>*. Since *f*
is odd, such a *w* exists for any *L*. *L* cannot be more than *i* steps (as we'd finish the loop before is odd, such a *w* exists for any *L*. *L* cannot be more than *i* steps (as we'd finish the loop before
doing more) or more than *&eta;+1* steps (as we'd run `eta, f, g = -eta, g, f` at that point), but doing more) or more than *&eta;+1* steps (as we'd run `eta, f, g = -eta, g, -f` at that point), but
apart from that, we're only limited by the complexity of computing *w*. apart from that, we're only limited by the complexity of computing *w*.
This code demonstrates how to cancel up to 4 bits per step: This code demonstrates how to cancel up to 4 bits per step:
@ -618,7 +624,7 @@ while True:
break break
# We know g is odd now # We know g is odd now
if eta < 0: if eta < 0:
eta, f, g = -eta, g, f eta, f, g = -eta, g, -f
# Compute limit on number of bits to cancel # Compute limit on number of bits to cancel
limit = min(min(eta + 1, i), 4) limit = min(min(eta + 1, i), 4)
# Compute w = -g/f mod 2**limit, using the table value for -1/f mod 2**4. Note that f is # Compute w = -g/f mod 2**limit, using the table value for -1/f mod 2**4. Note that f is