Abstract out verify logic for fe_half
This commit is contained in:
Pieter Wuille
parent
283cd80ab4
commit
89e324c6b9
10
src/field.h
10
src/field.h
@ -98,6 +98,7 @@ static const secp256k1_fe secp256k1_const_beta = SECP256K1_FE_CONST(
|
||||
# define secp256k1_fe_inv secp256k1_fe_impl_inv
|
||||
# define secp256k1_fe_inv_var secp256k1_fe_impl_inv_var
|
||||
# define secp256k1_fe_get_bounds secp256k1_fe_impl_get_bounds
|
||||
# define secp256k1_fe_half secp256k1_fe_impl_half
|
||||
#endif /* !defined(VERIFY) */
|
||||
|
||||
/** Normalize a field element.
|
||||
@ -302,9 +303,12 @@ static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_f
|
||||
*/
|
||||
static void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag);
|
||||
|
||||
/** Halves the value of a field element modulo the field prime. Constant-time.
|
||||
* For an input magnitude 'm', the output magnitude is set to 'floor(m/2) + 1'.
|
||||
* The output is not guaranteed to be normalized, regardless of the input. */
|
||||
/** Halve the value of a field element modulo the field prime in constant-time.
|
||||
*
|
||||
* On input, r must be a valid field element.
|
||||
* On output, r will be normalized and have magnitude floor(m/2) + 1 where m is
|
||||
* the magnitude of r on input.
|
||||
*/
|
||||
static void secp256k1_fe_half(secp256k1_fe *r);
|
||||
|
||||
/** Sets r to a field element with magnitude m, normalized if (and only if) m==0.
|
||||
|
||||
@ -1046,17 +1046,12 @@ SECP256K1_INLINE static void secp256k1_fe_impl_cmov(secp256k1_fe *r, const secp2
|
||||
r->n[9] = (r->n[9] & mask0) | (a->n[9] & mask1);
|
||||
}
|
||||
|
||||
static SECP256K1_INLINE void secp256k1_fe_half(secp256k1_fe *r) {
|
||||
static SECP256K1_INLINE void secp256k1_fe_impl_half(secp256k1_fe *r) {
|
||||
uint32_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4],
|
||||
t5 = r->n[5], t6 = r->n[6], t7 = r->n[7], t8 = r->n[8], t9 = r->n[9];
|
||||
uint32_t one = (uint32_t)1;
|
||||
uint32_t mask = -(t0 & one) >> 6;
|
||||
|
||||
#ifdef VERIFY
|
||||
secp256k1_fe_verify(r);
|
||||
VERIFY_CHECK(r->magnitude < 32);
|
||||
#endif
|
||||
|
||||
/* Bounds analysis (over the rationals).
|
||||
*
|
||||
* Let m = r->magnitude
|
||||
@ -1103,10 +1098,8 @@ static SECP256K1_INLINE void secp256k1_fe_half(secp256k1_fe *r) {
|
||||
*
|
||||
* Current bounds: t0..t8 <= C * (m/2 + 1/2)
|
||||
* t9 <= D * (m/2 + 1/4)
|
||||
*/
|
||||
|
||||
#ifdef VERIFY
|
||||
/* Therefore the output magnitude (M) has to be set such that:
|
||||
*
|
||||
* Therefore the output magnitude (M) has to be set such that:
|
||||
* t0..t8: C * M >= C * (m/2 + 1/2)
|
||||
* t9: D * M >= D * (m/2 + 1/4)
|
||||
*
|
||||
@ -1116,10 +1109,6 @@ static SECP256K1_INLINE void secp256k1_fe_half(secp256k1_fe *r) {
|
||||
* and since we want the smallest such integer value for M:
|
||||
* M == floor(m/2) + 1
|
||||
*/
|
||||
r->magnitude = (r->magnitude >> 1) + 1;
|
||||
r->normalized = 0;
|
||||
secp256k1_fe_verify(r);
|
||||
#endif
|
||||
}
|
||||
|
||||
static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag) {
|
||||
|
||||
@ -375,16 +375,11 @@ SECP256K1_INLINE static void secp256k1_fe_impl_cmov(secp256k1_fe *r, const secp2
|
||||
r->n[4] = (r->n[4] & mask0) | (a->n[4] & mask1);
|
||||
}
|
||||
|
||||
static SECP256K1_INLINE void secp256k1_fe_half(secp256k1_fe *r) {
|
||||
static SECP256K1_INLINE void secp256k1_fe_impl_half(secp256k1_fe *r) {
|
||||
uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4];
|
||||
uint64_t one = (uint64_t)1;
|
||||
uint64_t mask = -(t0 & one) >> 12;
|
||||
|
||||
#ifdef VERIFY
|
||||
secp256k1_fe_verify(r);
|
||||
VERIFY_CHECK(r->magnitude < 32);
|
||||
#endif
|
||||
|
||||
/* Bounds analysis (over the rationals).
|
||||
*
|
||||
* Let m = r->magnitude
|
||||
@ -421,10 +416,8 @@ static SECP256K1_INLINE void secp256k1_fe_half(secp256k1_fe *r) {
|
||||
*
|
||||
* Current bounds: t0..t3 <= C * (m/2 + 1/2)
|
||||
* t4 <= D * (m/2 + 1/4)
|
||||
*/
|
||||
|
||||
#ifdef VERIFY
|
||||
/* Therefore the output magnitude (M) has to be set such that:
|
||||
*
|
||||
* Therefore the output magnitude (M) has to be set such that:
|
||||
* t0..t3: C * M >= C * (m/2 + 1/2)
|
||||
* t4: D * M >= D * (m/2 + 1/4)
|
||||
*
|
||||
@ -434,10 +427,6 @@ static SECP256K1_INLINE void secp256k1_fe_half(secp256k1_fe *r) {
|
||||
* and since we want the smallest such integer value for M:
|
||||
* M == floor(m/2) + 1
|
||||
*/
|
||||
r->magnitude = (r->magnitude >> 1) + 1;
|
||||
r->normalized = 0;
|
||||
secp256k1_fe_verify(r);
|
||||
#endif
|
||||
}
|
||||
|
||||
static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag) {
|
||||
|
||||
@ -384,6 +384,16 @@ SECP256K1_INLINE static void secp256k1_fe_get_bounds(secp256k1_fe* r, int m) {
|
||||
secp256k1_fe_verify(r);
|
||||
}
|
||||
|
||||
static void secp256k1_fe_impl_half(secp256k1_fe *r);
|
||||
SECP256K1_INLINE static void secp256k1_fe_half(secp256k1_fe *r) {
|
||||
secp256k1_fe_verify(r);
|
||||
VERIFY_CHECK(r->magnitude < 32);
|
||||
secp256k1_fe_impl_half(r);
|
||||
r->magnitude = (r->magnitude >> 1) + 1;
|
||||
r->normalized = 0;
|
||||
secp256k1_fe_verify(r);
|
||||
}
|
||||
|
||||
#endif /* defined(VERIFY) */
|
||||
|
||||
#endif /* SECP256K1_FIELD_IMPL_H */
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user