group_impl.h File Reference

#include <string.h>
#include "num.h"
#include "field.h"
#include "group.h"

Go to the source code of this file.

Functions
static void	secp256k1_ge_set_gej_zinv (secp256k1_ge *r, const secp256k1_gej *a, const secp256k1_fe *zi)
static void	secp256k1_ge_set_xy (secp256k1_ge *r, const secp256k1_fe *x, const secp256k1_fe *y)
static int	secp256k1_ge_is_infinity (const secp256k1_ge *a)
static void	secp256k1_ge_neg (secp256k1_ge *r, const secp256k1_ge *a)
static void	secp256k1_ge_set_gej (secp256k1_ge *r, secp256k1_gej *a)
static void	secp256k1_ge_set_gej_var (secp256k1_ge *r, secp256k1_gej *a)
static void	secp256k1_ge_set_all_gej_var (size_t len, secp256k1_ge *r, const secp256k1_gej *a, const secp256k1_callback *cb)
static void	secp256k1_ge_set_table_gej_var (size_t len, secp256k1_ge *r, const secp256k1_gej *a, const secp256k1_fe *zr)
static void	secp256k1_ge_globalz_set_table_gej (size_t len, secp256k1_ge *r, secp256k1_fe *globalz, const secp256k1_gej *a, const secp256k1_fe *zr)
static void	secp256k1_gej_set_infinity (secp256k1_gej *r)
static void	secp256k1_gej_clear (secp256k1_gej *r)
static void	secp256k1_ge_clear (secp256k1_ge *r)
static int	secp256k1_ge_set_xquad_var (secp256k1_ge *r, const secp256k1_fe *x)
static int	secp256k1_ge_set_xo_var (secp256k1_ge *r, const secp256k1_fe *x, int odd)
static void	secp256k1_gej_set_ge (secp256k1_gej *r, const secp256k1_ge *a)
static int	secp256k1_gej_eq_x_var (const secp256k1_fe *x, const secp256k1_gej *a)
static void	secp256k1_gej_neg (secp256k1_gej *r, const secp256k1_gej *a)
static int	secp256k1_gej_is_infinity (const secp256k1_gej *a)
static int	secp256k1_gej_is_valid_var (const secp256k1_gej *a)
static int	secp256k1_ge_is_valid_var (const secp256k1_ge *a)
static void	secp256k1_gej_double_var (secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
static SECP256K1_INLINE void	secp256k1_gej_double_nonzero (secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
static void	secp256k1_gej_add_var (secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
static void	secp256k1_gej_add_ge_var (secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
static void	secp256k1_gej_add_zinv_var (secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
static void	secp256k1_gej_add_ge (secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
static void	secp256k1_gej_rescale (secp256k1_gej *r, const secp256k1_fe *s)
static void	secp256k1_ge_to_storage (secp256k1_ge_storage *r, const secp256k1_ge *a)
static void	secp256k1_ge_from_storage (secp256k1_ge *r, const secp256k1_ge_storage *a)
static SECP256K1_INLINE void	secp256k1_ge_storage_cmov (secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)

Variables
static const secp256k1_ge	secp256k1_ge_const_g

Function Documentation

secp256k1_ge_clear()

static void secp256k1_ge_clear ( secp256k1_ge *  r )

static

Definition at line 162 of file group_impl.h.

secp256k1_ge_from_storage()

static void secp256k1_ge_from_storage ( secp256k1_ge *  r, const secp256k1_ge_storage *  a  )

static

Definition at line 604 of file group_impl.h.

secp256k1_ge_globalz_set_table_gej()

static void secp256k1_ge_globalz_set_table_gej ( size_t  len, secp256k1_ge *  r, secp256k1_fe *  globalz, const secp256k1_gej *  a, const secp256k1_fe *  zr  )

static

Definition at line 125 of file group_impl.h.

secp256k1_ge_is_infinity()

static int secp256k1_ge_is_infinity ( const secp256k1_ge *  a )

static

Definition at line 42 of file group_impl.h.

secp256k1_ge_is_valid_var()

static int secp256k1_ge_is_valid_var ( const secp256k1_ge *  a )

static

Definition at line 239 of file group_impl.h.

secp256k1_ge_neg()

static void secp256k1_ge_neg ( secp256k1_ge *  r, const secp256k1_ge *  a  )

static

Definition at line 46 of file group_impl.h.

secp256k1_ge_set_all_gej_var()

static void secp256k1_ge_set_all_gej_var ( size_t  len, secp256k1_ge *  r, const secp256k1_gej *  a, const secp256k1_callback *  cb  )

static

Definition at line 81 of file group_impl.h.

secp256k1_ge_set_gej()

static void secp256k1_ge_set_gej ( secp256k1_ge *  r, secp256k1_gej *  a  )

static

Definition at line 52 of file group_impl.h.

secp256k1_ge_set_gej_var()

static void secp256k1_ge_set_gej_var ( secp256k1_ge *  r, secp256k1_gej *  a  )

static

Definition at line 65 of file group_impl.h.

Referenced by secp256k1_ecdsa_sig_recover(), secp256k1_schnorr_sig_verify(), test_ge(), and test_schnorr_sign_verify().

secp256k1_ge_set_gej_zinv()

static void secp256k1_ge_set_gej_zinv ( secp256k1_ge *  r, const secp256k1_gej *  a, const secp256k1_fe *  zi  )

static

Definition at line 26 of file group_impl.h.

Referenced by secp256k1_ecmult_odd_multiples_table(), secp256k1_ge_globalz_set_table_gej(), secp256k1_ge_set_all_gej_var(), and secp256k1_ge_set_table_gej_var().

secp256k1_ge_set_table_gej_var()

static void secp256k1_ge_set_table_gej_var ( size_t  len, secp256k1_ge *  r, const secp256k1_gej *  a, const secp256k1_fe *  zr  )

static

Definition at line 107 of file group_impl.h.

secp256k1_ge_set_xo_var()

static int secp256k1_ge_set_xo_var ( secp256k1_ge *  r, const secp256k1_fe *  x, int  odd  )

static

Definition at line 179 of file group_impl.h.

secp256k1_ge_set_xquad_var()

static int secp256k1_ge_set_xquad_var ( secp256k1_ge *  r, const secp256k1_fe *  x  )

static

Definition at line 168 of file group_impl.h.

Referenced by secp256k1_ge_set_xo_var().

secp256k1_ge_set_xy()

static void secp256k1_ge_set_xy ( secp256k1_ge *  r, const secp256k1_fe *  x, const secp256k1_fe *  y  )

static

Definition at line 36 of file group_impl.h.

secp256k1_ge_storage_cmov()

static SECP256K1_INLINE void secp256k1_ge_storage_cmov ( secp256k1_ge_storage *  r, const secp256k1_ge_storage *  a, int  flag  )

static

Definition at line 610 of file group_impl.h.

secp256k1_ge_to_storage()

static void secp256k1_ge_to_storage ( secp256k1_ge_storage *  r, const secp256k1_ge *  a  )

static

Definition at line 593 of file group_impl.h.

secp256k1_gej_add_ge()

static void secp256k1_gej_add_ge ( secp256k1_gej *  r, const secp256k1_gej *  a, const secp256k1_ge *  b  )

static

In: Eric Brier and Marc Joye, Weierstrass Elliptic Curves and Side-Channel Attacks. In D. Naccache and P. Paillier, Eds., Public Key Cryptography, vol. 2274 of Lecture Notes in Computer Science, pages 335-345. Springer-Verlag, 2002. we find as solution for a unified addition/doubling formula: lambda = ((x1 + x2)^2 - x1 * x2 + a) / (y1 + y2), with a = 0 for secp256k1's curve equation. x3 = lambda^2 - (x1 + x2) 2*y3 = lambda * (x1 + x2 - 2 * x3) - (y1 + y2).

Substituting x_i = Xi / Zi^2 and yi = Yi / Zi^3, for i=1,2,3, gives: U1 = X1*Z2^2, U2 = X2*Z1^2 S1 = Y1*Z2^3, S2 = Y2*Z1^3 Z = Z1*Z2 T = U1+U2 M = S1+S2 Q = T*M^2 R = T^2-U1*U2 X3 = 4*(R^2-Q) Y3 = 4*(R*(3*Q-2*R^2)-M^4) Z3 = 2*M*Z (Note that the paper uses xi = Xi / Zi and yi = Yi / Zi instead.)

This formula has the benefit of being the same for both addition of distinct points and doubling. However, it breaks down in the case that either point is infinity, or that y1 = -y2. We handle these cases in the following ways:

• If b is infinity we simply bail by means of a VERIFY_CHECK.
• If a is infinity, we detect this, and at the end of the computation replace the result (which will be meaningless, but we compute to be constant-time) with b.x : b.y : 1.
• If a = -b, we have y1 = -y2, which is a degenerate case. But here the answer is infinity, so we simply set the infinity flag of the result, overriding the computed values without even needing to cmov.
• If y1 = -y2 but x1 != x2, which does occur thanks to certain properties of our curve (specifically, 1 has nontrivial cube roots in our field, and the curve equation has no x coefficient) then the answer is not infinity but also not given by the above equation. In this case, we cmov in place an alternate expression for lambda. Specifically (y1 - y2)/(x1 - x2). Where both these expressions for lambda are defined, they are equal, and can be obtained from each other by multiplication by (y1 + y2)/(y1 + y2) then substitution of x^3 + 7 for y^2 (using the curve equation). For all pairs of nonzero points (a, b) at least one is defined, so this covers everything.

If lambda = R/M = 0/0 we have a problem (except in the "trivial" case that Z = z1z2 = 0, and this is special-cased later on).
In case a->infinity == 1, replace r with (b->x, b->y, 1).

Definition at line 460 of file group_impl.h.

secp256k1_gej_add_ge_var()

static void secp256k1_gej_add_ge_var ( secp256k1_gej *  r, const secp256k1_gej *  a, const secp256k1_ge *  b, secp256k1_fe *  rzr  )

static

Definition at line 354 of file group_impl.h.

secp256k1_gej_add_var()

static void secp256k1_gej_add_var ( secp256k1_gej *  r, const secp256k1_gej *  a, const secp256k1_gej *  b, secp256k1_fe *  rzr  )

static

Definition at line 301 of file group_impl.h.

secp256k1_gej_add_zinv_var()

static void secp256k1_gej_add_zinv_var ( secp256k1_gej *  r, const secp256k1_gej *  a, const secp256k1_ge *  b, const secp256k1_fe *  bzinv  )

static

We need to calculate (rx,ry,rz) = (ax,ay,az) + (bx,by,1/bzinv). Due to secp256k1's isomorphism we can multiply the Z coordinates on both sides by bzinv, and get: (rx,ry,rz*bzinv) = (ax,ay,az*bzinv) + (bx,by,1). This means that (rx,ry,rz) can be calculated as (ax,ay,az*bzinv) + (bx,by,1), when not applying the bzinv factor to rz. The variable az below holds the modified Z coordinate for a, which is used for the computation of rx and ry, but not for rz.

Definition at line 403 of file group_impl.h.

secp256k1_gej_clear()

static void secp256k1_gej_clear ( secp256k1_gej *  r )

static

Definition at line 155 of file group_impl.h.

secp256k1_gej_double_nonzero()

static SECP256K1_INLINE void secp256k1_gej_double_nonzero ( secp256k1_gej *  r, const secp256k1_gej *  a, secp256k1_fe *  rzr  )

static

Definition at line 296 of file group_impl.h.

secp256k1_gej_double_var()

static void secp256k1_gej_double_var ( secp256k1_gej *  r, const secp256k1_gej *  a, secp256k1_fe *  rzr  )

static

For secp256k1, 2Q is infinity if and only if Q is infinity. This is because if 2Q = infinity, Q must equal -Q, or that Q.y == -(Q.y), or Q.y is 0. For a point on y^2 = x^3 + 7 to have y=0, x^3 must be -7 mod p. However, -7 has no cube root mod p.

Definition at line 253 of file group_impl.h.

Referenced by secp256k1_gej_add_ge_var(), secp256k1_gej_add_var(), secp256k1_gej_add_zinv_var(), and secp256k1_gej_double_nonzero().

secp256k1_gej_eq_x_var()

static int secp256k1_gej_eq_x_var ( const secp256k1_fe *  x, const secp256k1_gej *  a  )

static

Definition at line 198 of file group_impl.h.

secp256k1_gej_is_infinity()

static int secp256k1_gej_is_infinity ( const secp256k1_gej *  a )

static

Definition at line 215 of file group_impl.h.

Referenced by secp256k1_gej_double_nonzero().

secp256k1_gej_is_valid_var()

static int secp256k1_gej_is_valid_var ( const secp256k1_gej *  a )

static

y^2 = x^3 + 7 (Y/Z^3)^2 = (X/Z^2)^3 + 7 Y^2 / Z^6 = X^3 / Z^6 + 7 Y^2 = X^3 + 7*Z^6

Definition at line 219 of file group_impl.h.

Referenced by run_point_times_order(), and test_point_times_order().

secp256k1_gej_neg()

static void secp256k1_gej_neg ( secp256k1_gej *  r, const secp256k1_gej *  a  )

static

Definition at line 206 of file group_impl.h.

secp256k1_gej_rescale()

static void secp256k1_gej_rescale ( secp256k1_gej *  r, const secp256k1_fe *  s  )

static

Definition at line 582 of file group_impl.h.

secp256k1_gej_set_ge()

static void secp256k1_gej_set_ge ( secp256k1_gej *  r, const secp256k1_ge *  a  )

static

Definition at line 191 of file group_impl.h.

Referenced by secp256k1_gej_add_ge_var().

secp256k1_gej_set_infinity()

static void secp256k1_gej_set_infinity ( secp256k1_gej *  r )

static

Definition at line 148 of file group_impl.h.

Variable Documentation

secp256k1_ge_const_g

const secp256k1_ge secp256k1_ge_const_g

static

Initial value:

= SECP256K1_GE_CONST(
    0x79BE667EUL, 0xF9DCBBACUL, 0x55A06295UL, 0xCE870B07UL,
    0x029BFCDBUL, 0x2DCE28D9UL, 0x59F2815BUL, 0x16F81798UL,
    0x483ADA77UL, 0x26A3C465UL, 0x5DA4FBFCUL, 0x0E1108A8UL,
    0xFD17B448UL, 0xA6855419UL, 0x9C47D08FUL, 0xFB10D4B8UL
)

Generator for secp256k1, value 'g' defined in "Standards for Efficient Cryptography" (SEC2) 2.7.1.

Definition at line 19 of file group_impl.h.

Referenced by ecmult_const_chain_multiply(), ecmult_const_commutativity(), run_ec_pubkey_parse_test(), secp256k1_ecmult_context_build(), secp256k1_ecmult_gen_blind(), secp256k1_ecmult_gen_context_build(), test_ecmult_constants(), and test_point_times_order().