[secp256k1.git] / src / ecmult_gen.h

/**********************************************************************
 * Copyright (c) 2013, 2014 Pieter Wuille                             *
 * Distributed under the MIT software license, see the accompanying   *
 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
 **********************************************************************/

#ifndef SECP256K1_ECMULT_GEN_H
#define SECP256K1_ECMULT_GEN_H

#include "scalar.h"
#include "group.h"

#if ECMULT_GEN_PREC_BITS != 2 && ECMULT_GEN_PREC_BITS != 4 && ECMULT_GEN_PREC_BITS != 8
#  error "Set ECMULT_GEN_PREC_BITS to 2, 4 or 8."
#endif
#define ECMULT_GEN_PREC_B ECMULT_GEN_PREC_BITS
#define ECMULT_GEN_PREC_G (1 << ECMULT_GEN_PREC_B)
#define ECMULT_GEN_PREC_N (256 / ECMULT_GEN_PREC_B)

typedef struct {
    /* For accelerating the computation of a*G:
     * To harden against timing attacks, use the following mechanism:
     * * Break up the multiplicand into groups of PREC_B bits, called n_0, n_1, n_2, ..., n_(PREC_N-1).
     * * Compute sum(n_i * (PREC_G)^i * G + U_i, i=0 ... PREC_N-1), where:
     *   * U_i = U * 2^i, for i=0 ... PREC_N-2
     *   * U_i = U * (1-2^(PREC_N-1)), for i=PREC_N-1
     *   where U is a point with no known corresponding scalar. Note that sum(U_i, i=0 ... PREC_N-1) = 0.
     * For each i, and each of the PREC_G possible values of n_i, (n_i * (PREC_G)^i * G + U_i) is
     * precomputed (call it prec(i, n_i)). The formula now becomes sum(prec(i, n_i), i=0 ... PREC_N-1).
     * None of the resulting prec group elements have a known scalar, and neither do any of
     * the intermediate sums while computing a*G.
     */
    secp256k1_ge_storage (*prec)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G]; /* prec[j][i] = (PREC_G)^j * i * G + U_i */
    secp256k1_scalar blind;
    secp256k1_gej initial;
} secp256k1_ecmult_gen_context;

static const size_t SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE;
static void secp256k1_ecmult_gen_context_init(secp256k1_ecmult_gen_context* ctx);
static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context* ctx, void **prealloc);
static void secp256k1_ecmult_gen_context_finalize_memcpy(secp256k1_ecmult_gen_context *dst, const secp256k1_ecmult_gen_context* src);
static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context* ctx);
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context* ctx);

/** Multiply with the generator: R = a*G */
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context* ctx, secp256k1_gej *r, const secp256k1_scalar *a);

static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32);

#endif /* SECP256K1_ECMULT_GEN_H */
Commit	Line	Data
71712b27 GM	1	/**********************************************************************
	2	* Copyright (c) 2013, 2014 Pieter Wuille *
	3	* Distributed under the MIT software license, see the accompanying *
	4	* file COPYING or http://www.opensource.org/licenses/mit-license.php.*
	5	**********************************************************************/
949c1ebb	6
abe2d3e8 DR	7	#ifndef SECP256K1_ECMULT_GEN_H
abe2d3e8 DR	8	#define SECP256K1_ECMULT_GEN_H
949c1ebb	9
a9f5c8b8	10	#include "scalar.h"
949c1ebb PW	11	#include "group.h"
949c1ebb PW	12
dcb2e3b3	13	#if ECMULT_GEN_PREC_BITS != 2 && ECMULT_GEN_PREC_BITS != 4 && ECMULT_GEN_PREC_BITS != 8
	14	# error "Set ECMULT_GEN_PREC_BITS to 2, 4 or 8."
	15	#endif
	16	#define ECMULT_GEN_PREC_B ECMULT_GEN_PREC_BITS
	17	#define ECMULT_GEN_PREC_G (1 << ECMULT_GEN_PREC_B)
	18	#define ECMULT_GEN_PREC_N (256 / ECMULT_GEN_PREC_B)
	19
a9b6595e PW	20	typedef struct {
	21	/* For accelerating the computation of a*G:
	22	* To harden against timing attacks, use the following mechanism:
dcb2e3b3	23	* * Break up the multiplicand into groups of PREC_B bits, called n_0, n_1, n_2, ..., n_(PREC_N-1).
	24	* * Compute sum(n_i * (PREC_G)^i * G + U_i, i=0 ... PREC_N-1), where:
	25	* * U_i = U * 2^i, for i=0 ... PREC_N-2
	26	* * U_i = U * (1-2^(PREC_N-1)), for i=PREC_N-1
	27	* where U is a point with no known corresponding scalar. Note that sum(U_i, i=0 ... PREC_N-1) = 0.
	28	* For each i, and each of the PREC_G possible values of n_i, (n_i * (PREC_G)^i * G + U_i) is
	29	* precomputed (call it prec(i, n_i)). The formula now becomes sum(prec(i, n_i), i=0 ... PREC_N-1).
a9b6595e PW	30	* None of the resulting prec group elements have a known scalar, and neither do any of
	31	* the intermediate sums while computing a*G.
	32	*/
dcb2e3b3	33	secp256k1_ge_storage (prec)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G]; / prec[j][i] = (PREC_G)^j * i * G + U_i */
dd891e0e PW	34	secp256k1_scalar blind;
	35	secp256k1_gej initial;
	36	} secp256k1_ecmult_gen_context;
a9b6595e	37
ef020de1	38	static const size_t SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE;
dd891e0e	39	static void secp256k1_ecmult_gen_context_init(secp256k1_ecmult_gen_context* ctx);
c4fd5dab TR	40	static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context* ctx, void **prealloc);
c4fd5dab TR	41	static void secp256k1_ecmult_gen_context_finalize_memcpy(secp256k1_ecmult_gen_context dst, const secp256k1_ecmult_gen_context src);
dd891e0e PW	42	static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context* ctx);
dd891e0e PW	43	static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context* ctx);
949c1ebb PW	44
949c1ebb PW	45	/** Multiply with the generator: R = aG /
dd891e0e	46	static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context* ctx, secp256k1_gej r, const secp256k1_scalar a);
949c1ebb	47
dd891e0e	48	static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context ctx, const unsigned char seed32);
d2275795	49
abe2d3e8	50	#endif /* SECP256K1_ECMULT_GEN_H */