projects / secp256k1.git / blame
| Commit | Line | Data |
|---|---|---|
| 71712b27 GM |
1 | /********************************************************************** |
| 2 | * Copyright (c) 2014 Pieter Wuille * | |
| 3 | * Distributed under the MIT software license, see the accompanying * | |
| 4 | * file COPYING or http://www.opensource.org/licenses/mit-license.php.* | |
| 5 | **********************************************************************/ | |
| a9f5c8b8 | 6 | |
| abe2d3e8 DR |
7 | #ifndef SECP256K1_SCALAR_H |
| 8 | #define SECP256K1_SCALAR_H | |
| a9f5c8b8 PW |
9 | |
| 10 | #include "num.h" | |
| 79f1f7a4 | 11 | #include "util.h" |
| a9f5c8b8 | 12 | |
| 1d52a8b1 PW |
13 | #if defined HAVE_CONFIG_H |
| 14 | #include "libsecp256k1-config.h" | |
| 15 | #endif | |
| 16 | ||
| 83836a95 AP |
17 | #if defined(EXHAUSTIVE_TEST_ORDER) |
| 18 | #include "scalar_low.h" | |
| 79f1f7a4 | 19 | #elif defined(SECP256K1_WIDEMUL_INT128) |
| 1d52a8b1 | 20 | #include "scalar_4x64.h" |
| 79f1f7a4 | 21 | #elif defined(SECP256K1_WIDEMUL_INT64) |
| 1d52a8b1 PW |
22 | #include "scalar_8x32.h" |
| 23 | #else | |
| 79f1f7a4 | 24 | #error "Please select wide multiplication implementation" |
| 1d52a8b1 | 25 | #endif |
| a9f5c8b8 | 26 | |
| a9f5c8b8 | 27 | /** Clear a scalar to prevent the leak of sensitive data. */ |
| dd891e0e | 28 | static void secp256k1_scalar_clear(secp256k1_scalar *r); |
| a9f5c8b8 | 29 | |
| 1e6c77c3 | 30 | /** Access bits from a scalar. All requested bits must belong to the same 32-bit limb. */ |
| dd891e0e | 31 | static unsigned int secp256k1_scalar_get_bits(const secp256k1_scalar *a, unsigned int offset, unsigned int count); |
| 1e6c77c3 PW |
32 | |
| 33 | /** Access bits from a scalar. Not constant time. */ | |
| dd891e0e | 34 | static unsigned int secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count); |
| a9f5c8b8 | 35 | |
| dc7d8fd9 MB |
36 | /** Set a scalar from a big endian byte array. The scalar will be reduced modulo group order `n`. |
| 37 | * In: bin: pointer to a 32-byte array. | |
| 38 | * Out: r: scalar to be set. | |
| 39 | * overflow: non-zero if the scalar was bigger or equal to `n` before reduction, zero otherwise (can be NULL). | |
| 40 | */ | |
| dd891e0e | 41 | static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow); |
| a9f5c8b8 | 42 | |
| 9ab2cbe0 JN |
43 | /** Set a scalar from a big endian byte array and returns 1 if it is a valid |
| 44 | * seckey and 0 otherwise. */ | |
| 45 | static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin); | |
| 46 | ||
| 1e6c77c3 | 47 | /** Set a scalar to an unsigned integer. */ |
| dd891e0e | 48 | static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v); |
| 1e6c77c3 | 49 | |
| a9f5c8b8 | 50 | /** Convert a scalar to a byte array. */ |
| dd891e0e | 51 | static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar* a); |
| a9f5c8b8 | 52 | |
| 29ae1310 | 53 | /** Add two scalars together (modulo the group order). Returns whether it overflowed. */ |
| dd891e0e | 54 | static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b); |
| a9f5c8b8 | 55 | |
| ed35d43a | 56 | /** Conditionally add a power of two to a scalar. The result is not allowed to overflow. */ |
| dd891e0e | 57 | static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag); |
| 52132078 | 58 | |
| a9f5c8b8 | 59 | /** Multiply two scalars (modulo the group order). */ |
| dd891e0e | 60 | static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b); |
| a9f5c8b8 | 61 | |
| 44015000 AP |
62 | /** Shift a scalar right by some amount strictly between 0 and 16, returning |
| 63 | * the low bits that were shifted off */ | |
| dd891e0e | 64 | static int secp256k1_scalar_shr_int(secp256k1_scalar *r, int n); |
| 44015000 | 65 | |
| 1d52a8b1 | 66 | /** Compute the square of a scalar (modulo the group order). */ |
| dd891e0e | 67 | static void secp256k1_scalar_sqr(secp256k1_scalar *r, const secp256k1_scalar *a); |
| 1d52a8b1 | 68 | |
| a9f5c8b8 | 69 | /** Compute the inverse of a scalar (modulo the group order). */ |
| dd891e0e | 70 | static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a); |
| a9f5c8b8 | 71 | |
| d1502eb4 | 72 | /** Compute the inverse of a scalar (modulo the group order), without constant-time guarantee. */ |
| dd891e0e | 73 | static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a); |
| d1502eb4 | 74 | |
| a9f5c8b8 | 75 | /** Compute the complement of a scalar (modulo the group order). */ |
| dd891e0e | 76 | static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a); |
| a9f5c8b8 PW |
77 | |
| 78 | /** Check whether a scalar equals zero. */ | |
| dd891e0e | 79 | static int secp256k1_scalar_is_zero(const secp256k1_scalar *a); |
| a9f5c8b8 | 80 | |
| 79359302 | 81 | /** Check whether a scalar equals one. */ |
| dd891e0e | 82 | static int secp256k1_scalar_is_one(const secp256k1_scalar *a); |
| 79359302 | 83 | |
| 44015000 | 84 | /** Check whether a scalar, considered as an nonnegative integer, is even. */ |
| dd891e0e | 85 | static int secp256k1_scalar_is_even(const secp256k1_scalar *a); |
| 44015000 | 86 | |
| a9f5c8b8 | 87 | /** Check whether a scalar is higher than the group order divided by 2. */ |
| dd891e0e | 88 | static int secp256k1_scalar_is_high(const secp256k1_scalar *a); |
| a9f5c8b8 | 89 | |
| 44015000 AP |
90 | /** Conditionally negate a number, in constant time. |
| 91 | * Returns -1 if the number was negated, 1 otherwise */ | |
| dd891e0e | 92 | static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag); |
| 44015000 | 93 | |
| 597128d3 | 94 | #ifndef USE_NUM_NONE |
| a9f5c8b8 | 95 | /** Convert a scalar to a number. */ |
| dd891e0e | 96 | static void secp256k1_scalar_get_num(secp256k1_num *r, const secp256k1_scalar *a); |
| a9f5c8b8 | 97 | |
| 659b554d | 98 | /** Get the order of the group as a number. */ |
| dd891e0e | 99 | static void secp256k1_scalar_order_get_num(secp256k1_num *r); |
| 597128d3 | 100 | #endif |
| 659b554d | 101 | |
| f24041d6 | 102 | /** Compare two scalars. */ |
| dd891e0e | 103 | static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b); |
| f24041d6 | 104 | |
| 6794be60 | 105 | #ifdef USE_ENDOMORPHISM |
| f735446c | 106 | /** Find r1 and r2 such that r1+r2*2^128 = a. */ |
| dd891e0e | 107 | static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *a); |
| 6794be60 | 108 | /** Find r1 and r2 such that r1+r2*lambda = a, and r1 and r2 are maximum 128 bits long (see secp256k1_gej_mul_lambda). */ |
| dd891e0e | 109 | static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *a); |
| 6794be60 PW |
110 | #endif |
| 111 | ||
| ff8746d4 | 112 | /** Multiply a and b (without taking the modulus!), divide by 2**shift, and round to the nearest integer. Shift must be at least 256. */ |
| dd891e0e | 113 | static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b, unsigned int shift); |
| ff8746d4 | 114 | |
| a39c2b09 | 115 | /** If flag is true, set *r equal to *a; otherwise leave it. Constant-time. Both *r and *a must be initialized.*/ |
| 34a67c77 GM |
116 | static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag); |
| 117 | ||
| abe2d3e8 | 118 | #endif /* SECP256K1_SCALAR_H */ |