[secp256k1.git] / src / ecmult_gen.h

/**********************************************************************
 * Copyright (c) 2013, 2014 Pieter Wuille                             *
 * Distributed under the MIT software license, see the accompanying   *
 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
 **********************************************************************/

#ifndef _SECP256K1_ECMULT_GEN_
#define _SECP256K1_ECMULT_GEN_

#include "scalar.h"
#include "group.h"

typedef struct {
    /* For accelerating the computation of a*G:
     * To harden against timing attacks, use the following mechanism:
     * * Break up the multiplicand into groups of 4 bits, called n_0, n_1, n_2, ..., n_63.
     * * Compute sum(n_i * 16^i * G + U_i, i=0..63), where:
     *   * U_i = U * 2^i (for i=0..62)
     *   * U_i = U * (1-2^63) (for i=63)
     *   where U is a point with no known corresponding scalar. Note that sum(U_i, i=0..63) = 0.
     * For each i, and each of the 16 possible values of n_i, (n_i * 16^i * G + U_i) is
     * precomputed (call it prec(i, n_i)). The formula now becomes sum(prec(i, n_i), i=0..63).
     * None of the resulting prec group elements have a known scalar, and neither do any of
     * the intermediate sums while computing a*G.
     */
    secp256k1_ge_storage_t (*prec)[64][16]; /* prec[j][i] = 16^j * i * G + U_i */
    secp256k1_scalar_t blind;
    secp256k1_gej_t initial;
} secp256k1_ecmult_gen_context_t;

static void secp256k1_ecmult_gen_context_init(secp256k1_ecmult_gen_context_t* ctx);
static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context_t* ctx, const callback_t* cb);
static void secp256k1_ecmult_gen_context_clone(secp256k1_ecmult_gen_context_t *dst,
                                               const secp256k1_ecmult_gen_context_t* src, const callback_t* cb);
static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context_t* ctx);
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context_t* ctx);

/** Multiply with the generator: R = a*G */
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context_t* ctx, secp256k1_gej_t *r, const secp256k1_scalar_t *a);

static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context_t *ctx, const unsigned char *seed32);

#endif
Commit	Line	Data
71712b27 GM	1	/**********************************************************************
	2	* Copyright (c) 2013, 2014 Pieter Wuille *
	3	* Distributed under the MIT software license, see the accompanying *
	4	* file COPYING or http://www.opensource.org/licenses/mit-license.php.*
	5	**********************************************************************/
949c1ebb PW	6
	7	#ifndef _SECP256K1_ECMULT_GEN_
	8	#define _SECP256K1_ECMULT_GEN_
	9
a9f5c8b8	10	#include "scalar.h"
949c1ebb PW	11	#include "group.h"
949c1ebb PW	12
a9b6595e PW	13	typedef struct {
	14	/* For accelerating the computation of a*G:
	15	* To harden against timing attacks, use the following mechanism:
	16	* * Break up the multiplicand into groups of 4 bits, called n_0, n_1, n_2, ..., n_63.
	17	* * Compute sum(n_i * 16^i * G + U_i, i=0..63), where:
	18	* * U_i = U * 2^i (for i=0..62)
	19	* * U_i = U * (1-2^63) (for i=63)
	20	* where U is a point with no known corresponding scalar. Note that sum(U_i, i=0..63) = 0.
	21	* For each i, and each of the 16 possible values of n_i, (n_i * 16^i * G + U_i) is
	22	* precomputed (call it prec(i, n_i)). The formula now becomes sum(prec(i, n_i), i=0..63).
	23	* None of the resulting prec group elements have a known scalar, and neither do any of
	24	* the intermediate sums while computing a*G.
	25	*/
	26	secp256k1_ge_storage_t (prec)[64][16]; / prec[j][i] = 16^j * i * G + U_i */
d2275795 GM	27	secp256k1_scalar_t blind;
d2275795 GM	28	secp256k1_gej_t initial;
a9b6595e PW	29	} secp256k1_ecmult_gen_context_t;
	30
	31	static void secp256k1_ecmult_gen_context_init(secp256k1_ecmult_gen_context_t* ctx);
995c5487	32	static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context_t* ctx, const callback_t* cb);
d899b5b6	33	static void secp256k1_ecmult_gen_context_clone(secp256k1_ecmult_gen_context_t *dst,
995c5487	34	const secp256k1_ecmult_gen_context_t* src, const callback_t* cb);
a9b6595e PW	35	static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context_t* ctx);
a9b6595e PW	36	static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context_t* ctx);
949c1ebb PW	37
949c1ebb PW	38	/** Multiply with the generator: R = aG /
a9b6595e	39	static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context_t* ctx, secp256k1_gej_t r, const secp256k1_scalar_t a);
949c1ebb	40
d2275795 GM	41	static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context_t ctx, const unsigned char seed32);
d2275795 GM	42
949c1ebb	43	#endif