1 /*****************************************************************************
2 * Copyright (c) 2013, 2014, 2017 Pieter Wuille, Andrew Poelstra, Jonas Nick *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php. *
5 *****************************************************************************/
7 #ifndef SECP256K1_ECMULT_IMPL_H
8 #define SECP256K1_ECMULT_IMPL_H
17 #if defined(EXHAUSTIVE_TEST_ORDER)
18 /* We need to lower these values for exhaustive tests because
19 * the tables cannot have infinities in them (this breaks the
20 * affine-isomorphism stuff which tracks z-ratios) */
21 # if EXHAUSTIVE_TEST_ORDER > 128
24 # elif EXHAUSTIVE_TEST_ORDER > 8
32 /* optimal for 128-bit and 256-bit exponents. */
34 /** larger numbers may result in slightly better performance, at the cost of
35 exponentially larger precomputed tables. */
36 #ifdef USE_ENDOMORPHISM
37 /** Two tables for window size 15: 1.375 MiB. */
40 /** One table for window size 16: 1.375 MiB. */
45 #ifdef USE_ENDOMORPHISM
50 #define WNAF_SIZE_BITS(bits, w) (((bits) + (w) - 1) / (w))
51 #define WNAF_SIZE(w) WNAF_SIZE_BITS(WNAF_BITS, w)
53 /** The number of entries a table with precomputed multiples needs to have. */
54 #define ECMULT_TABLE_SIZE(w) (1 << ((w)-2))
56 /* The number of objects allocated on the scratch space for ecmult_multi algorithms */
57 #define PIPPENGER_SCRATCH_OBJECTS 6
58 #define STRAUSS_SCRATCH_OBJECTS 6
60 #define PIPPENGER_MAX_BUCKET_WINDOW 12
62 /* Minimum number of points for which pippenger_wnaf is faster than strauss wnaf */
63 #ifdef USE_ENDOMORPHISM
64 #define ECMULT_PIPPENGER_THRESHOLD 88
66 #define ECMULT_PIPPENGER_THRESHOLD 160
69 #ifdef USE_ENDOMORPHISM
70 #define ECMULT_MAX_POINTS_PER_BATCH 5000000
72 #define ECMULT_MAX_POINTS_PER_BATCH 10000000
75 /** Fill a table 'prej' with precomputed odd multiples of a. Prej will contain
76 * the values [1*a,3*a,...,(2*n-1)*a], so it space for n values. zr[0] will
77 * contain prej[0].z / a.z. The other zr[i] values = prej[i].z / prej[i-1].z.
78 * Prej's Z values are undefined, except for the last value.
80 static void secp256k1_ecmult_odd_multiples_table(int n, secp256k1_gej *prej, secp256k1_fe *zr, const secp256k1_gej *a) {
82 secp256k1_ge a_ge, d_ge;
85 VERIFY_CHECK(!a->infinity);
87 secp256k1_gej_double_var(&d, a, NULL);
90 * Perform the additions on an isomorphism where 'd' is affine: drop the z coordinate
91 * of 'd', and scale the 1P starting value's x/y coordinates without changing its z.
97 secp256k1_ge_set_gej_zinv(&a_ge, a, &d.z);
101 prej[0].infinity = 0;
104 for (i = 1; i < n; i++) {
105 secp256k1_gej_add_ge_var(&prej[i], &prej[i-1], &d_ge, &zr[i]);
109 * Each point in 'prej' has a z coordinate too small by a factor of 'd.z'. Only
110 * the final point's z coordinate is actually used though, so just update that.
112 secp256k1_fe_mul(&prej[n-1].z, &prej[n-1].z, &d.z);
115 /** Fill a table 'pre' with precomputed odd multiples of a.
117 * There are two versions of this function:
118 * - secp256k1_ecmult_odd_multiples_table_globalz_windowa which brings its
119 * resulting point set to a single constant Z denominator, stores the X and Y
120 * coordinates as ge_storage points in pre, and stores the global Z in rz.
121 * It only operates on tables sized for WINDOW_A wnaf multiples.
122 * - secp256k1_ecmult_odd_multiples_table_storage_var, which converts its
123 * resulting point set to actually affine points, and stores those in pre.
124 * It operates on tables of any size, but uses heap-allocated temporaries.
126 * To compute a*P + b*G, we compute a table for P using the first function,
127 * and for G using the second (which requires an inverse, but it only needs to
130 static void secp256k1_ecmult_odd_multiples_table_globalz_windowa(secp256k1_ge *pre, secp256k1_fe *globalz, const secp256k1_gej *a) {
131 secp256k1_gej prej[ECMULT_TABLE_SIZE(WINDOW_A)];
132 secp256k1_fe zr[ECMULT_TABLE_SIZE(WINDOW_A)];
134 /* Compute the odd multiples in Jacobian form. */
135 secp256k1_ecmult_odd_multiples_table(ECMULT_TABLE_SIZE(WINDOW_A), prej, zr, a);
136 /* Bring them to the same Z denominator. */
137 secp256k1_ge_globalz_set_table_gej(ECMULT_TABLE_SIZE(WINDOW_A), pre, globalz, prej, zr);
140 static void secp256k1_ecmult_odd_multiples_table_storage_var(const int n, secp256k1_ge_storage *pre, const secp256k1_gej *a) {
142 secp256k1_ge d_ge, p_ge;
146 secp256k1_fe dx_over_dz_squared;
149 VERIFY_CHECK(!a->infinity);
151 secp256k1_gej_double_var(&d, a, NULL);
153 /* First, we perform all the additions in an isomorphic curve obtained by multiplying
154 * all `z` coordinates by 1/`d.z`. In these coordinates `d` is affine so we can use
155 * `secp256k1_gej_add_ge_var` to perform the additions. For each addition, we store
156 * the resulting y-coordinate and the z-ratio, since we only have enough memory to
157 * store two field elements. These are sufficient to efficiently undo the isomorphism
158 * and recompute all the `x`s.
164 secp256k1_ge_set_gej_zinv(&p_ge, a, &d.z);
170 for (i = 0; i < (n - 1); i++) {
171 secp256k1_fe_normalize_var(&pj.y);
172 secp256k1_fe_to_storage(&pre[i].y, &pj.y);
173 secp256k1_gej_add_ge_var(&pj, &pj, &d_ge, &zr);
174 secp256k1_fe_normalize_var(&zr);
175 secp256k1_fe_to_storage(&pre[i].x, &zr);
178 /* Invert d.z in the same batch, preserving pj.z so we can extract 1/d.z */
179 secp256k1_fe_mul(&zi, &pj.z, &d.z);
180 secp256k1_fe_inv_var(&zi, &zi);
182 /* Directly set `pre[n - 1]` to `pj`, saving the inverted z-coordinate so
183 * that we can combine it with the saved z-ratios to compute the other zs
184 * without any more inversions. */
185 secp256k1_ge_set_gej_zinv(&p_ge, &pj, &zi);
186 secp256k1_ge_to_storage(&pre[n - 1], &p_ge);
188 /* Compute the actual x-coordinate of D, which will be needed below. */
189 secp256k1_fe_mul(&d.z, &zi, &pj.z); /* d.z = 1/d.z */
190 secp256k1_fe_sqr(&dx_over_dz_squared, &d.z);
191 secp256k1_fe_mul(&dx_over_dz_squared, &dx_over_dz_squared, &d.x);
195 secp256k1_fe zi2, zi3;
196 const secp256k1_fe *rzr;
199 secp256k1_ge_from_storage(&p_ge, &pre[i]);
201 /* For the remaining points, we extract the z-ratio from the stored
202 * x-coordinate, compute its z^-1 from that, and compute the full
203 * point from that. */
205 secp256k1_fe_mul(&zi, &zi, rzr);
206 secp256k1_fe_sqr(&zi2, &zi);
207 secp256k1_fe_mul(&zi3, &zi2, &zi);
208 /* To compute the actual x-coordinate, we use the stored z ratio and
209 * y-coordinate, which we obtained from `secp256k1_gej_add_ge_var`
210 * in the loop above, as well as the inverse of the square of its
211 * z-coordinate. We store the latter in the `zi2` variable, which is
212 * computed iteratively starting from the overall Z inverse then
213 * multiplying by each z-ratio in turn.
215 * Denoting the z-ratio as `rzr` (though the actual variable binding
216 * is `p_ge.x`), we observe that it equal to `h` from the inside
217 * of the above `gej_add_ge_var` call. This satisfies
219 * rzr = d_x * z^2 - x
221 * where `d_x` is the x coordinate of `D` and `(x, z)` are Jacobian
222 * coordinates of our desired point.
224 * Rearranging and dividing by `z^2` to convert to affine, we get
226 * x = d_x - rzr / z^2
229 secp256k1_fe_mul(&p_ge.x, rzr, &zi2);
230 secp256k1_fe_negate(&p_ge.x, &p_ge.x, 1);
231 secp256k1_fe_add(&p_ge.x, &dx_over_dz_squared);
232 /* y is stored_y/z^3, as we expect */
233 secp256k1_fe_mul(&p_ge.y, &p_ge.y, &zi3);
235 secp256k1_ge_to_storage(&pre[i], &p_ge);
239 /** The following two macro retrieves a particular odd multiple from a table
240 * of precomputed multiples. */
241 #define ECMULT_TABLE_GET_GE(r,pre,n,w) do { \
242 VERIFY_CHECK(((n) & 1) == 1); \
243 VERIFY_CHECK((n) >= -((1 << ((w)-1)) - 1)); \
244 VERIFY_CHECK((n) <= ((1 << ((w)-1)) - 1)); \
246 *(r) = (pre)[((n)-1)/2]; \
248 secp256k1_ge_neg((r), &(pre)[(-(n)-1)/2]); \
252 #define ECMULT_TABLE_GET_GE_STORAGE(r,pre,n,w) do { \
253 VERIFY_CHECK(((n) & 1) == 1); \
254 VERIFY_CHECK((n) >= -((1 << ((w)-1)) - 1)); \
255 VERIFY_CHECK((n) <= ((1 << ((w)-1)) - 1)); \
257 secp256k1_ge_from_storage((r), &(pre)[((n)-1)/2]); \
259 secp256k1_ge_from_storage((r), &(pre)[(-(n)-1)/2]); \
260 secp256k1_ge_neg((r), (r)); \
264 static void secp256k1_ecmult_context_init(secp256k1_ecmult_context *ctx) {
266 #ifdef USE_ENDOMORPHISM
267 ctx->pre_g_128 = NULL;
271 static void secp256k1_ecmult_context_build(secp256k1_ecmult_context *ctx, const secp256k1_callback *cb) {
274 if (ctx->pre_g != NULL) {
278 /* get the generator */
279 secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
281 ctx->pre_g = (secp256k1_ge_storage (*)[])checked_malloc(cb, sizeof((*ctx->pre_g)[0]) * ECMULT_TABLE_SIZE(WINDOW_G));
283 /* precompute the tables with odd multiples */
284 secp256k1_ecmult_odd_multiples_table_storage_var(ECMULT_TABLE_SIZE(WINDOW_G), *ctx->pre_g, &gj);
286 #ifdef USE_ENDOMORPHISM
288 secp256k1_gej g_128j;
291 ctx->pre_g_128 = (secp256k1_ge_storage (*)[])checked_malloc(cb, sizeof((*ctx->pre_g_128)[0]) * ECMULT_TABLE_SIZE(WINDOW_G));
293 /* calculate 2^128*generator */
295 for (i = 0; i < 128; i++) {
296 secp256k1_gej_double_var(&g_128j, &g_128j, NULL);
298 secp256k1_ecmult_odd_multiples_table_storage_var(ECMULT_TABLE_SIZE(WINDOW_G), *ctx->pre_g_128, &g_128j);
303 static void secp256k1_ecmult_context_clone(secp256k1_ecmult_context *dst,
304 const secp256k1_ecmult_context *src, const secp256k1_callback *cb) {
305 if (src->pre_g == NULL) {
308 size_t size = sizeof((*dst->pre_g)[0]) * ECMULT_TABLE_SIZE(WINDOW_G);
309 dst->pre_g = (secp256k1_ge_storage (*)[])checked_malloc(cb, size);
310 memcpy(dst->pre_g, src->pre_g, size);
312 #ifdef USE_ENDOMORPHISM
313 if (src->pre_g_128 == NULL) {
314 dst->pre_g_128 = NULL;
316 size_t size = sizeof((*dst->pre_g_128)[0]) * ECMULT_TABLE_SIZE(WINDOW_G);
317 dst->pre_g_128 = (secp256k1_ge_storage (*)[])checked_malloc(cb, size);
318 memcpy(dst->pre_g_128, src->pre_g_128, size);
323 static int secp256k1_ecmult_context_is_built(const secp256k1_ecmult_context *ctx) {
324 return ctx->pre_g != NULL;
327 static void secp256k1_ecmult_context_clear(secp256k1_ecmult_context *ctx) {
329 #ifdef USE_ENDOMORPHISM
330 free(ctx->pre_g_128);
332 secp256k1_ecmult_context_init(ctx);
335 /** Convert a number to WNAF notation. The number becomes represented by sum(2^i * wnaf[i], i=0..bits),
336 * with the following guarantees:
337 * - each wnaf[i] is either 0, or an odd integer between -(1<<(w-1) - 1) and (1<<(w-1) - 1)
338 * - two non-zero entries in wnaf are separated by at least w-1 zeroes.
339 * - the number of set values in wnaf is returned. This number is at most 256, and at most one more
340 * than the number of bits in the (absolute value) of the input.
342 static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a, int w) {
343 secp256k1_scalar s = *a;
344 int last_set_bit = -1;
349 VERIFY_CHECK(wnaf != NULL);
350 VERIFY_CHECK(0 <= len && len <= 256);
351 VERIFY_CHECK(a != NULL);
352 VERIFY_CHECK(2 <= w && w <= 31);
354 memset(wnaf, 0, len * sizeof(wnaf[0]));
356 if (secp256k1_scalar_get_bits(&s, 255, 1)) {
357 secp256k1_scalar_negate(&s, &s);
364 if (secp256k1_scalar_get_bits(&s, bit, 1) == (unsigned int)carry) {
370 if (now > len - bit) {
374 word = secp256k1_scalar_get_bits_var(&s, bit, now) + carry;
376 carry = (word >> (w-1)) & 1;
379 wnaf[bit] = sign * word;
387 CHECK(secp256k1_scalar_get_bits(&s, bit++, 1) == 0);
390 return last_set_bit + 1;
393 struct secp256k1_strauss_point_state {
394 #ifdef USE_ENDOMORPHISM
395 secp256k1_scalar na_1, na_lam;
397 int wnaf_na_lam[130];
407 struct secp256k1_strauss_state {
411 #ifdef USE_ENDOMORPHISM
412 secp256k1_ge* pre_a_lam;
414 struct secp256k1_strauss_point_state* ps;
417 static void secp256k1_ecmult_strauss_wnaf(const secp256k1_ecmult_context *ctx, const struct secp256k1_strauss_state *state, secp256k1_gej *r, int num, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng) {
420 #ifdef USE_ENDOMORPHISM
421 /* Splitted G factors. */
422 secp256k1_scalar ng_1, ng_128;
425 int wnaf_ng_128[129];
436 for (np = 0; np < num; ++np) {
437 if (secp256k1_scalar_is_zero(&na[np]) || secp256k1_gej_is_infinity(&a[np])) {
440 state->ps[no].input_pos = np;
441 #ifdef USE_ENDOMORPHISM
442 /* split na into na_1 and na_lam (where na = na_1 + na_lam*lambda, and na_1 and na_lam are ~128 bit) */
443 secp256k1_scalar_split_lambda(&state->ps[no].na_1, &state->ps[no].na_lam, &na[np]);
445 /* build wnaf representation for na_1 and na_lam. */
446 state->ps[no].bits_na_1 = secp256k1_ecmult_wnaf(state->ps[no].wnaf_na_1, 130, &state->ps[no].na_1, WINDOW_A);
447 state->ps[no].bits_na_lam = secp256k1_ecmult_wnaf(state->ps[no].wnaf_na_lam, 130, &state->ps[no].na_lam, WINDOW_A);
448 VERIFY_CHECK(state->ps[no].bits_na_1 <= 130);
449 VERIFY_CHECK(state->ps[no].bits_na_lam <= 130);
450 if (state->ps[no].bits_na_1 > bits) {
451 bits = state->ps[no].bits_na_1;
453 if (state->ps[no].bits_na_lam > bits) {
454 bits = state->ps[no].bits_na_lam;
457 /* build wnaf representation for na. */
458 state->ps[no].bits_na = secp256k1_ecmult_wnaf(state->ps[no].wnaf_na, 256, &na[np], WINDOW_A);
459 if (state->ps[no].bits_na > bits) {
460 bits = state->ps[no].bits_na;
466 /* Calculate odd multiples of a.
467 * All multiples are brought to the same Z 'denominator', which is stored
468 * in Z. Due to secp256k1' isomorphism we can do all operations pretending
469 * that the Z coordinate was 1, use affine addition formulae, and correct
470 * the Z coordinate of the result once at the end.
471 * The exception is the precomputed G table points, which are actually
472 * affine. Compared to the base used for other points, they have a Z ratio
473 * of 1/Z, so we can use secp256k1_gej_add_zinv_var, which uses the same
474 * isomorphism to efficiently add with a known Z inverse.
477 /* Compute the odd multiples in Jacobian form. */
478 secp256k1_ecmult_odd_multiples_table(ECMULT_TABLE_SIZE(WINDOW_A), state->prej, state->zr, &a[state->ps[0].input_pos]);
479 for (np = 1; np < no; ++np) {
480 secp256k1_gej tmp = a[state->ps[np].input_pos];
482 secp256k1_fe_normalize_var(&(state->prej[(np - 1) * ECMULT_TABLE_SIZE(WINDOW_A) + ECMULT_TABLE_SIZE(WINDOW_A) - 1].z));
484 secp256k1_gej_rescale(&tmp, &(state->prej[(np - 1) * ECMULT_TABLE_SIZE(WINDOW_A) + ECMULT_TABLE_SIZE(WINDOW_A) - 1].z));
485 secp256k1_ecmult_odd_multiples_table(ECMULT_TABLE_SIZE(WINDOW_A), state->prej + np * ECMULT_TABLE_SIZE(WINDOW_A), state->zr + np * ECMULT_TABLE_SIZE(WINDOW_A), &tmp);
486 secp256k1_fe_mul(state->zr + np * ECMULT_TABLE_SIZE(WINDOW_A), state->zr + np * ECMULT_TABLE_SIZE(WINDOW_A), &(a[state->ps[np].input_pos].z));
488 /* Bring them to the same Z denominator. */
489 secp256k1_ge_globalz_set_table_gej(ECMULT_TABLE_SIZE(WINDOW_A) * no, state->pre_a, &Z, state->prej, state->zr);
491 secp256k1_fe_set_int(&Z, 1);
494 #ifdef USE_ENDOMORPHISM
495 for (np = 0; np < no; ++np) {
496 for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) {
497 secp256k1_ge_mul_lambda(&state->pre_a_lam[np * ECMULT_TABLE_SIZE(WINDOW_A) + i], &state->pre_a[np * ECMULT_TABLE_SIZE(WINDOW_A) + i]);
502 /* split ng into ng_1 and ng_128 (where gn = gn_1 + gn_128*2^128, and gn_1 and gn_128 are ~128 bit) */
503 secp256k1_scalar_split_128(&ng_1, &ng_128, ng);
505 /* Build wnaf representation for ng_1 and ng_128 */
506 bits_ng_1 = secp256k1_ecmult_wnaf(wnaf_ng_1, 129, &ng_1, WINDOW_G);
507 bits_ng_128 = secp256k1_ecmult_wnaf(wnaf_ng_128, 129, &ng_128, WINDOW_G);
508 if (bits_ng_1 > bits) {
511 if (bits_ng_128 > bits) {
517 bits_ng = secp256k1_ecmult_wnaf(wnaf_ng, 256, ng, WINDOW_G);
518 if (bits_ng > bits) {
524 secp256k1_gej_set_infinity(r);
526 for (i = bits - 1; i >= 0; i--) {
528 secp256k1_gej_double_var(r, r, NULL);
529 #ifdef USE_ENDOMORPHISM
530 for (np = 0; np < no; ++np) {
531 if (i < state->ps[np].bits_na_1 && (n = state->ps[np].wnaf_na_1[i])) {
532 ECMULT_TABLE_GET_GE(&tmpa, state->pre_a + np * ECMULT_TABLE_SIZE(WINDOW_A), n, WINDOW_A);
533 secp256k1_gej_add_ge_var(r, r, &tmpa, NULL);
535 if (i < state->ps[np].bits_na_lam && (n = state->ps[np].wnaf_na_lam[i])) {
536 ECMULT_TABLE_GET_GE(&tmpa, state->pre_a_lam + np * ECMULT_TABLE_SIZE(WINDOW_A), n, WINDOW_A);
537 secp256k1_gej_add_ge_var(r, r, &tmpa, NULL);
540 if (i < bits_ng_1 && (n = wnaf_ng_1[i])) {
541 ECMULT_TABLE_GET_GE_STORAGE(&tmpa, *ctx->pre_g, n, WINDOW_G);
542 secp256k1_gej_add_zinv_var(r, r, &tmpa, &Z);
544 if (i < bits_ng_128 && (n = wnaf_ng_128[i])) {
545 ECMULT_TABLE_GET_GE_STORAGE(&tmpa, *ctx->pre_g_128, n, WINDOW_G);
546 secp256k1_gej_add_zinv_var(r, r, &tmpa, &Z);
549 for (np = 0; np < no; ++np) {
550 if (i < state->ps[np].bits_na && (n = state->ps[np].wnaf_na[i])) {
551 ECMULT_TABLE_GET_GE(&tmpa, state->pre_a + np * ECMULT_TABLE_SIZE(WINDOW_A), n, WINDOW_A);
552 secp256k1_gej_add_ge_var(r, r, &tmpa, NULL);
555 if (i < bits_ng && (n = wnaf_ng[i])) {
556 ECMULT_TABLE_GET_GE_STORAGE(&tmpa, *ctx->pre_g, n, WINDOW_G);
557 secp256k1_gej_add_zinv_var(r, r, &tmpa, &Z);
563 secp256k1_fe_mul(&r->z, &r->z, &Z);
567 static void secp256k1_ecmult(const secp256k1_ecmult_context *ctx, secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng) {
568 secp256k1_gej prej[ECMULT_TABLE_SIZE(WINDOW_A)];
569 secp256k1_fe zr[ECMULT_TABLE_SIZE(WINDOW_A)];
570 secp256k1_ge pre_a[ECMULT_TABLE_SIZE(WINDOW_A)];
571 struct secp256k1_strauss_point_state ps[1];
572 #ifdef USE_ENDOMORPHISM
573 secp256k1_ge pre_a_lam[ECMULT_TABLE_SIZE(WINDOW_A)];
575 struct secp256k1_strauss_state state;
580 #ifdef USE_ENDOMORPHISM
581 state.pre_a_lam = pre_a_lam;
584 secp256k1_ecmult_strauss_wnaf(ctx, &state, r, 1, a, na, ng);
587 static size_t secp256k1_strauss_scratch_size(size_t n_points) {
588 #ifdef USE_ENDOMORPHISM
589 static const size_t point_size = (2 * sizeof(secp256k1_ge) + sizeof(secp256k1_gej) + sizeof(secp256k1_fe)) * ECMULT_TABLE_SIZE(WINDOW_A) + sizeof(struct secp256k1_strauss_point_state) + sizeof(secp256k1_gej) + sizeof(secp256k1_scalar);
591 static const size_t point_size = (sizeof(secp256k1_ge) + sizeof(secp256k1_gej) + sizeof(secp256k1_fe)) * ECMULT_TABLE_SIZE(WINDOW_A) + sizeof(struct secp256k1_strauss_point_state) + sizeof(secp256k1_gej) + sizeof(secp256k1_scalar);
593 return n_points*point_size;
596 static int secp256k1_ecmult_strauss_batch(const secp256k1_ecmult_context *ctx, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n_points, size_t cb_offset) {
597 secp256k1_gej* points;
598 secp256k1_scalar* scalars;
599 struct secp256k1_strauss_state state;
602 secp256k1_gej_set_infinity(r);
603 if (inp_g_sc == NULL && n_points == 0) {
607 if (!secp256k1_scratch_allocate_frame(scratch, secp256k1_strauss_scratch_size(n_points), STRAUSS_SCRATCH_OBJECTS)) {
610 points = (secp256k1_gej*)secp256k1_scratch_alloc(scratch, n_points * sizeof(secp256k1_gej));
611 scalars = (secp256k1_scalar*)secp256k1_scratch_alloc(scratch, n_points * sizeof(secp256k1_scalar));
612 state.prej = (secp256k1_gej*)secp256k1_scratch_alloc(scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(secp256k1_gej));
613 state.zr = (secp256k1_fe*)secp256k1_scratch_alloc(scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(secp256k1_fe));
614 #ifdef USE_ENDOMORPHISM
615 state.pre_a = (secp256k1_ge*)secp256k1_scratch_alloc(scratch, n_points * 2 * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(secp256k1_ge));
616 state.pre_a_lam = state.pre_a + n_points * ECMULT_TABLE_SIZE(WINDOW_A);
618 state.pre_a = (secp256k1_ge*)secp256k1_scratch_alloc(scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(secp256k1_ge));
620 state.ps = (struct secp256k1_strauss_point_state*)secp256k1_scratch_alloc(scratch, n_points * sizeof(struct secp256k1_strauss_point_state));
622 for (i = 0; i < n_points; i++) {
624 if (!cb(&scalars[i], &point, i+cb_offset, cbdata)) {
625 secp256k1_scratch_deallocate_frame(scratch);
628 secp256k1_gej_set_ge(&points[i], &point);
630 secp256k1_ecmult_strauss_wnaf(ctx, &state, r, n_points, points, scalars, inp_g_sc);
631 secp256k1_scratch_deallocate_frame(scratch);
635 /* Wrapper for secp256k1_ecmult_multi_func interface */
636 static int secp256k1_ecmult_strauss_batch_single(const secp256k1_ecmult_context *actx, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n) {
637 return secp256k1_ecmult_strauss_batch(actx, scratch, r, inp_g_sc, cb, cbdata, n, 0);
640 static size_t secp256k1_strauss_max_points(secp256k1_scratch *scratch) {
641 return secp256k1_scratch_max_allocation(scratch, STRAUSS_SCRATCH_OBJECTS) / secp256k1_strauss_scratch_size(1);
644 /** Convert a number to WNAF notation.
645 * The number becomes represented by sum(2^{wi} * wnaf[i], i=0..WNAF_SIZE(w)+1) - return_val.
646 * It has the following guarantees:
647 * - each wnaf[i] is either 0 or an odd integer between -(1 << w) and (1 << w)
648 * - the number of words set is always WNAF_SIZE(w)
649 * - the returned skew is 0 or 1
651 static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w) {
656 const secp256k1_scalar *work = s;
658 if (secp256k1_scalar_is_zero(s)) {
659 for (pos = 0; pos < WNAF_SIZE(w); pos++) {
665 if (secp256k1_scalar_is_even(s)) {
669 wnaf[0] = secp256k1_scalar_get_bits_var(work, 0, w) + skew;
670 /* Compute last window size. Relevant when window size doesn't divide the
671 * number of bits in the scalar */
672 last_w = WNAF_BITS - (WNAF_SIZE(w) - 1) * w;
674 /* Store the position of the first nonzero word in max_pos to allow
675 * skipping leading zeros when calculating the wnaf. */
676 for (pos = WNAF_SIZE(w) - 1; pos > 0; pos--) {
677 int val = secp256k1_scalar_get_bits_var(work, pos * w, pos == WNAF_SIZE(w)-1 ? last_w : w);
686 while (pos <= max_pos) {
687 int val = secp256k1_scalar_get_bits_var(work, pos * w, pos == WNAF_SIZE(w)-1 ? last_w : w);
688 if ((val & 1) == 0) {
689 wnaf[pos - 1] -= (1 << w);
690 wnaf[pos] = (val + 1);
694 /* Set a coefficient to zero if it is 1 or -1 and the proceeding digit
695 * is strictly negative or strictly positive respectively. Only change
696 * coefficients at previous positions because above code assumes that
697 * wnaf[pos - 1] is odd.
699 if (pos >= 2 && ((wnaf[pos - 1] == 1 && wnaf[pos - 2] < 0) || (wnaf[pos - 1] == -1 && wnaf[pos - 2] > 0))) {
700 if (wnaf[pos - 1] == 1) {
701 wnaf[pos - 2] += 1 << w;
703 wnaf[pos - 2] -= 1 << w;
713 struct secp256k1_pippenger_point_state {
718 struct secp256k1_pippenger_state {
720 struct secp256k1_pippenger_point_state* ps;
724 * pippenger_wnaf computes the result of a multi-point multiplication as
725 * follows: The scalars are brought into wnaf with n_wnaf elements each. Then
726 * for every i < n_wnaf, first each point is added to a "bucket" corresponding
727 * to the point's wnaf[i]. Second, the buckets are added together such that
728 * r += 1*bucket[0] + 3*bucket[1] + 5*bucket[2] + ...
730 static int secp256k1_ecmult_pippenger_wnaf(secp256k1_gej *buckets, int bucket_window, struct secp256k1_pippenger_state *state, secp256k1_gej *r, const secp256k1_scalar *sc, const secp256k1_ge *pt, size_t num) {
731 size_t n_wnaf = WNAF_SIZE(bucket_window+1);
737 for (np = 0; np < num; ++np) {
738 if (secp256k1_scalar_is_zero(&sc[np]) || secp256k1_ge_is_infinity(&pt[np])) {
741 state->ps[no].input_pos = np;
742 state->ps[no].skew_na = secp256k1_wnaf_fixed(&state->wnaf_na[no*n_wnaf], &sc[np], bucket_window+1);
745 secp256k1_gej_set_infinity(r);
751 for (i = n_wnaf - 1; i >= 0; i--) {
752 secp256k1_gej running_sum;
754 for(j = 0; j < ECMULT_TABLE_SIZE(bucket_window+2); j++) {
755 secp256k1_gej_set_infinity(&buckets[j]);
758 for (np = 0; np < no; ++np) {
759 int n = state->wnaf_na[np*n_wnaf + i];
760 struct secp256k1_pippenger_point_state point_state = state->ps[np];
765 /* correct for wnaf skew */
766 int skew = point_state.skew_na;
768 secp256k1_ge_neg(&tmp, &pt[point_state.input_pos]);
769 secp256k1_gej_add_ge_var(&buckets[0], &buckets[0], &tmp, NULL);
774 secp256k1_gej_add_ge_var(&buckets[idx], &buckets[idx], &pt[point_state.input_pos], NULL);
777 secp256k1_ge_neg(&tmp, &pt[point_state.input_pos]);
778 secp256k1_gej_add_ge_var(&buckets[idx], &buckets[idx], &tmp, NULL);
782 for(j = 0; j < bucket_window; j++) {
783 secp256k1_gej_double_var(r, r, NULL);
786 secp256k1_gej_set_infinity(&running_sum);
787 /* Accumulate the sum: bucket[0] + 3*bucket[1] + 5*bucket[2] + 7*bucket[3] + ...
788 * = bucket[0] + bucket[1] + bucket[2] + bucket[3] + ...
789 * + 2 * (bucket[1] + 2*bucket[2] + 3*bucket[3] + ...)
790 * using an intermediate running sum:
791 * running_sum = bucket[0] + bucket[1] + bucket[2] + ...
793 * The doubling is done implicitly by deferring the final window doubling (of 'r').
795 for(j = ECMULT_TABLE_SIZE(bucket_window+2) - 1; j > 0; j--) {
796 secp256k1_gej_add_var(&running_sum, &running_sum, &buckets[j], NULL);
797 secp256k1_gej_add_var(r, r, &running_sum, NULL);
800 secp256k1_gej_add_var(&running_sum, &running_sum, &buckets[0], NULL);
801 secp256k1_gej_double_var(r, r, NULL);
802 secp256k1_gej_add_var(r, r, &running_sum, NULL);
808 * Returns optimal bucket_window (number of bits of a scalar represented by a
809 * set of buckets) for a given number of points.
811 static int secp256k1_pippenger_bucket_window(size_t n) {
812 #ifdef USE_ENDOMORPHISM
817 } else if (n <= 20) {
819 } else if (n <= 57) {
821 } else if (n <= 136) {
823 } else if (n <= 235) {
825 } else if (n <= 1260) {
827 } else if (n <= 4420) {
829 } else if (n <= 7880) {
831 } else if (n <= 16050) {
834 return PIPPENGER_MAX_BUCKET_WINDOW;
839 } else if (n <= 11) {
841 } else if (n <= 45) {
843 } else if (n <= 100) {
845 } else if (n <= 275) {
847 } else if (n <= 625) {
849 } else if (n <= 1850) {
851 } else if (n <= 3400) {
853 } else if (n <= 9630) {
855 } else if (n <= 17900) {
857 } else if (n <= 32800) {
860 return PIPPENGER_MAX_BUCKET_WINDOW;
866 * Returns the maximum optimal number of points for a bucket_window.
868 static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window) {
869 switch(bucket_window) {
870 #ifdef USE_ENDOMORPHISM
880 case 10: return 7880;
881 case 11: return 16050;
882 case PIPPENGER_MAX_BUCKET_WINDOW: return SIZE_MAX;
893 case 10: return 17900;
894 case 11: return 32800;
895 case PIPPENGER_MAX_BUCKET_WINDOW: return SIZE_MAX;
902 #ifdef USE_ENDOMORPHISM
903 SECP256K1_INLINE static void secp256k1_ecmult_endo_split(secp256k1_scalar *s1, secp256k1_scalar *s2, secp256k1_ge *p1, secp256k1_ge *p2) {
904 secp256k1_scalar tmp = *s1;
905 secp256k1_scalar_split_lambda(s1, s2, &tmp);
906 secp256k1_ge_mul_lambda(p2, p1);
908 if (secp256k1_scalar_is_high(s1)) {
909 secp256k1_scalar_negate(s1, s1);
910 secp256k1_ge_neg(p1, p1);
912 if (secp256k1_scalar_is_high(s2)) {
913 secp256k1_scalar_negate(s2, s2);
914 secp256k1_ge_neg(p2, p2);
920 * Returns the scratch size required for a given number of points (excluding
921 * base point G) without considering alignment.
923 static size_t secp256k1_pippenger_scratch_size(size_t n_points, int bucket_window) {
924 #ifdef USE_ENDOMORPHISM
925 size_t entries = 2*n_points + 2;
927 size_t entries = n_points + 1;
929 size_t entry_size = sizeof(secp256k1_ge) + sizeof(secp256k1_scalar) + sizeof(struct secp256k1_pippenger_point_state) + (WNAF_SIZE(bucket_window+1)+1)*sizeof(int);
930 return ((1<<bucket_window) * sizeof(secp256k1_gej) + sizeof(struct secp256k1_pippenger_state) + entries * entry_size);
933 static int secp256k1_ecmult_pippenger_batch(const secp256k1_ecmult_context *ctx, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n_points, size_t cb_offset) {
934 /* Use 2(n+1) with the endomorphism, n+1 without, when calculating batch
935 * sizes. The reason for +1 is that we add the G scalar to the list of
937 #ifdef USE_ENDOMORPHISM
938 size_t entries = 2*n_points + 2;
940 size_t entries = n_points + 1;
942 secp256k1_ge *points;
943 secp256k1_scalar *scalars;
944 secp256k1_gej *buckets;
945 struct secp256k1_pippenger_state *state_space;
947 size_t point_idx = 0;
952 secp256k1_gej_set_infinity(r);
953 if (inp_g_sc == NULL && n_points == 0) {
957 bucket_window = secp256k1_pippenger_bucket_window(n_points);
958 if (!secp256k1_scratch_allocate_frame(scratch, secp256k1_pippenger_scratch_size(n_points, bucket_window), PIPPENGER_SCRATCH_OBJECTS)) {
961 points = (secp256k1_ge *) secp256k1_scratch_alloc(scratch, entries * sizeof(*points));
962 scalars = (secp256k1_scalar *) secp256k1_scratch_alloc(scratch, entries * sizeof(*scalars));
963 state_space = (struct secp256k1_pippenger_state *) secp256k1_scratch_alloc(scratch, sizeof(*state_space));
964 state_space->ps = (struct secp256k1_pippenger_point_state *) secp256k1_scratch_alloc(scratch, entries * sizeof(*state_space->ps));
965 state_space->wnaf_na = (int *) secp256k1_scratch_alloc(scratch, entries*(WNAF_SIZE(bucket_window+1)) * sizeof(int));
966 buckets = (secp256k1_gej *) secp256k1_scratch_alloc(scratch, (1<<bucket_window) * sizeof(*buckets));
968 if (inp_g_sc != NULL) {
969 scalars[0] = *inp_g_sc;
970 points[0] = secp256k1_ge_const_g;
972 #ifdef USE_ENDOMORPHISM
973 secp256k1_ecmult_endo_split(&scalars[0], &scalars[1], &points[0], &points[1]);
978 while (point_idx < n_points) {
979 if (!cb(&scalars[idx], &points[idx], point_idx + cb_offset, cbdata)) {
980 secp256k1_scratch_deallocate_frame(scratch);
984 #ifdef USE_ENDOMORPHISM
985 secp256k1_ecmult_endo_split(&scalars[idx - 1], &scalars[idx], &points[idx - 1], &points[idx]);
991 secp256k1_ecmult_pippenger_wnaf(buckets, bucket_window, state_space, r, scalars, points, idx);
994 for(i = 0; (size_t)i < idx; i++) {
995 secp256k1_scalar_clear(&scalars[i]);
996 state_space->ps[i].skew_na = 0;
997 for(j = 0; j < WNAF_SIZE(bucket_window+1); j++) {
998 state_space->wnaf_na[i * WNAF_SIZE(bucket_window+1) + j] = 0;
1001 for(i = 0; i < 1<<bucket_window; i++) {
1002 secp256k1_gej_clear(&buckets[i]);
1004 secp256k1_scratch_deallocate_frame(scratch);
1008 /* Wrapper for secp256k1_ecmult_multi_func interface */
1009 static int secp256k1_ecmult_pippenger_batch_single(const secp256k1_ecmult_context *actx, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n) {
1010 return secp256k1_ecmult_pippenger_batch(actx, scratch, r, inp_g_sc, cb, cbdata, n, 0);
1014 * Returns the maximum number of points in addition to G that can be used with
1015 * a given scratch space. The function ensures that fewer points may also be
1018 static size_t secp256k1_pippenger_max_points(secp256k1_scratch *scratch) {
1019 size_t max_alloc = secp256k1_scratch_max_allocation(scratch, PIPPENGER_SCRATCH_OBJECTS);
1023 for (bucket_window = 1; bucket_window <= PIPPENGER_MAX_BUCKET_WINDOW; bucket_window++) {
1025 size_t max_points = secp256k1_pippenger_bucket_window_inv(bucket_window);
1026 size_t space_for_points;
1027 size_t space_overhead;
1028 size_t entry_size = sizeof(secp256k1_ge) + sizeof(secp256k1_scalar) + sizeof(struct secp256k1_pippenger_point_state) + (WNAF_SIZE(bucket_window+1)+1)*sizeof(int);
1030 #ifdef USE_ENDOMORPHISM
1031 entry_size = 2*entry_size;
1033 space_overhead = ((1<<bucket_window) * sizeof(secp256k1_gej) + entry_size + sizeof(struct secp256k1_pippenger_state));
1034 if (space_overhead > max_alloc) {
1037 space_for_points = max_alloc - space_overhead;
1039 n_points = space_for_points/entry_size;
1040 n_points = n_points > max_points ? max_points : n_points;
1041 if (n_points > res) {
1044 if (n_points < max_points) {
1045 /* A larger bucket_window may support even more points. But if we
1046 * would choose that then the caller couldn't safely use any number
1047 * smaller than what this function returns */
1054 typedef int (*secp256k1_ecmult_multi_func)(const secp256k1_ecmult_context*, secp256k1_scratch*, secp256k1_gej*, const secp256k1_scalar*, secp256k1_ecmult_multi_callback cb, void*, size_t);
1055 static int secp256k1_ecmult_multi_var(const secp256k1_ecmult_context *ctx, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n) {
1058 int (*f)(const secp256k1_ecmult_context*, secp256k1_scratch*, secp256k1_gej*, const secp256k1_scalar*, secp256k1_ecmult_multi_callback cb, void*, size_t, size_t);
1061 size_t n_batch_points;
1063 secp256k1_gej_set_infinity(r);
1064 if (inp_g_sc == NULL && n == 0) {
1066 } else if (n == 0) {
1067 secp256k1_scalar szero;
1068 secp256k1_scalar_set_int(&szero, 0);
1069 secp256k1_ecmult(ctx, r, r, &szero, inp_g_sc);
1073 max_points = secp256k1_pippenger_max_points(scratch);
1074 if (max_points == 0) {
1076 } else if (max_points > ECMULT_MAX_POINTS_PER_BATCH) {
1077 max_points = ECMULT_MAX_POINTS_PER_BATCH;
1079 n_batches = (n+max_points-1)/max_points;
1080 n_batch_points = (n+n_batches-1)/n_batches;
1082 if (n_batch_points >= ECMULT_PIPPENGER_THRESHOLD) {
1083 f = secp256k1_ecmult_pippenger_batch;
1085 max_points = secp256k1_strauss_max_points(scratch);
1086 if (max_points == 0) {
1089 n_batches = (n+max_points-1)/max_points;
1090 n_batch_points = (n+n_batches-1)/n_batches;
1091 f = secp256k1_ecmult_strauss_batch;
1093 for(i = 0; i < n_batches; i++) {
1094 size_t nbp = n < n_batch_points ? n : n_batch_points;
1095 size_t offset = n_batch_points*i;
1097 if (!f(ctx, scratch, &tmp, i == 0 ? inp_g_sc : NULL, cb, cbdata, nbp, offset)) {
1100 secp256k1_gej_add_var(r, r, &tmp, NULL);
1106 #endif /* SECP256K1_ECMULT_IMPL_H */
projects / secp256k1.git / blob