diff options
author | Pieter Wuille <pieter.wuille@gmail.com> | 2014-12-04 19:17:07 +0100 |
---|---|---|
committer | Pieter Wuille <pieter.wuille@gmail.com> | 2014-12-04 19:17:07 +0100 |
commit | 87bddb7a3a83aaad96b5b54b4bac34d8a71b3810 (patch) | |
tree | 8aab2e424df56d5786947d0827e98fe840a8caa6 /src/ecmult_gen_impl.h | |
parent | d48555b36ac512161b81f9b6bca7bea16a0cd806 (diff) | |
download | bitcoin-87bddb7a3a83aaad96b5b54b4bac34d8a71b3810.tar.xz |
Squashed 'src/secp256k1/' changes from ad2028f..b0210a9
b0210a9 Merge pull request #135
ee3eb4b Fix a memory leak and add a number of small tests.
4d879a3 Merge pull request #134
d5e8362 Merge pull request #127
7b92cf6 Merge pull request #132
0bf70a5 Merge pull request #133
29ae131 Make scalar_add_bit test's overflow detection exact
9048def Avoid undefined shift behaviour
efb7d4b Use constant-time conditional moves instead of byte slicing
d220062 Merge pull request #131
82f9254 Fix typo
601ca04 Merge pull request #129
35399e0 Bugfix: b is restricted, not r
c35ff1e Convert lambda splitter to pure scalar code.
cc604e9 Avoid division when decomposing scalars
ff8746d Add secp256k1_scalar_mul_shift_var
bd313f7 Merge pull request #119
276f987 Merge pull request #124
25d125e Merge pull request #126
24b3c65 Add a test case for ECDSA recomputing infinity
32600e5 Add a test for r >= order signature handling
4d4eeea Make secp256k1_fe_mul_inner use the r != property
be82e92 Require that r and b are different for field multiplication.
597128d Make num optional
659b554 Make constant initializers independent from num
0af5b47 Merge pull request #120
e2e8a36 Merge pull request #117
c76be9e Remove unused num functions
4285a98 Move lambda-splitting code to scalar.
f24041d Switch all EC/ECDSA logic from num to scalar
6794be6 Add scalar splitting functions
d1502eb Add secp256k1_scalar_inverse_var which delegates to GMP
b5c9ee7 Make test_point_times_order test meaningful again
0b73059 Switch wnaf splitting from num-based to scalar-based
1e6c77c Generalize secp256k1_scalar_get_bits
5213207 Add secp256k1_scalar_add_bit
3c0ae43 Merge pull request #122
6e05287 Do signature recovery/verification with 4 possible recid case
e3d692f Explain why no y=0 check is necessary for doubling
f7dc1c6 Optimize doubling: secp256k1 has no y=0 point
666d3b5 Merge pull request #121
2a54f9b Correct typo in comment
9d64145 Merge pull request #114
99f0728 Fix secp256k1_num_set_bin handling of 0
d907ebc Add bounds checking to field element setters
bb2cd94 Merge pull request #116
665775b Don't split the g factor when not using endomorphism
9431d6b Merge pull request #115
e2274c5 build: osx: attempt to work with homebrew keg-only packages
git-subtree-dir: src/secp256k1
git-subtree-split: b0210a95da433e048a11d298efbcc14eb423c95f
Diffstat (limited to 'src/ecmult_gen_impl.h')
-rw-r--r-- | src/ecmult_gen_impl.h | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/src/ecmult_gen_impl.h b/src/ecmult_gen_impl.h index 07859ab04b..af0ead522d 100644 --- a/src/ecmult_gen_impl.h +++ b/src/ecmult_gen_impl.h @@ -23,8 +23,8 @@ typedef struct { * precomputed (call it prec(i, n_i)). The formula now becomes sum(prec(i, n_i), i=0..63). * None of the resulting prec group elements have a known scalar, and neither do any of * the intermediate sums while computing a*G. - * To make memory access uniform, the bytes of prec(i, n_i) are sliced per value of n_i. */ - unsigned char prec[64][sizeof(secp256k1_ge_t)][16]; /* prec[j][k][i] = k'th byte of (16^j * i * G + U_i) */ + */ + secp256k1_fe_t prec[64][16][2]; /* prec[j][i] = (16^j * i * G + U_i).{x,y} */ } secp256k1_ecmult_gen_consts_t; static const secp256k1_ecmult_gen_consts_t *secp256k1_ecmult_gen_consts = NULL; @@ -45,7 +45,7 @@ static void secp256k1_ecmult_gen_start(void) { { static const unsigned char nums_b32[32] = "The scalar for this x is unknown"; secp256k1_fe_t nums_x; - secp256k1_fe_set_b32(&nums_x, nums_b32); + VERIFY_CHECK(secp256k1_fe_set_b32(&nums_x, nums_b32)); secp256k1_ge_t nums_ge; VERIFY_CHECK(secp256k1_ge_set_xo(&nums_ge, &nums_x, 0)); secp256k1_gej_set_ge(&nums_gej, &nums_ge); @@ -81,9 +81,9 @@ static void secp256k1_ecmult_gen_start(void) { } for (int j=0; j<64; j++) { for (int i=0; i<16; i++) { - const unsigned char* raw = (const unsigned char*)(&prec[j*16 + i]); - for (size_t k=0; k<sizeof(secp256k1_ge_t); k++) - ret->prec[j][k][i] = raw[k]; + VERIFY_CHECK(!secp256k1_ge_is_infinity(&prec[j*16 + i])); + ret->prec[j][i][0] = prec[j*16 + i].x; + ret->prec[j][i][1] = prec[j*16 + i].y; } } @@ -104,11 +104,14 @@ static void secp256k1_ecmult_gen(secp256k1_gej_t *r, const secp256k1_scalar_t *g const secp256k1_ecmult_gen_consts_t *c = secp256k1_ecmult_gen_consts; secp256k1_gej_set_infinity(r); secp256k1_ge_t add; + add.infinity = 0; int bits; for (int j=0; j<64; j++) { bits = secp256k1_scalar_get_bits(gn, j * 4, 4); - for (size_t k=0; k<sizeof(secp256k1_ge_t); k++) - ((unsigned char*)(&add))[k] = c->prec[j][k][bits]; + for (int i=0; i<16; i++) { + secp256k1_fe_cmov(&add.x, &c->prec[j][i][0], i == bits); + secp256k1_fe_cmov(&add.y, &c->prec[j][i][1], i == bits); + } secp256k1_gej_add_ge(r, r, &add); } bits = 0; |