Squashed 'src/secp256k1/' changes from ad2028f..b0210a9

b0210a9 Merge pull request #135 ee3eb4b Fix a memory leak and add a number of small tests. 4d879a3 Merge pull request #134 d5e8362 Merge pull request #127 7b92cf6 Merge pull request #132 0bf70a5 Merge pull request #133 29ae131 Make scalar_add_bit test's overflow detection exact 9048def Avoid undefined shift behaviour efb7d4b Use constant-time conditional moves instead of byte slicing d220062 Merge pull request #131 82f9254 Fix typo 601ca04 Merge pull request #129 35399e0 Bugfix: b is restricted, not r c35ff1e Convert lambda splitter to pure scalar code. cc604e9 Avoid division when decomposing scalars ff8746d Add secp256k1_scalar_mul_shift_var bd313f7 Merge pull request #119 276f987 Merge pull request #124 25d125e Merge pull request #126 24b3c65 Add a test case for ECDSA recomputing infinity 32600e5 Add a test for r >= order signature handling 4d4eeea Make secp256k1_fe_mul_inner use the r != property be82e92 Require that r and b are different for field multiplication. 597128d Make num optional 659b554 Make constant initializers independent from num 0af5b47 Merge pull request #120 e2e8a36 Merge pull request #117 c76be9e Remove unused num functions 4285a98 Move lambda-splitting code to scalar. f24041d Switch all EC/ECDSA logic from num to scalar 6794be6 Add scalar splitting functions d1502eb Add secp256k1_scalar_inverse_var which delegates to GMP b5c9ee7 Make test_point_times_order test meaningful again 0b73059 Switch wnaf splitting from num-based to scalar-based 1e6c77c Generalize secp256k1_scalar_get_bits 5213207 Add secp256k1_scalar_add_bit 3c0ae43 Merge pull request #122 6e05287 Do signature recovery/verification with 4 possible recid case e3d692f Explain why no y=0 check is necessary for doubling f7dc1c6 Optimize doubling: secp256k1 has no y=0 point 666d3b5 Merge pull request #121 2a54f9b Correct typo in comment 9d64145 Merge pull request #114 99f0728 Fix secp256k1_num_set_bin handling of 0 d907ebc Add bounds checking to field element setters bb2cd94 Merge pull request #116 665775b Don't split the g factor when not using endomorphism 9431d6b Merge pull request #115 e2274c5 build: osx: attempt to work with homebrew keg-only packages git-subtree-dir: src/secp256k1 git-subtree-split: b0210a95da433e048a11d298efbcc14eb423c95f
author: Pieter Wuille <pieter.wuille@gmail.com> 2014-12-04 19:17:07 +0100
committer: Pieter Wuille <pieter.wuille@gmail.com> 2014-12-04 19:17:07 +0100
commit: 87bddb7a3a83aaad96b5b54b4bac34d8a71b3810 (patch)
tree: 8aab2e424df56d5786947d0827e98fe840a8caa6 /src/ecmult_gen_impl.h
parent: d48555b36ac512161b81f9b6bca7bea16a0cd806 (diff)
download: bitcoin-87bddb7a3a83aaad96b5b54b4bac34d8a71b3810.tar.xz
1 files changed, 11 insertions, 8 deletions
diff --git a/src/ecmult_gen_impl.h b/src/ecmult_gen_impl.h
index 07859ab04b..af0ead522d 100644
--- a/src/ecmult_gen_impl.h
+++ b/src/ecmult_gen_impl.h
@@ -23,8 +23,8 @@ typedef struct {
      * precomputed (call it prec(i, n_i)). The formula now becomes sum(prec(i, n_i), i=0..63).
      * None of the resulting prec group elements have a known scalar, and neither do any of
      * the intermediate sums while computing a*G.
-     * To make memory access uniform, the bytes of prec(i, n_i) are sliced per value of n_i. */
-    unsigned char prec[64][sizeof(secp256k1_ge_t)][16]; /* prec[j][k][i] = k'th byte of (16^j * i * G + U_i) */
+     */
+    secp256k1_fe_t prec[64][16][2]; /* prec[j][i] = (16^j * i * G + U_i).{x,y} */
 } secp256k1_ecmult_gen_consts_t;
 
 static const secp256k1_ecmult_gen_consts_t *secp256k1_ecmult_gen_consts = NULL;
@@ -45,7 +45,7 @@ static void secp256k1_ecmult_gen_start(void) {
     {
         static const unsigned char nums_b32[32] = "The scalar for this x is unknown";
         secp256k1_fe_t nums_x;
-        secp256k1_fe_set_b32(&nums_x, nums_b32);
+        VERIFY_CHECK(secp256k1_fe_set_b32(&nums_x, nums_b32));
         secp256k1_ge_t nums_ge;
         VERIFY_CHECK(secp256k1_ge_set_xo(&nums_ge, &nums_x, 0));
         secp256k1_gej_set_ge(&nums_gej, &nums_ge);
@@ -81,9 +81,9 @@ static void secp256k1_ecmult_gen_start(void) {
     }
     for (int j=0; j<64; j++) {
         for (int i=0; i<16; i++) {
-            const unsigned char* raw = (const unsigned char*)(&prec[j*16 + i]);
-            for (size_t k=0; k<sizeof(secp256k1_ge_t); k++)
-                ret->prec[j][k][i] = raw[k];
+            VERIFY_CHECK(!secp256k1_ge_is_infinity(&prec[j*16 + i]));
+            ret->prec[j][i][0] = prec[j*16 + i].x;
+            ret->prec[j][i][1] = prec[j*16 + i].y;
         }
     }
 
@@ -104,11 +104,14 @@ static void secp256k1_ecmult_gen(secp256k1_gej_t *r, const secp256k1_scalar_t *g
     const secp256k1_ecmult_gen_consts_t *c = secp256k1_ecmult_gen_consts;
     secp256k1_gej_set_infinity(r);
     secp256k1_ge_t add;
+    add.infinity = 0;
     int bits;
     for (int j=0; j<64; j++) {
         bits = secp256k1_scalar_get_bits(gn, j * 4, 4);
-        for (size_t k=0; k<sizeof(secp256k1_ge_t); k++)
-            ((unsigned char*)(&add))[k] = c->prec[j][k][bits];
+        for (int i=0; i<16; i++) {
+            secp256k1_fe_cmov(&add.x, &c->prec[j][i][0], i == bits);
+            secp256k1_fe_cmov(&add.y, &c->prec[j][i][1], i == bits);
+        }
         secp256k1_gej_add_ge(r, r, &add);
     }
     bits = 0;
author	Pieter Wuille <pieter.wuille@gmail.com>	2014-12-04 19:17:07 +0100
committer	Pieter Wuille <pieter.wuille@gmail.com>	2014-12-04 19:17:07 +0100
commit	87bddb7a3a83aaad96b5b54b4bac34d8a71b3810 (patch)
tree	8aab2e424df56d5786947d0827e98fe840a8caa6 /src/ecmult_gen_impl.h
parent	d48555b36ac512161b81f9b6bca7bea16a0cd806 (diff)
download	bitcoin-87bddb7a3a83aaad96b5b54b4bac34d8a71b3810.tar.xz