Working secp mul

2026-01-06 07:43:10 +00:00 · 2022-07-13 19:25:28 +02:00 · 2022-07-13 19:25:28 +02:00 · 7a6c53e921
commit 7a6c53e921
parent a831fab8f8
2 changed files with 110 additions and 1 deletions
--- a/evm/src/cpu/kernel/asm/secp256k1/curve_mul.asm
+++ b/evm/src/cpu/kernel/asm/secp256k1/curve_mul.asm
@ -0,0 +1,109 @@
+// Secp256k1 elliptic curve scalar multiplication.
+// Recursive implementation, same algorithm as in `exp.asm`.
+global ec_mul_secp:
+    JUMPDEST
+    // stack: x, y, s, retdest
+    DUP2
+    // stack: y, x, y, s, retdest
+    DUP2
+    // stack: x, y, x, y, s, retdest
+    %ec_isidentity
+    // stack: (x,y)==(0,0), x, y, s, retdest
+    %jumpi(ret_zero)
+    // stack: x, y, s, retdest
+    DUP2
+    // stack: y, x, y, s, retdest
+    DUP2
+    // stack: x, y, x, y, s, retdest
+    %ec_check_secp
+    // stack: isValid(x, y), x, y, s, retdest
+    %jumpi(ec_mul_valid_point)
+    // stack: x, y, s, retdest
+    %pop3
+    %ec_invalid_input
+
+// Same algorithm as in `exp.asm`
+ec_mul_valid_point:
+    JUMPDEST
+    // stack: x, y, s, retdest
+    DUP3
+    // stack: s, x, y, s, retdest
+    %jumpi(step_case)
+    // stack: x, y, s, retdest
+    %jump(ret_zero)
+
+step_case:
+    JUMPDEST
+    // stack: x, y, s, retdest
+    PUSH recursion_return
+    // stack: recursion_return, x, y, s, retdest
+    PUSH 2
+    // stack: 2, recursion_return, x, y, s, retdest
+    DUP5
+    // stack: s, 2, recursion_return, x, y, s, retdest
+    DIV
+    // stack: s / 2, recursion_return, x, y, s, retdest
+    PUSH step_case_contd
+    // stack: step_case_contd, s / 2, recursion_return, x, y, s, retdest
+    DUP5
+    // stack: y, step_case_contd, s / 2, recursion_return, x, y, s, retdest
+    DUP5
+    // stack: x, y, step_case_contd, s / 2, recursion_return, x, y, s, retdest
+    %jump(ec_double_secp)
+
+// Assumption: 2(x,y) = (x',y')
+step_case_contd:
+    JUMPDEST
+    // stack: x', y', s / 2, recursion_return, x, y, s, retdest
+    %jump(ec_mul_valid_point)
+
+recursion_return:
+    JUMPDEST
+    // stack: x', y', x, y, s, retdest
+    SWAP4
+    // stack: s, y', x, y, x', retdest
+    PUSH 1
+    // stack: 1, s, y', x, y, x', retdest
+    AND
+    // stack: s & 1, y', x, y, x', retdest
+    SWAP1
+    // stack: y', s & 1, x, y, x', retdest
+    SWAP2
+    // stack: x, s & 1, y', y, x', retdest
+    SWAP3
+    // stack: y, s & 1, y', x, x', retdest
+    SWAP4
+    // stack: x', s & 1, y', x, y, retdest
+    SWAP1
+    // stack: s & 1, x', y', x, y, retdest
+    %jumpi(odd_scalar)
+    // stack: x', y', x, y, retdest
+    SWAP3
+    // stack: y, y', x, x', retdest
+    POP
+    // stack: y', x, x', retdest
+    SWAP1
+    // stack: x, y', x', retdest
+    POP
+    // stack: y', x', retdest
+    SWAP2
+    // stack: retdest, x', y'
+    JUMP
+
+odd_scalar:
+    JUMPDEST
+    // stack: x', y', x, y, retdest
+    %jump(ec_add_valid_points_secp)
+
+ret_zero:
+    JUMPDEST
+    // stack: x, y, s, retdest
+    %pop3
+    // stack: retdest
+    PUSH 0
+    // stack: 0, retdest
+    PUSH 0
+    // stack: 0, 0, retdest
+    SWAP2
+    // stack: retdest, 0, 0
+    JUMP
--- a/evm/src/cpu/kernel/tests/curve_ops.rs
+++ b/evm/src/cpu/kernel/tests/curve_ops.rs
@ -148,7 +148,7 @@ mod secp {
        let kernel = combined_kernel();
        let ec_add = kernel.global_labels["ec_add_secp"];
        let ec_double = kernel.global_labels["ec_double_secp"];
-        let ec_mul = kernel.global_labels["ec_mul"];
+        let ec_mul = kernel.global_labels["ec_mul_secp"];
        let identity = ("0x0", "0x0");
        let invalid = ("0x0", "0x3"); // Not on curve
        let point0 = (