status-im
/
secp256k1
mirror of https://github.com/status-im/secp256k1.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Eliminate input_pos state field from ecmult_strauss_wnaf.

This commit is contained in:
Russell O'Connor 2021-02-27 14:07:45 -05:00
parent 0397d00ba0
commit fe34d9f341
1 changed files with 21 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
src/ecmult_impl.h
View File

@ -214,7 +214,6 @@ struct secp256k1_strauss_point_state {
int wnaf_na_lam[129]; int wnaf_na_lam[129];
int bits_na_1; int bits_na_1;
int bits_na_lam; int bits_na_lam;
size_t input_pos;
}; };
struct secp256k1_strauss_state { struct secp256k1_strauss_state {
@ -238,12 +237,13 @@ static void secp256k1_ecmult_strauss_wnaf(const struct secp256k1_strauss_state *
size_t np; size_t np;
size_t no = 0; size_t no = 0;
secp256k1_fe_set_int(&Z, 1);
for (np = 0; np < num; ++np) { for (np = 0; np < num; ++np) {
secp256k1_gej tmp;
secp256k1_scalar na_1, na_lam; secp256k1_scalar na_1, na_lam;
if (secp256k1_scalar_is_zero(&na[np]) || secp256k1_gej_is_infinity(&a[np])) { if (secp256k1_scalar_is_zero(&na[np]) || secp256k1_gej_is_infinity(&a[np])) {
continue; continue;
} }
state->ps[no].input_pos = np;
/* split na into na_1 and na_lam (where na = na_1 + na_lam*lambda, and na_1 and na_lam are ~128 bit) */ /* split na into na_1 and na_lam (where na = na_1 + na_lam*lambda, and na_1 and na_lam are ~128 bit) */
secp256k1_scalar_split_lambda(&na_1, &na_lam, &na[np]); secp256k1_scalar_split_lambda(&na_1, &na_lam, &na[np]);
@ -258,37 +258,33 @@ static void secp256k1_ecmult_strauss_wnaf(const struct secp256k1_strauss_state *
if (state->ps[no].bits_na_lam > bits) { if (state->ps[no].bits_na_lam > bits) {
bits = state->ps[no].bits_na_lam; bits = state->ps[no].bits_na_lam;
} }
++no;
}
/* Calculate odd multiples of a. /* Calculate odd multiples of a.
* All multiples are brought to the same Z 'denominator', which is stored * All multiples are brought to the same Z 'denominator', which is stored
* in Z. Due to secp256k1' isomorphism we can do all operations pretending * in Z. Due to secp256k1' isomorphism we can do all operations pretending
* that the Z coordinate was 1, use affine addition formulae, and correct * that the Z coordinate was 1, use affine addition formulae, and correct
* the Z coordinate of the result once at the end. * the Z coordinate of the result once at the end.
* The exception is the precomputed G table points, which are actually * The exception is the precomputed G table points, which are actually
* affine. Compared to the base used for other points, they have a Z ratio * affine. Compared to the base used for other points, they have a Z ratio
* of 1/Z, so we can use secp256k1_gej_add_zinv_var, which uses the same * of 1/Z, so we can use secp256k1_gej_add_zinv_var, which uses the same
* isomorphism to efficiently add with a known Z inverse. * isomorphism to efficiently add with a known Z inverse.
*/ */
if (no > 0) { tmp = a[np];
/* Compute the odd multiples in Jacobian form. */ if (no) {
secp256k1_ecmult_odd_multiples_table(ECMULT_TABLE_SIZE(WINDOW_A), state->pre_a, state->aux, &Z, &a[state->ps[0].input_pos]);
for (np = 1; np < no; ++np) {
secp256k1_gej tmp = a[state->ps[np].input_pos];
#ifdef VERIFY #ifdef VERIFY
secp256k1_fe_normalize_var(&Z); secp256k1_fe_normalize_var(&Z);
#endif #endif
secp256k1_gej_rescale(&tmp, &Z); secp256k1_gej_rescale(&tmp, &Z);
secp256k1_ecmult_odd_multiples_table(ECMULT_TABLE_SIZE(WINDOW_A), state->pre_a + np * ECMULT_TABLE_SIZE(WINDOW_A), state->aux + np * ECMULT_TABLE_SIZE(WINDOW_A), &Z, &tmp);
secp256k1_fe_mul(state->aux + np * ECMULT_TABLE_SIZE(WINDOW_A), state->aux + np * ECMULT_TABLE_SIZE(WINDOW_A), &(a[state->ps[np].input_pos].z));
} }
/* Bring them to the same Z denominator. */ secp256k1_ecmult_odd_multiples_table(ECMULT_TABLE_SIZE(WINDOW_A), state->pre_a + no * ECMULT_TABLE_SIZE(WINDOW_A), state->aux + no * ECMULT_TABLE_SIZE(WINDOW_A), &Z, &tmp);
secp256k1_ge_table_set_globalz(ECMULT_TABLE_SIZE(WINDOW_A) * no, state->pre_a, state->aux); if (no) secp256k1_fe_mul(state->aux + no * ECMULT_TABLE_SIZE(WINDOW_A), state->aux + no * ECMULT_TABLE_SIZE(WINDOW_A), &(a[np].z));
} else {
secp256k1_fe_set_int(&Z, 1); ++no;
} }
/* Bring them to the same Z denominator. */
secp256k1_ge_table_set_globalz(ECMULT_TABLE_SIZE(WINDOW_A) * no, state->pre_a, state->aux);
for (np = 0; np < no; ++np) { for (np = 0; np < no; ++np) {
for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) { for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) {
secp256k1_fe_mul(&state->aux[np * ECMULT_TABLE_SIZE(WINDOW_A) + i], &state->pre_a[np * ECMULT_TABLE_SIZE(WINDOW_A) + i].x, &secp256k1_const_beta); secp256k1_fe_mul(&state->aux[np * ECMULT_TABLE_SIZE(WINDOW_A) + i], &state->pre_a[np * ECMULT_TABLE_SIZE(WINDOW_A) + i].x, &secp256k1_const_beta);