
Commit 82872d9

committed
Tighter verification bounds in mul/sqr
1 parent b450c34 commit 82872d9

2 files changed

+86
-86
lines changed


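--- a/src/field_10x26_impl.h
+++ b/src/field_10x26_impl.h
@@ -502,11 +502,11 @@ SECP256K1_INLINE static void secp256k1_fe_mul_inner(uint32_t *r, const uint32_t
 uint64_t u1 = d & M; d >>= 26; c += u1 * R0;
 VERIFY_BITS(u1, 26);
 VERIFY_BITS(d, 37);
-VERIFY_BITS(c, 63);
+VERIFY_BITS(c, 62);
 /* [d u1 0 t9 0 0 0 0 0 0 0 c-u1*R0 t0] = [p11 p10 p9 0 0 0 0 0 0 0 p1 p0] */
 uint32_t t1 = c & M; c >>= 26; c += u1 * R1;
 VERIFY_BITS(t1, 26);
-VERIFY_BITS(c, 38);
+VERIFY_BITS(c, 37);
 /* [d u1 0 t9 0 0 0 0 0 0 c-u1*R1 t1-u1*R0 t0] = [p11 p10 p9 0 0 0 0 0 0 0 p1 p0] */
 /* [d 0 0 t9 0 0 0 0 0 0 c t1 t0] = [p11 p10 p9 0 0 0 0 0 0 0 p1 p0] */
 
@@ -527,11 +527,11 @@ SECP256K1_INLINE static void secp256k1_fe_mul_inner(uint32_t *r, const uint32_t
 uint64_t u2 = d & M; d >>= 26; c += u2 * R0;
 VERIFY_BITS(u2, 26);
 VERIFY_BITS(d, 37);
-VERIFY_BITS(c, 63);
+VERIFY_BITS(c, 62);
 /* [d u2 0 0 t9 0 0 0 0 0 0 c-u2*R0 t1 t0] = [p12 p11 p10 p9 0 0 0 0 0 0 p2 p1 p0] */
 uint32_t t2 = c & M; c >>= 26; c += u2 * R1;
 VERIFY_BITS(t2, 26);
-VERIFY_BITS(c, 38);
+VERIFY_BITS(c, 37);
 /* [d u2 0 0 t9 0 0 0 0 0 c-u2*R1 t2-u2*R0 t1 t0] = [p12 p11 p10 p9 0 0 0 0 0 0 p2 p1 p0] */
 /* [d 0 0 0 t9 0 0 0 0 0 c t2 t1 t0] = [p12 p11 p10 p9 0 0 0 0 0 0 p2 p1 p0] */
 
@@ -552,11 +552,11 @@ SECP256K1_INLINE static void secp256k1_fe_mul_inner(uint32_t *r, const uint32_t
 uint64_t u3 = d & M; d >>= 26; c += u3 * R0;
 VERIFY_BITS(u3, 26);
 VERIFY_BITS(d, 37);
-/* VERIFY_BITS(c, 64); */
+VERIFY_BITS(c, 63);
 /* [d u3 0 0 0 t9 0 0 0 0 0 c-u3*R0 t2 t1 t0] = [p13 p12 p11 p10 p9 0 0 0 0 0 p3 p2 p1 p0] */
 uint32_t t3 = c & M; c >>= 26; c += u3 * R1;
 VERIFY_BITS(t3, 26);
-VERIFY_BITS(c, 39);
+VERIFY_BITS(c, 38);
 /* [d u3 0 0 0 t9 0 0 0 0 c-u3*R1 t3-u3*R0 t2 t1 t0] = [p13 p12 p11 p10 p9 0 0 0 0 0 p3 p2 p1 p0] */
 /* [d 0 0 0 0 t9 0 0 0 0 c t3 t2 t1 t0] = [p13 p12 p11 p10 p9 0 0 0 0 0 p3 p2 p1 p0] */
 
@@ -577,11 +577,11 @@ SECP256K1_INLINE static void secp256k1_fe_mul_inner(uint32_t *r, const uint32_t
 uint64_t u4 = d & M; d >>= 26; c += u4 * R0;
 VERIFY_BITS(u4, 26);
 VERIFY_BITS(d, 36);
-/* VERIFY_BITS(c, 64); */
+VERIFY_BITS(c, 63);
 /* [d u4 0 0 0 0 t9 0 0 0 0 c-u4*R0 t3 t2 t1 t0] = [p14 p13 p12 p11 p10 p9 0 0 0 0 p4 p3 p2 p1 p0] */
 uint32_t t4 = c & M; c >>= 26; c += u4 * R1;
 VERIFY_BITS(t4, 26);
-VERIFY_BITS(c, 39);
+VERIFY_BITS(c, 38);
 /* [d u4 0 0 0 0 t9 0 0 0 c-u4*R1 t4-u4*R0 t3 t2 t1 t0] = [p14 p13 p12 p11 p10 p9 0 0 0 0 p4 p3 p2 p1 p0] */
 /* [d 0 0 0 0 0 t9 0 0 0 c t4 t3 t2 t1 t0] = [p14 p13 p12 p11 p10 p9 0 0 0 0 p4 p3 p2 p1 p0] */
 
@@ -602,11 +602,11 @@ SECP256K1_INLINE static void secp256k1_fe_mul_inner(uint32_t *r, const uint32_t
 uint64_t u5 = d & M; d >>= 26; c += u5 * R0;
 VERIFY_BITS(u5, 26);
 VERIFY_BITS(d, 36);
-/* VERIFY_BITS(c, 64); */
+VERIFY_BITS(c, 63);
 /* [d u5 0 0 0 0 0 t9 0 0 0 c-u5*R0 t4 t3 t2 t1 t0] = [p15 p14 p13 p12 p11 p10 p9 0 0 0 p5 p4 p3 p2 p1 p0] */
 uint32_t t5 = c & M; c >>= 26; c += u5 * R1;
 VERIFY_BITS(t5, 26);
-VERIFY_BITS(c, 39);
+VERIFY_BITS(c, 38);
 /* [d u5 0 0 0 0 0 t9 0 0 c-u5*R1 t5-u5*R0 t4 t3 t2 t1 t0] = [p15 p14 p13 p12 p11 p10 p9 0 0 0 p5 p4 p3 p2 p1 p0] */
 /* [d 0 0 0 0 0 0 t9 0 0 c t5 t4 t3 t2 t1 t0] = [p15 p14 p13 p12 p11 p10 p9 0 0 0 p5 p4 p3 p2 p1 p0] */
 
@@ -627,11 +627,11 @@ SECP256K1_INLINE static void secp256k1_fe_mul_inner(uint32_t *r, const uint32_t
 uint64_t u6 = d & M; d >>= 26; c += u6 * R0;
 VERIFY_BITS(u6, 26);
 VERIFY_BITS(d, 35);
-/* VERIFY_BITS(c, 64); */
+VERIFY_BITS(c, 63);
 /* [d u6 0 0 0 0 0 0 t9 0 0 c-u6*R0 t5 t4 t3 t2 t1 t0] = [p16 p15 p14 p13 p12 p11 p10 p9 0 0 p6 p5 p4 p3 p2 p1 p0] */
 uint32_t t6 = c & M; c >>= 26; c += u6 * R1;
 VERIFY_BITS(t6, 26);
-VERIFY_BITS(c, 39);
+VERIFY_BITS(c, 38);
 /* [d u6 0 0 0 0 0 0 t9 0 c-u6*R1 t6-u6*R0 t5 t4 t3 t2 t1 t0] = [p16 p15 p14 p13 p12 p11 p10 p9 0 0 p6 p5 p4 p3 p2 p1 p0] */
 /* [d 0 0 0 0 0 0 0 t9 0 c t6 t5 t4 t3 t2 t1 t0] = [p16 p15 p14 p13 p12 p11 p10 p9 0 0 p6 p5 p4 p3 p2 p1 p0] */
 
@@ -644,7 +644,7 @@ SECP256K1_INLINE static void secp256k1_fe_mul_inner(uint32_t *r, const uint32_t
 + (uint64_t)a[6] * b[1]
 + (uint64_t)a[7] * b[0];
 /* VERIFY_BITS(c, 64); */
-VERIFY_CHECK(c <= 0x8000007C00000007ULL);
+VERIFY_CHECK(c <= 0x8000003C00000007ULL);
 /* [d 0 0 0 0 0 0 0 t9 0 c t6 t5 t4 t3 t2 t1 t0] = [p16 p15 p14 p13 p12 p11 p10 p9 0 p7 p6 p5 p4 p3 p2 p1 p0] */
 d += (uint64_t)a[8] * b[9]
 + (uint64_t)a[9] * b[8];
@@ -654,7 +654,7 @@ SECP256K1_INLINE static void secp256k1_fe_mul_inner(uint32_t *r, const uint32_t
 VERIFY_BITS(u7, 26);
 VERIFY_BITS(d, 32);
 /* VERIFY_BITS(c, 64); */
-VERIFY_CHECK(c <= 0x800001703FFFC2F7ULL);
+VERIFY_CHECK(c <= 0x800001303FFFC2F7ULL);
 /* [d u7 0 0 0 0 0 0 0 t9 0 c-u7*R0 t6 t5 t4 t3 t2 t1 t0] = [p17 p16 p15 p14 p13 p12 p11 p10 p9 0 p7 p6 p5 p4 p3 p2 p1 p0] */
 uint32_t t7 = c & M; c >>= 26; c += u7 * R1;
 VERIFY_BITS(t7, 26);
@@ -672,16 +672,16 @@ SECP256K1_INLINE static void secp256k1_fe_mul_inner(uint32_t *r, const uint32_t
 + (uint64_t)a[7] * b[1]
 + (uint64_t)a[8] * b[0];
 /* VERIFY_BITS(c, 64); */
-VERIFY_CHECK(c <= 0x9000007B80000008ULL);
+VERIFY_CHECK(c <= 0x9000003B80000008ULL);
 /* [d 0 0 0 0 0 0 0 0 t9 c t7 t6 t5 t4 t3 t2 t1 t0] = [p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 d += (uint64_t)a[9] * b[9];
-VERIFY_BITS(d, 57);
+VERIFY_BITS(d, 53);
 /* [d 0 0 0 0 0 0 0 0 t9 c t7 t6 t5 t4 t3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 uint64_t u8 = d & M; d >>= 26; c += u8 * R0;
 VERIFY_BITS(u8, 26);
-VERIFY_BITS(d, 31);
+VERIFY_BITS(d, 27);
 /* VERIFY_BITS(c, 64); */
-VERIFY_CHECK(c <= 0x9000016FBFFFC2F8ULL);
+VERIFY_CHECK(c <= 0x9000012FBFFFC2F8ULL);
 /* [d u8 0 0 0 0 0 0 0 0 t9 c-u8*R0 t7 t6 t5 t4 t3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 
 r[3] = t3;
@@ -702,35 +702,35 @@ SECP256K1_INLINE static void secp256k1_fe_mul_inner(uint32_t *r, const uint32_t
 
 r[8] = c & M; c >>= 26; c += u8 * R1;
 VERIFY_BITS(r[8], 26);
-VERIFY_BITS(c, 39);
+VERIFY_BITS(c, 38);
 /* [d u8 0 0 0 0 0 0 0 0 t9+c-u8*R1 r8-u8*R0 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 /* [d 0 0 0 0 0 0 0 0 0 t9+c r8 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 c += d * R0 + t9;
-VERIFY_BITS(c, 45);
+VERIFY_BITS(c, 42);
 /* [d 0 0 0 0 0 0 0 0 0 c-d*R0 r8 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 r[9] = c & (M >> 4); c >>= 22; c += d * (R1 << 4);
 VERIFY_BITS(r[9], 22);
-VERIFY_BITS(c, 46);
+VERIFY_BITS(c, 42);
 /* [d 0 0 0 0 0 0 0 0 r9+((c-d*R1<<4)<<22)-d*R0 r8 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 /* [d 0 0 0 0 0 0 0 -d*R1 r9+(c<<22)-d*R0 r8 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 /* [r9+(c<<22) r8 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 
 d = c * (R0 >> 4) + t0;
-VERIFY_BITS(d, 56);
+VERIFY_BITS(d, 52);
 /* [r9+(c<<22) r8 r7 r6 r5 r4 r3 t2 t1 d-c*R0>>4] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 r[0] = d & M; d >>= 26;
 VERIFY_BITS(r[0], 26);
-VERIFY_BITS(d, 30);
+VERIFY_BITS(d, 26);
 /* [r9+(c<<22) r8 r7 r6 r5 r4 r3 t2 t1+d r0-c*R0>>4] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 d += c * (R1 >> 4) + t1;
-VERIFY_BITS(d, 53);
-VERIFY_CHECK(d <= 0x10000003FFFFBFULL);
+VERIFY_BITS(d, 49);
+VERIFY_CHECK(d <= 0x1000007D0FFBFULL);
 /* [r9+(c<<22) r8 r7 r6 r5 r4 r3 t2 d-c*R1>>4 r0-c*R0>>4] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 /* [r9 r8 r7 r6 r5 r4 r3 t2 d r0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 r[1] = d & M; d >>= 26;
 VERIFY_BITS(r[1], 26);
-VERIFY_BITS(d, 27);
-VERIFY_CHECK(d <= 0x4000000ULL);
+VERIFY_BITS(d, 23);
+VERIFY_CHECK(d <= 0x400001ULL);
 /* [r9 r8 r7 r6 r5 r4 r3 t2+d r1 r0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 d += t2;
 VERIFY_BITS(d, 27);
@@ -826,11 +826,11 @@ SECP256K1_INLINE static void secp256k1_fe_sqr_inner(uint32_t *r, const uint32_t
 uint64_t u2 = d & M; d >>= 26; c += u2 * R0;
 VERIFY_BITS(u2, 26);
 VERIFY_BITS(d, 37);
-VERIFY_BITS(c, 63);
+VERIFY_BITS(c, 62);
 /* [d u2 0 0 t9 0 0 0 0 0 0 c-u2*R0 t1 t0] = [p12 p11 p10 p9 0 0 0 0 0 0 p2 p1 p0] */
 uint32_t t2 = c & M; c >>= 26; c += u2 * R1;
 VERIFY_BITS(t2, 26);
-VERIFY_BITS(c, 38);
+VERIFY_BITS(c, 37);
 /* [d u2 0 0 t9 0 0 0 0 0 c-u2*R1 t2-u2*R0 t1 t0] = [p12 p11 p10 p9 0 0 0 0 0 0 p2 p1 p0] */
 /* [d 0 0 0 t9 0 0 0 0 0 c t2 t1 t0] = [p12 p11 p10 p9 0 0 0 0 0 0 p2 p1 p0] */
 
@@ -846,11 +846,11 @@ SECP256K1_INLINE static void secp256k1_fe_sqr_inner(uint32_t *r, const uint32_t
 uint64_t u3 = d & M; d >>= 26; c += u3 * R0;
 VERIFY_BITS(u3, 26);
 VERIFY_BITS(d, 37);
-/* VERIFY_BITS(c, 64); */
+VERIFY_BITS(c, 63);
 /* [d u3 0 0 0 t9 0 0 0 0 0 c-u3*R0 t2 t1 t0] = [p13 p12 p11 p10 p9 0 0 0 0 0 p3 p2 p1 p0] */
 uint32_t t3 = c & M; c >>= 26; c += u3 * R1;
 VERIFY_BITS(t3, 26);
-VERIFY_BITS(c, 39);
+VERIFY_BITS(c, 38);
 /* [d u3 0 0 0 t9 0 0 0 0 c-u3*R1 t3-u3*R0 t2 t1 t0] = [p13 p12 p11 p10 p9 0 0 0 0 0 p3 p2 p1 p0] */
 /* [d 0 0 0 0 t9 0 0 0 0 c t3 t2 t1 t0] = [p13 p12 p11 p10 p9 0 0 0 0 0 p3 p2 p1 p0] */
 
@@ -867,11 +867,11 @@ SECP256K1_INLINE static void secp256k1_fe_sqr_inner(uint32_t *r, const uint32_t
 uint64_t u4 = d & M; d >>= 26; c += u4 * R0;
 VERIFY_BITS(u4, 26);
 VERIFY_BITS(d, 36);
-/* VERIFY_BITS(c, 64); */
+VERIFY_BITS(c, 63);
 /* [d u4 0 0 0 0 t9 0 0 0 0 c-u4*R0 t3 t2 t1 t0] = [p14 p13 p12 p11 p10 p9 0 0 0 0 p4 p3 p2 p1 p0] */
 uint32_t t4 = c & M; c >>= 26; c += u4 * R1;
 VERIFY_BITS(t4, 26);
-VERIFY_BITS(c, 39);
+VERIFY_BITS(c, 38);
 /* [d u4 0 0 0 0 t9 0 0 0 c-u4*R1 t4-u4*R0 t3 t2 t1 t0] = [p14 p13 p12 p11 p10 p9 0 0 0 0 p4 p3 p2 p1 p0] */
 /* [d 0 0 0 0 0 t9 0 0 0 c t4 t3 t2 t1 t0] = [p14 p13 p12 p11 p10 p9 0 0 0 0 p4 p3 p2 p1 p0] */
 
@@ -887,11 +887,11 @@ SECP256K1_INLINE static void secp256k1_fe_sqr_inner(uint32_t *r, const uint32_t
 uint64_t u5 = d & M; d >>= 26; c += u5 * R0;
 VERIFY_BITS(u5, 26);
 VERIFY_BITS(d, 36);
-/* VERIFY_BITS(c, 64); */
+VERIFY_BITS(c, 63);
 /* [d u5 0 0 0 0 0 t9 0 0 0 c-u5*R0 t4 t3 t2 t1 t0] = [p15 p14 p13 p12 p11 p10 p9 0 0 0 p5 p4 p3 p2 p1 p0] */
 uint32_t t5 = c & M; c >>= 26; c += u5 * R1;
 VERIFY_BITS(t5, 26);
-VERIFY_BITS(c, 39);
+VERIFY_BITS(c, 38);
 /* [d u5 0 0 0 0 0 t9 0 0 c-u5*R1 t5-u5*R0 t4 t3 t2 t1 t0] = [p15 p14 p13 p12 p11 p10 p9 0 0 0 p5 p4 p3 p2 p1 p0] */
 /* [d 0 0 0 0 0 0 t9 0 0 c t5 t4 t3 t2 t1 t0] = [p15 p14 p13 p12 p11 p10 p9 0 0 0 p5 p4 p3 p2 p1 p0] */
 
@@ -908,11 +908,11 @@ SECP256K1_INLINE static void secp256k1_fe_sqr_inner(uint32_t *r, const uint32_t
 uint64_t u6 = d & M; d >>= 26; c += u6 * R0;
 VERIFY_BITS(u6, 26);
 VERIFY_BITS(d, 35);
-/* VERIFY_BITS(c, 64); */
+VERIFY_BITS(c, 63);
 /* [d u6 0 0 0 0 0 0 t9 0 0 c-u6*R0 t5 t4 t3 t2 t1 t0] = [p16 p15 p14 p13 p12 p11 p10 p9 0 0 p6 p5 p4 p3 p2 p1 p0] */
 uint32_t t6 = c & M; c >>= 26; c += u6 * R1;
 VERIFY_BITS(t6, 26);
-VERIFY_BITS(c, 39);
+VERIFY_BITS(c, 38);
 /* [d u6 0 0 0 0 0 0 t9 0 c-u6*R1 t6-u6*R0 t5 t4 t3 t2 t1 t0] = [p16 p15 p14 p13 p12 p11 p10 p9 0 0 p6 p5 p4 p3 p2 p1 p0] */
 /* [d 0 0 0 0 0 0 0 t9 0 c t6 t5 t4 t3 t2 t1 t0] = [p16 p15 p14 p13 p12 p11 p10 p9 0 0 p6 p5 p4 p3 p2 p1 p0] */
 
@@ -921,7 +921,7 @@ SECP256K1_INLINE static void secp256k1_fe_sqr_inner(uint32_t *r, const uint32_t
 + (uint64_t)(a[2]*2) * a[5]
 + (uint64_t)(a[3]*2) * a[4];
 /* VERIFY_BITS(c, 64); */
-VERIFY_CHECK(c <= 0x8000007C00000007ULL);
+VERIFY_CHECK(c <= 0x8000003C00000007ULL);
 /* [d 0 0 0 0 0 0 0 t9 0 c t6 t5 t4 t3 t2 t1 t0] = [p16 p15 p14 p13 p12 p11 p10 p9 0 p7 p6 p5 p4 p3 p2 p1 p0] */
 d += (uint64_t)(a[8]*2) * a[9];
 VERIFY_BITS(d, 58);
@@ -930,7 +930,7 @@ SECP256K1_INLINE static void secp256k1_fe_sqr_inner(uint32_t *r, const uint32_t
 VERIFY_BITS(u7, 26);
 VERIFY_BITS(d, 32);
 /* VERIFY_BITS(c, 64); */
-VERIFY_CHECK(c <= 0x800001703FFFC2F7ULL);
+VERIFY_CHECK(c <= 0x800001303FFFC2F7ULL);
 /* [d u7 0 0 0 0 0 0 0 t9 0 c-u7*R0 t6 t5 t4 t3 t2 t1 t0] = [p17 p16 p15 p14 p13 p12 p11 p10 p9 0 p7 p6 p5 p4 p3 p2 p1 p0] */
 uint32_t t7 = c & M; c >>= 26; c += u7 * R1;
 VERIFY_BITS(t7, 26);
@@ -944,16 +944,16 @@ SECP256K1_INLINE static void secp256k1_fe_sqr_inner(uint32_t *r, const uint32_t
 + (uint64_t)(a[3]*2) * a[5]
 + (uint64_t)a[4] * a[4];
 /* VERIFY_BITS(c, 64); */
-VERIFY_CHECK(c <= 0x9000007B80000008ULL);
+VERIFY_CHECK(c <= 0x9000003B80000008ULL);
 /* [d 0 0 0 0 0 0 0 0 t9 c t7 t6 t5 t4 t3 t2 t1 t0] = [p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 d += (uint64_t)a[9] * a[9];
-VERIFY_BITS(d, 57);
+VERIFY_BITS(d, 53);
 /* [d 0 0 0 0 0 0 0 0 t9 c t7 t6 t5 t4 t3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 uint64_t u8 = d & M; d >>= 26; c += u8 * R0;
 VERIFY_BITS(u8, 26);
-VERIFY_BITS(d, 31);
+VERIFY_BITS(d, 27);
 /* VERIFY_BITS(c, 64); */
-VERIFY_CHECK(c <= 0x9000016FBFFFC2F8ULL);
+VERIFY_CHECK(c <= 0x9000012FBFFFC2F8ULL);
 /* [d u8 0 0 0 0 0 0 0 0 t9 c-u8*R0 t7 t6 t5 t4 t3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 
 r[3] = t3;
@@ -974,35 +974,35 @@ SECP256K1_INLINE static void secp256k1_fe_sqr_inner(uint32_t *r, const uint32_t
 
 r[8] = c & M; c >>= 26; c += u8 * R1;
 VERIFY_BITS(r[8], 26);
-VERIFY_BITS(c, 39);
+VERIFY_BITS(c, 38);
 /* [d u8 0 0 0 0 0 0 0 0 t9+c-u8*R1 r8-u8*R0 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 /* [d 0 0 0 0 0 0 0 0 0 t9+c r8 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 c += d * R0 + t9;
-VERIFY_BITS(c, 45);
+VERIFY_BITS(c, 42);
 /* [d 0 0 0 0 0 0 0 0 0 c-d*R0 r8 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 r[9] = c & (M >> 4); c >>= 22; c += d * (R1 << 4);
 VERIFY_BITS(r[9], 22);
-VERIFY_BITS(c, 46);
+VERIFY_BITS(c, 42);
 /* [d 0 0 0 0 0 0 0 0 r9+((c-d*R1<<4)<<22)-d*R0 r8 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 /* [d 0 0 0 0 0 0 0 -d*R1 r9+(c<<22)-d*R0 r8 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 /* [r9+(c<<22) r8 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 
 d = c * (R0 >> 4) + t0;
-VERIFY_BITS(d, 56);
+VERIFY_BITS(d, 52);
 /* [r9+(c<<22) r8 r7 r6 r5 r4 r3 t2 t1 d-c*R0>>4] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 r[0] = d & M; d >>= 26;
 VERIFY_BITS(r[0], 26);
-VERIFY_BITS(d, 30);
+VERIFY_BITS(d, 26);
 /* [r9+(c<<22) r8 r7 r6 r5 r4 r3 t2 t1+d r0-c*R0>>4] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 d += c * (R1 >> 4) + t1;
-VERIFY_BITS(d, 53);
-VERIFY_CHECK(d <= 0x10000003FFFFBFULL);
+VERIFY_BITS(d, 49);
+VERIFY_CHECK(d <= 0x1000007D0FFBFULL);
 /* [r9+(c<<22) r8 r7 r6 r5 r4 r3 t2 d-c*R1>>4 r0-c*R0>>4] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 /* [r9 r8 r7 r6 r5 r4 r3 t2 d r0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 r[1] = d & M; d >>= 26;
 VERIFY_BITS(r[1], 26);
-VERIFY_BITS(d, 27);
-VERIFY_CHECK(d <= 0x4000000ULL);
+VERIFY_BITS(d, 23);
+VERIFY_CHECK(d <= 0x400001ULL);
 /* [r9 r8 r7 r6 r5 r4 r3 t2+d r1 r0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
 d += t2;
 VERIFY_BITS(d, 27);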
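Review bot: The tightened constants on the new side, such as `VERIFY_CHECK(c <= 0x8000003C00000007ULL);` at new line 647 and `VERIFY_CHECK(d <= 0x1000007D0FFBFULL);` at new line 727 of secp256k1_fe_mul_inner (and their twins in secp256k1_fe_sqr_inner), are given with no derivation and no statement of the input-limb bound they depend on, so a reviewer cannot check them against the VERIFY_BITS preconditions at the top of each function, which lie outside these hunks along with any change to the magnitude those preconditions encode. If VERIFY_CHECK and VERIFY_BITS compile to nothing outside VERIFY builds, as their names suggest, a bound that is tighter than the true maximum is never caught in production and only surfaces as an assertion failure in test builds on whatever inputs the tests happen to exercise, so the written derivation is the only real evidence that the new values are sound. I would add a comment at the first tightened check in each function, for example `/* Bounds below are derived from the limb preconditions checked at function entry; re-derive every VERIFY_CHECK constant in this function if that precondition changes. */`, and put the arithmetic behind each hex constant in the commit message. Both enclosing functions start and end outside the hunks shown.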
