Skip to content

Commit bd0d0fb

Browse files
djbdouglasbakkum
djb
authored and
douglasbakkum
committed
variable signing precompute table
1 parent 544435f commit bd0d0fb

File tree

3 files changed

+41
-34
lines changed

3 files changed

+41
-34
lines changed

src/ecmult_gen.h

Lines changed: 15 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -10,20 +10,27 @@
1010
#include "scalar.h"
1111
#include "group.h"
1212

13+
#ifndef ECMULT_GEN_PREC_BITS
14+
#define ECMULT_GEN_PREC_BITS 4/* 4 bits: 64kB table, fastest; 2 bits: 32kB table, ~75% speed */
15+
#endif
16+
#define ECMULT_GEN_PREC_B ECMULT_GEN_PREC_BITS
17+
#define ECMULT_GEN_PREC_G (1 << ECMULT_GEN_PREC_B)
18+
#define ECMULT_GEN_PREC_N (256 / ECMULT_GEN_PREC_B)
19+
1320
typedef struct {
1421
/* For accelerating the computation of a*G:
1522
* To harden against timing attacks, use the following mechanism:
16-
* * Break up the multiplicand into groups of 4 bits, called n_0, n_1, n_2, ..., n_63.
17-
* * Compute sum(n_i * 16^i * G + U_i, i=0..63), where:
18-
* * U_i = U * 2^i (for i=0..62)
19-
* * U_i = U * (1-2^63) (for i=63)
20-
* where U is a point with no known corresponding scalar. Note that sum(U_i, i=0..63) = 0.
21-
* For each i, and each of the 16 possible values of n_i, (n_i * 16^i * G + U_i) is
22-
* precomputed (call it prec(i, n_i)). The formula now becomes sum(prec(i, n_i), i=0..63).
23+
* * Break up the multiplicand into groups of PREC_B bits, called n_0, n_1, n_2, ..., n_(PREC_N-1).
24+
* * Compute sum(n_i * (PREC_G)^i * G + U_i, i=0 ... PREC_N-1), where:
25+
* * U_i = U * 2^i, for i=0 ... PREC_N-2
26+
* * U_i = U * (1-2^(PREC_N-1)), for i=PREC_N-1
27+
* where U is a point with no known corresponding scalar. Note that sum(U_i, i=0 ... PREC_N-1) = 0.
28+
* For each i, and each of the PREC_G possible values of n_i, (n_i * (PREC_G)^i * G + U_i) is
29+
* precomputed (call it prec(i, n_i)). The formula now becomes sum(prec(i, n_i), i=0 ... PREC_N-1).
2330
* None of the resulting prec group elements have a known scalar, and neither do any of
2431
* the intermediate sums while computing a*G.
2532
*/
26-
secp256k1_ge_storage (*prec)[64][16]; /* prec[j][i] = 16^j * i * G + U_i */
33+
secp256k1_ge_storage (*prec)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G]; /* prec[j][i] = (PREC_G)^j * i * G + U_i */
2734
secp256k1_scalar blind;
2835
secp256k1_gej initial;
2936
} secp256k1_ecmult_gen_context;

src/ecmult_gen_impl.h

Lines changed: 21 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ static void secp256k1_ecmult_gen_context_init(secp256k1_ecmult_gen_context *ctx)
2828

2929
static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx, void **prealloc) {
3030
#ifndef USE_ECMULT_STATIC_PRECOMPUTATION
31-
secp256k1_ge prec[1024];
31+
secp256k1_ge prec[ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G];
3232
secp256k1_gej gj;
3333
secp256k1_gej nums_gej;
3434
int i, j;
@@ -40,7 +40,7 @@ static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx
4040
return;
4141
}
4242
#ifndef USE_ECMULT_STATIC_PRECOMPUTATION
43-
ctx->prec = (secp256k1_ge_storage (*)[64][16])manual_alloc(prealloc, prealloc_size, base, prealloc_size);
43+
ctx->prec = (secp256k1_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])manual_alloc(prealloc, prealloc_size, base, prealloc_size);
4444

4545
/* get the generator */
4646
secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
@@ -64,39 +64,39 @@ static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx
6464

6565
/* compute prec. */
6666
{
67-
secp256k1_gej precj[1024]; /* Jacobian versions of prec. */
67+
secp256k1_gej precj[ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G]; /* Jacobian versions of prec. */
6868
secp256k1_gej gbase;
6969
secp256k1_gej numsbase;
70-
gbase = gj; /* 16^j * G */
70+
gbase = gj; /* PREC_G^j * G */
7171
numsbase = nums_gej; /* 2^j * nums. */
72-
for (j = 0; j < 64; j++) {
73-
/* Set precj[j*16 .. j*16+15] to (numsbase, numsbase + gbase, ..., numsbase + 15*gbase). */
74-
precj[j*16] = numsbase;
75-
for (i = 1; i < 16; i++) {
76-
secp256k1_gej_add_var(&precj[j*16 + i], &precj[j*16 + i - 1], &gbase, NULL);
72+
for (j = 0; j < ECMULT_GEN_PREC_N; j++) {
73+
/* Set precj[j*PREC_G .. j*PREC_G+(PREC_G-1)] to (numsbase, numsbase + gbase, ..., numsbase + (PREC_G-1)*gbase). */
74+
precj[j*ECMULT_GEN_PREC_G] = numsbase;
75+
for (i = 1; i < ECMULT_GEN_PREC_G; i++) {
76+
secp256k1_gej_add_var(&precj[j*ECMULT_GEN_PREC_G + i], &precj[j*ECMULT_GEN_PREC_G + i - 1], &gbase, NULL);
7777
}
78-
/* Multiply gbase by 16. */
79-
for (i = 0; i < 4; i++) {
78+
/* Multiply gbase by PREC_G. */
79+
for (i = 0; i < ECMULT_GEN_PREC_B; i++) {
8080
secp256k1_gej_double_var(&gbase, &gbase, NULL);
8181
}
8282
/* Multiply numbase by 2. */
8383
secp256k1_gej_double_var(&numsbase, &numsbase, NULL);
84-
if (j == 62) {
84+
if (j == ECMULT_GEN_PREC_N - 2) {
8585
/* In the last iteration, numsbase is (1 - 2^j) * nums instead. */
8686
secp256k1_gej_neg(&numsbase, &numsbase);
8787
secp256k1_gej_add_var(&numsbase, &numsbase, &nums_gej, NULL);
8888
}
8989
}
90-
secp256k1_ge_set_all_gej_var(prec, precj, 1024);
90+
secp256k1_ge_set_all_gej_var(prec, precj, ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G);
9191
}
92-
for (j = 0; j < 64; j++) {
93-
for (i = 0; i < 16; i++) {
94-
secp256k1_ge_to_storage(&(*ctx->prec)[j][i], &prec[j*16 + i]);
92+
for (j = 0; j < ECMULT_GEN_PREC_N; j++) {
93+
for (i = 0; i < ECMULT_GEN_PREC_G; i++) {
94+
secp256k1_ge_to_storage(&(*ctx->prec)[j][i], &prec[j*ECMULT_GEN_PREC_G + i]);
9595
}
9696
}
9797
#else
9898
(void)prealloc;
99-
ctx->prec = (secp256k1_ge_storage (*)[64][16])secp256k1_ecmult_static_context;
99+
ctx->prec = (secp256k1_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])secp256k1_ecmult_static_context;
100100
#endif
101101
secp256k1_ecmult_gen_blind(ctx, NULL);
102102
}
@@ -109,7 +109,7 @@ static void secp256k1_ecmult_gen_context_finalize_memcpy(secp256k1_ecmult_gen_co
109109
#ifndef USE_ECMULT_STATIC_PRECOMPUTATION
110110
if (src->prec != NULL) {
111111
/* We cast to void* first to suppress a -Wcast-align warning. */
112-
dst->prec = (secp256k1_ge_storage (*)[64][16])(void*)((unsigned char*)dst + ((unsigned char*)src->prec - (unsigned char*)src));
112+
dst->prec = (secp256k1_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])(void*)((unsigned char*)dst + ((unsigned char*)src->prec - (unsigned char*)src));
113113
}
114114
#else
115115
(void)dst, (void)src;
@@ -133,9 +133,9 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
133133
/* Blind scalar/point multiplication by computing (n-b)G + bG instead of nG. */
134134
secp256k1_scalar_add(&gnb, gn, &ctx->blind);
135135
add.infinity = 0;
136-
for (j = 0; j < 64; j++) {
137-
bits = secp256k1_scalar_get_bits(&gnb, j * 4, 4);
138-
for (i = 0; i < 16; i++) {
136+
for (j = 0; j < ECMULT_GEN_PREC_N; j++) {
137+
bits = secp256k1_scalar_get_bits(&gnb, j * ECMULT_GEN_PREC_B, ECMULT_GEN_PREC_B);
138+
for (i = 0; i < ECMULT_GEN_PREC_G; i++) {
139139
/** This uses a conditional move to avoid any secret data in array indexes.
140140
* _Any_ use of secret indexes has been demonstrated to result in timing
141141
* sidechannels, even when the cache-line access patterns are uniform.

src/gen_context.c

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -45,23 +45,23 @@ int main(int argc, char **argv) {
4545
fprintf(fp, "#define _SECP256K1_ECMULT_STATIC_CONTEXT_\n");
4646
fprintf(fp, "#include \"src/group.h\"\n");
4747
fprintf(fp, "#define SC SECP256K1_GE_STORAGE_CONST\n");
48-
fprintf(fp, "static const secp256k1_ge_storage secp256k1_ecmult_static_context[64][16] = {\n");
48+
fprintf(fp, "static const secp256k1_ge_storage secp256k1_ecmult_static_context[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G] = {\n");
4949

5050
base = checked_malloc(&default_error_callback, SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE);
5151
prealloc = base;
5252
secp256k1_ecmult_gen_context_init(&ctx);
5353
secp256k1_ecmult_gen_context_build(&ctx, &prealloc);
54-
for(outer = 0; outer != 64; outer++) {
54+
for(outer = 0; outer != ECMULT_GEN_PREC_N; outer++) {
5555
fprintf(fp,"{\n");
56-
for(inner = 0; inner != 16; inner++) {
56+
for(inner = 0; inner != ECMULT_GEN_PREC_G; inner++) {
5757
fprintf(fp," SC(%uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu)", SECP256K1_GE_STORAGE_CONST_GET((*ctx.prec)[outer][inner]));
58-
if (inner != 15) {
58+
if (inner != ECMULT_GEN_PREC_G - 1) {
5959
fprintf(fp,",\n");
6060
} else {
6161
fprintf(fp,"\n");
6262
}
6363
}
64-
if (outer != 63) {
64+
if (outer != ECMULT_GEN_PREC_N - 1) {
6565
fprintf(fp,"},\n");
6666
} else {
6767
fprintf(fp,"}\n");

0 commit comments

Comments
 (0)