
Commit 2446b1e

Replace secp256k1_scalar_complement with secp256k1_scalar_sub.
1 parent 0a4741a commit 2446b1e


3 files changed

+34
-71
lines changed


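--- a/src/scalar_4x64_impl.h
+++ b/src/scalar_4x64_impl.h
@@ -114,6 +114,18 @@ static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int
 #endif
 }
 
+static void secp256k1_scalar_sub(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b) {
+uint128_t t = (uint128_t)a->d[0] - b->d[0];
+r->d[0] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64; t |= t << 64;
+t += (uint128_t)a->d[1] - b->d[1];
+r->d[1] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64; t |= t << 64;
+t += (uint128_t)a->d[2] - b->d[2];
+r->d[2] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64; t |= t << 64;
+t += (uint128_t)a->d[3] - b->d[3];
+r->d[3] = t & 0xFFFFFFFFFFFFFFFFULL;
+VERIFY_CHECK((t >> 64) == 0);
+}
+
 static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *b32, int *overflow) {
 int over;
 r->d[0] = (uint64_t)b32[31] | (uint64_t)b32[30] << 8 | (uint64_t)b32[29] << 16 | (uint64_t)b32[28] << 24 | (uint64_t)b32[27] << 32 | (uint64_t)b32[26] << 40 | (uint64_t)b32[25] << 48 | (uint64_t)b32[24] << 56;
@@ -181,31 +193,6 @@ static int secp256k1_scalar_cond_negate(secp256k1_scalar *r, int flag) {
 return 2 * (mask == 0) - 1;
 }
 
-static int secp256k1_scalar_complement(secp256k1_scalar *r, const secp256k1_scalar *a) {
-uint128_t t = 1;
-t += ~a->d[0];
-r->d[0] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64;
-t += ~a->d[1];
-r->d[1] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64;
-t += ~a->d[2];
-r->d[2] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64;
-t += ~a->d[3];
-r->d[3] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64;
-return t;
-}
-
-static int secp256k1_scalar_binadd(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b) {
-uint128_t t = (uint128_t)a->d[0] + b->d[0];
-r->d[0] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64;
-t += (uint128_t)a->d[1] + b->d[1];
-r->d[1] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64;
-t += (uint128_t)a->d[2] + b->d[2];
-r->d[2] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64;
-t += (uint128_t)a->d[3] + b->d[3];
-r->d[3] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64;
-return t;
-}
-
 /* Inspired by the macros in OpenSSL's crypto/bn/asm/x86_64-gcc.c. */
 
 /** Add a*b to the number defined by (c0,c1,c2). c2 must never overflow. */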
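Review bot: The added `secp256k1_scalar_sub` has no comment saying that it is a plain 256-bit integer subtraction that requires a >= b, and the only enforcement is the trailing `VERIFY_CHECK((t >> 64) == 0)`, which is presumably compiled out of non-verification builds. The name can be read as subtraction modulo the group order, so a later caller passing b > a would get a value wrapped modulo 2^256 with no error reported. I would add above the definition `/** Set r = a - b as 256-bit integers, without reduction modulo the group order. Requires a >= b. r may alias a or b. */`. The 8x32 version in src/scalar_8x32_impl.h lacks the same comment.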

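--- a/src/scalar_8x32_impl.h
+++ b/src/scalar_8x32_impl.h
@@ -162,6 +162,26 @@ static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int
 #endif
 }
 
+static void secp256k1_scalar_sub(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b) {
+uint64_t t = (uint64_t)a->d[0] - b->d[0];
+r->d[0] = t & 0xFFFFFFFFULL; t >>= 32; t |= t << 32;
+t += (uint64_t)a->d[1] - b->d[1];
+r->d[1] = t & 0xFFFFFFFFULL; t >>= 32; t |= t << 32;
+t += (uint64_t)a->d[2] - b->d[2];
+r->d[2] = t & 0xFFFFFFFFULL; t >>= 32; t |= t << 32;
+t += (uint64_t)a->d[3] - b->d[3];
+r->d[3] = t & 0xFFFFFFFFULL; t >>= 32; t |= t << 32;
+t += (uint64_t)a->d[4] - b->d[4];
+r->d[4] = t & 0xFFFFFFFFULL; t >>= 32; t |= t << 32;
+t += (uint64_t)a->d[5] - b->d[5];
+r->d[5] = t & 0xFFFFFFFFULL; t >>= 32; t |= t << 32;
+t += (uint64_t)a->d[6] - b->d[6];
+r->d[6] = t & 0xFFFFFFFFULL; t >>= 32; t |= t << 32;
+t += (uint64_t)a->d[7] - b->d[7];
+r->d[7] = t & 0xFFFFFFFFULL;
+VERIFY_CHECK((t >> 32) == 0);
+}
+
 static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *b32, int *overflow) {
 int over;
 r->d[0] = (uint32_t)b32[31] | (uint32_t)b32[30] << 8 | (uint32_t)b32[29] << 16 | (uint32_t)b32[28] << 24;
@@ -259,47 +279,6 @@ static int secp256k1_scalar_cond_negate(secp256k1_scalar *r, int flag) {
 return 2 * (mask == 0) - 1;
 }
 
-static int secp256k1_scalar_complement(secp256k1_scalar *r, const secp256k1_scalar *a) {
-uint64_t t = 1;
-t += ~a->d[0];
-r->d[0] = t & 0xFFFFFFFFULL; t >>= 32;
-t += ~a->d[1];
-r->d[1] = t & 0xFFFFFFFFULL; t >>= 32;
-t += ~a->d[2];
-r->d[2] = t & 0xFFFFFFFFULL; t >>= 32;
-t += ~a->d[3];
-r->d[3] = t & 0xFFFFFFFFULL; t >>= 32;
-t += ~a->d[4];
-r->d[4] = t & 0xFFFFFFFFULL; t >>= 32;
-t += ~a->d[5];
-r->d[5] = t & 0xFFFFFFFFULL; t >>= 32;
-t += ~a->d[6];
-r->d[6] = t & 0xFFFFFFFFULL; t >>= 32;
-t += ~a->d[7];
-r->d[7] = t & 0xFFFFFFFFULL; t >>= 32;
-return t;
-}
-
-static int secp256k1_scalar_binadd(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b) {
-uint64_t t = (uint64_t)a->d[0] + b->d[0];
-r->d[0] = t & 0xFFFFFFFFULL; t >>= 32;
-t += (uint64_t)a->d[1] + b->d[1];
-r->d[1] = t & 0xFFFFFFFFULL; t >>= 32;
-t += (uint64_t)a->d[2] + b->d[2];
-r->d[2] = t & 0xFFFFFFFFULL; t >>= 32;
-t += (uint64_t)a->d[3] + b->d[3];
-r->d[3] = t & 0xFFFFFFFFULL; t >>= 32;
-t += (uint64_t)a->d[4] + b->d[4];
-r->d[4] = t & 0xFFFFFFFFULL; t >>= 32;
-t += (uint64_t)a->d[5] + b->d[5];
-r->d[5] = t & 0xFFFFFFFFULL; t >>= 32;
-t += (uint64_t)a->d[6] + b->d[6];
-r->d[6] = t & 0xFFFFFFFFULL; t >>= 32;
-t += (uint64_t)a->d[7] + b->d[7];
-r->d[7] = t & 0xFFFFFFFFULL; t >>= 32;
-return t;
-}
-
 /* Inspired by the macros in OpenSSL's crypto/bn/asm/x86_64-gcc.c. */
 
 /** Add a*b to the number defined by (c0,c1,c2). c2 must never overflow. */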
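Review bot: The borrow propagation `t >>= 32; t |= t << 32;` in the added `secp256k1_scalar_sub` is not self-explanatory and has no comment. It works because after each limb the upper half of t is either all zeros or all ones, so the shift leaves 0 or 0xFFFFFFFF and the OR turns that into 0 or -1 for the next limb. A one-line comment on the first occurrence would do: `/* upper half is 0 or all ones; sign-extend it so the borrow enters the next limb as 0 or -1 */`. The 4x64 version in src/scalar_4x64_impl.h uses the same construct with a 64-bit shift.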

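--- a/src/scalar_impl.h
+++ b/src/scalar_impl.h
@@ -307,7 +307,7 @@ SECP256K1_INLINE static int secp256k1_scalar_shr_zeros(secp256k1_scalar *r) {
 }
 
 static int secp256k1_scalar_eea_inverse(secp256k1_scalar *r, const secp256k1_scalar *n) {
-secp256k1_scalar u, v, i, j, acomp, negx;
+secp256k1_scalar u, v, i, j, negx;
 secp256k1_scalar *a, *b, *x0, *x1, *tmp;
 int ka, kb;
 
@@ -352,17 +352,14 @@ static int secp256k1_scalar_eea_inverse(secp256k1_scalar *r, const secp256k1_sca
 goto done;
 }
 
-/* For a and b, we use 2 comlement math and ensure no overflow happens. */
-secp256k1_scalar_complement(&acomp, a);
 goto bzero;
 
 while (!secp256k1_scalar_is_one(a)) {
-secp256k1_scalar_complement(&acomp, a);
 secp256k1_scalar_negate(&negx, x0);
 
 VERIFY_CHECK(secp256k1_scalar_cmp_var(b, a) > 0);
 do {
-secp256k1_scalar_binadd(b, b, &acomp);
+secp256k1_scalar_sub(b, b, a);
 
 bzero:
 /* We ensure that a and b are odd, so b must be even after subtracting a. */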
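Review bot: The call `secp256k1_scalar_sub(b, b, a)` in the second hunk depends on b >= a on every pass through the `do` loop, but the deleted comment about overflow is not replaced, and the only visible guard, `VERIFY_CHECK(secp256k1_scalar_cmp_var(b, a) > 0)`, sits before the `do` and so covers the first pass only. The loop condition lies outside the hunk, so I cannot confirm that it re-establishes b > a before each repeat; if it does, say so at the call site, e.g. `/* b > a holds here, so the integer subtraction cannot borrow. */`. Since the check inside `secp256k1_scalar_sub` is also a VERIFY_CHECK, a broken invariant would presumably pass unnoticed in a normal build and yield a wrong inverse.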
