7 #ifndef SECP256K1_FIELD_REPR_IMPL_H 8 #define SECP256K1_FIELD_REPR_IMPL_H 15 #if defined(USE_ASM_X86_64) 39 int m =
a->normalized ? 1 : 2 *
a->magnitude, r = 1;
41 r &= (d[0] <= 0xFFFFFFFFFFFFFULL * m);
42 r &= (d[1] <= 0xFFFFFFFFFFFFFULL * m);
43 r &= (d[2] <= 0xFFFFFFFFFFFFFULL * m);
44 r &= (d[3] <= 0xFFFFFFFFFFFFFULL * m);
45 r &= (d[4] <= 0x0FFFFFFFFFFFFULL * m);
46 r &= (
a->magnitude >= 0);
47 r &= (
a->magnitude <= 2048);
49 r &= (
a->magnitude <= 1);
50 if (r && (d[4] == 0x0FFFFFFFFFFFFULL) && ((d[3] & d[2] & d[1]) == 0xFFFFFFFFFFFFFULL)) {
51 r &= (d[0] < 0xFFFFEFFFFFC2FULL);
58 static void secp256k1_fe_get_bounds(
secp256k1_fe *r,
int m) {
61 r->
n[0] = 0xFFFFFFFFFFFFFULL * 2 * m;
62 r->
n[1] = 0xFFFFFFFFFFFFFULL * 2 * m;
63 r->
n[2] = 0xFFFFFFFFFFFFFULL * 2 * m;
64 r->
n[3] = 0xFFFFFFFFFFFFFULL * 2 * m;
65 r->
n[4] = 0x0FFFFFFFFFFFFULL * 2 * m;
68 r->normalized = (m == 0);
69 secp256k1_fe_verify(r);
78 uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
81 t0 += x * 0x1000003D1ULL;
82 t1 += (
t0 >> 52);
t0 &= 0xFFFFFFFFFFFFFULL;
83 t2 += (
t1 >> 52);
t1 &= 0xFFFFFFFFFFFFFULL; m =
t1;
84 t3 += (
t2 >> 52);
t2 &= 0xFFFFFFFFFFFFFULL; m &=
t2;
85 t4 += (
t3 >> 52);
t3 &= 0xFFFFFFFFFFFFFULL; m &=
t3;
91 x = (t4 >> 48) | ((t4 == 0x0FFFFFFFFFFFFULL) & (m == 0xFFFFFFFFFFFFFULL)
92 & (
t0 >= 0xFFFFEFFFFFC2FULL));
95 t0 += x * 0x1000003D1ULL;
96 t1 += (
t0 >> 52);
t0 &= 0xFFFFFFFFFFFFFULL;
97 t2 += (
t1 >> 52);
t1 &= 0xFFFFFFFFFFFFFULL;
98 t3 += (
t2 >> 52);
t2 &= 0xFFFFFFFFFFFFFULL;
99 t4 += (
t3 >> 52);
t3 &= 0xFFFFFFFFFFFFFULL;
105 t4 &= 0x0FFFFFFFFFFFFULL;
107 r->
n[0] =
t0; r->
n[1] =
t1; r->
n[2] =
t2; r->
n[3] =
t3; r->
n[4] = t4;
112 secp256k1_fe_verify(r);
116 static void secp256k1_fe_normalize_weak(
secp256k1_fe *r) {
120 uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
123 t0 += x * 0x1000003D1ULL;
124 t1 += (
t0 >> 52);
t0 &= 0xFFFFFFFFFFFFFULL;
125 t2 += (
t1 >> 52);
t1 &= 0xFFFFFFFFFFFFFULL;
126 t3 += (
t2 >> 52);
t2 &= 0xFFFFFFFFFFFFFULL;
127 t4 += (
t3 >> 52);
t3 &= 0xFFFFFFFFFFFFFULL;
132 r->
n[0] =
t0; r->
n[1] =
t1; r->
n[2] =
t2; r->
n[3] =
t3; r->
n[4] = t4;
136 secp256k1_fe_verify(r);
140 static void secp256k1_fe_normalize_var(
secp256k1_fe *r) {
145 uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
148 t0 += x * 0x1000003D1ULL;
149 t1 += (
t0 >> 52);
t0 &= 0xFFFFFFFFFFFFFULL;
150 t2 += (
t1 >> 52);
t1 &= 0xFFFFFFFFFFFFFULL; m =
t1;
151 t3 += (
t2 >> 52);
t2 &= 0xFFFFFFFFFFFFFULL; m &=
t2;
152 t4 += (
t3 >> 52);
t3 &= 0xFFFFFFFFFFFFFULL; m &=
t3;
158 x = (t4 >> 48) | ((t4 == 0x0FFFFFFFFFFFFULL) & (m == 0xFFFFFFFFFFFFFULL)
159 & (
t0 >= 0xFFFFEFFFFFC2FULL));
162 t0 += 0x1000003D1ULL;
163 t1 += (
t0 >> 52);
t0 &= 0xFFFFFFFFFFFFFULL;
164 t2 += (
t1 >> 52);
t1 &= 0xFFFFFFFFFFFFFULL;
165 t3 += (
t2 >> 52);
t2 &= 0xFFFFFFFFFFFFFULL;
166 t4 += (
t3 >> 52);
t3 &= 0xFFFFFFFFFFFFFULL;
172 t4 &= 0x0FFFFFFFFFFFFULL;
175 r->
n[0] =
t0; r->
n[1] =
t1; r->
n[2] =
t2; r->
n[3] =
t3; r->
n[4] = t4;
180 secp256k1_fe_verify(r);
184 static int secp256k1_fe_normalizes_to_zero(
const secp256k1_fe *r) {
191 uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
194 t0 += x * 0x1000003D1ULL;
195 t1 += (
t0 >> 52);
t0 &= 0xFFFFFFFFFFFFFULL; z0 =
t0; z1 =
t0 ^ 0x1000003D0ULL;
196 t2 += (
t1 >> 52);
t1 &= 0xFFFFFFFFFFFFFULL; z0 |=
t1; z1 &=
t1;
197 t3 += (
t2 >> 52);
t2 &= 0xFFFFFFFFFFFFFULL; z0 |=
t2; z1 &=
t2;
198 t4 += (
t3 >> 52);
t3 &= 0xFFFFFFFFFFFFFULL; z0 |=
t3; z1 &=
t3;
199 z0 |= t4; z1 &= t4 ^ 0xF000000000000ULL;
204 return (z0 == 0) | (z1 == 0xFFFFFFFFFFFFFULL);
207 static int secp256k1_fe_normalizes_to_zero_var(
const secp256k1_fe *r) {
219 t0 += x * 0x1000003D1ULL;
222 z0 =
t0 & 0xFFFFFFFFFFFFFULL;
223 z1 = z0 ^ 0x1000003D0ULL;
226 if ((z0 != 0ULL) & (z1 != 0xFFFFFFFFFFFFFULL)) {
234 t4 &= 0x0FFFFFFFFFFFFULL;
237 t2 += (
t1 >> 52);
t1 &= 0xFFFFFFFFFFFFFULL; z0 |=
t1; z1 &=
t1;
238 t3 += (
t2 >> 52);
t2 &= 0xFFFFFFFFFFFFFULL; z0 |=
t2; z1 &=
t2;
239 t4 += (
t3 >> 52);
t3 &= 0xFFFFFFFFFFFFFULL; z0 |=
t3; z1 &=
t3;
240 z0 |= t4; z1 &= t4 ^ 0xF000000000000ULL;
245 return (z0 == 0) | (z1 == 0xFFFFFFFFFFFFFULL);
251 r->
n[1] = r->
n[2] = r->
n[3] = r->
n[4] = 0;
253 r->magnitude = (
a != 0);
255 secp256k1_fe_verify(r);
263 secp256k1_fe_verify(
a);
265 return (t[0] | t[1] | t[2] | t[3] | t[4]) == 0;
271 secp256k1_fe_verify(
a);
282 for (i=0; i<5; i++) {
292 secp256k1_fe_verify(
a);
293 secp256k1_fe_verify(b);
295 for (i = 4; i >= 0; i--) {
296 if (
a->n[i] > b->
n[i]) {
299 if (
a->n[i] < b->
n[i]) {
306 static int secp256k1_fe_set_b32(
secp256k1_fe *r,
const unsigned char *
a) {
342 ret = !((r->
n[4] == 0x0FFFFFFFFFFFFULL) & ((r->
n[3] & r->
n[2] & r->
n[1]) == 0xFFFFFFFFFFFFFULL) & (r->
n[0] >= 0xFFFFEFFFFFC2FULL));
347 secp256k1_fe_verify(r);
356 static void secp256k1_fe_get_b32(
unsigned char *r,
const secp256k1_fe *
a) {
359 secp256k1_fe_verify(
a);
361 r[0] = (
a->n[4] >> 40) & 0xFF;
362 r[1] = (
a->n[4] >> 32) & 0xFF;
363 r[2] = (
a->n[4] >> 24) & 0xFF;
364 r[3] = (
a->n[4] >> 16) & 0xFF;
365 r[4] = (
a->n[4] >> 8) & 0xFF;
366 r[5] =
a->n[4] & 0xFF;
367 r[6] = (
a->n[3] >> 44) & 0xFF;
368 r[7] = (
a->n[3] >> 36) & 0xFF;
369 r[8] = (
a->n[3] >> 28) & 0xFF;
370 r[9] = (
a->n[3] >> 20) & 0xFF;
371 r[10] = (
a->n[3] >> 12) & 0xFF;
372 r[11] = (
a->n[3] >> 4) & 0xFF;
373 r[12] = ((
a->n[2] >> 48) & 0xF) | ((
a->n[3] & 0xF) << 4);
374 r[13] = (
a->n[2] >> 40) & 0xFF;
375 r[14] = (
a->n[2] >> 32) & 0xFF;
376 r[15] = (
a->n[2] >> 24) & 0xFF;
377 r[16] = (
a->n[2] >> 16) & 0xFF;
378 r[17] = (
a->n[2] >> 8) & 0xFF;
379 r[18] =
a->n[2] & 0xFF;
380 r[19] = (
a->n[1] >> 44) & 0xFF;
381 r[20] = (
a->n[1] >> 36) & 0xFF;
382 r[21] = (
a->n[1] >> 28) & 0xFF;
383 r[22] = (
a->n[1] >> 20) & 0xFF;
384 r[23] = (
a->n[1] >> 12) & 0xFF;
385 r[24] = (
a->n[1] >> 4) & 0xFF;
386 r[25] = ((
a->n[0] >> 48) & 0xF) | ((
a->n[1] & 0xF) << 4);
387 r[26] = (
a->n[0] >> 40) & 0xFF;
388 r[27] = (
a->n[0] >> 32) & 0xFF;
389 r[28] = (
a->n[0] >> 24) & 0xFF;
390 r[29] = (
a->n[0] >> 16) & 0xFF;
391 r[30] = (
a->n[0] >> 8) & 0xFF;
392 r[31] =
a->n[0] & 0xFF;
398 secp256k1_fe_verify(
a);
399 VERIFY_CHECK(0xFFFFEFFFFFC2FULL * 2 * (m + 1) >= 0xFFFFFFFFFFFFFULL * 2 * m);
400 VERIFY_CHECK(0xFFFFFFFFFFFFFULL * 2 * (m + 1) >= 0xFFFFFFFFFFFFFULL * 2 * m);
401 VERIFY_CHECK(0x0FFFFFFFFFFFFULL * 2 * (m + 1) >= 0x0FFFFFFFFFFFFULL * 2 * m);
403 r->
n[0] = 0xFFFFEFFFFFC2FULL * 2 * (m + 1) -
a->n[0];
404 r->
n[1] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) -
a->n[1];
405 r->
n[2] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) -
a->n[2];
406 r->
n[3] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) -
a->n[3];
407 r->
n[4] = 0x0FFFFFFFFFFFFULL * 2 * (m + 1) -
a->n[4];
409 r->magnitude = m + 1;
411 secp256k1_fe_verify(r);
424 secp256k1_fe_verify(r);
430 secp256k1_fe_verify(
a);
438 r->magnitude +=
a->magnitude;
440 secp256k1_fe_verify(r);
448 secp256k1_fe_verify(
a);
449 secp256k1_fe_verify(b);
453 secp256k1_fe_mul_inner(r->
n,
a->n, b->n);
457 secp256k1_fe_verify(r);
464 secp256k1_fe_verify(
a);
466 secp256k1_fe_sqr_inner(r->
n,
a->n);
470 secp256k1_fe_verify(r);
479 r->
n[0] = (r->
n[0] & mask0) | (
a->n[0] & mask1);
480 r->
n[1] = (r->
n[1] & mask0) | (
a->n[1] & mask1);
481 r->
n[2] = (r->
n[2] & mask0) | (
a->n[2] & mask1);
482 r->
n[3] = (r->
n[3] & mask0) | (
a->n[3] & mask1);
483 r->
n[4] = (r->
n[4] & mask0) | (
a->n[4] & mask1);
486 r->magnitude =
a->magnitude;
487 r->normalized =
a->normalized;
498 secp256k1_fe_verify(r);
512 t0 += 0xFFFFEFFFFFC2FULL & mask;
527 r->
n[0] = (
t0 >> 1) + ((
t1 & one) << 51);
528 r->
n[1] = (
t1 >> 1) + ((
t2 & one) << 51);
529 r->
n[2] = (
t2 >> 1) + ((
t3 & one) << 51);
530 r->
n[3] = (
t3 >> 1) + ((t4 & one) << 51);
551 r->magnitude = (r->magnitude >> 1) + 1;
553 secp256k1_fe_verify(r);
562 r->
n[0] = (r->
n[0] & mask0) | (
a->n[0] & mask1);
563 r->
n[1] = (r->
n[1] & mask0) | (
a->n[1] & mask1);
564 r->
n[2] = (r->
n[2] & mask0) | (
a->n[2] & mask1);
565 r->
n[3] = (r->
n[3] & mask0) | (
a->n[3] & mask1);
572 r->
n[0] =
a->n[0] |
a->n[1] << 52;
573 r->
n[1] =
a->n[1] >> 12 |
a->n[2] << 40;
574 r->
n[2] =
a->n[2] >> 24 |
a->n[3] << 28;
575 r->
n[3] =
a->n[3] >> 36 |
a->n[4] << 16;
579 r->
n[0] =
a->n[0] & 0xFFFFFFFFFFFFFULL;
580 r->
n[1] =
a->n[0] >> 52 | ((
a->n[1] << 12) & 0xFFFFFFFFFFFFFULL);
581 r->
n[2] =
a->n[1] >> 40 | ((
a->n[2] << 24) & 0xFFFFFFFFFFFFFULL);
582 r->
n[3] =
a->n[2] >> 28 | ((
a->n[3] << 36) & 0xFFFFFFFFFFFFFULL);
583 r->
n[4] =
a->n[3] >> 16;
587 secp256k1_fe_verify(r);
593 const uint64_t a0 =
a->v[0], a1 =
a->v[1], a2 =
a->v[2], a3 =
a->v[3], a4 =
a->v[4];
605 r->
n[1] = (a0 >> 52 | a1 << 10) & M52;
606 r->
n[2] = (a1 >> 42 | a2 << 20) & M52;
607 r->
n[3] = (a2 >> 32 | a3 << 30) & M52;
608 r->
n[4] = (a3 >> 22 | a4 << 40);
613 secp256k1_fe_verify(r);
619 const uint64_t a0 =
a->n[0], a1 =
a->n[1], a2 =
a->n[2], a3 =
a->n[3], a4 =
a->n[4];
625 r->
v[0] = (a0 | a1 << 52) & M62;
626 r->
v[1] = (a1 >> 10 | a2 << 42) & M62;
627 r->
v[2] = (a2 >> 20 | a3 << 32) & M62;
628 r->
v[3] = (a3 >> 30 | a4 << 22) & M62;
633 {{-0x1000003D1LL, 0, 0, 0, 256}},
642 secp256k1_fe_normalize(&tmp);
643 secp256k1_fe_to_signed62(&s, &tmp);
644 secp256k1_modinv64(&s, &secp256k1_const_modinfo_fe);
645 secp256k1_fe_from_signed62(r, &s);
648 VERIFY_CHECK(secp256k1_fe_normalizes_to_zero(r) == secp256k1_fe_normalizes_to_zero(&tmp));
657 secp256k1_fe_normalize_var(&tmp);
658 secp256k1_fe_to_signed62(&s, &tmp);
659 secp256k1_modinv64_var(&s, &secp256k1_const_modinfo_fe);
660 secp256k1_fe_from_signed62(r, &s);
663 VERIFY_CHECK(secp256k1_fe_normalizes_to_zero(r) == secp256k1_fe_normalizes_to_zero(&tmp));
#define VERIFY_CHECK(cond)
unsigned __int64 uint64_t
const GenericPointer< typename T::ValueType > T2 T::AllocatorType & a
#define SECP256K1_CHECKMEM_CHECK_VERIFY(p, len)
#define SECP256K1_RESTRICT