Differential D18157

[secp256k1] Use modified divsteps with initial delta=1/2 for constant-time
ClosedPublic
Actions

Authored by Fabien on May 27 2025, 12:43.

Details

Reviewers

PiRK

Group Reviewers

Restricted Project

Commits

rABCe7a0cc46cffd: [secp256k1] Use modified divsteps with initial delta=1/2 for constant-time

Summary

This updates the divsteps-based modular inverse code to use the modified version which starts with delta=1/2. For variable time, the delta=1 variant is still used as it appears to be faster.

See https://github.com/sipa/safegcd-bounds/tree/master/coq and https://medium.com/blockstream/a-formal-proof-of-safegcd-bounds-695e1735a348 for a proof of correctness of this variant.

Backport of secp256k1#906.

Test Plan

ninja check-secp256k1

Diff Detail

Repository

rABC Bitcoin ABC

Branch

PR906

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 33451
Build 66381: Build Diff	ecash-wallet-tests · lint-circular-dependencies · ecash-agora-integration-tests · ecash-lib-integration-tests · ecash-agora-tests · cashtab-tests · build-ecash-secp256k1 · ecash-lib-tests · build-secp256k1-bench · build-without-wallet · build-secp256k1-java · build-secp256k1 · build-diff · build-clang-tidy · build-clang · build-debug
Build 66380: arc lint + arc unit