Changeset View
Changeset View
Standalone View
Standalone View
src/secp256k1/src/ecmult_const_impl.h
| /********************************************************************** | /********************************************************************** | ||||
| * Copyright (c) 2015 Pieter Wuille, Andrew Poelstra * | * Copyright (c) 2015 Pieter Wuille, Andrew Poelstra * | ||||
| * Distributed under the MIT software license, see the accompanying * | * Distributed under the MIT software license, see the accompanying * | ||||
| * file COPYING or http://www.opensource.org/licenses/mit-license.php.* | * file COPYING or http://www.opensource.org/licenses/mit-license.php.* | ||||
| **********************************************************************/ | **********************************************************************/ | ||||
| #ifndef SECP256K1_ECMULT_CONST_IMPL_H | #ifndef SECP256K1_ECMULT_CONST_IMPL_H | ||||
| #define SECP256K1_ECMULT_CONST_IMPL_H | #define SECP256K1_ECMULT_CONST_IMPL_H | ||||
| #include "scalar.h" | #include "scalar.h" | ||||
| #include "group.h" | #include "group.h" | ||||
| #include "ecmult_const.h" | #include "ecmult_const.h" | ||||
| #include "ecmult_impl.h" | #include "ecmult_impl.h" | ||||
| /* This is like `ECMULT_TABLE_GET_GE` but is constant time */ | /* This is like `ECMULT_TABLE_GET_GE` but is constant time */ | ||||
| #define ECMULT_CONST_TABLE_GET_GE(r,pre,n,w) do { \ | #define ECMULT_CONST_TABLE_GET_GE(r,pre,n,w) do { \ | ||||
| int m; \ | int m = 0; \ | ||||
| /* Extract the sign-bit for a constant time absolute-value. */ \ | /* Extract the sign-bit for a constant time absolute-value. */ \ | ||||
| int mask = (n) >> (sizeof(n) * CHAR_BIT - 1); \ | int mask = (n) >> (sizeof(n) * CHAR_BIT - 1); \ | ||||
| int abs_n = ((n) + mask) ^ mask; \ | int abs_n = ((n) + mask) ^ mask; \ | ||||
| int idx_n = abs_n >> 1; \ | int idx_n = abs_n >> 1; \ | ||||
| secp256k1_fe neg_y; \ | secp256k1_fe neg_y; \ | ||||
| VERIFY_CHECK(((n) & 1) == 1); \ | VERIFY_CHECK(((n) & 1) == 1); \ | ||||
| VERIFY_CHECK((n) >= -((1 << ((w)-1)) - 1)); \ | VERIFY_CHECK((n) >= -((1 << ((w)-1)) - 1)); \ | ||||
| VERIFY_CHECK((n) <= ((1 << ((w)-1)) - 1)); \ | VERIFY_CHECK((n) <= ((1 << ((w)-1)) - 1)); \ | ||||
| VERIFY_SETUP(secp256k1_fe_clear(&(r)->x)); \ | VERIFY_SETUP(secp256k1_fe_clear(&(r)->x)); \ | ||||
| VERIFY_SETUP(secp256k1_fe_clear(&(r)->y)); \ | VERIFY_SETUP(secp256k1_fe_clear(&(r)->y)); \ | ||||
| for (m = 0; m < ECMULT_TABLE_SIZE(w); m++) { \ | /* Unconditionally set r->x = (pre)[m].x. r->y = (pre)[m].y. because it's either the correct one \ | ||||
| * or will get replaced in the later iterations, this is needed to make sure `r` is initialized. */ \ | |||||
| (r)->x = (pre)[m].x; \ | |||||
| (r)->y = (pre)[m].y; \ | |||||
| for (m = 1; m < ECMULT_TABLE_SIZE(w); m++) { \ | |||||
| /* This loop is used to avoid secret data in array indices. See | /* This loop is used to avoid secret data in array indices. See | ||||
| * the comment in ecmult_gen_impl.h for rationale. */ \ | * the comment in ecmult_gen_impl.h for rationale. */ \ | ||||
| secp256k1_fe_cmov(&(r)->x, &(pre)[m].x, m == idx_n); \ | secp256k1_fe_cmov(&(r)->x, &(pre)[m].x, m == idx_n); \ | ||||
| secp256k1_fe_cmov(&(r)->y, &(pre)[m].y, m == idx_n); \ | secp256k1_fe_cmov(&(r)->y, &(pre)[m].y, m == idx_n); \ | ||||
| } \ | } \ | ||||
| (r)->infinity = 0; \ | (r)->infinity = 0; \ | ||||
| secp256k1_fe_negate(&neg_y, &(r)->y, 1); \ | secp256k1_fe_negate(&neg_y, &(r)->y, 1); \ | ||||
| secp256k1_fe_cmov(&(r)->y, &neg_y, (n) != abs_n); \ | secp256k1_fe_cmov(&(r)->y, &neg_y, (n) != abs_n); \ | ||||
| ▲ Show 20 Lines • Show All 228 Lines • Show Last 20 Lines | |||||