Page MenuHomePhabricator
Differential D7595 Diff 23865 src/secp256k1/src/ecmult_const_impl.h

Changeset View

Standalone View

View Options

src/secp256k1/src/ecmult_const_impl.h

Show First 20 LinesShow All 99 Lines▼ Show 20 Linesstatic int secp256k1_wnaf_const(int *wnaf, const secp256k1_scalar *scalar, int w, int size) {
* our flags to claim that we only skewed. */ * our flags to claim that we only skewed. */
global_sign = secp256k1_scalar_cond_negate(&s, flip); global_sign = secp256k1_scalar_cond_negate(&s, flip);
global_sign *= not_neg_one * 2 - 1; global_sign *= not_neg_one * 2 - 1;
skew = 1 << bit; skew = 1 << bit;
/* 4 */ /* 4 */
u_last = secp256k1_scalar_shr_int(&s, w); u_last = secp256k1_scalar_shr_int(&s, w);
do { do {
int sign;
int even; int even;
/* 4.1 4.4 */ /* 4.1 4.4 */
u = secp256k1_scalar_shr_int(&s, w); u = secp256k1_scalar_shr_int(&s, w);
/* 4.2 */ /* 4.2 */
even = ((u & 1) == 0); even = ((u & 1) == 0);
sign = 2 * (u_last > 0) - 1; /* In contrast to the original algorithm, u_last is always > 0 and
u += sign * even; * therefore we do not need to check its sign. In particular, it's easy
u_last -= sign * even * (1 << w); * to see that u_last is never < 0 because u is never < 0. Moreover,
* u_last is never = 0 because u is never even after a loop
* iteration. The same holds analogously for the initial value of
* u_last (in the first loop iteration). */
VERIFY_CHECK(u_last > 0);
VERIFY_CHECK((u_last & 1) == 1);
u += even;
u_last -= even * (1 << w);
/* 4.3, adapted for global sign change */ /* 4.3, adapted for global sign change */
wnaf[word++] = u_last * global_sign; wnaf[word++] = u_last * global_sign;
u_last = u; u_last = u;
} while (word * w < size); } while (word * w < size);
wnaf[word] = u * global_sign; wnaf[word] = u * global_sign;
▲ Show 20 LinesShow All 143 LinesShow Last 20 Lines