src/secp256k1/src/ecmult_const_impl.h
#include "scalar.h" | #include "scalar.h" | ||||
#include "group.h" | #include "group.h" | ||||
#include "ecmult_const.h" | #include "ecmult_const.h" | ||||
#include "ecmult_impl.h" | #include "ecmult_impl.h" | ||||
/* This is like `ECMULT_TABLE_GET_GE` but is constant time */ | /* This is like `ECMULT_TABLE_GET_GE` but is constant time */ | ||||
#define ECMULT_CONST_TABLE_GET_GE(r,pre,n,w) do { \ | #define ECMULT_CONST_TABLE_GET_GE(r,pre,n,w) do { \ | ||||
int m; \ | int m; \ | ||||
int abs_n = (n) * (((n) > 0) * 2 - 1); \ | /* Extract the sign-bit for a constant time absolute-value. */ \ | ||||
int idx_n = abs_n / 2; \ | int mask = (n) >> (sizeof(n) * CHAR_BIT - 1); \ | ||||
int abs_n = ((n) + mask) ^ mask; \ | |||||
int idx_n = abs_n >> 1; \ | |||||
secp256k1_fe neg_y; \ | secp256k1_fe neg_y; \ | ||||
VERIFY_CHECK(((n) & 1) == 1); \ | VERIFY_CHECK(((n) & 1) == 1); \ | ||||
VERIFY_CHECK((n) >= -((1 << ((w)-1)) - 1)); \ | VERIFY_CHECK((n) >= -((1 << ((w)-1)) - 1)); \ | ||||
VERIFY_CHECK((n) <= ((1 << ((w)-1)) - 1)); \ | VERIFY_CHECK((n) <= ((1 << ((w)-1)) - 1)); \ | ||||
VERIFY_SETUP(secp256k1_fe_clear(&(r)->x)); \ | VERIFY_SETUP(secp256k1_fe_clear(&(r)->x)); \ | ||||
VERIFY_SETUP(secp256k1_fe_clear(&(r)->y)); \ | VERIFY_SETUP(secp256k1_fe_clear(&(r)->y)); \ | ||||
for (m = 0; m < ECMULT_TABLE_SIZE(w); m++) { \ | for (m = 0; m < ECMULT_TABLE_SIZE(w); m++) { \ | ||||
/* This loop is used to avoid secret data in array indices. See | /* This loop is used to avoid secret data in array indices. See | ||||
▲ Show 20 Lines • Show All 139 Lines • ▼ Show 20 Lines | #endif | ||||
for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) { | for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) { | ||||
secp256k1_fe_normalize_weak(&pre_a[i].y); | secp256k1_fe_normalize_weak(&pre_a[i].y); | ||||
} | } | ||||
#ifdef USE_ENDOMORPHISM | #ifdef USE_ENDOMORPHISM | ||||
if (size > 128) { | if (size > 128) { | ||||
for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) { | for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) { | ||||
secp256k1_ge_mul_lambda(&pre_a_lam[i], &pre_a[i]); | secp256k1_ge_mul_lambda(&pre_a_lam[i], &pre_a[i]); | ||||
} | } | ||||
} | } | ||||
#endif | #endif | ||||
/* first loop iteration (separated out so we can directly set r, rather | /* first loop iteration (separated out so we can directly set r, rather | ||||
* than having it start at infinity, get doubled several times, then have | * than having it start at infinity, get doubled several times, then have | ||||
* its new value added to it) */ | * its new value added to it) */ | ||||
i = wnaf_1[WNAF_SIZE_BITS(rsize, WINDOW_A - 1)]; | i = wnaf_1[WNAF_SIZE_BITS(rsize, WINDOW_A - 1)]; | ||||
VERIFY_CHECK(i != 0); | VERIFY_CHECK(i != 0); | ||||
ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a, i, WINDOW_A); | ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a, i, WINDOW_A); | ||||
secp256k1_gej_set_ge(r, &tmpa); | secp256k1_gej_set_ge(r, &tmpa); | ||||
#ifdef USE_ENDOMORPHISM | #ifdef USE_ENDOMORPHISM | ||||
if (size > 128) { | if (size > 128) { | ||||
i = wnaf_lam[WNAF_SIZE_BITS(rsize, WINDOW_A - 1)]; | i = wnaf_lam[WNAF_SIZE_BITS(rsize, WINDOW_A - 1)]; | ||||
VERIFY_CHECK(i != 0); | VERIFY_CHECK(i != 0); | ||||
ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a_lam, i, WINDOW_A); | ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a_lam, i, WINDOW_A); | ||||
secp256k1_gej_add_ge(r, r, &tmpa); | secp256k1_gej_add_ge(r, r, &tmpa); | ||||
} | } | ||||
#endif | #endif | ||||
/* remaining loop iterations */ | /* remaining loop iterations */ | ||||
for (i = WNAF_SIZE_BITS(rsize, WINDOW_A - 1) - 1; i >= 0; i--) { | for (i = WNAF_SIZE_BITS(rsize, WINDOW_A - 1) - 1; i >= 0; i--) { | ||||
int n; | int n; | ||||
int j; | int j; | ||||
for (j = 0; j < WINDOW_A - 1; ++j) { | for (j = 0; j < WINDOW_A - 1; ++j) { | ||||
secp256k1_gej_double_nonzero(r, r, NULL); | secp256k1_gej_double_nonzero(r, r); | ||||
} | } | ||||
n = wnaf_1[i]; | n = wnaf_1[i]; | ||||
ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a, n, WINDOW_A); | ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a, n, WINDOW_A); | ||||
VERIFY_CHECK(n != 0); | VERIFY_CHECK(n != 0); | ||||
secp256k1_gej_add_ge(r, r, &tmpa); | secp256k1_gej_add_ge(r, r, &tmpa); | ||||
#ifdef USE_ENDOMORPHISM | #ifdef USE_ENDOMORPHISM | ||||
if (size > 128) { | if (size > 128) { | ||||
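Review bot: The new `int mask = (n) >> (sizeof(n) * CHAR_BIT - 1);` line in ECMULT_CONST_TABLE_GET_GE depends on a right shift of a negative signed int producing an all-ones value, which C leaves implementation-defined (arithmetic vs. logical shift), and nothing in the hunk records that the constant-time absolute value is only correct under the arithmetic-shift behaviour. I would extend the new comment to state the assumption, e.g. `/* Extract the sign-bit for a constant time absolute-value; relies on the (implementation-defined) arithmetic right shift of negative ints giving an all-ones mask. */`, so a reviewer of a new compiler or platform knows what to check. It is also worth noting next to `int abs_n = ((n) + mask) ^ mask;` that the VERIFY_CHECK bounds on `n` a few lines below are what keep `(n) + mask` from overflowing, since that is the only thing making the expression well-defined for every caller. `CHAR_BIT` needs `<limits.h>`; the visible includes do not show it, so presumably it arrives through one of the headers above the collapsed region — worth confirming. The macro body continues past the collapsed lines and the enclosing function of the second hunk starts and ends outside this section.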