Diffusion Bitcoin ABC e7a0cc46cffd

[secp256k1] Use modified divsteps with initial delta=1/2 for constant-time
e7a0cc46cffd
Actions

Tags

None

Subscribers

None

Description

[secp256k1] Use modified divsteps with initial delta=1/2 for constant-time

Summary:

This updates the divsteps-based modular inverse code to use the modified version which starts with delta=1/2. For variable time, the delta=1 variant is still used as it appears to be faster.

See https://github.com/sipa/safegcd-bounds/tree/master/coq and https://medium.com/blockstream/a-formal-proof-of-safegcd-bounds-695e1735a348 for a proof of correctness of this variant.

Backport of secp256k1#906.

Test Plan:

ninja check-secp256k1

Reviewers: #bitcoin_abc, PiRK

Reviewed By: #bitcoin_abc, PiRK

Differential Revision: https://reviews.bitcoinabc.org/D18157

Details

Provenance

Pieter Wuille <pieter@wuille.net>	Authored on Mar 29 2021, 23:33
Fabien	Committed on May 27 2025, 21:27
Fabien	Pushed on May 27 2025, 21:27

Reviewer

Restricted Project

Differential Revision

D18157: [secp256k1] Use modified divsteps with initial delta=1/2 for constant-time

Parents

rABC7b68fb8230a3: [ChronikClient] Add "UNKNOWN" protocol type

Branches

Unknown

Tags

Unknown

Event Timeline

Fabien committed rABCe7a0cc46cffd: [secp256k1] Use modified divsteps with initial delta=1/2 for constant-time (authored by Pieter Wuille <pieter@wuille.net>).May 27 2025, 21:27

Fabien added an edge: D18157: [secp256k1] Use modified divsteps with initial delta=1/2 for constant-time.

Changes (4)

Path

Size

src/

secp256k1/

doc/

safegcd_implementation.md

src/

modinv32_impl.h

modinv64_impl.h

rABCe7a0cc46cffd

src/secp256k1/doc/safegcd_implementation.md

Loading...

src/secp256k1/src/modinv32_impl.h

Loading...

src/secp256k1/src/modinv64_impl.h

Loading...

src/secp256k1/src/tests.c

Loading...