Bitcoin ABC  0.24.7
P2P Digital Currency
field_5x52_impl.h
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2013, 2014 Pieter Wuille *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #ifndef SECP256K1_FIELD_REPR_IMPL_H
8 #define SECP256K1_FIELD_REPR_IMPL_H
9 
10 #if defined HAVE_CONFIG_H
11 #include "libsecp256k1-config.h"
12 #endif
13 
14 #include "util.h"
15 #include "field.h"
16 #include "modinv64_impl.h"
17 
18 #if defined(USE_ASM_X86_64)
19 #include "field_5x52_asm_impl.h"
20 #else
21 #include "field_5x52_int128_impl.h"
22 #endif
23 
32 #ifdef VERIFY
33 static void secp256k1_fe_verify(const secp256k1_fe *a) {
34  const uint64_t *d = a->n;
35  int m = a->normalized ? 1 : 2 * a->magnitude, r = 1;
36  /* secp256k1 'p' value defined in "Standards for Efficient Cryptography" (SEC2) 2.7.1. */
37  r &= (d[0] <= 0xFFFFFFFFFFFFFULL * m);
38  r &= (d[1] <= 0xFFFFFFFFFFFFFULL * m);
39  r &= (d[2] <= 0xFFFFFFFFFFFFFULL * m);
40  r &= (d[3] <= 0xFFFFFFFFFFFFFULL * m);
41  r &= (d[4] <= 0x0FFFFFFFFFFFFULL * m);
42  r &= (a->magnitude >= 0);
43  r &= (a->magnitude <= 2048);
44  if (a->normalized) {
45  r &= (a->magnitude <= 1);
46  if (r && (d[4] == 0x0FFFFFFFFFFFFULL) && ((d[3] & d[2] & d[1]) == 0xFFFFFFFFFFFFFULL)) {
47  r &= (d[0] < 0xFFFFEFFFFFC2FULL);
48  }
49  }
50  VERIFY_CHECK(r == 1);
51 }
52 #endif
53 
55  uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4];
56 
57  /* Reduce t4 at the start so there will be at most a single carry from the first pass */
58  uint64_t m;
59  uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
60 
61  /* The first pass ensures the magnitude is 1, ... */
62  t0 += x * 0x1000003D1ULL;
63  t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
64  t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; m = t1;
65  t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; m &= t2;
66  t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; m &= t3;
67 
68  /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */
69  VERIFY_CHECK(t4 >> 49 == 0);
70 
71  /* At most a single final reduction is needed; check if the value is >= the field characteristic */
72  x = (t4 >> 48) | ((t4 == 0x0FFFFFFFFFFFFULL) & (m == 0xFFFFFFFFFFFFFULL)
73  & (t0 >= 0xFFFFEFFFFFC2FULL));
74 
75  /* Apply the final reduction (for constant-time behaviour, we do it always) */
76  t0 += x * 0x1000003D1ULL;
77  t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
78  t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL;
79  t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL;
80  t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL;
81 
82  /* If t4 didn't carry to bit 48 already, then it should have after any final reduction */
83  VERIFY_CHECK(t4 >> 48 == x);
84 
85  /* Mask off the possible multiple of 2^256 from the final reduction */
86  t4 &= 0x0FFFFFFFFFFFFULL;
87 
88  r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4;
89 
90 #ifdef VERIFY
91  r->magnitude = 1;
92  r->normalized = 1;
93  secp256k1_fe_verify(r);
94 #endif
95 }
96 
98  uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4];
99 
100  /* Reduce t4 at the start so there will be at most a single carry from the first pass */
101  uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
102 
103  /* The first pass ensures the magnitude is 1, ... */
104  t0 += x * 0x1000003D1ULL;
105  t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
106  t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL;
107  t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL;
108  t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL;
109 
110  /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */
111  VERIFY_CHECK(t4 >> 49 == 0);
112 
113  r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4;
114 
115 #ifdef VERIFY
116  r->magnitude = 1;
117  secp256k1_fe_verify(r);
118 #endif
119 }
120 
122  uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4];
123 
124  /* Reduce t4 at the start so there will be at most a single carry from the first pass */
125  uint64_t m;
126  uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
127 
128  /* The first pass ensures the magnitude is 1, ... */
129  t0 += x * 0x1000003D1ULL;
130  t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
131  t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; m = t1;
132  t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; m &= t2;
133  t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; m &= t3;
134 
135  /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */
136  VERIFY_CHECK(t4 >> 49 == 0);
137 
138  /* At most a single final reduction is needed; check if the value is >= the field characteristic */
139  x = (t4 >> 48) | ((t4 == 0x0FFFFFFFFFFFFULL) & (m == 0xFFFFFFFFFFFFFULL)
140  & (t0 >= 0xFFFFEFFFFFC2FULL));
141 
142  if (x) {
143  t0 += 0x1000003D1ULL;
144  t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
145  t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL;
146  t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL;
147  t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL;
148 
149  /* If t4 didn't carry to bit 48 already, then it should have after any final reduction */
150  VERIFY_CHECK(t4 >> 48 == x);
151 
152  /* Mask off the possible multiple of 2^256 from the final reduction */
153  t4 &= 0x0FFFFFFFFFFFFULL;
154  }
155 
156  r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4;
157 
158 #ifdef VERIFY
159  r->magnitude = 1;
160  r->normalized = 1;
161  secp256k1_fe_verify(r);
162 #endif
163 }
164 
166  uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4];
167 
168  /* z0 tracks a possible raw value of 0, z1 tracks a possible raw value of P */
169  uint64_t z0, z1;
170 
171  /* Reduce t4 at the start so there will be at most a single carry from the first pass */
172  uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
173 
174  /* The first pass ensures the magnitude is 1, ... */
175  t0 += x * 0x1000003D1ULL;
176  t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; z0 = t0; z1 = t0 ^ 0x1000003D0ULL;
177  t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; z0 |= t1; z1 &= t1;
178  t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; z0 |= t2; z1 &= t2;
179  t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; z0 |= t3; z1 &= t3;
180  z0 |= t4; z1 &= t4 ^ 0xF000000000000ULL;
181 
182  /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */
183  VERIFY_CHECK(t4 >> 49 == 0);
184 
185  return (z0 == 0) | (z1 == 0xFFFFFFFFFFFFFULL);
186 }
187 
189  uint64_t t0, t1, t2, t3, t4;
190  uint64_t z0, z1;
191  uint64_t x;
192 
193  t0 = r->n[0];
194  t4 = r->n[4];
195 
196  /* Reduce t4 at the start so there will be at most a single carry from the first pass */
197  x = t4 >> 48;
198 
199  /* The first pass ensures the magnitude is 1, ... */
200  t0 += x * 0x1000003D1ULL;
201 
202  /* z0 tracks a possible raw value of 0, z1 tracks a possible raw value of P */
203  z0 = t0 & 0xFFFFFFFFFFFFFULL;
204  z1 = z0 ^ 0x1000003D0ULL;
205 
206  /* Fast return path should catch the majority of cases */
207  if ((z0 != 0ULL) & (z1 != 0xFFFFFFFFFFFFFULL)) {
208  return 0;
209  }
210 
211  t1 = r->n[1];
212  t2 = r->n[2];
213  t3 = r->n[3];
214 
215  t4 &= 0x0FFFFFFFFFFFFULL;
216 
217  t1 += (t0 >> 52);
218  t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; z0 |= t1; z1 &= t1;
219  t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; z0 |= t2; z1 &= t2;
220  t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; z0 |= t3; z1 &= t3;
221  z0 |= t4; z1 &= t4 ^ 0xF000000000000ULL;
222 
223  /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */
224  VERIFY_CHECK(t4 >> 49 == 0);
225 
226  return (z0 == 0) | (z1 == 0xFFFFFFFFFFFFFULL);
227 }
228 
230  r->n[0] = a;
231  r->n[1] = r->n[2] = r->n[3] = r->n[4] = 0;
232 #ifdef VERIFY
233  r->magnitude = 1;
234  r->normalized = 1;
235  secp256k1_fe_verify(r);
236 #endif
237 }
238 
240  const uint64_t *t = a->n;
241 #ifdef VERIFY
242  VERIFY_CHECK(a->normalized);
243  secp256k1_fe_verify(a);
244 #endif
245  return (t[0] | t[1] | t[2] | t[3] | t[4]) == 0;
246 }
247 
249 #ifdef VERIFY
250  VERIFY_CHECK(a->normalized);
251  secp256k1_fe_verify(a);
252 #endif
253  return a->n[0] & 1;
254 }
255 
257  int i;
258 #ifdef VERIFY
259  a->magnitude = 0;
260  a->normalized = 1;
261 #endif
262  for (i=0; i<5; i++) {
263  a->n[i] = 0;
264  }
265 }
266 
267 static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b) {
268  int i;
269 #ifdef VERIFY
270  VERIFY_CHECK(a->normalized);
271  VERIFY_CHECK(b->normalized);
272  secp256k1_fe_verify(a);
273  secp256k1_fe_verify(b);
274 #endif
275  for (i = 4; i >= 0; i--) {
276  if (a->n[i] > b->n[i]) {
277  return 1;
278  }
279  if (a->n[i] < b->n[i]) {
280  return -1;
281  }
282  }
283  return 0;
284 }
285 
286 static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a) {
287  int ret;
288  r->n[0] = (uint64_t)a[31]
289  | ((uint64_t)a[30] << 8)
290  | ((uint64_t)a[29] << 16)
291  | ((uint64_t)a[28] << 24)
292  | ((uint64_t)a[27] << 32)
293  | ((uint64_t)a[26] << 40)
294  | ((uint64_t)(a[25] & 0xF) << 48);
295  r->n[1] = (uint64_t)((a[25] >> 4) & 0xF)
296  | ((uint64_t)a[24] << 4)
297  | ((uint64_t)a[23] << 12)
298  | ((uint64_t)a[22] << 20)
299  | ((uint64_t)a[21] << 28)
300  | ((uint64_t)a[20] << 36)
301  | ((uint64_t)a[19] << 44);
302  r->n[2] = (uint64_t)a[18]
303  | ((uint64_t)a[17] << 8)
304  | ((uint64_t)a[16] << 16)
305  | ((uint64_t)a[15] << 24)
306  | ((uint64_t)a[14] << 32)
307  | ((uint64_t)a[13] << 40)
308  | ((uint64_t)(a[12] & 0xF) << 48);
309  r->n[3] = (uint64_t)((a[12] >> 4) & 0xF)
310  | ((uint64_t)a[11] << 4)
311  | ((uint64_t)a[10] << 12)
312  | ((uint64_t)a[9] << 20)
313  | ((uint64_t)a[8] << 28)
314  | ((uint64_t)a[7] << 36)
315  | ((uint64_t)a[6] << 44);
316  r->n[4] = (uint64_t)a[5]
317  | ((uint64_t)a[4] << 8)
318  | ((uint64_t)a[3] << 16)
319  | ((uint64_t)a[2] << 24)
320  | ((uint64_t)a[1] << 32)
321  | ((uint64_t)a[0] << 40);
322  ret = !((r->n[4] == 0x0FFFFFFFFFFFFULL) & ((r->n[3] & r->n[2] & r->n[1]) == 0xFFFFFFFFFFFFFULL) & (r->n[0] >= 0xFFFFEFFFFFC2FULL));
323 #ifdef VERIFY
324  r->magnitude = 1;
325  if (ret) {
326  r->normalized = 1;
327  secp256k1_fe_verify(r);
328  } else {
329  r->normalized = 0;
330  }
331 #endif
332  return ret;
333 }
334 
336 static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a) {
337 #ifdef VERIFY
338  VERIFY_CHECK(a->normalized);
339  secp256k1_fe_verify(a);
340 #endif
341  r[0] = (a->n[4] >> 40) & 0xFF;
342  r[1] = (a->n[4] >> 32) & 0xFF;
343  r[2] = (a->n[4] >> 24) & 0xFF;
344  r[3] = (a->n[4] >> 16) & 0xFF;
345  r[4] = (a->n[4] >> 8) & 0xFF;
346  r[5] = a->n[4] & 0xFF;
347  r[6] = (a->n[3] >> 44) & 0xFF;
348  r[7] = (a->n[3] >> 36) & 0xFF;
349  r[8] = (a->n[3] >> 28) & 0xFF;
350  r[9] = (a->n[3] >> 20) & 0xFF;
351  r[10] = (a->n[3] >> 12) & 0xFF;
352  r[11] = (a->n[3] >> 4) & 0xFF;
353  r[12] = ((a->n[2] >> 48) & 0xF) | ((a->n[3] & 0xF) << 4);
354  r[13] = (a->n[2] >> 40) & 0xFF;
355  r[14] = (a->n[2] >> 32) & 0xFF;
356  r[15] = (a->n[2] >> 24) & 0xFF;
357  r[16] = (a->n[2] >> 16) & 0xFF;
358  r[17] = (a->n[2] >> 8) & 0xFF;
359  r[18] = a->n[2] & 0xFF;
360  r[19] = (a->n[1] >> 44) & 0xFF;
361  r[20] = (a->n[1] >> 36) & 0xFF;
362  r[21] = (a->n[1] >> 28) & 0xFF;
363  r[22] = (a->n[1] >> 20) & 0xFF;
364  r[23] = (a->n[1] >> 12) & 0xFF;
365  r[24] = (a->n[1] >> 4) & 0xFF;
366  r[25] = ((a->n[0] >> 48) & 0xF) | ((a->n[1] & 0xF) << 4);
367  r[26] = (a->n[0] >> 40) & 0xFF;
368  r[27] = (a->n[0] >> 32) & 0xFF;
369  r[28] = (a->n[0] >> 24) & 0xFF;
370  r[29] = (a->n[0] >> 16) & 0xFF;
371  r[30] = (a->n[0] >> 8) & 0xFF;
372  r[31] = a->n[0] & 0xFF;
373 }
374 
376 #ifdef VERIFY
377  VERIFY_CHECK(a->magnitude <= m);
378  secp256k1_fe_verify(a);
379 #endif
380  r->n[0] = 0xFFFFEFFFFFC2FULL * 2 * (m + 1) - a->n[0];
381  r->n[1] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[1];
382  r->n[2] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[2];
383  r->n[3] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[3];
384  r->n[4] = 0x0FFFFFFFFFFFFULL * 2 * (m + 1) - a->n[4];
385 #ifdef VERIFY
386  r->magnitude = m + 1;
387  r->normalized = 0;
388  secp256k1_fe_verify(r);
389 #endif
390 }
391 
393  r->n[0] *= a;
394  r->n[1] *= a;
395  r->n[2] *= a;
396  r->n[3] *= a;
397  r->n[4] *= a;
398 #ifdef VERIFY
399  r->magnitude *= a;
400  r->normalized = 0;
401  secp256k1_fe_verify(r);
402 #endif
403 }
404 
406 #ifdef VERIFY
407  secp256k1_fe_verify(a);
408 #endif
409  r->n[0] += a->n[0];
410  r->n[1] += a->n[1];
411  r->n[2] += a->n[2];
412  r->n[3] += a->n[3];
413  r->n[4] += a->n[4];
414 #ifdef VERIFY
415  r->magnitude += a->magnitude;
416  r->normalized = 0;
417  secp256k1_fe_verify(r);
418 #endif
419 }
420 
422 #ifdef VERIFY
423  VERIFY_CHECK(a->magnitude <= 8);
424  VERIFY_CHECK(b->magnitude <= 8);
425  secp256k1_fe_verify(a);
426  secp256k1_fe_verify(b);
427  VERIFY_CHECK(r != b);
428  VERIFY_CHECK(a != b);
429 #endif
430  secp256k1_fe_mul_inner(r->n, a->n, b->n);
431 #ifdef VERIFY
432  r->magnitude = 1;
433  r->normalized = 0;
434  secp256k1_fe_verify(r);
435 #endif
436 }
437 
438 static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a) {
439 #ifdef VERIFY
440  VERIFY_CHECK(a->magnitude <= 8);
441  secp256k1_fe_verify(a);
442 #endif
443  secp256k1_fe_sqr_inner(r->n, a->n);
444 #ifdef VERIFY
445  r->magnitude = 1;
446  r->normalized = 0;
447  secp256k1_fe_verify(r);
448 #endif
449 }
450 
451 static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag) {
452  uint64_t mask0, mask1;
453  VG_CHECK_VERIFY(r->n, sizeof(r->n));
454  mask0 = flag + ~((uint64_t)0);
455  mask1 = ~mask0;
456  r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
457  r->n[1] = (r->n[1] & mask0) | (a->n[1] & mask1);
458  r->n[2] = (r->n[2] & mask0) | (a->n[2] & mask1);
459  r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1);
460  r->n[4] = (r->n[4] & mask0) | (a->n[4] & mask1);
461 #ifdef VERIFY
462  if (flag) {
463  r->magnitude = a->magnitude;
464  r->normalized = a->normalized;
465  }
466 #endif
467 }
468 
470  uint64_t mask0, mask1;
471  VG_CHECK_VERIFY(r->n, sizeof(r->n));
472  mask0 = flag + ~((uint64_t)0);
473  mask1 = ~mask0;
474  r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
475  r->n[1] = (r->n[1] & mask0) | (a->n[1] & mask1);
476  r->n[2] = (r->n[2] & mask0) | (a->n[2] & mask1);
477  r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1);
478 }
479 
481 #ifdef VERIFY
482  VERIFY_CHECK(a->normalized);
483 #endif
484  r->n[0] = a->n[0] | a->n[1] << 52;
485  r->n[1] = a->n[1] >> 12 | a->n[2] << 40;
486  r->n[2] = a->n[2] >> 24 | a->n[3] << 28;
487  r->n[3] = a->n[3] >> 36 | a->n[4] << 16;
488 }
489 
491  r->n[0] = a->n[0] & 0xFFFFFFFFFFFFFULL;
492  r->n[1] = a->n[0] >> 52 | ((a->n[1] << 12) & 0xFFFFFFFFFFFFFULL);
493  r->n[2] = a->n[1] >> 40 | ((a->n[2] << 24) & 0xFFFFFFFFFFFFFULL);
494  r->n[3] = a->n[2] >> 28 | ((a->n[3] << 36) & 0xFFFFFFFFFFFFFULL);
495  r->n[4] = a->n[3] >> 16;
496 #ifdef VERIFY
497  r->magnitude = 1;
498  r->normalized = 1;
499 #endif
500 }
501 
503  const uint64_t M52 = UINT64_MAX >> 12;
504  const uint64_t a0 = a->v[0], a1 = a->v[1], a2 = a->v[2], a3 = a->v[3], a4 = a->v[4];
505 
506  /* The output from secp256k1_modinv64{_var} should be normalized to range [0,modulus), and
507  * have limbs in [0,2^62). The modulus is < 2^256, so the top limb must be below 2^(256-62*4).
508  */
509  VERIFY_CHECK(a0 >> 62 == 0);
510  VERIFY_CHECK(a1 >> 62 == 0);
511  VERIFY_CHECK(a2 >> 62 == 0);
512  VERIFY_CHECK(a3 >> 62 == 0);
513  VERIFY_CHECK(a4 >> 8 == 0);
514 
515  r->n[0] = a0 & M52;
516  r->n[1] = (a0 >> 52 | a1 << 10) & M52;
517  r->n[2] = (a1 >> 42 | a2 << 20) & M52;
518  r->n[3] = (a2 >> 32 | a3 << 30) & M52;
519  r->n[4] = (a3 >> 22 | a4 << 40);
520 
521 #ifdef VERIFY
522  r->magnitude = 1;
523  r->normalized = 1;
524  secp256k1_fe_verify(r);
525 #endif
526 }
527 
529  const uint64_t M62 = UINT64_MAX >> 2;
530  const uint64_t a0 = a->n[0], a1 = a->n[1], a2 = a->n[2], a3 = a->n[3], a4 = a->n[4];
531 
532 #ifdef VERIFY
533  VERIFY_CHECK(a->normalized);
534 #endif
535 
536  r->v[0] = (a0 | a1 << 52) & M62;
537  r->v[1] = (a1 >> 10 | a2 << 42) & M62;
538  r->v[2] = (a2 >> 20 | a3 << 32) & M62;
539  r->v[3] = (a3 >> 30 | a4 << 22) & M62;
540  r->v[4] = a4 >> 40;
541 }
542 
544  {{-0x1000003D1LL, 0, 0, 0, 256}},
545  0x27C7F6E22DDACACFLL
546 };
547 
548 static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *x) {
549  secp256k1_fe tmp;
551 
552  tmp = *x;
554  secp256k1_fe_to_signed62(&s, &tmp);
557 
558 #ifdef VERIFY
560 #endif
561 }
562 
563 static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *x) {
564  secp256k1_fe tmp;
566 
567  tmp = *x;
569  secp256k1_fe_to_signed62(&s, &tmp);
572 
573 #ifdef VERIFY
575 #endif
576 }
577 
578 #endif /* SECP256K1_FIELD_REPR_IMPL_H */
secp256k1_fe_normalizes_to_zero_var
static int secp256k1_fe_normalizes_to_zero_var(secp256k1_fe *r)
Definition: field_5x52_impl.h:188
VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:68
secp256k1_fe_cmp_var
static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: field_5x52_impl.h:267
secp256k1_fe_cmov
static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag)
Definition: field_5x52_impl.h:451
secp256k1_fe_storage
Definition: field_10x26.h:43
secp256k1_fe_get_b32
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.
Definition: field_5x52_impl.h:336
SECP256K1_RESTRICT
#define SECP256K1_RESTRICT
Definition: util.h:158
field_5x52_int128_impl.h
secp256k1_fe_sqr
static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a)
Definition: field_5x52_impl.h:438
util.h
field_5x52_asm_impl.h
secp256k1_modinv64_var
static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
secp256k1_fe_to_storage
static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a)
Definition: field_5x52_impl.h:480
secp256k1_fe_mul_int
static SECP256K1_INLINE void secp256k1_fe_mul_int(secp256k1_fe *r, int a)
Definition: field_5x52_impl.h:392
secp256k1_fe_storage::n
uint32_t n[8]
Definition: field_10x26.h:44
secp256k1_fe_is_zero
static SECP256K1_INLINE int secp256k1_fe_is_zero(const secp256k1_fe *a)
Definition: field_5x52_impl.h:239
secp256k1_fe::n
uint32_t n[10]
Definition: field_10x26.h:20
secp256k1_fe_from_signed62
static void secp256k1_fe_from_signed62(secp256k1_fe *r, const secp256k1_modinv64_signed62 *a)
Definition: field_5x52_impl.h:502
secp256k1_fe_sqr_inner
static SECP256K1_INLINE void secp256k1_fe_sqr_inner(uint32_t *r, const uint32_t *a)
Definition: field_10x26_impl.h:794
secp256k1_fe
Definition: field_10x26.h:12
secp256k1_fe_mul
static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe *SECP256K1_RESTRICT b)
Definition: field_5x52_impl.h:421
secp256k1_fe_normalizes_to_zero
static int secp256k1_fe_normalizes_to_zero(secp256k1_fe *r)
Definition: field_5x52_impl.h:165
secp256k1_fe_add
static SECP256K1_INLINE void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a)
Definition: field_5x52_impl.h:405
secp256k1_fe_set_int
static SECP256K1_INLINE void secp256k1_fe_set_int(secp256k1_fe *r, int a)
Definition: field_5x52_impl.h:229
secp256k1_fe_from_storage
static SECP256K1_INLINE void secp256k1_fe_from_storage(secp256k1_fe *r, const secp256k1_fe_storage *a)
Definition: field_5x52_impl.h:490
field.h
secp256k1_modinv64_modinfo
Definition: modinv64.h:27
secp256k1_fe_normalize_var
static void secp256k1_fe_normalize_var(secp256k1_fe *r)
Definition: field_5x52_impl.h:121
secp256k1_fe_inv_var
static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *x)
Definition: field_5x52_impl.h:563
VG_CHECK_VERIFY
#define VG_CHECK_VERIFY(x, y)
Definition: util.h:88
secp256k1_fe_normalize_weak
static void secp256k1_fe_normalize_weak(secp256k1_fe *r)
Definition: field_5x52_impl.h:97
secp256k1_fe_mul_inner
static SECP256K1_INLINE void secp256k1_fe_mul_inner(uint32_t *r, const uint32_t *a, const uint32_t *SECP256K1_RESTRICT b)
Definition: field_10x26_impl.h:464
secp256k1_const_modinfo_fe
static const secp256k1_modinv64_modinfo secp256k1_const_modinfo_fe
Definition: field_5x52_impl.h:543
secp256k1_fe_clear
static SECP256K1_INLINE void secp256k1_fe_clear(secp256k1_fe *a)
Definition: field_5x52_impl.h:256
secp256k1_fe_normalize
static void secp256k1_fe_normalize(secp256k1_fe *r)
Implements arithmetic modulo FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F,...
Definition: field_5x52_impl.h:54
secp256k1_modinv64_signed62
Definition: modinv64.h:23
secp256k1_fe_storage_cmov
static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
Definition: field_5x52_impl.h:469
secp256k1_modinv64
static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
secp256k1_fe_inv
static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *x)
Definition: field_5x52_impl.h:548
SECP256K1_INLINE
#define SECP256K1_INLINE
Definition: secp256k1.h:124
secp256k1_fe_set_b32
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Definition: field_5x52_impl.h:286
ScriptError::VERIFY
@ VERIFY
modinv64_impl.h
secp256k1_modinv64_signed62::v
int64_t v[5]
Definition: modinv64.h:28
secp256k1_fe_negate
static SECP256K1_INLINE void secp256k1_fe_negate(secp256k1_fe *r, const secp256k1_fe *a, int m)
Definition: field_5x52_impl.h:375
secp256k1_fe_to_signed62
static void secp256k1_fe_to_signed62(secp256k1_modinv64_signed62 *r, const secp256k1_fe *a)
Definition: field_5x52_impl.h:528
secp256k1_fe_is_odd
static SECP256K1_INLINE int secp256k1_fe_is_odd(const secp256k1_fe *a)
Definition: field_5x52_impl.h:248