Bitcoin Core  25.99.0
P2P Digital Currency
field_5x52_impl.h
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2013, 2014 Pieter Wuille *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #ifndef SECP256K1_FIELD_REPR_IMPL_H
8 #define SECP256K1_FIELD_REPR_IMPL_H
9 
10 #include "checkmem.h"
11 #include "util.h"
12 #include "field.h"
13 #include "modinv64_impl.h"
14 
15 #if defined(USE_ASM_X86_64)
16 #include "field_5x52_asm_impl.h"
17 #else
18 #include "field_5x52_int128_impl.h"
19 #endif
20 
21 #ifdef VERIFY
22 static void secp256k1_fe_impl_verify(const secp256k1_fe *a) {
23  const uint64_t *d = a->n;
24  int m = a->normalized ? 1 : 2 * a->magnitude;
25  /* secp256k1 'p' value defined in "Standards for Efficient Cryptography" (SEC2) 2.7.1. */
26  VERIFY_CHECK(d[0] <= 0xFFFFFFFFFFFFFULL * m);
27  VERIFY_CHECK(d[1] <= 0xFFFFFFFFFFFFFULL * m);
28  VERIFY_CHECK(d[2] <= 0xFFFFFFFFFFFFFULL * m);
29  VERIFY_CHECK(d[3] <= 0xFFFFFFFFFFFFFULL * m);
30  VERIFY_CHECK(d[4] <= 0x0FFFFFFFFFFFFULL * m);
31  if (a->normalized) {
32  if ((d[4] == 0x0FFFFFFFFFFFFULL) && ((d[3] & d[2] & d[1]) == 0xFFFFFFFFFFFFFULL)) {
33  VERIFY_CHECK(d[0] < 0xFFFFEFFFFFC2FULL);
34  }
35  }
36 }
37 #endif
38 
40  r->n[0] = 0xFFFFFFFFFFFFFULL * 2 * m;
41  r->n[1] = 0xFFFFFFFFFFFFFULL * 2 * m;
42  r->n[2] = 0xFFFFFFFFFFFFFULL * 2 * m;
43  r->n[3] = 0xFFFFFFFFFFFFFULL * 2 * m;
44  r->n[4] = 0x0FFFFFFFFFFFFULL * 2 * m;
45 }
46 
48  uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4];
49 
50  /* Reduce t4 at the start so there will be at most a single carry from the first pass */
51  uint64_t m;
52  uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
53 
54  /* The first pass ensures the magnitude is 1, ... */
55  t0 += x * 0x1000003D1ULL;
56  t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
57  t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; m = t1;
58  t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; m &= t2;
59  t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; m &= t3;
60 
61  /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */
62  VERIFY_CHECK(t4 >> 49 == 0);
63 
64  /* At most a single final reduction is needed; check if the value is >= the field characteristic */
65  x = (t4 >> 48) | ((t4 == 0x0FFFFFFFFFFFFULL) & (m == 0xFFFFFFFFFFFFFULL)
66  & (t0 >= 0xFFFFEFFFFFC2FULL));
67 
68  /* Apply the final reduction (for constant-time behaviour, we do it always) */
69  t0 += x * 0x1000003D1ULL;
70  t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
71  t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL;
72  t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL;
73  t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL;
74 
75  /* If t4 didn't carry to bit 48 already, then it should have after any final reduction */
76  VERIFY_CHECK(t4 >> 48 == x);
77 
78  /* Mask off the possible multiple of 2^256 from the final reduction */
79  t4 &= 0x0FFFFFFFFFFFFULL;
80 
81  r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4;
82 }
83 
85  uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4];
86 
87  /* Reduce t4 at the start so there will be at most a single carry from the first pass */
88  uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
89 
90  /* The first pass ensures the magnitude is 1, ... */
91  t0 += x * 0x1000003D1ULL;
92  t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
93  t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL;
94  t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL;
95  t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL;
96 
97  /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */
98  VERIFY_CHECK(t4 >> 49 == 0);
99 
100  r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4;
101 }
102 
104  uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4];
105 
106  /* Reduce t4 at the start so there will be at most a single carry from the first pass */
107  uint64_t m;
108  uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
109 
110  /* The first pass ensures the magnitude is 1, ... */
111  t0 += x * 0x1000003D1ULL;
112  t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
113  t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; m = t1;
114  t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; m &= t2;
115  t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; m &= t3;
116 
117  /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */
118  VERIFY_CHECK(t4 >> 49 == 0);
119 
120  /* At most a single final reduction is needed; check if the value is >= the field characteristic */
121  x = (t4 >> 48) | ((t4 == 0x0FFFFFFFFFFFFULL) & (m == 0xFFFFFFFFFFFFFULL)
122  & (t0 >= 0xFFFFEFFFFFC2FULL));
123 
124  if (x) {
125  t0 += 0x1000003D1ULL;
126  t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
127  t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL;
128  t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL;
129  t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL;
130 
131  /* If t4 didn't carry to bit 48 already, then it should have after any final reduction */
132  VERIFY_CHECK(t4 >> 48 == x);
133 
134  /* Mask off the possible multiple of 2^256 from the final reduction */
135  t4 &= 0x0FFFFFFFFFFFFULL;
136  }
137 
138  r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4;
139 }
140 
142  uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4];
143 
144  /* z0 tracks a possible raw value of 0, z1 tracks a possible raw value of P */
145  uint64_t z0, z1;
146 
147  /* Reduce t4 at the start so there will be at most a single carry from the first pass */
148  uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
149 
150  /* The first pass ensures the magnitude is 1, ... */
151  t0 += x * 0x1000003D1ULL;
152  t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; z0 = t0; z1 = t0 ^ 0x1000003D0ULL;
153  t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; z0 |= t1; z1 &= t1;
154  t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; z0 |= t2; z1 &= t2;
155  t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; z0 |= t3; z1 &= t3;
156  z0 |= t4; z1 &= t4 ^ 0xF000000000000ULL;
157 
158  /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */
159  VERIFY_CHECK(t4 >> 49 == 0);
160 
161  return (z0 == 0) | (z1 == 0xFFFFFFFFFFFFFULL);
162 }
163 
165  uint64_t t0, t1, t2, t3, t4;
166  uint64_t z0, z1;
167  uint64_t x;
168 
169  t0 = r->n[0];
170  t4 = r->n[4];
171 
172  /* Reduce t4 at the start so there will be at most a single carry from the first pass */
173  x = t4 >> 48;
174 
175  /* The first pass ensures the magnitude is 1, ... */
176  t0 += x * 0x1000003D1ULL;
177 
178  /* z0 tracks a possible raw value of 0, z1 tracks a possible raw value of P */
179  z0 = t0 & 0xFFFFFFFFFFFFFULL;
180  z1 = z0 ^ 0x1000003D0ULL;
181 
182  /* Fast return path should catch the majority of cases */
183  if ((z0 != 0ULL) & (z1 != 0xFFFFFFFFFFFFFULL)) {
184  return 0;
185  }
186 
187  t1 = r->n[1];
188  t2 = r->n[2];
189  t3 = r->n[3];
190 
191  t4 &= 0x0FFFFFFFFFFFFULL;
192 
193  t1 += (t0 >> 52);
194  t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; z0 |= t1; z1 &= t1;
195  t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; z0 |= t2; z1 &= t2;
196  t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; z0 |= t3; z1 &= t3;
197  z0 |= t4; z1 &= t4 ^ 0xF000000000000ULL;
198 
199  /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */
200  VERIFY_CHECK(t4 >> 49 == 0);
201 
202  return (z0 == 0) | (z1 == 0xFFFFFFFFFFFFFULL);
203 }
204 
206  r->n[0] = a;
207  r->n[1] = r->n[2] = r->n[3] = r->n[4] = 0;
208 }
209 
211  const uint64_t *t = a->n;
212  return (t[0] | t[1] | t[2] | t[3] | t[4]) == 0;
213 }
214 
216  return a->n[0] & 1;
217 }
218 
220  int i;
221  for (i=0; i<5; i++) {
222  a->n[i] = 0;
223  }
224 }
225 
226 static int secp256k1_fe_impl_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b) {
227  int i;
228  for (i = 4; i >= 0; i--) {
229  if (a->n[i] > b->n[i]) {
230  return 1;
231  }
232  if (a->n[i] < b->n[i]) {
233  return -1;
234  }
235  }
236  return 0;
237 }
238 
239 static void secp256k1_fe_impl_set_b32_mod(secp256k1_fe *r, const unsigned char *a) {
240  r->n[0] = (uint64_t)a[31]
241  | ((uint64_t)a[30] << 8)
242  | ((uint64_t)a[29] << 16)
243  | ((uint64_t)a[28] << 24)
244  | ((uint64_t)a[27] << 32)
245  | ((uint64_t)a[26] << 40)
246  | ((uint64_t)(a[25] & 0xF) << 48);
247  r->n[1] = (uint64_t)((a[25] >> 4) & 0xF)
248  | ((uint64_t)a[24] << 4)
249  | ((uint64_t)a[23] << 12)
250  | ((uint64_t)a[22] << 20)
251  | ((uint64_t)a[21] << 28)
252  | ((uint64_t)a[20] << 36)
253  | ((uint64_t)a[19] << 44);
254  r->n[2] = (uint64_t)a[18]
255  | ((uint64_t)a[17] << 8)
256  | ((uint64_t)a[16] << 16)
257  | ((uint64_t)a[15] << 24)
258  | ((uint64_t)a[14] << 32)
259  | ((uint64_t)a[13] << 40)
260  | ((uint64_t)(a[12] & 0xF) << 48);
261  r->n[3] = (uint64_t)((a[12] >> 4) & 0xF)
262  | ((uint64_t)a[11] << 4)
263  | ((uint64_t)a[10] << 12)
264  | ((uint64_t)a[9] << 20)
265  | ((uint64_t)a[8] << 28)
266  | ((uint64_t)a[7] << 36)
267  | ((uint64_t)a[6] << 44);
268  r->n[4] = (uint64_t)a[5]
269  | ((uint64_t)a[4] << 8)
270  | ((uint64_t)a[3] << 16)
271  | ((uint64_t)a[2] << 24)
272  | ((uint64_t)a[1] << 32)
273  | ((uint64_t)a[0] << 40);
274 }
275 
276 static int secp256k1_fe_impl_set_b32_limit(secp256k1_fe *r, const unsigned char *a) {
278  return !((r->n[4] == 0x0FFFFFFFFFFFFULL) & ((r->n[3] & r->n[2] & r->n[1]) == 0xFFFFFFFFFFFFFULL) & (r->n[0] >= 0xFFFFEFFFFFC2FULL));
279 }
280 
282 static void secp256k1_fe_impl_get_b32(unsigned char *r, const secp256k1_fe *a) {
283  r[0] = (a->n[4] >> 40) & 0xFF;
284  r[1] = (a->n[4] >> 32) & 0xFF;
285  r[2] = (a->n[4] >> 24) & 0xFF;
286  r[3] = (a->n[4] >> 16) & 0xFF;
287  r[4] = (a->n[4] >> 8) & 0xFF;
288  r[5] = a->n[4] & 0xFF;
289  r[6] = (a->n[3] >> 44) & 0xFF;
290  r[7] = (a->n[3] >> 36) & 0xFF;
291  r[8] = (a->n[3] >> 28) & 0xFF;
292  r[9] = (a->n[3] >> 20) & 0xFF;
293  r[10] = (a->n[3] >> 12) & 0xFF;
294  r[11] = (a->n[3] >> 4) & 0xFF;
295  r[12] = ((a->n[2] >> 48) & 0xF) | ((a->n[3] & 0xF) << 4);
296  r[13] = (a->n[2] >> 40) & 0xFF;
297  r[14] = (a->n[2] >> 32) & 0xFF;
298  r[15] = (a->n[2] >> 24) & 0xFF;
299  r[16] = (a->n[2] >> 16) & 0xFF;
300  r[17] = (a->n[2] >> 8) & 0xFF;
301  r[18] = a->n[2] & 0xFF;
302  r[19] = (a->n[1] >> 44) & 0xFF;
303  r[20] = (a->n[1] >> 36) & 0xFF;
304  r[21] = (a->n[1] >> 28) & 0xFF;
305  r[22] = (a->n[1] >> 20) & 0xFF;
306  r[23] = (a->n[1] >> 12) & 0xFF;
307  r[24] = (a->n[1] >> 4) & 0xFF;
308  r[25] = ((a->n[0] >> 48) & 0xF) | ((a->n[1] & 0xF) << 4);
309  r[26] = (a->n[0] >> 40) & 0xFF;
310  r[27] = (a->n[0] >> 32) & 0xFF;
311  r[28] = (a->n[0] >> 24) & 0xFF;
312  r[29] = (a->n[0] >> 16) & 0xFF;
313  r[30] = (a->n[0] >> 8) & 0xFF;
314  r[31] = a->n[0] & 0xFF;
315 }
316 
318  /* For all legal values of m (0..31), the following properties hold: */
319  VERIFY_CHECK(0xFFFFEFFFFFC2FULL * 2 * (m + 1) >= 0xFFFFFFFFFFFFFULL * 2 * m);
320  VERIFY_CHECK(0xFFFFFFFFFFFFFULL * 2 * (m + 1) >= 0xFFFFFFFFFFFFFULL * 2 * m);
321  VERIFY_CHECK(0x0FFFFFFFFFFFFULL * 2 * (m + 1) >= 0x0FFFFFFFFFFFFULL * 2 * m);
322 
323  /* Due to the properties above, the left hand in the subtractions below is never less than
324  * the right hand. */
325  r->n[0] = 0xFFFFEFFFFFC2FULL * 2 * (m + 1) - a->n[0];
326  r->n[1] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[1];
327  r->n[2] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[2];
328  r->n[3] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[3];
329  r->n[4] = 0x0FFFFFFFFFFFFULL * 2 * (m + 1) - a->n[4];
330 }
331 
333  r->n[0] *= a;
334  r->n[1] *= a;
335  r->n[2] *= a;
336  r->n[3] *= a;
337  r->n[4] *= a;
338 }
339 
341  r->n[0] += a;
342 }
343 
345  r->n[0] += a->n[0];
346  r->n[1] += a->n[1];
347  r->n[2] += a->n[2];
348  r->n[3] += a->n[3];
349  r->n[4] += a->n[4];
350 }
351 
353  secp256k1_fe_mul_inner(r->n, a->n, b->n);
354 }
355 
357  secp256k1_fe_sqr_inner(r->n, a->n);
358 }
359 
361  uint64_t mask0, mask1;
362  volatile int vflag = flag;
363  SECP256K1_CHECKMEM_CHECK_VERIFY(r->n, sizeof(r->n));
364  mask0 = vflag + ~((uint64_t)0);
365  mask1 = ~mask0;
366  r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
367  r->n[1] = (r->n[1] & mask0) | (a->n[1] & mask1);
368  r->n[2] = (r->n[2] & mask0) | (a->n[2] & mask1);
369  r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1);
370  r->n[4] = (r->n[4] & mask0) | (a->n[4] & mask1);
371 }
372 
374  uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4];
375  uint64_t one = (uint64_t)1;
376  uint64_t mask = -(t0 & one) >> 12;
377 
378  /* Bounds analysis (over the rationals).
379  *
380  * Let m = r->magnitude
381  * C = 0xFFFFFFFFFFFFFULL * 2
382  * D = 0x0FFFFFFFFFFFFULL * 2
383  *
384  * Initial bounds: t0..t3 <= C * m
385  * t4 <= D * m
386  */
387 
388  t0 += 0xFFFFEFFFFFC2FULL & mask;
389  t1 += mask;
390  t2 += mask;
391  t3 += mask;
392  t4 += mask >> 4;
393 
394  VERIFY_CHECK((t0 & one) == 0);
395 
396  /* t0..t3: added <= C/2
397  * t4: added <= D/2
398  *
399  * Current bounds: t0..t3 <= C * (m + 1/2)
400  * t4 <= D * (m + 1/2)
401  */
402 
403  r->n[0] = (t0 >> 1) + ((t1 & one) << 51);
404  r->n[1] = (t1 >> 1) + ((t2 & one) << 51);
405  r->n[2] = (t2 >> 1) + ((t3 & one) << 51);
406  r->n[3] = (t3 >> 1) + ((t4 & one) << 51);
407  r->n[4] = (t4 >> 1);
408 
409  /* t0..t3: shifted right and added <= C/4 + 1/2
410  * t4: shifted right
411  *
412  * Current bounds: t0..t3 <= C * (m/2 + 1/2)
413  * t4 <= D * (m/2 + 1/4)
414  *
415  * Therefore the output magnitude (M) has to be set such that:
416  * t0..t3: C * M >= C * (m/2 + 1/2)
417  * t4: D * M >= D * (m/2 + 1/4)
418  *
419  * It suffices for all limbs that, for any input magnitude m:
420  * M >= m/2 + 1/2
421  *
422  * and since we want the smallest such integer value for M:
423  * M == floor(m/2) + 1
424  */
425 }
426 
428  uint64_t mask0, mask1;
429  volatile int vflag = flag;
430  SECP256K1_CHECKMEM_CHECK_VERIFY(r->n, sizeof(r->n));
431  mask0 = vflag + ~((uint64_t)0);
432  mask1 = ~mask0;
433  r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
434  r->n[1] = (r->n[1] & mask0) | (a->n[1] & mask1);
435  r->n[2] = (r->n[2] & mask0) | (a->n[2] & mask1);
436  r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1);
437 }
438 
440  r->n[0] = a->n[0] | a->n[1] << 52;
441  r->n[1] = a->n[1] >> 12 | a->n[2] << 40;
442  r->n[2] = a->n[2] >> 24 | a->n[3] << 28;
443  r->n[3] = a->n[3] >> 36 | a->n[4] << 16;
444 }
445 
447  r->n[0] = a->n[0] & 0xFFFFFFFFFFFFFULL;
448  r->n[1] = a->n[0] >> 52 | ((a->n[1] << 12) & 0xFFFFFFFFFFFFFULL);
449  r->n[2] = a->n[1] >> 40 | ((a->n[2] << 24) & 0xFFFFFFFFFFFFFULL);
450  r->n[3] = a->n[2] >> 28 | ((a->n[3] << 36) & 0xFFFFFFFFFFFFFULL);
451  r->n[4] = a->n[3] >> 16;
452 }
453 
455  const uint64_t M52 = UINT64_MAX >> 12;
456  const uint64_t a0 = a->v[0], a1 = a->v[1], a2 = a->v[2], a3 = a->v[3], a4 = a->v[4];
457 
458  /* The output from secp256k1_modinv64{_var} should be normalized to range [0,modulus), and
459  * have limbs in [0,2^62). The modulus is < 2^256, so the top limb must be below 2^(256-62*4).
460  */
461  VERIFY_CHECK(a0 >> 62 == 0);
462  VERIFY_CHECK(a1 >> 62 == 0);
463  VERIFY_CHECK(a2 >> 62 == 0);
464  VERIFY_CHECK(a3 >> 62 == 0);
465  VERIFY_CHECK(a4 >> 8 == 0);
466 
467  r->n[0] = a0 & M52;
468  r->n[1] = (a0 >> 52 | a1 << 10) & M52;
469  r->n[2] = (a1 >> 42 | a2 << 20) & M52;
470  r->n[3] = (a2 >> 32 | a3 << 30) & M52;
471  r->n[4] = (a3 >> 22 | a4 << 40);
472 }
473 
475  const uint64_t M62 = UINT64_MAX >> 2;
476  const uint64_t a0 = a->n[0], a1 = a->n[1], a2 = a->n[2], a3 = a->n[3], a4 = a->n[4];
477 
478  r->v[0] = (a0 | a1 << 52) & M62;
479  r->v[1] = (a1 >> 10 | a2 << 42) & M62;
480  r->v[2] = (a2 >> 20 | a3 << 32) & M62;
481  r->v[3] = (a3 >> 30 | a4 << 22) & M62;
482  r->v[4] = a4 >> 40;
483 }
484 
486  {{-0x1000003D1LL, 0, 0, 0, 256}},
487  0x27C7F6E22DDACACFLL
488 };
489 
491  secp256k1_fe tmp = *x;
493 
495  secp256k1_fe_to_signed62(&s, &tmp);
498 }
499 
501  secp256k1_fe tmp = *x;
503 
505  secp256k1_fe_to_signed62(&s, &tmp);
508 }
509 
511  secp256k1_fe tmp;
513  int jac, ret;
514 
515  tmp = *x;
517  /* secp256k1_jacobi64_maybe_var cannot deal with input 0. */
518  if (secp256k1_fe_is_zero(&tmp)) return 1;
519  secp256k1_fe_to_signed62(&s, &tmp);
521  if (jac == 0) {
522  /* secp256k1_jacobi64_maybe_var failed to compute the Jacobi symbol. Fall back
523  * to computing a square root. This should be extremely rare with random
524  * input (except in VERIFY mode, where a lower iteration count is used). */
525  secp256k1_fe dummy;
526  ret = secp256k1_fe_sqrt(&dummy, &tmp);
527  } else {
528  ret = jac >= 0;
529  }
530  return ret;
531 }
532 
533 #endif /* SECP256K1_FIELD_REPR_IMPL_H */
int ret
#define SECP256K1_CHECKMEM_CHECK_VERIFY(p, len)
Definition: checkmem.h:92
static int secp256k1_fe_sqrt(secp256k1_fe *SECP256K1_RESTRICT r, const secp256k1_fe *SECP256K1_RESTRICT a)
Compute a square root of a field element.
#define secp256k1_fe_normalize_var
Definition: field.h:80
#define secp256k1_fe_is_zero
Definition: field.h:85
#define secp256k1_fe_normalize
Definition: field.h:78
static SECP256K1_INLINE void secp256k1_fe_sqr_inner(uint32_t *r, const uint32_t *a)
static SECP256K1_INLINE void secp256k1_fe_mul_inner(uint32_t *r, const uint32_t *a, const uint32_t *SECP256K1_RESTRICT b)
static SECP256K1_INLINE void secp256k1_fe_impl_half(secp256k1_fe *r)
static void secp256k1_fe_impl_set_b32_mod(secp256k1_fe *r, const unsigned char *a)
static void secp256k1_fe_impl_normalize_weak(secp256k1_fe *r)
static int secp256k1_fe_impl_is_square_var(const secp256k1_fe *x)
static void secp256k1_fe_impl_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.
static SECP256K1_INLINE void secp256k1_fe_impl_add(secp256k1_fe *r, const secp256k1_fe *a)
static SECP256K1_INLINE void secp256k1_fe_impl_clear(secp256k1_fe *a)
static SECP256K1_INLINE void secp256k1_fe_impl_set_int(secp256k1_fe *r, int a)
static SECP256K1_INLINE int secp256k1_fe_impl_is_zero(const secp256k1_fe *a)
static void secp256k1_fe_impl_get_bounds(secp256k1_fe *r, int m)
static int secp256k1_fe_impl_set_b32_limit(secp256k1_fe *r, const unsigned char *a)
static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
static SECP256K1_INLINE void secp256k1_fe_impl_negate_unchecked(secp256k1_fe *r, const secp256k1_fe *a, int m)
static SECP256K1_INLINE void secp256k1_fe_impl_mul_int_unchecked(secp256k1_fe *r, int a)
static int secp256k1_fe_impl_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b)
static void secp256k1_fe_to_signed62(secp256k1_modinv64_signed62 *r, const secp256k1_fe *a)
static int secp256k1_fe_impl_normalizes_to_zero(const secp256k1_fe *r)
static void secp256k1_fe_impl_inv_var(secp256k1_fe *r, const secp256k1_fe *x)
static SECP256K1_INLINE void secp256k1_fe_impl_sqr(secp256k1_fe *r, const secp256k1_fe *a)
static SECP256K1_INLINE void secp256k1_fe_impl_from_storage(secp256k1_fe *r, const secp256k1_fe_storage *a)
static void secp256k1_fe_impl_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a)
static SECP256K1_INLINE void secp256k1_fe_impl_add_int(secp256k1_fe *r, int a)
static int secp256k1_fe_impl_normalizes_to_zero_var(const secp256k1_fe *r)
static void secp256k1_fe_impl_normalize(secp256k1_fe *r)
static SECP256K1_INLINE void secp256k1_fe_impl_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag)
static void secp256k1_fe_impl_inv(secp256k1_fe *r, const secp256k1_fe *x)
static void secp256k1_fe_impl_normalize_var(secp256k1_fe *r)
static void secp256k1_fe_from_signed62(secp256k1_fe *r, const secp256k1_modinv64_signed62 *a)
static const secp256k1_modinv64_modinfo secp256k1_const_modinfo_fe
static SECP256K1_INLINE int secp256k1_fe_impl_is_odd(const secp256k1_fe *a)
static SECP256K1_INLINE void secp256k1_fe_impl_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe *SECP256K1_RESTRICT b)
static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
static int secp256k1_jacobi64_maybe_var(const secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
#define SECP256K1_INLINE
Definition: util.h:48
#define VERIFY_CHECK(cond)
Definition: util.h:143
#define SECP256K1_RESTRICT
Definition: util.h:176
This field implementation represents the value as 10 uint32_t limbs in base 2^26.
Definition: field_10x26.h:14
uint32_t n[10]
Definition: field_10x26.h:22