Bitcoin Core  27.99.0
P2P Digital Currency
group.h File Reference
#include "field.h"

Classes

struct  secp256k1_ge
 A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve of the form y^2 = x^3 + 7*t^6. More...
 
struct  secp256k1_gej
 A group element of the secp256k1 curve, in jacobian coordinates. More...
 
struct  secp256k1_ge_storage
 

Macros

#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)   {SECP256K1_FE_CONST((a),(b),(c),(d),(e),(f),(g),(h)), SECP256K1_FE_CONST((i),(j),(k),(l),(m),(n),(o),(p)), 0}
 
#define SECP256K1_GE_CONST_INFINITY   {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), 1}
 
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)   {SECP256K1_FE_CONST((a),(b),(c),(d),(e),(f),(g),(h)), SECP256K1_FE_CONST((i),(j),(k),(l),(m),(n),(o),(p)), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1), 0}
 
#define SECP256K1_GEJ_CONST_INFINITY   {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), 1}
 
#define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)   {SECP256K1_FE_STORAGE_CONST((a),(b),(c),(d),(e),(f),(g),(h)), SECP256K1_FE_STORAGE_CONST((i),(j),(k),(l),(m),(n),(o),(p))}
 
#define SECP256K1_GE_STORAGE_CONST_GET(t)   SECP256K1_FE_STORAGE_CONST_GET(t.x), SECP256K1_FE_STORAGE_CONST_GET(t.y)
 
#define SECP256K1_GE_X_MAGNITUDE_MAX   4
 Maximum allowed magnitudes for group element coordinates in affine (x, y) and jacobian (x, y, z) representation. More...
 
#define SECP256K1_GE_Y_MAGNITUDE_MAX   3
 
#define SECP256K1_GEJ_X_MAGNITUDE_MAX   4
 
#define SECP256K1_GEJ_Y_MAGNITUDE_MAX   4
 
#define SECP256K1_GEJ_Z_MAGNITUDE_MAX   1
 
#define SECP256K1_GE_VERIFY(a)   secp256k1_ge_verify(a)
 
#define SECP256K1_GEJ_VERIFY(a)   secp256k1_gej_verify(a)
 

Functions

static void secp256k1_ge_set_xy (secp256k1_ge *r, const secp256k1_fe *x, const secp256k1_fe *y)
 Set a group element equal to the point with given X and Y coordinates. More...
 
static int secp256k1_ge_set_xo_var (secp256k1_ge *r, const secp256k1_fe *x, int odd)
 Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y. More...
 
static int secp256k1_ge_x_on_curve_var (const secp256k1_fe *x)
 Determine whether x is a valid X coordinate on the curve. More...
 
static int secp256k1_ge_x_frac_on_curve_var (const secp256k1_fe *xn, const secp256k1_fe *xd)
 Determine whether fraction xn/xd is a valid X coordinate on the curve (xd != 0). More...
 
static int secp256k1_ge_is_infinity (const secp256k1_ge *a)
 Check whether a group element is the point at infinity. More...
 
static int secp256k1_ge_is_valid_var (const secp256k1_ge *a)
 Check whether a group element is valid (i.e., on the curve). More...
 
static void secp256k1_ge_neg (secp256k1_ge *r, const secp256k1_ge *a)
 Set r equal to the inverse of a (i.e., mirrored around the X axis) More...
 
static void secp256k1_ge_set_gej (secp256k1_ge *r, secp256k1_gej *a)
 Set a group element equal to another which is given in jacobian coordinates. More...
 
static void secp256k1_ge_set_gej_var (secp256k1_ge *r, secp256k1_gej *a)
 Set a group element equal to another which is given in jacobian coordinates. More...
 
static void secp256k1_ge_set_all_gej_var (secp256k1_ge *r, const secp256k1_gej *a, size_t len)
 Set a batch of group elements equal to the inputs given in jacobian coordinates. More...
 
static void secp256k1_ge_table_set_globalz (size_t len, secp256k1_ge *a, const secp256k1_fe *zr)
 Bring a batch of inputs to the same global z "denominator", based on ratios between (omitted) z coordinates of adjacent elements. More...
 
static int secp256k1_ge_eq_var (const secp256k1_ge *a, const secp256k1_ge *b)
 Check two group elements (affine) for equality in variable time. More...
 
static void secp256k1_ge_set_infinity (secp256k1_ge *r)
 Set a group element (affine) equal to the point at infinity. More...
 
static void secp256k1_gej_set_infinity (secp256k1_gej *r)
 Set a group element (jacobian) equal to the point at infinity. More...
 
static void secp256k1_gej_set_ge (secp256k1_gej *r, const secp256k1_ge *a)
 Set a group element (jacobian) equal to another which is given in affine coordinates. More...
 
static int secp256k1_gej_eq_var (const secp256k1_gej *a, const secp256k1_gej *b)
 Check two group elements (jacobian) for equality in variable time. More...
 
static int secp256k1_gej_eq_ge_var (const secp256k1_gej *a, const secp256k1_ge *b)
 Check two group elements (jacobian and affine) for equality in variable time. More...
 
static int secp256k1_gej_eq_x_var (const secp256k1_fe *x, const secp256k1_gej *a)
 Compare the X coordinate of a group element (jacobian). More...
 
static void secp256k1_gej_neg (secp256k1_gej *r, const secp256k1_gej *a)
 Set r equal to the inverse of a (i.e., mirrored around the X axis) More...
 
static int secp256k1_gej_is_infinity (const secp256k1_gej *a)
 Check whether a group element is the point at infinity. More...
 
static void secp256k1_gej_double (secp256k1_gej *r, const secp256k1_gej *a)
 Set r equal to the double of a. More...
 
static void secp256k1_gej_double_var (secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
 Set r equal to the double of a. More...
 
static void secp256k1_gej_add_var (secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
 Set r equal to the sum of a and b. More...
 
static void secp256k1_gej_add_ge (secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
 Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity). More...
 
static void secp256k1_gej_add_ge_var (secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
 Set r equal to the sum of a and b (with b given in affine coordinates). More...
 
static void secp256k1_gej_add_zinv_var (secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
 Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv). More...
 
static void secp256k1_ge_mul_lambda (secp256k1_ge *r, const secp256k1_ge *a)
 Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast. More...
 
static void secp256k1_gej_clear (secp256k1_gej *r)
 Clear a secp256k1_gej to prevent leaking sensitive information. More...
 
static void secp256k1_ge_clear (secp256k1_ge *r)
 Clear a secp256k1_ge to prevent leaking sensitive information. More...
 
static void secp256k1_ge_to_storage (secp256k1_ge_storage *r, const secp256k1_ge *a)
 Convert a group element to the storage type. More...
 
static void secp256k1_ge_from_storage (secp256k1_ge *r, const secp256k1_ge_storage *a)
 Convert a group element back from the storage type. More...
 
static void secp256k1_gej_cmov (secp256k1_gej *r, const secp256k1_gej *a, int flag)
 If flag is true, set *r equal to *a; otherwise leave it. More...
 
static void secp256k1_ge_storage_cmov (secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
 If flag is true, set *r equal to *a; otherwise leave it. More...
 
static void secp256k1_gej_rescale (secp256k1_gej *r, const secp256k1_fe *b)
 Rescale a jacobian point by b which must be non-zero. More...
 
static int secp256k1_ge_is_in_correct_subgroup (const secp256k1_ge *ge)
 Determine if a point (which is assumed to be on the curve) is in the correct (sub)group of the curve. More...
 
static void secp256k1_ge_verify (const secp256k1_ge *a)
 Check invariants on an affine group element (no-op unless VERIFY is enabled). More...
 
static void secp256k1_gej_verify (const secp256k1_gej *a)
 Check invariants on a Jacobian group element (no-op unless VERIFY is enabled). More...
 

Macro Definition Documentation

◆ SECP256K1_GE_CONST

#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)   {SECP256K1_FE_CONST((a),(b),(c),(d),(e),(f),(g),(h)), SECP256K1_FE_CONST((i),(j),(k),(l),(m),(n),(o),(p)), 0}

Definition at line 22 of file group.h.

◆ SECP256K1_GE_CONST_INFINITY

#define SECP256K1_GE_CONST_INFINITY   {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), 1}

Definition at line 23 of file group.h.

◆ SECP256K1_GE_STORAGE_CONST

#define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)   {SECP256K1_FE_STORAGE_CONST((a),(b),(c),(d),(e),(f),(g),(h)), SECP256K1_FE_STORAGE_CONST((i),(j),(k),(l),(m),(n),(o),(p))}

Definition at line 43 of file group.h.

◆ SECP256K1_GE_STORAGE_CONST_GET

#define SECP256K1_GE_STORAGE_CONST_GET (   t)    SECP256K1_FE_STORAGE_CONST_GET(t.x), SECP256K1_FE_STORAGE_CONST_GET(t.y)

Definition at line 45 of file group.h.

◆ SECP256K1_GE_VERIFY

#define SECP256K1_GE_VERIFY (   a)    secp256k1_ge_verify(a)

Definition at line 190 of file group.h.

◆ SECP256K1_GE_X_MAGNITUDE_MAX

#define SECP256K1_GE_X_MAGNITUDE_MAX   4

Maximum allowed magnitudes for group element coordinates in affine (x, y) and jacobian (x, y, z) representation.

Definition at line 49 of file group.h.

◆ SECP256K1_GE_Y_MAGNITUDE_MAX

#define SECP256K1_GE_Y_MAGNITUDE_MAX   3

Definition at line 50 of file group.h.

◆ SECP256K1_GEJ_CONST

#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)   {SECP256K1_FE_CONST((a),(b),(c),(d),(e),(f),(g),(h)), SECP256K1_FE_CONST((i),(j),(k),(l),(m),(n),(o),(p)), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1), 0}

Definition at line 35 of file group.h.

◆ SECP256K1_GEJ_CONST_INFINITY

#define SECP256K1_GEJ_CONST_INFINITY   {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), 1}

Definition at line 36 of file group.h.

◆ SECP256K1_GEJ_VERIFY

#define SECP256K1_GEJ_VERIFY (   a)    secp256k1_gej_verify(a)

Definition at line 194 of file group.h.

◆ SECP256K1_GEJ_X_MAGNITUDE_MAX

#define SECP256K1_GEJ_X_MAGNITUDE_MAX   4

Definition at line 51 of file group.h.

◆ SECP256K1_GEJ_Y_MAGNITUDE_MAX

#define SECP256K1_GEJ_Y_MAGNITUDE_MAX   4

Definition at line 52 of file group.h.

◆ SECP256K1_GEJ_Z_MAGNITUDE_MAX

#define SECP256K1_GEJ_Z_MAGNITUDE_MAX   1

Definition at line 53 of file group.h.

Function Documentation

◆ secp256k1_ge_clear()

static void secp256k1_ge_clear (secp256k1_ge *r)

Clear a secp256k1_ge to prevent leaking sensitive information.


◆ secp256k1_ge_eq_var()

static int secp256k1_ge_eq_var (const secp256k1_ge *a, const secp256k1_ge *b)

Check two group elements (affine) for equality in variable time.


◆ secp256k1_ge_from_storage()

static void secp256k1_ge_from_storage (secp256k1_ge *r, const secp256k1_ge_storage *a)

Convert a group element back from the storage type.


◆ secp256k1_ge_is_in_correct_subgroup()

static int secp256k1_ge_is_in_correct_subgroup (const secp256k1_ge *ge)

Determine if a point (which is assumed to be on the curve) is in the correct (sub)group of the curve.

In normal mode, the group used is secp256k1, which has cofactor 1, meaning that every point on the curve is in the group, and this function always returns true.

When compiling in exhaustive test mode, a slightly different curve equation is used, leading to a group with a (very) small subgroup, and that subgroup is what is used for all cryptographic operations. In that mode, this function checks whether a point that is on the curve is in fact also in that subgroup.


◆ secp256k1_ge_is_infinity()

static int secp256k1_ge_is_infinity (const secp256k1_ge *a)

Check whether a group element is the point at infinity.


◆ secp256k1_ge_is_valid_var()

static int secp256k1_ge_is_valid_var (const secp256k1_ge *a)

Check whether a group element is valid (i.e., on the curve).


◆ secp256k1_ge_mul_lambda()

static void secp256k1_ge_mul_lambda (secp256k1_ge *r, const secp256k1_ge *a)

Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast.


◆ secp256k1_ge_neg()

static void secp256k1_ge_neg (secp256k1_ge *r, const secp256k1_ge *a)

Set r equal to the inverse of a (i.e., mirrored around the X axis)


◆ secp256k1_ge_set_all_gej_var()

static void secp256k1_ge_set_all_gej_var (secp256k1_ge *r, const secp256k1_gej *a, size_t len)

Set a batch of group elements equal to the inputs given in jacobian coordinates.


◆ secp256k1_ge_set_gej()

static void secp256k1_ge_set_gej (secp256k1_ge *r, secp256k1_gej *a)

Set a group element equal to another which is given in jacobian coordinates.

Constant time.


◆ secp256k1_ge_set_gej_var()

static void secp256k1_ge_set_gej_var (secp256k1_ge *r, secp256k1_gej *a)

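Set a group element equal to another which is given in jacobian coordinates.

No constant-time guarantee (the _var suffix). secp256k1_ge_set_gej is the constant-time version, and is the one to use when the input depends on secret data.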


◆ secp256k1_ge_set_infinity()

static void secp256k1_ge_set_infinity (secp256k1_ge *r)

Set a group element (affine) equal to the point at infinity.


◆ secp256k1_ge_set_xo_var()

static int secp256k1_ge_set_xo_var (secp256k1_ge *r, const secp256k1_fe *x, int odd)

Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y.

The return value indicates whether the result is valid; callers must check it and must not use r when it reports failure.


◆ secp256k1_ge_set_xy()

static void secp256k1_ge_set_xy (secp256k1_ge *r, const secp256k1_fe *x, const secp256k1_fe *y)

Set a group element equal to the point with given X and Y coordinates.


◆ secp256k1_ge_storage_cmov()

static void secp256k1_ge_storage_cmov (secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)

If flag is true, set *r equal to *a; otherwise leave it.

Constant-time. Both *r and *a must be initialized.


◆ secp256k1_ge_table_set_globalz()

static void secp256k1_ge_table_set_globalz (size_t len, secp256k1_ge *a, const secp256k1_fe *zr)

Bring a batch of inputs to the same global z "denominator", based on ratios between (omitted) z coordinates of adjacent elements.

Although the elements a[i] are _ge rather than _gej, they actually represent elements in Jacobian coordinates with their z coordinates omitted.

Using the notation z(b) to represent the omitted z coordinate of b, the array zr of z coordinate ratios must satisfy zr[i] == z(a[i]) / z(a[i-1]) for 0 < 'i' < len. The zr[0] value is unused.

This function adjusts the coordinates of 'a' in place so that for all 'i', z(a[i]) == z(a[len-1]). In other words, the initial value of z(a[len-1]) becomes the global z "denominator". Only the a[i].x and a[i].y coordinates are explicitly modified; the adjustment of the omitted z coordinate is implicit.

The coordinates of the final element a[len-1] are not changed.


◆ secp256k1_ge_to_storage()

static void secp256k1_ge_to_storage (secp256k1_ge_storage *r, const secp256k1_ge *a)

Convert a group element to the storage type.


◆ secp256k1_ge_verify()

static void secp256k1_ge_verify (const secp256k1_ge *a)

Check invariants on an affine group element (no-op unless VERIFY is enabled).

◆ secp256k1_ge_x_frac_on_curve_var()

static int secp256k1_ge_x_frac_on_curve_var (const secp256k1_fe *xn, const secp256k1_fe *xd)

Determine whether fraction xn/xd is a valid X coordinate on the curve (xd != 0).


◆ secp256k1_ge_x_on_curve_var()

static int secp256k1_ge_x_on_curve_var (const secp256k1_fe *x)

Determine whether x is a valid X coordinate on the curve.


◆ secp256k1_gej_add_ge()

static void secp256k1_gej_add_ge (secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)

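Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).

This is the constant-time addition; secp256k1_gej_add_ge_var is the counterpart without that guarantee, which also allows b to be infinity.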


◆ secp256k1_gej_add_ge_var()

static void secp256k1_gej_add_ge_var (secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)

Set r equal to the sum of a and b (with b given in affine coordinates).

This is more efficient than secp256k1_gej_add_var. It is identical to secp256k1_gej_add_ge but without constant-time guarantee, and b is allowed to be infinity. If rzr is non-NULL this sets *rzr such that r->z == a->z * *rzr (a cannot be infinity in that case).


◆ secp256k1_gej_add_var()

static void secp256k1_gej_add_var (secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)

Set r equal to the sum of a and b.

If rzr is non-NULL this sets *rzr such that r->z == a->z * *rzr (a cannot be infinity in that case).


◆ secp256k1_gej_add_zinv_var()

static void secp256k1_gej_add_zinv_var (secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)

Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv).


◆ secp256k1_gej_clear()

static void secp256k1_gej_clear (secp256k1_gej *r)

Clear a secp256k1_gej to prevent leaking sensitive information.


◆ secp256k1_gej_cmov()

static void secp256k1_gej_cmov (secp256k1_gej *r, const secp256k1_gej *a, int flag)

If flag is true, set *r equal to *a; otherwise leave it.

Constant-time. Both *r and *a must be initialized.


◆ secp256k1_gej_double()

static void secp256k1_gej_double (secp256k1_gej *r, const secp256k1_gej *a)

Set r equal to the double of a.

Constant time.


◆ secp256k1_gej_double_var()

static void secp256k1_gej_double_var (secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)

Set r equal to the double of a.

If rzr is non-NULL this sets *rzr such that r->z == a->z * *rzr (where infinity means an implicit z = 0).


◆ secp256k1_gej_eq_ge_var()

static int secp256k1_gej_eq_ge_var (const secp256k1_gej *a, const secp256k1_ge *b)

Check two group elements (jacobian and affine) for equality in variable time.


◆ secp256k1_gej_eq_var()

static int secp256k1_gej_eq_var (const secp256k1_gej *a, const secp256k1_gej *b)

Check two group elements (jacobian) for equality in variable time.


◆ secp256k1_gej_eq_x_var()

static int secp256k1_gej_eq_x_var (const secp256k1_fe *x, const secp256k1_gej *a)

Compare the X coordinate of a group element (jacobian).

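The magnitude of the group element's X coordinate must not exceed 31. (SECP256K1_GEJ_X_MAGNITUDE_MAX, the maximum allowed X magnitude for a jacobian element, is defined as 4 on this page; which bound actually applies here should be confirmed against the implementation.)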


◆ secp256k1_gej_is_infinity()

static int secp256k1_gej_is_infinity (const secp256k1_gej *a)

Check whether a group element is the point at infinity.


◆ secp256k1_gej_neg()

static void secp256k1_gej_neg (secp256k1_gej *r, const secp256k1_gej *a)

Set r equal to the inverse of a (i.e., mirrored around the X axis)


◆ secp256k1_gej_rescale()

static void secp256k1_gej_rescale (secp256k1_gej *r, const secp256k1_fe *b)

Rescale a jacobian point by b which must be non-zero.

Constant-time.


◆ secp256k1_gej_set_ge()

static void secp256k1_gej_set_ge (secp256k1_gej *r, const secp256k1_ge *a)

Set a group element (jacobian) equal to another which is given in affine coordinates.


◆ secp256k1_gej_set_infinity()

static void secp256k1_gej_set_infinity (secp256k1_gej *r)

Set a group element (jacobian) equal to the point at infinity.


◆ secp256k1_gej_verify()

static void secp256k1_gej_verify (const secp256k1_gej *a)

Check invariants on a Jacobian group element (no-op unless VERIFY is enabled).