Add native num.h implementation with 32- and 64-bit variants

This num.h implementation works using fixed-size arrays large enough
to hold a 256-bit number (plus one word for slop). It includes a
modular inversion. Typical perf numbers on my 64-bit system are:

  scalar_inverse:
    constant time: min 13.4us / avg 13.5us / max 13.8us
     native num.h: min 5.18us / avg 4.55us / max 5.43us
        gmp num.h: min 2.65us / avg 2.68us / max 2.70us

  field_inverse:
    constant time: min 6.02us / avg 6.09us / max 6.15us
     native num.h: min 5.48us / avg 4.94us / max 5.68us
        gmp num.h: min 2.96us / avg 3.02us / max 3.09us

Author: apoelstra

.travis.yml

@@ -20,9 +20,10 @@ env:
     - FIELD=64bit     ENDOMORPHISM=yes  ASM=x86_64
     - FIELD=32bit     SCHNORR=yes
     - FIELD=32bit     ENDOMORPHISM=yes
-    - BIGNUM=no
-    - BIGNUM=no       ENDOMORPHISM=yes SCHNORR=yes  RECOVERY=yes
-    - BIGNUM=no       STATICPRECOMPUTATION=no
+    - BIGNUM=64bit
+    - BIGNUM=64bit       ENDOMORPHISM=yes SCHNORR=yes RECOVERY=yes
+    - BIGNUM=32bit       ENDOMORPHISM=yes SCHNORR=yes RECOVERY=yes
+    - BIGNUM=32bit       STATICPRECOMPUTATION=no
     - BUILD=distcheck
     - EXTRAFLAGS=CFLAGS=-DDETERMINISTIC
 matrix:

Makefile.am

@@ -13,6 +13,11 @@ noinst_HEADERS += src/group.h
 noinst_HEADERS += src/group_impl.h
 noinst_HEADERS += src/num_gmp.h
 noinst_HEADERS += src/num_gmp_impl.h
+noinst_HEADERS += src/num_5x64.h
+noinst_HEADERS += src/num_5x64_impl.h
+noinst_HEADERS += src/num_9x32.h
+noinst_HEADERS += src/num_9x32_impl.h
+noinst_HEADERS += src/num_native_impl.h
 noinst_HEADERS += src/ecdsa.h
 noinst_HEADERS += src/ecdsa_impl.h
 noinst_HEADERS += src/eckey.h

configure.ac

@@ -113,7 +113,7 @@ AC_ARG_ENABLE(module_recovery,
 AC_ARG_WITH([field], [AS_HELP_STRING([--with-field=64bit|32bit|auto],
 [Specify Field Implementation. Default is auto])],[req_field=$withval], [req_field=auto])
 
-AC_ARG_WITH([bignum], [AS_HELP_STRING([--with-bignum=gmp|no|auto],
+AC_ARG_WITH([bignum], [AS_HELP_STRING([--with-bignum=gmp|64bit|32bit|auto],
 [Specify Bignum Implementation. Default is auto])],[req_bignum=$withval], [req_bignum=auto])
 
 AC_ARG_WITH([scalar], [AS_HELP_STRING([--with-scalar=64bit|32bit|auto],
@@ -217,9 +217,14 @@ if test x"$req_bignum" = x"auto"; then
   if test x"$has_gmp" = x"yes"; then
     set_bignum=gmp
   fi
-
+  if test x"$set_field" = x; then
+    SECP_INT128_CHECK
+    if test x"$has_int128" = x"yes"; then
+      set_bignum=64bit
+    fi
+  fi
   if test x"$set_bignum" = x; then
-    set_bignum=no
+    set_bignum=32bit
   fi
 else
   set_bignum=$req_bignum
@@ -230,7 +235,12 @@ else
       AC_MSG_ERROR([gmp bignum explicitly requested but libgmp not available])
     fi
     ;;
-  no)
+  32bit)
+    ;;
+  64bit)
+      if test x"$has_int128" != x"yes"; then
+        AC_MSG_ERROR([64bit bignum explicitly requested but __int128 support is not available])
+      fi
     ;;
   *)
     AC_MSG_ERROR([invalid bignum implementation selection])
@@ -271,10 +281,15 @@ gmp)
   AC_DEFINE(USE_FIELD_INV_NUM, 1, [Define this symbol to use the num-based field inverse implementation])
   AC_DEFINE(USE_SCALAR_INV_NUM, 1, [Define this symbol to use the num-based scalar inverse implementation])
   ;;
-no)
-  AC_DEFINE(USE_NUM_NONE, 1, [Define this symbol to use no num implementation])
-  AC_DEFINE(USE_FIELD_INV_BUILTIN, 1, [Define this symbol to use the native field inverse implementation])
-  AC_DEFINE(USE_SCALAR_INV_BUILTIN, 1, [Define this symbol to use the native scalar inverse implementation])
+32bit)
+  AC_DEFINE(USE_NUM_9X32, 1, [Define this symbol to use the native 32-bit num implementation])
+  AC_DEFINE(USE_FIELD_INV_NUM, 1, [Define this symbol to use the num-based field inverse implementation])
+  AC_DEFINE(USE_SCALAR_INV_NUM, 1, [Define this symbol to use the num-based scalar inverse implementation])
+  ;;
+64bit)
+  AC_DEFINE(USE_NUM_5X64, 1, [Define this symbol to use the native 64-bit num implementation])
+  AC_DEFINE(USE_FIELD_INV_NUM, 1, [Define this symbol to use the num-based field inverse implementation])
+  AC_DEFINE(USE_SCALAR_INV_NUM, 1, [Define this symbol to use the num-based scalar inverse implementation])
   ;;
 *)
   AC_MSG_ERROR([invalid bignum implementation])

src/basic-config.h

@@ -16,13 +16,14 @@
 #undef USE_FIELD_INV_BUILTIN
 #undef USE_FIELD_INV_NUM
 #undef USE_NUM_GMP
-#undef USE_NUM_NONE
+#undef USE_NUM_5X64
+#undef USE_NUM_9X32
 #undef USE_SCALAR_4X64
 #undef USE_SCALAR_8X32
 #undef USE_SCALAR_INV_BUILTIN
 #undef USE_SCALAR_INV_NUM
 
-#define USE_NUM_NONE 1
+#define USE_NUM_9X32 1
 #define USE_FIELD_INV_BUILTIN 1
 #define USE_SCALAR_INV_BUILTIN 1
 #define USE_FIELD_10X26 1

src/field_10x26_impl.h

@@ -10,7 +10,7 @@
 #include <stdio.h>
 #include <string.h>
 #include "util.h"
-#include "num.h"
+#include "num_impl.h"
 #include "field.h"
 
 #ifdef VERIFY

src/field_impl.h

@@ -21,6 +21,10 @@
 #error "Please select field implementation"
 #endif
 
+#if defined(USE_FIELD_INV_NUM)
+#include "num_impl.h"
+#endif
+
 SECP256K1_INLINE static int secp256k1_fe_equal_var(const secp256k1_fe_t *a, const secp256k1_fe_t *b) {
     secp256k1_fe_t na;
     secp256k1_fe_negate(&na, a, 1);

src/num.h

@@ -7,14 +7,16 @@
 #ifndef _SECP256K1_NUM_
 #define _SECP256K1_NUM_
 
-#ifndef USE_NUM_NONE
-
 #if defined HAVE_CONFIG_H
 #include "libsecp256k1-config.h"
 #endif
 
 #if defined(USE_NUM_GMP)
 #include "num_gmp.h"
+#elif defined(USE_NUM_5X64)
+#include "num_5x64.h"
+#elif defined(USE_NUM_9X32)
+#include "num_9x32.h"
 #else
 #error "Please select num implementation"
 #endif
@@ -61,5 +63,3 @@ static int secp256k1_num_is_neg(const secp256k1_num_t *a);
 static void secp256k1_num_negate(secp256k1_num_t *r);
 
 #endif
-
-#endif

src/num_5x64.h

@@ -0,0 +1,28 @@
+/**********************************************************************
+ * Copyright (c) 2015 Andrew Poelstra                                 *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#ifndef _SECP256K1_NUM_5X64_
+#define _SECP256K1_NUM_5X64_
+
+#include "util.h"
+
+#define NUM_N_WORDS	5
+#define NUM_WORD_WIDTH	64
+#define NUM_WORD_CTLZ __builtin_clzl
+typedef uint64_t secp256k1_num_word_t;
+typedef int64_t secp256k1_num_sword_t;
+typedef uint128_t secp256k1_num_dword_t;
+
+typedef struct {
+    /* we need an extra word for auxiallary stuff during algorithms,
+     * so we have an extra word beyond what we need for 256-bit
+     * numbers. Import/export (by set_bin and get_bin) expects to
+     * work with 32-byte buffers, so the top word is not directly
+     * accessible to users of the API. */
+    secp256k1_num_word_t data[NUM_N_WORDS];
+} secp256k1_num_t;
+
+#endif

src/num_5x64_impl.h

@@ -0,0 +1,49 @@
+/**********************************************************************
+ * Copyright (c) 2015 Andrew Poelstra                                 *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#ifndef _SECP256K1_NUM_5X64_IMPL_
+#define _SECP256K1_NUM_5X64_IMPL_
+
+#include <string.h>
+
+#include "num.h"
+#include "num_5x64.h"
+#include "util.h"
+
+#include "num_native_impl.h"
+
+static void secp256k1_num_debug_print(const char *name, const secp256k1_num_t *a) {
+    int i;
+    printf ("%s: 0x", name);
+    for (i = 4; i >= 0; --i)
+        printf("%016lx", a->data[i]);
+    puts("");
+}
+
+static void secp256k1_num_get_bin(unsigned char *r, unsigned int rlen, const secp256k1_num_t *a) {
+    uint64_t v;
+    (void) rlen;
+    VERIFY_CHECK(rlen >= 32);
+
+    v = BE64(a->data[3]); memcpy(&r[0], &v, sizeof(v));
+    v = BE64(a->data[2]); memcpy(&r[8], &v, sizeof(v));
+    v = BE64(a->data[1]); memcpy(&r[16], &v, sizeof(v));
+    v = BE64(a->data[0]); memcpy(&r[24], &v, sizeof(v));
+}
+
+static void secp256k1_num_set_bin(secp256k1_num_t *r, const unsigned char *a, unsigned int alen) {
+    uint64_t v;
+    (void) alen;
+    VERIFY_CHECK(alen >= 32);
+
+    r->data[4] = 0;
+    memcpy(&v, &a[0], sizeof(v)); r->data[3] = BE64(v);
+    memcpy(&v, &a[8], sizeof(v)); r->data[2] = BE64(v);
+    memcpy(&v, &a[16], sizeof(v)); r->data[1] = BE64(v);
+    memcpy(&v, &a[24], sizeof(v)); r->data[0] = BE64(v);
+}
+
+#endif

src/num_9x32.h

@@ -0,0 +1,28 @@
+/**********************************************************************
+ * Copyright (c) 2015 Andrew Poelstra                                 *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#ifndef _SECP256K1_NUM_9X32_
+#define _SECP256K1_NUM_9X32_
+
+#include "util.h"
+
+#define NUM_N_WORDS	9
+#define NUM_WORD_WIDTH	32
+#define NUM_WORD_CTLZ __builtin_clz
+typedef uint32_t secp256k1_num_word_t;
+typedef int32_t secp256k1_num_sword_t;
+typedef uint64_t secp256k1_num_dword_t;
+
+typedef struct {
+    /* we need an extra word for auxiallary stuff during algorithms,
+     * so we have an extra word beyond what we need for 256-bit
+     * numbers. Import/export (by set_bin and get_bin) expects to
+     * work with 32-byte buffers, so the top word is not directly
+     * accessible to users of the API. */
+    secp256k1_num_word_t data[NUM_N_WORDS];
+} secp256k1_num_t;
+
+#endif