Merge pull request #6 from peterdettman/202010_pr767

Rework _update_de and format conversions

Author: sipa

src/field_10x26_impl.h

@@ -1169,58 +1169,31 @@ static void secp256k1_fe_from_signed30(secp256k1_fe *r, const secp256k1_modinv32
     const uint32_t M26 = UINT32_MAX >> 6;
     const uint32_t a0 = a->v[0], a1 = a->v[1], a2 = a->v[2], a3 = a->v[3], a4 = a->v[4],
                    a5 = a->v[5], a6 = a->v[6], a7 = a->v[7], a8 = a->v[8];
-    uint32_t r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, t;
-
-    t = (int32_t)a8 >> 16;
 
     secp256k1_modinv32_signed30_verify(a);
 
-    /* Add 2P if a8 is "negative". */
-    r0  = 0x3FFF85EUL & t;
-    r1  = 0x3FFFF7FUL & t;
-    r2  = 0x3FFFFFFUL & t;
-    r3  = 0x3FFFFFFUL & t;
-    r4  = 0x3FFFFFFUL & t;
-    r5  = 0x3FFFFFFUL & t;
-    r6  = 0x3FFFFFFUL & t;
-    r7  = 0x3FFFFFFUL & t;
-    r8  = 0x3FFFFFFUL & t;
-    r9  = 0x07FFFFFUL & t;
-
-    r0 +=  a0                   & M26;
-    r1 += (a0 >> 26 | a1 <<  4) & M26;
-    r2 += (a1 >> 22 | a2 <<  8) & M26;
-    r3 += (a2 >> 18 | a3 << 12) & M26;
-    r4 += (a3 >> 14 | a4 << 16) & M26;
-    r5 += (a4 >> 10 | a5 << 20) & M26;
-    r6 += (a5 >>  6 | a6 << 24) & M26;
-    r7 += (a6 >>  2           ) & M26;
-    r8 += (a6 >> 28 | a7 <<  2) & M26;
-    r9 += (a7 >> 24 | a8 <<  6);
-
-    r->n[0] = r0;
-    r->n[1] = r1;
-    r->n[2] = r2;
-    r->n[3] = r3;
-    r->n[4] = r4;
-    r->n[5] = r5;
-    r->n[6] = r6;
-    r->n[7] = r7;
-    r->n[8] = r8;
-    r->n[9] = r9;
+    r->n[0] =  a0                   & M26;
+    r->n[1] = (a0 >> 26 | a1 <<  4) & M26;
+    r->n[2] = (a1 >> 22 | a2 <<  8) & M26;
+    r->n[3] = (a2 >> 18 | a3 << 12) & M26;
+    r->n[4] = (a3 >> 14 | a4 << 16) & M26;
+    r->n[5] = (a4 >> 10 | a5 << 20) & M26;
+    r->n[6] = (a5 >>  6 | a6 << 24) & M26;
+    r->n[7] = (a6 >>  2           ) & M26;
+    r->n[8] = (a6 >> 28 | a7 <<  2) & M26;
+    r->n[9] = (a7 >> 24 | a8 <<  6);
 
 #ifdef VERIFY
     r->magnitude = 1;
-    r->normalized = 0;
+    r->normalized = 1;
     secp256k1_fe_verify(r);
 #endif
 }
 
 static void secp256k1_fe_to_signed30(secp256k1_modinv32_signed30 *r, const secp256k1_fe *a) {
     const uint32_t M30 = UINT32_MAX >> 2;
-    const uint32_t *n = &a->n[0];
-    const uint64_t a0 = n[0], a1 = n[1], a2 = n[2], a3 = n[3], a4 = n[4],
-                   a5 = n[5], a6 = n[6], a7 = n[7], a8 = n[8], a9 = n[9];
+    const uint64_t a0 = a->n[0], a1 = a->n[1], a2 = a->n[2], a3 = a->n[3], a4 = a->n[4],
+                   a5 = a->n[5], a6 = a->n[6], a7 = a->n[7], a8 = a->n[8], a9 = a->n[9];
 
 #ifdef VERIFY
     VERIFY_CHECK(a->normalized);
@@ -1240,11 +1213,10 @@ static void secp256k1_fe_to_signed30(secp256k1_modinv32_signed30 *r, const secp2
 
 static const secp256k1_modinv32_modinfo secp256k1_const_modinfo_fe = {
     {{-0x3D1, -4, 0, 0, 0, 0, 0, 0, 65536}},
-    0x12253531L * 4
+    0x2DDACACFL
 };
 
 static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *x) {
-    int sign;
     secp256k1_fe tmp;
     secp256k1_modinv32_signed30 s;
 #ifdef VERIFY
@@ -1257,19 +1229,15 @@ static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *x) {
     zero_in = secp256k1_fe_normalizes_to_zero(&tmp);
 #endif
     secp256k1_fe_to_signed30(&s, &tmp);
-    secp256k1_modinv32(&sign, &s, &secp256k1_const_modinfo_fe);
+    secp256k1_modinv32(&s, &secp256k1_const_modinfo_fe);
     secp256k1_fe_from_signed30(r, &s);
-    secp256k1_fe_negate(&tmp, r, 1);
-    secp256k1_fe_cmov(r, &tmp, sign);
-    secp256k1_fe_normalize_weak(r);
 
 #ifdef VERIFY
     VERIFY_CHECK(secp256k1_fe_normalizes_to_zero(r) == zero_in);
 #endif
 }
 
 static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *x) {
-    int sign;
     secp256k1_fe tmp;
     secp256k1_modinv32_signed30 s;
 #ifdef VERIFY
@@ -1282,12 +1250,8 @@ static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *x) {
     zero_in = secp256k1_fe_normalizes_to_zero(&tmp);
 #endif
     secp256k1_fe_to_signed30(&s, &tmp);
-    secp256k1_modinv32_var(&sign, &s, &secp256k1_const_modinfo_fe);
+    secp256k1_modinv32_var(&s, &secp256k1_const_modinfo_fe);
     secp256k1_fe_from_signed30(r, &s);
-    if (sign) {
-        secp256k1_fe_negate(r, r, 1);
-        secp256k1_fe_normalize_weak(r);
-    }
 
 #ifdef VERIFY
     VERIFY_CHECK(secp256k1_fe_normalizes_to_zero(r) == zero_in);

src/field_5x52_impl.h

@@ -502,42 +502,25 @@ static SECP256K1_INLINE void secp256k1_fe_from_storage(secp256k1_fe *r, const se
 static void secp256k1_fe_from_signed62(secp256k1_fe *r, const secp256k1_modinv64_signed62 *a) {
     const uint64_t M52 = UINT64_MAX >> 12;
     const uint64_t a0 = a->v[0], a1 = a->v[1], a2 = a->v[2], a3 = a->v[3], a4 = a->v[4];
-    uint64_t r0, r1, r2, r3, r4, t;
 
     secp256k1_modinv64_signed62_verify(a);
 
-    t = (int64_t)a4 >> 8;
-
-    /* Add 2P if a4 is "negative". */
-    r0  = 0xFFFFDFFFFF85EULL & t;
-    r1  = 0xFFFFFFFFFFFFFULL & t;
-    r2  = 0xFFFFFFFFFFFFFULL & t;
-    r3  = 0xFFFFFFFFFFFFFULL & t;
-    r4  = 0x1FFFFFFFFFFFFULL & t;
-
-    r0 +=  a0                   & M52;
-    r1 += (a0 >> 52 | a1 << 10) & M52;
-    r2 += (a1 >> 42 | a2 << 20) & M52;
-    r3 += (a2 >> 32 | a3 << 30) & M52;
-    r4 += (a3 >> 22 | a4 << 40);
-
-    r->n[0] = r0;
-    r->n[1] = r1;
-    r->n[2] = r2;
-    r->n[3] = r3;
-    r->n[4] = r4;
+    r->n[0] =  a0                   & M52;
+    r->n[1] = (a0 >> 52 | a1 << 10) & M52;
+    r->n[2] = (a1 >> 42 | a2 << 20) & M52;
+    r->n[3] = (a2 >> 32 | a3 << 30) & M52;
+    r->n[4] = (a3 >> 22 | a4 << 40);
 
 #ifdef VERIFY
     r->magnitude = 1;
-    r->normalized = 0;
+    r->normalized = 1;
     secp256k1_fe_verify(r);
 #endif
 }
 
 static void secp256k1_fe_to_signed62(secp256k1_modinv64_signed62 *r, const secp256k1_fe *a) {
     const uint64_t M62 = UINT64_MAX >> 2;
-    const uint64_t *n = &a->n[0];
-    const uint64_t a0 = n[0], a1 = n[1], a2 = n[2], a3 = n[3], a4 = n[4];
+    const uint64_t a0 = a->n[0], a1 = a->n[1], a2 = a->n[2], a3 = a->n[3], a4 = a->n[4];
 
 #ifdef VERIFY
     VERIFY_CHECK(a->normalized);
@@ -552,11 +535,10 @@ static void secp256k1_fe_to_signed62(secp256k1_modinv64_signed62 *r, const secp2
 
 static const secp256k1_modinv64_modinfo secp256k1_const_modinfo_fe = {
     {{-0x1000003D1LL, 0, 0, 0, 256}},
-    0x1838091DD2253531LL * 4
+    0x27C7F6E22DDACACFLL
 };
 
 static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *x) {
-    int sign;
     secp256k1_fe tmp;
     secp256k1_modinv64_signed62 s;
 #ifdef VERIFY
@@ -569,19 +551,15 @@ static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *x) {
     zero_in = secp256k1_fe_normalizes_to_zero(&tmp);
 #endif
     secp256k1_fe_to_signed62(&s, &tmp);
-    secp256k1_modinv64(&sign, &s, &secp256k1_const_modinfo_fe);
+    secp256k1_modinv64(&s, &secp256k1_const_modinfo_fe);
     secp256k1_fe_from_signed62(r, &s);
-    secp256k1_fe_negate(&tmp, r, 1);
-    secp256k1_fe_cmov(r, &tmp, sign);
-    secp256k1_fe_normalize_weak(r);
 
 #ifdef VERIFY
     VERIFY_CHECK(secp256k1_fe_normalizes_to_zero(r) == zero_in);
 #endif
 }
 
 static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *x) {
-    int sign;
     secp256k1_fe tmp;
     secp256k1_modinv64_signed62 s;
 #ifdef VERIFY
@@ -594,12 +572,8 @@ static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *x) {
     zero_in = secp256k1_fe_normalizes_to_zero(&tmp);
 #endif
     secp256k1_fe_to_signed62(&s, &tmp);
-    secp256k1_modinv64_var(&sign, &s, &secp256k1_const_modinfo_fe);
+    secp256k1_modinv64_var(&s, &secp256k1_const_modinfo_fe);
     secp256k1_fe_from_signed62(r, &s);
-    if (sign) {
-        secp256k1_fe_negate(r, r, 1);
-        secp256k1_fe_normalize_weak(r);
-    }
 
 #ifdef VERIFY
     VERIFY_CHECK(secp256k1_fe_normalizes_to_zero(r) == zero_in);

src/modinv32.h

@@ -21,12 +21,12 @@ typedef struct {
     /* The modulus in signed30 notation. */
     secp256k1_modinv32_signed30 modulus;
 
-    /* (-modulus^{-1} mod 2^30) * 4 */
-    uint32_t montmul4;
+    /* modulus^{-1} mod 2^30 */
+    int32_t modulus_inv30;
 } secp256k1_modinv32_modinfo;
 
-static void secp256k1_modinv32_signed30_verify(const secp256k1_modinv32_signed30* a);
-static void secp256k1_modinv32(int* sign, secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo* modinfo);
-static void secp256k1_modinv32_var(int* sign, secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo* modinfo);
+static void secp256k1_modinv32_signed30_verify(const secp256k1_modinv32_signed30 *a);
+static void secp256k1_modinv32(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo);
+static void secp256k1_modinv32_var(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo);
 
 #endif /* SECP256K1_MODINV32_H */

src/modinv32_impl.h

@@ -11,8 +11,7 @@
 
 #include "util.h"
 
-static void secp256k1_modinv32_signed30_verify(const secp256k1_modinv32_signed30* a) {
-    /* a must be in the range [-2^256, 2^256). */
+static void secp256k1_modinv32_signed30_verify(const secp256k1_modinv32_signed30 *a) {
     VERIFY_CHECK(a->v[0] >> 30 == 0);
     VERIFY_CHECK(a->v[1] >> 30 == 0);
     VERIFY_CHECK(a->v[2] >> 30 == 0);
@@ -21,7 +20,58 @@ static void secp256k1_modinv32_signed30_verify(const secp256k1_modinv32_signed30
     VERIFY_CHECK(a->v[5] >> 30 == 0);
     VERIFY_CHECK(a->v[6] >> 30 == 0);
     VERIFY_CHECK(a->v[7] >> 30 == 0);
-    VERIFY_CHECK(a->v[8] >> 16 == 0 || a->v[8] >> 16 == -(int32_t)1);
+    VERIFY_CHECK(a->v[8] >> 16 == 0);
+}
+
+static void secp256k1_modinv32_normalize_30(secp256k1_modinv32_signed30 *r, int32_t cond_negate, const secp256k1_modinv32_modinfo *modinfo) {
+    const int32_t M30 = (int32_t)(UINT32_MAX >> 2);
+    int32_t r0 = r->v[0], r1 = r->v[1], r2 = r->v[2], r3 = r->v[3], r4 = r->v[4],
+            r5 = r->v[5], r6 = r->v[6], r7 = r->v[7], r8 = r->v[8];
+    int32_t c, cond_add;
+
+    cond_add = r8 >> 31;
+
+    c  = r0 + (modinfo->modulus.v[0] & cond_add);
+    r0 = c & M30; c >>= 30;
+    c += r1 + (modinfo->modulus.v[1] & cond_add);
+    r1 = c & M30; c >>= 30;
+    c += r2 + (modinfo->modulus.v[2] & cond_add);
+    r2 = c & M30; c >>= 30;
+    c += r3 + (modinfo->modulus.v[3] & cond_add);
+    r3 = c & M30; c >>= 30;
+    c += r4 + (modinfo->modulus.v[4] & cond_add);
+    r4 = c & M30; c >>= 30;
+    c += r5 + (modinfo->modulus.v[5] & cond_add);
+    r5 = c & M30; c >>= 30;
+    c += r6 + (modinfo->modulus.v[6] & cond_add);
+    r6 = c & M30; c >>= 30;
+    c += r7 + (modinfo->modulus.v[7] & cond_add);
+    r7 = c & M30; c >>= 30;
+    c += r8 + (modinfo->modulus.v[8] & cond_add);
+    r8 = c;
+
+    cond_add = (c >> 31) ^ cond_negate;
+
+    c  = (r0 ^ cond_negate) - cond_negate + (modinfo->modulus.v[0] & cond_add);
+    r->v[0] = c & M30; c >>= 30;
+    c += (r1 ^ cond_negate) - cond_negate + (modinfo->modulus.v[1] & cond_add);
+    r->v[1] = c & M30; c >>= 30;
+    c += (r2 ^ cond_negate) - cond_negate + (modinfo->modulus.v[2] & cond_add);
+    r->v[2] = c & M30; c >>= 30;
+    c += (r3 ^ cond_negate) - cond_negate + (modinfo->modulus.v[3] & cond_add);
+    r->v[3] = c & M30; c >>= 30;
+    c += (r4 ^ cond_negate) - cond_negate + (modinfo->modulus.v[4] & cond_add);
+    r->v[4] = c & M30; c >>= 30;
+    c += (r5 ^ cond_negate) - cond_negate + (modinfo->modulus.v[5] & cond_add);
+    r->v[5] = c & M30; c >>= 30;
+    c += (r6 ^ cond_negate) - cond_negate + (modinfo->modulus.v[6] & cond_add);
+    r->v[6] = c & M30; c >>= 30;
+    c += (r7 ^ cond_negate) - cond_negate + (modinfo->modulus.v[7] & cond_add);
+    r->v[7] = c & M30; c >>= 30;
+    c += (r8 ^ cond_negate) - cond_negate + (modinfo->modulus.v[8] & cond_add);
+    r->v[8] = c;
+
+    VERIFY_CHECK(c >> 16 == 0);
 }
 
 static uint32_t secp256k1_modinv32_divsteps_30(uint32_t eta, uint32_t f0, uint32_t g0, int32_t *t) {
@@ -134,20 +184,37 @@ static uint32_t secp256k1_modinv32_divsteps_30_var(uint32_t eta, uint32_t f0, ui
 
 static void secp256k1_modinv32_update_de_30(secp256k1_modinv32_signed30 *d, secp256k1_modinv32_signed30 *e, const int32_t *t, const secp256k1_modinv32_modinfo* modinfo) {
     const int32_t M30 = (int32_t)(UINT32_MAX >> 2);
-    int32_t u = t[0], v = t[1], q = t[2], r = t[3], di, ei, md, me;
+    const int32_t u = t[0], v = t[1], q = t[2], r = t[3];
+    int32_t di, ei, md, me, sd, se;
     int64_t cd, ce;
     int i;
 
+    /*
+     * On input, d/e must be in the range (-2.P, P). For initially negative d (resp. e), we add
+     * u and/or v (resp. q and/or r) multiples of the modulus to the corresponding output (prior
+     * to division by 2^30). This has the same effect as if we added the modulus to the input(s).
+     */
+
+    sd = d->v[8] >> 31;
+    se = e->v[8] >> 31;
+
+    md = (u & sd) + (v & se);
+    me = (q & sd) + (r & se);
+
     di = d->v[0];
     ei = e->v[0];
 
     cd = (int64_t)u * di + (int64_t)v * ei;
     ce = (int64_t)q * di + (int64_t)r * ei;
 
-    /* Calculate the multiples of P to add, to zero the 30 bottom bits. We choose md, me
-     * from the centred range [-2^29, 2^29) to keep d, e within [-2^256, 2^256). */
-    md = ((int32_t)(modinfo->montmul4 * (uint32_t)cd)) >> 2;
-    me = ((int32_t)(modinfo->montmul4 * (uint32_t)ce)) >> 2;
+    /*
+     * Subtract from md/me an extra term in the range [0, 2^30) such that the low 30 bits of each
+     * sum of products will be 0. This allows clean division by 2^30. On output, d/e are thus in
+     * the range (-2.P, P), consistent with the input constraint.
+     */
+
+    md -= (modinfo->modulus_inv30 * (int32_t)cd + md) & M30;
+    me -= (modinfo->modulus_inv30 * (int32_t)ce + me) & M30;
 
     if (modinfo->modulus.v[0]) {
         cd += (int64_t)modinfo->modulus.v[0] * md;
@@ -243,7 +310,7 @@ static void secp256k1_modinv32_update_fg_30_var(int len, secp256k1_modinv32_sign
     g->v[len - 1] = (int32_t)cg;
 }
 
-static void secp256k1_modinv32(int* sign, secp256k1_modinv32_signed30* x, const secp256k1_modinv32_modinfo* modinfo) {
+static void secp256k1_modinv32(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo) {
     /* Modular inversion based on the paper "Fast constant-time gcd computation and
      * modular inversion" by Daniel J. Bernstein and Bo-Yin Yang. */
     int32_t t[4];
@@ -272,11 +339,12 @@ static void secp256k1_modinv32(int* sign, secp256k1_modinv32_signed30* x, const
      * values i.e. +/- 1, and d now contains +/- the modular inverse. */
     VERIFY_CHECK((g.v[0] | g.v[1] | g.v[2] | g.v[3] | g.v[4] | g.v[5] | g.v[6] | g.v[7] | g.v[8]) == 0);
 
-    *sign = (f.v[0] >> 1) & 1;
+    secp256k1_modinv32_normalize_30(&d, f.v[8] >> 31, modinfo);
+
     *x = d;
 }
 
-static void secp256k1_modinv32_var(int* sign, secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo* modinfo) {
+static void secp256k1_modinv32_var(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo) {
     /* Modular inversion based on the paper "Fast constant-time gcd computation and
      * modular inversion" by Daniel J. Bernstein and Bo-Yin Yang. */
     int32_t t[4];
@@ -328,7 +396,8 @@ static void secp256k1_modinv32_var(int* sign, secp256k1_modinv32_signed30 *x, co
 
     VERIFY_CHECK(i < 25);
 
-    *sign = (f.v[0] >> 1) & 1;
+    secp256k1_modinv32_normalize_30(&d, f.v[len - 1] >> 31, modinfo);
+
     *x = d;
 }