Add _fe_half and use in _gej_add_ge

- Trades 1 _half for 3 _mul_int and 2 _normalize_weak
bitcoin-core · Dec 5, 2021 · 4be5d4d · 4be5d4d
1 parent 4900227
commit 4be5d4d
Show file tree

Hide file tree

Showing 4 changed files with 74 additions and 9 deletions.
diff --git a/src/field.h b/src/field.h
@@ -124,4 +124,6 @@ static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_f
 /** If flag is true, set *r equal to *a; otherwise leave it. Constant-time. Both *r and *a must be initialized.*/
 static void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag);
 
+static void secp256k1_fe_half(secp256k1_fe *r);
+
 #endif /* SECP256K1_FIELD_H */
diff --git a/src/field_10x26_impl.h b/src/field_10x26_impl.h
@@ -1120,6 +1120,45 @@ static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_
 #endif
 }
 
+static SECP256K1_INLINE void secp256k1_fe_half(secp256k1_fe *r) {
+ uint32_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4],
+ t5 = r->n[5], t6 = r->n[6], t7 = r->n[7], t8 = r->n[8], t9 = r->n[9];
+ uint32_t one = (uint32_t)1;
+ uint32_t mask = -(t0 & one) >> 6;
+
+#ifdef VERIFY
+ secp256k1_fe_verify(r);
+#endif
+
+ t0 += 0x3FFFC2FUL & mask;
+ t1 += 0x3FFFFBFUL & mask;
+ t2 += mask;
+ t3 += mask;
+ t4 += mask;
+ t5 += mask;
+ t6 += mask;
+ t7 += mask;
+ t8 += mask;
+ t9 += mask >> 4;
+
+ r->n[0] = (t0 >> 1) + ((t1 & one) << 25);
+ r->n[1] = (t1 >> 1) + ((t2 & one) << 25);
+ r->n[2] = (t2 >> 1) + ((t3 & one) << 25);
+ r->n[3] = (t3 >> 1) + ((t4 & one) << 25);
+ r->n[4] = (t4 >> 1) + ((t5 & one) << 25);
+ r->n[5] = (t5 >> 1) + ((t6 & one) << 25);
+ r->n[6] = (t6 >> 1) + ((t7 & one) << 25);
+ r->n[7] = (t7 >> 1) + ((t8 & one) << 25);
+ r->n[8] = (t8 >> 1) + ((t9 & one) << 25);
+ r->n[9] = (t9 >> 1);
+
+#ifdef VERIFY
+ r->magnitude = (r->magnitude >> 1) + 1;
+ r->normalized = 0;
+ secp256k1_fe_verify(r);
+#endif
+}
+
 static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag) {
  uint32_t mask0, mask1;
  VG_CHECK_VERIFY(r->n, sizeof(r->n));

diff --git a/src/field_5x52_impl.h b/src/field_5x52_impl.h
@@ -467,6 +467,34 @@ static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_
 #endif
 }
 
+static SECP256K1_INLINE void secp256k1_fe_half(secp256k1_fe *r) {
+ uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4];
+ uint64_t one = (uint64_t)1;
+ uint64_t mask = -(t0 & one) >> 12;
+
+#ifdef VERIFY
+ secp256k1_fe_verify(r);
+#endif
+
+ t0 += 0xFFFFEFFFFFC2FULL & mask;
+ t1 += mask;
+ t2 += mask;
+ t3 += mask;
+ t4 += mask >> 4;
+
+ r->n[0] = (t0 >> 1) + ((t1 & one) << 51);
+ r->n[1] = (t1 >> 1) + ((t2 & one) << 51);
+ r->n[2] = (t2 >> 1) + ((t3 & one) << 51);
+ r->n[3] = (t3 >> 1) + ((t4 & one) << 51);
+ r->n[4] = (t4 >> 1);
+
+#ifdef VERIFY
+ r->magnitude = (r->magnitude >> 1) + 1;
+ r->normalized = 0;
+ secp256k1_fe_verify(r);
+#endif
+}
+
 static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag) {
  uint64_t mask0, mask1;
  VG_CHECK_VERIFY(r->n, sizeof(r->n));

diff --git a/src/group_impl.h b/src/group_impl.h
@@ -592,19 +592,15 @@ static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const
  secp256k1_fe_sqr(&t, &rr_alt); /* t = Ralt^2 (1) */
  secp256k1_fe_mul(&r->z, &a->z, &m_alt); /* r->z = Malt*Z (1) */
  infinity = secp256k1_fe_normalizes_to_zero(&r->z) & ~a->infinity;
- secp256k1_fe_mul_int(&r->z, 2); /* r->z = Z3 = 2*Malt*Z (2) */
  secp256k1_fe_negate(&q, &q, 1); /* q = -Q (2) */
  secp256k1_fe_add(&t, &q); /* t = Ralt^2-Q (3) */
- secp256k1_fe_normalize_weak(&t);
- r->x = t; /* r->x = Ralt^2-Q (1) */
- secp256k1_fe_mul_int(&t, 2); /* t = 2*x3 (2) */
- secp256k1_fe_add(&t, &q); /* t = 2*x3 - Q: (4) */
+ r->x = t; /* r->x = Ralt^2-Q (3) */
+ secp256k1_fe_mul_int(&t, 2); /* t = 2*x3 (6) */
+ secp256k1_fe_add(&t, &q); /* t = 2*x3 - Q: (8) */
  secp256k1_fe_mul(&t, &t, &rr_alt); /* t = Ralt*(2*x3 - Q) (1) */
  secp256k1_fe_add(&t, &n); /* t = Ralt*(2*x3 - Q) + M^3*Malt (3) */
- secp256k1_fe_negate(&r->y, &t, 3); /* r->y = Ralt*(Q - 2x3) - M^3*Malt (4) */
- secp256k1_fe_normalize_weak(&r->y);
- secp256k1_fe_mul_int(&r->x, 4); /* r->x = X3 = 4*(Ralt^2-Q) */
- secp256k1_fe_mul_int(&r->y, 4); /* r->y = Y3 = 4*Ralt*(Q - 2x3) - 4*M^3*Malt (4) */
+ secp256k1_fe_negate(&r->y, &t, 3); /* r->y = Ralt*(Q - 2*x3) - M^3*Malt (4) */
+ secp256k1_fe_half(&r->y); /* r->y = (Ralt*(Q - 2*x3) - M^3*Malt)/2 (3) */
 
  /** In case a->infinity == 1, replace r with (b->x, b->y, 1). */
  secp256k1_fe_cmov(&r->x, &b->x, a->infinity);