_ZN4CKey5CheckEPKh: 157| 4.57k|bool CKey::Check(const unsigned char *vch) { 158| 4.57k| return secp256k1_ec_seckey_verify(secp256k1_context_sign, vch); 159| 4.57k|} _ZNK4CKey14EllSwiftCreateE4SpanIKSt4byteE: 312| 5.72k|{ 313| 5.72k| assert(keydata); 314| 5.72k| assert(ent32.size() == 32); 315| 5.72k| std::array encoded_pubkey; 316| | 317| 5.72k| auto success = secp256k1_ellswift_create(secp256k1_context_sign, 318| 5.72k| UCharCast(encoded_pubkey.data()), 319| 5.72k| keydata->data(), 320| 5.72k| UCharCast(ent32.data())); 321| | 322| | // Should always succeed for valid keys (asserted above). 323| 5.72k| assert(success); 324| 5.72k| return {encoded_pubkey}; 325| 5.72k|} _ZNK4CKey23ComputeBIP324ECDHSecretERK14EllSwiftPubKeyS2_b: 328| 5.91k|{ 329| 5.91k| assert(keydata); 330| | 331| 5.91k| ECDHSecret output; 332| | // BIP324 uses the initiator as party A, and the responder as party B. Remap the inputs 333| | // accordingly: 334| 5.91k| bool success = secp256k1_ellswift_xdh(secp256k1_context_sign, 335| 5.91k| UCharCast(output.data()), 336| 5.91k| UCharCast(initiating ? our_ellswift.data() : their_ellswift.data()), ------------------ | Branch (336:53): [True: 3.80k, False: 2.10k] ------------------ 337| 5.91k| UCharCast(initiating ? their_ellswift.data() : our_ellswift.data()), ------------------ | Branch (337:53): [True: 3.80k, False: 2.10k] ------------------ 338| 5.91k| keydata->data(), 339| 5.91k| initiating ? 0 : 1, ------------------ | Branch (339:43): [True: 3.80k, False: 2.10k] ------------------ 340| 5.91k| secp256k1_ellswift_xdh_hash_function_bip324, 341| 5.91k| nullptr); 342| | // Should always succeed for valid keys (assert above). 343| 5.91k| assert(success); 344| 5.91k| return output; 345| 5.91k|} _ZN11ECC_ContextD2Ev: 482| 2|{ 483| 2| ECC_Stop(); 484| 2|} key.cpp:_ZL8ECC_Stopv: 467| 2|static void ECC_Stop() { 468| 2| secp256k1_context *ctx = secp256k1_context_sign; 469| 2| secp256k1_context_sign = nullptr; 470| | 471| 2| if (ctx) { ------------------ | Branch (471:9): [True: 2, False: 0] ------------------ 472| 2| secp256k1_context_destroy(ctx); 473| 2| } 474| 2|} _ZN4CKey11MakeKeyDataEv: 64| 4.17k| { 65| 4.17k| if (!keydata) keydata = make_secure_unique(); ------------------ | Branch (65:13): [True: 4.17k, False: 0] ------------------ 66| 4.17k| } _ZN4CKey12ClearKeyDataEv: 69| 403| { 70| 403| keydata.reset(); 71| 403| } _ZNK4CKey7IsValidEv: 123| 4.57k| bool IsValid() const { return !!keydata; } _ZN4CKeyC2Ev: 74| 4.57k| CKey() noexcept = default; _ZN4CKey3SetINSt3__111__wrap_iterIPhEEEEvT_S5_b: 104| 4.57k| { 105| 4.57k| if (size_t(pend - pbegin) != std::tuple_size_v) { ------------------ | Branch (105:13): [True: 0, False: 4.57k] ------------------ 106| 0| ClearKeyData(); 107| 4.57k| } else if (Check(UCharCast(&pbegin[0]))) { ------------------ | Branch (107:20): [True: 4.17k, False: 403] ------------------ 108| 4.17k| MakeKeyData(); 109| 4.17k| memcpy(keydata->data(), (unsigned char*)&pbegin[0], keydata->size()); 110| 4.17k| fCompressed = fCompressedIn; 111| 4.17k| } else { 112| 403| ClearKeyData(); 113| 403| } 114| 4.57k| } _ZN14EllSwiftPubKeyC2E4SpanIKSt4byteE: 357| 5.72k|{ 358| 5.72k| assert(ellswift.size() == SIZE); 359| 5.72k| std::copy(ellswift.begin(), ellswift.end(), m_pubkey.begin()); 360| 5.72k|} _ZNK14EllSwiftPubKey4dataEv: 326| 11.8k| const std::byte* data() const { return m_pubkey.data(); } _ZeqRK14EllSwiftPubKeyS1_: 332| 1.90k| { 333| 1.90k| return a.m_pubkey == b.m_pubkey; 334| 1.90k| } _ZneRK14EllSwiftPubKeyS1_: 337| 3.81k| { 338| 3.81k| return a.m_pubkey != b.m_pubkey; 339| 3.81k| } secp256k1.c:secp256k1_ecmult_const_xonly: 270| 5.91k|static int secp256k1_ecmult_const_xonly(secp256k1_fe* r, const secp256k1_fe *n, const secp256k1_fe *d, const secp256k1_scalar *q, int known_on_curve) { 271| | 272| | /* This algorithm is a generalization of Peter Dettman's technique for 273| | * avoiding the square root in a random-basepoint x-only multiplication 274| | * on a Weierstrass curve: 275| | * https://mailarchive.ietf.org/arch/msg/cfrg/7DyYY6gg32wDgHAhgSb6XxMDlJA/ 276| | * 277| | * 278| | * === Background: the effective affine technique === 279| | * 280| | * Let phi_u be the isomorphism that maps (x, y) on secp256k1 curve y^2 = x^3 + 7 to 281| | * x' = u^2*x, y' = u^3*y on curve y'^2 = x'^3 + u^6*7. This new curve has the same order as 282| | * the original (it is isomorphic), but moreover, has the same addition/doubling formulas, as 283| | * the curve b=7 coefficient does not appear in those formulas (or at least does not appear in 284| | * the formulas implemented in this codebase, both affine and Jacobian). See also Example 9.5.2 285| | * in https://www.math.auckland.ac.nz/~sgal018/crypto-book/ch9.pdf. 286| | * 287| | * This means any linear combination of secp256k1 points can be computed by applying phi_u 288| | * (with non-zero u) on all input points (including the generator, if used), computing the 289| | * linear combination on the isomorphic curve (using the same group laws), and then applying 290| | * phi_u^{-1} to get back to secp256k1. 291| | * 292| | * Switching to Jacobian coordinates, note that phi_u applied to (X, Y, Z) is simply 293| | * (X, Y, Z/u). Thus, if we want to compute (X1, Y1, Z) + (X2, Y2, Z), with identical Z 294| | * coordinates, we can use phi_Z to transform it to (X1, Y1, 1) + (X2, Y2, 1) on an isomorphic 295| | * curve where the affine addition formula can be used instead. 296| | * If (X3, Y3, Z3) = (X1, Y1) + (X2, Y2) on that curve, then our answer on secp256k1 is 297| | * (X3, Y3, Z3*Z). 298| | * 299| | * This is the effective affine technique: if we have a linear combination of group elements 300| | * to compute, and all those group elements have the same Z coordinate, we can simply pretend 301| | * that all those Z coordinates are 1, perform the computation that way, and then multiply the 302| | * original Z coordinate back in. 303| | * 304| | * The technique works on any a=0 short Weierstrass curve. It is possible to generalize it to 305| | * other curves too, but there the isomorphic curves will have different 'a' coefficients, 306| | * which typically does affect the group laws. 307| | * 308| | * 309| | * === Avoiding the square root for x-only point multiplication === 310| | * 311| | * In this function, we want to compute the X coordinate of q*(n/d, y), for 312| | * y = sqrt((n/d)^3 + 7). Its negation would also be a valid Y coordinate, but by convention 313| | * we pick whatever sqrt returns (which we assume to be a deterministic function). 314| | * 315| | * Let g = y^2*d^3 = n^3 + 7*d^3. This also means y = sqrt(g/d^3). 316| | * Further let v = sqrt(d*g), which must exist as d*g = y^2*d^4 = (y*d^2)^2. 317| | * 318| | * The input point (n/d, y) also has Jacobian coordinates: 319| | * 320| | * (n/d, y, 1) 321| | * = (n/d * v^2, y * v^3, v) 322| | * = (n/d * d*g, y * sqrt(d^3*g^3), v) 323| | * = (n/d * d*g, sqrt(y^2 * d^3*g^3), v) 324| | * = (n*g, sqrt(g/d^3 * d^3*g^3), v) 325| | * = (n*g, sqrt(g^4), v) 326| | * = (n*g, g^2, v) 327| | * 328| | * It is easy to verify that both (n*g, g^2, v) and its negation (n*g, -g^2, v) have affine X 329| | * coordinate n/d, and this holds even when the square root function doesn't have a 330| | * deterministic sign. We choose the (n*g, g^2, v) version. 331| | * 332| | * Now switch to the effective affine curve using phi_v, where the input point has coordinates 333| | * (n*g, g^2). Compute (X, Y, Z) = q * (n*g, g^2) there. 334| | * 335| | * Back on secp256k1, that means q * (n*g, g^2, v) = (X, Y, v*Z). This last point has affine X 336| | * coordinate X / (v^2*Z^2) = X / (d*g*Z^2). Determining the affine Y coordinate would involve 337| | * a square root, but as long as we only care about the resulting X coordinate, no square root 338| | * is needed anywhere in this computation. 339| | */ 340| | 341| 5.91k| secp256k1_fe g, i; 342| 5.91k| secp256k1_ge p; 343| 5.91k| secp256k1_gej rj; 344| | 345| | /* Compute g = (n^3 + B*d^3). */ 346| 5.91k| secp256k1_fe_sqr(&g, n); ------------------ | | 94| 5.91k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 347| 5.91k| secp256k1_fe_mul(&g, &g, n); ------------------ | | 93| 5.91k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 348| 5.91k| if (d) { ------------------ | Branch (348:9): [True: 5.91k, False: 0] ------------------ 349| 5.91k| secp256k1_fe b; 350| 5.91k| VERIFY_CHECK(!secp256k1_fe_normalizes_to_zero(d)); 351| 5.91k| secp256k1_fe_sqr(&b, d); ------------------ | | 94| 5.91k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 352| 5.91k| VERIFY_CHECK(SECP256K1_B <= 8); /* magnitude of b will be <= 8 after the next call */ 353| 5.91k| secp256k1_fe_mul_int(&b, SECP256K1_B); ------------------ | | 233| 5.91k|#define secp256k1_fe_mul_int(r, a) ASSERT_INT_CONST_AND_DO(a, secp256k1_fe_mul_int_unchecked(r, a)) | | ------------------ | | | | 77| 5.91k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 5.91k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 5.91k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 5.91k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 5.91k, False: 0] | | | | ------------------ | | | | 83| 5.91k| } \ | | | | 84| 5.91k| stmt; \ | | | | 85| 5.91k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 354| 5.91k| secp256k1_fe_mul(&b, &b, d); ------------------ | | 93| 5.91k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 355| 5.91k| secp256k1_fe_add(&g, &b); ------------------ | | 92| 5.91k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 356| 5.91k| if (!known_on_curve) { ------------------ | Branch (356:13): [True: 0, False: 5.91k] ------------------ 357| | /* We need to determine whether (n/d)^3 + 7 is square. 358| | * 359| | * is_square((n/d)^3 + 7) 360| | * <=> is_square(((n/d)^3 + 7) * d^4) 361| | * <=> is_square((n^3 + 7*d^3) * d) 362| | * <=> is_square(g * d) 363| | */ 364| 0| secp256k1_fe c; 365| 0| secp256k1_fe_mul(&c, &g, d); ------------------ | | 93| 0|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 366| 0| if (!secp256k1_fe_is_square_var(&c)) return 0; ------------------ | | 103| 0|# define secp256k1_fe_is_square_var secp256k1_fe_impl_is_square_var ------------------ | Branch (366:17): [True: 0, False: 0] ------------------ 367| 0| } 368| 5.91k| } else { 369| 0| secp256k1_fe_add_int(&g, SECP256K1_B); ------------------ | | 102| 0|# define secp256k1_fe_add_int secp256k1_fe_impl_add_int ------------------ secp256k1_fe_add_int(&g, SECP256K1_B); ------------------ | | 73| 0|#define SECP256K1_B 7 ------------------ 370| 0| if (!known_on_curve) { ------------------ | Branch (370:13): [True: 0, False: 0] ------------------ 371| | /* g at this point equals x^3 + 7. Test if it is square. */ 372| 0| if (!secp256k1_fe_is_square_var(&g)) return 0; ------------------ | | 103| 0|# define secp256k1_fe_is_square_var secp256k1_fe_impl_is_square_var ------------------ | Branch (372:17): [True: 0, False: 0] ------------------ 373| 0| } 374| 0| } 375| | 376| | /* Compute base point P = (n*g, g^2), the effective affine version of (n*g, g^2, v), which has 377| | * corresponding affine X coordinate n/d. */ 378| 5.91k| secp256k1_fe_mul(&p.x, &g, n); ------------------ | | 93| 5.91k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 379| 5.91k| secp256k1_fe_sqr(&p.y, &g); ------------------ | | 94| 5.91k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 380| 5.91k| p.infinity = 0; 381| | 382| | /* Perform x-only EC multiplication of P with q. */ 383| 5.91k| VERIFY_CHECK(!secp256k1_scalar_is_zero(q)); 384| 5.91k| secp256k1_ecmult_const(&rj, &p, q); 385| 5.91k| VERIFY_CHECK(!secp256k1_gej_is_infinity(&rj)); 386| | 387| | /* The resulting (X, Y, Z) point on the effective-affine isomorphic curve corresponds to 388| | * (X, Y, Z*v) on the secp256k1 curve. The affine version of that has X coordinate 389| | * (X / (Z^2*d*g)). */ 390| 5.91k| secp256k1_fe_sqr(&i, &rj.z); ------------------ | | 94| 5.91k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 391| 5.91k| secp256k1_fe_mul(&i, &i, &g); ------------------ | | 93| 5.91k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 392| 5.91k| if (d) secp256k1_fe_mul(&i, &i, d); ------------------ | | 93| 5.91k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ | Branch (392:9): [True: 5.91k, False: 0] ------------------ 393| 5.91k| secp256k1_fe_inv(&i, &i); ------------------ | | 98| 5.91k|# define secp256k1_fe_inv secp256k1_fe_impl_inv ------------------ 394| 5.91k| secp256k1_fe_mul(r, &rj.x, &i); ------------------ | | 93| 5.91k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 395| | 396| 5.91k| return 1; 397| 5.91k|} secp256k1.c:secp256k1_ecmult_const: 124| 5.91k|static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q) { 125| | /* The approach below combines the signed-digit logic from Mike Hamburg's 126| | * "Fast and compact elliptic-curve cryptography" (https://eprint.iacr.org/2012/309) 127| | * Section 3.3, with the GLV endomorphism. 128| | * 129| | * The idea there is to interpret the bits of a scalar as signs (1 = +, 0 = -), and compute a 130| | * point multiplication in that fashion. Let v be an n-bit non-negative integer (0 <= v < 2^n), 131| | * and v[i] its i'th bit (so v = sum(v[i] * 2^i, i=0..n-1)). Then define: 132| | * 133| | * C_l(v, A) = sum((2*v[i] - 1) * 2^i*A, i=0..l-1) 134| | * 135| | * Then it holds that C_l(v, A) = sum((2*v[i] - 1) * 2^i*A, i=0..l-1) 136| | * = (2*sum(v[i] * 2^i, i=0..l-1) + 1 - 2^l) * A 137| | * = (2*v + 1 - 2^l) * A 138| | * 139| | * Thus, one can compute q*A as C_256((q + 2^256 - 1) / 2, A). This is the basis for the 140| | * paper's signed-digit multi-comb algorithm for multiplication using a precomputed table. 141| | * 142| | * It is appealing to try to combine this with the GLV optimization: the idea that a scalar 143| | * s can be written as s1 + lambda*s2, where lambda is a curve-specific constant such that 144| | * lambda*A is easy to compute, and where s1 and s2 are small. In particular we have the 145| | * secp256k1_scalar_split_lambda function which performs such a split with the resulting s1 146| | * and s2 in range (-2^128, 2^128) mod n. This does work, but is uninteresting: 147| | * 148| | * To compute q*A: 149| | * - Let s1, s2 = split_lambda(q) 150| | * - Let R1 = C_256((s1 + 2^256 - 1) / 2, A) 151| | * - Let R2 = C_256((s2 + 2^256 - 1) / 2, lambda*A) 152| | * - Return R1 + R2 153| | * 154| | * The issue is that while s1 and s2 are small-range numbers, (s1 + 2^256 - 1) / 2 (mod n) 155| | * and (s2 + 2^256 - 1) / 2 (mod n) are not, undoing the benefit of the splitting. 156| | * 157| | * To make it work, we want to modify the input scalar q first, before splitting, and then only 158| | * add a 2^128 offset of the split results (so that they end up in the single 129-bit range 159| | * [0,2^129]). A slightly smaller offset would work due to the bounds on the split, but we pick 160| | * 2^128 for simplicity. Let s be the scalar fed to split_lambda, and f(q) the function to 161| | * compute it from q: 162| | * 163| | * To compute q*A: 164| | * - Compute s = f(q) 165| | * - Let s1, s2 = split_lambda(s) 166| | * - Let v1 = s1 + 2^128 (mod n) 167| | * - Let v2 = s2 + 2^128 (mod n) 168| | * - Let R1 = C_l(v1, A) 169| | * - Let R2 = C_l(v2, lambda*A) 170| | * - Return R1 + R2 171| | * 172| | * l will thus need to be at least 129, but we may overshoot by a few bits (see 173| | * further), so keep it as a variable. 174| | * 175| | * To solve for s, we reason: 176| | * q*A = R1 + R2 177| | * <=> q*A = C_l(s1 + 2^128, A) + C_l(s2 + 2^128, lambda*A) 178| | * <=> q*A = (2*(s1 + 2^128) + 1 - 2^l) * A + (2*(s2 + 2^128) + 1 - 2^l) * lambda*A 179| | * <=> q*A = (2*(s1 + s2*lambda) + (2^129 + 1 - 2^l) * (1 + lambda)) * A 180| | * <=> q = 2*(s1 + s2*lambda) + (2^129 + 1 - 2^l) * (1 + lambda) (mod n) 181| | * <=> q = 2*s + (2^129 + 1 - 2^l) * (1 + lambda) (mod n) 182| | * <=> s = (q + (2^l - 2^129 - 1) * (1 + lambda)) / 2 (mod n) 183| | * <=> f(q) = (q + K) / 2 (mod n) 184| | * where K = (2^l - 2^129 - 1)*(1 + lambda) (mod n) 185| | * 186| | * We will process the computation of C_l(v1, A) and C_l(v2, lambda*A) in groups of 187| | * ECMULT_CONST_GROUP_SIZE, so we set l to the smallest multiple of ECMULT_CONST_GROUP_SIZE 188| | * that is not less than 129; this equals ECMULT_CONST_BITS. 189| | */ 190| | 191| | /* The offset to add to s1 and s2 to make them non-negative. Equal to 2^128. */ 192| 5.91k| static const secp256k1_scalar S_OFFSET = SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0); ------------------ | | 17| 5.91k|#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0) {{((uint64_t)(d1)) << 32 | (d0), ((uint64_t)(d3)) << 32 | (d2), ((uint64_t)(d5)) << 32 | (d4), ((uint64_t)(d7)) << 32 | (d6)}} ------------------ 193| 5.91k| secp256k1_scalar s, v1, v2; 194| 5.91k| secp256k1_ge pre_a[ECMULT_CONST_TABLE_SIZE]; 195| 5.91k| secp256k1_ge pre_a_lam[ECMULT_CONST_TABLE_SIZE]; 196| 5.91k| secp256k1_fe global_z; 197| 5.91k| int group, i; 198| | 199| | /* We're allowed to be non-constant time in the point, and the code below (in particular, 200| | * secp256k1_ecmult_const_odd_multiples_table_globalz) cannot deal with infinity in a 201| | * constant-time manner anyway. */ 202| 5.91k| if (secp256k1_ge_is_infinity(a)) { ------------------ | Branch (202:9): [True: 0, False: 5.91k] ------------------ 203| 0| secp256k1_gej_set_infinity(r); 204| 0| return; 205| 0| } 206| | 207| | /* Compute v1 and v2. */ 208| 5.91k| secp256k1_scalar_add(&s, q, &secp256k1_ecmult_const_K); 209| 5.91k| secp256k1_scalar_half(&s, &s); 210| 5.91k| secp256k1_scalar_split_lambda(&v1, &v2, &s); 211| 5.91k| secp256k1_scalar_add(&v1, &v1, &S_OFFSET); 212| 5.91k| secp256k1_scalar_add(&v2, &v2, &S_OFFSET); 213| | 214| |#ifdef VERIFY 215| | /* Verify that v1 and v2 are in range [0, 2^129-1]. */ 216| | for (i = 129; i < 256; ++i) { 217| | VERIFY_CHECK(secp256k1_scalar_get_bits_limb32(&v1, i, 1) == 0); 218| | VERIFY_CHECK(secp256k1_scalar_get_bits_limb32(&v2, i, 1) == 0); 219| | } 220| |#endif 221| | 222| | /* Calculate odd multiples of A and A*lambda. 223| | * All multiples are brought to the same Z 'denominator', which is stored 224| | * in global_z. Due to secp256k1' isomorphism we can do all operations pretending 225| | * that the Z coordinate was 1, use affine addition formulae, and correct 226| | * the Z coordinate of the result once at the end. 227| | */ 228| 5.91k| secp256k1_gej_set_ge(r, a); 229| 5.91k| secp256k1_ecmult_const_odd_multiples_table_globalz(pre_a, &global_z, r); 230| 100k| for (i = 0; i < ECMULT_CONST_TABLE_SIZE; i++) { ------------------ | | 33| 100k|#define ECMULT_CONST_TABLE_SIZE (1L << (ECMULT_CONST_GROUP_SIZE - 1)) | | ------------------ | | | | 30| 100k|# define ECMULT_CONST_GROUP_SIZE 5 | | ------------------ ------------------ | Branch (230:17): [True: 94.5k, False: 5.91k] ------------------ 231| 94.5k| secp256k1_ge_mul_lambda(&pre_a_lam[i], &pre_a[i]); 232| 94.5k| } 233| | 234| | /* Next, we compute r = C_l(v1, A) + C_l(v2, lambda*A). 235| | * 236| | * We proceed in groups of ECMULT_CONST_GROUP_SIZE bits, operating on that many bits 237| | * at a time, from high in v1, v2 to low. Call these bits1 (from v1) and bits2 (from v2). 238| | * 239| | * Now note that ECMULT_CONST_TABLE_GET_GE(&t, pre_a, bits1) loads into t a point equal 240| | * to C_{ECMULT_CONST_GROUP_SIZE}(bits1, A), and analogously for pre_lam_a / bits2. 241| | * This means that all we need to do is add these looked up values together, multiplied 242| | * by 2^(ECMULT_GROUP_SIZE * group). 243| | */ 244| 159k| for (group = ECMULT_CONST_GROUPS - 1; group >= 0; --group) { ------------------ | | 34| 5.91k|#define ECMULT_CONST_GROUPS ((129 + ECMULT_CONST_GROUP_SIZE - 1) / ECMULT_CONST_GROUP_SIZE) | | ------------------ | | | | 30| 5.91k|# define ECMULT_CONST_GROUP_SIZE 5 | | ------------------ | | #define ECMULT_CONST_GROUPS ((129 + ECMULT_CONST_GROUP_SIZE - 1) / ECMULT_CONST_GROUP_SIZE) | | ------------------ | | | | 30| 5.91k|# define ECMULT_CONST_GROUP_SIZE 5 | | ------------------ ------------------ | Branch (244:43): [True: 153k, False: 5.91k] ------------------ 245| | /* Using the _var get_bits function is ok here, since it's only variable in offset and count, not in the scalar. */ 246| 153k| unsigned int bits1 = secp256k1_scalar_get_bits_var(&v1, group * ECMULT_CONST_GROUP_SIZE, ECMULT_CONST_GROUP_SIZE); ------------------ | | 30| 153k|# define ECMULT_CONST_GROUP_SIZE 5 ------------------ unsigned int bits1 = secp256k1_scalar_get_bits_var(&v1, group * ECMULT_CONST_GROUP_SIZE, ECMULT_CONST_GROUP_SIZE); ------------------ | | 30| 153k|# define ECMULT_CONST_GROUP_SIZE 5 ------------------ 247| 153k| unsigned int bits2 = secp256k1_scalar_get_bits_var(&v2, group * ECMULT_CONST_GROUP_SIZE, ECMULT_CONST_GROUP_SIZE); ------------------ | | 30| 153k|# define ECMULT_CONST_GROUP_SIZE 5 ------------------ unsigned int bits2 = secp256k1_scalar_get_bits_var(&v2, group * ECMULT_CONST_GROUP_SIZE, ECMULT_CONST_GROUP_SIZE); ------------------ | | 30| 153k|# define ECMULT_CONST_GROUP_SIZE 5 ------------------ 248| 153k| secp256k1_ge t; 249| 153k| int j; 250| | 251| 153k| ECMULT_CONST_TABLE_GET_GE(&t, pre_a, bits1); ------------------ | | 61| 153k|#define ECMULT_CONST_TABLE_GET_GE(r,pre,n) do { \ | | 62| 153k| unsigned int m = 0; \ | | 63| 153k| /* If the top bit of n is 0, we want the negation. */ \ | | 64| 153k| volatile unsigned int negative = ((n) >> (ECMULT_CONST_GROUP_SIZE - 1)) ^ 1; \ | | ------------------ | | | | 30| 153k|# define ECMULT_CONST_GROUP_SIZE 5 | | ------------------ | | 65| 153k| /* Let n[i] be the i-th bit of n, then the index is | | 66| 153k| * sum(cnot(n[i]) * 2^i, i=0..l-2) | | 67| 153k| * where cnot(b) = b if n[l-1] = 1 and 1 - b otherwise. | | 68| 153k| * For example, if n = 4, in binary 0100, the index is 3, in binary 011. | | 69| 153k| * | | 70| 153k| * Proof: | | 71| 153k| * Let | | 72| 153k| * x = sum((2*n[i] - 1)*2^i, i=0..l-1) | | 73| 153k| * = 2*sum(n[i] * 2^i, i=0..l-1) - 2^l + 1 | | 74| 153k| * be the value represented by n. | | 75| 153k| * The index is (x - 1)/2 if x > 0 and -(x + 1)/2 otherwise. | | 76| 153k| * Case x > 0: | | 77| 153k| * n[l-1] = 1 | | 78| 153k| * index = sum(n[i] * 2^i, i=0..l-1) - 2^(l-1) | | 79| 153k| * = sum(n[i] * 2^i, i=0..l-2) | | 80| 153k| * Case x <= 0: | | 81| 153k| * n[l-1] = 0 | | 82| 153k| * index = -(2*sum(n[i] * 2^i, i=0..l-1) - 2^l + 2)/2 | | 83| 153k| * = 2^(l-1) - 1 - sum(n[i] * 2^i, i=0..l-1) | | 84| 153k| * = sum((1 - n[i]) * 2^i, i=0..l-2) | | 85| 153k| */ \ | | 86| 153k| unsigned int index = ((unsigned int)(-negative) ^ n) & ((1U << (ECMULT_CONST_GROUP_SIZE - 1)) - 1U); \ | | ------------------ | | | | 30| 153k|# define ECMULT_CONST_GROUP_SIZE 5 | | ------------------ | | 87| 153k| secp256k1_fe neg_y; \ | | 88| 153k| VERIFY_CHECK((n) < (1U << ECMULT_CONST_GROUP_SIZE)); \ | | 89| 153k| VERIFY_CHECK(index < (1U << (ECMULT_CONST_GROUP_SIZE - 1))); \ | | 90| 153k| /* Unconditionally set r->x = (pre)[m].x. r->y = (pre)[m].y. because it's either the correct one | | 91| 153k| * or will get replaced in the later iterations, this is needed to make sure `r` is initialized. */ \ | | 92| 153k| (r)->x = (pre)[m].x; \ | | 93| 153k| (r)->y = (pre)[m].y; \ | | 94| 2.45M| for (m = 1; m < ECMULT_CONST_TABLE_SIZE; m++) { \ | | ------------------ | | | | 33| 2.45M|#define ECMULT_CONST_TABLE_SIZE (1L << (ECMULT_CONST_GROUP_SIZE - 1)) | | | | ------------------ | | | | | | 30| 2.45M|# define ECMULT_CONST_GROUP_SIZE 5 | | | | ------------------ | | ------------------ | | | Branch (94:17): [True: 2.30M, False: 153k] | | ------------------ | | 95| 2.30M| /* This loop is used to avoid secret data in array indices. See | | 96| 2.30M| * the comment in ecmult_gen_impl.h for rationale. */ \ | | 97| 2.30M| secp256k1_fe_cmov(&(r)->x, &(pre)[m].x, m == index); \ | | ------------------ | | | | 95| 2.30M|# define secp256k1_fe_cmov secp256k1_fe_impl_cmov | | ------------------ | | 98| 2.30M| secp256k1_fe_cmov(&(r)->y, &(pre)[m].y, m == index); \ | | ------------------ | | | | 95| 2.30M|# define secp256k1_fe_cmov secp256k1_fe_impl_cmov | | ------------------ | | 99| 2.30M| } \ | | 100| 153k| (r)->infinity = 0; \ | | 101| 153k| secp256k1_fe_negate(&neg_y, &(r)->y, 1); \ | | ------------------ | | | | 211| 153k|#define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) | | | | ------------------ | | | | | | 77| 153k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | | | 78| 153k| switch(42) { \ | | | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | | | ------------------ | | | | | | | Branch (80:9): [True: 0, False: 153k] | | | | | | ------------------ | | | | | | 81| 0| break; \ | | | | | | 82| 153k| default: ; \ | | | | | | ------------------ | | | | | | | Branch (82:9): [True: 153k, False: 0] | | | | | | ------------------ | | | | | | 83| 153k| } \ | | | | | | 84| 153k| stmt; \ | | | | | | 85| 153k|} while(0) | | | | | | ------------------ | | | | | | | Branch (85:9): [Folded - Ignored] | | | | | | ------------------ | | | | ------------------ | | ------------------ | | 102| 153k| secp256k1_fe_cmov(&(r)->y, &neg_y, negative); \ | | ------------------ | | | | 95| 153k|# define secp256k1_fe_cmov secp256k1_fe_impl_cmov | | ------------------ | | 103| 153k|} while(0) | | ------------------ | | | Branch (103:9): [Folded - Ignored] | | ------------------ ------------------ 252| 153k| if (group == ECMULT_CONST_GROUPS - 1) { ------------------ | | 34| 153k|#define ECMULT_CONST_GROUPS ((129 + ECMULT_CONST_GROUP_SIZE - 1) / ECMULT_CONST_GROUP_SIZE) | | ------------------ | | | | 30| 153k|# define ECMULT_CONST_GROUP_SIZE 5 | | ------------------ | | #define ECMULT_CONST_GROUPS ((129 + ECMULT_CONST_GROUP_SIZE - 1) / ECMULT_CONST_GROUP_SIZE) | | ------------------ | | | | 30| 153k|# define ECMULT_CONST_GROUP_SIZE 5 | | ------------------ ------------------ | Branch (252:13): [True: 5.91k, False: 147k] ------------------ 253| | /* Directly set r in the first iteration. */ 254| 5.91k| secp256k1_gej_set_ge(r, &t); 255| 147k| } else { 256| | /* Shift the result so far up. */ 257| 886k| for (j = 0; j < ECMULT_CONST_GROUP_SIZE; ++j) { ------------------ | | 30| 886k|# define ECMULT_CONST_GROUP_SIZE 5 ------------------ | Branch (257:25): [True: 738k, False: 147k] ------------------ 258| 738k| secp256k1_gej_double(r, r); 259| 738k| } 260| 147k| secp256k1_gej_add_ge(r, r, &t); 261| 147k| } 262| 153k| ECMULT_CONST_TABLE_GET_GE(&t, pre_a_lam, bits2); ------------------ | | 61| 153k|#define ECMULT_CONST_TABLE_GET_GE(r,pre,n) do { \ | | 62| 153k| unsigned int m = 0; \ | | 63| 153k| /* If the top bit of n is 0, we want the negation. */ \ | | 64| 153k| volatile unsigned int negative = ((n) >> (ECMULT_CONST_GROUP_SIZE - 1)) ^ 1; \ | | ------------------ | | | | 30| 153k|# define ECMULT_CONST_GROUP_SIZE 5 | | ------------------ | | 65| 153k| /* Let n[i] be the i-th bit of n, then the index is | | 66| 153k| * sum(cnot(n[i]) * 2^i, i=0..l-2) | | 67| 153k| * where cnot(b) = b if n[l-1] = 1 and 1 - b otherwise. | | 68| 153k| * For example, if n = 4, in binary 0100, the index is 3, in binary 011. | | 69| 153k| * | | 70| 153k| * Proof: | | 71| 153k| * Let | | 72| 153k| * x = sum((2*n[i] - 1)*2^i, i=0..l-1) | | 73| 153k| * = 2*sum(n[i] * 2^i, i=0..l-1) - 2^l + 1 | | 74| 153k| * be the value represented by n. | | 75| 153k| * The index is (x - 1)/2 if x > 0 and -(x + 1)/2 otherwise. | | 76| 153k| * Case x > 0: | | 77| 153k| * n[l-1] = 1 | | 78| 153k| * index = sum(n[i] * 2^i, i=0..l-1) - 2^(l-1) | | 79| 153k| * = sum(n[i] * 2^i, i=0..l-2) | | 80| 153k| * Case x <= 0: | | 81| 153k| * n[l-1] = 0 | | 82| 153k| * index = -(2*sum(n[i] * 2^i, i=0..l-1) - 2^l + 2)/2 | | 83| 153k| * = 2^(l-1) - 1 - sum(n[i] * 2^i, i=0..l-1) | | 84| 153k| * = sum((1 - n[i]) * 2^i, i=0..l-2) | | 85| 153k| */ \ | | 86| 153k| unsigned int index = ((unsigned int)(-negative) ^ n) & ((1U << (ECMULT_CONST_GROUP_SIZE - 1)) - 1U); \ | | ------------------ | | | | 30| 153k|# define ECMULT_CONST_GROUP_SIZE 5 | | ------------------ | | 87| 153k| secp256k1_fe neg_y; \ | | 88| 153k| VERIFY_CHECK((n) < (1U << ECMULT_CONST_GROUP_SIZE)); \ | | 89| 153k| VERIFY_CHECK(index < (1U << (ECMULT_CONST_GROUP_SIZE - 1))); \ | | 90| 153k| /* Unconditionally set r->x = (pre)[m].x. r->y = (pre)[m].y. because it's either the correct one | | 91| 153k| * or will get replaced in the later iterations, this is needed to make sure `r` is initialized. */ \ | | 92| 153k| (r)->x = (pre)[m].x; \ | | 93| 153k| (r)->y = (pre)[m].y; \ | | 94| 2.45M| for (m = 1; m < ECMULT_CONST_TABLE_SIZE; m++) { \ | | ------------------ | | | | 33| 2.45M|#define ECMULT_CONST_TABLE_SIZE (1L << (ECMULT_CONST_GROUP_SIZE - 1)) | | | | ------------------ | | | | | | 30| 2.45M|# define ECMULT_CONST_GROUP_SIZE 5 | | | | ------------------ | | ------------------ | | | Branch (94:17): [True: 2.30M, False: 153k] | | ------------------ | | 95| 2.30M| /* This loop is used to avoid secret data in array indices. See | | 96| 2.30M| * the comment in ecmult_gen_impl.h for rationale. */ \ | | 97| 2.30M| secp256k1_fe_cmov(&(r)->x, &(pre)[m].x, m == index); \ | | ------------------ | | | | 95| 2.30M|# define secp256k1_fe_cmov secp256k1_fe_impl_cmov | | ------------------ | | 98| 2.30M| secp256k1_fe_cmov(&(r)->y, &(pre)[m].y, m == index); \ | | ------------------ | | | | 95| 2.30M|# define secp256k1_fe_cmov secp256k1_fe_impl_cmov | | ------------------ | | 99| 2.30M| } \ | | 100| 153k| (r)->infinity = 0; \ | | 101| 153k| secp256k1_fe_negate(&neg_y, &(r)->y, 1); \ | | ------------------ | | | | 211| 153k|#define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) | | | | ------------------ | | | | | | 77| 153k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | | | 78| 153k| switch(42) { \ | | | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | | | ------------------ | | | | | | | Branch (80:9): [True: 0, False: 153k] | | | | | | ------------------ | | | | | | 81| 0| break; \ | | | | | | 82| 153k| default: ; \ | | | | | | ------------------ | | | | | | | Branch (82:9): [True: 153k, False: 0] | | | | | | ------------------ | | | | | | 83| 153k| } \ | | | | | | 84| 153k| stmt; \ | | | | | | 85| 153k|} while(0) | | | | | | ------------------ | | | | | | | Branch (85:9): [Folded - Ignored] | | | | | | ------------------ | | | | ------------------ | | ------------------ | | 102| 153k| secp256k1_fe_cmov(&(r)->y, &neg_y, negative); \ | | ------------------ | | | | 95| 153k|# define secp256k1_fe_cmov secp256k1_fe_impl_cmov | | ------------------ | | 103| 153k|} while(0) | | ------------------ | | | Branch (103:9): [Folded - Ignored] | | ------------------ ------------------ 263| 153k| secp256k1_gej_add_ge(r, r, &t); 264| 153k| } 265| | 266| | /* Map the result back to the secp256k1 curve from the isomorphic curve. */ 267| 5.91k| secp256k1_fe_mul(&r->z, &r->z, &global_z); ------------------ | | 93| 5.91k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 268| 5.91k|} secp256k1.c:secp256k1_ecmult_const_odd_multiples_table_globalz: 44| 5.91k|static void secp256k1_ecmult_const_odd_multiples_table_globalz(secp256k1_ge *pre, secp256k1_fe *globalz, const secp256k1_gej *a) { 45| 5.91k| secp256k1_fe zr[ECMULT_CONST_TABLE_SIZE]; 46| | 47| 5.91k| secp256k1_ecmult_odd_multiples_table(ECMULT_CONST_TABLE_SIZE, pre, zr, globalz, a); ------------------ | | 33| 5.91k|#define ECMULT_CONST_TABLE_SIZE (1L << (ECMULT_CONST_GROUP_SIZE - 1)) | | ------------------ | | | | 30| 5.91k|# define ECMULT_CONST_GROUP_SIZE 5 | | ------------------ ------------------ 48| 5.91k| secp256k1_ge_table_set_globalz(ECMULT_CONST_TABLE_SIZE, pre, zr); ------------------ | | 33| 5.91k|#define ECMULT_CONST_TABLE_SIZE (1L << (ECMULT_CONST_GROUP_SIZE - 1)) | | ------------------ | | | | 30| 5.91k|# define ECMULT_CONST_GROUP_SIZE 5 | | ------------------ ------------------ 49| 5.91k|} secp256k1.c:secp256k1_ecmult_gen_context_clear: 26| 2|static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context *ctx) { 27| 2| ctx->built = 0; 28| 2| secp256k1_scalar_clear(&ctx->scalar_offset); 29| 2| secp256k1_ge_clear(&ctx->ge_offset); 30| 2| secp256k1_fe_clear(&ctx->proj_blind); 31| 2|} secp256k1.c:secp256k1_ecmult_gen_context_is_built: 22| 5.73k|static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context* ctx) { 23| 5.73k| return ctx->built; 24| 5.73k|} secp256k1.c:secp256k1_ecmult_gen: 54| 5.72k|static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *gn) { 55| 5.72k| uint32_t comb_off; 56| 5.72k| secp256k1_ge add; 57| 5.72k| secp256k1_fe neg; 58| 5.72k| secp256k1_ge_storage adds; 59| 5.72k| secp256k1_scalar d; 60| | /* Array of uint32_t values large enough to store COMB_BITS bits. Only the bottom 61| | * 8 are ever nonzero, but having the zero padding at the end if COMB_BITS>256 62| | * avoids the need to deal with out-of-bounds reads from a scalar. */ 63| 5.72k| uint32_t recoded[(COMB_BITS + 31) >> 5] = {0}; 64| 5.72k| int first = 1, i; 65| | 66| 5.72k| memset(&adds, 0, sizeof(adds)); 67| | 68| | /* We want to compute R = gn*G. 69| | * 70| | * To blind the scalar used in the computation, we rewrite this to be 71| | * R = (gn - b)*G + b*G, with a blinding value b determined by the context. 72| | * 73| | * The multiplication (gn-b)*G will be performed using a signed-digit multi-comb (see Section 74| | * 3.3 of "Fast and compact elliptic-curve cryptography" by Mike Hamburg, 75| | * https://eprint.iacr.org/2012/309). 76| | * 77| | * Let comb(s, P) = sum((2*s[i]-1)*2^i*P for i=0..COMB_BITS-1), where s[i] is the i'th bit of 78| | * the binary representation of scalar s. So the s[i] values determine whether -2^i*P (s[i]=0) 79| | * or +2^i*P (s[i]=1) are added together. COMB_BITS is at least 256, so all bits of s are 80| | * covered. By manipulating: 81| | * 82| | * comb(s, P) = sum((2*s[i]-1)*2^i*P for i=0..COMB_BITS-1) 83| | * <=> comb(s, P) = sum((2*s[i]-1)*2^i for i=0..COMB_BITS-1) * P 84| | * <=> comb(s, P) = (2*sum(s[i]*2^i for i=0..COMB_BITS-1) - sum(2^i for i=0..COMB_BITS-1)) * P 85| | * <=> comb(s, P) = (2*s - (2^COMB_BITS - 1)) * P 86| | * 87| | * If we wanted to compute (gn-b)*G as comb(s, G), it would need to hold that 88| | * 89| | * (gn - b) * G = (2*s - (2^COMB_BITS - 1)) * G 90| | * <=> s = (gn - b + (2^COMB_BITS - 1))/2 (mod order) 91| | * 92| | * We use an alternative here that avoids the modular division by two: instead we compute 93| | * (gn-b)*G as comb(d, G/2). For that to hold it must be the case that 94| | * 95| | * (gn - b) * G = (2*d - (2^COMB_BITS - 1)) * (G/2) 96| | * <=> d = gn - b + (2^COMB_BITS - 1)/2 (mod order) 97| | * 98| | * Adding precomputation, our final equations become: 99| | * 100| | * ctx->scalar_offset = (2^COMB_BITS - 1)/2 - b (mod order) 101| | * ctx->ge_offset = b*G 102| | * d = gn + ctx->scalar_offset (mod order) 103| | * R = comb(d, G/2) + ctx->ge_offset 104| | * 105| | * comb(d, G/2) function is then computed by summing + or - 2^(i-1)*G, for i=0..COMB_BITS-1, 106| | * depending on the value of the bits d[i] of the binary representation of scalar d. 107| | */ 108| | 109| | /* Compute the scalar d = (gn + ctx->scalar_offset). */ 110| 5.72k| secp256k1_scalar_add(&d, &ctx->scalar_offset, gn); 111| | /* Convert to recoded array. */ 112| 51.5k| for (i = 0; i < 8 && i < ((COMB_BITS + 31) >> 5); ++i) { ------------------ | | 84| 45.8k|#define COMB_BITS (COMB_BLOCKS * COMB_TEETH * COMB_SPACING) | | ------------------ | | | | 78| 45.8k|#define COMB_SPACING CEIL_DIV(COMB_RANGE, COMB_BLOCKS * COMB_TEETH) | | | | ------------------ | | | | | | 180| 45.8k|#define CEIL_DIV(x, y) (1 + ((x) - 1) / (y)) | | | | ------------------ | | ------------------ ------------------ | Branch (112:17): [True: 45.8k, False: 5.72k] | Branch (112:26): [True: 45.8k, False: 0] ------------------ 113| 45.8k| recoded[i] = secp256k1_scalar_get_bits_limb32(&d, 32 * i, 32); 114| 45.8k| } 115| 5.72k| secp256k1_scalar_clear(&d); 116| | 117| | /* In secp256k1_ecmult_gen_prec_table we have precomputed sums of the 118| | * (2*d[i]-1) * 2^(i-1) * G points, for various combinations of i positions. 119| | * We rewrite our equation in terms of these table entries. 120| | * 121| | * Let mask(b) = sum(2^((b*COMB_TEETH + t)*COMB_SPACING) for t=0..COMB_TEETH-1), 122| | * with b ranging from 0 to COMB_BLOCKS-1. So for example with COMB_BLOCKS=11, 123| | * COMB_TEETH=6, COMB_SPACING=4, we would have: 124| | * mask(0) = 2^0 + 2^4 + 2^8 + 2^12 + 2^16 + 2^20, 125| | * mask(1) = 2^24 + 2^28 + 2^32 + 2^36 + 2^40 + 2^44, 126| | * mask(2) = 2^48 + 2^52 + 2^56 + 2^60 + 2^64 + 2^68, 127| | * ... 128| | * mask(10) = 2^240 + 2^244 + 2^248 + 2^252 + 2^256 + 2^260 129| | * 130| | * We will split up the bits d[i] using these masks. Specifically, each mask is 131| | * used COMB_SPACING times, with different shifts: 132| | * 133| | * d = (d & mask(0)<<0) + (d & mask(1)<<0) + ... + (d & mask(COMB_BLOCKS-1)<<0) + 134| | * (d & mask(0)<<1) + (d & mask(1)<<1) + ... + (d & mask(COMB_BLOCKS-1)<<1) + 135| | * ... 136| | * (d & mask(0)<<(COMB_SPACING-1)) + ... 137| | * 138| | * Now define table(b, m) = (m - mask(b)/2) * G, and we will precompute these values for 139| | * b=0..COMB_BLOCKS-1, and for all values m which (d & mask(b)) can take (so m can take on 140| | * 2^COMB_TEETH distinct values). 141| | * 142| | * If m=(d & mask(b)), then table(b, m) is the sum of 2^i * (2*d[i]-1) * G/2, with i 143| | * iterating over the set bits in mask(b). In our example, table(2, 2^48 + 2^56 + 2^68) 144| | * would equal (2^48 - 2^52 + 2^56 - 2^60 - 2^64 + 2^68) * G/2. 145| | * 146| | * With that, we can rewrite comb(d, G/2) as: 147| | * 148| | * 2^0 * (table(0, d>>0 & mask(0)) + ... + table(COMB_BLOCKS-1, d>>0 & mask(COMP_BLOCKS-1))) 149| | * + 2^1 * (table(0, d>>1 & mask(0)) + ... + table(COMB_BLOCKS-1, d>>1 & mask(COMP_BLOCKS-1))) 150| | * + 2^2 * (table(0, d>>2 & mask(0)) + ... + table(COMB_BLOCKS-1, d>>2 & mask(COMP_BLOCKS-1))) 151| | * + ... 152| | * + 2^(COMB_SPACING-1) * (table(0, d>>(COMB_SPACING-1) & mask(0)) + ...) 153| | * 154| | * Or more generically as 155| | * 156| | * sum(2^i * sum(table(b, d>>i & mask(b)), b=0..COMB_BLOCKS-1), i=0..COMB_SPACING-1) 157| | * 158| | * This is implemented using an outer loop that runs in reverse order over the lines of this 159| | * equation, which in each iteration runs an inner loop that adds the terms of that line and 160| | * then doubles the result before proceeding to the next line. 161| | * 162| | * In pseudocode: 163| | * c = infinity 164| | * for comb_off in range(COMB_SPACING - 1, -1, -1): 165| | * for block in range(COMB_BLOCKS): 166| | * c += table(block, (d >> comb_off) & mask(block)) 167| | * if comb_off > 0: 168| | * c = 2*c 169| | * return c 170| | * 171| | * This computes c = comb(d, G/2), and thus finally R = c + ctx->ge_offset. Note that it would 172| | * be possible to apply an initial offset instead of a final offset (moving ge_offset to take 173| | * the place of infinity above), but the chosen approach allows using (in a future improvement) 174| | * an incomplete addition formula for most of the multiplication. 175| | * 176| | * The last question is how to implement the table(b, m) function. For any value of b, 177| | * m=(d & mask(b)) can only take on at most 2^COMB_TEETH possible values (the last one may have 178| | * fewer as there mask(b) may exceed the curve order). So we could create COMB_BLOCK tables 179| | * which contain a value for each such m value. 180| | * 181| | * Now note that if m=(d & mask(b)), then flipping the relevant bits of m results in negating 182| | * the result of table(b, m). This is because table(b,m XOR mask(b)) = table(b, mask(b) - m) = 183| | * (mask(b) - m - mask(b)/2)*G = (-m + mask(b)/2)*G = -(m - mask(b)/2)*G = -table(b, m). 184| | * Because of this it suffices to only store the first half of the m values for every b. If an 185| | * entry from the second half is needed, we look up its bit-flipped version instead, and negate 186| | * it. 187| | * 188| | * secp256k1_ecmult_gen_prec_table[b][index] stores the table(b, m) entries. Index 189| | * is the relevant mask(b) bits of m packed together without gaps. */ 190| | 191| | /* Outer loop: iterate over comb_off from COMB_SPACING - 1 down to 0. */ 192| 5.72k| comb_off = COMB_SPACING - 1; ------------------ | | 78| 5.72k|#define COMB_SPACING CEIL_DIV(COMB_RANGE, COMB_BLOCKS * COMB_TEETH) | | ------------------ | | | | 180| 5.72k|#define CEIL_DIV(x, y) (1 + ((x) - 1) / (y)) | | ------------------ ------------------ 193| 5.72k| while (1) { ------------------ | Branch (193:12): [Folded - Ignored] ------------------ 194| 5.72k| uint32_t block; 195| 5.72k| uint32_t bit_pos = comb_off; 196| | /* Inner loop: for each block, add table entries to the result. */ 197| 251k| for (block = 0; block < COMB_BLOCKS; ++block) { ------------------ | Branch (197:25): [True: 246k, False: 5.72k] ------------------ 198| | /* Gather the mask(block)-selected bits of d into bits. They're packed: 199| | * bits[tooth] = d[(block*COMB_TEETH + tooth)*COMB_SPACING + comb_off]. */ 200| 246k| uint32_t bits = 0, sign, abs, index, tooth; 201| | /* Instead of reading individual bits here to construct the bits variable, 202| | * build up the result by xoring rotated reads together. In every iteration, 203| | * one additional bit is made correct, starting at the bottom. The bits 204| | * above that contain junk. This reduces leakage by avoiding computations 205| | * on variables that can have only a low number of possible values (e.g., 206| | * just two values when reading a single bit into a variable.) See: 207| | * https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-alam.pdf 208| | */ 209| 1.72M| for (tooth = 0; tooth < COMB_TEETH; ++tooth) { ------------------ | Branch (209:29): [True: 1.47M, False: 246k] ------------------ 210| | /* Construct bitdata s.t. the bottom bit is the bit we'd like to read. 211| | * 212| | * We could just set bitdata = recoded[bit_pos >> 5] >> (bit_pos & 0x1f) 213| | * but this would simply discard the bits that fall off at the bottom, 214| | * and thus, for example, bitdata could still have only two values if we 215| | * happen to shift by exactly 31 positions. We use a rotation instead, 216| | * which ensures that bitdata doesn't loose entropy. This relies on the 217| | * rotation being atomic, i.e., the compiler emitting an actual rot 218| | * instruction. */ 219| 1.47M| uint32_t bitdata = secp256k1_rotr32(recoded[bit_pos >> 5], bit_pos & 0x1f); 220| | 221| | /* Clear the bit at position tooth, but sssh, don't tell clang. */ 222| 1.47M| uint32_t volatile vmask = ~(1 << tooth); 223| 1.47M| bits &= vmask; 224| | 225| | /* Write the bit into position tooth (and junk into higher bits). */ 226| 1.47M| bits ^= bitdata << tooth; 227| 1.47M| bit_pos += COMB_SPACING; ------------------ | | 78| 1.47M|#define COMB_SPACING CEIL_DIV(COMB_RANGE, COMB_BLOCKS * COMB_TEETH) | | ------------------ | | | | 180| 1.47M|#define CEIL_DIV(x, y) (1 + ((x) - 1) / (y)) | | ------------------ ------------------ 228| 1.47M| } 229| | 230| | /* If the top bit of bits is 1, flip them all (corresponding to looking up 231| | * the negated table value), and remember to negate the result in sign. */ 232| 246k| sign = (bits >> (COMB_TEETH - 1)) & 1; 233| 246k| abs = (bits ^ -sign) & (COMB_POINTS - 1); ------------------ | | 86| 246k|#define COMB_POINTS (1 << (COMB_TEETH - 1)) ------------------ 234| 246k| VERIFY_CHECK(sign == 0 || sign == 1); 235| 246k| VERIFY_CHECK(abs < COMB_POINTS); 236| | 237| | /** This uses a conditional move to avoid any secret data in array indexes. 238| | * _Any_ use of secret indexes has been demonstrated to result in timing 239| | * sidechannels, even when the cache-line access patterns are uniform. 240| | * See also: 241| | * "A word of warning", CHES 2013 Rump Session, by Daniel J. Bernstein and Peter Schwabe 242| | * (https://cryptojedi.org/peter/data/chesrump-20130822.pdf) and 243| | * "Cache Attacks and Countermeasures: the Case of AES", RSA 2006, 244| | * by Dag Arne Osvik, Adi Shamir, and Eran Tromer 245| | * (https://www.tau.ac.il/~tromer/papers/cache.pdf) 246| | */ 247| 8.12M| for (index = 0; index < COMB_POINTS; ++index) { ------------------ | | 86| 8.12M|#define COMB_POINTS (1 << (COMB_TEETH - 1)) ------------------ | Branch (247:29): [True: 7.88M, False: 246k] ------------------ 248| 7.88M| secp256k1_ge_storage_cmov(&adds, &secp256k1_ecmult_gen_prec_table[block][index], index == abs); 249| 7.88M| } 250| | 251| | /* Set add=adds or add=-adds, in constant time, based on sign. */ 252| 246k| secp256k1_ge_from_storage(&add, &adds); 253| 246k| secp256k1_fe_negate(&neg, &add.y, 1); ------------------ | | 211| 246k|#define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) | | ------------------ | | | | 77| 246k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 246k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 246k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 246k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 246k, False: 0] | | | | ------------------ | | | | 83| 246k| } \ | | | | 84| 246k| stmt; \ | | | | 85| 246k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 254| 246k| secp256k1_fe_cmov(&add.y, &neg, sign); ------------------ | | 95| 246k|# define secp256k1_fe_cmov secp256k1_fe_impl_cmov ------------------ 255| | 256| | /* Add the looked up and conditionally negated value to r. */ 257| 246k| if (EXPECT(first, 0)) { ------------------ | | 136| 246k|#define EXPECT(x,c) __builtin_expect((x),(c)) | | ------------------ | | | Branch (136:21): [True: 5.72k, False: 240k] | | ------------------ ------------------ 258| | /* If this is the first table lookup, we can skip addition. */ 259| 5.72k| secp256k1_gej_set_ge(r, &add); 260| | /* Give the entry a random Z coordinate to blind intermediary results. */ 261| 5.72k| secp256k1_gej_rescale(r, &ctx->proj_blind); 262| 5.72k| first = 0; 263| 240k| } else { 264| 240k| secp256k1_gej_add_ge(r, r, &add); 265| 240k| } 266| 246k| } 267| | 268| | /* Double the result, except in the last iteration. */ 269| 5.72k| if (comb_off-- == 0) break; ------------------ | Branch (269:13): [True: 5.72k, False: 0] ------------------ 270| 0| secp256k1_gej_double(r, r); 271| 0| } 272| | 273| | /* Correct for the scalar_offset added at the start (ge_offset = b*G, while b was 274| | * subtracted from the input scalar gn). */ 275| 5.72k| secp256k1_gej_add_ge(r, r, &ctx->ge_offset); 276| | 277| | /* Cleanup. */ 278| 5.72k| secp256k1_fe_clear(&neg); 279| 5.72k| secp256k1_ge_clear(&add); 280| 5.72k| secp256k1_memclear(&adds, sizeof(adds)); 281| 5.72k| secp256k1_memclear(&recoded, sizeof(recoded)); 282| 5.72k|} secp256k1.c:secp256k1_ecmult_odd_multiples_table: 73| 5.91k|static void secp256k1_ecmult_odd_multiples_table(int n, secp256k1_ge *pre_a, secp256k1_fe *zr, secp256k1_fe *z, const secp256k1_gej *a) { 74| 5.91k| secp256k1_gej d, ai; 75| 5.91k| secp256k1_ge d_ge; 76| 5.91k| int i; 77| | 78| 5.91k| VERIFY_CHECK(!a->infinity); 79| | 80| 5.91k| secp256k1_gej_double_var(&d, a, NULL); 81| | 82| | /* 83| | * Perform the additions using an isomorphic curve Y^2 = X^3 + 7*C^6 where C := d.z. 84| | * The isomorphism, phi, maps a secp256k1 point (x, y) to the point (x*C^2, y*C^3) on the other curve. 85| | * In Jacobian coordinates phi maps (x, y, z) to (x*C^2, y*C^3, z) or, equivalently to (x, y, z/C). 86| | * 87| | * phi(x, y, z) = (x*C^2, y*C^3, z) = (x, y, z/C) 88| | * d_ge := phi(d) = (d.x, d.y, 1) 89| | * ai := phi(a) = (a.x*C^2, a.y*C^3, a.z) 90| | * 91| | * The group addition functions work correctly on these isomorphic curves. 92| | * In particular phi(d) is easy to represent in affine coordinates under this isomorphism. 93| | * This lets us use the faster secp256k1_gej_add_ge_var group addition function that we wouldn't be able to use otherwise. 94| | */ 95| 5.91k| secp256k1_ge_set_xy(&d_ge, &d.x, &d.y); 96| 5.91k| secp256k1_ge_set_gej_zinv(&pre_a[0], a, &d.z); 97| 5.91k| secp256k1_gej_set_ge(&ai, &pre_a[0]); 98| 5.91k| ai.z = a->z; 99| | 100| | /* pre_a[0] is the point (a.x*C^2, a.y*C^3, a.z*C) which is equivalent to a. 101| | * Set zr[0] to C, which is the ratio between the omitted z(pre_a[0]) value and a.z. 102| | */ 103| 5.91k| zr[0] = d.z; 104| | 105| 94.5k| for (i = 1; i < n; i++) { ------------------ | Branch (105:17): [True: 88.6k, False: 5.91k] ------------------ 106| 88.6k| secp256k1_gej_add_ge_var(&ai, &ai, &d_ge, &zr[i]); 107| 88.6k| secp256k1_ge_set_xy(&pre_a[i], &ai.x, &ai.y); 108| 88.6k| } 109| | 110| | /* Multiply the last z-coordinate by C to undo the isomorphism. 111| | * Since the z-coordinates of the pre_a values are implied by the zr array of z-coordinate ratios, 112| | * undoing the isomorphism here undoes the isomorphism for all pre_a values. 113| | */ 114| 5.91k| secp256k1_fe_mul(z, &ai.z, &d.z); ------------------ | | 93| 5.91k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 115| 5.91k|} secp256k1.c:secp256k1_fe_impl_sqr: 345| 8.50M|SECP256K1_INLINE static void secp256k1_fe_impl_sqr(secp256k1_fe *r, const secp256k1_fe *a) { 346| 8.50M| secp256k1_fe_sqr_inner(r->n, a->n); 347| 8.50M|} secp256k1.c:secp256k1_fe_impl_mul: 341| 7.55M|SECP256K1_INLINE static void secp256k1_fe_impl_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe * SECP256K1_RESTRICT b) { 342| 7.55M| secp256k1_fe_mul_inner(r->n, a->n, b->n); 343| 7.55M|} secp256k1.c:secp256k1_fe_impl_add_int: 329| 30.9k|SECP256K1_INLINE static void secp256k1_fe_impl_add_int(secp256k1_fe *r, int a) { 330| 30.9k| r->n[0] += a; 331| 30.9k|} secp256k1.c:secp256k1_fe_impl_from_storage: 435| 492k|static SECP256K1_INLINE void secp256k1_fe_impl_from_storage(secp256k1_fe *r, const secp256k1_fe_storage *a) { 436| 492k| r->n[0] = a->n[0] & 0xFFFFFFFFFFFFFULL; 437| 492k| r->n[1] = a->n[0] >> 52 | ((a->n[1] << 12) & 0xFFFFFFFFFFFFFULL); 438| 492k| r->n[2] = a->n[1] >> 40 | ((a->n[2] << 24) & 0xFFFFFFFFFFFFFULL); 439| 492k| r->n[3] = a->n[2] >> 28 | ((a->n[3] << 36) & 0xFFFFFFFFFFFFFULL); 440| 492k| r->n[4] = a->n[3] >> 16; 441| 492k|} secp256k1.c:secp256k1_fe_impl_is_zero: 206| 45.9k|SECP256K1_INLINE static int secp256k1_fe_impl_is_zero(const secp256k1_fe *a) { 207| 45.9k| const uint64_t *t = a->n; 208| 45.9k| return (t[0] | t[1] | t[2] | t[3] | t[4]) == 0; 209| 45.9k|} secp256k1.c:secp256k1_fe_impl_add: 333| 7.51M|SECP256K1_INLINE static void secp256k1_fe_impl_add(secp256k1_fe *r, const secp256k1_fe *a) { 334| 7.51M| r->n[0] += a->n[0]; 335| 7.51M| r->n[1] += a->n[1]; 336| 7.51M| r->n[2] += a->n[2]; 337| 7.51M| r->n[3] += a->n[3]; 338| 7.51M| r->n[4] += a->n[4]; 339| 7.51M|} secp256k1.c:secp256k1_fe_storage_cmov: 416| 15.7M|static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag) { 417| 15.7M| uint64_t mask0, mask1; 418| 15.7M| volatile int vflag = flag; 419| 15.7M| SECP256K1_CHECKMEM_CHECK_VERIFY(r->n, sizeof(r->n)); ------------------ | | 99| 15.7M|#define SECP256K1_CHECKMEM_CHECK_VERIFY(p, len) SECP256K1_CHECKMEM_NOOP((p), (len)) | | ------------------ | | | | 42| 15.7M|#define SECP256K1_CHECKMEM_NOOP(p, len) do { (void)(p); (void)(len); } while(0) | | | | ------------------ | | | | | Branch (42:78): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 420| 15.7M| mask0 = vflag + ~((uint64_t)0); 421| 15.7M| mask1 = ~mask0; 422| 15.7M| r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1); 423| 15.7M| r->n[1] = (r->n[1] & mask0) | (a->n[1] & mask1); 424| 15.7M| r->n[2] = (r->n[2] & mask0) | (a->n[2] & mask1); 425| 15.7M| r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1); 426| 15.7M|} secp256k1.c:secp256k1_fe_impl_negate_unchecked: 306| 4.01M|SECP256K1_INLINE static void secp256k1_fe_impl_negate_unchecked(secp256k1_fe *r, const secp256k1_fe *a, int m) { 307| | /* For all legal values of m (0..31), the following properties hold: */ 308| 4.01M| VERIFY_CHECK(0xFFFFEFFFFFC2FULL * 2 * (m + 1) >= 0xFFFFFFFFFFFFFULL * 2 * m); 309| 4.01M| VERIFY_CHECK(0xFFFFFFFFFFFFFULL * 2 * (m + 1) >= 0xFFFFFFFFFFFFFULL * 2 * m); 310| 4.01M| VERIFY_CHECK(0x0FFFFFFFFFFFFULL * 2 * (m + 1) >= 0x0FFFFFFFFFFFFULL * 2 * m); 311| | 312| | /* Due to the properties above, the left hand in the subtractions below is never less than 313| | * the right hand. */ 314| 4.01M| r->n[0] = 0xFFFFEFFFFFC2FULL * 2 * (m + 1) - a->n[0]; 315| 4.01M| r->n[1] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[1]; 316| 4.01M| r->n[2] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[2]; 317| 4.01M| r->n[3] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[3]; 318| 4.01M| r->n[4] = 0x0FFFFFFFFFFFFULL * 2 * (m + 1) - a->n[4]; 319| 4.01M|} secp256k1.c:secp256k1_fe_impl_cmov: 349| 13.0M|SECP256K1_INLINE static void secp256k1_fe_impl_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag) { 350| 13.0M| uint64_t mask0, mask1; 351| 13.0M| volatile int vflag = flag; 352| 13.0M| SECP256K1_CHECKMEM_CHECK_VERIFY(r->n, sizeof(r->n)); ------------------ | | 99| 13.0M|#define SECP256K1_CHECKMEM_CHECK_VERIFY(p, len) SECP256K1_CHECKMEM_NOOP((p), (len)) | | ------------------ | | | | 42| 13.0M|#define SECP256K1_CHECKMEM_NOOP(p, len) do { (void)(p); (void)(len); } while(0) | | | | ------------------ | | | | | Branch (42:78): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 353| 13.0M| mask0 = vflag + ~((uint64_t)0); 354| 13.0M| mask1 = ~mask0; 355| 13.0M| r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1); 356| 13.0M| r->n[1] = (r->n[1] & mask0) | (a->n[1] & mask1); 357| 13.0M| r->n[2] = (r->n[2] & mask0) | (a->n[2] & mask1); 358| 13.0M| r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1); 359| 13.0M| r->n[4] = (r->n[4] & mask0) | (a->n[4] & mask1); 360| 13.0M|} secp256k1.c:secp256k1_fe_impl_mul_int_unchecked: 321| 1.87M|SECP256K1_INLINE static void secp256k1_fe_impl_mul_int_unchecked(secp256k1_fe *r, int a) { 322| 1.87M| r->n[0] *= a; 323| 1.87M| r->n[1] *= a; 324| 1.87M| r->n[2] *= a; 325| 1.87M| r->n[3] *= a; 326| 1.87M| r->n[4] *= a; 327| 1.87M|} secp256k1.c:secp256k1_fe_impl_half: 362| 1.29M|static SECP256K1_INLINE void secp256k1_fe_impl_half(secp256k1_fe *r) { 363| 1.29M| uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; 364| 1.29M| uint64_t one = (uint64_t)1; 365| 1.29M| uint64_t mask = -(t0 & one) >> 12; 366| | 367| | /* Bounds analysis (over the rationals). 368| | * 369| | * Let m = r->magnitude 370| | * C = 0xFFFFFFFFFFFFFULL * 2 371| | * D = 0x0FFFFFFFFFFFFULL * 2 372| | * 373| | * Initial bounds: t0..t3 <= C * m 374| | * t4 <= D * m 375| | */ 376| | 377| 1.29M| t0 += 0xFFFFEFFFFFC2FULL & mask; 378| 1.29M| t1 += mask; 379| 1.29M| t2 += mask; 380| 1.29M| t3 += mask; 381| 1.29M| t4 += mask >> 4; 382| | 383| 1.29M| VERIFY_CHECK((t0 & one) == 0); 384| | 385| | /* t0..t3: added <= C/2 386| | * t4: added <= D/2 387| | * 388| | * Current bounds: t0..t3 <= C * (m + 1/2) 389| | * t4 <= D * (m + 1/2) 390| | */ 391| | 392| 1.29M| r->n[0] = (t0 >> 1) + ((t1 & one) << 51); 393| 1.29M| r->n[1] = (t1 >> 1) + ((t2 & one) << 51); 394| 1.29M| r->n[2] = (t2 >> 1) + ((t3 & one) << 51); 395| 1.29M| r->n[3] = (t3 >> 1) + ((t4 & one) << 51); 396| 1.29M| r->n[4] = (t4 >> 1); 397| | 398| | /* t0..t3: shifted right and added <= C/4 + 1/2 399| | * t4: shifted right 400| | * 401| | * Current bounds: t0..t3 <= C * (m/2 + 1/2) 402| | * t4 <= D * (m/2 + 1/4) 403| | * 404| | * Therefore the output magnitude (M) has to be set such that: 405| | * t0..t3: C * M >= C * (m/2 + 1/2) 406| | * t4: D * M >= D * (m/2 + 1/4) 407| | * 408| | * It suffices for all limbs that, for any input magnitude m: 409| | * M >= m/2 + 1/2 410| | * 411| | * and since we want the smallest such integer value for M: 412| | * M == floor(m/2) + 1 413| | */ 414| 1.29M|} secp256k1.c:secp256k1_fe_impl_normalize_weak: 80| 55.9k|static void secp256k1_fe_impl_normalize_weak(secp256k1_fe *r) { 81| 55.9k| uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; 82| | 83| | /* Reduce t4 at the start so there will be at most a single carry from the first pass */ 84| 55.9k| uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL; 85| | 86| | /* The first pass ensures the magnitude is 1, ... */ 87| 55.9k| t0 += x * 0x1000003D1ULL; 88| 55.9k| t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; 89| 55.9k| t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; 90| 55.9k| t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; 91| 55.9k| t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; 92| | 93| | /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */ 94| 55.9k| VERIFY_CHECK(t4 >> 49 == 0); 95| | 96| 55.9k| r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4; 97| 55.9k|} secp256k1.c:secp256k1_fe_impl_normalizes_to_zero: 137| 1.10M|static int secp256k1_fe_impl_normalizes_to_zero(const secp256k1_fe *r) { 138| 1.10M| uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; 139| | 140| | /* z0 tracks a possible raw value of 0, z1 tracks a possible raw value of P */ 141| 1.10M| uint64_t z0, z1; 142| | 143| | /* Reduce t4 at the start so there will be at most a single carry from the first pass */ 144| 1.10M| uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL; 145| | 146| | /* The first pass ensures the magnitude is 1, ... */ 147| 1.10M| t0 += x * 0x1000003D1ULL; 148| 1.10M| t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; z0 = t0; z1 = t0 ^ 0x1000003D0ULL; 149| 1.10M| t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; z0 |= t1; z1 &= t1; 150| 1.10M| t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; z0 |= t2; z1 &= t2; 151| 1.10M| t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; z0 |= t3; z1 &= t3; 152| 1.10M| z0 |= t4; z1 &= t4 ^ 0xF000000000000ULL; 153| | 154| | /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */ 155| 1.10M| VERIFY_CHECK(t4 >> 49 == 0); 156| | 157| 1.10M| return (z0 == 0) | (z1 == 0xFFFFFFFFFFFFFULL); 158| 1.10M|} secp256k1.c:secp256k1_fe_impl_set_int: 201| 29.1k|SECP256K1_INLINE static void secp256k1_fe_impl_set_int(secp256k1_fe *r, int a) { 202| 29.1k| r->n[0] = a; 203| 29.1k| r->n[1] = r->n[2] = r->n[3] = r->n[4] = 0; 204| 29.1k|} secp256k1.c:secp256k1_fe_impl_inv: 479| 11.6k|static void secp256k1_fe_impl_inv(secp256k1_fe *r, const secp256k1_fe *x) { 480| 11.6k| secp256k1_fe tmp = *x; 481| 11.6k| secp256k1_modinv64_signed62 s; 482| | 483| 11.6k| secp256k1_fe_normalize(&tmp); ------------------ | | 78| 11.6k|# define secp256k1_fe_normalize secp256k1_fe_impl_normalize ------------------ 484| 11.6k| secp256k1_fe_to_signed62(&s, &tmp); 485| 11.6k| secp256k1_modinv64(&s, &secp256k1_const_modinfo_fe); 486| 11.6k| secp256k1_fe_from_signed62(r, &s); 487| 11.6k|} secp256k1.c:secp256k1_fe_to_signed62: 463| 63.3k|static void secp256k1_fe_to_signed62(secp256k1_modinv64_signed62 *r, const secp256k1_fe *a) { 464| 63.3k| const uint64_t M62 = UINT64_MAX >> 2; 465| 63.3k| const uint64_t a0 = a->n[0], a1 = a->n[1], a2 = a->n[2], a3 = a->n[3], a4 = a->n[4]; 466| | 467| 63.3k| r->v[0] = (a0 | a1 << 52) & M62; 468| 63.3k| r->v[1] = (a1 >> 10 | a2 << 42) & M62; 469| 63.3k| r->v[2] = (a2 >> 20 | a3 << 32) & M62; 470| 63.3k| r->v[3] = (a3 >> 30 | a4 << 22) & M62; 471| 63.3k| r->v[4] = a4 >> 40; 472| 63.3k|} secp256k1.c:secp256k1_fe_from_signed62: 443| 17.3k|static void secp256k1_fe_from_signed62(secp256k1_fe *r, const secp256k1_modinv64_signed62 *a) { 444| 17.3k| const uint64_t M52 = UINT64_MAX >> 12; 445| 17.3k| const uint64_t a0 = a->v[0], a1 = a->v[1], a2 = a->v[2], a3 = a->v[3], a4 = a->v[4]; 446| | 447| | /* The output from secp256k1_modinv64{_var} should be normalized to range [0,modulus), and 448| | * have limbs in [0,2^62). The modulus is < 2^256, so the top limb must be below 2^(256-62*4). 449| | */ 450| 17.3k| VERIFY_CHECK(a0 >> 62 == 0); 451| 17.3k| VERIFY_CHECK(a1 >> 62 == 0); 452| 17.3k| VERIFY_CHECK(a2 >> 62 == 0); 453| 17.3k| VERIFY_CHECK(a3 >> 62 == 0); 454| 17.3k| VERIFY_CHECK(a4 >> 8 == 0); 455| | 456| 17.3k| r->n[0] = a0 & M52; 457| 17.3k| r->n[1] = (a0 >> 52 | a1 << 10) & M52; 458| 17.3k| r->n[2] = (a1 >> 42 | a2 << 20) & M52; 459| 17.3k| r->n[3] = (a2 >> 32 | a3 << 30) & M52; 460| 17.3k| r->n[4] = (a3 >> 22 | a4 << 40); 461| 17.3k|} secp256k1.c:secp256k1_fe_impl_get_b32: 271| 11.6k|static void secp256k1_fe_impl_get_b32(unsigned char *r, const secp256k1_fe *a) { 272| 11.6k| r[0] = (a->n[4] >> 40) & 0xFF; 273| 11.6k| r[1] = (a->n[4] >> 32) & 0xFF; 274| 11.6k| r[2] = (a->n[4] >> 24) & 0xFF; 275| 11.6k| r[3] = (a->n[4] >> 16) & 0xFF; 276| 11.6k| r[4] = (a->n[4] >> 8) & 0xFF; 277| 11.6k| r[5] = a->n[4] & 0xFF; 278| 11.6k| r[6] = (a->n[3] >> 44) & 0xFF; 279| 11.6k| r[7] = (a->n[3] >> 36) & 0xFF; 280| 11.6k| r[8] = (a->n[3] >> 28) & 0xFF; 281| 11.6k| r[9] = (a->n[3] >> 20) & 0xFF; 282| 11.6k| r[10] = (a->n[3] >> 12) & 0xFF; 283| 11.6k| r[11] = (a->n[3] >> 4) & 0xFF; 284| 11.6k| r[12] = ((a->n[2] >> 48) & 0xF) | ((a->n[3] & 0xF) << 4); 285| 11.6k| r[13] = (a->n[2] >> 40) & 0xFF; 286| 11.6k| r[14] = (a->n[2] >> 32) & 0xFF; 287| 11.6k| r[15] = (a->n[2] >> 24) & 0xFF; 288| 11.6k| r[16] = (a->n[2] >> 16) & 0xFF; 289| 11.6k| r[17] = (a->n[2] >> 8) & 0xFF; 290| 11.6k| r[18] = a->n[2] & 0xFF; 291| 11.6k| r[19] = (a->n[1] >> 44) & 0xFF; 292| 11.6k| r[20] = (a->n[1] >> 36) & 0xFF; 293| 11.6k| r[21] = (a->n[1] >> 28) & 0xFF; 294| 11.6k| r[22] = (a->n[1] >> 20) & 0xFF; 295| 11.6k| r[23] = (a->n[1] >> 12) & 0xFF; 296| 11.6k| r[24] = (a->n[1] >> 4) & 0xFF; 297| 11.6k| r[25] = ((a->n[0] >> 48) & 0xF) | ((a->n[1] & 0xF) << 4); 298| 11.6k| r[26] = (a->n[0] >> 40) & 0xFF; 299| 11.6k| r[27] = (a->n[0] >> 32) & 0xFF; 300| 11.6k| r[28] = (a->n[0] >> 24) & 0xFF; 301| 11.6k| r[29] = (a->n[0] >> 16) & 0xFF; 302| 11.6k| r[30] = (a->n[0] >> 8) & 0xFF; 303| 11.6k| r[31] = a->n[0] & 0xFF; 304| 11.6k|} secp256k1.c:secp256k1_fe_impl_normalize_var: 99| 71.8k|static void secp256k1_fe_impl_normalize_var(secp256k1_fe *r) { 100| 71.8k| uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; 101| | 102| | /* Reduce t4 at the start so there will be at most a single carry from the first pass */ 103| 71.8k| uint64_t m; 104| 71.8k| uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL; 105| | 106| | /* The first pass ensures the magnitude is 1, ... */ 107| 71.8k| t0 += x * 0x1000003D1ULL; 108| 71.8k| t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; 109| 71.8k| t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; m = t1; 110| 71.8k| t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; m &= t2; 111| 71.8k| t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; m &= t3; 112| | 113| | /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */ 114| 71.8k| VERIFY_CHECK(t4 >> 49 == 0); 115| | 116| | /* At most a single final reduction is needed; check if the value is >= the field characteristic */ 117| 71.8k| x = (t4 >> 48) | ((t4 == 0x0FFFFFFFFFFFFULL) & (m == 0xFFFFFFFFFFFFFULL) 118| 71.8k| & (t0 >= 0xFFFFEFFFFFC2FULL)); 119| | 120| 71.8k| if (x) { ------------------ | Branch (120:9): [True: 0, False: 71.8k] ------------------ 121| 0| t0 += 0x1000003D1ULL; 122| 0| t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; 123| 0| t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; 124| 0| t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; 125| 0| t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; 126| | 127| | /* If t4 didn't carry to bit 48 already, then it should have after any final reduction */ 128| 0| VERIFY_CHECK(t4 >> 48 == x); 129| | 130| | /* Mask off the possible multiple of 2^256 from the final reduction */ 131| 0| t4 &= 0x0FFFFFFFFFFFFULL; 132| 0| } 133| | 134| 71.8k| r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4; 135| 71.8k|} secp256k1.c:secp256k1_fe_impl_is_odd: 211| 11.4k|SECP256K1_INLINE static int secp256k1_fe_impl_is_odd(const secp256k1_fe *a) { 212| 11.4k| return a->n[0] & 1; 213| 11.4k|} secp256k1.c:secp256k1_fe_impl_normalizes_to_zero_var: 160| 111k|static int secp256k1_fe_impl_normalizes_to_zero_var(const secp256k1_fe *r) { 161| 111k| uint64_t t0, t1, t2, t3, t4; 162| 111k| uint64_t z0, z1; 163| 111k| uint64_t x; 164| | 165| 111k| t0 = r->n[0]; 166| 111k| t4 = r->n[4]; 167| | 168| | /* Reduce t4 at the start so there will be at most a single carry from the first pass */ 169| 111k| x = t4 >> 48; 170| | 171| | /* The first pass ensures the magnitude is 1, ... */ 172| 111k| t0 += x * 0x1000003D1ULL; 173| | 174| | /* z0 tracks a possible raw value of 0, z1 tracks a possible raw value of P */ 175| 111k| z0 = t0 & 0xFFFFFFFFFFFFFULL; 176| 111k| z1 = z0 ^ 0x1000003D0ULL; 177| | 178| | /* Fast return path should catch the majority of cases */ 179| 111k| if ((z0 != 0ULL) & (z1 != 0xFFFFFFFFFFFFFULL)) { ------------------ | Branch (179:9): [True: 111k, False: 0] ------------------ 180| 111k| return 0; 181| 111k| } 182| | 183| 0| t1 = r->n[1]; 184| 0| t2 = r->n[2]; 185| 0| t3 = r->n[3]; 186| | 187| 0| t4 &= 0x0FFFFFFFFFFFFULL; 188| | 189| 0| t1 += (t0 >> 52); 190| 0| t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; z0 |= t1; z1 &= t1; 191| 0| t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; z0 |= t2; z1 &= t2; 192| 0| t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; z0 |= t3; z1 &= t3; 193| 0| z0 |= t4; z1 &= t4 ^ 0xF000000000000ULL; 194| | 195| | /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */ 196| 0| VERIFY_CHECK(t4 >> 49 == 0); 197| | 198| 0| return (z0 == 0) | (z1 == 0xFFFFFFFFFFFFFULL); 199| 111k|} secp256k1.c:secp256k1_fe_impl_inv_var: 489| 5.72k|static void secp256k1_fe_impl_inv_var(secp256k1_fe *r, const secp256k1_fe *x) { 490| 5.72k| secp256k1_fe tmp = *x; 491| 5.72k| secp256k1_modinv64_signed62 s; 492| | 493| 5.72k| secp256k1_fe_normalize_var(&tmp); ------------------ | | 80| 5.72k|# define secp256k1_fe_normalize_var secp256k1_fe_impl_normalize_var ------------------ 494| 5.72k| secp256k1_fe_to_signed62(&s, &tmp); 495| 5.72k| secp256k1_modinv64_var(&s, &secp256k1_const_modinfo_fe); 496| 5.72k| secp256k1_fe_from_signed62(r, &s); 497| 5.72k|} secp256k1.c:secp256k1_fe_impl_is_square_var: 499| 45.9k|static int secp256k1_fe_impl_is_square_var(const secp256k1_fe *x) { 500| 45.9k| secp256k1_fe tmp; 501| 45.9k| secp256k1_modinv64_signed62 s; 502| 45.9k| int jac, ret; 503| | 504| 45.9k| tmp = *x; 505| 45.9k| secp256k1_fe_normalize_var(&tmp); ------------------ | | 80| 45.9k|# define secp256k1_fe_normalize_var secp256k1_fe_impl_normalize_var ------------------ 506| | /* secp256k1_jacobi64_maybe_var cannot deal with input 0. */ 507| 45.9k| if (secp256k1_fe_is_zero(&tmp)) return 1; ------------------ | | 84| 45.9k|# define secp256k1_fe_is_zero secp256k1_fe_impl_is_zero ------------------ | Branch (507:9): [True: 0, False: 45.9k] ------------------ 508| 45.9k| secp256k1_fe_to_signed62(&s, &tmp); 509| 45.9k| jac = secp256k1_jacobi64_maybe_var(&s, &secp256k1_const_modinfo_fe); 510| 45.9k| if (jac == 0) { ------------------ | Branch (510:9): [True: 0, False: 45.9k] ------------------ 511| | /* secp256k1_jacobi64_maybe_var failed to compute the Jacobi symbol. Fall back 512| | * to computing a square root. This should be extremely rare with random 513| | * input (except in VERIFY mode, where a lower iteration count is used). */ 514| 0| secp256k1_fe dummy; 515| 0| ret = secp256k1_fe_sqrt(&dummy, &tmp); 516| 45.9k| } else { 517| 45.9k| ret = jac >= 0; 518| 45.9k| } 519| 45.9k| return ret; 520| 45.9k|} secp256k1.c:secp256k1_fe_impl_set_b32_mod: 228| 36.8k|static void secp256k1_fe_impl_set_b32_mod(secp256k1_fe *r, const unsigned char *a) { 229| 36.8k| r->n[0] = (uint64_t)a[31] 230| 36.8k| | ((uint64_t)a[30] << 8) 231| 36.8k| | ((uint64_t)a[29] << 16) 232| 36.8k| | ((uint64_t)a[28] << 24) 233| 36.8k| | ((uint64_t)a[27] << 32) 234| 36.8k| | ((uint64_t)a[26] << 40) 235| 36.8k| | ((uint64_t)(a[25] & 0xF) << 48); 236| 36.8k| r->n[1] = (uint64_t)((a[25] >> 4) & 0xF) 237| 36.8k| | ((uint64_t)a[24] << 4) 238| 36.8k| | ((uint64_t)a[23] << 12) 239| 36.8k| | ((uint64_t)a[22] << 20) 240| 36.8k| | ((uint64_t)a[21] << 28) 241| 36.8k| | ((uint64_t)a[20] << 36) 242| 36.8k| | ((uint64_t)a[19] << 44); 243| 36.8k| r->n[2] = (uint64_t)a[18] 244| 36.8k| | ((uint64_t)a[17] << 8) 245| 36.8k| | ((uint64_t)a[16] << 16) 246| 36.8k| | ((uint64_t)a[15] << 24) 247| 36.8k| | ((uint64_t)a[14] << 32) 248| 36.8k| | ((uint64_t)a[13] << 40) 249| 36.8k| | ((uint64_t)(a[12] & 0xF) << 48); 250| 36.8k| r->n[3] = (uint64_t)((a[12] >> 4) & 0xF) 251| 36.8k| | ((uint64_t)a[11] << 4) 252| 36.8k| | ((uint64_t)a[10] << 12) 253| 36.8k| | ((uint64_t)a[9] << 20) 254| 36.8k| | ((uint64_t)a[8] << 28) 255| 36.8k| | ((uint64_t)a[7] << 36) 256| 36.8k| | ((uint64_t)a[6] << 44); 257| 36.8k| r->n[4] = (uint64_t)a[5] 258| 36.8k| | ((uint64_t)a[4] << 8) 259| 36.8k| | ((uint64_t)a[3] << 16) 260| 36.8k| | ((uint64_t)a[2] << 24) 261| 36.8k| | ((uint64_t)a[1] << 32) 262| 36.8k| | ((uint64_t)a[0] << 40); 263| 36.8k|} secp256k1.c:secp256k1_fe_impl_normalize: 43| 17.5k|static void secp256k1_fe_impl_normalize(secp256k1_fe *r) { 44| 17.5k| uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; 45| | 46| | /* Reduce t4 at the start so there will be at most a single carry from the first pass */ 47| 17.5k| uint64_t m; 48| 17.5k| uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL; 49| | 50| | /* The first pass ensures the magnitude is 1, ... */ 51| 17.5k| t0 += x * 0x1000003D1ULL; 52| 17.5k| t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; 53| 17.5k| t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; m = t1; 54| 17.5k| t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; m &= t2; 55| 17.5k| t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; m &= t3; 56| | 57| | /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */ 58| 17.5k| VERIFY_CHECK(t4 >> 49 == 0); 59| | 60| | /* At most a single final reduction is needed; check if the value is >= the field characteristic */ 61| 17.5k| x = (t4 >> 48) | ((t4 == 0x0FFFFFFFFFFFFULL) & (m == 0xFFFFFFFFFFFFFULL) 62| 17.5k| & (t0 >= 0xFFFFEFFFFFC2FULL)); 63| | 64| | /* Apply the final reduction (for constant-time behaviour, we do it always) */ 65| 17.5k| t0 += x * 0x1000003D1ULL; 66| 17.5k| t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; 67| 17.5k| t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; 68| 17.5k| t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; 69| 17.5k| t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; 70| | 71| | /* If t4 didn't carry to bit 48 already, then it should have after any final reduction */ 72| 17.5k| VERIFY_CHECK(t4 >> 48 == x); 73| | 74| | /* Mask off the possible multiple of 2^256 from the final reduction */ 75| 17.5k| t4 &= 0x0FFFFFFFFFFFFULL; 76| | 77| 17.5k| r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4; 78| 17.5k|} secp256k1.c:secp256k1_fe_sqr_inner: 154| 8.50M|SECP256K1_INLINE static void secp256k1_fe_sqr_inner(uint64_t *r, const uint64_t *a) { 155| 8.50M| secp256k1_uint128 c, d; 156| 8.50M| uint64_t a0 = a[0], a1 = a[1], a2 = a[2], a3 = a[3], a4 = a[4]; 157| 8.50M| uint64_t t3, t4, tx, u0; 158| 8.50M| const uint64_t M = 0xFFFFFFFFFFFFFULL, R = 0x1000003D10ULL; 159| | 160| 8.50M| VERIFY_BITS(a[0], 56); 161| 8.50M| VERIFY_BITS(a[1], 56); 162| 8.50M| VERIFY_BITS(a[2], 56); 163| 8.50M| VERIFY_BITS(a[3], 56); 164| 8.50M| VERIFY_BITS(a[4], 52); 165| | 166| | /** [... a b c] is a shorthand for ... + a<<104 + b<<52 + c<<0 mod n. 167| | * px is a shorthand for sum(a[i]*a[x-i], i=0..x). 168| | * Note that [x 0 0 0 0 0] = [x*R]. 169| | */ 170| | 171| 8.50M| secp256k1_u128_mul(&d, a0*2, a3); 172| 8.50M| secp256k1_u128_accum_mul(&d, a1*2, a2); 173| 8.50M| VERIFY_BITS_128(&d, 114); 174| | /* [d 0 0 0] = [p3 0 0 0] */ 175| 8.50M| secp256k1_u128_mul(&c, a4, a4); 176| 8.50M| VERIFY_BITS_128(&c, 112); 177| | /* [c 0 0 0 0 d 0 0 0] = [p8 0 0 0 0 p3 0 0 0] */ 178| 8.50M| secp256k1_u128_accum_mul(&d, R, secp256k1_u128_to_u64(&c)); secp256k1_u128_rshift(&c, 64); 179| 8.50M| VERIFY_BITS_128(&d, 115); 180| 8.50M| VERIFY_BITS_128(&c, 48); 181| | /* [(c<<12) 0 0 0 0 0 d 0 0 0] = [p8 0 0 0 0 p3 0 0 0] */ 182| 8.50M| t3 = secp256k1_u128_to_u64(&d) & M; secp256k1_u128_rshift(&d, 52); 183| 8.50M| VERIFY_BITS(t3, 52); 184| 8.50M| VERIFY_BITS_128(&d, 63); 185| | /* [(c<<12) 0 0 0 0 d t3 0 0 0] = [p8 0 0 0 0 p3 0 0 0] */ 186| | 187| 8.50M| a4 *= 2; 188| 8.50M| secp256k1_u128_accum_mul(&d, a0, a4); 189| 8.50M| secp256k1_u128_accum_mul(&d, a1*2, a3); 190| 8.50M| secp256k1_u128_accum_mul(&d, a2, a2); 191| 8.50M| VERIFY_BITS_128(&d, 115); 192| | /* [(c<<12) 0 0 0 0 d t3 0 0 0] = [p8 0 0 0 p4 p3 0 0 0] */ 193| 8.50M| secp256k1_u128_accum_mul(&d, R << 12, secp256k1_u128_to_u64(&c)); 194| 8.50M| VERIFY_BITS_128(&d, 116); 195| | /* [d t3 0 0 0] = [p8 0 0 0 p4 p3 0 0 0] */ 196| 8.50M| t4 = secp256k1_u128_to_u64(&d) & M; secp256k1_u128_rshift(&d, 52); 197| 8.50M| VERIFY_BITS(t4, 52); 198| 8.50M| VERIFY_BITS_128(&d, 64); 199| | /* [d t4 t3 0 0 0] = [p8 0 0 0 p4 p3 0 0 0] */ 200| 8.50M| tx = (t4 >> 48); t4 &= (M >> 4); 201| 8.50M| VERIFY_BITS(tx, 4); 202| 8.50M| VERIFY_BITS(t4, 48); 203| | /* [d t4+(tx<<48) t3 0 0 0] = [p8 0 0 0 p4 p3 0 0 0] */ 204| | 205| 8.50M| secp256k1_u128_mul(&c, a0, a0); 206| 8.50M| VERIFY_BITS_128(&c, 112); 207| | /* [d t4+(tx<<48) t3 0 0 c] = [p8 0 0 0 p4 p3 0 0 p0] */ 208| 8.50M| secp256k1_u128_accum_mul(&d, a1, a4); 209| 8.50M| secp256k1_u128_accum_mul(&d, a2*2, a3); 210| 8.50M| VERIFY_BITS_128(&d, 114); 211| | /* [d t4+(tx<<48) t3 0 0 c] = [p8 0 0 p5 p4 p3 0 0 p0] */ 212| 8.50M| u0 = secp256k1_u128_to_u64(&d) & M; secp256k1_u128_rshift(&d, 52); 213| 8.50M| VERIFY_BITS(u0, 52); 214| 8.50M| VERIFY_BITS_128(&d, 62); 215| | /* [d u0 t4+(tx<<48) t3 0 0 c] = [p8 0 0 p5 p4 p3 0 0 p0] */ 216| | /* [d 0 t4+(tx<<48)+(u0<<52) t3 0 0 c] = [p8 0 0 p5 p4 p3 0 0 p0] */ 217| 8.50M| u0 = (u0 << 4) | tx; 218| 8.50M| VERIFY_BITS(u0, 56); 219| | /* [d 0 t4+(u0<<48) t3 0 0 c] = [p8 0 0 p5 p4 p3 0 0 p0] */ 220| 8.50M| secp256k1_u128_accum_mul(&c, u0, R >> 4); 221| 8.50M| VERIFY_BITS_128(&c, 113); 222| | /* [d 0 t4 t3 0 0 c] = [p8 0 0 p5 p4 p3 0 0 p0] */ 223| 8.50M| r[0] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52); 224| 8.50M| VERIFY_BITS(r[0], 52); 225| 8.50M| VERIFY_BITS_128(&c, 61); 226| | /* [d 0 t4 t3 0 c r0] = [p8 0 0 p5 p4 p3 0 0 p0] */ 227| | 228| 8.50M| a0 *= 2; 229| 8.50M| secp256k1_u128_accum_mul(&c, a0, a1); 230| 8.50M| VERIFY_BITS_128(&c, 114); 231| | /* [d 0 t4 t3 0 c r0] = [p8 0 0 p5 p4 p3 0 p1 p0] */ 232| 8.50M| secp256k1_u128_accum_mul(&d, a2, a4); 233| 8.50M| secp256k1_u128_accum_mul(&d, a3, a3); 234| 8.50M| VERIFY_BITS_128(&d, 114); 235| | /* [d 0 t4 t3 0 c r0] = [p8 0 p6 p5 p4 p3 0 p1 p0] */ 236| 8.50M| secp256k1_u128_accum_mul(&c, secp256k1_u128_to_u64(&d) & M, R); secp256k1_u128_rshift(&d, 52); 237| 8.50M| VERIFY_BITS_128(&c, 115); 238| 8.50M| VERIFY_BITS_128(&d, 62); 239| | /* [d 0 0 t4 t3 0 c r0] = [p8 0 p6 p5 p4 p3 0 p1 p0] */ 240| 8.50M| r[1] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52); 241| 8.50M| VERIFY_BITS(r[1], 52); 242| 8.50M| VERIFY_BITS_128(&c, 63); 243| | /* [d 0 0 t4 t3 c r1 r0] = [p8 0 p6 p5 p4 p3 0 p1 p0] */ 244| | 245| 8.50M| secp256k1_u128_accum_mul(&c, a0, a2); 246| 8.50M| secp256k1_u128_accum_mul(&c, a1, a1); 247| 8.50M| VERIFY_BITS_128(&c, 114); 248| | /* [d 0 0 t4 t3 c r1 r0] = [p8 0 p6 p5 p4 p3 p2 p1 p0] */ 249| 8.50M| secp256k1_u128_accum_mul(&d, a3, a4); 250| 8.50M| VERIFY_BITS_128(&d, 114); 251| | /* [d 0 0 t4 t3 c r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */ 252| 8.50M| secp256k1_u128_accum_mul(&c, R, secp256k1_u128_to_u64(&d)); secp256k1_u128_rshift(&d, 64); 253| 8.50M| VERIFY_BITS_128(&c, 115); 254| 8.50M| VERIFY_BITS_128(&d, 50); 255| | /* [(d<<12) 0 0 0 t4 t3 c r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */ 256| 8.50M| r[2] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52); 257| 8.50M| VERIFY_BITS(r[2], 52); 258| 8.50M| VERIFY_BITS_128(&c, 63); 259| | /* [(d<<12) 0 0 0 t4 t3+c r2 r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */ 260| | 261| 8.50M| secp256k1_u128_accum_mul(&c, R << 12, secp256k1_u128_to_u64(&d)); 262| 8.50M| secp256k1_u128_accum_u64(&c, t3); 263| 8.50M| VERIFY_BITS_128(&c, 100); 264| | /* [t4 c r2 r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */ 265| 8.50M| r[3] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52); 266| 8.50M| VERIFY_BITS(r[3], 52); 267| 8.50M| VERIFY_BITS_128(&c, 48); 268| | /* [t4+c r3 r2 r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */ 269| 8.50M| r[4] = secp256k1_u128_to_u64(&c) + t4; 270| 8.50M| VERIFY_BITS(r[4], 49); 271| | /* [r4 r3 r2 r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */ 272| 8.50M|} secp256k1.c:secp256k1_fe_mul_inner: 18| 7.55M|SECP256K1_INLINE static void secp256k1_fe_mul_inner(uint64_t *r, const uint64_t *a, const uint64_t * SECP256K1_RESTRICT b) { 19| 7.55M| secp256k1_uint128 c, d; 20| 7.55M| uint64_t t3, t4, tx, u0; 21| 7.55M| uint64_t a0 = a[0], a1 = a[1], a2 = a[2], a3 = a[3], a4 = a[4]; 22| 7.55M| const uint64_t M = 0xFFFFFFFFFFFFFULL, R = 0x1000003D10ULL; 23| | 24| 7.55M| VERIFY_BITS(a[0], 56); 25| 7.55M| VERIFY_BITS(a[1], 56); 26| 7.55M| VERIFY_BITS(a[2], 56); 27| 7.55M| VERIFY_BITS(a[3], 56); 28| 7.55M| VERIFY_BITS(a[4], 52); 29| 7.55M| VERIFY_BITS(b[0], 56); 30| 7.55M| VERIFY_BITS(b[1], 56); 31| 7.55M| VERIFY_BITS(b[2], 56); 32| 7.55M| VERIFY_BITS(b[3], 56); 33| 7.55M| VERIFY_BITS(b[4], 52); 34| 7.55M| VERIFY_CHECK(r != b); 35| 7.55M| VERIFY_CHECK(a != b); 36| | 37| | /* [... a b c] is a shorthand for ... + a<<104 + b<<52 + c<<0 mod n. 38| | * for 0 <= x <= 4, px is a shorthand for sum(a[i]*b[x-i], i=0..x). 39| | * for 4 <= x <= 8, px is a shorthand for sum(a[i]*b[x-i], i=(x-4)..4) 40| | * Note that [x 0 0 0 0 0] = [x*R]. 41| | */ 42| | 43| 7.55M| secp256k1_u128_mul(&d, a0, b[3]); 44| 7.55M| secp256k1_u128_accum_mul(&d, a1, b[2]); 45| 7.55M| secp256k1_u128_accum_mul(&d, a2, b[1]); 46| 7.55M| secp256k1_u128_accum_mul(&d, a3, b[0]); 47| 7.55M| VERIFY_BITS_128(&d, 114); 48| | /* [d 0 0 0] = [p3 0 0 0] */ 49| 7.55M| secp256k1_u128_mul(&c, a4, b[4]); 50| 7.55M| VERIFY_BITS_128(&c, 112); 51| | /* [c 0 0 0 0 d 0 0 0] = [p8 0 0 0 0 p3 0 0 0] */ 52| 7.55M| secp256k1_u128_accum_mul(&d, R, secp256k1_u128_to_u64(&c)); secp256k1_u128_rshift(&c, 64); 53| 7.55M| VERIFY_BITS_128(&d, 115); 54| 7.55M| VERIFY_BITS_128(&c, 48); 55| | /* [(c<<12) 0 0 0 0 0 d 0 0 0] = [p8 0 0 0 0 p3 0 0 0] */ 56| 7.55M| t3 = secp256k1_u128_to_u64(&d) & M; secp256k1_u128_rshift(&d, 52); 57| 7.55M| VERIFY_BITS(t3, 52); 58| 7.55M| VERIFY_BITS_128(&d, 63); 59| | /* [(c<<12) 0 0 0 0 d t3 0 0 0] = [p8 0 0 0 0 p3 0 0 0] */ 60| | 61| 7.55M| secp256k1_u128_accum_mul(&d, a0, b[4]); 62| 7.55M| secp256k1_u128_accum_mul(&d, a1, b[3]); 63| 7.55M| secp256k1_u128_accum_mul(&d, a2, b[2]); 64| 7.55M| secp256k1_u128_accum_mul(&d, a3, b[1]); 65| 7.55M| secp256k1_u128_accum_mul(&d, a4, b[0]); 66| 7.55M| VERIFY_BITS_128(&d, 115); 67| | /* [(c<<12) 0 0 0 0 d t3 0 0 0] = [p8 0 0 0 p4 p3 0 0 0] */ 68| 7.55M| secp256k1_u128_accum_mul(&d, R << 12, secp256k1_u128_to_u64(&c)); 69| 7.55M| VERIFY_BITS_128(&d, 116); 70| | /* [d t3 0 0 0] = [p8 0 0 0 p4 p3 0 0 0] */ 71| 7.55M| t4 = secp256k1_u128_to_u64(&d) & M; secp256k1_u128_rshift(&d, 52); 72| 7.55M| VERIFY_BITS(t4, 52); 73| 7.55M| VERIFY_BITS_128(&d, 64); 74| | /* [d t4 t3 0 0 0] = [p8 0 0 0 p4 p3 0 0 0] */ 75| 7.55M| tx = (t4 >> 48); t4 &= (M >> 4); 76| 7.55M| VERIFY_BITS(tx, 4); 77| 7.55M| VERIFY_BITS(t4, 48); 78| | /* [d t4+(tx<<48) t3 0 0 0] = [p8 0 0 0 p4 p3 0 0 0] */ 79| | 80| 7.55M| secp256k1_u128_mul(&c, a0, b[0]); 81| 7.55M| VERIFY_BITS_128(&c, 112); 82| | /* [d t4+(tx<<48) t3 0 0 c] = [p8 0 0 0 p4 p3 0 0 p0] */ 83| 7.55M| secp256k1_u128_accum_mul(&d, a1, b[4]); 84| 7.55M| secp256k1_u128_accum_mul(&d, a2, b[3]); 85| 7.55M| secp256k1_u128_accum_mul(&d, a3, b[2]); 86| 7.55M| secp256k1_u128_accum_mul(&d, a4, b[1]); 87| 7.55M| VERIFY_BITS_128(&d, 114); 88| | /* [d t4+(tx<<48) t3 0 0 c] = [p8 0 0 p5 p4 p3 0 0 p0] */ 89| 7.55M| u0 = secp256k1_u128_to_u64(&d) & M; secp256k1_u128_rshift(&d, 52); 90| 7.55M| VERIFY_BITS(u0, 52); 91| 7.55M| VERIFY_BITS_128(&d, 62); 92| | /* [d u0 t4+(tx<<48) t3 0 0 c] = [p8 0 0 p5 p4 p3 0 0 p0] */ 93| | /* [d 0 t4+(tx<<48)+(u0<<52) t3 0 0 c] = [p8 0 0 p5 p4 p3 0 0 p0] */ 94| 7.55M| u0 = (u0 << 4) | tx; 95| 7.55M| VERIFY_BITS(u0, 56); 96| | /* [d 0 t4+(u0<<48) t3 0 0 c] = [p8 0 0 p5 p4 p3 0 0 p0] */ 97| 7.55M| secp256k1_u128_accum_mul(&c, u0, R >> 4); 98| 7.55M| VERIFY_BITS_128(&c, 113); 99| | /* [d 0 t4 t3 0 0 c] = [p8 0 0 p5 p4 p3 0 0 p0] */ 100| 7.55M| r[0] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52); 101| 7.55M| VERIFY_BITS(r[0], 52); 102| 7.55M| VERIFY_BITS_128(&c, 61); 103| | /* [d 0 t4 t3 0 c r0] = [p8 0 0 p5 p4 p3 0 0 p0] */ 104| | 105| 7.55M| secp256k1_u128_accum_mul(&c, a0, b[1]); 106| 7.55M| secp256k1_u128_accum_mul(&c, a1, b[0]); 107| 7.55M| VERIFY_BITS_128(&c, 114); 108| | /* [d 0 t4 t3 0 c r0] = [p8 0 0 p5 p4 p3 0 p1 p0] */ 109| 7.55M| secp256k1_u128_accum_mul(&d, a2, b[4]); 110| 7.55M| secp256k1_u128_accum_mul(&d, a3, b[3]); 111| 7.55M| secp256k1_u128_accum_mul(&d, a4, b[2]); 112| 7.55M| VERIFY_BITS_128(&d, 114); 113| | /* [d 0 t4 t3 0 c r0] = [p8 0 p6 p5 p4 p3 0 p1 p0] */ 114| 7.55M| secp256k1_u128_accum_mul(&c, secp256k1_u128_to_u64(&d) & M, R); secp256k1_u128_rshift(&d, 52); 115| 7.55M| VERIFY_BITS_128(&c, 115); 116| 7.55M| VERIFY_BITS_128(&d, 62); 117| | /* [d 0 0 t4 t3 0 c r0] = [p8 0 p6 p5 p4 p3 0 p1 p0] */ 118| 7.55M| r[1] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52); 119| 7.55M| VERIFY_BITS(r[1], 52); 120| 7.55M| VERIFY_BITS_128(&c, 63); 121| | /* [d 0 0 t4 t3 c r1 r0] = [p8 0 p6 p5 p4 p3 0 p1 p0] */ 122| | 123| 7.55M| secp256k1_u128_accum_mul(&c, a0, b[2]); 124| 7.55M| secp256k1_u128_accum_mul(&c, a1, b[1]); 125| 7.55M| secp256k1_u128_accum_mul(&c, a2, b[0]); 126| 7.55M| VERIFY_BITS_128(&c, 114); 127| | /* [d 0 0 t4 t3 c r1 r0] = [p8 0 p6 p5 p4 p3 p2 p1 p0] */ 128| 7.55M| secp256k1_u128_accum_mul(&d, a3, b[4]); 129| 7.55M| secp256k1_u128_accum_mul(&d, a4, b[3]); 130| 7.55M| VERIFY_BITS_128(&d, 114); 131| | /* [d 0 0 t4 t3 c t1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */ 132| 7.55M| secp256k1_u128_accum_mul(&c, R, secp256k1_u128_to_u64(&d)); secp256k1_u128_rshift(&d, 64); 133| 7.55M| VERIFY_BITS_128(&c, 115); 134| 7.55M| VERIFY_BITS_128(&d, 50); 135| | /* [(d<<12) 0 0 0 t4 t3 c r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */ 136| | 137| 7.55M| r[2] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52); 138| 7.55M| VERIFY_BITS(r[2], 52); 139| 7.55M| VERIFY_BITS_128(&c, 63); 140| | /* [(d<<12) 0 0 0 t4 t3+c r2 r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */ 141| 7.55M| secp256k1_u128_accum_mul(&c, R << 12, secp256k1_u128_to_u64(&d)); 142| 7.55M| secp256k1_u128_accum_u64(&c, t3); 143| 7.55M| VERIFY_BITS_128(&c, 100); 144| | /* [t4 c r2 r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */ 145| 7.55M| r[3] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52); 146| 7.55M| VERIFY_BITS(r[3], 52); 147| 7.55M| VERIFY_BITS_128(&c, 48); 148| | /* [t4+c r3 r2 r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */ 149| 7.55M| r[4] = secp256k1_u128_to_u64(&c) + t4; 150| 7.55M| VERIFY_BITS(r[4], 49); 151| | /* [r4 r3 r2 r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */ 152| 7.55M|} secp256k1.c:secp256k1_fe_verify: 149| 11.6M|static void secp256k1_fe_verify(const secp256k1_fe *a) { (void)a; } secp256k1.c:secp256k1_fe_verify_magnitude: 150| 11.2M|static void secp256k1_fe_verify_magnitude(const secp256k1_fe *a, int m) { (void)a; (void)m; } secp256k1.c:secp256k1_fe_sqrt: 37| 9.11k|static int secp256k1_fe_sqrt(secp256k1_fe * SECP256K1_RESTRICT r, const secp256k1_fe * SECP256K1_RESTRICT a) { 38| | /** Given that p is congruent to 3 mod 4, we can compute the square root of 39| | * a mod p as the (p+1)/4'th power of a. 40| | * 41| | * As (p+1)/4 is an even number, it will have the same result for a and for 42| | * (-a). Only one of these two numbers actually has a square root however, 43| | * so we test at the end by squaring and comparing to the input. 44| | * Also because (p+1)/4 is an even number, the computed square root is 45| | * itself always a square (a ** ((p+1)/4) is the square of a ** ((p+1)/8)). 46| | */ 47| 9.11k| secp256k1_fe x2, x3, x6, x9, x11, x22, x44, x88, x176, x220, x223, t1; 48| 9.11k| int j, ret; 49| | 50| 9.11k| VERIFY_CHECK(r != a); 51| 9.11k| SECP256K1_FE_VERIFY(a); ------------------ | | 344| 9.11k|#define SECP256K1_FE_VERIFY(a) secp256k1_fe_verify(a) ------------------ 52| 9.11k| SECP256K1_FE_VERIFY_MAGNITUDE(a, 8); ------------------ | | 348| 9.11k|#define SECP256K1_FE_VERIFY_MAGNITUDE(a, m) secp256k1_fe_verify_magnitude(a, m) ------------------ 53| | 54| | /** The binary representation of (p + 1)/4 has 3 blocks of 1s, with lengths in 55| | * { 2, 22, 223 }. Use an addition chain to calculate 2^n - 1 for each block: 56| | * 1, [2], 3, 6, 9, 11, [22], 44, 88, 176, 220, [223] 57| | */ 58| | 59| 9.11k| secp256k1_fe_sqr(&x2, a); ------------------ | | 94| 9.11k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 60| 9.11k| secp256k1_fe_mul(&x2, &x2, a); ------------------ | | 93| 9.11k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 61| | 62| 9.11k| secp256k1_fe_sqr(&x3, &x2); ------------------ | | 94| 9.11k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 63| 9.11k| secp256k1_fe_mul(&x3, &x3, a); ------------------ | | 93| 9.11k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 64| | 65| 9.11k| x6 = x3; 66| 36.4k| for (j=0; j<3; j++) { ------------------ | Branch (66:15): [True: 27.3k, False: 9.11k] ------------------ 67| 27.3k| secp256k1_fe_sqr(&x6, &x6); ------------------ | | 94| 27.3k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 68| 27.3k| } 69| 9.11k| secp256k1_fe_mul(&x6, &x6, &x3); ------------------ | | 93| 9.11k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 70| | 71| 9.11k| x9 = x6; 72| 36.4k| for (j=0; j<3; j++) { ------------------ | Branch (72:15): [True: 27.3k, False: 9.11k] ------------------ 73| 27.3k| secp256k1_fe_sqr(&x9, &x9); ------------------ | | 94| 27.3k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 74| 27.3k| } 75| 9.11k| secp256k1_fe_mul(&x9, &x9, &x3); ------------------ | | 93| 9.11k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 76| | 77| 9.11k| x11 = x9; 78| 27.3k| for (j=0; j<2; j++) { ------------------ | Branch (78:15): [True: 18.2k, False: 9.11k] ------------------ 79| 18.2k| secp256k1_fe_sqr(&x11, &x11); ------------------ | | 94| 18.2k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 80| 18.2k| } 81| 9.11k| secp256k1_fe_mul(&x11, &x11, &x2); ------------------ | | 93| 9.11k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 82| | 83| 9.11k| x22 = x11; 84| 109k| for (j=0; j<11; j++) { ------------------ | Branch (84:15): [True: 100k, False: 9.11k] ------------------ 85| 100k| secp256k1_fe_sqr(&x22, &x22); ------------------ | | 94| 100k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 86| 100k| } 87| 9.11k| secp256k1_fe_mul(&x22, &x22, &x11); ------------------ | | 93| 9.11k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 88| | 89| 9.11k| x44 = x22; 90| 209k| for (j=0; j<22; j++) { ------------------ | Branch (90:15): [True: 200k, False: 9.11k] ------------------ 91| 200k| secp256k1_fe_sqr(&x44, &x44); ------------------ | | 94| 200k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 92| 200k| } 93| 9.11k| secp256k1_fe_mul(&x44, &x44, &x22); ------------------ | | 93| 9.11k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 94| | 95| 9.11k| x88 = x44; 96| 410k| for (j=0; j<44; j++) { ------------------ | Branch (96:15): [True: 401k, False: 9.11k] ------------------ 97| 401k| secp256k1_fe_sqr(&x88, &x88); ------------------ | | 94| 401k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 98| 401k| } 99| 9.11k| secp256k1_fe_mul(&x88, &x88, &x44); ------------------ | | 93| 9.11k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 100| | 101| 9.11k| x176 = x88; 102| 811k| for (j=0; j<88; j++) { ------------------ | Branch (102:15): [True: 802k, False: 9.11k] ------------------ 103| 802k| secp256k1_fe_sqr(&x176, &x176); ------------------ | | 94| 802k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 104| 802k| } 105| 9.11k| secp256k1_fe_mul(&x176, &x176, &x88); ------------------ | | 93| 9.11k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 106| | 107| 9.11k| x220 = x176; 108| 410k| for (j=0; j<44; j++) { ------------------ | Branch (108:15): [True: 401k, False: 9.11k] ------------------ 109| 401k| secp256k1_fe_sqr(&x220, &x220); ------------------ | | 94| 401k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 110| 401k| } 111| 9.11k| secp256k1_fe_mul(&x220, &x220, &x44); ------------------ | | 93| 9.11k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 112| | 113| 9.11k| x223 = x220; 114| 36.4k| for (j=0; j<3; j++) { ------------------ | Branch (114:15): [True: 27.3k, False: 9.11k] ------------------ 115| 27.3k| secp256k1_fe_sqr(&x223, &x223); ------------------ | | 94| 27.3k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 116| 27.3k| } 117| 9.11k| secp256k1_fe_mul(&x223, &x223, &x3); ------------------ | | 93| 9.11k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 118| | 119| | /* The final result is then assembled using a sliding window over the blocks. */ 120| | 121| 9.11k| t1 = x223; 122| 218k| for (j=0; j<23; j++) { ------------------ | Branch (122:15): [True: 209k, False: 9.11k] ------------------ 123| 209k| secp256k1_fe_sqr(&t1, &t1); ------------------ | | 94| 209k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 124| 209k| } 125| 9.11k| secp256k1_fe_mul(&t1, &t1, &x22); ------------------ | | 93| 9.11k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 126| 63.7k| for (j=0; j<6; j++) { ------------------ | Branch (126:15): [True: 54.6k, False: 9.11k] ------------------ 127| 54.6k| secp256k1_fe_sqr(&t1, &t1); ------------------ | | 94| 54.6k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 128| 54.6k| } 129| 9.11k| secp256k1_fe_mul(&t1, &t1, &x2); ------------------ | | 93| 9.11k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 130| 9.11k| secp256k1_fe_sqr(&t1, &t1); ------------------ | | 94| 9.11k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 131| 9.11k| secp256k1_fe_sqr(r, &t1); ------------------ | | 94| 9.11k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 132| | 133| | /* Check that a square root was actually calculated */ 134| | 135| 9.11k| secp256k1_fe_sqr(&t1, r); ------------------ | | 94| 9.11k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 136| 9.11k| ret = secp256k1_fe_equal(&t1, a); 137| | 138| |#ifdef VERIFY 139| | if (!ret) { 140| | secp256k1_fe_negate(&t1, &t1, 1); 141| | secp256k1_fe_normalize_var(&t1); 142| | VERIFY_CHECK(secp256k1_fe_equal(&t1, a)); 143| | } 144| |#endif 145| 9.11k| return ret; 146| 9.11k|} secp256k1.c:secp256k1_fe_equal: 25| 9.11k|SECP256K1_INLINE static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) { 26| 9.11k| secp256k1_fe na; 27| 9.11k| SECP256K1_FE_VERIFY(a); ------------------ | | 344| 9.11k|#define SECP256K1_FE_VERIFY(a) secp256k1_fe_verify(a) ------------------ 28| 9.11k| SECP256K1_FE_VERIFY(b); ------------------ | | 344| 9.11k|#define SECP256K1_FE_VERIFY(a) secp256k1_fe_verify(a) ------------------ 29| 9.11k| SECP256K1_FE_VERIFY_MAGNITUDE(a, 1); ------------------ | | 348| 9.11k|#define SECP256K1_FE_VERIFY_MAGNITUDE(a, m) secp256k1_fe_verify_magnitude(a, m) ------------------ 30| 9.11k| SECP256K1_FE_VERIFY_MAGNITUDE(b, 31); ------------------ | | 348| 9.11k|#define SECP256K1_FE_VERIFY_MAGNITUDE(a, m) secp256k1_fe_verify_magnitude(a, m) ------------------ 31| | 32| 9.11k| secp256k1_fe_negate(&na, a, 1); ------------------ | | 211| 9.11k|#define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) | | ------------------ | | | | 77| 9.11k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 9.11k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 9.11k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 9.11k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 9.11k, False: 0] | | | | ------------------ | | | | 83| 9.11k| } \ | | | | 84| 9.11k| stmt; \ | | | | 85| 9.11k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 33| 9.11k| secp256k1_fe_add(&na, b); ------------------ | | 92| 9.11k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 34| 9.11k| return secp256k1_fe_normalizes_to_zero(&na); ------------------ | | 81| 9.11k|# define secp256k1_fe_normalizes_to_zero secp256k1_fe_impl_normalizes_to_zero ------------------ 35| 9.11k|} secp256k1.c:secp256k1_fe_clear: 21| 11.6k|SECP256K1_INLINE static void secp256k1_fe_clear(secp256k1_fe *a) { 22| 11.6k| secp256k1_memclear(a, sizeof(secp256k1_fe)); 23| 11.6k|} secp256k1.c:secp256k1_ge_set_xy: 132| 94.5k|static void secp256k1_ge_set_xy(secp256k1_ge *r, const secp256k1_fe *x, const secp256k1_fe *y) { 133| 94.5k| SECP256K1_FE_VERIFY(x); ------------------ | | 344| 94.5k|#define SECP256K1_FE_VERIFY(a) secp256k1_fe_verify(a) ------------------ 134| 94.5k| SECP256K1_FE_VERIFY(y); ------------------ | | 344| 94.5k|#define SECP256K1_FE_VERIFY(a) secp256k1_fe_verify(a) ------------------ 135| | 136| 94.5k| r->infinity = 0; 137| 94.5k| r->x = *x; 138| 94.5k| r->y = *y; 139| | 140| 94.5k| SECP256K1_GE_VERIFY(r); ------------------ | | 206| 94.5k|#define SECP256K1_GE_VERIFY(a) secp256k1_ge_verify(a) ------------------ 141| 94.5k|} secp256k1.c:secp256k1_ge_verify: 78| 1.38M|static void secp256k1_ge_verify(const secp256k1_ge *a) { 79| 1.38M| SECP256K1_FE_VERIFY(&a->x); ------------------ | | 344| 1.38M|#define SECP256K1_FE_VERIFY(a) secp256k1_fe_verify(a) ------------------ 80| 1.38M| SECP256K1_FE_VERIFY(&a->y); ------------------ | | 344| 1.38M|#define SECP256K1_FE_VERIFY(a) secp256k1_fe_verify(a) ------------------ 81| 1.38M| SECP256K1_FE_VERIFY_MAGNITUDE(&a->x, SECP256K1_GE_X_MAGNITUDE_MAX); ------------------ | | 348| 1.38M|#define SECP256K1_FE_VERIFY_MAGNITUDE(a, m) secp256k1_fe_verify_magnitude(a, m) ------------------ 82| 1.38M| SECP256K1_FE_VERIFY_MAGNITUDE(&a->y, SECP256K1_GE_Y_MAGNITUDE_MAX); ------------------ | | 348| 1.38M|#define SECP256K1_FE_VERIFY_MAGNITUDE(a, m) secp256k1_fe_verify_magnitude(a, m) ------------------ 83| 1.38M| VERIFY_CHECK(a->infinity == 0 || a->infinity == 1); 84| 1.38M| (void)a; 85| 1.38M|} secp256k1.c:secp256k1_ge_clear: 305| 5.72k|static void secp256k1_ge_clear(secp256k1_ge *r) { 306| 5.72k| secp256k1_memclear(r, sizeof(secp256k1_ge)); 307| 5.72k|} secp256k1.c:secp256k1_ge_from_storage: 852| 246k|static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a) { 853| 246k| secp256k1_fe_from_storage(&r->x, &a->x); ------------------ | | 97| 246k|# define secp256k1_fe_from_storage secp256k1_fe_impl_from_storage ------------------ 854| 246k| secp256k1_fe_from_storage(&r->y, &a->y); ------------------ | | 97| 246k|# define secp256k1_fe_from_storage secp256k1_fe_impl_from_storage ------------------ 855| 246k| r->infinity = 0; 856| | 857| 246k| SECP256K1_GE_VERIFY(r); ------------------ | | 206| 246k|#define SECP256K1_GE_VERIFY(a) secp256k1_ge_verify(a) ------------------ 858| 246k|} secp256k1.c:secp256k1_gej_verify: 87| 2.82M|static void secp256k1_gej_verify(const secp256k1_gej *a) { 88| 2.82M| SECP256K1_FE_VERIFY(&a->x); ------------------ | | 344| 2.82M|#define SECP256K1_FE_VERIFY(a) secp256k1_fe_verify(a) ------------------ 89| 2.82M| SECP256K1_FE_VERIFY(&a->y); ------------------ | | 344| 2.82M|#define SECP256K1_FE_VERIFY(a) secp256k1_fe_verify(a) ------------------ 90| 2.82M| SECP256K1_FE_VERIFY(&a->z); ------------------ | | 344| 2.82M|#define SECP256K1_FE_VERIFY(a) secp256k1_fe_verify(a) ------------------ 91| 2.82M| SECP256K1_FE_VERIFY_MAGNITUDE(&a->x, SECP256K1_GEJ_X_MAGNITUDE_MAX); ------------------ | | 348| 2.82M|#define SECP256K1_FE_VERIFY_MAGNITUDE(a, m) secp256k1_fe_verify_magnitude(a, m) ------------------ 92| 2.82M| SECP256K1_FE_VERIFY_MAGNITUDE(&a->y, SECP256K1_GEJ_Y_MAGNITUDE_MAX); ------------------ | | 348| 2.82M|#define SECP256K1_FE_VERIFY_MAGNITUDE(a, m) secp256k1_fe_verify_magnitude(a, m) ------------------ 93| 2.82M| SECP256K1_FE_VERIFY_MAGNITUDE(&a->z, SECP256K1_GEJ_Z_MAGNITUDE_MAX); ------------------ | | 348| 2.82M|#define SECP256K1_FE_VERIFY_MAGNITUDE(a, m) secp256k1_fe_verify_magnitude(a, m) ------------------ 94| 2.82M| VERIFY_CHECK(a->infinity == 0 || a->infinity == 1); 95| 2.82M| (void)a; 96| 2.82M|} secp256k1.c:secp256k1_ge_storage_cmov: 872| 7.88M|static SECP256K1_INLINE void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag) { 873| 7.88M| secp256k1_fe_storage_cmov(&r->x, &a->x, flag); 874| 7.88M| secp256k1_fe_storage_cmov(&r->y, &a->y, flag); 875| 7.88M|} secp256k1.c:secp256k1_gej_rescale: 823| 5.72k|static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *s) { 824| | /* Operations: 4 mul, 1 sqr */ 825| 5.72k| secp256k1_fe zz; 826| 5.72k| SECP256K1_GEJ_VERIFY(r); ------------------ | | 210| 5.72k|#define SECP256K1_GEJ_VERIFY(a) secp256k1_gej_verify(a) ------------------ 827| 5.72k| SECP256K1_FE_VERIFY(s); ------------------ | | 344| 5.72k|#define SECP256K1_FE_VERIFY(a) secp256k1_fe_verify(a) ------------------ 828| 5.72k| VERIFY_CHECK(!secp256k1_fe_normalizes_to_zero_var(s)); 829| | 830| 5.72k| secp256k1_fe_sqr(&zz, s); ------------------ | | 94| 5.72k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 831| 5.72k| secp256k1_fe_mul(&r->x, &r->x, &zz); /* r->x *= s^2 */ ------------------ | | 93| 5.72k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 832| 5.72k| secp256k1_fe_mul(&r->y, &r->y, &zz); ------------------ | | 93| 5.72k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 833| 5.72k| secp256k1_fe_mul(&r->y, &r->y, s); /* r->y *= s^3 */ ------------------ | | 93| 5.72k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 834| 5.72k| secp256k1_fe_mul(&r->z, &r->z, s); /* r->z *= s */ ------------------ | | 93| 5.72k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 835| | 836| 5.72k| SECP256K1_GEJ_VERIFY(r); ------------------ | | 210| 5.72k|#define SECP256K1_GEJ_VERIFY(a) secp256k1_gej_verify(a) ------------------ 837| 5.72k|} secp256k1.c:secp256k1_gej_double: 422| 744k|static SECP256K1_INLINE void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a) { 423| | /* Operations: 3 mul, 4 sqr, 8 add/half/mul_int/negate */ 424| 744k| secp256k1_fe l, s, t; 425| 744k| SECP256K1_GEJ_VERIFY(a); ------------------ | | 210| 744k|#define SECP256K1_GEJ_VERIFY(a) secp256k1_gej_verify(a) ------------------ 426| | 427| 744k| r->infinity = a->infinity; 428| | 429| | /* Formula used: 430| | * L = (3/2) * X1^2 431| | * S = Y1^2 432| | * T = -X1*S 433| | * X3 = L^2 + 2*T 434| | * Y3 = -(L*(X3 + T) + S^2) 435| | * Z3 = Y1*Z1 436| | */ 437| | 438| 744k| secp256k1_fe_mul(&r->z, &a->z, &a->y); /* Z3 = Y1*Z1 (1) */ ------------------ | | 93| 744k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 439| 744k| secp256k1_fe_sqr(&s, &a->y); /* S = Y1^2 (1) */ ------------------ | | 94| 744k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 440| 744k| secp256k1_fe_sqr(&l, &a->x); /* L = X1^2 (1) */ ------------------ | | 94| 744k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 441| 744k| secp256k1_fe_mul_int(&l, 3); /* L = 3*X1^2 (3) */ ------------------ | | 233| 744k|#define secp256k1_fe_mul_int(r, a) ASSERT_INT_CONST_AND_DO(a, secp256k1_fe_mul_int_unchecked(r, a)) | | ------------------ | | | | 77| 744k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 744k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 744k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 744k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 744k, False: 0] | | | | ------------------ | | | | 83| 744k| } \ | | | | 84| 744k| stmt; \ | | | | 85| 744k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 442| 744k| secp256k1_fe_half(&l); /* L = 3/2*X1^2 (2) */ ------------------ | | 101| 744k|# define secp256k1_fe_half secp256k1_fe_impl_half ------------------ 443| 744k| secp256k1_fe_negate(&t, &s, 1); /* T = -S (2) */ ------------------ | | 211| 744k|#define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) | | ------------------ | | | | 77| 744k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 744k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 744k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 744k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 744k, False: 0] | | | | ------------------ | | | | 83| 744k| } \ | | | | 84| 744k| stmt; \ | | | | 85| 744k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 444| 744k| secp256k1_fe_mul(&t, &t, &a->x); /* T = -X1*S (1) */ ------------------ | | 93| 744k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 445| 744k| secp256k1_fe_sqr(&r->x, &l); /* X3 = L^2 (1) */ ------------------ | | 94| 744k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 446| 744k| secp256k1_fe_add(&r->x, &t); /* X3 = L^2 + T (2) */ ------------------ | | 92| 744k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 447| 744k| secp256k1_fe_add(&r->x, &t); /* X3 = L^2 + 2*T (3) */ ------------------ | | 92| 744k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 448| 744k| secp256k1_fe_sqr(&s, &s); /* S' = S^2 (1) */ ------------------ | | 94| 744k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 449| 744k| secp256k1_fe_add(&t, &r->x); /* T' = X3 + T (4) */ ------------------ | | 92| 744k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 450| 744k| secp256k1_fe_mul(&r->y, &t, &l); /* Y3 = L*(X3 + T) (1) */ ------------------ | | 93| 744k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 451| 744k| secp256k1_fe_add(&r->y, &s); /* Y3 = L*(X3 + T) + S^2 (2) */ ------------------ | | 92| 744k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 452| 744k| secp256k1_fe_negate(&r->y, &r->y, 2); /* Y3 = -(L*(X3 + T) + S^2) (3) */ ------------------ | | 211| 744k|#define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) | | ------------------ | | | | 77| 744k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 744k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 744k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 744k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 744k, False: 0] | | | | ------------------ | | | | 83| 744k| } \ | | | | 84| 744k| stmt; \ | | | | 85| 744k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 453| | 454| 744k| SECP256K1_GEJ_VERIFY(r); ------------------ | | 210| 744k|#define SECP256K1_GEJ_VERIFY(a) secp256k1_gej_verify(a) ------------------ 455| 744k|} secp256k1.c:secp256k1_gej_clear: 301| 5.72k|static void secp256k1_gej_clear(secp256k1_gej *r) { 302| 5.72k| secp256k1_memclear(r, sizeof(secp256k1_gej)); 303| 5.72k|} secp256k1.c:secp256k1_gej_add_ge: 686| 547k|static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b) { 687| | /* Operations: 7 mul, 5 sqr, 21 add/cmov/half/mul_int/negate/normalizes_to_zero */ 688| 547k| secp256k1_fe zz, u1, u2, s1, s2, t, tt, m, n, q, rr; 689| 547k| secp256k1_fe m_alt, rr_alt; 690| 547k| int degenerate; 691| 547k| SECP256K1_GEJ_VERIFY(a); ------------------ | | 210| 547k|#define SECP256K1_GEJ_VERIFY(a) secp256k1_gej_verify(a) ------------------ 692| 547k| SECP256K1_GE_VERIFY(b); ------------------ | | 206| 547k|#define SECP256K1_GE_VERIFY(a) secp256k1_ge_verify(a) ------------------ 693| 547k| VERIFY_CHECK(!b->infinity); 694| | 695| | /* In: 696| | * Eric Brier and Marc Joye, Weierstrass Elliptic Curves and Side-Channel Attacks. 697| | * In D. Naccache and P. Paillier, Eds., Public Key Cryptography, vol. 2274 of Lecture Notes in Computer Science, pages 335-345. Springer-Verlag, 2002. 698| | * we find as solution for a unified addition/doubling formula: 699| | * lambda = ((x1 + x2)^2 - x1 * x2 + a) / (y1 + y2), with a = 0 for secp256k1's curve equation. 700| | * x3 = lambda^2 - (x1 + x2) 701| | * 2*y3 = lambda * (x1 + x2 - 2 * x3) - (y1 + y2). 702| | * 703| | * Substituting x_i = Xi / Zi^2 and yi = Yi / Zi^3, for i=1,2,3, gives: 704| | * U1 = X1*Z2^2, U2 = X2*Z1^2 705| | * S1 = Y1*Z2^3, S2 = Y2*Z1^3 706| | * Z = Z1*Z2 707| | * T = U1+U2 708| | * M = S1+S2 709| | * Q = -T*M^2 710| | * R = T^2-U1*U2 711| | * X3 = R^2+Q 712| | * Y3 = -(R*(2*X3+Q)+M^4)/2 713| | * Z3 = M*Z 714| | * (Note that the paper uses xi = Xi / Zi and yi = Yi / Zi instead.) 715| | * 716| | * This formula has the benefit of being the same for both addition 717| | * of distinct points and doubling. However, it breaks down in the 718| | * case that either point is infinity, or that y1 = -y2. We handle 719| | * these cases in the following ways: 720| | * 721| | * - If b is infinity we simply bail by means of a VERIFY_CHECK. 722| | * 723| | * - If a is infinity, we detect this, and at the end of the 724| | * computation replace the result (which will be meaningless, 725| | * but we compute to be constant-time) with b.x : b.y : 1. 726| | * 727| | * - If a = -b, we have y1 = -y2, which is a degenerate case. 728| | * But here the answer is infinity, so we simply set the 729| | * infinity flag of the result, overriding the computed values 730| | * without even needing to cmov. 731| | * 732| | * - If y1 = -y2 but x1 != x2, which does occur thanks to certain 733| | * properties of our curve (specifically, 1 has nontrivial cube 734| | * roots in our field, and the curve equation has no x coefficient) 735| | * then the answer is not infinity but also not given by the above 736| | * equation. In this case, we cmov in place an alternate expression 737| | * for lambda. Specifically (y1 - y2)/(x1 - x2). Where both these 738| | * expressions for lambda are defined, they are equal, and can be 739| | * obtained from each other by multiplication by (y1 + y2)/(y1 + y2) 740| | * then substitution of x^3 + 7 for y^2 (using the curve equation). 741| | * For all pairs of nonzero points (a, b) at least one is defined, 742| | * so this covers everything. 743| | */ 744| | 745| 547k| secp256k1_fe_sqr(&zz, &a->z); /* z = Z1^2 */ ------------------ | | 94| 547k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 746| 547k| u1 = a->x; /* u1 = U1 = X1*Z2^2 (GEJ_X_M) */ 747| 547k| secp256k1_fe_mul(&u2, &b->x, &zz); /* u2 = U2 = X2*Z1^2 (1) */ ------------------ | | 93| 547k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 748| 547k| s1 = a->y; /* s1 = S1 = Y1*Z2^3 (GEJ_Y_M) */ 749| 547k| secp256k1_fe_mul(&s2, &b->y, &zz); /* s2 = Y2*Z1^2 (1) */ ------------------ | | 93| 547k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 750| 547k| secp256k1_fe_mul(&s2, &s2, &a->z); /* s2 = S2 = Y2*Z1^3 (1) */ ------------------ | | 93| 547k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 751| 547k| t = u1; secp256k1_fe_add(&t, &u2); /* t = T = U1+U2 (GEJ_X_M+1) */ ------------------ | | 92| 547k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 752| 547k| m = s1; secp256k1_fe_add(&m, &s2); /* m = M = S1+S2 (GEJ_Y_M+1) */ ------------------ | | 92| 547k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 753| 547k| secp256k1_fe_sqr(&rr, &t); /* rr = T^2 (1) */ ------------------ | | 94| 547k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 754| 547k| secp256k1_fe_negate(&m_alt, &u2, 1); /* Malt = -X2*Z1^2 (2) */ ------------------ | | 211| 547k|#define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) | | ------------------ | | | | 77| 547k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 547k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 547k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 547k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 547k, False: 0] | | | | ------------------ | | | | 83| 547k| } \ | | | | 84| 547k| stmt; \ | | | | 85| 547k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 755| 547k| secp256k1_fe_mul(&tt, &u1, &m_alt); /* tt = -U1*U2 (1) */ ------------------ | | 93| 547k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 756| 547k| secp256k1_fe_add(&rr, &tt); /* rr = R = T^2-U1*U2 (2) */ ------------------ | | 92| 547k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 757| | /* If lambda = R/M = R/0 we have a problem (except in the "trivial" 758| | * case that Z = z1z2 = 0, and this is special-cased later on). */ 759| 547k| degenerate = secp256k1_fe_normalizes_to_zero(&m); ------------------ | | 81| 547k|# define secp256k1_fe_normalizes_to_zero secp256k1_fe_impl_normalizes_to_zero ------------------ 760| | /* This only occurs when y1 == -y2 and x1^3 == x2^3, but x1 != x2. 761| | * This means either x1 == beta*x2 or beta*x1 == x2, where beta is 762| | * a nontrivial cube root of one. In either case, an alternate 763| | * non-indeterminate expression for lambda is (y1 - y2)/(x1 - x2), 764| | * so we set R/M equal to this. */ 765| 547k| rr_alt = s1; 766| 547k| secp256k1_fe_mul_int(&rr_alt, 2); /* rr_alt = Y1*Z2^3 - Y2*Z1^3 (GEJ_Y_M*2) */ ------------------ | | 233| 547k|#define secp256k1_fe_mul_int(r, a) ASSERT_INT_CONST_AND_DO(a, secp256k1_fe_mul_int_unchecked(r, a)) | | ------------------ | | | | 77| 547k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 547k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 547k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 547k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 547k, False: 0] | | | | ------------------ | | | | 83| 547k| } \ | | | | 84| 547k| stmt; \ | | | | 85| 547k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 767| 547k| secp256k1_fe_add(&m_alt, &u1); /* Malt = X1*Z2^2 - X2*Z1^2 (GEJ_X_M+2) */ ------------------ | | 92| 547k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 768| | 769| 547k| secp256k1_fe_cmov(&rr_alt, &rr, !degenerate); /* rr_alt (GEJ_Y_M*2) */ ------------------ | | 95| 547k|# define secp256k1_fe_cmov secp256k1_fe_impl_cmov ------------------ 770| 547k| secp256k1_fe_cmov(&m_alt, &m, !degenerate); /* m_alt (GEJ_X_M+2) */ ------------------ | | 95| 547k|# define secp256k1_fe_cmov secp256k1_fe_impl_cmov ------------------ 771| | /* Now Ralt / Malt = lambda and is guaranteed not to be Ralt / 0. 772| | * From here on out Ralt and Malt represent the numerator 773| | * and denominator of lambda; R and M represent the explicit 774| | * expressions x1^2 + x2^2 + x1x2 and y1 + y2. */ 775| 547k| secp256k1_fe_sqr(&n, &m_alt); /* n = Malt^2 (1) */ ------------------ | | 94| 547k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 776| 547k| secp256k1_fe_negate(&q, &t, ------------------ | | 211| 547k|#define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) | | ------------------ | | | | 77| 547k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 547k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 547k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 547k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 547k, False: 0] | | | | ------------------ | | | | 83| 547k| } \ | | | | 84| 547k| stmt; \ | | | | 85| 547k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 777| 547k| SECP256K1_GEJ_X_MAGNITUDE_MAX + 1); /* q = -T (GEJ_X_M+2) */ 778| 547k| secp256k1_fe_mul(&q, &q, &n); /* q = Q = -T*Malt^2 (1) */ ------------------ | | 93| 547k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 779| | /* These two lines use the observation that either M == Malt or M == 0, 780| | * so M^3 * Malt is either Malt^4 (which is computed by squaring), or 781| | * zero (which is "computed" by cmov). So the cost is one squaring 782| | * versus two multiplications. */ 783| 547k| secp256k1_fe_sqr(&n, &n); /* n = Malt^4 (1) */ ------------------ | | 94| 547k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 784| 547k| secp256k1_fe_cmov(&n, &m, degenerate); /* n = M^3 * Malt (GEJ_Y_M+1) */ ------------------ | | 95| 547k|# define secp256k1_fe_cmov secp256k1_fe_impl_cmov ------------------ 785| 547k| secp256k1_fe_sqr(&t, &rr_alt); /* t = Ralt^2 (1) */ ------------------ | | 94| 547k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 786| 547k| secp256k1_fe_mul(&r->z, &a->z, &m_alt); /* r->z = Z3 = Malt*Z (1) */ ------------------ | | 93| 547k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 787| 547k| secp256k1_fe_add(&t, &q); /* t = Ralt^2 + Q (2) */ ------------------ | | 92| 547k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 788| 547k| r->x = t; /* r->x = X3 = Ralt^2 + Q (2) */ 789| 547k| secp256k1_fe_mul_int(&t, 2); /* t = 2*X3 (4) */ ------------------ | | 233| 547k|#define secp256k1_fe_mul_int(r, a) ASSERT_INT_CONST_AND_DO(a, secp256k1_fe_mul_int_unchecked(r, a)) | | ------------------ | | | | 77| 547k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 547k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 547k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 547k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 547k, False: 0] | | | | ------------------ | | | | 83| 547k| } \ | | | | 84| 547k| stmt; \ | | | | 85| 547k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 790| 547k| secp256k1_fe_add(&t, &q); /* t = 2*X3 + Q (5) */ ------------------ | | 92| 547k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 791| 547k| secp256k1_fe_mul(&t, &t, &rr_alt); /* t = Ralt*(2*X3 + Q) (1) */ ------------------ | | 93| 547k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 792| 547k| secp256k1_fe_add(&t, &n); /* t = Ralt*(2*X3 + Q) + M^3*Malt (GEJ_Y_M+2) */ ------------------ | | 92| 547k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 793| 547k| secp256k1_fe_negate(&r->y, &t, ------------------ | | 211| 547k|#define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) | | ------------------ | | | | 77| 547k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 547k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 547k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 547k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 547k, False: 0] | | | | ------------------ | | | | 83| 547k| } \ | | | | 84| 547k| stmt; \ | | | | 85| 547k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 794| 547k| SECP256K1_GEJ_Y_MAGNITUDE_MAX + 2); /* r->y = -(Ralt*(2*X3 + Q) + M^3*Malt) (GEJ_Y_M+3) */ 795| 547k| secp256k1_fe_half(&r->y); /* r->y = Y3 = -(Ralt*(2*X3 + Q) + M^3*Malt)/2 ((GEJ_Y_M+3)/2 + 1) */ ------------------ | | 101| 547k|# define secp256k1_fe_half secp256k1_fe_impl_half ------------------ 796| | 797| | /* In case a->infinity == 1, replace r with (b->x, b->y, 1). */ 798| 547k| secp256k1_fe_cmov(&r->x, &b->x, a->infinity); ------------------ | | 95| 547k|# define secp256k1_fe_cmov secp256k1_fe_impl_cmov ------------------ 799| 547k| secp256k1_fe_cmov(&r->y, &b->y, a->infinity); ------------------ | | 95| 547k|# define secp256k1_fe_cmov secp256k1_fe_impl_cmov ------------------ 800| 547k| secp256k1_fe_cmov(&r->z, &secp256k1_fe_one, a->infinity); ------------------ | | 95| 547k|# define secp256k1_fe_cmov secp256k1_fe_impl_cmov ------------------ 801| | 802| | /* Set r->infinity if r->z is 0. 803| | * 804| | * If a->infinity is set, then r->infinity = (r->z == 0) = (1 == 0) = false, 805| | * which is correct because the function assumes that b is not infinity. 806| | * 807| | * Now assume !a->infinity. This implies Z = Z1 != 0. 808| | * 809| | * Case y1 = -y2: 810| | * In this case we could have a = -b, namely if x1 = x2. 811| | * We have degenerate = true, r->z = (x1 - x2) * Z. 812| | * Then r->infinity = ((x1 - x2)Z == 0) = (x1 == x2) = (a == -b). 813| | * 814| | * Case y1 != -y2: 815| | * In this case, we can't have a = -b. 816| | * We have degenerate = false, r->z = (y1 + y2) * Z. 817| | * Then r->infinity = ((y1 + y2)Z == 0) = (y1 == -y2) = false. */ 818| 547k| r->infinity = secp256k1_fe_normalizes_to_zero(&r->z); ------------------ | | 81| 547k|# define secp256k1_fe_normalizes_to_zero secp256k1_fe_impl_normalizes_to_zero ------------------ 819| | 820| 547k| SECP256K1_GEJ_VERIFY(r); ------------------ | | 210| 547k|#define SECP256K1_GEJ_VERIFY(a) secp256k1_gej_verify(a) ------------------ 821| 547k|} secp256k1.c:secp256k1_ge_set_gej: 159| 5.72k|static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a) { 160| 5.72k| secp256k1_fe z2, z3; 161| 5.72k| SECP256K1_GEJ_VERIFY(a); ------------------ | | 210| 5.72k|#define SECP256K1_GEJ_VERIFY(a) secp256k1_gej_verify(a) ------------------ 162| | 163| 5.72k| r->infinity = a->infinity; 164| 5.72k| secp256k1_fe_inv(&a->z, &a->z); ------------------ | | 98| 5.72k|# define secp256k1_fe_inv secp256k1_fe_impl_inv ------------------ 165| 5.72k| secp256k1_fe_sqr(&z2, &a->z); ------------------ | | 94| 5.72k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 166| 5.72k| secp256k1_fe_mul(&z3, &a->z, &z2); ------------------ | | 93| 5.72k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 167| 5.72k| secp256k1_fe_mul(&a->x, &a->x, &z2); ------------------ | | 93| 5.72k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 168| 5.72k| secp256k1_fe_mul(&a->y, &a->y, &z3); ------------------ | | 93| 5.72k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 169| 5.72k| secp256k1_fe_set_int(&a->z, 1); ------------------ | | 83| 5.72k|# define secp256k1_fe_set_int secp256k1_fe_impl_set_int ------------------ 170| 5.72k| r->x = a->x; 171| 5.72k| r->y = a->y; 172| | 173| 5.72k| SECP256K1_GEJ_VERIFY(a); ------------------ | | 210| 5.72k|#define SECP256K1_GEJ_VERIFY(a) secp256k1_gej_verify(a) ------------------ 174| 5.72k| SECP256K1_GE_VERIFY(r); ------------------ | | 206| 5.72k|#define SECP256K1_GE_VERIFY(a) secp256k1_ge_verify(a) ------------------ 175| 5.72k|} secp256k1.c:secp256k1_gej_set_ge: 329| 23.4k|static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a) { 330| 23.4k| SECP256K1_GE_VERIFY(a); ------------------ | | 206| 23.4k|#define SECP256K1_GE_VERIFY(a) secp256k1_ge_verify(a) ------------------ 331| | 332| 23.4k| r->infinity = a->infinity; 333| 23.4k| r->x = a->x; 334| 23.4k| r->y = a->y; 335| 23.4k| secp256k1_fe_set_int(&r->z, 1); ------------------ | | 83| 23.4k|# define secp256k1_fe_set_int secp256k1_fe_impl_set_int ------------------ 336| | 337| 23.4k| SECP256K1_GEJ_VERIFY(r); ------------------ | | 210| 23.4k|#define SECP256K1_GEJ_VERIFY(a) secp256k1_gej_verify(a) ------------------ 338| 23.4k|} secp256k1.c:secp256k1_ge_set_gej_zinv: 99| 5.91k|static void secp256k1_ge_set_gej_zinv(secp256k1_ge *r, const secp256k1_gej *a, const secp256k1_fe *zi) { 100| 5.91k| secp256k1_fe zi2; 101| 5.91k| secp256k1_fe zi3; 102| 5.91k| SECP256K1_GEJ_VERIFY(a); ------------------ | | 210| 5.91k|#define SECP256K1_GEJ_VERIFY(a) secp256k1_gej_verify(a) ------------------ 103| 5.91k| SECP256K1_FE_VERIFY(zi); ------------------ | | 344| 5.91k|#define SECP256K1_FE_VERIFY(a) secp256k1_fe_verify(a) ------------------ 104| 5.91k| VERIFY_CHECK(!a->infinity); 105| | 106| 5.91k| secp256k1_fe_sqr(&zi2, zi); ------------------ | | 94| 5.91k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 107| 5.91k| secp256k1_fe_mul(&zi3, &zi2, zi); ------------------ | | 93| 5.91k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 108| 5.91k| secp256k1_fe_mul(&r->x, &a->x, &zi2); ------------------ | | 93| 5.91k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 109| 5.91k| secp256k1_fe_mul(&r->y, &a->y, &zi3); ------------------ | | 93| 5.91k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 110| 5.91k| r->infinity = a->infinity; 111| | 112| 5.91k| SECP256K1_GE_VERIFY(r); ------------------ | | 206| 5.91k|#define SECP256K1_GE_VERIFY(a) secp256k1_ge_verify(a) ------------------ 113| 5.91k|} secp256k1.c:secp256k1_ge_table_set_globalz: 251| 5.91k|static void secp256k1_ge_table_set_globalz(size_t len, secp256k1_ge *a, const secp256k1_fe *zr) { 252| 5.91k| size_t i; 253| 5.91k| secp256k1_fe zs; 254| |#ifdef VERIFY 255| | for (i = 0; i < len; i++) { 256| | SECP256K1_GE_VERIFY(&a[i]); 257| | SECP256K1_FE_VERIFY(&zr[i]); 258| | } 259| |#endif 260| | 261| 5.91k| if (len > 0) { ------------------ | Branch (261:9): [True: 5.91k, False: 0] ------------------ 262| 5.91k| i = len - 1; 263| | /* Ensure all y values are in weak normal form for fast negation of points */ 264| 5.91k| secp256k1_fe_normalize_weak(&a[i].y); ------------------ | | 79| 5.91k|# define secp256k1_fe_normalize_weak secp256k1_fe_impl_normalize_weak ------------------ 265| 5.91k| zs = zr[i]; 266| | 267| | /* Work our way backwards, using the z-ratios to scale the x/y values. */ 268| 94.5k| while (i > 0) { ------------------ | Branch (268:16): [True: 88.6k, False: 5.91k] ------------------ 269| 88.6k| if (i != len - 1) { ------------------ | Branch (269:17): [True: 82.7k, False: 5.91k] ------------------ 270| 82.7k| secp256k1_fe_mul(&zs, &zs, &zr[i]); ------------------ | | 93| 82.7k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 271| 82.7k| } 272| 88.6k| i--; 273| 88.6k| secp256k1_ge_set_ge_zinv(&a[i], &a[i], &zs); 274| 88.6k| } 275| 5.91k| } 276| | 277| |#ifdef VERIFY 278| | for (i = 0; i < len; i++) { 279| | SECP256K1_GE_VERIFY(&a[i]); 280| | } 281| |#endif 282| 5.91k|} secp256k1.c:secp256k1_ge_set_ge_zinv: 116| 88.6k|static void secp256k1_ge_set_ge_zinv(secp256k1_ge *r, const secp256k1_ge *a, const secp256k1_fe *zi) { 117| 88.6k| secp256k1_fe zi2; 118| 88.6k| secp256k1_fe zi3; 119| 88.6k| SECP256K1_GE_VERIFY(a); ------------------ | | 206| 88.6k|#define SECP256K1_GE_VERIFY(a) secp256k1_ge_verify(a) ------------------ 120| 88.6k| SECP256K1_FE_VERIFY(zi); ------------------ | | 344| 88.6k|#define SECP256K1_FE_VERIFY(a) secp256k1_fe_verify(a) ------------------ 121| 88.6k| VERIFY_CHECK(!a->infinity); 122| | 123| 88.6k| secp256k1_fe_sqr(&zi2, zi); ------------------ | | 94| 88.6k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 124| 88.6k| secp256k1_fe_mul(&zi3, &zi2, zi); ------------------ | | 93| 88.6k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 125| 88.6k| secp256k1_fe_mul(&r->x, &a->x, &zi2); ------------------ | | 93| 88.6k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 126| 88.6k| secp256k1_fe_mul(&r->y, &a->y, &zi3); ------------------ | | 93| 88.6k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 127| 88.6k| r->infinity = a->infinity; 128| | 129| 88.6k| SECP256K1_GE_VERIFY(r); ------------------ | | 206| 88.6k|#define SECP256K1_GE_VERIFY(a) secp256k1_ge_verify(a) ------------------ 130| 88.6k|} secp256k1.c:secp256k1_gej_double_var: 457| 5.91k|static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr) { 458| 5.91k| SECP256K1_GEJ_VERIFY(a); ------------------ | | 210| 5.91k|#define SECP256K1_GEJ_VERIFY(a) secp256k1_gej_verify(a) ------------------ 459| | 460| | /** For secp256k1, 2Q is infinity if and only if Q is infinity. This is because if 2Q = infinity, 461| | * Q must equal -Q, or that Q.y == -(Q.y), or Q.y is 0. For a point on y^2 = x^3 + 7 to have 462| | * y=0, x^3 must be -7 mod p. However, -7 has no cube root mod p. 463| | * 464| | * Having said this, if this function receives a point on a sextic twist, e.g. by 465| | * a fault attack, it is possible for y to be 0. This happens for y^2 = x^3 + 6, 466| | * since -6 does have a cube root mod p. For this point, this function will not set 467| | * the infinity flag even though the point doubles to infinity, and the result 468| | * point will be gibberish (z = 0 but infinity = 0). 469| | */ 470| 5.91k| if (a->infinity) { ------------------ | Branch (470:9): [True: 0, False: 5.91k] ------------------ 471| 0| secp256k1_gej_set_infinity(r); 472| 0| if (rzr != NULL) { ------------------ | Branch (472:13): [True: 0, False: 0] ------------------ 473| 0| secp256k1_fe_set_int(rzr, 1); ------------------ | | 83| 0|# define secp256k1_fe_set_int secp256k1_fe_impl_set_int ------------------ 474| 0| } 475| 0| return; 476| 0| } 477| | 478| 5.91k| if (rzr != NULL) { ------------------ | Branch (478:9): [True: 0, False: 5.91k] ------------------ 479| 0| *rzr = a->y; 480| 0| secp256k1_fe_normalize_weak(rzr); ------------------ | | 79| 0|# define secp256k1_fe_normalize_weak secp256k1_fe_impl_normalize_weak ------------------ 481| 0| } 482| | 483| 5.91k| secp256k1_gej_double(r, a); 484| | 485| 5.91k| SECP256K1_GEJ_VERIFY(r); ------------------ | | 210| 5.91k|#define SECP256K1_GEJ_VERIFY(a) secp256k1_gej_verify(a) ------------------ 486| 5.91k|} secp256k1.c:secp256k1_gej_add_ge_var: 552| 88.6k|static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr) { 553| | /* Operations: 8 mul, 3 sqr, 11 add/negate/normalizes_to_zero (ignoring special cases) */ 554| 88.6k| secp256k1_fe z12, u1, u2, s1, s2, h, i, h2, h3, t; 555| 88.6k| SECP256K1_GEJ_VERIFY(a); ------------------ | | 210| 88.6k|#define SECP256K1_GEJ_VERIFY(a) secp256k1_gej_verify(a) ------------------ 556| 88.6k| SECP256K1_GE_VERIFY(b); ------------------ | | 206| 88.6k|#define SECP256K1_GE_VERIFY(a) secp256k1_ge_verify(a) ------------------ 557| | 558| 88.6k| if (a->infinity) { ------------------ | Branch (558:9): [True: 0, False: 88.6k] ------------------ 559| 0| VERIFY_CHECK(rzr == NULL); 560| 0| secp256k1_gej_set_ge(r, b); 561| 0| return; 562| 0| } 563| 88.6k| if (b->infinity) { ------------------ | Branch (563:9): [True: 0, False: 88.6k] ------------------ 564| 0| if (rzr != NULL) { ------------------ | Branch (564:13): [True: 0, False: 0] ------------------ 565| 0| secp256k1_fe_set_int(rzr, 1); ------------------ | | 83| 0|# define secp256k1_fe_set_int secp256k1_fe_impl_set_int ------------------ 566| 0| } 567| 0| *r = *a; 568| 0| return; 569| 0| } 570| | 571| 88.6k| secp256k1_fe_sqr(&z12, &a->z); ------------------ | | 94| 88.6k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 572| 88.6k| u1 = a->x; 573| 88.6k| secp256k1_fe_mul(&u2, &b->x, &z12); ------------------ | | 93| 88.6k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 574| 88.6k| s1 = a->y; 575| 88.6k| secp256k1_fe_mul(&s2, &b->y, &z12); secp256k1_fe_mul(&s2, &s2, &a->z); ------------------ | | 93| 88.6k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ secp256k1_fe_mul(&s2, &b->y, &z12); secp256k1_fe_mul(&s2, &s2, &a->z); ------------------ | | 93| 88.6k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 576| 88.6k| secp256k1_fe_negate(&h, &u1, SECP256K1_GEJ_X_MAGNITUDE_MAX); secp256k1_fe_add(&h, &u2); ------------------ | | 211| 88.6k|#define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) | | ------------------ | | | | 77| 88.6k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 88.6k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 88.6k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 88.6k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 88.6k, False: 0] | | | | ------------------ | | | | 83| 88.6k| } \ | | | | 84| 88.6k| stmt; \ | | | | 85| 88.6k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ secp256k1_fe_negate(&h, &u1, SECP256K1_GEJ_X_MAGNITUDE_MAX); secp256k1_fe_add(&h, &u2); ------------------ | | 92| 88.6k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 577| 88.6k| secp256k1_fe_negate(&i, &s2, 1); secp256k1_fe_add(&i, &s1); ------------------ | | 211| 88.6k|#define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) | | ------------------ | | | | 77| 88.6k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 88.6k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 88.6k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 88.6k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 88.6k, False: 0] | | | | ------------------ | | | | 83| 88.6k| } \ | | | | 84| 88.6k| stmt; \ | | | | 85| 88.6k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ secp256k1_fe_negate(&i, &s2, 1); secp256k1_fe_add(&i, &s1); ------------------ | | 92| 88.6k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 578| 88.6k| if (secp256k1_fe_normalizes_to_zero_var(&h)) { ------------------ | | 82| 88.6k|# define secp256k1_fe_normalizes_to_zero_var secp256k1_fe_impl_normalizes_to_zero_var ------------------ | Branch (578:9): [True: 0, False: 88.6k] ------------------ 579| 0| if (secp256k1_fe_normalizes_to_zero_var(&i)) { ------------------ | | 82| 0|# define secp256k1_fe_normalizes_to_zero_var secp256k1_fe_impl_normalizes_to_zero_var ------------------ | Branch (579:13): [True: 0, False: 0] ------------------ 580| 0| secp256k1_gej_double_var(r, a, rzr); 581| 0| } else { 582| 0| if (rzr != NULL) { ------------------ | Branch (582:17): [True: 0, False: 0] ------------------ 583| 0| secp256k1_fe_set_int(rzr, 0); ------------------ | | 83| 0|# define secp256k1_fe_set_int secp256k1_fe_impl_set_int ------------------ 584| 0| } 585| 0| secp256k1_gej_set_infinity(r); 586| 0| } 587| 0| return; 588| 0| } 589| | 590| 88.6k| r->infinity = 0; 591| 88.6k| if (rzr != NULL) { ------------------ | Branch (591:9): [True: 88.6k, False: 0] ------------------ 592| 88.6k| *rzr = h; 593| 88.6k| } 594| 88.6k| secp256k1_fe_mul(&r->z, &a->z, &h); ------------------ | | 93| 88.6k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 595| | 596| 88.6k| secp256k1_fe_sqr(&h2, &h); ------------------ | | 94| 88.6k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 597| 88.6k| secp256k1_fe_negate(&h2, &h2, 1); ------------------ | | 211| 88.6k|#define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) | | ------------------ | | | | 77| 88.6k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 88.6k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 88.6k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 88.6k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 88.6k, False: 0] | | | | ------------------ | | | | 83| 88.6k| } \ | | | | 84| 88.6k| stmt; \ | | | | 85| 88.6k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 598| 88.6k| secp256k1_fe_mul(&h3, &h2, &h); ------------------ | | 93| 88.6k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 599| 88.6k| secp256k1_fe_mul(&t, &u1, &h2); ------------------ | | 93| 88.6k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 600| | 601| 88.6k| secp256k1_fe_sqr(&r->x, &i); ------------------ | | 94| 88.6k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 602| 88.6k| secp256k1_fe_add(&r->x, &h3); ------------------ | | 92| 88.6k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 603| 88.6k| secp256k1_fe_add(&r->x, &t); ------------------ | | 92| 88.6k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 604| 88.6k| secp256k1_fe_add(&r->x, &t); ------------------ | | 92| 88.6k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 605| | 606| 88.6k| secp256k1_fe_add(&t, &r->x); ------------------ | | 92| 88.6k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 607| 88.6k| secp256k1_fe_mul(&r->y, &t, &i); ------------------ | | 93| 88.6k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 608| 88.6k| secp256k1_fe_mul(&h3, &h3, &s1); ------------------ | | 93| 88.6k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 609| 88.6k| secp256k1_fe_add(&r->y, &h3); ------------------ | | 92| 88.6k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 610| | 611| 88.6k| SECP256K1_GEJ_VERIFY(r); ------------------ | | 210| 88.6k|#define SECP256K1_GEJ_VERIFY(a) secp256k1_gej_verify(a) ------------------ 612| 88.6k| if (rzr != NULL) SECP256K1_FE_VERIFY(rzr); ------------------ | | 344| 88.6k|#define SECP256K1_FE_VERIFY(a) secp256k1_fe_verify(a) ------------------ | Branch (612:9): [True: 88.6k, False: 0] ------------------ 613| 88.6k|} secp256k1.c:secp256k1_ge_is_infinity: 143| 5.91k|static int secp256k1_ge_is_infinity(const secp256k1_ge *a) { 144| 5.91k| SECP256K1_GE_VERIFY(a); ------------------ | | 206| 5.91k|#define SECP256K1_GE_VERIFY(a) secp256k1_ge_verify(a) ------------------ 145| | 146| 5.91k| return a->infinity; 147| 5.91k|} secp256k1.c:secp256k1_ge_x_on_curve_var: 910| 12.3k|static int secp256k1_ge_x_on_curve_var(const secp256k1_fe *x) { 911| 12.3k| secp256k1_fe c; 912| 12.3k| secp256k1_fe_sqr(&c, x); ------------------ | | 94| 12.3k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 913| 12.3k| secp256k1_fe_mul(&c, &c, x); ------------------ | | 93| 12.3k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 914| 12.3k| secp256k1_fe_add_int(&c, SECP256K1_B); ------------------ | | 102| 12.3k|# define secp256k1_fe_add_int secp256k1_fe_impl_add_int ------------------ secp256k1_fe_add_int(&c, SECP256K1_B); ------------------ | | 73| 12.3k|#define SECP256K1_B 7 ------------------ 915| 12.3k| return secp256k1_fe_is_square_var(&c); ------------------ | | 103| 12.3k|# define secp256k1_fe_is_square_var secp256k1_fe_impl_is_square_var ------------------ 916| 12.3k|} secp256k1.c:secp256k1_ge_x_frac_on_curve_var: 918| 8.34k|static int secp256k1_ge_x_frac_on_curve_var(const secp256k1_fe *xn, const secp256k1_fe *xd) { 919| | /* We want to determine whether (xn/xd) is on the curve. 920| | * 921| | * (xn/xd)^3 + 7 is square <=> xd*xn^3 + 7*xd^4 is square (multiplying by xd^4, a square). 922| | */ 923| 8.34k| secp256k1_fe r, t; 924| 8.34k| VERIFY_CHECK(!secp256k1_fe_normalizes_to_zero_var(xd)); 925| | 926| 8.34k| secp256k1_fe_mul(&r, xd, xn); /* r = xd*xn */ ------------------ | | 93| 8.34k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 927| 8.34k| secp256k1_fe_sqr(&t, xn); /* t = xn^2 */ ------------------ | | 94| 8.34k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 928| 8.34k| secp256k1_fe_mul(&r, &r, &t); /* r = xd*xn^3 */ ------------------ | | 93| 8.34k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 929| 8.34k| secp256k1_fe_sqr(&t, xd); /* t = xd^2 */ ------------------ | | 94| 8.34k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 930| 8.34k| secp256k1_fe_sqr(&t, &t); /* t = xd^4 */ ------------------ | | 94| 8.34k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 931| 8.34k| VERIFY_CHECK(SECP256K1_B <= 31); 932| 8.34k| secp256k1_fe_mul_int(&t, SECP256K1_B); /* t = 7*xd^4 */ ------------------ | | 233| 8.34k|#define secp256k1_fe_mul_int(r, a) ASSERT_INT_CONST_AND_DO(a, secp256k1_fe_mul_int_unchecked(r, a)) | | ------------------ | | | | 77| 8.34k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 8.34k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 8.34k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 8.34k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 8.34k, False: 0] | | | | ------------------ | | | | 83| 8.34k| } \ | | | | 84| 8.34k| stmt; \ | | | | 85| 8.34k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 933| 8.34k| secp256k1_fe_add(&r, &t); /* r = xd*xn^3 + 7*xd^4 */ ------------------ | | 92| 8.34k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 934| 8.34k| return secp256k1_fe_is_square_var(&r); ------------------ | | 103| 8.34k|# define secp256k1_fe_is_square_var secp256k1_fe_impl_is_square_var ------------------ 935| 8.34k|} secp256k1.c:secp256k1_ge_mul_lambda: 877| 94.5k|static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a) { 878| 94.5k| SECP256K1_GE_VERIFY(a); ------------------ | | 206| 94.5k|#define SECP256K1_GE_VERIFY(a) secp256k1_ge_verify(a) ------------------ 879| | 880| 94.5k| *r = *a; 881| 94.5k| secp256k1_fe_mul(&r->x, &r->x, &secp256k1_const_beta); ------------------ | | 93| 94.5k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 882| | 883| 94.5k| SECP256K1_GE_VERIFY(r); ------------------ | | 206| 94.5k|#define SECP256K1_GE_VERIFY(a) secp256k1_ge_verify(a) ------------------ 884| 94.5k|} secp256k1.c:secp256k1_sha256_initialize: 31| 11.6k|static void secp256k1_sha256_initialize(secp256k1_sha256 *hash) { 32| 11.6k| hash->s[0] = 0x6a09e667ul; 33| 11.6k| hash->s[1] = 0xbb67ae85ul; 34| 11.6k| hash->s[2] = 0x3c6ef372ul; 35| 11.6k| hash->s[3] = 0xa54ff53aul; 36| 11.6k| hash->s[4] = 0x510e527ful; 37| 11.6k| hash->s[5] = 0x9b05688cul; 38| 11.6k| hash->s[6] = 0x1f83d9abul; 39| 11.6k| hash->s[7] = 0x5be0cd19ul; 40| 11.6k| hash->bytes = 0; 41| 11.6k|} secp256k1.c:secp256k1_sha256_write: 126| 139k|static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t len) { 127| 139k| size_t bufsize = hash->bytes & 0x3F; 128| 139k| hash->bytes += len; 129| 139k| VERIFY_CHECK(hash->bytes >= len); 130| 193k| while (len >= 64 - bufsize) { ------------------ | Branch (130:12): [True: 54.2k, False: 139k] ------------------ 131| | /* Fill the buffer, and process it. */ 132| 54.2k| size_t chunk_len = 64 - bufsize; 133| 54.2k| memcpy(hash->buf + bufsize, data, chunk_len); 134| 54.2k| data += chunk_len; 135| 54.2k| len -= chunk_len; 136| 54.2k| secp256k1_sha256_transform(hash->s, hash->buf); 137| 54.2k| bufsize = 0; 138| 54.2k| } 139| 139k| if (len) { ------------------ | Branch (139:9): [True: 84.8k, False: 54.2k] ------------------ 140| | /* Fill the buffer with what remains. */ 141| 84.8k| memcpy(hash->buf + bufsize, data, len); 142| 84.8k| } 143| 139k|} secp256k1.c:secp256k1_sha256_transform: 44| 54.2k|static void secp256k1_sha256_transform(uint32_t* s, const unsigned char* buf) { 45| 54.2k| uint32_t a = s[0], b = s[1], c = s[2], d = s[3], e = s[4], f = s[5], g = s[6], h = s[7]; 46| 54.2k| uint32_t w0, w1, w2, w3, w4, w5, w6, w7, w8, w9, w10, w11, w12, w13, w14, w15; 47| | 48| 54.2k| Round(a, b, c, d, e, f, g, h, 0x428a2f98, w0 = secp256k1_read_be32(&buf[0])); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 49| 54.2k| Round(h, a, b, c, d, e, f, g, 0x71374491, w1 = secp256k1_read_be32(&buf[4])); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 50| 54.2k| Round(g, h, a, b, c, d, e, f, 0xb5c0fbcf, w2 = secp256k1_read_be32(&buf[8])); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 51| 54.2k| Round(f, g, h, a, b, c, d, e, 0xe9b5dba5, w3 = secp256k1_read_be32(&buf[12])); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 52| 54.2k| Round(e, f, g, h, a, b, c, d, 0x3956c25b, w4 = secp256k1_read_be32(&buf[16])); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 53| 54.2k| Round(d, e, f, g, h, a, b, c, 0x59f111f1, w5 = secp256k1_read_be32(&buf[20])); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 54| 54.2k| Round(c, d, e, f, g, h, a, b, 0x923f82a4, w6 = secp256k1_read_be32(&buf[24])); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 55| 54.2k| Round(b, c, d, e, f, g, h, a, 0xab1c5ed5, w7 = secp256k1_read_be32(&buf[28])); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 56| 54.2k| Round(a, b, c, d, e, f, g, h, 0xd807aa98, w8 = secp256k1_read_be32(&buf[32])); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 57| 54.2k| Round(h, a, b, c, d, e, f, g, 0x12835b01, w9 = secp256k1_read_be32(&buf[36])); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 58| 54.2k| Round(g, h, a, b, c, d, e, f, 0x243185be, w10 = secp256k1_read_be32(&buf[40])); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 59| 54.2k| Round(f, g, h, a, b, c, d, e, 0x550c7dc3, w11 = secp256k1_read_be32(&buf[44])); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 60| 54.2k| Round(e, f, g, h, a, b, c, d, 0x72be5d74, w12 = secp256k1_read_be32(&buf[48])); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 61| 54.2k| Round(d, e, f, g, h, a, b, c, 0x80deb1fe, w13 = secp256k1_read_be32(&buf[52])); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 62| 54.2k| Round(c, d, e, f, g, h, a, b, 0x9bdc06a7, w14 = secp256k1_read_be32(&buf[56])); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 63| 54.2k| Round(b, c, d, e, f, g, h, a, 0xc19bf174, w15 = secp256k1_read_be32(&buf[60])); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 64| | 65| 54.2k| Round(a, b, c, d, e, f, g, h, 0xe49b69c1, w0 += sigma1(w14) + w9 + sigma0(w1)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 66| 54.2k| Round(h, a, b, c, d, e, f, g, 0xefbe4786, w1 += sigma1(w15) + w10 + sigma0(w2)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 67| 54.2k| Round(g, h, a, b, c, d, e, f, 0x0fc19dc6, w2 += sigma1(w0) + w11 + sigma0(w3)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 68| 54.2k| Round(f, g, h, a, b, c, d, e, 0x240ca1cc, w3 += sigma1(w1) + w12 + sigma0(w4)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 69| 54.2k| Round(e, f, g, h, a, b, c, d, 0x2de92c6f, w4 += sigma1(w2) + w13 + sigma0(w5)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 70| 54.2k| Round(d, e, f, g, h, a, b, c, 0x4a7484aa, w5 += sigma1(w3) + w14 + sigma0(w6)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 71| 54.2k| Round(c, d, e, f, g, h, a, b, 0x5cb0a9dc, w6 += sigma1(w4) + w15 + sigma0(w7)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 72| 54.2k| Round(b, c, d, e, f, g, h, a, 0x76f988da, w7 += sigma1(w5) + w0 + sigma0(w8)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 73| 54.2k| Round(a, b, c, d, e, f, g, h, 0x983e5152, w8 += sigma1(w6) + w1 + sigma0(w9)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 74| 54.2k| Round(h, a, b, c, d, e, f, g, 0xa831c66d, w9 += sigma1(w7) + w2 + sigma0(w10)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 75| 54.2k| Round(g, h, a, b, c, d, e, f, 0xb00327c8, w10 += sigma1(w8) + w3 + sigma0(w11)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 76| 54.2k| Round(f, g, h, a, b, c, d, e, 0xbf597fc7, w11 += sigma1(w9) + w4 + sigma0(w12)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 77| 54.2k| Round(e, f, g, h, a, b, c, d, 0xc6e00bf3, w12 += sigma1(w10) + w5 + sigma0(w13)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 78| 54.2k| Round(d, e, f, g, h, a, b, c, 0xd5a79147, w13 += sigma1(w11) + w6 + sigma0(w14)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 79| 54.2k| Round(c, d, e, f, g, h, a, b, 0x06ca6351, w14 += sigma1(w12) + w7 + sigma0(w15)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 80| 54.2k| Round(b, c, d, e, f, g, h, a, 0x14292967, w15 += sigma1(w13) + w8 + sigma0(w0)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 81| | 82| 54.2k| Round(a, b, c, d, e, f, g, h, 0x27b70a85, w0 += sigma1(w14) + w9 + sigma0(w1)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 83| 54.2k| Round(h, a, b, c, d, e, f, g, 0x2e1b2138, w1 += sigma1(w15) + w10 + sigma0(w2)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 84| 54.2k| Round(g, h, a, b, c, d, e, f, 0x4d2c6dfc, w2 += sigma1(w0) + w11 + sigma0(w3)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 85| 54.2k| Round(f, g, h, a, b, c, d, e, 0x53380d13, w3 += sigma1(w1) + w12 + sigma0(w4)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 86| 54.2k| Round(e, f, g, h, a, b, c, d, 0x650a7354, w4 += sigma1(w2) + w13 + sigma0(w5)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 87| 54.2k| Round(d, e, f, g, h, a, b, c, 0x766a0abb, w5 += sigma1(w3) + w14 + sigma0(w6)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 88| 54.2k| Round(c, d, e, f, g, h, a, b, 0x81c2c92e, w6 += sigma1(w4) + w15 + sigma0(w7)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 89| 54.2k| Round(b, c, d, e, f, g, h, a, 0x92722c85, w7 += sigma1(w5) + w0 + sigma0(w8)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 90| 54.2k| Round(a, b, c, d, e, f, g, h, 0xa2bfe8a1, w8 += sigma1(w6) + w1 + sigma0(w9)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 91| 54.2k| Round(h, a, b, c, d, e, f, g, 0xa81a664b, w9 += sigma1(w7) + w2 + sigma0(w10)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 92| 54.2k| Round(g, h, a, b, c, d, e, f, 0xc24b8b70, w10 += sigma1(w8) + w3 + sigma0(w11)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 93| 54.2k| Round(f, g, h, a, b, c, d, e, 0xc76c51a3, w11 += sigma1(w9) + w4 + sigma0(w12)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 94| 54.2k| Round(e, f, g, h, a, b, c, d, 0xd192e819, w12 += sigma1(w10) + w5 + sigma0(w13)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 95| 54.2k| Round(d, e, f, g, h, a, b, c, 0xd6990624, w13 += sigma1(w11) + w6 + sigma0(w14)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 96| 54.2k| Round(c, d, e, f, g, h, a, b, 0xf40e3585, w14 += sigma1(w12) + w7 + sigma0(w15)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 97| 54.2k| Round(b, c, d, e, f, g, h, a, 0x106aa070, w15 += sigma1(w13) + w8 + sigma0(w0)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 98| | 99| 54.2k| Round(a, b, c, d, e, f, g, h, 0x19a4c116, w0 += sigma1(w14) + w9 + sigma0(w1)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 100| 54.2k| Round(h, a, b, c, d, e, f, g, 0x1e376c08, w1 += sigma1(w15) + w10 + sigma0(w2)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 101| 54.2k| Round(g, h, a, b, c, d, e, f, 0x2748774c, w2 += sigma1(w0) + w11 + sigma0(w3)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 102| 54.2k| Round(f, g, h, a, b, c, d, e, 0x34b0bcb5, w3 += sigma1(w1) + w12 + sigma0(w4)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 103| 54.2k| Round(e, f, g, h, a, b, c, d, 0x391c0cb3, w4 += sigma1(w2) + w13 + sigma0(w5)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 104| 54.2k| Round(d, e, f, g, h, a, b, c, 0x4ed8aa4a, w5 += sigma1(w3) + w14 + sigma0(w6)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 105| 54.2k| Round(c, d, e, f, g, h, a, b, 0x5b9cca4f, w6 += sigma1(w4) + w15 + sigma0(w7)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 106| 54.2k| Round(b, c, d, e, f, g, h, a, 0x682e6ff3, w7 += sigma1(w5) + w0 + sigma0(w8)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 107| 54.2k| Round(a, b, c, d, e, f, g, h, 0x748f82ee, w8 += sigma1(w6) + w1 + sigma0(w9)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 108| 54.2k| Round(h, a, b, c, d, e, f, g, 0x78a5636f, w9 += sigma1(w7) + w2 + sigma0(w10)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 109| 54.2k| Round(g, h, a, b, c, d, e, f, 0x84c87814, w10 += sigma1(w8) + w3 + sigma0(w11)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 110| 54.2k| Round(f, g, h, a, b, c, d, e, 0x8cc70208, w11 += sigma1(w9) + w4 + sigma0(w12)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 111| 54.2k| Round(e, f, g, h, a, b, c, d, 0x90befffa, w12 += sigma1(w10) + w5 + sigma0(w13)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 112| 54.2k| Round(d, e, f, g, h, a, b, c, 0xa4506ceb, w13 += sigma1(w11) + w6 + sigma0(w14)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 113| 54.2k| Round(c, d, e, f, g, h, a, b, 0xbef9a3f7, w14 + sigma1(w12) + w7 + sigma0(w15)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 114| 54.2k| Round(b, c, d, e, f, g, h, a, 0xc67178f2, w15 + sigma1(w13) + w8 + sigma0(w0)); ------------------ | | 24| 54.2k|#define Round(a,b,c,d,e,f,g,h,k,w) do { \ | | 25| 54.2k| uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 20| 54.2k|#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) | | ------------------ | | uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ | | ------------------ | | | | 17| 54.2k|#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) | | ------------------ | | 26| 54.2k| uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 19| 54.2k|#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) | | ------------------ | | uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ | | ------------------ | | | | 18| 54.2k|#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) | | ------------------ | | 27| 54.2k| (d) += t1; \ | | 28| 54.2k| (h) = t1 + t2; \ | | 29| 54.2k|} while(0) | | ------------------ | | | Branch (29:9): [Folded - Ignored] | | ------------------ ------------------ 115| | 116| 54.2k| s[0] += a; 117| 54.2k| s[1] += b; 118| 54.2k| s[2] += c; 119| 54.2k| s[3] += d; 120| 54.2k| s[4] += e; 121| 54.2k| s[5] += f; 122| 54.2k| s[6] += g; 123| 54.2k| s[7] += h; 124| 54.2k|} secp256k1.c:secp256k1_sha256_finalize: 145| 36.6k|static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32) { 146| 36.6k| static const unsigned char pad[64] = {0x80}; 147| 36.6k| unsigned char sizedesc[8]; 148| 36.6k| int i; 149| | /* The maximum message size of SHA256 is 2^64-1 bits. */ 150| 36.6k| VERIFY_CHECK(hash->bytes < ((uint64_t)1 << 61)); 151| 36.6k| secp256k1_write_be32(&sizedesc[0], hash->bytes >> 29); 152| 36.6k| secp256k1_write_be32(&sizedesc[4], hash->bytes << 3); 153| 36.6k| secp256k1_sha256_write(hash, pad, 1 + ((119 - (hash->bytes % 64)) % 64)); 154| 36.6k| secp256k1_sha256_write(hash, sizedesc, 8); 155| 330k| for (i = 0; i < 8; i++) { ------------------ | Branch (155:17): [True: 293k, False: 36.6k] ------------------ 156| 293k| secp256k1_write_be32(&out32[4*i], hash->s[i]); 157| 293k| hash->s[i] = 0; 158| 293k| } 159| 36.6k|} secp256k1.c:secp256k1_sha256_clear: 174| 5.91k|static void secp256k1_sha256_clear(secp256k1_sha256 *hash) { 175| 5.91k| secp256k1_memclear(hash, sizeof(*hash)); 176| 5.91k|} secp256k1.c:secp256k1_u128_mul: 11| 48.1M|static SECP256K1_INLINE void secp256k1_u128_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b) { 12| 48.1M| *r = (uint128_t)a * b; 13| 48.1M|} secp256k1.c:secp256k1_u128_accum_mul: 15| 364M|static SECP256K1_INLINE void secp256k1_u128_accum_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b) { 16| 364M| *r += (uint128_t)a * b; 17| 364M|} secp256k1.c:secp256k1_u128_to_u64: 28| 209M|static SECP256K1_INLINE uint64_t secp256k1_u128_to_u64(const secp256k1_uint128 *a) { 29| 209M| return (uint64_t)(*a); 30| 209M|} secp256k1.c:secp256k1_u128_rshift: 23| 160M|static SECP256K1_INLINE void secp256k1_u128_rshift(secp256k1_uint128 *r, unsigned int n) { 24| 160M| VERIFY_CHECK(n < 128); 25| 160M| *r >>= n; 26| 160M|} secp256k1.c:secp256k1_u128_accum_u64: 19| 16.8M|static SECP256K1_INLINE void secp256k1_u128_accum_u64(secp256k1_uint128 *r, uint64_t a) { 20| 16.8M| *r += a; 21| 16.8M|} secp256k1.c:secp256k1_u128_from_u64: 36| 128k|static SECP256K1_INLINE void secp256k1_u128_from_u64(secp256k1_uint128 *r, uint64_t a) { 37| 128k| *r = a; 38| 128k|} secp256k1.c:secp256k1_i128_mul: 49| 1.83M|static SECP256K1_INLINE void secp256k1_i128_mul(secp256k1_int128 *r, int64_t a, int64_t b) { 50| 1.83M| *r = (int128_t)a * b; 51| 1.83M|} secp256k1.c:secp256k1_i128_accum_mul: 53| 11.4M|static SECP256K1_INLINE void secp256k1_i128_accum_mul(secp256k1_int128 *r, int64_t a, int64_t b) { 54| 11.4M| int128_t ab = (int128_t)a * b; 55| 11.4M| VERIFY_CHECK(0 <= ab ? *r <= INT128_MAX - ab : INT128_MIN - ab <= *r); 56| 11.4M| *r += ab; 57| 11.4M|} secp256k1.c:secp256k1_i128_to_u64: 71| 4.78M|static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a) { 72| 4.78M| return (uint64_t)*a; 73| 4.78M|} secp256k1.c:secp256k1_i128_rshift: 66| 6.28M|static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned int n) { 67| 6.28M| VERIFY_CHECK(n < 128); 68| 6.28M| *r >>= n; 69| 6.28M|} secp256k1.c:secp256k1_i128_to_i64: 75| 1.83M|static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a) { 76| 1.83M| VERIFY_CHECK(INT64_MIN <= *a && *a <= INT64_MAX); 77| 1.83M| return *a; 78| 1.83M|} secp256k1.c:secp256k1_modinv64_var: 637| 5.72k|static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo) { 638| | /* Start with d=0, e=1, f=modulus, g=x, eta=-1. */ 639| 5.72k| secp256k1_modinv64_signed62 d = {{0, 0, 0, 0, 0}}; 640| 5.72k| secp256k1_modinv64_signed62 e = {{1, 0, 0, 0, 0}}; 641| 5.72k| secp256k1_modinv64_signed62 f = modinfo->modulus; 642| 5.72k| secp256k1_modinv64_signed62 g = *x; 643| |#ifdef VERIFY 644| | int i = 0; 645| |#endif 646| 5.72k| int j, len = 5; 647| 5.72k| int64_t eta = -1; /* eta = -delta; delta is initially 1 */ 648| 5.72k| int64_t cond, fn, gn; 649| | 650| | /* Do iterations of 62 divsteps each until g=0. */ 651| 51.5k| while (1) { ------------------ | Branch (651:12): [Folded - Ignored] ------------------ 652| | /* Compute transition matrix and new eta after 62 divsteps. */ 653| 51.5k| secp256k1_modinv64_trans2x2 t; 654| 51.5k| eta = secp256k1_modinv64_divsteps_62_var(eta, f.v[0], g.v[0], &t); 655| | /* Update d,e using that transition matrix. */ 656| 51.5k| secp256k1_modinv64_update_de_62(&d, &e, &t, modinfo); 657| | /* Update f,g using that transition matrix. */ 658| 51.5k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, -1) > 0); /* f > -modulus */ 659| 51.5k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, 1) <= 0); /* f <= modulus */ 660| 51.5k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, len, &modinfo->modulus, -1) > 0); /* g > -modulus */ 661| 51.5k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, len, &modinfo->modulus, 1) < 0); /* g < modulus */ 662| | 663| 51.5k| secp256k1_modinv64_update_fg_62_var(len, &f, &g, &t); 664| | /* If the bottom limb of g is zero, there is a chance that g=0. */ 665| 51.5k| if (g.v[0] == 0) { ------------------ | Branch (665:13): [True: 5.72k, False: 45.8k] ------------------ 666| 5.72k| cond = 0; 667| | /* Check if the other limbs are also 0. */ 668| 5.72k| for (j = 1; j < len; ++j) { ------------------ | Branch (668:25): [True: 0, False: 5.72k] ------------------ 669| 0| cond |= g.v[j]; 670| 0| } 671| | /* If so, we're done. */ 672| 5.72k| if (cond == 0) break; ------------------ | Branch (672:17): [True: 5.72k, False: 0] ------------------ 673| 5.72k| } 674| | 675| | /* Determine if len>1 and limb (len-1) of both f and g is 0 or -1. */ 676| 45.8k| fn = f.v[len - 1]; 677| 45.8k| gn = g.v[len - 1]; 678| 45.8k| cond = ((int64_t)len - 2) >> 63; 679| 45.8k| cond |= fn ^ (fn >> 63); 680| 45.8k| cond |= gn ^ (gn >> 63); 681| | /* If so, reduce length, propagating the sign of f and g's top limb into the one below. */ 682| 45.8k| if (cond == 0) { ------------------ | Branch (682:13): [True: 22.9k, False: 22.9k] ------------------ 683| 22.9k| f.v[len - 2] |= (uint64_t)fn << 62; 684| 22.9k| g.v[len - 2] |= (uint64_t)gn << 62; 685| 22.9k| --len; 686| 22.9k| } 687| | 688| 45.8k| VERIFY_CHECK(++i < 12); /* We should never need more than 12*62 = 744 divsteps */ 689| 45.8k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, -1) > 0); /* f > -modulus */ 690| 45.8k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, 1) <= 0); /* f <= modulus */ 691| 45.8k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, len, &modinfo->modulus, -1) > 0); /* g > -modulus */ 692| 45.8k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, len, &modinfo->modulus, 1) < 0); /* g < modulus */ 693| 45.8k| } 694| | 695| | /* At this point g is 0 and (if g was not originally 0) f must now equal +/- GCD of 696| | * the initial f, g values i.e. +/- 1, and d now contains +/- the modular inverse. */ 697| | 698| | /* g == 0 */ 699| 5.72k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, len, &SECP256K1_SIGNED62_ONE, 0) == 0); 700| | /* |f| == 1, or (x == 0 and d == 0 and f == modulus) */ 701| 5.72k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, len, &SECP256K1_SIGNED62_ONE, -1) == 0 || 702| 5.72k| secp256k1_modinv64_mul_cmp_62(&f, len, &SECP256K1_SIGNED62_ONE, 1) == 0 || 703| 5.72k| (secp256k1_modinv64_mul_cmp_62(x, 5, &SECP256K1_SIGNED62_ONE, 0) == 0 && 704| 5.72k| secp256k1_modinv64_mul_cmp_62(&d, 5, &SECP256K1_SIGNED62_ONE, 0) == 0 && 705| 5.72k| secp256k1_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, 1) == 0)); 706| | 707| | /* Optionally negate d, normalize to [0,modulus), and return it. */ 708| 5.72k| secp256k1_modinv64_normalize_62(&d, f.v[len - 1], modinfo); 709| 5.72k| *x = d; 710| 5.72k|} secp256k1.c:secp256k1_modinv64_divsteps_62_var: 239| 51.5k|static int64_t secp256k1_modinv64_divsteps_62_var(int64_t eta, uint64_t f0, uint64_t g0, secp256k1_modinv64_trans2x2 *t) { 240| | /* Transformation matrix; see comments in secp256k1_modinv64_divsteps_62. */ 241| 51.5k| uint64_t u = 1, v = 0, q = 0, r = 1; 242| 51.5k| uint64_t f = f0, g = g0, m; 243| 51.5k| uint32_t w; 244| 51.5k| int i = 62, limit, zeros; 245| | 246| 848k| for (;;) { 247| | /* Use a sentinel bit to count zeros only up to i. */ 248| 848k| zeros = secp256k1_ctz64_var(g | (UINT64_MAX << i)); 249| | /* Perform zeros divsteps at once; they all just divide g by two. */ 250| 848k| g >>= zeros; 251| 848k| u <<= zeros; 252| 848k| v <<= zeros; 253| 848k| eta -= zeros; 254| 848k| i -= zeros; 255| | /* We're done once we've done 62 divsteps. */ 256| 848k| if (i == 0) break; ------------------ | Branch (256:13): [True: 51.5k, False: 797k] ------------------ 257| 797k| VERIFY_CHECK((f & 1) == 1); 258| 797k| VERIFY_CHECK((g & 1) == 1); 259| 797k| VERIFY_CHECK((u * f0 + v * g0) == f << (62 - i)); 260| 797k| VERIFY_CHECK((q * f0 + r * g0) == g << (62 - i)); 261| | /* Bounds on eta that follow from the bounds on iteration count (max 12*62 divsteps). */ 262| 797k| VERIFY_CHECK(eta >= -745 && eta <= 745); 263| | /* If eta is negative, negate it and replace f,g with g,-f. */ 264| 797k| if (eta < 0) { ------------------ | Branch (264:13): [True: 769k, False: 28.2k] ------------------ 265| 769k| uint64_t tmp; 266| 769k| eta = -eta; 267| 769k| tmp = f; f = g; g = -tmp; 268| 769k| tmp = u; u = q; q = -tmp; 269| 769k| tmp = v; v = r; r = -tmp; 270| | /* Use a formula to cancel out up to 6 bits of g. Also, no more than i can be cancelled 271| | * out (as we'd be done before that point), and no more than eta+1 can be done as its 272| | * sign will flip again once that happens. */ 273| 769k| limit = ((int)eta + 1) > i ? i : ((int)eta + 1); ------------------ | Branch (273:21): [True: 14.9k, False: 754k] ------------------ 274| 769k| VERIFY_CHECK(limit > 0 && limit <= 62); 275| | /* m is a mask for the bottom min(limit, 6) bits. */ 276| 769k| m = (UINT64_MAX >> (64 - limit)) & 63U; 277| | /* Find what multiple of f must be added to g to cancel its bottom min(limit, 6) 278| | * bits. */ 279| 769k| w = (f * g * (f * f - 2)) & m; 280| 769k| } else { 281| | /* In this branch, use a simpler formula that only lets us cancel up to 4 bits of g, as 282| | * eta tends to be smaller here. */ 283| 28.2k| limit = ((int)eta + 1) > i ? i : ((int)eta + 1); ------------------ | Branch (283:21): [True: 139, False: 28.1k] ------------------ 284| 28.2k| VERIFY_CHECK(limit > 0 && limit <= 62); 285| | /* m is a mask for the bottom min(limit, 4) bits. */ 286| 28.2k| m = (UINT64_MAX >> (64 - limit)) & 15U; 287| | /* Find what multiple of f must be added to g to cancel its bottom min(limit, 4) 288| | * bits. */ 289| 28.2k| w = f + (((f + 1) & 4) << 1); 290| 28.2k| w = (-w * g) & m; 291| 28.2k| } 292| 797k| g += f * w; 293| 797k| q += u * w; 294| 797k| r += v * w; 295| 797k| VERIFY_CHECK((g & m) == 0); 296| 797k| } 297| | /* Return data in t and return value. */ 298| 51.5k| t->u = (int64_t)u; 299| 51.5k| t->v = (int64_t)v; 300| 51.5k| t->q = (int64_t)q; 301| 51.5k| t->r = (int64_t)r; 302| | 303| | /* The determinant of t must be a power of two. This guarantees that multiplication with t 304| | * does not change the gcd of f and g, apart from adding a power-of-2 factor to it (which 305| | * will be divided out again). As each divstep's individual matrix has determinant 2, the 306| | * aggregate of 62 of them will have determinant 2^62. */ 307| 51.5k| VERIFY_CHECK(secp256k1_modinv64_det_check_pow2(t, 62, 0)); 308| | 309| 51.5k| return eta; 310| 51.5k|} secp256k1.c:secp256k1_modinv64_update_de_62: 411| 167k|static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp256k1_modinv64_signed62 *e, const secp256k1_modinv64_trans2x2 *t, const secp256k1_modinv64_modinfo* modinfo) { 412| 167k| const uint64_t M62 = UINT64_MAX >> 2; 413| 167k| const int64_t d0 = d->v[0], d1 = d->v[1], d2 = d->v[2], d3 = d->v[3], d4 = d->v[4]; 414| 167k| const int64_t e0 = e->v[0], e1 = e->v[1], e2 = e->v[2], e3 = e->v[3], e4 = e->v[4]; 415| 167k| const int64_t u = t->u, v = t->v, q = t->q, r = t->r; 416| 167k| int64_t md, me, sd, se; 417| 167k| secp256k1_int128 cd, ce; 418| 167k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(d, 5, &modinfo->modulus, -2) > 0); /* d > -2*modulus */ 419| 167k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(d, 5, &modinfo->modulus, 1) < 0); /* d < modulus */ 420| 167k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(e, 5, &modinfo->modulus, -2) > 0); /* e > -2*modulus */ 421| 167k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(e, 5, &modinfo->modulus, 1) < 0); /* e < modulus */ 422| 167k| VERIFY_CHECK(secp256k1_modinv64_abs(u) <= (((int64_t)1 << 62) - secp256k1_modinv64_abs(v))); /* |u|+|v| <= 2^62 */ 423| 167k| VERIFY_CHECK(secp256k1_modinv64_abs(q) <= (((int64_t)1 << 62) - secp256k1_modinv64_abs(r))); /* |q|+|r| <= 2^62 */ 424| | 425| | /* [md,me] start as zero; plus [u,q] if d is negative; plus [v,r] if e is negative. */ 426| 167k| sd = d4 >> 63; 427| 167k| se = e4 >> 63; 428| 167k| md = (u & sd) + (v & se); 429| 167k| me = (q & sd) + (r & se); 430| | /* Begin computing t*[d,e]. */ 431| 167k| secp256k1_i128_mul(&cd, u, d0); 432| 167k| secp256k1_i128_accum_mul(&cd, v, e0); 433| 167k| secp256k1_i128_mul(&ce, q, d0); 434| 167k| secp256k1_i128_accum_mul(&ce, r, e0); 435| | /* Correct md,me so that t*[d,e]+modulus*[md,me] has 62 zero bottom bits. */ 436| 167k| md -= (modinfo->modulus_inv62 * secp256k1_i128_to_u64(&cd) + md) & M62; 437| 167k| me -= (modinfo->modulus_inv62 * secp256k1_i128_to_u64(&ce) + me) & M62; 438| | /* Update the beginning of computation for t*[d,e]+modulus*[md,me] now md,me are known. */ 439| 167k| secp256k1_i128_accum_mul(&cd, modinfo->modulus.v[0], md); 440| 167k| secp256k1_i128_accum_mul(&ce, modinfo->modulus.v[0], me); 441| | /* Verify that the low 62 bits of the computation are indeed zero, and then throw them away. */ 442| 167k| VERIFY_CHECK((secp256k1_i128_to_u64(&cd) & M62) == 0); secp256k1_i128_rshift(&cd, 62); 443| 167k| VERIFY_CHECK((secp256k1_i128_to_u64(&ce) & M62) == 0); secp256k1_i128_rshift(&ce, 62); 444| | /* Compute limb 1 of t*[d,e]+modulus*[md,me], and store it as output limb 0 (= down shift). */ 445| 167k| secp256k1_i128_accum_mul(&cd, u, d1); 446| 167k| secp256k1_i128_accum_mul(&cd, v, e1); 447| 167k| secp256k1_i128_accum_mul(&ce, q, d1); 448| 167k| secp256k1_i128_accum_mul(&ce, r, e1); 449| 167k| if (modinfo->modulus.v[1]) { /* Optimize for the case where limb of modulus is zero. */ ------------------ | Branch (449:9): [True: 0, False: 167k] ------------------ 450| 0| secp256k1_i128_accum_mul(&cd, modinfo->modulus.v[1], md); 451| 0| secp256k1_i128_accum_mul(&ce, modinfo->modulus.v[1], me); 452| 0| } 453| 167k| d->v[0] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62); 454| 167k| e->v[0] = secp256k1_i128_to_u64(&ce) & M62; secp256k1_i128_rshift(&ce, 62); 455| | /* Compute limb 2 of t*[d,e]+modulus*[md,me], and store it as output limb 1. */ 456| 167k| secp256k1_i128_accum_mul(&cd, u, d2); 457| 167k| secp256k1_i128_accum_mul(&cd, v, e2); 458| 167k| secp256k1_i128_accum_mul(&ce, q, d2); 459| 167k| secp256k1_i128_accum_mul(&ce, r, e2); 460| 167k| if (modinfo->modulus.v[2]) { /* Optimize for the case where limb of modulus is zero. */ ------------------ | Branch (460:9): [True: 0, False: 167k] ------------------ 461| 0| secp256k1_i128_accum_mul(&cd, modinfo->modulus.v[2], md); 462| 0| secp256k1_i128_accum_mul(&ce, modinfo->modulus.v[2], me); 463| 0| } 464| 167k| d->v[1] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62); 465| 167k| e->v[1] = secp256k1_i128_to_u64(&ce) & M62; secp256k1_i128_rshift(&ce, 62); 466| | /* Compute limb 3 of t*[d,e]+modulus*[md,me], and store it as output limb 2. */ 467| 167k| secp256k1_i128_accum_mul(&cd, u, d3); 468| 167k| secp256k1_i128_accum_mul(&cd, v, e3); 469| 167k| secp256k1_i128_accum_mul(&ce, q, d3); 470| 167k| secp256k1_i128_accum_mul(&ce, r, e3); 471| 167k| if (modinfo->modulus.v[3]) { /* Optimize for the case where limb of modulus is zero. */ ------------------ | Branch (471:9): [True: 0, False: 167k] ------------------ 472| 0| secp256k1_i128_accum_mul(&cd, modinfo->modulus.v[3], md); 473| 0| secp256k1_i128_accum_mul(&ce, modinfo->modulus.v[3], me); 474| 0| } 475| 167k| d->v[2] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62); 476| 167k| e->v[2] = secp256k1_i128_to_u64(&ce) & M62; secp256k1_i128_rshift(&ce, 62); 477| | /* Compute limb 4 of t*[d,e]+modulus*[md,me], and store it as output limb 3. */ 478| 167k| secp256k1_i128_accum_mul(&cd, u, d4); 479| 167k| secp256k1_i128_accum_mul(&cd, v, e4); 480| 167k| secp256k1_i128_accum_mul(&ce, q, d4); 481| 167k| secp256k1_i128_accum_mul(&ce, r, e4); 482| 167k| secp256k1_i128_accum_mul(&cd, modinfo->modulus.v[4], md); 483| 167k| secp256k1_i128_accum_mul(&ce, modinfo->modulus.v[4], me); 484| 167k| d->v[3] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62); 485| 167k| e->v[3] = secp256k1_i128_to_u64(&ce) & M62; secp256k1_i128_rshift(&ce, 62); 486| | /* What remains is limb 5 of t*[d,e]+modulus*[md,me]; store it as output limb 4. */ 487| 167k| d->v[4] = secp256k1_i128_to_i64(&cd); 488| 167k| e->v[4] = secp256k1_i128_to_i64(&ce); 489| | 490| 167k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(d, 5, &modinfo->modulus, -2) > 0); /* d > -2*modulus */ 491| 167k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(d, 5, &modinfo->modulus, 1) < 0); /* d < modulus */ 492| 167k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(e, 5, &modinfo->modulus, -2) > 0); /* e > -2*modulus */ 493| 167k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(e, 5, &modinfo->modulus, 1) < 0); /* e < modulus */ 494| 167k|} secp256k1.c:secp256k1_modinv64_update_fg_62_var: 553| 633k|static void secp256k1_modinv64_update_fg_62_var(int len, secp256k1_modinv64_signed62 *f, secp256k1_modinv64_signed62 *g, const secp256k1_modinv64_trans2x2 *t) { 554| 633k| const uint64_t M62 = UINT64_MAX >> 2; 555| 633k| const int64_t u = t->u, v = t->v, q = t->q, r = t->r; 556| 633k| int64_t fi, gi; 557| 633k| secp256k1_int128 cf, cg; 558| 633k| int i; 559| 633k| VERIFY_CHECK(len > 0); 560| | /* Start computing t*[f,g]. */ 561| 633k| fi = f->v[0]; 562| 633k| gi = g->v[0]; 563| 633k| secp256k1_i128_mul(&cf, u, fi); 564| 633k| secp256k1_i128_accum_mul(&cf, v, gi); 565| 633k| secp256k1_i128_mul(&cg, q, fi); 566| 633k| secp256k1_i128_accum_mul(&cg, r, gi); 567| | /* Verify that the bottom 62 bits of the result are zero, and then throw them away. */ 568| 633k| VERIFY_CHECK((secp256k1_i128_to_u64(&cf) & M62) == 0); secp256k1_i128_rshift(&cf, 62); 569| 633k| VERIFY_CHECK((secp256k1_i128_to_u64(&cg) & M62) == 0); secp256k1_i128_rshift(&cg, 62); 570| | /* Now iteratively compute limb i=1..len of t*[f,g], and store them in output limb i-1 (shifting 571| | * down by 62 bits). */ 572| 1.72M| for (i = 1; i < len; ++i) { ------------------ | Branch (572:17): [True: 1.08M, False: 633k] ------------------ 573| 1.08M| fi = f->v[i]; 574| 1.08M| gi = g->v[i]; 575| 1.08M| secp256k1_i128_accum_mul(&cf, u, fi); 576| 1.08M| secp256k1_i128_accum_mul(&cf, v, gi); 577| 1.08M| secp256k1_i128_accum_mul(&cg, q, fi); 578| 1.08M| secp256k1_i128_accum_mul(&cg, r, gi); 579| 1.08M| f->v[i - 1] = secp256k1_i128_to_u64(&cf) & M62; secp256k1_i128_rshift(&cf, 62); 580| 1.08M| g->v[i - 1] = secp256k1_i128_to_u64(&cg) & M62; secp256k1_i128_rshift(&cg, 62); 581| 1.08M| } 582| | /* What remains is limb (len) of t*[f,g]; store it as output limb (len-1). */ 583| 633k| f->v[len - 1] = secp256k1_i128_to_i64(&cf); 584| 633k| g->v[len - 1] = secp256k1_i128_to_i64(&cg); 585| 633k|} secp256k1.c:secp256k1_modinv64_normalize_62: 88| 17.3k|static void secp256k1_modinv64_normalize_62(secp256k1_modinv64_signed62 *r, int64_t sign, const secp256k1_modinv64_modinfo *modinfo) { 89| 17.3k| const int64_t M62 = (int64_t)(UINT64_MAX >> 2); 90| 17.3k| int64_t r0 = r->v[0], r1 = r->v[1], r2 = r->v[2], r3 = r->v[3], r4 = r->v[4]; 91| 17.3k| volatile int64_t cond_add, cond_negate; 92| | 93| |#ifdef VERIFY 94| | /* Verify that all limbs are in range (-2^62,2^62). */ 95| | int i; 96| | for (i = 0; i < 5; ++i) { 97| | VERIFY_CHECK(r->v[i] >= -M62); 98| | VERIFY_CHECK(r->v[i] <= M62); 99| | } 100| | VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(r, 5, &modinfo->modulus, -2) > 0); /* r > -2*modulus */ 101| | VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(r, 5, &modinfo->modulus, 1) < 0); /* r < modulus */ 102| |#endif 103| | 104| | /* In a first step, add the modulus if the input is negative, and then negate if requested. 105| | * This brings r from range (-2*modulus,modulus) to range (-modulus,modulus). As all input 106| | * limbs are in range (-2^62,2^62), this cannot overflow an int64_t. Note that the right 107| | * shifts below are signed sign-extending shifts (see assumptions.h for tests that that is 108| | * indeed the behavior of the right shift operator). */ 109| 17.3k| cond_add = r4 >> 63; 110| 17.3k| r0 += modinfo->modulus.v[0] & cond_add; 111| 17.3k| r1 += modinfo->modulus.v[1] & cond_add; 112| 17.3k| r2 += modinfo->modulus.v[2] & cond_add; 113| 17.3k| r3 += modinfo->modulus.v[3] & cond_add; 114| 17.3k| r4 += modinfo->modulus.v[4] & cond_add; 115| 17.3k| cond_negate = sign >> 63; 116| 17.3k| r0 = (r0 ^ cond_negate) - cond_negate; 117| 17.3k| r1 = (r1 ^ cond_negate) - cond_negate; 118| 17.3k| r2 = (r2 ^ cond_negate) - cond_negate; 119| 17.3k| r3 = (r3 ^ cond_negate) - cond_negate; 120| 17.3k| r4 = (r4 ^ cond_negate) - cond_negate; 121| | /* Propagate the top bits, to bring limbs back to range (-2^62,2^62). */ 122| 17.3k| r1 += r0 >> 62; r0 &= M62; 123| 17.3k| r2 += r1 >> 62; r1 &= M62; 124| 17.3k| r3 += r2 >> 62; r2 &= M62; 125| 17.3k| r4 += r3 >> 62; r3 &= M62; 126| | 127| | /* In a second step add the modulus again if the result is still negative, bringing 128| | * r to range [0,modulus). */ 129| 17.3k| cond_add = r4 >> 63; 130| 17.3k| r0 += modinfo->modulus.v[0] & cond_add; 131| 17.3k| r1 += modinfo->modulus.v[1] & cond_add; 132| 17.3k| r2 += modinfo->modulus.v[2] & cond_add; 133| 17.3k| r3 += modinfo->modulus.v[3] & cond_add; 134| 17.3k| r4 += modinfo->modulus.v[4] & cond_add; 135| | /* And propagate again. */ 136| 17.3k| r1 += r0 >> 62; r0 &= M62; 137| 17.3k| r2 += r1 >> 62; r1 &= M62; 138| 17.3k| r3 += r2 >> 62; r2 &= M62; 139| 17.3k| r4 += r3 >> 62; r3 &= M62; 140| | 141| 17.3k| r->v[0] = r0; 142| 17.3k| r->v[1] = r1; 143| 17.3k| r->v[2] = r2; 144| 17.3k| r->v[3] = r3; 145| 17.3k| r->v[4] = r4; 146| | 147| 17.3k| VERIFY_CHECK(r0 >> 62 == 0); 148| 17.3k| VERIFY_CHECK(r1 >> 62 == 0); 149| 17.3k| VERIFY_CHECK(r2 >> 62 == 0); 150| 17.3k| VERIFY_CHECK(r3 >> 62 == 0); 151| 17.3k| VERIFY_CHECK(r4 >> 62 == 0); 152| 17.3k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(r, 5, &modinfo->modulus, 0) >= 0); /* r >= 0 */ 153| 17.3k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(r, 5, &modinfo->modulus, 1) < 0); /* r < modulus */ 154| 17.3k|} secp256k1.c:secp256k1_modinv64: 588| 11.6k|static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo) { 589| | /* Start with d=0, e=1, f=modulus, g=x, zeta=-1. */ 590| 11.6k| secp256k1_modinv64_signed62 d = {{0, 0, 0, 0, 0}}; 591| 11.6k| secp256k1_modinv64_signed62 e = {{1, 0, 0, 0, 0}}; 592| 11.6k| secp256k1_modinv64_signed62 f = modinfo->modulus; 593| 11.6k| secp256k1_modinv64_signed62 g = *x; 594| 11.6k| int i; 595| 11.6k| int64_t zeta = -1; /* zeta = -(delta+1/2); delta starts at 1/2. */ 596| | 597| | /* Do 10 iterations of 59 divsteps each = 590 divsteps. This suffices for 256-bit inputs. */ 598| 128k| for (i = 0; i < 10; ++i) { ------------------ | Branch (598:17): [True: 116k, False: 11.6k] ------------------ 599| | /* Compute transition matrix and new zeta after 59 divsteps. */ 600| 116k| secp256k1_modinv64_trans2x2 t; 601| 116k| zeta = secp256k1_modinv64_divsteps_59(zeta, f.v[0], g.v[0], &t); 602| | /* Update d,e using that transition matrix. */ 603| 116k| secp256k1_modinv64_update_de_62(&d, &e, &t, modinfo); 604| | /* Update f,g using that transition matrix. */ 605| 116k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, 5, &modinfo->modulus, -1) > 0); /* f > -modulus */ 606| 116k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, 5, &modinfo->modulus, 1) <= 0); /* f <= modulus */ 607| 116k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, 5, &modinfo->modulus, -1) > 0); /* g > -modulus */ 608| 116k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, 5, &modinfo->modulus, 1) < 0); /* g < modulus */ 609| | 610| 116k| secp256k1_modinv64_update_fg_62(&f, &g, &t); 611| | 612| 116k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, 5, &modinfo->modulus, -1) > 0); /* f > -modulus */ 613| 116k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, 5, &modinfo->modulus, 1) <= 0); /* f <= modulus */ 614| 116k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, 5, &modinfo->modulus, -1) > 0); /* g > -modulus */ 615| 116k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, 5, &modinfo->modulus, 1) < 0); /* g < modulus */ 616| 116k| } 617| | 618| | /* At this point sufficient iterations have been performed that g must have reached 0 619| | * and (if g was not originally 0) f must now equal +/- GCD of the initial f, g 620| | * values i.e. +/- 1, and d now contains +/- the modular inverse. */ 621| | 622| | /* g == 0 */ 623| 11.6k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, 5, &SECP256K1_SIGNED62_ONE, 0) == 0); 624| | /* |f| == 1, or (x == 0 and d == 0 and f == modulus) */ 625| 11.6k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, 5, &SECP256K1_SIGNED62_ONE, -1) == 0 || 626| 11.6k| secp256k1_modinv64_mul_cmp_62(&f, 5, &SECP256K1_SIGNED62_ONE, 1) == 0 || 627| 11.6k| (secp256k1_modinv64_mul_cmp_62(x, 5, &SECP256K1_SIGNED62_ONE, 0) == 0 && 628| 11.6k| secp256k1_modinv64_mul_cmp_62(&d, 5, &SECP256K1_SIGNED62_ONE, 0) == 0 && 629| 11.6k| secp256k1_modinv64_mul_cmp_62(&f, 5, &modinfo->modulus, 1) == 0)); 630| | 631| | /* Optionally negate d, normalize to [0,modulus), and return it. */ 632| 11.6k| secp256k1_modinv64_normalize_62(&d, f.v[4], modinfo); 633| 11.6k| *x = d; 634| 11.6k|} secp256k1.c:secp256k1_modinv64_divsteps_59: 167| 116k|static int64_t secp256k1_modinv64_divsteps_59(int64_t zeta, uint64_t f0, uint64_t g0, secp256k1_modinv64_trans2x2 *t) { 168| | /* u,v,q,r are the elements of the transformation matrix being built up, 169| | * starting with the identity matrix times 8 (because the caller expects 170| | * a result scaled by 2^62). Semantically they are signed integers 171| | * in range [-2^62,2^62], but here represented as unsigned mod 2^64. This 172| | * permits left shifting (which is UB for negative numbers). The range 173| | * being inside [-2^63,2^63) means that casting to signed works correctly. 174| | */ 175| 116k| uint64_t u = 8, v = 0, q = 0, r = 8; 176| 116k| volatile uint64_t c1, c2; 177| 116k| uint64_t mask1, mask2, f = f0, g = g0, x, y, z; 178| 116k| int i; 179| | 180| 6.98M| for (i = 3; i < 62; ++i) { ------------------ | Branch (180:17): [True: 6.86M, False: 116k] ------------------ 181| 6.86M| VERIFY_CHECK((f & 1) == 1); /* f must always be odd */ 182| 6.86M| VERIFY_CHECK((u * f0 + v * g0) == f << i); 183| 6.86M| VERIFY_CHECK((q * f0 + r * g0) == g << i); 184| | /* Compute conditional masks for (zeta < 0) and for (g & 1). */ 185| 6.86M| c1 = zeta >> 63; 186| 6.86M| mask1 = c1; 187| 6.86M| c2 = g & 1; 188| 6.86M| mask2 = -c2; 189| | /* Compute x,y,z, conditionally negated versions of f,u,v. */ 190| 6.86M| x = (f ^ mask1) - mask1; 191| 6.86M| y = (u ^ mask1) - mask1; 192| 6.86M| z = (v ^ mask1) - mask1; 193| | /* Conditionally add x,y,z to g,q,r. */ 194| 6.86M| g += x & mask2; 195| 6.86M| q += y & mask2; 196| 6.86M| r += z & mask2; 197| | /* In what follows, c1 is a condition mask for (zeta < 0) and (g & 1). */ 198| 6.86M| mask1 &= mask2; 199| | /* Conditionally change zeta into -zeta-2 or zeta-1. */ 200| 6.86M| zeta = (zeta ^ mask1) - 1; 201| | /* Conditionally add g,q,r to f,u,v. */ 202| 6.86M| f += g & mask1; 203| 6.86M| u += q & mask1; 204| 6.86M| v += r & mask1; 205| | /* Shifts */ 206| 6.86M| g >>= 1; 207| 6.86M| u <<= 1; 208| 6.86M| v <<= 1; 209| | /* Bounds on zeta that follow from the bounds on iteration count (max 10*59 divsteps). */ 210| 6.86M| VERIFY_CHECK(zeta >= -591 && zeta <= 591); 211| 6.86M| } 212| | /* Return data in t and return value. */ 213| 116k| t->u = (int64_t)u; 214| 116k| t->v = (int64_t)v; 215| 116k| t->q = (int64_t)q; 216| 116k| t->r = (int64_t)r; 217| | 218| | /* The determinant of t must be a power of two. This guarantees that multiplication with t 219| | * does not change the gcd of f and g, apart from adding a power-of-2 factor to it (which 220| | * will be divided out again). As each divstep's individual matrix has determinant 2, the 221| | * aggregate of 59 of them will have determinant 2^59. Multiplying with the initial 222| | * 8*identity (which has determinant 2^6) means the overall outputs has determinant 223| | * 2^65. */ 224| 116k| VERIFY_CHECK(secp256k1_modinv64_det_check_pow2(t, 65, 0)); 225| | 226| 116k| return zeta; 227| 116k|} secp256k1.c:secp256k1_modinv64_update_fg_62: 500| 116k|static void secp256k1_modinv64_update_fg_62(secp256k1_modinv64_signed62 *f, secp256k1_modinv64_signed62 *g, const secp256k1_modinv64_trans2x2 *t) { 501| 116k| const uint64_t M62 = UINT64_MAX >> 2; 502| 116k| const int64_t f0 = f->v[0], f1 = f->v[1], f2 = f->v[2], f3 = f->v[3], f4 = f->v[4]; 503| 116k| const int64_t g0 = g->v[0], g1 = g->v[1], g2 = g->v[2], g3 = g->v[3], g4 = g->v[4]; 504| 116k| const int64_t u = t->u, v = t->v, q = t->q, r = t->r; 505| 116k| secp256k1_int128 cf, cg; 506| | /* Start computing t*[f,g]. */ 507| 116k| secp256k1_i128_mul(&cf, u, f0); 508| 116k| secp256k1_i128_accum_mul(&cf, v, g0); 509| 116k| secp256k1_i128_mul(&cg, q, f0); 510| 116k| secp256k1_i128_accum_mul(&cg, r, g0); 511| | /* Verify that the bottom 62 bits of the result are zero, and then throw them away. */ 512| 116k| VERIFY_CHECK((secp256k1_i128_to_u64(&cf) & M62) == 0); secp256k1_i128_rshift(&cf, 62); 513| 116k| VERIFY_CHECK((secp256k1_i128_to_u64(&cg) & M62) == 0); secp256k1_i128_rshift(&cg, 62); 514| | /* Compute limb 1 of t*[f,g], and store it as output limb 0 (= down shift). */ 515| 116k| secp256k1_i128_accum_mul(&cf, u, f1); 516| 116k| secp256k1_i128_accum_mul(&cf, v, g1); 517| 116k| secp256k1_i128_accum_mul(&cg, q, f1); 518| 116k| secp256k1_i128_accum_mul(&cg, r, g1); 519| 116k| f->v[0] = secp256k1_i128_to_u64(&cf) & M62; secp256k1_i128_rshift(&cf, 62); 520| 116k| g->v[0] = secp256k1_i128_to_u64(&cg) & M62; secp256k1_i128_rshift(&cg, 62); 521| | /* Compute limb 2 of t*[f,g], and store it as output limb 1. */ 522| 116k| secp256k1_i128_accum_mul(&cf, u, f2); 523| 116k| secp256k1_i128_accum_mul(&cf, v, g2); 524| 116k| secp256k1_i128_accum_mul(&cg, q, f2); 525| 116k| secp256k1_i128_accum_mul(&cg, r, g2); 526| 116k| f->v[1] = secp256k1_i128_to_u64(&cf) & M62; secp256k1_i128_rshift(&cf, 62); 527| 116k| g->v[1] = secp256k1_i128_to_u64(&cg) & M62; secp256k1_i128_rshift(&cg, 62); 528| | /* Compute limb 3 of t*[f,g], and store it as output limb 2. */ 529| 116k| secp256k1_i128_accum_mul(&cf, u, f3); 530| 116k| secp256k1_i128_accum_mul(&cf, v, g3); 531| 116k| secp256k1_i128_accum_mul(&cg, q, f3); 532| 116k| secp256k1_i128_accum_mul(&cg, r, g3); 533| 116k| f->v[2] = secp256k1_i128_to_u64(&cf) & M62; secp256k1_i128_rshift(&cf, 62); 534| 116k| g->v[2] = secp256k1_i128_to_u64(&cg) & M62; secp256k1_i128_rshift(&cg, 62); 535| | /* Compute limb 4 of t*[f,g], and store it as output limb 3. */ 536| 116k| secp256k1_i128_accum_mul(&cf, u, f4); 537| 116k| secp256k1_i128_accum_mul(&cf, v, g4); 538| 116k| secp256k1_i128_accum_mul(&cg, q, f4); 539| 116k| secp256k1_i128_accum_mul(&cg, r, g4); 540| 116k| f->v[3] = secp256k1_i128_to_u64(&cf) & M62; secp256k1_i128_rshift(&cf, 62); 541| 116k| g->v[3] = secp256k1_i128_to_u64(&cg) & M62; secp256k1_i128_rshift(&cg, 62); 542| | /* What remains is limb 5 of t*[f,g]; store it as output limb 4. */ 543| 116k| f->v[4] = secp256k1_i128_to_i64(&cf); 544| 116k| g->v[4] = secp256k1_i128_to_i64(&cg); 545| 116k|} secp256k1.c:secp256k1_jacobi64_maybe_var: 721| 45.9k|static int secp256k1_jacobi64_maybe_var(const secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo) { 722| | /* Start with f=modulus, g=x, eta=-1. */ 723| 45.9k| secp256k1_modinv64_signed62 f = modinfo->modulus; 724| 45.9k| secp256k1_modinv64_signed62 g = *x; 725| 45.9k| int j, len = 5; 726| 45.9k| int64_t eta = -1; /* eta = -delta; delta is initially 1 */ 727| 45.9k| int64_t cond, fn, gn; 728| 45.9k| int jac = 0; 729| 45.9k| int count; 730| | 731| | /* The input limbs must all be non-negative. */ 732| 45.9k| VERIFY_CHECK(g.v[0] >= 0 && g.v[1] >= 0 && g.v[2] >= 0 && g.v[3] >= 0 && g.v[4] >= 0); 733| | 734| | /* If x > 0, then if the loop below converges, it converges to f=g=gcd(x,modulus). Since we 735| | * require that gcd(x,modulus)=1 and modulus>=3, x cannot be 0. Thus, we must reach f=1 (or 736| | * time out). */ 737| 45.9k| VERIFY_CHECK((g.v[0] | g.v[1] | g.v[2] | g.v[3] | g.v[4]) != 0); 738| | 739| 582k| for (count = 0; count < JACOBI64_ITERATIONS; ++count) { ------------------ | | 717| 582k|#define JACOBI64_ITERATIONS 25 ------------------ | Branch (739:21): [True: 582k, False: 0] ------------------ 740| | /* Compute transition matrix and new eta after 62 posdivsteps. */ 741| 582k| secp256k1_modinv64_trans2x2 t; 742| 582k| eta = secp256k1_modinv64_posdivsteps_62_var(eta, f.v[0] | ((uint64_t)f.v[1] << 62), g.v[0] | ((uint64_t)g.v[1] << 62), &t, &jac); 743| | /* Update f,g using that transition matrix. */ 744| 582k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, 0) > 0); /* f > 0 */ 745| 582k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, 1) <= 0); /* f <= modulus */ 746| 582k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, len, &modinfo->modulus, 0) > 0); /* g > 0 */ 747| 582k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, len, &modinfo->modulus, 1) < 0); /* g < modulus */ 748| | 749| 582k| secp256k1_modinv64_update_fg_62_var(len, &f, &g, &t); 750| | /* If the bottom limb of f is 1, there is a chance that f=1. */ 751| 582k| if (f.v[0] == 1) { ------------------ | Branch (751:13): [True: 45.9k, False: 536k] ------------------ 752| 45.9k| cond = 0; 753| | /* Check if the other limbs are also 0. */ 754| 45.9k| for (j = 1; j < len; ++j) { ------------------ | Branch (754:25): [True: 0, False: 45.9k] ------------------ 755| 0| cond |= f.v[j]; 756| 0| } 757| | /* If so, we're done. When f=1, the Jacobi symbol (g | f)=1. */ 758| 45.9k| if (cond == 0) return 1 - 2*(jac & 1); ------------------ | Branch (758:17): [True: 45.9k, False: 0] ------------------ 759| 45.9k| } 760| | 761| | /* Determine if len>1 and limb (len-1) of both f and g is 0. */ 762| 536k| fn = f.v[len - 1]; 763| 536k| gn = g.v[len - 1]; 764| 536k| cond = ((int64_t)len - 2) >> 63; 765| 536k| cond |= fn; 766| 536k| cond |= gn; 767| | /* If so, reduce length. */ 768| 536k| if (cond == 0) --len; ------------------ | Branch (768:13): [True: 183k, False: 352k] ------------------ 769| | 770| 536k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, 0) > 0); /* f > 0 */ 771| 536k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, 1) <= 0); /* f <= modulus */ 772| 536k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, len, &modinfo->modulus, 0) > 0); /* g > 0 */ 773| 536k| VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(&g, len, &modinfo->modulus, 1) < 0); /* g < modulus */ 774| 536k| } 775| | 776| | /* The loop failed to converge to f=g after 1550 iterations. Return 0, indicating unknown result. */ 777| 0| return 0; 778| 45.9k|} secp256k1.c:secp256k1_modinv64_posdivsteps_62_var: 325| 582k|static int64_t secp256k1_modinv64_posdivsteps_62_var(int64_t eta, uint64_t f0, uint64_t g0, secp256k1_modinv64_trans2x2 *t, int *jacp) { 326| | /* Transformation matrix; see comments in secp256k1_modinv64_divsteps_62. */ 327| 582k| uint64_t u = 1, v = 0, q = 0, r = 1; 328| 582k| uint64_t f = f0, g = g0, m; 329| 582k| uint32_t w; 330| 582k| int i = 62, limit, zeros; 331| 582k| int jac = *jacp; 332| | 333| 10.2M| for (;;) { 334| | /* Use a sentinel bit to count zeros only up to i. */ 335| 10.2M| zeros = secp256k1_ctz64_var(g | (UINT64_MAX << i)); 336| | /* Perform zeros divsteps at once; they all just divide g by two. */ 337| 10.2M| g >>= zeros; 338| 10.2M| u <<= zeros; 339| 10.2M| v <<= zeros; 340| 10.2M| eta -= zeros; 341| 10.2M| i -= zeros; 342| | /* Update the bottom bit of jac: when dividing g by an odd power of 2, 343| | * if (f mod 8) is 3 or 5, the Jacobi symbol changes sign. */ 344| 10.2M| jac ^= (zeros & ((f >> 1) ^ (f >> 2))); 345| | /* We're done once we've done 62 posdivsteps. */ 346| 10.2M| if (i == 0) break; ------------------ | Branch (346:13): [True: 582k, False: 9.65M] ------------------ 347| 9.65M| VERIFY_CHECK((f & 1) == 1); 348| 9.65M| VERIFY_CHECK((g & 1) == 1); 349| 9.65M| VERIFY_CHECK((u * f0 + v * g0) == f << (62 - i)); 350| 9.65M| VERIFY_CHECK((q * f0 + r * g0) == g << (62 - i)); 351| | /* If eta is negative, negate it and replace f,g with g,f. */ 352| 9.65M| if (eta < 0) { ------------------ | Branch (352:13): [True: 9.33M, False: 317k] ------------------ 353| 9.33M| uint64_t tmp; 354| 9.33M| eta = -eta; 355| 9.33M| tmp = f; f = g; g = tmp; 356| 9.33M| tmp = u; u = q; q = tmp; 357| 9.33M| tmp = v; v = r; r = tmp; 358| | /* Update bottom bit of jac: when swapping f and g, the Jacobi symbol changes sign 359| | * if both f and g are 3 mod 4. */ 360| 9.33M| jac ^= ((f & g) >> 1); 361| | /* Use a formula to cancel out up to 6 bits of g. Also, no more than i can be cancelled 362| | * out (as we'd be done before that point), and no more than eta+1 can be done as its 363| | * sign will flip again once that happens. */ 364| 9.33M| limit = ((int)eta + 1) > i ? i : ((int)eta + 1); ------------------ | Branch (364:21): [True: 179k, False: 9.15M] ------------------ 365| 9.33M| VERIFY_CHECK(limit > 0 && limit <= 62); 366| | /* m is a mask for the bottom min(limit, 6) bits. */ 367| 9.33M| m = (UINT64_MAX >> (64 - limit)) & 63U; 368| | /* Find what multiple of f must be added to g to cancel its bottom min(limit, 6) 369| | * bits. */ 370| 9.33M| w = (f * g * (f * f - 2)) & m; 371| 9.33M| } else { 372| | /* In this branch, use a simpler formula that only lets us cancel up to 4 bits of g, as 373| | * eta tends to be smaller here. */ 374| 317k| limit = ((int)eta + 1) > i ? i : ((int)eta + 1); ------------------ | Branch (374:21): [True: 2.34k, False: 315k] ------------------ 375| 317k| VERIFY_CHECK(limit > 0 && limit <= 62); 376| | /* m is a mask for the bottom min(limit, 4) bits. */ 377| 317k| m = (UINT64_MAX >> (64 - limit)) & 15U; 378| | /* Find what multiple of f must be added to g to cancel its bottom min(limit, 4) 379| | * bits. */ 380| 317k| w = f + (((f + 1) & 4) << 1); 381| 317k| w = (-w * g) & m; 382| 317k| } 383| 9.65M| g += f * w; 384| 9.65M| q += u * w; 385| 9.65M| r += v * w; 386| 9.65M| VERIFY_CHECK((g & m) == 0); 387| 9.65M| } 388| | /* Return data in t and return value. */ 389| 582k| t->u = (int64_t)u; 390| 582k| t->v = (int64_t)v; 391| 582k| t->q = (int64_t)q; 392| 582k| t->r = (int64_t)r; 393| | 394| | /* The determinant of t must be a power of two. This guarantees that multiplication with t 395| | * does not change the gcd of f and g, apart from adding a power-of-2 factor to it (which 396| | * will be divided out again). As each divstep's individual matrix has determinant 2 or -2, 397| | * the aggregate of 62 of them will have determinant 2^62 or -2^62. */ 398| 582k| VERIFY_CHECK(secp256k1_modinv64_det_check_pow2(t, 62, 1)); 399| | 400| 582k| *jacp = jac; 401| 582k| return eta; 402| 582k|} secp256k1_ellswift_create: 450| 5.72k|int secp256k1_ellswift_create(const secp256k1_context *ctx, unsigned char *ell64, const unsigned char *seckey32, const unsigned char *auxrnd32) { 451| 5.72k| secp256k1_ge p; 452| 5.72k| secp256k1_fe t; 453| 5.72k| secp256k1_sha256 hash; 454| 5.72k| secp256k1_scalar seckey_scalar; 455| 5.72k| int ret; 456| 5.72k| static const unsigned char zero32[32] = {0}; 457| | 458| | /* Sanity check inputs. */ 459| 5.72k| VERIFY_CHECK(ctx != NULL); 460| 5.72k| ARG_CHECK(ell64 != NULL); ------------------ | | 45| 5.72k|#define ARG_CHECK(cond) do { \ | | 46| 5.72k| if (EXPECT(!(cond), 0)) { \ | | ------------------ | | | | 136| 5.72k|#define EXPECT(x,c) __builtin_expect((x),(c)) | | | | ------------------ | | | | | Branch (136:21): [True: 0, False: 5.72k] | | | | ------------------ | | ------------------ | | 47| 0| secp256k1_callback_call(&ctx->illegal_callback, #cond); \ | | 48| 0| return 0; \ | | 49| 0| } \ | | 50| 5.72k|} while(0) | | ------------------ | | | Branch (50:9): [Folded - Ignored] | | ------------------ ------------------ 461| 5.72k| memset(ell64, 0, 64); 462| 5.72k| ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ------------------ | | 45| 5.72k|#define ARG_CHECK(cond) do { \ | | 46| 5.72k| if (EXPECT(!(cond), 0)) { \ | | ------------------ | | | | 136| 5.72k|#define EXPECT(x,c) __builtin_expect((x),(c)) | | | | ------------------ | | | | | Branch (136:21): [True: 0, False: 5.72k] | | | | ------------------ | | ------------------ | | 47| 0| secp256k1_callback_call(&ctx->illegal_callback, #cond); \ | | 48| 0| return 0; \ | | 49| 0| } \ | | 50| 5.72k|} while(0) | | ------------------ | | | Branch (50:9): [Folded - Ignored] | | ------------------ ------------------ 463| 5.72k| ARG_CHECK(seckey32 != NULL); ------------------ | | 45| 5.72k|#define ARG_CHECK(cond) do { \ | | 46| 5.72k| if (EXPECT(!(cond), 0)) { \ | | ------------------ | | | | 136| 5.72k|#define EXPECT(x,c) __builtin_expect((x),(c)) | | | | ------------------ | | | | | Branch (136:21): [True: 0, False: 5.72k] | | | | ------------------ | | ------------------ | | 47| 0| secp256k1_callback_call(&ctx->illegal_callback, #cond); \ | | 48| 0| return 0; \ | | 49| 0| } \ | | 50| 5.72k|} while(0) | | ------------------ | | | Branch (50:9): [Folded - Ignored] | | ------------------ ------------------ 464| | 465| | /* Compute (affine) public key */ 466| 5.72k| ret = secp256k1_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey32); 467| 5.72k| secp256k1_declassify(ctx, &p, sizeof(p)); /* not constant time in produced pubkey */ 468| 5.72k| secp256k1_fe_normalize_var(&p.x); ------------------ | | 80| 5.72k|# define secp256k1_fe_normalize_var secp256k1_fe_impl_normalize_var ------------------ 469| 5.72k| secp256k1_fe_normalize_var(&p.y); ------------------ | | 80| 5.72k|# define secp256k1_fe_normalize_var secp256k1_fe_impl_normalize_var ------------------ 470| | 471| | /* Set up hasher state. The used RNG is H(privkey || "\x00"*32 [|| auxrnd32] || cnt++), 472| | * using BIP340 tagged hash with tag "secp256k1_ellswift_create". */ 473| 5.72k| secp256k1_ellswift_sha256_init_create(&hash); 474| 5.72k| secp256k1_sha256_write(&hash, seckey32, 32); 475| 5.72k| secp256k1_sha256_write(&hash, zero32, sizeof(zero32)); 476| 5.72k| secp256k1_declassify(ctx, &hash, sizeof(hash)); /* private key is hashed now */ 477| 5.72k| if (auxrnd32) secp256k1_sha256_write(&hash, auxrnd32, 32); ------------------ | Branch (477:9): [True: 5.72k, False: 0] ------------------ 478| | 479| | /* Compute ElligatorSwift encoding and construct output. */ 480| 5.72k| secp256k1_ellswift_elligatorswift_var(ell64, &t, &p, &hash); /* puts u in ell64[0..32] */ 481| 5.72k| secp256k1_fe_get_b32(ell64 + 32, &t); /* puts t in ell64[32..64] */ ------------------ | | 89| 5.72k|# define secp256k1_fe_get_b32 secp256k1_fe_impl_get_b32 ------------------ 482| | 483| 5.72k| secp256k1_memczero(ell64, 64, !ret); 484| 5.72k| secp256k1_scalar_clear(&seckey_scalar); 485| | 486| 5.72k| return ret; 487| 5.72k|} secp256k1_ellswift_xdh: 551| 5.91k|int secp256k1_ellswift_xdh(const secp256k1_context *ctx, unsigned char *output, const unsigned char *ell_a64, const unsigned char *ell_b64, const unsigned char *seckey32, int party, secp256k1_ellswift_xdh_hash_function hashfp, void *data) { 552| 5.91k| int ret = 0; 553| 5.91k| int overflow; 554| 5.91k| secp256k1_scalar s; 555| 5.91k| secp256k1_fe xn, xd, px, u, t; 556| 5.91k| unsigned char sx[32]; 557| 5.91k| const unsigned char* theirs64; 558| | 559| 5.91k| VERIFY_CHECK(ctx != NULL); 560| 5.91k| ARG_CHECK(output != NULL); ------------------ | | 45| 5.91k|#define ARG_CHECK(cond) do { \ | | 46| 5.91k| if (EXPECT(!(cond), 0)) { \ | | ------------------ | | | | 136| 5.91k|#define EXPECT(x,c) __builtin_expect((x),(c)) | | | | ------------------ | | | | | Branch (136:21): [True: 0, False: 5.91k] | | | | ------------------ | | ------------------ | | 47| 0| secp256k1_callback_call(&ctx->illegal_callback, #cond); \ | | 48| 0| return 0; \ | | 49| 0| } \ | | 50| 5.91k|} while(0) | | ------------------ | | | Branch (50:9): [Folded - Ignored] | | ------------------ ------------------ 561| 5.91k| ARG_CHECK(ell_a64 != NULL); ------------------ | | 45| 5.91k|#define ARG_CHECK(cond) do { \ | | 46| 5.91k| if (EXPECT(!(cond), 0)) { \ | | ------------------ | | | | 136| 5.91k|#define EXPECT(x,c) __builtin_expect((x),(c)) | | | | ------------------ | | | | | Branch (136:21): [True: 0, False: 5.91k] | | | | ------------------ | | ------------------ | | 47| 0| secp256k1_callback_call(&ctx->illegal_callback, #cond); \ | | 48| 0| return 0; \ | | 49| 0| } \ | | 50| 5.91k|} while(0) | | ------------------ | | | Branch (50:9): [Folded - Ignored] | | ------------------ ------------------ 562| 5.91k| ARG_CHECK(ell_b64 != NULL); ------------------ | | 45| 5.91k|#define ARG_CHECK(cond) do { \ | | 46| 5.91k| if (EXPECT(!(cond), 0)) { \ | | ------------------ | | | | 136| 5.91k|#define EXPECT(x,c) __builtin_expect((x),(c)) | | | | ------------------ | | | | | Branch (136:21): [True: 0, False: 5.91k] | | | | ------------------ | | ------------------ | | 47| 0| secp256k1_callback_call(&ctx->illegal_callback, #cond); \ | | 48| 0| return 0; \ | | 49| 0| } \ | | 50| 5.91k|} while(0) | | ------------------ | | | Branch (50:9): [Folded - Ignored] | | ------------------ ------------------ 563| 5.91k| ARG_CHECK(seckey32 != NULL); ------------------ | | 45| 5.91k|#define ARG_CHECK(cond) do { \ | | 46| 5.91k| if (EXPECT(!(cond), 0)) { \ | | ------------------ | | | | 136| 5.91k|#define EXPECT(x,c) __builtin_expect((x),(c)) | | | | ------------------ | | | | | Branch (136:21): [True: 0, False: 5.91k] | | | | ------------------ | | ------------------ | | 47| 0| secp256k1_callback_call(&ctx->illegal_callback, #cond); \ | | 48| 0| return 0; \ | | 49| 0| } \ | | 50| 5.91k|} while(0) | | ------------------ | | | Branch (50:9): [Folded - Ignored] | | ------------------ ------------------ 564| 5.91k| ARG_CHECK(hashfp != NULL); ------------------ | | 45| 5.91k|#define ARG_CHECK(cond) do { \ | | 46| 5.91k| if (EXPECT(!(cond), 0)) { \ | | ------------------ | | | | 136| 5.91k|#define EXPECT(x,c) __builtin_expect((x),(c)) | | | | ------------------ | | | | | Branch (136:21): [True: 0, False: 5.91k] | | | | ------------------ | | ------------------ | | 47| 0| secp256k1_callback_call(&ctx->illegal_callback, #cond); \ | | 48| 0| return 0; \ | | 49| 0| } \ | | 50| 5.91k|} while(0) | | ------------------ | | | Branch (50:9): [Folded - Ignored] | | ------------------ ------------------ 565| | 566| | /* Load remote public key (as fraction). */ 567| 5.91k| theirs64 = party ? ell_a64 : ell_b64; ------------------ | Branch (567:16): [True: 2.10k, False: 3.80k] ------------------ 568| 5.91k| secp256k1_fe_set_b32_mod(&u, theirs64); ------------------ | | 87| 5.91k|# define secp256k1_fe_set_b32_mod secp256k1_fe_impl_set_b32_mod ------------------ 569| 5.91k| secp256k1_fe_set_b32_mod(&t, theirs64 + 32); ------------------ | | 87| 5.91k|# define secp256k1_fe_set_b32_mod secp256k1_fe_impl_set_b32_mod ------------------ 570| 5.91k| secp256k1_ellswift_xswiftec_frac_var(&xn, &xd, &u, &t); 571| | 572| | /* Load private key (using one if invalid). */ 573| 5.91k| secp256k1_scalar_set_b32(&s, seckey32, &overflow); 574| 5.91k| overflow = secp256k1_scalar_is_zero(&s); 575| 5.91k| secp256k1_scalar_cmov(&s, &secp256k1_scalar_one, overflow); 576| | 577| | /* Compute shared X coordinate. */ 578| 5.91k| secp256k1_ecmult_const_xonly(&px, &xn, &xd, &s, 1); 579| 5.91k| secp256k1_fe_normalize(&px); ------------------ | | 78| 5.91k|# define secp256k1_fe_normalize secp256k1_fe_impl_normalize ------------------ 580| 5.91k| secp256k1_fe_get_b32(sx, &px); ------------------ | | 89| 5.91k|# define secp256k1_fe_get_b32 secp256k1_fe_impl_get_b32 ------------------ 581| | 582| | /* Invoke hasher */ 583| 5.91k| ret = hashfp(output, sx, ell_a64, ell_b64, data); 584| | 585| 5.91k| secp256k1_memclear(sx, sizeof(sx)); 586| 5.91k| secp256k1_fe_clear(&px); 587| 5.91k| secp256k1_scalar_clear(&s); 588| | 589| 5.91k| return !!ret & !overflow; 590| 5.91k|} secp256k1.c:secp256k1_ellswift_elligatorswift_var: 375| 5.72k|static void secp256k1_ellswift_elligatorswift_var(unsigned char *u32, secp256k1_fe *t, const secp256k1_ge *p, const secp256k1_sha256 *hasher) { 376| 5.72k| secp256k1_ellswift_xelligatorswift_var(u32, t, &p->x, hasher); 377| 5.72k| secp256k1_fe_normalize_var(t); ------------------ | | 80| 5.72k|# define secp256k1_fe_normalize_var secp256k1_fe_impl_normalize_var ------------------ 378| 5.72k| if (secp256k1_fe_is_odd(t) != secp256k1_fe_is_odd(&p->y)) { ------------------ | | 85| 5.72k|# define secp256k1_fe_is_odd secp256k1_fe_impl_is_odd ------------------ if (secp256k1_fe_is_odd(t) != secp256k1_fe_is_odd(&p->y)) { ------------------ | | 85| 5.72k|# define secp256k1_fe_is_odd secp256k1_fe_impl_is_odd ------------------ | Branch (378:9): [True: 2.96k, False: 2.76k] ------------------ 379| 2.96k| secp256k1_fe_negate(t, t, 1); ------------------ | | 211| 2.96k|#define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) | | ------------------ | | | | 77| 2.96k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 2.96k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 2.96k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 2.96k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 2.96k, False: 0] | | | | ------------------ | | | | 83| 2.96k| } \ | | | | 84| 2.96k| stmt; \ | | | | 85| 2.96k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 380| 2.96k| secp256k1_fe_normalize_var(t); ------------------ | | 80| 2.96k|# define secp256k1_fe_normalize_var secp256k1_fe_impl_normalize_var ------------------ 381| 2.96k| } 382| 5.72k|} secp256k1.c:secp256k1_ellswift_xelligatorswift_var: 333| 5.72k|static void secp256k1_ellswift_xelligatorswift_var(unsigned char *u32, secp256k1_fe *t, const secp256k1_fe *x, const secp256k1_sha256 *hasher) { 334| | /* Pool of 3-bit branch values. */ 335| 5.72k| unsigned char branch_hash[32]; 336| | /* Number of 3-bit values in branch_hash left. */ 337| 5.72k| int branches_left = 0; 338| | /* Field elements u and branch values are extracted from RNG based on hasher for consecutive 339| | * values of cnt. cnt==0 is first used to populate a pool of 64 4-bit branch values. The 64 340| | * cnt values that follow are used to generate field elements u. cnt==65 (and multiples 341| | * thereof) are used to repopulate the pool and start over, if that were ever necessary. 342| | * On average, 4 iterations are needed. */ 343| 5.72k| uint32_t cnt = 0; 344| 25.0k| while (1) { ------------------ | Branch (344:12): [Folded - Ignored] ------------------ 345| 25.0k| int branch; 346| 25.0k| secp256k1_fe u; 347| | /* If the pool of branch values is empty, populate it. */ 348| 25.0k| if (branches_left == 0) { ------------------ | Branch (348:13): [True: 5.74k, False: 19.2k] ------------------ 349| 5.74k| secp256k1_ellswift_prng(branch_hash, hasher, cnt++); 350| 5.74k| branches_left = 64; 351| 5.74k| } 352| | /* Take a 3-bit branch value from the branch pool (top bit is discarded). */ 353| 25.0k| --branches_left; 354| 25.0k| branch = (branch_hash[branches_left >> 1] >> ((branches_left & 1) << 2)) & 7; 355| | /* Compute a new u value by hashing. */ 356| 25.0k| secp256k1_ellswift_prng(u32, hasher, cnt++); 357| | /* overflow is not a problem (we prefer uniform u32 over uniform u). */ 358| 25.0k| secp256k1_fe_set_b32_mod(&u, u32); ------------------ | | 87| 25.0k|# define secp256k1_fe_set_b32_mod secp256k1_fe_impl_set_b32_mod ------------------ 359| | /* Since u is the output of a hash, it should practically never be 0. We could apply the 360| | * u=0 to u=1 correction here too to deal with that case still, but it's such a low 361| | * probability event that we do not bother. */ 362| 25.0k| VERIFY_CHECK(!secp256k1_fe_normalizes_to_zero_var(&u)); 363| | 364| | /* Find a remainder t, and return it if found. */ 365| 25.0k| if (EXPECT(secp256k1_ellswift_xswiftec_inv_var(t, x, &u, branch), 0)) break; ------------------ | | 136| 25.0k|#define EXPECT(x,c) __builtin_expect((x),(c)) | | ------------------ | | | Branch (136:21): [True: 5.72k, False: 19.3k] | | ------------------ ------------------ 366| 25.0k| } 367| 5.72k|} secp256k1.c:secp256k1_ellswift_prng: 310| 30.7k|static void secp256k1_ellswift_prng(unsigned char* out32, const secp256k1_sha256 *hasher, uint32_t cnt) { 311| 30.7k| secp256k1_sha256 hash = *hasher; 312| 30.7k| unsigned char buf4[4]; 313| |#ifdef VERIFY 314| | size_t blocks = hash.bytes >> 6; 315| |#endif 316| 30.7k| buf4[0] = cnt; 317| 30.7k| buf4[1] = cnt >> 8; 318| 30.7k| buf4[2] = cnt >> 16; 319| 30.7k| buf4[3] = cnt >> 24; 320| 30.7k| secp256k1_sha256_write(&hash, buf4, 4); 321| 30.7k| secp256k1_sha256_finalize(&hash, out32); 322| | 323| | /* Writing and finalizing together should trigger exactly one SHA256 compression. */ 324| 30.7k| VERIFY_CHECK(((hash.bytes) >> 6) == (blocks + 1)); 325| 30.7k|} secp256k1.c:secp256k1_ellswift_xswiftec_inv_var: 168| 25.0k|static int secp256k1_ellswift_xswiftec_inv_var(secp256k1_fe *t, const secp256k1_fe *x_in, const secp256k1_fe *u_in, int c) { 169| | /* The implemented algorithm is this (all arithmetic, except involving c, is mod p): 170| | * 171| | * - If (c & 2) = 0: 172| | * - If (-x-u) is a valid X coordinate, fail. 173| | * - Let s=-(u^3+7)/(u^2+u*x+x^2). 174| | * - If s is not square, fail. 175| | * - Let v=x. 176| | * - If (c & 2) = 2: 177| | * - Let s=x-u. 178| | * - If s is not square, fail. 179| | * - Let r=sqrt(-s*(4*(u^3+7)+3*u^2*s)); fail if it doesn't exist. 180| | * - If (c & 1) = 1 and r = 0, fail. 181| | * - If s=0, fail. 182| | * - Let v=(r/s-u)/2. 183| | * - Let w=sqrt(s). 184| | * - If (c & 5) = 0: return -w*(c3*u + v). 185| | * - If (c & 5) = 1: return w*(c4*u + v). 186| | * - If (c & 5) = 4: return w*(c3*u + v). 187| | * - If (c & 5) = 5: return -w*(c4*u + v). 188| | */ 189| 25.0k| secp256k1_fe x = *x_in, u = *u_in, g, v, s, m, r, q; 190| 25.0k| int ret; 191| | 192| 25.0k| secp256k1_fe_normalize_weak(&x); ------------------ | | 79| 25.0k|# define secp256k1_fe_normalize_weak secp256k1_fe_impl_normalize_weak ------------------ 193| 25.0k| secp256k1_fe_normalize_weak(&u); ------------------ | | 79| 25.0k|# define secp256k1_fe_normalize_weak secp256k1_fe_impl_normalize_weak ------------------ 194| | 195| 25.0k| VERIFY_CHECK(c >= 0 && c < 8); 196| 25.0k| VERIFY_CHECK(secp256k1_ge_x_on_curve_var(&x)); 197| | 198| 25.0k| if (!(c & 2)) { ------------------ | Branch (198:9): [True: 12.3k, False: 12.6k] ------------------ 199| | /* c is in {0, 1, 4, 5}. In this case we look for an inverse under the x1 (if c=0 or 200| | * c=4) formula, or x2 (if c=1 or c=5) formula. */ 201| | 202| | /* If -u-x is a valid X coordinate, fail. This would yield an encoding that roundtrips 203| | * back under the x3 formula instead (which has priority over x1 and x2, so the decoding 204| | * would not match x). */ 205| 12.3k| m = x; /* m = x */ 206| 12.3k| secp256k1_fe_add(&m, &u); /* m = u+x */ ------------------ | | 92| 12.3k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 207| 12.3k| secp256k1_fe_negate(&m, &m, 2); /* m = -u-x */ ------------------ | | 211| 12.3k|#define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) | | ------------------ | | | | 77| 12.3k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 12.3k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 12.3k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 12.3k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 12.3k, False: 0] | | | | ------------------ | | | | 83| 12.3k| } \ | | | | 84| 12.3k| stmt; \ | | | | 85| 12.3k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 208| | /* Test if (-u-x) is a valid X coordinate. If so, fail. */ 209| 12.3k| if (secp256k1_ge_x_on_curve_var(&m)) return 0; ------------------ | Branch (209:13): [True: 6.54k, False: 5.84k] ------------------ 210| | 211| | /* Let s = -(u^3 + 7)/(u^2 + u*x + x^2) [first part] */ 212| 5.84k| secp256k1_fe_sqr(&s, &m); /* s = (u+x)^2 */ ------------------ | | 94| 5.84k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 213| 5.84k| secp256k1_fe_negate(&s, &s, 1); /* s = -(u+x)^2 */ ------------------ | | 211| 5.84k|#define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) | | ------------------ | | | | 77| 5.84k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 5.84k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 5.84k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 5.84k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 5.84k, False: 0] | | | | ------------------ | | | | 83| 5.84k| } \ | | | | 84| 5.84k| stmt; \ | | | | 85| 5.84k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 214| 5.84k| secp256k1_fe_mul(&m, &u, &x); /* m = u*x */ ------------------ | | 93| 5.84k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 215| 5.84k| secp256k1_fe_add(&s, &m); /* s = -(u^2 + u*x + x^2) */ ------------------ | | 92| 5.84k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 216| | 217| | /* Note that at this point, s = 0 is impossible. If it were the case: 218| | * s = -(u^2 + u*x + x^2) = 0 219| | * => u^2 + u*x + x^2 = 0 220| | * => (u + 2*x) * (u^2 + u*x + x^2) = 0 221| | * => 2*x^3 + 3*x^2*u + 3*x*u^2 + u^3 = 0 222| | * => (x + u)^3 + x^3 = 0 223| | * => x^3 = -(x + u)^3 224| | * => x^3 + B = (-u - x)^3 + B 225| | * 226| | * However, we know x^3 + B is square (because x is on the curve) and 227| | * that (-u-x)^3 + B is not square (the secp256k1_ge_x_on_curve_var(&m) 228| | * test above would have failed). This is a contradiction, and thus the 229| | * assumption s=0 is false. */ 230| 5.84k| VERIFY_CHECK(!secp256k1_fe_normalizes_to_zero_var(&s)); 231| | 232| | /* If s is not square, fail. We have not fully computed s yet, but s is square iff 233| | * -(u^3+7)*(u^2+u*x+x^2) is square (because a/b is square iff a*b is square and b is 234| | * nonzero). */ 235| 5.84k| secp256k1_fe_sqr(&g, &u); /* g = u^2 */ ------------------ | | 94| 5.84k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 236| 5.84k| secp256k1_fe_mul(&g, &g, &u); /* g = u^3 */ ------------------ | | 93| 5.84k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 237| 5.84k| secp256k1_fe_add_int(&g, SECP256K1_B); /* g = u^3+7 */ ------------------ | | 102| 5.84k|# define secp256k1_fe_add_int secp256k1_fe_impl_add_int ------------------ secp256k1_fe_add_int(&g, SECP256K1_B); /* g = u^3+7 */ ------------------ | | 73| 5.84k|#define SECP256K1_B 7 ------------------ 238| 5.84k| secp256k1_fe_mul(&m, &s, &g); /* m = -(u^3 + 7)*(u^2 + u*x + x^2) */ ------------------ | | 93| 5.84k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 239| 5.84k| if (!secp256k1_fe_is_square_var(&m)) return 0; ------------------ | | 103| 5.84k|# define secp256k1_fe_is_square_var secp256k1_fe_impl_is_square_var ------------------ | Branch (239:13): [True: 3.50k, False: 2.34k] ------------------ 240| | 241| | /* Let s = -(u^3 + 7)/(u^2 + u*x + x^2) [second part] */ 242| 2.34k| secp256k1_fe_inv_var(&s, &s); /* s = -1/(u^2 + u*x + x^2) [no div by 0] */ ------------------ | | 99| 2.34k|# define secp256k1_fe_inv_var secp256k1_fe_impl_inv_var ------------------ 243| 2.34k| secp256k1_fe_mul(&s, &s, &g); /* s = -(u^3 + 7)/(u^2 + u*x + x^2) */ ------------------ | | 93| 2.34k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 244| | 245| | /* Let v = x. */ 246| 2.34k| v = x; 247| 12.6k| } else { 248| | /* c is in {2, 3, 6, 7}. In this case we look for an inverse under the x3 formula. */ 249| | 250| | /* Let s = x-u. */ 251| 12.6k| secp256k1_fe_negate(&m, &u, 1); /* m = -u */ ------------------ | | 211| 12.6k|#define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) | | ------------------ | | | | 77| 12.6k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 12.6k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 12.6k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 12.6k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 12.6k, False: 0] | | | | ------------------ | | | | 83| 12.6k| } \ | | | | 84| 12.6k| stmt; \ | | | | 85| 12.6k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 252| 12.6k| s = m; /* s = -u */ 253| 12.6k| secp256k1_fe_add(&s, &x); /* s = x-u */ ------------------ | | 92| 12.6k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 254| | 255| | /* If s is not square, fail. */ 256| 12.6k| if (!secp256k1_fe_is_square_var(&s)) return 0; ------------------ | | 103| 12.6k|# define secp256k1_fe_is_square_var secp256k1_fe_impl_is_square_var ------------------ | Branch (256:13): [True: 5.87k, False: 6.76k] ------------------ 257| | 258| | /* Let r = sqrt(-s*(4*(u^3+7)+3*u^2*s)); fail if it doesn't exist. */ 259| 6.76k| secp256k1_fe_sqr(&g, &u); /* g = u^2 */ ------------------ | | 94| 6.76k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 260| 6.76k| secp256k1_fe_mul(&q, &s, &g); /* q = s*u^2 */ ------------------ | | 93| 6.76k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 261| 6.76k| secp256k1_fe_mul_int(&q, 3); /* q = 3*s*u^2 */ ------------------ | | 233| 6.76k|#define secp256k1_fe_mul_int(r, a) ASSERT_INT_CONST_AND_DO(a, secp256k1_fe_mul_int_unchecked(r, a)) | | ------------------ | | | | 77| 6.76k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 6.76k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 6.76k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 6.76k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 6.76k, False: 0] | | | | ------------------ | | | | 83| 6.76k| } \ | | | | 84| 6.76k| stmt; \ | | | | 85| 6.76k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 262| 6.76k| secp256k1_fe_mul(&g, &g, &u); /* g = u^3 */ ------------------ | | 93| 6.76k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 263| 6.76k| secp256k1_fe_mul_int(&g, 4); /* g = 4*u^3 */ ------------------ | | 233| 6.76k|#define secp256k1_fe_mul_int(r, a) ASSERT_INT_CONST_AND_DO(a, secp256k1_fe_mul_int_unchecked(r, a)) | | ------------------ | | | | 77| 6.76k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 6.76k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 6.76k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 6.76k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 6.76k, False: 0] | | | | ------------------ | | | | 83| 6.76k| } \ | | | | 84| 6.76k| stmt; \ | | | | 85| 6.76k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 264| 6.76k| secp256k1_fe_add_int(&g, 4 * SECP256K1_B); /* g = 4*(u^3+7) */ ------------------ | | 102| 6.76k|# define secp256k1_fe_add_int secp256k1_fe_impl_add_int ------------------ secp256k1_fe_add_int(&g, 4 * SECP256K1_B); /* g = 4*(u^3+7) */ ------------------ | | 73| 6.76k|#define SECP256K1_B 7 ------------------ 265| 6.76k| secp256k1_fe_add(&q, &g); /* q = 4*(u^3+7)+3*s*u^2 */ ------------------ | | 92| 6.76k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 266| 6.76k| secp256k1_fe_mul(&q, &q, &s); /* q = s*(4*(u^3+7)+3*u^2*s) */ ------------------ | | 93| 6.76k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 267| 6.76k| secp256k1_fe_negate(&q, &q, 1); /* q = -s*(4*(u^3+7)+3*u^2*s) */ ------------------ | | 211| 6.76k|#define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) | | ------------------ | | | | 77| 6.76k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 6.76k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 6.76k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 6.76k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 6.76k, False: 0] | | | | ------------------ | | | | 83| 6.76k| } \ | | | | 84| 6.76k| stmt; \ | | | | 85| 6.76k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 268| 6.76k| if (!secp256k1_fe_is_square_var(&q)) return 0; ------------------ | | 103| 6.76k|# define secp256k1_fe_is_square_var secp256k1_fe_impl_is_square_var ------------------ | Branch (268:13): [True: 3.37k, False: 3.38k] ------------------ 269| 3.38k| ret = secp256k1_fe_sqrt(&r, &q); /* r = sqrt(-s*(4*(u^3+7)+3*u^2*s)) */ 270| |#ifdef VERIFY 271| | VERIFY_CHECK(ret); 272| |#else 273| 3.38k| (void)ret; 274| 3.38k|#endif 275| | 276| | /* If (c & 1) = 1 and r = 0, fail. */ 277| 3.38k| if (EXPECT((c & 1) && secp256k1_fe_normalizes_to_zero_var(&r), 0)) return 0; ------------------ | | 136| 5.51k|#define EXPECT(x,c) __builtin_expect((x),(c)) | | ------------------ | | | Branch (136:21): [True: 0, False: 3.38k] | | | Branch (136:39): [True: 2.12k, False: 1.26k] | | | Branch (136:39): [True: 0, False: 2.12k] | | ------------------ ------------------ 278| | 279| | /* If s = 0, fail. */ 280| 3.38k| if (EXPECT(secp256k1_fe_normalizes_to_zero_var(&s), 0)) return 0; ------------------ | | 136| 3.38k|#define EXPECT(x,c) __builtin_expect((x),(c)) | | ------------------ | | | Branch (136:21): [True: 0, False: 3.38k] | | ------------------ ------------------ 281| | 282| | /* Let v = (r/s-u)/2. */ 283| 3.38k| secp256k1_fe_inv_var(&v, &s); /* v = 1/s [no div by 0] */ ------------------ | | 99| 3.38k|# define secp256k1_fe_inv_var secp256k1_fe_impl_inv_var ------------------ 284| 3.38k| secp256k1_fe_mul(&v, &v, &r); /* v = r/s */ ------------------ | | 93| 3.38k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 285| 3.38k| secp256k1_fe_add(&v, &m); /* v = r/s-u */ ------------------ | | 92| 3.38k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 286| 3.38k| secp256k1_fe_half(&v); /* v = (r/s-u)/2 */ ------------------ | | 101| 3.38k|# define secp256k1_fe_half secp256k1_fe_impl_half ------------------ 287| 3.38k| } 288| | 289| | /* Let w = sqrt(s). */ 290| 5.72k| ret = secp256k1_fe_sqrt(&m, &s); /* m = sqrt(s) = w */ 291| 5.72k| VERIFY_CHECK(ret); 292| | 293| | /* Return logic. */ 294| 5.72k| if ((c & 5) == 0 || (c & 5) == 5) { ------------------ | Branch (294:9): [True: 1.29k, False: 4.43k] | Branch (294:25): [True: 1.72k, False: 2.71k] ------------------ 295| 3.01k| secp256k1_fe_negate(&m, &m, 1); /* m = -w */ ------------------ | | 211| 3.01k|#define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) | | ------------------ | | | | 77| 3.01k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 3.01k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 3.01k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 3.01k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 3.01k, False: 0] | | | | ------------------ | | | | 83| 3.01k| } \ | | | | 84| 3.01k| stmt; \ | | | | 85| 3.01k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 296| 3.01k| } 297| | /* Now m = {-w if c&5=0 or c&5=5; w otherwise}. */ 298| 5.72k| secp256k1_fe_mul(&u, &u, c&1 ? &secp256k1_ellswift_c4 : &secp256k1_ellswift_c3); ------------------ | | 93| 5.72k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ | Branch (298:30): [True: 3.22k, False: 2.50k] ------------------ 299| | /* u = {c4 if c&1=1; c3 otherwise}*u */ 300| 5.72k| secp256k1_fe_add(&u, &v); /* u = {c4 if c&1=1; c3 otherwise}*u + v */ ------------------ | | 92| 5.72k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 301| 5.72k| secp256k1_fe_mul(t, &m, &u); ------------------ | | 93| 5.72k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 302| 5.72k| return 1; 303| 5.72k|} secp256k1.c:secp256k1_ellswift_sha256_init_create: 436| 5.72k|static void secp256k1_ellswift_sha256_init_create(secp256k1_sha256* hash) { 437| 5.72k| secp256k1_sha256_initialize(hash); 438| 5.72k| hash->s[0] = 0xd29e1bf5ul; 439| 5.72k| hash->s[1] = 0xf7025f42ul; 440| 5.72k| hash->s[2] = 0x9b024773ul; 441| 5.72k| hash->s[3] = 0x094cb7d5ul; 442| 5.72k| hash->s[4] = 0xe59ed789ul; 443| 5.72k| hash->s[5] = 0x03bc9786ul; 444| 5.72k| hash->s[6] = 0x68335b35ul; 445| 5.72k| hash->s[7] = 0x4e363b53ul; 446| | 447| 5.72k| hash->bytes = 64; 448| 5.72k|} secp256k1.c:ellswift_xdh_hash_function_bip324: 533| 5.91k|static int ellswift_xdh_hash_function_bip324(unsigned char* output, const unsigned char *x32, const unsigned char *ell_a64, const unsigned char *ell_b64, void *data) { 534| 5.91k| secp256k1_sha256 sha; 535| | 536| 5.91k| (void)data; 537| | 538| 5.91k| secp256k1_ellswift_sha256_init_bip324(&sha); 539| 5.91k| secp256k1_sha256_write(&sha, ell_a64, 64); 540| 5.91k| secp256k1_sha256_write(&sha, ell_b64, 64); 541| 5.91k| secp256k1_sha256_write(&sha, x32, 32); 542| 5.91k| secp256k1_sha256_finalize(&sha, output); 543| 5.91k| secp256k1_sha256_clear(&sha); 544| | 545| 5.91k| return 1; 546| 5.91k|} secp256k1.c:secp256k1_ellswift_sha256_init_bip324: 519| 5.91k|static void secp256k1_ellswift_sha256_init_bip324(secp256k1_sha256* hash) { 520| 5.91k| secp256k1_sha256_initialize(hash); 521| 5.91k| hash->s[0] = 0x8c12d730ul; 522| 5.91k| hash->s[1] = 0x827bd392ul; 523| 5.91k| hash->s[2] = 0x9e4fb2eeul; 524| 5.91k| hash->s[3] = 0x207b373eul; 525| 5.91k| hash->s[4] = 0x2292bd7aul; 526| 5.91k| hash->s[5] = 0xaa5441bcul; 527| 5.91k| hash->s[6] = 0x15c3779ful; 528| 5.91k| hash->s[7] = 0xcfb52549ul; 529| | 530| 5.91k| hash->bytes = 64; 531| 5.91k|} secp256k1.c:secp256k1_ellswift_xswiftec_frac_var: 24| 5.91k|static void secp256k1_ellswift_xswiftec_frac_var(secp256k1_fe *xn, secp256k1_fe *xd, const secp256k1_fe *u, const secp256k1_fe *t) { 25| | /* The implemented algorithm is the following (all operations in GF(p)): 26| | * 27| | * - Let c0 = sqrt(-3) = 0xa2d2ba93507f1df233770c2a797962cc61f6d15da14ecd47d8d27ae1cd5f852. 28| | * - If u = 0, set u = 1. 29| | * - If t = 0, set t = 1. 30| | * - If u^3+7+t^2 = 0, set t = 2*t. 31| | * - Let X = (u^3+7-t^2)/(2*t). 32| | * - Let Y = (X+t)/(c0*u). 33| | * - If x3 = u+4*Y^2 is a valid x coordinate, return it. 34| | * - If x2 = (-X/Y-u)/2 is a valid x coordinate, return it. 35| | * - Return x1 = (X/Y-u)/2 (which is now guaranteed to be a valid x coordinate). 36| | * 37| | * Introducing s=t^2, g=u^3+7, and simplifying x1=-(x2+u) we get: 38| | * 39| | * - Let c0 = ... 40| | * - If u = 0, set u = 1. 41| | * - If t = 0, set t = 1. 42| | * - Let s = t^2 43| | * - Let g = u^3+7 44| | * - If g+s = 0, set t = 2*t, s = 4*s 45| | * - Let X = (g-s)/(2*t). 46| | * - Let Y = (X+t)/(c0*u) = (g+s)/(2*c0*t*u). 47| | * - If x3 = u+4*Y^2 is a valid x coordinate, return it. 48| | * - If x2 = (-X/Y-u)/2 is a valid x coordinate, return it. 49| | * - Return x1 = -(x2+u). 50| | * 51| | * Now substitute Y^2 = -(g+s)^2/(12*s*u^2) and X/Y = c0*u*(g-s)/(g+s). This 52| | * means X and Y do not need to be evaluated explicitly anymore. 53| | * 54| | * - ... 55| | * - If g+s = 0, set s = 4*s. 56| | * - If x3 = u-(g+s)^2/(3*s*u^2) is a valid x coordinate, return it. 57| | * - If x2 = (-c0*u*(g-s)/(g+s)-u)/2 is a valid x coordinate, return it. 58| | * - Return x1 = -(x2+u). 59| | * 60| | * Simplifying x2 using 2 additional constants: 61| | * 62| | * - Let c1 = (c0-1)/2 = 0x851695d49a83f8ef919bb86153cbcb16630fb68aed0a766a3ec693d68e6afa40. 63| | * - Let c2 = (-c0-1)/2 = 0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee. 64| | * - ... 65| | * - If x2 = u*(c1*s+c2*g)/(g+s) is a valid x coordinate, return it. 66| | * - ... 67| | * 68| | * Writing x3 as a fraction: 69| | * 70| | * - ... 71| | * - If x3 = (3*s*u^3-(g+s)^2)/(3*s*u^2) ... 72| | * - ... 73| | 74| | * Overall, we get: 75| | * 76| | * - Let c1 = 0x851695d49a83f8ef919bb86153cbcb16630fb68aed0a766a3ec693d68e6afa40. 77| | * - Let c2 = 0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee. 78| | * - If u = 0, set u = 1. 79| | * - If t = 0, set s = 1, else set s = t^2. 80| | * - Let g = u^3+7. 81| | * - If g+s = 0, set s = 4*s. 82| | * - If x3 = (3*s*u^3-(g+s)^2)/(3*s*u^2) is a valid x coordinate, return it. 83| | * - If x2 = u*(c1*s+c2*g)/(g+s) is a valid x coordinate, return it. 84| | * - Return x1 = -(x2+u). 85| | */ 86| 5.91k| secp256k1_fe u1, s, g, p, d, n, l; 87| 5.91k| u1 = *u; 88| 5.91k| if (EXPECT(secp256k1_fe_normalizes_to_zero_var(&u1), 0)) u1 = secp256k1_fe_one; ------------------ | | 136| 5.91k|#define EXPECT(x,c) __builtin_expect((x),(c)) | | ------------------ | | | Branch (136:21): [True: 0, False: 5.91k] | | ------------------ ------------------ 89| 5.91k| secp256k1_fe_sqr(&s, t); ------------------ | | 94| 5.91k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 90| 5.91k| if (EXPECT(secp256k1_fe_normalizes_to_zero_var(t), 0)) s = secp256k1_fe_one; ------------------ | | 136| 5.91k|#define EXPECT(x,c) __builtin_expect((x),(c)) | | ------------------ | | | Branch (136:21): [True: 0, False: 5.91k] | | ------------------ ------------------ 91| 5.91k| secp256k1_fe_sqr(&l, &u1); /* l = u^2 */ ------------------ | | 94| 5.91k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 92| 5.91k| secp256k1_fe_mul(&g, &l, &u1); /* g = u^3 */ ------------------ | | 93| 5.91k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 93| 5.91k| secp256k1_fe_add_int(&g, SECP256K1_B); /* g = u^3 + 7 */ ------------------ | | 102| 5.91k|# define secp256k1_fe_add_int secp256k1_fe_impl_add_int ------------------ secp256k1_fe_add_int(&g, SECP256K1_B); /* g = u^3 + 7 */ ------------------ | | 73| 5.91k|#define SECP256K1_B 7 ------------------ 94| 5.91k| p = g; /* p = g */ 95| 5.91k| secp256k1_fe_add(&p, &s); /* p = g+s */ ------------------ | | 92| 5.91k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 96| 5.91k| if (EXPECT(secp256k1_fe_normalizes_to_zero_var(&p), 0)) { ------------------ | | 136| 5.91k|#define EXPECT(x,c) __builtin_expect((x),(c)) | | ------------------ | | | Branch (136:21): [True: 0, False: 5.91k] | | ------------------ ------------------ 97| 0| secp256k1_fe_mul_int(&s, 4); ------------------ | | 233| 0|#define secp256k1_fe_mul_int(r, a) ASSERT_INT_CONST_AND_DO(a, secp256k1_fe_mul_int_unchecked(r, a)) | | ------------------ | | | | 77| 0|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 0| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 0] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 0| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 0, False: 0] | | | | ------------------ | | | | 83| 0| } \ | | | | 84| 0| stmt; \ | | | | 85| 0|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 98| | /* Recompute p = g+s */ 99| 0| p = g; /* p = g */ 100| 0| secp256k1_fe_add(&p, &s); /* p = g+s */ ------------------ | | 92| 0|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 101| 0| } 102| 5.91k| secp256k1_fe_mul(&d, &s, &l); /* d = s*u^2 */ ------------------ | | 93| 5.91k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 103| 5.91k| secp256k1_fe_mul_int(&d, 3); /* d = 3*s*u^2 */ ------------------ | | 233| 5.91k|#define secp256k1_fe_mul_int(r, a) ASSERT_INT_CONST_AND_DO(a, secp256k1_fe_mul_int_unchecked(r, a)) | | ------------------ | | | | 77| 5.91k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 5.91k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 5.91k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 5.91k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 5.91k, False: 0] | | | | ------------------ | | | | 83| 5.91k| } \ | | | | 84| 5.91k| stmt; \ | | | | 85| 5.91k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 104| 5.91k| secp256k1_fe_sqr(&l, &p); /* l = (g+s)^2 */ ------------------ | | 94| 5.91k|# define secp256k1_fe_sqr secp256k1_fe_impl_sqr ------------------ 105| 5.91k| secp256k1_fe_negate(&l, &l, 1); /* l = -(g+s)^2 */ ------------------ | | 211| 5.91k|#define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) | | ------------------ | | | | 77| 5.91k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 5.91k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 5.91k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 5.91k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 5.91k, False: 0] | | | | ------------------ | | | | 83| 5.91k| } \ | | | | 84| 5.91k| stmt; \ | | | | 85| 5.91k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 106| 5.91k| secp256k1_fe_mul(&n, &d, &u1); /* n = 3*s*u^3 */ ------------------ | | 93| 5.91k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 107| 5.91k| secp256k1_fe_add(&n, &l); /* n = 3*s*u^3-(g+s)^2 */ ------------------ | | 92| 5.91k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 108| 5.91k| if (secp256k1_ge_x_frac_on_curve_var(&n, &d)) { ------------------ | Branch (108:9): [True: 3.47k, False: 2.43k] ------------------ 109| | /* Return x3 = n/d = (3*s*u^3-(g+s)^2)/(3*s*u^2) */ 110| 3.47k| *xn = n; 111| 3.47k| *xd = d; 112| 3.47k| return; 113| 3.47k| } 114| 2.43k| *xd = p; 115| 2.43k| secp256k1_fe_mul(&l, &secp256k1_ellswift_c1, &s); /* l = c1*s */ ------------------ | | 93| 2.43k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 116| 2.43k| secp256k1_fe_mul(&n, &secp256k1_ellswift_c2, &g); /* n = c2*g */ ------------------ | | 93| 2.43k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 117| 2.43k| secp256k1_fe_add(&n, &l); /* n = c1*s+c2*g */ ------------------ | | 92| 2.43k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 118| 2.43k| secp256k1_fe_mul(&n, &n, &u1); /* n = u*(c1*s+c2*g) */ ------------------ | | 93| 2.43k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 119| | /* Possible optimization: in the invocation below, p^2 = (g+s)^2 is computed, 120| | * which we already have computed above. This could be deduplicated. */ 121| 2.43k| if (secp256k1_ge_x_frac_on_curve_var(&n, &p)) { ------------------ | Branch (121:9): [True: 1.15k, False: 1.28k] ------------------ 122| | /* Return x2 = n/p = u*(c1*s+c2*g)/(g+s) */ 123| 1.15k| *xn = n; 124| 1.15k| return; 125| 1.15k| } 126| 1.28k| secp256k1_fe_mul(&l, &p, &u1); /* l = u*(g+s) */ ------------------ | | 93| 1.28k|# define secp256k1_fe_mul secp256k1_fe_impl_mul ------------------ 127| 1.28k| secp256k1_fe_add(&n, &l); /* n = u*(c1*s+c2*g)+u*(g+s) */ ------------------ | | 92| 1.28k|# define secp256k1_fe_add secp256k1_fe_impl_add ------------------ 128| 1.28k| secp256k1_fe_negate(xn, &n, 2); /* n = -u*(c1*s+c2*g)-u*(g+s) */ ------------------ | | 211| 1.28k|#define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) | | ------------------ | | | | 77| 1.28k|#define ASSERT_INT_CONST_AND_DO(expr, stmt) do { \ | | | | 78| 1.28k| switch(42) { \ | | | | 79| 0| /* C allows only integer constant expressions as case labels. */ \ | | | | 80| 0| case /* ERROR: integer argument is not constant */ (expr): \ | | | | ------------------ | | | | | Branch (80:9): [True: 0, False: 1.28k] | | | | ------------------ | | | | 81| 0| break; \ | | | | 82| 1.28k| default: ; \ | | | | ------------------ | | | | | Branch (82:9): [True: 1.28k, False: 0] | | | | ------------------ | | | | 83| 1.28k| } \ | | | | 84| 1.28k| stmt; \ | | | | 85| 1.28k|} while(0) | | | | ------------------ | | | | | Branch (85:9): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 129| | 130| 1.28k| VERIFY_CHECK(secp256k1_ge_x_frac_on_curve_var(xn, &p)); 131| | /* Return x3 = n/p = -(u*(c1*s+c2*g)/(g+s)+u) */ 132| 1.28k|} secp256k1.c:secp256k1_scalar_set_b32: 144| 16.2k|static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *b32, int *overflow) { 145| 16.2k| int over; 146| 16.2k| r->d[0] = secp256k1_read_be64(&b32[24]); 147| 16.2k| r->d[1] = secp256k1_read_be64(&b32[16]); 148| 16.2k| r->d[2] = secp256k1_read_be64(&b32[8]); 149| 16.2k| r->d[3] = secp256k1_read_be64(&b32[0]); 150| 16.2k| over = secp256k1_scalar_reduce(r, secp256k1_scalar_check_overflow(r)); 151| 16.2k| if (overflow) { ------------------ | Branch (151:9): [True: 16.2k, False: 0] ------------------ 152| 16.2k| *overflow = over; 153| 16.2k| } 154| | 155| 16.2k| SECP256K1_SCALAR_VERIFY(r); ------------------ | | 103| 16.2k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 156| 16.2k|} secp256k1.c:secp256k1_scalar_reduce: 74| 69.2k|SECP256K1_INLINE static int secp256k1_scalar_reduce(secp256k1_scalar *r, unsigned int overflow) { 75| 69.2k| secp256k1_uint128 t; 76| 69.2k| VERIFY_CHECK(overflow <= 1); 77| | 78| 69.2k| secp256k1_u128_from_u64(&t, r->d[0]); 79| 69.2k| secp256k1_u128_accum_u64(&t, overflow * SECP256K1_N_C_0); ------------------ | | 22| 69.2k|#define SECP256K1_N_C_0 (~SECP256K1_N_0 + 1) | | ------------------ | | | | 16| 69.2k|#define SECP256K1_N_0 ((uint64_t)0xBFD25E8CD0364141ULL) | | ------------------ ------------------ 80| 69.2k| r->d[0] = secp256k1_u128_to_u64(&t); secp256k1_u128_rshift(&t, 64); 81| 69.2k| secp256k1_u128_accum_u64(&t, r->d[1]); 82| 69.2k| secp256k1_u128_accum_u64(&t, overflow * SECP256K1_N_C_1); ------------------ | | 23| 69.2k|#define SECP256K1_N_C_1 (~SECP256K1_N_1) | | ------------------ | | | | 17| 69.2k|#define SECP256K1_N_1 ((uint64_t)0xBAAEDCE6AF48A03BULL) | | ------------------ ------------------ 83| 69.2k| r->d[1] = secp256k1_u128_to_u64(&t); secp256k1_u128_rshift(&t, 64); 84| 69.2k| secp256k1_u128_accum_u64(&t, r->d[2]); 85| 69.2k| secp256k1_u128_accum_u64(&t, overflow * SECP256K1_N_C_2); ------------------ | | 24| 69.2k|#define SECP256K1_N_C_2 (1) ------------------ 86| 69.2k| r->d[2] = secp256k1_u128_to_u64(&t); secp256k1_u128_rshift(&t, 64); 87| 69.2k| secp256k1_u128_accum_u64(&t, r->d[3]); 88| 69.2k| r->d[3] = secp256k1_u128_to_u64(&t); 89| | 90| 69.2k| SECP256K1_SCALAR_VERIFY(r); ------------------ | | 103| 69.2k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 91| 69.2k| return overflow; 92| 69.2k|} secp256k1.c:secp256k1_scalar_check_overflow: 62| 69.2k|SECP256K1_INLINE static int secp256k1_scalar_check_overflow(const secp256k1_scalar *a) { 63| 69.2k| int yes = 0; 64| 69.2k| int no = 0; 65| 69.2k| no |= (a->d[3] < SECP256K1_N_3); /* No need for a > check. */ ------------------ | | 19| 69.2k|#define SECP256K1_N_3 ((uint64_t)0xFFFFFFFFFFFFFFFFULL) ------------------ 66| 69.2k| no |= (a->d[2] < SECP256K1_N_2); ------------------ | | 18| 69.2k|#define SECP256K1_N_2 ((uint64_t)0xFFFFFFFFFFFFFFFEULL) ------------------ 67| 69.2k| yes |= (a->d[2] > SECP256K1_N_2) & ~no; ------------------ | | 18| 69.2k|#define SECP256K1_N_2 ((uint64_t)0xFFFFFFFFFFFFFFFEULL) ------------------ 68| 69.2k| no |= (a->d[1] < SECP256K1_N_1); ------------------ | | 17| 69.2k|#define SECP256K1_N_1 ((uint64_t)0xBAAEDCE6AF48A03BULL) ------------------ 69| 69.2k| yes |= (a->d[1] > SECP256K1_N_1) & ~no; ------------------ | | 17| 69.2k|#define SECP256K1_N_1 ((uint64_t)0xBAAEDCE6AF48A03BULL) ------------------ 70| 69.2k| yes |= (a->d[0] >= SECP256K1_N_0) & ~no; ------------------ | | 16| 69.2k|#define SECP256K1_N_0 ((uint64_t)0xBFD25E8CD0364141ULL) ------------------ 71| 69.2k| return yes; 72| 69.2k|} secp256k1.c:secp256k1_scalar_negate: 173| 5.91k|static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a) { 174| 5.91k| uint64_t nonzero = 0xFFFFFFFFFFFFFFFFULL * (secp256k1_scalar_is_zero(a) == 0); 175| 5.91k| secp256k1_uint128 t; 176| 5.91k| SECP256K1_SCALAR_VERIFY(a); ------------------ | | 103| 5.91k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 177| | 178| 5.91k| secp256k1_u128_from_u64(&t, ~a->d[0]); 179| 5.91k| secp256k1_u128_accum_u64(&t, SECP256K1_N_0 + 1); ------------------ | | 16| 5.91k|#define SECP256K1_N_0 ((uint64_t)0xBFD25E8CD0364141ULL) ------------------ 180| 5.91k| r->d[0] = secp256k1_u128_to_u64(&t) & nonzero; secp256k1_u128_rshift(&t, 64); 181| 5.91k| secp256k1_u128_accum_u64(&t, ~a->d[1]); 182| 5.91k| secp256k1_u128_accum_u64(&t, SECP256K1_N_1); ------------------ | | 17| 5.91k|#define SECP256K1_N_1 ((uint64_t)0xBAAEDCE6AF48A03BULL) ------------------ 183| 5.91k| r->d[1] = secp256k1_u128_to_u64(&t) & nonzero; secp256k1_u128_rshift(&t, 64); 184| 5.91k| secp256k1_u128_accum_u64(&t, ~a->d[2]); 185| 5.91k| secp256k1_u128_accum_u64(&t, SECP256K1_N_2); ------------------ | | 18| 5.91k|#define SECP256K1_N_2 ((uint64_t)0xFFFFFFFFFFFFFFFEULL) ------------------ 186| 5.91k| r->d[2] = secp256k1_u128_to_u64(&t) & nonzero; secp256k1_u128_rshift(&t, 64); 187| 5.91k| secp256k1_u128_accum_u64(&t, ~a->d[3]); 188| 5.91k| secp256k1_u128_accum_u64(&t, SECP256K1_N_3); ------------------ | | 19| 5.91k|#define SECP256K1_N_3 ((uint64_t)0xFFFFFFFFFFFFFFFFULL) ------------------ 189| 5.91k| r->d[3] = secp256k1_u128_to_u64(&t) & nonzero; 190| | 191| 5.91k| SECP256K1_SCALAR_VERIFY(r); ------------------ | | 103| 5.91k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 192| 5.91k|} secp256k1.c:secp256k1_scalar_mul: 855| 17.7k|static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b) { 856| 17.7k| uint64_t l[8]; 857| 17.7k| SECP256K1_SCALAR_VERIFY(a); ------------------ | | 103| 17.7k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 858| 17.7k| SECP256K1_SCALAR_VERIFY(b); ------------------ | | 103| 17.7k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 859| | 860| 17.7k| secp256k1_scalar_mul_512(l, a, b); 861| 17.7k| secp256k1_scalar_reduce_512(r, l); 862| | 863| 17.7k| SECP256K1_SCALAR_VERIFY(r); ------------------ | | 103| 17.7k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 864| 17.7k|} secp256k1.c:secp256k1_scalar_mul_512: 678| 29.5k|static void secp256k1_scalar_mul_512(uint64_t *l8, const secp256k1_scalar *a, const secp256k1_scalar *b) { 679| 29.5k|#ifdef USE_ASM_X86_64 680| 29.5k| const uint64_t *pb = b->d; 681| 29.5k| __asm__ __volatile__( 682| | /* Preload */ 683| 29.5k| "movq 0(%%rdi), %%r15\n" 684| 29.5k| "movq 8(%%rdi), %%rbx\n" 685| 29.5k| "movq 16(%%rdi), %%rcx\n" 686| 29.5k| "movq 0(%%rdx), %%r11\n" 687| 29.5k| "movq 8(%%rdx), %%r12\n" 688| 29.5k| "movq 16(%%rdx), %%r13\n" 689| 29.5k| "movq 24(%%rdx), %%r14\n" 690| | /* (rax,rdx) = a0 * b0 */ 691| 29.5k| "movq %%r15, %%rax\n" 692| 29.5k| "mulq %%r11\n" 693| | /* Extract l8[0] */ 694| 29.5k| "movq %%rax, 0(%%rsi)\n" 695| | /* (r8,r9,r10) = (rdx) */ 696| 29.5k| "movq %%rdx, %%r8\n" 697| 29.5k| "xorq %%r9, %%r9\n" 698| 29.5k| "xorq %%r10, %%r10\n" 699| | /* (r8,r9,r10) += a0 * b1 */ 700| 29.5k| "movq %%r15, %%rax\n" 701| 29.5k| "mulq %%r12\n" 702| 29.5k| "addq %%rax, %%r8\n" 703| 29.5k| "adcq %%rdx, %%r9\n" 704| 29.5k| "adcq $0, %%r10\n" 705| | /* (r8,r9,r10) += a1 * b0 */ 706| 29.5k| "movq %%rbx, %%rax\n" 707| 29.5k| "mulq %%r11\n" 708| 29.5k| "addq %%rax, %%r8\n" 709| 29.5k| "adcq %%rdx, %%r9\n" 710| 29.5k| "adcq $0, %%r10\n" 711| | /* Extract l8[1] */ 712| 29.5k| "movq %%r8, 8(%%rsi)\n" 713| 29.5k| "xorq %%r8, %%r8\n" 714| | /* (r9,r10,r8) += a0 * b2 */ 715| 29.5k| "movq %%r15, %%rax\n" 716| 29.5k| "mulq %%r13\n" 717| 29.5k| "addq %%rax, %%r9\n" 718| 29.5k| "adcq %%rdx, %%r10\n" 719| 29.5k| "adcq $0, %%r8\n" 720| | /* (r9,r10,r8) += a1 * b1 */ 721| 29.5k| "movq %%rbx, %%rax\n" 722| 29.5k| "mulq %%r12\n" 723| 29.5k| "addq %%rax, %%r9\n" 724| 29.5k| "adcq %%rdx, %%r10\n" 725| 29.5k| "adcq $0, %%r8\n" 726| | /* (r9,r10,r8) += a2 * b0 */ 727| 29.5k| "movq %%rcx, %%rax\n" 728| 29.5k| "mulq %%r11\n" 729| 29.5k| "addq %%rax, %%r9\n" 730| 29.5k| "adcq %%rdx, %%r10\n" 731| 29.5k| "adcq $0, %%r8\n" 732| | /* Extract l8[2] */ 733| 29.5k| "movq %%r9, 16(%%rsi)\n" 734| 29.5k| "xorq %%r9, %%r9\n" 735| | /* (r10,r8,r9) += a0 * b3 */ 736| 29.5k| "movq %%r15, %%rax\n" 737| 29.5k| "mulq %%r14\n" 738| 29.5k| "addq %%rax, %%r10\n" 739| 29.5k| "adcq %%rdx, %%r8\n" 740| 29.5k| "adcq $0, %%r9\n" 741| | /* Preload a3 */ 742| 29.5k| "movq 24(%%rdi), %%r15\n" 743| | /* (r10,r8,r9) += a1 * b2 */ 744| 29.5k| "movq %%rbx, %%rax\n" 745| 29.5k| "mulq %%r13\n" 746| 29.5k| "addq %%rax, %%r10\n" 747| 29.5k| "adcq %%rdx, %%r8\n" 748| 29.5k| "adcq $0, %%r9\n" 749| | /* (r10,r8,r9) += a2 * b1 */ 750| 29.5k| "movq %%rcx, %%rax\n" 751| 29.5k| "mulq %%r12\n" 752| 29.5k| "addq %%rax, %%r10\n" 753| 29.5k| "adcq %%rdx, %%r8\n" 754| 29.5k| "adcq $0, %%r9\n" 755| | /* (r10,r8,r9) += a3 * b0 */ 756| 29.5k| "movq %%r15, %%rax\n" 757| 29.5k| "mulq %%r11\n" 758| 29.5k| "addq %%rax, %%r10\n" 759| 29.5k| "adcq %%rdx, %%r8\n" 760| 29.5k| "adcq $0, %%r9\n" 761| | /* Extract l8[3] */ 762| 29.5k| "movq %%r10, 24(%%rsi)\n" 763| 29.5k| "xorq %%r10, %%r10\n" 764| | /* (r8,r9,r10) += a1 * b3 */ 765| 29.5k| "movq %%rbx, %%rax\n" 766| 29.5k| "mulq %%r14\n" 767| 29.5k| "addq %%rax, %%r8\n" 768| 29.5k| "adcq %%rdx, %%r9\n" 769| 29.5k| "adcq $0, %%r10\n" 770| | /* (r8,r9,r10) += a2 * b2 */ 771| 29.5k| "movq %%rcx, %%rax\n" 772| 29.5k| "mulq %%r13\n" 773| 29.5k| "addq %%rax, %%r8\n" 774| 29.5k| "adcq %%rdx, %%r9\n" 775| 29.5k| "adcq $0, %%r10\n" 776| | /* (r8,r9,r10) += a3 * b1 */ 777| 29.5k| "movq %%r15, %%rax\n" 778| 29.5k| "mulq %%r12\n" 779| 29.5k| "addq %%rax, %%r8\n" 780| 29.5k| "adcq %%rdx, %%r9\n" 781| 29.5k| "adcq $0, %%r10\n" 782| | /* Extract l8[4] */ 783| 29.5k| "movq %%r8, 32(%%rsi)\n" 784| 29.5k| "xorq %%r8, %%r8\n" 785| | /* (r9,r10,r8) += a2 * b3 */ 786| 29.5k| "movq %%rcx, %%rax\n" 787| 29.5k| "mulq %%r14\n" 788| 29.5k| "addq %%rax, %%r9\n" 789| 29.5k| "adcq %%rdx, %%r10\n" 790| 29.5k| "adcq $0, %%r8\n" 791| | /* (r9,r10,r8) += a3 * b2 */ 792| 29.5k| "movq %%r15, %%rax\n" 793| 29.5k| "mulq %%r13\n" 794| 29.5k| "addq %%rax, %%r9\n" 795| 29.5k| "adcq %%rdx, %%r10\n" 796| 29.5k| "adcq $0, %%r8\n" 797| | /* Extract l8[5] */ 798| 29.5k| "movq %%r9, 40(%%rsi)\n" 799| | /* (r10,r8) += a3 * b3 */ 800| 29.5k| "movq %%r15, %%rax\n" 801| 29.5k| "mulq %%r14\n" 802| 29.5k| "addq %%rax, %%r10\n" 803| 29.5k| "adcq %%rdx, %%r8\n" 804| | /* Extract l8[6] */ 805| 29.5k| "movq %%r10, 48(%%rsi)\n" 806| | /* Extract l8[7] */ 807| 29.5k| "movq %%r8, 56(%%rsi)\n" 808| 29.5k| : "+d"(pb) 809| 29.5k| : "S"(l8), "D"(a->d) 810| 29.5k| : "rax", "rbx", "rcx", "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15", "cc", "memory"); 811| | 812| 29.5k| SECP256K1_CHECKMEM_MSAN_DEFINE(l8, sizeof(*l8) * 8); ------------------ | | 60| 29.5k|# define SECP256K1_CHECKMEM_MSAN_DEFINE(p, len) SECP256K1_CHECKMEM_NOOP((p), (len)) | | ------------------ | | | | 42| 29.5k|#define SECP256K1_CHECKMEM_NOOP(p, len) do { (void)(p); (void)(len); } while(0) | | | | ------------------ | | | | | Branch (42:78): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 813| | 814| |#else 815| | /* 160 bit accumulator. */ 816| | uint64_t c0 = 0, c1 = 0; 817| | uint32_t c2 = 0; 818| | 819| | /* l8[0..7] = a[0..3] * b[0..3]. */ 820| | muladd_fast(a->d[0], b->d[0]); 821| | extract_fast(l8[0]); 822| | muladd(a->d[0], b->d[1]); 823| | muladd(a->d[1], b->d[0]); 824| | extract(l8[1]); 825| | muladd(a->d[0], b->d[2]); 826| | muladd(a->d[1], b->d[1]); 827| | muladd(a->d[2], b->d[0]); 828| | extract(l8[2]); 829| | muladd(a->d[0], b->d[3]); 830| | muladd(a->d[1], b->d[2]); 831| | muladd(a->d[2], b->d[1]); 832| | muladd(a->d[3], b->d[0]); 833| | extract(l8[3]); 834| | muladd(a->d[1], b->d[3]); 835| | muladd(a->d[2], b->d[2]); 836| | muladd(a->d[3], b->d[1]); 837| | extract(l8[4]); 838| | muladd(a->d[2], b->d[3]); 839| | muladd(a->d[3], b->d[2]); 840| | extract(l8[5]); 841| | muladd_fast(a->d[3], b->d[3]); 842| | extract_fast(l8[6]); 843| | VERIFY_CHECK(c1 == 0); 844| | l8[7] = c0; 845| |#endif 846| 29.5k|} secp256k1.c:secp256k1_scalar_reduce_512: 347| 17.7k|static void secp256k1_scalar_reduce_512(secp256k1_scalar *r, const uint64_t *l) { 348| 17.7k|#ifdef USE_ASM_X86_64 349| | /* Reduce 512 bits into 385. */ 350| 17.7k| uint64_t m0, m1, m2, m3, m4, m5, m6; 351| 17.7k| uint64_t p0, p1, p2, p3, p4; 352| 17.7k| uint64_t c; 353| | 354| 17.7k| __asm__ __volatile__( 355| | /* Preload. */ 356| 17.7k| "movq 32(%%rsi), %%r11\n" 357| 17.7k| "movq 40(%%rsi), %%r12\n" 358| 17.7k| "movq 48(%%rsi), %%r13\n" 359| 17.7k| "movq 56(%%rsi), %%r14\n" 360| | /* Initialize r8,r9,r10 */ 361| 17.7k| "movq 0(%%rsi), %%r8\n" 362| 17.7k| "xorq %%r9, %%r9\n" 363| 17.7k| "xorq %%r10, %%r10\n" 364| | /* (r8,r9) += n0 * c0 */ 365| 17.7k| "movq %8, %%rax\n" 366| 17.7k| "mulq %%r11\n" 367| 17.7k| "addq %%rax, %%r8\n" 368| 17.7k| "adcq %%rdx, %%r9\n" 369| | /* extract m0 */ 370| 17.7k| "movq %%r8, %q0\n" 371| 17.7k| "xorq %%r8, %%r8\n" 372| | /* (r9,r10) += l1 */ 373| 17.7k| "addq 8(%%rsi), %%r9\n" 374| 17.7k| "adcq $0, %%r10\n" 375| | /* (r9,r10,r8) += n1 * c0 */ 376| 17.7k| "movq %8, %%rax\n" 377| 17.7k| "mulq %%r12\n" 378| 17.7k| "addq %%rax, %%r9\n" 379| 17.7k| "adcq %%rdx, %%r10\n" 380| 17.7k| "adcq $0, %%r8\n" 381| | /* (r9,r10,r8) += n0 * c1 */ 382| 17.7k| "movq %9, %%rax\n" 383| 17.7k| "mulq %%r11\n" 384| 17.7k| "addq %%rax, %%r9\n" 385| 17.7k| "adcq %%rdx, %%r10\n" 386| 17.7k| "adcq $0, %%r8\n" 387| | /* extract m1 */ 388| 17.7k| "movq %%r9, %q1\n" 389| 17.7k| "xorq %%r9, %%r9\n" 390| | /* (r10,r8,r9) += l2 */ 391| 17.7k| "addq 16(%%rsi), %%r10\n" 392| 17.7k| "adcq $0, %%r8\n" 393| 17.7k| "adcq $0, %%r9\n" 394| | /* (r10,r8,r9) += n2 * c0 */ 395| 17.7k| "movq %8, %%rax\n" 396| 17.7k| "mulq %%r13\n" 397| 17.7k| "addq %%rax, %%r10\n" 398| 17.7k| "adcq %%rdx, %%r8\n" 399| 17.7k| "adcq $0, %%r9\n" 400| | /* (r10,r8,r9) += n1 * c1 */ 401| 17.7k| "movq %9, %%rax\n" 402| 17.7k| "mulq %%r12\n" 403| 17.7k| "addq %%rax, %%r10\n" 404| 17.7k| "adcq %%rdx, %%r8\n" 405| 17.7k| "adcq $0, %%r9\n" 406| | /* (r10,r8,r9) += n0 */ 407| 17.7k| "addq %%r11, %%r10\n" 408| 17.7k| "adcq $0, %%r8\n" 409| 17.7k| "adcq $0, %%r9\n" 410| | /* extract m2 */ 411| 17.7k| "movq %%r10, %q2\n" 412| 17.7k| "xorq %%r10, %%r10\n" 413| | /* (r8,r9,r10) += l3 */ 414| 17.7k| "addq 24(%%rsi), %%r8\n" 415| 17.7k| "adcq $0, %%r9\n" 416| 17.7k| "adcq $0, %%r10\n" 417| | /* (r8,r9,r10) += n3 * c0 */ 418| 17.7k| "movq %8, %%rax\n" 419| 17.7k| "mulq %%r14\n" 420| 17.7k| "addq %%rax, %%r8\n" 421| 17.7k| "adcq %%rdx, %%r9\n" 422| 17.7k| "adcq $0, %%r10\n" 423| | /* (r8,r9,r10) += n2 * c1 */ 424| 17.7k| "movq %9, %%rax\n" 425| 17.7k| "mulq %%r13\n" 426| 17.7k| "addq %%rax, %%r8\n" 427| 17.7k| "adcq %%rdx, %%r9\n" 428| 17.7k| "adcq $0, %%r10\n" 429| | /* (r8,r9,r10) += n1 */ 430| 17.7k| "addq %%r12, %%r8\n" 431| 17.7k| "adcq $0, %%r9\n" 432| 17.7k| "adcq $0, %%r10\n" 433| | /* extract m3 */ 434| 17.7k| "movq %%r8, %q3\n" 435| 17.7k| "xorq %%r8, %%r8\n" 436| | /* (r9,r10,r8) += n3 * c1 */ 437| 17.7k| "movq %9, %%rax\n" 438| 17.7k| "mulq %%r14\n" 439| 17.7k| "addq %%rax, %%r9\n" 440| 17.7k| "adcq %%rdx, %%r10\n" 441| 17.7k| "adcq $0, %%r8\n" 442| | /* (r9,r10,r8) += n2 */ 443| 17.7k| "addq %%r13, %%r9\n" 444| 17.7k| "adcq $0, %%r10\n" 445| 17.7k| "adcq $0, %%r8\n" 446| | /* extract m4 */ 447| 17.7k| "movq %%r9, %q4\n" 448| | /* (r10,r8) += n3 */ 449| 17.7k| "addq %%r14, %%r10\n" 450| 17.7k| "adcq $0, %%r8\n" 451| | /* extract m5 */ 452| 17.7k| "movq %%r10, %q5\n" 453| | /* extract m6 */ 454| 17.7k| "movq %%r8, %q6\n" 455| 17.7k| : "=&g"(m0), "=&g"(m1), "=&g"(m2), "=g"(m3), "=g"(m4), "=g"(m5), "=g"(m6) 456| 17.7k| : "S"(l), "i"(SECP256K1_N_C_0), "i"(SECP256K1_N_C_1) ------------------ | | 22| 17.7k|#define SECP256K1_N_C_0 (~SECP256K1_N_0 + 1) | | ------------------ | | | | 16| 17.7k|#define SECP256K1_N_0 ((uint64_t)0xBFD25E8CD0364141ULL) | | ------------------ ------------------ : "S"(l), "i"(SECP256K1_N_C_0), "i"(SECP256K1_N_C_1) ------------------ | | 23| 17.7k|#define SECP256K1_N_C_1 (~SECP256K1_N_1) | | ------------------ | | | | 17| 17.7k|#define SECP256K1_N_1 ((uint64_t)0xBAAEDCE6AF48A03BULL) | | ------------------ ------------------ 457| 17.7k| : "rax", "rdx", "r8", "r9", "r10", "r11", "r12", "r13", "r14", "cc"); 458| | 459| 17.7k| SECP256K1_CHECKMEM_MSAN_DEFINE(&m0, sizeof(m0)); ------------------ | | 60| 17.7k|# define SECP256K1_CHECKMEM_MSAN_DEFINE(p, len) SECP256K1_CHECKMEM_NOOP((p), (len)) | | ------------------ | | | | 42| 17.7k|#define SECP256K1_CHECKMEM_NOOP(p, len) do { (void)(p); (void)(len); } while(0) | | | | ------------------ | | | | | Branch (42:78): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 460| 17.7k| SECP256K1_CHECKMEM_MSAN_DEFINE(&m1, sizeof(m1)); ------------------ | | 60| 17.7k|# define SECP256K1_CHECKMEM_MSAN_DEFINE(p, len) SECP256K1_CHECKMEM_NOOP((p), (len)) | | ------------------ | | | | 42| 17.7k|#define SECP256K1_CHECKMEM_NOOP(p, len) do { (void)(p); (void)(len); } while(0) | | | | ------------------ | | | | | Branch (42:78): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 461| 17.7k| SECP256K1_CHECKMEM_MSAN_DEFINE(&m2, sizeof(m2)); ------------------ | | 60| 17.7k|# define SECP256K1_CHECKMEM_MSAN_DEFINE(p, len) SECP256K1_CHECKMEM_NOOP((p), (len)) | | ------------------ | | | | 42| 17.7k|#define SECP256K1_CHECKMEM_NOOP(p, len) do { (void)(p); (void)(len); } while(0) | | | | ------------------ | | | | | Branch (42:78): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 462| 17.7k| SECP256K1_CHECKMEM_MSAN_DEFINE(&m3, sizeof(m3)); ------------------ | | 60| 17.7k|# define SECP256K1_CHECKMEM_MSAN_DEFINE(p, len) SECP256K1_CHECKMEM_NOOP((p), (len)) | | ------------------ | | | | 42| 17.7k|#define SECP256K1_CHECKMEM_NOOP(p, len) do { (void)(p); (void)(len); } while(0) | | | | ------------------ | | | | | Branch (42:78): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 463| 17.7k| SECP256K1_CHECKMEM_MSAN_DEFINE(&m4, sizeof(m4)); ------------------ | | 60| 17.7k|# define SECP256K1_CHECKMEM_MSAN_DEFINE(p, len) SECP256K1_CHECKMEM_NOOP((p), (len)) | | ------------------ | | | | 42| 17.7k|#define SECP256K1_CHECKMEM_NOOP(p, len) do { (void)(p); (void)(len); } while(0) | | | | ------------------ | | | | | Branch (42:78): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 464| 17.7k| SECP256K1_CHECKMEM_MSAN_DEFINE(&m5, sizeof(m5)); ------------------ | | 60| 17.7k|# define SECP256K1_CHECKMEM_MSAN_DEFINE(p, len) SECP256K1_CHECKMEM_NOOP((p), (len)) | | ------------------ | | | | 42| 17.7k|#define SECP256K1_CHECKMEM_NOOP(p, len) do { (void)(p); (void)(len); } while(0) | | | | ------------------ | | | | | Branch (42:78): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 465| 17.7k| SECP256K1_CHECKMEM_MSAN_DEFINE(&m6, sizeof(m6)); ------------------ | | 60| 17.7k|# define SECP256K1_CHECKMEM_MSAN_DEFINE(p, len) SECP256K1_CHECKMEM_NOOP((p), (len)) | | ------------------ | | | | 42| 17.7k|#define SECP256K1_CHECKMEM_NOOP(p, len) do { (void)(p); (void)(len); } while(0) | | | | ------------------ | | | | | Branch (42:78): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 466| | 467| | /* Reduce 385 bits into 258. */ 468| 17.7k| __asm__ __volatile__( 469| | /* Preload */ 470| 17.7k| "movq %q9, %%r11\n" 471| 17.7k| "movq %q10, %%r12\n" 472| 17.7k| "movq %q11, %%r13\n" 473| | /* Initialize (r8,r9,r10) */ 474| 17.7k| "movq %q5, %%r8\n" 475| 17.7k| "xorq %%r9, %%r9\n" 476| 17.7k| "xorq %%r10, %%r10\n" 477| | /* (r8,r9) += m4 * c0 */ 478| 17.7k| "movq %12, %%rax\n" 479| 17.7k| "mulq %%r11\n" 480| 17.7k| "addq %%rax, %%r8\n" 481| 17.7k| "adcq %%rdx, %%r9\n" 482| | /* extract p0 */ 483| 17.7k| "movq %%r8, %q0\n" 484| 17.7k| "xorq %%r8, %%r8\n" 485| | /* (r9,r10) += m1 */ 486| 17.7k| "addq %q6, %%r9\n" 487| 17.7k| "adcq $0, %%r10\n" 488| | /* (r9,r10,r8) += m5 * c0 */ 489| 17.7k| "movq %12, %%rax\n" 490| 17.7k| "mulq %%r12\n" 491| 17.7k| "addq %%rax, %%r9\n" 492| 17.7k| "adcq %%rdx, %%r10\n" 493| 17.7k| "adcq $0, %%r8\n" 494| | /* (r9,r10,r8) += m4 * c1 */ 495| 17.7k| "movq %13, %%rax\n" 496| 17.7k| "mulq %%r11\n" 497| 17.7k| "addq %%rax, %%r9\n" 498| 17.7k| "adcq %%rdx, %%r10\n" 499| 17.7k| "adcq $0, %%r8\n" 500| | /* extract p1 */ 501| 17.7k| "movq %%r9, %q1\n" 502| 17.7k| "xorq %%r9, %%r9\n" 503| | /* (r10,r8,r9) += m2 */ 504| 17.7k| "addq %q7, %%r10\n" 505| 17.7k| "adcq $0, %%r8\n" 506| 17.7k| "adcq $0, %%r9\n" 507| | /* (r10,r8,r9) += m6 * c0 */ 508| 17.7k| "movq %12, %%rax\n" 509| 17.7k| "mulq %%r13\n" 510| 17.7k| "addq %%rax, %%r10\n" 511| 17.7k| "adcq %%rdx, %%r8\n" 512| 17.7k| "adcq $0, %%r9\n" 513| | /* (r10,r8,r9) += m5 * c1 */ 514| 17.7k| "movq %13, %%rax\n" 515| 17.7k| "mulq %%r12\n" 516| 17.7k| "addq %%rax, %%r10\n" 517| 17.7k| "adcq %%rdx, %%r8\n" 518| 17.7k| "adcq $0, %%r9\n" 519| | /* (r10,r8,r9) += m4 */ 520| 17.7k| "addq %%r11, %%r10\n" 521| 17.7k| "adcq $0, %%r8\n" 522| 17.7k| "adcq $0, %%r9\n" 523| | /* extract p2 */ 524| 17.7k| "movq %%r10, %q2\n" 525| | /* (r8,r9) += m3 */ 526| 17.7k| "addq %q8, %%r8\n" 527| 17.7k| "adcq $0, %%r9\n" 528| | /* (r8,r9) += m6 * c1 */ 529| 17.7k| "movq %13, %%rax\n" 530| 17.7k| "mulq %%r13\n" 531| 17.7k| "addq %%rax, %%r8\n" 532| 17.7k| "adcq %%rdx, %%r9\n" 533| | /* (r8,r9) += m5 */ 534| 17.7k| "addq %%r12, %%r8\n" 535| 17.7k| "adcq $0, %%r9\n" 536| | /* extract p3 */ 537| 17.7k| "movq %%r8, %q3\n" 538| | /* (r9) += m6 */ 539| 17.7k| "addq %%r13, %%r9\n" 540| | /* extract p4 */ 541| 17.7k| "movq %%r9, %q4\n" 542| 17.7k| : "=&g"(p0), "=&g"(p1), "=&g"(p2), "=g"(p3), "=g"(p4) 543| 17.7k| : "g"(m0), "g"(m1), "g"(m2), "g"(m3), "g"(m4), "g"(m5), "g"(m6), "i"(SECP256K1_N_C_0), "i"(SECP256K1_N_C_1) ------------------ | | 22| 17.7k|#define SECP256K1_N_C_0 (~SECP256K1_N_0 + 1) | | ------------------ | | | | 16| 17.7k|#define SECP256K1_N_0 ((uint64_t)0xBFD25E8CD0364141ULL) | | ------------------ ------------------ : "g"(m0), "g"(m1), "g"(m2), "g"(m3), "g"(m4), "g"(m5), "g"(m6), "i"(SECP256K1_N_C_0), "i"(SECP256K1_N_C_1) ------------------ | | 23| 17.7k|#define SECP256K1_N_C_1 (~SECP256K1_N_1) | | ------------------ | | | | 17| 17.7k|#define SECP256K1_N_1 ((uint64_t)0xBAAEDCE6AF48A03BULL) | | ------------------ ------------------ 544| 17.7k| : "rax", "rdx", "r8", "r9", "r10", "r11", "r12", "r13", "cc"); 545| | 546| 17.7k| SECP256K1_CHECKMEM_MSAN_DEFINE(&p0, sizeof(p0)); ------------------ | | 60| 17.7k|# define SECP256K1_CHECKMEM_MSAN_DEFINE(p, len) SECP256K1_CHECKMEM_NOOP((p), (len)) | | ------------------ | | | | 42| 17.7k|#define SECP256K1_CHECKMEM_NOOP(p, len) do { (void)(p); (void)(len); } while(0) | | | | ------------------ | | | | | Branch (42:78): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 547| 17.7k| SECP256K1_CHECKMEM_MSAN_DEFINE(&p1, sizeof(p1)); ------------------ | | 60| 17.7k|# define SECP256K1_CHECKMEM_MSAN_DEFINE(p, len) SECP256K1_CHECKMEM_NOOP((p), (len)) | | ------------------ | | | | 42| 17.7k|#define SECP256K1_CHECKMEM_NOOP(p, len) do { (void)(p); (void)(len); } while(0) | | | | ------------------ | | | | | Branch (42:78): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 548| 17.7k| SECP256K1_CHECKMEM_MSAN_DEFINE(&p2, sizeof(p2)); ------------------ | | 60| 17.7k|# define SECP256K1_CHECKMEM_MSAN_DEFINE(p, len) SECP256K1_CHECKMEM_NOOP((p), (len)) | | ------------------ | | | | 42| 17.7k|#define SECP256K1_CHECKMEM_NOOP(p, len) do { (void)(p); (void)(len); } while(0) | | | | ------------------ | | | | | Branch (42:78): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 549| 17.7k| SECP256K1_CHECKMEM_MSAN_DEFINE(&p3, sizeof(p3)); ------------------ | | 60| 17.7k|# define SECP256K1_CHECKMEM_MSAN_DEFINE(p, len) SECP256K1_CHECKMEM_NOOP((p), (len)) | | ------------------ | | | | 42| 17.7k|#define SECP256K1_CHECKMEM_NOOP(p, len) do { (void)(p); (void)(len); } while(0) | | | | ------------------ | | | | | Branch (42:78): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 550| 17.7k| SECP256K1_CHECKMEM_MSAN_DEFINE(&p4, sizeof(p4)); ------------------ | | 60| 17.7k|# define SECP256K1_CHECKMEM_MSAN_DEFINE(p, len) SECP256K1_CHECKMEM_NOOP((p), (len)) | | ------------------ | | | | 42| 17.7k|#define SECP256K1_CHECKMEM_NOOP(p, len) do { (void)(p); (void)(len); } while(0) | | | | ------------------ | | | | | Branch (42:78): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 551| | 552| | /* Reduce 258 bits into 256. */ 553| 17.7k| __asm__ __volatile__( 554| | /* Preload */ 555| 17.7k| "movq %q5, %%r10\n" 556| | /* (rax,rdx) = p4 * c0 */ 557| 17.7k| "movq %7, %%rax\n" 558| 17.7k| "mulq %%r10\n" 559| | /* (rax,rdx) += p0 */ 560| 17.7k| "addq %q1, %%rax\n" 561| 17.7k| "adcq $0, %%rdx\n" 562| | /* extract r0 */ 563| 17.7k| "movq %%rax, 0(%q6)\n" 564| | /* Move to (r8,r9) */ 565| 17.7k| "movq %%rdx, %%r8\n" 566| 17.7k| "xorq %%r9, %%r9\n" 567| | /* (r8,r9) += p1 */ 568| 17.7k| "addq %q2, %%r8\n" 569| 17.7k| "adcq $0, %%r9\n" 570| | /* (r8,r9) += p4 * c1 */ 571| 17.7k| "movq %8, %%rax\n" 572| 17.7k| "mulq %%r10\n" 573| 17.7k| "addq %%rax, %%r8\n" 574| 17.7k| "adcq %%rdx, %%r9\n" 575| | /* Extract r1 */ 576| 17.7k| "movq %%r8, 8(%q6)\n" 577| 17.7k| "xorq %%r8, %%r8\n" 578| | /* (r9,r8) += p4 */ 579| 17.7k| "addq %%r10, %%r9\n" 580| 17.7k| "adcq $0, %%r8\n" 581| | /* (r9,r8) += p2 */ 582| 17.7k| "addq %q3, %%r9\n" 583| 17.7k| "adcq $0, %%r8\n" 584| | /* Extract r2 */ 585| 17.7k| "movq %%r9, 16(%q6)\n" 586| 17.7k| "xorq %%r9, %%r9\n" 587| | /* (r8,r9) += p3 */ 588| 17.7k| "addq %q4, %%r8\n" 589| 17.7k| "adcq $0, %%r9\n" 590| | /* Extract r3 */ 591| 17.7k| "movq %%r8, 24(%q6)\n" 592| | /* Extract c */ 593| 17.7k| "movq %%r9, %q0\n" 594| 17.7k| : "=g"(c) 595| 17.7k| : "g"(p0), "g"(p1), "g"(p2), "g"(p3), "g"(p4), "D"(r), "i"(SECP256K1_N_C_0), "i"(SECP256K1_N_C_1) ------------------ | | 22| 17.7k|#define SECP256K1_N_C_0 (~SECP256K1_N_0 + 1) | | ------------------ | | | | 16| 17.7k|#define SECP256K1_N_0 ((uint64_t)0xBFD25E8CD0364141ULL) | | ------------------ ------------------ : "g"(p0), "g"(p1), "g"(p2), "g"(p3), "g"(p4), "D"(r), "i"(SECP256K1_N_C_0), "i"(SECP256K1_N_C_1) ------------------ | | 23| 17.7k|#define SECP256K1_N_C_1 (~SECP256K1_N_1) | | ------------------ | | | | 17| 17.7k|#define SECP256K1_N_1 ((uint64_t)0xBAAEDCE6AF48A03BULL) | | ------------------ ------------------ 596| 17.7k| : "rax", "rdx", "r8", "r9", "r10", "cc", "memory"); 597| | 598| 17.7k| SECP256K1_CHECKMEM_MSAN_DEFINE(r, sizeof(*r)); ------------------ | | 60| 17.7k|# define SECP256K1_CHECKMEM_MSAN_DEFINE(p, len) SECP256K1_CHECKMEM_NOOP((p), (len)) | | ------------------ | | | | 42| 17.7k|#define SECP256K1_CHECKMEM_NOOP(p, len) do { (void)(p); (void)(len); } while(0) | | | | ------------------ | | | | | Branch (42:78): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 599| 17.7k| SECP256K1_CHECKMEM_MSAN_DEFINE(&c, sizeof(c)); ------------------ | | 60| 17.7k|# define SECP256K1_CHECKMEM_MSAN_DEFINE(p, len) SECP256K1_CHECKMEM_NOOP((p), (len)) | | ------------------ | | | | 42| 17.7k|#define SECP256K1_CHECKMEM_NOOP(p, len) do { (void)(p); (void)(len); } while(0) | | | | ------------------ | | | | | Branch (42:78): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 600| | 601| |#else 602| | secp256k1_uint128 c128; 603| | uint64_t c, c0, c1, c2; 604| | uint64_t n0 = l[4], n1 = l[5], n2 = l[6], n3 = l[7]; 605| | uint64_t m0, m1, m2, m3, m4, m5; 606| | uint32_t m6; 607| | uint64_t p0, p1, p2, p3; 608| | uint32_t p4; 609| | 610| | /* Reduce 512 bits into 385. */ 611| | /* m[0..6] = l[0..3] + n[0..3] * SECP256K1_N_C. */ 612| | c0 = l[0]; c1 = 0; c2 = 0; 613| | muladd_fast(n0, SECP256K1_N_C_0); 614| | extract_fast(m0); 615| | sumadd_fast(l[1]); 616| | muladd(n1, SECP256K1_N_C_0); 617| | muladd(n0, SECP256K1_N_C_1); 618| | extract(m1); 619| | sumadd(l[2]); 620| | muladd(n2, SECP256K1_N_C_0); 621| | muladd(n1, SECP256K1_N_C_1); 622| | sumadd(n0); 623| | extract(m2); 624| | sumadd(l[3]); 625| | muladd(n3, SECP256K1_N_C_0); 626| | muladd(n2, SECP256K1_N_C_1); 627| | sumadd(n1); 628| | extract(m3); 629| | muladd(n3, SECP256K1_N_C_1); 630| | sumadd(n2); 631| | extract(m4); 632| | sumadd_fast(n3); 633| | extract_fast(m5); 634| | VERIFY_CHECK(c0 <= 1); 635| | m6 = c0; 636| | 637| | /* Reduce 385 bits into 258. */ 638| | /* p[0..4] = m[0..3] + m[4..6] * SECP256K1_N_C. */ 639| | c0 = m0; c1 = 0; c2 = 0; 640| | muladd_fast(m4, SECP256K1_N_C_0); 641| | extract_fast(p0); 642| | sumadd_fast(m1); 643| | muladd(m5, SECP256K1_N_C_0); 644| | muladd(m4, SECP256K1_N_C_1); 645| | extract(p1); 646| | sumadd(m2); 647| | muladd(m6, SECP256K1_N_C_0); 648| | muladd(m5, SECP256K1_N_C_1); 649| | sumadd(m4); 650| | extract(p2); 651| | sumadd_fast(m3); 652| | muladd_fast(m6, SECP256K1_N_C_1); 653| | sumadd_fast(m5); 654| | extract_fast(p3); 655| | p4 = c0 + m6; 656| | VERIFY_CHECK(p4 <= 2); 657| | 658| | /* Reduce 258 bits into 256. */ 659| | /* r[0..3] = p[0..3] + p[4] * SECP256K1_N_C. */ 660| | secp256k1_u128_from_u64(&c128, p0); 661| | secp256k1_u128_accum_mul(&c128, SECP256K1_N_C_0, p4); 662| | r->d[0] = secp256k1_u128_to_u64(&c128); secp256k1_u128_rshift(&c128, 64); 663| | secp256k1_u128_accum_u64(&c128, p1); 664| | secp256k1_u128_accum_mul(&c128, SECP256K1_N_C_1, p4); 665| | r->d[1] = secp256k1_u128_to_u64(&c128); secp256k1_u128_rshift(&c128, 64); 666| | secp256k1_u128_accum_u64(&c128, p2); 667| | secp256k1_u128_accum_u64(&c128, p4); 668| | r->d[2] = secp256k1_u128_to_u64(&c128); secp256k1_u128_rshift(&c128, 64); 669| | secp256k1_u128_accum_u64(&c128, p3); 670| | r->d[3] = secp256k1_u128_to_u64(&c128); 671| | c = secp256k1_u128_hi_u64(&c128); 672| |#endif 673| | 674| | /* Final reduction of r. */ 675| 17.7k| secp256k1_scalar_reduce(r, c + secp256k1_scalar_check_overflow(r)); 676| 17.7k|} secp256k1.c:secp256k1_scalar_get_bits_limb32: 41| 329k|SECP256K1_INLINE static uint32_t secp256k1_scalar_get_bits_limb32(const secp256k1_scalar *a, unsigned int offset, unsigned int count) { 42| 329k| SECP256K1_SCALAR_VERIFY(a); ------------------ | | 103| 329k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 43| 329k| VERIFY_CHECK(count > 0 && count <= 32); 44| 329k| VERIFY_CHECK((offset + count - 1) >> 6 == offset >> 6); 45| | 46| 329k| return (a->d[offset >> 6] >> (offset & 0x3F)) & (0xFFFFFFFF >> (32 - count)); 47| 329k|} secp256k1.c:secp256k1_scalar_add: 94| 35.2k|static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b) { 95| 35.2k| int overflow; 96| 35.2k| secp256k1_uint128 t; 97| 35.2k| SECP256K1_SCALAR_VERIFY(a); ------------------ | | 103| 35.2k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 98| 35.2k| SECP256K1_SCALAR_VERIFY(b); ------------------ | | 103| 35.2k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 99| | 100| 35.2k| secp256k1_u128_from_u64(&t, a->d[0]); 101| 35.2k| secp256k1_u128_accum_u64(&t, b->d[0]); 102| 35.2k| r->d[0] = secp256k1_u128_to_u64(&t); secp256k1_u128_rshift(&t, 64); 103| 35.2k| secp256k1_u128_accum_u64(&t, a->d[1]); 104| 35.2k| secp256k1_u128_accum_u64(&t, b->d[1]); 105| 35.2k| r->d[1] = secp256k1_u128_to_u64(&t); secp256k1_u128_rshift(&t, 64); 106| 35.2k| secp256k1_u128_accum_u64(&t, a->d[2]); 107| 35.2k| secp256k1_u128_accum_u64(&t, b->d[2]); 108| 35.2k| r->d[2] = secp256k1_u128_to_u64(&t); secp256k1_u128_rshift(&t, 64); 109| 35.2k| secp256k1_u128_accum_u64(&t, a->d[3]); 110| 35.2k| secp256k1_u128_accum_u64(&t, b->d[3]); 111| 35.2k| r->d[3] = secp256k1_u128_to_u64(&t); secp256k1_u128_rshift(&t, 64); 112| 35.2k| overflow = secp256k1_u128_to_u64(&t) + secp256k1_scalar_check_overflow(r); 113| 35.2k| VERIFY_CHECK(overflow == 0 || overflow == 1); 114| 35.2k| secp256k1_scalar_reduce(r, overflow); 115| | 116| 35.2k| SECP256K1_SCALAR_VERIFY(r); ------------------ | | 103| 35.2k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 117| 35.2k| return overflow; 118| 35.2k|} secp256k1.c:secp256k1_scalar_cmov: 911| 11.6k|static SECP256K1_INLINE void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag) { 912| 11.6k| uint64_t mask0, mask1; 913| 11.6k| volatile int vflag = flag; 914| 11.6k| SECP256K1_SCALAR_VERIFY(a); ------------------ | | 103| 11.6k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 915| 11.6k| SECP256K1_CHECKMEM_CHECK_VERIFY(r->d, sizeof(r->d)); ------------------ | | 99| 11.6k|#define SECP256K1_CHECKMEM_CHECK_VERIFY(p, len) SECP256K1_CHECKMEM_NOOP((p), (len)) | | ------------------ | | | | 42| 11.6k|#define SECP256K1_CHECKMEM_NOOP(p, len) do { (void)(p); (void)(len); } while(0) | | | | ------------------ | | | | | Branch (42:78): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 916| | 917| 11.6k| mask0 = vflag + ~((uint64_t)0); 918| 11.6k| mask1 = ~mask0; 919| 11.6k| r->d[0] = (r->d[0] & mask0) | (a->d[0] & mask1); 920| 11.6k| r->d[1] = (r->d[1] & mask0) | (a->d[1] & mask1); 921| 11.6k| r->d[2] = (r->d[2] & mask0) | (a->d[2] & mask1); 922| 11.6k| r->d[3] = (r->d[3] & mask0) | (a->d[3] & mask1); 923| | 924| 11.6k| SECP256K1_SCALAR_VERIFY(r); ------------------ | | 103| 11.6k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 925| 11.6k|} secp256k1.c:secp256k1_scalar_half: 194| 5.91k|static void secp256k1_scalar_half(secp256k1_scalar *r, const secp256k1_scalar *a) { 195| | /* Writing `/` for field division and `//` for integer division, we compute 196| | * 197| | * a/2 = (a - (a&1))/2 + (a&1)/2 198| | * = (a >> 1) + (a&1 ? 1/2 : 0) 199| | * = (a >> 1) + (a&1 ? n//2+1 : 0), 200| | * 201| | * where n is the group order and in the last equality we have used 1/2 = n//2+1 (mod n). 202| | * For n//2, we have the constants SECP256K1_N_H_0, ... 203| | * 204| | * This sum does not overflow. The most extreme case is a = -2, the largest odd scalar. Here: 205| | * - the left summand is: a >> 1 = (a - a&1)/2 = (n-2-1)//2 = (n-3)//2 206| | * - the right summand is: a&1 ? n//2+1 : 0 = n//2+1 = (n-1)//2 + 2//2 = (n+1)//2 207| | * Together they sum to (n-3)//2 + (n+1)//2 = (2n-2)//2 = n - 1, which is less than n. 208| | */ 209| 5.91k| uint64_t mask = -(uint64_t)(a->d[0] & 1U); 210| 5.91k| secp256k1_uint128 t; 211| 5.91k| SECP256K1_SCALAR_VERIFY(a); ------------------ | | 103| 5.91k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 212| | 213| 5.91k| secp256k1_u128_from_u64(&t, (a->d[0] >> 1) | (a->d[1] << 63)); 214| 5.91k| secp256k1_u128_accum_u64(&t, (SECP256K1_N_H_0 + 1U) & mask); ------------------ | | 27| 5.91k|#define SECP256K1_N_H_0 ((uint64_t)0xDFE92F46681B20A0ULL) ------------------ 215| 5.91k| r->d[0] = secp256k1_u128_to_u64(&t); secp256k1_u128_rshift(&t, 64); 216| 5.91k| secp256k1_u128_accum_u64(&t, (a->d[1] >> 1) | (a->d[2] << 63)); 217| 5.91k| secp256k1_u128_accum_u64(&t, SECP256K1_N_H_1 & mask); ------------------ | | 28| 5.91k|#define SECP256K1_N_H_1 ((uint64_t)0x5D576E7357A4501DULL) ------------------ 218| 5.91k| r->d[1] = secp256k1_u128_to_u64(&t); secp256k1_u128_rshift(&t, 64); 219| 5.91k| secp256k1_u128_accum_u64(&t, (a->d[2] >> 1) | (a->d[3] << 63)); 220| 5.91k| secp256k1_u128_accum_u64(&t, SECP256K1_N_H_2 & mask); ------------------ | | 29| 5.91k|#define SECP256K1_N_H_2 ((uint64_t)0xFFFFFFFFFFFFFFFFULL) ------------------ 221| 5.91k| r->d[2] = secp256k1_u128_to_u64(&t); secp256k1_u128_rshift(&t, 64); 222| 5.91k| r->d[3] = secp256k1_u128_to_u64(&t) + (a->d[3] >> 1) + (SECP256K1_N_H_3 & mask); ------------------ | | 30| 5.91k|#define SECP256K1_N_H_3 ((uint64_t)0x7FFFFFFFFFFFFFFFULL) ------------------ 223| |#ifdef VERIFY 224| | /* The line above only computed the bottom 64 bits of r->d[3]; redo the computation 225| | * in full 128 bits to make sure the top 64 bits are indeed zero. */ 226| | secp256k1_u128_accum_u64(&t, a->d[3] >> 1); 227| | secp256k1_u128_accum_u64(&t, SECP256K1_N_H_3 & mask); 228| | secp256k1_u128_rshift(&t, 64); 229| | VERIFY_CHECK(secp256k1_u128_to_u64(&t) == 0); 230| | 231| | SECP256K1_SCALAR_VERIFY(r); 232| |#endif 233| 5.91k|} secp256k1.c:secp256k1_scalar_mul_shift_var: 889| 11.8k|SECP256K1_INLINE static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b, unsigned int shift) { 890| 11.8k| uint64_t l[8]; 891| 11.8k| unsigned int shiftlimbs; 892| 11.8k| unsigned int shiftlow; 893| 11.8k| unsigned int shifthigh; 894| 11.8k| SECP256K1_SCALAR_VERIFY(a); ------------------ | | 103| 11.8k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 895| 11.8k| SECP256K1_SCALAR_VERIFY(b); ------------------ | | 103| 11.8k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 896| 11.8k| VERIFY_CHECK(shift >= 256); 897| | 898| 11.8k| secp256k1_scalar_mul_512(l, a, b); 899| 11.8k| shiftlimbs = shift >> 6; 900| 11.8k| shiftlow = shift & 0x3F; 901| 11.8k| shifthigh = 64 - shiftlow; 902| 11.8k| r->d[0] = shift < 512 ? (l[0 + shiftlimbs] >> shiftlow | (shift < 448 && shiftlow ? (l[1 + shiftlimbs] << shifthigh) : 0)) : 0; ------------------ | Branch (902:15): [True: 11.8k, False: 0] | Branch (902:63): [True: 11.8k, False: 0] | Branch (902:78): [True: 0, False: 11.8k] ------------------ 903| 11.8k| r->d[1] = shift < 448 ? (l[1 + shiftlimbs] >> shiftlow | (shift < 384 && shiftlow ? (l[2 + shiftlimbs] << shifthigh) : 0)) : 0; ------------------ | Branch (903:15): [True: 11.8k, False: 0] | Branch (903:63): [True: 0, False: 11.8k] | Branch (903:78): [True: 0, False: 0] ------------------ 904| 11.8k| r->d[2] = shift < 384 ? (l[2 + shiftlimbs] >> shiftlow | (shift < 320 && shiftlow ? (l[3 + shiftlimbs] << shifthigh) : 0)) : 0; ------------------ | Branch (904:15): [True: 0, False: 11.8k] | Branch (904:63): [True: 0, False: 0] | Branch (904:78): [True: 0, False: 0] ------------------ 905| 11.8k| r->d[3] = shift < 320 ? (l[3 + shiftlimbs] >> shiftlow) : 0; ------------------ | Branch (905:15): [True: 0, False: 11.8k] ------------------ 906| 11.8k| secp256k1_scalar_cadd_bit(r, 0, (l[(shift - 1) >> 6] >> ((shift - 1) & 0x3f)) & 1); 907| | 908| 11.8k| SECP256K1_SCALAR_VERIFY(r); ------------------ | | 103| 11.8k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 909| 11.8k|} secp256k1.c:secp256k1_scalar_cadd_bit: 120| 11.8k|static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag) { 121| 11.8k| secp256k1_uint128 t; 122| 11.8k| volatile int vflag = flag; 123| 11.8k| SECP256K1_SCALAR_VERIFY(r); ------------------ | | 103| 11.8k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 124| 11.8k| VERIFY_CHECK(bit < 256); 125| | 126| 11.8k| bit += ((uint32_t) vflag - 1) & 0x100; /* forcing (bit >> 6) > 3 makes this a noop */ 127| 11.8k| secp256k1_u128_from_u64(&t, r->d[0]); 128| 11.8k| secp256k1_u128_accum_u64(&t, ((uint64_t)((bit >> 6) == 0)) << (bit & 0x3F)); 129| 11.8k| r->d[0] = secp256k1_u128_to_u64(&t); secp256k1_u128_rshift(&t, 64); 130| 11.8k| secp256k1_u128_accum_u64(&t, r->d[1]); 131| 11.8k| secp256k1_u128_accum_u64(&t, ((uint64_t)((bit >> 6) == 1)) << (bit & 0x3F)); 132| 11.8k| r->d[1] = secp256k1_u128_to_u64(&t); secp256k1_u128_rshift(&t, 64); 133| 11.8k| secp256k1_u128_accum_u64(&t, r->d[2]); 134| 11.8k| secp256k1_u128_accum_u64(&t, ((uint64_t)((bit >> 6) == 2)) << (bit & 0x3F)); 135| 11.8k| r->d[2] = secp256k1_u128_to_u64(&t); secp256k1_u128_rshift(&t, 64); 136| 11.8k| secp256k1_u128_accum_u64(&t, r->d[3]); 137| 11.8k| secp256k1_u128_accum_u64(&t, ((uint64_t)((bit >> 6) == 3)) << (bit & 0x3F)); 138| 11.8k| r->d[3] = secp256k1_u128_to_u64(&t); 139| | 140| 11.8k| SECP256K1_SCALAR_VERIFY(r); ------------------ | | 103| 11.8k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 141| 11.8k| VERIFY_CHECK(secp256k1_u128_hi_u64(&t) == 0); 142| 11.8k|} secp256k1.c:secp256k1_scalar_get_bits_var: 49| 307k|SECP256K1_INLINE static uint32_t secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count) { 50| 307k| SECP256K1_SCALAR_VERIFY(a); ------------------ | | 103| 307k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 51| 307k| VERIFY_CHECK(count > 0 && count <= 32); 52| 307k| VERIFY_CHECK(offset + count <= 256); 53| | 54| 307k| if ((offset + count - 1) >> 6 == offset >> 6) { ------------------ | Branch (54:9): [True: 283k, False: 23.6k] ------------------ 55| 283k| return secp256k1_scalar_get_bits_limb32(a, offset, count); 56| 283k| } else { 57| 23.6k| VERIFY_CHECK((offset >> 6) + 1 < 4); 58| 23.6k| return ((a->d[offset >> 6] >> (offset & 0x3F)) | (a->d[(offset >> 6) + 1] << (64 - (offset & 0x3F)))) & (0xFFFFFFFF >> (32 - count)); 59| 23.6k| } 60| 307k|} secp256k1.c:secp256k1_scalar_is_zero: 167| 22.1k|SECP256K1_INLINE static int secp256k1_scalar_is_zero(const secp256k1_scalar *a) { 168| 22.1k| SECP256K1_SCALAR_VERIFY(a); ------------------ | | 103| 22.1k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 169| | 170| 22.1k| return (a->d[0] | a->d[1] | a->d[2] | a->d[3]) == 0; 171| 22.1k|} secp256k1.c:secp256k1_scalar_verify: 42| 1.03M|static void secp256k1_scalar_verify(const secp256k1_scalar *r) { 43| 1.03M| VERIFY_CHECK(secp256k1_scalar_check_overflow(r) == 0); 44| | 45| 1.03M| (void)r; 46| 1.03M|} secp256k1.c:secp256k1_scalar_set_b32_seckey: 34| 10.3k|static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin) { 35| 10.3k| int overflow; 36| 10.3k| secp256k1_scalar_set_b32(r, bin, &overflow); 37| | 38| 10.3k| SECP256K1_SCALAR_VERIFY(r); ------------------ | | 103| 10.3k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 39| 10.3k| return (!overflow) & (!secp256k1_scalar_is_zero(r)); 40| 10.3k|} secp256k1.c:secp256k1_scalar_clear: 30| 21.9k|SECP256K1_INLINE static void secp256k1_scalar_clear(secp256k1_scalar *r) { 31| 21.9k| secp256k1_memclear(r, sizeof(secp256k1_scalar)); 32| 21.9k|} secp256k1.c:secp256k1_scalar_split_lambda: 142| 5.91k|static void secp256k1_scalar_split_lambda(secp256k1_scalar * SECP256K1_RESTRICT r1, secp256k1_scalar * SECP256K1_RESTRICT r2, const secp256k1_scalar * SECP256K1_RESTRICT k) { 143| 5.91k| secp256k1_scalar c1, c2; 144| 5.91k| static const secp256k1_scalar minus_b1 = SECP256K1_SCALAR_CONST( ------------------ | | 17| 5.91k|#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0) {{((uint64_t)(d1)) << 32 | (d0), ((uint64_t)(d3)) << 32 | (d2), ((uint64_t)(d5)) << 32 | (d4), ((uint64_t)(d7)) << 32 | (d6)}} ------------------ 145| 5.91k| 0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00000000UL, 146| 5.91k| 0xE4437ED6UL, 0x010E8828UL, 0x6F547FA9UL, 0x0ABFE4C3UL 147| 5.91k| ); 148| 5.91k| static const secp256k1_scalar minus_b2 = SECP256K1_SCALAR_CONST( ------------------ | | 17| 5.91k|#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0) {{((uint64_t)(d1)) << 32 | (d0), ((uint64_t)(d3)) << 32 | (d2), ((uint64_t)(d5)) << 32 | (d4), ((uint64_t)(d7)) << 32 | (d6)}} ------------------ 149| 5.91k| 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL, 150| 5.91k| 0x8A280AC5UL, 0x0774346DUL, 0xD765CDA8UL, 0x3DB1562CUL 151| 5.91k| ); 152| 5.91k| static const secp256k1_scalar g1 = SECP256K1_SCALAR_CONST( ------------------ | | 17| 5.91k|#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0) {{((uint64_t)(d1)) << 32 | (d0), ((uint64_t)(d3)) << 32 | (d2), ((uint64_t)(d5)) << 32 | (d4), ((uint64_t)(d7)) << 32 | (d6)}} ------------------ 153| 5.91k| 0x3086D221UL, 0xA7D46BCDUL, 0xE86C90E4UL, 0x9284EB15UL, 154| 5.91k| 0x3DAA8A14UL, 0x71E8CA7FUL, 0xE893209AUL, 0x45DBB031UL 155| 5.91k| ); 156| 5.91k| static const secp256k1_scalar g2 = SECP256K1_SCALAR_CONST( ------------------ | | 17| 5.91k|#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0) {{((uint64_t)(d1)) << 32 | (d0), ((uint64_t)(d3)) << 32 | (d2), ((uint64_t)(d5)) << 32 | (d4), ((uint64_t)(d7)) << 32 | (d6)}} ------------------ 157| 5.91k| 0xE4437ED6UL, 0x010E8828UL, 0x6F547FA9UL, 0x0ABFE4C4UL, 158| 5.91k| 0x221208ACUL, 0x9DF506C6UL, 0x1571B4AEUL, 0x8AC47F71UL 159| 5.91k| ); 160| 5.91k| SECP256K1_SCALAR_VERIFY(k); ------------------ | | 103| 5.91k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 161| 5.91k| VERIFY_CHECK(r1 != k); 162| 5.91k| VERIFY_CHECK(r2 != k); 163| 5.91k| VERIFY_CHECK(r1 != r2); 164| | 165| | /* these _var calls are constant time since the shift amount is constant */ 166| 5.91k| secp256k1_scalar_mul_shift_var(&c1, k, &g1, 384); 167| 5.91k| secp256k1_scalar_mul_shift_var(&c2, k, &g2, 384); 168| 5.91k| secp256k1_scalar_mul(&c1, &c1, &minus_b1); 169| 5.91k| secp256k1_scalar_mul(&c2, &c2, &minus_b2); 170| 5.91k| secp256k1_scalar_add(r2, &c1, &c2); 171| 5.91k| secp256k1_scalar_mul(r1, r2, &secp256k1_const_lambda); 172| 5.91k| secp256k1_scalar_negate(r1, r1); 173| 5.91k| secp256k1_scalar_add(r1, r1, k); 174| | 175| 5.91k| SECP256K1_SCALAR_VERIFY(r1); ------------------ | | 103| 5.91k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 176| 5.91k| SECP256K1_SCALAR_VERIFY(r2); ------------------ | | 103| 5.91k|#define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) ------------------ 177| |#ifdef VERIFY 178| | secp256k1_scalar_split_lambda_verify(r1, r2, k); 179| |#endif 180| 5.91k|} secp256k1_context_preallocated_destroy: 176| 2|void secp256k1_context_preallocated_destroy(secp256k1_context* ctx) { 177| 2| ARG_CHECK_VOID(ctx == NULL || secp256k1_context_is_proper(ctx)); ------------------ | | 52| 2|#define ARG_CHECK_VOID(cond) do { \ | | 53| 2| if (EXPECT(!(cond), 0)) { \ | | ------------------ | | | | 136| 4|#define EXPECT(x,c) __builtin_expect((x),(c)) | | | | ------------------ | | | | | Branch (136:21): [True: 0, False: 2] | | | | | Branch (136:39): [True: 0, False: 2] | | | | | Branch (136:39): [True: 2, False: 0] | | | | ------------------ | | ------------------ | | 54| 0| secp256k1_callback_call(&ctx->illegal_callback, #cond); \ | | 55| 0| return; \ | | 56| 0| } \ | | 57| 2|} while(0) | | ------------------ | | | Branch (57:9): [Folded - Ignored] | | ------------------ ------------------ 178| | 179| | /* Defined as noop */ 180| 2| if (ctx == NULL) { ------------------ | Branch (180:9): [True: 0, False: 2] ------------------ 181| 0| return; 182| 0| } 183| | 184| 2| secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx); 185| 2|} secp256k1_context_destroy: 187| 2|void secp256k1_context_destroy(secp256k1_context* ctx) { 188| 2| ARG_CHECK_VOID(ctx == NULL || secp256k1_context_is_proper(ctx)); ------------------ | | 52| 2|#define ARG_CHECK_VOID(cond) do { \ | | 53| 2| if (EXPECT(!(cond), 0)) { \ | | ------------------ | | | | 136| 4|#define EXPECT(x,c) __builtin_expect((x),(c)) | | | | ------------------ | | | | | Branch (136:21): [True: 0, False: 2] | | | | | Branch (136:39): [True: 0, False: 2] | | | | | Branch (136:39): [True: 2, False: 0] | | | | ------------------ | | ------------------ | | 54| 0| secp256k1_callback_call(&ctx->illegal_callback, #cond); \ | | 55| 0| return; \ | | 56| 0| } \ | | 57| 2|} while(0) | | ------------------ | | | Branch (57:9): [Folded - Ignored] | | ------------------ ------------------ 189| | 190| | /* Defined as noop */ 191| 2| if (ctx == NULL) { ------------------ | Branch (191:9): [True: 0, False: 2] ------------------ 192| 0| return; 193| 0| } 194| | 195| 2| secp256k1_context_preallocated_destroy(ctx); 196| 2| free(ctx); 197| 2|} secp256k1_ec_seckey_verify: 580| 4.57k|int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) { 581| 4.57k| secp256k1_scalar sec; 582| 4.57k| int ret; 583| 4.57k| VERIFY_CHECK(ctx != NULL); 584| 4.57k| ARG_CHECK(seckey != NULL); ------------------ | | 45| 4.57k|#define ARG_CHECK(cond) do { \ | | 46| 4.57k| if (EXPECT(!(cond), 0)) { \ | | ------------------ | | | | 136| 4.57k|#define EXPECT(x,c) __builtin_expect((x),(c)) | | | | ------------------ | | | | | Branch (136:21): [True: 0, False: 4.57k] | | | | ------------------ | | ------------------ | | 47| 0| secp256k1_callback_call(&ctx->illegal_callback, #cond); \ | | 48| 0| return 0; \ | | 49| 0| } \ | | 50| 4.57k|} while(0) | | ------------------ | | | Branch (50:9): [Folded - Ignored] | | ------------------ ------------------ 585| | 586| 4.57k| ret = secp256k1_scalar_set_b32_seckey(&sec, seckey); 587| 4.57k| secp256k1_scalar_clear(&sec); 588| 4.57k| return ret; 589| 4.57k|} secp256k1.c:secp256k1_context_is_proper: 82| 4|static int secp256k1_context_is_proper(const secp256k1_context* ctx) { 83| 4| return secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx); 84| 4|} secp256k1.c:secp256k1_ec_pubkey_create_helper: 591| 5.72k|static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey) { 592| 5.72k| secp256k1_gej pj; 593| 5.72k| int ret; 594| | 595| 5.72k| ret = secp256k1_scalar_set_b32_seckey(seckey_scalar, seckey); 596| 5.72k| secp256k1_scalar_cmov(seckey_scalar, &secp256k1_scalar_one, !ret); 597| | 598| 5.72k| secp256k1_ecmult_gen(ecmult_gen_ctx, &pj, seckey_scalar); 599| 5.72k| secp256k1_ge_set_gej(p, &pj); 600| 5.72k| secp256k1_gej_clear(&pj); 601| 5.72k| return ret; 602| 5.72k|} secp256k1.c:secp256k1_declassify: 236| 11.4k|static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context* ctx, const void *p, size_t len) { 237| 11.4k| if (EXPECT(ctx->declassify, 0)) SECP256K1_CHECKMEM_DEFINE(p, len); ------------------ | | 136| 11.4k|#define EXPECT(x,c) __builtin_expect((x),(c)) | | ------------------ | | | Branch (136:21): [True: 0, False: 11.4k] | | ------------------ ------------------ if (EXPECT(ctx->declassify, 0)) SECP256K1_CHECKMEM_DEFINE(p, len); ------------------ | | 91| 0|# define SECP256K1_CHECKMEM_DEFINE(p, len) SECP256K1_CHECKMEM_NOOP((p), (len)) | | ------------------ | | | | 42| 0|#define SECP256K1_CHECKMEM_NOOP(p, len) do { (void)(p); (void)(len); } while(0) | | | | ------------------ | | | | | Branch (42:78): [Folded - Ignored] | | | | ------------------ | | ------------------ ------------------ 238| 11.4k|} secp256k1.c:secp256k1_read_be64: 416| 64.8k|SECP256K1_INLINE static uint64_t secp256k1_read_be64(const unsigned char* p) { 417| 64.8k| return (uint64_t)p[0] << 56 | 418| 64.8k| (uint64_t)p[1] << 48 | 419| 64.8k| (uint64_t)p[2] << 40 | 420| 64.8k| (uint64_t)p[3] << 32 | 421| 64.8k| (uint64_t)p[4] << 24 | 422| 64.8k| (uint64_t)p[5] << 16 | 423| 64.8k| (uint64_t)p[6] << 8 | 424| 64.8k| (uint64_t)p[7]; 425| 64.8k|} secp256k1.c:secp256k1_ctz64_var: 382| 11.0M|static SECP256K1_INLINE int secp256k1_ctz64_var(uint64_t x) { 383| 11.0M| VERIFY_CHECK(x != 0); 384| 11.0M|#if (__has_builtin(__builtin_ctzl) || SECP256K1_GNUC_PREREQ(3,4)) 385| | /* If the unsigned long type is sufficient to represent the largest uint64_t, consider __builtin_ctzl. */ 386| 11.0M| if (((unsigned long)UINT64_MAX) == UINT64_MAX) { ------------------ | Branch (386:9): [Folded - Ignored] ------------------ 387| 11.0M| return __builtin_ctzl(x); 388| 11.0M| } 389| 0|#endif 390| 0|#if (__has_builtin(__builtin_ctzll) || SECP256K1_GNUC_PREREQ(3,4)) 391| | /* Otherwise consider __builtin_ctzll (the unsigned long long type is always at least 64 bits). */ 392| 0| return __builtin_ctzll(x); 393| |#else 394| | /* If no suitable CTZ builtin is available, use a (variable time) software emulation. */ 395| | return secp256k1_ctz64_var_debruijn(x); 396| |#endif 397| 11.0M|} secp256k1.c:secp256k1_rotr32: 440| 1.47M|SECP256K1_INLINE static uint32_t secp256k1_rotr32(const uint32_t x, const unsigned int by) { 441| |#if defined(_MSC_VER) 442| | return _rotr(x, by); /* needs */ 443| |#else 444| | /* Reduce rotation amount to avoid UB when shifting. */ 445| 1.47M| const unsigned int mask = CHAR_BIT * sizeof(x) - 1; 446| | /* Turned into a rot instruction by GCC and clang. */ 447| 1.47M| return (x >> (by & mask)) | (x << ((-by) & mask)); 448| 1.47M|#endif 449| 1.47M|} secp256k1.c:secp256k1_memczero: 208| 5.72k|static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag) { 209| 5.72k| unsigned char *p = (unsigned char *)s; 210| | /* Access flag with a volatile-qualified lvalue. 211| | This prevents clang from figuring out (after inlining) that flag can 212| | take only be 0 or 1, which leads to variable time code. */ 213| 5.72k| volatile int vflag = flag; 214| 5.72k| unsigned char mask = -(unsigned char) vflag; 215| 372k| while (len) { ------------------ | Branch (215:12): [True: 366k, False: 5.72k] ------------------ 216| 366k| *p &= ~mask; 217| 366k| p++; 218| 366k| len--; 219| 366k| } 220| 5.72k|} secp256k1.c:secp256k1_read_be32: 400| 867k|SECP256K1_INLINE static uint32_t secp256k1_read_be32(const unsigned char* p) { 401| 867k| return (uint32_t)p[0] << 24 | 402| 867k| (uint32_t)p[1] << 16 | 403| 867k| (uint32_t)p[2] << 8 | 404| 867k| (uint32_t)p[3]; 405| 867k|} secp256k1.c:secp256k1_write_be32: 408| 366k|SECP256K1_INLINE static void secp256k1_write_be32(unsigned char* p, uint32_t x) { 409| 366k| p[3] = x; 410| 366k| p[2] = x >> 8; 411| 366k| p[1] = x >> 16; 412| 366k| p[0] = x >> 24; 413| 366k|} secp256k1.c:secp256k1_memclear: 223| 68.3k|static SECP256K1_INLINE void secp256k1_memclear(void *ptr, size_t len) { 224| |#if defined(_MSC_VER) 225| | /* SecureZeroMemory is guaranteed not to be optimized out by MSVC. */ 226| | SecureZeroMemory(ptr, len); 227| |#elif defined(__GNUC__) 228| | /* We use a memory barrier that scares the compiler away from optimizing out the memset. 229| | * 230| | * Quoting Adam Langley in commit ad1907fe73334d6c696c8539646c21b11178f20f 231| | * in BoringSSL (ISC License): 232| | * As best as we can tell, this is sufficient to break any optimisations that 233| | * might try to eliminate "superfluous" memsets. 234| | * This method is used in memzero_explicit() the Linux kernel, too. Its advantage is that it 235| | * is pretty efficient, because the compiler can still implement the memset() efficently, 236| | * just not remove it entirely. See "Dead Store Elimination (Still) Considered Harmful" by 237| | * Yang et al. (USENIX Security 2017) for more background. 238| | */ 239| 68.3k| memset(ptr, 0, len); 240| 68.3k| __asm__ __volatile__("" : : "r"(ptr) : "memory"); 241| |#else 242| | void *(*volatile const volatile_memset)(void *, int, size_t) = memset; 243| | volatile_memset(ptr, 0, len); 244| |#endif 245| |#ifdef VERIFY 246| | SECP256K1_CHECKMEM_UNDEFINE(ptr, len); 247| |#endif 248| 68.3k|} _Z9UCharCastPh: 281| 4.57k|inline unsigned char* UCharCast(unsigned char* c) { return c; } _Z9UCharCastPSt4byte: 283| 11.6k|inline unsigned char* UCharCast(std::byte* c) { return reinterpret_cast(c); } _Z9UCharCastPKSt4byte: 287| 17.5k|inline const unsigned char* UCharCast(const std::byte* c) { return reinterpret_cast(c); } _ZNK4SpanIKSt4byteE4sizeEv: 187| 11.4k| constexpr std::size_t size() const noexcept { return m_size; } _ZNK4SpanIKSt4byteE4dataEv: 174| 5.72k| constexpr C* data() const noexcept { return m_data; } _ZNK4SpanIKSt4byteE5beginEv: 175| 5.72k| constexpr C* begin() const noexcept { return m_data; } _ZNK4SpanIKSt4byteE3endEv: 176| 5.72k| constexpr C* end() const noexcept { return m_data + m_size; } _ZN4SpanIKSt4byteEC2INSt3__16vectorIS0_NS4_9allocatorIS0_EEEEEERT_NS4_9enable_ifIXaaaantsr7is_SpanIS9_EE5valuesr3std14is_convertibleIPA_NS4_14remove_pointerIDTcldtclsr3stdE7declvalISA_EE4dataEEE4typeEPA_S1_EE5valuesr3std14is_convertibleIDTcldtclsr3stdE7declvalISA_EE4sizeEEmEE5valueEDnE4typeE: 165| 5.72k| : m_data(other.data()), m_size(other.size()){} _ZN4SpanIKSt4byteEC2INSt3__15arrayIS0_Lm64EEEEERT_NS4_9enable_ifIXaaaantsr7is_SpanIS7_EE5valuesr3std14is_convertibleIPA_NS4_14remove_pointerIDTcldtclsr3stdE7declvalIS8_EE4dataEEE4typeEPA_S1_EE5valuesr3std14is_convertibleIDTcldtclsr3stdE7declvalIS8_EE4sizeEEmEE5valueEDnE4typeE: 165| 5.72k| : m_data(other.data()), m_size(other.size()){} _Z18make_secure_uniqueINSt3__15arrayIhLm32EEEJEENS0_10unique_ptrIT_19SecureUniqueDeleterIS4_EEEDpOT0_: 72| 4.17k|{ 73| 4.17k| T* p = secure_allocator().allocate(1); 74| | 75| | // initialize in place, and return as secure_unique_ptr 76| 4.17k| try { 77| 4.17k| return secure_unique_ptr(new (p) T(std::forward(as)...)); 78| 4.17k| } catch (...) { 79| 0| secure_allocator().deallocate(p, 1); 80| 0| throw; 81| 0| } 82| 4.17k|} _ZN16secure_allocatorINSt3__15arrayIhLm32EEEE8allocateEm: 28| 4.17k| { 29| 4.17k| T* allocation = static_cast(LockedPoolManager::Instance().alloc(sizeof(T) * n)); 30| 4.17k| if (!allocation) { ------------------ | Branch (30:13): [True: 0, False: 4.17k] ------------------ 31| 0| throw std::bad_alloc(); 32| 0| } 33| 4.17k| return allocation; 34| 4.17k| } _ZN16secure_allocatorINSt3__15arrayIhLm32EEEE10deallocateEPS2_m: 37| 4.17k| { 38| 4.17k| if (p != nullptr) { ------------------ | Branch (38:13): [True: 4.17k, False: 0] ------------------ 39| 4.17k| memory_cleanse(p, sizeof(T) * n); 40| 4.17k| } 41| 4.17k| LockedPoolManager::Instance().free(p); 42| 4.17k| } _ZN19SecureUniqueDeleterINSt3__15arrayIhLm32EEEEclEPS2_: 62| 4.17k| void operator()(T* t) noexcept { 63| 4.17k| secure_allocator().deallocate(t, 1); 64| 4.17k| } _Z14memory_cleansePvm: 15| 4.17k|{ 16| |#if defined(WIN32) 17| | /* SecureZeroMemory is guaranteed not to be optimized out. */ 18| | SecureZeroMemory(ptr, len); 19| |#else 20| 4.17k| std::memset(ptr, 0, len); 21| | 22| | /* Memory barrier that scares the compiler away from optimizing out the memset. 23| | * 24| | * Quoting Adam Langley in commit ad1907fe73334d6c696c8539646c21b11178f20f 25| | * in BoringSSL (ISC License): 26| | * As best as we can tell, this is sufficient to break any optimisations that 27| | * might try to eliminate "superfluous" memsets. 28| | * This method is used in memzero_explicit() the Linux kernel, too. Its advantage is that it 29| | * is pretty efficient because the compiler can still implement the memset() efficiently, 30| | * just not remove it entirely. See "Dead Store Elimination (Still) Considered Harmful" by 31| | * Yang et al. (USENIX Security 2017) for more background. 32| | */ 33| 4.17k| __asm__ __volatile__("" : : "r"(ptr) : "memory"); 34| 4.17k|#endif 35| 4.17k|} _ZN5Arena5allocEm: 52| 4.17k|{ 53| | // Round to next multiple of alignment 54| 4.17k| size = align_up(size, alignment); 55| | 56| | // Don't handle zero-sized chunks 57| 4.17k| if (size == 0) ------------------ | Branch (57:9): [True: 0, False: 4.17k] ------------------ 58| 0| return nullptr; 59| | 60| | // Pick a large enough free-chunk. Returns an iterator pointing to the first element that is not less than key. 61| | // This allocation strategy is best-fit. According to "Dynamic Storage Allocation: A Survey and Critical Review", 62| | // Wilson et. al. 1995, https://www.scs.stanford.edu/14wi-cs140/sched/readings/wilson.pdf, best-fit and first-fit 63| | // policies seem to work well in practice. 64| 4.17k| auto size_ptr_it = size_to_free_chunk.lower_bound(size); 65| 4.17k| if (size_ptr_it == size_to_free_chunk.end()) ------------------ | Branch (65:9): [True: 0, False: 4.17k] ------------------ 66| 0| return nullptr; 67| | 68| | // Create the used-chunk, taking its space from the end of the free-chunk 69| 4.17k| const size_t size_remaining = size_ptr_it->first - size; 70| 4.17k| char* const free_chunk = static_cast(size_ptr_it->second); 71| 4.17k| auto allocated = chunks_used.emplace(free_chunk + size_remaining, size).first; 72| 4.17k| chunks_free_end.erase(free_chunk + size_ptr_it->first); 73| 4.17k| if (size_ptr_it->first == size) { ------------------ | Branch (73:9): [True: 0, False: 4.17k] ------------------ 74| | // whole chunk is used up 75| 0| chunks_free.erase(size_ptr_it->second); 76| 4.17k| } else { 77| | // still some memory left in the chunk 78| 4.17k| auto it_remaining = size_to_free_chunk.emplace(size_remaining, size_ptr_it->second); 79| 4.17k| chunks_free[size_ptr_it->second] = it_remaining; 80| 4.17k| chunks_free_end.emplace(free_chunk + size_remaining, it_remaining); 81| 4.17k| } 82| 4.17k| size_to_free_chunk.erase(size_ptr_it); 83| | 84| 4.17k| return allocated->first; 85| 4.17k|} _ZN5Arena4freeEPv: 88| 4.17k|{ 89| | // Freeing the nullptr pointer is OK. 90| 4.17k| if (ptr == nullptr) { ------------------ | Branch (90:9): [True: 0, False: 4.17k] ------------------ 91| 0| return; 92| 0| } 93| | 94| | // Remove chunk from used map 95| 4.17k| auto i = chunks_used.find(ptr); 96| 4.17k| if (i == chunks_used.end()) { ------------------ | Branch (96:9): [True: 0, False: 4.17k] ------------------ 97| 0| throw std::runtime_error("Arena: invalid or double free"); 98| 0| } 99| 4.17k| auto freed = std::make_pair(static_cast(i->first), i->second); 100| 4.17k| chunks_used.erase(i); 101| | 102| | // coalesce freed with previous chunk 103| 4.17k| auto prev = chunks_free_end.find(freed.first); 104| 4.17k| if (prev != chunks_free_end.end()) { ------------------ | Branch (104:9): [True: 4.17k, False: 0] ------------------ 105| 4.17k| freed.first -= prev->second->first; 106| 4.17k| freed.second += prev->second->first; 107| 4.17k| size_to_free_chunk.erase(prev->second); 108| 4.17k| chunks_free_end.erase(prev); 109| 4.17k| } 110| | 111| | // coalesce freed with chunk after freed 112| 4.17k| auto next = chunks_free.find(freed.first + freed.second); 113| 4.17k| if (next != chunks_free.end()) { ------------------ | Branch (113:9): [True: 0, False: 4.17k] ------------------ 114| 0| freed.second += next->second->first; 115| 0| size_to_free_chunk.erase(next->second); 116| 0| chunks_free.erase(next); 117| 0| } 118| | 119| | // Add/set space with coalesced free chunk 120| 4.17k| auto it = size_to_free_chunk.emplace(freed.second, freed.first); 121| 4.17k| chunks_free[freed.first] = it; 122| 4.17k| chunks_free_end[freed.first + freed.second] = it; 123| 4.17k|} _ZN10LockedPool5allocEm: 286| 4.17k|{ 287| 4.17k| std::lock_guard lock(mutex); 288| | 289| | // Don't handle impossible sizes 290| 4.17k| if (size == 0 || size > ARENA_SIZE) ------------------ | Branch (290:9): [True: 0, False: 4.17k] | Branch (290:22): [True: 0, False: 4.17k] ------------------ 291| 0| return nullptr; 292| | 293| | // Try allocating from each current arena 294| 4.17k| for (auto &arena: arenas) { ------------------ | Branch (294:21): [True: 4.17k, False: 0] ------------------ 295| 4.17k| void *addr = arena.alloc(size); 296| 4.17k| if (addr) { ------------------ | Branch (296:13): [True: 4.17k, False: 0] ------------------ 297| 4.17k| return addr; 298| 4.17k| } 299| 4.17k| } 300| | // If that fails, create a new one 301| 0| if (new_arena(ARENA_SIZE, ARENA_ALIGN)) { ------------------ | Branch (301:9): [True: 0, False: 0] ------------------ 302| 0| return arenas.back().alloc(size); 303| 0| } 304| 0| return nullptr; 305| 0|} _ZN10LockedPool4freeEPv: 308| 4.17k|{ 309| 4.17k| std::lock_guard lock(mutex); 310| | // TODO we can do better than this linear search by keeping a map of arena 311| | // extents to arena, and looking up the address. 312| 4.17k| for (auto &arena: arenas) { ------------------ | Branch (312:21): [True: 4.17k, False: 0] ------------------ 313| 4.17k| if (arena.addressInArena(ptr)) { ------------------ | Branch (313:13): [True: 4.17k, False: 0] ------------------ 314| 4.17k| arena.free(ptr); 315| 4.17k| return; 316| 4.17k| } 317| 4.17k| } 318| 0| throw std::runtime_error("LockedPool: invalid address not pointing to any arena"); 319| 4.17k|} lockedpool.cpp:_ZL8align_upmm: 33| 4.17k|{ 34| 4.17k| return (x + align - 1) & ~(align - 1); 35| 4.17k|} _ZNK5Arena14addressInArenaEPv: 90| 4.17k| bool addressInArena(void *ptr) const { return ptr >= base && ptr < end; } ------------------ | Branch (90:51): [True: 4.17k, False: 0] | Branch (90:66): [True: 4.17k, False: 0] ------------------ _ZN17LockedPoolManager8InstanceEv: 223| 8.35k| { 224| 8.35k| static std::once_flag init_flag; 225| 8.35k| std::call_once(init_flag, LockedPoolManager::CreateInstance); 226| 8.35k| return *LockedPoolManager::_instance; 227| 8.35k| } _ZN18FuzzedDataProviderC2EPKhm: 37| 2.31k| : data_ptr_(data), remaining_bytes_(size) {} _ZN18FuzzedDataProvider15ConsumeIntegralIhEET_v: 195| 1.90k|template T FuzzedDataProvider::ConsumeIntegral() { 196| 1.90k| return ConsumeIntegralInRange(std::numeric_limits::min(), 197| 1.90k| std::numeric_limits::max()); 198| 1.90k|} _ZN18FuzzedDataProvider22ConsumeIntegralInRangeIhEET_S1_S1_: 205| 1.90k|T FuzzedDataProvider::ConsumeIntegralInRange(T min, T max) { 206| 1.90k| static_assert(std::is_integral::value, "An integral type is required."); 207| 1.90k| static_assert(sizeof(T) <= sizeof(uint64_t), "Unsupported integral type."); 208| | 209| 1.90k| if (min > max) ------------------ | Branch (209:7): [True: 0, False: 1.90k] ------------------ 210| 0| abort(); 211| | 212| | // Use the biggest type possible to hold the range and the result. 213| 1.90k| uint64_t range = static_cast(max) - static_cast(min); 214| 1.90k| uint64_t result = 0; 215| 1.90k| size_t offset = 0; 216| | 217| 2.02k| while (offset < sizeof(T) * CHAR_BIT && (range >> offset) > 0 && ------------------ | Branch (217:10): [True: 1.90k, False: 119] | Branch (217:43): [True: 1.90k, False: 0] ------------------ 218| 2.02k| remaining_bytes_ != 0) { ------------------ | Branch (218:10): [True: 119, False: 1.79k] ------------------ 219| | // Pull bytes off the end of the seed data. Experimentally, this seems to 220| | // allow the fuzzer to more easily explore the input space. This makes 221| | // sense, since it works by modifying inputs that caused new code to run, 222| | // and this data is often used to encode length of data read by 223| | // |ConsumeBytes|. Separating out read lengths makes it easier modify the 224| | // contents of the data that is actually read. 225| 119| --remaining_bytes_; 226| 119| result = (result << CHAR_BIT) | data_ptr_[remaining_bytes_]; 227| 119| offset += CHAR_BIT; 228| 119| } 229| | 230| | // Avoid division by 0, in case |range + 1| results in overflow. 231| 1.90k| if (range != std::numeric_limits::max()) ------------------ | Branch (231:7): [True: 1.90k, False: 0] ------------------ 232| 1.90k| result = result % (range + 1); 233| | 234| 1.90k| return static_cast(static_cast(min) + result); 235| 1.90k|} _ZN18FuzzedDataProvider11ConsumeBoolEv: 289| 1.90k|inline bool FuzzedDataProvider::ConsumeBool() { 290| 1.90k| return 1 & ConsumeIntegral(); 291| 1.90k|} _ZN18FuzzedDataProvider14CopyAndAdvanceEPvm: 339| 4.81k| size_t num_bytes) { 340| 4.81k| std::memcpy(destination, data_ptr_, num_bytes); 341| 4.81k| Advance(num_bytes); 342| 4.81k|} _ZN18FuzzedDataProvider7AdvanceEm: 344| 4.81k|inline void FuzzedDataProvider::Advance(size_t num_bytes) { 345| 4.81k| if (num_bytes > remaining_bytes_) ------------------ | Branch (345:7): [True: 0, False: 4.81k] ------------------ 346| 0| abort(); 347| | 348| 4.81k| data_ptr_ += num_bytes; 349| 4.81k| remaining_bytes_ -= num_bytes; 350| 4.81k|} _ZN18FuzzedDataProvider12ConsumeBytesIhEENSt3__16vectorIT_NS1_9allocatorIS3_EEEEm: 109| 4.57k|std::vector FuzzedDataProvider::ConsumeBytes(size_t num_bytes) { 110| 4.57k| num_bytes = std::min(num_bytes, remaining_bytes_); 111| 4.57k| return ConsumeBytes(num_bytes, num_bytes); 112| 4.57k|} _ZN18FuzzedDataProvider12ConsumeBytesIhEENSt3__16vectorIT_NS1_9allocatorIS3_EEEEmm: 353| 4.57k|std::vector FuzzedDataProvider::ConsumeBytes(size_t size, size_t num_bytes) { 354| 4.57k| static_assert(sizeof(T) == sizeof(uint8_t), "Incompatible data type."); 355| | 356| | // The point of using the size-based constructor below is to increase the 357| | // odds of having a vector object with capacity being equal to the length. 358| | // That part is always implementation specific, but at least both libc++ and 359| | // libstdc++ allocate the requested number of bytes in that constructor, 360| | // which seems to be a natural choice for other implementations as well. 361| | // To increase the odds even more, we also call |shrink_to_fit| below. 362| 4.57k| std::vector result(size); 363| 4.57k| if (size == 0) { ------------------ | Branch (363:7): [True: 355, False: 4.22k] ------------------ 364| 355| if (num_bytes != 0) ------------------ | Branch (364:9): [True: 0, False: 355] ------------------ 365| 0| abort(); 366| 355| return result; 367| 355| } 368| | 369| 4.22k| CopyAndAdvance(result.data(), num_bytes); 370| | 371| | // Even though |shrink_to_fit| is also implementation specific, we expect it 372| | // to provide an additional assurance in case vector's constructor allocated 373| | // a buffer which is larger than the actual amount of data we put inside it. 374| 4.22k| result.shrink_to_fit(); 375| 4.22k| return result; 376| 4.57k|} _ZN18FuzzedDataProvider12ConsumeBytesISt4byteEENSt3__16vectorIT_NS2_9allocatorIS4_EEEEm: 109| 5.72k|std::vector FuzzedDataProvider::ConsumeBytes(size_t num_bytes) { 110| 5.72k| num_bytes = std::min(num_bytes, remaining_bytes_); 111| 5.72k| return ConsumeBytes(num_bytes, num_bytes); 112| 5.72k|} _ZN18FuzzedDataProvider12ConsumeBytesISt4byteEENSt3__16vectorIT_NS2_9allocatorIS4_EEEEmm: 353| 5.72k|std::vector FuzzedDataProvider::ConsumeBytes(size_t size, size_t num_bytes) { 354| 5.72k| static_assert(sizeof(T) == sizeof(uint8_t), "Incompatible data type."); 355| | 356| | // The point of using the size-based constructor below is to increase the 357| | // odds of having a vector object with capacity being equal to the length. 358| | // That part is always implementation specific, but at least both libc++ and 359| | // libstdc++ allocate the requested number of bytes in that constructor, 360| | // which seems to be a natural choice for other implementations as well. 361| | // To increase the odds even more, we also call |shrink_to_fit| below. 362| 5.72k| std::vector result(size); 363| 5.72k| if (size == 0) { ------------------ | Branch (363:7): [True: 5.13k, False: 593] ------------------ 364| 5.13k| if (num_bytes != 0) ------------------ | Branch (364:9): [True: 0, False: 5.13k] ------------------ 365| 0| abort(); 366| 5.13k| return result; 367| 5.13k| } 368| | 369| 593| CopyAndAdvance(result.data(), num_bytes); 370| | 371| | // Even though |shrink_to_fit| is also implementation specific, we expect it 372| | // to provide an additional assurance in case vector's constructor allocated 373| | // a buffer which is larger than the actual amount of data we put inside it. 374| 593| result.shrink_to_fit(); 375| 593| return result; 376| 5.72k|} LLVMFuzzerTestOneInput: 222| 2.31k|{ 223| 2.31k| test_one_input({data, size}); 224| 2.31k| return 0; 225| 2.31k|} fuzz.cpp:_ZL14test_one_inputNSt3__14spanIKhLm18446744073709551615EEE: 83| 2.31k|{ 84| 2.31k| CheckGlobals check{}; 85| 2.31k| (*Assert(g_test_one_input))(buffer); ------------------ | | 85| 2.31k|#define Assert(val) inline_assertion_check(val, __FILE__, __LINE__, __func__, #val) ------------------ 86| 2.31k|} _Z23bip324_ecdh_fuzz_targetNSt3__14spanIKhLm18446744073709551615EEE: 324| 2.31k|{ 325| 2.31k| FuzzedDataProvider fdp{buffer.data(), buffer.size()}; 326| | 327| | // We generate private key, k1. 328| 2.31k| CKey k1 = ConsumePrivateKey(fdp, /*compressed=*/true); 329| 2.31k| if (!k1.IsValid()) return; ------------------ | Branch (329:9): [True: 46, False: 2.26k] ------------------ 330| | 331| | // They generate private key, k2. 332| 2.26k| CKey k2 = ConsumePrivateKey(fdp, /*compressed=*/true); 333| 2.26k| if (!k2.IsValid()) return; ------------------ | Branch (333:9): [True: 357, False: 1.90k] ------------------ 334| | 335| | // We construct an ellswift encoding for our key, k1_ellswift. 336| 1.90k| auto ent32_1 = fdp.ConsumeBytes(32); 337| 1.90k| ent32_1.resize(32); 338| 1.90k| auto k1_ellswift = k1.EllSwiftCreate(ent32_1); 339| | 340| | // They construct an ellswift encoding for their key, k2_ellswift. 341| 1.90k| auto ent32_2 = fdp.ConsumeBytes(32); 342| 1.90k| ent32_2.resize(32); 343| 1.90k| auto k2_ellswift = k2.EllSwiftCreate(ent32_2); 344| | 345| | // They construct another (possibly distinct) ellswift encoding for their key, k2_ellswift_bad. 346| 1.90k| auto ent32_2_bad = fdp.ConsumeBytes(32); 347| 1.90k| ent32_2_bad.resize(32); 348| 1.90k| auto k2_ellswift_bad = k2.EllSwiftCreate(ent32_2_bad); 349| 1.90k| assert((ent32_2_bad == ent32_2) == (k2_ellswift_bad == k2_ellswift)); 350| | 351| | // Determine who is who. 352| 1.90k| bool initiating = fdp.ConsumeBool(); 353| | 354| | // We compute our shared secret using our key and their public key. 355| 1.90k| auto ecdh_secret_1 = k1.ComputeBIP324ECDHSecret(k2_ellswift, k1_ellswift, initiating); 356| | // They compute their shared secret using their key and our public key. 357| 1.90k| auto ecdh_secret_2 = k2.ComputeBIP324ECDHSecret(k1_ellswift, k2_ellswift, !initiating); 358| | // Those must match, as everyone is behaving correctly. 359| 1.90k| assert(ecdh_secret_1 == ecdh_secret_2); 360| | 361| 1.90k| if (k1_ellswift != k2_ellswift) { ------------------ | Branch (361:9): [True: 1.90k, False: 4] ------------------ 362| | // Unless the two keys are exactly identical, acting as the wrong party breaks things. 363| 1.90k| auto ecdh_secret_bad = k1.ComputeBIP324ECDHSecret(k2_ellswift, k1_ellswift, !initiating); 364| 1.90k| assert(ecdh_secret_bad != ecdh_secret_1); 365| 1.90k| } 366| | 367| 1.90k| if (k2_ellswift_bad != k2_ellswift) { ------------------ | Branch (367:9): [True: 188, False: 1.72k] ------------------ 368| | // Unless both encodings created by them are identical, using the second one breaks things. 369| 188| auto ecdh_secret_bad = k1.ComputeBIP324ECDHSecret(k2_ellswift_bad, k1_ellswift, initiating); 370| 188| assert(ecdh_secret_bad != ecdh_secret_1); 371| 188| } 372| 1.90k|} _Z17ConsumePrivateKeyR18FuzzedDataProviderNSt3__18optionalIbEE: 231| 4.57k|{ 232| 4.57k| auto key_data = fuzzed_data_provider.ConsumeBytes(32); 233| 4.57k| key_data.resize(32); 234| 4.57k| CKey key; 235| 4.57k| bool compressed_value = compressed ? *compressed : fuzzed_data_provider.ConsumeBool(); ------------------ | Branch (235:29): [True: 4.57k, False: 0] ------------------ 236| 4.57k| key.Set(key_data.begin(), key_data.end(), compressed_value); 237| 4.57k| return key; 238| 4.57k|} _ZN12CheckGlobalsC2Ev: 56| 2.31k|CheckGlobals::CheckGlobals() : m_impl(std::make_unique()) {} _ZN12CheckGlobalsD2Ev: 57| 2.31k|CheckGlobals::~CheckGlobals() = default; _ZN16CheckGlobalsImplC2Ev: 17| 2.31k| { 18| 2.31k| g_used_g_prng = false; 19| 2.31k| g_seeded_g_prng_zero = false; 20| 2.31k| g_used_system_time = false; 21| 2.31k| SetMockTime(0s); 22| 2.31k| } _ZN16CheckGlobalsImplD2Ev: 24| 2.31k| { 25| 2.31k| if (g_used_g_prng && !g_seeded_g_prng_zero) { ------------------ | Branch (25:13): [True: 0, False: 2.31k] | Branch (25:30): [True: 0, False: 0] ------------------ 26| 0| std::cerr << "\n\n" 27| 0| "The current fuzz target used the global random state.\n\n" 28| | 29| 0| "This is acceptable, but requires the fuzz target to call \n" 30| 0| "SeedRandomStateForTest(SeedRand::ZEROS) in the first line \n" 31| 0| "of the FUZZ_TARGET function.\n\n" 32| | 33| 0| "An alternative solution would be to avoid any use of globals.\n\n" 34| | 35| 0| "Without a solution, fuzz instability and non-determinism can lead \n" 36| 0| "to non-reproducible bugs or inefficient fuzzing.\n\n" 37| 0| << std::endl; 38| 0| std::abort(); // Abort, because AFL may try to recover from a std::exit 39| 0| } 40| | 41| 2.31k| if (g_used_system_time) { ------------------ | Branch (41:13): [True: 0, False: 2.31k] ------------------ 42| 0| std::cerr << "\n\n" 43| 0| "The current fuzz target accessed system time.\n\n" 44| | 45| 0| "This is acceptable, but requires the fuzz target to call \n" 46| 0| "SetMockTime() at the beginning of processing the fuzz input.\n\n" 47| | 48| 0| "Without setting mock time, time-dependent behavior can lead \n" 49| 0| "to non-reproducible bugs or inefficient fuzzing.\n\n" 50| 0| << std::endl; 51| 0| std::abort(); 52| 0| } 53| 2.31k| } _Z22inline_assertion_checkILb1EbEOT0_S1_PKciS3_S3_: 52| 2.31k|{ 53| 2.31k| if (IS_ASSERT || std::is_constant_evaluated() || G_FUZZING ------------------ | Branch (53:9): [Folded - Ignored] | Branch (53:22): [Folded - Ignored] | Branch (53:54): [Folded - Ignored] ------------------ 54| |#ifdef ABORT_ON_FAILED_ASSUME 55| | || true 56| |#endif 57| 2.31k| ) { 58| 2.31k| if (!val) { ------------------ | Branch (58:13): [True: 0, False: 2.31k] ------------------ 59| 0| assertion_fail(file, line, func, assertion); 60| 0| } 61| 2.31k| } 62| 2.31k| return std::forward(val); 63| 2.31k|} _Z22inline_assertion_checkILb1ERPKNSt3__18functionIFvNS0_4spanIKhLm18446744073709551615EEEEEEEOT0_SB_PKciSD_SD_: 52| 2.31k|{ 53| 2.31k| if (IS_ASSERT || std::is_constant_evaluated() || G_FUZZING ------------------ | Branch (53:9): [Folded - Ignored] | Branch (53:22): [Folded - Ignored] | Branch (53:54): [Folded - Ignored] ------------------ 54| |#ifdef ABORT_ON_FAILED_ASSUME 55| | || true 56| |#endif 57| 2.31k| ) { 58| 2.31k| if (!val) { ------------------ | Branch (58:13): [True: 0, False: 2.31k] ------------------ 59| 0| assertion_fail(file, line, func, assertion); 60| 0| } 61| 2.31k| } 62| 2.31k| return std::forward(val); 63| 2.31k|} _Z11SetMockTimeNSt3__16chrono8durationIxNS_5ratioILl1ELl1EEEEE: 42| 2.31k|{ 43| 2.31k| Assert(mock_time_in >= 0s); ------------------ | | 85| 2.31k|#define Assert(val) inline_assertion_check(val, __FILE__, __LINE__, __func__, #val) ------------------ 44| 2.31k| g_mock_time.store(mock_time_in, std::memory_order_relaxed); 45| 2.31k|}