Add secp256k1_fe_add_int function #1217

pull sipa wants to merge 1 commits into bitcoin-core:master from sipa:202303_add_int changing 5 files +43 −3
  1. sipa commented at 9:45 pm on March 1, 2023: contributor

    Suggested here: #1118 (review)

    This adds a new field function secp256k1_fe_add_int which is equivalent to secp256k1_fe_set_int + secp256k1_fe_add, which is a pattern that occurs a few times, and uses a needlessly convoluted computation for an absolutely trivial effect (incrementing one limb variable). Existing PRs like #1118 and #1129 add more ways this function would be useful.

  2. in src/group_impl.h:379 in 42518bf1f8 outdated
    375@@ -376,7 +376,7 @@ static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, cons
    376             secp256k1_gej_double_var(r, a, rzr);
    377         } else {
    378             if (rzr != NULL) {
    379-                secp256k1_fe_set_int(rzr, 0);
    380+                secp256k1_fe_clear(rzr);
    


    real-or-random commented at 10:02 am on March 2, 2023:

    This reminds me of https://github.com/bitcoin-core/secp256k1/pull/636/commits/b33a8e49e89f5a1ea02a9b9b9b208cb4f3d59e44 Okay, the PR is almost 4 years old now… :/ But I should continue the work at some point.

    Currently, clear is mostly used to kill secrets (though that doesn’t work due to dead-store elimination), and this should be separated from setting to 0 in the future for the purposes of the aforementioned PR. Now, the advantage of clear over set_int(0) is that the former sets the magnitude to 0 instead of 1. In the mentioned PR, I change set_int to do the same for input 0 but that’s a bad idea because we want statically implied magnitude in the long term. The proper solution to all of this is a set_zero function that guarantees to set the value and magnitude to 0 (and won’t just clear out memory).

    What does this mean for this PR? To avoid getting side tracked again, I’d say don’t introduce that new function here, but maybe keep that line and the instances below just how it is. That avoids introducing more code locations where clear is not used for clearing memory. The current behavior of setting magnitude of 1 is apparently good enough with the current code.


    sipa commented at 10:10 pm on March 2, 2023:
    Done, I’ve refrained from touching any set_int(..., 0) -> clear(...).
  3. in src/field_5x52_impl.h:432 in 42518bf1f8 outdated
    424@@ -425,6 +425,20 @@ SECP256K1_INLINE static void secp256k1_fe_mul_int(secp256k1_fe *r, int a) {
    425 #endif
    426 }
    427 
    428+SECP256K1_INLINE static void secp256k1_fe_add_int(secp256k1_fe *r, int a) {
    429+#ifdef VERIFY
    430+    secp256k1_fe_verify(r);
    431+    VERIFY_CHECK(a >= 0);
    432+    VERIFY_CHECK(a <= 0xFFFF);
    


    real-or-random commented at 10:05 am on March 2, 2023:
    Is there a reason to keep it in these bounds? Sorry if it’s obvious, but I don’t see it.

    sipa commented at 10:11 pm on March 2, 2023:
    Apparently (for unclear reasons…) set_int is restricted to range 0…0x7FFF. The 0xFFFF is a typo here; I wanted to copy the bound, so that the tests can verify correspondence between add_int and set_int + add.

    real-or-random commented at 10:46 pm on March 2, 2023:
    0x7FFF is the minimum portable MAX_INT, see #943 (review)
  4. in src/field.h:88 in 42518bf1f8 outdated
    84@@ -85,6 +85,9 @@ static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a);
    85  *  as an argument. The magnitude of the output is one higher. */
    86 static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k1_fe *a, int m);
    87 
    88+/** Adds a small integer (up to 0x7FFF) to r. The resulting magnitude increases by one. */
    


    real-or-random commented at 10:07 am on March 2, 2023:
    0/** Adds a small integer (up to 0xFFFF) to r. The resulting magnitude increases by one. */
    

    At least that’s what you VERIFY_CHECK.


    sipa commented at 10:11 pm on March 2, 2023:
    Changed to 0x7FFF everywhere instead.
  5. real-or-random commented at 10:10 am on March 2, 2023: contributor
    Nice! Concept ACK
  6. Add secp256k1_fe_add_int function b081f7e4cb
  7. sipa force-pushed on Mar 2, 2023
  8. real-or-random approved
  9. real-or-random commented at 10:21 pm on March 2, 2023: contributor
    utACK b081f7e4cbfd27edc36e823dcd93537a46f7d2a6
  10. jonasnick commented at 2:06 pm on March 7, 2023: contributor
    ACK b081f7e4cbfd27edc36e823dcd93537a46f7d2a6
  11. jonasnick merged this on Mar 7, 2023
  12. jonasnick closed this on Mar 7, 2023

  13. sipa cross-referenced this on Mar 7, 2023 from issue Add x-only ecmult_const version with x specified as n/d by sipa
  14. sipa cross-referenced this on Mar 7, 2023 from issue ElligatorSwift + integrated x-only DH by sipa
  15. dhruv referenced this in commit a5df79db12 on Mar 7, 2023
  16. dhruv referenced this in commit 77b510d84c on Mar 7, 2023
  17. sipa referenced this in commit 763079a3f1 on Mar 8, 2023
  18. in src/group_impl.h:230 in b081f7e4cb
    226@@ -227,7 +227,7 @@ static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int o
    227     secp256k1_fe_sqr(&x2, x);
    228     secp256k1_fe_mul(&x3, x, &x2);
    229     r->infinity = 0;
    230-    secp256k1_fe_add(&x3, &secp256k1_fe_const_b);
    


    roconnor-blockstream commented at 4:01 pm on March 14, 2023:
    secp256k1_fe_const_b is now unused.

    real-or-random commented at 5:40 pm on April 20, 2023:
    @roconnor-blockstream Good catch. Do you want to open a PR to remove it?

    roconnor-blockstream commented at 5:53 pm on April 20, 2023:
    I suppose I can do that.
  19. div72 referenced this in commit 945b094575 on Mar 14, 2023
  20. roconnor-blockstream referenced this in commit d6be470ee5 on Apr 20, 2023
  21. roconnor-blockstream cross-referenced this on Apr 20, 2023 from issue Remove secp256k1_fe_const_b by roconnor-blockstream
  22. sipa cross-referenced this on Apr 20, 2023 from issue Get rid of secp256k1_fe_const_b by sipa
  23. real-or-random referenced this in commit f6bef03c0a on Apr 21, 2023
  24. sipa cross-referenced this on May 11, 2023 from issue Abstract out and merge all the magnitude/normalized logic by sipa
  25. vmta referenced this in commit e1120c94a1 on Jun 4, 2023
  26. vmta referenced this in commit 8f03457eed on Jul 1, 2023

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-10-30 03:15 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me