Add secp256k1_fe_add

sipa commented at 9:45 pm on March 1, 2023: contributor

This adds a new field function secp256k1_fe_add_int which is equivalent to secp256k1_fe_set_int + secp256k1_fe_add, which is a pattern that occurs a few times, and uses a needlessly convoluted computation for an absolutely trivial effect (incrementing one limb variable). Existing PRs like #1118 and #1129 add more ways this function would be useful.

in src/group_impl.h:379 in 42518bf1f8 outdated

375@@ -376,7 +376,7 @@ static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, cons
376             secp256k1_gej_double_var(r, a, rzr);
377         } else {
378             if (rzr != NULL) {
379-                secp256k1_fe_set_int(rzr, 0);
380+                secp256k1_fe_clear(rzr);

real-or-random commented at 10:02 am on March 2, 2023:

This reminds me of https://github.com/bitcoin-core/secp256k1/pull/636/commits/b33a8e49e89f5a1ea02a9b9b9b208cb4f3d59e44 Okay, the PR is almost 4 years old now… :/ But I should continue the work at some point.

Currently, clear is mostly used to kill secrets (though that doesn’t work due to dead-store elimination), and this should be separated from setting to 0 in the future for the purposes of the aforementioned PR. Now, the advantage of clear over set_int(0) is that the former sets the magnitude to 0 instead of 1. In the mentioned PR, I change set_int to do the same for input 0 but that’s a bad idea because we want statically implied magnitude in the long term. The proper solution to all of this is a set_zero function that guarantees to set the value and magnitude to 0 (and won’t just clear out memory).

What does this mean for this PR? To avoid getting side tracked again, I’d say don’t introduce that new function here, but maybe keep that line and the instances below just how it is. That avoids introducing more code locations where clear is not used for clearing memory. The current behavior of setting magnitude of 1 is apparently good enough with the current code.

sipa commented at 10:10 pm on March 2, 2023:

Done, I’ve refrained from touching any set_int(..., 0) -> clear(...).

in src/field_5x52_impl.h:432 in 42518bf1f8 outdated

424@@ -425,6 +425,20 @@ SECP256K1_INLINE static void secp256k1_fe_mul_int(secp256k1_fe *r, int a) {
425 #endif
426 }
427 
428+SECP256K1_INLINE static void secp256k1_fe_add_int(secp256k1_fe *r, int a) {
429+#ifdef VERIFY
430+    secp256k1_fe_verify(r);
431+    VERIFY_CHECK(a >= 0);
432+    VERIFY_CHECK(a <= 0xFFFF);

real-or-random commented at 10:05 am on March 2, 2023:

Is there a reason to keep it in these bounds? Sorry if it’s obvious, but I don’t see it.

sipa commented at 10:11 pm on March 2, 2023:

Apparently (for unclear reasons…) set_int is restricted to range 0…0x7FFF. The 0xFFFF is a typo here; I wanted to copy the bound, so that the tests can verify correspondence between add_int and set_int + add.

real-or-random commented at 10:46 pm on March 2, 2023:

0x7FFF is the minimum portable MAX_INT, see #943 (review)

in src/field.h:88 in 42518bf1f8 outdated

84@@ -85,6 +85,9 @@ static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a);
85  *  as an argument. The magnitude of the output is one higher. */
86 static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k1_fe *a, int m);
87 
88+/** Adds a small integer (up to 0x7FFF) to r. The resulting magnitude increases by one. */

real-or-random commented at 10:07 am on March 2, 2023:

0/** Adds a small integer (up to 0xFFFF) to r. The resulting magnitude increases by one. */

At least that’s what you VERIFY_CHECK.

sipa commented at 10:11 pm on March 2, 2023:

Changed to 0x7FFF everywhere instead.

real-or-random commented at 10:10 am on March 2, 2023: contributor

Nice! Concept ACK

Add secp256k1_fe_add_int function b081f7e4cb

sipa force-pushed on Mar 2, 2023

real-or-random approved

real-or-random commented at 10:21 pm on March 2, 2023: contributor

utACK b081f7e4cbfd27edc36e823dcd93537a46f7d2a6

jonasnick commented at 2:06 pm on March 7, 2023: contributor

ACK b081f7e4cbfd27edc36e823dcd93537a46f7d2a6

jonasnick merged this on Mar 7, 2023

jonasnick closed this on Mar 7, 2023

sipa cross-referenced this on Mar 7, 2023 from issue Add x-only ecmult_const version with x specified as n/d by sipa

sipa cross-referenced this on Mar 7, 2023 from issue ElligatorSwift + integrated x-only DH by sipa

dhruv referenced this in commit a5df79db12 on Mar 7, 2023

dhruv referenced this in commit 77b510d84c on Mar 7, 2023

sipa referenced this in commit 763079a3f1 on Mar 8, 2023

in src/group_impl.h:230 in b081f7e4cb

226@@ -227,7 +227,7 @@ static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int o
227     secp256k1_fe_sqr(&x2, x);
228     secp256k1_fe_mul(&x3, x, &x2);
229     r->infinity = 0;
230-    secp256k1_fe_add(&x3, &secp256k1_fe_const_b);

roconnor-blockstream commented at 4:01 pm on March 14, 2023:

secp256k1_fe_const_b is now unused.

real-or-random commented at 5:40 pm on April 20, 2023:

@roconnor-blockstream Good catch. Do you want to open a PR to remove it?

roconnor-blockstream commented at 5:53 pm on April 20, 2023:

I suppose I can do that.

div72 referenced this in commit 945b094575 on Mar 14, 2023

roconnor-blockstream referenced this in commit d6be470ee5 on Apr 20, 2023

roconnor-blockstream cross-referenced this on Apr 20, 2023 from issue Remove secp256k1_fe_const_b by roconnor-blockstream

sipa cross-referenced this on Apr 20, 2023 from issue Get rid of secp256k1_fe_const_b by sipa

real-or-random referenced this in commit f6bef03c0a on Apr 21, 2023

sipa cross-referenced this on May 11, 2023 from issue Abstract out and merge all the magnitude/normalized logic by sipa

vmta referenced this in commit e1120c94a1 on Jun 4, 2023

vmta referenced this in commit 8f03457eed on Jul 1, 2023

jonasnick cross-referenced this on Jul 20, 2023 from issue Upstream PRs 1160, 1193, 1169, 1190, 1192, 1194, 1196, 1195, 1170, 1172, 1200, 1199, 1203, 1201, 1206, 1078, 1209, 979, 1212, 1218, 1217, 1221, 1222 by jonasnick

Add secp256k1_fe_add_int function #1217