Permalink
Switch branches/tags
Nothing to show
Find file Copy path
6e5d9ad Jan 23, 2017
540 lines (444 sloc) 15.8 KB
/* Copyright (c) 2015 Nicolas Courtois, Guangyan Song, Ryan Castellucci, All Rights Reserved */
#include "ec_pubkey_fast.h"
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include "secp256k1/src/libsecp256k1-config.h"
#include "secp256k1/include/secp256k1.h"
#include "secp256k1/src/util.h"
#include "secp256k1/src/num_impl.h"
#include "secp256k1/src/field_impl.h"
#include "secp256k1/src/field_10x26_impl.h"
#include "secp256k1/src/scalar_impl.h"
#include "secp256k1/src/group_impl.h"
#include "secp256k1/src/ecmult_gen_impl.h"
#include "secp256k1/src/ecmult.h"
#include "secp256k1/src/eckey_impl.h"
static int secp256k1_eckey_pubkey_parse(secp256k1_ge_t *elem, const unsigned char *pub, int size);
#include "mmapf.h"
#undef ASSERT
#define READBIT(A, B) ((A >> (B & 7)) & 1)
#define SETBIT(T, B, V) (T = V ? T | (1<<B) : T & ~(1<<B))
int n_windows = 0;
int n_values;
secp256k1_gej_t nums_gej;
secp256k1_ge_t *prec;
int remmining = 0;
int WINDOW_SIZE = 0;
size_t MMAP_SIZE;
mmapf_ctx prec_mmapf;
int secp256k1_ec_pubkey_precomp_table_save(int window_size, unsigned char *filename) {
int fd, ret;
size_t records;
FILE *dest;
if ((ret = secp256k1_ec_pubkey_precomp_table(window_size, NULL)) < 0)
return ret;
if ((fd = open(filename, O_RDWR | O_CREAT | O_EXCL, 0660)) < 0)
return fd;
records = n_windows*n_values;
dest = fdopen(fd, "w");
if (fwrite(prec, sizeof(secp256k1_ge_t), n_windows*n_values, dest) != records)
return -1;
return 0;
}
int secp256k1_ec_pubkey_precomp_table(int window_size, unsigned char *filename) {
int ret;
struct stat sb;
size_t prec_sz;
secp256k1_gej_t gj; // base point in jacobian coordinates
secp256k1_gej_t *table;
if (filename) {
if (stat(filename, &sb) == 0) {
if (!S_ISREG(sb.st_mode))
return -100;
} else {
return -101;
}
}
// try to find a window size that matched the file size
for (;;) {
WINDOW_SIZE = window_size;
n_values = 1 << window_size;
if (256 % window_size == 0) {
n_windows = (256 / window_size);
} else {
n_windows = (256 / window_size) + 1;
}
remmining = 256 % window_size;
prec_sz = n_windows*n_values*sizeof(secp256k1_ge_t);
if (!filename || sb.st_size <= prec_sz)
break;
++window_size;
}
if ((ret = mmapf(&prec_mmapf, filename, prec_sz, MMAPF_RNDRD)) != MMAPF_OKAY) {
fprintf(stderr, "failed to open ecmult table '%s': %s\n", filename, mmapf_strerror(ret));
exit(1);
} else if (prec_mmapf.mem == NULL) {
fprintf(stderr, "got NULL pointer from mmapf\n");
exit(1);
}
prec = prec_mmapf.mem;
if (filename) { return 0; }
table = malloc(n_windows*n_values*sizeof(secp256k1_gej_t));
secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
//fprintf(stderr, "%d %d %d %d %zu\n", window_size, n_windows, n_values, remmining, prec_sz);
static const unsigned char nums_b32[33] = "The scalar for this x is unknown";
secp256k1_fe_t nums_x;
secp256k1_ge_t nums_ge;
VERIFY_CHECK(secp256k1_fe_set_b32(&nums_x, nums_b32));
VERIFY_CHECK(secp256k1_ge_set_xo_var(&nums_ge, &nums_x, 0));
secp256k1_gej_set_ge(&nums_gej, &nums_ge);
/* Add G to make the bits in x uniformly distributed. */
secp256k1_gej_add_ge_var(&nums_gej, &nums_gej, &secp256k1_ge_const_g, NULL);
secp256k1_gej_t gbase;
secp256k1_gej_t numsbase;
gbase = gj; /* (2^w_size)^num_of_windows * G */
numsbase = nums_gej; /* 2^num_of_windows * nums. */
for (int j = 0; j < n_windows; j++) {
//[number of windows][each value from 0 - (2^window_size - 1)]
table[j*n_values] = numsbase;
for (int i = 1; i < n_values; i++) {
secp256k1_gej_add_var(&table[j*n_values + i], &table[j*n_values + i - 1], &gbase, NULL);
}
for (int i = 0; i < window_size; i++) {
secp256k1_gej_double_var(&gbase, &gbase, NULL);
}
/* Multiply numbase by 2. */
secp256k1_gej_double_var(&numsbase, &numsbase, NULL);
if (j == n_windows-2) {
/* In the last iteration, numsbase is (1 - 2^j) * nums instead. */
secp256k1_gej_neg(&numsbase, &numsbase);
secp256k1_gej_add_var(&numsbase, &numsbase, &nums_gej, NULL);
}
}
secp256k1_ge_set_all_gej_var(n_windows*n_values, prec, table, 0);
free(table);
return 0;
}
static void secp256k1_ecmult_gen2(secp256k1_gej_t *r, const unsigned char *seckey){
unsigned char a[256];
for (int j = 0; j < 32; j++) {
for (int i = 0; i < 8; i++) {
a[i+j*8] = READBIT(seckey[31-j], i);
}
}
r->infinity = 1;
int bits;
for (int j = 0; j < n_windows; j++) {
if (j == n_windows -1 && remmining != 0) {
bits = 0;
for (int i = 0; i < remmining; i++) {
SETBIT(bits,i,a[i + j * WINDOW_SIZE]);
}
} else {
bits = 0;
for (int i = 0; i < WINDOW_SIZE; i++) {
SETBIT(bits,i,a[i + j * WINDOW_SIZE]);
}
}
#if 1
secp256k1_gej_add_ge_var(r, r, &prec[j*n_values + bits], NULL);
#else
secp256k1_gej_add_ge(r, r, &prec[j*n_values + bits]);
#endif
}
}
#ifdef USE_BL_ARITHMETIC
static void secp256k1_gej_add_ge_bl(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_ge_t *b, secp256k1_fe_t *rzr) {
secp256k1_fe_t z1z1, /*z1,*/ u2, x1, y1, t0, s2, h, hh, i, j, t1, rr, v, t2, t3, t4, t5, t6, t7, t8, t9, t10, t11;
// 7M + 4S + 2 normalize + 22 mul_int/add/negate
if (a->infinity) {
VERIFY_CHECK(rzr == NULL);
secp256k1_gej_set_ge(r, b);
return;
}
if (b->infinity) {
if (rzr) {
secp256k1_fe_set_int(rzr, 1);
}
*r = *a;
return;
}
r->infinity = 0;
x1 = a->x; secp256k1_fe_normalize_weak(&x1);
y1 = a->y; secp256k1_fe_normalize_weak(&y1);
secp256k1_fe_sqr(&z1z1, &a->z); // z1z1 = z1^2
secp256k1_fe_mul(&u2, &b->x, &z1z1); // u2 = x2*z1z1
secp256k1_fe_mul(&t0, &a->z, &z1z1); // t0 = z1*z1z1
secp256k1_fe_mul(&s2, &b->y, &t0); // s2 = y2 * t0
secp256k1_fe_negate(&h, &x1, 1); secp256k1_fe_add(&h, &u2); // h = u2-x1 (3)
secp256k1_fe_sqr(&hh,&h); // hh = h^2
i = hh; secp256k1_fe_mul_int(&i,4); // i = 4*hh
if (secp256k1_fe_normalizes_to_zero_var(&h)) {
if (secp256k1_fe_normalizes_to_zero_var(&i)) {
secp256k1_gej_double_var(r, a, rzr);
} else {
if (rzr) {
secp256k1_fe_set_int(rzr, 0);
}
r->infinity = 1;
}
return;
}
secp256k1_fe_mul(&j,&h,&i); // j = h*i
secp256k1_fe_negate(&t1, &y1, 1); secp256k1_fe_add(&t1, &s2); // t1 = s2-y1
rr = t1; secp256k1_fe_mul_int(&rr, 2); // rr = 2 * t1;
secp256k1_fe_mul(&v, &x1, &i); // v = x1 * i
secp256k1_fe_sqr(&t2, &rr); // t2 = rr^2
t3 = v; secp256k1_fe_mul_int(&t3, 2); // t3 = 2*v
secp256k1_fe_negate(&t4, &j, 1); secp256k1_fe_add(&t4, &t2); // t4 = t2 - j
secp256k1_fe_negate(&r->x, &t3, 2); secp256k1_fe_add(&r->x, &t4); // x3 = t4 - t3;
//secp256k1_fe_normalize_weak(&r->x);
secp256k1_fe_negate(&t5, &r->x, 6); secp256k1_fe_add(&t5, &v); // t5 = v - x3
secp256k1_fe_mul(&t6,&y1,&j); // t6 = y1 * j
t7 = t6; secp256k1_fe_mul_int(&t7,2); // t7 = 2*t6;
secp256k1_fe_mul(&t8,&rr,&t5); // t8 = rr* t5;
secp256k1_fe_negate(&r->y, &t7, 2); secp256k1_fe_add(&r->y,&t8); // y3 = t8-t7
//secp256k1_fe_normalize_weak(&r->y);
t9 = h; secp256k1_fe_add(&t9, &a->z); // t9 = z1 + h
secp256k1_fe_sqr(&t10, &t9); // t10 = t9^2
secp256k1_fe_negate(&t11, &z1z1, 1); secp256k1_fe_add(&t11, &t10); // t11 = t10-z1z1
secp256k1_fe_negate(&r->z, &hh, 1); secp256k1_fe_add(&r->z, &t11); // z3 = t11 - hh
}
static void secp256k1_ecmult_gen_bl(secp256k1_gej_t *r, const unsigned char *seckey){
unsigned char a[256];
for (int j = 0; j < 32; j++){
for (int i = 0; i < 8; i++){
a[i+j*8] = READBIT(seckey[31-j], i);
}
}
r->infinity = 1;
int bits;
for (int j = 0; j < n_windows; j++) {
if (j == n_windows -1 && remmining != 0) {
bits = 0;
for (int i = 0; i < remmining; i++) {
SETBIT(bits,i,a[i + j * WINDOW_SIZE]);
}
//bits = secp256k1_scalar_get_bits2(a, j * WINDOW_SIZE, remmining);
} else {
bits = 0;
for (int i = 0; i < WINDOW_SIZE; i++) {
SETBIT(bits,i,a[i + j * WINDOW_SIZE]);
}
//bits = secp256k1_scalar_get_bits2(a, j * WINDOW_SIZE, WINDOW_SIZE);
}
secp256k1_gej_add_ge_bl(r, r, &prec[j*n_values + bits], NULL);
}
}
#endif
int secp256k1_ec_pubkey_create_precomp(unsigned char *pub_chr, int *pub_chr_sz, const unsigned char *seckey) {
secp256k1_gej_t pj;
secp256k1_ge_t p;
#ifdef USE_BL_ARITHMETIC
secp256k1_ecmult_gen_bl(&pj, seckey);
#else
secp256k1_ecmult_gen2(&pj, seckey);
#endif
secp256k1_ge_set_gej(&p, &pj);
*pub_chr_sz = 65;
pub_chr[0] = 4;
secp256k1_fe_normalize_var(&p.x);
secp256k1_fe_normalize_var(&p.y);
secp256k1_fe_get_b32(pub_chr + 1, &p.x);
secp256k1_fe_get_b32(pub_chr + 33, &p.y);
return 0;
}
static secp256k1_gej_t *batchpj;
static secp256k1_ge_t *batchpa;
static secp256k1_fe_t *batchaz;
static secp256k1_fe_t *batchai;
int secp256k1_ec_pubkey_batch_init(unsigned int num) {
if (!batchpj) { batchpj = malloc(sizeof(secp256k1_gej_t)*num); }
if (!batchpa) { batchpa = malloc(sizeof(secp256k1_ge_t)*num); }
if (!batchaz) { batchaz = malloc(sizeof(secp256k1_fe_t)*num); }
if (!batchai) { batchai = malloc(sizeof(secp256k1_fe_t)*num); }
if (batchpj == NULL || batchpa == NULL || batchaz == NULL || batchai == NULL) {
return 1;
} else {
return 0;
}
}
void secp256k1_ge_set_all_gej_static(int num, secp256k1_ge_t *batchpa, secp256k1_gej_t *batchpj) {
size_t i;
for (i = 0; i < num; i++) {
batchaz[i] = batchpj[i].z;
}
secp256k1_fe_inv_all_var(num, batchai, batchaz);
for (i = 0; i < num; i++) {
secp256k1_ge_set_gej_zinv(&batchpa[i], &batchpj[i], &batchai[i]);
}
}
// call secp256k1_ec_pubkey_batch_init first or you get segfaults
int secp256k1_ec_pubkey_batch_incr(unsigned int num, unsigned int skip, unsigned char (*pub)[65], unsigned char (*sec)[32], unsigned char start[32]) {
// some of the values could be reused between calls, but dealing with the data
// structures is a pain, and with a reasonable batch size, the perf difference
// is tiny
int i;
unsigned char b32[32];
secp256k1_scalar_t priv, incr_s;
secp256k1_gej_t temp;
secp256k1_ge_t incr_a;
/* load staring private key */
secp256k1_scalar_set_b32(&priv, start, NULL);
/* fill first private */
secp256k1_scalar_get_b32(sec[0], &priv);
/* set up increments */
secp256k1_scalar_set_int(&incr_s, skip);
secp256k1_scalar_get_b32(b32, &incr_s);
#ifdef USE_BL_ARITHMETIC
secp256k1_ecmult_gen_bl(&temp, b32);
secp256k1_ecmult_gen_bl(&batchpj[0], start);
#else
secp256k1_ecmult_gen2(&temp, b32);
secp256k1_ecmult_gen2(&batchpj[0], start);
#endif
/* get affine public point for incrementing */
secp256k1_ge_set_gej_var(&incr_a, &temp);
for (i = 1; i < num; ++i) {
/* increment and write private key */
secp256k1_scalar_add(&priv, &priv, &incr_s);
secp256k1_scalar_get_b32(sec[i], &priv);
/* increment public key */
secp256k1_gej_add_ge_var(&batchpj[i], &batchpj[i-1], &incr_a, NULL);
}
/* convert all jacobian coordinates to affine */
secp256k1_ge_set_all_gej_static(num, batchpa, batchpj);
/* write out formatted public key */
for (i = 0; i < num; ++i) {
secp256k1_fe_normalize_var(&batchpa[i].x);
secp256k1_fe_normalize_var(&batchpa[i].y);
pub[i][0] = 0x04;
secp256k1_fe_get_b32(pub[i] + 1, &batchpa[i].x);
secp256k1_fe_get_b32(pub[i] + 33, &batchpa[i].y);
}
return 0;
}
// call secp256k1_ec_pubkey_batch_init first or you get segfaults
int secp256k1_ec_pubkey_batch_create(unsigned int num, unsigned char (*pub)[65], unsigned char (*sec)[32]) {
int i;
/* generate jacobian coordinates */
for (i = 0; i < num; ++i) {
#ifdef USE_BL_ARITHMETIC
secp256k1_ecmult_gen_bl(&batchpj[i], sec[i]);
#else
secp256k1_ecmult_gen2(&batchpj[i], sec[i]);
#endif
}
/* convert all jacobian coordinates to affine */
secp256k1_ge_set_all_gej_static(num, batchpa, batchpj);
/* write out formatted public key */
for (i = 0; i < num; ++i) {
secp256k1_fe_normalize_var(&batchpa[i].x);
secp256k1_fe_normalize_var(&batchpa[i].y);
pub[i][0] = 0x04;
secp256k1_fe_get_b32(pub[i] + 1, &batchpa[i].x);
secp256k1_fe_get_b32(pub[i] + 33, &batchpa[i].y);
}
return 0;
}
int secp256k1_scalar_add_b32(void * out, void * a, void *b) {
secp256k1_scalar_t tmp_a, tmp_b;
secp256k1_scalar_set_b32(&tmp_a, a, NULL);
secp256k1_scalar_set_b32(&tmp_b, b, NULL);
secp256k1_scalar_add(&tmp_a, &tmp_a, &tmp_b);
secp256k1_scalar_get_b32(out, &tmp_a);
return 0;
}
inline static void _priv_add(unsigned char *priv, unsigned char add, int p) {
priv[p] += add;
if (priv[p] < add) {
priv[--p] += 1;
while (p) {
if (priv[p] == 0) {
priv[--p] += 1;
} else {
break;
}
}
}
}
void priv_add_uint8(unsigned char *priv, unsigned char add) {
_priv_add(priv, add, 31);
}
void priv_add_uint32(unsigned char *priv, unsigned int add) {
int p = 31;
while (add) {
_priv_add(priv, add & 255, p--);
add >>= 8;
}
}
typedef struct {
secp256k1_gej_t pubj;
secp256k1_ge_t inc;
secp256k1_gej_t incj;
unsigned int n;
} pubkey_incr_t;
pubkey_incr_t pubkey_incr_ctx;
int secp256k1_ec_pubkey_incr_init(unsigned char *seckey, unsigned int add) {
unsigned char incr_priv[32];
memset(incr_priv, 0, sizeof(incr_priv));
memset(&pubkey_incr_ctx, 0, sizeof(pubkey_incr_ctx));
priv_add_uint32(incr_priv, add);
pubkey_incr_ctx.n = add;
#ifdef USE_BL_ARITHMETIC
secp256k1_ecmult_gen_bl(&pubkey_incr_ctx.pubj, seckey);
secp256k1_ecmult_gen_bl(&pubkey_incr_ctx.incj, incr_priv);
#else
secp256k1_ecmult_gen2(&pubkey_incr_ctx.pubj, seckey);
secp256k1_ecmult_gen2(&pubkey_incr_ctx.incj, incr_priv);
#endif
secp256k1_ge_set_gej(&pubkey_incr_ctx.inc, &pubkey_incr_ctx.incj);
return 0;
}
int secp256k1_ec_pubkey_incr(unsigned char *pub_chr, int *pub_chr_sz, unsigned char *seckey) {
secp256k1_ge_t p;
priv_add_uint32(seckey, pubkey_incr_ctx.n);
#ifdef USE_BL_ARITHMETIC
secp256k1_gej_add_ge_bl(&pubkey_incr_ctx.pubj, &pubkey_incr_ctx.pubj, &pubkey_incr_ctx.inc, NULL);
#else
secp256k1_gej_add_ge_var(&pubkey_incr_ctx.pubj, &pubkey_incr_ctx.pubj, &pubkey_incr_ctx.inc, NULL);
#endif
secp256k1_ge_set_gej(&p, &pubkey_incr_ctx.pubj);
*pub_chr_sz = 65;
pub_chr[0] = 4;
secp256k1_fe_normalize_var(&p.x);
secp256k1_fe_normalize_var(&p.y);
secp256k1_fe_get_b32(pub_chr + 1, &p.x);
secp256k1_fe_get_b32(pub_chr + 33, &p.y);
return 0;
}
void * secp256k1_ec_priv_to_gej(unsigned char *priv) {
secp256k1_gej_t *gej = malloc(sizeof(secp256k1_gej_t));
#ifdef USE_BL_ARITHMETIC
secp256k1_ecmult_gen_bl(gej, priv);
#else
secp256k1_ecmult_gen2(gej, priv);
#endif
return gej;
}
int secp256k1_ec_pubkey_add_gej(unsigned char *pub_chr, int *pub_chr_sz, void *add) {
secp256k1_ge_t in;
secp256k1_ge_t p;
secp256k1_gej_t out;
secp256k1_eckey_pubkey_parse(&in, pub_chr, *pub_chr_sz);
#ifdef USE_BL_ARITHMETIC
secp256k1_gej_add_ge_bl(&out, (secp256k1_gej_t *)add, &in, NULL);
#else
secp256k1_gej_add_ge_var(&out, (secp256k1_gej_t *)add, &in, NULL);
#endif
secp256k1_ge_set_gej(&p, &out);
*pub_chr_sz = 65;
pub_chr[0] = 4;
secp256k1_fe_normalize_var(&p.x);
secp256k1_fe_normalize_var(&p.y);
secp256k1_fe_get_b32(pub_chr + 1, &p.x);
secp256k1_fe_get_b32(pub_chr + 33, &p.y);
return 0;
}
/* vim: set ts=2 sw=2 et ai si: */