Skip to content

Commit 2238463

Browse files
roconnor-blockstreamroconnor-blockstream
committed
1 parent 65e0690 commit 2238463

12 files changed

+690
-256
lines changed

C/secp256k1/assumptions.h

+5-2
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,9 @@
1010
#include <limits.h>
1111

1212
#include "util.h"
13+
#if defined(SECP256K1_INT128_NATIVE)
14+
#include "int128_native.h"
15+
#endif
1316

1417
/* This library, like most software, relies on a number of compiler implementation defined (but not undefined)
1518
behaviours. Although the behaviours we require are essentially universal we test them specifically here to
@@ -55,7 +58,7 @@ struct secp256k1_assumption_checker {
5558

5659
/* To int64_t. */
5760
((int64_t)(uint64_t)0xB123C456D789E012ULL == (int64_t)-(int64_t)0x4EDC3BA928761FEEULL) &&
58-
#if defined(SECP256K1_WIDEMUL_INT128)
61+
#if defined(SECP256K1_INT128_NATIVE)
5962
((int64_t)(((uint128_t)0xA1234567B8901234ULL << 64) + 0xC5678901D2345678ULL) == (int64_t)-(int64_t)0x3A9876FE2DCBA988ULL) &&
6063
(((int64_t)(int128_t)(((uint128_t)0xB1C2D3E4F5A6B7C8ULL << 64) + 0xD9E0F1A2B3C4D5E6ULL)) == (int64_t)(uint64_t)0xD9E0F1A2B3C4D5E6ULL) &&
6164
(((int64_t)(int128_t)(((uint128_t)0xABCDEF0123456789ULL << 64) + 0x0123456789ABCDEFULL)) == (int64_t)(uint64_t)0x0123456789ABCDEFULL) &&
@@ -71,7 +74,7 @@ struct secp256k1_assumption_checker {
7174
((((int16_t)0xE9AC) >> 4) == (int16_t)(uint16_t)0xFE9A) &&
7275
((((int32_t)0x937C918A) >> 9) == (int32_t)(uint32_t)0xFFC9BE48) &&
7376
((((int64_t)0xA8B72231DF9CF4B9ULL) >> 19) == (int64_t)(uint64_t)0xFFFFF516E4463BF3ULL) &&
74-
#if defined(SECP256K1_WIDEMUL_INT128)
77+
#if defined(SECP256K1_INT128_NATIVE)
7578
((((int128_t)(((uint128_t)0xCD833A65684A0DBCULL << 64) + 0xB349312F71EA7637ULL)) >> 39) == (int128_t)(((uint128_t)0xFFFFFFFFFF9B0674ULL << 64) + 0xCAD0941B79669262ULL)) &&
7679
#endif
7780
1) * 2 - 1];

C/secp256k1/field_5x52_int128_impl.h

+126-126
Original file line numberDiff line numberDiff line change
@@ -9,14 +9,18 @@
99

1010
#include <stdint.h>
1111

12+
#include "int128.h"
13+
1214
#ifdef VERIFY
1315
#define VERIFY_BITS(x, n) VERIFY_CHECK(((x) >> (n)) == 0)
16+
#define VERIFY_BITS_128(x, n) VERIFY_CHECK(secp256k1_u128_check_bits((x), (n)))
1417
#else
1518
#define VERIFY_BITS(x, n) do { } while(0)
19+
#define VERIFY_BITS_128(x, n) do { } while(0)
1620
#endif
1721

1822
SECP256K1_INLINE static void secp256k1_fe_mul_inner(uint64_t *r, const uint64_t *a, const uint64_t * SECP256K1_RESTRICT b) {
19-
uint128_t c, d;
23+
secp256k1_uint128 c, d;
2024
uint64_t t3, t4, tx, u0;
2125
uint64_t a0 = a[0], a1 = a[1], a2 = a[2], a3 = a[3], a4 = a[4];
2226
const uint64_t M = 0xFFFFFFFFFFFFFULL, R = 0x1000003D10ULL;
@@ -40,121 +44,119 @@ SECP256K1_INLINE static void secp256k1_fe_mul_inner(uint64_t *r, const uint64_t
4044
* Note that [x 0 0 0 0 0] = [x*R].
4145
*/
4246

43-
d = (uint128_t)a0 * b[3]
44-
+ (uint128_t)a1 * b[2]
45-
+ (uint128_t)a2 * b[1]
46-
+ (uint128_t)a3 * b[0];
47-
VERIFY_BITS(d, 114);
47+
secp256k1_u128_mul(&d, a0, b[3]);
48+
secp256k1_u128_accum_mul(&d, a1, b[2]);
49+
secp256k1_u128_accum_mul(&d, a2, b[1]);
50+
secp256k1_u128_accum_mul(&d, a3, b[0]);
51+
VERIFY_BITS_128(&d, 114);
4852
/* [d 0 0 0] = [p3 0 0 0] */
49-
c = (uint128_t)a4 * b[4];
50-
VERIFY_BITS(c, 112);
53+
secp256k1_u128_mul(&c, a4, b[4]);
54+
VERIFY_BITS_128(&c, 112);
5155
/* [c 0 0 0 0 d 0 0 0] = [p8 0 0 0 0 p3 0 0 0] */
52-
d += (uint128_t)R * (uint64_t)c; c >>= 64;
53-
VERIFY_BITS(d, 115);
54-
VERIFY_BITS(c, 48);
56+
secp256k1_u128_accum_mul(&d, R, secp256k1_u128_to_u64(&c)); secp256k1_u128_rshift(&c, 64);
57+
VERIFY_BITS_128(&d, 115);
58+
VERIFY_BITS_128(&c, 48);
5559
/* [(c<<12) 0 0 0 0 0 d 0 0 0] = [p8 0 0 0 0 p3 0 0 0] */
56-
t3 = d & M; d >>= 52;
60+
t3 = secp256k1_u128_to_u64(&d) & M; secp256k1_u128_rshift(&d, 52);
5761
VERIFY_BITS(t3, 52);
58-
VERIFY_BITS(d, 63);
62+
VERIFY_BITS_128(&d, 63);
5963
/* [(c<<12) 0 0 0 0 d t3 0 0 0] = [p8 0 0 0 0 p3 0 0 0] */
6064

61-
d += (uint128_t)a0 * b[4]
62-
+ (uint128_t)a1 * b[3]
63-
+ (uint128_t)a2 * b[2]
64-
+ (uint128_t)a3 * b[1]
65-
+ (uint128_t)a4 * b[0];
66-
VERIFY_BITS(d, 115);
65+
secp256k1_u128_accum_mul(&d, a0, b[4]);
66+
secp256k1_u128_accum_mul(&d, a1, b[3]);
67+
secp256k1_u128_accum_mul(&d, a2, b[2]);
68+
secp256k1_u128_accum_mul(&d, a3, b[1]);
69+
secp256k1_u128_accum_mul(&d, a4, b[0]);
70+
VERIFY_BITS_128(&d, 115);
6771
/* [(c<<12) 0 0 0 0 d t3 0 0 0] = [p8 0 0 0 p4 p3 0 0 0] */
68-
d += (uint128_t)(R << 12) * (uint64_t)c;
69-
VERIFY_BITS(d, 116);
72+
secp256k1_u128_accum_mul(&d, R << 12, secp256k1_u128_to_u64(&c));
73+
VERIFY_BITS_128(&d, 116);
7074
/* [d t3 0 0 0] = [p8 0 0 0 p4 p3 0 0 0] */
71-
t4 = d & M; d >>= 52;
75+
t4 = secp256k1_u128_to_u64(&d) & M; secp256k1_u128_rshift(&d, 52);
7276
VERIFY_BITS(t4, 52);
73-
VERIFY_BITS(d, 64);
77+
VERIFY_BITS_128(&d, 64);
7478
/* [d t4 t3 0 0 0] = [p8 0 0 0 p4 p3 0 0 0] */
7579
tx = (t4 >> 48); t4 &= (M >> 4);
7680
VERIFY_BITS(tx, 4);
7781
VERIFY_BITS(t4, 48);
7882
/* [d t4+(tx<<48) t3 0 0 0] = [p8 0 0 0 p4 p3 0 0 0] */
7983

80-
c = (uint128_t)a0 * b[0];
81-
VERIFY_BITS(c, 112);
84+
secp256k1_u128_mul(&c, a0, b[0]);
85+
VERIFY_BITS_128(&c, 112);
8286
/* [d t4+(tx<<48) t3 0 0 c] = [p8 0 0 0 p4 p3 0 0 p0] */
83-
d += (uint128_t)a1 * b[4]
84-
+ (uint128_t)a2 * b[3]
85-
+ (uint128_t)a3 * b[2]
86-
+ (uint128_t)a4 * b[1];
87-
VERIFY_BITS(d, 115);
87+
secp256k1_u128_accum_mul(&d, a1, b[4]);
88+
secp256k1_u128_accum_mul(&d, a2, b[3]);
89+
secp256k1_u128_accum_mul(&d, a3, b[2]);
90+
secp256k1_u128_accum_mul(&d, a4, b[1]);
91+
VERIFY_BITS_128(&d, 115);
8892
/* [d t4+(tx<<48) t3 0 0 c] = [p8 0 0 p5 p4 p3 0 0 p0] */
89-
u0 = d & M; d >>= 52;
93+
u0 = secp256k1_u128_to_u64(&d) & M; secp256k1_u128_rshift(&d, 52);
9094
VERIFY_BITS(u0, 52);
91-
VERIFY_BITS(d, 63);
95+
VERIFY_BITS_128(&d, 63);
9296
/* [d u0 t4+(tx<<48) t3 0 0 c] = [p8 0 0 p5 p4 p3 0 0 p0] */
9397
/* [d 0 t4+(tx<<48)+(u0<<52) t3 0 0 c] = [p8 0 0 p5 p4 p3 0 0 p0] */
9498
u0 = (u0 << 4) | tx;
9599
VERIFY_BITS(u0, 56);
96100
/* [d 0 t4+(u0<<48) t3 0 0 c] = [p8 0 0 p5 p4 p3 0 0 p0] */
97-
c += (uint128_t)u0 * (R >> 4);
98-
VERIFY_BITS(c, 115);
101+
secp256k1_u128_accum_mul(&c, u0, R >> 4);
102+
VERIFY_BITS_128(&c, 115);
99103
/* [d 0 t4 t3 0 0 c] = [p8 0 0 p5 p4 p3 0 0 p0] */
100-
r[0] = c & M; c >>= 52;
104+
r[0] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52);
101105
VERIFY_BITS(r[0], 52);
102-
VERIFY_BITS(c, 61);
106+
VERIFY_BITS_128(&c, 61);
103107
/* [d 0 t4 t3 0 c r0] = [p8 0 0 p5 p4 p3 0 0 p0] */
104108

105-
c += (uint128_t)a0 * b[1]
106-
+ (uint128_t)a1 * b[0];
107-
VERIFY_BITS(c, 114);
109+
secp256k1_u128_accum_mul(&c, a0, b[1]);
110+
secp256k1_u128_accum_mul(&c, a1, b[0]);
111+
VERIFY_BITS_128(&c, 114);
108112
/* [d 0 t4 t3 0 c r0] = [p8 0 0 p5 p4 p3 0 p1 p0] */
109-
d += (uint128_t)a2 * b[4]
110-
+ (uint128_t)a3 * b[3]
111-
+ (uint128_t)a4 * b[2];
112-
VERIFY_BITS(d, 114);
113+
secp256k1_u128_accum_mul(&d, a2, b[4]);
114+
secp256k1_u128_accum_mul(&d, a3, b[3]);
115+
secp256k1_u128_accum_mul(&d, a4, b[2]);
116+
VERIFY_BITS_128(&d, 114);
113117
/* [d 0 t4 t3 0 c r0] = [p8 0 p6 p5 p4 p3 0 p1 p0] */
114-
c += (d & M) * R; d >>= 52;
115-
VERIFY_BITS(c, 115);
116-
VERIFY_BITS(d, 62);
118+
secp256k1_u128_accum_mul(&c, secp256k1_u128_to_u64(&d) & M, R); secp256k1_u128_rshift(&d, 52);
119+
VERIFY_BITS_128(&c, 115);
120+
VERIFY_BITS_128(&d, 62);
117121
/* [d 0 0 t4 t3 0 c r0] = [p8 0 p6 p5 p4 p3 0 p1 p0] */
118-
r[1] = c & M; c >>= 52;
122+
r[1] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52);
119123
VERIFY_BITS(r[1], 52);
120-
VERIFY_BITS(c, 63);
124+
VERIFY_BITS_128(&c, 63);
121125
/* [d 0 0 t4 t3 c r1 r0] = [p8 0 p6 p5 p4 p3 0 p1 p0] */
122126

123-
c += (uint128_t)a0 * b[2]
124-
+ (uint128_t)a1 * b[1]
125-
+ (uint128_t)a2 * b[0];
126-
VERIFY_BITS(c, 114);
127+
secp256k1_u128_accum_mul(&c, a0, b[2]);
128+
secp256k1_u128_accum_mul(&c, a1, b[1]);
129+
secp256k1_u128_accum_mul(&c, a2, b[0]);
130+
VERIFY_BITS_128(&c, 114);
127131
/* [d 0 0 t4 t3 c r1 r0] = [p8 0 p6 p5 p4 p3 p2 p1 p0] */
128-
d += (uint128_t)a3 * b[4]
129-
+ (uint128_t)a4 * b[3];
130-
VERIFY_BITS(d, 114);
132+
secp256k1_u128_accum_mul(&d, a3, b[4]);
133+
secp256k1_u128_accum_mul(&d, a4, b[3]);
134+
VERIFY_BITS_128(&d, 114);
131135
/* [d 0 0 t4 t3 c t1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */
132-
c += (uint128_t)R * (uint64_t)d; d >>= 64;
133-
VERIFY_BITS(c, 115);
134-
VERIFY_BITS(d, 50);
136+
secp256k1_u128_accum_mul(&c, R, secp256k1_u128_to_u64(&d)); secp256k1_u128_rshift(&d, 64);
137+
VERIFY_BITS_128(&c, 115);
138+
VERIFY_BITS_128(&d, 50);
135139
/* [(d<<12) 0 0 0 t4 t3 c r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */
136140

137-
r[2] = c & M; c >>= 52;
141+
r[2] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52);
138142
VERIFY_BITS(r[2], 52);
139-
VERIFY_BITS(c, 63);
143+
VERIFY_BITS_128(&c, 63);
140144
/* [(d<<12) 0 0 0 t4 t3+c r2 r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */
141-
c += (uint128_t)(R << 12) * (uint64_t)d + t3;
142-
VERIFY_BITS(c, 100);
145+
secp256k1_u128_accum_mul(&c, R << 12, secp256k1_u128_to_u64(&d));
146+
secp256k1_u128_accum_u64(&c, t3);
147+
VERIFY_BITS_128(&c, 100);
143148
/* [t4 c r2 r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */
144-
r[3] = c & M; c >>= 52;
149+
r[3] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52);
145150
VERIFY_BITS(r[3], 52);
146-
VERIFY_BITS(c, 48);
151+
VERIFY_BITS_128(&c, 48);
147152
/* [t4+c r3 r2 r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */
148-
c += t4;
149-
VERIFY_BITS(c, 49);
150-
/* [c r3 r2 r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */
151-
r[4] = c;
153+
r[4] = secp256k1_u128_to_u64(&c) + t4;
152154
VERIFY_BITS(r[4], 49);
153155
/* [r4 r3 r2 r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */
154156
}
155157

156158
SECP256K1_INLINE static void secp256k1_fe_sqr_inner(uint64_t *r, const uint64_t *a) {
157-
uint128_t c, d;
159+
secp256k1_uint128 c, d;
158160
uint64_t a0 = a[0], a1 = a[1], a2 = a[2], a3 = a[3], a4 = a[4];
159161
int64_t t3, t4, tx, u0;
160162
const uint64_t M = 0xFFFFFFFFFFFFFULL, R = 0x1000003D10ULL;
@@ -170,107 +172,105 @@ SECP256K1_INLINE static void secp256k1_fe_sqr_inner(uint64_t *r, const uint64_t
170172
* Note that [x 0 0 0 0 0] = [x*R].
171173
*/
172174

173-
d = (uint128_t)(a0*2) * a3
174-
+ (uint128_t)(a1*2) * a2;
175-
VERIFY_BITS(d, 114);
175+
secp256k1_u128_mul(&d, a0*2, a3);
176+
secp256k1_u128_accum_mul(&d, a1*2, a2);
177+
VERIFY_BITS_128(&d, 114);
176178
/* [d 0 0 0] = [p3 0 0 0] */
177-
c = (uint128_t)a4 * a4;
178-
VERIFY_BITS(c, 112);
179+
secp256k1_u128_mul(&c, a4, a4);
180+
VERIFY_BITS_128(&c, 112);
179181
/* [c 0 0 0 0 d 0 0 0] = [p8 0 0 0 0 p3 0 0 0] */
180-
d += (uint128_t)R * (uint64_t)c; c >>= 64;
181-
VERIFY_BITS(d, 115);
182-
VERIFY_BITS(c, 48);
182+
secp256k1_u128_accum_mul(&d, R, secp256k1_u128_to_u64(&c)); secp256k1_u128_rshift(&c, 64);
183+
VERIFY_BITS_128(&d, 115);
184+
VERIFY_BITS_128(&c, 48);
183185
/* [(c<<12) 0 0 0 0 0 d 0 0 0] = [p8 0 0 0 0 p3 0 0 0] */
184-
t3 = d & M; d >>= 52;
186+
t3 = secp256k1_u128_to_u64(&d) & M; secp256k1_u128_rshift(&d, 52);
185187
VERIFY_BITS(t3, 52);
186-
VERIFY_BITS(d, 63);
188+
VERIFY_BITS_128(&d, 63);
187189
/* [(c<<12) 0 0 0 0 d t3 0 0 0] = [p8 0 0 0 0 p3 0 0 0] */
188190

189191
a4 *= 2;
190-
d += (uint128_t)a0 * a4
191-
+ (uint128_t)(a1*2) * a3
192-
+ (uint128_t)a2 * a2;
193-
VERIFY_BITS(d, 115);
192+
secp256k1_u128_accum_mul(&d, a0, a4);
193+
secp256k1_u128_accum_mul(&d, a1*2, a3);
194+
secp256k1_u128_accum_mul(&d, a2, a2);
195+
VERIFY_BITS_128(&d, 115);
194196
/* [(c<<12) 0 0 0 0 d t3 0 0 0] = [p8 0 0 0 p4 p3 0 0 0] */
195-
d += (uint128_t)(R << 12) * (uint64_t)c;
196-
VERIFY_BITS(d, 116);
197+
secp256k1_u128_accum_mul(&d, R << 12, secp256k1_u128_to_u64(&c));
198+
VERIFY_BITS_128(&d, 116);
197199
/* [d t3 0 0 0] = [p8 0 0 0 p4 p3 0 0 0] */
198-
t4 = d & M; d >>= 52;
200+
t4 = secp256k1_u128_to_u64(&d) & M; secp256k1_u128_rshift(&d, 52);
199201
VERIFY_BITS(t4, 52);
200-
VERIFY_BITS(d, 64);
202+
VERIFY_BITS_128(&d, 64);
201203
/* [d t4 t3 0 0 0] = [p8 0 0 0 p4 p3 0 0 0] */
202204
tx = (t4 >> 48); t4 &= (M >> 4);
203205
VERIFY_BITS(tx, 4);
204206
VERIFY_BITS(t4, 48);
205207
/* [d t4+(tx<<48) t3 0 0 0] = [p8 0 0 0 p4 p3 0 0 0] */
206208

207-
c = (uint128_t)a0 * a0;
208-
VERIFY_BITS(c, 112);
209+
secp256k1_u128_mul(&c, a0, a0);
210+
VERIFY_BITS_128(&c, 112);
209211
/* [d t4+(tx<<48) t3 0 0 c] = [p8 0 0 0 p4 p3 0 0 p0] */
210-
d += (uint128_t)a1 * a4
211-
+ (uint128_t)(a2*2) * a3;
212-
VERIFY_BITS(d, 114);
212+
secp256k1_u128_accum_mul(&d, a1, a4);
213+
secp256k1_u128_accum_mul(&d, a2*2, a3);
214+
VERIFY_BITS_128(&d, 114);
213215
/* [d t4+(tx<<48) t3 0 0 c] = [p8 0 0 p5 p4 p3 0 0 p0] */
214-
u0 = d & M; d >>= 52;
216+
u0 = secp256k1_u128_to_u64(&d) & M; secp256k1_u128_rshift(&d, 52);
215217
VERIFY_BITS(u0, 52);
216-
VERIFY_BITS(d, 62);
218+
VERIFY_BITS_128(&d, 62);
217219
/* [d u0 t4+(tx<<48) t3 0 0 c] = [p8 0 0 p5 p4 p3 0 0 p0] */
218220
/* [d 0 t4+(tx<<48)+(u0<<52) t3 0 0 c] = [p8 0 0 p5 p4 p3 0 0 p0] */
219221
u0 = (u0 << 4) | tx;
220222
VERIFY_BITS(u0, 56);
221223
/* [d 0 t4+(u0<<48) t3 0 0 c] = [p8 0 0 p5 p4 p3 0 0 p0] */
222-
c += (uint128_t)u0 * (R >> 4);
223-
VERIFY_BITS(c, 113);
224+
secp256k1_u128_accum_mul(&c, u0, R >> 4);
225+
VERIFY_BITS_128(&c, 113);
224226
/* [d 0 t4 t3 0 0 c] = [p8 0 0 p5 p4 p3 0 0 p0] */
225-
r[0] = c & M; c >>= 52;
227+
r[0] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52);
226228
VERIFY_BITS(r[0], 52);
227-
VERIFY_BITS(c, 61);
229+
VERIFY_BITS_128(&c, 61);
228230
/* [d 0 t4 t3 0 c r0] = [p8 0 0 p5 p4 p3 0 0 p0] */
229231

230232
a0 *= 2;
231-
c += (uint128_t)a0 * a1;
232-
VERIFY_BITS(c, 114);
233+
secp256k1_u128_accum_mul(&c, a0, a1);
234+
VERIFY_BITS_128(&c, 114);
233235
/* [d 0 t4 t3 0 c r0] = [p8 0 0 p5 p4 p3 0 p1 p0] */
234-
d += (uint128_t)a2 * a4
235-
+ (uint128_t)a3 * a3;
236-
VERIFY_BITS(d, 114);
236+
secp256k1_u128_accum_mul(&d, a2, a4);
237+
secp256k1_u128_accum_mul(&d, a3, a3);
238+
VERIFY_BITS_128(&d, 114);
237239
/* [d 0 t4 t3 0 c r0] = [p8 0 p6 p5 p4 p3 0 p1 p0] */
238-
c += (d & M) * R; d >>= 52;
239-
VERIFY_BITS(c, 115);
240-
VERIFY_BITS(d, 62);
240+
secp256k1_u128_accum_mul(&c, secp256k1_u128_to_u64(&d) & M, R); secp256k1_u128_rshift(&d, 52);
241+
VERIFY_BITS_128(&c, 115);
242+
VERIFY_BITS_128(&d, 62);
241243
/* [d 0 0 t4 t3 0 c r0] = [p8 0 p6 p5 p4 p3 0 p1 p0] */
242-
r[1] = c & M; c >>= 52;
244+
r[1] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52);
243245
VERIFY_BITS(r[1], 52);
244-
VERIFY_BITS(c, 63);
246+
VERIFY_BITS_128(&c, 63);
245247
/* [d 0 0 t4 t3 c r1 r0] = [p8 0 p6 p5 p4 p3 0 p1 p0] */
246248

247-
c += (uint128_t)a0 * a2
248-
+ (uint128_t)a1 * a1;
249-
VERIFY_BITS(c, 114);
249+
secp256k1_u128_accum_mul(&c, a0, a2);
250+
secp256k1_u128_accum_mul(&c, a1, a1);
251+
VERIFY_BITS_128(&c, 114);
250252
/* [d 0 0 t4 t3 c r1 r0] = [p8 0 p6 p5 p4 p3 p2 p1 p0] */
251-
d += (uint128_t)a3 * a4;
252-
VERIFY_BITS(d, 114);
253+
secp256k1_u128_accum_mul(&d, a3, a4);
254+
VERIFY_BITS_128(&d, 114);
253255
/* [d 0 0 t4 t3 c r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */
254-
c += (uint128_t)R * (uint64_t)d; d >>= 64;
255-
VERIFY_BITS(c, 115);
256-
VERIFY_BITS(d, 50);
256+
secp256k1_u128_accum_mul(&c, R, secp256k1_u128_to_u64(&d)); secp256k1_u128_rshift(&d, 64);
257+
VERIFY_BITS_128(&c, 115);
258+
VERIFY_BITS_128(&d, 50);
257259
/* [(d<<12) 0 0 0 t4 t3 c r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */
258-
r[2] = c & M; c >>= 52;
260+
r[2] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52);
259261
VERIFY_BITS(r[2], 52);
260-
VERIFY_BITS(c, 63);
262+
VERIFY_BITS_128(&c, 63);
261263
/* [(d<<12) 0 0 0 t4 t3+c r2 r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */
262264

263-
c += (uint128_t)(R << 12) * (uint64_t)d + t3;
264-
VERIFY_BITS(c, 100);
265+
secp256k1_u128_accum_mul(&c, R << 12, secp256k1_u128_to_u64(&d));
266+
secp256k1_u128_accum_u64(&c, t3);
267+
VERIFY_BITS_128(&c, 100);
265268
/* [t4 c r2 r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */
266-
r[3] = c & M; c >>= 52;
269+
r[3] = secp256k1_u128_to_u64(&c) & M; secp256k1_u128_rshift(&c, 52);
267270
VERIFY_BITS(r[3], 52);
268-
VERIFY_BITS(c, 48);
271+
VERIFY_BITS_128(&c, 48);
269272
/* [t4+c r3 r2 r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */
270-
c += t4;
271-
VERIFY_BITS(c, 49);
272-
/* [c r3 r2 r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */
273-
r[4] = c;
273+
r[4] = secp256k1_u128_to_u64(&c) + t4;
274274
VERIFY_BITS(r[4], 49);
275275
/* [r4 r3 r2 r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */
276276
}

0 commit comments

Comments
 (0)