Remove unused secp256k1_wnaf_const

Author: sipa

src/bench_internal.c

@@ -14,7 +14,6 @@
 #include "field_impl.h"
 #include "group_impl.h"
 #include "scalar_impl.h"
-#include "ecmult_const_impl.h"
 #include "ecmult_impl.h"
 #include "bench.h"
 
@@ -321,18 +320,6 @@ static void bench_ecmult_wnaf(void* arg, int iters) {
     CHECK(bits <= 256*iters);
 }
 
-static void bench_wnaf_const(void* arg, int iters) {
-    int i, bits = 0, overflow = 0;
-    bench_inv *data = (bench_inv*)arg;
-
-    for (i = 0; i < iters; i++) {
-        bits += secp256k1_wnaf_const(data->wnaf, &data->scalar[0], WINDOW_A, 256);
-        overflow += secp256k1_scalar_add(&data->scalar[0], &data->scalar[0], &data->scalar[1]);
-    }
-    CHECK(overflow >= 0);
-    CHECK(bits <= 256*iters);
-}
-
 static void bench_sha256(void* arg, int iters) {
     int i;
     bench_inv *data = (bench_inv*)arg;
@@ -407,7 +394,6 @@ int main(int argc, char **argv) {
     if (d || have_flag(argc, argv, "group") || have_flag(argc, argv, "add")) run_benchmark("group_add_zinv_var", bench_group_add_zinv_var, bench_setup, NULL, &data, 10, iters*10);
     if (d || have_flag(argc, argv, "group") || have_flag(argc, argv, "to_affine")) run_benchmark("group_to_affine_var", bench_group_to_affine_var, bench_setup, NULL, &data, 10, iters);
 
-    if (d || have_flag(argc, argv, "ecmult") || have_flag(argc, argv, "wnaf")) run_benchmark("wnaf_const", bench_wnaf_const, bench_setup, NULL, &data, 10, iters);
     if (d || have_flag(argc, argv, "ecmult") || have_flag(argc, argv, "wnaf")) run_benchmark("ecmult_wnaf", bench_ecmult_wnaf, bench_setup, NULL, &data, 10, iters);
 
     if (d || have_flag(argc, argv, "hash") || have_flag(argc, argv, "sha256")) run_benchmark("hash_sha256", bench_sha256, bench_setup, NULL, &data, 10, iters);

src/ecmult_const_impl.h

@@ -104,83 +104,6 @@ static void secp256k1_ecmult_const_odd_multiples_table_globalz(secp256k1_ge *pre
     secp256k1_fe_cmov(&(r)->y, &neg_y, negative); \
 } while(0)
 
-/** Convert a number to WNAF notation.
- *  The number becomes represented by sum(2^{wi} * wnaf[i], i=0..WNAF_SIZE(w)+1) - return_val.
- *  It has the following guarantees:
- *  - each wnaf[i] an odd integer between -(1 << w) and (1 << w)
- *  - each wnaf[i] is nonzero
- *  - the number of words set is always WNAF_SIZE(w) + 1
- *
- *  Adapted from `The Width-w NAF Method Provides Small Memory and Fast Elliptic Scalar
- *  Multiplications Secure against Side Channel Attacks`, Okeya and Tagaki. M. Joye (Ed.)
- *  CT-RSA 2003, LNCS 2612, pp. 328-443, 2003. Springer-Verlag Berlin Heidelberg 2003
- *
- *  Numbers reference steps of `Algorithm SPA-resistant Width-w NAF with Odd Scalar` on pp. 335
- */
-static int secp256k1_wnaf_const(int *wnaf, const secp256k1_scalar *scalar, int w, int size) {
-    int global_sign;
-    int skew;
-    int word = 0;
-
-    /* 1 2 3 */
-    int u_last;
-    int u;
-
-    int flip;
-    secp256k1_scalar s = *scalar;
-
-    VERIFY_CHECK(w > 0);
-    VERIFY_CHECK(size > 0);
-
-    /* Note that we cannot handle even numbers by negating them to be odd, as is
-     * done in other implementations, since if our scalars were specified to have
-     * width < 256 for performance reasons, their negations would have width 256
-     * and we'd lose any performance benefit. Instead, we use a variation of a
-     * technique from Section 4.2 of the Okeya/Tagaki paper, which is to add 1 to the
-     * number we are encoding when it is even, returning a skew value indicating
-     * this, and having the caller compensate after doing the multiplication.
-     *
-     * In fact, we _do_ want to negate numbers to minimize their bit-lengths (and in
-     * particular, to ensure that the outputs from the endomorphism-split fit into
-     * 128 bits). If we negate, the parity of our number flips, affecting whether
-     * we want to add to the scalar to ensure that it's odd. */
-    flip = secp256k1_scalar_is_high(&s);
-    skew = flip ^ secp256k1_scalar_is_even(&s);
-    secp256k1_scalar_cadd_bit(&s, 0, skew);
-    global_sign = secp256k1_scalar_cond_negate(&s, flip);
-
-    /* 4 */
-    u_last = secp256k1_scalar_shr_int(&s, w);
-    do {
-        int even;
-
-        /* 4.1 4.4 */
-        u = secp256k1_scalar_shr_int(&s, w);
-        /* 4.2 */
-        even = ((u & 1) == 0);
-        /* In contrast to the original algorithm, u_last is always > 0 and
-         * therefore we do not need to check its sign. In particular, it's easy
-         * to see that u_last is never < 0 because u is never < 0. Moreover,
-         * u_last is never = 0 because u is never even after a loop
-         * iteration. The same holds analogously for the initial value of
-         * u_last (in the first loop iteration). */
-        VERIFY_CHECK(u_last > 0);
-        VERIFY_CHECK((u_last & 1) == 1);
-        u += even;
-        u_last -= even * (1 << w);
-
-        /* 4.3, adapted for global sign change */
-        wnaf[word++] = u_last * global_sign;
-
-        u_last = u;
-    } while (word * w < size);
-    wnaf[word] = u * global_sign;
-
-    VERIFY_CHECK(secp256k1_scalar_is_zero(&s));
-    VERIFY_CHECK(word == WNAF_SIZE_BITS(size, w));
-    return skew;
-}
-
 /* For K as defined in the comment of secp256k1_ecmult_const, we have several precomputed
  * formulas/constants.
  * - in exhaustive test mode, we give an explicit expression to compute it at compile time: */

src/tests.c

@@ -5275,61 +5275,6 @@ static void test_wnaf(const secp256k1_scalar *number, int w) {
     CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
 }
 
-static void test_constant_wnaf_negate(const secp256k1_scalar *number) {
-    secp256k1_scalar neg1 = *number;
-    secp256k1_scalar neg2 = *number;
-    int sign1 = 1;
-    int sign2 = 1;
-
-    if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
-        secp256k1_scalar_negate(&neg1, &neg1);
-        sign1 = -1;
-    }
-    sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
-    CHECK(sign1 == sign2);
-    CHECK(secp256k1_scalar_eq(&neg1, &neg2));
-}
-
-static void test_constant_wnaf(const secp256k1_scalar *number, int w) {
-    secp256k1_scalar x, shift;
-    int wnaf[256] = {0};
-    int i;
-    int skew;
-    int bits = 256;
-    secp256k1_scalar num = *number;
-    secp256k1_scalar scalar_skew;
-
-    secp256k1_scalar_set_int(&x, 0);
-    secp256k1_scalar_set_int(&shift, 1 << w);
-    for (i = 0; i < 16; ++i) {
-        secp256k1_scalar_shr_int(&num, 8);
-    }
-    bits = 128;
-    skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
-
-    for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
-        secp256k1_scalar t;
-        int v = wnaf[i];
-        CHECK(v != 0); /* check nonzero */
-        CHECK(v & 1);  /* check parity */
-        CHECK(v > -(1 << w)); /* check range above */
-        CHECK(v < (1 << w));  /* check range below */
-
-        secp256k1_scalar_mul(&x, &x, &shift);
-        if (v >= 0) {
-            secp256k1_scalar_set_int(&t, v);
-        } else {
-            secp256k1_scalar_set_int(&t, -v);
-            secp256k1_scalar_negate(&t, &t);
-        }
-        secp256k1_scalar_add(&x, &x, &t);
-    }
-    /* Skew num because when encoding numbers as odd we use an offset */
-    secp256k1_scalar_set_int(&scalar_skew, skew);
-    secp256k1_scalar_add(&num, &num, &scalar_skew);
-    CHECK(secp256k1_scalar_eq(&x, &num));
-}
-
 static void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
     secp256k1_scalar x, shift;
     int wnaf[256] = {0};
@@ -5433,41 +5378,14 @@ static void test_fixed_wnaf_small(void) {
 
 static void run_wnaf(void) {
     int i;
-    secp256k1_scalar n = {{0}};
-
-    test_constant_wnaf(&n, 4);
-    /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
-     *               have easier-to-diagnose failure modes  */
-    n.d[0] = 1;
-    test_constant_wnaf(&n, 4);
-    n.d[0] = 2;
-    test_constant_wnaf(&n, 4);
-    /* Test -1, because it's a special case in wnaf_const */
-    n = secp256k1_scalar_one;
-    secp256k1_scalar_negate(&n, &n);
-    test_constant_wnaf(&n, 4);
-
-    /* Test -2, which may not lead to overflows in wnaf_const */
-    secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
-    secp256k1_scalar_negate(&n, &n);
-    test_constant_wnaf(&n, 4);
-
-    /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
-       as corner cases of negation handling in wnaf_const */
-    secp256k1_scalar_inverse(&n, &n);
-    test_constant_wnaf(&n, 4);
-
-    secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
-    test_constant_wnaf(&n, 4);
+    secp256k1_scalar n;
 
     /* Test 0 for fixed wnaf */
     test_fixed_wnaf_small();
     /* Random tests */
     for (i = 0; i < COUNT; i++) {
         random_scalar_order(&n);
         test_wnaf(&n, 4+(i%10));
-        test_constant_wnaf_negate(&n);
-        test_constant_wnaf(&n, 4 + (i % 10));
         test_fixed_wnaf(&n, 4 + (i % 10));
     }
     secp256k1_scalar_set_int(&n, 0);