Skip to content

Commit 145078c

Browse files
Merge #1118: Add x-only ecmult_const version with x specified as n/d
0f86420 Add exhaustive tests for ecmult_const_xonly (Pieter Wuille) 4485926 Add x-only ecmult_const version for x=n/d (Pieter Wuille) Pull request description: This implements a generalization of Peter Dettman's sqrt-less x-only random-base multiplication algorithm from #262, using the Jacobi symbol algorithm from #979. The generalization is to permit the X coordinate of the base point to be specified as a fraction $n/d$: To compute $x(q \cdot P)$, where $x(P) = n/d$: * Compute $g=n^3 + 7d^3$. * Let $P' = (ng, g^2, 1)$ (the Jacobian coordinates of $P$ mapped to the isomorphic curve $y^2 = x^3 + 7(dg)^3$). * Compute the Jacobian coordinates $(X',Y',Z') = q \cdot P'$ on the isomorphic curve. * Return $X'/(dgZ'^2)$, which is the affine x coordinate on the isomorphic curve $X/Z'^2$ mapped back to secp256k1. This ability to specify the X coordinate as a fraction is useful in the context of x-only [Elligator Swift](https://eprint.iacr.org/2022/759), which can decode to X coordinates on the curve without inversions this way. ACKs for top commit: jonasnick: ACK 0f86420 real-or-random: ACK 0f86420 Tree-SHA512: eeedb3045bfabcb4bcaf3a1738067c83a5ea9a79b150b8fd1c00dc3f68505d34c19654885a90e2292ae40ddf40a58dfb27197d98eebcf5d6d9e25897e07ae595
2 parents a0f4644 + 0f86420 commit 145078c

File tree

4 files changed

+263
-4
lines changed

4 files changed

+263
-4
lines changed

src/ecmult_const.h

+21
Original file line numberDiff line numberDiff line change
@@ -18,4 +18,25 @@
1818
*/
1919
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q, int bits);
2020

21+
/**
22+
* Same as secp256k1_ecmult_const, but takes in an x coordinate of the base point
23+
* only, specified as fraction n/d (numerator/denominator). Only the x coordinate of the result is
24+
* returned.
25+
*
26+
* If known_on_curve is 0, a verification is performed that n/d is a valid X
27+
* coordinate, and 0 is returned if not. Otherwise, 1 is returned.
28+
*
29+
* d being NULL is interpreted as d=1. If non-NULL, d must not be zero. q must not be zero.
30+
*
31+
* Constant time in the value of q, but not any other inputs.
32+
*/
33+
static int secp256k1_ecmult_const_xonly(
34+
secp256k1_fe *r,
35+
const secp256k1_fe *n,
36+
const secp256k1_fe *d,
37+
const secp256k1_scalar *q,
38+
int bits,
39+
int known_on_curve
40+
);
41+
2142
#endif /* SECP256K1_ECMULT_CONST_H */

src/ecmult_const_impl.h

+135
Original file line numberDiff line numberDiff line change
@@ -228,4 +228,139 @@ static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, cons
228228
secp256k1_fe_mul(&r->z, &r->z, &Z);
229229
}
230230

231+
static int secp256k1_ecmult_const_xonly(secp256k1_fe* r, const secp256k1_fe *n, const secp256k1_fe *d, const secp256k1_scalar *q, int bits, int known_on_curve) {
232+
233+
/* This algorithm is a generalization of Peter Dettman's technique for
234+
* avoiding the square root in a random-basepoint x-only multiplication
235+
* on a Weierstrass curve:
236+
* https://mailarchive.ietf.org/arch/msg/cfrg/7DyYY6gg32wDgHAhgSb6XxMDlJA/
237+
*
238+
*
239+
* === Background: the effective affine technique ===
240+
*
241+
* Let phi_u be the isomorphism that maps (x, y) on secp256k1 curve y^2 = x^3 + 7 to
242+
* x' = u^2*x, y' = u^3*y on curve y'^2 = x'^3 + u^6*7. This new curve has the same order as
243+
* the original (it is isomorphic), but moreover, has the same addition/doubling formulas, as
244+
* the curve b=7 coefficient does not appear in those formulas (or at least does not appear in
245+
* the formulas implemented in this codebase, both affine and Jacobian). See also Example 9.5.2
246+
* in https://www.math.auckland.ac.nz/~sgal018/crypto-book/ch9.pdf.
247+
*
248+
* This means any linear combination of secp256k1 points can be computed by applying phi_u
249+
* (with non-zero u) on all input points (including the generator, if used), computing the
250+
* linear combination on the isomorphic curve (using the same group laws), and then applying
251+
* phi_u^{-1} to get back to secp256k1.
252+
*
253+
* Switching to Jacobian coordinates, note that phi_u applied to (X, Y, Z) is simply
254+
* (X, Y, Z/u). Thus, if we want to compute (X1, Y1, Z) + (X2, Y2, Z), with identical Z
255+
* coordinates, we can use phi_Z to transform it to (X1, Y1, 1) + (X2, Y2, 1) on an isomorphic
256+
* curve where the affine addition formula can be used instead.
257+
* If (X3, Y3, Z3) = (X1, Y1) + (X2, Y2) on that curve, then our answer on secp256k1 is
258+
* (X3, Y3, Z3*Z).
259+
*
260+
* This is the effective affine technique: if we have a linear combination of group elements
261+
* to compute, and all those group elements have the same Z coordinate, we can simply pretend
262+
* that all those Z coordinates are 1, perform the computation that way, and then multiply the
263+
* original Z coordinate back in.
264+
*
265+
* The technique works on any a=0 short Weierstrass curve. It is possible to generalize it to
266+
* other curves too, but there the isomorphic curves will have different 'a' coefficients,
267+
* which typically does affect the group laws.
268+
*
269+
*
270+
* === Avoiding the square root for x-only point multiplication ===
271+
*
272+
* In this function, we want to compute the X coordinate of q*(n/d, y), for
273+
* y = sqrt((n/d)^3 + 7). Its negation would also be a valid Y coordinate, but by convention
274+
* we pick whatever sqrt returns (which we assume to be a deterministic function).
275+
*
276+
* Let g = y^2*d^3 = n^3 + 7*d^3. This also means y = sqrt(g/d^3).
277+
* Further let v = sqrt(d*g), which must exist as d*g = y^2*d^4 = (y*d^2)^2.
278+
*
279+
* The input point (n/d, y) also has Jacobian coordinates:
280+
*
281+
* (n/d, y, 1)
282+
* = (n/d * v^2, y * v^3, v)
283+
* = (n/d * d*g, y * sqrt(d^3*g^3), v)
284+
* = (n/d * d*g, sqrt(y^2 * d^3*g^3), v)
285+
* = (n*g, sqrt(g/d^3 * d^3*g^3), v)
286+
* = (n*g, sqrt(g^4), v)
287+
* = (n*g, g^2, v)
288+
*
289+
* It is easy to verify that both (n*g, g^2, v) and its negation (n*g, -g^2, v) have affine X
290+
* coordinate n/d, and this holds even when the square root function doesn't have a
291+
* determinstic sign. We choose the (n*g, g^2, v) version.
292+
*
293+
* Now switch to the effective affine curve using phi_v, where the input point has coordinates
294+
* (n*g, g^2). Compute (X, Y, Z) = q * (n*g, g^2) there.
295+
*
296+
* Back on secp256k1, that means q * (n*g, g^2, v) = (X, Y, v*Z). This last point has affine X
297+
* coordinate X / (v^2*Z^2) = X / (d*g*Z^2). Determining the affine Y coordinate would involve
298+
* a square root, but as long as we only care about the resulting X coordinate, no square root
299+
* is needed anywhere in this computation.
300+
*/
301+
302+
secp256k1_fe g, i;
303+
secp256k1_ge p;
304+
secp256k1_gej rj;
305+
306+
/* Compute g = (n^3 + B*d^3). */
307+
secp256k1_fe_sqr(&g, n);
308+
secp256k1_fe_mul(&g, &g, n);
309+
if (d) {
310+
secp256k1_fe b;
311+
#ifdef VERIFY
312+
VERIFY_CHECK(!secp256k1_fe_normalizes_to_zero(d));
313+
#endif
314+
secp256k1_fe_sqr(&b, d);
315+
VERIFY_CHECK(SECP256K1_B <= 8); /* magnitude of b will be <= 8 after the next call */
316+
secp256k1_fe_mul_int(&b, SECP256K1_B);
317+
secp256k1_fe_mul(&b, &b, d);
318+
secp256k1_fe_add(&g, &b);
319+
if (!known_on_curve) {
320+
/* We need to determine whether (n/d)^3 + 7 is square.
321+
*
322+
* is_square((n/d)^3 + 7)
323+
* <=> is_square(((n/d)^3 + 7) * d^4)
324+
* <=> is_square((n^3 + 7*d^3) * d)
325+
* <=> is_square(g * d)
326+
*/
327+
secp256k1_fe c;
328+
secp256k1_fe_mul(&c, &g, d);
329+
if (!secp256k1_fe_is_square_var(&c)) return 0;
330+
}
331+
} else {
332+
secp256k1_fe_add_int(&g, SECP256K1_B);
333+
if (!known_on_curve) {
334+
/* g at this point equals x^3 + 7. Test if it is square. */
335+
if (!secp256k1_fe_is_square_var(&g)) return 0;
336+
}
337+
}
338+
339+
/* Compute base point P = (n*g, g^2), the effective affine version of (n*g, g^2, v), which has
340+
* corresponding affine X coordinate n/d. */
341+
secp256k1_fe_mul(&p.x, &g, n);
342+
secp256k1_fe_sqr(&p.y, &g);
343+
p.infinity = 0;
344+
345+
/* Perform x-only EC multiplication of P with q. */
346+
#ifdef VERIFY
347+
VERIFY_CHECK(!secp256k1_scalar_is_zero(q));
348+
#endif
349+
secp256k1_ecmult_const(&rj, &p, q, bits);
350+
#ifdef VERIFY
351+
VERIFY_CHECK(!secp256k1_gej_is_infinity(&rj));
352+
#endif
353+
354+
/* The resulting (X, Y, Z) point on the effective-affine isomorphic curve corresponds to
355+
* (X, Y, Z*v) on the secp256k1 curve. The affine version of that has X coordinate
356+
* (X / (Z^2*d*g)). */
357+
secp256k1_fe_sqr(&i, &rj.z);
358+
secp256k1_fe_mul(&i, &i, &g);
359+
if (d) secp256k1_fe_mul(&i, &i, d);
360+
secp256k1_fe_inv(&i, &i);
361+
secp256k1_fe_mul(r, &rj.x, &i);
362+
363+
return 1;
364+
}
365+
231366
#endif /* SECP256K1_ECMULT_CONST_IMPL_H */

src/tests.c

+63
Original file line numberDiff line numberDiff line change
@@ -4452,6 +4452,68 @@ static void ecmult_const_mult_zero_one(void) {
44524452
ge_equals_ge(&res2, &point);
44534453
}
44544454

4455+
static void ecmult_const_mult_xonly(void) {
4456+
int i;
4457+
4458+
/* Test correspondence between secp256k1_ecmult_const and secp256k1_ecmult_const_xonly. */
4459+
for (i = 0; i < 2*COUNT; ++i) {
4460+
secp256k1_ge base;
4461+
secp256k1_gej basej, resj;
4462+
secp256k1_fe n, d, resx, v;
4463+
secp256k1_scalar q;
4464+
int res;
4465+
/* Random base point. */
4466+
random_group_element_test(&base);
4467+
/* Random scalar to multiply it with. */
4468+
random_scalar_order_test(&q);
4469+
/* If i is odd, n=d*base.x for random non-zero d */
4470+
if (i & 1) {
4471+
do {
4472+
random_field_element_test(&d);
4473+
} while (secp256k1_fe_normalizes_to_zero_var(&d));
4474+
secp256k1_fe_mul(&n, &base.x, &d);
4475+
} else {
4476+
n = base.x;
4477+
}
4478+
/* Perform x-only multiplication. */
4479+
res = secp256k1_ecmult_const_xonly(&resx, &n, (i & 1) ? &d : NULL, &q, 256, i & 2);
4480+
CHECK(res);
4481+
/* Perform normal multiplication. */
4482+
secp256k1_gej_set_ge(&basej, &base);
4483+
secp256k1_ecmult(&resj, &basej, &q, NULL);
4484+
/* Check that resj's X coordinate corresponds with resx. */
4485+
secp256k1_fe_sqr(&v, &resj.z);
4486+
secp256k1_fe_mul(&v, &v, &resx);
4487+
CHECK(check_fe_equal(&v, &resj.x));
4488+
}
4489+
4490+
/* Test that secp256k1_ecmult_const_xonly correctly rejects X coordinates not on curve. */
4491+
for (i = 0; i < 2*COUNT; ++i) {
4492+
secp256k1_fe x, n, d, c, r;
4493+
int res;
4494+
secp256k1_scalar q;
4495+
random_scalar_order_test(&q);
4496+
/* Generate random X coordinate not on the curve. */
4497+
do {
4498+
random_field_element_test(&x);
4499+
secp256k1_fe_sqr(&c, &x);
4500+
secp256k1_fe_mul(&c, &c, &x);
4501+
secp256k1_fe_add(&c, &secp256k1_fe_const_b);
4502+
} while (secp256k1_fe_is_square_var(&c));
4503+
/* If i is odd, n=d*x for random non-zero d. */
4504+
if (i & 1) {
4505+
do {
4506+
random_field_element_test(&d);
4507+
} while (secp256k1_fe_normalizes_to_zero_var(&d));
4508+
secp256k1_fe_mul(&n, &x, &d);
4509+
} else {
4510+
n = x;
4511+
}
4512+
res = secp256k1_ecmult_const_xonly(&r, &n, (i & 1) ? &d : NULL, &q, 256, 0);
4513+
CHECK(res == 0);
4514+
}
4515+
}
4516+
44554517
static void ecmult_const_chain_multiply(void) {
44564518
/* Check known result (randomly generated test problem from sage) */
44574519
const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
@@ -4483,6 +4545,7 @@ static void run_ecmult_const_tests(void) {
44834545
ecmult_const_random_mult();
44844546
ecmult_const_commutativity();
44854547
ecmult_const_chain_multiply();
4548+
ecmult_const_mult_xonly();
44864549
}
44874550

44884551
typedef struct {

src/tests_exhaustive.c

+44-4
Original file line numberDiff line numberDiff line change
@@ -59,6 +59,19 @@ static void random_fe(secp256k1_fe *x) {
5959
}
6060
} while(1);
6161
}
62+
63+
static void random_fe_non_zero(secp256k1_fe *nz) {
64+
int tries = 10;
65+
while (--tries >= 0) {
66+
random_fe(nz);
67+
secp256k1_fe_normalize(nz);
68+
if (!secp256k1_fe_is_zero(nz)) {
69+
break;
70+
}
71+
}
72+
/* Infinitesimal probability of spurious failure here */
73+
CHECK(tries >= 0);
74+
}
6275
/** END stolen from tests.c */
6376

6477
static uint32_t num_cores = 1;
@@ -174,10 +187,37 @@ static void test_exhaustive_ecmult(const secp256k1_ge *group, const secp256k1_ge
174187
secp256k1_ecmult(&tmp, &groupj[r_log], &na, &ng);
175188
ge_equals_gej(&group[(i * r_log + j) % EXHAUSTIVE_TEST_ORDER], &tmp);
176189

177-
if (i > 0) {
178-
secp256k1_ecmult_const(&tmp, &group[i], &ng, 256);
179-
ge_equals_gej(&group[(i * j) % EXHAUSTIVE_TEST_ORDER], &tmp);
180-
}
190+
}
191+
}
192+
}
193+
194+
for (j = 0; j < EXHAUSTIVE_TEST_ORDER; j++) {
195+
for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) {
196+
int ret;
197+
secp256k1_gej tmp;
198+
secp256k1_fe xn, xd, tmpf;
199+
secp256k1_scalar ng;
200+
201+
if (skip_section(&iter)) continue;
202+
203+
secp256k1_scalar_set_int(&ng, j);
204+
205+
/* Test secp256k1_ecmult_const. */
206+
secp256k1_ecmult_const(&tmp, &group[i], &ng, 256);
207+
ge_equals_gej(&group[(i * j) % EXHAUSTIVE_TEST_ORDER], &tmp);
208+
209+
if (j != 0) {
210+
/* Test secp256k1_ecmult_const_xonly with all curve X coordinates, and xd=NULL. */
211+
ret = secp256k1_ecmult_const_xonly(&tmpf, &group[i].x, NULL, &ng, 256, 0);
212+
CHECK(ret);
213+
CHECK(secp256k1_fe_equal_var(&tmpf, &group[(i * j) % EXHAUSTIVE_TEST_ORDER].x));
214+
215+
/* Test secp256k1_ecmult_const_xonly with all curve X coordinates, with random xd. */
216+
random_fe_non_zero(&xd);
217+
secp256k1_fe_mul(&xn, &xd, &group[i].x);
218+
ret = secp256k1_ecmult_const_xonly(&tmpf, &xn, &xd, &ng, 256, 0);
219+
CHECK(ret);
220+
CHECK(secp256k1_fe_equal_var(&tmpf, &group[(i * j) % EXHAUSTIVE_TEST_ORDER].x));
181221
}
182222
}
183223
}

0 commit comments

Comments
 (0)