Remove old ecmult_gen code and always use multi-comb

Author: sipa

src/ecmult_gen.h

@@ -10,10 +10,6 @@
 #include "scalar.h"
 #include "group.h"
 
-#define USE_COMB 1
-
-#if USE_COMB
-
 #if defined(EXHAUSTIVE_TEST_ORDER)
 
   /* We need to control these values for exhaustive tests because
@@ -78,19 +74,7 @@
 #  error "COMB_BITS must be in the range [256, 288]"
 #endif
 
-#else
-
-#if ECMULT_GEN_PREC_BITS != 2 && ECMULT_GEN_PREC_BITS != 4 && ECMULT_GEN_PREC_BITS != 8
-#  error "Set ECMULT_GEN_PREC_BITS to 2, 4 or 8."
-#endif
-#define ECMULT_GEN_PREC_B ECMULT_GEN_PREC_BITS
-#define ECMULT_GEN_PREC_G (1 << ECMULT_GEN_PREC_B)
-#define ECMULT_GEN_PREC_N (256 / ECMULT_GEN_PREC_B)
-
-#endif
-
 typedef struct {
-#if USE_COMB
     /* Precomputation data for the signed-digit multi-comb algorithm as described in section 3.3 of:
      *     "Fast and compact elliptic-curve cryptography", Mike Hamburg
      *         (https://eprint.iacr.org/2012/309)
@@ -103,21 +87,6 @@ typedef struct {
      * for the (COMB_SPACING - 1) doublings in the _ecmult_gen ladder.
      */
     secp256k1_ge offset;
-#endif
-#else
-    /* For accelerating the computation of a*G:
-     * To harden against timing attacks, use the following mechanism:
-     * * Break up the multiplicand into groups of PREC_B bits, called n_0, n_1, n_2, ..., n_(PREC_N-1).
-     * * Compute sum(n_i * (PREC_G)^i * G + U_i, i=0 ... PREC_N-1), where:
-     *   * U_i = U * 2^i, for i=0 ... PREC_N-2
-     *   * U_i = U * (1-2^(PREC_N-1)), for i=PREC_N-1
-     *   where U is a point with no known corresponding scalar. Note that sum(U_i, i=0 ... PREC_N-1) = 0.
-     * For each i, and each of the PREC_G possible values of n_i, (n_i * (PREC_G)^i * G + U_i) is
-     * precomputed (call it prec(i, n_i)). The formula now becomes sum(prec(i, n_i), i=0 ... PREC_N-1).
-     * None of the resulting prec group elements have a known scalar, and neither do any of
-     * the intermediate sums while computing a*G.
-     */
-    secp256k1_ge_storage (*prec)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G]; /* prec[j][i] = (PREC_G)^j * i * G + U_i */
 #endif
     secp256k1_scalar blind;
     secp256k1_gej initial;

src/ecmult_gen_impl.h

@@ -28,16 +28,9 @@ static void secp256k1_ecmult_gen_context_init(secp256k1_ecmult_gen_context *ctx)
 
 static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx, void **prealloc) {
 #ifndef USE_ECMULT_STATIC_PRECOMPUTATION
-#if USE_COMB
     secp256k1_ge prec[COMB_POINTS_TOTAL + COMB_OFFSET];
     secp256k1_gej u, sum;
     int block, index, spacing, stride, tooth;
-#else
-    secp256k1_ge prec[ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G];
-    secp256k1_gej gj;
-    secp256k1_gej nums_gej;
-    int i, j;
-#endif
     size_t const prealloc_size = SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE;
     void* const base = *prealloc;
 #endif
@@ -46,7 +39,6 @@ static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx
         return;
     }
 #ifndef USE_ECMULT_STATIC_PRECOMPUTATION
-#if USE_COMB
     ctx->prec = (secp256k1_ge_storage (*)[COMB_BLOCKS][COMB_POINTS])manual_alloc(prealloc, prealloc_size, base, prealloc_size);
 
     /* get the generator */
@@ -95,72 +87,12 @@ static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx
     ctx->offset = prec[COMB_POINTS_TOTAL];
 #endif
 
-#else
-    ctx->prec = (secp256k1_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])manual_alloc(prealloc, prealloc_size, base, prealloc_size);
-
-    /* get the generator */
-    secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
-
-    /* Construct a group element with no known corresponding scalar (nothing up my sleeve). */
-    {
-        static const unsigned char nums_b32[33] = "The scalar for this x is unknown";
-        secp256k1_fe nums_x;
-        secp256k1_ge nums_ge;
-        int r;
-        r = secp256k1_fe_set_b32(&nums_x, nums_b32);
-        (void)r;
-        VERIFY_CHECK(r);
-        r = secp256k1_ge_set_xo_var(&nums_ge, &nums_x, 0);
-        (void)r;
-        VERIFY_CHECK(r);
-        secp256k1_gej_set_ge(&nums_gej, &nums_ge);
-        /* Add G to make the bits in x uniformly distributed. */
-        secp256k1_gej_add_ge_var(&nums_gej, &nums_gej, &secp256k1_ge_const_g, NULL);
-    }
-
-    /* compute prec. */
-    {
-        secp256k1_gej precj[ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G]; /* Jacobian versions of prec. */
-        secp256k1_gej gbase;
-        secp256k1_gej numsbase;
-        gbase = gj; /* PREC_G^j * G */
-        numsbase = nums_gej; /* 2^j * nums. */
-        for (j = 0; j < ECMULT_GEN_PREC_N; j++) {
-            /* Set precj[j*PREC_G .. j*PREC_G+(PREC_G-1)] to (numsbase, numsbase + gbase, ..., numsbase + (PREC_G-1)*gbase). */
-            precj[j*ECMULT_GEN_PREC_G] = numsbase;
-            for (i = 1; i < ECMULT_GEN_PREC_G; i++) {
-                secp256k1_gej_add_var(&precj[j*ECMULT_GEN_PREC_G + i], &precj[j*ECMULT_GEN_PREC_G + i - 1], &gbase, NULL);
-            }
-            /* Multiply gbase by PREC_G. */
-            for (i = 0; i < ECMULT_GEN_PREC_B; i++) {
-                secp256k1_gej_double_var(&gbase, &gbase, NULL);
-            }
-            /* Multiply numbase by 2. */
-            secp256k1_gej_double_var(&numsbase, &numsbase, NULL);
-            if (j == ECMULT_GEN_PREC_N - 2) {
-                /* In the last iteration, numsbase is (1 - 2^j) * nums instead. */
-                secp256k1_gej_neg(&numsbase, &numsbase);
-                secp256k1_gej_add_var(&numsbase, &numsbase, &nums_gej, NULL);
-            }
-        }
-        secp256k1_ge_set_all_gej_var(prec, precj, ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G);
-    }
-    for (j = 0; j < ECMULT_GEN_PREC_N; j++) {
-        for (i = 0; i < ECMULT_GEN_PREC_G; i++) {
-            secp256k1_ge_to_storage(&(*ctx->prec)[j][i], &prec[j*ECMULT_GEN_PREC_G + i]);
-        }
-    }
-#endif
 #else
     (void)prealloc;
-#if USE_COMB
     ctx->prec = (secp256k1_ge_storage (*)[COMB_BLOCKS][COMB_POINTS])secp256k1_ecmult_gen_ctx_prec;
 #if COMB_OFFSET
     secp256k1_ge_from_storage(&ctx->offset, &secp256k1_ecmult_gen_ctx_offset);
 #endif
-#else
-    ctx->prec = (secp256k1_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])secp256k1_ecmult_static_context;
-#endif
 #endif
     secp256k1_ecmult_gen_blind(ctx, NULL);
 }
@@ -171,28 +103,20 @@ static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_cont
 
 static void secp256k1_ecmult_gen_context_finalize_memcpy(secp256k1_ecmult_gen_context *dst, const secp256k1_ecmult_gen_context *src) {
 #ifndef USE_ECMULT_STATIC_PRECOMPUTATION
-#if USE_COMB
     if (src->prec != NULL) {
         /* We cast to void* first to suppress a -Wcast-align warning. */
         dst->prec = (secp256k1_ge_storage (*)[COMB_BLOCKS][COMB_POINTS])(void*)((unsigned char*)dst + ((unsigned char*)src->prec - (unsigned char*)src));
     }
 #if COMB_OFFSET
     dst->offset = src->offset;
 #endif
-#else
-    if (src->prec != NULL) {
-        dst->prec = (secp256k1_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])(void*)((unsigned char*)dst + ((unsigned char*)src->prec - (unsigned char*)src));
-    }
-#endif
 #endif
     (void)dst, (void)src;
 }
 
 static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context *ctx) {
-#if USE_COMB
 #if COMB_OFFSET
     secp256k1_ge_clear(&ctx->offset);
-#endif
 #endif
     secp256k1_scalar_clear(&ctx->blind);
     secp256k1_gej_clear(&ctx->initial);
@@ -205,8 +129,6 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
     secp256k1_scalar gnb;
     int bits;
 
-#if USE_COMB
-
 #if COMB_NEGATION
     secp256k1_fe neg;
     int sign;
@@ -252,6 +174,16 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
             VERIFY_CHECK(0 <= abs && abs < COMB_POINTS);
 
             for (index = 0; index < COMB_POINTS; ++index) {
+                /** This uses a conditional move to avoid any secret data in array indexes.
+                 *   _Any_ use of secret indexes has been demonstrated to result in timing
+                 *   sidechannels, even when the cache-line access patterns are uniform.
+                 *  See also:
+                 *   "A word of warning", CHES 2013 Rump Session, by Daniel J. Bernstein and Peter Schwabe
+                 *    (https://cryptojedi.org/peter/data/chesrump-20130822.pdf) and
+                 *   "Cache Attacks and Countermeasures: the Case of AES", RSA 2006,
+                 *    by Dag Arne Osvik, Adi Shamir, and Eran Tromer
+                 *    (http://www.tau.ac.il/~tromer/papers/cache.pdf)
+                 */
                 secp256k1_ge_storage_cmov(&adds, &(*ctx->prec)[block][index], index == abs);
             }
 
@@ -278,32 +210,6 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
     memset(recoded, 0, sizeof(recoded));
     abs = 0;
 
-#else
-    int i, j;
-    memset(&adds, 0, sizeof(adds));
-    *r = ctx->initial;
-    /* Blind scalar/point multiplication by computing (n-b)G + bG instead of nG. */
-    secp256k1_scalar_add(&gnb, gn, &ctx->blind);
-    add.infinity = 0;
-    for (j = 0; j < ECMULT_GEN_PREC_N; j++) {
-        bits = secp256k1_scalar_get_bits(&gnb, j * ECMULT_GEN_PREC_B, ECMULT_GEN_PREC_B);
-        for (i = 0; i < ECMULT_GEN_PREC_G; i++) {
-            /** This uses a conditional move to avoid any secret data in array indexes.
-             *   _Any_ use of secret indexes has been demonstrated to result in timing
-             *   sidechannels, even when the cache-line access patterns are uniform.
-             *  See also:
-             *   "A word of warning", CHES 2013 Rump Session, by Daniel J. Bernstein and Peter Schwabe
-             *    (https://cryptojedi.org/peter/data/chesrump-20130822.pdf) and
-             *   "Cache Attacks and Countermeasures: the Case of AES", RSA 2006,
-             *    by Dag Arne Osvik, Adi Shamir, and Eran Tromer
-             *    (http://www.tau.ac.il/~tromer/papers/cache.pdf)
-             */
-            secp256k1_ge_storage_cmov(&adds, &(*ctx->prec)[j][i], i == bits);
-        }
-        secp256k1_ge_from_storage(&add, &adds);
-        secp256k1_gej_add_ge(r, r, &add);
-    }
-#endif
     bits = 0;
     secp256k1_ge_clear(&add);
     memset(&adds, 0, sizeof(adds));
@@ -312,9 +218,7 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
 
 /* Setup blinding values for secp256k1_ecmult_gen. */
 static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32) {
-#if USE_COMB
     int spacing;
-#endif
     secp256k1_scalar b;
     secp256k1_gej gb;
     secp256k1_fe s;
@@ -327,13 +231,11 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
         secp256k1_gej_set_ge(&ctx->initial, &secp256k1_ge_const_g);
         secp256k1_gej_neg(&ctx->initial, &ctx->initial);
         secp256k1_scalar_set_int(&ctx->blind, 1);
-#if USE_COMB
         for (spacing = 1; spacing < COMB_SPACING; ++spacing) {
             secp256k1_scalar_add(&ctx->blind, &ctx->blind, &ctx->blind);
         }
 #if COMB_OFFSET
         secp256k1_gej_add_ge(&ctx->initial, &ctx->initial, &ctx->offset);
-#endif
 #endif
     }
     /* The prior blinding value (if not reset) is chained forward by including it in the hash. */
@@ -369,13 +271,11 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
     secp256k1_scalar_negate(&b, &b);
     ctx->blind = b;
     ctx->initial = gb;
-#if USE_COMB
     for (spacing = 1; spacing < COMB_SPACING; ++spacing) {
         secp256k1_scalar_add(&ctx->blind, &ctx->blind, &ctx->blind);
     }
 #if COMB_OFFSET
     secp256k1_gej_add_ge(&ctx->initial, &ctx->initial, &ctx->offset);
-#endif
 #endif
     secp256k1_scalar_clear(&b);
     secp256k1_gej_clear(&gb);

src/gen_context.c

@@ -38,16 +38,11 @@ int main(int argc, char **argv) {
     FILE* fp;
     const char *SC_FORMAT = "    SC(%uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu)";
 
-#if USE_COMB
     const int blocks = COMB_BLOCKS;
     const int points = COMB_POINTS;
 #if COMB_OFFSET
     secp256k1_ge_storage offset;
 #endif
-#else
-    const int blocks = ECMULT_GEN_PREC_N;
-    const int points = ECMULT_GEN_PREC_G;
-#endif
 
     (void)argc;
     (void)argv;
@@ -62,31 +57,20 @@ int main(int argc, char **argv) {
     fprintf(fp, "#define _SECP256K1_ECMULT_STATIC_CONTEXT_\n");
     fprintf(fp, "#include \"src/group.h\"\n");
     fprintf(fp, "#define SC SECP256K1_GE_STORAGE_CONST\n");
-    fprintf(fp, "#if USE_COMB != %i\n", USE_COMB);
-    fprintf(fp, "   #error configuration mismatch, invalid USE_COMB. Try deleting ecmult_static_context.h before the build.\n");
-    fprintf(fp, "#endif\n");
-#if USE_COMB
     fprintf(fp, "#if COMB_BLOCKS != %i || COMB_TEETH != %i || COMB_SPACING != %i || COMB_NEGATION != %i\n", COMB_BLOCKS, COMB_TEETH, COMB_SPACING, COMB_NEGATION);
     fprintf(fp, "   #error configuration mismatch, invalid COMB_BLOCKS, COMB_TEETH, COMB_SPACING, or COMB_NEGATION. Try deleting ecmult_static_context.h before the build.\n");
     fprintf(fp, "#endif\n");
-#else
-    fprintf(fp, "#if ECMULT_GEN_PREC_N != %d || ECMULT_GEN_PREC_G != %d\n", ECMULT_GEN_PREC_N, ECMULT_GEN_PREC_G);
-    fprintf(fp, "   #error configuration mismatch, invalid ECMULT_GEN_PREC_N, ECMULT_GEN_PREC_G. Try deleting ecmult_static_context.h before the build.\n");
-    fprintf(fp, "#endif\n");
-#endif
 
     base = checked_malloc(&default_error_callback, SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE);
     prealloc = base;
     secp256k1_ecmult_gen_context_init(&ctx);
     secp256k1_ecmult_gen_context_build(&ctx, &prealloc);
 
-#if USE_COMB
 #if COMB_OFFSET
     secp256k1_ge_to_storage(&offset, &ctx.offset);
     fprintf(fp, "static const secp256k1_ge_storage secp256k1_ecmult_gen_ctx_offset =\n");
     fprintf(fp, SC_FORMAT, SECP256K1_GE_STORAGE_CONST_GET(offset));
     fprintf(fp, ";\n");
-#endif
 #endif
 
     fprintf(fp, "static const secp256k1_ge_storage secp256k1_ecmult_gen_ctx_prec[%i][%i] = {\n", blocks, points);