bitcoin-core
diff --git a/‎.cirrus.yml
+1-1 b/‎.cirrus.yml
+1-1
diff --git a/‎.github/workflows/ci.yml
+9-9 b/‎.github/workflows/ci.yml
+9-9
diff --git a/‎CHANGELOG.md
+5 b/‎CHANGELOG.md
+5
diff --git a/‎CMakeLists.txt
+16-7 b/‎CMakeLists.txt
+16-7
diff --git a/‎ci/ci.sh
+2-2 b/‎ci/ci.sh
+2-2
diff --git a/‎configure.ac
+20-15 b/‎configure.ac
+20-15
diff --git a/‎src/ecmult_const_impl.h
+2-2 b/‎src/ecmult_const_impl.h
+2-2
diff --git a/‎src/ecmult_gen.h
+108-13 b/‎src/ecmult_gen.h
+108-13
diff --git a/‎src/ecmult_gen_compute_table.h
+2-2 b/‎src/ecmult_gen_compute_table.h
+2-2
@@ -11,7 +11,7 @@ env:
   BUILD: check
   ### secp256k1 config
   ECMULTWINDOW: auto
-  ECMULTGENPRECISION: auto
+  ECMULTGENKB: auto
   ASM: no
   WIDEMUL: auto
   WITH_VALGRIND: yes
 
@@ -22,7 +22,7 @@ env:
   BUILD: 'check'
   ### secp256k1 config
   ECMULTWINDOW: 'auto'
-  ECMULTGENPRECISION: 'auto'
+  ECMULTGENKB: 'auto'
   ASM: 'no'
   WIDEMUL: 'auto'
   WITH_VALGRIND: 'yes'
@@ -83,8 +83,8 @@ jobs:
           - env_vars: { CPPFLAGS: '-DDETERMINISTIC' }
           - env_vars: { CFLAGS: '-O0', CTIMETESTS: 'no' }
           - env_vars: { CFLAGS: '-O1',     RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes' }
-          - env_vars: { ECMULTGENPRECISION: 2, ECMULTWINDOW: 2 }
-          - env_vars: { ECMULTGENPRECISION: 8, ECMULTWINDOW: 4 }
+          - env_vars: { ECMULTGENKB: 2, ECMULTWINDOW: 2 }
+          - env_vars: { ECMULTGENKB: 86, ECMULTWINDOW: 4 }
         cc:
           - 'gcc'
           - 'clang'
@@ -377,8 +377,8 @@ jobs:
         configuration:
           - env_vars: { CC: 'clang',                                      ASM: 'auto' }
           - env_vars: { CC: 'i686-linux-gnu-gcc', HOST: 'i686-linux-gnu', ASM: 'auto' }
-          - env_vars: { CC: 'clang',                                      ASM: 'no', ECMULTGENPRECISION: 2, ECMULTWINDOW: 2 }
-          - env_vars: { CC: 'i686-linux-gnu-gcc', HOST: 'i686-linux-gnu', ASM: 'no', ECMULTGENPRECISION: 2, ECMULTWINDOW: 2 }
+          - env_vars: { CC: 'clang',                                      ASM: 'no', ECMULTGENKB: 2, ECMULTWINDOW: 2 }
+          - env_vars: { CC: 'i686-linux-gnu-gcc', HOST: 'i686-linux-gnu', ASM: 'no', ECMULTGENKB: 2, ECMULTWINDOW: 2 }
 
     env:
       # The `--error-exitcode` is required to make the test fail if valgrind found errors,
@@ -431,8 +431,8 @@ jobs:
         configuration:
           - env_vars: { CC: 'clang',                                      ASM: 'auto' }
           - env_vars: { CC: 'i686-linux-gnu-gcc', HOST: 'i686-linux-gnu', ASM: 'auto' }
-          - env_vars: { CC: 'clang',                                      ASM: 'no', ECMULTGENPRECISION: 2, ECMULTWINDOW: 2 }
-          - env_vars: { CC: 'i686-linux-gnu-gcc', HOST: 'i686-linux-gnu', ASM: 'no', ECMULTGENPRECISION: 2, ECMULTWINDOW: 2 }
+          - env_vars: { CC: 'clang',                                      ASM: 'no', ECMULTGENKB: 2, ECMULTWINDOW: 2 }
+          - env_vars: { CC: 'i686-linux-gnu-gcc', HOST: 'i686-linux-gnu', ASM: 'no', ECMULTGENKB: 2, ECMULTWINDOW: 2 }
 
     env:
       ECDH: 'yes'
@@ -487,7 +487,7 @@ jobs:
           - env_vars:
               CFLAGS: '-fsanitize=memory -fsanitize-recover=memory -g'
           - env_vars:
-              ECMULTGENPRECISION: 2
+              ECMULTGENKB: 2
               ECMULTWINDOW: 2
               CFLAGS: '-fsanitize=memory -fsanitize-recover=memory -g -O3'
 
@@ -600,7 +600,7 @@ jobs:
       matrix:
         env_vars:
           - { WIDEMUL: 'int64',  RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes' }
-          - { WIDEMUL: 'int128_struct', ECMULTGENPRECISION: 2, ECMULTWINDOW: 4 }
+          - { WIDEMUL: 'int128_struct', ECMULTGENKB: 2, ECMULTWINDOW: 4 }
           - { WIDEMUL: 'int128',                  ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes' }
           - { WIDEMUL: 'int128', RECOVERY: 'yes' }
           - { WIDEMUL: 'int128', RECOVERY: 'yes', ECDH: 'yes', SCHNORRSIG: 'yes', ELLSWIFT: 'yes' }
 
@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+#### Changed
+ - The implementation of the point multiplication algorithm used for signing and public key generation was changed, resulting in improved performance for those operations.
+   - The related configure option `--ecmult-gen-precision` was replaced with `--ecmult-gen-kb` (`ECMULT_GEN_KB` for CMake).
+   - This changes the supported precomputed table sizes for these operations. The new supported sizes are 2 KiB, 22 KiB, or 86 KiB (while the old supported sizes were 32 KiB, 64 KiB, or 512 KiB).
+
 ## [0.4.1] - 2023-12-21
 
 #### Changed
 
@@ -101,13 +101,22 @@ if(SECP256K1_ECMULT_WINDOW_SIZE STREQUAL "AUTO")
 endif()
 add_compile_definitions(ECMULT_WINDOW_SIZE=${SECP256K1_ECMULT_WINDOW_SIZE})
 
-set(SECP256K1_ECMULT_GEN_PREC_BITS "AUTO" CACHE STRING "Precision bits to tune the precomputed table size for signing, specified as integer 2, 4 or 8. \"AUTO\" is a reasonable setting for desktop machines (currently 4). [default=AUTO]")
-set_property(CACHE SECP256K1_ECMULT_GEN_PREC_BITS PROPERTY STRINGS "AUTO" 2 4 8)
-check_string_option_value(SECP256K1_ECMULT_GEN_PREC_BITS)
-if(SECP256K1_ECMULT_GEN_PREC_BITS STREQUAL "AUTO")
-  set(SECP256K1_ECMULT_GEN_PREC_BITS 4)
+set(SECP256K1_ECMULT_GEN_KB "AUTO" CACHE STRING "The size of the precomputed table for signing in multiples of 1024 bytes (on typical platforms). Larger values result in possibly better signing or key generation performance at the cost of a larger table. Valid choices are 2, 22, 86. \"AUTO\" is a reasonable setting for desktop machines (currently 22). [default=AUTO]")
+set_property(CACHE SECP256K1_ECMULT_GEN_KB PROPERTY STRINGS "AUTO" 2 22 86)
+check_string_option_value(SECP256K1_ECMULT_GEN_KB)
+if(SECP256K1_ECMULT_GEN_KB STREQUAL "AUTO")
+  set(SECP256K1_ECMULT_GEN_KB 22)
+endif()
+if(SECP256K1_ECMULT_GEN_KB EQUAL 2)
+  add_compile_definitions(COMB_BLOCKS=2)
+  add_compile_definitions(COMB_TEETH=5)
+elseif(SECP256K1_ECMULT_GEN_KB EQUAL 22)
+  add_compile_definitions(COMB_BLOCKS=11)
+  add_compile_definitions(COMB_TEETH=6)
+elseif(SECP256K1_ECMULT_GEN_KB EQUAL 86)
+  add_compile_definitions(COMB_BLOCKS=43)
+  add_compile_definitions(COMB_TEETH=6)
 endif()
-add_compile_definitions(ECMULT_GEN_PREC_BITS=${SECP256K1_ECMULT_GEN_PREC_BITS})
 
 set(SECP256K1_TEST_OVERRIDE_WIDE_MULTIPLY "OFF" CACHE STRING "Test-only override of the (autodetected by the C code) \"widemul\" setting. Legal values are: \"OFF\", \"int128_struct\", \"int128\" or \"int64\". [default=OFF]")
 set_property(CACHE SECP256K1_TEST_OVERRIDE_WIDE_MULTIPLY PROPERTY STRINGS "OFF" "int128_struct" "int128" "int64")
@@ -294,7 +303,7 @@ message("  schnorrsig .......................... ${SECP256K1_ENABLE_MODULE_SCHNO
 message("  ElligatorSwift ...................... ${SECP256K1_ENABLE_MODULE_ELLSWIFT}")
 message("Parameters:")
 message("  ecmult window size .................. ${SECP256K1_ECMULT_WINDOW_SIZE}")
-message("  ecmult gen precision bits ........... ${SECP256K1_ECMULT_GEN_PREC_BITS}")
+message("  ecmult gen table size ............... ${SECP256K1_ECMULT_GEN_KB} KiB")
 message("Optional features:")
 message("  assembly ............................ ${SECP256K1_ASM}")
 message("  external callbacks .................. ${SECP256K1_USE_EXTERNAL_DEFAULT_CALLBACKS}")
 
@@ -12,7 +12,7 @@ print_environment() {
     # There are many ways to print variable names and their content. This one
     # does not rely on bash.
     for var in WERROR_CFLAGS MAKEFLAGS BUILD \
-            ECMULTWINDOW ECMULTGENPRECISION ASM WIDEMUL WITH_VALGRIND EXTRAFLAGS \
+            ECMULTWINDOW ECMULTGENKB ASM WIDEMUL WITH_VALGRIND EXTRAFLAGS \
             EXPERIMENTAL ECDH RECOVERY SCHNORRSIG ELLSWIFT \
             SECP256K1_TEST_ITERS BENCH SECP256K1_BENCH_ITERS CTIMETESTS\
             EXAMPLES \
@@ -74,7 +74,7 @@ esac
     --enable-experimental="$EXPERIMENTAL" \
     --with-test-override-wide-multiply="$WIDEMUL" --with-asm="$ASM" \
     --with-ecmult-window="$ECMULTWINDOW" \
-    --with-ecmult-gen-precision="$ECMULTGENPRECISION" \
+    --with-ecmult-gen-kb="$ECMULTGENKB" \
     --enable-module-ecdh="$ECDH" --enable-module-recovery="$RECOVERY" \
     --enable-module-ellswift="$ELLSWIFT" \
     --enable-module-schnorrsig="$SCHNORRSIG" \
 
@@ -213,13 +213,12 @@ AC_ARG_WITH([ecmult-window], [AS_HELP_STRING([--with-ecmult-window=SIZE|auto],
 )],
 [req_ecmult_window=$withval], [req_ecmult_window=auto])
 
-AC_ARG_WITH([ecmult-gen-precision], [AS_HELP_STRING([--with-ecmult-gen-precision=2|4|8|auto],
-[Precision bits to tune the precomputed table size for signing.]
-[The size of the table is 32kB for 2 bits, 64kB for 4 bits, 512kB for 8 bits of precision.]
-[A larger table size usually results in possible faster signing.]
-["auto" is a reasonable setting for desktop machines (currently 4). [default=auto]]
+AC_ARG_WITH([ecmult-gen-kb], [AS_HELP_STRING([--with-ecmult-gen-kb=2|22|86|auto],
+[The size of the precomputed table for signing in multiples of 1024 bytes (on typical platforms).]
+[Larger values result in possibly better signing/keygeneration performance at the cost of a larger table.]
+["auto" is a reasonable setting for desktop machines (currently 22). [default=auto]]
 )],
-[req_ecmult_gen_precision=$withval], [req_ecmult_gen_precision=auto])
+[req_ecmult_gen_kb=$withval], [req_ecmult_gen_kb=auto])
 
 AC_ARG_WITH([valgrind], [AS_HELP_STRING([--with-valgrind=yes|no|auto],
 [Build with extra checks for running inside Valgrind [default=auto]]
@@ -358,19 +357,25 @@ case $set_ecmult_window in
   ;;
 esac
 
-# Set ecmult gen precision
-if test x"$req_ecmult_gen_precision" = x"auto"; then
-  set_ecmult_gen_precision=4
+# Set ecmult gen kb
+if test x"$req_ecmult_gen_kb" = x"auto"; then
+  set_ecmult_gen_kb=22
 else
-  set_ecmult_gen_precision=$req_ecmult_gen_precision
+  set_ecmult_gen_kb=$req_ecmult_gen_kb
 fi
 
-case $set_ecmult_gen_precision in
-2|4|8)
-  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DECMULT_GEN_PREC_BITS=$set_ecmult_gen_precision"
+case $set_ecmult_gen_kb in
+2)
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DCOMB_BLOCKS=2 -DCOMB_TEETH=5"
+  ;;
+22)
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DCOMB_BLOCKS=11 -DCOMB_TEETH=6"
+  ;;
+86)
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DCOMB_BLOCKS=43 -DCOMB_TEETH=6"
   ;;
 *)
-  AC_MSG_ERROR(['ecmult gen precision not 2, 4, 8 or "auto"'])
+  AC_MSG_ERROR(['ecmult gen table size not 2, 22, 86 or "auto"'])
   ;;
 esac
 
@@ -475,7 +480,7 @@ echo "  module ellswift         = $enable_module_ellswift"
 echo
 echo "  asm                     = $set_asm"
 echo "  ecmult window size      = $set_ecmult_window"
-echo "  ecmult gen prec. bits   = $set_ecmult_gen_precision"
+echo "  ecmult gen table size   = $set_ecmult_gen_kb KiB"
 # Hide test-only options unless they're used.
 if test x"$set_widemul" != xauto; then
 echo "  wide multiplication     = $set_widemul"
 
@@ -214,8 +214,8 @@ static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, cons
 #ifdef VERIFY
     /* Verify that v1 and v2 are in range [0, 2^129-1]. */
     for (i = 129; i < 256; ++i) {
-        VERIFY_CHECK(secp256k1_scalar_get_bits(&v1, i, 1) == 0);
-        VERIFY_CHECK(secp256k1_scalar_get_bits(&v2, i, 1) == 0);
+        VERIFY_CHECK(secp256k1_scalar_get_bits_limb32(&v1, i, 1) == 0);
+        VERIFY_CHECK(secp256k1_scalar_get_bits_limb32(&v2, i, 1) == 0);
     }
 #endif
 
 
@@ -1,5 +1,5 @@
 /***********************************************************************
- * Copyright (c) 2013, 2014 Pieter Wuille                              *
+ * Copyright (c) Pieter Wuille, Peter Dettman                          *
  * Distributed under the MIT software license, see the accompanying    *
  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
  ***********************************************************************/
@@ -10,31 +10,126 @@
 #include "scalar.h"
 #include "group.h"
 
-#ifndef ECMULT_GEN_PREC_BITS
-#  define ECMULT_GEN_PREC_BITS 4
+
+/* Configuration parameters for the signed-digit multi-comb algorithm:
+ *
+ * - COMB_BLOCKS is the number of blocks the input is split into. Each
+ *   has a corresponding table.
+ * - COMB_TEETH is the number of bits simultaneously covered by one table.
+ * - COMB_RANGE is the number of bits in supported scalars. For production
+ *   purposes, only 256 is reasonable, but smaller numbers are supported for
+ *   exhaustive test mode.
+ *
+ * The comb's spacing (COMB_SPACING), or the distance between the teeth,
+ * is defined as ceil(COMB_RANGE / (COMB_BLOCKS * COMB_TEETH)). Each block covers
+ * COMB_SPACING * COMB_TEETH consecutive bits in the input.
+ *
+ * The size of the precomputed table is COMB_BLOCKS * (1 << (COMB_TEETH - 1))
+ * secp256k1_ge_storages.
+ *
+ * The number of point additions equals COMB_BLOCKS * COMB_SPACING. Each point
+ * addition involves a cmov from (1 << (COMB_TEETH - 1)) table entries and a
+ * conditional negation.
+ *
+ * The number of point doublings is COMB_SPACING - 1. */
+
+#if defined(EXHAUSTIVE_TEST_ORDER)
+/* We need to control these values for exhaustive tests because
+ * the table cannot have infinities in them (secp256k1_ge_storage
+ * doesn't support infinities) */
+#  undef COMB_BLOCKS
+#  undef COMB_TEETH
+#  if EXHAUSTIVE_TEST_ORDER == 7
+#    define COMB_RANGE 3
+#    define COMB_BLOCKS 1
+#    define COMB_TEETH 2
+#  elif EXHAUSTIVE_TEST_ORDER == 13
+#    define COMB_RANGE 4
+#    define COMB_BLOCKS 1
+#    define COMB_TEETH 2
+#  elif EXHAUSTIVE_TEST_ORDER == 199
+#    define COMB_RANGE 8
+#    define COMB_BLOCKS 2
+#    define COMB_TEETH 3
+#  else
+#    error "Unknown exhaustive test order"
+#  endif
+#  if (COMB_RANGE >= 32) || ((EXHAUSTIVE_TEST_ORDER >> (COMB_RANGE - 1)) != 1)
+#    error "COMB_RANGE != ceil(log2(EXHAUSTIVE_TEST_ORDER+1))"
+#  endif
+#else /* !defined(EXHAUSTIVE_TEST_ORDER) */
+#  define COMB_RANGE 256
+#endif /* defined(EXHAUSTIVE_TEST_ORDER) */
+
+/* Use (11, 6) as default configuration, which results in a 22 kB table. */
+#ifndef COMB_BLOCKS
+#  define COMB_BLOCKS 11
 #  ifdef DEBUG_CONFIG
-#     pragma message DEBUG_CONFIG_MSG("ECMULT_GEN_PREC_BITS undefined, assuming default value")
+#    pragma message DEBUG_CONFIG_MSG("COMB_BLOCKS undefined, assuming default value")
 #  endif
 #endif
+#ifndef COMB_TEETH
+#  define COMB_TEETH 6
+#  ifdef DEBUG_CONFIG
+#    pragma message DEBUG_CONFIG_MSG("COMB_TEETH undefined, assuming default value")
+#  endif
+#endif
+/* Use ceil(COMB_RANGE / (COMB_BLOCKS * COMB_TEETH)) as COMB_SPACING. */
+#define COMB_SPACING CEIL_DIV(COMB_RANGE, COMB_BLOCKS * COMB_TEETH)
 
-#ifdef DEBUG_CONFIG
-#  pragma message DEBUG_CONFIG_DEF(ECMULT_GEN_PREC_BITS)
+/* Range checks on the parameters. */
+
+/* The remaining COMB_* parameters are derived values, don't modify these. */
+/* - The number of bits covered by all the blocks; must be at least COMB_RANGE. */
+#define COMB_BITS (COMB_BLOCKS * COMB_TEETH * COMB_SPACING)
+/* - The number of entries per table. */
+#define COMB_POINTS (1 << (COMB_TEETH - 1))
+
+/* Sanity checks. */
+#if !(1 <= COMB_BLOCKS && COMB_BLOCKS <= 256)
+#  error "COMB_BLOCKS must be in the range [1, 256]"
+#endif
+#if !(1 <= COMB_TEETH && COMB_TEETH <= 8)
+#  error "COMB_TEETH must be in the range [1, 8]"
+#endif
+#if COMB_BITS < COMB_RANGE
+#  error "COMB_BLOCKS * COMB_TEETH * COMB_SPACING is too low"
 #endif
 
-#if ECMULT_GEN_PREC_BITS != 2 && ECMULT_GEN_PREC_BITS != 4 && ECMULT_GEN_PREC_BITS != 8
-#  error "Set ECMULT_GEN_PREC_BITS to 2, 4 or 8."
+/* These last 2 checks are not strictly required, but prevent gratuitously inefficient
+ * configurations. Note that they compare with 256 rather than COMB_RANGE, so they do
+ * permit somewhat excessive values for the exhaustive test case, where testing with
+ * suboptimal parameters may be desirable. */
+#if (COMB_BLOCKS - 1) * COMB_TEETH * COMB_SPACING >= 256
+#  error "COMB_BLOCKS can be reduced"
+#endif
+#if COMB_BLOCKS * (COMB_TEETH - 1) * COMB_SPACING >= 256
+#  error "COMB_TEETH can be reduced"
 #endif
 
-#define ECMULT_GEN_PREC_G(bits) (1 << bits)
-#define ECMULT_GEN_PREC_N(bits) (256 / bits)
+#ifdef DEBUG_CONFIG
+#  pragma message DEBUG_CONFIG_DEF(COMB_RANGE)
+#  pragma message DEBUG_CONFIG_DEF(COMB_BLOCKS)
+#  pragma message DEBUG_CONFIG_DEF(COMB_TEETH)
+#  pragma message DEBUG_CONFIG_DEF(COMB_SPACING)
+#endif
 
 typedef struct {
     /* Whether the context has been built. */
     int built;
 
-    /* Blinding values used when computing (n-b)G + bG. */
-    secp256k1_scalar blind; /* -b */
-    secp256k1_gej initial;  /* bG */
+    /* Values chosen such that
+     *
+     *   n*G == comb(n + scalar_offset, G/2) + ge_offset.
+     *
+     * This expression lets us use scalar blinding and optimize the comb precomputation. See
+     * ecmult_gen_impl.h for more details. */
+    secp256k1_scalar scalar_offset;
+    secp256k1_ge ge_offset;
+
+    /* Factor used for projective blinding. This value is used to rescale the Z
+     * coordinate of the first table lookup. */
+    secp256k1_fe proj_blind;
 } secp256k1_ecmult_gen_context;
 
 static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context* ctx);
 
@@ -1,5 +1,5 @@
 /***********************************************************************
- * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell       *
+ * Copyright (c) Pieter Wuille, Gregory Maxwell                        *
  * Distributed under the MIT software license, see the accompanying    *
  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
  ***********************************************************************/
@@ -9,6 +9,6 @@
 
 #include "ecmult_gen.h"
 
-static void secp256k1_ecmult_gen_compute_table(secp256k1_ge_storage* table, const secp256k1_ge* gen, int bits);
+static void secp256k1_ecmult_gen_compute_table(secp256k1_ge_storage* table, const secp256k1_ge* gen, int blocks, int teeth, int spacing);
 
 #endif /* SECP256K1_ECMULT_GEN_COMPUTE_TABLE_H */