PRCYCoin  2.0.0.7rc1
P2P Digital Currency
scalar_4x64_impl.h
Go to the documentation of this file.
1 /**********************************************************************
2  * Copyright (c) 2013, 2014 Pieter Wuille *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5  **********************************************************************/
6 
7 #ifndef _SECP256K1_SCALAR_REPR_IMPL_H_
8 #define _SECP256K1_SCALAR_REPR_IMPL_H_
9 
10 typedef unsigned __int128 uint128_t;
11 
12 /* Limbs of the secp256k1 order. */
13 #define SECP256K1_N_0 ((uint64_t)0xBFD25E8CD0364141ULL)
14 #define SECP256K1_N_1 ((uint64_t)0xBAAEDCE6AF48A03BULL)
15 #define SECP256K1_N_2 ((uint64_t)0xFFFFFFFFFFFFFFFEULL)
16 #define SECP256K1_N_3 ((uint64_t)0xFFFFFFFFFFFFFFFFULL)
17 
18 /* Limbs of 2^256 minus the secp256k1 order. */
19 #define SECP256K1_N_C_0 (~SECP256K1_N_0 + 1)
20 #define SECP256K1_N_C_1 (~SECP256K1_N_1)
21 #define SECP256K1_N_C_2 (1)
22 
23 /* Limbs of half the secp256k1 order. */
24 #define SECP256K1_N_H_0 ((uint64_t)0xDFE92F46681B20A0ULL)
25 #define SECP256K1_N_H_1 ((uint64_t)0x5D576E7357A4501DULL)
26 #define SECP256K1_N_H_2 ((uint64_t)0xFFFFFFFFFFFFFFFFULL)
27 #define SECP256K1_N_H_3 ((uint64_t)0x7FFFFFFFFFFFFFFFULL)
28 
29 SECP256K1_INLINE static void secp256k1_scalar_clear(secp256k1_scalar_t *r) {
30  r->d[0] = 0;
31  r->d[1] = 0;
32  r->d[2] = 0;
33  r->d[3] = 0;
34 }
35 
36 SECP256K1_INLINE static void secp256k1_scalar_set_int(secp256k1_scalar_t *r, unsigned int v) {
37  r->d[0] = v;
38  r->d[1] = 0;
39  r->d[2] = 0;
40  r->d[3] = 0;
41 }
42 
43 SECP256K1_INLINE static unsigned int secp256k1_scalar_get_bits(const secp256k1_scalar_t *a, unsigned int offset, unsigned int count) {
44  VERIFY_CHECK((offset + count - 1) >> 6 == offset >> 6);
45  return (a->d[offset >> 6] >> (offset & 0x3F)) & ((((uint64_t)1) << count) - 1);
46 }
47 
48 SECP256K1_INLINE static unsigned int secp256k1_scalar_get_bits_var(const secp256k1_scalar_t *a, unsigned int offset, unsigned int count) {
49  VERIFY_CHECK(count < 32);
50  VERIFY_CHECK(offset + count <= 256);
51  if ((offset + count - 1) >> 6 == offset >> 6) {
52  return secp256k1_scalar_get_bits(a, offset, count);
53  } else {
54  VERIFY_CHECK((offset >> 6) + 1 < 4);
55  return ((a->d[offset >> 6] >> (offset & 0x3F)) | (a->d[(offset >> 6) + 1] << (64 - (offset & 0x3F)))) & ((((uint64_t)1) << count) - 1);
56  }
57 }
58 
59 SECP256K1_INLINE static int secp256k1_scalar_check_overflow(const secp256k1_scalar_t *a) {
60  int yes = 0;
61  int no = 0;
62  no |= (a->d[3] < SECP256K1_N_3); /* No need for a > check. */
63  no |= (a->d[2] < SECP256K1_N_2);
64  yes |= (a->d[2] > SECP256K1_N_2) & ~no;
65  no |= (a->d[1] < SECP256K1_N_1);
66  yes |= (a->d[1] > SECP256K1_N_1) & ~no;
67  yes |= (a->d[0] >= SECP256K1_N_0) & ~no;
68  return yes;
69 }
70 
71 SECP256K1_INLINE static int secp256k1_scalar_reduce(secp256k1_scalar_t *r, unsigned int overflow) {
72  VERIFY_CHECK(overflow <= 1);
73  uint128_t t = (uint128_t)r->d[0] + overflow * SECP256K1_N_C_0;
74  r->d[0] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64;
75  t += (uint128_t)r->d[1] + overflow * SECP256K1_N_C_1;
76  r->d[1] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64;
77  t += (uint128_t)r->d[2] + overflow * SECP256K1_N_C_2;
78  r->d[2] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64;
79  t += (uint64_t)r->d[3];
80  r->d[3] = t & 0xFFFFFFFFFFFFFFFFULL;
81  return overflow;
82 }
83 
84 static int secp256k1_scalar_add(secp256k1_scalar_t *r, const secp256k1_scalar_t *a, const secp256k1_scalar_t *b) {
85  uint128_t t = (uint128_t)a->d[0] + b->d[0];
86  r->d[0] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64;
87  t += (uint128_t)a->d[1] + b->d[1];
88  r->d[1] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64;
89  t += (uint128_t)a->d[2] + b->d[2];
90  r->d[2] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64;
91  t += (uint128_t)a->d[3] + b->d[3];
92  r->d[3] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64;
93  int overflow = t + secp256k1_scalar_check_overflow(r);
94  VERIFY_CHECK(overflow == 0 || overflow == 1);
95  secp256k1_scalar_reduce(r, overflow);
96  return overflow;
97 }
98 
99 static void secp256k1_scalar_add_bit(secp256k1_scalar_t *r, unsigned int bit) {
100  VERIFY_CHECK(bit < 256);
101  uint128_t t = (uint128_t)r->d[0] + (((uint64_t)((bit >> 6) == 0)) << (bit & 0x3F));
102  r->d[0] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64;
103  t += (uint128_t)r->d[1] + (((uint64_t)((bit >> 6) == 1)) << (bit & 0x3F));
104  r->d[1] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64;
105  t += (uint128_t)r->d[2] + (((uint64_t)((bit >> 6) == 2)) << (bit & 0x3F));
106  r->d[2] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64;
107  t += (uint128_t)r->d[3] + (((uint64_t)((bit >> 6) == 3)) << (bit & 0x3F));
108  r->d[3] = t & 0xFFFFFFFFFFFFFFFFULL;
109 #ifdef VERIFY
110  VERIFY_CHECK((t >> 64) == 0);
111  VERIFY_CHECK(secp256k1_scalar_check_overflow(r) == 0);
112 #endif
113 }
114 
115 static void secp256k1_scalar_set_b32(secp256k1_scalar_t *r, const unsigned char *b32, int *overflow) {
116  r->d[0] = (uint64_t)b32[31] | (uint64_t)b32[30] << 8 | (uint64_t)b32[29] << 16 | (uint64_t)b32[28] << 24 | (uint64_t)b32[27] << 32 | (uint64_t)b32[26] << 40 | (uint64_t)b32[25] << 48 | (uint64_t)b32[24] << 56;
117  r->d[1] = (uint64_t)b32[23] | (uint64_t)b32[22] << 8 | (uint64_t)b32[21] << 16 | (uint64_t)b32[20] << 24 | (uint64_t)b32[19] << 32 | (uint64_t)b32[18] << 40 | (uint64_t)b32[17] << 48 | (uint64_t)b32[16] << 56;
118  r->d[2] = (uint64_t)b32[15] | (uint64_t)b32[14] << 8 | (uint64_t)b32[13] << 16 | (uint64_t)b32[12] << 24 | (uint64_t)b32[11] << 32 | (uint64_t)b32[10] << 40 | (uint64_t)b32[9] << 48 | (uint64_t)b32[8] << 56;
119  r->d[3] = (uint64_t)b32[7] | (uint64_t)b32[6] << 8 | (uint64_t)b32[5] << 16 | (uint64_t)b32[4] << 24 | (uint64_t)b32[3] << 32 | (uint64_t)b32[2] << 40 | (uint64_t)b32[1] << 48 | (uint64_t)b32[0] << 56;
120  int over = secp256k1_scalar_reduce(r, secp256k1_scalar_check_overflow(r));
121  if (overflow) {
122  *overflow = over;
123  }
124 }
125 
126 static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar_t* a) {
127  bin[0] = a->d[3] >> 56; bin[1] = a->d[3] >> 48; bin[2] = a->d[3] >> 40; bin[3] = a->d[3] >> 32; bin[4] = a->d[3] >> 24; bin[5] = a->d[3] >> 16; bin[6] = a->d[3] >> 8; bin[7] = a->d[3];
128  bin[8] = a->d[2] >> 56; bin[9] = a->d[2] >> 48; bin[10] = a->d[2] >> 40; bin[11] = a->d[2] >> 32; bin[12] = a->d[2] >> 24; bin[13] = a->d[2] >> 16; bin[14] = a->d[2] >> 8; bin[15] = a->d[2];
129  bin[16] = a->d[1] >> 56; bin[17] = a->d[1] >> 48; bin[18] = a->d[1] >> 40; bin[19] = a->d[1] >> 32; bin[20] = a->d[1] >> 24; bin[21] = a->d[1] >> 16; bin[22] = a->d[1] >> 8; bin[23] = a->d[1];
130  bin[24] = a->d[0] >> 56; bin[25] = a->d[0] >> 48; bin[26] = a->d[0] >> 40; bin[27] = a->d[0] >> 32; bin[28] = a->d[0] >> 24; bin[29] = a->d[0] >> 16; bin[30] = a->d[0] >> 8; bin[31] = a->d[0];
131 }
132 
133 SECP256K1_INLINE static int secp256k1_scalar_is_zero(const secp256k1_scalar_t *a) {
134  return (a->d[0] | a->d[1] | a->d[2] | a->d[3]) == 0;
135 }
136 
137 static void secp256k1_scalar_negate(secp256k1_scalar_t *r, const secp256k1_scalar_t *a) {
138  uint64_t nonzero = 0xFFFFFFFFFFFFFFFFULL * (secp256k1_scalar_is_zero(a) == 0);
139  uint128_t t = (uint128_t)(~a->d[0]) + SECP256K1_N_0 + 1;
140  r->d[0] = t & nonzero; t >>= 64;
141  t += (uint128_t)(~a->d[1]) + SECP256K1_N_1;
142  r->d[1] = t & nonzero; t >>= 64;
143  t += (uint128_t)(~a->d[2]) + SECP256K1_N_2;
144  r->d[2] = t & nonzero; t >>= 64;
145  t += (uint128_t)(~a->d[3]) + SECP256K1_N_3;
146  r->d[3] = t & nonzero;
147 }
148 
149 SECP256K1_INLINE static int secp256k1_scalar_is_one(const secp256k1_scalar_t *a) {
150  return ((a->d[0] ^ 1) | a->d[1] | a->d[2] | a->d[3]) == 0;
151 }
152 
153 static int secp256k1_scalar_is_high(const secp256k1_scalar_t *a) {
154  int yes = 0;
155  int no = 0;
156  no |= (a->d[3] < SECP256K1_N_H_3);
157  yes |= (a->d[3] > SECP256K1_N_H_3) & ~no;
158  no |= (a->d[2] < SECP256K1_N_H_2) & ~yes; /* No need for a > check. */
159  no |= (a->d[1] < SECP256K1_N_H_1) & ~yes;
160  yes |= (a->d[1] > SECP256K1_N_H_1) & ~no;
161  yes |= (a->d[0] > SECP256K1_N_H_0) & ~no;
162  return yes;
163 }
164 
165 /* Inspired by the macros in OpenSSL's crypto/bn/asm/x86_64-gcc.c. */
166 
168 #define muladd(a,b) { \
169  uint64_t tl, th; \
170  { \
171  uint128_t t = (uint128_t)a * b; \
172  th = t >> 64; /* at most 0xFFFFFFFFFFFFFFFE */ \
173  tl = t; \
174  } \
175  c0 += tl; /* overflow is handled on the next line */ \
176  th += (c0 < tl) ? 1 : 0; /* at most 0xFFFFFFFFFFFFFFFF */ \
177  c1 += th; /* overflow is handled on the next line */ \
178  c2 += (c1 < th) ? 1 : 0; /* never overflows by contract (verified in the next line) */ \
179  VERIFY_CHECK((c1 >= th) || (c2 != 0)); \
180 }
181 
183 #define muladd_fast(a,b) { \
184  uint64_t tl, th; \
185  { \
186  uint128_t t = (uint128_t)a * b; \
187  th = t >> 64; /* at most 0xFFFFFFFFFFFFFFFE */ \
188  tl = t; \
189  } \
190  c0 += tl; /* overflow is handled on the next line */ \
191  th += (c0 < tl) ? 1 : 0; /* at most 0xFFFFFFFFFFFFFFFF */ \
192  c1 += th; /* never overflows by contract (verified in the next line) */ \
193  VERIFY_CHECK(c1 >= th); \
194 }
195 
197 #define muladd2(a,b) { \
198  uint64_t tl, th; \
199  { \
200  uint128_t t = (uint128_t)a * b; \
201  th = t >> 64; /* at most 0xFFFFFFFFFFFFFFFE */ \
202  tl = t; \
203  } \
204  uint64_t th2 = th + th; /* at most 0xFFFFFFFFFFFFFFFE (in case th was 0x7FFFFFFFFFFFFFFF) */ \
205  c2 += (th2 < th) ? 1 : 0; /* never overflows by contract (verified the next line) */ \
206  VERIFY_CHECK((th2 >= th) || (c2 != 0)); \
207  uint64_t tl2 = tl + tl; /* at most 0xFFFFFFFFFFFFFFFE (in case the lowest 63 bits of tl were 0x7FFFFFFFFFFFFFFF) */ \
208  th2 += (tl2 < tl) ? 1 : 0; /* at most 0xFFFFFFFFFFFFFFFF */ \
209  c0 += tl2; /* overflow is handled on the next line */ \
210  th2 += (c0 < tl2) ? 1 : 0; /* second overflow is handled on the next line */ \
211  c2 += (c0 < tl2) & (th2 == 0); /* never overflows by contract (verified the next line) */ \
212  VERIFY_CHECK((c0 >= tl2) || (th2 != 0) || (c2 != 0)); \
213  c1 += th2; /* overflow is handled on the next line */ \
214  c2 += (c1 < th2) ? 1 : 0; /* never overflows by contract (verified the next line) */ \
215  VERIFY_CHECK((c1 >= th2) || (c2 != 0)); \
216 }
217 
219 #define sumadd(a) { \
220  c0 += (a); /* overflow is handled on the next line */ \
221  unsigned int over = (c0 < (a)) ? 1 : 0; \
222  c1 += over; /* overflow is handled on the next line */ \
223  c2 += (c1 < over) ? 1 : 0; /* never overflows by contract */ \
224 }
225 
227 #define sumadd_fast(a) { \
228  c0 += (a); /* overflow is handled on the next line */ \
229  c1 += (c0 < (a)) ? 1 : 0; /* never overflows by contract (verified the next line) */ \
230  VERIFY_CHECK((c1 != 0) | (c0 >= (a))); \
231  VERIFY_CHECK(c2 == 0); \
232 }
233 
235 #define extract(n) { \
236  (n) = c0; \
237  c0 = c1; \
238  c1 = c2; \
239  c2 = 0; \
240 }
241 
243 #define extract_fast(n) { \
244  (n) = c0; \
245  c0 = c1; \
246  c1 = 0; \
247  VERIFY_CHECK(c2 == 0); \
248 }
249 
250 static void secp256k1_scalar_reduce_512(secp256k1_scalar_t *r, const uint64_t *l) {
251  uint64_t n0 = l[4], n1 = l[5], n2 = l[6], n3 = l[7];
252 
253  /* 160 bit accumulator. */
254  uint64_t c0, c1;
255  uint32_t c2;
256 
257  /* Reduce 512 bits into 385. */
258  /* m[0..6] = l[0..3] + n[0..3] * SECP256K1_N_C. */
259  c0 = l[0]; c1 = 0; c2 = 0;
260  muladd_fast(n0, SECP256K1_N_C_0);
261  uint64_t m0; extract_fast(m0);
262  sumadd_fast(l[1]);
263  muladd(n1, SECP256K1_N_C_0);
264  muladd(n0, SECP256K1_N_C_1);
265  uint64_t m1; extract(m1);
266  sumadd(l[2]);
267  muladd(n2, SECP256K1_N_C_0);
268  muladd(n1, SECP256K1_N_C_1);
269  sumadd(n0);
270  uint64_t m2; extract(m2);
271  sumadd(l[3]);
272  muladd(n3, SECP256K1_N_C_0);
273  muladd(n2, SECP256K1_N_C_1);
274  sumadd(n1);
275  uint64_t m3; extract(m3);
276  muladd(n3, SECP256K1_N_C_1);
277  sumadd(n2);
278  uint64_t m4; extract(m4);
279  sumadd_fast(n3);
280  uint64_t m5; extract_fast(m5);
281  VERIFY_CHECK(c0 <= 1);
282  uint32_t m6 = c0;
283 
284  /* Reduce 385 bits into 258. */
285  /* p[0..4] = m[0..3] + m[4..6] * SECP256K1_N_C. */
286  c0 = m0; c1 = 0; c2 = 0;
287  muladd_fast(m4, SECP256K1_N_C_0);
288  uint64_t p0; extract_fast(p0);
289  sumadd_fast(m1);
290  muladd(m5, SECP256K1_N_C_0);
291  muladd(m4, SECP256K1_N_C_1);
292  uint64_t p1; extract(p1);
293  sumadd(m2);
294  muladd(m6, SECP256K1_N_C_0);
295  muladd(m5, SECP256K1_N_C_1);
296  sumadd(m4);
297  uint64_t p2; extract(p2);
298  sumadd_fast(m3);
299  muladd_fast(m6, SECP256K1_N_C_1);
300  sumadd_fast(m5);
301  uint64_t p3; extract_fast(p3);
302  uint32_t p4 = c0 + m6;
303  VERIFY_CHECK(p4 <= 2);
304 
305  /* Reduce 258 bits into 256. */
306  /* r[0..3] = p[0..3] + p[4] * SECP256K1_N_C. */
307  uint128_t c = p0 + (uint128_t)SECP256K1_N_C_0 * p4;
308  r->d[0] = c & 0xFFFFFFFFFFFFFFFFULL; c >>= 64;
309  c += p1 + (uint128_t)SECP256K1_N_C_1 * p4;
310  r->d[1] = c & 0xFFFFFFFFFFFFFFFFULL; c >>= 64;
311  c += p2 + (uint128_t)p4;
312  r->d[2] = c & 0xFFFFFFFFFFFFFFFFULL; c >>= 64;
313  c += p3;
314  r->d[3] = c & 0xFFFFFFFFFFFFFFFFULL; c >>= 64;
315 
316  /* Final reduction of r. */
317  secp256k1_scalar_reduce(r, c + secp256k1_scalar_check_overflow(r));
318 }
319 
320 static void secp256k1_scalar_mul_512(uint64_t l[8], const secp256k1_scalar_t *a, const secp256k1_scalar_t *b) {
321  /* 160 bit accumulator. */
322  uint64_t c0 = 0, c1 = 0;
323  uint32_t c2 = 0;
324 
325  /* l[0..7] = a[0..3] * b[0..3]. */
326  muladd_fast(a->d[0], b->d[0]);
327  extract_fast(l[0]);
328  muladd(a->d[0], b->d[1]);
329  muladd(a->d[1], b->d[0]);
330  extract(l[1]);
331  muladd(a->d[0], b->d[2]);
332  muladd(a->d[1], b->d[1]);
333  muladd(a->d[2], b->d[0]);
334  extract(l[2]);
335  muladd(a->d[0], b->d[3]);
336  muladd(a->d[1], b->d[2]);
337  muladd(a->d[2], b->d[1]);
338  muladd(a->d[3], b->d[0]);
339  extract(l[3]);
340  muladd(a->d[1], b->d[3]);
341  muladd(a->d[2], b->d[2]);
342  muladd(a->d[3], b->d[1]);
343  extract(l[4]);
344  muladd(a->d[2], b->d[3]);
345  muladd(a->d[3], b->d[2]);
346  extract(l[5]);
347  muladd_fast(a->d[3], b->d[3]);
348  extract_fast(l[6]);
349  VERIFY_CHECK(c1 <= 0);
350  l[7] = c0;
351 }
352 
353 static void secp256k1_scalar_sqr_512(uint64_t l[8], const secp256k1_scalar_t *a) {
354  /* 160 bit accumulator. */
355  uint64_t c0 = 0, c1 = 0;
356  uint32_t c2 = 0;
357 
358  /* l[0..7] = a[0..3] * b[0..3]. */
359  muladd_fast(a->d[0], a->d[0]);
360  extract_fast(l[0]);
361  muladd2(a->d[0], a->d[1]);
362  extract(l[1]);
363  muladd2(a->d[0], a->d[2]);
364  muladd(a->d[1], a->d[1]);
365  extract(l[2]);
366  muladd2(a->d[0], a->d[3]);
367  muladd2(a->d[1], a->d[2]);
368  extract(l[3]);
369  muladd2(a->d[1], a->d[3]);
370  muladd(a->d[2], a->d[2]);
371  extract(l[4]);
372  muladd2(a->d[2], a->d[3]);
373  extract(l[5]);
374  muladd_fast(a->d[3], a->d[3]);
375  extract_fast(l[6]);
376  VERIFY_CHECK(c1 == 0);
377  l[7] = c0;
378 }
379 
380 #undef sumadd
381 #undef sumadd_fast
382 #undef muladd
383 #undef muladd_fast
384 #undef muladd2
385 #undef extract
386 #undef extract_fast
387 
388 static void secp256k1_scalar_mul(secp256k1_scalar_t *r, const secp256k1_scalar_t *a, const secp256k1_scalar_t *b) {
389  uint64_t l[8];
390  secp256k1_scalar_mul_512(l, a, b);
391  secp256k1_scalar_reduce_512(r, l);
392 }
393 
394 static void secp256k1_scalar_sqr(secp256k1_scalar_t *r, const secp256k1_scalar_t *a) {
395  uint64_t l[8];
396  secp256k1_scalar_sqr_512(l, a);
397  secp256k1_scalar_reduce_512(r, l);
398 }
399 
400 static void secp256k1_scalar_split_128(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a) {
401  r1->d[0] = a->d[0];
402  r1->d[1] = a->d[1];
403  r1->d[2] = 0;
404  r1->d[3] = 0;
405  r2->d[0] = a->d[2];
406  r2->d[1] = a->d[3];
407  r2->d[2] = 0;
408  r2->d[3] = 0;
409 }
410 
411 SECP256K1_INLINE static int secp256k1_scalar_eq(const secp256k1_scalar_t *a, const secp256k1_scalar_t *b) {
412  return ((a->d[0] ^ b->d[0]) | (a->d[1] ^ b->d[1]) | (a->d[2] ^ b->d[2]) | (a->d[3] ^ b->d[3])) == 0;
413 }
414 
415 SECP256K1_INLINE static void secp256k1_scalar_mul_shift_var(secp256k1_scalar_t *r, const secp256k1_scalar_t *a, const secp256k1_scalar_t *b, unsigned int shift) {
416  VERIFY_CHECK(shift >= 256);
417  uint64_t l[8];
418  secp256k1_scalar_mul_512(l, a, b);
419  unsigned int shiftlimbs = shift >> 6;
420  unsigned int shiftlow = shift & 0x3F;
421  unsigned int shifthigh = 64 - shiftlow;
422  r->d[0] = shift < 512 ? (l[0 + shiftlimbs] >> shiftlow | (shift < 448 && shiftlow ? (l[1 + shiftlimbs] << shifthigh) : 0)) : 0;
423  r->d[1] = shift < 448 ? (l[1 + shiftlimbs] >> shiftlow | (shift < 384 && shiftlow ? (l[2 + shiftlimbs] << shifthigh) : 0)) : 0;
424  r->d[2] = shift < 384 ? (l[2 + shiftlimbs] >> shiftlow | (shift < 320 && shiftlow ? (l[3 + shiftlimbs] << shifthigh) : 0)) : 0;
425  r->d[3] = shift < 320 ? (l[3 + shiftlimbs] >> shiftlow) : 0;
426  if ((l[(shift - 1) >> 6] >> ((shift - 1) & 0x3f)) & 1) {
427  secp256k1_scalar_add_bit(r, 0);
428  }
429 }
430 
431 #endif
uint128_t
unsigned __int128 uint128_t
Definition: scalar_4x64_impl.h:10
VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:61
extract
#define extract(n)
Extract the lowest 64 bits of (c0,c1,c2) into n, and left shift the number 64 bits.
Definition: scalar_4x64_impl.h:235
extract_fast
#define extract_fast(n)
Extract the lowest 64 bits of (c0,c1,c2) into n, and left shift the number 64 bits.
Definition: scalar_4x64_impl.h:243
b
void const uint64_t * b
Definition: field_5x52_asm_impl.h:10
sumadd
#define sumadd(a)
Add a to the number defined by (c0,c1,c2).
Definition: scalar_4x64_impl.h:219
SECP256K1_N_H_2
#define SECP256K1_N_H_2
Definition: scalar_4x64_impl.h:26
secp256k1_scalar_t::d
uint64_t d[4]
Definition: scalar_4x64.h:18
SECP256K1_N_0
#define SECP256K1_N_0
Definition: scalar_4x64_impl.h:13
muladd
#define muladd(a, b)
Add a*b to the number defined by (c0,c1,c2).
Definition: scalar_4x64_impl.h:168
r
void const uint64_t uint64_t * r
Definition: field_5x52_asm_impl.h:10
SECP256K1_N_1
#define SECP256K1_N_1
Definition: scalar_4x64_impl.h:14
SECP256K1_N_C_1
#define SECP256K1_N_C_1
Definition: scalar_4x64_impl.h:20
SECP256K1_N_C_2
#define SECP256K1_N_C_2
Definition: scalar_4x64_impl.h:21
zxcvbn::no
const auto no
Definition: adjacency_graphs.cpp:17
muladd_fast
#define muladd_fast(a, b)
Add a*b to the number defined by (c0,c1).
Definition: scalar_4x64_impl.h:183
sumadd_fast
#define sumadd_fast(a)
Add a to the number defined by (c0,c1).
Definition: scalar_4x64_impl.h:227
SECP256K1_N_2
#define SECP256K1_N_2
Definition: scalar_4x64_impl.h:15
SECP256K1_N_H_0
#define SECP256K1_N_H_0
Definition: scalar_4x64_impl.h:24
SECP256K1_N_H_3
#define SECP256K1_N_H_3
Definition: scalar_4x64_impl.h:27
SECP256K1_N_3
#define SECP256K1_N_3
Definition: scalar_4x64_impl.h:16
muladd2
#define muladd2(a, b)
Add 2*a*b to the number defined by (c0,c1,c2).
Definition: scalar_4x64_impl.h:197
SECP256K1_N_H_1
#define SECP256K1_N_H_1
Definition: scalar_4x64_impl.h:25
SECP256K1_INLINE
#define SECP256K1_INLINE
Definition: secp256k1.h:23
secp256k1_scalar_t
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
SECP256K1_N_C_0
#define SECP256K1_N_C_0
Definition: scalar_4x64_impl.h:19
Generated on Tue Apr 28 2026 00:02:59 for PRCYCoin by   doxygen 1.8.17