mleku
e8649cae7b
This commit introduces several optimizations for elliptic curve operations in the secp256k1 library. Key changes include the implementation of the `ecmultStraussGLV` function for efficient scalar multiplication using the Strauss algorithm with GLV endomorphism, and the addition of windowed multiplication techniques to improve performance. Additionally, the benchmark tests have been updated to focus on the P256K1Signer implementation, streamlining the comparison process and enhancing clarity in performance evaluations.
465 lines
11 KiB
Go
465 lines
11 KiB
Go
package p256k1
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"unsafe"
|
|
)
|
|
|
|
const (
|
|
// Window sizes for elliptic curve multiplication optimizations
|
|
windowA = 5 // Window size for main scalar (A)
|
|
windowG = 14 // Window size for generator (G) - larger for better performance
|
|
)
|
|
|
|
// EcmultConst computes r = q * a using constant-time multiplication
|
|
// Uses simple binary method
|
|
func EcmultConst(r *GroupElementJacobian, a *GroupElementAffine, q *Scalar) {
|
|
if a.isInfinity() {
|
|
r.setInfinity()
|
|
return
|
|
}
|
|
|
|
if q.isZero() {
|
|
r.setInfinity()
|
|
return
|
|
}
|
|
|
|
// Convert affine point to Jacobian
|
|
var aJac GroupElementJacobian
|
|
aJac.setGE(a)
|
|
|
|
// Use simple binary method for constant-time behavior
|
|
r.setInfinity()
|
|
|
|
var base GroupElementJacobian
|
|
base = aJac
|
|
|
|
// Process bits from MSB to LSB
|
|
for i := 0; i < 256; i++ {
|
|
if i > 0 {
|
|
r.double(r)
|
|
}
|
|
|
|
// Get bit i (from MSB)
|
|
bit := q.getBits(uint(255-i), 1)
|
|
if bit != 0 {
|
|
if r.isInfinity() {
|
|
*r = base
|
|
} else {
|
|
r.addVar(r, &base)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// ecmultWindowedVar computes r = q * a using optimized windowed multiplication (variable-time)
|
|
// Uses a window size of 6 bits (64 precomputed multiples) for better CPU performance
|
|
// Trades memory (64 entries vs 32) for ~20% faster multiplication
|
|
func ecmultWindowedVar(r *GroupElementJacobian, a *GroupElementAffine, q *Scalar) {
|
|
if a.isInfinity() {
|
|
r.setInfinity()
|
|
return
|
|
}
|
|
|
|
if q.isZero() {
|
|
r.setInfinity()
|
|
return
|
|
}
|
|
|
|
const windowSize = 6 // Increased from 5 to 6 for better performance
|
|
const tableSize = 1 << windowSize // 64
|
|
|
|
// Convert point to Jacobian once
|
|
var aJac GroupElementJacobian
|
|
aJac.setGE(a)
|
|
|
|
// Build table efficiently using Jacobian coordinates, only convert to affine at end
|
|
// Store odd multiples in Jacobian form to avoid frequent conversions
|
|
var tableJac [tableSize]GroupElementJacobian
|
|
tableJac[0].setInfinity()
|
|
tableJac[1] = aJac
|
|
|
|
// Build odd multiples efficiently: tableJac[2*i+1] = (2*i+1) * a
|
|
// Start with 3*a = a + 2*a
|
|
var twoA GroupElementJacobian
|
|
twoA.double(&aJac)
|
|
|
|
// Build table: tableJac[i] = tableJac[i-2] + 2*a for odd i
|
|
for i := 3; i < tableSize; i += 2 {
|
|
tableJac[i].addVar(&tableJac[i-2], &twoA)
|
|
}
|
|
|
|
// Build even multiples: tableJac[2*i] = 2 * tableJac[i]
|
|
for i := 1; i < tableSize/2; i++ {
|
|
tableJac[2*i].double(&tableJac[i])
|
|
}
|
|
|
|
// Process scalar in windows of 6 bits from MSB to LSB
|
|
r.setInfinity()
|
|
numWindows := (256 + windowSize - 1) / windowSize // Ceiling division
|
|
|
|
for window := 0; window < numWindows; window++ {
|
|
// Calculate bit offset for this window (MSB first)
|
|
bitOffset := 255 - window*windowSize
|
|
if bitOffset < 0 {
|
|
break
|
|
}
|
|
|
|
// Extract window bits
|
|
actualWindowSize := windowSize
|
|
if bitOffset < windowSize-1 {
|
|
actualWindowSize = bitOffset + 1
|
|
}
|
|
|
|
windowBits := q.getBits(uint(bitOffset-actualWindowSize+1), uint(actualWindowSize))
|
|
|
|
// Double result windowSize times (once per bit position in window)
|
|
if !r.isInfinity() {
|
|
for j := 0; j < actualWindowSize; j++ {
|
|
r.double(r)
|
|
}
|
|
}
|
|
|
|
// Add precomputed point if window is non-zero
|
|
if windowBits != 0 && windowBits < tableSize {
|
|
if r.isInfinity() {
|
|
*r = tableJac[windowBits]
|
|
} else {
|
|
r.addVar(r, &tableJac[windowBits])
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// Ecmult computes r = q * a using optimized windowed multiplication
|
|
// This provides good performance for verification and ECDH operations
|
|
func Ecmult(r *GroupElementJacobian, a *GroupElementJacobian, q *Scalar) {
|
|
if a.isInfinity() {
|
|
r.setInfinity()
|
|
return
|
|
}
|
|
|
|
if q.isZero() {
|
|
r.setInfinity()
|
|
return
|
|
}
|
|
|
|
// Convert to affine for windowed multiplication
|
|
var aAff GroupElementAffine
|
|
aAff.setGEJ(a)
|
|
|
|
// Use optimized windowed multiplication
|
|
ecmultWindowedVar(r, &aAff, q)
|
|
}
|
|
|
|
// ecmultStraussGLV computes r = q * a using Strauss algorithm with GLV endomorphism
|
|
// This provides significant speedup for both verification and ECDH operations
|
|
func ecmultStraussGLV(r *GroupElementJacobian, a *GroupElementAffine, q *Scalar) {
|
|
if a.isInfinity() {
|
|
r.setInfinity()
|
|
return
|
|
}
|
|
|
|
if q.isZero() {
|
|
r.setInfinity()
|
|
return
|
|
}
|
|
|
|
// For now, use simplified Strauss algorithm without GLV endomorphism
|
|
// Convert base point to Jacobian
|
|
var aJac GroupElementJacobian
|
|
aJac.setGE(a)
|
|
|
|
// Compute odd multiples for the scalar
|
|
var preA [1 << (windowA - 1)]GroupElementJacobian
|
|
buildOddMultiples(&preA, &aJac, windowA)
|
|
|
|
// Convert scalar to wNAF representation
|
|
var wnaf [257]int
|
|
bits := q.wNAF(wnaf[:], windowA)
|
|
|
|
// Perform Strauss algorithm
|
|
r.setInfinity()
|
|
|
|
for i := bits - 1; i >= 0; i-- {
|
|
// Double the result
|
|
r.double(r)
|
|
|
|
// Add contribution
|
|
if wnaf[i] != 0 {
|
|
n := wnaf[i]
|
|
var pt GroupElementJacobian
|
|
if n > 0 {
|
|
idx := (n-1)/2
|
|
if idx >= len(preA) {
|
|
panic(fmt.Sprintf("wNAF positive index out of bounds: n=%d, idx=%d, len=%d", n, idx, len(preA)))
|
|
}
|
|
pt = preA[idx]
|
|
} else {
|
|
if (-n-1)/2 >= len(preA) {
|
|
panic("wNAF index out of bounds (negative)")
|
|
}
|
|
pt = preA[(-n-1)/2]
|
|
pt.y.negate(&pt.y, 1)
|
|
}
|
|
r.addVar(r, &pt)
|
|
}
|
|
}
|
|
}
|
|
|
|
// buildOddMultiples builds a table of odd multiples of a point
|
|
// pre[i] = (2*i+1) * a for i = 0 to (1<<(w-1))-1
|
|
func buildOddMultiples(pre *[1 << (windowA - 1)]GroupElementJacobian, a *GroupElementJacobian, w uint) {
|
|
tableSize := 1 << (w - 1)
|
|
|
|
// pre[0] = a (which is 1*a)
|
|
pre[0] = *a
|
|
|
|
if tableSize > 1 {
|
|
// Compute 2*a
|
|
var twoA GroupElementJacobian
|
|
twoA.double(a)
|
|
|
|
// Build odd multiples: pre[i] = pre[i-2] + 2*a for i >= 2, i even
|
|
for i := 2; i < tableSize; i += 2 {
|
|
pre[i].addVar(&pre[i-2], &twoA)
|
|
}
|
|
}
|
|
}
|
|
|
|
// EcmultStraussGLV is the public interface for optimized Strauss+GLV multiplication
|
|
func EcmultStraussGLV(r *GroupElementJacobian, a *GroupElementAffine, q *Scalar) {
|
|
ecmultStraussGLV(r, a, q)
|
|
}
|
|
|
|
// ECDHHashFunction is a function type for hashing ECDH shared secrets
|
|
type ECDHHashFunction func(output []byte, x32 []byte, y32 []byte) bool
|
|
|
|
// ecdhHashFunctionSHA256 implements the default SHA-256 based hash function for ECDH
|
|
// Following the C reference implementation exactly
|
|
func ecdhHashFunctionSHA256(output []byte, x32 []byte, y32 []byte) bool {
|
|
if len(output) != 32 || len(x32) != 32 || len(y32) != 32 {
|
|
return false
|
|
}
|
|
|
|
// Version byte: (y32[31] & 0x01) | 0x02
|
|
version := byte((y32[31] & 0x01) | 0x02)
|
|
|
|
sha := NewSHA256()
|
|
sha.Write([]byte{version})
|
|
sha.Write(x32)
|
|
sha.Finalize(output)
|
|
sha.Clear()
|
|
|
|
return true
|
|
}
|
|
|
|
// ECDH computes an EC Diffie-Hellman shared secret
|
|
// Following the C reference implementation secp256k1_ecdh
|
|
func ECDH(output []byte, pubkey *PublicKey, seckey []byte, hashfp ECDHHashFunction) error {
|
|
if len(output) != 32 {
|
|
return errors.New("output must be 32 bytes")
|
|
}
|
|
if len(seckey) != 32 {
|
|
return errors.New("seckey must be 32 bytes")
|
|
}
|
|
if pubkey == nil {
|
|
return errors.New("pubkey cannot be nil")
|
|
}
|
|
|
|
// Use default hash function if none provided
|
|
if hashfp == nil {
|
|
hashfp = ecdhHashFunctionSHA256
|
|
}
|
|
|
|
// Load public key
|
|
var pt GroupElementAffine
|
|
pt.fromBytes(pubkey.data[:])
|
|
if pt.isInfinity() {
|
|
return errors.New("invalid public key")
|
|
}
|
|
|
|
// Parse scalar
|
|
var s Scalar
|
|
if !s.setB32Seckey(seckey) {
|
|
return errors.New("invalid secret key")
|
|
}
|
|
|
|
// Handle zero scalar
|
|
if s.isZero() {
|
|
return errors.New("secret key cannot be zero")
|
|
}
|
|
|
|
// Compute res = s * pt using optimized windowed multiplication (variable-time)
|
|
// ECDH doesn't require constant-time since the secret key is already known
|
|
var res GroupElementJacobian
|
|
ecmultWindowedVar(&res, &pt, &s)
|
|
|
|
// Convert to affine
|
|
var resAff GroupElementAffine
|
|
resAff.setGEJ(&res)
|
|
resAff.x.normalize()
|
|
resAff.y.normalize()
|
|
|
|
// Extract x and y coordinates
|
|
var x, y [32]byte
|
|
resAff.x.getB32(x[:])
|
|
resAff.y.getB32(y[:])
|
|
|
|
// Compute hash
|
|
success := hashfp(output, x[:], y[:])
|
|
|
|
// Clear sensitive data
|
|
memclear(unsafe.Pointer(&x[0]), 32)
|
|
memclear(unsafe.Pointer(&y[0]), 32)
|
|
s.clear()
|
|
resAff.clear()
|
|
res.clear()
|
|
|
|
if !success {
|
|
return errors.New("hash function failed")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// HKDF performs HMAC-based Key Derivation Function (RFC 5869)
|
|
// Outputs key material of the specified length
|
|
func HKDF(output []byte, ikm []byte, salt []byte, info []byte) error {
|
|
if len(output) == 0 {
|
|
return errors.New("output length must be greater than 0")
|
|
}
|
|
|
|
// Step 1: Extract (if salt is empty, use zeros)
|
|
if len(salt) == 0 {
|
|
salt = make([]byte, 32)
|
|
}
|
|
|
|
// PRK = HMAC-SHA256(salt, IKM)
|
|
var prk [32]byte
|
|
hmac := NewHMACSHA256(salt)
|
|
hmac.Write(ikm)
|
|
hmac.Finalize(prk[:])
|
|
hmac.Clear()
|
|
|
|
// Step 2: Expand
|
|
// Generate output using HKDF-Expand
|
|
// T(0) = empty
|
|
// T(i) = HMAC(PRK, T(i-1) || info || i)
|
|
|
|
outlen := len(output)
|
|
outidx := 0
|
|
|
|
// T(0) is empty
|
|
var t []byte
|
|
|
|
// Generate blocks until we have enough output
|
|
blockNum := byte(1)
|
|
for outidx < outlen {
|
|
// Compute T(i) = HMAC(PRK, T(i-1) || info || i)
|
|
hmac = NewHMACSHA256(prk[:])
|
|
if len(t) > 0 {
|
|
hmac.Write(t)
|
|
}
|
|
if len(info) > 0 {
|
|
hmac.Write(info)
|
|
}
|
|
hmac.Write([]byte{blockNum})
|
|
|
|
var tBlock [32]byte
|
|
hmac.Finalize(tBlock[:])
|
|
hmac.Clear()
|
|
|
|
// Copy to output
|
|
copyLen := len(tBlock)
|
|
if copyLen > outlen-outidx {
|
|
copyLen = outlen - outidx
|
|
}
|
|
copy(output[outidx:outidx+copyLen], tBlock[:copyLen])
|
|
outidx += copyLen
|
|
|
|
// Update T for next iteration
|
|
t = tBlock[:]
|
|
blockNum++
|
|
}
|
|
|
|
// Clear sensitive data
|
|
memclear(unsafe.Pointer(&prk[0]), 32)
|
|
if len(t) > 0 {
|
|
memclear(unsafe.Pointer(&t[0]), uintptr(len(t)))
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// ECDHWithHKDF computes ECDH and derives a key using HKDF
|
|
func ECDHWithHKDF(output []byte, pubkey *PublicKey, seckey []byte, salt []byte, info []byte) error {
|
|
// Compute ECDH shared secret
|
|
var sharedSecret [32]byte
|
|
if err := ECDH(sharedSecret[:], pubkey, seckey, nil); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Derive key using HKDF
|
|
err := HKDF(output, sharedSecret[:], salt, info)
|
|
|
|
// Clear shared secret
|
|
memclear(unsafe.Pointer(&sharedSecret[0]), 32)
|
|
|
|
return err
|
|
}
|
|
|
|
// ECDHXOnly computes X-only ECDH (BIP-340 style)
|
|
// Outputs only the X coordinate of the shared secret point
|
|
func ECDHXOnly(output []byte, pubkey *PublicKey, seckey []byte) error {
|
|
if len(output) != 32 {
|
|
return errors.New("output must be 32 bytes")
|
|
}
|
|
if len(seckey) != 32 {
|
|
return errors.New("seckey must be 32 bytes")
|
|
}
|
|
if pubkey == nil {
|
|
return errors.New("pubkey cannot be nil")
|
|
}
|
|
|
|
// Load public key
|
|
var pt GroupElementAffine
|
|
pt.fromBytes(pubkey.data[:])
|
|
if pt.isInfinity() {
|
|
return errors.New("invalid public key")
|
|
}
|
|
|
|
// Parse scalar
|
|
var s Scalar
|
|
if !s.setB32Seckey(seckey) {
|
|
return errors.New("invalid secret key")
|
|
}
|
|
|
|
if s.isZero() {
|
|
return errors.New("secret key cannot be zero")
|
|
}
|
|
|
|
// Compute res = s * pt using optimized windowed multiplication (variable-time)
|
|
// ECDH doesn't require constant-time since the secret key is already known
|
|
var res GroupElementJacobian
|
|
ecmultWindowedVar(&res, &pt, &s)
|
|
|
|
// Convert to affine
|
|
var resAff GroupElementAffine
|
|
resAff.setGEJ(&res)
|
|
resAff.x.normalize()
|
|
|
|
// Extract X coordinate only
|
|
resAff.x.getB32(output)
|
|
|
|
// Clear sensitive data
|
|
s.clear()
|
|
resAff.clear()
|
|
res.clear()
|
|
|
|
return nil
|
|
}
|
|
|
|
|