fixed

generate_inv.sh (4983B)

---

 #!/usr/bin/env bash
 
 # generates a constant-time haskell function for performing modular
 # inversion with montgomery arithmetic on a secp256k1-derived field.
 #
 # fermat inversion is used: a^-1 = a ^ (m - 2) mod m, where m is the
 # secp256k1 field prime (curve) or the scalar group order (scalar).
 #
 # rather than a naive square-and-multiply over the exponent bits (one
 # montgomery-multiply per set bit), we use an addition chain that
 # coalesces runs of 1 bits. for a maximal run of L consecutive 1 bits
 # we precompute the block
 #
 #   x_L = a ^ (2^L - 1)
 #
 # and fold the whole run in with a single multiply, since
 #
 #   result^(2^L) * x_L
 #
 # appends L ones to the accumulated exponent. the x_L blocks are built
 # with a doubling ladder using the identities
 #
 #   x_(i+j) = (x_i)^(2^j) * x_j         (so x_2k = (x_k)^(2^k) * x_k)
 #
 # which costs O(log L) multiplies per block instead of O(L).
 #
 # the square-and-multiply schedule is still fixed and data-independent,
 # so given constant-time 'sqr#' and 'mul#', 'inv#' is constant-time by
 # construction.
 
 # secp256k1 field prime - 2
 exponent_curve="1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111111111111111110000101101"
 
 # secp256k1 scalar group order - 2
 exponent_scalar="1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111010111010101011101101110011100110101011110100100010100000001110111011111111010010010111101000110011010000001101100100000100111111"
 
 # adjust me as desired; use 'curve' or 'scalar'
 target="curve"
 
 declare exponent
 if [[ $target == "curve" ]]; then
   exponent=$exponent_curve
 elif [[ $target == "scalar" ]]; then
   exponent=$exponent_scalar
 else
   echo "unknown target: $target" >&2
   exit 1
 fi
 
 # next free t-label, and a map from block length L to the variable
 # holding x_L = a ^ (2^L - 1). x_1 is the argument 'a' itself.
 idx=1
 declare -A blk
 blk[1]="a"
 
 # REPLY conventions: emit_* helpers return the resulting variable in
 # the global REPLY.
 
 emit_sqr_n() { # $1 = source var, $2 = count
   local src=$1 n=$2 i
   for (( i = 0; i < n; i++ )); do
     echo "      !t$idx = sqr# $src"
     src=t$idx
     idx=$((idx + 1))
   done
   REPLY=$src
 }
 
 emit_mul() { # $1, $2 = vars
   echo "      !t$idx = mul# $1 $2"
   REPLY=t$idx
   idx=$((idx + 1))
 }
 
 # ensure x_1, x_2, x_4, ..., x_hp (powers of two up to hp) are built
 build_powers() { # $1 = highest power of two needed
   local hp=$1 p=1 np acc
   while (( p < hp )); do
     np=$((p * 2))
     if [[ -z ${blk[$np]:-} ]]; then
       emit_sqr_n "${blk[$p]}" "$p"; acc=$REPLY # x_p ^ (2^p)
       emit_mul "$acc" "${blk[$p]}"; acc=$REPLY # * x_p  = x_2p
       blk[$np]=$acc
     fi
     p=$np
   done
 }
 
 # ensure x_L is built, composing it from power-of-two blocks
 build_block() { # $1 = run length L
   local L=$1 hp pw rem acc
   [[ -n ${blk[$L]:-} ]] && return
   hp=1
   while (( hp * 2 <= L )); do hp=$((hp * 2)); done
   build_powers "$hp"
   rem=$L; acc=""; pw=$hp
   while (( pw >= 1 )); do
     if (( rem >= pw )); then
       if [[ -z $acc ]]; then
         acc=${blk[$pw]}
       else
         emit_sqr_n "$acc" "$pw"; acc=$REPLY
         emit_mul "$acc" "${blk[$pw]}"; acc=$REPLY
       fi
       rem=$((rem - pw))
     fi
     pw=$((pw / 2))
   done
   blk[$L]=$acc
 }
 
 # parse the exponent into alternating runs ('R', ones) and gaps ('G')
 seg_type=(); seg_len=()
 i=0; n=${#exponent}
 while (( i < n )); do
   c=${exponent:i:1}
   j=$i
   while (( j < n )) && [[ ${exponent:j:1} == "$c" ]]; do j=$((j + 1)); done
   if [[ $c == 1 ]]; then seg_type+=("R"); else seg_type+=("G"); fi
   seg_len+=("$((j - i))")
   i=$j
 done
 
 echo "-- generated by etc/generate_inv.sh"
 echo "inv#"
 echo "  :: Limb4"
 echo "  -> Limb4"
 echo "inv# a ="
 echo "  let"
 
 # build blocks for the longest run first so the doubling ladder is
 # shared, then any shorter runs reuse the cached intermediates.
 maxrun=0
 for k in "${!seg_type[@]}"; do
   if [[ ${seg_type[k]} == R ]] && (( seg_len[k] > maxrun )); then
     maxrun=${seg_len[k]}
   fi
 done
 build_block "$maxrun"
 for k in "${!seg_type[@]}"; do
   if [[ ${seg_type[k]} == R ]]; then build_block "${seg_len[k]}"; fi
 done
 
 # fold the exponent: result starts at the leading run, then each
 # subsequent run is appended via result^(2^(gap+run)) * x_run.
 result=""; pending=0; first=1
 for k in "${!seg_type[@]}"; do
   if [[ ${seg_type[k]} == G ]]; then
     pending=$((pending + seg_len[k]))
   else
     L=${seg_len[k]}
     if (( first )); then
       result=${blk[$L]}; first=0
     else
       emit_sqr_n "$result" "$((pending + L))"; result=$REPLY
       emit_mul "$result" "${blk[$L]}"; result=$REPLY
     fi
     pending=0
   fi
 done
 # trailing zero bits, if any
 if (( pending > 0 )); then
   emit_sqr_n "$result" "$pending"; result=$REPLY
 fi
 
 echo "      !r = $result"
 echo "  in  r"
 echo '{-# INLINE inv# #-}'