fixed

generate_inv.sh (1946B)

---

 #!/usr/bin/env bash
 
 # generates a constant-time haskell function for performing modular
 # inversion with montgomery arithmetic on a secp256k1-derived field.
 #
 # fermat inversion is used. one proceeds through the (fixed, known)
 # bit-string of the exponent in MSB order, montgomery-squaring an
 # accumulator each time, and montgomery-multiplying on every '1' bit.
 # this script generates a function consisting of this loop, unrolled.
 #
 # since the square-and-multiply schedule is fixed, then given
 # constant-time 'sqr#' and 'mul#", 'inv#' is also constant-time by
 # construction.
 
 # for fermat inversion, we raise an argument to e.g. the secp256k1 field
 # prime - 2. i.e.:
 #
 # a^-1 = a ^ p - 2 mod p
 #
 # or to the secp256k1 scalar group order - 2:
 #
 # a^-1 = a ^ q - 2 mod q
 
 # secp256k1 field prime - 2
 # exponent="1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111111111111111110000101101"
 
 # secp256k1 scalar group order - 2
 exponent="1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111010111010101011101101110011100110101011110100100010100000001110111011111111010010010111101000110011010000001101100100000101000001"
 
 echo "-- generated by etc/generate_inv.sh"
 echo "inv#"
 echo "  :: (# Word#, Word#, Word#, Word# #)"
 echo "  -> (# Word#, Word#, Word#, Word# #)"
 echo "inv# a ="
 echo "  let !t0 = (# 0x1000003D1##, 0##, 0##, 0## #) -- montgomery 'one'"
 
 label=1
 
 for ((i = 0; i < ${#exponent}; i++)); do
   echo "      !t""$label"" = sqr# t""$((label-1))"
   if [[ "${exponent:i:1}" == "1" ]]; then
     label=$((label+1))
     echo "      !t""$label"" = mul# a t""$((label-1))"
   fi
   label=$((label+1))
 done
 
 echo "      !r = t""$((label-1))"
 echo "  in  r"
 echo '{-# INLINE inv# #-}'