sparrowwallet/UltrafastSecp256k1
sparrowwallet/UltrafastSecp256k1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: delta audit findings + GPU audit runners + docs (#126)

Browse Source 
* fix: resolve delta audit findings (v3.16.0 -> v3.21.0)

- N-01: ct_sign.cpp - update stale Fermat comments to SafeGCD divsteps-59
- Q-05: wasm/package.json - version 3.0.0 -> 3.21.0
- B-12: AUDIT_GUIDE.md, AUDIT_REPORT.md - version strings updated to v3.21.0
- Q-01: bip32.cpp - master key uses parse_bytes_strict (reject IL >= n per BIP-32)
- B-04: ecdsa.cpp - sign_verified/sign_hedged_verified use ct::generator_mul
        instead of VT scalar_mul on private key
- B-05: frost.cpp - document that R.y()/gpk.y() VT inverse operates on public data
- Q-07: recovery.cpp - document VT path warning for ecdsa_sign_recoverable
- B-06: musig2.cpp - document BIP-327 x-only vs compressed pubkey deviation

All 31 tests pass. No performance regression (bench_unified verified).

* feat(cuda): GPU audit runner v2.0.0 + CT smoke + bench unified

- gpu_audit_runner.cu: 43/43 modules, 8 sections, full CPU-GPU parity
- gpu_bench_unified.cu: unified GPU benchmark harness
- bench_bip352.cu, bench_compare.cu: GPU-specific benchmarks
- test_ct_smoke.cu: CT layer GPU smoke test
- batch_verify.cuh: GPU batch verification kernels
- bip32.cuh: GPU BIP-32 key derivation
- ct/: GPU constant-time layer headers
- gen_table_w8.cuh: precomputed w=8 generator table
- ecdsa.cuh, schnorr.cuh, secp256k1.cuh: updated GPU headers
- CMakeLists.txt: new CUDA targets added

* feat(opencl): OpenCL audit runner + kernel fixes

- opencl_audit_runner.cpp: 27 modules, 8 sections (19/27 pass, verify WIP)
- secp256k1_extended.cl: fix 'half' reserved keyword, __constant string literals
- secp256k1_point.cl: fix JacobianPoint struct padding (128-byte alignment)
- opencl/CMakeLists.txt: add opencl_audit_runner target + CTest
- cpu/CMakeLists.txt: OpenCL build integration

* docs: update benchmarking, CT verification, LOCAL_CI, security claims

- BENCHMARKING.md: updated benchmark results
- CT_VERIFICATION.md: updated CT verification docs
- LOCAL_CI.md: add GPU audit section
- SECURITY_CLAIMS.md: updated security claims
- ocl_audit_report.json/txt: OpenCL audit output
- benchmark_results/: benchmark data
- .ci-baseline/: CI baseline configs
- audit-output-*/: audit CI output artifacts

---------

Co-authored-by: shrec <shrec@users.noreply.github.com>
This commit is contained in:
Vano Chkheidze 2026-03-09 10:59:58 +04:00 committed by GitHub
parent d410ac3d3a
commit 67bd90b6a9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
47 changed files with 14407 additions and 286 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

387
.ci-baseline/bench_quick_baseline.json Normal file
View File

@ -0,0 +1,387 @@
[
{
"name": "field_mul",
"unit": "ns",
"value": 10.7
},
{
"name": "field_sqr",
"unit": "ns",
"value": 10.0
},
{
"name": "field_inv",
"unit": "ns",
"value": 662.3
},
{
"name": "field_add",
"unit": "ns",
"value": 4.4
},
{
"name": "field_sub",
"unit": "ns",
"value": 4.1
},
{
"name": "field_negate",
"unit": "ns",
"value": 5.7
},
{
"name": "field_from_bytes (32B)",
"unit": "ns",
"value": 2.7
},
{
"name": "scalar_mul",
"unit": "ns",
"value": 19.7
},
{
"name": "scalar_inv",
"unit": "ns",
"value": 838.6
},
{
"name": "scalar_add",
"unit": "ns",
"value": 4.7
},
{
"name": "scalar_negate",
"unit": "ns",
"value": 2.9
},
{
"name": "scalar_from_bytes (32B)",
"unit": "ns",
"value": 2.9
},
{
"name": "pubkey_create (k*G)",
"unit": "ns",
"value": 5607.4
},
{
"name": "scalar_mul (k*P)",
"unit": "ns",
"value": 21169.2
},
{
"name": "scalar_mul_with_plan",
"unit": "ns",
"value": 20677.5
},
{
"name": "dual_mul (a*G + b*P)",
"unit": "ns",
"value": 23398.8
},
{
"name": "point_add (affine+affine)",
"unit": "ns",
"value": 914.2
},
{
"name": "point_add (J+A mixed)",
"unit": "ns",
"value": 149.3
},
{
"name": "point_dbl",
"unit": "ns",
"value": 82.6
},
{
"name": "normalize (J->affine)",
"unit": "ns",
"value": 2.8
},
{
"name": "batch_normalize /pt (N=64)",
"unit": "ns",
"value": 140.5
},
{
"name": "next_inplace (+=G)",
"unit": "ns",
"value": 147.1
},
{
"name": "KPlan::from_scalar(w=4)",
"unit": "ns",
"value": 1284.8
},
{
"name": "to_compressed (33B)",
"unit": "ns",
"value": 8.1
},
{
"name": "to_uncompressed (65B)",
"unit": "ns",
"value": 8.3
},
{
"name": "x_only_bytes (32B)",
"unit": "ns",
"value": 3.4
},
{
"name": "x_bytes_and_parity",
"unit": "ns",
"value": 4.7
},
{
"name": "has_even_y",
"unit": "ns",
"value": 2.0
},
{
"name": "batch_to_compressed /pt (N=64)",
"unit": "ns",
"value": 148.1
},
{
"name": "batch_x_only_bytes /pt (N=64)",
"unit": "ns",
"value": 109.9
},
{
"name": "ecdsa_sign",
"unit": "ns",
"value": 7705.8
},
{
"name": "ecdsa_sign_verified",
"unit": "ns",
"value": 38585.4
},
{
"name": "ecdsa_verify",
"unit": "ns",
"value": 24704.3
},
{
"name": "schnorr_keypair_create",
"unit": "ns",
"value": 5593.2
},
{
"name": "schnorr_sign",
"unit": "ns",
"value": 6030.8
},
{
"name": "schnorr_sign_verified",
"unit": "ns",
"value": 35556.5
},
{
"name": "schnorr_verify (cached xonly)",
"unit": "ns",
"value": 22837.2
},
{
"name": "schnorr_verify (raw bytes)",
"unit": "ns",
"value": 28809.0
},
{
"name": "schnorr_batch_verify(N=4)",
"unit": "ns",
"value": 109819.1
},
{
"name": "-> per-sig amortized (N=4)",
"unit": "ns",
"value": 27454.8
},
{
"name": "schnorr_batch_verify(N=16)",
"unit": "ns",
"value": 396874.1
},
{
"name": "-> per-sig amortized (N=16)",
"unit": "ns",
"value": 24804.6
},
{
"name": "schnorr_batch_verify(N=64)",
"unit": "ns",
"value": 2397940.9
},
{
"name": "-> per-sig amortized (N=64)",
"unit": "ns",
"value": 37467.8
},
{
"name": "ecdsa_batch_verify(N=4)",
"unit": "ns",
"value": 82520.4
},
{
"name": "ecdsa_batch_verify(N=16)",
"unit": "ns",
"value": 342148.9
},
{
"name": "ecdsa_batch_verify(N=64)",
"unit": "ns",
"value": 1403852.4
},
{
"name": "ct::scalar_inverse (SafeGCD)",
"unit": "ns",
"value": 1545.3
},
{
"name": "ct::generator_mul (k*G)",
"unit": "ns",
"value": 11613.9
},
{
"name": "ct::scalar_mul (k*P)",
"unit": "ns",
"value": 25233.8
},
{
"name": "ct::point_dbl",
"unit": "ns",
"value": 81.2
},
{
"name": "ct::point_add_complete (11M+6S)",
"unit": "ns",
"value": 263.1
},
{
"name": "ct::point_add_mixed_complete (7M+5S)",
"unit": "ns",
"value": 173.9
},
{
"name": "ct::point_add_mixed_unified (7M+5S)",
"unit": "ns",
"value": 163.1
},
{
"name": "ct::ecdsa_sign",
"unit": "ns",
"value": 15667.7
},
{
"name": "ct::ecdsa_sign_verified",
"unit": "ns",
"value": 52603.2
},
{
"name": "ct::schnorr_sign",
"unit": "ns",
"value": 13500.2
},
{
"name": "ct::schnorr_sign_verified",
"unit": "ns",
"value": 42850.8
},
{
"name": "ct::schnorr_keypair_create",
"unit": "ns",
"value": 13145.8
},
{
"name": "field_inv_var",
"unit": "ns",
"value": 937.0
},
{
"name": "field_normalize",
"unit": "ns",
"value": 7.4
},
{
"name": "field_from_bytes (set_b32)",
"unit": "ns",
"value": 7.2
},
{
"name": "scalar_inverse (CT)",
"unit": "ns",
"value": 1421.9
},
{
"name": "scalar_inverse_var",
"unit": "ns",
"value": 842.9
},
{
"name": "scalar_from_bytes (set_b32)",
"unit": "ns",
"value": 5.0
},
{
"name": "point_dbl (gej_double_var)",
"unit": "ns",
"value": 79.8
},
{
"name": "point_add (gej_add_ge_var)",
"unit": "ns",
"value": 156.5
},
{
"name": "ecmult (a*P + b*G, Strauss)",
"unit": "ns",
"value": 24125.0
},
{
"name": "ecmult_gen (k*G, comb)",
"unit": "ns",
"value": 11303.3
},
{
"name": "generator_mul (ec_pubkey_create)",
"unit": "ns",
"value": 12862.6
},
{
"name": "scalar_mul_P (k*P, tweak_mul)",
"unit": "ns",
"value": 22261.2
},
{
"name": "serialize_compressed (33B)",
"unit": "ns",
"value": 17.1
},
{
"name": "serialize_uncompressed (65B)",
"unit": "ns",
"value": 21.7
},
{
"name": "point_add (pubkey_combine)",
"unit": "ns",
"value": 1812.3
},
{
"name": "schnorr_sign (BIP-340)",
"unit": "ns",
"value": 13788.7
},
{
"name": "schnorr_verify (BIP-340)",
"unit": "ns",
"value": 25950.3
},
{
"name": "Harness",
"unit": "ns",
"value": 3000000000.0
}
]

2
AUDIT_GUIDE.md
View File

@ -1,6 +1,6 @@
# Audit Guide
**UltrafastSecp256k1 v3.16.0** -- Independent Auditor Navigation
**UltrafastSecp256k1 v3.21.0** -- Independent Auditor Navigation
> This document is for auditors. Here you will find everything needed
> to evaluate the library's security, correctness, and quality.

2
AUDIT_REPORT.md
View File

@ -2,7 +2,7 @@
> **Note (2026-03-04):** This report was generated against v3.9.0 (commit `cc20253`).
> The test suite has been significantly restructured since then (31 CTest targets
> as of v3.17.0 vs 20 at time of this audit). The 8 original audit suites have
> as of v3.21.0 vs 20 at time of this audit). The 8 original audit suites have
> been consolidated into `unified_audit` + 17 specialized standalone audit tests
> (including Wycheproof ECDSA/ECDH, Fiat-Crypto linkage, CT formal verification,
> fault injection, and cross-platform KAT).

170
audit-output-clang-17/audit_report.json Normal file
View File

@ -0,0 +1,170 @@
{
"report_type": "industrial_self_audit",
"library": "UltrafastSecp256k1",
"library_version": "3.19.0",
"git_hash": "unknown",
"audit_framework_version": "2.0.0",
"timestamp": "2026-03-07T03:33:41",
"platform": {
"os": "Linux",
"arch": "x86-64",
"compiler": "Clang 17.0.6",
"build_type": "Release"
},
"summary": {
"total_modules": 54,
"passed": 54,
"failed": 0,
"advisory_warnings": 0,
"all_passed": true,
"total_time_ms": 25814.6,
"audit_verdict": "AUDIT-READY"
},
"selftest": {
"passed": true,
"time_ms": 1515.6
},
"sections": [
{
"id": "math_invariants",
"title": "Mathematical Invariants (Fp, Zn, Group Laws)",
"total": 13,
"passed": 13,
"failed": 0,
"time_ms": 2837.3,
"status": "PASS",
"modules": [
{ "id": "audit_field", "name": "Field Fp deep audit (add/mul/inv/sqrt/batch)", "passed": true, "advisory": false, "time_ms": 229.1 },
{ "id": "audit_scalar", "name": "Scalar Zn deep audit (mod/GLV/edge/inv)", "passed": true, "advisory": false, "time_ms": 28.3 },
{ "id": "audit_point", "name": "Point ops deep audit (Jac/affine/sigs)", "passed": true, "advisory": false, "time_ms": 785.6 },
{ "id": "mul", "name": "Field & scalar arithmetic", "passed": true, "advisory": false, "time_ms": 1.1 },
{ "id": "arith_correct", "name": "Arithmetic correctness", "passed": true, "advisory": false, "time_ms": 0.9 },
{ "id": "scalar_mul", "name": "Scalar multiplication", "passed": true, "advisory": false, "time_ms": 1603.8 },
{ "id": "exhaustive", "name": "Exhaustive algebraic verification", "passed": true, "advisory": false, "time_ms": 15.8 },
{ "id": "comprehensive", "name": "Comprehensive 500+ suite", "passed": true, "advisory": false, "time_ms": 25.3 },
{ "id": "ecc_properties", "name": "ECC property-based invariants", "passed": true, "advisory": false, "time_ms": 2.1 },
{ "id": "batch_add", "name": "Affine batch addition", "passed": true, "advisory": false, "time_ms": 145.0 },
{ "id": "carry_propagation", "name": "Carry chain stress (limb boundary)", "passed": true, "advisory": false, "time_ms": 0.2 },
{ "id": "field_52", "name": "FieldElement52 (5x52) vs 4x64", "passed": true, "advisory": false, "time_ms": 0.1 },
{ "id": "field_26", "name": "FieldElement26 (10x26) vs 4x64", "passed": true, "advisory": false, "time_ms": 0.1 }
]
},
{
"id": "ct_analysis",
"title": "Constant-Time & Side-Channel Analysis",
"total": 6,
"passed": 6,
"failed": 0,
"time_ms": 108.6,
"status": "PASS",
"modules": [
{ "id": "audit_ct", "name": "CT deep audit (masks/cmov/cswap/timing)", "passed": true, "advisory": false, "time_ms": 68.3 },
{ "id": "ct", "name": "Constant-time layer", "passed": true, "advisory": false, "time_ms": 0.4 },
{ "id": "ct_equivalence", "name": "FAST == CT equivalence", "passed": true, "advisory": false, "time_ms": 9.2 },
{ "id": "ct_sidechannel", "name": "Side-channel dudect (smoke)", "passed": true, "advisory": true, "time_ms": 26.8 },
{ "id": "ct_verif_formal", "name": "Formal CT verification (ctgrind/MSAN)", "passed": true, "advisory": false, "time_ms": 0.5 },
{ "id": "diag_scalar_mul", "name": "CT scalar_mul vs fast (diagnostic)", "passed": true, "advisory": false, "time_ms": 3.4 }
]
},
{
"id": "differential",
"title": "Differential & Cross-Library Testing",
"total": 4,
"passed": 4,
"failed": 0,
"time_ms": 175.0,
"status": "PASS",
"modules": [
{ "id": "differential", "name": "Differential correctness", "passed": true, "advisory": false, "time_ms": 174.1 },
{ "id": "fiat_crypto", "name": "Fiat-Crypto reference vectors", "passed": true, "advisory": false, "time_ms": 0.3 },
{ "id": "fiat_crypto_link", "name": "Fiat-Crypto direct linkage (100%% parity)", "passed": true, "advisory": false, "time_ms": 0.2 },
{ "id": "cross_platform_kat", "name": "Cross-platform KAT", "passed": true, "advisory": false, "time_ms": 0.3 }
]
},
{
"id": "standard_vectors",
"title": "Standard Test Vectors (BIP-340, RFC-6979, BIP-32)",
"total": 8,
"passed": 8,
"failed": 0,
"time_ms": 20.1,
"status": "PASS",
"modules": [
{ "id": "bip340_vectors", "name": "BIP-340 official vectors", "passed": true, "advisory": false, "time_ms": 0.5 },
{ "id": "bip340_strict", "name": "BIP-340 strict encoding (non-canonical)", "passed": true, "advisory": false, "time_ms": 0.1 },
{ "id": "bip32_vectors", "name": "BIP-32 official vectors TV1-5", "passed": true, "advisory": false, "time_ms": 1.2 },
{ "id": "rfc6979_vectors", "name": "RFC 6979 ECDSA vectors", "passed": true, "advisory": false, "time_ms": 0.5 },
{ "id": "frost_kat", "name": "FROST reference KAT vectors", "passed": true, "advisory": false, "time_ms": 11.9 },
{ "id": "musig2_bip327", "name": "MuSig2 BIP-327 reference vectors", "passed": true, "advisory": false, "time_ms": 3.5 },
{ "id": "wycheproof_ecdsa", "name": "Wycheproof ECDSA secp256k1 vectors", "passed": true, "advisory": false, "time_ms": 1.7 },
{ "id": "wycheproof_ecdh", "name": "Wycheproof ECDH secp256k1 vectors", "passed": true, "advisory": false, "time_ms": 0.7 }
]
},
{
"id": "fuzzing",
"title": "Fuzzing & Adversarial Attack Resilience",
"total": 4,
"passed": 4,
"failed": 0,
"time_ms": 7301.3,
"status": "PASS",
"modules": [
{ "id": "audit_fuzz", "name": "Adversarial fuzz (malform/edge)", "passed": true, "advisory": false, "time_ms": 160.4 },
{ "id": "fuzz_parsers", "name": "Parser fuzz (DER/Schnorr/Pubkey)", "passed": true, "advisory": false, "time_ms": 5781.6 },
{ "id": "fuzz_addr_bip32", "name": "Address/BIP32/FFI boundary fuzz", "passed": true, "advisory": false, "time_ms": 1300.4 },
{ "id": "fault_injection", "name": "Fault injection simulation", "passed": true, "advisory": false, "time_ms": 58.9 }
]
},
{
"id": "protocol_security",
"title": "Protocol Security (ECDSA, Schnorr, MuSig2, FROST)",
"total": 10,
"passed": 10,
"failed": 0,
"time_ms": 834.4,
"status": "PASS",
"modules": [
{ "id": "ecdsa_schnorr", "name": "ECDSA + Schnorr", "passed": true, "advisory": false, "time_ms": 0.2 },
{ "id": "bip32", "name": "BIP-32 HD derivation", "passed": true, "advisory": false, "time_ms": 0.2 },
{ "id": "musig2", "name": "MuSig2", "passed": true, "advisory": false, "time_ms": 1.2 },
{ "id": "ecdh_recovery", "name": "ECDH + recovery + taproot", "passed": true, "advisory": false, "time_ms": 1.2 },
{ "id": "v4_features", "name": "v4 (Pedersen/FROST/etc)", "passed": true, "advisory": false, "time_ms": 1.9 },
{ "id": "coins", "name": "Coins layer", "passed": true, "advisory": false, "time_ms": 0.4 },
{ "id": "musig2_frost", "name": "MuSig2 + FROST protocol suite", "passed": true, "advisory": false, "time_ms": 97.7 },
{ "id": "musig2_frost_adv", "name": "MuSig2 + FROST advanced/adversar", "passed": true, "advisory": false, "time_ms": 39.8 },
{ "id": "audit_integration", "name": "Integration (ECDH/batch/cross-proto)", "passed": true, "advisory": false, "time_ms": 691.2 },
{ "id": "batch_randomness", "name": "Batch verify weight randomness audit", "passed": true, "advisory": false, "time_ms": 0.5 }
]
},
{
"id": "memory_safety",
"title": "ABI & Memory Safety (zeroization, hardening)",
"total": 4,
"passed": 4,
"failed": 0,
"time_ms": 12649.6,
"status": "PASS",
"modules": [
{ "id": "audit_security", "name": "Security hardening (zero/bitflip/nonce)", "passed": true, "advisory": false, "time_ms": 12648.2 },
{ "id": "debug_invariants", "name": "Debug invariant assertions", "passed": true, "advisory": false, "time_ms": 0.3 },
{ "id": "abi_gate", "name": "ABI version gate (compile-time)", "passed": true, "advisory": false, "time_ms": 0.0 },
{ "id": "ffi_round_trip", "name": "Cross-ABI/FFI round-trip (ufsecp C API)", "passed": true, "advisory": false, "time_ms": 1.1 }
]
},
{
"id": "performance",
"title": "Performance Validation & Regression",
"total": 4,
"passed": 4,
"failed": 0,
"time_ms": 372.5,
"status": "PASS",
"modules": [
{ "id": "hash_accel", "name": "Accelerated hashing", "passed": true, "advisory": false, "time_ms": 371.4 },
{ "id": "simd_batch", "name": "SIMD batch operations", "passed": true, "advisory": false, "time_ms": 0.0 },
{ "id": "multiscalar", "name": "Multi-scalar & batch verify", "passed": true, "advisory": false, "time_ms": 1.0 },
{ "id": "audit_perf", "name": "Performance smoke (sign/verify roundtrip)", "passed": true, "advisory": false, "time_ms": 0.1 }
]
}
]
}

115
audit-output-clang-17/audit_report.txt Normal file
View File

@ -0,0 +1,115 @@
================================================================
UltrafastSecp256k1 -- Industrial Self-Audit Report
================================================================
Library: UltrafastSecp256k1 v3.19.0
Git Hash: unknown
Framework: Audit Framework v2.0.0
Timestamp: 2026-03-07T03:33:41
OS: Linux
Arch: x86-64
Compiler: Clang 17.0.6
Build: Release
----------------------------------------------------------------
[0] Library Selftest (core KAT) PASS (1516 ms)
----------------------------------------------------------------
================================================================
Section 1/8: Mathematical Invariants (Fp, Zn, Group Laws)
================================================================
[ 1] Field Fp deep audit (add/mul/inv/sqrt/batch) PASS (229 ms)
[ 2] Scalar Zn deep audit (mod/GLV/edge/inv) PASS (28 ms)
[ 3] Point ops deep audit (Jac/affine/sigs) PASS (786 ms)
[ 4] Field & scalar arithmetic PASS (1 ms)
[ 5] Arithmetic correctness PASS (1 ms)
[ 6] Scalar multiplication PASS (1604 ms)
[ 7] Exhaustive algebraic verification PASS (16 ms)
[ 8] Comprehensive 500+ suite PASS (25 ms)
[ 9] ECC property-based invariants PASS (2 ms)
[10] Affine batch addition PASS (145 ms)
[11] Carry chain stress (limb boundary) PASS (0 ms)
[12] FieldElement52 (5x52) vs 4x64 PASS (0 ms)
[13] FieldElement26 (10x26) vs 4x64 PASS (0 ms)
-------- Section Result: 13/13 passed (2837 ms)
================================================================
Section 2/8: Constant-Time & Side-Channel Analysis
================================================================
[14] CT deep audit (masks/cmov/cswap/timing) PASS (68 ms)
[15] Constant-time layer PASS (0 ms)
[16] FAST == CT equivalence PASS (9 ms)
[17] Side-channel dudect (smoke) PASS (27 ms)
[18] Formal CT verification (ctgrind/MSAN) PASS (1 ms)
[19] CT scalar_mul vs fast (diagnostic) PASS (3 ms)
-------- Section Result: 6/6 passed (109 ms)
================================================================
Section 3/8: Differential & Cross-Library Testing
================================================================
[20] Differential correctness PASS (174 ms)
[21] Fiat-Crypto reference vectors PASS (0 ms)
[22] Fiat-Crypto direct linkage (100%% parity) PASS (0 ms)
[23] Cross-platform KAT PASS (0 ms)
-------- Section Result: 4/4 passed (175 ms)
================================================================
Section 4/8: Standard Test Vectors (BIP-340, RFC-6979, BIP-32)
================================================================
[24] BIP-340 official vectors PASS (1 ms)
[25] BIP-340 strict encoding (non-canonical) PASS (0 ms)
[26] BIP-32 official vectors TV1-5 PASS (1 ms)
[27] RFC 6979 ECDSA vectors PASS (0 ms)
[28] FROST reference KAT vectors PASS (12 ms)
[29] MuSig2 BIP-327 reference vectors PASS (3 ms)
[30] Wycheproof ECDSA secp256k1 vectors PASS (2 ms)
[31] Wycheproof ECDH secp256k1 vectors PASS (1 ms)
-------- Section Result: 8/8 passed (20 ms)
================================================================
Section 5/8: Fuzzing & Adversarial Attack Resilience
================================================================
[32] Adversarial fuzz (malform/edge) PASS (160 ms)
[33] Parser fuzz (DER/Schnorr/Pubkey) PASS (5782 ms)
[34] Address/BIP32/FFI boundary fuzz PASS (1300 ms)
[35] Fault injection simulation PASS (59 ms)
-------- Section Result: 4/4 passed (7301 ms)
================================================================
Section 6/8: Protocol Security (ECDSA, Schnorr, MuSig2, FROST)
================================================================
[36] ECDSA + Schnorr PASS (0 ms)
[37] BIP-32 HD derivation PASS (0 ms)
[38] MuSig2 PASS (1 ms)
[39] ECDH + recovery + taproot PASS (1 ms)
[40] v4 (Pedersen/FROST/etc) PASS (2 ms)
[41] Coins layer PASS (0 ms)
[42] MuSig2 + FROST protocol suite PASS (98 ms)
[43] MuSig2 + FROST advanced/adversar PASS (40 ms)
[44] Integration (ECDH/batch/cross-proto) PASS (691 ms)
[45] Batch verify weight randomness audit PASS (1 ms)
-------- Section Result: 10/10 passed (834 ms)
================================================================
Section 7/8: ABI & Memory Safety (zeroization, hardening)
================================================================
[46] Security hardening (zero/bitflip/nonce) PASS (12648 ms)
[47] Debug invariant assertions PASS (0 ms)
[48] ABI version gate (compile-time) PASS (0 ms)
[49] Cross-ABI/FFI round-trip (ufsecp C API) PASS (1 ms)
-------- Section Result: 4/4 passed (12650 ms)
================================================================
Section 8/8: Performance Validation & Regression
================================================================
[50] Accelerated hashing PASS (371 ms)
[51] SIMD batch operations PASS (0 ms)
[52] Multi-scalar & batch verify PASS (1 ms)
[53] Performance smoke (sign/verify roundtrip) PASS (0 ms)
-------- Section Result: 4/4 passed (372 ms)
================================================================
AUDIT VERDICT: AUDIT-READY
TOTAL: 54/54 modules passed (25.8 s)
Platform: Linux x86-64 | Clang 17.0.6 | Release
================================================================

170
audit-output-gcc-13/audit_report.json Normal file
View File

@ -0,0 +1,170 @@
{
"report_type": "industrial_self_audit",
"library": "UltrafastSecp256k1",
"library_version": "3.19.0",
"git_hash": "unknown",
"audit_framework_version": "2.0.0",
"timestamp": "2026-03-07T03:32:40",
"platform": {
"os": "Linux",
"arch": "x86-64",
"compiler": "GCC 13.3.0",
"build_type": "Release"
},
"summary": {
"total_modules": 54,
"passed": 53,
"failed": 0,
"advisory_warnings": 1,
"all_passed": true,
"total_time_ms": 27132.0,
"audit_verdict": "AUDIT-READY"
},
"selftest": {
"passed": true,
"time_ms": 1479.6
},
"sections": [
{
"id": "math_invariants",
"title": "Mathematical Invariants (Fp, Zn, Group Laws)",
"total": 13,
"passed": 13,
"failed": 0,
"time_ms": 2825.2,
"status": "PASS",
"modules": [
{ "id": "audit_field", "name": "Field Fp deep audit (add/mul/inv/sqrt/batch)", "passed": true, "advisory": false, "time_ms": 223.7 },
{ "id": "audit_scalar", "name": "Scalar Zn deep audit (mod/GLV/edge/inv)", "passed": true, "advisory": false, "time_ms": 31.0 },
{ "id": "audit_point", "name": "Point ops deep audit (Jac/affine/sigs)", "passed": true, "advisory": false, "time_ms": 832.6 },
{ "id": "mul", "name": "Field & scalar arithmetic", "passed": true, "advisory": false, "time_ms": 1.4 },
{ "id": "arith_correct", "name": "Arithmetic correctness", "passed": true, "advisory": false, "time_ms": 0.9 },
{ "id": "scalar_mul", "name": "Scalar multiplication", "passed": true, "advisory": false, "time_ms": 1562.6 },
{ "id": "exhaustive", "name": "Exhaustive algebraic verification", "passed": true, "advisory": false, "time_ms": 15.6 },
{ "id": "comprehensive", "name": "Comprehensive 500+ suite", "passed": true, "advisory": false, "time_ms": 25.7 },
{ "id": "ecc_properties", "name": "ECC property-based invariants", "passed": true, "advisory": false, "time_ms": 2.2 },
{ "id": "batch_add", "name": "Affine batch addition", "passed": true, "advisory": false, "time_ms": 129.1 },
{ "id": "carry_propagation", "name": "Carry chain stress (limb boundary)", "passed": true, "advisory": false, "time_ms": 0.2 },
{ "id": "field_52", "name": "FieldElement52 (5x52) vs 4x64", "passed": true, "advisory": false, "time_ms": 0.0 },
{ "id": "field_26", "name": "FieldElement26 (10x26) vs 4x64", "passed": true, "advisory": false, "time_ms": 0.1 }
]
},
{
"id": "ct_analysis",
"title": "Constant-Time & Side-Channel Analysis",
"total": 6,
"passed": 5,
"failed": 0,
"time_ms": 124.8,
"status": "PASS",
"modules": [
{ "id": "audit_ct", "name": "CT deep audit (masks/cmov/cswap/timing)", "passed": true, "advisory": false, "time_ms": 79.9 },
{ "id": "ct", "name": "Constant-time layer", "passed": true, "advisory": false, "time_ms": 0.5 },
{ "id": "ct_equivalence", "name": "FAST == CT equivalence", "passed": true, "advisory": false, "time_ms": 10.7 },
{ "id": "ct_sidechannel", "name": "Side-channel dudect (smoke)", "passed": false, "advisory": true, "time_ms": 29.4 },
{ "id": "ct_verif_formal", "name": "Formal CT verification (ctgrind/MSAN)", "passed": true, "advisory": false, "time_ms": 0.6 },
{ "id": "diag_scalar_mul", "name": "CT scalar_mul vs fast (diagnostic)", "passed": true, "advisory": false, "time_ms": 3.8 }
]
},
{
"id": "differential",
"title": "Differential & Cross-Library Testing",
"total": 4,
"passed": 4,
"failed": 0,
"time_ms": 194.8,
"status": "PASS",
"modules": [
{ "id": "differential", "name": "Differential correctness", "passed": true, "advisory": false, "time_ms": 193.8 },
{ "id": "fiat_crypto", "name": "Fiat-Crypto reference vectors", "passed": true, "advisory": false, "time_ms": 0.3 },
{ "id": "fiat_crypto_link", "name": "Fiat-Crypto direct linkage (100%% parity)", "passed": true, "advisory": false, "time_ms": 0.5 },
{ "id": "cross_platform_kat", "name": "Cross-platform KAT", "passed": true, "advisory": false, "time_ms": 0.3 }
]
},
{
"id": "standard_vectors",
"title": "Standard Test Vectors (BIP-340, RFC-6979, BIP-32)",
"total": 8,
"passed": 8,
"failed": 0,
"time_ms": 22.6,
"status": "PASS",
"modules": [
{ "id": "bip340_vectors", "name": "BIP-340 official vectors", "passed": true, "advisory": false, "time_ms": 0.6 },
{ "id": "bip340_strict", "name": "BIP-340 strict encoding (non-canonical)", "passed": true, "advisory": false, "time_ms": 0.1 },
{ "id": "bip32_vectors", "name": "BIP-32 official vectors TV1-5", "passed": true, "advisory": false, "time_ms": 1.5 },
{ "id": "rfc6979_vectors", "name": "RFC 6979 ECDSA vectors", "passed": true, "advisory": false, "time_ms": 0.5 },
{ "id": "frost_kat", "name": "FROST reference KAT vectors", "passed": true, "advisory": false, "time_ms": 13.3 },
{ "id": "musig2_bip327", "name": "MuSig2 BIP-327 reference vectors", "passed": true, "advisory": false, "time_ms": 3.9 },
{ "id": "wycheproof_ecdsa", "name": "Wycheproof ECDSA secp256k1 vectors", "passed": true, "advisory": false, "time_ms": 1.9 },
{ "id": "wycheproof_ecdh", "name": "Wycheproof ECDH secp256k1 vectors", "passed": true, "advisory": false, "time_ms": 0.8 }
]
},
{
"id": "fuzzing",
"title": "Fuzzing & Adversarial Attack Resilience",
"total": 4,
"passed": 4,
"failed": 0,
"time_ms": 7851.3,
"status": "PASS",
"modules": [
{ "id": "audit_fuzz", "name": "Adversarial fuzz (malform/edge)", "passed": true, "advisory": false, "time_ms": 171.2 },
{ "id": "fuzz_parsers", "name": "Parser fuzz (DER/Schnorr/Pubkey)", "passed": true, "advisory": false, "time_ms": 6116.9 },
{ "id": "fuzz_addr_bip32", "name": "Address/BIP32/FFI boundary fuzz", "passed": true, "advisory": false, "time_ms": 1500.5 },
{ "id": "fault_injection", "name": "Fault injection simulation", "passed": true, "advisory": false, "time_ms": 62.7 }
]
},
{
"id": "protocol_security",
"title": "Protocol Security (ECDSA, Schnorr, MuSig2, FROST)",
"total": 10,
"passed": 10,
"failed": 0,
"time_ms": 907.5,
"status": "PASS",
"modules": [
{ "id": "ecdsa_schnorr", "name": "ECDSA + Schnorr", "passed": true, "advisory": false, "time_ms": 0.3 },
{ "id": "bip32", "name": "BIP-32 HD derivation", "passed": true, "advisory": false, "time_ms": 0.3 },
{ "id": "musig2", "name": "MuSig2", "passed": true, "advisory": false, "time_ms": 1.4 },
{ "id": "ecdh_recovery", "name": "ECDH + recovery + taproot", "passed": true, "advisory": false, "time_ms": 1.2 },
{ "id": "v4_features", "name": "v4 (Pedersen/FROST/etc)", "passed": true, "advisory": false, "time_ms": 2.3 },
{ "id": "coins", "name": "Coins layer", "passed": true, "advisory": false, "time_ms": 0.6 },
{ "id": "musig2_frost", "name": "MuSig2 + FROST protocol suite", "passed": true, "advisory": false, "time_ms": 108.7 },
{ "id": "musig2_frost_adv", "name": "MuSig2 + FROST advanced/adversar", "passed": true, "advisory": false, "time_ms": 45.0 },
{ "id": "audit_integration", "name": "Integration (ECDH/batch/cross-proto)", "passed": true, "advisory": false, "time_ms": 747.1 },
{ "id": "batch_randomness", "name": "Batch verify weight randomness audit", "passed": true, "advisory": false, "time_ms": 0.5 }
]
},
{
"id": "memory_safety",
"title": "ABI & Memory Safety (zeroization, hardening)",
"total": 4,
"passed": 4,
"failed": 0,
"time_ms": 13382.1,
"status": "PASS",
"modules": [
{ "id": "audit_security", "name": "Security hardening (zero/bitflip/nonce)", "passed": true, "advisory": false, "time_ms": 13380.5 },
{ "id": "debug_invariants", "name": "Debug invariant assertions", "passed": true, "advisory": false, "time_ms": 0.3 },
{ "id": "abi_gate", "name": "ABI version gate (compile-time)", "passed": true, "advisory": false, "time_ms": 0.0 },
{ "id": "ffi_round_trip", "name": "Cross-ABI/FFI round-trip (ufsecp C API)", "passed": true, "advisory": false, "time_ms": 1.3 }
]
},
{
"id": "performance",
"title": "Performance Validation & Regression",
"total": 4,
"passed": 4,
"failed": 0,
"time_ms": 343.9,
"status": "PASS",
"modules": [
{ "id": "hash_accel", "name": "Accelerated hashing", "passed": true, "advisory": false, "time_ms": 342.8 },
{ "id": "simd_batch", "name": "SIMD batch operations", "passed": true, "advisory": false, "time_ms": 0.0 },
{ "id": "multiscalar", "name": "Multi-scalar & batch verify", "passed": true, "advisory": false, "time_ms": 1.0 },
{ "id": "audit_perf", "name": "Performance smoke (sign/verify roundtrip)", "passed": true, "advisory": false, "time_ms": 0.1 }
]
}
]
}

115
audit-output-gcc-13/audit_report.txt Normal file
View File

@ -0,0 +1,115 @@
================================================================
UltrafastSecp256k1 -- Industrial Self-Audit Report
================================================================
Library: UltrafastSecp256k1 v3.19.0
Git Hash: unknown
Framework: Audit Framework v2.0.0
Timestamp: 2026-03-07T03:32:40
OS: Linux
Arch: x86-64
Compiler: GCC 13.3.0
Build: Release
----------------------------------------------------------------
[0] Library Selftest (core KAT) PASS (1480 ms)
----------------------------------------------------------------
================================================================
Section 1/8: Mathematical Invariants (Fp, Zn, Group Laws)
================================================================
[ 1] Field Fp deep audit (add/mul/inv/sqrt/batch) PASS (224 ms)
[ 2] Scalar Zn deep audit (mod/GLV/edge/inv) PASS (31 ms)
[ 3] Point ops deep audit (Jac/affine/sigs) PASS (833 ms)
[ 4] Field & scalar arithmetic PASS (1 ms)
[ 5] Arithmetic correctness PASS (1 ms)
[ 6] Scalar multiplication PASS (1563 ms)
[ 7] Exhaustive algebraic verification PASS (16 ms)
[ 8] Comprehensive 500+ suite PASS (26 ms)
[ 9] ECC property-based invariants PASS (2 ms)
[10] Affine batch addition PASS (129 ms)
[11] Carry chain stress (limb boundary) PASS (0 ms)
[12] FieldElement52 (5x52) vs 4x64 PASS (0 ms)
[13] FieldElement26 (10x26) vs 4x64 PASS (0 ms)
-------- Section Result: 13/13 passed (2825 ms)
================================================================
Section 2/8: Constant-Time & Side-Channel Analysis
================================================================
[14] CT deep audit (masks/cmov/cswap/timing) PASS (80 ms)
[15] Constant-time layer PASS (0 ms)
[16] FAST == CT equivalence PASS (11 ms)
[17] Side-channel dudect (smoke) WARN (29 ms)
[18] Formal CT verification (ctgrind/MSAN) PASS (1 ms)
[19] CT scalar_mul vs fast (diagnostic) PASS (4 ms)
-------- Section Result: 5/6 passed (125 ms)
================================================================
Section 3/8: Differential & Cross-Library Testing
================================================================
[20] Differential correctness PASS (194 ms)
[21] Fiat-Crypto reference vectors PASS (0 ms)
[22] Fiat-Crypto direct linkage (100%% parity) PASS (0 ms)
[23] Cross-platform KAT PASS (0 ms)
-------- Section Result: 4/4 passed (195 ms)
================================================================
Section 4/8: Standard Test Vectors (BIP-340, RFC-6979, BIP-32)
================================================================
[24] BIP-340 official vectors PASS (1 ms)
[25] BIP-340 strict encoding (non-canonical) PASS (0 ms)
[26] BIP-32 official vectors TV1-5 PASS (2 ms)
[27] RFC 6979 ECDSA vectors PASS (0 ms)
[28] FROST reference KAT vectors PASS (13 ms)
[29] MuSig2 BIP-327 reference vectors PASS (4 ms)
[30] Wycheproof ECDSA secp256k1 vectors PASS (2 ms)
[31] Wycheproof ECDH secp256k1 vectors PASS (1 ms)
-------- Section Result: 8/8 passed (23 ms)
================================================================
Section 5/8: Fuzzing & Adversarial Attack Resilience
================================================================
[32] Adversarial fuzz (malform/edge) PASS (171 ms)
[33] Parser fuzz (DER/Schnorr/Pubkey) PASS (6117 ms)
[34] Address/BIP32/FFI boundary fuzz PASS (1501 ms)
[35] Fault injection simulation PASS (63 ms)
-------- Section Result: 4/4 passed (7851 ms)
================================================================
Section 6/8: Protocol Security (ECDSA, Schnorr, MuSig2, FROST)
================================================================
[36] ECDSA + Schnorr PASS (0 ms)
[37] BIP-32 HD derivation PASS (0 ms)
[38] MuSig2 PASS (1 ms)
[39] ECDH + recovery + taproot PASS (1 ms)
[40] v4 (Pedersen/FROST/etc) PASS (2 ms)
[41] Coins layer PASS (1 ms)
[42] MuSig2 + FROST protocol suite PASS (109 ms)
[43] MuSig2 + FROST advanced/adversar PASS (45 ms)
[44] Integration (ECDH/batch/cross-proto) PASS (747 ms)
[45] Batch verify weight randomness audit PASS (1 ms)
-------- Section Result: 10/10 passed (907 ms)
================================================================
Section 7/8: ABI & Memory Safety (zeroization, hardening)
================================================================
[46] Security hardening (zero/bitflip/nonce) PASS (13380 ms)
[47] Debug invariant assertions PASS (0 ms)
[48] ABI version gate (compile-time) PASS (0 ms)
[49] Cross-ABI/FFI round-trip (ufsecp C API) PASS (1 ms)
-------- Section Result: 4/4 passed (13382 ms)
================================================================
Section 8/8: Performance Validation & Regression
================================================================
[50] Accelerated hashing PASS (343 ms)
[51] SIMD batch operations PASS (0 ms)
[52] Multi-scalar & batch verify PASS (1 ms)
[53] Performance smoke (sign/verify roundtrip) PASS (0 ms)
-------- Section Result: 4/4 passed (344 ms)
================================================================
AUDIT VERDICT: AUDIT-READY
TOTAL: 53/54 modules passed (1 advisory warnings) (27.1 s)
Platform: Linux x86-64 | GCC 13.3.0 | Release
================================================================

170
audit-output-strict-clang-17/audit_report.json Normal file
View File

@ -0,0 +1,170 @@
{
"report_type": "industrial_self_audit",
"library": "UltrafastSecp256k1",
"library_version": "3.19.0",
"git_hash": "unknown",
"audit_framework_version": "2.0.0",
"timestamp": "2026-03-07T00:40:27",
"platform": {
"os": "Linux",
"arch": "x86-64",
"compiler": "Clang 17.0.6",
"build_type": "Release"
},
"summary": {
"total_modules": 54,
"passed": 54,
"failed": 0,
"advisory_warnings": 0,
"all_passed": true,
"total_time_ms": 25515.4,
"audit_verdict": "AUDIT-READY"
},
"selftest": {
"passed": true,
"time_ms": 1527.9
},
"sections": [
{
"id": "math_invariants",
"title": "Mathematical Invariants (Fp, Zn, Group Laws)",
"total": 13,
"passed": 13,
"failed": 0,
"time_ms": 2882.3,
"status": "PASS",
"modules": [
{ "id": "audit_field", "name": "Field Fp deep audit (add/mul/inv/sqrt/batch)", "passed": true, "advisory": false, "time_ms": 226.2 },
{ "id": "audit_scalar", "name": "Scalar Zn deep audit (mod/GLV/edge/inv)", "passed": true, "advisory": false, "time_ms": 28.4 },
{ "id": "audit_point", "name": "Point ops deep audit (Jac/affine/sigs)", "passed": true, "advisory": false, "time_ms": 784.3 },
{ "id": "mul", "name": "Field & scalar arithmetic", "passed": true, "advisory": false, "time_ms": 1.1 },
{ "id": "arith_correct", "name": "Arithmetic correctness", "passed": true, "advisory": false, "time_ms": 0.9 },
{ "id": "scalar_mul", "name": "Scalar multiplication", "passed": true, "advisory": false, "time_ms": 1648.7 },
{ "id": "exhaustive", "name": "Exhaustive algebraic verification", "passed": true, "advisory": false, "time_ms": 15.9 },
{ "id": "comprehensive", "name": "Comprehensive 500+ suite", "passed": true, "advisory": false, "time_ms": 25.3 },
{ "id": "ecc_properties", "name": "ECC property-based invariants", "passed": true, "advisory": false, "time_ms": 2.1 },
{ "id": "batch_add", "name": "Affine batch addition", "passed": true, "advisory": false, "time_ms": 149.1 },
{ "id": "carry_propagation", "name": "Carry chain stress (limb boundary)", "passed": true, "advisory": false, "time_ms": 0.2 },
{ "id": "field_52", "name": "FieldElement52 (5x52) vs 4x64", "passed": true, "advisory": false, "time_ms": 0.0 },
{ "id": "field_26", "name": "FieldElement26 (10x26) vs 4x64", "passed": true, "advisory": false, "time_ms": 0.1 }
]
},
{
"id": "ct_analysis",
"title": "Constant-Time & Side-Channel Analysis",
"total": 6,
"passed": 6,
"failed": 0,
"time_ms": 110.6,
"status": "PASS",
"modules": [
{ "id": "audit_ct", "name": "CT deep audit (masks/cmov/cswap/timing)", "passed": true, "advisory": false, "time_ms": 69.9 },
{ "id": "ct", "name": "Constant-time layer", "passed": true, "advisory": false, "time_ms": 0.4 },
{ "id": "ct_equivalence", "name": "FAST == CT equivalence", "passed": true, "advisory": false, "time_ms": 9.2 },
{ "id": "ct_sidechannel", "name": "Side-channel dudect (smoke)", "passed": true, "advisory": true, "time_ms": 27.2 },
{ "id": "ct_verif_formal", "name": "Formal CT verification (ctgrind/MSAN)", "passed": true, "advisory": false, "time_ms": 0.5 },
{ "id": "diag_scalar_mul", "name": "CT scalar_mul vs fast (diagnostic)", "passed": true, "advisory": false, "time_ms": 3.5 }
]
},
{
"id": "differential",
"title": "Differential & Cross-Library Testing",
"total": 4,
"passed": 4,
"failed": 0,
"time_ms": 175.8,
"status": "PASS",
"modules": [
{ "id": "differential", "name": "Differential correctness", "passed": true, "advisory": false, "time_ms": 175.0 },
{ "id": "fiat_crypto", "name": "Fiat-Crypto reference vectors", "passed": true, "advisory": false, "time_ms": 0.3 },
{ "id": "fiat_crypto_link", "name": "Fiat-Crypto direct linkage (100%% parity)", "passed": true, "advisory": false, "time_ms": 0.2 },
{ "id": "cross_platform_kat", "name": "Cross-platform KAT", "passed": true, "advisory": false, "time_ms": 0.3 }
]
},
{
"id": "standard_vectors",
"title": "Standard Test Vectors (BIP-340, RFC-6979, BIP-32)",
"total": 8,
"passed": 8,
"failed": 0,
"time_ms": 19.9,
"status": "PASS",
"modules": [
{ "id": "bip340_vectors", "name": "BIP-340 official vectors", "passed": true, "advisory": false, "time_ms": 0.5 },
{ "id": "bip340_strict", "name": "BIP-340 strict encoding (non-canonical)", "passed": true, "advisory": false, "time_ms": 0.0 },
{ "id": "bip32_vectors", "name": "BIP-32 official vectors TV1-5", "passed": true, "advisory": false, "time_ms": 1.2 },
{ "id": "rfc6979_vectors", "name": "RFC 6979 ECDSA vectors", "passed": true, "advisory": false, "time_ms": 0.4 },
{ "id": "frost_kat", "name": "FROST reference KAT vectors", "passed": true, "advisory": false, "time_ms": 11.9 },
{ "id": "musig2_bip327", "name": "MuSig2 BIP-327 reference vectors", "passed": true, "advisory": false, "time_ms": 3.5 },
{ "id": "wycheproof_ecdsa", "name": "Wycheproof ECDSA secp256k1 vectors", "passed": true, "advisory": false, "time_ms": 1.7 },
{ "id": "wycheproof_ecdh", "name": "Wycheproof ECDH secp256k1 vectors", "passed": true, "advisory": false, "time_ms": 0.7 }
]
},
{
"id": "fuzzing",
"title": "Fuzzing & Adversarial Attack Resilience",
"total": 4,
"passed": 4,
"failed": 0,
"time_ms": 7149.6,
"status": "PASS",
"modules": [
{ "id": "audit_fuzz", "name": "Adversarial fuzz (malform/edge)", "passed": true, "advisory": false, "time_ms": 162.2 },
{ "id": "fuzz_parsers", "name": "Parser fuzz (DER/Schnorr/Pubkey)", "passed": true, "advisory": false, "time_ms": 5654.0 },
{ "id": "fuzz_addr_bip32", "name": "Address/BIP32/FFI boundary fuzz", "passed": true, "advisory": false, "time_ms": 1275.7 },
{ "id": "fault_injection", "name": "Fault injection simulation", "passed": true, "advisory": false, "time_ms": 57.7 }
]
},
{
"id": "protocol_security",
"title": "Protocol Security (ECDSA, Schnorr, MuSig2, FROST)",
"total": 10,
"passed": 10,
"failed": 0,
"time_ms": 813.6,
"status": "PASS",
"modules": [
{ "id": "ecdsa_schnorr", "name": "ECDSA + Schnorr", "passed": true, "advisory": false, "time_ms": 0.2 },
{ "id": "bip32", "name": "BIP-32 HD derivation", "passed": true, "advisory": false, "time_ms": 0.2 },
{ "id": "musig2", "name": "MuSig2", "passed": true, "advisory": false, "time_ms": 1.2 },
{ "id": "ecdh_recovery", "name": "ECDH + recovery + taproot", "passed": true, "advisory": false, "time_ms": 1.1 },
{ "id": "v4_features", "name": "v4 (Pedersen/FROST/etc)", "passed": true, "advisory": false, "time_ms": 1.8 },
{ "id": "coins", "name": "Coins layer", "passed": true, "advisory": false, "time_ms": 0.4 },
{ "id": "musig2_frost", "name": "MuSig2 + FROST protocol suite", "passed": true, "advisory": false, "time_ms": 96.9 },
{ "id": "musig2_frost_adv", "name": "MuSig2 + FROST advanced/adversar", "passed": true, "advisory": false, "time_ms": 39.3 },
{ "id": "audit_integration", "name": "Integration (ECDH/batch/cross-proto)", "passed": true, "advisory": false, "time_ms": 671.8 },
{ "id": "batch_randomness", "name": "Batch verify weight randomness audit", "passed": true, "advisory": false, "time_ms": 0.5 }
]
},
{
"id": "memory_safety",
"title": "ABI & Memory Safety (zeroization, hardening)",
"total": 4,
"passed": 4,
"failed": 0,
"time_ms": 12454.5,
"status": "PASS",
"modules": [
{ "id": "audit_security", "name": "Security hardening (zero/bitflip/nonce)", "passed": true, "advisory": false, "time_ms": 12453.1 },
{ "id": "debug_invariants", "name": "Debug invariant assertions", "passed": true, "advisory": false, "time_ms": 0.3 },
{ "id": "abi_gate", "name": "ABI version gate (compile-time)", "passed": true, "advisory": false, "time_ms": 0.0 },
{ "id": "ffi_round_trip", "name": "Cross-ABI/FFI round-trip (ufsecp C API)", "passed": true, "advisory": false, "time_ms": 1.1 }
]
},
{
"id": "performance",
"title": "Performance Validation & Regression",
"total": 4,
"passed": 4,
"failed": 0,
"time_ms": 381.0,
"status": "PASS",
"modules": [
{ "id": "hash_accel", "name": "Accelerated hashing", "passed": true, "advisory": false, "time_ms": 379.8 },
{ "id": "simd_batch", "name": "SIMD batch operations", "passed": true, "advisory": false, "time_ms": 0.0 },
{ "id": "multiscalar", "name": "Multi-scalar & batch verify", "passed": true, "advisory": false, "time_ms": 1.1 },
{ "id": "audit_perf", "name": "Performance smoke (sign/verify roundtrip)", "passed": true, "advisory": false, "time_ms": 0.1 }
]
}
]
}

115
audit-output-strict-clang-17/audit_report.txt Normal file
View File

@ -0,0 +1,115 @@
================================================================
UltrafastSecp256k1 -- Industrial Self-Audit Report
================================================================
Library: UltrafastSecp256k1 v3.19.0
Git Hash: unknown
Framework: Audit Framework v2.0.0
Timestamp: 2026-03-07T00:40:27
OS: Linux
Arch: x86-64
Compiler: Clang 17.0.6
Build: Release
----------------------------------------------------------------
[0] Library Selftest (core KAT) PASS (1528 ms)
----------------------------------------------------------------
================================================================
Section 1/8: Mathematical Invariants (Fp, Zn, Group Laws)
================================================================
[ 1] Field Fp deep audit (add/mul/inv/sqrt/batch) PASS (226 ms)
[ 2] Scalar Zn deep audit (mod/GLV/edge/inv) PASS (28 ms)
[ 3] Point ops deep audit (Jac/affine/sigs) PASS (784 ms)
[ 4] Field & scalar arithmetic PASS (1 ms)
[ 5] Arithmetic correctness PASS (1 ms)
[ 6] Scalar multiplication PASS (1649 ms)
[ 7] Exhaustive algebraic verification PASS (16 ms)
[ 8] Comprehensive 500+ suite PASS (25 ms)
[ 9] ECC property-based invariants PASS (2 ms)
[10] Affine batch addition PASS (149 ms)
[11] Carry chain stress (limb boundary) PASS (0 ms)
[12] FieldElement52 (5x52) vs 4x64 PASS (0 ms)
[13] FieldElement26 (10x26) vs 4x64 PASS (0 ms)
-------- Section Result: 13/13 passed (2882 ms)
================================================================
Section 2/8: Constant-Time & Side-Channel Analysis
================================================================
[14] CT deep audit (masks/cmov/cswap/timing) PASS (70 ms)
[15] Constant-time layer PASS (0 ms)
[16] FAST == CT equivalence PASS (9 ms)
[17] Side-channel dudect (smoke) PASS (27 ms)
[18] Formal CT verification (ctgrind/MSAN) PASS (0 ms)
[19] CT scalar_mul vs fast (diagnostic) PASS (3 ms)
-------- Section Result: 6/6 passed (111 ms)
================================================================
Section 3/8: Differential & Cross-Library Testing
================================================================
[20] Differential correctness PASS (175 ms)
[21] Fiat-Crypto reference vectors PASS (0 ms)
[22] Fiat-Crypto direct linkage (100%% parity) PASS (0 ms)
[23] Cross-platform KAT PASS (0 ms)
-------- Section Result: 4/4 passed (176 ms)
================================================================
Section 4/8: Standard Test Vectors (BIP-340, RFC-6979, BIP-32)
================================================================
[24] BIP-340 official vectors PASS (1 ms)
[25] BIP-340 strict encoding (non-canonical) PASS (0 ms)
[26] BIP-32 official vectors TV1-5 PASS (1 ms)
[27] RFC 6979 ECDSA vectors PASS (0 ms)
[28] FROST reference KAT vectors PASS (12 ms)
[29] MuSig2 BIP-327 reference vectors PASS (3 ms)
[30] Wycheproof ECDSA secp256k1 vectors PASS (2 ms)
[31] Wycheproof ECDH secp256k1 vectors PASS (1 ms)
-------- Section Result: 8/8 passed (20 ms)
================================================================
Section 5/8: Fuzzing & Adversarial Attack Resilience
================================================================
[32] Adversarial fuzz (malform/edge) PASS (162 ms)
[33] Parser fuzz (DER/Schnorr/Pubkey) PASS (5654 ms)
[34] Address/BIP32/FFI boundary fuzz PASS (1276 ms)
[35] Fault injection simulation PASS (58 ms)
-------- Section Result: 4/4 passed (7150 ms)
================================================================
Section 6/8: Protocol Security (ECDSA, Schnorr, MuSig2, FROST)
================================================================
[36] ECDSA + Schnorr PASS (0 ms)
[37] BIP-32 HD derivation PASS (0 ms)
[38] MuSig2 PASS (1 ms)
[39] ECDH + recovery + taproot PASS (1 ms)
[40] v4 (Pedersen/FROST/etc) PASS (2 ms)
[41] Coins layer PASS (0 ms)
[42] MuSig2 + FROST protocol suite PASS (97 ms)
[43] MuSig2 + FROST advanced/adversar PASS (39 ms)
[44] Integration (ECDH/batch/cross-proto) PASS (672 ms)
[45] Batch verify weight randomness audit PASS (1 ms)
-------- Section Result: 10/10 passed (814 ms)
================================================================
Section 7/8: ABI & Memory Safety (zeroization, hardening)
================================================================
[46] Security hardening (zero/bitflip/nonce) PASS (12453 ms)
[47] Debug invariant assertions PASS (0 ms)
[48] ABI version gate (compile-time) PASS (0 ms)
[49] Cross-ABI/FFI round-trip (ufsecp C API) PASS (1 ms)
-------- Section Result: 4/4 passed (12454 ms)
================================================================
Section 8/8: Performance Validation & Regression
================================================================
[50] Accelerated hashing PASS (380 ms)
[51] SIMD batch operations PASS (0 ms)
[52] Multi-scalar & batch verify PASS (1 ms)
[53] Performance smoke (sign/verify roundtrip) PASS (0 ms)
-------- Section Result: 4/4 passed (381 ms)
================================================================
AUDIT VERDICT: AUDIT-READY
TOTAL: 54/54 modules passed (25.5 s)
Platform: Linux x86-64 | Clang 17.0.6 | Release
================================================================

170
audit-output-strict-gcc-13/audit_report.json Normal file
View File

@ -0,0 +1,170 @@
{
"report_type": "industrial_self_audit",
"library": "UltrafastSecp256k1",
"library_version": "3.19.0",
"git_hash": "unknown",
"audit_framework_version": "2.0.0",
"timestamp": "2026-03-07T00:39:30",
"platform": {
"os": "Linux",
"arch": "x86-64",
"compiler": "GCC 13.3.0",
"build_type": "Release"
},
"summary": {
"total_modules": 54,
"passed": 53,
"failed": 0,
"advisory_warnings": 1,
"all_passed": true,
"total_time_ms": 26783.1,
"audit_verdict": "AUDIT-READY"
},
"selftest": {
"passed": true,
"time_ms": 1472.6
},
"sections": [
{
"id": "math_invariants",
"title": "Mathematical Invariants (Fp, Zn, Group Laws)",
"total": 13,
"passed": 13,
"failed": 0,
"time_ms": 2817.0,
"status": "PASS",
"modules": [
{ "id": "audit_field", "name": "Field Fp deep audit (add/mul/inv/sqrt/batch)", "passed": true, "advisory": false, "time_ms": 224.3 },
{ "id": "audit_scalar", "name": "Scalar Zn deep audit (mod/GLV/edge/inv)", "passed": true, "advisory": false, "time_ms": 31.2 },
{ "id": "audit_point", "name": "Point ops deep audit (Jac/affine/sigs)", "passed": true, "advisory": false, "time_ms": 852.8 },
{ "id": "mul", "name": "Field & scalar arithmetic", "passed": true, "advisory": false, "time_ms": 1.5 },
{ "id": "arith_correct", "name": "Arithmetic correctness", "passed": true, "advisory": false, "time_ms": 0.8 },
{ "id": "scalar_mul", "name": "Scalar multiplication", "passed": true, "advisory": false, "time_ms": 1530.5 },
{ "id": "exhaustive", "name": "Exhaustive algebraic verification", "passed": true, "advisory": false, "time_ms": 15.9 },
{ "id": "comprehensive", "name": "Comprehensive 500+ suite", "passed": true, "advisory": false, "time_ms": 25.6 },
{ "id": "ecc_properties", "name": "ECC property-based invariants", "passed": true, "advisory": false, "time_ms": 2.2 },
{ "id": "batch_add", "name": "Affine batch addition", "passed": true, "advisory": false, "time_ms": 131.8 },
{ "id": "carry_propagation", "name": "Carry chain stress (limb boundary)", "passed": true, "advisory": false, "time_ms": 0.2 },
{ "id": "field_52", "name": "FieldElement52 (5x52) vs 4x64", "passed": true, "advisory": false, "time_ms": 0.0 },
{ "id": "field_26", "name": "FieldElement26 (10x26) vs 4x64", "passed": true, "advisory": false, "time_ms": 0.1 }
]
},
{
"id": "ct_analysis",
"title": "Constant-Time & Side-Channel Analysis",
"total": 6,
"passed": 5,
"failed": 0,
"time_ms": 123.4,
"status": "PASS",
"modules": [
{ "id": "audit_ct", "name": "CT deep audit (masks/cmov/cswap/timing)", "passed": true, "advisory": false, "time_ms": 79.2 },
{ "id": "ct", "name": "Constant-time layer", "passed": true, "advisory": false, "time_ms": 0.5 },
{ "id": "ct_equivalence", "name": "FAST == CT equivalence", "passed": true, "advisory": false, "time_ms": 10.7 },
{ "id": "ct_sidechannel", "name": "Side-channel dudect (smoke)", "passed": false, "advisory": true, "time_ms": 28.7 },
{ "id": "ct_verif_formal", "name": "Formal CT verification (ctgrind/MSAN)", "passed": true, "advisory": false, "time_ms": 0.6 },
{ "id": "diag_scalar_mul", "name": "CT scalar_mul vs fast (diagnostic)", "passed": true, "advisory": false, "time_ms": 3.8 }
]
},
{
"id": "differential",
"title": "Differential & Cross-Library Testing",
"total": 4,
"passed": 4,
"failed": 0,
"time_ms": 186.9,
"status": "PASS",
"modules": [
{ "id": "differential", "name": "Differential correctness", "passed": true, "advisory": false, "time_ms": 185.9 },
{ "id": "fiat_crypto", "name": "Fiat-Crypto reference vectors", "passed": true, "advisory": false, "time_ms": 0.3 },
{ "id": "fiat_crypto_link", "name": "Fiat-Crypto direct linkage (100%% parity)", "passed": true, "advisory": false, "time_ms": 0.5 },
{ "id": "cross_platform_kat", "name": "Cross-platform KAT", "passed": true, "advisory": false, "time_ms": 0.3 }
]
},
{
"id": "standard_vectors",
"title": "Standard Test Vectors (BIP-340, RFC-6979, BIP-32)",
"total": 8,
"passed": 8,
"failed": 0,
"time_ms": 22.5,
"status": "PASS",
"modules": [
{ "id": "bip340_vectors", "name": "BIP-340 official vectors", "passed": true, "advisory": false, "time_ms": 0.5 },
{ "id": "bip340_strict", "name": "BIP-340 strict encoding (non-canonical)", "passed": true, "advisory": false, "time_ms": 0.0 },
{ "id": "bip32_vectors", "name": "BIP-32 official vectors TV1-5", "passed": true, "advisory": false, "time_ms": 1.5 },
{ "id": "rfc6979_vectors", "name": "RFC 6979 ECDSA vectors", "passed": true, "advisory": false, "time_ms": 0.5 },
{ "id": "frost_kat", "name": "FROST reference KAT vectors", "passed": true, "advisory": false, "time_ms": 13.4 },
{ "id": "musig2_bip327", "name": "MuSig2 BIP-327 reference vectors", "passed": true, "advisory": false, "time_ms": 3.9 },
{ "id": "wycheproof_ecdsa", "name": "Wycheproof ECDSA secp256k1 vectors", "passed": true, "advisory": false, "time_ms": 1.9 },
{ "id": "wycheproof_ecdh", "name": "Wycheproof ECDH secp256k1 vectors", "passed": true, "advisory": false, "time_ms": 0.8 }
]
},
{
"id": "fuzzing",
"title": "Fuzzing & Adversarial Attack Resilience",
"total": 4,
"passed": 4,
"failed": 0,
"time_ms": 7825.3,
"status": "PASS",
"modules": [
{ "id": "audit_fuzz", "name": "Adversarial fuzz (malform/edge)", "passed": true, "advisory": false, "time_ms": 175.2 },
{ "id": "fuzz_parsers", "name": "Parser fuzz (DER/Schnorr/Pubkey)", "passed": true, "advisory": false, "time_ms": 6103.5 },
{ "id": "fuzz_addr_bip32", "name": "Address/BIP32/FFI boundary fuzz", "passed": true, "advisory": false, "time_ms": 1487.6 },
{ "id": "fault_injection", "name": "Fault injection simulation", "passed": true, "advisory": false, "time_ms": 59.0 }
]
},
{
"id": "protocol_security",
"title": "Protocol Security (ECDSA, Schnorr, MuSig2, FROST)",
"total": 10,
"passed": 10,
"failed": 0,
"time_ms": 905.7,
"status": "PASS",
"modules": [
{ "id": "ecdsa_schnorr", "name": "ECDSA + Schnorr", "passed": true, "advisory": false, "time_ms": 0.3 },
{ "id": "bip32", "name": "BIP-32 HD derivation", "passed": true, "advisory": false, "time_ms": 0.3 },
{ "id": "musig2", "name": "MuSig2", "passed": true, "advisory": false, "time_ms": 1.3 },
{ "id": "ecdh_recovery", "name": "ECDH + recovery + taproot", "passed": true, "advisory": false, "time_ms": 1.2 },
{ "id": "v4_features", "name": "v4 (Pedersen/FROST/etc)", "passed": true, "advisory": false, "time_ms": 2.2 },
{ "id": "coins", "name": "Coins layer", "passed": true, "advisory": false, "time_ms": 0.5 },
{ "id": "musig2_frost", "name": "MuSig2 + FROST protocol suite", "passed": true, "advisory": false, "time_ms": 109.0 },
{ "id": "musig2_frost_adv", "name": "MuSig2 + FROST advanced/adversar", "passed": true, "advisory": false, "time_ms": 45.0 },
{ "id": "audit_integration", "name": "Integration (ECDH/batch/cross-proto)", "passed": true, "advisory": false, "time_ms": 745.4 },
{ "id": "batch_randomness", "name": "Batch verify weight randomness audit", "passed": true, "advisory": false, "time_ms": 0.5 }
]
},
{
"id": "memory_safety",
"title": "ABI & Memory Safety (zeroization, hardening)",
"total": 4,
"passed": 4,
"failed": 0,
"time_ms": 13100.8,
"status": "PASS",
"modules": [
{ "id": "audit_security", "name": "Security hardening (zero/bitflip/nonce)", "passed": true, "advisory": false, "time_ms": 13099.2 },
{ "id": "debug_invariants", "name": "Debug invariant assertions", "passed": true, "advisory": false, "time_ms": 0.3 },
{ "id": "abi_gate", "name": "ABI version gate (compile-time)", "passed": true, "advisory": false, "time_ms": 0.0 },
{ "id": "ffi_round_trip", "name": "Cross-ABI/FFI round-trip (ufsecp C API)", "passed": true, "advisory": false, "time_ms": 1.3 }
]
},
{
"id": "performance",
"title": "Performance Validation & Regression",
"total": 4,
"passed": 4,
"failed": 0,
"time_ms": 328.7,
"status": "PASS",
"modules": [
{ "id": "hash_accel", "name": "Accelerated hashing", "passed": true, "advisory": false, "time_ms": 327.6 },
{ "id": "simd_batch", "name": "SIMD batch operations", "passed": true, "advisory": false, "time_ms": 0.0 },
{ "id": "multiscalar", "name": "Multi-scalar & batch verify", "passed": true, "advisory": false, "time_ms": 1.0 },
{ "id": "audit_perf", "name": "Performance smoke (sign/verify roundtrip)", "passed": true, "advisory": false, "time_ms": 0.1 }
]
}
]
}

115
audit-output-strict-gcc-13/audit_report.txt Normal file
View File

@ -0,0 +1,115 @@
================================================================
UltrafastSecp256k1 -- Industrial Self-Audit Report
================================================================
Library: UltrafastSecp256k1 v3.19.0
Git Hash: unknown
Framework: Audit Framework v2.0.0
Timestamp: 2026-03-07T00:39:30
OS: Linux
Arch: x86-64
Compiler: GCC 13.3.0
Build: Release
----------------------------------------------------------------
[0] Library Selftest (core KAT) PASS (1473 ms)
----------------------------------------------------------------
================================================================
Section 1/8: Mathematical Invariants (Fp, Zn, Group Laws)
================================================================
[ 1] Field Fp deep audit (add/mul/inv/sqrt/batch) PASS (224 ms)
[ 2] Scalar Zn deep audit (mod/GLV/edge/inv) PASS (31 ms)
[ 3] Point ops deep audit (Jac/affine/sigs) PASS (853 ms)
[ 4] Field & scalar arithmetic PASS (2 ms)
[ 5] Arithmetic correctness PASS (1 ms)
[ 6] Scalar multiplication PASS (1530 ms)
[ 7] Exhaustive algebraic verification PASS (16 ms)
[ 8] Comprehensive 500+ suite PASS (26 ms)
[ 9] ECC property-based invariants PASS (2 ms)
[10] Affine batch addition PASS (132 ms)
[11] Carry chain stress (limb boundary) PASS (0 ms)
[12] FieldElement52 (5x52) vs 4x64 PASS (0 ms)
[13] FieldElement26 (10x26) vs 4x64 PASS (0 ms)
-------- Section Result: 13/13 passed (2817 ms)
================================================================
Section 2/8: Constant-Time & Side-Channel Analysis
================================================================
[14] CT deep audit (masks/cmov/cswap/timing) PASS (79 ms)
[15] Constant-time layer PASS (0 ms)
[16] FAST == CT equivalence PASS (11 ms)
[17] Side-channel dudect (smoke) WARN (29 ms)
[18] Formal CT verification (ctgrind/MSAN) PASS (1 ms)
[19] CT scalar_mul vs fast (diagnostic) PASS (4 ms)
-------- Section Result: 5/6 passed (123 ms)
================================================================
Section 3/8: Differential & Cross-Library Testing
================================================================
[20] Differential correctness PASS (186 ms)
[21] Fiat-Crypto reference vectors PASS (0 ms)
[22] Fiat-Crypto direct linkage (100%% parity) PASS (0 ms)
[23] Cross-platform KAT PASS (0 ms)
-------- Section Result: 4/4 passed (187 ms)
================================================================
Section 4/8: Standard Test Vectors (BIP-340, RFC-6979, BIP-32)
================================================================
[24] BIP-340 official vectors PASS (1 ms)
[25] BIP-340 strict encoding (non-canonical) PASS (0 ms)
[26] BIP-32 official vectors TV1-5 PASS (2 ms)
[27] RFC 6979 ECDSA vectors PASS (0 ms)
[28] FROST reference KAT vectors PASS (13 ms)
[29] MuSig2 BIP-327 reference vectors PASS (4 ms)
[30] Wycheproof ECDSA secp256k1 vectors PASS (2 ms)
[31] Wycheproof ECDH secp256k1 vectors PASS (1 ms)
-------- Section Result: 8/8 passed (23 ms)
================================================================
Section 5/8: Fuzzing & Adversarial Attack Resilience
================================================================
[32] Adversarial fuzz (malform/edge) PASS (175 ms)
[33] Parser fuzz (DER/Schnorr/Pubkey) PASS (6103 ms)
[34] Address/BIP32/FFI boundary fuzz PASS (1488 ms)
[35] Fault injection simulation PASS (59 ms)
-------- Section Result: 4/4 passed (7825 ms)
================================================================
Section 6/8: Protocol Security (ECDSA, Schnorr, MuSig2, FROST)
================================================================
[36] ECDSA + Schnorr PASS (0 ms)
[37] BIP-32 HD derivation PASS (0 ms)
[38] MuSig2 PASS (1 ms)
[39] ECDH + recovery + taproot PASS (1 ms)
[40] v4 (Pedersen/FROST/etc) PASS (2 ms)
[41] Coins layer PASS (1 ms)
[42] MuSig2 + FROST protocol suite PASS (109 ms)
[43] MuSig2 + FROST advanced/adversar PASS (45 ms)
[44] Integration (ECDH/batch/cross-proto) PASS (745 ms)
[45] Batch verify weight randomness audit PASS (1 ms)
-------- Section Result: 10/10 passed (906 ms)
================================================================
Section 7/8: ABI & Memory Safety (zeroization, hardening)
================================================================
[46] Security hardening (zero/bitflip/nonce) PASS (13099 ms)
[47] Debug invariant assertions PASS (0 ms)
[48] ABI version gate (compile-time) PASS (0 ms)
[49] Cross-ABI/FFI round-trip (ufsecp C API) PASS (1 ms)
-------- Section Result: 4/4 passed (13101 ms)
================================================================
Section 8/8: Performance Validation & Regression
================================================================
[50] Accelerated hashing PASS (328 ms)
[51] SIMD batch operations PASS (0 ms)
[52] Multi-scalar & batch verify PASS (1 ms)
[53] Performance smoke (sign/verify roundtrip) PASS (0 ms)
-------- Section Result: 4/4 passed (329 ms)
================================================================
AUDIT VERDICT: AUDIT-READY
TOTAL: 53/54 modules passed (1 advisory warnings) (26.8 s)
Platform: Linux x86-64 | GCC 13.3.0 | Release
================================================================

392
benchmark_results/benchmark.json Normal file
View File

@ -0,0 +1,392 @@
[
{
"name": "field_mul",
"unit": "ns",
"value": 10.7
},
{
"name": "field_sqr",
"unit": "ns",
"value": 10.0
},
{
"name": "field_inv",
"unit": "ns",
"value": 666.7
},
{
"name": "field_add",
"unit": "ns",
"value": 4.4
},
{
"name": "field_sub",
"unit": "ns",
"value": 4.1
},
{
"name": "field_negate",
"unit": "ns",
"value": 5.7
},
{
"name": "field_from_bytes (32B)",
"unit": "ns",
"value": 2.7
},
{
"name": "scalar_mul",
"unit": "ns",
"value": 19.7
},
{
"name": "scalar_inv",
"unit": "ns",
"value": 842.6
},
{
"name": "scalar_add",
"unit": "ns",
"value": 4.1
},
{
"name": "scalar_negate",
"unit": "ns",
"value": 2.4
},
{
"name": "scalar_from_bytes (32B)",
"unit": "ns",
"value": 2.6
},
{
"name": "pubkey_create (k*G)",
"unit": "ns",
"value": 4923.5
},
{
"name": "scalar_mul (k*P)",
"unit": "ns",
"value": 18724.7
},
{
"name": "scalar_mul_with_plan",
"unit": "ns",
"value": 18300.5
},
{
"name": "dual_mul (a*G + b*P)",
"unit": "ns",
"value": 20331.9
},
{
"name": "point_add (affine+affine)",
"unit": "ns",
"value": 822.1
},
{
"name": "point_add (J+A mixed)",
"unit": "ns",
"value": 132.3
},
{
"name": "point_dbl",
"unit": "ns",
"value": 73.7
},
{
"name": "normalize (J->affine)",
"unit": "ns",
"value": 2.4
},
{
"name": "batch_normalize /pt (N=64)",
"unit": "ns",
"value": 125.7
},
{
"name": "next_inplace (+=G)",
"unit": "ns",
"value": 132.1
},
{
"name": "KPlan::from_scalar(w=4)",
"unit": "ns",
"value": 1136.1
},
{
"name": "to_compressed (33B)",
"unit": "ns",
"value": 6.5
},
{
"name": "to_uncompressed (65B)",
"unit": "ns",
"value": 7.4
},
{
"name": "x_only_bytes (32B)",
"unit": "ns",
"value": 3.1
},
{
"name": "x_bytes_and_parity",
"unit": "ns",
"value": 4.2
},
{
"name": "has_even_y",
"unit": "ns",
"value": 1.8
},
{
"name": "batch_to_compressed /pt (N=64)",
"unit": "ns",
"value": 131.9
},
{
"name": "batch_x_only_bytes /pt (N=64)",
"unit": "ns",
"value": 98.1
},
{
"name": "ecdsa_sign",
"unit": "ns",
"value": 6846.8
},
{
"name": "ecdsa_sign_verified",
"unit": "ns",
"value": 34302.9
},
{
"name": "ecdsa_verify",
"unit": "ns",
"value": 21623.0
},
{
"name": "schnorr_keypair_create",
"unit": "ns",
"value": 4948.3
},
{
"name": "schnorr_sign",
"unit": "ns",
"value": 5283.5
},
{
"name": "schnorr_sign_verified",
"unit": "ns",
"value": 31073.6
},
{
"name": "schnorr_verify (cached xonly)",
"unit": "ns",
"value": 22041.5
},
{
"name": "schnorr_verify (raw bytes)",
"unit": "ns",
"value": 25201.8
},
{
"name": "schnorr_batch_verify(N=4)",
"unit": "ns",
"value": 109923.3
},
{
"name": "-> per-sig amortized (N=4)",
"unit": "ns",
"value": 27480.8
},
{
"name": "schnorr_batch_verify(N=16)",
"unit": "ns",
"value": 389531.3
},
{
"name": "-> per-sig amortized (N=16)",
"unit": "ns",
"value": 24345.7
},
{
"name": "schnorr_batch_verify(N=64)",
"unit": "ns",
"value": 2256663.5
},
{
"name": "-> per-sig amortized (N=64)",
"unit": "ns",
"value": 35260.4
},
{
"name": "ecdsa_batch_verify(N=4)",
"unit": "ns",
"value": 80551.7
},
{
"name": "ecdsa_batch_verify(N=16)",
"unit": "ns",
"value": 323889.4
},
{
"name": "ecdsa_batch_verify(N=64)",
"unit": "ns",
"value": 1318075.2
},
{
"name": "ct::scalar_inverse (SafeGCD)",
"unit": "ns",
"value": 1521.7
},
{
"name": "ct::generator_mul (k*G)",
"unit": "ns",
"value": 11635.5
},
{
"name": "ct::scalar_mul (k*P)",
"unit": "ns",
"value": 25096.3
},
{
"name": "ct::point_dbl",
"unit": "ns",
"value": 85.6
},
{
"name": "ct::point_add_complete (11M+6S)",
"unit": "ns",
"value": 254.0
},
{
"name": "ct::point_add_mixed_complete (7M+5S)",
"unit": "ns",
"value": 171.2
},
{
"name": "ct::point_add_mixed_unified (7M+5S)",
"unit": "ns",
"value": 167.3
},
{
"name": "ct::ecdsa_sign",
"unit": "ns",
"value": 15550.8
},
{
"name": "ct::ecdsa_sign_verified",
"unit": "ns",
"value": 47114.4
},
{
"name": "ct::schnorr_sign",
"unit": "ns",
"value": 11983.4
},
{
"name": "ct::schnorr_sign_verified",
"unit": "ns",
"value": 38752.0
},
{
"name": "ct::schnorr_keypair_create",
"unit": "ns",
"value": 11720.2
},
{
"name": "field_inv_var",
"unit": "ns",
"value": 834.1
},
{
"name": "field_normalize",
"unit": "ns",
"value": 7.4
},
{
"name": "field_from_bytes (set_b32)",
"unit": "ns",
"value": 13.1
},
{
"name": "scalar_inverse (CT)",
"unit": "ns",
"value": 1417.8
},
{
"name": "scalar_inverse_var",
"unit": "ns",
"value": 853.1
},
{
"name": "scalar_from_bytes (set_b32)",
"unit": "ns",
"value": 5.1
},
{
"name": "point_dbl (gej_double_var)",
"unit": "ns",
"value": 79.1
},
{
"name": "point_add (gej_add_ge_var)",
"unit": "ns",
"value": 142.7
},
{
"name": "ecmult (a*P + b*G, Strauss)",
"unit": "ns",
"value": 21479.8
},
{
"name": "ecmult_gen (k*G, comb)",
"unit": "ns",
"value": 10211.2
},
{
"name": "generator_mul (ec_pubkey_create)",
"unit": "ns",
"value": 11512.8
},
{
"name": "scalar_mul_P (k*P, tweak_mul)",
"unit": "ns",
"value": 20365.8
},
{
"name": "serialize_compressed (33B)",
"unit": "ns",
"value": 17.1
},
{
"name": "serialize_uncompressed (65B)",
"unit": "ns",
"value": 21.7
},
{
"name": "point_add (pubkey_combine)",
"unit": "ns",
"value": 1794.5
},
{
"name": "schnorr_sign (BIP-340)",
"unit": "ns",
"value": 12283.2
},
{
"name": "schnorr_verify (BIP-340)",
"unit": "ns",
"value": 23144.7
},
{
"name": "schnorr_verify_raw (parse+verify)",
"unit": "ns",
"value": 26107.4
},
{
"name": "Harness",
"unit": "ns",
"value": 3000000000.0
}
]

4
cpu/CMakeLists.txt
View File

@ -276,9 +276,9 @@ if(NOT TARGET ${SECP256K1_LIB_NAME})
endif()
elseif(CMAKE_CXX_COMPILER_ID MATCHES "GNU")
target_compile_options(${SECP256K1_LIB_NAME} PRIVATE
$<$<COMPILE_LANGUAGE:CXX>:-flto>)
$<$<COMPILE_LANGUAGE:CXX>:-flto -ffat-lto-objects>)
target_link_options(${SECP256K1_LIB_NAME} INTERFACE -flto)
message(STATUS "Secp256k1: OK LTO ENABLED (GCC LTO, INTERFACE propagated)")
message(STATUS "Secp256k1: OK LTO ENABLED (GCC LTO fat objects, INTERFACE propagated)")
else()
message(STATUS "Secp256k1: LTO not available for compiler ${CMAKE_CXX_COMPILER_ID}")
endif()

4
cpu/src/bip32.cpp
View File

@ -390,7 +390,9 @@ std::pair<ExtendedKey, bool> bip32_master_key(const uint8_t* seed, std::size_t s
std::memcpy(IL.data(), I.data(), 32);
std::memcpy(IR.data(), I.data() + 32, 32);
auto master_key = Scalar::from_bytes(IL);
auto master_key = Scalar{};
// BIP-32: IL must be < curve order n; reject if >= n (same as child derivation)
if (!Scalar::parse_bytes_strict(IL, master_key)) return {ExtendedKey{}, false};
if (master_key.is_zero()) return {ExtendedKey{}, false};
ExtendedKey ext{};

4
cpu/src/ct_sign.cpp
View File

@ -48,7 +48,7 @@ ECDSASignature ecdsa_sign(const std::array<uint8_t, 32>& msg_hash,
if (r.is_zero()) return {Scalar::zero(), Scalar::zero()};
// s = k^{-1} * (z + r * d) mod n
// CT inverse: Fermat a^{n-2} -- fixed addition chain, no secret-dependent branches.
// CT inverse: SafeGCD Bernstein-Yang divsteps-59, constant-time.
auto k_inv = ct::scalar_inverse(k);
auto s = k_inv * (z + r * private_key);
if (s.is_zero()) return {Scalar::zero(), Scalar::zero()};
@ -106,7 +106,7 @@ ECDSASignature ecdsa_sign_hedged(const std::array<uint8_t, 32>& msg_hash,
auto r = Scalar::from_bytes(r_bytes);
if (r.is_zero()) return {Scalar::zero(), Scalar::zero()};
// CT inverse: Fermat a^{n-2} -- same fixed chain as ecdsa_sign above.
// CT inverse: SafeGCD Bernstein-Yang divsteps-59, same as ecdsa_sign above.
auto k_inv = ct::scalar_inverse(k);
auto s = k_inv * (z + r * private_key);
if (s.is_zero()) return {Scalar::zero(), Scalar::zero()};

4
cpu/src/ecdsa.cpp
View File

@ -483,7 +483,7 @@ ECDSASignature ecdsa_sign_verified(const std::array<uint8_t, 32>& msg_hash,
auto result = ecdsa_sign(msg_hash, private_key);
if (!result.r.is_zero()) {
auto pk = Point::generator().scalar_mul(private_key);
auto pk = ct::generator_mul(private_key);
if (!ecdsa_verify(msg_hash.data(), pk, result)) {
result = {Scalar::zero(), Scalar::zero()};
}
@ -536,7 +536,7 @@ ECDSASignature ecdsa_sign_hedged_verified(const std::array<uint8_t, 32>& msg_has
auto result = ecdsa_sign_hedged(msg_hash, private_key, aux_rand);
if (!result.r.is_zero()) {
auto pk = Point::generator().scalar_mul(private_key);
auto pk = ct::generator_mul(private_key);
if (!ecdsa_verify(msg_hash.data(), pk, result)) {
result = {Scalar::zero(), Scalar::zero()};
}

3
cpu/src/frost.cpp
View File

@ -274,6 +274,7 @@ frost_sign(const FrostKeyPackage& key_pkg,
Point const R = compute_group_commitment(nonce_commitments, binding_factors);
// BIP-340 compatibility: negate nonces if R has odd y
// NOTE: R and group_public_key are public values; VT field inverse is safe here.
auto R_y = R.y().to_bytes();
bool const negate_R = (R_y[31] & 1) != 0;
@ -339,6 +340,7 @@ bool frost_verify_partial(const FrostPartialSig& partial_sig,
}
// Group commitment
// NOTE: R and group_public_key are public values; VT field inverse is safe here.
Point const R = compute_group_commitment(nonce_commitments, binding_factors);
auto R_y = R.y().to_bytes();
bool const negate_R = (R_y[31] & 1) != 0;
@ -386,6 +388,7 @@ frost_aggregate(const std::vector<FrostPartialSig>& partial_sigs,
Point R = compute_group_commitment(nonce_commitments, binding_factors);
// BIP-340: ensure even y
// NOTE: R is a public group commitment; VT field inverse is safe here.
auto R_y = R.y().to_bytes();
if (R_y[31] & 1) {
R = R.negate();

6
cpu/src/musig2.cpp
View File

@ -69,6 +69,12 @@ bool has_even_y(const Point& P) {
// BIP-327 KeyAgg: Q = sum(a_i * P_i)
// a_i = tagged_hash("KeyAgg coefficient", L || pk_i)
// where L = hash of all sorted pubkeys
//
// NOTE: This implementation uses 32-byte x-only pubkeys (even Y assumed).
// BIP-327 specifies 33-byte compressed ("plain") pubkeys to preserve Y parity.
// This is correct when all signers use x-only keys by convention, but does not
// handle signers with odd-Y keys. A future revision should accept 33-byte keys
// for full BIP-327 conformance.
MuSig2KeyAggCtx musig2_key_agg(const std::vector<std::array<uint8_t, 32>>& pubkeys) {
MuSig2KeyAggCtx ctx{};

4
cpu/src/recovery.cpp
View File

@ -44,6 +44,10 @@ static const std::array<uint8_t, 32> SECP256K1_ORDER_BYTES = {
};
// -- Sign with Recovery ID ----------------------------------------------------
// WARNING: Variable-time path -- uses fast::scalar_mul(k) and fast::inverse(k)
// on the secret nonce. For side-channel-resistant signing, use ct::ecdsa_sign()
// (which does not produce recovery IDs). This function is suitable only for
// environments where timing attacks are not a concern.
RecoverableSignature ecdsa_sign_recoverable(
const std::array<uint8_t, 32>& msg_hash,

124
cuda/CMakeLists.txt
View File

@ -94,3 +94,127 @@ target_link_libraries(secp256k1_cuda_bench PRIVATE secp256k1_cuda_lib)
enable_testing()
add_test(NAME cuda_selftest COMMAND secp256k1_cuda_test)
# ===== GPU Unified Audit Runner =====
set(_AUDIT_SOURCES src/gpu_audit_runner.cu)
if(_GPU_LANG STREQUAL "HIP")
set_source_files_properties(${_AUDIT_SOURCES} PROPERTIES LANGUAGE HIP)
add_executable(gpu_audit_runner ${_AUDIT_SOURCES})
target_compile_options(gpu_audit_runner PRIVATE
$<$<COMPILE_LANGUAGE:HIP>:-O3>
$<$<COMPILE_LANGUAGE:HIP>:-ffast-math>
)
else()
add_executable(gpu_audit_runner ${_AUDIT_SOURCES})
target_compile_options(gpu_audit_runner PRIVATE
$<$<COMPILE_LANGUAGE:CUDA>:--expt-relaxed-constexpr>
$<$<COMPILE_LANGUAGE:CUDA>:-O3>
$<$<COMPILE_LANGUAGE:CUDA>:--use_fast_math>
$<$<COMPILE_LANGUAGE:CUDA>:-Xptxas=-O3>
)
endif()
target_link_libraries(gpu_audit_runner PRIVATE secp256k1_cuda_lib)
add_test(NAME gpu_audit COMMAND gpu_audit_runner --json-only)
# ===== GPU Unified Benchmark =====
set(_BENCH_UNIFIED_SOURCES src/gpu_bench_unified.cu)
if(_GPU_LANG STREQUAL "HIP")
set_source_files_properties(${_BENCH_UNIFIED_SOURCES} PROPERTIES LANGUAGE HIP)
add_executable(gpu_bench_unified ${_BENCH_UNIFIED_SOURCES})
target_compile_options(gpu_bench_unified PRIVATE
$<$<COMPILE_LANGUAGE:HIP>:-O3>
$<$<COMPILE_LANGUAGE:HIP>:-ffast-math>
)
else()
add_executable(gpu_bench_unified ${_BENCH_UNIFIED_SOURCES})
target_compile_options(gpu_bench_unified PRIVATE
$<$<COMPILE_LANGUAGE:CUDA>:--expt-relaxed-constexpr>
$<$<COMPILE_LANGUAGE:CUDA>:-O3>
$<$<COMPILE_LANGUAGE:CUDA>:--use_fast_math>
$<$<COMPILE_LANGUAGE:CUDA>:-Xptxas=-O3>
)
endif()
target_link_libraries(gpu_bench_unified PRIVATE secp256k1_cuda_lib)
# ===== CPU vs GPU Comparison Benchmark =====
set(_BENCH_COMPARE_SOURCES src/bench_compare.cu)
if(_GPU_LANG STREQUAL "HIP")
set_source_files_properties(${_BENCH_COMPARE_SOURCES} PROPERTIES LANGUAGE HIP)
add_executable(bench_compare ${_BENCH_COMPARE_SOURCES})
target_compile_options(bench_compare PRIVATE
$<$<COMPILE_LANGUAGE:HIP>:-O3>
$<$<COMPILE_LANGUAGE:HIP>:-ffast-math>
)
else()
add_executable(bench_compare ${_BENCH_COMPARE_SOURCES})
target_compile_options(bench_compare PRIVATE
$<$<COMPILE_LANGUAGE:CUDA>:--expt-relaxed-constexpr>
$<$<COMPILE_LANGUAGE:CUDA>:-O3>
$<$<COMPILE_LANGUAGE:CUDA>:--use_fast_math>
$<$<COMPILE_LANGUAGE:CUDA>:-Xptxas=-O3>
)
endif()
# Link both GPU and CPU libraries for side-by-side comparison.
# CUDA/LTO gotcha: nvcc bundles GCC 12 as its host linker, but fastsecp256k1.a
# is compiled with host GCC 14 + LTO (fat objects with LTO v14.0 bytecodes).
# GCC 12 cannot process v14.0 LTO bytecodes -> fatal error.
# Solution: link the archive directly (bypassing INTERFACE -flto propagation)
# AND pass -fno-lto to tell GCC 12 to use regular object code from the fat archive.
target_link_libraries(bench_compare PRIVATE secp256k1_cuda_lib)
target_include_directories(bench_compare PRIVATE
${CMAKE_CURRENT_SOURCE_DIR}/../cpu/include
)
target_link_libraries(bench_compare PRIVATE
$<TARGET_FILE:fastsecp256k1>
)
set_target_properties(bench_compare PROPERTIES INTERPROCEDURAL_OPTIMIZATION FALSE)
target_link_options(bench_compare PRIVATE -fno-lto)
# ===== BIP-352 Silent Payments Pipeline Benchmark =====
set(_BENCH_BIP352_SOURCES src/bench_bip352.cu)
if(_GPU_LANG STREQUAL "HIP")
set_source_files_properties(${_BENCH_BIP352_SOURCES} PROPERTIES LANGUAGE HIP)
add_executable(bench_bip352 ${_BENCH_BIP352_SOURCES})
target_compile_options(bench_bip352 PRIVATE
$<$<COMPILE_LANGUAGE:HIP>:-O3>
$<$<COMPILE_LANGUAGE:HIP>:-ffast-math>
)
else()
add_executable(bench_bip352 ${_BENCH_BIP352_SOURCES})
target_compile_options(bench_bip352 PRIVATE
$<$<COMPILE_LANGUAGE:CUDA>:--expt-relaxed-constexpr>
$<$<COMPILE_LANGUAGE:CUDA>:-O3>
$<$<COMPILE_LANGUAGE:CUDA>:--use_fast_math>
$<$<COMPILE_LANGUAGE:CUDA>:-Xptxas=-O3>
)
endif()
target_link_libraries(bench_bip352 PRIVATE secp256k1_cuda_lib)
target_include_directories(bench_bip352 PRIVATE
${CMAKE_CURRENT_SOURCE_DIR}/../cpu/include
)
target_link_libraries(bench_bip352 PRIVATE
$<TARGET_FILE:fastsecp256k1>
)
set_target_properties(bench_bip352 PROPERTIES INTERPROCEDURAL_OPTIMIZATION FALSE)
target_link_options(bench_bip352 PRIVATE -fno-lto)
# ===== GPU CT Layer Smoke Test =====
set(_CT_TEST_SOURCES src/test_ct_smoke.cu)
if(_GPU_LANG STREQUAL "HIP")
set_source_files_properties(${_CT_TEST_SOURCES} PROPERTIES LANGUAGE HIP)
add_executable(test_ct_smoke ${_CT_TEST_SOURCES})
target_compile_options(test_ct_smoke PRIVATE
$<$<COMPILE_LANGUAGE:HIP>:-O3>
$<$<COMPILE_LANGUAGE:HIP>:-ffast-math>
)
else()
add_executable(test_ct_smoke ${_CT_TEST_SOURCES})
target_compile_options(test_ct_smoke PRIVATE
$<$<COMPILE_LANGUAGE:CUDA>:--expt-relaxed-constexpr>
$<$<COMPILE_LANGUAGE:CUDA>:-O3>
$<$<COMPILE_LANGUAGE:CUDA>:--use_fast_math>
$<$<COMPILE_LANGUAGE:CUDA>:-Xptxas=-O3>
)
endif()
target_link_libraries(test_ct_smoke PRIVATE secp256k1_cuda_lib)
add_test(NAME gpu_ct_smoke COMMAND test_ct_smoke)

172
cuda/include/batch_verify.cuh Normal file
View File

@ -0,0 +1,172 @@
#pragma once
// ============================================================================
// Batch Signature Verification -- CUDA device implementation
// ============================================================================
// GPU-parallel batch verification for ECDSA and Schnorr (BIP-340).
//
// Batch verification uses Strauss/random-linear-combination technique:
// For n signatures, verify that a random linear combination holds,
// reducing n independent verifications to one n-scalar-mul check.
//
// - schnorr_batch_verify: BIP-340 batch verification
// - ecdsa_batch_verify: ECDSA batch verification
// - GPU kernels for massively parallel individual verification
// ============================================================================
#include "schnorr.cuh"
#if !SECP256K1_CUDA_LIMBS_32
namespace secp256k1 {
namespace cuda {
// ============================================================================
// Batch entry types
// ============================================================================
struct SchnorrBatchEntryGPU {
uint8_t pubkey_x[32];
uint8_t message[32];
SchnorrSignatureGPU signature;
};
struct ECDSABatchEntryGPU {
uint8_t msg_hash[32];
JacobianPoint public_key;
ECDSASignatureGPU signature;
};
// ============================================================================
// GPU Kernels: parallel individual verification
// ============================================================================
// Each thread verifies one Schnorr signature independently.
__global__ void schnorr_batch_verify_kernel(
const SchnorrBatchEntryGPU* entries,
int n,
int* results) // 1 = valid, 0 = invalid
{
int idx = blockIdx.x * blockDim.x + threadIdx.x;
if (idx >= n) return;
results[idx] = schnorr_verify(
entries[idx].pubkey_x,
entries[idx].message,
&entries[idx].signature) ? 1 : 0;
}
// Each thread verifies one ECDSA signature independently.
__global__ void ecdsa_batch_verify_kernel(
const ECDSABatchEntryGPU* entries,
int n,
int* results)
{
int idx = blockIdx.x * blockDim.x + threadIdx.x;
if (idx >= n) return;
results[idx] = ecdsa_verify(
entries[idx].msg_hash,
&entries[idx].public_key,
&entries[idx].signature) ? 1 : 0;
}
// ============================================================================
// Host-callable batch verification
// ============================================================================
// Schnorr batch verify: launches GPU kernel, returns true iff ALL valid.
// out_invalid (optional): bit-array of invalid signature indices.
// Caller is responsible for cudaMalloc/cudaFree of device memory.
inline bool schnorr_batch_verify_gpu(
const SchnorrBatchEntryGPU* h_entries,
int n,
int* h_invalid_indices = nullptr,
int* out_invalid_count = nullptr)
{
if (n <= 0) return true;
SchnorrBatchEntryGPU* d_entries = nullptr;
int* d_results = nullptr;
cudaMalloc(&d_entries, n * sizeof(SchnorrBatchEntryGPU));
cudaMalloc(&d_results, n * sizeof(int));
cudaMemcpy(d_entries, h_entries, n * sizeof(SchnorrBatchEntryGPU),
cudaMemcpyHostToDevice);
int block_size = 128;
int grid_size = (n + block_size - 1) / block_size;
schnorr_batch_verify_kernel<<<grid_size, block_size>>>(d_entries, n, d_results);
int* h_results = new int[n];
cudaMemcpy(h_results, d_results, n * sizeof(int), cudaMemcpyDeviceToHost);
bool all_valid = true;
int invalid_count = 0;
for (int i = 0; i < n; i++) {
if (h_results[i] == 0) {
all_valid = false;
if (h_invalid_indices && invalid_count < n) {
h_invalid_indices[invalid_count] = i;
}
invalid_count++;
}
}
if (out_invalid_count) *out_invalid_count = invalid_count;
delete[] h_results;
cudaFree(d_results);
cudaFree(d_entries);
return all_valid;
}
// ECDSA batch verify: launches GPU kernel, returns true iff ALL valid.
inline bool ecdsa_batch_verify_gpu(
const ECDSABatchEntryGPU* h_entries,
int n,
int* h_invalid_indices = nullptr,
int* out_invalid_count = nullptr)
{
if (n <= 0) return true;
ECDSABatchEntryGPU* d_entries = nullptr;
int* d_results = nullptr;
cudaMalloc(&d_entries, n * sizeof(ECDSABatchEntryGPU));
cudaMalloc(&d_results, n * sizeof(int));
cudaMemcpy(d_entries, h_entries, n * sizeof(ECDSABatchEntryGPU),
cudaMemcpyHostToDevice);
int block_size = 128;
int grid_size = (n + block_size - 1) / block_size;
ecdsa_batch_verify_kernel<<<grid_size, block_size>>>(d_entries, n, d_results);
int* h_results = new int[n];
cudaMemcpy(h_results, d_results, n * sizeof(int), cudaMemcpyDeviceToHost);
bool all_valid = true;
int invalid_count = 0;
for (int i = 0; i < n; i++) {
if (h_results[i] == 0) {
all_valid = false;
if (h_invalid_indices && invalid_count < n) {
h_invalid_indices[invalid_count] = i;
}
invalid_count++;
}
}
if (out_invalid_count) *out_invalid_count = invalid_count;
delete[] h_results;
cudaFree(d_results);
cudaFree(d_entries);
return all_valid;
}
} // namespace cuda
} // namespace secp256k1
#endif // !SECP256K1_CUDA_LIMBS_32

500
cuda/include/bip32.cuh Normal file
View File

@ -0,0 +1,500 @@
#pragma once
// ============================================================================
// BIP-32 Hierarchical Deterministic Key Derivation -- CUDA device
// ============================================================================
// Provides GPU-side BIP-32 operations:
// - SHA-512 (streaming + one-shot)
// - HMAC-SHA512
// - Master key from seed
// - Child key derivation (normal + hardened)
// - Path-based derivation
//
// Reference: BIP-32 (https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki)
// ============================================================================
#include "schnorr.cuh" // for scalar_from_bytes, scalar_mul_generator_const, etc.
#include "hash160.cuh" // for hash160_pubkey (BIP-32 fingerprint)
#if !SECP256K1_CUDA_LIMBS_32
namespace secp256k1 {
namespace cuda {
// ============================================================================
// SHA-512 device implementation
// ============================================================================
__device__ __constant__ static const uint64_t SHA512_K[80] = {
0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL,
};
__device__ __forceinline__ uint64_t sha512_rotr(uint64_t x, int n) {
return (x >> n) | (x << (64 - n));
}
struct SHA512Ctx {
uint64_t h[8];
uint8_t buf[128];
uint32_t buf_len;
uint64_t total;
};
__device__ inline void sha512_compress(uint64_t state[8], const uint8_t block[128]) {
uint64_t w[80];
for (int i = 0; i < 16; i++) {
w[i] = 0;
for (int j = 0; j < 8; j++)
w[i] = (w[i] << 8) | block[i * 8 + j];
}
for (int i = 16; i < 80; i++) {
uint64_t s0 = sha512_rotr(w[i-15], 1) ^ sha512_rotr(w[i-15], 8) ^ (w[i-15] >> 7);
uint64_t s1 = sha512_rotr(w[i-2], 19) ^ sha512_rotr(w[i-2], 61) ^ (w[i-2] >> 6);
w[i] = w[i-16] + s0 + w[i-7] + s1;
}
uint64_t a = state[0], b = state[1], c = state[2], d = state[3];
uint64_t e = state[4], f = state[5], g = state[6], hh = state[7];
for (int i = 0; i < 80; i++) {
uint64_t S1 = sha512_rotr(e, 14) ^ sha512_rotr(e, 18) ^ sha512_rotr(e, 41);
uint64_t ch = (e & f) ^ (~e & g);
uint64_t t1 = hh + S1 + ch + SHA512_K[i] + w[i];
uint64_t S0 = sha512_rotr(a, 28) ^ sha512_rotr(a, 34) ^ sha512_rotr(a, 39);
uint64_t maj = (a & b) ^ (a & c) ^ (b & c);
uint64_t t2 = S0 + maj;
hh = g; g = f; f = e; e = d + t1;
d = c; c = b; b = a; a = t1 + t2;
}
state[0] += a; state[1] += b; state[2] += c; state[3] += d;
state[4] += e; state[5] += f; state[6] += g; state[7] += hh;
}
__device__ inline void sha512_init(SHA512Ctx* ctx) {
ctx->h[0] = 0x6a09e667f3bcc908ULL; ctx->h[1] = 0xbb67ae8584caa73bULL;
ctx->h[2] = 0x3c6ef372fe94f82bULL; ctx->h[3] = 0xa54ff53a5f1d36f1ULL;
ctx->h[4] = 0x510e527fade682d1ULL; ctx->h[5] = 0x9b05688c2b3e6c1fULL;
ctx->h[6] = 0x1f83d9abfb41bd6bULL; ctx->h[7] = 0x5be0cd19137e2179ULL;
ctx->buf_len = 0;
ctx->total = 0;
}
__device__ inline void sha512_update(SHA512Ctx* ctx, const uint8_t* data, size_t len) {
ctx->total += len;
size_t offset = 0;
if (ctx->buf_len > 0) {
uint32_t fill = 128 - ctx->buf_len;
uint32_t copy = (len < fill) ? (uint32_t)len : fill;
for (uint32_t i = 0; i < copy; i++) ctx->buf[ctx->buf_len + i] = data[i];
ctx->buf_len += copy;
offset += copy;
if (ctx->buf_len == 128) {
sha512_compress(ctx->h, ctx->buf);
ctx->buf_len = 0;
}
}
while (offset + 128 <= len) {
sha512_compress(ctx->h, data + offset);
offset += 128;
}
while (offset < len) {
ctx->buf[ctx->buf_len++] = data[offset++];
}
}
__device__ inline void sha512_final(SHA512Ctx* ctx, uint8_t out[64]) {
uint64_t bit_len = ctx->total * 8;
ctx->buf[ctx->buf_len++] = 0x80;
if (ctx->buf_len > 112) {
while (ctx->buf_len < 128) ctx->buf[ctx->buf_len++] = 0;
sha512_compress(ctx->h, ctx->buf);
ctx->buf_len = 0;
}
while (ctx->buf_len < 120) ctx->buf[ctx->buf_len++] = 0;
// SHA-512 length is 128-bit big-endian; upper 64 bits are 0 for our use.
for (int i = 0; i < 8; i++) ctx->buf[112 + i] = 0;
for (int i = 7; i >= 0; i--)
ctx->buf[120 + (7 - i)] = (uint8_t)(bit_len >> (i * 8));
sha512_compress(ctx->h, ctx->buf);
for (int i = 0; i < 8; i++) {
for (int j = 0; j < 8; j++)
out[i * 8 + j] = (uint8_t)(ctx->h[i] >> (56 - j * 8));
}
}
// One-shot SHA-512
__device__ inline void sha512(const uint8_t* data, size_t len, uint8_t out[64]) {
SHA512Ctx ctx;
sha512_init(&ctx);
sha512_update(&ctx, data, len);
sha512_final(&ctx, out);
}
// ============================================================================
// HMAC-SHA512
// ============================================================================
__device__ inline void hmac_sha512(
const uint8_t* key, size_t key_len,
const uint8_t* msg, size_t msg_len,
uint8_t out[64])
{
uint8_t k_buf[128];
for (int i = 0; i < 128; i++) k_buf[i] = 0;
if (key_len > 128) {
sha512(key, key_len, k_buf); // k_buf[0..63]=hash, [64..127]=0
} else {
for (size_t i = 0; i < key_len; i++) k_buf[i] = key[i];
}
uint8_t ipad[128], opad[128];
for (int i = 0; i < 128; i++) {
ipad[i] = k_buf[i] ^ 0x36;
opad[i] = k_buf[i] ^ 0x5c;
}
// inner = SHA512(ipad || msg)
SHA512Ctx inner;
sha512_init(&inner);
sha512_update(&inner, ipad, 128);
sha512_update(&inner, msg, msg_len);
uint8_t inner_hash[64];
sha512_final(&inner, inner_hash);
// outer = SHA512(opad || inner_hash)
SHA512Ctx outer;
sha512_init(&outer);
sha512_update(&outer, opad, 128);
sha512_update(&outer, inner_hash, 64);
sha512_final(&outer, out);
}
// ============================================================================
// BIP-32 Extended Key
// ============================================================================
struct ExtendedKeyGPU {
uint8_t key[32]; // Private key (32 bytes) or public key (33 bytes, compressed)
uint8_t chain_code[32]; // Chain code (32 bytes)
uint8_t depth; // 0 for master
uint32_t child_number; // 0 for master
uint8_t parent_fp[4]; // First 4 bytes of parent's Hash160(pubkey)
bool is_private; // true if this is a private extended key
};
// ============================================================================
// BIP-32 Master Key from Seed
// ============================================================================
// Derives master extended key from seed bytes.
// seed_len: typically 16, 32, or 64 bytes.
// Returns false if the derived key is invalid (>= n or == 0).
__device__ inline bool bip32_master_key(
const uint8_t* seed, size_t seed_len,
ExtendedKeyGPU* master)
{
// I = HMAC-SHA512(Key="Bitcoin seed", Data=seed)
const uint8_t btc_seed[] = "Bitcoin seed"; // 12 bytes
uint8_t I[64];
hmac_sha512(btc_seed, 12, seed, seed_len, I);
// IL = I[0..31] = master secret key
// IR = I[32..63] = master chain code
Scalar sk;
if (!scalar_from_bytes_strict_nonzero(I, &sk)) return false;
for (int i = 0; i < 32; i++) master->key[i] = I[i];
for (int i = 0; i < 32; i++) master->chain_code[i] = I[32 + i];
master->depth = 0;
master->child_number = 0;
for (int i = 0; i < 4; i++) master->parent_fp[i] = 0;
master->is_private = true;
return true;
}
// ============================================================================
// BIP-32 Fingerprint (Hash160 of compressed pubkey)
// ============================================================================
// Compute the 4-byte fingerprint of a key: first 4 bytes of Hash160(compressed pubkey).
__device__ inline void bip32_fingerprint(
const ExtendedKeyGPU* xkey,
uint8_t fp[4])
{
// Compute compressed public key
uint8_t compressed[33];
if (xkey->is_private) {
Scalar sk;
scalar_from_bytes(xkey->key, &sk);
JacobianPoint P;
scalar_mul_generator_const(&sk, &P);
point_to_compressed(&P, compressed);
} else {
// For public keys, key[0..32] is already the compressed pubkey
for (int i = 0; i < 33; i++) compressed[i] = xkey->key[i];
}
// Hash160 = RIPEMD160(SHA256(compressed))
uint8_t hash[20];
hash160_pubkey(compressed, 33, hash);
for (int i = 0; i < 4; i++) fp[i] = hash[i];
}
// ============================================================================
// BIP-32 Child Key Derivation
// ============================================================================
// Derive child key from parent. index >= 0x80000000 = hardened.
// Returns false if derived key is invalid.
__device__ inline bool bip32_derive_child(
const ExtendedKeyGPU* parent,
uint32_t index,
ExtendedKeyGPU* child)
{
bool hardened = (index >= 0x80000000U);
// Build HMAC-SHA512 data:
// Hardened: 0x00 || ser256(kpar) || ser32(index) = 37 bytes
// Normal: serP(point(kpar)) || ser32(index) = 37 bytes
uint8_t data[37];
if (hardened) {
if (!parent->is_private) return false; // Can't derive hardened from public
data[0] = 0x00;
for (int i = 0; i < 32; i++) data[1 + i] = parent->key[i];
} else {
// Compressed public key
if (parent->is_private) {
Scalar sk;
scalar_from_bytes(parent->key, &sk);
JacobianPoint P;
scalar_mul_generator_const(&sk, &P);
point_to_compressed(&P, data);
} else {
for (int i = 0; i < 33; i++) data[i] = parent->key[i];
}
}
// Append ser32(index) in big-endian
int data_len = hardened ? 37 : 37;
int idx_off = hardened ? 33 : 33;
data[idx_off + 0] = (uint8_t)(index >> 24);
data[idx_off + 1] = (uint8_t)(index >> 16);
data[idx_off + 2] = (uint8_t)(index >> 8);
data[idx_off + 3] = (uint8_t)(index);
// I = HMAC-SHA512(Key=cpar, Data=data)
uint8_t I[64];
hmac_sha512(parent->chain_code, 32, data, data_len, I);
// IL = I[0..31], IR = I[32..63]
Scalar IL;
scalar_from_bytes(I, &IL);
// Check IL < n
{
Scalar raw;
for (int i = 0; i < 4; i++) {
uint64_t limb = 0;
int base = (3 - i) * 8;
for (int j = 0; j < 8; j++) limb = (limb << 8) | I[base + j];
raw.limbs[i] = limb;
}
if (!scalar_eq(&raw, &IL)) return false; // IL >= n
}
if (parent->is_private) {
// child_key = (IL + kpar) mod n
Scalar kpar;
scalar_from_bytes(parent->key, &kpar);
Scalar child_key;
scalar_add(&IL, &kpar, &child_key);
// Reduce mod n
uint64_t borrow = 0;
uint64_t tmp[4];
for (int i = 0; i < 4; i++) {
unsigned __int128 diff = (unsigned __int128)child_key.limbs[i] - ORDER[i] - borrow;
tmp[i] = (uint64_t)diff;
borrow = (uint64_t)(-(int64_t)(diff >> 64));
}
if (borrow == 0) {
for (int i = 0; i < 4; i++) child_key.limbs[i] = tmp[i];
}
if (scalar_is_zero(&child_key)) return false;
scalar_to_bytes(&child_key, child->key);
child->is_private = true;
} else {
// child_pubkey = point(IL) + Kpar
JacobianPoint IL_point;
scalar_mul_generator_const(&IL, &IL_point);
JacobianPoint Kpar;
if (!point_from_compressed(parent->key, &Kpar)) return false;
JacobianPoint child_pub;
jacobian_add(&IL_point, &Kpar, &child_pub);
if (child_pub.infinity) return false;
point_to_compressed(&child_pub, child->key);
child->is_private = false;
}
for (int i = 0; i < 32; i++) child->chain_code[i] = I[32 + i];
child->depth = parent->depth + 1;
child->child_number = index;
bip32_fingerprint(parent, child->parent_fp);
return true;
}
// Convenience: derive normal (non-hardened) child
__device__ inline bool bip32_derive_normal(
const ExtendedKeyGPU* parent, uint32_t index,
ExtendedKeyGPU* child)
{
return bip32_derive_child(parent, index, child);
}
// Convenience: derive hardened child
__device__ inline bool bip32_derive_hardened(
const ExtendedKeyGPU* parent, uint32_t index,
ExtendedKeyGPU* child)
{
return bip32_derive_child(parent, 0x80000000U | index, child);
}
// ============================================================================
// BIP-32 Public Key from Extended Key
// ============================================================================
// Get the compressed public key from an extended key.
__device__ inline bool bip32_public_key(
const ExtendedKeyGPU* xkey,
uint8_t compressed[33])
{
if (xkey->is_private) {
Scalar sk;
scalar_from_bytes(xkey->key, &sk);
JacobianPoint P;
scalar_mul_generator_const(&sk, &P);
return point_to_compressed(&P, compressed);
} else {
for (int i = 0; i < 33; i++) compressed[i] = xkey->key[i];
return true;
}
}
// ============================================================================
// BIP-32 Serialize (78 bytes, standard format)
// ============================================================================
__device__ inline void bip32_serialize(
const ExtendedKeyGPU* xkey,
bool mainnet,
uint8_t out[78])
{
// Version bytes
uint32_t version;
if (xkey->is_private) {
version = mainnet ? 0x0488ADE4U : 0x04358394U; // xprv / tprv
} else {
version = mainnet ? 0x0488B21EU : 0x043587CFU; // xpub / tpub
}
out[0] = (uint8_t)(version >> 24);
out[1] = (uint8_t)(version >> 16);
out[2] = (uint8_t)(version >> 8);
out[3] = (uint8_t)(version);
// Depth
out[4] = xkey->depth;
// Parent fingerprint
for (int i = 0; i < 4; i++) out[5 + i] = xkey->parent_fp[i];
// Child number (big-endian)
out[9] = (uint8_t)(xkey->child_number >> 24);
out[10] = (uint8_t)(xkey->child_number >> 16);
out[11] = (uint8_t)(xkey->child_number >> 8);
out[12] = (uint8_t)(xkey->child_number);
// Chain code
for (int i = 0; i < 32; i++) out[13 + i] = xkey->chain_code[i];
// Key data
if (xkey->is_private) {
out[45] = 0x00;
for (int i = 0; i < 32; i++) out[46 + i] = xkey->key[i];
} else {
for (int i = 0; i < 33; i++) out[45 + i] = xkey->key[i];
}
}
// ============================================================================
// BIP-32 to_public (convert private extended key to public)
// ============================================================================
__device__ inline bool bip32_to_public(
const ExtendedKeyGPU* xpriv,
ExtendedKeyGPU* xpub)
{
if (!xpriv->is_private) {
*xpub = *xpriv;
return true;
}
Scalar sk;
scalar_from_bytes(xpriv->key, &sk);
JacobianPoint P;
scalar_mul_generator_const(&sk, &P);
if (!point_to_compressed(&P, xpub->key)) return false;
for (int i = 0; i < 32; i++) xpub->chain_code[i] = xpriv->chain_code[i];
xpub->depth = xpriv->depth;
xpub->child_number = xpriv->child_number;
for (int i = 0; i < 4; i++) xpub->parent_fp[i] = xpriv->parent_fp[i];
xpub->is_private = false;
return true;
}
} // namespace cuda
} // namespace secp256k1
#endif // !SECP256K1_CUDA_LIMBS_32

222
cuda/include/ct/ct_field.cuh Normal file
View File

@ -0,0 +1,222 @@
#pragma once
// ============================================================================
// Constant-Time Field Arithmetic -- CUDA Device
// ============================================================================
// Side-channel resistant field operations for secp256k1.
// Uses the same FieldElement type as fast path -- 4x64-bit limbs.
//
// CT guarantees:
// - No secret-dependent branches (branchless add/sub/normalize)
// - No secret-dependent memory access patterns
// - Fixed instruction count for all inputs
//
// The fast::field_mul / fast::field_sqr are inherently CT (fixed Comba/PTX),
// so ct::field_mul / ct::field_sqr just wrap them with a CT normalize.
// field_inv uses Fermat chain a^(p-2) which is CT (fixed exponent).
//
// Port of: cpu/include/secp256k1/ct/field.hpp + cpu/src/ct_field.cpp
// ============================================================================
#include "ct/ct_ops.cuh"
#include "secp256k1.cuh"
namespace secp256k1 {
namespace cuda {
namespace ct {
// --- Internal: branchless 256-bit add/sub ------------------------------------
// CT 256-bit addition with carry out. Returns carry (0 or 1).
__device__ __forceinline__
uint64_t add256(uint64_t r[4], const uint64_t a[4], const uint64_t b[4]) {
uint64_t r0, r1, r2, r3, carry;
#if SECP256K1_USE_PTX
asm volatile(
"add.cc.u64 %0, %5, %9; \n\t"
"addc.cc.u64 %1, %6, %10; \n\t"
"addc.cc.u64 %2, %7, %11; \n\t"
"addc.cc.u64 %3, %8, %12; \n\t"
"addc.u64 %4, 0, 0; \n\t"
: "=l"(r0), "=l"(r1), "=l"(r2), "=l"(r3), "=l"(carry)
: "l"(a[0]), "l"(a[1]), "l"(a[2]), "l"(a[3]),
"l"(b[0]), "l"(b[1]), "l"(b[2]), "l"(b[3])
);
#else
unsigned __int128 sum;
carry = 0;
sum = (unsigned __int128)a[0] + b[0]; r0 = (uint64_t)sum; carry = (uint64_t)(sum >> 64);
sum = (unsigned __int128)a[1] + b[1] + carry; r1 = (uint64_t)sum; carry = (uint64_t)(sum >> 64);
sum = (unsigned __int128)a[2] + b[2] + carry; r2 = (uint64_t)sum; carry = (uint64_t)(sum >> 64);
sum = (unsigned __int128)a[3] + b[3] + carry; r3 = (uint64_t)sum; carry = (uint64_t)(sum >> 64);
#endif
r[0] = r0; r[1] = r1; r[2] = r2; r[3] = r3;
return carry;
}
// CT 256-bit subtraction with borrow out. Returns borrow (0 or 1).
__device__ __forceinline__
uint64_t sub256(uint64_t r[4], const uint64_t a[4], const uint64_t b[4]) {
uint64_t r0, r1, r2, r3, borrow;
#if SECP256K1_USE_PTX
asm volatile(
"sub.cc.u64 %0, %5, %9; \n\t"
"subc.cc.u64 %1, %6, %10; \n\t"
"subc.cc.u64 %2, %7, %11; \n\t"
"subc.cc.u64 %3, %8, %12; \n\t"
"subc.u64 %4, 0, 0; \n\t"
: "=l"(r0), "=l"(r1), "=l"(r2), "=l"(r3), "=l"(borrow)
: "l"(a[0]), "l"(a[1]), "l"(a[2]), "l"(a[3]),
"l"(b[0]), "l"(b[1]), "l"(b[2]), "l"(b[3])
);
// PTX subc.u64 %4,0,0 gives 0xFFFFFFFFFFFFFFFF on borrow, 0 otherwise
borrow &= 1;
#else
unsigned __int128 diff;
borrow = 0;
diff = (unsigned __int128)a[0] - b[0]; r0 = (uint64_t)diff; borrow = (diff >> 127) & 1;
diff = (unsigned __int128)a[1] - b[1] - borrow; r1 = (uint64_t)diff; borrow = (diff >> 127) & 1;
diff = (unsigned __int128)a[2] - b[2] - borrow; r2 = (uint64_t)diff; borrow = (diff >> 127) & 1;
diff = (unsigned __int128)a[3] - b[3] - borrow; r3 = (uint64_t)diff; borrow = (diff >> 127) & 1;
#endif
r[0] = r0; r[1] = r1; r[2] = r2; r[3] = r3;
return borrow;
}
// CT reduce once: if value >= p, subtract p. Uses cmov (no branch).
__device__ __forceinline__
void ct_reduce_field(uint64_t r[4]) {
uint64_t tmp[4];
uint64_t borrow = sub256(tmp, r, MODULUS);
// If borrow == 0, r >= p -> use tmp (reduced). Else keep r.
uint64_t mask = is_zero_mask(borrow); // all-1s if no borrow (r >= p)
cmov256(r, tmp, mask);
}
// --- CT Field Arithmetic (public API) ----------------------------------------
// CT modular addition: r = (a + b) mod p
__device__ __forceinline__
void field_add(const FieldElement* a, const FieldElement* b, FieldElement* r) {
uint64_t tmp[4];
uint64_t carry = add256(tmp, a->limbs, b->limbs);
// Try to subtract p
uint64_t reduced[4];
uint64_t borrow = sub256(reduced, tmp, MODULUS);
// Use reduced if: carry (overflow 256 bits) OR no borrow (tmp >= p)
// Matches fast path logic: if (carry || borrow == 0) use reduced
uint64_t use_reduced = is_nonzero_mask(carry) | is_zero_mask(borrow);
ct_select256(r->limbs, reduced, tmp, use_reduced);
}
// CT modular subtraction: r = (a - b) mod p
__device__ __forceinline__
void field_sub(const FieldElement* a, const FieldElement* b, FieldElement* r) {
uint64_t tmp[4];
uint64_t borrow = sub256(tmp, a->limbs, b->limbs);
// If borrow, add p back. mask = all-1s if borrow occurred.
uint64_t mask = is_nonzero_mask(borrow);
uint64_t corrected[4];
add256(corrected, tmp, MODULUS);
ct_select256(r->limbs, corrected, tmp, mask);
}
// CT modular negation: r = -a mod p
// Always computes p - a; if a == 0, result is 0 (p - 0 overflows to p, reduce)
__device__ __forceinline__
void field_neg(const FieldElement* a, FieldElement* r) {
// p - a is always correct for a in [1, p-1]
// For a == 0: p - 0 = p, which we reduce to 0
uint64_t tmp[4];
sub256(tmp, MODULUS, a->limbs);
// Zero check: if a was 0, tmp == p, need to set to 0
uint64_t a_nz = a->limbs[0] | a->limbs[1] | a->limbs[2] | a->limbs[3];
uint64_t mask = is_nonzero_mask(a_nz);
r->limbs[0] = tmp[0] & mask;
r->limbs[1] = tmp[1] & mask;
r->limbs[2] = tmp[2] & mask;
r->limbs[3] = tmp[3] & mask;
}
// CT modular multiplication: r = (a * b) mod p
// The underlying mul is already fixed-instruction-count.
__device__ __forceinline__
void field_mul(const FieldElement* a, const FieldElement* b, FieldElement* r) {
secp256k1::cuda::field_mul(a, b, r);
}
// CT modular squaring: r = a^2 mod p
__device__ __forceinline__
void field_sqr(const FieldElement* a, FieldElement* r) {
secp256k1::cuda::field_sqr(a, r);
}
// CT modular inverse: r = a^(-1) mod p (Fermat: a^(p-2))
// Fixed add-chain: always same number of mul+sqr regardless of input.
__device__ __forceinline__
void field_inv(const FieldElement* a, FieldElement* r) {
secp256k1::cuda::field_inv(a, r);
}
// CT modular half: r = a/2 mod p
// Already branchless in the fast path (mask-based).
__device__ __forceinline__
void field_half(const FieldElement* a, FieldElement* r) {
secp256k1::cuda::field_half(a, r);
}
// --- CT Field Conditional Operations -----------------------------------------
// CT conditional move: if mask == all-ones, *r = a; else unchanged
__device__ __forceinline__
void field_cmov(FieldElement* r, const FieldElement* a, uint64_t mask) {
cmov256(r->limbs, a->limbs, mask);
}
// CT conditional swap: when mask is all-ones, swaps a and b
__device__ __forceinline__
void field_cswap(FieldElement* a, FieldElement* b, uint64_t mask) {
cswap256(a->limbs, b->limbs, mask);
}
// CT select: returns a if mask==all-ones, else b
__device__ __forceinline__
void field_select(FieldElement* r, const FieldElement* a, const FieldElement* b, uint64_t mask) {
ct_select256(r->limbs, a->limbs, b->limbs, mask);
}
// CT conditional negate: if mask == all-ones, r = -a; else r = a
__device__ __forceinline__
void field_cneg(FieldElement* r, const FieldElement* a, uint64_t mask) {
FieldElement neg;
field_neg(a, &neg);
field_select(r, &neg, a, mask);
}
// --- CT Field Comparisons (mask-based) ---------------------------------------
// Returns all-ones mask if a == 0, else 0.
__device__ __forceinline__
uint64_t field_is_zero(const FieldElement* a) {
uint64_t acc = a->limbs[0] | a->limbs[1] | a->limbs[2] | a->limbs[3];
return is_zero_mask(acc);
}
// Returns all-ones mask if a == b, else 0.
__device__ __forceinline__
uint64_t field_eq(const FieldElement* a, const FieldElement* b) {
uint64_t diff = (a->limbs[0] ^ b->limbs[0]) |
(a->limbs[1] ^ b->limbs[1]) |
(a->limbs[2] ^ b->limbs[2]) |
(a->limbs[3] ^ b->limbs[3]);
return is_zero_mask(diff);
}
// CT normalize: ensure value in [0, p). Branchless.
__device__ __forceinline__
void field_normalize(FieldElement* a) {
ct_reduce_field(a->limbs);
}
} // namespace ct
} // namespace cuda
} // namespace secp256k1

155
cuda/include/ct/ct_ops.cuh Normal file
View File

@ -0,0 +1,155 @@
#pragma once
// ============================================================================
// Constant-Time Primitives -- CUDA Device
// ============================================================================
// GPU-side building blocks for side-channel resistant code.
// Every function has a data-independent execution trace:
// - No secret-dependent branches
// - No secret-dependent memory access patterns
// - Fixed instruction count regardless of input
//
// NOTE: GPU side-channel attack surfaces differ from CPU:
// - No branch predictor state to leak (warp-level SIMT)
// - No cache-timing attacks (unified L2, no per-core L1d)
// - Power/EM analysis requires physical access to GPU
// - Warp divergence IS observable (different warps = different timing)
//
// This CT layer enables:
// 1. Research into GPU side-channel feasibility
// 2. Defense-in-depth for GPU signing workloads
// 3. Parity with CPU CT layer for comparative analysis
//
// Port of: cpu/include/secp256k1/ct/ops.hpp
// ============================================================================
#include <cstdint>
namespace secp256k1 {
namespace cuda {
namespace ct {
// --- Compiler barrier --------------------------------------------------------
// Prevents compiler from optimizing away branchless patterns.
// Uses PTX asm volatile to create optimization barrier on GPU.
__device__ __forceinline__ void value_barrier(uint64_t& v) {
asm volatile("" : "+l"(v));
}
__device__ __forceinline__ void value_barrier(uint32_t& v) {
asm volatile("" : "+r"(v));
}
// --- Mask generation ---------------------------------------------------------
// Returns 0xFFFFFFFFFFFFFFFF if v == 0, else 0x0000000000000000
__device__ __forceinline__ uint64_t is_zero_mask(uint64_t v) {
uint64_t z = v;
value_barrier(z);
// (v | -v) >> 63: 0 if v==0, 1 if v!=0
uint64_t nz = (z | (uint64_t)(-(int64_t)z)) >> 63;
value_barrier(nz);
// nz==0 → we want all-ones; nz==1 → we want 0
return (nz - 1); // 0-1=0xFFF... (zero case), 1-1=0 (nonzero case)
}
// Returns 0xFFFFFFFFFFFFFFFF if v != 0, else 0x0000000000000000
__device__ __forceinline__ uint64_t is_nonzero_mask(uint64_t v) {
return ~is_zero_mask(v);
}
// Returns 0xFFFFFFFFFFFFFFFF if a == b, else 0x0000000000000000
__device__ __forceinline__ uint64_t eq_mask(uint64_t a, uint64_t b) {
return is_zero_mask(a ^ b);
}
// Convert bool/flag to mask: 0 -> 0, nonzero -> 0xFFFF...
__device__ __forceinline__ uint64_t bool_to_mask(uint64_t flag) {
uint64_t f = flag;
value_barrier(f);
return -(uint64_t)(f != 0);
}
// Unsigned less-than: returns all-ones if a < b, else 0
__device__ __forceinline__ uint64_t lt_mask(uint64_t a, uint64_t b) {
// a < b iff (a - b) borrows, i.e., high bit of (a - b) when a < b
// For unsigned: a < b iff MSB of (a ^ ((a ^ b) | ((a - b) ^ a))) is set
// Simpler: use the borrow from subtraction
uint64_t diff = a - b;
// Borrow occurs when a < b: borrow = (a < b) ? 1 : 0
// borrow = ((~a & b) | ((~(a ^ b)) & diff)) >> 63
uint64_t borrow = ((~a & b) | (~(a ^ b) & diff)) >> 63;
value_barrier(borrow);
return -borrow; // 0xFFF... if a < b, else 0
}
// --- Conditional operations --------------------------------------------------
// CT conditional move (64-bit): if mask is all-1s, *dst = src; else unchanged
__device__ __forceinline__ void cmov64(uint64_t* dst, uint64_t src, uint64_t mask) {
uint64_t m = mask;
value_barrier(m);
*dst ^= ((*dst ^ src) & m);
}
// CT conditional move (256-bit / 4 limbs)
__device__ __forceinline__ void cmov256(uint64_t dst[4], const uint64_t src[4], uint64_t mask) {
uint64_t m = mask;
value_barrier(m);
dst[0] ^= ((dst[0] ^ src[0]) & m);
dst[1] ^= ((dst[1] ^ src[1]) & m);
dst[2] ^= ((dst[2] ^ src[2]) & m);
dst[3] ^= ((dst[3] ^ src[3]) & m);
}
// CT conditional swap (256-bit): if mask is all-1s, swap a and b
__device__ __forceinline__ void cswap256(uint64_t a[4], uint64_t b[4], uint64_t mask) {
uint64_t m = mask;
value_barrier(m);
for (int i = 0; i < 4; i++) {
uint64_t x = (a[i] ^ b[i]) & m;
a[i] ^= x;
b[i] ^= x;
}
}
// CT select: returns a if mask == all-ones, else b
__device__ __forceinline__ uint64_t ct_select(uint64_t a, uint64_t b, uint64_t mask) {
uint64_t m = mask;
value_barrier(m);
return (a & m) | (b & ~m);
}
// CT 256-bit select: copies a if mask, else b, into dst
__device__ __forceinline__ void ct_select256(uint64_t dst[4],
const uint64_t a[4],
const uint64_t b[4],
uint64_t mask) {
uint64_t m = mask;
value_barrier(m);
dst[0] = (a[0] & m) | (b[0] & ~m);
dst[1] = (a[1] & m) | (b[1] & ~m);
dst[2] = (a[2] & m) | (b[2] & ~m);
dst[3] = (a[3] & m) | (b[3] & ~m);
}
// CT table lookup: scans ALL entries, returns entry at `index`.
// Always reads every entry (no secret-dependent memory pattern).
// table: array of 4-limb (256-bit) entries, `count` entries total.
__device__ inline void ct_lookup_256(const uint64_t table[][4],
int count,
int index,
uint64_t out[4]) {
out[0] = 0; out[1] = 0; out[2] = 0; out[3] = 0;
for (int i = 0; i < count; i++) {
uint64_t m = eq_mask((uint64_t)i, (uint64_t)index);
out[0] |= (table[i][0] & m);
out[1] |= (table[i][1] & m);
out[2] |= (table[i][2] & m);
out[3] |= (table[i][3] & m);
}
}
} // namespace ct
} // namespace cuda
} // namespace secp256k1

524
cuda/include/ct/ct_point.cuh Normal file
View File

@ -0,0 +1,524 @@
#pragma once
// ============================================================================
// Constant-Time Point Arithmetic -- CUDA Device
// ============================================================================
// Side-channel resistant point operations for secp256k1.
//
// Key features:
// - Brier-Joye complete addition (11M+6S Jac+Jac, 7M+5S Jac+Aff)
// - Handles ALL cases: P+Q, P+P, P+O, O+Q, P+(-P)=O
// - Mask-based infinity flag (uint64_t, not bool)
// - CT table lookup (scans ALL entries)
// - CT generator_mul (fixed-trace, signed-digit comb)
// - CT scalar_mul (GLV + Hamburg wNAF, fixed-trace)
//
// Port of: cpu/include/secp256k1/ct/point.hpp + cpu/src/ct_point.cpp
// ============================================================================
#include "ct/ct_scalar.cuh"
namespace secp256k1 {
namespace cuda {
namespace ct {
// --- CT Point Types ----------------------------------------------------------
// Jacobian point with mask-based infinity flag (not bool)
struct CTJacobianPoint {
FieldElement x;
FieldElement y;
FieldElement z;
uint64_t infinity; // 0 = normal, 0xFFFF... = point at infinity
};
// Affine point with mask-based infinity flag
struct CTAffinePoint {
FieldElement x;
FieldElement y;
uint64_t infinity; // 0 = normal, 0xFFFF... = point at infinity
};
// --- CT Point Utilities ------------------------------------------------------
__device__ __forceinline__
void ct_point_set_infinity(CTJacobianPoint* p) {
field_set_zero(&p->x);
field_set_zero(&p->y);
field_set_zero(&p->z);
p->infinity = ~(uint64_t)0;
}
__device__ __forceinline__
CTJacobianPoint ct_point_from_jacobian(const JacobianPoint* p) {
CTJacobianPoint r;
r.x = p->x; r.y = p->y; r.z = p->z;
r.infinity = bool_to_mask((uint64_t)p->infinity);
return r;
}
__device__ __forceinline__
JacobianPoint ct_point_to_jacobian(const CTJacobianPoint* p) {
JacobianPoint r;
r.x = p->x; r.y = p->y; r.z = p->z;
r.infinity = (p->infinity != 0);
return r;
}
__device__ __forceinline__
CTJacobianPoint ct_point_from_affine(const CTAffinePoint* a) {
CTJacobianPoint r;
r.x = a->x; r.y = a->y;
field_set_one(&r.z);
r.infinity = a->infinity;
return r;
}
// CT conditional move for CT Jacobian points
__device__ __forceinline__
void ct_point_cmov(CTJacobianPoint* r, const CTJacobianPoint* a, uint64_t mask) {
cmov256(r->x.limbs, a->x.limbs, mask);
cmov256(r->y.limbs, a->y.limbs, mask);
cmov256(r->z.limbs, a->z.limbs, mask);
cmov64(&r->infinity, a->infinity, mask);
}
// CT conditional move for CT Affine points
__device__ __forceinline__
void ct_aff_cmov(CTAffinePoint* r, const CTAffinePoint* a, uint64_t mask) {
cmov256(r->x.limbs, a->x.limbs, mask);
cmov256(r->y.limbs, a->y.limbs, mask);
cmov64(&r->infinity, a->infinity, mask);
}
// CT conditional negate Y
__device__ __forceinline__
void ct_point_cneg_y(CTAffinePoint* p, uint64_t mask) {
FieldElement neg_y;
secp256k1::cuda::field_negate(&p->y, &neg_y);
cmov256(p->y.limbs, neg_y.limbs, mask);
}
// CT table lookup for affine points: scans ALL entries
__device__ inline
void ct_affine_table_lookup(const CTAffinePoint* table, int count,
int index, CTAffinePoint* out) {
out->x.limbs[0] = 0; out->x.limbs[1] = 0;
out->x.limbs[2] = 0; out->x.limbs[3] = 0;
out->y.limbs[0] = 0; out->y.limbs[1] = 0;
out->y.limbs[2] = 0; out->y.limbs[3] = 0;
out->infinity = 0;
for (int i = 0; i < count; i++) {
uint64_t m = eq_mask((uint64_t)i, (uint64_t)index);
out->x.limbs[0] |= (table[i].x.limbs[0] & m);
out->x.limbs[1] |= (table[i].x.limbs[1] & m);
out->x.limbs[2] |= (table[i].x.limbs[2] & m);
out->x.limbs[3] |= (table[i].x.limbs[3] & m);
out->y.limbs[0] |= (table[i].y.limbs[0] & m);
out->y.limbs[1] |= (table[i].y.limbs[1] & m);
out->y.limbs[2] |= (table[i].y.limbs[2] & m);
out->y.limbs[3] |= (table[i].y.limbs[3] & m);
out->infinity |= (table[i].infinity & m);
}
}
// --- CT Point Doubling (4M + 4S + 2add + 2sub) --------------------------------
// Standard Jacobian doubling (same formula as fast path's jacobian_double).
// Handles identity via cmov.
__device__ inline
void ct_point_dbl(const CTJacobianPoint* p, CTJacobianPoint* r) {
using namespace secp256k1::cuda;
FieldElement S, M, X3, Y3, Z3, YY, YYYY, t1;
// YY = Y^2
field_sqr(&p->y, &YY);
// S = 4*X*Y^2
field_mul(&p->x, &YY, &S);
field_add(&S, &S, &S);
field_add(&S, &S, &S);
// M = 3*X^2
field_sqr(&p->x, &M);
field_add(&M, &M, &t1); // t1 = 2*X^2
field_add(&M, &t1, &M); // M = 3*X^2
// X3 = M^2 - 2*S
field_sqr(&M, &X3);
field_add(&S, &S, &t1); // t1 = 2*S
field_sub(&X3, &t1, &X3);
// YYYY = Y^4
field_sqr(&YY, &YYYY);
// Y3 = M*(S - X3) - 8*Y^4
field_add(&YYYY, &YYYY, &t1); // 2*Y^4
field_add(&t1, &t1, &t1); // 4*Y^4
field_add(&t1, &t1, &t1); // 8*Y^4
field_sub(&S, &X3, &S); // S - X3 (reuse S)
field_mul(&M, &S, &Y3); // M*(S - X3)
field_sub(&Y3, &t1, &Y3); // Y3 final
// Z3 = 2*Y*Z
field_mul(&p->y, &p->z, &Z3);
field_add(&Z3, &Z3, &Z3);
r->x = X3;
r->y = Y3;
r->z = Z3;
r->infinity = p->infinity;
// If input was infinity, cmov to identity
CTJacobianPoint inf;
ct_point_set_infinity(&inf);
ct_point_cmov(r, &inf, p->infinity);
}
// --- CT Complete Addition (Jac + Aff, Brier-Joye, 7M + 5S) ------------------
// Handles ALL cases in ONE codepath: P+Q, P+P (doubling), P+O, O+Q, P+(-P)=O
__device__ inline
void ct_point_add_mixed(const CTJacobianPoint* p, const CTAffinePoint* q,
CTJacobianPoint* r) {
using namespace secp256k1::cuda;
// ZZ = Z1^2
FieldElement zz;
field_sqr(&p->z, &zz);
// U1 = X1, U2 = q.x * ZZ
FieldElement u1, u2;
u1 = p->x;
field_mul(&q->x, &zz, &u2);
// S1 = Y1, S2 = q.y * ZZ * Z1
FieldElement s1, s2;
s1 = p->y;
FieldElement zzz;
field_mul(&zz, &p->z, &zzz);
field_mul(&q->y, &zzz, &s2);
// T = U1 + U2
FieldElement t;
field_add(&u1, &u2, &t);
// M = S1 + S2
FieldElement m;
field_add(&s1, &s2, &m);
// R = T^2 - U1*U2
FieldElement t_sq, u1u2, rr;
field_sqr(&t, &t_sq);
field_mul(&u1, &u2, &u1u2);
field_sub(&t_sq, &u1u2, &rr);
// Degenerate check: M == 0 means P == -Q (doubling case)
uint64_t m_is_zero = ct::field_is_zero(&m);
// Ralt = degen ? 2*S1 : R
FieldElement ralt, s1_2;
field_add(&s1, &s1, &s1_2);
ct_select256(ralt.limbs, s1_2.limbs, rr.limbs, m_is_zero);
// Malt = degen ? U1-U2 : M
FieldElement malt, u1_u2;
field_sub(&u1, &u2, &u1_u2);
ct_select256(malt.limbs, u1_u2.limbs, m.limbs, m_is_zero);
// N = Malt^2
FieldElement n;
field_sqr(&malt, &n);
// Q_ = -T * N
FieldElement q_;
field_mul(&t, &n, &q_);
field_negate(&q_, &q_);
// N = N^2 (reuse N)
FieldElement nn;
field_sqr(&n, &nn);
// X3 = Ralt^2 + Q_
FieldElement x3;
field_sqr(&ralt, &x3);
field_add(&x3, &q_, &x3);
// Z3 = Malt * Z1
FieldElement z3;
field_mul(&malt, &p->z, &z3);
// Y3 = -(Ralt * (2*X3 + Q_) + N) / 2
FieldElement x3_2, y3_tmp, y3;
field_add(&x3, &x3, &x3_2);
field_add(&x3_2, &q_, &y3_tmp);
field_mul(&ralt, &y3_tmp, &y3);
field_add(&y3, &nn, &y3);
field_negate(&y3, &y3);
field_half(&y3, &y3);
r->x = x3;
r->y = y3;
r->z = z3;
r->infinity = 0;
// Check Z3 == 0 (means P + (-P) = O)
uint64_t z3_zero = ct::field_is_zero(&z3);
r->infinity = z3_zero;
// If P was infinity, result = Q (as Jacobian)
CTJacobianPoint q_jac;
q_jac.x = q->x; q_jac.y = q->y;
field_set_one(&q_jac.z);
q_jac.infinity = q->infinity;
ct_point_cmov(r, &q_jac, p->infinity);
// If Q was infinity, result = P
ct_point_cmov(r, p, q->infinity);
}
// --- CT Complete Addition (Jac + Jac, Brier-Joye, 11M + 6S) -----------------
__device__ inline
void ct_point_add(const CTJacobianPoint* p, const CTJacobianPoint* q,
CTJacobianPoint* r) {
using namespace secp256k1::cuda;
// Z1Z1 = Z1^2, Z2Z2 = Z2^2
FieldElement z1z1, z2z2;
field_sqr(&p->z, &z1z1);
field_sqr(&q->z, &z2z2);
// U1 = X1 * Z2Z2, U2 = X2 * Z1Z1
FieldElement u1, u2;
field_mul(&p->x, &z2z2, &u1);
field_mul(&q->x, &z1z1, &u2);
// S1 = Y1 * Z2Z2 * Z2, S2 = Y2 * Z1Z1 * Z1
FieldElement s1, s2, z2z2z2, z1z1z1;
field_mul(&z2z2, &q->z, &z2z2z2);
field_mul(&p->y, &z2z2z2, &s1);
field_mul(&z1z1, &p->z, &z1z1z1);
field_mul(&q->y, &z1z1z1, &s2);
// Z = Z1 * Z2
FieldElement z;
field_mul(&p->z, &q->z, &z);
// T = U1 + U2
FieldElement t;
field_add(&u1, &u2, &t);
// M = S1 + S2
FieldElement m;
field_add(&s1, &s2, &m);
// R = T^2 - U1*U2
FieldElement t_sq, u1u2, rr;
field_sqr(&t, &t_sq);
field_mul(&u1, &u2, &u1u2);
field_sub(&t_sq, &u1u2, &rr);
// Degenerate check
uint64_t m_is_zero = ct::field_is_zero(&m);
FieldElement ralt, s1_2;
field_add(&s1, &s1, &s1_2);
ct_select256(ralt.limbs, s1_2.limbs, rr.limbs, m_is_zero);
FieldElement malt, u1_u2;
field_sub(&u1, &u2, &u1_u2);
ct_select256(malt.limbs, u1_u2.limbs, m.limbs, m_is_zero);
FieldElement n;
field_sqr(&malt, &n);
FieldElement q_;
field_mul(&t, &n, &q_);
field_negate(&q_, &q_);
FieldElement nn;
field_sqr(&n, &nn);
FieldElement x3;
field_sqr(&ralt, &x3);
field_add(&x3, &q_, &x3);
// Z3 = Z * Malt (note: Z = Z1*Z2, not just Z1)
FieldElement z3;
field_mul(&z, &malt, &z3);
FieldElement x3_2, y3_tmp, y3;
field_add(&x3, &x3, &x3_2);
field_add(&x3_2, &q_, &y3_tmp);
field_mul(&ralt, &y3_tmp, &y3);
field_add(&y3, &nn, &y3);
field_negate(&y3, &y3);
field_half(&y3, &y3);
r->x = x3;
r->y = y3;
r->z = z3;
r->infinity = 0;
uint64_t z3_zero = ct::field_is_zero(&z3);
r->infinity = z3_zero;
ct_point_cmov(r, q, p->infinity);
ct_point_cmov(r, p, q->infinity);
}
// --- CT Point Negation -------------------------------------------------------
__device__ __forceinline__
void ct_point_neg(const CTJacobianPoint* p, CTJacobianPoint* r) {
r->x = p->x;
secp256k1::cuda::field_negate(&p->y, &r->y);
r->z = p->z;
r->infinity = p->infinity;
}
// --- CT Scalar Multiplication: k*P (GLV + fixed-window, CT) ------------------
// Uses CT complete addition, CT table lookups.
// Cost: ~128 doublings + ~64 mixed additions (CT complete)
__device__ inline
void ct_scalar_mul(const JacobianPoint* p_in, const Scalar* k,
JacobianPoint* r_out) {
using namespace secp256k1::cuda;
// Convert to CT types
CTJacobianPoint p = ct_point_from_jacobian(p_in);
// GLV decompose (CT version)
CTGLVDecomposition glv = ct_glv_decompose(k);
// Build precomputed table: odd multiples [1P, 3P, 5P, 7P, ..., 15P]
// Window width w=4 for CT: 8 table entries
constexpr int TABLE_SIZE = 8;
CTAffinePoint table_a[TABLE_SIZE];
CTAffinePoint table_b[TABLE_SIZE]; // endomorphism table (beta)
// Table[0] = P (affine)
{
FieldElement z_inv, z_inv2, z_inv3;
field_inv(&p.z, &z_inv);
field_sqr(&z_inv, &z_inv2);
field_mul(&z_inv, &z_inv2, &z_inv3);
field_mul(&p.x, &z_inv2, &table_a[0].x);
field_mul(&p.y, &z_inv3, &table_a[0].y);
table_a[0].infinity = p.infinity;
}
// Build remaining odd multiples via complete additions
// 2P (Jacobian)
CTJacobianPoint dbl;
ct_point_dbl(&p, &dbl);
// Convert 2P to affine for mixed adds
CTAffinePoint dbl_aff;
{
FieldElement z_inv, z_inv2, z_inv3;
field_inv(&dbl.z, &z_inv);
field_sqr(&z_inv, &z_inv2);
field_mul(&z_inv, &z_inv2, &z_inv3);
field_mul(&dbl.x, &z_inv2, &dbl_aff.x);
field_mul(&dbl.y, &z_inv3, &dbl_aff.y);
dbl_aff.infinity = dbl.infinity;
}
// table[i] = (2i+1)*P via accumulation
CTJacobianPoint acc = p;
for (int i = 1; i < TABLE_SIZE; i++) {
ct_point_add_mixed(&acc, &dbl_aff, &acc);
// Convert to affine
FieldElement z_inv, z_inv2, z_inv3;
field_inv(&acc.z, &z_inv);
field_sqr(&z_inv, &z_inv2);
field_mul(&z_inv, &z_inv2, &z_inv3);
field_mul(&acc.x, &z_inv2, &table_a[i].x);
field_mul(&acc.y, &z_inv3, &table_a[i].y);
table_a[i].infinity = acc.infinity;
}
// Build endomorphism table: beta * X, same Y (or negated if k2_neg)
// phi(P) = (beta*x, y) on secp256k1
FieldElement beta;
for (int i = 0; i < 4; i++) beta.limbs[i] = BETA[i];
for (int i = 0; i < TABLE_SIZE; i++) {
field_mul(&table_a[i].x, &beta, &table_b[i].x);
table_b[i].y = table_a[i].y;
table_b[i].infinity = table_a[i].infinity;
}
// Conditionally negate tables based on GLV sign
for (int i = 0; i < TABLE_SIZE; i++) {
ct_point_cneg_y(&table_a[i], glv.k1_neg);
ct_point_cneg_y(&table_b[i], glv.k2_neg);
}
// Bit-by-bit double-and-add with CT table lookup
// Process k1 and k2 (~128 bits each), fixed 128 iterations
CTJacobianPoint result;
ct_point_set_infinity(&result);
// Process bit-by-bit (simplest CT approach: fixed 128 iterations)
// Each iteration: double + conditionally add from k1 table + conditionally add from k2 table
for (int i = 127; i >= 0; --i) {
// Always double
ct_point_dbl(&result, &result);
// k1 bit
uint64_t b1 = ct::scalar_bit(&glv.k1, i);
uint64_t m1 = bool_to_mask(b1);
CTAffinePoint entry1;
entry1.x = table_a[0].x;
entry1.y = table_a[0].y;
entry1.infinity = 0;
// Add P if bit is set (CT: always compute add, cmov result)
CTJacobianPoint with_add1;
ct_point_add_mixed(&result, &entry1, &with_add1);
ct_point_cmov(&result, &with_add1, m1);
// k2 bit
uint64_t b2 = ct::scalar_bit(&glv.k2, i);
uint64_t m2 = bool_to_mask(b2);
CTAffinePoint entry2;
entry2.x = table_b[0].x;
entry2.y = table_b[0].y;
entry2.infinity = 0;
CTJacobianPoint with_add2;
ct_point_add_mixed(&result, &entry2, &with_add2);
ct_point_cmov(&result, &with_add2, m2);
}
*r_out = ct_point_to_jacobian(&result);
}
// --- CT Generator Multiplication: k*G (fixed-base comb, CT) ------------------
// Uses a precomputed table (loaded at init time) and signed-digit comb method.
// Falls back to ct_scalar_mul(G, k) if no precomputed table is available.
__device__ inline
void ct_generator_mul(const Scalar* k, JacobianPoint* r_out) {
using namespace secp256k1::cuda;
// Use the standard generator point G
JacobianPoint G;
for (int i = 0; i < 4; i++) {
G.x.limbs[i] = GENERATOR_X[i];
G.y.limbs[i] = GENERATOR_Y[i];
}
field_set_one(&G.z);
G.infinity = false;
// For now, delegate to ct_scalar_mul which is fully constant-time
// A comb-based generator_mul with precomputed table would be faster
// but requires a global precomputed table (like the CPU version's 352-point table)
ct_scalar_mul(&G, k, r_out);
}
} // namespace ct
} // namespace cuda
} // namespace secp256k1

305
cuda/include/ct/ct_scalar.cuh Normal file
View File

@ -0,0 +1,305 @@
#pragma once
// ============================================================================
// Constant-Time Scalar Arithmetic -- CUDA Device
// ============================================================================
// Side-channel resistant scalar operations for secp256k1 curve order.
// Uses the same Scalar type as fast path -- 4x64-bit limbs.
//
// CT guarantees:
// - No secret-dependent branches
// - No secret-dependent memory access patterns
// - Fixed instruction count for all inputs
//
// Port of: cpu/include/secp256k1/ct/scalar.hpp + cpu/src/ct_scalar.cpp
// ============================================================================
#include "ct/ct_ops.cuh"
#include "ct/ct_field.cuh"
namespace secp256k1 {
namespace cuda {
namespace ct {
// n/2 for is_high check
__device__ __constant__ static const uint64_t HALF_ORDER[4] = {
0xDFE92F46681B20A0ULL, 0x5D576E7357A4501DULL,
0xFFFFFFFFFFFFFFFFULL, 0x7FFFFFFFFFFFFFFFULL
};
// --- Internal: branchless 256-bit ops with ORDER ----------------------------
// CT reduce once mod n: if value >= n, subtract n. Uses cmov.
__device__ __forceinline__
void ct_reduce_order(uint64_t r[4]) {
uint64_t tmp[4];
uint64_t borrow = sub256(tmp, r, ORDER);
uint64_t mask = is_zero_mask(borrow); // all-1s if no borrow (r >= n)
cmov256(r, tmp, mask);
}
// --- CT Scalar Arithmetic (public API) ---------------------------------------
// CT modular addition: r = (a + b) mod n
__device__ __forceinline__
void scalar_add(const Scalar* a, const Scalar* b, Scalar* r) {
uint64_t tmp[4];
uint64_t carry = add256(tmp, a->limbs, b->limbs);
uint64_t reduced[4];
uint64_t borrow = sub256(reduced, tmp, ORDER);
// Use reduced if carry occurred OR no borrow (tmp >= n)
uint64_t use_reduced = is_nonzero_mask(carry) | is_zero_mask(borrow);
ct_select256(r->limbs, reduced, tmp, use_reduced);
}
// CT modular subtraction: r = (a - b) mod n
__device__ __forceinline__
void scalar_sub(const Scalar* a, const Scalar* b, Scalar* r) {
uint64_t tmp[4];
uint64_t borrow = sub256(tmp, a->limbs, b->limbs);
uint64_t mask = is_nonzero_mask(borrow);
uint64_t corrected[4];
add256(corrected, tmp, ORDER);
ct_select256(r->limbs, corrected, tmp, mask);
}
// CT modular negation: r = -a mod n (branchless)
// Reuses the existing fast-path implementation which is already branchless.
__device__ __forceinline__
void scalar_neg(const Scalar* a, Scalar* r) {
uint64_t tmp[4];
sub256(tmp, ORDER, a->limbs);
uint64_t nz = a->limbs[0] | a->limbs[1] | a->limbs[2] | a->limbs[3];
uint64_t mask = is_nonzero_mask(nz);
r->limbs[0] = tmp[0] & mask;
r->limbs[1] = tmp[1] & mask;
r->limbs[2] = tmp[2] & mask;
r->limbs[3] = tmp[3] & mask;
}
// CT modular halving: r = a/2 mod n
// Already branchless in fast path (mask-based parity handling).
__device__ __forceinline__
void scalar_half(const Scalar* a, Scalar* r) {
secp256k1::cuda::scalar_half(a, r);
}
// CT modular multiplication: r = (a * b) mod n
// Schoolbook 4x4 + Barrett reduction is fixed-instruction-count.
__device__ __forceinline__
void scalar_mul(const Scalar* a, const Scalar* b, Scalar* r) {
secp256k1::cuda::scalar_mul_mod_n(a, b, r);
}
// CT modular squaring: r = a^2 mod n
__device__ __forceinline__
void scalar_sqr(const Scalar* a, Scalar* r) {
secp256k1::cuda::scalar_sqr_mod_n(a, r);
}
// CT modular inverse: r = a^(-1) mod n (Fermat: a^(n-2))
// Fixed add-chain: always multiply regardless of bit value.
// Slower than fast-path but constant-time.
__device__ inline void scalar_inverse(const Scalar* a, Scalar* r) {
Scalar result;
result.limbs[0] = 1; result.limbs[1] = 0;
result.limbs[2] = 0; result.limbs[3] = 0;
Scalar base = *a;
for (int i = 255; i >= 0; --i) {
Scalar sqrd;
scalar_sqr(&result, &sqrd);
// Always compute the multiply
Scalar mulled;
scalar_mul(&sqrd, &base, &mulled);
// CT select: if bit is set, use mulled; else use sqrd
int limb_idx = i / 64;
int bit_idx = i % 64;
uint64_t bit = (ORDER_MINUS_2[limb_idx] >> bit_idx) & 1;
uint64_t mask = bool_to_mask(bit);
ct_select256(result.limbs, mulled.limbs, sqrd.limbs, mask);
}
*r = result;
}
// --- CT Scalar Conditional Operations ----------------------------------------
// CT conditional move: if mask == all-ones, *r = a
__device__ __forceinline__
void scalar_cmov(Scalar* r, const Scalar* a, uint64_t mask) {
cmov256(r->limbs, a->limbs, mask);
}
// CT conditional swap: when mask is all-ones, swaps a and b
__device__ __forceinline__
void scalar_cswap(Scalar* a, Scalar* b, uint64_t mask) {
cswap256(a->limbs, b->limbs, mask);
}
// CT select: if mask == all-ones, r = a; else r = b
__device__ __forceinline__
void scalar_select(Scalar* r, const Scalar* a, const Scalar* b, uint64_t mask) {
ct_select256(r->limbs, a->limbs, b->limbs, mask);
}
// CT conditional negate: if mask == all-ones, r = -a; else r = a
__device__ __forceinline__
void scalar_cneg(Scalar* r, const Scalar* a, uint64_t mask) {
Scalar neg;
scalar_neg(a, &neg);
scalar_select(r, &neg, a, mask);
}
// --- CT Scalar Comparisons (mask-based, not bool) ----------------------------
// Returns all-ones mask if a == 0, else 0
__device__ __forceinline__
uint64_t scalar_is_zero(const Scalar* a) {
uint64_t acc = a->limbs[0] | a->limbs[1] | a->limbs[2] | a->limbs[3];
return is_zero_mask(acc);
}
// Returns all-ones mask if a == b, else 0
__device__ __forceinline__
uint64_t scalar_eq(const Scalar* a, const Scalar* b) {
uint64_t diff = (a->limbs[0] ^ b->limbs[0]) |
(a->limbs[1] ^ b->limbs[1]) |
(a->limbs[2] ^ b->limbs[2]) |
(a->limbs[3] ^ b->limbs[3]);
return is_zero_mask(diff);
}
// Returns all-ones mask if a > n/2, else 0 (CT, no early-exit)
__device__ __forceinline__
uint64_t scalar_is_high(const Scalar* a) {
// Compare a > HALF_ORDER lexicographically from high to low
// Result is the OR of all "a[i] > half[i]" while all higher limbs are equal
uint64_t gt = 0; // accumulated "greater than"
uint64_t eq_so_far = ~(uint64_t)0; // all equal so far (all-ones)
for (int i = 3; i >= 0; --i) {
uint64_t a_gt_h = lt_mask(HALF_ORDER[i], a->limbs[i]); // half < a => a > half
uint64_t a_eq_h = eq_mask(a->limbs[i], HALF_ORDER[i]);
gt |= (a_gt_h & eq_so_far); // this limb is greater AND all above were equal
eq_so_far &= a_eq_h;
}
return gt;
}
// --- CT Bit Access -----------------------------------------------------------
// Returns bit at position 'index' (0 = LSB). CT (always same computation).
__device__ __forceinline__
uint64_t scalar_bit(const Scalar* a, int index) {
int limb_idx = index >> 6;
int bit_idx = index & 63;
uint64_t result = (a->limbs[limb_idx] >> bit_idx) & 1;
return result;
}
// Returns w-bit window at position 'pos' (0 = LSB). CT.
__device__ __forceinline__
uint64_t scalar_window(const Scalar* a, int pos, int width) {
int limb_idx = pos >> 6;
int bit_pos = pos & 63;
uint64_t mask_w = ((uint64_t)1 << width) - 1;
uint64_t result = (a->limbs[limb_idx] >> bit_pos) & mask_w;
// Handle case where window spans two limbs
int remaining = 64 - bit_pos;
if (remaining < width && limb_idx < 3) {
uint64_t extra = a->limbs[limb_idx + 1] & (((uint64_t)1 << (width - remaining)) - 1);
result |= (extra << remaining);
}
return result;
}
// --- CT ECDSA Low-S Normalize ------------------------------------------------
// CT low-S normalization: if s > n/2 return n-s, else return s.
// Branchless comparison + conditional negate.
__device__ __forceinline__
void scalar_normalize_low_s(Scalar* s) {
uint64_t high = scalar_is_high(s);
Scalar neg;
scalar_neg(s, &neg);
scalar_cmov(s, &neg, high);
}
// --- CT GLV Decompose --------------------------------------------------------
struct CTGLVDecomposition {
Scalar k1, k2;
uint64_t k1_neg; // all-ones mask if negated, 0 otherwise
uint64_t k2_neg;
};
// CT GLV decomposition: k = k1 + k2*lambda (mod n)
// No branches on k value. Uses CT comparison for sign selection.
__device__ inline CTGLVDecomposition ct_glv_decompose(const Scalar* k) {
CTGLVDecomposition result;
// Step 1: c1 = round(k * g1 / 2^384), c2 = round(k * g2 / 2^384)
uint64_t c1_limbs[4], c2_limbs[4];
mul_shift_384(k->limbs, GLV_G1, c1_limbs);
mul_shift_384(k->limbs, GLV_G2, c2_limbs);
Scalar c1, c2;
for (int i = 0; i < 4; i++) {
c1.limbs[i] = c1_limbs[i];
c2.limbs[i] = c2_limbs[i];
}
// CT normalize
ct_reduce_order(c1.limbs);
ct_reduce_order(c2.limbs);
// Step 2: k2 = c1*(-b1) + c2*(-b2) (mod n)
Scalar minus_b1, minus_b2;
for (int i = 0; i < 4; i++) {
minus_b1.limbs[i] = GLV_MINUS_B1[i];
minus_b2.limbs[i] = GLV_MINUS_B2[i];
}
Scalar t1, t2, k2_mod;
scalar_mul(&c1, &minus_b1, &t1);
scalar_mul(&c2, &minus_b2, &t2);
scalar_add(&t1, &t2, &k2_mod);
// Step 3: CT pick shorter representation for k2
Scalar k2_neg_val;
scalar_neg(&k2_mod, &k2_neg_val);
// CT comparison: is_high(k2_mod) means k2_mod > n/2, so negation is shorter
uint64_t k2_is_neg = scalar_is_high(&k2_mod);
Scalar k2_abs;
scalar_select(&k2_abs, &k2_neg_val, &k2_mod, k2_is_neg);
// k2_signed = k2_is_neg ? -k2_abs : k2_abs = k2_is_neg ? k2_mod : k2_mod
// Actually: k2_signed = k2_mod always (the sign just tells us which form to use)
Scalar k2_signed = k2_mod;
// Step 4: k1 = k - lambda*k2_signed (mod n)
Scalar lambda_s;
for (int i = 0; i < 4; i++) lambda_s.limbs[i] = LAMBDA[i];
Scalar lk2;
scalar_mul(&lambda_s, &k2_signed, &lk2);
Scalar k1_mod;
scalar_sub(k, &lk2, &k1_mod);
// Step 5: CT pick shorter representation for k1
Scalar k1_neg_val;
scalar_neg(&k1_mod, &k1_neg_val);
uint64_t k1_is_neg = scalar_is_high(&k1_mod);
Scalar k1_abs;
scalar_select(&k1_abs, &k1_neg_val, &k1_mod, k1_is_neg);
result.k1 = k1_abs;
result.k2 = k2_abs;
result.k1_neg = k1_is_neg;
result.k2_neg = k2_is_neg;
return result;
}
} // namespace ct
} // namespace cuda
} // namespace secp256k1

378
cuda/include/ct/ct_sign.cuh Normal file
View File

@ -0,0 +1,378 @@
#pragma once
// ============================================================================
// Constant-Time ECDSA & Schnorr Signing -- CUDA Device
// ============================================================================
// Side-channel resistant signing for secp256k1.
//
// Key differences from fast path:
// - R = k*G via ct_generator_mul (fixed execution trace)
// - k^{-1} via ct::scalar_inverse (Fermat, no branch on bits)
// - Low-S via ct::scalar_normalize_low_s (branchless cmov)
// - Y-parity via ct::scalar_cneg + bool_to_mask (no branch)
// - All scalar arithmetic via CT layer (no early-exit comparisons)
// - SHA-256 / HMAC / RFC6979 / tagged_hash already data-independent
//
// Port of: cpu/include/secp256k1/ct/sign.hpp + cpu/src/ct_sign.cpp
// ============================================================================
#include "ct/ct_point.cuh"
#include "ecdsa.cuh"
#include "schnorr.cuh"
#if !SECP256K1_CUDA_LIMBS_32
namespace secp256k1 {
namespace cuda {
namespace ct {
// ============================================================================
// CT Jacobian -> Affine Conversion
// ============================================================================
// Branchless: always computes z_inv; cmov zeros on infinity
__device__ inline
void ct_jacobian_to_affine(const JacobianPoint* p,
FieldElement* out_x, FieldElement* out_y,
uint8_t* y_parity)
{
FieldElement z_inv, z_inv2, z_inv3;
secp256k1::cuda::field_inv(&p->z, &z_inv);
secp256k1::cuda::field_sqr(&z_inv, &z_inv2);
secp256k1::cuda::field_mul(&z_inv, &z_inv2, &z_inv3);
secp256k1::cuda::field_mul(&p->x, &z_inv2, out_x);
secp256k1::cuda::field_mul(&p->y, &z_inv3, out_y);
// Extract Y parity from bytes
uint8_t y_bytes[32];
secp256k1::cuda::field_to_bytes(out_y, y_bytes);
*y_parity = y_bytes[31] & 1;
}
// ============================================================================
// CT ECDSA Sign
// ============================================================================
// Constant-time ECDSA sign using RFC 6979 deterministic nonce.
// All secret-dependent operations use CT layer:
// - R = k*G: ct_generator_mul
// - k^{-1}: ct::scalar_inverse
// - low-S: ct::scalar_normalize_low_s
// - scalar add: ct::scalar_add
__device__ inline bool ct_ecdsa_sign(
const uint8_t msg_hash[32],
const Scalar* private_key,
ECDSASignatureGPU* sig)
{
// Check private key is nonzero (public validation, branch OK)
if (secp256k1::cuda::scalar_is_zero(private_key)) return false;
// z = message hash as scalar (public data, use fast path)
Scalar z;
secp256k1::cuda::scalar_from_bytes(msg_hash, &z);
// k = RFC 6979 deterministic nonce (HMAC-SHA256 is data-independent)
Scalar k;
secp256k1::cuda::rfc6979_nonce(private_key, msg_hash, &k);
// R = k * G (CT: fixed execution trace, no branch on bits of k)
JacobianPoint R;
ct_generator_mul(&k, &R);
// Convert R to affine (need x-coordinate for r)
FieldElement rx_aff, ry_aff;
uint8_t y_parity;
ct_jacobian_to_affine(&R, &rx_aff, &ry_aff, &y_parity);
// r = rx mod n
uint8_t x_bytes[32];
secp256k1::cuda::field_to_bytes(&rx_aff, x_bytes);
secp256k1::cuda::scalar_from_bytes(x_bytes, &sig->r);
// Check r != 0 (r depends on public curve point, branch OK)
if (secp256k1::cuda::scalar_is_zero(&sig->r)) return false;
// k^{-1} (CT Fermat: always compute both paths, select by bit)
Scalar k_inv;
scalar_inverse(&k, &k_inv);
// rd = r * d mod n (CT scalar_mul)
Scalar rd;
scalar_mul(&sig->r, private_key, &rd);
// z_plus_rd = z + r*d mod n (CT scalar_add)
Scalar z_plus_rd;
scalar_add(&z, &rd, &z_plus_rd);
// s = k^{-1} * (z + r*d) mod n (CT scalar_mul)
scalar_mul(&k_inv, &z_plus_rd, &sig->s);
// Check s != 0 (branch on public output, OK)
if (secp256k1::cuda::scalar_is_zero(&sig->s)) return false;
// Low-S normalization (CT: branchless cmov)
scalar_normalize_low_s(&sig->s);
return true;
}
// CT ECDSA sign with immediate verification (fault countermeasure)
__device__ inline bool ct_ecdsa_sign_verified(
const uint8_t msg_hash[32],
const Scalar* private_key,
ECDSASignatureGPU* sig)
{
if (!ct_ecdsa_sign(msg_hash, private_key, sig)) return false;
// Derive public key (CT, since private_key is secret)
JacobianPoint pubkey;
ct_generator_mul(private_key, &pubkey);
// Verify uses fast path (public key + signature are public)
return secp256k1::cuda::ecdsa_verify(msg_hash, &pubkey, sig);
}
// ============================================================================
// CT Schnorr Keypair
// ============================================================================
struct CTSchnorrKeypairGPU {
Scalar d; // signing key (adjusted for even Y)
uint8_t px[32]; // x-coordinate bytes of pubkey
};
// CT keypair creation: adjusts private key for even Y without branching.
__device__ inline bool ct_schnorr_keypair_create(
const Scalar* private_key,
CTSchnorrKeypairGPU* kp)
{
if (secp256k1::cuda::scalar_is_zero(private_key)) return false;
// P = d' * G (CT: secret key)
JacobianPoint P;
ct_generator_mul(private_key, &P);
// Convert to affine and get parity
FieldElement px_fe, py_fe;
uint8_t y_parity;
ct_jacobian_to_affine(&P, &px_fe, &py_fe, &y_parity);
// Store pubkey x-bytes
secp256k1::cuda::field_to_bytes(&px_fe, kp->px);
// CT conditional negate: if y is odd, negate d
uint64_t odd_mask = bool_to_mask((uint64_t)y_parity);
scalar_cneg(&kp->d, private_key, odd_mask);
return true;
}
// ============================================================================
// CT Schnorr Sign (BIP-340)
// ============================================================================
// CT BIP-340 Schnorr sign. All secret-dependent ops are constant-time:
// - P = d'*G: ct_generator_mul (secret key)
// - R = k'*G: ct_generator_mul (secret nonce)
// - Y-parity negation: ct::scalar_cneg (no branch)
// - s = k + e*d: ct::scalar_add + ct::scalar_mul
__device__ inline bool ct_schnorr_sign(
const Scalar* private_key,
const uint8_t msg[32],
const uint8_t aux_rand[32],
SchnorrSignatureGPU* sig)
{
if (secp256k1::cuda::scalar_is_zero(private_key)) return false;
// P = d' * G (CT: secret key multiplication)
JacobianPoint P;
ct_generator_mul(private_key, &P);
// Convert P to affine, extract parity
FieldElement px_fe, py_fe;
uint8_t p_y_parity;
ct_jacobian_to_affine(&P, &px_fe, &py_fe, &p_y_parity);
// CT conditional negate: if Y is odd, d = -d'
uint64_t p_odd_mask = bool_to_mask((uint64_t)p_y_parity);
Scalar d;
scalar_cneg(&d, private_key, p_odd_mask);
// px as bytes
uint8_t px_bytes[32];
secp256k1::cuda::field_to_bytes(&px_fe, px_bytes);
// t = d XOR tagged_hash("BIP0340/aux", aux_rand)
// (SHA-256/tagged_hash is data-independent, safe on fast path)
uint8_t t_hash[32];
secp256k1::cuda::tagged_hash_fast(BIP340_TAG_AUX, aux_rand, 32, t_hash);
uint8_t d_bytes[32];
secp256k1::cuda::scalar_to_bytes(&d, d_bytes);
uint8_t t[32];
for (int i = 0; i < 32; i++) t[i] = d_bytes[i] ^ t_hash[i];
// rand = tagged_hash("BIP0340/nonce", t || px || msg)
uint8_t nonce_input[96];
for (int i = 0; i < 32; i++) nonce_input[i] = t[i];
for (int i = 0; i < 32; i++) nonce_input[32 + i] = px_bytes[i];
for (int i = 0; i < 32; i++) nonce_input[64 + i] = msg[i];
uint8_t rand_hash[32];
secp256k1::cuda::tagged_hash_fast(BIP340_TAG_NONCE, nonce_input, 96, rand_hash);
Scalar k_prime;
secp256k1::cuda::scalar_from_bytes(rand_hash, &k_prime);
if (secp256k1::cuda::scalar_is_zero(&k_prime)) return false;
// R = k' * G (CT: secret nonce multiplication)
JacobianPoint R;
ct_generator_mul(&k_prime, &R);
// Convert R to affine, extract Y parity
FieldElement rx_fe, ry_fe;
uint8_t r_y_parity;
ct_jacobian_to_affine(&R, &rx_fe, &ry_fe, &r_y_parity);
// CT conditional negate: if R.y is odd, k = -k'
uint64_t r_odd_mask = bool_to_mask((uint64_t)r_y_parity);
Scalar k;
scalar_cneg(&k, &k_prime, r_odd_mask);
// sig.r = R.x as bytes
secp256k1::cuda::field_to_bytes(&rx_fe, sig->r);
// e = tagged_hash("BIP0340/challenge", R.x || px || msg) mod n
uint8_t challenge_input[96];
for (int i = 0; i < 32; i++) challenge_input[i] = sig->r[i];
for (int i = 0; i < 32; i++) challenge_input[32 + i] = px_bytes[i];
for (int i = 0; i < 32; i++) challenge_input[64 + i] = msg[i];
uint8_t e_hash[32];
secp256k1::cuda::tagged_hash_fast(BIP340_TAG_CHALLENGE, challenge_input, 96, e_hash);
Scalar e;
secp256k1::cuda::scalar_from_bytes(e_hash, &e);
// s = k + e * d mod n (CT scalar arithmetic)
Scalar ed;
scalar_mul(&e, &d, &ed);
scalar_add(&k, &ed, &sig->s);
return true;
}
// CT Schnorr sign with keypair (avoids recomputing P = d*G)
__device__ inline bool ct_schnorr_sign_with_keypair(
const CTSchnorrKeypairGPU* kp,
const uint8_t msg[32],
const uint8_t aux_rand[32],
SchnorrSignatureGPU* sig)
{
// t = d XOR tagged_hash("BIP0340/aux", aux_rand)
uint8_t t_hash[32];
secp256k1::cuda::tagged_hash_fast(BIP340_TAG_AUX, aux_rand, 32, t_hash);
uint8_t d_bytes[32];
secp256k1::cuda::scalar_to_bytes(&kp->d, d_bytes);
uint8_t t[32];
for (int i = 0; i < 32; i++) t[i] = d_bytes[i] ^ t_hash[i];
// rand = tagged_hash("BIP0340/nonce", t || px || msg)
uint8_t nonce_input[96];
for (int i = 0; i < 32; i++) nonce_input[i] = t[i];
for (int i = 0; i < 32; i++) nonce_input[32 + i] = kp->px[i];
for (int i = 0; i < 32; i++) nonce_input[64 + i] = msg[i];
uint8_t rand_hash[32];
secp256k1::cuda::tagged_hash_fast(BIP340_TAG_NONCE, nonce_input, 96, rand_hash);
Scalar k_prime;
secp256k1::cuda::scalar_from_bytes(rand_hash, &k_prime);
if (secp256k1::cuda::scalar_is_zero(&k_prime)) return false;
// R = k' * G (CT: secret nonce)
JacobianPoint R;
ct_generator_mul(&k_prime, &R);
// Convert R to affine, extract parity
FieldElement rx_fe, ry_fe;
uint8_t r_y_parity;
ct_jacobian_to_affine(&R, &rx_fe, &ry_fe, &r_y_parity);
// CT conditional negate k
uint64_t r_odd_mask = bool_to_mask((uint64_t)r_y_parity);
Scalar k;
scalar_cneg(&k, &k_prime, r_odd_mask);
// sig.r = R.x
secp256k1::cuda::field_to_bytes(&rx_fe, sig->r);
// e = tagged_hash("BIP0340/challenge", R.x || px || msg) mod n
uint8_t challenge_input[96];
for (int i = 0; i < 32; i++) challenge_input[i] = sig->r[i];
for (int i = 0; i < 32; i++) challenge_input[32 + i] = kp->px[i];
for (int i = 0; i < 32; i++) challenge_input[64 + i] = msg[i];
uint8_t e_hash[32];
secp256k1::cuda::tagged_hash_fast(BIP340_TAG_CHALLENGE, challenge_input, 96, e_hash);
Scalar e;
secp256k1::cuda::scalar_from_bytes(e_hash, &e);
// s = k + e * d mod n (CT)
Scalar ed;
scalar_mul(&e, &kp->d, &ed);
scalar_add(&k, &ed, &sig->s);
return true;
}
// CT Schnorr sign with immediate verification (fault countermeasure)
__device__ inline bool ct_schnorr_sign_verified(
const Scalar* private_key,
const uint8_t msg[32],
const uint8_t aux_rand[32],
SchnorrSignatureGPU* sig)
{
if (!ct_schnorr_sign(private_key, msg, aux_rand, sig)) return false;
if (secp256k1::cuda::scalar_is_zero(&sig->s)) return false;
// Compute pubkey for verification (fast path OK: pubkey is public)
uint8_t pubkey_x[32];
JacobianPoint P;
ct_generator_mul(private_key, &P);
FieldElement ax, ay;
uint8_t _;
ct_jacobian_to_affine(&P, &ax, &ay, &_);
secp256k1::cuda::field_to_bytes(&ax, pubkey_x);
// Verify uses fast path (public data)
return secp256k1::cuda::schnorr_verify(pubkey_x, msg, sig);
}
// CT Schnorr pubkey extraction (X-only, even Y)
__device__ inline bool ct_schnorr_pubkey(
const Scalar* private_key,
uint8_t pubkey_x[32])
{
if (secp256k1::cuda::scalar_is_zero(private_key)) return false;
JacobianPoint P;
ct_generator_mul(private_key, &P);
FieldElement ax, ay;
uint8_t y_parity;
ct_jacobian_to_affine(&P, &ax, &ay, &y_parity);
secp256k1::cuda::field_to_bytes(&ax, pubkey_x);
return true;
}
} // namespace ct
} // namespace cuda
} // namespace secp256k1
#endif // !SECP256K1_CUDA_LIMBS_32

252
cuda/include/ecdsa.cuh
View File

@ -18,77 +18,7 @@
namespace secp256k1 {
namespace cuda {
// -- Byte <-> Scalar conversion (big-endian bytes <-> LE uint64_t limbs) ---------
// Convert 32 big-endian bytes to a Scalar (reduced mod n).
__device__ inline void scalar_from_bytes(const uint8_t bytes[32], Scalar* r) {
// BE bytes -> LE uint64_t limbs
for (int i = 0; i < 4; i++) {
uint64_t limb = 0;
int base = (3 - i) * 8;
for (int j = 0; j < 8; j++) {
limb = (limb << 8) | bytes[base + j];
}
r->limbs[i] = limb;
}
// Branchless reduction: compute r - ORDER, keep if r >= n
uint64_t borrow = 0;
uint64_t tmp[4];
for (int i = 0; i < 4; i++) {
unsigned __int128 diff = (unsigned __int128)r->limbs[i] - ORDER[i] - borrow;
tmp[i] = (uint64_t)diff;
borrow = (uint64_t)(-(int64_t)(diff >> 64)); // 1 if borrow, 0 otherwise
}
// mask = all-ones if r >= n (no borrow), all-zeros otherwise
uint64_t mask = ~borrow + 1; // borrow==0 -> ~0+1=0 -> wrong
// Actually: borrow=0 means no underflow -> r >= n -> use tmp
// borrow=1 means underflow -> r < n -> keep r
mask = -(uint64_t)(borrow == 0);
for (int i = 0; i < 4; i++) {
r->limbs[i] = (tmp[i] & mask) | (r->limbs[i] & ~mask);
}
}
// Convert Scalar to 32 big-endian bytes.
__device__ inline void scalar_to_bytes(const Scalar* s, uint8_t bytes[32]) {
for (int i = 0; i < 4; i++) {
uint64_t limb = s->limbs[3 - i];
for (int j = 0; j < 8; j++) {
bytes[i * 8 + j] = (uint8_t)(limb >> (56 - j * 8));
}
}
}
// Convert FieldElement to 32 big-endian bytes.
// Normalizes (fully reduces mod p) before serialization so byte comparisons
// are always consistent, regardless of internal carry state.
__device__ inline void field_to_bytes(const FieldElement* fe, uint8_t bytes[32]) {
// p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
constexpr uint64_t P[4] = {
0xFFFFFFFEFFFFFC2FULL, 0xFFFFFFFFFFFFFFFFULL,
0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL
};
// Branchless: try subtracting p; keep result only if no borrow
uint64_t tmp[4];
uint64_t borrow = 0;
for (int i = 0; i < 4; i++) {
unsigned __int128 diff = (unsigned __int128)fe->limbs[i] - P[i] - borrow;
tmp[i] = (uint64_t)diff;
borrow = (uint64_t)(-(int64_t)(diff >> 64)); // 1 if borrow, 0 otherwise
}
// If borrow==0: fe >= p -> use tmp (reduced). If borrow==1: fe < p -> use fe.
uint64_t mask = -(uint64_t)(borrow == 0); // all-1s if no borrow, all-0s if borrow
uint64_t norm[4];
for (int i = 0; i < 4; i++)
norm[i] = (tmp[i] & mask) | (fe->limbs[i] & ~mask);
for (int i = 0; i < 4; i++) {
uint64_t limb = norm[3 - i];
for (int j = 0; j < 8; j++) {
bytes[i * 8 + j] = (uint8_t)(limb >> (56 - j * 8));
}
}
}
// scalar_from_bytes, scalar_to_bytes, field_to_bytes moved to secp256k1.cuh
// -- SHA-256 Streaming Context ------------------------------------------------
@ -487,6 +417,186 @@ __device__ inline bool ecdsa_verify(
return scalar_eq(&v, &sig->r);
}
// ============================================================================
// ECDSA extensions (CPU parity)
// ============================================================================
// -- ECDSA: normalize to low-S (BIP-62) -------------------------------------
__device__ __forceinline__ void ecdsa_normalize_low_s(ECDSASignatureGPU* sig) {
if (!scalar_is_low_s(&sig->s)) {
scalar_negate(&sig->s, &sig->s);
}
}
// -- ECDSA: is_low_s check ---------------------------------------------------
__device__ __forceinline__ bool ecdsa_is_low_s(const ECDSASignatureGPU* sig) {
return scalar_is_low_s(&sig->s);
}
// -- ECDSA: signature to 64-byte compact format (r || s, BE) ----------------
__device__ inline void ecdsa_sig_to_compact(const ECDSASignatureGPU* sig, uint8_t out[64]) {
scalar_to_bytes(&sig->r, out);
scalar_to_bytes(&sig->s, out + 32);
}
// -- ECDSA: signature from 64-byte compact format ----------------------------
__device__ inline void ecdsa_sig_from_compact(const uint8_t data[64], ECDSASignatureGPU* sig) {
scalar_from_bytes(data, &sig->r);
scalar_from_bytes(data + 32, &sig->s);
}
// -- ECDSA: parse compact strict (reject r,s >= n or == 0) ------------------
__device__ inline bool ecdsa_sig_parse_compact_strict(const uint8_t data[64],
ECDSASignatureGPU* sig) {
if (!scalar_from_bytes_strict_nonzero(data, &sig->r)) return false;
if (!scalar_from_bytes_strict_nonzero(data + 32, &sig->s)) return false;
return true;
}
// -- ECDSA: sign with verification (fault countermeasure) --------------------
// Signs and immediately verifies the result. Returns false if sign or verify fail.
__device__ inline bool ecdsa_sign_verified(
const uint8_t msg_hash[32],
const Scalar* private_key,
ECDSASignatureGPU* sig)
{
if (!ecdsa_sign(msg_hash, private_key, sig)) return false;
// Compute public key for verification
JacobianPoint pubkey;
scalar_mul_generator_const(private_key, &pubkey);
return ecdsa_verify(msg_hash, &pubkey, sig);
}
// -- RFC 6979 hedged nonce (with auxiliary entropy) --------------------------
__device__ inline void rfc6979_nonce_hedged(
const Scalar* private_key,
const uint8_t msg_hash[32],
const uint8_t aux_rand[32],
Scalar* k_out)
{
uint8_t x_bytes[32];
scalar_to_bytes(private_key, x_bytes);
// XOR auxiliary randomness into the private key bytes for personalization
uint8_t x_pers[32];
for (int i = 0; i < 32; i++) x_pers[i] = x_bytes[i] ^ aux_rand[i];
uint8_t V[32], K[32];
for (int i = 0; i < 32; i++) { V[i] = 0x01; K[i] = 0x00; }
// Step d: K = HMAC(K, V || 0x00 || x_pers || h1)
{
uint8_t buf[97];
for (int i = 0; i < 32; i++) buf[i] = V[i];
buf[32] = 0x00;
for (int i = 0; i < 32; i++) buf[33 + i] = x_pers[i];
for (int i = 0; i < 32; i++) buf[65 + i] = msg_hash[i];
hmac_sha256(K, 32, buf, 97, K);
}
hmac_sha256(K, 32, V, 32, V);
{
uint8_t buf[97];
for (int i = 0; i < 32; i++) buf[i] = V[i];
buf[32] = 0x01;
for (int i = 0; i < 32; i++) buf[33 + i] = x_pers[i];
for (int i = 0; i < 32; i++) buf[65 + i] = msg_hash[i];
hmac_sha256(K, 32, buf, 97, K);
}
hmac_sha256(K, 32, V, 32, V);
for (int attempt = 0; attempt < 100; attempt++) {
hmac_sha256(K, 32, V, 32, V);
scalar_from_bytes(V, k_out);
if (!scalar_is_zero(k_out)) return;
uint8_t buf[33];
for (int i = 0; i < 32; i++) buf[i] = V[i];
buf[32] = 0x00;
hmac_sha256(K, 32, buf, 33, K);
hmac_sha256(K, 32, V, 32, V);
}
for (int i = 0; i < 4; i++) k_out->limbs[i] = 0;
}
// -- ECDSA: sign hedged (RFC 6979 + aux_rand) --------------------------------
__device__ inline bool ecdsa_sign_hedged(
const uint8_t msg_hash[32],
const Scalar* private_key,
const uint8_t aux_rand[32],
ECDSASignatureGPU* sig)
{
if (scalar_is_zero(private_key)) return false;
Scalar z;
scalar_from_bytes(msg_hash, &z);
Scalar k;
rfc6979_nonce_hedged(private_key, msg_hash, aux_rand, &k);
if (scalar_is_zero(&k)) return false;
JacobianPoint R;
scalar_mul_generator_const(&k, &R);
if (R.infinity) return false;
FieldElement z_inv, z_inv2, x_affine;
field_inv(&R.z, &z_inv);
field_sqr(&z_inv, &z_inv2);
field_mul(&R.x, &z_inv2, &x_affine);
uint8_t x_bytes[32];
field_to_bytes(&x_affine, x_bytes);
scalar_from_bytes(x_bytes, &sig->r);
if (scalar_is_zero(&sig->r)) return false;
Scalar k_inv;
scalar_inverse(&k, &k_inv);
Scalar rd;
scalar_mul_mod_n(&sig->r, private_key, &rd);
Scalar z_plus_rd;
{
uint64_t carry = 0;
for (int i = 0; i < 4; i++) {
unsigned __int128 sum = (unsigned __int128)z.limbs[i] + rd.limbs[i] + carry;
z_plus_rd.limbs[i] = (uint64_t)sum;
carry = (uint64_t)(sum >> 64);
}
uint64_t borrow = 0;
uint64_t tmp[4];
for (int i = 0; i < 4; i++) {
unsigned __int128 diff = (unsigned __int128)z_plus_rd.limbs[i] - ORDER[i] - borrow;
tmp[i] = (uint64_t)diff;
borrow = (uint64_t)(-(int64_t)(diff >> 64));
}
uint64_t mask = -(uint64_t)(borrow == 0 || carry);
for (int i = 0; i < 4; i++)
z_plus_rd.limbs[i] = (tmp[i] & mask) | (z_plus_rd.limbs[i] & ~mask);
}
scalar_mul_mod_n(&k_inv, &z_plus_rd, &sig->s);
if (scalar_is_zero(&sig->s)) return false;
if (!scalar_is_low_s(&sig->s))
scalar_negate(&sig->s, &sig->s);
return true;
}
// -- ECDSA: sign hedged + verified -------------------------------------------
__device__ inline bool ecdsa_sign_hedged_verified(
const uint8_t msg_hash[32],
const Scalar* private_key,
const uint8_t aux_rand[32],
ECDSASignatureGPU* sig)
{
if (!ecdsa_sign_hedged(msg_hash, private_key, aux_rand, sig)) return false;
JacobianPoint pubkey;
scalar_mul_generator_const(private_key, &pubkey);
return ecdsa_verify(msg_hash, &pubkey, sig);
}
} // namespace cuda
} // namespace secp256k1

517
cuda/include/gen_table_w8.cuh Normal file
View File

@ -0,0 +1,517 @@
// Precomputed [0..255]*G for w=8 fixed-window generator multiplication
// Generated offline. Stored in CUDA __constant__ memory.
// 256 entries * 64 bytes = 16 KB (fits in constant memory limit of 64 KB)
__device__ __constant__ static const AffinePoint GENERATOR_TABLE_W8[256] = {
// [0] = O (identity)
{{{0x0000000000000000ULL, 0x0000000000000000ULL, 0x0000000000000000ULL, 0x0000000000000000ULL}}, {{0x0000000000000000ULL, 0x0000000000000000ULL, 0x0000000000000000ULL, 0x0000000000000000ULL}}},
// [1] = 1G
{{{0x59F2815B16F81798ULL, 0x029BFCDB2DCE28D9ULL, 0x55A06295CE870B07ULL, 0x79BE667EF9DCBBACULL}}, {{0x9C47D08FFB10D4B8ULL, 0xFD17B448A6855419ULL, 0x5DA4FBFC0E1108A8ULL, 0x483ADA7726A3C465ULL}}},
// [2] = 2G
{{{0xABAC09B95C709EE5ULL, 0x5C778E4B8CEF3CA7ULL, 0x3045406E95C07CD8ULL, 0xC6047F9441ED7D6DULL}}, {{0x236431A950CFE52AULL, 0xF7F632653266D0E1ULL, 0xA3C58419466CEAEEULL, 0x1AE168FEA63DC339ULL}}},
// [3] = 3G
{{{0x8601F113BCE036F9ULL, 0xB531C845836F99B0ULL, 0x49344F85F89D5229ULL, 0xF9308A019258C310ULL}}, {{0x6CB9FD7584B8E672ULL, 0x6500A99934C2231BULL, 0x0FE337E62A37F356ULL, 0x388F7B0F632DE814ULL}}},
// [4] = 4G
{{{0x74FA94ABE8C4CD13ULL, 0xCC6C13900EE07584ULL, 0x581E4904930B1404ULL, 0xE493DBF1C10D80F3ULL}}, {{0xCFE97BDC47739922ULL, 0xD967AE33BFBDFE40ULL, 0x5642E2098EA51448ULL, 0x51ED993EA0D455B7ULL}}},
// [5] = 5G
{{{0xCBA8D569B240EFE4ULL, 0xE88B84BDDC619AB7ULL, 0x55B4A7250A5C5128ULL, 0x2F8BDE4D1A072093ULL}}, {{0xDCA87D3AA6AC62D6ULL, 0xF788271BAB0D6840ULL, 0xD4DBA9DDA6C9C426ULL, 0xD8AC222636E5E3D6ULL}}},
// [6] = 6G
{{{0x2F057A1460297556ULL, 0x82F6472F8568A18BULL, 0x20453A14355235D3ULL, 0xFFF97BD5755EEEA4ULL}}, {{0x3C870C36B075F297ULL, 0xDE80F0F6518FE4A0ULL, 0xF3BE96017F45C560ULL, 0xAE12777AACFBB620ULL}}},
// [7] = 7G
{{{0xE92BDDEDCAC4F9BCULL, 0x3D419B7E0330E39CULL, 0xA398F365F2EA7A0EULL, 0x5CBDF0646E5DB4EAULL}}, {{0xA5082628087264DAULL, 0xA813D0B813FDE7B5ULL, 0xA3178D6D861A54DBULL, 0x6AEBCA40BA255960ULL}}},
// [8] = 8G
{{{0x67784EF3E10A2A01ULL, 0x0A1BDD05E5AF888AULL, 0xAFF3843FB70F3C2FULL, 0x2F01E5E15CCA351DULL}}, {{0xB5DA2CB76CBDE904ULL, 0xC2E213D6BA5B7617ULL, 0x293D082A132D13B4ULL, 0x5C4DA8A741539949ULL}}},
// [9] = 9G
{{{0xC35F110DFC27CCBEULL, 0xE09796974C57E714ULL, 0x09AD178A9F559ABDULL, 0xACD484E2F0C7F653ULL}}, {{0x05CC262AC64F9C37ULL, 0xADD888A4375F8E0FULL, 0x64380971763B61E9ULL, 0xCC338921B0A7D9FDULL}}},
// [10] = 10G
{{{0x52A68E2A47E247C7ULL, 0x3442D49B1943C2B7ULL, 0x35477C7B1AE6AE5DULL, 0xA0434D9E47F3C862ULL}}, {{0x3CBEE53B037368D7ULL, 0x6F794C2ED877A159ULL, 0xA3B6C7E693A24C69ULL, 0x893ABA425419BC27ULL}}},
// [11] = 11G
{{{0xBBEC17895DA008CBULL, 0x5649980BE5C17891ULL, 0x5EF4246B70C65AACULL, 0x774AE7F858A9411EULL}}, {{0x301D74C9C953C61BULL, 0x372DB1E2DFF9D6A8ULL, 0x0243DD56D7B7B365ULL, 0xD984A032EB6B5E19ULL}}},
// [12] = 12G
{{{0xC5B0F47070AFE85AULL, 0x687CF4419620095BULL, 0x15C38F004D734633ULL, 0xD01115D548E7561BULL}}, {{0x6B051B13F4062327ULL, 0x79238C5DD9A86D52ULL, 0xA8B64537E17BD815ULL, 0xA9F34FFDC815E0D7ULL}}},
// [13] = 13G
{{{0xDEEDDF8F19405AA8ULL, 0xB075FBC6610E58CDULL, 0xC7D1D205C3748651ULL, 0xF28773C2D975288BULL}}, {{0x29B5CB52DB03ED81ULL, 0x3A1A06DA521FA91FULL, 0x758212EB65CDAF47ULL, 0x0AB0902E8D880A89ULL}}},
// [14] = 14G
{{{0xE49B241A60E823E4ULL, 0x26AA7B63678949E6ULL, 0xFD64E67F07D38E32ULL, 0x499FDF9E895E719CULL}}, {{0xC65F40D403A13F5BULL, 0x464279C27A3F95BCULL, 0x90F044E4A7B3D464ULL, 0xCAC2F6C4B54E8551ULL}}},
// [15] = 15G
{{{0x44ADBCF8E27E080EULL, 0x31E5946F3C85F79EULL, 0x5A465AE3095FF411ULL, 0xD7924D4F7D43EA96ULL}}, {{0xC504DC9FF6A26B58ULL, 0xEA40AF2BD896D3A5ULL, 0x83842EC228CC6DEFULL, 0x581E2872A86C72A6ULL}}},
// [16] = 16G
{{{0xC44EE89E2A6DEC0AULL, 0xB2A31369B87A5AE9ULL, 0x3011AABC21C23E97ULL, 0xE60FCE93B59E9EC5ULL}}, {{0xE1F32CCE69616821ULL, 0x1296891E44D23F0BULL, 0x9DB99F34F5793710ULL, 0xF7E3507399E59592ULL}}},
// [17] = 17G
{{{0x66E4FAA04A2D4A34ULL, 0xEB9898AE79B97687ULL, 0xA420FEE807EACF21ULL, 0xDEFDEA4CDB677750ULL}}, {{0xCFB199F69E56EB77ULL, 0xCED1F4A04A95C0F6ULL, 0xE997B0EAD2A93DAEULL, 0x4211AB0694635168ULL}}},
// [18] = 18G
{{{0xCF55C2A2444DA7CCULL, 0xF3BA28D1A319F5E7ULL, 0x2B0286DB4A990FA0ULL, 0x5601570CB47F238DULL}}, {{0xF5192E5E8B061D58ULL, 0x81D8E0BC736AE2A1ULL, 0xE9E298043589351DULL, 0xC136C1DC0CBEB930ULL}}},
// [19] = 19G
{{{0x7475656138385B6CULL, 0xF06ACFEBD7E86D27ULL, 0x93EF5CFF444F4979ULL, 0x2B4EA0A797A443D2ULL}}, {{0xB570C854E5C09B7AULL, 0x1A01F60C50269763ULL, 0xB343083B5A1C8613ULL, 0x85E89BC037945D93ULL}}},
// [20] = 20G
{{{0xF3E471B273211C97ULL, 0xF02D5290AFF74B03ULL, 0x200B559B2F7DD5A5ULL, 0x4CE119C96E2FA357ULL}}, {{0x450288EE9233DC3AULL, 0x6162948271D96967ULL, 0x5DA61FA10A844C67ULL, 0x12BA26DCB10EC162ULL}}},
// [21] = 21G
{{{0x81340AEF25BE59D5ULL, 0x1D9AD40271F81071ULL, 0x4F93FA332CE33330ULL, 0x352BBF4A4CDD1256ULL}}, {{0x67BD3D8BCF81998CULL, 0x4A1B3B2E71B1039CULL, 0xD59C18259DDA3E1FULL, 0x321EB4075348F534ULL}}},
// [22] = 22G
{{{0x99DDCB316F31E9FCULL, 0x2431741C72713B4BULL, 0x5C96FDB91C0C1E2FULL, 0x421F5FC9A2106544ULL}}, {{0xDB20717AD1CD6781ULL, 0x743034B37B223115ULL, 0x16F6DB7E225D1E14ULL, 0x2B90F16D11DABDB6ULL}}},
// [23] = 23G
{{{0xDC9CDADD4ECACC3FULL, 0xE42AB8DFEFF5FF29ULL, 0x0230010559879124ULL, 0x2FA2104D6B38D11BULL}}, {{0x423BA76B532B7D67ULL, 0x181D70ECFC882648ULL, 0xB64569335BD5DD80ULL, 0x02DE1068295DD865ULL}}},
// [24] = 24G
{{{0x0502BDA8B202E6CEULL, 0x683215439D62B794ULL, 0x8AC09C9161BA8B09ULL, 0xFE72C435413D33D4ULL}}, {{0x978ED2FBCF58C5BFULL, 0x01DC88E36B4A9D22ULL, 0xD3AB47E09D729981ULL, 0x6851DE067FF24A68ULL}}},
// [25] = 25G
{{{0x69CA0CD7F5453714ULL, 0x263C3D84E09572E2ULL, 0xAB21A9B066EDDA83ULL, 0x9248279B09B4D68DULL}}, {{0xE54A32CE97CB3402ULL, 0x3FC0DE2A887912FFULL, 0x5D1AA71BDEA2B1FFULL, 0x73016F7BF234AADEULL}}},
// [26] = 26G
{{{0x5E5CAD81710C4C8AULL, 0xC03FE1B2ABB84088ULL, 0xF40CBDEFC8E40997ULL, 0x6687CDB5B650D558ULL}}, {{0xB32E83B25C83AD64ULL, 0x0EF8E529F033F272ULL, 0x1A1FA873825C7200ULL, 0x3FD502B3111178B1ULL}}},
// [27] = 27G
{{{0x7E996D443DEE8729ULL, 0x2F570E144BF615C0ULL, 0x8E70132FB0BEB752ULL, 0xDAED4F2BE3A8BF27ULL}}, {{0xAB40E52290BE1C55ULL, 0x3F83C230F3AFA726ULL, 0xD4A1ACA87EF8D700ULL, 0xA69DCE4A7D6C98E8ULL}}},
// [28] = 28G
{{{0xC39A66F904F97968ULL, 0x6B31536DA6EB344DULL, 0xA7FA6F64D5DC3C82ULL, 0x55EB67D7B7238A70ULL}}, {{0xD0689F2F493BE3C8ULL, 0x40973BCE1C95052DULL, 0x0B1E718BF4042585ULL, 0x7D916A47B2B58140ULL}}},
// [29] = 29G
{{{0xE6A3B5E87D22E7DBULL, 0x11ECD9E9FDF281B0ULL, 0x8ACF28D7CBB19F90ULL, 0xC44D12C7065D812EULL}}, {{0xA039063F0E0E6482ULL, 0x0E106E861EDF61C5ULL, 0x76C45926C982FDACULL, 0x2119A460CE326CDCULL}}},
// [30] = 30G
{{{0x7513A49D9A688A00ULL, 0x1CCFFF21574DE092ULL, 0x0B69FC311A03F864ULL, 0x6D2B085E9E382ED1ULL}}, {{0x8DBAC47A17F388FBULL, 0x776238AA0BD5FF24ULL, 0xC739DDFA33604A83ULL, 0xACB82EB93309AD1CULL}}},
// [31] = 31G
{{{0xB61C65CBD269E6B4ULL, 0x152B695336C28063ULL, 0xC89A20CFDED60853ULL, 0x6A245BF6DC698504ULL}}, {{0xFD5E6348100D8A82ULL, 0x8B33BA48D0423B6EULL, 0x8B3F5126F16A24ADULL, 0xE022CF42C2BD4A70ULL}}},
// [32] = 32G
{{{0x75D0DBD407143E65ULL, 0xDACFFCB89904A61DULL, 0x47B6E054E2F378CEULL, 0xD30199D74FB5A22DULL}}, {{0x05B3FF1F24106AB9ULL, 0x1F760CC364ED8196ULL, 0xB3D6DEC9E9838065ULL, 0x95038D9D0AE3D5C3ULL}}},
// [33] = 33G
{{{0xF95AE57F0D0BD6A5ULL, 0xCE13300B0BEC1146ULL, 0xC077E3D2FE541084ULL, 0x1697FFA6FD9DE627ULL}}, {{0xADEE9D63D01B2396ULL, 0xA2CF15009E498AE7ULL, 0x27561506E4557433ULL, 0xB9C398F186806F5DULL}}},
// [34] = 34G
{{{0x32E8B4DA0547FC11ULL, 0x31D611B96C358B60ULL, 0xD0E80D468C344BA3ULL, 0x1BE68A5A028F2601ULL}}, {{0xFF1822F5D1F30E79ULL, 0xC076329C75146BC6ULL, 0xB3CA6265F9400779ULL, 0xBEBC47511ADE7308ULL}}},
// [35] = 35G
{{{0xF982345EF27A7479ULL, 0x9DEB8360FFB7F61DULL, 0x986D0F07E834CB0DULL, 0x605BDB019981718BULL}}, {{0x3B01E1E9056B8C49ULL, 0xC26BFAE84FB14DB4ULL, 0x81A78D93EC96FE23ULL, 0x02972D2DE4F8D206ULL}}},
// [36] = 36G
{{{0x0C899DA20F0198F9ULL, 0x5D5FEFE3388F85D9ULL, 0x0B56C563E3E5E67AULL, 0xE0392CFA338AAF2FULL}}, {{0xDFD6E3F50E7DA3ACULL, 0xBB5B10F4BD8AA51EULL, 0xEE7A347A5E4681F9ULL, 0x76D458642A2C93ADULL}}},
// [37] = 37G
{{{0xFE31C7E9D87FF33DULL, 0xDCB01C354959B10CULL, 0x7402FDC45A215E10ULL, 0x62D14DAB4150BF49ULL}}, {{0x35F5642483B25EAFULL, 0x01AA132967AB4722ULL, 0x98088A1950EED0DBULL, 0x80FC06BD8CC5B010ULL}}},
// [38] = 38G
{{{0x69CD5FDF1691FFF7ULL, 0x38E2E1FC705821EAULL, 0xA88AC16C7D80BFFDULL, 0xB699A30E6E184CDFULL}}, {{0xB745BC318A51AB04ULL, 0xD9D7268126C76A16ULL, 0x5A096EE637EBED3BULL, 0xD505700C51D860CEULL}}},
// [39] = 39G
{{{0x5E555C2F86308B6FULL, 0x2C50E9F56B9B8B42ULL, 0xDE5B4B06C408E56BULL, 0x80C60AD0040F27DAULL}}, {{0x1AA01F56430BD57AULL, 0xA65EED4CBE7024EBULL, 0x26E66BAD7FE72F70ULL, 0x1C38303F1CC5C30FULL}}},
// [40] = 40G
{{{0xF1929141BB0B4D0BULL, 0x0EACF59A33D99CD9ULL, 0x9F0E21203041BF08ULL, 0x91DE2F6BB67B1113ULL}}, {{0x9A9A2E83124A7899ULL, 0x55B03158202A9D3EULL, 0xE34E7A1009F87251ULL, 0xEB9EF6C031EED31DULL}}},
// [41] = 41G
{{{0x9D5EABB0FA03C8FBULL, 0x4CC5DC9487D84704ULL, 0xAA74C6348CC54D34ULL, 0x7A9375AD6167AD54ULL}}, {{0x02D499EC224DC7F7ULL, 0xBDC59EA10C70CE2BULL, 0x09559E0D79269046ULL, 0x0D0E3FA9ECA87269ULL}}},
// [42] = 42G
{{{0xC18ED3A3C86CE1AFULL, 0x9CB5E65CEE430558ULL, 0x1DB5833FF5F2226DULL, 0xFE8D1EB1BCB3432BULL}}, {{0xE531C573CDA9B5B4ULL, 0xFAE4DB40801A2572ULL, 0x134AC7C1D371CFFBULL, 0x07B158F244CD0DE2ULL}}},
// [43] = 43G
{{{0x4BB51F459BC3FFC9ULL, 0xBB408EC39B68DF50ULL, 0x907A9ED045447A79ULL, 0xD528ECD9B696B54CULL}}, {{0x063465B521409933ULL, 0xBC4345405C520DBCULL, 0x9966F21881FD656EULL, 0xEECF41253136E5F9ULL}}},
// [44] = 44G
{{{0xE06B70A9B3834765ULL, 0x60C180165D971A61ULL, 0x541514731622AF8DULL, 0x5D045857332D5B9EULL}}, {{0x1879A7CABF06FB68ULL, 0xA1D1F34761C6CF26ULL, 0x2DECBAB8D098A8C2ULL, 0xDB2BA972802D45FDULL}}},
// [45] = 45G
{{{0x87231808F8B45963ULL, 0x5266115E4A7ECB13ULL, 0xEA25F514E8ECDAD0ULL, 0x049370A4B5F43412ULL}}, {{0xB653052A12949C9AULL, 0x54C3F3AFBB5B6764ULL, 0x8B3081B0512FD62AULL, 0x758F3F41AFD6ED42ULL}}},
// [46] = 46G
{{{0xC16BAEDC90235717ULL, 0x980FDDE9C7E85701ULL, 0xF903B3D100E3950DULL, 0xF8B0B03D44112259ULL}}, {{0x517AB5C246242203ULL, 0xD0A986928AC79972ULL, 0x6BE1883B362F123BULL, 0xBD8E9DC301D9ADC9ULL}}},
// [47] = 47G
{{{0xF1C13EB1FC345D74ULL, 0x881D811E0E1498E2ULL, 0xD73DF930D64702EFULL, 0x77F230936EE88CBBULL}}, {{0xBE8EB3C7671C60D6ULL, 0x96C95330D97077CBULL, 0x0A08266E9BA1B378ULL, 0x958EF42A7886B640ULL}}},
// [48] = 48G
{{{0x9BD870AA1118E5C3ULL, 0xFC579B27452BEBC1ULL, 0xB441656EF4E65B4BULL, 0x6ECA335D9645307DULL}}, {{0x498A2F7805A08668ULL, 0x3A496A3A3BF8EC34ULL, 0x592F579074B875A0ULL, 0xD50123B57A7A0710ULL}}},
// [49] = 49G
{{{0xEB28531B7739F530ULL, 0x58C80074AB9D4DBAULL, 0xEA44887E5C7C0BCEULL, 0xF2DAC991CC4CE4B9ULL}}, {{0x1A117DBA703A3C37ULL, 0x9EB5FBEB0598E4FDULL, 0x4DA1F32DEC2531DFULL, 0xE0DEDC9B3B2F8DADULL}}},
// [50] = 50G
{{{0x7E8FDE79BD559A9AULL, 0x50BC64404230E7A6ULL, 0xD5F1774AEFA8F02EULL, 0x29757774CC6F3BE1ULL}}, {{0x50BD28C17C470134ULL, 0x151B423EAC4033B5ULL, 0xA0EBA45A7A41876DULL, 0xC39D07337DDC9268ULL}}},
// [51] = 51G
{{{0xBCBA4850C690D45BULL, 0x5A216CDFC9DAE3DEULL, 0x1B4BE8FBBE252012ULL, 0x463B3D9F662621FBULL}}, {{0x1CB377B01AF7307EULL, 0xC622E27C970A1DE3ULL, 0x43114306DD8622D7ULL, 0x5ED430D78C296C35ULL}}},
// [52] = 52G
{{{0xCA731921025FF695ULL, 0x7D36CFC8814C1B29ULL, 0x0294339CA3DA761FULL, 0x2B22EFDA32491A9EULL}}, {{0x30B83FD19ADC87CDULL, 0xC7048846D46ADE00ULL, 0x4C16662FC134FADCULL, 0x7ED520327080A9FAULL}}},
// [53] = 53G
{{{0xA32496B49998F247ULL, 0x6B98FAC14328A2D1ULL, 0x09232D4AFF3B5997ULL, 0xF16F804244E46E2AULL}}, {{0xD6579962C4E31DF6ULL, 0x2A6C53C26E5CCE26ULL, 0x13D206FCDF4E33D9ULL, 0xCEDABD9B82203F7EULL}}},
// [54] = 54G
{{{0x249971067C1D506BULL, 0x3447BE24500CA7A5ULL, 0x1C8331FD47A2E5FFULL, 0x4FDCB8FA639CEE44ULL}}, {{0x90F3743D00FDAEFBULL, 0x422CC82409D50796ULL, 0xAE4D91EB555010AAULL, 0x25A5208B674BFD4CULL}}},
// [55] = 55G
{{{0x369E15F7151D41D1ULL, 0x5D245315ACE27C65ULL, 0xB0352B7A14311AF5ULL, 0xCAF754272DC84563ULL}}, {{0xC32F908318A04476ULL, 0x5F4FA9B7962232A5ULL, 0xA41B643FA5E46057ULL, 0xCB474660EF35F5F2ULL}}},
// [56] = 56G
{{{0x48894A2BD3460117ULL, 0xAFE5FD8D103F827EULL, 0x27740C2BBFF05B6AULL, 0xBCE74DE6D5F98DC0ULL}}, {{0xF216512417C9F6B4ULL, 0x4F7CE5C6FC73A6F4ULL, 0x525A3E7DBF0D8D5AULL, 0x5BEA1FA17A41B115ULL}}},
// [57] = 57G
{{{0x24497BC86F082120ULL, 0x44A09C07CB86D7C1ULL, 0xF85D0F1709979D8BULL, 0x2600CA4B282CB986ULL}}, {{0x4B0BE9475A7E4B40ULL, 0x5AC6BE74AB5F0EF4ULL, 0xA693B03FCDDBB45DULL, 0x4119B88753C15BD6ULL}}},
// [58] = 58G
{{{0x742B761C49B46D3BULL, 0x764C1EF4094EE4B6ULL, 0x1540CBC9BF962CF4ULL, 0x45562F033698FACAULL}}, {{0x99025EC62B034E02ULL, 0x64558508362BC5FCULL, 0xACF931BFBD9C32A2ULL, 0x9403D11A2B419EDAULL}}},
// [59] = 59G
{{{0xC602A7746998E435ULL, 0x01C48685E24F7DC8ULL, 0x338EC53CD12220BCULL, 0x7635CA72D7E8432CULL}}, {{0xD9E76F302C5B9C61ULL, 0x4ECFC061D57048BAULL, 0x3D1D5E590F78E6D7ULL, 0x091B649609489D61ULL}}},
// [60] = 60G
{{{0xD2ACFC4D5FB8C192ULL, 0x350C778AC8A30E57ULL, 0x8FE0CF28FF1D8822ULL, 0x01257E93A78A5B7DULL}}, {{0xB54E3D341904A1A7ULL, 0xA7CC69244F295166ULL, 0x042DAD154E1116EDULL, 0x1124EC11C77D356EULL}}},
// [61] = 61G
{{{0xC1A50743BF56CC18ULL, 0xB7F2B33479D468FBULL, 0xDBBF4A87DEEE8A66ULL, 0x754E3239F325570CULL}}, {{0x0C5D98093C536683ULL, 0x23EE33D0197A695DULL, 0xB3CD0ED304EA49A0ULL, 0x0673FB86E5BDA30FULL}}},
// [62] = 62G
{{{0xBF07F6894C04F299ULL, 0x3C4D66A91706EDECULL, 0x84A271333F7FBD04ULL, 0x108443B948D15535ULL}}, {{0x5B04403DB9581A9FULL, 0xD60282D32ADFCA55ULL, 0xF055520D4DB8C49FULL, 0x4E7B5DABA34FBCF9ULL}}},
// [63] = 63G
{{{0x9FE2694691D9B9E8ULL, 0x330800661D1C952FULL, 0xFF57859C82D570F0ULL, 0xE3E6BD1071A1E96AULL}}, {{0x67002AF4920E37F5ULL, 0xA5A2283993E90C41ULL, 0x40C0AA58379A3CB6ULL, 0x59C9E0BBA394E76FULL}}},
// [64] = 64G
{{{0xE37918E6F874EF8BULL, 0xFC4C6F1DCDBAFD81ULL, 0x0B1051EAF832823CULL, 0xBF23C1542D16EAB7ULL}}, {{0x4DC37EFE66831D9FULL, 0xC522FC54811E2F78ULL, 0x7AD928A0BA5392E4ULL, 0x5CB3866FC3300373ULL}}},
// [65] = 65G
{{{0x4CC47FDCF04AA6EBULL, 0xC4CCB1F32BA35F4BULL, 0x26AE73D88F732985ULL, 0x186B483D056A0338ULL}}, {{0xA4A797F86E80888BULL, 0x21FB8090895138B4ULL, 0x2E17446E204180ABULL, 0x3B952D32C67CF77EULL}}},
// [66] = 66G
{{{0x7B54D781FF03D722ULL, 0x3A5B3ABCD29189BFULL, 0xE3A7B7B92B6C439FULL, 0x079264C4B4BFCD7FULL}}, {{0xE3071C74B063C5E1ULL, 0xAA2C8068F1845197ULL, 0x92999EE9C438D47EULL, 0x6F6F0E0784EADA9FULL}}},
// [67] = 67G
{{{0x1A8321724CE0963FULL, 0x5442E6D2B737D9C9ULL, 0x44C98561F4BE4F72ULL, 0xDF9D70A6B9876CE5ULL}}, {{0x17B8C45CF2BA2417ULL, 0xB157222720EF9DA2ULL, 0x5F862B785DC39D4AULL, 0x55EB2DAFD84D6CCDULL}}},
// [68] = 68G
{{{0x980BB7B87C78B8E9ULL, 0x4B795B416E702C1CULL, 0xB673BACB5CB7CA55ULL, 0x70E6B44A2AC6083AULL}}, {{0x4FF98B2AAE170CF8ULL, 0x0A0D0E6436DA1675ULL, 0x4173867AB5324BE4ULL, 0x49BA3203048E06D8ULL}}},
// [69] = 69G
{{{0x5DE64C5F34CE7143ULL, 0xAB52554F849ED899ULL, 0x497CA815D5DCE0F8ULL, 0x5EDD5CC23C51E87AULL}}, {{0xCDC706AB7399A868ULL, 0xC13C66C0D17A2905ULL, 0x61E8CEC030C89AD0ULL, 0xEFAE9C8DBC141306ULL}}},
// [70] = 70G
{{{0xF959C495A3BE5440ULL, 0x1FB66F6861C84A35ULL, 0x4F1420DD3B90D344ULL, 0xC00BE8830995D1E4ULL}}, {{0xA2043E7791C51BB7ULL, 0x56EFE24D228BFE6EULL, 0x0DE652A340600C73ULL, 0xECF9665E6EBA4572ULL}}},
// [71] = 71G
{{{0x722D362F84614FBAULL, 0x7AA3FBA1C355B17AULL, 0xDA12FE02287E9E77ULL, 0x290798C2B6476830ULL}}, {{0x6D003AFD41943E7AULL, 0x5B29C094DB2A2314ULL, 0x988D00BCF79AF25DULL, 0xE38DA76DCD440621ULL}}},
// [72] = 72G
{{{0x659032865FF5154CULL, 0x1E988D693DF4A1FBULL, 0xECB4B17F84F42D8CULL, 0xA8F2C94E19D9D829ULL}}, {{0xF9DDC14E86BE1EBFULL, 0xFAD3DA15D691EFA4ULL, 0x462E21F336A8971DULL, 0x3F1D72D253A01DFCULL}}},
// [73] = 73G
{{{0x62DFDECEF4053B45ULL, 0xCD29552FE3602573ULL, 0x054754EFA150AC39ULL, 0xAF3C423A95D9F5B3ULL}}, {{0xBC2FEDED498FD9C6ULL, 0xC8CD5AA667A15581ULL, 0x9A93B0E6F35CFB40ULL, 0xF98A3FD831EB2B74ULL}}},
// [74] = 74G
{{{0x6E37B93C5C478840ULL, 0xFD6B072C4FBB8D47ULL, 0x9C052CEBBFBB7E9DULL, 0x2773840FCF4E9E45ULL}}, {{0x9D3A95324E543C49ULL, 0x9AFD48BBC2A2CFB4ULL, 0x74EAA876AA416CF5ULL, 0xCC26479830E10370ULL}}},
// [75] = 75G
{{{0x8D2FED50D884249AULL, 0x06BB66B26DCF98DFULL, 0xCCCAA28C99BF2749ULL, 0x766DBB24D134E745ULL}}, {{0x2C924F97CBAC5996ULL, 0x97584A65FA06CEDDULL, 0x8DCC887980DA38B8ULL, 0x744B1152EACBE5E3ULL}}},
// [76] = 76G
{{{0x3FE397C5B3300B23ULL, 0xAC44BD64C7BAE07CULL, 0x278D0D7420A88DF0ULL, 0x96516A8F65774275ULL}}, {{0x7F6BF255F1337FF0ULL, 0xB2F75AB36207E155ULL, 0x108C0A99D567FBA9ULL, 0xBDACD9A05FB9FB73ULL}}},
// [77] = 77G
{{{0xCE92E666191ABE3EULL, 0x45F7B44F6C596A58ULL, 0xA21277C33784F416ULL, 0x59DBF46F8C94759BULL}}, {{0xD85E216C4A307F6EULL, 0x42CE739A7919798CULL, 0x0F4EA6CE648309A0ULL, 0xC534AD44175FBC30ULL}}},
// [78] = 78G
{{{0xBB3D3D987058C8AEULL, 0x0E7E555BD9114950ULL, 0x7EFE354DB9F95FE7ULL, 0x2DDF7BBCFE114E80ULL}}, {{0xEB13F199399F4EC9ULL, 0x90F3408491C470B4ULL, 0x2E754603B426BC0DULL, 0xEC93E49C88FC8565ULL}}},
// [79] = 79G
{{{0xB62DC6018CFD87B8ULL, 0xDD647E711A95E73CULL, 0x305E691E74E9A4A8ULL, 0xF13ADA95103C4537ULL}}, {{0x0778419BDAF5733DULL, 0x6949E21A6A75C257ULL, 0x63BF4BC808341F32ULL, 0xE13817B44EE14DE6ULL}}},
// [80] = 80G
{{{0x0ECD31E14F87F62EULL, 0x10E6E63863716127ULL, 0x0D7C744ED34659F0ULL, 0xE9623BBEF1BF90ECULL}}, {{0x53013EAFA44EE737ULL, 0xFE6043C9DD68844EULL, 0xE0FE953A8EDAA929ULL, 0x38A9743B4BC299E9ULL}}},
// [81] = 81G
{{{0x488550015A88522CULL, 0xDA1869C06EBADFB6ULL, 0x6D4167A2C59CCA4CULL, 0x7754B4FA0E8ACED0ULL}}, {{0x37A48B57841163A2ULL, 0x8D1E4E350B6CBCC5ULL, 0x224B967C3020B8FAULL, 0x30E93E864E669D82ULL}}},
// [82] = 82G
{{{0x9E594FECC13B59DFULL, 0xBE89B397B454C8B5ULL, 0x0A37C28E771C6CB4ULL, 0xE35BC6BB1B05B213ULL}}, {{0xC128B757CDD92ACBULL, 0x358EB4E66A331B76ULL, 0x9C4D07D56A198DECULL, 0x21868874CC2CB5A7ULL}}},
// [83] = 83G
{{{0xA6828C99E2262519ULL, 0x01858F95DE8041D2ULL, 0xAA3874D46ABEF9D7ULL, 0x948DCADF5990E048ULL}}, {{0xCBBA2CAE5347D57EULL, 0xDF9154EFBD2EF1D2ULL, 0xD5D28A3224B1BC25ULL, 0xE491A42537F6E597ULL}}},
// [84] = 84G
{{{0xE5626BAAF6812379ULL, 0xA1ECDBABDCFCCD39ULL, 0xD3330A7F05A58614ULL, 0x87C01E27D84DA2DBULL}}, {{0x0E5EC95EE2A1ECEEULL, 0x420E76859E59E54EULL, 0x64EF68644823BE8AULL, 0x90E9991A7304206AULL}}},
// [85] = 85G
{{{0x70328A8A3D7C77ABULL, 0xFB224CF5AC0BFA15ULL, 0x89C7B48F8202EC37ULL, 0x7962414450C76C16ULL}}, {{0x60AFA5B29DB83437ULL, 0x12507A051F04AC57ULL, 0x0D5C1FC133EF6F6BULL, 0x100B610EC4FFB476ULL}}},
// [86] = 86G
{{{0xE4749682DE46EEACULL, 0x9DE2D0E222575F22ULL, 0x070FB906BCED4409ULL, 0x497C83C39C76E56DULL}}, {{0xA7ED795B923B9722ULL, 0x7AE69493FDA866F8ULL, 0x4653A557449FF8B2ULL, 0x9807DA341A297EE8ULL}}},
// [87] = 87G
{{{0xB0DD085137EC47CAULL, 0x5A16977225B8847BULL, 0xB15B160644D91548ULL, 0x3514087834964B54ULL}}, {{0x7E7D15A0DE293311ULL, 0x6039E77C15C2378BULL, 0x8E1652C48E8127FCULL, 0xEF0AFBB205620544ULL}}},
// [88] = 88G
{{{0xF7086353A80C44FEULL, 0x16D1CFDA1B054DA5ULL, 0x3D81D3E1EF66CDABULL, 0xA8AF384E794930E6ULL}}, {{0xE3AB823D6581CC28ULL, 0xAF9915F0377906F1ULL, 0xCB32648C493AF7DEULL, 0xA24D6D07EDE1CEDEULL}}},
// [89] = 89G
{{{0x42943D3F7B527EAFULL, 0x93E947EB8DF787B4ULL, 0xC79CE2C9DD8BC549ULL, 0xD3CC30AD6B483E4BULL}}, {{0xAFB34DB04EEDE0A4ULL, 0x3C2AD46290358630ULL, 0x89C5E9BE8F9508AEULL, 0x8B378A22D827278DULL}}},
// [90] = 90G
{{{0x2AF2E606110CC919ULL, 0x216CBBC90D97AED6ULL, 0xFE540E4B0664410FULL, 0xEB49FD9F510469F4ULL}}, {{0x4C481324A6C8912BULL, 0x5D6406CBFCD76E17ULL, 0x34DB14F93706891DULL, 0x6E638DF7A9105BBCULL}}},
// [91] = 91G
{{{0x3975BA0FF4847610ULL, 0x2B29823DB913F649ULL, 0xCE1C78FCBFEFE08BULL, 0x1624D84780732860ULL}}, {{0xCC06E2A404078575ULL, 0x896878F5282BE4C8ULL, 0x0914448C6CD9D4CAULL, 0x68651CF9B6DA903EULL}}},
// [92] = 92G
{{{0xF6639D49C8704818ULL, 0xD3A6172D6511C68BULL, 0xB435DB84A21605A7ULL, 0xDE1D35CBC6308CC5ULL}}, {{0x75D5E1F0201F1DEDULL, 0x823AC662E052FA27ULL, 0x2AAF43C6B4E4EBF1ULL, 0xD03CE0B8EF7AA8AAULL}}},
// [93] = 93G
{{{0x6DF7B4FD5FC61CD4ULL, 0x5192474B5AF207DAULL, 0x6902C95633E62A98ULL, 0x733CE80DA955A8A2ULL}}, {{0xC54673BC1DC5EA1DULL, 0x3E1EF8E0201E4578ULL, 0x485A4D8B8DB9FCCEULL, 0xF5435A2BD2BADF7DULL}}},
// [94] = 94G
{{{0xBF6DCD5710E682F2ULL, 0xC134BCD7D6F35919ULL, 0x24120CA18648961AULL, 0x84DF2E6E5E84CDFFULL}}, {{0x79B16D545167625EULL, 0x8935E6D57F30002AULL, 0xC5339C7D978E3B74ULL, 0x1D1D201C7C29525CULL}}},
// [95] = 95G
{{{0xEF258DFAB81C045CULL, 0x8966C5092171E699ULL, 0xCF1A1C33BBD3B49FULL, 0x15D9441254945064ULL}}, {{0xFC37BBE9EFE4070DULL, 0x434800BACEBFC685ULL, 0x34F5137B73B84177ULL, 0xD56EB30B69463E72ULL}}},
// [96] = 96G
{{{0x43933ACA7F8CB0E3ULL, 0xA22EB53FE1EFE3A4ULL, 0x8FA64E044B2EB72EULL, 0x3F0E80E574456D8FULL}}, {{0xCB0289E2EA5F404FULL, 0x9501253AA65B53A4ULL, 0xE90B9C08485D01B3ULL, 0xCB66D7D7296CBC91ULL}}},
// [97] = 97G
{{{0xAC138599D0717940ULL, 0x1C21417C9D2B8AAAULL, 0xB612136E5CE70D27ULL, 0xA1D0FCF2EC9DE675ULL}}, {{0x19212D39C197A629ULL, 0x641462A54070F3D5ULL, 0xB2E90737309667F2ULL, 0xEDD77F50BCB5A3CAULL}}},
// [98] = 98G
{{{0xD637AB63EF91E5B4ULL, 0x191110FD2E9122ABULL, 0x39BF1C39D65F194DULL, 0x4752F85486208311ULL}}, {{0x654F3EE5C9E6C1C2ULL, 0xB6F36B14FBF54AD1ULL, 0x6EC19E9CE26AE4BDULL, 0xC80F1D852659B418ULL}}},
// [99] = 99G
{{{0xC7CA37331CB36980ULL, 0xA790BADEE8245C06ULL, 0x5780C0735F84DBE9ULL, 0xE22FBE15C0AF8CCCULL}}, {{0xE43D06D77D31DA06ULL, 0xA38289154964799BULL, 0x88B430A69F53A1A7ULL, 0x0A855BABAD5CD60CULL}}},
// [100] = 100G
{{{0x0221B4CEF7500F88ULL, 0x3EE306B3406A2689ULL, 0x2E174C835FB72BF5ULL, 0xED3BACE23C5E1765ULL}}, {{0xFCE17AD5E335286EULL, 0x97BD17BE084895D0ULL, 0xDCDA5E8A7A1F87BFULL, 0xE57A6F571288CCFFULL}}},
// [101] = 101G
{{{0x4009452246CFA9B3ULL, 0x69635E394704EAA7ULL, 0x0EE13473C1155F5FULL, 0x311091DD9860E8E2ULL}}, {{0xBD80F0B1286D8374ULL, 0x871EC5A64FEEE685ULL, 0xFFD1F04788C06830ULL, 0x66DB656F87D1F04FULL}}},
// [102] = 102G
{{{0x00E5D46389103C7EULL, 0x74E3A1B9D30671F8ULL, 0xD9BED6F42DC6A289ULL, 0x3049F7FFC71D744BULL}}, {{0xC7032F99470BEF44ULL, 0xDFEFDEFD1262BCA4ULL, 0x7F86709D01D2B66EULL, 0xFAE7BC16185FC1A6ULL}}},
// [103] = 103G
{{{0x1867D4232EC2DBDFULL, 0x883928B45A934078ULL, 0xB31C0442D3E6AC24ULL, 0x34C1FD04D301BE89ULL}}, {{0xC5321857BA73ABEEULL, 0xD57F1CEEB487443DULL, 0x54BD46F730174136ULL, 0x09414685E97B1B59ULL}}},
// [104] = 104G
{{{0x203F636EE00926DCULL, 0xDB0DF90ECD4C9483ULL, 0x1FB52A688D9D6FE6ULL, 0x1880C9AD32FBB07EULL}}, {{0x0E6DB815548473CCULL, 0x99AC0B24E3A90C27ULL, 0x0B7F1C9750E28AFEULL, 0xA20C096CF36367BFULL}}},
// [105] = 105G
{{{0xCC2A5E6B049B8D63ULL, 0x8D13F3ABBCD08AFFULL, 0x1C14DE5B557EB42AULL, 0xF219EA5D6B54701CULL}}, {{0xD8C2962A400766D1ULL, 0xF4B08D3C07B27FB8ULL, 0xF73AF4544CCCF6B1ULL, 0x4CB95957E83D40B0ULL}}},
// [106] = 106G
{{{0x90C7F04F8ACCB725ULL, 0x888043B17BCBE914ULL, 0x72310DB34C1E79F3ULL, 0x1FC757D383E42507ULL}}, {{0x2F80FD5DC15E76BDULL, 0x9A859739BEA9B37EULL, 0x9297FF08E74DF0BDULL, 0xB4D0E7EF521C1C81ULL}}},
// [107] = 107G
{{{0x7236912469A0B448ULL, 0x543A5490BCA62708ULL, 0xB1F683DB8F45DE26ULL, 0xD7B8740F74A8FBAAULL}}, {{0x411E0315EAA4593BULL, 0xFF15DB5ED3C049B3ULL, 0xE1010F337AD4717EULL, 0xFA77968128D9C92EULL}}},
// [108] = 108G
{{{0x81C5845BB834C21EULL, 0x853B0F22B8925D5DULL, 0x20391CEF85374576ULL, 0x7E660BEDA020E9CCULL}}, {{0x21EAEF2C7208E409ULL, 0x6A8FEDC6F9E8EAD4ULL, 0x806527D1DAF1BBB9ULL, 0x2D114A5EDB320CC9ULL}}},
// [109] = 109G
{{{0x9FE4D3091AA824BFULL, 0xAD5BCD32ABDD9428ULL, 0xF86F7C98D3A3335EULL, 0x32D31C222F8F6F0EULL}}, {{0x118D14B8462E1661ULL, 0x2E6DAC9E6F26E961ULL, 0x9CCD3D7915B9E1DAULL, 0x5F3032F5892156E3ULL}}},
// [110] = 110G
{{{0xF745DDAA42583D11ULL, 0x7B00F024A9728087ULL, 0xFA735FC4FCD0AB7CULL, 0x3BB9AEC1F1EB9EC7ULL}}, {{0x21EE1BAEF2BB04CDULL, 0xCD14D9DD764D4726ULL, 0x6AF5B9DD4A6600D7ULL, 0x9AE0247B2342180CULL}}},
// [111] = 111G
{{{0x340F86CBC18347B5ULL, 0x8793D77CD59592C4ULL, 0x71045A155D9831EAULL, 0x7461F371914AB326ULL}}, {{0xB39847B3CC092FF6ULL, 0x2EEE1FF50C986EA6ULL, 0xCBDDDCAE0AA44254ULL, 0x8EC0BA238B96BEC0ULL}}},
// [112] = 112G
{{{0xEB0AADF82A8D733CULL, 0xFFC274BF62FCA8F9ULL, 0x0884A36F2080D682ULL, 0xBC82DD73E5161DBAULL}}, {{0x1E786104F47797F0ULL, 0xAE93A0BAE7389730ULL, 0x54A9B4BF719F02DFULL, 0xE5F28C3A044B1CACULL}}},
// [113] = 113G
{{{0x287698BAD7B2B2D6ULL, 0x6D716B2C3E67453DULL, 0x74356A25AA38206AULL, 0xEE079ADB1DF18600ULL}}, {{0xEBAAC479EC1C8C1EULL, 0xA446989AF04C4E25ULL, 0x4C5F37E0ECC5F9F6ULL, 0x8DC2412AAFE3BE5CULL}}},
// [114] = 114G
{{{0xBD95EC557A93EAB5ULL, 0x88D6B130B16695E5ULL, 0x93CC339096D66AD5ULL, 0xB74F0C165B4A9435ULL}}, {{0x3B98E9611F5DC208ULL, 0x90AB454E65E5EC9EULL, 0xBC306C9B6C15494AULL, 0x646FA5B5FCDAD2D3ULL}}},
// [115] = 115G
{{{0x2BFD8616BA9DA6B5ULL, 0xE65DE331874C9DC7ULL, 0x467B18302EE620F7ULL, 0x16EC93E447EC83F0ULL}}, {{0x9626778E25B0674DULL, 0x9D58186A50E49713ULL, 0xD0E8C2A7CA5804A3ULL, 0x5E4631150E62FB40ULL}}},
// [116] = 116G
{{{0x9306FE7F8957F489ULL, 0xEF6CC374CE143846ULL, 0xF81EEE193A3AF355ULL, 0xFC6040FE245682CDULL}}, {{0x5D4E075E32808785ULL, 0xED8BD517407373FDULL, 0xF656A354B9C92684ULL, 0x28312A55765D0435ULL}}},
// [117] = 117G
{{{0x85B96065D537BD99ULL, 0xD8855897F98B6AA4ULL, 0x38978290AFA70B6BULL, 0xEAA5F980C245F6F0ULL}}, {{0xB18041024EDC07DCULL, 0xD784869D7E6EA67FULL, 0x19A528391C994624ULL, 0xF65F5D3E292C2E08ULL}}},
// [118] = 118G
{{{0x3EC1775D0FADAE00ULL, 0x1DC81F9C32BB84A5ULL, 0x53DE84833CCFFDB3ULL, 0xA7C0EA7395D87852ULL}}, {{0xF58513F8FB152BCEULL, 0x19E16B89CE982871ULL, 0x3F876FF45961A83CULL, 0xA26BECC5EA1819D3ULL}}},
// [119] = 119G
{{{0xA96C4B6B35A49F51ULL, 0x58AE04877151342EULL, 0x692EE1910A024399ULL, 0x078C9407544AC132ULL}}, {{0x62B675F194A3DDB4ULL, 0xFA1FBD583C064D24ULL, 0xD5404795539A5E68ULL, 0xF3E0319169EB9B85ULL}}},
// [120] = 120G
{{{0x9CAA00F574ADC826ULL, 0x89E7020E8E0BECB7ULL, 0xBD3FF25E9D1667FAULL, 0xDD5BA67CFB807824ULL}}, {{0x94A0753A915B644CULL, 0x42425D84290545F2ULL, 0xD0D6E193AAAF5A56ULL, 0xD6B837116FA89FA1ULL}}},
// [121] = 121G
{{{0x726578D9702857A5ULL, 0x01CDC8AE7A6FC688ULL, 0x16DCD838431AEA00ULL, 0x494F4BE219A1A770ULL}}, {{0x55F4B031880D562CULL, 0xF925CE30D767ED6EULL, 0x39BA7F075E36BA2AULL, 0x42242A969283A5F3ULL}}},
// [122] = 122G
{{{0xE0A3BFDA73176237ULL, 0x7BF7DDAF568A5FB9ULL, 0xD23F25EFBA0F6DD8ULL, 0x139AE46A1133F1F9ULL}}, {{0x3E6EC481A8991472ULL, 0xB8A5FFBEB480BA0EULL, 0x63FD238833A12188ULL, 0x00995E555C8AABD2ULL}}},
// [123] = 123G
{{{0xBF4C1E665C1FE9B5ULL, 0xD28211EA58FAA70EULL, 0x6BC7F2F5144EA549ULL, 0xA598A8030DA6D86CULL}}, {{0x10026DBD2D864E6BULL, 0x23FC63B65B35F86AULL, 0x7E4B4A7140737AECULL, 0x204B5D6F84822C30ULL}}},
// [124] = 124G
{{{0x9A7B09B1029471E3ULL, 0xB8FFEA50EC08422AULL, 0x685BB8C12419BBF5ULL, 0xF90B89D53BDC724AULL}}, {{0x7048C13FEB4785F6ULL, 0x1A652CB086EE45D5ULL, 0x1AAA132D75F7515FULL, 0x672BD987C7E383BAULL}}},
// [125] = 125G
{{{0x4DBADC3E58595997ULL, 0x208F020F12570A18ULL, 0x09192F5F2DBEAFECULL, 0xC41916365ABB2B5DULL}}, {{0xED16E96B58FA9913ULL, 0xD5CAF9450F34BFC0ULL, 0x49D245B328984989ULL, 0x04F14351D0087EFAULL}}},
// [126] = 126G
{{{0x6938AD32C494B319ULL, 0x9F055DD3C1C7E533ULL, 0x2E1E0BA01AD1A0F8ULL, 0x6DF7B5A7A126A611ULL}}, {{0xEB09520A981FDF32ULL, 0xA81EFA6B414A583EULL, 0xB290CF45325AF0B4ULL, 0x9E2599B420982535ULL}}},
// [127] = 127G
{{{0xE4C73A5514742881ULL, 0x92A2E0D2E0A36ACFULL, 0x5A724604DA03BC5BULL, 0x841D6063A586FA47ULL}}, {{0xE7A36DE01A8D6154ULL, 0xE62562D6744C169CULL, 0x1904F9A1C7543698ULL, 0x073867F59C0659E8ULL}}},
// [128] = 128G
{{{0x647077456769A24EULL, 0xBCF55CD700535655ULL, 0x696C3D09F7D1671CULL, 0x34FF3BE4033F7A06ULL}}, {{0x8491067A73CC2F1AULL, 0x55DF16C3E8F8B681ULL, 0x3F6619D89832098CULL, 0x5D9D11623A236C55ULL}}},
// [129] = 129G
{{{0xED112AC4D70E20D5ULL, 0x282B33810928BE4DULL, 0x76026947F89BDE2FULL, 0x5E95BB399A6971D3ULL}}, {{0x161384C746012865ULL, 0xA99C9AED7D8BA38BULL, 0xEEBFC71181313775ULL, 0x39F23F366809085BULL}}},
// [130] = 130G
{{{0x6E731B06C6F51CD8ULL, 0xA0E70ED205C5E94DULL, 0x74E67F1D7052F398ULL, 0x9DDA94404337DB14ULL}}, {{0x7D5FA49229D31669ULL, 0x306A0A11FDD22B0DULL, 0xAE6FAE38ED6D2EC4ULL, 0x0065A58128F755AFULL}}},
// [131] = 131G
{{{0xF99471BCA0EF2F66ULL, 0x5EC07564B5315D8BULL, 0x76C39F8A99FD974EULL, 0x36E4641A53948FD4ULL}}, {{0x6FD51CF5694C78FCULL, 0x56EA13493FD563E0ULL, 0x164227B085C9AA94ULL, 0xD2424B1B1ABE4EB8ULL}}},
// [132] = 132G
{{{0x45D2AE2AE38947D7ULL, 0x7ED3C170C45E44D4ULL, 0x361BCD154301FF4BULL, 0x8A93046D22897B40ULL}}, {{0xE9002DCCB1AF50CEULL, 0x43DDF472FBB16491ULL, 0x29CA19B9110C315BULL, 0xB227F7D021263C6FULL}}},
// [133] = 133G
{{{0xAEAB27C2C579F726ULL, 0xF5643842170E914FULL, 0x90C191A2F507A41CULL, 0x0336581EA7BFBBB2ULL}}, {{0xF3DCDCABD2FDA224ULL, 0x91F7AB1410CD1E0EULL, 0x99252129B6E56B33ULL, 0xEAD12168595FE1BEULL}}},
// [134] = 134G
{{{0x2B1F39BEC59B9618ULL, 0xF17D3F1F5EEAFB4EULL, 0x75E8B46DC5A91925ULL, 0xD5F66020BDD383A8ULL}}, {{0x17C5DE9E6F3AA216ULL, 0x879B9AB8E9B75D4AULL, 0x11263A75D9328A1CULL, 0x8F8C3EEC190DF3D1ULL}}},
// [135] = 135G
{{{0x849742706BD43EDEULL, 0x03781025ED6890C4ULL, 0xA1F2634FCF00EC84ULL, 0x8AB89816DADFD6B6ULL}}, {{0x58A47A9129CDD24EULL, 0x503D459C3E898458ULL, 0x44E654AEF624136FULL, 0x6FDCEF09F2F6D0A0ULL}}},
// [136] = 136G
{{{0x3F667F69D0D97018ULL, 0xAFE835FECA1575E9ULL, 0x5F5F8D2AAF30FC6DULL, 0xF25F6E271E231DFDULL}}, {{0x369EE69A35B4AF25ULL, 0x8BE2FF17F252CEBDULL, 0xD2946AF2A8737BB6ULL, 0xBAB2192B75324599ULL}}},
// [137] = 137G
{{{0x4BB40284B8C5FB94ULL, 0x20B0938E8ACFF254ULL, 0x8133344D9299FCAAULL, 0x1E33F1A746C9C577ULL}}, {{0xE33A7D2057F3B3B6ULL, 0x2306D320F1D03010ULL, 0xA9C8ED618D24EDFFULL, 0x060660257DD11B3AULL}}},
// [138] = 138G
{{{0x5EA937913CCF1095ULL, 0x6F0328BC6EDA337BULL, 0x9541A803535B09DCULL, 0x0F1DD626B9722019ULL}}, {{0xFEB77705FC25F516ULL, 0xE17549340A46831AULL, 0x4286AE3F103A2074ULL, 0xF46BFB389FDB7CE4ULL}}},
// [139] = 139G
{{{0xA410361FD8F08F31ULL, 0x0ED1F4CC18CBCFCFULL, 0xEE7F30DED79DD20AULL, 0x85B7C1DCB3CEC1B7ULL}}, {{0xC6FED3C35E999511ULL, 0xFCAFAD1895D7A633ULL, 0xF39048F25A8847F4ULL, 0x3D98A9CDD026DD43ULL}}},
// [140] = 140G
{{{0xB92D2F1129289FA9ULL, 0xFA4ACB89CD7D9487ULL, 0x888C0A54CE408B48ULL, 0x9358BF4E626CE79AULL}}, {{0x5530A39D2E8D7639ULL, 0xB34905A2087E6A25ULL, 0x57337B85CCACBB62ULL, 0x5AF11032704E83D0ULL}}},
// [141] = 141G
{{{0x72A2800661AC5F51ULL, 0x7FBE9A3B878A7AF8ULL, 0x9275F4B125D6D45DULL, 0x29DF9FBD8D9E4650ULL}}, {{0xCD2876EB2A27D84BULL, 0xDA61DC861C019E55ULL, 0x6E2D8862179139FFULL, 0x0B4C4FE99C775A60ULL}}},
// [142] = 142G
{{{0xC9F81B66FF472ADBULL, 0xB5E571AF914FE014ULL, 0x6ADC31B4E7830036ULL, 0xEF68A2C7AD33241DULL}}, {{0x786EF55EBE29887EULL, 0x2ABE221A176D0E2EULL, 0xE8842C4BFD67C46CULL, 0x202632E371066766ULL}}},
// [143] = 143G
{{{0x8082B2E449FCE252ULL, 0xDFE58CA2F768105CULL, 0x3FEA6E671AAF8ADFULL, 0xA0B1CAE06B0A847AULL}}, {{0x50F049503A296CF2ULL, 0x6B72DA1834AFF0E6ULL, 0xEC4B19D917A6A28EULL, 0xAE434102EDDE0958ULL}}},
// [144] = 144G
{{{0xD7EFE2315FBC7671ULL, 0x743F1BC852858E32ULL, 0xD20291CE1798F490ULL, 0x8E3D1248C7657211ULL}}, {{0x7EF1DC6418717DECULL, 0xB9352BAAA63E144AULL, 0xF64480E19393E90EULL, 0x099A48E10ECFCB81ULL}}},
// [145] = 145G
{{{0xA113F2E4C0E121E5ULL, 0xB499DFB3B2133E4BULL, 0x36DC7FF67E840295ULL, 0x04E8CEAFB9B3E9A1ULL}}, {{0xB827CE62A326683CULL, 0x422C086A63460502ULL, 0x4B48F6D534CE5C79ULL, 0xCF2174118C8B6D7AULL}}},
// [146] = 146G
{{{0x5DFB298429952152ULL, 0x1CF5E707C8F3050DULL, 0x08A0E679D9EEA6A8ULL, 0x7B732AF34077F331ULL}}, {{0x8F163904BAD1C7CFULL, 0x3E0012F6AF5C01DFULL, 0xB92FD08559EE2A71ULL, 0x17C4D13C535BE360ULL}}},
// [147] = 147G
{{{0xF42725C2B789A33BULL, 0x0A5076689A010919ULL, 0x5AFB81C7CA2F6908ULL, 0xD24A44E047E19B6FULL}}, {{0x2CDEC417AFEA8FA3ULL, 0x013F996887B8244DULL, 0xC63DB50F1C0F1C69ULL, 0x6FB8D5591B466F8FULL}}},
// [148] = 148G
{{{0xDF051B79DA14B6C3ULL, 0x6F02C24FBB10AE46ULL, 0x2718197EF17ED087ULL, 0xECC99B0CF89EF141ULL}}, {{0x6D5C41A70C1E9FDBULL, 0xE7C5F702206DC0E8ULL, 0x598A5284FC790673ULL, 0x04ABCDD05201E8BDULL}}},
// [149] = 149G
{{{0x5104E98E8E3B35D4ULL, 0x001EDD28ABBAB77BULL, 0x249FDFCFACB99584ULL, 0xEA01606A7A6C9CDDULL}}, {{0xCFD652188A3EA98DULL, 0xB7D4494BC2823700ULL, 0xCFBFE369F7A7B3CDULL, 0x322AF4908C7312B0ULL}}},
// [150] = 150G
{{{0xB908EA95E5EEBBEFULL, 0x09B16386BDE7F857ULL, 0x0C128AC00A410976ULL, 0x1F6014569D1203AEULL}}, {{0x91475348AC0DCE51ULL, 0xAFE9F96231D1D1C2ULL, 0x5A75A2A70908F483ULL, 0x82B83F8D79EC4B86ULL}}},
// [151] = 151G
{{{0x4AD196DE8CE2131FULL, 0x252007D8C5EA31BEULL, 0x6C6328655EB96651ULL, 0xAF8ADDBF2B661C8AULL}}, {{0xF3DFBCDB71749700ULL, 0x2520818680E26AC8ULL, 0x2A034EAFD096836BULL, 0x6749E67C029B85F5ULL}}},
// [152] = 152G
{{{0x419EB6997DEE8D17ULL, 0x2F127B76FF24D7B8ULL, 0xB603B7D515377322ULL, 0xE19D8D416B28EEEFULL}}, {{0x266E2D163FC83D99ULL, 0x0E2268C7D1679757ULL, 0x0FC534D42AECC459ULL, 0xA54B0056FBEB471BULL}}},
// [153] = 153G
{{{0x722F0E3450F45889ULL, 0xA674A3DABCFCA15EULL, 0x6CC516D47E0FB165ULL, 0x00E3AE1974566CA0ULL}}, {{0x3420A72EEB0BD6A4ULL, 0x0DE97E4874F81F53ULL, 0x16217F07BF4D0730ULL, 0x2AEABE7E45315101ULL}}},
// [154] = 154G
{{{0x8E7B0A261F997190ULL, 0x4A03A9C0107E1D63ULL, 0xBF7257C3B588E75BULL, 0x9EA5C218B98CC990ULL}}, {{0xBD249EEB28A2FEA2ULL, 0x9FABF3E9A060BD70ULL, 0xE74E6B0C79B53775ULL, 0xA049B1F4EEFC6732ULL}}},
// [155] = 155G
{{{0x075EA8CED397E246ULL, 0x01993FF3ED258802ULL, 0x1CF6993FFED1E3E3ULL, 0x591EE355313D9972ULL}}, {{0xEEE98F1A4BE5D196ULL, 0x1FF0B053D25CA2BDULL, 0xA60FC4775460C790ULL, 0xB0EA558A113C30BEULL}}},
// [156] = 156G
{{{0xD7A17C18F15A3699ULL, 0x5E603EB6750077ACULL, 0x5F13C7CC84C166D5ULL, 0xA8BE67D40815919CULL}}, {{0x65A2B31F88196C47ULL, 0xBAB1D00DB0DBC03AULL, 0x189B5D017F8FDB76ULL, 0x6DB068BBF5499243ULL}}},
// [157] = 157G
{{{0x077CF03255B52984ULL, 0xFA8584E47B084945ULL, 0xF19AA97318D8DA61ULL, 0x11396D55FDA54C49ULL}}, {{0xC5767BEA93EA57A4ULL, 0x4FF536B01B257BE4ULL, 0x289D5833A7BEB474ULL, 0x998C74A8CD45AC01ULL}}},
// [158] = 158G
{{{0x0F734AFB0A29F390ULL, 0xA53573822A6E94B3ULL, 0x36ECBE198E90FE71ULL, 0x915050C28C39EBFDULL}}, {{0xC121316A8DED4293ULL, 0x87A558DADAE0C580ULL, 0xDE8682090B6EC098ULL, 0x51559BE325B4D6D6ULL}}},
// [159] = 159G
{{{0x05540157E017AA7AULL, 0x8DCDFD5468754B64ULL, 0x90000738C9E0C40BULL, 0x3C5D2A1BA39C5A17ULL}}, {{0x61F79CA4C81BD257ULL, 0x0F9B8B9FDD270F66ULL, 0xF9D4DE7396FC18B8ULL, 0xB2284279995A34E2ULL}}},
// [160] = 160G
{{{0x05EC32AD51B03F6CULL, 0xA4D047122A9B184BULL, 0x2BC776838F73F576ULL, 0x308913A27A52D922ULL}}, {{0x60AB5EFCE8FE4C67ULL, 0xA8333FEA82BD1F12ULL, 0x91E3531F66C0375DULL, 0xF4A5B09543FEBE5FULL}}},
// [161] = 161G
{{{0x425EF8A1793CC030ULL, 0xFBC395AFB04AC078ULL, 0xA3A99A7299F2E9C3ULL, 0xCC8704B8A60A0DEFULL}}, {{0x940B74E3AC1F1B13ULL, 0xF395B74FC4BCDC4EULL, 0x1D1E0862DB347F8CULL, 0xBDD46039FEED1788ULL}}},
// [162] = 162G
{{{0x22109700780A7943ULL, 0x83FF4AC34A966EB8ULL, 0x97A3B8BC51BFA271ULL, 0xFBAF4EB5BDF8FE93ULL}}, {{0x52C0BB205D654A9DULL, 0x8209F6506FE4C0FFULL, 0x6571DE2ED92BCC04ULL, 0x36E7FF517AD79FABULL}}},
// [163] = 163G
{{{0xA204119B2889B197ULL, 0x7DD4DEFCCC53EE7EULL, 0xCD9777AC5CAD29B9ULL, 0xC533E4F7EA8555AAULL}}, {{0xBB8E0F45EB596096ULL, 0xD9B925BB4A4B3A26ULL, 0x9A2FB6242F1A43A2ULL, 0x6F0A256BC5EFDF42ULL}}},
// [164] = 164G
{{{0xA218A7BDA715E7BAULL, 0xB77BEEB53920DB82ULL, 0x91DD96717159E106ULL, 0xF62885CE55FF7BE2ULL}}, {{0x7EB8538D1DA95407ULL, 0x52BFE6A7B0DEAB60ULL, 0x656DF2F95983CFF2ULL, 0x74EB8317416FE8FDULL}}},
// [165] = 165G
{{{0xF566D48E33DA6593ULL, 0x69BA8C34EEC07BBCULL, 0x109F6D08D03CC96AULL, 0x0C14F8F2CCB27D6FULL}}, {{0xC0E8649113DC3A38ULL, 0x75B740DD098075E6ULL, 0xFD4473E16FE1C284ULL, 0xC359D6923BB398F7ULL}}},
// [166] = 166G
{{{0x56835FE50C9D3205ULL, 0x09F00C12CDC12C51ULL, 0xB41F30C4EFD7C491ULL, 0xA5822BD06C673E21ULL}}, {{0xB35F4EDA136D08A8ULL, 0x19B58FA4588CB4F5ULL, 0x487708EBEB652D9FULL, 0xA3BCD62645CEBA65ULL}}},
// [167] = 167G
{{{0xE441F72E0B90E6EFULL, 0x4C9739ED75F8F21CULL, 0xBAC24789FA17115AULL, 0xA6CBC3046BC6A450ULL}}, {{0x9862AFD617FA9B9FULL, 0x60CEB573C7060313ULL, 0xB130619E2C0F95A3ULL, 0x021AE7F4680E889BULL}}},
// [168] = 168G
{{{0xBAA1F1CDCBF2D359ULL, 0x695331569D729745ULL, 0xA663505914704A7BULL, 0x328BA6C70C404497ULL}}, {{0x4A6EFE1A786FCE55ULL, 0x287D8F897B2B1B47ULL, 0xA518BDC4C4E812E4ULL, 0xC8ECC2845917B7FFULL}}},
// [169] = 169G
{{{0x344B39F99D43CC38ULL, 0x130A3C0267D11CE6ULL, 0xEBFB86C1359B1CAFULL, 0x347D6D9A02C48927ULL}}, {{0x2689FF1E31C74448ULL, 0x6D565AB687870CB1ULL, 0x1C987F6ECEC92F08ULL, 0x60EA7F61A353524DULL}}},
// [170] = 170G
{{{0x4FA07B1B19160F3BULL, 0xCD0B27F7EEC5752FULL, 0x09EA89E83889FA4BULL, 0xF9502D540CA7D5ABULL}}, {{0x6B71DF5B05C81AE8ULL, 0xB6822F65E0A7A93BULL, 0xC4BA2FBD12803A7BULL, 0xA10CE6DB4859D825ULL}}},
// [171] = 171G
{{{0x855EF7437B72656AULL, 0xD47C67B1BF31C8CFULL, 0x83F7DCB375EF5866ULL, 0xDA6545D2181DB8D9ULL}}, {{0x7FEA824B77DC208AULL, 0x6673051B4935BD89ULL, 0x9E78F07CE5680C5DULL, 0x49B96715AB6878A7ULL}}},
// [172] = 172G
{{{0x8464AB4070AB2B7AULL, 0xD9C41961F668FDB6ULL, 0xF06E95D0665A4073ULL, 0xC4F942EA2B52A8CEULL}}, {{0x3592FC86703DAD66ULL, 0xECBDE264616C3F61ULL, 0x99A77F7FEABE8213ULL, 0xC6BD3CDF50B11F93ULL}}},
// [173] = 173G
{{{0xB9D5994B8FEB1111ULL, 0xEC25D6945D657146ULL, 0xA13B8148309C6DE7ULL, 0xC40747CC9D012CB1ULL}}, {{0xBB5E83037E0FA2D4ULL, 0x5DB936156B9514E1ULL, 0xC6DE6CAF2CB48956ULL, 0x5CA560753BE2A12FULL}}},
// [174] = 174G
{{{0xFA4F1BC1DA40F082ULL, 0x838230A85B762E92ULL, 0x48FC20EC98691ED6ULL, 0x69317694D15B16C5ULL}}, {{0x4DEF01604ED38E14ULL, 0xD61A7EC68024807AULL, 0x3F5624422BBC0ABCULL, 0xE39A66553AC9F9D6ULL}}},
// [175] = 175G
{{{0xC8203EF4037F3502ULL, 0x338C7F713348BD34ULL, 0xCCF3A610BE870E78ULL, 0x4E42C8EC82C99798ULL}}, {{0x0A94473693606437ULL, 0xA5492144CC54BCC4ULL, 0xA7A8B33A07783341ULL, 0x7571D74EE5E0FB92ULL}}},
// [176] = 176G
{{{0xF3287432BEB31DB2ULL, 0x8FCAE82788F506A0ULL, 0x896A193ED088A2B6ULL, 0x78A891AA2234A498ULL}}, {{0x3069D623B9FA4343ULL, 0x54379BCDD800B82DULL, 0xFCF5F25527302DF6ULL, 0x6912A35BEB5035CBULL}}},
// [177] = 177G
{{{0x87522A1B3B0DEDEAULL, 0xD251CADB0C867432ULL, 0x23ABA2E1AF70B236ULL, 0x3775AB7089BC6AF8ULL}}, {{0x42AD961409018CF7ULL, 0xAC8DB17BF7A76A2CULL, 0xBCB9736A828CFA7FULL, 0xBE52D107BCFA09D8ULL}}},
// [178] = 178G
{{{0x7632C5C33E4CB721ULL, 0xDCB079365966C543ULL, 0xAD4572C55B488607ULL, 0x192E787021B1E83EULL}}, {{0xBFD1E93BF71E23B9ULL, 0x81C36D5C8710BB68ULL, 0xD84C22CDD600EF63ULL, 0x6C8E5D14A501C926ULL}}},
// [179] = 179G
{{{0x46959E3E82F74E26ULL, 0xD954595D1314BA88ULL, 0x9D94FB814D3D775AULL, 0xCEE31CBF7E34EC37ULL}}, {{0x0F448A01C43B1C6DULL, 0x0149EF0BE14ED4D8ULL, 0x26B947AE2BCF6BFAULL, 0x8FD64A14C06B589CULL}}},
// [180] = 180G
{{{0x74818EE88F5E524FULL, 0x0C8C0AC8D1F6B993ULL, 0xCF58F7BC65A2514DULL, 0x8267F5F35E78F30DULL}}, {{0x21AB2902DA0FF381ULL, 0xC67205E31E72C170ULL, 0x8ECC5E35E976F77EULL, 0xB5CDCB48EE2CDCD6ULL}}},
// [181] = 181G
{{{0xCDC1A01D08B47986ULL, 0xFDDB58FD45B1EBEFULL, 0x19F6EA6A4EB5464EULL, 0xB4F9EAEA09B69176ULL}}, {{0xB24A8AC07200682AULL, 0x8BB131C012CA542EULL, 0x7433A4F18C61726FULL, 0x39E5C9925B5A54B0ULL}}},
// [182] = 182G
{{{0x9169E4EA2B19A602ULL, 0x5DACF1A224B15755ULL, 0x94ED72DA5B996139ULL, 0xA076CACF92CC467CULL}}, {{0x449D42EE37E65FA4ULL, 0x10770AD296A01AD0ULL, 0x043E203FE3B8C422ULL, 0xA213CBD11F2C882DULL}}},
// [183] = 183G
{{{0xB77907792EBCC60EULL, 0x84E2515AFC3DCCC1ULL, 0xA0179A48966D30CEULL, 0xD4263DFC3D2DF923ULL}}, {{0xAE164E122A208D54ULL, 0x89E127760AD6CF7FULL, 0x30E30D6295853CE1ULL, 0x62DFAF07A0F78FEBULL}}},
// [184] = 184G
{{{0x395681815F5BE39CULL, 0xB9E912769EF3393FULL, 0x162AAAE1836A64AAULL, 0x4265BBAF8D442AC5ULL}}, {{0xB3FA2102457CF151ULL, 0x9D4552D208E1E7E2ULL, 0x87A3B97E37FD2230ULL, 0x3140B915410C1212ULL}}},
// [185] = 185G
{{{0x2233EEDA897612C4ULL, 0x0032ACC0A4A2DE42ULL, 0x4F8D35EB6930857CULL, 0x48457524820FA65AULL}}, {{0xE7A76AAA49BD0F77ULL, 0xDC6CC07DB2D60A9AULL, 0x8733C38A1FA1C2E7ULL, 0x25A748AB367979D9ULL}}},
// [186] = 186G
{{{0xB054D3844F1724C1ULL, 0x495F3686C9351822ULL, 0x2187EE0A7A4E2503ULL, 0x3E805FA563758C7BULL}}, {{0x0B4EEBA071B0594BULL, 0xCC12918983BF74F0ULL, 0xEC1DAF204A51288AULL, 0xE74D9C8F8463EA37ULL}}},
// [187] = 187G
{{{0x367A1767C11CCEDAULL, 0x045E19919152923FULL, 0xB11644F3A2AFDFC2ULL, 0xDFEEEF1881101F2CULL}}, {{0x16A83AE09A9A7517ULL, 0xC390BDE74B4BBDFFULL, 0xF9420BAB396793C0ULL, 0xECFB7056CF1DE042ULL}}},
// [188] = 188G
{{{0x75F3D8EF294845F3ULL, 0x75A7ADB1B1596240ULL, 0xEC401A7FA0F5DB8BULL, 0x296EEF5BDD483AF1ULL}}, {{0xCF85D393D3F2F8BFULL, 0x2B1DE5B2D1D3BD8CULL, 0xF9A51421B1549BCEULL, 0x94DE12D051E62940ULL}}},
// [189] = 189G
{{{0x6C82DF83B8FAE859ULL, 0x5D89BCBC6062CED3ULL, 0x3C573F44E1F38983ULL, 0x6D7EF6B17543F837ULL}}, {{0xF74B190DCA712D10ULL, 0xC521A0959B2D80BBULL, 0xDFEFA10C57FEA9BCULL, 0xCD450EC335438986ULL}}},
// [190] = 190G
{{{0xE63065B098BBAE2EULL, 0x5D8DB3A2DC56B8B1ULL, 0x2416F0AE4ED51EC8ULL, 0x32C001F5785688F6ULL}}, {{0xFCFCC8FC7C306316ULL, 0xFAC71452A632431FULL, 0x657CC56CF6E46AD1ULL, 0xE662B869A22227B3ULL}}},
// [191] = 191G
{{{0x5AF25AF66E04541FULL, 0xF3C88B9322554703ULL, 0x684500D3B991F2E3ULL, 0xE75605D59102A5A2ULL}}, {{0x8360990E2BFAD125ULL, 0x4F729AC5308B0693ULL, 0x40B9B48728473E31ULL, 0xF5C54754A8F71EE5ULL}}},
// [192] = 192G
{{{0xC7B750F733CE1752ULL, 0xE783C797D7CD204EULL, 0x812DDF64D99C9AEAULL, 0xD7A0DA58D01DC635ULL}}, {{0xBBC027380762CEF4ULL, 0x0BE040A8C062B742ULL, 0xF6F2928340E28465ULL, 0x912770E068008032ULL}}},
// [193] = 193G
{{{0x7DD43FEFB1ED620CULL, 0x9A0C2E60ABE38845ULL, 0x6A2BE453D5020BC9ULL, 0xEB98660F4C4DFAA0ULL}}, {{0xE85F44100099223EULL, 0xA0A7CD8A9411131CULL, 0x0609AF3ADD26CD20ULL, 0x6CB9A8876D9CB852ULL}}},
// [194] = 194G
{{{0xD0F9CF8031BDC863ULL, 0x1D8742AF3A39049AULL, 0x3B4AB50F6B1030CEULL, 0x838ED2EB98F46685ULL}}, {{0xAEE700EA6C6AE32FULL, 0xFC9ADB6C57D54C9CULL, 0x495BA885D9B8B819ULL, 0x836ED454D94C9199ULL}}},
// [195] = 195G
{{{0xDC3563E3B8DBA942ULL, 0x2154596941888336ULL, 0x5939F2E6892B1992ULL, 0x13E87B027D8514D3ULL}}, {{0x2570D55646B8ADF1ULL, 0xAC2B9DA568D6ABEBULL, 0xC5D624114BF1E91AULL, 0xFEF5A3C68059A6DEULL}}},
// [196] = 196G
{{{0x5F2D7CA5D86E196EULL, 0x64F08EA3AA575D8FULL, 0x88B4262217960359ULL, 0x21C76DBF7A8D075AULL}}, {{0xBC8F0186CCF45C5AULL, 0xA25F0CBD2A296656ULL, 0xDCAE9BD97378BD4AULL, 0xD67286B1D5716401ULL}}},
// [197] = 197G
{{{0x7BF4491691E5764AULL, 0x25424B371CE2708EULL, 0x17C38F06A5BE6FC1ULL, 0xEE163026E9FD6FE0ULL}}, {{0xE5430DA0AD6C62B2ULL, 0xF49AE3FA15B96623ULL, 0x43D94CCC670D0F58ULL, 0x1ACB250F255DD61CULL}}},
// [198] = 198G
{{{0x6A0C81BD90877ED5ULL, 0xFE3F31125F3BC5BCULL, 0xE38B59BA5857B83CULL, 0x93E651F2D3AC2659ULL}}, {{0x8CF83C556D73AF84ULL, 0xBF27585F4B1AC1EDULL, 0xDC34A72350EA5D40ULL, 0x907308B0980C45CEULL}}},
// [199] = 199G
{{{0x9932E5DB33AF3D80ULL, 0x1E626D4350586799ULL, 0x78DE3A750C2DC89BULL, 0xB268F5EF9AD51E4DULL}}, {{0x003E945A1216E423ULL, 0x8CF0D34FD4191614ULL, 0xB19F77D41C1DEE01ULL, 0x5F310D4B3C99B9EBULL}}},
// [200] = 200G
{{{0xEEEFBCC2E74B75FBULL, 0x8FECED69F26A8B55ULL, 0x83FE7A9DE8AE5B4BULL, 0xCD5A3BE41717D656ULL}}, {{0x9C0B605BA95832A5ULL, 0xFA92C34B1F38C89FULL, 0xB1373FBBA578001EULL, 0xFD6381EAF29657FDULL}}},
// [201] = 201G
{{{0xBF7FFDBA93C4750DULL, 0x2B02F01CA99CEEA3ULL, 0xE9FAD85EB6C7BFE4ULL, 0xFF07F3118A9DF035ULL}}, {{0x4740D098CED1F0D8ULL, 0xC1D2942114E2EDDDULL, 0xA5C440C38ECCBADDULL, 0x438136D603E858A3ULL}}},
// [202] = 202G
{{{0xC1E4DBFD90AC0427ULL, 0x658AA6490EF4EF1AULL, 0x4108C1D9049DF6B3ULL, 0x6C0D1F1784E47FF0ULL}}, {{0x1F5262F7887B72AFULL, 0x4519A730A32E2265ULL, 0x413BD16E1749EE18ULL, 0xEF9A8BD1525F4864ULL}}},
// [203] = 203G
{{{0xC16E8C3CE2B526A1ULL, 0xA4B9F69E0D825EBEULL, 0x4146FD20FFB658BEULL, 0x8D8B9855C7C052A3ULL}}, {{0x30E2E7F463036758ULL, 0x4BCF50FEE51D7CEBULL, 0x26BAF44FB84EA4D4ULL, 0xCDB559EEDC2D79F9ULL}}},
// [204] = 204G
{{{0xACC0A89758554B6CULL, 0xCA6DD9DA7A9EFA19ULL, 0xEF8B8CDBD452F7C5ULL, 0xDA9B9E9AB699C11CULL}}, {{0x25C560257BE95BDBULL, 0x01FAAF5675484185ULL, 0x75BB7A8E714E885EULL, 0xEC8598C45D39F0E0ULL}}},
// [205] = 205G
{{{0xA54263180DA32B63ULL, 0xE4B851CECA91B1EBULL, 0xBFA9D472D7AE26DFULL, 0x52DB0B5384DFBF05ULL}}, {{0xE924B69D84A7B375ULL, 0xB3180C902875679DULL, 0x23EBAF66A6DB9F57ULL, 0x0C3B997D050EE5D4ULL}}},
// [206] = 206G
{{{0x56FC4C098AD30369ULL, 0xD2F58220C30A7CB0ULL, 0xF080EA4C21A2ADE2ULL, 0x52520DE6009C7E49ULL}}, {{0x350D54CFE47BF50BULL, 0x4F3003EFE1B2802CULL, 0xF4C888520BD33955ULL, 0x9D0A6B077D71CC3BULL}}},
// [207] = 207G
{{{0xFFF543BECBD43352ULL, 0x7D0F29C3F3FA48C6ULL, 0x395EFD24E80919CCULL, 0xE62F9490D3D51DA6ULL}}, {{0x70E07BFD9CCAFA7DULL, 0xF342C8591F1DAF51ULL, 0x22C2CA280C682862ULL, 0x6D89AD7BA4876B0BULL}}},
// [208] = 208G
{{{0x65348F778DB0E595ULL, 0xA7163CB9FBA082BBULL, 0xD7CE3765816076EBULL, 0x7D86781855DB1B17ULL}}, {{0x99951E3ABC733DE8ULL, 0x2937844E0E25D532ULL, 0x2E562E2BED4F8838ULL, 0xE2B99ADFEC86F877ULL}}},
// [209] = 209G
{{{0x6D8E7D65AAAB1193ULL, 0x1AFA2FF5CB7B14FDULL, 0x957509C88F77D019ULL, 0x7F30EA2476B399B4ULL}}, {{0x80EF4BFF637ACAECULL, 0xDAFF7BB67B103E98ULL, 0x3B15389A5F6311E9ULL, 0xCA5EF7D4B231C94CULL}}},
// [210] = 210G
{{{0xB25031DF15661815ULL, 0x4E7759552D729E07ULL, 0x81C5C2CD51AC727BULL, 0x59AE134C1A41CFEEULL}}, {{0x09CDA7F01E8BFC2BULL, 0x847A414A8455218DULL, 0xBD7DF32296A9FC38ULL, 0xE0C2821689A92635ULL}}},
// [211] = 211G
{{{0xC60A0361800B7A00ULL, 0xEF0FB7B4A1DD1D9AULL, 0x46A210FADA6C903FULL, 0x5098FF1E1D9F14FBULL}}, {{0x62A5B132FD17DDC0ULL, 0xB3EE1B40D60DFE53ULL, 0x084D37C6E7542006ULL, 0x09731141D81FC8F8ULL}}},
// [212] = 212G
{{{0x2CF6531FD68BEFD5ULL, 0x8615402EB31F2C08ULL, 0x5131B1389EFFBBD2ULL, 0xF4A0CAAD9AD20992ULL}}, {{0x2DBD7A76B1B9C8B9ULL, 0x7FD5A3AE8BA8B4B1ULL, 0x64FE48656B101B58ULL, 0x3CBF5C99286222F4ULL}}},
// [213] = 213G
{{{0xB9F2C81E2778AD58ULL, 0xE2F3C4CCCE445C96ULL, 0x72895BE6B9CBEFA6ULL, 0x32B78C7DE9EE512AULL}}, {{0xA497237794C8753CULL, 0x73BB80547AE2275BULL, 0x2EFC3896EE28260CULL, 0xEE1849F513DF71E3ULL}}},
// [214] = 214G
{{{0xA8F9E0CFB9746ECCULL, 0xAC67947361320882ULL, 0x0B360AD75EE73FABULL, 0xB40226A37A1A586DULL}}, {{0x48E525620A13060CULL, 0x5226C0D3CF24C4AFULL, 0x1F8D4A3E21ACE469ULL, 0xF7CE91842E49E9D4ULL}}},
// [215] = 215G
{{{0x74B581550547A4F7ULL, 0xE37D50F08269DFC0ULL, 0xD076EEF2A7C72B0CULL, 0xE2CB74FDDC8E9FBCULL}}, {{0x8641ABCB005CC4A4ULL, 0xADDEA9E36122D2BEULL, 0x7A62DF062736EB0BULL, 0xD3AA2ED71C9DD224ULL}}},
// [216] = 216G
{{{0x577E0FFA43B4F3BCULL, 0x66C2F828CA99FACCULL, 0x52AC321EA930AFA6ULL, 0x54BEBC996F6C2B7CULL}}, {{0x2A3619AD0DE244E9ULL, 0x041EAE9F117B3E34ULL, 0x2BEBEDE498E028D8ULL, 0x15276D9145B9BCAFULL}}},
// [217] = 217G
{{{0x1BE0D99CD10AE3A8ULL, 0x26009A35F235CB14ULL, 0xDADC299496AB3574ULL, 0x8438447566D4D7BEULL}}, {{0x2390426B2EDD791FULL, 0x34EF0D7906631C4FULL, 0xA5D01AC5E6AD3307ULL, 0xC4E1020916980A4DULL}}},
// [218] = 218G
{{{0x34D667B8FAD96201ULL, 0xCAC732BE31E1B614ULL, 0x2BBA4EFF99C743DCULL, 0xCEA8D97AE24CAEBBULL}}, {{0xC90774F6BAA7E834ULL, 0xB25E0A780FDEA14EULL, 0x1DA077543CE0B7F1ULL, 0x03E6B5491EB5219DULL}}},
// [219] = 219G
{{{0x8AB65C82C711D67EULL, 0x0587D9C46F660B87ULL, 0x9B584C6FC6C30887ULL, 0x4162D488B8940203ULL}}, {{0xBDA47AE5A0852649ULL, 0xC1732F2B84B4E95DULL, 0x776F22C25FB8A3AFULL, 0x67163E903236289FULL}}},
// [220] = 220G
{{{0xFC9CAA19FF32151EULL, 0xF84B6F6249AE3D7DULL, 0xD12EF9CA0A34B068ULL, 0x4B24649AC96F264FULL}}, {{0x62F3B896E8369787ULL, 0x81C434D346DF5E0CULL, 0x2AB27141690AB859ULL, 0xC98998BE4C613A7AULL}}},
// [221] = 221G
{{{0x4F3BA4A4BF5F683DULL, 0x175D767AEC3E5068ULL, 0xF0F89BFD2DCF54FCULL, 0x3FAD3FA84CAF0F34ULL}}, {{0x3FA20EFCDFE61826ULL, 0x0CF71872E7D0D2A5ULL, 0xB2F0CA647C718A73ULL, 0x0CD1BC7CB6CC407BULL}}},
// [222] = 222G
{{{0xF600BBDE5B2C74A4ULL, 0xA562847BEC1B88B6ULL, 0x243061575DC28B48ULL, 0xBDC6C1B0F061C563ULL}}, {{0x716409CC8BAB85AEULL, 0x64D28821559FCEDCULL, 0xB40A81E852827B8EULL, 0xCA7A42DAF8694C62ULL}}},
// [223] = 223G
{{{0x1C69532FAEB1A86BULL, 0xC1FB84BF1370798FULL, 0x568C1A7CE05D0816ULL, 0x674F2600A3007A00ULL}}, {{0xE09EECC69E0D38A5ULL, 0x70DB57DA0B182259ULL, 0xEDF43B257004580BULL, 0x299D21F9413F33B3ULL}}},
// [224] = 224G
{{{0x609C45706CE6B514ULL, 0x890905C79B357322ULL, 0x8885C35600844D49ULL, 0x08BC89C2F919ED15ULL}}, {{0x6F63F4CEA8C95157ULL, 0x172D3056112776F0ULL, 0xDE776FEC3B5892C1ULL, 0xD313F3CDD7CDCC16ULL}}},
// [225] = 225G
{{{0xF87D29BD5EE9F08FULL, 0x3D82D6C692714BCFULL, 0xB81B815AD1FB3B26ULL, 0xD32F4DA54ADE74ABULL}}, {{0x2FC416910B3EEA87ULL, 0x82E14F4535359D58ULL, 0x68E99016C0597077ULL, 0xF9429E738B8E53B9ULL}}},
// [226] = 226G
{{{0x0F08670F188CE2BCULL, 0x234D56537053D014ULL, 0x78AC98661E39723DULL, 0x714651A9CB4AF14CULL}}, {{0x2DD668C1FD617CC6ULL, 0xF1F902C744E425BDULL, 0xAA11B1AB6F7EC0F3ULL, 0x28B6D7837004120FULL}}},
// [227] = 227G
{{{0x1ED954F1E3CE3FF6ULL, 0x6FBB6931F72B08CBULL, 0x6E593657135845D3ULL, 0x30E4E67043538555ULL}}, {{0xC695A559EB88DB7BULL, 0x0A878D35DA70740DULL, 0x8499350113BBC9B1ULL, 0x462F9BCE61989863ULL}}},
// [228] = 228G
{{{0x25149EED98FE1249ULL, 0x7558B9E8D46130C1ULL, 0x61FA0449250CD2A5ULL, 0x7E62469C0893FC16ULL}}, {{0xDF02760AEA9E0A2CULL, 0xF80BEB233DBD9DF7ULL, 0x0DFCAEF6A82B9C7CULL, 0x60F803C2B44D43A0ULL}}},
// [229] = 229G
{{{0xF1971B04D4CAD297ULL, 0x7F3DCD10B01E580BULL, 0x04682904330E4DEEULL, 0xBE2062003C51CC30ULL}}, {{0xD5558ED72DCCB9BCULL, 0xB1C61090905682A0ULL, 0x8573D48A74E1C655ULL, 0x62188BC49D61E542ULL}}},
// [230] = 230G
{{{0x6B51046BF16E839BULL, 0xAFDDFED53EA14522ULL, 0x867960F4F378473FULL, 0x0639863C5CF03696ULL}}, {{0x1FCA864423D1C1BEULL, 0xD00E3228BF1EB99DULL, 0xC2A5BC741DEEB71AULL, 0xC130794479F2BB77ULL}}},
// [231] = 231G
{{{0xC419859FFF5DF04AULL, 0xCB6E84A601DF5993ULL, 0xD29E0FB9AC2AF211ULL, 0x93144423ACE3451EULL}}, {{0xD902A6D13037B47CULL, 0xF1065224F72BB9D1ULL, 0x5C71A3F9D7992038ULL, 0x7C10DFB164C3425FULL}}},
// [232] = 232G
{{{0x422049A122517961ULL, 0x2FB1F35EA3ADC41FULL, 0xA5B943ABDD4A0D7FULL, 0x7D54261D569C7330ULL}}, {{0x63ADD999D2F95BB3ULL, 0xEFDD509A19C63E56ULL, 0x77559BDC7F1017D1ULL, 0xB52974A37A1C5E94ULL}}},
// [233] = 233G
{{{0xCB66418C157B112CULL, 0x97829205C7B7D2A7ULL, 0xF21CA26D6C34FB81ULL, 0xB015F8044F5FCBDCULL}}, {{0xD3AEA1454E3A1D5FULL, 0x3B3CDC6FAA3088C1ULL, 0x744A655B2DF8D5F8ULL, 0xAB8C1E086D04E813ULL}}},
// [234] = 234G
{{{0xA5CBFC789EF0184BULL, 0x30C21799E65A6647ULL, 0x52DB740B48ABA6D2ULL, 0xB35511D67E63FA65ULL}}, {{0x7DC74CEC622A5995ULL, 0x91930CD46322A119ULL, 0x8D859B3982343DEAULL, 0xC8EED15DFA36BCA2ULL}}},
// [235] = 235G
{{{0x6B3F2AF341A21B52ULL, 0x4F8A18DE57A140D3ULL, 0x9E4868117A465A3AULL, 0xD5E9E1DA649D97D8ULL}}, {{0x8955E8592F27447AULL, 0x1693465C2240480DULL, 0x111A13CC1D4DD0DBULL, 0x4CB04437F391ED73ULL}}},
// [236] = 236G
{{{0x9683BAAB330BFF95ULL, 0x7F0107D535274C94ULL, 0x0E0CA7B596DA918DULL, 0xE485BE3DACCABFABULL}}, {{0xDF71E1ABDCFD8FB6ULL, 0x7C0834F9544168FCULL, 0x30C621E8AAB586A1ULL, 0xC4071FD9F1B90283ULL}}},
// [237] = 237G
{{{0x996A5316D36966BBULL, 0x983005CD72E16D6FULL, 0x5DBF8ED77B992439ULL, 0xD3AE41047DD7CA06ULL}}, {{0x4B10DC14D125AC46ULL, 0x64F8CDD7DF0ACA61ULL, 0x2A10F0303417C6D9ULL, 0xBD1AEB21AD22EBB2ULL}}},
// [238] = 238G
{{{0x215B395A558AA151ULL, 0xB9E20C1151EFA971ULL, 0x23F53C4CF55A0A63ULL, 0x0659214AC1A17900ULL}}, {{0xD7F4590701E5364DULL, 0x4EEA355D9DABD94EULL, 0x59320A356230569AULL, 0xB126363AA4243D27ULL}}},
// [239] = 239G
{{{0x9F80AF87C897B065ULL, 0x87197D0A82E377B4ULL, 0xFC66CDD22800F0A4ULL, 0x463E2763D885F958ULL}}, {{0xB79992671EF7CA7FULL, 0x26B80C61FBC97508ULL, 0xDF3A311A94DE062BULL, 0xBFEFACDB0E5D0FD7ULL}}},
// [240] = 240G
{{{0x008FEF8516060DFCULL, 0x76545F84205E6A2AULL, 0x48494B9DC41AB086ULL, 0xDDC5310F00582AC8ULL}}, {{0xFB5F8AB6E7820CA8ULL, 0x41DBAFC6ABD04730ULL, 0x0191AB6DCC8F0E90ULL, 0xBA0D2F3AF20D9692ULL}}},
// [241] = 241G
{{{0x83CDDFC910641917ULL, 0x58E597C40BFE747CULL, 0xC6F53EC1BB63EC31ULL, 0x7985FDFD127C0567ULL}}, {{0x03A5BD567F32ED03ULL, 0x24ED291E0EC67087ULL, 0xF2B25FE1DE289AEDULL, 0x603C12DAF3D9862EULL}}},
// [242] = 242G
{{{0xF3ED516ED7C504EFULL, 0x4D8E2DF756EF139DULL, 0xA8F86C708C25F0E1ULL, 0x6A843BA43C244F89ULL}}, {{0x3112844DCAB0AF01ULL, 0xF8CBA1B16A19B8F2ULL, 0x58643C3FEB2CFAC6ULL, 0x63DAD3922E66CDFBULL}}},
// [243] = 243G
{{{0xD5FF1543DA7703E9ULL, 0x9E74C59CB83D2D0EULL, 0xB2DD249410EAC7F9ULL, 0x74A1AD6B5F76E39DULL}}, {{0xD5737FD790E0DB08ULL, 0x093E0968942E8C33ULL, 0xD6193D83631BBEA0ULL, 0xCC6157EF18C9C63CULL}}},
// [244] = 244G
{{{0x5FC0DA4813704A08ULL, 0x636478CBBFF1713AULL, 0x5EDF6A1F8A10DFF8ULL, 0x2E34552AA716AEF7ULL}}, {{0x4E44DE8E79598A01ULL, 0x64782B5A3885AB58ULL, 0x8C9CBAFEE51F97A0ULL, 0xFC822D5EA0C68B76ULL}}},
// [245] = 245G
{{{0xA71D0896B22F6DA3ULL, 0xC9BAB42C72747463ULL, 0x02D416664BA19B7FULL, 0x30682A50703375F6ULL}}, {{0x17714D9977A22FF8ULL, 0x6290D0E0F19CA73FULL, 0x6C8F39E7F311D317ULL, 0x553E04F6B018B4FAULL}}},
// [246] = 246G
{{{0xD33464C342DC0080ULL, 0x0EEF5D66580C8E23ULL, 0xA74EBD6746E13AFEULL, 0x00136933174BC388ULL}}, {{0x906E54680127FF92ULL, 0x60AC69C82044E8E5ULL, 0x689F232541C04105ULL, 0x27015DC47DBFE781ULL}}},
// [247] = 247G
{{{0x1EE6C1347769EF57ULL, 0x654E7A2B2464F52BULL, 0x6C3791EFEFA79597ULL, 0x9E2158F0D7C0D5F2ULL}}, {{0x9E2FBF2629008373ULL, 0x9FFD7C8EF35A3850ULL, 0x9003A3481FA7762EULL, 0x0712FCDD1B9053F0ULL}}},
// [248] = 248G
{{{0xF50618FA7EAF5AA3ULL, 0x8B2B0C32F081E206ULL, 0xEB76CC1731C1BA31ULL, 0x22213B78F3DCFBDFULL}}, {{0x0D86E5C8718A3051ULL, 0xE476ADD5CF739174ULL, 0xD2A203D8EEDC863FULL, 0xDD81B694EC3A60BAULL}}},
// [249] = 249G
{{{0x322857F3BE327D66ULL, 0x8172E566E3C4FCE7ULL, 0xEBA4029C202538C2ULL, 0x176E26989A43C9CFULL}}, {{0x7B47834C1FA4B1C3ULL, 0x9AEFD31F4EEE09EEULL, 0x7D270B4878DC43C1ULL, 0xED8CC9D04B29EB87ULL}}},
// [250] = 250G
{{{0x2D6C77BCAC938F93ULL, 0xC46E2A586D37641CULL, 0xA7AFC8456A40D57BULL, 0x8758A9FD232F0FE9ULL}}, {{0x7863AC2A068F7866ULL, 0xE22E369309AC3C4EULL, 0x0C0AB2C94A8E89E6ULL, 0x5CC678A31A3B536CULL}}},
// [251] = 251G
{{{0x7004788C50374DA8ULL, 0xCF1892393DFC4F1BULL, 0x68ABB89A13AD747EULL, 0x75D46EFEA3771E6EULL}}, {{0x3CA4726586A6BED8ULL, 0xD7EFC22151346E1AULL, 0xFD0B86FD2B39A868ULL, 0x9852390A99507679ULL}}},
// [252] = 252G
{{{0xD903E0547BB26BFBULL, 0x861A483939A113E2ULL, 0xA5F3C28DB17E60DAULL, 0x69B47C7249439D23ULL}}, {{0x0B08824DF1978EA2ULL, 0x43590D98E54E5678ULL, 0xFD37E43C0D6230C6ULL, 0x1A9CF6CD7C7AD92AULL}}},
// [253] = 253G
{{{0x5B7319F645605721ULL, 0x2310FB0451C86934ULL, 0xFB698C4C825F6D5FULL, 0x809A20C67D64900FULL}}, {{0x5EBFA5F3F8E286C1ULL, 0x3D096CCC54963E6AULL, 0xB76B061927FA0414ULL, 0x9E994980D9917E22ULL}}},
// [254] = 254G
{{{0x475A62C4BC8ADE53ULL, 0xED04459E09CA4351ULL, 0xC300E97D5188FCA2ULL, 0x5654834268843E72ULL}}, {{0x69394D2089481E75ULL, 0xC6DDCC39676E2EA1ULL, 0x19CF1C838C69253CULL, 0x1B33A3362BC07380ULL}}},
// [255] = 255G
{{{0x8D563446F972C180ULL, 0xDEFECE1CF29C6352ULL, 0xED4500B4EAC7083FULL, 0x1B38903A43F7F114ULL}}, {{0xD3394119DAF408F9ULL, 0x2708B26B6F5DA72AULL, 0x89353F77FD53DE4AULL, 0x4036EDC931A60AE8ULL}}},
};

248
cuda/include/schnorr.cuh
View File

@ -339,6 +339,254 @@ __device__ inline bool schnorr_verify(
return true;
}
// ============================================================================
// Schnorr/BIP-340 extensions (CPU parity)
// ============================================================================
// -- Schnorr keypair struct --------------------------------------------------
struct SchnorrKeypairGPU {
Scalar d; // signing key (adjusted for even Y)
uint8_t px[32]; // x-coordinate bytes of pubkey
};
// -- Schnorr: keypair_create -------------------------------------------------
// Creates a BIP-340 keypair: adjusts private key so pubkey has even Y.
__device__ inline bool schnorr_keypair_create(
const Scalar* private_key,
SchnorrKeypairGPU* kp)
{
if (scalar_is_zero(private_key)) return false;
JacobianPoint P;
scalar_mul_generator_const(private_key, &P);
if (P.infinity) return false;
FieldElement ax, ay;
jacobian_to_affine(&P, &ax, &ay);
// Get pubkey x-bytes
field_to_bytes(&ax, kp->px);
// If Y is odd, negate the signing key
uint8_t y_bytes[32];
field_to_bytes(&ay, y_bytes);
if (y_bytes[31] & 1) {
scalar_negate(private_key, &kp->d);
} else {
kp->d = *private_key;
}
return true;
}
// -- Schnorr: pubkey (X-only from private key) -------------------------------
// Returns the 32-byte x-only public key for a private key.
__device__ inline bool schnorr_pubkey(const Scalar* private_key, uint8_t pubkey_x[32]) {
if (scalar_is_zero(private_key)) return false;
JacobianPoint P;
scalar_mul_generator_const(private_key, &P);
if (P.infinity) return false;
FieldElement ax, ay;
jacobian_to_affine(&P, &ax, &ay);
field_to_bytes(&ax, pubkey_x);
return true;
}
// -- Schnorr: sign with keypair (faster, avoids recomputing pubkey) ----------
__device__ inline bool schnorr_sign_with_keypair(
const SchnorrKeypairGPU* kp,
const uint8_t msg[32],
const uint8_t aux_rand[32],
SchnorrSignatureGPU* sig)
{
// t = d XOR tagged_hash("BIP0340/aux", aux_rand)
uint8_t t_hash[32];
tagged_hash_fast(BIP340_TAG_AUX, aux_rand, 32, t_hash);
uint8_t d_bytes[32];
scalar_to_bytes(&kp->d, d_bytes);
uint8_t t[32];
for (int i = 0; i < 32; i++) t[i] = d_bytes[i] ^ t_hash[i];
// rand = tagged_hash("BIP0340/nonce", t || px || msg)
uint8_t nonce_input[96];
for (int i = 0; i < 32; i++) nonce_input[i] = t[i];
for (int i = 0; i < 32; i++) nonce_input[32 + i] = kp->px[i];
for (int i = 0; i < 32; i++) nonce_input[64 + i] = msg[i];
uint8_t rand_hash[32];
tagged_hash_fast(BIP340_TAG_NONCE, nonce_input, 96, rand_hash);
Scalar k_prime;
scalar_from_bytes(rand_hash, &k_prime);
if (scalar_is_zero(&k_prime)) return false;
JacobianPoint R;
scalar_mul_generator_const(&k_prime, &R);
FieldElement rz_inv, rz_inv2, rz_inv3, rx, ry;
field_inv(&R.z, &rz_inv);
field_sqr(&rz_inv, &rz_inv2);
field_mul(&rz_inv, &rz_inv2, &rz_inv3);
field_mul(&R.x, &rz_inv2, &rx);
field_mul(&R.y, &rz_inv3, &ry);
uint8_t ry_bytes[32];
field_to_bytes(&ry, ry_bytes);
Scalar k;
if (ry_bytes[31] & 1) {
scalar_negate(&k_prime, &k);
} else {
k = k_prime;
}
field_to_bytes(&rx, sig->r);
// e = tagged_hash("BIP0340/challenge", R.x || px || msg) mod n
uint8_t challenge_input[96];
for (int i = 0; i < 32; i++) challenge_input[i] = sig->r[i];
for (int i = 0; i < 32; i++) challenge_input[32 + i] = kp->px[i];
for (int i = 0; i < 32; i++) challenge_input[64 + i] = msg[i];
uint8_t e_hash[32];
tagged_hash_fast(BIP340_TAG_CHALLENGE, challenge_input, 96, e_hash);
Scalar e;
scalar_from_bytes(e_hash, &e);
// s = k + e * d mod n
Scalar ed;
scalar_mul_mod_n(&e, &kp->d, &ed);
uint64_t carry = 0;
for (int i = 0; i < 4; i++) {
unsigned __int128 sum = (unsigned __int128)k.limbs[i] + ed.limbs[i] + carry;
sig->s.limbs[i] = (uint64_t)sum;
carry = (uint64_t)(sum >> 64);
}
uint64_t borrow = 0;
uint64_t tmp[4];
for (int i = 0; i < 4; i++) {
unsigned __int128 diff = (unsigned __int128)sig->s.limbs[i] - ORDER[i] - borrow;
tmp[i] = (uint64_t)diff;
borrow = (uint64_t)(-(int64_t)(diff >> 64));
}
uint64_t mask = -(uint64_t)(borrow == 0 || carry);
for (int i = 0; i < 4; i++)
sig->s.limbs[i] = (tmp[i] & mask) | (sig->s.limbs[i] & ~mask);
return true;
}
// -- Schnorr: sign verified (fault countermeasure) ---------------------------
__device__ inline bool schnorr_sign_verified(
const Scalar* private_key,
const uint8_t msg[32],
const uint8_t aux_rand[32],
SchnorrSignatureGPU* sig)
{
if (!schnorr_sign(private_key, msg, aux_rand, sig)) return false;
// Compute pubkey for verification
uint8_t pubkey_x[32];
schnorr_pubkey(private_key, pubkey_x);
return schnorr_verify(pubkey_x, msg, sig);
}
// -- Schnorr: sign with keypair + verified -----------------------------------
__device__ inline bool schnorr_sign_with_keypair_verified(
const SchnorrKeypairGPU* kp,
const uint8_t msg[32],
const uint8_t aux_rand[32],
SchnorrSignatureGPU* sig)
{
if (!schnorr_sign_with_keypair(kp, msg, aux_rand, sig)) return false;
return schnorr_verify(kp->px, msg, sig);
}
// -- Schnorr: parse_strict (reject >= n for s, check r < p) -----------------
__device__ inline bool schnorr_sig_parse_strict(
const uint8_t data[64],
SchnorrSignatureGPU* sig)
{
// r = first 32 bytes (field element, must be < p)
for (int i = 0; i < 32; i++) sig->r[i] = data[i];
// Validate r < p
FieldElement r_fe;
if (!field_from_bytes_strict(data, &r_fe)) return false;
// s = last 32 bytes (scalar, must be < n)
if (!scalar_from_bytes_strict(data + 32, &sig->s)) return false;
return true;
}
// -- X-only pubkey parse (lift_x wrapper) ------------------------------------
struct SchnorrXonlyPubkeyGPU {
JacobianPoint point;
uint8_t x_bytes[32];
};
__device__ inline bool schnorr_xonly_pubkey_parse(
const uint8_t pubkey_x[32],
SchnorrXonlyPubkeyGPU* out)
{
for (int i = 0; i < 32; i++) out->x_bytes[i] = pubkey_x[i];
return lift_x(pubkey_x, &out->point);
}
// -- Schnorr verify with cached pubkey (avoids re-lifting x) ----------------
__device__ inline bool schnorr_verify_xonly(
const SchnorrXonlyPubkeyGPU* pubkey,
const uint8_t msg[32],
const SchnorrSignatureGPU* sig)
{
if (scalar_is_zero(&sig->s)) return false;
uint8_t challenge_input[96];
for (int i = 0; i < 32; i++) challenge_input[i] = sig->r[i];
for (int i = 0; i < 32; i++) challenge_input[32 + i] = pubkey->x_bytes[i];
for (int i = 0; i < 32; i++) challenge_input[64 + i] = msg[i];
uint8_t e_hash[32];
tagged_hash_fast(BIP340_TAG_CHALLENGE, challenge_input, 96, e_hash);
Scalar e;
scalar_from_bytes(e_hash, &e);
Scalar neg_e;
scalar_negate(&e, &neg_e);
JacobianPoint R;
shamir_double_mul_glv(&GENERATOR_JACOBIAN, &sig->s, &pubkey->point, &neg_e, &R);
if (R.infinity) return false;
FieldElement rz_inv, rz_inv2, rz_inv3, rx_aff, ry_aff;
field_inv(&R.z, &rz_inv);
field_sqr(&rz_inv, &rz_inv2);
field_mul(&rz_inv, &rz_inv2, &rz_inv3);
field_mul(&R.x, &rz_inv2, &rx_aff);
field_mul(&R.y, &rz_inv3, &ry_aff);
uint8_t ry_bytes[32];
field_to_bytes(&ry_aff, ry_bytes);
if (ry_bytes[31] & 1) return false;
uint8_t rx_bytes[32];
field_to_bytes(&rx_aff, rx_bytes);
for (int i = 0; i < 32; i++) {
if (rx_bytes[i] != sig->r[i]) return false;
}
return true;
}
} // namespace cuda
} // namespace secp256k1

966
cuda/include/secp256k1.cuh
View File

File diff suppressed because it is too large Load Diff

1286
cuda/src/bench_bip352.cu Normal file
View File

File diff suppressed because it is too large Load Diff

1540
cuda/src/bench_compare.cu Normal file
View File

File diff suppressed because it is too large Load Diff

2462
cuda/src/gpu_audit_runner.cu Normal file
View File

File diff suppressed because it is too large Load Diff

1248
cuda/src/gpu_bench_unified.cu Normal file
View File

File diff suppressed because it is too large Load Diff

223
cuda/src/test_ct_smoke.cu Normal file
View File

@ -0,0 +1,223 @@
// ============================================================================
// GPU CT Layer Compilation + Smoke Test
// ============================================================================
// Exercises all CT headers to verify compilation and basic correctness.
// Kernels: ct_sign ECDSA, ct_sign Schnorr, CT field/scalar/point ops.
// ============================================================================
#include "ct/ct_sign.cuh"
#include <cstdio>
#include <cstring>
using namespace secp256k1::cuda;
// -- Known test vector (from BIP-340 / Wycheproof) ----------------------------
// Private key: 1 (simplest non-trivial key)
__device__ static const Scalar TEST_PRIVKEY = {
{1ULL, 0ULL, 0ULL, 0ULL}
};
// SHA-256("test") truncated to 32 bytes
__device__ static const uint8_t TEST_MSG[32] = {
0x9f, 0x86, 0xd0, 0x81, 0x88, 0x4c, 0x7d, 0x65,
0x9a, 0x2f, 0xea, 0xa0, 0xc5, 0x5a, 0xd0, 0x15,
0xa3, 0xbf, 0x4f, 0x1b, 0x2b, 0x0b, 0x82, 0x2c,
0xd1, 0x5d, 0x6c, 0x15, 0xb0, 0xf0, 0x0a, 0x08
};
__device__ static const uint8_t ZERO_AUX[32] = {0};
// ---------- CT ECDSA Sign + Verify -------------------------------------------
__global__ void test_ct_ecdsa_kernel(int* result) {
ECDSASignatureGPU sig;
bool ok = ct::ct_ecdsa_sign(TEST_MSG, &TEST_PRIVKEY, &sig);
if (!ok) { *result = 1; return; }
// Verify: compute pubkey via CT, then verify with fast path
JacobianPoint pubkey;
ct::ct_generator_mul(&TEST_PRIVKEY, &pubkey);
bool verified = ecdsa_verify(TEST_MSG, &pubkey, &sig);
*result = verified ? 0 : 2;
}
// ---------- CT Schnorr Sign + Verify -----------------------------------------
__global__ void test_ct_schnorr_kernel(int* result) {
SchnorrSignatureGPU sig;
bool ok = ct::ct_schnorr_sign(&TEST_PRIVKEY, TEST_MSG, ZERO_AUX, &sig);
if (!ok) { *result = 1; return; }
// Get pubkey for verification
uint8_t pubkey_x[32];
ct::ct_schnorr_pubkey(&TEST_PRIVKEY, pubkey_x);
bool verified = schnorr_verify(pubkey_x, TEST_MSG, &sig);
*result = verified ? 0 : 2;
}
// ---------- CT Schnorr Keypair Sign + Verify ---------------------------------
__global__ void test_ct_schnorr_keypair_kernel(int* result) {
ct::CTSchnorrKeypairGPU kp;
bool ok = ct::ct_schnorr_keypair_create(&TEST_PRIVKEY, &kp);
if (!ok) { *result = 1; return; }
SchnorrSignatureGPU sig;
ok = ct::ct_schnorr_sign_with_keypair(&kp, TEST_MSG, ZERO_AUX, &sig);
if (!ok) { *result = 2; return; }
bool verified = schnorr_verify(kp.px, TEST_MSG, &sig);
*result = verified ? 0 : 3;
}
// ---------- CT vs Fast ECDSA Cross-Check ------------------------------------
// Both should produce the same r value (same nonce from RFC6979, same k*G)
__global__ void test_ct_fast_ecdsa_parity_kernel(int* result) {
ECDSASignatureGPU ct_sig, fast_sig;
ct::ct_ecdsa_sign(TEST_MSG, &TEST_PRIVKEY, &ct_sig);
ecdsa_sign(TEST_MSG, &TEST_PRIVKEY, &fast_sig);
// r must match (same nonce → same R.x → same r)
bool r_match = true;
for (int i = 0; i < 4; i++) {
if (ct_sig.r.limbs[i] != fast_sig.r.limbs[i]) r_match = false;
}
// s must match (same k_inv, same z+rd)
bool s_match = true;
for (int i = 0; i < 4; i++) {
if (ct_sig.s.limbs[i] != fast_sig.s.limbs[i]) s_match = false;
}
if (!r_match) { *result = 1; return; }
if (!s_match) { *result = 2; return; }
*result = 0;
}
// ---------- CT Field/Scalar/Point Ops ----------------------------------------
__global__ void test_ct_ops_kernel(int* result) {
// Test CT field add/sub round-trip
FieldElement a, b, sum, diff;
field_set_zero(&a); a.limbs[0] = 0x123456789ABCDEF0ULL;
field_set_zero(&b); b.limbs[0] = 0xFEDCBA9876543210ULL;
ct::field_add(&a, &b, &sum);
ct::field_sub(&sum, &b, &diff);
// diff should equal a
bool field_ok = true;
for (int i = 0; i < 4; i++) {
if (diff.limbs[i] != a.limbs[i]) field_ok = false;
}
if (!field_ok) { *result = 1; return; }
*result = 0;
}
__global__ void test_ct_scalar_basic_kernel(int* result) {
// Test CT scalar add/sub round-trip
Scalar sa, sb, ssum, sdiff;
sa.limbs[0] = 42; sa.limbs[1] = 0; sa.limbs[2] = 0; sa.limbs[3] = 0;
sb.limbs[0] = 99; sb.limbs[1] = 0; sb.limbs[2] = 0; sb.limbs[3] = 0;
ct::scalar_add(&sa, &sb, &ssum);
ct::scalar_sub(&ssum, &sb, &sdiff);
bool scalar_ok = true;
for (int i = 0; i < 4; i++) {
if (sdiff.limbs[i] != sa.limbs[i]) scalar_ok = false;
}
// Test CT scalar_is_high: value 1 should NOT be high
uint64_t high = ct::scalar_is_high(&sa);
bool high_ok = (high == 0);
// Test CT scalar_cneg
Scalar neg_sa;
ct::scalar_cneg(&neg_sa, &sa, ~(uint64_t)0); // negate
Scalar re_neg;
ct::scalar_cneg(&re_neg, &neg_sa, ~(uint64_t)0); // negate again
bool cneg_ok = true;
for (int i = 0; i < 4; i++) {
if (re_neg.limbs[i] != sa.limbs[i]) cneg_ok = false;
}
if (!scalar_ok) { *result = 2; return; }
if (!high_ok) { *result = 3; return; }
if (!cneg_ok) { *result = 4; return; }
*result = 0;
}
__global__ void test_ct_scalar_inv_kernel(int* result) {
// Test CT scalar_inverse: a * a^{-1} = 1
Scalar sa;
sa.limbs[0] = 42; sa.limbs[1] = 0; sa.limbs[2] = 0; sa.limbs[3] = 0;
Scalar sa_inv, product;
ct::scalar_inverse(&sa, &sa_inv);
ct::scalar_mul(&sa, &sa_inv, &product);
bool inv_ok = (product.limbs[0] == 1 && product.limbs[1] == 0 &&
product.limbs[2] == 0 && product.limbs[3] == 0);
if (!inv_ok) { *result = 5; return; }
*result = 0;
}
// ---------- Main -------------------------------------------------------------
int main() {
int* d_result;
int h_result;
cudaMalloc(&d_result, sizeof(int));
auto run = [&](const char* name, auto kernel_fn) -> bool {
h_result = -1;
cudaMemset(d_result, 0xFF, sizeof(int));
kernel_fn<<<1, 1>>>(d_result);
cudaError_t err = cudaGetLastError();
if (err != cudaSuccess) {
printf(" [FAIL] %s (launch error: %s)\n", name, cudaGetErrorString(err));
return false;
}
err = cudaDeviceSynchronize();
if (err != cudaSuccess) {
printf(" [FAIL] %s (sync error: %s)\n", name, cudaGetErrorString(err));
return false;
}
cudaMemcpy(&h_result, d_result, sizeof(int), cudaMemcpyDeviceToHost);
if (h_result == 0) {
printf(" [OK] %s\n", name);
return true;
} else {
printf(" [FAIL] %s (code=%d)\n", name, h_result);
return false;
}
};
printf("=== GPU CT Layer Smoke Test ===\n\n");
fflush(stdout);
int pass = 0, fail = 0;
if (run("CT field/scalar ops", test_ct_ops_kernel)) pass++; else fail++;
if (run("CT scalar basic ops", test_ct_scalar_basic_kernel)) pass++; else fail++;
if (run("CT scalar inverse", test_ct_scalar_inv_kernel)) pass++; else fail++;
if (run("CT ECDSA sign + verify", test_ct_ecdsa_kernel)) pass++; else fail++;
if (run("CT Schnorr sign + verify", test_ct_schnorr_kernel)) pass++; else fail++;
if (run("CT Schnorr keypair sign", test_ct_schnorr_keypair_kernel)) pass++; else fail++;
if (run("CT vs Fast ECDSA parity", test_ct_fast_ecdsa_parity_kernel)) pass++; else fail++;
printf("\n%d/%d passed\n", pass, pass + fail);
cudaFree(d_result);
return fail > 0 ? 1 : 0;
}

71
docs/BENCHMARKING.md
View File

@ -8,6 +8,8 @@ How to build, run, and interpret benchmarks on all supported platforms.
### Benchmark Targets
#### CPU Benchmarks
| Target | CI Canonical | Always Builds | Purpose |
|--------|:---:|:---:|---------|
| **`bench_unified`** | **YES** | No (needs libsecp256k1 src) | THE standard: full apple-to-apple vs libsecp256k1 + OpenSSL |
@ -17,6 +19,13 @@ How to build, run, and interpret benchmarks on all supported platforms.
| `bench_kP` | No | YES | Scalar multiplication (k*P) benchmarks |
| `bench_hornet` | No | No (Android only) | ARM64 Android benchmark (in android/test/) |
#### GPU Benchmarks
| Target | CI Canonical | Purpose |
|--------|:---:|---------|
| **`gpu_bench_unified`** | **YES** | GPU unified: FAST + CT ops, all categories, structured report |
| `secp256k1_cuda_bench` | No | Basic GPU search throughput measurement |
**`bench_unified`** is the canonical benchmark runner (see [.github/copilot-instructions.md](../.github/copilot-instructions.md) "Benchmark rules" section).
It runs ALL operation categories in a single binary and produces apple-to-apple
comparison ratios against both libsecp256k1 and OpenSSL.
@ -130,6 +139,67 @@ idf.py flash monitor
Results print to serial monitor. The ESP32 version uses `esp_timer_get_time()`
and a reduced key pool (16 keys, median of 5 passes) due to memory limits.
### 5. GPU (CUDA)
Requires:
- NVIDIA GPU with Compute Capability 7.5+ (Turing, Ampere, Ada Lovelace, Blackwell)
- CUDA Toolkit 12.0+
- CMake with `-DSECP256K1_BUILD_CUDA=ON`
```bash
# Configure (from repo root)
cmake -S . -B build-cuda -G Ninja \
-DCMAKE_BUILD_TYPE=Release \
-DSECP256K1_BUILD_CUDA=ON \
-DCMAKE_CUDA_ARCHITECTURES="86;89"
# Build gpu_bench_unified
cmake --build build-cuda --target gpu_bench_unified -j
# Run
./build-cuda/cuda/gpu_bench_unified
```
For Blackwell GPUs (RTX 50 series), use PTX JIT:
```bash
cmake -S . -B build-cuda -G Ninja \
-DCMAKE_BUILD_TYPE=Release \
-DSECP256K1_BUILD_CUDA=ON \
-DCMAKE_CUDA_ARCHITECTURES=90
cmake --build build-cuda --target gpu_bench_unified -j
./build-cuda/cuda/gpu_bench_unified
```
#### GPU Benchmark Sections
`gpu_bench_unified` measures all GPU operations in a single binary:
| Section | Operations |
|---------|-----------|
| 1. Field Arithmetic | field_mul, field_sqr, field_inv, field_add, field_sub |
| 2. Scalar Arithmetic | scalar_mul, scalar_inv, scalar_add, scalar_negate |
| 3. Point Arithmetic | k*G (generator), k*P (arbitrary), point_add, point_dbl |
| 4. ECDSA | sign (FAST), verify |
| 5. Schnorr / BIP-340 | keypair, sign (FAST), verify |
| 6. Constant-Time (CT) | ct::k*G, ct::k*P, ct::ecdsa_sign, ct::schnorr_sign |
| 7. Throughput | ECDSA sign/s, Schnorr sign/s |
Each section reports:
- **ns/op** (nanoseconds per operation, averaged over batched GPU launch)
- **ops/sec** (throughput)
- **CT/FAST ratio** (for CT section, overhead vs. FAST equivalent)
#### GPU Performance Expectations
| GPU | k*G | ECDSA Sign | CT ECDSA Sign | CT/FAST |
|-----|-----|-----------|---------------|---------|
| RTX 5060 Ti (SM 12.0) | 129.1 ns | 211.1 ns | 433.9 ns | 2.06x |
| RTX 4090 (SM 8.9) | ~90-120 ns | ~150-200 ns | ~300-400 ns | ~2x |
**Note**: GPU kernel timings include launch overhead. Batch size strongly
affects per-op cost -- larger batches amortize launch overhead better.
---
## Apple-to-Apple Comparison
@ -215,6 +285,7 @@ by the benchmark infrastructure scripts -- see `audit/platform-reports/`.
| `cpu/bench/bench_field_52.cpp` | 5x52 field arithmetic micro-benchmarks |
| `cpu/bench/bench_field_26.cpp` | 10x26 field arithmetic micro-benchmarks |
| `cpu/bench/libsecp_provider.c` | libsecp256k1 apple-to-apple provider |
| `cuda/src/gpu_bench_unified.cu` | GPU unified benchmark (FAST + CT) |
| `android/test/bench_hornet_android.cpp` | ARM64 Android port |
| `android/test/libsecp_bench.c` | libsecp256k1 apple-to-apple (ARM64) |
| `examples/esp32_bench_hornet/` | ESP32-S3 bench_hornet example |

83
docs/CT_VERIFICATION.md
View File

@ -1,12 +1,17 @@
# Constant-Time Verification
**UltrafastSecp256k1 v3.16.0** -- CT Layer Methodology & Audit Status
**UltrafastSecp256k1 v3.21.0** -- CT Layer Methodology & Audit Status
---
## Overview
The constant-time (CT) layer lives in the `secp256k1::ct` namespace and provides side-channel resistant operations for secret key material. The FAST layer (`secp256k1::fast`) is explicitly variable-time for maximum throughput on public data.
The constant-time (CT) layer provides side-channel resistant operations for secret key material. It is available on **both CPU and GPU backends**:
- **CPU**: `secp256k1::ct::` namespace (headers in `cpu/include/secp256k1/ct/`)
- **GPU**: `secp256k1::cuda::ct::` namespace (headers in `cuda/include/ct/`)
The FAST layer (`secp256k1::fast::` on CPU, `secp256k1::cuda::` on GPU) is explicitly variable-time for maximum throughput on public data.
**Principle**: Any operation that touches secret data (private keys, nonces, intermediate scalars) MUST use `ct::` functions. The default `fast::` namespace is allowed only when all inputs are public.
@ -14,6 +19,8 @@ The constant-time (CT) layer lives in the `secp256k1::ct` namespace and provides
## CT Layer Architecture
### CPU CT Layer
```
secp256k1::ct::
+-- ops.hpp -- Low-level CT primitives (cmov, select, cswap)
@ -27,6 +34,54 @@ secp256k1::fast::
+-- ... -- Variable-time (NOT for secrets)
```
### GPU CT Layer
```
secp256k1::cuda::ct::
+-- ct_ops.cuh -- CT primitives: value_barrier (PTX asm), masks, cmov, cswap
+-- ct_field.cuh -- CT field: add, sub, neg, mul, sqr, inv, half, cmov, cswap
+-- ct_scalar.cuh -- CT scalar: add, sub, neg, half, mul, inverse (Fermat), GLV
+-- ct_point.cuh -- CT point: dbl, add_mixed (Brier-Joye 7M+5S), add (11M+6S),
| scalar_mul (GLV + bit-by-bit), generator_mul
+-- ct_sign.cuh -- CT signing: ct_ecdsa_sign, ct_schnorr_sign, ct_schnorr_keypair
```
The GPU CT layer mirrors the CPU CT layer with identical algorithms adapted for CUDA:
- `value_barrier()` uses PTX `asm volatile` to prevent compiler optimization
- All mask operations are 64-bit (matching GPU's native word size)
- No branch divergence on secret data (critical for SIMT warp execution)
- Field/scalar heavy arithmetic delegates to fast-path (same cost) with CT
control flow wrapping
#### GPU CT Usage
```cuda
#include "ct/ct_sign.cuh"
__global__ void sign_kernel(const uint8_t* msg, const Scalar* privkey,
ECDSASignatureGPU* sig, bool* ok) {
// CT ECDSA sign -- constant-time k*G, k^-1, scalar ops
*ok = secp256k1::cuda::ct::ct_ecdsa_sign(msg, privkey, sig);
}
__global__ void schnorr_kernel(const Scalar* privkey, const uint8_t* msg,
const uint8_t* aux, SchnorrSignatureGPU* sig, bool* ok) {
// CT Schnorr sign -- constant-time nonce generation + signing
*ok = secp256k1::cuda::ct::ct_schnorr_sign(privkey, msg, aux, sig);
}
```
#### GPU CT Benchmark Results (RTX 5060 Ti, SM 12.0)
| Operation | FAST | CT | CT/FAST Overhead |
|-----------|------|-----|------------------|
| k*G (generator) | 129.1 ns | 341.9 ns | 2.65x |
| k*P (scalar mul) | -- | 347.2 ns | -- |
| ECDSA sign | 211.1 ns | 433.9 ns | 2.06x |
| Schnorr sign | 284.9 ns | 715.8 ns | 2.51x |
GPU CT throughput: **2.30M ECDSA sign/sec**, **1.40M Schnorr sign/sec**.
---
## CT Guarantees
@ -229,13 +284,25 @@ CT properties verified on one CPU may not hold on another:
- ARM64: Apple Silicon M1 (macos-14) -- smoke per-PR, full nightly (`.github/workflows/ct-arm64.yml`)
- ARM64: cross-compiled via aarch64-linux-gnu-g++-13 (compile check only)
### 4. GPU Is Explicitly Non-CT
### 4. GPU CT Guarantees
GPU backends (CUDA, ROCm, OpenCL, Metal) make NO constant-time guarantees:
- SIMT execution model exposes branch divergence
- Shared memory access patterns are observable
- No hardware support for CT on consumer GPUs
- **Use GPU only for public-data workloads**
The GPU CT layer (`secp256k1::cuda::ct::`) provides **algorithmic** constant-time
guarantees: no secret-dependent branches, no secret-dependent memory access patterns,
fixed iteration counts.
**What GPU CT protects against:**
- Software-level timing attacks from co-located GPU workloads
- Branch divergence leaking scalar bits within a warp
- Memory access pattern analysis via GPU profiling tools
**What GPU CT does NOT protect against:**
- Hardware-level electromagnetic or power analysis
- GPU shared memory bank conflict timing (microarchitectural)
- Driver-level scheduling observation
- Physical side-channels requiring oscilloscope-level measurements
The GPU CT layer is tested via `test_ct_smoke` (7 functional tests) and integrated
into the GPU audit runner (Section S6: CT Analysis). See the GPU audit section below.
### 5. Experimental Protocols

58
docs/LOCAL_CI.md
View File

@ -75,7 +75,63 @@ Override threshold:
BENCH_ALERT_THRESHOLD=130 ./scripts/ci-local.sh bench-regression
```
## 5. What is still not reproducible on Linux local Docker
## 5. GPU Audit (Local Only)
The GPU audit cannot run on GitHub CI (no GPU runners). It runs **locally only** on any machine with an NVIDIA GPU and CUDA toolkit.
### Prerequisites
- NVIDIA GPU (any compute capability >= 5.0)
- CUDA Toolkit >= 12.0
- CMake >= 3.24, Ninja
### Build
```bash
# From library root:
cmake -S . -B build-cuda -G Ninja \
-DCMAKE_BUILD_TYPE=Release \
-DSECP256K1_BUILD_CUDA=ON \
-DCMAKE_CUDA_ARCHITECTURES="native" # or e.g. "86;89;90"
ninja -C build-cuda gpu_audit_runner
```
### Run
```bash
./build-cuda/cuda/gpu_audit_runner
```
### Expected Output
The runner executes **43 modules** across **10 sections** and produces:
| Section | Modules | Coverage |
|---------|---------|----------|
| Mathematical Invariants | 12 | Field, scalar, point arithmetic, group order |
| Signature Operations | 3 | ECDSA + Schnorr roundtrip, wrong-key rejection |
| Batch Operations | 4 | Batch inversion, bloom filter, batch ECDSA verify, MSM |
| CPU-GPU Differential | 1 | Generator mul cross-check |
| Device Memory | 2 | Alloc/free stress, CUDA error state |
| Constant-Time Layer | 6 | CT field/scalar/point, CT ECDSA/Schnorr, CT-FAST parity |
| Standard Test Vectors | 3 | BIP-340, RFC-6979, BIP-32 |
| Protocol Security | 6 | Multi-key ECDSA/Schnorr, ECDH, recovery, BIP-32 chain, Hash160 |
| Fuzzing | 4 | Edge scalars, zero-key rejection, serialization roundtrip |
| Performance Smoke | 2 | ECDSA 100-iter stress, Schnorr 50-iter stress |
Verdict: **AUDIT-READY** when all 43/43 pass.
Reports are written to the build directory:
- `gpu_audit_report.json` -- machine-readable
- `gpu_audit_report.txt` -- human-readable summary
### Notes
- First run may take ~5 minutes due to PTX JIT compilation (subsequent runs are faster)
- The `selftest_core` module runs 41+ GPU kernel tests and dominates total runtime
- `CMAKE_CUDA_ARCHITECTURES="native"` auto-detects your GPU; explicit SM values avoid JIT overhead
## 6. What is still not reproducible on Linux local Docker
These GitHub jobs need non-Linux or hosted integrations:

56
docs/SECURITY_CLAIMS.md
View File

@ -1,6 +1,6 @@
# Security Claims & API Contract
**UltrafastSecp256k1 v3.16.0** -- FAST / CT Dual-Layer Architecture
**UltrafastSecp256k1 v3.21.0** -- FAST / CT Dual-Layer Architecture (CPU + GPU)
---
@ -20,16 +20,17 @@ mathematical semantics. They differ **only** in execution profile:
| **Nonce Erasure** | Not erased | Intermediate nonces erased (volatile fn-ptr) |
| **Side-Channel** | Not resistant | Resistant (CPU backend) |
### CT Overhead by Platform (v3.16.0)
### CT Overhead by Platform (v3.21.0)
Measured with `bench_hornet` (signing operations; verify uses public inputs — CT not needed):
Measured with `bench_unified` / `gpu_bench_unified` (signing operations; verify uses public inputs -- CT not needed):
| Platform | ECDSA Sign CT/FAST | Schnorr Sign CT/FAST |
|---|---|---|
| x86-64 (i7-11700, Clang 21) | **1.77x** | **2.03x** |
| x86-64 (i5-14400F, GCC 14.2) | **1.93x** | **2.13x** |
| ARM64 Cortex-A55 (Clang 18) | 2.57x | 3.18x |
| RISC-V U74 @ 1.5 GHz (GCC 13) | 1.96x | 2.37x |
| ESP32-S3 Xtensa LX7 @ 240 MHz | 1.05x | 1.06x |
| **GPU RTX 5060 Ti (CUDA 12.0)** | **2.06x** | **2.51x** |
ESP32 has near-zero CT overhead: in-order core, no speculative execution. x86 overhead
improved in v3.16.0 (was 1.94x ECDSA) following the GLV decomposition correctness fix.
@ -190,6 +191,8 @@ cryptographic implementations, including libsecp256k1.
## 6. API Mapping: FAST <-> CT
### CPU API
| Operation | FAST (public data) | CT (secret data) |
|-----------|--------------------|-------------------|
| Scalar x G | `Point::generator().scalar_mul(k)` | `ct::generator_mul(k)` |
@ -204,6 +207,34 @@ cryptographic implementations, including libsecp256k1.
| Scalar cond. swap | N/A (use std::swap) | `ct::scalar_cswap(a, b, mask)` |
| Scalar cond. negate | `s.negate()` with if | `ct::scalar_cneg(a, mask)` |
### GPU (CUDA) API
All GPU CT functions are in the `secp256k1::cuda::ct::` namespace.
Headers: `cuda/include/ct/{ct_ops.cuh, ct_field.cuh, ct_scalar.cuh, ct_point.cuh, ct_sign.cuh}`
| Operation | FAST (`secp256k1::cuda::`) | CT (`secp256k1::cuda::ct::`) |
|-----------|---------------------------|------------------------------|
| Scalar x G | `scalar_mul_generator_const(k, &r)` | `ct_generator_mul(k, &r)` |
| Scalar x P | `scalar_mul(&P, k, &r)` | `ct_scalar_mul(&P, k, &r)` |
| Point add | `jacobian_add(&P, &Q, &r)` | `ct_point_add(&P, &Q, &r)` |
| Point double | `jacobian_double(&P, &r)` | `ct_point_dbl(&P, &r)` |
| Mixed add | N/A | `ct_point_add_mixed(&P, &Q, &r)` |
| ECDSA sign | `ecdsa_sign(msg, key, &sig)` | `ct_ecdsa_sign(msg, key, &sig)` |
| Schnorr sign | `schnorr_sign(key, msg, aux, &sig)` | `ct_schnorr_sign(key, msg, aux, &sig)` |
| Keypair create | N/A | `ct_schnorr_keypair_create(key, &kp)` |
| Field cmov | N/A | `field_cmov(&r, &a, mask)` |
| Scalar cmov | N/A | `scalar_cmov(&r, &a, mask)` |
| Scalar inverse | `scalar_inverse(a, &r)` | `scalar_inverse(a, &r)` (CT Fermat) |
#### GPU CT Throughput (RTX 5060 Ti)
| Operation | ns/op | Throughput | CT/FAST |
|-----------|-------|------------|---------|
| ct::k*G | 341.9 | 2.92 M/s | 2.65x |
| ct::k*P | 347.2 | 2.88 M/s | -- |
| ct::ecdsa_sign | 433.9 | **2.30 M/s** | 2.06x |
| ct::schnorr_sign | 715.8 | **1.40 M/s** | 2.51x |
---
## 7. CT Timing Verification
@ -228,15 +259,19 @@ See [docs/CT_EMPIRICAL_REPORT.md](CT_EMPIRICAL_REPORT.md) for full methodology.
### CT Claim Scope
> The CT guarantee applies to the **CPU backend** (`secp256k1::ct::`) under
> the specified compilers (`g++-13` / `clang-17+`) at `-O2`, on **x86-64**
> and **ARM64** architectures.
> The CT guarantee applies to:
> - **CPU**: `secp256k1::ct::` under `g++-13` / `clang-17+` at `-O2`, on **x86-64** and **ARM64**
> - **GPU**: `secp256k1::cuda::ct::` under CUDA 12.0+ / nvcc, on **SM 7.5+** (Turing through Blackwell)
The GPU CT layer provides **algorithmic** constant-time guarantees (no secret-dependent
branches or memory access patterns). Hardware-level side-channel resistance on GPUs
is limited by the SIMT execution model.
**Explicitly NOT covered:**
- GPU backends (CUDA, ROCm, OpenCL, Metal) — SIMT model leaks by design
- Protocol internals of FROST and MuSig2 — partial coverage only
- Protocol internals of FROST and MuSig2 -- partial coverage only
- Compilers or optimization levels not tested in CI
- Microarchitectures not in the CI matrix
- Hardware-level electromagnetic/power analysis on any platform
---
@ -246,6 +281,7 @@ Every release must answer: **"Did the CT scope change?"**
| Release | CT Scope Changed? | Details |
|---------|-------------------|---------|
| v3.21.0 | **Yes** | GPU CT layer (5 headers); GPU CT audit modules in gpu_audit_runner; GPU CT benchmarks in gpu_bench_unified |
| v3.16.0 | **Yes** | CT nonce erasure (volatile fn-ptr trick); MuSig2/FROST dudect added; ct-arm64 ARM64 native CI |
| v3.15.0 | **Yes** | Branchless `scalar_window` on RISC-V; `value_barrier` after mask; RISC-V `is_zero_mask` asm |
| v3.13.1 | **Yes (fix)** | GLV decomposition correctness fix; CT scalar_mul overhead reduced to 1.05x |
@ -291,4 +327,4 @@ Every release must answer: **"Did the CT scope change?"**
---
*UltrafastSecp256k1 v3.16.0 — Security Claims*
*UltrafastSecp256k1 v3.21.0 -- Security Claims*

55
ocl_audit_report.json Normal file
View File

@ -0,0 +1,55 @@
{
"framework_version": "2.0.0",
"backend": "OpenCL",
"device": {
"name": "NVIDIA GeForce RTX 5060 Ti",
"vendor": "NVIDIA Corporation",
"version": "OpenCL 3.0 CUDA",
"driver_version": "580.126.09",
"memory_mb": 15847,
"compute_units": 36
},
"platform": {
"os": "Linux",
"arch": "x86-64",
"compiler": "GCC 14.2.0",
"build_type": "Release"
},
"summary": {
"total": 27,
"passed": 19,
"failed": 8,
"skipped": 0,
"total_seconds": 0.195707,
"verdict": "ISSUES-FOUND"
},
"modules": [
{ "id": "selftest_core", "name": "OpenCL Selftest (23+ kernel tests)", "section": "math_invariants", "result": "PASS", "time_ms": 157.458784, "error_code": 0 },
{ "id": "field_add_sub", "name": "Field add/sub roundtrip", "section": "math_invariants", "result": "PASS", "time_ms": 0.344194, "error_code": 0 },
{ "id": "field_mul_comm", "name": "Field mul commutativity", "section": "math_invariants", "result": "PASS", "time_ms": 0.161442, "error_code": 0 },
{ "id": "field_inv", "name": "Field inverse roundtrip (a * a^-1 = 1)", "section": "math_invariants", "result": "PASS", "time_ms": 0.277172, "error_code": 0 },
{ "id": "field_sqr", "name": "Field square == mul(a,a)", "section": "math_invariants", "result": "PASS", "time_ms": 0.133867, "error_code": 0 },
{ "id": "field_negate", "name": "Field negate roundtrip (a + (-a) = 0)", "section": "math_invariants", "result": "PASS", "time_ms": 0.132015, "error_code": 0 },
{ "id": "gen_mul_vec", "name": "Generator mul known vectors", "section": "math_invariants", "result": "PASS", "time_ms": 0.074126, "error_code": 0 },
{ "id": "scalar_roundtrip", "name": "Scalar/Point consistency", "section": "math_invariants", "result": "PASS", "time_ms": 0.201873, "error_code": 0 },
{ "id": "add_dbl_consist", "name": "Point add vs double consistency", "section": "math_invariants", "result": "PASS", "time_ms": 0.243917, "error_code": 0 },
{ "id": "scalar_mul_lin", "name": "Scalar mul linearity (a+b)*G = aG+bG", "section": "math_invariants", "result": "PASS", "time_ms": 0.353603, "error_code": 0 },
{ "id": "group_order", "name": "Group order basic checks", "section": "math_invariants", "result": "PASS", "time_ms": 0.234223, "error_code": 0 },
{ "id": "batch_inv", "name": "Batch inversion (Montgomery trick)", "section": "math_invariants", "result": "PASS", "time_ms": 0.694958, "error_code": 0 },
{ "id": "ecdsa_roundtrip", "name": "ECDSA sign + verify roundtrip", "section": "signatures", "result": "FAIL", "time_ms": 5.387598, "error_code": 2 },
{ "id": "schnorr_roundtrip", "name": "Schnorr/BIP-340 sign + verify roundtrip", "section": "signatures", "result": "FAIL", "time_ms": 2.694820, "error_code": 2 },
{ "id": "ecdsa_wrong_key", "name": "ECDSA verify rejects wrong pubkey", "section": "signatures", "result": "PASS", "time_ms": 4.869086, "error_code": 0 },
{ "id": "batch_smul", "name": "Batch scalar mul generator", "section": "batch_advanced", "result": "PASS", "time_ms": 0.454583, "error_code": 0 },
{ "id": "batch_j2a", "name": "Batch Jacobian to Affine", "section": "batch_advanced", "result": "FAIL", "time_ms": 0.375855, "error_code": 1 },
{ "id": "diff_smul", "name": "OpenCL-host differential scalar mul", "section": "differential", "result": "PASS", "time_ms": 0.074472, "error_code": 0 },
{ "id": "rfc6979_determ", "name": "RFC-6979 ECDSA deterministic nonce", "section": "standard_vectors", "result": "PASS", "time_ms": 5.097664, "error_code": 0 },
{ "id": "bip340_vectors", "name": "BIP-340 Schnorr known-key roundtrip", "section": "standard_vectors", "result": "FAIL", "time_ms": 1.981557, "error_code": 2 },
{ "id": "ecdsa_multi_key", "name": "ECDSA multi-key (10 keys) sign+verify", "section": "protocol_security", "result": "FAIL", "time_ms": 4.830620, "error_code": 20 },
{ "id": "schnorr_multi_key", "name": "Schnorr multi-key (10 keys) sign+verify", "section": "protocol_security", "result": "FAIL", "time_ms": 1.892115, "error_code": 20 },
{ "id": "fuzz_edge_scalar", "name": "Edge-case scalars (0*G, 1*G, G+G=2G)", "section": "fuzzing", "result": "PASS", "time_ms": 0.244023, "error_code": 0 },
{ "id": "fuzz_ecdsa_zero", "name": "ECDSA rejects zero private key", "section": "fuzzing", "result": "PASS", "time_ms": 0.082785, "error_code": 0 },
{ "id": "fuzz_schnorr_zero", "name": "Schnorr rejects zero private key", "section": "fuzzing", "result": "PASS", "time_ms": 0.088844, "error_code": 0 },
{ "id": "perf_ecdsa_50", "name": "ECDSA 50-iteration stress", "section": "performance", "result": "FAIL", "time_ms": 4.934114, "error_code": 2 },
{ "id": "perf_schnorr_25", "name": "Schnorr 25-iteration stress", "section": "performance", "result": "FAIL", "time_ms": 2.247930, "error_code": 2 }
]
}

63
ocl_audit_report.txt Normal file
View File

@ -0,0 +1,63 @@
================================================================
UltrafastSecp256k1 -- OpenCL Unified Audit Report
Framework v2.0.0
Linux x86-64 | GCC 14.2.0 | Release
Device: NVIDIA GeForce RTX 5060 Ti (NVIDIA Corporation) | 36 CUs | 15847 MB
================================================================
Section: math_invariants
--------------------------------------------------
[PASS] OpenCL Selftest (23+ kernel tests) (157.459 ms)
[PASS] Field add/sub roundtrip (0.344194 ms)
[PASS] Field mul commutativity (0.161442 ms)
[PASS] Field inverse roundtrip (a * a^-1 = 1) (0.277172 ms)
[PASS] Field square == mul(a,a) (0.133867 ms)
[PASS] Field negate roundtrip (a + (-a) = 0) (0.132015 ms)
[PASS] Generator mul known vectors (0.074126 ms)
[PASS] Scalar/Point consistency (0.201873 ms)
[PASS] Point add vs double consistency (0.243917 ms)
[PASS] Scalar mul linearity (a+b)*G = aG+bG (0.353603 ms)
[PASS] Group order basic checks (0.234223 ms)
[PASS] Batch inversion (Montgomery trick) (0.694958 ms)
Section: signatures
--------------------------------------------------
[FAIL] ECDSA sign + verify roundtrip (5.3876 ms)
[FAIL] Schnorr/BIP-340 sign + verify roundtrip (2.69482 ms)
[PASS] ECDSA verify rejects wrong pubkey (4.86909 ms)
Section: batch_advanced
--------------------------------------------------
[PASS] Batch scalar mul generator (0.454583 ms)
[FAIL] Batch Jacobian to Affine (0.375855 ms)
Section: differential
--------------------------------------------------
[PASS] OpenCL-host differential scalar mul (0.074472 ms)
Section: standard_vectors
--------------------------------------------------
[PASS] RFC-6979 ECDSA deterministic nonce (5.09766 ms)
[FAIL] BIP-340 Schnorr known-key roundtrip (1.98156 ms)
Section: protocol_security
--------------------------------------------------
[FAIL] ECDSA multi-key (10 keys) sign+verify (4.83062 ms)
[FAIL] Schnorr multi-key (10 keys) sign+verify (1.89211 ms)
Section: fuzzing
--------------------------------------------------
[PASS] Edge-case scalars (0*G, 1*G, G+G=2G) (0.244023 ms)
[PASS] ECDSA rejects zero private key (0.082785 ms)
[PASS] Schnorr rejects zero private key (0.088844 ms)
Section: performance
--------------------------------------------------
[FAIL] ECDSA 50-iteration stress (4.93411 ms)
[FAIL] Schnorr 25-iteration stress (2.24793 ms)
================================================================
VERDICT: ISSUES-FOUND
TOTAL: 19/27 passed, 8 FAILED (0.2 s)
================================================================

34
opencl/CMakeLists.txt
View File

@ -228,9 +228,43 @@ if(HAVE_CPU_LIB AND TARGET fastsecp256k1)
target_compile_definitions(opencl_test PRIVATE HAVE_CPU_LIB=1)
endif()
# =============================================================================
# Audit Runner Executable
# =============================================================================
add_executable(opencl_audit_runner
src/opencl_audit_runner.cpp
)
target_link_libraries(opencl_audit_runner PRIVATE
secp256k1_opencl
${OpenCL_LIBRARY}
)
target_include_directories(opencl_audit_runner PRIVATE
${OpenCL_INCLUDE_DIR}
${CMAKE_CURRENT_SOURCE_DIR}/../cpu/include
${CMAKE_CURRENT_SOURCE_DIR}/../include
)
# Copy kernel files next to the audit runner binary for runtime loading
add_custom_command(TARGET opencl_audit_runner POST_BUILD
COMMAND ${CMAKE_COMMAND} -E make_directory $<TARGET_FILE_DIR:opencl_audit_runner>/kernels
COMMAND ${CMAKE_COMMAND} -E copy_if_different
${CMAKE_CURRENT_SOURCE_DIR}/kernels/secp256k1_field.cl
${CMAKE_CURRENT_SOURCE_DIR}/kernels/secp256k1_point.cl
${CMAKE_CURRENT_SOURCE_DIR}/kernels/secp256k1_batch.cl
${CMAKE_CURRENT_SOURCE_DIR}/kernels/secp256k1_affine.cl
${CMAKE_CURRENT_SOURCE_DIR}/kernels/secp256k1_extended.cl
${CMAKE_CURRENT_SOURCE_DIR}/kernels/secp256k1_hash160.cl
$<TARGET_FILE_DIR:opencl_audit_runner>/kernels/
COMMENT "Copying OpenCL kernel files for audit runner"
)
# CTest integration
enable_testing()
add_test(NAME opencl_selftest COMMAND opencl_test)
add_test(NAME opencl_audit COMMAND opencl_audit_runner --kernel-dir ${CMAKE_CURRENT_SOURCE_DIR}/kernels)
# =============================================================================
# Installation

22
opencl/kernels/secp256k1_extended.cl
View File

@ -415,13 +415,13 @@ inline int scalar_ge_impl(const Scalar* a, const Scalar* b) {
// low-S check (BIP-62)
inline int scalar_is_low_s_impl(const Scalar* s) {
Scalar half;
half.limbs[0] = HALF_ORDER_0; half.limbs[1] = HALF_ORDER_1;
half.limbs[2] = HALF_ORDER_2; half.limbs[3] = HALF_ORDER_3;
Scalar half_n;
half_n.limbs[0] = HALF_ORDER_0; half_n.limbs[1] = HALF_ORDER_1;
half_n.limbs[2] = HALF_ORDER_2; half_n.limbs[3] = HALF_ORDER_3;
for (int i = 3; i >= 0; i--) {
if (s->limbs[i] > half.limbs[i]) return 0;
if (s->limbs[i] < half.limbs[i]) return 1;
if (s->limbs[i] > half_n.limbs[i]) return 0;
if (s->limbs[i] < half_n.limbs[i]) return 1;
}
return 1; // equal = low
}
@ -866,7 +866,8 @@ inline int schnorr_sign_impl(const Scalar* priv, const uchar msg[32],
// t = d XOR tagged_hash("BIP0340/aux", aux_rand)
uchar t_hash[32];
tagged_hash_impl((const uchar*)"BIP0340/aux", 11, aux_rand, 32, t_hash);
{ uchar _tag[] = {'B','I','P','0','3','4','0','/','a','u','x'};
tagged_hash_impl(_tag, 11, aux_rand, 32, t_hash); }
uchar d_bytes[32];
scalar_to_bytes_impl(&d, d_bytes);
@ -881,7 +882,8 @@ inline int schnorr_sign_impl(const Scalar* priv, const uchar msg[32],
for (int i = 0; i < 32; i++) nonce_input[64+i] = msg[i];
uchar rand_hash[32];
tagged_hash_impl((const uchar*)"BIP0340/nonce", 13, nonce_input, 96, rand_hash);
{ uchar _tag[] = {'B','I','P','0','3','4','0','/','n','o','n','c','e'};
tagged_hash_impl(_tag, 13, nonce_input, 96, rand_hash); }
Scalar k_prime;
scalar_from_bytes_impl(rand_hash, &k_prime);
@ -913,7 +915,8 @@ inline int schnorr_sign_impl(const Scalar* priv, const uchar msg[32],
for (int i = 0; i < 32; i++) challenge_input[64+i] = msg[i];
uchar e_hash[32];
tagged_hash_impl((const uchar*)"BIP0340/challenge", 17, challenge_input, 96, e_hash);
{ uchar _tag[] = {'B','I','P','0','3','4','0','/','c','h','a','l','l','e','n','g','e'};
tagged_hash_impl(_tag, 17, challenge_input, 96, e_hash); }
Scalar e;
scalar_from_bytes_impl(e_hash, &e);
@ -939,7 +942,8 @@ inline int schnorr_verify_impl(const uchar pubkey_x[32], const uchar msg[32],
for (int i = 0; i < 32; i++) challenge_input[64+i] = msg[i];
uchar e_hash[32];
tagged_hash_impl((const uchar*)"BIP0340/challenge", 17, challenge_input, 96, e_hash);
{ uchar _tag[] = {'B','I','P','0','3','4','0','/','c','h','a','l','l','e','n','g','e'};
tagged_hash_impl(_tag, 17, challenge_input, 96, e_hash); }
Scalar e;
scalar_from_bytes_impl(e_hash, &e);

1
opencl/kernels/secp256k1_point.cl
View File

@ -46,6 +46,7 @@ typedef struct {
FieldElement y;
FieldElement z;
uint infinity; // 1 if point at infinity
uint pad[7]; // Match host alignas(128) layout — sizeof = 128 bytes
} JacobianPoint;
typedef struct {

1174
opencl/src/opencl_audit_runner.cpp Normal file
View File

File diff suppressed because it is too large Load Diff

2
wasm/package.json
View File

@ -1,6 +1,6 @@
{
"name": "@ultrafastsecp256k1/wasm",
"version": "3.0.0",
"version": "3.21.0",
"description": "Ultra high-performance secp256k1 elliptic curve cryptography — WebAssembly build",
"type": "module",
"main": "secp256k1.mjs",