correct assertion for secp256k1_fe_mul_inner #1438

pull roconnor-blockstream wants to merge 2 commits into bitcoin-core:master from roconnor-blockstream:patch-6 changing 1 file +3 −3
  1. roconnor-blockstream commented at 10:41 PM on November 6, 2023: contributor

    Based on the surrounding asserts, 112 bits before this line, and 61 bits after this line, this assertion should be 113 bits. Notably the commensurate line in secp256k1_fe_sqr_inner is correctly asserted to be 113 bits.

  2. correct assertion for secp256k1_fe_mul_inner
    Based on the surrounding asserts, 112 bits before this line, and 61 bits after this line, this assertion should be 113 bits. Notably the commensurate line in secp256k1_fe_sqr_inner is correctly asserted to be 113 bits.
    8e2a5fe908
  3. real-or-random approved
  4. real-or-random commented at 9:59 AM on November 7, 2023: contributor

    utACK https://github.com/bitcoin-core/secp256k1/pull/1438/commits/8e2a5fe908faa2ad0b847b3e5c42662614c8fa88

    This computes c += u0 * (R << 4), where u0 is 56 bits, (R >> 4) is 33 bits, therefore u0 * (R << 4) is 89 bits, and c before the assignment was 112 bits, so c after the assignment is at most 113 bits.

  5. real-or-random added the label assurance on Nov 13, 2023
  6. real-or-random added the label refactor/smell on Nov 13, 2023
  7. Tighten secp256k1_fe_mul_inner's VERIFY_BITS checks
    These changes bring the checks to the same values used at the corresponding positions in secp256k1_fe_sqr_inner.
    dcdda31f2c
  8. roconnor-blockstream commented at 5:10 PM on November 14, 2023: contributor

    Added a few more changes to make the VERIFY_BITS checks in secp256k1_fe_mul_inner to match the corresponding checks in secp256k1_fe_sqr_inner.

  9. real-or-random commented at 9:05 AM on November 16, 2023: contributor

    utACK dcdda31f2cda13839a4285d8601118c041b18c13

    8e2a5fe908faa2ad0b847b3e5c42662614c8fa88: This computes c += u0 * (R << 4), where u0 is 56 bits, (R >> 4) is 33 bits, therefore u0 * (R << 4) is 89 bits, and c before the assignment was 112 bits, so c after the assignment is at most 113 bits.

    dcdda31f2cda13839a4285d8601118c041b18c13: We're adding values of bit sizes (64, 108, 112, 112, 108). Combining as (((64, 108), 112), (112, 108)) yields ((109, 112), (112, 108)), then (113, 113), and then 114.
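
The bit-bound reasoning in the two reviews above, carried through in code. This is an added illustration, not code from the secp256k1 repository or from either reviewer: it assumes the 5x52 field constant R = 0x1000003D10 (so R >> 4 = 0x1000003D1, the 33-bit value the review quotes), models the VERIFY_BITS bound rules symbolically, and then shows a concrete worst case where the old 112-bit assertion would be too tight while 113 bits still holds.

```c
#include <stdint.h>
#include <stdio.h>

typedef unsigned __int128 u128;

/* Assumption: R = 0x1000003D10 as in secp256k1's 5x52 field code, so R >> 4 is 0x1000003D1. */
#define R_SHR4 0x1000003D1ULL

/* Bit-length of a 128-bit value (0 for zero). */
static int u128_bits(u128 x) { int n = 0; while (x) { x >>= 1; n++; } return n; }

/* Symbolic bound rules behind VERIFY_BITS(x, n) (meaning x < 2^n):
 * an a-bit value times a b-bit value fits in a+b bits;
 * an a-bit value plus a b-bit value fits in max(a,b)+1 bits. */
static int bits_mul(int a, int b) { return a + b; }
static int bits_add(int a, int b) { return (a > b ? a : b) + 1; }

/* Bound on c after c += u0 * (R >> 4), with c at most c_bits and u0 at most u0_bits. */
static int bound_after_step(int c_bits, int u0_bits) {
    return bits_add(c_bits, bits_mul(u0_bits, u128_bits(R_SHR4)));
}

/* Bound for the five-term sum in the second review, combined in the
 * same order: (((64, 108), 112), (112, 108)). */
static int bound_five_term_sum(void) {
    int left = bits_add(bits_add(64, 108), 112);
    int right = bits_add(112, 108);
    return bits_add(left, right);
}

/* Concrete worst case: the largest 112-bit c plus the largest 56-bit u0
 * times R >> 4. Returns the bit-length of the result, which exceeds 112. */
static int worst_case_bits(void) {
    u128 c = (((u128)1) << 112) - 1;
    uint64_t u0 = (1ULL << 56) - 1;
    c += (u128)u0 * R_SHR4;
    return u128_bits(c);
}

int main(void) {
    printf("bits(R >> 4)           = %d\n", u128_bits(R_SHR4));
    printf("bound after the step   = %d\n", bound_after_step(112, 56));
    printf("worst-case actual bits = %d\n", worst_case_bits());
    printf("five-term sum bound    = %d\n", bound_five_term_sum());
    return 0;
}
```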

  10. real-or-random commented at 2:36 PM on November 24, 2023: contributor

    @roconnor-blockstream When you say that you integrated this PR in your formal verification efforts, I assume this means that the proven statement includes the guarantee that these assertions hold?

  11. roconnor-blockstream commented at 4:40 PM on November 24, 2023: contributor

    yes (under the preconditions I give for my specification).

  12. roconnor-blockstream commented at 4:45 PM on November 24, 2023: contributor

    untested-but-formally-verified-ACK

  13. real-or-random approved
  14. real-or-random commented at 8:44 AM on November 27, 2023: contributor

    ACK dcdda31f2cda13839a4285d8601118c041b18c13 tested with asm disabled

  15. real-or-random merged this on Nov 27, 2023
  16. real-or-random closed this on Nov 27, 2023

  17. roconnor-blockstream deleted the branch on Nov 27, 2023
  18. fanquake referenced this in commit 41e1b677ca on Jan 3, 2024
  19. fanquake referenced this in commit 29fde0223a on Jan 4, 2024
  20. janus referenced this in commit 5fe435c9b2 on Apr 6, 2024
  21. hebasto referenced this in commit b6de625950 on May 11, 2024
  22. delta1 referenced this in commit 6089844b3c on Apr 2, 2025
  23. div72 referenced this in commit af627d47c3 on Apr 12, 2025
  24. str4d referenced this in commit 136aa9fe62 on Jun 4, 2025
  25. oskarszoon referenced this in commit 0d5c9260f4 on Jul 1, 2025

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-19 06:52 UTC