mirror of
https://github.com/bitcoin/bitcoin.git
synced 2025-12-08 11:44:14 +01:00
b0869648aa
f5883286e3Add a fuzz test for Num3072 multiplication and inversion (Pieter Wuille)a26ce62894Safegcd based modular inverse for Num3072 (Pieter Wuille)91ce8cef2dAdd benchmark for MuHash finalization (Pieter Wuille) Pull request description: This implements a safegcd-based modular inverse for MuHash3072. It is a fairly straightforward translation of [the libsecp256k1 implementation](https://github.com/bitcoin-core/secp256k1/pull/831), with the following changes: * Generic for 32-bit and 64-bit * Specialized for the specific MuHash3072 modulus (2^3072 - 1103717). * A bit more C++ish * Far fewer sanity checks A benchmark is also included for MuHash3072::Finalize. The new implementation is around 100x faster on x86_64 for me (from 5.8 ms to 57 μs); for 32-bit code the factor is likely even larger. For more information: * [Original paper](https://gcd.cr.yp.to/papers.html) by Daniel J. Bernstein and Bo-Yin Yang * [Implementation](https://github.com/bitcoin-core/secp256k1/pull/767) for libsecp256k1 by Peter Dettman; and the [final](https://github.com/bitcoin-core/secp256k1/pull/831) version * [Explanation](https://github.com/bitcoin-core/secp256k1/blob/master/doc/safegcd_implementation.md) of the algorithm using Python snippets * [Analysis](https://github.com/sipa/safegcd-bounds) of the maximum number of iterations the algorithm needs * [Formal proof in Coq](https://medium.com/blockstream/a-formal-proof-of-safegcd-bounds-695e1735a348) by Russell O'Connor (for the 256-bit version of the algorithm; here we use a 3072-bit one). ACKs for top commit: achow101: ACKf5883286e3TheCharlatan: Re-ACKf5883286e3dergoegge: tACKf5883286e3Tree-SHA512: 275872c61d30817a82901dee93fc7153afca55c32b72a95b8768f3fd464da1b09b36f952f30e70225e766b580751cfb9b874b2feaeb73ffaa6943c8062aee19a