Given [b, c, a, carry] on stack top, following function computes<br /><br />tmp = a + (b * c) + carry<br />hi = tmp >> 32<br />lo = tmp & 0xffff_ffff<br />return (hi, lo)<br /><br />At end of execution of this function, stack top should look like [hi, lo]<br />See https://github.com/itzmeanjan/secp256k1/blob/6e5e654823a073add7d62b21ed88e9de9bb06869/field/base_field_utils.py#L41-L46<br />
## std::math::secp256k1::base_field
| Procedure | Description |
| ----------- | ------------- |
| mul | Given two 256 -bit numbers ( elements belonging to secp256k1 base field ) on stack,<br />where each number is represented in radix-2^32 form ( i.e. each number having eight<br />32 -bit limbs ), following function computes modular multiplication of those two<br />operands, computing 256 -bit result, which belongs to secp256k1 base field.<br /><br />Stack expected as below, holding input<br /><br />[a0, a1, a2, a3, a4, a5, a6, a7, b0, b1, b2, b3, b4, b5, b6, b7, ...] \| a[0..8], b[0..8] are 256 -bit numbers<br /><br />After finishing execution of this function, stack should look like<br /><br />[c0, c1, c2, c3, c4, c5, c6, c7, ...] \| c[0..8] is a 256 -bit number<br /><br />Note, for computing modular multiplication of a[0..8] & b[0..8],<br />school book multiplication equipped with Montgomery reduction technique<br />is used, which is why a[0..8], b[0..8] are expected to be in Montgomery form,<br />while computed c[0..8] will also be in Montgomery form.<br /><br />See https://github.com/itzmeanjan/secp256k1/blob/6e5e654823a073add7d62b21ed88e9de9bb06869/field/base_field_utils.py#L101-L222<br /> |
| add | Given two 256 -bit numbers ( elements belonging to secp256k1 base field ) on stack,<br />where each number is represented in radix-2^32 form ( i.e. each number having eight<br />32 -bit limbs ), following function computes modular addition of those two operands,<br />in secp256k1 base field.<br /><br />Stack expected as below, holding input<br /><br />[a0, a1, a2, a3, a4, a5, a6, a7, b0, b1, b2, b3, b4, b5, b6, b7, ...] \| a[0..8], b[0..8] are 256 -bit numbers<br /><br />After finishing execution of this function, stack should look like<br /><br />[c0, c1, c2, c3, c4, c5, c6, c7, ...] \| c[0..8] is a 256 -bit number<br /><br />See https://github.com/itzmeanjan/secp256k1/blob/6e5e654823a073add7d62b21ed88e9de9bb06869/field/base_field.py#L57-L76<br /> |
| neg | Given a secp256k1 base field element ( say a ) on stack, represented in Montgomery form<br />( i.e. number having eight 32 -bit limbs ), following function negates it to<br />field element a' \| a' + a = 0<br /><br />Stack expected as below, holding input<br /><br />[a0, a1, a2, a3, a4, a5, a6, a7, ...] \| a[0..8] is a secp256k1 base field element<br /><br />After finishing execution of this function, stack should look like<br /><br />[c0, c1, c2, c3, c4, c5, c6, c7, ...] \| c[0..8] is a secp256k1 base field element<br /><br />See https://github.com/itzmeanjan/secp256k1/blob/6e5e654823a073add7d62b21ed88e9de9bb06869/field/base_field.py#L78-L96<br /> |
| sub | Given two secp256k1 base field elements, say a, b, ( represented in Montgomery form,<br />each number having eight 32 -bit limbs ) on stack, following function computes modular<br />subtraction of those two operands c = a + (-b) = a - b<br /><br />Stack expected as below, holding input<br /><br />[a0, a1, a2, a3, a4, a5, a6, a7, b0, b1, b2, b3, b4, b5, b6, b7, ...] \| a[0..8], b[0..8] are secp256k1 base field elements<br /><br />After finishing execution of this function, stack should look like<br /><br />[c0, c1, c2, c3, c4, c5, c6, c7, ...] \| c[0..8] is a secp256k1 base field element<br /><br />See https://github.com/itzmeanjan/secp256k1/blob/6e5e654823a073add7d62b21ed88e9de9bb06869/field/base_field.py#L98-L102<br /> |
| to_mont | Given a 256 -bit number on stack, represented in radix-2^32 form i.e. eight 32 -bit limbs,<br />this routine computes Montgomery representation of provided radix-2^32 number.<br /><br />Stack expected in form<br /><br />[a0, a1, a2, a3, a4, a5, a6, a7, ...]<br /><br />Final stack should look like<br /><br />[a0', a1', a2', a3', a4', a5', a6', a7', ...]<br /><br />See section 2.2 of https://eprint.iacr.org/2017/1057.pdf<br />See https://github.com/itzmeanjan/secp256k1/blob/6e5e654823a073add7d62b21ed88e9de9bb06869/field/base_field_utils.py#L225-L232<br />for implementation<br /> |
| from_mont | Given a 256 -bit number on stack, represented in Montgomery form i.e. eight 32 -bit limbs,<br />this routine computes radix-2^32 representation of provided u256 number.<br /><br />Stack expected as<br /><br />[a0, a1, a2, a3, a4, a5, a6, a7, ...]<br /><br />Final stack should look like<br /><br />[a0', a1', a2', a3', a4', a5', a6', a7', ...]<br /><br />See section 2.2 of https://eprint.iacr.org/2017/1057.pdf<br />See https://github.com/itzmeanjan/secp256k1/blob/6e5e654823a073add7d62b21ed88e9de9bb06869/field/base_field_utils.py#L235-L241<br />for implementation<br /> |
| inv | Given an element ( say a ) of secp256k1 base field, this routine computes multiplicative<br />inverse ( say a' ) of that element s.t. a * a' = 1 ( mod p ) \| p = secp256k1 base field prime<br /><br />Expected stack state<br /><br />[a0, a1, a2, a3, a4, a5, a6, a7, ...] \| a[0..8] is a 256 -bit number<br /><br />Final stack state<br /><br />[b0, b1, b2, b3, b4, b5, b6, b7, ...] \| b[0..8] is a 256 -bit number s.t. b = a^-1 ( mod p )<br /><br />Note, both input and output stays in Montgomery form. If 0 is input operand, then multiplicative<br />inverse can't be computed, which is why output result is also 0.<br /><br />See https://github.com/itzmeanjan/secp256k1/blob/37b339db3e03d24c2977399eb8896ef515ebb09b/field/base_field.py#L114-L132<br /> |