secp256k1FeNormalizesToZero static method

Implementation

static int secp256k1FeNormalizesToZero(Secp256k1Fe r) {
  BigInt t0 = r[0], t1 = r[1], t2 = r[2], t3 = r[3], t4 = r[4];

  /// z0 tracks a possible raw value of 0, z1 tracks a possible raw value of P
  BigInt z0, z1;

  /// Reduce t4 at the start so there will be at most a single carry from the first pass
  BigInt x = (t4 >> 48).toUnsigned64;

  t4 = (t4 & Secp256k1Const.mask48).toUnsigned64;

  /// The first pass ensures the magnitude is 1, ...
  t0 = (t0 + x * Secp256k1Const.mask33).toUnsigned64;
  t1 = (t1 + (t0 >> 52)).toUnsigned64;
  t0 = (t0 & Secp256k1Const.mask52).toUnsigned64;

  z0 = t0;
  z1 = (t0 ^ 0x1000003D0.toBigInt).toUnsigned64;

  t2 = (t2 + (t1 >> 52)).toUnsigned64;
  t1 = (t1 & Secp256k1Const.mask52).toUnsigned64;

  z0 = (z0 | t1).toUnsigned64;
  z1 = (z1 & t1).toUnsigned64;

  t3 = (t3 + (t2 >> 52)).toUnsigned64;
  t2 = (t2 & Secp256k1Const.mask52).toUnsigned64;

  z0 = (z0 | t2).toUnsigned64;
  z1 = (z1 & t2).toUnsigned64;

  t4 = (t4 + (t3 >> 52)).toUnsigned64;
  t3 = (t3 & Secp256k1Const.mask52).toUnsigned64;

  z0 = (z0 | t3).toUnsigned64;
  z1 = (z1 & t3).toUnsigned64;

  z0 = (z0 | t4).toUnsigned64;
  z1 = (z1 & (t4 ^ Secp256k1Const.high4Mask52)).toUnsigned64;

  /// ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element)
  _cond(t4 >> 49 == BigInt.zero, "secp256k1FeNormalizesToZero");

  return ((z0 == BigInt.zero) | (z1 == Secp256k1Const.mask52)).toInt;
}