#include "ed448.h"
#include "curve448_lcl.h"
-/* Template stuff */
-#define SCALAR_BITS DECAF_448_SCALAR_BITS
-#define SCALAR_SER_BYTES DECAF_448_SCALAR_BYTES
-#define SCALAR_LIMBS DECAF_448_SCALAR_LIMBS
-#define scalar_t curve448_scalar_t
-#define point_t curve448_point_t
-#define precomputed_s curve448_precomputed_s
#define COFACTOR 4
/* Comb config: number of combs, n, t, s. */
#define DECAF_WNAF_VAR_TABLE_BITS 3
static const int EDWARDS_D = -39081;
-static const scalar_t precomputed_scalarmul_adjustment = {{{
+static const curve448_scalar_t precomputed_scalarmul_adjustment = {{{
SC_LIMB(0xc873d6d54a7bb0cf), SC_LIMB(0xe933d8d723a70aad), SC_LIMB(0xbb124b65129c96fd), SC_LIMB(0x00000008335dc163)
}}};
typedef struct { niels_t n; gf z; } VECTOR_ALIGNED pniels_s, pniels_t[1];
/* Precomputed base */
-struct precomputed_s { niels_t table [COMBS_N<<(COMBS_T-1)]; };
+struct curve448_precomputed_s { niels_t table [COMBS_N<<(COMBS_T-1)]; };
extern const gf curve448_precomputed_base_as_fe[];
-const precomputed_s *curve448_precomputed_base =
- (const precomputed_s *) &curve448_precomputed_base_as_fe;
+const curve448_precomputed_s *curve448_precomputed_base =
+ (const curve448_precomputed_s *) &curve448_precomputed_base_as_fe;
/** Inverse. */
static void
}
/** identity = (0,1) */
-const point_t curve448_point_identity = {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}};
+const curve448_point_t curve448_point_identity = {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}};
static DECAF_NOINLINE void
point_double_internal (
- point_t p,
- const point_t q,
+ curve448_point_t p,
+ const curve448_point_t q,
int before_double
) {
gf a, b, c, d;
if (!before_double) gf_mul ( p->t, b, d );
}
-void curve448_point_double(point_t p, const point_t q) {
+void curve448_point_double(curve448_point_t p, const curve448_point_t q) {
point_double_internal(p,q,0);
}
static DECAF_NOINLINE void pt_to_pniels (
pniels_t b,
- const point_t a
+ const curve448_point_t a
) {
gf_sub ( b->n->a, a->y, a->x );
gf_add ( b->n->b, a->x, a->y );
}
static DECAF_NOINLINE void pniels_to_pt (
- point_t e,
+ curve448_point_t e,
const pniels_t d
) {
gf eu;
static DECAF_NOINLINE void
niels_to_pt (
- point_t e,
+ curve448_point_t e,
const niels_t n
) {
gf_add ( e->y, n->b, n->a );
static DECAF_NOINLINE void
add_niels_to_pt (
- point_t d,
+ curve448_point_t d,
const niels_t e,
int before_double
) {
static DECAF_NOINLINE void
sub_niels_from_pt (
- point_t d,
+ curve448_point_t d,
const niels_t e,
int before_double
) {
static void
add_pniels_to_pt (
- point_t p,
+ curve448_point_t p,
const pniels_t pn,
int before_double
) {
static void
sub_pniels_from_pt (
- point_t p,
+ curve448_point_t p,
const pniels_t pn,
int before_double
) {
sub_niels_from_pt( p, pn->n, before_double );
}
-decaf_bool_t curve448_point_eq ( const point_t p, const point_t q ) {
+decaf_bool_t curve448_point_eq ( const curve448_point_t p, const curve448_point_t q ) {
/* equality mod 2-torsion compares x/y */
gf a, b;
gf_mul ( a, p->y, q->x );
}
decaf_bool_t curve448_point_valid (
- const point_t p
+ const curve448_point_t p
) {
gf a,b,c;
gf_mul(a,p->x,p->y);
}
void curve448_precomputed_scalarmul (
- point_t out,
- const precomputed_s *table,
- const scalar_t scalar
+ curve448_point_t out,
+ const curve448_precomputed_s *table,
+ const curve448_scalar_t scalar
) {
int i;
unsigned j,k;
const unsigned int n = COMBS_N, t = COMBS_T, s = COMBS_S;
- scalar_t scalar1x;
+ curve448_scalar_t scalar1x;
curve448_scalar_add(scalar1x, scalar, precomputed_scalarmul_adjustment);
curve448_scalar_halve(scalar1x,scalar1x);
for (k=0; k<t; k++) {
unsigned int bit = i + s*(k + j*t);
- if (bit < SCALAR_BITS) {
+ if (bit < DECAF_448_SCALAR_BITS) {
tab |= (scalar1x->limb[bit/WBITS] >> (bit%WBITS) & 1) << k;
}
}
void curve448_point_mul_by_ratio_and_encode_like_eddsa (
uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES],
- const point_t p
+ const curve448_point_t p
) {
/* The point is now on the twisted curve. Move it to untwisted. */
gf x, y, z, t;
- point_t q;
+ curve448_point_t q;
curve448_point_copy(q,p);
{
decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio (
- point_t p,
+ curve448_point_t p,
const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]
) {
uint8_t enc2[DECAF_EDDSA_448_PUBLIC_BYTES];
void curve448_point_mul_by_ratio_and_encode_like_x448 (
uint8_t out[X_PUBLIC_BYTES],
- const point_t p
+ const curve448_point_t p
) {
- point_t q;
+ curve448_point_t q;
curve448_point_copy(q,p);
gf_invert(q->t,q->x,0); /* 1/x */
gf_mul(q->z,q->t,q->y); /* y/x */
scalar2[X_PRIVATE_BYTES-1] &= ~(-1u<<((X_PRIVATE_BITS+7)%8));
scalar2[X_PRIVATE_BYTES-1] |= 1<<((X_PRIVATE_BITS+7)%8);
- scalar_t the_scalar;
+ curve448_scalar_t the_scalar;
curve448_scalar_decode_long(the_scalar,scalar2,sizeof(scalar2));
/* Compensate for the encoding ratio */
for (unsigned i=1; i<DECAF_X448_ENCODE_RATIO; i<<=1) {
curve448_scalar_halve(the_scalar,the_scalar);
}
- point_t p;
+ curve448_point_t p;
curve448_precomputed_scalarmul(p,curve448_precomputed_base,the_scalar);
curve448_point_mul_by_ratio_and_encode_like_x448(out,p);
curve448_point_destroy(p);
static int recode_wnaf (
struct smvt_control *control, /* [nbits/(table_bits+1) + 3] */
- const scalar_t scalar,
+ const curve448_scalar_t scalar,
unsigned int table_bits
) {
- unsigned int table_size = SCALAR_BITS/(table_bits+1) + 3;
+ unsigned int table_size = DECAF_448_SCALAR_BITS/(table_bits+1) + 3;
int position = table_size - 1; /* at the end */
/* place the end marker */
unsigned int w;
const unsigned int B_OVER_16 = sizeof(scalar->limb[0]) / 2;
- for (w = 1; w<(SCALAR_BITS-1)/16+3; w++) {
- if (w < (SCALAR_BITS-1)/16+1) {
+ for (w = 1; w<(DECAF_448_SCALAR_BITS-1)/16+3; w++) {
+ if (w < (DECAF_448_SCALAR_BITS-1)/16+1) {
/* Refill the 16 high bits of current */
current += (uint32_t)((scalar->limb[w/B_OVER_16]>>(16*(w%B_OVER_16)))<<16);
}
static void
prepare_wnaf_table(
pniels_t *output,
- const point_t working,
+ const curve448_point_t working,
unsigned int tbits
) {
- point_t tmp;
+ curve448_point_t tmp;
int i;
pt_to_pniels(output[0], working);
static const niels_t *curve448_wnaf_base = (const niels_t *)curve448_precomputed_wnaf_as_fe;
void curve448_base_double_scalarmul_non_secret (
- point_t combo,
- const scalar_t scalar1,
- const point_t base2,
- const scalar_t scalar2
+ curve448_point_t combo,
+ const curve448_scalar_t scalar1,
+ const curve448_point_t base2,
+ const curve448_scalar_t scalar2
) {
const int table_bits_var = DECAF_WNAF_VAR_TABLE_BITS,
table_bits_pre = DECAF_WNAF_FIXED_TABLE_BITS;
- struct smvt_control control_var[SCALAR_BITS/(table_bits_var+1)+3];
- struct smvt_control control_pre[SCALAR_BITS/(table_bits_pre+1)+3];
+ struct smvt_control control_var[DECAF_448_SCALAR_BITS/(table_bits_var+1)+3];
+ struct smvt_control control_pre[DECAF_448_SCALAR_BITS/(table_bits_pre+1)+3];
int ncb_pre = recode_wnaf(control_pre, scalar1, table_bits_pre);
int ncb_var = recode_wnaf(control_var, scalar2, table_bits_var);
}
void curve448_point_destroy (
- point_t point
+ curve448_point_t point
) {
- OPENSSL_cleanse(point, sizeof(point_t));
+ OPENSSL_cleanse(point, sizeof(curve448_point_t));
}
int X448(uint8_t out_shared_key[56], const uint8_t private_key[56],
#include "constant_time.h"
#include "point_448.h"
-/* Template stuff */
-#define SCALAR_BITS DECAF_448_SCALAR_BITS
-#define SCALAR_SER_BYTES DECAF_448_SCALAR_BYTES
-#define SCALAR_LIMBS DECAF_448_SCALAR_LIMBS
-#define scalar_t curve448_scalar_t
-
static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)0x3bd440fae918bc5ull;
-static const scalar_t sc_p = {{{
+static const curve448_scalar_t sc_p = {{{
SC_LIMB(0x2378c292ab5844f3), SC_LIMB(0x216cc2728dc58f55), SC_LIMB(0xc44edb49aed63690), SC_LIMB(0xffffffff7cca23e9), SC_LIMB(0xffffffffffffffff), SC_LIMB(0xffffffffffffffff), SC_LIMB(0x3fffffffffffffff)
}}}, sc_r2 = {{{
SC_LIMB(0xe3539257049b9b60), SC_LIMB(0x7af32c4bc1b195d9), SC_LIMB(0x0d66de2388ea1859), SC_LIMB(0xae17cf725ee4d838), SC_LIMB(0x1a9cc14ba3c47c44), SC_LIMB(0x2052bcb7e4d070af), SC_LIMB(0x3402a939f823b729)
#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */
-const scalar_t curve448_scalar_one = {{{1}}}, curve448_scalar_zero = {{{0}}};
+const curve448_scalar_t curve448_scalar_one = {{{1}}}, curve448_scalar_zero = {{{0}}};
/** {extra,accum} - sub +? p
* Must have extra <= 1
*/
static DECAF_NOINLINE void sc_subx(
- scalar_t out,
- const decaf_word_t accum[SCALAR_LIMBS],
- const scalar_t sub,
- const scalar_t p,
+ curve448_scalar_t out,
+ const decaf_word_t accum[DECAF_448_SCALAR_LIMBS],
+ const curve448_scalar_t sub,
+ const curve448_scalar_t p,
decaf_word_t extra
) {
decaf_dsword_t chain = 0;
unsigned int i;
- for (i=0; i<SCALAR_LIMBS; i++) {
+ for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
chain = (chain + accum[i]) - sub->limb[i];
out->limb[i] = chain;
chain >>= WBITS;
decaf_word_t borrow = chain+extra; /* = 0 or -1 */
chain = 0;
- for (i=0; i<SCALAR_LIMBS; i++) {
+ for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
chain = (chain + out->limb[i]) + (p->limb[i] & borrow);
out->limb[i] = chain;
chain >>= WBITS;
}
static DECAF_NOINLINE void sc_montmul (
- scalar_t out,
- const scalar_t a,
- const scalar_t b
+ curve448_scalar_t out,
+ const curve448_scalar_t a,
+ const curve448_scalar_t b
) {
unsigned int i,j;
- decaf_word_t accum[SCALAR_LIMBS+1] = {0};
+ decaf_word_t accum[DECAF_448_SCALAR_LIMBS+1] = {0};
decaf_word_t hi_carry = 0;
- for (i=0; i<SCALAR_LIMBS; i++) {
+ for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
decaf_word_t mand = a->limb[i];
const decaf_word_t *mier = b->limb;
decaf_dword_t chain = 0;
- for (j=0; j<SCALAR_LIMBS; j++) {
+ for (j=0; j<DECAF_448_SCALAR_LIMBS; j++) {
chain += ((decaf_dword_t)mand)*mier[j] + accum[j];
accum[j] = chain;
chain >>= WBITS;
mand = accum[0] * MONTGOMERY_FACTOR;
chain = 0;
mier = sc_p->limb;
- for (j=0; j<SCALAR_LIMBS; j++) {
+ for (j=0; j<DECAF_448_SCALAR_LIMBS; j++) {
chain += (decaf_dword_t)mand*mier[j] + accum[j];
if (j) accum[j-1] = chain;
chain >>= WBITS;
}
void curve448_scalar_mul (
- scalar_t out,
- const scalar_t a,
- const scalar_t b
+ curve448_scalar_t out,
+ const curve448_scalar_t a,
+ const curve448_scalar_t b
) {
sc_montmul(out,a,b);
sc_montmul(out,out,sc_r2);
}
void curve448_scalar_sub (
- scalar_t out,
- const scalar_t a,
- const scalar_t b
+ curve448_scalar_t out,
+ const curve448_scalar_t a,
+ const curve448_scalar_t b
) {
sc_subx(out, a->limb, b, sc_p, 0);
}
void curve448_scalar_add (
- scalar_t out,
- const scalar_t a,
- const scalar_t b
+ curve448_scalar_t out,
+ const curve448_scalar_t a,
+ const curve448_scalar_t b
) {
decaf_dword_t chain = 0;
unsigned int i;
- for (i=0; i<SCALAR_LIMBS; i++) {
+ for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
chain = (chain + a->limb[i]) + b->limb[i];
out->limb[i] = chain;
chain >>= WBITS;
}
static DECAF_INLINE void scalar_decode_short (
- scalar_t s,
+ curve448_scalar_t s,
const unsigned char *ser,
unsigned int nbytes
) {
unsigned int i,j,k=0;
- for (i=0; i<SCALAR_LIMBS; i++) {
+ for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
decaf_word_t out = 0;
for (j=0; j<sizeof(decaf_word_t) && k<nbytes; j++,k++) {
out |= ((decaf_word_t)ser[k])<<(8*j);
}
decaf_error_t curve448_scalar_decode(
- scalar_t s,
- const unsigned char ser[SCALAR_SER_BYTES]
+ curve448_scalar_t s,
+ const unsigned char ser[DECAF_448_SCALAR_BYTES]
) {
unsigned int i;
- scalar_decode_short(s, ser, SCALAR_SER_BYTES);
+ scalar_decode_short(s, ser, DECAF_448_SCALAR_BYTES);
decaf_dsword_t accum = 0;
- for (i=0; i<SCALAR_LIMBS; i++) {
+ for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS;
}
/* Here accum == 0 or -1 */
}
void curve448_scalar_destroy (
- scalar_t scalar
+ curve448_scalar_t scalar
) {
- OPENSSL_cleanse(scalar, sizeof(scalar_t));
+ OPENSSL_cleanse(scalar, sizeof(curve448_scalar_t));
}
void curve448_scalar_decode_long(
- scalar_t s,
+ curve448_scalar_t s,
const unsigned char *ser,
size_t ser_len
) {
}
size_t i;
- scalar_t t1, t2;
+ curve448_scalar_t t1, t2;
- i = ser_len - (ser_len%SCALAR_SER_BYTES);
- if (i==ser_len) i -= SCALAR_SER_BYTES;
+ i = ser_len - (ser_len%DECAF_448_SCALAR_BYTES);
+ if (i==ser_len) i -= DECAF_448_SCALAR_BYTES;
scalar_decode_short(t1, &ser[i], ser_len-i);
- if (ser_len == sizeof(scalar_t)) {
+ if (ser_len == sizeof(curve448_scalar_t)) {
assert(i==0);
/* ham-handed reduce */
curve448_scalar_mul(s,t1,curve448_scalar_one);
}
while (i) {
- i -= SCALAR_SER_BYTES;
+ i -= DECAF_448_SCALAR_BYTES;
sc_montmul(t1,t1,sc_r2);
ignore_result( curve448_scalar_decode(t2, ser+i) );
curve448_scalar_add(t1, t1, t2);
}
void curve448_scalar_encode(
- unsigned char ser[SCALAR_SER_BYTES],
- const scalar_t s
+ unsigned char ser[DECAF_448_SCALAR_BYTES],
+ const curve448_scalar_t s
) {
unsigned int i,j,k=0;
- for (i=0; i<SCALAR_LIMBS; i++) {
+ for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
for (j=0; j<sizeof(decaf_word_t); j++,k++) {
ser[k] = s->limb[i] >> (8*j);
}
}
void curve448_scalar_halve (
- scalar_t out,
- const scalar_t a
+ curve448_scalar_t out,
+ const curve448_scalar_t a
) {
decaf_word_t mask = -(a->limb[0] & 1);
decaf_dword_t chain = 0;
unsigned int i;
- for (i=0; i<SCALAR_LIMBS; i++) {
+ for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
chain = (chain + a->limb[i]) + (sc_p->limb[i] & mask);
out->limb[i] = chain;
chain >>= DECAF_WORD_BITS;
}
- for (i=0; i<SCALAR_LIMBS-1; i++) {
+ for (i=0; i<DECAF_448_SCALAR_LIMBS-1; i++) {
out->limb[i] = out->limb[i]>>1 | out->limb[i+1]<<(WBITS-1);
}
out->limb[i] = out->limb[i]>>1 | chain<<(WBITS-1);
projects / openssl.git / commitdiff