2 * @file ed448goldilocks/decaf.c
6 * Copyright (c) 2015-2016 Cryptography Research, Inc. \n
7 * Released under the MIT License. See LICENSE.txt for license information.
9 * @brief Decaf high-level functions.
11 * @warning This file was automatically generated in Python.
12 * Please do not edit it.
14 #define _XOPEN_SOURCE 600 /* for posix_memalign */
19 #include <decaf/ed448.h>
22 #define API_NS(_id) decaf_448_##_id
23 #define SCALAR_BITS DECAF_448_SCALAR_BITS
24 #define SCALAR_SER_BYTES DECAF_448_SCALAR_BYTES
25 #define SCALAR_LIMBS DECAF_448_SCALAR_LIMBS
26 #define scalar_t API_NS(scalar_t)
27 #define point_t API_NS(point_t)
28 #define precomputed_s API_NS(precomputed_s)
29 #define IMAGINE_TWIST 0
32 /* Comb config: number of combs, n, t, s. */
36 #define DECAF_WINDOW_BITS 5
37 #define DECAF_WNAF_FIXED_TABLE_BITS 5
38 #define DECAF_WNAF_VAR_TABLE_BITS 3
40 #define EDDSA_USE_SIGMA_ISOGENY 0
42 static const int EDWARDS_D = -39081;
43 static const scalar_t point_scalarmul_adjustment = {{{
44 SC_LIMB(0xc873d6d54a7bb0cf), SC_LIMB(0xe933d8d723a70aad), SC_LIMB(0xbb124b65129c96fd), SC_LIMB(0x00000008335dc163)
45 }}}, precomputed_scalarmul_adjustment = {{{
46 SC_LIMB(0xc873d6d54a7bb0cf), SC_LIMB(0xe933d8d723a70aad), SC_LIMB(0xbb124b65129c96fd), SC_LIMB(0x00000008335dc163)
49 const uint8_t decaf_x448_base_point[DECAF_X448_PUBLIC_BYTES] = { 0x05 };
51 #define RISTRETTO_FACTOR DECAF_448_RISTRETTO_FACTOR
52 const gf RISTRETTO_FACTOR = {{{
53 0x42ef0f45572736, 0x7bf6aa20ce5296, 0xf4fd6eded26033, 0x968c14ba839a66, 0xb8d54b64a2d780, 0x6aa0a1f1a7b8a5, 0x683bf68d722fa2, 0x22d962fbeb24f7
57 #define TWISTED_D (-(EDWARDS_D))
59 #define TWISTED_D ((EDWARDS_D)-1)
63 #define EFF_D (-(TWISTED_D))
66 #define EFF_D TWISTED_D
70 /* End of template stuff */
73 #if (COFACTOR == 8) && !IMAGINE_TWIST && !UNSAFE_CURVE_HAS_POINTS_AT_INFINITY
74 /* FUTURE MAGIC: Curve41417 doesn't have these properties. */
75 #error "Currently require IMAGINE_TWIST (and thus p=5 mod 8) for cofactor 8"
77 * Two reasons: #1: There are bugs when COFACTOR == && IMAGINE_TWIST
82 #if IMAGINE_TWIST && (P_MOD_8 != 5)
83 #error "Cannot use IMAGINE_TWIST except for p == 5 mod 8"
86 #if (COFACTOR != 8) && (COFACTOR != 4)
87 #error "COFACTOR must be 4 or 8"
91 extern const gf SQRT_MINUS_ONE;
94 #define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */
96 extern const point_t API_NS(point_base);
98 /* Projective Niels coordinates */
99 typedef struct { gf a, b, c; } niels_s, niels_t[1];
100 typedef struct { niels_t n; gf z; } VECTOR_ALIGNED pniels_s, pniels_t[1];
102 /* Precomputed base */
103 struct precomputed_s { niels_t table [COMBS_N<<(COMBS_T-1)]; };
105 extern const gf API_NS(precomputed_base_as_fe)[];
106 const precomputed_s *API_NS(precomputed_base) =
107 (const precomputed_s *) &API_NS(precomputed_base_as_fe);
109 const size_t API_NS(sizeof_precomputed_s) = sizeof(precomputed_s);
110 const size_t API_NS(alignof_precomputed_s) = sizeof(big_register_t);
114 gf_invert(gf y, const gf x, int assert_nonzero) {
116 gf_sqr(t1, x); // o^2
117 mask_t ret = gf_isr(t2, t1); // +-1/sqrt(o^2) = +-1/o
119 if (assert_nonzero) assert(ret);
121 gf_mul(t2, t1, x); // not direct to y in case of alias.
125 /** identity = (0,1) */
126 const point_t API_NS(point_identity) = {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}};
128 /* Predeclare because not static: called by elligator */
129 void API_NS(deisogenize) (
130 gf_s *__restrict__ s,
131 gf_s *__restrict__ inv_el_sum,
132 gf_s *__restrict__ inv_el_m1,
136 mask_t toggle_rotation
139 void API_NS(deisogenize) (
140 gf_s *__restrict__ s,
141 gf_s *__restrict__ inv_el_sum,
142 gf_s *__restrict__ inv_el_m1,
146 mask_t toggle_rotation
148 #if COFACTOR == 4 && !IMAGINE_TWIST
149 (void)toggle_rotation; /* Only applies to cofactor 8 */
151 gf_s *t2 = s, *t3=inv_el_sum, *t4=inv_el_m1;
153 gf_add(t1,p->x,p->t);
154 gf_sub(t2,p->x,p->t);
155 gf_mul(t3,t1,t2); /* t3 = num */
158 gf_mulw(t2,t1,-1-TWISTED_D); /* -x^2 * (a-d) * num */
159 gf_isr(t1,t2); /* t1 = isr */
160 gf_mul(t2,t1,t3); /* t2 = ratio */
161 gf_mul(t4,t2,RISTRETTO_FACTOR);
162 mask_t negx = gf_lobit(t4) ^ toggle_altx;
163 gf_cond_neg(t2, negx);
167 gf_mulw(t4,t2,-1-TWISTED_D);
169 mask_t lobs = gf_lobit(s);
171 gf_copy(inv_el_m1,p->x);
172 gf_cond_neg(inv_el_m1,~lobs^negx^toggle_s);
173 gf_add(inv_el_m1,inv_el_m1,p->t);
175 #elif COFACTOR == 8 && IMAGINE_TWIST
176 /* More complicated because of rotation */
178 gf_add(t1,p->z,p->y);
179 gf_sub(t2,p->z,p->y);
180 gf_mul(t3,t1,t2); /* t3 = num */
181 gf_mul(t2,p->x,p->y); /* t2 = den */
184 gf_mulw(t1,t4,-1-TWISTED_D);
185 gf_isr(t4,t1); /* isqrt(num*(a-d)*den^2) */
187 gf_mul(t2,t1,RISTRETTO_FACTOR); /* t2 = "iden" in ristretto.sage */
188 gf_mul(t1,t3,t4); /* t1 = "inum" in ristretto.sage */
190 /* Calculate altxy = iden*inum*i*t^2*(d-a) */
195 gf_mulw(t3,t4,TWISTED_D+1); /* iden*inum*i*t^2*(d-1) */
196 mask_t rotate = toggle_rotation ^ gf_lobit(t3);
198 /* Rotate if altxy is negative */
199 gf_cond_swap(t1,t2,rotate);
201 gf_cond_sel(t4,p->y,t4,rotate); /* t4 = "fac" = ix if rotate, else y */
203 gf_mul_i(t5,RISTRETTO_FACTOR); /* t5 = imi */
204 gf_mul(t3,t5,t2); /* iden * imi */
206 gf_mul(t5,t2,p->t); /* "altx" = iden*imi*t */
207 mask_t negx = gf_lobit(t5) ^ toggle_altx;
209 gf_cond_neg(t1,negx^rotate);
212 gf_mul(inv_el_sum,t2,t4);
213 gf_mul(s,inv_el_sum,t3);
215 mask_t negs = gf_lobit(s);
218 mask_t negz = ~negs ^ toggle_s ^ negx;
219 gf_copy(inv_el_m1,p->z);
220 gf_cond_neg(inv_el_m1,negz);
221 gf_sub(inv_el_m1,inv_el_m1,t4);
223 #error "Cofactor must be 4 (with no IMAGINE_TWIST) or 8 (with IMAGINE_TWIST)"
227 void API_NS(point_encode)( unsigned char ser[SER_BYTES], const point_t p ) {
229 API_NS(deisogenize)(s,ie1,ie2,p,0,0,0);
230 gf_serialize(ser,s,1);
233 decaf_error_t API_NS(point_decode) (
235 const unsigned char ser[SER_BYTES],
236 decaf_bool_t allow_identity
239 gf_s *tmp2=s2, *ynum=p->z, *isr=p->x, *den=p->t;
241 mask_t succ = gf_deserialize(s, ser, 1, 0);
242 succ &= bool_to_mask(allow_identity) | ~gf_eq(s, ZERO);
243 succ &= ~gf_lobit(s);
245 gf_sqr(s2,s); /* s^2 = -as^2 */
247 gf_sub(s2,ZERO,s2); /* -as^2 */
249 gf_sub(den,ONE,s2); /* 1+as^2 */
250 gf_add(ynum,ONE,s2); /* 1-as^2 */
251 gf_mulw(num,s2,-4*TWISTED_D);
252 gf_sqr(tmp,den); /* tmp = den^2 */
253 gf_add(num,tmp,num); /* num = den^2 - 4*d*s^2 */
254 gf_mul(tmp2,num,tmp); /* tmp2 = num*den^2 */
255 succ &= gf_isr(isr,tmp2); /* isr = 1/sqrt(num*den^2) */
256 gf_mul(tmp,isr,den); /* isr*den */
257 gf_mul(p->y,tmp,ynum); /* isr*den*(1-as^2) */
258 gf_mul(tmp2,tmp,s); /* s*isr*den */
259 gf_add(tmp2,tmp2,tmp2); /* 2*s*isr*den */
260 gf_mul(tmp,tmp2,isr); /* 2*s*isr^2*den */
261 gf_mul(p->x,tmp,num); /* 2*s*isr^2*den*num */
262 gf_mul(tmp,tmp2,RISTRETTO_FACTOR); /* 2*s*isr*den*magic */
263 gf_cond_neg(p->x,gf_lobit(tmp)); /* flip x */
266 /* Additionally check y != 0 and x*y*isomagic nonegative */
267 succ &= ~gf_eq(p->y,ZERO);
268 gf_mul(tmp,p->x,p->y);
269 gf_mul(tmp2,tmp,RISTRETTO_FACTOR);
270 succ &= ~gf_lobit(tmp2);
278 /* Fill in z and t */
280 gf_mul(p->t,p->x,p->y);
282 assert(API_NS(point_valid)(p) | ~succ);
283 return decaf_succeed_if(mask_to_bool(succ));
286 void API_NS(point_sub) (
292 gf_sub_nr ( b, q->y, q->x ); /* 3+e */
293 gf_sub_nr ( d, r->y, r->x ); /* 3+e */
294 gf_add_nr ( c, r->y, r->x ); /* 2+e */
296 gf_add_nr ( b, q->y, q->x ); /* 2+e */
297 gf_mul ( p->y, d, b );
298 gf_mul ( b, r->t, q->t );
299 gf_mulw ( p->x, b, 2*EFF_D );
300 gf_add_nr ( b, a, p->y ); /* 2+e */
301 gf_sub_nr ( c, p->y, a ); /* 3+e */
302 gf_mul ( a, q->z, r->z );
303 gf_add_nr ( a, a, a ); /* 2+e */
304 if (GF_HEADROOM <= 3) gf_weak_reduce(a); /* or 1+e */
306 gf_sub_nr ( p->y, a, p->x ); /* 4+e or 3+e */
307 gf_add_nr ( a, a, p->x ); /* 3+e or 2+e */
309 gf_add_nr ( p->y, a, p->x ); /* 3+e or 2+e */
310 gf_sub_nr ( a, a, p->x ); /* 4+e or 3+e */
312 gf_mul ( p->z, a, p->y );
313 gf_mul ( p->x, p->y, c );
314 gf_mul ( p->y, a, b );
315 gf_mul ( p->t, b, c );
318 void API_NS(point_add) (
324 gf_sub_nr ( b, q->y, q->x ); /* 3+e */
325 gf_sub_nr ( c, r->y, r->x ); /* 3+e */
326 gf_add_nr ( d, r->y, r->x ); /* 2+e */
328 gf_add_nr ( b, q->y, q->x ); /* 2+e */
329 gf_mul ( p->y, d, b );
330 gf_mul ( b, r->t, q->t );
331 gf_mulw ( p->x, b, 2*EFF_D );
332 gf_add_nr ( b, a, p->y ); /* 2+e */
333 gf_sub_nr ( c, p->y, a ); /* 3+e */
334 gf_mul ( a, q->z, r->z );
335 gf_add_nr ( a, a, a ); /* 2+e */
336 if (GF_HEADROOM <= 3) gf_weak_reduce(a); /* or 1+e */
338 gf_add_nr ( p->y, a, p->x ); /* 3+e or 2+e */
339 gf_sub_nr ( a, a, p->x ); /* 4+e or 3+e */
341 gf_sub_nr ( p->y, a, p->x ); /* 4+e or 3+e */
342 gf_add_nr ( a, a, p->x ); /* 3+e or 2+e */
344 gf_mul ( p->z, a, p->y );
345 gf_mul ( p->x, p->y, c );
346 gf_mul ( p->y, a, b );
347 gf_mul ( p->t, b, c );
350 static DECAF_NOINLINE void
351 point_double_internal (
359 gf_add_nr ( d, c, a ); /* 2+e */
360 gf_add_nr ( p->t, q->y, q->x ); /* 2+e */
362 gf_subx_nr ( b, b, d, 3 ); /* 4+e */
363 gf_sub_nr ( p->t, a, c ); /* 3+e */
364 gf_sqr ( p->x, q->z );
365 gf_add_nr ( p->z, p->x, p->x ); /* 2+e */
366 gf_subx_nr ( a, p->z, p->t, 4 ); /* 6+e */
367 if (GF_HEADROOM == 5) gf_weak_reduce(a); /* or 1+e */
368 gf_mul ( p->x, a, b );
369 gf_mul ( p->z, p->t, a );
370 gf_mul ( p->y, p->t, d );
371 if (!before_double) gf_mul ( p->t, b, d );
374 void API_NS(point_double)(point_t p, const point_t q) {
375 point_double_internal(p,q,0);
378 void API_NS(point_negate) (
382 gf_sub(nega->x, ZERO, a->x);
383 gf_copy(nega->y, a->y);
384 gf_copy(nega->z, a->z);
385 gf_sub(nega->t, ZERO, a->t);
388 /* Operations on [p]niels */
389 static DECAF_INLINE void
394 gf_cond_swap(n->a, n->b, neg);
395 gf_cond_neg(n->c, neg);
398 static DECAF_NOINLINE void pt_to_pniels (
402 gf_sub ( b->n->a, a->y, a->x );
403 gf_add ( b->n->b, a->x, a->y );
404 gf_mulw ( b->n->c, a->t, 2*TWISTED_D );
405 gf_add ( b->z, a->z, a->z );
408 static DECAF_NOINLINE void pniels_to_pt (
413 gf_add ( eu, d->n->b, d->n->a );
414 gf_sub ( e->y, d->n->b, d->n->a );
415 gf_mul ( e->t, e->y, eu);
416 gf_mul ( e->x, d->z, e->y );
417 gf_mul ( e->y, d->z, eu );
418 gf_sqr ( e->z, d->z );
421 static DECAF_NOINLINE void
426 gf_add ( e->y, n->b, n->a );
427 gf_sub ( e->x, n->b, n->a );
428 gf_mul ( e->t, e->y, e->x );
429 gf_copy ( e->z, ONE );
432 static DECAF_NOINLINE void
439 gf_sub_nr ( b, d->y, d->x ); /* 3+e */
440 gf_mul ( a, e->a, b );
441 gf_add_nr ( b, d->x, d->y ); /* 2+e */
442 gf_mul ( d->y, e->b, b );
443 gf_mul ( d->x, e->c, d->t );
444 gf_add_nr ( c, a, d->y ); /* 2+e */
445 gf_sub_nr ( b, d->y, a ); /* 3+e */
446 gf_sub_nr ( d->y, d->z, d->x ); /* 3+e */
447 gf_add_nr ( a, d->x, d->z ); /* 2+e */
448 gf_mul ( d->z, a, d->y );
449 gf_mul ( d->x, d->y, b );
450 gf_mul ( d->y, a, c );
451 if (!before_double) gf_mul ( d->t, b, c );
454 static DECAF_NOINLINE void
461 gf_sub_nr ( b, d->y, d->x ); /* 3+e */
462 gf_mul ( a, e->b, b );
463 gf_add_nr ( b, d->x, d->y ); /* 2+e */
464 gf_mul ( d->y, e->a, b );
465 gf_mul ( d->x, e->c, d->t );
466 gf_add_nr ( c, a, d->y ); /* 2+e */
467 gf_sub_nr ( b, d->y, a ); /* 3+e */
468 gf_add_nr ( d->y, d->z, d->x ); /* 2+e */
469 gf_sub_nr ( a, d->z, d->x ); /* 3+e */
470 gf_mul ( d->z, a, d->y );
471 gf_mul ( d->x, d->y, b );
472 gf_mul ( d->y, a, c );
473 if (!before_double) gf_mul ( d->t, b, c );
483 gf_mul ( L0, p->z, pn->z );
484 gf_copy ( p->z, L0 );
485 add_niels_to_pt( p, pn->n, before_double );
495 gf_mul ( L0, p->z, pn->z );
496 gf_copy ( p->z, L0 );
497 sub_niels_from_pt( p, pn->n, before_double );
500 static DECAF_NOINLINE void
501 prepare_fixed_window(
510 point_double_internal(tmp, b, 0);
511 pt_to_pniels(pn, tmp);
512 pt_to_pniels(multiples[0], b);
513 API_NS(point_copy)(tmp, b);
514 for (i=1; i<ntable; i++) {
515 add_pniels_to_pt(tmp, pn, 0);
516 pt_to_pniels(multiples[i], tmp);
519 decaf_bzero(pn,sizeof(pn));
520 decaf_bzero(tmp,sizeof(tmp));
523 void API_NS(point_scalarmul) (
526 const scalar_t scalar
528 const int WINDOW = DECAF_WINDOW_BITS,
529 WINDOW_MASK = (1<<WINDOW)-1,
530 WINDOW_T_MASK = WINDOW_MASK >> 1,
531 NTABLE = 1<<(WINDOW-1);
534 API_NS(scalar_add)(scalar1x, scalar, point_scalarmul_adjustment);
535 API_NS(scalar_halve)(scalar1x,scalar1x);
537 /* Set up a precomputed table with odd multiples of b. */
538 pniels_t pn, multiples[NTABLE];
540 prepare_fixed_window(multiples, b, NTABLE);
544 i = SCALAR_BITS - ((SCALAR_BITS-1) % WINDOW) - 1;
546 for (; i>=0; i-=WINDOW) {
547 /* Fetch another block of bits */
548 word_t bits = scalar1x->limb[i/WBITS] >> (i%WBITS);
549 if (i%WBITS >= WBITS-WINDOW && i/WBITS<SCALAR_LIMBS-1) {
550 bits ^= scalar1x->limb[i/WBITS+1] << (WBITS - (i%WBITS));
553 mask_t inv = (bits>>(WINDOW-1))-1;
556 /* Add in from table. Compute t only on last iteration. */
557 constant_time_lookup(pn, multiples, sizeof(pn), NTABLE, bits & WINDOW_T_MASK);
558 cond_neg_niels(pn->n, inv);
560 pniels_to_pt(tmp, pn);
563 /* Using Hisil et al's lookahead method instead of extensible here
564 * for no particular reason. Double WINDOW times, but only compute t on
567 for (j=0; j<WINDOW-1; j++)
568 point_double_internal(tmp, tmp, -1);
569 point_double_internal(tmp, tmp, 0);
570 add_pniels_to_pt(tmp, pn, i ? -1 : 0);
574 /* Write out the answer */
575 API_NS(point_copy)(a,tmp);
577 decaf_bzero(scalar1x,sizeof(scalar1x));
578 decaf_bzero(pn,sizeof(pn));
579 decaf_bzero(multiples,sizeof(multiples));
580 decaf_bzero(tmp,sizeof(tmp));
583 void API_NS(point_double_scalarmul) (
586 const scalar_t scalarb,
588 const scalar_t scalarc
590 const int WINDOW = DECAF_WINDOW_BITS,
591 WINDOW_MASK = (1<<WINDOW)-1,
592 WINDOW_T_MASK = WINDOW_MASK >> 1,
593 NTABLE = 1<<(WINDOW-1);
595 scalar_t scalar1x, scalar2x;
596 API_NS(scalar_add)(scalar1x, scalarb, point_scalarmul_adjustment);
597 API_NS(scalar_halve)(scalar1x,scalar1x);
598 API_NS(scalar_add)(scalar2x, scalarc, point_scalarmul_adjustment);
599 API_NS(scalar_halve)(scalar2x,scalar2x);
601 /* Set up a precomputed table with odd multiples of b. */
602 pniels_t pn, multiples1[NTABLE], multiples2[NTABLE];
604 prepare_fixed_window(multiples1, b, NTABLE);
605 prepare_fixed_window(multiples2, c, NTABLE);
609 i = SCALAR_BITS - ((SCALAR_BITS-1) % WINDOW) - 1;
611 for (; i>=0; i-=WINDOW) {
612 /* Fetch another block of bits */
613 word_t bits1 = scalar1x->limb[i/WBITS] >> (i%WBITS),
614 bits2 = scalar2x->limb[i/WBITS] >> (i%WBITS);
615 if (i%WBITS >= WBITS-WINDOW && i/WBITS<SCALAR_LIMBS-1) {
616 bits1 ^= scalar1x->limb[i/WBITS+1] << (WBITS - (i%WBITS));
617 bits2 ^= scalar2x->limb[i/WBITS+1] << (WBITS - (i%WBITS));
619 bits1 &= WINDOW_MASK;
620 bits2 &= WINDOW_MASK;
621 mask_t inv1 = (bits1>>(WINDOW-1))-1;
622 mask_t inv2 = (bits2>>(WINDOW-1))-1;
626 /* Add in from table. Compute t only on last iteration. */
627 constant_time_lookup(pn, multiples1, sizeof(pn), NTABLE, bits1 & WINDOW_T_MASK);
628 cond_neg_niels(pn->n, inv1);
630 pniels_to_pt(tmp, pn);
633 /* Using Hisil et al's lookahead method instead of extensible here
634 * for no particular reason. Double WINDOW times, but only compute t on
637 for (j=0; j<WINDOW-1; j++)
638 point_double_internal(tmp, tmp, -1);
639 point_double_internal(tmp, tmp, 0);
640 add_pniels_to_pt(tmp, pn, 0);
642 constant_time_lookup(pn, multiples2, sizeof(pn), NTABLE, bits2 & WINDOW_T_MASK);
643 cond_neg_niels(pn->n, inv2);
644 add_pniels_to_pt(tmp, pn, i?-1:0);
647 /* Write out the answer */
648 API_NS(point_copy)(a,tmp);
651 decaf_bzero(scalar1x,sizeof(scalar1x));
652 decaf_bzero(scalar2x,sizeof(scalar2x));
653 decaf_bzero(pn,sizeof(pn));
654 decaf_bzero(multiples1,sizeof(multiples1));
655 decaf_bzero(multiples2,sizeof(multiples2));
656 decaf_bzero(tmp,sizeof(tmp));
659 void API_NS(point_dual_scalarmul) (
663 const scalar_t scalar1,
664 const scalar_t scalar2
666 const int WINDOW = DECAF_WINDOW_BITS,
667 WINDOW_MASK = (1<<WINDOW)-1,
668 WINDOW_T_MASK = WINDOW_MASK >> 1,
669 NTABLE = 1<<(WINDOW-1);
671 scalar_t scalar1x, scalar2x;
672 API_NS(scalar_add)(scalar1x, scalar1, point_scalarmul_adjustment);
673 API_NS(scalar_halve)(scalar1x,scalar1x);
674 API_NS(scalar_add)(scalar2x, scalar2, point_scalarmul_adjustment);
675 API_NS(scalar_halve)(scalar2x,scalar2x);
677 /* Set up a precomputed table with odd multiples of b. */
678 point_t multiples1[NTABLE], multiples2[NTABLE], working, tmp;
681 API_NS(point_copy)(working, b);
686 for (i=0; i<NTABLE; i++) {
687 API_NS(point_copy)(multiples1[i], API_NS(point_identity));
688 API_NS(point_copy)(multiples2[i], API_NS(point_identity));
691 for (i=0; i<SCALAR_BITS; i+=WINDOW) {
693 for (j=0; j<WINDOW-1; j++)
694 point_double_internal(working, working, -1);
695 point_double_internal(working, working, 0);
698 /* Fetch another block of bits */
699 word_t bits1 = scalar1x->limb[i/WBITS] >> (i%WBITS),
700 bits2 = scalar2x->limb[i/WBITS] >> (i%WBITS);
701 if (i%WBITS >= WBITS-WINDOW && i/WBITS<SCALAR_LIMBS-1) {
702 bits1 ^= scalar1x->limb[i/WBITS+1] << (WBITS - (i%WBITS));
703 bits2 ^= scalar2x->limb[i/WBITS+1] << (WBITS - (i%WBITS));
705 bits1 &= WINDOW_MASK;
706 bits2 &= WINDOW_MASK;
707 mask_t inv1 = (bits1>>(WINDOW-1))-1;
708 mask_t inv2 = (bits2>>(WINDOW-1))-1;
712 pt_to_pniels(pn, working);
714 constant_time_lookup(tmp, multiples1, sizeof(tmp), NTABLE, bits1 & WINDOW_T_MASK);
715 cond_neg_niels(pn->n, inv1);
716 /* add_pniels_to_pt(multiples1[bits1 & WINDOW_T_MASK], pn, 0); */
717 add_pniels_to_pt(tmp, pn, 0);
718 constant_time_insert(multiples1, tmp, sizeof(tmp), NTABLE, bits1 & WINDOW_T_MASK);
721 constant_time_lookup(tmp, multiples2, sizeof(tmp), NTABLE, bits2 & WINDOW_T_MASK);
722 cond_neg_niels(pn->n, inv1^inv2);
723 /* add_pniels_to_pt(multiples2[bits2 & WINDOW_T_MASK], pn, 0); */
724 add_pniels_to_pt(tmp, pn, 0);
725 constant_time_insert(multiples2, tmp, sizeof(tmp), NTABLE, bits2 & WINDOW_T_MASK);
729 API_NS(point_copy)(working, multiples1[NTABLE-1]);
730 API_NS(point_copy)(tmp , multiples2[NTABLE-1]);
732 for (i=NTABLE-1; i>1; i--) {
733 API_NS(point_add)(multiples1[i-1], multiples1[i-1], multiples1[i]);
734 API_NS(point_add)(multiples2[i-1], multiples2[i-1], multiples2[i]);
735 API_NS(point_add)(working, working, multiples1[i-1]);
736 API_NS(point_add)(tmp, tmp, multiples2[i-1]);
739 API_NS(point_add)(multiples1[0], multiples1[0], multiples1[1]);
740 API_NS(point_add)(multiples2[0], multiples2[0], multiples2[1]);
741 point_double_internal(working, working, 0);
742 point_double_internal(tmp, tmp, 0);
743 API_NS(point_add)(a1, working, multiples1[0]);
744 API_NS(point_add)(a2, tmp, multiples2[0]);
746 API_NS(point_copy)(a1, multiples1[0]);
747 API_NS(point_copy)(a2, multiples2[0]);
750 decaf_bzero(scalar1x,sizeof(scalar1x));
751 decaf_bzero(scalar2x,sizeof(scalar2x));
752 decaf_bzero(pn,sizeof(pn));
753 decaf_bzero(multiples1,sizeof(multiples1));
754 decaf_bzero(multiples2,sizeof(multiples2));
755 decaf_bzero(tmp,sizeof(tmp));
756 decaf_bzero(working,sizeof(working));
759 decaf_bool_t API_NS(point_eq) ( const point_t p, const point_t q ) {
760 /* equality mod 2-torsion compares x/y */
762 gf_mul ( a, p->y, q->x );
763 gf_mul ( b, q->y, p->x );
764 mask_t succ = gf_eq(a,b);
766 #if (COFACTOR == 8) && IMAGINE_TWIST
767 gf_mul ( a, p->y, q->y );
768 gf_mul ( b, q->x, p->x );
770 gf_sub ( a, ZERO, a );
772 /* Interesting note: the 4tor would normally be rotation.
773 * But because of the *i twist, it's actually
777 /* No code, just a comment. */
782 return mask_to_bool(succ);
785 decaf_bool_t API_NS(point_valid) (
791 mask_t out = gf_eq(a,b);
796 gf_mulw(c,b,TWISTED_D);
800 out &= ~gf_eq(p->z,ZERO);
801 return mask_to_bool(out);
804 void API_NS(point_debugging_torque) (
808 #if COFACTOR == 8 && IMAGINE_TWIST
810 gf_mul(tmp,p->x,SQRT_MINUS_ONE);
811 gf_mul(q->x,p->y,SQRT_MINUS_ONE);
814 gf_sub(q->t,ZERO,p->t);
816 gf_sub(q->x,ZERO,p->x);
817 gf_sub(q->y,ZERO,p->y);
823 void API_NS(point_debugging_pscale) (
826 const uint8_t factor[SER_BYTES]
829 /* NB this means you'll never pscale by negative numbers for p521 */
830 ignore_result(gf_deserialize(gfac,factor,0,0));
831 gf_cond_sel(gfac,gfac,ONE,gf_eq(gfac,ZERO));
832 gf_mul(tmp,p->x,gfac);
834 gf_mul(tmp,p->y,gfac);
836 gf_mul(tmp,p->z,gfac);
838 gf_mul(tmp,p->t,gfac);
842 static void gf_batch_invert (
843 gf *__restrict__ out,
850 gf_copy(out[1], in[0]);
852 for (i=1; i<(int) (n-1); i++) {
853 gf_mul(out[i+1], out[i], in[i]);
855 gf_mul(out[0], out[n-1], in[n-1]);
857 gf_invert(out[0], out[0], 1);
859 for (i=n-1; i>0; i--) {
860 gf_mul(t1, out[i], out[0]);
862 gf_mul(t1, out[0], in[i]);
867 static void batch_normalize_niels (
870 gf *__restrict__ zis,
875 gf_batch_invert(zis, zs, n);
877 for (i=0; i<n; i++) {
878 gf_mul(product, table[i]->a, zis[i]);
879 gf_strong_reduce(product);
880 gf_copy(table[i]->a, product);
882 gf_mul(product, table[i]->b, zis[i]);
883 gf_strong_reduce(product);
884 gf_copy(table[i]->b, product);
886 gf_mul(product, table[i]->c, zis[i]);
887 gf_strong_reduce(product);
888 gf_copy(table[i]->c, product);
891 decaf_bzero(product,sizeof(product));
894 void API_NS(precompute) (
895 precomputed_s *table,
898 const unsigned int n = COMBS_N, t = COMBS_T, s = COMBS_S;
899 assert(n*t*s >= SCALAR_BITS);
901 point_t working, start, doubles[t-1];
902 API_NS(point_copy)(working, base);
905 gf zs[n<<(t-1)], zis[n<<(t-1)];
909 /* Compute n tables */
910 for (i=0; i<n; i++) {
913 for (j=0; j<t; j++) {
914 if (j) API_NS(point_add)(start, start, working);
915 else API_NS(point_copy)(start, working);
917 if (j==t-1 && i==n-1) break;
919 point_double_internal(working, working,0);
920 if (j<t-1) API_NS(point_copy)(doubles[j], working);
922 for (k=0; k<s-1; k++)
923 point_double_internal(working, working, k<s-2);
926 /* Gray-code phase */
928 int gray = j ^ (j>>1);
929 int idx = (((i+1)<<(t-1))-1) ^ gray;
931 pt_to_pniels(pn_tmp, start);
932 memcpy(table->table[idx], pn_tmp->n, sizeof(pn_tmp->n));
933 gf_copy(zs[idx], pn_tmp->z);
935 if (j >= (1u<<(t-1)) - 1) break;
936 int delta = (j+1) ^ ((j+1)>>1) ^ gray;
938 for (k=0; delta>1; k++)
942 API_NS(point_add)(start, start, doubles[k]);
944 API_NS(point_sub)(start, start, doubles[k]);
949 batch_normalize_niels(table->table,(const gf *)zs,zis,n<<(t-1));
951 decaf_bzero(zs,sizeof(zs));
952 decaf_bzero(zis,sizeof(zis));
953 decaf_bzero(pn_tmp,sizeof(pn_tmp));
954 decaf_bzero(working,sizeof(working));
955 decaf_bzero(start,sizeof(start));
956 decaf_bzero(doubles,sizeof(doubles));
959 static DECAF_INLINE void
960 constant_time_lookup_niels (
961 niels_s *__restrict__ ni,
962 const niels_t *table,
966 constant_time_lookup(ni, table, sizeof(niels_s), nelts, idx);
969 void API_NS(precomputed_scalarmul) (
971 const precomputed_s *table,
972 const scalar_t scalar
976 const unsigned int n = COMBS_N, t = COMBS_T, s = COMBS_S;
979 API_NS(scalar_add)(scalar1x, scalar, precomputed_scalarmul_adjustment);
980 API_NS(scalar_halve)(scalar1x,scalar1x);
984 for (i=s-1; i>=0; i--) {
985 if (i != (int)s-1) point_double_internal(out,out,0);
987 for (j=0; j<n; j++) {
990 for (k=0; k<t; k++) {
991 unsigned int bit = i + s*(k + j*t);
992 if (bit < SCALAR_BITS) {
993 tab |= (scalar1x->limb[bit/WBITS] >> (bit%WBITS) & 1) << k;
997 mask_t invert = (tab>>(t-1))-1;
999 tab &= (1<<(t-1)) - 1;
1001 constant_time_lookup_niels(ni, &table->table[j<<(t-1)], 1<<(t-1), tab);
1003 cond_neg_niels(ni, invert);
1004 if ((i!=(int)s-1)||j) {
1005 add_niels_to_pt(out, ni, j==n-1 && i);
1007 niels_to_pt(out, ni);
1012 decaf_bzero(ni,sizeof(ni));
1013 decaf_bzero(scalar1x,sizeof(scalar1x));
1016 void API_NS(point_cond_sel) (
1022 constant_time_select(out,a,b,sizeof(point_t),bool_to_mask(pick_b),0);
1025 /* FUTURE: restore Curve25519 Montgomery ladder? */
1026 decaf_error_t API_NS(direct_scalarmul) (
1027 uint8_t scaled[SER_BYTES],
1028 const uint8_t base[SER_BYTES],
1029 const scalar_t scalar,
1030 decaf_bool_t allow_identity,
1031 decaf_bool_t short_circuit
1034 decaf_error_t succ = API_NS(point_decode)(basep, base, allow_identity);
1035 if (short_circuit && succ != DECAF_SUCCESS) return succ;
1036 API_NS(point_cond_sel)(basep, API_NS(point_base), basep, succ);
1037 API_NS(point_scalarmul)(basep, basep, scalar);
1038 API_NS(point_encode)(scaled, basep);
1039 API_NS(point_destroy)(basep);
1043 void API_NS(point_mul_by_ratio_and_encode_like_eddsa) (
1044 uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES],
1048 /* The point is now on the twisted curve. Move it to untwisted. */
1052 API_NS(point_double)(q,p);
1054 API_NS(point_copy)(q,p);
1057 #if EDDSA_USE_SIGMA_ISOGENY
1059 /* Use 4-isogeny like ed25519:
1060 * 2*x*y*sqrt(d/a-1)/(ax^2 + y^2 - 2)
1061 * (y^2 - ax^2)/(y^2 + ax^2)
1062 * with a = -1, d = -EDWARDS_D:
1063 * -2xysqrt(EDWARDS_D-1)/(2z^2-y^2+x^2)
1064 * (y^2+x^2)/(y^2-x^2)
1067 gf_sqr ( x, q->x ); // x^2
1068 gf_sqr ( t, q->y ); // y^2
1069 gf_add( u, x, t ); // x^2 + y^2
1070 gf_add( z, q->y, q->x );
1072 gf_sub ( y, u, y ); // -2xy
1073 gf_sub ( z, t, x ); // y^2 - x^2
1076 gf_sub ( t, t, z); // 2z^2 - y^2 + x^2
1077 gf_mul ( x, y, z ); // 2xy(y^2-x^2)
1078 gf_mul ( y, u, t ); // (x^2+y^2)(2z^2-y^2+x^2)
1081 gf_mul ( u, x, RISTRETTO_FACTOR );
1085 #error "... probably wrong"
1088 decaf_bzero(u,sizeof(u));
1092 API_NS(point_double)(q,q);
1093 API_NS(point_double)(q,q);
1100 /* 4-isogeny: 2xy/(y^+x^2), (y^2-x^2)/(2z^2-y^2+x^2) */
1105 gf_add( z, q->y, q->x );
1115 decaf_bzero(u,sizeof(u));
1124 enc[DECAF_EDDSA_448_PRIVATE_BYTES-1] = 0;
1125 gf_serialize(enc, x, 1);
1126 enc[DECAF_EDDSA_448_PRIVATE_BYTES-1] |= 0x80 & gf_lobit(t);
1128 decaf_bzero(x,sizeof(x));
1129 decaf_bzero(y,sizeof(y));
1130 decaf_bzero(z,sizeof(z));
1131 decaf_bzero(t,sizeof(t));
1132 API_NS(point_destroy)(q);
1136 decaf_error_t API_NS(point_decode_like_eddsa_and_mul_by_ratio) (
1138 const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]
1140 uint8_t enc2[DECAF_EDDSA_448_PUBLIC_BYTES];
1141 memcpy(enc2,enc,sizeof(enc2));
1143 mask_t low = ~word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1] & 0x80);
1144 enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1] &= ~0x80;
1146 mask_t succ = gf_deserialize(p->y, enc2, 1, 0);
1148 succ &= word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1]);
1152 gf_sub(p->z,ONE,p->x); /* num = 1-y^2 */
1153 #if EDDSA_USE_SIGMA_ISOGENY
1154 gf_mulw(p->t,p->z,EDWARDS_D); /* d-dy^2 */
1155 gf_mulw(p->x,p->z,EDWARDS_D-1); /* num = (1-y^2)(d-1) */
1158 gf_mulw(p->t,p->x,EDWARDS_D); /* dy^2 */
1160 gf_sub(p->t,ONE,p->t); /* denom = 1-dy^2 or 1-d + dy^2 */
1162 gf_mul(p->x,p->z,p->t);
1163 succ &= gf_isr(p->t,p->x); /* 1/sqrt(num * denom) */
1165 gf_mul(p->x,p->t,p->z); /* sqrt(num / denom) */
1166 gf_cond_neg(p->x,gf_lobit(p->x)^low);
1169 #if EDDSA_USE_SIGMA_ISOGENY
1171 /* Use 4-isogeny like ed25519:
1172 * 2*x*y/sqrt(1-d/a)/(ax^2 + y^2 - 2)
1173 * (y^2 - ax^2)/(y^2 + ax^2)
1174 * (MAGIC: above formula may be off by a factor of -a
1175 * or something somewhere; check it for other a)
1177 * with a = -1, d = -EDWARDS_D:
1178 * -2xy/sqrt(1-EDWARDS_D)/(2z^2-y^2+x^2)
1179 * (y^2+x^2)/(y^2-x^2)
1184 gf_add ( d, c, a ); // x^2 + y^2
1185 gf_add ( p->t, p->y, p->x );
1187 gf_sub ( b, b, d ); // 2xy
1188 gf_sub ( p->t, a, c ); // y^2 - x^2
1189 gf_sqr ( p->x, p->z );
1190 gf_add ( p->z, p->x, p->x );
1191 gf_sub ( c, p->z, p->t ); // 2z^2 - y^2 + x^2
1193 gf_mul ( c, a, RISTRETTO_FACTOR );
1194 gf_mul ( p->x, b, p->t); // (2xy)(y^2-x^2)
1195 gf_mul ( p->z, p->t, c ); // (y^2-x^2)sd(2z^2 - y^2 + x^2)
1196 gf_mul ( p->y, d, c ); // (y^2+x^2)sd(2z^2 - y^2 + x^2)
1197 gf_mul ( p->t, d, b );
1198 decaf_bzero(a,sizeof(a));
1199 decaf_bzero(b,sizeof(b));
1200 decaf_bzero(c,sizeof(c));
1201 decaf_bzero(d,sizeof(d));
1205 gf_mul(p->t,p->x,SQRT_MINUS_ONE);
1207 gf_mul(p->t,p->x,p->y);
1211 /* 4-isogeny 2xy/(y^2-ax^2), (y^2+ax^2)/(2-y^2-ax^2) */
1216 gf_add ( p->t, p->y, p->x );
1219 gf_sub ( p->t, a, c );
1220 gf_sqr ( p->x, p->z );
1221 gf_add ( p->z, p->x, p->x );
1222 gf_sub ( a, p->z, d );
1223 gf_mul ( p->x, a, b );
1224 gf_mul ( p->z, p->t, a );
1225 gf_mul ( p->y, p->t, d );
1226 gf_mul ( p->t, b, d );
1227 decaf_bzero(a,sizeof(a));
1228 decaf_bzero(b,sizeof(b));
1229 decaf_bzero(c,sizeof(c));
1230 decaf_bzero(d,sizeof(d));
1234 decaf_bzero(enc2,sizeof(enc2));
1235 assert(API_NS(point_valid)(p) || ~succ);
1237 return decaf_succeed_if(mask_to_bool(succ));
1240 decaf_error_t decaf_x448 (
1241 uint8_t out[X_PUBLIC_BYTES],
1242 const uint8_t base[X_PUBLIC_BYTES],
1243 const uint8_t scalar[X_PRIVATE_BYTES]
1245 gf x1, x2, z2, x3, z3, t1, t2;
1246 ignore_result(gf_deserialize(x1,base,1,0));
1255 for (t = X_PRIVATE_BITS-1; t>=0; t--) {
1256 uint8_t sb = scalar[t/8];
1258 /* Scalar conditioning */
1259 if (t/8==0) sb &= -(uint8_t)COFACTOR;
1260 else if (t == X_PRIVATE_BITS-1) sb = -1;
1262 mask_t k_t = (sb>>(t%8)) & 1;
1263 k_t = -k_t; /* set to all 0s or all 1s */
1266 gf_cond_swap(x2,x3,swap);
1267 gf_cond_swap(z2,z3,swap);
1270 gf_add_nr(t1,x2,z2); /* A = x2 + z2 */ /* 2+e */
1271 gf_sub_nr(t2,x2,z2); /* B = x2 - z2 */ /* 3+e */
1272 gf_sub_nr(z2,x3,z3); /* D = x3 - z3 */ /* 3+e */
1273 gf_mul(x2,t1,z2); /* DA */
1274 gf_add_nr(z2,z3,x3); /* C = x3 + z3 */ /* 2+e */
1275 gf_mul(x3,t2,z2); /* CB */
1276 gf_sub_nr(z3,x2,x3); /* DA-CB */ /* 3+e */
1277 gf_sqr(z2,z3); /* (DA-CB)^2 */
1278 gf_mul(z3,x1,z2); /* z3 = x1(DA-CB)^2 */
1279 gf_add_nr(z2,x2,x3); /* (DA+CB) */ /* 2+e */
1280 gf_sqr(x3,z2); /* x3 = (DA+CB)^2 */
1282 gf_sqr(z2,t1); /* AA = A^2 */
1283 gf_sqr(t1,t2); /* BB = B^2 */
1284 gf_mul(x2,z2,t1); /* x2 = AA*BB */
1285 gf_sub_nr(t2,z2,t1); /* E = AA-BB */ /* 3+e */
1287 gf_mulw(t1,t2,-EDWARDS_D); /* E*-d = a24*E */
1288 gf_add_nr(t1,t1,z2); /* AA + a24*E */ /* 2+e */
1289 gf_mul(z2,t2,t1); /* z2 = E(AA+a24*E) */
1293 gf_cond_swap(x2,x3,swap);
1294 gf_cond_swap(z2,z3,swap);
1297 gf_serialize(out,x1,1);
1298 mask_t nz = ~gf_eq(x1,ZERO);
1300 decaf_bzero(x1,sizeof(x1));
1301 decaf_bzero(x2,sizeof(x2));
1302 decaf_bzero(z2,sizeof(z2));
1303 decaf_bzero(x3,sizeof(x3));
1304 decaf_bzero(z3,sizeof(z3));
1305 decaf_bzero(t1,sizeof(t1));
1306 decaf_bzero(t2,sizeof(t2));
1308 return decaf_succeed_if(mask_to_bool(nz));
1311 /* Thanks Johan Pascal */
1312 void decaf_ed448_convert_public_key_to_x448 (
1313 uint8_t x[DECAF_X448_PUBLIC_BYTES],
1314 const uint8_t ed[DECAF_EDDSA_448_PUBLIC_BYTES]
1317 const uint8_t mask = (uint8_t)(0xFE<<(7));
1318 ignore_result(gf_deserialize(y, ed, 1, mask));
1323 #if EDDSA_USE_SIGMA_ISOGENY
1324 /* u = (1+y)/(1-y)*/
1325 gf_add(n, y, ONE); /* n = y+1 */
1326 gf_sub(d, ONE, y); /* d = 1-y */
1327 gf_invert(d, d, 0); /* d = 1/(1-y) */
1328 gf_mul(y, n, d); /* u = (y+1)/(1-y) */
1329 gf_serialize(x,y,1);
1330 #else /* EDDSA_USE_SIGMA_ISOGENY */
1331 /* u = y^2 * (1-dy^2) / (1-y^2) */
1332 gf_sqr(n,y); /* y^2*/
1333 gf_sub(d,ONE,n); /* 1-y^2*/
1334 gf_invert(d,d,0); /* 1/(1-y^2)*/
1335 gf_mul(y,n,d); /* y^2 / (1-y^2) */
1336 gf_mulw(d,n,EDWARDS_D); /* dy^2*/
1337 gf_sub(d, ONE, d); /* 1-dy^2*/
1338 gf_mul(n, y, d); /* y^2 * (1-dy^2) / (1-y^2) */
1339 gf_serialize(x,n,1);
1340 #endif /* EDDSA_USE_SIGMA_ISOGENY */
1342 decaf_bzero(y,sizeof(y));
1343 decaf_bzero(n,sizeof(n));
1344 decaf_bzero(d,sizeof(d));
1348 void decaf_x448_generate_key (
1349 uint8_t out[X_PUBLIC_BYTES],
1350 const uint8_t scalar[X_PRIVATE_BYTES]
1352 decaf_x448_derive_public_key(out,scalar);
1355 void API_NS(point_mul_by_ratio_and_encode_like_x448) (
1356 uint8_t out[X_PUBLIC_BYTES],
1361 point_double_internal(q,p,1);
1363 API_NS(point_copy)(q,p);
1365 gf_invert(q->t,q->x,0); /* 1/x */
1366 gf_mul(q->z,q->t,q->y); /* y/x */
1367 gf_sqr(q->y,q->z); /* (y/x)^2 */
1369 gf_sub(q->y,ZERO,q->y);
1371 gf_serialize(out,q->y,1);
1372 API_NS(point_destroy(q));
1375 void decaf_x448_derive_public_key (
1376 uint8_t out[X_PUBLIC_BYTES],
1377 const uint8_t scalar[X_PRIVATE_BYTES]
1379 /* Scalar conditioning */
1380 uint8_t scalar2[X_PRIVATE_BYTES];
1381 memcpy(scalar2,scalar,sizeof(scalar2));
1382 scalar2[0] &= -(uint8_t)COFACTOR;
1384 scalar2[X_PRIVATE_BYTES-1] &= ~(-1u<<((X_PRIVATE_BITS+7)%8));
1385 scalar2[X_PRIVATE_BYTES-1] |= 1<<((X_PRIVATE_BITS+7)%8);
1387 scalar_t the_scalar;
1388 API_NS(scalar_decode_long)(the_scalar,scalar2,sizeof(scalar2));
1390 /* Compensate for the encoding ratio */
1391 for (unsigned i=1; i<DECAF_X448_ENCODE_RATIO; i<<=1) {
1392 API_NS(scalar_halve)(the_scalar,the_scalar);
1395 API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),the_scalar);
1396 API_NS(point_mul_by_ratio_and_encode_like_x448)(out,p);
1397 API_NS(point_destroy)(p);
1402 * Control for variable-time scalar multiply algorithms.
1404 struct smvt_control {
1408 static int recode_wnaf (
1409 struct smvt_control *control, /* [nbits/(table_bits+1) + 3] */
1410 const scalar_t scalar,
1411 unsigned int table_bits
1413 unsigned int table_size = SCALAR_BITS/(table_bits+1) + 3;
1414 int position = table_size - 1; /* at the end */
1416 /* place the end marker */
1417 control[position].power = -1;
1418 control[position].addend = 0;
1421 /* PERF: Could negate scalar if it's large. But then would need more cases
1422 * in the actual code that uses it, all for an expected reduction of like 1/5 op.
1423 * Probably not worth it.
1426 uint64_t current = scalar->limb[0] & 0xFFFF;
1427 uint32_t mask = (1<<(table_bits+1))-1;
1430 const unsigned int B_OVER_16 = sizeof(scalar->limb[0]) / 2;
1431 for (w = 1; w<(SCALAR_BITS-1)/16+3; w++) {
1432 if (w < (SCALAR_BITS-1)/16+1) {
1433 /* Refill the 16 high bits of current */
1434 current += (uint32_t)((scalar->limb[w/B_OVER_16]>>(16*(w%B_OVER_16)))<<16);
1437 while (current & 0xFFFF) {
1438 assert(position >= 0);
1439 uint32_t pos = __builtin_ctz((uint32_t)current), odd = (uint32_t)current >> pos;
1440 int32_t delta = odd & mask;
1441 if (odd & 1<<(table_bits+1)) delta -= (1<<(table_bits+1));
1442 current -= delta << pos;
1443 control[position].power = pos + 16*(w-1);
1444 control[position].addend = delta;
1452 unsigned int n = table_size - position;
1454 for (i=0; i<n; i++) {
1455 control[i] = control[i+position];
1463 const point_t working,
1468 pt_to_pniels(output[0], working);
1470 if (tbits == 0) return;
1472 API_NS(point_double)(tmp,working);
1474 pt_to_pniels(twop, tmp);
1476 add_pniels_to_pt(tmp, output[0],0);
1477 pt_to_pniels(output[1], tmp);
1479 for (i=2; i < 1<<tbits; i++) {
1480 add_pniels_to_pt(tmp, twop,0);
1481 pt_to_pniels(output[i], tmp);
1484 API_NS(point_destroy)(tmp);
1485 decaf_bzero(twop,sizeof(twop));
1488 extern const gf API_NS(precomputed_wnaf_as_fe)[];
1489 static const niels_t *API_NS(wnaf_base) = (const niels_t *)API_NS(precomputed_wnaf_as_fe);
1490 const size_t API_NS(sizeof_precomputed_wnafs) __attribute((visibility("hidden")))
1491 = sizeof(niels_t)<<DECAF_WNAF_FIXED_TABLE_BITS;
1493 void API_NS(precompute_wnafs) (
1494 niels_t out[1<<DECAF_WNAF_FIXED_TABLE_BITS],
1496 ) __attribute__ ((visibility ("hidden")));
1498 void API_NS(precompute_wnafs) (
1499 niels_t out[1<<DECAF_WNAF_FIXED_TABLE_BITS],
1502 pniels_t tmp[1<<DECAF_WNAF_FIXED_TABLE_BITS];
1503 gf zs[1<<DECAF_WNAF_FIXED_TABLE_BITS], zis[1<<DECAF_WNAF_FIXED_TABLE_BITS];
1505 prepare_wnaf_table(tmp,base,DECAF_WNAF_FIXED_TABLE_BITS);
1506 for (i=0; i<1<<DECAF_WNAF_FIXED_TABLE_BITS; i++) {
1507 memcpy(out[i], tmp[i]->n, sizeof(niels_t));
1508 gf_copy(zs[i], tmp[i]->z);
1510 batch_normalize_niels(out, (const gf *)zs, zis, 1<<DECAF_WNAF_FIXED_TABLE_BITS);
1512 decaf_bzero(tmp,sizeof(tmp));
1513 decaf_bzero(zs,sizeof(zs));
1514 decaf_bzero(zis,sizeof(zis));
1517 void API_NS(base_double_scalarmul_non_secret) (
1519 const scalar_t scalar1,
1520 const point_t base2,
1521 const scalar_t scalar2
1523 const int table_bits_var = DECAF_WNAF_VAR_TABLE_BITS,
1524 table_bits_pre = DECAF_WNAF_FIXED_TABLE_BITS;
1525 struct smvt_control control_var[SCALAR_BITS/(table_bits_var+1)+3];
1526 struct smvt_control control_pre[SCALAR_BITS/(table_bits_pre+1)+3];
1528 int ncb_pre = recode_wnaf(control_pre, scalar1, table_bits_pre);
1529 int ncb_var = recode_wnaf(control_var, scalar2, table_bits_var);
1531 pniels_t precmp_var[1<<table_bits_var];
1532 prepare_wnaf_table(precmp_var, base2, table_bits_var);
1534 int contp=0, contv=0, i = control_var[0].power;
1537 API_NS(point_copy)(combo, API_NS(point_identity));
1539 } else if (i > control_pre[0].power) {
1540 pniels_to_pt(combo, precmp_var[control_var[0].addend >> 1]);
1542 } else if (i == control_pre[0].power && i >=0 ) {
1543 pniels_to_pt(combo, precmp_var[control_var[0].addend >> 1]);
1544 add_niels_to_pt(combo, API_NS(wnaf_base)[control_pre[0].addend >> 1], i);
1547 i = control_pre[0].power;
1548 niels_to_pt(combo, API_NS(wnaf_base)[control_pre[0].addend >> 1]);
1552 for (i--; i >= 0; i--) {
1553 int cv = (i==control_var[contv].power), cp = (i==control_pre[contp].power);
1554 point_double_internal(combo,combo,i && !(cv||cp));
1557 assert(control_var[contv].addend);
1559 if (control_var[contv].addend > 0) {
1560 add_pniels_to_pt(combo, precmp_var[control_var[contv].addend >> 1], i&&!cp);
1562 sub_pniels_from_pt(combo, precmp_var[(-control_var[contv].addend) >> 1], i&&!cp);
1568 assert(control_pre[contp].addend);
1570 if (control_pre[contp].addend > 0) {
1571 add_niels_to_pt(combo, API_NS(wnaf_base)[control_pre[contp].addend >> 1], i);
1573 sub_niels_from_pt(combo, API_NS(wnaf_base)[(-control_pre[contp].addend) >> 1], i);
1579 /* This function is non-secret, but whatever this is cheap. */
1580 decaf_bzero(control_var,sizeof(control_var));
1581 decaf_bzero(control_pre,sizeof(control_pre));
1582 decaf_bzero(precmp_var,sizeof(precmp_var));
1584 assert(contv == ncb_var); (void)ncb_var;
1585 assert(contp == ncb_pre); (void)ncb_pre;
1588 void API_NS(point_destroy) (
1591 decaf_bzero(point, sizeof(point_t));
1594 void API_NS(precomputed_destroy) (
1597 decaf_bzero(pre, API_NS(sizeof_precomputed_s));
projects / openssl.git / blob