* Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2015-2016 Cryptography Research, Inc.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
static const curve448_scalar_t precomputed_scalarmul_adjustment = {
{
{
- SC_LIMB(0xc873d6d54a7bb0cf), SC_LIMB(0xe933d8d723a70aad),
- SC_LIMB(0xbb124b65129c96fd), SC_LIMB(0x00000008335dc163)
+ SC_LIMB(0xc873d6d54a7bb0cfULL), SC_LIMB(0xe933d8d723a70aadULL),
+ SC_LIMB(0xbb124b65129c96fdULL), SC_LIMB(0x00000008335dc163ULL)
}
}
};
-#define TWISTED_D ((EDWARDS_D)-1)
+#define TWISTED_D (EDWARDS_D - 1)
#define WBITS C448_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */
mask_t swap = 0;
mask_t nz;
- ignore_result(gf_deserialize(x1, base, 1, 0));
+ (void)gf_deserialize(x1, base, 1, 0);
gf_copy(x2, ONE);
gf_copy(z2, ZERO);
gf_copy(x3, x1);
gf_cond_swap(z2, z3, swap);
swap = k_t;
- gf_add_nr(t1, x2, z2); /* A = x2 + z2 *//* 2+e */
- gf_sub_nr(t2, x2, z2); /* B = x2 - z2 *//* 3+e */
- gf_sub_nr(z2, x3, z3); /* D = x3 - z3 *//* 3+e */
+ /*
+ * The "_nr" below skips coefficient reduction. In the following
+ * comments, "2+e" is saying that the coefficients are at most 2+epsilon
+ * times the reduction limit.
+ */
+ gf_add_nr(t1, x2, z2); /* A = x2 + z2 */ /* 2+e */
+ gf_sub_nr(t2, x2, z2); /* B = x2 - z2 */ /* 3+e */
+ gf_sub_nr(z2, x3, z3); /* D = x3 - z3 */ /* 3+e */
gf_mul(x2, t1, z2); /* DA */
- gf_add_nr(z2, z3, x3); /* C = x3 + z3 *//* 2+e */
+ gf_add_nr(z2, z3, x3); /* C = x3 + z3 */ /* 2+e */
gf_mul(x3, t2, z2); /* CB */
- gf_sub_nr(z3, x2, x3); /* DA-CB *//* 3+e */
+ gf_sub_nr(z3, x2, x3); /* DA-CB */ /* 3+e */
gf_sqr(z2, z3); /* (DA-CB)^2 */
gf_mul(z3, x1, z2); /* z3 = x1(DA-CB)^2 */
- gf_add_nr(z2, x2, x3); /* (DA+CB) *//* 2+e */
+ gf_add_nr(z2, x2, x3); /* (DA+CB) */ /* 2+e */
gf_sqr(x3, z2); /* x3 = (DA+CB)^2 */
gf_sqr(z2, t1); /* AA = A^2 */
gf_sqr(t1, t2); /* BB = B^2 */
gf_mul(x2, z2, t1); /* x2 = AA*BB */
- gf_sub_nr(t2, z2, t1); /* E = AA-BB *//* 3+e */
+ gf_sub_nr(t2, z2, t1); /* E = AA-BB */ /* 3+e */
gf_mulw(t1, t2, -EDWARDS_D); /* E*-d = a24*E */
- gf_add_nr(t1, t1, z2); /* AA + a24*E *//* 2+e */
+ gf_add_nr(t1, t1, z2); /* AA + a24*E */ /* 2+e */
gf_mul(z2, t2, t1); /* z2 = E(AA+a24*E) */
}
int power, addend;
};
-#if defined(__GNUC__) || defined(__clang__)
+#if defined(__GNUC__) && (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 3))
# define NUMTRAILINGZEROS __builtin_ctz
#else
# define NUMTRAILINGZEROS numtrailingzeros
assert(position >= 0);
if (odd & (1 << (table_bits + 1)))
delta -= (1 << (table_bits + 1));
- current -= delta << pos;
+ current -= delta * (1 << pos);
control[position].power = pos + 16 * (w - 1);
control[position].addend = delta;
position--;