* work which got its smarts from Daniel J. Bernstein's work on the same.
*/
-#ifdef EC_NISTP_64_GCC_128
+#include <openssl/opensslconf.h>
+#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+#ifndef OPENSSL_SYS_VMS
#include <stdint.h>
+#else
+#include <inttypes.h>
+#endif
+
#include <string.h>
#include <openssl/err.h>
#include "ec_lcl.h"
0x66, 0x50}
};
-/* The representation of field elements.
+/*-
+ * The representation of field elements.
* ------------------------------------
*
* We represent field elements with nine values. These values are either 64 or
out[8] *= scalar;
}
-/* felem_neg sets |out| to |-in|
+/*-
+ * felem_neg sets |out| to |-in|
* On entry:
* in[i] < 2^59 + 2^14
* On exit:
out[8] = two62m2 - in[8];
}
-/* felem_diff64 subtracts |in| from |out|
+/*-
+ * felem_diff64 subtracts |in| from |out|
* On entry:
* in[i] < 2^59 + 2^14
* On exit:
out[8] += two62m2 - in[8];
}
-/* felem_diff_128_64 subtracts |in| from |out|
+/*-
+ * felem_diff_128_64 subtracts |in| from |out|
* On entry:
* in[i] < 2^62 + 2^17
* On exit:
*/
static void felem_diff_128_64(largefelem out, const felem in)
{
- // In order to prevent underflow, we add 0 mod p before subtracting.
+ /* In order to prevent underflow, we add 0 mod p before subtracting. */
static const limb two63m6 = (((limb)1) << 62) - (((limb)1) << 5);
static const limb two63m5 = (((limb)1) << 62) - (((limb)1) << 4);
out[8] += two63m5 - in[8];
}
-/* felem_diff_128_64 subtracts |in| from |out|
+/*-
+ * felem_diff_128_64 subtracts |in| from |out|
* On entry:
* in[i] < 2^126
* On exit:
*/
static void felem_diff128(largefelem out, const largefelem in)
{
- // In order to prevent underflow, we add 0 mod p before subtracting.
+ /* In order to prevent underflow, we add 0 mod p before subtracting. */
static const uint128_t two127m70 = (((uint128_t)1) << 127) - (((uint128_t)1) << 70);
static const uint128_t two127m69 = (((uint128_t)1) << 127) - (((uint128_t)1) << 69);
out[8] += (two127m69 - in[8]);
}
-/* felem_square sets |out| = |in|^2
+/*-
+ * felem_square sets |out| = |in|^2
* On entry:
* in[i] < 2^62
* On exit:
felem_scalar(inx2, in, 2);
felem_scalar(inx4, in, 4);
- /* We have many cases were we want to do
+ /*-
+ * We have many cases were we want to do
* in[x] * in[y] +
* in[y] * in[x]
* This is obviously just
* the inputs to the multiplication. If we want to double for both this
* reason, and the reason above, then we end up multiplying by four. */
- // 9
+ /* 9 */
out[0] += ((uint128_t) in[1]) * inx4[8] +
((uint128_t) in[2]) * inx4[7] +
((uint128_t) in[3]) * inx4[6] +
((uint128_t) in[4]) * inx4[5];
- // 10
+ /* 10 */
out[1] += ((uint128_t) in[2]) * inx4[8] +
((uint128_t) in[3]) * inx4[7] +
((uint128_t) in[4]) * inx4[6] +
((uint128_t) in[5]) * inx2[5];
- // 11
+ /* 11 */
out[2] += ((uint128_t) in[3]) * inx4[8] +
((uint128_t) in[4]) * inx4[7] +
((uint128_t) in[5]) * inx4[6];
- // 12
+ /* 12 */
out[3] += ((uint128_t) in[4]) * inx4[8] +
((uint128_t) in[5]) * inx4[7] +
((uint128_t) in[6]) * inx2[6];
- // 13
+ /* 13 */
out[4] += ((uint128_t) in[5]) * inx4[8] +
((uint128_t) in[6]) * inx4[7];
- // 14
+ /* 14 */
out[5] += ((uint128_t) in[6]) * inx4[8] +
((uint128_t) in[7]) * inx2[7];
- // 15
+ /* 15 */
out[6] += ((uint128_t) in[7]) * inx4[8];
- // 16
+ /* 16 */
out[7] += ((uint128_t) in[8]) * inx2[8];
}
-/* felem_mul sets |out| = |in1| * |in2|
+/*-
+ * felem_mul sets |out| = |in1| * |in2|
* On entry:
* in1[i] < 2^64
* in2[i] < 2^63
static const limb bottom52bits = 0xfffffffffffff;
-/* felem_reduce converts a largefelem to an felem.
+/*-
+ * felem_reduce converts a largefelem to an felem.
* On entry:
* in[i] < 2^128
* On exit:
*/
static void felem_reduce(felem out, const largefelem in)
{
+ u64 overflow1, overflow2;
+
out[0] = ((limb) in[0]) & bottom58bits;
out[1] = ((limb) in[1]) & bottom58bits;
out[2] = ((limb) in[2]) & bottom58bits;
out[8] += (((limb) (in[7] >> 64)) & bottom52bits) << 6;
/* out[x > 1] < 2^58 + 2^6 + 2^58 + 2^12
* < 2^59 + 2^13 */
- u64 overflow1 = ((limb) (in[7] >> 64)) >> 52;
+ overflow1 = ((limb) (in[7] >> 64)) >> 52;
overflow1 += ((limb) in[8]) >> 58;
overflow1 += (((limb) (in[8] >> 64)) & bottom52bits) << 6;
- u64 overflow2 = ((limb) (in[8] >> 64)) >> 52;
+ overflow2 = ((limb) (in[8] >> 64)) >> 52;
overflow1 <<= 1; /* overflow1 < 2^13 + 2^7 + 2^59 */
overflow2 <<= 1; /* overflow2 < 2^13 */
felem_reduce(out, tmp);
}
-/* felem_inv calculates |out| = |in|^{-1}
+/*-
+ * felem_inv calculates |out| = |in|^{-1}
*
* Based on Fermat's Little Theorem:
* a^p = a (mod p)
0x03ffffffffffffff, 0x03ffffffffffffff, 0x01ffffffffffffff
};
-/* felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
+/*-
+ * felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
* otherwise.
* On entry:
* in[i] < 2^59 + 2^14
is_zero |= ftmp[8];
is_zero--;
- // We know that ftmp[i] < 2^63, therefore the only way that the top bit
- // can be set is if is_zero was 0 before the decrement.
+ /* We know that ftmp[i] < 2^63, therefore the only way that the top bit
+ * can be set is if is_zero was 0 before the decrement. */
is_zero = ((s64) is_zero) >> 63;
is_p = ftmp[0] ^ kPrime[0];
return (int) (felem_is_zero(in) & ((limb)1));
}
-/* felem_contract converts |in| to its unique, minimal representation.
+/*-
+ * felem_contract converts |in| to its unique, minimal representation.
* On entry:
* in[i] < 2^59 + 2^14
*/
sign = -(out[7] >> 63); out[7] += (two58 & sign); out[8] -= (1 & sign);
}
-/* Group operations
+/*-
+ * Group operations
* ----------------
*
* Building on top of the field operations we have the operations on the
* elliptic curve group itself. Points on the curve are represented in Jacobian
* coordinates */
-/* point_double calcuates 2*(x_in, y_in, z_in)
+/*-
+ * point_double calcuates 2*(x_in, y_in, z_in)
*
* The method is taken from:
* http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
felem_scalar64(ftmp2, 3);
/* ftmp2[i] < 3*2^60 + 3*2^15 */
felem_mul(tmp, ftmp, ftmp2);
- /* tmp[i] < 17(3*2^121 + 3*2^76)
+ /*-
+ * tmp[i] < 17(3*2^121 + 3*2^76)
* = 61*2^121 + 61*2^76
* < 64*2^121 + 64*2^76
* = 2^127 + 2^82
- * < 2^128 */
+ * < 2^128
+ */
felem_reduce(alpha, tmp);
/* x' = alpha^2 - 8*beta */
felem_diff64(beta, x_out);
/* beta[i] < 2^61 + 2^60 + 2^16 */
felem_mul(tmp, alpha, beta);
- /* tmp[i] < 17*((2^59 + 2^14)(2^61 + 2^60 + 2^16))
+ /*-
+ * tmp[i] < 17*((2^59 + 2^14)(2^61 + 2^60 + 2^16))
* = 17*(2^120 + 2^75 + 2^119 + 2^74 + 2^75 + 2^30)
* = 17*(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
- * < 2^128 */
+ * < 2^128
+ */
felem_square(tmp2, gamma);
- /* tmp2[i] < 17*(2^59 + 2^14)^2
- * = 17*(2^118 + 2^74 + 2^28) */
+ /*-
+ * tmp2[i] < 17*(2^59 + 2^14)^2
+ * = 17*(2^118 + 2^74 + 2^28)
+ */
felem_scalar128(tmp2, 8);
- /* tmp2[i] < 8*17*(2^118 + 2^74 + 2^28)
+ /*-
+ * tmp2[i] < 8*17*(2^118 + 2^74 + 2^28)
* = 2^125 + 2^121 + 2^81 + 2^77 + 2^35 + 2^31
- * < 2^126 */
+ * < 2^126
+ */
felem_diff128(tmp, tmp2);
- /* tmp[i] < 2^127 - 2^69 + 17(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
+ /*-
+ * tmp[i] < 2^127 - 2^69 + 17(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
* = 2^127 + 2^124 + 2^122 + 2^120 + 2^118 + 2^80 + 2^78 + 2^76 +
* 2^74 + 2^69 + 2^34 + 2^30
- * < 2^128 */
+ * < 2^128
+ */
felem_reduce(y_out, tmp);
}
}
}
-/* point_add calcuates (x1, y1, z1) + (x2, y2, z2)
+/*-
+ * point_add calcuates (x1, y1, z1) + (x2, y2, z2)
*
* The method is taken from
* http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
felem_assign(z3, z_out);
}
-/* Base point pre computation
+/*-
+ * Base point pre computation
* --------------------------
*
* Two different sorts of precomputed tables are used in the following code.
0x0154536a0c6e966a, 0x037964d1286ee9fe, 0x0199bcd90e125055},
{1, 0, 0, 0, 0, 0, 0, 0, 0}}};
-/* select_point selects the |index|th point from a precomputation table and
+/* select_point selects the |idx|th point from a precomputation table and
* copies it to out. */
-static void select_point(const limb index, unsigned int size, const felem pre_comp[size][3],
+static void select_point(const limb idx, unsigned int size, const felem pre_comp[/* size */][3],
felem out[3])
{
unsigned i, j;
for (i = 0; i < size; i++)
{
const limb *inlimbs = &pre_comp[i][0][0];
- limb mask = i ^ index;
+ limb mask = i ^ idx;
mask |= mask >> 4;
mask |= mask >> 2;
mask |= mask >> 1;
ec_GFp_simple_get_Jprojective_coordinates_GFp,
ec_GFp_simple_point_set_affine_coordinates,
ec_GFp_nistp521_point_get_affine_coordinates,
- 0 /* point_set_compressed_coordinates */,
- 0 /* point2oct */,
- 0 /* oct2point */,
+ 0 /* point_set_compressed_coordinates */,
+ 0 /* point2oct */,
+ 0 /* oct2point */,
ec_GFp_simple_add,
ec_GFp_simple_dbl,
ec_GFp_simple_invert,
return 1;
}
-static void make_points_affine(size_t num, felem points[num][3], felem tmp_felems[num+1])
+static void make_points_affine(size_t num, felem points[/* num */][3], felem tmp_felems[/* num+1 */])
{
/* Runs in constant time, unless an input is the point at infinity
* (which normally shouldn't happen). */
projects / openssl.git / blobdiff