diff --git a/Makefile b/Makefile index 0dc971c..b9d53a9 100644 --- a/Makefile +++ b/Makefile @@ -63,7 +63,7 @@ ASFLAGS = $(ARCHFLAGS) HEADERS= Makefile $(shell find . -name "*.h") build/timestamp LIBCOMPONENTS= build/goldilocks.o build/barrett_field.o build/crandom.o \ - build/p448.o build/ec_point.o build/scalarmul.o build/sha512.o build/magic.o + build/p448.o build/ec_point.o build/scalarmul.o build/sha512.o build/magic.o build/arithmetic.o TESTCOMPONENTS=build/test.o build/test_scalarmul.o build/test_sha512.o \ build/test_pointops.o build/test_arithmetic.o build/test_goldilocks.o build/magic.o diff --git a/src/arch_32/p448.c b/src/arch_32/p448.c index 9dab9fb..b53250c 100644 --- a/src/arch_32/p448.c +++ b/src/arch_32/p448.c @@ -250,38 +250,3 @@ p448_deserialize ( return ~is_zero(ge ^ mask); } -void -simultaneous_invert_p448( - struct p448_t *__restrict__ out, - const struct p448_t *in, - unsigned int n -) { - if (n==0) { - return; - } else if (n==1) { - p448_inverse(out,in); - return; - } - - p448_copy(&out[1], &in[0]); - int i; - for (i=1; i<(int) (n-1); i++) { - p448_mul(&out[i+1], &out[i], &in[i]); - } - p448_mul(&out[0], &out[n-1], &in[n-1]); - - struct p448_t tmp; - p448_inverse(&tmp, &out[0]); - p448_copy(&out[0], &tmp); - - /* at this point, out[0] = product(in[i]) ^ -1 - * out[i] = product(in[0]..in[i-1]) if i != 0 - */ - for (i=n-1; i>0; i--) { - p448_mul(&tmp, &out[i], &out[0]); - p448_copy(&out[i], &tmp); - - p448_mul(&tmp, &out[0], &in[i]); - p448_copy(&out[0], &tmp); - } -} diff --git a/src/arch_32/p448.h b/src/arch_32/p448.h index 94dacd7..60ecac5 100644 --- a/src/arch_32/p448.h +++ b/src/arch_32/p448.h @@ -151,13 +151,6 @@ p448_inverse ( struct p448_t* a, const struct p448_t* x ); - -void -simultaneous_invert_p448 ( - struct p448_t *__restrict__ out, - const struct p448_t *in, - unsigned int n -); static inline mask_t p448_eq ( diff --git a/src/arch_arm_32/p448.c b/src/arch_arm_32/p448.c index ec08fb8..a4acd83 100644 --- a/src/arch_arm_32/p448.c +++ b/src/arch_arm_32/p448.c @@ -976,39 +976,3 @@ p448_deserialize ( return ~is_zero(ge ^ mask); } - -void -simultaneous_invert_p448( - struct p448_t *__restrict__ out, - const struct p448_t *in, - unsigned int n -) { - if (n==0) { - return; - } else if (n==1) { - p448_inverse(out,in); - return; - } - - p448_copy(&out[1], &in[0]); - int i; - for (i=1; i<(int) (n-1); i++) { - p448_mul(&out[i+1], &out[i], &in[i]); - } - p448_mul(&out[0], &out[n-1], &in[n-1]); - - struct p448_t tmp; - p448_inverse(&tmp, &out[0]); - p448_copy(&out[0], &tmp); - - /* at this point, out[0] = product(in[i]) ^ -1 - * out[i] = product(in[0]..in[i-1]) if i != 0 - */ - for (i=n-1; i>0; i--) { - p448_mul(&tmp, &out[i], &out[0]); - p448_copy(&out[i], &tmp); - - p448_mul(&tmp, &out[0], &in[i]); - p448_copy(&out[0], &tmp); - } -} diff --git a/src/arch_arm_32/p448.h b/src/arch_arm_32/p448.h index befc9e0..0878e9c 100644 --- a/src/arch_arm_32/p448.h +++ b/src/arch_arm_32/p448.h @@ -151,14 +151,7 @@ p448_inverse ( struct p448_t* a, const struct p448_t* x ); - -void -simultaneous_invert_p448 ( - struct p448_t *__restrict__ out, - const struct p448_t *in, - unsigned int n -); - + static inline mask_t p448_eq ( const struct p448_t *a, diff --git a/src/arch_neon/p448.c b/src/arch_neon/p448.c index ac0c051..956f356 100644 --- a/src/arch_neon/p448.c +++ b/src/arch_neon/p448.c @@ -721,39 +721,3 @@ p448_deserialize ( return ~is_zero(ge ^ mask); } - -void -simultaneous_invert_p448( - struct p448_t *__restrict__ out, - const struct p448_t *in, - unsigned int n -) { - if (n==0) { - return; - } else if (n==1) { - p448_inverse(out,in); - return; - } - - p448_copy(&out[1], &in[0]); - int i; - for (i=1; i<(int) (n-1); i++) { - p448_mul(&out[i+1], &out[i], &in[i]); - } - p448_mul(&out[0], &out[n-1], &in[n-1]); - - struct p448_t tmp; - p448_inverse(&tmp, &out[0]); - p448_copy(&out[0], &tmp); - - /* at this point, out[0] = product(in[i]) ^ -1 - * out[i] = product(in[0]..in[i-1]) if i != 0 - */ - for (i=n-1; i>0; i--) { - p448_mul(&tmp, &out[i], &out[0]); - p448_copy(&out[i], &tmp); - - p448_mul(&tmp, &out[0], &in[i]); - p448_copy(&out[0], &tmp); - } -} diff --git a/src/arch_neon/p448.h b/src/arch_neon/p448.h index 94dacd7..60ecac5 100644 --- a/src/arch_neon/p448.h +++ b/src/arch_neon/p448.h @@ -151,13 +151,6 @@ p448_inverse ( struct p448_t* a, const struct p448_t* x ); - -void -simultaneous_invert_p448 ( - struct p448_t *__restrict__ out, - const struct p448_t *in, - unsigned int n -); static inline mask_t p448_eq ( diff --git a/src/arch_neon_experimental/p448.c b/src/arch_neon_experimental/p448.c index 17b05ef..0e2dc5d 100644 --- a/src/arch_neon_experimental/p448.c +++ b/src/arch_neon_experimental/p448.c @@ -736,38 +736,3 @@ p448_deserialize ( return ~is_zero(ge ^ mask); } -void -simultaneous_invert_p448( - struct p448_t *__restrict__ out, - const struct p448_t *in, - unsigned int n -) { - if (n==0) { - return; - } else if (n==1) { - p448_inverse(out,in); - return; - } - - p448_copy(&out[1], &in[0]); - int i; - for (i=1; i<(int) (n-1); i++) { - p448_mul(&out[i+1], &out[i], &in[i]); - } - p448_mul(&out[0], &out[n-1], &in[n-1]); - - struct p448_t tmp; - p448_inverse(&tmp, &out[0]); - p448_copy(&out[0], &tmp); - - /* at this point, out[0] = product(in[i]) ^ -1 - * out[i] = product(in[0]..in[i-1]) if i != 0 - */ - for (i=n-1; i>0; i--) { - p448_mul(&tmp, &out[i], &out[0]); - p448_copy(&out[i], &tmp); - - p448_mul(&tmp, &out[0], &in[i]); - p448_copy(&out[0], &tmp); - } -} diff --git a/src/arch_neon_experimental/p448.h b/src/arch_neon_experimental/p448.h index 4f0be0a..e2a034d 100644 --- a/src/arch_neon_experimental/p448.h +++ b/src/arch_neon_experimental/p448.h @@ -154,13 +154,6 @@ p448_inverse ( struct p448_t* a, const struct p448_t* x ); - -void -simultaneous_invert_p448 ( - struct p448_t *__restrict__ out, - const struct p448_t *in, - unsigned int n -); static inline mask_t p448_eq ( diff --git a/src/arch_ref64/p448.c b/src/arch_ref64/p448.c index 0f23613..1668211 100644 --- a/src/arch_ref64/p448.c +++ b/src/arch_ref64/p448.c @@ -439,39 +439,3 @@ p448_deserialize ( return ~is_zero(ge ^ mask); } - -void -simultaneous_invert_p448( - struct p448_t *__restrict__ out, - const struct p448_t *in, - unsigned int n -) { - if (n==0) { - return; - } else if (n==1) { - p448_inverse(out,in); - return; - } - - p448_copy(&out[1], &in[0]); - int i; - for (i=1; i<(int) (n-1); i++) { - p448_mul(&out[i+1], &out[i], &in[i]); - } - p448_mul(&out[0], &out[n-1], &in[n-1]); - - struct p448_t tmp; - p448_inverse(&tmp, &out[0]); - p448_copy(&out[0], &tmp); - - /* at this point, out[0] = product(in[i]) ^ -1 - * out[i] = product(in[0]..in[i-1]) if i != 0 - */ - for (i=n-1; i>0; i--) { - p448_mul(&tmp, &out[i], &out[0]); - p448_copy(&out[i], &tmp); - - p448_mul(&tmp, &out[0], &in[i]); - p448_copy(&out[0], &tmp); - } -} diff --git a/src/arch_ref64/p448.h b/src/arch_ref64/p448.h index 431c04f..5fb28b4 100644 --- a/src/arch_ref64/p448.h +++ b/src/arch_ref64/p448.h @@ -158,13 +158,6 @@ p448_inverse ( struct p448_t* a, const struct p448_t* x ); - -void -simultaneous_invert_p448 ( - struct p448_t *__restrict__ out, - const struct p448_t *in, - unsigned int n -); static inline mask_t p448_eq ( diff --git a/src/arch_x86_64/p448.c b/src/arch_x86_64/p448.c index 5e97812..8fa80a3 100644 --- a/src/arch_x86_64/p448.c +++ b/src/arch_x86_64/p448.c @@ -419,38 +419,3 @@ p448_deserialize ( return ~is_zero(ge ^ mask); } -void -simultaneous_invert_p448( - struct p448_t *__restrict__ out, - const struct p448_t *in, - unsigned int n -) { - if (n==0) { - return; - } else if (n==1) { - p448_inverse(out,in); - return; - } - - p448_copy(&out[1], &in[0]); - int i; - for (i=1; i<(int) (n-1); i++) { - p448_mul(&out[i+1], &out[i], &in[i]); - } - p448_mul(&out[0], &out[n-1], &in[n-1]); - - struct p448_t tmp; - p448_inverse(&tmp, &out[0]); - p448_copy(&out[0], &tmp); - - /* at this point, out[0] = product(in[i]) ^ -1 - * out[i] = product(in[0]..in[i-1]) if i != 0 - */ - for (i=n-1; i>0; i--) { - p448_mul(&tmp, &out[i], &out[0]); - p448_copy(&out[i], &tmp); - - p448_mul(&tmp, &out[0], &in[i]); - p448_copy(&out[0], &tmp); - } -} diff --git a/src/arch_x86_64/p448.h b/src/arch_x86_64/p448.h index 59de4ff..4b04445 100644 --- a/src/arch_x86_64/p448.h +++ b/src/arch_x86_64/p448.h @@ -151,13 +151,6 @@ p448_inverse ( struct p448_t* a, const struct p448_t* x ); - -void -simultaneous_invert_p448 ( - struct p448_t *__restrict__ out, - const struct p448_t *in, - unsigned int n -); static inline mask_t p448_eq ( diff --git a/src/arithmetic.c b/src/arithmetic.c new file mode 100644 index 0000000..de463fe --- /dev/null +++ b/src/arithmetic.c @@ -0,0 +1,76 @@ +/** + * @cond internal + * @file field.c + * @copyright + * Copyright (c) 2014 Cryptography Research, Inc. \n + * Released under the MIT License. See LICENSE.txt for license information. + * @author Mike Hamburg + * @brief High-level arithmetic routines, independent of field (except 3 mod 4). + */ + +#include "field.h" +#include "ec_point.h" // TODO + +void +field_inverse ( + struct field_t* a, + const struct field_t* x +) { + struct field_t L0, L1; + field_isr ( &L0, x ); + field_sqr ( &L1, &L0 ); + field_sqr ( &L0, &L1 ); + field_mul ( a, x, &L0 ); +} + +mask_t +field_is_square ( + const struct field_t* x +) { + mask_t L2, L3; + struct field_t L0, L1; + field_isr ( &L0, x ); + field_sqr ( &L1, &L0 ); + field_mul ( &L0, x, &L1 ); + field_subw ( &L0, 1 ); + field_bias ( &L0, 1 ); + L3 = field_is_zero( &L0 ); + L2 = field_is_zero( x ); + return L3 | L2; +} + +void +field_simultaneous_invert ( + struct field_t *__restrict__ out, + const struct field_t *in, + unsigned int n +) { + if (n==0) { + return; + } else if (n==1) { + field_inverse(out,in); + return; + } + + field_copy(&out[1], &in[0]); + int i; + for (i=1; i<(int) (n-1); i++) { + field_mul(&out[i+1], &out[i], &in[i]); + } + field_mul(&out[0], &out[n-1], &in[n-1]); + + struct field_t tmp; + field_inverse(&tmp, &out[0]); + field_copy(&out[0], &tmp); + + /* at this point, out[0] = product(in[i]) ^ -1 + * out[i] = product(in[0]..in[i-1]) if i != 0 + */ + for (i=n-1; i>0; i--) { + field_mul(&tmp, &out[i], &out[0]); + field_copy(&out[i], &tmp); + + field_mul(&tmp, &out[0], &in[i]); + field_copy(&out[0], &tmp); + } +} diff --git a/src/ec_point.c b/src/ec_point.c index 9a80863..ae97cf6 100644 --- a/src/ec_point.c +++ b/src/ec_point.c @@ -10,6 +10,7 @@ */ #include "ec_point.h" +#include "magic.h" #define is32 (GOLDI_BITS == 32) @@ -23,48 +24,64 @@ #define IF32(s) #endif -void -p448_isr ( - struct p448_t* a, - const struct p448_t* x -) { - struct p448_t L0, L1, L2; - p448_sqr ( &L1, x ); - p448_mul ( &L2, x, &L1 ); - p448_sqr ( &L1, &L2 ); - p448_mul ( &L2, x, &L1 ); - p448_sqrn ( &L1, &L2, 3 ); - p448_mul ( &L0, &L2, &L1 ); - p448_sqrn ( &L1, &L0, 3 ); - p448_mul ( &L0, &L2, &L1 ); - p448_sqrn ( &L2, &L0, 9 ); - p448_mul ( &L1, &L0, &L2 ); - p448_sqr ( &L0, &L1 ); - p448_mul ( &L2, x, &L0 ); - p448_sqrn ( &L0, &L2, 18 ); - p448_mul ( &L2, &L1, &L0 ); - p448_sqrn ( &L0, &L2, 37 ); - p448_mul ( &L1, &L2, &L0 ); - p448_sqrn ( &L0, &L1, 37 ); - p448_mul ( &L1, &L2, &L0 ); - p448_sqrn ( &L0, &L1, 111 ); - p448_mul ( &L2, &L1, &L0 ); - p448_sqr ( &L0, &L2 ); - p448_mul ( &L1, x, &L0 ); - p448_sqrn ( &L0, &L1, 223 ); - p448_mul ( a, &L2, &L0 ); +/* Multiply by signed curve constant */ +static __inline__ void +field_mulw_scc ( + struct field_t* __restrict__ out, + const struct field_t *a, + int64_t scc +) { + if (scc >= 0) { + field_mulw(out, a, scc); + } else { + field_mulw(out, a, -scc); + field_neg(out,out); + field_bias(out,2); + } } -void -p448_inverse ( - struct p448_t* a, - const struct p448_t* x +/* Multiply by signed curve constant and weak reduce if biased */ +static __inline__ void +field_mulw_scc_wr ( + struct field_t* __restrict__ out, + const struct field_t *a, + int64_t scc ) { - struct p448_t L0, L1; - p448_isr ( &L0, x ); - p448_sqr ( &L1, &L0 ); - p448_sqr ( &L0, &L1 ); - p448_mul ( a, x, &L0 ); + field_mulw_scc(out, a, scc); + if (scc < 0) + field_weak_reduce(out); +} + +void +field_isr ( + struct field_t* a, + const struct field_t* x +) { + struct field_t L0, L1, L2; + field_sqr ( &L1, x ); + field_mul ( &L2, x, &L1 ); + field_sqr ( &L1, &L2 ); + field_mul ( &L2, x, &L1 ); + field_sqrn ( &L1, &L2, 3 ); + field_mul ( &L0, &L2, &L1 ); + field_sqrn ( &L1, &L0, 3 ); + field_mul ( &L0, &L2, &L1 ); + field_sqrn ( &L2, &L0, 9 ); + field_mul ( &L1, &L0, &L2 ); + field_sqr ( &L0, &L1 ); + field_mul ( &L2, x, &L0 ); + field_sqrn ( &L0, &L2, 18 ); + field_mul ( &L2, &L1, &L0 ); + field_sqrn ( &L0, &L2, 37 ); + field_mul ( &L1, &L2, &L0 ); + field_sqrn ( &L0, &L1, 37 ); + field_mul ( &L1, &L2, &L0 ); + field_sqrn ( &L0, &L1, 111 ); + field_mul ( &L2, &L1, &L0 ); + field_sqr ( &L0, &L2 ); + field_mul ( &L1, x, &L0 ); + field_sqrn ( &L0, &L1, 223 ); + field_mul ( a, &L2, &L0 ); } void @@ -72,26 +89,26 @@ add_tw_niels_to_tw_extensible ( struct tw_extensible_t* d, const struct tw_niels_t* e ) { - struct p448_t L0, L1; - p448_sub ( &L1, &d->y, &d->x ); - p448_bias ( &L1, 2 ); - IF32( p448_weak_reduce( &L1 ) ); - p448_mul ( &L0, &e->a, &L1 ); - p448_add ( &L1, &d->x, &d->y ); - p448_mul ( &d->y, &e->b, &L1 ); - p448_mul ( &L1, &d->u, &d->t ); - p448_mul ( &d->x, &e->c, &L1 ); - p448_add ( &d->u, &L0, &d->y ); - p448_sub ( &d->t, &d->y, &L0 ); - p448_bias ( &d->t, 2 ); - IF32( p448_weak_reduce( &d->t ) ); - p448_sub ( &d->y, &d->z, &d->x ); - p448_bias ( &d->y, 2 ); - IF32( p448_weak_reduce( &d->y ) ); - p448_add ( &L0, &d->x, &d->z ); - p448_mul ( &d->z, &L0, &d->y ); - p448_mul ( &d->x, &d->y, &d->t ); - p448_mul ( &d->y, &L0, &d->u ); + struct field_t L0, L1; + field_sub ( &L1, &d->y, &d->x ); + field_bias ( &L1, 2 ); + IF32( field_weak_reduce( &L1 ) ); + field_mul ( &L0, &e->a, &L1 ); + field_add ( &L1, &d->x, &d->y ); + field_mul ( &d->y, &e->b, &L1 ); + field_mul ( &L1, &d->u, &d->t ); + field_mul ( &d->x, &e->c, &L1 ); + field_add ( &d->u, &L0, &d->y ); + field_sub ( &d->t, &d->y, &L0 ); + field_bias ( &d->t, 2 ); + IF32( field_weak_reduce( &d->t ) ); + field_sub ( &d->y, &d->z, &d->x ); + field_bias ( &d->y, 2 ); + IF32( field_weak_reduce( &d->y ) ); + field_add ( &L0, &d->x, &d->z ); + field_mul ( &d->z, &L0, &d->y ); + field_mul ( &d->x, &d->y, &d->t ); + field_mul ( &d->y, &L0, &d->u ); } void @@ -99,26 +116,26 @@ sub_tw_niels_from_tw_extensible ( struct tw_extensible_t* d, const struct tw_niels_t* e ) { - struct p448_t L0, L1; - p448_sub ( &L1, &d->y, &d->x ); - p448_bias ( &L1, 2 ); - IF32( p448_weak_reduce( &L1 ) ); - p448_mul ( &L0, &e->b, &L1 ); - p448_add ( &L1, &d->x, &d->y ); - p448_mul ( &d->y, &e->a, &L1 ); - p448_mul ( &L1, &d->u, &d->t ); - p448_mul ( &d->x, &e->c, &L1 ); - p448_add ( &d->u, &L0, &d->y ); - p448_sub ( &d->t, &d->y, &L0 ); - p448_bias ( &d->t, 2 ); - IF32( p448_weak_reduce( &d->t ) ); - p448_add ( &d->y, &d->x, &d->z ); - p448_sub ( &L0, &d->z, &d->x ); - p448_bias ( &L0, 2 ); - IF32( p448_weak_reduce( &L0 ) ); - p448_mul ( &d->z, &L0, &d->y ); - p448_mul ( &d->x, &d->y, &d->t ); - p448_mul ( &d->y, &L0, &d->u ); + struct field_t L0, L1; + field_sub ( &L1, &d->y, &d->x ); + field_bias ( &L1, 2 ); + IF32( field_weak_reduce( &L1 ) ); + field_mul ( &L0, &e->b, &L1 ); + field_add ( &L1, &d->x, &d->y ); + field_mul ( &d->y, &e->a, &L1 ); + field_mul ( &L1, &d->u, &d->t ); + field_mul ( &d->x, &e->c, &L1 ); + field_add ( &d->u, &L0, &d->y ); + field_sub ( &d->t, &d->y, &L0 ); + field_bias ( &d->t, 2 ); + IF32( field_weak_reduce( &d->t ) ); + field_add ( &d->y, &d->x, &d->z ); + field_sub ( &L0, &d->z, &d->x ); + field_bias ( &L0, 2 ); + IF32( field_weak_reduce( &L0 ) ); + field_mul ( &d->z, &L0, &d->y ); + field_mul ( &d->x, &d->y, &d->t ); + field_mul ( &d->y, &L0, &d->u ); } void @@ -126,9 +143,9 @@ add_tw_pniels_to_tw_extensible ( struct tw_extensible_t* e, const struct tw_pniels_t* a ) { - struct p448_t L0; - p448_mul ( &L0, &e->z, &a->z ); - p448_copy ( &e->z, &L0 ); + struct field_t L0; + field_mul ( &L0, &e->z, &a->z ); + field_copy ( &e->z, &L0 ); add_tw_niels_to_tw_extensible( e, &a->n ); } @@ -137,9 +154,9 @@ sub_tw_pniels_from_tw_extensible ( struct tw_extensible_t* e, const struct tw_pniels_t* a ) { - struct p448_t L0; - p448_mul ( &L0, &e->z, &a->z ); - p448_copy ( &e->z, &L0 ); + struct field_t L0; + field_mul ( &L0, &e->z, &a->z ); + field_copy ( &e->z, &L0 ); sub_tw_niels_from_tw_extensible( e, &a->n ); } @@ -147,52 +164,52 @@ void double_tw_extensible ( struct tw_extensible_t* a ) { - struct p448_t L0, L1, L2; - p448_sqr ( &L2, &a->x ); - p448_sqr ( &L0, &a->y ); - p448_add ( &a->u, &L2, &L0 ); - p448_add ( &a->t, &a->y, &a->x ); - p448_sqr ( &L1, &a->t ); - p448_sub ( &a->t, &L1, &a->u ); - p448_bias ( &a->t, 3 ); - IF32( p448_weak_reduce( &a->t ) ); - p448_sub ( &L1, &L0, &L2 ); - p448_bias ( &L1, 2 ); - IF32( p448_weak_reduce( &L1 ) ); - p448_sqr ( &a->x, &a->z ); - p448_bias ( &a->x, 2-is32 /*is32 ? 1 : 2*/ ); - p448_add ( &a->z, &a->x, &a->x ); - p448_sub ( &L0, &a->z, &L1 ); - IF32( p448_weak_reduce( &L0 ) ); - p448_mul ( &a->z, &L1, &L0 ); - p448_mul ( &a->x, &L0, &a->t ); - p448_mul ( &a->y, &L1, &a->u ); + struct field_t L0, L1, L2; + field_sqr ( &L2, &a->x ); + field_sqr ( &L0, &a->y ); + field_add ( &a->u, &L2, &L0 ); + field_add ( &a->t, &a->y, &a->x ); + field_sqr ( &L1, &a->t ); + field_sub ( &a->t, &L1, &a->u ); + field_bias ( &a->t, 3 ); + IF32( field_weak_reduce( &a->t ) ); + field_sub ( &L1, &L0, &L2 ); + field_bias ( &L1, 2 ); + IF32( field_weak_reduce( &L1 ) ); + field_sqr ( &a->x, &a->z ); + field_bias ( &a->x, 2-is32 /*is32 ? 1 : 2*/ ); + field_add ( &a->z, &a->x, &a->x ); + field_sub ( &L0, &a->z, &L1 ); + IF32( field_weak_reduce( &L0 ) ); + field_mul ( &a->z, &L1, &L0 ); + field_mul ( &a->x, &L0, &a->t ); + field_mul ( &a->y, &L1, &a->u ); } void double_extensible ( struct extensible_t* a ) { - struct p448_t L0, L1, L2; - p448_sqr ( &L2, &a->x ); - p448_sqr ( &L0, &a->y ); - p448_add ( &L1, &L2, &L0 ); - p448_add ( &a->t, &a->y, &a->x ); - p448_sqr ( &a->u, &a->t ); - p448_sub ( &a->t, &a->u, &L1 ); - p448_bias ( &a->t, 3 ); - IF32( p448_weak_reduce( &a->t ) ); - p448_sub ( &a->u, &L0, &L2 ); - p448_bias ( &a->u, 2 ); - IF32( p448_weak_reduce( &a->u ) ); - p448_sqr ( &a->x, &a->z ); - p448_bias ( &a->x, 2 ); - p448_add ( &a->z, &a->x, &a->x ); - p448_sub ( &L0, &a->z, &L1 ); - IF32( p448_weak_reduce( &L0 ) ); - p448_mul ( &a->z, &L1, &L0 ); - p448_mul ( &a->x, &L0, &a->t ); - p448_mul ( &a->y, &L1, &a->u ); + struct field_t L0, L1, L2; + field_sqr ( &L2, &a->x ); + field_sqr ( &L0, &a->y ); + field_add ( &L1, &L2, &L0 ); + field_add ( &a->t, &a->y, &a->x ); + field_sqr ( &a->u, &a->t ); + field_sub ( &a->t, &a->u, &L1 ); + field_bias ( &a->t, 3 ); + IF32( field_weak_reduce( &a->t ) ); + field_sub ( &a->u, &L0, &L2 ); + field_bias ( &a->u, 2 ); + IF32( field_weak_reduce( &a->u ) ); + field_sqr ( &a->x, &a->z ); + field_bias ( &a->x, 2 ); + field_add ( &a->z, &a->x, &a->x ); + field_sub ( &L0, &a->z, &L1 ); + IF32( field_weak_reduce( &L0 ) ); + field_mul ( &a->z, &L1, &L0 ); + field_mul ( &a->x, &L0, &a->t ); + field_mul ( &a->y, &L1, &a->u ); } void @@ -200,26 +217,26 @@ twist_and_double ( struct tw_extensible_t* b, const struct extensible_t* a ) { - struct p448_t L0; - p448_sqr ( &b->x, &a->x ); - p448_sqr ( &b->z, &a->y ); - p448_add ( &b->u, &b->x, &b->z ); - p448_add ( &b->t, &a->y, &a->x ); - p448_sqr ( &L0, &b->t ); - p448_sub ( &b->t, &L0, &b->u ); - p448_bias ( &b->t, 3 ); - IF32( p448_weak_reduce( &b->t ) ); - p448_sub ( &L0, &b->z, &b->x ); - p448_bias ( &L0, 2 ); - IF32( p448_weak_reduce( &L0 ) ); - p448_sqr ( &b->x, &a->z ); - p448_bias ( &b->x, 2 ); - p448_add ( &b->z, &b->x, &b->x ); - p448_sub ( &b->y, &b->z, &b->u ); - IF32( p448_weak_reduce( &b->y ) ); - p448_mul ( &b->z, &L0, &b->y ); - p448_mul ( &b->x, &b->y, &b->t ); - p448_mul ( &b->y, &L0, &b->u ); + struct field_t L0; + field_sqr ( &b->x, &a->x ); + field_sqr ( &b->z, &a->y ); + field_add ( &b->u, &b->x, &b->z ); + field_add ( &b->t, &a->y, &a->x ); + field_sqr ( &L0, &b->t ); + field_sub ( &b->t, &L0, &b->u ); + field_bias ( &b->t, 3 ); + IF32( field_weak_reduce( &b->t ) ); + field_sub ( &L0, &b->z, &b->x ); + field_bias ( &L0, 2 ); + IF32( field_weak_reduce( &L0 ) ); + field_sqr ( &b->x, &a->z ); + field_bias ( &b->x, 2 ); + field_add ( &b->z, &b->x, &b->x ); + field_sub ( &b->y, &b->z, &b->u ); + IF32( field_weak_reduce( &b->y ) ); + field_mul ( &b->z, &L0, &b->y ); + field_mul ( &b->x, &b->y, &b->t ); + field_mul ( &b->y, &L0, &b->u ); } void @@ -227,26 +244,26 @@ untwist_and_double ( struct extensible_t* b, const struct tw_extensible_t* a ) { - struct p448_t L0; - p448_sqr ( &b->x, &a->x ); - p448_sqr ( &b->z, &a->y ); - p448_add ( &L0, &b->x, &b->z ); - p448_add ( &b->t, &a->y, &a->x ); - p448_sqr ( &b->u, &b->t ); - p448_sub ( &b->t, &b->u, &L0 ); - p448_bias ( &b->t, 3 ); - IF32( p448_weak_reduce( &b->t ) ); - p448_sub ( &b->u, &b->z, &b->x ); - p448_bias ( &b->u, 2 ); - IF32( p448_weak_reduce( &b->u ) ); - p448_sqr ( &b->x, &a->z ); - p448_bias ( &b->x, 2-is32 /*is32 ? 1 : 2*/ ); - p448_add ( &b->z, &b->x, &b->x ); - p448_sub ( &b->y, &b->z, &b->u ); - IF32( p448_weak_reduce( &b->y ) ); - p448_mul ( &b->z, &L0, &b->y ); - p448_mul ( &b->x, &b->y, &b->t ); - p448_mul ( &b->y, &L0, &b->u ); + struct field_t L0; + field_sqr ( &b->x, &a->x ); + field_sqr ( &b->z, &a->y ); + field_add ( &L0, &b->x, &b->z ); + field_add ( &b->t, &a->y, &a->x ); + field_sqr ( &b->u, &b->t ); + field_sub ( &b->t, &b->u, &L0 ); + field_bias ( &b->t, 3 ); + IF32( field_weak_reduce( &b->t ) ); + field_sub ( &b->u, &b->z, &b->x ); + field_bias ( &b->u, 2 ); + IF32( field_weak_reduce( &b->u ) ); + field_sqr ( &b->x, &a->z ); + field_bias ( &b->x, 2-is32 /*is32 ? 1 : 2*/ ); + field_add ( &b->z, &b->x, &b->x ); + field_sub ( &b->y, &b->z, &b->u ); + IF32( field_weak_reduce( &b->y ) ); + field_mul ( &b->z, &L0, &b->y ); + field_mul ( &b->x, &b->y, &b->t ); + field_mul ( &b->y, &L0, &b->u ); } void @@ -254,17 +271,14 @@ convert_tw_affine_to_tw_pniels ( struct tw_pniels_t* b, const struct tw_affine_t* a ) { - p448_sub ( &b->n.a, &a->y, &a->x ); - p448_bias ( &b->n.a, 2 ); - p448_weak_reduce( &b->n.a ); - p448_add ( &b->n.b, &a->x, &a->y ); - p448_weak_reduce( &b->n.b ); - p448_mul ( &b->n.c, &a->y, &a->x ); - p448_mulw ( &b->z, &b->n.c, 78164 ); - p448_neg ( &b->n.c, &b->z ); - p448_bias ( &b->n.c, 2 ); - p448_weak_reduce( &b->n.c ); - p448_set_ui( &b->z, 2 ); + field_sub ( &b->n.a, &a->y, &a->x ); + field_bias ( &b->n.a, 2 ); + field_weak_reduce( &b->n.a ); + field_add ( &b->n.b, &a->x, &a->y ); + field_weak_reduce( &b->n.b ); + field_mul ( &b->z, &a->y, &a->x ); + field_mulw_scc_wr ( &b->n.c, &b->z, 2*EDWARDS_D-2 ); + field_set_ui( &b->z, 2 ); } void @@ -272,11 +286,11 @@ convert_tw_affine_to_tw_extensible ( struct tw_extensible_t* b, const struct tw_affine_t* a ) { - p448_copy ( &b->x, &a->x ); - p448_copy ( &b->y, &a->y ); - p448_set_ui( &b->z, 1 ); - p448_copy ( &b->t, &a->x ); - p448_copy ( &b->u, &a->y ); + field_copy ( &b->x, &a->x ); + field_copy ( &b->y, &a->y ); + field_set_ui( &b->z, 1 ); + field_copy ( &b->t, &a->x ); + field_copy ( &b->u, &a->y ); } void @@ -284,11 +298,11 @@ convert_affine_to_extensible ( struct extensible_t* b, const struct affine_t* a ) { - p448_copy ( &b->x, &a->x ); - p448_copy ( &b->y, &a->y ); - p448_set_ui( &b->z, 1 ); - p448_copy ( &b->t, &a->x ); - p448_copy ( &b->u, &a->y ); + field_copy ( &b->x, &a->x ); + field_copy ( &b->y, &a->y ); + field_set_ui( &b->z, 1 ); + field_copy ( &b->t, &a->x ); + field_copy ( &b->u, &a->y ); } void @@ -296,18 +310,15 @@ convert_tw_extensible_to_tw_pniels ( struct tw_pniels_t* b, const struct tw_extensible_t* a ) { - p448_sub ( &b->n.a, &a->y, &a->x ); - p448_bias ( &b->n.a, 2 ); - p448_weak_reduce( &b->n.a ); - p448_add ( &b->n.b, &a->x, &a->y ); - p448_weak_reduce( &b->n.b ); - p448_mul ( &b->n.c, &a->u, &a->t ); - p448_mulw ( &b->z, &b->n.c, 78164 ); - p448_neg ( &b->n.c, &b->z ); - p448_bias ( &b->n.c, 2 ); - p448_weak_reduce( &b->n.c ); - p448_add ( &b->z, &a->z, &a->z ); - p448_weak_reduce( &b->z ); + field_sub ( &b->n.a, &a->y, &a->x ); + field_bias ( &b->n.a, 2 ); + field_weak_reduce( &b->n.a ); + field_add ( &b->n.b, &a->x, &a->y ); + field_weak_reduce( &b->n.b ); + field_mul ( &b->z, &a->u, &a->t ); + field_mulw_scc_wr ( &b->n.c, &b->z, 2*EDWARDS_D-2 ); + field_add ( &b->z, &a->z, &a->z ); + field_weak_reduce( &b->z ); } void @@ -315,13 +326,13 @@ convert_tw_pniels_to_tw_extensible ( struct tw_extensible_t* e, const struct tw_pniels_t* d ) { - p448_add ( &e->u, &d->n.b, &d->n.a ); - p448_sub ( &e->t, &d->n.b, &d->n.a ); - p448_bias ( &e->t, 2 ); - IF32( p448_weak_reduce( &e->t ) ); - p448_mul ( &e->x, &d->z, &e->t ); - p448_mul ( &e->y, &d->z, &e->u ); - p448_sqr ( &e->z, &d->z ); + field_add ( &e->u, &d->n.b, &d->n.a ); + field_sub ( &e->t, &d->n.b, &d->n.a ); + field_bias ( &e->t, 2 ); + IF32( field_weak_reduce( &e->t ) ); + field_mul ( &e->x, &d->z, &e->t ); + field_mul ( &e->y, &d->z, &e->u ); + field_sqr ( &e->z, &d->z ); } void @@ -329,170 +340,170 @@ convert_tw_niels_to_tw_extensible ( struct tw_extensible_t* e, const struct tw_niels_t* d ) { - p448_add ( &e->y, &d->b, &d->a ); - p448_weak_reduce( &e->y ); - p448_sub ( &e->x, &d->b, &d->a ); - p448_bias ( &e->x, 2 ); - p448_weak_reduce( &e->x ); - p448_set_ui( &e->z, 1 ); - p448_copy ( &e->t, &e->x ); - p448_copy ( &e->u, &e->y ); + field_add ( &e->y, &d->b, &d->a ); + field_weak_reduce( &e->y ); + field_sub ( &e->x, &d->b, &d->a ); + field_bias ( &e->x, 2 ); + field_weak_reduce( &e->x ); + field_set_ui( &e->z, 1 ); + field_copy ( &e->t, &e->x ); + field_copy ( &e->u, &e->y ); } void montgomery_step ( struct montgomery_t* a ) { - struct p448_t L0, L1; - p448_add ( &L0, &a->zd, &a->xd ); - p448_sub ( &L1, &a->xd, &a->zd ); - p448_bias ( &L1, 2 ); - IF32( p448_weak_reduce( &L1 ) ); - p448_sub ( &a->zd, &a->xa, &a->za ); - p448_bias ( &a->zd, 2 ); - IF32( p448_weak_reduce( &a->zd ) ); - p448_mul ( &a->xd, &L0, &a->zd ); - p448_add ( &a->zd, &a->za, &a->xa ); - p448_mul ( &a->za, &L1, &a->zd ); - p448_add ( &a->xa, &a->za, &a->xd ); - p448_sqr ( &a->zd, &a->xa ); - p448_mul ( &a->xa, &a->z0, &a->zd ); - p448_sub ( &a->zd, &a->xd, &a->za ); - p448_bias ( &a->zd, 2 ); - IF32( p448_weak_reduce( &a->zd ) ); - p448_sqr ( &a->za, &a->zd ); - p448_sqr ( &a->xd, &L0 ); - p448_sqr ( &L0, &L1 ); - p448_mulw ( &a->zd, &a->xd, 39082 ); - p448_sub ( &L1, &a->xd, &L0 ); - p448_bias ( &L1, 2 ); - IF32( p448_weak_reduce( &L1 ) ); - p448_mul ( &a->xd, &L0, &a->zd ); - p448_sub ( &L0, &a->zd, &L1 ); - p448_bias ( &L0, 4 - 2*is32 /*is32 ? 2 : 4*/ ); - IF32( p448_weak_reduce( &L0 ) ); - p448_mul ( &a->zd, &L0, &L1 ); + struct field_t L0, L1; + field_add ( &L0, &a->zd, &a->xd ); + field_sub ( &L1, &a->xd, &a->zd ); + field_bias ( &L1, 2 ); + IF32( field_weak_reduce( &L1 ) ); + field_sub ( &a->zd, &a->xa, &a->za ); + field_bias ( &a->zd, 2 ); + IF32( field_weak_reduce( &a->zd ) ); + field_mul ( &a->xd, &L0, &a->zd ); + field_add ( &a->zd, &a->za, &a->xa ); + field_mul ( &a->za, &L1, &a->zd ); + field_add ( &a->xa, &a->za, &a->xd ); + field_sqr ( &a->zd, &a->xa ); + field_mul ( &a->xa, &a->z0, &a->zd ); + field_sub ( &a->zd, &a->xd, &a->za ); + field_bias ( &a->zd, 2 ); + IF32( field_weak_reduce( &a->zd ) ); + field_sqr ( &a->za, &a->zd ); + field_sqr ( &a->xd, &L0 ); + field_sqr ( &L0, &L1 ); + field_mulw ( &a->zd, &a->xd, 1-EDWARDS_D ); + field_sub ( &L1, &a->xd, &L0 ); + field_bias ( &L1, 2 ); + IF32( field_weak_reduce( &L1 ) ); + field_mul ( &a->xd, &L0, &a->zd ); + field_sub ( &L0, &a->zd, &L1 ); + field_bias ( &L0, 4 - 2*is32 /*is32 ? 2 : 4*/ ); + IF32( field_weak_reduce( &L0 ) ); + field_mul ( &a->zd, &L0, &L1 ); } void deserialize_montgomery ( struct montgomery_t* a, - const struct p448_t* sbz + const struct field_t* sbz ) { - p448_sqr ( &a->z0, sbz ); - p448_set_ui( &a->xd, 1 ); - p448_set_ui( &a->zd, 0 ); - p448_set_ui( &a->xa, 1 ); - p448_copy ( &a->za, &a->z0 ); + field_sqr ( &a->z0, sbz ); + field_set_ui( &a->xd, 1 ); + field_set_ui( &a->zd, 0 ); + field_set_ui( &a->xa, 1 ); + field_copy ( &a->za, &a->z0 ); } mask_t serialize_montgomery ( - struct p448_t* b, + struct field_t* b, const struct montgomery_t* a, - const struct p448_t* sbz + const struct field_t* sbz ) { mask_t L4, L5, L6; - struct p448_t L0, L1, L2, L3; - p448_mul ( &L3, &a->z0, &a->zd ); - p448_sub ( &L1, &L3, &a->xd ); - p448_bias ( &L1, 2 ); - IF32( p448_weak_reduce( &L1 ) ); - p448_mul ( &L3, &a->za, &L1 ); - p448_mul ( &L2, &a->z0, &a->xd ); - p448_sub ( &L1, &L2, &a->zd ); - p448_bias ( &L1, 2 ); - IF32( p448_weak_reduce( &L1 ) ); - p448_mul ( &L0, &a->xa, &L1 ); - p448_add ( &L2, &L0, &L3 ); - p448_sub ( &L1, &L3, &L0 ); - p448_bias ( &L1, 2 ); - IF32( p448_weak_reduce( &L1 ) ); - p448_mul ( &L3, &L1, &L2 ); - p448_copy ( &L2, &a->z0 ); - p448_addw ( &L2, 1 ); - p448_sqr ( &L1, &L2 ); - p448_mulw ( &L2, &L1, 39082 ); - p448_neg ( &L1, &L2 ); - p448_add ( &L2, &a->z0, &a->z0 ); - p448_bias ( &L2, 1 ); - p448_add ( &L0, &L2, &L2 ); - p448_add ( &L2, &L0, &L1 ); - IF32( p448_weak_reduce( &L2 ) ); - p448_mul ( &L0, &a->xd, &L2 ); - L5 = p448_is_zero( &a->zd ); + struct field_t L0, L1, L2, L3; + field_mul ( &L3, &a->z0, &a->zd ); + field_sub ( &L1, &L3, &a->xd ); + field_bias ( &L1, 2 ); + IF32( field_weak_reduce( &L1 ) ); + field_mul ( &L3, &a->za, &L1 ); + field_mul ( &L2, &a->z0, &a->xd ); + field_sub ( &L1, &L2, &a->zd ); + field_bias ( &L1, 2 ); + IF32( field_weak_reduce( &L1 ) ); + field_mul ( &L0, &a->xa, &L1 ); + field_add ( &L2, &L0, &L3 ); + field_sub ( &L1, &L3, &L0 ); + field_bias ( &L1, 2 ); + IF32( field_weak_reduce( &L1 ) ); + field_mul ( &L3, &L1, &L2 ); + field_copy ( &L2, &a->z0 ); + field_addw ( &L2, 1 ); + field_sqr ( &L1, &L2 ); + field_mulw ( &L2, &L1, 1-EDWARDS_D ); + field_neg ( &L1, &L2 ); + field_add ( &L2, &a->z0, &a->z0 ); + field_bias ( &L2, 1 ); + field_add ( &L0, &L2, &L2 ); + field_add ( &L2, &L0, &L1 ); + IF32( field_weak_reduce( &L2 ) ); + field_mul ( &L0, &a->xd, &L2 ); + L5 = field_is_zero( &a->zd ); L6 = - L5; - p448_mask ( &L1, &L0, L5 ); - p448_add ( &L2, &L1, &a->zd ); + field_mask ( &L1, &L0, L5 ); + field_add ( &L2, &L1, &a->zd ); L4 = ~ L5; - p448_mul ( &L1, sbz, &L3 ); - p448_addw ( &L1, L6 ); - p448_mul ( &L3, &L2, &L1 ); - p448_mul ( &L1, &L3, &L2 ); - p448_mul ( &L2, &L3, &a->xd ); - p448_mul ( &L3, &L1, &L2 ); - p448_isr ( &L0, &L3 ); - p448_mul ( &L2, &L1, &L0 ); - p448_sqr ( &L1, &L0 ); - p448_mul ( &L0, &L3, &L1 ); - p448_mask ( b, &L2, L4 ); - p448_subw ( &L0, 1 ); - p448_bias ( &L0, 1 ); - L5 = p448_is_zero( &L0 ); - L4 = p448_is_zero( sbz ); + field_mul ( &L1, sbz, &L3 ); + field_addw ( &L1, L6 ); + field_mul ( &L3, &L2, &L1 ); + field_mul ( &L1, &L3, &L2 ); + field_mul ( &L2, &L3, &a->xd ); + field_mul ( &L3, &L1, &L2 ); + field_isr ( &L0, &L3 ); + field_mul ( &L2, &L1, &L0 ); + field_sqr ( &L1, &L0 ); + field_mul ( &L0, &L3, &L1 ); + field_mask ( b, &L2, L4 ); + field_subw ( &L0, 1 ); + field_bias ( &L0, 1 ); + L5 = field_is_zero( &L0 ); + L4 = field_is_zero( sbz ); return L5 | L4; } void serialize_extensible ( - struct p448_t* b, + struct field_t* b, const struct extensible_t* a ) { - struct p448_t L0, L1, L2; - p448_sub ( &L0, &a->y, &a->z ); - p448_bias ( &L0, 2 ); - IF32( p448_weak_reduce( &L0 ) ); - p448_add ( b, &a->z, &a->y ); - p448_mul ( &L1, &a->z, &a->x ); - p448_mul ( &L2, &L0, &L1 ); - p448_mul ( &L1, &L2, &L0 ); - p448_mul ( &L0, &L2, b ); - p448_mul ( &L2, &L1, &L0 ); - p448_isr ( &L0, &L2 ); - p448_mul ( b, &L1, &L0 ); - p448_sqr ( &L1, &L0 ); - p448_mul ( &L0, &L2, &L1 ); + struct field_t L0, L1, L2; + field_sub ( &L0, &a->y, &a->z ); + field_bias ( &L0, 2 ); + IF32( field_weak_reduce( &L0 ) ); + field_add ( b, &a->z, &a->y ); + field_mul ( &L1, &a->z, &a->x ); + field_mul ( &L2, &L0, &L1 ); + field_mul ( &L1, &L2, &L0 ); + field_mul ( &L0, &L2, b ); + field_mul ( &L2, &L1, &L0 ); + field_isr ( &L0, &L2 ); + field_mul ( b, &L1, &L0 ); + field_sqr ( &L1, &L0 ); + field_mul ( &L0, &L2, &L1 ); } void untwist_and_double_and_serialize ( - struct p448_t* b, + struct field_t* b, const struct tw_extensible_t* a ) { - struct p448_t L0, L1, L2, L3; - p448_mul ( &L3, &a->y, &a->x ); - p448_add ( b, &a->y, &a->x ); - p448_sqr ( &L1, b ); - p448_add ( &L2, &L3, &L3 ); - p448_sub ( b, &L1, &L2 ); - p448_bias ( b, 3 ); - IF32( p448_weak_reduce( b ) ); - p448_sqr ( &L2, &a->z ); - p448_sqr ( &L1, &L2 ); - p448_add ( &L2, b, b ); - p448_mulw ( b, &L2, 39082 ); - p448_neg ( &L2, b ); - p448_bias ( &L2, 2 ); - p448_mulw ( &L0, &L2, 39082 ); - p448_neg ( b, &L0 ); - p448_bias ( b, 2 ); - p448_mul ( &L0, &L2, &L1 ); - p448_mul ( &L2, b, &L0 ); - p448_isr ( &L0, &L2 ); - p448_mul ( &L1, b, &L0 ); - p448_sqr ( b, &L0 ); - p448_mul ( &L0, &L2, b ); - p448_mul ( b, &L1, &L3 ); + struct field_t L0, L1, L2, L3; + field_mul ( &L3, &a->y, &a->x ); + field_add ( b, &a->y, &a->x ); + field_sqr ( &L1, b ); + field_add ( &L2, &L3, &L3 ); + field_sub ( b, &L1, &L2 ); + field_bias ( b, 3 ); + IF32( field_weak_reduce( b ) ); + field_sqr ( &L2, &a->z ); + field_sqr ( &L1, &L2 ); + field_add ( &L2, b, b ); + field_mulw ( b, &L2, 1-EDWARDS_D ); + field_neg ( &L2, b ); + field_bias ( &L2, 2 ); + field_mulw ( &L0, &L2, 1-EDWARDS_D ); + field_neg ( b, &L0 ); + field_bias ( b, 2 ); + field_mul ( &L0, &L2, &L1 ); + field_mul ( &L2, b, &L0 ); + field_isr ( &L0, &L2 ); + field_mul ( &L1, b, &L0 ); + field_sqr ( b, &L0 ); + field_mul ( &L0, &L2, b ); + field_mul ( b, &L1, &L3 ); } void @@ -501,34 +512,34 @@ twist_even ( const struct extensible_t* a ) { mask_t L0, L1; - p448_sqr ( &b->y, &a->z ); - p448_sqr ( &b->z, &a->x ); - p448_sub ( &b->u, &b->y, &b->z ); - p448_bias ( &b->u, 2 ); - IF32( p448_weak_reduce( &b->u ) ); - p448_sub ( &b->z, &a->z, &a->x ); - p448_bias ( &b->z, 2 ); - IF32( p448_weak_reduce( &b->z ) ); - p448_mul ( &b->y, &b->z, &a->y ); - p448_sub ( &b->z, &a->z, &a->y ); - p448_bias ( &b->z, 2 ); - IF32( p448_weak_reduce( &b->z ) ); - p448_mul ( &b->x, &b->z, &b->y ); - p448_mul ( &b->t, &b->x, &b->u ); - p448_mul ( &b->y, &b->x, &b->t ); - p448_isr ( &b->t, &b->y ); - p448_mul ( &b->u, &b->x, &b->t ); - p448_sqr ( &b->x, &b->t ); - p448_mul ( &b->t, &b->y, &b->x ); - p448_mul ( &b->x, &a->x, &b->u ); - p448_mul ( &b->y, &a->y, &b->u ); - L1 = p448_is_zero( &b->z ); + field_sqr ( &b->y, &a->z ); + field_sqr ( &b->z, &a->x ); + field_sub ( &b->u, &b->y, &b->z ); + field_bias ( &b->u, 2 ); + IF32( field_weak_reduce( &b->u ) ); + field_sub ( &b->z, &a->z, &a->x ); + field_bias ( &b->z, 2 ); + IF32( field_weak_reduce( &b->z ) ); + field_mul ( &b->y, &b->z, &a->y ); + field_sub ( &b->z, &a->z, &a->y ); + field_bias ( &b->z, 2 ); + IF32( field_weak_reduce( &b->z ) ); + field_mul ( &b->x, &b->z, &b->y ); + field_mul ( &b->t, &b->x, &b->u ); + field_mul ( &b->y, &b->x, &b->t ); + field_isr ( &b->t, &b->y ); + field_mul ( &b->u, &b->x, &b->t ); + field_sqr ( &b->x, &b->t ); + field_mul ( &b->t, &b->y, &b->x ); + field_mul ( &b->x, &a->x, &b->u ); + field_mul ( &b->y, &a->y, &b->u ); + L1 = field_is_zero( &b->z ); L0 = - L1; - p448_addw ( &b->y, L0 ); - p448_weak_reduce( &b->y ); - p448_set_ui( &b->z, 1 ); - p448_copy ( &b->t, &b->x ); - p448_copy ( &b->u, &b->y ); + field_addw ( &b->y, L0 ); + field_weak_reduce( &b->y ); + field_set_ui( &b->z, 1 ); + field_copy ( &b->t, &b->x ); + field_copy ( &b->u, &b->y ); } void @@ -537,187 +548,171 @@ test_only_twist ( const struct extensible_t* a ) { mask_t L2, L3; - struct p448_t L0, L1; - p448_sqr ( &b->u, &a->z ); - p448_sqr ( &b->y, &a->x ); - p448_sub ( &b->z, &b->u, &b->y ); - p448_bias ( &b->z, 2 ); - p448_add ( &b->y, &b->z, &b->z ); - p448_add ( &b->u, &b->y, &b->y ); - IF32( p448_weak_reduce( &b->u ) ); - p448_sub ( &b->y, &a->z, &a->x ); - p448_bias ( &b->y, 2 ); - IF32( p448_weak_reduce( &b->y ) ); - p448_mul ( &b->x, &b->y, &a->y ); - p448_sub ( &b->z, &a->z, &a->y ); - p448_bias ( &b->z, 2 ); - IF32( p448_weak_reduce( &b->z ) ); - p448_mul ( &b->t, &b->z, &b->x ); - p448_mul ( &L1, &b->t, &b->u ); - p448_mul ( &b->x, &b->t, &L1 ); - p448_isr ( &L0, &b->x ); - p448_mul ( &b->u, &b->t, &L0 ); - p448_sqr ( &L1, &L0 ); - p448_mul ( &b->t, &b->x, &L1 ); - p448_add ( &L1, &a->y, &a->x ); - IF32( p448_weak_reduce( &L1 ) ); - p448_sub ( &L0, &a->x, &a->y ); - p448_bias ( &L0, 2 ); - IF32( p448_weak_reduce( &L0 ) ); - p448_mul ( &b->x, &b->t, &L0 ); - p448_add ( &L0, &b->x, &L1 ); - p448_sub ( &b->t, &L1, &b->x ); - p448_bias ( &b->t, 2 ); - IF32( p448_weak_reduce( &b->t ) ); - p448_mul ( &b->x, &L0, &b->u ); - L2 = p448_is_zero( &b->y ); + struct field_t L0, L1; + field_sqr ( &b->u, &a->z ); + field_sqr ( &b->y, &a->x ); + field_sub ( &b->z, &b->u, &b->y ); + field_bias ( &b->z, 2 ); + field_add ( &b->y, &b->z, &b->z ); + field_add ( &b->u, &b->y, &b->y ); + IF32( field_weak_reduce( &b->u ) ); + field_sub ( &b->y, &a->z, &a->x ); + field_bias ( &b->y, 2 ); + IF32( field_weak_reduce( &b->y ) ); + field_mul ( &b->x, &b->y, &a->y ); + field_sub ( &b->z, &a->z, &a->y ); + field_bias ( &b->z, 2 ); + IF32( field_weak_reduce( &b->z ) ); + field_mul ( &b->t, &b->z, &b->x ); + field_mul ( &L1, &b->t, &b->u ); + field_mul ( &b->x, &b->t, &L1 ); + field_isr ( &L0, &b->x ); + field_mul ( &b->u, &b->t, &L0 ); + field_sqr ( &L1, &L0 ); + field_mul ( &b->t, &b->x, &L1 ); + field_add ( &L1, &a->y, &a->x ); + IF32( field_weak_reduce( &L1 ) ); + field_sub ( &L0, &a->x, &a->y ); + field_bias ( &L0, 2 ); + IF32( field_weak_reduce( &L0 ) ); + field_mul ( &b->x, &b->t, &L0 ); + field_add ( &L0, &b->x, &L1 ); + field_sub ( &b->t, &L1, &b->x ); + field_bias ( &b->t, 2 ); + IF32( field_weak_reduce( &b->t ) ); + field_mul ( &b->x, &L0, &b->u ); + L2 = field_is_zero( &b->y ); L3 = - L2; - p448_addw ( &b->x, L3 ); - p448_weak_reduce( &b->x ); - p448_mul ( &b->y, &b->t, &b->u ); - L2 = p448_is_zero( &b->z ); + field_addw ( &b->x, L3 ); + field_weak_reduce( &b->x ); + field_mul ( &b->y, &b->t, &b->u ); + L2 = field_is_zero( &b->z ); L3 = - L2; - p448_addw ( &b->y, L3 ); - p448_weak_reduce( &b->y ); - L3 = p448_is_zero( &a->y ); + field_addw ( &b->y, L3 ); + field_weak_reduce( &b->y ); + L3 = field_is_zero( &a->y ); L2 = L3 + 1; - p448_set_ui( &b->z, L2 ); - p448_copy ( &b->t, &b->x ); - p448_copy ( &b->u, &b->y ); -} - -mask_t -is_square ( - const struct p448_t* x -) { - mask_t L2, L3; - struct p448_t L0, L1; - p448_isr ( &L0, x ); - p448_sqr ( &L1, &L0 ); - p448_mul ( &L0, x, &L1 ); - p448_subw ( &L0, 1 ); - p448_bias ( &L0, 1 ); - L3 = p448_is_zero( &L0 ); - L2 = p448_is_zero( x ); - return L3 | L2; + field_set_ui( &b->z, L2 ); + field_copy ( &b->t, &b->x ); + field_copy ( &b->u, &b->y ); } mask_t is_even_pt ( const struct extensible_t* a ) { - struct p448_t L0, L1, L2; - p448_sqr ( &L2, &a->z ); - p448_sqr ( &L1, &a->x ); - p448_sub ( &L0, &L2, &L1 ); - p448_bias ( &L0, 2 ); - p448_weak_reduce( &L0 ); - return is_square ( &L0 ); + struct field_t L0, L1, L2; + field_sqr ( &L2, &a->z ); + field_sqr ( &L1, &a->x ); + field_sub ( &L0, &L2, &L1 ); + field_bias ( &L0, 2 ); + field_weak_reduce( &L0 ); + return field_is_square ( &L0 ); } mask_t is_even_tw ( const struct tw_extensible_t* a ) { - struct p448_t L0, L1, L2; - p448_sqr ( &L2, &a->z ); - p448_sqr ( &L1, &a->x ); - p448_add ( &L0, &L1, &L2 ); - p448_weak_reduce( &L0 ); - return is_square ( &L0 ); + struct field_t L0, L1, L2; + field_sqr ( &L2, &a->z ); + field_sqr ( &L1, &a->x ); + field_add ( &L0, &L1, &L2 ); + field_weak_reduce( &L0 ); + return field_is_square ( &L0 ); } mask_t deserialize_affine ( struct affine_t* a, - const struct p448_t* sz -) { - struct p448_t L0, L1, L2, L3; - p448_sqr ( &L1, sz ); - p448_copy ( &L3, &L1 ); - p448_addw ( &L3, 1 ); - p448_sqr ( &a->x, &L3 ); - p448_mulw ( &L3, &a->x, 39082 ); - p448_neg ( &a->x, &L3 ); - p448_add ( &L3, &L1, &L1 ); - p448_bias ( &L3, 1 ); - p448_add ( &a->y, &L3, &L3 ); - p448_add ( &L3, &a->y, &a->x ); - IF32( p448_weak_reduce( &L3 ) ); - p448_copy ( &a->y, &L1 ); - p448_subw ( &a->y, 1 ); - p448_neg ( &a->x, &a->y ); - p448_bias ( &a->x, 2 ); - IF32( p448_weak_reduce( &a->x ) ); - p448_mul ( &a->y, &a->x, &L3 ); - p448_sqr ( &L2, &a->x ); - p448_mul ( &L0, &L2, &a->y ); - p448_mul ( &a->y, &a->x, &L0 ); - p448_isr ( &L3, &a->y ); - p448_mul ( &a->y, &L2, &L3 ); - p448_sqr ( &L2, &L3 ); - p448_mul ( &L3, &L0, &L2 ); - p448_mul ( &L0, &a->x, &L3 ); - p448_add ( &L2, &a->y, &a->y ); - p448_mul ( &a->x, sz, &L2 ); - p448_addw ( &L1, 1 ); - p448_mul ( &a->y, &L1, &L3 ); - p448_subw ( &L0, 1 ); - p448_bias ( &L0, 1 ); - return p448_is_zero( &L0 ); + const struct field_t* sz +) { + struct field_t L0, L1, L2, L3; + field_sqr ( &L1, sz ); + field_copy ( &L3, &L1 ); + field_addw ( &L3, 1 ); + field_sqr ( &L2, &L3 ); + field_mulw ( &L3, &L2, 1-EDWARDS_D ); + field_neg ( &a->x, &L3 ); + field_add ( &L3, &L1, &L1 ); + field_bias ( &L3, 1 ); + field_add ( &a->y, &L3, &L3 ); + field_add ( &L3, &a->y, &a->x ); + IF32( field_weak_reduce( &L3 ) ); + field_copy ( &a->y, &L1 ); + field_subw ( &a->y, 1 ); + field_neg ( &a->x, &a->y ); + field_bias ( &a->x, 2 ); + IF32( field_weak_reduce( &a->x ) ); + field_mul ( &a->y, &a->x, &L3 ); + field_sqr ( &L2, &a->x ); + field_mul ( &L0, &L2, &a->y ); + field_mul ( &a->y, &a->x, &L0 ); + field_isr ( &L3, &a->y ); + field_mul ( &a->y, &L2, &L3 ); + field_sqr ( &L2, &L3 ); + field_mul ( &L3, &L0, &L2 ); + field_mul ( &L0, &a->x, &L3 ); + field_add ( &L2, &a->y, &a->y ); + field_mul ( &a->x, sz, &L2 ); + field_addw ( &L1, 1 ); + field_mul ( &a->y, &L1, &L3 ); + field_subw ( &L0, 1 ); + field_bias ( &L0, 1 ); + return field_is_zero( &L0 ); } mask_t deserialize_and_twist_approx ( struct tw_extensible_t* a, - const struct p448_t* sdm1, - const struct p448_t* sz -) { - struct p448_t L0, L1; - p448_sqr ( &a->z, sz ); - p448_copy ( &a->y, &a->z ); - p448_addw ( &a->y, 1 ); - p448_sqr ( &a->x, &a->y ); - p448_mulw ( &a->y, &a->x, 39082 ); - p448_neg ( &a->x, &a->y ); - p448_add ( &a->y, &a->z, &a->z ); - p448_bias ( &a->y, 1 ); - p448_add ( &a->u, &a->y, &a->y ); - p448_add ( &a->y, &a->u, &a->x ); - IF32( p448_weak_reduce( &a->y ) ); - p448_sqr ( &a->x, &a->z ); - p448_subw ( &a->x, 1 ); - p448_neg ( &a->u, &a->x ); - p448_bias ( &a->u, 2 ); - IF32( p448_weak_reduce( &a->u ) ); - p448_mul ( &a->x, sdm1, &a->u ); - p448_mul ( &L0, &a->x, &a->y ); - p448_mul ( &a->t, &L0, &a->y ); - p448_mul ( &a->u, &a->x, &a->t ); - p448_mul ( &a->t, &a->u, &L0 ); - p448_mul ( &a->y, &a->x, &a->t ); - p448_isr ( &L0, &a->y ); - p448_mul ( &a->y, &a->u, &L0 ); - p448_sqr ( &L1, &L0 ); - p448_mul ( &a->u, &a->t, &L1 ); - p448_mul ( &a->t, &a->x, &a->u ); - p448_add ( &a->x, sz, sz ); - p448_mul ( &L0, &a->u, &a->x ); - p448_copy ( &a->x, &a->z ); - p448_subw ( &a->x, 1 ); - p448_neg ( &L1, &a->x ); - p448_bias ( &L1, 2 ); - IF32( p448_weak_reduce( &L1 ) ); - p448_mul ( &a->x, &L1, &L0 ); - p448_mul ( &L0, &a->u, &a->y ); - p448_addw ( &a->z, 1 ); - p448_mul ( &a->y, &a->z, &L0 ); - p448_subw ( &a->t, 1 ); - p448_bias ( &a->t, 1 ); - mask_t ret = p448_is_zero( &a->t ); - p448_set_ui( &a->z, 1 ); - p448_copy ( &a->t, &a->x ); - p448_copy ( &a->u, &a->y ); + const struct field_t* sdm1, + const struct field_t* sz +) { + struct field_t L0, L1; + field_sqr ( &a->z, sz ); + field_copy ( &a->y, &a->z ); + field_addw ( &a->y, 1 ); + field_sqr ( &a->x, &a->y ); + field_mulw ( &a->y, &a->x, 1-EDWARDS_D ); + field_neg ( &a->x, &a->y ); + field_add ( &a->y, &a->z, &a->z ); + field_bias ( &a->y, 1 ); + field_add ( &a->u, &a->y, &a->y ); + field_add ( &a->y, &a->u, &a->x ); + IF32( field_weak_reduce( &a->y ) ); + field_sqr ( &a->x, &a->z ); + field_subw ( &a->x, 1 ); + field_neg ( &a->u, &a->x ); + field_bias ( &a->u, 2 ); + IF32( field_weak_reduce( &a->u ) ); + field_mul ( &a->x, sdm1, &a->u ); + field_mul ( &L0, &a->x, &a->y ); + field_mul ( &a->t, &L0, &a->y ); + field_mul ( &a->u, &a->x, &a->t ); + field_mul ( &a->t, &a->u, &L0 ); + field_mul ( &a->y, &a->x, &a->t ); + field_isr ( &L0, &a->y ); + field_mul ( &a->y, &a->u, &L0 ); + field_sqr ( &L1, &L0 ); + field_mul ( &a->u, &a->t, &L1 ); + field_mul ( &a->t, &a->x, &a->u ); + field_add ( &a->x, sz, sz ); + field_mul ( &L0, &a->u, &a->x ); + field_copy ( &a->x, &a->z ); + field_subw ( &a->x, 1 ); + field_neg ( &L1, &a->x ); + field_bias ( &L1, 2 ); + IF32( field_weak_reduce( &L1 ) ); + field_mul ( &a->x, &L1, &L0 ); + field_mul ( &L0, &a->u, &a->y ); + field_addw ( &a->z, 1 ); + field_mul ( &a->y, &a->z, &L0 ); + field_subw ( &a->t, 1 ); + field_bias ( &a->t, 1 ); + mask_t ret = field_is_zero( &a->t ); + field_set_ui( &a->z, 1 ); + field_copy ( &a->t, &a->x ); + field_copy ( &a->u, &a->y ); return ret; } @@ -725,30 +720,30 @@ void set_identity_extensible ( struct extensible_t* a ) { - p448_set_ui( &a->x, 0 ); - p448_set_ui( &a->y, 1 ); - p448_set_ui( &a->z, 1 ); - p448_set_ui( &a->t, 0 ); - p448_set_ui( &a->u, 0 ); + field_set_ui( &a->x, 0 ); + field_set_ui( &a->y, 1 ); + field_set_ui( &a->z, 1 ); + field_set_ui( &a->t, 0 ); + field_set_ui( &a->u, 0 ); } void set_identity_tw_extensible ( struct tw_extensible_t* a ) { - p448_set_ui( &a->x, 0 ); - p448_set_ui( &a->y, 1 ); - p448_set_ui( &a->z, 1 ); - p448_set_ui( &a->t, 0 ); - p448_set_ui( &a->u, 0 ); + field_set_ui( &a->x, 0 ); + field_set_ui( &a->y, 1 ); + field_set_ui( &a->z, 1 ); + field_set_ui( &a->t, 0 ); + field_set_ui( &a->u, 0 ); } void set_identity_affine ( struct affine_t* a ) { - p448_set_ui( &a->x, 0 ); - p448_set_ui( &a->y, 1 ); + field_set_ui( &a->x, 0 ); + field_set_ui( &a->y, 1 ); } mask_t @@ -757,13 +752,13 @@ eq_affine ( const struct affine_t* b ) { mask_t L1, L2; - struct p448_t L0; - p448_sub ( &L0, &a->x, &b->x ); - p448_bias ( &L0, 2 ); - L2 = p448_is_zero( &L0 ); - p448_sub ( &L0, &a->y, &b->y ); - p448_bias ( &L0, 2 ); - L1 = p448_is_zero( &L0 ); + struct field_t L0; + field_sub ( &L0, &a->x, &b->x ); + field_bias ( &L0, 2 ); + L2 = field_is_zero( &L0 ); + field_sub ( &L0, &a->y, &b->y ); + field_bias ( &L0, 2 ); + L1 = field_is_zero( &L0 ); return L2 & L1; } @@ -773,17 +768,17 @@ eq_extensible ( const struct extensible_t* b ) { mask_t L3, L4; - struct p448_t L0, L1, L2; - p448_mul ( &L2, &b->z, &a->x ); - p448_mul ( &L1, &a->z, &b->x ); - p448_sub ( &L0, &L2, &L1 ); - p448_bias ( &L0, 2 ); - L4 = p448_is_zero( &L0 ); - p448_mul ( &L2, &b->z, &a->y ); - p448_mul ( &L1, &a->z, &b->y ); - p448_sub ( &L0, &L2, &L1 ); - p448_bias ( &L0, 2 ); - L3 = p448_is_zero( &L0 ); + struct field_t L0, L1, L2; + field_mul ( &L2, &b->z, &a->x ); + field_mul ( &L1, &a->z, &b->x ); + field_sub ( &L0, &L2, &L1 ); + field_bias ( &L0, 2 ); + L4 = field_is_zero( &L0 ); + field_mul ( &L2, &b->z, &a->y ); + field_mul ( &L1, &a->z, &b->y ); + field_sub ( &L0, &L2, &L1 ); + field_bias ( &L0, 2 ); + L3 = field_is_zero( &L0 ); return L4 & L3; } @@ -793,99 +788,94 @@ eq_tw_extensible ( const struct tw_extensible_t* b ) { mask_t L3, L4; - struct p448_t L0, L1, L2; - p448_mul ( &L2, &b->z, &a->x ); - p448_mul ( &L1, &a->z, &b->x ); - p448_sub ( &L0, &L2, &L1 ); - p448_bias ( &L0, 2 ); - L4 = p448_is_zero( &L0 ); - p448_mul ( &L2, &b->z, &a->y ); - p448_mul ( &L1, &a->z, &b->y ); - p448_sub ( &L0, &L2, &L1 ); - p448_bias ( &L0, 2 ); - L3 = p448_is_zero( &L0 ); + struct field_t L0, L1, L2; + field_mul ( &L2, &b->z, &a->x ); + field_mul ( &L1, &a->z, &b->x ); + field_sub ( &L0, &L2, &L1 ); + field_bias ( &L0, 2 ); + L4 = field_is_zero( &L0 ); + field_mul ( &L2, &b->z, &a->y ); + field_mul ( &L1, &a->z, &b->y ); + field_sub ( &L0, &L2, &L1 ); + field_bias ( &L0, 2 ); + L3 = field_is_zero( &L0 ); return L4 & L3; } void elligator_2s_inject ( struct affine_t* a, - const struct p448_t* r + const struct field_t* r ) { mask_t L0, L1; - struct p448_t L2, L3, L4, L5, L6, L7, L8; - p448_sqr ( &a->x, r ); - p448_sqr ( &L3, &a->x ); - p448_copy ( &a->y, &L3 ); - p448_subw ( &a->y, 1 ); - p448_neg ( &L4, &a->y ); - p448_bias ( &L4, 2 ); - IF32( p448_weak_reduce( &L4 ) ); - p448_sqr ( &L2, &L4 ); - p448_mulw ( &L7, &L2, 1527402724 ); - p448_mulw ( &L8, &L3, 6108985600 ); - p448_add ( &a->y, &L8, &L7 ); - IF32( p448_weak_reduce( &a->y ) ); - p448_mulw ( &L8, &L2, 6109454568 ); - p448_sub ( &L7, &a->y, &L8 ); - p448_bias ( &L7, 2 ); - IF32( p448_weak_reduce( &L7 ) ); - p448_mulw ( &L6, &a->y, 78160 ); - p448_mul ( &L5, &L7, &L6 ); - p448_mul ( &L8, &L5, &L4 ); - p448_mul ( &L4, &L5, &L6 ); - p448_mul ( &L5, &L7, &L8 ); - p448_mul ( &L8, &L5, &L4 ); - p448_mul ( &L4, &L7, &L8 ); - p448_isr ( &L6, &L4 ); - p448_mul ( &L4, &L5, &L6 ); - p448_sqr ( &L5, &L6 ); - p448_mul ( &L6, &L8, &L5 ); - p448_mul ( &L8, &L7, &L6 ); - p448_mul ( &L7, &L8, &L6 ); - p448_copy ( &L6, &a->x ); - p448_subw ( &L6, 1 ); - p448_addw ( &a->x, 1 ); - p448_mul ( &L5, &a->x, &L8 ); - p448_sub ( &a->x, &L6, &L5 ); - p448_bias ( &a->x, 3 ); - IF32( p448_weak_reduce( &a->x ) ); - p448_mul ( &L5, &L4, &a->x ); - p448_mulw ( &L4, &L5, 78160 ); - p448_neg ( &a->x, &L4 ); - p448_bias ( &a->x, 2 ); - p448_weak_reduce( &a->x ); - p448_add ( &L4, &L3, &L3 ); - p448_add ( &L3, &L4, &L2 ); - p448_subw ( &L3, 2 ); - p448_bias ( &L3, 1 ); - IF32( p448_weak_reduce( &L3 ) ); - p448_mul ( &L2, &L3, &L8 ); - p448_mulw ( &L3, &L2, 3054649120 ); - p448_add ( &L2, &L3, &a->y ); - p448_mul ( &a->y, &L7, &L2 ); - L1 = p448_is_zero( &L8 ); + struct field_t L2, L3, L4, L5, L6, L7, L8; + field_sqr ( &a->x, r ); + field_sqr ( &L3, &a->x ); + field_copy ( &a->y, &L3 ); + field_subw ( &a->y, 1 ); + field_neg ( &L4, &a->y ); + field_bias ( &L4, 2 ); + IF32( field_weak_reduce( &L4 ) ); + field_sqr ( &L2, &L4 ); + field_mulw ( &L7, &L2, (EDWARDS_D-1)*(EDWARDS_D-1) ); + field_mulw ( &L8, &L3, 4*(EDWARDS_D+1)*(EDWARDS_D+1) ); + field_add ( &a->y, &L8, &L7 ); + IF32( field_weak_reduce( &a->y ) ); + field_mulw ( &L8, &L2, 4*(EDWARDS_D)*(EDWARDS_D-1) ); + field_sub ( &L7, &a->y, &L8 ); + field_bias ( &L7, 2 ); + IF32( field_weak_reduce( &L7 ) ); + field_mulw_scc ( &L6, &a->y, -2-2*EDWARDS_D ); + field_mul ( &L5, &L7, &L6 ); + field_mul ( &L8, &L5, &L4 ); + field_mul ( &L4, &L5, &L6 ); + field_mul ( &L5, &L7, &L8 ); + field_mul ( &L8, &L5, &L4 ); + field_mul ( &L4, &L7, &L8 ); + field_isr ( &L6, &L4 ); + field_mul ( &L4, &L5, &L6 ); + field_sqr ( &L5, &L6 ); + field_mul ( &L6, &L8, &L5 ); + field_mul ( &L8, &L7, &L6 ); + field_mul ( &L7, &L8, &L6 ); + field_copy ( &L6, &a->x ); + field_subw ( &L6, 1 ); + field_addw ( &a->x, 1 ); + field_mul ( &L5, &a->x, &L8 ); + field_sub ( &a->x, &L6, &L5 ); + field_bias ( &a->x, 3 ); + IF32( field_weak_reduce( &a->x ) ); + field_mul ( &L5, &L4, &a->x ); + field_mulw_scc_wr ( &a->x, &L5, -2-2*EDWARDS_D ); + field_add ( &L4, &L3, &L3 ); + field_add ( &L3, &L4, &L2 ); + field_subw ( &L3, 2 ); + field_bias ( &L3, 1 ); + IF32( field_weak_reduce( &L3 ) ); + field_mul ( &L2, &L3, &L8 ); + field_mulw ( &L3, &L2, 2*(EDWARDS_D+1)*(EDWARDS_D-1) ); + field_add ( &L2, &L3, &a->y ); + field_mul ( &a->y, &L7, &L2 ); + L1 = field_is_zero( &L8 ); L0 = - L1; - p448_addw ( &a->y, L0 ); - p448_weak_reduce( &a->y ); + field_addw ( &a->y, L0 ); + field_weak_reduce( &a->y ); } mask_t validate_affine ( const struct affine_t* a ) { - struct p448_t L0, L1, L2, L3; - p448_sqr ( &L0, &a->y ); - p448_sqr ( &L2, &a->x ); - p448_add ( &L3, &L2, &L0 ); - p448_subw ( &L3, 1 ); - p448_mulw ( &L1, &L2, 39081 ); - p448_neg ( &L2, &L1 ); - p448_bias ( &L2, 2 ); - p448_mul ( &L1, &L0, &L2 ); - p448_sub ( &L0, &L3, &L1 ); - p448_bias ( &L0, 3 ); - return p448_is_zero( &L0 ); + struct field_t L0, L1, L2, L3; + field_sqr ( &L0, &a->y ); + field_sqr ( &L1, &a->x ); + field_add ( &L3, &L1, &L0 ); + field_subw ( &L3, 1 ); + field_mulw_scc ( &L2, &L1, EDWARDS_D ); + field_mul ( &L1, &L0, &L2 ); + field_sub ( &L0, &L3, &L1 ); + field_bias ( &L0, 3 ); + return field_is_zero( &L0 ); } mask_t @@ -893,41 +883,38 @@ validate_tw_extensible ( const struct tw_extensible_t* ext ) { mask_t L4, L5; - struct p448_t L0, L1, L2, L3; + struct field_t L0, L1, L2, L3; /* * Check invariant: * 0 = -x*y + z*t*u */ - p448_mul ( &L1, &ext->t, &ext->u ); - p448_mul ( &L2, &ext->z, &L1 ); - p448_addw ( &L2, 0 ); - p448_mul ( &L0, &ext->x, &ext->y ); - p448_neg ( &L1, &L0 ); - p448_add ( &L0, &L1, &L2 ); - p448_bias ( &L0, 2 ); - L5 = p448_is_zero( &L0 ); + field_mul ( &L1, &ext->t, &ext->u ); + field_mul ( &L2, &ext->z, &L1 ); + field_mul ( &L0, &ext->x, &ext->y ); + field_neg ( &L1, &L0 ); + field_add ( &L0, &L1, &L2 ); + field_bias ( &L0, 2 ); + L5 = field_is_zero( &L0 ); /* * Check invariant: * 0 = d*t^2*u^2 + x^2 - y^2 + z^2 - t^2*u^2 */ - p448_sqr ( &L2, &ext->y ); - p448_neg ( &L1, &L2 ); - p448_addw ( &L1, 0 ); - p448_sqr ( &L0, &ext->x ); - p448_add ( &L2, &L0, &L1 ); - p448_sqr ( &L3, &ext->u ); - p448_sqr ( &L0, &ext->t ); - p448_mul ( &L1, &L0, &L3 ); - p448_mulw ( &L0, &L1, 39081 ); - p448_neg ( &L3, &L0 ); - p448_add ( &L0, &L3, &L2 ); - p448_neg ( &L3, &L1 ); - p448_add ( &L2, &L3, &L0 ); - p448_sqr ( &L1, &ext->z ); - p448_add ( &L0, &L1, &L2 ); - p448_bias ( &L0, 4 ); - L4 = p448_is_zero( &L0 ); - return L5 & L4; + field_sqr ( &L2, &ext->y ); + field_neg ( &L1, &L2 ); + field_sqr ( &L0, &ext->x ); + field_add ( &L2, &L0, &L1 ); + field_sqr ( &L3, &ext->u ); + field_sqr ( &L0, &ext->t ); + field_mul ( &L1, &L0, &L3 ); + field_mulw_scc ( &L3, &L1, EDWARDS_D ); + field_add ( &L0, &L3, &L2 ); + field_neg ( &L3, &L1 ); + field_add ( &L2, &L3, &L0 ); + field_sqr ( &L1, &ext->z ); + field_add ( &L0, &L1, &L2 ); + field_bias ( &L0, 2 ); + L4 = field_is_zero( &L0 ); + return L5 & L4 &~ field_is_zero(&ext->z); } mask_t @@ -935,40 +922,35 @@ validate_extensible ( const struct extensible_t* ext ) { mask_t L4, L5; - struct p448_t L0, L1, L2, L3; + struct field_t L0, L1, L2, L3; /* * Check invariant: * 0 = d*t^2*u^2 - x^2 - y^2 + z^2 */ - p448_sqr ( &L2, &ext->y ); - p448_neg ( &L1, &L2 ); - p448_addw ( &L1, 0 ); - p448_sqr ( &L0, &ext->z ); - p448_add ( &L2, &L0, &L1 ); - p448_sqr ( &L3, &ext->u ); - p448_sqr ( &L0, &ext->t ); - p448_mul ( &L1, &L0, &L3 ); - p448_mulw ( &L3, &L1, 39081 ); - p448_neg ( &L0, &L3 ); - p448_add ( &L1, &L0, &L2 ); - p448_sqr ( &L0, &ext->x ); - p448_neg ( &L2, &L0 ); - p448_add ( &L0, &L2, &L1 ); - p448_bias ( &L0, 4 ); - L5 = p448_is_zero( &L0 ); + field_sqr ( &L2, &ext->y ); + field_neg ( &L1, &L2 ); + field_sqr ( &L0, &ext->z ); + field_add ( &L2, &L0, &L1 ); + field_sqr ( &L3, &ext->u ); + field_sqr ( &L0, &ext->t ); + field_mul ( &L1, &L0, &L3 ); + field_mulw_scc ( &L0, &L1, EDWARDS_D ); + field_add ( &L1, &L0, &L2 ); + field_sqr ( &L0, &ext->x ); + field_neg ( &L2, &L0 ); + field_add ( &L0, &L2, &L1 ); + field_bias ( &L0, 2 ); + L5 = field_is_zero( &L0 ); /* * Check invariant: * 0 = -x*y + z*t*u */ - p448_mul ( &L1, &ext->t, &ext->u ); - p448_mul ( &L2, &ext->z, &L1 ); - p448_addw ( &L2, 0 ); - p448_mul ( &L0, &ext->x, &ext->y ); - p448_neg ( &L1, &L0 ); - p448_add ( &L0, &L1, &L2 ); - p448_bias ( &L0, 2 ); - L4 = p448_is_zero( &L0 ); - return L5 & L4; + field_mul ( &L1, &ext->t, &ext->u ); + field_mul ( &L2, &ext->z, &L1 ); + field_mul ( &L0, &ext->x, &ext->y ); + field_neg ( &L1, &L0 ); + field_add ( &L0, &L1, &L2 ); + field_bias ( &L0, 2 ); + L4 = field_is_zero( &L0 ); + return L5 & L4 &~ field_is_zero(&ext->z); } - - diff --git a/src/include/ec_point.h b/src/include/ec_point.h index 456cd3d..f875450 100644 --- a/src/include/ec_point.h +++ b/src/include/ec_point.h @@ -10,7 +10,7 @@ #ifndef __CC_INCLUDED_EC_POINT_H__ #define __CC_INCLUDED_EC_POINT_H__ -#include "p448.h" +#include "field.h" #ifdef __cplusplus extern "C" { @@ -20,21 +20,21 @@ extern "C" { * Affine point on an Edwards curve. */ struct affine_t { - struct p448_t x, y; + struct field_t x, y; }; /** * Affine point on a twisted Edwards curve. */ struct tw_affine_t { - struct p448_t x, y; + struct field_t x, y; }; /** * Montgomery buffer. */ struct montgomery_t { - struct p448_t z0, xd, zd, xa, za; + struct field_t z0, xd, zd, xa, za; }; /** @@ -56,7 +56,7 @@ struct montgomery_t { * instead. */ struct extensible_t { - struct p448_t x, y, z, t, u; + struct field_t x, y, z, t, u; }; /** @@ -64,7 +64,7 @@ struct extensible_t { * suitable for accumulators. */ struct tw_extensible_t { - struct p448_t x, y, z, t, u; + struct field_t x, y, z, t, u; }; /** @@ -73,7 +73,7 @@ struct tw_extensible_t { * Good for mixed readdition; suitable for fixed tables. */ struct tw_niels_t { - struct p448_t a, b, c; + struct field_t a, b, c; }; /** @@ -83,7 +83,7 @@ struct tw_niels_t { */ struct tw_pniels_t { struct tw_niels_t n; - struct p448_t z; + struct field_t z; }; @@ -159,9 +159,21 @@ copy_tw_pniels ( * If x=0, returns 0. */ void -p448_isr ( - struct p448_t* a, - const struct p448_t* x +field_isr ( + struct field_t* a, + const struct field_t* x +); + +/** + * Batch inverts out[i] = 1/in[i] + * + * If any input is zero, all the outputs will be zero. + */ +void +field_simultaneous_invert ( + struct p448_t *__restrict__ out, + const struct p448_t *in, + unsigned int n ); /** @@ -170,9 +182,9 @@ p448_isr ( * If x=0, returns 0. */ void -p448_inverse ( - struct p448_t* a, - const struct p448_t* x +field_inverse ( + struct field_t* a, + const struct field_t* x ); /** @@ -297,14 +309,14 @@ montgomery_step ( void deserialize_montgomery ( struct montgomery_t* a, - const struct p448_t* sbz + const struct field_t* sbz ); mask_t serialize_montgomery ( - struct p448_t* b, + struct field_t* b, const struct montgomery_t* a, - const struct p448_t* sbz + const struct field_t* sbz ); /** @@ -320,7 +332,7 @@ serialize_montgomery ( */ void serialize_extensible ( - struct p448_t* b, + struct field_t* b, const struct extensible_t* a ); @@ -329,7 +341,7 @@ serialize_extensible ( */ void untwist_and_double_and_serialize ( - struct p448_t* b, + struct field_t* b, const struct tw_extensible_t* a ); @@ -368,8 +380,8 @@ test_only_twist ( ); mask_t -is_square ( - const struct p448_t* x +field_is_square ( + const struct field_t* x ); mask_t @@ -388,7 +400,7 @@ is_even_tw ( mask_t deserialize_affine ( struct affine_t* a, - const struct p448_t* sz + const struct field_t* sz ); /** @@ -401,8 +413,8 @@ deserialize_affine ( mask_t deserialize_and_twist_approx ( struct tw_extensible_t* a, - const struct p448_t* sdm1, - const struct p448_t* sz + const struct field_t* sdm1, + const struct field_t* sz ); void @@ -441,7 +453,7 @@ eq_tw_extensible ( void elligator_2s_inject ( struct affine_t* a, - const struct p448_t* r + const struct field_t* r ); mask_t @@ -475,8 +487,8 @@ copy_affine ( struct affine_t* a, const struct affine_t* ds ) { - p448_copy ( &a->x, &ds->x ); - p448_copy ( &a->y, &ds->y ); + field_copy ( &a->x, &ds->x ); + field_copy ( &a->y, &ds->y ); } void @@ -484,8 +496,8 @@ copy_tw_affine ( struct tw_affine_t* a, const struct tw_affine_t* ds ) { - p448_copy ( &a->x, &ds->x ); - p448_copy ( &a->y, &ds->y ); + field_copy ( &a->x, &ds->x ); + field_copy ( &a->y, &ds->y ); } void @@ -493,11 +505,11 @@ copy_montgomery ( struct montgomery_t* a, const struct montgomery_t* ds ) { - p448_copy ( &a->z0, &ds->z0 ); - p448_copy ( &a->xd, &ds->xd ); - p448_copy ( &a->zd, &ds->zd ); - p448_copy ( &a->xa, &ds->xa ); - p448_copy ( &a->za, &ds->za ); + field_copy ( &a->z0, &ds->z0 ); + field_copy ( &a->xd, &ds->xd ); + field_copy ( &a->zd, &ds->zd ); + field_copy ( &a->xa, &ds->xa ); + field_copy ( &a->za, &ds->za ); } void @@ -505,11 +517,11 @@ copy_extensible ( struct extensible_t* a, const struct extensible_t* ds ) { - p448_copy ( &a->x, &ds->x ); - p448_copy ( &a->y, &ds->y ); - p448_copy ( &a->z, &ds->z ); - p448_copy ( &a->t, &ds->t ); - p448_copy ( &a->u, &ds->u ); + field_copy ( &a->x, &ds->x ); + field_copy ( &a->y, &ds->y ); + field_copy ( &a->z, &ds->z ); + field_copy ( &a->t, &ds->t ); + field_copy ( &a->u, &ds->u ); } void @@ -517,11 +529,11 @@ copy_tw_extensible ( struct tw_extensible_t* a, const struct tw_extensible_t* ds ) { - p448_copy ( &a->x, &ds->x ); - p448_copy ( &a->y, &ds->y ); - p448_copy ( &a->z, &ds->z ); - p448_copy ( &a->t, &ds->t ); - p448_copy ( &a->u, &ds->u ); + field_copy ( &a->x, &ds->x ); + field_copy ( &a->y, &ds->y ); + field_copy ( &a->z, &ds->z ); + field_copy ( &a->t, &ds->t ); + field_copy ( &a->u, &ds->u ); } void @@ -529,9 +541,9 @@ copy_tw_niels ( struct tw_niels_t* a, const struct tw_niels_t* ds ) { - p448_copy ( &a->a, &ds->a ); - p448_copy ( &a->b, &ds->b ); - p448_copy ( &a->c, &ds->c ); + field_copy ( &a->a, &ds->a ); + field_copy ( &a->b, &ds->b ); + field_copy ( &a->c, &ds->c ); } void @@ -540,7 +552,7 @@ copy_tw_pniels ( const struct tw_pniels_t* ds ) { copy_tw_niels( &a->n, &ds->n ); - p448_copy ( &a->z, &ds->z ); + field_copy ( &a->z, &ds->z ); } diff --git a/src/include/field.h b/src/include/field.h index 6e1eb96..06fd93f 100644 --- a/src/include/field.h +++ b/src/include/field.h @@ -8,16 +8,32 @@ */ #ifndef __FIELD_H__ #define __FIELD_H__ -#include "magic.h" #include "p448.h" +#define FIELD_BITS 448 +#define FIELD_BYTES (1+(FIELD_BITS-1)/8) +#define FIELD_WORDS (1+(FIELD_BITS-1)/sizeof(word_t)) + +/** + * @brief For GMP tests: little-endian representation of the field modulus. + */ +extern const uint8_t FIELD_MODULUS[FIELD_BYTES]; + #define field_t p448_t #define field_mul p448_mul +#define field_sqr p448_sqr +#define field_sqrn p448_sqrn #define field_add p448_add #define field_sub p448_sub +#define field_mulw p448_mulw +#define field_addw p448_addw +#define field_subw p448_subw +#define field_neg p448_neg +#define field_set_ui p448_set_ui #define field_bias p448_bias #define field_copy p448_copy +#define field_mask p448_mask #define field_weak_reduce p448_weak_reduce #define field_strong_reduce p448_strong_reduce #define field_cond_swap p448_cond_swap @@ -26,6 +42,5 @@ #define field_deserialize p448_deserialize #define field_eq p448_eq #define field_is_zero p448_is_zero -#define simultaneous_invert simultaneous_invert_p448 /* FUTURE: consistency */ #endif /* __FIELD_H__ */ diff --git a/src/include/magic.h b/src/include/magic.h index 9246e40..70be081 100644 --- a/src/include/magic.h +++ b/src/include/magic.h @@ -17,18 +17,17 @@ /* TODO: standardize notation */ - -/** @brief The number of bits in the Goldilocks field. */ -#define GOLDI_FIELD_BITS 448 - /** @brief The number of words in the Goldilocks field. */ -#define GOLDI_FIELD_WORDS DIV_CEIL(GOLDI_FIELD_BITS,WORD_BITS) +#define GOLDI_FIELD_WORDS DIV_CEIL(FIELD_BITS,WORD_BITS) /** @brief The number of bits in the Goldilocks curve's cofactor (cofactor=4). */ #define COFACTOR_BITS 2 /** @brief The number of bits in a Goldilocks scalar. */ -#define SCALAR_BITS (GOLDI_FIELD_BITS - COFACTOR_BITS) +#define SCALAR_BITS (FIELD_BITS - COFACTOR_BITS) + +/** @brief The number of bytes in a Goldilocks scalar. */ +#define SCALAR_BYTES (1+(SCALAR_BITS)/8) /** @brief The number of words in the Goldilocks field. */ #define SCALAR_WORDS WORDS_FOR_BITS(SCALAR_BITS) @@ -36,7 +35,12 @@ /** * @brief sqrt(d-1), used for point formats and twisting. */ -extern const struct p448_t sqrt_d_minus_1; +extern const struct field_t sqrt_d_minus_1; + +/** + * @brief The Edwards "d" term for this curve. + */ +static const int64_t EDWARDS_D = -39081; /** * @brief The base point for Goldilocks. diff --git a/src/magic.c b/src/magic.c index 4778d97..5157e14 100644 --- a/src/magic.c +++ b/src/magic.c @@ -6,7 +6,14 @@ #include "magic.h" #include "barrett_field.h" -/* FUTURE: automatically generate this file. */ +/* FUTURE: automatically generate this file? */ + +const uint8_t FIELD_MODULUS[FIELD_BYTES] = { + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +/*!*/ 0xfe, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF +}; const word_t SCALARMUL_FIXED_WINDOW_ADJUSTMENT[2*SCALAR_WORDS] = { U64LE(0xebec9967f5d3f5c2), diff --git a/src/scalarmul.c b/src/scalarmul.c index 7427e18..ea9cded 100644 --- a/src/scalarmul.c +++ b/src/scalarmul.c @@ -570,7 +570,7 @@ precompute_fixed_base ( } } - simultaneous_invert(zis, zs, n<<(t-1)); + field_simultaneous_invert(zis, zs, n<<(t-1)); field_t product; for (i=0; i #include -#include "p448.h" +#include "field.h" #include "ec_point.h" #include "scalarmul.h" #include "barrett_field.h" @@ -29,19 +29,19 @@ static double now(void) { return tv.tv_sec + tv.tv_usec/1000000.0; } -static void p448_randomize( struct crandom_state_t *crand, struct p448_t *a ) { +static void field_randomize( struct crandom_state_t *crand, struct field_t *a ) { crandom_generate(crand, (unsigned char *)a, sizeof(*a)); - p448_strong_reduce(a); + field_strong_reduce(a); } -static void q448_randomize( struct crandom_state_t *crand, word_t sk[448/WORD_BITS] ) { - crandom_generate(crand, (unsigned char *)sk, 448/8); +static void q448_randomize( struct crandom_state_t *crand, word_t sk[SCALAR_WORDS] ) { + crandom_generate(crand, (unsigned char *)sk, SCALAR_BYTES); } -static void p448_print( const char *descr, const struct p448_t *a ) { - p448_t b; - p448_copy(&b, a); - p448_strong_reduce(&b); +static void field_print( const char *descr, const struct field_t *a ) { + field_t b; + field_copy(&b, a); + field_strong_reduce(&b); int j; printf("%s = 0x", descr); for (j=sizeof(*a)/sizeof(a->limb[0])-1; j>=0; j--) { @@ -51,9 +51,9 @@ static void p448_print( const char *descr, const struct p448_t *a ) { } static void __attribute__((unused)) -p448_print_full ( +field_print_full ( const char *descr, - const struct p448_t *a + const struct field_t *a ) { int j; printf("%s = 0x", descr); @@ -64,10 +64,10 @@ p448_print_full ( printf("\n"); } -static void q448_print( const char *descr, const word_t secret[448/WORD_BITS] ) { +static void q448_print( const char *descr, const word_t secret[SCALAR_WORDS] ) { int j; printf("%s = 0x", descr); - for (j=448/WORD_BITS-1; j>=0; j--) { + for (j=SCALAR_WORDS-1; j>=0; j--) { printf(PRIxWORDfull, secret[j]); } printf("\n"); @@ -87,7 +87,7 @@ int main(int argc, char **argv) { struct tw_pniels_t pniels; struct affine_t affine; struct montgomery_t mb; - struct p448_t a,b,c,d; + struct field_t a,b,c,d; double when; @@ -104,41 +104,41 @@ int main(int argc, char **argv) { ignore_result(crandom_init_from_file(&crand, "/dev/urandom", 10000, 1)); */ - word_t sk[448/WORD_BITS],tk[448/WORD_BITS]; + word_t sk[SCALAR_WORDS],tk[SCALAR_WORDS]; q448_randomize(&crand, sk); when = now(); for (i=0; i=0; j--) { + for (j=FIELD_WORDS - 1; j>=0; j--) { printf(PRIxWORD58, b.limb[LIMBPERM(j)]); } printf("\n"); diff --git a/test/test.h b/test/test.h index e41f578..b491f0e 100644 --- a/test/test.h +++ b/test/test.h @@ -2,7 +2,7 @@ #define __GOLDILOCKS_TEST_H__ 1 #include "word.h" -#include "p448.h" +#include "field.h" int hexdecode ( @@ -18,9 +18,9 @@ hexprint ( unsigned int nbytes ); -void p448_print ( +void field_print ( const char *descr, - const struct p448_t *a + const struct field_t *a ); void scalar_print ( diff --git a/test/test_arithmetic.c b/test/test_arithmetic.c index b2064c2..a956c03 100644 --- a/test/test_arithmetic.c +++ b/test/test_arithmetic.c @@ -1,63 +1,63 @@ -#include "p448.h" +#include "field.h" #include "test.h" #include #include #include -mpz_t mp_p448; +mpz_t mp_field; -static mask_t mpz_to_p448 ( - struct p448_t *out, +static mask_t mpz_to_field ( + struct field_t *out, const mpz_t in ) { - uint8_t ser[56]; + uint8_t ser[FIELD_BYTES]; mpz_t modded; memset(ser,0,sizeof(ser)); mpz_init(modded); - mpz_mod(modded, in, mp_p448); + mpz_mod(modded, in, mp_field); mpz_export(ser, NULL, -1, 1, -1, 0, modded); - mask_t succ = p448_deserialize(out, ser); + mask_t succ = field_deserialize(out, ser); return succ; } -static mask_t p448_assert_eq_gmp( +static mask_t field_assert_eq_gmp( const char *descr, - const struct p448_t *x, + const struct field_t *x, const mpz_t y, float lowBound, float highBound ) { - uint8_t xser[56], yser[56]; + uint8_t xser[FIELD_BYTES], yser[FIELD_BYTES]; mpz_t modded; memset(yser,0,sizeof(yser)); - p448_serialize(xser, x); + field_serialize(xser, x); mpz_init(modded); - mpz_mod(modded, y, mp_p448); + mpz_mod(modded, y, mp_field); mpz_export(yser, NULL, -1, 1, -1, 0, modded); unsigned int i; for (i=0; ilimb[0]); i++) { - int bits = sizeof(x->limb[0]) * 448 / sizeof(*x); + int radix_bits = sizeof(x->limb[0]) * 448 / sizeof(*x); word_t yardstick = (i==sizeof(*x)/sizeof(x->limb[0])/2) ? - (1ull<limb[i] < yardstick * lowBound || x->limb[i] > yardstick * highBound) { youfail(); - printf(" P448 limb %d -> " PRIxWORDfull " is out of bounds (%0.2f, %0.2f) for test %s (yardstick = " PRIxWORDfull ")\n", + printf(" Limb %d -> " PRIxWORDfull " is out of bounds (%0.2f, %0.2f) for test %s (yardstick = " PRIxWORDfull ")\n", i, x->limb[i], lowBound, highBound, descr, yardstick); break; } } - if (memcmp(xser,yser,56)) { + if (memcmp(xser,yser,FIELD_BYTES)) { youfail(); printf(" Failed arithmetic test %s\n", descr); - p448_print(" p448", x); - printf(" gmp = 0x"); + field_print(" goldi", x); + printf(" gmp = 0x"); int j; - for (j=55; j>=0; j--) { + for (j=FIELD_BYTES-1; j>=0; j--) { printf("%02x", yser[j]); } printf("\n"); @@ -73,36 +73,36 @@ static mask_t test_add_sub ( const mpz_t y, word_t word ) { - struct p448_t xx,yy,tt; + struct field_t xx,yy,tt; mpz_t t; mask_t succ = MASK_SUCCESS; - succ = mpz_to_p448(&xx,x); - succ &= mpz_to_p448(&yy,y); + succ = mpz_to_field(&xx,x); + succ &= mpz_to_field(&yy,y); mpz_init(t); - p448_add(&tt,&xx,&yy); + field_add(&tt,&xx,&yy); mpz_add(t,x,y); - succ &= p448_assert_eq_gmp("add",&tt,t,0,2.1); + succ &= field_assert_eq_gmp("add",&tt,t,0,2.1); - p448_sub(&tt,&xx,&yy); - p448_bias(&tt,2); + field_sub(&tt,&xx,&yy); + field_bias(&tt,2); mpz_sub(t,x,y); - succ &= p448_assert_eq_gmp("sub",&tt,t,0,3.1); + succ &= field_assert_eq_gmp("sub",&tt,t,0,3.1); - p448_copy(&tt,&xx); - p448_addw(&tt,word); + field_copy(&tt,&xx); + field_addw(&tt,word); mpz_add_ui(t,x,word); - succ &= p448_assert_eq_gmp("addw",&tt,t,0,2.1); + succ &= field_assert_eq_gmp("addw",&tt,t,0,2.1); - p448_copy(&tt,&xx); - p448_subw(&tt,word); - p448_bias(&tt,1); + field_copy(&tt,&xx); + field_subw(&tt,word); + field_bias(&tt,1); mpz_sub_ui(t,x,word); - succ &= p448_assert_eq_gmp("subw",&tt,t,0,2.1); + succ &= field_assert_eq_gmp("subw",&tt,t,0,2.1); if (!succ) { - p448_print(" x", &xx); - p448_print(" y", &yy); + field_print(" x", &xx); + field_print(" y", &yy); } mpz_clear(t); @@ -115,32 +115,32 @@ static mask_t test_mul_sqr ( const mpz_t y, word_t word ) { - struct p448_t xx,yy,tt; + struct field_t xx,yy,tt; mpz_t t; mask_t succ = MASK_SUCCESS; - succ = mpz_to_p448(&xx,x); - succ &= mpz_to_p448(&yy,y); + succ = mpz_to_field(&xx,x); + succ &= mpz_to_field(&yy,y); mpz_init(t); - p448_mul(&tt,&xx,&yy); + field_mul(&tt,&xx,&yy); mpz_mul(t,x,y); - succ &= p448_assert_eq_gmp("mul",&tt,t,0,1.1); + succ &= field_assert_eq_gmp("mul",&tt,t,0,1.1); - p448_mulw(&tt,&xx,word); + field_mulw(&tt,&xx,word); mpz_mul_ui(t,x,word); - succ &= p448_assert_eq_gmp("mulw",&tt,t,0,1.1); + succ &= field_assert_eq_gmp("mulw",&tt,t,0,1.1); - p448_sqr(&tt,&xx); + field_sqr(&tt,&xx); mpz_mul(t,x,x); - succ &= p448_assert_eq_gmp("sqrx",&tt,t,0,1.1); + succ &= field_assert_eq_gmp("sqrx",&tt,t,0,1.1); - p448_sqr(&tt,&yy); + field_sqr(&tt,&yy); mpz_mul(t,y,y); - succ &= p448_assert_eq_gmp("sqy",&tt,t,0,1.1); + succ &= field_assert_eq_gmp("sqy",&tt,t,0,1.1); if (!succ) { - p448_print(" x", &xx); - p448_print(" y", &yy); + field_print(" x", &xx); + field_print(" y", &yy); } mpz_clear(t); @@ -153,13 +153,8 @@ int test_arithmetic (void) { gmp_randstate_t state; gmp_randinit_mt(state); - - uint8_t pser[56]; - for (j=0; j<56; j++) { - pser[j] = (j==28) ? 0xFE : 0xFF; - } - mpz_init(mp_p448); - mpz_import(mp_p448, 56, -1, 1, -1, 0, pser); + mpz_init(mp_field); + mpz_import(mp_field, FIELD_BYTES, -1, 1, -1, 0, FIELD_MODULUS); mpz_t x,y; mpz_init(x); @@ -167,23 +162,23 @@ int test_arithmetic (void) { mask_t succ = MASK_SUCCESS; - int bits = sizeof(word_t) * 448 / sizeof(p448_t); + int radix_bits = sizeof(word_t) * FIELD_BITS / sizeof(field_t); for (j=0; j #include "ec_point.h" -#include "p448.h" +#include "field.h" #include "crandom.h" @@ -11,15 +11,15 @@ static void failprint_ext ( const struct extensible_t *a ) { - struct p448_t zi, scaled; - p448_print(" x", &a->x); - p448_print(" y", &a->y); - p448_print(" z", &a->z); - p448_inverse(&zi, &a->z); - p448_mul(&scaled, &zi, &a->x); - p448_print(" X", &scaled); - p448_mul(&scaled, &zi, &a->y); - p448_print(" Y", &scaled); + struct field_t zi, scaled; + field_print(" x", &a->x); + field_print(" y", &a->y); + field_print(" z", &a->z); + field_inverse(&zi, &a->z); + field_mul(&scaled, &zi, &a->x); + field_print(" X", &scaled); + field_mul(&scaled, &zi, &a->y); + field_print(" Y", &scaled); printf("\n"); } @@ -164,10 +164,10 @@ add_double_test ( if (~succ) { printf(" Bases were:\n"); - p448_print(" x1", &base1->x); - p448_print(" y1", &base1->y); - p448_print(" x2", &base2->x); - p448_print(" y2", &base2->y); + field_print(" x1", &base1->x); + field_print(" y1", &base1->y); + field_print(" x2", &base2->x); + field_print(" y2", &base2->y); } return succ ? 0 : -1; @@ -210,18 +210,18 @@ single_twisting_test ( succ = 0; } /* FUTURE: quadness */ - p448_t sera,serb; + field_t sera,serb; untwist_and_double_and_serialize(&sera,&text); copy_extensible(&tmpext,&exb); double_extensible(&tmpext); serialize_extensible(&serb,&tmpext); /* check that their (doubled; FUTURE?) serializations are equal */ - if (~p448_eq(&sera,&serb)) { + if (~field_eq(&sera,&serb)) { youfail(); printf(" Different serialization from twist + double ()\n"); - p448_print(" t", &sera); - p448_print(" b", &serb); + field_print(" t", &sera); + field_print(" b", &serb); succ = 0; } @@ -241,8 +241,8 @@ single_twisting_test ( if (~succ) { printf(" Base was:\n"); - p448_print(" x", &base->x); - p448_print(" y", &base->y); + field_print(" x", &base->x); + field_print(" y", &base->y); } @@ -251,28 +251,28 @@ single_twisting_test ( int test_pointops (void) { struct affine_t base, pbase; - struct p448_t ser448; + struct field_t serf; struct crandom_state_t crand; crandom_init_from_buffer(&crand, "test_pointops random initializer"); int i, ret; for (i=0; i<1000; i++) { - uint8_t ser[56]; + uint8_t ser[FIELD_BYTES]; crandom_generate(&crand, ser, sizeof(ser)); - /* TODO: we need a p448 generate, which can return random or pathological. */ - mask_t succ = p448_deserialize(&ser448, ser); + /* TODO: we need a field generate, which can return random or pathological. */ + mask_t succ = field_deserialize(&serf, ser); if (!succ) { youfail(); - printf(" Unlikely: fail at p448_deserialize\n"); + printf(" Unlikely: fail at field_deserialize\n"); return -1; } if (i) { copy_affine(&pbase, &base); } - elligator_2s_inject(&base, &ser448); + elligator_2s_inject(&base, &serf); if (i) { ret = add_double_test(&base, &pbase); diff --git a/test/test_scalarmul.c b/test/test_scalarmul.c index 661a1d7..82989b9 100644 --- a/test/test_scalarmul.c +++ b/test/test_scalarmul.c @@ -4,18 +4,20 @@ #include "scalarmul.h" #include "ec_point.h" -#include "p448.h" +#include "field.h" #include "crandom.h" +#define STRIDE 7 + /* 0 = succeed, 1 = inval, -1 = fail */ static int single_scalarmul_compatibility_test ( - const struct p448_t *base, + const struct field_t *base, const word_t *scalar, int nbits ) { struct tw_extensible_t text, work; - struct p448_t mont, ct, vl, vt; + struct field_t mont, ct, vl, vt; int ret = 0, i; mask_t succ, succm; @@ -29,7 +31,7 @@ single_scalarmul_compatibility_test ( printf(" Deserialize_and_twist_approx succ=%d, montgomery_ladder succ=%d\n", (int)-succ, (int)-succm); printf(" nbits = %d\n", nbits); - p448_print(" base", base); + field_print(" base", base); scalar_print(" scal", scalar, (nbits+WORD_BITS-1)/WORD_BITS); return -1; } @@ -38,10 +40,11 @@ single_scalarmul_compatibility_test ( return 1; } - struct { int n,t,s; } params[] = {{5,5,18},{3,5,30},{4,4,28},{1,2,224}}; + struct { int n,t,s; } params[] = {{5,5,18},{3,5,30},{4,4,28},{1,2,224}}; // FIELD_MAGIC const int nparams = sizeof(params)/sizeof(params[0]); struct fixed_base_table_t fbt; - struct p448_t fbout[nparams], wout[6]; + const int nsizes = 6; + struct field_t fbout[nparams], wout[nsizes]; memset(&fbt, 0, sizeof(fbt)); memset(&fbout, 0, sizeof(fbout)); memset(&wout, 0, sizeof(wout)); @@ -68,7 +71,7 @@ single_scalarmul_compatibility_test ( } /* compute using precomp wNAF */ - for (i=0; i<=5; i++) { + for (i=0; i