jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

wipe out the multiple layers of rename between decaf_fast and field. still some serious HACKs in the include prio to avoid multiple definition of struct gf

master
Michael Hamburg 9 years ago
parent
b6c12d7e38
commit
5af980b85a
18 changed files with 748 additions and 465 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +39
    -92
      src/decaf_fast.c
  2. +24
    -26
      src/decaf_gen_tables.c
  3. +54
    -44
      src/include/field.h
  4. +20
    -20
      src/p25519/arch_ref64/p25519.c
  5. +53
    -53
      src/p25519/arch_ref64/p25519.h
  6. +20
    -20
      src/p25519/arch_x86_64/p25519.c
  7. +54
    -51
      src/p25519/arch_x86_64/p25519.h
  8. +0
    -1
      src/p25519/arch_x86_64/x86-64-arith.h
  9. +323
    -0
      src/p25519/arch_x86_64/x86-64-arith.h
  10. +14
    -14
      src/p25519/f_arithmetic.c
  11. +16
    -15
      src/p25519/f_field.h
  12. +28
    -28
      src/p448/f_arithmetic.c
  13. +14
    -14
      src/p448/f_field.h
  14. +28
    -28
      src/p480/f_arithmetic.c
  15. +14
    -14
      src/p480/f_field.h
  16. +28
    -28
      src/p521/f_arithmetic.c
  17. +14
    -14
      src/p521/f_field.h
  18. +5
    -3
      src/public_include/decaf/decaf_255.h

+ 39
- 92
src/decaf_fast.c View File

@@ -27,8 +27,6 @@
#define point_t decaf_255_point_t
#define precomputed_s decaf_255_precomputed_s
#define SER_BYTES DECAF_255_SER_BYTES
#define gf_s gf_255_s
#define gf gf_255_t

#if WBITS == 64
typedef __int128_t decaf_sdword_t;
@@ -72,7 +70,7 @@ typedef struct { niels_t n; gf z; } __attribute__((aligned(32))) pniels_s, pniel
/* Precomputed base */
struct precomputed_s { niels_t table [DECAF_COMBS_N<<(DECAF_COMBS_T-1)]; };

extern const field_t API_NS(precomputed_base_as_fe)[];
extern const gf API_NS(precomputed_base_as_fe)[];
const precomputed_s *API_NS(precomputed_base) =
(const precomputed_s *) &API_NS(precomputed_base_as_fe);

@@ -95,52 +93,6 @@ const size_t API_NS2(alignof,precomputed_s) = 32;
/** Copy x = y */
siv gf_cpy(gf x, const gf y) { x[0] = y[0]; }

/** Mostly-unoptimized multiply, but at least it's unrolled. */
siv gf_mul (gf c, const gf a, const gf b) {
field_mul((field_t *)c, (const field_t *)a, (const field_t *)b);
}

/** Dedicated square */
siv gf_sqr (gf c, const gf a) {
field_sqr((field_t *)c, (const field_t *)a);
}

/** Add mod p. Conservatively always weak-reduce. */
snv gf_add ( gf_s *__restrict__ c, const gf a, const gf b ) {
field_add((field_t *)c, (const field_t *)a, (const field_t *)b);
}

/** Subtract mod p. Conservatively always weak-reduce. */
snv gf_sub ( gf c, const gf a, const gf b ) {
field_sub((field_t *)c, (const field_t *)a, (const field_t *)b);
}

/** Add mod p. Conservatively always weak-reduce.) */
siv gf_bias ( gf c, int amt) {
field_bias((field_t *)c, amt);
}

/** Subtract mod p. Bias by 2 and don't reduce */
siv gf_sub_nr ( gf_s *__restrict__ c, const gf a, const gf b ) {
// FOR_LIMB_U(i, c->limb[i] = a->limb[i] - b->limb[i] + 2*P->limb[i] );
field_sub_nr((field_t *)c, (const field_t *)a, (const field_t *)b);
gf_bias(c, 2);
if (WBITS==32) field_weak_reduce((field_t*) c); // HACK
}

/** Subtract mod p. Bias by amt but don't reduce. */
siv gf_sub_nr_x ( gf c, const gf a, const gf b, int amt ) {
field_sub_nr((field_t *)c, (const field_t *)a, (const field_t *)b);
gf_bias(c, amt);
if (WBITS==32) field_weak_reduce((field_t*) c); // HACK
}

/** Add mod p. Don't reduce. */
siv gf_add_nr ( gf c, const gf a, const gf b ) {
// FOR_LIMB_U(i, c->limb[i] = a->limb[i] + b->limb[i]);
field_add_nr((field_t *)c, (const field_t *)a, (const field_t *)b);
}

/** Constant time, x = is_z ? z : y */
siv cond_sel(gf x, const gf y, const gf z, decaf_bool_t is_z) {
constant_time_select(x,z,y,sizeof(gf),is_z);
@@ -162,29 +114,11 @@ siv cond_swap(gf x, gf_s *__restrict__ y, decaf_bool_t swap) {
});
}

/**
* Mul by signed int. Not constant-time WRT the sign of that int.
* Just uses a full mul (PERF)
*/
siv gf_mlw(gf c, const gf a, int w) {
if (w>0) {
field_mulw((field_t *)c, (const field_t *)a, w);
} else {
field_mulw((field_t *)c, (const field_t *)a, -w);
gf_sub(c,ZERO,c);
}
}

/** Canonicalize */
siv gf_canon ( gf a ) {
field_strong_reduce((field_t *)a);
}

/** Compare a==b */
static decaf_word_t __attribute__((noinline)) gf_eq(const gf a, const gf b) {
gf c;
gf_sub(c,a,b);
gf_canon(c);
gf_strong_reduce(c);
decaf_word_t ret=0;
FOR_LIMB(i, ret |= c->limb[i] );
/* Hope the compiler is too dumb to optimize this, thus noinline */
@@ -194,7 +128,7 @@ static decaf_word_t __attribute__((noinline)) gf_eq(const gf a, const gf b) {
/** Inverse square root using addition chain. */
static decaf_bool_t gf_isqrt_chk(gf y, const gf x, decaf_bool_t allow_zero) {
gf tmp0, tmp1;
field_isr((field_t *)y, (const field_t *)x);
gf_isr((gf_s *)y, (const gf_s *)x);
gf_sqr(tmp0,y);
gf_mul(tmp1,tmp0,x);
return gf_eq(tmp1,ONE) | (allow_zero & gf_eq(tmp1,ZERO));
@@ -211,11 +145,24 @@ sv gf_invert(gf y, const gf x) {
gf_cpy(y, t2);
}

/**
* Mul by signed int. Not constant-time WRT the sign of that int.
* Just uses a full mul (PERF)
*/
static inline void gf_mulw_sgn(gf c, const gf a, int w) {
if (w>0) {
gf_mulw(c, a, w);
} else {
gf_mulw(c, a, -w);
gf_sub(c,ZERO,c);
}
}

/** Return high bit of x = low bit of 2x mod p */
static decaf_word_t hibit(const gf x) {
gf y;
gf_add(y,x,x);
gf_canon(y);
gf_strong_reduce(y);
return -(y->limb[0]&1);
}

@@ -223,7 +170,7 @@ static decaf_word_t hibit(const gf x) {
static decaf_word_t lobit(const gf x) {
gf y;
gf_cpy(y,x);
gf_canon(y);
gf_strong_reduce(y);
return -(y->limb[0]&1);
}

@@ -454,7 +401,7 @@ decaf_bool_t API_NS(scalar_eq) (
const point_t API_NS(point_identity) = {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}};

static void gf_encode ( unsigned char ser[SER_BYTES], gf a ) {
field_serialize(ser, (field_t *)a);
gf_serialize(ser, (gf_s *)a);
}
extern const gf SQRT_MINUS_ONE, SQRT_ONE_MINUS_D; /* Intern this? */
@@ -528,7 +475,7 @@ void API_NS(point_encode)( unsigned char ser[SER_BYTES], const point_t p ) {
* Deserialize a bool, return TRUE if < p.
*/
static decaf_bool_t gf_deser(gf s, const unsigned char ser[SER_BYTES]) {
return field_deserialize((field_t *)s, ser);
return gf_deserialize((gf_s *)s, ser);
}
decaf_bool_t API_NS(point_decode) (
@@ -544,7 +491,7 @@ decaf_bool_t API_NS(point_decode) (
gf_sub ( f, ONE, a ); /* f = 1-s^2 = 1-as^2 since a=1 */
succ &= ~ gf_eq( f, ZERO );
gf_sqr ( b, f );
gf_mlw ( c, a, 4-4*EDWARDS_D );
gf_mulw_sgn ( c, a, 4-4*EDWARDS_D );
gf_add ( c, c, b ); /* t^2 */
gf_mul ( d, f, s ); /* s(1-s^2) for denoms */
gf_sqr ( e, d );
@@ -596,7 +543,7 @@ void API_NS(point_sub) (
gf_add_nr ( b, q->y, q->x );
gf_mul ( p->y, d, b );
gf_mul ( b, r->t, q->t );
gf_mlw ( p->x, b, -2*EDWARDS_D );
gf_mulw_sgn ( p->x, b, -2*EDWARDS_D );
gf_add_nr ( b, a, p->y );
gf_sub_nr ( c, p->y, a );
gf_mul ( a, q->z, r->z );
@@ -622,7 +569,7 @@ void API_NS(point_add) (
gf_add_nr ( b, q->y, q->x );
gf_mul ( p->y, d, b );
gf_mul ( b, r->t, q->t );
gf_mlw ( p->x, b, -2*EDWARDS_D );
gf_mulw_sgn ( p->x, b, -2*EDWARDS_D );
gf_add_nr ( b, a, p->y );
gf_sub_nr ( c, p->y, a );
gf_mul ( a, q->z, r->z );
@@ -646,11 +593,11 @@ snv point_double_internal (
gf_add_nr ( d, c, a );
gf_add_nr ( p->t, q->y, q->x );
gf_sqr ( b, p->t );
gf_sub_nr_x ( b, b, d, 3 );
gf_subx_nr ( b, b, d, 3 );
gf_sub_nr ( p->t, a, c );
gf_sqr ( p->x, q->z );
gf_add_nr ( p->z, p->x, p->x );
gf_sub_nr_x ( a, p->z, p->t, 4 );
gf_subx_nr ( a, p->z, p->t, 4 );
gf_mul ( p->x, a, b );
gf_mul ( p->z, p->t, a );
gf_mul ( p->y, p->t, d );
@@ -777,7 +724,7 @@ static void pt_to_pniels (
) {
gf_sub ( b->n->a, a->y, a->x );
gf_add ( b->n->b, a->x, a->y );
gf_mlw ( b->n->c, a->t, -2*EDWARDS_D );
gf_mulw_sgn ( b->n->c, a->t, -2*EDWARDS_D );
gf_add ( b->z, a->z, a->z );
}

@@ -1047,12 +994,12 @@ void API_NS(point_from_hash_nonuniform) (
// TODO: simplify since we don't return a hint anymore
gf r0,r,a,b,c,dee,D,N,rN,e;
gf_deser(r0,ser);
gf_canon(r0);
gf_strong_reduce(r0);
gf_sqr(a,r0);
//gf_sub(r,ZERO,a); /*gf_mlw(r,a,QUADRATIC_NONRESIDUE);*/
//gf_sub(r,ZERO,a); /*gf_mulw_sgn(r,a,QUADRATIC_NONRESIDUE);*/
gf_mul(r,a,SQRT_MINUS_ONE);
gf_mlw(dee,ONE,EDWARDS_D);
gf_mlw(c,r,EDWARDS_D);
gf_mulw_sgn(dee,ONE,EDWARDS_D);
gf_mulw_sgn(c,r,EDWARDS_D);
/* Compute D := (dr+a-d)(dr-ar-d) with a=1 */
gf_sub(a,c,dee);
@@ -1064,7 +1011,7 @@ void API_NS(point_from_hash_nonuniform) (
/* compute N := (r+1)(a-2d) */
gf_add(a,r,ONE);
gf_mlw(N,a,1-2*EDWARDS_D);
gf_mulw_sgn(N,a,1-2*EDWARDS_D);
/* e = +-1/sqrt(+-ND) */
gf_mul(rN,r,N);
@@ -1078,8 +1025,8 @@ void API_NS(point_from_hash_nonuniform) (
/* b <- t/s */
cond_sel(c,r0,r,square); /* r? = sqr ? r : 1 */
/* In two steps to avoid overflow on 32-bit arch */
gf_mlw(a,c,1-2*EDWARDS_D);
gf_mlw(b,a,1-2*EDWARDS_D);
gf_mulw_sgn(a,c,1-2*EDWARDS_D);
gf_mulw_sgn(b,a,1-2*EDWARDS_D);
gf_sub(c,r,ONE);
gf_mul(a,b,c); /* = r? * (r-1) * (a-2d)^2 with a=1 */
gf_mul(b,a,e);
@@ -1148,7 +1095,7 @@ API_NS(invert_elligator_nonuniform) (
cond_sel(b,b,ZERO,is_identity & ~sgn_t_over_s & ~sgn_s); /* identity adjust */
}
gf_mlw(d,c,2*EDWARDS_D-1); /* $d = (2d-a)s^2 */
gf_mulw_sgn(d,c,2*EDWARDS_D-1); /* $d = (2d-a)s^2 */
gf_add(a,d,b); /* num? */
gf_sub(d,d,b); /* den? */
gf_mul(b,a,d); /* n*d */
@@ -1199,7 +1146,7 @@ decaf_bool_t API_NS(point_valid) (
gf_sqr(b,p->y);
gf_sub(a,b,a);
gf_sqr(b,p->t);
gf_mlw(c,b,-EDWARDS_D);
gf_mulw_sgn(c,b,-EDWARDS_D);
gf_sqr(b,p->z);
gf_add(b,b,c);
out &= gf_eq(a,b);
@@ -1281,15 +1228,15 @@ static void batch_normalize_niels (

for (i=0; i<n; i++) {
gf_mul(product, table[i]->a, zis[i]);
gf_canon(product);
gf_strong_reduce(product);
gf_cpy(table[i]->a, product);
gf_mul(product, table[i]->b, zis[i]);
gf_canon(product);
gf_strong_reduce(product);
gf_cpy(table[i]->b, product);
gf_mul(product, table[i]->c, zis[i]);
gf_canon(product);
gf_strong_reduce(product);
gf_cpy(table[i]->c, product);
}
}
@@ -1510,7 +1457,7 @@ sv prepare_wnaf_table(
}
}

extern const field_t API_NS(precomputed_wnaf_as_fe)[];
extern const gf API_NS(precomputed_wnaf_as_fe)[];
static const niels_t *API_NS(wnaf_base) = (const niels_t *)API_NS(precomputed_wnaf_as_fe);
const size_t API_NS2(sizeof,precomputed_wnafs) __attribute((visibility("hidden")))
= sizeof(niels_t)<<DECAF_WNAF_FIXED_TABLE_BITS;


+ 24
- 26
src/decaf_gen_tables.c View File

@@ -19,7 +19,7 @@
#define API_NS2(_pref,_id) _pref##_decaf_255_##_id

/* To satisfy linker. */
const field_t API_NS(precomputed_base_as_fe)[1];
const gf API_NS(precomputed_base_as_fe)[1];
const API_NS(scalar_t) API_NS(precomputed_scalarmul_adjustment);
const API_NS(scalar_t) API_NS(point_scalarmul_adjustment);
const API_NS(scalar_t) sc_r2 = {{{0}}};
@@ -29,7 +29,7 @@ const unsigned char base_point_ser_for_pregen[DECAF_255_SER_BYTES];
const API_NS(point_t) API_NS(point_base);

struct niels_s;
const field_t *API_NS(precomputed_wnaf_as_fe);
const gf_s *API_NS(precomputed_wnaf_as_fe);
extern const size_t API_NS2(sizeof,precomputed_wnafs);

void API_NS(precompute_wnafs) (
@@ -48,26 +48,26 @@ static void scalar_print(const char *name, const API_NS(scalar_t) sc) {
printf("}}};\n\n");
}

static void field_print(const field_t *f) {
const int FIELD_SER_BYTES = (FIELD_BITS + 7) / 8;
unsigned char ser[FIELD_SER_BYTES];
field_serialize(ser,f);
static void field_print(const gf f) {
const int GF_SER_BYTES = (GF_BITS + 7) / 8;
unsigned char ser[GF_SER_BYTES];
gf_serialize(ser,f);
int b=0, i, comma=0;
unsigned long long limb = 0;
printf("FIELD_LITERAL(");
for (i=0; i<FIELD_SER_BYTES; i++) {
printf("{FIELD_LITERAL(");
for (i=0; i<GF_SER_BYTES; i++) {
limb |= ((uint64_t)ser[i])<<b;
b += 8;
if (b >= FIELD_LIT_LIMB_BITS) {
limb &= (1ull<<FIELD_LIT_LIMB_BITS) -1;
b -= FIELD_LIT_LIMB_BITS;
if (b >= GF_LIT_LIMB_BITS) {
limb &= (1ull<<GF_LIT_LIMB_BITS) -1;
b -= GF_LIT_LIMB_BITS;
if (comma) printf(",");
comma = 1;
printf("0x%016llx", limb);
limb = ((uint64_t)ser[i])>>(8-b);
}
}
printf(")");
printf(")}");
assert(b<8);
}

@@ -88,41 +88,39 @@ int main(int argc, char **argv) {
if (ret || !preWnaf) return 1;
API_NS(precompute_wnafs)(preWnaf, real_point_base);

const field_t *output;
const gf_s *output;
unsigned i;
printf("/** @warning: this file was automatically generated. */\n");
printf("#include <decaf.h>\n\n");
printf("#include \"field.h\"\n\n");
printf("#include \"decaf.h\"\n\n");
printf("#define API_NS(_id) decaf_255_##_id\n");
printf("#define API_NS2(_pref,_id) _pref##_decaf_255_##_id\n");
output = (const field_t *)real_point_base;
output = (const gf_s *)real_point_base;
printf("const API_NS(point_t) API_NS(point_base) = {{\n");
for (i=0; i < sizeof(API_NS(point_t)); i+=sizeof(field_t)) {
for (i=0; i < sizeof(API_NS(point_t)); i+=sizeof(gf)) {
if (i) printf(",\n ");
printf("{");
field_print(output++);
printf("}");
}
printf("\n}};\n");
output = (const field_t *)pre;
printf("const field_t API_NS(precomputed_base_as_fe)[%d]\n",
(int)(API_NS2(sizeof,precomputed_s) / sizeof(field_t)));
output = (const gf_s *)pre;
printf("const gf API_NS(precomputed_base_as_fe)[%d]\n",
(int)(API_NS2(sizeof,precomputed_s) / sizeof(gf)));
printf("__attribute__((aligned(%d),visibility(\"hidden\"))) = {\n ", (int)API_NS2(alignof,precomputed_s));
for (i=0; i < API_NS2(sizeof,precomputed_s); i+=sizeof(field_t)) {
for (i=0; i < API_NS2(sizeof,precomputed_s); i+=sizeof(gf)) {
if (i) printf(",\n ");
field_print(output++);
}
printf("\n};\n");
output = (const field_t *)preWnaf;
printf("const field_t API_NS(precomputed_wnaf_as_fe)[%d]\n",
(int)(API_NS2(sizeof,precomputed_wnafs) / sizeof(field_t)));
output = (const gf_s *)preWnaf;
printf("const gf API_NS(precomputed_wnaf_as_fe)[%d]\n",
(int)(API_NS2(sizeof,precomputed_wnafs) / sizeof(gf)));
printf("__attribute__((aligned(%d),visibility(\"hidden\"))) = {\n ", (int)API_NS2(alignof,precomputed_s));
for (i=0; i < API_NS2(sizeof,precomputed_wnafs); i+=sizeof(field_t)) {
for (i=0; i < API_NS2(sizeof,precomputed_wnafs); i+=sizeof(gf)) {
if (i) printf(",\n ");
field_print(output++);
}


+ 54
- 44
src/include/field.h View File

@@ -1,23 +1,20 @@
/**
* @file field.h
* @brief Generic field header.
* @brief Generic gf header.
* @copyright
* Copyright (c) 2014 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
* @author Mike Hamburg
*/

#ifndef __FIELD_H__
#define __FIELD_H__
#ifndef __GF_H__
#define __GF_H__

#include "constant_time.h"
#include "f_field.h"
#include <string.h>

typedef struct field_t field_a_t[1];
#define field_a_restrict_t struct field_t *__restrict__

#define is32 (GOLDI_BITS == 32 || FIELD_BITS != 448)
#define is32 (GOLDI_BITS == 32 || GF_BITS != 448)
#if (is32)
#define IF32(s) (s)
#else
@@ -33,9 +30,9 @@ typedef struct field_t field_a_t[1];
* If x=0, returns 0.
*/
void
field_isr (
field_a_t a,
const field_a_t x
gf_isr (
gf a,
const gf x
);
/**
@@ -43,62 +40,75 @@ field_isr (
*/
static __inline__ void
__attribute__((unused,always_inline))
field_sqrn (
field_a_restrict_t y,
const field_a_t x,
gf_sqrn (
gf_s *__restrict__ y,
const gf x,
int n
) {
field_a_t tmp;
gf tmp;
assert(n>0);
if (n&1) {
field_sqr(y,x);
gf_sqr(y,x);
n--;
} else {
field_sqr(tmp,x);
field_sqr(y,tmp);
gf_sqr(tmp,x);
gf_sqr(y,tmp);
n-=2;
}
for (; n; n-=2) {
field_sqr(tmp,y);
field_sqr(y,tmp);
gf_sqr(tmp,y);
gf_sqr(y,tmp);
}
}

static __inline__ void
field_subx_RAW (
field_a_t d,
const field_a_t a,
const field_a_t b
gf_subx_RAW (
gf d,
const gf a,
const gf b
) {
field_sub_RAW ( d, a, b );
field_bias( d, 2 );
IF32( field_weak_reduce ( d ) );
gf_sub_RAW ( d, a, b );
gf_bias( d, 2 );
IF32( gf_weak_reduce ( d ) );
}

static __inline__ void
field_sub (
field_a_t d,
const field_a_t a,
const field_a_t b
gf_sub (
gf d,
const gf a,
const gf b
) {
field_sub_RAW ( d, a, b );
field_bias( d, 2 );
field_weak_reduce ( d );
gf_sub_RAW ( d, a, b );
gf_bias( d, 2 );
gf_weak_reduce ( d );
}

static __inline__ void
field_add (
field_a_t d,
const field_a_t a,
const field_a_t b
gf_add (
gf d,
const gf a,
const gf b
) {
field_add_RAW ( d, a, b );
field_weak_reduce ( d );
gf_add_RAW ( d, a, b );
gf_weak_reduce ( d );
}

#define gf_add_nr gf_add_RAW

/** Subtract mod p. Bias by 2 and don't reduce */
static inline void gf_sub_nr ( gf c, const gf a, const gf b ) {
// FOR_LIMB_U(i, c->limb[i] = a->limb[i] - b->limb[i] + 2*P->limb[i] );
gf_sub_RAW(c,a,b);
gf_bias(c, 2);
if (DECAF_WORD_BITS==32) gf_weak_reduce(c); // HACK
}

/** Subtract mod p. Bias by amt but don't reduce. */
static inline void gf_subx_nr ( gf c, const gf a, const gf b, int amt ) {
gf_sub_RAW(c,a,b);
gf_bias(c, amt);
if (DECAF_WORD_BITS==32) gf_weak_reduce(c); // HACK
}

/* FIXME: no warnings on RAW routines */
#define field_add_nr field_add_RAW
#define field_sub_nr field_sub_RAW
#define field_subx_nr field_subx_RAW

#endif // __FIELD_H__
#endif // __GF_H__

+ 20
- 20
src/p25519/arch_ref64/p25519.c View File

@@ -17,10 +17,10 @@ static __inline__ uint64_t is_zero(uint64_t a) {
}

void
p255_mul (
p255_t *__restrict__ cs,
const p255_t *as,
const p255_t *bs
gf_25519_mul (
gf_25519_t __restrict__ cs,
const gf_25519_t as,
const gf_25519_t bs
) {
const uint64_t *a = as->limb, *b = bs->limb, mask = ((1ull<<51)-1);
@@ -52,9 +52,9 @@ p255_mul (
}

void
p255_mulw (
p255_t *__restrict__ cs,
const p255_t *as,
gf_25519_mulw (
gf_25519_t __restrict__ cs,
const gf_25519_t as,
uint64_t b
) {
const uint64_t *a = as->limb, mask = ((1ull<<51)-1);
@@ -79,16 +79,16 @@ p255_mulw (
}

void
p255_sqr (
p255_t *__restrict__ cs,
const p255_t *as
gf_25519_t qr (
gf_25519_t __restrict__ cs,
const gf_25519_t as
) {
p255_mul(cs,as,as); // TODO
gf_25519_mul(cs,as,as); // TODO
}

void
p255_strong_reduce (
p255_t *a
gf_25519_t trong_reduce (
gf_25519_t a
) {
uint64_t mask = (1ull<<51)-1;

@@ -128,14 +128,14 @@ p255_strong_reduce (
}

void
p255_serialize (
gf_25519_t erialize (
uint8_t serial[32],
const struct p255_t *x
const struct gf_25519_t x
) {
int i,j;
p255_t red;
p255_copy(&red, x);
p255_strong_reduce(&red);
gf_25519_t red;
gf_25519_copy(&red, x);
gf_25519_t trong_reduce(&red);
uint64_t *r = red.limb;
uint64_t ser64[4] = {r[0] | r[1]<<51, r[1]>>13|r[2]<<38, r[2]>>26|r[3]<<25, r[3]>>39|r[4]<<12};
for (i=0; i<4; i++) {
@@ -147,8 +147,8 @@ p255_serialize (
}

mask_t
p255_deserialize (
p255_t *x,
gf_25519_deserialize (
gf_25519_t x,
const uint8_t serial[32]
) {
int i,j;


+ 53
- 53
src/p25519/arch_ref64/p25519.h View File

@@ -1,8 +1,8 @@
/* Copyright (c) 2014 Cryptography Research, Inc.
* Released under the MIT License. See LICENSE.txt for license information.
*/
#ifndef __P255_H__
#define __P255_H__ 1
#ifndef __P25519_H__
#define __P25519_H__ 1

#include <stdint.h>
#include <assert.h>
@@ -10,9 +10,9 @@

#include "word.h"

typedef struct p255_t {
typedef struct gf_25519_s {
uint64_t limb[5];
} p255_t;
} gf_25519_s, gf_25519_t[1];

#define LBITS 51
#define FIELD_LITERAL(a,b,c,d,e) {{ a,b,c,d,e }}
@@ -32,113 +32,113 @@ extern "C" {
#endif

static __inline__ void
p255_add_RAW (
p255_t *out,
const p255_t *a,
const p255_t *b
gf_25519_add_RAW (
gf_25519_t out,
const gf_25519_t a,
const gf_25519_t b
) __attribute__((unused));
static __inline__ void
p255_sub_RAW (
p255_t *out,
const p255_t *a,
const p255_t *b
gf_25519_sub_RAW (
gf_25519_t out,
const gf_25519_t a,
const gf_25519_t b
) __attribute__((unused));
static __inline__ void
p255_copy (
p255_t *out,
const p255_t *a
gf_25519_copy (
gf_25519_t out,
const gf_25519_t a
) __attribute__((unused));
static __inline__ void
p255_weak_reduce (
p255_t *inout
gf_25519_weak_reduce (
gf_25519_t inout
) __attribute__((unused));
void
p255_strong_reduce (
p255_t *inout
gf_25519_strong_reduce (
gf_25519_t inout
);

static __inline__ void
p255_bias (
p255_t *inout,
gf_25519_bias (
gf_25519_t inout,
int amount
) __attribute__((unused));
void
p255_mul (
p255_t *__restrict__ out,
const p255_t *a,
const p255_t *b
gf_25519_mul (
gf_25519_s *__restrict__ out,
const gf_25519_t a,
const gf_25519_t b
);

void
p255_mulw (
p255_t *__restrict__ out,
const p255_t *a,
gf_25519_mulw (
gf_25519_s *__restrict__ out,
const gf_25519_t a,
uint64_t b
);

void
p255_sqr (
p255_t *__restrict__ out,
const p255_t *a
gf_25519_sqr (
gf_25519_s *__restrict__ out,
const gf_25519_t a
);

void
p255_serialize (
gf_25519_serialize (
uint8_t serial[32],
const struct p255_t *x
const gf_25519_t x
);

mask_t
p255_deserialize (
p255_t *x,
gf_25519_deserialize (
gf_25519_t x,
const uint8_t serial[32]
);

/* -------------- Inline functions begin here -------------- */

void
p255_add_RAW (
p255_t *out,
const p255_t *a,
const p255_t *b
gf_25519_add_RAW (
gf_25519_t out,
const gf_25519_t a,
const gf_25519_t b
) {
unsigned int i;
for (i=0; i<5; i++) {
out->limb[i] = a->limb[i] + b->limb[i];
}
p255_weak_reduce(out);
gf_25519_weak_reduce(out);
}

void
p255_sub_RAW (
p255_t *out,
const p255_t *a,
const p255_t *b
gf_25519_sub_RAW (
gf_25519_t out,
const gf_25519_t a,
const gf_25519_t b
) {
unsigned int i;
uint64_t co1 = ((1ull<<51)-1)*2, co2 = co1-36;
for (i=0; i<5; i++) {
out->limb[i] = a->limb[i] - b->limb[i] + ((i==0) ? co2 : co1);
}
p255_weak_reduce(out);
gf_25519_weak_reduce(out);
}

void
p255_copy (
p255_t *out,
const p255_t *a
gf_25519_copy (
gf_25519_t out,
const gf_25519_t a
) {
memcpy(out,a,sizeof(*a));
}

void
p255_bias (
p255_t *a,
gf_25519_bias (
gf_25519_t a,
int amt
) {
(void) a;
@@ -146,8 +146,8 @@ p255_bias (
}

void
p255_weak_reduce (
p255_t *a
gf_25519_weak_reduce (
gf_25519_t a
) {
uint64_t mask = (1ull<<51) - 1;
uint64_t tmp = a->limb[4] >> 51;
@@ -162,4 +162,4 @@ p255_weak_reduce (
}; /* extern "C" */
#endif

#endif /* __P255_H__ */
#endif /* __P25519_H__ */

+ 20
- 20
src/p25519/arch_x86_64/p25519.c View File

@@ -10,10 +10,10 @@ static inline uint64_t shr(__uint128_t x, int n) {
}

void
p255_mul (
p255_t *__restrict__ cs,
const p255_t *as,
const p255_t *bs
gf_25519_mul (
gf_25519_s *__restrict__ cs,
const gf_25519_t as,
const gf_25519_t bs
) {
const uint64_t *a = as->limb, *b = bs->limb, mask = ((1ull<<51)-1);
uint64_t *c = cs->limb;
@@ -92,9 +92,9 @@ p255_mul (
}

void
p255_sqr (
p255_t *__restrict__ cs,
const p255_t *as
gf_25519_sqr (
gf_25519_s *__restrict__ cs,
const gf_25519_t as
) {
const uint64_t *a = as->limb, mask = ((1ull<<51)-1);
uint64_t *c = cs->limb;
@@ -156,9 +156,9 @@ p255_sqr (
}

void
p255_mulw (
p255_t *__restrict__ cs,
const p255_t *as,
gf_25519_mulw (
gf_25519_s *__restrict__ cs,
const gf_25519_t as,
uint64_t b
) {
const uint64_t *a = as->limb, mask = ((1ull<<51)-1);
@@ -191,8 +191,8 @@ p255_mulw (
}

void
p255_strong_reduce (
p255_t *a
gf_25519_strong_reduce (
gf_25519_t a
) {
uint64_t mask = (1ull<<51)-1;

@@ -232,15 +232,15 @@ p255_strong_reduce (
}

void
p255_serialize (
gf_25519_serialize (
uint8_t serial[32],
const struct p255_t *x
const gf_25519_t x
) {
int i,j;
p255_t red;
p255_copy(&red, x);
p255_strong_reduce(&red);
uint64_t *r = red.limb;
gf_25519_t red;
gf_25519_copy(red, x);
gf_25519_strong_reduce(red);
uint64_t *r = red->limb;
uint64_t ser64[4] = {r[0] | r[1]<<51, r[1]>>13|r[2]<<38, r[2]>>26|r[3]<<25, r[3]>>39|r[4]<<12};
for (i=0; i<4; i++) {
for (j=0; j<8; j++) {
@@ -251,8 +251,8 @@ p255_serialize (
}

mask_t
p255_deserialize (
p255_t *x,
gf_25519_deserialize (
gf_25519_t x,
const uint8_t serial[32]
) {
int i,j;


+ 54
- 51
src/p25519/arch_x86_64/p25519.h View File

@@ -1,8 +1,8 @@
/* Copyright (c) 2014 Cryptography Research, Inc.
* Released under the MIT License. See LICENSE.txt for license information.
*/
#ifndef __P255_H__
#define __P255_H__ 1
#ifndef __P25519_H__
#define __P25519_H__ 1

#include <stdint.h>
#include <assert.h>
@@ -10,9 +10,12 @@

#include "word.h"

typedef struct p255_t {
#ifndef __DECAF_255_H__ // HACK FIXME
#define DECAF_WORD_BITS 64
typedef struct gf_25519_s {
uint64_t limb[5];
} p255_t;
} gf_25519_s, gf_25519_t[1];
#endif

#define LBITS 51
#define FIELD_LITERAL(a,b,c,d,e) {{ a,b,c,d,e }}
@@ -32,80 +35,80 @@ extern "C" {
#endif

static __inline__ void
p255_add_RAW (
p255_t *out,
const p255_t *a,
const p255_t *b
gf_25519_add_RAW (
gf_25519_t out,
const gf_25519_t a,
const gf_25519_t b
) __attribute__((unused));
static __inline__ void
p255_sub_RAW (
p255_t *out,
const p255_t *a,
const p255_t *b
gf_25519_sub_RAW (
gf_25519_t out,
const gf_25519_t a,
const gf_25519_t b
) __attribute__((unused));
static __inline__ void
p255_copy (
p255_t *out,
const p255_t *a
gf_25519_copy (
gf_25519_t out,
const gf_25519_t a
) __attribute__((unused));
static __inline__ void
p255_weak_reduce (
p255_t *inout
gf_25519_weak_reduce (
gf_25519_t inout
) __attribute__((unused));
void
p255_strong_reduce (
p255_t *inout
gf_25519_strong_reduce (
gf_25519_t inout
);

static __inline__ void
p255_bias (
p255_t *inout,
gf_25519_bias (
gf_25519_t inout,
int amount
) __attribute__((unused));
void
p255_mul (
p255_t *__restrict__ out,
const p255_t *a,
const p255_t *b
gf_25519_mul (
gf_25519_s *__restrict__ out,
const gf_25519_t a,
const gf_25519_t b
);

void
p255_mulw (
p255_t *__restrict__ out,
const p255_t *a,
gf_25519_mulw (
gf_25519_s *__restrict__ out,
const gf_25519_t a,
uint64_t b
);

void
p255_sqr (
p255_t *__restrict__ out,
const p255_t *a
gf_25519_sqr (
gf_25519_s *__restrict__ out,
const gf_25519_t a
);

void
p255_serialize (
gf_25519_serialize (
uint8_t serial[32],
const struct p255_t *x
const gf_25519_t x
);

mask_t
p255_deserialize (
p255_t *x,
gf_25519_deserialize (
gf_25519_t x,
const uint8_t serial[32]
);

/* -------------- Inline functions begin here -------------- */

void
p255_add_RAW (
p255_t *out,
const p255_t *a,
const p255_t *b
gf_25519_add_RAW (
gf_25519_t out,
const gf_25519_t a,
const gf_25519_t b
) {
unsigned int i;
for (i=0; i<5; i++) {
@@ -114,10 +117,10 @@ p255_add_RAW (
}

void
p255_sub_RAW (
p255_t *out,
const p255_t *a,
const p255_t *b
gf_25519_sub_RAW (
gf_25519_t out,
const gf_25519_t a,
const gf_25519_t b
) {
unsigned int i;
uint64_t co1 = ((1ull<<51)-1)*2, co2 = co1-36;
@@ -127,16 +130,16 @@ p255_sub_RAW (
}

void
p255_copy (
p255_t *out,
const p255_t *a
gf_25519_copy (
gf_25519_t out,
const gf_25519_t a
) {
memcpy(out,a,sizeof(*a));
}

void
p255_bias (
p255_t *a,
gf_25519_bias (
gf_25519_t a,
int amt
) {
a->limb[0] += ((uint64_t)(amt)<<52) - 38*amt;
@@ -147,8 +150,8 @@ p255_bias (
}

void
p255_weak_reduce (
p255_t *a
gf_25519_weak_reduce (
gf_25519_t a
) {
uint64_t mask = (1ull<<51) - 1;
uint64_t tmp = a->limb[4] >> 51;
@@ -163,4 +166,4 @@ p255_weak_reduce (
}; /* extern "C" */
#endif

#endif /* __P255_H__ */
#endif /* __P25519_H__ */

+ 0
- 1
src/p25519/arch_x86_64/x86-64-arith.h View File

@@ -1 +0,0 @@
../../p448/arch_x86_64/x86-64-arith.h

+ 323
- 0
src/p25519/arch_x86_64/x86-64-arith.h View File

@@ -0,0 +1,323 @@
/* Copyright (c) 2014 Cryptography Research, Inc.
* Released under the MIT License. See LICENSE.txt for license information.
*/

#ifndef __X86_64_ARITH_H__
#define __X86_64_ARITH_H__

#include <stdint.h>

/* TODO: non x86-64 versions of these.
* FUTURE: autogenerate
*/

static __inline__ __uint128_t widemul(const uint64_t *a, const uint64_t *b) {
#ifndef __BMI2__
uint64_t c,d;
__asm__ volatile
("movq %[a], %%rax;"
"mulq %[b];"
: [c]"=a"(c), [d]"=d"(d)
: [b]"m"(*b), [a]"m"(*a)
: "cc");
return (((__uint128_t)(d))<<64) | c;
#else
uint64_t c,d;
__asm__ volatile
("movq %[a], %%rdx;"
"mulx %[b], %[c], %[d];"
: [c]"=r"(c), [d]"=r"(d)
: [b]"m"(*b), [a]"m"(*a)
: "rdx");
return (((__uint128_t)(d))<<64) | c;
#endif
}

static __inline__ __uint128_t widemul_rm(uint64_t a, const uint64_t *b) {
#ifndef __BMI2__
uint64_t c,d;
__asm__ volatile
("movq %[a], %%rax;"
"mulq %[b];"
: [c]"=a"(c), [d]"=d"(d)
: [b]"m"(*b), [a]"r"(a)
: "cc");
return (((__uint128_t)(d))<<64) | c;
#else
uint64_t c,d;
__asm__ volatile
("mulx %[b], %[c], %[d];"
: [c]"=r"(c), [d]"=r"(d)
: [b]"m"(*b), [a]"d"(a));
return (((__uint128_t)(d))<<64) | c;
#endif
}

static __inline__ __uint128_t widemul_rr(uint64_t a, uint64_t b) {
#ifndef __BMI2__
uint64_t c,d;
__asm__ volatile
("mulq %[b];"
: [c]"=a"(c), [d]"=d"(d)
: [b]"r"(b), "a"(a)
: "cc");
return (((__uint128_t)(d))<<64) | c;
#else
uint64_t c,d;
__asm__ volatile
("mulx %[b], %[c], %[d];"
: [c]"=r"(c), [d]"=r"(d)
: [b]"r"(b), [a]"d"(a));
return (((__uint128_t)(d))<<64) | c;
#endif
}

static __inline__ __uint128_t widemul2(const uint64_t *a, const uint64_t *b) {
#ifndef __BMI2__
uint64_t c,d;
__asm__ volatile
("movq %[a], %%rax; "
"addq %%rax, %%rax; "
"mulq %[b];"
: [c]"=a"(c), [d]"=d"(d)
: [b]"m"(*b), [a]"m"(*a)
: "cc");
return (((__uint128_t)(d))<<64) | c;
#else
uint64_t c,d;
__asm__ volatile
("movq %[a], %%rdx;"
"leaq (,%%rdx,2), %%rdx;"
"mulx %[b], %[c], %[d];"
: [c]"=r"(c), [d]"=r"(d)
: [b]"m"(*b), [a]"m"(*a)
: "rdx");
return (((__uint128_t)(d))<<64) | c;
#endif
}

static __inline__ void mac(__uint128_t *acc, const uint64_t *a, const uint64_t *b) {
uint64_t lo = *acc, hi = *acc>>64;
#ifdef __BMI2__
uint64_t c,d;
__asm__ volatile
("movq %[a], %%rdx; "
"mulx %[b], %[c], %[d]; "
"addq %[c], %[lo]; "
"adcq %[d], %[hi]; "
: [c]"=r"(c), [d]"=r"(d), [lo]"+r"(lo), [hi]"+r"(hi)
: [b]"m"(*b), [a]"m"(*a)
: "rdx", "cc");
#else
__asm__ volatile
("movq %[a], %%rax; "
"mulq %[b]; "
"addq %%rax, %[lo]; "
"adcq %%rdx, %[hi]; "
: [lo]"+r"(lo), [hi]"+r"(hi)
: [b]"m"(*b), [a]"m"(*a)
: "rax", "rdx", "cc");
#endif
*acc = (((__uint128_t)(hi))<<64) | lo;
}

static __inline__ void macac(__uint128_t *acc, __uint128_t *acc2, const uint64_t *a, const uint64_t *b) {
uint64_t lo = *acc, hi = *acc>>64;
uint64_t lo2 = *acc2, hi2 = *acc2>>64;
#ifdef __BMI2__
uint64_t c,d;
__asm__ volatile
("movq %[a], %%rdx; "
"mulx %[b], %[c], %[d]; "
"addq %[c], %[lo]; "
"adcq %[d], %[hi]; "
"addq %[c], %[lo2]; "
"adcq %[d], %[hi2]; "
: [c]"=r"(c), [d]"=r"(d), [lo]"+r"(lo), [hi]"+r"(hi), [lo2]"+r"(lo2), [hi2]"+r"(hi2)
: [b]"m"(*b), [a]"m"(*a)
: "rdx", "cc");
#else
__asm__ volatile
("movq %[a], %%rax; "
"mulq %[b]; "
"addq %%rax, %[lo]; "
"adcq %%rdx, %[hi]; "
"addq %%rax, %[lo2]; "
"adcq %%rdx, %[hi2]; "
: [lo]"+r"(lo), [hi]"+r"(hi), [lo2]"+r"(lo2), [hi2]"+r"(hi2)
: [b]"m"(*b), [a]"m"(*a)
: "rax", "rdx", "cc");
#endif
*acc = (((__uint128_t)(hi))<<64) | lo;
*acc2 = (((__uint128_t)(hi2))<<64) | lo2;
}

static __inline__ void mac_rm(__uint128_t *acc, uint64_t a, const uint64_t *b) {
uint64_t lo = *acc, hi = *acc>>64;
#ifdef __BMI2__
uint64_t c,d;
__asm__ volatile
("mulx %[b], %[c], %[d]; "
"addq %[c], %[lo]; "
"adcq %[d], %[hi]; "
: [c]"=r"(c), [d]"=r"(d), [lo]"+r"(lo), [hi]"+r"(hi)
: [b]"m"(*b), [a]"d"(a)
: "cc");
#else
__asm__ volatile
("movq %[a], %%rax; "
"mulq %[b]; "
"addq %%rax, %[lo]; "
"adcq %%rdx, %[hi]; "
: [lo]"+r"(lo), [hi]"+r"(hi)
: [b]"m"(*b), [a]"r"(a)
: "rax", "rdx", "cc");
#endif
*acc = (((__uint128_t)(hi))<<64) | lo;
}

static __inline__ void mac_rr(__uint128_t *acc, uint64_t a, const uint64_t b) {
uint64_t lo = *acc, hi = *acc>>64;
#ifdef __BMI2__
uint64_t c,d;
__asm__ volatile
("mulx %[b], %[c], %[d]; "
"addq %[c], %[lo]; "
"adcq %[d], %[hi]; "
: [c]"=r"(c), [d]"=r"(d), [lo]"+r"(lo), [hi]"+r"(hi)
: [b]"r"(b), [a]"d"(a)
: "cc");
#else
__asm__ volatile
("mulq %[b]; "
"addq %%rax, %[lo]; "
"adcq %%rdx, %[hi]; "
: [lo]"+r"(lo), [hi]"+r"(hi)
: [b]"r"(b), "a"(a)
: "rax", "rdx", "cc");
#endif
*acc = (((__uint128_t)(hi))<<64) | lo;
}

static __inline__ void mac2(__uint128_t *acc, const uint64_t *a, const uint64_t *b) {
uint64_t lo = *acc, hi = *acc>>64;
#ifdef __BMI2__
uint64_t c,d;
__asm__ volatile
("movq %[a], %%rdx; "
"addq %%rdx, %%rdx; "
"mulx %[b], %[c], %[d]; "
"addq %[c], %[lo]; "
"adcq %[d], %[hi]; "
: [c]"=r"(c), [d]"=r"(d), [lo]"+r"(lo), [hi]"+r"(hi)
: [b]"m"(*b), [a]"m"(*a)
: "rdx", "cc");
#else
__asm__ volatile
("movq %[a], %%rax; "
"addq %%rax, %%rax; "
"mulq %[b]; "
"addq %%rax, %[lo]; "
"adcq %%rdx, %[hi]; "
: [lo]"+r"(lo), [hi]"+r"(hi)
: [b]"m"(*b), [a]"m"(*a)
: "rax", "rdx", "cc");
#endif
*acc = (((__uint128_t)(hi))<<64) | lo;
}

static __inline__ void msb(__uint128_t *acc, const uint64_t *a, const uint64_t *b) {
uint64_t lo = *acc, hi = *acc>>64;
#ifdef __BMI2__
uint64_t c,d;
__asm__ volatile
("movq %[a], %%rdx; "
"mulx %[b], %[c], %[d]; "
"subq %[c], %[lo]; "
"sbbq %[d], %[hi]; "
: [c]"=r"(c), [d]"=r"(d), [lo]"+r"(lo), [hi]"+r"(hi)
: [b]"m"(*b), [a]"m"(*a)
: "rdx", "cc");
#else
__asm__ volatile
("movq %[a], %%rax; "
"mulq %[b]; "
"subq %%rax, %[lo]; "
"sbbq %%rdx, %[hi]; "
: [lo]"+r"(lo), [hi]"+r"(hi)
: [b]"m"(*b), [a]"m"(*a)
: "rax", "rdx", "cc");
#endif
*acc = (((__uint128_t)(hi))<<64) | lo;
}

static __inline__ void msb2(__uint128_t *acc, const uint64_t *a, const uint64_t *b) {
uint64_t lo = *acc, hi = *acc>>64;
#ifdef __BMI2__
uint64_t c,d;
__asm__ volatile
("movq %[a], %%rdx; "
"addq %%rdx, %%rdx; "
"mulx %[b], %[c], %[d]; "
"subq %[c], %[lo]; "
"sbbq %[d], %[hi]; "
: [c]"=r"(c), [d]"=r"(d), [lo]"+r"(lo), [hi]"+r"(hi)
: [b]"m"(*b), [a]"m"(*a)
: "rdx", "cc");
#else
__asm__ volatile
("movq %[a], %%rax; "
"addq %%rax, %%rax; "
"mulq %[b]; "
"subq %%rax, %[lo]; "
"sbbq %%rdx, %[hi]; "
: [lo]"+r"(lo), [hi]"+r"(hi)
: [b]"m"(*b), [a]"m"(*a)
: "rax", "rdx", "cc");
#endif
*acc = (((__uint128_t)(hi))<<64) | lo;
}

static __inline__ void mrs(__uint128_t *acc, const uint64_t *a, const uint64_t *b) {
uint64_t c,d, lo = *acc, hi = *acc>>64;
__asm__ volatile
("movq %[a], %%rdx; "
"mulx %[b], %[c], %[d]; "
"subq %[lo], %[c]; "
"sbbq %[hi], %[d]; "
: [c]"=r"(c), [d]"=r"(d), [lo]"+r"(lo), [hi]"+r"(hi)
: [b]"m"(*b), [a]"m"(*a)
: "rdx", "cc");
*acc = (((__uint128_t)(d))<<64) | c;
}

static __inline__ __uint128_t widemulu(uint64_t a, uint64_t b) {
return ((__uint128_t)(a)) * b;
}

static __inline__ __int128_t widemuls(int64_t a, int64_t b) {
return ((__int128_t)(a)) * b;
}
static __inline__ uint64_t opacify(uint64_t x) {
__asm__ volatile("" : "+r"(x));
return x;
}

static __inline__ mask_t is_zero(uint64_t x) {
__asm__ volatile("neg %0; sbb %0, %0;" : "+r"(x));
return ~x;
}

#endif /* __X86_64_ARITH_H__ */

+ 14
- 14
src/p25519/f_arithmetic.c View File

@@ -10,7 +10,7 @@

#include "field.h"

const field_a_t P25519_SQRT_MINUS_ONE = {FIELD_LITERAL(
const gf_25519_t P25519_SQRT_MINUS_ONE = {FIELD_LITERAL(
0x61b274a0ea0b0,
0x0d5a5fc8f189d,
0x7ef5e9cbd0c60,
@@ -18,7 +18,7 @@ const field_a_t P25519_SQRT_MINUS_ONE = {FIELD_LITERAL(
0x2b8324804fc1d
)};
const field_a_t SQRT_ONE_MINUS_D = {FIELD_LITERAL( // FIXME MAGIC goes elsewhere?
const gf_25519_t SQRT_ONE_MINUS_D = {FIELD_LITERAL( // FIXME MAGIC goes elsewhere?
0x6db8831bbddec,
0x38d7b56c9c165,
0x016b221394bdc,
@@ -26,15 +26,15 @@ const field_a_t SQRT_ONE_MINUS_D = {FIELD_LITERAL( // FIXME MAGIC goes elsewhere
0x0a0d85b4032b1
)};
static const field_a_t ONE = {FIELD_LITERAL( // FIXME copy-pasted
static const gf_25519_t ONE = {FIELD_LITERAL( // FIXME copy-pasted
1,0,0,0,0
)};

// ARCH MAGIC FIXME copy-pasted from decaf_fast.c
static mask_t gf_eq(const field_a_t a, const field_a_t b) {
field_a_t c;
field_sub(c,a,b);
field_strong_reduce(c);
static mask_t gf_eq(const gf_25519_t a, const gf_25519_t b) {
gf_25519_t c;
gf_sub(c,a,b);
gf_strong_reduce(c);
mask_t ret=0;
int i;
for (i=0; i<5; i++) { ret |= c->limb[i]; }
@@ -43,19 +43,19 @@ static mask_t gf_eq(const field_a_t a, const field_a_t b) {

/* Guarantee: a^2 x = 0 if x = 0; else a^2 x = 1 or SQRT_MINUS_ONE; */
void
field_isr (
field_a_t a,
const field_a_t x
gf_isr (
gf_25519_t a,
const gf_25519_t x
) {
field_a_t st[3], tmp1, tmp2;
gf_25519_t st[3], tmp1, tmp2;
const struct { unsigned char sh, idx; } ops[] = {
{1,2},{1,2},{3,1},{6,0},{1,2},{12,1},{25,1},{25,1},{50,0},{125,0},{2,2},{1,2}
};
st[0][0] = st[1][0] = st[2][0] = x[0];
unsigned int i;
for (i=0; i<sizeof(ops)/sizeof(ops[0]); i++) {
field_sqrn(tmp1, st[1^(i&1)], ops[i].sh);
field_mul(tmp2, tmp1, st[ops[i].idx]);
gf_sqrn(tmp1, st[1^(i&1)], ops[i].sh);
gf_mul(tmp2, tmp1, st[ops[i].idx]);
st[i&1][0] = tmp2[0];
}
@@ -64,5 +64,5 @@ field_isr (
// ARCH MAGIC FIXME: should be cond_sel
for (i=0; i<5; i++) tmp1->limb[i] = (ONE->limb[i] & mask)
| (SQRT_MINUS_ONE->limb[i] & ~mask);
field_mul(a,tmp1,st[0]);
gf_mul(a,tmp1,st[0]);
}

+ 16
- 15
src/p25519/f_field.h View File

@@ -13,20 +13,21 @@
#include <string.h>

#include "p25519.h"
#define FIELD_LIT_LIMB_BITS 51
#define FIELD_BITS 255
#define field_t p255_t
#define field_mul p255_mul
#define field_sqr p255_sqr
#define field_add_RAW p255_add_RAW
#define field_sub_RAW p255_sub_RAW
#define field_mulw p255_mulw
#define field_bias p255_bias
#define field_isr p255_isr
#define field_weak_reduce p255_weak_reduce
#define field_strong_reduce p255_strong_reduce
#define field_serialize p255_serialize
#define field_deserialize p255_deserialize
#define SQRT_MINUS_ONE P25519_SQRT_MINUS_ONE
#define GF_LIT_LIMB_BITS 51
#define GF_BITS 255
#define gf gf_25519_t
#define gf_s gf_25519_s
#define gf_mul gf_25519_mul
#define gf_sqr gf_25519_sqr
#define gf_add_RAW gf_25519_add_RAW
#define gf_sub_RAW gf_25519_sub_RAW
#define gf_mulw gf_25519_mulw
#define gf_bias gf_25519_bias
#define gf_isr gf_25519_isr
#define gf_weak_reduce gf_25519_weak_reduce
#define gf_strong_reduce gf_25519_strong_reduce
#define gf_serialize gf_25519_serialize
#define gf_deserialize gf_25519_deserialize
#define SQRT_MINUS_ONE P25519_SQRT_MINUS_ONE

#endif /* __F_FIELD_H__ */

+ 28
- 28
src/p448/f_arithmetic.c View File

@@ -11,33 +11,33 @@
#include "field.h"

void
field_isr (
field_a_t a,
const field_a_t x
gf_isr (
gf_a_t a,
const gf_a_t x
) {
field_a_t L0, L1, L2;
field_sqr ( L1, x );
field_mul ( L2, x, L1 );
field_sqr ( L1, L2 );
field_mul ( L2, x, L1 );
field_sqrn ( L1, L2, 3 );
field_mul ( L0, L2, L1 );
field_sqrn ( L1, L0, 3 );
field_mul ( L0, L2, L1 );
field_sqrn ( L2, L0, 9 );
field_mul ( L1, L0, L2 );
field_sqr ( L0, L1 );
field_mul ( L2, x, L0 );
field_sqrn ( L0, L2, 18 );
field_mul ( L2, L1, L0 );
field_sqrn ( L0, L2, 37 );
field_mul ( L1, L2, L0 );
field_sqrn ( L0, L1, 37 );
field_mul ( L1, L2, L0 );
field_sqrn ( L0, L1, 111 );
field_mul ( L2, L1, L0 );
field_sqr ( L0, L2 );
field_mul ( L1, x, L0 );
field_sqrn ( L0, L1, 223 );
field_mul ( a, L2, L0 );
gf_a_t L0, L1, L2;
gf_sqr ( L1, x );
gf_mul ( L2, x, L1 );
gf_sqr ( L1, L2 );
gf_mul ( L2, x, L1 );
gf_sqrn ( L1, L2, 3 );
gf_mul ( L0, L2, L1 );
gf_sqrn ( L1, L0, 3 );
gf_mul ( L0, L2, L1 );
gf_sqrn ( L2, L0, 9 );
gf_mul ( L1, L0, L2 );
gf_sqr ( L0, L1 );
gf_mul ( L2, x, L0 );
gf_sqrn ( L0, L2, 18 );
gf_mul ( L2, L1, L0 );
gf_sqrn ( L0, L2, 37 );
gf_mul ( L1, L2, L0 );
gf_sqrn ( L0, L1, 37 );
gf_mul ( L1, L2, L0 );
gf_sqrn ( L0, L1, 111 );
gf_mul ( L2, L1, L0 );
gf_sqr ( L0, L2 );
gf_mul ( L1, x, L0 );
gf_sqrn ( L0, L1, 223 );
gf_mul ( a, L2, L0 );
}

+ 14
- 14
src/p448/f_field.h View File

@@ -13,19 +13,19 @@
#include <string.h>

#include "p448.h"
#define FIELD_LIT_LIMB_BITS 56
#define FIELD_BITS 448
#define field_t p448_t
#define field_mul p448_mul
#define field_sqr p448_sqr
#define field_add_RAW p448_add_RAW
#define field_sub_RAW p448_sub_RAW
#define field_mulw p448_mulw
#define field_bias p448_bias
#define field_isr p448_isr
#define field_weak_reduce p448_weak_reduce
#define field_strong_reduce p448_strong_reduce
#define field_serialize p448_serialize
#define field_deserialize p448_deserialize
#define GF_LIT_LIMB_BITS 56
#define GF_BITS 448
#define gf p448_t
#define gf_mul p448_mul
#define gf_sqr p448_sqr
#define gf_add_RAW p448_add_RAW
#define gf_sub_RAW p448_sub_RAW
#define gf_mulw p448_mulw
#define gf_bias p448_bias
#define gf_isr p448_isr
#define gf_weak_reduce p448_weak_reduce
#define gf_strong_reduce p448_strong_reduce
#define gf_serialize p448_serialize
#define gf_deserialize p448_deserialize

#endif /* __F_FIELD_H__ */

+ 28
- 28
src/p480/f_arithmetic.c View File

@@ -11,33 +11,33 @@
#include "field.h"

void
field_isr (
field_a_t a,
const field_a_t x
gf_isr (
gf_a_t a,
const gf_a_t x
) {
field_a_t L0, L1, L2, L3;
field_sqr ( L2, x );
field_mul ( L1, x, L2 );
field_sqrn ( L0, L1, 2 );
field_mul ( L2, L1, L0 );
field_sqrn ( L0, L2, 4 );
field_mul ( L1, L2, L0 );
field_sqr ( L0, L1 );
field_mul ( L2, x, L0 );
field_sqrn ( L0, L2, 8 );
field_mul ( L2, L1, L0 );
field_sqrn ( L0, L2, 17 );
field_mul ( L1, L2, L0 );
field_sqrn ( L0, L1, 17 );
field_mul ( L1, L2, L0 );
field_sqrn ( L3, L1, 17 );
field_mul ( L0, L2, L3 );
field_sqrn ( L2, L0, 51 );
field_mul ( L0, L1, L2 );
field_sqrn ( L1, L0, 119 );
field_mul ( L2, L0, L1 );
field_sqr ( L0, L2 );
field_mul ( L1, x, L0 );
field_sqrn ( L0, L1, 239 );
field_mul ( a, L2, L0 );
gf_a_t L0, L1, L2, L3;
gf_sqr ( L2, x );
gf_mul ( L1, x, L2 );
gf_sqrn ( L0, L1, 2 );
gf_mul ( L2, L1, L0 );
gf_sqrn ( L0, L2, 4 );
gf_mul ( L1, L2, L0 );
gf_sqr ( L0, L1 );
gf_mul ( L2, x, L0 );
gf_sqrn ( L0, L2, 8 );
gf_mul ( L2, L1, L0 );
gf_sqrn ( L0, L2, 17 );
gf_mul ( L1, L2, L0 );
gf_sqrn ( L0, L1, 17 );
gf_mul ( L1, L2, L0 );
gf_sqrn ( L3, L1, 17 );
gf_mul ( L0, L2, L3 );
gf_sqrn ( L2, L0, 51 );
gf_mul ( L0, L1, L2 );
gf_sqrn ( L1, L0, 119 );
gf_mul ( L2, L0, L1 );
gf_sqr ( L0, L2 );
gf_mul ( L1, x, L0 );
gf_sqrn ( L0, L1, 239 );
gf_mul ( a, L2, L0 );
}

+ 14
- 14
src/p480/f_field.h View File

@@ -13,19 +13,19 @@
#include <string.h>

#include "p480.h"
#define FIELD_LIT_LIMB_BITS 60
#define FIELD_BITS 480
#define field_t p480_t
#define field_mul p480_mul
#define field_sqr p480_sqr
#define field_add_RAW p480_add_RAW
#define field_sub_RAW p480_sub_RAW
#define field_mulw p480_mulw
#define field_bias p480_bias
#define field_isr p480_isr
#define field_weak_reduce p480_weak_reduce
#define field_strong_reduce p480_strong_reduce
#define field_serialize p480_serialize
#define field_deserialize p480_deserialize
#define GF_LIT_LIMB_BITS 60
#define GF_BITS 480
#define gf p480_t
#define gf_mul p480_mul
#define gf_sqr p480_sqr
#define gf_add_RAW p480_add_RAW
#define gf_sub_RAW p480_sub_RAW
#define gf_mulw p480_mulw
#define gf_bias p480_bias
#define gf_isr p480_isr
#define gf_weak_reduce p480_weak_reduce
#define gf_strong_reduce p480_strong_reduce
#define gf_serialize p480_serialize
#define gf_deserialize p480_deserialize

#endif /* __F_FIELD_H__ */

+ 28
- 28
src/p521/f_arithmetic.c View File

@@ -11,33 +11,33 @@
#include "field.h"

void
field_isr (
field_a_t a,
const field_a_t x
gf_isr (
gf_a_t a,
const gf_a_t x
) {
field_a_t L0, L1, L2;
field_sqr ( L1, x );
field_mul ( L0, x, L1 );
field_sqrn ( L2, L0, 2 );
field_mul ( L1, L0, L2 );
field_sqrn ( L2, L1, 4 );
field_mul ( L0, L1, L2 );
field_sqrn ( L2, L0, 8 );
field_mul ( L1, L0, L2 );
field_sqrn ( L2, L1, 16 );
field_mul ( L0, L1, L2 );
field_sqrn ( L2, L0, 32 );
field_mul ( L1, L0, L2 );
field_sqr ( L2, L1 );
field_mul ( L0, x, L2 );
field_sqrn ( L2, L0, 64 );
field_mul ( L0, L1, L2 );
field_sqrn ( L2, L0, 129 );
field_mul ( L1, L0, L2 );
field_sqr ( L2, L1 );
field_mul ( L0, x, L2 );
field_sqrn ( L2, L0, 259 );
field_mul ( L1, L0, L2 );
field_sqr ( L0, L1 );
field_mul ( a, x, L0 );
gf_a_t L0, L1, L2;
gf_sqr ( L1, x );
gf_mul ( L0, x, L1 );
gf_sqrn ( L2, L0, 2 );
gf_mul ( L1, L0, L2 );
gf_sqrn ( L2, L1, 4 );
gf_mul ( L0, L1, L2 );
gf_sqrn ( L2, L0, 8 );
gf_mul ( L1, L0, L2 );
gf_sqrn ( L2, L1, 16 );
gf_mul ( L0, L1, L2 );
gf_sqrn ( L2, L0, 32 );
gf_mul ( L1, L0, L2 );
gf_sqr ( L2, L1 );
gf_mul ( L0, x, L2 );
gf_sqrn ( L2, L0, 64 );
gf_mul ( L0, L1, L2 );
gf_sqrn ( L2, L0, 129 );
gf_mul ( L1, L0, L2 );
gf_sqr ( L2, L1 );
gf_mul ( L0, x, L2 );
gf_sqrn ( L2, L0, 259 );
gf_mul ( L1, L0, L2 );
gf_sqr ( L0, L1 );
gf_mul ( a, x, L0 );
}

+ 14
- 14
src/p521/f_field.h View File

@@ -13,19 +13,19 @@
#include "constant_time.h"

#include "p521.h"
#define FIELD_LIT_LIMB_BITS 58
#define FIELD_BITS 521
#define field_t p521_t
#define field_mul p521_mul
#define field_sqr p521_sqr
#define field_add_RAW p521_add_RAW
#define field_sub_RAW p521_sub_RAW
#define field_mulw p521_mulw
#define field_bias p521_bias
#define field_isr p521_isr
#define field_weak_reduce p521_weak_reduce
#define field_strong_reduce p521_strong_reduce
#define field_serialize p521_serialize
#define field_deserialize p521_deserialize
#define GF_LIT_LIMB_BITS 58
#define GF_BITS 521
#define gf p521_t
#define gf_mul p521_mul
#define gf_sqr p521_sqr
#define gf_add_RAW p521_add_RAW
#define gf_sub_RAW p521_sub_RAW
#define gf_mulw p521_mulw
#define gf_bias p521_bias
#define gf_isr p521_isr
#define gf_weak_reduce p521_weak_reduce
#define gf_strong_reduce p521_strong_reduce
#define gf_serialize p521_serialize
#define gf_deserialize p521_deserialize

#endif /* __F_FIELD_H__ */

+ 5
- 3
src/public_include/decaf/decaf_255.h View File

@@ -21,11 +21,13 @@ extern "C" {
#define DECAF_255_SCALAR_BITS 254 // Curve25519: 253
#define DECAF_255_SCALAR_LIMBS (256/DECAF_WORD_BITS)

#ifndef __DECAF_GF_ALREADY_DEFINED__
/** Galois field element internal structure */
typedef struct gf_255_s {
typedef struct gf_25519_s {
decaf_word_t limb[DECAF_255_LIMBS];
} gf_255_s, gf_255_t[1];
} gf_25519_s, gf_25519_t[1];
/** @endcond */
#endif /* __DECAF_GF_ALREADY_DEFINED__ */

/** Number of bytes in a serialized point. */
#define DECAF_255_SER_BYTES 32
@@ -34,7 +36,7 @@ typedef struct gf_255_s {
#define DECAF_255_SCALAR_BYTES 32

/** Twisted Edwards (-1,d-1) extended homogeneous coordinates */
typedef struct decaf_255_point_s { /**@cond internal*/gf_255_t x,y,z,t;/**@endcond*/ } decaf_255_point_t[1];
typedef struct decaf_255_point_s { /**@cond internal*/gf_25519_t x,y,z,t;/**@endcond*/ } decaf_255_point_t[1];

/** Precomputed table based on a point. Can be trivial implementation. */
struct decaf_255_precomputed_s;


Write Preview
Loading…
Cancel
Save