From 752d260af270921f0b55712f4cabb9b6c611e1b2 Mon Sep 17 00:00:00 2001
From: Michael Hamburg <mike@shiftleft.org>
Date: Sun, 24 Feb 2019 22:20:21 -0800
Subject: [PATCH] Thanks Johan Pascal: remove gf_hibit, since it was a relic
 from p521 days

---
 src/per_curve/decaf.tmpl.c            | 22 +++++++++++-----------
 src/per_curve/decaf_gen_tables.tmpl.c |  2 +-
 src/per_curve/elligator.tmpl.c        |  8 ++------
 src/per_field/f_field.tmpl.h          |  6 ++----
 src/per_field/f_generic.tmpl.c        | 23 ++++++-----------------
 5 files changed, 22 insertions(+), 39 deletions(-)

diff --git a/src/per_curve/decaf.tmpl.c b/src/per_curve/decaf.tmpl.c
index 56b9d7f..5714e4d 100644
--- a/src/per_curve/decaf.tmpl.c
+++ b/src/per_curve/decaf.tmpl.c
@@ -233,7 +233,7 @@ void API_NS(deisogenize) (
 void API_NS(point_encode)( unsigned char ser[SER_BYTES], const point_t p ) {
     gf s,ie1,ie2;
     API_NS(deisogenize)(s,ie1,ie2,p,0,0,0);
-    gf_serialize(ser,s,1);
+    gf_serialize(ser,s);
 }
 
 decaf_error_t API_NS(point_decode) (
@@ -244,7 +244,7 @@ decaf_error_t API_NS(point_decode) (
     gf s, s2, num, tmp;
     gf_s *tmp2=s2, *ynum=p->z, *isr=p->x, *den=p->t;
     
-    mask_t succ = gf_deserialize(s, ser, 1, 0);
+    mask_t succ = gf_deserialize(s, ser, 0);
     succ &= bool_to_mask(allow_identity) | ~gf_eq(s, ZERO);
     succ &= ~gf_lobit(s);
     
@@ -840,7 +840,7 @@ void API_NS(point_debugging_pscale) (
 ) {
     gf gfac,tmp;
     /* NB this means you'll never pscale by negative numbers for p521 */
-    ignore_result(gf_deserialize(gfac,factor,0,0));
+    ignore_result(gf_deserialize(gfac,factor,0));
     gf_cond_sel(gfac,gfac,ONE,gf_eq(gfac,ZERO));
     gf_mul(tmp,p->x,gfac);
     gf_copy(q->x,tmp);
@@ -1135,7 +1135,7 @@ void API_NS(point_mul_by_ratio_and_encode_like_eddsa) (
     
     /* Encode */
     enc[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] = 0;
-    gf_serialize(enc, x, 1);
+    gf_serialize(enc, x);
     enc[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] |= 0x80 & gf_lobit(t);
 
     decaf_bzero(x,sizeof(x));
@@ -1156,7 +1156,7 @@ decaf_error_t API_NS(point_decode_like_eddsa_and_mul_by_ratio) (
     mask_t low = ~word_is_zero(enc2[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] & 0x80);
     enc2[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] &= ~0x80;
     
-    mask_t succ = gf_deserialize(p->y, enc2, 1, 0);
+    mask_t succ = gf_deserialize(p->y, enc2, 0);
 #if $(gf_bits % 8) == 0
     succ &= word_is_zero(enc2[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1]);
 #endif
@@ -1256,7 +1256,7 @@ decaf_error_t decaf_x$(gf_shortname) (
     const uint8_t scalar[X_PRIVATE_BYTES]
 ) {
     gf x1, x2, z2, x3, z3, t1, t2;
-    ignore_result(gf_deserialize(x1,base,1,0));
+    ignore_result(gf_deserialize(x1,base,0));
     gf_copy(x2,ONE);
     gf_copy(z2,ZERO);
     gf_copy(x3,x1);
@@ -1307,7 +1307,7 @@ decaf_error_t decaf_x$(gf_shortname) (
     gf_cond_swap(z2,z3,swap);
     gf_invert(z2,z2,0);
     gf_mul(x1,x2,z2);
-    gf_serialize(out,x1,1);
+    gf_serialize(out,x1);
     mask_t nz = ~gf_eq(x1,ZERO);
     
     decaf_bzero(x1,sizeof(x1));
@@ -1328,7 +1328,7 @@ void decaf_ed$(gf_shortname)_convert_public_key_to_x$(gf_shortname) (
 ) {
     gf y;
     const uint8_t mask = (uint8_t)(0xFE<<($((gf_bits-1)%8)));
-    ignore_result(gf_deserialize(y, ed, 1, mask));
+    ignore_result(gf_deserialize(y, ed, mask));
     
     {
         gf n,d;
@@ -1339,7 +1339,7 @@ void decaf_ed$(gf_shortname)_convert_public_key_to_x$(gf_shortname) (
         gf_sub(d, ONE, y); /* d = 1-y */
         gf_invert(d, d, 0); /* d = 1/(1-y) */
         gf_mul(y, n, d); /* u = (y+1)/(1-y) */
-        gf_serialize(x,y,1);
+        gf_serialize(x,y);
 #else /* EDDSA_USE_SIGMA_ISOGENY */
         /* u = y^2 * (1-dy^2) / (1-y^2) */
         gf_sqr(n,y); /* y^2*/
@@ -1349,7 +1349,7 @@ void decaf_ed$(gf_shortname)_convert_public_key_to_x$(gf_shortname) (
         gf_mulw(d,n,EDWARDS_D); /* dy^2*/
         gf_sub(d, ONE, d); /* 1-dy^2*/
         gf_mul(n, y, d); /* y^2 * (1-dy^2) / (1-y^2) */
-        gf_serialize(x,n,1);
+        gf_serialize(x,n);
 #endif /* EDDSA_USE_SIGMA_ISOGENY */
         
         decaf_bzero(y,sizeof(y));
@@ -1381,7 +1381,7 @@ void API_NS(point_mul_by_ratio_and_encode_like_x$(gf_shortname)) (
 #if IMAGINE_TWIST
     gf_sub(q->y,ZERO,q->y);
 #endif
-    gf_serialize(out,q->y,1);
+    gf_serialize(out,q->y);
     API_NS(point_destroy(q));
 }
 
diff --git a/src/per_curve/decaf_gen_tables.tmpl.c b/src/per_curve/decaf_gen_tables.tmpl.c
index 686d942..7b1d27e 100644
--- a/src/per_curve/decaf_gen_tables.tmpl.c
+++ b/src/per_curve/decaf_gen_tables.tmpl.c
@@ -27,7 +27,7 @@ void API_NS(precompute_wnafs) (
 );
 static void field_print(const gf f) {
     unsigned char ser[X_SER_BYTES];
-    gf_serialize(ser,f,1);
+    gf_serialize(ser,f);
     int b=0, i, comma=0;
     unsigned long long limb = 0;
     printf("{FIELD_LITERAL(");
diff --git a/src/per_curve/elligator.tmpl.c b/src/per_curve/elligator.tmpl.c
index 2e24743..12d97b8 100644
--- a/src/per_curve/elligator.tmpl.c
+++ b/src/per_curve/elligator.tmpl.c
@@ -31,7 +31,7 @@ void API_NS(point_from_hash_nonuniform) (
 ) {
     gf r0,r,a,b,c,N,e;
     const uint8_t mask = (uint8_t)(0xFE<<($((gf_bits-1)%8)));
-    ignore_result(gf_deserialize(r0,ser,0,mask));
+    ignore_result(gf_deserialize(r0,ser,mask));
     gf_strong_reduce(r0);
     gf_sqr(a,r0);
     gf_mul_qnr(r,a);
@@ -165,11 +165,7 @@ API_NS(invert_elligator_nonuniform) (
     //     succ &= ~(is_identity & sgn_ed_T); /* NB: there are no preimages of rotated identity. */
     // #endif
     
-    #if $(gf_bits) == 8*SER_BYTES + 1 /* p521 */
-        gf_serialize(recovered_hash,b,0);
-    #else
-        gf_serialize(recovered_hash,b,1);
-    #endif
+    gf_serialize(recovered_hash,b);
 #if $(gf_bits%8)
     #if COFACTOR==8
         recovered_hash[SER_BYTES-1] ^= (hint>>4)<<$(gf_bits%8);
diff --git a/src/per_field/f_field.tmpl.h b/src/per_field/f_field.tmpl.h
index 5c04d3d..7e8d625 100644
--- a/src/per_field/f_field.tmpl.h
+++ b/src/per_field/f_field.tmpl.h
@@ -22,7 +22,6 @@ typedef struct gf_$(gf_shortname)_s {
 #define gf                gf_$(gf_shortname)_t
 #define gf_s              gf_$(gf_shortname)_s
 #define gf_eq             gf_$(gf_shortname)_eq
-#define gf_hibit          gf_$(gf_shortname)_hibit
 #define gf_lobit          gf_$(gf_shortname)_lobit
 #define gf_copy           gf_$(gf_shortname)_copy
 #define gf_add            gf_$(gf_shortname)_add
@@ -68,10 +67,9 @@ void gf_sqr (gf_s *__restrict__ out, const gf a);
 mask_t gf_isr(gf a, const gf x); /** a^2 x = 1, QNR, or 0 if x=0.  Return true if successful */
 mask_t gf_eq (const gf x, const gf y);
 mask_t gf_lobit (const gf x);
-mask_t gf_hibit (const gf x);
 
-void gf_serialize (uint8_t *serial, const gf x,int with_highbit);
-mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES],int with_hibit,uint8_t hi_nmask);
+void gf_serialize (uint8_t *serial, const gf x);
+mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES],uint8_t hi_nmask);
 
 
 #ifdef __cplusplus
diff --git a/src/per_field/f_generic.tmpl.c b/src/per_field/f_generic.tmpl.c
index 2dfc920..563a6e5 100644
--- a/src/per_field/f_generic.tmpl.c
+++ b/src/per_field/f_generic.tmpl.c
@@ -13,15 +13,14 @@ static const gf MODULUS = {FIELD_LITERAL(
 #endif
 
 /** Serialize to wire format. */
-void gf_serialize (uint8_t serial[SER_BYTES], const gf x, int with_hibit) {
+void gf_serialize (uint8_t serial[SER_BYTES], const gf x) {
     gf red;
     gf_copy(red, x);
     gf_strong_reduce(red);
-    if (!with_hibit) { assert(gf_hibit(red) == 0); }
     
     unsigned int j=0, fill=0;
     dword_t buffer = 0;
-    UNROLL for (unsigned int i=0; i<(with_hibit ? X_SER_BYTES : SER_BYTES); i++) {
+    UNROLL for (unsigned int i=0; i<SER_BYTES; i++) {
         if (fill < 8 && j < NLIMBS) {
             buffer |= ((dword_t)red->limb[LIMBPERM(j)]) << fill;
             fill += LIMB_PLACE_VALUE(LIMBPERM(j));
@@ -33,14 +32,6 @@ void gf_serialize (uint8_t serial[SER_BYTES], const gf x, int with_hibit) {
     }
 }
 
-/** Return high bit of x = low bit of 2x mod p */
-mask_t gf_hibit(const gf x) {
-    gf y;
-    gf_add(y,x,x);
-    gf_strong_reduce(y);
-    return -(y->limb[0]&1);
-}
-
 /** Return high bit of x = low bit of 2x mod p */
 mask_t gf_lobit(const gf x) {
     gf y;
@@ -50,15 +41,14 @@ mask_t gf_lobit(const gf x) {
 }
 
 /** Deserialize from wire format; return -1 on success and 0 on failure. */
-mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES], int with_hibit, uint8_t hi_nmask) {
+mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES], uint8_t hi_nmask) {
     unsigned int j=0, fill=0;
     dword_t buffer = 0;
     dsword_t scarry = 0;
-    const unsigned nbytes = with_hibit ? X_SER_BYTES : SER_BYTES;
     UNROLL for (unsigned int i=0; i<NLIMBS; i++) {
-        UNROLL while (fill < LIMB_PLACE_VALUE(LIMBPERM(i)) && j < nbytes) {
+        UNROLL while (fill < LIMB_PLACE_VALUE(LIMBPERM(i)) && j < SER_BYTES) {
             uint8_t sj = serial[j];
-            if (j==nbytes-1) sj &= ~hi_nmask;
+            if (j==SER_BYTES-1) sj &= ~hi_nmask;
             buffer |= ((dword_t)sj) << fill;
             fill += 8;
             j++;
@@ -68,8 +58,7 @@ mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES], int with_hibit, ui
         buffer >>= LIMB_PLACE_VALUE(LIMBPERM(i));
         scarry = (scarry + x->limb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)]) >> (8*sizeof(word_t));
     }
-    mask_t succ = with_hibit ? -(mask_t)1 : ~gf_hibit(x);
-    return succ & word_is_zero(buffer) & ~word_is_zero(scarry);
+    return word_is_zero(buffer) & ~word_is_zero(scarry);
 }
 
 /** Reduce to canonical form. */