Browse Source
Faster scalarmul is ported from Goldilocks, modulo a bit of magic. Of course, it's the one that doesn't matter as much because we have the monty ladder. Next up, port wNAF and recomputation?
master
Mike Hamburg
10 years ago
1 changed files with 50 additions and 33 deletions
Split View
Diff Options
-
+50 -33src/decaf_fast.c
+ 50
- 33
src/decaf_fast.c
View File
| @@ -548,7 +548,11 @@ void decaf_448_point_add ( | |||
| gf_mul ( p->t, b, c ); | |||
| } | |||
| void decaf_448_point_double(decaf_448_point_t p, const decaf_448_point_t q) { | |||
| static void decaf_448_point_double_internal ( | |||
| decaf_448_point_t p, | |||
| const decaf_448_point_t q, | |||
| decaf_bool_t before_double | |||
| ) { | |||
| gf a, b, c, d; | |||
| gf_sqr ( c, q->x ); | |||
| gf_sqr ( a, q->y ); | |||
| @@ -563,8 +567,11 @@ void decaf_448_point_double(decaf_448_point_t p, const decaf_448_point_t q) { | |||
| gf_mul ( p->x, a, b ); | |||
| gf_mul ( p->z, p->t, a ); | |||
| gf_mul ( p->y, p->t, d ); | |||
| /* TODO: conditional? */ | |||
| gf_mul ( p->t, b, d ); | |||
| if (!before_double) gf_mul ( p->t, b, d ); | |||
| } | |||
| void decaf_448_point_double(decaf_448_point_t p, const decaf_448_point_t q) { | |||
| decaf_448_point_double_internal(p,q,0); | |||
| } | |||
| void decaf_448_point_copy ( | |||
| @@ -734,7 +741,8 @@ static void pniels_to_pt ( | |||
| static void add_niels_to_pt ( | |||
| decaf_448_point_t d, | |||
| const niels_t e | |||
| const niels_t e, | |||
| decaf_bool_t before_double | |||
| ) { | |||
| gf a, b, c; | |||
| gf_sub_nr ( b, d->y, d->x ); | |||
| @@ -749,18 +757,18 @@ static void add_niels_to_pt ( | |||
| gf_mul ( d->z, a, d->y ); | |||
| gf_mul ( d->x, d->y, b ); | |||
| gf_mul ( d->y, a, c ); | |||
| /* TODO: if... */ | |||
| gf_mul ( d->t, b, c ); | |||
| if (!before_double) gf_mul ( d->t, b, c ); | |||
| } | |||
| static void add_pniels_to_pt ( | |||
| decaf_448_point_t p, | |||
| const pniels_t pn | |||
| const pniels_t pn, | |||
| decaf_bool_t before_double | |||
| ) { | |||
| gf L0; | |||
| gf_mul ( L0, p->z, pn->z ); | |||
| gf_cpy ( p->z, L0 ); | |||
| add_niels_to_pt( p, pn->n ); | |||
| add_niels_to_pt( p, pn->n, before_double ); | |||
| } | |||
| void decaf_448_point_scalarmul ( | |||
| @@ -768,64 +776,73 @@ void decaf_448_point_scalarmul ( | |||
| const decaf_448_point_t b, | |||
| const decaf_448_scalar_t scalar | |||
| ) { | |||
| const int WINDOW = 5, | |||
| const int WINDOW = 5, /* PERF: Make 4 on non hugevector platforms? */ | |||
| WINDOW_MASK = (1<<WINDOW)-1, | |||
| WINDOW_U_MASK = (1<<((448%WINDOW)-1))-1, | |||
| WINDOW_T_MASK = WINDOW_MASK >> 1, | |||
| NTABLE = 1<<(WINDOW-1); | |||
| decaf_448_scalar_t scalar2, onehalf = {{{0}}}, arrr; | |||
| /* Adjust the scalar to SABS window. TODO: optimize, subroutinize */ | |||
| decaf_448_scalar_t scalar2, onehalf = {{{0}}}, two = {{{2}}}, arrr; | |||
| onehalf->limb[SCALAR_WORDS-1] = 1ull<<(WBITS-1); | |||
| /* FIXME PERF MAGIC precompute 2^449-1/2 mod q. Could instead use 2^446-1/2 mod q though. */ | |||
| decaf_448_montmul(arrr,two,decaf_448_scalar_r2,decaf_448_scalar_p,DECAF_MONTGOMERY_FACTOR); | |||
| /* PERF dedicated halve */ | |||
| decaf_448_scalar_sub(scalar2, scalar, decaf_448_scalar_one); | |||
| decaf_448_montmul(scalar2,scalar2,onehalf,decaf_448_scalar_p,DECAF_MONTGOMERY_FACTOR); | |||
| /* FIXME PERF precompute 2^447-1/2 mod q. Could instead use 2^446-1/2 mod q though. */ | |||
| decaf_448_montmul(arrr,decaf_448_scalar_one,decaf_448_scalar_r2,decaf_448_scalar_p,DECAF_MONTGOMERY_FACTOR); | |||
| decaf_448_montmul(arrr,arrr,onehalf,decaf_448_scalar_p,DECAF_MONTGOMERY_FACTOR); | |||
| decaf_448_scalar_add(scalar2, scalar2, arrr); | |||
| /* Set up a precomputed table with odd multiples of b. */ | |||
| pniels_t pn, multiples[NTABLE]; | |||
| decaf_448_point_t tmp; | |||
| decaf_448_point_double(tmp, b); | |||
| pt_to_pniels(pn, tmp); | |||
| pt_to_pniels(multiples[0], b); | |||
| decaf_448_point_double(a, b); | |||
| pt_to_pniels(pn, a); | |||
| decaf_448_point_copy(tmp, b); | |||
| int i,j; | |||
| for (i=1; i<NTABLE; i++) { | |||
| add_pniels_to_pt(a, pn); | |||
| pt_to_pniels(multiples[i], a); | |||
| add_pniels_to_pt(tmp, pn, 0); | |||
| pt_to_pniels(multiples[i], tmp); | |||
| } | |||
| i = 448 - (448 % WINDOW); | |||
| int bits = scalar2->limb[i/WBITS] >> (i%WBITS), | |||
| inv = (bits>>((448 % WINDOW)-1))-1; | |||
| /* Initialize. */ | |||
| i = DECAF_448_SCALAR_BITS - ((DECAF_448_SCALAR_BITS-1) % WINDOW) - 1; | |||
| int bits = scalar2->limb[i/WBITS] >> (i%WBITS) & WINDOW_MASK, | |||
| inv = (bits>>(WINDOW-1))-1; | |||
| bits ^= inv; | |||
| constant_time_lookup(pn, multiples, sizeof(pn), NTABLE, bits & WINDOW_U_MASK); | |||
| constant_time_lookup(pn, multiples, sizeof(pn), NTABLE, bits & WINDOW_T_MASK); | |||
| cond_neg_pniels(pn, inv); | |||
| pniels_to_pt(a, pn); | |||
| pniels_to_pt(tmp, pn); | |||
| for (i-=WINDOW; i>=0; i-=WINDOW) { | |||
| for (j=0; j<WINDOW; j++) { | |||
| decaf_448_point_double(a, a); | |||
| } | |||
| /* Using Hisil et al's lookahead method instead of extensible here | |||
| * for no particular reason. Double WINDOW times, but only compute t on | |||
| * the last one. | |||
| */ | |||
| for (j=0; j<WINDOW-1; j++) | |||
| decaf_448_point_double_internal(tmp, tmp, -1); | |||
| decaf_448_point_double(tmp, tmp); | |||
| /* Fetch another block of bits */ | |||
| bits = scalar2->limb[i/WBITS] >> (i%WBITS); | |||
| if (i%WBITS >= WBITS-WINDOW) { | |||
| bits ^= scalar2->limb[i/WBITS+1] << (WBITS - (i%WBITS)); | |||
| } | |||
| bits &= WINDOW_MASK; | |||
| inv = (bits>>(WINDOW-1))-1; | |||
| bits ^= inv; | |||
| /* Add in from table. Compute t only on last iteration. */ | |||
| constant_time_lookup(pn, multiples, sizeof(pn), NTABLE, bits & WINDOW_T_MASK); | |||
| cond_neg_pniels(pn, inv); | |||
| add_pniels_to_pt(a, pn); | |||
| add_pniels_to_pt(tmp, pn, i ? -1 : 0); | |||
| } | |||
| /* Write out the answer */ | |||
| decaf_448_point_copy(a,tmp); | |||
| } | |||
| void decaf_448_point_double_scalarmul ( | |||