get rid of unchecked isqrt. will be a tiny slowdown for p448 invert, called only in batch_invert

src/decaf_fast.c

@@ -105,21 +105,6 @@ siv gf_sqr (gf c, const gf a) {
     field_sqr((field_t *)c, (const field_t *)a);
 }
 
-/** Inverse square root using addition chain. */
-siv gf_isqrt(gf y, const gf x) {
-    field_isr((field_t *)y, (const field_t *)x);
-}
-
-/** Inverse. */
-sv gf_invert(gf y, const gf x) {
-    gf t1, t2;
-    gf_sqr(t1, x); // o^2
-    gf_isqrt(t2, t1); // +-1/sqrt(o^2) = +-1/o
-    gf_sqr(t1, t2);
-    gf_mul(t2, t1, x); // not direct to y in case of alias.
-    gf_cpy(y, t2);
-}
-
 /** Add mod p.  Conservatively always weak-reduce. */
 snv gf_add ( gf_s *__restrict__ c, const gf a, const gf b ) {
     field_add((field_t *)c, (const field_t *)a, (const field_t *)b);
@@ -138,7 +123,6 @@ siv gf_bias ( gf c, int amt) {
 /** Subtract mod p.  Bias by 2 and don't reduce  */
 siv gf_sub_nr ( gf_s *__restrict__ c, const gf a, const gf b ) {
 //    FOR_LIMB_U(i, c->limb[i] = a->limb[i] - b->limb[i] + 2*P->limb[i] );
-    ANALYZE_THIS_ROUTINE_CAREFULLY; //TODO
     field_sub_nr((field_t *)c, (const field_t *)a, (const field_t *)b);
     gf_bias(c, 2);
     if (WBITS==32) field_weak_reduce((field_t*) c); // HACK
@@ -146,7 +130,6 @@ siv gf_sub_nr ( gf_s *__restrict__ c, const gf a, const gf b ) {
 
 /** Subtract mod p. Bias by amt but don't reduce.  */
 siv gf_sub_nr_x ( gf c, const gf a, const gf b, int amt ) {
-    ANALYZE_THIS_ROUTINE_CAREFULLY; //TODO
     field_sub_nr((field_t *)c, (const field_t *)a, (const field_t *)b);
     gf_bias(c, amt);
     if (WBITS==32) field_weak_reduce((field_t*) c); // HACK
@@ -155,7 +138,6 @@ siv gf_sub_nr_x ( gf c, const gf a, const gf b, int amt ) {
 /** Add mod p.  Don't reduce. */
 siv gf_add_nr ( gf c, const gf a, const gf b ) {
 //    FOR_LIMB_U(i, c->limb[i] = a->limb[i] + b->limb[i]);
-    ANALYZE_THIS_ROUTINE_CAREFULLY; //TODO
     field_add_nr((field_t *)c, (const field_t *)a, (const field_t *)b);
 }
 
@@ -218,6 +200,17 @@ static decaf_bool_t gf_isqrt_chk(gf y, const gf x, decaf_bool_t allow_zero) {
     return gf_eq(tmp1,ONE) | (allow_zero & gf_eq(tmp1,ZERO));
 }
 
+/** Inverse. */
+sv gf_invert(gf y, const gf x) {
+    gf t1, t2;
+    gf_sqr(t1, x); // o^2
+    decaf_bool_t ret = gf_isqrt_chk(t2, t1, 0); // +-1/sqrt(o^2) = +-1/o
+    (void)ret; assert(ret);
+    gf_sqr(t1, t2);
+    gf_mul(t2, t1, x); // not direct to y in case of alias.
+    gf_cpy(y, t2);
+}
+
 /** Return high bit of x = low bit of 2x mod p */
 static decaf_word_t hibit(const gf x) {
     gf y;
@@ -321,7 +314,7 @@ decaf_bool_t API_NS(scalar_invert) (
     const scalar_t a
 ) {
 #if 0
-    /* FIELD MAGIC.  FIXME: not updated for 25519 */
+    /* FIELD MAGIC.  TODO PERF: not updated for 25519 */
     scalar_t chain[7], tmp;
     sc_montmul(chain[0],a,sc_r2);
     

src/include/field.h

@@ -96,11 +96,9 @@ field_add (
     field_weak_reduce ( d );
 }
 
-/** Require the warning annotation on raw routines */
-#define ANALYZE_THIS_ROUTINE_CAREFULLY const int ANNOTATE___ANALYZE_THIS_ROUTINE_CAREFULLY = 0;
-#define MUST_BE_CAREFUL (void) ANNOTATE___ANALYZE_THIS_ROUTINE_CAREFULLY
-#define field_add_nr(a,b,c) { MUST_BE_CAREFUL; field_add_RAW(a,b,c); }
-#define field_sub_nr(a,b,c) { MUST_BE_CAREFUL; field_sub_RAW(a,b,c); }
-#define field_subx_nr(a,b,c) { MUST_BE_CAREFUL; field_subx_RAW(a,b,c); }
+/* FIXME: no warnings on RAW routines */
+#define field_add_nr field_add_RAW
+#define field_sub_nr field_add_RAW
+#define field_subx_nr field_add_RAW
 
 #endif // __FIELD_H__

test/test_decaf.cxx

@@ -171,7 +171,7 @@ static void test_elligator() {
     bool successes2[NHINTS];
 
     for (int i=0; i<NTESTS/10 && (test.passing_now || i < 100); i++) {
-        size_t len =  (i % (2*Point::HASH_BYTES + 3)); // FIXME: 0
+        size_t len =  (i % (2*Point::HASH_BYTES + 3));
         decaf::SecureBuffer b1(len);
         if (i!=Point::HASH_BYTES) rng.read(b1); /* special test case */
         if (i==1) b1[0] = 1; /* special case test */