jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

tidy up

master
Michael Hamburg 10 years ago
parent
f18cf359c6
commit
b5f7c2eff8
18 changed files with 58 additions and 904 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +22
    -0
      HISTORY.txt
  2. +12
    -30
      README.txt
  3. +11
    -88
      TODO.txt
  4. +4
    -1
      include/decaf_crypto.h
  5. +1
    -1
      src/decaf_crypto.c
  6. +1
    -7
      src/decaf_fast.c
  7. +4
    -141
      src/include/field.h
  8. +0
    -75
      src/p448/arch_32/p448.h
  9. +0
    -75
      src/p448/arch_arm_32/p448.h
  10. +0
    -62
      src/p448/arch_neon_experimental/p448.h
  11. +0
    -92
      src/p448/arch_ref64/p448.h
  12. +0
    -74
      src/p448/arch_x86_64/p448.h
  13. +1
    -8
      src/p448/f_field.h
  14. +0
    -74
      src/p480/arch_x86_64/p480.h
  15. +1
    -8
      src/p480/f_field.h
  16. +0
    -92
      src/p521/arch_ref64/p521.h
  17. +0
    -68
      src/p521/arch_x86_64_r12/p521.h
  18. +1
    -8
      src/p521/f_field.h

+ 22
- 0
HISTORY.txt View File

@@ -1,3 +1,25 @@
April 23, 2015:
Removed the original Goldilocks code; Decaf now stands on its own.
This cuts the source code approximately in half, to a still-large
13.7k wc-lines. (Most of these lines are in the arch-specific
field implementations.)
Note that the decaf_crypto routines are not intended to set
standards. They should be secure, but they're intended more as
examples of how the core ECC library could be used.
The SHAKE stuff is also mostly an experiment, particularly the
STROBE protocol/mode stuff. This is all fine, because the ECC
library itself is the core, and doesn't require the SHAKE stuff.
(Except for the C++ header, which should probably also be factored
so that it doesn't need the SHAKE stuff.)
I've started work on making a Decaf BAT, but not done yet.
I haven't ripped out all old multi-field code, because I intend
to add support for other fields eventually. Maybe properly this
time, instead of with a million compile flags like the original.

March 23, 2015:
I've been fleshing out Decaf, and hopefully the API is somewhere
near final. I will probably move a few things around and add a


+ 12
- 30
README.txt View File

@@ -1,42 +1,24 @@
Ed448-Goldilocks
Ed448-Goldilocks, Decaf version.

This software is an experimental implementation of a new 448-bit elliptic
curve called Ed448-Goldilocks. The implementation itself is based on that of
an earlier, unnamed 252-bit curve which should probably be referred to as
Ed252-MontgomeryStation. See http://eprint.iacr.org/2012/309 for details of
that implementation.
curve called Ed448-Goldilocks, with "Decaf" cofactor removal.

The source files here are all by Mike Hamburg. Most of them are (c) 2014
Cryptography Research, Inc (a division of Rambus). The cRandom
implementation is the exception: these files are from the OpenConflict video
game protection system out of Stanford, and are (c) 2011 Stanford
University. All of these files are usable under the MIT license contained in
LICENSE.txt.
The source files here are all by Mike Hamburg. Most of them are (c)
2014-2015 Cryptography Research, Inc (a division of Rambus). All of these
files are usable under the MIT license contained in LICENSE.txt.

The Makefile is set for my 2013 MacBook Air. You can `make bench` to run
a completely arbitrary set of benchmarks and tests, or `make
build/goldilocks.so` to build a stripped-down version of the library. For
non-Haswell platforms, you need to replace -mavx2 -mbmi2 by an appropriate
vector declaration. For non-Mac platforms, you won't be able to build a
library with this Makefile. This is fine, because you shouldn't be using
this for much at this stage anyway.
a completely arbitrary set of benchmarks and tests, or `make lib` to build
a stripped-down version of the library. For non-Haswell platforms, you may
need to replace -mavx2 -mbmi2 by an appropriate vector declaration.

I've attempted to protect against timing attacks and invalid point attacks,
but as of yet no attempt to protect against power analysis. This is an early
revision, so I haven't done much analysis or correctness testing of
corner-cases.

The code in ec_point.c and ec_point.h was generated with the help of a tool
written in SAGE. The field code in p448.h doesn't reduce after add/sub, and
so it requires care to prevent overflow. The SAGE tool figures out where to
put reductions and adjustments to prevent overflow. It also formally
verifies that the formulas produce points on the curve. I'm planning to add
more features to it eventually. That tool is even more experimental than
this library, though, and so I won't be releasing it just yet.
but as of yet no attempt to protect against power analysis.

This software is incomplete, and lacks documentation. None of the APIs are
stable. The software is probably not secure. Please consult TODO.txt for
additional agenda items. Do not taunt happy fun ball.
yet stable, though they may be getting there. The software is probably not
secure. Please consult TODO.txt for additional agenda items. Do not taunt
happy fun ball.

Cheers,
-- Mike Hamburg

+ 11
- 88
TODO.txt View File

@@ -1,16 +1,10 @@
Important work items for Ed448-Goldilocks:

* Better architecture detection / factoring of arch-related headers.
[PROGRESS]

* Better factoring of high-level vs low-level library.
Important work items for Ed448-Goldilocks / decaf:

* Factor out hash, crandom from core library?
[DONE, except for C++ headers]

* Signed 32-bit NEON implementation to avoid bias/reduce after subtract



* Documentation: write high-level API docs, and internal docs to help
other implementors.
* Partial progress on Doxygenating the code.
@@ -20,65 +14,27 @@ Important work items for Ed448-Goldilocks:
* Cleanup: rename everything consistently.
* namespace_op or op_namespace? namespace_op_type?
* We don't have to be super-careful with the namespacing, because
symbols will be scrubbed by exported.sym.

* Cleanup: hard-coded tables (probably?)
* This reduces the work required for goldilocks_init() at the expense
of library size.
* Makes error-handling and thread safety easier.
* Use the SAGE tool?
symbols will be scrubbed by visibility

* Cleanup: unify intrinsics code
* Word_t, mask_t, bigregister_t, etc.
* Generate asm intrinsics with a script?

* [DONE] Bugfix: make sure that init() and randomization are thread-safe.

* [DONE] Security: check on deserialization that points are < p.
* [NEEDS TESTING] Check also that they're nonzero or otherwise non-pathological?

* Testing:
* Corner-case testing
* More bulk random testing
* Negative testing.
* SAGE-(auto?)-generated test vectors
* Test the Barrett fields
* More testing. Testing, testing and testing.
* Test corner cases better.

* Safety: add static analysis attributes for compilers that support them
* Most functions now have warn on ignored return.
* [ MOSTLY DONE ]

* Safety:
* [DONE] Check for init() if it's still required once we've done the above
* Decide what to do about RNG failures
* abort
* return error and zeroize
* return error but continue if RNG is kind of mostly OK
* Flexibility: decide which API options are good.
* [DONE?] Eg, should functions take nbits and table sizes?
* [DONE] Remove hardcoded adjustments from comb control.
* These adjustments make the output wrong when it's not 450 bits.
* Other slow Barrett fields? Montgomery fields?

* Mid-level API
* Make it easier to work with untwisted Edwards objects.
* Probably use extended or projective, not extensible coordinates.
* Scalarmul with other cofactor modes.

* High-level API:
* SHA512 Elligator Edition? Maybe write a paper first.
* Elligator.
* Need to write Elligator inverse. Might not be Elligator-2S.
* FHMQV? Is this patented?
* What low-level APIs to expose?
* Edwards points with add, sub, scalarmul, =, ==, ser/deser?

* High-level API: [DONE]

* Portability: test and make clean with other compilers
* Using a fair amount of __attribute__ code.
@@ -89,47 +45,14 @@ Important work items for Ed448-Goldilocks:
* I can't get a simple for-loop to autovectorize :-/
* SAGE tool?

* Portability: make the inner layers of the code 32-bit clean.
* Write new versions of the field code.
* [DONE] 28-bit limbs give less headroom for carries.
* [DONE] Now have a vectorless ARM version; need NEON.
* Improve speed of 32-bit field code.
* [DONE] Run through the SAGE tool to generate new bias & bound.

* [DONE] Portability: make the outer layers of the code 32-bit clean.

* [DONE] Performance/flexibility: decide which parameters should be hard-coded.
* Perhaps useful for comb precomputation.

* Performance: Improve SHA512.
* [DONE?] Improve portability.
* Improve speed.
* Except not, because this adds too much code size.
* Link OpenSSL if a fast SHA is desired.

* Protocol:
* Decide what things to stir into hashes for various functions.
* Performance: improve the Barrett field code.
* Support other primes?
* Capture prime shape into a struct instead of passing 3 params.
* [DONE] Make 32-bit clean.

* Automation:
* Improve the SAGE tool to cover more cases
* Real SSA classes to cover branching and looping
* Constant-time selection
* Intrinsics code
* Field code?
* SAGE tool is impossibly slow on 32-bit
* Currently stuck on Elligator after 19 hours.
* [FIXED] at least for now.
* Vector-mul-chains
* Negation "bubble pushing" optimization
* Performance: Improve SHAKE.
* Improve speed. (Maybe)

* Clear other TODO/FIXME/HACK/PERF items in the code

* [DONE?] Submit to SUPERCOP
* Submit Decaf to SUPERCOP

+ 4
- 1
include/decaf_crypto.h View File

@@ -4,7 +4,10 @@
* Copyright (c) 2015 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
* @author Mike Hamburg
* @brief Decaf cyrpto routines.
* @brief Example Decaf cyrpto routines.
* @warning These are merely examples, though they ought to be secure. But real
* protocols will decide differently on magic numbers, formats, which items to
* hash, etc.
* @warning Experimental! The names, parameter orders etc are likely to change.
*/



+ 1
- 1
src/decaf_crypto.c View File

@@ -5,7 +5,7 @@
* Copyright (c) 2015 Cryptography Research, Inc. \n
* Released under the MIT License. See LICENSE.txt for license information.
* @author Mike Hamburg
* @brief Decaf cyrpto routines.
* @brief Example Decaf cyrpto routines.
*/

#include "decaf_crypto.h"


+ 1
- 7
src/decaf_fast.c View File

@@ -1106,12 +1106,6 @@ static void gf_batch_invert (
/* const */ gf *in,
unsigned int n
) {
// if (n==0) {
// return;
// } else if (n==1) {
// field_inverse(out[0],in[0]);
// return;
// }
assert(n>1);
gf_cpy(out[1], in[0]);
@@ -1254,7 +1248,7 @@ void decaf_448_precomputed_scalarmul (
for (k=0; k<t; k++) {
unsigned int bit = i + s*(k + j*t);
if (bit < SCALAR_WORDS * WBITS) {
if (bit < DECAF_448_SCALAR_BITS) {
tab |= (scalar1x->limb[bit/WBITS] >> (bit%WBITS) & 1) << k;
}
}


+ 4
- 141
src/include/field.h View File

@@ -24,45 +24,6 @@ typedef struct field_t field_a_t[1];
#define IF32(s)
#endif

/** @brief Bytes in a field element */
#define FIELD_BYTES (1+(FIELD_BITS-1)/8)

/** @brief Words in a field element */
#define FIELD_WORDS (1+(FIELD_BITS-1)/sizeof(word_t))

/* TODO: standardize notation */
/** @brief The number of words in the Goldilocks field. */
#define GOLDI_FIELD_WORDS DIV_CEIL(FIELD_BITS,WORD_BITS)

/** @brief The number of bits in the Goldilocks curve's cofactor (cofactor=4). */
#define COFACTOR_BITS 2

/** @brief The number of bits in a Goldilocks scalar. */
#define SCALAR_BITS (FIELD_BITS - COFACTOR_BITS)

/** @brief The number of bytes in a Goldilocks scalar. */
#define SCALAR_BYTES (1+(SCALAR_BITS)/8)

/** @brief The number of words in the Goldilocks field. */
#define SCALAR_WORDS WORDS_FOR_BITS(SCALAR_BITS)

/**
* @brief For GMP tests: little-endian representation of the field modulus.
*/
extern const uint8_t FIELD_MODULUS[FIELD_BYTES];

/**
* Copy one field element to another.
*/
static inline void
__attribute__((unused,always_inline))
field_copy (
field_a_restrict_t a,
const field_a_restrict_t b
) {
memcpy(a,b,sizeof(*a));
}

/**
* Returns 1/sqrt(+- x).
*
@@ -76,38 +37,21 @@ field_isr (
field_a_t a,
const field_a_t x
);
/**
* Batch inverts out[i] = 1/in[i]
*
* If any input is zero, all the outputs will be zero.
*/
void
field_simultaneous_invert (
field_a_t *__restrict__ out,
const field_a_t *in,
unsigned int n
);

/**
* Returns 1/x.
*
* If x=0, returns 0.
*
* TODO: this is currently unused in Decaf, but I've left a decl
* for it because field_inverse is different (and simpler) than
* field_isqrt for 5-mod-8 fields.
*/
void
field_inverse (
field_a_t a,
const field_a_t x
);

/**
* Returns -1 if a==b, 0 otherwise.
*/
mask_t
field_eq (
const field_a_t a,
const field_a_t b
);
/**
* Square x, n times.
@@ -135,53 +79,6 @@ field_sqrn (
}
}

static __inline__ mask_t
__attribute__((unused,always_inline))
field_high_bit (const field_a_t f) {
field_a_t red;
field_copy(red,f);
field_weak_reduce(red);
field_add_RAW(red,red,red);
field_strong_reduce(red);
return -(1&red->limb[0]);
}

static __inline__ mask_t
__attribute__((unused,always_inline))
field_make_nonzero (field_a_t f) {
mask_t z = field_is_zero(f);
field_addw( f, -z );
return z;
}

/* Multiply by signed curve constant */
static __inline__ void
field_mulw_scc (
field_a_restrict_t out,
const field_a_t a,
int64_t scc
) {
if (scc >= 0) {
field_mulw(out, a, scc);
} else {
field_mulw(out, a, -scc);
field_neg_RAW(out,out);
field_bias(out,2);
}
}

/* Multiply by signed curve constant and weak reduce if biased */
static __inline__ void
field_mulw_scc_wr (
field_a_restrict_t out,
const field_a_t a,
int64_t scc
) {
field_mulw_scc(out, a, scc);
if (scc < 0)
field_weak_reduce(out);
}

static __inline__ void
field_subx_RAW (
field_a_t d,
@@ -214,40 +111,6 @@ field_add (
field_weak_reduce ( d );
}

static __inline__ void
field_subw (
field_a_t d,
word_t c
) {
field_subw_RAW ( d, c );
field_bias( d, 1 );
field_weak_reduce ( d );
}

static __inline__ void
field_neg (
field_a_t d,
const field_a_t a
) {
field_neg_RAW ( d, a );
field_bias( d, 2 );
field_weak_reduce ( d );
}

/**
* Negate a in place if doNegate.
*/
static inline void
__attribute__((unused,always_inline))
field_cond_neg (
field_a_t a,
mask_t doNegate
) {
field_a_t negated;
field_neg(negated, a);
constant_time_select(a, negated, a, sizeof(negated), doNegate);
}

/** Require the warning annotation on raw routines */
#define ANALYZE_THIS_ROUTINE_CAREFULLY const int ANNOTATE___ANALYZE_THIS_ROUTINE_CAREFULLY = 0;
#define MUST_BE_CAREFUL (void) ANNOTATE___ANALYZE_THIS_ROUTINE_CAREFULLY


+ 0
- 75
src/p448/arch_32/p448.h View File

@@ -17,12 +17,6 @@ typedef struct p448_t {
extern "C" {
#endif

static __inline__ void
p448_set_ui (
p448_t *out,
uint64_t x
) __attribute__((unused,always_inline));

static __inline__ void
p448_add_RAW (
p448_t *out,
@@ -37,24 +31,6 @@ p448_sub_RAW (
const p448_t *b
) __attribute__((unused,always_inline));
static __inline__ void
p448_neg_RAW (
p448_t *out,
const p448_t *a
) __attribute__((unused,always_inline));

static __inline__ void
p448_addw (
p448_t *a,
uint32_t x
) __attribute__((unused,always_inline));
static __inline__ void
p448_subw (
p448_t *a,
uint32_t x
) __attribute__((unused,always_inline));
static __inline__ void
p448_copy (
p448_t *out,
@@ -70,11 +46,6 @@ void
p448_strong_reduce (
p448_t *inout
);

mask_t
p448_is_zero (
const p448_t *in
);
static __inline__ void
p448_bias (
@@ -116,19 +87,6 @@ p448_deserialize (

/* -------------- Inline functions begin here -------------- */

void
p448_set_ui (
p448_t *out,
uint64_t x
) {
int i;
out->limb[0] = x & ((1<<28)-1);
out->limb[1] = x>>28;
for (i=2; i<16; i++) {
out->limb[i] = 0;
}
}

void
p448_add_RAW (
p448_t *out,
@@ -165,39 +123,6 @@ p448_sub_RAW (
*/
}

void
p448_neg_RAW (
p448_t *out,
const p448_t *a
) {
unsigned int i;
for (i=0; i<sizeof(*out)/sizeof(uint32xn_t); i++) {
((uint32xn_t*)out)[i] = -((const uint32xn_t*)a)[i];
}
/*
unsigned int i;
for (i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
out->limb[i] = -a->limb[i];
}
*/
}

void
p448_addw (
p448_t *a,
uint32_t x
) {
a->limb[0] += x;
}
void
p448_subw (
p448_t *a,
uint32_t x
) {
a->limb[0] -= x;
}

void
p448_copy (
p448_t *out,


+ 0
- 75
src/p448/arch_arm_32/p448.h View File

@@ -17,12 +17,6 @@ typedef struct p448_t {
extern "C" {
#endif

static __inline__ void
p448_set_ui (
p448_t *out,
uint64_t x
) __attribute__((unused,always_inline));

static __inline__ void
p448_add_RAW (
p448_t *out,
@@ -37,24 +31,6 @@ p448_sub_RAW (
const p448_t *b
) __attribute__((unused,always_inline));
static __inline__ void
p448_neg_RAW (
p448_t *out,
const p448_t *a
) __attribute__((unused,always_inline));

static __inline__ void
p448_addw (
p448_t *a,
uint32_t x
) __attribute__((unused,always_inline));
static __inline__ void
p448_subw (
p448_t *a,
uint32_t x
) __attribute__((unused,always_inline));
static __inline__ void
p448_copy (
p448_t *out,
@@ -70,11 +46,6 @@ void
p448_strong_reduce (
p448_t *inout
);

mask_t
p448_is_zero (
const p448_t *in
);
static __inline__ void
p448_bias (
@@ -116,19 +87,6 @@ p448_deserialize (

/* -------------- Inline functions begin here -------------- */

void
p448_set_ui (
p448_t *out,
uint64_t x
) {
int i;
out->limb[0] = x & ((1<<28)-1);
out->limb[1] = x>>28;
for (i=2; i<16; i++) {
out->limb[i] = 0;
}
}

void
p448_add_RAW (
p448_t *out,
@@ -165,39 +123,6 @@ p448_sub_RAW (
*/
}

void
p448_neg_RAW (
p448_t *out,
const p448_t *a
) {
unsigned int i;
for (i=0; i<sizeof(*out)/sizeof(uint32xn_t); i++) {
((uint32xn_t*)out)[i] = -((const uint32xn_t*)a)[i];
}
/*
unsigned int i;
for (i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
out->limb[i] = -a->limb[i];
}
*/
}

void
p448_addw (
p448_t *a,
uint32_t x
) {
a->limb[0] += x;
}
void
p448_subw (
p448_t *a,
uint32_t x
) {
a->limb[0] -= x;
}

void
p448_copy (
p448_t *out,


+ 0
- 62
src/p448/arch_neon_experimental/p448.h View File

@@ -27,12 +27,6 @@ typedef struct p448_t {
extern "C" {
#endif

static __inline__ void
p448_set_ui (
p448_t *out,
uint64_t x
) __attribute__((unused,always_inline));

static __inline__ void
p448_add_RAW (
p448_t *out,
@@ -47,24 +41,6 @@ p448_sub_RAW (
const p448_t *b
) __attribute__((unused,always_inline));
static __inline__ void
p448_neg_RAW (
p448_t *out,
const p448_t *a
) __attribute__((unused,always_inline));

static __inline__ void
p448_addw (
p448_t *a,
uint32_t x
) __attribute__((unused,always_inline));
static __inline__ void
p448_subw (
p448_t *a,
uint32_t x
) __attribute__((unused,always_inline));
static __inline__ void
p448_copy (
p448_t *out,
@@ -80,11 +56,6 @@ void
p448_strong_reduce (
p448_t *inout
);

mask_t
p448_is_zero (
const p448_t *in
);
static __inline__ void
p448_bias (
@@ -169,39 +140,6 @@ p448_sub_RAW (
*/
}

void
p448_neg_RAW (
p448_t *out,
const p448_t *a
) {
unsigned int i;
for (i=0; i<sizeof(*out)/sizeof(uint32xn_t); i++) {
((uint32xn_t*)out)[i] = -((const uint32xn_t*)a)[i];
}
/*
unsigned int i;
for (i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
out->limb[i] = -a->limb[i];
}
*/
}

void
p448_addw (
p448_t *a,
uint32_t x
) {
a->limb[0] += x;
}
void
p448_subw (
p448_t *a,
uint32_t x
) {
a->limb[0] -= x;
}

void
p448_copy (
p448_t *out,


+ 0
- 92
src/p448/arch_ref64/p448.h View File

@@ -18,12 +18,6 @@ typedef struct p448_t {
extern "C" {
#endif

static __inline__ void
p448_set_ui (
p448_t *out,
uint64_t x
) __attribute__((unused));

static __inline__ void
p448_add_RAW (
p448_t *out,
@@ -38,24 +32,6 @@ p448_sub_RAW (
const p448_t *b
) __attribute__((unused));
static __inline__ void
p448_neg_RAW (
p448_t *out,
const p448_t *a
) __attribute__((unused));

static __inline__ void
p448_addw (
p448_t *a,
uint64_t x
) __attribute__((unused));
static __inline__ void
p448_subw (
p448_t *a,
uint64_t x
) __attribute__((unused));
static __inline__ void
p448_copy (
p448_t *out,
@@ -72,22 +48,11 @@ p448_strong_reduce (
p448_t *inout
);

mask_t
p448_is_zero (
const p448_t *in
);

static __inline__ void
p448_bias (
p448_t *inout,
int amount
) __attribute__((unused));

static __inline__ void
p448_really_bias (
p448_t *inout,
int amount
) __attribute__((unused));
void
p448_mul (
@@ -123,18 +88,6 @@ p448_deserialize (

/* -------------- Inline functions begin here -------------- */

void
p448_set_ui (
p448_t *out,
uint64_t x
) {
int i;
out->limb[0] = x;
for (i=1; i<8; i++) {
out->limb[i] = 0;
}
}

void
p448_add_RAW (
p448_t *out,
@@ -162,39 +115,6 @@ p448_sub_RAW (
p448_weak_reduce(out);
}

void
p448_neg_RAW (
struct p448_t *out,
const p448_t *a
) {
unsigned int i;
uint64_t co1 = ((1ull<<56)-1)*2, co2 = co1-2;
for (i=0; i<8; i++) {
out->limb[i] = ((i==4) ? co2 : co1) - a->limb[i];
}
p448_weak_reduce(out);
}

void
p448_addw (
p448_t *a,
uint64_t x
) {
a->limb[0] += x;
a->limb[1] += a->limb[0]>>56;
a->limb[0] &= (1ull<<56)-1;
}
void
p448_subw (
p448_t *a,
uint64_t x
) {
a->limb[0] -= x;
p448_really_bias(a, 1);
p448_weak_reduce(a);
}

void
p448_copy (
p448_t *out,
@@ -203,18 +123,6 @@ p448_copy (
memcpy(out,a,sizeof(*a));
}

void
p448_really_bias (
p448_t *a,
int amt
) {
uint64_t co1 = ((1ull<<56)-1)*amt, co2 = co1-amt;
int i;
for (i=0; i<8; i++) {
a->limb[i] += (i==4) ? co2 : co1;
}
}

void
p448_bias (
p448_t *a,


+ 0
- 74
src/p448/arch_x86_64/p448.h View File

@@ -17,12 +17,6 @@ typedef struct p448_t {
extern "C" {
#endif

static __inline__ void
p448_set_ui (
p448_t *out,
uint64_t x
) __attribute__((unused,always_inline));

static __inline__ void
p448_add_RAW (
p448_t *out,
@@ -37,24 +31,6 @@ p448_sub_RAW (
const p448_t *b
) __attribute__((unused,always_inline));
static __inline__ void
p448_neg_RAW (
p448_t *out,
const p448_t *a
) __attribute__((unused,always_inline));

static __inline__ void
p448_addw (
p448_t *a,
uint64_t x
) __attribute__((unused,always_inline));
static __inline__ void
p448_subw (
p448_t *a,
uint64_t x
) __attribute__((unused,always_inline));
static __inline__ void
p448_copy (
p448_t *out,
@@ -71,11 +47,6 @@ p448_strong_reduce (
p448_t *inout
);

mask_t
p448_is_zero (
const p448_t *in
);

static __inline__ void
p448_bias (
p448_t *inout,
@@ -116,18 +87,6 @@ p448_deserialize (

/* -------------- Inline functions begin here -------------- */

void
p448_set_ui (
p448_t *out,
uint64_t x
) {
int i;
out->limb[0] = x;
for (i=1; i<8; i++) {
out->limb[i] = 0;
}
}

void
p448_add_RAW (
p448_t *out,
@@ -164,39 +123,6 @@ p448_sub_RAW (
*/
}

void
p448_neg_RAW (
struct p448_t *out,
const p448_t *a
) {
unsigned int i;
for (i=0; i<sizeof(*out)/sizeof(uint64xn_t); i++) {
((uint64xn_t*)out)[i] = -((const uint64xn_t*)a)[i];
}
/*
unsigned int i;
for (i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
out->limb[i] = -a->limb[i];
}
*/
}

void
p448_addw (
p448_t *a,
uint64_t x
) {
a->limb[0] += x;
}
void
p448_subw (
p448_t *a,
uint64_t x
) {
a->limb[0] -= x;
}

void
p448_copy (
p448_t *out,


+ 1
- 8
src/p448/f_field.h View File

@@ -20,19 +20,12 @@
#define field_add_RAW p448_add_RAW
#define field_sub_RAW p448_sub_RAW
#define field_mulw p448_mulw
#define field_addw p448_addw
#define field_subw_RAW p448_subw
#define field_neg_RAW p448_neg_RAW
#define field_set_ui p448_set_ui
#define field_bias p448_bias
#define field_inverse p448_inverse
#define field_eq p448_eq
#define field_isr p448_isr
#define field_simultaneous_invert p448_simultaneous_invert
#define field_inverse p448_inverse
#define field_weak_reduce p448_weak_reduce
#define field_strong_reduce p448_strong_reduce
#define field_serialize p448_serialize
#define field_deserialize p448_deserialize
#define field_is_zero p448_is_zero

#endif /* __F_FIELD_H__ */

+ 0
- 74
src/p480/arch_x86_64/p480.h View File

@@ -17,12 +17,6 @@ typedef struct p480_t {
extern "C" {
#endif

static __inline__ void
p480_set_ui (
p480_t *out,
uint64_t x
) __attribute__((unused,always_inline));

static __inline__ void
p480_add_RAW (
p480_t *out,
@@ -37,24 +31,6 @@ p480_sub_RAW (
const p480_t *b
) __attribute__((unused,always_inline));
static __inline__ void
p480_neg_RAW (
p480_t *out,
const p480_t *a
) __attribute__((unused,always_inline));

static __inline__ void
p480_addw (
p480_t *a,
uint64_t x
) __attribute__((unused,always_inline));
static __inline__ void
p480_subw (
p480_t *a,
uint64_t x
) __attribute__((unused,always_inline));
static __inline__ void
p480_copy (
p480_t *out,
@@ -70,11 +46,6 @@ void
p480_strong_reduce (
p480_t *inout
);

mask_t
p480_is_zero (
const p480_t *in
);
static __inline__ void
p480_bias (
@@ -116,18 +87,6 @@ p480_deserialize (

/* -------------- Inline functions begin here -------------- */

void
p480_set_ui (
p480_t *out,
uint64_t x
) {
int i;
out->limb[0] = x;
for (i=1; i<8; i++) {
out->limb[i] = 0;
}
}

void
p480_add_RAW (
p480_t *out,
@@ -164,39 +123,6 @@ p480_sub_RAW (
*/
}

void
p480_neg_RAW (
struct p480_t *out,
const p480_t *a
) {
unsigned int i;
for (i=0; i<sizeof(*out)/sizeof(uint64xn_t); i++) {
((uint64xn_t*)out)[i] = -((const uint64xn_t*)a)[i];
}
/*
unsigned int i;
for (i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
out->limb[i] = -a->limb[i];
}
*/
}

void
p480_addw (
p480_t *a,
uint64_t x
) {
a->limb[0] += x;
}
void
p480_subw (
p480_t *a,
uint64_t x
) {
a->limb[0] -= x;
}

void
p480_copy (
p480_t *out,


+ 1
- 8
src/p480/f_field.h View File

@@ -20,19 +20,12 @@
#define field_add_RAW p480_add_RAW
#define field_sub_RAW p480_sub_RAW
#define field_mulw p480_mulw
#define field_addw p480_addw
#define field_subw_RAW p480_subw
#define field_neg_RAW p480_neg_RAW
#define field_set_ui p480_set_ui
#define field_bias p480_bias
#define field_inverse p480_inverse
#define field_eq p480_eq
#define field_isr p480_isr
#define field_simultaneous_invert p480_simultaneous_invert
#define field_inverse p480_inverse
#define field_weak_reduce p480_weak_reduce
#define field_strong_reduce p480_strong_reduce
#define field_serialize p480_serialize
#define field_deserialize p480_deserialize
#define field_is_zero p480_is_zero

#endif /* __F_FIELD_H__ */

+ 0
- 92
src/p521/arch_ref64/p521.h View File

@@ -18,12 +18,6 @@ typedef struct p521_t {
extern "C" {
#endif

static __inline__ void
p521_set_ui (
p521_t *out,
uint64_t x
) __attribute__((unused));

static __inline__ void
p521_add_RAW (
p521_t *out,
@@ -38,24 +32,6 @@ p521_sub_RAW (
const p521_t *b
) __attribute__((unused));
static __inline__ void
p521_neg_RAW (
p521_t *out,
const p521_t *a
) __attribute__((unused));

static __inline__ void
p521_addw (
p521_t *a,
uint64_t x
) __attribute__((unused));
static __inline__ void
p521_subw (
p521_t *a,
uint64_t x
) __attribute__((unused));
static __inline__ void
p521_copy (
p521_t *out,
@@ -72,22 +48,11 @@ p521_strong_reduce (
p521_t *inout
);

mask_t
p521_is_zero (
const p521_t *in
);

static __inline__ void
p521_bias (
p521_t *inout,
int amount
) __attribute__((unused));

static __inline__ void
p521_really_bias (
p521_t *inout,
int amount
) __attribute__((unused));
void
p521_mul (
@@ -123,18 +88,6 @@ p521_deserialize (

/* -------------- Inline functions begin here -------------- */

void
p521_set_ui (
p521_t *out,
uint64_t x
) {
int i;
out->limb[0] = x;
for (i=1; i<9; i++) {
out->limb[i] = 0;
}
}

void
p521_add_RAW (
p521_t *out,
@@ -162,39 +115,6 @@ p521_sub_RAW (
p521_weak_reduce(out);
}

void
p521_neg_RAW (
struct p521_t *out,
const p521_t *a
) {
unsigned int i;
uint64_t co1 = ((1ull<<58)-1)*4, co2 = ((1ull<<57)-1)*4;
for (i=0; i<9; i++) {
out->limb[i] = ((i==8) ? co2 : co1) - a->limb[i];
}
p521_weak_reduce(out);
}

void
p521_addw (
p521_t *a,
uint64_t x
) {
a->limb[0] += x;
a->limb[1] += a->limb[0]>>58;
a->limb[0] &= (1ull<<58)-1;
}
void
p521_subw (
p521_t *a,
uint64_t x
) {
a->limb[0] -= x;
p521_really_bias(a, 1);
p521_weak_reduce(a);
}

void
p521_copy (
p521_t *out,
@@ -203,18 +123,6 @@ p521_copy (
memcpy(out,a,sizeof(*a));
}

void
p521_really_bias (
p521_t *a,
int amt
) {
uint64_t co1 = ((1ull<<58)-1)*2*amt, co2 = ((1ull<<57)-1)*2*amt;
int i;
for (i=0; i<9; i++) {
a->limb[i] += (i==8) ? co2 : co1;
}
}

void
p521_bias (
p521_t *a,


+ 0
- 68
src/p521/arch_x86_64_r12/p521.h View File

@@ -22,12 +22,6 @@ typedef struct p521_t {
extern "C" {
#endif

static __inline__ void
p521_set_ui (
p521_t *out,
uint64_t x
) __attribute__((unused));

static __inline__ void
p521_add_RAW (
p521_t *out,
@@ -42,24 +36,6 @@ p521_sub_RAW (
const p521_t *b
) __attribute__((unused));
static __inline__ void
p521_neg_RAW (
p521_t *out,
const p521_t *a
) __attribute__((unused));

static __inline__ void
p521_addw (
p521_t *a,
uint64_t x
) __attribute__((unused));
static __inline__ void
p521_subw (
p521_t *a,
uint64_t x
) __attribute__((unused));
static __inline__ void
p521_copy (
p521_t *out,
@@ -76,11 +52,6 @@ p521_strong_reduce (
p521_t *inout
);

mask_t
p521_is_zero (
const p521_t *in
);

static __inline__ void
p521_bias (
p521_t *inout,
@@ -134,18 +105,6 @@ timesW (
return u.zxyw + u.zwww;
}

void
p521_set_ui (
p521_t *out,
uint64_t x
) {
int i;
out->limb[0] = x;
for (i=1; i<12; i++) {
out->limb[i] = 0;
}
}

void
p521_add_RAW (
p521_t *out,
@@ -170,33 +129,6 @@ p521_sub_RAW (
}
}

void
p521_neg_RAW (
struct p521_t *out,
const p521_t *a
) {
unsigned int i;
for (i=0; i<sizeof(*out)/sizeof(uint64xn_t); i++) {
((uint64xn_t*)out)[i] = -((const uint64xn_t*)a)[i];
}
}

void
p521_addw (
p521_t *a,
uint64_t x
) {
a->limb[0] += x;
}
void
p521_subw (
p521_t *a,
uint64_t x
) {
a->limb[0] -= x;
}

void
p521_copy (
p521_t *out,


+ 1
- 8
src/p521/f_field.h View File

@@ -20,19 +20,12 @@
#define field_add_RAW p521_add_RAW
#define field_sub_RAW p521_sub_RAW
#define field_mulw p521_mulw
#define field_addw p521_addw
#define field_subw_RAW p521_subw
#define field_neg_RAW p521_neg_RAW
#define field_set_ui p521_set_ui
#define field_bias p521_bias
#define field_inverse p521_inverse
#define field_eq p521_eq
#define field_isr p521_isr
#define field_simultaneous_invert p521_simultaneous_invert
#define field_inverse p521_inverse
#define field_weak_reduce p521_weak_reduce
#define field_strong_reduce p521_strong_reduce
#define field_serialize p521_serialize
#define field_deserialize p521_deserialize
#define field_is_zero p521_is_zero

#endif /* __F_FIELD_H__ */

Write Preview
Loading…
Cancel
Save