diff --git a/HISTORY.txt b/HISTORY.txt index 231077a..93dbb87 100644 --- a/HISTORY.txt +++ b/HISTORY.txt @@ -1,3 +1,25 @@ +April 23, 2015: + Removed the original Goldilocks code; Decaf now stands on its own. + This cuts the source code approximately in half, to a still-large + 13.7k wc-lines. (Most of these lines are in the arch-specific + field implementations.) + + Note that the decaf_crypto routines are not intended to set + standards. They should be secure, but they're intended more as + examples of how the core ECC library could be used. + + The SHAKE stuff is also mostly an experiment, particularly the + STROBE protocol/mode stuff. This is all fine, because the ECC + library itself is the core, and doesn't require the SHAKE stuff. + (Except for the C++ header, which should probably also be factored + so that it doesn't need the SHAKE stuff.) + + I've started work on making a Decaf BAT, but not done yet. + + I haven't ripped out all old multi-field code, because I intend + to add support for other fields eventually. Maybe properly this + time, instead of with a million compile flags like the original. + March 23, 2015: I've been fleshing out Decaf, and hopefully the API is somewhere near final. I will probably move a few things around and add a diff --git a/README.txt b/README.txt index 6a53bea..7aa8f7e 100644 --- a/README.txt +++ b/README.txt @@ -1,42 +1,24 @@ -Ed448-Goldilocks +Ed448-Goldilocks, Decaf version. This software is an experimental implementation of a new 448-bit elliptic -curve called Ed448-Goldilocks. The implementation itself is based on that of -an earlier, unnamed 252-bit curve which should probably be referred to as -Ed252-MontgomeryStation. See http://eprint.iacr.org/2012/309 for details of -that implementation. +curve called Ed448-Goldilocks, with "Decaf" cofactor removal. -The source files here are all by Mike Hamburg. Most of them are (c) 2014 -Cryptography Research, Inc (a division of Rambus). The cRandom -implementation is the exception: these files are from the OpenConflict video -game protection system out of Stanford, and are (c) 2011 Stanford -University. All of these files are usable under the MIT license contained in -LICENSE.txt. +The source files here are all by Mike Hamburg. Most of them are (c) +2014-2015 Cryptography Research, Inc (a division of Rambus). All of these +files are usable under the MIT license contained in LICENSE.txt. The Makefile is set for my 2013 MacBook Air. You can `make bench` to run -a completely arbitrary set of benchmarks and tests, or `make -build/goldilocks.so` to build a stripped-down version of the library. For -non-Haswell platforms, you need to replace -mavx2 -mbmi2 by an appropriate -vector declaration. For non-Mac platforms, you won't be able to build a -library with this Makefile. This is fine, because you shouldn't be using -this for much at this stage anyway. +a completely arbitrary set of benchmarks and tests, or `make lib` to build +a stripped-down version of the library. For non-Haswell platforms, you may +need to replace -mavx2 -mbmi2 by an appropriate vector declaration. I've attempted to protect against timing attacks and invalid point attacks, -but as of yet no attempt to protect against power analysis. This is an early -revision, so I haven't done much analysis or correctness testing of -corner-cases. - -The code in ec_point.c and ec_point.h was generated with the help of a tool -written in SAGE. The field code in p448.h doesn't reduce after add/sub, and -so it requires care to prevent overflow. The SAGE tool figures out where to -put reductions and adjustments to prevent overflow. It also formally -verifies that the formulas produce points on the curve. I'm planning to add -more features to it eventually. That tool is even more experimental than -this library, though, and so I won't be releasing it just yet. +but as of yet no attempt to protect against power analysis. This software is incomplete, and lacks documentation. None of the APIs are -stable. The software is probably not secure. Please consult TODO.txt for -additional agenda items. Do not taunt happy fun ball. +yet stable, though they may be getting there. The software is probably not +secure. Please consult TODO.txt for additional agenda items. Do not taunt +happy fun ball. Cheers, -- Mike Hamburg diff --git a/TODO.txt b/TODO.txt index 827c947..ff8ef63 100644 --- a/TODO.txt +++ b/TODO.txt @@ -1,16 +1,10 @@ -Important work items for Ed448-Goldilocks: - -* Better architecture detection / factoring of arch-related headers. - [PROGRESS] - -* Better factoring of high-level vs low-level library. +Important work items for Ed448-Goldilocks / decaf: * Factor out hash, crandom from core library? + [DONE, except for C++ headers] * Signed 32-bit NEON implementation to avoid bias/reduce after subtract - - * Documentation: write high-level API docs, and internal docs to help other implementors. * Partial progress on Doxygenating the code. @@ -20,65 +14,27 @@ Important work items for Ed448-Goldilocks: * Cleanup: rename everything consistently. * namespace_op or op_namespace? namespace_op_type? * We don't have to be super-careful with the namespacing, because - symbols will be scrubbed by exported.sym. - -* Cleanup: hard-coded tables (probably?) - * This reduces the work required for goldilocks_init() at the expense - of library size. - - * Makes error-handling and thread safety easier. - - * Use the SAGE tool? + symbols will be scrubbed by visibility * Cleanup: unify intrinsics code * Word_t, mask_t, bigregister_t, etc. * Generate asm intrinsics with a script? -* [DONE] Bugfix: make sure that init() and randomization are thread-safe. - -* [DONE] Security: check on deserialization that points are < p. - * [NEEDS TESTING] Check also that they're nonzero or otherwise non-pathological? - * Testing: - * Corner-case testing - * More bulk random testing - * Negative testing. - * SAGE-(auto?)-generated test vectors - * Test the Barrett fields + * More testing. Testing, testing and testing. + * Test corner cases better. * Safety: add static analysis attributes for compilers that support them * Most functions now have warn on ignored return. + * [ MOSTLY DONE ] * Safety: - * [DONE] Check for init() if it's still required once we've done the above * Decide what to do about RNG failures * abort * return error and zeroize * return error but continue if RNG is kind of mostly OK - -* Flexibility: decide which API options are good. - * [DONE?] Eg, should functions take nbits and table sizes? - - * [DONE] Remove hardcoded adjustments from comb control. - * These adjustments make the output wrong when it's not 450 bits. - - * Other slow Barrett fields? Montgomery fields? - -* Mid-level API - * Make it easier to work with untwisted Edwards objects. - * Probably use extended or projective, not extensible coordinates. - * Scalarmul with other cofactor modes. - -* High-level API: - * SHA512 Elligator Edition? Maybe write a paper first. - - * Elligator. - * Need to write Elligator inverse. Might not be Elligator-2S. - - * FHMQV? Is this patented? - - * What low-level APIs to expose? - * Edwards points with add, sub, scalarmul, =, ==, ser/deser? + +* High-level API: [DONE] * Portability: test and make clean with other compilers * Using a fair amount of __attribute__ code. @@ -89,47 +45,14 @@ Important work items for Ed448-Goldilocks: * I can't get a simple for-loop to autovectorize :-/ * SAGE tool? -* Portability: make the inner layers of the code 32-bit clean. - * Write new versions of the field code. - * [DONE] 28-bit limbs give less headroom for carries. - * [DONE] Now have a vectorless ARM version; need NEON. - * Improve speed of 32-bit field code. - - * [DONE] Run through the SAGE tool to generate new bias & bound. - * [DONE] Portability: make the outer layers of the code 32-bit clean. * [DONE] Performance/flexibility: decide which parameters should be hard-coded. * Perhaps useful for comb precomputation. -* Performance: Improve SHA512. - * [DONE?] Improve portability. - * Improve speed. - * Except not, because this adds too much code size. - * Link OpenSSL if a fast SHA is desired. - -* Protocol: - * Decide what things to stir into hashes for various functions. - -* Performance: improve the Barrett field code. - * Support other primes? - * Capture prime shape into a struct instead of passing 3 params. - * [DONE] Make 32-bit clean. - -* Automation: - * Improve the SAGE tool to cover more cases - * Real SSA classes to cover branching and looping - * Constant-time selection - * Intrinsics code - * Field code? - - * SAGE tool is impossibly slow on 32-bit - * Currently stuck on Elligator after 19 hours. - * [FIXED] at least for now. - - * Vector-mul-chains - * Negation "bubble pushing" optimization +* Performance: Improve SHAKE. + * Improve speed. (Maybe) * Clear other TODO/FIXME/HACK/PERF items in the code -* [DONE?] Submit to SUPERCOP +* Submit Decaf to SUPERCOP diff --git a/include/decaf_crypto.h b/include/decaf_crypto.h index 81c4ad2..6e428fc 100644 --- a/include/decaf_crypto.h +++ b/include/decaf_crypto.h @@ -4,7 +4,10 @@ * Copyright (c) 2015 Cryptography Research, Inc. \n * Released under the MIT License. See LICENSE.txt for license information. * @author Mike Hamburg - * @brief Decaf cyrpto routines. + * @brief Example Decaf cyrpto routines. + * @warning These are merely examples, though they ought to be secure. But real + * protocols will decide differently on magic numbers, formats, which items to + * hash, etc. * @warning Experimental! The names, parameter orders etc are likely to change. */ diff --git a/src/decaf_crypto.c b/src/decaf_crypto.c index 8d49c38..4ec136e 100644 --- a/src/decaf_crypto.c +++ b/src/decaf_crypto.c @@ -5,7 +5,7 @@ * Copyright (c) 2015 Cryptography Research, Inc. \n * Released under the MIT License. See LICENSE.txt for license information. * @author Mike Hamburg - * @brief Decaf cyrpto routines. + * @brief Example Decaf cyrpto routines. */ #include "decaf_crypto.h" diff --git a/src/decaf_fast.c b/src/decaf_fast.c index 3f1eb2d..6e3c012 100644 --- a/src/decaf_fast.c +++ b/src/decaf_fast.c @@ -1106,12 +1106,6 @@ static void gf_batch_invert ( /* const */ gf *in, unsigned int n ) { - // if (n==0) { - // return; - // } else if (n==1) { - // field_inverse(out[0],in[0]); - // return; - // } assert(n>1); gf_cpy(out[1], in[0]); @@ -1254,7 +1248,7 @@ void decaf_448_precomputed_scalarmul ( for (k=0; klimb[bit/WBITS] >> (bit%WBITS) & 1) << k; } } diff --git a/src/include/field.h b/src/include/field.h index cb8cb59..9607e67 100644 --- a/src/include/field.h +++ b/src/include/field.h @@ -24,45 +24,6 @@ typedef struct field_t field_a_t[1]; #define IF32(s) #endif -/** @brief Bytes in a field element */ -#define FIELD_BYTES (1+(FIELD_BITS-1)/8) - -/** @brief Words in a field element */ -#define FIELD_WORDS (1+(FIELD_BITS-1)/sizeof(word_t)) - -/* TODO: standardize notation */ -/** @brief The number of words in the Goldilocks field. */ -#define GOLDI_FIELD_WORDS DIV_CEIL(FIELD_BITS,WORD_BITS) - -/** @brief The number of bits in the Goldilocks curve's cofactor (cofactor=4). */ -#define COFACTOR_BITS 2 - -/** @brief The number of bits in a Goldilocks scalar. */ -#define SCALAR_BITS (FIELD_BITS - COFACTOR_BITS) - -/** @brief The number of bytes in a Goldilocks scalar. */ -#define SCALAR_BYTES (1+(SCALAR_BITS)/8) - -/** @brief The number of words in the Goldilocks field. */ -#define SCALAR_WORDS WORDS_FOR_BITS(SCALAR_BITS) - -/** - * @brief For GMP tests: little-endian representation of the field modulus. - */ -extern const uint8_t FIELD_MODULUS[FIELD_BYTES]; - -/** - * Copy one field element to another. - */ -static inline void -__attribute__((unused,always_inline)) -field_copy ( - field_a_restrict_t a, - const field_a_restrict_t b -) { - memcpy(a,b,sizeof(*a)); -} - /** * Returns 1/sqrt(+- x). * @@ -76,38 +37,21 @@ field_isr ( field_a_t a, const field_a_t x ); - -/** - * Batch inverts out[i] = 1/in[i] - * - * If any input is zero, all the outputs will be zero. - */ -void -field_simultaneous_invert ( - field_a_t *__restrict__ out, - const field_a_t *in, - unsigned int n -); /** * Returns 1/x. * * If x=0, returns 0. + * + * TODO: this is currently unused in Decaf, but I've left a decl + * for it because field_inverse is different (and simpler) than + * field_isqrt for 5-mod-8 fields. */ void field_inverse ( field_a_t a, const field_a_t x ); - -/** - * Returns -1 if a==b, 0 otherwise. - */ -mask_t -field_eq ( - const field_a_t a, - const field_a_t b -); /** * Square x, n times. @@ -135,53 +79,6 @@ field_sqrn ( } } -static __inline__ mask_t -__attribute__((unused,always_inline)) -field_high_bit (const field_a_t f) { - field_a_t red; - field_copy(red,f); - field_weak_reduce(red); - field_add_RAW(red,red,red); - field_strong_reduce(red); - return -(1&red->limb[0]); -} - -static __inline__ mask_t -__attribute__((unused,always_inline)) -field_make_nonzero (field_a_t f) { - mask_t z = field_is_zero(f); - field_addw( f, -z ); - return z; -} - -/* Multiply by signed curve constant */ -static __inline__ void -field_mulw_scc ( - field_a_restrict_t out, - const field_a_t a, - int64_t scc -) { - if (scc >= 0) { - field_mulw(out, a, scc); - } else { - field_mulw(out, a, -scc); - field_neg_RAW(out,out); - field_bias(out,2); - } -} - -/* Multiply by signed curve constant and weak reduce if biased */ -static __inline__ void -field_mulw_scc_wr ( - field_a_restrict_t out, - const field_a_t a, - int64_t scc -) { - field_mulw_scc(out, a, scc); - if (scc < 0) - field_weak_reduce(out); -} - static __inline__ void field_subx_RAW ( field_a_t d, @@ -214,40 +111,6 @@ field_add ( field_weak_reduce ( d ); } -static __inline__ void -field_subw ( - field_a_t d, - word_t c -) { - field_subw_RAW ( d, c ); - field_bias( d, 1 ); - field_weak_reduce ( d ); -} - -static __inline__ void -field_neg ( - field_a_t d, - const field_a_t a -) { - field_neg_RAW ( d, a ); - field_bias( d, 2 ); - field_weak_reduce ( d ); -} - -/** - * Negate a in place if doNegate. - */ -static inline void -__attribute__((unused,always_inline)) -field_cond_neg ( - field_a_t a, - mask_t doNegate -) { - field_a_t negated; - field_neg(negated, a); - constant_time_select(a, negated, a, sizeof(negated), doNegate); -} - /** Require the warning annotation on raw routines */ #define ANALYZE_THIS_ROUTINE_CAREFULLY const int ANNOTATE___ANALYZE_THIS_ROUTINE_CAREFULLY = 0; #define MUST_BE_CAREFUL (void) ANNOTATE___ANALYZE_THIS_ROUTINE_CAREFULLY diff --git a/src/p448/arch_32/p448.h b/src/p448/arch_32/p448.h index f0406cd..d3529fb 100644 --- a/src/p448/arch_32/p448.h +++ b/src/p448/arch_32/p448.h @@ -17,12 +17,6 @@ typedef struct p448_t { extern "C" { #endif -static __inline__ void -p448_set_ui ( - p448_t *out, - uint64_t x -) __attribute__((unused,always_inline)); - static __inline__ void p448_add_RAW ( p448_t *out, @@ -37,24 +31,6 @@ p448_sub_RAW ( const p448_t *b ) __attribute__((unused,always_inline)); -static __inline__ void -p448_neg_RAW ( - p448_t *out, - const p448_t *a -) __attribute__((unused,always_inline)); - -static __inline__ void -p448_addw ( - p448_t *a, - uint32_t x -) __attribute__((unused,always_inline)); - -static __inline__ void -p448_subw ( - p448_t *a, - uint32_t x -) __attribute__((unused,always_inline)); - static __inline__ void p448_copy ( p448_t *out, @@ -70,11 +46,6 @@ void p448_strong_reduce ( p448_t *inout ); - -mask_t -p448_is_zero ( - const p448_t *in -); static __inline__ void p448_bias ( @@ -116,19 +87,6 @@ p448_deserialize ( /* -------------- Inline functions begin here -------------- */ -void -p448_set_ui ( - p448_t *out, - uint64_t x -) { - int i; - out->limb[0] = x & ((1<<28)-1); - out->limb[1] = x>>28; - for (i=2; i<16; i++) { - out->limb[i] = 0; - } -} - void p448_add_RAW ( p448_t *out, @@ -165,39 +123,6 @@ p448_sub_RAW ( */ } -void -p448_neg_RAW ( - p448_t *out, - const p448_t *a -) { - unsigned int i; - for (i=0; ilimb[0]); i++) { - out->limb[i] = -a->limb[i]; - } - */ -} - -void -p448_addw ( - p448_t *a, - uint32_t x -) { - a->limb[0] += x; -} - -void -p448_subw ( - p448_t *a, - uint32_t x -) { - a->limb[0] -= x; -} - void p448_copy ( p448_t *out, diff --git a/src/p448/arch_arm_32/p448.h b/src/p448/arch_arm_32/p448.h index f0406cd..d3529fb 100644 --- a/src/p448/arch_arm_32/p448.h +++ b/src/p448/arch_arm_32/p448.h @@ -17,12 +17,6 @@ typedef struct p448_t { extern "C" { #endif -static __inline__ void -p448_set_ui ( - p448_t *out, - uint64_t x -) __attribute__((unused,always_inline)); - static __inline__ void p448_add_RAW ( p448_t *out, @@ -37,24 +31,6 @@ p448_sub_RAW ( const p448_t *b ) __attribute__((unused,always_inline)); -static __inline__ void -p448_neg_RAW ( - p448_t *out, - const p448_t *a -) __attribute__((unused,always_inline)); - -static __inline__ void -p448_addw ( - p448_t *a, - uint32_t x -) __attribute__((unused,always_inline)); - -static __inline__ void -p448_subw ( - p448_t *a, - uint32_t x -) __attribute__((unused,always_inline)); - static __inline__ void p448_copy ( p448_t *out, @@ -70,11 +46,6 @@ void p448_strong_reduce ( p448_t *inout ); - -mask_t -p448_is_zero ( - const p448_t *in -); static __inline__ void p448_bias ( @@ -116,19 +87,6 @@ p448_deserialize ( /* -------------- Inline functions begin here -------------- */ -void -p448_set_ui ( - p448_t *out, - uint64_t x -) { - int i; - out->limb[0] = x & ((1<<28)-1); - out->limb[1] = x>>28; - for (i=2; i<16; i++) { - out->limb[i] = 0; - } -} - void p448_add_RAW ( p448_t *out, @@ -165,39 +123,6 @@ p448_sub_RAW ( */ } -void -p448_neg_RAW ( - p448_t *out, - const p448_t *a -) { - unsigned int i; - for (i=0; ilimb[0]); i++) { - out->limb[i] = -a->limb[i]; - } - */ -} - -void -p448_addw ( - p448_t *a, - uint32_t x -) { - a->limb[0] += x; -} - -void -p448_subw ( - p448_t *a, - uint32_t x -) { - a->limb[0] -= x; -} - void p448_copy ( p448_t *out, diff --git a/src/p448/arch_neon_experimental/p448.h b/src/p448/arch_neon_experimental/p448.h index 63dea24..f2d2794 100644 --- a/src/p448/arch_neon_experimental/p448.h +++ b/src/p448/arch_neon_experimental/p448.h @@ -27,12 +27,6 @@ typedef struct p448_t { extern "C" { #endif -static __inline__ void -p448_set_ui ( - p448_t *out, - uint64_t x -) __attribute__((unused,always_inline)); - static __inline__ void p448_add_RAW ( p448_t *out, @@ -47,24 +41,6 @@ p448_sub_RAW ( const p448_t *b ) __attribute__((unused,always_inline)); -static __inline__ void -p448_neg_RAW ( - p448_t *out, - const p448_t *a -) __attribute__((unused,always_inline)); - -static __inline__ void -p448_addw ( - p448_t *a, - uint32_t x -) __attribute__((unused,always_inline)); - -static __inline__ void -p448_subw ( - p448_t *a, - uint32_t x -) __attribute__((unused,always_inline)); - static __inline__ void p448_copy ( p448_t *out, @@ -80,11 +56,6 @@ void p448_strong_reduce ( p448_t *inout ); - -mask_t -p448_is_zero ( - const p448_t *in -); static __inline__ void p448_bias ( @@ -169,39 +140,6 @@ p448_sub_RAW ( */ } -void -p448_neg_RAW ( - p448_t *out, - const p448_t *a -) { - unsigned int i; - for (i=0; ilimb[0]); i++) { - out->limb[i] = -a->limb[i]; - } - */ -} - -void -p448_addw ( - p448_t *a, - uint32_t x -) { - a->limb[0] += x; -} - -void -p448_subw ( - p448_t *a, - uint32_t x -) { - a->limb[0] -= x; -} - void p448_copy ( p448_t *out, diff --git a/src/p448/arch_ref64/p448.h b/src/p448/arch_ref64/p448.h index d6670c3..ba669a0 100644 --- a/src/p448/arch_ref64/p448.h +++ b/src/p448/arch_ref64/p448.h @@ -18,12 +18,6 @@ typedef struct p448_t { extern "C" { #endif -static __inline__ void -p448_set_ui ( - p448_t *out, - uint64_t x -) __attribute__((unused)); - static __inline__ void p448_add_RAW ( p448_t *out, @@ -38,24 +32,6 @@ p448_sub_RAW ( const p448_t *b ) __attribute__((unused)); -static __inline__ void -p448_neg_RAW ( - p448_t *out, - const p448_t *a -) __attribute__((unused)); - -static __inline__ void -p448_addw ( - p448_t *a, - uint64_t x -) __attribute__((unused)); - -static __inline__ void -p448_subw ( - p448_t *a, - uint64_t x -) __attribute__((unused)); - static __inline__ void p448_copy ( p448_t *out, @@ -72,22 +48,11 @@ p448_strong_reduce ( p448_t *inout ); -mask_t -p448_is_zero ( - const p448_t *in -); - static __inline__ void p448_bias ( p448_t *inout, int amount ) __attribute__((unused)); - -static __inline__ void -p448_really_bias ( - p448_t *inout, - int amount -) __attribute__((unused)); void p448_mul ( @@ -123,18 +88,6 @@ p448_deserialize ( /* -------------- Inline functions begin here -------------- */ -void -p448_set_ui ( - p448_t *out, - uint64_t x -) { - int i; - out->limb[0] = x; - for (i=1; i<8; i++) { - out->limb[i] = 0; - } -} - void p448_add_RAW ( p448_t *out, @@ -162,39 +115,6 @@ p448_sub_RAW ( p448_weak_reduce(out); } -void -p448_neg_RAW ( - struct p448_t *out, - const p448_t *a -) { - unsigned int i; - uint64_t co1 = ((1ull<<56)-1)*2, co2 = co1-2; - for (i=0; i<8; i++) { - out->limb[i] = ((i==4) ? co2 : co1) - a->limb[i]; - } - p448_weak_reduce(out); -} - -void -p448_addw ( - p448_t *a, - uint64_t x -) { - a->limb[0] += x; - a->limb[1] += a->limb[0]>>56; - a->limb[0] &= (1ull<<56)-1; -} - -void -p448_subw ( - p448_t *a, - uint64_t x -) { - a->limb[0] -= x; - p448_really_bias(a, 1); - p448_weak_reduce(a); -} - void p448_copy ( p448_t *out, @@ -203,18 +123,6 @@ p448_copy ( memcpy(out,a,sizeof(*a)); } -void -p448_really_bias ( - p448_t *a, - int amt -) { - uint64_t co1 = ((1ull<<56)-1)*amt, co2 = co1-amt; - int i; - for (i=0; i<8; i++) { - a->limb[i] += (i==4) ? co2 : co1; - } -} - void p448_bias ( p448_t *a, diff --git a/src/p448/arch_x86_64/p448.h b/src/p448/arch_x86_64/p448.h index d91895b..68bafdf 100644 --- a/src/p448/arch_x86_64/p448.h +++ b/src/p448/arch_x86_64/p448.h @@ -17,12 +17,6 @@ typedef struct p448_t { extern "C" { #endif -static __inline__ void -p448_set_ui ( - p448_t *out, - uint64_t x -) __attribute__((unused,always_inline)); - static __inline__ void p448_add_RAW ( p448_t *out, @@ -37,24 +31,6 @@ p448_sub_RAW ( const p448_t *b ) __attribute__((unused,always_inline)); -static __inline__ void -p448_neg_RAW ( - p448_t *out, - const p448_t *a -) __attribute__((unused,always_inline)); - -static __inline__ void -p448_addw ( - p448_t *a, - uint64_t x -) __attribute__((unused,always_inline)); - -static __inline__ void -p448_subw ( - p448_t *a, - uint64_t x -) __attribute__((unused,always_inline)); - static __inline__ void p448_copy ( p448_t *out, @@ -71,11 +47,6 @@ p448_strong_reduce ( p448_t *inout ); -mask_t -p448_is_zero ( - const p448_t *in -); - static __inline__ void p448_bias ( p448_t *inout, @@ -116,18 +87,6 @@ p448_deserialize ( /* -------------- Inline functions begin here -------------- */ -void -p448_set_ui ( - p448_t *out, - uint64_t x -) { - int i; - out->limb[0] = x; - for (i=1; i<8; i++) { - out->limb[i] = 0; - } -} - void p448_add_RAW ( p448_t *out, @@ -164,39 +123,6 @@ p448_sub_RAW ( */ } -void -p448_neg_RAW ( - struct p448_t *out, - const p448_t *a -) { - unsigned int i; - for (i=0; ilimb[0]); i++) { - out->limb[i] = -a->limb[i]; - } - */ -} - -void -p448_addw ( - p448_t *a, - uint64_t x -) { - a->limb[0] += x; -} - -void -p448_subw ( - p448_t *a, - uint64_t x -) { - a->limb[0] -= x; -} - void p448_copy ( p448_t *out, diff --git a/src/p448/f_field.h b/src/p448/f_field.h index 7284194..a6fa008 100644 --- a/src/p448/f_field.h +++ b/src/p448/f_field.h @@ -20,19 +20,12 @@ #define field_add_RAW p448_add_RAW #define field_sub_RAW p448_sub_RAW #define field_mulw p448_mulw -#define field_addw p448_addw -#define field_subw_RAW p448_subw -#define field_neg_RAW p448_neg_RAW -#define field_set_ui p448_set_ui #define field_bias p448_bias -#define field_inverse p448_inverse -#define field_eq p448_eq #define field_isr p448_isr -#define field_simultaneous_invert p448_simultaneous_invert +#define field_inverse p448_inverse #define field_weak_reduce p448_weak_reduce #define field_strong_reduce p448_strong_reduce #define field_serialize p448_serialize #define field_deserialize p448_deserialize -#define field_is_zero p448_is_zero #endif /* __F_FIELD_H__ */ diff --git a/src/p480/arch_x86_64/p480.h b/src/p480/arch_x86_64/p480.h index ea841aa..c309200 100644 --- a/src/p480/arch_x86_64/p480.h +++ b/src/p480/arch_x86_64/p480.h @@ -17,12 +17,6 @@ typedef struct p480_t { extern "C" { #endif -static __inline__ void -p480_set_ui ( - p480_t *out, - uint64_t x -) __attribute__((unused,always_inline)); - static __inline__ void p480_add_RAW ( p480_t *out, @@ -37,24 +31,6 @@ p480_sub_RAW ( const p480_t *b ) __attribute__((unused,always_inline)); -static __inline__ void -p480_neg_RAW ( - p480_t *out, - const p480_t *a -) __attribute__((unused,always_inline)); - -static __inline__ void -p480_addw ( - p480_t *a, - uint64_t x -) __attribute__((unused,always_inline)); - -static __inline__ void -p480_subw ( - p480_t *a, - uint64_t x -) __attribute__((unused,always_inline)); - static __inline__ void p480_copy ( p480_t *out, @@ -70,11 +46,6 @@ void p480_strong_reduce ( p480_t *inout ); - -mask_t -p480_is_zero ( - const p480_t *in -); static __inline__ void p480_bias ( @@ -116,18 +87,6 @@ p480_deserialize ( /* -------------- Inline functions begin here -------------- */ -void -p480_set_ui ( - p480_t *out, - uint64_t x -) { - int i; - out->limb[0] = x; - for (i=1; i<8; i++) { - out->limb[i] = 0; - } -} - void p480_add_RAW ( p480_t *out, @@ -164,39 +123,6 @@ p480_sub_RAW ( */ } -void -p480_neg_RAW ( - struct p480_t *out, - const p480_t *a -) { - unsigned int i; - for (i=0; ilimb[0]); i++) { - out->limb[i] = -a->limb[i]; - } - */ -} - -void -p480_addw ( - p480_t *a, - uint64_t x -) { - a->limb[0] += x; -} - -void -p480_subw ( - p480_t *a, - uint64_t x -) { - a->limb[0] -= x; -} - void p480_copy ( p480_t *out, diff --git a/src/p480/f_field.h b/src/p480/f_field.h index c681bd3..24c9471 100644 --- a/src/p480/f_field.h +++ b/src/p480/f_field.h @@ -20,19 +20,12 @@ #define field_add_RAW p480_add_RAW #define field_sub_RAW p480_sub_RAW #define field_mulw p480_mulw -#define field_addw p480_addw -#define field_subw_RAW p480_subw -#define field_neg_RAW p480_neg_RAW -#define field_set_ui p480_set_ui #define field_bias p480_bias -#define field_inverse p480_inverse -#define field_eq p480_eq #define field_isr p480_isr -#define field_simultaneous_invert p480_simultaneous_invert +#define field_inverse p480_inverse #define field_weak_reduce p480_weak_reduce #define field_strong_reduce p480_strong_reduce #define field_serialize p480_serialize #define field_deserialize p480_deserialize -#define field_is_zero p480_is_zero #endif /* __F_FIELD_H__ */ diff --git a/src/p521/arch_ref64/p521.h b/src/p521/arch_ref64/p521.h index ff458a6..2b63f13 100644 --- a/src/p521/arch_ref64/p521.h +++ b/src/p521/arch_ref64/p521.h @@ -18,12 +18,6 @@ typedef struct p521_t { extern "C" { #endif -static __inline__ void -p521_set_ui ( - p521_t *out, - uint64_t x -) __attribute__((unused)); - static __inline__ void p521_add_RAW ( p521_t *out, @@ -38,24 +32,6 @@ p521_sub_RAW ( const p521_t *b ) __attribute__((unused)); -static __inline__ void -p521_neg_RAW ( - p521_t *out, - const p521_t *a -) __attribute__((unused)); - -static __inline__ void -p521_addw ( - p521_t *a, - uint64_t x -) __attribute__((unused)); - -static __inline__ void -p521_subw ( - p521_t *a, - uint64_t x -) __attribute__((unused)); - static __inline__ void p521_copy ( p521_t *out, @@ -72,22 +48,11 @@ p521_strong_reduce ( p521_t *inout ); -mask_t -p521_is_zero ( - const p521_t *in -); - static __inline__ void p521_bias ( p521_t *inout, int amount ) __attribute__((unused)); - -static __inline__ void -p521_really_bias ( - p521_t *inout, - int amount -) __attribute__((unused)); void p521_mul ( @@ -123,18 +88,6 @@ p521_deserialize ( /* -------------- Inline functions begin here -------------- */ -void -p521_set_ui ( - p521_t *out, - uint64_t x -) { - int i; - out->limb[0] = x; - for (i=1; i<9; i++) { - out->limb[i] = 0; - } -} - void p521_add_RAW ( p521_t *out, @@ -162,39 +115,6 @@ p521_sub_RAW ( p521_weak_reduce(out); } -void -p521_neg_RAW ( - struct p521_t *out, - const p521_t *a -) { - unsigned int i; - uint64_t co1 = ((1ull<<58)-1)*4, co2 = ((1ull<<57)-1)*4; - for (i=0; i<9; i++) { - out->limb[i] = ((i==8) ? co2 : co1) - a->limb[i]; - } - p521_weak_reduce(out); -} - -void -p521_addw ( - p521_t *a, - uint64_t x -) { - a->limb[0] += x; - a->limb[1] += a->limb[0]>>58; - a->limb[0] &= (1ull<<58)-1; -} - -void -p521_subw ( - p521_t *a, - uint64_t x -) { - a->limb[0] -= x; - p521_really_bias(a, 1); - p521_weak_reduce(a); -} - void p521_copy ( p521_t *out, @@ -203,18 +123,6 @@ p521_copy ( memcpy(out,a,sizeof(*a)); } -void -p521_really_bias ( - p521_t *a, - int amt -) { - uint64_t co1 = ((1ull<<58)-1)*2*amt, co2 = ((1ull<<57)-1)*2*amt; - int i; - for (i=0; i<9; i++) { - a->limb[i] += (i==8) ? co2 : co1; - } -} - void p521_bias ( p521_t *a, diff --git a/src/p521/arch_x86_64_r12/p521.h b/src/p521/arch_x86_64_r12/p521.h index 568784b..14ecb3f 100644 --- a/src/p521/arch_x86_64_r12/p521.h +++ b/src/p521/arch_x86_64_r12/p521.h @@ -22,12 +22,6 @@ typedef struct p521_t { extern "C" { #endif -static __inline__ void -p521_set_ui ( - p521_t *out, - uint64_t x -) __attribute__((unused)); - static __inline__ void p521_add_RAW ( p521_t *out, @@ -42,24 +36,6 @@ p521_sub_RAW ( const p521_t *b ) __attribute__((unused)); -static __inline__ void -p521_neg_RAW ( - p521_t *out, - const p521_t *a -) __attribute__((unused)); - -static __inline__ void -p521_addw ( - p521_t *a, - uint64_t x -) __attribute__((unused)); - -static __inline__ void -p521_subw ( - p521_t *a, - uint64_t x -) __attribute__((unused)); - static __inline__ void p521_copy ( p521_t *out, @@ -76,11 +52,6 @@ p521_strong_reduce ( p521_t *inout ); -mask_t -p521_is_zero ( - const p521_t *in -); - static __inline__ void p521_bias ( p521_t *inout, @@ -134,18 +105,6 @@ timesW ( return u.zxyw + u.zwww; } -void -p521_set_ui ( - p521_t *out, - uint64_t x -) { - int i; - out->limb[0] = x; - for (i=1; i<12; i++) { - out->limb[i] = 0; - } -} - void p521_add_RAW ( p521_t *out, @@ -170,33 +129,6 @@ p521_sub_RAW ( } } -void -p521_neg_RAW ( - struct p521_t *out, - const p521_t *a -) { - unsigned int i; - for (i=0; ilimb[0] += x; -} - -void -p521_subw ( - p521_t *a, - uint64_t x -) { - a->limb[0] -= x; -} - void p521_copy ( p521_t *out, diff --git a/src/p521/f_field.h b/src/p521/f_field.h index 6331072..54cf74c 100644 --- a/src/p521/f_field.h +++ b/src/p521/f_field.h @@ -20,19 +20,12 @@ #define field_add_RAW p521_add_RAW #define field_sub_RAW p521_sub_RAW #define field_mulw p521_mulw -#define field_addw p521_addw -#define field_subw_RAW p521_subw -#define field_neg_RAW p521_neg_RAW -#define field_set_ui p521_set_ui #define field_bias p521_bias -#define field_inverse p521_inverse -#define field_eq p521_eq #define field_isr p521_isr -#define field_simultaneous_invert p521_simultaneous_invert +#define field_inverse p521_inverse #define field_weak_reduce p521_weak_reduce #define field_strong_reduce p521_strong_reduce #define field_serialize p521_serialize #define field_deserialize p521_deserialize -#define field_is_zero p521_is_zero #endif /* __F_FIELD_H__ */