From cc79f559b34e8be7398e129ce99558ed29a7d0a2 Mon Sep 17 00:00:00 2001
From: Michael Hamburg
Date: Fri, 19 Jun 2015 14:48:52 -0700
Subject: [PATCH] remove direct ladder for now

---
 src/decaf_fast.c | 137 +---------------------------------------------
 1 file changed, 1 insertion(+), 136 deletions(-)

diff --git a/src/decaf_fast.c b/src/decaf_fast.c
index faa684c..c80a177 100644
--- a/src/decaf_fast.c
+++ b/src/decaf_fast.c
@@ -1371,141 +1371,7 @@ void API_NS(precomputed_scalarmul) (
 }
 }
 
-#if DECAF_USE_MONTGOMERY_LADDER
-/** Return high bit of x/2 = low bit of x mod p */
-static inline decaf_word_t lobit(gf x) {
- gf_canon(x);
- return -(x->limb[0]&1);
-}
-
-decaf_bool_t API_NS(direct_scalarmul) (
- uint8_t scaled[SER_BYTES],
- const uint8_t base[SER_BYTES],
- const scalar_t scalar,
- decaf_bool_t allow_identity,
- decaf_bool_t short_circuit
-) {
- /* The Montgomery ladder does not short-circuit return on invalid points,
- * since it detects them during recompress.
- */
- (void)short_circuit;
-
- gf s0, x0, xa, za, xd, zd, xs, zs, L0, L1;
- decaf_bool_t succ = gf_deser ( s0, base );
- succ &= allow_identity |~ gf_eq( s0, ZERO);
-
- /* Prepare the Montgomery ladder: Q = 1:0, P+Q = P */
- gf_sqr ( xa, s0 );
- gf_cpy ( x0, xa );
- gf_cpy ( za, ONE );
- gf_cpy ( xd, ONE );
- gf_cpy ( zd, ZERO );
-
- int j;
- decaf_bool_t pflip = 0;
- for (j=SCALAR_BITS-1; j>=0; j--) {
- /* Augmented Montgomery ladder */
- decaf_bool_t flip = -((scalar->limb[j/WBITS]>>(j%WBITS))&1);
-
- /* Differential add first... */
- gf_add_nr ( xs, xa, za );
- gf_sub_nr ( zs, xa, za );
- gf_add_nr ( xa, xd, zd );
- gf_sub_nr ( za, xd, zd );
-
- cond_sel(L0,xa,xs,flip^pflip);
- cond_sel(L1,za,zs,flip^pflip);
-
- gf_mul ( xd, xa, zs );
- gf_mul ( zd, xs, za );
- gf_add_nr ( xs, xd, zd );
- gf_sub_nr ( zd, xd, zd );
- gf_mul ( zs, zd, s0 );
- gf_sqr ( xa, xs );
- gf_sqr ( za, zs );
-
- /* ... and then double */
- gf_sqr ( zd, L0 );
- gf_sqr ( L0, L1 );
- gf_sub_nr ( L1, zd, L0 );
- gf_mul ( xd, L0, zd );
- gf_mlw ( zd, L1, 1-EDWARDS_D );
- gf_add_nr ( L0, L0, zd );
- gf_mul ( zd, L0, L1 );
-
- pflip = flip;
- }
- cond_swap(xa,xd,pflip);
- cond_swap(za,zd,pflip);
-
- /* OK, time to reserialize! Should be easy (heh, but seriously, TODO: simplify) */
- gf xz_d, xz_a, xz_s, den, L2, L3;
- mask_t zcase, output_zero, sflip, za_zero;
- gf_mul(xz_s, xs, zs);
- gf_mul(xz_d, xd, zd);
- gf_mul(xz_a, xa, za);
- output_zero = gf_eq(xz_d, ZERO);
- xz_d->limb[0] -= output_zero; /* make xz_d always nonzero */
- zcase = output_zero | gf_eq(xz_a, ZERO);
- za_zero = gf_eq(za, ZERO);
-
- /* Curve test in zcase, compute x0^2 + (2d-4)x0 + 1
- * (we know that x0 = s0^2 is square).
- */
- gf_add(L0,x0,ONE);
- gf_sqr(L1,L0);
- gf_mlw(L0,x0,-4*EDWARDS_D);
- gf_add(L1,L1,L0);
- cond_sel(xz_a,xz_a,L1,zcase);
-
- /* Compute denominator = x0 xa za xd zd */
- gf_mul(L0, x0, xz_a);
- gf_mul(L1, L0, xz_d);
- gf_isqrt(den, L1);
-
- /* Check that the square root came out OK. */
- gf_sqr(L2, den);
- gf_mul(L3, L0, L2); /* x0 xa za den^2 = 1/xz_d, for later */
- gf_mul(L0, L1, L2);
- gf_add(L0, L0, ONE);
- succ &= ~hibit(s0) & ~gf_eq(L0, ZERO);
-
- /* Compute y/x for input and output point. */
- gf_mul(L1, x0, xd);
- gf_sub(L1, zd, L1);
- gf_mul(L0, za, L1); /* L0 = "opq" */
- gf_mul(L1, x0, zd);
- gf_sub(L1, L1, xd);
- gf_mul(L2, xa, L1); /* L2 = "pqr" */
- gf_sub(L1, L0, L2);
- gf_add(L0, L0, L2);
- gf_mul(L2, L1, den); /* L2 = y0 / x0 */
- gf_mul(L1, L0, den); /* L1 = yO / xO */
- sflip = (lobit(L1) ^ lobit(L2)) | za_zero;
- /* OK, done with y-coordinates */
-
- /* If xa==0 or za ==0: return 0
- * Else if za == 0: return s0 * (sflip ? zd : xd)^2 * L3
- * Else if zd == 0: return s0 * (sflip ? zd : xd)^2 * L3
- * Else if pflip: return xs * zs * (sflip ? zd : xd) * L3
- * Else: return s0 * xs * zs * (sflip ? zd : xd) * den
- */
- cond_sel(xd, xd, zd, sflip); /* xd = actual xd we care about */
- cond_sel(den,den,L3,pflip|zcase);
- cond_sel(xz_s,xz_s,xd,zcase);
- cond_sel(s0,s0,ONE,pflip&~zcase);
- cond_sel(s0,s0,ZERO,output_zero);
-
- gf_mul(L0,xd,den);
- gf_mul(L1,L0,s0);
- gf_mul(L0,L1,xz_s);
-
- cond_neg(L0,hibit(L0));
- gf_encode(scaled, L0);
-
- return succ;
-}
-#else /* DECAF_USE_MONTGOMERY_LADDER */
+/* TODO: restore Curve25519 Montgomery ladder? */
 decaf_bool_t API_NS(direct_scalarmul) (
 uint8_t scaled[SER_BYTES],
 const uint8_t base[SER_BYTES],
@@ -1520,7 +1386,6 @@ decaf_bool_t API_NS(direct_scalarmul) (
 API_NS(point_encode)(scaled, basep);
 return succ;
 }
-#endif /* DECAF_USE_MONTGOMERY_LADDER */
 
 /**
  * @cond internal
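Review bot: The replacement comment `/* TODO: restore Curve25519 Montgomery ladder? */` leaves the surviving `direct_scalarmul` without the one fact a caller needs: the deleted ladder deliberately ignored `short_circuit` (its own comment says invalid points were caught during recompress rather than by returning early), so whether the remaining implementation, which ends in `API_NS(point_encode)(scaled, basep)` per the second hunk, can now return early on a rejected input is a change in timing contract and should be stated there, hedged if it is not certain. With the `#if`/`#else`/`#endif` gone, a build that still defines `DECAF_USE_MONTGOMERY_LADDER` silently gets the non-ladder path; consider `#if DECAF_USE_MONTGOMERY_LADDER` / `#error "Montgomery ladder removed; see TODO in direct_scalarmul"` / `#endif` above the function so the stale configuration is caught at compile time. A fuller comment would read: `/* TODO: restore the Montgomery ladder. Until then direct_scalarmul takes the generic decode/scalarmul/encode path and DECAF_USE_MONTGOMERY_LADDER has no effect. */` The new-side `direct_scalarmul` begins at the end of this hunk and its body continues outside it; the `#endif` dropped in the second hunk is the matching close of the removed conditional.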