diff --git a/src/curve_ed25519/curve_data.inc.c b/src/curve_ed25519/curve_data.inc.c
index ac8b018..8c33457 100644
--- a/src/curve_ed25519/curve_data.inc.c
+++ b/src/curve_ed25519/curve_data.inc.c
@@ -1,14 +1,3 @@
-// FIXME move to arch or something
-#define WBITS DECAF_WORD_BITS
-#define LBITS DECAF_255_LIMB_BITS
-
-#if WBITS == 64
-#define LIMB(x) (x##ull)
-#define SC_LIMB(x) (x##ull)
-#else
-#error "Only supporting 64-bit platforms right now"
-#endif
-
 #define API_NAME "decaf_255"
 #define API_NS(_id) decaf_255_##_id
 #define API_NS2(_pref,_id) _pref##_decaf_255_##_id
diff --git a/src/curve_ed448goldilocks/curve_data.inc.c b/src/curve_ed448goldilocks/curve_data.inc.c
index 6977044..b4a619b 100644
--- a/src/curve_ed448goldilocks/curve_data.inc.c
+++ b/src/curve_ed448goldilocks/curve_data.inc.c
@@ -1,14 +1,3 @@
-#define WBITS DECAF_WORD_BITS
-// #define LBITS DECAF_448_LIMB_BITS // FIXME
-
-#if WBITS == 64
-#define SC_LIMB(x) (x##ull)
-#elif WBITS == 32
-#define SC_LIMB(x) (x##ull)&((1ull<<32)-1), (x##ull)>>32
-#else
-#error "Only supporting 32- and 64-bit platforms right now"
-#endif
-
 #define API_NAME "decaf_448"
 #define API_NS(_id) decaf_448_##_id
 #define API_NS2(_pref,_id) _pref##_decaf_448_##_id
diff --git a/src/decaf_fast.c b/src/decaf_fast.c
index 902eb18..d0c95a9 100644
--- a/src/decaf_fast.c
+++ b/src/decaf_fast.c
@@ -41,11 +41,9 @@ extern const gf SQRT_MINUS_ONE;
 extern const gf SQRT_ONE_MINUS_D; /* TODO: Intern this? */
 #endif
-#define sv static void
-#define snv static void __attribute__((noinline))
-#define siv static inline void __attribute__((always_inline))
-
-
+#define NOINLINE __attribute__((noinline))
+#define INLINE inline __attribute__((always_inline))
+#define WBITS DECAF_WORD_BITS
 const scalar_t API_NS(scalar_one) = {{{1}}}, API_NS(scalar_zero) = {{{0}}};
 extern const scalar_t API_NS(sc_r2);
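Review bot: The removed block in src/curve_ed25519/curve_data.inc.c also drops `LIMB(x)` and the 64-bit-only `#error`, but the word.h hunk in this commit only re-adds `SC_LIMB`, and nothing on the page shows where `LIMB` now comes from. If the 255-bit field constants are spelled with `LIMB(...)` this fails to compile on every target; if they are not, a 32-bit build of this curve now gets past the preprocessor gate that used to reject it and depends on a 32-bit field backend the commit does not show. Either carry a `LIMB` definition into word.h next to the new `SC_LIMB`, or keep the `#error` for this curve until its 32-bit backend exists.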
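Review bot: `INLINE` and `NOINLINE` in the src/decaf_fast.c hunk are defined unconditionally under names that compiler shims and platform SDKs commonly claim, so a later include can produce a redefinition warning or quietly replace `inline __attribute__((always_inline))` with a plain `inline` and change which helpers are force-inlined. Project-prefixed names such as `DECAF_INLINE` and `DECAF_NOINLINE` avoid the collision; failing that, detect a prior definition with `#ifdef INLINE` followed by `#error` so the clash is loud rather than silent. This is a point of style, the expansions themselves look right.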
@@ -90,22 +88,26 @@ const size_t API_NS2(alignof,precomputed_s) = 32;
 #define FOR_LIMB_U(i,op) { unsigned int i=0; UNROLL for (i=0; ilimb[i] ^ y->limb[i]) & swap; x->limb[i] ^= s;
@@ -114,7 +116,9 @@ siv cond_swap(gf x, gf_s *__restrict__ y, decaf_bool_t swap) {
 }
 /** Compare a==b */
-decaf_word_t __attribute__((noinline)) gf_eq(const gf a, const gf b) {
+/* Not static because it's used in inverse square root. */
+decaf_word_t
+gf_eq(const gf a, const gf b) {
 gf c;
 gf_sub(c,a,b);
 gf_strong_reduce(c);
@@ -125,7 +129,8 @@ decaf_word_t __attribute__((noinline)) gf_eq(const gf a, const gf b) {
 }
 /** Inverse square root using addition chain. */
-static decaf_bool_t gf_isqrt_chk(gf y, const gf x, decaf_bool_t allow_zero) {
+static decaf_bool_t
+gf_isqrt_chk(gf y, const gf x, decaf_bool_t allow_zero) {
 gf tmp0, tmp1;
 gf_isr((gf_s *)y, (const gf_s *)x);
 gf_sqr(tmp0,y);
@@ -134,7 +139,8 @@ static decaf_bool_t gf_isqrt_chk(gf y, const gf x, decaf_bool_t allow_zero) {
 }
 /** Inverse. */
-sv gf_invert(gf y, const gf x) {
+static void
+gf_invert(gf y, const gf x) {
 gf t1, t2;
 gf_sqr(t1, x); // o^2
 decaf_bool_t ret = gf_isqrt_chk(t2, t1, 0); // +-1/sqrt(o^2) = +-1/o
@@ -148,7 +154,8 @@ sv gf_invert(gf y, const gf x) {
 * Mul by signed int. Not constant-time WRT the sign of that int.
 * Just uses a full mul (PERF)
 */
-static inline void gf_mulw_sgn(gf c, const gf a, int w) {
+static INLINE void
+gf_mulw_sgn(gf c, const gf a, int w) {
 if (w>0) {
 gf_mulw(c, a, w);
 } else {
@@ -178,7 +185,8 @@ static decaf_word_t lobit(const gf x) {
 /** {extra,accum} - sub +? p
 * Must have extra <= 1
 */
-snv sc_subx(
+static NOINLINE void
+sc_subx(
 scalar_t out,
 const decaf_word_t accum[SCALAR_LIMBS],
 const scalar_t sub,
@@ -202,7 +210,8 @@ snv sc_subx(
 }
 }
-snv sc_montmul (
+static NOINLINE void
+sc_montmul (
 scalar_t out,
 const scalar_t a,
 const scalar_t b
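Review bot: The new declaration of `gf_eq` drops `__attribute__((noinline))` at the same time as it loses `static`, and the added comment justifies only the second change. If the attribute was there to keep the optimizer from specialising the reduce-and-OR comparison around an in-file call site, a common precaution in constant-time code, it should come back on the new line as `decaf_word_t NOINLINE`, using the macro this commit introduces at the top of the file; if it was only a code-size choice, the comment should say so. An unprefixed global `gf_eq` also becomes part of the library's exported symbol set, so a project prefix or hidden visibility is worth considering. The body of gf_eq continues outside the hunk.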
@@ -250,7 +259,8 @@ void API_NS(scalar_mul) (
 }
 /* PERF: could implement this */
-siv sc_montsqr (
+static INLINE void
+sc_montsqr (
 scalar_t out,
 const scalar_t a
 ) {
@@ -357,7 +367,8 @@ void API_NS(scalar_add) (
 sc_subx(out, out->limb, sc_p, sc_p, chain);
 }
-snv sc_halve (
+static NOINLINE void
+sc_halve (
 scalar_t out,
 const scalar_t a,
 const scalar_t p
@@ -376,7 +387,8 @@ snv sc_halve (
 out->limb[i] = out->limb[i]>>1 | chain<<(WBITS-1);
 }
-void API_NS(scalar_set_unsigned) (
+void
+API_NS(scalar_set_unsigned) (
 scalar_t out,
 decaf_word_t w
 ) {
@@ -384,7 +396,8 @@ void API_NS(scalar_set_unsigned) (
 out->limb[0] = w;
 }
-decaf_bool_t API_NS(scalar_eq) (
+decaf_bool_t
+API_NS(scalar_eq) (
 const scalar_t a,
 const scalar_t b
 ) {
@@ -401,11 +414,13 @@ decaf_bool_t API_NS(scalar_eq) (
 /** identity = (0,1) */
 const point_t API_NS(point_identity) = {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}};
-static void gf_encode ( unsigned char ser[SER_BYTES], gf a ) {
+static void
+gf_encode ( unsigned char ser[SER_BYTES], gf a ) {
 gf_serialize(ser, (gf_s *)a);
 }
-static void deisogenize (
+static void
+deisogenize (
 gf_s *__restrict__ s,
 gf_s *__restrict__ minus_t_over_s,
 const point_t p,
@@ -655,7 +670,8 @@ void API_NS(point_add) (
 gf_mul ( p->t, b, c );
 }
-snv point_double_internal (
+static NOINLINE void
+point_double_internal (
 point_t p,
 const point_t q,
 decaf_bool_t before_double
@@ -691,7 +707,8 @@ void API_NS(point_negate) (
 gf_sub(nega->t, ZERO, a->t);
 }
-siv scalar_decode_short (
+static INLINE void
+scalar_decode_short (
 scalar_t s,
 const unsigned char ser[SER_BYTES],
 unsigned int nbytes
@@ -728,7 +745,7 @@ void API_NS(scalar_destroy) (
 decaf_bzero(scalar, sizeof(scalar_t));
 }
-static inline void ignore_result ( decaf_bool_t boo ) {
+static INLINE void ignore_result ( decaf_bool_t boo ) {
 (void)boo;
 }
@@ -783,7 +800,8 @@ void API_NS(scalar_encode)(
 }
 /* Operations on [p]niels */
-siv cond_neg_niels (
+static INLINE void
+cond_neg_niels (
 niels_t n,
 decaf_bool_t neg
 ) {
@@ -814,7 +832,8 @@ static void pniels_to_pt (
 gf_sqr ( e->z, d->z );
 }
-snv niels_to_pt (
+static NOINLINE void
+niels_to_pt (
 point_t e,
 const niels_t n
 ) {
@@ -824,7 +843,8 @@ snv niels_to_pt (
 gf_cpy ( e->z, ONE );
 }
-snv add_niels_to_pt (
+static NOINLINE void
+add_niels_to_pt (
 point_t d,
 const niels_t e,
 decaf_bool_t before_double
@@ -845,7 +865,8 @@ snv add_niels_to_pt (
 if (!before_double) gf_mul ( d->t, b, c );
 }
-snv sub_niels_from_pt (
+static NOINLINE void
+sub_niels_from_pt (
 point_t d,
 const niels_t e,
 decaf_bool_t before_double
@@ -866,7 +887,8 @@ snv sub_niels_from_pt (
 if (!before_double) gf_mul ( d->t, b, c );
 }
-sv add_pniels_to_pt (
+static void
+add_pniels_to_pt (
 point_t p,
 const pniels_t pn,
 decaf_bool_t before_double
@@ -877,7 +899,8 @@ sv add_pniels_to_pt (
 add_niels_to_pt( p, pn->n, before_double );
 }
-sv sub_pniels_from_pt (
+static void
+sub_pniels_from_pt (
 point_t p,
 const pniels_t pn,
 decaf_bool_t before_double
@@ -890,7 +913,8 @@ sv sub_pniels_from_pt (
 extern const scalar_t API_NS(point_scalarmul_adjustment);
-siv constant_time_lookup_xx (
+static INLINE void
+constant_time_lookup_xx (
 void *__restrict__ out_,
 const void *table_,
 decaf_word_t elem_bytes,
@@ -900,7 +924,8 @@ siv constant_time_lookup_xx (
 constant_time_lookup(out_,table_,elem_bytes,n_table,idx);
 }
-snv prepare_fixed_window(
+static NOINLINE void
+prepare_fixed_window(
 pniels_t *multiples,
 const point_t b,
 int ntable
@@ -1416,7 +1441,8 @@ void API_NS(precompute) (
 extern const scalar_t API_NS(precomputed_scalarmul_adjustment);
-siv constant_time_lookup_xx_niels (
+static INLINE void
+constant_time_lookup_xx_niels (
 niels_s *__restrict__ ni,
 const niels_t *table,
 int nelts,
@@ -1573,7 +1599,8 @@ static int recode_wnaf (
 return position;
 }
-sv prepare_wnaf_table(
+static void
+prepare_wnaf_table(
 pniels_t *output,
 const point_t working,
 unsigned int tbits
@@ -1690,7 +1717,7 @@ void API_NS(base_double_scalarmul_non_secret) (
 }
 }
- // Non-secret, but whatever this is cheap.
+ /* This function is non-secret, but whatever this is cheap. */
 decaf_bzero(control_var,sizeof(control_var));
 decaf_bzero(control_pre,sizeof(control_pre));
 decaf_bzero(precmp_var,sizeof(precmp_var));
@@ -1700,13 +1727,13 @@ void API_NS(base_double_scalarmul_non_secret) (
 }
 void API_NS(point_destroy) (
- point_t point
+ point_t point
 ) {
 decaf_bzero(point, sizeof(point_t));
 }
 void API_NS(precomputed_destroy) (
- precomputed_s *pre
+ precomputed_s *pre
 ) {
 decaf_bzero(pre, API_NS2(sizeof,precomputed_s));
 }
diff --git a/src/include/word.h b/src/include/word.h
index 5f40e17..876b2b4 100644
--- a/src/include/word.h
+++ b/src/include/word.h
@@ -46,7 +46,8 @@ typedef __int128_t dsword_t;
 #define U60LE(x) x##ull
 #define letohWORD letoh64
 #define GOLDI_BITS 64
-#else
+#define SC_LIMB(x) (x##ull)
+#elif (WORD_BITS == 32)
 typedef uint16_t hword_t;
 typedef uint32_t word_t;
 typedef uint64_t dword_t;
@@ -62,6 +63,9 @@ typedef int64_t dsword_t;
 #define U60LE(x) (x##ull)&((1ull<<30)-1), (x##ull)>>30
 #define letohWORD letoh32
 #define GOLDI_BITS 32
+#define SC_LIMB(x) (x##ull)
+#else
+#error "For now, libdecaf only supports 32- and 64-bit architectures."
 #endif
 #define DIV_CEIL(_x,_y) (((_x) + (_y) - 1)/(_y))
diff --git a/src/public_include/decaf/decaf_255.h b/src/public_include/decaf/decaf_255.h
index 2ad1152..f7d143b 100644
--- a/src/public_include/decaf/decaf_255.h
+++ b/src/public_include/decaf/decaf_255.h
@@ -18,7 +18,7 @@ extern "C" {
 #endif
 #define DECAF_255_LIMBS (320/DECAF_WORD_BITS)
-#define DECAF_255_SCALAR_BITS 254 // Curve25519: 253
+#define DECAF_255_SCALAR_BITS 253
 #define DECAF_255_SCALAR_LIMBS (256/DECAF_WORD_BITS)
 #ifndef __DECAF_255_GF_DEFINED__
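Review bot: In the second src/include/word.h hunk the 32-bit branch defines `SC_LIMB(x)` as a single 64-bit literal, `#define SC_LIMB(x) (x##ull)`, whereas the definition it replaces in src/curve_ed448goldilocks/curve_data.inc.c split that literal into two limbs, `(x##ull)&((1ull<<32)-1), (x##ull)>>32`, the same way `U60LE` still does three lines above. If the scalar constant tables are written as 64-bit limb literals, which the old split form implies, each initializer on a 32-bit build now lands in a single `word_t`, losing its high half and shifting every following limb down one slot; the group order and Montgomery constants would then be silently wrong, with at most an implicit-conversion warning as a hint. Restore the split form in this branch: `#define SC_LIMB(x) (x##ull)&((1ull<<32)-1), (x##ull)>>32`.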
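Review bot: `DECAF_255_SCALAR_BITS` moves from 254 to 253 in a public header, and the removed trailing comment was the only explanation of the figure, so the new line says nothing about what the constant counts or why it changed. Put the rationale back on the line, e.g. `#define DECAF_255_SCALAR_BITS 253 /* matches the Curve25519 scalar size; storage is DECAF_255_SCALAR_LIMBS */`, and confirm every consumer that derives a loop bound or buffer size from it (scalar decode, window recoding) still covers the top bit, since the bound is now one bit tighter than before. Whether such a consumer exists is not visible in this commit.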