diff --git a/src/arithmetic.c b/src/arithmetic.c index 4530aa3..89be5c4 100644 --- a/src/arithmetic.c +++ b/src/arithmetic.c @@ -13,78 +13,75 @@ mask_t field_eq ( - const struct field_t *a, - const struct field_t *b + const field_a_t a, + const field_a_t b ) { - struct field_t ra, rb; - field_copy(&ra, a); - field_copy(&rb, b); - field_weak_reduce(&ra); - field_weak_reduce(&rb); - field_sub_RAW(&ra, &ra, &rb); - field_bias(&ra, 2); - return field_is_zero(&ra); + field_a_t ra, rb; + field_copy(ra, a); + field_copy(rb, b); + field_weak_reduce(ra); + field_weak_reduce(rb); + field_sub_RAW(ra, ra, rb); + field_bias(ra, 2); + return field_is_zero(ra); } void field_inverse ( - struct field_t* a, - const struct field_t* x + field_a_t a, + const field_a_t x ) { - struct field_t L0, L1; - field_isr ( &L0, x ); - field_sqr ( &L1, &L0 ); - field_sqr ( &L0, &L1 ); - field_mul ( a, x, &L0 ); + field_a_t L0, L1; + field_isr ( L0, x ); + field_sqr ( L1, L0 ); + field_sqr ( L0, L1 ); + field_mul ( a, x, L0 ); } mask_t field_is_square ( - const struct field_t* x + const field_a_t x ) { - mask_t L2, L3; - struct field_t L0, L1; - field_isr ( &L0, x ); - field_sqr ( &L1, &L0 ); - field_mul ( &L0, x, &L1 ); - field_subw( &L0, 1 ); - L3 = field_is_zero( &L0 ); - L2 = field_is_zero( x ); - return L3 | L2; + field_a_t L0, L1; + field_isr ( L0, x ); + field_sqr ( L1, L0 ); + field_mul ( L0, x, L1 ); + field_subw( L0, 1 ); + return field_is_zero( L0 ) | field_is_zero( x ); } void field_simultaneous_invert ( - struct field_t *__restrict__ out, - const struct field_t *in, + field_a_t *__restrict__ out, + const field_a_t *in, unsigned int n ) { if (n==0) { return; } else if (n==1) { - field_inverse(out,in); + field_inverse(out[0],in[0]); return; } - field_copy(&out[1], &in[0]); + field_copy(out[1], in[0]); int i; for (i=1; i<(int) (n-1); i++) { - field_mul(&out[i+1], &out[i], &in[i]); + field_mul(out[i+1], out[i], in[i]); } - field_mul(&out[0], &out[n-1], &in[n-1]); + field_mul(out[0], out[n-1], in[n-1]); - struct field_t tmp; - field_inverse(&tmp, &out[0]); - field_copy(&out[0], &tmp); + field_a_t tmp; + field_inverse(tmp, out[0]); + field_copy(out[0], tmp); /* at this point, out[0] = product(in[i]) ^ -1 * out[i] = product(in[0]..in[i-1]) if i != 0 */ for (i=n-1; i>0; i--) { - field_mul(&tmp, &out[i], &out[0]); - field_copy(&out[i], &tmp); + field_mul(tmp, out[i], out[0]); + field_copy(out[i], tmp); - field_mul(&tmp, &out[0], &in[i]); - field_copy(&out[0], &tmp); + field_mul(tmp, out[0], in[i]); + field_copy(out[0], tmp); } } diff --git a/src/ec_point.c b/src/ec_point.c index 48c84b1..aea17ac 100644 --- a/src/ec_point.c +++ b/src/ec_point.c @@ -18,20 +18,20 @@ add_tw_niels_to_tw_extensible ( const struct tw_niels_t* e ) { ANALYZE_THIS_ROUTINE_CAREFULLY; - struct field_t L0, L1; - field_sub ( &L1, &d->y, &d->x ); - field_mul ( &L0, &e->a, &L1 ); - field_add_nr ( &L1, &d->x, &d->y ); - field_mul ( &d->y, &e->b, &L1 ); - field_mul ( &L1, &d->u, &d->t ); - field_mul ( &d->x, &e->c, &L1 ); - field_add_nr ( &d->u, &L0, &d->y ); - field_subx_nr ( &d->t, &d->y, &L0 ); - field_subx_nr ( &d->y, &d->z, &d->x ); - field_add_nr ( &L0, &d->x, &d->z ); - field_mul ( &d->z, &L0, &d->y ); - field_mul ( &d->x, &d->y, &d->t ); - field_mul ( &d->y, &L0, &d->u ); + field_a_t L0, L1; + field_sub ( L1, d->y, d->x ); + field_mul ( L0, e->a, L1 ); + field_add_nr ( L1, d->x, d->y ); + field_mul ( d->y, e->b, L1 ); + field_mul ( L1, d->u, d->t ); + field_mul ( d->x, e->c, L1 ); + field_add_nr ( d->u, L0, d->y ); + field_sub_nr ( d->t, d->y, L0 ); + field_sub_nr ( d->y, d->z, d->x ); + field_add_nr ( L0, d->x, d->z ); + field_mul ( d->z, L0, d->y ); + field_mul ( d->x, d->y, d->t ); + field_mul ( d->y, L0, d->u ); } void @@ -40,20 +40,20 @@ sub_tw_niels_from_tw_extensible ( const struct tw_niels_t* e ) { ANALYZE_THIS_ROUTINE_CAREFULLY; - struct field_t L0, L1; - field_subx_nr ( &L1, &d->y, &d->x ); - field_mul ( &L0, &e->b, &L1 ); - field_add_nr ( &L1, &d->x, &d->y ); - field_mul ( &d->y, &e->a, &L1 ); - field_mul ( &L1, &d->u, &d->t ); - field_mul ( &d->x, &e->c, &L1 ); - field_add_nr ( &d->u, &L0, &d->y ); - field_subx_nr ( &d->t, &d->y, &L0 ); - field_add_nr ( &d->y, &d->x, &d->z ); - field_subx_nr ( &L0, &d->z, &d->x ); - field_mul ( &d->z, &L0, &d->y ); - field_mul ( &d->x, &d->y, &d->t ); - field_mul ( &d->y, &L0, &d->u ); + field_a_t L0, L1; + field_sub_nr ( L1, d->y, d->x ); + field_mul ( L0, e->b, L1 ); + field_add_nr ( L1, d->x, d->y ); + field_mul ( d->y, e->a, L1 ); + field_mul ( L1, d->u, d->t ); + field_mul ( d->x, e->c, L1 ); + field_add_nr ( d->u, L0, d->y ); + field_sub_nr ( d->t, d->y, L0 ); + field_add_nr ( d->y, d->x, d->z ); + field_sub_nr ( L0, d->z, d->x ); + field_mul ( d->z, L0, d->y ); + field_mul ( d->x, d->y, d->t ); + field_mul ( d->y, L0, d->u ); } void @@ -61,9 +61,9 @@ add_tw_pniels_to_tw_extensible ( struct tw_extensible_t* e, const struct tw_pniels_t* a ) { - struct field_t L0; - field_mul ( &L0, &e->z, &a->z ); - field_copy ( &e->z, &L0 ); + field_a_t L0; + field_mul ( L0, e->z, a->z ); + field_copy ( e->z, L0 ); add_tw_niels_to_tw_extensible( e, &a->n ); } @@ -72,9 +72,9 @@ sub_tw_pniels_from_tw_extensible ( struct tw_extensible_t* e, const struct tw_pniels_t* a ) { - struct field_t L0; - field_mul ( &L0, &e->z, &a->z ); - field_copy ( &e->z, &L0 ); + field_a_t L0; + field_mul ( L0, e->z, a->z ); + field_copy ( e->z, L0 ); sub_tw_niels_from_tw_extensible( e, &a->n ); } @@ -83,24 +83,24 @@ double_tw_extensible ( struct tw_extensible_t* a ) { ANALYZE_THIS_ROUTINE_CAREFULLY; - struct field_t L0, L1, L2; - field_sqr ( &L2, &a->x ); - field_sqr ( &L0, &a->y ); - field_add_nr ( &a->u, &L2, &L0 ); - field_add_nr ( &a->t, &a->y, &a->x ); - field_sqr ( &L1, &a->t ); - field_sub_nr ( &a->t, &L1, &a->u ); - field_bias ( &a->t, 3 ); - IF32( field_weak_reduce( &a->t ) ); - field_subx_nr ( &L1, &L0, &L2 ); - field_sqr ( &a->x, &a->z ); - field_bias ( &a->x, 2-is32 /*is32 ? 1 : 2*/ ); - field_add_nr ( &a->z, &a->x, &a->x ); - field_sub_nr ( &L0, &a->z, &L1 ); - IF32( field_weak_reduce( &L0 ) ); - field_mul ( &a->z, &L1, &L0 ); - field_mul ( &a->x, &L0, &a->t ); - field_mul ( &a->y, &L1, &a->u ); + field_a_t L0, L1, L2; + field_sqr ( L2, a->x ); + field_sqr ( L0, a->y ); + field_add_nr ( a->u, L2, L0 ); + field_add_nr ( a->t, a->y, a->x ); + field_sqr ( L1, a->t ); + field_sub_nr ( a->t, L1, a->u ); + field_bias ( a->t, 3 ); + IF32( field_weak_reduce( a->t ) ); + field_sub_nr ( L1, L0, L2 ); + field_sqr ( a->x, a->z ); + field_bias ( a->x, 2-is32 /*is32 ? 1 : 2*/ ); + field_add_nr ( a->z, a->x, a->x ); + field_sub_nr ( L0, a->z, L1 ); + IF32( field_weak_reduce( L0 ) ); + field_mul ( a->z, L1, L0 ); + field_mul ( a->x, L0, a->t ); + field_mul ( a->y, L1, a->u ); } void @@ -108,24 +108,24 @@ double_extensible ( struct extensible_t* a ) { ANALYZE_THIS_ROUTINE_CAREFULLY; - struct field_t L0, L1, L2; - field_sqr ( &L2, &a->x ); - field_sqr ( &L0, &a->y ); - field_add_nr ( &L1, &L2, &L0 ); - field_add_nr ( &a->t, &a->y, &a->x ); - field_sqr ( &a->u, &a->t ); - field_sub_nr ( &a->t, &a->u, &L1 ); - field_bias ( &a->t, 3 ); - IF32( field_weak_reduce( &a->t ) ); - field_subx_nr ( &a->u, &L0, &L2 ); - field_sqr ( &a->x, &a->z ); - field_bias ( &a->x, 2 ); - field_add_nr ( &a->z, &a->x, &a->x ); - field_sub_nr ( &L0, &a->z, &L1 ); - IF32( field_weak_reduce( &L0 ) ); - field_mul ( &a->z, &L1, &L0 ); - field_mul ( &a->x, &L0, &a->t ); - field_mul ( &a->y, &L1, &a->u ); + field_a_t L0, L1, L2; + field_sqr ( L2, a->x ); + field_sqr ( L0, a->y ); + field_add_nr ( L1, L2, L0 ); + field_add_nr ( a->t, a->y, a->x ); + field_sqr ( a->u, a->t ); + field_sub_nr ( a->t, a->u, L1 ); + field_bias ( a->t, 3 ); + IF32( field_weak_reduce( a->t ) ); + field_sub_nr ( a->u, L0, L2 ); + field_sqr ( a->x, a->z ); + field_bias ( a->x, 2 ); + field_add_nr ( a->z, a->x, a->x ); + field_sub_nr ( L0, a->z, L1 ); + IF32( field_weak_reduce( L0 ) ); + field_mul ( a->z, L1, L0 ); + field_mul ( a->x, L0, a->t ); + field_mul ( a->y, L1, a->u ); } void @@ -133,20 +133,20 @@ twist_and_double ( struct tw_extensible_t* b, const struct extensible_t* a ) { - struct field_t L0; - field_sqr ( &b->x, &a->x ); - field_sqr ( &b->z, &a->y ); - field_add ( &b->u, &b->x, &b->z ); - field_add ( &b->t, &a->y, &a->x ); - field_sqr ( &L0, &b->t ); - field_sub ( &b->t, &L0, &b->u ); - field_sub ( &L0, &b->z, &b->x ); - field_sqr ( &b->x, &a->z ); - field_add ( &b->z, &b->x, &b->x ); - field_sub ( &b->y, &b->z, &b->u ); - field_mul ( &b->z, &L0, &b->y ); - field_mul ( &b->x, &b->y, &b->t ); - field_mul ( &b->y, &L0, &b->u ); + field_a_t L0; + field_sqr ( b->x, a->x ); + field_sqr ( b->z, a->y ); + field_add ( b->u, b->x, b->z ); + field_add ( b->t, a->y, a->x ); + field_sqr ( L0, b->t ); + field_sub ( b->t, L0, b->u ); + field_sub ( L0, b->z, b->x ); + field_sqr ( b->x, a->z ); + field_add ( b->z, b->x, b->x ); + field_sub ( b->y, b->z, b->u ); + field_mul ( b->z, L0, b->y ); + field_mul ( b->x, b->y, b->t ); + field_mul ( b->y, L0, b->u ); } void @@ -154,20 +154,20 @@ untwist_and_double ( struct extensible_t* b, const struct tw_extensible_t* a ) { - struct field_t L0; - field_sqr ( &b->x, &a->x ); - field_sqr ( &b->z, &a->y ); - field_add ( &L0, &b->x, &b->z ); - field_add ( &b->t, &a->y, &a->x ); - field_sqr ( &b->u, &b->t ); - field_sub ( &b->t, &b->u, &L0 ); - field_sub ( &b->u, &b->z, &b->x ); - field_sqr ( &b->x, &a->z ); - field_add ( &b->z, &b->x, &b->x ); - field_sub ( &b->y, &b->z, &b->u ); - field_mul ( &b->z, &L0, &b->y ); - field_mul ( &b->x, &b->y, &b->t ); - field_mul ( &b->y, &L0, &b->u ); + field_a_t L0; + field_sqr ( b->x, a->x ); + field_sqr ( b->z, a->y ); + field_add ( L0, b->x, b->z ); + field_add ( b->t, a->y, a->x ); + field_sqr ( b->u, b->t ); + field_sub ( b->t, b->u, L0 ); + field_sub ( b->u, b->z, b->x ); + field_sqr ( b->x, a->z ); + field_add ( b->z, b->x, b->x ); + field_sub ( b->y, b->z, b->u ); + field_mul ( b->z, L0, b->y ); + field_mul ( b->x, b->y, b->t ); + field_mul ( b->y, L0, b->u ); } void @@ -175,11 +175,11 @@ convert_tw_affine_to_tw_pniels ( struct tw_pniels_t* b, const struct tw_affine_t* a ) { - field_sub ( &b->n.a, &a->y, &a->x ); - field_add ( &b->n.b, &a->x, &a->y ); - field_mul ( &b->z, &a->y, &a->x ); - field_mulw_scc_wr ( &b->n.c, &b->z, 2*EDWARDS_D-2 ); - field_set_ui( &b->z, 2 ); + field_sub ( b->n.a, a->y, a->x ); + field_add ( b->n.b, a->x, a->y ); + field_mul ( b->z, a->y, a->x ); + field_mulw_scc_wr ( b->n.c, b->z, 2*EDWARDS_D-2 ); + field_set_ui( b->z, 2 ); } void @@ -187,11 +187,11 @@ convert_tw_affine_to_tw_extensible ( struct tw_extensible_t* b, const struct tw_affine_t* a ) { - field_copy ( &b->x, &a->x ); - field_copy ( &b->y, &a->y ); - field_set_ui( &b->z, 1 ); - field_copy ( &b->t, &a->x ); - field_copy ( &b->u, &a->y ); + field_copy ( b->x, a->x ); + field_copy ( b->y, a->y ); + field_set_ui( b->z, 1 ); + field_copy ( b->t, a->x ); + field_copy ( b->u, a->y ); } void @@ -199,11 +199,11 @@ convert_affine_to_extensible ( struct extensible_t* b, const struct affine_t* a ) { - field_copy ( &b->x, &a->x ); - field_copy ( &b->y, &a->y ); - field_set_ui( &b->z, 1 ); - field_copy ( &b->t, &a->x ); - field_copy ( &b->u, &a->y ); + field_copy ( b->x, a->x ); + field_copy ( b->y, a->y ); + field_set_ui( b->z, 1 ); + field_copy ( b->t, a->x ); + field_copy ( b->u, a->y ); } void @@ -211,11 +211,11 @@ convert_tw_extensible_to_tw_pniels ( struct tw_pniels_t* b, const struct tw_extensible_t* a ) { - field_sub ( &b->n.a, &a->y, &a->x ); - field_add ( &b->n.b, &a->x, &a->y ); - field_mul ( &b->z, &a->u, &a->t ); - field_mulw_scc_wr ( &b->n.c, &b->z, 2*EDWARDS_D-2 ); - field_add ( &b->z, &a->z, &a->z ); + field_sub ( b->n.a, a->y, a->x ); + field_add ( b->n.b, a->x, a->y ); + field_mul ( b->z, a->u, a->t ); + field_mulw_scc_wr ( b->n.c, b->z, 2*EDWARDS_D-2 ); + field_add ( b->z, a->z, a->z ); } void @@ -223,11 +223,11 @@ convert_tw_pniels_to_tw_extensible ( struct tw_extensible_t* e, const struct tw_pniels_t* d ) { - field_add ( &e->u, &d->n.b, &d->n.a ); - field_sub ( &e->t, &d->n.b, &d->n.a ); - field_mul ( &e->x, &d->z, &e->t ); - field_mul ( &e->y, &d->z, &e->u ); - field_sqr ( &e->z, &d->z ); + field_add ( e->u, d->n.b, d->n.a ); + field_sub ( e->t, d->n.b, d->n.a ); + field_mul ( e->x, d->z, e->t ); + field_mul ( e->y, d->z, e->u ); + field_sqr ( e->z, d->z ); } void @@ -235,47 +235,47 @@ convert_tw_niels_to_tw_extensible ( struct tw_extensible_t* e, const struct tw_niels_t* d ) { - field_add ( &e->y, &d->b, &d->a ); - field_sub ( &e->x, &d->b, &d->a ); - field_set_ui( &e->z, 1 ); - field_copy ( &e->t, &e->x ); - field_copy ( &e->u, &e->y ); + field_add ( e->y, d->b, d->a ); + field_sub ( e->x, d->b, d->a ); + field_set_ui( e->z, 1 ); + field_copy ( e->t, e->x ); + field_copy ( e->u, e->y ); } void deserialize_montgomery_decaf ( struct montgomery_aux_t* a, - const struct field_t *s + const field_a_t s ) { - field_copy ( &a->s0, s ); - field_copy ( &a->xa, s ); - field_set_ui ( &a->za, 1 ); - field_set_ui ( &a->xd, 1 ); - field_set_ui ( &a->zd, 0 ); + field_copy ( a->s0, s ); + field_copy ( a->xa, s ); + field_set_ui ( a->za, 1 ); + field_set_ui ( a->xd, 1 ); + field_set_ui ( a->zd, 0 ); } void montgomery_aux_step ( struct montgomery_aux_t* a ) { - field_add ( &a->xs, &a->xa, &a->za ); // xs = C - field_subx ( &a->zs, &a->xa, &a->za ); // zs = D - field_add ( &a->xa, &a->xd, &a->zd ); // xa = A - field_subx ( &a->za, &a->xd, &a->zd ); // za = B - field_mul ( &a->xd, &a->xa, &a->zs ); // xd = DA - field_mul ( &a->zd, &a->xs, &a->za ); // zd = CB - field_add ( &a->xs, &a->xd, &a->zd ); // xs = DA+CB - field_subx ( &a->zd, &a->xd, &a->zd ); // zd = DA-CB - field_mul ( &a->zs, &a->zd, &a->s0 ); // zs = (DA-CB)*s0 - field_sqr ( &a->zd, &a->xa ); // zd = AA - field_sqr ( &a->xa, &a->za ); // xa = BB - field_subx ( &a->za, &a->zd, &a->xa ); // za = E - field_mul ( &a->xd, &a->xa, &a->zd ); // xd final - field_mulw_scc_wr ( &a->zd, &a->xa, 1-EDWARDS_D ); // zd = (1-d)*E - field_add ( &a->xa, &a->za, &a->zd ); // BB + (1-d)*E - field_mul ( &a->zd, &a->xa, &a->za ); // zd final - field_sqr ( &a->xa, &a->xs ); // (DA+CB)^2 - field_sqr ( &a->za, &a->zs ); // (DA-CB)^2*s0^2 + field_add ( a->xs, a->xa, a->za ); // xs = C + field_sub ( a->zs, a->xa, a->za ); // zs = D + field_add ( a->xa, a->xd, a->zd ); // xa = A + field_sub ( a->za, a->xd, a->zd ); // za = B + field_mul ( a->xd, a->xa, a->zs ); // xd = DA + field_mul ( a->zd, a->xs, a->za ); // zd = CB + field_add ( a->xs, a->xd, a->zd ); // xs = DA+CB + field_sub ( a->zd, a->xd, a->zd ); // zd = DA-CB + field_mul ( a->zs, a->zd, a->s0 ); // zs = (DA-CB)*s0 + field_sqr ( a->zd, a->xa ); // zd = AA + field_sqr ( a->xa, a->za ); // xa = BB + field_sub ( a->za, a->zd, a->xa ); // za = E + field_mul ( a->xd, a->xa, a->zd ); // xd final + field_mulw_scc_wr ( a->zd, a->xa, 1-EDWARDS_D ); // zd = (1-d)*E + field_add ( a->xa, a->za, a->zd ); // BB + (1-d)*E + field_mul ( a->zd, a->xa, a->za ); // zd final + field_sqr ( a->xa, a->xs ); // (DA+CB)^2 + field_sqr ( a->za, a->zs ); // (DA-CB)^2*s0^2 } void @@ -283,110 +283,110 @@ montgomery_step ( struct montgomery_t* a ) { ANALYZE_THIS_ROUTINE_CAREFULLY; - struct field_t L0, L1; - field_add_nr ( &L0, &a->zd, &a->xd ); - field_sub ( &L1, &a->xd, &a->zd ); - field_sub ( &a->zd, &a->xa, &a->za ); - field_mul ( &a->xd, &L0, &a->zd ); - field_add_nr ( &a->zd, &a->za, &a->xa ); - field_mul ( &a->za, &L1, &a->zd ); - field_add_nr ( &a->xa, &a->za, &a->xd ); - field_sqr ( &a->zd, &a->xa ); - field_mul ( &a->xa, &a->z0, &a->zd ); - field_sub ( &a->zd, &a->xd, &a->za ); - field_sqr ( &a->za, &a->zd ); - field_sqr ( &a->xd, &L0 ); - field_sqr ( &L0, &L1 ); - field_mulw_scc ( &a->zd, &a->xd, 1-EDWARDS_D ); /* FIXME PERF MULW */ - field_sub ( &L1, &a->xd, &L0 ); - field_mul ( &a->xd, &L0, &a->zd ); - field_sub_nr ( &L0, &a->zd, &L1 ); - field_bias ( &L0, 4 - 2*is32 /*is32 ? 2 : 4*/ ); - IF32( field_weak_reduce( &L0 ) ); - field_mul ( &a->zd, &L0, &L1 ); + field_a_t L0, L1; + field_add_nr ( L0, a->zd, a->xd ); + field_sub ( L1, a->xd, a->zd ); + field_sub ( a->zd, a->xa, a->za ); + field_mul ( a->xd, L0, a->zd ); + field_add_nr ( a->zd, a->za, a->xa ); + field_mul ( a->za, L1, a->zd ); + field_add_nr ( a->xa, a->za, a->xd ); + field_sqr ( a->zd, a->xa ); + field_mul ( a->xa, a->z0, a->zd ); + field_sub ( a->zd, a->xd, a->za ); + field_sqr ( a->za, a->zd ); + field_sqr ( a->xd, L0 ); + field_sqr ( L0, L1 ); + field_mulw_scc ( a->zd, a->xd, 1-EDWARDS_D ); /* FIXME PERF MULW */ + field_sub ( L1, a->xd, L0 ); + field_mul ( a->xd, L0, a->zd ); + field_sub_nr ( L0, a->zd, L1 ); + field_bias ( L0, 4 - 2*is32 /*is32 ? 2 : 4*/ ); + IF32( field_weak_reduce( L0 ) ); + field_mul ( a->zd, L0, L1 ); } void deserialize_montgomery ( struct montgomery_t* a, - const struct field_t* sbz + const field_a_t sbz ) { - field_sqr ( &a->z0, sbz ); - field_set_ui( &a->xd, 1 ); - field_set_ui( &a->zd, 0 ); - field_set_ui( &a->xa, 1 ); - field_copy ( &a->za, &a->z0 ); + field_sqr ( a->z0, sbz ); + field_set_ui( a->xd, 1 ); + field_set_ui( a->zd, 0 ); + field_set_ui( a->xa, 1 ); + field_copy ( a->za, a->z0 ); } mask_t serialize_montgomery ( - struct field_t* b, + field_a_t b, const struct montgomery_t* a, - const struct field_t* sbz + const field_a_t sbz ) { mask_t L4, L5, L6; - struct field_t L0, L1, L2, L3; - field_mul ( &L3, &a->z0, &a->zd ); - field_sub ( &L1, &L3, &a->xd ); - field_mul ( &L3, &a->za, &L1 ); - field_mul ( &L2, &a->z0, &a->xd ); - field_sub ( &L1, &L2, &a->zd ); - field_mul ( &L0, &a->xa, &L1 ); - field_add ( &L2, &L0, &L3 ); - field_sub ( &L1, &L3, &L0 ); - field_mul ( &L3, &L1, &L2 ); - field_copy ( &L2, &a->z0 ); - field_addw ( &L2, 1 ); - field_sqr ( &L0, &L2 ); - field_mulw_scc_wr ( &L1, &L0, EDWARDS_D-1 ); - field_add ( &L2, &a->z0, &a->z0 ); - field_add ( &L0, &L2, &L2 ); - field_add ( &L2, &L0, &L1 ); - field_mul ( &L0, &a->xd, &L2 ); - L5 = field_is_zero( &a->zd ); + field_a_t L0, L1, L2, L3; + field_mul ( L3, a->z0, a->zd ); + field_sub ( L1, L3, a->xd ); + field_mul ( L3, a->za, L1 ); + field_mul ( L2, a->z0, a->xd ); + field_sub ( L1, L2, a->zd ); + field_mul ( L0, a->xa, L1 ); + field_add ( L2, L0, L3 ); + field_sub ( L1, L3, L0 ); + field_mul ( L3, L1, L2 ); + field_copy ( L2, a->z0 ); + field_addw ( L2, 1 ); + field_sqr ( L0, L2 ); + field_mulw_scc_wr ( L1, L0, EDWARDS_D-1 ); + field_add ( L2, a->z0, a->z0 ); + field_add ( L0, L2, L2 ); + field_add ( L2, L0, L1 ); + field_mul ( L0, a->xd, L2 ); + L5 = field_is_zero( a->zd ); L6 = - L5; - constant_time_mask ( &L1, &L0, sizeof(L1), L5 ); - field_add ( &L2, &L1, &a->zd ); + constant_time_mask ( L1, L0, sizeof(L1), L5 ); + field_add ( L2, L1, a->zd ); L4 = ~ L5; - field_mul ( &L1, sbz, &L3 ); - field_addw ( &L1, L6 ); - field_mul ( &L3, &L2, &L1 ); - field_mul ( &L1, &L3, &L2 ); - field_mul ( &L2, &L3, &a->xd ); - field_mul ( &L3, &L1, &L2 ); - field_isr ( &L0, &L3 ); - field_mul ( &L2, &L1, &L0 ); - field_sqr ( &L1, &L0 ); - field_mul ( &L0, &L3, &L1 ); - constant_time_mask ( b, &L2, sizeof(L1), L4 ); - field_subw( &L0, 1 ); - L5 = field_is_zero( &L0 ); + field_mul ( L1, sbz, L3 ); + field_addw ( L1, L6 ); + field_mul ( L3, L2, L1 ); + field_mul ( L1, L3, L2 ); + field_mul ( L2, L3, a->xd ); + field_mul ( L3, L1, L2 ); + field_isr ( L0, L3 ); + field_mul ( L2, L1, L0 ); + field_sqr ( L1, L0 ); + field_mul ( L0, L3, L1 ); + constant_time_mask ( b, L2, sizeof(L1), L4 ); + field_subw( L0, 1 ); + L5 = field_is_zero( L0 ); L4 = field_is_zero( sbz ); return L5 | L4; } void serialize_extensible ( - struct field_t* b, + field_a_t b, const struct extensible_t* a ) { - struct field_t L0, L1, L2; - field_sub ( &L0, &a->y, &a->z ); - field_add ( b, &a->z, &a->y ); - field_mul ( &L1, &a->z, &a->x ); - field_mul ( &L2, &L0, &L1 ); - field_mul ( &L1, &L2, &L0 ); - field_mul ( &L0, &L2, b ); - field_mul ( &L2, &L1, &L0 ); - field_isr ( &L0, &L2 ); - field_mul ( b, &L1, &L0 ); - field_sqr ( &L1, &L0 ); - field_mul ( &L0, &L2, &L1 ); + field_a_t L0, L1, L2; + field_sub ( L0, a->y, a->z ); + field_add ( b, a->z, a->y ); + field_mul ( L1, a->z, a->x ); + field_mul ( L2, L0, L1 ); + field_mul ( L1, L2, L0 ); + field_mul ( L0, L2, b ); + field_mul ( L2, L1, L0 ); + field_isr ( L0, L2 ); + field_mul ( b, L1, L0 ); + field_sqr ( L1, L0 ); + field_mul ( L0, L2, L1 ); } void decaf_make_even ( - struct field_t *a + field_a_t a ) { field_cond_neg ( a, field_low_bit(a) ); field_strong_reduce ( a ); @@ -394,163 +394,163 @@ decaf_make_even ( void decaf_serialize_extensible ( - struct field_t* b, + field_a_t b, const struct extensible_t* a ) { - struct field_t L0, L1, L2, L3; - field_mulw_scc ( &L2, &a->y, EDWARDS_D ); // L2 = d*y - field_mul ( &L3, &L2, &a->t ); // L3 = d*y*t_ - field_mul ( &L2, &L3, &a->u ); // L2 = d*y*t - field_mul ( &L0, &a->x, &a->z ); // L0 = x*z - field_subx ( &L3, &L2, &L0 ); // L3 = d*y*t - x*z - field_add ( &L0, &a->y, &a->z ); // L0 = y+z - field_subx ( &L1, &a->y, &a->z ); // L1 = y-z - field_mul ( &L2, &L1, &L0 ); // L2 = y^2-z^2 - field_isr ( &L2, &L2 ); // L2 = 1/sqrt(y^2-z^2) - field_sqr ( &L1, &L2 ); // L1 = 1/(y^2-z^2) - field_mul ( &L0, &L1, &L3 ); // L0 = (d*y*t - z*x)/(y^2-z^2) = 1/x - field_mul ( &L1, &L2, &sqrt_d_minus_1 ); // L1 = sy - field_add ( &L3, &L1, &L1 ); // L3 = 2*sy - field_negx ( &L3, &L3 ); // L3 = -2*sy - field_mul ( &L2, &L3, &a->z ); // L2 = -2*sy*z - field_cond_neg ( &L1, field_low_bit(&L2) ); // cond-neg sy - field_mul ( &L2, &L1, &a->y ); // L2 = 2*sy*y - field_add ( b, &L0, &L2 ); + field_a_t L0, L1, L2, L3; + field_mulw_scc ( L2, a->y, EDWARDS_D ); // L2 = d*y + field_mul ( L3, L2, a->t ); // L3 = d*y*t_ + field_mul ( L2, L3, a->u ); // L2 = d*y*t + field_mul ( L0, a->x, a->z ); // L0 = x*z + field_sub ( L3, L2, L0 ); // L3 = d*y*t - x*z + field_add ( L0, a->y, a->z ); // L0 = y+z + field_sub ( L1, a->y, a->z ); // L1 = y-z + field_mul ( L2, L1, L0 ); // L2 = y^2-z^2 + field_isr ( L2, L2 ); // L2 = 1/sqrt(y^2-z^2) + field_sqr ( L1, L2 ); // L1 = 1/(y^2-z^2) + field_mul ( L0, L1, L3 ); // L0 = (d*y*t - z*x)/(y^2-z^2) = 1/x + field_mul ( L1, L2, sqrt_d_minus_1 ); // L1 = sy + field_add ( L3, L1, L1 ); // L3 = 2*sy + field_neg ( L3, L3 ); // L3 = -2*sy + field_mul ( L2, L3, a->z ); // L2 = -2*sy*z + field_cond_neg ( L1, field_low_bit(L2) ); // cond-neg sy + field_mul ( L2, L1, a->y ); // L2 = 2*sy*y + field_add ( b, L0, L2 ); decaf_make_even ( b ); } void decaf_serialize_tw_extensible ( - struct field_t* b, + field_a_t b, const struct tw_extensible_t* a ) { - struct field_t L0, L1, L2, L3; - field_mulw_scc ( &L2, &a->y, 1-EDWARDS_D ); // L2 = (1-d)*y - field_mul ( &L3, &L2, &a->t ); // L3 = (1-d)*y*t_ - field_mul ( &L2, &L3, &a->u ); // L2 = (1-d)*y*t - field_mul ( &L0, &a->x, &a->z ); // L0 = x*z - field_subx ( &L3, &L2, &L0 ); // L3 = d*y*t - x*z - field_add ( &L0, &a->z, &a->y ); // L0 = y+z - field_subx ( &L1, &a->z, &a->y ); // L1 = z-y - field_mul ( &L2, &L1, &L0 ); // L2 = z^2-y^2 - field_isr ( &L2, &L2 ); // L2 = 1/sqrt(z^2-y^2) - field_sqr ( &L1, &L2 ); // L1 = 1/(z^2-y^2) - field_mul ( &L0, &L1, &L3 ); // L0 = ((1-d)*y*t - z*x)/(y^2-z^2) = 1/x - field_mul ( &L1, &L2, &sqrt_minus_d ); // L1 = sy - field_add ( &L3, &L1, &L1 ); // L3 = 2*sy - field_negx ( &L3, &L3 ); // L3 = -2*sy - field_mul ( &L2, &L3, &a->z ); // L2 = -2*sy*z - field_cond_neg ( &L1, field_low_bit(&L2) ); // cond-neg sy - field_mul ( &L2, &L1, &a->y ); // L2 = 2*sy*y - field_add ( b, &L0, &L2 ); + field_a_t L0, L1, L2, L3; + field_mulw_scc ( L2, a->y, 1-EDWARDS_D ); // L2 = (1-d)*y + field_mul ( L3, L2, a->t ); // L3 = (1-d)*y*t_ + field_mul ( L2, L3, a->u ); // L2 = (1-d)*y*t + field_mul ( L0, a->x, a->z ); // L0 = x*z + field_sub ( L3, L2, L0 ); // L3 = d*y*t - x*z + field_add ( L0, a->z, a->y ); // L0 = y+z + field_sub ( L1, a->z, a->y ); // L1 = z-y + field_mul ( L2, L1, L0 ); // L2 = z^2-y^2 + field_isr ( L2, L2 ); // L2 = 1/sqrt(z^2-y^2) + field_sqr ( L1, L2 ); // L1 = 1/(z^2-y^2) + field_mul ( L0, L1, L3 ); // L0 = ((1-d)*y*t - z*x)/(y^2-z^2) = 1/x + field_mul ( L1, L2, sqrt_minus_d ); // L1 = sy + field_add ( L3, L1, L1 ); // L3 = 2*sy + field_neg ( L3, L3 ); // L3 = -2*sy + field_mul ( L2, L3, a->z ); // L2 = -2*sy*z + field_cond_neg ( L1, field_low_bit(L2) ); // cond-neg sy + field_mul ( L2, L1, a->y ); // L2 = 2*sy*y + field_add ( b, L0, L2 ); decaf_make_even ( b ); } mask_t decaf_deserialize_affine ( struct affine_t *a, - const struct field_t *s, + const field_a_t s, mask_t allow_identity ) { - struct field_t L0, L1, L2, L3, L4, L5; + field_a_t L0, L1, L2, L3, L4, L5; mask_t succ, zero; zero = field_is_zero(s); succ = allow_identity | ~zero; succ &= ~field_low_bit(s); - field_sqr ( &L0, s ); - field_copy ( &L1, &L0 ); - field_addw ( &L1, 1 ); - field_make_nonzero ( &L1 ); - field_sqr ( &L2, &L1 ); - field_mulw_scc_wr ( &L3, &L0, -4*EDWARDS_D ); - field_add ( &L3, &L3, &L2 ); - field_mul ( &L4, &L3, &L2 ); - field_mul ( &L2, &L4, &L0 ); - field_isr ( &L4, &L2 ); - field_sqr ( &L5, &L4 ); - field_mul ( &L0, &L5, &L2 ); - field_addw( &L0, 1 ); - succ &= ~field_is_zero( &L0 ); - field_mul ( &L2, &L3, &L1 ); - field_mul ( &L3, &L2, &L4 ); - field_cond_neg ( &L4, field_low_bit(&L3) ); - field_mul ( &L3, &L4, s ); - field_sqr ( &L4, &L3 ); - field_mul ( &L0, &L2, &L4 ); - field_add ( &L0, &L0, &L0 ); - field_mul ( &a->x, &L0, s ); - field_mul ( &L2, &L1, &L3 ); - field_negx ( &L1, &L1 ); - field_addw ( &L1, 2 ); - field_mul ( &a->y, &L1, &L2 ); - field_addw ( &a->y, -zero ); + field_sqr ( L0, s ); + field_copy ( L1, L0 ); + field_addw ( L1, 1 ); + field_make_nonzero ( L1 ); + field_sqr ( L2, L1 ); + field_mulw_scc_wr ( L3, L0, -4*EDWARDS_D ); + field_add ( L3, L3, L2 ); + field_mul ( L4, L3, L2 ); + field_mul ( L2, L4, L0 ); + field_isr ( L4, L2 ); + field_sqr ( L5, L4 ); + field_mul ( L0, L5, L2 ); + field_addw( L0, 1 ); + succ &= ~field_is_zero( L0 ); + field_mul ( L2, L3, L1 ); + field_mul ( L3, L2, L4 ); + field_cond_neg ( L4, field_low_bit(L3) ); + field_mul ( L3, L4, s ); + field_sqr ( L4, L3 ); + field_mul ( L0, L2, L4 ); + field_add ( L0, L0, L0 ); + field_mul ( a->x, L0, s ); + field_mul ( L2, L1, L3 ); + field_neg ( L1, L1 ); + field_addw ( L1, 2 ); + field_mul ( a->y, L1, L2 ); + field_addw ( a->y, -zero ); return succ; } mask_t decaf_deserialize_tw_affine ( struct tw_affine_t *a, - const struct field_t *s, + const field_a_t s, mask_t allow_identity ) { - struct field_t L0, L1, L2, L3, L4, L5; + field_a_t L0, L1, L2, L3, L4, L5; mask_t succ, zero; zero = field_is_zero(s); succ = allow_identity | ~zero; succ &= ~field_low_bit(s); - field_sqr ( &L0, s ); - field_negx ( &L1, &L0 ); - field_addw ( &L1, 1 ); - field_make_nonzero ( &L1 ); - field_sqr ( &L2, &L1 ); - field_mulw_scc_wr ( &L3, &L0, 4-4*EDWARDS_D ); - field_add ( &L3, &L3, &L2 ); - field_mul ( &L4, &L3, &L2 ); - field_mul ( &L2, &L4, &L0 ); - field_isr ( &L4, &L2 ); - field_sqr ( &L5, &L4 ); - field_mul ( &L0, &L5, &L2 ); - field_addw( &L0, 1 ); - succ &= ~field_is_zero( &L0 ); - field_mul ( &L2, &L3, &L1 ); - field_mul ( &L3, &L2, &L4 ); - field_cond_neg ( &L4, field_low_bit(&L3) ); - field_mul ( &L3, &L4, s ); - field_sqr ( &L4, &L3 ); - field_mul ( &L0, &L2, &L4 ); - field_add ( &L0, &L0, &L0 ); - field_mul ( &a->x, &L0, s ); - field_mul ( &L2, &L1, &L3 ); - field_negx ( &L1, &L1 ); - field_addw ( &L1, 2 ); - field_mul ( &a->y, &L1, &L2 ); - field_addw ( &a->y, -zero ); + field_sqr ( L0, s ); + field_neg ( L1, L0 ); + field_addw ( L1, 1 ); + field_make_nonzero ( L1 ); + field_sqr ( L2, L1 ); + field_mulw_scc_wr ( L3, L0, 4-4*EDWARDS_D ); + field_add ( L3, L3, L2 ); + field_mul ( L4, L3, L2 ); + field_mul ( L2, L4, L0 ); + field_isr ( L4, L2 ); + field_sqr ( L5, L4 ); + field_mul ( L0, L5, L2 ); + field_addw( L0, 1 ); + succ &= ~field_is_zero( L0 ); + field_mul ( L2, L3, L1 ); + field_mul ( L3, L2, L4 ); + field_cond_neg ( L4, field_low_bit(L3) ); + field_mul ( L3, L4, s ); + field_sqr ( L4, L3 ); + field_mul ( L0, L2, L4 ); + field_add ( L0, L0, L0 ); + field_mul ( a->x, L0, s ); + field_mul ( L2, L1, L3 ); + field_neg ( L1, L1 ); + field_addw ( L1, 2 ); + field_mul ( a->y, L1, L2 ); + field_addw ( a->y, -zero ); return succ; } void untwist_and_double_and_serialize ( - struct field_t* b, + field_a_t b, const struct tw_extensible_t* a ) { - struct field_t L0, L1, L2, L3; - field_mul ( &L3, &a->y, &a->x ); - field_add ( b, &a->y, &a->x ); - field_sqr ( &L1, b ); - field_add ( &L2, &L3, &L3 ); - field_sub ( b, &L1, &L2 ); - field_sqr ( &L2, &a->z ); - field_sqr ( &L1, &L2 ); + field_a_t L0, L1, L2, L3; + field_mul ( L3, a->y, a->x ); + field_add ( b, a->y, a->x ); + field_sqr ( L1, b ); + field_add ( L2, L3, L3 ); + field_sub ( b, L1, L2 ); + field_sqr ( L2, a->z ); + field_sqr ( L1, L2 ); field_add ( b, b, b ); - field_mulw_scc ( &L2, b, EDWARDS_D-1 ); - field_mulw_scc ( b, &L2, EDWARDS_D-1 ); - field_mul ( &L0, &L2, &L1 ); - field_mul ( &L2, b, &L0 ); - field_isr ( &L0, &L2 ); - field_mul ( &L1, b, &L0 ); - field_sqr ( b, &L0 ); - field_mul ( &L0, &L2, b ); - field_mul ( b, &L1, &L3 ); + field_mulw_scc ( L2, b, EDWARDS_D-1 ); + field_mulw_scc ( b, L2, EDWARDS_D-1 ); + field_mul ( L0, L2, L1 ); + field_mul ( L2, b, L0 ); + field_isr ( L0, L2 ); + field_mul ( L1, b, L0 ); + field_sqr ( b, L0 ); + field_mul ( L0, L2, b ); + field_mul ( b, L1, L3 ); } void @@ -558,25 +558,25 @@ twist_even ( struct tw_extensible_t* b, const struct extensible_t* a ) { - field_sqr ( &b->y, &a->z ); - field_sqr ( &b->z, &a->x ); - field_sub ( &b->u, &b->y, &b->z ); - field_sub ( &b->z, &a->z, &a->x ); - field_mul ( &b->y, &b->z, &a->y ); - field_sub ( &b->z, &a->z, &a->y ); - field_mul ( &b->x, &b->z, &b->y ); - field_mul ( &b->t, &b->x, &b->u ); - field_mul ( &b->y, &b->x, &b->t ); - field_isr ( &b->t, &b->y ); - field_mul ( &b->u, &b->x, &b->t ); - field_sqr ( &b->x, &b->t ); - field_mul ( &b->t, &b->y, &b->x ); - field_mul ( &b->x, &a->x, &b->u ); - field_mul ( &b->y, &a->y, &b->u ); - field_addw ( &b->y, -field_is_zero( &b->z ) ); - field_set_ui( &b->z, 1 ); - field_copy ( &b->t, &b->x ); - field_copy ( &b->u, &b->y ); + field_sqr ( b->y, a->z ); + field_sqr ( b->z, a->x ); + field_sub ( b->u, b->y, b->z ); + field_sub ( b->z, a->z, a->x ); + field_mul ( b->y, b->z, a->y ); + field_sub ( b->z, a->z, a->y ); + field_mul ( b->x, b->z, b->y ); + field_mul ( b->t, b->x, b->u ); + field_mul ( b->y, b->x, b->t ); + field_isr ( b->t, b->y ); + field_mul ( b->u, b->x, b->t ); + field_sqr ( b->x, b->t ); + field_mul ( b->t, b->y, b->x ); + field_mul ( b->x, a->x, b->u ); + field_mul ( b->y, a->y, b->u ); + field_addw ( b->y, -field_is_zero( b->z ) ); + field_set_ui( b->z, 1 ); + field_copy ( b->t, b->x ); + field_copy ( b->u, b->y ); } void @@ -584,135 +584,134 @@ test_only_twist ( struct tw_extensible_t* b, const struct extensible_t* a ) { - struct field_t L0, L1; - field_sqr ( &b->u, &a->z ); - field_sqr ( &b->y, &a->x ); - field_sub ( &b->z, &b->u, &b->y ); - field_add ( &b->y, &b->z, &b->z ); - field_add ( &b->u, &b->y, &b->y ); - field_sub ( &b->y, &a->z, &a->x ); - field_mul ( &b->x, &b->y, &a->y ); - field_sub ( &b->z, &a->z, &a->y ); - field_mul ( &b->t, &b->z, &b->x ); - field_mul ( &L1, &b->t, &b->u ); - field_mul ( &b->x, &b->t, &L1 ); - field_isr ( &L0, &b->x ); - field_mul ( &b->u, &b->t, &L0 ); - field_sqr ( &L1, &L0 ); - field_mul ( &b->t, &b->x, &L1 ); - field_add ( &L1, &a->y, &a->x ); - field_sub ( &L0, &a->x, &a->y ); - field_mul ( &b->x, &b->t, &L0 ); - field_add ( &L0, &b->x, &L1 ); - field_sub ( &b->t, &L1, &b->x ); - field_mul ( &b->x, &L0, &b->u ); - field_addw ( &b->x, -field_is_zero( &b->y ) ); - field_mul ( &b->y, &b->t, &b->u ); - field_addw ( &b->y, -field_is_zero( &b->z ) ); - field_set_ui( &b->z, 1+field_is_zero( &a->y ) ); - field_copy ( &b->t, &b->x ); - field_copy ( &b->u, &b->y ); + field_a_t L0, L1; + field_sqr ( b->u, a->z ); + field_sqr ( b->y, a->x ); + field_sub ( b->z, b->u, b->y ); + field_add ( b->y, b->z, b->z ); + field_add ( b->u, b->y, b->y ); + field_sub ( b->y, a->z, a->x ); + field_mul ( b->x, b->y, a->y ); + field_sub ( b->z, a->z, a->y ); + field_mul ( b->t, b->z, b->x ); + field_mul ( L1, b->t, b->u ); + field_mul ( b->x, b->t, L1 ); + field_isr ( L0, b->x ); + field_mul ( b->u, b->t, L0 ); + field_sqr ( L1, L0 ); + field_mul ( b->t, b->x, L1 ); + field_add ( L1, a->y, a->x ); + field_sub ( L0, a->x, a->y ); + field_mul ( b->x, b->t, L0 ); + field_add ( L0, b->x, L1 ); + field_sub ( b->t, L1, b->x ); + field_mul ( b->x, L0, b->u ); + field_addw ( b->x, -field_is_zero( b->y ) ); + field_mul ( b->y, b->t, b->u ); + field_addw ( b->y, -field_is_zero( b->z ) ); + field_set_ui( b->z, 1+field_is_zero( a->y ) ); + field_copy ( b->t, b->x ); + field_copy ( b->u, b->y ); } mask_t is_even_pt ( const struct extensible_t* a ) { - struct field_t L0, L1, L2; - field_sqr ( &L2, &a->z ); - field_sqr ( &L1, &a->x ); - field_sub ( &L0, &L2, &L1 ); - return field_is_square ( &L0 ); + field_a_t L0, L1, L2; + field_sqr ( L2, a->z ); + field_sqr ( L1, a->x ); + field_sub ( L0, L2, L1 ); + return field_is_square ( L0 ); } mask_t is_even_tw ( const struct tw_extensible_t* a ) { - struct field_t L0, L1, L2; - field_sqr ( &L2, &a->z ); - field_sqr ( &L1, &a->x ); - field_add ( &L0, &L1, &L2 ); - return field_is_square ( &L0 ); + field_a_t L0, L1, L2; + field_sqr ( L2, a->z ); + field_sqr ( L1, a->x ); + field_add ( L0, L1, L2 ); + return field_is_square ( L0 ); } mask_t deserialize_affine ( struct affine_t* a, - const struct field_t* sz -) { - struct field_t L0, L1, L2, L3; - field_sqr ( &L1, sz ); - field_copy ( &L3, &L1 ); - field_addw ( &L3, 1 ); - field_sqr ( &L2, &L3 ); - field_mulw_scc ( &a->x, &L2, EDWARDS_D-1 ); /* PERF MULW */ - field_add ( &L3, &L1, &L1 ); /* FIXME: i adjusted the bias here, was it right? */ - field_add ( &a->y, &L3, &L3 ); - field_add ( &L3, &a->y, &a->x ); - field_copy ( &a->y, &L1 ); - field_negx ( &a->x, &a->y ); - field_addw ( &a->x, 1 ); - field_mul ( &a->y, &a->x, &L3 ); - field_sqr ( &L2, &a->x ); - field_mul ( &L0, &L2, &a->y ); - field_mul ( &a->y, &a->x, &L0 ); - field_isr ( &L3, &a->y ); - field_mul ( &a->y, &L2, &L3 ); - field_sqr ( &L2, &L3 ); - field_mul ( &L3, &L0, &L2 ); - field_mul ( &L0, &a->x, &L3 ); - field_add ( &L2, &a->y, &a->y ); - field_mul ( &a->x, sz, &L2 ); - field_addw ( &L1, 1 ); - field_mul ( &a->y, &L1, &L3 ); - field_subw( &L0, 1 ); - return field_is_zero( &L0 ); + const field_a_t sz +) { + field_a_t L0, L1, L2, L3; + field_sqr ( L1, sz ); + field_copy ( L3, L1 ); + field_addw ( L3, 1 ); + field_sqr ( L2, L3 ); + field_mulw_scc ( a->x, L2, EDWARDS_D-1 ); /* PERF MULW */ + field_add ( L3, L1, L1 ); /* FIXME: i adjusted the bias here, was it right? */ + field_add ( a->y, L3, L3 ); + field_add ( L3, a->y, a->x ); + field_copy ( a->y, L1 ); + field_neg ( a->x, a->y ); + field_addw ( a->x, 1 ); + field_mul ( a->y, a->x, L3 ); + field_sqr ( L2, a->x ); + field_mul ( L0, L2, a->y ); + field_mul ( a->y, a->x, L0 ); + field_isr ( L3, a->y ); + field_mul ( a->y, L2, L3 ); + field_sqr ( L2, L3 ); + field_mul ( L3, L0, L2 ); + field_mul ( L0, a->x, L3 ); + field_add ( L2, a->y, a->y ); + field_mul ( a->x, sz, L2 ); + field_addw ( L1, 1 ); + field_mul ( a->y, L1, L3 ); + field_subw( L0, 1 ); + return field_is_zero( L0 ); } mask_t deserialize_and_twist_approx ( struct tw_extensible_t* a, - const struct field_t* sdm1, - const struct field_t* sz -) { - struct field_t L0, L1; - field_sqr ( &a->z, sz ); - field_copy ( &a->y, &a->z ); - field_addw ( &a->y, 1 ); - field_sqr ( &L0, &a->y ); - field_mulw_scc ( &a->x, &L0, EDWARDS_D-1 ); - field_add ( &a->y, &a->z, &a->z ); - field_add ( &a->u, &a->y, &a->y ); - field_add ( &a->y, &a->u, &a->x ); - field_sqr ( &a->x, &a->z ); - field_negx ( &a->u, &a->x ); - field_addw ( &a->u, 1 ); - field_mul ( &a->x, sdm1, &a->u ); - field_mul ( &L0, &a->x, &a->y ); - field_mul ( &a->t, &L0, &a->y ); - field_mul ( &a->u, &a->x, &a->t ); - field_mul ( &a->t, &a->u, &L0 ); - field_mul ( &a->y, &a->x, &a->t ); - field_isr ( &L0, &a->y ); - field_mul ( &a->y, &a->u, &L0 ); - field_sqr ( &L1, &L0 ); - field_mul ( &a->u, &a->t, &L1 ); - field_mul ( &a->t, &a->x, &a->u ); - field_add ( &a->x, sz, sz ); - field_mul ( &L0, &a->u, &a->x ); - field_copy ( &a->x, &a->z ); - field_negx ( &L1, &a->x ); - field_addw ( &L1, 1 ); - field_mul ( &a->x, &L1, &L0 ); - field_mul ( &L0, &a->u, &a->y ); - field_addw ( &a->z, 1 ); - field_mul ( &a->y, &a->z, &L0 ); - field_subw( &a->t, 1 ); - mask_t ret = field_is_zero( &a->t ); - field_set_ui( &a->z, 1 ); - field_copy ( &a->t, &a->x ); - field_copy ( &a->u, &a->y ); + const field_a_t sz +) { + field_a_t L0, L1; + field_sqr ( a->z, sz ); + field_copy ( a->y, a->z ); + field_addw ( a->y, 1 ); + field_sqr ( L0, a->y ); + field_mulw_scc ( a->x, L0, EDWARDS_D-1 ); + field_add ( a->y, a->z, a->z ); + field_add ( a->u, a->y, a->y ); + field_add ( a->y, a->u, a->x ); + field_sqr ( a->x, a->z ); + field_neg ( a->u, a->x ); + field_addw ( a->u, 1 ); + field_mul ( a->x, sqrt_d_minus_1, a->u ); + field_mul ( L0, a->x, a->y ); + field_mul ( a->t, L0, a->y ); + field_mul ( a->u, a->x, a->t ); + field_mul ( a->t, a->u, L0 ); + field_mul ( a->y, a->x, a->t ); + field_isr ( L0, a->y ); + field_mul ( a->y, a->u, L0 ); + field_sqr ( L1, L0 ); + field_mul ( a->u, a->t, L1 ); + field_mul ( a->t, a->x, a->u ); + field_add ( a->x, sz, sz ); + field_mul ( L0, a->u, a->x ); + field_copy ( a->x, a->z ); + field_neg ( L1, a->x ); + field_addw ( L1, 1 ); + field_mul ( a->x, L1, L0 ); + field_mul ( L0, a->u, a->y ); + field_addw ( a->z, 1 ); + field_mul ( a->y, a->z, L0 ); + field_subw( a->t, 1 ); + mask_t ret = field_is_zero( a->t ); + field_set_ui( a->z, 1 ); + field_copy ( a->t, a->x ); + field_copy ( a->u, a->y ); return ret; } @@ -720,30 +719,30 @@ void set_identity_extensible ( struct extensible_t* a ) { - field_set_ui( &a->x, 0 ); - field_set_ui( &a->y, 1 ); - field_set_ui( &a->z, 1 ); - field_set_ui( &a->t, 0 ); - field_set_ui( &a->u, 0 ); + field_set_ui( a->x, 0 ); + field_set_ui( a->y, 1 ); + field_set_ui( a->z, 1 ); + field_set_ui( a->t, 0 ); + field_set_ui( a->u, 0 ); } void set_identity_tw_extensible ( struct tw_extensible_t* a ) { - field_set_ui( &a->x, 0 ); - field_set_ui( &a->y, 1 ); - field_set_ui( &a->z, 1 ); - field_set_ui( &a->t, 0 ); - field_set_ui( &a->u, 0 ); + field_set_ui( a->x, 0 ); + field_set_ui( a->y, 1 ); + field_set_ui( a->z, 1 ); + field_set_ui( a->t, 0 ); + field_set_ui( a->u, 0 ); } void set_identity_affine ( struct affine_t* a ) { - field_set_ui( &a->x, 0 ); - field_set_ui( &a->y, 1 ); + field_set_ui( a->x, 0 ); + field_set_ui( a->y, 1 ); } mask_t @@ -751,12 +750,12 @@ decaf_eq_extensible ( const struct extensible_t* a, const struct extensible_t* b ) { - struct field_t L0, L1, L2; - field_mul ( &L2, &b->y, &a->x ); - field_mul ( &L1, &a->y, &b->x ); - field_sub ( &L0, &L2, &L1 ); - field_bias ( &L0, 2 ); - return field_is_zero ( &L0 ); + field_a_t L0, L1, L2; + field_mul ( L2, b->y, a->x ); + field_mul ( L1, a->y, b->x ); + field_sub ( L0, L2, L1 ); + field_bias ( L0, 2 ); + return field_is_zero ( L0 ); } mask_t @@ -764,12 +763,12 @@ decaf_eq_tw_extensible ( const struct tw_extensible_t* a, const struct tw_extensible_t* b ) { - struct field_t L0, L1, L2; - field_mul ( &L2, &b->y, &a->x ); - field_mul ( &L1, &a->y, &b->x ); - field_sub ( &L0, &L2, &L1 ); - field_bias ( &L0, 2 ); - return field_is_zero ( &L0 ); + field_a_t L0, L1, L2; + field_mul ( L2, b->y, a->x ); + field_mul ( L1, a->y, b->x ); + field_sub ( L0, L2, L1 ); + field_bias ( L0, 2 ); + return field_is_zero ( L0 ); } mask_t @@ -778,11 +777,11 @@ eq_affine ( const struct affine_t* b ) { mask_t L1, L2; - struct field_t L0; - field_sub ( &L0, &a->x, &b->x ); - L2 = field_is_zero( &L0 ); - field_sub ( &L0, &a->y, &b->y ); - L1 = field_is_zero( &L0 ); + field_a_t L0; + field_sub ( L0, a->x, b->x ); + L2 = field_is_zero( L0 ); + field_sub ( L0, a->y, b->y ); + L1 = field_is_zero( L0 ); return L2 & L1; } @@ -792,15 +791,15 @@ eq_extensible ( const struct extensible_t* b ) { mask_t L3, L4; - struct field_t L0, L1, L2; - field_mul ( &L2, &b->z, &a->x ); - field_mul ( &L1, &a->z, &b->x ); - field_sub ( &L0, &L2, &L1 ); - L4 = field_is_zero( &L0 ); - field_mul ( &L2, &b->z, &a->y ); - field_mul ( &L1, &a->z, &b->y ); - field_sub ( &L0, &L2, &L1 ); - L3 = field_is_zero( &L0 ); + field_a_t L0, L1, L2; + field_mul ( L2, b->z, a->x ); + field_mul ( L1, a->z, b->x ); + field_sub ( L0, L2, L1 ); + L4 = field_is_zero( L0 ); + field_mul ( L2, b->z, a->y ); + field_mul ( L1, a->z, b->y ); + field_sub ( L0, L2, L1 ); + L3 = field_is_zero( L0 ); return L4 & L3; } @@ -810,39 +809,39 @@ eq_tw_extensible ( const struct tw_extensible_t* b ) { mask_t L3, L4; - struct field_t L0, L1, L2; - field_mul ( &L2, &b->z, &a->x ); - field_mul ( &L1, &a->z, &b->x ); - field_sub ( &L0, &L2, &L1 ); - L4 = field_is_zero( &L0 ); - field_mul ( &L2, &b->z, &a->y ); - field_mul ( &L1, &a->z, &b->y ); - field_sub ( &L0, &L2, &L1 ); - L3 = field_is_zero( &L0 ); + field_a_t L0, L1, L2; + field_mul ( L2, b->z, a->x ); + field_mul ( L1, a->z, b->x ); + field_sub ( L0, L2, L1 ); + L4 = field_is_zero( L0 ); + field_mul ( L2, b->z, a->y ); + field_mul ( L1, a->z, b->y ); + field_sub ( L0, L2, L1 ); + L3 = field_is_zero( L0 ); return L4 & L3; } void elligator_2s_inject ( struct affine_t* a, - const struct field_t* r -) { - struct field_t L2, L3, L4, L5, L6, L7, L8; - field_sqr ( &a->x, r ); - field_sqr ( &L3, &a->x ); - field_copy ( &a->y, &L3 ); - field_negx ( &L4, &a->y ); - field_addw ( &L4, 1 ); - field_sqr ( &L2, &L4 ); - field_mulw ( &L7, &L2, (EDWARDS_D-1)*(EDWARDS_D-1) ); - field_mulw ( &L8, &L3, 4*(EDWARDS_D+1)*(EDWARDS_D+1) ); - field_add ( &a->y, &L8, &L7 ); - field_mulw ( &L8, &L2, 4*(EDWARDS_D)*(EDWARDS_D-1) ); - field_sub ( &L7, &a->y, &L8 ); - field_mulw_scc ( &L6, &a->y, -2-2*EDWARDS_D ); - field_mul ( &L5, &L7, &L6 ); + const field_a_t r +) { + field_a_t L2, L3, L4, L5, L6, L7, L8; + field_sqr ( a->x, r ); + field_sqr ( L3, a->x ); + field_copy ( a->y, L3 ); + field_neg ( L4, a->y ); + field_addw ( L4, 1 ); + field_sqr ( L2, L4 ); + field_mulw ( L7, L2, (EDWARDS_D-1)*(EDWARDS_D-1) ); + field_mulw ( L8, L3, 4*(EDWARDS_D+1)*(EDWARDS_D+1) ); + field_add ( a->y, L8, L7 ); + field_mulw ( L8, L2, 4*(EDWARDS_D)*(EDWARDS_D-1) ); + field_sub ( L7, a->y, L8 ); + field_mulw_scc ( L6, a->y, -2-2*EDWARDS_D ); + field_mul ( L5, L7, L6 ); /* FIXME Stability problem (API stability, not crash) / possible bug. - * change to: p448_mul ( &L5, &L7, &L4 ); ? + * change to: p448_mul ( L5, L7, L4 ); ? * This isn't a deep change: it's for sign adjustment. * Need to check which one leads to the correct sign, probably by writig * the invert routine. @@ -853,47 +852,47 @@ elligator_2s_inject ( * Could compute be, (be)^2, (be)^3, a b^3 e^3, a b^3 e^4. = 4M+S * instead of 6M. */ - field_mul ( &L8, &L5, &L4 ); - field_mul ( &L4, &L5, &L6 ); - field_mul ( &L5, &L7, &L8 ); - field_mul ( &L8, &L5, &L4 ); - field_mul ( &L4, &L7, &L8 ); - field_isr ( &L6, &L4 ); - field_mul ( &L4, &L5, &L6 ); - field_sqr ( &L5, &L6 ); - field_mul ( &L6, &L8, &L5 ); - field_mul ( &L8, &L7, &L6 ); - field_mul ( &L7, &L8, &L6 ); - field_copy ( &L6, &a->x ); - field_addw ( &a->x, 1 ); - field_mul ( &L5, &a->x, &L8 ); - field_addw ( &L5, 1 ); - field_sub ( &a->x, &L6, &L5 ); - field_mul ( &L5, &L4, &a->x ); - field_mulw_scc_wr ( &a->x, &L5, -2-2*EDWARDS_D ); - field_add ( &L4, &L3, &L3 ); - field_add ( &L3, &L4, &L2 ); - field_subw( &L3, 2 ); - field_mul ( &L2, &L3, &L8 ); - field_mulw ( &L3, &L2, 2*(EDWARDS_D+1)*(EDWARDS_D-1) ); - field_add ( &L2, &L3, &a->y ); - field_mul ( &a->y, &L7, &L2 ); - field_addw ( &a->y, -field_is_zero( &L8 ) ); + field_mul ( L8, L5, L4 ); + field_mul ( L4, L5, L6 ); + field_mul ( L5, L7, L8 ); + field_mul ( L8, L5, L4 ); + field_mul ( L4, L7, L8 ); + field_isr ( L6, L4 ); + field_mul ( L4, L5, L6 ); + field_sqr ( L5, L6 ); + field_mul ( L6, L8, L5 ); + field_mul ( L8, L7, L6 ); + field_mul ( L7, L8, L6 ); + field_copy ( L6, a->x ); + field_addw ( a->x, 1 ); + field_mul ( L5, a->x, L8 ); + field_addw ( L5, 1 ); + field_sub ( a->x, L6, L5 ); + field_mul ( L5, L4, a->x ); + field_mulw_scc_wr ( a->x, L5, -2-2*EDWARDS_D ); + field_add ( L4, L3, L3 ); + field_add ( L3, L4, L2 ); + field_subw( L3, 2 ); + field_mul ( L2, L3, L8 ); + field_mulw ( L3, L2, 2*(EDWARDS_D+1)*(EDWARDS_D-1) ); + field_add ( L2, L3, a->y ); + field_mul ( a->y, L7, L2 ); + field_addw ( a->y, -field_is_zero( L8 ) ); } mask_t validate_affine ( const struct affine_t* a ) { - struct field_t L0, L1, L2, L3; - field_sqr ( &L0, &a->y ); - field_sqr ( &L1, &a->x ); - field_add ( &L3, &L1, &L0 ); - field_mulw_scc ( &L2, &L1, EDWARDS_D ); - field_mul ( &L1, &L0, &L2 ); - field_addw ( &L1, 1 ); - field_sub ( &L0, &L3, &L1 ); - return field_is_zero( &L0 ); + field_a_t L0, L1, L2, L3; + field_sqr ( L0, a->y ); + field_sqr ( L1, a->x ); + field_add ( L3, L1, L0 ); + field_mulw_scc ( L2, L1, EDWARDS_D ); + field_mul ( L1, L0, L2 ); + field_addw ( L1, 1 ); + field_sub ( L0, L3, L1 ); + return field_is_zero( L0 ); } mask_t @@ -901,36 +900,36 @@ validate_tw_extensible ( const struct tw_extensible_t* ext ) { mask_t L4, L5; - struct field_t L0, L1, L2, L3; + field_a_t L0, L1, L2, L3; /* * Check invariant: * 0 = -x*y + z*t*u */ - field_mul ( &L1, &ext->t, &ext->u ); - field_mul ( &L2, &ext->z, &L1 ); - field_mul ( &L0, &ext->x, &ext->y ); - field_negx ( &L1, &L0 ); - field_add ( &L0, &L1, &L2 ); - L5 = field_is_zero( &L0 ); + field_mul ( L1, ext->t, ext->u ); + field_mul ( L2, ext->z, L1 ); + field_mul ( L0, ext->x, ext->y ); + field_neg ( L1, L0 ); + field_add ( L0, L1, L2 ); + L5 = field_is_zero( L0 ); /* * Check invariant: * 0 = d*t^2*u^2 + x^2 - y^2 + z^2 - t^2*u^2 */ - field_sqr ( &L2, &ext->y ); - field_negx ( &L1, &L2 ); - field_sqr ( &L0, &ext->x ); - field_add ( &L2, &L0, &L1 ); - field_sqr ( &L3, &ext->u ); - field_sqr ( &L0, &ext->t ); - field_mul ( &L1, &L0, &L3 ); - field_mulw_scc ( &L3, &L1, EDWARDS_D ); - field_add ( &L0, &L3, &L2 ); - field_negx ( &L3, &L1 ); - field_add ( &L2, &L3, &L0 ); - field_sqr ( &L1, &ext->z ); - field_add ( &L0, &L1, &L2 ); - L4 = field_is_zero( &L0 ); - return L5 & L4 &~ field_is_zero(&ext->z); + field_sqr ( L2, ext->y ); + field_neg ( L1, L2 ); + field_sqr ( L0, ext->x ); + field_add ( L2, L0, L1 ); + field_sqr ( L3, ext->u ); + field_sqr ( L0, ext->t ); + field_mul ( L1, L0, L3 ); + field_mulw_scc ( L3, L1, EDWARDS_D ); + field_add ( L0, L3, L2 ); + field_neg ( L3, L1 ); + field_add ( L2, L3, L0 ); + field_sqr ( L1, ext->z ); + field_add ( L0, L1, L2 ); + L4 = field_is_zero( L0 ); + return L5 & L4 &~ field_is_zero(ext->z); } mask_t @@ -938,33 +937,33 @@ validate_extensible ( const struct extensible_t* ext ) { mask_t L4, L5; - struct field_t L0, L1, L2, L3; + field_a_t L0, L1, L2, L3; /* * Check invariant: * 0 = d*t^2*u^2 - x^2 - y^2 + z^2 */ - field_sqr ( &L2, &ext->y ); - field_negx ( &L1, &L2 ); - field_sqr ( &L0, &ext->z ); - field_add ( &L2, &L0, &L1 ); - field_sqr ( &L3, &ext->u ); - field_sqr ( &L0, &ext->t ); - field_mul ( &L1, &L0, &L3 ); - field_mulw_scc ( &L0, &L1, EDWARDS_D ); - field_add ( &L1, &L0, &L2 ); - field_sqr ( &L0, &ext->x ); - field_negx ( &L2, &L0 ); - field_add ( &L0, &L2, &L1 ); - L5 = field_is_zero( &L0 ); + field_sqr ( L2, ext->y ); + field_neg ( L1, L2 ); + field_sqr ( L0, ext->z ); + field_add ( L2, L0, L1 ); + field_sqr ( L3, ext->u ); + field_sqr ( L0, ext->t ); + field_mul ( L1, L0, L3 ); + field_mulw_scc ( L0, L1, EDWARDS_D ); + field_add ( L1, L0, L2 ); + field_sqr ( L0, ext->x ); + field_neg ( L2, L0 ); + field_add ( L0, L2, L1 ); + L5 = field_is_zero( L0 ); /* * Check invariant: * 0 = -x*y + z*t*u */ - field_mul ( &L1, &ext->t, &ext->u ); - field_mul ( &L2, &ext->z, &L1 ); - field_mul ( &L0, &ext->x, &ext->y ); - field_negx ( &L1, &L0 ); - field_add ( &L0, &L1, &L2 ); - L4 = field_is_zero( &L0 ); - return L5 & L4 &~ field_is_zero(&ext->z); + field_mul ( L1, ext->t, ext->u ); + field_mul ( L2, ext->z, L1 ); + field_mul ( L0, ext->x, ext->y ); + field_neg ( L1, L0 ); + field_add ( L0, L1, L2 ); + L4 = field_is_zero( L0 ); + return L5 & L4 &~ field_is_zero(ext->z); } diff --git a/src/goldilocks.c b/src/goldilocks.c index f86e1ab..7cba9c4 100644 --- a/src/goldilocks.c +++ b/src/goldilocks.c @@ -162,7 +162,7 @@ goldilocks_derive_private_key ( struct sha512_ctx_t ctx; struct tw_extensible_t exta; - struct field_t pk; + field_a_t pk; sha512_init(&ctx); sha512_update(&ctx, (const unsigned char *)"derivepk", GOLDI_DIVERSIFY_BYTES); @@ -173,9 +173,9 @@ goldilocks_derive_private_key ( barrett_serialize(privkey->opaque, sk, GOLDI_FIELD_BYTES); scalarmul_fixed_base(&exta, sk, GOLDI_SCALAR_BITS, &goldilocks_global.fixed_base); - untwist_and_double_and_serialize(&pk, &exta); + untwist_and_double_and_serialize(pk, &exta); - field_serialize(&privkey->opaque[GOLDI_FIELD_BYTES], &pk); + field_serialize(&privkey->opaque[GOLDI_FIELD_BYTES], pk); return GOLDI_EOK; } @@ -225,11 +225,11 @@ goldilocks_private_to_public ( struct goldilocks_public_key_t *pubkey, const struct goldilocks_private_key_t *privkey ) { - struct field_t pk; - mask_t msucc = field_deserialize(&pk,&privkey->opaque[GOLDI_FIELD_BYTES]); + field_a_t pk; + mask_t msucc = field_deserialize(pk,&privkey->opaque[GOLDI_FIELD_BYTES]); if (msucc) { - field_serialize(pubkey->opaque, &pk); + field_serialize(pubkey->opaque, pk); return GOLDI_EOK; } else { return GOLDI_ECORRUPT; @@ -252,15 +252,15 @@ goldilocks_shared_secret_core ( assert(GOLDI_SHARED_SECRET_BYTES == SHA512_OUTPUT_BYTES); word_t sk[GOLDI_FIELD_WORDS]; - struct field_t pk; + field_a_t pk; - mask_t succ = field_deserialize(&pk,your_pubkey->opaque), msucc = -1; + mask_t succ = field_deserialize(pk,your_pubkey->opaque), msucc = -1; #ifdef EXPERIMENT_ECDH_STIR_IN_PUBKEYS - struct field_t sum, prod; - msucc &= field_deserialize(&sum,&my_privkey->opaque[GOLDI_FIELD_BYTES]); - field_mul(&prod,&pk,&sum); - field_add(&sum,&pk,&sum); + field_a_t sum, prod; + msucc &= field_deserialize(sum,&my_privkey->opaque[GOLDI_FIELD_BYTES]); + field_mul(prod,pk,sum); + field_add(sum,pk,sum); #endif msucc &= barrett_deserialize(sk,my_privkey->opaque,&curve_prime_order); @@ -269,17 +269,17 @@ goldilocks_shared_secret_core ( if (pre) { struct tw_extensible_t tw; succ &= scalarmul_fixed_base(&tw, sk, GOLDI_SCALAR_BITS, &pre->table); - untwist_and_double_and_serialize(&pk, &tw); + untwist_and_double_and_serialize(pk, &tw); } else { - succ &= montgomery_ladder(&pk,&pk,sk,GOLDI_SCALAR_BITS,1); + succ &= montgomery_ladder(pk,pk,sk,GOLDI_SCALAR_BITS,1); } #else (void)pre; - succ &= montgomery_ladder(&pk,&pk,sk,GOLDI_SCALAR_BITS,1); + succ &= montgomery_ladder(pk,pk,sk,GOLDI_SCALAR_BITS,1); #endif - field_serialize(gxy,&pk); + field_serialize(gxy,pk); /* obliterate records of our failure by adjusting with obliteration key */ struct sha512_ctx_t ctx; @@ -300,9 +300,9 @@ goldilocks_shared_secret_core ( #ifdef EXPERIMENT_ECDH_STIR_IN_PUBKEYS /* stir in the sum and product of the pubkeys. */ uint8_t a_pk[GOLDI_FIELD_BYTES]; - field_serialize(a_pk, &sum); + field_serialize(a_pk, sum); sha512_update(&ctx, a_pk, GOLDI_FIELD_BYTES); - field_serialize(a_pk, &prod); + field_serialize(a_pk, prod); sha512_update(&ctx, a_pk, GOLDI_FIELD_BYTES); #endif @@ -383,11 +383,11 @@ goldilocks_sign ( /* 4[nonce]G */ uint8_t signature_tmp[GOLDI_FIELD_BYTES]; struct tw_extensible_t exta; - struct field_t gsk; + field_a_t gsk; scalarmul_fixed_base(&exta, tk, GOLDI_SCALAR_BITS, &goldilocks_global.fixed_base); double_tw_extensible(&exta); - untwist_and_double_and_serialize(&gsk, &exta); - field_serialize(signature_tmp, &gsk); + untwist_and_double_and_serialize(gsk, &exta); + field_serialize(signature_tmp, gsk); word_t challenge[GOLDI_FIELD_WORDS]; goldilocks_derive_challenge ( @@ -437,10 +437,10 @@ goldilocks_verify ( return GOLDI_EUNINIT; } - struct field_t pk; + field_a_t pk; word_t s[GOLDI_FIELD_WORDS]; - mask_t succ = field_deserialize(&pk,pubkey->opaque); + mask_t succ = field_deserialize(pk,pubkey->opaque); if (!succ) return GOLDI_EINVAL; succ = barrett_deserialize(s, &signature[GOLDI_FIELD_BYTES], &curve_prime_order); @@ -449,14 +449,14 @@ goldilocks_verify ( word_t challenge[GOLDI_FIELD_WORDS]; goldilocks_derive_challenge(challenge, pubkey->opaque, signature, message, message_len); - struct field_t eph; + field_a_t eph; struct tw_extensible_t pk_text; /* deserialize [nonce]G */ - succ = field_deserialize(&eph, signature); + succ = field_deserialize(eph, signature); if (!succ) return GOLDI_EINVAL; - succ = deserialize_and_twist_approx(&pk_text, &sqrt_d_minus_1, &pk); + succ = deserialize_and_twist_approx(&pk_text, pk); if (!succ) return GOLDI_EINVAL; linear_combo_var_fixed_vt( &pk_text, @@ -464,9 +464,9 @@ goldilocks_verify ( s, GOLDI_SCALAR_BITS, goldilocks_global.wnafs, WNAF_PRECMP_BITS ); - untwist_and_double_and_serialize( &pk, &pk_text ); + untwist_and_double_and_serialize( pk, &pk_text ); - succ = field_eq(&eph, &pk); + succ = field_eq(eph, pk); return succ ? 0 : GOLDI_EINVAL; } #endif @@ -485,14 +485,14 @@ goldilocks_precompute_public_key ( struct tw_extensible_t pk_text; - struct field_t pk; - mask_t succ = field_deserialize(&pk, pub->opaque); + field_a_t pk; + mask_t succ = field_deserialize(pk, pub->opaque); if (!succ) { free(precom); return NULL; } - succ = deserialize_and_twist_approx(&pk_text, &sqrt_d_minus_1, &pk); + succ = deserialize_and_twist_approx(&pk_text, pk); if (!succ) { free(precom); return NULL; @@ -538,11 +538,11 @@ goldilocks_verify_precomputed ( word_t challenge[GOLDI_FIELD_WORDS]; goldilocks_derive_challenge(challenge, pubkey->pub.opaque, signature, message, message_len); - struct field_t eph, pk; + field_a_t eph, pk; struct tw_extensible_t pk_text; /* deserialize [nonce]G */ - succ = field_deserialize(&eph, signature); + succ = field_deserialize(eph, signature); if (!succ) return GOLDI_EINVAL; succ = linear_combo_combs_vt ( @@ -552,9 +552,9 @@ goldilocks_verify_precomputed ( ); if (!succ) return GOLDI_EINVAL; - untwist_and_double_and_serialize( &pk, &pk_text ); + untwist_and_double_and_serialize( pk, &pk_text ); - succ = field_eq(&eph, &pk); + succ = field_eq(eph, pk); return succ ? 0 : GOLDI_EINVAL; } diff --git a/src/include/ec_point.h b/src/include/ec_point.h index 0391928..f91216d 100644 --- a/src/include/ec_point.h +++ b/src/include/ec_point.h @@ -21,28 +21,28 @@ extern "C" { * Affine point on an Edwards curve. */ struct affine_t { - struct field_t x, y; + field_a_t x, y; }; /** * Affine point on a twisted Edwards curve. */ struct tw_affine_t { - struct field_t x, y; + field_a_t x, y; }; /** * Montgomery buffer. */ struct montgomery_t { - struct field_t z0, xd, zd, xa, za; + field_a_t z0, xd, zd, xa, za; }; /** * Montgomery buffer, augmented version. */ struct montgomery_aux_t { - struct field_t s0, xd, zd, xa, za, xs, zs; + field_a_t s0, xd, zd, xa, za, xs, zs; }; /** @@ -64,7 +64,7 @@ struct montgomery_aux_t { * instead. */ struct extensible_t { - struct field_t x, y, z, t, u; + field_a_t x, y, z, t, u; }; /** @@ -72,7 +72,7 @@ struct extensible_t { * suitable for accumulators. */ struct tw_extensible_t { - struct field_t x, y, z, t, u; + field_a_t x, y, z, t, u; }; /** @@ -81,7 +81,7 @@ struct tw_extensible_t { * Good for mixed readdition; suitable for fixed tables. */ struct tw_niels_t { - struct field_t a, b, c; + field_a_t a, b, c; }; /** @@ -91,7 +91,7 @@ struct tw_niels_t { */ struct tw_pniels_t { struct tw_niels_t n; - struct field_t z; + field_a_t z; }; @@ -285,20 +285,20 @@ montgomery_aux_step ( void deserialize_montgomery ( struct montgomery_t* a, - const struct field_t* sbz + const field_a_t sbz ); mask_t serialize_montgomery ( - struct field_t* b, + field_a_t b, const struct montgomery_t* a, - const struct field_t* sbz + const field_a_t sbz ); void deserialize_montgomery_decaf ( struct montgomery_aux_t* a, - const struct field_t *s + const field_a_t s ); /** @@ -314,7 +314,7 @@ deserialize_montgomery_decaf ( */ void serialize_extensible ( - struct field_t* b, + field_a_t b, const struct extensible_t* a ); @@ -323,7 +323,7 @@ serialize_extensible ( */ void untwist_and_double_and_serialize ( - struct field_t* b, + field_a_t b, const struct tw_extensible_t* a ); @@ -363,7 +363,7 @@ test_only_twist ( mask_t field_is_square ( - const struct field_t* x + const field_a_t x ); mask_t @@ -382,7 +382,7 @@ is_even_tw ( mask_t deserialize_affine ( struct affine_t* a, - const struct field_t* sz + const field_a_t sz ); /** @@ -395,22 +395,21 @@ deserialize_affine ( mask_t deserialize_and_twist_approx ( struct tw_extensible_t* a, - const struct field_t* sdm1, - const struct field_t* sz + const field_a_t sz ) __attribute__((warn_unused_result)); mask_t decaf_deserialize_affine ( - struct affine_t *a, - const struct field_t *s, + struct affine_t *a, + const field_a_t s, mask_t allow_identity ) __attribute__((warn_unused_result)); void decaf_serialize_extensible ( - struct field_t* b, + field_a_t b, const struct extensible_t* a ); @@ -418,14 +417,14 @@ decaf_serialize_extensible ( mask_t decaf_deserialize_tw_affine ( struct tw_affine_t *a, - const struct field_t *s, + const field_a_t s, mask_t allow_identity ) __attribute__((warn_unused_result)); void decaf_serialize_tw_extensible ( - struct field_t* b, + field_a_t b, const struct tw_extensible_t* a ); @@ -465,7 +464,7 @@ eq_tw_extensible ( void elligator_2s_inject ( struct affine_t* a, - const struct field_t* r + const field_a_t r ); mask_t @@ -516,8 +515,8 @@ cond_negate_tw_niels ( struct tw_niels_t *n, mask_t doNegate ) { - constant_time_cond_swap(&n->a, &n->b, sizeof(n->a), doNegate); - field_cond_neg(&n->c, doNegate); + constant_time_cond_swap(n->a, n->b, sizeof(n->a), doNegate); + field_cond_neg(n->c, doNegate); } /** @@ -537,8 +536,8 @@ copy_affine ( struct affine_t* a, const struct affine_t* ds ) { - field_copy ( &a->x, &ds->x ); - field_copy ( &a->y, &ds->y ); + field_copy ( a->x, ds->x ); + field_copy ( a->y, ds->y ); } void @@ -546,8 +545,8 @@ copy_tw_affine ( struct tw_affine_t* a, const struct tw_affine_t* ds ) { - field_copy ( &a->x, &ds->x ); - field_copy ( &a->y, &ds->y ); + field_copy ( a->x, ds->x ); + field_copy ( a->y, ds->y ); } void @@ -555,11 +554,11 @@ copy_montgomery ( struct montgomery_t* a, const struct montgomery_t* ds ) { - field_copy ( &a->z0, &ds->z0 ); - field_copy ( &a->xd, &ds->xd ); - field_copy ( &a->zd, &ds->zd ); - field_copy ( &a->xa, &ds->xa ); - field_copy ( &a->za, &ds->za ); + field_copy ( a->z0, ds->z0 ); + field_copy ( a->xd, ds->xd ); + field_copy ( a->zd, ds->zd ); + field_copy ( a->xa, ds->xa ); + field_copy ( a->za, ds->za ); } void @@ -567,11 +566,11 @@ copy_extensible ( struct extensible_t* a, const struct extensible_t* ds ) { - field_copy ( &a->x, &ds->x ); - field_copy ( &a->y, &ds->y ); - field_copy ( &a->z, &ds->z ); - field_copy ( &a->t, &ds->t ); - field_copy ( &a->u, &ds->u ); + field_copy ( a->x, ds->x ); + field_copy ( a->y, ds->y ); + field_copy ( a->z, ds->z ); + field_copy ( a->t, ds->t ); + field_copy ( a->u, ds->u ); } void @@ -579,11 +578,11 @@ copy_tw_extensible ( struct tw_extensible_t* a, const struct tw_extensible_t* ds ) { - field_copy ( &a->x, &ds->x ); - field_copy ( &a->y, &ds->y ); - field_copy ( &a->z, &ds->z ); - field_copy ( &a->t, &ds->t ); - field_copy ( &a->u, &ds->u ); + field_copy ( a->x, ds->x ); + field_copy ( a->y, ds->y ); + field_copy ( a->z, ds->z ); + field_copy ( a->t, ds->t ); + field_copy ( a->u, ds->u ); } void @@ -591,9 +590,9 @@ copy_tw_niels ( struct tw_niels_t* a, const struct tw_niels_t* ds ) { - field_copy ( &a->a, &ds->a ); - field_copy ( &a->b, &ds->b ); - field_copy ( &a->c, &ds->c ); + field_copy ( a->a, ds->a ); + field_copy ( a->b, ds->b ); + field_copy ( a->c, ds->c ); } void @@ -602,7 +601,7 @@ copy_tw_pniels ( const struct tw_pniels_t* ds ) { copy_tw_niels( &a->n, &ds->n ); - field_copy ( &a->z, &ds->z ); + field_copy ( a->z, ds->z ); } #ifdef __cplusplus diff --git a/src/include/field.h b/src/include/field.h index 77aa2a0..212eda5 100644 --- a/src/include/field.h +++ b/src/include/field.h @@ -14,6 +14,9 @@ #include "f_field.h" #include +typedef struct field_t field_a_t[1]; +#define field_a_restrict_t struct field_t *__restrict__ + #define is32 (GOLDI_BITS == 32 || FIELD_BITS != 448) #if (is32) #define IF32(s) (s) @@ -54,8 +57,8 @@ extern const uint8_t FIELD_MODULUS[FIELD_BYTES]; static inline void __attribute__((unused,always_inline)) field_copy ( - struct field_t *__restrict__ a, - const struct field_t *__restrict__ b + field_a_restrict_t a, + const field_a_restrict_t b ) { memcpy(a,b,sizeof(*a)); } @@ -70,8 +73,8 @@ field_copy ( */ void field_isr ( - struct field_t* a, - const struct field_t* x + field_a_t a, + const field_a_t x ); /** @@ -81,8 +84,8 @@ field_isr ( */ void field_simultaneous_invert ( - struct field_t *__restrict__ out, - const struct field_t *in, + field_a_t *__restrict__ out, + const field_a_t *in, unsigned int n ); @@ -93,8 +96,8 @@ field_simultaneous_invert ( */ void field_inverse ( - struct field_t* a, - const struct field_t* x + field_a_t a, + const field_a_t x ); /** @@ -102,8 +105,8 @@ field_inverse ( */ mask_t field_eq ( - const struct field_t *a, - const struct field_t *b + const field_a_t a, + const field_a_t b ); /** @@ -112,23 +115,23 @@ field_eq ( static __inline__ void __attribute__((unused,always_inline)) field_sqrn ( - field_t *__restrict__ y, - const field_t *x, + field_a_restrict_t y, + const field_a_t x, int n ) { - field_t tmp; + field_a_t tmp; assert(n>0); if (n&1) { field_sqr(y,x); n--; } else { - field_sqr(&tmp,x); - field_sqr(y,&tmp); + field_sqr(tmp,x); + field_sqr(y,tmp); n-=2; } for (; n; n-=2) { - field_sqr(&tmp,y); - field_sqr(y,&tmp); + field_sqr(tmp,y); + field_sqr(y,tmp); } } @@ -152,8 +155,8 @@ field_make_nonzero (struct field_t *f) { /* Multiply by signed curve constant */ static __inline__ void field_mulw_scc ( - struct field_t* __restrict__ out, - const struct field_t *a, + field_a_restrict_t out, + const field_a_t a, int64_t scc ) { if (scc >= 0) { @@ -168,8 +171,8 @@ field_mulw_scc ( /* Multiply by signed curve constant and weak reduce if biased */ static __inline__ void field_mulw_scc_wr ( - struct field_t* __restrict__ out, - const struct field_t *a, + field_a_restrict_t out, + const field_a_t a, int64_t scc ) { field_mulw_scc(out, a, scc); @@ -179,9 +182,9 @@ field_mulw_scc_wr ( static __inline__ void field_subx_RAW ( - struct field_t *d, - const struct field_t *a, - const struct field_t *b + field_a_t d, + const field_a_t a, + const field_a_t b ) { field_sub_RAW ( d, a, b ); field_bias( d, 2 ); @@ -190,9 +193,9 @@ field_subx_RAW ( static __inline__ void field_sub ( - struct field_t *d, - const struct field_t *a, - const struct field_t *b + field_a_t d, + const field_a_t a, + const field_a_t b ) { field_sub_RAW ( d, a, b ); field_bias( d, 2 ); @@ -201,9 +204,9 @@ field_sub ( static __inline__ void field_add ( - struct field_t *d, - const struct field_t *a, - const struct field_t *b + field_a_t d, + const field_a_t a, + const field_a_t b ) { field_add_RAW ( d, a, b ); field_weak_reduce ( d ); @@ -211,7 +214,7 @@ field_add ( static __inline__ void field_subw ( - struct field_t *d, + field_a_t d, word_t c ) { field_subw_RAW ( d, c ); @@ -220,9 +223,9 @@ field_subw ( } static __inline__ void -field_negx ( - struct field_t *d, - const struct field_t *a +field_neg ( + field_a_t d, + const field_a_t a ) { field_neg_RAW ( d, a ); field_bias( d, 2 ); @@ -235,12 +238,12 @@ field_negx ( static inline void __attribute__((unused,always_inline)) field_cond_neg ( - field_t *a, + field_a_t a, mask_t doNegate ) { - struct field_t negated; - field_negx(&negated, a); - constant_time_select(a, &negated, a, sizeof(negated), doNegate); + field_a_t negated; + field_neg(negated, a); + constant_time_select(a, negated, a, sizeof(negated), doNegate); } /** Require the warning annotation on raw routines */ diff --git a/src/include/magic.h b/src/include/magic.h index badf484..551060e 100644 --- a/src/include/magic.h +++ b/src/include/magic.h @@ -45,12 +45,12 @@ /** * @brief sqrt(d-1), used for point formats and twisting. */ -extern const struct field_t sqrt_d_minus_1; +extern const field_a_t sqrt_d_minus_1; /** * @brief sqrt(-d), used for point formats and twisting. */ -extern const struct field_t sqrt_minus_d; +extern const field_a_t sqrt_minus_d; /** * @brief The base point for Goldilocks. diff --git a/src/include/scalarmul.h b/src/include/scalarmul.h index bd97cc9..ecb1782 100644 --- a/src/include/scalarmul.h +++ b/src/include/scalarmul.h @@ -90,8 +90,8 @@ struct fixed_base_table_t { */ mask_t montgomery_ladder ( - struct field_t *out, - const struct field_t *in, + field_a_t out, + const field_a_t in, const word_t *scalar, unsigned int nbits, unsigned int n_extra_doubles diff --git a/src/p448/f_arithmetic.c b/src/p448/f_arithmetic.c index 82f35b8..c9b87e5 100644 --- a/src/p448/f_arithmetic.c +++ b/src/p448/f_arithmetic.c @@ -12,32 +12,32 @@ void field_isr ( - struct field_t* a, - const struct field_t* x + field_a_t a, + const field_a_t x ) { - struct field_t L0, L1, L2; - field_sqr ( &L1, x ); - field_mul ( &L2, x, &L1 ); - field_sqr ( &L1, &L2 ); - field_mul ( &L2, x, &L1 ); - field_sqrn ( &L1, &L2, 3 ); - field_mul ( &L0, &L2, &L1 ); - field_sqrn ( &L1, &L0, 3 ); - field_mul ( &L0, &L2, &L1 ); - field_sqrn ( &L2, &L0, 9 ); - field_mul ( &L1, &L0, &L2 ); - field_sqr ( &L0, &L1 ); - field_mul ( &L2, x, &L0 ); - field_sqrn ( &L0, &L2, 18 ); - field_mul ( &L2, &L1, &L0 ); - field_sqrn ( &L0, &L2, 37 ); - field_mul ( &L1, &L2, &L0 ); - field_sqrn ( &L0, &L1, 37 ); - field_mul ( &L1, &L2, &L0 ); - field_sqrn ( &L0, &L1, 111 ); - field_mul ( &L2, &L1, &L0 ); - field_sqr ( &L0, &L2 ); - field_mul ( &L1, x, &L0 ); - field_sqrn ( &L0, &L1, 223 ); - field_mul ( a, &L2, &L0 ); + field_a_t L0, L1, L2; + field_sqr ( L1, x ); + field_mul ( L2, x, L1 ); + field_sqr ( L1, L2 ); + field_mul ( L2, x, L1 ); + field_sqrn ( L1, L2, 3 ); + field_mul ( L0, L2, L1 ); + field_sqrn ( L1, L0, 3 ); + field_mul ( L0, L2, L1 ); + field_sqrn ( L2, L0, 9 ); + field_mul ( L1, L0, L2 ); + field_sqr ( L0, L1 ); + field_mul ( L2, x, L0 ); + field_sqrn ( L0, L2, 18 ); + field_mul ( L2, L1, L0 ); + field_sqrn ( L0, L2, 37 ); + field_mul ( L1, L2, L0 ); + field_sqrn ( L0, L1, 37 ); + field_mul ( L1, L2, L0 ); + field_sqrn ( L0, L1, 111 ); + field_mul ( L2, L1, L0 ); + field_sqr ( L0, L2 ); + field_mul ( L1, x, L0 ); + field_sqrn ( L0, L1, 223 ); + field_mul ( a, L2, L0 ); } diff --git a/src/p448/magic.c b/src/p448/magic.c index 42db98f..9258614 100644 --- a/src/p448/magic.c +++ b/src/p448/magic.c @@ -35,17 +35,17 @@ const word_t SCALARMUL_FIXED_WINDOW_ADJUSTMENT[2*SCALAR_WORDS] = { const struct affine_t goldilocks_base_point = { #ifdef USE_NEON_PERM - {{ 0xaed939f,0xc59d070,0xf0de840,0x5f065c3, 0xf4ba0c7,0xdf73324,0xc170033,0x3a6a26a, + {{{ 0xaed939f,0xc59d070,0xf0de840,0x5f065c3, 0xf4ba0c7,0xdf73324,0xc170033,0x3a6a26a, 0x4c63d96,0x4609845,0xf3932d9,0x1b4faff, 0x6147eaa,0xa2692ff,0x9cecfa9,0x297ea0e - }}, + }}}, #else - {{ U56LE(0xf0de840aed939f), U56LE(0xc170033f4ba0c7), + {{{ U56LE(0xf0de840aed939f), U56LE(0xc170033f4ba0c7), U56LE(0xf3932d94c63d96), U56LE(0x9cecfa96147eaa), U56LE(0x5f065c3c59d070), U56LE(0x3a6a26adf73324), U56LE(0x1b4faff4609845), U56LE(0x297ea0ea2692ff) - }}, + }}}, #endif - {{ 19 }} + {{{ 19 }}} }; static const word_t curve_prime_order_lo[(224+WORD_BITS-1)/WORD_BITS] = { @@ -61,8 +61,8 @@ const struct barrett_prime_t curve_prime_order = { curve_prime_order_lo }; -const struct field_t -sqrt_d_minus_1 = {{ +const field_a_t +sqrt_d_minus_1 = {{{ #ifdef USE_NEON_PERM 0x6749f46,0x24d9770,0xd2e2183,0xa49f7b4, 0xb4f0179,0x8c5f656,0x888db42,0xdcac462, @@ -78,10 +78,10 @@ sqrt_d_minus_1 = {{ U56LE(0x49443b8748734a), U56LE(0x12fec0c0b25b7a) #endif -}}; +}}}; -const struct field_t -sqrt_minus_d = {{ +const field_a_t +sqrt_minus_d = {{{ #ifdef USE_NEON_PERM 0x5572736,0x4a2d780,0x42ef0f4,0xb8d54b6, 0x0ce5296,0x1a7b8a5,0x7bf6aa2,0x6aa0a1f, @@ -97,4 +97,4 @@ sqrt_minus_d = {{ U56LE(0x683bf68d722fa2), U56LE(0x22d962fbeb24f7) #endif -}}; +}}}; diff --git a/src/p480/f_arithmetic.c b/src/p480/f_arithmetic.c index d616e42..bc8e657 100644 --- a/src/p480/f_arithmetic.c +++ b/src/p480/f_arithmetic.c @@ -12,32 +12,32 @@ void field_isr ( - struct field_t* a, - const struct field_t* x + field_a_t a, + const field_a_t x ) { - struct field_t L0, L1, L2, L3; - field_sqr ( &L2, x ); - field_mul ( &L1, x, &L2 ); - field_sqrn ( &L0, &L1, 2 ); - field_mul ( &L2, &L1, &L0 ); - field_sqrn ( &L0, &L2, 4 ); - field_mul ( &L1, &L2, &L0 ); - field_sqr ( &L0, &L1 ); - field_mul ( &L2, x, &L0 ); - field_sqrn ( &L0, &L2, 8 ); - field_mul ( &L2, &L1, &L0 ); - field_sqrn ( &L0, &L2, 17 ); - field_mul ( &L1, &L2, &L0 ); - field_sqrn ( &L0, &L1, 17 ); - field_mul ( &L1, &L2, &L0 ); - field_sqrn ( &L3, &L1, 17 ); - field_mul ( &L0, &L2, &L3 ); - field_sqrn ( &L2, &L0, 51 ); - field_mul ( &L0, &L1, &L2 ); - field_sqrn ( &L1, &L0, 119 ); - field_mul ( &L2, &L0, &L1 ); - field_sqr ( &L0, &L2 ); - field_mul ( &L1, x, &L0 ); - field_sqrn ( &L0, &L1, 239 ); - field_mul ( a, &L2, &L0 ); + field_a_t L0, L1, L2, L3; + field_sqr ( L2, x ); + field_mul ( L1, x, L2 ); + field_sqrn ( L0, L1, 2 ); + field_mul ( L2, L1, L0 ); + field_sqrn ( L0, L2, 4 ); + field_mul ( L1, L2, L0 ); + field_sqr ( L0, L1 ); + field_mul ( L2, x, L0 ); + field_sqrn ( L0, L2, 8 ); + field_mul ( L2, L1, L0 ); + field_sqrn ( L0, L2, 17 ); + field_mul ( L1, L2, L0 ); + field_sqrn ( L0, L1, 17 ); + field_mul ( L1, L2, L0 ); + field_sqrn ( L3, L1, 17 ); + field_mul ( L0, L2, L3 ); + field_sqrn ( L2, L0, 51 ); + field_mul ( L0, L1, L2 ); + field_sqrn ( L1, L0, 119 ); + field_mul ( L2, L0, L1 ); + field_sqr ( L0, L2 ); + field_mul ( L1, x, L0 ); + field_sqrn ( L0, L1, 239 ); + field_mul ( a, L2, L0 ); } diff --git a/src/p480/magic.c b/src/p480/magic.c index fbb3011..db6ba43 100644 --- a/src/p480/magic.c +++ b/src/p480/magic.c @@ -36,7 +36,7 @@ const word_t SCALARMUL_FIXED_WINDOW_ADJUSTMENT[2*SCALAR_WORDS] = { }; const struct affine_t goldilocks_base_point = { - {{ + {{{ U60LE(0x849ff7f845c30d3), U60LE(0x7dda488553a4c5b), U60LE(0x1d3a2d9844831ea), @@ -45,8 +45,8 @@ const struct affine_t goldilocks_base_point = { U60LE(0xfc955e59aeefa65), U60LE(0x3ab247cd530013c), U60LE(0x7ca42af3d564280) - }}, - {{ 5 }} + }}}, + {{{ 5 }}} }; static const word_t curve_prime_order_lo[(240+WORD_BITS-1)/WORD_BITS] = { @@ -62,13 +62,13 @@ const struct barrett_prime_t curve_prime_order = { curve_prime_order_lo }; -const struct field_t -sqrt_d_minus_1 = {{ +const field_a_t +sqrt_d_minus_1 = {{{ 232 /* Whoa, it comes out even. */ -}}; +}}}; -const struct field_t -sqrt_minus_d = {{ +const field_a_t +sqrt_minus_d = {{{ U60LE(0xf098fba8d880ec0), U60LE(0x9d6ea1b2774d3e9), U60LE(0x1a52c44c0154b38), @@ -77,4 +77,4 @@ sqrt_minus_d = {{ U60LE(0xb9d4b5edcfee721), U60LE(0x65275d687c7215d), U60LE(0x3458ffa5bbfdea5) -}}; +}}}; diff --git a/src/p521/f_arithmetic.c b/src/p521/f_arithmetic.c index 7fbdfb8..37c0b50 100644 --- a/src/p521/f_arithmetic.c +++ b/src/p521/f_arithmetic.c @@ -12,32 +12,32 @@ void field_isr ( - struct field_t* a, - const struct field_t* x + field_a_t a, + const field_a_t x ) { - struct field_t L0, L1, L2; - field_sqr ( &L1, x ); - field_mul ( &L0, x, &L1 ); - field_sqrn ( &L2, &L0, 2 ); - field_mul ( &L1, &L0, &L2 ); - field_sqrn ( &L2, &L1, 4 ); - field_mul ( &L0, &L1, &L2 ); - field_sqrn ( &L2, &L0, 8 ); - field_mul ( &L1, &L0, &L2 ); - field_sqrn ( &L2, &L1, 16 ); - field_mul ( &L0, &L1, &L2 ); - field_sqrn ( &L2, &L0, 32 ); - field_mul ( &L1, &L0, &L2 ); - field_sqr ( &L2, &L1 ); - field_mul ( &L0, x, &L2 ); - field_sqrn ( &L2, &L0, 64 ); - field_mul ( &L0, &L1, &L2 ); - field_sqrn ( &L2, &L0, 129 ); - field_mul ( &L1, &L0, &L2 ); - field_sqr ( &L2, &L1 ); - field_mul ( &L0, x, &L2 ); - field_sqrn ( &L2, &L0, 259 ); - field_mul ( &L1, &L0, &L2 ); - field_sqr ( &L0, &L1 ); - field_mul ( a, x, &L0 ); + field_a_t L0, L1, L2; + field_sqr ( L1, x ); + field_mul ( L0, x, L1 ); + field_sqrn ( L2, L0, 2 ); + field_mul ( L1, L0, L2 ); + field_sqrn ( L2, L1, 4 ); + field_mul ( L0, L1, L2 ); + field_sqrn ( L2, L0, 8 ); + field_mul ( L1, L0, L2 ); + field_sqrn ( L2, L1, 16 ); + field_mul ( L0, L1, L2 ); + field_sqrn ( L2, L0, 32 ); + field_mul ( L1, L0, L2 ); + field_sqr ( L2, L1 ); + field_mul ( L0, x, L2 ); + field_sqrn ( L2, L0, 64 ); + field_mul ( L0, L1, L2 ); + field_sqrn ( L2, L0, 129 ); + field_mul ( L1, L0, L2 ); + field_sqr ( L2, L1 ); + field_mul ( L0, x, L2 ); + field_sqrn ( L2, L0, 259 ); + field_mul ( L1, L0, L2 ); + field_sqr ( L0, L1 ); + field_mul ( a, x, L0 ); } diff --git a/src/p521/magic.c b/src/p521/magic.c index 5319f6c..1ab3293 100644 --- a/src/p521/magic.c +++ b/src/p521/magic.c @@ -39,7 +39,7 @@ const word_t SCALARMUL_FIXED_WINDOW_ADJUSTMENT[2*SCALAR_WORDS] = { }; const struct affine_t goldilocks_base_point = { - {{ + {{{ #ifdef USE_P521_3x3_TRANSPOSE U58LE(0x02a940a2f19ba6c), U58LE(0x3331c90d2c6ba52), @@ -64,8 +64,8 @@ const struct affine_t goldilocks_base_point = { U58LE(0x06277e432c8a5ac), U58LE(0x0752cb45c48648b) #endif - }}, - {{ 12 }} + }}}, + {{{ 12 }}} }; static const word_t curve_prime_order_lo[(261+WORD_BITS-1)/WORD_BITS] = { @@ -82,8 +82,8 @@ const struct barrett_prime_t curve_prime_order = { curve_prime_order_lo }; -const struct field_t -sqrt_d_minus_1 = {{ +const field_a_t +sqrt_d_minus_1 = {{{ #ifdef USE_P521_3x3_TRANSPOSE U58LE(0x1e2be72c1c81990), U58LE(0x207dfc238a33e46), @@ -108,10 +108,10 @@ sqrt_d_minus_1 = {{ U58LE(0x0524b9e715937f5), U58LE(0x0a9ea3ac10d6aed) #endif -}}; +}}}; -const struct field_t -sqrt_minus_d = {{ +const field_a_t +sqrt_minus_d = {{{ #ifdef USE_P521_3x3_TRANSPOSE U58LE(0x375d668ef98910e), U58LE(0x2e033a89e955dfc), @@ -136,4 +136,4 @@ sqrt_minus_d = {{ U58LE(0x009993c0e8ee528), U58LE(0x0d07656ee612ae6) #endif -}}; +}}}; diff --git a/src/scalarmul.c b/src/scalarmul.c index b85a42c..cf95984 100644 --- a/src/scalarmul.c +++ b/src/scalarmul.c @@ -15,8 +15,8 @@ mask_t montgomery_ladder ( - struct field_t *out, - const struct field_t *in, + field_a_t out, + const field_a_t in, const word_t *scalar, unsigned int nbits, unsigned int n_extra_doubles @@ -30,15 +30,15 @@ montgomery_ladder ( word_t w = scalar[j]; for (i=n; i>=0; i--) { mask_t flip = -((w>>i)&1); - constant_time_cond_swap(&mont.xa,&mont.xd,sizeof(mont.xd),flip^pflip); - constant_time_cond_swap(&mont.za,&mont.zd,sizeof(mont.xd),flip^pflip); + constant_time_cond_swap(mont.xa,mont.xd,sizeof(mont.xd),flip^pflip); + constant_time_cond_swap(mont.za,mont.zd,sizeof(mont.xd),flip^pflip); montgomery_step(&mont); pflip = flip; } n = WORD_BITS-1; } - constant_time_cond_swap(&mont.xa,&mont.xd,sizeof(mont.xd),pflip); - constant_time_cond_swap(&mont.za,&mont.zd,sizeof(mont.xd),pflip); + constant_time_cond_swap(mont.xa,mont.xd,sizeof(mont.xd),pflip); + constant_time_cond_swap(mont.za,mont.zd,sizeof(mont.xd),pflip); assert(n_extra_doubles < INT_MAX); for (j=0; j<(int)n_extra_doubles; j++) { @@ -475,8 +475,8 @@ precompute_fixed_base ( struct tw_pniels_t pn_tmp; struct tw_pniels_t *doubles = (struct tw_pniels_t *) malloc_vector(sizeof(*doubles) * (t-1)); - struct field_t *zs = (struct field_t *) malloc_vector(sizeof(*zs) * (n<<(t-1))); - struct field_t *zis = (struct field_t *) malloc_vector(sizeof(*zis) * (n<<(t-1))); + field_a_t *zs = (field_a_t *) malloc_vector(sizeof(*zs) * (n<<(t-1))); + field_a_t *zis = (field_a_t *) malloc_vector(sizeof(*zis) * (n<<(t-1))); struct tw_niels_t *table = prealloc; if (prealloc) { @@ -562,7 +562,7 @@ precompute_fixed_base ( convert_tw_extensible_to_tw_pniels(&pn_tmp, &start); copy_tw_niels(&table[idx], &pn_tmp.n); - field_copy(&zs[idx], &pn_tmp.z); + field_copy(zs[idx], pn_tmp.z); if (j >= (1u<<(t-1)) - 1) break; int delta = (j+1) ^ ((j+1)>>1) ^ gray; @@ -584,22 +584,22 @@ precompute_fixed_base ( field_simultaneous_invert(zis, zs, n<<(t-1)); - field_t product; + field_a_t product; for (i=0; i 0) { @@ -659,32 +659,32 @@ precompute_fixed_base_wnaf ( add_tw_pniels_to_tw_extensible(&base, &tmp); convert_tw_extensible_to_tw_pniels(&tmp, &base); - field_copy(&zs[1], &tmp.z); + field_copy(zs[1], tmp.z); copy_tw_niels(&out[1], &tmp.n); for (i=2; i < 1<x); - field_print(" y", &a->y); - field_print(" z", &a->z); - field_inverse(&zi, &a->z); - field_mul(&scaled, &zi, &a->x); - field_print(" X", &scaled); - field_mul(&scaled, &zi, &a->y); - field_print(" Y", &scaled); + field_a_t zi, scaled; + field_print(" x", a->x); + field_print(" y", a->y); + field_print(" z", a->z); + field_inverse(zi, a->z); + field_mul(scaled, zi, a->x); + field_print(" X", scaled); + field_mul(scaled, zi, a->y); + field_print(" Y", scaled); printf("\n"); } @@ -165,10 +165,10 @@ add_double_test ( if (~succ) { printf(" Bases were:\n"); - field_print(" x1", &base1->x); - field_print(" y1", &base1->y); - field_print(" x2", &base2->x); - field_print(" y2", &base2->y); + field_print(" x1", base1->x); + field_print(" y1", base1->y); + field_print(" x2", base2->x); + field_print(" y2", base2->y); } return succ ? 0 : -1; @@ -211,18 +211,18 @@ single_twisting_test ( succ = 0; } /* FUTURE: quadness */ - field_t sera,serb; - untwist_and_double_and_serialize(&sera,&text); + field_a_t sera,serb; + untwist_and_double_and_serialize(sera,&text); copy_extensible(&tmpext,&exb); double_extensible(&tmpext); - serialize_extensible(&serb,&tmpext); + serialize_extensible(serb,&tmpext); /* check that their (doubled; FUTURE?) serializations are equal */ - if (~field_eq(&sera,&serb)) { + if (~field_eq(sera,serb)) { youfail(); printf(" Different serialization from twist + double ()\n"); - field_print(" t", &sera); - field_print(" b", &serb); + field_print(" t", sera); + field_print(" b", serb); succ = 0; } @@ -242,8 +242,8 @@ single_twisting_test ( if (~succ) { printf(" Base was:\n"); - field_print(" x", &base->x); - field_print(" y", &base->y); + field_print(" x", base->x); + field_print(" y", base->y); } @@ -253,7 +253,7 @@ single_twisting_test ( int test_decaf (void) { struct affine_t base; struct tw_affine_t tw_base; - struct field_t serf; + field_a_t serf; struct crandom_state_t crand; crandom_init_from_buffer(&crand, "my test_decaf random initializer"); @@ -267,87 +267,87 @@ int test_decaf (void) { #endif ser[0] &= ~1; - mask_t succ = field_deserialize(&serf, ser); + mask_t succ = field_deserialize(serf, ser); if (!succ) { youfail(); printf(" Unlikely: fail at field_deserialize\n"); return -1; } - succ &= decaf_deserialize_affine(&base, &serf, 0); + succ &= decaf_deserialize_affine(&base, serf, 0); if (!succ) continue; hits++; - struct field_t serf2; + field_a_t serf2; struct extensible_t ext; convert_affine_to_extensible(&ext, &base); - decaf_serialize_extensible(&serf2, &ext); + decaf_serialize_extensible(serf2, &ext); if (~validate_affine(&base)) { youfail(); printf("Invalid decaf deser:\n"); - field_print(" s", &serf); - field_print(" x", &base.x); - field_print(" y", &base.y); + field_print(" s", serf); + field_print(" x", base.x); + field_print(" y", base.y); fails ++; - } else if (~field_eq(&serf, &serf2)) { + } else if (~field_eq(serf, serf2)) { youfail(); printf("Fail round-trip through decaf ser:\n"); - field_print(" s", &serf); - field_print(" x", &base.x); - field_print(" y", &base.y); + field_print(" s", serf); + field_print(" x", base.x); + field_print(" y", base.y); printf(" deser is %s\n", validate_affine(&base) ? "valid" : "invalid"); - field_print(" S", &serf2); + field_print(" S", serf2); fails ++; } else if (~is_even_pt(&ext)) { youfail(); printf("Decaf deser isn't even:\n"); - field_print(" s", &serf); - field_print(" x", &base.x); - field_print(" y", &base.y); + field_print(" s", serf); + field_print(" x", base.x); + field_print(" y", base.y); fails ++; } - succ = decaf_deserialize_tw_affine(&tw_base, &serf, 0); + succ = decaf_deserialize_tw_affine(&tw_base, serf, 0); struct tw_extensible_t tw_ext, tw_ext2; convert_tw_affine_to_tw_extensible(&tw_ext, &tw_base); - decaf_serialize_tw_extensible(&serf2, &tw_ext); + decaf_serialize_tw_extensible(serf2, &tw_ext); twist_even(&tw_ext2, &ext); if (~validate_tw_extensible(&tw_ext)) { youfail(); printf("Invalid decaf tw deser:\n"); - field_print(" s", &serf); - field_print(" x", &tw_base.x); - field_print(" y", &tw_base.y); + field_print(" s", serf); + field_print(" x", tw_base.x); + field_print(" y", tw_base.y); fails ++; - } else if (~field_eq(&serf, &serf2)) { + } else if (~field_eq(serf, serf2)) { youfail(); printf("Fail round-trip through decaf ser:\n"); - field_print(" s", &serf); - field_print(" x", &tw_base.x); - field_print(" y", &tw_base.y); + field_print(" s", serf); + field_print(" x", tw_base.x); + field_print(" y", tw_base.y); printf(" tw deser is %s\n", validate_tw_extensible(&tw_ext) ? "valid" : "invalid"); - field_print(" S", &serf2); + field_print(" S", serf2); fails ++; } else if (~is_even_tw(&tw_ext)) { youfail(); printf("Decaf tw deser isn't even:\n"); - field_print(" s", &serf); - field_print(" x", &tw_base.x); - field_print(" y", &tw_base.y); + field_print(" s", serf); + field_print(" x", tw_base.x); + field_print(" y", tw_base.y); fails ++; } else if (~decaf_eq_tw_extensible(&tw_ext,&tw_ext2)) { youfail(); printf("Decaf tw doesn't equal ext:\n"); - field_print(" s", &serf); - field_print(" x1", &base.x); - field_print(" y1", &base.y); - field_print(" x2", &tw_base.x); - field_print(" y2", &tw_base.y); - field_print(" X2", &tw_ext2.x); - field_print(" Y2", &tw_ext2.y); + field_print(" s", serf); + field_print(" x1", base.x); + field_print(" y1", base.y); + field_print(" x2", tw_base.x); + field_print(" y2", tw_base.y); + field_print(" X2", tw_ext2.x); + field_print(" Y2", tw_ext2.y); fails ++; } @@ -365,7 +365,7 @@ int test_decaf (void) { int test_pointops (void) { struct affine_t base, pbase; - struct field_t serf; + field_a_t serf; struct crandom_state_t crand; crandom_init_from_buffer(&crand, "test_pointops random initializer"); @@ -390,7 +390,7 @@ int test_pointops (void) { #endif /* TODO: we need a field generate, which can return random or pathological. */ - mask_t succ = field_deserialize(&serf, ser); + mask_t succ = field_deserialize(serf, ser); if (!succ) { youfail(); printf(" Unlikely: fail at field_deserialize\n"); @@ -400,7 +400,7 @@ int test_pointops (void) { if (i) { copy_affine(&pbase, &base); } - elligator_2s_inject(&base, &serf); + elligator_2s_inject(&base, serf); if (i) { ret = add_double_test(&base, &pbase); diff --git a/test/test_scalarmul.c b/test/test_scalarmul.c index 89db764..d21be13 100644 --- a/test/test_scalarmul.c +++ b/test/test_scalarmul.c @@ -12,19 +12,19 @@ /* 0 = succeed, 1 = inval, -1 = fail */ static int single_scalarmul_compatibility_test ( - const struct field_t *base, + const field_a_t base, const word_t *scalar, int nbits ) { struct tw_extensible_t text, work; - struct field_t mont, ct, vl, vt; + field_a_t mont, ct, vl, vt; int ret = 0, i; mask_t succ, succm; - succ = deserialize_and_twist_approx(&text, &sqrt_d_minus_1, base); + succ = deserialize_and_twist_approx(&text, base); - succm = montgomery_ladder(&mont,base,scalar,nbits,1); + succm = montgomery_ladder(mont,base,scalar,nbits,1); if (succ != succm) { youfail(); @@ -52,7 +52,7 @@ single_scalarmul_compatibility_test ( const int nparams = sizeof(params)/sizeof(params[0]); struct fixed_base_table_t fbt; const int nsizes = 6; - struct field_t fbout[nparams], wout[nsizes]; + field_a_t fbout[nparams], wout[nsizes]; memset(&fbt, 0, sizeof(fbt)); memset(&fbout, 0, sizeof(fbout)); memset(&wout, 0, sizeof(wout)); @@ -75,7 +75,7 @@ single_scalarmul_compatibility_test ( continue; } - untwist_and_double_and_serialize(&fbout[i], &work); + untwist_and_double_and_serialize(fbout[i], &work); } /* compute using precomp wNAF */ @@ -91,7 +91,7 @@ single_scalarmul_compatibility_test ( scalarmul_fixed_base_wnaf_vt(&work, scalar, nbits, pre, i); - untwist_and_double_and_serialize(&wout[i], &work); + untwist_and_double_and_serialize(wout[i], &work); } mask_t consistent = MASK_SUCCESS; @@ -100,31 +100,31 @@ single_scalarmul_compatibility_test ( /* window methods currently only work on FIELD_BITS bits. */ copy_tw_extensible(&work, &text); scalarmul(&work, scalar); - untwist_and_double_and_serialize(&ct, &work); + untwist_and_double_and_serialize(ct, &work); copy_tw_extensible(&work, &text); scalarmul_vlook(&work, scalar); - untwist_and_double_and_serialize(&vl, &work); + untwist_and_double_and_serialize(vl, &work); copy_tw_extensible(&work, &text); scalarmul_vt(&work, scalar, nbits); - untwist_and_double_and_serialize(&vt, &work); + untwist_and_double_and_serialize(vt, &work); /* check consistency mont vs window */ - consistent &= field_eq(&mont, &ct); - consistent &= field_eq(&mont, &vl); - consistent &= field_eq(&mont, &vt); + consistent &= field_eq(mont, ct); + consistent &= field_eq(mont, vl); + consistent &= field_eq(mont, vt); } /* check consistency mont vs combs */ for (i=0; i