jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
44 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 1f1836de12
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1f1836de12'
${ noResults }
ed448goldilocks/src/ec_point.c

764 lines
20 KiB
Raw Blame History 

  1. /**

  2.  * @cond internal

  3.  * @file ec_point.c

  4.  * @copyright

  5.  *   Copyright (c) 2014 Cryptography Research, Inc.  \n

  6.  *   Released under the MIT License.  See LICENSE.txt for license information.

  7.  * @author Mike Hamburg

  8.  * @warning This file was automatically generated.

  9.  *     Then it was edited by hand.  Good luck, have fun.

  10.  */

  11. 

  12. #include "ec_point.h"

  13. #include "magic.h"

  14. 

  15. void

  16. add_tw_niels_to_tw_extensible (

  17.     tw_extensible_a_t  d,

  18.     const tw_niels_a_t e

  19. ) {

  20.     ANALYZE_THIS_ROUTINE_CAREFULLY;

  21.     field_a_t L0, L1;

  22.     field_sub ( L1, d->y, d->x );

  23.     field_mul ( L0, e->a, L1 );

  24.     field_add_nr ( L1, d->x, d->y );

  25.     field_mul ( d->y, e->b, L1 );

  26.     field_mul ( L1, d->u, d->t );

  27.     field_mul ( d->x, e->c, L1 );

  28.     field_add_nr ( d->u, L0, d->y );

  29.     field_subx_nr ( d->t, d->y, L0 );

  30.     field_subx_nr ( d->y, d->z, d->x );

  31.     field_add_nr ( L0, d->x, d->z );

  32.     field_mul ( d->z, L0, d->y );

  33.     field_mul ( d->x, d->y, d->t );

  34.     field_mul ( d->y, L0, d->u );

  35. }

  36. 

  37. void

  38. sub_tw_niels_from_tw_extensible (

  39.     tw_extensible_a_t  d,

  40.     const tw_niels_a_t e

  41. ) {

  42.     ANALYZE_THIS_ROUTINE_CAREFULLY;

  43.     field_a_t L0, L1;

  44.     field_subx_nr ( L1, d->y, d->x );

  45.     field_mul ( L0, e->b, L1 );

  46.     field_add_nr ( L1, d->x, d->y );

  47.     field_mul ( d->y, e->a, L1 );

  48.     field_mul ( L1, d->u, d->t );

  49.     field_mul ( d->x, e->c, L1 );

  50.     field_add_nr ( d->u, L0, d->y );

  51.     field_subx_nr ( d->t, d->y, L0 );

  52.     field_add_nr ( d->y, d->x, d->z );

  53.     field_subx_nr ( L0, d->z, d->x );

  54.     field_mul ( d->z, L0, d->y );

  55.     field_mul ( d->x, d->y, d->t );

  56.     field_mul ( d->y, L0, d->u );

  57. }

  58. 

  59. void

  60. add_tw_pniels_to_tw_extensible (

  61.     tw_extensible_a_t   e,

  62.     const tw_pniels_a_t a

  63. ) {

  64.     field_a_t L0;

  65.     field_mul ( L0, e->z, a->z );

  66.     field_copy ( e->z, L0 );

  67.     add_tw_niels_to_tw_extensible( e, a->n );

  68. }

  69. 

  70. void

  71. sub_tw_pniels_from_tw_extensible (

  72.     tw_extensible_a_t   e,

  73.     const tw_pniels_a_t a

  74. ) {

  75.     field_a_t L0;

  76.     field_mul ( L0, e->z, a->z );

  77.     field_copy ( e->z, L0 );

  78.     sub_tw_niels_from_tw_extensible( e, a->n );

  79. }

  80. 

  81. void

  82. double_tw_extensible (

  83.     tw_extensible_a_t a

  84. ) {

  85.     ANALYZE_THIS_ROUTINE_CAREFULLY;

  86.     field_a_t L0, L1, L2;

  87.     field_sqr ( L2, a->x );

  88.     field_sqr ( L0, a->y );

  89.     field_add_nr ( a->u, L2, L0 );

  90.     field_add_nr ( a->t, a->y, a->x );

  91.     field_sqr ( L1, a->t );

  92.     field_sub_nr ( a->t, L1, a->u );

  93.     field_bias ( a->t, 3 );

  94.     IF32( field_weak_reduce( a->t ) );

  95.     field_subx_nr ( L1, L0, L2 );

  96.     field_sqr ( a->x, a->z );

  97.     field_bias ( a->x, 2-is32 /*is32 ? 1 : 2*/ );

  98.     field_add_nr ( a->z, a->x, a->x );

  99.     field_sub_nr ( L0, a->z, L1 );

  100.     IF32( field_weak_reduce( L0 ) );

  101.     field_mul ( a->z, L1, L0 );

  102.     field_mul ( a->x, L0, a->t );

  103.     field_mul ( a->y, L1, a->u );

  104. }

  105. 

  106. void

  107. double_extensible (

  108.     extensible_a_t a

  109. ) {

  110.     ANALYZE_THIS_ROUTINE_CAREFULLY;

  111.     field_a_t L0, L1, L2;

  112.     field_sqr ( L2, a->x );

  113.     field_sqr ( L0, a->y );

  114.     field_add_nr ( L1, L2, L0 );

  115.     field_add_nr ( a->t, a->y, a->x );

  116.     field_sqr ( a->u, a->t );

  117.     field_sub_nr ( a->t, a->u, L1 );

  118.     field_bias ( a->t, 3 );

  119.     IF32( field_weak_reduce( a->t ) );

  120.     field_subx_nr ( a->u, L0, L2 );

  121.     field_sqr ( a->x, a->z );

  122.     field_bias ( a->x, 2 );

  123.     field_add_nr ( a->z, a->x, a->x );

  124.     field_sub_nr ( L0, a->z, L1 );

  125.     IF32( field_weak_reduce( L0 ) );

  126.     field_mul ( a->z, L1, L0 );

  127.     field_mul ( a->x, L0, a->t );

  128.     field_mul ( a->y, L1, a->u );

  129. }

  130. 

  131. void

  132. twist_and_double (

  133.     tw_extensible_a_t    b,

  134.     const extensible_a_t a

  135. ) {

  136.     field_a_t L0;

  137.     field_sqr ( b->x, a->x );

  138.     field_sqr ( b->z, a->y );

  139.     field_add ( b->u, b->x, b->z );

  140.     field_add ( b->t, a->y, a->x );

  141.     field_sqr ( L0, b->t );

  142.     field_sub ( b->t, L0, b->u );

  143.     field_sub ( L0, b->z, b->x );

  144.     field_sqr ( b->x, a->z );

  145.     field_add ( b->z, b->x, b->x );

  146.     field_sub ( b->y, b->z, b->u );

  147.     field_mul ( b->z, L0, b->y );

  148.     field_mul ( b->x, b->y, b->t );

  149.     field_mul ( b->y, L0, b->u );

  150. }

  151. 

  152. void

  153. untwist_and_double (

  154.     extensible_a_t          b,

  155.     const tw_extensible_a_t a

  156. ) {

  157.     field_a_t L0;

  158.     field_sqr ( b->x, a->x );

  159.     field_sqr ( b->z, a->y );

  160.     field_add ( L0, b->x, b->z );

  161.     field_add ( b->t, a->y, a->x );

  162.     field_sqr ( b->u, b->t );

  163.     field_sub ( b->t, b->u, L0 );

  164.     field_sub ( b->u, b->z, b->x );

  165.     field_sqr ( b->x, a->z );

  166.     field_add ( b->z, b->x, b->x );

  167.     field_sub ( b->y, b->z, b->u );

  168.     field_mul ( b->z, L0, b->y );

  169.     field_mul ( b->x, b->y, b->t );

  170.     field_mul ( b->y, L0, b->u );

  171. }

  172. 

  173. void

  174. convert_tw_affine_to_tw_pniels (

  175.     tw_pniels_a_t       b,

  176.     const tw_affine_a_t a

  177. ) {

  178.     field_sub ( b->n->a, a->y, a->x );

  179.     field_add ( b->n->b, a->x, a->y );

  180.     field_mul ( b->z, a->y, a->x );

  181.     field_mulw_scc_wr ( b->n->c, b->z, 2*EDWARDS_D-2 );

  182.     field_set_ui( b->z, 2 );

  183. }

  184. 

  185. void

  186. convert_tw_affine_to_tw_extensible (

  187.     tw_extensible_a_t   b,

  188.     const tw_affine_a_t a

  189. ) {

  190.     field_copy ( b->x, a->x );

  191.     field_copy ( b->y, a->y );

  192.     field_set_ui( b->z, 1 );

  193.     field_copy ( b->t, a->x );

  194.     field_copy ( b->u, a->y );

  195. }

  196. 

  197. void

  198. convert_affine_to_extensible (

  199.     extensible_a_t   b,

  200.     const affine_a_t a

  201. ) {

  202.     field_copy ( b->x, a->x );

  203.     field_copy ( b->y, a->y );

  204.     field_set_ui( b->z, 1 );

  205.     field_copy ( b->t, a->x );

  206.     field_copy ( b->u, a->y );

  207. }

  208. 

  209. void

  210. convert_tw_extensible_to_tw_pniels (

  211.     tw_pniels_a_t           b,

  212.     const tw_extensible_a_t a

  213. ) {

  214.     field_sub ( b->n->a, a->y, a->x );

  215.     field_add ( b->n->b, a->x, a->y );

  216.     field_mul ( b->z, a->u, a->t );

  217.     field_mulw_scc_wr ( b->n->c, b->z, 2*EDWARDS_D-2 );

  218.     field_add ( b->z, a->z, a->z );

  219. }

  220. 

  221. void

  222. convert_tw_pniels_to_tw_extensible (

  223.     tw_extensible_a_t   e,

  224.     const tw_pniels_a_t d

  225. ) {

  226.     field_add ( e->u, d->n->b, d->n->a );

  227.     field_sub ( e->t, d->n->b, d->n->a );

  228.     field_mul ( e->x, d->z, e->t );

  229.     field_mul ( e->y, d->z, e->u );

  230.     field_sqr ( e->z, d->z );

  231. }

  232. 

  233. void

  234. convert_tw_niels_to_tw_extensible (

  235.     tw_extensible_a_t  e,

  236.     const tw_niels_a_t d

  237. ) {

  238.     field_add ( e->y, d->b, d->a );

  239.     field_sub ( e->x, d->b, d->a );

  240.     field_set_ui( e->z, 1 );

  241.     field_copy ( e->t, e->x );

  242.     field_copy ( e->u, e->y );

  243. }

  244. 

  245. void

  246. montgomery_step (

  247.     montgomery_a_t a

  248. ) {

  249.     ANALYZE_THIS_ROUTINE_CAREFULLY;

  250.     field_a_t L0, L1;

  251.     field_add_nr ( L0, a->zd, a->xd );

  252.     field_sub ( L1, a->xd, a->zd );

  253.     field_sub ( a->zd, a->xa, a->za );

  254.     field_mul ( a->xd, L0, a->zd );

  255.     field_add_nr ( a->zd, a->za, a->xa );

  256.     field_mul ( a->za, L1, a->zd );

  257.     field_add_nr ( a->xa, a->za, a->xd );

  258.     field_sqr ( a->zd, a->xa );

  259.     field_mul ( a->xa, a->z0, a->zd );

  260.     field_sub ( a->zd, a->xd, a->za );

  261.     field_sqr ( a->za, a->zd );

  262.     field_sqr ( a->xd, L0 );

  263.     field_sqr ( L0, L1 );

  264.     field_mulw_scc ( a->zd, a->xd, 1-EDWARDS_D ); /* FIXME PERF MULW */

  265.     field_sub ( L1, a->xd, L0 );

  266.     field_mul ( a->xd, L0, a->zd );

  267.     field_sub_nr ( L0, a->zd, L1 );

  268.     field_bias ( L0, 4 - 2*is32 /*is32 ? 2 : 4*/ );

  269.     IF32( field_weak_reduce( L0 ) );

  270.     field_mul ( a->zd, L0, L1 );

  271. }

  272. 

  273. void

  274. deserialize_montgomery (

  275.     montgomery_a_t a,

  276.     const field_a_t sbz

  277. ) {

  278.     field_sqr ( a->z0, sbz );

  279.     field_set_ui( a->xd, 1 );

  280.     field_set_ui( a->zd, 0 );

  281.     field_set_ui( a->xa, 1 );

  282.     field_copy ( a->za, a->z0 );

  283. }

  284. 

  285. mask_t

  286. serialize_montgomery (

  287.     field_a_t             b,

  288.     const montgomery_a_t a,

  289.     const field_a_t       sbz

  290. ) {

  291.     mask_t L4, L5, L6;

  292.     field_a_t L0, L1, L2, L3;

  293.     field_mul ( L3, a->z0, a->zd );

  294.     field_sub ( L1, L3, a->xd );

  295.     field_mul ( L3, a->za, L1 );

  296.     field_mul ( L2, a->z0, a->xd );

  297.     field_sub ( L1, L2, a->zd );

  298.     field_mul ( L0, a->xa, L1 );

  299.     field_add ( L2, L0, L3 );

  300.     field_sub ( L1, L3, L0 );

  301.     field_mul ( L3, L1, L2 );

  302.     field_copy ( L2, a->z0 );

  303.     field_addw ( L2, 1 );

  304.     field_sqr ( L0, L2 );

  305.     field_mulw_scc_wr ( L1, L0, EDWARDS_D-1 );

  306.     field_add ( L2, a->z0, a->z0 );

  307.     field_add ( L0, L2, L2 );

  308.     field_add ( L2, L0, L1 );

  309.     field_mul ( L0, a->xd, L2 );

  310.     L5 = field_is_zero( a->zd );

  311.     L6 = -   L5;

  312.     constant_time_mask ( L1, L0, sizeof(L1), L5 );

  313.     field_add ( L2, L1, a->zd );

  314.     L4 = ~   L5;

  315.     field_mul ( L1, sbz, L3 );

  316.     field_addw ( L1, L6 );

  317.     field_mul ( L3, L2, L1 );

  318.     field_mul ( L1, L3, L2 );

  319.     field_mul ( L2, L3, a->xd );

  320.     field_mul ( L3, L1, L2 );

  321.     field_isr ( L0, L3 );

  322.     field_mul ( L2, L1, L0 );

  323.     field_sqr ( L1, L0 );

  324.     field_mul ( L0, L3, L1 );

  325.     constant_time_mask ( b, L2, sizeof(L1), L4 );

  326.     field_subw( L0, 1 );

  327.     L5 = field_is_zero( L0 );

  328.     L4 = field_is_zero( sbz );

  329.     return    L5 |    L4;

  330. }

  331. 

  332. void

  333. serialize_extensible (

  334.     field_a_t             b,

  335.     const extensible_a_t a

  336. ) {

  337.     field_a_t L0, L1, L2;

  338.     field_sub ( L0, a->y, a->z );

  339.     field_add ( b, a->z, a->y );

  340.     field_mul ( L1, a->z, a->x );

  341.     field_mul ( L2, L0, L1 );

  342.     field_mul ( L1, L2, L0 );

  343.     field_mul ( L0, L2, b );

  344.     field_mul ( L2, L1, L0 );

  345.     field_isr ( L0, L2 );

  346.     field_mul ( b, L1, L0 );

  347.     field_sqr ( L1, L0 );

  348.     field_mul ( L0, L2, L1 );

  349. }

  350. 

  351. void

  352. untwist_and_double_and_serialize (

  353.     field_a_t                b,

  354.     const tw_extensible_a_t a

  355. ) {

  356.     field_a_t L0, L1, L2, L3;

  357.     field_mul ( L3, a->y, a->x );

  358.     field_add ( b, a->y, a->x );

  359.     field_sqr ( L1, b );

  360.     field_add ( L2, L3, L3 );

  361.     field_sub ( b, L1, L2 );

  362.     field_sqr ( L2, a->z );

  363.     field_sqr ( L1, L2 );

  364.     field_add ( b, b, b );

  365.     field_mulw_scc ( L2, b, EDWARDS_D-1 );

  366.     field_mulw_scc ( b, L2, EDWARDS_D-1 );

  367.     field_mul ( L0, L2, L1 );

  368.     field_mul ( L2, b, L0 );

  369.     field_isr ( L0, L2 );

  370.     field_mul ( L1, b, L0 );

  371.     field_sqr ( b, L0 );

  372.     field_mul ( L0, L2, b );

  373.     field_mul ( b, L1, L3 );

  374. }

  375. 

  376. void

  377. twist_even (

  378.     tw_extensible_a_t    b,

  379.     const extensible_a_t a

  380. ) {

  381.     field_sqr ( b->y, a->z );

  382.     field_sqr ( b->z, a->x );

  383.     field_sub ( b->u, b->y, b->z );

  384.     field_sub ( b->z, a->z, a->x );

  385.     field_mul ( b->y, b->z, a->y );

  386.     field_sub ( b->z, a->z, a->y );

  387.     field_mul ( b->x, b->z, b->y );

  388.     field_mul ( b->t, b->x, b->u );

  389.     field_mul ( b->y, b->x, b->t );

  390.     field_isr ( b->t, b->y );

  391.     field_mul ( b->u, b->x, b->t );

  392.     field_sqr ( b->x, b->t );

  393.     field_mul ( b->t, b->y, b->x );

  394.     field_mul ( b->x, a->x, b->u );

  395.     field_mul ( b->y, a->y, b->u );

  396.     field_addw ( b->y, -field_is_zero( b->z ) );

  397.     field_set_ui( b->z, 1 );

  398.     field_copy ( b->t, b->x );

  399.     field_copy ( b->u, b->y );

  400. }

  401. 

  402. void

  403. test_only_twist (

  404.     tw_extensible_a_t    b,

  405.     const extensible_a_t a

  406. ) {

  407.     field_a_t L0, L1;

  408.     field_sqr ( b->u, a->z );

  409.     field_sqr ( b->y, a->x );

  410.     field_sub ( b->z, b->u, b->y );

  411.     field_add ( b->y, b->z, b->z );

  412.     field_add ( b->u, b->y, b->y );

  413.     field_sub ( b->y, a->z, a->x );

  414.     field_mul ( b->x, b->y, a->y );

  415.     field_sub ( b->z, a->z, a->y );

  416.     field_mul ( b->t, b->z, b->x );

  417.     field_mul ( L1, b->t, b->u );

  418.     field_mul ( b->x, b->t, L1 );

  419.     field_isr ( L0, b->x );

  420.     field_mul ( b->u, b->t, L0 );

  421.     field_sqr ( L1, L0 );

  422.     field_mul ( b->t, b->x, L1 );

  423.     field_add ( L1, a->y, a->x );

  424.     field_sub ( L0, a->x, a->y );

  425.     field_mul ( b->x, b->t, L0 );

  426.     field_add ( L0, b->x, L1 );

  427.     field_sub ( b->t, L1, b->x );

  428.     field_mul ( b->x, L0, b->u );

  429.     field_addw ( b->x, -field_is_zero( b->y ) );

  430.     field_mul ( b->y, b->t, b->u );

  431.     field_addw ( b->y, -field_is_zero( b->z ) );

  432.     field_set_ui( b->z, 1+field_is_zero( a->y ) );

  433.     field_copy ( b->t, b->x );

  434.     field_copy ( b->u, b->y );

  435. }

  436. 

  437. mask_t

  438. is_even_pt (

  439.     const extensible_a_t a

  440. ) {

  441.     field_a_t L0, L1, L2;

  442.     field_sqr ( L2, a->z );

  443.     field_sqr ( L1, a->x );

  444.     field_sub ( L0, L2, L1 );

  445.     return field_is_square ( L0 );

  446. }

  447. 

  448. mask_t

  449. is_even_tw (

  450.     const tw_extensible_a_t a

  451. ) {

  452.     field_a_t L0, L1, L2;

  453.     field_sqr ( L2, a->z );

  454.     field_sqr ( L1, a->x );

  455.     field_add ( L0, L1, L2 );

  456.     return field_is_square ( L0 );

  457. }

  458. 

  459. mask_t

  460. deserialize_affine (

  461.     affine_a_t     a,

  462.     const field_a_t sz

  463. ) {

  464.     field_a_t L0, L1, L2, L3;

  465.     field_sqr ( L1, sz );

  466.     field_copy ( L3, L1 );

  467.     field_addw ( L3, 1 );

  468.     field_sqr ( L2, L3 );

  469.     field_mulw_scc ( a->x, L2, EDWARDS_D-1 ); /* PERF MULW */

  470.     field_add ( L3, L1, L1 ); /* FIXME: i adjusted the bias here, was it right? */

  471.     field_add ( a->y, L3, L3 );

  472.     field_add ( L3, a->y, a->x );

  473.     field_copy ( a->y, L1 );

  474.     field_neg ( a->x, a->y );

  475.     field_addw ( a->x, 1 );

  476.     field_mul ( a->y, a->x, L3 );

  477.     field_sqr ( L2, a->x );

  478.     field_mul ( L0, L2, a->y );

  479.     field_mul ( a->y, a->x, L0 );

  480.     field_isr ( L3, a->y );

  481.     field_mul ( a->y, L2, L3 );

  482.     field_sqr ( L2, L3 );

  483.     field_mul ( L3, L0, L2 );

  484.     field_mul ( L0, a->x, L3 );

  485.     field_add ( L2, a->y, a->y );

  486.     field_mul ( a->x, sz, L2 );

  487.     field_addw ( L1, 1 );

  488.     field_mul ( a->y, L1, L3 );

  489.     field_subw( L0, 1 );

  490.     return field_is_zero( L0 );

  491. }

  492. 

  493. mask_t

  494. deserialize_and_twist_approx (

  495.     tw_extensible_a_t a,

  496.     const field_a_t    sz

  497. ) {

  498.     field_a_t L0, L1;

  499.     field_sqr ( a->z, sz );

  500.     field_copy ( a->y, a->z );

  501.     field_addw ( a->y, 1 );

  502.     field_sqr ( L0, a->y );

  503.     field_mulw_scc ( a->x, L0, EDWARDS_D-1 );

  504.     field_add ( a->y, a->z, a->z );

  505.     field_add ( a->u, a->y, a->y );

  506.     field_add ( a->y, a->u, a->x );

  507.     field_sqr ( a->x, a->z );

  508.     field_neg ( a->u, a->x );

  509.     field_addw ( a->u, 1 );

  510.     field_mul ( a->x, sqrt_d_minus_1, a->u );

  511.     field_mul ( L0, a->x, a->y );

  512.     field_mul ( a->t, L0, a->y );

  513.     field_mul ( a->u, a->x, a->t );

  514.     field_mul ( a->t, a->u, L0 );

  515.     field_mul ( a->y, a->x, a->t );

  516.     field_isr ( L0, a->y );

  517.     field_mul ( a->y, a->u, L0 );

  518.     field_sqr ( L1, L0 );

  519.     field_mul ( a->u, a->t, L1 );

  520.     field_mul ( a->t, a->x, a->u );

  521.     field_add ( a->x, sz, sz );

  522.     field_mul ( L0, a->u, a->x );

  523.     field_copy ( a->x, a->z );

  524.     field_neg ( L1, a->x );

  525.     field_addw ( L1, 1 );

  526.     field_mul ( a->x, L1, L0 );

  527.     field_mul ( L0, a->u, a->y );

  528.     field_addw ( a->z, 1 );

  529.     field_mul ( a->y, a->z, L0 );

  530.     field_subw( a->t, 1 );

  531.     mask_t ret = field_is_zero( a->t );

  532.     field_set_ui( a->z, 1 );

  533.     field_copy ( a->t, a->x );

  534.     field_copy ( a->u, a->y );

  535.     return ret;

  536. }

  537. 

  538. void

  539. set_identity_extensible (

  540.     extensible_a_t a

  541. ) {

  542.     field_set_ui( a->x, 0 );

  543.     field_set_ui( a->y, 1 );

  544.     field_set_ui( a->z, 1 );

  545.     field_set_ui( a->t, 0 );

  546.     field_set_ui( a->u, 0 );

  547. }

  548. 

  549. void

  550. set_identity_tw_extensible (

  551.     tw_extensible_a_t a

  552. ) {

  553.     field_set_ui( a->x, 0 );

  554.     field_set_ui( a->y, 1 );

  555.     field_set_ui( a->z, 1 );

  556.     field_set_ui( a->t, 0 );

  557.     field_set_ui( a->u, 0 );

  558. }

  559. 

  560. void

  561. set_identity_affine (

  562.     affine_a_t a

  563. ) {

  564.     field_set_ui( a->x, 0 );

  565.     field_set_ui( a->y, 1 );

  566. }

  567. 

  568. mask_t

  569. eq_affine (

  570.     const affine_a_t a,

  571.     const affine_a_t b

  572. ) {

  573.     mask_t L1, L2;

  574.     field_a_t L0;

  575.     field_sub ( L0, a->x, b->x );

  576.     L2 = field_is_zero( L0 );

  577.     field_sub ( L0, a->y, b->y );

  578.     L1 = field_is_zero( L0 );

  579.     return    L2 &    L1;

  580. }

  581. 

  582. mask_t

  583. eq_extensible (

  584.     const extensible_a_t a,

  585.     const extensible_a_t b

  586. ) {

  587.     mask_t L3, L4;

  588.     field_a_t L0, L1, L2;

  589.     field_mul ( L2, b->z, a->x );

  590.     field_mul ( L1, a->z, b->x );

  591.     field_sub ( L0, L2, L1 );

  592.     L4 = field_is_zero( L0 );

  593.     field_mul ( L2, b->z, a->y );

  594.     field_mul ( L1, a->z, b->y );

  595.     field_sub ( L0, L2, L1 );

  596.     L3 = field_is_zero( L0 );

  597.     return    L4 &    L3;

  598. }

  599. 

  600. mask_t

  601. eq_tw_extensible (

  602.     const tw_extensible_a_t a,

  603.     const tw_extensible_a_t b

  604. ) {

  605.     mask_t L3, L4;

  606.     field_a_t L0, L1, L2;

  607.     field_mul ( L2, b->z, a->x );

  608.     field_mul ( L1, a->z, b->x );

  609.     field_sub ( L0, L2, L1 );

  610.     L4 = field_is_zero( L0 );

  611.     field_mul ( L2, b->z, a->y );

  612.     field_mul ( L1, a->z, b->y );

  613.     field_sub ( L0, L2, L1 );

  614.     L3 = field_is_zero( L0 );

  615.     return    L4 &    L3;

  616. }

  617. 

  618. void

  619. elligator_2s_inject (

  620.     affine_a_t     a,

  621.     const field_a_t r

  622. ) {

  623.     field_a_t L2, L3, L4, L5, L6, L7, L8;

  624.     field_sqr ( a->x, r );

  625.     field_sqr ( L3, a->x );

  626.     field_copy ( a->y, L3 );

  627.     field_neg ( L4, a->y );

  628.     field_addw ( L4, 1 );

  629.     field_sqr ( L2, L4 );

  630.     field_mulw ( L7, L2, (EDWARDS_D-1)*(EDWARDS_D-1) );

  631.     field_mulw ( L8, L3, 4*(EDWARDS_D+1)*(EDWARDS_D+1) );

  632.     field_add ( a->y, L8, L7 );

  633.     field_mulw ( L8, L2, 4*(EDWARDS_D)*(EDWARDS_D-1) );

  634.     field_sub ( L7, a->y, L8 );

  635.     field_mulw_scc ( L6, a->y, -2-2*EDWARDS_D );

  636.     field_mul ( L5, L7, L6 );

  637.         /* FIXME Stability problem (API stability, not crash) / possible bug.

  638.          * change to: p448_mul ( L5, L7, L4 ); ?

  639.          * This isn't a deep change: it's for sign adjustment.

  640.          * Need to check which one leads to the correct sign, probably by writig

  641.          * the invert routine.

  642.          *

  643.          * Also, the tool doesn't produce the optimal route to this.

  644.          * Let incoming L6 = a, L7 = e, L4 = b.

  645.          *

  646.          * Could compute be, (be)^2, (be)^3, a b^3 e^3, a b^3 e^4. = 4M+S

  647.          * instead of 6M.

  648.          */

  649.     field_mul ( L8, L5, L4 );

  650.     field_mul ( L4, L5, L6 );

  651.     field_mul ( L5, L7, L8 );

  652.     field_mul ( L8, L5, L4 );

  653.     field_mul ( L4, L7, L8 );

  654.     field_isr ( L6, L4 );

  655.     field_mul ( L4, L5, L6 );

  656.     field_sqr ( L5, L6 );

  657.     field_mul ( L6, L8, L5 );

  658.     field_mul ( L8, L7, L6 );

  659.     field_mul ( L7, L8, L6 );

  660.     field_copy ( L6, a->x );

  661.     field_addw ( a->x, 1 );

  662.     field_mul ( L5, a->x, L8 );

  663.     field_addw ( L5, 1 );

  664.     field_sub ( a->x, L6, L5 );

  665.     field_mul ( L5, L4, a->x );

  666.     field_mulw_scc_wr ( a->x, L5, -2-2*EDWARDS_D );

  667.     field_add ( L4, L3, L3 );

  668.     field_add ( L3, L4, L2 );

  669.     field_subw( L3, 2 );

  670.     field_mul ( L2, L3, L8 );

  671.     field_mulw ( L3, L2, 2*(EDWARDS_D+1)*(EDWARDS_D-1) );

  672.     field_add ( L2, L3, a->y );

  673.     field_mul ( a->y, L7, L2 );

  674.     field_addw ( a->y, -field_is_zero( L8 ) );

  675. }

  676. 

  677. mask_t

  678. validate_affine (

  679.     const affine_a_t a

  680. ) {

  681.     field_a_t L0, L1, L2, L3;

  682.     field_sqr ( L0, a->y );

  683.     field_sqr ( L1, a->x );

  684.     field_add ( L3, L1, L0 );

  685.     field_mulw_scc ( L2, L1, EDWARDS_D );

  686.     field_mul ( L1, L0, L2 );

  687.     field_addw ( L1, 1 );

  688.     field_sub ( L0, L3, L1 );

  689.     return field_is_zero( L0 );

  690. }

  691. 

  692. mask_t

  693. validate_tw_extensible (

  694.     const tw_extensible_a_t ext

  695. ) {

  696.     mask_t L4, L5;

  697.     field_a_t L0, L1, L2, L3;

  698.     /*

  699.      * Check invariant:

  700.      * 0 = -x*y + z*t*u

  701.      */

  702.     field_mul ( L1, ext->t, ext->u );

  703.     field_mul ( L2, ext->z, L1 );

  704.     field_mul ( L0, ext->x, ext->y );

  705.     field_neg ( L1, L0 );

  706.     field_add ( L0, L1, L2 );

  707.     L5 = field_is_zero( L0 );

  708.     /*

  709.      * Check invariant:

  710.      * 0 = d*t^2*u^2 + x^2 - y^2 + z^2 - t^2*u^2

  711.      */

  712.     field_sqr ( L2, ext->y );

  713.     field_neg ( L1, L2 );

  714.     field_sqr ( L0, ext->x );

  715.     field_add ( L2, L0, L1 );

  716.     field_sqr ( L3, ext->u );

  717.     field_sqr ( L0, ext->t );

  718.     field_mul ( L1, L0, L3 );

  719.     field_mulw_scc ( L3, L1, EDWARDS_D );

  720.     field_add ( L0, L3, L2 );

  721.     field_neg ( L3, L1 );

  722.     field_add ( L2, L3, L0 );

  723.     field_sqr ( L1, ext->z );

  724.     field_add ( L0, L1, L2 );

  725.     L4 = field_is_zero( L0 );

  726.     return    L5 & L4 &~ field_is_zero(ext->z);

  727. }

  728. 

  729. mask_t

  730. validate_extensible (

  731.     const extensible_a_t ext

  732. ) {

  733.     mask_t L4, L5;

  734.     field_a_t L0, L1, L2, L3;

  735.     /*

  736.      * Check invariant:

  737.      * 0 = d*t^2*u^2 - x^2 - y^2 + z^2

  738.      */

  739.     field_sqr ( L2, ext->y );

  740.     field_neg ( L1, L2 );

  741.     field_sqr ( L0, ext->z );

  742.     field_add ( L2, L0, L1 );

  743.     field_sqr ( L3, ext->u );

  744.     field_sqr ( L0, ext->t );

  745.     field_mul ( L1, L0, L3 );

  746.     field_mulw_scc ( L0, L1, EDWARDS_D );

  747.     field_add ( L1, L0, L2 );

  748.     field_sqr ( L0, ext->x );

  749.     field_neg ( L2, L0 );

  750.     field_add ( L0, L2, L1 );

  751.     L5 = field_is_zero( L0 );

  752.     /*

  753.      * Check invariant:

  754.      * 0 = -x*y + z*t*u

  755.      */

  756.     field_mul ( L1, ext->t, ext->u );

  757.     field_mul ( L2, ext->z, L1 );

  758.     field_mul ( L0, ext->x, ext->y );

  759.     field_neg ( L1, L0 );

  760.     field_add ( L0, L1, L2 );

  761.     L4 = field_is_zero( L0 );

  762.     return L5 & L4 &~ field_is_zero(ext->z);

  763. }