jmg
/
ed448goldilocks


			
				
					
						
						
							
							/* Copyright (c) 2014 Cryptography Research, Inc.
 * Released under the MIT License.  See LICENSE.txt for license information.
 */

#include "barrett_field.h"
#include <assert.h>

word_t
add_nr_ext_packed(
    word_t *out,
    const word_t *a,
    int nwords_a,
    const word_t *c,
    int nwords_c,
    word_t mask
) {
    int i;
    dword_t carry = 0;
    for (i=0; i<nwords_c; i++) {
        out[i] = carry = carry + a[i] + (c[i]&mask);
        carry >>= WORD_BITS;
    }
    for (; i<nwords_a; i++) {
        out[i] = carry = carry + a[i];
        carry >>= WORD_BITS;
    }
    return carry;
}

static __inline__ word_t
add_nr_packed(
    word_t *a,
    const word_t *c,
    int nwords
) {
    int i;
    dword_t carry = 0;
    for (i=0; i<nwords; i++) {
        a[i] = carry = carry + a[i] + c[i];
        carry >>= WORD_BITS;
    }
    return carry;
}

static __inline__ word_t
sub_nr_packed(
    word_t *a,
    const word_t *c,
    int nwords
) {
    int i;
    dsword_t carry = 0;
    for (i=0; i<nwords; i++) {
        a[i] = carry = carry + a[i] - c[i];
        carry >>= WORD_BITS;
    }
    return carry;
}

word_t
sub_nr_ext_packed(
    word_t *out,
    const word_t *a,
    int nwords_a,
    const word_t *c,
    int nwords_c,
    word_t mask
) {
    int i;
    dsword_t carry = 0;
    for (i=0; i<nwords_c; i++) {
        out[i] = carry = carry + a[i] - (c[i]&mask);
        carry >>= WORD_BITS;
    }
    for (; i<nwords_a; i++) {
        out[i] = carry = carry + a[i];
        carry >>= WORD_BITS;
    }
    return carry;
}

static word_t
widemac(
    word_t *accum,
    int nwords_accum,
    const word_t *mier,
    int nwords_mier,
    word_t mand,
    word_t carry
) {
    int i;
    assert(nwords_accum >= nwords_mier);
    
    for (i=0; i<nwords_mier; i++) {
        /* UMAAL chain for the wordy part of p */
        dword_t product = ((dword_t)mand) * mier[i];
        product += accum[i];
        product += carry;
        accum[i] = product;
        carry = product >> WORD_BITS;
    }
    
    for (; i<nwords_accum; i++) {
        dword_t sum = ((dword_t)carry) + accum[i];
        accum[i] = sum;
        carry = sum >> WORD_BITS;
    }
    
    return carry;
}

void
barrett_reduce(
    word_t *a,
    int nwords_a,
    word_t a_carry,
    const word_t *p_lo,
    int nwords_p,
    int nwords_lo,
    int p_shift
) {
    /* TODO: non 2^k-c primes. */
    int repeat, nwords_left_in_a=nwords_a;
    
    /* TODO: is there a point to this a_carry business? */
    assert(a_carry < ((word_t)1)<<p_shift && nwords_a >= nwords_p);
    
    for (; nwords_left_in_a >= nwords_p; nwords_left_in_a--) {
        for (repeat=0; repeat<2; repeat++) {
            /* PERF: surely a more careful implementation could
             * avoid this double round
             */
            word_t mand = a[nwords_left_in_a-1] >> p_shift;
            a[nwords_left_in_a-1] &= (((word_t)1)<<p_shift)-1;
            if (p_shift && !repeat) {
                /* collect high bits when there are any */
                if (nwords_left_in_a < nwords_a) {
                    mand |= a[nwords_left_in_a] << (WORD_BITS-p_shift);
                    a[nwords_left_in_a] = 0;
                } else {
                    mand |= a_carry << (WORD_BITS-p_shift);
                }
            }
            
            word_t carry = widemac(a+nwords_left_in_a-nwords_p, nwords_p, p_lo, nwords_lo, mand, 0);
            assert(!carry);
            (void)carry;
        }
    }
    
    assert(nwords_left_in_a == nwords_p-1);
    
    /* OK, but it still isn't reduced.  Add and subtract p_lo. */
    word_t cout = add_nr_ext_packed(a,a,nwords_p,p_lo,nwords_lo,-1);
    if (p_shift) {
        cout = (cout<<(WORD_BITS-p_shift)) + (a[nwords_p-1]>>p_shift);
        a[nwords_p-1] &= (((word_t)1)<<p_shift)-1;
    }
    
    /* mask = carry-1: if no carry then do sub, otherwise don't */
    sub_nr_ext_packed(a,a,nwords_p,p_lo,nwords_lo,cout-1);
}

/* PERF: This function is horribly slow.  Enough to break 1%. */
void
barrett_mul_or_mac(
    word_t *accum,
    int nwords_accum,
    
    const word_t *a,
    int nwords_a,
    
    const word_t *b,
    int nwords_b,
    
    const word_t *p_lo,
    int nwords_p,
    int nwords_lo,
    int p_shift,
    
    mask_t doMac
) {
    assert(nwords_accum >= nwords_p);
    
    /* nwords_tmp = max(nwords_a + 1, nwords_p + 1, nwords_accum if doMac); */
    int nwords_tmp = (nwords_a > nwords_p) ? nwords_a : nwords_p;
    nwords_tmp++;
    if (nwords_tmp < nwords_accum && doMac)
        nwords_tmp = nwords_accum;
    
    word_t tmp[nwords_tmp];
    int bpos, i;
    
    for (i=0; i<nwords_tmp; i++) {
        tmp[i] = 0;
    }
    
    if (doMac) {
        for (i=0; i<nwords_accum; i++) {
            tmp[i] = accum[i];
        }

        barrett_reduce(tmp, nwords_tmp, 0, p_lo, nwords_p, nwords_lo, p_shift);
    }
    
    for (bpos=nwords_b-1; bpos >= 0; bpos--) {
        /* Invariant at the beginning of the loop: the high word is unused. */
        assert(tmp[nwords_tmp-1] == 0);
        
        /* shift up */
        for (i=nwords_tmp-2; i>=0; i--) {
            tmp[i+1] = tmp[i];
        }

        /* mac and reduce */
        word_t carry = widemac(tmp, nwords_tmp, a, nwords_a, b[bpos], 0);
        
        /* the mac can't carry, because nwords_tmp >= nwords_a+1 and its high word is clear */
        assert(!carry);
        barrett_reduce(tmp, nwords_tmp, carry, p_lo, nwords_p, nwords_lo, p_shift);
        
        /* at this point, the number of words used is nwords_p <= nwords_tmp-1,
         * so the high word is again clear */
    }
    
    for (i=0; i<nwords_tmp && i<nwords_accum; i++) {
        accum[i] = tmp[i];
    }
    for (; i<nwords_tmp; i++) {
        assert(tmp[i] == 0);
    }
    for (; i<nwords_accum; i++) {
        accum[i] = 0;
    }
}