jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 25697caf5c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '25697caf5c'
${ noResults }
ed448goldilocks/ec_point.c

622 lines
17 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. /* This file was generated with the assistance of a tool written in SAGE. */

  6. #include "ec_point.h"

  7. 

  8. 

  9. void

  10. p448_isr (

  11.     struct p448_t*       a,

  12.     const struct p448_t* x

  13. ) {

  14.     struct p448_t L0, L1, L2;

  15.     p448_sqr  (   &L1,     x );

  16.     p448_mul  (   &L2,     x,   &L1 );

  17.     p448_sqr  (   &L1,   &L2 );

  18.     p448_mul  (   &L2,     x,   &L1 );

  19.     p448_sqrn (   &L1,   &L2,     3 );

  20.     p448_mul  (   &L0,   &L2,   &L1 );

  21.     p448_sqrn (   &L1,   &L0,     3 );

  22.     p448_mul  (   &L0,   &L2,   &L1 );

  23.     p448_sqrn (   &L2,   &L0,     9 );

  24.     p448_mul  (   &L1,   &L0,   &L2 );

  25.     p448_sqr  (   &L0,   &L1 );

  26.     p448_mul  (   &L2,     x,   &L0 );

  27.     p448_sqrn (   &L0,   &L2,    18 );

  28.     p448_mul  (   &L2,   &L1,   &L0 );

  29.     p448_sqrn (   &L0,   &L2,    37 );

  30.     p448_mul  (   &L1,   &L2,   &L0 );

  31.     p448_sqrn (   &L0,   &L1,    37 );

  32.     p448_mul  (   &L1,   &L2,   &L0 );

  33.     p448_sqrn (   &L0,   &L1,   111 );

  34.     p448_mul  (   &L2,   &L1,   &L0 );

  35.     p448_sqr  (   &L0,   &L2 );

  36.     p448_mul  (   &L1,     x,   &L0 );

  37.     p448_sqrn (   &L0,   &L1,   223 );

  38.     p448_mul  (     a,   &L2,   &L0 );

  39. }

  40. 

  41. void

  42. p448_inverse (

  43.     struct p448_t*       a,

  44.     const struct p448_t* x

  45. ) {

  46.     struct p448_t L0, L1;

  47.     p448_isr  (   &L0,     x );

  48.     p448_sqr  (   &L1,   &L0 );

  49.     p448_sqr  (   &L0,   &L1 );

  50.     p448_mul  (     a,     x,   &L0 );

  51. }

  52. 

  53. void

  54. p448_tw_extensible_add_niels (

  55.     struct tw_extensible_t*  d,

  56.     const struct tw_niels_t* e

  57. ) {

  58.     struct p448_t L0, L1;

  59.     p448_bias ( &d->y,     2 );

  60.     p448_bias ( &d->z,     2 );

  61.     p448_sub  (   &L1, &d->y, &d->x );

  62.     p448_mul  (   &L0, &e->a,   &L1 );

  63.     p448_add  (   &L1, &d->x, &d->y );

  64.     p448_mul  ( &d->y, &e->b,   &L1 );

  65.     p448_bias ( &d->y,     2 );

  66.     p448_mul  (   &L1, &d->u, &d->t );

  67.     p448_mul  ( &d->x, &e->c,   &L1 );

  68.     p448_add  ( &d->u,   &L0, &d->y );

  69.     p448_sub  ( &d->t, &d->y,   &L0 );

  70.     p448_sub  ( &d->y, &d->z, &d->x );

  71.     p448_add  (   &L0, &d->x, &d->z );

  72.     p448_mul  ( &d->z,   &L0, &d->y );

  73.     p448_mul  ( &d->x, &d->y, &d->t );

  74.     p448_mul  ( &d->y,   &L0, &d->u );

  75. }

  76. 

  77. void

  78. p448_tw_extensible_add_pniels (

  79.     struct tw_extensible_t*   e,

  80.     const struct tw_pniels_t* a

  81. ) {

  82.     struct p448_t L0;

  83.     p448_mul  (   &L0, &e->z, &a->z );

  84.     p448_copy ( &e->z,   &L0 );

  85.     p448_tw_extensible_add_niels(     e, &a->n );

  86. }

  87. 

  88. void

  89. p448_tw_extensible_double (

  90.     struct tw_extensible_t* a

  91. ) {

  92.     struct p448_t L0, L1, L2;

  93.     p448_sqr  (   &L2, &a->x );

  94.     p448_sqr  (   &L0, &a->y );

  95.     p448_add  ( &a->u,   &L2,   &L0 );

  96.     p448_add  ( &a->t, &a->y, &a->x );

  97.     p448_sqr  (   &L1, &a->t );

  98.     p448_bias (   &L1,     3 );

  99.     p448_sub  ( &a->t,   &L1, &a->u );

  100.     p448_sub  (   &L1,   &L0,   &L2 );

  101.     p448_bias (   &L1,     2 );

  102.     p448_sqr  ( &a->x, &a->z );

  103.     p448_bias ( &a->x,     2 );

  104.     p448_add  ( &a->z, &a->x, &a->x );

  105.     p448_sub  (   &L0, &a->z,   &L1 );

  106.     p448_mul  ( &a->z,   &L1,   &L0 );

  107.     p448_mul  ( &a->x,   &L0, &a->t );

  108.     p448_mul  ( &a->y,   &L1, &a->u );

  109. }

  110. 

  111. void

  112. p448_extensible_double (

  113.     struct extensible_t* a

  114. ) {

  115.     struct p448_t L0, L1, L2;

  116.     p448_sqr  (   &L2, &a->x );

  117.     p448_sqr  (   &L0, &a->y );

  118.     p448_add  (   &L1,   &L2,   &L0 );

  119.     p448_add  ( &a->t, &a->y, &a->x );

  120.     p448_sqr  ( &a->u, &a->t );

  121.     p448_bias ( &a->u,     3 );

  122.     p448_sub  ( &a->t, &a->u,   &L1 );

  123.     p448_sub  ( &a->u,   &L0,   &L2 );

  124.     p448_bias ( &a->u,     2 );

  125.     p448_sqr  ( &a->x, &a->z );

  126.     p448_bias ( &a->x,     2 );

  127.     p448_add  ( &a->z, &a->x, &a->x );

  128.     p448_sub  (   &L0, &a->z,   &L1 );

  129.     p448_mul  ( &a->z,   &L1,   &L0 );

  130.     p448_mul  ( &a->x,   &L0, &a->t );

  131.     p448_mul  ( &a->y,   &L1, &a->u );

  132. }

  133. 

  134. void

  135. p448_isogeny_un_to_tw (

  136.     struct tw_extensible_t*    b,

  137.     const struct extensible_t* a

  138. ) {

  139.     struct p448_t L0;

  140.     p448_sqr  ( &b->x, &a->x );

  141.     p448_sqr  ( &b->z, &a->y );

  142.     p448_add  ( &b->u, &b->x, &b->z );

  143.     p448_add  ( &b->t, &a->y, &a->x );

  144.     p448_sqr  (   &L0, &b->t );

  145.     p448_bias (   &L0,     3 );

  146.     p448_sub  ( &b->t,   &L0, &b->u );

  147.     p448_sub  (   &L0, &b->z, &b->x );

  148.     p448_bias (   &L0,     2 );

  149.     p448_sqr  ( &b->x, &a->z );

  150.     p448_bias ( &b->x,     2 );

  151.     p448_add  ( &b->z, &b->x, &b->x );

  152.     p448_sub  ( &b->y, &b->z, &b->u );

  153.     p448_mul  ( &b->z,   &L0, &b->y );

  154.     p448_mul  ( &b->x, &b->y, &b->t );

  155.     p448_mul  ( &b->y,   &L0, &b->u );

  156. }

  157. 

  158. void

  159. p448_isogeny_tw_to_un (

  160.     struct extensible_t*          b,

  161.     const struct tw_extensible_t* a

  162. ) {

  163.     struct p448_t L0;

  164.     p448_sqr  ( &b->x, &a->x );

  165.     p448_sqr  ( &b->z, &a->y );

  166.     p448_add  (   &L0, &b->x, &b->z );

  167.     p448_add  ( &b->t, &a->y, &a->x );

  168.     p448_sqr  ( &b->u, &b->t );

  169.     p448_bias ( &b->u,     3 );

  170.     p448_sub  ( &b->t, &b->u,   &L0 );

  171.     p448_sub  ( &b->u, &b->z, &b->x );

  172.     p448_bias ( &b->u,     2 );

  173.     p448_sqr  ( &b->x, &a->z );

  174.     p448_bias ( &b->x,     2 );

  175.     p448_add  ( &b->z, &b->x, &b->x );

  176.     p448_sub  ( &b->y, &b->z, &b->u );

  177.     p448_mul  ( &b->z,   &L0, &b->y );

  178.     p448_mul  ( &b->x, &b->y, &b->t );

  179.     p448_mul  ( &b->y,   &L0, &b->u );

  180. }

  181. 

  182. void

  183. convert_tw_affine_to_tw_pniels (

  184.     struct tw_pniels_t*       b,

  185.     const struct tw_affine_t* a

  186. ) {

  187.     p448_sub  ( &b->n.a, &a->y, &a->x );

  188.     p448_bias ( &b->n.a,     2 );

  189.     p448_weak_reduce( &b->n.a );

  190.     p448_add  ( &b->n.b, &a->x, &a->y );

  191.     p448_weak_reduce( &b->n.b );

  192.     p448_mul  ( &b->n.c, &a->y, &a->x );

  193.     p448_mulw ( &b->z, &b->n.c, 78164 );

  194.     p448_neg  ( &b->n.c, &b->z );

  195.     p448_bias ( &b->n.c,     2 );

  196.     p448_weak_reduce( &b->n.c );

  197.     p448_set_ui( &b->z,     2 );

  198. }

  199. 

  200. void

  201. convert_tw_affine_to_tw_extensible (

  202.     struct tw_extensible_t*   b,

  203.     const struct tw_affine_t* a

  204. ) {

  205.     p448_copy ( &b->x, &a->x );

  206.     p448_copy ( &b->y, &a->y );

  207.     p448_set_ui( &b->z,     1 );

  208.     p448_copy ( &b->t, &a->x );

  209.     p448_copy ( &b->u, &a->y );

  210. }

  211. 

  212. void

  213. convert_affine_to_extensible (

  214.     struct extensible_t*   b,

  215.     const struct affine_t* a

  216. ) {

  217.     p448_copy ( &b->x, &a->x );

  218.     p448_copy ( &b->y, &a->y );

  219.     p448_set_ui( &b->z,     1 );

  220.     p448_copy ( &b->t, &a->x );

  221.     p448_copy ( &b->u, &a->y );

  222. }

  223. 

  224. void

  225. convert_tw_extensible_to_tw_pniels (

  226.     struct tw_pniels_t*           b,

  227.     const struct tw_extensible_t* a

  228. ) {

  229.     p448_sub  ( &b->n.a, &a->y, &a->x );

  230.     p448_bias ( &b->n.a,     2 );

  231.     p448_weak_reduce( &b->n.a );

  232.     p448_add  ( &b->n.b, &a->x, &a->y );

  233.     p448_weak_reduce( &b->n.b );

  234.     p448_mul  ( &b->n.c, &a->u, &a->t );

  235.     p448_mulw ( &b->z, &b->n.c, 78164 );

  236.     p448_neg  ( &b->n.c, &b->z );

  237.     p448_bias ( &b->n.c,     2 );

  238.     p448_weak_reduce( &b->n.c );

  239.     p448_add  ( &b->z, &a->z, &a->z );

  240.     p448_weak_reduce( &b->z );

  241. }

  242. 

  243. void

  244. convert_tw_pniels_to_tw_extensible (

  245.     struct tw_extensible_t*   e,

  246.     const struct tw_pniels_t* d

  247. ) {

  248.     p448_add  ( &e->u, &d->n.b, &d->n.a );

  249.     p448_sub  ( &e->t, &d->n.b, &d->n.a );

  250.     p448_bias ( &e->t,     2 );

  251.     p448_mul  ( &e->x, &d->z, &e->t );

  252.     p448_mul  ( &e->y, &d->z, &e->u );

  253.     p448_sqr  ( &e->z, &d->z );

  254. }

  255. 

  256. void

  257. convert_tw_niels_to_tw_extensible (

  258.     struct tw_extensible_t*  e,

  259.     const struct tw_niels_t* d

  260. ) {

  261.     p448_add  ( &e->y, &d->b, &d->a );

  262.     p448_weak_reduce( &e->y );

  263.     p448_sub  ( &e->x, &d->b, &d->a );

  264.     p448_bias ( &e->x,     2 );

  265.     p448_weak_reduce( &e->x );

  266.     p448_set_ui( &e->z,     1 );

  267.     p448_copy ( &e->t, &e->x );

  268.     p448_copy ( &e->u, &e->y );

  269. }

  270. 

  271. void

  272. p448_montgomery_step (

  273.     struct montgomery_t* a

  274. ) {

  275.     struct p448_t L0, L1;

  276.     p448_bias ( &a->xd,     2 );

  277.     p448_bias ( &a->xa,     2 );

  278.     p448_add  (   &L0, &a->zd, &a->xd );

  279.     p448_sub  (   &L1, &a->xd, &a->zd );

  280.     p448_sub  ( &a->zd, &a->xa, &a->za );

  281.     p448_mul  ( &a->xd,   &L0, &a->zd );

  282.     p448_bias ( &a->xd,     2 );

  283.     p448_add  ( &a->zd, &a->za, &a->xa );

  284.     p448_mul  ( &a->za,   &L1, &a->zd );

  285.     p448_add  ( &a->xa, &a->za, &a->xd );

  286.     p448_sqr  ( &a->zd, &a->xa );

  287.     p448_mul  ( &a->xa, &a->z0, &a->zd );

  288.     p448_sub  ( &a->zd, &a->xd, &a->za );

  289.     p448_sqr  ( &a->za, &a->zd );

  290.     p448_sqr  ( &a->xd,   &L0 );

  291.     p448_bias ( &a->xd,     2 );

  292.     p448_sqr  (   &L0,   &L1 );

  293.     p448_mulw ( &a->zd, &a->xd, 39082 );

  294.     p448_bias ( &a->zd,     4 );

  295.     p448_sub  (   &L1, &a->xd,   &L0 );

  296.     p448_mul  ( &a->xd,   &L0, &a->zd );

  297.     p448_sub  (   &L0, &a->zd,   &L1 );

  298.     p448_mul  ( &a->zd,   &L0,   &L1 );

  299. }

  300. 

  301. void

  302. p448_montgomery_serialize (

  303.     struct p448_t*             sign,

  304.     struct p448_t*             ser,

  305.     const struct montgomery_t* a,

  306.     const struct p448_t*       sbz

  307. ) {

  308.     struct p448_t L0, L1, L2, L3;

  309.     p448_mul  (   &L2, &a->z0, &a->zd );

  310.     p448_bias (   &L2,     2 );

  311.     p448_sub  (   &L0,   &L2, &a->xd );

  312.     p448_mul  (   &L2, &a->za,   &L0 );

  313.     p448_bias (   &L2,     2 );

  314.     p448_mul  (   &L1, &a->z0, &a->xd );

  315.     p448_bias (   &L1,     2 );

  316.     p448_sub  (   &L0,   &L1, &a->zd );

  317.     p448_mul  (   &L3, &a->xa,   &L0 );

  318.     p448_add  (   &L1,   &L3,   &L2 );

  319.     p448_sub  (   &L0,   &L2,   &L3 );

  320.     p448_mul  (   &L2,   &L0,   &L1 );

  321.     p448_mul  (   &L0,   sbz,   &L2 );

  322.     p448_mul  (   &L2, &a->zd,   &L0 );

  323.     p448_mul  (  sign,   &L2, &a->zd );

  324.     p448_mul  (   ser,   &L2, &a->xd );

  325.     p448_mul  (   &L2,  sign,   ser );

  326.     p448_isr  (   &L1,   &L2 );

  327.     p448_mul  (   ser,  sign,   &L1 );

  328.     p448_sqr  (   &L0,   &L1 );

  329.     p448_mul  (  sign,   &L2,   &L0 );

  330. }

  331. 

  332. void

  333. extensible_serialize (

  334.     struct p448_t*             b,

  335.     const struct extensible_t* a

  336. ) {

  337.     struct p448_t L0, L1, L2;

  338.     p448_sub  (   &L0, &a->y, &a->z );

  339.     p448_bias (   &L0,     2 );

  340.     p448_add  (     b, &a->z, &a->y );

  341.     p448_mul  (   &L1, &a->z, &a->x );

  342.     p448_mul  (   &L2,   &L0,   &L1 );

  343.     p448_mul  (   &L1,   &L2,   &L0 );

  344.     p448_mul  (   &L0,   &L2,     b );

  345.     p448_mul  (   &L2,   &L1,   &L0 );

  346.     p448_isr  (   &L0,   &L2 );

  347.     p448_mul  (     b,   &L1,   &L0 );

  348.     p448_sqr  (   &L1,   &L0 );

  349.     p448_mul  (   &L0,   &L2,   &L1 );

  350. }

  351. 

  352. void

  353. isogeny_and_serialize (

  354.     struct p448_t*                b,

  355.     const struct tw_extensible_t* a

  356. ) {

  357.     struct p448_t L0, L1, L2, L3;

  358.     p448_mul  (   &L3, &a->y, &a->x );

  359.     p448_add  (   &L1, &a->y, &a->x );

  360.     p448_sqr  (     b,   &L1 );

  361.     p448_add  (   &L2,   &L3,   &L3 );

  362.     p448_sub  (   &L1,     b,   &L2 );

  363.     p448_bias (   &L1,     3 );

  364.     p448_sqr  (   &L2, &a->z );

  365.     p448_sqr  (     b,   &L2 );

  366.     p448_add  (   &L2,   &L1,   &L1 );

  367.     p448_mulw (   &L1,   &L2, 39082 );

  368.     p448_neg  (   &L2,   &L1 );

  369.     p448_bias (   &L2,     2 );

  370.     p448_mulw (   &L0,   &L2, 39082 );

  371.     p448_neg  (   &L1,   &L0 );

  372.     p448_bias (   &L1,     2 );

  373.     p448_mul  (   &L0,   &L2,     b );

  374.     p448_mul  (     b,   &L1,   &L0 );

  375.     p448_isr  (   &L0,     b );

  376.     p448_mul  (   &L2,   &L1,   &L0 );

  377.     p448_sqr  (   &L1,   &L0 );

  378.     p448_mul  (   &L0,     b,   &L1 );

  379.     p448_mul  (     b,   &L2,   &L3 );

  380. }

  381. 

  382. mask_t

  383. affine_deserialize (

  384.     struct affine_t*     a,

  385.     const struct p448_t* sz

  386. ) {

  387.     struct p448_t L0, L1, L2, L3;

  388.     p448_sqr  (   &L1,    sz );

  389.     p448_copy (   &L3,   &L1 );

  390.     p448_addw (   &L3,     1 );

  391.     p448_sqr  ( &a->x,   &L3 );

  392.     p448_mulw (   &L3, &a->x, 39082 );

  393.     p448_neg  ( &a->x,   &L3 );

  394.     p448_add  (   &L3,   &L1,   &L1 );

  395.     p448_bias (   &L3,     1 );

  396.     p448_add  ( &a->y,   &L3,   &L3 );

  397.     p448_add  (   &L3, &a->y, &a->x );

  398.     p448_copy ( &a->y,   &L1 );

  399.     p448_subw ( &a->y,     1 );

  400.     p448_neg  ( &a->x, &a->y );

  401.     p448_bias ( &a->x,     2 );

  402.     p448_mul  ( &a->y, &a->x,   &L3 );

  403.     p448_sqr  (   &L2, &a->x );

  404.     p448_mul  (   &L0,   &L2, &a->y );

  405.     p448_mul  ( &a->y, &a->x,   &L0 );

  406.     p448_isr  (   &L3, &a->y );

  407.     p448_mul  ( &a->y,   &L2,   &L3 );

  408.     p448_sqr  (   &L2,   &L3 );

  409.     p448_mul  (   &L3,   &L0,   &L2 );

  410.     p448_mul  (   &L0, &a->x,   &L3 );

  411.     p448_bias (   &L0,     1 );

  412.     p448_add  (   &L2, &a->y, &a->y );

  413.     p448_mul  ( &a->x,    sz,   &L2 );

  414.     p448_addw (   &L1,     1 );

  415.     p448_mul  ( &a->y,   &L1,   &L3 );

  416.     p448_subw (   &L0,     1 );

  417.     return p448_is_zero(   &L0 );

  418. }

  419. 

  420. void

  421. set_identity_extensible (

  422.     struct extensible_t* a

  423. ) {

  424.     p448_set_ui( &a->x,     0 );

  425.     p448_set_ui( &a->y,     1 );

  426.     p448_set_ui( &a->z,     1 );

  427.     p448_set_ui( &a->t,     0 );

  428.     p448_set_ui( &a->u,     0 );

  429. }

  430. 

  431. void

  432. set_identity_tw_extensible (

  433.     struct tw_extensible_t* a

  434. ) {

  435.     p448_set_ui( &a->x,     0 );

  436.     p448_set_ui( &a->y,     1 );

  437.     p448_set_ui( &a->z,     1 );

  438.     p448_set_ui( &a->t,     0 );

  439.     p448_set_ui( &a->u,     0 );

  440. }

  441. 

  442. void

  443. set_identity_affine (

  444.     struct affine_t* a

  445. ) {

  446.     p448_set_ui( &a->x,     0 );

  447.     p448_set_ui( &a->y,     1 );

  448. }

  449. 

  450. mask_t

  451. eq_affine (

  452.     const struct affine_t* a,

  453.     const struct affine_t* b

  454. ) {

  455.     mask_t L0, L1;

  456.     struct p448_t L2;

  457.     p448_sub  (   &L2, &a->x, &b->x );

  458.     p448_bias (   &L2,     2 );

  459.        L1 = p448_is_zero(   &L2 );

  460.     p448_sub  (   &L2, &a->y, &b->y );

  461.     p448_bias (   &L2,     2 );

  462.        L0 = p448_is_zero(   &L2 );

  463.     return    L1 &    L0;

  464. }

  465. 

  466. mask_t

  467. eq_extensible (

  468.     const struct extensible_t* a,

  469.     const struct extensible_t* b

  470. ) {

  471.     mask_t L0, L1;

  472.     struct p448_t L2, L3, L4;

  473.     p448_mul  (   &L4, &b->z, &a->x );

  474.     p448_mul  (   &L3, &a->z, &b->x );

  475.     p448_sub  (   &L2,   &L4,   &L3 );

  476.     p448_bias (   &L2,     2 );

  477.        L1 = p448_is_zero(   &L2 );

  478.     p448_mul  (   &L4, &b->z, &a->y );

  479.     p448_mul  (   &L3, &a->z, &b->y );

  480.     p448_sub  (   &L2,   &L4,   &L3 );

  481.     p448_bias (   &L2,     2 );

  482.        L0 = p448_is_zero(   &L2 );

  483.     return    L1 &    L0;

  484. }

  485. 

  486. mask_t

  487. eq_tw_extensible (

  488.     const struct tw_extensible_t* a,

  489.     const struct tw_extensible_t* b

  490. ) {

  491.     mask_t L0, L1;

  492.     struct p448_t L2, L3, L4;

  493.     p448_mul  (   &L4, &b->z, &a->x );

  494.     p448_mul  (   &L3, &a->z, &b->x );

  495.     p448_sub  (   &L2,   &L4,   &L3 );

  496.     p448_bias (   &L2,     2 );

  497.        L1 = p448_is_zero(   &L2 );

  498.     p448_mul  (   &L4, &b->z, &a->y );

  499.     p448_mul  (   &L3, &a->z, &b->y );

  500.     p448_sub  (   &L2,   &L4,   &L3 );

  501.     p448_bias (   &L2,     2 );

  502.        L0 = p448_is_zero(   &L2 );

  503.     return    L1 &    L0;

  504. }

  505. 

  506. void

  507. elligator_2s_inject (

  508.     struct affine_t*     a,

  509.     const struct p448_t* r

  510. ) {

  511.     mask_t L0, L1;

  512.     struct p448_t L2, L3, L4, L5, L6, L7, L8, L9;

  513.     p448_sqr  ( &a->x,     r );

  514.     p448_sqr  (   &L3, &a->x );

  515.     p448_copy ( &a->y,   &L3 );

  516.     p448_subw ( &a->y,     1 );

  517.     p448_neg  (   &L9, &a->y );

  518.     p448_bias (   &L9,     2 );

  519.     p448_sqr  (   &L2,   &L9 );

  520.     p448_bias (   &L2,     1 );

  521.     p448_mulw (   &L7,   &L2, 1527402724 );

  522.     p448_bias (   &L7,     2 );

  523.     p448_mulw (   &L8,   &L3, 6108985600 );

  524.     p448_add  ( &a->y,   &L8,   &L7 );

  525.     p448_mulw (   &L8,   &L2, 6109454568 );

  526.     p448_sub  (   &L7, &a->y,   &L8 );

  527.     p448_mulw (   &L4, &a->y, 78160 );

  528.     p448_mul  (   &L6,   &L7,   &L9 );

  529.     p448_mul  (   &L8,   &L6,   &L4 );

  530.     p448_mul  (   &L4,   &L7,   &L8 );

  531.     p448_isr  (   &L5,   &L4 );

  532.     p448_mul  (   &L4,   &L6,   &L5 );

  533.     p448_sqr  (   &L6,   &L5 );

  534.     p448_mul  (   &L5,   &L8,   &L6 );

  535.     p448_mul  (   &L8,   &L7,   &L5 );

  536.     p448_mul  (   &L7,   &L8,   &L5 );

  537.     p448_copy (   &L6, &a->x );

  538.     p448_subw (   &L6,     1 );

  539.     p448_addw ( &a->x,     1 );

  540.     p448_mul  (   &L5, &a->x,   &L8 );

  541.     p448_sub  ( &a->x,   &L6,   &L5 );

  542.     p448_bias ( &a->x,     3 );

  543.     p448_mul  (   &L5,   &L4, &a->x );

  544.     p448_mulw (   &L4,   &L5, 78160 );

  545.     p448_neg  ( &a->x,   &L4 );

  546.     p448_bias ( &a->x,     2 );

  547.     p448_weak_reduce( &a->x );

  548.     p448_add  (   &L4,   &L3,   &L3 );

  549.     p448_add  (   &L3,   &L4,   &L2 );

  550.     p448_subw (   &L3,     2 );

  551.     p448_mul  (   &L2,   &L3,   &L8 );

  552.     p448_mulw (   &L3,   &L2, 3054649120 );

  553.     p448_add  (   &L2,   &L3, &a->y );

  554.     p448_mul  ( &a->y,   &L7,   &L2 );

  555.        L1 = p448_is_zero(   &L9 );

  556.        L0 = -   L1;

  557.     p448_addw ( &a->y,    L0 );

  558.     p448_weak_reduce( &a->y );

  559. }

  560. 

  561. mask_t

  562. p448_affine_validate (

  563.     const struct affine_t* a

  564. ) {

  565.     struct p448_t L0, L1, L2, L3;

  566.     p448_sqr  (   &L0, &a->y );

  567.     p448_sqr  (   &L2, &a->x );

  568.     p448_add  (   &L3,   &L2,   &L0 );

  569.     p448_subw (   &L3,     1 );

  570.     p448_mulw (   &L1,   &L2, 39081 );

  571.     p448_neg  (   &L2,   &L1 );

  572.     p448_bias (   &L2,     2 );

  573.     p448_mul  (   &L1,   &L0,   &L2 );

  574.     p448_sub  (   &L0,   &L3,   &L1 );

  575.     p448_bias (   &L0,     3 );

  576.     return p448_is_zero(   &L0 );

  577. }

  578. 

  579. mask_t

  580. p448_tw_extensible_validate (

  581.     const struct tw_extensible_t* ext

  582. ) {

  583.     mask_t L0, L1;

  584.     struct p448_t L2, L3, L4, L5;

  585.     /*

  586.      * Check invariant:

  587.      * 0 = -x*y + z*t*u

  588.      */

  589.     p448_mul  (   &L2, &ext->t, &ext->u );

  590.     p448_mul  (   &L4, &ext->z,   &L2 );

  591.     p448_addw (   &L4,     0 );

  592.     p448_mul  (   &L3, &ext->x, &ext->y );

  593.     p448_neg  (   &L2,   &L3 );

  594.     p448_add  (   &L3,   &L2,   &L4 );

  595.     p448_bias (   &L3,     2 );

  596.        L1 = p448_is_zero(   &L3 );

  597.     /*

  598.      * Check invariant:

  599.      * 0 = d*t^2*u^2 + x^2 - y^2 + z^2 - t^2*u^2

  600.      */

  601.     p448_sqr  (   &L4, &ext->y );

  602.     p448_neg  (   &L2,   &L4 );

  603.     p448_addw (   &L2,     0 );

  604.     p448_sqr  (   &L3, &ext->x );

  605.     p448_bias (   &L3,     4 );

  606.     p448_add  (   &L4,   &L3,   &L2 );

  607.     p448_sqr  (   &L5, &ext->u );

  608.     p448_sqr  (   &L3, &ext->t );

  609.     p448_mul  (   &L2,   &L3,   &L5 );

  610.     p448_mulw (   &L3,   &L2, 39081 );

  611.     p448_neg  (   &L5,   &L3 );

  612.     p448_add  (   &L3,   &L5,   &L4 );

  613.     p448_neg  (   &L5,   &L2 );

  614.     p448_add  (   &L4,   &L5,   &L3 );

  615.     p448_sqr  (   &L3, &ext->z );

  616.     p448_add  (   &L2,   &L3,   &L4 );

  617.        L0 = p448_is_zero(   &L2 );

  618.     return    L1 &    L0;

  619. }

  620.