jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 4eb210cd85
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4eb210cd85'
${ noResults }
ed448goldilocks/src/arch_x86_64/p448.c

457 lines
10 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "p448.h"

  6. #include "x86-64-arith.h"

  7. 

  8. void

  9. p448_mul (

  10.     p448_t *__restrict__ cs,

  11.     const p448_t *as,

  12.     const p448_t *bs

  13. ) {

  14.     const uint64_t *a = as->limb, *b = bs->limb;

  15.     uint64_t *c = cs->limb;

  16. 

  17.     __uint128_t accum0 = 0, accum1 = 0, accum2;

  18.     uint64_t mask = (1ull<<56) - 1;  

  19. 

  20.     uint64_t aa[4] __attribute__((aligned(32))), bb[4] __attribute__((aligned(32))), bbb[4] __attribute__((aligned(32)));

  21. 

  22.     /* For some reason clang doesn't vectorize this without prompting? */

  23.     unsigned int i;

  24.     for (i=0; i<sizeof(aa)/sizeof(uint64xn_t); i++) {

  25.         ((uint64xn_t*)aa)[i] = ((const uint64xn_t*)a)[i] + ((const uint64xn_t*)(&a[4]))[i];

  26.         ((uint64xn_t*)bb)[i] = ((const uint64xn_t*)b)[i] + ((const uint64xn_t*)(&b[4]))[i]; 

  27.         ((uint64xn_t*)bbb)[i] = ((const uint64xn_t*)bb)[i] + ((const uint64xn_t*)(&b[4]))[i];     

  28.     }

  29.     /*

  30.     for (int i=0; i<4; i++) {

  31.     aa[i] = a[i] + a[i+4];

  32.     bb[i] = b[i] + b[i+4];

  33.     }

  34.     */

  35. 

  36.     accum2  = widemul(&a[0],&b[3]);

  37.     accum0  = widemul(&aa[0],&bb[3]);

  38.     accum1  = widemul(&a[4],&b[7]);

  39. 

  40.     mac(&accum2, &a[1], &b[2]);

  41.     mac(&accum0, &aa[1], &bb[2]);

  42.     mac(&accum1, &a[5], &b[6]);

  43. 

  44.     mac(&accum2, &a[2], &b[1]);

  45.     mac(&accum0, &aa[2], &bb[1]);

  46.     mac(&accum1, &a[6], &b[5]);

  47. 

  48.     mac(&accum2, &a[3], &b[0]);

  49.     mac(&accum0, &aa[3], &bb[0]);

  50.     mac(&accum1, &a[7], &b[4]);

  51. 

  52.     accum0 -= accum2;

  53.     accum1 += accum2;

  54. 

  55.     c[3] = ((uint64_t)(accum1)) & mask;

  56.     c[7] = ((uint64_t)(accum0)) & mask;

  57. 

  58.     accum0 >>= 56;

  59.     accum1 >>= 56;

  60.     

  61.     mac(&accum0, &aa[1],&bb[3]);

  62.     mac(&accum1, &a[5], &b[7]);

  63.     mac(&accum0, &aa[2], &bb[2]);

  64.     mac(&accum1, &a[6], &b[6]);

  65.     mac(&accum0, &aa[3], &bb[1]);

  66.     accum1 += accum0;

  67. 

  68.     accum2 = widemul(&a[0],&b[0]);

  69.     accum1 -= accum2;

  70.     accum0 += accum2;

  71.     

  72.     msb(&accum0, &a[1], &b[3]);

  73.     msb(&accum0, &a[2], &b[2]);

  74.     mac(&accum1, &a[7], &b[5]);

  75.     msb(&accum0, &a[3], &b[1]);

  76.     mac(&accum1, &aa[0], &bb[0]);

  77.     mac(&accum0, &a[4], &b[4]);

  78. 

  79.     c[0] = ((uint64_t)(accum0)) & mask;

  80.     c[4] = ((uint64_t)(accum1)) & mask;

  81. 

  82.     accum0 >>= 56;

  83.     accum1 >>= 56;

  84. 

  85.     accum2  = widemul(&a[2],&b[7]);

  86.     mac(&accum0, &a[6], &bb[3]);

  87.     mac(&accum1, &aa[2], &bbb[3]);

  88. 

  89.     mac(&accum2, &a[3], &b[6]);

  90.     mac(&accum0, &a[7], &bb[2]);

  91.     mac(&accum1, &aa[3], &bbb[2]);

  92. 

  93.     mac(&accum2, &a[0],&b[1]);

  94.     mac(&accum1, &aa[0], &bb[1]);

  95.     mac(&accum0, &a[4], &b[5]);

  96. 

  97.     mac(&accum2, &a[1], &b[0]);

  98.     mac(&accum1, &aa[1], &bb[0]);

  99.     mac(&accum0, &a[5], &b[4]);

  100. 

  101.     accum1 -= accum2;

  102.     accum0 += accum2;

  103. 

  104.     c[1] = ((uint64_t)(accum0)) & mask;

  105.     c[5] = ((uint64_t)(accum1)) & mask;

  106. 

  107.     accum0 >>= 56;

  108.     accum1 >>= 56;

  109. 

  110.     accum2  = widemul(&a[3],&b[7]);

  111.     mac(&accum0, &a[7], &bb[3]);

  112.     mac(&accum1, &aa[3], &bbb[3]);

  113. 

  114.     mac(&accum2, &a[0],&b[2]);

  115.     mac(&accum1, &aa[0], &bb[2]);

  116.     mac(&accum0, &a[4], &b[6]);

  117. 

  118.     mac(&accum2, &a[1], &b[1]);

  119.     mac(&accum1, &aa[1], &bb[1]);

  120.     mac(&accum0, &a[5], &b[5]);

  121. 

  122.     mac(&accum2, &a[2], &b[0]);

  123.     mac(&accum1, &aa[2], &bb[0]);

  124.     mac(&accum0, &a[6], &b[4]);

  125. 

  126.     accum1 -= accum2;

  127.     accum0 += accum2;

  128. 

  129.     c[2] = ((uint64_t)(accum0)) & mask;

  130.     c[6] = ((uint64_t)(accum1)) & mask;

  131. 

  132.     accum0 >>= 56;

  133.     accum1 >>= 56;

  134. 

  135.     accum0 += c[3];

  136.     accum1 += c[7];

  137.     c[3] = ((uint64_t)(accum0)) & mask;

  138.     c[7] = ((uint64_t)(accum1)) & mask;

  139. 

  140.     /* we could almost stop here, but it wouldn't be stable, so... */

  141. 

  142.     accum0 >>= 56;

  143.     accum1 >>= 56;

  144.     c[4] += ((uint64_t)(accum0)) + ((uint64_t)(accum1));

  145.     c[0] += ((uint64_t)(accum1));

  146. }

  147. 

  148. void

  149. p448_mulw (

  150.     p448_t *__restrict__ cs,

  151.     const p448_t *as,

  152.     uint64_t b

  153. ) {

  154.     const uint64_t *a = as->limb;

  155.     uint64_t *c = cs->limb;

  156. 

  157.     __uint128_t accum0, accum4;

  158.     uint64_t mask = (1ull<<56) - 1;  

  159. 

  160.     accum0 = widemul_rm(b, &a[0]);

  161.     accum4 = widemul_rm(b, &a[4]);

  162. 

  163.     c[0] = accum0 & mask; accum0 >>= 56;

  164.     c[4] = accum4 & mask; accum4 >>= 56;

  165. 

  166.     mac_rm(&accum0, b, &a[1]);

  167.     mac_rm(&accum4, b, &a[5]);

  168. 

  169.     c[1] = accum0 & mask; accum0 >>= 56;

  170.     c[5] = accum4 & mask; accum4 >>= 56;

  171. 

  172.     mac_rm(&accum0, b, &a[2]);

  173.     mac_rm(&accum4, b, &a[6]);

  174. 

  175.     c[2] = accum0 & mask; accum0 >>= 56;

  176.     c[6] = accum4 & mask; accum4 >>= 56;

  177. 

  178.     mac_rm(&accum0, b, &a[3]);

  179.     mac_rm(&accum4, b, &a[7]);

  180. 

  181.     c[3] = accum0 & mask; accum0 >>= 56;

  182.     c[7] = accum4 & mask; accum4 >>= 56;

  183.     

  184.     accum0 += accum4 + c[4];

  185.     c[4] = accum0 & mask;

  186.     c[5] += accum0 >> 56;

  187. 

  188.     accum4 += c[0];

  189.     c[0] = accum4 & mask;

  190.     c[1] += accum4 >> 56;

  191. }

  192. 

  193. void

  194. p448_sqr (

  195.     p448_t *__restrict__ cs,

  196.     const p448_t *as

  197. ) {

  198.     const uint64_t *a = as->limb;

  199.     uint64_t *c = cs->limb;

  200. 

  201.     __uint128_t accum0 = 0, accum1 = 0, accum2;

  202.     uint64_t mask = (1ull<<56) - 1;  

  203. 

  204.     uint64_t aa[4] __attribute__((aligned(32)));

  205. 

  206.     /* For some reason clang doesn't vectorize this without prompting? */

  207.     unsigned int i;

  208.     for (i=0; i<sizeof(aa)/sizeof(uint64xn_t); i++) {

  209.       ((uint64xn_t*)aa)[i] = ((const uint64xn_t*)a)[i] + ((const uint64xn_t*)(&a[4]))[i];

  210.     }

  211. 

  212.     accum2  = widemul(&a[0],&a[3]);

  213.     accum0  = widemul(&aa[0],&aa[3]);

  214.     accum1  = widemul(&a[4],&a[7]);

  215. 

  216.     mac(&accum2, &a[1], &a[2]);

  217.     mac(&accum0, &aa[1], &aa[2]);

  218.     mac(&accum1, &a[5], &a[6]);

  219. 

  220.     accum0 -= accum2;

  221.     accum1 += accum2;

  222. 

  223.     c[3] = ((uint64_t)(accum1))<<1 & mask;

  224.     c[7] = ((uint64_t)(accum0))<<1 & mask;

  225. 

  226.     accum0 >>= 55;

  227.     accum1 >>= 55;

  228. 

  229.     mac2(&accum0, &aa[1],&aa[3]);

  230.     mac2(&accum1, &a[5], &a[7]);

  231.     mac(&accum0, &aa[2], &aa[2]);

  232.     accum1 += accum0;

  233. 

  234.     msb2(&accum0, &a[1], &a[3]);

  235.     mac(&accum1, &a[6], &a[6]);

  236.     

  237.     accum2 = widemul(&a[0],&a[0]);

  238.     accum1 -= accum2;

  239.     accum0 += accum2;

  240. 

  241.     msb(&accum0, &a[2], &a[2]);

  242.     mac(&accum1, &aa[0], &aa[0]);

  243.     mac(&accum0, &a[4], &a[4]);

  244. 

  245.     c[0] = ((uint64_t)(accum0)) & mask;

  246.     c[4] = ((uint64_t)(accum1)) & mask;

  247. 

  248.     accum0 >>= 56;

  249.     accum1 >>= 56;

  250. 

  251.     accum2  = widemul2(&aa[2],&aa[3]);

  252.     msb2(&accum0, &a[2], &a[3]);

  253.     mac2(&accum1, &a[6], &a[7]);

  254. 

  255.     accum1 += accum2;

  256.     accum0 += accum2;

  257. 

  258.     accum2  = widemul2(&a[0],&a[1]);

  259.     mac2(&accum1, &aa[0], &aa[1]);

  260.     mac2(&accum0, &a[4], &a[5]);

  261. 

  262.     accum1 -= accum2;

  263.     accum0 += accum2;

  264. 

  265.     c[1] = ((uint64_t)(accum0)) & mask;

  266.     c[5] = ((uint64_t)(accum1)) & mask;

  267. 

  268.     accum0 >>= 56;

  269.     accum1 >>= 56;

  270. 

  271.     accum2  = widemul(&aa[3],&aa[3]);

  272.     msb(&accum0, &a[3], &a[3]);

  273.     mac(&accum1, &a[7], &a[7]);

  274. 

  275.     accum1 += accum2;

  276.     accum0 += accum2;

  277. 

  278.     accum2  = widemul2(&a[0],&a[2]);

  279.     mac2(&accum1, &aa[0], &aa[2]);

  280.     mac2(&accum0, &a[4], &a[6]);

  281. 

  282.     mac(&accum2, &a[1], &a[1]);

  283.     mac(&accum1, &aa[1], &aa[1]);

  284.     mac(&accum0, &a[5], &a[5]);

  285. 

  286.     accum1 -= accum2;

  287.     accum0 += accum2;

  288. 

  289.     c[2] = ((uint64_t)(accum0)) & mask;

  290.     c[6] = ((uint64_t)(accum1)) & mask;

  291. 

  292.     accum0 >>= 56;

  293.     accum1 >>= 56;

  294. 

  295.     accum0 += c[3];

  296.     accum1 += c[7];

  297.     c[3] = ((uint64_t)(accum0)) & mask;

  298.     c[7] = ((uint64_t)(accum1)) & mask;

  299. 

  300.     /* we could almost stop here, but it wouldn't be stable, so... */

  301. 

  302.     accum0 >>= 56;

  303.     accum1 >>= 56;

  304.     c[4] += ((uint64_t)(accum0)) + ((uint64_t)(accum1));

  305.     c[0] += ((uint64_t)(accum1));

  306. }

  307. 

  308. void

  309. p448_strong_reduce (

  310.     p448_t *a

  311. ) {

  312.     uint64_t mask = (1ull<<56)-1;

  313. 

  314.     /* first, clear high */

  315.     a->limb[4] += a->limb[7]>>56;

  316.     a->limb[0] += a->limb[7]>>56;

  317.     a->limb[7] &= mask;

  318. 

  319.     /* now the total is less than 2^448 - 2^(448-56) + 2^(448-56+8) < 2p */

  320. 

  321.     /* compute total_value - p.  No need to reduce mod p. */

  322. 

  323.     __int128_t scarry = 0;

  324.     int i;

  325.     for (i=0; i<8; i++) {

  326.         scarry = scarry + a->limb[i] - ((i==4)?mask-1:mask);

  327.         a->limb[i] = scarry & mask;

  328.         scarry >>= 56;

  329.     }

  330. 

  331.     /* uncommon case: it was >= p, so now scarry = 0 and this = x

  332.     * common case: it was < p, so now scarry = -1 and this = x - p + 2^448

  333.     * so let's add back in p.  will carry back off the top for 2^448.

  334.     */

  335. 

  336.     assert(is_zero(scarry) | is_zero(scarry+1));

  337. 

  338.     uint64_t scarry_mask = scarry & mask;

  339.     __uint128_t carry = 0;

  340. 

  341.     /* add it back */

  342.     for (i=0; i<8; i++) {

  343.         carry = carry + a->limb[i] + ((i==4)?(scarry_mask&~1):scarry_mask);

  344.         a->limb[i] = carry & mask;

  345.         carry >>= 56;

  346.     }

  347. 

  348.     assert(is_zero(carry + scarry));

  349. }

  350. 

  351. mask_t

  352. p448_is_zero (

  353.     const struct p448_t *a

  354. ) {

  355.     struct p448_t b;

  356.     p448_copy(&b,a);

  357.     p448_strong_reduce(&b);

  358. 

  359.     uint64_t any = 0;

  360.     int i;

  361.     for (i=0; i<8; i++) {

  362.         any |= b.limb[i];

  363.     }

  364.     return is_zero(any);

  365. }

  366. 

  367. void

  368. p448_serialize (

  369.     uint8_t *serial,

  370.     const struct p448_t *x

  371. ) {

  372.     int i,j;

  373.     p448_t red;

  374.     p448_copy(&red, x);

  375.     p448_strong_reduce(&red);

  376.     for (i=0; i<8; i++) {

  377.         for (j=0; j<7; j++) {

  378.             serial[7*i+j] = red.limb[i];

  379.             red.limb[i] >>= 8;

  380.         }

  381.         assert(red.limb[i] == 0);

  382.     }

  383. }

  384. 

  385. mask_t

  386. p448_deserialize (

  387.     p448_t *x,

  388.     const uint8_t serial[56]

  389. ) {

  390.     int i,j;

  391.     for (i=0; i<8; i++) {

  392.         word_t out = 0;

  393.         for (j=0; j<7; j++) {

  394.             out |= ((word_t)serial[7*i+j])<<(8*j);

  395.         }

  396.         x->limb[i] = out;

  397.     }

  398.     

  399.     /* Check for reduction.

  400.      *

  401.      * The idea is to create a variable ge which is all ones (rather, 56 ones)

  402.      * if and only if the low $i$ words of $x$ are >= those of p.

  403.      *

  404.      * Remember p = little_endian(1111,1111,1111,1111,1110,1111,1111,1111)

  405.      */

  406.     word_t ge = -1, mask = (1ull<<56)-1;

  407.     for (i=0; i<4; i++) {

  408.         ge &= x->limb[i];

  409.     }

  410.     

  411.     /* At this point, ge = 1111 iff bottom are all 1111.  Now propagate if 1110, or set if 1111 */

  412.     ge = (ge & (x->limb[4] + 1)) | is_zero(x->limb[4] ^ mask);

  413.     

  414.     /* Propagate the rest */

  415.     for (i=5; i<8; i++) {

  416.         ge &= x->limb[i];

  417.     }

  418.     

  419.     return ~is_zero(ge ^ mask);

  420. }

  421. 

  422. void

  423. simultaneous_invert_p448(

  424.     struct p448_t *__restrict__ out,

  425.     const struct p448_t *in,

  426.     unsigned int n

  427. ) {

  428.   if (n==0) {

  429.       return;

  430.   } else if (n==1) {

  431.       p448_inverse(out,in);

  432.       return;

  433.   }

  434.   

  435.   p448_copy(&out[1], &in[0]);

  436.   int i;

  437.   for (i=1; i<(int) (n-1); i++) {

  438.       p448_mul(&out[i+1], &out[i], &in[i]);

  439.   }

  440.   p448_mul(&out[0], &out[n-1], &in[n-1]);

  441.   

  442.   struct p448_t tmp;

  443.   p448_inverse(&tmp, &out[0]);

  444.   p448_copy(&out[0], &tmp);

  445.   

  446.   /* at this point, out[0] = product(in[i]) ^ -1

  447.    * out[i] = product(in[0]..in[i-1]) if i != 0

  448.    */

  449.   for (i=n-1; i>0; i--) {

  450.       p448_mul(&tmp, &out[i], &out[0]);

  451.       p448_copy(&out[i], &tmp);

  452.       

  453.       p448_mul(&tmp, &out[0], &in[i]);

  454.       p448_copy(&out[0], &tmp);

  455.   }

  456. }