jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
302 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 6bc97fb756
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6bc97fb756'
${ noResults }
ed448goldilocks/src/p448/arch_arm_32/f_impl.c

947 lines
26 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "f_field.h"

  6. 

  7. static inline mask_t is_zero (word_t x) {

  8.     dword_t xx = x;

  9.     xx--;

  10.     return xx >> WORD_BITS;

  11. }

  12. 

  13. static uint64_t widemul (

  14.     const uint32_t a,

  15.     const uint32_t b

  16. ) {

  17.     return ((uint64_t)a)* b;

  18. }

  19. 

  20. static inline void __attribute__((gnu_inline,always_inline))

  21. smlal (

  22.     uint64_t *acc,

  23.     const uint32_t a,

  24.     const uint32_t b

  25. ) {

  26. 

  27. #ifdef  __ARMEL__

  28.     uint32_t lo = *acc, hi = (*acc)>>32;

  29.     

  30.     __asm__ __volatile__ ("smlal %[lo], %[hi], %[a], %[b]"

  31.         : [lo]"+&r"(lo), [hi]"+&r"(hi)

  32.         : [a]"r"(a), [b]"r"(b));

  33.     

  34.     *acc = lo + (((uint64_t)hi)<<32);

  35. #else

  36.     *acc += (int64_t)(int32_t)a * (int64_t)(int32_t)b;

  37. #endif

  38. }

  39. 

  40. static inline void __attribute__((gnu_inline,always_inline))

  41. smlal2 (

  42.     uint64_t *acc,

  43.     const uint32_t a,

  44.     const uint32_t b

  45. ) {

  46. #ifdef __ARMEL__

  47.     uint32_t lo = *acc, hi = (*acc)>>32;

  48.     

  49.     __asm__ __volatile__ ("smlal %[lo], %[hi], %[a], %[b]"

  50.         : [lo]"+&r"(lo), [hi]"+&r"(hi)

  51.         : [a]"r"(a), [b]"r"(2*b));

  52.     

  53.     *acc = lo + (((uint64_t)hi)<<32);

  54. #else

  55.     *acc += (int64_t)(int32_t)a * (int64_t)(int32_t)(b * 2);

  56. #endif

  57. }

  58. 

  59. static inline void __attribute__((gnu_inline,always_inline))

  60. smull (

  61.     uint64_t *acc,

  62.     const uint32_t a,

  63.     const uint32_t b

  64. ) {

  65. #ifdef __ARMEL__

  66.     uint32_t lo, hi;

  67.     

  68.     __asm__ __volatile__ ("smull %[lo], %[hi], %[a], %[b]"

  69.         : [lo]"=&r"(lo), [hi]"=&r"(hi)

  70.         : [a]"r"(a), [b]"r"(b));

  71.     

  72.     *acc = lo + (((uint64_t)hi)<<32);

  73. #else

  74.     *acc = (int64_t)(int32_t)a * (int64_t)(int32_t)b;

  75. #endif

  76. }

  77. 

  78. static inline void __attribute__((gnu_inline,always_inline))

  79. smull2 (

  80.     uint64_t *acc,

  81.     const uint32_t a,

  82.     const uint32_t b

  83. ) {

  84. #ifdef __ARMEL__

  85.     uint32_t lo, hi;

  86.     

  87.     __asm__ /*__volatile__*/ ("smull %[lo], %[hi], %[a], %[b]"

  88.         : [lo]"=&r"(lo), [hi]"=&r"(hi)

  89.         : [a]"r"(a), [b]"r"(2*b));

  90.     

  91.     *acc = lo + (((uint64_t)hi)<<32);

  92. #else

  93.     *acc = (int64_t)(int32_t)a * (int64_t)(int32_t)(b * 2);

  94. #endif

  95. }

  96. 

  97. void gf_mul (gf_s *__restrict__ cs, const gf as, const gf bs) {

  98.     

  99.     const uint32_t *a = as->limb, *b = bs->limb;

  100.     uint32_t *c = cs->limb;

  101. 

  102.     uint64_t accum0 = 0, accum1 = 0, accum2, accum3, accumC0, accumC1;

  103.     uint32_t mask = (1<<28) - 1;  

  104. 

  105.     uint32_t aa[8], bm[8];

  106. 

  107.     int i;

  108.     for (i=0; i<8; i++) {

  109.         aa[i] = a[i] + a[i+8];

  110.         bm[i] = b[i] - b[i+8];

  111.     }

  112. 

  113.     uint32_t ax,bx;

  114.     {

  115.         /* t^3 terms */

  116.         smull(&accum1, ax = aa[1], bx = b[15]);

  117.         smull(&accum3, ax = aa[2], bx);

  118.         smlal(&accum1, ax, bx = b[14]);

  119.         smlal(&accum3, ax = aa[3], bx);

  120.         smlal(&accum1, ax, bx = b[13]);

  121.         smlal(&accum3, ax = aa[4], bx);

  122.         smlal(&accum1, ax, bx = b[12]);

  123.         smlal(&accum3, ax = aa[5], bx);

  124.         smlal(&accum1, ax, bx = b[11]);

  125.         smlal(&accum3, ax = aa[6], bx);

  126.         smlal(&accum1, ax, bx = b[10]);

  127.         smlal(&accum3, ax = aa[7], bx);

  128.         smlal(&accum1, ax, bx = b[9]);

  129.         

  130.         accum0 = accum1;

  131.         accum2 = accum3;

  132.         

  133.         /* t^2 terms */

  134.         smlal(&accum2, ax = aa[0], bx);

  135.         smlal(&accum0, ax, bx = b[8]);

  136.         smlal(&accum2, ax = aa[1], bx);

  137.         

  138.         smlal(&accum0, ax = a[9], bx = b[7]);

  139.         smlal(&accum2, ax = a[10], bx);

  140.         smlal(&accum0, ax, bx = b[6]);

  141.         smlal(&accum2, ax = a[11], bx);

  142.         smlal(&accum0, ax, bx = b[5]);

  143.         smlal(&accum2, ax = a[12], bx);

  144.         smlal(&accum0, ax, bx = b[4]);

  145.         smlal(&accum2, ax = a[13], bx);

  146.         smlal(&accum0, ax, bx = b[3]);

  147.         smlal(&accum2, ax = a[14], bx);

  148.         smlal(&accum0, ax, bx = b[2]);

  149.         smlal(&accum2, ax = a[15], bx);

  150.         smlal(&accum0, ax, bx = b[1]);

  151.         

  152.         /* t terms */

  153.         accum1 += accum0;

  154.         accum3 += accum2;

  155.         smlal(&accum3, ax = a[8], bx);

  156.         smlal(&accum1, ax, bx = b[0]);

  157.         smlal(&accum3, ax = a[9], bx);

  158.         

  159.         smlal(&accum1, ax = a[1], bx = bm[7]);

  160.         smlal(&accum3, ax = a[2], bx);

  161.         smlal(&accum1, ax, bx = bm[6]);

  162.         smlal(&accum3, ax = a[3], bx);

  163.         smlal(&accum1, ax, bx = bm[5]);

  164.         smlal(&accum3, ax = a[4], bx);

  165.         smlal(&accum1, ax, bx = bm[4]);

  166.         smlal(&accum3, ax = a[5], bx);

  167.         smlal(&accum1, ax, bx = bm[3]);

  168.         smlal(&accum3, ax = a[6], bx);

  169.         smlal(&accum1, ax, bx = bm[2]);

  170.         smlal(&accum3, ax = a[7], bx);

  171.         smlal(&accum1, ax, bx = bm[1]);

  172.         

  173.         /* 1 terms */

  174.         smlal(&accum2, ax = a[0], bx);

  175.         smlal(&accum0, ax, bx = bm[0]);

  176.         smlal(&accum2, ax = a[1], bx);

  177.         

  178.         accum2 += accum0 >> 28;

  179.         accum3 += accum1 >> 28;

  180.         

  181.         c[0] = ((uint32_t)(accum0)) & mask;

  182.         c[1] = ((uint32_t)(accum2)) & mask;

  183.         c[8] = ((uint32_t)(accum1)) & mask;

  184.         c[9] = ((uint32_t)(accum3)) & mask;

  185.         

  186.         accumC0 = accum2 >> 28;

  187.         accumC1 = accum3 >> 28;

  188.     }

  189.     {

  190.         /* t^3 terms */

  191.         smull(&accum1, ax = aa[3], bx = b[15]);

  192.         smull(&accum3, ax = aa[4], bx);

  193.         smlal(&accum1, ax, bx = b[14]);

  194.         smlal(&accum3, ax = aa[5], bx);

  195.         smlal(&accum1, ax, bx = b[13]);

  196.         smlal(&accum3, ax = aa[6], bx);

  197.         smlal(&accum1, ax, bx = b[12]);

  198.         smlal(&accum3, ax = aa[7], bx);

  199.         smlal(&accum1, ax, bx = b[11]);

  200.         

  201.         accum0 = accum1;

  202.         accum2 = accum3;

  203.         

  204.         /* t^2 terms */

  205.         smlal(&accum2, ax = aa[0], bx);

  206.         smlal(&accum0, ax, bx = b[10]);

  207.         smlal(&accum2, ax = aa[1], bx);

  208.         smlal(&accum0, ax, bx = b[9]);

  209.         smlal(&accum2, ax = aa[2], bx);

  210.         smlal(&accum0, ax, bx = b[8]);

  211.         smlal(&accum2, ax = aa[3], bx);

  212.         

  213.         smlal(&accum0, ax = a[11], bx = b[7]);

  214.         smlal(&accum2, ax = a[12], bx);

  215.         smlal(&accum0, ax, bx = b[6]);

  216.         smlal(&accum2, ax = a[13], bx);

  217.         smlal(&accum0, ax, bx = b[5]);

  218.         smlal(&accum2, ax = a[14], bx);

  219.         smlal(&accum0, ax, bx = b[4]);

  220.         smlal(&accum2, ax = a[15], bx);

  221.         smlal(&accum0, ax, bx = b[3]);

  222.         

  223.         /* t terms */

  224.         accum1 += accum0;

  225.         accum3 += accum2;

  226.         smlal(&accum3, ax = a[8], bx);

  227.         smlal(&accum1, ax, bx = b[2]);

  228.         smlal(&accum3, ax = a[9], bx);

  229.         smlal(&accum1, ax, bx = b[1]);

  230.         smlal(&accum3, ax = a[10], bx);

  231.         smlal(&accum1, ax, bx = b[0]);

  232.         smlal(&accum3, ax = a[11], bx);

  233.         

  234.         smlal(&accum1, ax = a[3], bx = bm[7]);

  235.         smlal(&accum3, ax = a[4], bx);

  236.         smlal(&accum1, ax, bx = bm[6]);

  237.         smlal(&accum3, ax = a[5], bx);

  238.         smlal(&accum1, ax, bx = bm[5]);

  239.         smlal(&accum3, ax = a[6], bx);

  240.         smlal(&accum1, ax, bx = bm[4]);

  241.         smlal(&accum3, ax = a[7], bx);

  242.         smlal(&accum1, ax, bx = bm[3]);

  243.         

  244.         /* 1 terms */

  245.         smlal(&accum2, ax = a[0], bx);

  246.         smlal(&accum0, ax, bx = bm[2]);

  247.         smlal(&accum2, ax = a[1], bx);

  248.         smlal(&accum0, ax, bx = bm[1]);

  249.         smlal(&accum2, ax = a[2], bx);

  250.         smlal(&accum0, ax, bx = bm[0]);

  251.         smlal(&accum2, ax = a[3], bx);

  252.         

  253.         accum0 += accumC0;

  254.         accum1 += accumC1;

  255.         accum2 += accum0 >> 28;

  256.         accum3 += accum1 >> 28;

  257.         

  258.         c[2] = ((uint32_t)(accum0)) & mask;

  259.         c[3] = ((uint32_t)(accum2)) & mask;

  260.         c[10] = ((uint32_t)(accum1)) & mask;

  261.         c[11] = ((uint32_t)(accum3)) & mask;

  262.         

  263.         accumC0 = accum2 >> 28;

  264.         accumC1 = accum3 >> 28;

  265.     }

  266.     {

  267.         

  268.         /* t^3 terms */

  269.         smull(&accum1, ax = aa[5], bx = b[15]);

  270.         smull(&accum3, ax = aa[6], bx);

  271.         smlal(&accum1, ax, bx = b[14]);

  272.         smlal(&accum3, ax = aa[7], bx);

  273.         smlal(&accum1, ax, bx = b[13]);

  274.         

  275.         accum0 = accum1;

  276.         accum2 = accum3;

  277.         

  278.         /* t^2 terms */

  279.         

  280.         smlal(&accum2, ax = aa[0], bx);

  281.         smlal(&accum0, ax, bx = b[12]);

  282.         smlal(&accum2, ax = aa[1], bx);

  283.         smlal(&accum0, ax, bx = b[11]);

  284.         smlal(&accum2, ax = aa[2], bx);

  285.         smlal(&accum0, ax, bx = b[10]);

  286.         smlal(&accum2, ax = aa[3], bx);

  287.         smlal(&accum0, ax, bx = b[9]);

  288.         smlal(&accum2, ax = aa[4], bx);

  289.         smlal(&accum0, ax, bx = b[8]);

  290.         smlal(&accum2, ax = aa[5], bx);

  291.         

  292.         

  293.         smlal(&accum0, ax = a[13], bx = b[7]);

  294.         smlal(&accum2, ax = a[14], bx);

  295.         smlal(&accum0, ax, bx = b[6]);

  296.         smlal(&accum2, ax = a[15], bx);

  297.         smlal(&accum0, ax, bx = b[5]);

  298.         

  299.         /* t terms */

  300.         accum1 += accum0;

  301.         accum3 += accum2;

  302.         

  303.         smlal(&accum3, ax = a[8], bx);

  304.         smlal(&accum1, ax, bx = b[4]);

  305.         smlal(&accum3, ax = a[9], bx);

  306.         smlal(&accum1, ax, bx = b[3]);

  307.         smlal(&accum3, ax = a[10], bx);

  308.         smlal(&accum1, ax, bx = b[2]);

  309.         smlal(&accum3, ax = a[11], bx);

  310.         smlal(&accum1, ax, bx = b[1]);

  311.         smlal(&accum3, ax = a[12], bx);

  312.         smlal(&accum1, ax, bx = b[0]);

  313.         smlal(&accum3, ax = a[13], bx);

  314.         

  315.         

  316.         smlal(&accum1, ax = a[5], bx = bm[7]);

  317.         smlal(&accum3, ax = a[6], bx);

  318.         smlal(&accum1, ax, bx = bm[6]);

  319.         smlal(&accum3, ax = a[7], bx);

  320.         smlal(&accum1, ax, bx = bm[5]);

  321.         

  322.         /* 1 terms */

  323.         

  324.         smlal(&accum2, ax = a[0], bx);

  325.         smlal(&accum0, ax, bx = bm[4]);

  326.         smlal(&accum2, ax = a[1], bx);

  327.         smlal(&accum0, ax, bx = bm[3]);

  328.         smlal(&accum2, ax = a[2], bx);

  329.         smlal(&accum0, ax, bx = bm[2]);

  330.         smlal(&accum2, ax = a[3], bx);

  331.         smlal(&accum0, ax, bx = bm[1]);

  332.         smlal(&accum2, ax = a[4], bx);

  333.         smlal(&accum0, ax, bx = bm[0]);

  334.         smlal(&accum2, ax = a[5], bx);

  335.         

  336.         accum0 += accumC0;

  337.         accum1 += accumC1;

  338.         accum2 += accum0 >> 28;

  339.         accum3 += accum1 >> 28;

  340.         

  341.         c[4] = ((uint32_t)(accum0)) & mask;

  342.         c[5] = ((uint32_t)(accum2)) & mask;

  343.         c[12] = ((uint32_t)(accum1)) & mask;

  344.         c[13] = ((uint32_t)(accum3)) & mask;

  345.         

  346.         accumC0 = accum2 >> 28;

  347.         accumC1 = accum3 >> 28;

  348.     }

  349.     {

  350.         

  351.         /* t^3 terms */

  352.         smull(&accum1, ax = aa[7], bx = b[15]);

  353.         accum0 = accum1;

  354.         

  355.         /* t^2 terms */

  356.         

  357.         smull(&accum2, ax = aa[0], bx);

  358.         smlal(&accum0, ax, bx = b[14]);

  359.         smlal(&accum2, ax = aa[1], bx);

  360.         smlal(&accum0, ax, bx = b[13]);

  361.         smlal(&accum2, ax = aa[2], bx);

  362.         smlal(&accum0, ax, bx = b[12]);

  363.         smlal(&accum2, ax = aa[3], bx);

  364.         smlal(&accum0, ax, bx = b[11]);

  365.         smlal(&accum2, ax = aa[4], bx);

  366.         smlal(&accum0, ax, bx = b[10]);

  367.         smlal(&accum2, ax = aa[5], bx);

  368.         smlal(&accum0, ax, bx = b[9]);

  369.         smlal(&accum2, ax = aa[6], bx);

  370.         smlal(&accum0, ax, bx = b[8]);

  371.         smlal(&accum2, ax = aa[7], bx);

  372.         

  373.         

  374.         smlal(&accum0, ax = a[15], bx = b[7]);

  375.         

  376.         /* t terms */

  377.         accum1 += accum0;

  378.         accum3 = accum2;

  379.         

  380.         smlal(&accum3, ax = a[8], bx);

  381.         smlal(&accum1, ax, bx = b[6]);

  382.         smlal(&accum3, ax = a[9], bx);

  383.         smlal(&accum1, ax, bx = b[5]);

  384.         smlal(&accum3, ax = a[10], bx);

  385.         smlal(&accum1, ax, bx = b[4]);

  386.         smlal(&accum3, ax = a[11], bx);

  387.         smlal(&accum1, ax, bx = b[3]);

  388.         smlal(&accum3, ax = a[12], bx);

  389.         smlal(&accum1, ax, bx = b[2]);

  390.         smlal(&accum3, ax = a[13], bx);

  391.         smlal(&accum1, ax, bx = b[1]);

  392.         smlal(&accum3, ax = a[14], bx);

  393.         smlal(&accum1, ax, bx = b[0]);

  394.         smlal(&accum3, ax = a[15], bx);

  395.         

  396.         

  397.         smlal(&accum1, ax = a[7], bx = bm[7]);

  398.         

  399.         /* 1 terms */

  400.         

  401.         smlal(&accum2, ax = a[0], bx);

  402.         smlal(&accum0, ax, bx = bm[6]);

  403.         smlal(&accum2, ax = a[1], bx);

  404.         smlal(&accum0, ax, bx = bm[5]);

  405.         smlal(&accum2, ax = a[2], bx);

  406.         smlal(&accum0, ax, bx = bm[4]);

  407.         smlal(&accum2, ax = a[3], bx);

  408.         smlal(&accum0, ax, bx = bm[3]);

  409.         smlal(&accum2, ax = a[4], bx);

  410.         smlal(&accum0, ax, bx = bm[2]);

  411.         smlal(&accum2, ax = a[5], bx);

  412.         smlal(&accum0, ax, bx = bm[1]);

  413.         smlal(&accum2, ax = a[6], bx);

  414.         smlal(&accum0, ax, bx = bm[0]);

  415.         smlal(&accum2, ax = a[7], bx);

  416.         

  417.         accum0 += accumC0;

  418.         accum1 += accumC1;

  419.         accum2 += accum0 >> 28;

  420.         accum3 += accum1 >> 28;

  421.         

  422.         c[6] = ((uint32_t)(accum0)) & mask;

  423.         c[7] = ((uint32_t)(accum2)) & mask;

  424.         c[14] = ((uint32_t)(accum1)) & mask;

  425.         c[15] = ((uint32_t)(accum3)) & mask;

  426.         

  427.         accum0 = accum2 >> 28;

  428.         accum1 = accum3 >> 28;

  429.     }

  430. 

  431.     accum0 += accum1;

  432.     accum0 += c[8];

  433.     accum1 += c[0];

  434.     c[8] = ((uint32_t)(accum0)) & mask;

  435.     c[0] = ((uint32_t)(accum1)) & mask;

  436.     

  437.     accum0 >>= 28;

  438.     accum1 >>= 28;

  439.     c[9] += ((uint32_t)(accum0));

  440.     c[1] += ((uint32_t)(accum1));

  441. }

  442. 

  443. void gf_sqr (gf_s *__restrict__ cs, const gf as) {

  444.     const uint32_t *a = as->limb;

  445.     uint32_t *c = cs->limb;

  446. 

  447.     uint64_t accum0 = 0, accum1 = 0, accum2, accum3, accumC0, accumC1, tmp;

  448.     uint32_t mask = (1<<28) - 1;  

  449. 

  450.     uint32_t bm[8];

  451.     

  452.     int i;

  453.     for (i=0; i<8; i++) {

  454.         bm[i] = a[i] - a[i+8];

  455.     }

  456. 

  457.     uint32_t ax,bx;

  458.     {

  459.         /* t^3 terms */

  460.         smull2(&accum1, ax = a[9], bx = a[15]);

  461.         smull2(&accum3, ax = a[10], bx);

  462.         smlal2(&accum1, ax, bx = a[14]);

  463.         smlal2(&accum3, ax = a[11], bx);

  464.         smlal2(&accum1, ax, bx = a[13]);

  465.         smlal2(&accum3, ax = a[12], bx);

  466.         smlal(&accum1, ax, ax);

  467.         

  468.         accum0 = accum1;

  469.         accum2 = accum3;

  470.         

  471.         /* t^2 terms */

  472.         smlal2(&accum2, ax = a[8], a[9]);

  473.         smlal(&accum0, ax, ax);

  474.         

  475.         smlal2(&accum0, ax = a[1], bx = a[7]);

  476.         smlal2(&accum2, ax = a[2], bx);

  477.         smlal2(&accum0, ax, bx = a[6]);

  478.         smlal2(&accum2, ax = a[3], bx);

  479.         smlal2(&accum0, ax, bx = a[5]);

  480.         smlal2(&accum2, ax = a[4], bx);

  481.         smlal(&accum0, ax, ax);

  482.         

  483.         /* t terms */

  484.         accum1 += accum0;

  485.         accum3 += accum2;

  486.         smlal2(&accum3, ax = a[0], bx = a[1]);

  487.         smlal(&accum1, ax, ax);

  488.         

  489.         accum1 = -accum1;

  490.         accum3 = -accum3;

  491.         accum2 = -accum2;

  492.         accum0 = -accum0;

  493.         

  494.         smlal2(&accum1, ax = bm[1], bx = bm[7]);

  495.         smlal2(&accum3, ax = bm[2], bx);

  496.         smlal2(&accum1, ax, bx = bm[6]);

  497.         smlal2(&accum3, ax = bm[3], bx);

  498.         smlal2(&accum1, ax, bx = bm[5]);

  499.         smlal2(&accum3, ax = bm[4], bx);

  500.         smlal(&accum1, ax, ax);

  501.         

  502.         /* 1 terms */

  503.         smlal2(&accum2, ax = bm[0], bx = bm[1]);

  504.         smlal(&accum0, ax, ax);

  505.         

  506.         tmp = -accum3; accum3 = tmp-accum2; accum2 = tmp;

  507.         tmp = -accum1; accum1 = tmp-accum0; accum0 = tmp;

  508.         

  509.         accum2 += accum0 >> 28;

  510.         accum3 += accum1 >> 28;

  511.         

  512.         c[0] = ((uint32_t)(accum0)) & mask;

  513.         c[1] = ((uint32_t)(accum2)) & mask;

  514.         c[8] = ((uint32_t)(accum1)) & mask;

  515.         c[9] = ((uint32_t)(accum3)) & mask;

  516.         

  517.         accumC0 = accum2 >> 28;

  518.         accumC1 = accum3 >> 28;

  519.     }

  520.     {

  521.         /* t^3 terms */

  522.         smull2(&accum1, ax = a[11], bx = a[15]);

  523.         smull2(&accum3, ax = a[12], bx);

  524.         smlal2(&accum1, ax, bx = a[14]);

  525.         smlal2(&accum3, ax = a[13], bx);

  526.         smlal(&accum1, ax, ax);

  527.         

  528.         accum0 = accum1;

  529.         accum2 = accum3;

  530.         

  531.         /* t^2 terms */

  532.         smlal2(&accum2, ax = a[8], bx = a[11]);

  533.         smlal2(&accum0, ax, bx = a[10]);

  534.         smlal2(&accum2, ax = a[9], bx);

  535.         smlal(&accum0, ax, ax);

  536.         

  537.         smlal2(&accum0, ax = a[3], bx = a[7]);

  538.         smlal2(&accum2, ax = a[4], bx);

  539.         smlal2(&accum0, ax, bx = a[6]);

  540.         smlal2(&accum2, ax = a[5], bx);

  541.         smlal(&accum0, ax, ax);

  542.         

  543.         /* t terms */

  544.         accum1 += accum0;

  545.         accum3 += accum2;

  546.         smlal2(&accum3, ax = a[0], bx = a[3]);

  547.         smlal2(&accum1, ax, bx = a[2]);

  548.         smlal2(&accum3, ax = a[1], bx);

  549.         smlal(&accum1, ax, ax);

  550.         

  551.         accum1 = -accum1;

  552.         accum3 = -accum3;

  553.         accum2 = -accum2;

  554.         accum0 = -accum0;

  555.         

  556.         smlal2(&accum1, ax = bm[3], bx = bm[7]);

  557.         smlal2(&accum3, ax = bm[4], bx);

  558.         smlal2(&accum1, ax, bx = bm[6]);

  559.         smlal2(&accum3, ax = bm[5], bx);

  560.         smlal(&accum1, ax, ax);

  561.         

  562.         /* 1 terms */

  563.         smlal2(&accum2, ax = bm[0], bx = bm[3]);

  564.         smlal2(&accum0, ax, bx = bm[2]);

  565.         smlal2(&accum2, ax = bm[1], bx);

  566.         smlal(&accum0, ax, ax);

  567.         

  568.         

  569.         tmp = -accum3; accum3 = tmp-accum2; accum2 = tmp;

  570.         tmp = -accum1; accum1 = tmp-accum0; accum0 = tmp;

  571.         

  572.         accum0 += accumC0;

  573.         accum1 += accumC1;

  574.         accum2 += accum0 >> 28;

  575.         accum3 += accum1 >> 28;

  576.         

  577.         c[2] = ((uint32_t)(accum0)) & mask;

  578.         c[3] = ((uint32_t)(accum2)) & mask;

  579.         c[10] = ((uint32_t)(accum1)) & mask;

  580.         c[11] = ((uint32_t)(accum3)) & mask;

  581.         

  582.         accumC0 = accum2 >> 28;

  583.         accumC1 = accum3 >> 28;

  584.     }

  585.     {

  586.         

  587.         /* t^3 terms */

  588.         smull2(&accum1, ax = a[13], bx = a[15]);

  589.         smull2(&accum3, ax = a[14], bx);

  590.         smlal(&accum1, ax, ax);

  591.         

  592.         accum0 = accum1;

  593.         accum2 = accum3;

  594.         

  595.         /* t^2 terms */

  596.         

  597.         smlal2(&accum2, ax = a[8], bx = a[13]);

  598.         smlal2(&accum0, ax, bx = a[12]);

  599.         smlal2(&accum2, ax = a[9], bx);

  600.         smlal2(&accum0, ax, bx = a[11]);

  601.         smlal2(&accum2, ax = a[10], bx);

  602.         smlal(&accum0, ax, ax);

  603.         

  604.         

  605.         smlal2(&accum0, ax = a[5], bx = a[7]);

  606.         smlal2(&accum2, ax = a[6], bx);

  607.         smlal(&accum0, ax, ax);

  608.         

  609.         /* t terms */

  610.         accum1 += accum0;

  611.         accum3 += accum2;

  612.         

  613.         smlal2(&accum3, ax = a[0], bx = a[5]);

  614.         smlal2(&accum1, ax, bx = a[4]);

  615.         smlal2(&accum3, ax = a[1], bx);

  616.         smlal2(&accum1, ax, bx = a[3]);

  617.         smlal2(&accum3, ax = a[2], bx);

  618.         smlal(&accum1, ax, ax);

  619.         

  620.         accum1 = -accum1;

  621.         accum3 = -accum3;

  622.         accum2 = -accum2;

  623.         accum0 = -accum0;

  624.         

  625.         smlal2(&accum1, ax = bm[5], bx = bm[7]);

  626.         smlal2(&accum3, ax = bm[6], bx);

  627.         smlal(&accum1, ax, ax);

  628.         

  629.         /* 1 terms */

  630.         

  631.         smlal2(&accum2, ax = bm[0], bx = bm[5]);

  632.         smlal2(&accum0, ax, bx = bm[4]);

  633.         smlal2(&accum2, ax = bm[1], bx);

  634.         smlal2(&accum0, ax, bx = bm[3]);

  635.         smlal2(&accum2, ax = bm[2], bx);

  636.         smlal(&accum0, ax, ax);

  637.         

  638.         

  639.         tmp = -accum3; accum3 = tmp-accum2; accum2 = tmp;

  640.         tmp = -accum1; accum1 = tmp-accum0; accum0 = tmp;

  641.         

  642.         accum0 += accumC0;

  643.         accum1 += accumC1;

  644.         accum2 += accum0 >> 28;

  645.         accum3 += accum1 >> 28;

  646.         

  647.         c[4] = ((uint32_t)(accum0)) & mask;

  648.         c[5] = ((uint32_t)(accum2)) & mask;

  649.         c[12] = ((uint32_t)(accum1)) & mask;

  650.         c[13] = ((uint32_t)(accum3)) & mask;

  651.         

  652.         accumC0 = accum2 >> 28;

  653.         accumC1 = accum3 >> 28;

  654.     }

  655.     {

  656.         

  657.         /* t^3 terms */

  658.         smull(&accum1, ax = a[15], bx = a[15]);

  659.         accum0 = accum1;

  660.         

  661.         /* t^2 terms */

  662.         

  663.         smull2(&accum2, ax = a[8], bx);

  664.         smlal2(&accum0, ax, bx = a[14]);

  665.         smlal2(&accum2, ax = a[9], bx);

  666.         smlal2(&accum0, ax, bx = a[13]);

  667.         smlal2(&accum2, ax = a[10], bx);

  668.         smlal2(&accum0, ax, bx = a[12]);

  669.         smlal2(&accum2, ax = a[11], bx);

  670.         smlal(&accum0, ax, ax);

  671.         

  672.         

  673.         smlal(&accum0, ax = a[7], bx = a[7]);

  674.         

  675.         /* t terms */

  676.         accum1 += accum0;

  677.         accum3 = accum2;

  678.         

  679.         smlal2(&accum3, ax = a[0], bx);

  680.         smlal2(&accum1, ax, bx = a[6]);

  681.         smlal2(&accum3, ax = a[1], bx);

  682.         smlal2(&accum1, ax, bx = a[5]);

  683.         smlal2(&accum3, ax = a[2], bx);

  684.         smlal2(&accum1, ax, bx = a[4]);

  685.         smlal2(&accum3, ax = a[3], bx);

  686.         smlal(&accum1, ax, ax);

  687.         

  688.         accum1 = -accum1;

  689.         accum3 = -accum3;

  690.         accum2 = -accum2;

  691.         accum0 = -accum0;

  692.         

  693.         bx = bm[7];

  694.         smlal(&accum1, bx, bx);

  695.         

  696.         /* 1 terms */

  697.         

  698.         smlal2(&accum2, ax = bm[0], bx);

  699.         smlal2(&accum0, ax, bx = bm[6]);

  700.         smlal2(&accum2, ax = bm[1], bx);

  701.         smlal2(&accum0, ax, bx = bm[5]);

  702.         smlal2(&accum2, ax = bm[2], bx);

  703.         smlal2(&accum0, ax, bx = bm[4]);

  704.         smlal2(&accum2, ax = bm[3], bx);

  705.         smlal(&accum0, ax, ax);

  706.         

  707.         tmp = -accum3; accum3 = tmp-accum2; accum2 = tmp;

  708.         tmp = -accum1; accum1 = tmp-accum0; accum0 = tmp;

  709.         

  710.         

  711.         accum0 += accumC0;

  712.         accum1 += accumC1;

  713.         accum2 += accum0 >> 28;

  714.         accum3 += accum1 >> 28;

  715.         

  716.         c[6] = ((uint32_t)(accum0)) & mask;

  717.         c[7] = ((uint32_t)(accum2)) & mask;

  718.         c[14] = ((uint32_t)(accum1)) & mask;

  719.         c[15] = ((uint32_t)(accum3)) & mask;

  720.         

  721.         accum0 = accum2 >> 28;

  722.         accum1 = accum3 >> 28;

  723.     }

  724. 

  725.     accum0 += accum1;

  726.     accum0 += c[8];

  727.     accum1 += c[0];

  728.     c[8] = ((uint32_t)(accum0)) & mask;

  729.     c[0] = ((uint32_t)(accum1)) & mask;

  730.     

  731.     accum0 >>= 28;

  732.     accum1 >>= 28;

  733.     c[9] += ((uint32_t)(accum0));

  734.     c[1] += ((uint32_t)(accum1));

  735. }

  736. 

  737. void gf_mulw (

  738.     gf_s *__restrict__ cs,

  739.     const gf as,

  740.     uint64_t b

  741. ) {

  742.     uint32_t mask = (1ull<<28)-1;  

  743.     const uint32_t bhi = b>>28, blo = b & mask;

  744.     

  745.     const uint32_t *a = as->limb;

  746.     uint32_t *c = cs->limb;

  747. 

  748.     uint64_t accum0, accum8;

  749. 

  750.     int i;

  751. 

  752.     uint32_t c0, c8, n0, n8;

  753.     accum0 = widemul(bhi, a[15]);

  754.     accum8 = widemul(bhi, a[15] + a[7]);

  755.     c0 = a[0]; c8 = a[8];

  756.     smlal(&accum0, blo, c0);

  757.     smlal(&accum8, blo, c8);

  758. 

  759.     c[0] = accum0 & mask; accum0 >>= 28;

  760.     c[8] = accum8 & mask; accum8 >>= 28;

  761.     

  762.     i=1;

  763.     {

  764.         n0 = a[i]; n8 = a[i+8];

  765.         smlal(&accum0, bhi, c0);

  766.         smlal(&accum8, bhi, c8);

  767.         smlal(&accum0, blo, n0);

  768.         smlal(&accum8, blo, n8);

  769.         

  770.         c[i] = accum0 & mask; accum0 >>= 28;

  771.         c[i+8] = accum8 & mask; accum8 >>= 28;

  772.         i++;

  773.     }

  774.     {

  775.         c0 = a[i]; c8 = a[i+8];

  776.         smlal(&accum0, bhi, n0);

  777.         smlal(&accum8, bhi, n8);

  778.         smlal(&accum0, blo, c0);

  779.         smlal(&accum8, blo, c8);

  780. 

  781.         c[i] = accum0 & mask; accum0 >>= 28;

  782.         c[i+8] = accum8 & mask; accum8 >>= 28;

  783.         i++;

  784.     }

  785.     {

  786.         n0 = a[i]; n8 = a[i+8];

  787.         smlal(&accum0, bhi, c0);

  788.         smlal(&accum8, bhi, c8);

  789.         smlal(&accum0, blo, n0);

  790.         smlal(&accum8, blo, n8);

  791. 

  792.         c[i] = accum0 & mask; accum0 >>= 28;

  793.         c[i+8] = accum8 & mask; accum8 >>= 28;

  794.         i++;

  795.     }

  796.     {

  797.         c0 = a[i]; c8 = a[i+8];

  798.         smlal(&accum0, bhi, n0);

  799.         smlal(&accum8, bhi, n8);

  800.         smlal(&accum0, blo, c0);

  801.         smlal(&accum8, blo, c8);

  802. 

  803.         c[i] = accum0 & mask; accum0 >>= 28;

  804.         c[i+8] = accum8 & mask; accum8 >>= 28;

  805.         i++;

  806.     }

  807.     {

  808.         n0 = a[i]; n8 = a[i+8];

  809.         smlal(&accum0, bhi, c0);

  810.         smlal(&accum8, bhi, c8);

  811.         smlal(&accum0, blo, n0);

  812.         smlal(&accum8, blo, n8);

  813. 

  814.         c[i] = accum0 & mask; accum0 >>= 28;

  815.         c[i+8] = accum8 & mask; accum8 >>= 28;

  816.         i++;

  817.     }

  818.     {

  819.         c0 = a[i]; c8 = a[i+8];

  820.         smlal(&accum0, bhi, n0);

  821.         smlal(&accum8, bhi, n8);

  822.         smlal(&accum0, blo, c0);

  823.         smlal(&accum8, blo, c8);

  824.         

  825.         c[i] = accum0 & mask; accum0 >>= 28;

  826.         c[i+8] = accum8 & mask; accum8 >>= 28;

  827.         i++;

  828.     }

  829.     {

  830.         n0 = a[i]; n8 = a[i+8];

  831.         smlal(&accum0, bhi, c0);

  832.         smlal(&accum8, bhi, c8);

  833.         smlal(&accum0, blo, n0);

  834.         smlal(&accum8, blo, n8);

  835. 

  836.         c[i] = accum0 & mask; accum0 >>= 28;

  837.         c[i+8] = accum8 & mask; accum8 >>= 28;

  838.         i++;

  839.     }

  840. 

  841.     accum0 += accum8 + c[8];

  842.     c[8] = accum0 & mask;

  843.     c[9] += accum0 >> 28;

  844. 

  845.     accum8 += c[0];

  846.     c[0] = accum8 & mask;

  847.     c[1] += accum8 >> 28;

  848. }

  849. 

  850. void gf_strong_reduce (

  851.     gf a

  852. ) {

  853.     word_t mask = (1ull<<28)-1;

  854. 

  855.     /* first, clear high */

  856.     a->limb[8] += a->limb[15]>>28;

  857.     a->limb[0] += a->limb[15]>>28;

  858.     a->limb[15] &= mask;

  859. 

  860.     /* now the total is less than 2^448 - 2^(448-56) + 2^(448-56+8) < 2p */

  861. 

  862.     /* compute total_value - p.  No need to reduce mod p. */

  863. 

  864.     dsword_t scarry = 0;

  865.     int i;

  866.     for (i=0; i<16; i++) {

  867.         scarry = scarry + a->limb[i] - ((i==8)?mask-1:mask);

  868.         a->limb[i] = scarry & mask;

  869.         scarry >>= 28;

  870.     }

  871. 

  872.     /* uncommon case: it was >= p, so now scarry = 0 and this = x

  873.     * common case: it was < p, so now scarry = -1 and this = x - p + 2^448

  874.     * so let's add back in p.  will carry back off the top for 2^448.

  875.     */

  876. 

  877.     assert(is_zero(scarry) | is_zero(scarry+1));

  878. 

  879.     word_t scarry_mask = scarry & mask;

  880.     dword_t carry = 0;

  881. 

  882.     /* add it back */

  883.     for (i=0; i<16; i++) {

  884.         carry = carry + a->limb[i] + ((i==8)?(scarry_mask&~1):scarry_mask);

  885.         a->limb[i] = carry & mask;

  886.         carry >>= 28;

  887.     }

  888. 

  889.     assert(is_zero(carry + scarry));

  890. }

  891. 

  892. void gf_serialize (

  893.     uint8_t *serial,

  894.     const gf x

  895. ) {

  896.     int i,j;

  897.     gf red;

  898.     gf_copy(red, x);

  899.     gf_strong_reduce(red);

  900.     for (i=0; i<8; i++) {

  901.         uint64_t limb = red->limb[2*i] + (((uint64_t)red->limb[2*i+1])<<28);

  902.         for (j=0; j<7; j++) {

  903.             serial[7*i+j] = limb;

  904.             limb >>= 8;

  905.         }

  906.         assert(limb == 0);

  907.     }

  908. }

  909. 

  910. mask_t

  911. gf_deserialize (

  912.     gf x,

  913.     const uint8_t serial[56]

  914. ) {

  915.     int i,j;

  916.     for (i=0; i<8; i++) {

  917.         uint64_t out = 0;

  918.         for (j=0; j<7; j++) {

  919.             out |= ((uint64_t)serial[7*i+j])<<(8*j);

  920.         }

  921.         x->limb[2*i] = out & ((1ull<<28)-1);

  922.         x->limb[2*i+1] = out >> 28;

  923.     }

  924.     

  925.     /* Check for reduction.

  926.      *

  927.      * The idea is to create a variable ge which is all ones (rather, 56 ones)

  928.      * if and only if the low $i$ words of $x$ are >= those of p.

  929.      *

  930.      * Remember p = little_endian(1111,1111,1111,1111,1110,1111,1111,1111)

  931.      */

  932.     uint32_t ge = -1, mask = (1ull<<28)-1;

  933.     for (i=0; i<8; i++) {

  934.         ge &= x->limb[i];

  935.     }

  936.     

  937.     /* At this point, ge = 1111 iff bottom are all 1111.  Now propagate if 1110, or set if 1111 */

  938.     ge = (ge & (x->limb[8] + 1)) | is_zero(x->limb[8] ^ mask);

  939.     

  940.     /* Propagate the rest */

  941.     for (i=9; i<16; i++) {

  942.         ge &= x->limb[i];

  943.     }

  944.     

  945.     return ~is_zero(ge ^ mask);

  946. }