jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
236 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 719fcacc58
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '719fcacc58'
${ noResults }
ed448goldilocks/src/p521/arch_ref64/f_impl.c

402 lines
10 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "f_impl.h"

  6. 

  7. static __inline__ __uint128_t widemul(

  8.     const uint64_t a,

  9.     const uint64_t b

  10. ) {

  11.     return ((__uint128_t)a) * ((__uint128_t)b);

  12. }

  13. 

  14. static __inline__ uint64_t is_zero(uint64_t a) {

  15.     /* let's hope the compiler isn't clever enough to optimize this. */

  16.     return (((__uint128_t)a)-1)>>64;

  17. }

  18. 

  19. void

  20. p521_mul (

  21.     p521_t *__restrict__ cs,

  22.     const p521_t *as,

  23.     const p521_t *bs

  24. ) {

  25.     uint64_t *c = cs->limb;

  26.     const uint64_t *a = as->limb, *b = bs->limb;

  27.     __uint128_t accum0, accum1;

  28. 

  29.     accum0  = widemul(2*a[8], b[8]);

  30.     accum1  = widemul(a[0], b[7]);

  31.     accum0 += widemul(a[1], b[6]);

  32.     accum1 += widemul(a[2], b[5]);

  33.     accum0 += widemul(a[3], b[4]);

  34.     accum1 += widemul(a[4], b[3]);

  35.     accum0 += widemul(a[5], b[2]);

  36.     accum1 += widemul(a[6], b[1]);

  37.     accum0 += widemul(a[7], b[0]);

  38.     accum1 += accum0;

  39.     c[7] = accum1 & ((1ull<<58)-1);

  40.     accum1 >>= 58;

  41.   

  42.     accum0 = 0;

  43.     accum1 += widemul(a[0], b[8-0]);

  44.     accum0 += widemul(a[1], b[8-1]);

  45.     accum1 += widemul(a[2], b[8-2]);

  46.     accum0 += widemul(a[3], b[8-3]);

  47.     accum1 += widemul(a[4], b[8-4]);

  48.     accum0 += widemul(a[5], b[8-5]);

  49.     accum1 += widemul(a[6], b[8-6]);

  50.     accum0 += widemul(a[7], b[8-7]);

  51.     accum1 += widemul(a[8], b[8-8]);

  52.     accum1 += accum0;

  53.     c[8] = accum1 & ((1ull<<57)-1);

  54.     accum1 >>= 57;

  55. 

  56.     accum0 = 0;

  57.     accum0 += widemul(a[1], b[0+9-1]);

  58.     accum0 += widemul(a[2], b[0+9-2]);

  59.     accum0 += widemul(a[3], b[0+9-3]);

  60.     accum0 += widemul(a[4], b[0+9-4]);

  61.     accum1 += widemul(a[0], b[0-0]);

  62.     accum0 += widemul(a[5], b[0+9-5]);

  63.     accum0 += widemul(a[6], b[0+9-6]);

  64.     accum0 += widemul(a[7], b[0+9-7]);

  65.     accum0 += widemul(a[8], b[0+9-8]);

  66.     accum1 += accum0 << 1;

  67.     c[0] = accum1 & ((1ull<<58)-1);

  68.     accum1 >>= 58;

  69. 

  70.     accum0 = 0;

  71.     accum0 += widemul(a[2], b[1+9-2]);

  72.     accum0 += widemul(a[3], b[1+9-3]);

  73.     accum1 += widemul(a[0], b[1-0]);

  74.     accum0 += widemul(a[4], b[1+9-4]);

  75.     accum0 += widemul(a[5], b[1+9-5]);

  76.     accum1 += widemul(a[1], b[1-1]);

  77.     accum0 += widemul(a[6], b[1+9-6]);

  78.     accum0 += widemul(a[7], b[1+9-7]);

  79.     accum0 += widemul(a[8], b[1+9-8]);

  80.     accum1 += accum0 << 1;

  81.     c[1] = accum1 & ((1ull<<58)-1);

  82.     accum1 >>= 58;

  83. 

  84.     accum0 = 0;

  85.     accum0 += widemul(a[3], b[2+9-3]);

  86.     accum1 += widemul(a[0], b[2-0]);

  87.     accum0 += widemul(a[4], b[2+9-4]);

  88.     accum0 += widemul(a[5], b[2+9-5]);

  89.     accum1 += widemul(a[1], b[2-1]);

  90.     accum0 += widemul(a[6], b[2+9-6]);

  91.     accum0 += widemul(a[7], b[2+9-7]);

  92.     accum1 += widemul(a[2], b[2-2]);

  93.     accum0 += widemul(a[8], b[2+9-8]);

  94.     accum1 += accum0 << 1;

  95.     c[2] = accum1 & ((1ull<<58)-1);

  96.     accum1 >>= 58;

  97. 

  98.     accum0 = 0;

  99.     accum0 += widemul(a[4], b[3+9-4]);

  100.     accum1 += widemul(a[0], b[3-0]);

  101.     accum0 += widemul(a[5], b[3+9-5]);

  102.     accum1 += widemul(a[1], b[3-1]);

  103.     accum0 += widemul(a[6], b[3+9-6]);

  104.     accum1 += widemul(a[2], b[3-2]);

  105.     accum0 += widemul(a[7], b[3+9-7]);

  106.     accum1 += widemul(a[3], b[3-3]);

  107.     accum0 += widemul(a[8], b[3+9-8]);

  108.     accum1 += accum0 << 1;

  109.     c[3] = accum1 & ((1ull<<58)-1);

  110.     accum1 >>= 58;

  111. 

  112.     accum0 = 0;

  113.     accum1 += widemul(a[0], b[4-0]);

  114.     accum0 += widemul(a[5], b[4+9-5]);

  115.     accum1 += widemul(a[1], b[4-1]);

  116.     accum0 += widemul(a[6], b[4+9-6]);

  117.     accum1 += widemul(a[2], b[4-2]);

  118.     accum0 += widemul(a[7], b[4+9-7]);

  119.     accum1 += widemul(a[3], b[4-3]);

  120.     accum0 += widemul(a[8], b[4+9-8]);

  121.     accum1 += widemul(a[4], b[4-4]);

  122.     accum1 += accum0 << 1;

  123.     c[4] = accum1 & ((1ull<<58)-1);

  124.     accum1 >>= 58;

  125. 

  126.     accum0 = 0;

  127.     accum1 += widemul(a[0], b[5-0]);

  128.     accum0 += widemul(a[6], b[5+9-6]);

  129.     accum1 += widemul(a[1], b[5-1]);

  130.     accum1 += widemul(a[2], b[5-2]);

  131.     accum0 += widemul(a[7], b[5+9-7]);

  132.     accum1 += widemul(a[3], b[5-3]);

  133.     accum1 += widemul(a[4], b[5-4]);

  134.     accum0 += widemul(a[8], b[5+9-8]);

  135.     accum1 += widemul(a[5], b[5-5]);

  136.     accum1 += accum0 << 1;

  137.     c[5] = accum1 & ((1ull<<58)-1);

  138.     accum1 >>= 58;

  139. 

  140.     accum0 = 0;

  141.     accum1 += widemul(a[0], b[6-0]);

  142.     accum1 += widemul(a[1], b[6-1]);

  143.     accum0 += widemul(a[7], b[6+9-7]);

  144.     accum1 += widemul(a[2], b[6-2]);

  145.     accum1 += widemul(a[3], b[6-3]);

  146.     accum1 += widemul(a[4], b[6-4]);

  147.     accum0 += widemul(a[8], b[6+9-8]);

  148.     accum1 += widemul(a[5], b[6-5]);

  149.     accum1 += widemul(a[6], b[6-6]);

  150.     accum1 += accum0 << 1;

  151.     c[6] = accum1 & ((1ull<<58)-1);

  152.     accum1 >>= 58;

  153.   

  154.     accum1 += c[7];

  155.     c[7] = accum1 & ((1ull<<58)-1);

  156.   

  157.     c[8] += accum1 >> 58;

  158. }

  159. 

  160. void

  161. p521_mulw (

  162.     p521_t *__restrict__ cs,

  163.     const p521_t *as,

  164.     uint64_t b

  165. ) {

  166.     const uint64_t *a = as->limb;

  167.     uint64_t *c = cs->limb;

  168. 

  169.     __uint128_t accum0 = 0, accum3 = 0, accum6 = 0;

  170.     uint64_t mask = (1ull<<58) - 1;  

  171. 

  172.     int i;

  173.     for (i=0; i<3; i++) {

  174.         accum0 += widemul(b, a[i]);

  175.         accum3 += widemul(b, a[i+3]);

  176.         accum6 += widemul(b, a[i+6]);

  177.         c[i]   = accum0 & mask; accum0 >>= 58;

  178.         c[i+3] = accum3 & mask; accum3 >>= 58;

  179.         if (i==2) { 

  180.             c[i+6] = accum6 & (mask>>1); accum6 >>= 57;

  181.         } else {

  182.             c[i+6] = accum6 & mask; accum6 >>= 58;

  183.         }

  184.     }

  185.     

  186.     accum0 += c[3];

  187.     c[3] = accum0 & mask;

  188.     c[4] += accum0 >> 58;

  189. 

  190.     accum3 += c[6];

  191.     c[6] = accum3 & mask;

  192.     c[7] += accum3 >> 58;

  193. 

  194.     accum6 += c[0];

  195.     c[0] = accum6 & mask;

  196.     c[1] += accum6 >> 58;

  197. }

  198. 

  199. void

  200. p521_sqr (

  201.     p521_t *__restrict__ cs,

  202.     const p521_t *as

  203. ) {

  204.     uint64_t *c = cs->limb;

  205.     const uint64_t *a = as->limb;

  206.     __uint128_t accum0, accum1;

  207. 

  208.     accum0  = widemul(a[8], a[8]);

  209.     accum1  = widemul(a[0], a[7]);

  210.     accum0 += widemul(a[1], a[6]);

  211.     accum1 += widemul(a[2], a[5]);

  212.     accum0 += widemul(a[3], a[4]);

  213.     accum1 += accum0;

  214.     c[7] = 2 * (accum1 & ((1ull<<57)-1));

  215.     accum1 >>= 57;

  216.   

  217.     accum0 = 0;

  218.     accum0 = 0;

  219.     accum1 += widemul(a[4], a[4]);

  220.     accum0 += widemul(a[1], a[7]);

  221.     accum1 += widemul(2*a[2], a[6]);

  222.     accum0 += widemul(a[3], a[5]);

  223.     accum1 += widemul(2*a[0], a[8]);

  224.     accum1 += 2*accum0;

  225.     c[8] = accum1 & ((1ull<<57)-1);

  226.     accum1 >>= 57;

  227. 

  228.     accum0 = 0;

  229.     accum1 += widemul(a[0], a[0]);

  230.     accum0 += widemul(a[1], a[8]);

  231.     accum0 += widemul(a[2], a[7]);

  232.     accum0 += widemul(a[3], a[6]);

  233.     accum0 += widemul(a[4], a[5]);

  234.     accum1 += accum0 << 2;

  235.     c[0] = accum1 & ((1ull<<58)-1);

  236.     accum1 >>= 58;

  237. 

  238.     accum0 = 0;

  239.     accum0 += widemul(a[2], a[8]);

  240.     accum0 += widemul(a[3], a[7]);

  241.     accum0 += widemul(a[4], a[6]);

  242.     accum0 <<= 1;

  243.     accum0 += widemul(a[5], a[5]);

  244.     accum0 += widemul(a[0], a[1]);

  245.     accum1 += accum0 << 1;

  246.     c[1] = accum1 & ((1ull<<58)-1);

  247.     accum1 >>= 58;

  248. 

  249.     accum0 = 0;

  250.     accum1 += widemul(a[1], a[1]);

  251. 

  252.     accum0 += widemul(a[3], a[8]);

  253.     accum0 += widemul(a[4], a[7]);

  254.     accum0 += widemul(a[5], a[6]);

  255.     accum0 <<= 1;

  256.     accum0 += widemul(a[0], a[2]);

  257.     accum1 += accum0 << 1;

  258.     c[2] = accum1 & ((1ull<<58)-1);

  259.     accum1 >>= 58;

  260. 

  261.     accum0 = 0;

  262.     accum0 += widemul(a[6], a[6]);

  263.     accum0 += widemul(2*a[5], a[7]);

  264.     accum0 += widemul(2*a[4], a[8]);

  265.     accum0 += widemul(a[0], a[3]);

  266.     accum0 += widemul(a[1], a[2]);

  267.     accum1 += accum0 << 1;

  268.     c[3] = accum1 & ((1ull<<58)-1);

  269.     accum1 >>= 58;

  270. 

  271.     accum0 = 0;

  272.     accum0 += widemul(a[6], a[7]);

  273.     accum0 += widemul(a[5], a[8]);

  274.     accum0 <<= 1;

  275.     accum1 += widemul(a[2], a[2]);

  276.     accum0 += widemul(a[0], a[4]);

  277.     accum0 += widemul(a[1], a[3]);

  278.     accum1 += accum0 << 1;

  279.     c[4] = accum1 & ((1ull<<58)-1);

  280.     accum1 >>= 58;

  281. 

  282.     accum0 = 0;

  283.     accum0 += widemul(2*a[6], a[8]);

  284.     accum0 += widemul(a[7], a[7]);

  285.     accum0 += widemul(a[0], a[5]);

  286.     accum0 += widemul(a[1], a[4]);

  287.     accum0 += widemul(a[2], a[3]);

  288.     accum1 += accum0 << 1;

  289.     c[5] = accum1 & ((1ull<<58)-1);

  290.     accum1 >>= 58;

  291. 

  292.     accum0 = 0;

  293.     accum1 += widemul(a[3], a[3]);

  294.     accum0 += widemul(a[0], a[6]);

  295.     accum0 += widemul(a[1], a[5]);

  296.     accum0 += widemul(2*a[7], a[8]);

  297.     accum0 += widemul(a[2], a[4]);

  298.     accum1 += accum0 << 1;

  299.     c[6] = accum1 & ((1ull<<58)-1);

  300.     accum1 >>= 58;

  301.   

  302.     accum1 += c[7];

  303.     c[7] = accum1 & ((1ull<<58)-1);

  304.   

  305.     c[8] += accum1 >> 58;

  306. }

  307. 

  308. void

  309. p521_strong_reduce (

  310.     p521_t *a

  311. ) {

  312.     uint64_t mask = (1ull<<58)-1, mask2 = (1ull<<57)-1;

  313. 

  314.     /* first, clear high */

  315.     __int128_t scarry = a->limb[8]>>57;

  316.     a->limb[8] &= mask2;

  317. 

  318.     /* now the total is less than 2p */

  319. 

  320.     /* compute total_value - p.  No need to reduce mod p. */

  321. 

  322.     int i;

  323.     for (i=0; i<9; i++) {

  324.         scarry = scarry + a->limb[i] - ((i==8) ? mask2 : mask);

  325.         a->limb[i] = scarry & ((i==8) ? mask2 : mask);

  326.         scarry >>= (i==8) ? 57 : 58;

  327.     }

  328. 

  329.     /* uncommon case: it was >= p, so now scarry = 0 and this = x

  330.     * common case: it was < p, so now scarry = -1 and this = x - p + 2^521

  331.     * so let's add back in p.  will carry back off the top for 2^521.

  332.     */

  333. 

  334.     assert(is_zero(scarry) | is_zero(scarry+1));

  335. 

  336.     uint64_t scarry_mask = scarry & mask;

  337.     __uint128_t carry = 0;

  338. 

  339.     /* add it back */

  340.     for (i=0; i<9; i++) {

  341.         carry = carry + a->limb[i] + ((i==8)?(scarry_mask>>1):scarry_mask);

  342.         a->limb[i] = carry & ((i==8) ? mask>>1 : mask);

  343.         carry >>= (i==8) ? 57 : 58;

  344.     }

  345. 

  346.     assert(is_zero(carry + scarry));

  347. }

  348. 

  349. void

  350. p521_serialize (

  351.     uint8_t *serial,

  352.     const struct p521_t *x

  353. ) {

  354.     int i,k=0;

  355.     p521_t red;

  356.     p521_copy(&red, x);

  357.     p521_strong_reduce(&red);

  358.     

  359.     uint64_t r=0;

  360.     int bits = 0;

  361.     for (i=0; i<9; i++) {

  362.         r |= red.limb[i] << bits;

  363.         for (bits += 58; bits >= 8; bits -= 8) {

  364.             serial[k++] = r;

  365.             r >>= 8;

  366.         }

  367.         assert(bits <= 6);

  368.     }

  369.     assert(bits);

  370.     serial[k++] = r;

  371. }

  372. 

  373. mask_t

  374. p521_deserialize (

  375.     p521_t *x,

  376.     const uint8_t serial[66]

  377. ) {

  378.     int i,k=0,bits=0;

  379.     __uint128_t out = 0;

  380.     uint64_t mask = (1ull<<58)-1;

  381.     for (i=0; i<9; i++) {

  382.         out >>= 58;

  383.         for (; bits<58; bits+=8) {

  384.             out |= ((__uint128_t)serial[k++])<<bits;

  385.         }

  386.         x->limb[i] = out & mask;

  387.         bits -= 58;

  388.     }

  389.     

  390.     /* Check for reduction.  First, high has to be < 2^57 */

  391.     mask_t good = is_zero(out>>57);

  392.     

  393.     uint64_t and = -1ull;

  394.     for (i=0; i<8; i++) {

  395.         and &= x->limb[i];

  396.     }

  397.     and &= (2*out+1);

  398.     good &= is_zero((and+1)>>58);

  399.     

  400.     return good;

  401. }