jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
106 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: ccfeb083a7
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ccfeb083a7'
${ noResults }
ed448goldilocks/src/barrett_field.c

350 lines
8.8 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "barrett_field.h"

  6. #include <string.h>

  7. #include <assert.h>

  8. 

  9. word_t

  10. add_nr_ext_packed(

  11.     word_t *out,

  12.     const word_t *a,

  13.     uint32_t nwords_a,

  14.     const word_t *c,

  15.     uint32_t nwords_c,

  16.     word_t mask

  17. ) {

  18.     uint32_t i;

  19.     dword_t carry = 0;

  20.     for (i=0; i<nwords_c; i++) {

  21.         out[i] = carry = carry + a[i] + (c[i]&mask);

  22.         carry >>= WORD_BITS;

  23.     }

  24.     for (; i<nwords_a; i++) {

  25.         out[i] = carry = carry + a[i];

  26.         carry >>= WORD_BITS;

  27.     }

  28.     return carry;

  29. }

  30. 

  31. static __inline__ word_t

  32. add_nr_packed(

  33.     word_t *a,

  34.     const word_t *c,

  35.     uint32_t nwords

  36. ) {

  37.     uint32_t i;

  38.     dword_t carry = 0;

  39.     for (i=0; i<nwords; i++) {

  40.         a[i] = carry = carry + a[i] + c[i];

  41.         carry >>= WORD_BITS;

  42.     }

  43.     return carry;

  44. }

  45. 

  46. word_t

  47. sub_nr_ext_packed(

  48.     word_t *out,

  49.     const word_t *a,

  50.     uint32_t nwords_a,

  51.     const word_t *c,

  52.     uint32_t nwords_c,

  53.     word_t mask

  54. ) {

  55.     uint32_t i;

  56.     dsword_t carry = 0;

  57.     for (i=0; i<nwords_c; i++) {

  58.         out[i] = carry = carry + a[i] - (c[i]&mask);

  59.         carry >>= WORD_BITS;

  60.     }

  61.     for (; i<nwords_a; i++) {

  62.         out[i] = carry = carry + a[i];

  63.         carry >>= WORD_BITS;

  64.     }

  65.     return carry;

  66. }

  67. 

  68. static word_t

  69. widemac(

  70.     word_t *accum,

  71.     uint32_t nwords_accum,

  72.     const word_t *mier,

  73.     uint32_t nwords_mier,

  74.     word_t mand,

  75.     word_t carry

  76. ) {

  77.     uint32_t i;

  78.     assert(nwords_mier <= nwords_accum);

  79.     

  80.     for (i=0; i<nwords_mier; i++) {

  81. #ifdef __clang_analyzer__

  82.         /* always true, but this satisfies scan-build (bug in scan-build?) */

  83.         assert(i<nwords_accum);

  84. #endif

  85.         /* UMAAL chain for the wordy part of p */

  86.         dword_t product = ((dword_t)mand) * mier[i];

  87.         product += accum[i];

  88.         product += carry;

  89.         accum[i] = product;

  90.         carry = product >> WORD_BITS;

  91.     }

  92.     

  93.     for (; i<nwords_accum; i++) {

  94.         dword_t sum = ((dword_t)carry) + accum[i];

  95.         accum[i] = sum;

  96.         carry = sum >> WORD_BITS;

  97.     }

  98.     

  99.     return carry;

  100. }

  101. 

  102. void

  103. barrett_negate (

  104.     word_t *a,

  105.     uint32_t nwords_a,

  106.     const struct barrett_prime_t *prime

  107. ) {

  108.     uint32_t i;

  109.     dsword_t carry = 0;

  110.     

  111.     barrett_reduce(a,nwords_a,0,prime);

  112.     

  113.     /* Have p = 2^big - p_lo.  Want p - a = 2^big - p_lo - a */

  114.     

  115.     for (i=0; i<prime->nwords_lo; i++) {

  116.         a[i] = carry = carry - prime->p_lo[i] - a[i];

  117.         carry >>= WORD_BITS;

  118.     }

  119.     for (; i<prime->nwords_p; i++) {

  120.         a[i] = carry = carry - a[i];

  121.         if (i<prime->nwords_p-1) {

  122.             carry >>= WORD_BITS;

  123.         }

  124.     }

  125.     

  126.     a[prime->nwords_p-1] = carry = carry + (((word_t)1) << prime->p_shift);

  127.     

  128.     for (; i<nwords_a; i++) {

  129.         assert(!a[i]);

  130.     }

  131.     

  132.     assert(!(carry>>WORD_BITS));

  133. }

  134. 

  135. void

  136. barrett_reduce(

  137.     word_t *a,

  138.     uint32_t nwords_a,

  139.     word_t a_carry,

  140.     const struct barrett_prime_t *prime

  141. ) {

  142.     uint32_t repeat, nwords_left_in_a=nwords_a;

  143.     

  144.     /* Is there a point to this a_carry business? */

  145.     assert(a_carry < ((word_t)1) << prime->p_shift);

  146.     assert(nwords_a >= prime->nwords_p);

  147.     assert(prime->nwords_p > 0); /* scan-build: prevent underflow */

  148.     

  149.     for (; nwords_left_in_a >= prime->nwords_p; nwords_left_in_a--) {

  150.         for (repeat=0; repeat<2; repeat++) {

  151.             /* PERF: surely a more careful implementation could

  152.              * avoid this double round

  153.              */

  154.             word_t mand = a[nwords_left_in_a-1] >> prime->p_shift;

  155.             a[nwords_left_in_a-1] &= (((word_t)1)<<prime->p_shift)-1;

  156.             if (prime->p_shift && !repeat) {

  157.                 /* collect high bits when there are any */

  158.                 if (nwords_left_in_a < nwords_a) {

  159.                     mand |= a[nwords_left_in_a] << (WORD_BITS-prime->p_shift);

  160.                     a[nwords_left_in_a] = 0;

  161.                 } else {

  162.                     mand |= a_carry << (WORD_BITS-prime->p_shift);

  163.                 }

  164.             }

  165.             

  166.             word_t carry = widemac(

  167.                 a+nwords_left_in_a-prime->nwords_p,

  168.                 prime->nwords_p,

  169.                 prime->p_lo,

  170.                 prime->nwords_lo,

  171.                 mand,

  172.                 0

  173.             );

  174.             assert(!carry);

  175.             (void)carry;

  176.         }

  177.     }

  178.     

  179.     assert(nwords_left_in_a == prime->nwords_p-1);

  180.     

  181.     /* OK, but it still isn't reduced.  Add and subtract p_lo. */

  182.     word_t cout = add_nr_ext_packed(a,a,prime->nwords_p,prime->p_lo,prime->nwords_lo,-1);

  183.     if (prime->p_shift) {

  184.         cout = (cout<<(WORD_BITS-prime->p_shift)) + (a[prime->nwords_p-1]>>prime->p_shift);

  185.         a[prime->nwords_p-1] &= (((word_t)1)<<prime->p_shift)-1;

  186.     }

  187.     

  188.     /* mask = carry-1: if no carry then do sub, otherwise don't */

  189.     sub_nr_ext_packed(a,a,prime->nwords_p,prime->p_lo,prime->nwords_lo,cout-1);

  190. }

  191. 

  192. /* PERF: This function is horribly slow.  Enough to break 1%. */

  193. void

  194. barrett_mul_or_mac(

  195.     word_t *accum,

  196.     uint32_t nwords_accum,

  197.     

  198.     const word_t *a,

  199.     uint32_t nwords_a,

  200.     

  201.     const word_t *b,

  202.     uint32_t nwords_b,

  203.     

  204.     const struct barrett_prime_t *prime,

  205.     

  206.     mask_t doMac

  207. ) {

  208.     assert(nwords_accum >= prime->nwords_p);

  209.     

  210.     /* nwords_tmp = max(nwords_a + 1, nwords_p + 1, nwords_accum if doMac); */

  211.     uint32_t nwords_tmp = (nwords_a > prime->nwords_p) ? nwords_a : prime->nwords_p;

  212.     nwords_tmp++;

  213.     assert(nwords_tmp > 0); /* scan-build: prevent underflow. */

  214.     if (nwords_tmp < nwords_accum && doMac)

  215.         nwords_tmp = nwords_accum;

  216.     

  217.     word_t tmp[nwords_tmp];

  218.     int bpos, idown;

  219.     uint32_t i;

  220.     

  221.     for (i=0; i<nwords_tmp; i++) {

  222.         tmp[i] = 0;

  223.     }

  224.     

  225.     for (bpos=nwords_b-1; bpos >= 0; bpos--) {

  226.         /* Invariant at the beginning of the loop: the high word is unused. */

  227.         assert(tmp[nwords_tmp-1] == 0);

  228.         

  229.         /* shift up */

  230.         for (idown=nwords_tmp-2; idown>=0; idown--) {

  231.             tmp[idown+1] = tmp[idown];

  232.         }

  233.         tmp[0] = 0;

  234. 

  235.         /* mac and reduce */

  236.         word_t carry = widemac(tmp, nwords_tmp, a, nwords_a, b[bpos], 0);

  237.         

  238.         /* the mac can't carry, because nwords_tmp >= nwords_a+1 and its high word is clear */

  239.         assert(!carry);

  240.         barrett_reduce(tmp, nwords_tmp, carry, prime);

  241.         

  242.         /* at this point, the number of words used is nwords_p <= nwords_tmp-1,

  243.          * so the high word is again clear */

  244.     }

  245.     

  246.     if (doMac) {

  247.         word_t cout = add_nr_packed(tmp, accum, nwords_accum);

  248.         barrett_reduce(tmp, nwords_tmp, cout, prime);

  249.     }

  250.     

  251.     for (i=0; i<nwords_tmp && i<nwords_accum; i++) {

  252.         accum[i] = tmp[i];

  253.     }

  254.     for (; i<nwords_tmp; i++) {

  255.         assert(tmp[i] == 0);

  256.     }

  257.     for (; i<nwords_accum; i++) {

  258.         accum[i] = 0;

  259.     }

  260. }

  261. mask_t

  262. barrett_deserialize (

  263.     word_t *x,

  264.     const uint8_t *serial,

  265.     const struct barrett_prime_t *prime

  266. ) {

  267.     unsigned int i,j,nserial = prime->nwords_p * sizeof(word_t);

  268.     if (prime->p_shift) {

  269.         nserial -= (WORD_BITS - prime->p_shift) / 8;

  270.     }

  271. 

  272.     

  273.     /* Track x < p, p = 2^k - p_lo <==> x + p_lo < 2^k */

  274.     dword_t carry = 0;

  275.     

  276.     for (i=0; i*sizeof(word_t)<nserial; i++) {

  277.         carry >>= WORD_BITS;

  278.         

  279.         word_t the = 0;

  280.         for (j=0; j<sizeof(word_t) && sizeof(word_t)*i+j < nserial; j++) {

  281.             the |= ((word_t)serial[sizeof(word_t)*i+j]) << (8*j);

  282.         }

  283.         x[i] = the;

  284.         

  285.         carry += the;

  286.         if (i < prime->nwords_lo) carry += prime->p_lo[i];

  287.     }

  288.     

  289.     /* check for reduction */

  290.     if (prime->p_shift) {

  291.         carry >>= prime->p_shift;

  292.     } else {

  293.         carry >>= WORD_BITS;

  294.     }

  295.     

  296.     /* at this point, carry > 0 indicates failure */

  297.     dsword_t scarry = carry;

  298.     scarry = -scarry;

  299.     scarry >>= WORD_BITS;

  300.     scarry >>= WORD_BITS;

  301.     

  302.     return (mask_t) ~scarry;

  303. }

  304.     

  305. void

  306. barrett_deserialize_and_reduce (

  307.     word_t *x,

  308.     const uint8_t *serial,

  309.     uint32_t nserial,

  310.     const struct barrett_prime_t *prime

  311. ) {

  312.     unsigned int size = (nserial + sizeof(word_t) - 1)/sizeof(word_t);

  313.     if (size < prime->nwords_p) {

  314.         size = prime->nwords_p;

  315.     }

  316.     word_t tmp[size];

  317.     memset(tmp,0,sizeof(tmp));

  318.     

  319.     unsigned int i,j;

  320.     for (i=0; i*sizeof(word_t)<nserial; i++) {

  321.         word_t the = 0;

  322.         for (j=0; j<sizeof(word_t) && sizeof(word_t)*i+j < nserial; j++) {

  323.             the |= ((word_t)serial[sizeof(word_t)*i+j]) << (8*j);

  324.         }

  325.         tmp[i] = the;

  326.     }

  327.     

  328.     barrett_reduce(tmp,size,0,prime);

  329.     for (i=0; i<prime->nwords_p; i++) {

  330.         x[i] = tmp[i];

  331.     }

  332.     for (; i<size; i++) {

  333.         assert(!tmp[i]);

  334.     }

  335. }

  336. 

  337. void

  338. barrett_serialize (

  339.     uint8_t *serial,

  340.     const word_t *x,

  341.     uint32_t nserial

  342. ) {

  343.     unsigned int i,j;

  344.     for (i=0; i*sizeof(word_t)<nserial; i++) {

  345.         for (j=0; j<sizeof(word_t); j++) {

  346.             serial[sizeof(word_t)*i+j] = x[i]>>(8*j);

  347.         }

  348.     }

  349. }