jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
463 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: cdb0ce047d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'cdb0ce047d'
${ noResults }
ed448goldilocks/aux/attic/p521/arch_ref64/f_impl.c

285 lines
7.8 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "f_field.h"

  6. 

  7. void gf_mul (gf_s *__restrict__ cs, const gf as, const gf bs) {

  8.     uint64_t *c = cs->limb;

  9.     const uint64_t *a = as->limb, *b = bs->limb;

  10.     __uint128_t accum0, accum1;

  11. 

  12.     accum0  = widemul(2*a[8], b[8]);

  13.     accum1  = widemul(a[0], b[7]);

  14.     accum0 += widemul(a[1], b[6]);

  15.     accum1 += widemul(a[2], b[5]);

  16.     accum0 += widemul(a[3], b[4]);

  17.     accum1 += widemul(a[4], b[3]);

  18.     accum0 += widemul(a[5], b[2]);

  19.     accum1 += widemul(a[6], b[1]);

  20.     accum0 += widemul(a[7], b[0]);

  21.     accum1 += accum0;

  22.     c[7] = accum1 & ((1ull<<58)-1);

  23.     accum1 >>= 58;

  24.   

  25.     accum0 = 0;

  26.     accum1 += widemul(a[0], b[8-0]);

  27.     accum0 += widemul(a[1], b[8-1]);

  28.     accum1 += widemul(a[2], b[8-2]);

  29.     accum0 += widemul(a[3], b[8-3]);

  30.     accum1 += widemul(a[4], b[8-4]);

  31.     accum0 += widemul(a[5], b[8-5]);

  32.     accum1 += widemul(a[6], b[8-6]);

  33.     accum0 += widemul(a[7], b[8-7]);

  34.     accum1 += widemul(a[8], b[8-8]);

  35.     accum1 += accum0;

  36.     c[8] = accum1 & ((1ull<<57)-1);

  37.     accum1 >>= 57;

  38. 

  39.     accum0 = 0;

  40.     accum0 += widemul(a[1], b[0+9-1]);

  41.     accum0 += widemul(a[2], b[0+9-2]);

  42.     accum0 += widemul(a[3], b[0+9-3]);

  43.     accum0 += widemul(a[4], b[0+9-4]);

  44.     accum1 += widemul(a[0], b[0-0]);

  45.     accum0 += widemul(a[5], b[0+9-5]);

  46.     accum0 += widemul(a[6], b[0+9-6]);

  47.     accum0 += widemul(a[7], b[0+9-7]);

  48.     accum0 += widemul(a[8], b[0+9-8]);

  49.     accum1 += accum0 << 1;

  50.     c[0] = accum1 & ((1ull<<58)-1);

  51.     accum1 >>= 58;

  52. 

  53.     accum0 = 0;

  54.     accum0 += widemul(a[2], b[1+9-2]);

  55.     accum0 += widemul(a[3], b[1+9-3]);

  56.     accum1 += widemul(a[0], b[1-0]);

  57.     accum0 += widemul(a[4], b[1+9-4]);

  58.     accum0 += widemul(a[5], b[1+9-5]);

  59.     accum1 += widemul(a[1], b[1-1]);

  60.     accum0 += widemul(a[6], b[1+9-6]);

  61.     accum0 += widemul(a[7], b[1+9-7]);

  62.     accum0 += widemul(a[8], b[1+9-8]);

  63.     accum1 += accum0 << 1;

  64.     c[1] = accum1 & ((1ull<<58)-1);

  65.     accum1 >>= 58;

  66. 

  67.     accum0 = 0;

  68.     accum0 += widemul(a[3], b[2+9-3]);

  69.     accum1 += widemul(a[0], b[2-0]);

  70.     accum0 += widemul(a[4], b[2+9-4]);

  71.     accum0 += widemul(a[5], b[2+9-5]);

  72.     accum1 += widemul(a[1], b[2-1]);

  73.     accum0 += widemul(a[6], b[2+9-6]);

  74.     accum0 += widemul(a[7], b[2+9-7]);

  75.     accum1 += widemul(a[2], b[2-2]);

  76.     accum0 += widemul(a[8], b[2+9-8]);

  77.     accum1 += accum0 << 1;

  78.     c[2] = accum1 & ((1ull<<58)-1);

  79.     accum1 >>= 58;

  80. 

  81.     accum0 = 0;

  82.     accum0 += widemul(a[4], b[3+9-4]);

  83.     accum1 += widemul(a[0], b[3-0]);

  84.     accum0 += widemul(a[5], b[3+9-5]);

  85.     accum1 += widemul(a[1], b[3-1]);

  86.     accum0 += widemul(a[6], b[3+9-6]);

  87.     accum1 += widemul(a[2], b[3-2]);

  88.     accum0 += widemul(a[7], b[3+9-7]);

  89.     accum1 += widemul(a[3], b[3-3]);

  90.     accum0 += widemul(a[8], b[3+9-8]);

  91.     accum1 += accum0 << 1;

  92.     c[3] = accum1 & ((1ull<<58)-1);

  93.     accum1 >>= 58;

  94. 

  95.     accum0 = 0;

  96.     accum1 += widemul(a[0], b[4-0]);

  97.     accum0 += widemul(a[5], b[4+9-5]);

  98.     accum1 += widemul(a[1], b[4-1]);

  99.     accum0 += widemul(a[6], b[4+9-6]);

  100.     accum1 += widemul(a[2], b[4-2]);

  101.     accum0 += widemul(a[7], b[4+9-7]);

  102.     accum1 += widemul(a[3], b[4-3]);

  103.     accum0 += widemul(a[8], b[4+9-8]);

  104.     accum1 += widemul(a[4], b[4-4]);

  105.     accum1 += accum0 << 1;

  106.     c[4] = accum1 & ((1ull<<58)-1);

  107.     accum1 >>= 58;

  108. 

  109.     accum0 = 0;

  110.     accum1 += widemul(a[0], b[5-0]);

  111.     accum0 += widemul(a[6], b[5+9-6]);

  112.     accum1 += widemul(a[1], b[5-1]);

  113.     accum1 += widemul(a[2], b[5-2]);

  114.     accum0 += widemul(a[7], b[5+9-7]);

  115.     accum1 += widemul(a[3], b[5-3]);

  116.     accum1 += widemul(a[4], b[5-4]);

  117.     accum0 += widemul(a[8], b[5+9-8]);

  118.     accum1 += widemul(a[5], b[5-5]);

  119.     accum1 += accum0 << 1;

  120.     c[5] = accum1 & ((1ull<<58)-1);

  121.     accum1 >>= 58;

  122. 

  123.     accum0 = 0;

  124.     accum1 += widemul(a[0], b[6-0]);

  125.     accum1 += widemul(a[1], b[6-1]);

  126.     accum0 += widemul(a[7], b[6+9-7]);

  127.     accum1 += widemul(a[2], b[6-2]);

  128.     accum1 += widemul(a[3], b[6-3]);

  129.     accum1 += widemul(a[4], b[6-4]);

  130.     accum0 += widemul(a[8], b[6+9-8]);

  131.     accum1 += widemul(a[5], b[6-5]);

  132.     accum1 += widemul(a[6], b[6-6]);

  133.     accum1 += accum0 << 1;

  134.     c[6] = accum1 & ((1ull<<58)-1);

  135.     accum1 >>= 58;

  136.   

  137.     accum1 += c[7];

  138.     c[7] = accum1 & ((1ull<<58)-1);

  139.   

  140.     c[8] += accum1 >> 58;

  141. }

  142. 

  143. void gf_mulw (

  144.     gf_s *__restrict__ cs,

  145.     const gf as,

  146.     uint64_t b

  147. ) {

  148.     const uint64_t *a = as->limb;

  149.     uint64_t *c = cs->limb;

  150. 

  151.     __uint128_t accum0 = 0, accum3 = 0, accum6 = 0;

  152.     uint64_t mask = (1ull<<58) - 1;  

  153. 

  154.     int i;

  155.     for (i=0; i<3; i++) {

  156.         accum0 += widemul(b, a[i]);

  157.         accum3 += widemul(b, a[i+3]);

  158.         accum6 += widemul(b, a[i+6]);

  159.         c[i]   = accum0 & mask; accum0 >>= 58;

  160.         c[i+3] = accum3 & mask; accum3 >>= 58;

  161.         if (i==2) { 

  162.             c[i+6] = accum6 & (mask>>1); accum6 >>= 57;

  163.         } else {

  164.             c[i+6] = accum6 & mask; accum6 >>= 58;

  165.         }

  166.     }

  167.     

  168.     accum0 += c[3];

  169.     c[3] = accum0 & mask;

  170.     c[4] += accum0 >> 58;

  171. 

  172.     accum3 += c[6];

  173.     c[6] = accum3 & mask;

  174.     c[7] += accum3 >> 58;

  175. 

  176.     accum6 += c[0];

  177.     c[0] = accum6 & mask;

  178.     c[1] += accum6 >> 58;

  179. }

  180. 

  181. void gf_sqr (gf_s *__restrict__ cs, const gf as) {

  182.     uint64_t *c = cs->limb;

  183.     const uint64_t *a = as->limb;

  184.     __uint128_t accum0, accum1;

  185. 

  186.     accum0  = widemul(a[8], a[8]);

  187.     accum1  = widemul(a[0], a[7]);

  188.     accum0 += widemul(a[1], a[6]);

  189.     accum1 += widemul(a[2], a[5]);

  190.     accum0 += widemul(a[3], a[4]);

  191.     accum1 += accum0;

  192.     c[7] = 2 * (accum1 & ((1ull<<57)-1));

  193.     accum1 >>= 57;

  194.   

  195.     accum0 = 0;

  196.     accum0 = 0;

  197.     accum1 += widemul(a[4], a[4]);

  198.     accum0 += widemul(a[1], a[7]);

  199.     accum1 += widemul(2*a[2], a[6]);

  200.     accum0 += widemul(a[3], a[5]);

  201.     accum1 += widemul(2*a[0], a[8]);

  202.     accum1 += 2*accum0;

  203.     c[8] = accum1 & ((1ull<<57)-1);

  204.     accum1 >>= 57;

  205. 

  206.     accum0 = 0;

  207.     accum1 += widemul(a[0], a[0]);

  208.     accum0 += widemul(a[1], a[8]);

  209.     accum0 += widemul(a[2], a[7]);

  210.     accum0 += widemul(a[3], a[6]);

  211.     accum0 += widemul(a[4], a[5]);

  212.     accum1 += accum0 << 2;

  213.     c[0] = accum1 & ((1ull<<58)-1);

  214.     accum1 >>= 58;

  215. 

  216.     accum0 = 0;

  217.     accum0 += widemul(a[2], a[8]);

  218.     accum0 += widemul(a[3], a[7]);

  219.     accum0 += widemul(a[4], a[6]);

  220.     accum0 <<= 1;

  221.     accum0 += widemul(a[5], a[5]);

  222.     accum0 += widemul(a[0], a[1]);

  223.     accum1 += accum0 << 1;

  224.     c[1] = accum1 & ((1ull<<58)-1);

  225.     accum1 >>= 58;

  226. 

  227.     accum0 = 0;

  228.     accum1 += widemul(a[1], a[1]);

  229. 

  230.     accum0 += widemul(a[3], a[8]);

  231.     accum0 += widemul(a[4], a[7]);

  232.     accum0 += widemul(a[5], a[6]);

  233.     accum0 <<= 1;

  234.     accum0 += widemul(a[0], a[2]);

  235.     accum1 += accum0 << 1;

  236.     c[2] = accum1 & ((1ull<<58)-1);

  237.     accum1 >>= 58;

  238. 

  239.     accum0 = 0;

  240.     accum0 += widemul(a[6], a[6]);

  241.     accum0 += widemul(2*a[5], a[7]);

  242.     accum0 += widemul(2*a[4], a[8]);

  243.     accum0 += widemul(a[0], a[3]);

  244.     accum0 += widemul(a[1], a[2]);

  245.     accum1 += accum0 << 1;

  246.     c[3] = accum1 & ((1ull<<58)-1);

  247.     accum1 >>= 58;

  248. 

  249.     accum0 = 0;

  250.     accum0 += widemul(a[6], a[7]);

  251.     accum0 += widemul(a[5], a[8]);

  252.     accum0 <<= 1;

  253.     accum1 += widemul(a[2], a[2]);

  254.     accum0 += widemul(a[0], a[4]);

  255.     accum0 += widemul(a[1], a[3]);

  256.     accum1 += accum0 << 1;

  257.     c[4] = accum1 & ((1ull<<58)-1);

  258.     accum1 >>= 58;

  259. 

  260.     accum0 = 0;

  261.     accum0 += widemul(2*a[6], a[8]);

  262.     accum0 += widemul(a[7], a[7]);

  263.     accum0 += widemul(a[0], a[5]);

  264.     accum0 += widemul(a[1], a[4]);

  265.     accum0 += widemul(a[2], a[3]);

  266.     accum1 += accum0 << 1;

  267.     c[5] = accum1 & ((1ull<<58)-1);

  268.     accum1 >>= 58;

  269. 

  270.     accum0 = 0;

  271.     accum1 += widemul(a[3], a[3]);

  272.     accum0 += widemul(a[0], a[6]);

  273.     accum0 += widemul(a[1], a[5]);

  274.     accum0 += widemul(2*a[7], a[8]);

  275.     accum0 += widemul(a[2], a[4]);

  276.     accum1 += accum0 << 1;

  277.     c[6] = accum1 & ((1ull<<58)-1);

  278.     accum1 >>= 58;

  279.   

  280.     accum1 += c[7];

  281.     c[7] = accum1 & ((1ull<<58)-1);

  282.   

  283.     c[8] += accum1 >> 58;

  284. }