jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: d4085b9606
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd4085b9606'
${ noResults }
ed448goldilocks/src/arch_x86_64/p448.c

460 lines
10 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "p448.h"

  6. #include "x86-64-arith.h"

  7. 

  8. void

  9. p448_mul (

  10.     p448_t *__restrict__ cs,

  11.     const p448_t *as,

  12.     const p448_t *bs

  13. ) {

  14.     const uint64_t *a = as->limb, *b = bs->limb;

  15.     uint64_t *c = cs->limb;

  16. 

  17.     __uint128_t accum0 = 0, accum1 = 0, accum2;

  18.     uint64_t mask = (1ull<<56) - 1;  

  19. 

  20.     uint64_t aa[4] __attribute__((aligned(32))), bb[4] __attribute__((aligned(32))), bbb[4] __attribute__((aligned(32)));

  21. 

  22.     /* For some reason clang doesn't vectorize this without prompting? */

  23.     unsigned int i;

  24.     for (i=0; i<sizeof(aa)/sizeof(uint64xn_t); i++) {

  25.         ((uint64xn_t*)aa)[i] = ((const uint64xn_t*)a)[i] + ((const uint64xn_t*)(&a[4]))[i];

  26.         ((uint64xn_t*)bb)[i] = ((const uint64xn_t*)b)[i] + ((const uint64xn_t*)(&b[4]))[i]; 

  27.         ((uint64xn_t*)bbb)[i] = ((const uint64xn_t*)bb)[i] + ((const uint64xn_t*)(&b[4]))[i];     

  28.     }

  29.     /*

  30.     for (int i=0; i<4; i++) {

  31.     aa[i] = a[i] + a[i+4];

  32.     bb[i] = b[i] + b[i+4];

  33.     }

  34.     */

  35. 

  36.     accum2  = widemul(&a[0],&b[3]);

  37.     accum0  = widemul(&aa[0],&bb[3]);

  38.     accum1  = widemul(&a[4],&b[7]);

  39. 

  40.     mac(&accum2, &a[1], &b[2]);

  41.     mac(&accum0, &aa[1], &bb[2]);

  42.     mac(&accum1, &a[5], &b[6]);

  43. 

  44.     mac(&accum2, &a[2], &b[1]);

  45.     mac(&accum0, &aa[2], &bb[1]);

  46.     mac(&accum1, &a[6], &b[5]);

  47. 

  48.     mac(&accum2, &a[3], &b[0]);

  49.     mac(&accum0, &aa[3], &bb[0]);

  50.     mac(&accum1, &a[7], &b[4]);

  51. 

  52.     accum0 -= accum2;

  53.     accum1 += accum2;

  54. 

  55.     c[3] = ((uint64_t)(accum1)) & mask;

  56.     c[7] = ((uint64_t)(accum0)) & mask;

  57. 

  58.     accum0 >>= 56;

  59.     accum1 >>= 56;

  60.     

  61.     mac(&accum0, &aa[1],&bb[3]);

  62.     mac(&accum1, &a[5], &b[7]);

  63.     mac(&accum0, &aa[2], &bb[2]);

  64.     mac(&accum1, &a[6], &b[6]);

  65.     mac(&accum0, &aa[3], &bb[1]);

  66.     accum1 += accum0;

  67. 

  68.     accum2 = widemul(&a[0],&b[0]);

  69.     accum1 -= accum2;

  70.     accum0 += accum2;

  71.     

  72.     msb(&accum0, &a[1], &b[3]);

  73.     msb(&accum0, &a[2], &b[2]);

  74.     mac(&accum1, &a[7], &b[5]);

  75.     msb(&accum0, &a[3], &b[1]);

  76.     mac(&accum1, &aa[0], &bb[0]);

  77.     mac(&accum0, &a[4], &b[4]);

  78. 

  79.     c[0] = ((uint64_t)(accum0)) & mask;

  80.     c[4] = ((uint64_t)(accum1)) & mask;

  81. 

  82.     accum0 >>= 56;

  83.     accum1 >>= 56;

  84. 

  85.     accum2  = widemul(&a[2],&b[7]);

  86.     mac(&accum0, &a[6], &bb[3]);

  87.     mac(&accum1, &aa[2], &bbb[3]);

  88. 

  89.     mac(&accum2, &a[3], &b[6]);

  90.     mac(&accum0, &a[7], &bb[2]);

  91.     mac(&accum1, &aa[3], &bbb[2]);

  92. 

  93.     mac(&accum2, &a[0],&b[1]);

  94.     mac(&accum1, &aa[0], &bb[1]);

  95.     mac(&accum0, &a[4], &b[5]);

  96. 

  97.     mac(&accum2, &a[1], &b[0]);

  98.     mac(&accum1, &aa[1], &bb[0]);

  99.     mac(&accum0, &a[5], &b[4]);

  100. 

  101.     accum1 -= accum2;

  102.     accum0 += accum2;

  103. 

  104.     c[1] = ((uint64_t)(accum0)) & mask;

  105.     c[5] = ((uint64_t)(accum1)) & mask;

  106. 

  107.     accum0 >>= 56;

  108.     accum1 >>= 56;

  109. 

  110.     accum2  = widemul(&a[3],&b[7]);

  111.     mac(&accum0, &a[7], &bb[3]);

  112.     mac(&accum1, &aa[3], &bbb[3]);

  113. 

  114.     mac(&accum2, &a[0],&b[2]);

  115.     mac(&accum1, &aa[0], &bb[2]);

  116.     mac(&accum0, &a[4], &b[6]);

  117. 

  118.     mac(&accum2, &a[1], &b[1]);

  119.     mac(&accum1, &aa[1], &bb[1]);

  120.     mac(&accum0, &a[5], &b[5]);

  121. 

  122.     mac(&accum2, &a[2], &b[0]);

  123.     mac(&accum1, &aa[2], &bb[0]);

  124.     mac(&accum0, &a[6], &b[4]);

  125. 

  126.     accum1 -= accum2;

  127.     accum0 += accum2;

  128. 

  129.     c[2] = ((uint64_t)(accum0)) & mask;

  130.     c[6] = ((uint64_t)(accum1)) & mask;

  131. 

  132.     accum0 >>= 56;

  133.     accum1 >>= 56;

  134. 

  135.     accum0 += c[3];

  136.     accum1 += c[7];

  137.     c[3] = ((uint64_t)(accum0)) & mask;

  138.     c[7] = ((uint64_t)(accum1)) & mask;

  139. 

  140.     /* we could almost stop here, but it wouldn't be stable, so... */

  141. 

  142.     accum0 >>= 56;

  143.     accum1 >>= 56;

  144.     c[4] += ((uint64_t)(accum0)) + ((uint64_t)(accum1));

  145.     c[0] += ((uint64_t)(accum1));

  146. }

  147. 

  148. void

  149. p448_mulw (

  150.     p448_t *__restrict__ cs,

  151.     const p448_t *as,

  152.     uint64_t b

  153. ) {

  154.     const uint64_t *a = as->limb;

  155.     uint64_t *c = cs->limb;

  156. 

  157.     __uint128_t accum0, accum4;

  158.     uint64_t mask = (1ull<<56) - 1;  

  159. 

  160.     accum0 = widemul_rm(b, &a[0]);

  161.     accum4 = widemul_rm(b, &a[4]);

  162. 

  163.     c[0] = accum0 & mask; accum0 >>= 56;

  164.     c[4] = accum4 & mask; accum4 >>= 56;

  165. 

  166.     mac_rm(&accum0, b, &a[1]);

  167.     mac_rm(&accum4, b, &a[5]);

  168. 

  169.     c[1] = accum0 & mask; accum0 >>= 56;

  170.     c[5] = accum4 & mask; accum4 >>= 56;

  171. 

  172.     mac_rm(&accum0, b, &a[2]);

  173.     mac_rm(&accum4, b, &a[6]);

  174. 

  175.     c[2] = accum0 & mask; accum0 >>= 56;

  176.     c[6] = accum4 & mask; accum4 >>= 56;

  177. 

  178.     mac_rm(&accum0, b, &a[3]);

  179.     mac_rm(&accum4, b, &a[7]);

  180. 

  181.     c[3] = accum0 & mask; accum0 >>= 56;

  182.     c[7] = accum4 & mask; accum4 >>= 56;

  183. 

  184.     // c[4] += accum0 + accum4;

  185.     // c[0] += accum4;

  186.     

  187.     accum0 += accum4 + c[4];

  188.     c[4] = accum0 & mask;

  189.     c[5] += accum0 >> 56;

  190. 

  191.     accum4 += c[0];

  192.     c[0] = accum4 & mask;

  193.     c[1] += accum4 >> 56;

  194. }

  195. 

  196. void

  197. p448_sqr (

  198.     p448_t *__restrict__ cs,

  199.     const p448_t *as

  200. ) {

  201.     const uint64_t *a = as->limb;

  202.     uint64_t *c = cs->limb;

  203. 

  204.     __uint128_t accum0 = 0, accum1 = 0, accum2;

  205.     uint64_t mask = (1ull<<56) - 1;  

  206. 

  207.     uint64_t aa[4] __attribute__((aligned(32)));

  208. 

  209.     /* For some reason clang doesn't vectorize this without prompting? */

  210.     unsigned int i;

  211.     for (i=0; i<sizeof(aa)/sizeof(uint64xn_t); i++) {

  212.       ((uint64xn_t*)aa)[i] = ((const uint64xn_t*)a)[i] + ((const uint64xn_t*)(&a[4]))[i];

  213.     }

  214. 

  215.     accum2  = widemul(&a[0],&a[3]);

  216.     accum0  = widemul(&aa[0],&aa[3]);

  217.     accum1  = widemul(&a[4],&a[7]);

  218. 

  219.     mac(&accum2, &a[1], &a[2]);

  220.     mac(&accum0, &aa[1], &aa[2]);

  221.     mac(&accum1, &a[5], &a[6]);

  222. 

  223.     accum0 -= accum2;

  224.     accum1 += accum2;

  225. 

  226.     c[3] = ((uint64_t)(accum1))<<1 & mask;

  227.     c[7] = ((uint64_t)(accum0))<<1 & mask;

  228. 

  229.     accum0 >>= 55;

  230.     accum1 >>= 55;

  231. 

  232.     mac2(&accum0, &aa[1],&aa[3]);

  233.     mac2(&accum1, &a[5], &a[7]);

  234.     mac(&accum0, &aa[2], &aa[2]);

  235.     accum1 += accum0;

  236. 

  237.     msb2(&accum0, &a[1], &a[3]);

  238.     mac(&accum1, &a[6], &a[6]);

  239.     

  240.     accum2 = widemul(&a[0],&a[0]);

  241.     accum1 -= accum2;

  242.     accum0 += accum2;

  243. 

  244.     msb(&accum0, &a[2], &a[2]);

  245.     mac(&accum1, &aa[0], &aa[0]);

  246.     mac(&accum0, &a[4], &a[4]);

  247. 

  248.     c[0] = ((uint64_t)(accum0)) & mask;

  249.     c[4] = ((uint64_t)(accum1)) & mask;

  250. 

  251.     accum0 >>= 56;

  252.     accum1 >>= 56;

  253. 

  254.     accum2  = widemul2(&aa[2],&aa[3]);

  255.     msb2(&accum0, &a[2], &a[3]);

  256.     mac2(&accum1, &a[6], &a[7]);

  257. 

  258.     accum1 += accum2;

  259.     accum0 += accum2;

  260. 

  261.     accum2  = widemul2(&a[0],&a[1]);

  262.     mac2(&accum1, &aa[0], &aa[1]);

  263.     mac2(&accum0, &a[4], &a[5]);

  264. 

  265.     accum1 -= accum2;

  266.     accum0 += accum2;

  267. 

  268.     c[1] = ((uint64_t)(accum0)) & mask;

  269.     c[5] = ((uint64_t)(accum1)) & mask;

  270. 

  271.     accum0 >>= 56;

  272.     accum1 >>= 56;

  273. 

  274.     accum2  = widemul(&aa[3],&aa[3]);

  275.     msb(&accum0, &a[3], &a[3]);

  276.     mac(&accum1, &a[7], &a[7]);

  277. 

  278.     accum1 += accum2;

  279.     accum0 += accum2;

  280. 

  281.     accum2  = widemul2(&a[0],&a[2]);

  282.     mac2(&accum1, &aa[0], &aa[2]);

  283.     mac2(&accum0, &a[4], &a[6]);

  284. 

  285.     mac(&accum2, &a[1], &a[1]);

  286.     mac(&accum1, &aa[1], &aa[1]);

  287.     mac(&accum0, &a[5], &a[5]);

  288. 

  289.     accum1 -= accum2;

  290.     accum0 += accum2;

  291. 

  292.     c[2] = ((uint64_t)(accum0)) & mask;

  293.     c[6] = ((uint64_t)(accum1)) & mask;

  294. 

  295.     accum0 >>= 56;

  296.     accum1 >>= 56;

  297. 

  298.     accum0 += c[3];

  299.     accum1 += c[7];

  300.     c[3] = ((uint64_t)(accum0)) & mask;

  301.     c[7] = ((uint64_t)(accum1)) & mask;

  302. 

  303.     /* we could almost stop here, but it wouldn't be stable, so... */

  304. 

  305.     accum0 >>= 56;

  306.     accum1 >>= 56;

  307.     c[4] += ((uint64_t)(accum0)) + ((uint64_t)(accum1));

  308.     c[0] += ((uint64_t)(accum1));

  309. }

  310. 

  311. void

  312. p448_strong_reduce (

  313.     p448_t *a

  314. ) {

  315.     uint64_t mask = (1ull<<56)-1;

  316. 

  317.     /* first, clear high */

  318.     a->limb[4] += a->limb[7]>>56;

  319.     a->limb[0] += a->limb[7]>>56;

  320.     a->limb[7] &= mask;

  321. 

  322.     /* now the total is less than 2^448 - 2^(448-56) + 2^(448-56+8) < 2p */

  323. 

  324.     /* compute total_value - p.  No need to reduce mod p. */

  325. 

  326.     __int128_t scarry = 0;

  327.     int i;

  328.     for (i=0; i<8; i++) {

  329.         scarry = scarry + a->limb[i] - ((i==4)?mask-1:mask);

  330.         a->limb[i] = scarry & mask;

  331.         scarry >>= 56;

  332.     }

  333. 

  334.     /* uncommon case: it was >= p, so now scarry = 0 and this = x

  335.     * common case: it was < p, so now scarry = -1 and this = x - p + 2^448

  336.     * so let's add back in p.  will carry back off the top for 2^448.

  337.     */

  338. 

  339.     assert(is_zero(scarry) | is_zero(scarry+1));

  340. 

  341.     uint64_t scarry_mask = scarry & mask;

  342.     __uint128_t carry = 0;

  343. 

  344.     /* add it back */

  345.     for (i=0; i<8; i++) {

  346.         carry = carry + a->limb[i] + ((i==4)?(scarry_mask&~1):scarry_mask);

  347.         a->limb[i] = carry & mask;

  348.         carry >>= 56;

  349.     }

  350. 

  351.     assert(is_zero(carry + scarry));

  352. }

  353. 

  354. mask_t

  355. p448_is_zero (

  356.     const struct p448_t *a

  357. ) {

  358.     struct p448_t b;

  359.     p448_copy(&b,a);

  360.     p448_strong_reduce(&b);

  361. 

  362.     uint64_t any = 0;

  363.     int i;

  364.     for (i=0; i<8; i++) {

  365.         any |= b.limb[i];

  366.     }

  367.     return is_zero(any);

  368. }

  369. 

  370. void

  371. p448_serialize (

  372.     uint8_t *serial,

  373.     const struct p448_t *x

  374. ) {

  375.     int i,j;

  376.     p448_t red;

  377.     p448_copy(&red, x);

  378.     p448_strong_reduce(&red);

  379.     for (i=0; i<8; i++) {

  380.         for (j=0; j<7; j++) {

  381.             serial[7*i+j] = red.limb[i];

  382.             red.limb[i] >>= 8;

  383.         }

  384.         assert(red.limb[i] == 0);

  385.     }

  386. }

  387. 

  388. mask_t

  389. p448_deserialize (

  390.     p448_t *x,

  391.     const uint8_t serial[56]

  392. ) {

  393.     int i,j;

  394.     for (i=0; i<8; i++) {

  395.         word_t out = 0;

  396.         for (j=0; j<7; j++) {

  397.             out |= ((word_t)serial[7*i+j])<<(8*j);

  398.         }

  399.         x->limb[i] = out;

  400.     }

  401.     

  402.     /* Check for reduction.

  403.      *

  404.      * The idea is to create a variable ge which is all ones (rather, 56 ones)

  405.      * if and only if the low $i$ words of $x$ are >= those of p.

  406.      *

  407.      * Remember p = little_endian(1111,1111,1111,1111,1110,1111,1111,1111)

  408.      */

  409.     word_t ge = -1, mask = (1ull<<56)-1;

  410.     for (i=0; i<4; i++) {

  411.         ge &= x->limb[i];

  412.     }

  413.     

  414.     /* At this point, ge = 1111 iff bottom are all 1111.  Now propagate if 1110, or set if 1111 */

  415.     ge = (ge & (x->limb[4] + 1)) | is_zero(x->limb[4] ^ mask);

  416.     

  417.     /* Propagate the rest */

  418.     for (i=5; i<8; i++) {

  419.         ge &= x->limb[i];

  420.     }

  421.     

  422.     return ~is_zero(ge ^ mask);

  423. }

  424. 

  425. void

  426. simultaneous_invert_p448(

  427.     struct p448_t *__restrict__ out,

  428.     const struct p448_t *in,

  429.     unsigned int n

  430. ) {

  431.   if (n==0) {

  432.       return;

  433.   } else if (n==1) {

  434.       p448_inverse(out,in);

  435.       return;

  436.   }

  437.   

  438.   p448_copy(&out[1], &in[0]);

  439.   int i;

  440.   for (i=1; i<(int) (n-1); i++) {

  441.       p448_mul(&out[i+1], &out[i], &in[i]);

  442.   }

  443.   p448_mul(&out[0], &out[n-1], &in[n-1]);

  444.   

  445.   struct p448_t tmp;

  446.   p448_inverse(&tmp, &out[0]);

  447.   p448_copy(&out[0], &tmp);

  448.   

  449.   /* at this point, out[0] = product(in[i]) ^ -1

  450.    * out[i] = product(in[0]..in[i-1]) if i != 0

  451.    */

  452.   for (i=n-1; i>0; i--) {

  453.       p448_mul(&tmp, &out[i], &out[0]);

  454.       p448_copy(&out[i], &tmp);

  455.       

  456.       p448_mul(&tmp, &out[0], &in[i]);

  457.       p448_copy(&out[0], &tmp);

  458.   }

  459. }