jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: ed6fdbf3c3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ed6fdbf3c3'
${ noResults }
ed448goldilocks/ec_point.c

746 lines
21 KiB
Raw Blame History 

  1. /**

  2.  * @cond internal

  3.  * @file ec_point.c

  4.  * @copyright

  5.  *   Copyright (c) 2014 Cryptography Research, Inc.  \n

  6.  *   Released under the MIT License.  See LICENSE.txt for license information.

  7.  * @author Mike Hamburg

  8.  * @warning This file was automatically generated.

  9.  */

  10. 

  11. #include "ec_point.h"

  12. 

  13. 

  14. void

  15. p448_isr (

  16.     struct p448_t*       a,

  17.     const struct p448_t* x

  18. ) {

  19.     struct p448_t L0, L1, L2;

  20.     p448_sqr  (   &L1,     x );

  21.     p448_mul  (   &L2,     x,   &L1 );

  22.     p448_sqr  (   &L1,   &L2 );

  23.     p448_mul  (   &L2,     x,   &L1 );

  24.     p448_sqrn (   &L1,   &L2,     3 );

  25.     p448_mul  (   &L0,   &L2,   &L1 );

  26.     p448_sqrn (   &L1,   &L0,     3 );

  27.     p448_mul  (   &L0,   &L2,   &L1 );

  28.     p448_sqrn (   &L2,   &L0,     9 );

  29.     p448_mul  (   &L1,   &L0,   &L2 );

  30.     p448_sqr  (   &L0,   &L1 );

  31.     p448_mul  (   &L2,     x,   &L0 );

  32.     p448_sqrn (   &L0,   &L2,    18 );

  33.     p448_mul  (   &L2,   &L1,   &L0 );

  34.     p448_sqrn (   &L0,   &L2,    37 );

  35.     p448_mul  (   &L1,   &L2,   &L0 );

  36.     p448_sqrn (   &L0,   &L1,    37 );

  37.     p448_mul  (   &L1,   &L2,   &L0 );

  38.     p448_sqrn (   &L0,   &L1,   111 );

  39.     p448_mul  (   &L2,   &L1,   &L0 );

  40.     p448_sqr  (   &L0,   &L2 );

  41.     p448_mul  (   &L1,     x,   &L0 );

  42.     p448_sqrn (   &L0,   &L1,   223 );

  43.     p448_mul  (     a,   &L2,   &L0 );

  44. }

  45. 

  46. void

  47. p448_inverse (

  48.     struct p448_t*       a,

  49.     const struct p448_t* x

  50. ) {

  51.     struct p448_t L0, L1;

  52.     p448_isr  (   &L0,     x );

  53.     p448_sqr  (   &L1,   &L0 );

  54.     p448_sqr  (   &L0,   &L1 );

  55.     p448_mul  (     a,     x,   &L0 );

  56. }

  57. 

  58. void

  59. add_tw_niels_to_tw_extensible (

  60.     struct tw_extensible_t*  d,

  61.     const struct tw_niels_t* e

  62. ) {

  63.     struct p448_t L0, L1;

  64.     p448_bias ( &d->y,     2 );

  65.     p448_bias ( &d->z,     2 );

  66.     p448_sub  (   &L1, &d->y, &d->x );

  67.     p448_mul  (   &L0, &e->a,   &L1 );

  68.     p448_add  (   &L1, &d->x, &d->y );

  69.     p448_mul  ( &d->y, &e->b,   &L1 );

  70.     p448_bias ( &d->y,     2 );

  71.     p448_mul  (   &L1, &d->u, &d->t );

  72.     p448_mul  ( &d->x, &e->c,   &L1 );

  73.     p448_add  ( &d->u,   &L0, &d->y );

  74.     p448_sub  ( &d->t, &d->y,   &L0 );

  75.     p448_sub  ( &d->y, &d->z, &d->x );

  76.     p448_add  (   &L0, &d->x, &d->z );

  77.     p448_mul  ( &d->z,   &L0, &d->y );

  78.     p448_mul  ( &d->x, &d->y, &d->t );

  79.     p448_mul  ( &d->y,   &L0, &d->u );

  80. }

  81. 

  82. void

  83. sub_tw_niels_from_tw_extensible (

  84.     struct tw_extensible_t*  d,

  85.     const struct tw_niels_t* e

  86. ) {

  87.     struct p448_t L0, L1;

  88.     p448_bias ( &d->y,     2 );

  89.     p448_bias ( &d->z,     2 );

  90.     p448_sub  (   &L1, &d->y, &d->x );

  91.     p448_mul  (   &L0, &e->b,   &L1 );

  92.     p448_add  (   &L1, &d->x, &d->y );

  93.     p448_mul  ( &d->y, &e->a,   &L1 );

  94.     p448_bias ( &d->y,     2 );

  95.     p448_mul  (   &L1, &d->u, &d->t );

  96.     p448_mul  ( &d->x, &e->c,   &L1 );

  97.     p448_add  ( &d->u,   &L0, &d->y );

  98.     p448_sub  ( &d->t, &d->y,   &L0 );

  99.     p448_add  ( &d->y, &d->x, &d->z );

  100.     p448_sub  (   &L0, &d->z, &d->x );

  101.     p448_mul  ( &d->z,   &L0, &d->y );

  102.     p448_mul  ( &d->x, &d->y, &d->t );

  103.     p448_mul  ( &d->y,   &L0, &d->u );

  104. }

  105. 

  106. void

  107. add_tw_pniels_to_tw_extensible (

  108.     struct tw_extensible_t*   e,

  109.     const struct tw_pniels_t* a

  110. ) {

  111.     struct p448_t L0;

  112.     p448_mul  (   &L0, &e->z, &a->z );

  113.     p448_copy ( &e->z,   &L0 );

  114.     add_tw_niels_to_tw_extensible(     e, &a->n );

  115. }

  116. 

  117. void

  118. sub_tw_pniels_from_tw_extensible (

  119.     struct tw_extensible_t*   e,

  120.     const struct tw_pniels_t* a

  121. ) {

  122.     struct p448_t L0;

  123.     p448_mul  (   &L0, &e->z, &a->z );

  124.     p448_copy ( &e->z,   &L0 );

  125.     sub_tw_niels_from_tw_extensible(     e, &a->n );

  126. }

  127. 

  128. void

  129. double_tw_extensible (

  130.     struct tw_extensible_t* a

  131. ) {

  132.     struct p448_t L0, L1, L2;

  133.     p448_sqr  (   &L2, &a->x );

  134.     p448_sqr  (   &L0, &a->y );

  135.     p448_add  ( &a->u,   &L2,   &L0 );

  136.     p448_add  ( &a->t, &a->y, &a->x );

  137.     p448_sqr  (   &L1, &a->t );

  138.     p448_bias (   &L1,     3 );

  139.     p448_sub  ( &a->t,   &L1, &a->u );

  140.     p448_sub  (   &L1,   &L0,   &L2 );

  141.     p448_bias (   &L1,     2 );

  142.     p448_sqr  ( &a->x, &a->z );

  143.     p448_bias ( &a->x,     2 );

  144.     p448_add  ( &a->z, &a->x, &a->x );

  145.     p448_sub  (   &L0, &a->z,   &L1 );

  146.     p448_mul  ( &a->z,   &L1,   &L0 );

  147.     p448_mul  ( &a->x,   &L0, &a->t );

  148.     p448_mul  ( &a->y,   &L1, &a->u );

  149. }

  150. 

  151. void

  152. double_extensible (

  153.     struct extensible_t* a

  154. ) {

  155.     struct p448_t L0, L1, L2;

  156.     p448_sqr  (   &L2, &a->x );

  157.     p448_sqr  (   &L0, &a->y );

  158.     p448_add  (   &L1,   &L2,   &L0 );

  159.     p448_add  ( &a->t, &a->y, &a->x );

  160.     p448_sqr  ( &a->u, &a->t );

  161.     p448_bias ( &a->u,     3 );

  162.     p448_sub  ( &a->t, &a->u,   &L1 );

  163.     p448_sub  ( &a->u,   &L0,   &L2 );

  164.     p448_bias ( &a->u,     2 );

  165.     p448_sqr  ( &a->x, &a->z );

  166.     p448_bias ( &a->x,     2 );

  167.     p448_add  ( &a->z, &a->x, &a->x );

  168.     p448_sub  (   &L0, &a->z,   &L1 );

  169.     p448_mul  ( &a->z,   &L1,   &L0 );

  170.     p448_mul  ( &a->x,   &L0, &a->t );

  171.     p448_mul  ( &a->y,   &L1, &a->u );

  172. }

  173. 

  174. void

  175. twist_and_double (

  176.     struct tw_extensible_t*    b,

  177.     const struct extensible_t* a

  178. ) {

  179.     struct p448_t L0;

  180.     p448_sqr  ( &b->x, &a->x );

  181.     p448_sqr  ( &b->z, &a->y );

  182.     p448_add  ( &b->u, &b->x, &b->z );

  183.     p448_add  ( &b->t, &a->y, &a->x );

  184.     p448_sqr  (   &L0, &b->t );

  185.     p448_bias (   &L0,     3 );

  186.     p448_sub  ( &b->t,   &L0, &b->u );

  187.     p448_sub  (   &L0, &b->z, &b->x );

  188.     p448_bias (   &L0,     2 );

  189.     p448_sqr  ( &b->x, &a->z );

  190.     p448_bias ( &b->x,     2 );

  191.     p448_add  ( &b->z, &b->x, &b->x );

  192.     p448_sub  ( &b->y, &b->z, &b->u );

  193.     p448_mul  ( &b->z,   &L0, &b->y );

  194.     p448_mul  ( &b->x, &b->y, &b->t );

  195.     p448_mul  ( &b->y,   &L0, &b->u );

  196. }

  197. 

  198. void

  199. untwist_and_double (

  200.     struct extensible_t*          b,

  201.     const struct tw_extensible_t* a

  202. ) {

  203.     struct p448_t L0;

  204.     p448_sqr  ( &b->x, &a->x );

  205.     p448_sqr  ( &b->z, &a->y );

  206.     p448_add  (   &L0, &b->x, &b->z );

  207.     p448_add  ( &b->t, &a->y, &a->x );

  208.     p448_sqr  ( &b->u, &b->t );

  209.     p448_bias ( &b->u,     3 );

  210.     p448_sub  ( &b->t, &b->u,   &L0 );

  211.     p448_sub  ( &b->u, &b->z, &b->x );

  212.     p448_bias ( &b->u,     2 );

  213.     p448_sqr  ( &b->x, &a->z );

  214.     p448_bias ( &b->x,     2 );

  215.     p448_add  ( &b->z, &b->x, &b->x );

  216.     p448_sub  ( &b->y, &b->z, &b->u );

  217.     p448_mul  ( &b->z,   &L0, &b->y );

  218.     p448_mul  ( &b->x, &b->y, &b->t );

  219.     p448_mul  ( &b->y,   &L0, &b->u );

  220. }

  221. 

  222. void

  223. convert_tw_affine_to_tw_pniels (

  224.     struct tw_pniels_t*       b,

  225.     const struct tw_affine_t* a

  226. ) {

  227.     p448_sub  ( &b->n.a, &a->y, &a->x );

  228.     p448_bias ( &b->n.a,     2 );

  229.     p448_weak_reduce( &b->n.a );

  230.     p448_add  ( &b->n.b, &a->x, &a->y );

  231.     p448_weak_reduce( &b->n.b );

  232.     p448_mul  ( &b->n.c, &a->y, &a->x );

  233.     p448_mulw ( &b->z, &b->n.c, 78164 );

  234.     p448_neg  ( &b->n.c, &b->z );

  235.     p448_bias ( &b->n.c,     2 );

  236.     p448_weak_reduce( &b->n.c );

  237.     p448_set_ui( &b->z,     2 );

  238. }

  239. 

  240. void

  241. convert_tw_affine_to_tw_extensible (

  242.     struct tw_extensible_t*   b,

  243.     const struct tw_affine_t* a

  244. ) {

  245.     p448_copy ( &b->x, &a->x );

  246.     p448_copy ( &b->y, &a->y );

  247.     p448_set_ui( &b->z,     1 );

  248.     p448_copy ( &b->t, &a->x );

  249.     p448_copy ( &b->u, &a->y );

  250. }

  251. 

  252. void

  253. convert_affine_to_extensible (

  254.     struct extensible_t*   b,

  255.     const struct affine_t* a

  256. ) {

  257.     p448_copy ( &b->x, &a->x );

  258.     p448_copy ( &b->y, &a->y );

  259.     p448_set_ui( &b->z,     1 );

  260.     p448_copy ( &b->t, &a->x );

  261.     p448_copy ( &b->u, &a->y );

  262. }

  263. 

  264. void

  265. convert_tw_extensible_to_tw_pniels (

  266.     struct tw_pniels_t*           b,

  267.     const struct tw_extensible_t* a

  268. ) {

  269.     p448_sub  ( &b->n.a, &a->y, &a->x );

  270.     p448_bias ( &b->n.a,     2 );

  271.     p448_weak_reduce( &b->n.a );

  272.     p448_add  ( &b->n.b, &a->x, &a->y );

  273.     p448_weak_reduce( &b->n.b );

  274.     p448_mul  ( &b->n.c, &a->u, &a->t );

  275.     p448_mulw ( &b->z, &b->n.c, 78164 );

  276.     p448_neg  ( &b->n.c, &b->z );

  277.     p448_bias ( &b->n.c,     2 );

  278.     p448_weak_reduce( &b->n.c );

  279.     p448_add  ( &b->z, &a->z, &a->z );

  280.     p448_weak_reduce( &b->z );

  281. }

  282. 

  283. void

  284. convert_tw_pniels_to_tw_extensible (

  285.     struct tw_extensible_t*   e,

  286.     const struct tw_pniels_t* d

  287. ) {

  288.     p448_add  ( &e->u, &d->n.b, &d->n.a );

  289.     p448_sub  ( &e->t, &d->n.b, &d->n.a );

  290.     p448_bias ( &e->t,     2 );

  291.     p448_mul  ( &e->x, &d->z, &e->t );

  292.     p448_mul  ( &e->y, &d->z, &e->u );

  293.     p448_sqr  ( &e->z, &d->z );

  294. }

  295. 

  296. void

  297. convert_tw_niels_to_tw_extensible (

  298.     struct tw_extensible_t*  e,

  299.     const struct tw_niels_t* d

  300. ) {

  301.     p448_add  ( &e->y, &d->b, &d->a );

  302.     p448_weak_reduce( &e->y );

  303.     p448_sub  ( &e->x, &d->b, &d->a );

  304.     p448_bias ( &e->x,     2 );

  305.     p448_weak_reduce( &e->x );

  306.     p448_set_ui( &e->z,     1 );

  307.     p448_copy ( &e->t, &e->x );

  308.     p448_copy ( &e->u, &e->y );

  309. }

  310. 

  311. void

  312. montgomery_step (

  313.     struct montgomery_t* a

  314. ) {

  315.     struct p448_t L0, L1;

  316.     p448_bias ( &a->xd,     2 );

  317.     p448_bias ( &a->xa,     2 );

  318.     p448_add  (   &L0, &a->zd, &a->xd );

  319.     p448_sub  (   &L1, &a->xd, &a->zd );

  320.     p448_sub  ( &a->zd, &a->xa, &a->za );

  321.     p448_mul  ( &a->xd,   &L0, &a->zd );

  322.     p448_bias ( &a->xd,     2 );

  323.     p448_add  ( &a->zd, &a->za, &a->xa );

  324.     p448_mul  ( &a->za,   &L1, &a->zd );

  325.     p448_add  ( &a->xa, &a->za, &a->xd );

  326.     p448_sqr  ( &a->zd, &a->xa );

  327.     p448_mul  ( &a->xa, &a->z0, &a->zd );

  328.     p448_sub  ( &a->zd, &a->xd, &a->za );

  329.     p448_sqr  ( &a->za, &a->zd );

  330.     p448_sqr  ( &a->xd,   &L0 );

  331.     p448_bias ( &a->xd,     2 );

  332.     p448_sqr  (   &L0,   &L1 );

  333.     p448_mulw ( &a->zd, &a->xd, 39082 );

  334.     p448_bias ( &a->zd,     4 );

  335.     p448_sub  (   &L1, &a->xd,   &L0 );

  336.     p448_mul  ( &a->xd,   &L0, &a->zd );

  337.     p448_sub  (   &L0, &a->zd,   &L1 );

  338.     p448_mul  ( &a->zd,   &L0,   &L1 );

  339. }

  340. 

  341. void

  342. serialize_montgomery (

  343.     struct p448_t*             sign,

  344.     struct p448_t*             ser,

  345.     const struct montgomery_t* a,

  346.     const struct p448_t*       sbz

  347. ) {

  348.     struct p448_t L0, L1, L2, L3;

  349.     p448_mul  (   &L2, &a->z0, &a->zd );

  350.     p448_bias (   &L2,     2 );

  351.     p448_sub  (   &L0,   &L2, &a->xd );

  352.     p448_mul  (   &L2, &a->za,   &L0 );

  353.     p448_bias (   &L2,     2 );

  354.     p448_mul  (   &L1, &a->z0, &a->xd );

  355.     p448_bias (   &L1,     2 );

  356.     p448_sub  (   &L0,   &L1, &a->zd );

  357.     p448_mul  (   &L3, &a->xa,   &L0 );

  358.     p448_add  (   &L1,   &L3,   &L2 );

  359.     p448_sub  (   &L0,   &L2,   &L3 );

  360.     p448_mul  (   &L2,   &L0,   &L1 );

  361.     p448_mul  (   &L0,   sbz,   &L2 );

  362.     p448_mul  (   &L2, &a->zd,   &L0 );

  363.     p448_mul  (  sign,   &L2, &a->zd );

  364.     p448_mul  (   ser,   &L2, &a->xd );

  365.     p448_mul  (   &L2,  sign,   ser );

  366.     p448_isr  (   &L1,   &L2 );

  367.     p448_mul  (   ser,  sign,   &L1 );

  368.     p448_sqr  (   &L0,   &L1 );

  369.     p448_mul  (  sign,   &L2,   &L0 );

  370. }

  371. 

  372. void

  373. serialize_extensible (

  374.     struct p448_t*             b,

  375.     const struct extensible_t* a

  376. ) {

  377.     struct p448_t L0, L1, L2;

  378.     p448_sub  (   &L0, &a->y, &a->z );

  379.     p448_bias (   &L0,     2 );

  380.     p448_add  (     b, &a->z, &a->y );

  381.     p448_mul  (   &L1, &a->z, &a->x );

  382.     p448_mul  (   &L2,   &L0,   &L1 );

  383.     p448_mul  (   &L1,   &L2,   &L0 );

  384.     p448_mul  (   &L0,   &L2,     b );

  385.     p448_mul  (   &L2,   &L1,   &L0 );

  386.     p448_isr  (   &L0,   &L2 );

  387.     p448_mul  (     b,   &L1,   &L0 );

  388.     p448_sqr  (   &L1,   &L0 );

  389.     p448_mul  (   &L0,   &L2,   &L1 );

  390. }

  391. 

  392. void

  393. untwist_and_double_and_serialize (

  394.     struct p448_t*                b,

  395.     const struct tw_extensible_t* a

  396. ) {

  397.     struct p448_t L0, L1, L2, L3;

  398.     p448_mul  (   &L3, &a->y, &a->x );

  399.     p448_add  (     b, &a->y, &a->x );

  400.     p448_sqr  (   &L1,     b );

  401.     p448_add  (   &L2,   &L3,   &L3 );

  402.     p448_sub  (     b,   &L1,   &L2 );

  403.     p448_bias (     b,     3 );

  404.     p448_sqr  (   &L2, &a->z );

  405.     p448_sqr  (   &L1,   &L2 );

  406.     p448_add  (   &L2,     b,     b );

  407.     p448_mulw (     b,   &L2, 39082 );

  408.     p448_neg  (   &L2,     b );

  409.     p448_bias (   &L2,     2 );

  410.     p448_mulw (   &L0,   &L2, 39082 );

  411.     p448_neg  (     b,   &L0 );

  412.     p448_bias (     b,     2 );

  413.     p448_mul  (   &L0,   &L2,   &L1 );

  414.     p448_mul  (   &L2,     b,   &L0 );

  415.     p448_isr  (   &L0,   &L2 );

  416.     p448_mul  (   &L1,     b,   &L0 );

  417.     p448_sqr  (     b,   &L0 );

  418.     p448_mul  (   &L0,   &L2,     b );

  419.     p448_mul  (     b,   &L1,   &L3 );

  420. }

  421. 

  422. void

  423. twist (

  424.     struct tw_extensible_t*    b,

  425.     const struct extensible_t* a

  426. ) {

  427.     mask_t L0, L1;

  428.     p448_sqr  ( &b->y, &a->z );

  429.     p448_sqr  ( &b->z, &a->x );

  430.     p448_sub  ( &b->u, &b->y, &b->z );

  431.     p448_bias ( &b->u,     2 );

  432.     p448_sub  ( &b->z, &a->z, &a->x );

  433.     p448_bias ( &b->z,     2 );

  434.     p448_mul  ( &b->y, &b->z, &a->y );

  435.     p448_sub  ( &b->z, &a->z, &a->y );

  436.     p448_bias ( &b->z,     2 );

  437.     p448_mul  ( &b->x, &b->z, &b->y );

  438.     p448_mul  ( &b->t, &b->x, &b->u );

  439.     p448_mul  ( &b->y, &b->x, &b->t );

  440.     p448_isr  ( &b->t, &b->y );

  441.     p448_mul  ( &b->u, &b->x, &b->t );

  442.     p448_sqr  ( &b->x, &b->t );

  443.     p448_mul  ( &b->t, &b->y, &b->x );

  444.     p448_mul  ( &b->x, &a->x, &b->u );

  445.     p448_mul  ( &b->y, &a->y, &b->u );

  446.        L1 = p448_is_zero( &b->z );

  447.        L0 = -   L1;

  448.     p448_addw ( &b->y,    L0 );

  449.     p448_weak_reduce( &b->y );

  450.     p448_set_ui( &b->z,     1 );

  451.     p448_copy ( &b->t, &b->x );

  452.     p448_copy ( &b->u, &b->y );

  453. }

  454. 

  455. mask_t

  456. deserialize_affine (

  457.     struct affine_t*     a,

  458.     const struct p448_t* sz

  459. ) {

  460.     struct p448_t L0, L1, L2, L3;

  461.     p448_sqr  (   &L1,    sz );

  462.     p448_copy (   &L3,   &L1 );

  463.     p448_addw (   &L3,     1 );

  464.     p448_sqr  ( &a->x,   &L3 );

  465.     p448_mulw (   &L3, &a->x, 39082 );

  466.     p448_neg  ( &a->x,   &L3 );

  467.     p448_add  (   &L3,   &L1,   &L1 );

  468.     p448_bias (   &L3,     1 );

  469.     p448_add  ( &a->y,   &L3,   &L3 );

  470.     p448_add  (   &L3, &a->y, &a->x );

  471.     p448_copy ( &a->y,   &L1 );

  472.     p448_subw ( &a->y,     1 );

  473.     p448_neg  ( &a->x, &a->y );

  474.     p448_bias ( &a->x,     2 );

  475.     p448_mul  ( &a->y, &a->x,   &L3 );

  476.     p448_sqr  (   &L2, &a->x );

  477.     p448_mul  (   &L0,   &L2, &a->y );

  478.     p448_mul  ( &a->y, &a->x,   &L0 );

  479.     p448_isr  (   &L3, &a->y );

  480.     p448_mul  ( &a->y,   &L2,   &L3 );

  481.     p448_sqr  (   &L2,   &L3 );

  482.     p448_mul  (   &L3,   &L0,   &L2 );

  483.     p448_mul  (   &L0, &a->x,   &L3 );

  484.     p448_bias (   &L0,     1 );

  485.     p448_add  (   &L2, &a->y, &a->y );

  486.     p448_mul  ( &a->x,    sz,   &L2 );

  487.     p448_addw (   &L1,     1 );

  488.     p448_mul  ( &a->y,   &L1,   &L3 );

  489.     p448_subw (   &L0,     1 );

  490.     return p448_is_zero(   &L0 );

  491. }

  492. 

  493. mask_t

  494. deserialize_and_twist_approx (

  495.     struct tw_extensible_t* a,

  496.     const struct p448_t*    sdm1,

  497.     const struct p448_t*    sz

  498. ) {

  499.     struct p448_t L0, L1;

  500.     p448_sqr  ( &a->z,    sz );

  501.     p448_copy ( &a->y, &a->z );

  502.     p448_addw ( &a->y,     1 );

  503.     p448_sqr  ( &a->x, &a->y );

  504.     p448_mulw ( &a->y, &a->x, 39082 );

  505.     p448_neg  ( &a->x, &a->y );

  506.     p448_add  ( &a->y, &a->z, &a->z );

  507.     p448_bias ( &a->y,     1 );

  508.     p448_add  ( &a->u, &a->y, &a->y );

  509.     p448_add  ( &a->y, &a->u, &a->x );

  510.     p448_sqr  ( &a->x, &a->z );

  511.     p448_subw ( &a->x,     1 );

  512.     p448_neg  ( &a->u, &a->x );

  513.     p448_bias ( &a->u,     2 );

  514.     p448_mul  ( &a->x,  sdm1, &a->u );

  515.     p448_mul  (   &L0, &a->x, &a->y );

  516.     p448_mul  ( &a->t,   &L0, &a->y );

  517.     p448_mul  ( &a->u, &a->x, &a->t );

  518.     p448_mul  ( &a->t, &a->u,   &L0 );

  519.     p448_mul  ( &a->y, &a->x, &a->t );

  520.     p448_isr  (   &L0, &a->y );

  521.     p448_mul  ( &a->y, &a->u,   &L0 );

  522.     p448_sqr  (   &L1,   &L0 );

  523.     p448_mul  ( &a->u, &a->t,   &L1 );

  524.     p448_mul  ( &a->t, &a->x, &a->u );

  525.     p448_bias ( &a->t,     1 );

  526.     p448_add  ( &a->x,    sz,    sz );

  527.     p448_mul  (   &L0, &a->u, &a->x );

  528.     p448_copy ( &a->x, &a->z );

  529.     p448_subw ( &a->x,     1 );

  530.     p448_neg  (   &L1, &a->x );

  531.     p448_bias (   &L1,     2 );

  532.     p448_mul  ( &a->x,   &L1,   &L0 );

  533.     p448_mul  (   &L0, &a->u, &a->y );

  534.     p448_addw ( &a->z,     1 );

  535.     p448_mul  ( &a->y, &a->z,   &L0 );

  536.     p448_subw ( &a->t,     1 );

  537.     mask_t ret = p448_is_zero( &a->t );

  538.     p448_set_ui( &a->z,     1 );

  539.     p448_copy ( &a->t, &a->x );

  540.     p448_copy ( &a->u, &a->y );

  541.     return ret;

  542. }

  543. 

  544. void

  545. set_identity_extensible (

  546.     struct extensible_t* a

  547. ) {

  548.     p448_set_ui( &a->x,     0 );

  549.     p448_set_ui( &a->y,     1 );

  550.     p448_set_ui( &a->z,     1 );

  551.     p448_set_ui( &a->t,     0 );

  552.     p448_set_ui( &a->u,     0 );

  553. }

  554. 

  555. void

  556. set_identity_tw_extensible (

  557.     struct tw_extensible_t* a

  558. ) {

  559.     p448_set_ui( &a->x,     0 );

  560.     p448_set_ui( &a->y,     1 );

  561.     p448_set_ui( &a->z,     1 );

  562.     p448_set_ui( &a->t,     0 );

  563.     p448_set_ui( &a->u,     0 );

  564. }

  565. 

  566. void

  567. set_identity_affine (

  568.     struct affine_t* a

  569. ) {

  570.     p448_set_ui( &a->x,     0 );

  571.     p448_set_ui( &a->y,     1 );

  572. }

  573. 

  574. mask_t

  575. eq_affine (

  576.     const struct affine_t* a,

  577.     const struct affine_t* b

  578. ) {

  579.     mask_t L1, L2;

  580.     struct p448_t L0;

  581.     p448_sub  (   &L0, &a->x, &b->x );

  582.     p448_bias (   &L0,     2 );

  583.        L2 = p448_is_zero(   &L0 );

  584.     p448_sub  (   &L0, &a->y, &b->y );

  585.     p448_bias (   &L0,     2 );

  586.        L1 = p448_is_zero(   &L0 );

  587.     return    L2 &    L1;

  588. }

  589. 

  590. mask_t

  591. eq_extensible (

  592.     const struct extensible_t* a,

  593.     const struct extensible_t* b

  594. ) {

  595.     mask_t L3, L4;

  596.     struct p448_t L0, L1, L2;

  597.     p448_mul  (   &L2, &b->z, &a->x );

  598.     p448_mul  (   &L1, &a->z, &b->x );

  599.     p448_sub  (   &L0,   &L2,   &L1 );

  600.     p448_bias (   &L0,     2 );

  601.        L4 = p448_is_zero(   &L0 );

  602.     p448_mul  (   &L2, &b->z, &a->y );

  603.     p448_mul  (   &L1, &a->z, &b->y );

  604.     p448_sub  (   &L0,   &L2,   &L1 );

  605.     p448_bias (   &L0,     2 );

  606.        L3 = p448_is_zero(   &L0 );

  607.     return    L4 &    L3;

  608. }

  609. 

  610. mask_t

  611. eq_tw_extensible (

  612.     const struct tw_extensible_t* a,

  613.     const struct tw_extensible_t* b

  614. ) {

  615.     mask_t L3, L4;

  616.     struct p448_t L0, L1, L2;

  617.     p448_mul  (   &L2, &b->z, &a->x );

  618.     p448_mul  (   &L1, &a->z, &b->x );

  619.     p448_sub  (   &L0,   &L2,   &L1 );

  620.     p448_bias (   &L0,     2 );

  621.        L4 = p448_is_zero(   &L0 );

  622.     p448_mul  (   &L2, &b->z, &a->y );

  623.     p448_mul  (   &L1, &a->z, &b->y );

  624.     p448_sub  (   &L0,   &L2,   &L1 );

  625.     p448_bias (   &L0,     2 );

  626.        L3 = p448_is_zero(   &L0 );

  627.     return    L4 &    L3;

  628. }

  629. 

  630. void

  631. elligator_2s_inject (

  632.     struct affine_t*     a,

  633.     const struct p448_t* r

  634. ) {

  635.     mask_t L0, L1;

  636.     struct p448_t L2, L3, L4, L5, L6, L7, L8, L9;

  637.     p448_sqr  ( &a->x,     r );

  638.     p448_sqr  (   &L3, &a->x );

  639.     p448_copy ( &a->y,   &L3 );

  640.     p448_subw ( &a->y,     1 );

  641.     p448_neg  (   &L9, &a->y );

  642.     p448_bias (   &L9,     2 );

  643.     p448_sqr  (   &L2,   &L9 );

  644.     p448_bias (   &L2,     1 );

  645.     p448_mulw (   &L7,   &L2, 1527402724 );

  646.     p448_bias (   &L7,     2 );

  647.     p448_mulw (   &L8,   &L3, 6108985600 );

  648.     p448_add  ( &a->y,   &L8,   &L7 );

  649.     p448_mulw (   &L8,   &L2, 6109454568 );

  650.     p448_sub  (   &L7, &a->y,   &L8 );

  651.     p448_mulw (   &L4, &a->y, 78160 );

  652.     p448_mul  (   &L6,   &L7,   &L9 );

  653.     p448_mul  (   &L8,   &L6,   &L4 );

  654.     p448_mul  (   &L4,   &L7,   &L8 );

  655.     p448_isr  (   &L5,   &L4 );

  656.     p448_mul  (   &L4,   &L6,   &L5 );

  657.     p448_sqr  (   &L6,   &L5 );

  658.     p448_mul  (   &L5,   &L8,   &L6 );

  659.     p448_mul  (   &L8,   &L7,   &L5 );

  660.     p448_mul  (   &L7,   &L8,   &L5 );

  661.     p448_copy (   &L6, &a->x );

  662.     p448_subw (   &L6,     1 );

  663.     p448_addw ( &a->x,     1 );

  664.     p448_mul  (   &L5, &a->x,   &L8 );

  665.     p448_sub  ( &a->x,   &L6,   &L5 );

  666.     p448_bias ( &a->x,     3 );

  667.     p448_mul  (   &L5,   &L4, &a->x );

  668.     p448_mulw (   &L4,   &L5, 78160 );

  669.     p448_neg  ( &a->x,   &L4 );

  670.     p448_bias ( &a->x,     2 );

  671.     p448_weak_reduce( &a->x );

  672.     p448_add  (   &L4,   &L3,   &L3 );

  673.     p448_add  (   &L3,   &L4,   &L2 );

  674.     p448_subw (   &L3,     2 );

  675.     p448_mul  (   &L2,   &L3,   &L8 );

  676.     p448_mulw (   &L3,   &L2, 3054649120 );

  677.     p448_add  (   &L2,   &L3, &a->y );

  678.     p448_mul  ( &a->y,   &L7,   &L2 );

  679.        L1 = p448_is_zero(   &L9 );

  680.        L0 = -   L1;

  681.     p448_addw ( &a->y,    L0 );

  682.     p448_weak_reduce( &a->y );

  683. }

  684. 

  685. mask_t

  686. validate_affine (

  687.     const struct affine_t* a

  688. ) {

  689.     struct p448_t L0, L1, L2, L3;

  690.     p448_sqr  (   &L0, &a->y );

  691.     p448_sqr  (   &L2, &a->x );

  692.     p448_add  (   &L3,   &L2,   &L0 );

  693.     p448_subw (   &L3,     1 );

  694.     p448_mulw (   &L1,   &L2, 39081 );

  695.     p448_neg  (   &L2,   &L1 );

  696.     p448_bias (   &L2,     2 );

  697.     p448_mul  (   &L1,   &L0,   &L2 );

  698.     p448_sub  (   &L0,   &L3,   &L1 );

  699.     p448_bias (   &L0,     3 );

  700.     return p448_is_zero(   &L0 );

  701. }

  702. 

  703. mask_t

  704. validate_tw_extensible (

  705.     const struct tw_extensible_t* ext

  706. ) {

  707.     mask_t L4, L5;

  708.     struct p448_t L0, L1, L2, L3;

  709.     /*

  710.      * Check invariant:

  711.      * 0 = -x*y + z*t*u

  712.      */

  713.     p448_mul  (   &L0, &ext->t, &ext->u );

  714.     p448_mul  (   &L2, &ext->z,   &L0 );

  715.     p448_addw (   &L2,     0 );

  716.     p448_mul  (   &L1, &ext->x, &ext->y );

  717.     p448_neg  (   &L0,   &L1 );

  718.     p448_add  (   &L1,   &L0,   &L2 );

  719.     p448_bias (   &L1,     2 );

  720.        L5 = p448_is_zero(   &L1 );

  721.     /*

  722.      * Check invariant:

  723.      * 0 = d*t^2*u^2 + x^2 - y^2 + z^2 - t^2*u^2

  724.      */

  725.     p448_sqr  (   &L2, &ext->y );

  726.     p448_neg  (   &L0,   &L2 );

  727.     p448_addw (   &L0,     0 );

  728.     p448_sqr  (   &L1, &ext->x );

  729.     p448_bias (   &L1,     4 );

  730.     p448_add  (   &L2,   &L1,   &L0 );

  731.     p448_sqr  (   &L3, &ext->u );

  732.     p448_sqr  (   &L1, &ext->t );

  733.     p448_mul  (   &L0,   &L1,   &L3 );

  734.     p448_mulw (   &L1,   &L0, 39081 );

  735.     p448_neg  (   &L3,   &L1 );

  736.     p448_add  (   &L1,   &L3,   &L2 );

  737.     p448_neg  (   &L3,   &L0 );

  738.     p448_add  (   &L2,   &L3,   &L1 );

  739.     p448_sqr  (   &L1, &ext->z );

  740.     p448_add  (   &L0,   &L1,   &L2 );

  741.        L4 = p448_is_zero(   &L0 );

  742.     return    L5 &    L4;

  743. }

  744.