jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 04b955eabe
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '04b955eabe'
${ noResults }
ed448goldilocks/src/scalarmul.c

936 lines
27 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. #include "word.h"

  5. 

  6. #include <stdlib.h>

  7. #include <limits.h>

  8. #include <string.h>

  9. 

  10. #include "intrinsics.h"

  11. #include "scalarmul.h"

  12. #include "barrett_field.h"

  13. 

  14. mask_t

  15. montgomery_ladder (

  16.     struct field_t *out,

  17.     const struct field_t *in,

  18.     const word_t *scalar,

  19.     unsigned int nbits,

  20.     unsigned int n_extra_doubles

  21. ) { 

  22.     struct montgomery_t mont;

  23.     deserialize_montgomery(&mont, in);

  24.     

  25.     int i,j,n=(nbits-1)%WORD_BITS;

  26.     mask_t pflip = 0;

  27.     for (j=(nbits+WORD_BITS-1)/WORD_BITS-1; j>=0; j--) {

  28.         word_t w = scalar[j];

  29.         for (i=n; i>=0; i--) {

  30.             mask_t flip = -((w>>i)&1);

  31.             field_cond_swap(&mont.xa,&mont.xd,flip^pflip);

  32.             field_cond_swap(&mont.za,&mont.zd,flip^pflip);

  33.             montgomery_step(&mont);

  34.             pflip = flip;

  35.         }

  36.         n = WORD_BITS-1;

  37.     }

  38.     field_cond_swap(&mont.xa,&mont.xd,pflip);

  39.     field_cond_swap(&mont.za,&mont.zd,pflip);

  40.     

  41.     assert(n_extra_doubles < INT_MAX);

  42.     for (j=0; j<(int)n_extra_doubles; j++) {

  43.         montgomery_step(&mont);

  44.     }

  45.     

  46.     return serialize_montgomery(out, &mont, in);

  47. }

  48. 

  49. static __inline__ void

  50. cond_negate_tw_niels (

  51.     struct tw_niels_t *n,

  52.     mask_t doNegate

  53. ) {

  54.     field_cond_swap(&n->a, &n->b, doNegate);

  55.     field_cond_neg(&n->c, doNegate);

  56. }

  57. 

  58. static __inline__ void

  59. cond_negate_tw_pniels (

  60.     struct tw_pniels_t *n,

  61.     mask_t doNegate

  62. ) {

  63.     cond_negate_tw_niels(&n->n, doNegate);

  64. }

  65. 

  66. #if (defined(__GNUC__) && !defined(__clang__) && defined(__x86_64__) && !defined(__AVX2__))

  67.   /* This works around an apparent compiler bug in GCC, thanks Samuel Neves */

  68.   static void __attribute__((optimize("O1")))

  69.   #ifdef __OPTIMIZE_SIZE__

  70.     #warning "There's a bug in here somewhere with GCC -Os on non-AVX2 platforms"

  71.   #endif

  72. #else

  73.   static __inline__ void

  74. #endif

  75. constant_time_lookup_tw_pniels (

  76.     struct tw_pniels_t *out,

  77.     const struct tw_pniels_t *in,

  78.     int nin,

  79.     int idx

  80. ) {

  81.     big_register_t big_one = br_set_to_mask(1), big_i = br_set_to_mask(idx);

  82.     big_register_t *o = (big_register_t *)out;

  83.     const big_register_t *i = (const big_register_t *)in;

  84.     int j;

  85.     unsigned int k;

  86.     

  87.     really_memset(out, 0, sizeof(*out));

  88.     for (j=0; j<nin; j++, big_i-=big_one) {

  89.         big_register_t mask = br_is_zero(big_i);

  90.         for (k=0; k<sizeof(*out)/sizeof(*o); k++) {

  91.             o[k] |= mask & i[k+j*sizeof(*out)/sizeof(*o)];

  92.         }

  93.     }

  94. }

  95. 

  96. static __inline__ void

  97. constant_time_lookup_tw_niels (

  98.     struct tw_niels_t *out,

  99.     const struct tw_niels_t *in,

  100.     int nin,

  101.     int idx

  102. ) {

  103.     big_register_t big_one = br_set_to_mask(1), big_i = br_set_to_mask(idx);

  104.     big_register_t *o = (big_register_t *)out;

  105.     const big_register_t *i = (const big_register_t *)in;

  106.     int j;

  107.     unsigned int k;

  108.     

  109.     really_memset(out, 0, sizeof(*out));

  110.     for (j=0; j<nin; j++, big_i-=big_one) {

  111.         big_register_t mask = br_is_zero(big_i);

  112.         for (k=0; k<sizeof(*out)/sizeof(*o); k++) {

  113.             o[k] |= mask & i[k+j*sizeof(*out)/sizeof(*o)];

  114.         }

  115.     }

  116. }

  117. 

  118. static void

  119. convert_to_signed_window_form (

  120.     word_t *out,

  121.     const word_t *scalar,

  122.     int nwords_scalar,

  123.     const word_t *prepared_data,

  124.     int nwords_pd

  125. ) {

  126.     assert(nwords_pd <= nwords_scalar);

  127.     mask_t mask = -(scalar[0]&1);

  128. 

  129.     word_t carry = add_nr_ext_packed(out, scalar, nwords_scalar, prepared_data, nwords_pd, ~mask);

  130.     carry += add_nr_ext_packed(out, out, nwords_scalar, prepared_data+nwords_pd, nwords_pd, mask);

  131.     

  132.     assert(!(out[0]&1));

  133.     

  134.     int i;

  135.     for (i=0; i<nwords_scalar; i++) {

  136.         out[i] >>= 1;

  137.         if (i<nwords_scalar-1) {

  138.             out[i] |= out[i+1]<<(WORD_BITS-1);

  139.         } else {

  140.             out[i] |= carry<<(WORD_BITS-1);

  141.         }

  142.     }

  143. }

  144. 

  145. void

  146. scalarmul (

  147.     struct tw_extensible_t *working,

  148.     const word_t scalar[SCALAR_WORDS]

  149. ) {

  150.     const int WINDOW = SCALARMUL_FIXED_WINDOW_SIZE,

  151.         WINDOW_MASK = (1<<WINDOW)-1, WINDOW_T_MASK = WINDOW_MASK >> 1,

  152.         NTABLE = 1<<(WINDOW-1),

  153.         nbits = ROUND_UP(SCALAR_BITS,WINDOW);

  154.     

  155.     word_t scalar2[SCALAR_WORDS];

  156.     convert_to_signed_window_form (

  157.         scalar2, scalar, SCALAR_WORDS,

  158.         SCALARMUL_FIXED_WINDOW_ADJUSTMENT, SCALAR_WORDS

  159.     );

  160. 

  161.     struct tw_extensible_t tabulator;

  162.     copy_tw_extensible(&tabulator, working);

  163.     double_tw_extensible(&tabulator);

  164. 

  165.     struct tw_pniels_t pn, multiples[NTABLE];

  166.     convert_tw_extensible_to_tw_pniels(&pn, &tabulator);

  167.     convert_tw_extensible_to_tw_pniels(&multiples[0], working);

  168. 

  169.     int i,j;

  170.     for (i=1; i<NTABLE; i++) {

  171.         add_tw_pniels_to_tw_extensible(working, &pn);

  172.         convert_tw_extensible_to_tw_pniels(&multiples[i], working);

  173.     }

  174. 

  175.     i = nbits - WINDOW;

  176.     int bits = scalar2[i/WORD_BITS] >> (i%WORD_BITS) & WINDOW_MASK,

  177.         inv = (bits>>(WINDOW-1))-1;

  178.     bits ^= inv;

  179.     

  180.     constant_time_lookup_tw_pniels(&pn, multiples, NTABLE, bits & WINDOW_T_MASK);

  181.     cond_negate_tw_pniels(&pn, inv);

  182.     convert_tw_pniels_to_tw_extensible(working, &pn);

  183. 		

  184. 

  185.     for (i-=WINDOW; i>=0; i-=WINDOW) {

  186.         for (j=0; j<WINDOW; j++) {

  187.             double_tw_extensible(working);

  188.         }

  189. 

  190.         bits = scalar2[i/WORD_BITS] >> (i%WORD_BITS);

  191.         

  192.         if (i/WORD_BITS < SCALAR_WORDS-1 && i%WORD_BITS >= WORD_BITS-WINDOW) {

  193.             bits ^= scalar2[i/WORD_BITS+1] << (WORD_BITS - (i%WORD_BITS));

  194.         }

  195.                 

  196.         bits &= WINDOW_MASK;

  197.         inv = (bits>>(WINDOW-1))-1;

  198.         bits ^= inv;

  199.     

  200.         constant_time_lookup_tw_pniels(&pn, multiples, NTABLE, bits & WINDOW_T_MASK);

  201.         cond_negate_tw_pniels(&pn, inv);

  202.         add_tw_pniels_to_tw_extensible(working, &pn);

  203.     }

  204. }

  205. 

  206. void

  207. scalarmul_vlook (

  208.     struct tw_extensible_t *working,

  209.     const word_t scalar[SCALAR_WORDS]

  210. ) {    

  211.     const int WINDOW = SCALARMUL_FIXED_WINDOW_SIZE,

  212.         WINDOW_MASK = (1<<WINDOW)-1, WINDOW_T_MASK = WINDOW_MASK >> 1,

  213.         NTABLE = 1<<(WINDOW-1),

  214.         nbits = ROUND_UP(SCALAR_BITS,WINDOW);

  215.     

  216.     word_t scalar2[SCALAR_WORDS];

  217.     convert_to_signed_window_form(

  218.         scalar2, scalar, SCALAR_WORDS,

  219.         SCALARMUL_FIXED_WINDOW_ADJUSTMENT, SCALAR_WORDS

  220.     );

  221. 

  222. 

  223.     struct tw_extensible_t tabulator;

  224.     copy_tw_extensible(&tabulator, working);

  225.     double_tw_extensible(&tabulator);

  226. 

  227.     struct tw_pniels_t pn, multiples[NTABLE];

  228.     convert_tw_extensible_to_tw_pniels(&pn, &tabulator);

  229.     convert_tw_extensible_to_tw_pniels(&multiples[0], working);

  230. 

  231.     int i,j;

  232.     for (i=1; i<NTABLE; i++) {

  233.         add_tw_pniels_to_tw_extensible(working, &pn);

  234.         convert_tw_extensible_to_tw_pniels(&multiples[i], working);

  235.     }

  236. 

  237.     i = nbits - WINDOW;

  238.     int bits = scalar2[i/WORD_BITS] >> (i%WORD_BITS) & WINDOW_MASK,

  239.         inv = (bits>>(WINDOW-1))-1;

  240.     bits ^= inv;

  241. 

  242.     copy_tw_pniels(&pn, &multiples[bits & WINDOW_T_MASK]);

  243.     cond_negate_tw_pniels(&pn, inv);

  244.     convert_tw_pniels_to_tw_extensible(working, &pn);

  245. 		

  246. 

  247.     for (i-=WINDOW; i>=0; i-=WINDOW) {

  248.         for (j=0; j<WINDOW; j++) {

  249.             double_tw_extensible(working);

  250.         }

  251. 

  252.         bits = scalar2[i/WORD_BITS] >> (i%WORD_BITS);

  253.         

  254.         if (i/WORD_BITS < SCALAR_WORDS-1 && i%WORD_BITS >= WORD_BITS-WINDOW) {

  255.             bits ^= scalar2[i/WORD_BITS+1] << (WORD_BITS - (i%WORD_BITS));

  256.         }

  257.                 

  258.         bits &= WINDOW_MASK;

  259.         inv = (bits>>(WINDOW-1))-1;

  260.         bits ^= inv;

  261.     

  262.         copy_tw_pniels(&pn, &multiples[bits & WINDOW_T_MASK]);

  263.         cond_negate_tw_pniels(&pn, inv);

  264.         add_tw_pniels_to_tw_extensible(working, &pn);

  265.     }

  266. }

  267. 

  268. static mask_t

  269. schedule_scalar_for_combs (

  270.     word_t *scalar2,

  271.     const word_t *scalar,

  272.     unsigned int nbits,

  273.     const struct fixed_base_table_t *table

  274. ) {

  275.     unsigned int i;

  276.     unsigned int n = table->n, t = table->t, s = table->s;

  277.     

  278.     if (n*t*s < nbits || n < 1 || t < 1 || s < 1) {

  279.         return MASK_FAILURE;

  280.     }

  281.     

  282.     unsigned int scalar_words = (nbits + WORD_BITS - 1)/WORD_BITS,

  283.         scalar2_words = scalar_words;

  284.     if (scalar2_words < SCALAR_WORDS)

  285.         scalar2_words = SCALAR_WORDS;

  286.     word_t scalar3[scalar2_words];

  287.     

  288.     /* Copy scalar to scalar3, but clear its high bits (if there are any) */

  289.     for (i=0; i<scalar_words; i++) {

  290.         scalar3[i] = scalar[i];

  291.     }

  292.     if (likely(i) && (nbits % WORD_BITS)) {

  293.         scalar3[i-1] &= (((word_t)1) << (nbits%WORD_BITS)) - 1;

  294.     }

  295.     for (; i<scalar2_words; i++) {

  296.         scalar3[i] = 0;

  297.     }

  298.     

  299.     convert_to_signed_window_form (

  300.         scalar2,

  301.         scalar3, scalar2_words,

  302.         table->scalar_adjustments , SCALAR_WORDS

  303.     );

  304.     

  305.     return MASK_SUCCESS;

  306. }

  307. 

  308. mask_t

  309. scalarmul_fixed_base (

  310.     struct tw_extensible_t *out,

  311.     const word_t scalar[SCALAR_WORDS],

  312.     unsigned int nbits,

  313.     const struct fixed_base_table_t *table

  314. ) {

  315.     unsigned int i,j,k;

  316.     unsigned int n = table->n, t = table->t, s = table->s;

  317.     

  318.     unsigned int scalar2_words = (nbits + WORD_BITS - 1)/WORD_BITS;

  319.     if (scalar2_words < SCALAR_WORDS) scalar2_words = SCALAR_WORDS;

  320.     

  321.     word_t scalar2[scalar2_words];

  322. 

  323.     mask_t succ = schedule_scalar_for_combs(scalar2, scalar, nbits, table);

  324.     if (!succ) return MASK_FAILURE;

  325.     

  326. #ifdef __clang_analyzer__

  327.     assert(t >= 1);

  328. #endif

  329.     

  330.     struct tw_niels_t ni;

  331.     

  332.     for (i=0; i<s; i++) {

  333.         if (i) double_tw_extensible(out);

  334.         

  335.         for (j=0; j<n; j++) {

  336.             int tab = 0;

  337. 			

  338. 			/*

  339.              * PERF: This computation takes about 1.5µs on SBR, i.e. 2-3% of the

  340. 			 * time of a keygen or sign op.  Surely it is possible to speed it up.

  341.              */

  342.             for (k=0; k<t; k++) {

  343.                 unsigned int bit = (s-1-i) + k*s + j*(s*t);

  344.                 if (bit < scalar2_words * WORD_BITS) {

  345.                     tab |= (scalar2[bit/WORD_BITS] >> (bit%WORD_BITS) & 1) << k;

  346.                 }

  347.             }

  348.             

  349.             mask_t invert = (tab>>(t-1))-1;

  350.             tab ^= invert;

  351.             tab &= (1<<(t-1)) - 1;

  352.             

  353.             constant_time_lookup_tw_niels(&ni, table->table + (j<<(t-1)), 1<<(t-1), tab);

  354.             cond_negate_tw_niels(&ni, invert);

  355.             if (i||j) {

  356.                 add_tw_niels_to_tw_extensible(out, &ni);

  357.             } else {

  358.                 convert_tw_niels_to_tw_extensible(out, &ni);

  359.             }

  360.         }

  361.     }

  362.     

  363.     return MASK_SUCCESS;

  364. }

  365. 

  366. mask_t

  367. linear_combo_combs_vt (

  368.     struct tw_extensible_t *out,

  369.     const word_t scalar1[SCALAR_WORDS],

  370.     unsigned int nbits1,

  371.     const struct fixed_base_table_t *table1,

  372.     const word_t scalar2[SCALAR_WORDS],

  373.     unsigned int nbits2,

  374.     const struct fixed_base_table_t *table2

  375. ) { 

  376.     unsigned int i,j,k,sc;

  377.     unsigned int s1 = table1->s, s2 = table2->s, smax = (s1 > s2) ? s1 : s2;

  378.     

  379.     unsigned int scalar1b_words = (nbits1 + WORD_BITS - 1)/WORD_BITS;

  380.     if (scalar1b_words < SCALAR_WORDS) scalar1b_words = SCALAR_WORDS;

  381.     

  382.     unsigned int scalar2b_words = (nbits2 + WORD_BITS - 1)/WORD_BITS;

  383.     if (scalar2b_words < SCALAR_WORDS) scalar2b_words = SCALAR_WORDS;

  384.     

  385.     word_t scalar1b[scalar1b_words], scalar2b[scalar2b_words];

  386. 

  387.     /* Schedule the scalars */

  388.     mask_t succ;

  389.     succ = schedule_scalar_for_combs(scalar1b, scalar1, nbits1, table1);

  390.     if (!succ) return MASK_FAILURE;

  391.   

  392.     succ = schedule_scalar_for_combs(scalar2b, scalar2, nbits2, table2);

  393.     if (!succ) return MASK_FAILURE;

  394. 

  395. #ifdef __clang_analyzer__

  396.     assert(table1->t >= 1);

  397.     assert(table2->t >= 1);

  398. #endif

  399.   

  400.     struct tw_niels_t ni;

  401.     

  402.     unsigned int swords[2] = {scalar1b_words, scalar2b_words}, started = 0;

  403.     word_t *scalars[2] = {scalar1b,scalar2b};

  404.     

  405.     for (i=0; i<smax; i++) {

  406.         if (i) double_tw_extensible(out);

  407.             

  408.         for (sc=0; sc<2; sc++) {

  409.             const struct fixed_base_table_t *table = sc ? table2 : table1;

  410.             

  411.             int ii = i-smax+table->s;

  412.             if (ii < 0) continue;

  413.             assert(ii < (int)table->s);

  414.         

  415.             for (j=0; j<table->n; j++) {

  416.             

  417.                 int tab = 0;

  418. 

  419.                 for (k=0; k<table->t; k++) {

  420.                     unsigned int bit = (table->s-1-ii) + k*table->s + j*(table->s*table->t);

  421.                     if (bit < swords[sc] * WORD_BITS) {

  422.                         tab |= (scalars[sc][bit/WORD_BITS] >> (bit%WORD_BITS) & 1) << k;

  423.                     }

  424.                 }

  425.             

  426.                 mask_t invert = (tab>>(table->t-1))-1;

  427.                 tab ^= invert;

  428.                 tab &= (1<<(table->t-1)) - 1;

  429.             

  430.                 copy_tw_niels(&ni, &table->table[tab + (j<<(table->t-1))]);

  431.                 cond_negate_tw_niels(&ni,invert);

  432.                 

  433.                 if (started) {

  434.                     add_tw_niels_to_tw_extensible(out, &ni);

  435.                 } else {

  436.                     convert_tw_niels_to_tw_extensible(out, &ni);

  437.                     started = 1;

  438.                 }

  439.             

  440.             }

  441.         }

  442.         

  443.         assert(started);

  444.     }

  445.     

  446.     return MASK_SUCCESS;

  447. }

  448. 

  449. 

  450. mask_t

  451. precompute_fixed_base (

  452.   struct fixed_base_table_t *out,

  453.   const struct tw_extensible_t *base,

  454.   unsigned int n,

  455.   unsigned int t,

  456.   unsigned int s,

  457.   struct tw_niels_t *prealloc

  458. ) {

  459.     if (s < 1 || t < 1 || n < 1 || n*t*s < SCALAR_BITS) {

  460.         really_memset(out, 0, sizeof(*out));

  461.         return 0;

  462.     }

  463.     

  464.     out->n = n;

  465.     out->t = t;

  466.     out->s = s;

  467.   

  468.     struct tw_extensible_t working, start;

  469.     copy_tw_extensible(&working, base);

  470.     struct tw_pniels_t pn_tmp;

  471.   

  472.     struct tw_pniels_t *doubles = (struct tw_pniels_t *) malloc_vector(sizeof(*doubles) * (t-1));

  473.     struct field_t *zs  = (struct field_t *) malloc_vector(sizeof(*zs) * (n<<(t-1)));

  474.     struct field_t *zis = (struct field_t *) malloc_vector(sizeof(*zis) * (n<<(t-1)));

  475.     

  476.     struct tw_niels_t *table = prealloc;

  477.     if (prealloc) {

  478.         out->own_table = 0;

  479.     } else {

  480.         table = (struct tw_niels_t *) malloc_vector(sizeof(*table) * (n<<(t-1)));

  481.         out->own_table = 1;

  482.     }

  483.     out->table = table;

  484.   

  485.     if (!doubles || !zs || !zis || !table) {

  486.         free(doubles);

  487.         free(zs);

  488.         free(zis);

  489.         really_memset(out, 0, sizeof(*out));

  490.         really_memset(table, 0, sizeof(*table) * (n<<(t-1)));

  491.         if (!prealloc) free(table);

  492.         return 0;

  493.     }

  494.   

  495.     unsigned int i,j,k;

  496.     

  497.     /* Compute the scalar adjustments, equal to 2^nbits-1 mod q */

  498.     unsigned int adjustment_size = (n*t*s)/WORD_BITS + 1;

  499.     assert(adjustment_size >= SCALAR_WORDS);

  500.     word_t adjustment[adjustment_size];

  501.     for (i=0; i<adjustment_size; i++) {

  502.         adjustment[i] = -1;

  503.     }

  504.     

  505.     adjustment[(n*t*s) / WORD_BITS] += ((word_t)1) << ((n*t*s) % WORD_BITS);

  506.     

  507.     /* The low adjustment is 2^nbits - 1 mod q */

  508.     barrett_reduce(adjustment, adjustment_size, 0, &curve_prime_order);

  509.     word_t *low_adjustment = &out->scalar_adjustments[(SCALAR_WORDS)*(adjustment[0] & 1)],

  510.         *high_adjustment = &out->scalar_adjustments[(SCALAR_WORDS)*((~adjustment[0]) & 1)];

  511.     for (i=0; i<SCALAR_WORDS; i++) {

  512.         low_adjustment[i] = adjustment[i];

  513.     }

  514.     

  515.     /* The high adjustment is low + q = low - q_lo + 2^big */

  516.     (void)

  517.     sub_nr_ext_packed(

  518.         high_adjustment,

  519.         adjustment, SCALAR_WORDS,

  520.         curve_prime_order.p_lo, curve_prime_order.nwords_lo,

  521.         -1

  522.     );

  523.     if (curve_prime_order.p_shift) {

  524.         high_adjustment[curve_prime_order.nwords_p - 1] += ((word_t)1)<<curve_prime_order.p_shift;

  525.     }

  526.     

  527.     /* OK, now compute the tables */

  528.     for (i=0; i<n; i++) {

  529. 

  530.         /* doubling phase */

  531.         for (j=0; j<t; j++) {

  532.             if (j) {

  533.                 convert_tw_extensible_to_tw_pniels(&pn_tmp, &working);

  534.                 add_tw_pniels_to_tw_extensible(&start, &pn_tmp);

  535.             } else {

  536.                 copy_tw_extensible(&start, &working);

  537.             }

  538. 

  539.             if (j==t-1 && i==n-1) {

  540.                 break;

  541.             }

  542. 

  543.             double_tw_extensible(&working);

  544.             if (j<t-1) {

  545.                 convert_tw_extensible_to_tw_pniels(&doubles[j], &working);

  546.             }

  547. 

  548.             for (k=0; k<s-1; k++) {

  549.                 double_tw_extensible(&working);

  550.             }

  551.         }

  552. 

  553.         /* Gray-code phase */

  554.         for (j=0;; j++) {

  555.             int gray = j ^ (j>>1);

  556.             int idx = (((i+1)<<(t-1))-1) ^ gray;

  557. 

  558.             convert_tw_extensible_to_tw_pniels(&pn_tmp, &start);

  559.             copy_tw_niels(&table[idx], &pn_tmp.n);

  560.             field_copy(&zs[idx], &pn_tmp.z);

  561. 			

  562.             if (j >= (1u<<(t-1)) - 1) break;

  563.             int delta = (j+1) ^ ((j+1)>>1) ^ gray;

  564. 

  565.             for (k=0; delta>1; k++)

  566.                 delta >>=1;

  567.             

  568.             if (gray & (1<<k)) {

  569.                 /* start += doubles[k] */

  570.                 add_tw_pniels_to_tw_extensible(&start, &doubles[k]);

  571.             } else {

  572.                 /* start -= doubles[k] */

  573.                 sub_tw_pniels_from_tw_extensible(&start, &doubles[k]);

  574.             }

  575.             

  576.             

  577.         }

  578.     }

  579. 	

  580.     simultaneous_invert(zis, zs, n<<(t-1));

  581. 

  582.     field_t product;

  583.     for (i=0; i<n<<(t-1); i++) {

  584.         field_mul(&product, &table[i].a, &zis[i]);

  585.         field_strong_reduce(&product);

  586.         field_copy(&table[i].a, &product);

  587.         

  588.         field_mul(&product, &table[i].b, &zis[i]);

  589.         field_strong_reduce(&product);

  590.         field_copy(&table[i].b, &product);

  591.         

  592.         field_mul(&product, &table[i].c, &zis[i]);

  593.         field_strong_reduce(&product);

  594.         field_copy(&table[i].c, &product);

  595.     }

  596. 	

  597. 	mask_t ret = ~field_is_zero(&zis[0]);

  598. 

  599.     free(doubles);

  600.     free(zs);

  601.     free(zis);

  602. 

  603.     if (unlikely(!ret)) {

  604.         really_memset(table, 0, sizeof(*table) * (n<<(t-1)));

  605.         if (!prealloc) free(table);

  606.         really_memset(out, 0, sizeof(*out));

  607.         return 0;

  608.     }

  609. 

  610.     return ret;

  611. }

  612. 

  613. void

  614. destroy_fixed_base (

  615.     struct fixed_base_table_t *table

  616. ) {

  617.     if (table->table) {

  618.         really_memset(table->table,0,sizeof(*table->table)*(table->n<<(table->t-1)));

  619.     }

  620.     if (table->own_table) {

  621.         free(table->table);

  622.     }

  623.     really_memset(table,0,sizeof(*table));

  624. }

  625. 

  626. mask_t

  627. precompute_fixed_base_wnaf (

  628.     struct tw_niels_t *out,

  629.     const struct tw_extensible_t *const_base,

  630.     unsigned int tbits

  631. ) {

  632.     int i;

  633.     struct field_t *zs  = (struct field_t *) malloc_vector(sizeof(*zs)<<tbits);

  634.     struct field_t *zis = (struct field_t *) malloc_vector(sizeof(*zis)<<tbits);

  635. 

  636.     if (!zs || !zis) {

  637.         free(zs);

  638.         free(zis);

  639.         return 0;

  640.     }

  641. 

  642.     struct tw_extensible_t base;

  643.     copy_tw_extensible(&base,const_base);

  644.     

  645.     struct tw_pniels_t twop, tmp;

  646.     

  647.     convert_tw_extensible_to_tw_pniels(&tmp, &base);

  648.     field_copy(&zs[0], &tmp.z);

  649.     copy_tw_niels(&out[0], &tmp.n);

  650. 

  651.     if (tbits > 0) {

  652.         double_tw_extensible(&base);

  653.         convert_tw_extensible_to_tw_pniels(&twop, &base);

  654.         add_tw_pniels_to_tw_extensible(&base, &tmp);

  655.         

  656.         convert_tw_extensible_to_tw_pniels(&tmp, &base);

  657.         field_copy(&zs[1], &tmp.z);

  658.         copy_tw_niels(&out[1], &tmp.n);

  659. 

  660.         for (i=2; i < 1<<tbits; i++) {

  661.             add_tw_pniels_to_tw_extensible(&base, &twop);

  662.             convert_tw_extensible_to_tw_pniels(&tmp, &base);

  663.             field_copy(&zs[i], &tmp.z);

  664.             copy_tw_niels(&out[i], &tmp.n);

  665.         }

  666.     }

  667.     

  668.     simultaneous_invert(zis, zs, 1<<tbits);

  669. 

  670.     field_t product;

  671.     for (i=0; i<1<<tbits; i++) {

  672.         field_mul(&product, &out[i].a, &zis[i]);

  673.         field_strong_reduce(&product);

  674.         field_copy(&out[i].a, &product);

  675.         

  676.         field_mul(&product, &out[i].b, &zis[i]);

  677.         field_strong_reduce(&product);

  678.         field_copy(&out[i].b, &product);

  679.         

  680.         field_mul(&product, &out[i].c, &zis[i]);

  681.         field_strong_reduce(&product);

  682.         field_copy(&out[i].c, &product);

  683.     }

  684. 

  685.     free(zs);

  686.     free(zis);

  687. 

  688.     return -1;

  689. }

  690. 

  691. /**

  692.  * @cond internal

  693.  * Control for variable-time scalar multiply algorithms.

  694.  */

  695. struct smvt_control {

  696.   int power, addend;

  697. };

  698. 

  699. static int

  700. recode_wnaf(

  701.     struct smvt_control *control, /* [nbits/(tableBits+1) + 3] */

  702.     const word_t *scalar,

  703.     unsigned int nbits,

  704.     unsigned int tableBits)

  705. {

  706.     int current = 0, i, j;

  707.     unsigned int position = 0;

  708. 

  709.     /* PERF: negate scalar if it's large

  710.      * PERF: this is a pretty simplistic algorithm.  I'm sure there's a faster one...

  711.      */

  712.     for (i=nbits-1; i >= 0; i--) {

  713.         int bit = (scalar[i/WORD_BITS] >> (i%WORD_BITS)) & 1;

  714.         current = 2*current + bit;

  715. 

  716.         /*

  717.          * Sizing: |current| >= 2^(tableBits+1) -> |current| = 2^0

  718.          * So current loses (tableBits+1) bits every time.  It otherwise gains

  719.          * 1 bit per iteration.  The number of iterations is

  720.          * (nbits + 2 + tableBits), and an additional control word is added at

  721.          * the end.  So the total number of control words is at most

  722.          * ceil((nbits+1) / (tableBits+1)) + 2 = floor((nbits)/(tableBits+1)) + 2.

  723.          * There's also the stopper with power -1, for a total of +3.

  724.          */

  725.         if (current >= (2<<tableBits) || current <= -1 - (2<<tableBits)) {

  726.             int delta = (current + 1) >> 1; /* |delta| < 2^tablebits */

  727.             current = -(current & 1);

  728. 

  729.             for (j=i; (delta & 1) == 0; j++) {

  730.                 delta >>= 1;

  731.             }

  732.             control[position].power = j+1;

  733.             control[position].addend = delta;

  734.             position++;

  735.             assert(position <= nbits/(tableBits+1) + 2);

  736.         }

  737.     }

  738.     

  739.     if (current) {

  740.         for (j=0; (current & 1) == 0; j++) {

  741.             current >>= 1;

  742.         }

  743.         control[position].power = j;

  744.         control[position].addend = current;

  745.         position++;

  746.         assert(position <= nbits/(tableBits+1) + 2);

  747.     }

  748.     

  749.   

  750.     control[position].power = -1;

  751.     control[position].addend = 0;

  752.     return position;

  753. }

  754. 

  755. 

  756. static void

  757. prepare_wnaf_table(

  758.     struct tw_pniels_t *output,

  759.     struct tw_extensible_t *working,

  760.     unsigned int tbits

  761. ) {

  762.     convert_tw_extensible_to_tw_pniels(&output[0], working);

  763. 

  764.     if (tbits == 0) return;

  765. 

  766.     double_tw_extensible(working);

  767.     struct tw_pniels_t twop;

  768.     convert_tw_extensible_to_tw_pniels(&twop, working);

  769. 

  770.     add_tw_pniels_to_tw_extensible(working, &output[0]);

  771.     convert_tw_extensible_to_tw_pniels(&output[1], working);

  772. 

  773.     for (int i=2; i < 1<<tbits; i++) {

  774.         add_tw_pniels_to_tw_extensible(working, &twop);

  775.         convert_tw_extensible_to_tw_pniels(&output[i], working);

  776.     }

  777. }

  778. 

  779. void

  780. scalarmul_vt (

  781.     struct tw_extensible_t *working,

  782.     const word_t scalar[SCALAR_WORDS],

  783.     unsigned int nbits

  784. ) {

  785.     const int table_bits = SCALARMUL_WNAF_TABLE_BITS;

  786.     struct smvt_control control[nbits/(table_bits+1)+3];

  787.     

  788.     int control_bits = recode_wnaf(control, scalar, nbits, table_bits);

  789.   

  790.     struct tw_pniels_t precmp[1<<table_bits];

  791.     prepare_wnaf_table(precmp, working, table_bits);

  792.   

  793.     if (control_bits > 0) {

  794.         assert(control[0].addend > 0);

  795.         assert(control[0].power >= 0);

  796.         convert_tw_pniels_to_tw_extensible(working, &precmp[control[0].addend >> 1]);

  797.     } else {

  798.         set_identity_tw_extensible(working);

  799.         return;

  800.     }

  801.   

  802.     int conti = 1, i;

  803.     for (i = control[0].power - 1; i >= 0; i--) {

  804.         double_tw_extensible(working);

  805. 

  806.         if (i == control[conti].power) {

  807.             assert(control[conti].addend);

  808. 

  809.             if (control[conti].addend > 0) {

  810.                 add_tw_pniels_to_tw_extensible(working, &precmp[control[conti].addend >> 1]);

  811.             } else {

  812.                 sub_tw_pniels_from_tw_extensible(working, &precmp[(-control[conti].addend) >> 1]);

  813.             }

  814.             conti++;

  815.             assert(conti <= control_bits);

  816.         }

  817.     }

  818. }

  819. 

  820. void

  821. scalarmul_fixed_base_wnaf_vt (

  822.     struct tw_extensible_t *working,

  823.     const word_t scalar[SCALAR_WORDS],

  824.     unsigned int nbits,

  825.     const struct tw_niels_t *precmp,

  826.     unsigned int table_bits

  827. ) {

  828.     struct smvt_control control[nbits/(table_bits+1)+3];

  829.     

  830.     int control_bits = recode_wnaf(control, scalar, nbits, table_bits);

  831.   

  832.     if (control_bits > 0) {

  833.         assert(control[0].addend > 0);

  834.         assert(control[0].power >= 0);

  835.         convert_tw_niels_to_tw_extensible(working, &precmp[control[0].addend >> 1]);

  836.     } else {

  837.         set_identity_tw_extensible(working);

  838.         return;

  839.     }

  840.   

  841.     int conti = 1, i;

  842.     for (; control[conti].power >= 0; conti++) {

  843.         assert(conti <= control_bits);

  844.         for (i = control[conti-1].power - control[conti].power; i; i--) {

  845.             double_tw_extensible(working);

  846.         }

  847.         

  848.         assert(control[conti].addend);

  849.         if (control[conti].addend > 0) {

  850.             add_tw_niels_to_tw_extensible(working, &precmp[control[conti].addend >> 1]);

  851.         } else {

  852.             sub_tw_niels_from_tw_extensible(working, &precmp[(-control[conti].addend) >> 1]);

  853.         }

  854.     }

  855. 

  856.     for (i = control[conti-1].power; i; i--) {

  857.         double_tw_extensible(working);

  858.     }

  859. }

  860. 

  861. void

  862. linear_combo_var_fixed_vt(

  863.     struct tw_extensible_t *working,

  864.     const word_t scalar_var[SCALAR_WORDS],

  865.     unsigned int nbits_var,

  866.     const word_t scalar_pre[SCALAR_WORDS],

  867.     unsigned int nbits_pre,

  868.     const struct tw_niels_t *precmp,

  869.     unsigned int table_bits_pre

  870. ) {

  871.     const int table_bits_var = SCALARMUL_WNAF_COMBO_TABLE_BITS;

  872.     struct smvt_control control_var[nbits_var/(table_bits_var+1)+3];

  873.     struct smvt_control control_pre[nbits_pre/(table_bits_pre+1)+3];

  874.     

  875.     int ncb_var = recode_wnaf(control_var, scalar_var, nbits_var, table_bits_var);

  876.     int ncb_pre = recode_wnaf(control_pre, scalar_pre, nbits_pre, table_bits_pre);

  877.     (void)ncb_var;

  878.     (void)ncb_pre;

  879.   

  880.     struct tw_pniels_t precmp_var[1<<table_bits_var];

  881.     prepare_wnaf_table(precmp_var, working, table_bits_var);

  882.   

  883.     int contp=0, contv=0, i;

  884.   

  885.     i = control_var[0].power;

  886.     if (i > control_pre[0].power) {

  887.         convert_tw_pniels_to_tw_extensible(working, &precmp_var[control_var[0].addend >> 1]);

  888.         contv++;

  889.     } else if (i == control_pre[0].power && i >=0 ) {

  890.         convert_tw_pniels_to_tw_extensible(working, &precmp_var[control_var[0].addend >> 1]);

  891.         add_tw_niels_to_tw_extensible(working, &precmp[control_pre[0].addend >> 1]);

  892.         contv++; contp++;

  893.     } else {

  894.         i = control_pre[0].power;

  895.         convert_tw_niels_to_tw_extensible(working, &precmp[control_pre[0].addend >> 1]);

  896.         contp++;

  897.     }

  898.     

  899.     if (i < 0) {

  900.         set_identity_tw_extensible(working);

  901.         return;

  902.     }

  903.     

  904.     for (i--; i >= 0; i--) {

  905.         double_tw_extensible(working);

  906. 

  907.         if (i == control_var[contv].power) {

  908.             assert(control_var[contv].addend);

  909. 

  910.             if (control_var[contv].addend > 0) {

  911.                 add_tw_pniels_to_tw_extensible(working, &precmp_var[control_var[contv].addend >> 1]);

  912.             } else {

  913.                 sub_tw_pniels_from_tw_extensible(working, &precmp_var[(-control_var[contv].addend) >> 1]);

  914.             }

  915.             contv++;

  916.         }

  917. 

  918.         if (i == control_pre[contp].power) {

  919.             assert(control_pre[contp].addend);

  920. 

  921.             if (control_pre[contp].addend > 0) {

  922.                 add_tw_niels_to_tw_extensible(working, &precmp[control_pre[contp].addend >> 1]);

  923.             } else {

  924.                 sub_tw_niels_from_tw_extensible(working, &precmp[(-control_pre[contp].addend) >> 1]);

  925.             }

  926.             contp++;

  927.         }

  928.     }

  929.     

  930.     assert(contv == ncb_var);

  931.     assert(contp == ncb_pre);

  932. }

  933. 

  934.