jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
52 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 93e866bb8c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '93e866bb8c'
${ noResults }
ed448goldilocks/src/scalarmul.c

942 lines
27 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "word.h"

  6. 

  7. #include <stdlib.h>

  8. #include <limits.h>

  9. #include <string.h>

  10. 

  11. #include "intrinsics.h"

  12. #include "scalarmul.h"

  13. #include "barrett_field.h"

  14. #include "constant_time.h"

  15. 

  16. mask_t

  17. montgomery_ladder (

  18.     field_a_t out,

  19.     const field_a_t in,

  20.     const word_t *scalar,

  21.     unsigned int nbits,

  22.     unsigned int n_extra_doubles

  23. ) { 

  24.     montgomery_a_t mont;

  25.     deserialize_montgomery(mont, in);

  26.     

  27.     int i,j,n=(nbits-1)%WORD_BITS;

  28.     mask_t pflip = 0;

  29.     for (j=(nbits+WORD_BITS-1)/WORD_BITS-1; j>=0; j--) {

  30.         word_t w = scalar[j];

  31.         for (i=n; i>=0; i--) {

  32.             mask_t flip = -((w>>i)&1);

  33.             constant_time_cond_swap(mont->xa,mont->xd,sizeof(mont->xd),flip^pflip);

  34.             constant_time_cond_swap(mont->za,mont->zd,sizeof(mont->xd),flip^pflip);

  35.             montgomery_step(mont);

  36.             pflip = flip;

  37.         }

  38.         n = WORD_BITS-1;

  39.     }

  40.     constant_time_cond_swap(mont->xa,mont->xd,sizeof(mont->xd),pflip);

  41.     constant_time_cond_swap(mont->za,mont->zd,sizeof(mont->xd),pflip);

  42.     

  43.     assert(n_extra_doubles < INT_MAX);

  44.     for (j=0; j<(int)n_extra_doubles; j++) {

  45.         montgomery_step(mont);

  46.     }

  47.     

  48.     return serialize_montgomery(out, mont, in);

  49. }

  50. 

  51. static __inline__ void

  52. __attribute__((unused,always_inline))

  53. constant_time_lookup_tw_pniels (

  54.     tw_pniels_a_t out,

  55.     const tw_pniels_a_t *in,

  56.     int nin,

  57.     int idx

  58. ) {

  59.     constant_time_lookup(out,in,sizeof(*out),nin,idx);

  60. }

  61. 

  62. static __inline__ void

  63. __attribute__((unused,always_inline))

  64. constant_time_lookup_tw_niels (

  65.     tw_niels_a_t out,

  66.     const tw_niels_a_t *in,

  67.     int nin,

  68.     int idx

  69. ) {

  70.     constant_time_lookup(out,in,sizeof(*out),nin,idx);

  71. }

  72. 

  73. /*

  74. static __inline__ void

  75. constant_time_lookup_tw_pniels (

  76.     tw_pniels_a_t out,

  77.     const tw_pniels_a_t in,

  78.     int nin,

  79.     int idx

  80. ) {

  81.     big_register_t big_one = br_set_to_mask(1), big_i = br_set_to_mask(idx);

  82.     big_register_t *o = (big_register_t *)out;

  83.     const big_register_t *i = (const big_register_t *)in;

  84.     int j;

  85.     unsigned int k;

  86.     

  87.     really_memset(out, 0, sizeof(*out));

  88.     for (j=0; j<nin; j++, big_i-=big_one) {

  89.         big_register_t mask = br_is_zero(big_i);

  90.         for (k=0; k<sizeof(*out)/sizeof(*o); k++) {

  91.             o[k] |= mask & i[k+j*sizeof(*out)/sizeof(*o)];

  92.         }

  93.     }

  94. }

  95. 

  96. static __inline__ void

  97. constant_time_lookup_tw_niels (

  98.     tw_niels_a_t out,

  99.     const tw_niels_a_t in,

  100.     int nin,

  101.     int idx

  102. ) {

  103.     big_register_t big_one = br_set_to_mask(1), big_i = br_set_to_mask(idx);

  104.     big_register_t *o = (big_register_t *)out;

  105.     const big_register_t *i = (const big_register_t *)in;

  106.     int j;

  107.     unsigned int k;

  108.     

  109.     really_memset(out, 0, sizeof(*out));

  110.     for (j=0; j<nin; j++, big_i-=big_one) {

  111.         big_register_t mask = br_is_zero(big_i);

  112.         for (k=0; k<sizeof(*out)/sizeof(*o); k++) {

  113.             o[k] |= mask & i[k+j*sizeof(*out)/sizeof(*o)];

  114.         }

  115.     }

  116. }

  117. */

  118. 

  119. static void

  120. convert_to_signed_window_form (

  121.     word_t *out,

  122.     const word_t *scalar,

  123.     int nwords_scalar,

  124.     const word_t *prepared_data,

  125.     int nwords_pd

  126. ) {

  127.     assert(nwords_pd <= nwords_scalar);

  128.     mask_t mask = -(scalar[0]&1);

  129. 

  130.     word_t carry = add_nr_ext_packed(out, scalar, nwords_scalar, prepared_data, nwords_pd, ~mask);

  131.     carry += add_nr_ext_packed(out, out, nwords_scalar, prepared_data+nwords_pd, nwords_pd, mask);

  132.     

  133.     assert(!(out[0]&1));

  134.     

  135.     int i;

  136.     for (i=0; i<nwords_scalar; i++) {

  137.         out[i] >>= 1;

  138.         if (i<nwords_scalar-1) {

  139.             out[i] |= out[i+1]<<(WORD_BITS-1);

  140.         } else {

  141.             out[i] |= carry<<(WORD_BITS-1);

  142.         }

  143.     }

  144. }

  145. 

  146. void

  147. scalarmul (

  148.     tw_extensible_a_t working,

  149.     const word_t scalar[SCALAR_WORDS]

  150. ) {

  151.     const int WINDOW = SCALARMUL_FIXED_WINDOW_SIZE,

  152.         WINDOW_MASK = (1<<WINDOW)-1, WINDOW_T_MASK = WINDOW_MASK >> 1,

  153.         NTABLE = 1<<(WINDOW-1),

  154.         nbits = ROUND_UP(SCALAR_BITS,WINDOW);

  155.     

  156.     word_t scalar2[SCALAR_WORDS];

  157.     convert_to_signed_window_form (

  158.         scalar2, scalar, SCALAR_WORDS,

  159.         SCALARMUL_FIXED_WINDOW_ADJUSTMENT, SCALAR_WORDS

  160.     );

  161. 

  162.     tw_extensible_a_t tabulator;

  163.     copy_tw_extensible(tabulator, working);

  164.     double_tw_extensible(tabulator);

  165. 

  166.     tw_pniels_a_t

  167. 	  pn VECTOR_ALIGNED,

  168. 	  multiples[NTABLE] VECTOR_ALIGNED;

  169.     convert_tw_extensible_to_tw_pniels(pn, tabulator);

  170.     convert_tw_extensible_to_tw_pniels(multiples[0], working);

  171. 

  172.     int i,j;

  173.     for (i=1; i<NTABLE; i++) {

  174.         add_tw_pniels_to_tw_extensible(working, pn);

  175.         convert_tw_extensible_to_tw_pniels(multiples[i], working);

  176.     }

  177. 

  178.     i = nbits - WINDOW;

  179.     int bits = scalar2[i/WORD_BITS] >> (i%WORD_BITS) & WINDOW_MASK,

  180.         inv = (bits>>(WINDOW-1))-1;

  181.     bits ^= inv;

  182.     

  183.     constant_time_lookup_tw_pniels(pn, multiples, NTABLE, bits & WINDOW_T_MASK);

  184.     cond_negate_tw_pniels(pn, inv);

  185.     convert_tw_pniels_to_tw_extensible(working, pn);

  186. 		

  187. 

  188.     for (i-=WINDOW; i>=0; i-=WINDOW) {

  189.         for (j=0; j<WINDOW; j++) {

  190.             double_tw_extensible(working);

  191.         }

  192. 

  193.         bits = scalar2[i/WORD_BITS] >> (i%WORD_BITS);

  194.         

  195.         if (i/WORD_BITS < SCALAR_WORDS-1 && i%WORD_BITS >= WORD_BITS-WINDOW) {

  196.             bits ^= scalar2[i/WORD_BITS+1] << (WORD_BITS - (i%WORD_BITS));

  197.         }

  198.                 

  199.         bits &= WINDOW_MASK;

  200.         inv = (bits>>(WINDOW-1))-1;

  201.         bits ^= inv;

  202.     

  203.         constant_time_lookup_tw_pniels(pn, multiples, NTABLE, bits & WINDOW_T_MASK);

  204.         cond_negate_tw_pniels(pn, inv);

  205.         add_tw_pniels_to_tw_extensible(working, pn);

  206.     }

  207. }

  208. 

  209. void

  210. scalarmul_vlook (

  211.     tw_extensible_a_t working,

  212.     const word_t scalar[SCALAR_WORDS]

  213. ) {    

  214.     const int WINDOW = SCALARMUL_FIXED_WINDOW_SIZE,

  215.         WINDOW_MASK = (1<<WINDOW)-1, WINDOW_T_MASK = WINDOW_MASK >> 1,

  216.         NTABLE = 1<<(WINDOW-1),

  217.         nbits = ROUND_UP(SCALAR_BITS,WINDOW);

  218.     

  219.     word_t scalar2[SCALAR_WORDS];

  220.     convert_to_signed_window_form(

  221.         scalar2, scalar, SCALAR_WORDS,

  222.         SCALARMUL_FIXED_WINDOW_ADJUSTMENT, SCALAR_WORDS

  223.     );

  224. 

  225. 

  226.     tw_extensible_a_t tabulator;

  227.     copy_tw_extensible(tabulator, working);

  228.     double_tw_extensible(tabulator);

  229. 

  230.     tw_pniels_a_t

  231. 	  pn VECTOR_ALIGNED,

  232. 	  multiples[NTABLE] VECTOR_ALIGNED;

  233.     convert_tw_extensible_to_tw_pniels(pn, tabulator);

  234.     convert_tw_extensible_to_tw_pniels(multiples[0], working);

  235. 

  236.     int i,j;

  237.     for (i=1; i<NTABLE; i++) {

  238.         add_tw_pniels_to_tw_extensible(working, pn);

  239.         convert_tw_extensible_to_tw_pniels(multiples[i], working);

  240.     }

  241. 

  242.     i = nbits - WINDOW;

  243.     int bits = scalar2[i/WORD_BITS] >> (i%WORD_BITS) & WINDOW_MASK,

  244.         inv = (bits>>(WINDOW-1))-1;

  245.     bits ^= inv;

  246. 

  247.     copy_tw_pniels(pn, multiples[bits & WINDOW_T_MASK]);

  248.     cond_negate_tw_pniels(pn, inv);

  249.     convert_tw_pniels_to_tw_extensible(working, pn);

  250. 		

  251. 

  252.     for (i-=WINDOW; i>=0; i-=WINDOW) {

  253.         for (j=0; j<WINDOW; j++) {

  254.             double_tw_extensible(working);

  255.         }

  256. 

  257.         bits = scalar2[i/WORD_BITS] >> (i%WORD_BITS);

  258.         

  259.         if (i/WORD_BITS < SCALAR_WORDS-1 && i%WORD_BITS >= WORD_BITS-WINDOW) {

  260.             bits ^= scalar2[i/WORD_BITS+1] << (WORD_BITS - (i%WORD_BITS));

  261.         }

  262.                 

  263.         bits &= WINDOW_MASK;

  264.         inv = (bits>>(WINDOW-1))-1;

  265.         bits ^= inv;

  266.     

  267.         copy_tw_pniels(pn, multiples[bits & WINDOW_T_MASK]);

  268.         cond_negate_tw_pniels(pn, inv);

  269.         add_tw_pniels_to_tw_extensible(working, pn);

  270.     }

  271. }

  272. 

  273. static mask_t

  274. schedule_scalar_for_combs (

  275.     word_t *scalar2,

  276.     const word_t *scalar,

  277.     unsigned int nbits,

  278.     const struct fixed_base_table_t* table

  279. ) {

  280.     unsigned int i;

  281.     unsigned int n = table->n, t = table->t, s = table->s;

  282.     

  283.     if (n*t*s < nbits || n < 1 || t < 1 || s < 1) {

  284.         return MASK_FAILURE;

  285.     }

  286.     

  287.     unsigned int scalar_words = (nbits + WORD_BITS - 1)/WORD_BITS,

  288.         scalar2_words = scalar_words;

  289.     if (scalar2_words < SCALAR_WORDS)

  290.         scalar2_words = SCALAR_WORDS;

  291.     word_t scalar3[scalar2_words];

  292.     

  293.     /* Copy scalar to scalar3, but clear its high bits (if there are any) */

  294.     for (i=0; i<scalar_words; i++) {

  295.         scalar3[i] = scalar[i];

  296.     }

  297.     if (likely(i) && (nbits % WORD_BITS)) {

  298.         scalar3[i-1] &= (((word_t)1) << (nbits%WORD_BITS)) - 1;

  299.     }

  300.     for (; i<scalar2_words; i++) {

  301.         scalar3[i] = 0;

  302.     }

  303.     

  304.     convert_to_signed_window_form (

  305.         scalar2,

  306.         scalar3, scalar2_words,

  307.         table->scalar_adjustments , SCALAR_WORDS

  308.     );

  309.     

  310.     return MASK_SUCCESS;

  311. }

  312. 

  313. mask_t

  314. scalarmul_fixed_base (

  315.     tw_extensible_a_t out,

  316.     const word_t scalar[SCALAR_WORDS],

  317.     unsigned int nbits,

  318.     const struct fixed_base_table_t* table

  319. ) {

  320.     unsigned int i,j,k;

  321.     unsigned int n = table->n, t = table->t, s = table->s;

  322.     

  323.     unsigned int scalar2_words = (nbits + WORD_BITS - 1)/WORD_BITS;

  324.     if (scalar2_words < SCALAR_WORDS) scalar2_words = SCALAR_WORDS;

  325.     

  326.     word_t scalar2[scalar2_words];

  327. 

  328.     mask_t succ = schedule_scalar_for_combs(scalar2, scalar, nbits, table);

  329.     if (!succ) return MASK_FAILURE;

  330.     

  331. #ifdef __clang_analyzer__

  332.     assert(t >= 1);

  333. #endif

  334.     

  335.     tw_niels_a_t ni;

  336.     

  337.     for (i=0; i<s; i++) {

  338.         if (i) double_tw_extensible(out);

  339.         

  340.         for (j=0; j<n; j++) {

  341.             int tab = 0;

  342. 			

  343. 			/*

  344.              * PERF: This computation takes about 1.5µs on SBR, i.e. 2-3% of the

  345. 			 * time of a keygen or sign op.  Surely it is possible to speed it up.

  346.              */

  347.             for (k=0; k<t; k++) {

  348.                 unsigned int bit = (s-1-i) + k*s + j*(s*t);

  349.                 if (bit < scalar2_words * WORD_BITS) {

  350.                     tab |= (scalar2[bit/WORD_BITS] >> (bit%WORD_BITS) & 1) << k;

  351.                 }

  352.             }

  353.             

  354.             mask_t invert = (tab>>(t-1))-1;

  355.             tab ^= invert;

  356.             tab &= (1<<(t-1)) - 1;

  357.             

  358.             constant_time_lookup_tw_niels(ni, table->table + (j<<(t-1)), 1<<(t-1), tab);

  359.             cond_negate_tw_niels(ni, invert);

  360.             if (i||j) {

  361.                 add_tw_niels_to_tw_extensible(out, ni);

  362.             } else {

  363.                 convert_tw_niels_to_tw_extensible(out, ni);

  364.             }

  365.         }

  366.     }

  367.     

  368.     return MASK_SUCCESS;

  369. }

  370. 

  371. mask_t

  372. linear_combo_combs_vt (

  373.     tw_extensible_a_t out,

  374.     const word_t scalar1[SCALAR_WORDS],

  375.     unsigned int nbits1,

  376.     const struct fixed_base_table_t* table1,

  377.     const word_t scalar2[SCALAR_WORDS],

  378.     unsigned int nbits2,

  379.     const struct fixed_base_table_t* table2

  380. ) { 

  381.     unsigned int i,j,k,sc;

  382.     unsigned int s1 = table1->s, s2 = table2->s, smax = (s1 > s2) ? s1 : s2;

  383.     

  384.     unsigned int scalar1b_words = (nbits1 + WORD_BITS - 1)/WORD_BITS;

  385.     if (scalar1b_words < SCALAR_WORDS) scalar1b_words = SCALAR_WORDS;

  386.     

  387.     unsigned int scalar2b_words = (nbits2 + WORD_BITS - 1)/WORD_BITS;

  388.     if (scalar2b_words < SCALAR_WORDS) scalar2b_words = SCALAR_WORDS;

  389.     

  390.     word_t scalar1b[scalar1b_words], scalar2b[scalar2b_words];

  391. 

  392.     /* Schedule the scalars */

  393.     mask_t succ;

  394.     succ = schedule_scalar_for_combs(scalar1b, scalar1, nbits1, table1);

  395.     if (!succ) return MASK_FAILURE;

  396.   

  397.     succ = schedule_scalar_for_combs(scalar2b, scalar2, nbits2, table2);

  398.     if (!succ) return MASK_FAILURE;

  399. 

  400. #ifdef __clang_analyzer__

  401.     assert(table1->t >= 1);

  402.     assert(table2->t >= 1);

  403. #endif

  404.   

  405.     tw_niels_a_t ni;

  406.     

  407.     unsigned int swords[2] = {scalar1b_words, scalar2b_words}, started = 0;

  408.     word_t *scalars[2] = {scalar1b,scalar2b};

  409.     

  410.     for (i=0; i<smax; i++) {

  411.         if (i) double_tw_extensible(out);

  412.             

  413.         for (sc=0; sc<2; sc++) {

  414.             const struct fixed_base_table_t* table = sc ? table2 : table1;

  415.             

  416.             int ii = i-smax+table->s;

  417.             if (ii < 0) continue;

  418.             assert(ii < (int)table->s);

  419.         

  420.             for (j=0; j<table->n; j++) {

  421.             

  422.                 int tab = 0;

  423. 

  424.                 for (k=0; k<table->t; k++) {

  425.                     unsigned int bit = (table->s-1-ii) + k*table->s + j*(table->s*table->t);

  426.                     if (bit < swords[sc] * WORD_BITS) {

  427.                         tab |= (scalars[sc][bit/WORD_BITS] >> (bit%WORD_BITS) & 1) << k;

  428.                     }

  429.                 }

  430.             

  431.                 mask_t invert = (tab>>(table->t-1))-1;

  432.                 tab ^= invert;

  433.                 tab &= (1<<(table->t-1)) - 1;

  434.             

  435.                 copy_tw_niels(ni, table->table[tab + (j<<(table->t-1))]);

  436.                 cond_negate_tw_niels(ni,invert);

  437.                 

  438.                 if (started) {

  439.                     add_tw_niels_to_tw_extensible(out, ni);

  440.                 } else {

  441.                     convert_tw_niels_to_tw_extensible(out, ni);

  442.                     started = 1;

  443.                 }

  444.             

  445.             }

  446.         }

  447.         

  448.         assert(started);

  449.     }

  450.     

  451.     return MASK_SUCCESS;

  452. }

  453. 

  454. 

  455. mask_t

  456. precompute_fixed_base (

  457.   struct fixed_base_table_t* out,

  458.   const tw_extensible_a_t base,

  459.   unsigned int n,

  460.   unsigned int t,

  461.   unsigned int s,

  462.   tw_niels_a_t *prealloc

  463. ) {

  464.     if (s < 1 || t < 1 || n < 1 || n*t*s < SCALAR_BITS) {

  465.         really_memset(out, 0, sizeof(*out));

  466.         return 0;

  467.     }

  468.     

  469.     out->n = n;

  470.     out->t = t;

  471.     out->s = s;

  472.   

  473.     tw_extensible_a_t working, start;

  474.     copy_tw_extensible(working, base);

  475.     tw_pniels_a_t pn_tmp;

  476.   

  477.     tw_pniels_a_t *doubles = (tw_pniels_a_t *) malloc_vector(sizeof(*doubles) * (t-1));

  478.     field_a_t *zs  = (field_a_t *) malloc_vector(sizeof(*zs) * (n<<(t-1)));

  479.     field_a_t *zis = (field_a_t *) malloc_vector(sizeof(*zis) * (n<<(t-1)));

  480.     

  481.     tw_niels_a_t *table = prealloc;

  482.     if (prealloc) {

  483.         out->own_table = 0;

  484.     } else {

  485.         table = (tw_niels_a_t *) malloc_vector(sizeof(*table) * (n<<(t-1)));

  486.         out->own_table = 1;

  487.     }

  488.     out->table = table;

  489.   

  490.     if (!doubles || !zs || !zis || !table) {

  491.         free(doubles);

  492.         free(zs);

  493.         free(zis);

  494.         really_memset(out, 0, sizeof(*out));

  495.         really_memset(table, 0, sizeof(*table) * (n<<(t-1)));

  496.         if (!prealloc) free(table);

  497.         return 0;

  498.     }

  499.   

  500.     unsigned int i,j,k;

  501.     

  502.     /* Compute the scalar adjustments, equal to 2^nbits-1 mod q */

  503.     unsigned int adjustment_size = (n*t*s)/WORD_BITS + 1;

  504.     assert(adjustment_size >= SCALAR_WORDS);

  505.     word_t adjustment[adjustment_size];

  506.     for (i=0; i<adjustment_size; i++) {

  507.         adjustment[i] = -1;

  508.     }

  509.     

  510.     adjustment[(n*t*s) / WORD_BITS] += ((word_t)1) << ((n*t*s) % WORD_BITS);

  511.     

  512.     /* The low adjustment is 2^nbits - 1 mod q */

  513.     barrett_reduce(adjustment, adjustment_size, 0, &curve_prime_order);

  514.     word_t *low_adjustment = &out->scalar_adjustments[(SCALAR_WORDS)*(adjustment[0] & 1)],

  515.         *high_adjustment = &out->scalar_adjustments[(SCALAR_WORDS)*((~adjustment[0]) & 1)];

  516.     for (i=0; i<SCALAR_WORDS; i++) {

  517.         low_adjustment[i] = adjustment[i];

  518.     }

  519.     

  520.     /* The high adjustment is low + q = low - q_lo + 2^big */

  521.     (void)

  522.     sub_nr_ext_packed(

  523.         high_adjustment,

  524.         adjustment, SCALAR_WORDS,

  525.         curve_prime_order.p_lo, curve_prime_order.nwords_lo,

  526.         -1

  527.     );

  528.     if (curve_prime_order.p_shift) {

  529.         high_adjustment[curve_prime_order.nwords_p - 1] += ((word_t)1)<<curve_prime_order.p_shift;

  530.     }

  531.     

  532.     /* OK, now compute the tables */

  533.     for (i=0; i<n; i++) {

  534. 

  535.         /* doubling phase */

  536.         for (j=0; j<t; j++) {

  537.             if (j) {

  538.                 convert_tw_extensible_to_tw_pniels(pn_tmp, working);

  539.                 add_tw_pniels_to_tw_extensible(start, pn_tmp);

  540.             } else {

  541.                 copy_tw_extensible(start, working);

  542.             }

  543. 

  544.             if (j==t-1 && i==n-1) {

  545.                 break;

  546.             }

  547. 

  548.             double_tw_extensible(working);

  549.             if (j<t-1) {

  550.                 convert_tw_extensible_to_tw_pniels(doubles[j], working);

  551.             }

  552. 

  553.             for (k=0; k<s-1; k++) {

  554.                 double_tw_extensible(working);

  555.             }

  556.         }

  557. 

  558.         /* Gray-code phase */

  559.         for (j=0;; j++) {

  560.             int gray = j ^ (j>>1);

  561.             int idx = (((i+1)<<(t-1))-1) ^ gray;

  562. 

  563.             convert_tw_extensible_to_tw_pniels(pn_tmp, start);

  564.             copy_tw_niels(table[idx], pn_tmp->n);

  565.             field_copy(zs[idx], pn_tmp->z);

  566. 			

  567.             if (j >= (1u<<(t-1)) - 1) break;

  568.             int delta = (j+1) ^ ((j+1)>>1) ^ gray;

  569. 

  570.             for (k=0; delta>1; k++)

  571.                 delta >>=1;

  572.             

  573.             if (gray & (1<<k)) {

  574.                 /* start += doubles[k] */

  575.                 add_tw_pniels_to_tw_extensible(start, doubles[k]);

  576.             } else {

  577.                 /* start -= doubles[k] */

  578.                 sub_tw_pniels_from_tw_extensible(start, doubles[k]);

  579.             }

  580.             

  581.             

  582.         }

  583.     }

  584. 	

  585.     field_simultaneous_invert(zis, zs, n<<(t-1));

  586. 

  587.     field_a_t product;

  588.     for (i=0; i<n<<(t-1); i++) {

  589.         field_mul(product, table[i]->a, zis[i]);

  590.         field_strong_reduce(product);

  591.         field_copy(table[i]->a, product);

  592.         

  593.         field_mul(product, table[i]->b, zis[i]);

  594.         field_strong_reduce(product);

  595.         field_copy(table[i]->b, product);

  596.         

  597.         field_mul(product, table[i]->c, zis[i]);

  598.         field_strong_reduce(product);

  599.         field_copy(table[i]->c, product);

  600.     }

  601. 	

  602. 	mask_t ret = ~field_is_zero(zis[0]);

  603. 

  604.     free(doubles);

  605.     free(zs);

  606.     free(zis);

  607. 

  608.     if (unlikely(!ret)) {

  609.         really_memset(table, 0, sizeof(*table) * (n<<(t-1)));

  610.         if (!prealloc) free(table);

  611.         really_memset(out, 0, sizeof(*out));

  612.         return 0;

  613.     }

  614. 

  615.     return ret;

  616. }

  617. 

  618. void

  619. destroy_fixed_base (

  620.     struct fixed_base_table_t* table

  621. ) {

  622.     if (table->table) {

  623.         really_memset(table->table,0,sizeof(*table->table)*(table->n<<(table->t-1)));

  624.     }

  625.     if (table->own_table) {

  626.         free(table->table);

  627.     }

  628.     really_memset(table,0,sizeof(*table));

  629. }

  630. 

  631. mask_t

  632. precompute_fixed_base_wnaf (

  633.     tw_niels_a_t *out,

  634.     const tw_extensible_a_t const_base,

  635.     unsigned int tbits

  636. ) {

  637.     int i;

  638.     field_a_t *zs  = (field_a_t *) malloc_vector(sizeof(*zs)<<tbits);

  639.     field_a_t *zis = (field_a_t *) malloc_vector(sizeof(*zis)<<tbits);

  640. 

  641.     if (!zs || !zis) {

  642.         free(zs);

  643.         free(zis);

  644.         return 0;

  645.     }

  646. 

  647.     tw_extensible_a_t base;

  648.     copy_tw_extensible(base,const_base);

  649.     

  650.     tw_pniels_a_t twop, tmp;

  651.     

  652.     convert_tw_extensible_to_tw_pniels(tmp, base);

  653.     field_copy(zs[0], tmp->z);

  654.     copy_tw_niels(out[0], tmp->n);

  655. 

  656.     if (tbits > 0) {

  657.         double_tw_extensible(base);

  658.         convert_tw_extensible_to_tw_pniels(twop, base);

  659.         add_tw_pniels_to_tw_extensible(base, tmp);

  660.         

  661.         convert_tw_extensible_to_tw_pniels(tmp, base);

  662.         field_copy(zs[1], tmp->z);

  663.         copy_tw_niels(out[1], tmp->n);

  664. 

  665.         for (i=2; i < 1<<tbits; i++) {

  666.             add_tw_pniels_to_tw_extensible(base, twop);

  667.             convert_tw_extensible_to_tw_pniels(tmp, base);

  668.             field_copy(zs[i], tmp->z);

  669.             copy_tw_niels(out[i], tmp->n);

  670.         }

  671.     }

  672.     

  673.     field_simultaneous_invert(zis, zs, 1<<tbits);

  674. 

  675.     field_a_t product;

  676.     for (i=0; i<1<<tbits; i++) {

  677.         field_mul(product, out[i]->a, zis[i]);

  678.         field_strong_reduce(product);

  679.         field_copy(out[i]->a, product);

  680.         

  681.         field_mul(product, out[i]->b, zis[i]);

  682.         field_strong_reduce(product);

  683.         field_copy(out[i]->b, product);

  684.         

  685.         field_mul(product, out[i]->c, zis[i]);

  686.         field_strong_reduce(product);

  687.         field_copy(out[i]->c, product);

  688.     }

  689. 

  690.     free(zs);

  691.     free(zis);

  692. 

  693.     return -1;

  694. }

  695. 

  696. /**

  697.  * @cond internal

  698.  * Control for variable-time scalar multiply algorithms.

  699.  */

  700. struct smvt_control {

  701.   int power, addend;

  702. };

  703. 

  704. static int

  705. recode_wnaf(

  706.     struct smvt_control *control, /* [nbits/(tableBits+1) + 3] */

  707.     const word_t *scalar,

  708.     unsigned int nbits,

  709.     unsigned int tableBits)

  710. {

  711.     int current = 0, i, j;

  712.     unsigned int position = 0;

  713. 

  714.     /* PERF: negate scalar if it's large

  715.      * PERF: this is a pretty simplistic algorithm.  I'm sure there's a faster one...

  716.      */

  717.     for (i=nbits-1; i >= 0; i--) {

  718.         int bit = (scalar[i/WORD_BITS] >> (i%WORD_BITS)) & 1;

  719.         current = 2*current + bit;

  720. 

  721.         /*

  722.          * Sizing: |current| >= 2^(tableBits+1) -> |current| = 2^0

  723.          * So current loses (tableBits+1) bits every time.  It otherwise gains

  724.          * 1 bit per iteration.  The number of iterations is

  725.          * (nbits + 2 + tableBits), and an additional control word is added at

  726.          * the end.  So the total number of control words is at most

  727.          * ceil((nbits+1) / (tableBits+1)) + 2 = floor((nbits)/(tableBits+1)) + 2.

  728.          * There's also the stopper with power -1, for a total of +3.

  729.          */

  730.         if (current >= (2<<tableBits) || current <= -1 - (2<<tableBits)) {

  731.             int delta = (current + 1) >> 1; /* |delta| < 2^tablebits */

  732.             current = -(current & 1);

  733. 

  734.             for (j=i; (delta & 1) == 0; j++) {

  735.                 delta >>= 1;

  736.             }

  737.             control[position].power = j+1;

  738.             control[position].addend = delta;

  739.             position++;

  740.             assert(position <= nbits/(tableBits+1) + 2);

  741.         }

  742.     }

  743.     

  744.     if (current) {

  745.         for (j=0; (current & 1) == 0; j++) {

  746.             current >>= 1;

  747.         }

  748.         control[position].power = j;

  749.         control[position].addend = current;

  750.         position++;

  751.         assert(position <= nbits/(tableBits+1) + 2);

  752.     }

  753.     

  754.   

  755.     control[position].power = -1;

  756.     control[position].addend = 0;

  757.     return position;

  758. }

  759. 

  760. 

  761. static void

  762. prepare_wnaf_table(

  763.     tw_pniels_a_t *output,

  764.     tw_extensible_a_t working,

  765.     unsigned int tbits

  766. ) {

  767.     int i;

  768.     convert_tw_extensible_to_tw_pniels(output[0], working);

  769. 

  770.     if (tbits == 0) return;

  771. 

  772.     double_tw_extensible(working);

  773.     tw_pniels_a_t twop;

  774.     convert_tw_extensible_to_tw_pniels(twop, working);

  775. 

  776.     add_tw_pniels_to_tw_extensible(working, output[0]);

  777.     convert_tw_extensible_to_tw_pniels(output[1], working);

  778. 

  779.     for (i=2; i < 1<<tbits; i++) {

  780.         add_tw_pniels_to_tw_extensible(working, twop);

  781.         convert_tw_extensible_to_tw_pniels(output[i], working);

  782.     }

  783. }

  784. 

  785. void

  786. scalarmul_vt (

  787.     tw_extensible_a_t working,

  788.     const word_t scalar[SCALAR_WORDS],

  789.     unsigned int nbits

  790. ) {

  791.     const int table_bits = SCALARMUL_WNAF_TABLE_BITS;

  792.     struct smvt_control control[nbits/(table_bits+1)+3];

  793.     

  794.     int control_bits = recode_wnaf(control, scalar, nbits, table_bits);

  795.   

  796.     tw_pniels_a_t precmp[1<<table_bits];

  797.     prepare_wnaf_table(precmp, working, table_bits);

  798.   

  799.     if (control_bits > 0) {

  800.         assert(control[0].addend > 0);

  801.         assert(control[0].power >= 0);

  802.         convert_tw_pniels_to_tw_extensible(working, precmp[control[0].addend >> 1]);

  803.     } else {

  804.         set_identity_tw_extensible(working);

  805.         return;

  806.     }

  807.   

  808.     int conti = 1, i;

  809.     for (i = control[0].power - 1; i >= 0; i--) {

  810.         double_tw_extensible(working);

  811. 

  812.         if (i == control[conti].power) {

  813.             assert(control[conti].addend);

  814. 

  815.             if (control[conti].addend > 0) {

  816.                 add_tw_pniels_to_tw_extensible(working, precmp[control[conti].addend >> 1]);

  817.             } else {

  818.                 sub_tw_pniels_from_tw_extensible(working, precmp[(-control[conti].addend) >> 1]);

  819.             }

  820.             conti++;

  821.             assert(conti <= control_bits);

  822.         }

  823.     }

  824. }

  825. 

  826. void

  827. scalarmul_fixed_base_wnaf_vt (

  828.     tw_extensible_a_t working,

  829.     const word_t scalar[SCALAR_WORDS],

  830.     unsigned int nbits,

  831.     const tw_niels_a_t *precmp,

  832.     unsigned int table_bits

  833. ) {

  834.     struct smvt_control control[nbits/(table_bits+1)+3];

  835.     

  836.     int control_bits = recode_wnaf(control, scalar, nbits, table_bits);

  837.   

  838.     if (control_bits > 0) {

  839.         assert(control[0].addend > 0);

  840.         assert(control[0].power >= 0);

  841.         convert_tw_niels_to_tw_extensible(working, precmp[control[0].addend >> 1]);

  842.     } else {

  843.         set_identity_tw_extensible(working);

  844.         return;

  845.     }

  846.   

  847.     int conti = 1, i;

  848.     for (; control[conti].power >= 0; conti++) {

  849.         assert(conti <= control_bits);

  850.         for (i = control[conti-1].power - control[conti].power; i; i--) {

  851.             double_tw_extensible(working);

  852.         }

  853.         

  854.         assert(control[conti].addend);

  855.         if (control[conti].addend > 0) {

  856.             add_tw_niels_to_tw_extensible(working, precmp[control[conti].addend >> 1]);

  857.         } else {

  858.             sub_tw_niels_from_tw_extensible(working, precmp[(-control[conti].addend) >> 1]);

  859.         }

  860.     }

  861. 

  862.     for (i = control[conti-1].power; i; i--) {

  863.         double_tw_extensible(working);

  864.     }

  865. }

  866. 

  867. void

  868. linear_combo_var_fixed_vt(

  869.     tw_extensible_a_t working,

  870.     const word_t scalar_var[SCALAR_WORDS],

  871.     unsigned int nbits_var,

  872.     const word_t scalar_pre[SCALAR_WORDS],

  873.     unsigned int nbits_pre,

  874.     const tw_niels_a_t *precmp,

  875.     unsigned int table_bits_pre

  876. ) {

  877.     const int table_bits_var = SCALARMUL_WNAF_COMBO_TABLE_BITS;

  878.     struct smvt_control control_var[nbits_var/(table_bits_var+1)+3];

  879.     struct smvt_control control_pre[nbits_pre/(table_bits_pre+1)+3];

  880.     

  881.     int ncb_var = recode_wnaf(control_var, scalar_var, nbits_var, table_bits_var);

  882.     int ncb_pre = recode_wnaf(control_pre, scalar_pre, nbits_pre, table_bits_pre);

  883.     (void)ncb_var;

  884.     (void)ncb_pre;

  885.   

  886.     tw_pniels_a_t precmp_var[1<<table_bits_var];

  887.     prepare_wnaf_table(precmp_var, working, table_bits_var);

  888.   

  889.     int contp=0, contv=0, i;

  890.   

  891.     i = control_var[0].power;

  892.     if (i > control_pre[0].power) {

  893.         convert_tw_pniels_to_tw_extensible(working, precmp_var[control_var[0].addend >> 1]);

  894.         contv++;

  895.     } else if (i == control_pre[0].power && i >=0 ) {

  896.         convert_tw_pniels_to_tw_extensible(working, precmp_var[control_var[0].addend >> 1]);

  897.         add_tw_niels_to_tw_extensible(working, precmp[control_pre[0].addend >> 1]);

  898.         contv++; contp++;

  899.     } else {

  900.         i = control_pre[0].power;

  901.         convert_tw_niels_to_tw_extensible(working, precmp[control_pre[0].addend >> 1]);

  902.         contp++;

  903.     }

  904.     

  905.     if (i < 0) {

  906.         set_identity_tw_extensible(working);

  907.         return;

  908.     }

  909.     

  910.     for (i--; i >= 0; i--) {

  911.         double_tw_extensible(working);

  912. 

  913.         if (i == control_var[contv].power) {

  914.             assert(control_var[contv].addend);

  915. 

  916.             if (control_var[contv].addend > 0) {

  917.                 add_tw_pniels_to_tw_extensible(working, precmp_var[control_var[contv].addend >> 1]);

  918.             } else {

  919.                 sub_tw_pniels_from_tw_extensible(working, precmp_var[(-control_var[contv].addend) >> 1]);

  920.             }

  921.             contv++;

  922.         }

  923. 

  924.         if (i == control_pre[contp].power) {

  925.             assert(control_pre[contp].addend);

  926. 

  927.             if (control_pre[contp].addend > 0) {

  928.                 add_tw_niels_to_tw_extensible(working, precmp[control_pre[contp].addend >> 1]);

  929.             } else {

  930.                 sub_tw_niels_from_tw_extensible(working, precmp[(-control_pre[contp].addend) >> 1]);

  931.             }

  932.             contp++;

  933.         }

  934.     }

  935.     

  936.     assert(contv == ncb_var);

  937.     assert(contp == ncb_pre);

  938. }

  939. 

  940.