jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
41 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: a9e16440a2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a9e16440a2'
${ noResults }
ed448goldilocks/src/p521/arch_x86_64_r12/p521.c

491 lines
12 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. #include "p521.h"

  6. 

  7. typedef struct {

  8.   uint64x3_t lo, hi, hier;

  9. } nonad_t;

  10. 

  11. static __inline__ uint64_t is_zero(uint64_t a) {

  12.     /* let's hope the compiler isn't clever enough to optimize this. */

  13.     return (((__uint128_t)a)-1)>>64;

  14. }

  15. 

  16. static inline __uint128_t widemulu(uint64_t a, uint64_t b) {

  17.     return ((__uint128_t)(a)) * b;

  18. }

  19. 

  20. static inline __int128_t widemuls(int64_t a, int64_t b) {

  21.     return ((__int128_t)(a)) * b;

  22. }

  23.  

  24. /* This is a trick to prevent terrible register allocation by hiding things from clang's optimizer */

  25. static inline uint64_t opacify(uint64_t x) {

  26.     __asm__ volatile("" : "+r"(x));

  27.     return x;

  28. }

  29. 

  30. /* These used to be hexads, leading to 10% better performance, but there were overflow issues */

  31. static inline void nonad_mul (

  32.   nonad_t *hex,

  33.   const uint64_t *a,

  34.   const uint64_t *b

  35. ) {

  36.     __uint128_t xu, xv, xw;

  37. 

  38.     uint64_t tmp = opacify(a[2]);

  39.     xw = widemulu(tmp, b[0]);

  40.     tmp <<= 1;

  41.     xu = widemulu(tmp, b[1]);

  42.     xv = widemulu(tmp, b[2]);

  43. 

  44.     tmp = opacify(a[1]);

  45.     xw += widemulu(tmp, b[1]);

  46.     xv += widemulu(tmp, b[0]);

  47.     tmp <<= 1;

  48.     xu += widemulu(tmp, b[2]);

  49. 

  50.     tmp = opacify(a[0]);

  51.     xu += widemulu(tmp, b[0]);

  52.     xv += widemulu(tmp, b[1]);

  53.     xw += widemulu(tmp, b[2]);

  54. 

  55.     uint64x3_t

  56.     lo = { (uint64_t)(xu), (uint64_t)(xv), (uint64_t)(xw), 0 },

  57.     hi = { (uint64_t)(xu>>64), (uint64_t)(xv>>64), (uint64_t)(xw>>64), 0 };

  58. 

  59.     hex->hier = hi>>52;

  60.     hex->hi = (hi<<12)>>6 | lo>>58;

  61.     hex->lo = lo & mask58;

  62. }

  63. 

  64. static inline void hexad_mul_signed (

  65.   nonad_t *hex,

  66.   const int64_t *a,

  67.   const int64_t *b

  68. ) {

  69.     __int128_t xu, xv, xw;

  70. 

  71.     int64_t tmp = opacify(a[2]);

  72.     xw = widemuls(tmp, b[0]);

  73.     tmp <<= 1;

  74.     xu = widemuls(tmp, b[1]);

  75.     xv = widemuls(tmp, b[2]);

  76. 

  77.     tmp = opacify(a[1]);

  78.     xw += widemuls(tmp, b[1]);

  79.     xv += widemuls(tmp, b[0]);

  80.     tmp <<= 1;

  81.     xu += widemuls(tmp, b[2]);

  82. 

  83.     tmp = opacify(a[0]);

  84.     xu += widemuls(tmp, b[0]);

  85.     xv += widemuls(tmp, b[1]);

  86.     xw += widemuls(tmp, b[2]);

  87. 

  88.     uint64x3_t

  89.     lo = { (uint64_t)(xu), (uint64_t)(xv), (uint64_t)(xw), 0 },

  90.     hi = { (uint64_t)(xu>>64), (uint64_t)(xv>>64), (uint64_t)(xw>>64), 0 };

  91. 

  92.     /*

  93.     hex->hier = (uint64x4_t)((int64x4_t)hi>>52);

  94.     hex->hi = (hi<<12)>>6 | lo>>58;

  95.     hex->lo = lo & mask58;

  96.     */

  97.     

  98.     hex->hi = hi<<6 | lo>>58;

  99.     hex->lo = lo & mask58;

  100. }

  101. 

  102. static inline void nonad_sqr (

  103.   nonad_t *hex,

  104.   const uint64_t *a

  105. ) {

  106.     __uint128_t xu, xv, xw;

  107. 

  108.     int64_t tmp = a[2];

  109.     tmp <<= 1;

  110.     xw = widemulu(tmp, a[0]);

  111.     xv = widemulu(tmp, a[2]);

  112.     tmp <<= 1;

  113.     xu = widemulu(tmp, a[1]);

  114. 

  115.     tmp = a[1];

  116.     xw += widemulu(tmp, a[1]);

  117.     tmp <<= 1;

  118.     xv += widemulu(tmp, a[0]);

  119. 

  120.     tmp = a[0];

  121.     xu += widemulu(tmp, a[0]);

  122. 

  123.     uint64x3_t

  124.     lo = { (uint64_t)(xu), (uint64_t)(xv), (uint64_t)(xw), 0 },

  125.     hi = { (uint64_t)(xu>>64), (uint64_t)(xv>>64), (uint64_t)(xw>>64), 0 };

  126. 

  127.     hex->hier = hi>>52;

  128.     hex->hi = (hi<<12)>>6 | lo>>58;

  129.     hex->lo = lo & mask58;

  130. }

  131. 

  132. static inline void hexad_sqr_signed (

  133.   nonad_t *hex,

  134.   const int64_t *a

  135. ) {

  136.     __uint128_t xu, xv, xw;

  137. 

  138.     int64_t tmp = a[2];

  139.     tmp <<= 1;

  140.     xw = widemuls(tmp, a[0]);

  141.     xv = widemuls(tmp, a[2]);

  142.     tmp <<= 1;

  143.     xu = widemuls(tmp, a[1]);

  144. 

  145.     tmp = a[1];

  146.     xw += widemuls(tmp, a[1]);

  147.     tmp <<= 1;

  148.     xv += widemuls(tmp, a[0]);

  149. 

  150.     tmp = a[0];

  151.     xu += widemuls(tmp, a[0]);

  152. 

  153.     uint64x3_t

  154.     lo = { (uint64_t)(xu), (uint64_t)(xv), (uint64_t)(xw), 0 },

  155.     hi = { (uint64_t)(xu>>64), (uint64_t)(xv>>64), (uint64_t)(xw>>64), 0 };

  156. 

  157. 

  158.     /*

  159.     hex->hier = (uint64x4_t)((int64x4_t)hi>>52);

  160.     hex->hi = (hi<<12)>>6 | lo>>58;

  161.     hex->lo = lo & mask58;

  162.     */

  163.     

  164.     hex->hi = hi<<6 | lo>>58;

  165.     hex->lo = lo & mask58;

  166. }

  167. 

  168. 

  169. 

  170. void

  171. p521_mul (

  172.     p521_t *__restrict__ cs,

  173.     const p521_t *as,

  174.     const p521_t *bs

  175. ) {

  176.     int i;

  177.     

  178. #if 0

  179.     assert(as->limb[3] == 0 && as->limb[7] == 0 && as->limb[11] == 0);

  180.     assert(bs->limb[3] == 0 && bs->limb[7] == 0 && bs->limb[11] == 0);

  181.     for (i=0; i<12; i++) {

  182.         assert(as->limb[i] < 5ull<<57);

  183.         assert(bs->limb[i] < 5ull<<57);

  184.     }

  185. #endif

  186.     

  187.     /* Bounds on the hexads and nonads.

  188.      *

  189.      * Limbs < 2<<58 + ep.

  190.      * Nonad mul < 1<<58, 1<<58, tiny

  191.      * -> t0 < (3,2,2)<<58 + tiny

  192.      * t1,t2 < 2<<58 + tiny

  193.      *   * w < (4,2,2)

  194.      * Hexad mul < +- (5,4,3) * 4<<116 -> 2^58 lo, +- (5,4,3) * 4<<58+ep

  195.      * TimesW < (2,1,1)<<58, (6,5,4)*4<<58 + ep

  196.     

  197.      * ot2 = t0 + timesW(t2 + t1 - acdf.hi - bcef.lo);

  198.          == (3,2,2) + (4,2,2) + (4,2,2) +- (6,5,4)*4 - (1) << 58

  199.          in (-25, +35) << 58

  200. 

  201.     uint64x3_t ot0 = t0 + timesW(t2 + t1 - acdf.hi - bcef.lo);

  202.     uint64x3_t ot1 = t0 + t1 - abde.lo + timesW(t2 - bcef.hi);

  203.     uint64x3_t ot2 = t0 + t1 + t2 - abde.hi - acdf.lo + vhi2;

  204.      

  205.      */

  206.     

  207.     

  208.     uint64_t *c = cs->limb;

  209.     const uint64_t *a = as->limb, *b = bs->limb;

  210. 

  211.     nonad_t ad, be, cf, abde, bcef, acdf;

  212.     nonad_mul(&ad, &a[0], &b[0]);

  213.     nonad_mul(&be, &a[4], &b[4]);

  214.     nonad_mul(&cf, &a[8], &b[8]);

  215. 

  216.     uint64_t amt = 26;

  217.     uint64x3_t vhi = { amt*((1ull<<58)-1), amt*((1ull<<58)-1), amt*((1ull<<58)-1), 0 },

  218.     vhi2 = { 0, 0, -amt<<57, 0 };

  219. 

  220.     uint64x3_t t2 = cf.lo + be.hi + ad.hier, t0 = ad.lo + timesW(cf.hi + be.hier) + vhi, t1 = ad.hi + be.lo + timesW(cf.hier);

  221. 

  222.     int64_t ta[4] VECTOR_ALIGNED, tb[4] VECTOR_ALIGNED;

  223.     // it seems to be faster not to vectorize these loops

  224.     for (i=0; i<3; i++) {

  225.         ta[i] = a[i]-a[i+4];

  226.         tb[i] = b[i]-b[i+4];

  227.     }

  228.     hexad_mul_signed(&abde,ta,tb);

  229. 

  230.     for (i=0; i<3; i++) {

  231.         ta[i] = a[i+4]-a[i+8];

  232.         tb[i] = b[i+4]-b[i+8];

  233.     }

  234.     hexad_mul_signed(&bcef,ta,tb);

  235. 

  236.     for (i=0; i<3; i++) {

  237.         ta[i] = a[i]-a[i+8];

  238.         tb[i] = b[i]-b[i+8];

  239.     }

  240.     hexad_mul_signed(&acdf,ta,tb);

  241. 

  242.     uint64x3_t ot0 = t0 + timesW(t2 + t1 - acdf.hi - bcef.lo);

  243.     uint64x3_t ot1 = t0 + t1 - abde.lo + timesW(t2 - bcef.hi);

  244.     uint64x3_t ot2 = t0 + t1 + t2 - abde.hi - acdf.lo + vhi2;

  245. 

  246.     uint64x3_t out0 = (ot0 & mask58) + timesW(ot2>>58);

  247.     uint64x3_t out1 = (ot1 & mask58) + (ot0>>58);

  248.     uint64x3_t out2 = (ot2 & mask58) + (ot1>>58);

  249. 

  250.     *(uint64x4_t *)&c[0] = out0;

  251.     *(uint64x4_t *)&c[4] = out1;

  252.     *(uint64x4_t *)&c[8] = out2;

  253. }

  254. 

  255. 

  256. void

  257. p521_sqr (

  258.     p521_t *__restrict__ cs,

  259.     const p521_t *as

  260. ) {

  261.     

  262. 

  263.     int i;

  264. #if 0

  265.     assert(as->limb[3] == 0 && as->limb[7] == 0 && as->limb[11] == 0);

  266.     for (i=0; i<12; i++) {

  267.         assert(as->limb[i] < 5ull<<57);

  268.     }

  269. #endif

  270. 

  271.     uint64_t *c = cs->limb;

  272.     const uint64_t *a = as->limb;

  273. 

  274.     nonad_t ad, be, cf, abde, bcef, acdf;

  275.     nonad_sqr(&ad, &a[0]);

  276.     nonad_sqr(&be, &a[4]);

  277.     nonad_sqr(&cf, &a[8]);

  278. 

  279.     uint64_t amt = 26;

  280.     uint64x3_t vhi = { amt*((1ull<<58)-1), amt*((1ull<<58)-1), amt*((1ull<<58)-1), 0 },

  281.     vhi2 = { 0, 0, -amt<<57, 0 };

  282.     

  283.     uint64x3_t t2 = cf.lo + be.hi + ad.hier, t0 = ad.lo + timesW(cf.hi + be.hier) + vhi, t1 = ad.hi + be.lo + timesW(cf.hier);

  284. 

  285.     int64_t ta[4] VECTOR_ALIGNED;

  286.     // it seems to be faster not to vectorize these loops

  287.     for (i=0; i<3; i++) {

  288.         ta[i] = a[i]-a[i+4];

  289.     }

  290.     hexad_sqr_signed(&abde,ta);

  291. 

  292.     for (i=0; i<3; i++) {

  293.         ta[i] = a[i+4]-a[i+8];

  294.     }

  295.     hexad_sqr_signed(&bcef,ta);

  296. 

  297.     for (i=0; i<3; i++) {

  298.         ta[i] = a[i]-a[i+8];

  299.     }

  300.     hexad_sqr_signed(&acdf,ta);

  301. 

  302.     uint64x3_t ot0 = t0 + timesW(t2 + t1 - acdf.hi - bcef.lo);

  303.     uint64x3_t ot1 = t0 + t1 - abde.lo + timesW(t2 - bcef.hi);

  304.     uint64x3_t ot2 = t0 + t1 + t2 - abde.hi - acdf.lo + vhi2;

  305. 

  306.     uint64x3_t out0 = (ot0 & mask58) + timesW(ot2>>58);

  307.     uint64x3_t out1 = (ot1 & mask58) + (ot0>>58);

  308.     uint64x3_t out2 = (ot2 & mask58) + (ot1>>58);

  309. 

  310.     *(uint64x4_t *)&c[0] = out0;

  311.     *(uint64x4_t *)&c[4] = out1;

  312.     *(uint64x4_t *)&c[8] = out2;

  313. }

  314. 

  315. void

  316. p521_mulw (

  317.     p521_t *__restrict__ cs,

  318.     const p521_t *as,

  319.     uint64_t b

  320. ) {

  321.     

  322.     

  323. 

  324. #if 0

  325.     int i;

  326.     assert(as->limb[3] == 0 && as->limb[7] == 0 && as->limb[11] == 0);

  327.     for (i=0; i<12; i++) {

  328.         assert(as->limb[i] < 1ull<<61);

  329.     }

  330.     assert(b < 1ull<<61);

  331. #endif

  332.     

  333.     

  334.     const uint64_t *a = as->limb;

  335.     uint64_t *c = cs->limb;

  336. 

  337.     __uint128_t accum0 = 0, accum3 = 0, accum6 = 0;

  338.     uint64_t mask = (1ull<<58) - 1;

  339. 

  340.     accum0 += widemulu(b, a[0]);

  341.     accum3 += widemulu(b, a[1]);

  342.     accum6 += widemulu(b, a[2]);

  343.     c[0] = accum0 & mask; accum0 >>= 58;

  344.     c[1] = accum3 & mask; accum3 >>= 58;

  345.     c[2] = accum6 & mask; accum6 >>= 58;

  346. 

  347.     accum0 += widemulu(b, a[4]);

  348.     accum3 += widemulu(b, a[5]);

  349.     accum6 += widemulu(b, a[6]);

  350.     c[4] = accum0 & mask; accum0 >>= 58;

  351.     c[5] = accum3 & mask; accum3 >>= 58;

  352.     c[6] = accum6 & mask; accum6 >>= 58;

  353. 

  354.     accum0 += widemulu(b, a[8]);

  355.     accum3 += widemulu(b, a[9]);

  356.     accum6 += widemulu(b, a[10]);

  357.     c[8] = accum0 & mask; accum0 >>= 58;

  358.     c[9] = accum3 & mask; accum3 >>= 58;

  359.     c[10] = accum6 & (mask>>1); accum6 >>= 57;

  360.     

  361.     accum0 += c[1];

  362.     c[1] = accum0 & mask;

  363.     c[5] += accum0 >> 58;

  364. 

  365.     accum3 += c[2];

  366.     c[2] = accum3 & mask;

  367.     c[6] += accum3 >> 58;

  368. 

  369.     accum6 += c[0];

  370.     c[0] = accum6 & mask;

  371.     c[4] += accum6 >> 58;

  372.     

  373.     c[3] = c[7] = c[11] = 0;

  374. }

  375. 

  376. 

  377. void

  378. p521_strong_reduce (

  379.     p521_t *a

  380. ) {

  381.     uint64_t mask = (1ull<<58)-1, mask2 = (1ull<<57)-1;

  382. 

  383.     /* first, clear high */

  384.     __int128_t scarry = a->limb[LIMBPERM(8)]>>57;

  385.     a->limb[LIMBPERM(8)] &= mask2;

  386. 

  387.     /* now the total is less than 2p */

  388. 

  389.     /* compute total_value - p.  No need to reduce mod p. */

  390. 

  391.     int i;

  392.     for (i=0; i<9; i++) {

  393.         scarry = scarry + a->limb[LIMBPERM(i)] - ((i==8) ? mask2 : mask);

  394.         a->limb[LIMBPERM(i)] = scarry & ((i==8) ? mask2 : mask);

  395.         scarry >>= (i==8) ? 57 : 58;

  396.     }

  397. 

  398.     /* uncommon case: it was >= p, so now scarry = 0 and this = x

  399.     * common case: it was < p, so now scarry = -1 and this = x - p + 2^521

  400.     * so let's add back in p.  will carry back off the top for 2^521.

  401.     */

  402. 

  403.     assert(is_zero(scarry) | is_zero(scarry+1));

  404. 

  405.     uint64_t scarry_mask = scarry & mask;

  406.     __uint128_t carry = 0;

  407. 

  408.     /* add it back */

  409.     for (i=0; i<9; i++) {

  410.         carry = carry + a->limb[LIMBPERM(i)] + ((i==8)?(scarry_mask>>1):scarry_mask);

  411.         a->limb[LIMBPERM(i)] = carry & ((i==8) ? mask>>1 : mask);

  412.         carry >>= (i==8) ? 57 : 58;

  413.     }

  414. 

  415.     assert(is_zero(carry + scarry));

  416. 

  417.     a->limb[3] = a->limb[7] = a->limb[11] = 0;

  418. }

  419. 

  420. mask_t

  421. p521_is_zero (

  422.     const struct p521_t *a

  423. ) {

  424.     struct p521_t b;

  425.     p521_copy(&b,a);

  426.     p521_strong_reduce(&b);

  427. 

  428.     uint64_t any = 0;

  429.     unsigned int i;

  430.     for (i=0; i<sizeof(b)/sizeof(b.limb[0]); i++) {

  431.         any |= b.limb[i];

  432.     }

  433.     return is_zero(any);

  434. }

  435. 

  436. void

  437. p521_serialize (

  438.     uint8_t *serial,

  439.     const struct p521_t *x

  440. ) {

  441.     unsigned int i,k=0;

  442.     p521_t red;

  443.     p521_copy(&red, x);

  444.     p521_strong_reduce(&red);

  445.     

  446.     uint64_t r=0;

  447.     int bits = 0;

  448.     for (i=0; i<9; i++) {

  449.         r |= red.limb[LIMBPERM(i)] << bits;

  450.         for (bits += 58; bits >= 8; bits -= 8) {

  451.             serial[k++] = r;

  452.             r >>= 8;

  453.         }

  454.         assert(bits <= 6);

  455.     }

  456.     assert(bits);

  457.     serial[k++] = r;

  458. }

  459. 

  460. mask_t

  461. p521_deserialize (

  462.     p521_t *x,

  463.     const uint8_t serial[LIMBPERM(66)]

  464. ) {

  465.     int i,k=0,bits=0;

  466.     __uint128_t out = 0;

  467.     uint64_t mask = (1ull<<58)-1;

  468.     for (i=0; i<9; i++) {

  469.         out >>= 58;

  470.         for (; bits<58; bits+=8) {

  471.             out |= ((__uint128_t)serial[k++])<<bits;

  472.         }

  473.         x->limb[LIMBPERM(i)] = out & mask;

  474.         bits -= 58;

  475.     }

  476.     

  477.     /* Check for reduction.  First, high has to be < 2^57 */

  478.     mask_t good = is_zero(out>>57);

  479.     

  480.     uint64_t and = -1ull;

  481.     for (i=0; i<8; i++) {

  482.         and &= x->limb[LIMBPERM(i)];

  483.     }

  484.     and &= (2*out+1);

  485.     good &= is_zero((and+1)>>58);

  486. 

  487.     x->limb[3] = x->limb[7] = x->limb[11] = 0;

  488.     

  489.     return good;

  490. }