jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
398 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: bc80c744bf
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'bc80c744bf'
${ noResults }
ed448goldilocks/src/per_curve/scalar.tmpl.c

329 lines
8.2 KiB
Raw Blame History 

  1. /** @brief Decaf high-level functions. */

  2. 

  3. #include "word.h"

  4. #include "constant_time.h"

  5. #include <decaf.h>

  6. 

  7. /* Template stuff */

  8. #define API_NS(_id) $(c_ns)_##_id

  9. #define SCALAR_BITS $(C_NS)_SCALAR_BITS

  10. #define SCALAR_SER_BYTES $(C_NS)_SCALAR_BYTES

  11. #define SCALAR_LIMBS $(C_NS)_SCALAR_LIMBS

  12. #define scalar_t API_NS(scalar_t)

  13. 

  14. static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)0x$("%x" % pow(-q,2**64-1,2**64))ull;

  15. static const scalar_t sc_p = {{{

  16.     $(ser(q,64,"SC_LIMB"))

  17. }}}, sc_r2 = {{{

  18.     $(ser(((2**128)**((scalar_bits+63)/64))%q,64,"SC_LIMB"))

  19. }}};

  20. /* End of template stuff */

  21. 

  22. #define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */

  23. 

  24. const scalar_t API_NS(scalar_one) = {{{1}}}, API_NS(scalar_zero) = {{{0}}};

  25. 

  26. /** {extra,accum} - sub +? p

  27.  * Must have extra <= 1

  28.  */

  29. static NOINLINE void sc_subx(

  30.     scalar_t out,

  31.     const decaf_word_t accum[SCALAR_LIMBS],

  32.     const scalar_t sub,

  33.     const scalar_t p,

  34.     decaf_word_t extra

  35. ) {

  36.     decaf_dsword_t chain = 0;

  37.     unsigned int i;

  38.     for (i=0; i<SCALAR_LIMBS; i++) {

  39.         chain = (chain + accum[i]) - sub->limb[i];

  40.         out->limb[i] = chain;

  41.         chain >>= WBITS;

  42.     }

  43.     decaf_word_t borrow = chain+extra; /* = 0 or -1 */

  44.     

  45.     chain = 0;

  46.     for (i=0; i<SCALAR_LIMBS; i++) {

  47.         chain = (chain + out->limb[i]) + (p->limb[i] & borrow);

  48.         out->limb[i] = chain;

  49.         chain >>= WBITS;

  50.     }

  51. }

  52. 

  53. static NOINLINE void sc_montmul (

  54.     scalar_t out,

  55.     const scalar_t a,

  56.     const scalar_t b

  57. ) {

  58.     unsigned int i,j;

  59.     decaf_word_t accum[SCALAR_LIMBS+1] = {0};

  60.     decaf_word_t hi_carry = 0;

  61.     

  62.     for (i=0; i<SCALAR_LIMBS; i++) {

  63.         decaf_word_t mand = a->limb[i];

  64.         const decaf_word_t *mier = b->limb;

  65.         

  66.         decaf_dword_t chain = 0;

  67.         for (j=0; j<SCALAR_LIMBS; j++) {

  68.             chain += ((decaf_dword_t)mand)*mier[j] + accum[j];

  69.             accum[j] = chain;

  70.             chain >>= WBITS;

  71.         }

  72.         accum[j] = chain;

  73.         

  74.         mand = accum[0] * MONTGOMERY_FACTOR;

  75.         chain = 0;

  76.         mier = sc_p->limb;

  77.         for (j=0; j<SCALAR_LIMBS; j++) {

  78.             chain += (decaf_dword_t)mand*mier[j] + accum[j];

  79.             if (j) accum[j-1] = chain;

  80.             chain >>= WBITS;

  81.         }

  82.         chain += accum[j];

  83.         chain += hi_carry;

  84.         accum[j-1] = chain;

  85.         hi_carry = chain >> WBITS;

  86.     }

  87.     

  88.     sc_subx(out, accum, sc_p, sc_p, hi_carry);

  89. }

  90. 

  91. void API_NS(scalar_mul) (

  92.     scalar_t out,

  93.     const scalar_t a,

  94.     const scalar_t b

  95. ) {

  96.     sc_montmul(out,a,b);

  97.     sc_montmul(out,out,sc_r2);

  98. }

  99. 

  100. /* PERF: could implement this */

  101. static INLINE void sc_montsqr (scalar_t out, const scalar_t a) {

  102.     sc_montmul(out,a,a);

  103. }

  104. 

  105. decaf_error_t API_NS(scalar_invert) (

  106.     scalar_t out,

  107.     const scalar_t a

  108. ) {

  109.     /* Fermat's little theorem, sliding window.

  110.      * Sliding window is fine here because the modulus isn't secret.

  111.      */

  112.     const int SCALAR_WINDOW_BITS = 3;

  113.     scalar_t precmp[1<<SCALAR_WINDOW_BITS];

  114.     const int LAST = (1<<SCALAR_WINDOW_BITS)-1;

  115. 

  116.     /* Precompute precmp = [a^1,a^3,...] */

  117.     sc_montmul(precmp[0],a,sc_r2);

  118.     if (LAST > 0) sc_montmul(precmp[LAST],precmp[0],precmp[0]);

  119. 

  120.     int i;

  121.     for (i=1; i<=LAST; i++) {

  122.         sc_montmul(precmp[i],precmp[i-1],precmp[LAST]);

  123.     }

  124.     

  125.     /* Sliding window */

  126.     unsigned residue = 0, trailing = 0, started = 0;

  127.     for (i=SCALAR_BITS-1; i>=-SCALAR_WINDOW_BITS; i--) {

  128.         

  129.         if (started) sc_montsqr(out,out);

  130.         

  131.         decaf_word_t w = (i>=0) ? sc_p->limb[i/WBITS] : 0;

  132.         if (i >= 0 && i<WBITS) {

  133.             assert(w >= 2);

  134.             w-=2;

  135.         }

  136.         

  137.         residue = (residue<<1) | ((w>>(i%WBITS))&1);

  138.         if (residue>>SCALAR_WINDOW_BITS != 0) {

  139.             assert(trailing == 0);

  140.             trailing = residue;

  141.             residue = 0;

  142.         }

  143.         

  144.         if (trailing > 0 && (trailing & ((1<<SCALAR_WINDOW_BITS)-1)) == 0) {

  145.             if (started) {

  146.                 sc_montmul(out,out,precmp[trailing>>(SCALAR_WINDOW_BITS+1)]);

  147.             } else {

  148.                 API_NS(scalar_copy)(out,precmp[trailing>>(SCALAR_WINDOW_BITS+1)]);

  149.                 started = 1;

  150.             }

  151.             trailing = 0;

  152.         }

  153.         trailing <<= 1;

  154.         

  155.     }

  156.     assert(residue==0);

  157.     assert(trailing==0);

  158.     

  159.     /* Demontgomerize */

  160.     sc_montmul(out,out,API_NS(scalar_one));

  161.     decaf_bzero(precmp, sizeof(precmp));

  162.     return decaf_succeed_if(~API_NS(scalar_eq)(out,API_NS(scalar_zero)));

  163. }

  164. 

  165. void API_NS(scalar_sub) (

  166.     scalar_t out,

  167.     const scalar_t a,

  168.     const scalar_t b

  169. ) {

  170.     sc_subx(out, a->limb, b, sc_p, 0);

  171. }

  172. 

  173. void API_NS(scalar_add) (

  174.     scalar_t out,

  175.     const scalar_t a,

  176.     const scalar_t b

  177. ) {

  178.     decaf_dword_t chain = 0;

  179.     unsigned int i;

  180.     for (i=0; i<SCALAR_LIMBS; i++) {

  181.         chain = (chain + a->limb[i]) + b->limb[i];

  182.         out->limb[i] = chain;

  183.         chain >>= WBITS;

  184.     }

  185.     sc_subx(out, out->limb, sc_p, sc_p, chain);

  186. }

  187. 

  188. void

  189. API_NS(scalar_set_unsigned) (

  190.     scalar_t out,

  191.     uint64_t w

  192. ) {

  193.     memset(out,0,sizeof(scalar_t));

  194.     unsigned int i = 0;

  195.     for (; i<sizeof(uint64_t)/sizeof(decaf_word_t); i++) {

  196.         out->limb[i] = w;

  197.         w >>= (sizeof(uint64_t) > sizeof(decaf_word_t)) ? 8*sizeof(decaf_word_t) : 0;

  198.     }

  199. }

  200. 

  201. decaf_bool_t

  202. API_NS(scalar_eq) (

  203.     const scalar_t a,

  204.     const scalar_t b

  205. ) {

  206.     decaf_word_t diff = 0;

  207.     unsigned int i;

  208.     for (i=0; i<SCALAR_LIMBS; i++) {

  209.         diff |= a->limb[i] ^ b->limb[i];

  210.     }

  211.     return mask_to_bool(word_is_zero(diff));

  212. }

  213. 

  214. static INLINE void scalar_decode_short (

  215.     scalar_t s,

  216.     const unsigned char *ser,

  217.     unsigned int nbytes

  218. ) {

  219.     unsigned int i,j,k=0;

  220.     for (i=0; i<SCALAR_LIMBS; i++) {

  221.         decaf_word_t out = 0;

  222.         for (j=0; j<sizeof(decaf_word_t) && k<nbytes; j++,k++) {

  223.             out |= ((decaf_word_t)ser[k])<<(8*j);

  224.         }

  225.         s->limb[i] = out;

  226.     }

  227. }

  228. 

  229. decaf_error_t API_NS(scalar_decode)(

  230.     scalar_t s,

  231.     const unsigned char ser[SCALAR_SER_BYTES]

  232. ) {

  233.     unsigned int i;

  234.     scalar_decode_short(s, ser, SCALAR_SER_BYTES);

  235.     decaf_dsword_t accum = 0;

  236.     for (i=0; i<SCALAR_LIMBS; i++) {

  237.         accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS;

  238.     }

  239.     /* Here accum == 0 or -1 */

  240.     

  241.     API_NS(scalar_mul)(s,s,API_NS(scalar_one)); /* ham-handed reduce */

  242.     

  243.     return decaf_succeed_if(~word_is_zero(accum));

  244. }

  245. 

  246. void API_NS(scalar_destroy) (

  247.     scalar_t scalar

  248. ) {

  249.     decaf_bzero(scalar, sizeof(scalar_t));

  250. }

  251. 

  252. void API_NS(scalar_decode_long)(

  253.     scalar_t s,

  254.     const unsigned char *ser,

  255.     size_t ser_len

  256. ) {

  257.     if (ser_len == 0) {

  258.         API_NS(scalar_copy)(s, API_NS(scalar_zero));

  259.         return;

  260.     }

  261.     

  262.     size_t i;

  263.     scalar_t t1, t2;

  264. 

  265.     i = ser_len - (ser_len%SCALAR_SER_BYTES);

  266.     if (i==ser_len) i -= SCALAR_SER_BYTES;

  267.     

  268.     scalar_decode_short(t1, &ser[i], ser_len-i);

  269. 

  270.     if (ser_len == sizeof(scalar_t)) {

  271.         assert(i==0);

  272.         /* ham-handed reduce */

  273.         API_NS(scalar_mul)(s,t1,API_NS(scalar_one));

  274.         API_NS(scalar_destroy)(t1);

  275.         return;

  276.     }

  277. 

  278.     while (i) {

  279.         i -= SCALAR_SER_BYTES;

  280.         sc_montmul(t1,t1,sc_r2);

  281.         ignore_result( API_NS(scalar_decode)(t2, ser+i) );

  282.         API_NS(scalar_add)(t1, t1, t2);

  283.     }

  284. 

  285.     API_NS(scalar_copy)(s, t1);

  286.     API_NS(scalar_destroy)(t1);

  287.     API_NS(scalar_destroy)(t2);

  288. }

  289. 

  290. void API_NS(scalar_encode)(

  291.     unsigned char ser[SCALAR_SER_BYTES],

  292.     const scalar_t s

  293. ) {

  294.     unsigned int i,j,k=0;

  295.     for (i=0; i<SCALAR_LIMBS; i++) {

  296.         for (j=0; j<sizeof(decaf_word_t); j++,k++) {

  297.             ser[k] = s->limb[i] >> (8*j);

  298.         }

  299.     }

  300. }

  301. 

  302. void API_NS(scalar_cond_sel) (

  303.     scalar_t out,

  304.     const scalar_t a,

  305.     const scalar_t b,

  306.     decaf_bool_t pick_b

  307. ) {

  308.     constant_time_select(out,a,b,sizeof(scalar_t),bool_to_mask(pick_b),sizeof(out->limb[0]));

  309. }

  310. 

  311. void API_NS(scalar_halve) (

  312.     scalar_t out,

  313.     const scalar_t a

  314. ) {

  315.     decaf_word_t mask = -(a->limb[0] & 1);

  316.     decaf_dword_t chain = 0;

  317.     unsigned int i;

  318.     for (i=0; i<SCALAR_LIMBS; i++) {

  319.         chain = (chain + a->limb[i]) + (sc_p->limb[i] & mask);

  320.         out->limb[i] = chain;

  321.         chain >>= DECAF_WORD_BITS;

  322.     }

  323.     for (i=0; i<SCALAR_LIMBS-1; i++) {

  324.         out->limb[i] = out->limb[i]>>1 | out->limb[i+1]<<(WBITS-1);

  325.     }

  326.     out->limb[i] = out->limb[i]>>1 | chain<<(WBITS-1);

  327. }