Remove some unneeded stuff (67f1cccd) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

crypto/ec/curve448/decaf.c

+1 −713

Original line number	Diff line number	Diff line
		@@ -42,9 +42,7 @@
		#define EDDSA_USE_SIGMA_ISOGENY 0

		static const int EDWARDS_D = -39081;
		static const scalar_t point_scalarmul_adjustment = {{{
		SC_LIMB(0xc873d6d54a7bb0cf), SC_LIMB(0xe933d8d723a70aad), SC_LIMB(0xbb124b65129c96fd), SC_LIMB(0x00000008335dc163)
		}}}, precomputed_scalarmul_adjustment = {{{
		static const scalar_t precomputed_scalarmul_adjustment = {{{
		SC_LIMB(0xc873d6d54a7bb0cf), SC_LIMB(0xe933d8d723a70aad), SC_LIMB(0xbb124b65129c96fd), SC_LIMB(0x00000008335dc163)
		}}};

		@@ -95,8 +93,6 @@ const gf RISTRETTO_FACTOR = {{{

		#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */

		extern const point_t API_NS(point_base);

		/* Projective Niels coordinates */
		typedef struct { gf a, b, c; } niels_s, niels_t[1];
		typedef struct { niels_t n; gf z; } VECTOR_ALIGNED pniels_s, pniels_t[1];
		@@ -108,9 +104,6 @@ extern const gf API_NS(precomputed_base_as_fe)[];
		const precomputed_s *API_NS(precomputed_base) =
		(const precomputed_s *) &API_NS(precomputed_base_as_fe);

		const size_t API_NS(sizeof_precomputed_s) = sizeof(precomputed_s);
		const size_t API_NS(alignof_precomputed_s) = sizeof(big_register_t);

		/** Inverse. */
		static void
		gf_invert(gf y, const gf x, int assert_nonzero) {
		@@ -127,228 +120,6 @@ gf_invert(gf y, const gf x, int assert_nonzero) {
		/** identity = (0,1) */
		const point_t API_NS(point_identity) = {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}};

		/* Predeclare because not static: called by elligator */
		void API_NS(deisogenize) (
		gf_s *__restrict__ s,
		gf_s *__restrict__ inv_el_sum,
		gf_s *__restrict__ inv_el_m1,
		const point_t p,
		mask_t toggle_s,
		mask_t toggle_altx,
		mask_t toggle_rotation
		);

		void API_NS(deisogenize) (
		gf_s *__restrict__ s,
		gf_s *__restrict__ inv_el_sum,
		gf_s *__restrict__ inv_el_m1,
		const point_t p,
		mask_t toggle_s,
		mask_t toggle_altx,
		mask_t toggle_rotation
		) {
		#if COFACTOR == 4 && !IMAGINE_TWIST
		(void)toggle_rotation; /* Only applies to cofactor 8 */
		gf t1;
		gf_s t2 = s, t3=inv_el_sum, *t4=inv_el_m1;

		gf_add(t1,p->x,p->t);
		gf_sub(t2,p->x,p->t);
		gf_mul(t3,t1,t2); /* t3 = num */
		gf_sqr(t2,p->x);
		gf_mul(t1,t2,t3);
		gf_mulw(t2,t1,-1-TWISTED_D); /* -x^2 * (a-d) * num */
		gf_isr(t1,t2); /* t1 = isr */
		gf_mul(t2,t1,t3); /* t2 = ratio */
		gf_mul(t4,t2,RISTRETTO_FACTOR);
		mask_t negx = gf_lobit(t4) ^ toggle_altx;
		gf_cond_neg(t2, negx);
		gf_mul(t3,t2,p->z);
		gf_sub(t3,t3,p->t);
		gf_mul(t2,t3,p->x);
		gf_mulw(t4,t2,-1-TWISTED_D);
		gf_mul(s,t4,t1);
		mask_t lobs = gf_lobit(s);
		gf_cond_neg(s,lobs);
		gf_copy(inv_el_m1,p->x);
		gf_cond_neg(inv_el_m1,~lobs^negx^toggle_s);
		gf_add(inv_el_m1,inv_el_m1,p->t);

		#elif COFACTOR == 8 && IMAGINE_TWIST
		/* More complicated because of rotation */
		gf t1,t2,t3,t4,t5;
		gf_add(t1,p->z,p->y);
		gf_sub(t2,p->z,p->y);
		gf_mul(t3,t1,t2); /* t3 = num */
		gf_mul(t2,p->x,p->y); /* t2 = den */
		gf_sqr(t1,t2);
		gf_mul(t4,t1,t3);
		gf_mulw(t1,t4,-1-TWISTED_D);
		gf_isr(t4,t1); /* isqrt(num(a-d)den^2) */
		gf_mul(t1,t2,t4);
		gf_mul(t2,t1,RISTRETTO_FACTOR); /* t2 = "iden" in ristretto.sage */
		gf_mul(t1,t3,t4); /* t1 = "inum" in ristretto.sage */

		/* Calculate altxy = ideninumit^2(d-a) */
		gf_mul(t3,t1,t2);
		gf_mul_i(t4,t3);
		gf_mul(t3,t4,p->t);
		gf_mul(t4,t3,p->t);
		gf_mulw(t3,t4,TWISTED_D+1); /* ideninumit^2(d-1) */
		mask_t rotate = toggle_rotation ^ gf_lobit(t3);

		/* Rotate if altxy is negative */
		gf_cond_swap(t1,t2,rotate);
		gf_mul_i(t4,p->x);
		gf_cond_sel(t4,p->y,t4,rotate); /* t4 = "fac" = ix if rotate, else y */

		gf_mul_i(t5,RISTRETTO_FACTOR); /* t5 = imi */
		gf_mul(t3,t5,t2); /* iden * imi */
		gf_mul(t2,t5,t1);
		gf_mul(t5,t2,p->t); /* "altx" = idenimit */
		mask_t negx = gf_lobit(t5) ^ toggle_altx;

		gf_cond_neg(t1,negx^rotate);
		gf_mul(t2,t1,p->z);
		gf_add(t2,t2,ONE);
		gf_mul(inv_el_sum,t2,t4);
		gf_mul(s,inv_el_sum,t3);

		mask_t negs = gf_lobit(s);
		gf_cond_neg(s,negs);

		mask_t negz = ~negs ^ toggle_s ^ negx;
		gf_copy(inv_el_m1,p->z);
		gf_cond_neg(inv_el_m1,negz);
		gf_sub(inv_el_m1,inv_el_m1,t4);
		#else
		#error "Cofactor must be 4 (with no IMAGINE_TWIST) or 8 (with IMAGINE_TWIST)"
		#endif
		}

		void API_NS(point_encode)( unsigned char ser[SER_BYTES], const point_t p ) {
		gf s,ie1,ie2;
		API_NS(deisogenize)(s,ie1,ie2,p,0,0,0);
		gf_serialize(ser,s,1);
		}

		decaf_error_t API_NS(point_decode) (
		point_t p,
		const unsigned char ser[SER_BYTES],
		decaf_bool_t allow_identity
		) {
		gf s, s2, num, tmp;
		gf_s tmp2=s2, ynum=p->z, isr=p->x, den=p->t;

		mask_t succ = gf_deserialize(s, ser, 1, 0);
		succ &= bool_to_mask(allow_identity) \| ~gf_eq(s, ZERO);
		succ &= ~gf_lobit(s);

		gf_sqr(s2,s); /* s^2 = -as^2 */
		#if IMAGINE_TWIST
		gf_sub(s2,ZERO,s2); /* -as^2 */
		#endif
		gf_sub(den,ONE,s2); /* 1+as^2 */
		gf_add(ynum,ONE,s2); /* 1-as^2 */
		gf_mulw(num,s2,-4*TWISTED_D);
		gf_sqr(tmp,den); /* tmp = den^2 */
		gf_add(num,tmp,num); /* num = den^2 - 4ds^2 */
		gf_mul(tmp2,num,tmp); /* tmp2 = numden^2 /
		succ &= gf_isr(isr,tmp2); /* isr = 1/sqrt(numden^2) /
		gf_mul(tmp,isr,den); /* isrden /
		gf_mul(p->y,tmp,ynum); /* isrden(1-as^2) */
		gf_mul(tmp2,tmp,s); /* sisrden */
		gf_add(tmp2,tmp2,tmp2); /* 2sisrden /
		gf_mul(tmp,tmp2,isr); /* 2sisr^2den /
		gf_mul(p->x,tmp,num); /* 2sisr^2dennum */
		gf_mul(tmp,tmp2,RISTRETTO_FACTOR); /* 2sisrdenmagic */
		gf_cond_neg(p->x,gf_lobit(tmp)); /* flip x */

		#if COFACTOR==8
		/* Additionally check y != 0 and xyisomagic nonegative */
		succ &= ~gf_eq(p->y,ZERO);
		gf_mul(tmp,p->x,p->y);
		gf_mul(tmp2,tmp,RISTRETTO_FACTOR);
		succ &= ~gf_lobit(tmp2);
		#endif

		#if IMAGINE_TWIST
		gf_copy(tmp,p->x);
		gf_mul_i(p->x,tmp);
		#endif

		/* Fill in z and t */
		gf_copy(p->z,ONE);
		gf_mul(p->t,p->x,p->y);

		assert(API_NS(point_valid)(p) \| ~succ);
		return decaf_succeed_if(mask_to_bool(succ));
		}

		void API_NS(point_sub) (
		point_t p,
		const point_t q,
		const point_t r
		) {
		gf a, b, c, d;
		gf_sub_nr ( b, q->y, q->x ); /* 3+e */
		gf_sub_nr ( d, r->y, r->x ); /* 3+e */
		gf_add_nr ( c, r->y, r->x ); /* 2+e */
		gf_mul ( a, c, b );
		gf_add_nr ( b, q->y, q->x ); /* 2+e */
		gf_mul ( p->y, d, b );
		gf_mul ( b, r->t, q->t );
		gf_mulw ( p->x, b, 2*EFF_D );
		gf_add_nr ( b, a, p->y ); /* 2+e */
		gf_sub_nr ( c, p->y, a ); /* 3+e */
		gf_mul ( a, q->z, r->z );
		gf_add_nr ( a, a, a ); /* 2+e */
		if (GF_HEADROOM <= 3) gf_weak_reduce(a); /* or 1+e */
		#if NEG_D
		gf_sub_nr ( p->y, a, p->x ); /* 4+e or 3+e */
		gf_add_nr ( a, a, p->x ); /* 3+e or 2+e */
		#else
		gf_add_nr ( p->y, a, p->x ); /* 3+e or 2+e */
		gf_sub_nr ( a, a, p->x ); /* 4+e or 3+e */
		#endif
		gf_mul ( p->z, a, p->y );
		gf_mul ( p->x, p->y, c );
		gf_mul ( p->y, a, b );
		gf_mul ( p->t, b, c );
		}

		void API_NS(point_add) (
		point_t p,
		const point_t q,
		const point_t r
		) {
		gf a, b, c, d;
		gf_sub_nr ( b, q->y, q->x ); /* 3+e */
		gf_sub_nr ( c, r->y, r->x ); /* 3+e */
		gf_add_nr ( d, r->y, r->x ); /* 2+e */
		gf_mul ( a, c, b );
		gf_add_nr ( b, q->y, q->x ); /* 2+e */
		gf_mul ( p->y, d, b );
		gf_mul ( b, r->t, q->t );
		gf_mulw ( p->x, b, 2*EFF_D );
		gf_add_nr ( b, a, p->y ); /* 2+e */
		gf_sub_nr ( c, p->y, a ); /* 3+e */
		gf_mul ( a, q->z, r->z );
		gf_add_nr ( a, a, a ); /* 2+e */
		if (GF_HEADROOM <= 3) gf_weak_reduce(a); /* or 1+e */
		#if NEG_D
		gf_add_nr ( p->y, a, p->x ); /* 3+e or 2+e */
		gf_sub_nr ( a, a, p->x ); /* 4+e or 3+e */
		#else
		gf_sub_nr ( p->y, a, p->x ); /* 4+e or 3+e */
		gf_add_nr ( a, a, p->x ); /* 3+e or 2+e */
		#endif
		gf_mul ( p->z, a, p->y );
		gf_mul ( p->x, p->y, c );
		gf_mul ( p->y, a, b );
		gf_mul ( p->t, b, c );
		}

		static DECAF_NOINLINE void
		point_double_internal (
		point_t p,
		@@ -377,16 +148,6 @@ void API_NS(point_double)(point_t p, const point_t q) {
		point_double_internal(p,q,0);
		}

		void API_NS(point_negate) (
		point_t nega,
		const point_t a
		) {
		gf_sub(nega->x, ZERO, a->x);
		gf_copy(nega->y, a->y);
		gf_copy(nega->z, a->z);
		gf_sub(nega->t, ZERO, a->t);
		}

		/* Operations on [p]niels */
		static DECAF_INLINE void
		cond_neg_niels (
		@@ -499,265 +260,6 @@ sub_pniels_from_pt (
		sub_niels_from_pt( p, pn->n, before_double );
		}

		static DECAF_NOINLINE void
		prepare_fixed_window(
		pniels_t *multiples,
		const point_t b,
		int ntable
		) {
		point_t tmp;
		pniels_t pn;
		int i;

		point_double_internal(tmp, b, 0);
		pt_to_pniels(pn, tmp);
		pt_to_pniels(multiples[0], b);
		API_NS(point_copy)(tmp, b);
		for (i=1; i<ntable; i++) {
		add_pniels_to_pt(tmp, pn, 0);
		pt_to_pniels(multiples[i], tmp);
		}

		OPENSSL_cleanse(pn,sizeof(pn));
		OPENSSL_cleanse(tmp,sizeof(tmp));
		}

		void API_NS(point_scalarmul) (
		point_t a,
		const point_t b,
		const scalar_t scalar
		) {
		const int WINDOW = DECAF_WINDOW_BITS,
		WINDOW_MASK = (1<<WINDOW)-1,
		WINDOW_T_MASK = WINDOW_MASK >> 1,
		NTABLE = 1<<(WINDOW-1);

		scalar_t scalar1x;
		API_NS(scalar_add)(scalar1x, scalar, point_scalarmul_adjustment);
		API_NS(scalar_halve)(scalar1x,scalar1x);

		/* Set up a precomputed table with odd multiples of b. */
		pniels_t pn, multiples[NTABLE];
		point_t tmp;
		prepare_fixed_window(multiples, b, NTABLE);

		/* Initialize. */
		int i,j,first=1;
		i = SCALAR_BITS - ((SCALAR_BITS-1) % WINDOW) - 1;

		for (; i>=0; i-=WINDOW) {
		/* Fetch another block of bits */
		word_t bits = scalar1x->limb[i/WBITS] >> (i%WBITS);
		if (i%WBITS >= WBITS-WINDOW && i/WBITS<SCALAR_LIMBS-1) {
		bits ^= scalar1x->limb[i/WBITS+1] << (WBITS - (i%WBITS));
		}
		bits &= WINDOW_MASK;
		mask_t inv = (bits>>(WINDOW-1))-1;
		bits ^= inv;

		/* Add in from table. Compute t only on last iteration. */
		constant_time_lookup(pn, multiples, sizeof(pn), NTABLE, bits & WINDOW_T_MASK);
		cond_neg_niels(pn->n, inv);
		if (first) {
		pniels_to_pt(tmp, pn);
		first = 0;
		} else {
		/* Using Hisil et al's lookahead method instead of extensible here
		* for no particular reason. Double WINDOW times, but only compute t on
		* the last one.
		*/
		for (j=0; j<WINDOW-1; j++)
		point_double_internal(tmp, tmp, -1);
		point_double_internal(tmp, tmp, 0);
		add_pniels_to_pt(tmp, pn, i ? -1 : 0);
		}
		}

		/* Write out the answer */
		API_NS(point_copy)(a,tmp);

		OPENSSL_cleanse(scalar1x,sizeof(scalar1x));
		OPENSSL_cleanse(pn,sizeof(pn));
		OPENSSL_cleanse(multiples,sizeof(multiples));
		OPENSSL_cleanse(tmp,sizeof(tmp));
		}

		void API_NS(point_double_scalarmul) (
		point_t a,
		const point_t b,
		const scalar_t scalarb,
		const point_t c,
		const scalar_t scalarc
		) {
		const int WINDOW = DECAF_WINDOW_BITS,
		WINDOW_MASK = (1<<WINDOW)-1,
		WINDOW_T_MASK = WINDOW_MASK >> 1,
		NTABLE = 1<<(WINDOW-1);

		scalar_t scalar1x, scalar2x;
		API_NS(scalar_add)(scalar1x, scalarb, point_scalarmul_adjustment);
		API_NS(scalar_halve)(scalar1x,scalar1x);
		API_NS(scalar_add)(scalar2x, scalarc, point_scalarmul_adjustment);
		API_NS(scalar_halve)(scalar2x,scalar2x);

		/* Set up a precomputed table with odd multiples of b. */
		pniels_t pn, multiples1[NTABLE], multiples2[NTABLE];
		point_t tmp;
		prepare_fixed_window(multiples1, b, NTABLE);
		prepare_fixed_window(multiples2, c, NTABLE);

		/* Initialize. */
		int i,j,first=1;
		i = SCALAR_BITS - ((SCALAR_BITS-1) % WINDOW) - 1;

		for (; i>=0; i-=WINDOW) {
		/* Fetch another block of bits */
		word_t bits1 = scalar1x->limb[i/WBITS] >> (i%WBITS),
		bits2 = scalar2x->limb[i/WBITS] >> (i%WBITS);
		if (i%WBITS >= WBITS-WINDOW && i/WBITS<SCALAR_LIMBS-1) {
		bits1 ^= scalar1x->limb[i/WBITS+1] << (WBITS - (i%WBITS));
		bits2 ^= scalar2x->limb[i/WBITS+1] << (WBITS - (i%WBITS));
		}
		bits1 &= WINDOW_MASK;
		bits2 &= WINDOW_MASK;
		mask_t inv1 = (bits1>>(WINDOW-1))-1;
		mask_t inv2 = (bits2>>(WINDOW-1))-1;
		bits1 ^= inv1;
		bits2 ^= inv2;

		/* Add in from table. Compute t only on last iteration. */
		constant_time_lookup(pn, multiples1, sizeof(pn), NTABLE, bits1 & WINDOW_T_MASK);
		cond_neg_niels(pn->n, inv1);
		if (first) {
		pniels_to_pt(tmp, pn);
		first = 0;
		} else {
		/* Using Hisil et al's lookahead method instead of extensible here
		* for no particular reason. Double WINDOW times, but only compute t on
		* the last one.
		*/
		for (j=0; j<WINDOW-1; j++)
		point_double_internal(tmp, tmp, -1);
		point_double_internal(tmp, tmp, 0);
		add_pniels_to_pt(tmp, pn, 0);
		}
		constant_time_lookup(pn, multiples2, sizeof(pn), NTABLE, bits2 & WINDOW_T_MASK);
		cond_neg_niels(pn->n, inv2);
		add_pniels_to_pt(tmp, pn, i?-1:0);
		}

		/* Write out the answer */
		API_NS(point_copy)(a,tmp);


		OPENSSL_cleanse(scalar1x,sizeof(scalar1x));
		OPENSSL_cleanse(scalar2x,sizeof(scalar2x));
		OPENSSL_cleanse(pn,sizeof(pn));
		OPENSSL_cleanse(multiples1,sizeof(multiples1));
		OPENSSL_cleanse(multiples2,sizeof(multiples2));
		OPENSSL_cleanse(tmp,sizeof(tmp));
		}

		void API_NS(point_dual_scalarmul) (
		point_t a1,
		point_t a2,
		const point_t b,
		const scalar_t scalar1,
		const scalar_t scalar2
		) {
		const int WINDOW = DECAF_WINDOW_BITS,
		WINDOW_MASK = (1<<WINDOW)-1,
		WINDOW_T_MASK = WINDOW_MASK >> 1,
		NTABLE = 1<<(WINDOW-1);

		scalar_t scalar1x, scalar2x;
		API_NS(scalar_add)(scalar1x, scalar1, point_scalarmul_adjustment);
		API_NS(scalar_halve)(scalar1x,scalar1x);
		API_NS(scalar_add)(scalar2x, scalar2, point_scalarmul_adjustment);
		API_NS(scalar_halve)(scalar2x,scalar2x);

		/* Set up a precomputed table with odd multiples of b. */
		point_t multiples1[NTABLE], multiples2[NTABLE], working, tmp;
		pniels_t pn;

		API_NS(point_copy)(working, b);

		/* Initialize. */
		int i,j;

		for (i=0; i<NTABLE; i++) {
		API_NS(point_copy)(multiples1[i], API_NS(point_identity));
		API_NS(point_copy)(multiples2[i], API_NS(point_identity));
		}

		for (i=0; i<SCALAR_BITS; i+=WINDOW) {
		if (i) {
		for (j=0; j<WINDOW-1; j++)
		point_double_internal(working, working, -1);
		point_double_internal(working, working, 0);
		}

		/* Fetch another block of bits */
		word_t bits1 = scalar1x->limb[i/WBITS] >> (i%WBITS),
		bits2 = scalar2x->limb[i/WBITS] >> (i%WBITS);
		if (i%WBITS >= WBITS-WINDOW && i/WBITS<SCALAR_LIMBS-1) {
		bits1 ^= scalar1x->limb[i/WBITS+1] << (WBITS - (i%WBITS));
		bits2 ^= scalar2x->limb[i/WBITS+1] << (WBITS - (i%WBITS));
		}
		bits1 &= WINDOW_MASK;
		bits2 &= WINDOW_MASK;
		mask_t inv1 = (bits1>>(WINDOW-1))-1;
		mask_t inv2 = (bits2>>(WINDOW-1))-1;
		bits1 ^= inv1;
		bits2 ^= inv2;

		pt_to_pniels(pn, working);

		constant_time_lookup(tmp, multiples1, sizeof(tmp), NTABLE, bits1 & WINDOW_T_MASK);
		cond_neg_niels(pn->n, inv1);
		/* add_pniels_to_pt(multiples1[bits1 & WINDOW_T_MASK], pn, 0); */
		add_pniels_to_pt(tmp, pn, 0);
		constant_time_insert(multiples1, tmp, sizeof(tmp), NTABLE, bits1 & WINDOW_T_MASK);


		constant_time_lookup(tmp, multiples2, sizeof(tmp), NTABLE, bits2 & WINDOW_T_MASK);
		cond_neg_niels(pn->n, inv1^inv2);
		/* add_pniels_to_pt(multiples2[bits2 & WINDOW_T_MASK], pn, 0); */
		add_pniels_to_pt(tmp, pn, 0);
		constant_time_insert(multiples2, tmp, sizeof(tmp), NTABLE, bits2 & WINDOW_T_MASK);
		}

		if (NTABLE > 1) {
		API_NS(point_copy)(working, multiples1[NTABLE-1]);
		API_NS(point_copy)(tmp , multiples2[NTABLE-1]);

		for (i=NTABLE-1; i>1; i--) {
		API_NS(point_add)(multiples1[i-1], multiples1[i-1], multiples1[i]);
		API_NS(point_add)(multiples2[i-1], multiples2[i-1], multiples2[i]);
		API_NS(point_add)(working, working, multiples1[i-1]);
		API_NS(point_add)(tmp, tmp, multiples2[i-1]);
		}

		API_NS(point_add)(multiples1[0], multiples1[0], multiples1[1]);
		API_NS(point_add)(multiples2[0], multiples2[0], multiples2[1]);
		point_double_internal(working, working, 0);
		point_double_internal(tmp, tmp, 0);
		API_NS(point_add)(a1, working, multiples1[0]);
		API_NS(point_add)(a2, tmp, multiples2[0]);
		} else {
		API_NS(point_copy)(a1, multiples1[0]);
		API_NS(point_copy)(a2, multiples2[0]);
		}

		OPENSSL_cleanse(scalar1x,sizeof(scalar1x));
		OPENSSL_cleanse(scalar2x,sizeof(scalar2x));
		OPENSSL_cleanse(pn,sizeof(pn));
		OPENSSL_cleanse(multiples1,sizeof(multiples1));
		OPENSSL_cleanse(multiples2,sizeof(multiples2));
		OPENSSL_cleanse(tmp,sizeof(tmp));
		OPENSSL_cleanse(working,sizeof(working));
		}

		decaf_bool_t API_NS(point_eq) ( const point_t p, const point_t q ) {
		/* equality mod 2-torsion compares x/y */
		gf a, b;
		@@ -803,161 +305,6 @@ decaf_bool_t API_NS(point_valid) (
		return mask_to_bool(out);
		}

		void API_NS(point_debugging_torque) (
		point_t q,
		const point_t p
		) {
		#if COFACTOR == 8 && IMAGINE_TWIST
		gf tmp;
		gf_mul(tmp,p->x,SQRT_MINUS_ONE);
		gf_mul(q->x,p->y,SQRT_MINUS_ONE);
		gf_copy(q->y,tmp);
		gf_copy(q->z,p->z);
		gf_sub(q->t,ZERO,p->t);
		#else
		gf_sub(q->x,ZERO,p->x);
		gf_sub(q->y,ZERO,p->y);
		gf_copy(q->z,p->z);
		gf_copy(q->t,p->t);
		#endif
		}

		void API_NS(point_debugging_pscale) (
		point_t q,
		const point_t p,
		const uint8_t factor[SER_BYTES]
		) {
		gf gfac,tmp;
		/* NB this means you'll never pscale by negative numbers for p521 */
		ignore_result(gf_deserialize(gfac,factor,0,0));
		gf_cond_sel(gfac,gfac,ONE,gf_eq(gfac,ZERO));
		gf_mul(tmp,p->x,gfac);
		gf_copy(q->x,tmp);
		gf_mul(tmp,p->y,gfac);
		gf_copy(q->y,tmp);
		gf_mul(tmp,p->z,gfac);
		gf_copy(q->z,tmp);
		gf_mul(tmp,p->t,gfac);
		gf_copy(q->t,tmp);
		}

		static void gf_batch_invert (
		gf *__restrict__ out,
		const gf *in,
		unsigned int n
		) {
		gf t1;
		assert(n>1);

		gf_copy(out[1], in[0]);
		int i;
		for (i=1; i<(int) (n-1); i++) {
		gf_mul(out[i+1], out[i], in[i]);
		}
		gf_mul(out[0], out[n-1], in[n-1]);

		gf_invert(out[0], out[0], 1);

		for (i=n-1; i>0; i--) {
		gf_mul(t1, out[i], out[0]);
		gf_copy(out[i], t1);
		gf_mul(t1, out[0], in[i]);
		gf_copy(out[0], t1);
		}
		}

		static void batch_normalize_niels (
		niels_t *table,
		const gf *zs,
		gf *__restrict__ zis,
		int n
		) {
		int i;
		gf product;
		gf_batch_invert(zis, zs, n);

		for (i=0; i<n; i++) {
		gf_mul(product, table[i]->a, zis[i]);
		gf_strong_reduce(product);
		gf_copy(table[i]->a, product);

		gf_mul(product, table[i]->b, zis[i]);
		gf_strong_reduce(product);
		gf_copy(table[i]->b, product);

		gf_mul(product, table[i]->c, zis[i]);
		gf_strong_reduce(product);
		gf_copy(table[i]->c, product);
		}

		OPENSSL_cleanse(product,sizeof(product));
		}

		void API_NS(precompute) (
		precomputed_s *table,
		const point_t base
		) {
		const unsigned int n = COMBS_N, t = COMBS_T, s = COMBS_S;
		assert(nts >= SCALAR_BITS);

		point_t working, start, doubles[t-1];
		API_NS(point_copy)(working, base);
		pniels_t pn_tmp;

		gf zs[n<<(t-1)], zis[n<<(t-1)];

		unsigned int i,j,k;

		/* Compute n tables */
		for (i=0; i<n; i++) {

		/* Doubling phase */
		for (j=0; j<t; j++) {
		if (j) API_NS(point_add)(start, start, working);
		else API_NS(point_copy)(start, working);

		if (j==t-1 && i==n-1) break;

		point_double_internal(working, working,0);
		if (j<t-1) API_NS(point_copy)(doubles[j], working);

		for (k=0; k<s-1; k++)
		point_double_internal(working, working, k<s-2);
		}

		/* Gray-code phase */
		for (j=0;; j++) {
		int gray = j ^ (j>>1);
		int idx = (((i+1)<<(t-1))-1) ^ gray;

		pt_to_pniels(pn_tmp, start);
		memcpy(table->table[idx], pn_tmp->n, sizeof(pn_tmp->n));
		gf_copy(zs[idx], pn_tmp->z);

		if (j >= (1u<<(t-1)) - 1) break;
		int delta = (j+1) ^ ((j+1)>>1) ^ gray;

		for (k=0; delta>1; k++)
		delta >>=1;

		if (gray & (1<<k)) {
		API_NS(point_add)(start, start, doubles[k]);
		} else {
		API_NS(point_sub)(start, start, doubles[k]);
		}
		}
		}

		batch_normalize_niels(table->table,(const gf *)zs,zis,n<<(t-1));

		OPENSSL_cleanse(zs,sizeof(zs));
		OPENSSL_cleanse(zis,sizeof(zis));
		OPENSSL_cleanse(pn_tmp,sizeof(pn_tmp));
		OPENSSL_cleanse(working,sizeof(working));
		OPENSSL_cleanse(start,sizeof(start));
		OPENSSL_cleanse(doubles,sizeof(doubles));
		}

		static DECAF_INLINE void
		constant_time_lookup_niels (
		niels_s *__restrict__ ni,
		@@ -1015,33 +362,6 @@ void API_NS(precomputed_scalarmul) (
		OPENSSL_cleanse(scalar1x,sizeof(scalar1x));
		}

		void API_NS(point_cond_sel) (
		point_t out,
		const point_t a,
		const point_t b,
		decaf_bool_t pick_b
		) {
		constant_time_select(out,a,b,sizeof(point_t),bool_to_mask(pick_b),0);
		}

		/* FUTURE: restore Curve25519 Montgomery ladder? */
		decaf_error_t API_NS(direct_scalarmul) (
		uint8_t scaled[SER_BYTES],
		const uint8_t base[SER_BYTES],
		const scalar_t scalar,
		decaf_bool_t allow_identity,
		decaf_bool_t short_circuit
		) {
		point_t basep;
		decaf_error_t succ = API_NS(point_decode)(basep, base, allow_identity);
		if (short_circuit && succ != DECAF_SUCCESS) return succ;
		API_NS(point_cond_sel)(basep, API_NS(point_base), basep, succ);
		API_NS(point_scalarmul)(basep, basep, scalar);
		API_NS(point_encode)(scaled, basep);
		API_NS(point_destroy)(basep);
		return succ;
		}

		void API_NS(point_mul_by_ratio_and_encode_like_eddsa) (
		uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES],
		const point_t p
		@@ -1482,32 +802,6 @@ prepare_wnaf_table(

		extern const gf API_NS(precomputed_wnaf_as_fe)[];
		static const niels_t API_NS(wnaf_base) = (const niels_t )API_NS(precomputed_wnaf_as_fe);
		const size_t API_NS(sizeof_precomputed_wnafs) __attribute((visibility("hidden")))
		= sizeof(niels_t)<<DECAF_WNAF_FIXED_TABLE_BITS;

		void API_NS(precompute_wnafs) (
		niels_t out[1<<DECAF_WNAF_FIXED_TABLE_BITS],
		const point_t base
		) __attribute__ ((visibility ("hidden")));

		void API_NS(precompute_wnafs) (
		niels_t out[1<<DECAF_WNAF_FIXED_TABLE_BITS],
		const point_t base
		) {
		pniels_t tmp[1<<DECAF_WNAF_FIXED_TABLE_BITS];
		gf zs[1<<DECAF_WNAF_FIXED_TABLE_BITS], zis[1<<DECAF_WNAF_FIXED_TABLE_BITS];
		int i;
		prepare_wnaf_table(tmp,base,DECAF_WNAF_FIXED_TABLE_BITS);
		for (i=0; i<1<<DECAF_WNAF_FIXED_TABLE_BITS; i++) {
		memcpy(out[i], tmp[i]->n, sizeof(niels_t));
		gf_copy(zs[i], tmp[i]->z);
		}
		batch_normalize_niels(out, (const gf *)zs, zis, 1<<DECAF_WNAF_FIXED_TABLE_BITS);

		OPENSSL_cleanse(tmp,sizeof(tmp));
		OPENSSL_cleanse(zs,sizeof(zs));
		OPENSSL_cleanse(zis,sizeof(zis));
		}

		void API_NS(base_double_scalarmul_non_secret) (
		point_t combo,
		@@ -1586,12 +880,6 @@ void API_NS(point_destroy) (
		OPENSSL_cleanse(point, sizeof(point_t));
		}

		void API_NS(precomputed_destroy) (
		precomputed_s *pre
		) {
		OPENSSL_cleanse(pre, API_NS(sizeof_precomputed_s));
		}

		int X448(uint8_t out_shared_key[56], const uint8_t private_key[56],
		const uint8_t peer_public_value[56])
		{

crypto/ec/curve448/decaf_tables.c

+0 −6

File changed.

Preview size limit exceeded, changes collapsed.

crypto/ec/curve448/point_448.h

+0 −206

File changed.

Preview size limit exceeded, changes collapsed.

crypto/ec/curve448/scalar.c

+0 −102

File changed.

Preview size limit exceeded, changes collapsed.