Import Curve 448 support (7324473f) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

crypto/ec/curve448/GENERATED/c/ed448goldilocks/decaf.c

0 → 100644

+1598 −0

File added.

Preview size limit exceeded, changes collapsed.

crypto/ec/curve448/GENERATED/c/ed448goldilocks/decaf_tables.c

0 → 100644

+354 −0

File added.

Preview size limit exceeded, changes collapsed.

crypto/ec/curve448/GENERATED/c/ed448goldilocks/eddsa.c

0 → 100644

+328 −0

Original line number	Diff line number	Diff line
		/**
		* @file ed448goldilocks/eddsa.c
		* @author Mike Hamburg
		*
		* @copyright
		* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
		* Released under the MIT License. See LICENSE.txt for license information.
		*
		* @cond internal
		* @brief EdDSA routines.
		*
		* @warning This file was automatically generated in Python.
		* Please do not edit it.
		*/
		#include "word.h"
		#include <decaf/ed448.h>
		#include <decaf/shake.h>
		#include <decaf/sha512.h>
		#include <string.h>

		#define API_NAME "decaf_448"
		#define API_NS(_id) decaf_448_##_id

		#define hash_ctx_t decaf_shake256_ctx_t
		#define hash_init decaf_shake256_init
		#define hash_update decaf_shake256_update
		#define hash_final decaf_shake256_final
		#define hash_destroy decaf_shake256_destroy
		#define hash_hash decaf_shake256_hash

		#define NO_CONTEXT DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS
		#define EDDSA_USE_SIGMA_ISOGENY 0
		#define COFACTOR 4
		#define EDDSA_PREHASH_BYTES 64

		#if NO_CONTEXT
		const uint8_t NO_CONTEXT_POINTS_HERE = 0;
		const uint8_t * const DECAF_ED448_NO_CONTEXT = &NO_CONTEXT_POINTS_HERE;
		#endif

		/* EDDSA_BASE_POINT_RATIO = 1 or 2
		* Because EdDSA25519 is not on E_d but on the isogenous E_sigma_d,
		* its base point is twice ours.
		*/
		#define EDDSA_BASE_POINT_RATIO (1+EDDSA_USE_SIGMA_ISOGENY) /* TODO: remove */

		static void clamp (
		uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES]
		) {
		/* Blarg */
		secret_scalar_ser[0] &= -COFACTOR;
		uint8_t hibit = (1<<0)>>1;
		if (hibit == 0) {
		secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] = 0;
		secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 2] \|= 0x80;
		} else {
		secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] &= hibit-1;
		secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] \|= hibit;
		}
		}

		static void hash_init_with_dom(
		hash_ctx_t hash,
		uint8_t prehashed,
		uint8_t for_prehash,
		const uint8_t *context,
		uint8_t context_len
		) {
		hash_init(hash);

		#if NO_CONTEXT
		if (context_len == 0 && context == DECAF_ED448_NO_CONTEXT) {
		(void)prehashed;
		(void)for_prehash;
		(void)context;
		(void)context_len;
		return;
		}
		#endif
		const char *dom_s = "SigEd448";
		const uint8_t dom[2] = {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len};
		hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));
		hash_update(hash,dom,2);
		hash_update(hash,context,context_len);
		}

		void decaf_ed448_prehash_init (
		hash_ctx_t hash
		) {
		hash_init(hash);
		}

		/* In this file because it uses the hash */
		void decaf_ed448_convert_private_key_to_x448 (
		uint8_t x[DECAF_X448_PRIVATE_BYTES],
		const uint8_t ed[DECAF_EDDSA_448_PRIVATE_BYTES]
		) {
		/* pass the private key through hash_hash function */
		/* and keep the first DECAF_X448_PRIVATE_BYTES bytes */
		hash_hash(
		x,
		DECAF_X448_PRIVATE_BYTES,
		ed,
		DECAF_EDDSA_448_PRIVATE_BYTES
		);
		}

		void decaf_ed448_derive_public_key (
		uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
		const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES]
		) {
		/* only this much used for keygen */
		uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES];

		hash_hash(
		secret_scalar_ser,
		sizeof(secret_scalar_ser),
		privkey,
		DECAF_EDDSA_448_PRIVATE_BYTES
		);
		clamp(secret_scalar_ser);

		API_NS(scalar_t) secret_scalar;
		API_NS(scalar_decode_long)(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser));

		/* Since we are going to mul_by_cofactor during encoding, divide by it here.
		* However, the EdDSA base point is not the same as the decaf base point if
		* the sigma isogeny is in use: the EdDSA base point is on Etwist_d/(1-d) and
		* the decaf base point is on Etwist_d, and when converted it effectively
		* picks up a factor of 2 from the isogenies. So we might start at 2 instead of 1.
		*/
		for (unsigned int c=1; c<DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
		API_NS(scalar_halve)(secret_scalar,secret_scalar);
		}

		API_NS(point_t) p;
		API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),secret_scalar);

		API_NS(point_mul_by_ratio_and_encode_like_eddsa)(pubkey, p);

		/* Cleanup */
		API_NS(scalar_destroy)(secret_scalar);
		API_NS(point_destroy)(p);
		decaf_bzero(secret_scalar_ser, sizeof(secret_scalar_ser));
		}

		void decaf_ed448_sign (
		uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
		const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
		const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
		const uint8_t *message,
		size_t message_len,
		uint8_t prehashed,
		const uint8_t *context,
		uint8_t context_len
		) {
		API_NS(scalar_t) secret_scalar;
		hash_ctx_t hash;
		{
		/* Schedule the secret key */
		struct {
		uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES];
		uint8_t seed[DECAF_EDDSA_448_PRIVATE_BYTES];
		} __attribute__((packed)) expanded;
		hash_hash(
		(uint8_t *)&expanded,
		sizeof(expanded),
		privkey,
		DECAF_EDDSA_448_PRIVATE_BYTES
		);
		clamp(expanded.secret_scalar_ser);
		API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));

		/* Hash to create the nonce */
		hash_init_with_dom(hash,prehashed,0,context,context_len);
		hash_update(hash,expanded.seed,sizeof(expanded.seed));
		hash_update(hash,message,message_len);
		decaf_bzero(&expanded, sizeof(expanded));
		}

		/* Decode the nonce */
		API_NS(scalar_t) nonce_scalar;
		{
		uint8_t nonce[2*DECAF_EDDSA_448_PRIVATE_BYTES];
		hash_final(hash,nonce,sizeof(nonce));
		API_NS(scalar_decode_long)(nonce_scalar, nonce, sizeof(nonce));
		decaf_bzero(nonce, sizeof(nonce));
		}

		uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] = {0};
		{
		/* Scalarmul to create the nonce-point */
		API_NS(scalar_t) nonce_scalar_2;
		API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar);
		for (unsigned int c = 2; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
		API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar_2);
		}

		API_NS(point_t) p;
		API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),nonce_scalar_2);
		API_NS(point_mul_by_ratio_and_encode_like_eddsa)(nonce_point, p);
		API_NS(point_destroy)(p);
		API_NS(scalar_destroy)(nonce_scalar_2);
		}

		API_NS(scalar_t) challenge_scalar;
		{
		/* Compute the challenge */
		hash_init_with_dom(hash,prehashed,0,context,context_len);
		hash_update(hash,nonce_point,sizeof(nonce_point));
		hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES);
		hash_update(hash,message,message_len);
		uint8_t challenge[2*DECAF_EDDSA_448_PRIVATE_BYTES];
		hash_final(hash,challenge,sizeof(challenge));
		hash_destroy(hash);
		API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
		decaf_bzero(challenge,sizeof(challenge));
		}

		API_NS(scalar_mul)(challenge_scalar,challenge_scalar,secret_scalar);
		API_NS(scalar_add)(challenge_scalar,challenge_scalar,nonce_scalar);

		decaf_bzero(signature,DECAF_EDDSA_448_SIGNATURE_BYTES);
		memcpy(signature,nonce_point,sizeof(nonce_point));
		API_NS(scalar_encode)(&signature[DECAF_EDDSA_448_PUBLIC_BYTES],challenge_scalar);

		API_NS(scalar_destroy)(secret_scalar);
		API_NS(scalar_destroy)(nonce_scalar);
		API_NS(scalar_destroy)(challenge_scalar);
		}


		void decaf_ed448_sign_prehash (
		uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
		const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
		const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
		const decaf_ed448_prehash_ctx_t hash,
		const uint8_t *context,
		uint8_t context_len
		) {
		uint8_t hash_output[EDDSA_PREHASH_BYTES];
		{
		decaf_ed448_prehash_ctx_t hash_too;
		memcpy(hash_too,hash,sizeof(hash_too));
		hash_final(hash_too,hash_output,sizeof(hash_output));
		hash_destroy(hash_too);
		}

		decaf_ed448_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
		decaf_bzero(hash_output,sizeof(hash_output));
		}

		decaf_error_t decaf_ed448_verify (
		const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
		const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
		const uint8_t *message,
		size_t message_len,
		uint8_t prehashed,
		const uint8_t *context,
		uint8_t context_len
		) {
		API_NS(point_t) pk_point, r_point;
		decaf_error_t error = API_NS(point_decode_like_eddsa_and_mul_by_ratio)(pk_point,pubkey);
		if (DECAF_SUCCESS != error) { return error; }

		error = API_NS(point_decode_like_eddsa_and_mul_by_ratio)(r_point,signature);
		if (DECAF_SUCCESS != error) { return error; }

		API_NS(scalar_t) challenge_scalar;
		{
		/* Compute the challenge */
		hash_ctx_t hash;
		hash_init_with_dom(hash,prehashed,0,context,context_len);
		hash_update(hash,signature,DECAF_EDDSA_448_PUBLIC_BYTES);
		hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES);
		hash_update(hash,message,message_len);
		uint8_t challenge[2*DECAF_EDDSA_448_PRIVATE_BYTES];
		hash_final(hash,challenge,sizeof(challenge));
		hash_destroy(hash);
		API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
		decaf_bzero(challenge,sizeof(challenge));
		}
		API_NS(scalar_sub)(challenge_scalar, API_NS(scalar_zero), challenge_scalar);

		API_NS(scalar_t) response_scalar;
		API_NS(scalar_decode_long)(
		response_scalar,
		&signature[DECAF_EDDSA_448_PUBLIC_BYTES],
		DECAF_EDDSA_448_PRIVATE_BYTES
		);

		for (unsigned c=1; c<DECAF_448_EDDSA_DECODE_RATIO; c<<=1) {
		API_NS(scalar_add)(response_scalar,response_scalar,response_scalar);
		}


		/* pk_point = -c(x(P)) + (cx + k)G = kG */
		API_NS(base_double_scalarmul_non_secret)(
		pk_point,
		response_scalar,
		pk_point,
		challenge_scalar
		);
		return decaf_succeed_if(API_NS(point_eq(pk_point,r_point)));
		}


		decaf_error_t decaf_ed448_verify_prehash (
		const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
		const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
		const decaf_ed448_prehash_ctx_t hash,
		const uint8_t *context,
		uint8_t context_len
		) {
		decaf_error_t ret;

		uint8_t hash_output[EDDSA_PREHASH_BYTES];
		{
		decaf_ed448_prehash_ctx_t hash_too;
		memcpy(hash_too,hash,sizeof(hash_too));
		hash_final(hash_too,hash_output,sizeof(hash_output));
		hash_destroy(hash_too);
		}

		ret = decaf_ed448_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len);

		return ret;
		}

crypto/ec/curve448/GENERATED/c/ed448goldilocks/scalar.c

0 → 100644

+341 −0

Original line number	Diff line number	Diff line
		/**
		* @file ed448goldilocks/scalar.c
		* @author Mike Hamburg
		*
		* @copyright
		* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
		* Released under the MIT License. See LICENSE.txt for license information.
		*
		* @brief Decaf high-level functions.
		*
		* @warning This file was automatically generated in Python.
		* Please do not edit it.
		*/
		#include "word.h"
		#include "constant_time.h"
		#include <decaf.h>

		/* Template stuff */
		#define API_NS(_id) decaf_448_##_id
		#define SCALAR_BITS DECAF_448_SCALAR_BITS
		#define SCALAR_SER_BYTES DECAF_448_SCALAR_BYTES
		#define SCALAR_LIMBS DECAF_448_SCALAR_LIMBS
		#define scalar_t API_NS(scalar_t)

		static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)0x3bd440fae918bc5ull;
		static const scalar_t sc_p = {{{
		SC_LIMB(0x2378c292ab5844f3), SC_LIMB(0x216cc2728dc58f55), SC_LIMB(0xc44edb49aed63690), SC_LIMB(0xffffffff7cca23e9), SC_LIMB(0xffffffffffffffff), SC_LIMB(0xffffffffffffffff), SC_LIMB(0x3fffffffffffffff)
		}}}, sc_r2 = {{{
		SC_LIMB(0xe3539257049b9b60), SC_LIMB(0x7af32c4bc1b195d9), SC_LIMB(0x0d66de2388ea1859), SC_LIMB(0xae17cf725ee4d838), SC_LIMB(0x1a9cc14ba3c47c44), SC_LIMB(0x2052bcb7e4d070af), SC_LIMB(0x3402a939f823b729)
		}}};
		/* End of template stuff */

		#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */

		const scalar_t API_NS(scalar_one) = {{{1}}}, API_NS(scalar_zero) = {{{0}}};

		/** {extra,accum} - sub +? p
		* Must have extra <= 1
		*/
		static DECAF_NOINLINE void sc_subx(
		scalar_t out,
		const decaf_word_t accum[SCALAR_LIMBS],
		const scalar_t sub,
		const scalar_t p,
		decaf_word_t extra
		) {
		decaf_dsword_t chain = 0;
		unsigned int i;
		for (i=0; i<SCALAR_LIMBS; i++) {
		chain = (chain + accum[i]) - sub->limb[i];
		out->limb[i] = chain;
		chain >>= WBITS;
		}
		decaf_word_t borrow = chain+extra; /* = 0 or -1 */

		chain = 0;
		for (i=0; i<SCALAR_LIMBS; i++) {
		chain = (chain + out->limb[i]) + (p->limb[i] & borrow);
		out->limb[i] = chain;
		chain >>= WBITS;
		}
		}

		static DECAF_NOINLINE void sc_montmul (
		scalar_t out,
		const scalar_t a,
		const scalar_t b
		) {
		unsigned int i,j;
		decaf_word_t accum[SCALAR_LIMBS+1] = {0};
		decaf_word_t hi_carry = 0;

		for (i=0; i<SCALAR_LIMBS; i++) {
		decaf_word_t mand = a->limb[i];
		const decaf_word_t *mier = b->limb;

		decaf_dword_t chain = 0;
		for (j=0; j<SCALAR_LIMBS; j++) {
		chain += ((decaf_dword_t)mand)*mier[j] + accum[j];
		accum[j] = chain;
		chain >>= WBITS;
		}
		accum[j] = chain;

		mand = accum[0] * MONTGOMERY_FACTOR;
		chain = 0;
		mier = sc_p->limb;
		for (j=0; j<SCALAR_LIMBS; j++) {
		chain += (decaf_dword_t)mand*mier[j] + accum[j];
		if (j) accum[j-1] = chain;
		chain >>= WBITS;
		}
		chain += accum[j];
		chain += hi_carry;
		accum[j-1] = chain;
		hi_carry = chain >> WBITS;
		}

		sc_subx(out, accum, sc_p, sc_p, hi_carry);
		}

		void API_NS(scalar_mul) (
		scalar_t out,
		const scalar_t a,
		const scalar_t b
		) {
		sc_montmul(out,a,b);
		sc_montmul(out,out,sc_r2);
		}

		/* PERF: could implement this */
		static DECAF_INLINE void sc_montsqr (scalar_t out, const scalar_t a) {
		sc_montmul(out,a,a);
		}

		decaf_error_t API_NS(scalar_invert) (
		scalar_t out,
		const scalar_t a
		) {
		/* Fermat's little theorem, sliding window.
		* Sliding window is fine here because the modulus isn't secret.
		*/
		const int SCALAR_WINDOW_BITS = 3;
		scalar_t precmp[1<<SCALAR_WINDOW_BITS];
		const int LAST = (1<<SCALAR_WINDOW_BITS)-1;

		/* Precompute precmp = [a^1,a^3,...] */
		sc_montmul(precmp[0],a,sc_r2);
		if (LAST > 0) sc_montmul(precmp[LAST],precmp[0],precmp[0]);

		int i;
		for (i=1; i<=LAST; i++) {
		sc_montmul(precmp[i],precmp[i-1],precmp[LAST]);
		}

		/* Sliding window */
		unsigned residue = 0, trailing = 0, started = 0;
		for (i=SCALAR_BITS-1; i>=-SCALAR_WINDOW_BITS; i--) {

		if (started) sc_montsqr(out,out);

		decaf_word_t w = (i>=0) ? sc_p->limb[i/WBITS] : 0;
		if (i >= 0 && i<WBITS) {
		assert(w >= 2);
		w-=2;
		}

		residue = (residue<<1) \| ((w>>(i%WBITS))&1);
		if (residue>>SCALAR_WINDOW_BITS != 0) {
		assert(trailing == 0);
		trailing = residue;
		residue = 0;
		}

		if (trailing > 0 && (trailing & ((1<<SCALAR_WINDOW_BITS)-1)) == 0) {
		if (started) {
		sc_montmul(out,out,precmp[trailing>>(SCALAR_WINDOW_BITS+1)]);
		} else {
		API_NS(scalar_copy)(out,precmp[trailing>>(SCALAR_WINDOW_BITS+1)]);
		started = 1;
		}
		trailing = 0;
		}
		trailing <<= 1;

		}
		assert(residue==0);
		assert(trailing==0);

		/* Demontgomerize */
		sc_montmul(out,out,API_NS(scalar_one));
		decaf_bzero(precmp, sizeof(precmp));
		return decaf_succeed_if(~API_NS(scalar_eq)(out,API_NS(scalar_zero)));
		}

		void API_NS(scalar_sub) (
		scalar_t out,
		const scalar_t a,
		const scalar_t b
		) {
		sc_subx(out, a->limb, b, sc_p, 0);
		}

		void API_NS(scalar_add) (
		scalar_t out,
		const scalar_t a,
		const scalar_t b
		) {
		decaf_dword_t chain = 0;
		unsigned int i;
		for (i=0; i<SCALAR_LIMBS; i++) {
		chain = (chain + a->limb[i]) + b->limb[i];
		out->limb[i] = chain;
		chain >>= WBITS;
		}
		sc_subx(out, out->limb, sc_p, sc_p, chain);
		}

		void
		API_NS(scalar_set_unsigned) (
		scalar_t out,
		uint64_t w
		) {
		memset(out,0,sizeof(scalar_t));
		unsigned int i = 0;
		for (; i<sizeof(uint64_t)/sizeof(decaf_word_t); i++) {
		out->limb[i] = w;
		#if DECAF_WORD_BITS < 64
		w >>= 8*sizeof(decaf_word_t);
		#endif
		}
		}

		decaf_bool_t
		API_NS(scalar_eq) (
		const scalar_t a,
		const scalar_t b
		) {
		decaf_word_t diff = 0;
		unsigned int i;
		for (i=0; i<SCALAR_LIMBS; i++) {
		diff \|= a->limb[i] ^ b->limb[i];
		}
		return mask_to_bool(word_is_zero(diff));
		}

		static DECAF_INLINE void scalar_decode_short (
		scalar_t s,
		const unsigned char *ser,
		unsigned int nbytes
		) {
		unsigned int i,j,k=0;
		for (i=0; i<SCALAR_LIMBS; i++) {
		decaf_word_t out = 0;
		for (j=0; j<sizeof(decaf_word_t) && k<nbytes; j++,k++) {
		out \|= ((decaf_word_t)ser[k])<<(8*j);
		}
		s->limb[i] = out;
		}
		}

		decaf_error_t API_NS(scalar_decode)(
		scalar_t s,
		const unsigned char ser[SCALAR_SER_BYTES]
		) {
		unsigned int i;
		scalar_decode_short(s, ser, SCALAR_SER_BYTES);
		decaf_dsword_t accum = 0;
		for (i=0; i<SCALAR_LIMBS; i++) {
		accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS;
		}
		/* Here accum == 0 or -1 */

		API_NS(scalar_mul)(s,s,API_NS(scalar_one)); /* ham-handed reduce */

		return decaf_succeed_if(~word_is_zero(accum));
		}

		void API_NS(scalar_destroy) (
		scalar_t scalar
		) {
		decaf_bzero(scalar, sizeof(scalar_t));
		}

		void API_NS(scalar_decode_long)(
		scalar_t s,
		const unsigned char *ser,
		size_t ser_len
		) {
		if (ser_len == 0) {
		API_NS(scalar_copy)(s, API_NS(scalar_zero));
		return;
		}

		size_t i;
		scalar_t t1, t2;

		i = ser_len - (ser_len%SCALAR_SER_BYTES);
		if (i==ser_len) i -= SCALAR_SER_BYTES;

		scalar_decode_short(t1, &ser[i], ser_len-i);

		if (ser_len == sizeof(scalar_t)) {
		assert(i==0);
		/* ham-handed reduce */
		API_NS(scalar_mul)(s,t1,API_NS(scalar_one));
		API_NS(scalar_destroy)(t1);
		return;
		}

		while (i) {
		i -= SCALAR_SER_BYTES;
		sc_montmul(t1,t1,sc_r2);
		ignore_result( API_NS(scalar_decode)(t2, ser+i) );
		API_NS(scalar_add)(t1, t1, t2);
		}

		API_NS(scalar_copy)(s, t1);
		API_NS(scalar_destroy)(t1);
		API_NS(scalar_destroy)(t2);
		}

		void API_NS(scalar_encode)(
		unsigned char ser[SCALAR_SER_BYTES],
		const scalar_t s
		) {
		unsigned int i,j,k=0;
		for (i=0; i<SCALAR_LIMBS; i++) {
		for (j=0; j<sizeof(decaf_word_t); j++,k++) {
		ser[k] = s->limb[i] >> (8*j);
		}
		}
		}

		void API_NS(scalar_cond_sel) (
		scalar_t out,
		const scalar_t a,
		const scalar_t b,
		decaf_bool_t pick_b
		) {
		constant_time_select(out,a,b,sizeof(scalar_t),bool_to_mask(pick_b),sizeof(out->limb[0]));
		}

		void API_NS(scalar_halve) (
		scalar_t out,
		const scalar_t a
		) {
		decaf_word_t mask = -(a->limb[0] & 1);
		decaf_dword_t chain = 0;
		unsigned int i;
		for (i=0; i<SCALAR_LIMBS; i++) {
		chain = (chain + a->limb[i]) + (sc_p->limb[i] & mask);
		out->limb[i] = chain;
		chain >>= DECAF_WORD_BITS;
		}
		for (i=0; i<SCALAR_LIMBS-1; i++) {
		out->limb[i] = out->limb[i]>>1 \| out->limb[i+1]<<(WBITS-1);
		}
		out->limb[i] = out->limb[i]>>1 \| chain<<(WBITS-1);
		}

crypto/ec/curve448/GENERATED/c/p448/f_field.h

0 → 100644

+110 −0

Original line number	Diff line number	Diff line
		/**
		* @file p448/f_field.h
		* @author Mike Hamburg
		*
		* @copyright
		* Copyright (c) 2015-2016 Cryptography Research, Inc. \n
		* Released under the MIT License. See LICENSE.txt for license information.
		*
		* @brief Field-specific code for 2^448 - 2^224 - 1.
		*
		* @warning This file was automatically generated in Python.
		* Please do not edit it.
		*/

		#ifndef __P448_F_FIELD_H__
		#define __P448_F_FIELD_H__ 1

		#include "constant_time.h"
		#include <string.h>
		#include <assert.h>

		#include "word.h"

		#define __DECAF_448_GF_DEFINED__ 1
		#define NLIMBS (64/sizeof(word_t))
		#define X_SER_BYTES 56
		#define SER_BYTES 56
		typedef struct gf_448_s {
		word_t limb[NLIMBS];
		} __attribute__((aligned(32))) gf_448_s, gf_448_t[1];

		#define GF_LIT_LIMB_BITS 56
		#define GF_BITS 448
		#define ZERO gf_448_ZERO
		#define ONE gf_448_ONE
		#define MODULUS gf_448_MODULUS
		#define gf gf_448_t
		#define gf_s gf_448_s
		#define gf_eq gf_448_eq
		#define gf_hibit gf_448_hibit
		#define gf_lobit gf_448_lobit
		#define gf_copy gf_448_copy
		#define gf_add gf_448_add
		#define gf_sub gf_448_sub
		#define gf_add_RAW gf_448_add_RAW
		#define gf_sub_RAW gf_448_sub_RAW
		#define gf_bias gf_448_bias
		#define gf_weak_reduce gf_448_weak_reduce
		#define gf_strong_reduce gf_448_strong_reduce
		#define gf_mul gf_448_mul
		#define gf_sqr gf_448_sqr
		#define gf_mulw_unsigned gf_448_mulw_unsigned
		#define gf_isr gf_448_isr
		#define gf_serialize gf_448_serialize
		#define gf_deserialize gf_448_deserialize

		/* RFC 7748 support */
		#define X_PUBLIC_BYTES X_SER_BYTES
		#define X_PRIVATE_BYTES X_PUBLIC_BYTES
		#define X_PRIVATE_BITS 448

		#define SQRT_MINUS_ONE P448_SQRT_MINUS_ONE /* might not be defined */

		#define INLINE_UNUSED __inline__ __attribute__((unused,always_inline))

		#ifdef __cplusplus
		extern "C" {
		#endif

		/* Defined below in f_impl.h */
		static INLINE_UNUSED void gf_copy (gf out, const gf a) { out = a; }
		static INLINE_UNUSED void gf_add_RAW (gf out, const gf a, const gf b);
		static INLINE_UNUSED void gf_sub_RAW (gf out, const gf a, const gf b);
		static INLINE_UNUSED void gf_bias (gf inout, int amount);
		static INLINE_UNUSED void gf_weak_reduce (gf inout);

		void gf_strong_reduce (gf inout);
		void gf_add (gf out, const gf a, const gf b);
		void gf_sub (gf out, const gf a, const gf b);
		void gf_mul (gf_s *__restrict__ out, const gf a, const gf b);
		void gf_mulw_unsigned (gf_s *__restrict__ out, const gf a, uint32_t b);
		void gf_sqr (gf_s *__restrict__ out, const gf a);
		mask_t gf_isr(gf a, const gf x); /** a^2 x = 1, QNR, or 0 if x=0. Return true if successful */
		mask_t gf_eq (const gf x, const gf y);
		mask_t gf_lobit (const gf x);
		mask_t gf_hibit (const gf x);

		void gf_serialize (uint8_t *serial, const gf x,int with_highbit);
		mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES],int with_hibit,uint8_t hi_nmask);


		#ifdef __cplusplus
		} /* extern "C" */
		#endif

		#include "f_impl.h" /* Bring in the inline implementations */

		#define P_MOD_8 7
		#if P_MOD_8 == 5
		extern const gf SQRT_MINUS_ONE;
		#endif

		#ifndef LIMBPERM
		#define LIMBPERM(i) (i)
		#endif
		#define LIMB_MASK(i) (((1ull)<<LIMB_PLACE_VALUE(i))-1)

		static const gf ZERO = {{{0}}}, ONE = {{{ [LIMBPERM(0)] = 1 }}};

		#endif /* __P448_F_FIELD_H__ */