}
void gf_mulw_unsigned (gf_s *__restrict__ cs, const gf as, uint32_t b) {
- assert(b<1<<28);
-
const uint32_t *a = as->limb;
uint32_t *c = cs->limb;
-
uint64_t accum0 = 0, accum8 = 0;
- uint32_t mask = (1ull<<28)-1;
-
+ uint32_t mask = (1<<28)-1;
int i;
+
+ assert(b<1<<28);
+
FOR_LIMB(i,0,8,{
accum0 += widemul(b, a[i]);
accum8 += widemul(b, a[i+8]);
*/
#define GF_HEADROOM 2
-#define LIMB(x) (x##ull)&((1ull<<28)-1), (x##ull)>>28
+#define LIMB(x) (x)&((1<<28)-1), (x)>>28
#define FIELD_LITERAL(a,b,c,d,e,f,g,h) \
{{LIMB(a),LIMB(b),LIMB(c),LIMB(d),LIMB(e),LIMB(f),LIMB(g),LIMB(h)}}
#define LIMB_PLACE_VALUE(i) 28
void gf_add_RAW (gf out, const gf a, const gf b) {
- for (unsigned int i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
+ unsigned int i;
+
+ for (i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
out->limb[i] = a->limb[i] + b->limb[i];
}
}
void gf_sub_RAW (gf out, const gf a, const gf b) {
- for (unsigned int i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
+ unsigned int i;
+
+ for (i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
out->limb[i] = a->limb[i] - b->limb[i];
}
}
-void gf_bias (gf a, int amt) {
- uint32_t co1 = ((1ull<<28)-1)*amt, co2 = co1-amt;
- for (unsigned int i=0; i<sizeof(*a)/sizeof(a->limb[0]); i++) {
+void gf_bias (gf a, int amt) {
+ unsigned int i;
+ uint32_t co1 = ((1<<28)-1)*amt, co2 = co1-amt;
+
+ for (i=0; i<sizeof(*a)/sizeof(a->limb[0]); i++) {
a->limb[i] += (i==sizeof(*a)/sizeof(a->limb[0])/2) ? co2 : co1;
}
}
void gf_weak_reduce (gf a) {
- uint32_t mask = (1ull<<28) - 1;
+ uint32_t mask = (1<<28) - 1;
uint32_t tmp = a->limb[15] >> 28;
+ unsigned int i;
+
a->limb[8] += tmp;
- for (unsigned int i=15; i>0; i--) {
+ for (i=15; i>0; i--) {
a->limb[i] = (a->limb[i] & mask) + (a->limb[i-1]>>28);
}
a->limb[0] = (a->limb[0] & mask) + tmp;
memset(out, 0, elem_bytes);
for (j=0; j<n_table; j++, big_i-=big_one) {
big_register_t br_mask = br_is_zero(big_i);
+ word_t mask;
+
for (k=0; k<=elem_bytes-sizeof(big_register_t); k+=sizeof(big_register_t)) {
if (elem_bytes % sizeof(big_register_t)) {
/* unaligned */
}
}
- word_t mask = word_is_zero(idx^j);
+ mask = word_is_zero(idx^j);
if (elem_bytes % sizeof(big_register_t) >= sizeof(word_t)) {
for (; k<=elem_bytes-sizeof(word_t); k+=sizeof(word_t)) {
if (elem_bytes % sizeof(word_t)) {
unsigned char *a = (unsigned char *)a_;
const unsigned char *bTrue = (const unsigned char *)bTrue_;
const unsigned char *bFalse = (const unsigned char *)bFalse_;
+ word_t k;
+ big_register_t br_mask = br_set_to_mask(mask);
alignment_bytes |= elem_bytes;
- word_t k;
- big_register_t br_mask = br_set_to_mask(mask);
for (k=0; k<=elem_bytes-sizeof(big_register_t); k+=sizeof(big_register_t)) {
if (alignment_bytes % sizeof(big_register_t)) {
/* unaligned */
const uint8_t decaf_x448_base_point[DECAF_X448_PUBLIC_BYTES] = { 0x05 };
-#define RISTRETTO_FACTOR DECAF_448_RISTRETTO_FACTOR
-const gf RISTRETTO_FACTOR = {{{
- 0x42ef0f45572736, 0x7bf6aa20ce5296, 0xf4fd6eded26033, 0x968c14ba839a66, 0xb8d54b64a2d780, 0x6aa0a1f1a7b8a5, 0x683bf68d722fa2, 0x22d962fbeb24f7
-}}};
-
#define TWISTED_D ((EDWARDS_D)-1)
/** Inverse. */
static void
gf_invert(gf y, const gf x, int assert_nonzero) {
+ mask_t ret;
+
gf t1, t2;
- gf_sqr(t1, x); // o^2
- mask_t ret = gf_isr(t2, t1); // +-1/sqrt(o^2) = +-1/o
+ gf_sqr(t1, x); /* o^2 */
+ ret = gf_isr(t2, t1); /* +-1/sqrt(o^2) = +-1/o */
(void)ret;
if (assert_nonzero) assert(ret);
gf_sqr(t1, t2);
- gf_mul(t2, t1, x); // not direct to y in case of alias.
+ gf_mul(t2, t1, x); /* not direct to y in case of alias. */
gf_copy(y, t2);
}
}
decaf_bool_t curve448_point_eq ( const curve448_point_t p, const curve448_point_t q ) {
+ mask_t succ;
+
/* equality mod 2-torsion compares x/y */
gf a, b;
gf_mul ( a, p->y, q->x );
gf_mul ( b, q->y, p->x );
- mask_t succ = gf_eq(a,b);
+ succ = gf_eq(a,b);
return mask_to_bool(succ);
}
decaf_bool_t curve448_point_valid (
const curve448_point_t p
) {
+ mask_t out;
+
gf a,b,c;
gf_mul(a,p->x,p->y);
gf_mul(b,p->z,p->t);
- mask_t out = gf_eq(a,b);
+ out = gf_eq(a,b);
gf_sqr(a,p->x);
gf_sqr(b,p->y);
gf_sub(a,b,a);
int i;
unsigned j,k;
const unsigned int n = COMBS_N, t = COMBS_T, s = COMBS_S;
+ niels_t ni;
curve448_scalar_t scalar1x;
curve448_scalar_add(scalar1x, scalar, precomputed_scalarmul_adjustment);
curve448_scalar_halve(scalar1x,scalar1x);
- niels_t ni;
-
for (i=s-1; i>=0; i--) {
if (i != (int)s-1) point_double_internal(out,out,0);
for (j=0; j<n; j++) {
int tab = 0;
+ mask_t invert;
for (k=0; k<t; k++) {
unsigned int bit = i + s*(k + j*t);
}
}
- mask_t invert = (tab>>(t-1))-1;
+ invert = (tab>>(t-1))-1;
tab ^= invert;
tab &= (1<<(t-1)) - 1;
const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]
) {
uint8_t enc2[DECAF_EDDSA_448_PUBLIC_BYTES];
+ mask_t low;
+ mask_t succ;
+
memcpy(enc2,enc,sizeof(enc2));
- mask_t low = ~word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1] & 0x80);
+ low = ~word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1] & 0x80);
enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1] &= ~0x80;
- mask_t succ = gf_deserialize(p->y, enc2, 1, 0);
+ succ = gf_deserialize(p->y, enc2, 1, 0);
#if 0 == 0
succ &= word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1]);
#endif
const uint8_t scalar[X_PRIVATE_BYTES]
) {
gf x1, x2, z2, x3, z3, t1, t2;
+ int t;
+ mask_t swap = 0;
+ mask_t nz;
+
ignore_result(gf_deserialize(x1,base,1,0));
gf_copy(x2,ONE);
gf_copy(z2,ZERO);
gf_copy(x3,x1);
gf_copy(z3,ONE);
- int t;
- mask_t swap = 0;
-
for (t = X_PRIVATE_BITS-1; t>=0; t--) {
uint8_t sb = scalar[t/8];
+ mask_t k_t;
/* Scalar conditioning */
if (t/8==0) sb &= -(uint8_t)COFACTOR;
else if (t == X_PRIVATE_BITS-1) sb = -1;
- mask_t k_t = (sb>>(t%8)) & 1;
+ k_t = (sb>>(t%8)) & 1;
k_t = -k_t; /* set to all 0s or all 1s */
swap ^= k_t;
gf_invert(z2,z2,0);
gf_mul(x1,x2,z2);
gf_serialize(out,x1,1);
- mask_t nz = ~gf_eq(x1,ZERO);
+ nz = ~gf_eq(x1,ZERO);
OPENSSL_cleanse(x1,sizeof(x1));
OPENSSL_cleanse(x2,sizeof(x2));
) {
/* Scalar conditioning */
uint8_t scalar2[X_PRIVATE_BYTES];
+ curve448_scalar_t the_scalar;
+ curve448_point_t p;
+ unsigned int i;
+
memcpy(scalar2,scalar,sizeof(scalar2));
scalar2[0] &= -(uint8_t)COFACTOR;
scalar2[X_PRIVATE_BYTES-1] &= ~(-1u<<((X_PRIVATE_BITS+7)%8));
scalar2[X_PRIVATE_BYTES-1] |= 1<<((X_PRIVATE_BITS+7)%8);
- curve448_scalar_t the_scalar;
curve448_scalar_decode_long(the_scalar,scalar2,sizeof(scalar2));
/* Compensate for the encoding ratio */
- for (unsigned i=1; i<DECAF_X448_ENCODE_RATIO; i<<=1) {
+ for (i=1; i<DECAF_X448_ENCODE_RATIO; i<<=1) {
curve448_scalar_halve(the_scalar,the_scalar);
}
- curve448_point_t p;
curve448_precomputed_scalarmul(p,curve448_precomputed_base,the_scalar);
curve448_point_mul_by_ratio_and_encode_like_x448(out,p);
curve448_point_destroy(p);
) {
unsigned int table_size = DECAF_448_SCALAR_BITS/(table_bits+1) + 3;
int position = table_size - 1; /* at the end */
-
+ uint64_t current = scalar->limb[0] & 0xFFFF;
+ uint32_t mask = (1<<(table_bits+1))-1;
+ unsigned int w;
+ const unsigned int B_OVER_16 = sizeof(scalar->limb[0]) / 2;
+ unsigned int n, i;
+
/* place the end marker */
control[position].power = -1;
control[position].addend = 0;
* in the actual code that uses it, all for an expected reduction of like 1/5 op.
* Probably not worth it.
*/
-
- uint64_t current = scalar->limb[0] & 0xFFFF;
- uint32_t mask = (1<<(table_bits+1))-1;
- unsigned int w;
- const unsigned int B_OVER_16 = sizeof(scalar->limb[0]) / 2;
for (w = 1; w<(DECAF_448_SCALAR_BITS-1)/16+3; w++) {
if (w < (DECAF_448_SCALAR_BITS-1)/16+1) {
/* Refill the 16 high bits of current */
}
while (current & 0xFFFF) {
- assert(position >= 0);
uint32_t pos = __builtin_ctz((uint32_t)current), odd = (uint32_t)current >> pos;
int32_t delta = odd & mask;
+
+ assert(position >= 0);
if (odd & 1<<(table_bits+1)) delta -= (1<<(table_bits+1));
current -= delta << pos;
control[position].power = pos + 16*(w-1);
assert(current==0);
position++;
- unsigned int n = table_size - position;
- unsigned int i;
+ n = table_size - position;
for (i=0; i<n; i++) {
control[i] = control[i+position];
}
) {
curve448_point_t tmp;
int i;
+ pniels_t twop;
+
pt_to_pniels(output[0], working);
if (tbits == 0) return;
curve448_point_double(tmp,working);
- pniels_t twop;
pt_to_pniels(twop, tmp);
add_pniels_to_pt(tmp, output[0],0);
) {
const int table_bits_var = DECAF_WNAF_VAR_TABLE_BITS,
table_bits_pre = DECAF_WNAF_FIXED_TABLE_BITS;
- struct smvt_control control_var[DECAF_448_SCALAR_BITS/(table_bits_var+1)+3];
- struct smvt_control control_pre[DECAF_448_SCALAR_BITS/(table_bits_pre+1)+3];
-
+ struct smvt_control control_var[DECAF_448_SCALAR_BITS/(DECAF_WNAF_VAR_TABLE_BITS+1)+3];
+ struct smvt_control control_pre[DECAF_448_SCALAR_BITS/(DECAF_WNAF_FIXED_TABLE_BITS+1)+3];
int ncb_pre = recode_wnaf(control_pre, scalar1, table_bits_pre);
int ncb_var = recode_wnaf(control_var, scalar2, table_bits_var);
-
- pniels_t precmp_var[1<<table_bits_var];
+ pniels_t precmp_var[1<<DECAF_WNAF_VAR_TABLE_BITS];
+ int contp=0, contv=0, i;
+
prepare_wnaf_table(precmp_var, base2, table_bits_var);
-
- int contp=0, contv=0, i = control_var[0].power;
+ i = control_var[0].power;
if (i < 0) {
curve448_point_copy(combo, curve448_point_identity);
static void clamp (
uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES]
) {
+ uint8_t hibit = (1<<0)>>1;
+
/* Blarg */
secret_scalar_ser[0] &= -COFACTOR;
- uint8_t hibit = (1<<0)>>1;
if (hibit == 0) {
secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] = 0;
secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
size_t context_len
) {
const char *dom_s = "SigEd448";
- const uint8_t dom[2] = {
- 2 + word_is_zero(prehashed) + word_is_zero(for_prehash),
- (uint8_t)context_len
- };
+ uint8_t dom[2];
+
+ dom[0] = 2 + word_is_zero(prehashed) + word_is_zero(for_prehash);
+ dom[1] = (uint8_t)context_len;
if (context_len > UINT8_MAX)
return DECAF_FAILURE;
) {
/* only this much used for keygen */
uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES];
-
+ curve448_scalar_t secret_scalar;
+ unsigned int c;
+ curve448_point_t p;
+
if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey,
DECAF_EDDSA_448_PRIVATE_BYTES)) {
return DECAF_FAILURE;
}
clamp(secret_scalar_ser);
-
- curve448_scalar_t secret_scalar;
+
curve448_scalar_decode_long(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser));
/* Since we are going to mul_by_cofactor during encoding, divide by it here.
* the decaf base point is on Etwist_d, and when converted it effectively
* picks up a factor of 2 from the isogenies. So we might start at 2 instead of 1.
*/
- for (unsigned int c=1; c<DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
+ for (c=1; c<DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
curve448_scalar_halve(secret_scalar,secret_scalar);
}
- curve448_point_t p;
curve448_precomputed_scalarmul(p,curve448_precomputed_base,secret_scalar);
curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p);
curve448_scalar_t secret_scalar;
EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
decaf_error_t ret = DECAF_FAILURE;
+ curve448_scalar_t nonce_scalar;
+ uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] = {0};
+ unsigned int c;
+ curve448_scalar_t challenge_scalar;
if (hashctx == NULL)
return DECAF_FAILURE;
}
/* Decode the nonce */
- curve448_scalar_t nonce_scalar;
{
uint8_t nonce[2*DECAF_EDDSA_448_PRIVATE_BYTES];
curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce));
OPENSSL_cleanse(nonce, sizeof(nonce));
}
-
- uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] = {0};
+
{
/* Scalarmul to create the nonce-point */
curve448_scalar_t nonce_scalar_2;
+ curve448_point_t p;
+
curve448_scalar_halve(nonce_scalar_2,nonce_scalar);
- for (unsigned int c = 2; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
+ for (c = 2; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
curve448_scalar_halve(nonce_scalar_2,nonce_scalar_2);
}
-
- curve448_point_t p;
+
curve448_precomputed_scalarmul(p,curve448_precomputed_base,nonce_scalar_2);
curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p);
curve448_point_destroy(p);
curve448_scalar_destroy(nonce_scalar_2);
}
-
- curve448_scalar_t challenge_scalar;
+
{
uint8_t challenge[2*DECAF_EDDSA_448_PRIVATE_BYTES];
) {
curve448_point_t pk_point, r_point;
decaf_error_t error = curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point,pubkey);
+ curve448_scalar_t challenge_scalar;
+ curve448_scalar_t response_scalar;
+ unsigned int c;
+
if (DECAF_SUCCESS != error) { return error; }
error = curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point,signature);
if (DECAF_SUCCESS != error) { return error; }
- curve448_scalar_t challenge_scalar;
{
/* Compute the challenge */
EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
OPENSSL_cleanse(challenge,sizeof(challenge));
}
curve448_scalar_sub(challenge_scalar, curve448_scalar_zero, challenge_scalar);
-
- curve448_scalar_t response_scalar;
+
curve448_scalar_decode_long(
response_scalar,
&signature[DECAF_EDDSA_448_PUBLIC_BYTES],
DECAF_EDDSA_448_PRIVATE_BYTES
);
- for (unsigned c=1; c<DECAF_448_EDDSA_DECODE_RATIO; c<<=1) {
+ for (c=1; c<DECAF_448_EDDSA_DECODE_RATIO; c<<=1) {
curve448_scalar_add(response_scalar,response_scalar,response_scalar);
}
#ifndef LIMBPERM
#define LIMBPERM(i) (i)
#endif
-#define LIMB_MASK(i) (((1ull)<<LIMB_PLACE_VALUE(i))-1)
+#define LIMB_MASK(i) (((1)<<LIMB_PLACE_VALUE(i))-1)
-static const gf ZERO = {{{0}}}, ONE = {{{ [LIMBPERM(0)] = 1 }}};
+static const gf ZERO = {{{0}}}, ONE = {{{1}}};
#endif /* __P448_F_FIELD_H__ */
/** Serialize to wire format. */
void gf_serialize (uint8_t serial[SER_BYTES], const gf x, int with_hibit) {
+ unsigned int j=0, fill=0;
+ dword_t buffer = 0;
+ unsigned int i;
gf red;
+
gf_copy(red, x);
gf_strong_reduce(red);
if (!with_hibit) { assert(gf_hibit(red) == 0); }
-
- unsigned int j=0, fill=0;
- dword_t buffer = 0;
- UNROLL for (unsigned int i=0; i<(with_hibit ? X_SER_BYTES : SER_BYTES); i++) {
+
+ UNROLL for (i=0; i<(with_hibit ? X_SER_BYTES : SER_BYTES); i++) {
if (fill < 8 && j < NLIMBS) {
buffer |= ((dword_t)red->limb[LIMBPERM(j)]) << fill;
fill += LIMB_PLACE_VALUE(LIMBPERM(j));
dword_t buffer = 0;
dsword_t scarry = 0;
const unsigned nbytes = with_hibit ? X_SER_BYTES : SER_BYTES;
- UNROLL for (unsigned int i=0; i<NLIMBS; i++) {
+ unsigned int i;
+ mask_t succ;
+
+ UNROLL for (i=0; i<NLIMBS; i++) {
UNROLL while (fill < LIMB_PLACE_VALUE(LIMBPERM(i)) && j < nbytes) {
uint8_t sj = serial[j];
if (j==nbytes-1) sj &= ~hi_nmask;
buffer >>= LIMB_PLACE_VALUE(LIMBPERM(i));
scarry = (scarry + x->limb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)]) >> (8*sizeof(word_t));
}
- mask_t succ = with_hibit ? -(mask_t)1 : ~gf_hibit(x);
+ succ = with_hibit ? -(mask_t)1 : ~gf_hibit(x);
return succ & word_is_zero(buffer) & ~word_is_zero(scarry);
}
/** Reduce to canonical form. */
void gf_strong_reduce (gf a) {
+ dsword_t scarry;
+ word_t scarry_0;
+ dword_t carry = 0;
+ unsigned int i;
+
/* first, clear high */
gf_weak_reduce(a); /* Determined to have negligible perf impact. */
/* now the total is less than 2p */
/* compute total_value - p. No need to reduce mod p. */
- dsword_t scarry = 0;
- for (unsigned int i=0; i<NLIMBS; i++) {
+ scarry = 0;
+ for (i=0; i<NLIMBS; i++) {
scarry = scarry + a->limb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)];
a->limb[LIMBPERM(i)] = scarry & LIMB_MASK(LIMBPERM(i));
scarry >>= LIMB_PLACE_VALUE(LIMBPERM(i));
*/
assert(word_is_zero(scarry) | word_is_zero(scarry+1));
- word_t scarry_0 = scarry;
- dword_t carry = 0;
+ scarry_0 = scarry;
/* add it back */
- for (unsigned int i=0; i<NLIMBS; i++) {
+ for (i=0; i<NLIMBS; i++) {
carry = carry + a->limb[LIMBPERM(i)] + (scarry_0 & MODULUS->limb[LIMBPERM(i)]);
a->limb[LIMBPERM(i)] = carry & LIMB_MASK(LIMBPERM(i));
carry >>= LIMB_PLACE_VALUE(LIMBPERM(i));
/** Compare a==b */
mask_t gf_eq(const gf a, const gf b) {
gf c;
+ mask_t ret=0;
+ unsigned int i;
+
gf_sub(c,a,b);
gf_strong_reduce(c);
- mask_t ret=0;
- for (unsigned int i=0; i<NLIMBS; i++) {
+
+ for (i=0; i<NLIMBS; i++) {
ret |= c->limb[LIMBPERM(i)];
}
#define gf_add_nr gf_add_RAW
/** Subtract mod p. Bias by 2 and don't reduce */
-static inline void gf_sub_nr ( gf c, const gf a, const gf b ) {
+static ossl_inline void gf_sub_nr ( gf c, const gf a, const gf b ) {
gf_sub_RAW(c,a,b);
gf_bias(c, 2);
if (GF_HEADROOM < 3) gf_weak_reduce(c);
}
/** Subtract mod p. Bias by amt but don't reduce. */
-static inline void gf_subx_nr ( gf c, const gf a, const gf b, int amt ) {
+static ossl_inline void gf_subx_nr ( gf c, const gf a, const gf b, int amt ) {
gf_sub_RAW(c,a,b);
gf_bias(c, amt);
if (GF_HEADROOM < amt+1) gf_weak_reduce(c);
}
/** Mul by signed int. Not constant-time WRT the sign of that int. */
-static inline void gf_mulw(gf c, const gf a, int32_t w) {
+static ossl_inline void gf_mulw(gf c, const gf a, int32_t w) {
if (w>0) {
gf_mulw_unsigned(c, a, w);
} else {
}
/** Constant time, x = is_z ? z : y */
-static inline void gf_cond_sel(gf x, const gf y, const gf z, mask_t is_z) {
+static ossl_inline void gf_cond_sel(gf x, const gf y, const gf z, mask_t is_z) {
constant_time_select(x,y,z,sizeof(gf),is_z,0);
}
/** Constant time, if (neg) x=-x; */
-static inline void gf_cond_neg(gf x, mask_t neg) {
+static ossl_inline void gf_cond_neg(gf x, mask_t neg) {
gf y;
gf_sub(y,ZERO,x);
gf_cond_sel(x,x,y,neg);
}
/** Constant time, if (swap) (x,y) = (y,x); */
-static inline void
+static ossl_inline void
gf_cond_swap(gf x, gf_s *__restrict__ y, mask_t swap) {
constant_time_cond_swap(x,y,sizeof(gf_s),swap);
}
}
-#endif // __GF_H__
+#endif /* __GF_H__ */
* @param [in] a A scalar.
* @param [out] out Will become a copy of a.
*/
-static inline void curve448_scalar_copy (
+static ossl_inline void curve448_scalar_copy (
curve448_scalar_t out,
const curve448_scalar_t a
) {
* @param [out] a A copy of the point.
* @param [in] b Any point.
*/
-static inline void curve448_point_copy (
+static ossl_inline void curve448_point_copy (
curve448_point_t a,
const curve448_point_t b
) {
#include "constant_time.h"
#include "point_448.h"
-static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)0x3bd440fae918bc5ull;
+static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)0x3bd440fae918bc5;
static const curve448_scalar_t sc_p = {{{
SC_LIMB(0x2378c292ab5844f3), SC_LIMB(0x216cc2728dc58f55), SC_LIMB(0xc44edb49aed63690), SC_LIMB(0xffffffff7cca23e9), SC_LIMB(0xffffffffffffffff), SC_LIMB(0xffffffffffffffff), SC_LIMB(0x3fffffffffffffff)
}}}, sc_r2 = {{{
) {
decaf_dsword_t chain = 0;
unsigned int i;
+ decaf_word_t borrow;
+
for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
chain = (chain + accum[i]) - sub->limb[i];
out->limb[i] = chain;
chain >>= WBITS;
}
- decaf_word_t borrow = chain+extra; /* = 0 or -1 */
+ borrow = chain+extra; /* = 0 or -1 */
chain = 0;
for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
const unsigned char ser[DECAF_448_SCALAR_BYTES]
) {
unsigned int i;
- scalar_decode_short(s, ser, DECAF_448_SCALAR_BYTES);
decaf_dsword_t accum = 0;
+
+ scalar_decode_short(s, ser, DECAF_448_SCALAR_BYTES);
for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS;
}
const unsigned char *ser,
size_t ser_len
) {
+ size_t i;
+ curve448_scalar_t t1, t2;
+
if (ser_len == 0) {
curve448_scalar_copy(s, curve448_scalar_zero);
return;
}
-
- size_t i;
- curve448_scalar_t t1, t2;
i = ser_len - (ser_len%DECAF_448_SCALAR_BYTES);
if (i==ser_len) i -= DECAF_448_SCALAR_BYTES;
/* Scalar limbs are keyed off of the API word size instead of the arch word size. */
#if DECAF_WORD_BITS == 64
- #define SC_LIMB(x) (x##ull)
+ #define SC_LIMB(x) (x)
#elif DECAF_WORD_BITS == 32
- #define SC_LIMB(x) ((uint32_t)x##ull),(x##ull>>32)
+ #define SC_LIMB(x) ((uint32_t)x),(x>>32)
#else
#error "For now, libdecaf only supports 32- and 64-bit architectures."
#endif
static ossl_inline mask_t bool_to_mask (decaf_bool_t m) {
/* On most arches this will be optimized to a simple cast. */
mask_t ret = 0;
+ unsigned int i;
+
unsigned int limit = sizeof(decaf_bool_t)/sizeof(mask_t);
if (limit < 1) limit = 1;
- for (unsigned int i=0; i<limit; i++) {
+ for (i=0; i<limit; i++) {
ret |= ~ word_is_zero(m >> (i*8*sizeof(word_t)));
}
return ret;
projects / oweals / openssl.git / commitdiff