summaryrefslogtreecommitdiffstats
path: root/crypto/ec/ecp_nistp521.c
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/ec/ecp_nistp521.c')
-rw-r--r--crypto/ec/ecp_nistp521.c78
1 files changed, 52 insertions, 26 deletions
diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c
index 178b655f7f..7ff3a0b1be 100644
--- a/crypto/ec/ecp_nistp521.c
+++ b/crypto/ec/ecp_nistp521.c
@@ -109,7 +109,8 @@ static const felem_bytearray nistp521_curve_params[5] =
0x66, 0x50}
};
-/* The representation of field elements.
+/*-
+ * The representation of field elements.
* ------------------------------------
*
* We represent field elements with nine values. These values are either 64 or
@@ -291,7 +292,8 @@ static void felem_scalar128(largefelem out, limb scalar)
out[8] *= scalar;
}
-/* felem_neg sets |out| to |-in|
+/*-
+ * felem_neg sets |out| to |-in|
* On entry:
* in[i] < 2^59 + 2^14
* On exit:
@@ -314,7 +316,8 @@ static void felem_neg(felem out, const felem in)
out[8] = two62m2 - in[8];
}
-/* felem_diff64 subtracts |in| from |out|
+/*-
+ * felem_diff64 subtracts |in| from |out|
* On entry:
* in[i] < 2^59 + 2^14
* On exit:
@@ -337,7 +340,8 @@ static void felem_diff64(felem out, const felem in)
out[8] += two62m2 - in[8];
}
-/* felem_diff_128_64 subtracts |in| from |out|
+/*-
+ * felem_diff_128_64 subtracts |in| from |out|
* On entry:
* in[i] < 2^62 + 2^17
* On exit:
@@ -360,7 +364,8 @@ static void felem_diff_128_64(largefelem out, const felem in)
out[8] += two63m5 - in[8];
}
-/* felem_diff_128_64 subtracts |in| from |out|
+/*-
+ * felem_diff_128_64 subtracts |in| from |out|
* On entry:
* in[i] < 2^126
* On exit:
@@ -383,7 +388,8 @@ static void felem_diff128(largefelem out, const largefelem in)
out[8] += (two127m69 - in[8]);
}
-/* felem_square sets |out| = |in|^2
+/*-
+ * felem_square sets |out| = |in|^2
* On entry:
* in[i] < 2^62
* On exit:
@@ -395,7 +401,8 @@ static void felem_square(largefelem out, const felem in)
felem_scalar(inx2, in, 2);
felem_scalar(inx4, in, 4);
- /* We have many cases were we want to do
+ /*-
+ * We have many cases were we want to do
* in[x] * in[y] +
* in[y] * in[x]
* This is obviously just
@@ -474,7 +481,8 @@ static void felem_square(largefelem out, const felem in)
out[7] += ((uint128_t) in[8]) * inx2[8];
}
-/* felem_mul sets |out| = |in1| * |in2|
+/*-
+ * felem_mul sets |out| = |in1| * |in2|
* On entry:
* in1[i] < 2^64
* in2[i] < 2^63
@@ -589,7 +597,8 @@ static void felem_mul(largefelem out, const felem in1, const felem in2)
static const limb bottom52bits = 0xfffffffffffff;
-/* felem_reduce converts a largefelem to an felem.
+/*-
+ * felem_reduce converts a largefelem to an felem.
* On entry:
* in[i] < 2^128
* On exit:
@@ -677,7 +686,8 @@ static void felem_mul_reduce(felem out, const felem in1, const felem in2)
felem_reduce(out, tmp);
}
-/* felem_inv calculates |out| = |in|^{-1}
+/*-
+ * felem_inv calculates |out| = |in|^{-1}
*
* Based on Fermat's Little Theorem:
* a^p = a (mod p)
@@ -769,7 +779,8 @@ static const felem kPrime =
0x03ffffffffffffff, 0x03ffffffffffffff, 0x01ffffffffffffff
};
-/* felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
+/*-
+ * felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
* otherwise.
* On entry:
* in[i] < 2^59 + 2^14
@@ -834,7 +845,8 @@ static int felem_is_zero_int(const felem in)
return (int) (felem_is_zero(in) & ((limb)1));
}
-/* felem_contract converts |in| to its unique, minimal representation.
+/*-
+ * felem_contract converts |in| to its unique, minimal representation.
* On entry:
* in[i] < 2^59 + 2^14
*/
@@ -930,14 +942,16 @@ static void felem_contract(felem out, const felem in)
sign = -(out[7] >> 63); out[7] += (two58 & sign); out[8] -= (1 & sign);
}
-/* Group operations
+/*-
+ * Group operations
* ----------------
*
* Building on top of the field operations we have the operations on the
* elliptic curve group itself. Points on the curve are represented in Jacobian
* coordinates */
-/* point_double calcuates 2*(x_in, y_in, z_in)
+/*-
+ * point_double calcuates 2*(x_in, y_in, z_in)
*
* The method is taken from:
* http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
@@ -974,11 +988,13 @@ point_double(felem x_out, felem y_out, felem z_out,
felem_scalar64(ftmp2, 3);
/* ftmp2[i] < 3*2^60 + 3*2^15 */
felem_mul(tmp, ftmp, ftmp2);
- /* tmp[i] < 17(3*2^121 + 3*2^76)
+ /*-
+ * tmp[i] < 17(3*2^121 + 3*2^76)
* = 61*2^121 + 61*2^76
* < 64*2^121 + 64*2^76
* = 2^127 + 2^82
- * < 2^128 */
+ * < 2^128
+ */
felem_reduce(alpha, tmp);
/* x' = alpha^2 - 8*beta */
@@ -1011,22 +1027,30 @@ point_double(felem x_out, felem y_out, felem z_out,
felem_diff64(beta, x_out);
/* beta[i] < 2^61 + 2^60 + 2^16 */
felem_mul(tmp, alpha, beta);
- /* tmp[i] < 17*((2^59 + 2^14)(2^61 + 2^60 + 2^16))
+ /*-
+ * tmp[i] < 17*((2^59 + 2^14)(2^61 + 2^60 + 2^16))
* = 17*(2^120 + 2^75 + 2^119 + 2^74 + 2^75 + 2^30)
* = 17*(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
- * < 2^128 */
+ * < 2^128
+ */
felem_square(tmp2, gamma);
- /* tmp2[i] < 17*(2^59 + 2^14)^2
- * = 17*(2^118 + 2^74 + 2^28) */
+ /*-
+ * tmp2[i] < 17*(2^59 + 2^14)^2
+ * = 17*(2^118 + 2^74 + 2^28)
+ */
felem_scalar128(tmp2, 8);
- /* tmp2[i] < 8*17*(2^118 + 2^74 + 2^28)
+ /*-
+ * tmp2[i] < 8*17*(2^118 + 2^74 + 2^28)
* = 2^125 + 2^121 + 2^81 + 2^77 + 2^35 + 2^31
- * < 2^126 */
+ * < 2^126
+ */
felem_diff128(tmp, tmp2);
- /* tmp[i] < 2^127 - 2^69 + 17(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
+ /*-
+ * tmp[i] < 2^127 - 2^69 + 17(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
* = 2^127 + 2^124 + 2^122 + 2^120 + 2^118 + 2^80 + 2^78 + 2^76 +
* 2^74 + 2^69 + 2^34 + 2^30
- * < 2^128 */
+ * < 2^128
+ */
felem_reduce(y_out, tmp);
}
@@ -1042,7 +1066,8 @@ copy_conditional(felem out, const felem in, limb mask)
}
}
-/* point_add calcuates (x1, y1, z1) + (x2, y2, z2)
+/*-
+ * point_add calcuates (x1, y1, z1) + (x2, y2, z2)
*
* The method is taken from
* http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
@@ -1205,7 +1230,8 @@ static void point_add(felem x3, felem y3, felem z3,
felem_assign(z3, z_out);
}
-/* Base point pre computation
+/*-
+ * Base point pre computation
* --------------------------
*
* Two different sorts of precomputed tables are used in the following code.