Diffstat (limited to 'crypto/ec/ecp_nistp521.c')
-rw-r--r-- | crypto/ec/ecp_nistp521.c | 78 |
1 files changed, 52 insertions, 26 deletions
diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c index 178b655f7f..7ff3a0b1be 100644 --- a/crypto/ec/ecp_nistp521.c +++ b/crypto/ec/ecp_nistp521.c @@ -109,7 +109,8 @@ static const felem_bytearray nistp521_curve_params[5] = 0x66, 0x50} }; -/* The representation of field elements. +/*- + * The representation of field elements. * ------------------------------------ * * We represent field elements with nine values. These values are either 64 or @@ -291,7 +292,8 @@ static void felem_scalar128(largefelem out, limb scalar) out[8] *= scalar; } -/* felem_neg sets |out| to |-in| +/*- + * felem_neg sets |out| to |-in| * On entry: * in[i] < 2^59 + 2^14 * On exit: @@ -314,7 +316,8 @@ static void felem_neg(felem out, const felem in) out[8] = two62m2 - in[8]; } -/* felem_diff64 subtracts |in| from |out| +/*- + * felem_diff64 subtracts |in| from |out| * On entry: * in[i] < 2^59 + 2^14 * On exit: @@ -337,7 +340,8 @@ static void felem_diff64(felem out, const felem in) out[8] += two62m2 - in[8]; } -/* felem_diff_128_64 subtracts |in| from |out| +/*- + * felem_diff_128_64 subtracts |in| from |out| * On entry: * in[i] < 2^62 + 2^17 * On exit: @@ -360,7 +364,8 @@ static void felem_diff_128_64(largefelem out, const felem in) out[8] += two63m5 - in[8]; } -/* felem_diff_128_64 subtracts |in| from |out| +/*- + * felem_diff_128_64 subtracts |in| from |out| * On entry: * in[i] < 2^126 * On exit: @@ -383,7 +388,8 @@ static void felem_diff128(largefelem out, const largefelem in) out[8] += (two127m69 - in[8]); } -/* felem_square sets |out| = |in|^2 +/*- + * felem_square sets |out| = |in|^2 * On entry: * in[i] < 2^62 * On exit: @@ -395,7 +401,8 @@ static void felem_square(largefelem out, const felem in) felem_scalar(inx2, in, 2); felem_scalar(inx4, in, 4); - /* We have many cases were we want to do + /*- + * We have many cases were we want to do * in[x] * in[y] + * in[y] * in[x] * This is obviously just 
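Review bot: The header comment for felem_diff128 still names the wrong function on the new side: the hunk at -383 rewrites it as `/*-` followed by ` * felem_diff_128_64 subtracts |in| from |out|`, repeating the heading of the preceding function, while the definition below is `static void felem_diff128(largefelem out, const largefelem in)`. Since the commit already re-touches that line, it should read ` * felem_diff128 subtracts |in| from |out|`. These headers carry the per-limb bounds (here `in[i] < 2^126`) that justify overflow-freedom of the 128-bit intermediate arithmetic, so a mislabelled header is easy to misapply when auditing the bounds chain in point_double. The body of felem_diff128 continues outside the hunk.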
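Review bot: The comment being re-wrapped inside felem_square has a typo on the new `+` line at hunk -395: `* We have many cases were we want to do` should read `* We have many cases where we want to do`. The line is already rewritten to sit under the new `/*-` opener, so fixing the word in the same commit avoids touching it again. felem_square's body starts and ends outside this hunk.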
@@ -474,7 +481,8 @@ static void felem_square(largefelem out, const felem in) out[7] += ((uint128_t) in[8]) * inx2[8]; } -/* felem_mul sets |out| = |in1| * |in2| +/*- + * felem_mul sets |out| = |in1| * |in2| * On entry: * in1[i] < 2^64 * in2[i] < 2^63 @@ -589,7 +597,8 @@ static void felem_mul(largefelem out, const felem in1, const felem in2) static const limb bottom52bits = 0xfffffffffffff; -/* felem_reduce converts a largefelem to an felem. +/*- + * felem_reduce converts a largefelem to an felem. * On entry: * in[i] < 2^128 * On exit: @@ -677,7 +686,8 @@ static void felem_mul_reduce(felem out, const felem in1, const felem in2) felem_reduce(out, tmp); } -/* felem_inv calculates |out| = |in|^{-1} +/*- + * felem_inv calculates |out| = |in|^{-1} * * Based on Fermat's Little Theorem: * a^p = a (mod p) @@ -769,7 +779,8 @@ static const felem kPrime = 0x03ffffffffffffff, 0x03ffffffffffffff, 0x01ffffffffffffff }; -/* felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0 +/*- + * felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0 * otherwise. * On entry: * in[i] < 2^59 + 2^14 @@ -834,7 +845,8 @@ static int felem_is_zero_int(const felem in) return (int) (felem_is_zero(in) & ((limb)1)); } -/* felem_contract converts |in| to its unique, minimal representation. +/*- + * felem_contract converts |in| to its unique, minimal representation. * On entry: * in[i] < 2^59 + 2^14 */ 
@@ -930,14 +942,16 @@ static void felem_contract(felem out, const felem in) sign = -(out[7] >> 63); out[7] += (two58 & sign); out[8] -= (1 & sign); } -/* Group operations +/*- + * Group operations * ---------------- * * Building on top of the field operations we have the operations on the * elliptic curve group itself. Points on the curve are represented in Jacobian * coordinates */ -/* point_double calcuates 2*(x_in, y_in, z_in) +/*- + * point_double calcuates 2*(x_in, y_in, z_in) * * The method is taken from: * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b @@ -974,11 +988,13 @@ point_double(felem x_out, felem y_out, felem z_out, felem_scalar64(ftmp2, 3); /* ftmp2[i] < 3*2^60 + 3*2^15 */ felem_mul(tmp, ftmp, ftmp2); - /* tmp[i] < 17(3*2^121 + 3*2^76) + /*- + * tmp[i] < 17(3*2^121 + 3*2^76) * = 61*2^121 + 61*2^76 * < 64*2^121 + 64*2^76 * = 2^127 + 2^82 - * < 2^128 */ + * < 2^128 + */ felem_reduce(alpha, tmp); /* x' = alpha^2 - 8*beta */ 
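Review bot: The new ` * point_double calcuates 2*(x_in, y_in, z_in)` line in the hunk at -930 carries over the misspelling from the removed line; it should be ` * point_double calculates 2*(x_in, y_in, z_in)`. The `/*-` opener is presumably there to stop the indent tool from re-flowing these hand-aligned bound comments, which are the only record of the limb-size invariants the constant-time field code relies on; a one-line remark in the file header naming that convention would help future contributors preserve it. point_double's body lies outside this hunk.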
@@ -1011,22 +1027,30 @@ point_double(felem x_out, felem y_out, felem z_out, felem_diff64(beta, x_out); /* beta[i] < 2^61 + 2^60 + 2^16 */ felem_mul(tmp, alpha, beta); - /* tmp[i] < 17*((2^59 + 2^14)(2^61 + 2^60 + 2^16)) + /*- + * tmp[i] < 17*((2^59 + 2^14)(2^61 + 2^60 + 2^16)) * = 17*(2^120 + 2^75 + 2^119 + 2^74 + 2^75 + 2^30) * = 17*(2^120 + 2^119 + 2^76 + 2^74 + 2^30) - * < 2^128 */ + * < 2^128 + */ felem_square(tmp2, gamma); - /* tmp2[i] < 17*(2^59 + 2^14)^2 - * = 17*(2^118 + 2^74 + 2^28) */ + /*- + * tmp2[i] < 17*(2^59 + 2^14)^2 + * = 17*(2^118 + 2^74 + 2^28) + */ felem_scalar128(tmp2, 8); - /* tmp2[i] < 8*17*(2^118 + 2^74 + 2^28) + /*- + * tmp2[i] < 8*17*(2^118 + 2^74 + 2^28) * = 2^125 + 2^121 + 2^81 + 2^77 + 2^35 + 2^31 - * < 2^126 */ + * < 2^126 + */ felem_diff128(tmp, tmp2); - /* tmp[i] < 2^127 - 2^69 + 17(2^120 + 2^119 + 2^76 + 2^74 + 2^30) + /*- + * tmp[i] < 2^127 - 2^69 + 17(2^120 + 2^119 + 2^76 + 2^74 + 2^30) * = 2^127 + 2^124 + 2^122 + 2^120 + 2^118 + 2^80 + 2^78 + 2^76 + * 2^74 + 2^69 + 2^34 + 2^30 - * < 2^128 */ + * < 2^128 + */ felem_reduce(y_out, tmp); } @@ -1042,7 +1066,8 @@ copy_conditional(felem out, const felem in, limb mask) } } -/* point_add calcuates (x1, y1, z1) + (x2, y2, z2) +/*- + * point_add calcuates (x1, y1, z1) + (x2, y2, z2) * * The method is taken from * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl, @@ -1205,7 +1230,8 @@ static void point_add(felem x3, felem y3, felem z3, felem_assign(z3, z_out); } -/* Base point pre computation +/*- + * Base point pre computation * -------------------------- * * Two different sorts of precomputed tables are used in the following code. |
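Review bot: The same misspelling appears in the point_add header rewritten at hunk -1042: the new line ` * point_add calcuates (x1, y1, z1) + (x2, y2, z2)` should read ` * point_add calculates (x1, y1, z1) + (x2, y2, z2)`. The commit changes only comment delimiters and wrapping, so folding the spelling fix in is safe and keeps the header searchable by its correct wording. point_add's body is outside this hunk.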