From 67f1cccd7e527e6865ff9e86820c7f2b25da49b4 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 16 Nov 2017 14:08:23 +0000 Subject: Remove some unneeded stuff Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/5105) --- crypto/ec/curve448/decaf.c | 714 +------------------------------------- crypto/ec/curve448/decaf_tables.c | 6 - crypto/ec/curve448/point_448.h | 206 ----------- crypto/ec/curve448/scalar.c | 102 ------ 4 files changed, 1 insertion(+), 1027 deletions(-) (limited to 'crypto/ec') diff --git a/crypto/ec/curve448/decaf.c b/crypto/ec/curve448/decaf.c index d4a093a25b..c751a43199 100644 --- a/crypto/ec/curve448/decaf.c +++ b/crypto/ec/curve448/decaf.c @@ -42,9 +42,7 @@ #define EDDSA_USE_SIGMA_ISOGENY 0 static const int EDWARDS_D = -39081; -static const scalar_t point_scalarmul_adjustment = {{{ - SC_LIMB(0xc873d6d54a7bb0cf), SC_LIMB(0xe933d8d723a70aad), SC_LIMB(0xbb124b65129c96fd), SC_LIMB(0x00000008335dc163) -}}}, precomputed_scalarmul_adjustment = {{{ +static const scalar_t precomputed_scalarmul_adjustment = {{{ SC_LIMB(0xc873d6d54a7bb0cf), SC_LIMB(0xe933d8d723a70aad), SC_LIMB(0xbb124b65129c96fd), SC_LIMB(0x00000008335dc163) }}}; @@ -95,8 +93,6 @@ const gf RISTRETTO_FACTOR = {{{ #define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */ -extern const point_t API_NS(point_base); - /* Projective Niels coordinates */ typedef struct { gf a, b, c; } niels_s, niels_t[1]; typedef struct { niels_t n; gf z; } VECTOR_ALIGNED pniels_s, pniels_t[1]; @@ -108,9 +104,6 @@ extern const gf API_NS(precomputed_base_as_fe)[]; const precomputed_s *API_NS(precomputed_base) = (const precomputed_s *) &API_NS(precomputed_base_as_fe); -const size_t API_NS(sizeof_precomputed_s) = sizeof(precomputed_s); -const size_t API_NS(alignof_precomputed_s) = sizeof(big_register_t); - /** Inverse. */ static void gf_invert(gf y, const gf x, int assert_nonzero) { @@ -127,228 +120,6 @@ gf_invert(gf y, const gf x, int assert_nonzero) { /** identity = (0,1) */ const point_t API_NS(point_identity) = {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}}; -/* Predeclare because not static: called by elligator */ -void API_NS(deisogenize) ( - gf_s *__restrict__ s, - gf_s *__restrict__ inv_el_sum, - gf_s *__restrict__ inv_el_m1, - const point_t p, - mask_t toggle_s, - mask_t toggle_altx, - mask_t toggle_rotation -); - -void API_NS(deisogenize) ( - gf_s *__restrict__ s, - gf_s *__restrict__ inv_el_sum, - gf_s *__restrict__ inv_el_m1, - const point_t p, - mask_t toggle_s, - mask_t toggle_altx, - mask_t toggle_rotation -) { -#if COFACTOR == 4 && !IMAGINE_TWIST - (void)toggle_rotation; /* Only applies to cofactor 8 */ - gf t1; - gf_s *t2 = s, *t3=inv_el_sum, *t4=inv_el_m1; - - gf_add(t1,p->x,p->t); - gf_sub(t2,p->x,p->t); - gf_mul(t3,t1,t2); /* t3 = num */ - gf_sqr(t2,p->x); - gf_mul(t1,t2,t3); - gf_mulw(t2,t1,-1-TWISTED_D); /* -x^2 * (a-d) * num */ - gf_isr(t1,t2); /* t1 = isr */ - gf_mul(t2,t1,t3); /* t2 = ratio */ - gf_mul(t4,t2,RISTRETTO_FACTOR); - mask_t negx = gf_lobit(t4) ^ toggle_altx; - gf_cond_neg(t2, negx); - gf_mul(t3,t2,p->z); - gf_sub(t3,t3,p->t); - gf_mul(t2,t3,p->x); - gf_mulw(t4,t2,-1-TWISTED_D); - gf_mul(s,t4,t1); - mask_t lobs = gf_lobit(s); - gf_cond_neg(s,lobs); - gf_copy(inv_el_m1,p->x); - gf_cond_neg(inv_el_m1,~lobs^negx^toggle_s); - gf_add(inv_el_m1,inv_el_m1,p->t); - -#elif COFACTOR == 8 && IMAGINE_TWIST - /* More complicated because of rotation */ - gf t1,t2,t3,t4,t5; - gf_add(t1,p->z,p->y); - gf_sub(t2,p->z,p->y); - gf_mul(t3,t1,t2); /* t3 = num */ - gf_mul(t2,p->x,p->y); /* t2 = den */ - gf_sqr(t1,t2); - gf_mul(t4,t1,t3); - gf_mulw(t1,t4,-1-TWISTED_D); - gf_isr(t4,t1); /* isqrt(num*(a-d)*den^2) */ - gf_mul(t1,t2,t4); - gf_mul(t2,t1,RISTRETTO_FACTOR); /* t2 = "iden" in ristretto.sage */ - gf_mul(t1,t3,t4); /* t1 = "inum" in ristretto.sage */ - - /* Calculate altxy = iden*inum*i*t^2*(d-a) */ - gf_mul(t3,t1,t2); - gf_mul_i(t4,t3); - gf_mul(t3,t4,p->t); - gf_mul(t4,t3,p->t); - gf_mulw(t3,t4,TWISTED_D+1); /* iden*inum*i*t^2*(d-1) */ - mask_t rotate = toggle_rotation ^ gf_lobit(t3); - - /* Rotate if altxy is negative */ - gf_cond_swap(t1,t2,rotate); - gf_mul_i(t4,p->x); - gf_cond_sel(t4,p->y,t4,rotate); /* t4 = "fac" = ix if rotate, else y */ - - gf_mul_i(t5,RISTRETTO_FACTOR); /* t5 = imi */ - gf_mul(t3,t5,t2); /* iden * imi */ - gf_mul(t2,t5,t1); - gf_mul(t5,t2,p->t); /* "altx" = iden*imi*t */ - mask_t negx = gf_lobit(t5) ^ toggle_altx; - - gf_cond_neg(t1,negx^rotate); - gf_mul(t2,t1,p->z); - gf_add(t2,t2,ONE); - gf_mul(inv_el_sum,t2,t4); - gf_mul(s,inv_el_sum,t3); - - mask_t negs = gf_lobit(s); - gf_cond_neg(s,negs); - - mask_t negz = ~negs ^ toggle_s ^ negx; - gf_copy(inv_el_m1,p->z); - gf_cond_neg(inv_el_m1,negz); - gf_sub(inv_el_m1,inv_el_m1,t4); -#else -#error "Cofactor must be 4 (with no IMAGINE_TWIST) or 8 (with IMAGINE_TWIST)" -#endif -} - -void API_NS(point_encode)( unsigned char ser[SER_BYTES], const point_t p ) { - gf s,ie1,ie2; - API_NS(deisogenize)(s,ie1,ie2,p,0,0,0); - gf_serialize(ser,s,1); -} - -decaf_error_t API_NS(point_decode) ( - point_t p, - const unsigned char ser[SER_BYTES], - decaf_bool_t allow_identity -) { - gf s, s2, num, tmp; - gf_s *tmp2=s2, *ynum=p->z, *isr=p->x, *den=p->t; - - mask_t succ = gf_deserialize(s, ser, 1, 0); - succ &= bool_to_mask(allow_identity) | ~gf_eq(s, ZERO); - succ &= ~gf_lobit(s); - - gf_sqr(s2,s); /* s^2 = -as^2 */ -#if IMAGINE_TWIST - gf_sub(s2,ZERO,s2); /* -as^2 */ -#endif - gf_sub(den,ONE,s2); /* 1+as^2 */ - gf_add(ynum,ONE,s2); /* 1-as^2 */ - gf_mulw(num,s2,-4*TWISTED_D); - gf_sqr(tmp,den); /* tmp = den^2 */ - gf_add(num,tmp,num); /* num = den^2 - 4*d*s^2 */ - gf_mul(tmp2,num,tmp); /* tmp2 = num*den^2 */ - succ &= gf_isr(isr,tmp2); /* isr = 1/sqrt(num*den^2) */ - gf_mul(tmp,isr,den); /* isr*den */ - gf_mul(p->y,tmp,ynum); /* isr*den*(1-as^2) */ - gf_mul(tmp2,tmp,s); /* s*isr*den */ - gf_add(tmp2,tmp2,tmp2); /* 2*s*isr*den */ - gf_mul(tmp,tmp2,isr); /* 2*s*isr^2*den */ - gf_mul(p->x,tmp,num); /* 2*s*isr^2*den*num */ - gf_mul(tmp,tmp2,RISTRETTO_FACTOR); /* 2*s*isr*den*magic */ - gf_cond_neg(p->x,gf_lobit(tmp)); /* flip x */ - -#if COFACTOR==8 - /* Additionally check y != 0 and x*y*isomagic nonegative */ - succ &= ~gf_eq(p->y,ZERO); - gf_mul(tmp,p->x,p->y); - gf_mul(tmp2,tmp,RISTRETTO_FACTOR); - succ &= ~gf_lobit(tmp2); -#endif - -#if IMAGINE_TWIST - gf_copy(tmp,p->x); - gf_mul_i(p->x,tmp); -#endif - - /* Fill in z and t */ - gf_copy(p->z,ONE); - gf_mul(p->t,p->x,p->y); - - assert(API_NS(point_valid)(p) | ~succ); - return decaf_succeed_if(mask_to_bool(succ)); -} - -void API_NS(point_sub) ( - point_t p, - const point_t q, - const point_t r -) { - gf a, b, c, d; - gf_sub_nr ( b, q->y, q->x ); /* 3+e */ - gf_sub_nr ( d, r->y, r->x ); /* 3+e */ - gf_add_nr ( c, r->y, r->x ); /* 2+e */ - gf_mul ( a, c, b ); - gf_add_nr ( b, q->y, q->x ); /* 2+e */ - gf_mul ( p->y, d, b ); - gf_mul ( b, r->t, q->t ); - gf_mulw ( p->x, b, 2*EFF_D ); - gf_add_nr ( b, a, p->y ); /* 2+e */ - gf_sub_nr ( c, p->y, a ); /* 3+e */ - gf_mul ( a, q->z, r->z ); - gf_add_nr ( a, a, a ); /* 2+e */ - if (GF_HEADROOM <= 3) gf_weak_reduce(a); /* or 1+e */ -#if NEG_D - gf_sub_nr ( p->y, a, p->x ); /* 4+e or 3+e */ - gf_add_nr ( a, a, p->x ); /* 3+e or 2+e */ -#else - gf_add_nr ( p->y, a, p->x ); /* 3+e or 2+e */ - gf_sub_nr ( a, a, p->x ); /* 4+e or 3+e */ -#endif - gf_mul ( p->z, a, p->y ); - gf_mul ( p->x, p->y, c ); - gf_mul ( p->y, a, b ); - gf_mul ( p->t, b, c ); -} - -void API_NS(point_add) ( - point_t p, - const point_t q, - const point_t r -) { - gf a, b, c, d; - gf_sub_nr ( b, q->y, q->x ); /* 3+e */ - gf_sub_nr ( c, r->y, r->x ); /* 3+e */ - gf_add_nr ( d, r->y, r->x ); /* 2+e */ - gf_mul ( a, c, b ); - gf_add_nr ( b, q->y, q->x ); /* 2+e */ - gf_mul ( p->y, d, b ); - gf_mul ( b, r->t, q->t ); - gf_mulw ( p->x, b, 2*EFF_D ); - gf_add_nr ( b, a, p->y ); /* 2+e */ - gf_sub_nr ( c, p->y, a ); /* 3+e */ - gf_mul ( a, q->z, r->z ); - gf_add_nr ( a, a, a ); /* 2+e */ - if (GF_HEADROOM <= 3) gf_weak_reduce(a); /* or 1+e */ -#if NEG_D - gf_add_nr ( p->y, a, p->x ); /* 3+e or 2+e */ - gf_sub_nr ( a, a, p->x ); /* 4+e or 3+e */ -#else - gf_sub_nr ( p->y, a, p->x ); /* 4+e or 3+e */ - gf_add_nr ( a, a, p->x ); /* 3+e or 2+e */ -#endif - gf_mul ( p->z, a, p->y ); - gf_mul ( p->x, p->y, c ); - gf_mul ( p->y, a, b ); - gf_mul ( p->t, b, c ); -} - static DECAF_NOINLINE void point_double_internal ( point_t p, @@ -377,16 +148,6 @@ void API_NS(point_double)(point_t p, const point_t q) { point_double_internal(p,q,0); } -void API_NS(point_negate) ( - point_t nega, - const point_t a -) { - gf_sub(nega->x, ZERO, a->x); - gf_copy(nega->y, a->y); - gf_copy(nega->z, a->z); - gf_sub(nega->t, ZERO, a->t); -} - /* Operations on [p]niels */ static DECAF_INLINE void cond_neg_niels ( @@ -499,265 +260,6 @@ sub_pniels_from_pt ( sub_niels_from_pt( p, pn->n, before_double ); } -static DECAF_NOINLINE void -prepare_fixed_window( - pniels_t *multiples, - const point_t b, - int ntable -) { - point_t tmp; - pniels_t pn; - int i; - - point_double_internal(tmp, b, 0); - pt_to_pniels(pn, tmp); - pt_to_pniels(multiples[0], b); - API_NS(point_copy)(tmp, b); - for (i=1; i> 1, - NTABLE = 1<<(WINDOW-1); - - scalar_t scalar1x; - API_NS(scalar_add)(scalar1x, scalar, point_scalarmul_adjustment); - API_NS(scalar_halve)(scalar1x,scalar1x); - - /* Set up a precomputed table with odd multiples of b. */ - pniels_t pn, multiples[NTABLE]; - point_t tmp; - prepare_fixed_window(multiples, b, NTABLE); - - /* Initialize. */ - int i,j,first=1; - i = SCALAR_BITS - ((SCALAR_BITS-1) % WINDOW) - 1; - - for (; i>=0; i-=WINDOW) { - /* Fetch another block of bits */ - word_t bits = scalar1x->limb[i/WBITS] >> (i%WBITS); - if (i%WBITS >= WBITS-WINDOW && i/WBITSlimb[i/WBITS+1] << (WBITS - (i%WBITS)); - } - bits &= WINDOW_MASK; - mask_t inv = (bits>>(WINDOW-1))-1; - bits ^= inv; - - /* Add in from table. Compute t only on last iteration. */ - constant_time_lookup(pn, multiples, sizeof(pn), NTABLE, bits & WINDOW_T_MASK); - cond_neg_niels(pn->n, inv); - if (first) { - pniels_to_pt(tmp, pn); - first = 0; - } else { - /* Using Hisil et al's lookahead method instead of extensible here - * for no particular reason. Double WINDOW times, but only compute t on - * the last one. - */ - for (j=0; j> 1, - NTABLE = 1<<(WINDOW-1); - - scalar_t scalar1x, scalar2x; - API_NS(scalar_add)(scalar1x, scalarb, point_scalarmul_adjustment); - API_NS(scalar_halve)(scalar1x,scalar1x); - API_NS(scalar_add)(scalar2x, scalarc, point_scalarmul_adjustment); - API_NS(scalar_halve)(scalar2x,scalar2x); - - /* Set up a precomputed table with odd multiples of b. */ - pniels_t pn, multiples1[NTABLE], multiples2[NTABLE]; - point_t tmp; - prepare_fixed_window(multiples1, b, NTABLE); - prepare_fixed_window(multiples2, c, NTABLE); - - /* Initialize. */ - int i,j,first=1; - i = SCALAR_BITS - ((SCALAR_BITS-1) % WINDOW) - 1; - - for (; i>=0; i-=WINDOW) { - /* Fetch another block of bits */ - word_t bits1 = scalar1x->limb[i/WBITS] >> (i%WBITS), - bits2 = scalar2x->limb[i/WBITS] >> (i%WBITS); - if (i%WBITS >= WBITS-WINDOW && i/WBITSlimb[i/WBITS+1] << (WBITS - (i%WBITS)); - bits2 ^= scalar2x->limb[i/WBITS+1] << (WBITS - (i%WBITS)); - } - bits1 &= WINDOW_MASK; - bits2 &= WINDOW_MASK; - mask_t inv1 = (bits1>>(WINDOW-1))-1; - mask_t inv2 = (bits2>>(WINDOW-1))-1; - bits1 ^= inv1; - bits2 ^= inv2; - - /* Add in from table. Compute t only on last iteration. */ - constant_time_lookup(pn, multiples1, sizeof(pn), NTABLE, bits1 & WINDOW_T_MASK); - cond_neg_niels(pn->n, inv1); - if (first) { - pniels_to_pt(tmp, pn); - first = 0; - } else { - /* Using Hisil et al's lookahead method instead of extensible here - * for no particular reason. Double WINDOW times, but only compute t on - * the last one. - */ - for (j=0; jn, inv2); - add_pniels_to_pt(tmp, pn, i?-1:0); - } - - /* Write out the answer */ - API_NS(point_copy)(a,tmp); - - - OPENSSL_cleanse(scalar1x,sizeof(scalar1x)); - OPENSSL_cleanse(scalar2x,sizeof(scalar2x)); - OPENSSL_cleanse(pn,sizeof(pn)); - OPENSSL_cleanse(multiples1,sizeof(multiples1)); - OPENSSL_cleanse(multiples2,sizeof(multiples2)); - OPENSSL_cleanse(tmp,sizeof(tmp)); -} - -void API_NS(point_dual_scalarmul) ( - point_t a1, - point_t a2, - const point_t b, - const scalar_t scalar1, - const scalar_t scalar2 -) { - const int WINDOW = DECAF_WINDOW_BITS, - WINDOW_MASK = (1<> 1, - NTABLE = 1<<(WINDOW-1); - - scalar_t scalar1x, scalar2x; - API_NS(scalar_add)(scalar1x, scalar1, point_scalarmul_adjustment); - API_NS(scalar_halve)(scalar1x,scalar1x); - API_NS(scalar_add)(scalar2x, scalar2, point_scalarmul_adjustment); - API_NS(scalar_halve)(scalar2x,scalar2x); - - /* Set up a precomputed table with odd multiples of b. */ - point_t multiples1[NTABLE], multiples2[NTABLE], working, tmp; - pniels_t pn; - - API_NS(point_copy)(working, b); - - /* Initialize. */ - int i,j; - - for (i=0; ilimb[i/WBITS] >> (i%WBITS), - bits2 = scalar2x->limb[i/WBITS] >> (i%WBITS); - if (i%WBITS >= WBITS-WINDOW && i/WBITSlimb[i/WBITS+1] << (WBITS - (i%WBITS)); - bits2 ^= scalar2x->limb[i/WBITS+1] << (WBITS - (i%WBITS)); - } - bits1 &= WINDOW_MASK; - bits2 &= WINDOW_MASK; - mask_t inv1 = (bits1>>(WINDOW-1))-1; - mask_t inv2 = (bits2>>(WINDOW-1))-1; - bits1 ^= inv1; - bits2 ^= inv2; - - pt_to_pniels(pn, working); - - constant_time_lookup(tmp, multiples1, sizeof(tmp), NTABLE, bits1 & WINDOW_T_MASK); - cond_neg_niels(pn->n, inv1); - /* add_pniels_to_pt(multiples1[bits1 & WINDOW_T_MASK], pn, 0); */ - add_pniels_to_pt(tmp, pn, 0); - constant_time_insert(multiples1, tmp, sizeof(tmp), NTABLE, bits1 & WINDOW_T_MASK); - - - constant_time_lookup(tmp, multiples2, sizeof(tmp), NTABLE, bits2 & WINDOW_T_MASK); - cond_neg_niels(pn->n, inv1^inv2); - /* add_pniels_to_pt(multiples2[bits2 & WINDOW_T_MASK], pn, 0); */ - add_pniels_to_pt(tmp, pn, 0); - constant_time_insert(multiples2, tmp, sizeof(tmp), NTABLE, bits2 & WINDOW_T_MASK); - } - - if (NTABLE > 1) { - API_NS(point_copy)(working, multiples1[NTABLE-1]); - API_NS(point_copy)(tmp , multiples2[NTABLE-1]); - - for (i=NTABLE-1; i>1; i--) { - API_NS(point_add)(multiples1[i-1], multiples1[i-1], multiples1[i]); - API_NS(point_add)(multiples2[i-1], multiples2[i-1], multiples2[i]); - API_NS(point_add)(working, working, multiples1[i-1]); - API_NS(point_add)(tmp, tmp, multiples2[i-1]); - } - - API_NS(point_add)(multiples1[0], multiples1[0], multiples1[1]); - API_NS(point_add)(multiples2[0], multiples2[0], multiples2[1]); - point_double_internal(working, working, 0); - point_double_internal(tmp, tmp, 0); - API_NS(point_add)(a1, working, multiples1[0]); - API_NS(point_add)(a2, tmp, multiples2[0]); - } else { - API_NS(point_copy)(a1, multiples1[0]); - API_NS(point_copy)(a2, multiples2[0]); - } - - OPENSSL_cleanse(scalar1x,sizeof(scalar1x)); - OPENSSL_cleanse(scalar2x,sizeof(scalar2x)); - OPENSSL_cleanse(pn,sizeof(pn)); - OPENSSL_cleanse(multiples1,sizeof(multiples1)); - OPENSSL_cleanse(multiples2,sizeof(multiples2)); - OPENSSL_cleanse(tmp,sizeof(tmp)); - OPENSSL_cleanse(working,sizeof(working)); -} - decaf_bool_t API_NS(point_eq) ( const point_t p, const point_t q ) { /* equality mod 2-torsion compares x/y */ gf a, b; @@ -803,161 +305,6 @@ decaf_bool_t API_NS(point_valid) ( return mask_to_bool(out); } -void API_NS(point_debugging_torque) ( - point_t q, - const point_t p -) { -#if COFACTOR == 8 && IMAGINE_TWIST - gf tmp; - gf_mul(tmp,p->x,SQRT_MINUS_ONE); - gf_mul(q->x,p->y,SQRT_MINUS_ONE); - gf_copy(q->y,tmp); - gf_copy(q->z,p->z); - gf_sub(q->t,ZERO,p->t); -#else - gf_sub(q->x,ZERO,p->x); - gf_sub(q->y,ZERO,p->y); - gf_copy(q->z,p->z); - gf_copy(q->t,p->t); -#endif -} - -void API_NS(point_debugging_pscale) ( - point_t q, - const point_t p, - const uint8_t factor[SER_BYTES] -) { - gf gfac,tmp; - /* NB this means you'll never pscale by negative numbers for p521 */ - ignore_result(gf_deserialize(gfac,factor,0,0)); - gf_cond_sel(gfac,gfac,ONE,gf_eq(gfac,ZERO)); - gf_mul(tmp,p->x,gfac); - gf_copy(q->x,tmp); - gf_mul(tmp,p->y,gfac); - gf_copy(q->y,tmp); - gf_mul(tmp,p->z,gfac); - gf_copy(q->z,tmp); - gf_mul(tmp,p->t,gfac); - gf_copy(q->t,tmp); -} - -static void gf_batch_invert ( - gf *__restrict__ out, - const gf *in, - unsigned int n -) { - gf t1; - assert(n>1); - - gf_copy(out[1], in[0]); - int i; - for (i=1; i<(int) (n-1); i++) { - gf_mul(out[i+1], out[i], in[i]); - } - gf_mul(out[0], out[n-1], in[n-1]); - - gf_invert(out[0], out[0], 1); - - for (i=n-1; i>0; i--) { - gf_mul(t1, out[i], out[0]); - gf_copy(out[i], t1); - gf_mul(t1, out[0], in[i]); - gf_copy(out[0], t1); - } -} - -static void batch_normalize_niels ( - niels_t *table, - const gf *zs, - gf *__restrict__ zis, - int n -) { - int i; - gf product; - gf_batch_invert(zis, zs, n); - - for (i=0; ia, zis[i]); - gf_strong_reduce(product); - gf_copy(table[i]->a, product); - - gf_mul(product, table[i]->b, zis[i]); - gf_strong_reduce(product); - gf_copy(table[i]->b, product); - - gf_mul(product, table[i]->c, zis[i]); - gf_strong_reduce(product); - gf_copy(table[i]->c, product); - } - - OPENSSL_cleanse(product,sizeof(product)); -} - -void API_NS(precompute) ( - precomputed_s *table, - const point_t base -) { - const unsigned int n = COMBS_N, t = COMBS_T, s = COMBS_S; - assert(n*t*s >= SCALAR_BITS); - - point_t working, start, doubles[t-1]; - API_NS(point_copy)(working, base); - pniels_t pn_tmp; - - gf zs[n<<(t-1)], zis[n<<(t-1)]; - - unsigned int i,j,k; - - /* Compute n tables */ - for (i=0; i>1); - int idx = (((i+1)<<(t-1))-1) ^ gray; - - pt_to_pniels(pn_tmp, start); - memcpy(table->table[idx], pn_tmp->n, sizeof(pn_tmp->n)); - gf_copy(zs[idx], pn_tmp->z); - - if (j >= (1u<<(t-1)) - 1) break; - int delta = (j+1) ^ ((j+1)>>1) ^ gray; - - for (k=0; delta>1; k++) - delta >>=1; - - if (gray & (1<table,(const gf *)zs,zis,n<<(t-1)); - - OPENSSL_cleanse(zs,sizeof(zs)); - OPENSSL_cleanse(zis,sizeof(zis)); - OPENSSL_cleanse(pn_tmp,sizeof(pn_tmp)); - OPENSSL_cleanse(working,sizeof(working)); - OPENSSL_cleanse(start,sizeof(start)); - OPENSSL_cleanse(doubles,sizeof(doubles)); -} - static DECAF_INLINE void constant_time_lookup_niels ( niels_s *__restrict__ ni, @@ -1015,33 +362,6 @@ void API_NS(precomputed_scalarmul) ( OPENSSL_cleanse(scalar1x,sizeof(scalar1x)); } -void API_NS(point_cond_sel) ( - point_t out, - const point_t a, - const point_t b, - decaf_bool_t pick_b -) { - constant_time_select(out,a,b,sizeof(point_t),bool_to_mask(pick_b),0); -} - -/* FUTURE: restore Curve25519 Montgomery ladder? */ -decaf_error_t API_NS(direct_scalarmul) ( - uint8_t scaled[SER_BYTES], - const uint8_t base[SER_BYTES], - const scalar_t scalar, - decaf_bool_t allow_identity, - decaf_bool_t short_circuit -) { - point_t basep; - decaf_error_t succ = API_NS(point_decode)(basep, base, allow_identity); - if (short_circuit && succ != DECAF_SUCCESS) return succ; - API_NS(point_cond_sel)(basep, API_NS(point_base), basep, succ); - API_NS(point_scalarmul)(basep, basep, scalar); - API_NS(point_encode)(scaled, basep); - API_NS(point_destroy)(basep); - return succ; -} - void API_NS(point_mul_by_ratio_and_encode_like_eddsa) ( uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES], const point_t p @@ -1482,32 +802,6 @@ prepare_wnaf_table( extern const gf API_NS(precomputed_wnaf_as_fe)[]; static const niels_t *API_NS(wnaf_base) = (const niels_t *)API_NS(precomputed_wnaf_as_fe); -const size_t API_NS(sizeof_precomputed_wnafs) __attribute((visibility("hidden"))) - = sizeof(niels_t)<n, sizeof(niels_t)); - gf_copy(zs[i], tmp[i]->z); - } - batch_normalize_niels(out, (const gf *)zs, zis, 1< 0) sc_montmul(precmp[LAST],precmp[0],precmp[0]); - - int i; - for (i=1; i<=LAST; i++) { - sc_montmul(precmp[i],precmp[i-1],precmp[LAST]); - } - - /* Sliding window */ - unsigned residue = 0, trailing = 0, started = 0; - for (i=SCALAR_BITS-1; i>=-SCALAR_WINDOW_BITS; i--) { - - if (started) sc_montsqr(out,out); - - decaf_word_t w = (i>=0) ? sc_p->limb[i/WBITS] : 0; - if (i >= 0 && i= 2); - w-=2; - } - - residue = (residue<<1) | ((w>>(i%WBITS))&1); - if (residue>>SCALAR_WINDOW_BITS != 0) { - assert(trailing == 0); - trailing = residue; - residue = 0; - } - - if (trailing > 0 && (trailing & ((1<>(SCALAR_WINDOW_BITS+1)]); - } else { - API_NS(scalar_copy)(out,precmp[trailing>>(SCALAR_WINDOW_BITS+1)]); - started = 1; - } - trailing = 0; - } - trailing <<= 1; - - } - assert(residue==0); - assert(trailing==0); - - /* Demontgomerize */ - sc_montmul(out,out,API_NS(scalar_one)); - OPENSSL_cleanse(precmp, sizeof(precmp)); - return decaf_succeed_if(~API_NS(scalar_eq)(out,API_NS(scalar_zero))); -} - void API_NS(scalar_sub) ( scalar_t out, const scalar_t a, @@ -198,34 +133,6 @@ void API_NS(scalar_add) ( sc_subx(out, out->limb, sc_p, sc_p, chain); } -void -API_NS(scalar_set_unsigned) ( - scalar_t out, - uint64_t w -) { - memset(out,0,sizeof(scalar_t)); - unsigned int i = 0; - for (; ilimb[i] = w; -#if DECAF_WORD_BITS < 64 - w >>= 8*sizeof(decaf_word_t); -#endif - } -} - -decaf_bool_t -API_NS(scalar_eq) ( - const scalar_t a, - const scalar_t b -) { - decaf_word_t diff = 0; - unsigned int i; - for (i=0; ilimb[i] ^ b->limb[i]; - } - return mask_to_bool(word_is_zero(diff)); -} - static DECAF_INLINE void scalar_decode_short ( scalar_t s, const unsigned char *ser, @@ -314,15 +221,6 @@ void API_NS(scalar_encode)( } } -void API_NS(scalar_cond_sel) ( - scalar_t out, - const scalar_t a, - const scalar_t b, - decaf_bool_t pick_b -) { - constant_time_select(out,a,b,sizeof(scalar_t),bool_to_mask(pick_b),sizeof(out->limb[0])); -} - void API_NS(scalar_halve) ( scalar_t out, const scalar_t a -- cgit v1.2.3