/src/botan/build/include/botan/internal/ed25519_internal.h
1 | | /* |
2 | | * Ed25519 |
3 | | * (C) 2017 Ribose Inc |
4 | | * |
5 | | * Based on the public domain code from SUPERCOP ref10 by |
6 | | * Peter Schwabe, Daniel J. Bernstein, Niels Duif, Tanja Lange, Bo-Yin Yang |
7 | | * |
8 | | * Botan is released under the Simplified BSD License (see license.txt) |
9 | | */ |
10 | | |
11 | | #ifndef BOTAN_ED25519_INT_H_ |
12 | | #define BOTAN_ED25519_INT_H_ |
13 | | |
14 | | #include <botan/internal/ed25519_fe.h> |
15 | | #include <botan/internal/loadstor.h> |
16 | | |
17 | | namespace Botan { |
18 | | |
/**
* Load a 24-bit little-endian value from three bytes.
*
* @param in pointer to at least three bytes; in[0] is the least
*           significant byte
* @return in[0] | in[1] << 8 | in[2] << 16, widened to uint64_t so the
*         caller can shift it further without overflow
*/
inline uint64_t load_3(const uint8_t in[3])
   {
   uint64_t value = 0;
   for(size_t i = 0; i != 3; ++i)
      {
      value |= static_cast<uint64_t>(in[i]) << (8 * i);
      }
   return value;
   }
25 | | |
/**
* Load a 32-bit little-endian value from four bytes.
*
* Equivalent to load_le<uint32_t>(in, 0); written out byte by byte here
* to mirror load_3 above.
*
* @param in pointer to at least four bytes; in[0] is the least
*           significant byte
* @return the 32-bit value, widened to uint64_t
*/
inline uint64_t load_4(const uint8_t* in)
   {
   uint64_t value = 0;
   for(size_t i = 0; i != 4; ++i)
      {
      value |= static_cast<uint64_t>(in[i]) << (8 * i);
      }
   return value;
   }
30 | | |
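/**
* Signed carry propagation with round-to-nearest, as in the ref10 field
* and scalar arithmetic.
*
* Computes c = (h0 + 2^(S-1)) >> S, i.e. h0 / 2^S rounded to nearest
* (ties round up), then h1 += c * MUL and h0 -= c * 2^S. Afterwards h0
* lies in [-2^(S-1), 2^(S-1)).
*
* MUL is the weight of the carried value in the destination limb: 1 for
* adjacent limbs, 19 where the carry wraps from the top limb back to the
* bottom one (2^255 = 19 mod p).
*
* Straight-line arithmetic only: no data-dependent branches or memory
* accesses, so this is suitable for secret limbs. The caller must keep
* h0 + 2^(S-1) and the products within int64_t range; signed overflow
* here would be undefined behaviour. The right shift of a negative
* value relies on an arithmetic shift (implementation-defined before
* C++20, arithmetic on every supported compiler).
*
* @param h0 limb to reduce, updated in place
* @param h1 next limb, receives c * MUL
*/
template<size_t S, int64_t MUL=1>
inline void carry(int64_t& h0, int64_t& h1)
   {
   // S == 63 would make 2^S unrepresentable in int64_t (signed overflow is UB),
   // so the upper bound is 63, not 64.
   static_assert(S > 0 && S < 63, "Shift in range");

   const int64_t X1 = (static_cast<int64_t>(1) << S);
   const int64_t X2 = (static_cast<int64_t>(1) << (S - 1));
   // arithmetic shift rounds toward -inf; the X2 bias turns that into round-to-nearest
   const int64_t c = (h0 + X2) >> S;
   h1 += c * MUL;
   h0 -= c * X1;
   }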
|
42 | | |
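/**
* Signed carry propagation with floor semantics (no rounding bias).
*
* Computes c = h0 >> S, i.e. floor(h0 / 2^S), then h1 += c and
* h0 -= c * 2^S. Afterwards h0 lies in [0, 2^S). Compare carry(), which
* rounds to nearest and leaves h0 centred around zero.
*
* Straight-line arithmetic only, so safe on secret limbs. The right
* shift of a negative value relies on an arithmetic shift
* (implementation-defined before C++20, arithmetic on every supported
* compiler).
*
* @param h0 limb to reduce, updated in place
* @param h1 next limb, receives the carry
*/
template<size_t S>
inline void carry0(int64_t& h0, int64_t& h1)
   {
   // S == 63 would make 2^S unrepresentable in int64_t (signed overflow is UB),
   // so the upper bound is 63, not 64.
   static_assert(S > 0 && S < 63, "Shift in range");

   const int64_t X1 = (static_cast<int64_t>(1) << S);
   const int64_t c = h0 >> S;
   h1 += c;
   h0 -= c * X1;
   }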
53 | | |
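/**
* 32-bit variant of carry0: floor carry of h0 into h1.
*
* Computes c = h0 >> S, i.e. floor(h0 / 2^S), then h1 += c and
* h0 -= c * 2^S. Afterwards h0 lies in [0, 2^S).
*
* Straight-line arithmetic only, so safe on secret limbs. The right
* shift of a negative value relies on an arithmetic shift
* (implementation-defined before C++20, arithmetic on every supported
* compiler).
*
* @param h0 limb to reduce, updated in place
* @param h1 next limb, receives the carry
*/
template<size_t S>
inline void carry0(int32_t& h0, int32_t& h1)
   {
   // S == 31 would make 2^S unrepresentable in int32_t: the original
   // int64_t shift then narrowed out of range, so bound S at 31, not 32.
   static_assert(S > 0 && S < 31, "Shift in range");

   const int32_t X1 = (static_cast<int32_t>(1) << S);
   const int32_t c = h0 >> S;
   h1 += c;
   h0 -= c * X1;
   }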
|
64 | | |
/**
* One step of the ref10 scalar reduction mod l.
*
* Folds the limb X (of weight 2^252 relative to s1) back into the six
* lower limbs by multiplying it with the signed 21-bit limbs of
* 2^252 mod l (= -27742317777372353535851937790883648493), then clears
* X. The limbs are not carried here; the caller runs carry()/carry0()
* afterwards.
*
* Straight-line arithmetic with fixed constants, no data-dependent
* branches, so it is suitable for secret scalars. The caller keeps the
* limb magnitudes small enough that the products stay within int64_t.
*
* @param s1..s6 destination limbs, updated in place
* @param X      limb being reduced; set to zero on return
*/
inline void redc_mul(int64_t& s1, int64_t& s2, int64_t& s3,
                     int64_t& s4, int64_t& s5, int64_t& s6,
                     int64_t& X)
   {
   // signed limbs of 2^252 mod l, as in ref10 sc_reduce / sc_muladd
   constexpr int64_t L0 = 666643;
   constexpr int64_t L1 = 470296;
   constexpr int64_t L2 = 654183;
   constexpr int64_t L3 = 997805;
   constexpr int64_t L4 = 136657;
   constexpr int64_t L5 = 683901;

   s1 += X * L0;
   s2 += X * L1;
   s3 += X * L2;
   s4 -= X * L3;
   s5 += X * L4;
   s6 -= X * L5;
   X = 0;
   }
81 | | |
82 | | /* |
83 | | ge means group element. |
84 | | |
85 | | Here the group is the set of pairs (x,y) of field elements (see ed25519_fe.h) |
86 | | satisfying -x^2 + y^2 = 1 + d x^2y^2 |
87 | | where d = -121665/121666. |
88 | | |
89 | | Representations: |
90 | | ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT |
91 | | */ |
92 | | |
/**
* Group element in extended twisted-Edwards coordinates (ref10 "p3").
*
* Represents the affine point (x, y) = (X/Z, Y/Z) with the auxiliary
* coordinate T satisfying X*Y == Z*T. Only this representation is
* declared in this header; the other ref10 forms live in the
* implementation.
*/
struct ge_p3
   {
   fe X;
   fe Y;
   fe Z;
   fe T;
   };
100 | | |
/*
* Decode an encoded point into extended coordinates and negate it.
*
* VARIABLE-TIME: the "_vartime" suffix means this branches on its input.
* Use it only on public data (the public key during verification), never
* on anything secret.
*
* Returns an int status. In the ref10 code this is based on, a non-zero
* return means the encoding was rejected (not a valid point) and the
* caller must check it -- NOTE(review): confirm against the definition.
*/
int ge_frombytes_negate_vartime(ge_p3*, const uint8_t*);

/*
* Fixed-base scalar multiplication: out = encoding of in * B, B being the
* Ed25519 base point. This is the operation applied to secret scalars
* (private key, signing nonce); it carries no "_vartime" suffix and the
* ref10 original uses constant-time table selection -- NOTE(review):
* confirm the implementation preserves that before relying on it.
*
* @param out 32-byte encoded result
* @param in  32-byte little-endian scalar
*/
void ge_scalarmult_base(uint8_t out[32], const uint8_t in[32]);

/*
* Double scalar multiplication, presumably out = encoding of a*A + b*B as
* in ref10 (used for signature verification).
*
* VARIABLE-TIME: branches on the scalars a and b. Only ever call it with
* public inputs; never with a private key or nonce.
*/
void ge_double_scalarmult_vartime(uint8_t out[32],
                                  const uint8_t a[],
                                  const ge_p3* A,
                                  const uint8_t b[]);
108 | | |
/*
The set of scalars is \Z/l
where l = 2^252 + 27742317777372353535851937790883648493.

Both routines below operate on little-endian byte strings and, as in
ref10, are straight-line arithmetic suitable for secret scalars.
*/

/*
* Reduce a scalar mod l in place. In ref10 the input is 64 bytes (e.g. a
* SHA-512 output) and the 32-byte result is left in the low bytes --
* NOTE(review): confirm the expected buffer size against the definition.
*/
void sc_reduce(uint8_t*);

/*
* s = (a*b + c) mod l, presumably with 32-byte little-endian operands as
* in ref10 sc_muladd (used to compute the signature scalar S = r + H*k).
*/
void sc_muladd(uint8_t*, const uint8_t*, const uint8_t*, const uint8_t*);
116 | | |
117 | | } |
118 | | |
119 | | #endif |