5 * a copy of this software and associated documentation files (the
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
28 * If BR_NO_ARITH_SHIFT is undefined, or defined to 0, then we _assume_
29 * that right-shifting a signed negative integer copies the sign bit
45 * Convert an integer from unsigned big-endian encoding to a sequence of
55 acc = 0; in be8_to_le13()
56 acc_len = 0; in be8_to_le13()
57 while (len -- > 0) { in be8_to_le13()
61 *dst ++ = acc & 0x1FFF; in be8_to_le13()
80 acc = 0; in le13_to_be8()
81 acc_len = 0; in le13_to_be8()
82 while (len -- > 0) { in le13_to_be8()
94 * Normalise an array of words to a strict 13 bits per word. Returned
104 cc = 0; in norm13()
105 for (u = 0; u < len; u ++) { in norm13()
109 d[u] = z & 0x1FFF; in norm13()
120 * square20() computes the square of a 260-bit integer. Each word must
128 mul20(uint32_t *d, const uint32_t *a, const uint32_t *b) in mul20() argument
131 * Two-level Karatsuba: turns a 20x20 multiplication into in mul20()
153 (dw)[5 * (d_off) + 0] = (s1w)[5 * (s1_off) + 0] \ in mul20()
154 + (s2w)[5 * (s2_off) + 0]; \ in mul20()
163 } while (0) in mul20()
166 (dw)[5 * (d_off) + 0] += (sw)[5 * (s_off) + 0]; \ in mul20()
171 } while (0) in mul20()
174 (dw)[5 * (d_off) + 0] -= (s1w)[5 * (s1_off) + 0] \ in mul20()
175 + (s2w)[5 * (s2_off) + 0]; \ in mul20()
184 } while (0) in mul20()
188 (w) = cprz & 0x1FFF; \ in mul20()
190 } while (0) in mul20()
194 cprcc = 0; \ in mul20()
195 CPR1((dw)[(d_off) + 0], cprcc); \ in mul20()
205 } while (0) in mul20()
207 memcpy(u, a, 20 * sizeof *a); in mul20()
208 ZADD(u, 4, a, 0, a, 1); in mul20()
209 ZADD(u, 5, a, 2, a, 3); in mul20()
210 ZADD(u, 6, a, 0, a, 2); in mul20()
211 ZADD(u, 7, a, 1, a, 3); in mul20()
215 ZADD(v, 4, b, 0, b, 1); in mul20()
217 ZADD(v, 6, b, 0, b, 2); in mul20()
226 for (i = 0; i < 40; i += 5) { in mul20()
227 w[(i << 1) + 0] = MUL15(u[i + 0], v[i + 0]); in mul20()
228 w[(i << 1) + 1] = MUL15(u[i + 0], v[i + 1]) in mul20()
229 + MUL15(u[i + 1], v[i + 0]); in mul20()
230 w[(i << 1) + 2] = MUL15(u[i + 0], v[i + 2]) in mul20()
232 + MUL15(u[i + 2], v[i + 0]); in mul20()
233 w[(i << 1) + 3] = MUL15(u[i + 0], v[i + 3]) in mul20()
236 + MUL15(u[i + 3], v[i + 0]); in mul20()
237 w[(i << 1) + 4] = MUL15(u[i + 0], v[i + 4]) in mul20()
241 + MUL15(u[i + 4], v[i + 0]); in mul20()
252 w[(i << 1) + 9] = 0; in mul20()
263 * then do a carry propagation (this reduces words to 13 bits in mul20()
267 w[80 + 0] = MUL15(u[40 + 0], v[40 + 0]); in mul20()
268 w[80 + 1] = MUL15(u[40 + 0], v[40 + 1]) in mul20()
269 + MUL15(u[40 + 1], v[40 + 0]); in mul20()
270 w[80 + 2] = MUL15(u[40 + 0], v[40 + 2]) in mul20()
272 + MUL15(u[40 + 2], v[40 + 0]); in mul20()
273 w[80 + 3] = MUL15(u[40 + 0], v[40 + 3]) in mul20()
276 + MUL15(u[40 + 3], v[40 + 0]); in mul20()
277 w[80 + 4] = MUL15(u[40 + 0], v[40 + 4]) in mul20()
281 /* + MUL15(u[40 + 4], v[40 + 0]) */ in mul20()
295 w[80 + 4] += MUL15(u[40 + 4], v[40 + 0]); in mul20()
301 * in a _signed_ 32-bit integer, i.e. 31 bits + a sign bit. in mul20()
302 * However, 10*(16382^2) does not fit. So we must perform a in mul20()
312 /* 0..1*0..1 into 0..3 */ in mul20()
313 ZSUB2F(w, 8, w, 0, w, 2); in mul20()
324 /* (0..1+2..3)*(0..1+2..3) into 12..15 */ in mul20()
331 ZSUB2F(w, 12, w, 0, w, 4); in mul20()
354 square20(uint32_t *d, const uint32_t *a) in square20() argument
356 mul20(d, a, a); in square20()
362 mul20(uint32_t *d, const uint32_t *a, const uint32_t *b) in mul20() argument
366 t[ 0] = MUL15(a[ 0], b[ 0]); in mul20()
367 t[ 1] = MUL15(a[ 0], b[ 1]) in mul20()
368 + MUL15(a[ 1], b[ 0]); in mul20()
369 t[ 2] = MUL15(a[ 0], b[ 2]) in mul20()
370 + MUL15(a[ 1], b[ 1]) in mul20()
371 + MUL15(a[ 2], b[ 0]); in mul20()
372 t[ 3] = MUL15(a[ 0], b[ 3]) in mul20()
373 + MUL15(a[ 1], b[ 2]) in mul20()
374 + MUL15(a[ 2], b[ 1]) in mul20()
375 + MUL15(a[ 3], b[ 0]); in mul20()
376 t[ 4] = MUL15(a[ 0], b[ 4]) in mul20()
377 + MUL15(a[ 1], b[ 3]) in mul20()
378 + MUL15(a[ 2], b[ 2]) in mul20()
379 + MUL15(a[ 3], b[ 1]) in mul20()
380 + MUL15(a[ 4], b[ 0]); in mul20()
381 t[ 5] = MUL15(a[ 0], b[ 5]) in mul20()
382 + MUL15(a[ 1], b[ 4]) in mul20()
383 + MUL15(a[ 2], b[ 3]) in mul20()
384 + MUL15(a[ 3], b[ 2]) in mul20()
385 + MUL15(a[ 4], b[ 1]) in mul20()
386 + MUL15(a[ 5], b[ 0]); in mul20()
387 t[ 6] = MUL15(a[ 0], b[ 6]) in mul20()
388 + MUL15(a[ 1], b[ 5]) in mul20()
389 + MUL15(a[ 2], b[ 4]) in mul20()
390 + MUL15(a[ 3], b[ 3]) in mul20()
391 + MUL15(a[ 4], b[ 2]) in mul20()
392 + MUL15(a[ 5], b[ 1]) in mul20()
393 + MUL15(a[ 6], b[ 0]); in mul20()
394 t[ 7] = MUL15(a[ 0], b[ 7]) in mul20()
395 + MUL15(a[ 1], b[ 6]) in mul20()
396 + MUL15(a[ 2], b[ 5]) in mul20()
397 + MUL15(a[ 3], b[ 4]) in mul20()
398 + MUL15(a[ 4], b[ 3]) in mul20()
399 + MUL15(a[ 5], b[ 2]) in mul20()
400 + MUL15(a[ 6], b[ 1]) in mul20()
401 + MUL15(a[ 7], b[ 0]); in mul20()
402 t[ 8] = MUL15(a[ 0], b[ 8]) in mul20()
403 + MUL15(a[ 1], b[ 7]) in mul20()
404 + MUL15(a[ 2], b[ 6]) in mul20()
405 + MUL15(a[ 3], b[ 5]) in mul20()
406 + MUL15(a[ 4], b[ 4]) in mul20()
407 + MUL15(a[ 5], b[ 3]) in mul20()
408 + MUL15(a[ 6], b[ 2]) in mul20()
409 + MUL15(a[ 7], b[ 1]) in mul20()
410 + MUL15(a[ 8], b[ 0]); in mul20()
411 t[ 9] = MUL15(a[ 0], b[ 9]) in mul20()
412 + MUL15(a[ 1], b[ 8]) in mul20()
413 + MUL15(a[ 2], b[ 7]) in mul20()
414 + MUL15(a[ 3], b[ 6]) in mul20()
415 + MUL15(a[ 4], b[ 5]) in mul20()
416 + MUL15(a[ 5], b[ 4]) in mul20()
417 + MUL15(a[ 6], b[ 3]) in mul20()
418 + MUL15(a[ 7], b[ 2]) in mul20()
419 + MUL15(a[ 8], b[ 1]) in mul20()
420 + MUL15(a[ 9], b[ 0]); in mul20()
421 t[10] = MUL15(a[ 0], b[10]) in mul20()
422 + MUL15(a[ 1], b[ 9]) in mul20()
423 + MUL15(a[ 2], b[ 8]) in mul20()
424 + MUL15(a[ 3], b[ 7]) in mul20()
425 + MUL15(a[ 4], b[ 6]) in mul20()
426 + MUL15(a[ 5], b[ 5]) in mul20()
427 + MUL15(a[ 6], b[ 4]) in mul20()
428 + MUL15(a[ 7], b[ 3]) in mul20()
429 + MUL15(a[ 8], b[ 2]) in mul20()
430 + MUL15(a[ 9], b[ 1]) in mul20()
431 + MUL15(a[10], b[ 0]); in mul20()
432 t[11] = MUL15(a[ 0], b[11]) in mul20()
433 + MUL15(a[ 1], b[10]) in mul20()
434 + MUL15(a[ 2], b[ 9]) in mul20()
435 + MUL15(a[ 3], b[ 8]) in mul20()
436 + MUL15(a[ 4], b[ 7]) in mul20()
437 + MUL15(a[ 5], b[ 6]) in mul20()
438 + MUL15(a[ 6], b[ 5]) in mul20()
439 + MUL15(a[ 7], b[ 4]) in mul20()
440 + MUL15(a[ 8], b[ 3]) in mul20()
441 + MUL15(a[ 9], b[ 2]) in mul20()
442 + MUL15(a[10], b[ 1]) in mul20()
443 + MUL15(a[11], b[ 0]); in mul20()
444 t[12] = MUL15(a[ 0], b[12]) in mul20()
445 + MUL15(a[ 1], b[11]) in mul20()
446 + MUL15(a[ 2], b[10]) in mul20()
447 + MUL15(a[ 3], b[ 9]) in mul20()
448 + MUL15(a[ 4], b[ 8]) in mul20()
449 + MUL15(a[ 5], b[ 7]) in mul20()
450 + MUL15(a[ 6], b[ 6]) in mul20()
451 + MUL15(a[ 7], b[ 5]) in mul20()
452 + MUL15(a[ 8], b[ 4]) in mul20()
453 + MUL15(a[ 9], b[ 3]) in mul20()
454 + MUL15(a[10], b[ 2]) in mul20()
455 + MUL15(a[11], b[ 1]) in mul20()
456 + MUL15(a[12], b[ 0]); in mul20()
457 t[13] = MUL15(a[ 0], b[13]) in mul20()
458 + MUL15(a[ 1], b[12]) in mul20()
459 + MUL15(a[ 2], b[11]) in mul20()
460 + MUL15(a[ 3], b[10]) in mul20()
461 + MUL15(a[ 4], b[ 9]) in mul20()
462 + MUL15(a[ 5], b[ 8]) in mul20()
463 + MUL15(a[ 6], b[ 7]) in mul20()
464 + MUL15(a[ 7], b[ 6]) in mul20()
465 + MUL15(a[ 8], b[ 5]) in mul20()
466 + MUL15(a[ 9], b[ 4]) in mul20()
467 + MUL15(a[10], b[ 3]) in mul20()
468 + MUL15(a[11], b[ 2]) in mul20()
469 + MUL15(a[12], b[ 1]) in mul20()
470 + MUL15(a[13], b[ 0]); in mul20()
471 t[14] = MUL15(a[ 0], b[14]) in mul20()
472 + MUL15(a[ 1], b[13]) in mul20()
473 + MUL15(a[ 2], b[12]) in mul20()
474 + MUL15(a[ 3], b[11]) in mul20()
475 + MUL15(a[ 4], b[10]) in mul20()
476 + MUL15(a[ 5], b[ 9]) in mul20()
477 + MUL15(a[ 6], b[ 8]) in mul20()
478 + MUL15(a[ 7], b[ 7]) in mul20()
479 + MUL15(a[ 8], b[ 6]) in mul20()
480 + MUL15(a[ 9], b[ 5]) in mul20()
481 + MUL15(a[10], b[ 4]) in mul20()
482 + MUL15(a[11], b[ 3]) in mul20()
483 + MUL15(a[12], b[ 2]) in mul20()
484 + MUL15(a[13], b[ 1]) in mul20()
485 + MUL15(a[14], b[ 0]); in mul20()
486 t[15] = MUL15(a[ 0], b[15]) in mul20()
487 + MUL15(a[ 1], b[14]) in mul20()
488 + MUL15(a[ 2], b[13]) in mul20()
489 + MUL15(a[ 3], b[12]) in mul20()
490 + MUL15(a[ 4], b[11]) in mul20()
491 + MUL15(a[ 5], b[10]) in mul20()
492 + MUL15(a[ 6], b[ 9]) in mul20()
493 + MUL15(a[ 7], b[ 8]) in mul20()
494 + MUL15(a[ 8], b[ 7]) in mul20()
495 + MUL15(a[ 9], b[ 6]) in mul20()
496 + MUL15(a[10], b[ 5]) in mul20()
497 + MUL15(a[11], b[ 4]) in mul20()
498 + MUL15(a[12], b[ 3]) in mul20()
499 + MUL15(a[13], b[ 2]) in mul20()
500 + MUL15(a[14], b[ 1]) in mul20()
501 + MUL15(a[15], b[ 0]); in mul20()
502 t[16] = MUL15(a[ 0], b[16]) in mul20()
503 + MUL15(a[ 1], b[15]) in mul20()
504 + MUL15(a[ 2], b[14]) in mul20()
505 + MUL15(a[ 3], b[13]) in mul20()
506 + MUL15(a[ 4], b[12]) in mul20()
507 + MUL15(a[ 5], b[11]) in mul20()
508 + MUL15(a[ 6], b[10]) in mul20()
509 + MUL15(a[ 7], b[ 9]) in mul20()
510 + MUL15(a[ 8], b[ 8]) in mul20()
511 + MUL15(a[ 9], b[ 7]) in mul20()
512 + MUL15(a[10], b[ 6]) in mul20()
513 + MUL15(a[11], b[ 5]) in mul20()
514 + MUL15(a[12], b[ 4]) in mul20()
515 + MUL15(a[13], b[ 3]) in mul20()
516 + MUL15(a[14], b[ 2]) in mul20()
517 + MUL15(a[15], b[ 1]) in mul20()
518 + MUL15(a[16], b[ 0]); in mul20()
519 t[17] = MUL15(a[ 0], b[17]) in mul20()
520 + MUL15(a[ 1], b[16]) in mul20()
521 + MUL15(a[ 2], b[15]) in mul20()
522 + MUL15(a[ 3], b[14]) in mul20()
523 + MUL15(a[ 4], b[13]) in mul20()
524 + MUL15(a[ 5], b[12]) in mul20()
525 + MUL15(a[ 6], b[11]) in mul20()
526 + MUL15(a[ 7], b[10]) in mul20()
527 + MUL15(a[ 8], b[ 9]) in mul20()
528 + MUL15(a[ 9], b[ 8]) in mul20()
529 + MUL15(a[10], b[ 7]) in mul20()
530 + MUL15(a[11], b[ 6]) in mul20()
531 + MUL15(a[12], b[ 5]) in mul20()
532 + MUL15(a[13], b[ 4]) in mul20()
533 + MUL15(a[14], b[ 3]) in mul20()
534 + MUL15(a[15], b[ 2]) in mul20()
535 + MUL15(a[16], b[ 1]) in mul20()
536 + MUL15(a[17], b[ 0]); in mul20()
537 t[18] = MUL15(a[ 0], b[18]) in mul20()
538 + MUL15(a[ 1], b[17]) in mul20()
539 + MUL15(a[ 2], b[16]) in mul20()
540 + MUL15(a[ 3], b[15]) in mul20()
541 + MUL15(a[ 4], b[14]) in mul20()
542 + MUL15(a[ 5], b[13]) in mul20()
543 + MUL15(a[ 6], b[12]) in mul20()
544 + MUL15(a[ 7], b[11]) in mul20()
545 + MUL15(a[ 8], b[10]) in mul20()
546 + MUL15(a[ 9], b[ 9]) in mul20()
547 + MUL15(a[10], b[ 8]) in mul20()
548 + MUL15(a[11], b[ 7]) in mul20()
549 + MUL15(a[12], b[ 6]) in mul20()
550 + MUL15(a[13], b[ 5]) in mul20()
551 + MUL15(a[14], b[ 4]) in mul20()
552 + MUL15(a[15], b[ 3]) in mul20()
553 + MUL15(a[16], b[ 2]) in mul20()
554 + MUL15(a[17], b[ 1]) in mul20()
555 + MUL15(a[18], b[ 0]); in mul20()
556 t[19] = MUL15(a[ 0], b[19]) in mul20()
557 + MUL15(a[ 1], b[18]) in mul20()
558 + MUL15(a[ 2], b[17]) in mul20()
559 + MUL15(a[ 3], b[16]) in mul20()
560 + MUL15(a[ 4], b[15]) in mul20()
561 + MUL15(a[ 5], b[14]) in mul20()
562 + MUL15(a[ 6], b[13]) in mul20()
563 + MUL15(a[ 7], b[12]) in mul20()
564 + MUL15(a[ 8], b[11]) in mul20()
565 + MUL15(a[ 9], b[10]) in mul20()
566 + MUL15(a[10], b[ 9]) in mul20()
567 + MUL15(a[11], b[ 8]) in mul20()
568 + MUL15(a[12], b[ 7]) in mul20()
569 + MUL15(a[13], b[ 6]) in mul20()
570 + MUL15(a[14], b[ 5]) in mul20()
571 + MUL15(a[15], b[ 4]) in mul20()
572 + MUL15(a[16], b[ 3]) in mul20()
573 + MUL15(a[17], b[ 2]) in mul20()
574 + MUL15(a[18], b[ 1]) in mul20()
575 + MUL15(a[19], b[ 0]); in mul20()
576 t[20] = MUL15(a[ 1], b[19]) in mul20()
577 + MUL15(a[ 2], b[18]) in mul20()
578 + MUL15(a[ 3], b[17]) in mul20()
579 + MUL15(a[ 4], b[16]) in mul20()
580 + MUL15(a[ 5], b[15]) in mul20()
581 + MUL15(a[ 6], b[14]) in mul20()
582 + MUL15(a[ 7], b[13]) in mul20()
583 + MUL15(a[ 8], b[12]) in mul20()
584 + MUL15(a[ 9], b[11]) in mul20()
585 + MUL15(a[10], b[10]) in mul20()
586 + MUL15(a[11], b[ 9]) in mul20()
587 + MUL15(a[12], b[ 8]) in mul20()
588 + MUL15(a[13], b[ 7]) in mul20()
589 + MUL15(a[14], b[ 6]) in mul20()
590 + MUL15(a[15], b[ 5]) in mul20()
591 + MUL15(a[16], b[ 4]) in mul20()
592 + MUL15(a[17], b[ 3]) in mul20()
593 + MUL15(a[18], b[ 2]) in mul20()
594 + MUL15(a[19], b[ 1]); in mul20()
595 t[21] = MUL15(a[ 2], b[19]) in mul20()
596 + MUL15(a[ 3], b[18]) in mul20()
597 + MUL15(a[ 4], b[17]) in mul20()
598 + MUL15(a[ 5], b[16]) in mul20()
599 + MUL15(a[ 6], b[15]) in mul20()
600 + MUL15(a[ 7], b[14]) in mul20()
601 + MUL15(a[ 8], b[13]) in mul20()
602 + MUL15(a[ 9], b[12]) in mul20()
603 + MUL15(a[10], b[11]) in mul20()
604 + MUL15(a[11], b[10]) in mul20()
605 + MUL15(a[12], b[ 9]) in mul20()
606 + MUL15(a[13], b[ 8]) in mul20()
607 + MUL15(a[14], b[ 7]) in mul20()
608 + MUL15(a[15], b[ 6]) in mul20()
609 + MUL15(a[16], b[ 5]) in mul20()
610 + MUL15(a[17], b[ 4]) in mul20()
611 + MUL15(a[18], b[ 3]) in mul20()
612 + MUL15(a[19], b[ 2]); in mul20()
613 t[22] = MUL15(a[ 3], b[19]) in mul20()
614 + MUL15(a[ 4], b[18]) in mul20()
615 + MUL15(a[ 5], b[17]) in mul20()
616 + MUL15(a[ 6], b[16]) in mul20()
617 + MUL15(a[ 7], b[15]) in mul20()
618 + MUL15(a[ 8], b[14]) in mul20()
619 + MUL15(a[ 9], b[13]) in mul20()
620 + MUL15(a[10], b[12]) in mul20()
621 + MUL15(a[11], b[11]) in mul20()
622 + MUL15(a[12], b[10]) in mul20()
623 + MUL15(a[13], b[ 9]) in mul20()
624 + MUL15(a[14], b[ 8]) in mul20()
625 + MUL15(a[15], b[ 7]) in mul20()
626 + MUL15(a[16], b[ 6]) in mul20()
627 + MUL15(a[17], b[ 5]) in mul20()
628 + MUL15(a[18], b[ 4]) in mul20()
629 + MUL15(a[19], b[ 3]); in mul20()
630 t[23] = MUL15(a[ 4], b[19]) in mul20()
631 + MUL15(a[ 5], b[18]) in mul20()
632 + MUL15(a[ 6], b[17]) in mul20()
633 + MUL15(a[ 7], b[16]) in mul20()
634 + MUL15(a[ 8], b[15]) in mul20()
635 + MUL15(a[ 9], b[14]) in mul20()
636 + MUL15(a[10], b[13]) in mul20()
637 + MUL15(a[11], b[12]) in mul20()
638 + MUL15(a[12], b[11]) in mul20()
639 + MUL15(a[13], b[10]) in mul20()
640 + MUL15(a[14], b[ 9]) in mul20()
641 + MUL15(a[15], b[ 8]) in mul20()
642 + MUL15(a[16], b[ 7]) in mul20()
643 + MUL15(a[17], b[ 6]) in mul20()
644 + MUL15(a[18], b[ 5]) in mul20()
645 + MUL15(a[19], b[ 4]); in mul20()
646 t[24] = MUL15(a[ 5], b[19]) in mul20()
647 + MUL15(a[ 6], b[18]) in mul20()
648 + MUL15(a[ 7], b[17]) in mul20()
649 + MUL15(a[ 8], b[16]) in mul20()
650 + MUL15(a[ 9], b[15]) in mul20()
651 + MUL15(a[10], b[14]) in mul20()
652 + MUL15(a[11], b[13]) in mul20()
653 + MUL15(a[12], b[12]) in mul20()
654 + MUL15(a[13], b[11]) in mul20()
655 + MUL15(a[14], b[10]) in mul20()
656 + MUL15(a[15], b[ 9]) in mul20()
657 + MUL15(a[16], b[ 8]) in mul20()
658 + MUL15(a[17], b[ 7]) in mul20()
659 + MUL15(a[18], b[ 6]) in mul20()
660 + MUL15(a[19], b[ 5]); in mul20()
661 t[25] = MUL15(a[ 6], b[19]) in mul20()
662 + MUL15(a[ 7], b[18]) in mul20()
663 + MUL15(a[ 8], b[17]) in mul20()
664 + MUL15(a[ 9], b[16]) in mul20()
665 + MUL15(a[10], b[15]) in mul20()
666 + MUL15(a[11], b[14]) in mul20()
667 + MUL15(a[12], b[13]) in mul20()
668 + MUL15(a[13], b[12]) in mul20()
669 + MUL15(a[14], b[11]) in mul20()
670 + MUL15(a[15], b[10]) in mul20()
671 + MUL15(a[16], b[ 9]) in mul20()
672 + MUL15(a[17], b[ 8]) in mul20()
673 + MUL15(a[18], b[ 7]) in mul20()
674 + MUL15(a[19], b[ 6]); in mul20()
675 t[26] = MUL15(a[ 7], b[19]) in mul20()
676 + MUL15(a[ 8], b[18]) in mul20()
677 + MUL15(a[ 9], b[17]) in mul20()
678 + MUL15(a[10], b[16]) in mul20()
679 + MUL15(a[11], b[15]) in mul20()
680 + MUL15(a[12], b[14]) in mul20()
681 + MUL15(a[13], b[13]) in mul20()
682 + MUL15(a[14], b[12]) in mul20()
683 + MUL15(a[15], b[11]) in mul20()
684 + MUL15(a[16], b[10]) in mul20()
685 + MUL15(a[17], b[ 9]) in mul20()
686 + MUL15(a[18], b[ 8]) in mul20()
687 + MUL15(a[19], b[ 7]); in mul20()
688 t[27] = MUL15(a[ 8], b[19]) in mul20()
689 + MUL15(a[ 9], b[18]) in mul20()
690 + MUL15(a[10], b[17]) in mul20()
691 + MUL15(a[11], b[16]) in mul20()
692 + MUL15(a[12], b[15]) in mul20()
693 + MUL15(a[13], b[14]) in mul20()
694 + MUL15(a[14], b[13]) in mul20()
695 + MUL15(a[15], b[12]) in mul20()
696 + MUL15(a[16], b[11]) in mul20()
697 + MUL15(a[17], b[10]) in mul20()
698 + MUL15(a[18], b[ 9]) in mul20()
699 + MUL15(a[19], b[ 8]); in mul20()
700 t[28] = MUL15(a[ 9], b[19]) in mul20()
701 + MUL15(a[10], b[18]) in mul20()
702 + MUL15(a[11], b[17]) in mul20()
703 + MUL15(a[12], b[16]) in mul20()
704 + MUL15(a[13], b[15]) in mul20()
705 + MUL15(a[14], b[14]) in mul20()
706 + MUL15(a[15], b[13]) in mul20()
707 + MUL15(a[16], b[12]) in mul20()
708 + MUL15(a[17], b[11]) in mul20()
709 + MUL15(a[18], b[10]) in mul20()
710 + MUL15(a[19], b[ 9]); in mul20()
711 t[29] = MUL15(a[10], b[19]) in mul20()
712 + MUL15(a[11], b[18]) in mul20()
713 + MUL15(a[12], b[17]) in mul20()
714 + MUL15(a[13], b[16]) in mul20()
715 + MUL15(a[14], b[15]) in mul20()
716 + MUL15(a[15], b[14]) in mul20()
717 + MUL15(a[16], b[13]) in mul20()
718 + MUL15(a[17], b[12]) in mul20()
719 + MUL15(a[18], b[11]) in mul20()
720 + MUL15(a[19], b[10]); in mul20()
721 t[30] = MUL15(a[11], b[19]) in mul20()
722 + MUL15(a[12], b[18]) in mul20()
723 + MUL15(a[13], b[17]) in mul20()
724 + MUL15(a[14], b[16]) in mul20()
725 + MUL15(a[15], b[15]) in mul20()
726 + MUL15(a[16], b[14]) in mul20()
727 + MUL15(a[17], b[13]) in mul20()
728 + MUL15(a[18], b[12]) in mul20()
729 + MUL15(a[19], b[11]); in mul20()
730 t[31] = MUL15(a[12], b[19]) in mul20()
731 + MUL15(a[13], b[18]) in mul20()
732 + MUL15(a[14], b[17]) in mul20()
733 + MUL15(a[15], b[16]) in mul20()
734 + MUL15(a[16], b[15]) in mul20()
735 + MUL15(a[17], b[14]) in mul20()
736 + MUL15(a[18], b[13]) in mul20()
737 + MUL15(a[19], b[12]); in mul20()
738 t[32] = MUL15(a[13], b[19]) in mul20()
739 + MUL15(a[14], b[18]) in mul20()
740 + MUL15(a[15], b[17]) in mul20()
741 + MUL15(a[16], b[16]) in mul20()
742 + MUL15(a[17], b[15]) in mul20()
743 + MUL15(a[18], b[14]) in mul20()
744 + MUL15(a[19], b[13]); in mul20()
745 t[33] = MUL15(a[14], b[19]) in mul20()
746 + MUL15(a[15], b[18]) in mul20()
747 + MUL15(a[16], b[17]) in mul20()
748 + MUL15(a[17], b[16]) in mul20()
749 + MUL15(a[18], b[15]) in mul20()
750 + MUL15(a[19], b[14]); in mul20()
751 t[34] = MUL15(a[15], b[19]) in mul20()
752 + MUL15(a[16], b[18]) in mul20()
753 + MUL15(a[17], b[17]) in mul20()
754 + MUL15(a[18], b[16]) in mul20()
755 + MUL15(a[19], b[15]); in mul20()
756 t[35] = MUL15(a[16], b[19]) in mul20()
757 + MUL15(a[17], b[18]) in mul20()
758 + MUL15(a[18], b[17]) in mul20()
759 + MUL15(a[19], b[16]); in mul20()
760 t[36] = MUL15(a[17], b[19]) in mul20()
761 + MUL15(a[18], b[18]) in mul20()
762 + MUL15(a[19], b[17]); in mul20()
763 t[37] = MUL15(a[18], b[19]) in mul20()
764 + MUL15(a[19], b[18]); in mul20()
765 t[38] = MUL15(a[19], b[19]); in mul20()
770 square20(uint32_t *d, const uint32_t *a) in square20() argument
774 t[ 0] = MUL15(a[ 0], a[ 0]); in square20()
775 t[ 1] = ((MUL15(a[ 0], a[ 1])) << 1); in square20()
776 t[ 2] = MUL15(a[ 1], a[ 1]) in square20()
777 + ((MUL15(a[ 0], a[ 2])) << 1); in square20()
778 t[ 3] = ((MUL15(a[ 0], a[ 3]) in square20()
779 + MUL15(a[ 1], a[ 2])) << 1); in square20()
780 t[ 4] = MUL15(a[ 2], a[ 2]) in square20()
781 + ((MUL15(a[ 0], a[ 4]) in square20()
782 + MUL15(a[ 1], a[ 3])) << 1); in square20()
783 t[ 5] = ((MUL15(a[ 0], a[ 5]) in square20()
784 + MUL15(a[ 1], a[ 4]) in square20()
785 + MUL15(a[ 2], a[ 3])) << 1); in square20()
786 t[ 6] = MUL15(a[ 3], a[ 3]) in square20()
787 + ((MUL15(a[ 0], a[ 6]) in square20()
788 + MUL15(a[ 1], a[ 5]) in square20()
789 + MUL15(a[ 2], a[ 4])) << 1); in square20()
790 t[ 7] = ((MUL15(a[ 0], a[ 7]) in square20()
791 + MUL15(a[ 1], a[ 6]) in square20()
792 + MUL15(a[ 2], a[ 5]) in square20()
793 + MUL15(a[ 3], a[ 4])) << 1); in square20()
794 t[ 8] = MUL15(a[ 4], a[ 4]) in square20()
795 + ((MUL15(a[ 0], a[ 8]) in square20()
796 + MUL15(a[ 1], a[ 7]) in square20()
797 + MUL15(a[ 2], a[ 6]) in square20()
798 + MUL15(a[ 3], a[ 5])) << 1); in square20()
799 t[ 9] = ((MUL15(a[ 0], a[ 9]) in square20()
800 + MUL15(a[ 1], a[ 8]) in square20()
801 + MUL15(a[ 2], a[ 7]) in square20()
802 + MUL15(a[ 3], a[ 6]) in square20()
803 + MUL15(a[ 4], a[ 5])) << 1); in square20()
804 t[10] = MUL15(a[ 5], a[ 5]) in square20()
805 + ((MUL15(a[ 0], a[10]) in square20()
806 + MUL15(a[ 1], a[ 9]) in square20()
807 + MUL15(a[ 2], a[ 8]) in square20()
808 + MUL15(a[ 3], a[ 7]) in square20()
809 + MUL15(a[ 4], a[ 6])) << 1); in square20()
810 t[11] = ((MUL15(a[ 0], a[11]) in square20()
811 + MUL15(a[ 1], a[10]) in square20()
812 + MUL15(a[ 2], a[ 9]) in square20()
813 + MUL15(a[ 3], a[ 8]) in square20()
814 + MUL15(a[ 4], a[ 7]) in square20()
815 + MUL15(a[ 5], a[ 6])) << 1); in square20()
816 t[12] = MUL15(a[ 6], a[ 6]) in square20()
817 + ((MUL15(a[ 0], a[12]) in square20()
818 + MUL15(a[ 1], a[11]) in square20()
819 + MUL15(a[ 2], a[10]) in square20()
820 + MUL15(a[ 3], a[ 9]) in square20()
821 + MUL15(a[ 4], a[ 8]) in square20()
822 + MUL15(a[ 5], a[ 7])) << 1); in square20()
823 t[13] = ((MUL15(a[ 0], a[13]) in square20()
824 + MUL15(a[ 1], a[12]) in square20()
825 + MUL15(a[ 2], a[11]) in square20()
826 + MUL15(a[ 3], a[10]) in square20()
827 + MUL15(a[ 4], a[ 9]) in square20()
828 + MUL15(a[ 5], a[ 8]) in square20()
829 + MUL15(a[ 6], a[ 7])) << 1); in square20()
830 t[14] = MUL15(a[ 7], a[ 7]) in square20()
831 + ((MUL15(a[ 0], a[14]) in square20()
832 + MUL15(a[ 1], a[13]) in square20()
833 + MUL15(a[ 2], a[12]) in square20()
834 + MUL15(a[ 3], a[11]) in square20()
835 + MUL15(a[ 4], a[10]) in square20()
836 + MUL15(a[ 5], a[ 9]) in square20()
837 + MUL15(a[ 6], a[ 8])) << 1); in square20()
838 t[15] = ((MUL15(a[ 0], a[15]) in square20()
839 + MUL15(a[ 1], a[14]) in square20()
840 + MUL15(a[ 2], a[13]) in square20()
841 + MUL15(a[ 3], a[12]) in square20()
842 + MUL15(a[ 4], a[11]) in square20()
843 + MUL15(a[ 5], a[10]) in square20()
844 + MUL15(a[ 6], a[ 9]) in square20()
845 + MUL15(a[ 7], a[ 8])) << 1); in square20()
846 t[16] = MUL15(a[ 8], a[ 8]) in square20()
847 + ((MUL15(a[ 0], a[16]) in square20()
848 + MUL15(a[ 1], a[15]) in square20()
849 + MUL15(a[ 2], a[14]) in square20()
850 + MUL15(a[ 3], a[13]) in square20()
851 + MUL15(a[ 4], a[12]) in square20()
852 + MUL15(a[ 5], a[11]) in square20()
853 + MUL15(a[ 6], a[10]) in square20()
854 + MUL15(a[ 7], a[ 9])) << 1); in square20()
855 t[17] = ((MUL15(a[ 0], a[17]) in square20()
856 + MUL15(a[ 1], a[16]) in square20()
857 + MUL15(a[ 2], a[15]) in square20()
858 + MUL15(a[ 3], a[14]) in square20()
859 + MUL15(a[ 4], a[13]) in square20()
860 + MUL15(a[ 5], a[12]) in square20()
861 + MUL15(a[ 6], a[11]) in square20()
862 + MUL15(a[ 7], a[10]) in square20()
863 + MUL15(a[ 8], a[ 9])) << 1); in square20()
864 t[18] = MUL15(a[ 9], a[ 9]) in square20()
865 + ((MUL15(a[ 0], a[18]) in square20()
866 + MUL15(a[ 1], a[17]) in square20()
867 + MUL15(a[ 2], a[16]) in square20()
868 + MUL15(a[ 3], a[15]) in square20()
869 + MUL15(a[ 4], a[14]) in square20()
870 + MUL15(a[ 5], a[13]) in square20()
871 + MUL15(a[ 6], a[12]) in square20()
872 + MUL15(a[ 7], a[11]) in square20()
873 + MUL15(a[ 8], a[10])) << 1); in square20()
874 t[19] = ((MUL15(a[ 0], a[19]) in square20()
875 + MUL15(a[ 1], a[18]) in square20()
876 + MUL15(a[ 2], a[17]) in square20()
877 + MUL15(a[ 3], a[16]) in square20()
878 + MUL15(a[ 4], a[15]) in square20()
879 + MUL15(a[ 5], a[14]) in square20()
880 + MUL15(a[ 6], a[13]) in square20()
881 + MUL15(a[ 7], a[12]) in square20()
882 + MUL15(a[ 8], a[11]) in square20()
883 + MUL15(a[ 9], a[10])) << 1); in square20()
884 t[20] = MUL15(a[10], a[10]) in square20()
885 + ((MUL15(a[ 1], a[19]) in square20()
886 + MUL15(a[ 2], a[18]) in square20()
887 + MUL15(a[ 3], a[17]) in square20()
888 + MUL15(a[ 4], a[16]) in square20()
889 + MUL15(a[ 5], a[15]) in square20()
890 + MUL15(a[ 6], a[14]) in square20()
891 + MUL15(a[ 7], a[13]) in square20()
892 + MUL15(a[ 8], a[12]) in square20()
893 + MUL15(a[ 9], a[11])) << 1); in square20()
894 t[21] = ((MUL15(a[ 2], a[19]) in square20()
895 + MUL15(a[ 3], a[18]) in square20()
896 + MUL15(a[ 4], a[17]) in square20()
897 + MUL15(a[ 5], a[16]) in square20()
898 + MUL15(a[ 6], a[15]) in square20()
899 + MUL15(a[ 7], a[14]) in square20()
900 + MUL15(a[ 8], a[13]) in square20()
901 + MUL15(a[ 9], a[12]) in square20()
902 + MUL15(a[10], a[11])) << 1); in square20()
903 t[22] = MUL15(a[11], a[11]) in square20()
904 + ((MUL15(a[ 3], a[19]) in square20()
905 + MUL15(a[ 4], a[18]) in square20()
906 + MUL15(a[ 5], a[17]) in square20()
907 + MUL15(a[ 6], a[16]) in square20()
908 + MUL15(a[ 7], a[15]) in square20()
909 + MUL15(a[ 8], a[14]) in square20()
910 + MUL15(a[ 9], a[13]) in square20()
911 + MUL15(a[10], a[12])) << 1); in square20()
912 t[23] = ((MUL15(a[ 4], a[19]) in square20()
913 + MUL15(a[ 5], a[18]) in square20()
914 + MUL15(a[ 6], a[17]) in square20()
915 + MUL15(a[ 7], a[16]) in square20()
916 + MUL15(a[ 8], a[15]) in square20()
917 + MUL15(a[ 9], a[14]) in square20()
918 + MUL15(a[10], a[13]) in square20()
919 + MUL15(a[11], a[12])) << 1); in square20()
920 t[24] = MUL15(a[12], a[12]) in square20()
921 + ((MUL15(a[ 5], a[19]) in square20()
922 + MUL15(a[ 6], a[18]) in square20()
923 + MUL15(a[ 7], a[17]) in square20()
924 + MUL15(a[ 8], a[16]) in square20()
925 + MUL15(a[ 9], a[15]) in square20()
926 + MUL15(a[10], a[14]) in square20()
927 + MUL15(a[11], a[13])) << 1); in square20()
928 t[25] = ((MUL15(a[ 6], a[19]) in square20()
929 + MUL15(a[ 7], a[18]) in square20()
930 + MUL15(a[ 8], a[17]) in square20()
931 + MUL15(a[ 9], a[16]) in square20()
932 + MUL15(a[10], a[15]) in square20()
933 + MUL15(a[11], a[14]) in square20()
934 + MUL15(a[12], a[13])) << 1); in square20()
935 t[26] = MUL15(a[13], a[13]) in square20()
936 + ((MUL15(a[ 7], a[19]) in square20()
937 + MUL15(a[ 8], a[18]) in square20()
938 + MUL15(a[ 9], a[17]) in square20()
939 + MUL15(a[10], a[16]) in square20()
940 + MUL15(a[11], a[15]) in square20()
941 + MUL15(a[12], a[14])) << 1); in square20()
942 t[27] = ((MUL15(a[ 8], a[19]) in square20()
943 + MUL15(a[ 9], a[18]) in square20()
944 + MUL15(a[10], a[17]) in square20()
945 + MUL15(a[11], a[16]) in square20()
946 + MUL15(a[12], a[15]) in square20()
947 + MUL15(a[13], a[14])) << 1); in square20()
948 t[28] = MUL15(a[14], a[14]) in square20()
949 + ((MUL15(a[ 9], a[19]) in square20()
950 + MUL15(a[10], a[18]) in square20()
951 + MUL15(a[11], a[17]) in square20()
952 + MUL15(a[12], a[16]) in square20()
953 + MUL15(a[13], a[15])) << 1); in square20()
954 t[29] = ((MUL15(a[10], a[19]) in square20()
955 + MUL15(a[11], a[18]) in square20()
956 + MUL15(a[12], a[17]) in square20()
957 + MUL15(a[13], a[16]) in square20()
958 + MUL15(a[14], a[15])) << 1); in square20()
959 t[30] = MUL15(a[15], a[15]) in square20()
960 + ((MUL15(a[11], a[19]) in square20()
961 + MUL15(a[12], a[18]) in square20()
962 + MUL15(a[13], a[17]) in square20()
963 + MUL15(a[14], a[16])) << 1); in square20()
964 t[31] = ((MUL15(a[12], a[19]) in square20()
965 + MUL15(a[13], a[18]) in square20()
966 + MUL15(a[14], a[17]) in square20()
967 + MUL15(a[15], a[16])) << 1); in square20()
968 t[32] = MUL15(a[16], a[16]) in square20()
969 + ((MUL15(a[13], a[19]) in square20()
970 + MUL15(a[14], a[18]) in square20()
971 + MUL15(a[15], a[17])) << 1); in square20()
972 t[33] = ((MUL15(a[14], a[19]) in square20()
973 + MUL15(a[15], a[18]) in square20()
974 + MUL15(a[16], a[17])) << 1); in square20()
975 t[34] = MUL15(a[17], a[17]) in square20()
976 + ((MUL15(a[15], a[19]) in square20()
977 + MUL15(a[16], a[18])) << 1); in square20()
978 t[35] = ((MUL15(a[16], a[19]) in square20()
979 + MUL15(a[17], a[18])) << 1); in square20()
980 t[36] = MUL15(a[18], a[18]) in square20()
981 + ((MUL15(a[17], a[19])) << 1); in square20()
982 t[37] = ((MUL15(a[18], a[19])) << 1); in square20()
983 t[38] = MUL15(a[19], a[19]); in square20()
993 0x1FFF, 0x1FFF, 0x1FFF, 0x1FFF, 0x1FFF, 0x1FFF, 0x1FFF, 0x001F,
994 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0400, 0x0000,
995 0x0000, 0x1FF8, 0x1FFF, 0x01FF
1002 0x004B, 0x1E93, 0x0F89, 0x1C78, 0x03BC, 0x187B, 0x114E, 0x1619,
1003 0x1D06, 0x0328, 0x01AF, 0x0D31, 0x1557, 0x15DE, 0x1ECF, 0x127C,
1004 0x0A3A, 0x0EC5, 0x118D, 0x00B5
1008 * Perform a "short reduction" in field F256 (field for curve P-256).
1018 d[19] &= 0x01FF; in reduce_f256()
1022 d[0] += x; in reduce_f256()
1027 * Perform a "final reduction" in field F256 (field for curve P-256).
1031 * returns 0.
1041 cc = 0; in reduce_final_f256()
1042 for (i = 0; i < 20; i ++) { in reduce_final_f256()
1047 t[i] = w & 0x1FFF; in reduce_final_f256()
1055 * Perform a multiplication of two integers modulo
1062 mul_f256(uint32_t *d, const uint32_t *a, const uint32_t *b) in mul_f256() argument
1071 mul20(t, a, b); in mul_f256()
1082 * For a word x at bit offset n (n >= 256), we have: in mul_f256()
1094 t[i - 3] += (x << 7) & 0x1FFF; in mul_f256()
1096 t[i - 5] -= (x << 1) & 0x1FFF; in mul_f256()
1098 t[i - 13] -= (x << 9) & 0x1FFF; in mul_f256()
1100 t[i - 20] += (x << 4) & 0x1FFF; in mul_f256()
1104 * Propagate carries. This is a signed propagation, and the in mul_f256()
1107 * in which a value may be added to itself up to 7 times. Since in mul_f256()
1120 t[19] &= 0x01FF; in mul_f256()
1124 t[0] += cc; in mul_f256()
1128 * end up with a value which is negative, and we don't want that. in mul_f256()
1135 t[0] -= cc; in mul_f256()
1152 square_f256(uint32_t *d, const uint32_t *a) in square_f256() argument
1160 square20(t, a); in square_f256()
1171 * For a word x at bit offset n (n >= 256), we have: in square_f256()
1183 t[i - 3] += (x << 7) & 0x1FFF; in square_f256()
1185 t[i - 5] -= (x << 1) & 0x1FFF; in square_f256()
1187 t[i - 13] -= (x << 9) & 0x1FFF; in square_f256()
1189 t[i - 20] += (x << 4) & 0x1FFF; in square_f256()
1193 * Propagate carries. This is a signed propagation, and the in square_f256()
1196 * in which a value may be added to itself up to 7 times. Since in square_f256()
1209 t[19] &= 0x01FF; in square_f256()
1213 t[0] += cc; in square_f256()
1217 * end up with a value which is negative, and we don't want that. in square_f256()
1224 t[0] -= cc; in square_f256()
1234 * Jacobian coordinates for a point in P-256: affine coordinates (X,Y)
1238 * For the point at infinity, z = 0.
1252 * Convert a point to affine coordinates:
1254 * are set to 0.
1266 * Invert z with a modular exponentiation: the modulus is in p256_to_affine()
1270 * - 31 bits of value 0 in p256_to_affine()
1272 * - 96 bits of value 0 in p256_to_affine()
1274 * - 1 bit of value 0 in p256_to_affine()
1278 * If z = 0 (point at infinity) then the modular exponentiation in p256_to_affine()
1279 * will yield 0, which leads to the expected result (all three in p256_to_affine()
1280 * coordinates set to 0). in p256_to_affine()
1284 * A simple square-and-multiply for z^(2^31-1). We could save about in p256_to_affine()
1286 * this would require a bit more code, and extra stack buffers. in p256_to_affine()
1289 for (i = 0; i < 30; i ++) { in p256_to_affine()
1295 * Square-and-multiply. Apart from the squarings, we have a few in p256_to_affine()
1328 * Multiply z by 1/z. If z = 0, then this will yield 0, otherwise in p256_to_affine()
1336 * Double a point in P-256. This function works for all valid points,
1353 * - If y = 0 then z' = 0. But there is no such point in P-256 in p256_double()
1355 * - If z = 0 then z' = 0. in p256_double()
1368 for (i = 0; i < 20; i ++) { in p256_double()
1379 for (i = 0; i < 20; i ++) { in p256_double()
1388 for (i = 0; i < 20; i ++) { in p256_double()
1393 for (i = 0; i < 20; i ++) { in p256_double()
1403 for (i = 0; i < 20; i ++) { in p256_double()
1413 for (i = 0; i < 20; i ++) { in p256_double()
1423 for (i = 0; i < 20; i ++) { in p256_double()
1429 for (i = 0; i < 20; i ++) { in p256_double()
1441 * - If P1 == 0 but P2 != 0
1442 * - If P1 != 0 but P2 == 0
1447 * Returned value is 0 if one of the following occurs:
1450 * - P1 == 0 and P2 == 0
1451 * - The Y coordinate of one of the points is 0 and the other point is
1454 * The third case cannot actually happen with valid points, since a point
1455 * with Y == 0 is a point of order 2, and there is no point of order 2 on
1458 * Therefore, assuming that P1 != 0 and P2 != 0 on input, then the caller
1462 * - Otherwise, if the returned value is 1, then this is a case of
1463 * P1+P2 == 0, so the result is indeed the point at infinity.
1464 * - Otherwise, P1 == P2, so a "double" operation should have been
1508 for (i = 0; i < 20; i ++) { in p256_add()
1516 ret = 0; in p256_add()
1517 for (i = 0; i < 20; i ++) { in p256_add()
1533 for (i = 0; i < 20; i ++) { in p256_add()
1542 for (i = 0; i < 20; i ++) { in p256_add()
1548 for (i = 0; i < 20; i ++) { in p256_add()
1564 * Add point P2 to point P1. This is a specialised function for the
1565 * case when P2 is a non-zero point in affine coordinate.
1569 * - If P1 == 0
1574 * Returned value is 0 if one of the following occurs:
1577 * - The Y coordinate of P2 is 0 and P1 is the point at infinity.
1579 * The second case cannot actually happen with valid points, since a point
1580 * with Y == 0 is a point of order 2, and there is no point of order 2 on
1583 * Therefore, assuming that P1 != 0 on input, then the caller
1587 * - Otherwise, if the returned value is 1, then this is a case of
1588 * P1+P2 == 0, so the result is indeed the point at infinity.
1589 * - Otherwise, P1 == P2, so a "double" operation should have been
1631 for (i = 0; i < 20; i ++) { in p256_add_mixed()
1639 ret = 0; in p256_add_mixed()
1640 for (i = 0; i < 20; i ++) { in p256_add_mixed()
1656 for (i = 0; i < 20; i ++) { in p256_add_mixed()
1665 for (i = 0; i < 20; i ++) { in p256_add_mixed()
1671 for (i = 0; i < 20; i ++) { in p256_add_mixed()
1686 * Decode a P-256 point. This function does not support the point at
1687 * infinity. Returned value is 0 if the point is invalid, 1 otherwise.
1698 return 0; in p256_decode()
1703 * First byte must be 0x04 (uncompressed format). We could support in p256_decode()
1704 * "hybrid format" (first byte is 0x06 or 0x07, and encodes the in p256_decode()
1708 bad = NEQ(buf[0], 0x04); in p256_decode()
1725 for (i = 0; i < 20; i ++) { in p256_decode()
1731 for (i = 0; i < 20; i ++) { in p256_decode()
1740 memset(P->z, 0, sizeof P->z); in p256_decode()
1741 P->z[0] = 1; in p256_decode()
1742 return EQ(bad, 0); in p256_decode()
1746 * Encode a point into a buffer. This function assumes that the point is
1755 buf[0] = 0x04; in p256_encode()
1761 * Multiply a curve point by an integer. The integer is assumed to be
1769 * qz is a flag that is initially 1, and remains equal to 1 in p256_mul()
1772 * We use a 2-bit window to handle multiplier bits by pairs. in p256_mul()
1787 * We start with Q = 0. We process multiplier bits 2 by 2. in p256_mul()
1789 memset(&Q, 0, sizeof Q); in p256_mul()
1791 while (xlen -- > 0) { in p256_mul()
1794 for (k = 6; k >= 0; k -= 2) { in p256_mul()
1803 bnz = NEQ(bits, 0); in p256_mul()
1825 { 0x04C60296, 0x02721176, 0x19D00F4A, 0x102517AC,
1826 0x13B8037D, 0x0748103C, 0x1E730E56, 0x08481FE2,
1827 0x0F97012C, 0x00D605F4, 0x1DFA11F5, 0x0C801A0D,
1828 0x0F670CBB, 0x0AED0CC5, 0x115E0E33, 0x181F0785,
1829 0x13F514A7, 0x0FF30E3B, 0x17171E1A, 0x009F18D0 },
1831 { 0x1B341978, 0x16911F11, 0x0D9A1A60, 0x1C4E1FC8,
1832 0x1E040969, 0x096A06B0, 0x091C0030, 0x09EF1A29,
1833 0x18C40D03, 0x00F91C9E, 0x13C313D1, 0x096F0748,
1834 0x011419E0, 0x1CC713A6, 0x1DD31DAD, 0x1EE80C36,
1835 0x1ECD0C69, 0x1A0800A4, 0x08861B8E, 0x000E1DD5 },
1837 { 0x173F1D6C, 0x02CC06F1, 0x14C21FB4, 0x043D1EB6,
1838 0x0F3606B7, 0x1A971C59, 0x1BF71951, 0x01481323,
1839 0x068D0633, 0x00BD12F9, 0x13EA1032, 0x136209E8,
1840 0x1C1E19A7, 0x06C7013E, 0x06C10AB0, 0x14C908BB,
1841 0x05830CE1, 0x1FEF18DD, 0x00620998, 0x010E0D19 },
1843 { 0x18180852, 0x0604111A, 0x0B771509, 0x1B6F0156,
1844 0x00181FE2, 0x1DCC0AF4, 0x16EF0659, 0x11F70E80,
1845 0x11A912D0, 0x01C414D2, 0x027618C6, 0x05840FC6,
1846 0x100215C4, 0x187E0C3B, 0x12771C96, 0x150C0B5D,
1847 0x0FF705FD, 0x07981C67, 0x1AD20C63, 0x01C11C55 },
1849 { 0x1E8113ED, 0x0A940370, 0x12920215, 0x1FA31D6F,
1850 0x1F7C0C82, 0x10CD03F7, 0x02640560, 0x081A0B5E,
1851 0x1BD21151, 0x00A21642, 0x0D0B0DA4, 0x0176113F,
1852 0x04440D1D, 0x001A1360, 0x1068012F, 0x1F141E49,
1853 0x10DF136B, 0x0E4F162B, 0x0D44104A, 0x01C1105F },
1855 { 0x011411A9, 0x01551A4F, 0x0ADA0C6B, 0x01BD0EC8,
1856 0x18120C74, 0x112F1778, 0x099202CB, 0x0C05124B,
1857 0x195316A4, 0x01600685, 0x1E3B1FE2, 0x189014E3,
1858 0x0B5E1FD7, 0x0E0311F8, 0x08E000F7, 0x174E00DE,
1859 0x160702DF, 0x1B5A15BF, 0x03A11237, 0x01D01704 },
1861 { 0x0C3D12A3, 0x0C501C0C, 0x17AD1300, 0x1715003F,
1862 0x03F719F8, 0x18031ED8, 0x1D980667, 0x0F681896,
1863 0x1B7D00BF, 0x011C14CE, 0x0FA000B4, 0x1C3501B0,
1864 0x0D901C55, 0x06790C10, 0x029E0736, 0x0DEB0400,
1865 0x034F183A, 0x030619B4, 0x0DEF0033, 0x00E71AC7 },
1867 { 0x1B7D1393, 0x1B3B1076, 0x0BED1B4D, 0x13011F3A,
1868 0x0E0E1238, 0x156A132B, 0x013A02D3, 0x160A0D01,
1869 0x1CED1EE9, 0x00C5165D, 0x184C157E, 0x08141A83,
1870 0x153C0DA5, 0x1ED70F9D, 0x05170D51, 0x02CF13B8,
1871 0x18AE1771, 0x1B04113F, 0x05EC11E9, 0x015A16B3 },
1873 { 0x04A41EE0, 0x1D1412E4, 0x1C591D79, 0x118511B7,
1874 0x14F00ACB, 0x1AE31E1C, 0x049C0D51, 0x016E061E,
1875 0x1DB71EDF, 0x01D41A35, 0x0E8208FA, 0x14441293,
1876 0x011F1E85, 0x1D54137A, 0x026B114F, 0x151D0832,
1877 0x00A50964, 0x1F9C1E1C, 0x064B12C9, 0x005409D1 },
1879 { 0x062B123F, 0x0C0D0501, 0x183704C3, 0x08E31120,
1880 0x0A2E0A6C, 0x14440FED, 0x090A0D1E, 0x13271964,
1881 0x0B590A3A, 0x019D1D9B, 0x05780773, 0x09770A91,
1882 0x0F770CA3, 0x053F19D4, 0x02C80DED, 0x1A761304,
1883 0x091E0DD9, 0x15D201B8, 0x151109AA, 0x010F0198 },
1885 { 0x05E101D1, 0x072314DD, 0x045F1433, 0x1A041541,
1886 0x10B3142E, 0x01840736, 0x1C1B19DB, 0x098B0418,
1887 0x1DBC083B, 0x007D1444, 0x01511740, 0x11DD1F3A,
1888 0x04ED0E2F, 0x1B4B1A62, 0x10480D04, 0x09E911A2,
1889 0x04211AFA, 0x19140893, 0x04D60CC4, 0x01210648 },
1891 { 0x112703C4, 0x018B1BA1, 0x164C1D50, 0x05160BE0,
1892 0x0BCC1830, 0x01CB1554, 0x13291732, 0x1B2B1918,
1893 0x0DED0817, 0x00E80775, 0x0A2401D3, 0x0BFE08B3,
1894 0x0E531199, 0x058616E9, 0x04770B91, 0x110F0C55,
1895 0x19C11554, 0x0BFB1159, 0x03541C38, 0x000E1C2D },
1897 { 0x10390C01, 0x02BB0751, 0x0AC5098E, 0x096C17AB,
1898 0x03C90E28, 0x10BD18BF, 0x002E1F2D, 0x092B0986,
1899 0x1BD700AC, 0x002E1F20, 0x1E3D1FD8, 0x077718BB,
1900 0x06F919C4, 0x187407ED, 0x11370E14, 0x081E139C,
1901 0x00481ADB, 0x14AB0289, 0x066A0EBE, 0x00C70ED6 },
1903 { 0x0694120B, 0x124E1CC9, 0x0E2F0570, 0x17CF081A,
1904 0x078906AC, 0x066D17CF, 0x1B3207F4, 0x0C5705E9,
1905 0x10001C38, 0x00A919DE, 0x06851375, 0x0F900BD8,
1906 0x080401BA, 0x0EEE0D42, 0x1B8B11EA, 0x0B4519F0,
1907 0x090F18C0, 0x062E1508, 0x0DD909F4, 0x01EB067C },
1909 { 0x0CDC1D5F, 0x0D1818F9, 0x07781636, 0x125B18E8,
1910 0x0D7003AF, 0x13110099, 0x1D9B1899, 0x175C1EB7,
1911 0x0E34171A, 0x01E01153, 0x081A0F36, 0x0B391783,
1912 0x1D1F147E, 0x19CE16D7, 0x11511B21, 0x1F2C10F9,
1913 0x12CA0E51, 0x05A31D39, 0x171A192E, 0x016B0E4F }
1926 memset(xy, 0, sizeof xy); in lookup_Gwin()
1927 for (k = 0; k < 15; k ++) { in lookup_Gwin()
1931 for (u = 0; u < 20; u ++) { in lookup_Gwin()
1935 for (u = 0; u < 10; u ++) { in lookup_Gwin()
1936 T->x[(u << 1) + 0] = xy[u] & 0xFFFF; in lookup_Gwin()
1938 T->y[(u << 1) + 0] = xy[u + 10] & 0xFFFF; in lookup_Gwin()
1941 memset(T->z, 0, sizeof T->z); in lookup_Gwin()
1942 T->z[0] = 1; in lookup_Gwin()
1953 * qz is a flag that is initially 1, and remains equal to 1 in p256_mulgen()
1956 * We use a 4-bit window to handle multiplier bits by groups in p256_mulgen()
1958 * points in affine coordinates; we use a constant-time lookup. in p256_mulgen()
1963 memset(&Q, 0, sizeof Q); in p256_mulgen()
1965 while (xlen -- > 0) { in p256_mulgen()
1970 for (k = 0; k < 2; k ++) { in p256_mulgen()
1979 bits = (bx >> 4) & 0x0F; in p256_mulgen()
1980 bnz = NEQ(bits, 0); in p256_mulgen()
1994 0x04, 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8,
1995 0xBC, 0xE6, 0xE5, 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D,
1996 0x81, 0x2D, 0xEB, 0x33, 0xA0, 0xF4, 0xA1, 0x39, 0x45, 0xD8,
1997 0x98, 0xC2, 0x96, 0x4F, 0xE3, 0x42, 0xE2, 0xFE, 0x1A, 0x7F,
1998 0x9B, 0x8E, 0xE7, 0xEB, 0x4A, 0x7C, 0x0F, 0x9E, 0x16, 0x2B,
1999 0xCE, 0x33, 0x57, 0x6B, 0x31, 0x5E, 0xCE, 0xCB, 0xB6, 0x40,
2000 0x68, 0x37, 0xBF, 0x51, 0xF5
2004 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF,
2005 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD,
2006 0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63,
2007 0x25, 0x51
2043 return 0; in api_mul()
2066 api_muladd(unsigned char *A, const unsigned char *B, size_t len, in api_muladd() argument
2076 return 0; in api_muladd()
2078 r = p256_decode(&P, A, len); in api_muladd()
2092 z = 0; in api_muladd()
2093 for (i = 0; i < 20; i ++) { in api_muladd()
2096 z = EQ(z, 0); in api_muladd()
2100 * If z is 1 then either P+Q = 0 (t = 1) or P = Q (t = 0). So we in api_muladd()
2103 * z = 0, t = 0 return P (normal addition) in api_muladd()
2104 * z = 0, t = 1 return P (normal addition) in api_muladd()
2105 * z = 1, t = 0 return Q (a 'double' case) in api_muladd()
2106 * z = 1, t = 1 report an error (P+Q = 0) in api_muladd()
2110 p256_encode(A, &P); in api_muladd()
2117 (uint32_t)0x00800000,