Lines Matching +full:1 +full:p1
71 return 1; in api_xoff()
84 #define BIT(n) ((uint64_t)1 << (n))
110 d[1] = a[1] + b[1]; in f256_add()
132 w = a[1] + cc; in f256_partial_reduce()
133 a[1] = w & MASK52; in f256_partial_reduce()
145 w = a[1] - (s << 44); in f256_partial_reduce()
146 a[1] = w & MASK52; /* a[1] < 2^52 */ in f256_partial_reduce()
150 cc = w >> 63; /* cc = 0 or 1 */ in f256_partial_reduce()
153 cc = w >> 63; /* cc = 0 or 1 */ in f256_partial_reduce()
189 w = a[1] - b[1] + cc; in f256_sub()
190 t[1] = w & MASK52; in f256_sub()
205 * 2^256 = 2^224 - 2^192 - 2^96 + 1 mod p in f256_sub()
208 * 0 <= t[0] <= 2^52 - 1 in f256_sub()
209 * 0 <= t[1] <= 2^52 - 1 in f256_sub()
210 * 2^5 <= t[2] <= 2^52 + 2^5 - 1 in f256_sub()
211 * 2^49 <= t[3] <= 2^52 + 2^49 - 1 in f256_sub()
220 w = t[1] - (s << 44); in f256_sub()
221 d[1] = w & MASK52; /* d[1] <= 2^52 - 1 */ in f256_sub()
224 cc = w >> 63; /* cc = 0 or 1 */ in f256_sub()
227 cc = w >> 63; /* cc = 0 or 1 */ in f256_sub()
228 d[3] = w + (cc << 52); /* t[3] <= 2^52 + 2^49 - 1 */ in f256_sub()
252 t[1] = 0; in f256_montymul()
275 z = (unsigned __int128)b[1] * (unsigned __int128)x in f256_montymul()
276 + (unsigned __int128)t[1] + cc in f256_montymul()
282 t[1] = (uint64_t)z & MASK52; in f256_montymul()
303 w = t[1] - (s << 44); in f256_montymul()
304 t[1] = w & MASK52; /* t[1] < 2^52 */ in f256_montymul()
308 cc = w >> 63; /* cc = 0 or 1 */ in f256_montymul()
311 cc = w >> 63; /* cc = 0 or 1 */ in f256_montymul()
316 * The final t[4] cannot overflow because cc is 0 or 1, in f256_montymul()
317 * and cc can be 1 only if s != 0. in f256_montymul()
322 d[1] = t[1]; in f256_montymul()
333 t[1] = 0; in f256_montymul()
358 zl = _umul128(b[1], x, &zh); in f256_montymul()
359 k = _addcarry_u64(0, t[1], zl, &zl); in f256_montymul()
373 t[1] = zl & MASK52; in f256_montymul()
405 w = t[1] - (s << 44); in f256_montymul()
406 t[1] = w & MASK52; /* t[1] < 2^52 */ in f256_montymul()
410 cc = w >> 63; /* cc = 0 or 1 */ in f256_montymul()
413 cc = w >> 63; /* cc = 0 or 1 */ in f256_montymul()
418 * The final t[4] cannot overflow because cc is 0 or 1, in f256_montymul()
419 * and cc can be 1 only if s != 0. in f256_montymul()
424 d[1] = t[1]; in f256_montymul()
470 * Montgomery multiplication by 1 is division by 2^260 modulo p. in f256_frommonty()
472 static const uint64_t one[] = { 1, 0, 0, 0, 0 }; in f256_frommonty()
487 * - 32 bits of value 1 in f256_invert()
489 * - 1 bit of value 1 in f256_invert()
491 * - 94 bits of value 1 in f256_invert()
492 * - 1 bit of value 0 in f256_invert()
493 * - 1 bit of value 1 in f256_invert()
495 * a^(2^31-1). in f256_invert()
550 * We compute t = r + (2^256 - p) = r + 2^224 - 2^192 - 2^96 + 1. in f256_final_reduce()
556 * Add 2^224 + 1, and propagate carries to ensure that limbs in f256_final_reduce()
559 w = r[0] + 1; in f256_final_reduce()
562 w = r[1] + cc; in f256_final_reduce()
563 t[1] = w & MASK52; in f256_final_reduce()
574 * Subtract 2^192 + 2^96. Since we just added 2^224 + 1, the in f256_final_reduce()
577 w = t[1] - BIT(44); in f256_final_reduce()
578 t[1] = w & MASK52; in f256_final_reduce()
631 a[1] = ((w0 >> 52) | (w1 << 12)) & MASK52; in f256_decode()
646 w0 = a[0] | (a[1] << 52); in f256_encode()
647 w1 = (a[1] >> 12) | (a[2] << 40); in f256_encode()
658 * with z = 1. If the encoding is invalid, or encodes a point which is
660 * returns 0. Otherwise, 1 is returned.
679 f256_decode(x, buf + 1); in point_decode()
699 tt = t[0] | t[1] | t[2] | t[3] | t[4]; in point_decode()
720 * the encoded point is written in the buffer, and 1 is returned.
727 /* Set t1 = 1/z^2 and t2 = 1/z^3. */ in point_encode()
745 f256_encode(buf + 1, t1); in point_encode()
749 z = P->z[0] | P->z[1] | P->z[2] | P->z[3] | P->z[4]; in point_encode()
831 * Point addition (Jacobian coordinates): P1 is replaced with P1+P2.
834 * - If P1 == 0 but P2 != 0
835 * - If P1 != 0 but P2 == 0
836 * - If P1 == P2
838 * In all three cases, P1 is set to the point at infinity.
842 * - P1 and P2 have the same Y coordinate.
843 * - P1 == 0 and P2 == 0.
851 * Therefore, assuming that P1 != 0 and P2 != 0 on input, then the caller
855 * - Otherwise, if the returned value is 1, then this is a case of
856 * P1+P2 == 0, so the result is indeed the point at infinity.
857 * - Otherwise, P1 == P2, so a "double" operation should have been
861 * e.g. if P1 and P2 have the same Y coordinate, but distinct X coordinates.
864 p256_add(p256_jacobian *P1, const p256_jacobian *P2) in p256_add() argument
886 f256_montymul(t1, P1->x, t3); in p256_add()
888 f256_montymul(t3, P1->y, t4); in p256_add()
893 f256_montysquare(t4, P1->z); in p256_add()
895 f256_montymul(t5, P1->z, t4); in p256_add()
906 tt = t4[0] | t4[1] | t4[2] | t4[3] | t4[4]; in p256_add()
920 f256_montysquare(P1->x, t4); in p256_add()
921 f256_sub(P1->x, P1->x, t5); in p256_add()
922 f256_sub(P1->x, P1->x, t6); in p256_add()
923 f256_sub(P1->x, P1->x, t6); in p256_add()
928 f256_sub(t6, t6, P1->x); in p256_add()
929 f256_montymul(P1->y, t4, t6); in p256_add()
931 f256_sub(P1->y, P1->y, t1); in p256_add()
936 f256_montymul(t1, P1->z, P2->z); in p256_add()
937 f256_montymul(P1->z, t1, t2); in p256_add()
943 * Point addition (mixed coordinates): P1 is replaced with P1+P2.
949 * - If P1 == 0
950 * - If P1 == P2
952 * In both cases, P1 is set to the point at infinity.
956 * - P1 and P2 have the same Y (affine) coordinate.
957 * - The Y coordinate of P2 is 0 and P1 is the point at infinity.
963 * Therefore, assuming that P1 != 0 on input, then the caller
967 * - Otherwise, if the returned value is 1, then this is a case of
968 * P1+P2 == 0, so the result is indeed the point at infinity.
969 * - Otherwise, P1 == P2, so a "double" operation should have been
976 p256_add_mixed(p256_jacobian *P1, const p256_affine *P2) in p256_add_mixed() argument
997 memcpy(t1, P1->x, sizeof t1); in p256_add_mixed()
998 memcpy(t3, P1->y, sizeof t3); in p256_add_mixed()
1003 f256_montysquare(t4, P1->z); in p256_add_mixed()
1005 f256_montymul(t5, P1->z, t4); in p256_add_mixed()
1016 tt = t4[0] | t4[1] | t4[2] | t4[3] | t4[4]; in p256_add_mixed()
1030 f256_montysquare(P1->x, t4); in p256_add_mixed()
1031 f256_sub(P1->x, P1->x, t5); in p256_add_mixed()
1032 f256_sub(P1->x, P1->x, t6); in p256_add_mixed()
1033 f256_sub(P1->x, P1->x, t6); in p256_add_mixed()
1038 f256_sub(t6, t6, P1->x); in p256_add_mixed()
1039 f256_montymul(P1->y, t4, t6); in p256_add_mixed()
1041 f256_sub(P1->y, P1->y, t1); in p256_add_mixed()
1046 f256_montymul(P1->z, P1->z, t2); in p256_add_mixed()
1054 * Point addition (mixed coordinates, complete): P1 is replaced with P1+P2.
1061 p256_add_complete_mixed(p256_jacobian *P1, const p256_affine *P2)
1078 * - If P1 is the point-at-infinity (z1 = 0), then z3 is
1081 * - If P1 = P2, then u1 = u2 and s1 = s2, and x3, y3 and z3
1084 * However, if P1 + P2 = 0, then u1 = u2 but s1 != s2, and then
1087 * To fix the case P1 = 0, we perform at the end a copy of P2
1088 * over P1, conditional to z1 = 0.
1090 * For P1 = P2: in that case, both h and r are set to 0, and
1092 * occurrence to make a mask which will be all-one if P1 = P2,
1097 * simplifying since P2 is affine (i.e. z2 = 1, implicitly),
1100 * m = 3*(x2 + 1)*(x2 - 1)
1112 * Set zz to -1 if P1 is the point at infinity, 0 otherwise.
1114 zz = P1->z[0] | P1->z[1] | P1->z[2] | P1->z[3] | P1->z[4];
1115 zz = ((zz | -zz) >> 63) - (uint64_t)1;
1120 memcpy(t1, P1->x, sizeof t1);
1121 memcpy(t3, P1->y, sizeof t3);
1126 f256_montysquare(t4, P1->z);
1128 f256_montymul(t5, P1->z, t4);
1139 * If both h = 0 and r = 0, then P1 = P2, and we want to set
1140 * the mask tt to -1; otherwise, the mask will be 0.
1144 tt = t2[0] | t2[1] | t2[2] | t2[3] | t2[4]
1145 | t4[0] | t4[1] | t4[2] | t4[3] | t4[4];
1146 tt = ((tt | -tt) >> 63) - (uint64_t)1;
1158 f256_montysquare(P1->x, t4);
1159 f256_sub(P1->x, P1->x, t5);
1160 f256_sub(P1->x, P1->x, t6);
1161 f256_sub(P1->x, P1->x, t6);
1166 f256_sub(t6, t6, P1->x);
1167 f256_montymul(P1->y, t4, t6);
1169 f256_sub(P1->y, P1->y, t1);
1174 f256_montymul(P1->z, P1->z, t2);
1177 * The "double" result, in case P1 = P2.
1195 * Compute m = 3*(x2^2 - 1) (in t4).
1223 P1->x[i] |= tt & t5[i];
1224 P1->y[i] |= tt & t6[i];
1225 P1->z[i] |= tt & t1[i];
1229 * If P1 = 0, then we get z3 = 0 (which is invalid); if z1 is 0,
1234 P1->x[i] ^= zz & (P1->x[i] ^ P2->x[i]);
1235 P1->y[i] ^= zz & (P1->y[i] ^ P2->y[i]);
1236 P1->z[i] ^= zz & (P1->z[i] ^ F256_R[i]);
1243 * provided, with points 1*P to 15*P in affine coordinates.
1258 qz = 1; in point_mul_inner()
1288 m = -(uint64_t)EQ(bits, n + 1); in point_mul_inner()
1290 T.x[1] |= m & W[n].x[1]; in point_mul_inner()
1295 T.y[1] |= m & W[n].y[1]; in point_mul_inner()
1305 * If qz is still 1, then Q was all-zeros, and this in point_mul_inner()
1339 * we compute u = 1/(z1*z2*z3*z4), and then we have: in window_to_affine()
1340 * 1/z1 = u*z2*z3*z4 in window_to_affine()
1341 * 1/z2 = u*z1*z3*z4 in window_to_affine()
1342 * 1/z3 = u*z1*z2*z4 in window_to_affine()
1343 * 1/z4 = u*z1*z2*z3 in window_to_affine()
1350 * recurse on (z_(n/2+1),z_(n/2+2)... z_n) -> r2 and m2 in window_to_affine()
1357 * hexadecimal, starting at 1). in window_to_affine()
1359 * - Depth 1: in window_to_affine()
1399 * extra one with coordinate Z = 1 (in Montgomery representation). in window_to_affine()
1401 for (i = 0; (i + 1) < num; i += 2) { in window_to_affine()
1403 memcpy(jac[i].z, jac[i + 1].z, sizeof zt); in window_to_affine()
1404 memcpy(jac[i + 1].z, zt, sizeof zt); in window_to_affine()
1405 f256_montymul(z[i >> 1], jac[i].z, jac[i + 1].z); in window_to_affine()
1407 if ((num & 1) != 0) { in window_to_affine()
1408 memcpy(z[num >> 1], jac[num - 1].z, sizeof zt); in window_to_affine()
1409 memcpy(jac[num - 1].z, F256_R, sizeof F256_R); in window_to_affine()
1417 for (k = 1, s = 2; s < num; k ++, s <<= 1) { in window_to_affine()
1421 f256_montymul(jac[i].z, jac[i].z, z[(i >> k) ^ 1]); in window_to_affine()
1423 n = (num + s - 1) >> k; in window_to_affine()
1424 for (i = 0; i < (n >> 1); i ++) { in window_to_affine()
1425 f256_montymul(z[i], z[i << 1], z[(i << 1) + 1]); in window_to_affine()
1427 if ((n & 1) != 0) { in window_to_affine()
1428 memmove(z[n >> 1], z[n], sizeof zt); in window_to_affine()
1468 window.jac[i - 1] = window.jac[(i >> 1) - 1]; in p256_mul()
1469 if ((i & 1) == 0) { in p256_mul()
1470 p256_double(&window.jac[i - 1]); in p256_mul()
1472 p256_add(&window.jac[i - 1], &window.jac[i >> 1]); in p256_mul()
1490 * contains (n+1)*G (affine coordinates, in Montgomery representation).
1601 * Return 1 if all of the following hold:
1629 c = -1; in check_scalar()
1680 * 16*16-1 = 255 points. For the same window size as in the in api_muladd()
1719 z = P.z[0] | P.z[1] | P.z[2] | P.z[3] | P.z[4]; in api_muladd()
1724 * If s is 1 then either P+Q = 0 (t = 1) or P = Q (t = 0). So we in api_muladd()
1728 * s = 0, t = 1 return P (normal addition) in api_muladd()
1729 * s = 1, t = 0 return Q (a 'double' case) in api_muladd()
1730 * s = 1, t = 1 report an error (P+Q = 0) in api_muladd()