1 // SPDX-License-Identifier: GPL-2.0-or-later
3  * Copyright 2024- IBM Corp.
7  *     - Algorithm 1 Scalar multiplication of a variable point
19 asmlinkage void x25519_fe51_mul(fe51 h, const fe51 f, const fe51 g);
32 static void fadd(fe51 h, const fe51 f, const fe51 g)  in fadd()  argument
34 	h[0] = f[0] + g[0];  in fadd()
35 	h[1] = f[1] + g[1];  in fadd()
36 	h[2] = f[2] + g[2];  in fadd()
37 	h[3] = f[3] + g[3];  in fadd()
38 	h[4] = f[4] + g[4];  in fadd()
42  * Prime = 2 ** 255 - 19, 255 bits
45  * Prime in 5 51-bit limbs
49 static void fsub(fe51 h, const fe51 f, const fe51 g)  in fsub()  argument
51 	h[0] = (f[0] + ((prime51[0] * 2))) - g[0];  in fsub()
52 	h[1] = (f[1] + ((prime51[1] * 2))) - g[1];  in fsub()
53 	h[2] = (f[2] + ((prime51[2] * 2))) - g[2];  in fsub()
54 	h[3] = (f[3] + ((prime51[3] * 2))) - g[3];  in fsub()
55 	h[4] = (f[4] + ((prime51[4] * 2))) - g[4];  in fsub()
61 	 * Make sure 64-bit aligned.  in fe51_frombytes()
75 	x25519_fe51_sqr_times(t00, a0, 2);  in finv()
123 	z2[0] = z2[1] = z2[2] = z2[3] = z2[4] = 0;  in curve25519_fe51()
126 	x3[2] = x1[2];  in curve25519_fe51()
132 	x2[2] = z3[2] = 0;  in curve25519_fe51()
136 	for (i = 254; i >= 0; --i) {  in curve25519_fe51()
147 		fsub(b, x2, z2);		// B = x_2 - z_2  in curve25519_fe51()
149 		fsub(d, x3, z3);		// D = x_3 - z_3  in curve25519_fe51()
152 		fsqr(bb, b);			// BB = B^2  in curve25519_fe51()
153 		fsqr(aa, a);			// AA = A^2  in curve25519_fe51()
157 		fsub(e, aa, bb);		// E = AA - BB  in curve25519_fe51()
160 		fsub(dacb_m, da, cb);		// DA - CB  in curve25519_fe51()
163 		fsqr(z2, dacb_m);		// (DA - CB)^2  in curve25519_fe51()
164 		fsqr(x3, dacb_p);		// x3 = (DA + CB)^2  in curve25519_fe51()
166 		fmul(z3, x1, z2);		// z3 = x1 * (DA - CB)^2  in curve25519_fe51()
167 		fmul(z2, e, b);		// z2 = e * (BB + (DA + CB)^2)  in curve25519_fe51()