xref: /freebsd/contrib/bearssl/src/ec/ec_p256_m15.c (revision 05427f4639bcf2703329a9be9d25ec09bb782742)
1 /*
2  * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining
5  * a copy of this software and associated documentation files (the
6  * "Software"), to deal in the Software without restriction, including
7  * without limitation the rights to use, copy, modify, merge, publish,
8  * distribute, sublicense, and/or sell copies of the Software, and to
9  * permit persons to whom the Software is furnished to do so, subject to
10  * the following conditions:
11  *
12  * The above copyright notice and this permission notice shall be
13  * included in all copies or substantial portions of the Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22  * SOFTWARE.
23  */
24 
25 #include "inner.h"
26 
27 /*
28  * If BR_NO_ARITH_SHIFT is undefined, or defined to 0, then we _assume_
29  * that right-shifting a signed negative integer copies the sign bit
30  * (arithmetic right-shift). This is "implementation-defined behaviour",
31  * i.e. it is not undefined, but it may differ between compilers. Each
32  * compiler is supposed to document its behaviour in that respect. GCC
33  * explicitly defines that an arithmetic right shift is used. We expect
34  * all other compilers to do the same, because underlying CPU offer an
35  * arithmetic right shift opcode that could not be used otherwise.
36  */
37 #if BR_NO_ARITH_SHIFT
38 #define ARSH(x, n)   (((uint32_t)(x) >> (n)) \
39                     | ((-((uint32_t)(x) >> 31)) << (32 - (n))))
40 #else
41 #define ARSH(x, n)   ((*(int32_t *)&(x)) >> (n))
42 #endif
43 
44 /*
45  * Convert an integer from unsigned big-endian encoding to a sequence of
46  * 13-bit words in little-endian order. The final "partial" word is
47  * returned.
48  */
49 static uint32_t
50 be8_to_le13(uint32_t *dst, const unsigned char *src, size_t len)
51 {
52 	uint32_t acc;
53 	int acc_len;
54 
55 	acc = 0;
56 	acc_len = 0;
57 	while (len -- > 0) {
58 		acc |= (uint32_t)src[len] << acc_len;
59 		acc_len += 8;
60 		if (acc_len >= 13) {
61 			*dst ++ = acc & 0x1FFF;
62 			acc >>= 13;
63 			acc_len -= 13;
64 		}
65 	}
66 	return acc;
67 }
68 
69 /*
70  * Convert an integer (13-bit words, little-endian) to unsigned
71  * big-endian encoding. The total encoding length is provided; all
72  * the destination bytes will be filled.
73  */
74 static void
75 le13_to_be8(unsigned char *dst, size_t len, const uint32_t *src)
76 {
77 	uint32_t acc;
78 	int acc_len;
79 
80 	acc = 0;
81 	acc_len = 0;
82 	while (len -- > 0) {
83 		if (acc_len < 8) {
84 			acc |= (*src ++) << acc_len;
85 			acc_len += 13;
86 		}
87 		dst[len] = (unsigned char)acc;
88 		acc >>= 8;
89 		acc_len -= 8;
90 	}
91 }
92 
93 /*
94  * Normalise an array of words to a strict 13 bits per word. Returned
95  * value is the resulting carry. The source (w) and destination (d)
96  * arrays may be identical, but shall not overlap partially.
97  */
98 static inline uint32_t
99 norm13(uint32_t *d, const uint32_t *w, size_t len)
100 {
101 	size_t u;
102 	uint32_t cc;
103 
104 	cc = 0;
105 	for (u = 0; u < len; u ++) {
106 		int32_t z;
107 
108 		z = w[u] + cc;
109 		d[u] = z & 0x1FFF;
110 		cc = ARSH(z, 13);
111 	}
112 	return cc;
113 }
114 
115 /*
116  * mul20() multiplies two 260-bit integers together. Each word must fit
117  * on 13 bits; source operands use 20 words, destination operand
118  * receives 40 words. All overlaps allowed.
119  *
120  * square20() computes the square of a 260-bit integer. Each word must
121  * fit on 13 bits; source operand uses 20 words, destination operand
122  * receives 40 words. All overlaps allowed.
123  */
124 
125 #if BR_SLOW_MUL15
126 
127 static void
128 mul20(uint32_t *d, const uint32_t *a, const uint32_t *b)
129 {
130 	/*
131 	 * Two-level Karatsuba: turns a 20x20 multiplication into
132 	 * nine 5x5 multiplications. We use 13-bit words but do not
133 	 * propagate carries immediately, so words may expand:
134 	 *
135 	 *  - First Karatsuba decomposition turns the 20x20 mul on
136 	 *    13-bit words into three 10x10 muls, two on 13-bit words
137 	 *    and one on 14-bit words.
138 	 *
139 	 *  - Second Karatsuba decomposition further splits these into:
140 	 *
141 	 *     * four 5x5 muls on 13-bit words
142 	 *     * four 5x5 muls on 14-bit words
143 	 *     * one 5x5 mul on 15-bit words
144 	 *
145 	 * Highest word value is 8191, 16382 or 32764, for 13-bit, 14-bit
146 	 * or 15-bit words, respectively.
147 	 */
148 	uint32_t u[45], v[45], w[90];
149 	uint32_t cc;
150 	int i;
151 
152 #define ZADD(dw, d_off, s1w, s1_off, s2w, s2_off)   do { \
153 		(dw)[5 * (d_off) + 0] = (s1w)[5 * (s1_off) + 0] \
154 			+ (s2w)[5 * (s2_off) + 0]; \
155 		(dw)[5 * (d_off) + 1] = (s1w)[5 * (s1_off) + 1] \
156 			+ (s2w)[5 * (s2_off) + 1]; \
157 		(dw)[5 * (d_off) + 2] = (s1w)[5 * (s1_off) + 2] \
158 			+ (s2w)[5 * (s2_off) + 2]; \
159 		(dw)[5 * (d_off) + 3] = (s1w)[5 * (s1_off) + 3] \
160 			+ (s2w)[5 * (s2_off) + 3]; \
161 		(dw)[5 * (d_off) + 4] = (s1w)[5 * (s1_off) + 4] \
162 			+ (s2w)[5 * (s2_off) + 4]; \
163 	} while (0)
164 
165 #define ZADDT(dw, d_off, sw, s_off)   do { \
166 		(dw)[5 * (d_off) + 0] += (sw)[5 * (s_off) + 0]; \
167 		(dw)[5 * (d_off) + 1] += (sw)[5 * (s_off) + 1]; \
168 		(dw)[5 * (d_off) + 2] += (sw)[5 * (s_off) + 2]; \
169 		(dw)[5 * (d_off) + 3] += (sw)[5 * (s_off) + 3]; \
170 		(dw)[5 * (d_off) + 4] += (sw)[5 * (s_off) + 4]; \
171 	} while (0)
172 
173 #define ZSUB2F(dw, d_off, s1w, s1_off, s2w, s2_off)   do { \
174 		(dw)[5 * (d_off) + 0] -= (s1w)[5 * (s1_off) + 0] \
175 			+ (s2w)[5 * (s2_off) + 0]; \
176 		(dw)[5 * (d_off) + 1] -= (s1w)[5 * (s1_off) + 1] \
177 			+ (s2w)[5 * (s2_off) + 1]; \
178 		(dw)[5 * (d_off) + 2] -= (s1w)[5 * (s1_off) + 2] \
179 			+ (s2w)[5 * (s2_off) + 2]; \
180 		(dw)[5 * (d_off) + 3] -= (s1w)[5 * (s1_off) + 3] \
181 			+ (s2w)[5 * (s2_off) + 3]; \
182 		(dw)[5 * (d_off) + 4] -= (s1w)[5 * (s1_off) + 4] \
183 			+ (s2w)[5 * (s2_off) + 4]; \
184 	} while (0)
185 
186 #define CPR1(w, cprcc)   do { \
187 		uint32_t cprz = (w) + cprcc; \
188 		(w) = cprz & 0x1FFF; \
189 		cprcc = cprz >> 13; \
190 	} while (0)
191 
192 #define CPR(dw, d_off)   do { \
193 		uint32_t cprcc; \
194 		cprcc = 0; \
195 		CPR1((dw)[(d_off) + 0], cprcc); \
196 		CPR1((dw)[(d_off) + 1], cprcc); \
197 		CPR1((dw)[(d_off) + 2], cprcc); \
198 		CPR1((dw)[(d_off) + 3], cprcc); \
199 		CPR1((dw)[(d_off) + 4], cprcc); \
200 		CPR1((dw)[(d_off) + 5], cprcc); \
201 		CPR1((dw)[(d_off) + 6], cprcc); \
202 		CPR1((dw)[(d_off) + 7], cprcc); \
203 		CPR1((dw)[(d_off) + 8], cprcc); \
204 		(dw)[(d_off) + 9] = cprcc; \
205 	} while (0)
206 
207 	memcpy(u, a, 20 * sizeof *a);
208 	ZADD(u, 4, a, 0, a, 1);
209 	ZADD(u, 5, a, 2, a, 3);
210 	ZADD(u, 6, a, 0, a, 2);
211 	ZADD(u, 7, a, 1, a, 3);
212 	ZADD(u, 8, u, 6, u, 7);
213 
214 	memcpy(v, b, 20 * sizeof *b);
215 	ZADD(v, 4, b, 0, b, 1);
216 	ZADD(v, 5, b, 2, b, 3);
217 	ZADD(v, 6, b, 0, b, 2);
218 	ZADD(v, 7, b, 1, b, 3);
219 	ZADD(v, 8, v, 6, v, 7);
220 
221 	/*
222 	 * Do the eight first 8x8 muls. Source words are at most 16382
223 	 * each, so we can add product results together "as is" in 32-bit
224 	 * words.
225 	 */
226 	for (i = 0; i < 40; i += 5) {
227 		w[(i << 1) + 0] = MUL15(u[i + 0], v[i + 0]);
228 		w[(i << 1) + 1] = MUL15(u[i + 0], v[i + 1])
229 			+ MUL15(u[i + 1], v[i + 0]);
230 		w[(i << 1) + 2] = MUL15(u[i + 0], v[i + 2])
231 			+ MUL15(u[i + 1], v[i + 1])
232 			+ MUL15(u[i + 2], v[i + 0]);
233 		w[(i << 1) + 3] = MUL15(u[i + 0], v[i + 3])
234 			+ MUL15(u[i + 1], v[i + 2])
235 			+ MUL15(u[i + 2], v[i + 1])
236 			+ MUL15(u[i + 3], v[i + 0]);
237 		w[(i << 1) + 4] = MUL15(u[i + 0], v[i + 4])
238 			+ MUL15(u[i + 1], v[i + 3])
239 			+ MUL15(u[i + 2], v[i + 2])
240 			+ MUL15(u[i + 3], v[i + 1])
241 			+ MUL15(u[i + 4], v[i + 0]);
242 		w[(i << 1) + 5] = MUL15(u[i + 1], v[i + 4])
243 			+ MUL15(u[i + 2], v[i + 3])
244 			+ MUL15(u[i + 3], v[i + 2])
245 			+ MUL15(u[i + 4], v[i + 1]);
246 		w[(i << 1) + 6] = MUL15(u[i + 2], v[i + 4])
247 			+ MUL15(u[i + 3], v[i + 3])
248 			+ MUL15(u[i + 4], v[i + 2]);
249 		w[(i << 1) + 7] = MUL15(u[i + 3], v[i + 4])
250 			+ MUL15(u[i + 4], v[i + 3]);
251 		w[(i << 1) + 8] = MUL15(u[i + 4], v[i + 4]);
252 		w[(i << 1) + 9] = 0;
253 	}
254 
255 	/*
256 	 * For the 9th multiplication, source words are up to 32764,
257 	 * so we must do some carry propagation. If we add up to
258 	 * 4 products and the carry is no more than 524224, then the
259 	 * result fits in 32 bits, and the next carry will be no more
260 	 * than 524224 (because 4*(32764^2)+524224 < 8192*524225).
261 	 *
262 	 * We thus just skip one of the products in the middle word,
263 	 * then do a carry propagation (this reduces words to 13 bits
264 	 * each, except possibly the last, which may use up to 17 bits
265 	 * or so), then add the missing product.
266 	 */
267 	w[80 + 0] = MUL15(u[40 + 0], v[40 + 0]);
268 	w[80 + 1] = MUL15(u[40 + 0], v[40 + 1])
269 		+ MUL15(u[40 + 1], v[40 + 0]);
270 	w[80 + 2] = MUL15(u[40 + 0], v[40 + 2])
271 		+ MUL15(u[40 + 1], v[40 + 1])
272 		+ MUL15(u[40 + 2], v[40 + 0]);
273 	w[80 + 3] = MUL15(u[40 + 0], v[40 + 3])
274 		+ MUL15(u[40 + 1], v[40 + 2])
275 		+ MUL15(u[40 + 2], v[40 + 1])
276 		+ MUL15(u[40 + 3], v[40 + 0]);
277 	w[80 + 4] = MUL15(u[40 + 0], v[40 + 4])
278 		+ MUL15(u[40 + 1], v[40 + 3])
279 		+ MUL15(u[40 + 2], v[40 + 2])
280 		+ MUL15(u[40 + 3], v[40 + 1]);
281 		/* + MUL15(u[40 + 4], v[40 + 0]) */
282 	w[80 + 5] = MUL15(u[40 + 1], v[40 + 4])
283 		+ MUL15(u[40 + 2], v[40 + 3])
284 		+ MUL15(u[40 + 3], v[40 + 2])
285 		+ MUL15(u[40 + 4], v[40 + 1]);
286 	w[80 + 6] = MUL15(u[40 + 2], v[40 + 4])
287 		+ MUL15(u[40 + 3], v[40 + 3])
288 		+ MUL15(u[40 + 4], v[40 + 2]);
289 	w[80 + 7] = MUL15(u[40 + 3], v[40 + 4])
290 		+ MUL15(u[40 + 4], v[40 + 3]);
291 	w[80 + 8] = MUL15(u[40 + 4], v[40 + 4]);
292 
293 	CPR(w, 80);
294 
295 	w[80 + 4] += MUL15(u[40 + 4], v[40 + 0]);
296 
297 	/*
298 	 * The products on 14-bit words in slots 6 and 7 yield values
299 	 * up to 5*(16382^2) each, and we need to subtract two such
300 	 * values from the higher word. We need the subtraction to fit
301 	 * in a _signed_ 32-bit integer, i.e. 31 bits + a sign bit.
302 	 * However, 10*(16382^2) does not fit. So we must perform a
303 	 * bit of reduction here.
304 	 */
305 	CPR(w, 60);
306 	CPR(w, 70);
307 
308 	/*
309 	 * Recompose results.
310 	 */
311 
312 	/* 0..1*0..1 into 0..3 */
313 	ZSUB2F(w, 8, w, 0, w, 2);
314 	ZSUB2F(w, 9, w, 1, w, 3);
315 	ZADDT(w, 1, w, 8);
316 	ZADDT(w, 2, w, 9);
317 
318 	/* 2..3*2..3 into 4..7 */
319 	ZSUB2F(w, 10, w, 4, w, 6);
320 	ZSUB2F(w, 11, w, 5, w, 7);
321 	ZADDT(w, 5, w, 10);
322 	ZADDT(w, 6, w, 11);
323 
324 	/* (0..1+2..3)*(0..1+2..3) into 12..15 */
325 	ZSUB2F(w, 16, w, 12, w, 14);
326 	ZSUB2F(w, 17, w, 13, w, 15);
327 	ZADDT(w, 13, w, 16);
328 	ZADDT(w, 14, w, 17);
329 
330 	/* first-level recomposition */
331 	ZSUB2F(w, 12, w, 0, w, 4);
332 	ZSUB2F(w, 13, w, 1, w, 5);
333 	ZSUB2F(w, 14, w, 2, w, 6);
334 	ZSUB2F(w, 15, w, 3, w, 7);
335 	ZADDT(w, 2, w, 12);
336 	ZADDT(w, 3, w, 13);
337 	ZADDT(w, 4, w, 14);
338 	ZADDT(w, 5, w, 15);
339 
340 	/*
341 	 * Perform carry propagation to bring all words down to 13 bits.
342 	 */
343 	cc = norm13(d, w, 40);
344 	d[39] += (cc << 13);
345 
346 #undef ZADD
347 #undef ZADDT
348 #undef ZSUB2F
349 #undef CPR1
350 #undef CPR
351 }
352 
353 static inline void
354 square20(uint32_t *d, const uint32_t *a)
355 {
356 	mul20(d, a, a);
357 }
358 
359 #else
360 
361 static void
362 mul20(uint32_t *d, const uint32_t *a, const uint32_t *b)
363 {
364 	uint32_t t[39];
365 
366 	t[ 0] = MUL15(a[ 0], b[ 0]);
367 	t[ 1] = MUL15(a[ 0], b[ 1])
368 		+ MUL15(a[ 1], b[ 0]);
369 	t[ 2] = MUL15(a[ 0], b[ 2])
370 		+ MUL15(a[ 1], b[ 1])
371 		+ MUL15(a[ 2], b[ 0]);
372 	t[ 3] = MUL15(a[ 0], b[ 3])
373 		+ MUL15(a[ 1], b[ 2])
374 		+ MUL15(a[ 2], b[ 1])
375 		+ MUL15(a[ 3], b[ 0]);
376 	t[ 4] = MUL15(a[ 0], b[ 4])
377 		+ MUL15(a[ 1], b[ 3])
378 		+ MUL15(a[ 2], b[ 2])
379 		+ MUL15(a[ 3], b[ 1])
380 		+ MUL15(a[ 4], b[ 0]);
381 	t[ 5] = MUL15(a[ 0], b[ 5])
382 		+ MUL15(a[ 1], b[ 4])
383 		+ MUL15(a[ 2], b[ 3])
384 		+ MUL15(a[ 3], b[ 2])
385 		+ MUL15(a[ 4], b[ 1])
386 		+ MUL15(a[ 5], b[ 0]);
387 	t[ 6] = MUL15(a[ 0], b[ 6])
388 		+ MUL15(a[ 1], b[ 5])
389 		+ MUL15(a[ 2], b[ 4])
390 		+ MUL15(a[ 3], b[ 3])
391 		+ MUL15(a[ 4], b[ 2])
392 		+ MUL15(a[ 5], b[ 1])
393 		+ MUL15(a[ 6], b[ 0]);
394 	t[ 7] = MUL15(a[ 0], b[ 7])
395 		+ MUL15(a[ 1], b[ 6])
396 		+ MUL15(a[ 2], b[ 5])
397 		+ MUL15(a[ 3], b[ 4])
398 		+ MUL15(a[ 4], b[ 3])
399 		+ MUL15(a[ 5], b[ 2])
400 		+ MUL15(a[ 6], b[ 1])
401 		+ MUL15(a[ 7], b[ 0]);
402 	t[ 8] = MUL15(a[ 0], b[ 8])
403 		+ MUL15(a[ 1], b[ 7])
404 		+ MUL15(a[ 2], b[ 6])
405 		+ MUL15(a[ 3], b[ 5])
406 		+ MUL15(a[ 4], b[ 4])
407 		+ MUL15(a[ 5], b[ 3])
408 		+ MUL15(a[ 6], b[ 2])
409 		+ MUL15(a[ 7], b[ 1])
410 		+ MUL15(a[ 8], b[ 0]);
411 	t[ 9] = MUL15(a[ 0], b[ 9])
412 		+ MUL15(a[ 1], b[ 8])
413 		+ MUL15(a[ 2], b[ 7])
414 		+ MUL15(a[ 3], b[ 6])
415 		+ MUL15(a[ 4], b[ 5])
416 		+ MUL15(a[ 5], b[ 4])
417 		+ MUL15(a[ 6], b[ 3])
418 		+ MUL15(a[ 7], b[ 2])
419 		+ MUL15(a[ 8], b[ 1])
420 		+ MUL15(a[ 9], b[ 0]);
421 	t[10] = MUL15(a[ 0], b[10])
422 		+ MUL15(a[ 1], b[ 9])
423 		+ MUL15(a[ 2], b[ 8])
424 		+ MUL15(a[ 3], b[ 7])
425 		+ MUL15(a[ 4], b[ 6])
426 		+ MUL15(a[ 5], b[ 5])
427 		+ MUL15(a[ 6], b[ 4])
428 		+ MUL15(a[ 7], b[ 3])
429 		+ MUL15(a[ 8], b[ 2])
430 		+ MUL15(a[ 9], b[ 1])
431 		+ MUL15(a[10], b[ 0]);
432 	t[11] = MUL15(a[ 0], b[11])
433 		+ MUL15(a[ 1], b[10])
434 		+ MUL15(a[ 2], b[ 9])
435 		+ MUL15(a[ 3], b[ 8])
436 		+ MUL15(a[ 4], b[ 7])
437 		+ MUL15(a[ 5], b[ 6])
438 		+ MUL15(a[ 6], b[ 5])
439 		+ MUL15(a[ 7], b[ 4])
440 		+ MUL15(a[ 8], b[ 3])
441 		+ MUL15(a[ 9], b[ 2])
442 		+ MUL15(a[10], b[ 1])
443 		+ MUL15(a[11], b[ 0]);
444 	t[12] = MUL15(a[ 0], b[12])
445 		+ MUL15(a[ 1], b[11])
446 		+ MUL15(a[ 2], b[10])
447 		+ MUL15(a[ 3], b[ 9])
448 		+ MUL15(a[ 4], b[ 8])
449 		+ MUL15(a[ 5], b[ 7])
450 		+ MUL15(a[ 6], b[ 6])
451 		+ MUL15(a[ 7], b[ 5])
452 		+ MUL15(a[ 8], b[ 4])
453 		+ MUL15(a[ 9], b[ 3])
454 		+ MUL15(a[10], b[ 2])
455 		+ MUL15(a[11], b[ 1])
456 		+ MUL15(a[12], b[ 0]);
457 	t[13] = MUL15(a[ 0], b[13])
458 		+ MUL15(a[ 1], b[12])
459 		+ MUL15(a[ 2], b[11])
460 		+ MUL15(a[ 3], b[10])
461 		+ MUL15(a[ 4], b[ 9])
462 		+ MUL15(a[ 5], b[ 8])
463 		+ MUL15(a[ 6], b[ 7])
464 		+ MUL15(a[ 7], b[ 6])
465 		+ MUL15(a[ 8], b[ 5])
466 		+ MUL15(a[ 9], b[ 4])
467 		+ MUL15(a[10], b[ 3])
468 		+ MUL15(a[11], b[ 2])
469 		+ MUL15(a[12], b[ 1])
470 		+ MUL15(a[13], b[ 0]);
471 	t[14] = MUL15(a[ 0], b[14])
472 		+ MUL15(a[ 1], b[13])
473 		+ MUL15(a[ 2], b[12])
474 		+ MUL15(a[ 3], b[11])
475 		+ MUL15(a[ 4], b[10])
476 		+ MUL15(a[ 5], b[ 9])
477 		+ MUL15(a[ 6], b[ 8])
478 		+ MUL15(a[ 7], b[ 7])
479 		+ MUL15(a[ 8], b[ 6])
480 		+ MUL15(a[ 9], b[ 5])
481 		+ MUL15(a[10], b[ 4])
482 		+ MUL15(a[11], b[ 3])
483 		+ MUL15(a[12], b[ 2])
484 		+ MUL15(a[13], b[ 1])
485 		+ MUL15(a[14], b[ 0]);
486 	t[15] = MUL15(a[ 0], b[15])
487 		+ MUL15(a[ 1], b[14])
488 		+ MUL15(a[ 2], b[13])
489 		+ MUL15(a[ 3], b[12])
490 		+ MUL15(a[ 4], b[11])
491 		+ MUL15(a[ 5], b[10])
492 		+ MUL15(a[ 6], b[ 9])
493 		+ MUL15(a[ 7], b[ 8])
494 		+ MUL15(a[ 8], b[ 7])
495 		+ MUL15(a[ 9], b[ 6])
496 		+ MUL15(a[10], b[ 5])
497 		+ MUL15(a[11], b[ 4])
498 		+ MUL15(a[12], b[ 3])
499 		+ MUL15(a[13], b[ 2])
500 		+ MUL15(a[14], b[ 1])
501 		+ MUL15(a[15], b[ 0]);
502 	t[16] = MUL15(a[ 0], b[16])
503 		+ MUL15(a[ 1], b[15])
504 		+ MUL15(a[ 2], b[14])
505 		+ MUL15(a[ 3], b[13])
506 		+ MUL15(a[ 4], b[12])
507 		+ MUL15(a[ 5], b[11])
508 		+ MUL15(a[ 6], b[10])
509 		+ MUL15(a[ 7], b[ 9])
510 		+ MUL15(a[ 8], b[ 8])
511 		+ MUL15(a[ 9], b[ 7])
512 		+ MUL15(a[10], b[ 6])
513 		+ MUL15(a[11], b[ 5])
514 		+ MUL15(a[12], b[ 4])
515 		+ MUL15(a[13], b[ 3])
516 		+ MUL15(a[14], b[ 2])
517 		+ MUL15(a[15], b[ 1])
518 		+ MUL15(a[16], b[ 0]);
519 	t[17] = MUL15(a[ 0], b[17])
520 		+ MUL15(a[ 1], b[16])
521 		+ MUL15(a[ 2], b[15])
522 		+ MUL15(a[ 3], b[14])
523 		+ MUL15(a[ 4], b[13])
524 		+ MUL15(a[ 5], b[12])
525 		+ MUL15(a[ 6], b[11])
526 		+ MUL15(a[ 7], b[10])
527 		+ MUL15(a[ 8], b[ 9])
528 		+ MUL15(a[ 9], b[ 8])
529 		+ MUL15(a[10], b[ 7])
530 		+ MUL15(a[11], b[ 6])
531 		+ MUL15(a[12], b[ 5])
532 		+ MUL15(a[13], b[ 4])
533 		+ MUL15(a[14], b[ 3])
534 		+ MUL15(a[15], b[ 2])
535 		+ MUL15(a[16], b[ 1])
536 		+ MUL15(a[17], b[ 0]);
537 	t[18] = MUL15(a[ 0], b[18])
538 		+ MUL15(a[ 1], b[17])
539 		+ MUL15(a[ 2], b[16])
540 		+ MUL15(a[ 3], b[15])
541 		+ MUL15(a[ 4], b[14])
542 		+ MUL15(a[ 5], b[13])
543 		+ MUL15(a[ 6], b[12])
544 		+ MUL15(a[ 7], b[11])
545 		+ MUL15(a[ 8], b[10])
546 		+ MUL15(a[ 9], b[ 9])
547 		+ MUL15(a[10], b[ 8])
548 		+ MUL15(a[11], b[ 7])
549 		+ MUL15(a[12], b[ 6])
550 		+ MUL15(a[13], b[ 5])
551 		+ MUL15(a[14], b[ 4])
552 		+ MUL15(a[15], b[ 3])
553 		+ MUL15(a[16], b[ 2])
554 		+ MUL15(a[17], b[ 1])
555 		+ MUL15(a[18], b[ 0]);
556 	t[19] = MUL15(a[ 0], b[19])
557 		+ MUL15(a[ 1], b[18])
558 		+ MUL15(a[ 2], b[17])
559 		+ MUL15(a[ 3], b[16])
560 		+ MUL15(a[ 4], b[15])
561 		+ MUL15(a[ 5], b[14])
562 		+ MUL15(a[ 6], b[13])
563 		+ MUL15(a[ 7], b[12])
564 		+ MUL15(a[ 8], b[11])
565 		+ MUL15(a[ 9], b[10])
566 		+ MUL15(a[10], b[ 9])
567 		+ MUL15(a[11], b[ 8])
568 		+ MUL15(a[12], b[ 7])
569 		+ MUL15(a[13], b[ 6])
570 		+ MUL15(a[14], b[ 5])
571 		+ MUL15(a[15], b[ 4])
572 		+ MUL15(a[16], b[ 3])
573 		+ MUL15(a[17], b[ 2])
574 		+ MUL15(a[18], b[ 1])
575 		+ MUL15(a[19], b[ 0]);
576 	t[20] = MUL15(a[ 1], b[19])
577 		+ MUL15(a[ 2], b[18])
578 		+ MUL15(a[ 3], b[17])
579 		+ MUL15(a[ 4], b[16])
580 		+ MUL15(a[ 5], b[15])
581 		+ MUL15(a[ 6], b[14])
582 		+ MUL15(a[ 7], b[13])
583 		+ MUL15(a[ 8], b[12])
584 		+ MUL15(a[ 9], b[11])
585 		+ MUL15(a[10], b[10])
586 		+ MUL15(a[11], b[ 9])
587 		+ MUL15(a[12], b[ 8])
588 		+ MUL15(a[13], b[ 7])
589 		+ MUL15(a[14], b[ 6])
590 		+ MUL15(a[15], b[ 5])
591 		+ MUL15(a[16], b[ 4])
592 		+ MUL15(a[17], b[ 3])
593 		+ MUL15(a[18], b[ 2])
594 		+ MUL15(a[19], b[ 1]);
595 	t[21] = MUL15(a[ 2], b[19])
596 		+ MUL15(a[ 3], b[18])
597 		+ MUL15(a[ 4], b[17])
598 		+ MUL15(a[ 5], b[16])
599 		+ MUL15(a[ 6], b[15])
600 		+ MUL15(a[ 7], b[14])
601 		+ MUL15(a[ 8], b[13])
602 		+ MUL15(a[ 9], b[12])
603 		+ MUL15(a[10], b[11])
604 		+ MUL15(a[11], b[10])
605 		+ MUL15(a[12], b[ 9])
606 		+ MUL15(a[13], b[ 8])
607 		+ MUL15(a[14], b[ 7])
608 		+ MUL15(a[15], b[ 6])
609 		+ MUL15(a[16], b[ 5])
610 		+ MUL15(a[17], b[ 4])
611 		+ MUL15(a[18], b[ 3])
612 		+ MUL15(a[19], b[ 2]);
613 	t[22] = MUL15(a[ 3], b[19])
614 		+ MUL15(a[ 4], b[18])
615 		+ MUL15(a[ 5], b[17])
616 		+ MUL15(a[ 6], b[16])
617 		+ MUL15(a[ 7], b[15])
618 		+ MUL15(a[ 8], b[14])
619 		+ MUL15(a[ 9], b[13])
620 		+ MUL15(a[10], b[12])
621 		+ MUL15(a[11], b[11])
622 		+ MUL15(a[12], b[10])
623 		+ MUL15(a[13], b[ 9])
624 		+ MUL15(a[14], b[ 8])
625 		+ MUL15(a[15], b[ 7])
626 		+ MUL15(a[16], b[ 6])
627 		+ MUL15(a[17], b[ 5])
628 		+ MUL15(a[18], b[ 4])
629 		+ MUL15(a[19], b[ 3]);
630 	t[23] = MUL15(a[ 4], b[19])
631 		+ MUL15(a[ 5], b[18])
632 		+ MUL15(a[ 6], b[17])
633 		+ MUL15(a[ 7], b[16])
634 		+ MUL15(a[ 8], b[15])
635 		+ MUL15(a[ 9], b[14])
636 		+ MUL15(a[10], b[13])
637 		+ MUL15(a[11], b[12])
638 		+ MUL15(a[12], b[11])
639 		+ MUL15(a[13], b[10])
640 		+ MUL15(a[14], b[ 9])
641 		+ MUL15(a[15], b[ 8])
642 		+ MUL15(a[16], b[ 7])
643 		+ MUL15(a[17], b[ 6])
644 		+ MUL15(a[18], b[ 5])
645 		+ MUL15(a[19], b[ 4]);
646 	t[24] = MUL15(a[ 5], b[19])
647 		+ MUL15(a[ 6], b[18])
648 		+ MUL15(a[ 7], b[17])
649 		+ MUL15(a[ 8], b[16])
650 		+ MUL15(a[ 9], b[15])
651 		+ MUL15(a[10], b[14])
652 		+ MUL15(a[11], b[13])
653 		+ MUL15(a[12], b[12])
654 		+ MUL15(a[13], b[11])
655 		+ MUL15(a[14], b[10])
656 		+ MUL15(a[15], b[ 9])
657 		+ MUL15(a[16], b[ 8])
658 		+ MUL15(a[17], b[ 7])
659 		+ MUL15(a[18], b[ 6])
660 		+ MUL15(a[19], b[ 5]);
661 	t[25] = MUL15(a[ 6], b[19])
662 		+ MUL15(a[ 7], b[18])
663 		+ MUL15(a[ 8], b[17])
664 		+ MUL15(a[ 9], b[16])
665 		+ MUL15(a[10], b[15])
666 		+ MUL15(a[11], b[14])
667 		+ MUL15(a[12], b[13])
668 		+ MUL15(a[13], b[12])
669 		+ MUL15(a[14], b[11])
670 		+ MUL15(a[15], b[10])
671 		+ MUL15(a[16], b[ 9])
672 		+ MUL15(a[17], b[ 8])
673 		+ MUL15(a[18], b[ 7])
674 		+ MUL15(a[19], b[ 6]);
675 	t[26] = MUL15(a[ 7], b[19])
676 		+ MUL15(a[ 8], b[18])
677 		+ MUL15(a[ 9], b[17])
678 		+ MUL15(a[10], b[16])
679 		+ MUL15(a[11], b[15])
680 		+ MUL15(a[12], b[14])
681 		+ MUL15(a[13], b[13])
682 		+ MUL15(a[14], b[12])
683 		+ MUL15(a[15], b[11])
684 		+ MUL15(a[16], b[10])
685 		+ MUL15(a[17], b[ 9])
686 		+ MUL15(a[18], b[ 8])
687 		+ MUL15(a[19], b[ 7]);
688 	t[27] = MUL15(a[ 8], b[19])
689 		+ MUL15(a[ 9], b[18])
690 		+ MUL15(a[10], b[17])
691 		+ MUL15(a[11], b[16])
692 		+ MUL15(a[12], b[15])
693 		+ MUL15(a[13], b[14])
694 		+ MUL15(a[14], b[13])
695 		+ MUL15(a[15], b[12])
696 		+ MUL15(a[16], b[11])
697 		+ MUL15(a[17], b[10])
698 		+ MUL15(a[18], b[ 9])
699 		+ MUL15(a[19], b[ 8]);
700 	t[28] = MUL15(a[ 9], b[19])
701 		+ MUL15(a[10], b[18])
702 		+ MUL15(a[11], b[17])
703 		+ MUL15(a[12], b[16])
704 		+ MUL15(a[13], b[15])
705 		+ MUL15(a[14], b[14])
706 		+ MUL15(a[15], b[13])
707 		+ MUL15(a[16], b[12])
708 		+ MUL15(a[17], b[11])
709 		+ MUL15(a[18], b[10])
710 		+ MUL15(a[19], b[ 9]);
711 	t[29] = MUL15(a[10], b[19])
712 		+ MUL15(a[11], b[18])
713 		+ MUL15(a[12], b[17])
714 		+ MUL15(a[13], b[16])
715 		+ MUL15(a[14], b[15])
716 		+ MUL15(a[15], b[14])
717 		+ MUL15(a[16], b[13])
718 		+ MUL15(a[17], b[12])
719 		+ MUL15(a[18], b[11])
720 		+ MUL15(a[19], b[10]);
721 	t[30] = MUL15(a[11], b[19])
722 		+ MUL15(a[12], b[18])
723 		+ MUL15(a[13], b[17])
724 		+ MUL15(a[14], b[16])
725 		+ MUL15(a[15], b[15])
726 		+ MUL15(a[16], b[14])
727 		+ MUL15(a[17], b[13])
728 		+ MUL15(a[18], b[12])
729 		+ MUL15(a[19], b[11]);
730 	t[31] = MUL15(a[12], b[19])
731 		+ MUL15(a[13], b[18])
732 		+ MUL15(a[14], b[17])
733 		+ MUL15(a[15], b[16])
734 		+ MUL15(a[16], b[15])
735 		+ MUL15(a[17], b[14])
736 		+ MUL15(a[18], b[13])
737 		+ MUL15(a[19], b[12]);
738 	t[32] = MUL15(a[13], b[19])
739 		+ MUL15(a[14], b[18])
740 		+ MUL15(a[15], b[17])
741 		+ MUL15(a[16], b[16])
742 		+ MUL15(a[17], b[15])
743 		+ MUL15(a[18], b[14])
744 		+ MUL15(a[19], b[13]);
745 	t[33] = MUL15(a[14], b[19])
746 		+ MUL15(a[15], b[18])
747 		+ MUL15(a[16], b[17])
748 		+ MUL15(a[17], b[16])
749 		+ MUL15(a[18], b[15])
750 		+ MUL15(a[19], b[14]);
751 	t[34] = MUL15(a[15], b[19])
752 		+ MUL15(a[16], b[18])
753 		+ MUL15(a[17], b[17])
754 		+ MUL15(a[18], b[16])
755 		+ MUL15(a[19], b[15]);
756 	t[35] = MUL15(a[16], b[19])
757 		+ MUL15(a[17], b[18])
758 		+ MUL15(a[18], b[17])
759 		+ MUL15(a[19], b[16]);
760 	t[36] = MUL15(a[17], b[19])
761 		+ MUL15(a[18], b[18])
762 		+ MUL15(a[19], b[17]);
763 	t[37] = MUL15(a[18], b[19])
764 		+ MUL15(a[19], b[18]);
765 	t[38] = MUL15(a[19], b[19]);
766 	d[39] = norm13(d, t, 39);
767 }
768 
769 static void
770 square20(uint32_t *d, const uint32_t *a)
771 {
772 	uint32_t t[39];
773 
774 	t[ 0] = MUL15(a[ 0], a[ 0]);
775 	t[ 1] = ((MUL15(a[ 0], a[ 1])) << 1);
776 	t[ 2] = MUL15(a[ 1], a[ 1])
777 		+ ((MUL15(a[ 0], a[ 2])) << 1);
778 	t[ 3] = ((MUL15(a[ 0], a[ 3])
779 		+ MUL15(a[ 1], a[ 2])) << 1);
780 	t[ 4] = MUL15(a[ 2], a[ 2])
781 		+ ((MUL15(a[ 0], a[ 4])
782 		+ MUL15(a[ 1], a[ 3])) << 1);
783 	t[ 5] = ((MUL15(a[ 0], a[ 5])
784 		+ MUL15(a[ 1], a[ 4])
785 		+ MUL15(a[ 2], a[ 3])) << 1);
786 	t[ 6] = MUL15(a[ 3], a[ 3])
787 		+ ((MUL15(a[ 0], a[ 6])
788 		+ MUL15(a[ 1], a[ 5])
789 		+ MUL15(a[ 2], a[ 4])) << 1);
790 	t[ 7] = ((MUL15(a[ 0], a[ 7])
791 		+ MUL15(a[ 1], a[ 6])
792 		+ MUL15(a[ 2], a[ 5])
793 		+ MUL15(a[ 3], a[ 4])) << 1);
794 	t[ 8] = MUL15(a[ 4], a[ 4])
795 		+ ((MUL15(a[ 0], a[ 8])
796 		+ MUL15(a[ 1], a[ 7])
797 		+ MUL15(a[ 2], a[ 6])
798 		+ MUL15(a[ 3], a[ 5])) << 1);
799 	t[ 9] = ((MUL15(a[ 0], a[ 9])
800 		+ MUL15(a[ 1], a[ 8])
801 		+ MUL15(a[ 2], a[ 7])
802 		+ MUL15(a[ 3], a[ 6])
803 		+ MUL15(a[ 4], a[ 5])) << 1);
804 	t[10] = MUL15(a[ 5], a[ 5])
805 		+ ((MUL15(a[ 0], a[10])
806 		+ MUL15(a[ 1], a[ 9])
807 		+ MUL15(a[ 2], a[ 8])
808 		+ MUL15(a[ 3], a[ 7])
809 		+ MUL15(a[ 4], a[ 6])) << 1);
810 	t[11] = ((MUL15(a[ 0], a[11])
811 		+ MUL15(a[ 1], a[10])
812 		+ MUL15(a[ 2], a[ 9])
813 		+ MUL15(a[ 3], a[ 8])
814 		+ MUL15(a[ 4], a[ 7])
815 		+ MUL15(a[ 5], a[ 6])) << 1);
816 	t[12] = MUL15(a[ 6], a[ 6])
817 		+ ((MUL15(a[ 0], a[12])
818 		+ MUL15(a[ 1], a[11])
819 		+ MUL15(a[ 2], a[10])
820 		+ MUL15(a[ 3], a[ 9])
821 		+ MUL15(a[ 4], a[ 8])
822 		+ MUL15(a[ 5], a[ 7])) << 1);
823 	t[13] = ((MUL15(a[ 0], a[13])
824 		+ MUL15(a[ 1], a[12])
825 		+ MUL15(a[ 2], a[11])
826 		+ MUL15(a[ 3], a[10])
827 		+ MUL15(a[ 4], a[ 9])
828 		+ MUL15(a[ 5], a[ 8])
829 		+ MUL15(a[ 6], a[ 7])) << 1);
830 	t[14] = MUL15(a[ 7], a[ 7])
831 		+ ((MUL15(a[ 0], a[14])
832 		+ MUL15(a[ 1], a[13])
833 		+ MUL15(a[ 2], a[12])
834 		+ MUL15(a[ 3], a[11])
835 		+ MUL15(a[ 4], a[10])
836 		+ MUL15(a[ 5], a[ 9])
837 		+ MUL15(a[ 6], a[ 8])) << 1);
838 	t[15] = ((MUL15(a[ 0], a[15])
839 		+ MUL15(a[ 1], a[14])
840 		+ MUL15(a[ 2], a[13])
841 		+ MUL15(a[ 3], a[12])
842 		+ MUL15(a[ 4], a[11])
843 		+ MUL15(a[ 5], a[10])
844 		+ MUL15(a[ 6], a[ 9])
845 		+ MUL15(a[ 7], a[ 8])) << 1);
846 	t[16] = MUL15(a[ 8], a[ 8])
847 		+ ((MUL15(a[ 0], a[16])
848 		+ MUL15(a[ 1], a[15])
849 		+ MUL15(a[ 2], a[14])
850 		+ MUL15(a[ 3], a[13])
851 		+ MUL15(a[ 4], a[12])
852 		+ MUL15(a[ 5], a[11])
853 		+ MUL15(a[ 6], a[10])
854 		+ MUL15(a[ 7], a[ 9])) << 1);
855 	t[17] = ((MUL15(a[ 0], a[17])
856 		+ MUL15(a[ 1], a[16])
857 		+ MUL15(a[ 2], a[15])
858 		+ MUL15(a[ 3], a[14])
859 		+ MUL15(a[ 4], a[13])
860 		+ MUL15(a[ 5], a[12])
861 		+ MUL15(a[ 6], a[11])
862 		+ MUL15(a[ 7], a[10])
863 		+ MUL15(a[ 8], a[ 9])) << 1);
864 	t[18] = MUL15(a[ 9], a[ 9])
865 		+ ((MUL15(a[ 0], a[18])
866 		+ MUL15(a[ 1], a[17])
867 		+ MUL15(a[ 2], a[16])
868 		+ MUL15(a[ 3], a[15])
869 		+ MUL15(a[ 4], a[14])
870 		+ MUL15(a[ 5], a[13])
871 		+ MUL15(a[ 6], a[12])
872 		+ MUL15(a[ 7], a[11])
873 		+ MUL15(a[ 8], a[10])) << 1);
874 	t[19] = ((MUL15(a[ 0], a[19])
875 		+ MUL15(a[ 1], a[18])
876 		+ MUL15(a[ 2], a[17])
877 		+ MUL15(a[ 3], a[16])
878 		+ MUL15(a[ 4], a[15])
879 		+ MUL15(a[ 5], a[14])
880 		+ MUL15(a[ 6], a[13])
881 		+ MUL15(a[ 7], a[12])
882 		+ MUL15(a[ 8], a[11])
883 		+ MUL15(a[ 9], a[10])) << 1);
884 	t[20] = MUL15(a[10], a[10])
885 		+ ((MUL15(a[ 1], a[19])
886 		+ MUL15(a[ 2], a[18])
887 		+ MUL15(a[ 3], a[17])
888 		+ MUL15(a[ 4], a[16])
889 		+ MUL15(a[ 5], a[15])
890 		+ MUL15(a[ 6], a[14])
891 		+ MUL15(a[ 7], a[13])
892 		+ MUL15(a[ 8], a[12])
893 		+ MUL15(a[ 9], a[11])) << 1);
894 	t[21] = ((MUL15(a[ 2], a[19])
895 		+ MUL15(a[ 3], a[18])
896 		+ MUL15(a[ 4], a[17])
897 		+ MUL15(a[ 5], a[16])
898 		+ MUL15(a[ 6], a[15])
899 		+ MUL15(a[ 7], a[14])
900 		+ MUL15(a[ 8], a[13])
901 		+ MUL15(a[ 9], a[12])
902 		+ MUL15(a[10], a[11])) << 1);
903 	t[22] = MUL15(a[11], a[11])
904 		+ ((MUL15(a[ 3], a[19])
905 		+ MUL15(a[ 4], a[18])
906 		+ MUL15(a[ 5], a[17])
907 		+ MUL15(a[ 6], a[16])
908 		+ MUL15(a[ 7], a[15])
909 		+ MUL15(a[ 8], a[14])
910 		+ MUL15(a[ 9], a[13])
911 		+ MUL15(a[10], a[12])) << 1);
912 	t[23] = ((MUL15(a[ 4], a[19])
913 		+ MUL15(a[ 5], a[18])
914 		+ MUL15(a[ 6], a[17])
915 		+ MUL15(a[ 7], a[16])
916 		+ MUL15(a[ 8], a[15])
917 		+ MUL15(a[ 9], a[14])
918 		+ MUL15(a[10], a[13])
919 		+ MUL15(a[11], a[12])) << 1);
920 	t[24] = MUL15(a[12], a[12])
921 		+ ((MUL15(a[ 5], a[19])
922 		+ MUL15(a[ 6], a[18])
923 		+ MUL15(a[ 7], a[17])
924 		+ MUL15(a[ 8], a[16])
925 		+ MUL15(a[ 9], a[15])
926 		+ MUL15(a[10], a[14])
927 		+ MUL15(a[11], a[13])) << 1);
928 	t[25] = ((MUL15(a[ 6], a[19])
929 		+ MUL15(a[ 7], a[18])
930 		+ MUL15(a[ 8], a[17])
931 		+ MUL15(a[ 9], a[16])
932 		+ MUL15(a[10], a[15])
933 		+ MUL15(a[11], a[14])
934 		+ MUL15(a[12], a[13])) << 1);
935 	t[26] = MUL15(a[13], a[13])
936 		+ ((MUL15(a[ 7], a[19])
937 		+ MUL15(a[ 8], a[18])
938 		+ MUL15(a[ 9], a[17])
939 		+ MUL15(a[10], a[16])
940 		+ MUL15(a[11], a[15])
941 		+ MUL15(a[12], a[14])) << 1);
942 	t[27] = ((MUL15(a[ 8], a[19])
943 		+ MUL15(a[ 9], a[18])
944 		+ MUL15(a[10], a[17])
945 		+ MUL15(a[11], a[16])
946 		+ MUL15(a[12], a[15])
947 		+ MUL15(a[13], a[14])) << 1);
948 	t[28] = MUL15(a[14], a[14])
949 		+ ((MUL15(a[ 9], a[19])
950 		+ MUL15(a[10], a[18])
951 		+ MUL15(a[11], a[17])
952 		+ MUL15(a[12], a[16])
953 		+ MUL15(a[13], a[15])) << 1);
954 	t[29] = ((MUL15(a[10], a[19])
955 		+ MUL15(a[11], a[18])
956 		+ MUL15(a[12], a[17])
957 		+ MUL15(a[13], a[16])
958 		+ MUL15(a[14], a[15])) << 1);
959 	t[30] = MUL15(a[15], a[15])
960 		+ ((MUL15(a[11], a[19])
961 		+ MUL15(a[12], a[18])
962 		+ MUL15(a[13], a[17])
963 		+ MUL15(a[14], a[16])) << 1);
964 	t[31] = ((MUL15(a[12], a[19])
965 		+ MUL15(a[13], a[18])
966 		+ MUL15(a[14], a[17])
967 		+ MUL15(a[15], a[16])) << 1);
968 	t[32] = MUL15(a[16], a[16])
969 		+ ((MUL15(a[13], a[19])
970 		+ MUL15(a[14], a[18])
971 		+ MUL15(a[15], a[17])) << 1);
972 	t[33] = ((MUL15(a[14], a[19])
973 		+ MUL15(a[15], a[18])
974 		+ MUL15(a[16], a[17])) << 1);
975 	t[34] = MUL15(a[17], a[17])
976 		+ ((MUL15(a[15], a[19])
977 		+ MUL15(a[16], a[18])) << 1);
978 	t[35] = ((MUL15(a[16], a[19])
979 		+ MUL15(a[17], a[18])) << 1);
980 	t[36] = MUL15(a[18], a[18])
981 		+ ((MUL15(a[17], a[19])) << 1);
982 	t[37] = ((MUL15(a[18], a[19])) << 1);
983 	t[38] = MUL15(a[19], a[19]);
984 	d[39] = norm13(d, t, 39);
985 }
986 
987 #endif
988 
989 /*
990  * Modulus for field F256 (field for point coordinates in curve P-256).
991  */
992 static const uint32_t F256[] = {
993 	0x1FFF, 0x1FFF, 0x1FFF, 0x1FFF, 0x1FFF, 0x1FFF, 0x1FFF, 0x001F,
994 	0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0400, 0x0000,
995 	0x0000, 0x1FF8, 0x1FFF, 0x01FF
996 };
997 
998 /*
999  * The 'b' curve equation coefficient for P-256.
1000  */
1001 static const uint32_t P256_B[] = {
1002 	0x004B, 0x1E93, 0x0F89, 0x1C78, 0x03BC, 0x187B, 0x114E, 0x1619,
1003 	0x1D06, 0x0328, 0x01AF, 0x0D31, 0x1557, 0x15DE, 0x1ECF, 0x127C,
1004 	0x0A3A, 0x0EC5, 0x118D, 0x00B5
1005 };
1006 
1007 /*
1008  * Perform a "short reduction" in field F256 (field for curve P-256).
1009  * The source value should be less than 262 bits; on output, it will
1010  * be at most 257 bits, and less than twice the modulus.
1011  */
1012 static void
1013 reduce_f256(uint32_t *d)
1014 {
1015 	uint32_t x;
1016 
1017 	x = d[19] >> 9;
1018 	d[19] &= 0x01FF;
1019 	d[17] += x << 3;
1020 	d[14] -= x << 10;
1021 	d[7] -= x << 5;
1022 	d[0] += x;
1023 	norm13(d, d, 20);
1024 }
1025 
1026 /*
1027  * Perform a "final reduction" in field F256 (field for curve P-256).
1028  * The source value must be less than twice the modulus. If the value
1029  * is not lower than the modulus, then the modulus is subtracted and
1030  * this function returns 1; otherwise, it leaves it untouched and it
1031  * returns 0.
1032  */
1033 static uint32_t
1034 reduce_final_f256(uint32_t *d)
1035 {
1036 	uint32_t t[20];
1037 	uint32_t cc;
1038 	int i;
1039 
1040 	memcpy(t, d, sizeof t);
1041 	cc = 0;
1042 	for (i = 0; i < 20; i ++) {
1043 		uint32_t w;
1044 
1045 		w = t[i] - F256[i] - cc;
1046 		cc = w >> 31;
1047 		t[i] = w & 0x1FFF;
1048 	}
1049 	cc ^= 1;
1050 	CCOPY(cc, d, t, sizeof t);
1051 	return cc;
1052 }
1053 
1054 /*
1055  * Perform a multiplication of two integers modulo
1056  * 2^256-2^224+2^192+2^96-1 (for NIST curve P-256). Operands are arrays
1057  * of 20 words, each containing 13 bits of data, in little-endian order.
1058  * On input, upper word may be up to 13 bits (hence value up to 2^260-1);
1059  * on output, value fits on 257 bits and is lower than twice the modulus.
1060  */
1061 static void
1062 mul_f256(uint32_t *d, const uint32_t *a, const uint32_t *b)
1063 {
1064 	uint32_t t[40], cc;
1065 	int i;
1066 
1067 	/*
1068 	 * Compute raw multiplication. All result words fit in 13 bits
1069 	 * each.
1070 	 */
1071 	mul20(t, a, b);
1072 
1073 	/*
1074 	 * Modular reduction: each high word in added/subtracted where
1075 	 * necessary.
1076 	 *
1077 	 * The modulus is:
1078 	 *    p = 2^256 - 2^224 + 2^192 + 2^96 - 1
1079 	 * Therefore:
1080 	 *    2^256 = 2^224 - 2^192 - 2^96 + 1 mod p
1081 	 *
1082 	 * For a word x at bit offset n (n >= 256), we have:
1083 	 *    x*2^n = x*2^(n-32) - x*2^(n-64)
1084 	 *            - x*2^(n - 160) + x*2^(n-256) mod p
1085 	 *
1086 	 * Thus, we can nullify the high word if we reinject it at some
1087 	 * proper emplacements.
1088 	 */
1089 	for (i = 39; i >= 20; i --) {
1090 		uint32_t x;
1091 
1092 		x = t[i];
1093 		t[i - 2] += ARSH(x, 6);
1094 		t[i - 3] += (x << 7) & 0x1FFF;
1095 		t[i - 4] -= ARSH(x, 12);
1096 		t[i - 5] -= (x << 1) & 0x1FFF;
1097 		t[i - 12] -= ARSH(x, 4);
1098 		t[i - 13] -= (x << 9) & 0x1FFF;
1099 		t[i - 19] += ARSH(x, 9);
1100 		t[i - 20] += (x << 4) & 0x1FFF;
1101 	}
1102 
1103 	/*
1104 	 * Propagate carries. This is a signed propagation, and the
1105 	 * result may be negative. The loop above may enlarge values,
1106 	 * but not two much: worst case is the chain involving t[i - 3],
1107 	 * in which a value may be added to itself up to 7 times. Since
1108 	 * starting values are 13-bit each, all words fit on 20 bits
1109 	 * (21 to account for the sign bit).
1110 	 */
1111 	cc = norm13(t, t, 20);
1112 
1113 	/*
1114 	 * Perform modular reduction again for the bits beyond 256 (the carry
1115 	 * and the bits 256..259). Since the largest shift below is by 10
1116 	 * bits, and the values fit on 21 bits, values fit in 32-bit words,
1117 	 * thereby allowing injecting full word values.
1118 	 */
1119 	cc = (cc << 4) | (t[19] >> 9);
1120 	t[19] &= 0x01FF;
1121 	t[17] += cc << 3;
1122 	t[14] -= cc << 10;
1123 	t[7] -= cc << 5;
1124 	t[0] += cc;
1125 
1126 	/*
1127 	 * If the carry is negative, then after carry propagation, we may
1128 	 * end up with a value which is negative, and we don't want that.
1129 	 * Thus, in that case, we add the modulus. Note that the subtraction
1130 	 * result, when the carry is negative, is always smaller than the
1131 	 * modulus, so the extra addition will not make the value exceed
1132 	 * twice the modulus.
1133 	 */
1134 	cc >>= 31;
1135 	t[0] -= cc;
1136 	t[7] += cc << 5;
1137 	t[14] += cc << 10;
1138 	t[17] -= cc << 3;
1139 	t[19] += cc << 9;
1140 
1141 	norm13(d, t, 20);
1142 }
1143 
1144 /*
1145  * Square an integer modulo 2^256-2^224+2^192+2^96-1 (for NIST curve
1146  * P-256). Operand is an array of 20 words, each containing 13 bits of
1147  * data, in little-endian order. On input, upper word may be up to 13
1148  * bits (hence value up to 2^260-1); on output, value fits on 257 bits
1149  * and is lower than twice the modulus.
1150  */
1151 static void
1152 square_f256(uint32_t *d, const uint32_t *a)
1153 {
1154 	uint32_t t[40], cc;
1155 	int i;
1156 
1157 	/*
1158 	 * Compute raw square. All result words fit in 13 bits each.
1159 	 */
1160 	square20(t, a);
1161 
1162 	/*
1163 	 * Modular reduction: each high word in added/subtracted where
1164 	 * necessary.
1165 	 *
1166 	 * The modulus is:
1167 	 *    p = 2^256 - 2^224 + 2^192 + 2^96 - 1
1168 	 * Therefore:
1169 	 *    2^256 = 2^224 - 2^192 - 2^96 + 1 mod p
1170 	 *
1171 	 * For a word x at bit offset n (n >= 256), we have:
1172 	 *    x*2^n = x*2^(n-32) - x*2^(n-64)
1173 	 *            - x*2^(n - 160) + x*2^(n-256) mod p
1174 	 *
1175 	 * Thus, we can nullify the high word if we reinject it at some
1176 	 * proper emplacements.
1177 	 */
1178 	for (i = 39; i >= 20; i --) {
1179 		uint32_t x;
1180 
1181 		x = t[i];
1182 		t[i - 2] += ARSH(x, 6);
1183 		t[i - 3] += (x << 7) & 0x1FFF;
1184 		t[i - 4] -= ARSH(x, 12);
1185 		t[i - 5] -= (x << 1) & 0x1FFF;
1186 		t[i - 12] -= ARSH(x, 4);
1187 		t[i - 13] -= (x << 9) & 0x1FFF;
1188 		t[i - 19] += ARSH(x, 9);
1189 		t[i - 20] += (x << 4) & 0x1FFF;
1190 	}
1191 
1192 	/*
1193 	 * Propagate carries. This is a signed propagation, and the
1194 	 * result may be negative. The loop above may enlarge values,
1195 	 * but not two much: worst case is the chain involving t[i - 3],
1196 	 * in which a value may be added to itself up to 7 times. Since
1197 	 * starting values are 13-bit each, all words fit on 20 bits
1198 	 * (21 to account for the sign bit).
1199 	 */
1200 	cc = norm13(t, t, 20);
1201 
1202 	/*
1203 	 * Perform modular reduction again for the bits beyond 256 (the carry
1204 	 * and the bits 256..259). Since the largest shift below is by 10
1205 	 * bits, and the values fit on 21 bits, values fit in 32-bit words,
1206 	 * thereby allowing injecting full word values.
1207 	 */
1208 	cc = (cc << 4) | (t[19] >> 9);
1209 	t[19] &= 0x01FF;
1210 	t[17] += cc << 3;
1211 	t[14] -= cc << 10;
1212 	t[7] -= cc << 5;
1213 	t[0] += cc;
1214 
1215 	/*
1216 	 * If the carry is negative, then after carry propagation, we may
1217 	 * end up with a value which is negative, and we don't want that.
1218 	 * Thus, in that case, we add the modulus. Note that the subtraction
1219 	 * result, when the carry is negative, is always smaller than the
1220 	 * modulus, so the extra addition will not make the value exceed
1221 	 * twice the modulus.
1222 	 */
1223 	cc >>= 31;
1224 	t[0] -= cc;
1225 	t[7] += cc << 5;
1226 	t[14] += cc << 10;
1227 	t[17] -= cc << 3;
1228 	t[19] += cc << 9;
1229 
1230 	norm13(d, t, 20);
1231 }
1232 
1233 /*
1234  * Jacobian coordinates for a point in P-256: affine coordinates (X,Y)
1235  * are such that:
1236  *   X = x / z^2
1237  *   Y = y / z^3
1238  * For the point at infinity, z = 0.
1239  * Each point thus admits many possible representations.
1240  *
1241  * Coordinates are represented in arrays of 32-bit integers, each holding
1242  * 13 bits of data. Values may also be slightly greater than the modulus,
1243  * but they will always be lower than twice the modulus.
1244  */
1245 typedef struct {
1246 	uint32_t x[20];
1247 	uint32_t y[20];
1248 	uint32_t z[20];
1249 } p256_jacobian;
1250 
1251 /*
1252  * Convert a point to affine coordinates:
1253  *  - If the point is the point at infinity, then all three coordinates
1254  *    are set to 0.
1255  *  - Otherwise, the 'z' coordinate is set to 1, and the 'x' and 'y'
1256  *    coordinates are the 'X' and 'Y' affine coordinates.
1257  * The coordinates are guaranteed to be lower than the modulus.
1258  */
1259 static void
1260 p256_to_affine(p256_jacobian *P)
1261 {
1262 	uint32_t t1[20], t2[20];
1263 	int i;
1264 
1265 	/*
1266 	 * Invert z with a modular exponentiation: the modulus is
1267 	 * p = 2^256 - 2^224 + 2^192 + 2^96 - 1, and the exponent is
1268 	 * p-2. Exponent bit pattern (from high to low) is:
1269 	 *  - 32 bits of value 1
1270 	 *  - 31 bits of value 0
1271 	 *  - 1 bit of value 1
1272 	 *  - 96 bits of value 0
1273 	 *  - 94 bits of value 1
1274 	 *  - 1 bit of value 0
1275 	 *  - 1 bit of value 1
1276 	 * Thus, we precompute z^(2^31-1) to speed things up.
1277 	 *
1278 	 * If z = 0 (point at infinity) then the modular exponentiation
1279 	 * will yield 0, which leads to the expected result (all three
1280 	 * coordinates set to 0).
1281 	 */
1282 
1283 	/*
1284 	 * A simple square-and-multiply for z^(2^31-1). We could save about
1285 	 * two dozen multiplications here with an addition chain, but
1286 	 * this would require a bit more code, and extra stack buffers.
1287 	 */
1288 	memcpy(t1, P->z, sizeof P->z);
1289 	for (i = 0; i < 30; i ++) {
1290 		square_f256(t1, t1);
1291 		mul_f256(t1, t1, P->z);
1292 	}
1293 
1294 	/*
1295 	 * Square-and-multiply. Apart from the squarings, we have a few
1296 	 * multiplications to set bits to 1; we multiply by the original z
1297 	 * for setting 1 bit, and by t1 for setting 31 bits.
1298 	 */
1299 	memcpy(t2, P->z, sizeof P->z);
1300 	for (i = 1; i < 256; i ++) {
1301 		square_f256(t2, t2);
1302 		switch (i) {
1303 		case 31:
1304 		case 190:
1305 		case 221:
1306 		case 252:
1307 			mul_f256(t2, t2, t1);
1308 			break;
1309 		case 63:
1310 		case 253:
1311 		case 255:
1312 			mul_f256(t2, t2, P->z);
1313 			break;
1314 		}
1315 	}
1316 
1317 	/*
1318 	 * Now that we have 1/z, multiply x by 1/z^2 and y by 1/z^3.
1319 	 */
1320 	mul_f256(t1, t2, t2);
1321 	mul_f256(P->x, t1, P->x);
1322 	mul_f256(t1, t1, t2);
1323 	mul_f256(P->y, t1, P->y);
1324 	reduce_final_f256(P->x);
1325 	reduce_final_f256(P->y);
1326 
1327 	/*
1328 	 * Multiply z by 1/z. If z = 0, then this will yield 0, otherwise
1329 	 * this will set z to 1.
1330 	 */
1331 	mul_f256(P->z, P->z, t2);
1332 	reduce_final_f256(P->z);
1333 }
1334 
1335 /*
1336  * Double a point in P-256. This function works for all valid points,
1337  * including the point at infinity.
1338  */
1339 static void
1340 p256_double(p256_jacobian *Q)
1341 {
1342 	/*
1343 	 * Doubling formulas are:
1344 	 *
1345 	 *   s = 4*x*y^2
1346 	 *   m = 3*(x + z^2)*(x - z^2)
1347 	 *   x' = m^2 - 2*s
1348 	 *   y' = m*(s - x') - 8*y^4
1349 	 *   z' = 2*y*z
1350 	 *
1351 	 * These formulas work for all points, including points of order 2
1352 	 * and points at infinity:
1353 	 *   - If y = 0 then z' = 0. But there is no such point in P-256
1354 	 *     anyway.
1355 	 *   - If z = 0 then z' = 0.
1356 	 */
1357 	uint32_t t1[20], t2[20], t3[20], t4[20];
1358 	int i;
1359 
1360 	/*
1361 	 * Compute z^2 in t1.
1362 	 */
1363 	square_f256(t1, Q->z);
1364 
1365 	/*
1366 	 * Compute x-z^2 in t2 and x+z^2 in t1.
1367 	 */
1368 	for (i = 0; i < 20; i ++) {
1369 		t2[i] = (F256[i] << 1) + Q->x[i] - t1[i];
1370 		t1[i] += Q->x[i];
1371 	}
1372 	norm13(t1, t1, 20);
1373 	norm13(t2, t2, 20);
1374 
1375 	/*
1376 	 * Compute 3*(x+z^2)*(x-z^2) in t1.
1377 	 */
1378 	mul_f256(t3, t1, t2);
1379 	for (i = 0; i < 20; i ++) {
1380 		t1[i] = MUL15(3, t3[i]);
1381 	}
1382 	norm13(t1, t1, 20);
1383 
1384 	/*
1385 	 * Compute 4*x*y^2 (in t2) and 2*y^2 (in t3).
1386 	 */
1387 	square_f256(t3, Q->y);
1388 	for (i = 0; i < 20; i ++) {
1389 		t3[i] <<= 1;
1390 	}
1391 	norm13(t3, t3, 20);
1392 	mul_f256(t2, Q->x, t3);
1393 	for (i = 0; i < 20; i ++) {
1394 		t2[i] <<= 1;
1395 	}
1396 	norm13(t2, t2, 20);
1397 	reduce_f256(t2);
1398 
1399 	/*
1400 	 * Compute x' = m^2 - 2*s.
1401 	 */
1402 	square_f256(Q->x, t1);
1403 	for (i = 0; i < 20; i ++) {
1404 		Q->x[i] += (F256[i] << 2) - (t2[i] << 1);
1405 	}
1406 	norm13(Q->x, Q->x, 20);
1407 	reduce_f256(Q->x);
1408 
1409 	/*
1410 	 * Compute z' = 2*y*z.
1411 	 */
1412 	mul_f256(t4, Q->y, Q->z);
1413 	for (i = 0; i < 20; i ++) {
1414 		Q->z[i] = t4[i] << 1;
1415 	}
1416 	norm13(Q->z, Q->z, 20);
1417 	reduce_f256(Q->z);
1418 
1419 	/*
1420 	 * Compute y' = m*(s - x') - 8*y^4. Note that we already have
1421 	 * 2*y^2 in t3.
1422 	 */
1423 	for (i = 0; i < 20; i ++) {
1424 		t2[i] += (F256[i] << 1) - Q->x[i];
1425 	}
1426 	norm13(t2, t2, 20);
1427 	mul_f256(Q->y, t1, t2);
1428 	square_f256(t4, t3);
1429 	for (i = 0; i < 20; i ++) {
1430 		Q->y[i] += (F256[i] << 2) - (t4[i] << 1);
1431 	}
1432 	norm13(Q->y, Q->y, 20);
1433 	reduce_f256(Q->y);
1434 }
1435 
1436 /*
1437  * Add point P2 to point P1.
1438  *
1439  * This function computes the wrong result in the following cases:
1440  *
1441  *   - If P1 == 0 but P2 != 0
1442  *   - If P1 != 0 but P2 == 0
1443  *   - If P1 == P2
1444  *
1445  * In all three cases, P1 is set to the point at infinity.
1446  *
1447  * Returned value is 0 if one of the following occurs:
1448  *
1449  *   - P1 and P2 have the same Y coordinate
1450  *   - P1 == 0 and P2 == 0
1451  *   - The Y coordinate of one of the points is 0 and the other point is
1452  *     the point at infinity.
1453  *
1454  * The third case cannot actually happen with valid points, since a point
1455  * with Y == 0 is a point of order 2, and there is no point of order 2 on
1456  * curve P-256.
1457  *
1458  * Therefore, assuming that P1 != 0 and P2 != 0 on input, then the caller
1459  * can apply the following:
1460  *
1461  *   - If the result is not the point at infinity, then it is correct.
1462  *   - Otherwise, if the returned value is 1, then this is a case of
1463  *     P1+P2 == 0, so the result is indeed the point at infinity.
1464  *   - Otherwise, P1 == P2, so a "double" operation should have been
1465  *     performed.
1466  */
1467 static uint32_t
1468 p256_add(p256_jacobian *P1, const p256_jacobian *P2)
1469 {
1470 	/*
1471 	 * Addtions formulas are:
1472 	 *
1473 	 *   u1 = x1 * z2^2
1474 	 *   u2 = x2 * z1^2
1475 	 *   s1 = y1 * z2^3
1476 	 *   s2 = y2 * z1^3
1477 	 *   h = u2 - u1
1478 	 *   r = s2 - s1
1479 	 *   x3 = r^2 - h^3 - 2 * u1 * h^2
1480 	 *   y3 = r * (u1 * h^2 - x3) - s1 * h^3
1481 	 *   z3 = h * z1 * z2
1482 	 */
1483 	uint32_t t1[20], t2[20], t3[20], t4[20], t5[20], t6[20], t7[20];
1484 	uint32_t ret;
1485 	int i;
1486 
1487 	/*
1488 	 * Compute u1 = x1*z2^2 (in t1) and s1 = y1*z2^3 (in t3).
1489 	 */
1490 	square_f256(t3, P2->z);
1491 	mul_f256(t1, P1->x, t3);
1492 	mul_f256(t4, P2->z, t3);
1493 	mul_f256(t3, P1->y, t4);
1494 
1495 	/*
1496 	 * Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
1497 	 */
1498 	square_f256(t4, P1->z);
1499 	mul_f256(t2, P2->x, t4);
1500 	mul_f256(t5, P1->z, t4);
1501 	mul_f256(t4, P2->y, t5);
1502 
1503 	/*
1504 	 * Compute h = h2 - u1 (in t2) and r = s2 - s1 (in t4).
1505 	 * We need to test whether r is zero, so we will do some extra
1506 	 * reduce.
1507 	 */
1508 	for (i = 0; i < 20; i ++) {
1509 		t2[i] += (F256[i] << 1) - t1[i];
1510 		t4[i] += (F256[i] << 1) - t3[i];
1511 	}
1512 	norm13(t2, t2, 20);
1513 	norm13(t4, t4, 20);
1514 	reduce_f256(t4);
1515 	reduce_final_f256(t4);
1516 	ret = 0;
1517 	for (i = 0; i < 20; i ++) {
1518 		ret |= t4[i];
1519 	}
1520 	ret = (ret | -ret) >> 31;
1521 
1522 	/*
1523 	 * Compute u1*h^2 (in t6) and h^3 (in t5);
1524 	 */
1525 	square_f256(t7, t2);
1526 	mul_f256(t6, t1, t7);
1527 	mul_f256(t5, t7, t2);
1528 
1529 	/*
1530 	 * Compute x3 = r^2 - h^3 - 2*u1*h^2.
1531 	 */
1532 	square_f256(P1->x, t4);
1533 	for (i = 0; i < 20; i ++) {
1534 		P1->x[i] += (F256[i] << 3) - t5[i] - (t6[i] << 1);
1535 	}
1536 	norm13(P1->x, P1->x, 20);
1537 	reduce_f256(P1->x);
1538 
1539 	/*
1540 	 * Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
1541 	 */
1542 	for (i = 0; i < 20; i ++) {
1543 		t6[i] += (F256[i] << 1) - P1->x[i];
1544 	}
1545 	norm13(t6, t6, 20);
1546 	mul_f256(P1->y, t4, t6);
1547 	mul_f256(t1, t5, t3);
1548 	for (i = 0; i < 20; i ++) {
1549 		P1->y[i] += (F256[i] << 1) - t1[i];
1550 	}
1551 	norm13(P1->y, P1->y, 20);
1552 	reduce_f256(P1->y);
1553 
1554 	/*
1555 	 * Compute z3 = h*z1*z2.
1556 	 */
1557 	mul_f256(t1, P1->z, P2->z);
1558 	mul_f256(P1->z, t1, t2);
1559 
1560 	return ret;
1561 }
1562 
1563 /*
1564  * Add point P2 to point P1. This is a specialised function for the
1565  * case when P2 is a non-zero point in affine coordinate.
1566  *
1567  * This function computes the wrong result in the following cases:
1568  *
1569  *   - If P1 == 0
1570  *   - If P1 == P2
1571  *
1572  * In both cases, P1 is set to the point at infinity.
1573  *
1574  * Returned value is 0 if one of the following occurs:
1575  *
1576  *   - P1 and P2 have the same Y coordinate
1577  *   - The Y coordinate of P2 is 0 and P1 is the point at infinity.
1578  *
1579  * The second case cannot actually happen with valid points, since a point
1580  * with Y == 0 is a point of order 2, and there is no point of order 2 on
1581  * curve P-256.
1582  *
1583  * Therefore, assuming that P1 != 0 on input, then the caller
1584  * can apply the following:
1585  *
1586  *   - If the result is not the point at infinity, then it is correct.
1587  *   - Otherwise, if the returned value is 1, then this is a case of
1588  *     P1+P2 == 0, so the result is indeed the point at infinity.
1589  *   - Otherwise, P1 == P2, so a "double" operation should have been
1590  *     performed.
1591  */
1592 static uint32_t
1593 p256_add_mixed(p256_jacobian *P1, const p256_jacobian *P2)
1594 {
1595 	/*
1596 	 * Addtions formulas are:
1597 	 *
1598 	 *   u1 = x1
1599 	 *   u2 = x2 * z1^2
1600 	 *   s1 = y1
1601 	 *   s2 = y2 * z1^3
1602 	 *   h = u2 - u1
1603 	 *   r = s2 - s1
1604 	 *   x3 = r^2 - h^3 - 2 * u1 * h^2
1605 	 *   y3 = r * (u1 * h^2 - x3) - s1 * h^3
1606 	 *   z3 = h * z1
1607 	 */
1608 	uint32_t t1[20], t2[20], t3[20], t4[20], t5[20], t6[20], t7[20];
1609 	uint32_t ret;
1610 	int i;
1611 
1612 	/*
1613 	 * Compute u1 = x1 (in t1) and s1 = y1 (in t3).
1614 	 */
1615 	memcpy(t1, P1->x, sizeof t1);
1616 	memcpy(t3, P1->y, sizeof t3);
1617 
1618 	/*
1619 	 * Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
1620 	 */
1621 	square_f256(t4, P1->z);
1622 	mul_f256(t2, P2->x, t4);
1623 	mul_f256(t5, P1->z, t4);
1624 	mul_f256(t4, P2->y, t5);
1625 
1626 	/*
1627 	 * Compute h = h2 - u1 (in t2) and r = s2 - s1 (in t4).
1628 	 * We need to test whether r is zero, so we will do some extra
1629 	 * reduce.
1630 	 */
1631 	for (i = 0; i < 20; i ++) {
1632 		t2[i] += (F256[i] << 1) - t1[i];
1633 		t4[i] += (F256[i] << 1) - t3[i];
1634 	}
1635 	norm13(t2, t2, 20);
1636 	norm13(t4, t4, 20);
1637 	reduce_f256(t4);
1638 	reduce_final_f256(t4);
1639 	ret = 0;
1640 	for (i = 0; i < 20; i ++) {
1641 		ret |= t4[i];
1642 	}
1643 	ret = (ret | -ret) >> 31;
1644 
1645 	/*
1646 	 * Compute u1*h^2 (in t6) and h^3 (in t5);
1647 	 */
1648 	square_f256(t7, t2);
1649 	mul_f256(t6, t1, t7);
1650 	mul_f256(t5, t7, t2);
1651 
1652 	/*
1653 	 * Compute x3 = r^2 - h^3 - 2*u1*h^2.
1654 	 */
1655 	square_f256(P1->x, t4);
1656 	for (i = 0; i < 20; i ++) {
1657 		P1->x[i] += (F256[i] << 3) - t5[i] - (t6[i] << 1);
1658 	}
1659 	norm13(P1->x, P1->x, 20);
1660 	reduce_f256(P1->x);
1661 
1662 	/*
1663 	 * Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
1664 	 */
1665 	for (i = 0; i < 20; i ++) {
1666 		t6[i] += (F256[i] << 1) - P1->x[i];
1667 	}
1668 	norm13(t6, t6, 20);
1669 	mul_f256(P1->y, t4, t6);
1670 	mul_f256(t1, t5, t3);
1671 	for (i = 0; i < 20; i ++) {
1672 		P1->y[i] += (F256[i] << 1) - t1[i];
1673 	}
1674 	norm13(P1->y, P1->y, 20);
1675 	reduce_f256(P1->y);
1676 
1677 	/*
1678 	 * Compute z3 = h*z1*z2.
1679 	 */
1680 	mul_f256(P1->z, P1->z, t2);
1681 
1682 	return ret;
1683 }
1684 
1685 /*
1686  * Decode a P-256 point. This function does not support the point at
1687  * infinity. Returned value is 0 if the point is invalid, 1 otherwise.
1688  */
1689 static uint32_t
1690 p256_decode(p256_jacobian *P, const void *src, size_t len)
1691 {
1692 	const unsigned char *buf;
1693 	uint32_t tx[20], ty[20], t1[20], t2[20];
1694 	uint32_t bad;
1695 	int i;
1696 
1697 	if (len != 65) {
1698 		return 0;
1699 	}
1700 	buf = src;
1701 
1702 	/*
1703 	 * First byte must be 0x04 (uncompressed format). We could support
1704 	 * "hybrid format" (first byte is 0x06 or 0x07, and encodes the
1705 	 * least significant bit of the Y coordinate), but it is explicitly
1706 	 * forbidden by RFC 5480 (section 2.2).
1707 	 */
1708 	bad = NEQ(buf[0], 0x04);
1709 
1710 	/*
1711 	 * Decode the coordinates, and check that they are both lower
1712 	 * than the modulus.
1713 	 */
1714 	tx[19] = be8_to_le13(tx, buf + 1, 32);
1715 	ty[19] = be8_to_le13(ty, buf + 33, 32);
1716 	bad |= reduce_final_f256(tx);
1717 	bad |= reduce_final_f256(ty);
1718 
1719 	/*
1720 	 * Check curve equation.
1721 	 */
1722 	square_f256(t1, tx);
1723 	mul_f256(t1, tx, t1);
1724 	square_f256(t2, ty);
1725 	for (i = 0; i < 20; i ++) {
1726 		t1[i] += (F256[i] << 3) - MUL15(3, tx[i]) + P256_B[i] - t2[i];
1727 	}
1728 	norm13(t1, t1, 20);
1729 	reduce_f256(t1);
1730 	reduce_final_f256(t1);
1731 	for (i = 0; i < 20; i ++) {
1732 		bad |= t1[i];
1733 	}
1734 
1735 	/*
1736 	 * Copy coordinates to the point structure.
1737 	 */
1738 	memcpy(P->x, tx, sizeof tx);
1739 	memcpy(P->y, ty, sizeof ty);
1740 	memset(P->z, 0, sizeof P->z);
1741 	P->z[0] = 1;
1742 	return EQ(bad, 0);
1743 }
1744 
1745 /*
1746  * Encode a point into a buffer. This function assumes that the point is
1747  * valid, in affine coordinates, and not the point at infinity.
1748  */
1749 static void
1750 p256_encode(void *dst, const p256_jacobian *P)
1751 {
1752 	unsigned char *buf;
1753 
1754 	buf = dst;
1755 	buf[0] = 0x04;
1756 	le13_to_be8(buf + 1, 32, P->x);
1757 	le13_to_be8(buf + 33, 32, P->y);
1758 }
1759 
1760 /*
1761  * Multiply a curve point by an integer. The integer is assumed to be
1762  * lower than the curve order, and the base point must not be the point
1763  * at infinity.
1764  */
1765 static void
1766 p256_mul(p256_jacobian *P, const unsigned char *x, size_t xlen)
1767 {
1768 	/*
1769 	 * qz is a flag that is initially 1, and remains equal to 1
1770 	 * as long as the point is the point at infinity.
1771 	 *
1772 	 * We use a 2-bit window to handle multiplier bits by pairs.
1773 	 * The precomputed window really is the points P2 and P3.
1774 	 */
1775 	uint32_t qz;
1776 	p256_jacobian P2, P3, Q, T, U;
1777 
1778 	/*
1779 	 * Compute window values.
1780 	 */
1781 	P2 = *P;
1782 	p256_double(&P2);
1783 	P3 = *P;
1784 	p256_add(&P3, &P2);
1785 
1786 	/*
1787 	 * We start with Q = 0. We process multiplier bits 2 by 2.
1788 	 */
1789 	memset(&Q, 0, sizeof Q);
1790 	qz = 1;
1791 	while (xlen -- > 0) {
1792 		int k;
1793 
1794 		for (k = 6; k >= 0; k -= 2) {
1795 			uint32_t bits;
1796 			uint32_t bnz;
1797 
1798 			p256_double(&Q);
1799 			p256_double(&Q);
1800 			T = *P;
1801 			U = Q;
1802 			bits = (*x >> k) & (uint32_t)3;
1803 			bnz = NEQ(bits, 0);
1804 			CCOPY(EQ(bits, 2), &T, &P2, sizeof T);
1805 			CCOPY(EQ(bits, 3), &T, &P3, sizeof T);
1806 			p256_add(&U, &T);
1807 			CCOPY(bnz & qz, &Q, &T, sizeof Q);
1808 			CCOPY(bnz & ~qz, &Q, &U, sizeof Q);
1809 			qz &= ~bnz;
1810 		}
1811 		x ++;
1812 	}
1813 	*P = Q;
1814 }
1815 
1816 /*
1817  * Precomputed window: k*G points, where G is the curve generator, and k
1818  * is an integer from 1 to 15 (inclusive). The X and Y coordinates of
1819  * the point are encoded as 20 words of 13 bits each (little-endian
1820  * order); 13-bit words are then grouped 2-by-2 into 32-bit words
1821  * (little-endian order within each word).
1822  */
1823 static const uint32_t Gwin[15][20] = {
1824 
1825 	{ 0x04C60296, 0x02721176, 0x19D00F4A, 0x102517AC,
1826 	  0x13B8037D, 0x0748103C, 0x1E730E56, 0x08481FE2,
1827 	  0x0F97012C, 0x00D605F4, 0x1DFA11F5, 0x0C801A0D,
1828 	  0x0F670CBB, 0x0AED0CC5, 0x115E0E33, 0x181F0785,
1829 	  0x13F514A7, 0x0FF30E3B, 0x17171E1A, 0x009F18D0 },
1830 
1831 	{ 0x1B341978, 0x16911F11, 0x0D9A1A60, 0x1C4E1FC8,
1832 	  0x1E040969, 0x096A06B0, 0x091C0030, 0x09EF1A29,
1833 	  0x18C40D03, 0x00F91C9E, 0x13C313D1, 0x096F0748,
1834 	  0x011419E0, 0x1CC713A6, 0x1DD31DAD, 0x1EE80C36,
1835 	  0x1ECD0C69, 0x1A0800A4, 0x08861B8E, 0x000E1DD5 },
1836 
1837 	{ 0x173F1D6C, 0x02CC06F1, 0x14C21FB4, 0x043D1EB6,
1838 	  0x0F3606B7, 0x1A971C59, 0x1BF71951, 0x01481323,
1839 	  0x068D0633, 0x00BD12F9, 0x13EA1032, 0x136209E8,
1840 	  0x1C1E19A7, 0x06C7013E, 0x06C10AB0, 0x14C908BB,
1841 	  0x05830CE1, 0x1FEF18DD, 0x00620998, 0x010E0D19 },
1842 
1843 	{ 0x18180852, 0x0604111A, 0x0B771509, 0x1B6F0156,
1844 	  0x00181FE2, 0x1DCC0AF4, 0x16EF0659, 0x11F70E80,
1845 	  0x11A912D0, 0x01C414D2, 0x027618C6, 0x05840FC6,
1846 	  0x100215C4, 0x187E0C3B, 0x12771C96, 0x150C0B5D,
1847 	  0x0FF705FD, 0x07981C67, 0x1AD20C63, 0x01C11C55 },
1848 
1849 	{ 0x1E8113ED, 0x0A940370, 0x12920215, 0x1FA31D6F,
1850 	  0x1F7C0C82, 0x10CD03F7, 0x02640560, 0x081A0B5E,
1851 	  0x1BD21151, 0x00A21642, 0x0D0B0DA4, 0x0176113F,
1852 	  0x04440D1D, 0x001A1360, 0x1068012F, 0x1F141E49,
1853 	  0x10DF136B, 0x0E4F162B, 0x0D44104A, 0x01C1105F },
1854 
1855 	{ 0x011411A9, 0x01551A4F, 0x0ADA0C6B, 0x01BD0EC8,
1856 	  0x18120C74, 0x112F1778, 0x099202CB, 0x0C05124B,
1857 	  0x195316A4, 0x01600685, 0x1E3B1FE2, 0x189014E3,
1858 	  0x0B5E1FD7, 0x0E0311F8, 0x08E000F7, 0x174E00DE,
1859 	  0x160702DF, 0x1B5A15BF, 0x03A11237, 0x01D01704 },
1860 
1861 	{ 0x0C3D12A3, 0x0C501C0C, 0x17AD1300, 0x1715003F,
1862 	  0x03F719F8, 0x18031ED8, 0x1D980667, 0x0F681896,
1863 	  0x1B7D00BF, 0x011C14CE, 0x0FA000B4, 0x1C3501B0,
1864 	  0x0D901C55, 0x06790C10, 0x029E0736, 0x0DEB0400,
1865 	  0x034F183A, 0x030619B4, 0x0DEF0033, 0x00E71AC7 },
1866 
1867 	{ 0x1B7D1393, 0x1B3B1076, 0x0BED1B4D, 0x13011F3A,
1868 	  0x0E0E1238, 0x156A132B, 0x013A02D3, 0x160A0D01,
1869 	  0x1CED1EE9, 0x00C5165D, 0x184C157E, 0x08141A83,
1870 	  0x153C0DA5, 0x1ED70F9D, 0x05170D51, 0x02CF13B8,
1871 	  0x18AE1771, 0x1B04113F, 0x05EC11E9, 0x015A16B3 },
1872 
1873 	{ 0x04A41EE0, 0x1D1412E4, 0x1C591D79, 0x118511B7,
1874 	  0x14F00ACB, 0x1AE31E1C, 0x049C0D51, 0x016E061E,
1875 	  0x1DB71EDF, 0x01D41A35, 0x0E8208FA, 0x14441293,
1876 	  0x011F1E85, 0x1D54137A, 0x026B114F, 0x151D0832,
1877 	  0x00A50964, 0x1F9C1E1C, 0x064B12C9, 0x005409D1 },
1878 
1879 	{ 0x062B123F, 0x0C0D0501, 0x183704C3, 0x08E31120,
1880 	  0x0A2E0A6C, 0x14440FED, 0x090A0D1E, 0x13271964,
1881 	  0x0B590A3A, 0x019D1D9B, 0x05780773, 0x09770A91,
1882 	  0x0F770CA3, 0x053F19D4, 0x02C80DED, 0x1A761304,
1883 	  0x091E0DD9, 0x15D201B8, 0x151109AA, 0x010F0198 },
1884 
1885 	{ 0x05E101D1, 0x072314DD, 0x045F1433, 0x1A041541,
1886 	  0x10B3142E, 0x01840736, 0x1C1B19DB, 0x098B0418,
1887 	  0x1DBC083B, 0x007D1444, 0x01511740, 0x11DD1F3A,
1888 	  0x04ED0E2F, 0x1B4B1A62, 0x10480D04, 0x09E911A2,
1889 	  0x04211AFA, 0x19140893, 0x04D60CC4, 0x01210648 },
1890 
1891 	{ 0x112703C4, 0x018B1BA1, 0x164C1D50, 0x05160BE0,
1892 	  0x0BCC1830, 0x01CB1554, 0x13291732, 0x1B2B1918,
1893 	  0x0DED0817, 0x00E80775, 0x0A2401D3, 0x0BFE08B3,
1894 	  0x0E531199, 0x058616E9, 0x04770B91, 0x110F0C55,
1895 	  0x19C11554, 0x0BFB1159, 0x03541C38, 0x000E1C2D },
1896 
1897 	{ 0x10390C01, 0x02BB0751, 0x0AC5098E, 0x096C17AB,
1898 	  0x03C90E28, 0x10BD18BF, 0x002E1F2D, 0x092B0986,
1899 	  0x1BD700AC, 0x002E1F20, 0x1E3D1FD8, 0x077718BB,
1900 	  0x06F919C4, 0x187407ED, 0x11370E14, 0x081E139C,
1901 	  0x00481ADB, 0x14AB0289, 0x066A0EBE, 0x00C70ED6 },
1902 
1903 	{ 0x0694120B, 0x124E1CC9, 0x0E2F0570, 0x17CF081A,
1904 	  0x078906AC, 0x066D17CF, 0x1B3207F4, 0x0C5705E9,
1905 	  0x10001C38, 0x00A919DE, 0x06851375, 0x0F900BD8,
1906 	  0x080401BA, 0x0EEE0D42, 0x1B8B11EA, 0x0B4519F0,
1907 	  0x090F18C0, 0x062E1508, 0x0DD909F4, 0x01EB067C },
1908 
1909 	{ 0x0CDC1D5F, 0x0D1818F9, 0x07781636, 0x125B18E8,
1910 	  0x0D7003AF, 0x13110099, 0x1D9B1899, 0x175C1EB7,
1911 	  0x0E34171A, 0x01E01153, 0x081A0F36, 0x0B391783,
1912 	  0x1D1F147E, 0x19CE16D7, 0x11511B21, 0x1F2C10F9,
1913 	  0x12CA0E51, 0x05A31D39, 0x171A192E, 0x016B0E4F }
1914 };
1915 
1916 /*
1917  * Lookup one of the Gwin[] values, by index. This is constant-time.
1918  */
1919 static void
1920 lookup_Gwin(p256_jacobian *T, uint32_t idx)
1921 {
1922 	uint32_t xy[20];
1923 	uint32_t k;
1924 	size_t u;
1925 
1926 	memset(xy, 0, sizeof xy);
1927 	for (k = 0; k < 15; k ++) {
1928 		uint32_t m;
1929 
1930 		m = -EQ(idx, k + 1);
1931 		for (u = 0; u < 20; u ++) {
1932 			xy[u] |= m & Gwin[k][u];
1933 		}
1934 	}
1935 	for (u = 0; u < 10; u ++) {
1936 		T->x[(u << 1) + 0] = xy[u] & 0xFFFF;
1937 		T->x[(u << 1) + 1] = xy[u] >> 16;
1938 		T->y[(u << 1) + 0] = xy[u + 10] & 0xFFFF;
1939 		T->y[(u << 1) + 1] = xy[u + 10] >> 16;
1940 	}
1941 	memset(T->z, 0, sizeof T->z);
1942 	T->z[0] = 1;
1943 }
1944 
1945 /*
1946  * Multiply the generator by an integer. The integer is assumed non-zero
1947  * and lower than the curve order.
1948  */
1949 static void
1950 p256_mulgen(p256_jacobian *P, const unsigned char *x, size_t xlen)
1951 {
1952 	/*
1953 	 * qz is a flag that is initially 1, and remains equal to 1
1954 	 * as long as the point is the point at infinity.
1955 	 *
1956 	 * We use a 4-bit window to handle multiplier bits by groups
1957 	 * of 4. The precomputed window is constant static data, with
1958 	 * points in affine coordinates; we use a constant-time lookup.
1959 	 */
1960 	p256_jacobian Q;
1961 	uint32_t qz;
1962 
1963 	memset(&Q, 0, sizeof Q);
1964 	qz = 1;
1965 	while (xlen -- > 0) {
1966 		int k;
1967 		unsigned bx;
1968 
1969 		bx = *x ++;
1970 		for (k = 0; k < 2; k ++) {
1971 			uint32_t bits;
1972 			uint32_t bnz;
1973 			p256_jacobian T, U;
1974 
1975 			p256_double(&Q);
1976 			p256_double(&Q);
1977 			p256_double(&Q);
1978 			p256_double(&Q);
1979 			bits = (bx >> 4) & 0x0F;
1980 			bnz = NEQ(bits, 0);
1981 			lookup_Gwin(&T, bits);
1982 			U = Q;
1983 			p256_add_mixed(&U, &T);
1984 			CCOPY(bnz & qz, &Q, &T, sizeof Q);
1985 			CCOPY(bnz & ~qz, &Q, &U, sizeof Q);
1986 			qz &= ~bnz;
1987 			bx <<= 4;
1988 		}
1989 	}
1990 	*P = Q;
1991 }
1992 
1993 static const unsigned char P256_G[] = {
1994 	0x04, 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8,
1995 	0xBC, 0xE6, 0xE5, 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D,
1996 	0x81, 0x2D, 0xEB, 0x33, 0xA0, 0xF4, 0xA1, 0x39, 0x45, 0xD8,
1997 	0x98, 0xC2, 0x96, 0x4F, 0xE3, 0x42, 0xE2, 0xFE, 0x1A, 0x7F,
1998 	0x9B, 0x8E, 0xE7, 0xEB, 0x4A, 0x7C, 0x0F, 0x9E, 0x16, 0x2B,
1999 	0xCE, 0x33, 0x57, 0x6B, 0x31, 0x5E, 0xCE, 0xCB, 0xB6, 0x40,
2000 	0x68, 0x37, 0xBF, 0x51, 0xF5
2001 };
2002 
2003 static const unsigned char P256_N[] = {
2004 	0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF,
2005 	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD,
2006 	0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63,
2007 	0x25, 0x51
2008 };
2009 
2010 static const unsigned char *
2011 api_generator(int curve, size_t *len)
2012 {
2013 	(void)curve;
2014 	*len = sizeof P256_G;
2015 	return P256_G;
2016 }
2017 
2018 static const unsigned char *
2019 api_order(int curve, size_t *len)
2020 {
2021 	(void)curve;
2022 	*len = sizeof P256_N;
2023 	return P256_N;
2024 }
2025 
2026 static size_t
2027 api_xoff(int curve, size_t *len)
2028 {
2029 	(void)curve;
2030 	*len = 32;
2031 	return 1;
2032 }
2033 
2034 static uint32_t
2035 api_mul(unsigned char *G, size_t Glen,
2036 	const unsigned char *x, size_t xlen, int curve)
2037 {
2038 	uint32_t r;
2039 	p256_jacobian P;
2040 
2041 	(void)curve;
2042 	if (Glen != 65) {
2043 		return 0;
2044 	}
2045 	r = p256_decode(&P, G, Glen);
2046 	p256_mul(&P, x, xlen);
2047 	p256_to_affine(&P);
2048 	p256_encode(G, &P);
2049 	return r;
2050 }
2051 
2052 static size_t
2053 api_mulgen(unsigned char *R,
2054 	const unsigned char *x, size_t xlen, int curve)
2055 {
2056 	p256_jacobian P;
2057 
2058 	(void)curve;
2059 	p256_mulgen(&P, x, xlen);
2060 	p256_to_affine(&P);
2061 	p256_encode(R, &P);
2062 	return 65;
2063 }
2064 
2065 static uint32_t
2066 api_muladd(unsigned char *A, const unsigned char *B, size_t len,
2067 	const unsigned char *x, size_t xlen,
2068 	const unsigned char *y, size_t ylen, int curve)
2069 {
2070 	p256_jacobian P, Q;
2071 	uint32_t r, t, z;
2072 	int i;
2073 
2074 	(void)curve;
2075 	if (len != 65) {
2076 		return 0;
2077 	}
2078 	r = p256_decode(&P, A, len);
2079 	p256_mul(&P, x, xlen);
2080 	if (B == NULL) {
2081 		p256_mulgen(&Q, y, ylen);
2082 	} else {
2083 		r &= p256_decode(&Q, B, len);
2084 		p256_mul(&Q, y, ylen);
2085 	}
2086 
2087 	/*
2088 	 * The final addition may fail in case both points are equal.
2089 	 */
2090 	t = p256_add(&P, &Q);
2091 	reduce_final_f256(P.z);
2092 	z = 0;
2093 	for (i = 0; i < 20; i ++) {
2094 		z |= P.z[i];
2095 	}
2096 	z = EQ(z, 0);
2097 	p256_double(&Q);
2098 
2099 	/*
2100 	 * If z is 1 then either P+Q = 0 (t = 1) or P = Q (t = 0). So we
2101 	 * have the following:
2102 	 *
2103 	 *   z = 0, t = 0   return P (normal addition)
2104 	 *   z = 0, t = 1   return P (normal addition)
2105 	 *   z = 1, t = 0   return Q (a 'double' case)
2106 	 *   z = 1, t = 1   report an error (P+Q = 0)
2107 	 */
2108 	CCOPY(z & ~t, &P, &Q, sizeof Q);
2109 	p256_to_affine(&P);
2110 	p256_encode(A, &P);
2111 	r &= ~(z & t);
2112 	return r;
2113 }
2114 
2115 /* see bearssl_ec.h */
2116 const br_ec_impl br_ec_p256_m15 = {
2117 	(uint32_t)0x00800000,
2118 	&api_generator,
2119 	&api_order,
2120 	&api_xoff,
2121 	&api_mul,
2122 	&api_mulgen,
2123 	&api_muladd
2124 };
2125