src/ec/ec_p256_m62.c

0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Copyright (c) 2018 Thomas Pornin <pornin@bolet.org>
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * Permission is hereby granted, free of charge, to any person obtaining
0957b409SSimon J. Gerraty * a copy of this software and associated documentation files (the
0957b409SSimon J. Gerraty * "Software"), to deal in the Software without restriction, including
0957b409SSimon J. Gerraty * without limitation the rights to use, copy, modify, merge, publish,
0957b409SSimon J. Gerraty * distribute, sublicense, and/or sell copies of the Software, and to
0957b409SSimon J. Gerraty * permit persons to whom the Software is furnished to do so, subject to
0957b409SSimon J. Gerraty * the following conditions:
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * The above copyright notice and this permission notice shall be
0957b409SSimon J. Gerraty * included in all copies or substantial portions of the Software.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
0957b409SSimon J. Gerraty * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
0957b409SSimon J. Gerraty * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
0957b409SSimon J. Gerraty * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
0957b409SSimon J. Gerraty * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
0957b409SSimon J. Gerraty * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
0957b409SSimon J. Gerraty * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
0957b409SSimon J. Gerraty * SOFTWARE.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#include "inner.h"
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#if BR_INT128 || BR_UMUL128
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#if BR_UMUL128
0957b409SSimon J. Gerraty#include <intrin.h>
0957b409SSimon J. Gerraty#endif
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerratystatic const unsigned char P256_G[] = {
0957b409SSimon J. Gerraty	0x04, 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8,
0957b409SSimon J. Gerraty	0xBC, 0xE6, 0xE5, 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D,
0957b409SSimon J. Gerraty	0x81, 0x2D, 0xEB, 0x33, 0xA0, 0xF4, 0xA1, 0x39, 0x45, 0xD8,
0957b409SSimon J. Gerraty	0x98, 0xC2, 0x96, 0x4F, 0xE3, 0x42, 0xE2, 0xFE, 0x1A, 0x7F,
0957b409SSimon J. Gerraty	0x9B, 0x8E, 0xE7, 0xEB, 0x4A, 0x7C, 0x0F, 0x9E, 0x16, 0x2B,
0957b409SSimon J. Gerraty	0xCE, 0x33, 0x57, 0x6B, 0x31, 0x5E, 0xCE, 0xCB, 0xB6, 0x40,
0957b409SSimon J. Gerraty	0x68, 0x37, 0xBF, 0x51, 0xF5
0957b409SSimon J. Gerraty};
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerratystatic const unsigned char P256_N[] = {
0957b409SSimon J. Gerraty	0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF,
0957b409SSimon J. Gerraty	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD,
0957b409SSimon J. Gerraty	0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63,
0957b409SSimon J. Gerraty	0x25, 0x51
0957b409SSimon J. Gerraty};
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerratystatic const unsigned char *
0957b409SSimon J. Gerratyapi_generator(int curve, size_t *len)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	(void)curve;
0957b409SSimon J. Gerraty	*len = sizeof P256_G;
0957b409SSimon J. Gerraty	return P256_G;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerratystatic const unsigned char *
0957b409SSimon J. Gerratyapi_order(int curve, size_t *len)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	(void)curve;
0957b409SSimon J. Gerraty	*len = sizeof P256_N;
0957b409SSimon J. Gerraty	return P256_N;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerratystatic size_t
0957b409SSimon J. Gerratyapi_xoff(int curve, size_t *len)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	(void)curve;
0957b409SSimon J. Gerraty	*len = 32;
0957b409SSimon J. Gerraty	return 1;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * A field element is encoded as five 64-bit integers, in basis 2^52.
0957b409SSimon J. Gerraty * Limbs may occasionally exceed 2^52.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * A _partially reduced_ value is such that the following hold:
0957b409SSimon J. Gerraty *   - top limb is less than 2^48 + 2^30
0957b409SSimon J. Gerraty *   - the other limbs fit on 53 bits each
0957b409SSimon J. Gerraty * In particular, such a value is less than twice the modulus p.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#define BIT(n)   ((uint64_t)1 << (n))
0957b409SSimon J. Gerraty#define MASK48   (BIT(48) - BIT(0))
0957b409SSimon J. Gerraty#define MASK52   (BIT(52) - BIT(0))
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/* R = 2^260 mod p */
0957b409SSimon J. Gerratystatic const uint64_t F256_R[] = {
0957b409SSimon J. Gerraty	0x0000000000010, 0xF000000000000, 0xFFFFFFFFFFFFF,
0957b409SSimon J. Gerraty	0xFFEFFFFFFFFFF, 0x00000000FFFFF
0957b409SSimon J. Gerraty};
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/* Curve equation is y^2 = x^3 - 3*x + B. This constant is B*R mod p
0957b409SSimon J. Gerraty   (Montgomery representation of B). */
0957b409SSimon J. Gerratystatic const uint64_t P256_B_MONTY[] = {
0957b409SSimon J. Gerraty	0xDF6229C4BDDFD, 0xCA8843090D89C, 0x212ED6ACF005C,
0957b409SSimon J. Gerraty	0x83415A220ABF7, 0x0C30061DD4874
0957b409SSimon J. Gerraty};
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Addition in the field. Carry propagation is not performed.
0957b409SSimon J. Gerraty * On input, limbs may be up to 63 bits each; on output, they will
0957b409SSimon J. Gerraty * be up to one bit more than on input.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic inline void
0957b409SSimon J. Gerratyf256_add(uint64_t *d, const uint64_t *a, const uint64_t *b)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	d[0] = a[0] + b[0];
0957b409SSimon J. Gerraty	d[1] = a[1] + b[1];
0957b409SSimon J. Gerraty	d[2] = a[2] + b[2];
0957b409SSimon J. Gerraty	d[3] = a[3] + b[3];
0957b409SSimon J. Gerraty	d[4] = a[4] + b[4];
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Partially reduce the provided value.
0957b409SSimon J. Gerraty * Input: limbs can go up to 61 bits each.
0957b409SSimon J. Gerraty * Output: partially reduced.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic inline void
0957b409SSimon J. Gerratyf256_partial_reduce(uint64_t *a)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	uint64_t w, cc, s;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Propagate carries.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	w = a[0];
0957b409SSimon J. Gerraty	a[0] = w & MASK52;
0957b409SSimon J. Gerraty	cc = w >> 52;
0957b409SSimon J. Gerraty	w = a[1] + cc;
0957b409SSimon J. Gerraty	a[1] = w & MASK52;
0957b409SSimon J. Gerraty	cc = w >> 52;
0957b409SSimon J. Gerraty	w = a[2] + cc;
0957b409SSimon J. Gerraty	a[2] = w & MASK52;
0957b409SSimon J. Gerraty	cc = w >> 52;
0957b409SSimon J. Gerraty	w = a[3] + cc;
0957b409SSimon J. Gerraty	a[3] = w & MASK52;
0957b409SSimon J. Gerraty	cc = w >> 52;
0957b409SSimon J. Gerraty	a[4] += cc;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	s = a[4] >> 48;             /* s < 2^14 */
0957b409SSimon J. Gerraty	a[0] += s;                  /* a[0] < 2^52 + 2^14 */
0957b409SSimon J. Gerraty	w = a[1] - (s << 44);
0957b409SSimon J. Gerraty	a[1] = w & MASK52;          /* a[1] < 2^52 */
0957b409SSimon J. Gerraty	cc = -(w >> 52) & 0xFFF;    /* cc < 16 */
0957b409SSimon J. Gerraty	w = a[2] - cc;
0957b409SSimon J. Gerraty	a[2] = w & MASK52;          /* a[2] < 2^52 */
0957b409SSimon J. Gerraty	cc = w >> 63;               /* cc = 0 or 1 */
0957b409SSimon J. Gerraty	w = a[3] - cc - (s << 36);
0957b409SSimon J. Gerraty	a[3] = w & MASK52;          /* a[3] < 2^52 */
0957b409SSimon J. Gerraty	cc = w >> 63;               /* cc = 0 or 1 */
0957b409SSimon J. Gerraty	w = a[4] & MASK48;
0957b409SSimon J. Gerraty	a[4] = w + (s << 16) - cc;  /* a[4] < 2^48 + 2^30 */
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Subtraction in the field.
0957b409SSimon J. Gerraty * Input: limbs must fit on 60 bits each; in particular, the complete
0957b409SSimon J. Gerraty * integer will be less than 2^268 + 2^217.
0957b409SSimon J. Gerraty * Output: partially reduced.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic inline void
0957b409SSimon J. Gerratyf256_sub(uint64_t *d, const uint64_t *a, const uint64_t *b)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	uint64_t t[5], w, s, cc;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * We compute d = 2^13*p + a - b; this ensures a positive
0957b409SSimon J. Gerraty	 * intermediate value.
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * Each individual addition/subtraction may yield a positive or
0957b409SSimon J. Gerraty	 * negative result; thus, we need to handle a signed carry, thus
0957b409SSimon J. Gerraty	 * with sign extension. We prefer not to use signed types (int64_t)
0957b409SSimon J. Gerraty	 * because conversion from unsigned to signed is cumbersome (a
0957b409SSimon J. Gerraty	 * direct cast with the top bit set is undefined behavior; instead,
0957b409SSimon J. Gerraty	 * we have to use pointer aliasing, using the guaranteed properties
0957b409SSimon J. Gerraty	 * of exact-width types, but this requires the compiler to optimize
0957b409SSimon J. Gerraty	 * away the writes and reads from RAM), and right-shifting a
0957b409SSimon J. Gerraty	 * signed negative value is implementation-defined. Therefore,
0957b409SSimon J. Gerraty	 * we use a custom sign extension.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	w = a[0] - b[0] - BIT(13);
0957b409SSimon J. Gerraty	t[0] = w & MASK52;
0957b409SSimon J. Gerraty	cc = w >> 52;
0957b409SSimon J. Gerraty	cc |= -(cc & BIT(11));
0957b409SSimon J. Gerraty	w = a[1] - b[1] + cc;
0957b409SSimon J. Gerraty	t[1] = w & MASK52;
0957b409SSimon J. Gerraty	cc = w >> 52;
0957b409SSimon J. Gerraty	cc |= -(cc & BIT(11));
0957b409SSimon J. Gerraty	w = a[2] - b[2] + cc;
0957b409SSimon J. Gerraty	t[2] = (w & MASK52) + BIT(5);
0957b409SSimon J. Gerraty	cc = w >> 52;
0957b409SSimon J. Gerraty	cc |= -(cc & BIT(11));
0957b409SSimon J. Gerraty	w = a[3] - b[3] + cc;
0957b409SSimon J. Gerraty	t[3] = (w & MASK52) + BIT(49);
0957b409SSimon J. Gerraty	cc = w >> 52;
0957b409SSimon J. Gerraty	cc |= -(cc & BIT(11));
0957b409SSimon J. Gerraty	t[4] = (BIT(61) - BIT(29)) + a[4] - b[4] + cc;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Perform partial reduction. Rule is:
0957b409SSimon J. Gerraty	 *  2^256 = 2^224 - 2^192 - 2^96 + 1 mod p
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * At that point:
0957b409SSimon J. Gerraty	 *    0 <= t[0] <= 2^52 - 1
0957b409SSimon J. Gerraty	 *    0 <= t[1] <= 2^52 - 1
0957b409SSimon J. Gerraty	 *    2^5 <= t[2] <= 2^52 + 2^5 - 1
0957b409SSimon J. Gerraty	 *    2^49 <= t[3] <= 2^52 + 2^49 - 1
0957b409SSimon J. Gerraty	 *    2^59 < t[4] <= 2^61 + 2^60 - 2^29
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * Thus, the value 's' (t[4] / 2^48) will be necessarily
0957b409SSimon J. Gerraty	 * greater than 2048, and less than 12288.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	s = t[4] >> 48;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	d[0] = t[0] + s;             /* d[0] <= 2^52 + 12287 */
0957b409SSimon J. Gerraty	w = t[1] - (s << 44);
0957b409SSimon J. Gerraty	d[1] = w & MASK52;           /* d[1] <= 2^52 - 1 */
0957b409SSimon J. Gerraty	cc = -(w >> 52) & 0xFFF;     /* cc <= 48 */
0957b409SSimon J. Gerraty	w = t[2] - cc;
0957b409SSimon J. Gerraty	cc = w >> 63;                /* cc = 0 or 1 */
0957b409SSimon J. Gerraty	d[2] = w + (cc << 52);       /* d[2] <= 2^52 + 31 */
0957b409SSimon J. Gerraty	w = t[3] - cc - (s << 36);
0957b409SSimon J. Gerraty	cc = w >> 63;                /* cc = 0 or 1 */
0957b409SSimon J. Gerraty	d[3] = w + (cc << 52);       /* t[3] <= 2^52 + 2^49 - 1 */
0957b409SSimon J. Gerraty	d[4] = (t[4] & MASK48) + (s << 16) - cc;  /* d[4] < 2^48 + 2^30 */
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * If s = 0, then none of the limbs is modified, and there cannot
0957b409SSimon J. Gerraty	 * be an overflow; if s != 0, then (s << 16) > cc, and there is
0957b409SSimon J. Gerraty	 * no overflow either.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Montgomery multiplication in the field.
0957b409SSimon J. Gerraty * Input: limbs must fit on 56 bits each.
0957b409SSimon J. Gerraty * Output: partially reduced.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic void
0957b409SSimon J. Gerratyf256_montymul(uint64_t *d, const uint64_t *a, const uint64_t *b)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty#if BR_INT128
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	int i;
0957b409SSimon J. Gerraty	uint64_t t[5];
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	t[0] = 0;
0957b409SSimon J. Gerraty	t[1] = 0;
0957b409SSimon J. Gerraty	t[2] = 0;
0957b409SSimon J. Gerraty	t[3] = 0;
0957b409SSimon J. Gerraty	t[4] = 0;
0957b409SSimon J. Gerraty	for (i = 0; i < 5; i ++) {
0957b409SSimon J. Gerraty		uint64_t x, f, cc, w, s;
0957b409SSimon J. Gerraty		unsigned __int128 z;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		/*
0957b409SSimon J. Gerraty		 * Since limbs of a[] and b[] fit on 56 bits each,
0957b409SSimon J. Gerraty		 * each individual product fits on 112 bits. Also,
0957b409SSimon J. Gerraty		 * the factor f fits on 52 bits, so f<<48 fits on
0957b409SSimon J. Gerraty		 * 112 bits too. This guarantees that carries (cc)
0957b409SSimon J. Gerraty		 * will fit on 62 bits, thus no overflow.
0957b409SSimon J. Gerraty		 *
0957b409SSimon J. Gerraty		 * The operations below compute:
0957b409SSimon J. Gerraty		 *   t <- (t + x*b + f*p) / 2^64
0957b409SSimon J. Gerraty		 */
0957b409SSimon J. Gerraty		x = a[i];
0957b409SSimon J. Gerraty		z = (unsigned __int128)b[0] * (unsigned __int128)x
0957b409SSimon J. Gerraty			+ (unsigned __int128)t[0];
0957b409SSimon J. Gerraty		f = (uint64_t)z & MASK52;
0957b409SSimon J. Gerraty		cc = (uint64_t)(z >> 52);
0957b409SSimon J. Gerraty		z = (unsigned __int128)b[1] * (unsigned __int128)x
0957b409SSimon J. Gerraty			+ (unsigned __int128)t[1] + cc
0957b409SSimon J. Gerraty			+ ((unsigned __int128)f << 44);
0957b409SSimon J. Gerraty		t[0] = (uint64_t)z & MASK52;
0957b409SSimon J. Gerraty		cc = (uint64_t)(z >> 52);
0957b409SSimon J. Gerraty		z = (unsigned __int128)b[2] * (unsigned __int128)x
0957b409SSimon J. Gerraty			+ (unsigned __int128)t[2] + cc;
0957b409SSimon J. Gerraty		t[1] = (uint64_t)z & MASK52;
0957b409SSimon J. Gerraty		cc = (uint64_t)(z >> 52);
0957b409SSimon J. Gerraty		z = (unsigned __int128)b[3] * (unsigned __int128)x
0957b409SSimon J. Gerraty			+ (unsigned __int128)t[3] + cc
0957b409SSimon J. Gerraty			+ ((unsigned __int128)f << 36);
0957b409SSimon J. Gerraty		t[2] = (uint64_t)z & MASK52;
0957b409SSimon J. Gerraty		cc = (uint64_t)(z >> 52);
0957b409SSimon J. Gerraty		z = (unsigned __int128)b[4] * (unsigned __int128)x
0957b409SSimon J. Gerraty			+ (unsigned __int128)t[4] + cc
0957b409SSimon J. Gerraty			+ ((unsigned __int128)f << 48)
0957b409SSimon J. Gerraty			- ((unsigned __int128)f << 16);
0957b409SSimon J. Gerraty		t[3] = (uint64_t)z & MASK52;
0957b409SSimon J. Gerraty		t[4] = (uint64_t)(z >> 52);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		/*
0957b409SSimon J. Gerraty		 * t[4] may be up to 62 bits here; we need to do a
0957b409SSimon J. Gerraty		 * partial reduction. Note that limbs t[0] to t[3]
0957b409SSimon J. Gerraty		 * fit on 52 bits each.
0957b409SSimon J. Gerraty		 */
0957b409SSimon J. Gerraty		s = t[4] >> 48;             /* s < 2^14 */
0957b409SSimon J. Gerraty		t[0] += s;                  /* t[0] < 2^52 + 2^14 */
0957b409SSimon J. Gerraty		w = t[1] - (s << 44);
0957b409SSimon J. Gerraty		t[1] = w & MASK52;          /* t[1] < 2^52 */
0957b409SSimon J. Gerraty		cc = -(w >> 52) & 0xFFF;    /* cc < 16 */
0957b409SSimon J. Gerraty		w = t[2] - cc;
0957b409SSimon J. Gerraty		t[2] = w & MASK52;          /* t[2] < 2^52 */
0957b409SSimon J. Gerraty		cc = w >> 63;               /* cc = 0 or 1 */
0957b409SSimon J. Gerraty		w = t[3] - cc - (s << 36);
0957b409SSimon J. Gerraty		t[3] = w & MASK52;          /* t[3] < 2^52 */
0957b409SSimon J. Gerraty		cc = w >> 63;               /* cc = 0 or 1 */
0957b409SSimon J. Gerraty		w = t[4] & MASK48;
0957b409SSimon J. Gerraty		t[4] = w + (s << 16) - cc;  /* t[4] < 2^48 + 2^30 */
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		/*
0957b409SSimon J. Gerraty		 * The final t[4] cannot overflow because cc is 0 or 1,
0957b409SSimon J. Gerraty		 * and cc can be 1 only if s != 0.
0957b409SSimon J. Gerraty		 */
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	d[0] = t[0];
0957b409SSimon J. Gerraty	d[1] = t[1];
0957b409SSimon J. Gerraty	d[2] = t[2];
0957b409SSimon J. Gerraty	d[3] = t[3];
0957b409SSimon J. Gerraty	d[4] = t[4];
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#elif BR_UMUL128
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	int i;
0957b409SSimon J. Gerraty	uint64_t t[5];
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	t[0] = 0;
0957b409SSimon J. Gerraty	t[1] = 0;
0957b409SSimon J. Gerraty	t[2] = 0;
0957b409SSimon J. Gerraty	t[3] = 0;
0957b409SSimon J. Gerraty	t[4] = 0;
0957b409SSimon J. Gerraty	for (i = 0; i < 5; i ++) {
0957b409SSimon J. Gerraty		uint64_t x, f, cc, w, s, zh, zl;
0957b409SSimon J. Gerraty		unsigned char k;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		/*
0957b409SSimon J. Gerraty		 * Since limbs of a[] and b[] fit on 56 bits each,
0957b409SSimon J. Gerraty		 * each individual product fits on 112 bits. Also,
0957b409SSimon J. Gerraty		 * the factor f fits on 52 bits, so f<<48 fits on
0957b409SSimon J. Gerraty		 * 112 bits too. This guarantees that carries (cc)
0957b409SSimon J. Gerraty		 * will fit on 62 bits, thus no overflow.
0957b409SSimon J. Gerraty		 *
0957b409SSimon J. Gerraty		 * The operations below compute:
0957b409SSimon J. Gerraty		 *   t <- (t + x*b + f*p) / 2^64
0957b409SSimon J. Gerraty		 */
0957b409SSimon J. Gerraty		x = a[i];
0957b409SSimon J. Gerraty		zl = _umul128(b[0], x, &zh);
0957b409SSimon J. Gerraty		k = _addcarry_u64(0, t[0], zl, &zl);
0957b409SSimon J. Gerraty		(void)_addcarry_u64(k, 0, zh, &zh);
0957b409SSimon J. Gerraty		f = zl & MASK52;
0957b409SSimon J. Gerraty		cc = (zl >> 52) | (zh << 12);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		zl = _umul128(b[1], x, &zh);
0957b409SSimon J. Gerraty		k = _addcarry_u64(0, t[1], zl, &zl);
0957b409SSimon J. Gerraty		(void)_addcarry_u64(k, 0, zh, &zh);
0957b409SSimon J. Gerraty		k = _addcarry_u64(0, cc, zl, &zl);
0957b409SSimon J. Gerraty		(void)_addcarry_u64(k, 0, zh, &zh);
0957b409SSimon J. Gerraty		k = _addcarry_u64(0, f << 44, zl, &zl);
0957b409SSimon J. Gerraty		(void)_addcarry_u64(k, f >> 20, zh, &zh);
0957b409SSimon J. Gerraty		t[0] = zl & MASK52;
0957b409SSimon J. Gerraty		cc = (zl >> 52) | (zh << 12);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		zl = _umul128(b[2], x, &zh);
0957b409SSimon J. Gerraty		k = _addcarry_u64(0, t[2], zl, &zl);
0957b409SSimon J. Gerraty		(void)_addcarry_u64(k, 0, zh, &zh);
0957b409SSimon J. Gerraty		k = _addcarry_u64(0, cc, zl, &zl);
0957b409SSimon J. Gerraty		(void)_addcarry_u64(k, 0, zh, &zh);
0957b409SSimon J. Gerraty		t[1] = zl & MASK52;
0957b409SSimon J. Gerraty		cc = (zl >> 52) | (zh << 12);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		zl = _umul128(b[3], x, &zh);
0957b409SSimon J. Gerraty		k = _addcarry_u64(0, t[3], zl, &zl);
0957b409SSimon J. Gerraty		(void)_addcarry_u64(k, 0, zh, &zh);
0957b409SSimon J. Gerraty		k = _addcarry_u64(0, cc, zl, &zl);
0957b409SSimon J. Gerraty		(void)_addcarry_u64(k, 0, zh, &zh);
0957b409SSimon J. Gerraty		k = _addcarry_u64(0, f << 36, zl, &zl);
0957b409SSimon J. Gerraty		(void)_addcarry_u64(k, f >> 28, zh, &zh);
0957b409SSimon J. Gerraty		t[2] = zl & MASK52;
0957b409SSimon J. Gerraty		cc = (zl >> 52) | (zh << 12);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		zl = _umul128(b[4], x, &zh);
0957b409SSimon J. Gerraty		k = _addcarry_u64(0, t[4], zl, &zl);
0957b409SSimon J. Gerraty		(void)_addcarry_u64(k, 0, zh, &zh);
0957b409SSimon J. Gerraty		k = _addcarry_u64(0, cc, zl, &zl);
0957b409SSimon J. Gerraty		(void)_addcarry_u64(k, 0, zh, &zh);
0957b409SSimon J. Gerraty		k = _addcarry_u64(0, f << 48, zl, &zl);
0957b409SSimon J. Gerraty		(void)_addcarry_u64(k, f >> 16, zh, &zh);
0957b409SSimon J. Gerraty		k = _subborrow_u64(0, zl, f << 16, &zl);
0957b409SSimon J. Gerraty		(void)_subborrow_u64(k, zh, f >> 48, &zh);
0957b409SSimon J. Gerraty		t[3] = zl & MASK52;
0957b409SSimon J. Gerraty		t[4] = (zl >> 52) | (zh << 12);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		/*
0957b409SSimon J. Gerraty		 * t[4] may be up to 62 bits here; we need to do a
0957b409SSimon J. Gerraty		 * partial reduction. Note that limbs t[0] to t[3]
0957b409SSimon J. Gerraty		 * fit on 52 bits each.
0957b409SSimon J. Gerraty		 */
0957b409SSimon J. Gerraty		s = t[4] >> 48;             /* s < 2^14 */
0957b409SSimon J. Gerraty		t[0] += s;                  /* t[0] < 2^52 + 2^14 */
0957b409SSimon J. Gerraty		w = t[1] - (s << 44);
0957b409SSimon J. Gerraty		t[1] = w & MASK52;          /* t[1] < 2^52 */
0957b409SSimon J. Gerraty		cc = -(w >> 52) & 0xFFF;    /* cc < 16 */
0957b409SSimon J. Gerraty		w = t[2] - cc;
0957b409SSimon J. Gerraty		t[2] = w & MASK52;          /* t[2] < 2^52 */
0957b409SSimon J. Gerraty		cc = w >> 63;               /* cc = 0 or 1 */
0957b409SSimon J. Gerraty		w = t[3] - cc - (s << 36);
0957b409SSimon J. Gerraty		t[3] = w & MASK52;          /* t[3] < 2^52 */
0957b409SSimon J. Gerraty		cc = w >> 63;               /* cc = 0 or 1 */
0957b409SSimon J. Gerraty		w = t[4] & MASK48;
0957b409SSimon J. Gerraty		t[4] = w + (s << 16) - cc;  /* t[4] < 2^48 + 2^30 */
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		/*
0957b409SSimon J. Gerraty		 * The final t[4] cannot overflow because cc is 0 or 1,
0957b409SSimon J. Gerraty		 * and cc can be 1 only if s != 0.
0957b409SSimon J. Gerraty		 */
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	d[0] = t[0];
0957b409SSimon J. Gerraty	d[1] = t[1];
0957b409SSimon J. Gerraty	d[2] = t[2];
0957b409SSimon J. Gerraty	d[3] = t[3];
0957b409SSimon J. Gerraty	d[4] = t[4];
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#endif
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Montgomery squaring in the field; currently a basic wrapper around
0957b409SSimon J. Gerraty * multiplication (inline, should be optimized away).
0957b409SSimon J. Gerraty * TODO: see if some extra speed can be gained here.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic inline void
0957b409SSimon J. Gerratyf256_montysquare(uint64_t *d, const uint64_t *a)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	f256_montymul(d, a, a);
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Convert to Montgomery representation.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic void
0957b409SSimon J. Gerratyf256_tomonty(uint64_t *d, const uint64_t *a)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * R2 = 2^520 mod p.
0957b409SSimon J. Gerraty	 * If R = 2^260 mod p, then R2 = R^2 mod p; and the Montgomery
0957b409SSimon J. Gerraty	 * multiplication of a by R2 is: a*R2/R = a*R mod p, i.e. the
0957b409SSimon J. Gerraty	 * conversion to Montgomery representation.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	static const uint64_t R2[] = {
0957b409SSimon J. Gerraty		0x0000000000300, 0xFFFFFFFF00000, 0xFFFFEFFFFFFFB,
0957b409SSimon J. Gerraty		0xFDFFFFFFFFFFF, 0x0000004FFFFFF
0957b409SSimon J. Gerraty	};
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	f256_montymul(d, a, R2);
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Convert from Montgomery representation.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic void
0957b409SSimon J. Gerratyf256_frommonty(uint64_t *d, const uint64_t *a)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Montgomery multiplication by 1 is division by 2^260 modulo p.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	static const uint64_t one[] = { 1, 0, 0, 0, 0 };
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	f256_montymul(d, a, one);
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Inversion in the field. If the source value is 0 modulo p, then this
0957b409SSimon J. Gerraty * returns 0 or p. This function uses Montgomery representation.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic void
0957b409SSimon J. Gerratyf256_invert(uint64_t *d, const uint64_t *a)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * We compute a^(p-2) mod p. The exponent pattern (from high to
0957b409SSimon J. Gerraty	 * low) is:
0957b409SSimon J. Gerraty	 *  - 32 bits of value 1
0957b409SSimon J. Gerraty	 *  - 31 bits of value 0
0957b409SSimon J. Gerraty	 *  - 1 bit of value 1
0957b409SSimon J. Gerraty	 *  - 96 bits of value 0
0957b409SSimon J. Gerraty	 *  - 94 bits of value 1
0957b409SSimon J. Gerraty	 *  - 1 bit of value 0
0957b409SSimon J. Gerraty	 *  - 1 bit of value 1
0957b409SSimon J. Gerraty	 * To speed up the square-and-multiply algorithm, we precompute
0957b409SSimon J. Gerraty	 * a^(2^31-1).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	uint64_t r[5], t[5];
0957b409SSimon J. Gerraty	int i;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	memcpy(t, a, sizeof t);
0957b409SSimon J. Gerraty	for (i = 0; i < 30; i ++) {
0957b409SSimon J. Gerraty		f256_montysquare(t, t);
0957b409SSimon J. Gerraty		f256_montymul(t, t, a);
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	memcpy(r, t, sizeof t);
0957b409SSimon J. Gerraty	for (i = 224; i >= 0; i --) {
0957b409SSimon J. Gerraty		f256_montysquare(r, r);
0957b409SSimon J. Gerraty		switch (i) {
0957b409SSimon J. Gerraty		case 0:
0957b409SSimon J. Gerraty		case 2:
0957b409SSimon J. Gerraty		case 192:
0957b409SSimon J. Gerraty		case 224:
0957b409SSimon J. Gerraty			f256_montymul(r, r, a);
0957b409SSimon J. Gerraty			break;
0957b409SSimon J. Gerraty		case 3:
0957b409SSimon J. Gerraty		case 34:
0957b409SSimon J. Gerraty		case 65:
0957b409SSimon J. Gerraty			f256_montymul(r, r, t);
0957b409SSimon J. Gerraty			break;
0957b409SSimon J. Gerraty		}
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty	memcpy(d, r, sizeof r);
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Finalize reduction.
0957b409SSimon J. Gerraty * Input value should be partially reduced.
0957b409SSimon J. Gerraty * On output, limbs a[0] to a[3] fit on 52 bits each, limb a[4] fits
0957b409SSimon J. Gerraty * on 48 bits, and the integer is less than p.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic inline void
0957b409SSimon J. Gerratyf256_final_reduce(uint64_t *a)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	uint64_t r[5], t[5], w, cc;
0957b409SSimon J. Gerraty	int i;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Propagate carries to ensure that limbs 0 to 3 fit on 52 bits.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	cc = 0;
0957b409SSimon J. Gerraty	for (i = 0; i < 5; i ++) {
0957b409SSimon J. Gerraty		w = a[i] + cc;
0957b409SSimon J. Gerraty		r[i] = w & MASK52;
0957b409SSimon J. Gerraty		cc = w >> 52;
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * We compute t = r + (2^256 - p) = r + 2^224 - 2^192 - 2^96 + 1.
0957b409SSimon J. Gerraty	 * If t < 2^256, then r < p, and we return r. Otherwise, we
0957b409SSimon J. Gerraty	 * want to return r - p = t - 2^256.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Add 2^224 + 1, and propagate carries to ensure that limbs
0957b409SSimon J. Gerraty	 * t[0] to t[3] fit in 52 bits each.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	w = r[0] + 1;
0957b409SSimon J. Gerraty	t[0] = w & MASK52;
0957b409SSimon J. Gerraty	cc = w >> 52;
0957b409SSimon J. Gerraty	w = r[1] + cc;
0957b409SSimon J. Gerraty	t[1] = w & MASK52;
0957b409SSimon J. Gerraty	cc = w >> 52;
0957b409SSimon J. Gerraty	w = r[2] + cc;
0957b409SSimon J. Gerraty	t[2] = w & MASK52;
0957b409SSimon J. Gerraty	cc = w >> 52;
0957b409SSimon J. Gerraty	w = r[3] + cc;
0957b409SSimon J. Gerraty	t[3] = w & MASK52;
0957b409SSimon J. Gerraty	cc = w >> 52;
0957b409SSimon J. Gerraty	t[4] = r[4] + cc + BIT(16);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Subtract 2^192 + 2^96. Since we just added 2^224 + 1, the
0957b409SSimon J. Gerraty	 * result cannot be negative.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	w = t[1] - BIT(44);
0957b409SSimon J. Gerraty	t[1] = w & MASK52;
0957b409SSimon J. Gerraty	cc = w >> 63;
0957b409SSimon J. Gerraty	w = t[2] - cc;
0957b409SSimon J. Gerraty	t[2] = w & MASK52;
0957b409SSimon J. Gerraty	cc = w >> 63;
*cc9e6590SSimon J. Gerraty	w = t[3] - BIT(36) - cc;
0957b409SSimon J. Gerraty	t[3] = w & MASK52;
0957b409SSimon J. Gerraty	cc = w >> 63;
0957b409SSimon J. Gerraty	t[4] -= cc;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * If the top limb t[4] fits on 48 bits, then r[] is already
0957b409SSimon J. Gerraty	 * in the proper range. Otherwise, t[] is the value to return
0957b409SSimon J. Gerraty	 * (truncated to 256 bits).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	cc = -(t[4] >> 48);
0957b409SSimon J. Gerraty	t[4] &= MASK48;
0957b409SSimon J. Gerraty	for (i = 0; i < 5; i ++) {
0957b409SSimon J. Gerraty		a[i] = r[i] ^ (cc & (r[i] ^ t[i]));
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Points in affine and Jacobian coordinates.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty *  - In affine coordinates, the point-at-infinity cannot be encoded.
0957b409SSimon J. Gerraty *  - Jacobian coordinates (X,Y,Z) correspond to affine (X/Z^2,Y/Z^3);
0957b409SSimon J. Gerraty *    if Z = 0 then this is the point-at-infinity.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratytypedef struct {
0957b409SSimon J. Gerraty	uint64_t x[5];
0957b409SSimon J. Gerraty	uint64_t y[5];
0957b409SSimon J. Gerraty} p256_affine;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerratytypedef struct {
0957b409SSimon J. Gerraty	uint64_t x[5];
0957b409SSimon J. Gerraty	uint64_t y[5];
0957b409SSimon J. Gerraty	uint64_t z[5];
0957b409SSimon J. Gerraty} p256_jacobian;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Decode a field element (unsigned big endian notation).
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic void
0957b409SSimon J. Gerratyf256_decode(uint64_t *a, const unsigned char *buf)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	uint64_t w0, w1, w2, w3;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	w3 = br_dec64be(buf +  0);
0957b409SSimon J. Gerraty	w2 = br_dec64be(buf +  8);
0957b409SSimon J. Gerraty	w1 = br_dec64be(buf + 16);
0957b409SSimon J. Gerraty	w0 = br_dec64be(buf + 24);
0957b409SSimon J. Gerraty	a[0] = w0 & MASK52;
0957b409SSimon J. Gerraty	a[1] = ((w0 >> 52) | (w1 << 12)) & MASK52;
0957b409SSimon J. Gerraty	a[2] = ((w1 >> 40) | (w2 << 24)) & MASK52;
0957b409SSimon J. Gerraty	a[3] = ((w2 >> 28) | (w3 << 36)) & MASK52;
0957b409SSimon J. Gerraty	a[4] = w3 >> 16;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Encode a field element (unsigned big endian notation). The field
0957b409SSimon J. Gerraty * element MUST be fully reduced.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic void
0957b409SSimon J. Gerratyf256_encode(unsigned char *buf, const uint64_t *a)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	uint64_t w0, w1, w2, w3;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	w0 = a[0] | (a[1] << 52);
0957b409SSimon J. Gerraty	w1 = (a[1] >> 12) | (a[2] << 40);
0957b409SSimon J. Gerraty	w2 = (a[2] >> 24) | (a[3] << 28);
0957b409SSimon J. Gerraty	w3 = (a[3] >> 36) | (a[4] << 16);
0957b409SSimon J. Gerraty	br_enc64be(buf +  0, w3);
0957b409SSimon J. Gerraty	br_enc64be(buf +  8, w2);
0957b409SSimon J. Gerraty	br_enc64be(buf + 16, w1);
0957b409SSimon J. Gerraty	br_enc64be(buf + 24, w0);
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Decode a point. The returned point is in Jacobian coordinates, but
0957b409SSimon J. Gerraty * with z = 1. If the encoding is invalid, or encodes a point which is
0957b409SSimon J. Gerraty * not on the curve, or encodes the point at infinity, then this function
0957b409SSimon J. Gerraty * returns 0. Otherwise, 1 is returned.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * The buffer is assumed to have length exactly 65 bytes.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic uint32_t
0957b409SSimon J. Gerratypoint_decode(p256_jacobian *P, const unsigned char *buf)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	uint64_t x[5], y[5], t[5], x3[5], tt;
0957b409SSimon J. Gerraty	uint32_t r;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Header byte shall be 0x04.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	r = EQ(buf[0], 0x04);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Decode X and Y coordinates, and convert them into
0957b409SSimon J. Gerraty	 * Montgomery representation.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_decode(x, buf +  1);
0957b409SSimon J. Gerraty	f256_decode(y, buf + 33);
0957b409SSimon J. Gerraty	f256_tomonty(x, x);
0957b409SSimon J. Gerraty	f256_tomonty(y, y);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Verify y^2 = x^3 + A*x + B. In curve P-256, A = -3.
0957b409SSimon J. Gerraty	 * Note that the Montgomery representation of 0 is 0. We must
0957b409SSimon J. Gerraty	 * take care to apply the final reduction to make sure we have
0957b409SSimon J. Gerraty	 * 0 and not p.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t, y);
0957b409SSimon J. Gerraty	f256_montysquare(x3, x);
0957b409SSimon J. Gerraty	f256_montymul(x3, x3, x);
0957b409SSimon J. Gerraty	f256_sub(t, t, x3);
0957b409SSimon J. Gerraty	f256_add(t, t, x);
0957b409SSimon J. Gerraty	f256_add(t, t, x);
0957b409SSimon J. Gerraty	f256_add(t, t, x);
0957b409SSimon J. Gerraty	f256_sub(t, t, P256_B_MONTY);
0957b409SSimon J. Gerraty	f256_final_reduce(t);
0957b409SSimon J. Gerraty	tt = t[0] | t[1] | t[2] | t[3] | t[4];
0957b409SSimon J. Gerraty	r &= EQ((uint32_t)(tt | (tt >> 32)), 0);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Return the point in Jacobian coordinates (and Montgomery
0957b409SSimon J. Gerraty	 * representation).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	memcpy(P->x, x, sizeof x);
0957b409SSimon J. Gerraty	memcpy(P->y, y, sizeof y);
0957b409SSimon J. Gerraty	memcpy(P->z, F256_R, sizeof F256_R);
0957b409SSimon J. Gerraty	return r;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Final conversion for a point:
0957b409SSimon J. Gerraty *  - The point is converted back to affine coordinates.
0957b409SSimon J. Gerraty *  - Final reduction is performed.
0957b409SSimon J. Gerraty *  - The point is encoded into the provided buffer.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * If the point is the point-at-infinity, all operations are performed,
0957b409SSimon J. Gerraty * but the buffer contents are indeterminate, and 0 is returned. Otherwise,
0957b409SSimon J. Gerraty * the encoded point is written in the buffer, and 1 is returned.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic uint32_t
0957b409SSimon J. Gerratypoint_encode(unsigned char *buf, const p256_jacobian *P)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	uint64_t t1[5], t2[5], z;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/* Set t1 = 1/z^2 and t2 = 1/z^3. */
0957b409SSimon J. Gerraty	f256_invert(t2, P->z);
0957b409SSimon J. Gerraty	f256_montysquare(t1, t2);
0957b409SSimon J. Gerraty	f256_montymul(t2, t2, t1);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/* Compute affine coordinates x (in t1) and y (in t2). */
0957b409SSimon J. Gerraty	f256_montymul(t1, P->x, t1);
0957b409SSimon J. Gerraty	f256_montymul(t2, P->y, t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/* Convert back from Montgomery representation, and finalize
0957b409SSimon J. Gerraty	   reductions. */
0957b409SSimon J. Gerraty	f256_frommonty(t1, t1);
0957b409SSimon J. Gerraty	f256_frommonty(t2, t2);
0957b409SSimon J. Gerraty	f256_final_reduce(t1);
0957b409SSimon J. Gerraty	f256_final_reduce(t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/* Encode. */
0957b409SSimon J. Gerraty	buf[0] = 0x04;
0957b409SSimon J. Gerraty	f256_encode(buf +  1, t1);
0957b409SSimon J. Gerraty	f256_encode(buf + 33, t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/* Return success if and only if P->z != 0. */
0957b409SSimon J. Gerraty	z = P->z[0] | P->z[1] | P->z[2] | P->z[3] | P->z[4];
0957b409SSimon J. Gerraty	return NEQ((uint32_t)(z | z >> 32), 0);
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Point doubling in Jacobian coordinates: point P is doubled.
0957b409SSimon J. Gerraty * Note: if the source point is the point-at-infinity, then the result is
0957b409SSimon J. Gerraty * still the point-at-infinity, which is correct. Moreover, if the three
0957b409SSimon J. Gerraty * coordinates were zero, then they still are zero in the returned value.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic void
0957b409SSimon J. Gerratyp256_double(p256_jacobian *P)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Doubling formulas are:
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *   s = 4*x*y^2
0957b409SSimon J. Gerraty	 *   m = 3*(x + z^2)*(x - z^2)
0957b409SSimon J. Gerraty	 *   x' = m^2 - 2*s
0957b409SSimon J. Gerraty	 *   y' = m*(s - x') - 8*y^4
0957b409SSimon J. Gerraty	 *   z' = 2*y*z
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * These formulas work for all points, including points of order 2
0957b409SSimon J. Gerraty	 * and points at infinity:
0957b409SSimon J. Gerraty	 *   - If y = 0 then z' = 0. But there is no such point in P-256
0957b409SSimon J. Gerraty	 *     anyway.
0957b409SSimon J. Gerraty	 *   - If z = 0 then z' = 0.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	uint64_t t1[5], t2[5], t3[5], t4[5];
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute z^2 in t1.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t1, P->z);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute x-z^2 in t2 and x+z^2 in t1.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_add(t2, P->x, t1);
0957b409SSimon J. Gerraty	f256_sub(t1, P->x, t1);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute 3*(x+z^2)*(x-z^2) in t1.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montymul(t3, t1, t2);
0957b409SSimon J. Gerraty	f256_add(t1, t3, t3);
0957b409SSimon J. Gerraty	f256_add(t1, t3, t1);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute 4*x*y^2 (in t2) and 2*y^2 (in t3).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t3, P->y);
0957b409SSimon J. Gerraty	f256_add(t3, t3, t3);
0957b409SSimon J. Gerraty	f256_montymul(t2, P->x, t3);
0957b409SSimon J. Gerraty	f256_add(t2, t2, t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute x' = m^2 - 2*s.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(P->x, t1);
0957b409SSimon J. Gerraty	f256_sub(P->x, P->x, t2);
0957b409SSimon J. Gerraty	f256_sub(P->x, P->x, t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute z' = 2*y*z.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montymul(t4, P->y, P->z);
0957b409SSimon J. Gerraty	f256_add(P->z, t4, t4);
0957b409SSimon J. Gerraty	f256_partial_reduce(P->z);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute y' = m*(s - x') - 8*y^4. Note that we already have
0957b409SSimon J. Gerraty	 * 2*y^2 in t3.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_sub(t2, t2, P->x);
0957b409SSimon J. Gerraty	f256_montymul(P->y, t1, t2);
0957b409SSimon J. Gerraty	f256_montysquare(t4, t3);
0957b409SSimon J. Gerraty	f256_add(t4, t4, t4);
0957b409SSimon J. Gerraty	f256_sub(P->y, P->y, t4);
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Point addition (Jacobian coordinates): P1 is replaced with P1+P2.
0957b409SSimon J. Gerraty * This function computes the wrong result in the following cases:
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty *   - If P1 == 0 but P2 != 0
0957b409SSimon J. Gerraty *   - If P1 != 0 but P2 == 0
0957b409SSimon J. Gerraty *   - If P1 == P2
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * In all three cases, P1 is set to the point at infinity.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * Returned value is 0 if one of the following occurs:
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty *   - P1 and P2 have the same Y coordinate.
0957b409SSimon J. Gerraty *   - P1 == 0 and P2 == 0.
0957b409SSimon J. Gerraty *   - The Y coordinate of one of the points is 0 and the other point is
0957b409SSimon J. Gerraty *     the point at infinity.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * The third case cannot actually happen with valid points, since a point
0957b409SSimon J. Gerraty * with Y == 0 is a point of order 2, and there is no point of order 2 on
0957b409SSimon J. Gerraty * curve P-256.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * Therefore, assuming that P1 != 0 and P2 != 0 on input, then the caller
0957b409SSimon J. Gerraty * can apply the following:
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty *   - If the result is not the point at infinity, then it is correct.
0957b409SSimon J. Gerraty *   - Otherwise, if the returned value is 1, then this is a case of
0957b409SSimon J. Gerraty *     P1+P2 == 0, so the result is indeed the point at infinity.
0957b409SSimon J. Gerraty *   - Otherwise, P1 == P2, so a "double" operation should have been
0957b409SSimon J. Gerraty *     performed.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * Note that you can get a returned value of 0 with a correct result,
0957b409SSimon J. Gerraty * e.g. if P1 and P2 have the same Y coordinate, but distinct X coordinates.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic uint32_t
0957b409SSimon J. Gerratyp256_add(p256_jacobian *P1, const p256_jacobian *P2)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Addtions formulas are:
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *   u1 = x1 * z2^2
0957b409SSimon J. Gerraty	 *   u2 = x2 * z1^2
0957b409SSimon J. Gerraty	 *   s1 = y1 * z2^3
0957b409SSimon J. Gerraty	 *   s2 = y2 * z1^3
0957b409SSimon J. Gerraty	 *   h = u2 - u1
0957b409SSimon J. Gerraty	 *   r = s2 - s1
0957b409SSimon J. Gerraty	 *   x3 = r^2 - h^3 - 2 * u1 * h^2
0957b409SSimon J. Gerraty	 *   y3 = r * (u1 * h^2 - x3) - s1 * h^3
0957b409SSimon J. Gerraty	 *   z3 = h * z1 * z2
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	uint64_t t1[5], t2[5], t3[5], t4[5], t5[5], t6[5], t7[5], tt;
0957b409SSimon J. Gerraty	uint32_t ret;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute u1 = x1*z2^2 (in t1) and s1 = y1*z2^3 (in t3).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t3, P2->z);
0957b409SSimon J. Gerraty	f256_montymul(t1, P1->x, t3);
0957b409SSimon J. Gerraty	f256_montymul(t4, P2->z, t3);
0957b409SSimon J. Gerraty	f256_montymul(t3, P1->y, t4);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t4, P1->z);
0957b409SSimon J. Gerraty	f256_montymul(t2, P2->x, t4);
0957b409SSimon J. Gerraty	f256_montymul(t5, P1->z, t4);
0957b409SSimon J. Gerraty	f256_montymul(t4, P2->y, t5);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute h = h2 - u1 (in t2) and r = s2 - s1 (in t4).
0957b409SSimon J. Gerraty	 * We need to test whether r is zero, so we will do some extra
0957b409SSimon J. Gerraty	 * reduce.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_sub(t2, t2, t1);
0957b409SSimon J. Gerraty	f256_sub(t4, t4, t3);
0957b409SSimon J. Gerraty	f256_final_reduce(t4);
0957b409SSimon J. Gerraty	tt = t4[0] | t4[1] | t4[2] | t4[3] | t4[4];
0957b409SSimon J. Gerraty	ret = (uint32_t)(tt | (tt >> 32));
0957b409SSimon J. Gerraty	ret = (ret | -ret) >> 31;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute u1*h^2 (in t6) and h^3 (in t5);
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t7, t2);
0957b409SSimon J. Gerraty	f256_montymul(t6, t1, t7);
0957b409SSimon J. Gerraty	f256_montymul(t5, t7, t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute x3 = r^2 - h^3 - 2*u1*h^2.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(P1->x, t4);
0957b409SSimon J. Gerraty	f256_sub(P1->x, P1->x, t5);
0957b409SSimon J. Gerraty	f256_sub(P1->x, P1->x, t6);
0957b409SSimon J. Gerraty	f256_sub(P1->x, P1->x, t6);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_sub(t6, t6, P1->x);
0957b409SSimon J. Gerraty	f256_montymul(P1->y, t4, t6);
0957b409SSimon J. Gerraty	f256_montymul(t1, t5, t3);
0957b409SSimon J. Gerraty	f256_sub(P1->y, P1->y, t1);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute z3 = h*z1*z2.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montymul(t1, P1->z, P2->z);
0957b409SSimon J. Gerraty	f256_montymul(P1->z, t1, t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	return ret;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Point addition (mixed coordinates): P1 is replaced with P1+P2.
0957b409SSimon J. Gerraty * This is a specialised function for the case when P2 is a non-zero point
0957b409SSimon J. Gerraty * in affine coordinates.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * This function computes the wrong result in the following cases:
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty *   - If P1 == 0
0957b409SSimon J. Gerraty *   - If P1 == P2
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * In both cases, P1 is set to the point at infinity.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * Returned value is 0 if one of the following occurs:
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty *   - P1 and P2 have the same Y (affine) coordinate.
0957b409SSimon J. Gerraty *   - The Y coordinate of P2 is 0 and P1 is the point at infinity.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * The second case cannot actually happen with valid points, since a point
0957b409SSimon J. Gerraty * with Y == 0 is a point of order 2, and there is no point of order 2 on
0957b409SSimon J. Gerraty * curve P-256.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * Therefore, assuming that P1 != 0 on input, then the caller
0957b409SSimon J. Gerraty * can apply the following:
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty *   - If the result is not the point at infinity, then it is correct.
0957b409SSimon J. Gerraty *   - Otherwise, if the returned value is 1, then this is a case of
0957b409SSimon J. Gerraty *     P1+P2 == 0, so the result is indeed the point at infinity.
0957b409SSimon J. Gerraty *   - Otherwise, P1 == P2, so a "double" operation should have been
0957b409SSimon J. Gerraty *     performed.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * Again, a value of 0 may be returned in some cases where the addition
0957b409SSimon J. Gerraty * result is correct.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic uint32_t
0957b409SSimon J. Gerratyp256_add_mixed(p256_jacobian *P1, const p256_affine *P2)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Addtions formulas are:
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *   u1 = x1
0957b409SSimon J. Gerraty	 *   u2 = x2 * z1^2
0957b409SSimon J. Gerraty	 *   s1 = y1
0957b409SSimon J. Gerraty	 *   s2 = y2 * z1^3
0957b409SSimon J. Gerraty	 *   h = u2 - u1
0957b409SSimon J. Gerraty	 *   r = s2 - s1
0957b409SSimon J. Gerraty	 *   x3 = r^2 - h^3 - 2 * u1 * h^2
0957b409SSimon J. Gerraty	 *   y3 = r * (u1 * h^2 - x3) - s1 * h^3
0957b409SSimon J. Gerraty	 *   z3 = h * z1
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	uint64_t t1[5], t2[5], t3[5], t4[5], t5[5], t6[5], t7[5], tt;
0957b409SSimon J. Gerraty	uint32_t ret;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute u1 = x1 (in t1) and s1 = y1 (in t3).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	memcpy(t1, P1->x, sizeof t1);
0957b409SSimon J. Gerraty	memcpy(t3, P1->y, sizeof t3);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t4, P1->z);
0957b409SSimon J. Gerraty	f256_montymul(t2, P2->x, t4);
0957b409SSimon J. Gerraty	f256_montymul(t5, P1->z, t4);
0957b409SSimon J. Gerraty	f256_montymul(t4, P2->y, t5);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute h = h2 - u1 (in t2) and r = s2 - s1 (in t4).
0957b409SSimon J. Gerraty	 * We need to test whether r is zero, so we will do some extra
0957b409SSimon J. Gerraty	 * reduce.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_sub(t2, t2, t1);
0957b409SSimon J. Gerraty	f256_sub(t4, t4, t3);
0957b409SSimon J. Gerraty	f256_final_reduce(t4);
0957b409SSimon J. Gerraty	tt = t4[0] | t4[1] | t4[2] | t4[3] | t4[4];
0957b409SSimon J. Gerraty	ret = (uint32_t)(tt | (tt >> 32));
0957b409SSimon J. Gerraty	ret = (ret | -ret) >> 31;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute u1*h^2 (in t6) and h^3 (in t5);
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t7, t2);
0957b409SSimon J. Gerraty	f256_montymul(t6, t1, t7);
0957b409SSimon J. Gerraty	f256_montymul(t5, t7, t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute x3 = r^2 - h^3 - 2*u1*h^2.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(P1->x, t4);
0957b409SSimon J. Gerraty	f256_sub(P1->x, P1->x, t5);
0957b409SSimon J. Gerraty	f256_sub(P1->x, P1->x, t6);
0957b409SSimon J. Gerraty	f256_sub(P1->x, P1->x, t6);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_sub(t6, t6, P1->x);
0957b409SSimon J. Gerraty	f256_montymul(P1->y, t4, t6);
0957b409SSimon J. Gerraty	f256_montymul(t1, t5, t3);
0957b409SSimon J. Gerraty	f256_sub(P1->y, P1->y, t1);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute z3 = h*z1*z2.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montymul(P1->z, P1->z, t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	return ret;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#if 0
0957b409SSimon J. Gerraty/* unused */
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Point addition (mixed coordinates, complete): P1 is replaced with P1+P2.
0957b409SSimon J. Gerraty * This is a specialised function for the case when P2 is a non-zero point
0957b409SSimon J. Gerraty * in affine coordinates.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * This function returns the correct result in all cases.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic uint32_t
0957b409SSimon J. Gerratyp256_add_complete_mixed(p256_jacobian *P1, const p256_affine *P2)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Addtions formulas, in the general case, are:
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *   u1 = x1
0957b409SSimon J. Gerraty	 *   u2 = x2 * z1^2
0957b409SSimon J. Gerraty	 *   s1 = y1
0957b409SSimon J. Gerraty	 *   s2 = y2 * z1^3
0957b409SSimon J. Gerraty	 *   h = u2 - u1
0957b409SSimon J. Gerraty	 *   r = s2 - s1
0957b409SSimon J. Gerraty	 *   x3 = r^2 - h^3 - 2 * u1 * h^2
0957b409SSimon J. Gerraty	 *   y3 = r * (u1 * h^2 - x3) - s1 * h^3
0957b409SSimon J. Gerraty	 *   z3 = h * z1
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * These formulas mishandle the two following cases:
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *  - If P1 is the point-at-infinity (z1 = 0), then z3 is
0957b409SSimon J. Gerraty	 *    incorrectly set to 0.
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *  - If P1 = P2, then u1 = u2 and s1 = s2, and x3, y3 and z3
0957b409SSimon J. Gerraty	 *    are all set to 0.
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * However, if P1 + P2 = 0, then u1 = u2 but s1 != s2, and then
0957b409SSimon J. Gerraty	 * we correctly get z3 = 0 (the point-at-infinity).
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * To fix the case P1 = 0, we perform at the end a copy of P2
0957b409SSimon J. Gerraty	 * over P1, conditional to z1 = 0.
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * For P1 = P2: in that case, both h and r are set to 0, and
0957b409SSimon J. Gerraty	 * we get x3, y3 and z3 equal to 0. We can test for that
0957b409SSimon J. Gerraty	 * occurrence to make a mask which will be all-one if P1 = P2,
0957b409SSimon J. Gerraty	 * or all-zero otherwise; then we can compute the double of P2
0957b409SSimon J. Gerraty	 * and add it, combined with the mask, to (x3,y3,z3).
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * Using the doubling formulas in p256_double() on (x2,y2),
0957b409SSimon J. Gerraty	 * simplifying since P2 is affine (i.e. z2 = 1, implicitly),
0957b409SSimon J. Gerraty	 * we get:
0957b409SSimon J. Gerraty	 *   s = 4*x2*y2^2
0957b409SSimon J. Gerraty	 *   m = 3*(x2 + 1)*(x2 - 1)
0957b409SSimon J. Gerraty	 *   x' = m^2 - 2*s
0957b409SSimon J. Gerraty	 *   y' = m*(s - x') - 8*y2^4
0957b409SSimon J. Gerraty	 *   z' = 2*y2
0957b409SSimon J. Gerraty	 * which requires only 6 multiplications. Added to the 11
0957b409SSimon J. Gerraty	 * multiplications of the normal mixed addition in Jacobian
0957b409SSimon J. Gerraty	 * coordinates, we get a cost of 17 multiplications in total.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	uint64_t t1[5], t2[5], t3[5], t4[5], t5[5], t6[5], t7[5], tt, zz;
0957b409SSimon J. Gerraty	int i;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Set zz to -1 if P1 is the point at infinity, 0 otherwise.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	zz = P1->z[0] | P1->z[1] | P1->z[2] | P1->z[3] | P1->z[4];
0957b409SSimon J. Gerraty	zz = ((zz | -zz) >> 63) - (uint64_t)1;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute u1 = x1 (in t1) and s1 = y1 (in t3).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	memcpy(t1, P1->x, sizeof t1);
0957b409SSimon J. Gerraty	memcpy(t3, P1->y, sizeof t3);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t4, P1->z);
0957b409SSimon J. Gerraty	f256_montymul(t2, P2->x, t4);
0957b409SSimon J. Gerraty	f256_montymul(t5, P1->z, t4);
0957b409SSimon J. Gerraty	f256_montymul(t4, P2->y, t5);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute h = h2 - u1 (in t2) and r = s2 - s1 (in t4).
0957b409SSimon J. Gerraty	 * reduce.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_sub(t2, t2, t1);
0957b409SSimon J. Gerraty	f256_sub(t4, t4, t3);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * If both h = 0 and r = 0, then P1 = P2, and we want to set
0957b409SSimon J. Gerraty	 * the mask tt to -1; otherwise, the mask will be 0.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_final_reduce(t2);
0957b409SSimon J. Gerraty	f256_final_reduce(t4);
0957b409SSimon J. Gerraty	tt = t2[0] | t2[1] | t2[2] | t2[3] | t2[4]
0957b409SSimon J. Gerraty		| t4[0] | t4[1] | t4[2] | t4[3] | t4[4];
0957b409SSimon J. Gerraty	tt = ((tt | -tt) >> 63) - (uint64_t)1;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute u1*h^2 (in t6) and h^3 (in t5);
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t7, t2);
0957b409SSimon J. Gerraty	f256_montymul(t6, t1, t7);
0957b409SSimon J. Gerraty	f256_montymul(t5, t7, t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute x3 = r^2 - h^3 - 2*u1*h^2.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(P1->x, t4);
0957b409SSimon J. Gerraty	f256_sub(P1->x, P1->x, t5);
0957b409SSimon J. Gerraty	f256_sub(P1->x, P1->x, t6);
0957b409SSimon J. Gerraty	f256_sub(P1->x, P1->x, t6);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_sub(t6, t6, P1->x);
0957b409SSimon J. Gerraty	f256_montymul(P1->y, t4, t6);
0957b409SSimon J. Gerraty	f256_montymul(t1, t5, t3);
0957b409SSimon J. Gerraty	f256_sub(P1->y, P1->y, t1);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute z3 = h*z1.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montymul(P1->z, P1->z, t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * The "double" result, in case P1 = P2.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute z' = 2*y2 (in t1).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_add(t1, P2->y, P2->y);
0957b409SSimon J. Gerraty	f256_partial_reduce(t1);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute 2*(y2^2) (in t2) and s = 4*x2*(y2^2) (in t3).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t2, P2->y);
0957b409SSimon J. Gerraty	f256_add(t2, t2, t2);
0957b409SSimon J. Gerraty	f256_add(t3, t2, t2);
0957b409SSimon J. Gerraty	f256_montymul(t3, P2->x, t3);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute m = 3*(x2^2 - 1) (in t4).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t4, P2->x);
0957b409SSimon J. Gerraty	f256_sub(t4, t4, F256_R);
0957b409SSimon J. Gerraty	f256_add(t5, t4, t4);
0957b409SSimon J. Gerraty	f256_add(t4, t4, t5);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute x' = m^2 - 2*s (in t5).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t5, t4);
0957b409SSimon J. Gerraty	f256_sub(t5, t3);
0957b409SSimon J. Gerraty	f256_sub(t5, t3);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute y' = m*(s - x') - 8*y2^4 (in t6).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_sub(t6, t3, t5);
0957b409SSimon J. Gerraty	f256_montymul(t6, t6, t4);
0957b409SSimon J. Gerraty	f256_montysquare(t7, t2);
0957b409SSimon J. Gerraty	f256_sub(t6, t6, t7);
0957b409SSimon J. Gerraty	f256_sub(t6, t6, t7);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * We now have the alternate (doubling) coordinates in (t5,t6,t1).
0957b409SSimon J. Gerraty	 * We combine them with (x3,y3,z3).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	for (i = 0; i < 5; i ++) {
0957b409SSimon J. Gerraty		P1->x[i] |= tt & t5[i];
0957b409SSimon J. Gerraty		P1->y[i] |= tt & t6[i];
0957b409SSimon J. Gerraty		P1->z[i] |= tt & t1[i];
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * If P1 = 0, then we get z3 = 0 (which is invalid); if z1 is 0,
0957b409SSimon J. Gerraty	 * then we want to replace the result with a copy of P2. The
0957b409SSimon J. Gerraty	 * test on z1 was done at the start, in the zz mask.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	for (i = 0; i < 5; i ++) {
0957b409SSimon J. Gerraty		P1->x[i] ^= zz & (P1->x[i] ^ P2->x[i]);
0957b409SSimon J. Gerraty		P1->y[i] ^= zz & (P1->y[i] ^ P2->y[i]);
0957b409SSimon J. Gerraty		P1->z[i] ^= zz & (P1->z[i] ^ F256_R[i]);
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty#endif
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Inner function for computing a point multiplication. A window is
0957b409SSimon J. Gerraty * provided, with points 1*P to 15*P in affine coordinates.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * Assumptions:
0957b409SSimon J. Gerraty *  - All provided points are valid points on the curve.
0957b409SSimon J. Gerraty *  - Multiplier is non-zero, and smaller than the curve order.
0957b409SSimon J. Gerraty *  - Everything is in Montgomery representation.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic void
0957b409SSimon J. Gerratypoint_mul_inner(p256_jacobian *R, const p256_affine *W,
0957b409SSimon J. Gerraty	const unsigned char *k, size_t klen)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	p256_jacobian Q;
0957b409SSimon J. Gerraty	uint32_t qz;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	memset(&Q, 0, sizeof Q);
0957b409SSimon J. Gerraty	qz = 1;
0957b409SSimon J. Gerraty	while (klen -- > 0) {
0957b409SSimon J. Gerraty		int i;
0957b409SSimon J. Gerraty		unsigned bk;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		bk = *k ++;
0957b409SSimon J. Gerraty		for (i = 0; i < 2; i ++) {
0957b409SSimon J. Gerraty			uint32_t bits;
0957b409SSimon J. Gerraty			uint32_t bnz;
0957b409SSimon J. Gerraty			p256_affine T;
0957b409SSimon J. Gerraty			p256_jacobian U;
0957b409SSimon J. Gerraty			uint32_t n;
0957b409SSimon J. Gerraty			int j;
0957b409SSimon J. Gerraty			uint64_t m;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty			p256_double(&Q);
0957b409SSimon J. Gerraty			p256_double(&Q);
0957b409SSimon J. Gerraty			p256_double(&Q);
0957b409SSimon J. Gerraty			p256_double(&Q);
0957b409SSimon J. Gerraty			bits = (bk >> 4) & 0x0F;
0957b409SSimon J. Gerraty			bnz = NEQ(bits, 0);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty			/*
0957b409SSimon J. Gerraty			 * Lookup point in window. If the bits are 0,
0957b409SSimon J. Gerraty			 * we get something invalid, which is not a
0957b409SSimon J. Gerraty			 * problem because we will use it only if the
0957b409SSimon J. Gerraty			 * bits are non-zero.
0957b409SSimon J. Gerraty			 */
0957b409SSimon J. Gerraty			memset(&T, 0, sizeof T);
0957b409SSimon J. Gerraty			for (n = 0; n < 15; n ++) {
0957b409SSimon J. Gerraty				m = -(uint64_t)EQ(bits, n + 1);
0957b409SSimon J. Gerraty				T.x[0] |= m & W[n].x[0];
0957b409SSimon J. Gerraty				T.x[1] |= m & W[n].x[1];
0957b409SSimon J. Gerraty				T.x[2] |= m & W[n].x[2];
0957b409SSimon J. Gerraty				T.x[3] |= m & W[n].x[3];
0957b409SSimon J. Gerraty				T.x[4] |= m & W[n].x[4];
0957b409SSimon J. Gerraty				T.y[0] |= m & W[n].y[0];
0957b409SSimon J. Gerraty				T.y[1] |= m & W[n].y[1];
0957b409SSimon J. Gerraty				T.y[2] |= m & W[n].y[2];
0957b409SSimon J. Gerraty				T.y[3] |= m & W[n].y[3];
0957b409SSimon J. Gerraty				T.y[4] |= m & W[n].y[4];
0957b409SSimon J. Gerraty			}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty			U = Q;
0957b409SSimon J. Gerraty			p256_add_mixed(&U, &T);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty			/*
0957b409SSimon J. Gerraty			 * If qz is still 1, then Q was all-zeros, and this
0957b409SSimon J. Gerraty			 * is conserved through p256_double().
0957b409SSimon J. Gerraty			 */
0957b409SSimon J. Gerraty			m = -(uint64_t)(bnz & qz);
0957b409SSimon J. Gerraty			for (j = 0; j < 5; j ++) {
0957b409SSimon J. Gerraty				Q.x[j] ^= m & (Q.x[j] ^ T.x[j]);
0957b409SSimon J. Gerraty				Q.y[j] ^= m & (Q.y[j] ^ T.y[j]);
0957b409SSimon J. Gerraty				Q.z[j] ^= m & (Q.z[j] ^ F256_R[j]);
0957b409SSimon J. Gerraty			}
0957b409SSimon J. Gerraty			CCOPY(bnz & ~qz, &Q, &U, sizeof Q);
0957b409SSimon J. Gerraty			qz &= ~bnz;
0957b409SSimon J. Gerraty			bk <<= 4;
0957b409SSimon J. Gerraty		}
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty	*R = Q;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Convert a window from Jacobian to affine coordinates. A single
0957b409SSimon J. Gerraty * field inversion is used. This function works for windows up to
0957b409SSimon J. Gerraty * 32 elements.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * The destination array (aff[]) and the source array (jac[]) may
0957b409SSimon J. Gerraty * overlap, provided that the start of aff[] is not after the start of
0957b409SSimon J. Gerraty * jac[]. Even if the arrays do _not_ overlap, the source array is
0957b409SSimon J. Gerraty * modified.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic void
0957b409SSimon J. Gerratywindow_to_affine(p256_affine *aff, p256_jacobian *jac, int num)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Convert the window points to affine coordinates. We use the
0957b409SSimon J. Gerraty	 * following trick to mutualize the inversion computation: if
0957b409SSimon J. Gerraty	 * we have z1, z2, z3, and z4, and want to invert all of them,
0957b409SSimon J. Gerraty	 * we compute u = 1/(z1*z2*z3*z4), and then we have:
0957b409SSimon J. Gerraty	 *   1/z1 = u*z2*z3*z4
0957b409SSimon J. Gerraty	 *   1/z2 = u*z1*z3*z4
0957b409SSimon J. Gerraty	 *   1/z3 = u*z1*z2*z4
0957b409SSimon J. Gerraty	 *   1/z4 = u*z1*z2*z3
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * The partial products are computed recursively:
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *  - on input (z_1,z_2), return (z_2,z_1) and z_1*z_2
0957b409SSimon J. Gerraty	 *  - on input (z_1,z_2,... z_n):
0957b409SSimon J. Gerraty	 *       recurse on (z_1,z_2,... z_(n/2)) -> r1 and m1
0957b409SSimon J. Gerraty	 *       recurse on (z_(n/2+1),z_(n/2+2)... z_n) -> r2 and m2
0957b409SSimon J. Gerraty	 *       multiply elements of r1 by m2 -> s1
0957b409SSimon J. Gerraty	 *       multiply elements of r2 by m1 -> s2
0957b409SSimon J. Gerraty	 *       return r1||r2 and m1*m2
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * In the example below, we suppose that we have 14 elements.
0957b409SSimon J. Gerraty	 * Let z1, z2,... zE be the 14 values to invert (index noted in
0957b409SSimon J. Gerraty	 * hexadecimal, starting at 1).
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *  - Depth 1:
0957b409SSimon J. Gerraty	 *      swap(z1, z2); z12 = z1*z2
0957b409SSimon J. Gerraty	 *      swap(z3, z4); z34 = z3*z4
0957b409SSimon J. Gerraty	 *      swap(z5, z6); z56 = z5*z6
0957b409SSimon J. Gerraty	 *      swap(z7, z8); z78 = z7*z8
0957b409SSimon J. Gerraty	 *      swap(z9, zA); z9A = z9*zA
0957b409SSimon J. Gerraty	 *      swap(zB, zC); zBC = zB*zC
0957b409SSimon J. Gerraty	 *      swap(zD, zE); zDE = zD*zE
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *  - Depth 2:
0957b409SSimon J. Gerraty	 *      z1 <- z1*z34, z2 <- z2*z34, z3 <- z3*z12, z4 <- z4*z12
0957b409SSimon J. Gerraty	 *      z1234 = z12*z34
0957b409SSimon J. Gerraty	 *      z5 <- z5*z78, z6 <- z6*z78, z7 <- z7*z56, z8 <- z8*z56
0957b409SSimon J. Gerraty	 *      z5678 = z56*z78
0957b409SSimon J. Gerraty	 *      z9 <- z9*zBC, zA <- zA*zBC, zB <- zB*z9A, zC <- zC*z9A
0957b409SSimon J. Gerraty	 *      z9ABC = z9A*zBC
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *  - Depth 3:
0957b409SSimon J. Gerraty	 *      z1 <- z1*z5678, z2 <- z2*z5678, z3 <- z3*z5678, z4 <- z4*z5678
0957b409SSimon J. Gerraty	 *      z5 <- z5*z1234, z6 <- z6*z1234, z7 <- z7*z1234, z8 <- z8*z1234
0957b409SSimon J. Gerraty	 *      z12345678 = z1234*z5678
0957b409SSimon J. Gerraty	 *      z9 <- z9*zDE, zA <- zA*zDE, zB <- zB*zDE, zC <- zC*zDE
0957b409SSimon J. Gerraty	 *      zD <- zD*z9ABC, zE*z9ABC
0957b409SSimon J. Gerraty	 *      z9ABCDE = z9ABC*zDE
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *  - Depth 4:
0957b409SSimon J. Gerraty	 *      multiply z1..z8 by z9ABCDE
0957b409SSimon J. Gerraty	 *      multiply z9..zE by z12345678
0957b409SSimon J. Gerraty	 *      final z = z12345678*z9ABCDE
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	uint64_t z[16][5];
0957b409SSimon J. Gerraty	int i, k, s;
0957b409SSimon J. Gerraty#define zt   (z[15])
0957b409SSimon J. Gerraty#define zu   (z[14])
0957b409SSimon J. Gerraty#define zv   (z[13])
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * First recursion step (pairwise swapping and multiplication).
0957b409SSimon J. Gerraty	 * If there is an odd number of elements, then we "invent" an
0957b409SSimon J. Gerraty	 * extra one with coordinate Z = 1 (in Montgomery representation).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	for (i = 0; (i + 1) < num; i += 2) {
0957b409SSimon J. Gerraty		memcpy(zt, jac[i].z, sizeof zt);
0957b409SSimon J. Gerraty		memcpy(jac[i].z, jac[i + 1].z, sizeof zt);
0957b409SSimon J. Gerraty		memcpy(jac[i + 1].z, zt, sizeof zt);
0957b409SSimon J. Gerraty		f256_montymul(z[i >> 1], jac[i].z, jac[i + 1].z);
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty	if ((num & 1) != 0) {
0957b409SSimon J. Gerraty		memcpy(z[num >> 1], jac[num - 1].z, sizeof zt);
0957b409SSimon J. Gerraty		memcpy(jac[num - 1].z, F256_R, sizeof F256_R);
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Perform further recursion steps. At the entry of each step,
0957b409SSimon J. Gerraty	 * the process has been done for groups of 's' points. The
0957b409SSimon J. Gerraty	 * integer k is the log2 of s.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	for (k = 1, s = 2; s < num; k ++, s <<= 1) {
0957b409SSimon J. Gerraty		int n;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		for (i = 0; i < num; i ++) {
0957b409SSimon J. Gerraty			f256_montymul(jac[i].z, jac[i].z, z[(i >> k) ^ 1]);
0957b409SSimon J. Gerraty		}
0957b409SSimon J. Gerraty		n = (num + s - 1) >> k;
0957b409SSimon J. Gerraty		for (i = 0; i < (n >> 1); i ++) {
0957b409SSimon J. Gerraty			f256_montymul(z[i], z[i << 1], z[(i << 1) + 1]);
0957b409SSimon J. Gerraty		}
0957b409SSimon J. Gerraty		if ((n & 1) != 0) {
0957b409SSimon J. Gerraty			memmove(z[n >> 1], z[n], sizeof zt);
0957b409SSimon J. Gerraty		}
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Invert the final result, and convert all points.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_invert(zt, z[0]);
0957b409SSimon J. Gerraty	for (i = 0; i < num; i ++) {
0957b409SSimon J. Gerraty		f256_montymul(zv, jac[i].z, zt);
0957b409SSimon J. Gerraty		f256_montysquare(zu, zv);
0957b409SSimon J. Gerraty		f256_montymul(zv, zv, zu);
0957b409SSimon J. Gerraty		f256_montymul(aff[i].x, jac[i].x, zu);
0957b409SSimon J. Gerraty		f256_montymul(aff[i].y, jac[i].y, zv);
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Multiply the provided point by an integer.
0957b409SSimon J. Gerraty * Assumptions:
0957b409SSimon J. Gerraty *  - Source point is a valid curve point.
0957b409SSimon J. Gerraty *  - Source point is not the point-at-infinity.
0957b409SSimon J. Gerraty *  - Integer is not 0, and is lower than the curve order.
0957b409SSimon J. Gerraty * If these conditions are not met, then the result is indeterminate
0957b409SSimon J. Gerraty * (but the process is still constant-time).
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic void
0957b409SSimon J. Gerratyp256_mul(p256_jacobian *P, const unsigned char *k, size_t klen)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	union {
0957b409SSimon J. Gerraty		p256_affine aff[15];
0957b409SSimon J. Gerraty		p256_jacobian jac[15];
0957b409SSimon J. Gerraty	} window;
0957b409SSimon J. Gerraty	int i;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute window, in Jacobian coordinates.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	window.jac[0] = *P;
0957b409SSimon J. Gerraty	for (i = 2; i < 16; i ++) {
0957b409SSimon J. Gerraty		window.jac[i - 1] = window.jac[(i >> 1) - 1];
0957b409SSimon J. Gerraty		if ((i & 1) == 0) {
0957b409SSimon J. Gerraty			p256_double(&window.jac[i - 1]);
0957b409SSimon J. Gerraty		} else {
0957b409SSimon J. Gerraty			p256_add(&window.jac[i - 1], &window.jac[i >> 1]);
0957b409SSimon J. Gerraty		}
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Convert the window points to affine coordinates. Point
0957b409SSimon J. Gerraty	 * window[0] is the source point, already in affine coordinates.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	window_to_affine(window.aff, window.jac, 15);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Perform point multiplication.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	point_mul_inner(P, window.aff, k, klen);
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Precomputed window for the conventional generator: P256_Gwin[n]
0957b409SSimon J. Gerraty * contains (n+1)*G (affine coordinates, in Montgomery representation).
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic const p256_affine P256_Gwin[] = {
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x30D418A9143C1, 0xC4FEDB60179E7, 0x62251075BA95F,
0957b409SSimon J. Gerraty		  0x5C669FB732B77, 0x08905F76B5375 },
0957b409SSimon J. Gerraty		{ 0x5357CE95560A8, 0x43A19E45CDDF2, 0x21F3258B4AB8E,
0957b409SSimon J. Gerraty		  0xD8552E88688DD, 0x0571FF18A5885 }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x46D410DDD64DF, 0x0B433827D8500, 0x1490D9AA6AE3C,
0957b409SSimon J. Gerraty		  0xA3A832205038D, 0x06BB32E52DCF3 },
0957b409SSimon J. Gerraty		{ 0x48D361BEE1A57, 0xB7B236FF82F36, 0x042DBE152CD7C,
0957b409SSimon J. Gerraty		  0xA3AA9A8FB0E92, 0x08C577517A5B8 }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x3F904EEBC1272, 0x9E87D81FBFFAC, 0xCBBC98B027F84,
0957b409SSimon J. Gerraty		  0x47E46AD77DD87, 0x06936A3FD6FF7 },
0957b409SSimon J. Gerraty		{ 0x5C1FC983A7EBD, 0xC3861FE1AB04C, 0x2EE98E583E47A,
0957b409SSimon J. Gerraty		  0xC06A88208311A, 0x05F06A2AB587C }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0xB50D46918DCC5, 0xD7623C17374B0, 0x100AF24650A6E,
0957b409SSimon J. Gerraty		  0x76ABCDAACACE8, 0x077362F591B01 },
0957b409SSimon J. Gerraty		{ 0xF24CE4CBABA68, 0x17AD6F4472D96, 0xDDD22E1762847,
0957b409SSimon J. Gerraty		  0x862EB6C36DEE5, 0x04B14C39CC5AB }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x8AAEC45C61F5C, 0x9D4B9537DBE1B, 0x76C20C90EC649,
0957b409SSimon J. Gerraty		  0x3C7D41CB5AAD0, 0x0907960649052 },
0957b409SSimon J. Gerraty		{ 0x9B4AE7BA4F107, 0xF75EB882BEB30, 0x7A1F6873C568E,
0957b409SSimon J. Gerraty		  0x915C540A9877E, 0x03A076BB9DD1E }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x47373E77664A1, 0xF246CEE3E4039, 0x17A3AD55AE744,
0957b409SSimon J. Gerraty		  0x673C50A961A5B, 0x03074B5964213 },
0957b409SSimon J. Gerraty		{ 0x6220D377E44BA, 0x30DFF14B593D3, 0x639F11299C2B5,
0957b409SSimon J. Gerraty		  0x75F5424D44CEF, 0x04C9916DEA07F }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x354EA0173B4F1, 0x3C23C00F70746, 0x23BB082BD2021,
0957b409SSimon J. Gerraty		  0xE03E43EAAB50C, 0x03BA5119D3123 },
0957b409SSimon J. Gerraty		{ 0xD0303F5B9D4DE, 0x17DA67BDD2847, 0xC941956742F2F,
0957b409SSimon J. Gerraty		  0x8670F933BDC77, 0x0AEDD9164E240 }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x4CD19499A78FB, 0x4BF9B345527F1, 0x2CFC6B462AB5C,
0957b409SSimon J. Gerraty		  0x30CDF90F02AF0, 0x0763891F62652 },
0957b409SSimon J. Gerraty		{ 0xA3A9532D49775, 0xD7F9EBA15F59D, 0x60BBF021E3327,
0957b409SSimon J. Gerraty		  0xF75C23C7B84BE, 0x06EC12F2C706D }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x6E8F264E20E8E, 0xC79A7A84175C9, 0xC8EB00ABE6BFE,
0957b409SSimon J. Gerraty		  0x16A4CC09C0444, 0x005B3081D0C4E },
0957b409SSimon J. Gerraty		{ 0x777AA45F33140, 0xDCE5D45E31EB7, 0xB12F1A56AF7BE,
0957b409SSimon J. Gerraty		  0xF9B2B6E019A88, 0x086659CDFD835 }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0xDBD19DC21EC8C, 0x94FCF81392C18, 0x250B4998F9868,
0957b409SSimon J. Gerraty		  0x28EB37D2CD648, 0x0C61C947E4B34 },
0957b409SSimon J. Gerraty		{ 0x407880DD9E767, 0x0C83FBE080C2B, 0x9BE5D2C43A899,
0957b409SSimon J. Gerraty		  0xAB4EF7D2D6577, 0x08719A555B3B4 }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x260A6245E4043, 0x53E7FDFE0EA7D, 0xAC1AB59DE4079,
0957b409SSimon J. Gerraty		  0x072EFF3A4158D, 0x0E7090F1949C9 },
0957b409SSimon J. Gerraty		{ 0x85612B944E886, 0xE857F61C81A76, 0xAD643D250F939,
0957b409SSimon J. Gerraty		  0x88DAC0DAA891E, 0x089300244125B }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x1AA7D26977684, 0x58A345A3304B7, 0x37385EABDEDEF,
0957b409SSimon J. Gerraty		  0x155E409D29DEE, 0x0EE1DF780B83E },
0957b409SSimon J. Gerraty		{ 0x12D91CBB5B437, 0x65A8956370CAC, 0xDE6D66170ED2F,
0957b409SSimon J. Gerraty		  0xAC9B8228CFA8A, 0x0FF57C95C3238 }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x25634B2ED7097, 0x9156FD30DCCC4, 0x9E98110E35676,
0957b409SSimon J. Gerraty		  0x7594CBCD43F55, 0x038477ACC395B },
0957b409SSimon J. Gerraty		{ 0x2B90C00EE17FF, 0xF842ED2E33575, 0x1F5BC16874838,
0957b409SSimon J. Gerraty		  0x7968CD06422BD, 0x0BC0876AB9E7B }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0xA35BB0CF664AF, 0x68F9707E3A242, 0x832660126E48F,
0957b409SSimon J. Gerraty		  0x72D2717BF54C6, 0x0AAE7333ED12C },
0957b409SSimon J. Gerraty		{ 0x2DB7995D586B1, 0xE732237C227B5, 0x65E7DBBE29569,
0957b409SSimon J. Gerraty		  0xBBBD8E4193E2A, 0x052706DC3EAA1 }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0xD8B7BC60055BE, 0xD76E27E4B72BC, 0x81937003CC23E,
0957b409SSimon J. Gerraty		  0xA090E337424E4, 0x02AA0E43EAD3D },
0957b409SSimon J. Gerraty		{ 0x524F6383C45D2, 0x422A41B2540B8, 0x8A4797D766355,
0957b409SSimon J. Gerraty		  0xDF444EFA6DE77, 0x0042170A9079A }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty};
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Multiply the conventional generator of the curve by the provided
0957b409SSimon J. Gerraty * integer. Return is written in *P.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * Assumptions:
0957b409SSimon J. Gerraty *  - Integer is not 0, and is lower than the curve order.
0957b409SSimon J. Gerraty * If this conditions is not met, then the result is indeterminate
0957b409SSimon J. Gerraty * (but the process is still constant-time).
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic void
0957b409SSimon J. Gerratyp256_mulgen(p256_jacobian *P, const unsigned char *k, size_t klen)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	point_mul_inner(P, P256_Gwin, k, klen);
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Return 1 if all of the following hold:
0957b409SSimon J. Gerraty *  - klen <= 32
0957b409SSimon J. Gerraty *  - k != 0
0957b409SSimon J. Gerraty *  - k is lower than the curve order
0957b409SSimon J. Gerraty * Otherwise, return 0.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * Constant-time behaviour: only klen may be observable.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic uint32_t
0957b409SSimon J. Gerratycheck_scalar(const unsigned char *k, size_t klen)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	uint32_t z;
0957b409SSimon J. Gerraty	int32_t c;
0957b409SSimon J. Gerraty	size_t u;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	if (klen > 32) {
0957b409SSimon J. Gerraty		return 0;
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty	z = 0;
0957b409SSimon J. Gerraty	for (u = 0; u < klen; u ++) {
0957b409SSimon J. Gerraty		z |= k[u];
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty	if (klen == 32) {
0957b409SSimon J. Gerraty		c = 0;
0957b409SSimon J. Gerraty		for (u = 0; u < klen; u ++) {
0957b409SSimon J. Gerraty			c |= -(int32_t)EQ0(c) & CMP(k[u], P256_N[u]);
0957b409SSimon J. Gerraty		}
0957b409SSimon J. Gerraty	} else {
0957b409SSimon J. Gerraty		c = -1;
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty	return NEQ(z, 0) & LT0(c);
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerratystatic uint32_t
0957b409SSimon J. Gerratyapi_mul(unsigned char *G, size_t Glen,
0957b409SSimon J. Gerraty	const unsigned char *k, size_t klen, int curve)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	uint32_t r;
0957b409SSimon J. Gerraty	p256_jacobian P;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	(void)curve;
0957b409SSimon J. Gerraty	if (Glen != 65) {
0957b409SSimon J. Gerraty		return 0;
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty	r = check_scalar(k, klen);
0957b409SSimon J. Gerraty	r &= point_decode(&P, G);
0957b409SSimon J. Gerraty	p256_mul(&P, k, klen);
0957b409SSimon J. Gerraty	r &= point_encode(G, &P);
0957b409SSimon J. Gerraty	return r;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerratystatic size_t
0957b409SSimon J. Gerratyapi_mulgen(unsigned char *R,
0957b409SSimon J. Gerraty	const unsigned char *k, size_t klen, int curve)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	p256_jacobian P;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	(void)curve;
0957b409SSimon J. Gerraty	p256_mulgen(&P, k, klen);
0957b409SSimon J. Gerraty	point_encode(R, &P);
0957b409SSimon J. Gerraty	return 65;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerratystatic uint32_t
0957b409SSimon J. Gerratyapi_muladd(unsigned char *A, const unsigned char *B, size_t len,
0957b409SSimon J. Gerraty	const unsigned char *x, size_t xlen,
0957b409SSimon J. Gerraty	const unsigned char *y, size_t ylen, int curve)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * We might want to use Shamir's trick here: make a composite
0957b409SSimon J. Gerraty	 * window of u*P+v*Q points, to merge the two doubling-ladders
0957b409SSimon J. Gerraty	 * into one. This, however, has some complications:
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *  - During the computation, we may hit the point-at-infinity.
0957b409SSimon J. Gerraty	 *    Thus, we would need p256_add_complete_mixed() (complete
0957b409SSimon J. Gerraty	 *    formulas for point addition), with a higher cost (17 muls
0957b409SSimon J. Gerraty	 *    instead of 11).
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *  - A 4-bit window would be too large, since it would involve
0957b409SSimon J. Gerraty	 *    16*16-1 = 255 points. For the same window size as in the
0957b409SSimon J. Gerraty	 *    p256_mul() case, we would need to reduce the window size
0957b409SSimon J. Gerraty	 *    to 2 bits, and thus perform twice as many non-doubling
0957b409SSimon J. Gerraty	 *    point additions.
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *  - The window may itself contain the point-at-infinity, and
0957b409SSimon J. Gerraty	 *    thus cannot be in all generality be made of affine points.
0957b409SSimon J. Gerraty	 *    Instead, we would need to make it a window of points in
0957b409SSimon J. Gerraty	 *    Jacobian coordinates. Even p256_add_complete_mixed() would
0957b409SSimon J. Gerraty	 *    be inappropriate.
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * For these reasons, the code below performs two separate
0957b409SSimon J. Gerraty	 * point multiplications, then computes the final point addition
0957b409SSimon J. Gerraty	 * (which is both a "normal" addition, and a doubling, to handle
0957b409SSimon J. Gerraty	 * all cases).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	p256_jacobian P, Q;
0957b409SSimon J. Gerraty	uint32_t r, t, s;
0957b409SSimon J. Gerraty	uint64_t z;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	(void)curve;
0957b409SSimon J. Gerraty	if (len != 65) {
0957b409SSimon J. Gerraty		return 0;
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty	r = point_decode(&P, A);
0957b409SSimon J. Gerraty	p256_mul(&P, x, xlen);
0957b409SSimon J. Gerraty	if (B == NULL) {
0957b409SSimon J. Gerraty		p256_mulgen(&Q, y, ylen);
0957b409SSimon J. Gerraty	} else {
0957b409SSimon J. Gerraty		r &= point_decode(&Q, B);
0957b409SSimon J. Gerraty		p256_mul(&Q, y, ylen);
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * The final addition may fail in case both points are equal.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	t = p256_add(&P, &Q);
0957b409SSimon J. Gerraty	f256_final_reduce(P.z);
0957b409SSimon J. Gerraty	z = P.z[0] | P.z[1] | P.z[2] | P.z[3] | P.z[4];
0957b409SSimon J. Gerraty	s = EQ((uint32_t)(z | (z >> 32)), 0);
0957b409SSimon J. Gerraty	p256_double(&Q);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * If s is 1 then either P+Q = 0 (t = 1) or P = Q (t = 0). So we
0957b409SSimon J. Gerraty	 * have the following:
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *   s = 0, t = 0   return P (normal addition)
0957b409SSimon J. Gerraty	 *   s = 0, t = 1   return P (normal addition)
0957b409SSimon J. Gerraty	 *   s = 1, t = 0   return Q (a 'double' case)
0957b409SSimon J. Gerraty	 *   s = 1, t = 1   report an error (P+Q = 0)
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	CCOPY(s & ~t, &P, &Q, sizeof Q);
0957b409SSimon J. Gerraty	point_encode(A, &P);
0957b409SSimon J. Gerraty	r &= ~(s & t);
0957b409SSimon J. Gerraty	return r;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/* see bearssl_ec.h */
0957b409SSimon J. Gerratyconst br_ec_impl br_ec_p256_m62 = {
0957b409SSimon J. Gerraty	(uint32_t)0x00800000,
0957b409SSimon J. Gerraty	&api_generator,
0957b409SSimon J. Gerraty	&api_order,
0957b409SSimon J. Gerraty	&api_xoff,
0957b409SSimon J. Gerraty	&api_mul,
0957b409SSimon J. Gerraty	&api_mulgen,
0957b409SSimon J. Gerraty	&api_muladd
0957b409SSimon J. Gerraty};
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/* see bearssl_ec.h */
0957b409SSimon J. Gerratyconst br_ec_impl *
0957b409SSimon J. Gerratybr_ec_p256_m62_get(void)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	return &br_ec_p256_m62;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#else
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/* see bearssl_ec.h */
0957b409SSimon J. Gerratyconst br_ec_impl *
0957b409SSimon J. Gerratybr_ec_p256_m62_get(void)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	return 0;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#endif