src/ec/ec_p256_m64.c

0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Copyright (c) 2018 Thomas Pornin <pornin@bolet.org>
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * Permission is hereby granted, free of charge, to any person obtaining
0957b409SSimon J. Gerraty * a copy of this software and associated documentation files (the
0957b409SSimon J. Gerraty * "Software"), to deal in the Software without restriction, including
0957b409SSimon J. Gerraty * without limitation the rights to use, copy, modify, merge, publish,
0957b409SSimon J. Gerraty * distribute, sublicense, and/or sell copies of the Software, and to
0957b409SSimon J. Gerraty * permit persons to whom the Software is furnished to do so, subject to
0957b409SSimon J. Gerraty * the following conditions:
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * The above copyright notice and this permission notice shall be
0957b409SSimon J. Gerraty * included in all copies or substantial portions of the Software.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
0957b409SSimon J. Gerraty * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
0957b409SSimon J. Gerraty * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
0957b409SSimon J. Gerraty * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
0957b409SSimon J. Gerraty * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
0957b409SSimon J. Gerraty * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
0957b409SSimon J. Gerraty * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
0957b409SSimon J. Gerraty * SOFTWARE.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#include "inner.h"
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#if BR_INT128 || BR_UMUL128
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#if BR_UMUL128
0957b409SSimon J. Gerraty#include <intrin.h>
0957b409SSimon J. Gerraty#endif
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerratystatic const unsigned char P256_G[] = {
0957b409SSimon J. Gerraty	0x04, 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8,
0957b409SSimon J. Gerraty	0xBC, 0xE6, 0xE5, 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D,
0957b409SSimon J. Gerraty	0x81, 0x2D, 0xEB, 0x33, 0xA0, 0xF4, 0xA1, 0x39, 0x45, 0xD8,
0957b409SSimon J. Gerraty	0x98, 0xC2, 0x96, 0x4F, 0xE3, 0x42, 0xE2, 0xFE, 0x1A, 0x7F,
0957b409SSimon J. Gerraty	0x9B, 0x8E, 0xE7, 0xEB, 0x4A, 0x7C, 0x0F, 0x9E, 0x16, 0x2B,
0957b409SSimon J. Gerraty	0xCE, 0x33, 0x57, 0x6B, 0x31, 0x5E, 0xCE, 0xCB, 0xB6, 0x40,
0957b409SSimon J. Gerraty	0x68, 0x37, 0xBF, 0x51, 0xF5
0957b409SSimon J. Gerraty};
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerratystatic const unsigned char P256_N[] = {
0957b409SSimon J. Gerraty	0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF,
0957b409SSimon J. Gerraty	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD,
0957b409SSimon J. Gerraty	0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63,
0957b409SSimon J. Gerraty	0x25, 0x51
0957b409SSimon J. Gerraty};
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerratystatic const unsigned char *
0957b409SSimon J. Gerratyapi_generator(int curve, size_t *len)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	(void)curve;
0957b409SSimon J. Gerraty	*len = sizeof P256_G;
0957b409SSimon J. Gerraty	return P256_G;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerratystatic const unsigned char *
0957b409SSimon J. Gerratyapi_order(int curve, size_t *len)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	(void)curve;
0957b409SSimon J. Gerraty	*len = sizeof P256_N;
0957b409SSimon J. Gerraty	return P256_N;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerratystatic size_t
0957b409SSimon J. Gerratyapi_xoff(int curve, size_t *len)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	(void)curve;
0957b409SSimon J. Gerraty	*len = 32;
0957b409SSimon J. Gerraty	return 1;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * A field element is encoded as four 64-bit integers, in basis 2^64.
0957b409SSimon J. Gerraty * Values may reach up to 2^256-1. Montgomery multiplication is used.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/* R = 2^256 mod p */
0957b409SSimon J. Gerratystatic const uint64_t F256_R[] = {
0957b409SSimon J. Gerraty	0x0000000000000001, 0xFFFFFFFF00000000,
0957b409SSimon J. Gerraty	0xFFFFFFFFFFFFFFFF, 0x00000000FFFFFFFE
0957b409SSimon J. Gerraty};
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/* Curve equation is y^2 = x^3 - 3*x + B. This constant is B*R mod p
0957b409SSimon J. Gerraty   (Montgomery representation of B). */
0957b409SSimon J. Gerratystatic const uint64_t P256_B_MONTY[] = {
0957b409SSimon J. Gerraty	0xD89CDF6229C4BDDF, 0xACF005CD78843090,
0957b409SSimon J. Gerraty	0xE5A220ABF7212ED6, 0xDC30061D04874834
0957b409SSimon J. Gerraty};
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Addition in the field.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic inline void
0957b409SSimon J. Gerratyf256_add(uint64_t *d, const uint64_t *a, const uint64_t *b)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty#if BR_INT128
0957b409SSimon J. Gerraty	unsigned __int128 w;
0957b409SSimon J. Gerraty	uint64_t t;
0957b409SSimon J. Gerraty
*cc9e6590SSimon J. Gerraty	/*
*cc9e6590SSimon J. Gerraty	 * Do the addition, with an extra carry in t.
*cc9e6590SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	w = (unsigned __int128)a[0] + b[0];
0957b409SSimon J. Gerraty	d[0] = (uint64_t)w;
0957b409SSimon J. Gerraty	w = (unsigned __int128)a[1] + b[1] + (w >> 64);
0957b409SSimon J. Gerraty	d[1] = (uint64_t)w;
0957b409SSimon J. Gerraty	w = (unsigned __int128)a[2] + b[2] + (w >> 64);
0957b409SSimon J. Gerraty	d[2] = (uint64_t)w;
0957b409SSimon J. Gerraty	w = (unsigned __int128)a[3] + b[3] + (w >> 64);
0957b409SSimon J. Gerraty	d[3] = (uint64_t)w;
0957b409SSimon J. Gerraty	t = (uint64_t)(w >> 64);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
*cc9e6590SSimon J. Gerraty	 * Fold carry t, using: 2^256 = 2^224 - 2^192 - 2^96 + 1 mod p.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	w = (unsigned __int128)d[0] + t;
0957b409SSimon J. Gerraty	d[0] = (uint64_t)w;
0957b409SSimon J. Gerraty	w = (unsigned __int128)d[1] + (w >> 64) - (t << 32);
0957b409SSimon J. Gerraty	d[1] = (uint64_t)w;
0957b409SSimon J. Gerraty	/* Here, carry "w >> 64" can only be 0 or -1 */
0957b409SSimon J. Gerraty	w = (unsigned __int128)d[2] - ((w >> 64) & 1);
0957b409SSimon J. Gerraty	d[2] = (uint64_t)w;
*cc9e6590SSimon J. Gerraty	/* Again, carry is 0 or -1. But there can be carry only if t = 1,
*cc9e6590SSimon J. Gerraty	   in which case the addition of (t << 32) - t is positive. */
*cc9e6590SSimon J. Gerraty	w = (unsigned __int128)d[3] - ((w >> 64) & 1) + (t << 32) - t;
*cc9e6590SSimon J. Gerraty	d[3] = (uint64_t)w;
*cc9e6590SSimon J. Gerraty	t = (uint64_t)(w >> 64);
*cc9e6590SSimon J. Gerraty
*cc9e6590SSimon J. Gerraty	/*
*cc9e6590SSimon J. Gerraty	 * There can be an extra carry here, which we must fold again.
*cc9e6590SSimon J. Gerraty	 */
*cc9e6590SSimon J. Gerraty	w = (unsigned __int128)d[0] + t;
*cc9e6590SSimon J. Gerraty	d[0] = (uint64_t)w;
*cc9e6590SSimon J. Gerraty	w = (unsigned __int128)d[1] + (w >> 64) - (t << 32);
*cc9e6590SSimon J. Gerraty	d[1] = (uint64_t)w;
*cc9e6590SSimon J. Gerraty	w = (unsigned __int128)d[2] - ((w >> 64) & 1);
*cc9e6590SSimon J. Gerraty	d[2] = (uint64_t)w;
*cc9e6590SSimon J. Gerraty	d[3] += (t << 32) - t - (uint64_t)((w >> 64) & 1);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#elif BR_UMUL128
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	unsigned char cc;
0957b409SSimon J. Gerraty	uint64_t t;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	cc = _addcarry_u64(0, a[0], b[0], &d[0]);
0957b409SSimon J. Gerraty	cc = _addcarry_u64(cc, a[1], b[1], &d[1]);
0957b409SSimon J. Gerraty	cc = _addcarry_u64(cc, a[2], b[2], &d[2]);
0957b409SSimon J. Gerraty	cc = _addcarry_u64(cc, a[3], b[3], &d[3]);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * If there is a carry, then we want to subtract p, which we
0957b409SSimon J. Gerraty	 * do by adding 2^256 - p.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	t = cc;
0957b409SSimon J. Gerraty	cc = _addcarry_u64(cc, d[0], 0, &d[0]);
0957b409SSimon J. Gerraty	cc = _addcarry_u64(cc, d[1], -(t << 32), &d[1]);
0957b409SSimon J. Gerraty	cc = _addcarry_u64(cc, d[2], -t, &d[2]);
*cc9e6590SSimon J. Gerraty	cc = _addcarry_u64(cc, d[3], (t << 32) - (t << 1), &d[3]);
*cc9e6590SSimon J. Gerraty
*cc9e6590SSimon J. Gerraty	/*
*cc9e6590SSimon J. Gerraty	 * We have to do it again if there still is a carry.
*cc9e6590SSimon J. Gerraty	 */
*cc9e6590SSimon J. Gerraty	t = cc;
*cc9e6590SSimon J. Gerraty	cc = _addcarry_u64(cc, d[0], 0, &d[0]);
*cc9e6590SSimon J. Gerraty	cc = _addcarry_u64(cc, d[1], -(t << 32), &d[1]);
*cc9e6590SSimon J. Gerraty	cc = _addcarry_u64(cc, d[2], -t, &d[2]);
0957b409SSimon J. Gerraty	(void)_addcarry_u64(cc, d[3], (t << 32) - (t << 1), &d[3]);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#endif
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Subtraction in the field.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic inline void
0957b409SSimon J. Gerratyf256_sub(uint64_t *d, const uint64_t *a, const uint64_t *b)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty#if BR_INT128
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	unsigned __int128 w;
0957b409SSimon J. Gerraty	uint64_t t;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	w = (unsigned __int128)a[0] - b[0];
0957b409SSimon J. Gerraty	d[0] = (uint64_t)w;
0957b409SSimon J. Gerraty	w = (unsigned __int128)a[1] - b[1] - ((w >> 64) & 1);
0957b409SSimon J. Gerraty	d[1] = (uint64_t)w;
0957b409SSimon J. Gerraty	w = (unsigned __int128)a[2] - b[2] - ((w >> 64) & 1);
0957b409SSimon J. Gerraty	d[2] = (uint64_t)w;
0957b409SSimon J. Gerraty	w = (unsigned __int128)a[3] - b[3] - ((w >> 64) & 1);
0957b409SSimon J. Gerraty	d[3] = (uint64_t)w;
0957b409SSimon J. Gerraty	t = (uint64_t)(w >> 64) & 1;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
*cc9e6590SSimon J. Gerraty	 * If there is a borrow (t = 1), then we must add the modulus
0957b409SSimon J. Gerraty	 * p = 2^256 - 2^224 + 2^192 + 2^96 - 1.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	w = (unsigned __int128)d[0] - t;
0957b409SSimon J. Gerraty	d[0] = (uint64_t)w;
0957b409SSimon J. Gerraty	w = (unsigned __int128)d[1] + (t << 32) - ((w >> 64) & 1);
0957b409SSimon J. Gerraty	d[1] = (uint64_t)w;
0957b409SSimon J. Gerraty	/* Here, carry "w >> 64" can only be 0 or +1 */
0957b409SSimon J. Gerraty	w = (unsigned __int128)d[2] + (w >> 64);
0957b409SSimon J. Gerraty	d[2] = (uint64_t)w;
0957b409SSimon J. Gerraty	/* Again, carry is 0 or +1 */
*cc9e6590SSimon J. Gerraty	w = (unsigned __int128)d[3] + (w >> 64) - (t << 32) + t;
*cc9e6590SSimon J. Gerraty	d[3] = (uint64_t)w;
*cc9e6590SSimon J. Gerraty	t = (uint64_t)(w >> 64) & 1;
*cc9e6590SSimon J. Gerraty
*cc9e6590SSimon J. Gerraty	/*
*cc9e6590SSimon J. Gerraty	 * There may be again a borrow, in which case we must add the
*cc9e6590SSimon J. Gerraty	 * modulus again.
*cc9e6590SSimon J. Gerraty	 */
*cc9e6590SSimon J. Gerraty	w = (unsigned __int128)d[0] - t;
*cc9e6590SSimon J. Gerraty	d[0] = (uint64_t)w;
*cc9e6590SSimon J. Gerraty	w = (unsigned __int128)d[1] + (t << 32) - ((w >> 64) & 1);
*cc9e6590SSimon J. Gerraty	d[1] = (uint64_t)w;
*cc9e6590SSimon J. Gerraty	w = (unsigned __int128)d[2] + (w >> 64);
*cc9e6590SSimon J. Gerraty	d[2] = (uint64_t)w;
0957b409SSimon J. Gerraty	d[3] += (uint64_t)(w >> 64) - (t << 32) + t;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#elif BR_UMUL128
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	unsigned char cc;
0957b409SSimon J. Gerraty	uint64_t t;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	cc = _subborrow_u64(0, a[0], b[0], &d[0]);
0957b409SSimon J. Gerraty	cc = _subborrow_u64(cc, a[1], b[1], &d[1]);
0957b409SSimon J. Gerraty	cc = _subborrow_u64(cc, a[2], b[2], &d[2]);
0957b409SSimon J. Gerraty	cc = _subborrow_u64(cc, a[3], b[3], &d[3]);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
*cc9e6590SSimon J. Gerraty	 * If there is a borrow, then we need to add p. We (virtually)
*cc9e6590SSimon J. Gerraty	 * add 2^256, then subtract 2^256 - p.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	t = cc;
*cc9e6590SSimon J. Gerraty	cc = _subborrow_u64(0, d[0], t, &d[0]);
*cc9e6590SSimon J. Gerraty	cc = _subborrow_u64(cc, d[1], -(t << 32), &d[1]);
*cc9e6590SSimon J. Gerraty	cc = _subborrow_u64(cc, d[2], -t, &d[2]);
*cc9e6590SSimon J. Gerraty	cc = _subborrow_u64(cc, d[3], (t << 32) - (t << 1), &d[3]);
*cc9e6590SSimon J. Gerraty
*cc9e6590SSimon J. Gerraty	/*
*cc9e6590SSimon J. Gerraty	 * If there still is a borrow, then we need to add p again.
*cc9e6590SSimon J. Gerraty	 */
*cc9e6590SSimon J. Gerraty	t = cc;
*cc9e6590SSimon J. Gerraty	cc = _subborrow_u64(0, d[0], t, &d[0]);
*cc9e6590SSimon J. Gerraty	cc = _subborrow_u64(cc, d[1], -(t << 32), &d[1]);
*cc9e6590SSimon J. Gerraty	cc = _subborrow_u64(cc, d[2], -t, &d[2]);
*cc9e6590SSimon J. Gerraty	(void)_subborrow_u64(cc, d[3], (t << 32) - (t << 1), &d[3]);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#endif
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Montgomery multiplication in the field.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic void
0957b409SSimon J. Gerratyf256_montymul(uint64_t *d, const uint64_t *a, const uint64_t *b)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty#if BR_INT128
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	uint64_t x, f, t0, t1, t2, t3, t4;
0957b409SSimon J. Gerraty	unsigned __int128 z, ff;
0957b409SSimon J. Gerraty	int i;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * When computing d <- d + a[u]*b, we also add f*p such
0957b409SSimon J. Gerraty	 * that d + a[u]*b + f*p is a multiple of 2^64. Since
0957b409SSimon J. Gerraty	 * p = -1 mod 2^64, we can compute f = d[0] + a[u]*b[0] mod 2^64.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Step 1: t <- (a[0]*b + f*p) / 2^64
0957b409SSimon J. Gerraty	 * We have f = a[0]*b[0] mod 2^64. Since p = -1 mod 2^64, this
0957b409SSimon J. Gerraty	 * ensures that (a[0]*b + f*p) is a multiple of 2^64.
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * We also have: f*p = f*2^256 - f*2^224 + f*2^192 + f*2^96 - f.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	x = a[0];
0957b409SSimon J. Gerraty	z = (unsigned __int128)b[0] * x;
0957b409SSimon J. Gerraty	f = (uint64_t)z;
0957b409SSimon J. Gerraty	z = (unsigned __int128)b[1] * x + (z >> 64) + (uint64_t)(f << 32);
0957b409SSimon J. Gerraty	t0 = (uint64_t)z;
0957b409SSimon J. Gerraty	z = (unsigned __int128)b[2] * x + (z >> 64) + (uint64_t)(f >> 32);
0957b409SSimon J. Gerraty	t1 = (uint64_t)z;
0957b409SSimon J. Gerraty	z = (unsigned __int128)b[3] * x + (z >> 64) + f;
0957b409SSimon J. Gerraty	t2 = (uint64_t)z;
0957b409SSimon J. Gerraty	t3 = (uint64_t)(z >> 64);
0957b409SSimon J. Gerraty	ff = ((unsigned __int128)f << 64) - ((unsigned __int128)f << 32);
0957b409SSimon J. Gerraty	z = (unsigned __int128)t2 + (uint64_t)ff;
0957b409SSimon J. Gerraty	t2 = (uint64_t)z;
0957b409SSimon J. Gerraty	z = (unsigned __int128)t3 + (z >> 64) + (ff >> 64);
0957b409SSimon J. Gerraty	t3 = (uint64_t)z;
0957b409SSimon J. Gerraty	t4 = (uint64_t)(z >> 64);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Steps 2 to 4: t <- (t + a[i]*b + f*p) / 2^64
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	for (i = 1; i < 4; i ++) {
0957b409SSimon J. Gerraty		x = a[i];
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		/* t <- (t + x*b - f) / 2^64 */
0957b409SSimon J. Gerraty		z = (unsigned __int128)b[0] * x + t0;
0957b409SSimon J. Gerraty		f = (uint64_t)z;
0957b409SSimon J. Gerraty		z = (unsigned __int128)b[1] * x + t1 + (z >> 64);
0957b409SSimon J. Gerraty		t0 = (uint64_t)z;
0957b409SSimon J. Gerraty		z = (unsigned __int128)b[2] * x + t2 + (z >> 64);
0957b409SSimon J. Gerraty		t1 = (uint64_t)z;
0957b409SSimon J. Gerraty		z = (unsigned __int128)b[3] * x + t3 + (z >> 64);
0957b409SSimon J. Gerraty		t2 = (uint64_t)z;
0957b409SSimon J. Gerraty		z = t4 + (z >> 64);
0957b409SSimon J. Gerraty		t3 = (uint64_t)z;
0957b409SSimon J. Gerraty		t4 = (uint64_t)(z >> 64);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		/* t <- t + f*2^32, carry in the upper half of z */
0957b409SSimon J. Gerraty		z = (unsigned __int128)t0 + (uint64_t)(f << 32);
0957b409SSimon J. Gerraty		t0 = (uint64_t)z;
0957b409SSimon J. Gerraty		z = (z >> 64) + (unsigned __int128)t1 + (uint64_t)(f >> 32);
0957b409SSimon J. Gerraty		t1 = (uint64_t)z;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		/* t <- t + f*2^192 - f*2^160 + f*2^128 */
0957b409SSimon J. Gerraty		ff = ((unsigned __int128)f << 64)
0957b409SSimon J. Gerraty			- ((unsigned __int128)f << 32) + f;
0957b409SSimon J. Gerraty		z = (z >> 64) + (unsigned __int128)t2 + (uint64_t)ff;
0957b409SSimon J. Gerraty		t2 = (uint64_t)z;
0957b409SSimon J. Gerraty		z = (unsigned __int128)t3 + (z >> 64) + (ff >> 64);
0957b409SSimon J. Gerraty		t3 = (uint64_t)z;
0957b409SSimon J. Gerraty		t4 += (uint64_t)(z >> 64);
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * At that point, we have computed t = (a*b + F*p) / 2^256, where
0957b409SSimon J. Gerraty	 * F is a 256-bit integer whose limbs are the "f" coefficients
0957b409SSimon J. Gerraty	 * in the steps above. We have:
0957b409SSimon J. Gerraty	 *   a <= 2^256-1
0957b409SSimon J. Gerraty	 *   b <= 2^256-1
0957b409SSimon J. Gerraty	 *   F <= 2^256-1
0957b409SSimon J. Gerraty	 * Hence:
0957b409SSimon J. Gerraty	 *   a*b + F*p <= (2^256-1)*(2^256-1) + p*(2^256-1)
0957b409SSimon J. Gerraty	 *   a*b + F*p <= 2^256*(2^256 - 2 + p) + 1 - p
0957b409SSimon J. Gerraty	 * Therefore:
0957b409SSimon J. Gerraty	 *   t < 2^256 + p - 2
0957b409SSimon J. Gerraty	 * Since p < 2^256, it follows that:
0957b409SSimon J. Gerraty	 *   t4 can be only 0 or 1
0957b409SSimon J. Gerraty	 *   t - p < 2^256
0957b409SSimon J. Gerraty	 * We can therefore subtract p from t, conditionally on t4, to
0957b409SSimon J. Gerraty	 * get a nonnegative result that fits on 256 bits.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	z = (unsigned __int128)t0 + t4;
0957b409SSimon J. Gerraty	t0 = (uint64_t)z;
0957b409SSimon J. Gerraty	z = (unsigned __int128)t1 - (t4 << 32) + (z >> 64);
0957b409SSimon J. Gerraty	t1 = (uint64_t)z;
0957b409SSimon J. Gerraty	z = (unsigned __int128)t2 - (z >> 127);
0957b409SSimon J. Gerraty	t2 = (uint64_t)z;
0957b409SSimon J. Gerraty	t3 = t3 - (uint64_t)(z >> 127) - t4 + (t4 << 32);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	d[0] = t0;
0957b409SSimon J. Gerraty	d[1] = t1;
0957b409SSimon J. Gerraty	d[2] = t2;
0957b409SSimon J. Gerraty	d[3] = t3;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#elif BR_UMUL128
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	uint64_t x, f, t0, t1, t2, t3, t4;
0957b409SSimon J. Gerraty	uint64_t zl, zh, ffl, ffh;
0957b409SSimon J. Gerraty	unsigned char k, m;
0957b409SSimon J. Gerraty	int i;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * When computing d <- d + a[u]*b, we also add f*p such
0957b409SSimon J. Gerraty	 * that d + a[u]*b + f*p is a multiple of 2^64. Since
0957b409SSimon J. Gerraty	 * p = -1 mod 2^64, we can compute f = d[0] + a[u]*b[0] mod 2^64.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Step 1: t <- (a[0]*b + f*p) / 2^64
0957b409SSimon J. Gerraty	 * We have f = a[0]*b[0] mod 2^64. Since p = -1 mod 2^64, this
0957b409SSimon J. Gerraty	 * ensures that (a[0]*b + f*p) is a multiple of 2^64.
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * We also have: f*p = f*2^256 - f*2^224 + f*2^192 + f*2^96 - f.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	x = a[0];
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	zl = _umul128(b[0], x, &zh);
0957b409SSimon J. Gerraty	f = zl;
0957b409SSimon J. Gerraty	t0 = zh;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	zl = _umul128(b[1], x, &zh);
0957b409SSimon J. Gerraty	k = _addcarry_u64(0, zl, t0, &zl);
0957b409SSimon J. Gerraty	(void)_addcarry_u64(k, zh, 0, &zh);
0957b409SSimon J. Gerraty	k = _addcarry_u64(0, zl, f << 32, &zl);
0957b409SSimon J. Gerraty	(void)_addcarry_u64(k, zh, 0, &zh);
0957b409SSimon J. Gerraty	t0 = zl;
0957b409SSimon J. Gerraty	t1 = zh;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	zl = _umul128(b[2], x, &zh);
0957b409SSimon J. Gerraty	k = _addcarry_u64(0, zl, t1, &zl);
0957b409SSimon J. Gerraty	(void)_addcarry_u64(k, zh, 0, &zh);
0957b409SSimon J. Gerraty	k = _addcarry_u64(0, zl, f >> 32, &zl);
0957b409SSimon J. Gerraty	(void)_addcarry_u64(k, zh, 0, &zh);
0957b409SSimon J. Gerraty	t1 = zl;
0957b409SSimon J. Gerraty	t2 = zh;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	zl = _umul128(b[3], x, &zh);
0957b409SSimon J. Gerraty	k = _addcarry_u64(0, zl, t2, &zl);
0957b409SSimon J. Gerraty	(void)_addcarry_u64(k, zh, 0, &zh);
0957b409SSimon J. Gerraty	k = _addcarry_u64(0, zl, f, &zl);
0957b409SSimon J. Gerraty	(void)_addcarry_u64(k, zh, 0, &zh);
0957b409SSimon J. Gerraty	t2 = zl;
0957b409SSimon J. Gerraty	t3 = zh;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	t4 = _addcarry_u64(0, t3, f, &t3);
0957b409SSimon J. Gerraty	k = _subborrow_u64(0, t2, f << 32, &t2);
0957b409SSimon J. Gerraty	k = _subborrow_u64(k, t3, f >> 32, &t3);
0957b409SSimon J. Gerraty	(void)_subborrow_u64(k, t4, 0, &t4);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Steps 2 to 4: t <- (t + a[i]*b + f*p) / 2^64
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	for (i = 1; i < 4; i ++) {
0957b409SSimon J. Gerraty		x = a[i];
0957b409SSimon J. Gerraty		/* f = t0 + x * b[0]; -- computed below */
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		/* t <- (t + x*b - f) / 2^64 */
0957b409SSimon J. Gerraty		zl = _umul128(b[0], x, &zh);
0957b409SSimon J. Gerraty		k = _addcarry_u64(0, zl, t0, &f);
0957b409SSimon J. Gerraty		(void)_addcarry_u64(k, zh, 0, &t0);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		zl = _umul128(b[1], x, &zh);
0957b409SSimon J. Gerraty		k = _addcarry_u64(0, zl, t0, &zl);
0957b409SSimon J. Gerraty		(void)_addcarry_u64(k, zh, 0, &zh);
0957b409SSimon J. Gerraty		k = _addcarry_u64(0, zl, t1, &t0);
0957b409SSimon J. Gerraty		(void)_addcarry_u64(k, zh, 0, &t1);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		zl = _umul128(b[2], x, &zh);
0957b409SSimon J. Gerraty		k = _addcarry_u64(0, zl, t1, &zl);
0957b409SSimon J. Gerraty		(void)_addcarry_u64(k, zh, 0, &zh);
0957b409SSimon J. Gerraty		k = _addcarry_u64(0, zl, t2, &t1);
0957b409SSimon J. Gerraty		(void)_addcarry_u64(k, zh, 0, &t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		zl = _umul128(b[3], x, &zh);
0957b409SSimon J. Gerraty		k = _addcarry_u64(0, zl, t2, &zl);
0957b409SSimon J. Gerraty		(void)_addcarry_u64(k, zh, 0, &zh);
0957b409SSimon J. Gerraty		k = _addcarry_u64(0, zl, t3, &t2);
0957b409SSimon J. Gerraty		(void)_addcarry_u64(k, zh, 0, &t3);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		t4 = _addcarry_u64(0, t3, t4, &t3);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		/* t <- t + f*2^32, carry in k */
0957b409SSimon J. Gerraty		k = _addcarry_u64(0, t0, f << 32, &t0);
0957b409SSimon J. Gerraty		k = _addcarry_u64(k, t1, f >> 32, &t1);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		/* t <- t + f*2^192 - f*2^160 + f*2^128 */
0957b409SSimon J. Gerraty		m = _subborrow_u64(0, f, f << 32, &ffl);
0957b409SSimon J. Gerraty		(void)_subborrow_u64(m, f, f >> 32, &ffh);
0957b409SSimon J. Gerraty		k = _addcarry_u64(k, t2, ffl, &t2);
0957b409SSimon J. Gerraty		k = _addcarry_u64(k, t3, ffh, &t3);
0957b409SSimon J. Gerraty		(void)_addcarry_u64(k, t4, 0, &t4);
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * At that point, we have computed t = (a*b + F*p) / 2^256, where
0957b409SSimon J. Gerraty	 * F is a 256-bit integer whose limbs are the "f" coefficients
0957b409SSimon J. Gerraty	 * in the steps above. We have:
0957b409SSimon J. Gerraty	 *   a <= 2^256-1
0957b409SSimon J. Gerraty	 *   b <= 2^256-1
0957b409SSimon J. Gerraty	 *   F <= 2^256-1
0957b409SSimon J. Gerraty	 * Hence:
0957b409SSimon J. Gerraty	 *   a*b + F*p <= (2^256-1)*(2^256-1) + p*(2^256-1)
0957b409SSimon J. Gerraty	 *   a*b + F*p <= 2^256*(2^256 - 2 + p) + 1 - p
0957b409SSimon J. Gerraty	 * Therefore:
0957b409SSimon J. Gerraty	 *   t < 2^256 + p - 2
0957b409SSimon J. Gerraty	 * Since p < 2^256, it follows that:
0957b409SSimon J. Gerraty	 *   t4 can be only 0 or 1
0957b409SSimon J. Gerraty	 *   t - p < 2^256
0957b409SSimon J. Gerraty	 * We can therefore subtract p from t, conditionally on t4, to
0957b409SSimon J. Gerraty	 * get a nonnegative result that fits on 256 bits.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	k = _addcarry_u64(0, t0, t4, &t0);
0957b409SSimon J. Gerraty	k = _addcarry_u64(k, t1, -(t4 << 32), &t1);
0957b409SSimon J. Gerraty	k = _addcarry_u64(k, t2, -t4, &t2);
0957b409SSimon J. Gerraty	(void)_addcarry_u64(k, t3, (t4 << 32) - (t4 << 1), &t3);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	d[0] = t0;
0957b409SSimon J. Gerraty	d[1] = t1;
0957b409SSimon J. Gerraty	d[2] = t2;
0957b409SSimon J. Gerraty	d[3] = t3;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#endif
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Montgomery squaring in the field; currently a basic wrapper around
0957b409SSimon J. Gerraty * multiplication (inline, should be optimized away).
0957b409SSimon J. Gerraty * TODO: see if some extra speed can be gained here.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic inline void
0957b409SSimon J. Gerratyf256_montysquare(uint64_t *d, const uint64_t *a)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	f256_montymul(d, a, a);
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Convert to Montgomery representation.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic void
0957b409SSimon J. Gerratyf256_tomonty(uint64_t *d, const uint64_t *a)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * R2 = 2^512 mod p.
0957b409SSimon J. Gerraty	 * If R = 2^256 mod p, then R2 = R^2 mod p; and the Montgomery
0957b409SSimon J. Gerraty	 * multiplication of a by R2 is: a*R2/R = a*R mod p, i.e. the
0957b409SSimon J. Gerraty	 * conversion to Montgomery representation.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	static const uint64_t R2[] = {
0957b409SSimon J. Gerraty		0x0000000000000003,
0957b409SSimon J. Gerraty		0xFFFFFFFBFFFFFFFF,
0957b409SSimon J. Gerraty		0xFFFFFFFFFFFFFFFE,
0957b409SSimon J. Gerraty		0x00000004FFFFFFFD
0957b409SSimon J. Gerraty	};
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	f256_montymul(d, a, R2);
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Convert from Montgomery representation.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic void
0957b409SSimon J. Gerratyf256_frommonty(uint64_t *d, const uint64_t *a)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Montgomery multiplication by 1 is division by 2^256 modulo p.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	static const uint64_t one[] = { 1, 0, 0, 0 };
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	f256_montymul(d, a, one);
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Inversion in the field. If the source value is 0 modulo p, then this
0957b409SSimon J. Gerraty * returns 0 or p. This function uses Montgomery representation.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic void
0957b409SSimon J. Gerratyf256_invert(uint64_t *d, const uint64_t *a)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * We compute a^(p-2) mod p. The exponent pattern (from high to
0957b409SSimon J. Gerraty	 * low) is:
0957b409SSimon J. Gerraty	 *  - 32 bits of value 1
0957b409SSimon J. Gerraty	 *  - 31 bits of value 0
0957b409SSimon J. Gerraty	 *  - 1 bit of value 1
0957b409SSimon J. Gerraty	 *  - 96 bits of value 0
0957b409SSimon J. Gerraty	 *  - 94 bits of value 1
0957b409SSimon J. Gerraty	 *  - 1 bit of value 0
0957b409SSimon J. Gerraty	 *  - 1 bit of value 1
0957b409SSimon J. Gerraty	 * To speed up the square-and-multiply algorithm, we precompute
0957b409SSimon J. Gerraty	 * a^(2^31-1).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	uint64_t r[4], t[4];
0957b409SSimon J. Gerraty	int i;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	memcpy(t, a, sizeof t);
0957b409SSimon J. Gerraty	for (i = 0; i < 30; i ++) {
0957b409SSimon J. Gerraty		f256_montysquare(t, t);
0957b409SSimon J. Gerraty		f256_montymul(t, t, a);
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	memcpy(r, t, sizeof t);
0957b409SSimon J. Gerraty	for (i = 224; i >= 0; i --) {
0957b409SSimon J. Gerraty		f256_montysquare(r, r);
0957b409SSimon J. Gerraty		switch (i) {
0957b409SSimon J. Gerraty		case 0:
0957b409SSimon J. Gerraty		case 2:
0957b409SSimon J. Gerraty		case 192:
0957b409SSimon J. Gerraty		case 224:
0957b409SSimon J. Gerraty			f256_montymul(r, r, a);
0957b409SSimon J. Gerraty			break;
0957b409SSimon J. Gerraty		case 3:
0957b409SSimon J. Gerraty		case 34:
0957b409SSimon J. Gerraty		case 65:
0957b409SSimon J. Gerraty			f256_montymul(r, r, t);
0957b409SSimon J. Gerraty			break;
0957b409SSimon J. Gerraty		}
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty	memcpy(d, r, sizeof r);
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Finalize reduction.
0957b409SSimon J. Gerraty * Input value fits on 256 bits. This function subtracts p if and only
0957b409SSimon J. Gerraty * if the input is greater than or equal to p.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic inline void
0957b409SSimon J. Gerratyf256_final_reduce(uint64_t *a)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty#if BR_INT128
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	uint64_t t0, t1, t2, t3, cc;
0957b409SSimon J. Gerraty	unsigned __int128 z;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * We add 2^224 - 2^192 - 2^96 + 1 to a. If there is no carry,
0957b409SSimon J. Gerraty	 * then a < p; otherwise, the addition result we computed is
0957b409SSimon J. Gerraty	 * the value we must return.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	z = (unsigned __int128)a[0] + 1;
0957b409SSimon J. Gerraty	t0 = (uint64_t)z;
0957b409SSimon J. Gerraty	z = (unsigned __int128)a[1] + (z >> 64) - ((uint64_t)1 << 32);
0957b409SSimon J. Gerraty	t1 = (uint64_t)z;
0957b409SSimon J. Gerraty	z = (unsigned __int128)a[2] - (z >> 127);
0957b409SSimon J. Gerraty	t2 = (uint64_t)z;
0957b409SSimon J. Gerraty	z = (unsigned __int128)a[3] - (z >> 127) + 0xFFFFFFFF;
0957b409SSimon J. Gerraty	t3 = (uint64_t)z;
0957b409SSimon J. Gerraty	cc = -(uint64_t)(z >> 64);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	a[0] ^= cc & (a[0] ^ t0);
0957b409SSimon J. Gerraty	a[1] ^= cc & (a[1] ^ t1);
0957b409SSimon J. Gerraty	a[2] ^= cc & (a[2] ^ t2);
0957b409SSimon J. Gerraty	a[3] ^= cc & (a[3] ^ t3);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#elif BR_UMUL128
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	uint64_t t0, t1, t2, t3, m;
0957b409SSimon J. Gerraty	unsigned char k;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	k = _addcarry_u64(0, a[0], (uint64_t)1, &t0);
0957b409SSimon J. Gerraty	k = _addcarry_u64(k, a[1], -((uint64_t)1 << 32), &t1);
0957b409SSimon J. Gerraty	k = _addcarry_u64(k, a[2], -(uint64_t)1, &t2);
0957b409SSimon J. Gerraty	k = _addcarry_u64(k, a[3], ((uint64_t)1 << 32) - 2, &t3);
0957b409SSimon J. Gerraty	m = -(uint64_t)k;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	a[0] ^= m & (a[0] ^ t0);
0957b409SSimon J. Gerraty	a[1] ^= m & (a[1] ^ t1);
0957b409SSimon J. Gerraty	a[2] ^= m & (a[2] ^ t2);
0957b409SSimon J. Gerraty	a[3] ^= m & (a[3] ^ t3);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#endif
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Points in affine and Jacobian coordinates.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty *  - In affine coordinates, the point-at-infinity cannot be encoded.
0957b409SSimon J. Gerraty *  - Jacobian coordinates (X,Y,Z) correspond to affine (X/Z^2,Y/Z^3);
0957b409SSimon J. Gerraty *    if Z = 0 then this is the point-at-infinity.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratytypedef struct {
0957b409SSimon J. Gerraty	uint64_t x[4];
0957b409SSimon J. Gerraty	uint64_t y[4];
0957b409SSimon J. Gerraty} p256_affine;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerratytypedef struct {
0957b409SSimon J. Gerraty	uint64_t x[4];
0957b409SSimon J. Gerraty	uint64_t y[4];
0957b409SSimon J. Gerraty	uint64_t z[4];
0957b409SSimon J. Gerraty} p256_jacobian;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Decode a point. The returned point is in Jacobian coordinates, but
0957b409SSimon J. Gerraty * with z = 1. If the encoding is invalid, or encodes a point which is
0957b409SSimon J. Gerraty * not on the curve, or encodes the point at infinity, then this function
0957b409SSimon J. Gerraty * returns 0. Otherwise, 1 is returned.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * The buffer is assumed to have length exactly 65 bytes.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic uint32_t
0957b409SSimon J. Gerratypoint_decode(p256_jacobian *P, const unsigned char *buf)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	uint64_t x[4], y[4], t[4], x3[4], tt;
0957b409SSimon J. Gerraty	uint32_t r;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Header byte shall be 0x04.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	r = EQ(buf[0], 0x04);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Decode X and Y coordinates, and convert them into
0957b409SSimon J. Gerraty	 * Montgomery representation.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	x[3] = br_dec64be(buf +  1);
0957b409SSimon J. Gerraty	x[2] = br_dec64be(buf +  9);
0957b409SSimon J. Gerraty	x[1] = br_dec64be(buf + 17);
0957b409SSimon J. Gerraty	x[0] = br_dec64be(buf + 25);
0957b409SSimon J. Gerraty	y[3] = br_dec64be(buf + 33);
0957b409SSimon J. Gerraty	y[2] = br_dec64be(buf + 41);
0957b409SSimon J. Gerraty	y[1] = br_dec64be(buf + 49);
0957b409SSimon J. Gerraty	y[0] = br_dec64be(buf + 57);
0957b409SSimon J. Gerraty	f256_tomonty(x, x);
0957b409SSimon J. Gerraty	f256_tomonty(y, y);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Verify y^2 = x^3 + A*x + B. In curve P-256, A = -3.
0957b409SSimon J. Gerraty	 * Note that the Montgomery representation of 0 is 0. We must
0957b409SSimon J. Gerraty	 * take care to apply the final reduction to make sure we have
0957b409SSimon J. Gerraty	 * 0 and not p.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t, y);
0957b409SSimon J. Gerraty	f256_montysquare(x3, x);
0957b409SSimon J. Gerraty	f256_montymul(x3, x3, x);
0957b409SSimon J. Gerraty	f256_sub(t, t, x3);
0957b409SSimon J. Gerraty	f256_add(t, t, x);
0957b409SSimon J. Gerraty	f256_add(t, t, x);
0957b409SSimon J. Gerraty	f256_add(t, t, x);
0957b409SSimon J. Gerraty	f256_sub(t, t, P256_B_MONTY);
0957b409SSimon J. Gerraty	f256_final_reduce(t);
0957b409SSimon J. Gerraty	tt = t[0] | t[1] | t[2] | t[3];
0957b409SSimon J. Gerraty	r &= EQ((uint32_t)(tt | (tt >> 32)), 0);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Return the point in Jacobian coordinates (and Montgomery
0957b409SSimon J. Gerraty	 * representation).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	memcpy(P->x, x, sizeof x);
0957b409SSimon J. Gerraty	memcpy(P->y, y, sizeof y);
0957b409SSimon J. Gerraty	memcpy(P->z, F256_R, sizeof F256_R);
0957b409SSimon J. Gerraty	return r;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Final conversion for a point:
0957b409SSimon J. Gerraty *  - The point is converted back to affine coordinates.
0957b409SSimon J. Gerraty *  - Final reduction is performed.
0957b409SSimon J. Gerraty *  - The point is encoded into the provided buffer.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * If the point is the point-at-infinity, all operations are performed,
0957b409SSimon J. Gerraty * but the buffer contents are indeterminate, and 0 is returned. Otherwise,
0957b409SSimon J. Gerraty * the encoded point is written in the buffer, and 1 is returned.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic uint32_t
0957b409SSimon J. Gerratypoint_encode(unsigned char *buf, const p256_jacobian *P)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	uint64_t t1[4], t2[4], z;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/* Set t1 = 1/z^2 and t2 = 1/z^3. */
0957b409SSimon J. Gerraty	f256_invert(t2, P->z);
0957b409SSimon J. Gerraty	f256_montysquare(t1, t2);
0957b409SSimon J. Gerraty	f256_montymul(t2, t2, t1);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/* Compute affine coordinates x (in t1) and y (in t2). */
0957b409SSimon J. Gerraty	f256_montymul(t1, P->x, t1);
0957b409SSimon J. Gerraty	f256_montymul(t2, P->y, t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/* Convert back from Montgomery representation, and finalize
0957b409SSimon J. Gerraty	   reductions. */
0957b409SSimon J. Gerraty	f256_frommonty(t1, t1);
0957b409SSimon J. Gerraty	f256_frommonty(t2, t2);
0957b409SSimon J. Gerraty	f256_final_reduce(t1);
0957b409SSimon J. Gerraty	f256_final_reduce(t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/* Encode. */
0957b409SSimon J. Gerraty	buf[0] = 0x04;
0957b409SSimon J. Gerraty	br_enc64be(buf +  1, t1[3]);
0957b409SSimon J. Gerraty	br_enc64be(buf +  9, t1[2]);
0957b409SSimon J. Gerraty	br_enc64be(buf + 17, t1[1]);
0957b409SSimon J. Gerraty	br_enc64be(buf + 25, t1[0]);
0957b409SSimon J. Gerraty	br_enc64be(buf + 33, t2[3]);
0957b409SSimon J. Gerraty	br_enc64be(buf + 41, t2[2]);
0957b409SSimon J. Gerraty	br_enc64be(buf + 49, t2[1]);
0957b409SSimon J. Gerraty	br_enc64be(buf + 57, t2[0]);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/* Return success if and only if P->z != 0. */
0957b409SSimon J. Gerraty	z = P->z[0] | P->z[1] | P->z[2] | P->z[3];
0957b409SSimon J. Gerraty	return NEQ((uint32_t)(z | z >> 32), 0);
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Point doubling in Jacobian coordinates: point P is doubled.
0957b409SSimon J. Gerraty * Note: if the source point is the point-at-infinity, then the result is
0957b409SSimon J. Gerraty * still the point-at-infinity, which is correct. Moreover, if the three
0957b409SSimon J. Gerraty * coordinates were zero, then they still are zero in the returned value.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * (Note: this is true even without the final reduction: if the three
0957b409SSimon J. Gerraty * coordinates are encoded as four words of value zero each, then the
0957b409SSimon J. Gerraty * result will also have all-zero coordinate encodings, not the alternate
0957b409SSimon J. Gerraty * encoding as the integer p.)
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic void
0957b409SSimon J. Gerratyp256_double(p256_jacobian *P)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Doubling formulas are:
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *   s = 4*x*y^2
0957b409SSimon J. Gerraty	 *   m = 3*(x + z^2)*(x - z^2)
0957b409SSimon J. Gerraty	 *   x' = m^2 - 2*s
0957b409SSimon J. Gerraty	 *   y' = m*(s - x') - 8*y^4
0957b409SSimon J. Gerraty	 *   z' = 2*y*z
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * These formulas work for all points, including points of order 2
0957b409SSimon J. Gerraty	 * and points at infinity:
0957b409SSimon J. Gerraty	 *   - If y = 0 then z' = 0. But there is no such point in P-256
0957b409SSimon J. Gerraty	 *     anyway.
0957b409SSimon J. Gerraty	 *   - If z = 0 then z' = 0.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	uint64_t t1[4], t2[4], t3[4], t4[4];
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute z^2 in t1.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t1, P->z);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute x-z^2 in t2 and x+z^2 in t1.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_add(t2, P->x, t1);
0957b409SSimon J. Gerraty	f256_sub(t1, P->x, t1);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute 3*(x+z^2)*(x-z^2) in t1.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montymul(t3, t1, t2);
0957b409SSimon J. Gerraty	f256_add(t1, t3, t3);
0957b409SSimon J. Gerraty	f256_add(t1, t3, t1);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute 4*x*y^2 (in t2) and 2*y^2 (in t3).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t3, P->y);
0957b409SSimon J. Gerraty	f256_add(t3, t3, t3);
0957b409SSimon J. Gerraty	f256_montymul(t2, P->x, t3);
0957b409SSimon J. Gerraty	f256_add(t2, t2, t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute x' = m^2 - 2*s.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(P->x, t1);
0957b409SSimon J. Gerraty	f256_sub(P->x, P->x, t2);
0957b409SSimon J. Gerraty	f256_sub(P->x, P->x, t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute z' = 2*y*z.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montymul(t4, P->y, P->z);
0957b409SSimon J. Gerraty	f256_add(P->z, t4, t4);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute y' = m*(s - x') - 8*y^4. Note that we already have
0957b409SSimon J. Gerraty	 * 2*y^2 in t3.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_sub(t2, t2, P->x);
0957b409SSimon J. Gerraty	f256_montymul(P->y, t1, t2);
0957b409SSimon J. Gerraty	f256_montysquare(t4, t3);
0957b409SSimon J. Gerraty	f256_add(t4, t4, t4);
0957b409SSimon J. Gerraty	f256_sub(P->y, P->y, t4);
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Point addition (Jacobian coordinates): P1 is replaced with P1+P2.
0957b409SSimon J. Gerraty * This function computes the wrong result in the following cases:
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty *   - If P1 == 0 but P2 != 0
0957b409SSimon J. Gerraty *   - If P1 != 0 but P2 == 0
0957b409SSimon J. Gerraty *   - If P1 == P2
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * In all three cases, P1 is set to the point at infinity.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * Returned value is 0 if one of the following occurs:
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty *   - P1 and P2 have the same Y coordinate.
0957b409SSimon J. Gerraty *   - P1 == 0 and P2 == 0.
0957b409SSimon J. Gerraty *   - The Y coordinate of one of the points is 0 and the other point is
0957b409SSimon J. Gerraty *     the point at infinity.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * The third case cannot actually happen with valid points, since a point
0957b409SSimon J. Gerraty * with Y == 0 is a point of order 2, and there is no point of order 2 on
0957b409SSimon J. Gerraty * curve P-256.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * Therefore, assuming that P1 != 0 and P2 != 0 on input, then the caller
0957b409SSimon J. Gerraty * can apply the following:
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty *   - If the result is not the point at infinity, then it is correct.
0957b409SSimon J. Gerraty *   - Otherwise, if the returned value is 1, then this is a case of
0957b409SSimon J. Gerraty *     P1+P2 == 0, so the result is indeed the point at infinity.
0957b409SSimon J. Gerraty *   - Otherwise, P1 == P2, so a "double" operation should have been
0957b409SSimon J. Gerraty *     performed.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * Note that you can get a returned value of 0 with a correct result,
0957b409SSimon J. Gerraty * e.g. if P1 and P2 have the same Y coordinate, but distinct X coordinates.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic uint32_t
0957b409SSimon J. Gerratyp256_add(p256_jacobian *P1, const p256_jacobian *P2)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Addtions formulas are:
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *   u1 = x1 * z2^2
0957b409SSimon J. Gerraty	 *   u2 = x2 * z1^2
0957b409SSimon J. Gerraty	 *   s1 = y1 * z2^3
0957b409SSimon J. Gerraty	 *   s2 = y2 * z1^3
0957b409SSimon J. Gerraty	 *   h = u2 - u1
0957b409SSimon J. Gerraty	 *   r = s2 - s1
0957b409SSimon J. Gerraty	 *   x3 = r^2 - h^3 - 2 * u1 * h^2
0957b409SSimon J. Gerraty	 *   y3 = r * (u1 * h^2 - x3) - s1 * h^3
0957b409SSimon J. Gerraty	 *   z3 = h * z1 * z2
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	uint64_t t1[4], t2[4], t3[4], t4[4], t5[4], t6[4], t7[4], tt;
0957b409SSimon J. Gerraty	uint32_t ret;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute u1 = x1*z2^2 (in t1) and s1 = y1*z2^3 (in t3).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t3, P2->z);
0957b409SSimon J. Gerraty	f256_montymul(t1, P1->x, t3);
0957b409SSimon J. Gerraty	f256_montymul(t4, P2->z, t3);
0957b409SSimon J. Gerraty	f256_montymul(t3, P1->y, t4);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t4, P1->z);
0957b409SSimon J. Gerraty	f256_montymul(t2, P2->x, t4);
0957b409SSimon J. Gerraty	f256_montymul(t5, P1->z, t4);
0957b409SSimon J. Gerraty	f256_montymul(t4, P2->y, t5);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute h = h2 - u1 (in t2) and r = s2 - s1 (in t4).
0957b409SSimon J. Gerraty	 * We need to test whether r is zero, so we will do some extra
0957b409SSimon J. Gerraty	 * reduce.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_sub(t2, t2, t1);
0957b409SSimon J. Gerraty	f256_sub(t4, t4, t3);
0957b409SSimon J. Gerraty	f256_final_reduce(t4);
0957b409SSimon J. Gerraty	tt = t4[0] | t4[1] | t4[2] | t4[3];
0957b409SSimon J. Gerraty	ret = (uint32_t)(tt | (tt >> 32));
0957b409SSimon J. Gerraty	ret = (ret | -ret) >> 31;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute u1*h^2 (in t6) and h^3 (in t5);
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t7, t2);
0957b409SSimon J. Gerraty	f256_montymul(t6, t1, t7);
0957b409SSimon J. Gerraty	f256_montymul(t5, t7, t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute x3 = r^2 - h^3 - 2*u1*h^2.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(P1->x, t4);
0957b409SSimon J. Gerraty	f256_sub(P1->x, P1->x, t5);
0957b409SSimon J. Gerraty	f256_sub(P1->x, P1->x, t6);
0957b409SSimon J. Gerraty	f256_sub(P1->x, P1->x, t6);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_sub(t6, t6, P1->x);
0957b409SSimon J. Gerraty	f256_montymul(P1->y, t4, t6);
0957b409SSimon J. Gerraty	f256_montymul(t1, t5, t3);
0957b409SSimon J. Gerraty	f256_sub(P1->y, P1->y, t1);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute z3 = h*z1*z2.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montymul(t1, P1->z, P2->z);
0957b409SSimon J. Gerraty	f256_montymul(P1->z, t1, t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	return ret;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Point addition (mixed coordinates): P1 is replaced with P1+P2.
0957b409SSimon J. Gerraty * This is a specialised function for the case when P2 is a non-zero point
0957b409SSimon J. Gerraty * in affine coordinates.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * This function computes the wrong result in the following cases:
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty *   - If P1 == 0
0957b409SSimon J. Gerraty *   - If P1 == P2
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * In both cases, P1 is set to the point at infinity.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * Returned value is 0 if one of the following occurs:
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty *   - P1 and P2 have the same Y (affine) coordinate.
0957b409SSimon J. Gerraty *   - The Y coordinate of P2 is 0 and P1 is the point at infinity.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * The second case cannot actually happen with valid points, since a point
0957b409SSimon J. Gerraty * with Y == 0 is a point of order 2, and there is no point of order 2 on
0957b409SSimon J. Gerraty * curve P-256.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * Therefore, assuming that P1 != 0 on input, then the caller
0957b409SSimon J. Gerraty * can apply the following:
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty *   - If the result is not the point at infinity, then it is correct.
0957b409SSimon J. Gerraty *   - Otherwise, if the returned value is 1, then this is a case of
0957b409SSimon J. Gerraty *     P1+P2 == 0, so the result is indeed the point at infinity.
0957b409SSimon J. Gerraty *   - Otherwise, P1 == P2, so a "double" operation should have been
0957b409SSimon J. Gerraty *     performed.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * Again, a value of 0 may be returned in some cases where the addition
0957b409SSimon J. Gerraty * result is correct.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic uint32_t
0957b409SSimon J. Gerratyp256_add_mixed(p256_jacobian *P1, const p256_affine *P2)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Addtions formulas are:
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *   u1 = x1
0957b409SSimon J. Gerraty	 *   u2 = x2 * z1^2
0957b409SSimon J. Gerraty	 *   s1 = y1
0957b409SSimon J. Gerraty	 *   s2 = y2 * z1^3
0957b409SSimon J. Gerraty	 *   h = u2 - u1
0957b409SSimon J. Gerraty	 *   r = s2 - s1
0957b409SSimon J. Gerraty	 *   x3 = r^2 - h^3 - 2 * u1 * h^2
0957b409SSimon J. Gerraty	 *   y3 = r * (u1 * h^2 - x3) - s1 * h^3
0957b409SSimon J. Gerraty	 *   z3 = h * z1
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	uint64_t t1[4], t2[4], t3[4], t4[4], t5[4], t6[4], t7[4], tt;
0957b409SSimon J. Gerraty	uint32_t ret;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute u1 = x1 (in t1) and s1 = y1 (in t3).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	memcpy(t1, P1->x, sizeof t1);
0957b409SSimon J. Gerraty	memcpy(t3, P1->y, sizeof t3);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t4, P1->z);
0957b409SSimon J. Gerraty	f256_montymul(t2, P2->x, t4);
0957b409SSimon J. Gerraty	f256_montymul(t5, P1->z, t4);
0957b409SSimon J. Gerraty	f256_montymul(t4, P2->y, t5);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute h = h2 - u1 (in t2) and r = s2 - s1 (in t4).
0957b409SSimon J. Gerraty	 * We need to test whether r is zero, so we will do some extra
0957b409SSimon J. Gerraty	 * reduce.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_sub(t2, t2, t1);
0957b409SSimon J. Gerraty	f256_sub(t4, t4, t3);
0957b409SSimon J. Gerraty	f256_final_reduce(t4);
0957b409SSimon J. Gerraty	tt = t4[0] | t4[1] | t4[2] | t4[3];
0957b409SSimon J. Gerraty	ret = (uint32_t)(tt | (tt >> 32));
0957b409SSimon J. Gerraty	ret = (ret | -ret) >> 31;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute u1*h^2 (in t6) and h^3 (in t5);
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t7, t2);
0957b409SSimon J. Gerraty	f256_montymul(t6, t1, t7);
0957b409SSimon J. Gerraty	f256_montymul(t5, t7, t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute x3 = r^2 - h^3 - 2*u1*h^2.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(P1->x, t4);
0957b409SSimon J. Gerraty	f256_sub(P1->x, P1->x, t5);
0957b409SSimon J. Gerraty	f256_sub(P1->x, P1->x, t6);
0957b409SSimon J. Gerraty	f256_sub(P1->x, P1->x, t6);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_sub(t6, t6, P1->x);
0957b409SSimon J. Gerraty	f256_montymul(P1->y, t4, t6);
0957b409SSimon J. Gerraty	f256_montymul(t1, t5, t3);
0957b409SSimon J. Gerraty	f256_sub(P1->y, P1->y, t1);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute z3 = h*z1*z2.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montymul(P1->z, P1->z, t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	return ret;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#if 0
0957b409SSimon J. Gerraty/* unused */
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Point addition (mixed coordinates, complete): P1 is replaced with P1+P2.
0957b409SSimon J. Gerraty * This is a specialised function for the case when P2 is a non-zero point
0957b409SSimon J. Gerraty * in affine coordinates.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * This function returns the correct result in all cases.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic uint32_t
0957b409SSimon J. Gerratyp256_add_complete_mixed(p256_jacobian *P1, const p256_affine *P2)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Addtions formulas, in the general case, are:
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *   u1 = x1
0957b409SSimon J. Gerraty	 *   u2 = x2 * z1^2
0957b409SSimon J. Gerraty	 *   s1 = y1
0957b409SSimon J. Gerraty	 *   s2 = y2 * z1^3
0957b409SSimon J. Gerraty	 *   h = u2 - u1
0957b409SSimon J. Gerraty	 *   r = s2 - s1
0957b409SSimon J. Gerraty	 *   x3 = r^2 - h^3 - 2 * u1 * h^2
0957b409SSimon J. Gerraty	 *   y3 = r * (u1 * h^2 - x3) - s1 * h^3
0957b409SSimon J. Gerraty	 *   z3 = h * z1
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * These formulas mishandle the two following cases:
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *  - If P1 is the point-at-infinity (z1 = 0), then z3 is
0957b409SSimon J. Gerraty	 *    incorrectly set to 0.
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *  - If P1 = P2, then u1 = u2 and s1 = s2, and x3, y3 and z3
0957b409SSimon J. Gerraty	 *    are all set to 0.
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * However, if P1 + P2 = 0, then u1 = u2 but s1 != s2, and then
0957b409SSimon J. Gerraty	 * we correctly get z3 = 0 (the point-at-infinity).
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * To fix the case P1 = 0, we perform at the end a copy of P2
0957b409SSimon J. Gerraty	 * over P1, conditional to z1 = 0.
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * For P1 = P2: in that case, both h and r are set to 0, and
0957b409SSimon J. Gerraty	 * we get x3, y3 and z3 equal to 0. We can test for that
0957b409SSimon J. Gerraty	 * occurrence to make a mask which will be all-one if P1 = P2,
0957b409SSimon J. Gerraty	 * or all-zero otherwise; then we can compute the double of P2
0957b409SSimon J. Gerraty	 * and add it, combined with the mask, to (x3,y3,z3).
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * Using the doubling formulas in p256_double() on (x2,y2),
0957b409SSimon J. Gerraty	 * simplifying since P2 is affine (i.e. z2 = 1, implicitly),
0957b409SSimon J. Gerraty	 * we get:
0957b409SSimon J. Gerraty	 *   s = 4*x2*y2^2
0957b409SSimon J. Gerraty	 *   m = 3*(x2 + 1)*(x2 - 1)
0957b409SSimon J. Gerraty	 *   x' = m^2 - 2*s
0957b409SSimon J. Gerraty	 *   y' = m*(s - x') - 8*y2^4
0957b409SSimon J. Gerraty	 *   z' = 2*y2
0957b409SSimon J. Gerraty	 * which requires only 6 multiplications. Added to the 11
0957b409SSimon J. Gerraty	 * multiplications of the normal mixed addition in Jacobian
0957b409SSimon J. Gerraty	 * coordinates, we get a cost of 17 multiplications in total.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	uint64_t t1[4], t2[4], t3[4], t4[4], t5[4], t6[4], t7[4], tt, zz;
0957b409SSimon J. Gerraty	int i;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Set zz to -1 if P1 is the point at infinity, 0 otherwise.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	zz = P1->z[0] | P1->z[1] | P1->z[2] | P1->z[3];
0957b409SSimon J. Gerraty	zz = ((zz | -zz) >> 63) - (uint64_t)1;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute u1 = x1 (in t1) and s1 = y1 (in t3).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	memcpy(t1, P1->x, sizeof t1);
0957b409SSimon J. Gerraty	memcpy(t3, P1->y, sizeof t3);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t4, P1->z);
0957b409SSimon J. Gerraty	f256_montymul(t2, P2->x, t4);
0957b409SSimon J. Gerraty	f256_montymul(t5, P1->z, t4);
0957b409SSimon J. Gerraty	f256_montymul(t4, P2->y, t5);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute h = h2 - u1 (in t2) and r = s2 - s1 (in t4).
0957b409SSimon J. Gerraty	 * reduce.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_sub(t2, t2, t1);
0957b409SSimon J. Gerraty	f256_sub(t4, t4, t3);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * If both h = 0 and r = 0, then P1 = P2, and we want to set
0957b409SSimon J. Gerraty	 * the mask tt to -1; otherwise, the mask will be 0.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_final_reduce(t2);
0957b409SSimon J. Gerraty	f256_final_reduce(t4);
0957b409SSimon J. Gerraty	tt = t2[0] | t2[1] | t2[2] | t2[3] | t4[0] | t4[1] | t4[2] | t4[3];
0957b409SSimon J. Gerraty	tt = ((tt | -tt) >> 63) - (uint64_t)1;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute u1*h^2 (in t6) and h^3 (in t5);
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t7, t2);
0957b409SSimon J. Gerraty	f256_montymul(t6, t1, t7);
0957b409SSimon J. Gerraty	f256_montymul(t5, t7, t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute x3 = r^2 - h^3 - 2*u1*h^2.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(P1->x, t4);
0957b409SSimon J. Gerraty	f256_sub(P1->x, P1->x, t5);
0957b409SSimon J. Gerraty	f256_sub(P1->x, P1->x, t6);
0957b409SSimon J. Gerraty	f256_sub(P1->x, P1->x, t6);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_sub(t6, t6, P1->x);
0957b409SSimon J. Gerraty	f256_montymul(P1->y, t4, t6);
0957b409SSimon J. Gerraty	f256_montymul(t1, t5, t3);
0957b409SSimon J. Gerraty	f256_sub(P1->y, P1->y, t1);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute z3 = h*z1.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montymul(P1->z, P1->z, t2);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * The "double" result, in case P1 = P2.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute z' = 2*y2 (in t1).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_add(t1, P2->y, P2->y);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute 2*(y2^2) (in t2) and s = 4*x2*(y2^2) (in t3).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t2, P2->y);
0957b409SSimon J. Gerraty	f256_add(t2, t2, t2);
0957b409SSimon J. Gerraty	f256_add(t3, t2, t2);
0957b409SSimon J. Gerraty	f256_montymul(t3, P2->x, t3);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute m = 3*(x2^2 - 1) (in t4).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t4, P2->x);
0957b409SSimon J. Gerraty	f256_sub(t4, t4, F256_R);
0957b409SSimon J. Gerraty	f256_add(t5, t4, t4);
0957b409SSimon J. Gerraty	f256_add(t4, t4, t5);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute x' = m^2 - 2*s (in t5).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_montysquare(t5, t4);
0957b409SSimon J. Gerraty	f256_sub(t5, t3);
0957b409SSimon J. Gerraty	f256_sub(t5, t3);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute y' = m*(s - x') - 8*y2^4 (in t6).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_sub(t6, t3, t5);
0957b409SSimon J. Gerraty	f256_montymul(t6, t6, t4);
0957b409SSimon J. Gerraty	f256_montysquare(t7, t2);
0957b409SSimon J. Gerraty	f256_sub(t6, t6, t7);
0957b409SSimon J. Gerraty	f256_sub(t6, t6, t7);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * We now have the alternate (doubling) coordinates in (t5,t6,t1).
0957b409SSimon J. Gerraty	 * We combine them with (x3,y3,z3).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	for (i = 0; i < 4; i ++) {
0957b409SSimon J. Gerraty		P1->x[i] |= tt & t5[i];
0957b409SSimon J. Gerraty		P1->y[i] |= tt & t6[i];
0957b409SSimon J. Gerraty		P1->z[i] |= tt & t1[i];
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * If P1 = 0, then we get z3 = 0 (which is invalid); if z1 is 0,
0957b409SSimon J. Gerraty	 * then we want to replace the result with a copy of P2. The
0957b409SSimon J. Gerraty	 * test on z1 was done at the start, in the zz mask.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	for (i = 0; i < 4; i ++) {
0957b409SSimon J. Gerraty		P1->x[i] ^= zz & (P1->x[i] ^ P2->x[i]);
0957b409SSimon J. Gerraty		P1->y[i] ^= zz & (P1->y[i] ^ P2->y[i]);
0957b409SSimon J. Gerraty		P1->z[i] ^= zz & (P1->z[i] ^ F256_R[i]);
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty#endif
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Inner function for computing a point multiplication. A window is
0957b409SSimon J. Gerraty * provided, with points 1*P to 15*P in affine coordinates.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * Assumptions:
0957b409SSimon J. Gerraty *  - All provided points are valid points on the curve.
0957b409SSimon J. Gerraty *  - Multiplier is non-zero, and smaller than the curve order.
0957b409SSimon J. Gerraty *  - Everything is in Montgomery representation.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic void
0957b409SSimon J. Gerratypoint_mul_inner(p256_jacobian *R, const p256_affine *W,
0957b409SSimon J. Gerraty	const unsigned char *k, size_t klen)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	p256_jacobian Q;
0957b409SSimon J. Gerraty	uint32_t qz;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	memset(&Q, 0, sizeof Q);
0957b409SSimon J. Gerraty	qz = 1;
0957b409SSimon J. Gerraty	while (klen -- > 0) {
0957b409SSimon J. Gerraty		int i;
0957b409SSimon J. Gerraty		unsigned bk;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		bk = *k ++;
0957b409SSimon J. Gerraty		for (i = 0; i < 2; i ++) {
0957b409SSimon J. Gerraty			uint32_t bits;
0957b409SSimon J. Gerraty			uint32_t bnz;
0957b409SSimon J. Gerraty			p256_affine T;
0957b409SSimon J. Gerraty			p256_jacobian U;
0957b409SSimon J. Gerraty			uint32_t n;
0957b409SSimon J. Gerraty			int j;
0957b409SSimon J. Gerraty			uint64_t m;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty			p256_double(&Q);
0957b409SSimon J. Gerraty			p256_double(&Q);
0957b409SSimon J. Gerraty			p256_double(&Q);
0957b409SSimon J. Gerraty			p256_double(&Q);
0957b409SSimon J. Gerraty			bits = (bk >> 4) & 0x0F;
0957b409SSimon J. Gerraty			bnz = NEQ(bits, 0);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty			/*
0957b409SSimon J. Gerraty			 * Lookup point in window. If the bits are 0,
0957b409SSimon J. Gerraty			 * we get something invalid, which is not a
0957b409SSimon J. Gerraty			 * problem because we will use it only if the
0957b409SSimon J. Gerraty			 * bits are non-zero.
0957b409SSimon J. Gerraty			 */
0957b409SSimon J. Gerraty			memset(&T, 0, sizeof T);
0957b409SSimon J. Gerraty			for (n = 0; n < 15; n ++) {
0957b409SSimon J. Gerraty				m = -(uint64_t)EQ(bits, n + 1);
0957b409SSimon J. Gerraty				T.x[0] |= m & W[n].x[0];
0957b409SSimon J. Gerraty				T.x[1] |= m & W[n].x[1];
0957b409SSimon J. Gerraty				T.x[2] |= m & W[n].x[2];
0957b409SSimon J. Gerraty				T.x[3] |= m & W[n].x[3];
0957b409SSimon J. Gerraty				T.y[0] |= m & W[n].y[0];
0957b409SSimon J. Gerraty				T.y[1] |= m & W[n].y[1];
0957b409SSimon J. Gerraty				T.y[2] |= m & W[n].y[2];
0957b409SSimon J. Gerraty				T.y[3] |= m & W[n].y[3];
0957b409SSimon J. Gerraty			}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty			U = Q;
0957b409SSimon J. Gerraty			p256_add_mixed(&U, &T);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty			/*
0957b409SSimon J. Gerraty			 * If qz is still 1, then Q was all-zeros, and this
0957b409SSimon J. Gerraty			 * is conserved through p256_double().
0957b409SSimon J. Gerraty			 */
0957b409SSimon J. Gerraty			m = -(uint64_t)(bnz & qz);
0957b409SSimon J. Gerraty			for (j = 0; j < 4; j ++) {
0957b409SSimon J. Gerraty				Q.x[j] |= m & T.x[j];
0957b409SSimon J. Gerraty				Q.y[j] |= m & T.y[j];
0957b409SSimon J. Gerraty				Q.z[j] |= m & F256_R[j];
0957b409SSimon J. Gerraty			}
0957b409SSimon J. Gerraty			CCOPY(bnz & ~qz, &Q, &U, sizeof Q);
0957b409SSimon J. Gerraty			qz &= ~bnz;
0957b409SSimon J. Gerraty			bk <<= 4;
0957b409SSimon J. Gerraty		}
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty	*R = Q;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Convert a window from Jacobian to affine coordinates. A single
0957b409SSimon J. Gerraty * field inversion is used. This function works for windows up to
0957b409SSimon J. Gerraty * 32 elements.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * The destination array (aff[]) and the source array (jac[]) may
0957b409SSimon J. Gerraty * overlap, provided that the start of aff[] is not after the start of
0957b409SSimon J. Gerraty * jac[]. Even if the arrays do _not_ overlap, the source array is
0957b409SSimon J. Gerraty * modified.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic void
0957b409SSimon J. Gerratywindow_to_affine(p256_affine *aff, p256_jacobian *jac, int num)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Convert the window points to affine coordinates. We use the
0957b409SSimon J. Gerraty	 * following trick to mutualize the inversion computation: if
0957b409SSimon J. Gerraty	 * we have z1, z2, z3, and z4, and want to inverse all of them,
0957b409SSimon J. Gerraty	 * we compute u = 1/(z1*z2*z3*z4), and then we have:
0957b409SSimon J. Gerraty	 *   1/z1 = u*z2*z3*z4
0957b409SSimon J. Gerraty	 *   1/z2 = u*z1*z3*z4
0957b409SSimon J. Gerraty	 *   1/z3 = u*z1*z2*z4
0957b409SSimon J. Gerraty	 *   1/z4 = u*z1*z2*z3
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * The partial products are computed recursively:
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *  - on input (z_1,z_2), return (z_2,z_1) and z_1*z_2
0957b409SSimon J. Gerraty	 *  - on input (z_1,z_2,... z_n):
0957b409SSimon J. Gerraty	 *       recurse on (z_1,z_2,... z_(n/2)) -> r1 and m1
0957b409SSimon J. Gerraty	 *       recurse on (z_(n/2+1),z_(n/2+2)... z_n) -> r2 and m2
0957b409SSimon J. Gerraty	 *       multiply elements of r1 by m2 -> s1
0957b409SSimon J. Gerraty	 *       multiply elements of r2 by m1 -> s2
0957b409SSimon J. Gerraty	 *       return r1||r2 and m1*m2
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * In the example below, we suppose that we have 14 elements.
0957b409SSimon J. Gerraty	 * Let z1, z2,... zE be the 14 values to invert (index noted in
0957b409SSimon J. Gerraty	 * hexadecimal, starting at 1).
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *  - Depth 1:
0957b409SSimon J. Gerraty	 *      swap(z1, z2); z12 = z1*z2
0957b409SSimon J. Gerraty	 *      swap(z3, z4); z34 = z3*z4
0957b409SSimon J. Gerraty	 *      swap(z5, z6); z56 = z5*z6
0957b409SSimon J. Gerraty	 *      swap(z7, z8); z78 = z7*z8
0957b409SSimon J. Gerraty	 *      swap(z9, zA); z9A = z9*zA
0957b409SSimon J. Gerraty	 *      swap(zB, zC); zBC = zB*zC
0957b409SSimon J. Gerraty	 *      swap(zD, zE); zDE = zD*zE
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *  - Depth 2:
0957b409SSimon J. Gerraty	 *      z1 <- z1*z34, z2 <- z2*z34, z3 <- z3*z12, z4 <- z4*z12
0957b409SSimon J. Gerraty	 *      z1234 = z12*z34
0957b409SSimon J. Gerraty	 *      z5 <- z5*z78, z6 <- z6*z78, z7 <- z7*z56, z8 <- z8*z56
0957b409SSimon J. Gerraty	 *      z5678 = z56*z78
0957b409SSimon J. Gerraty	 *      z9 <- z9*zBC, zA <- zA*zBC, zB <- zB*z9A, zC <- zC*z9A
0957b409SSimon J. Gerraty	 *      z9ABC = z9A*zBC
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *  - Depth 3:
0957b409SSimon J. Gerraty	 *      z1 <- z1*z5678, z2 <- z2*z5678, z3 <- z3*z5678, z4 <- z4*z5678
0957b409SSimon J. Gerraty	 *      z5 <- z5*z1234, z6 <- z6*z1234, z7 <- z7*z1234, z8 <- z8*z1234
0957b409SSimon J. Gerraty	 *      z12345678 = z1234*z5678
0957b409SSimon J. Gerraty	 *      z9 <- z9*zDE, zA <- zA*zDE, zB <- zB*zDE, zC <- zC*zDE
0957b409SSimon J. Gerraty	 *      zD <- zD*z9ABC, zE*z9ABC
0957b409SSimon J. Gerraty	 *      z9ABCDE = z9ABC*zDE
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *  - Depth 4:
0957b409SSimon J. Gerraty	 *      multiply z1..z8 by z9ABCDE
0957b409SSimon J. Gerraty	 *      multiply z9..zE by z12345678
0957b409SSimon J. Gerraty	 *      final z = z12345678*z9ABCDE
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	uint64_t z[16][4];
0957b409SSimon J. Gerraty	int i, k, s;
0957b409SSimon J. Gerraty#define zt   (z[15])
0957b409SSimon J. Gerraty#define zu   (z[14])
0957b409SSimon J. Gerraty#define zv   (z[13])
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * First recursion step (pairwise swapping and multiplication).
0957b409SSimon J. Gerraty	 * If there is an odd number of elements, then we "invent" an
0957b409SSimon J. Gerraty	 * extra one with coordinate Z = 1 (in Montgomery representation).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	for (i = 0; (i + 1) < num; i += 2) {
0957b409SSimon J. Gerraty		memcpy(zt, jac[i].z, sizeof zt);
0957b409SSimon J. Gerraty		memcpy(jac[i].z, jac[i + 1].z, sizeof zt);
0957b409SSimon J. Gerraty		memcpy(jac[i + 1].z, zt, sizeof zt);
0957b409SSimon J. Gerraty		f256_montymul(z[i >> 1], jac[i].z, jac[i + 1].z);
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty	if ((num & 1) != 0) {
0957b409SSimon J. Gerraty		memcpy(z[num >> 1], jac[num - 1].z, sizeof zt);
0957b409SSimon J. Gerraty		memcpy(jac[num - 1].z, F256_R, sizeof F256_R);
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Perform further recursion steps. At the entry of each step,
0957b409SSimon J. Gerraty	 * the process has been done for groups of 's' points. The
0957b409SSimon J. Gerraty	 * integer k is the log2 of s.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	for (k = 1, s = 2; s < num; k ++, s <<= 1) {
0957b409SSimon J. Gerraty		int n;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty		for (i = 0; i < num; i ++) {
0957b409SSimon J. Gerraty			f256_montymul(jac[i].z, jac[i].z, z[(i >> k) ^ 1]);
0957b409SSimon J. Gerraty		}
0957b409SSimon J. Gerraty		n = (num + s - 1) >> k;
0957b409SSimon J. Gerraty		for (i = 0; i < (n >> 1); i ++) {
0957b409SSimon J. Gerraty			f256_montymul(z[i], z[i << 1], z[(i << 1) + 1]);
0957b409SSimon J. Gerraty		}
0957b409SSimon J. Gerraty		if ((n & 1) != 0) {
0957b409SSimon J. Gerraty			memmove(z[n >> 1], z[n], sizeof zt);
0957b409SSimon J. Gerraty		}
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Invert the final result, and convert all points.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	f256_invert(zt, z[0]);
0957b409SSimon J. Gerraty	for (i = 0; i < num; i ++) {
0957b409SSimon J. Gerraty		f256_montymul(zv, jac[i].z, zt);
0957b409SSimon J. Gerraty		f256_montysquare(zu, zv);
0957b409SSimon J. Gerraty		f256_montymul(zv, zv, zu);
0957b409SSimon J. Gerraty		f256_montymul(aff[i].x, jac[i].x, zu);
0957b409SSimon J. Gerraty		f256_montymul(aff[i].y, jac[i].y, zv);
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Multiply the provided point by an integer.
0957b409SSimon J. Gerraty * Assumptions:
0957b409SSimon J. Gerraty *  - Source point is a valid curve point.
0957b409SSimon J. Gerraty *  - Source point is not the point-at-infinity.
0957b409SSimon J. Gerraty *  - Integer is not 0, and is lower than the curve order.
0957b409SSimon J. Gerraty * If these conditions are not met, then the result is indeterminate
0957b409SSimon J. Gerraty * (but the process is still constant-time).
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic void
0957b409SSimon J. Gerratyp256_mul(p256_jacobian *P, const unsigned char *k, size_t klen)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	union {
0957b409SSimon J. Gerraty		p256_affine aff[15];
0957b409SSimon J. Gerraty		p256_jacobian jac[15];
0957b409SSimon J. Gerraty	} window;
0957b409SSimon J. Gerraty	int i;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Compute window, in Jacobian coordinates.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	window.jac[0] = *P;
0957b409SSimon J. Gerraty	for (i = 2; i < 16; i ++) {
0957b409SSimon J. Gerraty		window.jac[i - 1] = window.jac[(i >> 1) - 1];
0957b409SSimon J. Gerraty		if ((i & 1) == 0) {
0957b409SSimon J. Gerraty			p256_double(&window.jac[i - 1]);
0957b409SSimon J. Gerraty		} else {
0957b409SSimon J. Gerraty			p256_add(&window.jac[i - 1], &window.jac[i >> 1]);
0957b409SSimon J. Gerraty		}
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Convert the window points to affine coordinates. Point
0957b409SSimon J. Gerraty	 * window[0] is the source point, already in affine coordinates.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	window_to_affine(window.aff, window.jac, 15);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * Perform point multiplication.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	point_mul_inner(P, window.aff, k, klen);
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Precomputed window for the conventional generator: P256_Gwin[n]
0957b409SSimon J. Gerraty * contains (n+1)*G (affine coordinates, in Montgomery representation).
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic const p256_affine P256_Gwin[] = {
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x79E730D418A9143C, 0x75BA95FC5FEDB601,
0957b409SSimon J. Gerraty		  0x79FB732B77622510, 0x18905F76A53755C6 },
0957b409SSimon J. Gerraty		{ 0xDDF25357CE95560A, 0x8B4AB8E4BA19E45C,
0957b409SSimon J. Gerraty		  0xD2E88688DD21F325, 0x8571FF1825885D85 }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x850046D410DDD64D, 0xAA6AE3C1A433827D,
0957b409SSimon J. Gerraty		  0x732205038D1490D9, 0xF6BB32E43DCF3A3B },
0957b409SSimon J. Gerraty		{ 0x2F3648D361BEE1A5, 0x152CD7CBEB236FF8,
0957b409SSimon J. Gerraty		  0x19A8FB0E92042DBE, 0x78C577510A5B8A3B }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0xFFAC3F904EEBC127, 0xB027F84A087D81FB,
0957b409SSimon J. Gerraty		  0x66AD77DD87CBBC98, 0x26936A3FB6FF747E },
0957b409SSimon J. Gerraty		{ 0xB04C5C1FC983A7EB, 0x583E47AD0861FE1A,
0957b409SSimon J. Gerraty		  0x788208311A2EE98E, 0xD5F06A29E587CC07 }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x74B0B50D46918DCC, 0x4650A6EDC623C173,
0957b409SSimon J. Gerraty		  0x0CDAACACE8100AF2, 0x577362F541B0176B },
0957b409SSimon J. Gerraty		{ 0x2D96F24CE4CBABA6, 0x17628471FAD6F447,
0957b409SSimon J. Gerraty		  0x6B6C36DEE5DDD22E, 0x84B14C394C5AB863 }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0xBE1B8AAEC45C61F5, 0x90EC649A94B9537D,
0957b409SSimon J. Gerraty		  0x941CB5AAD076C20C, 0xC9079605890523C8 },
0957b409SSimon J. Gerraty		{ 0xEB309B4AE7BA4F10, 0x73C568EFE5EB882B,
0957b409SSimon J. Gerraty		  0x3540A9877E7A1F68, 0x73A076BB2DD1E916 }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x403947373E77664A, 0x55AE744F346CEE3E,
0957b409SSimon J. Gerraty		  0xD50A961A5B17A3AD, 0x13074B5954213673 },
0957b409SSimon J. Gerraty		{ 0x93D36220D377E44B, 0x299C2B53ADFF14B5,
0957b409SSimon J. Gerraty		  0xF424D44CEF639F11, 0xA4C9916D4A07F75F }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x0746354EA0173B4F, 0x2BD20213D23C00F7,
0957b409SSimon J. Gerraty		  0xF43EAAB50C23BB08, 0x13BA5119C3123E03 },
0957b409SSimon J. Gerraty		{ 0x2847D0303F5B9D4D, 0x6742F2F25DA67BDD,
0957b409SSimon J. Gerraty		  0xEF933BDC77C94195, 0xEAEDD9156E240867 }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x27F14CD19499A78F, 0x462AB5C56F9B3455,
0957b409SSimon J. Gerraty		  0x8F90F02AF02CFC6B, 0xB763891EB265230D },
0957b409SSimon J. Gerraty		{ 0xF59DA3A9532D4977, 0x21E3327DCF9EBA15,
0957b409SSimon J. Gerraty		  0x123C7B84BE60BBF0, 0x56EC12F27706DF76 }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x75C96E8F264E20E8, 0xABE6BFED59A7A841,
0957b409SSimon J. Gerraty		  0x2CC09C0444C8EB00, 0xE05B3080F0C4E16B },
0957b409SSimon J. Gerraty		{ 0x1EB7777AA45F3314, 0x56AF7BEDCE5D45E3,
0957b409SSimon J. Gerraty		  0x2B6E019A88B12F1A, 0x086659CDFD835F9B }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x2C18DBD19DC21EC8, 0x98F9868A0FCF8139,
0957b409SSimon J. Gerraty		  0x737D2CD648250B49, 0xCC61C94724B3428F },
0957b409SSimon J. Gerraty		{ 0x0C2B407880DD9E76, 0xC43A8991383FBE08,
0957b409SSimon J. Gerraty		  0x5F7D2D65779BE5D2, 0x78719A54EB3B4AB5 }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0xEA7D260A6245E404, 0x9DE407956E7FDFE0,
0957b409SSimon J. Gerraty		  0x1FF3A4158DAC1AB5, 0x3E7090F1649C9073 },
0957b409SSimon J. Gerraty		{ 0x1A7685612B944E88, 0x250F939EE57F61C8,
0957b409SSimon J. Gerraty		  0x0C0DAA891EAD643D, 0x68930023E125B88E }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x04B71AA7D2697768, 0xABDEDEF5CA345A33,
0957b409SSimon J. Gerraty		  0x2409D29DEE37385E, 0x4EE1DF77CB83E156 },
0957b409SSimon J. Gerraty		{ 0x0CAC12D91CBB5B43, 0x170ED2F6CA895637,
0957b409SSimon J. Gerraty		  0x28228CFA8ADE6D66, 0x7FF57C9553238ACA }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0xCCC425634B2ED709, 0x0E356769856FD30D,
0957b409SSimon J. Gerraty		  0xBCBCD43F559E9811, 0x738477AC5395B759 },
0957b409SSimon J. Gerraty		{ 0x35752B90C00EE17F, 0x68748390742ED2E3,
0957b409SSimon J. Gerraty		  0x7CD06422BD1F5BC1, 0xFBC08769C9E7B797 }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0xA242A35BB0CF664A, 0x126E48F77F9707E3,
0957b409SSimon J. Gerraty		  0x1717BF54C6832660, 0xFAAE7332FD12C72E },
0957b409SSimon J. Gerraty		{ 0x27B52DB7995D586B, 0xBE29569E832237C2,
0957b409SSimon J. Gerraty		  0xE8E4193E2A65E7DB, 0x152706DC2EAA1BBB }
0957b409SSimon J. Gerraty	},
0957b409SSimon J. Gerraty	{
0957b409SSimon J. Gerraty		{ 0x72BCD8B7BC60055B, 0x03CC23EE56E27E4B,
0957b409SSimon J. Gerraty		  0xEE337424E4819370, 0xE2AA0E430AD3DA09 },
0957b409SSimon J. Gerraty		{ 0x40B8524F6383C45D, 0xD766355442A41B25,
0957b409SSimon J. Gerraty		  0x64EFA6DE778A4797, 0x2042170A7079ADF4 }
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty};
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Multiply the conventional generator of the curve by the provided
0957b409SSimon J. Gerraty * integer. Return is written in *P.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * Assumptions:
0957b409SSimon J. Gerraty *  - Integer is not 0, and is lower than the curve order.
0957b409SSimon J. Gerraty * If this conditions is not met, then the result is indeterminate
0957b409SSimon J. Gerraty * (but the process is still constant-time).
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic void
0957b409SSimon J. Gerratyp256_mulgen(p256_jacobian *P, const unsigned char *k, size_t klen)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	point_mul_inner(P, P256_Gwin, k, klen);
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/*
0957b409SSimon J. Gerraty * Return 1 if all of the following hold:
0957b409SSimon J. Gerraty *  - klen <= 32
0957b409SSimon J. Gerraty *  - k != 0
0957b409SSimon J. Gerraty *  - k is lower than the curve order
0957b409SSimon J. Gerraty * Otherwise, return 0.
0957b409SSimon J. Gerraty *
0957b409SSimon J. Gerraty * Constant-time behaviour: only klen may be observable.
0957b409SSimon J. Gerraty */
0957b409SSimon J. Gerratystatic uint32_t
0957b409SSimon J. Gerratycheck_scalar(const unsigned char *k, size_t klen)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	uint32_t z;
0957b409SSimon J. Gerraty	int32_t c;
0957b409SSimon J. Gerraty	size_t u;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	if (klen > 32) {
0957b409SSimon J. Gerraty		return 0;
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty	z = 0;
0957b409SSimon J. Gerraty	for (u = 0; u < klen; u ++) {
0957b409SSimon J. Gerraty		z |= k[u];
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty	if (klen == 32) {
0957b409SSimon J. Gerraty		c = 0;
0957b409SSimon J. Gerraty		for (u = 0; u < klen; u ++) {
0957b409SSimon J. Gerraty			c |= -(int32_t)EQ0(c) & CMP(k[u], P256_N[u]);
0957b409SSimon J. Gerraty		}
0957b409SSimon J. Gerraty	} else {
0957b409SSimon J. Gerraty		c = -1;
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty	return NEQ(z, 0) & LT0(c);
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerratystatic uint32_t
0957b409SSimon J. Gerratyapi_mul(unsigned char *G, size_t Glen,
0957b409SSimon J. Gerraty	const unsigned char *k, size_t klen, int curve)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	uint32_t r;
0957b409SSimon J. Gerraty	p256_jacobian P;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	(void)curve;
0957b409SSimon J. Gerraty	if (Glen != 65) {
0957b409SSimon J. Gerraty		return 0;
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty	r = check_scalar(k, klen);
0957b409SSimon J. Gerraty	r &= point_decode(&P, G);
0957b409SSimon J. Gerraty	p256_mul(&P, k, klen);
0957b409SSimon J. Gerraty	r &= point_encode(G, &P);
0957b409SSimon J. Gerraty	return r;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerratystatic size_t
0957b409SSimon J. Gerratyapi_mulgen(unsigned char *R,
0957b409SSimon J. Gerraty	const unsigned char *k, size_t klen, int curve)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	p256_jacobian P;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	(void)curve;
0957b409SSimon J. Gerraty	p256_mulgen(&P, k, klen);
0957b409SSimon J. Gerraty	point_encode(R, &P);
0957b409SSimon J. Gerraty	return 65;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerratystatic uint32_t
0957b409SSimon J. Gerratyapi_muladd(unsigned char *A, const unsigned char *B, size_t len,
0957b409SSimon J. Gerraty	const unsigned char *x, size_t xlen,
0957b409SSimon J. Gerraty	const unsigned char *y, size_t ylen, int curve)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * We might want to use Shamir's trick here: make a composite
0957b409SSimon J. Gerraty	 * window of u*P+v*Q points, to merge the two doubling-ladders
0957b409SSimon J. Gerraty	 * into one. This, however, has some complications:
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *  - During the computation, we may hit the point-at-infinity.
0957b409SSimon J. Gerraty	 *    Thus, we would need p256_add_complete_mixed() (complete
0957b409SSimon J. Gerraty	 *    formulas for point addition), with a higher cost (17 muls
0957b409SSimon J. Gerraty	 *    instead of 11).
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *  - A 4-bit window would be too large, since it would involve
0957b409SSimon J. Gerraty	 *    16*16-1 = 255 points. For the same window size as in the
0957b409SSimon J. Gerraty	 *    p256_mul() case, we would need to reduce the window size
0957b409SSimon J. Gerraty	 *    to 2 bits, and thus perform twice as many non-doubling
0957b409SSimon J. Gerraty	 *    point additions.
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *  - The window may itself contain the point-at-infinity, and
0957b409SSimon J. Gerraty	 *    thus cannot be in all generality be made of affine points.
0957b409SSimon J. Gerraty	 *    Instead, we would need to make it a window of points in
0957b409SSimon J. Gerraty	 *    Jacobian coordinates. Even p256_add_complete_mixed() would
0957b409SSimon J. Gerraty	 *    be inappropriate.
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 * For these reasons, the code below performs two separate
0957b409SSimon J. Gerraty	 * point multiplications, then computes the final point addition
0957b409SSimon J. Gerraty	 * (which is both a "normal" addition, and a doubling, to handle
0957b409SSimon J. Gerraty	 * all cases).
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	p256_jacobian P, Q;
0957b409SSimon J. Gerraty	uint32_t r, t, s;
0957b409SSimon J. Gerraty	uint64_t z;
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	(void)curve;
0957b409SSimon J. Gerraty	if (len != 65) {
0957b409SSimon J. Gerraty		return 0;
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty	r = point_decode(&P, A);
0957b409SSimon J. Gerraty	p256_mul(&P, x, xlen);
0957b409SSimon J. Gerraty	if (B == NULL) {
0957b409SSimon J. Gerraty		p256_mulgen(&Q, y, ylen);
0957b409SSimon J. Gerraty	} else {
0957b409SSimon J. Gerraty		r &= point_decode(&Q, B);
0957b409SSimon J. Gerraty		p256_mul(&Q, y, ylen);
0957b409SSimon J. Gerraty	}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * The final addition may fail in case both points are equal.
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	t = p256_add(&P, &Q);
0957b409SSimon J. Gerraty	f256_final_reduce(P.z);
0957b409SSimon J. Gerraty	z = P.z[0] | P.z[1] | P.z[2] | P.z[3];
0957b409SSimon J. Gerraty	s = EQ((uint32_t)(z | (z >> 32)), 0);
0957b409SSimon J. Gerraty	p256_double(&Q);
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty	/*
0957b409SSimon J. Gerraty	 * If s is 1 then either P+Q = 0 (t = 1) or P = Q (t = 0). So we
0957b409SSimon J. Gerraty	 * have the following:
0957b409SSimon J. Gerraty	 *
0957b409SSimon J. Gerraty	 *   s = 0, t = 0   return P (normal addition)
0957b409SSimon J. Gerraty	 *   s = 0, t = 1   return P (normal addition)
0957b409SSimon J. Gerraty	 *   s = 1, t = 0   return Q (a 'double' case)
0957b409SSimon J. Gerraty	 *   s = 1, t = 1   report an error (P+Q = 0)
0957b409SSimon J. Gerraty	 */
0957b409SSimon J. Gerraty	CCOPY(s & ~t, &P, &Q, sizeof Q);
0957b409SSimon J. Gerraty	point_encode(A, &P);
0957b409SSimon J. Gerraty	r &= ~(s & t);
0957b409SSimon J. Gerraty	return r;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/* see bearssl_ec.h */
0957b409SSimon J. Gerratyconst br_ec_impl br_ec_p256_m64 = {
0957b409SSimon J. Gerraty	(uint32_t)0x00800000,
0957b409SSimon J. Gerraty	&api_generator,
0957b409SSimon J. Gerraty	&api_order,
0957b409SSimon J. Gerraty	&api_xoff,
0957b409SSimon J. Gerraty	&api_mul,
0957b409SSimon J. Gerraty	&api_mulgen,
0957b409SSimon J. Gerraty	&api_muladd
0957b409SSimon J. Gerraty};
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/* see bearssl_ec.h */
0957b409SSimon J. Gerratyconst br_ec_impl *
0957b409SSimon J. Gerratybr_ec_p256_m64_get(void)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	return &br_ec_p256_m64;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#else
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty/* see bearssl_ec.h */
0957b409SSimon J. Gerratyconst br_ec_impl *
0957b409SSimon J. Gerratybr_ec_p256_m64_get(void)
0957b409SSimon J. Gerraty{
0957b409SSimon J. Gerraty	return 0;
0957b409SSimon J. Gerraty}
0957b409SSimon J. Gerraty
0957b409SSimon J. Gerraty#endif