Line data Source code
1 : #ifndef HEADER_fd_src_ballet_ed25519_fd_curve25519_h
2 : #error "Do not include this directly; use fd_curve25519.h"
3 : #endif
4 :
5 : /* fd_curve25519.h provides the public Curve25519 API.
6 :
7 : Most operations in this API should be assumed to take a variable
8 : amount of time depending on inputs. (And thus should not be exposed
9 : to secret data).
10 :
11 : Const time operations are made explicit, see fd_curve25519_secure.c */
12 :
13 : #include "../../fd_ballet_base.h"
14 : #include "../fd_f25519.h"
15 : #include "../fd_curve25519_scalar.h"
16 : #include "./fd_r43x6_ge.h"
17 :
18 : /* struct fd_curve25519_edwards (aka fd_curve25519_edwards_t) represents
19 : a point in Extended Twisted Edwards Coordinates.
20 : https://eprint.iacr.org/2008/522 */
21 : struct fd_curve25519_edwards {
22 : FD_R43X6_QUAD_DECL( P ) __attribute__((aligned(FD_F25519_ALIGN)));
23 : };
24 : typedef struct fd_curve25519_edwards fd_curve25519_edwards_t;
25 :
26 : typedef fd_curve25519_edwards_t fd_ed25519_point_t;
27 : typedef fd_curve25519_edwards_t fd_ristretto255_point_t;
28 :
29 : #include "../table/fd_curve25519_table_avx512.c"
30 :
31 : FD_PROTOTYPES_BEGIN
32 :
33 : /* fd_ed25519_point_set sets r = 0 (point at infinity). */
34 : FD_25519_INLINE fd_ed25519_point_t *
35 855608 : fd_ed25519_point_set_zero( fd_ed25519_point_t * r ) {
36 855608 : FD_R43X6_GE_ZERO( r->P );
37 855608 : return r;
38 855608 : }
39 :
40 : /* fd_ed25519_point_set_zero_precomputed sets r = 0 (point at infinity). */
41 : FD_25519_INLINE fd_ed25519_point_t *
42 37545536 : fd_ed25519_point_set_zero_precomputed( fd_ed25519_point_t * r ) {
43 37545536 : r->P03 = wwl( 1L,1L,1L,0L, 0L,0L,0L,0L ); r->P14 = wwl_zero(); r->P25 = wwl_zero();
44 37545536 : return r;
45 37545536 : }
46 :
47 : /* fd_ed25519_point_set sets r = a. */
48 : FD_25519_INLINE fd_ed25519_point_t * FD_FN_NO_ASAN
49 : fd_ed25519_point_set( fd_ed25519_point_t * r,
50 90816846 : fd_ed25519_point_t const * a ) {
51 90816846 : r->P03 = a->P03;
52 90816846 : r->P14 = a->P14;
53 90816846 : r->P25 = a->P25;
54 90816846 : return r;
55 90816846 : }
56 :
57 : /* fd_ed25519_point_from sets r = (x : y : z : t). */
58 : FD_25519_INLINE fd_ed25519_point_t *
59 : fd_ed25519_point_from( fd_ed25519_point_t * r,
60 : fd_f25519_t const * x,
61 : fd_f25519_t const * y,
62 : fd_f25519_t const * z,
63 132806 : fd_f25519_t const * t ) {
64 132806 : FD_R43X6_QUAD_PACK( r->P, x->el, y->el, z->el, t->el );
65 132806 : return r;
66 132806 : }
67 :
68 : /* fd_ed25519_point_from sets (x : y : z : t) = a. */
69 : FD_25519_INLINE void
70 : fd_ed25519_point_to( fd_f25519_t * x,
71 : fd_f25519_t * y,
72 : fd_f25519_t * z,
73 : fd_f25519_t * t,
74 1201247 : fd_ed25519_point_t const * a ) {
75 1201247 : FD_R43X6_QUAD_UNPACK( x->el, y->el, z->el, t->el, a->P );
76 1201247 : }
77 :
78 : /* fd_ed25519_point_dbln computes r = 2^n a, and returns r.
79 : More efficient than n fd_ed25519_point_add. */
80 : FD_25519_INLINE fd_ed25519_point_t * FD_FN_NO_ASAN
81 : fd_ed25519_point_dbln( fd_ed25519_point_t * r,
82 : fd_ed25519_point_t const * a,
83 338733 : int n ) {
84 338733 : FD_R43X6_GE_DBL( r->P, a->P );
85 338733 : for( uchar i=1; i<n; i++ ) {
86 0 : FD_R43X6_GE_DBL( r->P, r->P );
87 0 : }
88 338733 : return r;
89 338733 : }
90 :
91 : /* fd_ed25519_point_sub sets r = -a. */
92 : FD_25519_INLINE fd_ed25519_point_t *
93 : fd_ed25519_point_neg( fd_ed25519_point_t * r,
94 1255868 : fd_ed25519_point_t const * a ) {
95 : /* use p instead of zero to avoid mod reduction */
96 1255868 : FD_R43X6_QUAD_DECL( _p );
97 1255868 : _p03 = wwl( 8796093022189L, 8796093022189L, 8796093022189L, 8796093022189L, 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L );
98 1255868 : _p14 = wwl( 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L );
99 1255868 : _p25 = wwl( 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L, 1099511627775L, 1099511627775L, 1099511627775L, 1099511627775L );
100 : // FD_R43X6_QUAD_LANE_SUB_FAST( r->P, a->P, 1,0,0,1, _p, a->P );
101 : // FD_R43X6_QUAD_FOLD_UNSIGNED( r->P, r->P );
102 1255868 : int _mask = 0x99; /* 1001 1001 */
103 1255868 : r->P03 = wwv_sub_if( _mask, _p03, a->P03, a->P03 );
104 1255868 : r->P14 = wwv_sub_if( _mask, _p14, a->P14, a->P14 );
105 1255868 : r->P25 = wwv_sub_if( _mask, _p25, a->P25, a->P25 );
106 1255868 : return r;
107 1255868 : }
108 :
109 : /* fd_ed25519_point_is_zero returns 1 if a == 0 (point at infinity), 0 otherwise. */
110 : FD_25519_INLINE int
111 0 : fd_ed25519_point_is_zero( fd_ed25519_point_t const * a ) {
112 0 : fd_ed25519_point_t zero[1];
113 0 : fd_ed25519_point_set_zero( zero );
114 0 : return FD_R43X6_GE_IS_EQ( a->P, zero->P );
115 0 : }
116 :
117 : /* fd_ed25519_point_eq returns 1 if a == b, 0 otherwise. */
118 : FD_25519_INLINE int
119 : fd_ed25519_point_eq( fd_ed25519_point_t const * a,
120 255758 : fd_ed25519_point_t const * b ) {
121 255758 : return FD_R43X6_GE_IS_EQ( a->P, b->P );
122 255758 : }
123 :
124 : /* fd_ed25519_point_eq returns 1 if a == b, 0 otherwise.
125 : b is a point with Z==1, e.g. a decompressed point. */
126 : FD_25519_INLINE int
127 : fd_ed25519_point_eq_z1( fd_ed25519_point_t const * a,
128 255757 : fd_ed25519_point_t const * b ) { /* b.Z == 1, e.g. a decompressed point */
129 255757 : return fd_ed25519_point_eq( a, b );
130 255757 : }
131 :
132 : FD_25519_INLINE void
133 2709864 : fd_curve25519_into_precomputed( fd_ed25519_point_t * r ) {
134 2709864 : FD_R43X6_QUAD_DECL ( _ta );
135 2709864 : FD_R43X6_QUAD_PERMUTE ( _ta, 1,0,2,3, r->P ); /* _ta = (Y1, X1, Z1, T1 ), s61|s61|s61|s61 */
136 2709864 : FD_R43X6_QUAD_LANE_SUB_FAST( _ta, _ta, 1,0,0,0, _ta, r->P ); /* _ta = (Y1-X1,X1, Z1, T1 ), s62|s61|s61|s61 */
137 2709864 : FD_R43X6_QUAD_LANE_ADD_FAST( _ta, _ta, 0,1,0,0, _ta, r->P ); /* _ta = (Y1-X1,Y1+X1,Z1, T1 ), s62|s62|s61|s61 */
138 2709864 : FD_R43X6_QUAD_FOLD_UNSIGNED( r->P, _ta ); /* r = (Y1-X1,Y1+X1,Z1, T1 ), u44|u44|u44|u44 */
139 :
140 2709864 : FD_R43X6_QUAD_DECL ( _1112d );
141 2709864 : FD_R43X6_QUAD_1112d ( _1112d );
142 2709864 : FD_R43X6_QUAD_MUL_FAST ( r->P, r->P, _1112d );
143 2709864 : FD_R43X6_QUAD_FOLD_UNSIGNED( r->P, r->P );
144 2709864 : }
145 :
146 : FD_PROTOTYPES_END
|
