Line data Source code
1 : #ifndef HEADER_fd_src_ballet_ed25519_fd_curve25519_h
2 : #error "Do not include this directly; use fd_curve25519.h"
3 : #endif
4 :
5 : /* fd_curve25519.h provides the public Curve25519 API.
6 :
7 : Most operations in this API should be assumed to take a variable
8 : amount of time depending on inputs. (And thus should not be exposed
9 : to secret data).
10 :
11 : Const time operations are made explicit, see fd_curve25519_secure.c */
12 :
13 : #include "../../fd_ballet_base.h"
14 : #include "../fd_f25519.h"
15 : #include "../fd_curve25519_scalar.h"
16 : #include "./fd_r43x6_ge.h"
17 :
18 : /* struct fd_curve25519_edwards (aka fd_curve25519_edwards_t) represents
19 : a point in Extended Twisted Edwards Coordinates.
20 : https://eprint.iacr.org/2008/522 */
21 : struct fd_curve25519_edwards {
22 : FD_R43X6_QUAD_DECL( P ) __attribute__((aligned(FD_F25519_ALIGN)));
23 : };
24 : typedef struct fd_curve25519_edwards fd_curve25519_edwards_t;
25 :
26 : typedef fd_curve25519_edwards_t fd_ed25519_point_t;
27 : typedef fd_curve25519_edwards_t fd_ristretto255_point_t;
28 :
29 : #include "../table/fd_curve25519_table_avx512.c"
30 :
31 : FD_PROTOTYPES_BEGIN
32 :
33 : /* fd_ed25519_point_set sets r = 0 (point at infinity). */
34 : FD_25519_INLINE fd_ed25519_point_t *
35 837340 : fd_ed25519_point_set_zero( fd_ed25519_point_t * r ) {
36 837340 : FD_R43X6_GE_ZERO( r->P );
37 837340 : return r;
38 837340 : }
39 :
40 : /* fd_ed25519_point_set_zero_precomputed sets r = 0 (point at infinity). */
41 : FD_25519_INLINE fd_ed25519_point_t *
42 36466240 : fd_ed25519_point_set_zero_precomputed( fd_ed25519_point_t * r ) {
43 36466240 : r->P03 = wwl( 1L,1L,1L,0L, 0L,0L,0L,0L ); r->P14 = wwl_zero(); r->P25 = wwl_zero();
44 36466240 : return r;
45 36466240 : }
46 :
47 : /* fd_ed25519_point_set sets r = a. */
48 : FD_25519_INLINE fd_ed25519_point_t * FD_FN_NO_ASAN
49 : fd_ed25519_point_set( fd_ed25519_point_t * r,
50 89747782 : fd_ed25519_point_t const * a ) {
51 89747782 : r->P03 = a->P03;
52 89747782 : r->P14 = a->P14;
53 89747782 : r->P25 = a->P25;
54 89747782 : return r;
55 89747782 : }
56 :
57 : /* fd_ed25519_point_from sets r = (x : y : z : t). */
58 : FD_25519_INLINE fd_ed25519_point_t *
59 : fd_ed25519_point_from( fd_ed25519_point_t * r,
60 : fd_f25519_t const * x,
61 : fd_f25519_t const * y,
62 : fd_f25519_t const * z,
63 130717 : fd_f25519_t const * t ) {
64 130717 : FD_R43X6_QUAD_PACK( r->P, x->el, y->el, z->el, t->el );
65 130717 : return r;
66 130717 : }
67 :
68 : /* fd_ed25519_point_from sets (x : y : z : t) = a. */
69 : FD_25519_INLINE void
70 : fd_ed25519_point_to( fd_f25519_t * x,
71 : fd_f25519_t * y,
72 : fd_f25519_t * z,
73 : fd_f25519_t * t,
74 1181890 : fd_ed25519_point_t const * a ) {
75 1181890 : FD_R43X6_QUAD_UNPACK( x->el, y->el, z->el, t->el, a->P );
76 1181890 : }
77 :
78 : /* fd_ed25519_point_dbln computes r = 2^n a, and returns r.
79 : More efficient than n fd_ed25519_point_add. */
80 : FD_25519_INLINE fd_ed25519_point_t * FD_FN_NO_ASAN
81 : fd_ed25519_point_dbln( fd_ed25519_point_t * r,
82 : fd_ed25519_point_t const * a,
83 324100 : int n ) {
84 324100 : FD_R43X6_GE_DBL( r->P, a->P );
85 324100 : for( uchar i=1; i<n; i++ ) {
86 0 : FD_R43X6_GE_DBL( r->P, r->P );
87 0 : }
88 324100 : return r;
89 324100 : }
90 :
91 : /* fd_ed25519_point_sub sets r = -a. */
92 : FD_25519_INLINE fd_ed25519_point_t *
93 : fd_ed25519_point_neg( fd_ed25519_point_t * r,
94 1255179 : fd_ed25519_point_t const * a ) {
95 : /* use p instead of zero to avoid mod reduction */
96 1255179 : FD_R43X6_QUAD_DECL( _p );
97 1255179 : _p03 = wwl( 8796093022189L, 8796093022189L, 8796093022189L, 8796093022189L, 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L );
98 1255179 : _p14 = wwl( 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L );
99 1255179 : _p25 = wwl( 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L, 1099511627775L, 1099511627775L, 1099511627775L, 1099511627775L );
100 1255179 : FD_R43X6_QUAD_LANE_SUB_FAST( r->P, a->P, 1,0,0,1, _p, a->P );
101 1255179 : FD_R43X6_QUAD_FOLD_UNSIGNED( r->P, r->P );
102 1255179 : return r;
103 1255179 : }
104 :
105 : /* fd_ed25519_point_is_zero returns 1 if a == 0 (point at infinity), 0 otherwise. */
106 : FD_25519_INLINE int
107 0 : fd_ed25519_point_is_zero( fd_ed25519_point_t const * a ) {
108 0 : fd_ed25519_point_t zero[1];
109 0 : fd_ed25519_point_set_zero( zero );
110 0 : return FD_R43X6_GE_IS_EQ( a->P, zero->P );
111 0 : }
112 :
113 : /* fd_ed25519_point_eq returns 1 if a == b, 0 otherwise. */
114 : FD_25519_INLINE int
115 : fd_ed25519_point_eq( fd_ed25519_point_t const * a,
116 255071 : fd_ed25519_point_t const * b ) {
117 255071 : return FD_R43X6_GE_IS_EQ( a->P, b->P );
118 255071 : }
119 :
120 : /* fd_ed25519_point_eq returns 1 if a == b, 0 otherwise.
121 : b is a point with Z==1, e.g. a decompressed point. */
122 : FD_25519_INLINE int
123 : fd_ed25519_point_eq_z1( fd_ed25519_point_t const * a,
124 255070 : fd_ed25519_point_t const * b ) { /* b.Z == 1, e.g. a decompressed point */
125 255070 : return fd_ed25519_point_eq( a, b );
126 255070 : }
127 :
128 : FD_25519_INLINE void
129 2592800 : fd_curve25519_into_precomputed( fd_ed25519_point_t * r ) {
130 2592800 : FD_R43X6_QUAD_DECL ( _ta );
131 2592800 : FD_R43X6_QUAD_PERMUTE ( _ta, 1,0,2,3, r->P ); /* _ta = (Y1, X1, Z1, T1 ), s61|s61|s61|s61 */
132 2592800 : FD_R43X6_QUAD_LANE_SUB_FAST( _ta, _ta, 1,0,0,0, _ta, r->P ); /* _ta = (Y1-X1,X1, Z1, T1 ), s62|s61|s61|s61 */
133 2592800 : FD_R43X6_QUAD_LANE_ADD_FAST( _ta, _ta, 0,1,0,0, _ta, r->P ); /* _ta = (Y1-X1,Y1+X1,Z1, T1 ), s62|s62|s61|s61 */
134 2592800 : FD_R43X6_QUAD_FOLD_UNSIGNED( r->P, _ta ); /* r = (Y1-X1,Y1+X1,Z1, T1 ), u44|u44|u44|u44 */
135 :
136 2592800 : FD_R43X6_QUAD_DECL ( _1112d );
137 2592800 : FD_R43X6_QUAD_1112d ( _1112d );
138 2592800 : FD_R43X6_QUAD_MUL_FAST ( r->P, r->P, _1112d );
139 : FD_R43X6_QUAD_FOLD_UNSIGNED( r->P, r->P );
140 2592800 : }
141 :
142 : FD_PROTOTYPES_END
|
