ge_scalarmult_base.c 2.4 KB

  1. #include "ge.h"
  2. #include "crypto_uint32.h"
  3. static unsigned char equal(signed char b,signed char c)
  4. {
  5. unsigned char ub = b;
  6. unsigned char uc = c;
  7. unsigned char x = ub ^ uc; /* 0: yes; 1..255: no */
  8. crypto_uint32 y = x; /* 0: yes; 1..255: no */
  9. y -= 1; /* 4294967295: yes; 0..254: no */
  10. y >>= 31; /* 1: yes; 0: no */
  11. return y;
  12. }
  13. static unsigned char negative(signed char b)
  14. {
  15. unsigned long long x = b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */
  16. x >>= 63; /* 1: yes; 0: no */
  17. return x;
  18. }
  19. static void cmov(ge_precomp *t,ge_precomp *u,unsigned char b)
  20. {
  21. fe_cmov(t->yplusx,u->yplusx,b);
  22. fe_cmov(t->yminusx,u->yminusx,b);
  23. fe_cmov(t->xy2d,u->xy2d,b);
  24. }
  25. /* base[i][j] = (j+1)*256^i*B */
  26. static ge_precomp base[32][8] = {
  27. #include "base.h"
  28. } ;
  29. static void select(ge_precomp *t,int pos,signed char b)
  30. {
  31. ge_precomp minust;
  32. unsigned char bnegative = negative(b);
  33. unsigned char babs = b - (((-bnegative) & b) << 1);
  34. ge_precomp_0(t);
  35. cmov(t,&base[pos][0],equal(babs,1));
  36. cmov(t,&base[pos][1],equal(babs,2));
  37. cmov(t,&base[pos][2],equal(babs,3));
  38. cmov(t,&base[pos][3],equal(babs,4));
  39. cmov(t,&base[pos][4],equal(babs,5));
  40. cmov(t,&base[pos][5],equal(babs,6));
  41. cmov(t,&base[pos][6],equal(babs,7));
  42. cmov(t,&base[pos][7],equal(babs,8));
  43. fe_copy(minust.yplusx,t->yminusx);
  44. fe_copy(minust.yminusx,t->yplusx);
  45. fe_neg(minust.xy2d,t->xy2d);
  46. cmov(t,&minust,bnegative);
  47. }
  48. /*
  49. h = a * B
  50. where a = a[0]+256*a[1]+...+256^31 a[31]
  51. B is the Ed25519 base point (x,4/5) with x positive.
  52. Preconditions:
  53. a[31] <= 127
  54. */
  55. void ge_scalarmult_base(ge_p3 *h,const unsigned char *a)
  56. {
  57. signed char e[64];
  58. signed char carry;
  59. ge_p1p1 r;
  60. ge_p2 s;
  61. ge_precomp t;
  62. int i;
  63. for (i = 0;i < 32;++i) {
  64. e[2 * i + 0] = (a[i] >> 0) & 15;
  65. e[2 * i + 1] = (a[i] >> 4) & 15;
  66. }
  67. /* each e[i] is between 0 and 15 */
  68. /* e[63] is between 0 and 7 */
  69. carry = 0;
  70. for (i = 0;i < 63;++i) {
  71. e[i] += carry;
  72. carry = e[i] + 8;
  73. carry >>= 4;
  74. e[i] -= carry << 4;
  75. }
  76. e[63] += carry;
  77. /* each e[i] is between -8 and 8 */
  78. ge_p3_0(h);
  79. for (i = 1;i < 64;i += 2) {
  80. select(&t,i / 2,e[i]);
  81. ge_madd(&r,h,&t); ge_p1p1_to_p3(h,&r);
  82. }
  83. ge_p3_dbl(&r,h); ge_p1p1_to_p2(&s,&r);
  84. ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
  85. ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
  86. ge_p2_dbl(&r,&s); ge_p1p1_to_p3(h,&r);
  87. for (i = 0;i < 64;i += 2) {
  88. select(&t,i / 2,e[i]);
  89. ge_madd(&r,h,&t); ge_p1p1_to_p3(h,&r);
  90. }
  91. }