kris
/
SIDH_p751
1
0
派生 0
代码 工单 0 合并请求 0 版本发布 0 百科 动态
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
107 提交
14 分支
653 KiB
 
 
 
分支: trials/prep_p503
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 'trials/prep_p503'
${ noResults }
SIDH_p751/p751/arith_generic.go

259 行
5.4 KiB
原始文件 永久链接 Blame 文件历史 

  1. // +build noasm arm64 arm

  2. 

  3. package p751

  4. 

  5. import (

  6. 	. "github.com/cloudflare/p751sidh/internal/isogeny"

  7. )

  8. 

  9. // helper used for uint128 representation

  10. type uint128 struct {

  11. 	H, L uint64

  12. }

  13. 

  14. // Adds 2 64bit digits in constant time.

  15. // Returns result and carry (1 or 0)

  16. func addc64(cin, a, b uint64) (ret, cout uint64) {

  17. 	t := a + cin

  18. 	ret = b + t

  19. 	cout = ((a & b) | ((a | b) & (^ret))) >> 63

  20. 	return

  21. }

  22. 

  23. // Substracts 2 64bit digits in constant time.

  24. // Returns result and borrow (1 or 0)

  25. func subc64(bIn, a, b uint64) (ret, bOut uint64) {

  26. 	var tmp1 = a - b

  27. 	// Set bOut if bIn!=0 and tmp1==0 in constant time

  28. 	bOut = bIn & (1 ^ ((tmp1 | uint64(0-tmp1)) >> 63))

  29. 	// Constant time check if x<y

  30. 	bOut |= (a ^ ((a ^ b) | (uint64(a-b) ^ b))) >> 63

  31. 	ret = tmp1 - bIn

  32. 	return

  33. }

  34. 

  35. // Multiplies 2 64bit digits in constant time

  36. func mul64(a, b uint64) (res uint128) {

  37. 	var al, bl, ah, bh, albl, albh, ahbl, ahbh uint64

  38. 	var res1, res2, res3 uint64

  39. 	var carry, maskL, maskH, temp uint64

  40. 

  41. 	maskL = (^maskL) >> 32

  42. 	maskH = ^maskL

  43. 

  44. 	al = a & maskL

  45. 	ah = a >> 32

  46. 	bl = b & maskL

  47. 	bh = b >> 32

  48. 

  49. 	albl = al * bl

  50. 	albh = al * bh

  51. 	ahbl = ah * bl

  52. 	ahbh = ah * bh

  53. 	res.L = albl & maskL

  54. 

  55. 	res1 = albl >> 32

  56. 	res2 = ahbl & maskL

  57. 	res3 = albh & maskL

  58. 	temp = res1 + res2 + res3

  59. 	carry = temp >> 32

  60. 	res.L ^= temp << 32

  61. 

  62. 	res1 = ahbl >> 32

  63. 	res2 = albh >> 32

  64. 	res3 = ahbh & maskL

  65. 	temp = res1 + res2 + res3 + carry

  66. 	res.H = temp & maskL

  67. 	carry = temp & maskH

  68. 	res.H ^= (ahbh & maskH) + carry

  69. 	return

  70. }

  71. 

  72. // Compute z = x + y (mod p).

  73. func fp751AddReduced(z, x, y *FpElement) {

  74. 	var carry uint64

  75. 

  76. 	// z=x+y % p751

  77. 	for i := 0; i < NumWords; i++ {

  78. 		z[i], carry = addc64(carry, x[i], y[i])

  79. 	}

  80. 

  81. 	// z = z - p751x2

  82. 	carry = 0

  83. 	for i := 0; i < NumWords; i++ {

  84. 		z[i], carry = subc64(carry, z[i], p751x2[i])

  85. 	}

  86. 

  87. 	// z = z + p751x2

  88. 	mask := uint64(0 - carry)

  89. 	carry = 0

  90. 	for i := 0; i < NumWords; i++ {

  91. 		z[i], carry = addc64(carry, z[i], p751x2[i]&mask)

  92. 	}

  93. }

  94. 

  95. // Compute z = x - y (mod p).

  96. func fp751SubReduced(z, x, y *FpElement) {

  97. 	var borrow uint64

  98. 

  99. 	for i := 0; i < NumWords; i++ {

  100. 		z[i], borrow = subc64(borrow, x[i], y[i])

  101. 	}

  102. 

  103. 	mask := uint64(0 - borrow)

  104. 	borrow = 0

  105. 

  106. 	for i := 0; i < NumWords; i++ {

  107. 		z[i], borrow = addc64(borrow, z[i], p751x2[i]&mask)

  108. 	}

  109. }

  110. 

  111. // Conditionally swaps bits in x and y in constant time.

  112. // mask indicates bits to be swaped (set bits are swapped)

  113. // For details see "Hackers Delight, 2.20"

  114. //

  115. // Implementation doesn't actually depend on a prime field.

  116. func fp751ConditionalSwap(x, y *FpElement, mask uint8) {

  117. 	var tmp, mask64 uint64

  118. 

  119. 	mask64 = 0 - uint64(mask)

  120. 	for i := 0; i < len(x); i++ {

  121. 		tmp = mask64 & (x[i] ^ y[i])

  122. 		x[i] = tmp ^ x[i]

  123. 		y[i] = tmp ^ y[i]

  124. 	}

  125. }

  126. 

  127. // Perform Montgomery reduction: set z = x R^{-1} (mod 2*p)

  128. // with R=2^768. Destroys the input value.

  129. func fp751MontgomeryReduce(z *FpElement, x *FpElementX2) {

  130. 	var carry, t, u, v uint64

  131. 	var uv uint128

  132. 	var count int

  133. 

  134. 	count = 5 // number of 0 digits in the least significat part of p751 + 1

  135. 

  136. 	for i := 0; i < NumWords; i++ {

  137. 		for j := 0; j < i; j++ {

  138. 			if j < (i - count + 1) {

  139. 				uv = mul64(z[j], p751p1[i-j])

  140. 				v, carry = addc64(0, uv.L, v)

  141. 				u, carry = addc64(carry, uv.H, u)

  142. 				t += carry

  143. 			}

  144. 		}

  145. 		v, carry = addc64(0, v, x[i])

  146. 		u, carry = addc64(carry, u, 0)

  147. 		t += carry

  148. 

  149. 		z[i] = v

  150. 		v = u

  151. 		u = t

  152. 		t = 0

  153. 	}

  154. 

  155. 	for i := NumWords; i < 2*NumWords-1; i++ {

  156. 		if count > 0 {

  157. 			count--

  158. 		}

  159. 		for j := i - NumWords + 1; j < NumWords; j++ {

  160. 			if j < (NumWords - count) {

  161. 				uv = mul64(z[j], p751p1[i-j])

  162. 				v, carry = addc64(0, uv.L, v)

  163. 				u, carry = addc64(carry, uv.H, u)

  164. 				t += carry

  165. 			}

  166. 		}

  167. 		v, carry = addc64(0, v, x[i])

  168. 		u, carry = addc64(carry, u, 0)

  169. 

  170. 		t += carry

  171. 		z[i-NumWords] = v

  172. 		v = u

  173. 		u = t

  174. 		t = 0

  175. 	}

  176. 	v, carry = addc64(0, v, x[2*NumWords-1])

  177. 	z[NumWords-1] = v

  178. }

  179. 

  180. // Compute z = x * y.

  181. func fp751Mul(z *FpElementX2, x, y *FpElement) {

  182. 	var u, v, t uint64

  183. 	var carry uint64

  184. 	var uv uint128

  185. 

  186. 	for i := uint64(0); i < NumWords; i++ {

  187. 		for j := uint64(0); j <= i; j++ {

  188. 			uv = mul64(x[j], y[i-j])

  189. 			v, carry = addc64(0, uv.L, v)

  190. 			u, carry = addc64(carry, uv.H, u)

  191. 			t += carry

  192. 		}

  193. 		z[i] = v

  194. 		v = u

  195. 		u = t

  196. 		t = 0

  197. 	}

  198. 

  199. 	for i := NumWords; i < (2*NumWords)-1; i++ {

  200. 		for j := i - NumWords + 1; j < NumWords; j++ {

  201. 			uv = mul64(x[j], y[i-j])

  202. 			v, carry = addc64(0, uv.L, v)

  203. 			u, carry = addc64(carry, uv.H, u)

  204. 			t += carry

  205. 		}

  206. 		z[i] = v

  207. 		v = u

  208. 		u = t

  209. 		t = 0

  210. 	}

  211. 	z[2*NumWords-1] = v

  212. }

  213. 

  214. // Compute z = x + y, without reducing mod p.

  215. func fp751AddLazy(z, x, y *FpElement) {

  216. 	var carry uint64

  217. 	for i := 0; i < NumWords; i++ {

  218. 		z[i], carry = addc64(carry, x[i], y[i])

  219. 	}

  220. }

  221. 

  222. // Compute z = x + y, without reducing mod p.

  223. func fp751X2AddLazy(z, x, y *FpElementX2) {

  224. 	var carry uint64

  225. 	for i := 0; i < 2*NumWords; i++ {

  226. 		z[i], carry = addc64(carry, x[i], y[i])

  227. 	}

  228. }

  229. 

  230. // Reduce a field element in [0, 2*p) to one in [0,p).

  231. func fp751StrongReduce(x *FpElement) {

  232. 	var borrow, mask uint64

  233. 	for i := 0; i < NumWords; i++ {

  234. 		x[i], borrow = subc64(borrow, x[i], p751[i])

  235. 	}

  236. 

  237. 	// Sets all bits if borrow = 1

  238. 	mask = 0 - borrow

  239. 	borrow = 0

  240. 	for i := 0; i < NumWords; i++ {

  241. 		x[i], borrow = addc64(borrow, x[i], p751[i]&mask)

  242. 	}

  243. }

  244. 

  245. // Compute z = x - y, without reducing mod p.

  246. func fp751X2SubLazy(z, x, y *FpElementX2) {

  247. 	var borrow, mask uint64

  248. 	for i := 0; i < len(z); i++ {

  249. 		z[i], borrow = subc64(borrow, x[i], y[i])

  250. 	}

  251. 

  252. 	// Sets all bits if borrow = 1

  253. 	mask = 0 - borrow

  254. 	borrow = 0

  255. 	for i := NumWords; i < len(z); i++ {

  256. 		z[i], borrow = addc64(borrow, z[i], p751[i-NumWords]&mask)

  257. 	}

  258. }