kris
/
nobs
mirror of https://github.com/henrydcase/nobs.git
1
0
Fork 0
Code Issues 0 Releases 1 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
79 Commits
11 Branches
11 MiB
 
 
 
 
Tree: 3a8ac85da1
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3a8ac85da1'
${ noResults }
nobs/dh/csidh/fp511.go

289 lines
8.0 KiB
Raw Blame History 

  1. package csidh

  2. 

  3. import (

  4. 	"math/bits"

  5. 

  6. 	"golang.org/x/sys/cpu"

  7. )

  8. 

  9. // CPU Capabilities. Those flags are referred by assembly code. According to

  10. // https://github.com/golang/go/issues/28230, variables referred from the

  11. // assembly must be in the same package.

  12. // We declare variables not constants, in order to facilitate testing.

  13. var (

  14. 	// Signals support for BMI2 (MULX)

  15. 	hasBMI2 = cpu.X86.HasBMI2 //nolint

  16. 	// Signals support for ADX and BMI2

  17. 	hasADXandBMI2 = cpu.X86.HasBMI2 && cpu.X86.HasADX

  18. )

  19. 

  20. // Constant time select.

  21. // if pick == 0xFF..FF (out = in1)

  22. // if pick == 0 (out = in2)

  23. // else out is undefined.

  24. func ctPick64(which uint64, in1, in2 uint64) uint64 {

  25. 	return (in1 & which) | (in2 & ^which)

  26. }

  27. 

  28. // ctIsNonZero64 returns 0 in case i == 0, otherwise it returns 1.

  29. // Constant-time.

  30. func ctIsNonZero64(i uint64) int {

  31. 	// In case i==0 then i-1 will set MSB. Only in such case (i OR ~(i-1))

  32. 	// will result in MSB being not set (logical implication: (i-1)=>i is

  33. 	// false iff (i-1)==0 and i==non-zero). In every other case MSB is

  34. 	// set and hence function returns 1.

  35. 	return int((i | (^(i - 1))) >> 63)

  36. }

  37. 

  38. func mulGeneric(r, x, y *fp) {

  39. 	var s fp // keeps intermediate results

  40. 	var t1, t2 [9]uint64

  41. 	var c, q uint64

  42. 

  43. 	for i := 0; i < numWords-1; i++ {

  44. 		q = ((x[i] * y[0]) + s[0]) * pNegInv[0]

  45. 		mul576(&t1, &p, q)

  46. 		mul576(&t2, y, x[i])

  47. 

  48. 		// x[i]*y + q_i*p

  49. 		t1[0], c = bits.Add64(t1[0], t2[0], 0)

  50. 		t1[1], c = bits.Add64(t1[1], t2[1], c)

  51. 		t1[2], c = bits.Add64(t1[2], t2[2], c)

  52. 		t1[3], c = bits.Add64(t1[3], t2[3], c)

  53. 		t1[4], c = bits.Add64(t1[4], t2[4], c)

  54. 		t1[5], c = bits.Add64(t1[5], t2[5], c)

  55. 		t1[6], c = bits.Add64(t1[6], t2[6], c)

  56. 		t1[7], c = bits.Add64(t1[7], t2[7], c)

  57. 		t1[8], _ = bits.Add64(t1[8], t2[8], c)

  58. 

  59. 		// s = (s + x[i]*y + q_i * p) / R

  60. 		_, c = bits.Add64(t1[0], s[0], 0)

  61. 		s[0], c = bits.Add64(t1[1], s[1], c)

  62. 		s[1], c = bits.Add64(t1[2], s[2], c)

  63. 		s[2], c = bits.Add64(t1[3], s[3], c)

  64. 		s[3], c = bits.Add64(t1[4], s[4], c)

  65. 		s[4], c = bits.Add64(t1[5], s[5], c)

  66. 		s[5], c = bits.Add64(t1[6], s[6], c)

  67. 		s[6], c = bits.Add64(t1[7], s[7], c)

  68. 		s[7], _ = bits.Add64(t1[8], 0, c)

  69. 	}

  70. 

  71. 	// last iteration stores result in r

  72. 	q = ((x[numWords-1] * y[0]) + s[0]) * pNegInv[0]

  73. 	mul576(&t1, &p, q)

  74. 	mul576(&t2, y, x[numWords-1])

  75. 

  76. 	t1[0], c = bits.Add64(t1[0], t2[0], c)

  77. 	t1[1], c = bits.Add64(t1[1], t2[1], c)

  78. 	t1[2], c = bits.Add64(t1[2], t2[2], c)

  79. 	t1[3], c = bits.Add64(t1[3], t2[3], c)

  80. 	t1[4], c = bits.Add64(t1[4], t2[4], c)

  81. 	t1[5], c = bits.Add64(t1[5], t2[5], c)

  82. 	t1[6], c = bits.Add64(t1[6], t2[6], c)

  83. 	t1[7], c = bits.Add64(t1[7], t2[7], c)

  84. 	t1[8], _ = bits.Add64(t1[8], t2[8], c)

  85. 

  86. 	_, c = bits.Add64(t1[0], s[0], 0)

  87. 	r[0], c = bits.Add64(t1[1], s[1], c)

  88. 	r[1], c = bits.Add64(t1[2], s[2], c)

  89. 	r[2], c = bits.Add64(t1[3], s[3], c)

  90. 	r[3], c = bits.Add64(t1[4], s[4], c)

  91. 	r[4], c = bits.Add64(t1[5], s[5], c)

  92. 	r[5], c = bits.Add64(t1[6], s[6], c)

  93. 	r[6], c = bits.Add64(t1[7], s[7], c)

  94. 	r[7], _ = bits.Add64(t1[8], 0, c)

  95. }

  96. 

  97. // Returns result of x<y operation.

  98. func isLess(x, y *fp) bool {

  99. 	for i := numWords - 1; i >= 0; i-- {

  100. 		v, c := bits.Sub64(y[i], x[i], 0)

  101. 		if c != 0 {

  102. 			return false

  103. 		}

  104. 		if v != 0 {

  105. 			return true

  106. 		}

  107. 	}

  108. 	// x == y

  109. 	return false

  110. }

  111. 

  112. // r = x + y mod p.

  113. func addRdc(r, x, y *fp) {

  114. 	var c uint64

  115. 	var t fp

  116. 	r[0], c = bits.Add64(x[0], y[0], 0)

  117. 	r[1], c = bits.Add64(x[1], y[1], c)

  118. 	r[2], c = bits.Add64(x[2], y[2], c)

  119. 	r[3], c = bits.Add64(x[3], y[3], c)

  120. 	r[4], c = bits.Add64(x[4], y[4], c)

  121. 	r[5], c = bits.Add64(x[5], y[5], c)

  122. 	r[6], c = bits.Add64(x[6], y[6], c)

  123. 	r[7], _ = bits.Add64(x[7], y[7], c)

  124. 

  125. 	t[0], c = bits.Sub64(r[0], p[0], 0)

  126. 	t[1], c = bits.Sub64(r[1], p[1], c)

  127. 	t[2], c = bits.Sub64(r[2], p[2], c)

  128. 	t[3], c = bits.Sub64(r[3], p[3], c)

  129. 	t[4], c = bits.Sub64(r[4], p[4], c)

  130. 	t[5], c = bits.Sub64(r[5], p[5], c)

  131. 	t[6], c = bits.Sub64(r[6], p[6], c)

  132. 	t[7], c = bits.Sub64(r[7], p[7], c)

  133. 

  134. 	var w = 0 - c

  135. 	r[0] = ctPick64(w, r[0], t[0])

  136. 	r[1] = ctPick64(w, r[1], t[1])

  137. 	r[2] = ctPick64(w, r[2], t[2])

  138. 	r[3] = ctPick64(w, r[3], t[3])

  139. 	r[4] = ctPick64(w, r[4], t[4])

  140. 	r[5] = ctPick64(w, r[5], t[5])

  141. 	r[6] = ctPick64(w, r[6], t[6])

  142. 	r[7] = ctPick64(w, r[7], t[7])

  143. }

  144. 

  145. // r = x - y.

  146. func sub512(r, x, y *fp) uint64 {

  147. 	var c uint64

  148. 	r[0], c = bits.Sub64(x[0], y[0], 0)

  149. 	r[1], c = bits.Sub64(x[1], y[1], c)

  150. 	r[2], c = bits.Sub64(x[2], y[2], c)

  151. 	r[3], c = bits.Sub64(x[3], y[3], c)

  152. 	r[4], c = bits.Sub64(x[4], y[4], c)

  153. 	r[5], c = bits.Sub64(x[5], y[5], c)

  154. 	r[6], c = bits.Sub64(x[6], y[6], c)

  155. 	r[7], c = bits.Sub64(x[7], y[7], c)

  156. 	return c

  157. }

  158. 

  159. // r = x - y mod p.

  160. func subRdc(r, x, y *fp) {

  161. 	var c uint64

  162. 

  163. 	// Same as sub512(r,x,y). Unfortunately

  164. 	// compiler is not able to inline it.

  165. 	r[0], c = bits.Sub64(x[0], y[0], 0)

  166. 	r[1], c = bits.Sub64(x[1], y[1], c)

  167. 	r[2], c = bits.Sub64(x[2], y[2], c)

  168. 	r[3], c = bits.Sub64(x[3], y[3], c)

  169. 	r[4], c = bits.Sub64(x[4], y[4], c)

  170. 	r[5], c = bits.Sub64(x[5], y[5], c)

  171. 	r[6], c = bits.Sub64(x[6], y[6], c)

  172. 	r[7], c = bits.Sub64(x[7], y[7], c)

  173. 

  174. 	// if x<y => r=x-y+p

  175. 	var w = 0 - c

  176. 	r[0], c = bits.Add64(r[0], ctPick64(w, p[0], 0), 0)

  177. 	r[1], c = bits.Add64(r[1], ctPick64(w, p[1], 0), c)

  178. 	r[2], c = bits.Add64(r[2], ctPick64(w, p[2], 0), c)

  179. 	r[3], c = bits.Add64(r[3], ctPick64(w, p[3], 0), c)

  180. 	r[4], c = bits.Add64(r[4], ctPick64(w, p[4], 0), c)

  181. 	r[5], c = bits.Add64(r[5], ctPick64(w, p[5], 0), c)

  182. 	r[6], c = bits.Add64(r[6], ctPick64(w, p[6], 0), c)

  183. 	r[7], _ = bits.Add64(r[7], ctPick64(w, p[7], 0), c)

  184. }

  185. 

  186. // Fixed-window mod exp for fpBitLen bit value with 4 bit window. Returned

  187. // result is a number in montgomery domain.

  188. // r = b ^ e (mod p).

  189. // Constant time.

  190. func modExpRdcCommon(r, b, e *fp, fpBitLen int) {

  191. 	var precomp [16]fp

  192. 	var t fp

  193. 	var c uint64

  194. 

  195. 	// Precompute step, computes an array of small powers of 'b'. As this

  196. 	// algorithm implements 4-bit window, we need 2^4=16 of such values.

  197. 	// b^0 = 1, which is equal to R from REDC.

  198. 	precomp[0] = one // b ^ 0

  199. 	precomp[1] = *b  // b ^ 1

  200. 	for i := 2; i < 16; i = i + 2 {

  201. 		// OPTIMIZE: implement fast squering. Then interleaving fast squaring

  202. 		// with multiplication should improve performance.

  203. 		mulRdc(&precomp[i], &precomp[i/2], &precomp[i/2]) // sqr

  204. 		mulRdc(&precomp[i+1], &precomp[i], b)

  205. 	}

  206. 

  207. 	*r = one

  208. 	for i := fpBitLen/4 - 1; i >= 0; i-- {

  209. 		for j := 0; j < 4; j++ {

  210. 			mulRdc(r, r, r)

  211. 		}

  212. 		// note: non resistant to cache SCA

  213. 		idx := (e[i/16] >> uint((i%16)*4)) & 15

  214. 		mulRdc(r, r, &precomp[idx])

  215. 	}

  216. 

  217. 	// if p <= r < 2p then r = r-p

  218. 	t[0], c = bits.Sub64(r[0], p[0], 0)

  219. 	t[1], c = bits.Sub64(r[1], p[1], c)

  220. 	t[2], c = bits.Sub64(r[2], p[2], c)

  221. 	t[3], c = bits.Sub64(r[3], p[3], c)

  222. 	t[4], c = bits.Sub64(r[4], p[4], c)

  223. 	t[5], c = bits.Sub64(r[5], p[5], c)

  224. 	t[6], c = bits.Sub64(r[6], p[6], c)

  225. 	t[7], c = bits.Sub64(r[7], p[7], c)

  226. 

  227. 	var w = 0 - c

  228. 	r[0] = ctPick64(w, r[0], t[0])

  229. 	r[1] = ctPick64(w, r[1], t[1])

  230. 	r[2] = ctPick64(w, r[2], t[2])

  231. 	r[3] = ctPick64(w, r[3], t[3])

  232. 	r[4] = ctPick64(w, r[4], t[4])

  233. 	r[5] = ctPick64(w, r[5], t[5])

  234. 	r[6] = ctPick64(w, r[6], t[6])

  235. 	r[7] = ctPick64(w, r[7], t[7])

  236. }

  237. 

  238. // modExpRdc does modular exponentation of 512-bit number.

  239. // Constant-time.

  240. func modExpRdc512(r, b, e *fp) {

  241. 	modExpRdcCommon(r, b, e, 512)

  242. }

  243. 

  244. // modExpRdc does modular exponentation of 64-bit number.

  245. // Constant-time.

  246. func modExpRdc64(r, b *fp, e uint64) {

  247. 	modExpRdcCommon(r, b, &fp{e}, 64)

  248. }

  249. 

  250. // isNonQuadRes checks whether value v is quadratic residue.

  251. // Implementation uses Fermat's little theorem (or

  252. // Euler's criterion)

  253. //      a^(p-1) == 1, hence

  254. //      (a^2) ((p-1)/2) == 1

  255. // Which means v is a quadratic residue iff v^((p-1)/2) == 1.

  256. // Caller provided v must be in montgomery domain.

  257. // Returns 0 in case v is quadratic residue or 1 in case

  258. // v is quadratic non-residue.

  259. func (v *fp) isNonQuadRes() int {

  260. 	var res fp

  261. 	var b uint64

  262. 

  263. 	modExpRdc512(&res, v, &pMin1By2)

  264. 	for i := range res {

  265. 		b |= res[i] ^ one[i]

  266. 	}

  267. 

  268. 	return ctIsNonZero64(b)

  269. }

  270. 

  271. // isZero returns false in case v is equal to 0, otherwise

  272. // true. Constant time.

  273. func (v *fp) isZero() bool {

  274. 	var r uint64

  275. 	for i := 0; i < numWords; i++ {

  276. 		r |= v[i]

  277. 	}

  278. 	return ctIsNonZero64(r) == 0

  279. }

  280. 

  281. // equal checks if v is equal to in. Constant time.

  282. func (v *fp) equal(in *fp) bool {

  283. 	var r uint64

  284. 	for i := range v {

  285. 		r |= v[i] ^ in[i]

  286. 	}

  287. 	return ctIsNonZero64(r) == 0

  288. }