/*
| 2 | * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. |
| 3 | * Copyright 2014 Cryptography Research, Inc. |
| 4 | * |
| 5 | * Licensed under the OpenSSL license (the "License"). You may not use |
| 6 | * this file except in compliance with the License. You can obtain a copy |
| 7 | * in the file LICENSE in the source distribution or at |
| 8 | * https://www.openssl.org/source/license.html |
| 9 | * |
| 10 | * Originally written by Mike Hamburg |
| 11 | */ |
| 12 | |
| 13 | #ifndef OSSL_CRYPTO_EC_CURVE448_FIELD_H |
| 14 | # define OSSL_CRYPTO_EC_CURVE448_FIELD_H |
| 15 | |
| 16 | # include "internal/constant_time.h" |
| 17 | # include <string.h> |
| 18 | # include <assert.h> |
| 19 | # include "word.h" |
| 20 | |
/*
 * A field element occupies 64 bytes of limbs; how many limbs that is depends
 * on sizeof(word_t) from word.h. Note the expression has type size_t, so it
 * is used below with size_t loop counters.
 */
# define NLIMBS (64/sizeof(word_t))
/* Wire size of a serialized field element / X448 key: 448 bits = 56 bytes. */
# define X_SER_BYTES 56
# define SER_BYTES 56
| 24 | |
/*
 * Compiler-specific helpers. On GCC/clang: force inlining (and silence the
 * unused-function warning for helpers defined in headers), declare a pointer
 * non-aliasing, and 16-byte align the field element. On any other compiler
 * RESTRICT and ALIGNED expand to nothing, so neither the alignment nor the
 * no-alias guarantee exists there; code must not depend on them.
 */
# if defined(__GNUC__) || defined(__clang__)
# define INLINE_UNUSED __inline__ __attribute__((__unused__,__always_inline__))
# define RESTRICT __restrict__
# define ALIGNED __attribute__((__aligned__(16)))
# else
# define INLINE_UNUSED ossl_inline
# define RESTRICT
# define ALIGNED
# endif
| 34 | |
/*
 * A field element: NLIMBS machine words, 16-byte aligned where ALIGNED is
 * honoured. 'gf' is a one-element array type, so a 'gf' local is a value
 * (copyable with '*out = *a') but decays to 'gf_s *' when passed to the
 * functions below.
 */
typedef struct gf_s {
    word_t limb[NLIMBS];
} ALIGNED gf_s, gf[1];
| 38 | |
/*
 * RFC 7748 support: X448 public and private keys are both X_SER_BYTES
 * (56) bytes, i.e. 448 bits.
 */
# define X_PUBLIC_BYTES X_SER_BYTES
# define X_PRIVATE_BYTES X_PUBLIC_BYTES
# define X_PRIVATE_BITS 448
| 43 | |
/*
 * out = a: copy a field element limb by limb.
 * There is no RESTRICT on either pointer, so out == a is fine.
 */
static INLINE_UNUSED void gf_copy(gf out, const gf a)
{
    size_t i;

    for (i = 0; i < NLIMBS; i++)
        out->limb[i] = a->limb[i];
}
| 48 | |
/*
 * Inline helpers whose bodies live in f_impl.h (included further down):
 * raw add/sub with no reduction, gf_bias which adds an offset of 'amount'
 * (presumably a multiple of p — see f_impl.h), and a weak reduction, as
 * opposed to the full gf_strong_reduce declared below.
 */
static INLINE_UNUSED void gf_add_RAW(gf out, const gf a, const gf b);
static INLINE_UNUSED void gf_sub_RAW(gf out, const gf a, const gf b);
static INLINE_UNUSED void gf_bias(gf inout, int amount);
static INLINE_UNUSED void gf_weak_reduce(gf inout);
| 53 | |
/* Full ("strong") reduction of inout, as opposed to gf_weak_reduce above. */
void gf_strong_reduce(gf inout);
/* Field add/sub into out. No RESTRICT here, so out may alias a or b. */
void gf_add(gf out, const gf a, const gf b);
void gf_sub(gf out, const gf a, const gf b);
/*
 * Multiply, multiply by a small unsigned scalar, and square. out is RESTRICT
 * on all three, so out must not alias a (or b); callers that need in-place
 * results go through a temporary (see gf_sqrn below).
 */
void gf_mul(gf_s * RESTRICT out, const gf a, const gf b);
void gf_mulw_unsigned(gf_s * RESTRICT out, const gf a, uint32_t b);
void gf_sqr(gf_s * RESTRICT out, const gf a);
/*
 * Inverse square root: on success a satisfies a^2 * x = 1. The other
 * outcomes noted by the original author are x a quadratic non-residue, or
 * 0 if x = 0. Returns a mask_t that is true on success.
 */
mask_t gf_isr(gf a, const gf x);
/* Predicates returning a mask_t rather than a bool: equality, low bit, high bit. */
mask_t gf_eq(const gf x, const gf y);
mask_t gf_lobit(const gf x);
mask_t gf_hibit(const gf x);

/*
 * Serialize x into SER_BYTES bytes; with_highbit selects whether the top bit
 * is written. gf_deserialize parses SER_BYTES bytes into x; with_hibit and
 * hi_nmask concern the top bit / top byte (from their names — confirm against
 * the definition in f_generic.c) and the mask_t result presumably reports
 * whether the encoding was accepted; callers should check it.
 */
void gf_serialize(uint8_t serial[SER_BYTES], const gf x, int with_highbit);
mask_t gf_deserialize(gf x, const uint8_t serial[SER_BYTES], int with_hibit,
                      uint8_t hi_nmask);
| 68 | |
| 69 | # include "f_impl.h" /* Bring in the inline implementations */ |
| 70 | |
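/*
 * LIMBPERM: limb permutation, the identity in this representation.
 * LIMB_MASK: mask of the low LIMB_PLACE_VALUE(i) bits of limb i
 * (LIMB_PLACE_VALUE comes from f_impl.h). The shifted constant is typed as
 * word_t rather than a plain int 1: a left shift of int is only defined while
 * LIMB_PLACE_VALUE(i) is below the width of int, and the mask is applied to
 * word_t limbs, so it should carry the limb's type. For shift counts that
 * were already valid the resulting value is unchanged.
 */
# define LIMBPERM(i) (i)
# define LIMB_MASK(i) ((((word_t)1)<<LIMB_PLACE_VALUE(i))-1)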
| 73 | |
/* Field constants 0 and 1: limb[0] holds the value, the remaining limbs are zero-initialized. */
static const gf ZERO = {{{0}}}, ONE = {{{1}}};
| 75 | |
| 76 | /* Square x, n times. */ |
| 77 | static ossl_inline void gf_sqrn(gf_s * RESTRICT y, const gf x, int n) |
| 78 | { |
| 79 | gf tmp; |
| 80 | |
| 81 | assert(n > 0); |
| 82 | if (n & 1) { |
| 83 | gf_sqr(y, x); |
| 84 | n--; |
| 85 | } else { |
| 86 | gf_sqr(tmp, x); |
| 87 | gf_sqr(y, tmp); |
| 88 | n -= 2; |
| 89 | } |
| 90 | for (; n; n -= 2) { |
| 91 | gf_sqr(tmp, y); |
| 92 | gf_sqr(y, tmp); |
| 93 | } |
| 94 | } |
| 95 | |
/*
 * Non-reducing add: an alias of gf_add_RAW from f_impl.h. The subtract
 * counterparts gf_sub_nr/gf_subx_nr below additionally apply a bias.
 */
# define gf_add_nr gf_add_RAW
| 97 | |
| 98 | /* Subtract mod p. Bias by 2 and don't reduce */ |
| 99 | static ossl_inline void gf_sub_nr(gf c, const gf a, const gf b) |
| 100 | { |
| 101 | gf_sub_RAW(c, a, b); |
| 102 | gf_bias(c, 2); |
| 103 | if (GF_HEADROOM < 3) |
| 104 | gf_weak_reduce(c); |
| 105 | } |
| 106 | |
| 107 | /* Subtract mod p. Bias by amt but don't reduce. */ |
| 108 | static ossl_inline void gf_subx_nr(gf c, const gf a, const gf b, int amt) |
| 109 | { |
| 110 | gf_sub_RAW(c, a, b); |
| 111 | gf_bias(c, amt); |
| 112 | if (GF_HEADROOM < amt + 1) |
| 113 | gf_weak_reduce(c); |
| 114 | } |
| 115 | |
| 116 | /* Mul by signed int. Not constant-time WRT the sign of that int. */ |
| 117 | static ossl_inline void gf_mulw(gf c, const gf a, int32_t w) |
| 118 | { |
| 119 | if (w > 0) { |
| 120 | gf_mulw_unsigned(c, a, w); |
| 121 | } else { |
| 122 | gf_mulw_unsigned(c, a, -w); |
| 123 | gf_sub(c, ZERO, c); |
| 124 | } |
| 125 | } |
| 126 | |
| 127 | /* Constant time, x = is_z ? z : y */ |
| 128 | static ossl_inline void gf_cond_sel(gf x, const gf y, const gf z, mask_t is_z) |
| 129 | { |
| 130 | size_t i; |
| 131 | |
| 132 | for (i = 0; i < NLIMBS; i++) { |
| 133 | #if ARCH_WORD_BITS == 32 |
| 134 | x[0].limb[i] = constant_time_select_32(is_z, z[0].limb[i], |
| 135 | y[0].limb[i]); |
| 136 | #else |
| 137 | /* Must be 64 bit */ |
| 138 | x[0].limb[i] = constant_time_select_64(is_z, z[0].limb[i], |
| 139 | y[0].limb[i]); |
| 140 | #endif |
| 141 | } |
| 142 | } |
| 143 | |
| 144 | /* Constant time, if (neg) x=-x; */ |
| 145 | static ossl_inline void gf_cond_neg(gf x, mask_t neg) |
| 146 | { |
| 147 | gf y; |
| 148 | |
| 149 | gf_sub(y, ZERO, x); |
| 150 | gf_cond_sel(x, x, y, neg); |
| 151 | } |
| 152 | |
| 153 | /* Constant time, if (swap) (x,y) = (y,x); */ |
| 154 | static ossl_inline void gf_cond_swap(gf x, gf_s * RESTRICT y, mask_t swap) |
| 155 | { |
| 156 | size_t i; |
| 157 | |
| 158 | for (i = 0; i < NLIMBS; i++) { |
| 159 | #if ARCH_WORD_BITS == 32 |
| 160 | constant_time_cond_swap_32(swap, &(x[0].limb[i]), &(y->limb[i])); |
| 161 | #else |
| 162 | /* Must be 64 bit */ |
| 163 | constant_time_cond_swap_64(swap, &(x[0].limb[i]), &(y->limb[i])); |
| 164 | #endif |
| 165 | } |
| 166 | } |
| 167 | |
| 168 | #endif /* OSSL_CRYPTO_EC_CURVE448_FIELD_H */ |