Commit cdab4953 authored by Michael Hamburg's avatar Michael Hamburg

Cross-curve compilation working! Still a bunch of FIXMEs though

parent d703b310
......@@ -39,8 +39,6 @@ else
ARCH ?= arch_ref32
endif
FIELD ?= p25519
WARNFLAGS = -pedantic -Wall -Wextra -Werror -Wunreachable-code \
-Wmissing-declarations -Wunused-function -Wno-overlength-strings $(EXWARN)
......@@ -79,22 +77,13 @@ SAGES= $(shell ls test/*.sage)
BUILDPYS= $(SAGES:test/%.sage=$(BUILD_PY)/%.py)
.PHONY: clean all test bench todo doc lib bat sage sagetest
.PRECIOUS: $(BUILD_ASM)/%.s $(BUILD_ASM)/%_impl.s $(BUILD_ASM)/$(DECAF)_%.s $(BUILD_ASM)/decaf_tables_%.c \
$(BUILD_IBIN)/decaf_gen_tables_%
HEADERS= Makefile $(shell find src test -name "*.h") $(shell find . -name "*.hxx") $(BUILD_OBJ)/timestamp
.PRECIOUS: $(BUILD_ASM)/%.s $(BUILD_C)/%.c $(BUILD_IBIN)/%
# components needed by the table generators
GENCOMPONENTS= \
$(BUILD_OBJ)/$(DECAF)_ed25519.o $(BUILD_OBJ)/p25519_impl.o $(BUILD_OBJ)/p25519_arithmetic.o \
$(BUILD_OBJ)/utils.o \
#$(BUILD_OBJ)/p448_impl.o $(BUILD_OBJ)/p448_arithmetic.o
HEADERS= Makefile $(shell find src test -name "*.h") $(BUILD_OBJ)/timestamp
HEADERSXX = $(HEADERS) $(shell find . -name "*.hxx")
# components needed by the lib
DECAFCOMPONENTS= $(BUILD_OBJ)/shake.o $(BUILD_OBJ)/decaf_crypto.o $(GENCOMPONENTS)
ifeq ($(DECAF),decaf_fast)
DECAFCOMPONENTS += $(BUILD_OBJ)/decaf_tables_ed25519.o
endif
LIBCOMPONENTS = $(BUILD_OBJ)/utils.o $(BUILD_OBJ)/shake.o $(BUILD_OBJ)/decaf_crypto.o # and per-field components
BENCHCOMPONENTS = $(BUILD_OBJ)/bench.o $(BUILD_OBJ)/shake.o
......@@ -105,26 +94,7 @@ scan: clean
-enable-checker deadcode -enable-checker llvm \
-enable-checker osx -enable-checker security -enable-checker unix \
make all
# The shakesum utility is in the public bin directory.
$(BUILD_BIN)/shakesum: $(BUILD_OBJ)/shakesum.o $(BUILD_OBJ)/shake.o $(BUILD_OBJ)/utils.o
$(LD) $(LDFLAGS) -o $@ $^
# The main decaf library, and its symlinks.
lib: $(BUILD_LIB)/libdecaf.so
$(BUILD_LIB)/libdecaf.so: $(BUILD_LIB)/libdecaf.so.1
ln -sf `basename $^` $@
$(BUILD_LIB)/libdecaf.so.1: $(DECAFCOMPONENTS)
rm -f $@
ifeq ($(UNAME),Darwin)
libtool -macosx_version_min 10.6 -dynamic -dead_strip -lc -x -o $@ \
$(DECAFCOMPONENTS)
else
$(LD) $(LDFLAGS) -shared -Wl,-soname,`basename $@` -Wl,--gc-sections -o $@ $(DECAFCOMPONENTS)
strip --discard-all $@
endif
# Internal test programs, which are not part of the final build/bin directory.
$(BUILD_IBIN)/test: $(BUILD_OBJ)/test_decaf.o lib
......@@ -150,50 +120,86 @@ $(BUILD_OBJ)/timestamp:
$(BUILD_OBJ)/%.o: $(BUILD_ASM)/%.s
$(ASM) $(ASFLAGS) -c -o $@ $<
# I don't know why this rule is necessary... bug in make, or obscure pattern matching rule?
$(BUILD_OBJ)/decaf_gen_tables_%.o: $(BUILD_ASM)/decaf_gen_tables_%.s
$(ASM) $(ASFLAGS) -c -o $@ $<
################################################################
# Per-field code: call with field, arch
################################################################
define define_field
ARCH_FOR_$(1) = $(2)
COMPONENTS_OF_$(1) = $$(BUILD_OBJ)/$(1)_impl.o $$(BUILD_OBJ)/$(1)_arithmetic.o
LIBCOMPONENTS += $$(COMPONENTS_OF_$(1))
$$(BUILD_ASM)/$(1)_arithmetic.s: src/$(1)/f_arithmetic.c $$(HEADERS)
$$(CC) $$(CFLAGS) -I src/$(1) -I src/$(1)/$(2) -S -c -o $$@ $$<
$$(BUILD_ASM)/$(1)_impl.s: src/$(1)/$(2)/f_impl.c $$(HEADERS)
$$(CC) $$(CFLAGS) -I src/$(1) -I src/$(1)/$(2) -S -c -o $$@ $$<
endef
################################################################
# Per-field, per-curve code: call with curve, field
################################################################
define define_curve
$$(BUILD_IBIN)/decaf_gen_tables_$(1): $$(BUILD_OBJ)/decaf_gen_tables_$(1).o $$(BUILD_OBJ)/decaf_fast_$(1).o $$(BUILD_OBJ)/utils.o \
$$(COMPONENTS_OF_$(2))
$$(LD) $$(LDFLAGS) -o $$@ $$^
$$(BUILD_C)/decaf_tables_$(1).c: $$(BUILD_IBIN)/decaf_gen_tables_$(1)
./$$< > $$@ || (rm $$@; exit 1)
$$(BUILD_ASM)/decaf_tables_$(1).s: $$(BUILD_C)/decaf_tables_$(1).c $$(HEADERS)
$$(CC) $$(CFLAGS) -S -c -o $$@ $$< \
-I src/curve_$(1)/ -I src/$(2) -I src/$(2)/$$(ARCH_FOR_$(2)) \
$$(BUILD_ASM)/decaf_gen_tables_$(1).s: src/decaf_gen_tables.c $$(HEADERS)
$$(CC) $$(CFLAGS) \
-I src/curve_$(1)/ -I src/$(2) -I src/$(2)/$$(ARCH_FOR_$(2)) \
-S -c -o $$@ $$<
$$(BUILD_ASM)/decaf_fast_$(1).s: src/decaf_fast.c $$(HEADERS)
$$(CC) $$(CFLAGS) \
-I src/curve_$(1)/ -I src/$(2) -I src/$(2)/$$(ARCH_FOR_$(2)) \
-S -c -o $$@ $$<
LIBCOMPONENTS += $$(BUILD_OBJ)/decaf_fast_$(1).o $$(BUILD_OBJ)/decaf_tables_$(1).o
endef
################################################################
# call code above to generate curves and fields
$(eval $(call define_field,p25519,arch_x86_64))
$(eval $(call define_curve,ed25519,p25519))
$(eval $(call define_field,p448,arch_x86_64))
$(eval $(call define_curve,ed448goldilocks,p448))
$(BUILD_IBIN)/decaf_gen_tables_%: $(BUILD_OBJ)/decaf_gen_tables_%.o $(GENCOMPONENTS)
# The shakesum utility is in the public bin directory.
$(BUILD_BIN)/shakesum: $(BUILD_OBJ)/shakesum.o $(BUILD_OBJ)/shake.o $(BUILD_OBJ)/utils.o
$(LD) $(LDFLAGS) -o $@ $^
$(BUILD_C)/decaf_tables_%.c: $(BUILD_IBIN)/decaf_gen_tables_%
./$< > $@
$(BUILD_ASM)/decaf_tables_%.s: $(BUILD_C)/decaf_tables_%.c $(HEADERS)
$(CC) $(CFLAGS) -S -c -o $@ $< \
-I src/curve_$*/ -I src/curve_$*/field -I src/curve_$*/field/$(ARCH) \
$(BUILD_ASM)/decaf_gen_tables_%.s: src/decaf_gen_tables.c $(HEADERS)
$(CC) $(CFLAGS) \
-I src/curve_$*/ -I src/curve_$*/field -I src/curve_$*/field/$(ARCH) \
-S -c -o $@ $<
$(BUILD_ASM)/decaf_fast_%.s: src/decaf_fast.c $(HEADERS)
$(CC) $(CFLAGS) \
-I src/curve_$*/ -I src/curve_$*/field -I src/curve_$*/field/$(ARCH) \
-S -c -o $@ $<
$(BUILD_ASM)/%_arithmetic.s: src/%/f_arithmetic.c $(HEADERS)
$(CC) $(CFLAGS) \
-I src/$* -I src/$*/$(ARCH) \
-S -c -o $@ $<
$(BUILD_ASM)/%_impl.s: src/%/$(ARCH)/f_impl.c $(HEADERS)
$(CC) $(CFLAGS) \
-I src/$* -I src/$*/$(ARCH) \
-S -c -o $@ $<
# The main decaf library, and its symlinks.
lib: $(BUILD_LIB)/libdecaf.so
$(BUILD_LIB)/libdecaf.so: $(BUILD_LIB)/libdecaf.so.1
ln -sf `basename $^` $@
$(BUILD_LIB)/libdecaf.so.1: $(LIBCOMPONENTS)
rm -f $@
ifeq ($(UNAME),Darwin)
libtool -macosx_version_min 10.6 -dynamic -dead_strip -lc -x -o $@ \
$(LIBCOMPONENTS)
else
$(LD) $(LDFLAGS) -shared -Wl,-soname,`basename $@` -Wl,--gc-sections -o $@ $(LIBCOMPONENTS)
strip --discard-all $@
endif
$(BUILD_ASM)/%.s: src/%.c $(HEADERS)
$(CC) $(CFLAGS) -S -c -o $@ $<
$(BUILD_ASM)/%.s: src/%.cxx $(HEADERS)
$(CXX) $(CXXFLAGS) -S -c -o $@ $<
$(BUILD_ASM)/%.s: test/%.c $(HEADERS)
$(CC) $(CFLAGS) -S -c -o $@ $<
$(BUILD_ASM)/%.s: test/%.cxx $(HEADERS)
$(BUILD_ASM)/%.s: test/%.cxx $(HEADERSXX)
$(CXX) $(CXXFLAGS) -S -c -o $@ $<
# The sage test scripts
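Review bot: Both `define_field` calls hard-code `arch_x86_64` as the second argument, so the `ARCH ?= arch_ref32` selection at the top of the file (and whatever the `ifeq`/`else` above it chooses) no longer reaches the per-field rules, even though `ARCH_FOR_$(1)` is threaded through `define_curve` for exactly that purpose; if that is not deliberate for the cross-curve experiment, `$(eval $(call define_field,p25519,$(ARCH)))` and the same for p448 restores the override. The table recipe `./$$< > $$@ || (rm $$@; exit 1)` covers a generator that exits non-zero, but combined with `.PRECIOUS: $(BUILD_ASM)/%.s $(BUILD_C)/%.c $(BUILD_IBIN)/%` an interrupted run can leave a truncated `decaf_tables_*.c` that is newer than its generator and is never regenerated; writing to `$$@.tmp` followed by `mv -f $$@.tmp $$@`, or declaring `.DELETE_ON_ERROR:` and using `.SECONDARY:` instead of `.PRECIOUS:`, closes that gap. Which of the two `.PRECIOUS` lines survives cannot be read from this rendering, so the remark applies to whichever one does.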
......
/* Rename table for eventual factoring into .c.inc, MSR ECC style */
// FIXME move to arch or something
#define WBITS DECAF_WORD_BITS
#if WBITS == 64
#define LBITS 51
typedef __int128_t decaf_sdword_t;
#define LIMB(x) (x##ull)
#define SC_LIMB(x) (x##ull)
#else
#error "Only supporting 64-bit platforms right now"
#endif
#define API_NAME "decaf_255"
#define API_NS(_id) decaf_255_##_id
#define API_NS2(_pref,_id) _pref##_decaf_255_##_id
#define SCALAR_LIMBS DECAF_255_SCALAR_LIMBS
#define SCALAR_BITS DECAF_255_SCALAR_BITS
#define NLIMBS DECAF_255_LIMBS
#define API_NS(_id) decaf_255_##_id
#define API_NS2(_pref,_id) _pref##_decaf_255_##_id
#define scalar_t decaf_255_scalar_t
#define point_t decaf_255_point_t
#define precomputed_s decaf_255_precomputed_s
......@@ -21,12 +34,14 @@ static const scalar_t sc_p = {{{
SC_LIMB(0x1000000000000000)
}}};
#ifdef GEN_TABLES
/* sqrt(9) = 3 from the curve spec. Not exported, but used by pregen tool. */
const unsigned char base_point_ser_for_pregen[SER_BYTES] = {
static const unsigned char base_point_ser_for_pregen[SER_BYTES] = {
3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
};
#endif
const gf SQRT_ONE_MINUS_D = {FIELD_LITERAL(
static const gf SQRT_ONE_MINUS_D = {FIELD_LITERAL(
0x6db8831bbddec,
0x38d7b56c9c165,
0x016b221394bdc,
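Review bot: The `WBITS`/`LBITS`/`LIMB`/`decaf_sdword_t` block at the top of this curve file describes the field's limb layout (51-bit limbs here, 56- or 28-bit for p448 in the sibling curve file), not the curve, and the same block is removed from the generic decaf sources in this commit; the `// FIXME move to arch or something` comment already acknowledges this. The p448 arch header in this commit already defines `LBITS` and `LIMB`, so the per-field `f_impl.h` looks like the natural home, leaving the curve file with `API_NAME`, the `API_NS*` macros and the `*_t` aliases. With the 32-bit branch dropped here, a build that selects `arch_ref32` from the Makefile fails only at preprocessing on the `#error`; a comment such as `/* p25519 curve data: 64-bit limb layout only; see Makefile ARCH */` would make that dependency visible. `API_NS` and `API_NS2` appear twice in this hunk, presumably the moved copy and its original, which is fine as long as only one survives on the new side.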
......
../p25519/
\ No newline at end of file
// FIXME move to arch or something
#define WBITS DECAF_WORD_BITS
#if WBITS == 64
#define LBITS 56
typedef __int128_t decaf_sdword_t;
#define LIMB(x) (x##ull)
#define SC_LIMB(x) (x##ull)
#elif WBITS == 32
typedef int64_t decaf_sdword_t;
#define LBITS 28
#define LIMB(x) (x##ull)&((1ull<<LBITS)-1), (x##ull)>>LBITS
#define SC_LIMB(x) (x##ull)&((1ull<<32)-1), (x##ull)>>32
#else
#error "Only supporting 32- and 64-bit platforms right now"
#endif
#define API_NAME "decaf_448"
#define API_NS(_id) decaf_448_##_id
#define API_NS2(_pref,_id) _pref##_decaf_448_##_id
#define SCALAR_LIMBS DECAF_448_SCALAR_LIMBS
#define SCALAR_BITS DECAF_448_SCALAR_BITS
#define NLIMBS DECAF_448_LIMBS
#define API_NS(_id) decaf_448_##_id
#define API_NS2(_pref,_id) _pref##_decaf_448_##_id
#define scalar_t decaf_448_scalar_t
#define point_t decaf_448_point_t
#define precomputed_s decaf_448_precomputed_s
......@@ -22,8 +41,10 @@ static const scalar_t sc_p = {{{
SC_LIMB(0xffffffffffffffff),
SC_LIMB(0x3fffffffffffffff)
}}};
#ifdef GEN_TABLES
/* sqrt(5) = 2phi-1 from the curve spec. Not exported, but used by pregen tool. */
const unsigned char base_point_ser_for_pregen[SER_BYTES] = {
static const unsigned char base_point_ser_for_pregen[SER_BYTES] = {
-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,1
};
#endif
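Review bot: `base_point_ser_for_pregen` is an `unsigned char[SER_BYTES]` initialised with a run of `-1` values followed by a `1`; the negative constants wrap to 255 by the usual unsigned conversion rule, but `0xff` states the intent directly and sidesteps the sign-conversion diagnostics some compilers emit under the `-Wextra -Werror` flags this build uses (inferred from the Makefile, not verified here). Any elements beyond those listed are zero-filled by C initialisation rules, which deserves a comment since the 25519 table spells out every byte: `/* remaining bytes up to SER_BYTES are zero */`. The limb-layout block at the top of this file duplicates the one in the 25519 curve file and the p448 arch header, as noted on the 25519 file.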
../p448/
\ No newline at end of file
......@@ -13,22 +13,6 @@
#include <string.h>
#include <assert.h>
#define WBITS DECAF_WORD_BITS
#if WBITS == 64
#define LBITS 56
typedef __int128_t decaf_sdword_t;
#define LIMB(x) (x##ull)
#define SC_LIMB(x) (x##ull)
#elif WBITS == 32
typedef int64_t decaf_sdword_t;
#define LBITS 28
#define LIMB(x) (x##ull)&((1ull<<LBITS)-1), (x##ull)>>LBITS
#define SC_LIMB(x) (x##ull)&((1ull<<32)-1), (x##ull)>>32
#else
#error "Only supporting 32- and 64-bit platforms right now"
#endif
#define sv static void
#define snv static void __attribute__((noinline))
#define siv static inline void __attribute__((always_inline))
......
......@@ -15,21 +15,13 @@
#include "field.h"
#include "decaf_config.h"
#define WBITS DECAF_WORD_BITS
#if WBITS == 64
typedef __int128_t decaf_sdword_t;
#define SC_LIMB(x) (x##ull)
#elif WBITS == 32
typedef int64_t decaf_sdword_t;
#define SC_LIMB(x) (x##ull)&((1ull<<32)-1), (x##ull)>>32
#else
#error "Only supporting 32- and 64-bit platforms right now"
#endif
/* Include the curve data here */
#include "curve_data.inc.c"
#if (COFACTOR == 8) && !IMAGINE_TWIST
/* FUTURE: Curve41417 doesn't have these properties. */
#error "Currently require IMAGINE_TWIST (and thus p=5 mod 8) for cofactor 8"
#endif
#if IMAGINE_TWIST && (P_MOD_8 != 5)
#error "Cannot use IMAGINE_TWIST except for p == 5 mod 8"
......@@ -162,6 +154,7 @@ static decaf_word_t hibit(const gf x) {
return -(y->limb[0]&1);
}
#if COFACTOR==8
/** Return high bit of x = low bit of 2x mod p */
static decaf_word_t lobit(const gf x) {
gf y;
......@@ -169,6 +162,7 @@ static decaf_word_t lobit(const gf x) {
gf_strong_reduce(y);
return -(y->limb[0]&1);
}
#endif
/** {extra,accum} - sub +? p
* Must have extra <= 1
......@@ -408,27 +402,64 @@ static void deisogenize (
decaf_bool_t toggle_hibit_t_over_s,
decaf_bool_t toggle_rotation
) {
gf c, d, x, t;
#if COFACTOR == 4 && !IMAGINE_TWIST
(void) toggle_rotation;
/* TODO: Can shave off one mul here; not important but makes consistent with paper */
gf b, d;
gf_s *a = s, *c = minus_t_over_s;
gf_mulw_sgn ( a, p->y, 1-EDWARDS_D );
gf_mul ( c, a, p->t ); /* -dYT, with EDWARDS_D = d-1 */
gf_mul ( a, p->x, p->z );
gf_sub ( d, c, a ); /* aXZ-dYT with a=-1 */
gf_add ( a, p->z, p->y );
gf_sub ( b, p->z, p->y );
gf_mul ( c, b, a );
gf_mulw_sgn ( b, c, -EDWARDS_D ); /* (a-d)(Z+Y)(Z-Y) */
decaf_bool_t ok = gf_isqrt_chk ( a, b, DECAF_TRUE ); /* r in the paper */
(void)ok; assert(ok);
gf_mulw_sgn ( b, a, -EDWARDS_D ); /* u in the paper */
gf_mul ( c, b, a ); /* ur */
gf_mul ( a, c, d ); /* ur (aZX-dYT) */
gf_add ( d, b, b ); /* 2u = -2au since a=-1 */
gf_mul ( c, d, p->z ); /* 2uZ */
cond_neg ( b, toggle_hibit_t_over_s ^ ~hibit(c) ); /* u <- -u if negative. */
cond_neg ( c, toggle_hibit_t_over_s ^ ~hibit(c) ); /* u <- -u if negative. */
gf_mul ( d, b, p->y );
gf_add ( s, a, d );
cond_neg ( s, toggle_hibit_s ^ hibit(s) );
#else
/* More complicated because of rotation */
/* FIXME This code is wrong for certain non-Curve25519 curves; check if it's because of Cofactor==8 or IMAGINE_ROTATION */
gf c, d;
gf_s *b = s, *a = minus_t_over_s;
#if IMAGINE_TWIST
gf x, t;
gf_mul ( x, p->x, SQRT_MINUS_ONE);
gf_mul ( t, p->t, SQRT_MINUS_ONE);
gf_sub ( x, ZERO, x );
gf_sub ( t, ZERO, t );
#endif
gf DEBUG;
gf_add ( a, p->z, x );
gf_sub ( b, p->z, x );
gf_mul ( c, a, b ); /* "zx" = Z^2 - X^2 */
gf_cpy(DEBUG,c);
gf_mul ( c, a, b ); /* "zx" = Z^2 - aX^2 = Z^2 - X^2 */
#else
const gf_s *x = p->x, *t = p->t;
/* Won't hit the cond_sel below because COFACTOR==8 requires IMAGINE_TWIST for now. */
gf_sqr ( a, p->z );
gf_sqr ( b, p->x );
gf_add ( c, a, b ); /* "zx" = Z^2 - aX^2 = Z^2 + X^2 */
#endif
gf_mul ( a, p->z, t ); /* "tz" = T*Z */
gf_sqr ( b, a );
gf_mul ( d, b, c ); /* (TZ)^2 * (Z^2-X^2) */
gf_mul ( d, b, c ); /* (TZ)^2 * (Z^2-aX^2) */
decaf_bool_t ok = gf_isqrt_chk ( b, d, DECAF_TRUE );
(void)ok; assert(ok);
gf_mul ( d, b, a ); /* "osx" = 1 / sqrt(z^2-x^2) */
gf_mul ( d, b, a ); /* "osx" = 1 / sqrt(z^2-ax^2) */
gf_mul ( a, b, c );
gf_mul ( b, a, d ); /* 1/tz */
......@@ -445,6 +476,7 @@ static void deisogenize (
cond_sel ( x, p->y, x, rotate );
}
#else
(void)toggle_rotation;
rotate = 0;
#endif
......@@ -458,6 +490,8 @@ static void deisogenize (
gf_add ( d, d, c );
gf_mul ( b, d, x ); /* here "x" = y unless rotate */
cond_neg ( b, toggle_hibit_s ^ hibit(b) );
#endif
}
void API_NS(point_encode)( unsigned char ser[SER_BYTES], const point_t p ) {
......@@ -472,7 +506,7 @@ void API_NS(point_encode)( unsigned char ser[SER_BYTES], const point_t p ) {
static decaf_bool_t gf_deser(gf s, const unsigned char ser[SER_BYTES]) {
return gf_deserialize((gf_s *)s, ser);
}
decaf_bool_t API_NS(point_decode) (
point_t p,
const unsigned char ser[SER_BYTES],
......@@ -483,25 +517,32 @@ decaf_bool_t API_NS(point_decode) (
succ &= allow_identity | ~zero;
succ &= ~hibit(s);
gf_sqr ( a, s );
gf_sub ( f, ONE, a ); /* f = 1-s^2 = 1-as^2 since a=1 */
#if IMAGINE_TWIST
gf_sub ( f, ONE, a ); /* f = 1-as^2 = 1-s^2*/
#else
gf_add ( f, ONE, a ); /* f = 1-as^2 = 1+s^2 */
#endif
succ &= ~ gf_eq( f, ZERO );
gf_sqr ( b, f );
gf_mulw_sgn ( c, a, 4-4*EDWARDS_D );
gf_mulw_sgn ( c, a, 4*IMAGINE_TWIST-4*EDWARDS_D );
gf_add ( c, c, b ); /* t^2 */
gf_mul ( d, f, s ); /* s(1-s^2) for denoms */
gf_mul ( d, f, s ); /* s(1-as^2) for denoms */
gf_sqr ( e, d );
gf_mul ( b, c, e );
succ &= gf_isqrt_chk ( e, b, DECAF_TRUE ); /* e = 1/(t s (1-s^2)) */
succ &= gf_isqrt_chk ( e, b, DECAF_TRUE ); /* e = 1/(t s (1-as^2)) */
gf_mul ( b, e, d ); /* 1/t */
gf_mul ( d, e, c ); /* d = t / (s(1-s^2)) */
gf_mul ( d, e, c ); /* d = t / (s(1-as^2)) */
gf_mul ( e, d, f ); /* t/s */
decaf_bool_t negtos = hibit(e);
cond_neg(b, negtos);
cond_neg(d, negtos);
gf_add ( p->z, ONE, a); /* Z = 1+s^2 */
succ &= ~gf_eq( p->z, ZERO ); /* FUTURE: unnecessary? */
#if IMAGINE_TWIST
gf_add ( p->z, ONE, a); /* Z = 1+as^2 = 1-s^2 */
#else
gf_sub ( p->z, ONE, a); /* Z = 1+as^2 = 1-s^2 */
#endif
#if COFACTOR == 8
gf_mul ( a, p->z, d); /* t(1+s^2) / s(1-s^2) = 2/xy */
......@@ -745,7 +786,7 @@ static void pt_to_pniels (
) {
gf_sub ( b->n->a, a->y, a->x );
gf_add ( b->n->b, a->x, a->y );
gf_mulw_sgn ( b->n->c, a->t, 2*EFF_D );
gf_mulw_sgn ( b->n->c, a->t, 2*TWISTED_D );
gf_add ( b->z, a->z, a->z );
}
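Review bot: `gf DEBUG;` together with `gf_cpy(DEBUG,c);` in the `IMAGINE_TWIST` branch of `deisogenize` looks like leftover instrumentation on the new side: the copy is never read afterwards, so it only leaves an extra copy of an intermediate field element on the stack; both lines should go. The comment on the new `gf_add ( p->z, ONE, a);` under `#if IMAGINE_TWIST` reads `Z = 1+as^2 = 1-s^2`, but with a = 1 in that branch (as the `f = 1-as^2 = 1-s^2` comment above it states) the sum is `1+s^2`, which is what the removed line said; the `#else` comment is consistent and only the twisted one needs correcting. In `point_decode`, the weight `4*IMAGINE_TWIST-4*EDWARDS_D` reproduces the old `4-4*EDWARDS_D` only when `IMAGINE_TWIST` is 1; if the generic term is meant to be `4a-4d` with a = -1 in the untwisted branch, that branch needs `-4-4*EDWARDS_D`, which the macro does not produce, so this is worth checking against the derivation (the FIXME in `deisogenize` already flags non-25519 behaviour as suspect). Both `deisogenize` and `point_decode` extend beyond their hunks.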
......
......@@ -15,8 +15,8 @@
#include "decaf_config.h"
#include "field.h"
#define API_NS(_id) decaf_255_##_id
#define API_NS2(_pref,_id) _pref##_decaf_255_##_id
#define GEN_TABLES
#include "curve_data.inc.c"
/* To satisfy linker. */
const gf API_NS(precomputed_base_as_fe)[1];
......@@ -24,7 +24,6 @@ const API_NS(scalar_t) API_NS(precomputed_scalarmul_adjustment);
const API_NS(scalar_t) API_NS(point_scalarmul_adjustment);
const API_NS(scalar_t) API_NS(sc_r2) = {{{0}}};
const decaf_word_t API_NS(MONTGOMERY_FACTOR) = 0;
const unsigned char base_point_ser_for_pregen[DECAF_255_SER_BYTES];
const API_NS(point_t) API_NS(point_base);
......@@ -94,8 +93,8 @@ int main(int argc, char **argv) {
printf("/** @warning: this file was automatically generated. */\n");
printf("#include <decaf.h>\n\n");
printf("#include \"field.h\"\n\n");
printf("#define API_NS(_id) decaf_255_##_id\n");
printf("#define API_NS2(_pref,_id) _pref##_decaf_255_##_id\n");
printf("#define API_NS(_id) %s_##_id\n", API_NAME);
printf("#define API_NS2(_pref,_id) _pref##_%s_##_id\n", API_NAME);
output = (const gf_s *)real_point_base;
printf("const API_NS(point_t) API_NS(point_base) = {{\n");
......@@ -136,8 +135,8 @@ int main(int argc, char **argv) {
scalar_print("API_NS(precomputed_scalarmul_adjustment)", smadj);
API_NS(scalar_copy)(smadj,API_NS(scalar_one));
for (i=0; i<DECAF_255_SCALAR_BITS-1 + DECAF_WINDOW_BITS
- ((DECAF_255_SCALAR_BITS-1)%DECAF_WINDOW_BITS); i++) {
for (i=0; i<SCALAR_BITS-1 + DECAF_WINDOW_BITS
- ((SCALAR_BITS-1) % DECAF_WINDOW_BITS); i++) {
API_NS(scalar_add)(smadj,smadj,smadj);
}
API_NS(scalar_sub)(smadj, smadj, API_NS(scalar_one));
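Review bot: The loop bound `SCALAR_BITS-1 + DECAF_WINDOW_BITS - ((SCALAR_BITS-1) % DECAF_WINDOW_BITS)` is the smallest multiple of `DECAF_WINDOW_BITS` strictly greater than `SCALAR_BITS-1`, which is not obvious at a glance now that it is curve-generic; a comment on the `for` line, `/* double up to the next multiple of DECAF_WINDOW_BITS above SCALAR_BITS-1 */`, would save the next reader the arithmetic. The generated `#define API_NS(_id) %s_##_id` line now derives the namespace from `API_NAME`, so the generator output depends on the curve file it was compiled against; stating that in the `/** @warning: this file was automatically generated. */` banner, e.g. by also printing `API_NAME`, makes a stale table file easy to spot. `main` starts and ends outside these hunks.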
......
......@@ -15,7 +15,7 @@
#include "f_impl.h"
#define GF_LIT_LIMB_BITS 51
#define GF_BITS 255
#define gf gf_25519_t
#define gf gf_25519_t
#define gf_s gf_25519_s
#define gf_mul gf_25519_mul
#define gf_sqr gf_25519_sqr
......
......@@ -23,9 +23,9 @@ static uint64_t widemul_32 (
void
p448_mul (
p448_t *__restrict__ cs,
const p448_t *as,
const p448_t *bs
gf_448_s *__restrict__ cs,
const gf_448_t as,
const gf_448_t bs
) {
const uint32_t *a = as->limb, *b = bs->limb;
uint32_t *c = cs->limb;
......@@ -84,8 +84,8 @@ p448_mul (
void
p448_mulw (
p448_t *__restrict__ cs,
const p448_t *as,
gf_448_s *__restrict__ cs,
const gf_448_t as,
uint64_t b
) {
const uint32_t bhi = b>>28, blo = b & ((1<<28)-1);
......@@ -128,15 +128,15 @@ p448_mulw (
void
p448_sqr (
p448_t *__restrict__ cs,
const p448_t *as
gf_448_s *__restrict__ cs,
const gf_448_t as
) {
p448_mul(cs,as,as); /* PERF */
}
void
p448_strong_reduce (
p448_t *a
gf_448_t a
) {
word_t mask = (1ull<<28)-1;
......@@ -180,14 +180,14 @@ p448_strong_reduce (
void
p448_serialize (
uint8_t *serial,
const struct p448_t *x
const gf_448_t x
) {
int i,j;
p448_t red;
p448_copy(&red, x);
p448_strong_reduce(&red);
gf_448_t red;
p448_copy(red, x);
p448_strong_reduce(red);
for (i=0; i<8; i++) {
uint64_t limb = red.limb[2*i] + (((uint64_t)red.limb[2*i+1])<<28);
uint64_t limb = red->limb[2*i] + (((uint64_t)red->limb[2*i+1])<<28);
for (j=0; j<7; j++) {
serial[7*i+j] = limb;
limb >>= 8;
......@@ -198,7 +198,7 @@ p448_serialize (
mask_t
p448_deserialize (
p448_t *x,
gf_448_t x,
const uint8_t serial[56]
) {
int i,j;
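Review bot: The p448 field now uses `gf_448_s`/`gf_448_t` for its type while every function keeps the `p448_` prefix (`p448_mul`, `p448_serialize`, …); the 25519 side maps `gf_mul` to `gf_25519_mul`, so the 448 side will presumably need either the matching rename or alias macros before the generic `gf_*` callers compile against it — a comment in `f_impl.h` saying which is planned would help. Because `gf_448_t` is a one-element array typedef, `const gf_448_t as` decays to `const gf_448_s *`, so the `__restrict__` on `cs` in `p448_mul`, `p448_mulw` and `p448_sqr` still forbids callers from passing the same element as output and input; `p448_sqr` forwarding `p448_mul(cs,as,as)` is valid only because `cs` and `as` are distinct there, which the `/* PERF */` comment should state: `/* PERF: dedicated squaring later; cs must not alias as (restrict) */`. `p448_deserialize` continues past the hunk.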
......
......@@ -9,9 +9,9 @@
#include <stdint.h>
#include <assert.h>
typedef struct p448_t {
typedef struct gf_448_s {
uint32_t limb[16];
} __attribute__((aligned(32))) p448_t;
} __attribute__((aligned(32))) gf_448_s, gf_448_t[1];
#define LBITS 28
#define LIMB(x) (x##ull)&((1ull<<LBITS)-1), (x##ull)>>LBITS
......@@ -24,69 +24,69 @@ extern "C" {
static __inline__ void
p448_add_RAW (
p448_t *out,
const p448_t *a,
const p448_t *b
gf_448_t out,
const gf_448_t a,
const gf_448_t b
) __attribute__((unused,always_inline));
static __inline__ void
p448_sub_RAW (
p448_t *out,
const p448_t *a,
const p448_t *b
gf_448_t out,
const gf_448_t a,
const gf_448_t b
) __attribute__((unused,always_inline));
static __inline__ void
p448_copy (
p448_t *out,
const p448_t *a
gf_448_t out,
const gf_448_t a
) __attribute__((unused,always_inline));
static __inline__ void
p448_weak_reduce (
p448_t *inout
gf_448_t inout
) __attribute__((unused,always_inline));
void
p448_strong_reduce (
p448_t *inout
gf_448_t inout
);
static __inline__ void
p448_bias (
p448_t *inout,
gf_448_t inout,
int amount
) __attribute__((unused,always_inline));
void
p448_mul (
p448_t *__restrict__ out,
const p448_t *a,
const p448_t *b
gf_448_s *__restrict__ out,
const gf_448_t a,
const gf_448_t b
);
void
p448_mulw (
p448_t *__restrict__ out,
const p448_t *a,
gf_448_s *__restrict__ out,
const gf_448_t a,
uint64_t b
);
void
p448_sqr (
p448_t *__restrict__ out,
const p448_t *a
gf_448_s *__restrict__ out,
const gf_448_t a
);
void
p448_serialize (
uint8_t *serial,
const struct p448_t *x
const gf_448_t x
);
mask_t
p448_deserialize (
p448_t *x,
gf_448_t x,
const uint8_t serial[56]
);
......@@ -94,9 +94,9 @@ p448_deserialize (
void
p448_add_RAW (
p448_t *out,
const p448_t *a,
const p448_t *b
gf_448_t out,
const gf_448_t a,
const gf_448_t b
) {
unsigned int i;
for (i=0; i<sizeof(*out)/sizeof(uint32xn_t); i++) {
......@@ -112,9 +112,9 @@ p448_add_RAW (
void
p448_sub_RAW (
p448_t *out,
const p448_t *a,
const p448_t *b
gf_448_t out,
const gf_448_t a,
const gf_448_t b
) {
unsigned int i;
for (i=0; i<sizeof(*out)/sizeof(uint32xn_t); i++) {
......@@ -130,15 +130,15 @@ p448_sub_RAW (
void
p448_copy (
p448_t *out,
const p448_t