/*
 * Serialize a point held in Montgomery-ladder form (struct montgomery_t:
 * z0, xd, zd, xa, za are read) to a single field element written to *b.
 *
 * Straight-line field arithmetic with no data-dependent branches: the only
 * data-dependent selections are done with masks (p448_mask, and addw of
 * -mask), which is what a constant-time implementation requires. The
 * temporaries L0..L3 are reused aggressively, so statement order matters;
 * do not reorder calls without re-tracing the data flow.
 *
 * NOTE(review): a second copy of this function, without the
 * IF32(p448_weak_reduce(...)) calls, also appears in this file. IF32
 * presumably applies the reduction only on 32-bit builds — confirm against
 * its definition. The word constant 39082 looks like 1 - d for the
 * Goldilocks curve constant d = -39081 — confirm.
 *
 * @param b    Output field element (masked to zero when zd is zero).
 * @param a    Montgomery-form input point; must not overlap b.
 * @param sbz  Field element multiplied into the computation and tested for
 *             zero at the end.
 * @return     p448_is_zero(check) | p448_is_zero(sbz). The check is
 *             "value * isr(value)^2 == 1", i.e. the value whose inverse
 *             square root was taken is a square (assuming p448_isr computes
 *             an inverse square root). Success is also reported whenever
 *             sbz is zero, regardless of the check — callers should confirm
 *             that is the intended behaviour for that degenerate input.
 */
mask_t serialize_montgomery ( struct p448_t* b, const struct montgomery_t* a, const struct p448_t* sbz ) {
    mask_t L4, L5, L6;
    struct p448_t L0, L1, L2, L3;
    /* L3 = za * (z0*zd - xd) */
    p448_mul ( &L3, &a->z0, &a->zd );
    p448_sub ( &L1, &L3, &a->xd );
    p448_bias ( &L1, 2 );   /* bias presumably keeps limbs nonnegative after a subtraction — confirm */
    IF32( p448_weak_reduce( &L1 ) );
    p448_mul ( &L3, &a->za, &L1 );
    /* L0 = xa * (z0*xd - zd) */
    p448_mul ( &L2, &a->z0, &a->xd );
    p448_sub ( &L1, &L2, &a->zd );
    p448_bias ( &L1, 2 );
    IF32( p448_weak_reduce( &L1 ) );
    p448_mul ( &L0, &a->xa, &L1 );
    /* L3 = (L3 - L0) * (L3 + L0) */
    p448_add ( &L2, &L0, &L3 );
    p448_sub ( &L1, &L3, &L0 );
    p448_bias ( &L1, 2 );
    IF32( p448_weak_reduce( &L1 ) );
    p448_mul ( &L3, &L1, &L2 );
    /* L2 = 4*z0 - 39082*(z0 + 1)^2 */
    p448_copy ( &L2, &a->z0 );
    p448_addw ( &L2, 1 );
    p448_sqr ( &L1, &L2 );
    p448_mulw ( &L2, &L1, 39082 );
    p448_neg ( &L1, &L2 );
    p448_add ( &L2, &a->z0, &a->z0 );
    p448_bias ( &L2, 1 );
    p448_add ( &L0, &L2, &L2 );
    p448_add ( &L2, &L0, &L1 );
    IF32( p448_weak_reduce( &L2 ) );
    p448_mul ( &L0, &a->xd, &L2 );
    /*
     * Mask-based handling of zd == 0: L5 is the "zd is zero" mask, L6 its
     * negation as a word, L4 its complement (used to zero the output).
     */
    L5 = p448_is_zero( &a->zd );
    L6 = - L5;
    p448_mask ( &L1, &L0, L5 );
    p448_add ( &L2, &L1, &a->zd );
    L4 = ~ L5;
    p448_mul ( &L1, sbz, &L3 );
    p448_addw ( &L1, L6 );
    p448_mul ( &L3, &L2, &L1 );
    p448_mul ( &L1, &L3, &L2 );
    p448_mul ( &L2, &L3, &a->xd );
    p448_mul ( &L3, &L1, &L2 );
    /* Inverse square root of L3; L0 = L3 * isr(L3)^2 is later checked against 1. */
    p448_isr ( &L0, &L3 );
    p448_mul ( &L2, &L1, &L0 );
    p448_sqr ( &L1, &L0 );
    p448_mul ( &L0, &L3, &L1 );
    p448_mask ( b, &L2, L4 );   /* output is zeroed when zd was zero */
    p448_subw ( &L0, 1 );
    p448_bias ( &L0, 1 );
    L5 = p448_is_zero( &L0 );
    L4 = p448_is_zero( sbz );
    return L5 | L4;
}
/*
 * Convert an extensible point *a to twisted-extensible form *b, taking a
 * square root along the way (the p448_isr / p448_sqr / p448_mul sequence).
 *
 * The fields of b are used as scratch before receiving their final values,
 * so b must not overlap a. Straight-line code with no data-dependent
 * branches; special cases are handled by adding -mask words.
 *
 * NOTE(review): a second copy without the IF32(p448_weak_reduce(...))
 * calls also appears in this file. The name suggests this variant is meant
 * for tests only — treat it as such unless the project says otherwise.
 *
 * @param b  Output twisted-extensible point (x, y, z, t, u are all written).
 * @param a  Input extensible point (x, y, z are read).
 */
void test_only_twist ( struct tw_extensible_t* b, const struct extensible_t* a ) {
    mask_t L2, L3;
    struct p448_t L0, L1;
    /* b->u = 4*(z^2 - x^2), using b->y and b->z as temporaries */
    p448_sqr ( &b->u, &a->z );
    p448_sqr ( &b->y, &a->x );
    p448_sub ( &b->z, &b->u, &b->y );
    p448_bias ( &b->z, 2 );   /* bias presumably keeps limbs nonnegative after a subtraction — confirm */
    p448_add ( &b->y, &b->z, &b->z );
    p448_add ( &b->u, &b->y, &b->y );
    IF32( p448_weak_reduce( &b->u ) );
    /* b->x = (z - x)*y ; b->z = z - y ; b->t = (z - y)*(z - x)*y */
    p448_sub ( &b->y, &a->z, &a->x );
    p448_bias ( &b->y, 2 );
    IF32( p448_weak_reduce( &b->y ) );
    p448_mul ( &b->x, &b->y, &a->y );
    p448_sub ( &b->z, &a->z, &a->y );
    p448_bias ( &b->z, 2 );
    IF32( p448_weak_reduce( &b->z ) );
    p448_mul ( &b->t, &b->z, &b->x );
    /* Inverse square root of b->x = t^2 * u; b->t ends as b->x * isr^2 (1 when b->x is a square). */
    p448_mul ( &L1, &b->t, &b->u );
    p448_mul ( &b->x, &b->t, &L1 );
    p448_isr ( &L0, &b->x );
    p448_mul ( &b->u, &b->t, &L0 );
    p448_sqr ( &L1, &L0 );
    p448_mul ( &b->t, &b->x, &L1 );
    /* Combine with (y + x) and (x - y) */
    p448_add ( &L1, &a->y, &a->x );
    IF32( p448_weak_reduce( &L1 ) );
    p448_sub ( &L0, &a->x, &a->y );
    p448_bias ( &L0, 2 );
    IF32( p448_weak_reduce( &L0 ) );
    p448_mul ( &b->x, &b->t, &L0 );
    p448_add ( &L0, &b->x, &L1 );
    p448_sub ( &b->t, &L1, &b->x );
    p448_bias ( &b->t, 2 );
    IF32( p448_weak_reduce( &b->t ) );
    p448_mul ( &b->x, &L0, &b->u );
    /* Mask corrections: add -mask to x when b->y (= z - x) is zero, and to y when b->z (= z - y) is zero. */
    L2 = p448_is_zero( &b->y );
    L3 = - L2;
    p448_addw ( &b->x, L3 );
    p448_weak_reduce( &b->x );
    p448_mul ( &b->y, &b->t, &b->u );
    L2 = p448_is_zero( &b->z );
    L3 = - L2;
    p448_addw ( &b->y, L3 );
    p448_weak_reduce( &b->y );
    /*
     * z = is_zero(a->y) + 1. Under the all-ones mask convention implied by
     * the -mask / ~mask uses elsewhere in this file, this is 0 when a->y is
     * zero and 1 otherwise — confirm against mask_t's definition.
     */
    L3 = p448_is_zero( &a->y );
    L2 = L3 + 1;
    p448_set_ui( &b->z, L2 );
    p448_copy ( &b->t, &b->x );
    p448_copy ( &b->u, &b->y );
}
/*
 * Constant-time equality test of two affine points.
 *
 * Both coordinate differences are always computed and their zero-masks are
 * combined with a bitwise &, so there is no early exit that would leak
 * which coordinate differed.
 *
 * NOTE(review): a second definition of eq_affine, identical except for the
 * numbering of the temporaries, also appears in this file.
 *
 * @return mask that is set (presumably all-ones) iff a->x == b->x and
 *         a->y == b->y, as judged by p448_is_zero after a bias.
 */
mask_t eq_affine(const struct affine_t* a, const struct affine_t* b) {
    mask_t L1, L2;
    struct p448_t L0;
    p448_sub(&L0, &a->x, &b->x);
    p448_bias(&L0, 2);   /* bias presumably keeps limbs nonnegative after a subtraction — confirm */
    L2 = p448_is_zero(&L0);
    p448_sub(&L0, &a->y, &b->y);
    p448_bias(&L0, 2);
    L1 = p448_is_zero(&L0);
    return L2 & L1;
}
/*
 * Constant-time equality test of two affine points.
 *
 * Both coordinate differences are always computed and their zero-masks are
 * combined with a bitwise &, so there is no early exit that would leak
 * which coordinate differed.
 *
 * NOTE(review): a second definition of eq_affine, identical except for the
 * numbering of the temporaries, also appears in this file.
 *
 * @return mask that is set (presumably all-ones) iff a->x == b->x and
 *         a->y == b->y, as judged by p448_is_zero after a bias.
 */
mask_t eq_affine(const struct affine_t* a, const struct affine_t* b) {
    mask_t L0, L1;
    struct p448_t L2;
    p448_sub(&L2, &a->x, &b->x);
    p448_bias(&L2, 2);   /* bias presumably keeps limbs nonnegative after a subtraction — confirm */
    L1 = p448_is_zero(&L2);
    p448_sub(&L2, &a->y, &b->y);
    p448_bias(&L2, 2);
    L0 = p448_is_zero(&L2);
    return L1 & L0;
}
/*
 * Constant-time quadratic-residue test: is x a square in the field?
 *
 * Computes x * isr(x)^2 and compares it with 1 (assuming p448_isr computes
 * an inverse square root, the product is 1 exactly when x is a nonzero
 * square). Zero is reported as a square explicitly via the second mask,
 * presumably because isr(0) is not meaningful. Both masks are always
 * computed and OR-ed; there is no data-dependent branch.
 *
 * NOTE(review): a second definition of is_square, identical except for the
 * numbering of the temporaries, also appears in this file.
 *
 * @param x  Field element to test.
 * @return   mask set iff x * isr(x)^2 == 1 or x == 0.
 */
mask_t is_square(const struct p448_t* x) {
    mask_t L0, L1;
    struct p448_t L2, L3;
    p448_isr(&L2, x);
    p448_sqr(&L3, &L2);
    p448_mul(&L2, x, &L3);   /* L2 = x * isr(x)^2 */
    p448_subw(&L2, 1);
    p448_bias(&L2, 1);       /* bias presumably keeps limbs nonnegative after the subtraction — confirm */
    L1 = p448_is_zero(&L2);
    L0 = p448_is_zero(x);
    return L1 | L0;
}
/*
 * Constant-time quadratic-residue test: is x a square in the field?
 *
 * Computes x * isr(x)^2 and compares it with 1 (assuming p448_isr computes
 * an inverse square root, the product is 1 exactly when x is a nonzero
 * square). Zero is reported as a square explicitly via the second mask,
 * presumably because isr(0) is not meaningful. Both masks are always
 * computed and OR-ed; there is no data-dependent branch.
 *
 * NOTE(review): a second definition of is_square, identical except for the
 * numbering of the temporaries, also appears in this file.
 *
 * @param x  Field element to test.
 * @return   mask set iff x * isr(x)^2 == 1 or x == 0.
 */
mask_t is_square(const struct p448_t* x) {
    mask_t L2, L3;
    struct p448_t L0, L1;
    p448_isr(&L0, x);
    p448_sqr(&L1, &L0);
    p448_mul(&L0, x, &L1);   /* L0 = x * isr(x)^2 */
    p448_subw(&L0, 1);
    p448_bias(&L0, 1);       /* bias presumably keeps limbs nonnegative after the subtraction — confirm */
    L3 = p448_is_zero(&L0);
    L2 = p448_is_zero(x);
    return L3 | L2;
}
/*
 * Serialize a point held in Montgomery-ladder form (struct montgomery_t:
 * z0, xd, zd, xa, za are read) to a single field element written to *b.
 *
 * Straight-line field arithmetic with no data-dependent branches: the only
 * data-dependent selections are done with masks (p448_mask, and addw of
 * -mask), which is what a constant-time implementation requires. The
 * temporaries L3..L6 are reused aggressively, so statement order matters;
 * do not reorder calls without re-tracing the data flow.
 *
 * NOTE(review): a second copy of this function, with extra
 * IF32(p448_weak_reduce(...)) calls after the subtractions, also appears in
 * this file; this variant relies on the multiply routines tolerating the
 * un-reduced operands — confirm against p448_mul's input contract. The
 * word constant 39082 looks like 1 - d for the Goldilocks curve constant
 * d = -39081 — confirm.
 *
 * @param b    Output field element (masked to zero when zd is zero).
 * @param a    Montgomery-form input point; must not overlap b.
 * @param sbz  Field element multiplied into the computation and tested for
 *             zero at the end.
 * @return     p448_is_zero(check) | p448_is_zero(sbz). The check is
 *             "value * isr(value)^2 == 1", i.e. the value whose inverse
 *             square root was taken is a square (assuming p448_isr computes
 *             an inverse square root). Success is also reported whenever
 *             sbz is zero, regardless of the check — callers should confirm
 *             that is the intended behaviour for that degenerate input.
 */
mask_t serialize_montgomery(struct p448_t* b, const struct montgomery_t* a, const struct p448_t* sbz) {
    mask_t L0, L1, L2;
    struct p448_t L3, L4, L5, L6;
    /* L6 = za * (z0*zd - xd) */
    p448_mul(&L6, &a->z0, &a->zd);
    p448_sub(&L4, &L6, &a->xd);
    p448_bias(&L4, 2);   /* bias presumably keeps limbs nonnegative after a subtraction — confirm */
    p448_mul(&L6, &a->za, &L4);
    /* L3 = xa * (z0*xd - zd) */
    p448_mul(&L5, &a->z0, &a->xd);
    p448_sub(&L4, &L5, &a->zd);
    p448_bias(&L4, 2);
    p448_mul(&L3, &a->xa, &L4);
    /* L6 = (L6 - L3) * (L6 + L3) */
    p448_add(&L5, &L3, &L6);
    p448_sub(&L4, &L6, &L3);
    p448_bias(&L4, 2);
    p448_mul(&L6, &L4, &L5);
    /* L3 = 4*z0 - 39082*(z0 + 1)^2 */
    p448_copy(&L5, &a->z0);
    p448_addw(&L5, 1);
    p448_sqr(&L4, &L5);
    p448_mulw(&L5, &L4, 39082);
    p448_neg(&L4, &L5);
    p448_add(&L3, &a->z0, &a->z0);
    p448_bias(&L3, 1);
    p448_add(&L5, &L3, &L3);
    p448_add(&L3, &L5, &L4);
    p448_mul(&L5, &a->xd, &L3);
    /*
     * Mask-based handling of zd == 0: L1 is the "zd is zero" mask, L2 its
     * negation as a word, L0 its complement (used to zero the output).
     */
    L1 = p448_is_zero(&a->zd);
    L2 = -L1;
    p448_mask(&L4, &L5, L1);
    p448_add(&L5, &L4, &a->zd);
    L0 = ~L1;
    p448_mul(&L4, sbz, &L6);
    p448_addw(&L4, L2);
    p448_mul(&L6, &L5, &L4);
    p448_mul(&L4, &L6, &L5);
    p448_mul(&L5, &L6, &a->xd);
    p448_mul(&L6, &L4, &L5);
    /* Inverse square root of L6; L3 = L6 * isr(L6)^2 is later checked against 1. */
    p448_isr(&L3, &L6);
    p448_mul(&L5, &L4, &L3);
    p448_sqr(&L4, &L3);
    p448_mul(&L3, &L6, &L4);
    p448_mask(b, &L5, L0);   /* output is zeroed when zd was zero */
    p448_subw(&L3, 1);
    p448_bias(&L3, 1);
    L1 = p448_is_zero(&L3);
    L0 = p448_is_zero(sbz);
    return L1 | L0;
}
/*
 * Constant-time equality test of two projective (extensible) points.
 *
 * Compares cross-multiplied coordinates so no inversion is needed:
 * b.z*a.x == a.z*b.x and b.z*a.y == a.z*b.y. Both products are always
 * computed and the two zero-masks are combined with a bitwise &, so there
 * is no early exit. Only x, y and z are read; t and u are ignored.
 *
 * NOTE(review): a second definition of eq_extensible, identical except for
 * the numbering of the temporaries, also appears in this file.
 *
 * @return mask set (presumably all-ones) iff both cross-products match.
 */
mask_t eq_extensible(const struct extensible_t* a, const struct extensible_t* b) {
    mask_t L0, L1;
    struct p448_t L2, L3, L4;
    p448_mul(&L4, &b->z, &a->x);
    p448_mul(&L3, &a->z, &b->x);
    p448_sub(&L2, &L4, &L3);
    p448_bias(&L2, 2);   /* bias presumably keeps limbs nonnegative after a subtraction — confirm */
    L1 = p448_is_zero(&L2);
    p448_mul(&L4, &b->z, &a->y);
    p448_mul(&L3, &a->z, &b->y);
    p448_sub(&L2, &L4, &L3);
    p448_bias(&L2, 2);
    L0 = p448_is_zero(&L2);
    return L1 & L0;
}
/*
 * Constant-time equality test of two projective (extensible) points.
 *
 * Compares cross-multiplied coordinates so no inversion is needed:
 * b.z*a.x == a.z*b.x and b.z*a.y == a.z*b.y. Both products are always
 * computed and the two zero-masks are combined with a bitwise &, so there
 * is no early exit. Only x, y and z are read; t and u are ignored.
 *
 * NOTE(review): a second definition of eq_extensible, identical except for
 * the numbering of the temporaries, also appears in this file.
 *
 * @return mask set (presumably all-ones) iff both cross-products match.
 */
mask_t eq_extensible(const struct extensible_t* a, const struct extensible_t* b) {
    mask_t L3, L4;
    struct p448_t L0, L1, L2;
    p448_mul(&L2, &b->z, &a->x);
    p448_mul(&L1, &a->z, &b->x);
    p448_sub(&L0, &L2, &L1);
    p448_bias(&L0, 2);   /* bias presumably keeps limbs nonnegative after a subtraction — confirm */
    L4 = p448_is_zero(&L0);
    p448_mul(&L2, &b->z, &a->y);
    p448_mul(&L1, &a->z, &b->y);
    p448_sub(&L0, &L2, &L1);
    p448_bias(&L0, 2);
    L3 = p448_is_zero(&L0);
    return L4 & L3;
}
/*
 * Decode a single field element sz into an affine point *a.
 *
 * The decoding needs a square root, obtained through p448_isr; validity is
 * reported through the returned mask, which is the result of checking
 * Y * isr(Y)^2 == 1 for the value Y passed to p448_isr (tracing the
 * temporaries: L0 at the end equals a->x * L3, and L3 = (a->x^3 * L3old) *
 * isr^2, which is exactly Y * isr(Y)^2). Assuming p448_isr computes an
 * inverse square root, the mask is set iff Y is a nonzero square.
 *
 * a->x and a->y are used as scratch throughout and are written
 * unconditionally, so on failure *a holds meaningless values: callers must
 * check the returned mask before using *a. sz is read after a's fields are
 * written, so sz must not point into *a. No data-dependent branches.
 *
 * NOTE(review): the word constant 39082 looks like 1 - d for the Goldilocks
 * curve constant d = -39081 — confirm.
 *
 * @param a   Output point (x, y written; also used as temporaries).
 * @param sz  Encoded input field element.
 * @return    mask set iff the square root existed (see above).
 */
mask_t deserialize_affine(struct affine_t* a, const struct p448_t* sz) {
    struct p448_t L0, L1, L2, L3;
    p448_sqr(&L1, sz);              /* L1 = sz^2 */
    /* a->x = -39082*(sz^2 + 1)^2 */
    p448_copy(&L3, &L1);
    p448_addw(&L3, 1);
    p448_sqr(&a->x, &L3);
    p448_mulw(&L3, &a->x, 39082);
    p448_neg(&a->x, &L3);
    /* L3 = 4*sz^2 + a->x */
    p448_add(&L3, &L1, &L1);
    p448_bias(&L3, 1);              /* bias presumably keeps limbs nonnegative — confirm */
    p448_add(&a->y, &L3, &L3);
    p448_add(&L3, &a->y, &a->x);
    p448_weak_reduce(&L3);
    /* a->x = 1 - sz^2 */
    p448_copy(&a->y, &L1);
    p448_subw(&a->y, 1);
    p448_neg(&a->x, &a->y);
    p448_bias(&a->x, 2);
    p448_weak_reduce(&a->x);
    /* Build Y = a->x^4 * L3 (via L0 = a->x^3 * L3) and take its inverse square root. */
    p448_mul(&a->y, &a->x, &L3);
    p448_sqr(&L2, &a->x);
    p448_mul(&L0, &L2, &a->y);
    p448_mul(&a->y, &a->x, &L0);
    p448_isr(&L3, &a->y);
    p448_mul(&a->y, &L2, &L3);
    p448_sqr(&L2, &L3);
    p448_mul(&L3, &L0, &L2);
    p448_mul(&L0, &a->x, &L3);      /* L0 = Y * isr(Y)^2, checked against 1 below */
    /* Final coordinates */
    p448_add(&L2, &a->y, &a->y);
    p448_mul(&a->x, sz, &L2);
    p448_addw(&L1, 1);
    p448_mul(&a->y, &L1, &L3);
    p448_subw(&L0, 1);
    p448_bias(&L0, 1);
    return p448_is_zero(&L0);
}
/*
 * Convert an extensible point *a to twisted-extensible form *b, taking a
 * square root along the way (the p448_isr / p448_sqr / p448_mul sequence).
 *
 * The fields of b are used as scratch before receiving their final values,
 * so b must not overlap a. Straight-line code with no data-dependent
 * branches; the one special case is handled by adding a -mask word.
 *
 * NOTE(review): the product Y * isr(Y)^2 (the usual "was Y a square" check,
 * cf. is_square and deserialize_affine in this file) is computed into b->t
 * but never read before b->t is overwritten by the final p448_copy, so this
 * function does not validate the square root. With a void return there is
 * no way to report it; presumably the "even" in the name encodes a
 * precondition that makes the root always exist — confirm before relying
 * on this for untrusted input.
 *
 * @param b  Output twisted-extensible point (x, y, z, t, u are all written).
 * @param a  Input extensible point (x, y, z are read).
 */
void twist_even(struct tw_extensible_t* b, const struct extensible_t* a) {
    mask_t L0, L1;
    /* b->u = z^2 - x^2 */
    p448_sqr(&b->y, &a->z);
    p448_sqr(&b->z, &a->x);
    p448_sub(&b->u, &b->y, &b->z);
    p448_bias(&b->u, 2);   /* bias presumably keeps limbs nonnegative after a subtraction — confirm */
    p448_weak_reduce(&b->u);
    /* b->y = (z - x)*y ; b->z = z - y ; b->x = (z - y)*(z - x)*y */
    p448_sub(&b->z, &a->z, &a->x);
    p448_bias(&b->z, 2);
    p448_weak_reduce(&b->z);
    p448_mul(&b->y, &b->z, &a->y);
    p448_sub(&b->z, &a->z, &a->y);
    p448_bias(&b->z, 2);
    p448_weak_reduce(&b->z);
    p448_mul(&b->x, &b->z, &b->y);
    /* Inverse square root of b->y = b->x^2 * b->u; b->u = b->x * isr */
    p448_mul(&b->t, &b->x, &b->u);
    p448_mul(&b->y, &b->x, &b->t);
    p448_isr(&b->t, &b->y);
    p448_mul(&b->u, &b->x, &b->t);
    p448_sqr(&b->x, &b->t);
    p448_mul(&b->t, &b->y, &b->x);   /* = Y * isr(Y)^2 — result is never read (see note above) */
    /* Final coordinates: x, y scaled by the root; y corrected by -mask when z - y was zero. */
    p448_mul(&b->x, &a->x, &b->u);
    p448_mul(&b->y, &a->y, &b->u);
    L1 = p448_is_zero(&b->z);
    L0 = -L1;
    p448_addw(&b->y, L0);
    p448_weak_reduce(&b->y);
    p448_set_ui(&b->z, 1);
    p448_copy(&b->t, &b->x);
    p448_copy(&b->u, &b->y);
}
/*
 * Map a field element r to an affine point *a (an Elligator-style
 * injection, going by the name). Straight-line code with no data-dependent
 * branches; the single special case is handled by adding a -mask word. No
 * validity result is returned: every input produces some output.
 *
 * a->x and a->y are used as scratch throughout, so r must not point into
 * *a (r is read only at the very start, before any write to *a, so in this
 * function an overlap would in fact be harmless — but callers should not
 * rely on that).
 *
 * NOTE(review): the word constants 1527402724, 6108985600, 6109454568,
 * 78160 and 3054649120 are curve-specific precomputed values whose
 * derivation is not visible here. 6108985600 and 6109454568 do not fit in
 * 32 bits, so p448_mulw's word parameter must be at least 64 bits wide;
 * if it is narrower they would be silently truncated — confirm against
 * p448_mulw's prototype.
 *
 * @param a  Output affine point (x, y written; also used as temporaries).
 * @param r  Input field element.
 */
void elligator_2s_inject(struct affine_t* a, const struct p448_t* r) {
    mask_t L0, L1;
    struct p448_t L2, L3, L4, L5, L6, L7, L8;
    /* a->x = r^2 ; L3 = r^4 ; L4 = 1 - r^4 ; L2 = (1 - r^4)^2 */
    p448_sqr(&a->x, r);
    p448_sqr(&L3, &a->x);
    p448_copy(&a->y, &L3);
    p448_subw(&a->y, 1);
    p448_neg(&L4, &a->y);
    p448_bias(&L4, 2);   /* bias presumably keeps limbs nonnegative after a subtraction — confirm */
    p448_weak_reduce(&L4);
    p448_sqr(&L2, &L4);
    /* Polynomial in L2 and L3 with the precomputed word constants */
    p448_mulw(&L7, &L2, 1527402724);
    p448_mulw(&L8, &L3, 6108985600);
    p448_add(&a->y, &L8, &L7);
    p448_weak_reduce(&a->y);
    p448_mulw(&L8, &L2, 6109454568);
    p448_sub(&L7, &a->y, &L8);
    p448_bias(&L7, 2);
    p448_weak_reduce(&L7);
    p448_mulw(&L6, &a->y, 78160);
    /* Build the value whose inverse square root is taken (L4), keeping the factors needed afterwards */
    p448_mul(&L5, &L7, &L6);
    p448_mul(&L8, &L5, &L4);
    p448_mul(&L4, &L5, &L6);
    p448_mul(&L5, &L7, &L8);
    p448_mul(&L8, &L5, &L4);
    p448_mul(&L4, &L7, &L8);
    p448_isr(&L6, &L4);
    p448_mul(&L4, &L5, &L6);
    p448_sqr(&L5, &L6);
    p448_mul(&L6, &L8, &L5);
    p448_mul(&L8, &L7, &L6);
    p448_mul(&L7, &L8, &L6);
    /* x coordinate: -78160 * L4 * ((r^2 - 1) - (r^2 + 1)*L8) */
    p448_copy(&L6, &a->x);
    p448_subw(&L6, 1);
    p448_addw(&a->x, 1);
    p448_mul(&L5, &a->x, &L8);
    p448_sub(&a->x, &L6, &L5);
    p448_bias(&a->x, 3);
    p448_weak_reduce(&a->x);
    p448_mul(&L5, &L4, &a->x);
    p448_mulw(&L4, &L5, 78160);
    p448_neg(&a->x, &L4);
    p448_bias(&a->x, 2);
    p448_weak_reduce(&a->x);
    /* y coordinate: L7 * (3054649120 * (2*r^4 + (1 - r^4)^2 - 2) * L8 + a->y) */
    p448_add(&L4, &L3, &L3);
    p448_add(&L3, &L4, &L2);
    p448_subw(&L3, 2);
    p448_bias(&L3, 1);
    p448_weak_reduce(&L3);
    p448_mul(&L2, &L3, &L8);
    p448_mulw(&L3, &L2, 3054649120);
    p448_add(&L2, &L3, &a->y);
    p448_mul(&a->y, &L7, &L2);
    /* Mask correction: add -mask to y when L8 is zero */
    L1 = p448_is_zero(&L8);
    L0 = -L1;
    p448_addw(&a->y, L0);
    p448_weak_reduce(&a->y);
}
/*
 * Convert an extensible point *a to twisted-extensible form *b, taking a
 * square root along the way (the p448_isr / p448_sqr / p448_mul sequence).
 *
 * The fields of b are used as scratch before receiving their final values,
 * so b must not overlap a. Straight-line code with no data-dependent
 * branches; special cases are handled by adding -mask words.
 *
 * NOTE(review): a second copy with IF32(p448_weak_reduce(...)) calls after
 * the subtractions also appears in this file; this variant relies on the
 * multiply routines tolerating un-reduced operands — confirm against
 * p448_mul's input contract. The name suggests this function is meant for
 * tests only — treat it as such unless the project says otherwise.
 *
 * @param b  Output twisted-extensible point (x, y, z, t, u are all written).
 * @param a  Input extensible point (x, y, z are read).
 */
void test_only_twist(struct tw_extensible_t* b, const struct extensible_t* a) {
    mask_t L0, L1;
    struct p448_t L2, L3;
    /* b->u = 4*(z^2 - x^2), using b->y and b->z as temporaries */
    p448_sqr(&b->u, &a->z);
    p448_sqr(&b->y, &a->x);
    p448_sub(&b->z, &b->u, &b->y);
    p448_bias(&b->z, 2);   /* bias presumably keeps limbs nonnegative after a subtraction — confirm */
    p448_add(&b->y, &b->z, &b->z);
    p448_add(&b->u, &b->y, &b->y);
    /* b->x = (z - x)*y ; b->z = z - y ; b->t = (z - y)*(z - x)*y */
    p448_sub(&b->y, &a->z, &a->x);
    p448_bias(&b->y, 2);
    p448_mul(&b->x, &b->y, &a->y);
    p448_sub(&b->z, &a->z, &a->y);
    p448_bias(&b->z, 2);
    p448_mul(&b->t, &b->z, &b->x);
    /* Inverse square root of b->x = t^2 * u; b->t ends as b->x * isr^2 (1 when b->x is a square). */
    p448_mul(&L3, &b->t, &b->u);
    p448_mul(&b->x, &b->t, &L3);
    p448_isr(&L2, &b->x);
    p448_mul(&b->u, &b->t, &L2);
    p448_sqr(&L3, &L2);
    p448_mul(&b->t, &b->x, &L3);
    /* Combine with (y + x) and (x - y) */
    p448_add(&L3, &a->y, &a->x);
    p448_sub(&L2, &a->x, &a->y);
    p448_bias(&L2, 2);
    p448_mul(&b->x, &b->t, &L2);
    p448_add(&L2, &b->x, &L3);
    p448_sub(&b->t, &L3, &b->x);
    p448_bias(&b->t, 2);
    p448_mul(&b->x, &L2, &b->u);
    /* Mask corrections: add -mask to x when b->y (= z - x) is zero, and to y when b->z (= z - y) is zero. */
    L0 = p448_is_zero(&b->y);
    L1 = -L0;
    p448_addw(&b->x, L1);
    p448_weak_reduce(&b->x);
    p448_mul(&b->y, &b->t, &b->u);
    L0 = p448_is_zero(&b->z);
    L1 = -L0;
    p448_addw(&b->y, L1);
    p448_weak_reduce(&b->y);
    /*
     * z = is_zero(a->y) + 1. Under the all-ones mask convention implied by
     * the -mask / ~mask uses elsewhere in this file, this is 0 when a->y is
     * zero and 1 otherwise — confirm against mask_t's definition.
     */
    L1 = p448_is_zero(&a->y);
    L0 = L1 + 1;
    p448_set_ui(&b->z, L0);
    p448_copy(&b->t, &b->x);
    p448_copy(&b->u, &b->y);
}
/*
 * Check that a twisted-extensible point satisfies both of its internal
 * invariants (the t*u == x*y/z relation and the twisted curve equation).
 *
 * Both invariants are always evaluated and their zero-masks are combined
 * with a bitwise &, so there is no early exit and no data-dependent branch.
 * Intended for validating points before they are used; the return value
 * must be checked by the caller.
 *
 * NOTE(review): the curve term d*t^2*u^2 is computed as -(39081 * t^2*u^2),
 * which matches the comment's d if d = -39081 (the Goldilocks constant) —
 * confirm. The two p448_addw(..., 0) calls look like no-ops; they are
 * presumably an artefact of code generation (or a deliberate limb
 * normalization) — confirm against p448_addw before removing them.
 *
 * @param ext  Point to validate (x, y, z, t, u are read).
 * @return     mask set iff both invariants hold.
 */
mask_t validate_tw_extensible ( const struct tw_extensible_t* ext ) {
    mask_t L4, L5;
    struct p448_t L0, L1, L2, L3;
    /*
     * Check invariant:
     *   0 = -x*y + z*t*u
     */
    p448_mul ( &L1, &ext->t, &ext->u );
    p448_mul ( &L2, &ext->z, &L1 );
    p448_addw ( &L2, 0 );
    p448_mul ( &L0, &ext->x, &ext->y );
    p448_neg ( &L1, &L0 );
    p448_add ( &L0, &L1, &L2 );
    p448_bias ( &L0, 2 );   /* bias presumably keeps limbs nonnegative after the negation — confirm */
    L5 = p448_is_zero( &L0 );
    /*
     * Check invariant:
     *   0 = d*t^2*u^2 + x^2 - y^2 + z^2 - t^2*u^2
     */
    p448_sqr ( &L2, &ext->y );
    p448_neg ( &L1, &L2 );
    p448_addw ( &L1, 0 );
    p448_sqr ( &L0, &ext->x );
    p448_add ( &L2, &L0, &L1 );          /* L2 = x^2 - y^2 */
    p448_sqr ( &L3, &ext->u );
    p448_sqr ( &L0, &ext->t );
    p448_mul ( &L1, &L0, &L3 );          /* L1 = t^2*u^2 */
    p448_mulw ( &L0, &L1, 39081 );
    p448_neg ( &L3, &L0 );               /* L3 = d*t^2*u^2 with d = -39081 */
    p448_add ( &L0, &L3, &L2 );
    p448_neg ( &L3, &L1 );
    p448_add ( &L2, &L3, &L0 );          /* L2 = d*t^2*u^2 + x^2 - y^2 - t^2*u^2 */
    p448_sqr ( &L1, &ext->z );
    p448_add ( &L0, &L1, &L2 );          /* + z^2 */
    p448_bias ( &L0, 4 );
    L4 = p448_is_zero( &L0 );
    return L5 & L4;
}
/*
 * Decode the field elements (sdm1, sz) directly into a twisted-extensible
 * point *a, taking a square root along the way.
 *
 * The fields of a are used as scratch throughout and are written
 * unconditionally, so on failure *a holds meaningless values: callers must
 * check the returned mask before using *a. sdm1 and sz are read after a's
 * fields have been written, so neither may point into *a. Straight-line
 * code with no data-dependent branches.
 *
 * NOTE(review): the word constant 39082 looks like 1 - d for the Goldilocks
 * curve constant d = -39081 — confirm. IF32 presumably applies the weak
 * reduction only on 32-bit builds — confirm against its definition. The
 * "approx" in the name is not explained by the visible code.
 *
 * @param a     Output point (x, y, z, t, u are all written).
 * @param sdm1  Input field element multiplied in after the first stage.
 * @param sz    Input field element whose square seeds the computation.
 * @return      mask set iff the square-root validity check
 *              (value * isr(value)^2 == 1, assuming p448_isr is an inverse
 *              square root) passed.
 */
mask_t deserialize_and_twist_approx ( struct tw_extensible_t* a, const struct p448_t* sdm1, const struct p448_t* sz ) {
    struct p448_t L0, L1;
    /* a->z = sz^2 ; a->y = 4*sz^2 - 39082*(sz^2 + 1)^2 */
    p448_sqr ( &a->z, sz );
    p448_copy ( &a->y, &a->z );
    p448_addw ( &a->y, 1 );
    p448_sqr ( &a->x, &a->y );
    p448_mulw ( &a->y, &a->x, 39082 );
    p448_neg ( &a->x, &a->y );
    p448_add ( &a->y, &a->z, &a->z );
    p448_bias ( &a->y, 1 );   /* bias presumably keeps limbs nonnegative — confirm */
    p448_add ( &a->u, &a->y, &a->y );
    p448_add ( &a->y, &a->u, &a->x );
    IF32( p448_weak_reduce( &a->y ) );
    /* a->u = 1 - sz^4 ; a->x = sdm1 * (1 - sz^4) */
    p448_sqr ( &a->x, &a->z );
    p448_subw ( &a->x, 1 );
    p448_neg ( &a->u, &a->x );
    p448_bias ( &a->u, 2 );
    IF32( p448_weak_reduce( &a->u ) );
    p448_mul ( &a->x, sdm1, &a->u );
    /* Build the value whose inverse square root is taken (a->y) and take it */
    p448_mul ( &L0, &a->x, &a->y );
    p448_mul ( &a->t, &L0, &a->y );
    p448_mul ( &a->u, &a->x, &a->t );
    p448_mul ( &a->t, &a->u, &L0 );
    p448_mul ( &a->y, &a->x, &a->t );
    p448_isr ( &L0, &a->y );
    p448_mul ( &a->y, &a->u, &L0 );
    p448_sqr ( &L1, &L0 );
    p448_mul ( &a->u, &a->t, &L1 );
    p448_mul ( &a->t, &a->x, &a->u );   /* a->t = Y * isr(Y)^2, checked against 1 below */
    /* Final x and y */
    p448_add ( &a->x, sz, sz );
    p448_mul ( &L0, &a->u, &a->x );
    p448_copy ( &a->x, &a->z );
    p448_subw ( &a->x, 1 );
    p448_neg ( &L1, &a->x );
    p448_bias ( &L1, 2 );
    IF32( p448_weak_reduce( &L1 ) );
    p448_mul ( &a->x, &L1, &L0 );
    p448_mul ( &L0, &a->u, &a->y );
    p448_addw ( &a->z, 1 );
    p448_mul ( &a->y, &a->z, &L0 );
    /* Validity mask, then normalize z = 1 and set t, u to x, y */
    p448_subw ( &a->t, 1 );
    p448_bias ( &a->t, 1 );
    mask_t ret = p448_is_zero( &a->t );
    p448_set_ui( &a->z, 1 );
    p448_copy ( &a->t, &a->x );
    p448_copy ( &a->u, &a->y );
    return ret;
}
/*
 * Check that an affine point lies on the curve.
 *
 * Evaluates x^2 + y^2 - 1 - d*x^2*y^2 with d computed as -39081 (the
 * p448_mulw by 39081 followed by p448_neg) and tests it for zero, i.e. the
 * Edwards curve equation x^2 + y^2 = 1 + d*x^2*y^2. Straight-line code
 * with no data-dependent branch; suitable for validating untrusted input
 * points provided the caller acts on the returned mask.
 *
 * NOTE(review): 39081 matches the Goldilocks curve constant |d| — confirm
 * against the project's curve parameters.
 *
 * @param a  Point to validate (x, y read).
 * @return   mask set iff the point satisfies the curve equation.
 */
mask_t validate_affine(const struct affine_t* a) {
    struct p448_t L0, L1, L2, L3;
    p448_sqr(&L0, &a->y);            /* L0 = y^2 */
    p448_sqr(&L2, &a->x);            /* L2 = x^2 */
    p448_add(&L3, &L2, &L0);
    p448_subw(&L3, 1);               /* L3 = x^2 + y^2 - 1 */
    p448_mulw(&L1, &L2, 39081);
    p448_neg(&L2, &L1);              /* L2 = d*x^2, d = -39081 */
    p448_bias(&L2, 2);               /* bias presumably keeps limbs nonnegative after the negation — confirm */
    p448_mul(&L1, &L0, &L2);         /* L1 = d*x^2*y^2 */
    p448_sub(&L0, &L3, &L1);
    p448_bias(&L0, 3);
    return p448_is_zero(&L0);
}
/*
 * Check that an extensible point satisfies both of its internal invariants
 * (the projective curve equation and the t*u == x*y/z relation).
 *
 * Both invariants are always evaluated and their zero-masks are combined
 * with a bitwise &, so there is no early exit and no data-dependent branch.
 * Intended for validating points before they are used; the return value
 * must be checked by the caller.
 *
 * NOTE(review): the curve term d*t^2*u^2 is computed as -(39081 * t^2*u^2),
 * which matches the comment's d if d = -39081 (the Goldilocks constant) —
 * confirm. The two p448_addw(..., 0) calls look like no-ops; they are
 * presumably an artefact of code generation (or a deliberate limb
 * normalization) — confirm against p448_addw before removing them.
 *
 * @param ext  Point to validate (x, y, z, t, u are read).
 * @return     mask set iff both invariants hold.
 */
mask_t validate_extensible(const struct extensible_t* ext) {
    mask_t L0, L1;
    struct p448_t L2, L3, L4, L5;
    /*
     * Check invariant:
     *   0 = d*t^2*u^2 - x^2 - y^2 + z^2
     */
    p448_sqr(&L4, &ext->y);
    p448_neg(&L3, &L4);
    p448_addw(&L3, 0);
    p448_sqr(&L2, &ext->z);
    p448_add(&L4, &L2, &L3);          /* L4 = z^2 - y^2 */
    p448_sqr(&L5, &ext->u);
    p448_sqr(&L2, &ext->t);
    p448_mul(&L3, &L2, &L5);          /* L3 = t^2*u^2 */
    p448_mulw(&L5, &L3, 39081);
    p448_neg(&L2, &L5);               /* L2 = d*t^2*u^2 with d = -39081 */
    p448_add(&L3, &L2, &L4);
    p448_sqr(&L2, &ext->x);
    p448_neg(&L4, &L2);
    p448_add(&L2, &L4, &L3);          /* - x^2 */
    p448_bias(&L2, 4);                /* bias presumably keeps limbs nonnegative after the negations — confirm */
    L1 = p448_is_zero(&L2);
    /*
     * Check invariant:
     *   0 = -x*y + z*t*u
     */
    p448_mul(&L3, &ext->t, &ext->u);
    p448_mul(&L4, &ext->z, &L3);
    p448_addw(&L4, 0);
    p448_mul(&L2, &ext->x, &ext->y);
    p448_neg(&L3, &L2);
    p448_add(&L2, &L3, &L4);
    p448_bias(&L2, 2);
    L0 = p448_is_zero(&L2);
    return L1 & L0;
}