void untwist_and_double_and_serialize(struct p448_t* b, const struct tw_extensible_t* a) {
struct p448_t L0, L1, L2, L3;
p448_mul(&L3, &a->y, &a->x);
p448_add(b, &a->y, &a->x);
p448_sqr(&L1, b);
p448_add(&L2, &L3, &L3);
p448_sub(b, &L1, &L2);
p448_bias(b, 3);
p448_weak_reduce(b);
p448_sqr(&L2, &a->z);
p448_sqr(&L1, &L2);
p448_add(&L2, b, b);
p448_mulw(b, &L2, 39082);
p448_neg(&L2, b);
p448_bias(&L2, 2);
p448_mulw(&L0, &L2, 39082);
p448_neg(b, &L0);
p448_bias(b, 2);
p448_mul(&L0, &L2, &L1);
p448_mul(&L2, b, &L0);
p448_isr(&L0, &L2);
p448_mul(&L1, b, &L0);
p448_sqr(b, &L0);
p448_mul(&L0, &L2, b);
p448_mul(b, &L1, &L3);
}
mask_t deserialize_affine(struct affine_t* a, const struct p448_t* sz) {
struct p448_t L0, L1, L2, L3;
p448_sqr(&L1, sz);
p448_copy(&L3, &L1);
p448_addw(&L3, 1);
p448_sqr(&a->x, &L3);
p448_mulw(&L3, &a->x, 39082);
p448_neg(&a->x, &L3);
p448_add(&L3, &L1, &L1);
p448_bias(&L3, 1);
p448_add(&a->y, &L3, &L3);
p448_add(&L3, &a->y, &a->x);
p448_weak_reduce(&L3);
p448_copy(&a->y, &L1);
p448_subw(&a->y, 1);
p448_neg(&a->x, &a->y);
p448_bias(&a->x, 2);
p448_weak_reduce(&a->x);
p448_mul(&a->y, &a->x, &L3);
p448_sqr(&L2, &a->x);
p448_mul(&L0, &L2, &a->y);
p448_mul(&a->y, &a->x, &L0);
p448_isr(&L3, &a->y);
p448_mul(&a->y, &L2, &L3);
p448_sqr(&L2, &L3);
p448_mul(&L3, &L0, &L2);
p448_mul(&L0, &a->x, &L3);
p448_add(&L2, &a->y, &a->y);
p448_mul(&a->x, sz, &L2);
p448_addw(&L1, 1);
p448_mul(&a->y, &L1, &L3);
p448_subw(&L0, 1);
p448_bias(&L0, 1);
return p448_is_zero(&L0);
}
void montgomery_step(struct montgomery_t* a) {
struct p448_t L0, L1;
p448_add(&L0, &a->zd, &a->xd);
p448_sub(&L1, &a->xd, &a->zd);
p448_bias(&L1, 2);
p448_weak_reduce(&L1);
p448_sub(&a->zd, &a->xa, &a->za);
p448_bias(&a->zd, 2);
p448_weak_reduce(&a->zd);
p448_mul(&a->xd, &L0, &a->zd);
p448_add(&a->zd, &a->za, &a->xa);
p448_mul(&a->za, &L1, &a->zd);
p448_add(&a->xa, &a->za, &a->xd);
p448_sqr(&a->zd, &a->xa);
p448_mul(&a->xa, &a->z0, &a->zd);
p448_sub(&a->zd, &a->xd, &a->za);
p448_bias(&a->zd, 2);
p448_weak_reduce(&a->zd);
p448_sqr(&a->za, &a->zd);
p448_sqr(&a->xd, &L0);
p448_sqr(&L0, &L1);
p448_mulw(&a->zd, &a->xd, 39082);
p448_sub(&L1, &a->xd, &L0);
p448_bias(&L1, 2);
p448_weak_reduce(&L1);
p448_mul(&a->xd, &L0, &a->zd);
p448_sub(&L0, &a->zd, &L1);
p448_bias(&L0, 2);
p448_weak_reduce(&L0);
p448_mul(&a->zd, &L0, &L1);
}
mask_t
serialize_montgomery (
struct p448_t* b,
const struct montgomery_t* a,
const struct p448_t* sbz
) {
mask_t L4, L5, L6;
struct p448_t L0, L1, L2, L3;
p448_mul ( &L3, &a->z0, &a->zd );
p448_sub ( &L1, &L3, &a->xd );
p448_bias ( &L1, 2 );
IF32( p448_weak_reduce( &L1 ) );
p448_mul ( &L3, &a->za, &L1 );
p448_mul ( &L2, &a->z0, &a->xd );
p448_sub ( &L1, &L2, &a->zd );
p448_bias ( &L1, 2 );
IF32( p448_weak_reduce( &L1 ) );
p448_mul ( &L0, &a->xa, &L1 );
p448_add ( &L2, &L0, &L3 );
p448_sub ( &L1, &L3, &L0 );
p448_bias ( &L1, 2 );
IF32( p448_weak_reduce( &L1 ) );
p448_mul ( &L3, &L1, &L2 );
p448_copy ( &L2, &a->z0 );
p448_addw ( &L2, 1 );
p448_sqr ( &L1, &L2 );
p448_mulw ( &L2, &L1, 39082 );
p448_neg ( &L1, &L2 );
p448_add ( &L2, &a->z0, &a->z0 );
p448_bias ( &L2, 1 );
p448_add ( &L0, &L2, &L2 );
p448_add ( &L2, &L0, &L1 );
IF32( p448_weak_reduce( &L2 ) );
p448_mul ( &L0, &a->xd, &L2 );
L5 = p448_is_zero( &a->zd );
L6 = - L5;
p448_mask ( &L1, &L0, L5 );
p448_add ( &L2, &L1, &a->zd );
L4 = ~ L5;
p448_mul ( &L1, sbz, &L3 );
p448_addw ( &L1, L6 );
p448_mul ( &L3, &L2, &L1 );
p448_mul ( &L1, &L3, &L2 );
p448_mul ( &L2, &L3, &a->xd );
p448_mul ( &L3, &L1, &L2 );
p448_isr ( &L0, &L3 );
p448_mul ( &L2, &L1, &L0 );
p448_sqr ( &L1, &L0 );
p448_mul ( &L0, &L3, &L1 );
p448_mask ( b, &L2, L4 );
p448_subw ( &L0, 1 );
p448_bias ( &L0, 1 );
L5 = p448_is_zero( &L0 );
L4 = p448_is_zero( sbz );
return L5 | L4;
}
mask_t
deserialize_and_twist_approx (
struct tw_extensible_t* a,
const struct p448_t* sdm1,
const struct p448_t* sz
) {
struct p448_t L0, L1;
p448_sqr ( &a->z, sz );
p448_copy ( &a->y, &a->z );
p448_addw ( &a->y, 1 );
p448_sqr ( &a->x, &a->y );
p448_mulw ( &a->y, &a->x, 39082 );
p448_neg ( &a->x, &a->y );
p448_add ( &a->y, &a->z, &a->z );
p448_bias ( &a->y, 1 );
p448_add ( &a->u, &a->y, &a->y );
p448_add ( &a->y, &a->u, &a->x );
IF32( p448_weak_reduce( &a->y ) );
p448_sqr ( &a->x, &a->z );
p448_subw ( &a->x, 1 );
p448_neg ( &a->u, &a->x );
p448_bias ( &a->u, 2 );
IF32( p448_weak_reduce( &a->u ) );
p448_mul ( &a->x, sdm1, &a->u );
p448_mul ( &L0, &a->x, &a->y );
p448_mul ( &a->t, &L0, &a->y );
p448_mul ( &a->u, &a->x, &a->t );
p448_mul ( &a->t, &a->u, &L0 );
p448_mul ( &a->y, &a->x, &a->t );
p448_isr ( &L0, &a->y );
p448_mul ( &a->y, &a->u, &L0 );
p448_sqr ( &L1, &L0 );
p448_mul ( &a->u, &a->t, &L1 );
p448_mul ( &a->t, &a->x, &a->u );
p448_add ( &a->x, sz, sz );
p448_mul ( &L0, &a->u, &a->x );
p448_copy ( &a->x, &a->z );
p448_subw ( &a->x, 1 );
p448_neg ( &L1, &a->x );
p448_bias ( &L1, 2 );
IF32( p448_weak_reduce( &L1 ) );
p448_mul ( &a->x, &L1, &L0 );
p448_mul ( &L0, &a->u, &a->y );
p448_addw ( &a->z, 1 );
p448_mul ( &a->y, &a->z, &L0 );
p448_subw ( &a->t, 1 );
p448_bias ( &a->t, 1 );
mask_t ret = p448_is_zero( &a->t );
p448_set_ui( &a->z, 1 );
p448_copy ( &a->t, &a->x );
p448_copy ( &a->u, &a->y );
return ret;
}
void convert_tw_affine_to_tw_pniels(struct tw_pniels_t* b, const struct tw_affine_t* a) {
p448_sub(&b->n.a, &a->y, &a->x);
p448_bias(&b->n.a, 2);
p448_weak_reduce(&b->n.a);
p448_add(&b->n.b, &a->x, &a->y);
p448_weak_reduce(&b->n.b);
p448_mul(&b->n.c, &a->y, &a->x);
p448_mulw(&b->z, &b->n.c, 78164);
p448_neg(&b->n.c, &b->z);
p448_bias(&b->n.c, 2);
p448_weak_reduce(&b->n.c);
p448_set_ui(&b->z, 2);
}
void elligator_2s_inject(struct affine_t* a, const struct p448_t* r) {
mask_t L0, L1;
struct p448_t L2, L3, L4, L5, L6, L7, L8;
p448_sqr(&a->x, r);
p448_sqr(&L3, &a->x);
p448_copy(&a->y, &L3);
p448_subw(&a->y, 1);
p448_neg(&L4, &a->y);
p448_bias(&L4, 2);
p448_weak_reduce(&L4);
p448_sqr(&L2, &L4);
p448_mulw(&L7, &L2, 1527402724);
p448_mulw(&L8, &L3, 6108985600);
p448_add(&a->y, &L8, &L7);
p448_weak_reduce(&a->y);
p448_mulw(&L8, &L2, 6109454568);
p448_sub(&L7, &a->y, &L8);
p448_bias(&L7, 2);
p448_weak_reduce(&L7);
p448_mulw(&L6, &a->y, 78160);
p448_mul(&L5, &L7, &L6);
p448_mul(&L8, &L5, &L4);
p448_mul(&L4, &L5, &L6);
p448_mul(&L5, &L7, &L8);
p448_mul(&L8, &L5, &L4);
p448_mul(&L4, &L7, &L8);
p448_isr(&L6, &L4);
p448_mul(&L4, &L5, &L6);
p448_sqr(&L5, &L6);
p448_mul(&L6, &L8, &L5);
p448_mul(&L8, &L7, &L6);
p448_mul(&L7, &L8, &L6);
p448_copy(&L6, &a->x);
p448_subw(&L6, 1);
p448_addw(&a->x, 1);
p448_mul(&L5, &a->x, &L8);
p448_sub(&a->x, &L6, &L5);
p448_bias(&a->x, 3);
p448_weak_reduce(&a->x);
p448_mul(&L5, &L4, &a->x);
p448_mulw(&L4, &L5, 78160);
p448_neg(&a->x, &L4);
p448_bias(&a->x, 2);
p448_weak_reduce(&a->x);
p448_add(&L4, &L3, &L3);
p448_add(&L3, &L4, &L2);
p448_subw(&L3, 2);
p448_bias(&L3, 1);
p448_weak_reduce(&L3);
p448_mul(&L2, &L3, &L8);
p448_mulw(&L3, &L2, 3054649120);
p448_add(&L2, &L3, &a->y);
p448_mul(&a->y, &L7, &L2);
L1 = p448_is_zero(&L8);
L0 = -L1;
p448_addw(&a->y, L0);
p448_weak_reduce(&a->y);
}
mask_t validate_affine(const struct affine_t* a) {
struct p448_t L0, L1, L2, L3;
p448_sqr(&L0, &a->y);
p448_sqr(&L2, &a->x);
p448_add(&L3, &L2, &L0);
p448_subw(&L3, 1);
p448_mulw(&L1, &L2, 39081);
p448_neg(&L2, &L1);
p448_bias(&L2, 2);
p448_mul(&L1, &L0, &L2);
p448_sub(&L0, &L3, &L1);
p448_bias(&L0, 3);
return p448_is_zero(&L0);
}
mask_t serialize_montgomery(struct p448_t* b,
const struct montgomery_t* a,
const struct p448_t* sbz) {
mask_t L0, L1, L2;
struct p448_t L3, L4, L5, L6;
p448_mul(&L6, &a->z0, &a->zd);
p448_sub(&L4, &L6, &a->xd);
p448_bias(&L4, 2);
p448_mul(&L6, &a->za, &L4);
p448_mul(&L5, &a->z0, &a->xd);
p448_sub(&L4, &L5, &a->zd);
p448_bias(&L4, 2);
p448_mul(&L3, &a->xa, &L4);
p448_add(&L5, &L3, &L6);
p448_sub(&L4, &L6, &L3);
p448_bias(&L4, 2);
p448_mul(&L6, &L4, &L5);
p448_copy(&L5, &a->z0);
p448_addw(&L5, 1);
p448_sqr(&L4, &L5);
p448_mulw(&L5, &L4, 39082);
p448_neg(&L4, &L5);
p448_add(&L3, &a->z0, &a->z0);
p448_bias(&L3, 1);
p448_add(&L5, &L3, &L3);
p448_add(&L3, &L5, &L4);
p448_mul(&L5, &a->xd, &L3);
L1 = p448_is_zero(&a->zd);
L2 = -L1;
p448_mask(&L4, &L5, L1);
p448_add(&L5, &L4, &a->zd);
L0 = ~L1;
p448_mul(&L4, sbz, &L6);
p448_addw(&L4, L2);
p448_mul(&L6, &L5, &L4);
p448_mul(&L4, &L6, &L5);
p448_mul(&L5, &L6, &a->xd);
p448_mul(&L6, &L4, &L5);
p448_isr(&L3, &L6);
p448_mul(&L5, &L4, &L3);
p448_sqr(&L4, &L3);
p448_mul(&L3, &L6, &L4);
p448_mask(b, &L5, L0);
p448_subw(&L3, 1);
p448_bias(&L3, 1);
L1 = p448_is_zero(&L3);
L0 = p448_is_zero(sbz);
return L1 | L0;
}
mask_t
validate_tw_extensible (
const struct tw_extensible_t* ext
) {
mask_t L4, L5;
struct p448_t L0, L1, L2, L3;
/*
* Check invariant:
* 0 = -x*y + z*t*u
*/
p448_mul ( &L1, &ext->t, &ext->u );
p448_mul ( &L2, &ext->z, &L1 );
p448_addw ( &L2, 0 );
p448_mul ( &L0, &ext->x, &ext->y );
p448_neg ( &L1, &L0 );
p448_add ( &L0, &L1, &L2 );
p448_bias ( &L0, 2 );
L5 = p448_is_zero( &L0 );
/*
* Check invariant:
* 0 = d*t^2*u^2 + x^2 - y^2 + z^2 - t^2*u^2
*/
p448_sqr ( &L2, &ext->y );
p448_neg ( &L1, &L2 );
p448_addw ( &L1, 0 );
p448_sqr ( &L0, &ext->x );
p448_add ( &L2, &L0, &L1 );
p448_sqr ( &L3, &ext->u );
p448_sqr ( &L0, &ext->t );
p448_mul ( &L1, &L0, &L3 );
p448_mulw ( &L0, &L1, 39081 );
p448_neg ( &L3, &L0 );
p448_add ( &L0, &L3, &L2 );
p448_neg ( &L3, &L1 );
p448_add ( &L2, &L3, &L0 );
p448_sqr ( &L1, &ext->z );
p448_add ( &L0, &L1, &L2 );
p448_bias ( &L0, 4 );
L4 = p448_is_zero( &L0 );
return L5 & L4;
}
mask_t validate_extensible(const struct extensible_t* ext) {
mask_t L0, L1;
struct p448_t L2, L3, L4, L5;
/*
* Check invariant:
* 0 = d*t^2*u^2 - x^2 - y^2 + z^2
*/
p448_sqr(&L4, &ext->y);
p448_neg(&L3, &L4);
p448_addw(&L3, 0);
p448_sqr(&L2, &ext->z);
p448_add(&L4, &L2, &L3);
p448_sqr(&L5, &ext->u);
p448_sqr(&L2, &ext->t);
p448_mul(&L3, &L2, &L5);
p448_mulw(&L5, &L3, 39081);
p448_neg(&L2, &L5);
p448_add(&L3, &L2, &L4);
p448_sqr(&L2, &ext->x);
p448_neg(&L4, &L2);
p448_add(&L2, &L4, &L3);
p448_bias(&L2, 4);
L1 = p448_is_zero(&L2);
/*
* Check invariant:
* 0 = -x*y + z*t*u
*/
p448_mul(&L3, &ext->t, &ext->u);
p448_mul(&L4, &ext->z, &L3);
p448_addw(&L4, 0);
p448_mul(&L2, &ext->x, &ext->y);
p448_neg(&L3, &L2);
p448_add(&L2, &L3, &L4);
p448_bias(&L2, 2);
L0 = p448_is_zero(&L2);
return L1 & L0;
}