/* r = neutral element, in cached form.
 * The identity in extended coordinates is (X,Y,Z,T) = (0,1,1,0), so the cached
 * representation is Y+X = 1, Y-X = 1, Z = 1, 2dT = 0 (compare ge_p3_to_cached). */
static void ge_cached_0(out GroupElementCached r)
{
    FieldOperations.fe_0(out r.T2d);
    FieldOperations.fe_1(out r.Z);
    FieldOperations.fe_1(out r.YminusX);
    FieldOperations.fe_1(out r.YplusX);
}
/* r = p, converted from extended (P3) coordinates to the cached form consumed
 * by ge_add / ge_sub: (Y+X, Y-X, Z, T*d2).  Every field of r is written, as
 * required for an out parameter; the order of the four writes is irrelevant
 * because each one reads only p. */
public static void ge_p3_to_cached(out GroupElementCached r, ref GroupElementP3 p)
{
    r.Z = p.Z;
    FieldOperations.fe_mul(out r.T2d, ref p.T, ref LookupTables.d2);
    FieldOperations.fe_sub(out r.YminusX, ref p.Y, ref p.X);
    FieldOperations.fe_add(out r.YplusX, ref p.Y, ref p.X);
}
/* Conditional move: t = u when b == 1, t unchanged when b == 0.
 * Delegates field by field to fe_cmov, which is not in this excerpt; callers in
 * this file pass b as the output of equal()/negative(), so b is expected to be
 * exactly 0 or 1 and the move is expected to be branch-free (constant-time) —
 * confirm against FieldOperations.fe_cmov. */
static void ge_cached_cmov(ref GroupElementCached t, ref GroupElementCached u, byte b)
{
    FieldOperations.fe_cmov(ref t.T2d, ref u.T2d, b);
    FieldOperations.fe_cmov(ref t.Z, ref u.Z, b);
    FieldOperations.fe_cmov(ref t.YminusX, ref u.YminusX, b);
    FieldOperations.fe_cmov(ref t.YplusX, ref u.YplusX, b);
}
/* r = a * A + b * B, where the odd multiples of B have been precomputed by the
 * caller into Bi.  Builds the odd multiples A, 3A, ..., 15A and hands both
 * tables to ge_double_scalarmult_precomp_vartime2 (not in this excerpt).
 * Variable-time by design (see the name): use only with public scalars a and b,
 * e.g. during signature verification, never with a secret scalar. */
public static void ge_double_scalarmult_precomp_vartime(out GroupElementP2 r, byte[] a, GroupElementP3 A, byte[] b, GroupElementCached[] Bi)
{
    GroupElementCached[] tableA = new GroupElementCached[8]; /* A, 3A, 5A, 7A, 9A, 11A, 13A, 15A */
    ge_dsm_precomp(tableA, ref A);
    ge_double_scalarmult_precomp_vartime2(out r, a, tableA, b, Bi);
}
/* r = p in cached form (Y+X, Y-X, Z, T*d2), the representation ge_add and
 * ge_sub take for their second operand.  Reads only p, writes every field of r. */
internal static void ge_p3_to_cached(out GroupElementCached r, ref GroupElementP3 p)
{
    FieldOperations.fe_mul(out r.T2d, ref p.T, ref LookupTables.d2);
    r.Z = p.Z;
    FieldOperations.fe_add(out r.YplusX, ref p.Y, ref p.X);
    FieldOperations.fe_sub(out r.YminusX, ref p.Y, ref p.X);
}
/* r = a * A + b * B
 * where a = a[0]+256*a[1]+...+256^31 a[31], b = b[0]+256*b[1]+...+256^31 b[31],
 * and B is the Ed25519 base point (x,4/5) with x positive.
 *
 * VARIABLE-TIME: the sliding-window digits of both scalars are branched on and
 * used as table indices, so running time and memory access pattern depend on a
 * and b.  Use only where both scalars are public (signature verification);
 * never pass a secret scalar here — use ge_scalarmult_p3 for that. */
public static void ge_double_scalarmult_vartime(out GroupElementP2 r, byte[] a, ref GroupElementP3 A, byte[] b)
{
    GroupElementPreComp[] baseTable = LookupTables.Base2;
    sbyte[] digitsA = new sbyte[256];
    sbyte[] digitsB = new sbyte[256];
    GroupElementCached[] oddA = new GroupElementCached[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
    GroupElementP1P1 t;
    GroupElementP3 u;
    GroupElementP3 twoA;

    /* Signed sliding-window recoding (slide() is not in this excerpt); the
     * table layout below implies its digits are odd and at most 15 in magnitude. */
    slide(digitsA, a);
    slide(digitsB, b);

    /* oddA[k] = (2k+1)*A, built by repeatedly adding 2A. */
    ge_p3_to_cached(out oddA[0], ref A);
    ge_p3_dbl(out t, ref A);
    ge_p1p1_to_p3(out twoA, ref t);
    for (int k = 1; k < 8; k++)
    {
        ge_add(out t, ref twoA, ref oddA[k - 1]);
        ge_p1p1_to_p3(out u, ref t);
        ge_p3_to_cached(out oddA[k], ref u);
    }

    ge_p2_0(out r);

    /* Skip the leading positions where both digit strings are zero. */
    int i = 255;
    while (i >= 0 && digitsA[i] == 0 && digitsB[i] == 0)
    {
        --i;
    }

    for (; i >= 0; --i)
    {
        ge_p2_dbl(out t, ref r);

        int da = digitsA[i];
        if (da > 0)
        {
            ge_p1p1_to_p3(out u, ref t);
            ge_add(out t, ref u, ref oddA[da / 2]);          /* digit d -> (d-1)/2 via integer division */
        }
        else if (da < 0)
        {
            ge_p1p1_to_p3(out u, ref t);
            ge_sub(out t, ref u, ref oddA[(-da) / 2]);
        }

        int db = digitsB[i];
        if (db > 0)
        {
            ge_p1p1_to_p3(out u, ref t);
            ge_madd(out t, ref u, ref baseTable[db / 2]);
        }
        else if (db < 0)
        {
            ge_p1p1_to_p3(out u, ref t);
            ge_msub(out t, ref u, ref baseTable[(-db) / 2]);
        }

        ge_p1p1_to_p2(out r, ref t);
    }
}
/// <summary>
/// r = a * A + b * B, where B is the Ed25519 base point (x,4/5) with x positive.
/// Variable-time: the recoded digits of a and b drive branches and table
/// indices, so this is only safe for public scalars (signature verification).
/// Never call it with a secret scalar.
/// </summary>
/// <param name="r">Receives the result in projective (P2) form.</param>
/// <param name="a">a = a[0]+256*a[1]+...+256^31 a[31]</param>
/// <param name="A">The point multiplied by a.</param>
/// <param name="b">b = b[0]+256*b[1]+...+256^31 b[31]</param>
public static void ge_double_scalarmult_vartime(out GroupElementP2 r, byte[] a, ref GroupElementP3 A, byte[] b)
{
    GroupElementPreComp[] basePoints = LookupTables.Base2;
    // Three allocations per call; the original author considered removing them.
    sbyte[] windowA = new sbyte[256];
    sbyte[] windowB = new sbyte[256];
    GroupElementCached[] multiplesA = new GroupElementCached[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
    GroupElementP1P1 t;
    GroupElementP3 u;

    slide(windowA, a);
    slide(windowB, b);
    ge_dsm_precomp(multiplesA, ref A);

    ge_p2_0(out r);

    // Find the highest position where either digit string is non-zero (-1 if none).
    int top = 255;
    while (top >= 0 && windowA[top] == 0 && windowB[top] == 0)
    {
        top--;
    }

    for (int i = top; i >= 0; i--)
    {
        ge_p2_dbl(out t, ref r);

        sbyte da = windowA[i];
        if (da != 0)
        {
            ge_p1p1_to_p3(out u, ref t);
            if (da > 0)
            {
                ge_add(out t, ref u, ref multiplesA[da / 2]);
            }
            else
            {
                ge_sub(out t, ref u, ref multiplesA[(-da) / 2]);
            }
        }

        sbyte db = windowB[i];
        if (db != 0)
        {
            ge_p1p1_to_p3(out u, ref t);
            if (db > 0)
            {
                ge_madd(out t, ref u, ref basePoints[db / 2]);
            }
            else
            {
                ge_msub(out t, ref u, ref basePoints[(-db) / 2]);
            }
        }

        ge_p1p1_to_p2(out r, ref t);
    }
}
/* r = p + q
 * p is in extended (P3) coordinates, q in cached form (Y+X, Y-X, Z, 2dT) as
 * produced by ge_p3_to_cached; the sum comes out in P1P1 form and is finished
 * by ge_p1p1_to_p2 / ge_p1p1_to_p3.  Straight-line field arithmetic, no
 * data-dependent branches. */
internal static void ge_add(out GroupElementP1P1 r, ref GroupElementP3 p, ref GroupElementCached q)
{
    FieldElement yPlusX, yMinusX, prodPlus, prodMinus, tProd, zProd, zProd2;

    FieldOperations.fe_add(out yPlusX, ref p.Y, ref p.X);           /* Y1+X1 */
    FieldOperations.fe_sub(out yMinusX, ref p.Y, ref p.X);          /* Y1-X1 */
    FieldOperations.fe_mul(out prodPlus, ref yPlusX, ref q.YplusX);  /* A = (Y1+X1)(Y2+X2) */
    FieldOperations.fe_mul(out prodMinus, ref yMinusX, ref q.YminusX); /* B = (Y1-X1)(Y2-X2) */
    FieldOperations.fe_mul(out tProd, ref q.T2d, ref p.T);          /* C = 2d*T2*T1 */
    FieldOperations.fe_mul(out zProd, ref p.Z, ref q.Z);            /* Z1*Z2 */
    FieldOperations.fe_add(out zProd2, ref zProd, ref zProd);        /* D = 2*Z1*Z2 */

    FieldOperations.fe_sub(out r.X, ref prodPlus, ref prodMinus);   /* X3 = A-B */
    FieldOperations.fe_add(out r.Y, ref prodPlus, ref prodMinus);   /* Y3 = A+B */
    FieldOperations.fe_add(out r.Z, ref zProd2, ref tProd);         /* Z3 = D+C */
    FieldOperations.fe_sub(out r.T, ref zProd2, ref tProd);         /* T3 = D-C */
}
/* r = p + q */ internal static void ge_add(out GroupElementP1P1 r, ref GroupElementP3 p, ref GroupElementCached q) { FieldElement t0;
/* r = p + q  (P3 + cached -> P1P1)
 * Unified Edwards addition: with A = (Y1+X1)(Y2+X2), B = (Y1-X1)(Y2-X2),
 * C = T1*(2d*T2) and D = 2*Z1*Z2 the result is
 * (X3, Y3, Z3, T3) = (A-B, A+B, D+C, D-C).  q.T2d already holds 2d*T2
 * (see ge_p3_to_cached).  No branches, so timing does not depend on inputs. */
internal static void ge_add(out GroupElementP1P1 r, ref GroupElementP3 p, ref GroupElementCached q)
{
    FieldElement sum1, diff1, a, b, c, zz, d;

    FieldOperations.fe_add(out sum1, ref p.Y, ref p.X);
    FieldOperations.fe_sub(out diff1, ref p.Y, ref p.X);

    FieldOperations.fe_mul(out a, ref sum1, ref q.YplusX);
    FieldOperations.fe_mul(out b, ref diff1, ref q.YminusX);
    FieldOperations.fe_mul(out c, ref q.T2d, ref p.T);
    FieldOperations.fe_mul(out zz, ref p.Z, ref q.Z);
    FieldOperations.fe_add(out d, ref zz, ref zz);

    FieldOperations.fe_sub(out r.X, ref a, ref b);
    FieldOperations.fe_add(out r.Y, ref a, ref b);
    FieldOperations.fe_add(out r.Z, ref d, ref c);
    FieldOperations.fe_sub(out r.T, ref d, ref c);
}
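/* r3 = a * A
 * where a = a[0]+256*a[1]+...+256^31 a[31].
 *
 * Intended for SECRET scalars: a is recoded into 64 signed radix-16 digits,
 * every iteration does the same four doublings and one addition, and the
 * table entry is selected with a chain of conditional moves instead of being
 * indexed by the digit, so neither timing nor memory addresses depend on a
 * (assuming negative(), equal() and fe_cmov — not in this excerpt — are
 * branch-free).  The only branch, on i == 0, depends on the loop index alone.
 *
 * Precondition: a must be reduced so that a[31] < 128 (e.g. a clamped or
 * sc_reduce'd scalar).  That keeps the top digit e[63] <= 8; with a larger top
 * byte e[63] can exceed 8, no cmov in the chain matches, the identity is added
 * in place of the top digit and a WRONG result is returned without any error.
 *
 * The recoded digits and the table of multiples of A are cleared before
 * returning (also on exception) so that scalar-dependent data does not
 * linger on the managed heap; the table wipe matters only when A itself is
 * sensitive, which depends on the caller. */
public static void ge_scalarmult_p3(out GroupElementP3 r3, byte[] a, ref GroupElementP3 A)
{
    sbyte[] e = new sbyte[64];
    int carry, carry2, i;
    GroupElementCached[] Ai = new GroupElementCached[8]; /* 1 * A, 2 * A, ..., 8 * A */
    GroupElementP1P1 t;
    GroupElementP3 u;
    GroupElementP2 r;
    GroupElementP3 resP3;

    try
    {
        /* Recode a into signed digits e[0..63] in -8..7 (e[63] in 0..8), two per
         * byte, so that sum(e[j] * 16^j) == a.  Pure integer arithmetic, no
         * branches on the scalar. */
        carry = 0; /* 0..1 */
        for (i = 0; i < 31; i++)
        {
            carry += a[i]; /* 0..256 */
            carry2 = (carry + 8) >> 4; /* 0..16 */
            e[2 * i] = (sbyte)(carry - (carry2 << 4)); /* -8..7 */
            carry = (carry2 + 8) >> 4; /* 0..1 */
            e[2 * i + 1] = (sbyte)(carry2 - (carry << 4)); /* -8..7 */
        }
        carry += a[31]; /* 0..128, given a[31] < 128 */
        carry2 = (carry + 8) >> 4; /* 0..8 */
        e[62] = (sbyte)(carry - (carry2 << 4)); /* -8..7 */
        e[63] = (sbyte)carry2; /* 0..8 */

        /* Ai[k] = (k+1) * A, built by repeated addition of A. */
        ge_p3_to_cached(out Ai[0], ref A);
        for (i = 0; i < 7; i++)
        {
            ge_add(out t, ref A, ref Ai[i]);
            ge_p1p1_to_p3(out u, ref t);
            ge_p3_to_cached(out Ai[i + 1], ref u);
        }

        ge_p2_0(out r);
        ge_p3_0(out resP3);
        for (i = 63; i >= 0; i--)
        {
            sbyte b = e[i];
            byte bnegative = negative(b);
            /* |b| without a branch: subtracts 2b when b is negative. */
            byte babs = (byte)(b - (((-bnegative) & b) << 1));
            GroupElementCached cur, minuscur;

            /* r = 16 * r, finishing in P3 so it can be added to. */
            ge_p2_dbl(out t, ref r);
            ge_p1p1_to_p2(out r, ref t);
            ge_p2_dbl(out t, ref r);
            ge_p1p1_to_p2(out r, ref t);
            ge_p2_dbl(out t, ref r);
            ge_p1p1_to_p2(out r, ref t);
            ge_p2_dbl(out t, ref r);
            ge_p1p1_to_p3(out u, ref t);

            /* cur = |b| * A, selected by scanning the whole table with cmov
             * (identity when |b| == 0 or when |b| matches no entry). */
            ge_cached_0(out cur);
            ge_cached_cmov(ref cur, ref Ai[0], equal(babs, 1));
            ge_cached_cmov(ref cur, ref Ai[1], equal(babs, 2));
            ge_cached_cmov(ref cur, ref Ai[2], equal(babs, 3));
            ge_cached_cmov(ref cur, ref Ai[3], equal(babs, 4));
            ge_cached_cmov(ref cur, ref Ai[4], equal(babs, 5));
            ge_cached_cmov(ref cur, ref Ai[5], equal(babs, 6));
            ge_cached_cmov(ref cur, ref Ai[6], equal(babs, 7));
            ge_cached_cmov(ref cur, ref Ai[7], equal(babs, 8));

            /* Negation in cached form swaps Y+X with Y-X and negates 2dT;
             * always computed, then conditionally moved in. */
            FieldOperations.fe_copy(out minuscur.YplusX, ref cur.YminusX);
            FieldOperations.fe_copy(out minuscur.YminusX, ref cur.YplusX);
            FieldOperations.fe_copy(out minuscur.Z, ref cur.Z);
            FieldOperations.fe_neg(out minuscur.T2d, ref cur.T2d);
            ge_cached_cmov(ref cur, ref minuscur, bnegative);

            ge_add(out t, ref u, ref cur);
            if (i == 0)
            {
                ge_p1p1_to_p3(out resP3, ref t);
            }
            else
            {
                ge_p1p1_to_p2(out r, ref t);
            }
        }
        r3 = resP3;
    }
    finally
    {
        /* Wipe scalar-derived state (the digits) and the multiples of A. */
        System.Array.Clear(e, 0, e.Length);
        System.Array.Clear(Ai, 0, Ai.Length);
    }
}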
/* r = p - q */ public static void ge_sub(out GroupElementP1P1 r, ref GroupElementP3 p, ref GroupElementCached q) { FieldElement t0;