wolf SSL / wolfSSL-TLS13-Beta

wolfSSL 3.11.1 for TLS1.3 beta

Fork of wolfSSL by wolf SSL

wolfcrypt/src/fe_operations.c@0:d92f9d21154c, 2015-06-26 (annotated)

Committer:
wolfSSL
Date:
Fri Jun 26 00:39:20 2015 +0000
Revision:
0:d92f9d21154c
wolfSSL 3.6.0

Who changed what in which revision?

UserRevisionLine numberNew contents of line
wolfSSL 0:d92f9d21154c 1 /* fe_operations.c
wolfSSL 0:d92f9d21154c 2 *
wolfSSL 0:d92f9d21154c 3 * Copyright (C) 2006-2015 wolfSSL Inc.
wolfSSL 0:d92f9d21154c 4 *
wolfSSL 0:d92f9d21154c 5 * This file is part of wolfSSL. (formerly known as CyaSSL)
wolfSSL 0:d92f9d21154c 6 *
wolfSSL 0:d92f9d21154c 7 * wolfSSL is free software; you can redistribute it and/or modify
wolfSSL 0:d92f9d21154c 8 * it under the terms of the GNU General Public License as published by
wolfSSL 0:d92f9d21154c 9 * the Free Software Foundation; either version 2 of the License, or
wolfSSL 0:d92f9d21154c 10 * (at your option) any later version.
wolfSSL 0:d92f9d21154c 11 *
wolfSSL 0:d92f9d21154c 12 * wolfSSL is distributed in the hope that it will be useful,
wolfSSL 0:d92f9d21154c 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL 0:d92f9d21154c 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL 0:d92f9d21154c 15 * GNU General Public License for more details.
wolfSSL 0:d92f9d21154c 16 *
wolfSSL 0:d92f9d21154c 17 * You should have received a copy of the GNU General Public License
wolfSSL 0:d92f9d21154c 18 * along with this program; if not, write to the Free Software
wolfSSL 0:d92f9d21154c 19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
wolfSSL 0:d92f9d21154c 20 */
wolfSSL 0:d92f9d21154c 21
wolfSSL 0:d92f9d21154c 22 /* Based On Daniel J Bernstein's curve25519 Public Domain ref10 work. */
wolfSSL 0:d92f9d21154c 23
wolfSSL 0:d92f9d21154c 24 #ifdef HAVE_CONFIG_H
wolfSSL 0:d92f9d21154c 25 #include <config.h>
wolfSSL 0:d92f9d21154c 26 #endif
wolfSSL 0:d92f9d21154c 27
wolfSSL 0:d92f9d21154c 28 #include <wolfssl/wolfcrypt/settings.h>
wolfSSL 0:d92f9d21154c 29
wolfSSL 0:d92f9d21154c 30 #if defined(HAVE_ED25519) || defined(HAVE_CURVE25519)
wolfSSL 0:d92f9d21154c 31
wolfSSL 0:d92f9d21154c 32 #include <wolfssl/wolfcrypt/fe_operations.h>
wolfSSL 0:d92f9d21154c 33 #include <stdint.h>
wolfSSL 0:d92f9d21154c 34
wolfSSL 0:d92f9d21154c 35 #ifdef NO_INLINE
wolfSSL 0:d92f9d21154c 36 #include <wolfssl/wolfcrypt/misc.h>
wolfSSL 0:d92f9d21154c 37 #else
wolfSSL 0:d92f9d21154c 38 #include <wolfcrypt/src/misc.c>
wolfSSL 0:d92f9d21154c 39 #endif
wolfSSL 0:d92f9d21154c 40
wolfSSL 0:d92f9d21154c 41 /*
wolfSSL 0:d92f9d21154c 42 fe means field element.
wolfSSL 0:d92f9d21154c 43 Here the field is \Z/(2^255-19).
wolfSSL 0:d92f9d21154c 44 An element t, entries t[0]...t[9], represents the integer
wolfSSL 0:d92f9d21154c 45 t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9].
wolfSSL 0:d92f9d21154c 46 Bounds on each t[i] vary depending on context.
wolfSSL 0:d92f9d21154c 47 */
wolfSSL 0:d92f9d21154c 48
wolfSSL 0:d92f9d21154c 49 uint64_t load_3(const unsigned char *in)
wolfSSL 0:d92f9d21154c 50 {
wolfSSL 0:d92f9d21154c 51 uint64_t result;
wolfSSL 0:d92f9d21154c 52 result = (uint64_t) in[0];
wolfSSL 0:d92f9d21154c 53 result |= ((uint64_t) in[1]) << 8;
wolfSSL 0:d92f9d21154c 54 result |= ((uint64_t) in[2]) << 16;
wolfSSL 0:d92f9d21154c 55 return result;
wolfSSL 0:d92f9d21154c 56 }
wolfSSL 0:d92f9d21154c 57
wolfSSL 0:d92f9d21154c 58
wolfSSL 0:d92f9d21154c 59 uint64_t load_4(const unsigned char *in)
wolfSSL 0:d92f9d21154c 60 {
wolfSSL 0:d92f9d21154c 61 uint64_t result;
wolfSSL 0:d92f9d21154c 62 result = (uint64_t) in[0];
wolfSSL 0:d92f9d21154c 63 result |= ((uint64_t) in[1]) << 8;
wolfSSL 0:d92f9d21154c 64 result |= ((uint64_t) in[2]) << 16;
wolfSSL 0:d92f9d21154c 65 result |= ((uint64_t) in[3]) << 24;
wolfSSL 0:d92f9d21154c 66 return result;
wolfSSL 0:d92f9d21154c 67 }
wolfSSL 0:d92f9d21154c 68
wolfSSL 0:d92f9d21154c 69
wolfSSL 0:d92f9d21154c 70 /*
wolfSSL 0:d92f9d21154c 71 h = 1
wolfSSL 0:d92f9d21154c 72 */
wolfSSL 0:d92f9d21154c 73
wolfSSL 0:d92f9d21154c 74 void fe_1(fe h)
wolfSSL 0:d92f9d21154c 75 {
wolfSSL 0:d92f9d21154c 76 h[0] = 1;
wolfSSL 0:d92f9d21154c 77 h[1] = 0;
wolfSSL 0:d92f9d21154c 78 h[2] = 0;
wolfSSL 0:d92f9d21154c 79 h[3] = 0;
wolfSSL 0:d92f9d21154c 80 h[4] = 0;
wolfSSL 0:d92f9d21154c 81 h[5] = 0;
wolfSSL 0:d92f9d21154c 82 h[6] = 0;
wolfSSL 0:d92f9d21154c 83 h[7] = 0;
wolfSSL 0:d92f9d21154c 84 h[8] = 0;
wolfSSL 0:d92f9d21154c 85 h[9] = 0;
wolfSSL 0:d92f9d21154c 86 }
wolfSSL 0:d92f9d21154c 87
wolfSSL 0:d92f9d21154c 88
wolfSSL 0:d92f9d21154c 89 /*
wolfSSL 0:d92f9d21154c 90 h = 0
wolfSSL 0:d92f9d21154c 91 */
wolfSSL 0:d92f9d21154c 92
wolfSSL 0:d92f9d21154c 93 void fe_0(fe h)
wolfSSL 0:d92f9d21154c 94 {
wolfSSL 0:d92f9d21154c 95 h[0] = 0;
wolfSSL 0:d92f9d21154c 96 h[1] = 0;
wolfSSL 0:d92f9d21154c 97 h[2] = 0;
wolfSSL 0:d92f9d21154c 98 h[3] = 0;
wolfSSL 0:d92f9d21154c 99 h[4] = 0;
wolfSSL 0:d92f9d21154c 100 h[5] = 0;
wolfSSL 0:d92f9d21154c 101 h[6] = 0;
wolfSSL 0:d92f9d21154c 102 h[7] = 0;
wolfSSL 0:d92f9d21154c 103 h[8] = 0;
wolfSSL 0:d92f9d21154c 104 h[9] = 0;
wolfSSL 0:d92f9d21154c 105 }
wolfSSL 0:d92f9d21154c 106
wolfSSL 0:d92f9d21154c 107
wolfSSL 0:d92f9d21154c 108 int curve25519(byte* q, byte* n, byte* p)
wolfSSL 0:d92f9d21154c 109 {
wolfSSL 0:d92f9d21154c 110 unsigned char e[32];
wolfSSL 0:d92f9d21154c 111 unsigned int i;
wolfSSL 0:d92f9d21154c 112 fe x1;
wolfSSL 0:d92f9d21154c 113 fe x2;
wolfSSL 0:d92f9d21154c 114 fe z2;
wolfSSL 0:d92f9d21154c 115 fe x3;
wolfSSL 0:d92f9d21154c 116 fe z3;
wolfSSL 0:d92f9d21154c 117 fe tmp0;
wolfSSL 0:d92f9d21154c 118 fe tmp1;
wolfSSL 0:d92f9d21154c 119 int pos;
wolfSSL 0:d92f9d21154c 120 unsigned int swap;
wolfSSL 0:d92f9d21154c 121 unsigned int b;
wolfSSL 0:d92f9d21154c 122
wolfSSL 0:d92f9d21154c 123 for (i = 0;i < 32;++i) e[i] = n[i];
wolfSSL 0:d92f9d21154c 124 e[0] &= 248;
wolfSSL 0:d92f9d21154c 125 e[31] &= 127;
wolfSSL 0:d92f9d21154c 126 e[31] |= 64;
wolfSSL 0:d92f9d21154c 127
wolfSSL 0:d92f9d21154c 128 fe_frombytes(x1,p);
wolfSSL 0:d92f9d21154c 129 fe_1(x2);
wolfSSL 0:d92f9d21154c 130 fe_0(z2);
wolfSSL 0:d92f9d21154c 131 fe_copy(x3,x1);
wolfSSL 0:d92f9d21154c 132 fe_1(z3);
wolfSSL 0:d92f9d21154c 133
wolfSSL 0:d92f9d21154c 134 swap = 0;
wolfSSL 0:d92f9d21154c 135 for (pos = 254;pos >= 0;--pos) {
wolfSSL 0:d92f9d21154c 136 b = e[pos / 8] >> (pos & 7);
wolfSSL 0:d92f9d21154c 137 b &= 1;
wolfSSL 0:d92f9d21154c 138 swap ^= b;
wolfSSL 0:d92f9d21154c 139 fe_cswap(x2,x3,swap);
wolfSSL 0:d92f9d21154c 140 fe_cswap(z2,z3,swap);
wolfSSL 0:d92f9d21154c 141 swap = b;
wolfSSL 0:d92f9d21154c 142
wolfSSL 0:d92f9d21154c 143 /* montgomery */
wolfSSL 0:d92f9d21154c 144 fe_sub(tmp0,x3,z3);
wolfSSL 0:d92f9d21154c 145 fe_sub(tmp1,x2,z2);
wolfSSL 0:d92f9d21154c 146 fe_add(x2,x2,z2);
wolfSSL 0:d92f9d21154c 147 fe_add(z2,x3,z3);
wolfSSL 0:d92f9d21154c 148 fe_mul(z3,tmp0,x2);
wolfSSL 0:d92f9d21154c 149 fe_mul(z2,z2,tmp1);
wolfSSL 0:d92f9d21154c 150 fe_sq(tmp0,tmp1);
wolfSSL 0:d92f9d21154c 151 fe_sq(tmp1,x2);
wolfSSL 0:d92f9d21154c 152 fe_add(x3,z3,z2);
wolfSSL 0:d92f9d21154c 153 fe_sub(z2,z3,z2);
wolfSSL 0:d92f9d21154c 154 fe_mul(x2,tmp1,tmp0);
wolfSSL 0:d92f9d21154c 155 fe_sub(tmp1,tmp1,tmp0);
wolfSSL 0:d92f9d21154c 156 fe_sq(z2,z2);
wolfSSL 0:d92f9d21154c 157 fe_mul121666(z3,tmp1);
wolfSSL 0:d92f9d21154c 158 fe_sq(x3,x3);
wolfSSL 0:d92f9d21154c 159 fe_add(tmp0,tmp0,z3);
wolfSSL 0:d92f9d21154c 160 fe_mul(z3,x1,z2);
wolfSSL 0:d92f9d21154c 161 fe_mul(z2,tmp1,tmp0);
wolfSSL 0:d92f9d21154c 162 }
wolfSSL 0:d92f9d21154c 163 fe_cswap(x2,x3,swap);
wolfSSL 0:d92f9d21154c 164 fe_cswap(z2,z3,swap);
wolfSSL 0:d92f9d21154c 165
wolfSSL 0:d92f9d21154c 166 fe_invert(z2,z2);
wolfSSL 0:d92f9d21154c 167 fe_mul(x2,x2,z2);
wolfSSL 0:d92f9d21154c 168 fe_tobytes(q,x2);
wolfSSL 0:d92f9d21154c 169
wolfSSL 0:d92f9d21154c 170 return 0;
wolfSSL 0:d92f9d21154c 171 }
wolfSSL 0:d92f9d21154c 172
wolfSSL 0:d92f9d21154c 173
wolfSSL 0:d92f9d21154c 174 /*
wolfSSL 0:d92f9d21154c 175 h = f * f
wolfSSL 0:d92f9d21154c 176 Can overlap h with f.
wolfSSL 0:d92f9d21154c 177
wolfSSL 0:d92f9d21154c 178 Preconditions:
wolfSSL 0:d92f9d21154c 179 |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
wolfSSL 0:d92f9d21154c 180
wolfSSL 0:d92f9d21154c 181 Postconditions:
wolfSSL 0:d92f9d21154c 182 |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
wolfSSL 0:d92f9d21154c 183 */
wolfSSL 0:d92f9d21154c 184
wolfSSL 0:d92f9d21154c 185 /*
wolfSSL 0:d92f9d21154c 186 See fe_mul.c for discussion of implementation strategy.
wolfSSL 0:d92f9d21154c 187 */
wolfSSL 0:d92f9d21154c 188
wolfSSL 0:d92f9d21154c 189 void fe_sq(fe h,const fe f)
wolfSSL 0:d92f9d21154c 190 {
wolfSSL 0:d92f9d21154c 191 int32_t f0 = f[0];
wolfSSL 0:d92f9d21154c 192 int32_t f1 = f[1];
wolfSSL 0:d92f9d21154c 193 int32_t f2 = f[2];
wolfSSL 0:d92f9d21154c 194 int32_t f3 = f[3];
wolfSSL 0:d92f9d21154c 195 int32_t f4 = f[4];
wolfSSL 0:d92f9d21154c 196 int32_t f5 = f[5];
wolfSSL 0:d92f9d21154c 197 int32_t f6 = f[6];
wolfSSL 0:d92f9d21154c 198 int32_t f7 = f[7];
wolfSSL 0:d92f9d21154c 199 int32_t f8 = f[8];
wolfSSL 0:d92f9d21154c 200 int32_t f9 = f[9];
wolfSSL 0:d92f9d21154c 201 int32_t f0_2 = 2 * f0;
wolfSSL 0:d92f9d21154c 202 int32_t f1_2 = 2 * f1;
wolfSSL 0:d92f9d21154c 203 int32_t f2_2 = 2 * f2;
wolfSSL 0:d92f9d21154c 204 int32_t f3_2 = 2 * f3;
wolfSSL 0:d92f9d21154c 205 int32_t f4_2 = 2 * f4;
wolfSSL 0:d92f9d21154c 206 int32_t f5_2 = 2 * f5;
wolfSSL 0:d92f9d21154c 207 int32_t f6_2 = 2 * f6;
wolfSSL 0:d92f9d21154c 208 int32_t f7_2 = 2 * f7;
wolfSSL 0:d92f9d21154c 209 int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
wolfSSL 0:d92f9d21154c 210 int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
wolfSSL 0:d92f9d21154c 211 int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
wolfSSL 0:d92f9d21154c 212 int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
wolfSSL 0:d92f9d21154c 213 int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
wolfSSL 0:d92f9d21154c 214 int64_t f0f0 = f0 * (int64_t) f0;
wolfSSL 0:d92f9d21154c 215 int64_t f0f1_2 = f0_2 * (int64_t) f1;
wolfSSL 0:d92f9d21154c 216 int64_t f0f2_2 = f0_2 * (int64_t) f2;
wolfSSL 0:d92f9d21154c 217 int64_t f0f3_2 = f0_2 * (int64_t) f3;
wolfSSL 0:d92f9d21154c 218 int64_t f0f4_2 = f0_2 * (int64_t) f4;
wolfSSL 0:d92f9d21154c 219 int64_t f0f5_2 = f0_2 * (int64_t) f5;
wolfSSL 0:d92f9d21154c 220 int64_t f0f6_2 = f0_2 * (int64_t) f6;
wolfSSL 0:d92f9d21154c 221 int64_t f0f7_2 = f0_2 * (int64_t) f7;
wolfSSL 0:d92f9d21154c 222 int64_t f0f8_2 = f0_2 * (int64_t) f8;
wolfSSL 0:d92f9d21154c 223 int64_t f0f9_2 = f0_2 * (int64_t) f9;
wolfSSL 0:d92f9d21154c 224 int64_t f1f1_2 = f1_2 * (int64_t) f1;
wolfSSL 0:d92f9d21154c 225 int64_t f1f2_2 = f1_2 * (int64_t) f2;
wolfSSL 0:d92f9d21154c 226 int64_t f1f3_4 = f1_2 * (int64_t) f3_2;
wolfSSL 0:d92f9d21154c 227 int64_t f1f4_2 = f1_2 * (int64_t) f4;
wolfSSL 0:d92f9d21154c 228 int64_t f1f5_4 = f1_2 * (int64_t) f5_2;
wolfSSL 0:d92f9d21154c 229 int64_t f1f6_2 = f1_2 * (int64_t) f6;
wolfSSL 0:d92f9d21154c 230 int64_t f1f7_4 = f1_2 * (int64_t) f7_2;
wolfSSL 0:d92f9d21154c 231 int64_t f1f8_2 = f1_2 * (int64_t) f8;
wolfSSL 0:d92f9d21154c 232 int64_t f1f9_76 = f1_2 * (int64_t) f9_38;
wolfSSL 0:d92f9d21154c 233 int64_t f2f2 = f2 * (int64_t) f2;
wolfSSL 0:d92f9d21154c 234 int64_t f2f3_2 = f2_2 * (int64_t) f3;
wolfSSL 0:d92f9d21154c 235 int64_t f2f4_2 = f2_2 * (int64_t) f4;
wolfSSL 0:d92f9d21154c 236 int64_t f2f5_2 = f2_2 * (int64_t) f5;
wolfSSL 0:d92f9d21154c 237 int64_t f2f6_2 = f2_2 * (int64_t) f6;
wolfSSL 0:d92f9d21154c 238 int64_t f2f7_2 = f2_2 * (int64_t) f7;
wolfSSL 0:d92f9d21154c 239 int64_t f2f8_38 = f2_2 * (int64_t) f8_19;
wolfSSL 0:d92f9d21154c 240 int64_t f2f9_38 = f2 * (int64_t) f9_38;
wolfSSL 0:d92f9d21154c 241 int64_t f3f3_2 = f3_2 * (int64_t) f3;
wolfSSL 0:d92f9d21154c 242 int64_t f3f4_2 = f3_2 * (int64_t) f4;
wolfSSL 0:d92f9d21154c 243 int64_t f3f5_4 = f3_2 * (int64_t) f5_2;
wolfSSL 0:d92f9d21154c 244 int64_t f3f6_2 = f3_2 * (int64_t) f6;
wolfSSL 0:d92f9d21154c 245 int64_t f3f7_76 = f3_2 * (int64_t) f7_38;
wolfSSL 0:d92f9d21154c 246 int64_t f3f8_38 = f3_2 * (int64_t) f8_19;
wolfSSL 0:d92f9d21154c 247 int64_t f3f9_76 = f3_2 * (int64_t) f9_38;
wolfSSL 0:d92f9d21154c 248 int64_t f4f4 = f4 * (int64_t) f4;
wolfSSL 0:d92f9d21154c 249 int64_t f4f5_2 = f4_2 * (int64_t) f5;
wolfSSL 0:d92f9d21154c 250 int64_t f4f6_38 = f4_2 * (int64_t) f6_19;
wolfSSL 0:d92f9d21154c 251 int64_t f4f7_38 = f4 * (int64_t) f7_38;
wolfSSL 0:d92f9d21154c 252 int64_t f4f8_38 = f4_2 * (int64_t) f8_19;
wolfSSL 0:d92f9d21154c 253 int64_t f4f9_38 = f4 * (int64_t) f9_38;
wolfSSL 0:d92f9d21154c 254 int64_t f5f5_38 = f5 * (int64_t) f5_38;
wolfSSL 0:d92f9d21154c 255 int64_t f5f6_38 = f5_2 * (int64_t) f6_19;
wolfSSL 0:d92f9d21154c 256 int64_t f5f7_76 = f5_2 * (int64_t) f7_38;
wolfSSL 0:d92f9d21154c 257 int64_t f5f8_38 = f5_2 * (int64_t) f8_19;
wolfSSL 0:d92f9d21154c 258 int64_t f5f9_76 = f5_2 * (int64_t) f9_38;
wolfSSL 0:d92f9d21154c 259 int64_t f6f6_19 = f6 * (int64_t) f6_19;
wolfSSL 0:d92f9d21154c 260 int64_t f6f7_38 = f6 * (int64_t) f7_38;
wolfSSL 0:d92f9d21154c 261 int64_t f6f8_38 = f6_2 * (int64_t) f8_19;
wolfSSL 0:d92f9d21154c 262 int64_t f6f9_38 = f6 * (int64_t) f9_38;
wolfSSL 0:d92f9d21154c 263 int64_t f7f7_38 = f7 * (int64_t) f7_38;
wolfSSL 0:d92f9d21154c 264 int64_t f7f8_38 = f7_2 * (int64_t) f8_19;
wolfSSL 0:d92f9d21154c 265 int64_t f7f9_76 = f7_2 * (int64_t) f9_38;
wolfSSL 0:d92f9d21154c 266 int64_t f8f8_19 = f8 * (int64_t) f8_19;
wolfSSL 0:d92f9d21154c 267 int64_t f8f9_38 = f8 * (int64_t) f9_38;
wolfSSL 0:d92f9d21154c 268 int64_t f9f9_38 = f9 * (int64_t) f9_38;
wolfSSL 0:d92f9d21154c 269 int64_t h0 = f0f0 +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38;
wolfSSL 0:d92f9d21154c 270 int64_t h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38;
wolfSSL 0:d92f9d21154c 271 int64_t h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19;
wolfSSL 0:d92f9d21154c 272 int64_t h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38;
wolfSSL 0:d92f9d21154c 273 int64_t h4 = f0f4_2+f1f3_4 +f2f2 +f5f9_76+f6f8_38+f7f7_38;
wolfSSL 0:d92f9d21154c 274 int64_t h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38;
wolfSSL 0:d92f9d21154c 275 int64_t h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19;
wolfSSL 0:d92f9d21154c 276 int64_t h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38;
wolfSSL 0:d92f9d21154c 277 int64_t h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4 +f9f9_38;
wolfSSL 0:d92f9d21154c 278 int64_t h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2;
wolfSSL 0:d92f9d21154c 279 int64_t carry0;
wolfSSL 0:d92f9d21154c 280 int64_t carry1;
wolfSSL 0:d92f9d21154c 281 int64_t carry2;
wolfSSL 0:d92f9d21154c 282 int64_t carry3;
wolfSSL 0:d92f9d21154c 283 int64_t carry4;
wolfSSL 0:d92f9d21154c 284 int64_t carry5;
wolfSSL 0:d92f9d21154c 285 int64_t carry6;
wolfSSL 0:d92f9d21154c 286 int64_t carry7;
wolfSSL 0:d92f9d21154c 287 int64_t carry8;
wolfSSL 0:d92f9d21154c 288 int64_t carry9;
wolfSSL 0:d92f9d21154c 289
wolfSSL 0:d92f9d21154c 290 carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
wolfSSL 0:d92f9d21154c 291 carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
wolfSSL 0:d92f9d21154c 292
wolfSSL 0:d92f9d21154c 293 carry1 = (h1 + (int64_t) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
wolfSSL 0:d92f9d21154c 294 carry5 = (h5 + (int64_t) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
wolfSSL 0:d92f9d21154c 295
wolfSSL 0:d92f9d21154c 296 carry2 = (h2 + (int64_t) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
wolfSSL 0:d92f9d21154c 297 carry6 = (h6 + (int64_t) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
wolfSSL 0:d92f9d21154c 298
wolfSSL 0:d92f9d21154c 299 carry3 = (h3 + (int64_t) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
wolfSSL 0:d92f9d21154c 300 carry7 = (h7 + (int64_t) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
wolfSSL 0:d92f9d21154c 301
wolfSSL 0:d92f9d21154c 302 carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
wolfSSL 0:d92f9d21154c 303 carry8 = (h8 + (int64_t) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
wolfSSL 0:d92f9d21154c 304
wolfSSL 0:d92f9d21154c 305 carry9 = (h9 + (int64_t) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
wolfSSL 0:d92f9d21154c 306
wolfSSL 0:d92f9d21154c 307 carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
wolfSSL 0:d92f9d21154c 308
wolfSSL 0:d92f9d21154c 309 h[0] = (int32_t)h0;
wolfSSL 0:d92f9d21154c 310 h[1] = (int32_t)h1;
wolfSSL 0:d92f9d21154c 311 h[2] = (int32_t)h2;
wolfSSL 0:d92f9d21154c 312 h[3] = (int32_t)h3;
wolfSSL 0:d92f9d21154c 313 h[4] = (int32_t)h4;
wolfSSL 0:d92f9d21154c 314 h[5] = (int32_t)h5;
wolfSSL 0:d92f9d21154c 315 h[6] = (int32_t)h6;
wolfSSL 0:d92f9d21154c 316 h[7] = (int32_t)h7;
wolfSSL 0:d92f9d21154c 317 h[8] = (int32_t)h8;
wolfSSL 0:d92f9d21154c 318 h[9] = (int32_t)h9;
wolfSSL 0:d92f9d21154c 319 }
wolfSSL 0:d92f9d21154c 320
wolfSSL 0:d92f9d21154c 321
wolfSSL 0:d92f9d21154c 322 /*
wolfSSL 0:d92f9d21154c 323 h = f + g
wolfSSL 0:d92f9d21154c 324 Can overlap h with f or g.
wolfSSL 0:d92f9d21154c 325
wolfSSL 0:d92f9d21154c 326 Preconditions:
wolfSSL 0:d92f9d21154c 327 |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
wolfSSL 0:d92f9d21154c 328 |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
wolfSSL 0:d92f9d21154c 329
wolfSSL 0:d92f9d21154c 330 Postconditions:
wolfSSL 0:d92f9d21154c 331 |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
wolfSSL 0:d92f9d21154c 332 */
wolfSSL 0:d92f9d21154c 333
wolfSSL 0:d92f9d21154c 334 void fe_add(fe h,const fe f,const fe g)
wolfSSL 0:d92f9d21154c 335 {
wolfSSL 0:d92f9d21154c 336 int32_t f0 = f[0];
wolfSSL 0:d92f9d21154c 337 int32_t f1 = f[1];
wolfSSL 0:d92f9d21154c 338 int32_t f2 = f[2];
wolfSSL 0:d92f9d21154c 339 int32_t f3 = f[3];
wolfSSL 0:d92f9d21154c 340 int32_t f4 = f[4];
wolfSSL 0:d92f9d21154c 341 int32_t f5 = f[5];
wolfSSL 0:d92f9d21154c 342 int32_t f6 = f[6];
wolfSSL 0:d92f9d21154c 343 int32_t f7 = f[7];
wolfSSL 0:d92f9d21154c 344 int32_t f8 = f[8];
wolfSSL 0:d92f9d21154c 345 int32_t f9 = f[9];
wolfSSL 0:d92f9d21154c 346 int32_t g0 = g[0];
wolfSSL 0:d92f9d21154c 347 int32_t g1 = g[1];
wolfSSL 0:d92f9d21154c 348 int32_t g2 = g[2];
wolfSSL 0:d92f9d21154c 349 int32_t g3 = g[3];
wolfSSL 0:d92f9d21154c 350 int32_t g4 = g[4];
wolfSSL 0:d92f9d21154c 351 int32_t g5 = g[5];
wolfSSL 0:d92f9d21154c 352 int32_t g6 = g[6];
wolfSSL 0:d92f9d21154c 353 int32_t g7 = g[7];
wolfSSL 0:d92f9d21154c 354 int32_t g8 = g[8];
wolfSSL 0:d92f9d21154c 355 int32_t g9 = g[9];
wolfSSL 0:d92f9d21154c 356 int32_t h0 = f0 + g0;
wolfSSL 0:d92f9d21154c 357 int32_t h1 = f1 + g1;
wolfSSL 0:d92f9d21154c 358 int32_t h2 = f2 + g2;
wolfSSL 0:d92f9d21154c 359 int32_t h3 = f3 + g3;
wolfSSL 0:d92f9d21154c 360 int32_t h4 = f4 + g4;
wolfSSL 0:d92f9d21154c 361 int32_t h5 = f5 + g5;
wolfSSL 0:d92f9d21154c 362 int32_t h6 = f6 + g6;
wolfSSL 0:d92f9d21154c 363 int32_t h7 = f7 + g7;
wolfSSL 0:d92f9d21154c 364 int32_t h8 = f8 + g8;
wolfSSL 0:d92f9d21154c 365 int32_t h9 = f9 + g9;
wolfSSL 0:d92f9d21154c 366 h[0] = h0;
wolfSSL 0:d92f9d21154c 367 h[1] = h1;
wolfSSL 0:d92f9d21154c 368 h[2] = h2;
wolfSSL 0:d92f9d21154c 369 h[3] = h3;
wolfSSL 0:d92f9d21154c 370 h[4] = h4;
wolfSSL 0:d92f9d21154c 371 h[5] = h5;
wolfSSL 0:d92f9d21154c 372 h[6] = h6;
wolfSSL 0:d92f9d21154c 373 h[7] = h7;
wolfSSL 0:d92f9d21154c 374 h[8] = h8;
wolfSSL 0:d92f9d21154c 375 h[9] = h9;
wolfSSL 0:d92f9d21154c 376 }
wolfSSL 0:d92f9d21154c 377
wolfSSL 0:d92f9d21154c 378
wolfSSL 0:d92f9d21154c 379 /*
wolfSSL 0:d92f9d21154c 380 Preconditions:
wolfSSL 0:d92f9d21154c 381 |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
wolfSSL 0:d92f9d21154c 382
wolfSSL 0:d92f9d21154c 383 Write p=2^255-19; q=floor(h/p).
wolfSSL 0:d92f9d21154c 384 Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
wolfSSL 0:d92f9d21154c 385
wolfSSL 0:d92f9d21154c 386 Proof:
wolfSSL 0:d92f9d21154c 387 Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
wolfSSL 0:d92f9d21154c 388 Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4.
wolfSSL 0:d92f9d21154c 389
wolfSSL 0:d92f9d21154c 390 Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
wolfSSL 0:d92f9d21154c 391 Then 0<y<1.
wolfSSL 0:d92f9d21154c 392
wolfSSL 0:d92f9d21154c 393 Write r=h-pq.
wolfSSL 0:d92f9d21154c 394 Have 0<=r<=p-1=2^255-20.
wolfSSL 0:d92f9d21154c 395 Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
wolfSSL 0:d92f9d21154c 396
wolfSSL 0:d92f9d21154c 397 Write x=r+19(2^-255)r+y.
wolfSSL 0:d92f9d21154c 398 Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
wolfSSL 0:d92f9d21154c 399
wolfSSL 0:d92f9d21154c 400 Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
wolfSSL 0:d92f9d21154c 401 so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
wolfSSL 0:d92f9d21154c 402 */
wolfSSL 0:d92f9d21154c 403
wolfSSL 0:d92f9d21154c 404 void fe_tobytes(unsigned char *s,const fe h)
wolfSSL 0:d92f9d21154c 405 {
wolfSSL 0:d92f9d21154c 406 int32_t h0 = h[0];
wolfSSL 0:d92f9d21154c 407 int32_t h1 = h[1];
wolfSSL 0:d92f9d21154c 408 int32_t h2 = h[2];
wolfSSL 0:d92f9d21154c 409 int32_t h3 = h[3];
wolfSSL 0:d92f9d21154c 410 int32_t h4 = h[4];
wolfSSL 0:d92f9d21154c 411 int32_t h5 = h[5];
wolfSSL 0:d92f9d21154c 412 int32_t h6 = h[6];
wolfSSL 0:d92f9d21154c 413 int32_t h7 = h[7];
wolfSSL 0:d92f9d21154c 414 int32_t h8 = h[8];
wolfSSL 0:d92f9d21154c 415 int32_t h9 = h[9];
wolfSSL 0:d92f9d21154c 416 int32_t q;
wolfSSL 0:d92f9d21154c 417 int32_t carry0;
wolfSSL 0:d92f9d21154c 418 int32_t carry1;
wolfSSL 0:d92f9d21154c 419 int32_t carry2;
wolfSSL 0:d92f9d21154c 420 int32_t carry3;
wolfSSL 0:d92f9d21154c 421 int32_t carry4;
wolfSSL 0:d92f9d21154c 422 int32_t carry5;
wolfSSL 0:d92f9d21154c 423 int32_t carry6;
wolfSSL 0:d92f9d21154c 424 int32_t carry7;
wolfSSL 0:d92f9d21154c 425 int32_t carry8;
wolfSSL 0:d92f9d21154c 426 int32_t carry9;
wolfSSL 0:d92f9d21154c 427
wolfSSL 0:d92f9d21154c 428 q = (19 * h9 + (((int32_t) 1) << 24)) >> 25;
wolfSSL 0:d92f9d21154c 429 q = (h0 + q) >> 26;
wolfSSL 0:d92f9d21154c 430 q = (h1 + q) >> 25;
wolfSSL 0:d92f9d21154c 431 q = (h2 + q) >> 26;
wolfSSL 0:d92f9d21154c 432 q = (h3 + q) >> 25;
wolfSSL 0:d92f9d21154c 433 q = (h4 + q) >> 26;
wolfSSL 0:d92f9d21154c 434 q = (h5 + q) >> 25;
wolfSSL 0:d92f9d21154c 435 q = (h6 + q) >> 26;
wolfSSL 0:d92f9d21154c 436 q = (h7 + q) >> 25;
wolfSSL 0:d92f9d21154c 437 q = (h8 + q) >> 26;
wolfSSL 0:d92f9d21154c 438 q = (h9 + q) >> 25;
wolfSSL 0:d92f9d21154c 439
wolfSSL 0:d92f9d21154c 440 /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */
wolfSSL 0:d92f9d21154c 441 h0 += 19 * q;
wolfSSL 0:d92f9d21154c 442 /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */
wolfSSL 0:d92f9d21154c 443
wolfSSL 0:d92f9d21154c 444 carry0 = h0 >> 26; h1 += carry0; h0 -= carry0 << 26;
wolfSSL 0:d92f9d21154c 445 carry1 = h1 >> 25; h2 += carry1; h1 -= carry1 << 25;
wolfSSL 0:d92f9d21154c 446 carry2 = h2 >> 26; h3 += carry2; h2 -= carry2 << 26;
wolfSSL 0:d92f9d21154c 447 carry3 = h3 >> 25; h4 += carry3; h3 -= carry3 << 25;
wolfSSL 0:d92f9d21154c 448 carry4 = h4 >> 26; h5 += carry4; h4 -= carry4 << 26;
wolfSSL 0:d92f9d21154c 449 carry5 = h5 >> 25; h6 += carry5; h5 -= carry5 << 25;
wolfSSL 0:d92f9d21154c 450 carry6 = h6 >> 26; h7 += carry6; h6 -= carry6 << 26;
wolfSSL 0:d92f9d21154c 451 carry7 = h7 >> 25; h8 += carry7; h7 -= carry7 << 25;
wolfSSL 0:d92f9d21154c 452 carry8 = h8 >> 26; h9 += carry8; h8 -= carry8 << 26;
wolfSSL 0:d92f9d21154c 453 carry9 = h9 >> 25; h9 -= carry9 << 25;
wolfSSL 0:d92f9d21154c 454 /* h10 = carry9 */
wolfSSL 0:d92f9d21154c 455
wolfSSL 0:d92f9d21154c 456 /*
wolfSSL 0:d92f9d21154c 457 Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
wolfSSL 0:d92f9d21154c 458 Have h0+...+2^230 h9 between 0 and 2^255-1;
wolfSSL 0:d92f9d21154c 459 evidently 2^255 h10-2^255 q = 0.
wolfSSL 0:d92f9d21154c 460 Goal: Output h0+...+2^230 h9.
wolfSSL 0:d92f9d21154c 461 */
wolfSSL 0:d92f9d21154c 462
wolfSSL 0:d92f9d21154c 463 s[0] = h0 >> 0;
wolfSSL 0:d92f9d21154c 464 s[1] = h0 >> 8;
wolfSSL 0:d92f9d21154c 465 s[2] = h0 >> 16;
wolfSSL 0:d92f9d21154c 466 s[3] = (h0 >> 24) | (h1 << 2);
wolfSSL 0:d92f9d21154c 467 s[4] = h1 >> 6;
wolfSSL 0:d92f9d21154c 468 s[5] = h1 >> 14;
wolfSSL 0:d92f9d21154c 469 s[6] = (h1 >> 22) | (h2 << 3);
wolfSSL 0:d92f9d21154c 470 s[7] = h2 >> 5;
wolfSSL 0:d92f9d21154c 471 s[8] = h2 >> 13;
wolfSSL 0:d92f9d21154c 472 s[9] = (h2 >> 21) | (h3 << 5);
wolfSSL 0:d92f9d21154c 473 s[10] = h3 >> 3;
wolfSSL 0:d92f9d21154c 474 s[11] = h3 >> 11;
wolfSSL 0:d92f9d21154c 475 s[12] = (h3 >> 19) | (h4 << 6);
wolfSSL 0:d92f9d21154c 476 s[13] = h4 >> 2;
wolfSSL 0:d92f9d21154c 477 s[14] = h4 >> 10;
wolfSSL 0:d92f9d21154c 478 s[15] = h4 >> 18;
wolfSSL 0:d92f9d21154c 479 s[16] = h5 >> 0;
wolfSSL 0:d92f9d21154c 480 s[17] = h5 >> 8;
wolfSSL 0:d92f9d21154c 481 s[18] = h5 >> 16;
wolfSSL 0:d92f9d21154c 482 s[19] = (h5 >> 24) | (h6 << 1);
wolfSSL 0:d92f9d21154c 483 s[20] = h6 >> 7;
wolfSSL 0:d92f9d21154c 484 s[21] = h6 >> 15;
wolfSSL 0:d92f9d21154c 485 s[22] = (h6 >> 23) | (h7 << 3);
wolfSSL 0:d92f9d21154c 486 s[23] = h7 >> 5;
wolfSSL 0:d92f9d21154c 487 s[24] = h7 >> 13;
wolfSSL 0:d92f9d21154c 488 s[25] = (h7 >> 21) | (h8 << 4);
wolfSSL 0:d92f9d21154c 489 s[26] = h8 >> 4;
wolfSSL 0:d92f9d21154c 490 s[27] = h8 >> 12;
wolfSSL 0:d92f9d21154c 491 s[28] = (h8 >> 20) | (h9 << 6);
wolfSSL 0:d92f9d21154c 492 s[29] = h9 >> 2;
wolfSSL 0:d92f9d21154c 493 s[30] = h9 >> 10;
wolfSSL 0:d92f9d21154c 494 s[31] = h9 >> 18;
wolfSSL 0:d92f9d21154c 495 }
wolfSSL 0:d92f9d21154c 496
wolfSSL 0:d92f9d21154c 497
wolfSSL 0:d92f9d21154c 498 /*
wolfSSL 0:d92f9d21154c 499 h = f - g
wolfSSL 0:d92f9d21154c 500 Can overlap h with f or g.
wolfSSL 0:d92f9d21154c 501
wolfSSL 0:d92f9d21154c 502 Preconditions:
wolfSSL 0:d92f9d21154c 503 |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
wolfSSL 0:d92f9d21154c 504 |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
wolfSSL 0:d92f9d21154c 505
wolfSSL 0:d92f9d21154c 506 Postconditions:
wolfSSL 0:d92f9d21154c 507 |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
wolfSSL 0:d92f9d21154c 508 */
wolfSSL 0:d92f9d21154c 509
wolfSSL 0:d92f9d21154c 510 void fe_sub(fe h,const fe f,const fe g)
wolfSSL 0:d92f9d21154c 511 {
wolfSSL 0:d92f9d21154c 512 int32_t f0 = f[0];
wolfSSL 0:d92f9d21154c 513 int32_t f1 = f[1];
wolfSSL 0:d92f9d21154c 514 int32_t f2 = f[2];
wolfSSL 0:d92f9d21154c 515 int32_t f3 = f[3];
wolfSSL 0:d92f9d21154c 516 int32_t f4 = f[4];
wolfSSL 0:d92f9d21154c 517 int32_t f5 = f[5];
wolfSSL 0:d92f9d21154c 518 int32_t f6 = f[6];
wolfSSL 0:d92f9d21154c 519 int32_t f7 = f[7];
wolfSSL 0:d92f9d21154c 520 int32_t f8 = f[8];
wolfSSL 0:d92f9d21154c 521 int32_t f9 = f[9];
wolfSSL 0:d92f9d21154c 522 int32_t g0 = g[0];
wolfSSL 0:d92f9d21154c 523 int32_t g1 = g[1];
wolfSSL 0:d92f9d21154c 524 int32_t g2 = g[2];
wolfSSL 0:d92f9d21154c 525 int32_t g3 = g[3];
wolfSSL 0:d92f9d21154c 526 int32_t g4 = g[4];
wolfSSL 0:d92f9d21154c 527 int32_t g5 = g[5];
wolfSSL 0:d92f9d21154c 528 int32_t g6 = g[6];
wolfSSL 0:d92f9d21154c 529 int32_t g7 = g[7];
wolfSSL 0:d92f9d21154c 530 int32_t g8 = g[8];
wolfSSL 0:d92f9d21154c 531 int32_t g9 = g[9];
wolfSSL 0:d92f9d21154c 532 int32_t h0 = f0 - g0;
wolfSSL 0:d92f9d21154c 533 int32_t h1 = f1 - g1;
wolfSSL 0:d92f9d21154c 534 int32_t h2 = f2 - g2;
wolfSSL 0:d92f9d21154c 535 int32_t h3 = f3 - g3;
wolfSSL 0:d92f9d21154c 536 int32_t h4 = f4 - g4;
wolfSSL 0:d92f9d21154c 537 int32_t h5 = f5 - g5;
wolfSSL 0:d92f9d21154c 538 int32_t h6 = f6 - g6;
wolfSSL 0:d92f9d21154c 539 int32_t h7 = f7 - g7;
wolfSSL 0:d92f9d21154c 540 int32_t h8 = f8 - g8;
wolfSSL 0:d92f9d21154c 541 int32_t h9 = f9 - g9;
wolfSSL 0:d92f9d21154c 542 h[0] = h0;
wolfSSL 0:d92f9d21154c 543 h[1] = h1;
wolfSSL 0:d92f9d21154c 544 h[2] = h2;
wolfSSL 0:d92f9d21154c 545 h[3] = h3;
wolfSSL 0:d92f9d21154c 546 h[4] = h4;
wolfSSL 0:d92f9d21154c 547 h[5] = h5;
wolfSSL 0:d92f9d21154c 548 h[6] = h6;
wolfSSL 0:d92f9d21154c 549 h[7] = h7;
wolfSSL 0:d92f9d21154c 550 h[8] = h8;
wolfSSL 0:d92f9d21154c 551 h[9] = h9;
wolfSSL 0:d92f9d21154c 552 }
wolfSSL 0:d92f9d21154c 553
wolfSSL 0:d92f9d21154c 554
wolfSSL 0:d92f9d21154c 555 /*
wolfSSL 0:d92f9d21154c 556 Ignores top bit of h.
wolfSSL 0:d92f9d21154c 557 */
wolfSSL 0:d92f9d21154c 558
wolfSSL 0:d92f9d21154c 559 void fe_frombytes(fe h,const unsigned char *s)
wolfSSL 0:d92f9d21154c 560 {
wolfSSL 0:d92f9d21154c 561 int64_t h0 = load_4(s);
wolfSSL 0:d92f9d21154c 562 int64_t h1 = load_3(s + 4) << 6;
wolfSSL 0:d92f9d21154c 563 int64_t h2 = load_3(s + 7) << 5;
wolfSSL 0:d92f9d21154c 564 int64_t h3 = load_3(s + 10) << 3;
wolfSSL 0:d92f9d21154c 565 int64_t h4 = load_3(s + 13) << 2;
wolfSSL 0:d92f9d21154c 566 int64_t h5 = load_4(s + 16);
wolfSSL 0:d92f9d21154c 567 int64_t h6 = load_3(s + 20) << 7;
wolfSSL 0:d92f9d21154c 568 int64_t h7 = load_3(s + 23) << 5;
wolfSSL 0:d92f9d21154c 569 int64_t h8 = load_3(s + 26) << 4;
wolfSSL 0:d92f9d21154c 570 int64_t h9 = (load_3(s + 29) & 8388607) << 2;
wolfSSL 0:d92f9d21154c 571 int64_t carry0;
wolfSSL 0:d92f9d21154c 572 int64_t carry1;
wolfSSL 0:d92f9d21154c 573 int64_t carry2;
wolfSSL 0:d92f9d21154c 574 int64_t carry3;
wolfSSL 0:d92f9d21154c 575 int64_t carry4;
wolfSSL 0:d92f9d21154c 576 int64_t carry5;
wolfSSL 0:d92f9d21154c 577 int64_t carry6;
wolfSSL 0:d92f9d21154c 578 int64_t carry7;
wolfSSL 0:d92f9d21154c 579 int64_t carry8;
wolfSSL 0:d92f9d21154c 580 int64_t carry9;
wolfSSL 0:d92f9d21154c 581
wolfSSL 0:d92f9d21154c 582 carry9 = (h9 + (int64_t) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
wolfSSL 0:d92f9d21154c 583 carry1 = (h1 + (int64_t) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
wolfSSL 0:d92f9d21154c 584 carry3 = (h3 + (int64_t) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
wolfSSL 0:d92f9d21154c 585 carry5 = (h5 + (int64_t) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
wolfSSL 0:d92f9d21154c 586 carry7 = (h7 + (int64_t) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
wolfSSL 0:d92f9d21154c 587
wolfSSL 0:d92f9d21154c 588 carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
wolfSSL 0:d92f9d21154c 589 carry2 = (h2 + (int64_t) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
wolfSSL 0:d92f9d21154c 590 carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
wolfSSL 0:d92f9d21154c 591 carry6 = (h6 + (int64_t) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
wolfSSL 0:d92f9d21154c 592 carry8 = (h8 + (int64_t) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
wolfSSL 0:d92f9d21154c 593
wolfSSL 0:d92f9d21154c 594 h[0] = (int32_t)h0;
wolfSSL 0:d92f9d21154c 595 h[1] = (int32_t)h1;
wolfSSL 0:d92f9d21154c 596 h[2] = (int32_t)h2;
wolfSSL 0:d92f9d21154c 597 h[3] = (int32_t)h3;
wolfSSL 0:d92f9d21154c 598 h[4] = (int32_t)h4;
wolfSSL 0:d92f9d21154c 599 h[5] = (int32_t)h5;
wolfSSL 0:d92f9d21154c 600 h[6] = (int32_t)h6;
wolfSSL 0:d92f9d21154c 601 h[7] = (int32_t)h7;
wolfSSL 0:d92f9d21154c 602 h[8] = (int32_t)h8;
wolfSSL 0:d92f9d21154c 603 h[9] = (int32_t)h9;
wolfSSL 0:d92f9d21154c 604 }
wolfSSL 0:d92f9d21154c 605
wolfSSL 0:d92f9d21154c 606
wolfSSL 0:d92f9d21154c 607 void fe_invert(fe out,const fe z)
wolfSSL 0:d92f9d21154c 608 {
wolfSSL 0:d92f9d21154c 609 fe t0;
wolfSSL 0:d92f9d21154c 610 fe t1;
wolfSSL 0:d92f9d21154c 611 fe t2;
wolfSSL 0:d92f9d21154c 612 fe t3;
wolfSSL 0:d92f9d21154c 613 int i;
wolfSSL 0:d92f9d21154c 614
wolfSSL 0:d92f9d21154c 615 /* pow225521 */
wolfSSL 0:d92f9d21154c 616 fe_sq(t0,z); for (i = 1;i < 1;++i) fe_sq(t0,t0);
wolfSSL 0:d92f9d21154c 617 fe_sq(t1,t0); for (i = 1;i < 2;++i) fe_sq(t1,t1);
wolfSSL 0:d92f9d21154c 618 fe_mul(t1,z,t1);
wolfSSL 0:d92f9d21154c 619 fe_mul(t0,t0,t1);
wolfSSL 0:d92f9d21154c 620 fe_sq(t2,t0); for (i = 1;i < 1;++i) fe_sq(t2,t2);
wolfSSL 0:d92f9d21154c 621 fe_mul(t1,t1,t2);
wolfSSL 0:d92f9d21154c 622 fe_sq(t2,t1); for (i = 1;i < 5;++i) fe_sq(t2,t2);
wolfSSL 0:d92f9d21154c 623 fe_mul(t1,t2,t1);
wolfSSL 0:d92f9d21154c 624 fe_sq(t2,t1); for (i = 1;i < 10;++i) fe_sq(t2,t2);
wolfSSL 0:d92f9d21154c 625 fe_mul(t2,t2,t1);
wolfSSL 0:d92f9d21154c 626 fe_sq(t3,t2); for (i = 1;i < 20;++i) fe_sq(t3,t3);
wolfSSL 0:d92f9d21154c 627 fe_mul(t2,t3,t2);
wolfSSL 0:d92f9d21154c 628 fe_sq(t2,t2); for (i = 1;i < 10;++i) fe_sq(t2,t2);
wolfSSL 0:d92f9d21154c 629 fe_mul(t1,t2,t1);
wolfSSL 0:d92f9d21154c 630 fe_sq(t2,t1); for (i = 1;i < 50;++i) fe_sq(t2,t2);
wolfSSL 0:d92f9d21154c 631 fe_mul(t2,t2,t1);
wolfSSL 0:d92f9d21154c 632 fe_sq(t3,t2); for (i = 1;i < 100;++i) fe_sq(t3,t3);
wolfSSL 0:d92f9d21154c 633 fe_mul(t2,t3,t2);
wolfSSL 0:d92f9d21154c 634 fe_sq(t2,t2); for (i = 1;i < 50;++i) fe_sq(t2,t2);
wolfSSL 0:d92f9d21154c 635 fe_mul(t1,t2,t1);
wolfSSL 0:d92f9d21154c 636 fe_sq(t1,t1); for (i = 1;i < 5;++i) fe_sq(t1,t1);
wolfSSL 0:d92f9d21154c 637 fe_mul(out,t1,t0);
wolfSSL 0:d92f9d21154c 638
wolfSSL 0:d92f9d21154c 639 return;
wolfSSL 0:d92f9d21154c 640 }
wolfSSL 0:d92f9d21154c 641
wolfSSL 0:d92f9d21154c 642
wolfSSL 0:d92f9d21154c 643 /*
wolfSSL 0:d92f9d21154c 644 h = f
wolfSSL 0:d92f9d21154c 645 */
wolfSSL 0:d92f9d21154c 646
wolfSSL 0:d92f9d21154c 647 void fe_copy(fe h,const fe f)
wolfSSL 0:d92f9d21154c 648 {
wolfSSL 0:d92f9d21154c 649 int32_t f0 = f[0];
wolfSSL 0:d92f9d21154c 650 int32_t f1 = f[1];
wolfSSL 0:d92f9d21154c 651 int32_t f2 = f[2];
wolfSSL 0:d92f9d21154c 652 int32_t f3 = f[3];
wolfSSL 0:d92f9d21154c 653 int32_t f4 = f[4];
wolfSSL 0:d92f9d21154c 654 int32_t f5 = f[5];
wolfSSL 0:d92f9d21154c 655 int32_t f6 = f[6];
wolfSSL 0:d92f9d21154c 656 int32_t f7 = f[7];
wolfSSL 0:d92f9d21154c 657 int32_t f8 = f[8];
wolfSSL 0:d92f9d21154c 658 int32_t f9 = f[9];
wolfSSL 0:d92f9d21154c 659 h[0] = f0;
wolfSSL 0:d92f9d21154c 660 h[1] = f1;
wolfSSL 0:d92f9d21154c 661 h[2] = f2;
wolfSSL 0:d92f9d21154c 662 h[3] = f3;
wolfSSL 0:d92f9d21154c 663 h[4] = f4;
wolfSSL 0:d92f9d21154c 664 h[5] = f5;
wolfSSL 0:d92f9d21154c 665 h[6] = f6;
wolfSSL 0:d92f9d21154c 666 h[7] = f7;
wolfSSL 0:d92f9d21154c 667 h[8] = f8;
wolfSSL 0:d92f9d21154c 668 h[9] = f9;
wolfSSL 0:d92f9d21154c 669 }
wolfSSL 0:d92f9d21154c 670
wolfSSL 0:d92f9d21154c 671
wolfSSL 0:d92f9d21154c 672 /*
wolfSSL 0:d92f9d21154c 673 h = f * g
wolfSSL 0:d92f9d21154c 674 Can overlap h with f or g.
wolfSSL 0:d92f9d21154c 675
wolfSSL 0:d92f9d21154c 676 Preconditions:
wolfSSL 0:d92f9d21154c 677 |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
wolfSSL 0:d92f9d21154c 678 |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
wolfSSL 0:d92f9d21154c 679
wolfSSL 0:d92f9d21154c 680 Postconditions:
wolfSSL 0:d92f9d21154c 681 |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
wolfSSL 0:d92f9d21154c 682 */
wolfSSL 0:d92f9d21154c 683
wolfSSL 0:d92f9d21154c 684 /*
wolfSSL 0:d92f9d21154c 685 Notes on implementation strategy:
wolfSSL 0:d92f9d21154c 686
wolfSSL 0:d92f9d21154c 687 Using schoolbook multiplication.
wolfSSL 0:d92f9d21154c 688 Karatsuba would save a little in some cost models.
wolfSSL 0:d92f9d21154c 689
wolfSSL 0:d92f9d21154c 690 Most multiplications by 2 and 19 are 32-bit precomputations;
wolfSSL 0:d92f9d21154c 691 cheaper than 64-bit postcomputations.
wolfSSL 0:d92f9d21154c 692
wolfSSL 0:d92f9d21154c 693 There is one remaining multiplication by 19 in the carry chain;
wolfSSL 0:d92f9d21154c 694 one *19 precomputation can be merged into this,
wolfSSL 0:d92f9d21154c 695 but the resulting data flow is considerably less clean.
wolfSSL 0:d92f9d21154c 696
wolfSSL 0:d92f9d21154c 697 There are 12 carries below.
wolfSSL 0:d92f9d21154c 698 10 of them are 2-way parallelizable and vectorizable.
wolfSSL 0:d92f9d21154c 699 Can get away with 11 carries, but then data flow is much deeper.
wolfSSL 0:d92f9d21154c 700
wolfSSL 0:d92f9d21154c 701 With tighter constraints on inputs can squeeze carries into int32.
wolfSSL 0:d92f9d21154c 702 */
wolfSSL 0:d92f9d21154c 703
wolfSSL 0:d92f9d21154c 704 void fe_mul(fe h,const fe f,const fe g)
wolfSSL 0:d92f9d21154c 705 {
wolfSSL 0:d92f9d21154c 706 int32_t f0 = f[0];
wolfSSL 0:d92f9d21154c 707 int32_t f1 = f[1];
wolfSSL 0:d92f9d21154c 708 int32_t f2 = f[2];
wolfSSL 0:d92f9d21154c 709 int32_t f3 = f[3];
wolfSSL 0:d92f9d21154c 710 int32_t f4 = f[4];
wolfSSL 0:d92f9d21154c 711 int32_t f5 = f[5];
wolfSSL 0:d92f9d21154c 712 int32_t f6 = f[6];
wolfSSL 0:d92f9d21154c 713 int32_t f7 = f[7];
wolfSSL 0:d92f9d21154c 714 int32_t f8 = f[8];
wolfSSL 0:d92f9d21154c 715 int32_t f9 = f[9];
wolfSSL 0:d92f9d21154c 716 int32_t g0 = g[0];
wolfSSL 0:d92f9d21154c 717 int32_t g1 = g[1];
wolfSSL 0:d92f9d21154c 718 int32_t g2 = g[2];
wolfSSL 0:d92f9d21154c 719 int32_t g3 = g[3];
wolfSSL 0:d92f9d21154c 720 int32_t g4 = g[4];
wolfSSL 0:d92f9d21154c 721 int32_t g5 = g[5];
wolfSSL 0:d92f9d21154c 722 int32_t g6 = g[6];
wolfSSL 0:d92f9d21154c 723 int32_t g7 = g[7];
wolfSSL 0:d92f9d21154c 724 int32_t g8 = g[8];
wolfSSL 0:d92f9d21154c 725 int32_t g9 = g[9];
wolfSSL 0:d92f9d21154c 726 int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */
wolfSSL 0:d92f9d21154c 727 int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */
wolfSSL 0:d92f9d21154c 728 int32_t g3_19 = 19 * g3;
wolfSSL 0:d92f9d21154c 729 int32_t g4_19 = 19 * g4;
wolfSSL 0:d92f9d21154c 730 int32_t g5_19 = 19 * g5;
wolfSSL 0:d92f9d21154c 731 int32_t g6_19 = 19 * g6;
wolfSSL 0:d92f9d21154c 732 int32_t g7_19 = 19 * g7;
wolfSSL 0:d92f9d21154c 733 int32_t g8_19 = 19 * g8;
wolfSSL 0:d92f9d21154c 734 int32_t g9_19 = 19 * g9;
wolfSSL 0:d92f9d21154c 735 int32_t f1_2 = 2 * f1;
wolfSSL 0:d92f9d21154c 736 int32_t f3_2 = 2 * f3;
wolfSSL 0:d92f9d21154c 737 int32_t f5_2 = 2 * f5;
wolfSSL 0:d92f9d21154c 738 int32_t f7_2 = 2 * f7;
wolfSSL 0:d92f9d21154c 739 int32_t f9_2 = 2 * f9;
wolfSSL 0:d92f9d21154c 740 int64_t f0g0 = f0 * (int64_t) g0;
wolfSSL 0:d92f9d21154c 741 int64_t f0g1 = f0 * (int64_t) g1;
wolfSSL 0:d92f9d21154c 742 int64_t f0g2 = f0 * (int64_t) g2;
wolfSSL 0:d92f9d21154c 743 int64_t f0g3 = f0 * (int64_t) g3;
wolfSSL 0:d92f9d21154c 744 int64_t f0g4 = f0 * (int64_t) g4;
wolfSSL 0:d92f9d21154c 745 int64_t f0g5 = f0 * (int64_t) g5;
wolfSSL 0:d92f9d21154c 746 int64_t f0g6 = f0 * (int64_t) g6;
wolfSSL 0:d92f9d21154c 747 int64_t f0g7 = f0 * (int64_t) g7;
wolfSSL 0:d92f9d21154c 748 int64_t f0g8 = f0 * (int64_t) g8;
wolfSSL 0:d92f9d21154c 749 int64_t f0g9 = f0 * (int64_t) g9;
wolfSSL 0:d92f9d21154c 750 int64_t f1g0 = f1 * (int64_t) g0;
wolfSSL 0:d92f9d21154c 751 int64_t f1g1_2 = f1_2 * (int64_t) g1;
wolfSSL 0:d92f9d21154c 752 int64_t f1g2 = f1 * (int64_t) g2;
wolfSSL 0:d92f9d21154c 753 int64_t f1g3_2 = f1_2 * (int64_t) g3;
wolfSSL 0:d92f9d21154c 754 int64_t f1g4 = f1 * (int64_t) g4;
wolfSSL 0:d92f9d21154c 755 int64_t f1g5_2 = f1_2 * (int64_t) g5;
wolfSSL 0:d92f9d21154c 756 int64_t f1g6 = f1 * (int64_t) g6;
wolfSSL 0:d92f9d21154c 757 int64_t f1g7_2 = f1_2 * (int64_t) g7;
wolfSSL 0:d92f9d21154c 758 int64_t f1g8 = f1 * (int64_t) g8;
wolfSSL 0:d92f9d21154c 759 int64_t f1g9_38 = f1_2 * (int64_t) g9_19;
wolfSSL 0:d92f9d21154c 760 int64_t f2g0 = f2 * (int64_t) g0;
wolfSSL 0:d92f9d21154c 761 int64_t f2g1 = f2 * (int64_t) g1;
wolfSSL 0:d92f9d21154c 762 int64_t f2g2 = f2 * (int64_t) g2;
wolfSSL 0:d92f9d21154c 763 int64_t f2g3 = f2 * (int64_t) g3;
wolfSSL 0:d92f9d21154c 764 int64_t f2g4 = f2 * (int64_t) g4;
wolfSSL 0:d92f9d21154c 765 int64_t f2g5 = f2 * (int64_t) g5;
wolfSSL 0:d92f9d21154c 766 int64_t f2g6 = f2 * (int64_t) g6;
wolfSSL 0:d92f9d21154c 767 int64_t f2g7 = f2 * (int64_t) g7;
wolfSSL 0:d92f9d21154c 768 int64_t f2g8_19 = f2 * (int64_t) g8_19;
wolfSSL 0:d92f9d21154c 769 int64_t f2g9_19 = f2 * (int64_t) g9_19;
wolfSSL 0:d92f9d21154c 770 int64_t f3g0 = f3 * (int64_t) g0;
wolfSSL 0:d92f9d21154c 771 int64_t f3g1_2 = f3_2 * (int64_t) g1;
wolfSSL 0:d92f9d21154c 772 int64_t f3g2 = f3 * (int64_t) g2;
wolfSSL 0:d92f9d21154c 773 int64_t f3g3_2 = f3_2 * (int64_t) g3;
wolfSSL 0:d92f9d21154c 774 int64_t f3g4 = f3 * (int64_t) g4;
wolfSSL 0:d92f9d21154c 775 int64_t f3g5_2 = f3_2 * (int64_t) g5;
wolfSSL 0:d92f9d21154c 776 int64_t f3g6 = f3 * (int64_t) g6;
wolfSSL 0:d92f9d21154c 777 int64_t f3g7_38 = f3_2 * (int64_t) g7_19;
wolfSSL 0:d92f9d21154c 778 int64_t f3g8_19 = f3 * (int64_t) g8_19;
wolfSSL 0:d92f9d21154c 779 int64_t f3g9_38 = f3_2 * (int64_t) g9_19;
wolfSSL 0:d92f9d21154c 780 int64_t f4g0 = f4 * (int64_t) g0;
wolfSSL 0:d92f9d21154c 781 int64_t f4g1 = f4 * (int64_t) g1;
wolfSSL 0:d92f9d21154c 782 int64_t f4g2 = f4 * (int64_t) g2;
wolfSSL 0:d92f9d21154c 783 int64_t f4g3 = f4 * (int64_t) g3;
wolfSSL 0:d92f9d21154c 784 int64_t f4g4 = f4 * (int64_t) g4;
wolfSSL 0:d92f9d21154c 785 int64_t f4g5 = f4 * (int64_t) g5;
wolfSSL 0:d92f9d21154c 786 int64_t f4g6_19 = f4 * (int64_t) g6_19;
wolfSSL 0:d92f9d21154c 787 int64_t f4g7_19 = f4 * (int64_t) g7_19;
wolfSSL 0:d92f9d21154c 788 int64_t f4g8_19 = f4 * (int64_t) g8_19;
wolfSSL 0:d92f9d21154c 789 int64_t f4g9_19 = f4 * (int64_t) g9_19;
wolfSSL 0:d92f9d21154c 790 int64_t f5g0 = f5 * (int64_t) g0;
wolfSSL 0:d92f9d21154c 791 int64_t f5g1_2 = f5_2 * (int64_t) g1;
wolfSSL 0:d92f9d21154c 792 int64_t f5g2 = f5 * (int64_t) g2;
wolfSSL 0:d92f9d21154c 793 int64_t f5g3_2 = f5_2 * (int64_t) g3;
wolfSSL 0:d92f9d21154c 794 int64_t f5g4 = f5 * (int64_t) g4;
wolfSSL 0:d92f9d21154c 795 int64_t f5g5_38 = f5_2 * (int64_t) g5_19;
wolfSSL 0:d92f9d21154c 796 int64_t f5g6_19 = f5 * (int64_t) g6_19;
wolfSSL 0:d92f9d21154c 797 int64_t f5g7_38 = f5_2 * (int64_t) g7_19;
wolfSSL 0:d92f9d21154c 798 int64_t f5g8_19 = f5 * (int64_t) g8_19;
wolfSSL 0:d92f9d21154c 799 int64_t f5g9_38 = f5_2 * (int64_t) g9_19;
wolfSSL 0:d92f9d21154c 800 int64_t f6g0 = f6 * (int64_t) g0;
wolfSSL 0:d92f9d21154c 801 int64_t f6g1 = f6 * (int64_t) g1;
wolfSSL 0:d92f9d21154c 802 int64_t f6g2 = f6 * (int64_t) g2;
wolfSSL 0:d92f9d21154c 803 int64_t f6g3 = f6 * (int64_t) g3;
wolfSSL 0:d92f9d21154c 804 int64_t f6g4_19 = f6 * (int64_t) g4_19;
wolfSSL 0:d92f9d21154c 805 int64_t f6g5_19 = f6 * (int64_t) g5_19;
wolfSSL 0:d92f9d21154c 806 int64_t f6g6_19 = f6 * (int64_t) g6_19;
wolfSSL 0:d92f9d21154c 807 int64_t f6g7_19 = f6 * (int64_t) g7_19;
wolfSSL 0:d92f9d21154c 808 int64_t f6g8_19 = f6 * (int64_t) g8_19;
wolfSSL 0:d92f9d21154c 809 int64_t f6g9_19 = f6 * (int64_t) g9_19;
wolfSSL 0:d92f9d21154c 810 int64_t f7g0 = f7 * (int64_t) g0;
wolfSSL 0:d92f9d21154c 811 int64_t f7g1_2 = f7_2 * (int64_t) g1;
wolfSSL 0:d92f9d21154c 812 int64_t f7g2 = f7 * (int64_t) g2;
wolfSSL 0:d92f9d21154c 813 int64_t f7g3_38 = f7_2 * (int64_t) g3_19;
wolfSSL 0:d92f9d21154c 814 int64_t f7g4_19 = f7 * (int64_t) g4_19;
wolfSSL 0:d92f9d21154c 815 int64_t f7g5_38 = f7_2 * (int64_t) g5_19;
wolfSSL 0:d92f9d21154c 816 int64_t f7g6_19 = f7 * (int64_t) g6_19;
wolfSSL 0:d92f9d21154c 817 int64_t f7g7_38 = f7_2 * (int64_t) g7_19;
wolfSSL 0:d92f9d21154c 818 int64_t f7g8_19 = f7 * (int64_t) g8_19;
wolfSSL 0:d92f9d21154c 819 int64_t f7g9_38 = f7_2 * (int64_t) g9_19;
wolfSSL 0:d92f9d21154c 820 int64_t f8g0 = f8 * (int64_t) g0;
wolfSSL 0:d92f9d21154c 821 int64_t f8g1 = f8 * (int64_t) g1;
wolfSSL 0:d92f9d21154c 822 int64_t f8g2_19 = f8 * (int64_t) g2_19;
wolfSSL 0:d92f9d21154c 823 int64_t f8g3_19 = f8 * (int64_t) g3_19;
wolfSSL 0:d92f9d21154c 824 int64_t f8g4_19 = f8 * (int64_t) g4_19;
wolfSSL 0:d92f9d21154c 825 int64_t f8g5_19 = f8 * (int64_t) g5_19;
wolfSSL 0:d92f9d21154c 826 int64_t f8g6_19 = f8 * (int64_t) g6_19;
wolfSSL 0:d92f9d21154c 827 int64_t f8g7_19 = f8 * (int64_t) g7_19;
wolfSSL 0:d92f9d21154c 828 int64_t f8g8_19 = f8 * (int64_t) g8_19;
wolfSSL 0:d92f9d21154c 829 int64_t f8g9_19 = f8 * (int64_t) g9_19;
wolfSSL 0:d92f9d21154c 830 int64_t f9g0 = f9 * (int64_t) g0;
wolfSSL 0:d92f9d21154c 831 int64_t f9g1_38 = f9_2 * (int64_t) g1_19;
wolfSSL 0:d92f9d21154c 832 int64_t f9g2_19 = f9 * (int64_t) g2_19;
wolfSSL 0:d92f9d21154c 833 int64_t f9g3_38 = f9_2 * (int64_t) g3_19;
wolfSSL 0:d92f9d21154c 834 int64_t f9g4_19 = f9 * (int64_t) g4_19;
wolfSSL 0:d92f9d21154c 835 int64_t f9g5_38 = f9_2 * (int64_t) g5_19;
wolfSSL 0:d92f9d21154c 836 int64_t f9g6_19 = f9 * (int64_t) g6_19;
wolfSSL 0:d92f9d21154c 837 int64_t f9g7_38 = f9_2 * (int64_t) g7_19;
wolfSSL 0:d92f9d21154c 838 int64_t f9g8_19 = f9 * (int64_t) g8_19;
wolfSSL 0:d92f9d21154c 839 int64_t f9g9_38 = f9_2 * (int64_t) g9_19;
wolfSSL 0:d92f9d21154c 840 int64_t h0 = f0g0+f1g9_38+f2g8_19+f3g7_38+f4g6_19+f5g5_38+f6g4_19+f7g3_38+f8g2_19+f9g1_38;
wolfSSL 0:d92f9d21154c 841 int64_t h1 = f0g1+f1g0 +f2g9_19+f3g8_19+f4g7_19+f5g6_19+f6g5_19+f7g4_19+f8g3_19+f9g2_19;
wolfSSL 0:d92f9d21154c 842 int64_t h2 = f0g2+f1g1_2 +f2g0 +f3g9_38+f4g8_19+f5g7_38+f6g6_19+f7g5_38+f8g4_19+f9g3_38;
wolfSSL 0:d92f9d21154c 843 int64_t h3 = f0g3+f1g2 +f2g1 +f3g0 +f4g9_19+f5g8_19+f6g7_19+f7g6_19+f8g5_19+f9g4_19;
wolfSSL 0:d92f9d21154c 844 int64_t h4 = f0g4+f1g3_2 +f2g2 +f3g1_2 +f4g0 +f5g9_38+f6g8_19+f7g7_38+f8g6_19+f9g5_38;
wolfSSL 0:d92f9d21154c 845 int64_t h5 = f0g5+f1g4 +f2g3 +f3g2 +f4g1 +f5g0 +f6g9_19+f7g8_19+f8g7_19+f9g6_19;
wolfSSL 0:d92f9d21154c 846 int64_t h6 = f0g6+f1g5_2 +f2g4 +f3g3_2 +f4g2 +f5g1_2 +f6g0 +f7g9_38+f8g8_19+f9g7_38;
wolfSSL 0:d92f9d21154c 847 int64_t h7 = f0g7+f1g6 +f2g5 +f3g4 +f4g3 +f5g2 +f6g1 +f7g0 +f8g9_19+f9g8_19;
wolfSSL 0:d92f9d21154c 848 int64_t h8 = f0g8+f1g7_2 +f2g6 +f3g5_2 +f4g4 +f5g3_2 +f6g2 +f7g1_2 +f8g0 +f9g9_38;
wolfSSL 0:d92f9d21154c 849 int64_t h9 = f0g9+f1g8 +f2g7 +f3g6 +f4g5 +f5g4 +f6g3 +f7g2 +f8g1 +f9g0 ;
wolfSSL 0:d92f9d21154c 850 int64_t carry0;
wolfSSL 0:d92f9d21154c 851 int64_t carry1;
wolfSSL 0:d92f9d21154c 852 int64_t carry2;
wolfSSL 0:d92f9d21154c 853 int64_t carry3;
wolfSSL 0:d92f9d21154c 854 int64_t carry4;
wolfSSL 0:d92f9d21154c 855 int64_t carry5;
wolfSSL 0:d92f9d21154c 856 int64_t carry6;
wolfSSL 0:d92f9d21154c 857 int64_t carry7;
wolfSSL 0:d92f9d21154c 858 int64_t carry8;
wolfSSL 0:d92f9d21154c 859 int64_t carry9;
wolfSSL 0:d92f9d21154c 860
wolfSSL 0:d92f9d21154c 861 /*
wolfSSL 0:d92f9d21154c 862 |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38))
wolfSSL 0:d92f9d21154c 863 i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8
wolfSSL 0:d92f9d21154c 864 |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19))
wolfSSL 0:d92f9d21154c 865 i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9
wolfSSL 0:d92f9d21154c 866 */
wolfSSL 0:d92f9d21154c 867
wolfSSL 0:d92f9d21154c 868 carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
wolfSSL 0:d92f9d21154c 869 carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
wolfSSL 0:d92f9d21154c 870 /* |h0| <= 2^25 */
wolfSSL 0:d92f9d21154c 871 /* |h4| <= 2^25 */
wolfSSL 0:d92f9d21154c 872 /* |h1| <= 1.71*2^59 */
wolfSSL 0:d92f9d21154c 873 /* |h5| <= 1.71*2^59 */
wolfSSL 0:d92f9d21154c 874
wolfSSL 0:d92f9d21154c 875 carry1 = (h1 + (int64_t) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
wolfSSL 0:d92f9d21154c 876 carry5 = (h5 + (int64_t) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
wolfSSL 0:d92f9d21154c 877 /* |h1| <= 2^24; from now on fits into int32 */
wolfSSL 0:d92f9d21154c 878 /* |h5| <= 2^24; from now on fits into int32 */
wolfSSL 0:d92f9d21154c 879 /* |h2| <= 1.41*2^60 */
wolfSSL 0:d92f9d21154c 880 /* |h6| <= 1.41*2^60 */
wolfSSL 0:d92f9d21154c 881
wolfSSL 0:d92f9d21154c 882 carry2 = (h2 + (int64_t) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
wolfSSL 0:d92f9d21154c 883 carry6 = (h6 + (int64_t) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
wolfSSL 0:d92f9d21154c 884 /* |h2| <= 2^25; from now on fits into int32 unchanged */
wolfSSL 0:d92f9d21154c 885 /* |h6| <= 2^25; from now on fits into int32 unchanged */
wolfSSL 0:d92f9d21154c 886 /* |h3| <= 1.71*2^59 */
wolfSSL 0:d92f9d21154c 887 /* |h7| <= 1.71*2^59 */
wolfSSL 0:d92f9d21154c 888
wolfSSL 0:d92f9d21154c 889 carry3 = (h3 + (int64_t) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
wolfSSL 0:d92f9d21154c 890 carry7 = (h7 + (int64_t) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
wolfSSL 0:d92f9d21154c 891 /* |h3| <= 2^24; from now on fits into int32 unchanged */
wolfSSL 0:d92f9d21154c 892 /* |h7| <= 2^24; from now on fits into int32 unchanged */
wolfSSL 0:d92f9d21154c 893 /* |h4| <= 1.72*2^34 */
wolfSSL 0:d92f9d21154c 894 /* |h8| <= 1.41*2^60 */
wolfSSL 0:d92f9d21154c 895
wolfSSL 0:d92f9d21154c 896 carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
wolfSSL 0:d92f9d21154c 897 carry8 = (h8 + (int64_t) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
wolfSSL 0:d92f9d21154c 898 /* |h4| <= 2^25; from now on fits into int32 unchanged */
wolfSSL 0:d92f9d21154c 899 /* |h8| <= 2^25; from now on fits into int32 unchanged */
wolfSSL 0:d92f9d21154c 900 /* |h5| <= 1.01*2^24 */
wolfSSL 0:d92f9d21154c 901 /* |h9| <= 1.71*2^59 */
wolfSSL 0:d92f9d21154c 902
wolfSSL 0:d92f9d21154c 903 carry9 = (h9 + (int64_t) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
wolfSSL 0:d92f9d21154c 904 /* |h9| <= 2^24; from now on fits into int32 unchanged */
wolfSSL 0:d92f9d21154c 905 /* |h0| <= 1.1*2^39 */
wolfSSL 0:d92f9d21154c 906
wolfSSL 0:d92f9d21154c 907 carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
wolfSSL 0:d92f9d21154c 908 /* |h0| <= 2^25; from now on fits into int32 unchanged */
wolfSSL 0:d92f9d21154c 909 /* |h1| <= 1.01*2^24 */
wolfSSL 0:d92f9d21154c 910
wolfSSL 0:d92f9d21154c 911 h[0] = (int32_t)h0;
wolfSSL 0:d92f9d21154c 912 h[1] = (int32_t)h1;
wolfSSL 0:d92f9d21154c 913 h[2] = (int32_t)h2;
wolfSSL 0:d92f9d21154c 914 h[3] = (int32_t)h3;
wolfSSL 0:d92f9d21154c 915 h[4] = (int32_t)h4;
wolfSSL 0:d92f9d21154c 916 h[5] = (int32_t)h5;
wolfSSL 0:d92f9d21154c 917 h[6] = (int32_t)h6;
wolfSSL 0:d92f9d21154c 918 h[7] = (int32_t)h7;
wolfSSL 0:d92f9d21154c 919 h[8] = (int32_t)h8;
wolfSSL 0:d92f9d21154c 920 h[9] = (int32_t)h9;
wolfSSL 0:d92f9d21154c 921 }
wolfSSL 0:d92f9d21154c 922
wolfSSL 0:d92f9d21154c 923
wolfSSL 0:d92f9d21154c 924 /*
wolfSSL 0:d92f9d21154c 925 Replace (f,g) with (g,f) if b == 1;
wolfSSL 0:d92f9d21154c 926 replace (f,g) with (f,g) if b == 0.
wolfSSL 0:d92f9d21154c 927
wolfSSL 0:d92f9d21154c 928 Preconditions: b in {0,1}.
wolfSSL 0:d92f9d21154c 929 */
wolfSSL 0:d92f9d21154c 930
wolfSSL 0:d92f9d21154c 931 void fe_cswap(fe f,fe g,unsigned int b)
wolfSSL 0:d92f9d21154c 932 {
wolfSSL 0:d92f9d21154c 933 int32_t f0 = f[0];
wolfSSL 0:d92f9d21154c 934 int32_t f1 = f[1];
wolfSSL 0:d92f9d21154c 935 int32_t f2 = f[2];
wolfSSL 0:d92f9d21154c 936 int32_t f3 = f[3];
wolfSSL 0:d92f9d21154c 937 int32_t f4 = f[4];
wolfSSL 0:d92f9d21154c 938 int32_t f5 = f[5];
wolfSSL 0:d92f9d21154c 939 int32_t f6 = f[6];
wolfSSL 0:d92f9d21154c 940 int32_t f7 = f[7];
wolfSSL 0:d92f9d21154c 941 int32_t f8 = f[8];
wolfSSL 0:d92f9d21154c 942 int32_t f9 = f[9];
wolfSSL 0:d92f9d21154c 943 int32_t g0 = g[0];
wolfSSL 0:d92f9d21154c 944 int32_t g1 = g[1];
wolfSSL 0:d92f9d21154c 945 int32_t g2 = g[2];
wolfSSL 0:d92f9d21154c 946 int32_t g3 = g[3];
wolfSSL 0:d92f9d21154c 947 int32_t g4 = g[4];
wolfSSL 0:d92f9d21154c 948 int32_t g5 = g[5];
wolfSSL 0:d92f9d21154c 949 int32_t g6 = g[6];
wolfSSL 0:d92f9d21154c 950 int32_t g7 = g[7];
wolfSSL 0:d92f9d21154c 951 int32_t g8 = g[8];
wolfSSL 0:d92f9d21154c 952 int32_t g9 = g[9];
wolfSSL 0:d92f9d21154c 953 int32_t x0 = f0 ^ g0;
wolfSSL 0:d92f9d21154c 954 int32_t x1 = f1 ^ g1;
wolfSSL 0:d92f9d21154c 955 int32_t x2 = f2 ^ g2;
wolfSSL 0:d92f9d21154c 956 int32_t x3 = f3 ^ g3;
wolfSSL 0:d92f9d21154c 957 int32_t x4 = f4 ^ g4;
wolfSSL 0:d92f9d21154c 958 int32_t x5 = f5 ^ g5;
wolfSSL 0:d92f9d21154c 959 int32_t x6 = f6 ^ g6;
wolfSSL 0:d92f9d21154c 960 int32_t x7 = f7 ^ g7;
wolfSSL 0:d92f9d21154c 961 int32_t x8 = f8 ^ g8;
wolfSSL 0:d92f9d21154c 962 int32_t x9 = f9 ^ g9;
wolfSSL 0:d92f9d21154c 963 b = -b;
wolfSSL 0:d92f9d21154c 964 x0 &= b;
wolfSSL 0:d92f9d21154c 965 x1 &= b;
wolfSSL 0:d92f9d21154c 966 x2 &= b;
wolfSSL 0:d92f9d21154c 967 x3 &= b;
wolfSSL 0:d92f9d21154c 968 x4 &= b;
wolfSSL 0:d92f9d21154c 969 x5 &= b;
wolfSSL 0:d92f9d21154c 970 x6 &= b;
wolfSSL 0:d92f9d21154c 971 x7 &= b;
wolfSSL 0:d92f9d21154c 972 x8 &= b;
wolfSSL 0:d92f9d21154c 973 x9 &= b;
wolfSSL 0:d92f9d21154c 974 f[0] = f0 ^ x0;
wolfSSL 0:d92f9d21154c 975 f[1] = f1 ^ x1;
wolfSSL 0:d92f9d21154c 976 f[2] = f2 ^ x2;
wolfSSL 0:d92f9d21154c 977 f[3] = f3 ^ x3;
wolfSSL 0:d92f9d21154c 978 f[4] = f4 ^ x4;
wolfSSL 0:d92f9d21154c 979 f[5] = f5 ^ x5;
wolfSSL 0:d92f9d21154c 980 f[6] = f6 ^ x6;
wolfSSL 0:d92f9d21154c 981 f[7] = f7 ^ x7;
wolfSSL 0:d92f9d21154c 982 f[8] = f8 ^ x8;
wolfSSL 0:d92f9d21154c 983 f[9] = f9 ^ x9;
wolfSSL 0:d92f9d21154c 984 g[0] = g0 ^ x0;
wolfSSL 0:d92f9d21154c 985 g[1] = g1 ^ x1;
wolfSSL 0:d92f9d21154c 986 g[2] = g2 ^ x2;
wolfSSL 0:d92f9d21154c 987 g[3] = g3 ^ x3;
wolfSSL 0:d92f9d21154c 988 g[4] = g4 ^ x4;
wolfSSL 0:d92f9d21154c 989 g[5] = g5 ^ x5;
wolfSSL 0:d92f9d21154c 990 g[6] = g6 ^ x6;
wolfSSL 0:d92f9d21154c 991 g[7] = g7 ^ x7;
wolfSSL 0:d92f9d21154c 992 g[8] = g8 ^ x8;
wolfSSL 0:d92f9d21154c 993 g[9] = g9 ^ x9;
wolfSSL 0:d92f9d21154c 994 }
wolfSSL 0:d92f9d21154c 995
wolfSSL 0:d92f9d21154c 996
wolfSSL 0:d92f9d21154c 997 /*
wolfSSL 0:d92f9d21154c 998 h = f * 121666
wolfSSL 0:d92f9d21154c 999 Can overlap h with f.
wolfSSL 0:d92f9d21154c 1000
wolfSSL 0:d92f9d21154c 1001 Preconditions:
wolfSSL 0:d92f9d21154c 1002 |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
wolfSSL 0:d92f9d21154c 1003
wolfSSL 0:d92f9d21154c 1004 Postconditions:
wolfSSL 0:d92f9d21154c 1005 |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
wolfSSL 0:d92f9d21154c 1006 */
wolfSSL 0:d92f9d21154c 1007
wolfSSL 0:d92f9d21154c 1008 void fe_mul121666(fe h,fe f)
wolfSSL 0:d92f9d21154c 1009 {
wolfSSL 0:d92f9d21154c 1010 int32_t f0 = f[0];
wolfSSL 0:d92f9d21154c 1011 int32_t f1 = f[1];
wolfSSL 0:d92f9d21154c 1012 int32_t f2 = f[2];
wolfSSL 0:d92f9d21154c 1013 int32_t f3 = f[3];
wolfSSL 0:d92f9d21154c 1014 int32_t f4 = f[4];
wolfSSL 0:d92f9d21154c 1015 int32_t f5 = f[5];
wolfSSL 0:d92f9d21154c 1016 int32_t f6 = f[6];
wolfSSL 0:d92f9d21154c 1017 int32_t f7 = f[7];
wolfSSL 0:d92f9d21154c 1018 int32_t f8 = f[8];
wolfSSL 0:d92f9d21154c 1019 int32_t f9 = f[9];
wolfSSL 0:d92f9d21154c 1020 int64_t h0 = f0 * (int64_t) 121666;
wolfSSL 0:d92f9d21154c 1021 int64_t h1 = f1 * (int64_t) 121666;
wolfSSL 0:d92f9d21154c 1022 int64_t h2 = f2 * (int64_t) 121666;
wolfSSL 0:d92f9d21154c 1023 int64_t h3 = f3 * (int64_t) 121666;
wolfSSL 0:d92f9d21154c 1024 int64_t h4 = f4 * (int64_t) 121666;
wolfSSL 0:d92f9d21154c 1025 int64_t h5 = f5 * (int64_t) 121666;
wolfSSL 0:d92f9d21154c 1026 int64_t h6 = f6 * (int64_t) 121666;
wolfSSL 0:d92f9d21154c 1027 int64_t h7 = f7 * (int64_t) 121666;
wolfSSL 0:d92f9d21154c 1028 int64_t h8 = f8 * (int64_t) 121666;
wolfSSL 0:d92f9d21154c 1029 int64_t h9 = f9 * (int64_t) 121666;
wolfSSL 0:d92f9d21154c 1030 int64_t carry0;
wolfSSL 0:d92f9d21154c 1031 int64_t carry1;
wolfSSL 0:d92f9d21154c 1032 int64_t carry2;
wolfSSL 0:d92f9d21154c 1033 int64_t carry3;
wolfSSL 0:d92f9d21154c 1034 int64_t carry4;
wolfSSL 0:d92f9d21154c 1035 int64_t carry5;
wolfSSL 0:d92f9d21154c 1036 int64_t carry6;
wolfSSL 0:d92f9d21154c 1037 int64_t carry7;
wolfSSL 0:d92f9d21154c 1038 int64_t carry8;
wolfSSL 0:d92f9d21154c 1039 int64_t carry9;
wolfSSL 0:d92f9d21154c 1040
wolfSSL 0:d92f9d21154c 1041 carry9 = (h9 + (int64_t) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
wolfSSL 0:d92f9d21154c 1042 carry1 = (h1 + (int64_t) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
wolfSSL 0:d92f9d21154c 1043 carry3 = (h3 + (int64_t) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
wolfSSL 0:d92f9d21154c 1044 carry5 = (h5 + (int64_t) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
wolfSSL 0:d92f9d21154c 1045 carry7 = (h7 + (int64_t) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
wolfSSL 0:d92f9d21154c 1046
wolfSSL 0:d92f9d21154c 1047 carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
wolfSSL 0:d92f9d21154c 1048 carry2 = (h2 + (int64_t) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
wolfSSL 0:d92f9d21154c 1049 carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
wolfSSL 0:d92f9d21154c 1050 carry6 = (h6 + (int64_t) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
wolfSSL 0:d92f9d21154c 1051 carry8 = (h8 + (int64_t) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
wolfSSL 0:d92f9d21154c 1052
wolfSSL 0:d92f9d21154c 1053 h[0] = (int32_t)h0;
wolfSSL 0:d92f9d21154c 1054 h[1] = (int32_t)h1;
wolfSSL 0:d92f9d21154c 1055 h[2] = (int32_t)h2;
wolfSSL 0:d92f9d21154c 1056 h[3] = (int32_t)h3;
wolfSSL 0:d92f9d21154c 1057 h[4] = (int32_t)h4;
wolfSSL 0:d92f9d21154c 1058 h[5] = (int32_t)h5;
wolfSSL 0:d92f9d21154c 1059 h[6] = (int32_t)h6;
wolfSSL 0:d92f9d21154c 1060 h[7] = (int32_t)h7;
wolfSSL 0:d92f9d21154c 1061 h[8] = (int32_t)h8;
wolfSSL 0:d92f9d21154c 1062 h[9] = (int32_t)h9;
wolfSSL 0:d92f9d21154c 1063 }
wolfSSL 0:d92f9d21154c 1064
wolfSSL 0:d92f9d21154c 1065
wolfSSL 0:d92f9d21154c 1066 /*
wolfSSL 0:d92f9d21154c 1067 h = 2 * f * f
wolfSSL 0:d92f9d21154c 1068 Can overlap h with f.
wolfSSL 0:d92f9d21154c 1069
wolfSSL 0:d92f9d21154c 1070 Preconditions:
wolfSSL 0:d92f9d21154c 1071 |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
wolfSSL 0:d92f9d21154c 1072
wolfSSL 0:d92f9d21154c 1073 Postconditions:
wolfSSL 0:d92f9d21154c 1074 |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
wolfSSL 0:d92f9d21154c 1075 */
wolfSSL 0:d92f9d21154c 1076
wolfSSL 0:d92f9d21154c 1077 /*
wolfSSL 0:d92f9d21154c 1078 See fe_mul.c for discussion of implementation strategy.
wolfSSL 0:d92f9d21154c 1079 */
wolfSSL 0:d92f9d21154c 1080
wolfSSL 0:d92f9d21154c 1081 void fe_sq2(fe h,const fe f)
wolfSSL 0:d92f9d21154c 1082 {
wolfSSL 0:d92f9d21154c 1083 int32_t f0 = f[0];
wolfSSL 0:d92f9d21154c 1084 int32_t f1 = f[1];
wolfSSL 0:d92f9d21154c 1085 int32_t f2 = f[2];
wolfSSL 0:d92f9d21154c 1086 int32_t f3 = f[3];
wolfSSL 0:d92f9d21154c 1087 int32_t f4 = f[4];
wolfSSL 0:d92f9d21154c 1088 int32_t f5 = f[5];
wolfSSL 0:d92f9d21154c 1089 int32_t f6 = f[6];
wolfSSL 0:d92f9d21154c 1090 int32_t f7 = f[7];
wolfSSL 0:d92f9d21154c 1091 int32_t f8 = f[8];
wolfSSL 0:d92f9d21154c 1092 int32_t f9 = f[9];
wolfSSL 0:d92f9d21154c 1093 int32_t f0_2 = 2 * f0;
wolfSSL 0:d92f9d21154c 1094 int32_t f1_2 = 2 * f1;
wolfSSL 0:d92f9d21154c 1095 int32_t f2_2 = 2 * f2;
wolfSSL 0:d92f9d21154c 1096 int32_t f3_2 = 2 * f3;
wolfSSL 0:d92f9d21154c 1097 int32_t f4_2 = 2 * f4;
wolfSSL 0:d92f9d21154c 1098 int32_t f5_2 = 2 * f5;
wolfSSL 0:d92f9d21154c 1099 int32_t f6_2 = 2 * f6;
wolfSSL 0:d92f9d21154c 1100 int32_t f7_2 = 2 * f7;
wolfSSL 0:d92f9d21154c 1101 int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
wolfSSL 0:d92f9d21154c 1102 int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
wolfSSL 0:d92f9d21154c 1103 int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
wolfSSL 0:d92f9d21154c 1104 int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
wolfSSL 0:d92f9d21154c 1105 int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
wolfSSL 0:d92f9d21154c 1106 int64_t f0f0 = f0 * (int64_t) f0;
wolfSSL 0:d92f9d21154c 1107 int64_t f0f1_2 = f0_2 * (int64_t) f1;
wolfSSL 0:d92f9d21154c 1108 int64_t f0f2_2 = f0_2 * (int64_t) f2;
wolfSSL 0:d92f9d21154c 1109 int64_t f0f3_2 = f0_2 * (int64_t) f3;
wolfSSL 0:d92f9d21154c 1110 int64_t f0f4_2 = f0_2 * (int64_t) f4;
wolfSSL 0:d92f9d21154c 1111 int64_t f0f5_2 = f0_2 * (int64_t) f5;
wolfSSL 0:d92f9d21154c 1112 int64_t f0f6_2 = f0_2 * (int64_t) f6;
wolfSSL 0:d92f9d21154c 1113 int64_t f0f7_2 = f0_2 * (int64_t) f7;
wolfSSL 0:d92f9d21154c 1114 int64_t f0f8_2 = f0_2 * (int64_t) f8;
wolfSSL 0:d92f9d21154c 1115 int64_t f0f9_2 = f0_2 * (int64_t) f9;
wolfSSL 0:d92f9d21154c 1116 int64_t f1f1_2 = f1_2 * (int64_t) f1;
wolfSSL 0:d92f9d21154c 1117 int64_t f1f2_2 = f1_2 * (int64_t) f2;
wolfSSL 0:d92f9d21154c 1118 int64_t f1f3_4 = f1_2 * (int64_t) f3_2;
wolfSSL 0:d92f9d21154c 1119 int64_t f1f4_2 = f1_2 * (int64_t) f4;
wolfSSL 0:d92f9d21154c 1120 int64_t f1f5_4 = f1_2 * (int64_t) f5_2;
wolfSSL 0:d92f9d21154c 1121 int64_t f1f6_2 = f1_2 * (int64_t) f6;
wolfSSL 0:d92f9d21154c 1122 int64_t f1f7_4 = f1_2 * (int64_t) f7_2;
wolfSSL 0:d92f9d21154c 1123 int64_t f1f8_2 = f1_2 * (int64_t) f8;
wolfSSL 0:d92f9d21154c 1124 int64_t f1f9_76 = f1_2 * (int64_t) f9_38;
wolfSSL 0:d92f9d21154c 1125 int64_t f2f2 = f2 * (int64_t) f2;
wolfSSL 0:d92f9d21154c 1126 int64_t f2f3_2 = f2_2 * (int64_t) f3;
wolfSSL 0:d92f9d21154c 1127 int64_t f2f4_2 = f2_2 * (int64_t) f4;
wolfSSL 0:d92f9d21154c 1128 int64_t f2f5_2 = f2_2 * (int64_t) f5;
wolfSSL 0:d92f9d21154c 1129 int64_t f2f6_2 = f2_2 * (int64_t) f6;
wolfSSL 0:d92f9d21154c 1130 int64_t f2f7_2 = f2_2 * (int64_t) f7;
wolfSSL 0:d92f9d21154c 1131 int64_t f2f8_38 = f2_2 * (int64_t) f8_19;
wolfSSL 0:d92f9d21154c 1132 int64_t f2f9_38 = f2 * (int64_t) f9_38;
wolfSSL 0:d92f9d21154c 1133 int64_t f3f3_2 = f3_2 * (int64_t) f3;
wolfSSL 0:d92f9d21154c 1134 int64_t f3f4_2 = f3_2 * (int64_t) f4;
wolfSSL 0:d92f9d21154c 1135 int64_t f3f5_4 = f3_2 * (int64_t) f5_2;
wolfSSL 0:d92f9d21154c 1136 int64_t f3f6_2 = f3_2 * (int64_t) f6;
wolfSSL 0:d92f9d21154c 1137 int64_t f3f7_76 = f3_2 * (int64_t) f7_38;
wolfSSL 0:d92f9d21154c 1138 int64_t f3f8_38 = f3_2 * (int64_t) f8_19;
wolfSSL 0:d92f9d21154c 1139 int64_t f3f9_76 = f3_2 * (int64_t) f9_38;
wolfSSL 0:d92f9d21154c 1140 int64_t f4f4 = f4 * (int64_t) f4;
wolfSSL 0:d92f9d21154c 1141 int64_t f4f5_2 = f4_2 * (int64_t) f5;
wolfSSL 0:d92f9d21154c 1142 int64_t f4f6_38 = f4_2 * (int64_t) f6_19;
wolfSSL 0:d92f9d21154c 1143 int64_t f4f7_38 = f4 * (int64_t) f7_38;
wolfSSL 0:d92f9d21154c 1144 int64_t f4f8_38 = f4_2 * (int64_t) f8_19;
wolfSSL 0:d92f9d21154c 1145 int64_t f4f9_38 = f4 * (int64_t) f9_38;
wolfSSL 0:d92f9d21154c 1146 int64_t f5f5_38 = f5 * (int64_t) f5_38;
wolfSSL 0:d92f9d21154c 1147 int64_t f5f6_38 = f5_2 * (int64_t) f6_19;
wolfSSL 0:d92f9d21154c 1148 int64_t f5f7_76 = f5_2 * (int64_t) f7_38;
wolfSSL 0:d92f9d21154c 1149 int64_t f5f8_38 = f5_2 * (int64_t) f8_19;
wolfSSL 0:d92f9d21154c 1150 int64_t f5f9_76 = f5_2 * (int64_t) f9_38;
wolfSSL 0:d92f9d21154c 1151 int64_t f6f6_19 = f6 * (int64_t) f6_19;
wolfSSL 0:d92f9d21154c 1152 int64_t f6f7_38 = f6 * (int64_t) f7_38;
wolfSSL 0:d92f9d21154c 1153 int64_t f6f8_38 = f6_2 * (int64_t) f8_19;
wolfSSL 0:d92f9d21154c 1154 int64_t f6f9_38 = f6 * (int64_t) f9_38;
wolfSSL 0:d92f9d21154c 1155 int64_t f7f7_38 = f7 * (int64_t) f7_38;
wolfSSL 0:d92f9d21154c 1156 int64_t f7f8_38 = f7_2 * (int64_t) f8_19;
wolfSSL 0:d92f9d21154c 1157 int64_t f7f9_76 = f7_2 * (int64_t) f9_38;
wolfSSL 0:d92f9d21154c 1158 int64_t f8f8_19 = f8 * (int64_t) f8_19;
wolfSSL 0:d92f9d21154c 1159 int64_t f8f9_38 = f8 * (int64_t) f9_38;
wolfSSL 0:d92f9d21154c 1160 int64_t f9f9_38 = f9 * (int64_t) f9_38;
wolfSSL 0:d92f9d21154c 1161 int64_t h0 = f0f0 +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38;
wolfSSL 0:d92f9d21154c 1162 int64_t h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38;
wolfSSL 0:d92f9d21154c 1163 int64_t h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19;
wolfSSL 0:d92f9d21154c 1164 int64_t h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38;
wolfSSL 0:d92f9d21154c 1165 int64_t h4 = f0f4_2+f1f3_4 +f2f2 +f5f9_76+f6f8_38+f7f7_38;
wolfSSL 0:d92f9d21154c 1166 int64_t h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38;
wolfSSL 0:d92f9d21154c 1167 int64_t h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19;
wolfSSL 0:d92f9d21154c 1168 int64_t h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38;
wolfSSL 0:d92f9d21154c 1169 int64_t h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4 +f9f9_38;
wolfSSL 0:d92f9d21154c 1170 int64_t h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2;
wolfSSL 0:d92f9d21154c 1171 int64_t carry0;
wolfSSL 0:d92f9d21154c 1172 int64_t carry1;
wolfSSL 0:d92f9d21154c 1173 int64_t carry2;
wolfSSL 0:d92f9d21154c 1174 int64_t carry3;
wolfSSL 0:d92f9d21154c 1175 int64_t carry4;
wolfSSL 0:d92f9d21154c 1176 int64_t carry5;
wolfSSL 0:d92f9d21154c 1177 int64_t carry6;
wolfSSL 0:d92f9d21154c 1178 int64_t carry7;
wolfSSL 0:d92f9d21154c 1179 int64_t carry8;
wolfSSL 0:d92f9d21154c 1180 int64_t carry9;
wolfSSL 0:d92f9d21154c 1181
wolfSSL 0:d92f9d21154c 1182 h0 += h0;
wolfSSL 0:d92f9d21154c 1183 h1 += h1;
wolfSSL 0:d92f9d21154c 1184 h2 += h2;
wolfSSL 0:d92f9d21154c 1185 h3 += h3;
wolfSSL 0:d92f9d21154c 1186 h4 += h4;
wolfSSL 0:d92f9d21154c 1187 h5 += h5;
wolfSSL 0:d92f9d21154c 1188 h6 += h6;
wolfSSL 0:d92f9d21154c 1189 h7 += h7;
wolfSSL 0:d92f9d21154c 1190 h8 += h8;
wolfSSL 0:d92f9d21154c 1191 h9 += h9;
wolfSSL 0:d92f9d21154c 1192
wolfSSL 0:d92f9d21154c 1193 carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
wolfSSL 0:d92f9d21154c 1194 carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
wolfSSL 0:d92f9d21154c 1195
wolfSSL 0:d92f9d21154c 1196 carry1 = (h1 + (int64_t) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
wolfSSL 0:d92f9d21154c 1197 carry5 = (h5 + (int64_t) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
wolfSSL 0:d92f9d21154c 1198
wolfSSL 0:d92f9d21154c 1199 carry2 = (h2 + (int64_t) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
wolfSSL 0:d92f9d21154c 1200 carry6 = (h6 + (int64_t) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
wolfSSL 0:d92f9d21154c 1201
wolfSSL 0:d92f9d21154c 1202 carry3 = (h3 + (int64_t) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
wolfSSL 0:d92f9d21154c 1203 carry7 = (h7 + (int64_t) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
wolfSSL 0:d92f9d21154c 1204
wolfSSL 0:d92f9d21154c 1205 carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
wolfSSL 0:d92f9d21154c 1206 carry8 = (h8 + (int64_t) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
wolfSSL 0:d92f9d21154c 1207
wolfSSL 0:d92f9d21154c 1208 carry9 = (h9 + (int64_t) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
wolfSSL 0:d92f9d21154c 1209
wolfSSL 0:d92f9d21154c 1210 carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
wolfSSL 0:d92f9d21154c 1211
wolfSSL 0:d92f9d21154c 1212 h[0] = (int32_t)h0;
wolfSSL 0:d92f9d21154c 1213 h[1] = (int32_t)h1;
wolfSSL 0:d92f9d21154c 1214 h[2] = (int32_t)h2;
wolfSSL 0:d92f9d21154c 1215 h[3] = (int32_t)h3;
wolfSSL 0:d92f9d21154c 1216 h[4] = (int32_t)h4;
wolfSSL 0:d92f9d21154c 1217 h[5] = (int32_t)h5;
wolfSSL 0:d92f9d21154c 1218 h[6] = (int32_t)h6;
wolfSSL 0:d92f9d21154c 1219 h[7] = (int32_t)h7;
wolfSSL 0:d92f9d21154c 1220 h[8] = (int32_t)h8;
wolfSSL 0:d92f9d21154c 1221 h[9] = (int32_t)h9;
wolfSSL 0:d92f9d21154c 1222 }
wolfSSL 0:d92f9d21154c 1223
wolfSSL 0:d92f9d21154c 1224
wolfSSL 0:d92f9d21154c 1225 void fe_pow22523(fe out,const fe z)
wolfSSL 0:d92f9d21154c 1226 {
wolfSSL 0:d92f9d21154c 1227 fe t0;
wolfSSL 0:d92f9d21154c 1228 fe t1;
wolfSSL 0:d92f9d21154c 1229 fe t2;
wolfSSL 0:d92f9d21154c 1230 int i;
wolfSSL 0:d92f9d21154c 1231
wolfSSL 0:d92f9d21154c 1232 fe_sq(t0,z); for (i = 1;i < 1;++i) fe_sq(t0,t0);
wolfSSL 0:d92f9d21154c 1233 fe_sq(t1,t0); for (i = 1;i < 2;++i) fe_sq(t1,t1);
wolfSSL 0:d92f9d21154c 1234 fe_mul(t1,z,t1);
wolfSSL 0:d92f9d21154c 1235 fe_mul(t0,t0,t1);
wolfSSL 0:d92f9d21154c 1236 fe_sq(t0,t0); for (i = 1;i < 1;++i) fe_sq(t0,t0);
wolfSSL 0:d92f9d21154c 1237 fe_mul(t0,t1,t0);
wolfSSL 0:d92f9d21154c 1238 fe_sq(t1,t0); for (i = 1;i < 5;++i) fe_sq(t1,t1);
wolfSSL 0:d92f9d21154c 1239 fe_mul(t0,t1,t0);
wolfSSL 0:d92f9d21154c 1240 fe_sq(t1,t0); for (i = 1;i < 10;++i) fe_sq(t1,t1);
wolfSSL 0:d92f9d21154c 1241 fe_mul(t1,t1,t0);
wolfSSL 0:d92f9d21154c 1242 fe_sq(t2,t1); for (i = 1;i < 20;++i) fe_sq(t2,t2);
wolfSSL 0:d92f9d21154c 1243 fe_mul(t1,t2,t1);
wolfSSL 0:d92f9d21154c 1244 fe_sq(t1,t1); for (i = 1;i < 10;++i) fe_sq(t1,t1);
wolfSSL 0:d92f9d21154c 1245 fe_mul(t0,t1,t0);
wolfSSL 0:d92f9d21154c 1246 fe_sq(t1,t0); for (i = 1;i < 50;++i) fe_sq(t1,t1);
wolfSSL 0:d92f9d21154c 1247 fe_mul(t1,t1,t0);
wolfSSL 0:d92f9d21154c 1248 fe_sq(t2,t1); for (i = 1;i < 100;++i) fe_sq(t2,t2);
wolfSSL 0:d92f9d21154c 1249 fe_mul(t1,t2,t1);
wolfSSL 0:d92f9d21154c 1250 fe_sq(t1,t1); for (i = 1;i < 50;++i) fe_sq(t1,t1);
wolfSSL 0:d92f9d21154c 1251 fe_mul(t0,t1,t0);
wolfSSL 0:d92f9d21154c 1252 fe_sq(t0,t0); for (i = 1;i < 2;++i) fe_sq(t0,t0);
wolfSSL 0:d92f9d21154c 1253 fe_mul(out,t0,z);
wolfSSL 0:d92f9d21154c 1254
wolfSSL 0:d92f9d21154c 1255 return;
wolfSSL 0:d92f9d21154c 1256 }
wolfSSL 0:d92f9d21154c 1257
wolfSSL 0:d92f9d21154c 1258
wolfSSL 0:d92f9d21154c 1259 /*
wolfSSL 0:d92f9d21154c 1260 h = -f
wolfSSL 0:d92f9d21154c 1261
wolfSSL 0:d92f9d21154c 1262 Preconditions:
wolfSSL 0:d92f9d21154c 1263 |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
wolfSSL 0:d92f9d21154c 1264
wolfSSL 0:d92f9d21154c 1265 Postconditions:
wolfSSL 0:d92f9d21154c 1266 |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
wolfSSL 0:d92f9d21154c 1267 */
wolfSSL 0:d92f9d21154c 1268
wolfSSL 0:d92f9d21154c 1269 void fe_neg(fe h,const fe f)
wolfSSL 0:d92f9d21154c 1270 {
wolfSSL 0:d92f9d21154c 1271 int32_t f0 = f[0];
wolfSSL 0:d92f9d21154c 1272 int32_t f1 = f[1];
wolfSSL 0:d92f9d21154c 1273 int32_t f2 = f[2];
wolfSSL 0:d92f9d21154c 1274 int32_t f3 = f[3];
wolfSSL 0:d92f9d21154c 1275 int32_t f4 = f[4];
wolfSSL 0:d92f9d21154c 1276 int32_t f5 = f[5];
wolfSSL 0:d92f9d21154c 1277 int32_t f6 = f[6];
wolfSSL 0:d92f9d21154c 1278 int32_t f7 = f[7];
wolfSSL 0:d92f9d21154c 1279 int32_t f8 = f[8];
wolfSSL 0:d92f9d21154c 1280 int32_t f9 = f[9];
wolfSSL 0:d92f9d21154c 1281 int32_t h0 = -f0;
wolfSSL 0:d92f9d21154c 1282 int32_t h1 = -f1;
wolfSSL 0:d92f9d21154c 1283 int32_t h2 = -f2;
wolfSSL 0:d92f9d21154c 1284 int32_t h3 = -f3;
wolfSSL 0:d92f9d21154c 1285 int32_t h4 = -f4;
wolfSSL 0:d92f9d21154c 1286 int32_t h5 = -f5;
wolfSSL 0:d92f9d21154c 1287 int32_t h6 = -f6;
wolfSSL 0:d92f9d21154c 1288 int32_t h7 = -f7;
wolfSSL 0:d92f9d21154c 1289 int32_t h8 = -f8;
wolfSSL 0:d92f9d21154c 1290 int32_t h9 = -f9;
wolfSSL 0:d92f9d21154c 1291 h[0] = h0;
wolfSSL 0:d92f9d21154c 1292 h[1] = h1;
wolfSSL 0:d92f9d21154c 1293 h[2] = h2;
wolfSSL 0:d92f9d21154c 1294 h[3] = h3;
wolfSSL 0:d92f9d21154c 1295 h[4] = h4;
wolfSSL 0:d92f9d21154c 1296 h[5] = h5;
wolfSSL 0:d92f9d21154c 1297 h[6] = h6;
wolfSSL 0:d92f9d21154c 1298 h[7] = h7;
wolfSSL 0:d92f9d21154c 1299 h[8] = h8;
wolfSSL 0:d92f9d21154c 1300 h[9] = h9;
wolfSSL 0:d92f9d21154c 1301 }
wolfSSL 0:d92f9d21154c 1302
wolfSSL 0:d92f9d21154c 1303
wolfSSL 0:d92f9d21154c 1304 /*
wolfSSL 0:d92f9d21154c 1305 Preconditions:
wolfSSL 0:d92f9d21154c 1306 |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
wolfSSL 0:d92f9d21154c 1307 */
wolfSSL 0:d92f9d21154c 1308
wolfSSL 0:d92f9d21154c 1309 static const unsigned char zero[32];
wolfSSL 0:d92f9d21154c 1310
wolfSSL 0:d92f9d21154c 1311 int fe_isnonzero(const fe f)
wolfSSL 0:d92f9d21154c 1312 {
wolfSSL 0:d92f9d21154c 1313 unsigned char s[32];
wolfSSL 0:d92f9d21154c 1314 fe_tobytes(s,f);
wolfSSL 0:d92f9d21154c 1315 return ConstantCompare(s,zero,32);
wolfSSL 0:d92f9d21154c 1316 }
wolfSSL 0:d92f9d21154c 1317
wolfSSL 0:d92f9d21154c 1318
wolfSSL 0:d92f9d21154c 1319 /*
wolfSSL 0:d92f9d21154c 1320 return 1 if f is in {1,3,5,...,q-2}
wolfSSL 0:d92f9d21154c 1321 return 0 if f is in {0,2,4,...,q-1}
wolfSSL 0:d92f9d21154c 1322
wolfSSL 0:d92f9d21154c 1323 Preconditions:
wolfSSL 0:d92f9d21154c 1324 |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
wolfSSL 0:d92f9d21154c 1325 */
wolfSSL 0:d92f9d21154c 1326
wolfSSL 0:d92f9d21154c 1327 int fe_isnegative(const fe f)
wolfSSL 0:d92f9d21154c 1328 {
wolfSSL 0:d92f9d21154c 1329 unsigned char s[32];
wolfSSL 0:d92f9d21154c 1330 fe_tobytes(s,f);
wolfSSL 0:d92f9d21154c 1331 return s[0] & 1;
wolfSSL 0:d92f9d21154c 1332 }
wolfSSL 0:d92f9d21154c 1333
wolfSSL 0:d92f9d21154c 1334
wolfSSL 0:d92f9d21154c 1335 /*
wolfSSL 0:d92f9d21154c 1336 Replace (f,g) with (g,g) if b == 1;
wolfSSL 0:d92f9d21154c 1337 replace (f,g) with (f,g) if b == 0.
wolfSSL 0:d92f9d21154c 1338
wolfSSL 0:d92f9d21154c 1339 Preconditions: b in {0,1}.
wolfSSL 0:d92f9d21154c 1340 */
wolfSSL 0:d92f9d21154c 1341
wolfSSL 0:d92f9d21154c 1342 void fe_cmov(fe f,const fe g,unsigned int b)
wolfSSL 0:d92f9d21154c 1343 {
wolfSSL 0:d92f9d21154c 1344 int32_t f0 = f[0];
wolfSSL 0:d92f9d21154c 1345 int32_t f1 = f[1];
wolfSSL 0:d92f9d21154c 1346 int32_t f2 = f[2];
wolfSSL 0:d92f9d21154c 1347 int32_t f3 = f[3];
wolfSSL 0:d92f9d21154c 1348 int32_t f4 = f[4];
wolfSSL 0:d92f9d21154c 1349 int32_t f5 = f[5];
wolfSSL 0:d92f9d21154c 1350 int32_t f6 = f[6];
wolfSSL 0:d92f9d21154c 1351 int32_t f7 = f[7];
wolfSSL 0:d92f9d21154c 1352 int32_t f8 = f[8];
wolfSSL 0:d92f9d21154c 1353 int32_t f9 = f[9];
wolfSSL 0:d92f9d21154c 1354 int32_t g0 = g[0];
wolfSSL 0:d92f9d21154c 1355 int32_t g1 = g[1];
wolfSSL 0:d92f9d21154c 1356 int32_t g2 = g[2];
wolfSSL 0:d92f9d21154c 1357 int32_t g3 = g[3];
wolfSSL 0:d92f9d21154c 1358 int32_t g4 = g[4];
wolfSSL 0:d92f9d21154c 1359 int32_t g5 = g[5];
wolfSSL 0:d92f9d21154c 1360 int32_t g6 = g[6];
wolfSSL 0:d92f9d21154c 1361 int32_t g7 = g[7];
wolfSSL 0:d92f9d21154c 1362 int32_t g8 = g[8];
wolfSSL 0:d92f9d21154c 1363 int32_t g9 = g[9];
wolfSSL 0:d92f9d21154c 1364 int32_t x0 = f0 ^ g0;
wolfSSL 0:d92f9d21154c 1365 int32_t x1 = f1 ^ g1;
wolfSSL 0:d92f9d21154c 1366 int32_t x2 = f2 ^ g2;
wolfSSL 0:d92f9d21154c 1367 int32_t x3 = f3 ^ g3;
wolfSSL 0:d92f9d21154c 1368 int32_t x4 = f4 ^ g4;
wolfSSL 0:d92f9d21154c 1369 int32_t x5 = f5 ^ g5;
wolfSSL 0:d92f9d21154c 1370 int32_t x6 = f6 ^ g6;
wolfSSL 0:d92f9d21154c 1371 int32_t x7 = f7 ^ g7;
wolfSSL 0:d92f9d21154c 1372 int32_t x8 = f8 ^ g8;
wolfSSL 0:d92f9d21154c 1373 int32_t x9 = f9 ^ g9;
wolfSSL 0:d92f9d21154c 1374 b = -b;
wolfSSL 0:d92f9d21154c 1375 x0 &= b;
wolfSSL 0:d92f9d21154c 1376 x1 &= b;
wolfSSL 0:d92f9d21154c 1377 x2 &= b;
wolfSSL 0:d92f9d21154c 1378 x3 &= b;
wolfSSL 0:d92f9d21154c 1379 x4 &= b;
wolfSSL 0:d92f9d21154c 1380 x5 &= b;
wolfSSL 0:d92f9d21154c 1381 x6 &= b;
wolfSSL 0:d92f9d21154c 1382 x7 &= b;
wolfSSL 0:d92f9d21154c 1383 x8 &= b;
wolfSSL 0:d92f9d21154c 1384 x9 &= b;
wolfSSL 0:d92f9d21154c 1385 f[0] = f0 ^ x0;
wolfSSL 0:d92f9d21154c 1386 f[1] = f1 ^ x1;
wolfSSL 0:d92f9d21154c 1387 f[2] = f2 ^ x2;
wolfSSL 0:d92f9d21154c 1388 f[3] = f3 ^ x3;
wolfSSL 0:d92f9d21154c 1389 f[4] = f4 ^ x4;
wolfSSL 0:d92f9d21154c 1390 f[5] = f5 ^ x5;
wolfSSL 0:d92f9d21154c 1391 f[6] = f6 ^ x6;
wolfSSL 0:d92f9d21154c 1392 f[7] = f7 ^ x7;
wolfSSL 0:d92f9d21154c 1393 f[8] = f8 ^ x8;
wolfSSL 0:d92f9d21154c 1394 f[9] = f9 ^ x9;
wolfSSL 0:d92f9d21154c 1395 }
wolfSSL 0:d92f9d21154c 1396 #endif /* HAVE ED25519 or CURVE25519 */
wolfSSL 0:d92f9d21154c 1397
wolfSSL 0:d92f9d21154c 1398