
fe -> fe25519

coverity_scan
Frank Denis 7 years ago
parent
commit
fb2e83a4d1
  1. 576
      src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c
  2. 6
      src/libsodium/crypto_core/curve25519/ref10/fe_25_5/constants.h
  3. 10
      src/libsodium/crypto_core/curve25519/ref10/fe_25_5/fe.h
  4. 6
      src/libsodium/crypto_core/curve25519/ref10/fe_51/constants.h
  5. 10
      src/libsodium/crypto_core/curve25519/ref10/fe_51/fe.h
  6. 92
      src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c
  7. 20
      src/libsodium/crypto_sign/ed25519/ref10/keypair.c
  8. 54
      src/libsodium/include/sodium/private/curve25519_ref10.h
  9. 32
      src/libsodium/include/sodium/private/curve25519_ref10_fe_25_5.h
  10. 38
      src/libsodium/include/sodium/private/curve25519_ref10_fe_51.h

576
src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c

@ -45,116 +45,116 @@ load_4(const unsigned char *in)
#endif
void
fe_invert(fe out, const fe z)
fe25519_invert(fe25519 out, const fe25519 z)
{
fe t0;
fe t1;
fe t2;
fe t3;
int i;
fe_sq(t0, z);
fe_sq(t1, t0);
fe_sq(t1, t1);
fe_mul(t1, z, t1);
fe_mul(t0, t0, t1);
fe_sq(t2, t0);
fe_mul(t1, t1, t2);
fe_sq(t2, t1);
fe25519 t0;
fe25519 t1;
fe25519 t2;
fe25519 t3;
int i;
fe25519_sq(t0, z);
fe25519_sq(t1, t0);
fe25519_sq(t1, t1);
fe25519_mul(t1, z, t1);
fe25519_mul(t0, t0, t1);
fe25519_sq(t2, t0);
fe25519_mul(t1, t1, t2);
fe25519_sq(t2, t1);
for (i = 1; i < 5; ++i) {
fe_sq(t2, t2);
fe25519_sq(t2, t2);
}
fe_mul(t1, t2, t1);
fe_sq(t2, t1);
fe25519_mul(t1, t2, t1);
fe25519_sq(t2, t1);
for (i = 1; i < 10; ++i) {
fe_sq(t2, t2);
fe25519_sq(t2, t2);
}
fe_mul(t2, t2, t1);
fe_sq(t3, t2);
fe25519_mul(t2, t2, t1);
fe25519_sq(t3, t2);
for (i = 1; i < 20; ++i) {
fe_sq(t3, t3);
fe25519_sq(t3, t3);
}
fe_mul(t2, t3, t2);
fe_sq(t2, t2);
fe25519_mul(t2, t3, t2);
fe25519_sq(t2, t2);
for (i = 1; i < 10; ++i) {
fe_sq(t2, t2);
fe25519_sq(t2, t2);
}
fe_mul(t1, t2, t1);
fe_sq(t2, t1);
fe25519_mul(t1, t2, t1);
fe25519_sq(t2, t1);
for (i = 1; i < 50; ++i) {
fe_sq(t2, t2);
fe25519_sq(t2, t2);
}
fe_mul(t2, t2, t1);
fe_sq(t3, t2);
fe25519_mul(t2, t2, t1);
fe25519_sq(t3, t2);
for (i = 1; i < 100; ++i) {
fe_sq(t3, t3);
fe25519_sq(t3, t3);
}
fe_mul(t2, t3, t2);
fe_sq(t2, t2);
fe25519_mul(t2, t3, t2);
fe25519_sq(t2, t2);
for (i = 1; i < 50; ++i) {
fe_sq(t2, t2);
fe25519_sq(t2, t2);
}
fe_mul(t1, t2, t1);
fe_sq(t1, t1);
fe25519_mul(t1, t2, t1);
fe25519_sq(t1, t1);
for (i = 1; i < 5; ++i) {
fe_sq(t1, t1);
fe25519_sq(t1, t1);
}
fe_mul(out, t1, t0);
fe25519_mul(out, t1, t0);
}
static void
fe_pow22523(fe out, const fe z)
fe25519_pow22523(fe25519 out, const fe25519 z)
{
fe t0;
fe t1;
fe t2;
int i;
fe_sq(t0, z);
fe_sq(t1, t0);
fe_sq(t1, t1);
fe_mul(t1, z, t1);
fe_mul(t0, t0, t1);
fe_sq(t0, t0);
fe_mul(t0, t1, t0);
fe_sq(t1, t0);
fe25519 t0;
fe25519 t1;
fe25519 t2;
int i;
fe25519_sq(t0, z);
fe25519_sq(t1, t0);
fe25519_sq(t1, t1);
fe25519_mul(t1, z, t1);
fe25519_mul(t0, t0, t1);
fe25519_sq(t0, t0);
fe25519_mul(t0, t1, t0);
fe25519_sq(t1, t0);
for (i = 1; i < 5; ++i) {
fe_sq(t1, t1);
fe25519_sq(t1, t1);
}
fe_mul(t0, t1, t0);
fe_sq(t1, t0);
fe25519_mul(t0, t1, t0);
fe25519_sq(t1, t0);
for (i = 1; i < 10; ++i) {
fe_sq(t1, t1);
fe25519_sq(t1, t1);
}
fe_mul(t1, t1, t0);
fe_sq(t2, t1);
fe25519_mul(t1, t1, t0);
fe25519_sq(t2, t1);
for (i = 1; i < 20; ++i) {
fe_sq(t2, t2);
fe25519_sq(t2, t2);
}
fe_mul(t1, t2, t1);
fe_sq(t1, t1);
fe25519_mul(t1, t2, t1);
fe25519_sq(t1, t1);
for (i = 1; i < 10; ++i) {
fe_sq(t1, t1);
fe25519_sq(t1, t1);
}
fe_mul(t0, t1, t0);
fe_sq(t1, t0);
fe25519_mul(t0, t1, t0);
fe25519_sq(t1, t0);
for (i = 1; i < 50; ++i) {
fe_sq(t1, t1);
fe25519_sq(t1, t1);
}
fe_mul(t1, t1, t0);
fe_sq(t2, t1);
fe25519_mul(t1, t1, t0);
fe25519_sq(t2, t1);
for (i = 1; i < 100; ++i) {
fe_sq(t2, t2);
fe25519_sq(t2, t2);
}
fe_mul(t1, t2, t1);
fe_sq(t1, t1);
fe25519_mul(t1, t2, t1);
fe25519_sq(t1, t1);
for (i = 1; i < 50; ++i) {
fe_sq(t1, t1);
fe25519_sq(t1, t1);
}
fe_mul(t0, t1, t0);
fe_sq(t0, t0);
fe_sq(t0, t0);
fe_mul(out, t0, z);
fe25519_mul(t0, t1, t0);
fe25519_sq(t0, t0);
fe25519_sq(t0, t0);
fe25519_mul(out, t0, z);
}
/*
@ -164,19 +164,19 @@ fe_pow22523(fe out, const fe z)
void
ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q)
{
fe t0;
fe_add(r->X, p->Y, p->X);
fe_sub(r->Y, p->Y, p->X);
fe_mul(r->Z, r->X, q->YplusX);
fe_mul(r->Y, r->Y, q->YminusX);
fe_mul(r->T, q->T2d, p->T);
fe_mul(r->X, p->Z, q->Z);
fe_add(t0, r->X, r->X);
fe_sub(r->X, r->Z, r->Y);
fe_add(r->Y, r->Z, r->Y);
fe_add(r->Z, t0, r->T);
fe_sub(r->T, t0, r->T);
fe25519 t0;
fe25519_add(r->X, p->Y, p->X);
fe25519_sub(r->Y, p->Y, p->X);
fe25519_mul(r->Z, r->X, q->YplusX);
fe25519_mul(r->Y, r->Y, q->YminusX);
fe25519_mul(r->T, q->T2d, p->T);
fe25519_mul(r->X, p->Z, q->Z);
fe25519_add(t0, r->X, r->X);
fe25519_sub(r->X, r->Z, r->Y);
fe25519_add(r->Y, r->Z, r->Y);
fe25519_add(r->Z, t0, r->T);
fe25519_sub(r->T, t0, r->T);
}
static void
@ -224,44 +224,44 @@ slide_vartime(signed char *r, const unsigned char *a)
int
ge_frombytes(ge_p3 *h, const unsigned char *s)
{
fe u;
fe v;
fe v3;
fe vxx;
fe m_root_check, p_root_check;
fe negx;
fe x_sqrtm1;
int has_m_root, has_p_root;
fe_frombytes(h->Y, s);
fe_1(h->Z);
fe_sq(u, h->Y);
fe_mul(v, u, d);
fe_sub(u, u, h->Z); /* u = y^2-1 */
fe_add(v, v, h->Z); /* v = dy^2+1 */
fe_sq(v3, v);
fe_mul(v3, v3, v); /* v3 = v^3 */
fe_sq(h->X, v3);
fe_mul(h->X, h->X, v);
fe_mul(h->X, h->X, u); /* x = uv^7 */
fe_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */
fe_mul(h->X, h->X, v3);
fe_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */
fe_sq(vxx, h->X);
fe_mul(vxx, vxx, v);
fe_sub(m_root_check, vxx, u); /* vx^2-u */
fe_add(p_root_check, vxx, u); /* vx^2+u */
has_m_root = fe_iszero(m_root_check);
has_p_root = fe_iszero(p_root_check);
fe_mul(x_sqrtm1, h->X, sqrtm1); /* x*sqrt(-1) */
fe_cmov(h->X, x_sqrtm1, 1 - has_m_root);
fe_neg(negx, h->X);
fe_cmov(h->X, negx, fe_isnegative(h->X) ^ (s[31] >> 7));
fe_mul(h->T, h->X, h->Y);
fe25519 u;
fe25519 v;
fe25519 v3;
fe25519 vxx;
fe25519 m_root_check, p_root_check;
fe25519 negx;
fe25519 x_sqrtm1;
int has_m_root, has_p_root;
fe25519_frombytes(h->Y, s);
fe25519_1(h->Z);
fe25519_sq(u, h->Y);
fe25519_mul(v, u, d);
fe25519_sub(u, u, h->Z); /* u = y^2-1 */
fe25519_add(v, v, h->Z); /* v = dy^2+1 */
fe25519_sq(v3, v);
fe25519_mul(v3, v3, v); /* v3 = v^3 */
fe25519_sq(h->X, v3);
fe25519_mul(h->X, h->X, v);
fe25519_mul(h->X, h->X, u); /* x = uv^7 */
fe25519_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */
fe25519_mul(h->X, h->X, v3);
fe25519_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */
fe25519_sq(vxx, h->X);
fe25519_mul(vxx, vxx, v);
fe25519_sub(m_root_check, vxx, u); /* vx^2-u */
fe25519_add(p_root_check, vxx, u); /* vx^2+u */
has_m_root = fe25519_iszero(m_root_check);
has_p_root = fe25519_iszero(p_root_check);
fe25519_mul(x_sqrtm1, h->X, sqrtm1); /* x*sqrt(-1) */
fe25519_cmov(h->X, x_sqrtm1, 1 - has_m_root);
fe25519_neg(negx, h->X);
fe25519_cmov(h->X, negx, fe25519_isnegative(h->X) ^ (s[31] >> 7));
fe25519_mul(h->T, h->X, h->Y);
return (has_m_root | has_p_root) - 1;
}
@ -269,44 +269,44 @@ ge_frombytes(ge_p3 *h, const unsigned char *s)
int
ge_frombytes_negate_vartime(ge_p3 *h, const unsigned char *s)
{
fe u;
fe v;
fe v3;
fe vxx;
fe m_root_check, p_root_check;
fe_frombytes(h->Y, s);
fe_1(h->Z);
fe_sq(u, h->Y);
fe_mul(v, u, d);
fe_sub(u, u, h->Z); /* u = y^2-1 */
fe_add(v, v, h->Z); /* v = dy^2+1 */
fe_sq(v3, v);
fe_mul(v3, v3, v); /* v3 = v^3 */
fe_sq(h->X, v3);
fe_mul(h->X, h->X, v);
fe_mul(h->X, h->X, u); /* x = uv^7 */
fe_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */
fe_mul(h->X, h->X, v3);
fe_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */
fe_sq(vxx, h->X);
fe_mul(vxx, vxx, v);
fe_sub(m_root_check, vxx, u); /* vx^2-u */
if (fe_iszero(m_root_check) == 0) {
fe_add(p_root_check, vxx, u); /* vx^2+u */
if (fe_iszero(p_root_check) == 0) {
fe25519 u;
fe25519 v;
fe25519 v3;
fe25519 vxx;
fe25519 m_root_check, p_root_check;
fe25519_frombytes(h->Y, s);
fe25519_1(h->Z);
fe25519_sq(u, h->Y);
fe25519_mul(v, u, d);
fe25519_sub(u, u, h->Z); /* u = y^2-1 */
fe25519_add(v, v, h->Z); /* v = dy^2+1 */
fe25519_sq(v3, v);
fe25519_mul(v3, v3, v); /* v3 = v^3 */
fe25519_sq(h->X, v3);
fe25519_mul(h->X, h->X, v);
fe25519_mul(h->X, h->X, u); /* x = uv^7 */
fe25519_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */
fe25519_mul(h->X, h->X, v3);
fe25519_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */
fe25519_sq(vxx, h->X);
fe25519_mul(vxx, vxx, v);
fe25519_sub(m_root_check, vxx, u); /* vx^2-u */
if (fe25519_iszero(m_root_check) == 0) {
fe25519_add(p_root_check, vxx, u); /* vx^2+u */
if (fe25519_iszero(p_root_check) == 0) {
return -1;
}
fe_mul(h->X, h->X, sqrtm1);
fe25519_mul(h->X, h->X, sqrtm1);
}
if (fe_isnegative(h->X) == (s[31] >> 7)) {
fe_neg(h->X, h->X);
if (fe25519_isnegative(h->X) == (s[31] >> 7)) {
fe25519_neg(h->X, h->X);
}
fe_mul(h->T, h->X, h->Y);
fe25519_mul(h->T, h->X, h->Y);
return 0;
}
@ -318,18 +318,18 @@ ge_frombytes_negate_vartime(ge_p3 *h, const unsigned char *s)
static void
ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q)
{
fe t0;
fe_add(r->X, p->Y, p->X);
fe_sub(r->Y, p->Y, p->X);
fe_mul(r->Z, r->X, q->yplusx);
fe_mul(r->Y, r->Y, q->yminusx);
fe_mul(r->T, q->xy2d, p->T);
fe_add(t0, p->Z, p->Z);
fe_sub(r->X, r->Z, r->Y);
fe_add(r->Y, r->Z, r->Y);
fe_add(r->Z, t0, r->T);
fe_sub(r->T, t0, r->T);
fe25519 t0;
fe25519_add(r->X, p->Y, p->X);
fe25519_sub(r->Y, p->Y, p->X);
fe25519_mul(r->Z, r->X, q->yplusx);
fe25519_mul(r->Y, r->Y, q->yminusx);
fe25519_mul(r->T, q->xy2d, p->T);
fe25519_add(t0, p->Z, p->Z);
fe25519_sub(r->X, r->Z, r->Y);
fe25519_add(r->Y, r->Z, r->Y);
fe25519_add(r->Z, t0, r->T);
fe25519_sub(r->T, t0, r->T);
}
/*
@ -339,18 +339,18 @@ ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q)
static void
ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q)
{
fe t0;
fe_add(r->X, p->Y, p->X);
fe_sub(r->Y, p->Y, p->X);
fe_mul(r->Z, r->X, q->yminusx);
fe_mul(r->Y, r->Y, q->yplusx);
fe_mul(r->T, q->xy2d, p->T);
fe_add(t0, p->Z, p->Z);
fe_sub(r->X, r->Z, r->Y);
fe_add(r->Y, r->Z, r->Y);
fe_sub(r->Z, t0, r->T);
fe_add(r->T, t0, r->T);
fe25519 t0;
fe25519_add(r->X, p->Y, p->X);
fe25519_sub(r->Y, p->Y, p->X);
fe25519_mul(r->Z, r->X, q->yminusx);
fe25519_mul(r->Y, r->Y, q->yplusx);
fe25519_mul(r->T, q->xy2d, p->T);
fe25519_add(t0, p->Z, p->Z);
fe25519_sub(r->X, r->Z, r->Y);
fe25519_add(r->Y, r->Z, r->Y);
fe25519_sub(r->Z, t0, r->T);
fe25519_add(r->T, t0, r->T);
}
/*
@ -360,9 +360,9 @@ ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q)
void
ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p)
{
fe_mul(r->X, p->X, p->T);
fe_mul(r->Y, p->Y, p->Z);
fe_mul(r->Z, p->Z, p->T);
fe25519_mul(r->X, p->X, p->T);
fe25519_mul(r->Y, p->Y, p->Z);
fe25519_mul(r->Z, p->Z, p->T);
}
/*
@ -372,18 +372,18 @@ ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p)
static void
ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p)
{
fe_mul(r->X, p->X, p->T);
fe_mul(r->Y, p->Y, p->Z);
fe_mul(r->Z, p->Z, p->T);
fe_mul(r->T, p->X, p->Y);
fe25519_mul(r->X, p->X, p->T);
fe25519_mul(r->Y, p->Y, p->Z);
fe25519_mul(r->Z, p->Z, p->T);
fe25519_mul(r->T, p->X, p->Y);
}
static void
ge_p2_0(ge_p2 *h)
{
fe_0(h->X);
fe_1(h->Y);
fe_1(h->Z);
fe25519_0(h->X);
fe25519_1(h->Y);
fe25519_1(h->Z);
}
/*
@ -393,26 +393,26 @@ ge_p2_0(ge_p2 *h)
static void
ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p)
{
fe t0;
fe_sq(r->X, p->X);
fe_sq(r->Z, p->Y);
fe_sq2(r->T, p->Z);
fe_add(r->Y, p->X, p->Y);
fe_sq(t0, r->Y);
fe_add(r->Y, r->Z, r->X);
fe_sub(r->Z, r->Z, r->X);
fe_sub(r->X, t0, r->Y);
fe_sub(r->T, r->T, r->Z);
fe25519 t0;
fe25519_sq(r->X, p->X);
fe25519_sq(r->Z, p->Y);
fe25519_sq2(r->T, p->Z);
fe25519_add(r->Y, p->X, p->Y);
fe25519_sq(t0, r->Y);
fe25519_add(r->Y, r->Z, r->X);
fe25519_sub(r->Z, r->Z, r->X);
fe25519_sub(r->X, t0, r->Y);
fe25519_sub(r->T, r->T, r->Z);
}
static void
ge_p3_0(ge_p3 *h)
{
fe_0(h->X);
fe_1(h->Y);
fe_1(h->Z);
fe_0(h->T);
fe25519_0(h->X);
fe25519_1(h->Y);
fe25519_1(h->Z);
fe25519_0(h->T);
}
/*
@ -422,27 +422,27 @@ ge_p3_0(ge_p3 *h)
void
ge_p3_to_cached(ge_cached *r, const ge_p3 *p)
{
fe_add(r->YplusX, p->Y, p->X);
fe_sub(r->YminusX, p->Y, p->X);
fe_copy(r->Z, p->Z);
fe_mul(r->T2d, p->T, d2);
fe25519_add(r->YplusX, p->Y, p->X);
fe25519_sub(r->YminusX, p->Y, p->X);
fe25519_copy(r->Z, p->Z);
fe25519_mul(r->T2d, p->T, d2);
}
static void
ge_p3_to_precomp(ge_precomp *pi, const ge_p3 *p)
{
fe recip;
fe x;
fe y;
fe xy;
fe_invert(recip, p->Z);
fe_mul(x, p->X, recip);
fe_mul(y, p->Y, recip);
fe_add(pi->yplusx, y, x);
fe_sub(pi->yminusx, y, x);
fe_mul(xy, x, y);
fe_mul(pi->xy2d, xy, d2);
fe25519 recip;
fe25519 x;
fe25519 y;
fe25519 xy;
fe25519_invert(recip, p->Z);
fe25519_mul(x, p->X, recip);
fe25519_mul(y, p->Y, recip);
fe25519_add(pi->yplusx, y, x);
fe25519_sub(pi->yminusx, y, x);
fe25519_mul(xy, x, y);
fe25519_mul(pi->xy2d, xy, d2);
}
/*
@ -452,23 +452,23 @@ ge_p3_to_precomp(ge_precomp *pi, const ge_p3 *p)
static void
ge_p3_to_p2(ge_p2 *r, const ge_p3 *p)
{
fe_copy(r->X, p->X);
fe_copy(r->Y, p->Y);
fe_copy(r->Z, p->Z);
fe25519_copy(r->X, p->X);
fe25519_copy(r->Y, p->Y);
fe25519_copy(r->Z, p->Z);
}
void
ge_p3_tobytes(unsigned char *s, const ge_p3 *h)
{
fe recip;
fe x;
fe y;
fe_invert(recip, h->Z);
fe_mul(x, h->X, recip);
fe_mul(y, h->Y, recip);
fe_tobytes(s, y);
s[31] ^= fe_isnegative(x) << 7;
fe25519 recip;
fe25519 x;
fe25519 y;
fe25519_invert(recip, h->Z);
fe25519_mul(x, h->X, recip);
fe25519_mul(y, h->Y, recip);
fe25519_tobytes(s, y);
s[31] ^= fe25519_isnegative(x) << 7;
}
/*
@ -486,9 +486,9 @@ ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p)
static void
ge_precomp_0(ge_precomp *h)
{
fe_1(h->yplusx);
fe_1(h->yminusx);
fe_0(h->xy2d);
fe25519_1(h->yplusx);
fe25519_1(h->yminusx);
fe25519_0(h->xy2d);
}
static unsigned char
@ -519,9 +519,9 @@ negative(signed char b)
static void
ge_cmov(ge_precomp *t, const ge_precomp *u, unsigned char b)
{
fe_cmov(t->yplusx, u->yplusx, b);
fe_cmov(t->yminusx, u->yminusx, b);
fe_cmov(t->xy2d, u->xy2d, b);
fe25519_cmov(t->yplusx, u->yplusx, b);
fe25519_cmov(t->yminusx, u->yminusx, b);
fe25519_cmov(t->xy2d, u->xy2d, b);
}
static void
@ -540,9 +540,9 @@ ge_select(ge_precomp *t, const ge_precomp precomp[8], const signed char b)
ge_cmov(t, &precomp[5], equal(babs, 6));
ge_cmov(t, &precomp[6], equal(babs, 7));
ge_cmov(t, &precomp[7], equal(babs, 8));
fe_copy(minust.yplusx, t->yminusx);
fe_copy(minust.yminusx, t->yplusx);
fe_neg(minust.xy2d, t->xy2d);
fe25519_copy(minust.yplusx, t->yminusx);
fe25519_copy(minust.yminusx, t->yplusx);
fe25519_neg(minust.xy2d, t->xy2d);
ge_cmov(t, &minust, bnegative);
}
@ -566,33 +566,33 @@ ge_select_base(ge_precomp *t, const int pos, const signed char b)
static void
ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q)
{
fe t0;
fe_add(r->X, p->Y, p->X);
fe_sub(r->Y, p->Y, p->X);
fe_mul(r->Z, r->X, q->YminusX);
fe_mul(r->Y, r->Y, q->YplusX);
fe_mul(r->T, q->T2d, p->T);
fe_mul(r->X, p->Z, q->Z);
fe_add(t0, r->X, r->X);
fe_sub(r->X, r->Z, r->Y);
fe_add(r->Y, r->Z, r->Y);
fe_sub(r->Z, t0, r->T);
fe_add(r->T, t0, r->T);
fe25519 t0;
fe25519_add(r->X, p->Y, p->X);
fe25519_sub(r->Y, p->Y, p->X);
fe25519_mul(r->Z, r->X, q->YminusX);
fe25519_mul(r->Y, r->Y, q->YplusX);
fe25519_mul(r->T, q->T2d, p->T);
fe25519_mul(r->X, p->Z, q->Z);
fe25519_add(t0, r->X, r->X);
fe25519_sub(r->X, r->Z, r->Y);
fe25519_add(r->Y, r->Z, r->Y);
fe25519_sub(r->Z, t0, r->T);
fe25519_add(r->T, t0, r->T);
}
void
ge_tobytes(unsigned char *s, const ge_p2 *h)
{
fe recip;
fe x;
fe y;
fe_invert(recip, h->Z);
fe_mul(x, h->X, recip);
fe_mul(y, h->Y, recip);
fe_tobytes(s, y);
s[31] ^= fe_isnegative(x) << 7;
fe25519 recip;
fe25519 x;
fe25519 y;
fe25519_invert(recip, h->Z);
fe25519_mul(x, h->X, recip);
fe25519_mul(y, h->Y, recip);
fe25519_tobytes(s, y);
s[31] ^= fe25519_isnegative(x) << 7;
}
/*
@ -893,26 +893,26 @@ ge_mul_l(ge_p3 *r, const ge_p3 *A)
int
ge_is_on_curve(const ge_p3 *p)
{
fe x2;
fe y2;
fe z2;
fe z4;
fe t0;
fe t1;
fe_sq(x2, p->X);
fe_sq(y2, p->Y);
fe_sq(z2, p->Z);
fe_sub(t0, y2, x2);
fe_mul(t0, t0, z2);
fe_mul(t1, x2, y2);
fe_mul(t1, t1, d);
fe_sq(z4, z2);
fe_add(t1, t1, z4);
fe_sub(t0, t0, t1);
return fe_iszero(t0);
fe25519 x2;
fe25519 y2;
fe25519 z2;
fe25519 z4;
fe25519 t0;
fe25519 t1;
fe25519_sq(x2, p->X);
fe25519_sq(y2, p->Y);
fe25519_sq(z2, p->Z);
fe25519_sub(t0, y2, x2);
fe25519_mul(t0, t0, z2);
fe25519_mul(t1, x2, y2);
fe25519_mul(t1, t1, d);
fe25519_sq(z4, z2);
fe25519_add(t1, t1, z4);
fe25519_sub(t0, t0, t1);
return fe25519_iszero(t0);
}
int
@ -922,7 +922,7 @@ ge_is_on_main_subgroup(const ge_p3 *p)
ge_mul_l(&pl, p);
return fe_iszero(pl.X);
return fe25519_iszero(pl.X);
}
int

6
src/libsodium/crypto_core/curve25519/ref10/fe_25_5/constants.h

@ -1,15 +1,15 @@
/* 37095705934669439343138083508754565189542113879843219016388785533085940283555 */
static const fe d = {
static const fe25519 d = {
-10913610, 13857413, -15372611, 6949391, 114729, -8787816, -6275908, -3247719, -18696448, -12055116
};
/* 2 * d =
* 16295367250680780974490674513165176452449235426866156013048779062215315747161
*/
static const fe d2 = {
static const fe25519 d2 = {
-21827239, -5839606, -30745221, 13898782, 229458, 15978800, -12551817, -6495438, 29715968, 9444199 };
/* sqrt(-1) */
static const fe sqrtm1 = {
static const fe25519 sqrtm1 = {
-32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482
};

10
src/libsodium/crypto_core/curve25519/ref10/fe_25_5/fe.h

@ -3,7 +3,7 @@
*/
void
fe_frombytes(fe h, const unsigned char *s)
fe25519_frombytes(fe25519 h, const unsigned char *s)
{
int64_t h0 = load_4(s);
int64_t h1 = load_3(s + 4) << 6;
@ -97,7 +97,7 @@ fe_frombytes(fe h, const unsigned char *s)
*/
static void
fe_reduce(fe h, const fe f)
fe25519_reduce(fe25519 h, const fe25519 f)
{
int32_t h0 = f[0];
int32_t h1 = f[1];
@ -180,11 +180,11 @@ fe_reduce(fe h, const fe f)
*/
void
fe_tobytes(unsigned char *s, const fe h)
fe25519_tobytes(unsigned char *s, const fe25519 h)
{
fe t;
fe25519 t;
fe_reduce(t, h);
fe25519_reduce(t, h);
s[0] = t[0] >> 0;
s[1] = t[0] >> 8;
s[2] = t[0] >> 16;

6
src/libsodium/crypto_core/curve25519/ref10/fe_51/constants.h

@ -1,16 +1,16 @@
/* 37095705934669439343138083508754565189542113879843219016388785533085940283555 */
static const fe d = {
static const fe25519 d = {
929955233495203, 466365720129213, 1662059464998953, 2033849074728123, 1442794654840575
};
/* 2 * d =
* 16295367250680780974490674513165176452449235426866156013048779062215315747161
*/
static const fe d2 = {
static const fe25519 d2 = {
1859910466990425, 932731440258426, 1072319116312658, 1815898335770999, 633789495995903
};
/* sqrt(-1) */
static const fe sqrtm1 = {
static const fe25519 sqrtm1 = {
1718705420411056, 234908883556509, 2233514472574048, 2117202627021982, 765476049583133
};

10
src/libsodium/crypto_core/curve25519/ref10/fe_51/fe.h

@ -3,7 +3,7 @@
*/
void
fe_frombytes(fe h, const unsigned char *s)
fe25519_frombytes(fe25519 h, const unsigned char *s)
{
const uint64_t mask = 0x7ffffffffffffULL;
uint64_t h0, h1, h2, h3, h4;
@ -22,7 +22,7 @@ fe_frombytes(fe h, const unsigned char *s)
}
static void
fe_reduce(fe h, const fe f)
fe25519_reduce(fe25519 h, const fe25519 f)
{
const uint64_t mask = 0x7ffffffffffffULL;
uint128_t t[5];
@ -99,12 +99,12 @@ fe_reduce(fe h, const fe f)
}
void
fe_tobytes(unsigned char *s, const fe h)
fe25519_tobytes(unsigned char *s, const fe25519 h)
{
fe t;
fe25519 t;
uint64_t t0, t1, t2, t3;
fe_reduce(t, h);
fe25519_reduce(t, h);
t0 = t[0] | (t[1] << 51);
t1 = (t[1] >> 13) | (t[2] << 38);
t2 = (t[2] >> 26) | (t[3] << 25);

92
src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c

@ -14,13 +14,13 @@ crypto_scalarmult_curve25519_ref10(unsigned char *q,
{
unsigned char *t = q;
unsigned int i;
fe x1;
fe x2;
fe z2;
fe x3;
fe z3;
fe tmp0;
fe tmp1;
fe25519 x1;
fe25519 x2;
fe25519 z2;
fe25519 x3;
fe25519 z3;
fe25519 tmp0;
fe25519 tmp1;
int pos;
unsigned int swap;
unsigned int b;
@ -31,59 +31,59 @@ crypto_scalarmult_curve25519_ref10(unsigned char *q,
t[0] &= 248;
t[31] &= 127;
t[31] |= 64;
fe_frombytes(x1, p);
fe_1(x2);
fe_0(z2);
fe_copy(x3, x1);
fe_1(z3);
fe25519_frombytes(x1, p);
fe25519_1(x2);
fe25519_0(z2);
fe25519_copy(x3, x1);
fe25519_1(z3);
swap = 0;
for (pos = 254; pos >= 0; --pos) {
b = t[pos / 8] >> (pos & 7);
b &= 1;
swap ^= b;
fe_cswap(x2, x3, swap);
fe_cswap(z2, z3, swap);
fe25519_cswap(x2, x3, swap);
fe25519_cswap(z2, z3, swap);
swap = b;
fe_sub(tmp0, x3, z3);
fe_sub(tmp1, x2, z2);
fe_add(x2, x2, z2);
fe_add(z2, x3, z3);
fe_mul(z3, tmp0, x2);
fe_mul(z2, z2, tmp1);
fe_sq(tmp0, tmp1);
fe_sq(tmp1, x2);
fe_add(x3, z3, z2);
fe_sub(z2, z3, z2);
fe_mul(x2, tmp1, tmp0);
fe_sub(tmp1, tmp1, tmp0);
fe_sq(z2, z2);
fe_scalar_product(z3, tmp1, 121666);
fe_sq(x3, x3);
fe_add(tmp0, tmp0, z3);
fe_mul(z3, x1, z2);
fe_mul(z2, tmp1, tmp0);
fe25519_sub(tmp0, x3, z3);
fe25519_sub(tmp1, x2, z2);
fe25519_add(x2, x2, z2);
fe25519_add(z2, x3, z3);
fe25519_mul(z3, tmp0, x2);
fe25519_mul(z2, z2, tmp1);
fe25519_sq(tmp0, tmp1);
fe25519_sq(tmp1, x2);
fe25519_add(x3, z3, z2);
fe25519_sub(z2, z3, z2);
fe25519_mul(x2, tmp1, tmp0);
fe25519_sub(tmp1, tmp1, tmp0);
fe25519_sq(z2, z2);
fe25519_scalar_product(z3, tmp1, 121666);
fe25519_sq(x3, x3);
fe25519_add(tmp0, tmp0, z3);
fe25519_mul(z3, x1, z2);
fe25519_mul(z2, tmp1, tmp0);
}
fe_cswap(x2, x3, swap);
fe_cswap(z2, z3, swap);
fe25519_cswap(x2, x3, swap);
fe25519_cswap(z2, z3, swap);
fe_invert(z2, z2);
fe_mul(x2, x2, z2);
fe_tobytes(q, x2);
fe25519_invert(z2, z2);
fe25519_mul(x2, x2, z2);
fe25519_tobytes(q, x2);
return 0;
}
static void
edwards_to_montgomery(fe montgomeryX, const fe edwardsY, const fe edwardsZ)
edwards_to_montgomery(fe25519 montgomeryX, const fe25519 edwardsY, const fe25519 edwardsZ)
{
fe tempX;
fe tempZ;
fe25519 tempX;
fe25519 tempZ;
fe_add(tempX, edwardsZ, edwardsY);
fe_sub(tempZ, edwardsZ, edwardsY);
fe_invert(tempZ, tempZ);
fe_mul(montgomeryX, tempX, tempZ);
fe25519_add(tempX, edwardsZ, edwardsY);
fe25519_sub(tempZ, edwardsZ, edwardsY);
fe25519_invert(tempZ, tempZ);
fe25519_mul(montgomeryX, tempX, tempZ);
}
static int
@ -92,7 +92,7 @@ crypto_scalarmult_curve25519_ref10_base(unsigned char *q,
{
unsigned char *t = q;
ge_p3 A;
fe pk;
fe25519 pk;
unsigned int i;
for (i = 0; i < 32; i++) {
@ -103,7 +103,7 @@ crypto_scalarmult_curve25519_ref10_base(unsigned char *q,
t[31] |= 64;
ge_scalarmult_base(&A, t);
edwards_to_montgomery(pk, A.Y, A.Z);
fe_tobytes(q, pk);
fe25519_tobytes(q, pk);
return 0;
}

20
src/libsodium/crypto_sign/ed25519/ref10/keypair.c

@ -50,22 +50,22 @@ int
crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk,
const unsigned char *ed25519_pk)
{
ge_p3 A;
fe x;
fe one_minus_y;
ge_p3 A;
fe25519 x;
fe25519 one_minus_y;
if (ge_has_small_order(ed25519_pk) != 0 ||
ge_frombytes_negate_vartime(&A, ed25519_pk) != 0 ||
ge_is_on_main_subgroup(&A) == 0) {
return -1;
}
fe_1(one_minus_y);
fe_sub(one_minus_y, one_minus_y, A.Y);
fe_invert(one_minus_y, one_minus_y);
fe_1(x);
fe_add(x, x, A.Y);
fe_mul(x, x, one_minus_y);
fe_tobytes(curve25519_pk, x);
fe25519_1(one_minus_y);
fe25519_sub(one_minus_y, one_minus_y, A.Y);
fe25519_invert(one_minus_y, one_minus_y);
fe25519_1(x);
fe25519_add(x, x, A.Y);
fe25519_mul(x, x, one_minus_y);
fe25519_tobytes(curve25519_pk, x);
return 0;
}

54
src/libsodium/include/sodium/private/curve25519_ref10.h

@ -9,17 +9,15 @@
Here the field is \Z/(2^255-19).
*/
#define fe fe25519
#ifdef HAVE_TI_MODE
typedef uint64_t fe[5];
typedef uint64_t fe25519[5];
#else
typedef int32_t fe[10];
typedef int32_t fe25519[10];
#endif
void fe_invert(fe out, const fe z);
void fe_frombytes(fe h, const unsigned char *s);
void fe_tobytes(unsigned char *s, const fe h);
void fe25519_invert(fe25519 out, const fe25519 z);
void fe25519_frombytes(fe25519 h, const unsigned char *s);
void fe25519_tobytes(unsigned char *s, const fe25519 h);
#ifdef HAVE_TI_MODE
# include "curve25519_ref10_fe_51.h"
@ -30,11 +28,11 @@ void fe_tobytes(unsigned char *s, const fe h);
/*
ge means group element.
*
Here the group is the set of pairs (x,y) of field elements (see fe.h)
Here the group is the set of pairs (x,y) of field elements
satisfying -x^2 + y^2 = 1 + d x^2y^2
where d = -121665/121666.
*
Representations:
ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z
ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
@ -44,40 +42,40 @@ void fe_tobytes(unsigned char *s, const fe h);
#define ge_p2 ge25519_p2
typedef struct {
fe X;
fe Y;
fe Z;
fe25519 X;
fe25519 Y;
fe25519 Z;
} ge_p2;
#define ge_p3 ge25519_p3
typedef struct {
fe X;
fe Y;
fe Z;
fe T;
fe25519 X;
fe25519 Y;
fe25519 Z;
fe25519 T;
} ge_p3;
#define ge_p1p1 ge25519_p1p1
typedef struct {
fe X;
fe Y;
fe Z;
fe T;
fe25519 X;
fe25519 Y;
fe25519 Z;
fe25519 T;
} ge_p1p1;
#define ge_precomp ge25519_precomp
typedef struct {
fe yplusx;
fe yminusx;
fe xy2d;
fe25519 yplusx;
fe25519 yminusx;
fe25519 xy2d;
} ge_precomp;
#define ge_cached ge25519_cached
typedef struct {
fe YplusX;
fe YminusX;
fe Z;
fe T2d;
fe25519 YplusX;
fe25519 YminusX;
fe25519 Z;
fe25519 T2d;
} ge_cached;
void ge_tobytes(unsigned char *,const ge_p2 *);

32
src/libsodium/include/sodium/private/curve25519_ref10_fe_25_5.h

@ -8,7 +8,7 @@
*/
static inline void
fe_0(fe h)
fe25519_0(fe25519 h)
{
memset(&h[0], 0, 10 * sizeof h[0]);
}
@ -18,7 +18,7 @@ fe_0(fe h)
*/
static inline void
fe_1(fe h)
fe25519_1(fe25519 h)
{
h[0] = 1;
h[1] = 0;
@ -38,7 +38,7 @@ fe_1(fe h)
*/
static inline void
fe_add(fe h, const fe f, const fe g)
fe25519_add(fe25519 h, const fe25519 f, const fe25519 g)
{
int32_t h0 = f[0] + g[0];
int32_t h1 = f[1] + g[1];
@ -76,7 +76,7 @@ fe_add(fe h, const fe f, const fe g)
*/
static void
fe_sub(fe h, const fe f, const fe g)
fe25519_sub(fe25519 h, const fe25519 f, const fe25519 g)
{
int32_t h0 = f[0] - g[0];
int32_t h1 = f[1] - g[1];
@ -112,7 +112,7 @@ fe_sub(fe h, const fe f, const fe g)
*/
static inline void
fe_neg(fe h, const fe f)
fe25519_neg(fe25519 h, const fe25519 f)
{
int32_t h0 = -f[0];
int32_t h1 = -f[1];
@ -145,7 +145,7 @@ fe_neg(fe h, const fe f)
*/
static void
fe_cmov(fe f, const fe g, unsigned int b)
fe25519_cmov(fe25519 f, const fe25519 g, unsigned int b)
{
const uint32_t mask = (uint32_t) (-(int32_t) b);
@ -195,7 +195,7 @@ fe_cmov(fe f, const fe g, unsigned int b)
}
static void
fe_cswap(fe f, fe g, unsigned int b)
fe25519_cswap(fe25519 f, fe25519 g, unsigned int b)
{
const uint32_t mask = (uint32_t) (-(int64_t) b);
@ -271,7 +271,7 @@ fe_cswap(fe f, fe g, unsigned int b)
*/
static inline void
fe_copy(fe h, const fe f)
fe25519_copy(fe25519 h, const fe25519 f)
{
int32_t f0 = f[0];
int32_t f1 = f[1];
@ -305,11 +305,11 @@ fe_copy(fe h, const fe f)
*/
static inline int
fe_isnegative(const fe f)
fe25519_isnegative(const fe25519 f)
{
unsigned char s[32];
fe_tobytes(s, f);
fe25519_tobytes(s, f);
return s[0] & 1;
}
@ -323,11 +323,11 @@ fe_isnegative(const fe f)
*/
static inline int
fe_iszero(const fe f)
fe25519_iszero(const fe25519 f)
{
unsigned char s[32];
fe_tobytes(s, f);
fe25519_tobytes(s, f);
return sodium_is_zero(s, 32);
}
@ -365,7 +365,7 @@ fe_iszero(const fe f)
*/
static void
fe_mul(fe h, const fe f, const fe g)
fe25519_mul(fe25519 h, const fe25519 f, const fe25519 g)
{
int32_t f0 = f[0];
int32_t f1 = f[1];
@ -635,7 +635,7 @@ fe_mul(fe h, const fe f, const fe g)
*/
static void
fe_sq(fe h, const fe f)
fe25519_sq(fe25519 h, const fe25519 f)
{
int32_t f0 = f[0];
int32_t f1 = f[1];
@ -807,7 +807,7 @@ fe_sq(fe h, const fe f)
*/
static void
fe_sq2(fe h, const fe f)
fe25519_sq2(fe25519 h, const fe25519 f)
{
int32_t f0 = f[0];
int32_t f1 = f[1];
@ -979,7 +979,7 @@ fe_sq2(fe h, const fe f)
}
static void
fe_scalar_product(fe h, const fe f, uint32_t n)
fe25519_scalar_product(fe25519 h, const fe25519 f, uint32_t n)
{
int64_t sn = (int64_t) n;
int32_t f0 = f[0];

38
src/libsodium/include/sodium/private/curve25519_ref10_fe_51.h

@ -8,7 +8,7 @@
*/
static inline void
fe_0(fe h)
fe25519_0(fe25519 h)
{
memset(&h[0], 0, 5 * sizeof h[0]);
}
@ -18,7 +18,7 @@ fe_0(fe h)
*/
static inline void
fe_1(fe h)
fe25519_1(fe25519 h)
{
h[0] = 1;
memset(&h[1], 0, 4 * sizeof h[0]);
@ -30,7 +30,7 @@ fe_1(fe h)
*/
static inline void
fe_add(fe h, const fe f, const fe g)
fe25519_add(fe25519 h, const fe25519 f, const fe25519 g)
{
uint64_t h0 = f[0] + g[0];
uint64_t h1 = f[1] + g[1];
@ -50,7 +50,7 @@ fe_add(fe h, const fe f, const fe g)
*/
static void
fe_sub(fe h, const fe f, const fe g)
fe25519_sub(fe25519 h, const fe25519 f, const fe25519 g)
{
const uint64_t mask = 0x7ffffffffffffULL;
uint64_t h0, h1, h2, h3, h4;
@ -90,12 +90,12 @@ fe_sub(fe h, const fe f, const fe g)
*/
static inline void
fe_neg(fe h, const fe f)
fe25519_neg(fe25519 h, const fe25519 f)
{
fe zero;
fe25519 zero;
fe_0(zero);
fe_sub(h, zero, f);
fe25519_0(zero);
fe25519_sub(h, zero, f);
}
/*
@ -106,7 +106,7 @@ fe_neg(fe h, const fe f)
*/
static void
fe_cmov(fe f, const fe g, unsigned int b)
fe25519_cmov(fe25519 f, const fe25519 g, unsigned int b)
{
const uint64_t mask = (uint64_t) (-(int64_t) b);
@ -143,7 +143,7 @@ Preconditions: b in {0,1}.
*/
static void
fe_cswap(fe f, fe g, unsigned int b)
fe25519_cswap(fe25519 f, fe25519 g, unsigned int b)
{
const uint64_t mask = (uint64_t) (-(int64_t) b);
@ -189,7 +189,7 @@ fe_cswap(fe f, fe g, unsigned int b)
*/
static inline void
fe_copy(fe h, const fe f)
fe25519_copy(fe25519 h, const fe25519 f)
{
uint64_t f0 = f[0];
uint64_t f1 = f[1];
@ -210,11 +210,11 @@ fe_copy(fe h, const fe f)
*/
static inline int
fe_isnegative(const fe f)
fe25519_isnegative(const fe25519 f)
{
unsigned char s[32];
fe_tobytes(s, f);
fe25519_tobytes(s, f);
return s[0] & 1;
}
@ -225,11 +225,11 @@ fe_isnegative(const fe f)
*/
static inline int
fe_iszero(const fe f)
fe25519_iszero(const fe25519 f)
{
unsigned char s[32];
fe_tobytes(s, f);
fe25519_tobytes(s, f);
return sodium_is_zero(s, 32);
}
@ -240,7 +240,7 @@ fe_iszero(const fe f)
*/
static void
fe_mul(fe h, const fe f, const fe g)
fe25519_mul(fe25519 h, const fe25519 f, const fe25519 g)
{
const uint64_t mask = 0x7ffffffffffffULL;
uint128_t r0, r1, r2, r3, r4, carry;
@ -331,7 +331,7 @@ fe_mul(fe h, const fe f, const fe g)
*/
static void
fe_sq(fe h, const fe f)
fe25519_sq(fe25519 h, const fe25519 f)
{
const uint64_t mask = 0x7ffffffffffffULL;
uint128_t r0, r1, r2, r3, r4, carry;
@ -410,7 +410,7 @@ fe_sq(fe h, const fe f)
*/
static void
fe_sq2(fe h, const fe f)
fe25519_sq2(fe25519 h, const fe25519 f)
{
const uint64_t mask = 0x7ffffffffffffULL;
uint128_t r0, r1, r2, r3, r4, carry;
@ -490,7 +490,7 @@ fe_sq2(fe h, const fe f)
}
static void
fe_scalar_product(fe h, const fe f, uint32_t n)
fe25519_scalar_product(fe25519 h, const fe25519 f, uint32_t n)
{
const uint64_t mask = 0x7ffffffffffffULL;
uint128_t a;
