Botan 3.9.0
Crypto and TLS for C&
ed25519_fe.cpp
Go to the documentation of this file.
1/*
2* Ed25519 field element
3* (C) 2017 Ribose Inc
4*
5* Based on the public domain code from SUPERCOP ref10 by
6* Peter Schwabe, Daniel J. Bernstein, Niels Duif, Tanja Lange, Bo-Yin Yang
7*
8* Botan is released under the Simplified BSD License (see license.txt)
9*/
10
11#include <botan/internal/ed25519_fe.h>
12
13#include <botan/internal/ed25519_internal.h>
14
15namespace Botan {
16
17//static
18Ed25519_FieldElement Ed25519_FieldElement::invert() const {
19 auto t0 = this->sqr();
20 auto t1 = t0.sqr_iter(2);
21 t1 = *this * t1;
22 t0 = t0 * t1;
23 auto t2 = t0.sqr();
24 t1 = t1 * t2;
25 t2 = t1.sqr_iter(5);
26 t1 = t2 * t1;
27 t2 = t1.sqr_iter(10);
28 t2 = t2 * t1;
29 auto t3 = t2.sqr_iter(20);
30 t2 = t3 * t2;
31 t2 = t2.sqr_iter(10);
32 t1 = t2 * t1;
33 t2 = t1.sqr_iter(50);
34 t2 = t2 * t1;
35 t3 = t2.sqr_iter(100);
36 t2 = t3 * t2;
37 t2 = t2.sqr_iter(50);
38 t1 = t2 * t1;
39 t1 = t1.sqr_iter(5);
40
41 t0 = t1 * t0;
42 return t0;
43}
44
45Ed25519_FieldElement Ed25519_FieldElement::pow_22523() const {
46 auto t0 = this->sqr();
47 auto t1 = t0.sqr_iter(2);
48 t1 = (*this) * t1;
49 t0 = t0 * t1;
50 t0 = t0.sqr();
51 t0 = t1 * t0;
52 t1 = t0.sqr_iter(5);
53 t0 = t1 * t0;
54 t1 = t0.sqr_iter(10);
55 t1 = t1 * t0;
56 auto t2 = t1.sqr_iter(20);
57 t1 = t2 * t1;
58 t1 = t1.sqr_iter(10);
59 t0 = t1 * t0;
60 t1 = t0.sqr_iter(50);
61 t1 = t1 * t0;
62 t2 = t1.sqr_iter(100);
63 t1 = t2 * t1;
64 t1 = t1.sqr_iter(50);
65 t0 = t1 * t0;
66 t0 = t0.sqr_iter(2);
67
68 t0 = t0 * (*this);
69 return t0;
70}
71
72/*
73h = f * g
74Can overlap h with f or g.
75
76Preconditions:
77|f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
78|g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
79
80Postconditions:
81|h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
82*/
83
84/*
85Notes on implementation strategy:
86
87Using schoolbook multiplication.
88Karatsuba would save a little in some cost models.
89
90Most multiplications by 2 and 19 are 32-bit precomputations;
91cheaper than 64-bit postcomputations.
92
93There is one remaining multiplication by 19 in the carry chain;
94one *19 precomputation can be merged into this,
95but the resulting data flow is considerably less clean.
96
97There are 12 carries below.
9810 of them are 2-way parallelizable and vectorizable.
99Can get away with 11 carries, but then data flow is much deeper.
100
101With tighter constraints on inputs can squeeze carries into int32.
102*/
103
104//static
105Ed25519_FieldElement Ed25519_FieldElement::mul(const Ed25519_FieldElement& f, const Ed25519_FieldElement& g) {
106 const int32_t f0 = f.m_fe[0];
107 const int32_t f1 = f.m_fe[1];
108 const int32_t f2 = f.m_fe[2];
109 const int32_t f3 = f.m_fe[3];
110 const int32_t f4 = f.m_fe[4];
111 const int32_t f5 = f.m_fe[5];
112 const int32_t f6 = f.m_fe[6];
113 const int32_t f7 = f.m_fe[7];
114 const int32_t f8 = f.m_fe[8];
115 const int32_t f9 = f.m_fe[9];
116
117 const int32_t g0 = g.m_fe[0];
118 const int32_t g1 = g.m_fe[1];
119 const int32_t g2 = g.m_fe[2];
120 const int32_t g3 = g.m_fe[3];
121 const int32_t g4 = g.m_fe[4];
122 const int32_t g5 = g.m_fe[5];
123 const int32_t g6 = g.m_fe[6];
124 const int32_t g7 = g.m_fe[7];
125 const int32_t g8 = g.m_fe[8];
126 const int32_t g9 = g.m_fe[9];
127
128 const int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */
129 const int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */
130 const int32_t g3_19 = 19 * g3;
131 const int32_t g4_19 = 19 * g4;
132 const int32_t g5_19 = 19 * g5;
133 const int32_t g6_19 = 19 * g6;
134 const int32_t g7_19 = 19 * g7;
135 const int32_t g8_19 = 19 * g8;
136 const int32_t g9_19 = 19 * g9;
137 const int32_t f1_2 = 2 * f1;
138 const int32_t f3_2 = 2 * f3;
139 const int32_t f5_2 = 2 * f5;
140 const int32_t f7_2 = 2 * f7;
141 const int32_t f9_2 = 2 * f9;
142
143 const int64_t f0g0 = f0 * static_cast<int64_t>(g0);
144 const int64_t f0g1 = f0 * static_cast<int64_t>(g1);
145 const int64_t f0g2 = f0 * static_cast<int64_t>(g2);
146 const int64_t f0g3 = f0 * static_cast<int64_t>(g3);
147 const int64_t f0g4 = f0 * static_cast<int64_t>(g4);
148 const int64_t f0g5 = f0 * static_cast<int64_t>(g5);
149 const int64_t f0g6 = f0 * static_cast<int64_t>(g6);
150 const int64_t f0g7 = f0 * static_cast<int64_t>(g7);
151 const int64_t f0g8 = f0 * static_cast<int64_t>(g8);
152 const int64_t f0g9 = f0 * static_cast<int64_t>(g9);
153 const int64_t f1g0 = f1 * static_cast<int64_t>(g0);
154 const int64_t f1g1_2 = f1_2 * static_cast<int64_t>(g1);
155 const int64_t f1g2 = f1 * static_cast<int64_t>(g2);
156 const int64_t f1g3_2 = f1_2 * static_cast<int64_t>(g3);
157 const int64_t f1g4 = f1 * static_cast<int64_t>(g4);
158 const int64_t f1g5_2 = f1_2 * static_cast<int64_t>(g5);
159 const int64_t f1g6 = f1 * static_cast<int64_t>(g6);
160 const int64_t f1g7_2 = f1_2 * static_cast<int64_t>(g7);
161 const int64_t f1g8 = f1 * static_cast<int64_t>(g8);
162 const int64_t f1g9_38 = f1_2 * static_cast<int64_t>(g9_19);
163 const int64_t f2g0 = f2 * static_cast<int64_t>(g0);
164 const int64_t f2g1 = f2 * static_cast<int64_t>(g1);
165 const int64_t f2g2 = f2 * static_cast<int64_t>(g2);
166 const int64_t f2g3 = f2 * static_cast<int64_t>(g3);
167 const int64_t f2g4 = f2 * static_cast<int64_t>(g4);
168 const int64_t f2g5 = f2 * static_cast<int64_t>(g5);
169 const int64_t f2g6 = f2 * static_cast<int64_t>(g6);
170 const int64_t f2g7 = f2 * static_cast<int64_t>(g7);
171 const int64_t f2g8_19 = f2 * static_cast<int64_t>(g8_19);
172 const int64_t f2g9_19 = f2 * static_cast<int64_t>(g9_19);
173 const int64_t f3g0 = f3 * static_cast<int64_t>(g0);
174 const int64_t f3g1_2 = f3_2 * static_cast<int64_t>(g1);
175 const int64_t f3g2 = f3 * static_cast<int64_t>(g2);
176 const int64_t f3g3_2 = f3_2 * static_cast<int64_t>(g3);
177 const int64_t f3g4 = f3 * static_cast<int64_t>(g4);
178 const int64_t f3g5_2 = f3_2 * static_cast<int64_t>(g5);
179 const int64_t f3g6 = f3 * static_cast<int64_t>(g6);
180 const int64_t f3g7_38 = f3_2 * static_cast<int64_t>(g7_19);
181 const int64_t f3g8_19 = f3 * static_cast<int64_t>(g8_19);
182 const int64_t f3g9_38 = f3_2 * static_cast<int64_t>(g9_19);
183 const int64_t f4g0 = f4 * static_cast<int64_t>(g0);
184 const int64_t f4g1 = f4 * static_cast<int64_t>(g1);
185 const int64_t f4g2 = f4 * static_cast<int64_t>(g2);
186 const int64_t f4g3 = f4 * static_cast<int64_t>(g3);
187 const int64_t f4g4 = f4 * static_cast<int64_t>(g4);
188 const int64_t f4g5 = f4 * static_cast<int64_t>(g5);
189 const int64_t f4g6_19 = f4 * static_cast<int64_t>(g6_19);
190 const int64_t f4g7_19 = f4 * static_cast<int64_t>(g7_19);
191 const int64_t f4g8_19 = f4 * static_cast<int64_t>(g8_19);
192 const int64_t f4g9_19 = f4 * static_cast<int64_t>(g9_19);
193 const int64_t f5g0 = f5 * static_cast<int64_t>(g0);
194 const int64_t f5g1_2 = f5_2 * static_cast<int64_t>(g1);
195 const int64_t f5g2 = f5 * static_cast<int64_t>(g2);
196 const int64_t f5g3_2 = f5_2 * static_cast<int64_t>(g3);
197 const int64_t f5g4 = f5 * static_cast<int64_t>(g4);
198 const int64_t f5g5_38 = f5_2 * static_cast<int64_t>(g5_19);
199 const int64_t f5g6_19 = f5 * static_cast<int64_t>(g6_19);
200 const int64_t f5g7_38 = f5_2 * static_cast<int64_t>(g7_19);
201 const int64_t f5g8_19 = f5 * static_cast<int64_t>(g8_19);
202 const int64_t f5g9_38 = f5_2 * static_cast<int64_t>(g9_19);
203 const int64_t f6g0 = f6 * static_cast<int64_t>(g0);
204 const int64_t f6g1 = f6 * static_cast<int64_t>(g1);
205 const int64_t f6g2 = f6 * static_cast<int64_t>(g2);
206 const int64_t f6g3 = f6 * static_cast<int64_t>(g3);
207 const int64_t f6g4_19 = f6 * static_cast<int64_t>(g4_19);
208 const int64_t f6g5_19 = f6 * static_cast<int64_t>(g5_19);
209 const int64_t f6g6_19 = f6 * static_cast<int64_t>(g6_19);
210 const int64_t f6g7_19 = f6 * static_cast<int64_t>(g7_19);
211 const int64_t f6g8_19 = f6 * static_cast<int64_t>(g8_19);
212 const int64_t f6g9_19 = f6 * static_cast<int64_t>(g9_19);
213 const int64_t f7g0 = f7 * static_cast<int64_t>(g0);
214 const int64_t f7g1_2 = f7_2 * static_cast<int64_t>(g1);
215 const int64_t f7g2 = f7 * static_cast<int64_t>(g2);
216 const int64_t f7g3_38 = f7_2 * static_cast<int64_t>(g3_19);
217 const int64_t f7g4_19 = f7 * static_cast<int64_t>(g4_19);
218 const int64_t f7g5_38 = f7_2 * static_cast<int64_t>(g5_19);
219 const int64_t f7g6_19 = f7 * static_cast<int64_t>(g6_19);
220 const int64_t f7g7_38 = f7_2 * static_cast<int64_t>(g7_19);
221 const int64_t f7g8_19 = f7 * static_cast<int64_t>(g8_19);
222 const int64_t f7g9_38 = f7_2 * static_cast<int64_t>(g9_19);
223 const int64_t f8g0 = f8 * static_cast<int64_t>(g0);
224 const int64_t f8g1 = f8 * static_cast<int64_t>(g1);
225 const int64_t f8g2_19 = f8 * static_cast<int64_t>(g2_19);
226 const int64_t f8g3_19 = f8 * static_cast<int64_t>(g3_19);
227 const int64_t f8g4_19 = f8 * static_cast<int64_t>(g4_19);
228 const int64_t f8g5_19 = f8 * static_cast<int64_t>(g5_19);
229 const int64_t f8g6_19 = f8 * static_cast<int64_t>(g6_19);
230 const int64_t f8g7_19 = f8 * static_cast<int64_t>(g7_19);
231 const int64_t f8g8_19 = f8 * static_cast<int64_t>(g8_19);
232 const int64_t f8g9_19 = f8 * static_cast<int64_t>(g9_19);
233 const int64_t f9g0 = f9 * static_cast<int64_t>(g0);
234 const int64_t f9g1_38 = f9_2 * static_cast<int64_t>(g1_19);
235 const int64_t f9g2_19 = f9 * static_cast<int64_t>(g2_19);
236 const int64_t f9g3_38 = f9_2 * static_cast<int64_t>(g3_19);
237 const int64_t f9g4_19 = f9 * static_cast<int64_t>(g4_19);
238 const int64_t f9g5_38 = f9_2 * static_cast<int64_t>(g5_19);
239 const int64_t f9g6_19 = f9 * static_cast<int64_t>(g6_19);
240 const int64_t f9g7_38 = f9_2 * static_cast<int64_t>(g7_19);
241 const int64_t f9g8_19 = f9 * static_cast<int64_t>(g8_19);
242 const int64_t f9g9_38 = f9_2 * static_cast<int64_t>(g9_19);
243
244 int64_t h0 = f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38;
245 int64_t h1 = f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19;
246 int64_t h2 = f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38;
247 int64_t h3 = f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19;
248 int64_t h4 = f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38;
249 int64_t h5 = f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19;
250 int64_t h6 = f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38;
251 int64_t h7 = f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19;
252 int64_t h8 = f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38;
253 int64_t h9 = f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0;
254
255 /*
256 |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38))
257 i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8
258 |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19))
259 i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9
260 */
261 carry<26>(h0, h1);
262 carry<26>(h4, h5);
263
264 /* |h0| <= 2^25 */
265 /* |h4| <= 2^25 */
266 /* |h1| <= 1.71*2^59 */
267 /* |h5| <= 1.71*2^59 */
268
269 carry<25>(h1, h2);
270 carry<25>(h5, h6);
271
272 /* |h1| <= 2^24; from now on fits into int32 */
273 /* |h5| <= 2^24; from now on fits into int32 */
274 /* |h2| <= 1.41*2^60 */
275 /* |h6| <= 1.41*2^60 */
276
277 carry<26>(h2, h3);
278 carry<26>(h6, h7);
279 /* |h2| <= 2^25; from now on fits into int32 unchanged */
280 /* |h6| <= 2^25; from now on fits into int32 unchanged */
281 /* |h3| <= 1.71*2^59 */
282 /* |h7| <= 1.71*2^59 */
283
284 carry<25>(h3, h4);
285 carry<25>(h7, h8);
286 /* |h3| <= 2^24; from now on fits into int32 unchanged */
287 /* |h7| <= 2^24; from now on fits into int32 unchanged */
288 /* |h4| <= 1.72*2^34 */
289 /* |h8| <= 1.41*2^60 */
290
291 carry<26>(h4, h5);
292 carry<26>(h8, h9);
293 /* |h4| <= 2^25; from now on fits into int32 unchanged */
294 /* |h8| <= 2^25; from now on fits into int32 unchanged */
295 /* |h5| <= 1.01*2^24 */
296 /* |h9| <= 1.71*2^59 */
297
298 carry<25, 19>(h9, h0);
299
300 /* |h9| <= 2^24; from now on fits into int32 unchanged */
301 /* |h0| <= 1.1*2^39 */
302
303 carry<26>(h0, h1);
304 /* |h0| <= 2^25; from now on fits into int32 unchanged */
305 /* |h1| <= 1.01*2^24 */
306
307 return Ed25519_FieldElement(h0, h1, h2, h3, h4, h5, h6, h7, h8, h9);
308}
309
310/*
311h = f * f
312Can overlap h with f.
313
314Preconditions:
315|f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
316
317Postconditions:
318|h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
319*/
320
321/*
322See fe_mul.c for discussion of implementation strategy.
323*/
324
325//static
326Ed25519_FieldElement Ed25519_FieldElement::sqr_iter(size_t iter) const {
327 int32_t f0 = m_fe[0];
328 int32_t f1 = m_fe[1];
329 int32_t f2 = m_fe[2];
330 int32_t f3 = m_fe[3];
331 int32_t f4 = m_fe[4];
332 int32_t f5 = m_fe[5];
333 int32_t f6 = m_fe[6];
334 int32_t f7 = m_fe[7];
335 int32_t f8 = m_fe[8];
336 int32_t f9 = m_fe[9];
337
338 for(size_t i = 0; i != iter; ++i) {
339 const int32_t f0_2 = 2 * f0;
340 const int32_t f1_2 = 2 * f1;
341 const int32_t f2_2 = 2 * f2;
342 const int32_t f3_2 = 2 * f3;
343 const int32_t f4_2 = 2 * f4;
344 const int32_t f5_2 = 2 * f5;
345 const int32_t f6_2 = 2 * f6;
346 const int32_t f7_2 = 2 * f7;
347 const int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
348 const int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
349 const int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
350 const int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
351 const int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
352
353 const int64_t f0f0 = f0 * static_cast<int64_t>(f0);
354 const int64_t f0f1_2 = f0_2 * static_cast<int64_t>(f1);
355 const int64_t f0f2_2 = f0_2 * static_cast<int64_t>(f2);
356 const int64_t f0f3_2 = f0_2 * static_cast<int64_t>(f3);
357 const int64_t f0f4_2 = f0_2 * static_cast<int64_t>(f4);
358 const int64_t f0f5_2 = f0_2 * static_cast<int64_t>(f5);
359 const int64_t f0f6_2 = f0_2 * static_cast<int64_t>(f6);
360 const int64_t f0f7_2 = f0_2 * static_cast<int64_t>(f7);
361 const int64_t f0f8_2 = f0_2 * static_cast<int64_t>(f8);
362 const int64_t f0f9_2 = f0_2 * static_cast<int64_t>(f9);
363 const int64_t f1f1_2 = f1_2 * static_cast<int64_t>(f1);
364 const int64_t f1f2_2 = f1_2 * static_cast<int64_t>(f2);
365 const int64_t f1f3_4 = f1_2 * static_cast<int64_t>(f3_2);
366 const int64_t f1f4_2 = f1_2 * static_cast<int64_t>(f4);
367 const int64_t f1f5_4 = f1_2 * static_cast<int64_t>(f5_2);
368 const int64_t f1f6_2 = f1_2 * static_cast<int64_t>(f6);
369 const int64_t f1f7_4 = f1_2 * static_cast<int64_t>(f7_2);
370 const int64_t f1f8_2 = f1_2 * static_cast<int64_t>(f8);
371 const int64_t f1f9_76 = f1_2 * static_cast<int64_t>(f9_38);
372 const int64_t f2f2 = f2 * static_cast<int64_t>(f2);
373 const int64_t f2f3_2 = f2_2 * static_cast<int64_t>(f3);
374 const int64_t f2f4_2 = f2_2 * static_cast<int64_t>(f4);
375 const int64_t f2f5_2 = f2_2 * static_cast<int64_t>(f5);
376 const int64_t f2f6_2 = f2_2 * static_cast<int64_t>(f6);
377 const int64_t f2f7_2 = f2_2 * static_cast<int64_t>(f7);
378 const int64_t f2f8_38 = f2_2 * static_cast<int64_t>(f8_19);
379 const int64_t f2f9_38 = f2 * static_cast<int64_t>(f9_38);
380 const int64_t f3f3_2 = f3_2 * static_cast<int64_t>(f3);
381 const int64_t f3f4_2 = f3_2 * static_cast<int64_t>(f4);
382 const int64_t f3f5_4 = f3_2 * static_cast<int64_t>(f5_2);
383 const int64_t f3f6_2 = f3_2 * static_cast<int64_t>(f6);
384 const int64_t f3f7_76 = f3_2 * static_cast<int64_t>(f7_38);
385 const int64_t f3f8_38 = f3_2 * static_cast<int64_t>(f8_19);
386 const int64_t f3f9_76 = f3_2 * static_cast<int64_t>(f9_38);
387 const int64_t f4f4 = f4 * static_cast<int64_t>(f4);
388 const int64_t f4f5_2 = f4_2 * static_cast<int64_t>(f5);
389 const int64_t f4f6_38 = f4_2 * static_cast<int64_t>(f6_19);
390 const int64_t f4f7_38 = f4 * static_cast<int64_t>(f7_38);
391 const int64_t f4f8_38 = f4_2 * static_cast<int64_t>(f8_19);
392 const int64_t f4f9_38 = f4 * static_cast<int64_t>(f9_38);
393 const int64_t f5f5_38 = f5 * static_cast<int64_t>(f5_38);
394 const int64_t f5f6_38 = f5_2 * static_cast<int64_t>(f6_19);
395 const int64_t f5f7_76 = f5_2 * static_cast<int64_t>(f7_38);
396 const int64_t f5f8_38 = f5_2 * static_cast<int64_t>(f8_19);
397 const int64_t f5f9_76 = f5_2 * static_cast<int64_t>(f9_38);
398 const int64_t f6f6_19 = f6 * static_cast<int64_t>(f6_19);
399 const int64_t f6f7_38 = f6 * static_cast<int64_t>(f7_38);
400 const int64_t f6f8_38 = f6_2 * static_cast<int64_t>(f8_19);
401 const int64_t f6f9_38 = f6 * static_cast<int64_t>(f9_38);
402 const int64_t f7f7_38 = f7 * static_cast<int64_t>(f7_38);
403 const int64_t f7f8_38 = f7_2 * static_cast<int64_t>(f8_19);
404 const int64_t f7f9_76 = f7_2 * static_cast<int64_t>(f9_38);
405 const int64_t f8f8_19 = f8 * static_cast<int64_t>(f8_19);
406 const int64_t f8f9_38 = f8 * static_cast<int64_t>(f9_38);
407 const int64_t f9f9_38 = f9 * static_cast<int64_t>(f9_38);
408
409 int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
410 int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
411 int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
412 int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38;
413 int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38;
414 int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38;
415 int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19;
416 int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38;
417 int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38;
418 int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2;
419
420 carry<26>(h0, h1);
421 carry<26>(h4, h5);
422 carry<25>(h1, h2);
423 carry<25>(h5, h6);
424 carry<26>(h2, h3);
425 carry<26>(h6, h7);
426
427 carry<25>(h3, h4);
428 carry<25>(h7, h8);
429
430 carry<26>(h4, h5);
431 carry<26>(h8, h9);
432 carry<25, 19>(h9, h0);
433 carry<26>(h0, h1);
434
435 f0 = static_cast<int32_t>(h0);
436 f1 = static_cast<int32_t>(h1);
437 f2 = static_cast<int32_t>(h2);
438 f3 = static_cast<int32_t>(h3);
439 f4 = static_cast<int32_t>(h4);
440 f5 = static_cast<int32_t>(h5);
441 f6 = static_cast<int32_t>(h6);
442 f7 = static_cast<int32_t>(h7);
443 f8 = static_cast<int32_t>(h8);
444 f9 = static_cast<int32_t>(h9);
445 }
446
447 return Ed25519_FieldElement(f0, f1, f2, f3, f4, f5, f6, f7, f8, f9);
448}
449
450/*
451h = 2 * f * f
452Can overlap h with f.
453
454Preconditions:
455|f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
456
457Postconditions:
458|h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
459*/
460
461/*
462See fe_mul.c for discussion of implementation strategy.
463*/
464
465//static
466Ed25519_FieldElement Ed25519_FieldElement::sqr2() const {
467 const int32_t f0 = m_fe[0];
468 const int32_t f1 = m_fe[1];
469 const int32_t f2 = m_fe[2];
470 const int32_t f3 = m_fe[3];
471 const int32_t f4 = m_fe[4];
472 const int32_t f5 = m_fe[5];
473 const int32_t f6 = m_fe[6];
474 const int32_t f7 = m_fe[7];
475 const int32_t f8 = m_fe[8];
476 const int32_t f9 = m_fe[9];
477
478 const int32_t f0_2 = 2 * f0;
479 const int32_t f1_2 = 2 * f1;
480 const int32_t f2_2 = 2 * f2;
481 const int32_t f3_2 = 2 * f3;
482 const int32_t f4_2 = 2 * f4;
483 const int32_t f5_2 = 2 * f5;
484 const int32_t f6_2 = 2 * f6;
485 const int32_t f7_2 = 2 * f7;
486 const int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
487 const int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
488 const int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
489 const int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
490 const int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
491 const int64_t f0f0 = f0 * static_cast<int64_t>(f0);
492 const int64_t f0f1_2 = f0_2 * static_cast<int64_t>(f1);
493 const int64_t f0f2_2 = f0_2 * static_cast<int64_t>(f2);
494 const int64_t f0f3_2 = f0_2 * static_cast<int64_t>(f3);
495 const int64_t f0f4_2 = f0_2 * static_cast<int64_t>(f4);
496 const int64_t f0f5_2 = f0_2 * static_cast<int64_t>(f5);
497 const int64_t f0f6_2 = f0_2 * static_cast<int64_t>(f6);
498 const int64_t f0f7_2 = f0_2 * static_cast<int64_t>(f7);
499 const int64_t f0f8_2 = f0_2 * static_cast<int64_t>(f8);
500 const int64_t f0f9_2 = f0_2 * static_cast<int64_t>(f9);
501 const int64_t f1f1_2 = f1_2 * static_cast<int64_t>(f1);
502 const int64_t f1f2_2 = f1_2 * static_cast<int64_t>(f2);
503 const int64_t f1f3_4 = f1_2 * static_cast<int64_t>(f3_2);
504 const int64_t f1f4_2 = f1_2 * static_cast<int64_t>(f4);
505 const int64_t f1f5_4 = f1_2 * static_cast<int64_t>(f5_2);
506 const int64_t f1f6_2 = f1_2 * static_cast<int64_t>(f6);
507 const int64_t f1f7_4 = f1_2 * static_cast<int64_t>(f7_2);
508 const int64_t f1f8_2 = f1_2 * static_cast<int64_t>(f8);
509 const int64_t f1f9_76 = f1_2 * static_cast<int64_t>(f9_38);
510 const int64_t f2f2 = f2 * static_cast<int64_t>(f2);
511 const int64_t f2f3_2 = f2_2 * static_cast<int64_t>(f3);
512 const int64_t f2f4_2 = f2_2 * static_cast<int64_t>(f4);
513 const int64_t f2f5_2 = f2_2 * static_cast<int64_t>(f5);
514 const int64_t f2f6_2 = f2_2 * static_cast<int64_t>(f6);
515 const int64_t f2f7_2 = f2_2 * static_cast<int64_t>(f7);
516 const int64_t f2f8_38 = f2_2 * static_cast<int64_t>(f8_19);
517 const int64_t f2f9_38 = f2 * static_cast<int64_t>(f9_38);
518 const int64_t f3f3_2 = f3_2 * static_cast<int64_t>(f3);
519 const int64_t f3f4_2 = f3_2 * static_cast<int64_t>(f4);
520 const int64_t f3f5_4 = f3_2 * static_cast<int64_t>(f5_2);
521 const int64_t f3f6_2 = f3_2 * static_cast<int64_t>(f6);
522 const int64_t f3f7_76 = f3_2 * static_cast<int64_t>(f7_38);
523 const int64_t f3f8_38 = f3_2 * static_cast<int64_t>(f8_19);
524 const int64_t f3f9_76 = f3_2 * static_cast<int64_t>(f9_38);
525 const int64_t f4f4 = f4 * static_cast<int64_t>(f4);
526 const int64_t f4f5_2 = f4_2 * static_cast<int64_t>(f5);
527 const int64_t f4f6_38 = f4_2 * static_cast<int64_t>(f6_19);
528 const int64_t f4f7_38 = f4 * static_cast<int64_t>(f7_38);
529 const int64_t f4f8_38 = f4_2 * static_cast<int64_t>(f8_19);
530 const int64_t f4f9_38 = f4 * static_cast<int64_t>(f9_38);
531 const int64_t f5f5_38 = f5 * static_cast<int64_t>(f5_38);
532 const int64_t f5f6_38 = f5_2 * static_cast<int64_t>(f6_19);
533 const int64_t f5f7_76 = f5_2 * static_cast<int64_t>(f7_38);
534 const int64_t f5f8_38 = f5_2 * static_cast<int64_t>(f8_19);
535 const int64_t f5f9_76 = f5_2 * static_cast<int64_t>(f9_38);
536 const int64_t f6f6_19 = f6 * static_cast<int64_t>(f6_19);
537 const int64_t f6f7_38 = f6 * static_cast<int64_t>(f7_38);
538 const int64_t f6f8_38 = f6_2 * static_cast<int64_t>(f8_19);
539 const int64_t f6f9_38 = f6 * static_cast<int64_t>(f9_38);
540 const int64_t f7f7_38 = f7 * static_cast<int64_t>(f7_38);
541 const int64_t f7f8_38 = f7_2 * static_cast<int64_t>(f8_19);
542 const int64_t f7f9_76 = f7_2 * static_cast<int64_t>(f9_38);
543 const int64_t f8f8_19 = f8 * static_cast<int64_t>(f8_19);
544 const int64_t f8f9_38 = f8 * static_cast<int64_t>(f9_38);
545 const int64_t f9f9_38 = f9 * static_cast<int64_t>(f9_38);
546
547 int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
548 int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
549 int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
550 int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38;
551 int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38;
552 int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38;
553 int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19;
554 int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38;
555 int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38;
556 int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2;
557
558 h0 += h0;
559 h1 += h1;
560 h2 += h2;
561 h3 += h3;
562 h4 += h4;
563 h5 += h5;
564 h6 += h6;
565 h7 += h7;
566 h8 += h8;
567 h9 += h9;
568
569 carry<26>(h0, h1);
570 carry<26>(h4, h5);
571
572 carry<25>(h1, h2);
573 carry<25>(h5, h6);
574
575 carry<26>(h2, h3);
576 carry<26>(h6, h7);
577
578 carry<25>(h3, h4);
579 carry<25>(h7, h8);
580 carry<26>(h4, h5);
581 carry<26>(h8, h9);
582 carry<25, 19>(h9, h0);
583 carry<26>(h0, h1);
584
585 return Ed25519_FieldElement(h0, h1, h2, h3, h4, h5, h6, h7, h8, h9);
586}
587
588/*
589Ignores top bit of h.
590*/
591Ed25519_FieldElement Ed25519_FieldElement::deserialize(const uint8_t s[32]) {
592 int64_t h0 = load_4(s);
593 int64_t h1 = load_3(s + 4) << 6;
594 int64_t h2 = load_3(s + 7) << 5;
595 int64_t h3 = load_3(s + 10) << 3;
596 int64_t h4 = load_3(s + 13) << 2;
597 int64_t h5 = load_4(s + 16);
598 int64_t h6 = load_3(s + 20) << 7;
599 int64_t h7 = load_3(s + 23) << 5;
600 int64_t h8 = load_3(s + 26) << 4;
601 int64_t h9 = (load_3(s + 29) & 0x7fffff) << 2;
602
603 carry<25, 19>(h9, h0);
604 carry<25>(h1, h2);
605 carry<25>(h3, h4);
606 carry<25>(h5, h6);
607 carry<25>(h7, h8);
608
609 carry<26>(h0, h1);
610 carry<26>(h2, h3);
611 carry<26>(h4, h5);
612 carry<26>(h6, h7);
613 carry<26>(h8, h9);
614
615 return Ed25519_FieldElement(h0, h1, h2, h3, h4, h5, h6, h7, h8, h9);
616}
617
618/*
619Preconditions:
620|h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
621
622Write p=2^255-19; q=floor(h/p).
623Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
624
625Proof:
626Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
627Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4.
628
629Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
630Then 0<y<1.
631
632Write r=h-pq.
633Have 0<=r<=p-1=2^255-20.
634Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
635
636Write x=r+19(2^-255)r+y.
637Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
638
639Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
640so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
641*/
642
643void Ed25519_FieldElement::serialize_to(std::span<uint8_t, 32> s) const {
644 const int32_t X25 = (1 << 25);
645
646 int32_t h0 = m_fe[0];
647 int32_t h1 = m_fe[1];
648 int32_t h2 = m_fe[2];
649 int32_t h3 = m_fe[3];
650 int32_t h4 = m_fe[4];
651 int32_t h5 = m_fe[5];
652 int32_t h6 = m_fe[6];
653 int32_t h7 = m_fe[7];
654 int32_t h8 = m_fe[8];
655 int32_t h9 = m_fe[9];
656
657 int32_t q = (19 * h9 + ((static_cast<int32_t>(1) << 24))) >> 25;
658 q = (h0 + q) >> 26;
659 q = (h1 + q) >> 25;
660 q = (h2 + q) >> 26;
661 q = (h3 + q) >> 25;
662 q = (h4 + q) >> 26;
663 q = (h5 + q) >> 25;
664 q = (h6 + q) >> 26;
665 q = (h7 + q) >> 25;
666 q = (h8 + q) >> 26;
667 q = (h9 + q) >> 25;
668
669 /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */
670 h0 += 19 * q;
671 /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */
672
673 carry0<26>(h0, h1);
674 carry0<25>(h1, h2);
675 carry0<26>(h2, h3);
676 carry0<25>(h3, h4);
677 carry0<26>(h4, h5);
678 carry0<25>(h5, h6);
679 carry0<26>(h6, h7);
680 carry0<25>(h7, h8);
681 carry0<26>(h8, h9);
682
683 int32_t carry9 = h9 >> 25;
684 h9 -= carry9 * X25;
685 /* h10 = carry9 */
686
687 /*
688 Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
689 Have h0+...+2^230 h9 between 0 and 2^255-1;
690 evidently 2^255 h10-2^255 q = 0.
691 Goal: Output h0+...+2^230 h9.
692 */
693
694 s[0] = static_cast<uint8_t>(h0 >> 0);
695 s[1] = static_cast<uint8_t>(h0 >> 8);
696 s[2] = static_cast<uint8_t>(h0 >> 16);
697 s[3] = static_cast<uint8_t>((h0 >> 24) | (h1 << 2));
698 s[4] = static_cast<uint8_t>(h1 >> 6);
699 s[5] = static_cast<uint8_t>(h1 >> 14);
700 s[6] = static_cast<uint8_t>((h1 >> 22) | (h2 << 3));
701 s[7] = static_cast<uint8_t>(h2 >> 5);
702 s[8] = static_cast<uint8_t>(h2 >> 13);
703 s[9] = static_cast<uint8_t>((h2 >> 21) | (h3 << 5));
704 s[10] = static_cast<uint8_t>(h3 >> 3);
705 s[11] = static_cast<uint8_t>(h3 >> 11);
706 s[12] = static_cast<uint8_t>((h3 >> 19) | (h4 << 6));
707 s[13] = static_cast<uint8_t>(h4 >> 2);
708 s[14] = static_cast<uint8_t>(h4 >> 10);
709 s[15] = static_cast<uint8_t>(h4 >> 18);
710 s[16] = static_cast<uint8_t>(h5 >> 0);
711 s[17] = static_cast<uint8_t>(h5 >> 8);
712 s[18] = static_cast<uint8_t>(h5 >> 16);
713 s[19] = static_cast<uint8_t>((h5 >> 24) | (h6 << 1));
714 s[20] = static_cast<uint8_t>(h6 >> 7);
715 s[21] = static_cast<uint8_t>(h6 >> 15);
716 s[22] = static_cast<uint8_t>((h6 >> 23) | (h7 << 3));
717 s[23] = static_cast<uint8_t>(h7 >> 5);
718 s[24] = static_cast<uint8_t>(h7 >> 13);
719 s[25] = static_cast<uint8_t>((h7 >> 21) | (h8 << 4));
720 s[26] = static_cast<uint8_t>(h8 >> 4);
721 s[27] = static_cast<uint8_t>(h8 >> 12);
722 s[28] = static_cast<uint8_t>((h8 >> 20) | (h9 << 6));
723 s[29] = static_cast<uint8_t>(h9 >> 2);
724 s[30] = static_cast<uint8_t>(h9 >> 10);
725 s[31] = static_cast<uint8_t>(h9 >> 18);
726}
727
728} // namespace Botan
Botan::Ed25519_FieldElement::deserialize
static Ed25519_FieldElement deserialize(const uint8_t b[32])
Definition ed25519_fe.cpp:591
Botan::Ed25519_FieldElement::sqr
Ed25519_FieldElement sqr() const
Definition ed25519_fe.h:119
Botan::Ed25519_FieldElement::invert
Ed25519_FieldElement invert() const
Definition ed25519_fe.cpp:18
Botan::Ed25519_FieldElement::sqr2
Ed25519_FieldElement sqr2() const
Definition ed25519_fe.cpp:466
Botan::Ed25519_FieldElement::mul
static Ed25519_FieldElement mul(const Ed25519_FieldElement &a, const Ed25519_FieldElement &b)
Definition ed25519_fe.cpp:105
Botan::Ed25519_FieldElement::pow_22523
Ed25519_FieldElement pow_22523() const
Definition ed25519_fe.cpp:45
Botan::Ed25519_FieldElement::serialize_to
void serialize_to(std::span< uint8_t, 32 > b) const
Definition ed25519_fe.cpp:643
Botan::Ed25519_FieldElement::sqr_iter
Ed25519_FieldElement sqr_iter(size_t iter) const
Definition ed25519_fe.cpp:326
Botan::Ed25519_FieldElement::Ed25519_FieldElement
constexpr Ed25519_FieldElement()
Definition ed25519_fe.h:34
Botan::carry0
void carry0(int64_t &h0, int64_t &h1)
Definition ed25519_internal.h:38
Botan::load_3
uint32_t load_3(const uint8_t in[3])
Definition ed25519_internal.h:18
Botan::carry
void carry(int64_t &h0, int64_t &h1)
Definition ed25519_internal.h:27
Botan::load_4
uint32_t load_4(const uint8_t *in)
Definition ed25519_internal.h:22
Generated by doxygen 1.14.0