4 // you may not use this file except in compliance with the License.
9 // Unless required by applicable law or agreed to in writing, software
57 // Points are given in coordinates (X, Y, Z) where Z normally is 1
182 static void p224_generic_to_felem(p224_felem out, const EC_FELEM *in) {
185 out[0] = in->words[0] & 0x00ffffffffffffff;
186 out[1] = ((in->words[0] >> 56) | (in->words[1] << 8)) & 0x00ffffffffffffff;
187 out[2] = ((in->words[1] >> 48) | (in->words[2] << 16)) & 0x00ffffffffffffff;
188 out[3] = ((in->words[2] >> 40) | (in->words[3] << 24)) & 0x00ffffffffffffff;
191 // Requires 0 <= in < 2*p (always call p224_felem_reduce first)
192 static void p224_felem_to_generic(EC_FELEM *out, const p224_felem in) {
195 // 0 <= in < 2*p, p = 2^224 - 2^96 + 1
196 // if in > p , reduce in = in - 2^224 + 2^96 - 1
198 tmp[0] = in[0];
199 tmp[1] = in[1];
200 tmp[2] = in[2];
201 tmp[3] = in[3];
202 // Case 1: a = 1 iff in >= 2^224
203 a = (in[3] >> 56);
207 // Case 2: a = 0 iff p <= in < 2^224, i.e., the high 128 bits are all 1 and
209 a = ((in[3] & in[2] & (in[1] | 0x000000ffffffffff)) + 1) |
210 (((int64_t)(in[0] + (in[1] & 0x000000ffffffffff)) - 1) >> 63);
251 // expected to be correct in general - e.g., multiplication with a large scalar
254 static void p224_felem_assign(p224_felem out, const p224_felem in) {
255 out[0] = in[0];
256 out[1] = in[1];
257 out[2] = in[2];
258 out[3] = in[3];
261 // Sum two field elements: out += in
262 static void p224_felem_sum(p224_felem out, const p224_felem in) {
263 out[0] += in[0];
264 out[1] += in[1];
265 out[2] += in[2];
266 out[3] += in[3];
269 // Subtract field elements: out -= in
270 // Assumes in[i] < 2^57
271 static void p224_felem_diff(p224_felem out, const p224_felem in) {
279 // Add 0 mod 2^224-2^96+1 to ensure out > in
285 out[0] -= in[0];
286 out[1] -= in[1];
287 out[2] -= in[2];
288 out[3] -= in[3];
291 // Subtract in unreduced 128-bit mode: out -= in
292 // Assumes in[i] < 2^119
293 static void p224_widefelem_diff(p224_widefelem out, const p224_widefelem in) {
301 // Add 0 mod 2^224-2^96+1 to ensure out > in
310 out[0] -= in[0];
311 out[1] -= in[1];
312 out[2] -= in[2];
313 out[3] -= in[3];
314 out[4] -= in[4];
315 out[5] -= in[5];
316 out[6] -= in[6];
319 // Subtract in mixed mode: out128 -= in64
320 // in[i] < 2^63
321 static void p224_felem_diff_128_64(p224_widefelem out, const p224_felem in) {
330 // Add 0 mod 2^224-2^96+1 to ensure out > in
336 out[0] -= in[0];
337 out[1] -= in[1];
338 out[2] -= in[2];
339 out[3] -= in[3];
364 // Square a field element: out = in^2
365 static void p224_felem_square(p224_widefelem out, const p224_felem in) {
367 tmp0 = 2 * in[0];
368 tmp1 = 2 * in[1];
369 tmp2 = 2 * in[2];
370 out[0] = ((p224_widelimb)in[0]) * in[0];
371 out[1] = ((p224_widelimb)in[0]) * tmp1;
372 out[2] = ((p224_widelimb)in[0]) * tmp2 + ((p224_widelimb)in[1]) * in[1];
373 out[3] = ((p224_widelimb)in[3]) * tmp0 + ((p224_widelimb)in[1]) * tmp2;
374 out[4] = ((p224_widelimb)in[3]) * tmp1 + ((p224_widelimb)in[2]) * in[2];
375 out[5] = ((p224_widelimb)in[3]) * tmp2;
376 out[6] = ((p224_widelimb)in[3]) * in[3];
395 // Requires in[i] < 2^126,
397 static void p224_felem_reduce(p224_felem out, const p224_widefelem in) {
408 output[0] = in[0] + two127p15;
409 output[1] = in[1] + two127m71m55;
410 output[2] = in[2] + two127m71;
411 output[3] = in[3];
412 output[4] = in[4];
414 // Eliminate in[4], in[5], in[6]
415 output[4] += in[6] >> 16;
416 output[3] += (in[6] & 0xffff) << 40;
417 output[2] -= in[6];
419 output[3] += in[5] >> 16;
420 output[2] += (in[5] & 0xffff) << 40;
421 output[1] -= in[5];
459 // Get negative value: out = -in
460 // Requires in[i] < 2^63,
462 static void p224_felem_neg(p224_felem out, const p224_felem in) {
464 p224_felem_diff_128_64(tmp, in);
469 // elements are reduced to in < 2^225, so we only need to check three cases: 0,
471 static p224_limb p224_felem_is_zero(const p224_felem in) {
472 p224_limb zero = in[0] | in[1] | in[2] | in[3];
475 p224_limb two224m96p1 = (in[0] ^ 1) | (in[1] ^ 0x00ffff0000000000) |
476 (in[2] ^ 0x00ffffffffffffff) |
477 (in[3] ^ 0x00ffffffffffffff);
479 p224_limb two225m97p2 = (in[0] ^ 2) | (in[1] ^ 0x00fffe0000000000) |
480 (in[2] ^ 0x00ffffffffffffff) |
481 (in[3] ^ 0x01ffffffffffffff);
488 static void p224_felem_inv(p224_felem out, const p224_felem in) {
492 p224_felem_square(tmp, in);
494 p224_felem_mul(tmp, in, ftmp);
498 p224_felem_mul(tmp, in, ftmp);
556 p224_felem_mul(tmp, ftmp, in);
566 // Copy in constant time:
567 // if icopy == 1, copy in to out,
569 static void p224_copy_conditional(p224_felem out, const p224_felem in,
574 const p224_limb tmp = copy & (in[i] ^ out[i]);
581 // Points are represented in Jacobian projective coordinates:
852 // p224_get_bit returns the |i|th bit in |in|.
853 static crypto_word_t p224_get_bit(const EC_SCALAR *in, size_t i) {
857 static_assert(sizeof(in->words[0]) == 8, "BN_ULONG is not 64-bit");
858 return (in->words[i >> 6] >> (i & 63)) & 1;
958 int skip = 1; // Save two point operations in the first round.
1003 int skip = 1; // Save two point operations in the first round.
1015 // Select the point to add, in constant time.
1031 // Select the point to add, in constant time.
1058 // the generator (two in each of the last 28 rounds) and additions of p (every
1060 int skip = 1; // Save two point operations in the first round.