-
Notifications
You must be signed in to change notification settings - Fork 5
/
fprime.c
140 lines (111 loc) · 2.56 KB
/
fprime.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
/* Arithmetic in prime fields
* Daniel Beer <dlbeer@gmail.com>, 10 Jan 2014
*
* This file is in the public domain.
*/
#include "fprime.h"
static void raw_add(uint8_t *x, const uint8_t *p)
{
uint16_t c = 0;
int i;
for (i = 0; i < FPRIME_SIZE; i++) {
c += ((uint16_t)x[i]) + ((uint16_t)p[i]);
x[i] = c;
c >>= 8;
}
}
static void raw_try_sub(uint8_t *x, const uint8_t *p)
{
uint8_t minusp[FPRIME_SIZE];
uint16_t c = 0;
int i;
for (i = 0; i < FPRIME_SIZE; i++) {
c = ((uint16_t)x[i]) - ((uint16_t)p[i]) - c;
minusp[i] = c;
c = (c >> 8) & 1;
}
fprime_select(x, minusp, x, c);
}
/* Warning: this function is variable-time */
static int prime_msb(const uint8_t *p)
{
int i;
uint8_t x;
for (i = FPRIME_SIZE - 1; i >= 0; i--)
if (p[i])
break;
x = p[i];
i <<= 3;
while (x) {
x >>= 1;
i++;
}
return i - 1;
}
/* Warning: this function may be variable-time in the argument n */
static void shift_n_bits(uint8_t *x, int n)
{
uint16_t c = 0;
int i;
for (i = 0; i < FPRIME_SIZE; i++) {
c |= ((uint16_t)x[i]) << n;
x[i] = c;
c >>= 8;
}
}
static inline int min_int(int a, int b)
{
return a < b ? a : b;
}
void fprime_from_bytes(uint8_t *n,
const uint8_t *x, size_t len,
const uint8_t *modulus)
{
const int preload_total = min_int(prime_msb(modulus) - 1, len << 3);
const int preload_bytes = preload_total >> 3;
const int preload_bits = preload_total & 7;
const int rbits = (len << 3) - preload_total;
int i;
memset(n, 0, FPRIME_SIZE);
for (i = 0; i < preload_bytes; i++)
n[i] = x[len - preload_bytes + i];
if (preload_bits) {
shift_n_bits(n, preload_bits);
n[0] |= x[len - preload_bytes - 1] >> (8 - preload_bits);
}
for (i = rbits - 1; i >= 0; i--) {
const uint8_t bit = (x[i >> 3] >> (i & 7)) & 1;
shift_n_bits(n, 1);
n[0] |= bit;
raw_try_sub(n, modulus);
}
}
void fprime_select(uint8_t *dst,
const uint8_t *zero, const uint8_t *one,
uint8_t condition)
{
const uint8_t mask = -condition;
int i;
for (i = 0; i < FPRIME_SIZE; i++)
dst[i] = zero[i] ^ (mask & (one[i] ^ zero[i]));
}
void fprime_add(uint8_t *r, const uint8_t *a, const uint8_t *modulus)
{
raw_add(r, a);
raw_try_sub(r, modulus);
}
void fprime_mul(uint8_t *r, const uint8_t *a, const uint8_t *b,
const uint8_t *modulus)
{
int i;
memset(r, 0, FPRIME_SIZE);
for (i = prime_msb(modulus); i >= 0; i--) {
const uint8_t bit = (b[i >> 3] >> (i & 7)) & 1;
uint8_t plusa[FPRIME_SIZE];
shift_n_bits(r, 1);
raw_try_sub(r, modulus);
fprime_copy(plusa, r);
fprime_add(plusa, a, modulus);
fprime_select(r, r, plusa, bit);
}
}