The Tor Browser / file revision

 /* This Source Code Form is subject to the terms of the Mozilla Public

  * License, v. 2.0. If a copy of the MPL was not distributed with this

  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

 #include "ec2.h"

 #include "mp_gf2m.h"

 #include "mp_gf2m-priv.h"

 #include "mpi.h"

 #include "mpi-priv.h"

 #include <stdlib.h>

 /* Fast reduction for polynomials over a 193-bit curve. Assumes reduction

  * polynomial with terms {193, 15, 0}. */

 mp_err

 ec_GF2m_193_mod(const mp_int *a, mp_int *r, const GFMethod *meth)

 {

 	mp_err res = MP_OKAY;

 	mp_digit *u, z;

 	if (a != r) {

 		MP_CHECKOK(mp_copy(a, r));

 	}

 #ifdef ECL_SIXTY_FOUR_BIT

 	if (MP_USED(r) < 7) {

 		MP_CHECKOK(s_mp_pad(r, 7));

 	}

 	u = MP_DIGITS(r);

 	MP_USED(r) = 7;

 	/* u[6] only has 2 significant bits */

 	z = u[6];

 	u[3] ^= (z << 14) ^ (z >> 1);

 	u[2] ^= (z << 63);

 	z = u[5];

 	u[3] ^= (z >> 50);

 	u[2] ^= (z << 14) ^ (z >> 1);

 	u[1] ^= (z << 63);

 	z = u[4];

 	u[2] ^= (z >> 50);

 	u[1] ^= (z << 14) ^ (z >> 1);

 	u[0] ^= (z << 63);

 	z = u[3] >> 1;				/* z only has 63 significant bits */

 	u[1] ^= (z >> 49);

 	u[0] ^= (z << 15) ^ z;

 	/* clear bits above 193 */

 	u[6] = u[5] = u[4] = 0;

 	u[3] ^= z << 1;

 #else

 	if (MP_USED(r) < 13) {

 		MP_CHECKOK(s_mp_pad(r, 13));

 	}

 	u = MP_DIGITS(r);

 	MP_USED(r) = 13;

 	/* u[12] only has 2 significant bits */

 	z = u[12];

 	u[6] ^= (z << 14) ^ (z >> 1);

 	u[5] ^= (z << 31);

 	z = u[11];

 	u[6] ^= (z >> 18);

 	u[5] ^= (z << 14) ^ (z >> 1);

 	u[4] ^= (z << 31);

 	z = u[10];

 	u[5] ^= (z >> 18);

 	u[4] ^= (z << 14) ^ (z >> 1);

 	u[3] ^= (z << 31);

 	z = u[9];

 	u[4] ^= (z >> 18);

 	u[3] ^= (z << 14) ^ (z >> 1);

 	u[2] ^= (z << 31);

 	z = u[8];

 	u[3] ^= (z >> 18);

 	u[2] ^= (z << 14) ^ (z >> 1);

 	u[1] ^= (z << 31);

 	z = u[7];

 	u[2] ^= (z >> 18);

 	u[1] ^= (z << 14) ^ (z >> 1);

 	u[0] ^= (z << 31);

 	z = u[6] >> 1;				/* z only has 31 significant bits */

 	u[1] ^= (z >> 17);

 	u[0] ^= (z << 15) ^ z;

 	/* clear bits above 193 */

 	u[12] = u[11] = u[10] = u[9] = u[8] = u[7] = 0;

 	u[6] ^= z << 1;

 #endif

 	s_mp_clamp(r);

   CLEANUP:

 	return res;

 }

 /* Fast squaring for polynomials over a 193-bit curve. Assumes reduction

  * polynomial with terms {193, 15, 0}. */

 mp_err

 ec_GF2m_193_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)

 {

 	mp_err res = MP_OKAY;

 	mp_digit *u, *v;

 	v = MP_DIGITS(a);

 #ifdef ECL_SIXTY_FOUR_BIT

 	if (MP_USED(a) < 4) {

 		return mp_bsqrmod(a, meth->irr_arr, r);

 	}

 	if (MP_USED(r) < 7) {

 		MP_CHECKOK(s_mp_pad(r, 7));

 	}

 	MP_USED(r) = 7;

 #else

 	if (MP_USED(a) < 7) {

 		return mp_bsqrmod(a, meth->irr_arr, r);

 	}

 	if (MP_USED(r) < 13) {

 		MP_CHECKOK(s_mp_pad(r, 13));

 	}

 	MP_USED(r) = 13;

 #endif

 	u = MP_DIGITS(r);

 #ifdef ECL_THIRTY_TWO_BIT

 	u[12] = gf2m_SQR0(v[6]);

 	u[11] = gf2m_SQR1(v[5]);

 	u[10] = gf2m_SQR0(v[5]);

 	u[9] = gf2m_SQR1(v[4]);

 	u[8] = gf2m_SQR0(v[4]);

 	u[7] = gf2m_SQR1(v[3]);

 #endif

 	u[6] = gf2m_SQR0(v[3]);

 	u[5] = gf2m_SQR1(v[2]);

 	u[4] = gf2m_SQR0(v[2]);

 	u[3] = gf2m_SQR1(v[1]);

 	u[2] = gf2m_SQR0(v[1]);

 	u[1] = gf2m_SQR1(v[0]);

 	u[0] = gf2m_SQR0(v[0]);

 	return ec_GF2m_193_mod(r, r, meth);

   CLEANUP:

 	return res;

 }

 /* Fast multiplication for polynomials over a 193-bit curve. Assumes

  * reduction polynomial with terms {193, 15, 0}. */

 mp_err

 ec_GF2m_193_mul(const mp_int *a, const mp_int *b, mp_int *r,

 				const GFMethod *meth)

 {

 	mp_err res = MP_OKAY;

 	mp_digit a3 = 0, a2 = 0, a1 = 0, a0, b3 = 0, b2 = 0, b1 = 0, b0;

 #ifdef ECL_THIRTY_TWO_BIT

 	mp_digit a6 = 0, a5 = 0, a4 = 0, b6 = 0, b5 = 0, b4 = 0;

 	mp_digit rm[8];

 #endif

 	if (a == b) {

 		return ec_GF2m_193_sqr(a, r, meth);

 	} else {

 		switch (MP_USED(a)) {

 #ifdef ECL_THIRTY_TWO_BIT

 		case 7:

 			a6 = MP_DIGIT(a, 6);

 		case 6:

 			a5 = MP_DIGIT(a, 5);

 		case 5:

 			a4 = MP_DIGIT(a, 4);

 #endif

 		case 4:

 			a3 = MP_DIGIT(a, 3);

 		case 3:

 			a2 = MP_DIGIT(a, 2);

 		case 2:

 			a1 = MP_DIGIT(a, 1);

 		default:

 			a0 = MP_DIGIT(a, 0);

 		}

 		switch (MP_USED(b)) {

 #ifdef ECL_THIRTY_TWO_BIT

 		case 7:

 			b6 = MP_DIGIT(b, 6);

 		case 6:

 			b5 = MP_DIGIT(b, 5);

 		case 5:

 			b4 = MP_DIGIT(b, 4);

 #endif

 		case 4:

 			b3 = MP_DIGIT(b, 3);

 		case 3:

 			b2 = MP_DIGIT(b, 2);

 		case 2:

 			b1 = MP_DIGIT(b, 1);

 		default:

 			b0 = MP_DIGIT(b, 0);

 		}

 #ifdef ECL_SIXTY_FOUR_BIT

 		MP_CHECKOK(s_mp_pad(r, 8));

 		s_bmul_4x4(MP_DIGITS(r), a3, a2, a1, a0, b3, b2, b1, b0);

 		MP_USED(r) = 8;

 		s_mp_clamp(r);

 #else

 		MP_CHECKOK(s_mp_pad(r, 14));

 		s_bmul_3x3(MP_DIGITS(r) + 8, a6, a5, a4, b6, b5, b4);

 		s_bmul_4x4(MP_DIGITS(r), a3, a2, a1, a0, b3, b2, b1, b0);

 		s_bmul_4x4(rm, a3, a6 ^ a2, a5 ^ a1, a4 ^ a0, b3, b6 ^ b2, b5 ^ b1,

 				   b4 ^ b0);

 		rm[7] ^= MP_DIGIT(r, 7);

 		rm[6] ^= MP_DIGIT(r, 6);

 		rm[5] ^= MP_DIGIT(r, 5) ^ MP_DIGIT(r, 13);

 		rm[4] ^= MP_DIGIT(r, 4) ^ MP_DIGIT(r, 12);

 		rm[3] ^= MP_DIGIT(r, 3) ^ MP_DIGIT(r, 11);

 		rm[2] ^= MP_DIGIT(r, 2) ^ MP_DIGIT(r, 10);

 		rm[1] ^= MP_DIGIT(r, 1) ^ MP_DIGIT(r, 9);

 		rm[0] ^= MP_DIGIT(r, 0) ^ MP_DIGIT(r, 8);

 		MP_DIGIT(r, 11) ^= rm[7];

 		MP_DIGIT(r, 10) ^= rm[6];

 		MP_DIGIT(r, 9) ^= rm[5];

 		MP_DIGIT(r, 8) ^= rm[4];

 		MP_DIGIT(r, 7) ^= rm[3];

 		MP_DIGIT(r, 6) ^= rm[2];

 		MP_DIGIT(r, 5) ^= rm[1];

 		MP_DIGIT(r, 4) ^= rm[0];

 		MP_USED(r) = 14;

 		s_mp_clamp(r);

 #endif

 		return ec_GF2m_193_mod(r, r, meth);

 	}

   CLEANUP:

 	return res;

 }

 /* Wire in fast field arithmetic for 193-bit curves. */

 mp_err

 ec_group_set_gf2m193(ECGroup *group, ECCurveName name)

 {

 	group->meth->field_mod = &ec_GF2m_193_mod;

 	group->meth->field_mul = &ec_GF2m_193_mul;

 	group->meth->field_sqr = &ec_GF2m_193_sqr;

 	return MP_OKAY;

 }