package fourq
import (
	"encoding/binary"
	"fmt"
)
// baseFieldElem is an element of the curve's base field, the integers modulo
// p=2^127-1, held as two 64-bit limbs. The byte encoding produced by Bytes and
// consumed by SetBytes is little-endian: e[0] occupies the first 8 bytes and
// e[1] the last 8.
//
// baseFieldElem is kept in reduced form by the arithmetic routines, with one
// exception documented on reduce: the value p itself may appear as the
// non-canonical pattern that reduce clears. SetBytes performs no reduction at
// all, so code that decodes bytes from an untrusted source must check that the
// encoded value is canonical before relying on this invariant.
type baseFieldElem [2]uint64
// newBaseFieldElem returns a pointer to a freshly allocated zero element.
func newBaseFieldElem() *baseFieldElem {
	var e baseFieldElem
	return &e
}
// String renders e as its two limbs in hex, high limb first, each zero-padded
// to 16 digits and separated by a space. Note that the limb order is the
// reverse of GoString's, and that the full value is exposed, so avoid feeding
// secret elements to loggers.
func (e *baseFieldElem) String() string {
	hi, lo := e[1], e[0]
	return fmt.Sprintf("%16.16x %16.16x", hi, lo)
}
// GoString renders e as a Go composite literal, low limb first, so that the
// output can be pasted back into source as a baseFieldElem value. Like String
// it exposes the full value.
func (e *baseFieldElem) GoString() string {
	const layout = "baseFieldElem{0x%16.16x, 0x%16.16x}"
	return fmt.Sprintf(layout, e[0], e[1])
}
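// Bytes returns the 16-byte little-endian encoding of e: e[0] in the first
// 8 bytes, e[1] in the last 8, least significant byte first.
//
// The element is encoded as-is, without reduction. If e could hold the
// non-canonical encoding of p that reduce clears, call reduce first so that
// the output is canonical.
func (e *baseFieldElem) Bytes() [16]byte {
	var out [16]byte
	binary.LittleEndian.PutUint64(out[0:8], e[0])
	binary.LittleEndian.PutUint64(out[8:16], e[1])
	return out
}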
// Set copies a into e. e and a may be the same element.
func (e *baseFieldElem) Set(a *baseFieldElem) {
	*e = *a
}
// SetZero sets e to the additive identity (both limbs zero).
func (e *baseFieldElem) SetZero() {
	*e = baseFieldElem{}
}
// SetOne sets e to the multiplicative identity: low limb 1, high limb 0.
func (e *baseFieldElem) SetOne() {
	*e = baseFieldElem{1, 0}
}
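// SetBytes decodes the first 16 bytes of in as a little-endian element: bytes
// 0..7 become e[0] and bytes 8..15 become e[1]. Any bytes beyond the 16th are
// ignored.
//
// The value is stored without reduction or masking, so in can produce an
// element that is not in canonical form (for example one with bit 127 set);
// callers decoding untrusted bytes must validate the encoding themselves.
//
// SetBytes panics with an index-out-of-range error if in is shorter than 16
// bytes; the check happens before e is touched, so e is never left half
// written.
func (e *baseFieldElem) SetBytes(in []byte) {
	_ = in[15] // bounds check up front: short input panics before any write
	e[0] = binary.LittleEndian.Uint64(in[0:8])
	e[1] = binary.LittleEndian.Uint64(in[8:16])
}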
// IsZero reports whether e is the zero element. Only the canonical encoding
// (both limbs zero) counts; an element still holding the non-canonical
// encoding of p that reduce clears is not reported as zero here.
func (e *baseFieldElem) IsZero() bool {
	return e[0]|e[1] == 0
}
// Neg sets e to the negation of a and returns e. e may alias a.
//
// The low limb is bitwise inverted and the high limb is inverted then masked
// with aMask; presumably aMask clears the top bit of the high limb so that the
// result is p - a for canonical a — confirm against aMask's definition. Note
// that for a == 0 this produces the all-ones-and-mask pattern, which is the
// non-canonical encoding of p that reduce clears (assuming bMask is ^uint64(0)).
func (e *baseFieldElem) Neg(a *baseFieldElem) *baseFieldElem {
	lo, hi := ^a[0], ^a[1]
	e[0], e[1] = lo, hi&aMask
	return e
}
// chain1251 sets e to a^(2^125-1) and returns e.
//
// The exponent is built with a fixed addition chain: first a^(2^k-1) for
// k = 2, 4, 8, 16, 32, 64 (each step squaring the previous result k/2 times
// and multiplying by it), then the remaining factors are assembled from the
// saved intermediates to reach 2^96-1, 2^112-1, 2^120-1, 2^124-1 and finally
// 2^125-1. The sequence of field operations is data-independent, so the
// running time does not depend on the value of a. Temporaries are heap
// allocated via newBaseFieldElem, matching the rest of the file.
func (e *baseFieldElem) chain1251(a *baseFieldElem) *baseFieldElem {
	// squareN squares t in place n times.
	squareN := func(t *baseFieldElem, n int) {
		for i := 0; i < n; i++ {
			bfeSquare(t, t)
		}
	}

	t1, t2, t3, t4, t5 := newBaseFieldElem(), newBaseFieldElem(), newBaseFieldElem(), newBaseFieldElem(), newBaseFieldElem()

	bfeSquare(t2, a)
	bfeMul(t2, t2, a) // t2 = a^(2^2-1)

	bfeSquare(t3, t2)
	squareN(t3, 1)
	bfeMul(t3, t3, t2) // t3 = a^(2^4-1)

	bfeSquare(t4, t3)
	squareN(t4, 3)
	bfeMul(t4, t4, t3) // t4 = a^(2^8-1)

	bfeSquare(t5, t4)
	squareN(t5, 7)
	bfeMul(t5, t5, t4) // t5 = a^(2^16-1)

	bfeSquare(t2, t5)
	squareN(t2, 15)
	bfeMul(t2, t2, t5) // t2 = a^(2^32-1)

	bfeSquare(t1, t2)
	squareN(t1, 31)
	bfeMul(t1, t1, t2) // t1 = a^(2^64-1)

	squareN(t1, 32)
	bfeMul(t1, t2, t1) // t1 = a^(2^96-1)

	squareN(t1, 16)
	bfeMul(t1, t1, t5) // t1 = a^(2^112-1)

	squareN(t1, 8)
	bfeMul(t1, t1, t4) // t1 = a^(2^120-1)

	squareN(t1, 4)
	bfeMul(t1, t1, t3) // t1 = a^(2^124-1)

	squareN(t1, 1) // t1 = a^(2^125-2)
	bfeMul(e, t1, a) // e = a^(2^125-1)
	return e
}
// Invert sets e to a^(-1) and returns e.
//
// The inverse is computed by Fermat's little theorem as a^(p-2) with
// p-2 = 2^127-3: chain1251 gives a^(2^125-1), two squarings give a^(2^127-4),
// and a final multiplication by a gives a^(2^127-3). Because the exponentiation
// is a fixed sequence of operations, the running time is independent of a.
// For a == 0 the result is 0 rather than an error; callers that must reject a
// zero input have to check for it themselves.
func (e *baseFieldElem) Invert(a *baseFieldElem) *baseFieldElem {
	t := newBaseFieldElem()
	t.chain1251(a)
	squarings := 2
	for i := 0; i < squarings; i++ {
		bfeSquare(t, t)
	}
	bfeMul(e, t, a)
	return e
}
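// reduce sets e to zero if it holds the non-canonical encoding of p, which is
// the limb pair (bMask, aMask). This is the only case where e will not
// naturally be reduced to canonical form.
//
// The comparison and the conditional clear are performed with arithmetic on
// the limbs rather than a branch, so canonicalising an element does not leak
// through control flow whether it was equal to p. (The original form branched
// on the value of e; for a field element that may be secret, that branch is a
// timing side channel.)
func (e *baseFieldElem) reduce() {
	// x is zero exactly when e[0] == bMask && e[1] == aMask.
	x := (e[0] ^ bMask) | (e[1] ^ aMask)
	// (x | -x) >> 63 is 1 when x != 0 and 0 when x == 0; subtracting 1 turns
	// that into an all-ones mask when e equals p and zero otherwise.
	mask := ((x | -x) >> 63) - 1
	e[0] &^= mask
	e[1] &^= mask
}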
// The functions below have no Go body: they are implemented in assembly. By
// the way the file uses them, the first argument is the destination and the
// remaining arguments are the operands, and the destination may alias an
// operand (chain1251 calls bfeSquare(t, t) and bfeMul(t, t, a)). What each
// computes is inferred from its name and is not visible here; see the assembly
// for the exact contract, including whether results are fully reduced and
// whether the implementations are constant time.

// bfeDbl presumably sets c = 2*a mod p — confirm against the assembly.
//
//go:noescape
func bfeDbl(c, a *baseFieldElem)

// bfeHalf presumably sets c = a/2 mod p — confirm against the assembly.
//
//go:noescape
func bfeHalf(c, a *baseFieldElem)

// bfeAdd presumably sets c = a + b mod p — confirm against the assembly.
//
//go:noescape
func bfeAdd(c, a, b *baseFieldElem)

// bfeSub presumably sets c = a - b mod p — confirm against the assembly.
//
//go:noescape
func bfeSub(c, a, b *baseFieldElem)

// bfeMul sets c = a * b; chain1251 relies on it as the field multiplication,
// with c permitted to alias a. Reduction guarantees are not visible here.
//
//go:noescape
func bfeMul(c, a, b *baseFieldElem)

// bfeSquare sets c = a^2; chain1251 relies on it as the field squaring, with
// c permitted to alias a. Reduction guarantees are not visible here.
//
//go:noescape
func bfeSquare(c, a *baseFieldElem)