upstream: https://github.com/mirage/mirage-crypto

Merge pull request #132 from hannesm/update-fiat

updates from fiat-crypto main branch

authored by

Hannes Mehnert and committed by
GitHub
c3445586 b2b19dcc

+843 -887
+4 -3
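--- a/ec/native/GNUmakefile
+++ b/ec/native/GNUmakefile
@@ -2,10 +2,11 @@
 # As a prerequisite, fiat-crypto (https://github.com/mit-plv/fiat-crypto)
 # needs to be cloned and "make standalone-ocaml" invoked
 # The lowest bound of fiat-crypto is git commit
-# 52561d2c59d2ef87af9676ad2039a8c5d8c22a21 (February 24th 2021)
+# dabaf4b3132e8bb4a3f5fcd8366eec6ac9bb4232 (July 16th 2021)
+# Generated on FreeBSD 12.2p2 with coq 8.13.1 (OCaml 4.12.0)
 
-WBW_MONT ?= ../../../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery --static --use-value-barrier
-UNSAT_SOLINAS ?= ../../../fiat-crypto/src/ExtractionOCaml/unsaturated_solinas --static --use-value-barrier
+WBW_MONT ?= ../../../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery --static --use-value-barrier --inline-internal
+UNSAT_SOLINAS ?= ../../../fiat-crypto/src/ExtractionOCaml/unsaturated_solinas --static --use-value-barrier --inline-internal
 N_FUNCS=mul add opp from_montgomery to_montgomery one msat divstep_precomp divstep to_bytes from_bytes selectznz
 
 # The NIST curve P-224 (AKA SECP224R1)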
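Review bot: The regeneration recipe in this hunk is not reproducible against the committed headers: the new `WBW_MONT`/`UNSAT_SOLINAS` defaults point at `../../../fiat-crypto/src/ExtractionOCaml/...`, while the banner on the first line of every regenerated header in this PR records `'../fiat-crypto/src/ExtractionOCaml/...'`, so running `make` with the defaults will change the first line of each header and a reviewer cannot diff the vendored output against a fresh run without also overriding the variable. The comment also leaves it ambiguous whether `dabaf4b3132e8bb4a3f5fcd8366eec6ac9bb4232` is only the minimum supported fiat-crypto commit or the exact commit these headers were produced from; for vendored generated crypto code the exact generator revision is what lets someone re-derive the output and audit the `--inline-internal` change. I would make the comment explicit, e.g. `# Headers in this directory were generated at exactly this commit (see "Generated on" below);` on the line after the commit hash, or state that they were generated at a later commit if that is the case. Consider also documenting in the same comment how the `WBW_MONT`/`UNSAT_SOLINAS` overrides should be set so the banner path matches the committed files.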
+47 -55
ec/native/curve25519_32.h
··· 1 - /* Autogenerated: ../../../fiat-crypto/src/ExtractionOCaml/unsaturated_solinas --static --use-value-barrier 25519 32 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes carry_scmul121666 */ 1 + /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/unsaturated_solinas' --static --use-value-barrier --inline-internal 25519 32 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes carry_scmul121666 */ 2 2 /* curve description: 25519 */ 3 3 /* machine_wordsize = 32 (from "32") */ 4 4 /* requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, carry_scmul121666 */ ··· 7 7 /* tight_bounds_multiplier = 1 (from "") */ 8 8 /* */ 9 9 /* Computed values: */ 10 - /* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] */ 11 - /* eval z = z[0] + (z[1] << 26) + (z[2] << 51) + (z[3] << 77) + (z[4] << 102) + (z[5] << 128) + (z[6] << 153) + (z[7] << 179) + (z[8] << 204) + (z[9] << 230) */ 12 - /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ 13 - /* balance = [0x7ffffda, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe] */ 10 + /* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] */ 11 + /* eval z = z[0] + (z[1] << 26) + (z[2] << 51) + (z[3] << 77) + (z[4] << 102) + (z[5] << 128) + (z[6] << 153) + (z[7] << 179) + (z[8] << 204) + (z[9] << 230) */ 12 + /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + 
(z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ 13 + /* balance = [0x7ffffda, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe] */ 14 14 15 15 #include <stdint.h> 16 16 typedef unsigned char fiat_25519_uint1; 17 17 typedef signed char fiat_25519_int1; 18 + #ifdef __GNUC__ 19 + # define FIAT_25519_FIAT_INLINE __inline__ 20 + #else 21 + # define FIAT_25519_FIAT_INLINE 22 + #endif 23 + 24 + /* The type fiat_25519_loose_field_element is a field element with loose bounds. */ 25 + /* Bounds: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] */ 26 + typedef uint32_t fiat_25519_loose_field_element[10]; 27 + 28 + /* The type fiat_25519_tight_field_element is a field element with tight bounds. */ 29 + /* Bounds: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] */ 30 + typedef uint32_t fiat_25519_tight_field_element[10]; 18 31 19 32 #if (-1 & 3) != 3 20 33 #error "This code only works on a two's complement system" ··· 32 45 33 46 /* 34 47 * The function fiat_25519_addcarryx_u26 is an addition with carry. 
48 + * 35 49 * Postconditions: 36 50 * out1 = (arg1 + arg2 + arg3) mod 2^26 37 51 * out2 = ⌊(arg1 + arg2 + arg3) / 2^26⌋ ··· 44 58 * out1: [0x0 ~> 0x3ffffff] 45 59 * out2: [0x0 ~> 0x1] 46 60 */ 47 - static void fiat_25519_addcarryx_u26(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { 61 + static FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u26(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { 48 62 uint32_t x1; 49 63 uint32_t x2; 50 64 fiat_25519_uint1 x3; ··· 57 71 58 72 /* 59 73 * The function fiat_25519_subborrowx_u26 is a subtraction with borrow. 74 + * 60 75 * Postconditions: 61 76 * out1 = (-arg1 + arg2 + -arg3) mod 2^26 62 77 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^26⌋ ··· 69 84 * out1: [0x0 ~> 0x3ffffff] 70 85 * out2: [0x0 ~> 0x1] 71 86 */ 72 - static void fiat_25519_subborrowx_u26(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { 87 + static FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u26(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { 73 88 int32_t x1; 74 89 fiat_25519_int1 x2; 75 90 uint32_t x3; ··· 82 97 83 98 /* 84 99 * The function fiat_25519_addcarryx_u25 is an addition with carry. 100 + * 85 101 * Postconditions: 86 102 * out1 = (arg1 + arg2 + arg3) mod 2^25 87 103 * out2 = ⌊(arg1 + arg2 + arg3) / 2^25⌋ ··· 94 110 * out1: [0x0 ~> 0x1ffffff] 95 111 * out2: [0x0 ~> 0x1] 96 112 */ 97 - static void fiat_25519_addcarryx_u25(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { 113 + static FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u25(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { 98 114 uint32_t x1; 99 115 uint32_t x2; 100 116 fiat_25519_uint1 x3; ··· 107 123 108 124 /* 109 125 * The function fiat_25519_subborrowx_u25 is a subtraction with borrow. 
126 + * 110 127 * Postconditions: 111 128 * out1 = (-arg1 + arg2 + -arg3) mod 2^25 112 129 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^25⌋ ··· 119 136 * out1: [0x0 ~> 0x1ffffff] 120 137 * out2: [0x0 ~> 0x1] 121 138 */ 122 - static void fiat_25519_subborrowx_u25(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { 139 + static FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u25(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { 123 140 int32_t x1; 124 141 fiat_25519_int1 x2; 125 142 uint32_t x3; ··· 132 149 133 150 /* 134 151 * The function fiat_25519_cmovznz_u32 is a single-word conditional move. 152 + * 135 153 * Postconditions: 136 154 * out1 = (if arg1 = 0 then arg2 else arg3) 137 155 * ··· 142 160 * Output Bounds: 143 161 * out1: [0x0 ~> 0xffffffff] 144 162 */ 145 - static void fiat_25519_cmovznz_u32(uint32_t* out1, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { 163 + static FIAT_25519_FIAT_INLINE void fiat_25519_cmovznz_u32(uint32_t* out1, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { 146 164 fiat_25519_uint1 x1; 147 165 uint32_t x2; 148 166 uint32_t x3; ··· 154 172 155 173 /* 156 174 * The function fiat_25519_carry_mul multiplies two field elements and reduces the result. 
175 + * 157 176 * Postconditions: 158 177 * eval out1 mod m = (eval arg1 * eval arg2) mod m 159 178 * 160 - * Input Bounds: 161 - * arg1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] 162 - * arg2: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] 163 - * Output Bounds: 164 - * out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] 165 179 */ 166 - static void fiat_25519_carry_mul(uint32_t out1[10], const uint32_t arg1[10], const uint32_t arg2[10]) { 180 + static void fiat_25519_carry_mul(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1, const fiat_25519_loose_field_element arg2) { 167 181 uint64_t x1; 168 182 uint64_t x2; 169 183 uint64_t x3; ··· 472 486 473 487 /* 474 488 * The function fiat_25519_carry_square squares a field element and reduces the result. 
489 + * 475 490 * Postconditions: 476 491 * eval out1 mod m = (eval arg1 * eval arg1) mod m 477 492 * 478 - * Input Bounds: 479 - * arg1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] 480 - * Output Bounds: 481 - * out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] 482 493 */ 483 - static void fiat_25519_carry_square(uint32_t out1[10], const uint32_t arg1[10]) { 494 + static void fiat_25519_carry_square(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) { 484 495 uint32_t x1; 485 496 uint32_t x2; 486 497 uint32_t x3; ··· 735 746 736 747 /* 737 748 * The function fiat_25519_carry reduces a field element. 749 + * 738 750 * Postconditions: 739 751 * eval out1 mod m = eval arg1 mod m 740 752 * 741 - * Input Bounds: 742 - * arg1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] 743 - * Output Bounds: 744 - * out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] 745 753 */ 746 - static void fiat_25519_carry(uint32_t out1[10], const uint32_t arg1[10]) { 754 + static void fiat_25519_carry(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) { 747 755 uint32_t x1; 748 756 uint32_t x2; 749 757 uint32_t x3; ··· 802 810 803 811 /* 804 812 * The function fiat_25519_add adds two field elements. 
813 + * 805 814 * Postconditions: 806 815 * eval out1 mod m = (eval arg1 + eval arg2) mod m 807 816 * 808 - * Input Bounds: 809 - * arg1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] 810 - * arg2: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] 811 - * Output Bounds: 812 - * out1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] 813 817 */ 814 - static void fiat_25519_add(uint32_t out1[10], const uint32_t arg1[10], const uint32_t arg2[10]) { 818 + static void fiat_25519_add(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) { 815 819 uint32_t x1; 816 820 uint32_t x2; 817 821 uint32_t x3; ··· 846 850 847 851 /* 848 852 * The function fiat_25519_sub subtracts two field elements. 
853 + * 849 854 * Postconditions: 850 855 * eval out1 mod m = (eval arg1 - eval arg2) mod m 851 856 * 852 - * Input Bounds: 853 - * arg1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] 854 - * arg2: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] 855 - * Output Bounds: 856 - * out1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] 857 857 */ 858 - static void fiat_25519_sub(uint32_t out1[10], const uint32_t arg1[10], const uint32_t arg2[10]) { 858 + static void fiat_25519_sub(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) { 859 859 uint32_t x1; 860 860 uint32_t x2; 861 861 uint32_t x3; ··· 890 890 891 891 /* 892 892 * The function fiat_25519_opp negates a field element. 
893 + * 893 894 * Postconditions: 894 895 * eval out1 mod m = -eval arg1 mod m 895 896 * 896 - * Input Bounds: 897 - * arg1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] 898 - * Output Bounds: 899 - * out1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] 900 897 */ 901 - static void fiat_25519_opp(uint32_t out1[10], const uint32_t arg1[10]) { 898 + static void fiat_25519_opp(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) { 902 899 uint32_t x1; 903 900 uint32_t x2; 904 901 uint32_t x3; ··· 933 930 934 931 /* 935 932 * The function fiat_25519_selectznz is a multi-limb conditional select. 933 + * 936 934 * Postconditions: 937 935 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) 938 936 * ··· 978 976 979 977 /* 980 978 * The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order. 
979 + * 981 980 * Postconditions: 982 981 * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] 983 982 * 984 - * Input Bounds: 985 - * arg1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] 986 983 * Output Bounds: 987 984 * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] 988 985 */ 989 - static void fiat_25519_to_bytes(uint8_t out1[32], const uint32_t arg1[10]) { 986 + static void fiat_25519_to_bytes(uint8_t out1[32], const fiat_25519_tight_field_element arg1) { 990 987 uint32_t x1; 991 988 fiat_25519_uint1 x2; 992 989 uint32_t x3; ··· 1237 1234 1238 1235 /* 1239 1236 * The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order. 
1237 + * 1240 1238 * Postconditions: 1241 1239 * eval out1 mod m = bytes_eval arg1 mod m 1242 1240 * 1243 1241 * Input Bounds: 1244 1242 * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] 1245 - * Output Bounds: 1246 - * out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] 1247 1243 */ 1248 - static void fiat_25519_from_bytes(uint32_t out1[10], const uint8_t arg1[32]) { 1244 + static void fiat_25519_from_bytes(fiat_25519_tight_field_element out1, const uint8_t arg1[32]) { 1249 1245 uint32_t x1; 1250 1246 uint32_t x2; 1251 1247 uint32_t x3; ··· 1416 1412 1417 1413 /* 1418 1414 * The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result. 
1415 + * 1419 1416 * Postconditions: 1420 1417 * eval out1 mod m = (121666 * eval arg1) mod m 1421 1418 * 1422 - * Input Bounds: 1423 - * arg1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] 1424 - * Output Bounds: 1425 - * out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] 1426 1419 */ 1427 - static void fiat_25519_carry_scmul_121666(uint32_t out1[10], const uint32_t arg1[10]) { 1420 + static void fiat_25519_carry_scmul_121666(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) { 1428 1421 uint64_t x1; 1429 1422 uint64_t x2; 1430 1423 uint64_t x3; ··· 1530 1523 out1[8] = x36; 1531 1524 out1[9] = x39; 1532 1525 } 1533 -
+40 -53
ec/native/curve25519_64.h
··· 1 - /* Autogenerated: ../../../fiat-crypto/src/ExtractionOCaml/unsaturated_solinas --static --use-value-barrier 25519 64 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes carry_scmul121666 */ 1 + /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/unsaturated_solinas' --static --use-value-barrier --inline-internal 25519 64 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes carry_scmul121666 */ 2 2 /* curve description: 25519 */ 3 3 /* machine_wordsize = 64 (from "64") */ 4 4 /* requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, carry_scmul121666 */ ··· 7 7 /* tight_bounds_multiplier = 1 (from "") */ 8 8 /* */ 9 9 /* Computed values: */ 10 - /* carry_chain = [0, 1, 2, 3, 4, 0, 1] */ 11 - /* eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) */ 12 - /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ 13 - /* balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] */ 10 + /* carry_chain = [0, 1, 2, 3, 4, 0, 1] */ 11 + /* eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) */ 12 + /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + 
(z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ 13 + /* balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] */ 14 14 15 15 #include <stdint.h> 16 16 typedef unsigned char fiat_25519_uint1; 17 17 typedef signed char fiat_25519_int1; 18 18 #ifdef __GNUC__ 19 19 # define FIAT_25519_FIAT_EXTENSION __extension__ 20 + # define FIAT_25519_FIAT_INLINE __inline__ 20 21 #else 21 22 # define FIAT_25519_FIAT_EXTENSION 23 + # define FIAT_25519_FIAT_INLINE 22 24 #endif 23 25 24 26 FIAT_25519_FIAT_EXTENSION typedef signed __int128 fiat_25519_int128; 25 27 FIAT_25519_FIAT_EXTENSION typedef unsigned __int128 fiat_25519_uint128; 26 28 29 + /* The type fiat_25519_loose_field_element is a field element with loose bounds. */ 30 + /* Bounds: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */ 31 + typedef uint64_t fiat_25519_loose_field_element[5]; 32 + 33 + /* The type fiat_25519_tight_field_element is a field element with tight bounds. */ 34 + /* Bounds: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ 35 + typedef uint64_t fiat_25519_tight_field_element[5]; 36 + 27 37 #if (-1 & 3) != 3 28 38 #error "This code only works on a two's complement system" 29 39 #endif ··· 40 50 41 51 /* 42 52 * The function fiat_25519_addcarryx_u51 is an addition with carry. 
53 + * 43 54 * Postconditions: 44 55 * out1 = (arg1 + arg2 + arg3) mod 2^51 45 56 * out2 = ⌊(arg1 + arg2 + arg3) / 2^51⌋ ··· 52 63 * out1: [0x0 ~> 0x7ffffffffffff] 53 64 * out2: [0x0 ~> 0x1] 54 65 */ 55 - static void fiat_25519_addcarryx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { 66 + static FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { 56 67 uint64_t x1; 57 68 uint64_t x2; 58 69 fiat_25519_uint1 x3; ··· 65 76 66 77 /* 67 78 * The function fiat_25519_subborrowx_u51 is a subtraction with borrow. 79 + * 68 80 * Postconditions: 69 81 * out1 = (-arg1 + arg2 + -arg3) mod 2^51 70 82 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^51⌋ ··· 77 89 * out1: [0x0 ~> 0x7ffffffffffff] 78 90 * out2: [0x0 ~> 0x1] 79 91 */ 80 - static void fiat_25519_subborrowx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { 92 + static FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { 81 93 int64_t x1; 82 94 fiat_25519_int1 x2; 83 95 uint64_t x3; ··· 90 102 91 103 /* 92 104 * The function fiat_25519_cmovznz_u64 is a single-word conditional move. 105 + * 93 106 * Postconditions: 94 107 * out1 = (if arg1 = 0 then arg2 else arg3) 95 108 * ··· 100 113 * Output Bounds: 101 114 * out1: [0x0 ~> 0xffffffffffffffff] 102 115 */ 103 - static void fiat_25519_cmovznz_u64(uint64_t* out1, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { 116 + static FIAT_25519_FIAT_INLINE void fiat_25519_cmovznz_u64(uint64_t* out1, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { 104 117 fiat_25519_uint1 x1; 105 118 uint64_t x2; 106 119 uint64_t x3; ··· 112 125 113 126 /* 114 127 * The function fiat_25519_carry_mul multiplies two field elements and reduces the result. 
128 + * 115 129 * Postconditions: 116 130 * eval out1 mod m = (eval arg1 * eval arg2) mod m 117 131 * 118 - * Input Bounds: 119 - * arg1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] 120 - * arg2: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] 121 - * Output Bounds: 122 - * out1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] 123 132 */ 124 - static void fiat_25519_carry_mul(uint64_t out1[5], const uint64_t arg1[5], const uint64_t arg2[5]) { 133 + static void fiat_25519_carry_mul(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1, const fiat_25519_loose_field_element arg2) { 125 134 fiat_25519_uint128 x1; 126 135 fiat_25519_uint128 x2; 127 136 fiat_25519_uint128 x3; ··· 235 244 236 245 /* 237 246 * The function fiat_25519_carry_square squares a field element and reduces the result. 247 + * 238 248 * Postconditions: 239 249 * eval out1 mod m = (eval arg1 * eval arg1) mod m 240 250 * 241 - * Input Bounds: 242 - * arg1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] 243 - * Output Bounds: 244 - * out1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] 245 251 */ 246 - static void fiat_25519_carry_square(uint64_t out1[5], const uint64_t arg1[5]) { 252 + static void fiat_25519_carry_square(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) { 247 253 uint64_t x1; 248 254 uint64_t x2; 249 255 uint64_t x3; ··· 353 359 354 360 /* 355 361 * The function fiat_25519_carry reduces a field element. 
362 + * 356 363 * Postconditions: 357 364 * eval out1 mod m = eval arg1 mod m 358 365 * 359 - * Input Bounds: 360 - * arg1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] 361 - * Output Bounds: 362 - * out1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] 363 366 */ 364 - static void fiat_25519_carry(uint64_t out1[5], const uint64_t arg1[5]) { 367 + static void fiat_25519_carry(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) { 365 368 uint64_t x1; 366 369 uint64_t x2; 367 370 uint64_t x3; ··· 395 398 396 399 /* 397 400 * The function fiat_25519_add adds two field elements. 401 + * 398 402 * Postconditions: 399 403 * eval out1 mod m = (eval arg1 + eval arg2) mod m 400 404 * 401 - * Input Bounds: 402 - * arg1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] 403 - * arg2: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] 404 - * Output Bounds: 405 - * out1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] 406 405 */ 407 - static void fiat_25519_add(uint64_t out1[5], const uint64_t arg1[5], const uint64_t arg2[5]) { 406 + static void fiat_25519_add(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) { 408 407 uint64_t x1; 409 408 uint64_t x2; 410 409 uint64_t x3; ··· 424 423 425 424 /* 426 425 * The function fiat_25519_sub subtracts two field elements. 
426 + * 427 427 * Postconditions: 428 428 * eval out1 mod m = (eval arg1 - eval arg2) mod m 429 429 * 430 - * Input Bounds: 431 - * arg1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] 432 - * arg2: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] 433 - * Output Bounds: 434 - * out1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] 435 430 */ 436 - static void fiat_25519_sub(uint64_t out1[5], const uint64_t arg1[5], const uint64_t arg2[5]) { 431 + static void fiat_25519_sub(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) { 437 432 uint64_t x1; 438 433 uint64_t x2; 439 434 uint64_t x3; ··· 453 448 454 449 /* 455 450 * The function fiat_25519_opp negates a field element. 451 + * 456 452 * Postconditions: 457 453 * eval out1 mod m = -eval arg1 mod m 458 454 * 459 - * Input Bounds: 460 - * arg1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] 461 - * Output Bounds: 462 - * out1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] 463 455 */ 464 - static void fiat_25519_opp(uint64_t out1[5], const uint64_t arg1[5]) { 456 + static void fiat_25519_opp(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) { 465 457 uint64_t x1; 466 458 uint64_t x2; 467 459 uint64_t x3; ··· 481 473 482 474 /* 483 475 * The function fiat_25519_selectznz is a multi-limb conditional select. 
476 + * 484 477 * Postconditions: 485 478 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) 486 479 * ··· 511 504 512 505 /* 513 506 * The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order. 507 + * 514 508 * Postconditions: 515 509 * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] 516 510 * 517 - * Input Bounds: 518 - * arg1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] 519 511 * Output Bounds: 520 512 * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] 521 513 */ 522 - static void fiat_25519_to_bytes(uint8_t out1[32], const uint64_t arg1[5]) { 514 + static void fiat_25519_to_bytes(uint8_t out1[32], const fiat_25519_tight_field_element arg1) { 523 515 uint64_t x1; 524 516 fiat_25519_uint1 x2; 525 517 uint64_t x3; ··· 728 720 729 721 /* 730 722 * The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order. 
723 + * 731 724 * Postconditions: 732 725 * eval out1 mod m = bytes_eval arg1 mod m 733 726 * 734 727 * Input Bounds: 735 728 * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] 736 - * Output Bounds: 737 - * out1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] 738 729 */ 739 - static void fiat_25519_from_bytes(uint64_t out1[5], const uint8_t arg1[32]) { 730 + static void fiat_25519_from_bytes(fiat_25519_tight_field_element out1, const uint8_t arg1[32]) { 740 731 uint64_t x1; 741 732 uint64_t x2; 742 733 uint64_t x3; ··· 888 879 889 880 /* 890 881 * The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result. 
882 + * 891 883 * Postconditions: 892 884 * eval out1 mod m = (121666 * eval arg1) mod m 893 885 * 894 - * Input Bounds: 895 - * arg1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] 896 - * Output Bounds: 897 - * out1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] 898 886 */ 899 - static void fiat_25519_carry_scmul_121666(uint64_t out1[5], const uint64_t arg1[5]) { 887 + static void fiat_25519_carry_scmul_121666(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) { 900 888 fiat_25519_uint128 x1; 901 889 fiat_25519_uint128 x2; 902 890 fiat_25519_uint128 x3; ··· 957 945 out1[3] = x16; 958 946 out1[4] = x19; 959 947 } 960 -
+46 -43
ec/native/np224_32.h
··· 1 - /* Autogenerated: ../../../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery --static --use-value-barrier np224 32 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D mul add opp from_montgomery to_montgomery one msat divstep_precomp divstep to_bytes from_bytes selectznz */ 1 + /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier --inline-internal np224 32 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D mul add opp from_montgomery to_montgomery one msat divstep_precomp divstep to_bytes from_bytes selectznz */ 2 2 /* curve description: np224 */ 3 3 /* machine_wordsize = 32 (from "32") */ 4 4 /* requested operations: mul, add, opp, from_montgomery, to_montgomery, one, msat, divstep_precomp, divstep, to_bytes, from_bytes, selectznz */ ··· 12 12 /* return values. */ 13 13 /* */ 14 14 /* Computed values: */ 15 - /* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) */ 16 - /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) */ 15 + /* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) */ 16 + /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 
184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) */ 17 + /* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) in */ 18 + /* if x1 & (2^224-1) < 2^223 then x1 & (2^224-1) else (x1 & (2^224-1)) - 2^224 */ 17 19 18 20 #include <stdint.h> 19 21 typedef unsigned char fiat_np224_uint1; 20 22 typedef signed char fiat_np224_int1; 23 + #ifdef __GNUC__ 24 + # define FIAT_NP224_FIAT_INLINE __inline__ 25 + #else 26 + # define FIAT_NP224_FIAT_INLINE 27 + #endif 28 + 29 + /* The type fiat_np224_montgomery_domain_field_element is a field element in the Montgomery domain. */ 30 + /* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ 31 + typedef uint32_t fiat_np224_montgomery_domain_field_element[7]; 32 + 33 + /* The type fiat_np224_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */ 34 + /* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ 35 + typedef uint32_t fiat_np224_non_montgomery_domain_field_element[7]; 21 36 22 37 #if (-1 & 3) != 3 23 38 #error "This code only works on a two's complement system" ··· 35 50 36 51 /* 37 52 * The function fiat_np224_addcarryx_u32 is an addition with carry. 
53 + * 38 54 * Postconditions: 39 55 * out1 = (arg1 + arg2 + arg3) mod 2^32 40 56 * out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ ··· 47 63 * out1: [0x0 ~> 0xffffffff] 48 64 * out2: [0x0 ~> 0x1] 49 65 */ 50 - static void fiat_np224_addcarryx_u32(uint32_t* out1, fiat_np224_uint1* out2, fiat_np224_uint1 arg1, uint32_t arg2, uint32_t arg3) { 66 + static FIAT_NP224_FIAT_INLINE void fiat_np224_addcarryx_u32(uint32_t* out1, fiat_np224_uint1* out2, fiat_np224_uint1 arg1, uint32_t arg2, uint32_t arg3) { 51 67 uint64_t x1; 52 68 uint32_t x2; 53 69 fiat_np224_uint1 x3; ··· 60 76 61 77 /* 62 78 * The function fiat_np224_subborrowx_u32 is a subtraction with borrow. 79 + * 63 80 * Postconditions: 64 81 * out1 = (-arg1 + arg2 + -arg3) mod 2^32 65 82 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ ··· 72 89 * out1: [0x0 ~> 0xffffffff] 73 90 * out2: [0x0 ~> 0x1] 74 91 */ 75 - static void fiat_np224_subborrowx_u32(uint32_t* out1, fiat_np224_uint1* out2, fiat_np224_uint1 arg1, uint32_t arg2, uint32_t arg3) { 92 + static FIAT_NP224_FIAT_INLINE void fiat_np224_subborrowx_u32(uint32_t* out1, fiat_np224_uint1* out2, fiat_np224_uint1 arg1, uint32_t arg2, uint32_t arg3) { 76 93 int64_t x1; 77 94 fiat_np224_int1 x2; 78 95 uint32_t x3; ··· 85 102 86 103 /* 87 104 * The function fiat_np224_mulx_u32 is a multiplication, returning the full double-width result. 105 + * 88 106 * Postconditions: 89 107 * out1 = (arg1 * arg2) mod 2^32 90 108 * out2 = ⌊arg1 * arg2 / 2^32⌋ ··· 96 114 * out1: [0x0 ~> 0xffffffff] 97 115 * out2: [0x0 ~> 0xffffffff] 98 116 */ 99 - static void fiat_np224_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) { 117 + static FIAT_NP224_FIAT_INLINE void fiat_np224_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) { 100 118 uint64_t x1; 101 119 uint32_t x2; 102 120 uint32_t x3; ··· 109 127 110 128 /* 111 129 * The function fiat_np224_cmovznz_u32 is a single-word conditional move. 
130 + * 112 131 * Postconditions: 113 132 * out1 = (if arg1 = 0 then arg2 else arg3) 114 133 * ··· 119 138 * Output Bounds: 120 139 * out1: [0x0 ~> 0xffffffff] 121 140 */ 122 - static void fiat_np224_cmovznz_u32(uint32_t* out1, fiat_np224_uint1 arg1, uint32_t arg2, uint32_t arg3) { 141 + static FIAT_NP224_FIAT_INLINE void fiat_np224_cmovznz_u32(uint32_t* out1, fiat_np224_uint1 arg1, uint32_t arg2, uint32_t arg3) { 123 142 fiat_np224_uint1 x1; 124 143 uint32_t x2; 125 144 uint32_t x3; ··· 131 150 132 151 /* 133 152 * The function fiat_np224_mul multiplies two field elements in the Montgomery domain. 153 + * 134 154 * Preconditions: 135 155 * 0 ≤ eval arg1 < m 136 156 * 0 ≤ eval arg2 < m ··· 138 158 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m 139 159 * 0 ≤ eval out1 < m 140 160 * 141 - * Input Bounds: 142 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 143 - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 144 - * Output Bounds: 145 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 146 161 */ 147 - static void fiat_np224_mul(uint32_t out1[7], const uint32_t arg1[7], const uint32_t arg2[7]) { 162 + static void fiat_np224_mul(fiat_np224_montgomery_domain_field_element out1, const fiat_np224_montgomery_domain_field_element arg1, const fiat_np224_montgomery_domain_field_element arg2) { 148 163 uint32_t x1; 149 164 uint32_t x2; 150 165 uint32_t x3; ··· 1127 1142 1128 1143 /* 1129 1144 * The function fiat_np224_add adds two field elements in the Montgomery domain. 
1145 + * 1130 1146 * Preconditions: 1131 1147 * 0 ≤ eval arg1 < m 1132 1148 * 0 ≤ eval arg2 < m ··· 1134 1150 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m 1135 1151 * 0 ≤ eval out1 < m 1136 1152 * 1137 - * Input Bounds: 1138 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1139 - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1140 - * Output Bounds: 1141 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1142 1153 */ 1143 - static void fiat_np224_add(uint32_t out1[7], const uint32_t arg1[7], const uint32_t arg2[7]) { 1154 + static void fiat_np224_add(fiat_np224_montgomery_domain_field_element out1, const fiat_np224_montgomery_domain_field_element arg1, const fiat_np224_montgomery_domain_field_element arg2) { 1144 1155 uint32_t x1; 1145 1156 fiat_np224_uint1 x2; 1146 1157 uint32_t x3; ··· 1211 1222 1212 1223 /* 1213 1224 * The function fiat_np224_opp negates a field element in the Montgomery domain. 
1225 + * 1214 1226 * Preconditions: 1215 1227 * 0 ≤ eval arg1 < m 1216 1228 * Postconditions: 1217 1229 * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m 1218 1230 * 0 ≤ eval out1 < m 1219 1231 * 1220 - * Input Bounds: 1221 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1222 - * Output Bounds: 1223 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1224 1232 */ 1225 - static void fiat_np224_opp(uint32_t out1[7], const uint32_t arg1[7]) { 1233 + static void fiat_np224_opp(fiat_np224_montgomery_domain_field_element out1, const fiat_np224_montgomery_domain_field_element arg1) { 1226 1234 uint32_t x1; 1227 1235 fiat_np224_uint1 x2; 1228 1236 uint32_t x3; ··· 1278 1286 1279 1287 /* 1280 1288 * The function fiat_np224_from_montgomery translates a field element out of the Montgomery domain. 
1289 + * 1281 1290 * Preconditions: 1282 1291 * 0 ≤ eval arg1 < m 1283 1292 * Postconditions: 1284 1293 * eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^7) mod m 1285 1294 * 0 ≤ eval out1 < m 1286 1295 * 1287 - * Input Bounds: 1288 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1289 - * Output Bounds: 1290 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1291 1296 */ 1292 - static void fiat_np224_from_montgomery(uint32_t out1[7], const uint32_t arg1[7]) { 1297 + static void fiat_np224_from_montgomery(fiat_np224_non_montgomery_domain_field_element out1, const fiat_np224_montgomery_domain_field_element arg1) { 1293 1298 uint32_t x1; 1294 1299 uint32_t x2; 1295 1300 uint32_t x3; ··· 1929 1934 1930 1935 /* 1931 1936 * The function fiat_np224_to_montgomery translates a field element into the Montgomery domain. 
1937 + * 1932 1938 * Preconditions: 1933 1939 * 0 ≤ eval arg1 < m 1934 1940 * Postconditions: 1935 1941 * eval (from_montgomery out1) mod m = eval arg1 mod m 1936 1942 * 0 ≤ eval out1 < m 1937 1943 * 1938 - * Input Bounds: 1939 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1940 - * Output Bounds: 1941 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1942 1944 */ 1943 - static void fiat_np224_to_montgomery(uint32_t out1[7], const uint32_t arg1[7]) { 1945 + static void fiat_np224_to_montgomery(fiat_np224_montgomery_domain_field_element out1, const fiat_np224_non_montgomery_domain_field_element arg1) { 1944 1946 uint32_t x1; 1945 1947 uint32_t x2; 1946 1948 uint32_t x3; ··· 2865 2867 2866 2868 /* 2867 2869 * The function fiat_np224_set_one returns the field element one in the Montgomery domain. 2870 + * 2868 2871 * Postconditions: 2869 2872 * eval (from_montgomery out1) mod m = 1 mod m 2870 2873 * 0 ≤ eval out1 < m 2871 2874 * 2872 - * Input Bounds: 2873 - * Output Bounds: 2874 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2875 2875 */ 2876 - static void fiat_np224_set_one(uint32_t out1[7]) { 2876 + static void fiat_np224_set_one(fiat_np224_montgomery_domain_field_element out1) { 2877 2877 out1[0] = UINT32_C(0xa3a3d5c3); 2878 2878 out1[1] = UINT32_C(0xec22d6ba); 2879 2879 out1[2] = UINT32_C(0x1f470fc1); ··· 2884 2884 } 2885 2885 2886 2886 /* 2887 - * The function fiat_np224_msat returns the saturated represtation of the prime modulus. 2887 + * The function fiat_np224_msat returns the saturated representation of the prime modulus. 
2888 + * 2888 2889 * Postconditions: 2889 2890 * twos_complement_eval out1 = m 2890 2891 * 0 ≤ eval out1 < m 2891 2892 * 2892 - * Input Bounds: 2893 2893 * Output Bounds: 2894 2894 * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2895 2895 */ ··· 2906 2906 2907 2907 /* 2908 2908 * The function fiat_np224_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 2909 + * 2909 2910 * Postconditions: 2910 - * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) 2911 + * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋) 2911 2912 * 0 ≤ eval out1 < m 2912 2913 * 2913 - * Input Bounds: 2914 2914 * Output Bounds: 2915 2915 * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2916 2916 */ ··· 2926 2926 2927 2927 /* 2928 2928 * The function fiat_np224_divstep computes a divstep. 2929 + * 2929 2930 * Preconditions: 2930 2931 * 0 ≤ eval arg4 < m 2931 2932 * 0 ≤ eval arg5 < m ··· 3334 3335 3335 3336 /* 3336 3337 * The function fiat_np224_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 3338 + * 3337 3339 * Preconditions: 3338 3340 * 0 ≤ eval arg1 < m 3339 3341 * Postconditions: ··· 3475 3477 3476 3478 /* 3477 3479 * The function fiat_np224_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 3480 + * 3478 3481 * Preconditions: 3479 3482 * 0 ≤ bytes_eval arg1 < m 3480 3483 * Postconditions: ··· 3596 3599 3597 3600 /* 3598 3601 * The function fiat_np224_selectznz is a multi-limb conditional select. 
3602 + * 3599 3603 * Postconditions: 3600 3604 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) 3601 3605 * ··· 3629 3633 out1[5] = x6; 3630 3634 out1[6] = x7; 3631 3635 } 3632 -
+43 -43
ec/native/np224_64.h
··· 1 - /* Autogenerated: ../../../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery --static --use-value-barrier np224 64 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D mul add opp from_montgomery to_montgomery one msat divstep_precomp divstep to_bytes from_bytes selectznz */ 1 + /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier --inline-internal np224 64 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D mul add opp from_montgomery to_montgomery one msat divstep_precomp divstep to_bytes from_bytes selectznz */ 2 2 /* curve description: np224 */ 3 3 /* machine_wordsize = 64 (from "64") */ 4 4 /* requested operations: mul, add, opp, from_montgomery, to_montgomery, one, msat, divstep_precomp, divstep, to_bytes, from_bytes, selectznz */ ··· 12 12 /* return values. */ 13 13 /* */ 14 14 /* Computed values: */ 15 - /* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ 16 - /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) */ 15 + /* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ 16 + /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) */ 17 + /* 
twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */ 18 + /* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ 17 19 18 20 #include <stdint.h> 19 21 typedef unsigned char fiat_np224_uint1; 20 22 typedef signed char fiat_np224_int1; 21 23 #ifdef __GNUC__ 22 24 # define FIAT_NP224_FIAT_EXTENSION __extension__ 25 + # define FIAT_NP224_FIAT_INLINE __inline__ 23 26 #else 24 27 # define FIAT_NP224_FIAT_EXTENSION 28 + # define FIAT_NP224_FIAT_INLINE 25 29 #endif 26 30 27 31 FIAT_NP224_FIAT_EXTENSION typedef signed __int128 fiat_np224_int128; 28 32 FIAT_NP224_FIAT_EXTENSION typedef unsigned __int128 fiat_np224_uint128; 29 33 34 + /* The type fiat_np224_montgomery_domain_field_element is a field element in the Montgomery domain. */ 35 + /* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ 36 + typedef uint64_t fiat_np224_montgomery_domain_field_element[4]; 37 + 38 + /* The type fiat_np224_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */ 39 + /* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ 40 + typedef uint64_t fiat_np224_non_montgomery_domain_field_element[4]; 41 + 30 42 #if (-1 & 3) != 3 31 43 #error "This code only works on a two's complement system" 32 44 #endif ··· 43 55 44 56 /* 45 57 * The function fiat_np224_addcarryx_u64 is an addition with carry. 
58 + * 46 59 * Postconditions: 47 60 * out1 = (arg1 + arg2 + arg3) mod 2^64 48 61 * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ ··· 55 68 * out1: [0x0 ~> 0xffffffffffffffff] 56 69 * out2: [0x0 ~> 0x1] 57 70 */ 58 - static void fiat_np224_addcarryx_u64(uint64_t* out1, fiat_np224_uint1* out2, fiat_np224_uint1 arg1, uint64_t arg2, uint64_t arg3) { 71 + static FIAT_NP224_FIAT_INLINE void fiat_np224_addcarryx_u64(uint64_t* out1, fiat_np224_uint1* out2, fiat_np224_uint1 arg1, uint64_t arg2, uint64_t arg3) { 59 72 fiat_np224_uint128 x1; 60 73 uint64_t x2; 61 74 fiat_np224_uint1 x3; ··· 68 81 69 82 /* 70 83 * The function fiat_np224_subborrowx_u64 is a subtraction with borrow. 84 + * 71 85 * Postconditions: 72 86 * out1 = (-arg1 + arg2 + -arg3) mod 2^64 73 87 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ ··· 80 94 * out1: [0x0 ~> 0xffffffffffffffff] 81 95 * out2: [0x0 ~> 0x1] 82 96 */ 83 - static void fiat_np224_subborrowx_u64(uint64_t* out1, fiat_np224_uint1* out2, fiat_np224_uint1 arg1, uint64_t arg2, uint64_t arg3) { 97 + static FIAT_NP224_FIAT_INLINE void fiat_np224_subborrowx_u64(uint64_t* out1, fiat_np224_uint1* out2, fiat_np224_uint1 arg1, uint64_t arg2, uint64_t arg3) { 84 98 fiat_np224_int128 x1; 85 99 fiat_np224_int1 x2; 86 100 uint64_t x3; ··· 93 107 94 108 /* 95 109 * The function fiat_np224_mulx_u64 is a multiplication, returning the full double-width result. 110 + * 96 111 * Postconditions: 97 112 * out1 = (arg1 * arg2) mod 2^64 98 113 * out2 = ⌊arg1 * arg2 / 2^64⌋ ··· 104 119 * out1: [0x0 ~> 0xffffffffffffffff] 105 120 * out2: [0x0 ~> 0xffffffffffffffff] 106 121 */ 107 - static void fiat_np224_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { 122 + static FIAT_NP224_FIAT_INLINE void fiat_np224_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { 108 123 fiat_np224_uint128 x1; 109 124 uint64_t x2; 110 125 uint64_t x3; ··· 117 132 118 133 /* 119 134 * The function fiat_np224_cmovznz_u64 is a single-word conditional move. 
135 + * 120 136 * Postconditions: 121 137 * out1 = (if arg1 = 0 then arg2 else arg3) 122 138 * ··· 127 143 * Output Bounds: 128 144 * out1: [0x0 ~> 0xffffffffffffffff] 129 145 */ 130 - static void fiat_np224_cmovznz_u64(uint64_t* out1, fiat_np224_uint1 arg1, uint64_t arg2, uint64_t arg3) { 146 + static FIAT_NP224_FIAT_INLINE void fiat_np224_cmovznz_u64(uint64_t* out1, fiat_np224_uint1 arg1, uint64_t arg2, uint64_t arg3) { 131 147 fiat_np224_uint1 x1; 132 148 uint64_t x2; 133 149 uint64_t x3; ··· 139 155 140 156 /* 141 157 * The function fiat_np224_mul multiplies two field elements in the Montgomery domain. 158 + * 142 159 * Preconditions: 143 160 * 0 ≤ eval arg1 < m 144 161 * 0 ≤ eval arg2 < m ··· 146 163 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m 147 164 * 0 ≤ eval out1 < m 148 165 * 149 - * Input Bounds: 150 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 151 - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 152 - * Output Bounds: 153 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 154 166 */ 155 - static void fiat_np224_mul(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { 167 + static void fiat_np224_mul(fiat_np224_montgomery_domain_field_element out1, const fiat_np224_montgomery_domain_field_element arg1, const fiat_np224_montgomery_domain_field_element arg2) { 156 168 uint64_t x1; 157 169 uint64_t x2; 158 170 uint64_t x3; ··· 499 511 500 512 /* 501 513 * The function fiat_np224_add adds two field elements in the Montgomery domain. 
514 + * 502 515 * Preconditions: 503 516 * 0 ≤ eval arg1 < m 504 517 * 0 ≤ eval arg2 < m ··· 506 519 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m 507 520 * 0 ≤ eval out1 < m 508 521 * 509 - * Input Bounds: 510 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 511 - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 512 - * Output Bounds: 513 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 514 522 */ 515 - static void fiat_np224_add(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { 523 + static void fiat_np224_add(fiat_np224_montgomery_domain_field_element out1, const fiat_np224_montgomery_domain_field_element arg1, const fiat_np224_montgomery_domain_field_element arg2) { 516 524 uint64_t x1; 517 525 fiat_np224_uint1 x2; 518 526 uint64_t x3; ··· 556 564 557 565 /* 558 566 * The function fiat_np224_opp negates a field element in the Montgomery domain. 
567 + * 559 568 * Preconditions: 560 569 * 0 ≤ eval arg1 < m 561 570 * Postconditions: 562 571 * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m 563 572 * 0 ≤ eval out1 < m 564 573 * 565 - * Input Bounds: 566 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 567 - * Output Bounds: 568 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 569 574 */ 570 - static void fiat_np224_opp(uint64_t out1[4], const uint64_t arg1[4]) { 575 + static void fiat_np224_opp(fiat_np224_montgomery_domain_field_element out1, const fiat_np224_montgomery_domain_field_element arg1) { 571 576 uint64_t x1; 572 577 fiat_np224_uint1 x2; 573 578 uint64_t x3; ··· 602 607 603 608 /* 604 609 * The function fiat_np224_from_montgomery translates a field element out of the Montgomery domain. 610 + * 605 611 * Preconditions: 606 612 * 0 ≤ eval arg1 < m 607 613 * Postconditions: 608 614 * eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m 609 615 * 0 ≤ eval out1 < m 610 616 * 611 - * Input Bounds: 612 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 613 - * Output Bounds: 614 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 615 617 */ 616 - static void fiat_np224_from_montgomery(uint64_t out1[4], const uint64_t arg1[4]) { 618 + static void fiat_np224_from_montgomery(fiat_np224_non_montgomery_domain_field_element out1, const fiat_np224_montgomery_domain_field_element arg1) { 617 619 uint64_t x1; 618 620 uint64_t x2; 619 621 uint64_t x3; ··· 820 822 821 823 /* 822 824 * The function fiat_np224_to_montgomery translates a field element into the Montgomery domain. 
825 + * 823 826 * Preconditions: 824 827 * 0 ≤ eval arg1 < m 825 828 * Postconditions: 826 829 * eval (from_montgomery out1) mod m = eval arg1 mod m 827 830 * 0 ≤ eval out1 < m 828 831 * 829 - * Input Bounds: 830 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 831 - * Output Bounds: 832 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 833 832 */ 834 - static void fiat_np224_to_montgomery(uint64_t out1[4], const uint64_t arg1[4]) { 833 + static void fiat_np224_to_montgomery(fiat_np224_montgomery_domain_field_element out1, const fiat_np224_non_montgomery_domain_field_element arg1) { 835 834 uint64_t x1; 836 835 uint64_t x2; 837 836 uint64_t x3; ··· 1137 1136 1138 1137 /* 1139 1138 * The function fiat_np224_set_one returns the field element one in the Montgomery domain. 1139 + * 1140 1140 * Postconditions: 1141 1141 * eval (from_montgomery out1) mod m = 1 mod m 1142 1142 * 0 ≤ eval out1 < m 1143 1143 * 1144 - * Input Bounds: 1145 - * Output Bounds: 1146 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1147 1144 */ 1148 - static void fiat_np224_set_one(uint64_t out1[4]) { 1145 + static void fiat_np224_set_one(fiat_np224_montgomery_domain_field_element out1) { 1149 1146 out1[0] = UINT64_C(0xa3a3d5c300000000); 1150 1147 out1[1] = UINT64_C(0x1f470fc1ec22d6ba); 1151 1148 out1[2] = UINT16_C(0xe95d); ··· 1153 1150 } 1154 1151 1155 1152 /* 1156 - * The function fiat_np224_msat returns the saturated represtation of the prime modulus. 1153 + * The function fiat_np224_msat returns the saturated representation of the prime modulus. 
1154 + * 1157 1155 * Postconditions: 1158 1156 * twos_complement_eval out1 = m 1159 1157 * 0 ≤ eval out1 < m 1160 1158 * 1161 - * Input Bounds: 1162 1159 * Output Bounds: 1163 1160 * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1164 1161 */ ··· 1172 1169 1173 1170 /* 1174 1171 * The function fiat_np224_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 1172 + * 1175 1173 * Postconditions: 1176 - * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) 1174 + * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋) 1177 1175 * 0 ≤ eval out1 < m 1178 1176 * 1179 - * Input Bounds: 1180 1177 * Output Bounds: 1181 1178 * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1182 1179 */ ··· 1189 1186 1190 1187 /* 1191 1188 * The function fiat_np224_divstep computes a divstep. 1189 + * 1192 1190 * Preconditions: 1193 1191 * 0 ≤ eval arg4 < m 1194 1192 * 0 ≤ eval arg5 < m ··· 1453 1451 1454 1452 /* 1455 1453 * The function fiat_np224_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 1454 + * 1456 1455 * Preconditions: 1457 1456 * 0 ≤ eval arg1 < m 1458 1457 * Postconditions: ··· 1600 1599 1601 1600 /* 1602 1601 * The function fiat_np224_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 1602 + * 1603 1603 * Preconditions: 1604 1604 * 0 ≤ bytes_eval arg1 < m 1605 1605 * Postconditions: ··· 1724 1724 1725 1725 /* 1726 1726 * The function fiat_np224_selectznz is a multi-limb conditional select. 
1727 + * 1727 1728 * Postconditions: 1728 1729 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) 1729 1730 * ··· 1748 1749 out1[2] = x3; 1749 1750 out1[3] = x4; 1750 1751 } 1751 -
+46 -43
ec/native/np256_32.h
··· 1 - /* Autogenerated: ../../../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery --static --use-value-barrier np256 32 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551 mul add opp from_montgomery to_montgomery one msat divstep_precomp divstep to_bytes from_bytes selectznz */ 1 + /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier --inline-internal np256 32 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551 mul add opp from_montgomery to_montgomery one msat divstep_precomp divstep to_bytes from_bytes selectznz */ 2 2 /* curve description: np256 */ 3 3 /* machine_wordsize = 32 (from "32") */ 4 4 /* requested operations: mul, add, opp, from_montgomery, to_montgomery, one, msat, divstep_precomp, divstep, to_bytes, from_bytes, selectznz */ ··· 12 12 /* return values. */ 13 13 /* */ 14 14 /* Computed values: */ 15 - /* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) */ 16 - /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ 15 + /* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) */ 16 + /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) 
+ (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ 17 + /* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in */ 18 + /* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ 17 19 18 20 #include <stdint.h> 19 21 typedef unsigned char fiat_np256_uint1; 20 22 typedef signed char fiat_np256_int1; 23 + #ifdef __GNUC__ 24 + # define FIAT_NP256_FIAT_INLINE __inline__ 25 + #else 26 + # define FIAT_NP256_FIAT_INLINE 27 + #endif 28 + 29 + /* The type fiat_np256_montgomery_domain_field_element is a field element in the Montgomery domain. */ 30 + /* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ 31 + typedef uint32_t fiat_np256_montgomery_domain_field_element[8]; 32 + 33 + /* The type fiat_np256_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */ 34 + /* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ 35 + typedef uint32_t fiat_np256_non_montgomery_domain_field_element[8]; 21 36 22 37 #if (-1 & 3) != 3 23 38 #error "This code only works on a two's complement system" ··· 35 50 36 51 /* 37 52 * The function fiat_np256_addcarryx_u32 is an addition with carry. 
53 + * 38 54 * Postconditions: 39 55 * out1 = (arg1 + arg2 + arg3) mod 2^32 40 56 * out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ ··· 47 63 * out1: [0x0 ~> 0xffffffff] 48 64 * out2: [0x0 ~> 0x1] 49 65 */ 50 - static void fiat_np256_addcarryx_u32(uint32_t* out1, fiat_np256_uint1* out2, fiat_np256_uint1 arg1, uint32_t arg2, uint32_t arg3) { 66 + static FIAT_NP256_FIAT_INLINE void fiat_np256_addcarryx_u32(uint32_t* out1, fiat_np256_uint1* out2, fiat_np256_uint1 arg1, uint32_t arg2, uint32_t arg3) { 51 67 uint64_t x1; 52 68 uint32_t x2; 53 69 fiat_np256_uint1 x3; ··· 60 76 61 77 /* 62 78 * The function fiat_np256_subborrowx_u32 is a subtraction with borrow. 79 + * 63 80 * Postconditions: 64 81 * out1 = (-arg1 + arg2 + -arg3) mod 2^32 65 82 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ ··· 72 89 * out1: [0x0 ~> 0xffffffff] 73 90 * out2: [0x0 ~> 0x1] 74 91 */ 75 - static void fiat_np256_subborrowx_u32(uint32_t* out1, fiat_np256_uint1* out2, fiat_np256_uint1 arg1, uint32_t arg2, uint32_t arg3) { 92 + static FIAT_NP256_FIAT_INLINE void fiat_np256_subborrowx_u32(uint32_t* out1, fiat_np256_uint1* out2, fiat_np256_uint1 arg1, uint32_t arg2, uint32_t arg3) { 76 93 int64_t x1; 77 94 fiat_np256_int1 x2; 78 95 uint32_t x3; ··· 85 102 86 103 /* 87 104 * The function fiat_np256_mulx_u32 is a multiplication, returning the full double-width result. 105 + * 88 106 * Postconditions: 89 107 * out1 = (arg1 * arg2) mod 2^32 90 108 * out2 = ⌊arg1 * arg2 / 2^32⌋ ··· 96 114 * out1: [0x0 ~> 0xffffffff] 97 115 * out2: [0x0 ~> 0xffffffff] 98 116 */ 99 - static void fiat_np256_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) { 117 + static FIAT_NP256_FIAT_INLINE void fiat_np256_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) { 100 118 uint64_t x1; 101 119 uint32_t x2; 102 120 uint32_t x3; ··· 109 127 110 128 /* 111 129 * The function fiat_np256_cmovznz_u32 is a single-word conditional move. 
130 + * 112 131 * Postconditions: 113 132 * out1 = (if arg1 = 0 then arg2 else arg3) 114 133 * ··· 119 138 * Output Bounds: 120 139 * out1: [0x0 ~> 0xffffffff] 121 140 */ 122 - static void fiat_np256_cmovznz_u32(uint32_t* out1, fiat_np256_uint1 arg1, uint32_t arg2, uint32_t arg3) { 141 + static FIAT_NP256_FIAT_INLINE void fiat_np256_cmovznz_u32(uint32_t* out1, fiat_np256_uint1 arg1, uint32_t arg2, uint32_t arg3) { 123 142 fiat_np256_uint1 x1; 124 143 uint32_t x2; 125 144 uint32_t x3; ··· 131 150 132 151 /* 133 152 * The function fiat_np256_mul multiplies two field elements in the Montgomery domain. 153 + * 134 154 * Preconditions: 135 155 * 0 ≤ eval arg1 < m 136 156 * 0 ≤ eval arg2 < m ··· 138 158 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m 139 159 * 0 ≤ eval out1 < m 140 160 * 141 - * Input Bounds: 142 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 143 - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 144 - * Output Bounds: 145 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 146 161 */ 147 - static void fiat_np256_mul(uint32_t out1[8], const uint32_t arg1[8], const uint32_t arg2[8]) { 162 + static void fiat_np256_mul(fiat_np256_montgomery_domain_field_element out1, const fiat_np256_montgomery_domain_field_element arg1, const fiat_np256_montgomery_domain_field_element arg2) { 148 163 uint32_t x1; 149 164 uint32_t x2; 150 165 uint32_t x3; ··· 1339 1354 1340 1355 /* 1341 1356 * The function fiat_np256_add adds two field elements in the Montgomery domain. 
1357 + * 1342 1358 * Preconditions: 1343 1359 * 0 ≤ eval arg1 < m 1344 1360 * 0 ≤ eval arg2 < m ··· 1346 1362 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m 1347 1363 * 0 ≤ eval out1 < m 1348 1364 * 1349 - * Input Bounds: 1350 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1351 - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1352 - * Output Bounds: 1353 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1354 1365 */ 1355 - static void fiat_np256_add(uint32_t out1[8], const uint32_t arg1[8], const uint32_t arg2[8]) { 1366 + static void fiat_np256_add(fiat_np256_montgomery_domain_field_element out1, const fiat_np256_montgomery_domain_field_element arg1, const fiat_np256_montgomery_domain_field_element arg2) { 1356 1367 uint32_t x1; 1357 1368 fiat_np256_uint1 x2; 1358 1369 uint32_t x3; ··· 1432 1443 1433 1444 /* 1434 1445 * The function fiat_np256_opp negates a field element in the Montgomery domain. 
1446 + * 1435 1447 * Preconditions: 1436 1448 * 0 ≤ eval arg1 < m 1437 1449 * Postconditions: 1438 1450 * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m 1439 1451 * 0 ≤ eval out1 < m 1440 1452 * 1441 - * Input Bounds: 1442 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1443 - * Output Bounds: 1444 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1445 1453 */ 1446 - static void fiat_np256_opp(uint32_t out1[8], const uint32_t arg1[8]) { 1454 + static void fiat_np256_opp(fiat_np256_montgomery_domain_field_element out1, const fiat_np256_montgomery_domain_field_element arg1) { 1447 1455 uint32_t x1; 1448 1456 fiat_np256_uint1 x2; 1449 1457 uint32_t x3; ··· 1506 1514 1507 1515 /* 1508 1516 * The function fiat_np256_from_montgomery translates a field element out of the Montgomery domain. 
1517 + * 1509 1518 * Preconditions: 1510 1519 * 0 ≤ eval arg1 < m 1511 1520 * Postconditions: 1512 1521 * eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^8) mod m 1513 1522 * 0 ≤ eval out1 < m 1514 1523 * 1515 - * Input Bounds: 1516 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1517 - * Output Bounds: 1518 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1519 1524 */ 1520 - static void fiat_np256_from_montgomery(uint32_t out1[8], const uint32_t arg1[8]) { 1525 + static void fiat_np256_from_montgomery(fiat_np256_non_montgomery_domain_field_element out1, const fiat_np256_montgomery_domain_field_element arg1) { 1521 1526 uint32_t x1; 1522 1527 uint32_t x2; 1523 1528 uint32_t x3; ··· 2268 2273 2269 2274 /* 2270 2275 * The function fiat_np256_to_montgomery translates a field element into the Montgomery domain. 
2276 + * 2271 2277 * Preconditions: 2272 2278 * 0 ≤ eval arg1 < m 2273 2279 * Postconditions: 2274 2280 * eval (from_montgomery out1) mod m = eval arg1 mod m 2275 2281 * 0 ≤ eval out1 < m 2276 2282 * 2277 - * Input Bounds: 2278 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2279 - * Output Bounds: 2280 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2281 2283 */ 2282 - static void fiat_np256_to_montgomery(uint32_t out1[8], const uint32_t arg1[8]) { 2284 + static void fiat_np256_to_montgomery(fiat_np256_montgomery_domain_field_element out1, const fiat_np256_non_montgomery_domain_field_element arg1) { 2283 2285 uint32_t x1; 2284 2286 uint32_t x2; 2285 2287 uint32_t x3; ··· 3407 3409 3408 3410 /* 3409 3411 * The function fiat_np256_set_one returns the field element one in the Montgomery domain. 3412 + * 3410 3413 * Postconditions: 3411 3414 * eval (from_montgomery out1) mod m = 1 mod m 3412 3415 * 0 ≤ eval out1 < m 3413 3416 * 3414 - * Input Bounds: 3415 - * Output Bounds: 3416 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 3417 3417 */ 3418 - static void fiat_np256_set_one(uint32_t out1[8]) { 3418 + static void fiat_np256_set_one(fiat_np256_montgomery_domain_field_element out1) { 3419 3419 out1[0] = UINT32_C(0x39cdaaf); 3420 3420 out1[1] = UINT32_C(0xc46353d); 3421 3421 out1[2] = UINT32_C(0x58e8617b); ··· 3427 3427 } 3428 3428 3429 3429 /* 3430 - * The function fiat_np256_msat returns the saturated represtation of the prime modulus. 3430 + * The function fiat_np256_msat returns the saturated representation of the prime modulus. 
3431 + * 3431 3432 * Postconditions: 3432 3433 * twos_complement_eval out1 = m 3433 3434 * 0 ≤ eval out1 < m 3434 3435 * 3435 - * Input Bounds: 3436 3436 * Output Bounds: 3437 3437 * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 3438 3438 */ ··· 3450 3450 3451 3451 /* 3452 3452 * The function fiat_np256_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 3453 + * 3453 3454 * Postconditions: 3454 - * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) 3455 + * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋) 3455 3456 * 0 ≤ eval out1 < m 3456 3457 * 3457 - * Input Bounds: 3458 3458 * Output Bounds: 3459 3459 * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 3460 3460 */ ··· 3471 3471 3472 3472 /* 3473 3473 * The function fiat_np256_divstep computes a divstep. 3474 + * 3474 3475 * Preconditions: 3475 3476 * 0 ≤ eval arg4 < m 3476 3477 * 0 ≤ eval arg5 < m ··· 3927 3928 3928 3929 /* 3929 3930 * The function fiat_np256_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 3931 + * 3930 3932 * Preconditions: 3931 3933 * 0 ≤ eval arg1 < m 3932 3934 * Postconditions: ··· 4086 4088 4087 4089 /* 4088 4090 * The function fiat_np256_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 
4091 + * 4089 4092 * Preconditions: 4090 4093 * 0 ≤ bytes_eval arg1 < m 4091 4094 * Postconditions: ··· 4222 4225 4223 4226 /* 4224 4227 * The function fiat_np256_selectznz is a multi-limb conditional select. 4228 + * 4225 4229 * Postconditions: 4226 4230 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) 4227 4231 * ··· 4258 4262 out1[6] = x7; 4259 4263 out1[7] = x8; 4260 4264 } 4261 -
+43 -43
ec/native/np256_64.h
··· 1 - /* Autogenerated: ../../../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery --static --use-value-barrier np256 64 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551 mul add opp from_montgomery to_montgomery one msat divstep_precomp divstep to_bytes from_bytes selectznz */ 1 + /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier --inline-internal np256 64 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551 mul add opp from_montgomery to_montgomery one msat divstep_precomp divstep to_bytes from_bytes selectznz */ 2 2 /* curve description: np256 */ 3 3 /* machine_wordsize = 64 (from "64") */ 4 4 /* requested operations: mul, add, opp, from_montgomery, to_montgomery, one, msat, divstep_precomp, divstep, to_bytes, from_bytes, selectznz */ ··· 12 12 /* return values. */ 13 13 /* */ 14 14 /* Computed values: */ 15 - /* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ 16 - /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ 15 + /* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ 16 + /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + 
(z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ 17 + /* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */ 18 + /* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ 17 19 18 20 #include <stdint.h> 19 21 typedef unsigned char fiat_np256_uint1; 20 22 typedef signed char fiat_np256_int1; 21 23 #ifdef __GNUC__ 22 24 # define FIAT_NP256_FIAT_EXTENSION __extension__ 25 + # define FIAT_NP256_FIAT_INLINE __inline__ 23 26 #else 24 27 # define FIAT_NP256_FIAT_EXTENSION 28 + # define FIAT_NP256_FIAT_INLINE 25 29 #endif 26 30 27 31 FIAT_NP256_FIAT_EXTENSION typedef signed __int128 fiat_np256_int128; 28 32 FIAT_NP256_FIAT_EXTENSION typedef unsigned __int128 fiat_np256_uint128; 29 33 34 + /* The type fiat_np256_montgomery_domain_field_element is a field element in the Montgomery domain. */ 35 + /* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ 36 + typedef uint64_t fiat_np256_montgomery_domain_field_element[4]; 37 + 38 + /* The type fiat_np256_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */ 39 + /* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ 40 + typedef uint64_t fiat_np256_non_montgomery_domain_field_element[4]; 41 + 30 42 #if (-1 & 3) != 3 31 43 #error "This code only works on a two's complement system" 32 44 #endif ··· 43 55 44 56 /* 45 57 * The function fiat_np256_addcarryx_u64 is an addition with carry. 
58 + * 46 59 * Postconditions: 47 60 * out1 = (arg1 + arg2 + arg3) mod 2^64 48 61 * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ ··· 55 68 * out1: [0x0 ~> 0xffffffffffffffff] 56 69 * out2: [0x0 ~> 0x1] 57 70 */ 58 - static void fiat_np256_addcarryx_u64(uint64_t* out1, fiat_np256_uint1* out2, fiat_np256_uint1 arg1, uint64_t arg2, uint64_t arg3) { 71 + static FIAT_NP256_FIAT_INLINE void fiat_np256_addcarryx_u64(uint64_t* out1, fiat_np256_uint1* out2, fiat_np256_uint1 arg1, uint64_t arg2, uint64_t arg3) { 59 72 fiat_np256_uint128 x1; 60 73 uint64_t x2; 61 74 fiat_np256_uint1 x3; ··· 68 81 69 82 /* 70 83 * The function fiat_np256_subborrowx_u64 is a subtraction with borrow. 84 + * 71 85 * Postconditions: 72 86 * out1 = (-arg1 + arg2 + -arg3) mod 2^64 73 87 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ ··· 80 94 * out1: [0x0 ~> 0xffffffffffffffff] 81 95 * out2: [0x0 ~> 0x1] 82 96 */ 83 - static void fiat_np256_subborrowx_u64(uint64_t* out1, fiat_np256_uint1* out2, fiat_np256_uint1 arg1, uint64_t arg2, uint64_t arg3) { 97 + static FIAT_NP256_FIAT_INLINE void fiat_np256_subborrowx_u64(uint64_t* out1, fiat_np256_uint1* out2, fiat_np256_uint1 arg1, uint64_t arg2, uint64_t arg3) { 84 98 fiat_np256_int128 x1; 85 99 fiat_np256_int1 x2; 86 100 uint64_t x3; ··· 93 107 94 108 /* 95 109 * The function fiat_np256_mulx_u64 is a multiplication, returning the full double-width result. 110 + * 96 111 * Postconditions: 97 112 * out1 = (arg1 * arg2) mod 2^64 98 113 * out2 = ⌊arg1 * arg2 / 2^64⌋ ··· 104 119 * out1: [0x0 ~> 0xffffffffffffffff] 105 120 * out2: [0x0 ~> 0xffffffffffffffff] 106 121 */ 107 - static void fiat_np256_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { 122 + static FIAT_NP256_FIAT_INLINE void fiat_np256_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { 108 123 fiat_np256_uint128 x1; 109 124 uint64_t x2; 110 125 uint64_t x3; ··· 117 132 118 133 /* 119 134 * The function fiat_np256_cmovznz_u64 is a single-word conditional move. 
135 + * 120 136 * Postconditions: 121 137 * out1 = (if arg1 = 0 then arg2 else arg3) 122 138 * ··· 127 143 * Output Bounds: 128 144 * out1: [0x0 ~> 0xffffffffffffffff] 129 145 */ 130 - static void fiat_np256_cmovznz_u64(uint64_t* out1, fiat_np256_uint1 arg1, uint64_t arg2, uint64_t arg3) { 146 + static FIAT_NP256_FIAT_INLINE void fiat_np256_cmovznz_u64(uint64_t* out1, fiat_np256_uint1 arg1, uint64_t arg2, uint64_t arg3) { 131 147 fiat_np256_uint1 x1; 132 148 uint64_t x2; 133 149 uint64_t x3; ··· 139 155 140 156 /* 141 157 * The function fiat_np256_mul multiplies two field elements in the Montgomery domain. 158 + * 142 159 * Preconditions: 143 160 * 0 ≤ eval arg1 < m 144 161 * 0 ≤ eval arg2 < m ··· 146 163 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m 147 164 * 0 ≤ eval out1 < m 148 165 * 149 - * Input Bounds: 150 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 151 - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 152 - * Output Bounds: 153 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 154 166 */ 155 - static void fiat_np256_mul(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { 167 + static void fiat_np256_mul(fiat_np256_montgomery_domain_field_element out1, const fiat_np256_montgomery_domain_field_element arg1, const fiat_np256_montgomery_domain_field_element arg2) { 156 168 uint64_t x1; 157 169 uint64_t x2; 158 170 uint64_t x3; ··· 499 511 500 512 /* 501 513 * The function fiat_np256_add adds two field elements in the Montgomery domain. 
514 + * 502 515 * Preconditions: 503 516 * 0 ≤ eval arg1 < m 504 517 * 0 ≤ eval arg2 < m ··· 506 519 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m 507 520 * 0 ≤ eval out1 < m 508 521 * 509 - * Input Bounds: 510 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 511 - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 512 - * Output Bounds: 513 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 514 522 */ 515 - static void fiat_np256_add(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { 523 + static void fiat_np256_add(fiat_np256_montgomery_domain_field_element out1, const fiat_np256_montgomery_domain_field_element arg1, const fiat_np256_montgomery_domain_field_element arg2) { 516 524 uint64_t x1; 517 525 fiat_np256_uint1 x2; 518 526 uint64_t x3; ··· 556 564 557 565 /* 558 566 * The function fiat_np256_opp negates a field element in the Montgomery domain. 
567 + * 559 568 * Preconditions: 560 569 * 0 ≤ eval arg1 < m 561 570 * Postconditions: 562 571 * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m 563 572 * 0 ≤ eval out1 < m 564 573 * 565 - * Input Bounds: 566 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 567 - * Output Bounds: 568 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 569 574 */ 570 - static void fiat_np256_opp(uint64_t out1[4], const uint64_t arg1[4]) { 575 + static void fiat_np256_opp(fiat_np256_montgomery_domain_field_element out1, const fiat_np256_montgomery_domain_field_element arg1) { 571 576 uint64_t x1; 572 577 fiat_np256_uint1 x2; 573 578 uint64_t x3; ··· 602 607 603 608 /* 604 609 * The function fiat_np256_from_montgomery translates a field element out of the Montgomery domain. 610 + * 605 611 * Preconditions: 606 612 * 0 ≤ eval arg1 < m 607 613 * Postconditions: 608 614 * eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m 609 615 * 0 ≤ eval out1 < m 610 616 * 611 - * Input Bounds: 612 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 613 - * Output Bounds: 614 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 615 617 */ 616 - static void fiat_np256_from_montgomery(uint64_t out1[4], const uint64_t arg1[4]) { 618 + static void fiat_np256_from_montgomery(fiat_np256_non_montgomery_domain_field_element out1, const fiat_np256_montgomery_domain_field_element arg1) { 617 619 uint64_t x1; 618 620 uint64_t x2; 619 621 uint64_t x3; ··· 820 822 821 823 /* 822 824 * The function fiat_np256_to_montgomery translates a field element into the Montgomery domain. 
825 + * 823 826 * Preconditions: 824 827 * 0 ≤ eval arg1 < m 825 828 * Postconditions: 826 829 * eval (from_montgomery out1) mod m = eval arg1 mod m 827 830 * 0 ≤ eval out1 < m 828 831 * 829 - * Input Bounds: 830 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 831 - * Output Bounds: 832 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 833 832 */ 834 - static void fiat_np256_to_montgomery(uint64_t out1[4], const uint64_t arg1[4]) { 833 + static void fiat_np256_to_montgomery(fiat_np256_montgomery_domain_field_element out1, const fiat_np256_non_montgomery_domain_field_element arg1) { 835 834 uint64_t x1; 836 835 uint64_t x2; 837 836 uint64_t x3; ··· 1147 1146 1148 1147 /* 1149 1148 * The function fiat_np256_set_one returns the field element one in the Montgomery domain. 1149 + * 1150 1150 * Postconditions: 1151 1151 * eval (from_montgomery out1) mod m = 1 mod m 1152 1152 * 0 ≤ eval out1 < m 1153 1153 * 1154 - * Input Bounds: 1155 - * Output Bounds: 1156 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1157 1154 */ 1158 - static void fiat_np256_set_one(uint64_t out1[4]) { 1155 + static void fiat_np256_set_one(fiat_np256_montgomery_domain_field_element out1) { 1159 1156 out1[0] = UINT64_C(0xc46353d039cdaaf); 1160 1157 out1[1] = UINT64_C(0x4319055258e8617b); 1161 1158 out1[2] = 0x0; ··· 1163 1160 } 1164 1161 1165 1162 /* 1166 - * The function fiat_np256_msat returns the saturated represtation of the prime modulus. 1163 + * The function fiat_np256_msat returns the saturated representation of the prime modulus. 
1164 + * 1167 1165 * Postconditions: 1168 1166 * twos_complement_eval out1 = m 1169 1167 * 0 ≤ eval out1 < m 1170 1168 * 1171 - * Input Bounds: 1172 1169 * Output Bounds: 1173 1170 * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1174 1171 */ ··· 1182 1179 1183 1180 /* 1184 1181 * The function fiat_np256_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 1182 + * 1185 1183 * Postconditions: 1186 - * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) 1184 + * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋) 1187 1185 * 0 ≤ eval out1 < m 1188 1186 * 1189 - * Input Bounds: 1190 1187 * Output Bounds: 1191 1188 * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1192 1189 */ ··· 1199 1196 1200 1197 /* 1201 1198 * The function fiat_np256_divstep computes a divstep. 1199 + * 1202 1200 * Preconditions: 1203 1201 * 0 ≤ eval arg4 < m 1204 1202 * 0 ≤ eval arg5 < m ··· 1463 1461 1464 1462 /* 1465 1463 * The function fiat_np256_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 1464 + * 1466 1465 * Preconditions: 1467 1466 * 0 ≤ eval arg1 < m 1468 1467 * Postconditions: ··· 1630 1629 1631 1630 /* 1632 1631 * The function fiat_np256_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 1632 + * 1633 1633 * Preconditions: 1634 1634 * 0 ≤ bytes_eval arg1 < m 1635 1635 * Postconditions: ··· 1770 1770 1771 1771 /* 1772 1772 * The function fiat_np256_selectznz is a multi-limb conditional select. 
1773 + * 1773 1774 * Postconditions: 1774 1775 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) 1775 1776 * ··· 1794 1795 out1[2] = x3; 1795 1796 out1[3] = x4; 1796 1797 } 1797 -
+46 -43
ec/native/np384_32.h
··· 1 - /* Autogenerated: ../../../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery --static --use-value-barrier np384 32 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973 mul add opp from_montgomery to_montgomery one msat divstep_precomp divstep to_bytes from_bytes selectznz */ 1 + /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier --inline-internal np384 32 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973 mul add opp from_montgomery to_montgomery one msat divstep_precomp divstep to_bytes from_bytes selectznz */ 2 2 /* curve description: np384 */ 3 3 /* machine_wordsize = 32 (from "32") */ 4 4 /* requested operations: mul, add, opp, from_montgomery, to_montgomery, one, msat, divstep_precomp, divstep, to_bytes, from_bytes, selectznz */ ··· 12 12 /* return values. */ 13 13 /* */ 14 14 /* Computed values: */ 15 - /* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) */ 16 - /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 
0x170) + (z[47] << 0x178) */ 15 + /* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) */ 16 + /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ 17 + /* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) in */ 18 + /* if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 */ 17 19 18 20 #include <stdint.h> 19 21 typedef unsigned char fiat_np384_uint1; 20 22 typedef signed char fiat_np384_int1; 23 + #ifdef __GNUC__ 24 + # define FIAT_NP384_FIAT_INLINE __inline__ 25 + #else 26 + # define FIAT_NP384_FIAT_INLINE 27 + #endif 28 + 29 + /* The type fiat_np384_montgomery_domain_field_element is a field element in the Montgomery domain. 
*/ 30 + /* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ 31 + typedef uint32_t fiat_np384_montgomery_domain_field_element[12]; 32 + 33 + /* The type fiat_np384_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */ 34 + /* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ 35 + typedef uint32_t fiat_np384_non_montgomery_domain_field_element[12]; 21 36 22 37 #if (-1 & 3) != 3 23 38 #error "This code only works on a two's complement system" ··· 35 50 36 51 /* 37 52 * The function fiat_np384_addcarryx_u32 is an addition with carry. 53 + * 38 54 * Postconditions: 39 55 * out1 = (arg1 + arg2 + arg3) mod 2^32 40 56 * out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ ··· 47 63 * out1: [0x0 ~> 0xffffffff] 48 64 * out2: [0x0 ~> 0x1] 49 65 */ 50 - static void fiat_np384_addcarryx_u32(uint32_t* out1, fiat_np384_uint1* out2, fiat_np384_uint1 arg1, uint32_t arg2, uint32_t arg3) { 66 + static FIAT_NP384_FIAT_INLINE void fiat_np384_addcarryx_u32(uint32_t* out1, fiat_np384_uint1* out2, fiat_np384_uint1 arg1, uint32_t arg2, uint32_t arg3) { 51 67 uint64_t x1; 52 68 uint32_t x2; 53 69 fiat_np384_uint1 x3; ··· 60 76 61 77 /* 62 78 * The function fiat_np384_subborrowx_u32 is a subtraction with borrow. 
79 + * 63 80 * Postconditions: 64 81 * out1 = (-arg1 + arg2 + -arg3) mod 2^32 65 82 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ ··· 72 89 * out1: [0x0 ~> 0xffffffff] 73 90 * out2: [0x0 ~> 0x1] 74 91 */ 75 - static void fiat_np384_subborrowx_u32(uint32_t* out1, fiat_np384_uint1* out2, fiat_np384_uint1 arg1, uint32_t arg2, uint32_t arg3) { 92 + static FIAT_NP384_FIAT_INLINE void fiat_np384_subborrowx_u32(uint32_t* out1, fiat_np384_uint1* out2, fiat_np384_uint1 arg1, uint32_t arg2, uint32_t arg3) { 76 93 int64_t x1; 77 94 fiat_np384_int1 x2; 78 95 uint32_t x3; ··· 85 102 86 103 /* 87 104 * The function fiat_np384_mulx_u32 is a multiplication, returning the full double-width result. 105 + * 88 106 * Postconditions: 89 107 * out1 = (arg1 * arg2) mod 2^32 90 108 * out2 = ⌊arg1 * arg2 / 2^32⌋ ··· 96 114 * out1: [0x0 ~> 0xffffffff] 97 115 * out2: [0x0 ~> 0xffffffff] 98 116 */ 99 - static void fiat_np384_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) { 117 + static FIAT_NP384_FIAT_INLINE void fiat_np384_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) { 100 118 uint64_t x1; 101 119 uint32_t x2; 102 120 uint32_t x3; ··· 109 127 110 128 /* 111 129 * The function fiat_np384_cmovznz_u32 is a single-word conditional move. 130 + * 112 131 * Postconditions: 113 132 * out1 = (if arg1 = 0 then arg2 else arg3) 114 133 * ··· 119 138 * Output Bounds: 120 139 * out1: [0x0 ~> 0xffffffff] 121 140 */ 122 - static void fiat_np384_cmovznz_u32(uint32_t* out1, fiat_np384_uint1 arg1, uint32_t arg2, uint32_t arg3) { 141 + static FIAT_NP384_FIAT_INLINE void fiat_np384_cmovznz_u32(uint32_t* out1, fiat_np384_uint1 arg1, uint32_t arg2, uint32_t arg3) { 123 142 fiat_np384_uint1 x1; 124 143 uint32_t x2; 125 144 uint32_t x3; ··· 131 150 132 151 /* 133 152 * The function fiat_np384_mul multiplies two field elements in the Montgomery domain. 
153 + * 134 154 * Preconditions: 135 155 * 0 ≤ eval arg1 < m 136 156 * 0 ≤ eval arg2 < m ··· 138 158 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m 139 159 * 0 ≤ eval out1 < m 140 160 * 141 - * Input Bounds: 142 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 143 - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 144 - * Output Bounds: 145 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 146 161 */ 147 - static void fiat_np384_mul(uint32_t out1[12], const uint32_t arg1[12], const uint32_t arg2[12]) { 162 + static void fiat_np384_mul(fiat_np384_montgomery_domain_field_element out1, const fiat_np384_montgomery_domain_field_element arg1, const fiat_np384_montgomery_domain_field_element arg2) { 148 163 uint32_t x1; 149 164 uint32_t x2; 150 165 uint32_t x3; ··· 2907 2922 2908 2923 /* 2909 2924 * The function fiat_np384_add adds two field elements in the Montgomery domain. 
2925 + * 2910 2926 * Preconditions: 2911 2927 * 0 ≤ eval arg1 < m 2912 2928 * 0 ≤ eval arg2 < m ··· 2914 2930 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m 2915 2931 * 0 ≤ eval out1 < m 2916 2932 * 2917 - * Input Bounds: 2918 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2919 - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2920 - * Output Bounds: 2921 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2922 2933 */ 2923 - static void fiat_np384_add(uint32_t out1[12], const uint32_t arg1[12], const uint32_t arg2[12]) { 2934 + static void fiat_np384_add(fiat_np384_montgomery_domain_field_element out1, const fiat_np384_montgomery_domain_field_element arg1, const fiat_np384_montgomery_domain_field_element arg2) { 2924 2935 uint32_t x1; 2925 2936 fiat_np384_uint1 x2; 2926 2937 uint32_t x3; ··· 3036 3047 3037 3048 /* 3038 3049 * The function fiat_np384_opp negates a field element in the Montgomery domain. 
3050 + * 3039 3051 * Preconditions: 3040 3052 * 0 ≤ eval arg1 < m 3041 3053 * Postconditions: 3042 3054 * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m 3043 3055 * 0 ≤ eval out1 < m 3044 3056 * 3045 - * Input Bounds: 3046 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 3047 - * Output Bounds: 3048 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 3049 3057 */ 3050 - static void fiat_np384_opp(uint32_t out1[12], const uint32_t arg1[12]) { 3058 + static void fiat_np384_opp(fiat_np384_montgomery_domain_field_element out1, const fiat_np384_montgomery_domain_field_element arg1) { 3051 3059 uint32_t x1; 3052 3060 fiat_np384_uint1 x2; 3053 3061 uint32_t x3; ··· 3138 3146 3139 3147 /* 3140 3148 * The function fiat_np384_from_montgomery translates a field element out of the Montgomery domain. 
3149 + * 3141 3150 * Preconditions: 3142 3151 * 0 ≤ eval arg1 < m 3143 3152 * Postconditions: 3144 3153 * eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^12) mod m 3145 3154 * 0 ≤ eval out1 < m 3146 3155 * 3147 - * Input Bounds: 3148 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 3149 - * Output Bounds: 3150 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 3151 3156 */ 3152 - static void fiat_np384_from_montgomery(uint32_t out1[12], const uint32_t arg1[12]) { 3157 + static void fiat_np384_from_montgomery(fiat_np384_non_montgomery_domain_field_element out1, const fiat_np384_montgomery_domain_field_element arg1) { 3153 3158 uint32_t x1; 3154 3159 uint32_t x2; 3155 3160 uint32_t x3; ··· 4959 4964 4960 4965 /* 4961 4966 * The function fiat_np384_to_montgomery translates a field element into the Montgomery domain. 
4967 + * 4962 4968 * Preconditions: 4963 4969 * 0 ≤ eval arg1 < m 4964 4970 * Postconditions: 4965 4971 * eval (from_montgomery out1) mod m = eval arg1 mod m 4966 4972 * 0 ≤ eval out1 < m 4967 4973 * 4968 - * Input Bounds: 4969 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 4970 - * Output Bounds: 4971 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 4972 4974 */ 4973 - static void fiat_np384_to_montgomery(uint32_t out1[12], const uint32_t arg1[12]) { 4975 + static void fiat_np384_to_montgomery(fiat_np384_montgomery_domain_field_element out1, const fiat_np384_non_montgomery_domain_field_element arg1) { 4974 4976 uint32_t x1; 4975 4977 uint32_t x2; 4976 4978 uint32_t x3; ··· 7630 7632 7631 7633 /* 7632 7634 * The function fiat_np384_set_one returns the field element one in the Montgomery domain. 
7635 + * 7633 7636 * Postconditions: 7634 7637 * eval (from_montgomery out1) mod m = 1 mod m 7635 7638 * 0 ≤ eval out1 < m 7636 7639 * 7637 - * Input Bounds: 7638 - * Output Bounds: 7639 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 7640 7640 */ 7641 - static void fiat_np384_set_one(uint32_t out1[12]) { 7641 + static void fiat_np384_set_one(fiat_np384_montgomery_domain_field_element out1) { 7642 7642 out1[0] = UINT32_C(0x333ad68d); 7643 7643 out1[1] = UINT32_C(0x1313e695); 7644 7644 out1[2] = UINT32_C(0xb74f5885); ··· 7654 7654 } 7655 7655 7656 7656 /* 7657 - * The function fiat_np384_msat returns the saturated represtation of the prime modulus. 7657 + * The function fiat_np384_msat returns the saturated representation of the prime modulus. 7658 + * 7658 7659 * Postconditions: 7659 7660 * twos_complement_eval out1 = m 7660 7661 * 0 ≤ eval out1 < m 7661 7662 * 7662 - * Input Bounds: 7663 7663 * Output Bounds: 7664 7664 * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 7665 7665 */ ··· 7681 7681 7682 7682 /* 7683 7683 * The function fiat_np384_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 
7684 + * 7684 7685 * Postconditions: 7685 - * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) 7686 + * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋) 7686 7687 * 0 ≤ eval out1 < m 7687 7688 * 7688 - * Input Bounds: 7689 7689 * Output Bounds: 7690 7690 * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 7691 7691 */ ··· 7706 7706 7707 7707 /* 7708 7708 * The function fiat_np384_divstep computes a divstep. 7709 + * 7709 7710 * Preconditions: 7710 7711 * 0 ≤ eval arg4 < m 7711 7712 * 0 ≤ eval arg5 < m ··· 8354 8355 8355 8356 /* 8356 8357 * The function fiat_np384_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 8358 + * 8357 8359 * Preconditions: 8358 8360 * 0 ≤ eval arg1 < m 8359 8361 * Postconditions: ··· 8585 8587 8586 8588 /* 8587 8589 * The function fiat_np384_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 8590 + * 8588 8591 * Preconditions: 8589 8592 * 0 ≤ bytes_eval arg1 < m 8590 8593 * Postconditions: ··· 8781 8784 8782 8785 /* 8783 8786 * The function fiat_np384_selectznz is a multi-limb conditional select. 8787 + * 8784 8788 * Postconditions: 8785 8789 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) 8786 8790 * ··· 8829 8833 out1[10] = x11; 8830 8834 out1[11] = x12; 8831 8835 } 8832 -
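--- a/ec/native/np384_64.h
+++ b/ec/native/np384_64.h
@@ -1,4 +1,4 @@
-/* Autogenerated: ../../../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery --static --use-value-barrier np384 64 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973 mul add opp from_montgomery to_montgomery one msat divstep_precomp divstep to_bytes from_bytes selectznz */
+/* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier --inline-internal np384 64 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973 mul add opp from_montgomery to_montgomery one msat divstep_precomp divstep to_bytes from_bytes selectznz */
 /* curve description: np384 */
 /* machine_wordsize = 64 (from "64") */
 /* requested operations: mul, add, opp, from_montgomery, to_montgomery, one, msat, divstep_precomp, divstep, to_bytes, from_bytes, selectznz */
@@ -12,21 +12,33 @@
 /* return values. */
 /* */
 /* Computed values: */
-/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) */
-/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */
+/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) */
+/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */
+/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) in */
+/* if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 */
 
 #include <stdint.h>
 typedef unsigned char fiat_np384_uint1;
 typedef signed char fiat_np384_int1;
 #ifdef __GNUC__
 # define FIAT_NP384_FIAT_EXTENSION __extension__
+# define FIAT_NP384_FIAT_INLINE __inline__
 #else
 # define FIAT_NP384_FIAT_EXTENSION
+# define FIAT_NP384_FIAT_INLINE
 #endif
 
 FIAT_NP384_FIAT_EXTENSION typedef signed __int128 fiat_np384_int128;
 FIAT_NP384_FIAT_EXTENSION typedef unsigned __int128 fiat_np384_uint128;
 
+/* The type fiat_np384_montgomery_domain_field_element is a field element in the Montgomery domain. */
+/* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */
+typedef uint64_t fiat_np384_montgomery_domain_field_element[6];
+
+/* The type fiat_np384_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */
+/* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */
+typedef uint64_t fiat_np384_non_montgomery_domain_field_element[6];
+
 #if (-1 & 3) != 3
 #error "This code only works on a two's complement system"
 #endif
@@ -43,6 +55,7 @@
 
 /*
  * The function fiat_np384_addcarryx_u64 is an addition with carry.
+ *
  * Postconditions:
  *   out1 = (arg1 + arg2 + arg3) mod 2^64
  *   out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋
@@ -55,7 +68,7 @@
  *   out1: [0x0 ~> 0xffffffffffffffff]
  *   out2: [0x0 ~> 0x1]
  */
-static void fiat_np384_addcarryx_u64(uint64_t* out1, fiat_np384_uint1* out2, fiat_np384_uint1 arg1, uint64_t arg2, uint64_t arg3) {
+static FIAT_NP384_FIAT_INLINE void fiat_np384_addcarryx_u64(uint64_t* out1, fiat_np384_uint1* out2, fiat_np384_uint1 arg1, uint64_t arg2, uint64_t arg3) {
   fiat_np384_uint128 x1;
   uint64_t x2;
   fiat_np384_uint1 x3;
@@ -68,6 +81,7 @@
 
 /*
  * The function fiat_np384_subborrowx_u64 is a subtraction with borrow.
+ *
  * Postconditions:
  *   out1 = (-arg1 + arg2 + -arg3) mod 2^64
  *   out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋
@@ -80,7 +94,7 @@
  *   out1: [0x0 ~> 0xffffffffffffffff]
  *   out2: [0x0 ~> 0x1]
  */
-static void fiat_np384_subborrowx_u64(uint64_t* out1, fiat_np384_uint1* out2, fiat_np384_uint1 arg1, uint64_t arg2, uint64_t arg3) {
+static FIAT_NP384_FIAT_INLINE void fiat_np384_subborrowx_u64(uint64_t* out1, fiat_np384_uint1* out2, fiat_np384_uint1 arg1, uint64_t arg2, uint64_t arg3) {
   fiat_np384_int128 x1;
   fiat_np384_int1 x2;
   uint64_t x3;
@@ -93,6 +107,7 @@
 
 /*
  * The function fiat_np384_mulx_u64 is a multiplication, returning the full double-width result.
+ *
  * Postconditions:
  *   out1 = (arg1 * arg2) mod 2^64
  *   out2 = ⌊arg1 * arg2 / 2^64⌋
@@ -104,7 +119,7 @@
  *   out1: [0x0 ~> 0xffffffffffffffff]
  *   out2: [0x0 ~> 0xffffffffffffffff]
  */
-static void fiat_np384_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) {
+static FIAT_NP384_FIAT_INLINE void fiat_np384_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) {
   fiat_np384_uint128 x1;
   uint64_t x2;
   uint64_t x3;
@@ -117,6 +132,7 @@
 
 /*
  * The function fiat_np384_cmovznz_u64 is a single-word conditional move.
+ *
  * Postconditions:
  *   out1 = (if arg1 = 0 then arg2 else arg3)
  *
@@ -127,7 +143,7 @@
  * Output Bounds:
  *   out1: [0x0 ~> 0xffffffffffffffff]
  */
-static void fiat_np384_cmovznz_u64(uint64_t* out1, fiat_np384_uint1 arg1, uint64_t arg2, uint64_t arg3) {
+static FIAT_NP384_FIAT_INLINE void fiat_np384_cmovznz_u64(uint64_t* out1, fiat_np384_uint1 arg1, uint64_t arg2, uint64_t arg3) {
   fiat_np384_uint1 x1;
   uint64_t x2;
   uint64_t x3;
@@ -139,6 +155,7 @@
 
 /*
  * The function fiat_np384_mul multiplies two field elements in the Montgomery domain.
+ *
  * Preconditions:
  *   0 ≤ eval arg1 < m
  *   0 ≤ eval arg2 < m
@@ -146,13 +163,8 @@
  *   eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m
  *   0 ≤ eval out1 < m
  *
- * Input Bounds:
- *   arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
- *   arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
- * Output Bounds:
- *   out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
  */
-static void fiat_np384_mul(uint64_t out1[6], const uint64_t arg1[6], const uint64_t arg2[6]) {
+static void fiat_np384_mul(fiat_np384_montgomery_domain_field_element out1, const fiat_np384_montgomery_domain_field_element arg1, const fiat_np384_montgomery_domain_field_element arg2) {
   uint64_t x1;
   uint64_t x2;
   uint64_t x3;
@@ -887,6 +899,7 @@
 
 /*
  * The function fiat_np384_add adds two field elements in the Montgomery domain.
+ *
  * Preconditions:
  *   0 ≤ eval arg1 < m
  *   0 ≤ eval arg2 < m
@@ -894,13 +907,8 @@
  *   eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m
  *   0 ≤ eval out1 < m
  *
- * Input Bounds:
- *   arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
- *   arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
- * Output Bounds:
- *   out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
  */
-static void fiat_np384_add(uint64_t out1[6], const uint64_t arg1[6], const uint64_t arg2[6]) {
+static void fiat_np384_add(fiat_np384_montgomery_domain_field_element out1, const fiat_np384_montgomery_domain_field_element arg1, const fiat_np384_montgomery_domain_field_element arg2) {
   uint64_t x1;
   fiat_np384_uint1 x2;
   uint64_t x3;
@@ -962,18 +970,15 @@
 
 /*
  * The function fiat_np384_opp negates a field element in the Montgomery domain.
+ *
  * Preconditions:
  *   0 ≤ eval arg1 < m
  * Postconditions:
  *   eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m
  *   0 ≤ eval out1 < m
  *
- * Input Bounds:
- *   arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
- * Output Bounds:
- *   out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
  */
-static void fiat_np384_opp(uint64_t out1[6], const uint64_t arg1[6]) {
+static void fiat_np384_opp(fiat_np384_montgomery_domain_field_element out1, const fiat_np384_montgomery_domain_field_element arg1) {
   uint64_t x1;
   fiat_np384_uint1 x2;
   uint64_t x3;
@@ -1022,18 +1027,15 @@
 
 /*
  * The function fiat_np384_from_montgomery translates a field element out of the Montgomery domain.
+ *
  * Preconditions:
  *   0 ≤ eval arg1 < m
  * Postconditions:
  *   eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^6) mod m
  *   0 ≤ eval out1 < m
  *
- * Input Bounds:
- *   arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
- * Output Bounds:
- *   out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
  */
-static void fiat_np384_from_montgomery(uint64_t out1[6], const uint64_t arg1[6]) {
+static void fiat_np384_from_montgomery(fiat_np384_non_montgomery_domain_field_element out1, const fiat_np384_montgomery_domain_field_element arg1) {
   uint64_t x1;
   uint64_t x2;
   uint64_t x3;
@@ -1511,18 +1513,15 @@
 
 /*
  * The function fiat_np384_to_montgomery translates a field element into the Montgomery domain.
+ *
  * Preconditions:
  *   0 ≤ eval arg1 < m
  * Postconditions:
  *   eval (from_montgomery out1) mod m = eval arg1 mod m
  *   0 ≤ eval out1 < m
  *
- * Input Bounds:
- *   arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
- * Output Bounds:
- *   out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
  */
-static void fiat_np384_to_montgomery(uint64_t out1[6], const uint64_t arg1[6]) {
+static void fiat_np384_to_montgomery(fiat_np384_montgomery_domain_field_element out1, const fiat_np384_non_montgomery_domain_field_element arg1) {
   uint64_t x1;
   uint64_t x2;
   uint64_t x3;
@@ -2208,15 +2207,13 @@
 
 /*
  * The function fiat_np384_set_one returns the field element one in the Montgomery domain.
+ *
  * Postconditions:
  *   eval (from_montgomery out1) mod m = 1 mod m
  *   0 ≤ eval out1 < m
  *
- * Input Bounds:
- * Output Bounds:
- *   out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
  */
-static void fiat_np384_set_one(uint64_t out1[6]) {
+static void fiat_np384_set_one(fiat_np384_montgomery_domain_field_element out1) {
   out1[0] = UINT64_C(0x1313e695333ad68d);
   out1[1] = UINT64_C(0xa7e5f24db74f5885);
   out1[2] = UINT64_C(0x389cb27e0bc8d220);
@@ -2226,12 +2223,12 @@
 }
 
 /*
- * The function fiat_np384_msat returns the saturated represtation of the prime modulus.
+ * The function fiat_np384_msat returns the saturated representation of the prime modulus.
+ *
  * Postconditions:
  *   twos_complement_eval out1 = m
  *   0 ≤ eval out1 < m
  *
- * Input Bounds:
  * Output Bounds:
  *   out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
  */
@@ -2247,11 +2244,11 @@
 
 /*
  * The function fiat_np384_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form).
+ *
  * Postconditions:
- *   eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋)
+ *   eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋)
  *   0 ≤ eval out1 < m
  *
- * Input Bounds:
  * Output Bounds:
  *   out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
  */
@@ -2266,6 +2263,7 @@
 
 /*
  * The function fiat_np384_divstep computes a divstep.
+ *
  * Preconditions:
  *   0 ≤ eval arg4 < m
  *   0 ≤ eval arg5 < m
@@ -2626,6 +2624,7 @@
 
 /*
  * The function fiat_np384_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order.
+ *
  * Preconditions:
  *   0 ≤ eval arg1 < m
  * Postconditions:
@@ -2869,6 +2868,7 @@
 
 /*
  * The function fiat_np384_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order.
+ *
  * Preconditions:
  *   0 ≤ bytes_eval arg1 < m
  * Postconditions:
@@ -3071,6 +3071,7 @@
 
 /*
  * The function fiat_np384_selectznz is a multi-limb conditional select.
+ *
  * Postconditions:
  *   eval out1 = (if arg1 = 0 then eval arg2 else eval arg3)
  *
@@ -3101,4 +3102,3 @@
   out1[4] = x5;
   out1[5] = x6;
 }
-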
+46 -43
ec/native/np521_32.h
··· 1 - /* Autogenerated: ../../../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery --static --use-value-barrier np521 32 0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409 mul add opp from_montgomery to_montgomery one msat divstep_precomp divstep to_bytes from_bytes selectznz */ 1 + /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier --inline-internal np521 32 0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409 mul add opp from_montgomery to_montgomery one msat divstep_precomp divstep to_bytes from_bytes selectznz */ 2 2 /* curve description: np521 */ 3 3 /* machine_wordsize = 32 (from "32") */ 4 4 /* requested operations: mul, add, opp, from_montgomery, to_montgomery, one, msat, divstep_precomp, divstep, to_bytes, from_bytes, selectznz */ ··· 12 12 /* return values. 
*/ 13 13 /* */ 14 14 /* Computed values: */ 15 - /* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) + (z[12] << 0x180) + (z[13] << 0x1a0) + (z[14] << 0x1c0) + (z[15] << 0x1e0) + (z[16] << 2^9) */ 16 - /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) */ 15 + /* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) + (z[12] << 0x180) + (z[13] << 0x1a0) + (z[14] << 0x1c0) + (z[15] << 0x1e0) + (z[16] << 2^9) */ 16 + /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + 
(z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) */ 17 + /* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) + (z[12] << 0x180) + (z[13] << 0x1a0) + (z[14] << 0x1c0) + (z[15] << 0x1e0) + (z[16] << 2^9) in */ 18 + /* if x1 & (2^544-1) < 2^543 then x1 & (2^544-1) else (x1 & (2^544-1)) - 2^544 */ 17 19 18 20 #include <stdint.h> 19 21 typedef unsigned char fiat_np521_uint1; 20 22 typedef signed char fiat_np521_int1; 23 + #ifdef __GNUC__ 24 + # define FIAT_NP521_FIAT_INLINE __inline__ 25 + #else 26 + # define FIAT_NP521_FIAT_INLINE 27 + #endif 28 + 29 + /* The type fiat_np521_montgomery_domain_field_element is a field element in the Montgomery domain. 
*/ 30 + /* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ 31 + typedef uint32_t fiat_np521_montgomery_domain_field_element[17]; 32 + 33 + /* The type fiat_np521_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */ 34 + /* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ 35 + typedef uint32_t fiat_np521_non_montgomery_domain_field_element[17]; 21 36 22 37 #if (-1 & 3) != 3 23 38 #error "This code only works on a two's complement system" ··· 35 50 36 51 /* 37 52 * The function fiat_np521_addcarryx_u32 is an addition with carry. 53 + * 38 54 * Postconditions: 39 55 * out1 = (arg1 + arg2 + arg3) mod 2^32 40 56 * out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ ··· 47 63 * out1: [0x0 ~> 0xffffffff] 48 64 * out2: [0x0 ~> 0x1] 49 65 */ 50 - static void fiat_np521_addcarryx_u32(uint32_t* out1, fiat_np521_uint1* out2, fiat_np521_uint1 arg1, uint32_t arg2, uint32_t arg3) { 66 + static FIAT_NP521_FIAT_INLINE void fiat_np521_addcarryx_u32(uint32_t* out1, fiat_np521_uint1* out2, fiat_np521_uint1 arg1, uint32_t arg2, uint32_t arg3) { 51 67 uint64_t x1; 52 68 uint32_t x2; 53 69 fiat_np521_uint1 x3; ··· 60 76 61 77 /* 62 78 * The function fiat_np521_subborrowx_u32 is a subtraction with borrow. 
79 + * 63 80 * Postconditions: 64 81 * out1 = (-arg1 + arg2 + -arg3) mod 2^32 65 82 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ ··· 72 89 * out1: [0x0 ~> 0xffffffff] 73 90 * out2: [0x0 ~> 0x1] 74 91 */ 75 - static void fiat_np521_subborrowx_u32(uint32_t* out1, fiat_np521_uint1* out2, fiat_np521_uint1 arg1, uint32_t arg2, uint32_t arg3) { 92 + static FIAT_NP521_FIAT_INLINE void fiat_np521_subborrowx_u32(uint32_t* out1, fiat_np521_uint1* out2, fiat_np521_uint1 arg1, uint32_t arg2, uint32_t arg3) { 76 93 int64_t x1; 77 94 fiat_np521_int1 x2; 78 95 uint32_t x3; ··· 85 102 86 103 /* 87 104 * The function fiat_np521_mulx_u32 is a multiplication, returning the full double-width result. 105 + * 88 106 * Postconditions: 89 107 * out1 = (arg1 * arg2) mod 2^32 90 108 * out2 = ⌊arg1 * arg2 / 2^32⌋ ··· 96 114 * out1: [0x0 ~> 0xffffffff] 97 115 * out2: [0x0 ~> 0xffffffff] 98 116 */ 99 - static void fiat_np521_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) { 117 + static FIAT_NP521_FIAT_INLINE void fiat_np521_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) { 100 118 uint64_t x1; 101 119 uint32_t x2; 102 120 uint32_t x3; ··· 109 127 110 128 /* 111 129 * The function fiat_np521_cmovznz_u32 is a single-word conditional move. 130 + * 112 131 * Postconditions: 113 132 * out1 = (if arg1 = 0 then arg2 else arg3) 114 133 * ··· 119 138 * Output Bounds: 120 139 * out1: [0x0 ~> 0xffffffff] 121 140 */ 122 - static void fiat_np521_cmovznz_u32(uint32_t* out1, fiat_np521_uint1 arg1, uint32_t arg2, uint32_t arg3) { 141 + static FIAT_NP521_FIAT_INLINE void fiat_np521_cmovznz_u32(uint32_t* out1, fiat_np521_uint1 arg1, uint32_t arg2, uint32_t arg3) { 123 142 fiat_np521_uint1 x1; 124 143 uint32_t x2; 125 144 uint32_t x3; ··· 131 150 132 151 /* 133 152 * The function fiat_np521_mul multiplies two field elements in the Montgomery domain. 
153 + * 134 154 * Preconditions: 135 155 * 0 ≤ eval arg1 < m 136 156 * 0 ≤ eval arg2 < m ··· 138 158 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m 139 159 * 0 ≤ eval out1 < m 140 160 * 141 - * Input Bounds: 142 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 143 - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 144 - * Output Bounds: 145 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 146 161 */ 147 - static void fiat_np521_mul(uint32_t out1[17], const uint32_t arg1[17], const uint32_t arg2[17]) { 162 + static void fiat_np521_mul(fiat_np521_montgomery_domain_field_element out1, const fiat_np521_montgomery_domain_field_element arg1, const fiat_np521_montgomery_domain_field_element arg2) { 148 163 uint32_t x1; 149 164 uint32_t x2; 150 165 uint32_t x3; ··· 5587 5602 5588 5603 /* 5589 5604 * The function fiat_np521_add adds two field elements in the Montgomery domain. 
5605 + * 5590 5606 * Preconditions: 5591 5607 * 0 ≤ eval arg1 < m 5592 5608 * 0 ≤ eval arg2 < m ··· 5594 5610 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m 5595 5611 * 0 ≤ eval out1 < m 5596 5612 * 5597 - * Input Bounds: 5598 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 5599 - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 5600 - * Output Bounds: 5601 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 5602 5613 */ 5603 - static void fiat_np521_add(uint32_t out1[17], const uint32_t arg1[17], const uint32_t arg2[17]) { 5614 + static void fiat_np521_add(fiat_np521_montgomery_domain_field_element out1, const fiat_np521_montgomery_domain_field_element arg1, const fiat_np521_montgomery_domain_field_element arg2) { 5604 5615 uint32_t x1; 5605 5616 fiat_np521_uint1 x2; 5606 5617 uint32_t x3; ··· 5761 5772 5762 5773 /* 5763 5774 * The function fiat_np521_opp negates a field element in the Montgomery domain. 
5775 + * 5764 5776 * Preconditions: 5765 5777 * 0 ≤ eval arg1 < m 5766 5778 * Postconditions: 5767 5779 * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m 5768 5780 * 0 ≤ eval out1 < m 5769 5781 * 5770 - * Input Bounds: 5771 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 5772 - * Output Bounds: 5773 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 5774 5782 */ 5775 - static void fiat_np521_opp(uint32_t out1[17], const uint32_t arg1[17]) { 5783 + static void fiat_np521_opp(fiat_np521_montgomery_domain_field_element out1, const fiat_np521_montgomery_domain_field_element arg1) { 5776 5784 uint32_t x1; 5777 5785 fiat_np521_uint1 x2; 5778 5786 uint32_t x3; ··· 5898 5906 5899 5907 /* 5900 5908 * The function fiat_np521_from_montgomery translates a field element out of the Montgomery domain. 
5909 + * 5901 5910 * Preconditions: 5902 5911 * 0 ≤ eval arg1 < m 5903 5912 * Postconditions: 5904 5913 * eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^17) mod m 5905 5914 * 0 ≤ eval out1 < m 5906 5915 * 5907 - * Input Bounds: 5908 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 5909 - * Output Bounds: 5910 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 5911 5916 */ 5912 - static void fiat_np521_from_montgomery(uint32_t out1[17], const uint32_t arg1[17]) { 5917 + static void fiat_np521_from_montgomery(fiat_np521_non_montgomery_domain_field_element out1, const fiat_np521_montgomery_domain_field_element arg1) { 5913 5918 uint32_t x1; 5914 5919 uint32_t x2; 5915 5920 uint32_t x3; ··· 9392 9397 9393 9398 /* 9394 9399 * The function fiat_np521_to_montgomery translates a field element into the Montgomery domain. 
9400 + * 9395 9401 * Preconditions: 9396 9402 * 0 ≤ eval arg1 < m 9397 9403 * Postconditions: 9398 9404 * eval (from_montgomery out1) mod m = eval arg1 mod m 9399 9405 * 0 ≤ eval out1 < m 9400 9406 * 9401 - * Input Bounds: 9402 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 9403 - * Output Bounds: 9404 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 9405 9407 */ 9406 - static void fiat_np521_to_montgomery(uint32_t out1[17], const uint32_t arg1[17]) { 9408 + static void fiat_np521_to_montgomery(fiat_np521_montgomery_domain_field_element out1, const fiat_np521_non_montgomery_domain_field_element arg1) { 9407 9409 uint32_t x1; 9408 9410 uint32_t x2; 9409 9411 uint32_t x3; ··· 14649 14651 14650 14652 /* 14651 14653 * The function fiat_np521_set_one returns the field element one in the Montgomery domain. 
14654 + * 14652 14655 * Postconditions: 14653 14656 * eval (from_montgomery out1) mod m = 1 mod m 14654 14657 * 0 ≤ eval out1 < m 14655 14658 * 14656 - * Input Bounds: 14657 - * Output Bounds: 14658 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 14659 14659 */ 14660 - static void fiat_np521_set_one(uint32_t out1[17]) { 14660 + static void fiat_np521_set_one(fiat_np521_montgomery_domain_field_element out1) { 14661 14661 out1[0] = UINT32_C(0xfb800000); 14662 14662 out1[1] = UINT32_C(0x70b763cd); 14663 14663 out1[2] = UINT32_C(0x28a24824); ··· 14678 14678 } 14679 14679 14680 14680 /* 14681 - * The function fiat_np521_msat returns the saturated represtation of the prime modulus. 14681 + * The function fiat_np521_msat returns the saturated representation of the prime modulus. 14682 + * 14682 14683 * Postconditions: 14683 14684 * twos_complement_eval out1 = m 14684 14685 * 0 ≤ eval out1 < m 14685 14686 * 14686 - * Input Bounds: 14687 14687 * Output Bounds: 14688 14688 * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 14689 14689 */ ··· 14710 14710 14711 14711 /* 14712 14712 * The function fiat_np521_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 
14713 + * 14713 14714 * Postconditions: 14714 - * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) 14715 + * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋) 14715 14716 * 0 ≤ eval out1 < m 14716 14717 * 14717 - * Input Bounds: 14718 14718 * Output Bounds: 14719 14719 * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 14720 14720 */ ··· 14740 14740 14741 14741 /* 14742 14742 * The function fiat_np521_divstep computes a divstep. 14743 + * 14743 14744 * Preconditions: 14744 14745 * 0 ≤ eval arg4 < m 14745 14746 * 0 ≤ eval arg5 < m ··· 15628 15629 15629 15630 /* 15630 15631 * The function fiat_np521_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 15632 + * 15631 15633 * Preconditions: 15632 15634 * 0 ≤ eval arg1 < m 15633 15635 * Postconditions: ··· 15939 15941 15940 15942 /* 15941 15943 * The function fiat_np521_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 15944 + * 15942 15945 * Preconditions: 15943 15946 * 0 ≤ bytes_eval arg1 < m 15944 15947 * Postconditions: ··· 16202 16205 16203 16206 /* 16204 16207 * The function fiat_np521_selectznz is a multi-limb conditional select. 16208 + * 16205 16209 * Postconditions: 16206 16210 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) 16207 16211 * ··· 16265 16269 out1[15] = x16; 16266 16270 out1[16] = x17; 16267 16271 } 16268 -
+43 -43
ec/native/np521_64.h
··· 1 - /* Autogenerated: ../../../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery --static --use-value-barrier np521 64 0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409 mul add opp from_montgomery to_montgomery one msat divstep_precomp divstep to_bytes from_bytes selectznz */ 1 + /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier --inline-internal np521 64 0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409 mul add opp from_montgomery to_montgomery one msat divstep_precomp divstep to_bytes from_bytes selectznz */ 2 2 /* curve description: np521 */ 3 3 /* machine_wordsize = 64 (from "64") */ 4 4 /* requested operations: mul, add, opp, from_montgomery, to_montgomery, one, msat, divstep_precomp, divstep, to_bytes, from_bytes, selectznz */ ··· 12 12 /* return values. 
*/ 13 13 /* */ 14 14 /* Computed values: */ 15 - /* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) + (z[7] << 0x1c0) + (z[8] << 2^9) */ 16 - /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) */ 15 + /* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) + (z[7] << 0x1c0) + (z[8] << 2^9) */ 16 + /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 
216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) */ 17 + /* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) + (z[7] << 0x1c0) + (z[8] << 2^9) in */ 18 + /* if x1 & (2^576-1) < 2^575 then x1 & (2^576-1) else (x1 & (2^576-1)) - 2^576 */ 17 19 18 20 #include <stdint.h> 19 21 typedef unsigned char fiat_np521_uint1; 20 22 typedef signed char fiat_np521_int1; 21 23 #ifdef __GNUC__ 22 24 # define FIAT_NP521_FIAT_EXTENSION __extension__ 25 + # define FIAT_NP521_FIAT_INLINE __inline__ 23 26 #else 24 27 # define FIAT_NP521_FIAT_EXTENSION 28 + # define FIAT_NP521_FIAT_INLINE 25 29 #endif 26 30 27 31 FIAT_NP521_FIAT_EXTENSION typedef signed __int128 fiat_np521_int128; 28 32 FIAT_NP521_FIAT_EXTENSION typedef unsigned __int128 fiat_np521_uint128; 29 33 34 + /* The type fiat_np521_montgomery_domain_field_element is a field element in the Montgomery domain. 
*/ 35 + /* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ 36 + typedef uint64_t fiat_np521_montgomery_domain_field_element[9]; 37 + 38 + /* The type fiat_np521_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */ 39 + /* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ 40 + typedef uint64_t fiat_np521_non_montgomery_domain_field_element[9]; 41 + 30 42 #if (-1 & 3) != 3 31 43 #error "This code only works on a two's complement system" 32 44 #endif ··· 43 55 44 56 /* 45 57 * The function fiat_np521_addcarryx_u64 is an addition with carry. 58 + * 46 59 * Postconditions: 47 60 * out1 = (arg1 + arg2 + arg3) mod 2^64 48 61 * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ ··· 55 68 * out1: [0x0 ~> 0xffffffffffffffff] 56 69 * out2: [0x0 ~> 0x1] 57 70 */ 58 - static void fiat_np521_addcarryx_u64(uint64_t* out1, fiat_np521_uint1* out2, fiat_np521_uint1 arg1, uint64_t arg2, uint64_t arg3) { 71 + static FIAT_NP521_FIAT_INLINE void fiat_np521_addcarryx_u64(uint64_t* out1, fiat_np521_uint1* out2, fiat_np521_uint1 arg1, uint64_t arg2, uint64_t arg3) { 59 72 fiat_np521_uint128 x1; 60 73 uint64_t x2; 61 74 fiat_np521_uint1 x3; ··· 68 81 69 82 /* 70 83 * The function fiat_np521_subborrowx_u64 is a subtraction with borrow. 
84 + * 71 85 * Postconditions: 72 86 * out1 = (-arg1 + arg2 + -arg3) mod 2^64 73 87 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ ··· 80 94 * out1: [0x0 ~> 0xffffffffffffffff] 81 95 * out2: [0x0 ~> 0x1] 82 96 */ 83 - static void fiat_np521_subborrowx_u64(uint64_t* out1, fiat_np521_uint1* out2, fiat_np521_uint1 arg1, uint64_t arg2, uint64_t arg3) { 97 + static FIAT_NP521_FIAT_INLINE void fiat_np521_subborrowx_u64(uint64_t* out1, fiat_np521_uint1* out2, fiat_np521_uint1 arg1, uint64_t arg2, uint64_t arg3) { 84 98 fiat_np521_int128 x1; 85 99 fiat_np521_int1 x2; 86 100 uint64_t x3; ··· 93 107 94 108 /* 95 109 * The function fiat_np521_mulx_u64 is a multiplication, returning the full double-width result. 110 + * 96 111 * Postconditions: 97 112 * out1 = (arg1 * arg2) mod 2^64 98 113 * out2 = ⌊arg1 * arg2 / 2^64⌋ ··· 104 119 * out1: [0x0 ~> 0xffffffffffffffff] 105 120 * out2: [0x0 ~> 0xffffffffffffffff] 106 121 */ 107 - static void fiat_np521_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { 122 + static FIAT_NP521_FIAT_INLINE void fiat_np521_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { 108 123 fiat_np521_uint128 x1; 109 124 uint64_t x2; 110 125 uint64_t x3; ··· 117 132 118 133 /* 119 134 * The function fiat_np521_cmovznz_u64 is a single-word conditional move. 135 + * 120 136 * Postconditions: 121 137 * out1 = (if arg1 = 0 then arg2 else arg3) 122 138 * ··· 127 143 * Output Bounds: 128 144 * out1: [0x0 ~> 0xffffffffffffffff] 129 145 */ 130 - static void fiat_np521_cmovznz_u64(uint64_t* out1, fiat_np521_uint1 arg1, uint64_t arg2, uint64_t arg3) { 146 + static FIAT_NP521_FIAT_INLINE void fiat_np521_cmovznz_u64(uint64_t* out1, fiat_np521_uint1 arg1, uint64_t arg2, uint64_t arg3) { 131 147 fiat_np521_uint1 x1; 132 148 uint64_t x2; 133 149 uint64_t x3; ··· 139 155 140 156 /* 141 157 * The function fiat_np521_mul multiplies two field elements in the Montgomery domain. 
158 + * 142 159 * Preconditions: 143 160 * 0 ≤ eval arg1 < m 144 161 * 0 ≤ eval arg2 < m ··· 146 163 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m 147 164 * 0 ≤ eval out1 < m 148 165 * 149 - * Input Bounds: 150 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 151 - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 152 - * Output Bounds: 153 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 154 166 */ 155 - static void fiat_np521_mul(uint64_t out1[9], const uint64_t arg1[9], const uint64_t arg2[9]) { 167 + static void fiat_np521_mul(fiat_np521_montgomery_domain_field_element out1, const fiat_np521_montgomery_domain_field_element arg1, const fiat_np521_montgomery_domain_field_element arg2) { 156 168 uint64_t x1; 157 169 uint64_t x2; 158 170 uint64_t x3; ··· 1739 1751 1740 1752 /* 1741 1753 * The function fiat_np521_add adds two field elements in the Montgomery domain. 
1754 + * 1742 1755 * Preconditions: 1743 1756 * 0 ≤ eval arg1 < m 1744 1757 * 0 ≤ eval arg2 < m ··· 1746 1759 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m 1747 1760 * 0 ≤ eval out1 < m 1748 1761 * 1749 - * Input Bounds: 1750 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1751 - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1752 - * Output Bounds: 1753 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1754 1762 */ 1755 - static void fiat_np521_add(uint64_t out1[9], const uint64_t arg1[9], const uint64_t arg2[9]) { 1763 + static void fiat_np521_add(fiat_np521_montgomery_domain_field_element out1, const fiat_np521_montgomery_domain_field_element arg1, const fiat_np521_montgomery_domain_field_element arg2) { 1756 1764 uint64_t x1; 1757 1765 fiat_np521_uint1 x2; 1758 1766 uint64_t x3; ··· 1841 1849 1842 1850 /* 1843 1851 * The function fiat_np521_opp negates a field element in the Montgomery domain. 
1852 + * 1844 1853 * Preconditions: 1845 1854 * 0 ≤ eval arg1 < m 1846 1855 * Postconditions: 1847 1856 * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m 1848 1857 * 0 ≤ eval out1 < m 1849 1858 * 1850 - * Input Bounds: 1851 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1852 - * Output Bounds: 1853 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1854 1859 */ 1855 - static void fiat_np521_opp(uint64_t out1[9], const uint64_t arg1[9]) { 1860 + static void fiat_np521_opp(fiat_np521_montgomery_domain_field_element out1, const fiat_np521_montgomery_domain_field_element arg1) { 1856 1861 uint64_t x1; 1857 1862 fiat_np521_uint1 x2; 1858 1863 uint64_t x3; ··· 1922 1927 1923 1928 /* 1924 1929 * The function fiat_np521_from_montgomery translates a field element out of the Montgomery domain. 
1930 + * 1925 1931 * Preconditions: 1926 1932 * 0 ≤ eval arg1 < m 1927 1933 * Postconditions: 1928 1934 * eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^9) mod m 1929 1935 * 0 ≤ eval out1 < m 1930 1936 * 1931 - * Input Bounds: 1932 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1933 - * Output Bounds: 1934 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1935 1937 */ 1936 - static void fiat_np521_from_montgomery(uint64_t out1[9], const uint64_t arg1[9]) { 1938 + static void fiat_np521_from_montgomery(fiat_np521_non_montgomery_domain_field_element out1, const fiat_np521_montgomery_domain_field_element arg1) { 1937 1939 uint64_t x1; 1938 1940 uint64_t x2; 1939 1941 uint64_t x3; ··· 2920 2922 2921 2923 /* 2922 2924 * The function fiat_np521_to_montgomery translates a field element into the Montgomery domain. 
2925 + * 2923 2926 * Preconditions: 2924 2927 * 0 ≤ eval arg1 < m 2925 2928 * Postconditions: 2926 2929 * eval (from_montgomery out1) mod m = eval arg1 mod m 2927 2930 * 0 ≤ eval out1 < m 2928 2931 * 2929 - * Input Bounds: 2930 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 2931 - * Output Bounds: 2932 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 2933 2932 */ 2934 - static void fiat_np521_to_montgomery(uint64_t out1[9], const uint64_t arg1[9]) { 2933 + static void fiat_np521_to_montgomery(fiat_np521_montgomery_domain_field_element out1, const fiat_np521_non_montgomery_domain_field_element arg1) { 2935 2934 uint64_t x1; 2936 2935 uint64_t x2; 2937 2936 uint64_t x3; ··· 4417 4416 4418 4417 /* 4419 4418 * The function fiat_np521_set_one returns the field element one in the Montgomery domain. 
4419 + * 4420 4420 * Postconditions: 4421 4421 * eval (from_montgomery out1) mod m = 1 mod m 4422 4422 * 0 ≤ eval out1 < m 4423 4423 * 4424 - * Input Bounds: 4425 - * Output Bounds: 4426 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 4427 4424 */ 4428 - static void fiat_np521_set_one(uint64_t out1[9]) { 4425 + static void fiat_np521_set_one(fiat_np521_montgomery_domain_field_element out1) { 4429 4426 out1[0] = UINT64_C(0xfb80000000000000); 4430 4427 out1[1] = UINT64_C(0x28a2482470b763cd); 4431 4428 out1[2] = UINT64_C(0x17e2251b23bb31dc); ··· 4438 4435 } 4439 4436 4440 4437 /* 4441 - * The function fiat_np521_msat returns the saturated represtation of the prime modulus. 4438 + * The function fiat_np521_msat returns the saturated representation of the prime modulus. 4439 + * 4442 4440 * Postconditions: 4443 4441 * twos_complement_eval out1 = m 4444 4442 * 0 ≤ eval out1 < m 4445 4443 * 4446 - * Input Bounds: 4447 4444 * Output Bounds: 4448 4445 * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 4449 4446 */ ··· 4462 4459 4463 4460 /* 4464 4461 * The function fiat_np521_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 
4462 + * 4465 4463 * Postconditions: 4466 - * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) 4464 + * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋) 4467 4465 * 0 ≤ eval out1 < m 4468 4466 * 4469 - * Input Bounds: 4470 4467 * Output Bounds: 4471 4468 * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 4472 4469 */ ··· 4484 4481 4485 4482 /* 4486 4483 * The function fiat_np521_divstep computes a divstep. 4484 + * 4487 4485 * Preconditions: 4488 4486 * 0 ≤ eval arg4 < m 4489 4487 * 0 ≤ eval arg5 < m ··· 4988 4986 4989 4987 /* 4990 4988 * The function fiat_np521_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 4989 + * 4991 4990 * Preconditions: 4992 4991 * 0 ≤ eval arg1 < m 4993 4992 * Postconditions: ··· 5315 5314 5316 5315 /* 5317 5316 * The function fiat_np521_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 5317 + * 5318 5318 * Preconditions: 5319 5319 * 0 ≤ bytes_eval arg1 < m 5320 5320 * Postconditions: ··· 5586 5586 5587 5587 /* 5588 5588 * The function fiat_np521_selectznz is a multi-limb conditional select. 5589 + * 5589 5590 * Postconditions: 5590 5591 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) 5591 5592 * ··· 5625 5626 out1[7] = x8; 5626 5627 out1[8] = x9; 5627 5628 } 5628 -
+51 -54
ec/native/p224_32.h
··· 1 - /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier p224 32 '2^224 - 2^96 + 1' */ 1 + /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier --inline-internal p224 32 '2^224 - 2^96 + 1' */ 2 2 /* curve description: p224 */ 3 3 /* machine_wordsize = 32 (from "32") */ 4 4 /* requested operations: (all) */ ··· 12 12 /* return values. */ 13 13 /* */ 14 14 /* Computed values: */ 15 - /* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) */ 16 - /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) */ 15 + /* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) */ 16 + /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) */ 17 + /* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) in */ 18 + /* if x1 & (2^224-1) < 2^223 then x1 & (2^224-1) else (x1 & (2^224-1)) - 2^224 */ 17 19 18 20 #include <stdint.h> 19 21 typedef unsigned char fiat_p224_uint1; 20 22 typedef signed 
char fiat_p224_int1; 23 + #ifdef __GNUC__ 24 + # define FIAT_P224_FIAT_INLINE __inline__ 25 + #else 26 + # define FIAT_P224_FIAT_INLINE 27 + #endif 28 + 29 + /* The type fiat_p224_montgomery_domain_field_element is a field element in the Montgomery domain. */ 30 + /* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ 31 + typedef uint32_t fiat_p224_montgomery_domain_field_element[7]; 32 + 33 + /* The type fiat_p224_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */ 34 + /* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ 35 + typedef uint32_t fiat_p224_non_montgomery_domain_field_element[7]; 21 36 22 37 #if (-1 & 3) != 3 23 38 #error "This code only works on a two's complement system" ··· 35 50 36 51 /* 37 52 * The function fiat_p224_addcarryx_u32 is an addition with carry. 53 + * 38 54 * Postconditions: 39 55 * out1 = (arg1 + arg2 + arg3) mod 2^32 40 56 * out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ ··· 47 63 * out1: [0x0 ~> 0xffffffff] 48 64 * out2: [0x0 ~> 0x1] 49 65 */ 50 - static void fiat_p224_addcarryx_u32(uint32_t* out1, fiat_p224_uint1* out2, fiat_p224_uint1 arg1, uint32_t arg2, uint32_t arg3) { 66 + static FIAT_P224_FIAT_INLINE void fiat_p224_addcarryx_u32(uint32_t* out1, fiat_p224_uint1* out2, fiat_p224_uint1 arg1, uint32_t arg2, uint32_t arg3) { 51 67 uint64_t x1; 52 68 uint32_t x2; 53 69 fiat_p224_uint1 x3; ··· 60 76 61 77 /* 62 78 * The function fiat_p224_subborrowx_u32 is a subtraction with borrow. 
79 + * 63 80 * Postconditions: 64 81 * out1 = (-arg1 + arg2 + -arg3) mod 2^32 65 82 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ ··· 72 89 * out1: [0x0 ~> 0xffffffff] 73 90 * out2: [0x0 ~> 0x1] 74 91 */ 75 - static void fiat_p224_subborrowx_u32(uint32_t* out1, fiat_p224_uint1* out2, fiat_p224_uint1 arg1, uint32_t arg2, uint32_t arg3) { 92 + static FIAT_P224_FIAT_INLINE void fiat_p224_subborrowx_u32(uint32_t* out1, fiat_p224_uint1* out2, fiat_p224_uint1 arg1, uint32_t arg2, uint32_t arg3) { 76 93 int64_t x1; 77 94 fiat_p224_int1 x2; 78 95 uint32_t x3; ··· 85 102 86 103 /* 87 104 * The function fiat_p224_mulx_u32 is a multiplication, returning the full double-width result. 105 + * 88 106 * Postconditions: 89 107 * out1 = (arg1 * arg2) mod 2^32 90 108 * out2 = ⌊arg1 * arg2 / 2^32⌋ ··· 96 114 * out1: [0x0 ~> 0xffffffff] 97 115 * out2: [0x0 ~> 0xffffffff] 98 116 */ 99 - static void fiat_p224_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) { 117 + static FIAT_P224_FIAT_INLINE void fiat_p224_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) { 100 118 uint64_t x1; 101 119 uint32_t x2; 102 120 uint32_t x3; ··· 109 127 110 128 /* 111 129 * The function fiat_p224_cmovznz_u32 is a single-word conditional move. 130 + * 112 131 * Postconditions: 113 132 * out1 = (if arg1 = 0 then arg2 else arg3) 114 133 * ··· 119 138 * Output Bounds: 120 139 * out1: [0x0 ~> 0xffffffff] 121 140 */ 122 - static void fiat_p224_cmovznz_u32(uint32_t* out1, fiat_p224_uint1 arg1, uint32_t arg2, uint32_t arg3) { 141 + static FIAT_P224_FIAT_INLINE void fiat_p224_cmovznz_u32(uint32_t* out1, fiat_p224_uint1 arg1, uint32_t arg2, uint32_t arg3) { 123 142 fiat_p224_uint1 x1; 124 143 uint32_t x2; 125 144 uint32_t x3; ··· 131 150 132 151 /* 133 152 * The function fiat_p224_mul multiplies two field elements in the Montgomery domain. 
153 + * 134 154 * Preconditions: 135 155 * 0 ≤ eval arg1 < m 136 156 * 0 ≤ eval arg2 < m ··· 138 158 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m 139 159 * 0 ≤ eval out1 < m 140 160 * 141 - * Input Bounds: 142 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 143 - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 144 - * Output Bounds: 145 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 146 161 */ 147 - static void fiat_p224_mul(uint32_t out1[7], const uint32_t arg1[7], const uint32_t arg2[7]) { 162 + static void fiat_p224_mul(fiat_p224_montgomery_domain_field_element out1, const fiat_p224_montgomery_domain_field_element arg1, const fiat_p224_montgomery_domain_field_element arg2) { 148 163 uint32_t x1; 149 164 uint32_t x2; 150 165 uint32_t x3; ··· 1001 1016 1002 1017 /* 1003 1018 * The function fiat_p224_square squares a field element in the Montgomery domain. 
1019 + * 1004 1020 * Preconditions: 1005 1021 * 0 ≤ eval arg1 < m 1006 1022 * Postconditions: 1007 1023 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m 1008 1024 * 0 ≤ eval out1 < m 1009 1025 * 1010 - * Input Bounds: 1011 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1012 - * Output Bounds: 1013 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1014 1026 */ 1015 - static void fiat_p224_square(uint32_t out1[7], const uint32_t arg1[7]) { 1027 + static void fiat_p224_square(fiat_p224_montgomery_domain_field_element out1, const fiat_p224_montgomery_domain_field_element arg1) { 1016 1028 uint32_t x1; 1017 1029 uint32_t x2; 1018 1030 uint32_t x3; ··· 1869 1881 1870 1882 /* 1871 1883 * The function fiat_p224_add adds two field elements in the Montgomery domain. 
1884 + * 1872 1885 * Preconditions: 1873 1886 * 0 ≤ eval arg1 < m 1874 1887 * 0 ≤ eval arg2 < m ··· 1876 1889 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m 1877 1890 * 0 ≤ eval out1 < m 1878 1891 * 1879 - * Input Bounds: 1880 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1881 - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1882 - * Output Bounds: 1883 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1884 1892 */ 1885 - static void fiat_p224_add(uint32_t out1[7], const uint32_t arg1[7], const uint32_t arg2[7]) { 1893 + static void fiat_p224_add(fiat_p224_montgomery_domain_field_element out1, const fiat_p224_montgomery_domain_field_element arg1, const fiat_p224_montgomery_domain_field_element arg2) { 1886 1894 uint32_t x1; 1887 1895 fiat_p224_uint1 x2; 1888 1896 uint32_t x3; ··· 1953 1961 1954 1962 /* 1955 1963 * The function fiat_p224_sub subtracts two field elements in the Montgomery domain. 
1964 + * 1956 1965 * Preconditions: 1957 1966 * 0 ≤ eval arg1 < m 1958 1967 * 0 ≤ eval arg2 < m ··· 1960 1969 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m 1961 1970 * 0 ≤ eval out1 < m 1962 1971 * 1963 - * Input Bounds: 1964 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1965 - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1966 - * Output Bounds: 1967 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1968 1972 */ 1969 - static void fiat_p224_sub(uint32_t out1[7], const uint32_t arg1[7], const uint32_t arg2[7]) { 1973 + static void fiat_p224_sub(fiat_p224_montgomery_domain_field_element out1, const fiat_p224_montgomery_domain_field_element arg1, const fiat_p224_montgomery_domain_field_element arg2) { 1970 1974 uint32_t x1; 1971 1975 fiat_p224_uint1 x2; 1972 1976 uint32_t x3; ··· 2022 2026 2023 2027 /* 2024 2028 * The function fiat_p224_opp negates a field element in the Montgomery domain. 
2029 + * 2025 2030 * Preconditions: 2026 2031 * 0 ≤ eval arg1 < m 2027 2032 * Postconditions: 2028 2033 * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m 2029 2034 * 0 ≤ eval out1 < m 2030 2035 * 2031 - * Input Bounds: 2032 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2033 - * Output Bounds: 2034 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2035 2036 */ 2036 - static void fiat_p224_opp(uint32_t out1[7], const uint32_t arg1[7]) { 2037 + static void fiat_p224_opp(fiat_p224_montgomery_domain_field_element out1, const fiat_p224_montgomery_domain_field_element arg1) { 2037 2038 uint32_t x1; 2038 2039 fiat_p224_uint1 x2; 2039 2040 uint32_t x3; ··· 2089 2090 2090 2091 /* 2091 2092 * The function fiat_p224_from_montgomery translates a field element out of the Montgomery domain. 
2093 + * 2092 2094 * Preconditions: 2093 2095 * 0 ≤ eval arg1 < m 2094 2096 * Postconditions: 2095 2097 * eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^7) mod m 2096 2098 * 0 ≤ eval out1 < m 2097 2099 * 2098 - * Input Bounds: 2099 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2100 - * Output Bounds: 2101 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2102 2100 */ 2103 - static void fiat_p224_from_montgomery(uint32_t out1[7], const uint32_t arg1[7]) { 2101 + static void fiat_p224_from_montgomery(fiat_p224_non_montgomery_domain_field_element out1, const fiat_p224_montgomery_domain_field_element arg1) { 2104 2102 uint32_t x1; 2105 2103 uint32_t x2; 2106 2104 uint32_t x3; ··· 2569 2567 2570 2568 /* 2571 2569 * The function fiat_p224_to_montgomery translates a field element into the Montgomery domain. 
2570 + * 2572 2571 * Preconditions: 2573 2572 * 0 ≤ eval arg1 < m 2574 2573 * Postconditions: 2575 2574 * eval (from_montgomery out1) mod m = eval arg1 mod m 2576 2575 * 0 ≤ eval out1 < m 2577 2576 * 2578 - * Input Bounds: 2579 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2580 - * Output Bounds: 2581 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2582 2577 */ 2583 - static void fiat_p224_to_montgomery(uint32_t out1[7], const uint32_t arg1[7]) { 2578 + static void fiat_p224_to_montgomery(fiat_p224_montgomery_domain_field_element out1, const fiat_p224_non_montgomery_domain_field_element arg1) { 2584 2579 uint32_t x1; 2585 2580 uint32_t x2; 2586 2581 uint32_t x3; ··· 3193 3188 3194 3189 /* 3195 3190 * The function fiat_p224_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. 3191 + * 3196 3192 * Preconditions: 3197 3193 * 0 ≤ eval arg1 < m 3198 3194 * Postconditions: ··· 3211 3207 3212 3208 /* 3213 3209 * The function fiat_p224_selectznz is a multi-limb conditional select. 3210 + * 3214 3211 * Postconditions: 3215 3212 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) 3216 3213 * ··· 3247 3244 3248 3245 /* 3249 3246 * The function fiat_p224_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 3247 + * 3250 3248 * Preconditions: 3251 3249 * 0 ≤ eval arg1 < m 3252 3250 * Postconditions: ··· 3388 3386 3389 3387 /* 3390 3388 * The function fiat_p224_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 
3389 + * 3391 3390 * Preconditions: 3392 3391 * 0 ≤ bytes_eval arg1 < m 3393 3392 * Postconditions: ··· 3509 3508 3510 3509 /* 3511 3510 * The function fiat_p224_set_one returns the field element one in the Montgomery domain. 3511 + * 3512 3512 * Postconditions: 3513 3513 * eval (from_montgomery out1) mod m = 1 mod m 3514 3514 * 0 ≤ eval out1 < m 3515 3515 * 3516 - * Input Bounds: 3517 - * Output Bounds: 3518 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 3519 3516 */ 3520 - static void fiat_p224_set_one(uint32_t out1[7]) { 3517 + static void fiat_p224_set_one(fiat_p224_montgomery_domain_field_element out1) { 3521 3518 out1[0] = UINT32_C(0xffffffff); 3522 3519 out1[1] = UINT32_C(0xffffffff); 3523 3520 out1[2] = UINT32_C(0xffffffff); ··· 3528 3525 } 3529 3526 3530 3527 /* 3531 - * The function fiat_p224_msat returns the saturated represtation of the prime modulus. 3528 + * The function fiat_p224_msat returns the saturated representation of the prime modulus. 3529 + * 3532 3530 * Postconditions: 3533 3531 * twos_complement_eval out1 = m 3534 3532 * 0 ≤ eval out1 < m 3535 3533 * 3536 - * Input Bounds: 3537 3534 * Output Bounds: 3538 3535 * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 3539 3536 */ ··· 3550 3547 3551 3548 /* 3552 3549 * The function fiat_p224_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 
3550 + * 3553 3551 * Postconditions: 3554 - * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) 3552 + * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋) 3555 3553 * 0 ≤ eval out1 < m 3556 3554 * 3557 - * Input Bounds: 3558 3555 * Output Bounds: 3559 3556 * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 3560 3557 */ ··· 3570 3567 3571 3568 /* 3572 3569 * The function fiat_p224_divstep computes a divstep. 3570 + * 3573 3571 * Preconditions: 3574 3572 * 0 ≤ eval arg4 < m 3575 3573 * 0 ≤ eval arg5 < m ··· 3975 3973 out5[5] = x203; 3976 3974 out5[6] = x204; 3977 3975 } 3978 -
+48 -54
ec/native/p224_64.h
··· 1 - /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier p224 64 '2^224 - 2^96 + 1' */ 1 + /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier --inline-internal p224 64 '2^224 - 2^96 + 1' */ 2 2 /* curve description: p224 */ 3 3 /* machine_wordsize = 64 (from "64") */ 4 4 /* requested operations: (all) */ ··· 12 12 /* return values. */ 13 13 /* */ 14 14 /* Computed values: */ 15 - /* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ 16 - /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) */ 15 + /* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ 16 + /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) */ 17 + /* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */ 18 + /* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ 17 19 18 20 #include <stdint.h> 19 21 typedef unsigned char fiat_p224_uint1; 20 22 typedef signed char fiat_p224_int1; 21 23 #ifdef __GNUC__ 22 24 # define FIAT_P224_FIAT_EXTENSION __extension__ 25 + # define FIAT_P224_FIAT_INLINE 
__inline__ 23 26 #else 24 27 # define FIAT_P224_FIAT_EXTENSION 28 + # define FIAT_P224_FIAT_INLINE 25 29 #endif 26 30 27 31 FIAT_P224_FIAT_EXTENSION typedef signed __int128 fiat_p224_int128; 28 32 FIAT_P224_FIAT_EXTENSION typedef unsigned __int128 fiat_p224_uint128; 29 33 34 + /* The type fiat_p224_montgomery_domain_field_element is a field element in the Montgomery domain. */ 35 + /* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ 36 + typedef uint64_t fiat_p224_montgomery_domain_field_element[4]; 37 + 38 + /* The type fiat_p224_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */ 39 + /* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ 40 + typedef uint64_t fiat_p224_non_montgomery_domain_field_element[4]; 41 + 30 42 #if (-1 & 3) != 3 31 43 #error "This code only works on a two's complement system" 32 44 #endif ··· 43 55 44 56 /* 45 57 * The function fiat_p224_addcarryx_u64 is an addition with carry. 58 + * 46 59 * Postconditions: 47 60 * out1 = (arg1 + arg2 + arg3) mod 2^64 48 61 * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ ··· 55 68 * out1: [0x0 ~> 0xffffffffffffffff] 56 69 * out2: [0x0 ~> 0x1] 57 70 */ 58 - static void fiat_p224_addcarryx_u64(uint64_t* out1, fiat_p224_uint1* out2, fiat_p224_uint1 arg1, uint64_t arg2, uint64_t arg3) { 71 + static FIAT_P224_FIAT_INLINE void fiat_p224_addcarryx_u64(uint64_t* out1, fiat_p224_uint1* out2, fiat_p224_uint1 arg1, uint64_t arg2, uint64_t arg3) { 59 72 fiat_p224_uint128 x1; 60 73 uint64_t x2; 61 74 fiat_p224_uint1 x3; ··· 68 81 69 82 /* 70 83 * The function fiat_p224_subborrowx_u64 is a subtraction with borrow. 
84 + * 71 85 * Postconditions: 72 86 * out1 = (-arg1 + arg2 + -arg3) mod 2^64 73 87 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ ··· 80 94 * out1: [0x0 ~> 0xffffffffffffffff] 81 95 * out2: [0x0 ~> 0x1] 82 96 */ 83 - static void fiat_p224_subborrowx_u64(uint64_t* out1, fiat_p224_uint1* out2, fiat_p224_uint1 arg1, uint64_t arg2, uint64_t arg3) { 97 + static FIAT_P224_FIAT_INLINE void fiat_p224_subborrowx_u64(uint64_t* out1, fiat_p224_uint1* out2, fiat_p224_uint1 arg1, uint64_t arg2, uint64_t arg3) { 84 98 fiat_p224_int128 x1; 85 99 fiat_p224_int1 x2; 86 100 uint64_t x3; ··· 93 107 94 108 /* 95 109 * The function fiat_p224_mulx_u64 is a multiplication, returning the full double-width result. 110 + * 96 111 * Postconditions: 97 112 * out1 = (arg1 * arg2) mod 2^64 98 113 * out2 = ⌊arg1 * arg2 / 2^64⌋ ··· 104 119 * out1: [0x0 ~> 0xffffffffffffffff] 105 120 * out2: [0x0 ~> 0xffffffffffffffff] 106 121 */ 107 - static void fiat_p224_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { 122 + static FIAT_P224_FIAT_INLINE void fiat_p224_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { 108 123 fiat_p224_uint128 x1; 109 124 uint64_t x2; 110 125 uint64_t x3; ··· 117 132 118 133 /* 119 134 * The function fiat_p224_cmovznz_u64 is a single-word conditional move. 135 + * 120 136 * Postconditions: 121 137 * out1 = (if arg1 = 0 then arg2 else arg3) 122 138 * ··· 127 143 * Output Bounds: 128 144 * out1: [0x0 ~> 0xffffffffffffffff] 129 145 */ 130 - static void fiat_p224_cmovznz_u64(uint64_t* out1, fiat_p224_uint1 arg1, uint64_t arg2, uint64_t arg3) { 146 + static FIAT_P224_FIAT_INLINE void fiat_p224_cmovznz_u64(uint64_t* out1, fiat_p224_uint1 arg1, uint64_t arg2, uint64_t arg3) { 131 147 fiat_p224_uint1 x1; 132 148 uint64_t x2; 133 149 uint64_t x3; ··· 139 155 140 156 /* 141 157 * The function fiat_p224_mul multiplies two field elements in the Montgomery domain. 
158 + * 142 159 * Preconditions: 143 160 * 0 ≤ eval arg1 < m 144 161 * 0 ≤ eval arg2 < m ··· 146 163 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m 147 164 * 0 ≤ eval out1 < m 148 165 * 149 - * Input Bounds: 150 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 151 - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 152 - * Output Bounds: 153 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 154 166 */ 155 - static void fiat_p224_mul(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { 167 + static void fiat_p224_mul(fiat_p224_montgomery_domain_field_element out1, const fiat_p224_montgomery_domain_field_element arg1, const fiat_p224_montgomery_domain_field_element arg2) { 156 168 uint64_t x1; 157 169 uint64_t x2; 158 170 uint64_t x3; ··· 475 487 476 488 /* 477 489 * The function fiat_p224_square squares a field element in the Montgomery domain. 
490 + * 478 491 * Preconditions: 479 492 * 0 ≤ eval arg1 < m 480 493 * Postconditions: 481 494 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m 482 495 * 0 ≤ eval out1 < m 483 496 * 484 - * Input Bounds: 485 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 486 - * Output Bounds: 487 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 488 497 */ 489 - static void fiat_p224_square(uint64_t out1[4], const uint64_t arg1[4]) { 498 + static void fiat_p224_square(fiat_p224_montgomery_domain_field_element out1, const fiat_p224_montgomery_domain_field_element arg1) { 490 499 uint64_t x1; 491 500 uint64_t x2; 492 501 uint64_t x3; ··· 809 818 810 819 /* 811 820 * The function fiat_p224_add adds two field elements in the Montgomery domain. 821 + * 812 822 * Preconditions: 813 823 * 0 ≤ eval arg1 < m 814 824 * 0 ≤ eval arg2 < m ··· 816 826 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m 817 827 * 0 ≤ eval out1 < m 818 828 * 819 - * Input Bounds: 820 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 821 - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 822 - * Output Bounds: 823 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 824 829 */ 825 - static void fiat_p224_add(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { 830 + static void fiat_p224_add(fiat_p224_montgomery_domain_field_element out1, const fiat_p224_montgomery_domain_field_element arg1, const fiat_p224_montgomery_domain_field_element arg2) { 826 831 uint64_t x1; 827 832 fiat_p224_uint1 x2; 828 833 uint64_t x3; 
··· 866 871 867 872 /* 868 873 * The function fiat_p224_sub subtracts two field elements in the Montgomery domain. 874 + * 869 875 * Preconditions: 870 876 * 0 ≤ eval arg1 < m 871 877 * 0 ≤ eval arg2 < m ··· 873 879 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m 874 880 * 0 ≤ eval out1 < m 875 881 * 876 - * Input Bounds: 877 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 878 - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 879 - * Output Bounds: 880 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 881 882 */ 882 - static void fiat_p224_sub(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { 883 + static void fiat_p224_sub(fiat_p224_montgomery_domain_field_element out1, const fiat_p224_montgomery_domain_field_element arg1, const fiat_p224_montgomery_domain_field_element arg2) { 883 884 uint64_t x1; 884 885 fiat_p224_uint1 x2; 885 886 uint64_t x3; ··· 914 915 915 916 /* 916 917 * The function fiat_p224_opp negates a field element in the Montgomery domain. 
918 + * 917 919 * Preconditions: 918 920 * 0 ≤ eval arg1 < m 919 921 * Postconditions: 920 922 * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m 921 923 * 0 ≤ eval out1 < m 922 924 * 923 - * Input Bounds: 924 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 925 - * Output Bounds: 926 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 927 925 */ 928 - static void fiat_p224_opp(uint64_t out1[4], const uint64_t arg1[4]) { 926 + static void fiat_p224_opp(fiat_p224_montgomery_domain_field_element out1, const fiat_p224_montgomery_domain_field_element arg1) { 929 927 uint64_t x1; 930 928 fiat_p224_uint1 x2; 931 929 uint64_t x3; ··· 960 958 961 959 /* 962 960 * The function fiat_p224_from_montgomery translates a field element out of the Montgomery domain. 961 + * 963 962 * Preconditions: 964 963 * 0 ≤ eval arg1 < m 965 964 * Postconditions: 966 965 * eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m 967 966 * 0 ≤ eval out1 < m 968 967 * 969 - * Input Bounds: 970 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 971 - * Output Bounds: 972 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 973 968 */ 974 - static void fiat_p224_from_montgomery(uint64_t out1[4], const uint64_t arg1[4]) { 969 + static void fiat_p224_from_montgomery(fiat_p224_non_montgomery_domain_field_element out1, const fiat_p224_montgomery_domain_field_element arg1) { 975 970 uint64_t x1; 976 971 uint64_t x2; 977 972 uint64_t x3; ··· 1154 1149 1155 1150 /* 1156 1151 * The function fiat_p224_to_montgomery translates a field element into the Montgomery domain. 
1152 + * 1157 1153 * Preconditions: 1158 1154 * 0 ≤ eval arg1 < m 1159 1155 * Postconditions: 1160 1156 * eval (from_montgomery out1) mod m = eval arg1 mod m 1161 1157 * 0 ≤ eval out1 < m 1162 1158 * 1163 - * Input Bounds: 1164 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1165 - * Output Bounds: 1166 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1167 1159 */ 1168 - static void fiat_p224_to_montgomery(uint64_t out1[4], const uint64_t arg1[4]) { 1160 + static void fiat_p224_to_montgomery(fiat_p224_montgomery_domain_field_element out1, const fiat_p224_non_montgomery_domain_field_element arg1) { 1169 1161 uint64_t x1; 1170 1162 uint64_t x2; 1171 1163 uint64_t x3; ··· 1447 1439 1448 1440 /* 1449 1441 * The function fiat_p224_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. 1442 + * 1450 1443 * Preconditions: 1451 1444 * 0 ≤ eval arg1 < m 1452 1445 * Postconditions: ··· 1465 1458 1466 1459 /* 1467 1460 * The function fiat_p224_selectznz is a multi-limb conditional select. 1461 + * 1468 1462 * Postconditions: 1469 1463 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) 1470 1464 * ··· 1492 1486 1493 1487 /* 1494 1488 * The function fiat_p224_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 1489 + * 1495 1490 * Preconditions: 1496 1491 * 0 ≤ eval arg1 < m 1497 1492 * Postconditions: ··· 1639 1634 1640 1635 /* 1641 1636 * The function fiat_p224_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 1637 + * 1642 1638 * Preconditions: 1643 1639 * 0 ≤ bytes_eval arg1 < m 1644 1640 * Postconditions: ··· 1763 1759 1764 1760 /* 1765 1761 * The function fiat_p224_set_one returns the field element one in the Montgomery domain. 
1762 + * 1766 1763 * Postconditions: 1767 1764 * eval (from_montgomery out1) mod m = 1 mod m 1768 1765 * 0 ≤ eval out1 < m 1769 1766 * 1770 - * Input Bounds: 1771 - * Output Bounds: 1772 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1773 1767 */ 1774 - static void fiat_p224_set_one(uint64_t out1[4]) { 1768 + static void fiat_p224_set_one(fiat_p224_montgomery_domain_field_element out1) { 1775 1769 out1[0] = UINT64_C(0xffffffff00000000); 1776 1770 out1[1] = UINT64_C(0xffffffffffffffff); 1777 1771 out1[2] = 0x0; ··· 1779 1773 } 1780 1774 1781 1775 /* 1782 - * The function fiat_p224_msat returns the saturated represtation of the prime modulus. 1776 + * The function fiat_p224_msat returns the saturated representation of the prime modulus. 1777 + * 1783 1778 * Postconditions: 1784 1779 * twos_complement_eval out1 = m 1785 1780 * 0 ≤ eval out1 < m 1786 1781 * 1787 - * Input Bounds: 1788 1782 * Output Bounds: 1789 1783 * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1790 1784 */ ··· 1798 1792 1799 1793 /* 1800 1794 * The function fiat_p224_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 
1795 + * 1801 1796 * Postconditions: 1802 - * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) 1797 + * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋) 1803 1798 * 0 ≤ eval out1 < m 1804 1799 * 1805 - * Input Bounds: 1806 1800 * Output Bounds: 1807 1801 * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1808 1802 */ ··· 1815 1809 1816 1810 /* 1817 1811 * The function fiat_p224_divstep computes a divstep. 1812 + * 1818 1813 * Preconditions: 1819 1814 * 0 ≤ eval arg4 < m 1820 1815 * 0 ≤ eval arg5 < m ··· 2076 2071 out5[2] = x125; 2077 2072 out5[3] = x126; 2078 2073 } 2079 -
+51 -54
ec/native/p256_32.h
··· 1 - /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier p256 32 '2^256 - 2^224 + 2^192 + 2^96 - 1' */ 1 + /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier --inline-internal p256 32 '2^256 - 2^224 + 2^192 + 2^96 - 1' */ 2 2 /* curve description: p256 */ 3 3 /* machine_wordsize = 32 (from "32") */ 4 4 /* requested operations: (all) */ ··· 12 12 /* return values. */ 13 13 /* */ 14 14 /* Computed values: */ 15 - /* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) */ 16 - /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ 15 + /* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) */ 16 + /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ 17 + /* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] 
<< 192) + (z[7] << 224) in */ 18 + /* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ 17 19 18 20 #include <stdint.h> 19 21 typedef unsigned char fiat_p256_uint1; 20 22 typedef signed char fiat_p256_int1; 23 + #ifdef __GNUC__ 24 + # define FIAT_P256_FIAT_INLINE __inline__ 25 + #else 26 + # define FIAT_P256_FIAT_INLINE 27 + #endif 28 + 29 + /* The type fiat_p256_montgomery_domain_field_element is a field element in the Montgomery domain. */ 30 + /* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ 31 + typedef uint32_t fiat_p256_montgomery_domain_field_element[8]; 32 + 33 + /* The type fiat_p256_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */ 34 + /* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ 35 + typedef uint32_t fiat_p256_non_montgomery_domain_field_element[8]; 21 36 22 37 #if (-1 & 3) != 3 23 38 #error "This code only works on a two's complement system" ··· 35 50 36 51 /* 37 52 * The function fiat_p256_addcarryx_u32 is an addition with carry. 53 + * 38 54 * Postconditions: 39 55 * out1 = (arg1 + arg2 + arg3) mod 2^32 40 56 * out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ ··· 47 63 * out1: [0x0 ~> 0xffffffff] 48 64 * out2: [0x0 ~> 0x1] 49 65 */ 50 - static void fiat_p256_addcarryx_u32(uint32_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) { 66 + static FIAT_P256_FIAT_INLINE void fiat_p256_addcarryx_u32(uint32_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) { 51 67 uint64_t x1; 52 68 uint32_t x2; 53 69 fiat_p256_uint1 x3; ··· 60 76 61 77 /* 62 78 * The function fiat_p256_subborrowx_u32 is a subtraction with borrow. 
79 + * 63 80 * Postconditions: 64 81 * out1 = (-arg1 + arg2 + -arg3) mod 2^32 65 82 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ ··· 72 89 * out1: [0x0 ~> 0xffffffff] 73 90 * out2: [0x0 ~> 0x1] 74 91 */ 75 - static void fiat_p256_subborrowx_u32(uint32_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) { 92 + static FIAT_P256_FIAT_INLINE void fiat_p256_subborrowx_u32(uint32_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) { 76 93 int64_t x1; 77 94 fiat_p256_int1 x2; 78 95 uint32_t x3; ··· 85 102 86 103 /* 87 104 * The function fiat_p256_mulx_u32 is a multiplication, returning the full double-width result. 105 + * 88 106 * Postconditions: 89 107 * out1 = (arg1 * arg2) mod 2^32 90 108 * out2 = ⌊arg1 * arg2 / 2^32⌋ ··· 96 114 * out1: [0x0 ~> 0xffffffff] 97 115 * out2: [0x0 ~> 0xffffffff] 98 116 */ 99 - static void fiat_p256_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) { 117 + static FIAT_P256_FIAT_INLINE void fiat_p256_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) { 100 118 uint64_t x1; 101 119 uint32_t x2; 102 120 uint32_t x3; ··· 109 127 110 128 /* 111 129 * The function fiat_p256_cmovznz_u32 is a single-word conditional move. 130 + * 112 131 * Postconditions: 113 132 * out1 = (if arg1 = 0 then arg2 else arg3) 114 133 * ··· 119 138 * Output Bounds: 120 139 * out1: [0x0 ~> 0xffffffff] 121 140 */ 122 - static void fiat_p256_cmovznz_u32(uint32_t* out1, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) { 141 + static FIAT_P256_FIAT_INLINE void fiat_p256_cmovznz_u32(uint32_t* out1, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) { 123 142 fiat_p256_uint1 x1; 124 143 uint32_t x2; 125 144 uint32_t x3; ··· 131 150 132 151 /* 133 152 * The function fiat_p256_mul multiplies two field elements in the Montgomery domain. 
153 + * 134 154 * Preconditions: 135 155 * 0 ≤ eval arg1 < m 136 156 * 0 ≤ eval arg2 < m ··· 138 158 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m 139 159 * 0 ≤ eval out1 < m 140 160 * 141 - * Input Bounds: 142 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 143 - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 144 - * Output Bounds: 145 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 146 161 */ 147 - static void fiat_p256_mul(uint32_t out1[8], const uint32_t arg1[8], const uint32_t arg2[8]) { 162 + static void fiat_p256_mul(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { 148 163 uint32_t x1; 149 164 uint32_t x2; 150 165 uint32_t x3; ··· 1171 1186 1172 1187 /* 1173 1188 * The function fiat_p256_square squares a field element in the Montgomery domain. 
1189 + * 1174 1190 * Preconditions: 1175 1191 * 0 ≤ eval arg1 < m 1176 1192 * Postconditions: 1177 1193 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m 1178 1194 * 0 ≤ eval out1 < m 1179 1195 * 1180 - * Input Bounds: 1181 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1182 - * Output Bounds: 1183 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 1184 1196 */ 1185 - static void fiat_p256_square(uint32_t out1[8], const uint32_t arg1[8]) { 1197 + static void fiat_p256_square(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { 1186 1198 uint32_t x1; 1187 1199 uint32_t x2; 1188 1200 uint32_t x3; ··· 2209 2221 2210 2222 /* 2211 2223 * The function fiat_p256_add adds two field elements in the Montgomery domain. 
2224 + * 2212 2225 * Preconditions: 2213 2226 * 0 ≤ eval arg1 < m 2214 2227 * 0 ≤ eval arg2 < m ··· 2216 2229 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m 2217 2230 * 0 ≤ eval out1 < m 2218 2231 * 2219 - * Input Bounds: 2220 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2221 - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2222 - * Output Bounds: 2223 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2224 2232 */ 2225 - static void fiat_p256_add(uint32_t out1[8], const uint32_t arg1[8], const uint32_t arg2[8]) { 2233 + static void fiat_p256_add(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { 2226 2234 uint32_t x1; 2227 2235 fiat_p256_uint1 x2; 2228 2236 uint32_t x3; ··· 2302 2310 2303 2311 /* 2304 2312 * The function fiat_p256_sub subtracts two field elements in the Montgomery domain. 
2313 + * 2305 2314 * Preconditions: 2306 2315 * 0 ≤ eval arg1 < m 2307 2316 * 0 ≤ eval arg2 < m ··· 2309 2318 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m 2310 2319 * 0 ≤ eval out1 < m 2311 2320 * 2312 - * Input Bounds: 2313 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2314 - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2315 - * Output Bounds: 2316 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2317 2321 */ 2318 - static void fiat_p256_sub(uint32_t out1[8], const uint32_t arg1[8], const uint32_t arg2[8]) { 2322 + static void fiat_p256_sub(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { 2319 2323 uint32_t x1; 2320 2324 fiat_p256_uint1 x2; 2321 2325 uint32_t x3; ··· 2378 2382 2379 2383 /* 2380 2384 * The function fiat_p256_opp negates a field element in the Montgomery domain. 
2385 + * 2381 2386 * Preconditions: 2382 2387 * 0 ≤ eval arg1 < m 2383 2388 * Postconditions: 2384 2389 * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m 2385 2390 * 0 ≤ eval out1 < m 2386 2391 * 2387 - * Input Bounds: 2388 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2389 - * Output Bounds: 2390 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2391 2392 */ 2392 - static void fiat_p256_opp(uint32_t out1[8], const uint32_t arg1[8]) { 2393 + static void fiat_p256_opp(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { 2393 2394 uint32_t x1; 2394 2395 fiat_p256_uint1 x2; 2395 2396 uint32_t x3; ··· 2452 2453 2453 2454 /* 2454 2455 * The function fiat_p256_from_montgomery translates a field element out of the Montgomery domain. 
2456 + * 2455 2457 * Preconditions: 2456 2458 * 0 ≤ eval arg1 < m 2457 2459 * Postconditions: 2458 2460 * eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^8) mod m 2459 2461 * 0 ≤ eval out1 < m 2460 2462 * 2461 - * Input Bounds: 2462 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2463 - * Output Bounds: 2464 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2465 2463 */ 2466 - static void fiat_p256_from_montgomery(uint32_t out1[8], const uint32_t arg1[8]) { 2464 + static void fiat_p256_from_montgomery(fiat_p256_non_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { 2467 2465 uint32_t x1; 2468 2466 uint32_t x2; 2469 2467 uint32_t x3; ··· 2992 2990 2993 2991 /* 2994 2992 * The function fiat_p256_to_montgomery translates a field element into the Montgomery domain. 
2993 + * 2995 2994 * Preconditions: 2996 2995 * 0 ≤ eval arg1 < m 2997 2996 * Postconditions: 2998 2997 * eval (from_montgomery out1) mod m = eval arg1 mod m 2999 2998 * 0 ≤ eval out1 < m 3000 2999 * 3001 - * Input Bounds: 3002 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 3003 - * Output Bounds: 3004 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 3005 3000 */ 3006 - static void fiat_p256_to_montgomery(uint32_t out1[8], const uint32_t arg1[8]) { 3001 + static void fiat_p256_to_montgomery(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_non_montgomery_domain_field_element arg1) { 3007 3002 uint32_t x1; 3008 3003 uint32_t x2; 3009 3004 uint32_t x3; ··· 3891 3886 3892 3887 /* 3893 3888 * The function fiat_p256_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. 3889 + * 3894 3890 * Preconditions: 3895 3891 * 0 ≤ eval arg1 < m 3896 3892 * Postconditions: ··· 3909 3905 3910 3906 /* 3911 3907 * The function fiat_p256_selectznz is a multi-limb conditional select. 3908 + * 3912 3909 * Postconditions: 3913 3910 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) 3914 3911 * ··· 3948 3945 3949 3946 /* 3950 3947 * The function fiat_p256_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 3948 + * 3951 3949 * Preconditions: 3952 3950 * 0 ≤ eval arg1 < m 3953 3951 * Postconditions: ··· 4107 4105 4108 4106 /* 4109 4107 * The function fiat_p256_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 
4108 + * 4110 4109 * Preconditions: 4111 4110 * 0 ≤ bytes_eval arg1 < m 4112 4111 * Postconditions: ··· 4243 4242 4244 4243 /* 4245 4244 * The function fiat_p256_set_one returns the field element one in the Montgomery domain. 4245 + * 4246 4246 * Postconditions: 4247 4247 * eval (from_montgomery out1) mod m = 1 mod m 4248 4248 * 0 ≤ eval out1 < m 4249 4249 * 4250 - * Input Bounds: 4251 - * Output Bounds: 4252 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 4253 4250 */ 4254 - static void fiat_p256_set_one(uint32_t out1[8]) { 4251 + static void fiat_p256_set_one(fiat_p256_montgomery_domain_field_element out1) { 4255 4252 out1[0] = 0x1; 4256 4253 out1[1] = 0x0; 4257 4254 out1[2] = 0x0; ··· 4263 4260 } 4264 4261 4265 4262 /* 4266 - * The function fiat_p256_msat returns the saturated represtation of the prime modulus. 4263 + * The function fiat_p256_msat returns the saturated representation of the prime modulus. 4264 + * 4267 4265 * Postconditions: 4268 4266 * twos_complement_eval out1 = m 4269 4267 * 0 ≤ eval out1 < m 4270 4268 * 4271 - * Input Bounds: 4272 4269 * Output Bounds: 4273 4270 * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 4274 4271 */ ··· 4286 4283 4287 4284 /* 4288 4285 * The function fiat_p256_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 
4286 + * 4289 4287 * Postconditions: 4290 - * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) 4288 + * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋) 4291 4289 * 0 ≤ eval out1 < m 4292 4290 * 4293 - * Input Bounds: 4294 4291 * Output Bounds: 4295 4292 * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 4296 4293 */ ··· 4307 4304 4308 4305 /* 4309 4306 * The function fiat_p256_divstep computes a divstep. 4307 + * 4310 4308 * Preconditions: 4311 4309 * 0 ≤ eval arg4 < m 4312 4310 * 0 ≤ eval arg5 < m ··· 4760 4758 out5[6] = x229; 4761 4759 out5[7] = x230; 4762 4760 } 4763 -
+48 -54
ec/native/p256_64.h
··· 1 - /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier p256 64 '2^256 - 2^224 + 2^192 + 2^96 - 1' */ 1 + /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier --inline-internal p256 64 '2^256 - 2^224 + 2^192 + 2^96 - 1' */ 2 2 /* curve description: p256 */ 3 3 /* machine_wordsize = 64 (from "64") */ 4 4 /* requested operations: (all) */ ··· 12 12 /* return values. */ 13 13 /* */ 14 14 /* Computed values: */ 15 - /* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ 16 - /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ 15 + /* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ 16 + /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ 17 + /* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */ 18 + /* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ 17 19 18 20 #include <stdint.h> 19 21 typedef unsigned char 
fiat_p256_uint1; 20 22 typedef signed char fiat_p256_int1; 21 23 #ifdef __GNUC__ 22 24 # define FIAT_P256_FIAT_EXTENSION __extension__ 25 + # define FIAT_P256_FIAT_INLINE __inline__ 23 26 #else 24 27 # define FIAT_P256_FIAT_EXTENSION 28 + # define FIAT_P256_FIAT_INLINE 25 29 #endif 26 30 27 31 FIAT_P256_FIAT_EXTENSION typedef signed __int128 fiat_p256_int128; 28 32 FIAT_P256_FIAT_EXTENSION typedef unsigned __int128 fiat_p256_uint128; 29 33 34 + /* The type fiat_p256_montgomery_domain_field_element is a field element in the Montgomery domain. */ 35 + /* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ 36 + typedef uint64_t fiat_p256_montgomery_domain_field_element[4]; 37 + 38 + /* The type fiat_p256_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */ 39 + /* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ 40 + typedef uint64_t fiat_p256_non_montgomery_domain_field_element[4]; 41 + 30 42 #if (-1 & 3) != 3 31 43 #error "This code only works on a two's complement system" 32 44 #endif ··· 43 55 44 56 /* 45 57 * The function fiat_p256_addcarryx_u64 is an addition with carry. 58 + * 46 59 * Postconditions: 47 60 * out1 = (arg1 + arg2 + arg3) mod 2^64 48 61 * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ ··· 55 68 * out1: [0x0 ~> 0xffffffffffffffff] 56 69 * out2: [0x0 ~> 0x1] 57 70 */ 58 - static void fiat_p256_addcarryx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { 71 + static FIAT_P256_FIAT_INLINE void fiat_p256_addcarryx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { 59 72 fiat_p256_uint128 x1; 60 73 uint64_t x2; 61 74 fiat_p256_uint1 x3; ··· 68 81 69 82 /* 70 83 * The function fiat_p256_subborrowx_u64 is a subtraction with borrow. 
84 + * 71 85 * Postconditions: 72 86 * out1 = (-arg1 + arg2 + -arg3) mod 2^64 73 87 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ ··· 80 94 * out1: [0x0 ~> 0xffffffffffffffff] 81 95 * out2: [0x0 ~> 0x1] 82 96 */ 83 - static void fiat_p256_subborrowx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { 97 + static FIAT_P256_FIAT_INLINE void fiat_p256_subborrowx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { 84 98 fiat_p256_int128 x1; 85 99 fiat_p256_int1 x2; 86 100 uint64_t x3; ··· 93 107 94 108 /* 95 109 * The function fiat_p256_mulx_u64 is a multiplication, returning the full double-width result. 110 + * 96 111 * Postconditions: 97 112 * out1 = (arg1 * arg2) mod 2^64 98 113 * out2 = ⌊arg1 * arg2 / 2^64⌋ ··· 104 119 * out1: [0x0 ~> 0xffffffffffffffff] 105 120 * out2: [0x0 ~> 0xffffffffffffffff] 106 121 */ 107 - static void fiat_p256_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { 122 + static FIAT_P256_FIAT_INLINE void fiat_p256_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { 108 123 fiat_p256_uint128 x1; 109 124 uint64_t x2; 110 125 uint64_t x3; ··· 117 132 118 133 /* 119 134 * The function fiat_p256_cmovznz_u64 is a single-word conditional move. 135 + * 120 136 * Postconditions: 121 137 * out1 = (if arg1 = 0 then arg2 else arg3) 122 138 * ··· 127 143 * Output Bounds: 128 144 * out1: [0x0 ~> 0xffffffffffffffff] 129 145 */ 130 - static void fiat_p256_cmovznz_u64(uint64_t* out1, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { 146 + static FIAT_P256_FIAT_INLINE void fiat_p256_cmovznz_u64(uint64_t* out1, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { 131 147 fiat_p256_uint1 x1; 132 148 uint64_t x2; 133 149 uint64_t x3; ··· 139 155 140 156 /* 141 157 * The function fiat_p256_mul multiplies two field elements in the Montgomery domain. 
158 + * 142 159 * Preconditions: 143 160 * 0 ≤ eval arg1 < m 144 161 * 0 ≤ eval arg2 < m ··· 146 163 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m 147 164 * 0 ≤ eval out1 < m 148 165 * 149 - * Input Bounds: 150 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 151 - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 152 - * Output Bounds: 153 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 154 166 */ 155 - static void fiat_p256_mul(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { 167 + static void fiat_p256_mul(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { 156 168 uint64_t x1; 157 169 uint64_t x2; 158 170 uint64_t x3; ··· 451 463 452 464 /* 453 465 * The function fiat_p256_square squares a field element in the Montgomery domain. 
466 + * 454 467 * Preconditions: 455 468 * 0 ≤ eval arg1 < m 456 469 * Postconditions: 457 470 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m 458 471 * 0 ≤ eval out1 < m 459 472 * 460 - * Input Bounds: 461 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 462 - * Output Bounds: 463 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 464 473 */ 465 - static void fiat_p256_square(uint64_t out1[4], const uint64_t arg1[4]) { 474 + static void fiat_p256_square(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { 466 475 uint64_t x1; 467 476 uint64_t x2; 468 477 uint64_t x3; ··· 761 770 762 771 /* 763 772 * The function fiat_p256_add adds two field elements in the Montgomery domain. 773 + * 764 774 * Preconditions: 765 775 * 0 ≤ eval arg1 < m 766 776 * 0 ≤ eval arg2 < m ··· 768 778 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m 769 779 * 0 ≤ eval out1 < m 770 780 * 771 - * Input Bounds: 772 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 773 - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 774 - * Output Bounds: 775 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 776 781 */ 777 - static void fiat_p256_add(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { 782 + static void fiat_p256_add(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { 778 783 uint64_t x1; 779 784 fiat_p256_uint1 x2; 780 785 uint64_t x3; 
··· 818 823 819 824 /* 820 825 * The function fiat_p256_sub subtracts two field elements in the Montgomery domain. 826 + * 821 827 * Preconditions: 822 828 * 0 ≤ eval arg1 < m 823 829 * 0 ≤ eval arg2 < m ··· 825 831 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m 826 832 * 0 ≤ eval out1 < m 827 833 * 828 - * Input Bounds: 829 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 830 - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 831 - * Output Bounds: 832 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 833 834 */ 834 - static void fiat_p256_sub(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { 835 + static void fiat_p256_sub(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { 835 836 uint64_t x1; 836 837 fiat_p256_uint1 x2; 837 838 uint64_t x3; ··· 866 867 867 868 /* 868 869 * The function fiat_p256_opp negates a field element in the Montgomery domain. 
870 + * 869 871 * Preconditions: 870 872 * 0 ≤ eval arg1 < m 871 873 * Postconditions: 872 874 * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m 873 875 * 0 ≤ eval out1 < m 874 876 * 875 - * Input Bounds: 876 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 877 - * Output Bounds: 878 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 879 877 */ 880 - static void fiat_p256_opp(uint64_t out1[4], const uint64_t arg1[4]) { 878 + static void fiat_p256_opp(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { 881 879 uint64_t x1; 882 880 fiat_p256_uint1 x2; 883 881 uint64_t x3; ··· 912 910 913 911 /* 914 912 * The function fiat_p256_from_montgomery translates a field element out of the Montgomery domain. 913 + * 915 914 * Preconditions: 916 915 * 0 ≤ eval arg1 < m 917 916 * Postconditions: 918 917 * eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m 919 918 * 0 ≤ eval out1 < m 920 919 * 921 - * Input Bounds: 922 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 923 - * Output Bounds: 924 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 925 920 */ 926 - static void fiat_p256_from_montgomery(uint64_t out1[4], const uint64_t arg1[4]) { 921 + static void fiat_p256_from_montgomery(fiat_p256_non_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { 927 922 uint64_t x1; 928 923 uint64_t x2; 929 924 uint64_t x3; ··· 1070 1065 1071 1066 /* 1072 1067 * The function fiat_p256_to_montgomery translates a field element into the Montgomery domain. 
1068 + * 1073 1069 * Preconditions: 1074 1070 * 0 ≤ eval arg1 < m 1075 1071 * Postconditions: 1076 1072 * eval (from_montgomery out1) mod m = eval arg1 mod m 1077 1073 * 0 ≤ eval out1 < m 1078 1074 * 1079 - * Input Bounds: 1080 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1081 - * Output Bounds: 1082 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1083 1075 */ 1084 - static void fiat_p256_to_montgomery(uint64_t out1[4], const uint64_t arg1[4]) { 1076 + static void fiat_p256_to_montgomery(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_non_montgomery_domain_field_element arg1) { 1085 1077 uint64_t x1; 1086 1078 uint64_t x2; 1087 1079 uint64_t x3; ··· 1349 1341 1350 1342 /* 1351 1343 * The function fiat_p256_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. 1344 + * 1352 1345 * Preconditions: 1353 1346 * 0 ≤ eval arg1 < m 1354 1347 * Postconditions: ··· 1367 1360 1368 1361 /* 1369 1362 * The function fiat_p256_selectznz is a multi-limb conditional select. 1363 + * 1370 1364 * Postconditions: 1371 1365 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) 1372 1366 * ··· 1394 1388 1395 1389 /* 1396 1390 * The function fiat_p256_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 1391 + * 1397 1392 * Preconditions: 1398 1393 * 0 ≤ eval arg1 < m 1399 1394 * Postconditions: ··· 1561 1556 1562 1557 /* 1563 1558 * The function fiat_p256_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 1559 + * 1564 1560 * Preconditions: 1565 1561 * 0 ≤ bytes_eval arg1 < m 1566 1562 * Postconditions: ··· 1701 1697 1702 1698 /* 1703 1699 * The function fiat_p256_set_one returns the field element one in the Montgomery domain. 
1700 + * 1704 1701 * Postconditions: 1705 1702 * eval (from_montgomery out1) mod m = 1 mod m 1706 1703 * 0 ≤ eval out1 < m 1707 1704 * 1708 - * Input Bounds: 1709 - * Output Bounds: 1710 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1711 1705 */ 1712 - static void fiat_p256_set_one(uint64_t out1[4]) { 1706 + static void fiat_p256_set_one(fiat_p256_montgomery_domain_field_element out1) { 1713 1707 out1[0] = 0x1; 1714 1708 out1[1] = UINT64_C(0xffffffff00000000); 1715 1709 out1[2] = UINT64_C(0xffffffffffffffff); ··· 1717 1711 } 1718 1712 1719 1713 /* 1720 - * The function fiat_p256_msat returns the saturated represtation of the prime modulus. 1714 + * The function fiat_p256_msat returns the saturated representation of the prime modulus. 1715 + * 1721 1716 * Postconditions: 1722 1717 * twos_complement_eval out1 = m 1723 1718 * 0 ≤ eval out1 < m 1724 1719 * 1725 - * Input Bounds: 1726 1720 * Output Bounds: 1727 1721 * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1728 1722 */ ··· 1736 1730 1737 1731 /* 1738 1732 * The function fiat_p256_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 
1733 + * 1739 1734 * Postconditions: 1740 - * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) 1735 + * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋) 1741 1736 * 0 ≤ eval out1 < m 1742 1737 * 1743 - * Input Bounds: 1744 1738 * Output Bounds: 1745 1739 * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1746 1740 */ ··· 1753 1747 1754 1748 /* 1755 1749 * The function fiat_p256_divstep computes a divstep. 1750 + * 1756 1751 * Preconditions: 1757 1752 * 0 ≤ eval arg4 < m 1758 1753 * 0 ≤ eval arg5 < m ··· 2014 2009 out5[2] = x125; 2015 2010 out5[3] = x126; 2016 2011 } 2017 -
+51 -54
ec/native/p384_32.h
··· 1 - /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier p384 32 '2^384 - 2^128 - 2^96 + 2^32 - 1' */ 1 + /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier --inline-internal p384 32 '2^384 - 2^128 - 2^96 + 2^32 - 1' */ 2 2 /* curve description: p384 */ 3 3 /* machine_wordsize = 32 (from "32") */ 4 4 /* requested operations: (all) */ ··· 12 12 /* return values. */ 13 13 /* */ 14 14 /* Computed values: */ 15 - /* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) */ 16 - /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ 15 + /* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) */ 16 + /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 
104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ 17 + /* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) in */ 18 + /* if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 */ 17 19 18 20 #include <stdint.h> 19 21 typedef unsigned char fiat_p384_uint1; 20 22 typedef signed char fiat_p384_int1; 23 + #ifdef __GNUC__ 24 + # define FIAT_P384_FIAT_INLINE __inline__ 25 + #else 26 + # define FIAT_P384_FIAT_INLINE 27 + #endif 28 + 29 + /* The type fiat_p384_montgomery_domain_field_element is a field element in the Montgomery domain. */ 30 + /* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ 31 + typedef uint32_t fiat_p384_montgomery_domain_field_element[12]; 32 + 33 + /* The type fiat_p384_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. 
*/ 34 + /* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ 35 + typedef uint32_t fiat_p384_non_montgomery_domain_field_element[12]; 21 36 22 37 #if (-1 & 3) != 3 23 38 #error "This code only works on a two's complement system" ··· 35 50 36 51 /* 37 52 * The function fiat_p384_addcarryx_u32 is an addition with carry. 53 + * 38 54 * Postconditions: 39 55 * out1 = (arg1 + arg2 + arg3) mod 2^32 40 56 * out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ ··· 47 63 * out1: [0x0 ~> 0xffffffff] 48 64 * out2: [0x0 ~> 0x1] 49 65 */ 50 - static void fiat_p384_addcarryx_u32(uint32_t* out1, fiat_p384_uint1* out2, fiat_p384_uint1 arg1, uint32_t arg2, uint32_t arg3) { 66 + static FIAT_P384_FIAT_INLINE void fiat_p384_addcarryx_u32(uint32_t* out1, fiat_p384_uint1* out2, fiat_p384_uint1 arg1, uint32_t arg2, uint32_t arg3) { 51 67 uint64_t x1; 52 68 uint32_t x2; 53 69 fiat_p384_uint1 x3; ··· 60 76 61 77 /* 62 78 * The function fiat_p384_subborrowx_u32 is a subtraction with borrow. 79 + * 63 80 * Postconditions: 64 81 * out1 = (-arg1 + arg2 + -arg3) mod 2^32 65 82 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ ··· 72 89 * out1: [0x0 ~> 0xffffffff] 73 90 * out2: [0x0 ~> 0x1] 74 91 */ 75 - static void fiat_p384_subborrowx_u32(uint32_t* out1, fiat_p384_uint1* out2, fiat_p384_uint1 arg1, uint32_t arg2, uint32_t arg3) { 92 + static FIAT_P384_FIAT_INLINE void fiat_p384_subborrowx_u32(uint32_t* out1, fiat_p384_uint1* out2, fiat_p384_uint1 arg1, uint32_t arg2, uint32_t arg3) { 76 93 int64_t x1; 77 94 fiat_p384_int1 x2; 78 95 uint32_t x3; ··· 85 102 86 103 /* 87 104 * The function fiat_p384_mulx_u32 is a multiplication, returning the full double-width result. 
105 + * 88 106 * Postconditions: 89 107 * out1 = (arg1 * arg2) mod 2^32 90 108 * out2 = ⌊arg1 * arg2 / 2^32⌋ ··· 96 114 * out1: [0x0 ~> 0xffffffff] 97 115 * out2: [0x0 ~> 0xffffffff] 98 116 */ 99 - static void fiat_p384_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) { 117 + static FIAT_P384_FIAT_INLINE void fiat_p384_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) { 100 118 uint64_t x1; 101 119 uint32_t x2; 102 120 uint32_t x3; ··· 109 127 110 128 /* 111 129 * The function fiat_p384_cmovznz_u32 is a single-word conditional move. 130 + * 112 131 * Postconditions: 113 132 * out1 = (if arg1 = 0 then arg2 else arg3) 114 133 * ··· 119 138 * Output Bounds: 120 139 * out1: [0x0 ~> 0xffffffff] 121 140 */ 122 - static void fiat_p384_cmovznz_u32(uint32_t* out1, fiat_p384_uint1 arg1, uint32_t arg2, uint32_t arg3) { 141 + static FIAT_P384_FIAT_INLINE void fiat_p384_cmovznz_u32(uint32_t* out1, fiat_p384_uint1 arg1, uint32_t arg2, uint32_t arg3) { 123 142 fiat_p384_uint1 x1; 124 143 uint32_t x2; 125 144 uint32_t x3; ··· 131 150 132 151 /* 133 152 * The function fiat_p384_mul multiplies two field elements in the Montgomery domain. 
153 + * 134 154 * Preconditions: 135 155 * 0 ≤ eval arg1 < m 136 156 * 0 ≤ eval arg2 < m ··· 138 158 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m 139 159 * 0 ≤ eval out1 < m 140 160 * 141 - * Input Bounds: 142 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 143 - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 144 - * Output Bounds: 145 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 146 161 */ 147 - static void fiat_p384_mul(uint32_t out1[12], const uint32_t arg1[12], const uint32_t arg2[12]) { 162 + static void fiat_p384_mul(fiat_p384_montgomery_domain_field_element out1, const fiat_p384_montgomery_domain_field_element arg1, const fiat_p384_montgomery_domain_field_element arg2) { 148 163 uint32_t x1; 149 164 uint32_t x2; 150 165 uint32_t x3; ··· 2691 2706 2692 2707 /* 2693 2708 * The function fiat_p384_square squares a field element in the Montgomery domain. 
2709 + * 2694 2710 * Preconditions: 2695 2711 * 0 ≤ eval arg1 < m 2696 2712 * Postconditions: 2697 2713 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m 2698 2714 * 0 ≤ eval out1 < m 2699 2715 * 2700 - * Input Bounds: 2701 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2702 - * Output Bounds: 2703 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 2704 2716 */ 2705 - static void fiat_p384_square(uint32_t out1[12], const uint32_t arg1[12]) { 2717 + static void fiat_p384_square(fiat_p384_montgomery_domain_field_element out1, const fiat_p384_montgomery_domain_field_element arg1) { 2706 2718 uint32_t x1; 2707 2719 uint32_t x2; 2708 2720 uint32_t x3; ··· 5249 5261 5250 5262 /* 5251 5263 * The function fiat_p384_add adds two field elements in the Montgomery domain. 
5264 + * 5252 5265 * Preconditions: 5253 5266 * 0 ≤ eval arg1 < m 5254 5267 * 0 ≤ eval arg2 < m ··· 5256 5269 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m 5257 5270 * 0 ≤ eval out1 < m 5258 5271 * 5259 - * Input Bounds: 5260 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 5261 - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 5262 - * Output Bounds: 5263 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 5264 5272 */ 5265 - static void fiat_p384_add(uint32_t out1[12], const uint32_t arg1[12], const uint32_t arg2[12]) { 5273 + static void fiat_p384_add(fiat_p384_montgomery_domain_field_element out1, const fiat_p384_montgomery_domain_field_element arg1, const fiat_p384_montgomery_domain_field_element arg2) { 5266 5274 uint32_t x1; 5267 5275 fiat_p384_uint1 x2; 5268 5276 uint32_t x3; ··· 5378 5386 5379 5387 /* 5380 5388 * The function fiat_p384_sub subtracts two field elements in the Montgomery domain. 
5389 + * 5381 5390 * Preconditions: 5382 5391 * 0 ≤ eval arg1 < m 5383 5392 * 0 ≤ eval arg2 < m ··· 5385 5394 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m 5386 5395 * 0 ≤ eval out1 < m 5387 5396 * 5388 - * Input Bounds: 5389 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 5390 - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 5391 - * Output Bounds: 5392 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 5393 5397 */ 5394 - static void fiat_p384_sub(uint32_t out1[12], const uint32_t arg1[12], const uint32_t arg2[12]) { 5398 + static void fiat_p384_sub(fiat_p384_montgomery_domain_field_element out1, const fiat_p384_montgomery_domain_field_element arg1, const fiat_p384_montgomery_domain_field_element arg2) { 5395 5399 uint32_t x1; 5396 5400 fiat_p384_uint1 x2; 5397 5401 uint32_t x3; ··· 5482 5486 5483 5487 /* 5484 5488 * The function fiat_p384_opp negates a field element in the Montgomery domain. 
5489 + * 5485 5490 * Preconditions: 5486 5491 * 0 ≤ eval arg1 < m 5487 5492 * Postconditions: 5488 5493 * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m 5489 5494 * 0 ≤ eval out1 < m 5490 5495 * 5491 - * Input Bounds: 5492 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 5493 - * Output Bounds: 5494 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 5495 5496 */ 5496 - static void fiat_p384_opp(uint32_t out1[12], const uint32_t arg1[12]) { 5497 + static void fiat_p384_opp(fiat_p384_montgomery_domain_field_element out1, const fiat_p384_montgomery_domain_field_element arg1) { 5497 5498 uint32_t x1; 5498 5499 fiat_p384_uint1 x2; 5499 5500 uint32_t x3; ··· 5584 5585 5585 5586 /* 5586 5587 * The function fiat_p384_from_montgomery translates a field element out of the Montgomery domain. 
5588 + * 5587 5589 * Preconditions: 5588 5590 * 0 ≤ eval arg1 < m 5589 5591 * Postconditions: 5590 5592 * eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^12) mod m 5591 5593 * 0 ≤ eval out1 < m 5592 5594 * 5593 - * Input Bounds: 5594 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 5595 - * Output Bounds: 5596 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 5597 5595 */ 5598 - static void fiat_p384_from_montgomery(uint32_t out1[12], const uint32_t arg1[12]) { 5596 + static void fiat_p384_from_montgomery(fiat_p384_non_montgomery_domain_field_element out1, const fiat_p384_montgomery_domain_field_element arg1) { 5599 5597 uint32_t x1; 5600 5598 uint32_t x2; 5601 5599 uint32_t x3; ··· 7120 7118 7121 7119 /* 7122 7120 * The function fiat_p384_to_montgomery translates a field element into the Montgomery domain. 
7121 + * 7123 7122 * Preconditions: 7124 7123 * 0 ≤ eval arg1 < m 7125 7124 * Postconditions: 7126 7125 * eval (from_montgomery out1) mod m = eval arg1 mod m 7127 7126 * 0 ≤ eval out1 < m 7128 7127 * 7129 - * Input Bounds: 7130 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 7131 - * Output Bounds: 7132 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 7133 7128 */ 7134 - static void fiat_p384_to_montgomery(uint32_t out1[12], const uint32_t arg1[12]) { 7129 + static void fiat_p384_to_montgomery(fiat_p384_montgomery_domain_field_element out1, const fiat_p384_non_montgomery_domain_field_element arg1) { 7135 7130 uint32_t x1; 7136 7131 uint32_t x2; 7137 7132 uint32_t x3; ··· 8924 8919 8925 8920 /* 8926 8921 * The function fiat_p384_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. 8922 + * 8927 8923 * Preconditions: 8928 8924 * 0 ≤ eval arg1 < m 8929 8925 * Postconditions: ··· 8942 8938 8943 8939 /* 8944 8940 * The function fiat_p384_selectznz is a multi-limb conditional select. 8941 + * 8945 8942 * Postconditions: 8946 8943 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) 8947 8944 * ··· 8993 8990 8994 8991 /* 8995 8992 * The function fiat_p384_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 8993 + * 8996 8994 * Preconditions: 8997 8995 * 0 ≤ eval arg1 < m 8998 8996 * Postconditions: ··· 9224 9222 9225 9223 /* 9226 9224 * The function fiat_p384_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 
9225 + * 9227 9226 * Preconditions: 9228 9227 * 0 ≤ bytes_eval arg1 < m 9229 9228 * Postconditions: ··· 9420 9419 9421 9420 /* 9422 9421 * The function fiat_p384_set_one returns the field element one in the Montgomery domain. 9422 + * 9423 9423 * Postconditions: 9424 9424 * eval (from_montgomery out1) mod m = 1 mod m 9425 9425 * 0 ≤ eval out1 < m 9426 9426 * 9427 - * Input Bounds: 9428 - * Output Bounds: 9429 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 9430 9427 */ 9431 - static void fiat_p384_set_one(uint32_t out1[12]) { 9428 + static void fiat_p384_set_one(fiat_p384_montgomery_domain_field_element out1) { 9432 9429 out1[0] = 0x1; 9433 9430 out1[1] = UINT32_C(0xffffffff); 9434 9431 out1[2] = UINT32_C(0xffffffff); ··· 9444 9441 } 9445 9442 9446 9443 /* 9447 - * The function fiat_p384_msat returns the saturated represtation of the prime modulus. 9444 + * The function fiat_p384_msat returns the saturated representation of the prime modulus. 9445 + * 9448 9446 * Postconditions: 9449 9447 * twos_complement_eval out1 = m 9450 9448 * 0 ≤ eval out1 < m 9451 9449 * 9452 - * Input Bounds: 9453 9450 * Output Bounds: 9454 9451 * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 9455 9452 */ ··· 9471 9468 9472 9469 /* 9473 9470 * The function fiat_p384_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 
9471 + * 9474 9472 * Postconditions: 9475 - * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) 9473 + * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋) 9476 9474 * 0 ≤ eval out1 < m 9477 9475 * 9478 - * Input Bounds: 9479 9476 * Output Bounds: 9480 9477 * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 9481 9478 */ ··· 9496 9493 9497 9494 /* 9498 9495 * The function fiat_p384_divstep computes a divstep. 9496 + * 9499 9497 * Preconditions: 9500 9498 * 0 ≤ eval arg4 < m 9501 9499 * 0 ≤ eval arg5 < m ··· 10141 10139 out5[10] = x333; 10142 10140 out5[11] = x334; 10143 10141 } 10144 -
+48 -54
ec/native/p384_64.h
··· 1 - /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier p384 64 '2^384 - 2^128 - 2^96 + 2^32 - 1' */ 1 + /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier --inline-internal p384 64 '2^384 - 2^128 - 2^96 + 2^32 - 1' */ 2 2 /* curve description: p384 */ 3 3 /* machine_wordsize = 64 (from "64") */ 4 4 /* requested operations: (all) */ ··· 12 12 /* return values. */ 13 13 /* */ 14 14 /* Computed values: */ 15 - /* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) */ 16 - /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ 15 + /* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) */ 16 + /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 
200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ 17 + /* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) in */ 18 + /* if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 */ 17 19 18 20 #include <stdint.h> 19 21 typedef unsigned char fiat_p384_uint1; 20 22 typedef signed char fiat_p384_int1; 21 23 #ifdef __GNUC__ 22 24 # define FIAT_P384_FIAT_EXTENSION __extension__ 25 + # define FIAT_P384_FIAT_INLINE __inline__ 23 26 #else 24 27 # define FIAT_P384_FIAT_EXTENSION 28 + # define FIAT_P384_FIAT_INLINE 25 29 #endif 26 30 27 31 FIAT_P384_FIAT_EXTENSION typedef signed __int128 fiat_p384_int128; 28 32 FIAT_P384_FIAT_EXTENSION typedef unsigned __int128 fiat_p384_uint128; 29 33 34 + /* The type fiat_p384_montgomery_domain_field_element is a field element in the Montgomery domain. */ 35 + /* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ 36 + typedef uint64_t fiat_p384_montgomery_domain_field_element[6]; 37 + 38 + /* The type fiat_p384_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. 
*/ 39 + /* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ 40 + typedef uint64_t fiat_p384_non_montgomery_domain_field_element[6]; 41 + 30 42 #if (-1 & 3) != 3 31 43 #error "This code only works on a two's complement system" 32 44 #endif ··· 43 55 44 56 /* 45 57 * The function fiat_p384_addcarryx_u64 is an addition with carry. 58 + * 46 59 * Postconditions: 47 60 * out1 = (arg1 + arg2 + arg3) mod 2^64 48 61 * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ ··· 55 68 * out1: [0x0 ~> 0xffffffffffffffff] 56 69 * out2: [0x0 ~> 0x1] 57 70 */ 58 - static void fiat_p384_addcarryx_u64(uint64_t* out1, fiat_p384_uint1* out2, fiat_p384_uint1 arg1, uint64_t arg2, uint64_t arg3) { 71 + static FIAT_P384_FIAT_INLINE void fiat_p384_addcarryx_u64(uint64_t* out1, fiat_p384_uint1* out2, fiat_p384_uint1 arg1, uint64_t arg2, uint64_t arg3) { 59 72 fiat_p384_uint128 x1; 60 73 uint64_t x2; 61 74 fiat_p384_uint1 x3; ··· 68 81 69 82 /* 70 83 * The function fiat_p384_subborrowx_u64 is a subtraction with borrow. 84 + * 71 85 * Postconditions: 72 86 * out1 = (-arg1 + arg2 + -arg3) mod 2^64 73 87 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ ··· 80 94 * out1: [0x0 ~> 0xffffffffffffffff] 81 95 * out2: [0x0 ~> 0x1] 82 96 */ 83 - static void fiat_p384_subborrowx_u64(uint64_t* out1, fiat_p384_uint1* out2, fiat_p384_uint1 arg1, uint64_t arg2, uint64_t arg3) { 97 + static FIAT_P384_FIAT_INLINE void fiat_p384_subborrowx_u64(uint64_t* out1, fiat_p384_uint1* out2, fiat_p384_uint1 arg1, uint64_t arg2, uint64_t arg3) { 84 98 fiat_p384_int128 x1; 85 99 fiat_p384_int1 x2; 86 100 uint64_t x3; ··· 93 107 94 108 /* 95 109 * The function fiat_p384_mulx_u64 is a multiplication, returning the full double-width result. 
110 + * 96 111 * Postconditions: 97 112 * out1 = (arg1 * arg2) mod 2^64 98 113 * out2 = ⌊arg1 * arg2 / 2^64⌋ ··· 104 119 * out1: [0x0 ~> 0xffffffffffffffff] 105 120 * out2: [0x0 ~> 0xffffffffffffffff] 106 121 */ 107 - static void fiat_p384_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { 122 + static FIAT_P384_FIAT_INLINE void fiat_p384_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { 108 123 fiat_p384_uint128 x1; 109 124 uint64_t x2; 110 125 uint64_t x3; ··· 117 132 118 133 /* 119 134 * The function fiat_p384_cmovznz_u64 is a single-word conditional move. 135 + * 120 136 * Postconditions: 121 137 * out1 = (if arg1 = 0 then arg2 else arg3) 122 138 * ··· 127 143 * Output Bounds: 128 144 * out1: [0x0 ~> 0xffffffffffffffff] 129 145 */ 130 - static void fiat_p384_cmovznz_u64(uint64_t* out1, fiat_p384_uint1 arg1, uint64_t arg2, uint64_t arg3) { 146 + static FIAT_P384_FIAT_INLINE void fiat_p384_cmovznz_u64(uint64_t* out1, fiat_p384_uint1 arg1, uint64_t arg2, uint64_t arg3) { 131 147 fiat_p384_uint1 x1; 132 148 uint64_t x2; 133 149 uint64_t x3; ··· 139 155 140 156 /* 141 157 * The function fiat_p384_mul multiplies two field elements in the Montgomery domain. 
158 + * 142 159 * Preconditions: 143 160 * 0 ≤ eval arg1 < m 144 161 * 0 ≤ eval arg2 < m ··· 146 163 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m 147 164 * 0 ≤ eval out1 < m 148 165 * 149 - * Input Bounds: 150 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 151 - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 152 - * Output Bounds: 153 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 154 166 */ 155 - static void fiat_p384_mul(uint64_t out1[6], const uint64_t arg1[6], const uint64_t arg2[6]) { 167 + static void fiat_p384_mul(fiat_p384_montgomery_domain_field_element out1, const fiat_p384_montgomery_domain_field_element arg1, const fiat_p384_montgomery_domain_field_element arg2) { 156 168 uint64_t x1; 157 169 uint64_t x2; 158 170 uint64_t x3; ··· 887 899 888 900 /* 889 901 * The function fiat_p384_square squares a field element in the Montgomery domain. 
902 + * 890 903 * Preconditions: 891 904 * 0 ≤ eval arg1 < m 892 905 * Postconditions: 893 906 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m 894 907 * 0 ≤ eval out1 < m 895 908 * 896 - * Input Bounds: 897 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 898 - * Output Bounds: 899 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 900 909 */ 901 - static void fiat_p384_square(uint64_t out1[6], const uint64_t arg1[6]) { 910 + static void fiat_p384_square(fiat_p384_montgomery_domain_field_element out1, const fiat_p384_montgomery_domain_field_element arg1) { 902 911 uint64_t x1; 903 912 uint64_t x2; 904 913 uint64_t x3; ··· 1633 1642 1634 1643 /* 1635 1644 * The function fiat_p384_add adds two field elements in the Montgomery domain. 
1645 + * 1636 1646 * Preconditions: 1637 1647 * 0 ≤ eval arg1 < m 1638 1648 * 0 ≤ eval arg2 < m ··· 1640 1650 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m 1641 1651 * 0 ≤ eval out1 < m 1642 1652 * 1643 - * Input Bounds: 1644 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1645 - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1646 - * Output Bounds: 1647 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1648 1653 */ 1649 - static void fiat_p384_add(uint64_t out1[6], const uint64_t arg1[6], const uint64_t arg2[6]) { 1654 + static void fiat_p384_add(fiat_p384_montgomery_domain_field_element out1, const fiat_p384_montgomery_domain_field_element arg1, const fiat_p384_montgomery_domain_field_element arg2) { 1650 1655 uint64_t x1; 1651 1656 fiat_p384_uint1 x2; 1652 1657 uint64_t x3; ··· 1708 1713 1709 1714 /* 1710 1715 * The function fiat_p384_sub subtracts two field elements in the Montgomery domain. 
1716 + * 1711 1717 * Preconditions: 1712 1718 * 0 ≤ eval arg1 < m 1713 1719 * 0 ≤ eval arg2 < m ··· 1715 1721 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m 1716 1722 * 0 ≤ eval out1 < m 1717 1723 * 1718 - * Input Bounds: 1719 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1720 - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1721 - * Output Bounds: 1722 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1723 1724 */ 1724 - static void fiat_p384_sub(uint64_t out1[6], const uint64_t arg1[6], const uint64_t arg2[6]) { 1725 + static void fiat_p384_sub(fiat_p384_montgomery_domain_field_element out1, const fiat_p384_montgomery_domain_field_element arg1, const fiat_p384_montgomery_domain_field_element arg2) { 1725 1726 uint64_t x1; 1726 1727 fiat_p384_uint1 x2; 1727 1728 uint64_t x3; ··· 1770 1771 1771 1772 /* 1772 1773 * The function fiat_p384_opp negates a field element in the Montgomery domain. 
1774 + * 1773 1775 * Preconditions: 1774 1776 * 0 ≤ eval arg1 < m 1775 1777 * Postconditions: 1776 1778 * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m 1777 1779 * 0 ≤ eval out1 < m 1778 1780 * 1779 - * Input Bounds: 1780 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1781 - * Output Bounds: 1782 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1783 1781 */ 1784 - static void fiat_p384_opp(uint64_t out1[6], const uint64_t arg1[6]) { 1782 + static void fiat_p384_opp(fiat_p384_montgomery_domain_field_element out1, const fiat_p384_montgomery_domain_field_element arg1) { 1785 1783 uint64_t x1; 1786 1784 fiat_p384_uint1 x2; 1787 1785 uint64_t x3; ··· 1830 1828 1831 1829 /* 1832 1830 * The function fiat_p384_from_montgomery translates a field element out of the Montgomery domain. 
1831 + * 1833 1832 * Preconditions: 1834 1833 * 0 ≤ eval arg1 < m 1835 1834 * Postconditions: 1836 1835 * eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^6) mod m 1837 1836 * 0 ≤ eval out1 < m 1838 1837 * 1839 - * Input Bounds: 1840 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1841 - * Output Bounds: 1842 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1843 1838 */ 1844 - static void fiat_p384_from_montgomery(uint64_t out1[6], const uint64_t arg1[6]) { 1839 + static void fiat_p384_from_montgomery(fiat_p384_non_montgomery_domain_field_element out1, const fiat_p384_montgomery_domain_field_element arg1) { 1845 1840 uint64_t x1; 1846 1841 uint64_t x2; 1847 1842 uint64_t x3; ··· 2319 2314 2320 2315 /* 2321 2316 * The function fiat_p384_to_montgomery translates a field element into the Montgomery domain. 
2317 + * 2322 2318 * Preconditions: 2323 2319 * 0 ≤ eval arg1 < m 2324 2320 * Postconditions: 2325 2321 * eval (from_montgomery out1) mod m = eval arg1 mod m 2326 2322 * 0 ≤ eval out1 < m 2327 2323 * 2328 - * Input Bounds: 2329 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 2330 - * Output Bounds: 2331 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 2332 2324 */ 2333 - static void fiat_p384_to_montgomery(uint64_t out1[6], const uint64_t arg1[6]) { 2325 + static void fiat_p384_to_montgomery(fiat_p384_montgomery_domain_field_element out1, const fiat_p384_non_montgomery_domain_field_element arg1) { 2334 2326 uint64_t x1; 2335 2327 uint64_t x2; 2336 2328 uint64_t x3; ··· 2962 2954 2963 2955 /* 2964 2956 * The function fiat_p384_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. 2957 + * 2965 2958 * Preconditions: 2966 2959 * 0 ≤ eval arg1 < m 2967 2960 * Postconditions: ··· 2980 2973 2981 2974 /* 2982 2975 * The function fiat_p384_selectznz is a multi-limb conditional select. 2976 + * 2983 2977 * Postconditions: 2984 2978 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) 2985 2979 * ··· 3013 3007 3014 3008 /* 3015 3009 * The function fiat_p384_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 3010 + * 3016 3011 * Preconditions: 3017 3012 * 0 ≤ eval arg1 < m 3018 3013 * Postconditions: ··· 3256 3251 3257 3252 /* 3258 3253 * The function fiat_p384_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 
3254 + * 3259 3255 * Preconditions: 3260 3256 * 0 ≤ bytes_eval arg1 < m 3261 3257 * Postconditions: ··· 3458 3454 3459 3455 /* 3460 3456 * The function fiat_p384_set_one returns the field element one in the Montgomery domain. 3457 + * 3461 3458 * Postconditions: 3462 3459 * eval (from_montgomery out1) mod m = 1 mod m 3463 3460 * 0 ≤ eval out1 < m 3464 3461 * 3465 - * Input Bounds: 3466 - * Output Bounds: 3467 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 3468 3462 */ 3469 - static void fiat_p384_set_one(uint64_t out1[6]) { 3463 + static void fiat_p384_set_one(fiat_p384_montgomery_domain_field_element out1) { 3470 3464 out1[0] = UINT64_C(0xffffffff00000001); 3471 3465 out1[1] = UINT32_C(0xffffffff); 3472 3466 out1[2] = 0x1; ··· 3476 3470 } 3477 3471 3478 3472 /* 3479 - * The function fiat_p384_msat returns the saturated represtation of the prime modulus. 3473 + * The function fiat_p384_msat returns the saturated representation of the prime modulus. 3474 + * 3480 3475 * Postconditions: 3481 3476 * twos_complement_eval out1 = m 3482 3477 * 0 ≤ eval out1 < m 3483 3478 * 3484 - * Input Bounds: 3485 3479 * Output Bounds: 3486 3480 * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 3487 3481 */ ··· 3497 3491 3498 3492 /* 3499 3493 * The function fiat_p384_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 
3494 + * 3500 3495 * Postconditions: 3501 - * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) 3496 + * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋) 3502 3497 * 0 ≤ eval out1 < m 3503 3498 * 3504 - * Input Bounds: 3505 3499 * Output Bounds: 3506 3500 * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 3507 3501 */ ··· 3516 3510 3517 3511 /* 3518 3512 * The function fiat_p384_divstep computes a divstep. 3513 + * 3519 3514 * Preconditions: 3520 3515 * 0 ≤ eval arg4 < m 3521 3516 * 0 ≤ eval arg5 < m ··· 3873 3868 out5[4] = x177; 3874 3869 out5[5] = x178; 3875 3870 } 3876 -
+51 -54
ec/native/p521_32.h
··· 1 - /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier p521 32 '2^521 - 1' */ 1 + /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier --inline-internal p521 32 '2^521 - 1' */ 2 2 /* curve description: p521 */ 3 3 /* machine_wordsize = 32 (from "32") */ 4 4 /* requested operations: (all) */ ··· 12 12 /* return values. */ 13 13 /* */ 14 14 /* Computed values: */ 15 - /* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) + (z[12] << 0x180) + (z[13] << 0x1a0) + (z[14] << 0x1c0) + (z[15] << 0x1e0) + (z[16] << 2^9) */ 16 - /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) */ 15 + /* eval z = z[0] + (z[1] << 32) + 
(z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) + (z[12] << 0x180) + (z[13] << 0x1a0) + (z[14] << 0x1c0) + (z[15] << 0x1e0) + (z[16] << 2^9) */ 16 + /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) */ 17 + /* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) + (z[12] << 0x180) + (z[13] << 0x1a0) + (z[14] << 0x1c0) + (z[15] << 0x1e0) + (z[16] << 2^9) in */ 18 + /* if x1 & (2^544-1) < 2^543 then x1 & (2^544-1) else (x1 & (2^544-1)) - 2^544 */ 17 19 18 20 #include <stdint.h> 19 21 typedef unsigned char fiat_p521_uint1; 20 22 typedef signed char fiat_p521_int1; 23 + #ifdef __GNUC__ 24 + # 
define FIAT_P521_FIAT_INLINE __inline__ 25 + #else 26 + # define FIAT_P521_FIAT_INLINE 27 + #endif 28 + 29 + /* The type fiat_p521_montgomery_domain_field_element is a field element in the Montgomery domain. */ 30 + /* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ 31 + typedef uint32_t fiat_p521_montgomery_domain_field_element[17]; 32 + 33 + /* The type fiat_p521_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */ 34 + /* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ 35 + typedef uint32_t fiat_p521_non_montgomery_domain_field_element[17]; 21 36 22 37 #if (-1 & 3) != 3 23 38 #error "This code only works on a two's complement system" ··· 35 50 36 51 /* 37 52 * The function fiat_p521_addcarryx_u32 is an addition with carry. 
53 + * 38 54 * Postconditions: 39 55 * out1 = (arg1 + arg2 + arg3) mod 2^32 40 56 * out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ ··· 47 63 * out1: [0x0 ~> 0xffffffff] 48 64 * out2: [0x0 ~> 0x1] 49 65 */ 50 - static void fiat_p521_addcarryx_u32(uint32_t* out1, fiat_p521_uint1* out2, fiat_p521_uint1 arg1, uint32_t arg2, uint32_t arg3) { 66 + static FIAT_P521_FIAT_INLINE void fiat_p521_addcarryx_u32(uint32_t* out1, fiat_p521_uint1* out2, fiat_p521_uint1 arg1, uint32_t arg2, uint32_t arg3) { 51 67 uint64_t x1; 52 68 uint32_t x2; 53 69 fiat_p521_uint1 x3; ··· 60 76 61 77 /* 62 78 * The function fiat_p521_subborrowx_u32 is a subtraction with borrow. 79 + * 63 80 * Postconditions: 64 81 * out1 = (-arg1 + arg2 + -arg3) mod 2^32 65 82 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ ··· 72 89 * out1: [0x0 ~> 0xffffffff] 73 90 * out2: [0x0 ~> 0x1] 74 91 */ 75 - static void fiat_p521_subborrowx_u32(uint32_t* out1, fiat_p521_uint1* out2, fiat_p521_uint1 arg1, uint32_t arg2, uint32_t arg3) { 92 + static FIAT_P521_FIAT_INLINE void fiat_p521_subborrowx_u32(uint32_t* out1, fiat_p521_uint1* out2, fiat_p521_uint1 arg1, uint32_t arg2, uint32_t arg3) { 76 93 int64_t x1; 77 94 fiat_p521_int1 x2; 78 95 uint32_t x3; ··· 85 102 86 103 /* 87 104 * The function fiat_p521_mulx_u32 is a multiplication, returning the full double-width result. 105 + * 88 106 * Postconditions: 89 107 * out1 = (arg1 * arg2) mod 2^32 90 108 * out2 = ⌊arg1 * arg2 / 2^32⌋ ··· 96 114 * out1: [0x0 ~> 0xffffffff] 97 115 * out2: [0x0 ~> 0xffffffff] 98 116 */ 99 - static void fiat_p521_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) { 117 + static FIAT_P521_FIAT_INLINE void fiat_p521_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) { 100 118 uint64_t x1; 101 119 uint32_t x2; 102 120 uint32_t x3; ··· 109 127 110 128 /* 111 129 * The function fiat_p521_cmovznz_u32 is a single-word conditional move. 
130 + * 112 131 * Postconditions: 113 132 * out1 = (if arg1 = 0 then arg2 else arg3) 114 133 * ··· 119 138 * Output Bounds: 120 139 * out1: [0x0 ~> 0xffffffff] 121 140 */ 122 - static void fiat_p521_cmovznz_u32(uint32_t* out1, fiat_p521_uint1 arg1, uint32_t arg2, uint32_t arg3) { 141 + static FIAT_P521_FIAT_INLINE void fiat_p521_cmovznz_u32(uint32_t* out1, fiat_p521_uint1 arg1, uint32_t arg2, uint32_t arg3) { 123 142 fiat_p521_uint1 x1; 124 143 uint32_t x2; 125 144 uint32_t x3; ··· 131 150 132 151 /* 133 152 * The function fiat_p521_mul multiplies two field elements in the Montgomery domain. 153 + * 134 154 * Preconditions: 135 155 * 0 ≤ eval arg1 < m 136 156 * 0 ≤ eval arg2 < m ··· 138 158 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m 139 159 * 0 ≤ eval out1 < m 140 160 * 141 - * Input Bounds: 142 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 143 - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 144 - * Output Bounds: 145 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 
0xffffffff]] 146 161 */ 147 - static void fiat_p521_mul(uint32_t out1[17], const uint32_t arg1[17], const uint32_t arg2[17]) { 162 + static void fiat_p521_mul(fiat_p521_montgomery_domain_field_element out1, const fiat_p521_montgomery_domain_field_element arg1, const fiat_p521_montgomery_domain_field_element arg2) { 148 163 uint32_t x1; 149 164 uint32_t x2; 150 165 uint32_t x3; ··· 5536 5551 5537 5552 /* 5538 5553 * The function fiat_p521_square squares a field element in the Montgomery domain. 5554 + * 5539 5555 * Preconditions: 5540 5556 * 0 ≤ eval arg1 < m 5541 5557 * Postconditions: 5542 5558 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m 5543 5559 * 0 ≤ eval out1 < m 5544 5560 * 5545 - * Input Bounds: 5546 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 5547 - * Output Bounds: 5548 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 5549 5561 */ 5550 - static void fiat_p521_square(uint32_t out1[17], const uint32_t arg1[17]) { 5562 + static void fiat_p521_square(fiat_p521_montgomery_domain_field_element out1, const fiat_p521_montgomery_domain_field_element arg1) { 5551 5563 uint32_t x1; 5552 5564 uint32_t x2; 5553 5565 uint32_t x3; ··· 10939 10951 10940 10952 /* 10941 10953 * The function fiat_p521_add adds two field elements in the Montgomery domain. 
10954 + * 10942 10955 * Preconditions: 10943 10956 * 0 ≤ eval arg1 < m 10944 10957 * 0 ≤ eval arg2 < m ··· 10946 10959 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m 10947 10960 * 0 ≤ eval out1 < m 10948 10961 * 10949 - * Input Bounds: 10950 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 10951 - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 10952 - * Output Bounds: 10953 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 10954 10962 */ 10955 - static void fiat_p521_add(uint32_t out1[17], const uint32_t arg1[17], const uint32_t arg2[17]) { 10963 + static void fiat_p521_add(fiat_p521_montgomery_domain_field_element out1, const fiat_p521_montgomery_domain_field_element arg1, const fiat_p521_montgomery_domain_field_element arg2) { 10956 10964 uint32_t x1; 10957 10965 fiat_p521_uint1 x2; 10958 10966 uint32_t x3; ··· 11113 11121 11114 11122 /* 11115 11123 * The function fiat_p521_sub subtracts two field elements in the Montgomery domain. 
11124 + * 11116 11125 * Preconditions: 11117 11126 * 0 ≤ eval arg1 < m 11118 11127 * 0 ≤ eval arg2 < m ··· 11120 11129 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m 11121 11130 * 0 ≤ eval out1 < m 11122 11131 * 11123 - * Input Bounds: 11124 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 11125 - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 11126 - * Output Bounds: 11127 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 11128 11132 */ 11129 - static void fiat_p521_sub(uint32_t out1[17], const uint32_t arg1[17], const uint32_t arg2[17]) { 11133 + static void fiat_p521_sub(fiat_p521_montgomery_domain_field_element out1, const fiat_p521_montgomery_domain_field_element arg1, const fiat_p521_montgomery_domain_field_element arg2) { 11130 11134 uint32_t x1; 11131 11135 fiat_p521_uint1 x2; 11132 11136 uint32_t x3; ··· 11252 11256 11253 11257 /* 11254 11258 * The function fiat_p521_opp negates a field element in the Montgomery domain. 
11259 + * 11255 11260 * Preconditions: 11256 11261 * 0 ≤ eval arg1 < m 11257 11262 * Postconditions: 11258 11263 * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m 11259 11264 * 0 ≤ eval out1 < m 11260 11265 * 11261 - * Input Bounds: 11262 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 11263 - * Output Bounds: 11264 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 11265 11266 */ 11266 - static void fiat_p521_opp(uint32_t out1[17], const uint32_t arg1[17]) { 11267 + static void fiat_p521_opp(fiat_p521_montgomery_domain_field_element out1, const fiat_p521_montgomery_domain_field_element arg1) { 11267 11268 uint32_t x1; 11268 11269 fiat_p521_uint1 x2; 11269 11270 uint32_t x3; ··· 11389 11390 11390 11391 /* 11391 11392 * The function fiat_p521_from_montgomery translates a field element out of the Montgomery domain. 
11393 + * 11392 11394 * Preconditions: 11393 11395 * 0 ≤ eval arg1 < m 11394 11396 * Postconditions: 11395 11397 * eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^17) mod m 11396 11398 * 0 ≤ eval out1 < m 11397 11399 * 11398 - * Input Bounds: 11399 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 11400 - * Output Bounds: 11401 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 11402 11400 */ 11403 - static void fiat_p521_from_montgomery(uint32_t out1[17], const uint32_t arg1[17]) { 11401 + static void fiat_p521_from_montgomery(fiat_p521_non_montgomery_domain_field_element out1, const fiat_p521_montgomery_domain_field_element arg1) { 11404 11402 uint32_t x1; 11405 11403 uint32_t x2; 11406 11404 uint32_t x3; ··· 14832 14830 14833 14831 /* 14834 14832 * The function fiat_p521_to_montgomery translates a field element into the Montgomery domain. 
14833 + * 14835 14834 * Preconditions: 14836 14835 * 0 ≤ eval arg1 < m 14837 14836 * Postconditions: 14838 14837 * eval (from_montgomery out1) mod m = eval arg1 mod m 14839 14838 * 0 ≤ eval out1 < m 14840 14839 * 14841 - * Input Bounds: 14842 - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 14843 - * Output Bounds: 14844 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 14845 14840 */ 14846 - static void fiat_p521_to_montgomery(uint32_t out1[17], const uint32_t arg1[17]) { 14841 + static void fiat_p521_to_montgomery(fiat_p521_montgomery_domain_field_element out1, const fiat_p521_non_montgomery_domain_field_element arg1) { 14847 14842 uint32_t x1; 14848 14843 uint32_t x2; 14849 14844 uint32_t x3; ··· 18084 18079 18085 18080 /* 18086 18081 * The function fiat_p521_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. 18082 + * 18087 18083 * Preconditions: 18088 18084 * 0 ≤ eval arg1 < m 18089 18085 * Postconditions: ··· 18102 18098 18103 18099 /* 18104 18100 * The function fiat_p521_selectznz is a multi-limb conditional select. 18101 + * 18105 18102 * Postconditions: 18106 18103 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) 18107 18104 * ··· 18168 18165 18169 18166 /* 18170 18167 * The function fiat_p521_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 
18168 + * 18171 18169 * Preconditions: 18172 18170 * 0 ≤ eval arg1 < m 18173 18171 * Postconditions: ··· 18479 18477 18480 18478 /* 18481 18479 * The function fiat_p521_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 18480 + * 18482 18481 * Preconditions: 18483 18482 * 0 ≤ bytes_eval arg1 < m 18484 18483 * Postconditions: ··· 18742 18741 18743 18742 /* 18744 18743 * The function fiat_p521_set_one returns the field element one in the Montgomery domain. 18744 + * 18745 18745 * Postconditions: 18746 18746 * eval (from_montgomery out1) mod m = 1 mod m 18747 18747 * 0 ≤ eval out1 < m 18748 18748 * 18749 - * Input Bounds: 18750 - * Output Bounds: 18751 - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 18752 18749 */ 18753 - static void fiat_p521_set_one(uint32_t out1[17]) { 18750 + static void fiat_p521_set_one(fiat_p521_montgomery_domain_field_element out1) { 18754 18751 out1[0] = UINT32_C(0x800000); 18755 18752 out1[1] = 0x0; 18756 18753 out1[2] = 0x0; ··· 18771 18768 } 18772 18769 18773 18770 /* 18774 - * The function fiat_p521_msat returns the saturated represtation of the prime modulus. 18771 + * The function fiat_p521_msat returns the saturated representation of the prime modulus. 
18772 + * 18775 18773 * Postconditions: 18776 18774 * twos_complement_eval out1 = m 18777 18775 * 0 ≤ eval out1 < m 18778 18776 * 18779 - * Input Bounds: 18780 18777 * Output Bounds: 18781 18778 * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 18782 18779 */ ··· 18803 18800 18804 18801 /* 18805 18802 * The function fiat_p521_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 18803 + * 18806 18804 * Postconditions: 18807 - * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) 18805 + * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋) 18808 18806 * 0 ≤ eval out1 < m 18809 18807 * 18810 - * Input Bounds: 18811 18808 * Output Bounds: 18812 18809 * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 18813 18810 */ ··· 18833 18830 18834 18831 /* 18835 18832 * The function fiat_p521_divstep computes a divstep. 18833 + * 18836 18834 * Preconditions: 18837 18835 * 0 ≤ eval arg4 < m 18838 18836 * 0 ≤ eval arg5 < m ··· 19718 19716 out5[15] = x463; 19719 19717 out5[16] = x464; 19720 19718 } 19721 -
+48 -54
ec/native/p521_64.h
··· 1 - /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier p521 64 '2^521 - 1' */ 1 + /* Autogenerated: '../fiat-crypto/src/ExtractionOCaml/word_by_word_montgomery' --static --use-value-barrier --inline-internal p521 64 '2^521 - 1' */ 2 2 /* curve description: p521 */ 3 3 /* machine_wordsize = 64 (from "64") */ 4 4 /* requested operations: (all) */ ··· 12 12 /* return values. */ 13 13 /* */ 14 14 /* Computed values: */ 15 - /* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) + (z[7] << 0x1c0) + (z[8] << 2^9) */ 16 - /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) */ 15 + /* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) + (z[7] << 0x1c0) + (z[8] << 2^9) */ 16 + /* bytes_eval z = 
z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) */ 17 + /* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) + (z[7] << 0x1c0) + (z[8] << 2^9) in */ 18 + /* if x1 & (2^576-1) < 2^575 then x1 & (2^576-1) else (x1 & (2^576-1)) - 2^576 */ 17 19 18 20 #include <stdint.h> 19 21 typedef unsigned char fiat_p521_uint1; 20 22 typedef signed char fiat_p521_int1; 21 23 #ifdef __GNUC__ 22 24 # define FIAT_P521_FIAT_EXTENSION __extension__ 25 + # define FIAT_P521_FIAT_INLINE __inline__ 23 26 #else 24 27 # define FIAT_P521_FIAT_EXTENSION 28 + # define FIAT_P521_FIAT_INLINE 25 29 #endif 26 30 27 31 FIAT_P521_FIAT_EXTENSION typedef signed __int128 fiat_p521_int128; 28 32 FIAT_P521_FIAT_EXTENSION typedef unsigned __int128 fiat_p521_uint128; 29 33 34 + /* The type fiat_p521_montgomery_domain_field_element is a 
field element in the Montgomery domain. */ 35 + /* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ 36 + typedef uint64_t fiat_p521_montgomery_domain_field_element[9]; 37 + 38 + /* The type fiat_p521_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */ 39 + /* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ 40 + typedef uint64_t fiat_p521_non_montgomery_domain_field_element[9]; 41 + 30 42 #if (-1 & 3) != 3 31 43 #error "This code only works on a two's complement system" 32 44 #endif ··· 43 55 44 56 /* 45 57 * The function fiat_p521_addcarryx_u64 is an addition with carry. 58 + * 46 59 * Postconditions: 47 60 * out1 = (arg1 + arg2 + arg3) mod 2^64 48 61 * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ ··· 55 68 * out1: [0x0 ~> 0xffffffffffffffff] 56 69 * out2: [0x0 ~> 0x1] 57 70 */ 58 - static void fiat_p521_addcarryx_u64(uint64_t* out1, fiat_p521_uint1* out2, fiat_p521_uint1 arg1, uint64_t arg2, uint64_t arg3) { 71 + static FIAT_P521_FIAT_INLINE void fiat_p521_addcarryx_u64(uint64_t* out1, fiat_p521_uint1* out2, fiat_p521_uint1 arg1, uint64_t arg2, uint64_t arg3) { 59 72 fiat_p521_uint128 x1; 60 73 uint64_t x2; 61 74 fiat_p521_uint1 x3; ··· 68 81 69 82 /* 70 83 * The function fiat_p521_subborrowx_u64 is a subtraction with borrow. 
84 + * 71 85 * Postconditions: 72 86 * out1 = (-arg1 + arg2 + -arg3) mod 2^64 73 87 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ ··· 80 94 * out1: [0x0 ~> 0xffffffffffffffff] 81 95 * out2: [0x0 ~> 0x1] 82 96 */ 83 - static void fiat_p521_subborrowx_u64(uint64_t* out1, fiat_p521_uint1* out2, fiat_p521_uint1 arg1, uint64_t arg2, uint64_t arg3) { 97 + static FIAT_P521_FIAT_INLINE void fiat_p521_subborrowx_u64(uint64_t* out1, fiat_p521_uint1* out2, fiat_p521_uint1 arg1, uint64_t arg2, uint64_t arg3) { 84 98 fiat_p521_int128 x1; 85 99 fiat_p521_int1 x2; 86 100 uint64_t x3; ··· 93 107 94 108 /* 95 109 * The function fiat_p521_mulx_u64 is a multiplication, returning the full double-width result. 110 + * 96 111 * Postconditions: 97 112 * out1 = (arg1 * arg2) mod 2^64 98 113 * out2 = ⌊arg1 * arg2 / 2^64⌋ ··· 104 119 * out1: [0x0 ~> 0xffffffffffffffff] 105 120 * out2: [0x0 ~> 0xffffffffffffffff] 106 121 */ 107 - static void fiat_p521_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { 122 + static FIAT_P521_FIAT_INLINE void fiat_p521_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { 108 123 fiat_p521_uint128 x1; 109 124 uint64_t x2; 110 125 uint64_t x3; ··· 117 132 118 133 /* 119 134 * The function fiat_p521_cmovznz_u64 is a single-word conditional move. 135 + * 120 136 * Postconditions: 121 137 * out1 = (if arg1 = 0 then arg2 else arg3) 122 138 * ··· 127 143 * Output Bounds: 128 144 * out1: [0x0 ~> 0xffffffffffffffff] 129 145 */ 130 - static void fiat_p521_cmovznz_u64(uint64_t* out1, fiat_p521_uint1 arg1, uint64_t arg2, uint64_t arg3) { 146 + static FIAT_P521_FIAT_INLINE void fiat_p521_cmovznz_u64(uint64_t* out1, fiat_p521_uint1 arg1, uint64_t arg2, uint64_t arg3) { 131 147 fiat_p521_uint1 x1; 132 148 uint64_t x2; 133 149 uint64_t x3; ··· 139 155 140 156 /* 141 157 * The function fiat_p521_mul multiplies two field elements in the Montgomery domain. 
158 + * 142 159 * Preconditions: 143 160 * 0 ≤ eval arg1 < m 144 161 * 0 ≤ eval arg2 < m ··· 146 163 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m 147 164 * 0 ≤ eval out1 < m 148 165 * 149 - * Input Bounds: 150 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 151 - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 152 - * Output Bounds: 153 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 154 166 */ 155 - static void fiat_p521_mul(uint64_t out1[9], const uint64_t arg1[9], const uint64_t arg2[9]) { 167 + static void fiat_p521_mul(fiat_p521_montgomery_domain_field_element out1, const fiat_p521_montgomery_domain_field_element arg1, const fiat_p521_montgomery_domain_field_element arg2) { 156 168 uint64_t x1; 157 169 uint64_t x2; 158 170 uint64_t x3; ··· 1712 1724 1713 1725 /* 1714 1726 * The function fiat_p521_square squares a field element in the Montgomery domain. 
1727 + * 1715 1728 * Preconditions: 1716 1729 * 0 ≤ eval arg1 < m 1717 1730 * Postconditions: 1718 1731 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m 1719 1732 * 0 ≤ eval out1 < m 1720 1733 * 1721 - * Input Bounds: 1722 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1723 - * Output Bounds: 1724 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1725 1734 */ 1726 - static void fiat_p521_square(uint64_t out1[9], const uint64_t arg1[9]) { 1735 + static void fiat_p521_square(fiat_p521_montgomery_domain_field_element out1, const fiat_p521_montgomery_domain_field_element arg1) { 1727 1736 uint64_t x1; 1728 1737 uint64_t x2; 1729 1738 uint64_t x3; ··· 3283 3292 3284 3293 /* 3285 3294 * The function fiat_p521_add adds two field elements in the Montgomery domain. 
3295 + * 3286 3296 * Preconditions: 3287 3297 * 0 ≤ eval arg1 < m 3288 3298 * 0 ≤ eval arg2 < m ··· 3290 3300 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m 3291 3301 * 0 ≤ eval out1 < m 3292 3302 * 3293 - * Input Bounds: 3294 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 3295 - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 3296 - * Output Bounds: 3297 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 3298 3303 */ 3299 - static void fiat_p521_add(uint64_t out1[9], const uint64_t arg1[9], const uint64_t arg2[9]) { 3304 + static void fiat_p521_add(fiat_p521_montgomery_domain_field_element out1, const fiat_p521_montgomery_domain_field_element arg1, const fiat_p521_montgomery_domain_field_element arg2) { 3300 3305 uint64_t x1; 3301 3306 fiat_p521_uint1 x2; 3302 3307 uint64_t x3; ··· 3385 3390 3386 3391 /* 3387 3392 * The function fiat_p521_sub subtracts two field elements in the Montgomery domain. 
3393 + * 3388 3394 * Preconditions: 3389 3395 * 0 ≤ eval arg1 < m 3390 3396 * 0 ≤ eval arg2 < m ··· 3392 3398 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m 3393 3399 * 0 ≤ eval out1 < m 3394 3400 * 3395 - * Input Bounds: 3396 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 3397 - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 3398 - * Output Bounds: 3399 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 3400 3401 */ 3401 - static void fiat_p521_sub(uint64_t out1[9], const uint64_t arg1[9], const uint64_t arg2[9]) { 3402 + static void fiat_p521_sub(fiat_p521_montgomery_domain_field_element out1, const fiat_p521_montgomery_domain_field_element arg1, const fiat_p521_montgomery_domain_field_element arg2) { 3402 3403 uint64_t x1; 3403 3404 fiat_p521_uint1 x2; 3404 3405 uint64_t x3; ··· 3468 3469 3469 3470 /* 3470 3471 * The function fiat_p521_opp negates a field element in the Montgomery domain. 
3472 + * 3471 3473 * Preconditions: 3472 3474 * 0 ≤ eval arg1 < m 3473 3475 * Postconditions: 3474 3476 * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m 3475 3477 * 0 ≤ eval out1 < m 3476 3478 * 3477 - * Input Bounds: 3478 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 3479 - * Output Bounds: 3480 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 3481 3479 */ 3482 - static void fiat_p521_opp(uint64_t out1[9], const uint64_t arg1[9]) { 3480 + static void fiat_p521_opp(fiat_p521_montgomery_domain_field_element out1, const fiat_p521_montgomery_domain_field_element arg1) { 3483 3481 uint64_t x1; 3484 3482 fiat_p521_uint1 x2; 3485 3483 uint64_t x3; ··· 3549 3547 3550 3548 /* 3551 3549 * The function fiat_p521_from_montgomery translates a field element out of the Montgomery domain. 
3550 + * 3552 3551 * Preconditions: 3553 3552 * 0 ≤ eval arg1 < m 3554 3553 * Postconditions: 3555 3554 * eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^9) mod m 3556 3555 * 0 ≤ eval out1 < m 3557 3556 * 3558 - * Input Bounds: 3559 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 3560 - * Output Bounds: 3561 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 3562 3557 */ 3563 - static void fiat_p521_from_montgomery(uint64_t out1[9], const uint64_t arg1[9]) { 3558 + static void fiat_p521_from_montgomery(fiat_p521_non_montgomery_domain_field_element out1, const fiat_p521_montgomery_domain_field_element arg1) { 3564 3559 uint64_t x1; 3565 3560 uint64_t x2; 3566 3561 uint64_t x3; ··· 4520 4515 4521 4516 /* 4522 4517 * The function fiat_p521_to_montgomery translates a field element into the Montgomery domain. 
4518 + * 4523 4519 * Preconditions: 4524 4520 * 0 ≤ eval arg1 < m 4525 4521 * Postconditions: 4526 4522 * eval (from_montgomery out1) mod m = eval arg1 mod m 4527 4523 * 0 ≤ eval out1 < m 4528 4524 * 4529 - * Input Bounds: 4530 - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 4531 - * Output Bounds: 4532 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 4533 4525 */ 4534 - static void fiat_p521_to_montgomery(uint64_t out1[9], const uint64_t arg1[9]) { 4526 + static void fiat_p521_to_montgomery(fiat_p521_montgomery_domain_field_element out1, const fiat_p521_non_montgomery_domain_field_element arg1) { 4535 4527 uint64_t x1; 4536 4528 uint64_t x2; 4537 4529 uint64_t x3; ··· 5396 5388 5397 5389 /* 5398 5390 * The function fiat_p521_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. 5391 + * 5399 5392 * Preconditions: 5400 5393 * 0 ≤ eval arg1 < m 5401 5394 * Postconditions: ··· 5414 5407 5415 5408 /* 5416 5409 * The function fiat_p521_selectznz is a multi-limb conditional select. 5410 + * 5417 5411 * Postconditions: 5418 5412 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) 5419 5413 * ··· 5456 5450 5457 5451 /* 5458 5452 * The function fiat_p521_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 
5453 + * 5459 5454 * Preconditions: 5460 5455 * 0 ≤ eval arg1 < m 5461 5456 * Postconditions: ··· 5783 5778 5784 5779 /* 5785 5780 * The function fiat_p521_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 5781 + * 5786 5782 * Preconditions: 5787 5783 * 0 ≤ bytes_eval arg1 < m 5788 5784 * Postconditions: ··· 6054 6050 6055 6051 /* 6056 6052 * The function fiat_p521_set_one returns the field element one in the Montgomery domain. 6053 + * 6057 6054 * Postconditions: 6058 6055 * eval (from_montgomery out1) mod m = 1 mod m 6059 6056 * 0 ≤ eval out1 < m 6060 6057 * 6061 - * Input Bounds: 6062 - * Output Bounds: 6063 - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 6064 6058 */ 6065 - static void fiat_p521_set_one(uint64_t out1[9]) { 6059 + static void fiat_p521_set_one(fiat_p521_montgomery_domain_field_element out1) { 6066 6060 out1[0] = UINT64_C(0x80000000000000); 6067 6061 out1[1] = 0x0; 6068 6062 out1[2] = 0x0; ··· 6075 6069 } 6076 6070 6077 6071 /* 6078 - * The function fiat_p521_msat returns the saturated represtation of the prime modulus. 6072 + * The function fiat_p521_msat returns the saturated representation of the prime modulus. 
6073 + * 6079 6074 * Postconditions: 6080 6075 * twos_complement_eval out1 = m 6081 6076 * 0 ≤ eval out1 < m 6082 6077 * 6083 - * Input Bounds: 6084 6078 * Output Bounds: 6085 6079 * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 6086 6080 */ ··· 6099 6093 6100 6094 /* 6101 6095 * The function fiat_p521_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 6096 + * 6102 6097 * Postconditions: 6103 - * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) 6098 + * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋) 6104 6099 * 0 ≤ eval out1 < m 6105 6100 * 6106 - * Input Bounds: 6107 6101 * Output Bounds: 6108 6102 * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 6109 6103 */ ··· 6121 6115 6122 6116 /* 6123 6117 * The function fiat_p521_divstep computes a divstep. 6118 + * 6124 6119 * Preconditions: 6125 6120 * 0 ≤ eval arg4 < m 6126 6121 * 0 ≤ eval arg5 < m ··· 6622 6617 out5[7] = x255; 6623 6618 out5[8] = x256; 6624 6619 } 6625 -