Lines Matching defs:mod
81 * out: z = (x + y) mod 2^256
105 * out: z = (x - y) mod 2^256
342 * out: z_out = z_in + x * y mod 2^288
441 * x * 2^256 mod m
462 * R2 = 2^512 mod m
463 * ni = -m^-1 mod 2^32
480 { /* 2^512 mod p */
484 0x00000001, /* -p^-1 mod 2^32 */
495 { /* 2^512 mod n */
499 0xee00bc4f, /* -n^-1 mod 2^32 */
506 * mod must point to a valid m256_mod structure
507 * out: z = (x + y) mod m, in [0, m)
513 const m256_mod *mod)
517 uint32_t carry_sub = u256_sub(r, z, mod->m);
526 * Modular addition mod p
529 * out: z = (x + y) mod p, in [0, p)
543 * mod must point to a valid m256_mod structure
544 * out: z = (x - y) mod m, in [0, m)
550 const m256_mod *mod)
554 (void) u256_add(r, z, mod->m);
562 * Modular subtraction mod p
565 * out: z = (x + y) mod p, in [0, p)
579 * mod must point to a valid m256_mod structure
580 * out: z = (x * y) / 2^256 mod m, in [0, m)
586 const m256_mod *mod)
592 uint32_t m_prime = mod->ni;
600 /* the "mod 2^32" is implicit from the type */
605 c += u288_muladd(a, u, mod->m);
611 uint32_t carry_sub = u256_sub(z, a, mod->m);
620 * out: z = (x * y) / 2^256 mod p, in [0, p)
634 * mod must point to a valid m256_mod structure
635 * out: z_out = z_in * 2^256 mod m, in [0, m)
637 static void m256_prep(uint32_t z[8], const m256_mod *mod)
639 m256_mul(z, z, mod->R2, mod);
646 * mod must point to a valid m256_mod structure
647 * out: z_out = z_in / 2^256 mod m, in [0, m)
648 * That is, z_in was z_actual * 2^256 mod m, and z_out is z_actual
650 static void m256_done(uint32_t z[8], const m256_mod *mod)
654 m256_mul(z, z, one, mod);
661 * mod must point to a valid m256_mod structure
662 * out: z = x * 2^256 mod m, in [0, m)
665 static void m256_set32(uint32_t z[8], uint32_t x, const m256_mod *mod)
668 m256_prep(z, mod);
675 * mod must point to a valid m256_mod structure
676 * such that mod->m % 2^32 >= 2, assumed to be public.
677 * out: z = x^-1 * 2^512 mod m if x != 0,
679 * That is, if x = x_actual * 2^256 mod m, then
680 * z = x_actual^-1 * 2^256 mod m
685 const m256_mod *mod)
699 m256_set32(z, 1, mod);
702 uint32_t limb = mod->m[i] - 2;
706 m256_mul(z, z, bitval, mod);
708 m256_mul(bitval, bitval, bitval, mod);
716 limb = mod->m[i];
724 * mod must point to a valid m256_mod structure
725 * out: z = (p0 * 2^248 + ... + p31) * 2^256 mod m, in [0, m)
730 const uint8_t p[32], const m256_mod *mod)
735 uint32_t lt_m = u256_sub(t, z, mod->m);
739 m256_prep(z, mod);
747 * mod must point to a valid m256_mod structure
749 * z = (p0 * 2^248 + ... + p31) * 2^256 mod m
752 const uint32_t z[8], const m256_mod *mod)
756 m256_done(zi, mod);
798 static const uint32_t p256_b[8] = { /* b * 2^256 mod p */
807 static const uint32_t p256_gx[8] = { /* G_x * 2^256 mod p */
811 static const uint32_t p256_gy[8] = { /* G_y * 2^256 mod p */
1081 /* Compute py_neg = - py mod p (that's the y coordinate of -P) */
1274 * Reduction mod n of a small number
1277 * out: x_out = x_in mod n in [0, n)
1287 * Import integer mod n (Montgomery domain) from hash
1291 * out: z = (h0 * 2^l-8 + ... + h_l) * 2^256 mod n
1351 /* 3. Reduce xr mod n (extra: output it while at it) */
1352 ecdsa_m256_mod_n(xr); /* xr = int(xr) mod n */
1425 m256_inv(s, s, &p256_n); /* s = s^-1 mod n */
1426 m256_mul(u1, e, s, &p256_n); /* u1 = e * s^-1 mod n */
1431 m256_mul(u2, u2, s, &p256_n); /* u2 = r * s^-1 mod n */
1458 /* 7. Reduce xR mod n */
1461 /* 8. Compare xR mod n to r */