xref: /third_party/openssl/crypto/ec/ecp_nistp521.c

122  * Each of the nine values is called a 'limb'. Since the limbs are spaced only
124  * bits of each limb overlap with the least significant bits of the next.
131 typedef uint64_t limb;
132 typedef limb limb_aX __attribute((__aligned__(1)));
133 typedef limb felem[NLIMBS];
136 static const limb bottom57bits = 0x1ffffffffffffff;
137 static const limb bottom58bits = 0x3ffffffffffffff;
145     out[0] = (*((limb *) & in[0])) & bottom58bits;
163     (*((limb *) & out[0])) = in[0];
247 static void felem_scalar(felem out, const felem in, limb scalar)
261 static void felem_scalar64(felem out, limb scalar)
275 static void felem_scalar128(largefelem out, limb scalar)
298     static const limb two62m3 = (((limb) 1) << 62) - (((limb) 1) << 5);
299     static const limb two62m2 = (((limb) 1) << 62) - (((limb) 1) << 4);
324     static const limb two62m3 = (((limb) 1) << 62) - (((limb) 1) << 5);
325     static const limb two62m2 = (((limb) 1) << 62) - (((limb) 1) << 4);
353      * with 58 bits set and one limb with a number with 57 bits set.
355     static const limb two63m6 = (((limb) 1) << 63) - (((limb) 1) << 6);
356     static const limb two63m5 = (((limb) 1) << 63) - (((limb) 1) << 5);
594 static const limb bottom52bits = 0xfffffffffffff;
607     out[0] = ((limb) in[0]) & bottom58bits;
608     out[1] = ((limb) in[1]) & bottom58bits;
609     out[2] = ((limb) in[2]) & bottom58bits;
610     out[3] = ((limb) in[3]) & bottom58bits;
611     out[4] = ((limb) in[4]) & bottom58bits;
612     out[5] = ((limb) in[5]) & bottom58bits;
613     out[6] = ((limb) in[6]) & bottom58bits;
614     out[7] = ((limb) in[7]) & bottom58bits;
615     out[8] = ((limb) in[8]) & bottom58bits;
619     out[1] += ((limb) in[0]) >> 58;
620     out[1] += (((limb) (in[0] >> 64)) & bottom52bits) << 6;
625     out[2] += ((limb) (in[0] >> 64)) >> 52;
627     out[2] += ((limb) in[1]) >> 58;
628     out[2] += (((limb) (in[1] >> 64)) & bottom52bits) << 6;
629     out[3] += ((limb) (in[1] >> 64)) >> 52;
631     out[3] += ((limb) in[2]) >> 58;
632     out[3] += (((limb) (in[2] >> 64)) & bottom52bits) << 6;
633     out[4] += ((limb) (in[2] >> 64)) >> 52;
635     out[4] += ((limb) in[3]) >> 58;
636     out[4] += (((limb) (in[3] >> 64)) & bottom52bits) << 6;
637     out[5] += ((limb) (in[3] >> 64)) >> 52;
639     out[5] += ((limb) in[4]) >> 58;
640     out[5] += (((limb) (in[4] >> 64)) & bottom52bits) << 6;
641     out[6] += ((limb) (in[4] >> 64)) >> 52;
643     out[6] += ((limb) in[5]) >> 58;
644     out[6] += (((limb) (in[5] >> 64)) & bottom52bits) << 6;
645     out[7] += ((limb) (in[5] >> 64)) >> 52;
647     out[7] += ((limb) in[6]) >> 58;
648     out[7] += (((limb) (in[6] >> 64)) & bottom52bits) << 6;
649     out[8] += ((limb) (in[6] >> 64)) >> 52;
651     out[8] += ((limb) in[7]) >> 58;
652     out[8] += (((limb) (in[7] >> 64)) & bottom52bits) << 6;
657     overflow1 = ((limb) (in[7] >> 64)) >> 52;
659     overflow1 += ((limb) in[8]) >> 58;
660     overflow1 += (((limb) (in[8] >> 64)) & bottom52bits) << 6;
661     overflow2 = ((limb) (in[8] >> 64)) >> 52;
859  * felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
864 static limb felem_is_zero(const felem in)
867     limb is_zero, is_p;
892      * The ninth limb of 2*(2^521-1) is 0x03ffffffffffffff, which is greater
934     return (int)(felem_is_zero(in) & ((limb) 1));
944     limb is_p, is_greater, sign;
945     static const limb two58 = ((limb) 1) << 58;
1186 static void copy_conditional(felem out, const felem in, limb mask)
1190         const limb tmp = mask & (in[i] ^ out[i]);
1213     limb x_equal, y_equal, z1_is_zero, z2_is_zero;
1214     limb points_equal;
1546 static void select_point(const limb idx, unsigned int size,
1550     limb *outlimbs = &out[0][0];
1555         const limb *inlimbs = &pre_comp[i][0][0];
1556         limb mask = i ^ idx;
1591     limb bits;
1647                 copy_conditional(tmp[1], tmp[3], (-(limb) sign));

Indexes created Thu Nov 07 10:32:03 CST 2024