1a8e1175bSopenharmony_ci/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. 2a8e1175bSopenharmony_ci Licensed under the Apache 2.0 License. */ 3a8e1175bSopenharmony_ci 4a8e1175bSopenharmony_ci/* This file was generated by KreMLin <https://github.com/FStarLang/kremlin> 5a8e1175bSopenharmony_ci * KreMLin invocation: /mnt/e/everest/verify/kremlin/krml -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrcLh -minimal -fbuiltin-uint128 -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrcLh -minimal -I /mnt/e/everest/verify/hacl-star/code/lib/kremlin -I /mnt/e/everest/verify/kremlin/kremlib/compat -I /mnt/e/everest/verify/hacl-star/specs -I /mnt/e/everest/verify/hacl-star/specs/old -I . -ccopt -march=native -verbose -ldopt -flto -tmpdir x25519-c -I ../bignum -bundle Hacl.Curve25519=* -minimal -add-include "kremlib.h" -skip-compilation x25519-c/out.krml -o x25519-c/Hacl_Curve25519.c 6a8e1175bSopenharmony_ci * F* version: 059db0c8 7a8e1175bSopenharmony_ci * KreMLin version: 916c37ac 8a8e1175bSopenharmony_ci */ 9a8e1175bSopenharmony_ci 10a8e1175bSopenharmony_ci 11a8e1175bSopenharmony_ci#include "Hacl_Curve25519.h" 12a8e1175bSopenharmony_ci 13a8e1175bSopenharmony_ciextern uint64_t FStar_UInt64_eq_mask(uint64_t x0, uint64_t x1); 14a8e1175bSopenharmony_ci 15a8e1175bSopenharmony_ciextern uint64_t FStar_UInt64_gte_mask(uint64_t x0, uint64_t x1); 16a8e1175bSopenharmony_ci 17a8e1175bSopenharmony_ciextern uint128_t FStar_UInt128_add(uint128_t x0, uint128_t x1); 18a8e1175bSopenharmony_ci 19a8e1175bSopenharmony_ciextern uint128_t FStar_UInt128_add_mod(uint128_t x0, uint128_t x1); 20a8e1175bSopenharmony_ci 21a8e1175bSopenharmony_ciextern uint128_t FStar_UInt128_logand(uint128_t x0, uint128_t x1); 22a8e1175bSopenharmony_ci 23a8e1175bSopenharmony_ciextern uint128_t FStar_UInt128_shift_right(uint128_t x0, uint32_t x1); 24a8e1175bSopenharmony_ci 25a8e1175bSopenharmony_ciextern uint128_t FStar_UInt128_uint64_to_uint128(uint64_t x0); 26a8e1175bSopenharmony_ci 27a8e1175bSopenharmony_ciextern uint64_t FStar_UInt128_uint128_to_uint64(uint128_t x0); 28a8e1175bSopenharmony_ci 29a8e1175bSopenharmony_ciextern uint128_t FStar_UInt128_mul_wide(uint64_t x0, uint64_t x1); 30a8e1175bSopenharmony_ci 31a8e1175bSopenharmony_cistatic void Hacl_Bignum_Modulo_carry_top(uint64_t *b) 32a8e1175bSopenharmony_ci{ 33a8e1175bSopenharmony_ci uint64_t b4 = b[4U]; 34a8e1175bSopenharmony_ci uint64_t b0 = b[0U]; 35a8e1175bSopenharmony_ci uint64_t b4_ = b4 & (uint64_t)0x7ffffffffffffU; 36a8e1175bSopenharmony_ci uint64_t b0_ = b0 + (uint64_t)19U * (b4 >> (uint32_t)51U); 37a8e1175bSopenharmony_ci b[4U] = b4_; 38a8e1175bSopenharmony_ci b[0U] = b0_; 39a8e1175bSopenharmony_ci} 40a8e1175bSopenharmony_ci 41a8e1175bSopenharmony_ciinline static void Hacl_Bignum_Fproduct_copy_from_wide_(uint64_t *output, uint128_t *input) 42a8e1175bSopenharmony_ci{ 43a8e1175bSopenharmony_ci uint32_t i; 44a8e1175bSopenharmony_ci for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) 45a8e1175bSopenharmony_ci { 46a8e1175bSopenharmony_ci uint128_t xi = input[i]; 47a8e1175bSopenharmony_ci output[i] = (uint64_t)xi; 48a8e1175bSopenharmony_ci } 49a8e1175bSopenharmony_ci} 50a8e1175bSopenharmony_ci 51a8e1175bSopenharmony_ciinline static void 52a8e1175bSopenharmony_ciHacl_Bignum_Fproduct_sum_scalar_multiplication_(uint128_t *output, uint64_t *input, uint64_t s) 53a8e1175bSopenharmony_ci{ 54a8e1175bSopenharmony_ci uint32_t i; 55a8e1175bSopenharmony_ci for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) 56a8e1175bSopenharmony_ci { 57a8e1175bSopenharmony_ci uint128_t xi = output[i]; 58a8e1175bSopenharmony_ci uint64_t yi = input[i]; 59a8e1175bSopenharmony_ci output[i] = xi + (uint128_t)yi * s; 60a8e1175bSopenharmony_ci } 61a8e1175bSopenharmony_ci} 62a8e1175bSopenharmony_ci 63a8e1175bSopenharmony_ciinline static void Hacl_Bignum_Fproduct_carry_wide_(uint128_t *tmp) 64a8e1175bSopenharmony_ci{ 65a8e1175bSopenharmony_ci uint32_t i; 66a8e1175bSopenharmony_ci for (i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) 67a8e1175bSopenharmony_ci { 68a8e1175bSopenharmony_ci uint32_t ctr = i; 69a8e1175bSopenharmony_ci uint128_t tctr = tmp[ctr]; 70a8e1175bSopenharmony_ci uint128_t tctrp1 = tmp[ctr + (uint32_t)1U]; 71a8e1175bSopenharmony_ci uint64_t r0 = (uint64_t)tctr & (uint64_t)0x7ffffffffffffU; 72a8e1175bSopenharmony_ci uint128_t c = tctr >> (uint32_t)51U; 73a8e1175bSopenharmony_ci tmp[ctr] = (uint128_t)r0; 74a8e1175bSopenharmony_ci tmp[ctr + (uint32_t)1U] = tctrp1 + c; 75a8e1175bSopenharmony_ci } 76a8e1175bSopenharmony_ci} 77a8e1175bSopenharmony_ci 78a8e1175bSopenharmony_ciinline static void Hacl_Bignum_Fmul_shift_reduce(uint64_t *output) 79a8e1175bSopenharmony_ci{ 80a8e1175bSopenharmony_ci uint64_t tmp = output[4U]; 81a8e1175bSopenharmony_ci uint64_t b0; 82a8e1175bSopenharmony_ci { 83a8e1175bSopenharmony_ci uint32_t i; 84a8e1175bSopenharmony_ci for (i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) 85a8e1175bSopenharmony_ci { 86a8e1175bSopenharmony_ci uint32_t ctr = (uint32_t)5U - i - (uint32_t)1U; 87a8e1175bSopenharmony_ci uint64_t z = output[ctr - (uint32_t)1U]; 88a8e1175bSopenharmony_ci output[ctr] = z; 89a8e1175bSopenharmony_ci } 90a8e1175bSopenharmony_ci } 91a8e1175bSopenharmony_ci output[0U] = tmp; 92a8e1175bSopenharmony_ci b0 = output[0U]; 93a8e1175bSopenharmony_ci output[0U] = (uint64_t)19U * b0; 94a8e1175bSopenharmony_ci} 95a8e1175bSopenharmony_ci 96a8e1175bSopenharmony_cistatic void 97a8e1175bSopenharmony_ciHacl_Bignum_Fmul_mul_shift_reduce_(uint128_t *output, uint64_t *input, uint64_t *input2) 98a8e1175bSopenharmony_ci{ 99a8e1175bSopenharmony_ci uint32_t i; 100a8e1175bSopenharmony_ci uint64_t input2i; 101a8e1175bSopenharmony_ci { 102a8e1175bSopenharmony_ci uint32_t i0; 103a8e1175bSopenharmony_ci for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0 = i0 + (uint32_t)1U) 104a8e1175bSopenharmony_ci { 105a8e1175bSopenharmony_ci uint64_t input2i0 = input2[i0]; 106a8e1175bSopenharmony_ci Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i0); 107a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_shift_reduce(input); 108a8e1175bSopenharmony_ci } 109a8e1175bSopenharmony_ci } 110a8e1175bSopenharmony_ci i = (uint32_t)4U; 111a8e1175bSopenharmony_ci input2i = input2[i]; 112a8e1175bSopenharmony_ci Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i); 113a8e1175bSopenharmony_ci} 114a8e1175bSopenharmony_ci 115a8e1175bSopenharmony_ciinline static void Hacl_Bignum_Fmul_fmul(uint64_t *output, uint64_t *input, uint64_t *input2) 116a8e1175bSopenharmony_ci{ 117a8e1175bSopenharmony_ci uint64_t tmp[5U] = { 0U }; 118a8e1175bSopenharmony_ci memcpy(tmp, input, (uint32_t)5U * sizeof input[0U]); 119a8e1175bSopenharmony_ci KRML_CHECK_SIZE(sizeof (uint128_t), (uint32_t)5U); 120a8e1175bSopenharmony_ci { 121a8e1175bSopenharmony_ci uint128_t t[5U]; 122a8e1175bSopenharmony_ci { 123a8e1175bSopenharmony_ci uint32_t _i; 124a8e1175bSopenharmony_ci for (_i = 0U; _i < (uint32_t)5U; ++_i) 125a8e1175bSopenharmony_ci t[_i] = (uint128_t)(uint64_t)0U; 126a8e1175bSopenharmony_ci } 127a8e1175bSopenharmony_ci { 128a8e1175bSopenharmony_ci uint128_t b4; 129a8e1175bSopenharmony_ci uint128_t b0; 130a8e1175bSopenharmony_ci uint128_t b4_; 131a8e1175bSopenharmony_ci uint128_t b0_; 132a8e1175bSopenharmony_ci uint64_t i0; 133a8e1175bSopenharmony_ci uint64_t i1; 134a8e1175bSopenharmony_ci uint64_t i0_; 135a8e1175bSopenharmony_ci uint64_t i1_; 136a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input2); 137a8e1175bSopenharmony_ci Hacl_Bignum_Fproduct_carry_wide_(t); 138a8e1175bSopenharmony_ci b4 = t[4U]; 139a8e1175bSopenharmony_ci b0 = t[0U]; 140a8e1175bSopenharmony_ci b4_ = b4 & (uint128_t)(uint64_t)0x7ffffffffffffU; 141a8e1175bSopenharmony_ci b0_ = b0 + (uint128_t)(uint64_t)19U * (uint64_t)(b4 >> (uint32_t)51U); 142a8e1175bSopenharmony_ci t[4U] = b4_; 143a8e1175bSopenharmony_ci t[0U] = b0_; 144a8e1175bSopenharmony_ci Hacl_Bignum_Fproduct_copy_from_wide_(output, t); 145a8e1175bSopenharmony_ci i0 = output[0U]; 146a8e1175bSopenharmony_ci i1 = output[1U]; 147a8e1175bSopenharmony_ci i0_ = i0 & (uint64_t)0x7ffffffffffffU; 148a8e1175bSopenharmony_ci i1_ = i1 + (i0 >> (uint32_t)51U); 149a8e1175bSopenharmony_ci output[0U] = i0_; 150a8e1175bSopenharmony_ci output[1U] = i1_; 151a8e1175bSopenharmony_ci } 152a8e1175bSopenharmony_ci } 153a8e1175bSopenharmony_ci} 154a8e1175bSopenharmony_ci 155a8e1175bSopenharmony_ciinline static void Hacl_Bignum_Fsquare_fsquare__(uint128_t *tmp, uint64_t *output) 156a8e1175bSopenharmony_ci{ 157a8e1175bSopenharmony_ci uint64_t r0 = output[0U]; 158a8e1175bSopenharmony_ci uint64_t r1 = output[1U]; 159a8e1175bSopenharmony_ci uint64_t r2 = output[2U]; 160a8e1175bSopenharmony_ci uint64_t r3 = output[3U]; 161a8e1175bSopenharmony_ci uint64_t r4 = output[4U]; 162a8e1175bSopenharmony_ci uint64_t d0 = r0 * (uint64_t)2U; 163a8e1175bSopenharmony_ci uint64_t d1 = r1 * (uint64_t)2U; 164a8e1175bSopenharmony_ci uint64_t d2 = r2 * (uint64_t)2U * (uint64_t)19U; 165a8e1175bSopenharmony_ci uint64_t d419 = r4 * (uint64_t)19U; 166a8e1175bSopenharmony_ci uint64_t d4 = d419 * (uint64_t)2U; 167a8e1175bSopenharmony_ci uint128_t s0 = (uint128_t)r0 * r0 + (uint128_t)d4 * r1 + (uint128_t)d2 * r3; 168a8e1175bSopenharmony_ci uint128_t s1 = (uint128_t)d0 * r1 + (uint128_t)d4 * r2 + (uint128_t)(r3 * (uint64_t)19U) * r3; 169a8e1175bSopenharmony_ci uint128_t s2 = (uint128_t)d0 * r2 + (uint128_t)r1 * r1 + (uint128_t)d4 * r3; 170a8e1175bSopenharmony_ci uint128_t s3 = (uint128_t)d0 * r3 + (uint128_t)d1 * r2 + (uint128_t)r4 * d419; 171a8e1175bSopenharmony_ci uint128_t s4 = (uint128_t)d0 * r4 + (uint128_t)d1 * r3 + (uint128_t)r2 * r2; 172a8e1175bSopenharmony_ci tmp[0U] = s0; 173a8e1175bSopenharmony_ci tmp[1U] = s1; 174a8e1175bSopenharmony_ci tmp[2U] = s2; 175a8e1175bSopenharmony_ci tmp[3U] = s3; 176a8e1175bSopenharmony_ci tmp[4U] = s4; 177a8e1175bSopenharmony_ci} 178a8e1175bSopenharmony_ci 179a8e1175bSopenharmony_ciinline static void Hacl_Bignum_Fsquare_fsquare_(uint128_t *tmp, uint64_t *output) 180a8e1175bSopenharmony_ci{ 181a8e1175bSopenharmony_ci uint128_t b4; 182a8e1175bSopenharmony_ci uint128_t b0; 183a8e1175bSopenharmony_ci uint128_t b4_; 184a8e1175bSopenharmony_ci uint128_t b0_; 185a8e1175bSopenharmony_ci uint64_t i0; 186a8e1175bSopenharmony_ci uint64_t i1; 187a8e1175bSopenharmony_ci uint64_t i0_; 188a8e1175bSopenharmony_ci uint64_t i1_; 189a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare__(tmp, output); 190a8e1175bSopenharmony_ci Hacl_Bignum_Fproduct_carry_wide_(tmp); 191a8e1175bSopenharmony_ci b4 = tmp[4U]; 192a8e1175bSopenharmony_ci b0 = tmp[0U]; 193a8e1175bSopenharmony_ci b4_ = b4 & (uint128_t)(uint64_t)0x7ffffffffffffU; 194a8e1175bSopenharmony_ci b0_ = b0 + (uint128_t)(uint64_t)19U * (uint64_t)(b4 >> (uint32_t)51U); 195a8e1175bSopenharmony_ci tmp[4U] = b4_; 196a8e1175bSopenharmony_ci tmp[0U] = b0_; 197a8e1175bSopenharmony_ci Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp); 198a8e1175bSopenharmony_ci i0 = output[0U]; 199a8e1175bSopenharmony_ci i1 = output[1U]; 200a8e1175bSopenharmony_ci i0_ = i0 & (uint64_t)0x7ffffffffffffU; 201a8e1175bSopenharmony_ci i1_ = i1 + (i0 >> (uint32_t)51U); 202a8e1175bSopenharmony_ci output[0U] = i0_; 203a8e1175bSopenharmony_ci output[1U] = i1_; 204a8e1175bSopenharmony_ci} 205a8e1175bSopenharmony_ci 206a8e1175bSopenharmony_cistatic void 207a8e1175bSopenharmony_ciHacl_Bignum_Fsquare_fsquare_times_(uint64_t *input, uint128_t *tmp, uint32_t count1) 208a8e1175bSopenharmony_ci{ 209a8e1175bSopenharmony_ci uint32_t i; 210a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_(tmp, input); 211a8e1175bSopenharmony_ci for (i = (uint32_t)1U; i < count1; i = i + (uint32_t)1U) 212a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_(tmp, input); 213a8e1175bSopenharmony_ci} 214a8e1175bSopenharmony_ci 215a8e1175bSopenharmony_ciinline static void 216a8e1175bSopenharmony_ciHacl_Bignum_Fsquare_fsquare_times(uint64_t *output, uint64_t *input, uint32_t count1) 217a8e1175bSopenharmony_ci{ 218a8e1175bSopenharmony_ci KRML_CHECK_SIZE(sizeof (uint128_t), (uint32_t)5U); 219a8e1175bSopenharmony_ci { 220a8e1175bSopenharmony_ci uint128_t t[5U]; 221a8e1175bSopenharmony_ci { 222a8e1175bSopenharmony_ci uint32_t _i; 223a8e1175bSopenharmony_ci for (_i = 0U; _i < (uint32_t)5U; ++_i) 224a8e1175bSopenharmony_ci t[_i] = (uint128_t)(uint64_t)0U; 225a8e1175bSopenharmony_ci } 226a8e1175bSopenharmony_ci memcpy(output, input, (uint32_t)5U * sizeof input[0U]); 227a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1); 228a8e1175bSopenharmony_ci } 229a8e1175bSopenharmony_ci} 230a8e1175bSopenharmony_ci 231a8e1175bSopenharmony_ciinline static void Hacl_Bignum_Fsquare_fsquare_times_inplace(uint64_t *output, uint32_t count1) 232a8e1175bSopenharmony_ci{ 233a8e1175bSopenharmony_ci KRML_CHECK_SIZE(sizeof (uint128_t), (uint32_t)5U); 234a8e1175bSopenharmony_ci { 235a8e1175bSopenharmony_ci uint128_t t[5U]; 236a8e1175bSopenharmony_ci { 237a8e1175bSopenharmony_ci uint32_t _i; 238a8e1175bSopenharmony_ci for (_i = 0U; _i < (uint32_t)5U; ++_i) 239a8e1175bSopenharmony_ci t[_i] = (uint128_t)(uint64_t)0U; 240a8e1175bSopenharmony_ci } 241a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1); 242a8e1175bSopenharmony_ci } 243a8e1175bSopenharmony_ci} 244a8e1175bSopenharmony_ci 245a8e1175bSopenharmony_ciinline static void Hacl_Bignum_Crecip_crecip(uint64_t *out, uint64_t *z) 246a8e1175bSopenharmony_ci{ 247a8e1175bSopenharmony_ci uint64_t buf[20U] = { 0U }; 248a8e1175bSopenharmony_ci uint64_t *a0 = buf; 249a8e1175bSopenharmony_ci uint64_t *t00 = buf + (uint32_t)5U; 250a8e1175bSopenharmony_ci uint64_t *b0 = buf + (uint32_t)10U; 251a8e1175bSopenharmony_ci uint64_t *t01; 252a8e1175bSopenharmony_ci uint64_t *b1; 253a8e1175bSopenharmony_ci uint64_t *c0; 254a8e1175bSopenharmony_ci uint64_t *a; 255a8e1175bSopenharmony_ci uint64_t *t0; 256a8e1175bSopenharmony_ci uint64_t *b; 257a8e1175bSopenharmony_ci uint64_t *c; 258a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(a0, z, (uint32_t)1U); 259a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(t00, a0, (uint32_t)2U); 260a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(b0, t00, z); 261a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(a0, b0, a0); 262a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(t00, a0, (uint32_t)1U); 263a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(b0, t00, b0); 264a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(t00, b0, (uint32_t)5U); 265a8e1175bSopenharmony_ci t01 = buf + (uint32_t)5U; 266a8e1175bSopenharmony_ci b1 = buf + (uint32_t)10U; 267a8e1175bSopenharmony_ci c0 = buf + (uint32_t)15U; 268a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(b1, t01, b1); 269a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)10U); 270a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(c0, t01, b1); 271a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(t01, c0, (uint32_t)20U); 272a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(t01, t01, c0); 273a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times_inplace(t01, (uint32_t)10U); 274a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(b1, t01, b1); 275a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)50U); 276a8e1175bSopenharmony_ci a = buf; 277a8e1175bSopenharmony_ci t0 = buf + (uint32_t)5U; 278a8e1175bSopenharmony_ci b = buf + (uint32_t)10U; 279a8e1175bSopenharmony_ci c = buf + (uint32_t)15U; 280a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(c, t0, b); 281a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(t0, c, (uint32_t)100U); 282a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(t0, t0, c); 283a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)50U); 284a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(t0, t0, b); 285a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)5U); 286a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(out, t0, a); 287a8e1175bSopenharmony_ci} 288a8e1175bSopenharmony_ci 289a8e1175bSopenharmony_ciinline static void Hacl_Bignum_fsum(uint64_t *a, uint64_t *b) 290a8e1175bSopenharmony_ci{ 291a8e1175bSopenharmony_ci uint32_t i; 292a8e1175bSopenharmony_ci for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) 293a8e1175bSopenharmony_ci { 294a8e1175bSopenharmony_ci uint64_t xi = a[i]; 295a8e1175bSopenharmony_ci uint64_t yi = b[i]; 296a8e1175bSopenharmony_ci a[i] = xi + yi; 297a8e1175bSopenharmony_ci } 298a8e1175bSopenharmony_ci} 299a8e1175bSopenharmony_ci 300a8e1175bSopenharmony_ciinline static void Hacl_Bignum_fdifference(uint64_t *a, uint64_t *b) 301a8e1175bSopenharmony_ci{ 302a8e1175bSopenharmony_ci uint64_t tmp[5U] = { 0U }; 303a8e1175bSopenharmony_ci uint64_t b0; 304a8e1175bSopenharmony_ci uint64_t b1; 305a8e1175bSopenharmony_ci uint64_t b2; 306a8e1175bSopenharmony_ci uint64_t b3; 307a8e1175bSopenharmony_ci uint64_t b4; 308a8e1175bSopenharmony_ci memcpy(tmp, b, (uint32_t)5U * sizeof b[0U]); 309a8e1175bSopenharmony_ci b0 = tmp[0U]; 310a8e1175bSopenharmony_ci b1 = tmp[1U]; 311a8e1175bSopenharmony_ci b2 = tmp[2U]; 312a8e1175bSopenharmony_ci b3 = tmp[3U]; 313a8e1175bSopenharmony_ci b4 = tmp[4U]; 314a8e1175bSopenharmony_ci tmp[0U] = b0 + (uint64_t)0x3fffffffffff68U; 315a8e1175bSopenharmony_ci tmp[1U] = b1 + (uint64_t)0x3ffffffffffff8U; 316a8e1175bSopenharmony_ci tmp[2U] = b2 + (uint64_t)0x3ffffffffffff8U; 317a8e1175bSopenharmony_ci tmp[3U] = b3 + (uint64_t)0x3ffffffffffff8U; 318a8e1175bSopenharmony_ci tmp[4U] = b4 + (uint64_t)0x3ffffffffffff8U; 319a8e1175bSopenharmony_ci { 320a8e1175bSopenharmony_ci uint32_t i; 321a8e1175bSopenharmony_ci for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) 322a8e1175bSopenharmony_ci { 323a8e1175bSopenharmony_ci uint64_t xi = a[i]; 324a8e1175bSopenharmony_ci uint64_t yi = tmp[i]; 325a8e1175bSopenharmony_ci a[i] = yi - xi; 326a8e1175bSopenharmony_ci } 327a8e1175bSopenharmony_ci } 328a8e1175bSopenharmony_ci} 329a8e1175bSopenharmony_ci 330a8e1175bSopenharmony_ciinline static void Hacl_Bignum_fscalar(uint64_t *output, uint64_t *b, uint64_t s) 331a8e1175bSopenharmony_ci{ 332a8e1175bSopenharmony_ci KRML_CHECK_SIZE(sizeof (uint128_t), (uint32_t)5U); 333a8e1175bSopenharmony_ci { 334a8e1175bSopenharmony_ci uint128_t tmp[5U]; 335a8e1175bSopenharmony_ci { 336a8e1175bSopenharmony_ci uint32_t _i; 337a8e1175bSopenharmony_ci for (_i = 0U; _i < (uint32_t)5U; ++_i) 338a8e1175bSopenharmony_ci tmp[_i] = (uint128_t)(uint64_t)0U; 339a8e1175bSopenharmony_ci } 340a8e1175bSopenharmony_ci { 341a8e1175bSopenharmony_ci uint128_t b4; 342a8e1175bSopenharmony_ci uint128_t b0; 343a8e1175bSopenharmony_ci uint128_t b4_; 344a8e1175bSopenharmony_ci uint128_t b0_; 345a8e1175bSopenharmony_ci { 346a8e1175bSopenharmony_ci uint32_t i; 347a8e1175bSopenharmony_ci for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) 348a8e1175bSopenharmony_ci { 349a8e1175bSopenharmony_ci uint64_t xi = b[i]; 350a8e1175bSopenharmony_ci tmp[i] = (uint128_t)xi * s; 351a8e1175bSopenharmony_ci } 352a8e1175bSopenharmony_ci } 353a8e1175bSopenharmony_ci Hacl_Bignum_Fproduct_carry_wide_(tmp); 354a8e1175bSopenharmony_ci b4 = tmp[4U]; 355a8e1175bSopenharmony_ci b0 = tmp[0U]; 356a8e1175bSopenharmony_ci b4_ = b4 & (uint128_t)(uint64_t)0x7ffffffffffffU; 357a8e1175bSopenharmony_ci b0_ = b0 + (uint128_t)(uint64_t)19U * (uint64_t)(b4 >> (uint32_t)51U); 358a8e1175bSopenharmony_ci tmp[4U] = b4_; 359a8e1175bSopenharmony_ci tmp[0U] = b0_; 360a8e1175bSopenharmony_ci Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp); 361a8e1175bSopenharmony_ci } 362a8e1175bSopenharmony_ci } 363a8e1175bSopenharmony_ci} 364a8e1175bSopenharmony_ci 365a8e1175bSopenharmony_ciinline static void Hacl_Bignum_fmul(uint64_t *output, uint64_t *a, uint64_t *b) 366a8e1175bSopenharmony_ci{ 367a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(output, a, b); 368a8e1175bSopenharmony_ci} 369a8e1175bSopenharmony_ci 370a8e1175bSopenharmony_ciinline static void Hacl_Bignum_crecip(uint64_t *output, uint64_t *input) 371a8e1175bSopenharmony_ci{ 372a8e1175bSopenharmony_ci Hacl_Bignum_Crecip_crecip(output, input); 373a8e1175bSopenharmony_ci} 374a8e1175bSopenharmony_ci 375a8e1175bSopenharmony_cistatic void 376a8e1175bSopenharmony_ciHacl_EC_Point_swap_conditional_step(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr) 377a8e1175bSopenharmony_ci{ 378a8e1175bSopenharmony_ci uint32_t i = ctr - (uint32_t)1U; 379a8e1175bSopenharmony_ci uint64_t ai = a[i]; 380a8e1175bSopenharmony_ci uint64_t bi = b[i]; 381a8e1175bSopenharmony_ci uint64_t x = swap1 & (ai ^ bi); 382a8e1175bSopenharmony_ci uint64_t ai1 = ai ^ x; 383a8e1175bSopenharmony_ci uint64_t bi1 = bi ^ x; 384a8e1175bSopenharmony_ci a[i] = ai1; 385a8e1175bSopenharmony_ci b[i] = bi1; 386a8e1175bSopenharmony_ci} 387a8e1175bSopenharmony_ci 388a8e1175bSopenharmony_cistatic void 389a8e1175bSopenharmony_ciHacl_EC_Point_swap_conditional_(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr) 390a8e1175bSopenharmony_ci{ 391a8e1175bSopenharmony_ci if (!(ctr == (uint32_t)0U)) 392a8e1175bSopenharmony_ci { 393a8e1175bSopenharmony_ci uint32_t i; 394a8e1175bSopenharmony_ci Hacl_EC_Point_swap_conditional_step(a, b, swap1, ctr); 395a8e1175bSopenharmony_ci i = ctr - (uint32_t)1U; 396a8e1175bSopenharmony_ci Hacl_EC_Point_swap_conditional_(a, b, swap1, i); 397a8e1175bSopenharmony_ci } 398a8e1175bSopenharmony_ci} 399a8e1175bSopenharmony_ci 400a8e1175bSopenharmony_cistatic void Hacl_EC_Point_swap_conditional(uint64_t *a, uint64_t *b, uint64_t iswap) 401a8e1175bSopenharmony_ci{ 402a8e1175bSopenharmony_ci uint64_t swap1 = (uint64_t)0U - iswap; 403a8e1175bSopenharmony_ci Hacl_EC_Point_swap_conditional_(a, b, swap1, (uint32_t)5U); 404a8e1175bSopenharmony_ci Hacl_EC_Point_swap_conditional_(a + (uint32_t)5U, b + (uint32_t)5U, swap1, (uint32_t)5U); 405a8e1175bSopenharmony_ci} 406a8e1175bSopenharmony_ci 407a8e1175bSopenharmony_cistatic void Hacl_EC_Point_copy(uint64_t *output, uint64_t *input) 408a8e1175bSopenharmony_ci{ 409a8e1175bSopenharmony_ci memcpy(output, input, (uint32_t)5U * sizeof input[0U]); 410a8e1175bSopenharmony_ci memcpy(output + (uint32_t)5U, 411a8e1175bSopenharmony_ci input + (uint32_t)5U, 412a8e1175bSopenharmony_ci (uint32_t)5U * sizeof (input + (uint32_t)5U)[0U]); 413a8e1175bSopenharmony_ci} 414a8e1175bSopenharmony_ci 415a8e1175bSopenharmony_cistatic void Hacl_EC_Format_fexpand(uint64_t *output, uint8_t *input) 416a8e1175bSopenharmony_ci{ 417a8e1175bSopenharmony_ci uint64_t i0 = load64_le(input); 418a8e1175bSopenharmony_ci uint8_t *x00 = input + (uint32_t)6U; 419a8e1175bSopenharmony_ci uint64_t i1 = load64_le(x00); 420a8e1175bSopenharmony_ci uint8_t *x01 = input + (uint32_t)12U; 421a8e1175bSopenharmony_ci uint64_t i2 = load64_le(x01); 422a8e1175bSopenharmony_ci uint8_t *x02 = input + (uint32_t)19U; 423a8e1175bSopenharmony_ci uint64_t i3 = load64_le(x02); 424a8e1175bSopenharmony_ci uint8_t *x0 = input + (uint32_t)24U; 425a8e1175bSopenharmony_ci uint64_t i4 = load64_le(x0); 426a8e1175bSopenharmony_ci uint64_t output0 = i0 & (uint64_t)0x7ffffffffffffU; 427a8e1175bSopenharmony_ci uint64_t output1 = i1 >> (uint32_t)3U & (uint64_t)0x7ffffffffffffU; 428a8e1175bSopenharmony_ci uint64_t output2 = i2 >> (uint32_t)6U & (uint64_t)0x7ffffffffffffU; 429a8e1175bSopenharmony_ci uint64_t output3 = i3 >> (uint32_t)1U & (uint64_t)0x7ffffffffffffU; 430a8e1175bSopenharmony_ci uint64_t output4 = i4 >> (uint32_t)12U & (uint64_t)0x7ffffffffffffU; 431a8e1175bSopenharmony_ci output[0U] = output0; 432a8e1175bSopenharmony_ci output[1U] = output1; 433a8e1175bSopenharmony_ci output[2U] = output2; 434a8e1175bSopenharmony_ci output[3U] = output3; 435a8e1175bSopenharmony_ci output[4U] = output4; 436a8e1175bSopenharmony_ci} 437a8e1175bSopenharmony_ci 438a8e1175bSopenharmony_cistatic void Hacl_EC_Format_fcontract_first_carry_pass(uint64_t *input) 439a8e1175bSopenharmony_ci{ 440a8e1175bSopenharmony_ci uint64_t t0 = input[0U]; 441a8e1175bSopenharmony_ci uint64_t t1 = input[1U]; 442a8e1175bSopenharmony_ci uint64_t t2 = input[2U]; 443a8e1175bSopenharmony_ci uint64_t t3 = input[3U]; 444a8e1175bSopenharmony_ci uint64_t t4 = input[4U]; 445a8e1175bSopenharmony_ci uint64_t t1_ = t1 + (t0 >> (uint32_t)51U); 446a8e1175bSopenharmony_ci uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU; 447a8e1175bSopenharmony_ci uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U); 448a8e1175bSopenharmony_ci uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU; 449a8e1175bSopenharmony_ci uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U); 450a8e1175bSopenharmony_ci uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU; 451a8e1175bSopenharmony_ci uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U); 452a8e1175bSopenharmony_ci uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU; 453a8e1175bSopenharmony_ci input[0U] = t0_; 454a8e1175bSopenharmony_ci input[1U] = t1__; 455a8e1175bSopenharmony_ci input[2U] = t2__; 456a8e1175bSopenharmony_ci input[3U] = t3__; 457a8e1175bSopenharmony_ci input[4U] = t4_; 458a8e1175bSopenharmony_ci} 459a8e1175bSopenharmony_ci 460a8e1175bSopenharmony_cistatic void Hacl_EC_Format_fcontract_first_carry_full(uint64_t *input) 461a8e1175bSopenharmony_ci{ 462a8e1175bSopenharmony_ci Hacl_EC_Format_fcontract_first_carry_pass(input); 463a8e1175bSopenharmony_ci Hacl_Bignum_Modulo_carry_top(input); 464a8e1175bSopenharmony_ci} 465a8e1175bSopenharmony_ci 466a8e1175bSopenharmony_cistatic void Hacl_EC_Format_fcontract_second_carry_pass(uint64_t *input) 467a8e1175bSopenharmony_ci{ 468a8e1175bSopenharmony_ci uint64_t t0 = input[0U]; 469a8e1175bSopenharmony_ci uint64_t t1 = input[1U]; 470a8e1175bSopenharmony_ci uint64_t t2 = input[2U]; 471a8e1175bSopenharmony_ci uint64_t t3 = input[3U]; 472a8e1175bSopenharmony_ci uint64_t t4 = input[4U]; 473a8e1175bSopenharmony_ci uint64_t t1_ = t1 + (t0 >> (uint32_t)51U); 474a8e1175bSopenharmony_ci uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU; 475a8e1175bSopenharmony_ci uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U); 476a8e1175bSopenharmony_ci uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU; 477a8e1175bSopenharmony_ci uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U); 478a8e1175bSopenharmony_ci uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU; 479a8e1175bSopenharmony_ci uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U); 480a8e1175bSopenharmony_ci uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU; 481a8e1175bSopenharmony_ci input[0U] = t0_; 482a8e1175bSopenharmony_ci input[1U] = t1__; 483a8e1175bSopenharmony_ci input[2U] = t2__; 484a8e1175bSopenharmony_ci input[3U] = t3__; 485a8e1175bSopenharmony_ci input[4U] = t4_; 486a8e1175bSopenharmony_ci} 487a8e1175bSopenharmony_ci 488a8e1175bSopenharmony_cistatic void Hacl_EC_Format_fcontract_second_carry_full(uint64_t *input) 489a8e1175bSopenharmony_ci{ 490a8e1175bSopenharmony_ci uint64_t i0; 491a8e1175bSopenharmony_ci uint64_t i1; 492a8e1175bSopenharmony_ci uint64_t i0_; 493a8e1175bSopenharmony_ci uint64_t i1_; 494a8e1175bSopenharmony_ci Hacl_EC_Format_fcontract_second_carry_pass(input); 495a8e1175bSopenharmony_ci Hacl_Bignum_Modulo_carry_top(input); 496a8e1175bSopenharmony_ci i0 = input[0U]; 497a8e1175bSopenharmony_ci i1 = input[1U]; 498a8e1175bSopenharmony_ci i0_ = i0 & (uint64_t)0x7ffffffffffffU; 499a8e1175bSopenharmony_ci i1_ = i1 + (i0 >> (uint32_t)51U); 500a8e1175bSopenharmony_ci input[0U] = i0_; 501a8e1175bSopenharmony_ci input[1U] = i1_; 502a8e1175bSopenharmony_ci} 503a8e1175bSopenharmony_ci 504a8e1175bSopenharmony_cistatic void Hacl_EC_Format_fcontract_trim(uint64_t *input) 505a8e1175bSopenharmony_ci{ 506a8e1175bSopenharmony_ci uint64_t a0 = input[0U]; 507a8e1175bSopenharmony_ci uint64_t a1 = input[1U]; 508a8e1175bSopenharmony_ci uint64_t a2 = input[2U]; 509a8e1175bSopenharmony_ci uint64_t a3 = input[3U]; 510a8e1175bSopenharmony_ci uint64_t a4 = input[4U]; 511a8e1175bSopenharmony_ci uint64_t mask0 = FStar_UInt64_gte_mask(a0, (uint64_t)0x7ffffffffffedU); 512a8e1175bSopenharmony_ci uint64_t mask1 = FStar_UInt64_eq_mask(a1, (uint64_t)0x7ffffffffffffU); 513a8e1175bSopenharmony_ci uint64_t mask2 = FStar_UInt64_eq_mask(a2, (uint64_t)0x7ffffffffffffU); 514a8e1175bSopenharmony_ci uint64_t mask3 = FStar_UInt64_eq_mask(a3, (uint64_t)0x7ffffffffffffU); 515a8e1175bSopenharmony_ci uint64_t mask4 = FStar_UInt64_eq_mask(a4, (uint64_t)0x7ffffffffffffU); 516a8e1175bSopenharmony_ci uint64_t mask = (((mask0 & mask1) & mask2) & mask3) & mask4; 517a8e1175bSopenharmony_ci uint64_t a0_ = a0 - ((uint64_t)0x7ffffffffffedU & mask); 518a8e1175bSopenharmony_ci uint64_t a1_ = a1 - ((uint64_t)0x7ffffffffffffU & mask); 519a8e1175bSopenharmony_ci uint64_t a2_ = a2 - ((uint64_t)0x7ffffffffffffU & mask); 520a8e1175bSopenharmony_ci uint64_t a3_ = a3 - ((uint64_t)0x7ffffffffffffU & mask); 521a8e1175bSopenharmony_ci uint64_t a4_ = a4 - ((uint64_t)0x7ffffffffffffU & mask); 522a8e1175bSopenharmony_ci input[0U] = a0_; 523a8e1175bSopenharmony_ci input[1U] = a1_; 524a8e1175bSopenharmony_ci input[2U] = a2_; 525a8e1175bSopenharmony_ci input[3U] = a3_; 526a8e1175bSopenharmony_ci input[4U] = a4_; 527a8e1175bSopenharmony_ci} 528a8e1175bSopenharmony_ci 529a8e1175bSopenharmony_cistatic void Hacl_EC_Format_fcontract_store(uint8_t *output, uint64_t *input) 530a8e1175bSopenharmony_ci{ 531a8e1175bSopenharmony_ci uint64_t t0 = input[0U]; 532a8e1175bSopenharmony_ci uint64_t t1 = input[1U]; 533a8e1175bSopenharmony_ci uint64_t t2 = input[2U]; 534a8e1175bSopenharmony_ci uint64_t t3 = input[3U]; 535a8e1175bSopenharmony_ci uint64_t t4 = input[4U]; 536a8e1175bSopenharmony_ci uint64_t o0 = t1 << (uint32_t)51U | t0; 537a8e1175bSopenharmony_ci uint64_t o1 = t2 << (uint32_t)38U | t1 >> (uint32_t)13U; 538a8e1175bSopenharmony_ci uint64_t o2 = t3 << (uint32_t)25U | t2 >> (uint32_t)26U; 539a8e1175bSopenharmony_ci uint64_t o3 = t4 << (uint32_t)12U | t3 >> (uint32_t)39U; 540a8e1175bSopenharmony_ci uint8_t *b0 = output; 541a8e1175bSopenharmony_ci uint8_t *b1 = output + (uint32_t)8U; 542a8e1175bSopenharmony_ci uint8_t *b2 = output + (uint32_t)16U; 543a8e1175bSopenharmony_ci uint8_t *b3 = output + (uint32_t)24U; 544a8e1175bSopenharmony_ci store64_le(b0, o0); 545a8e1175bSopenharmony_ci store64_le(b1, o1); 546a8e1175bSopenharmony_ci store64_le(b2, o2); 547a8e1175bSopenharmony_ci store64_le(b3, o3); 548a8e1175bSopenharmony_ci} 549a8e1175bSopenharmony_ci 550a8e1175bSopenharmony_cistatic void Hacl_EC_Format_fcontract(uint8_t *output, uint64_t *input) 551a8e1175bSopenharmony_ci{ 552a8e1175bSopenharmony_ci Hacl_EC_Format_fcontract_first_carry_full(input); 553a8e1175bSopenharmony_ci Hacl_EC_Format_fcontract_second_carry_full(input); 554a8e1175bSopenharmony_ci Hacl_EC_Format_fcontract_trim(input); 555a8e1175bSopenharmony_ci Hacl_EC_Format_fcontract_store(output, input); 556a8e1175bSopenharmony_ci} 557a8e1175bSopenharmony_ci 558a8e1175bSopenharmony_cistatic void Hacl_EC_Format_scalar_of_point(uint8_t *scalar, uint64_t *point) 559a8e1175bSopenharmony_ci{ 560a8e1175bSopenharmony_ci uint64_t *x = point; 561a8e1175bSopenharmony_ci uint64_t *z = point + (uint32_t)5U; 562a8e1175bSopenharmony_ci uint64_t buf[10U] = { 0U }; 563a8e1175bSopenharmony_ci uint64_t *zmone = buf; 564a8e1175bSopenharmony_ci uint64_t *sc = buf + (uint32_t)5U; 565a8e1175bSopenharmony_ci Hacl_Bignum_crecip(zmone, z); 566a8e1175bSopenharmony_ci Hacl_Bignum_fmul(sc, x, zmone); 567a8e1175bSopenharmony_ci Hacl_EC_Format_fcontract(scalar, sc); 568a8e1175bSopenharmony_ci} 569a8e1175bSopenharmony_ci 570a8e1175bSopenharmony_cistatic void 571a8e1175bSopenharmony_ciHacl_EC_AddAndDouble_fmonty( 572a8e1175bSopenharmony_ci uint64_t *pp, 573a8e1175bSopenharmony_ci uint64_t *ppq, 574a8e1175bSopenharmony_ci uint64_t *p, 575a8e1175bSopenharmony_ci uint64_t *pq, 576a8e1175bSopenharmony_ci uint64_t *qmqp 577a8e1175bSopenharmony_ci) 578a8e1175bSopenharmony_ci{ 579a8e1175bSopenharmony_ci uint64_t *qx = qmqp; 580a8e1175bSopenharmony_ci uint64_t *x2 = pp; 581a8e1175bSopenharmony_ci uint64_t *z2 = pp + (uint32_t)5U; 582a8e1175bSopenharmony_ci uint64_t *x3 = ppq; 583a8e1175bSopenharmony_ci uint64_t *z3 = ppq + (uint32_t)5U; 584a8e1175bSopenharmony_ci uint64_t *x = p; 585a8e1175bSopenharmony_ci uint64_t *z = p + (uint32_t)5U; 586a8e1175bSopenharmony_ci uint64_t *xprime = pq; 587a8e1175bSopenharmony_ci uint64_t *zprime = pq + (uint32_t)5U; 588a8e1175bSopenharmony_ci uint64_t buf[40U] = { 0U }; 589a8e1175bSopenharmony_ci uint64_t *origx = buf; 590a8e1175bSopenharmony_ci uint64_t *origxprime0 = buf + (uint32_t)5U; 591a8e1175bSopenharmony_ci uint64_t *xxprime0 = buf + (uint32_t)25U; 592a8e1175bSopenharmony_ci uint64_t *zzprime0 = buf + (uint32_t)30U; 593a8e1175bSopenharmony_ci uint64_t *origxprime; 594a8e1175bSopenharmony_ci uint64_t *xx0; 595a8e1175bSopenharmony_ci uint64_t *zz0; 596a8e1175bSopenharmony_ci uint64_t *xxprime; 597a8e1175bSopenharmony_ci uint64_t *zzprime; 598a8e1175bSopenharmony_ci uint64_t *zzzprime; 599a8e1175bSopenharmony_ci uint64_t *zzz; 600a8e1175bSopenharmony_ci uint64_t *xx; 601a8e1175bSopenharmony_ci uint64_t *zz; 602a8e1175bSopenharmony_ci uint64_t scalar; 603a8e1175bSopenharmony_ci memcpy(origx, x, (uint32_t)5U * sizeof x[0U]); 604a8e1175bSopenharmony_ci Hacl_Bignum_fsum(x, z); 605a8e1175bSopenharmony_ci Hacl_Bignum_fdifference(z, origx); 606a8e1175bSopenharmony_ci memcpy(origxprime0, xprime, (uint32_t)5U * sizeof xprime[0U]); 607a8e1175bSopenharmony_ci Hacl_Bignum_fsum(xprime, zprime); 608a8e1175bSopenharmony_ci Hacl_Bignum_fdifference(zprime, origxprime0); 609a8e1175bSopenharmony_ci Hacl_Bignum_fmul(xxprime0, xprime, z); 610a8e1175bSopenharmony_ci Hacl_Bignum_fmul(zzprime0, x, zprime); 611a8e1175bSopenharmony_ci origxprime = buf + (uint32_t)5U; 612a8e1175bSopenharmony_ci xx0 = buf + (uint32_t)15U; 613a8e1175bSopenharmony_ci zz0 = buf + (uint32_t)20U; 614a8e1175bSopenharmony_ci xxprime = buf + (uint32_t)25U; 615a8e1175bSopenharmony_ci zzprime = buf + (uint32_t)30U; 616a8e1175bSopenharmony_ci zzzprime = buf + (uint32_t)35U; 617a8e1175bSopenharmony_ci memcpy(origxprime, xxprime, (uint32_t)5U * sizeof xxprime[0U]); 618a8e1175bSopenharmony_ci Hacl_Bignum_fsum(xxprime, zzprime); 619a8e1175bSopenharmony_ci Hacl_Bignum_fdifference(zzprime, origxprime); 620a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(x3, xxprime, (uint32_t)1U); 621a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(zzzprime, zzprime, (uint32_t)1U); 622a8e1175bSopenharmony_ci Hacl_Bignum_fmul(z3, zzzprime, qx); 623a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(xx0, x, (uint32_t)1U); 624a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(zz0, z, (uint32_t)1U); 625a8e1175bSopenharmony_ci zzz = buf + (uint32_t)10U; 626a8e1175bSopenharmony_ci xx = buf + (uint32_t)15U; 627a8e1175bSopenharmony_ci zz = buf + (uint32_t)20U; 628a8e1175bSopenharmony_ci Hacl_Bignum_fmul(x2, xx, zz); 629a8e1175bSopenharmony_ci Hacl_Bignum_fdifference(zz, xx); 630a8e1175bSopenharmony_ci scalar = (uint64_t)121665U; 631a8e1175bSopenharmony_ci Hacl_Bignum_fscalar(zzz, zz, scalar); 632a8e1175bSopenharmony_ci Hacl_Bignum_fsum(zzz, xx); 633a8e1175bSopenharmony_ci Hacl_Bignum_fmul(z2, zzz, zz); 634a8e1175bSopenharmony_ci} 635a8e1175bSopenharmony_ci 636a8e1175bSopenharmony_cistatic void 637a8e1175bSopenharmony_ciHacl_EC_Ladder_SmallLoop_cmult_small_loop_step( 638a8e1175bSopenharmony_ci uint64_t *nq, 639a8e1175bSopenharmony_ci uint64_t *nqpq, 640a8e1175bSopenharmony_ci uint64_t *nq2, 641a8e1175bSopenharmony_ci uint64_t *nqpq2, 642a8e1175bSopenharmony_ci uint64_t *q, 643a8e1175bSopenharmony_ci uint8_t byt 644a8e1175bSopenharmony_ci) 645a8e1175bSopenharmony_ci{ 646a8e1175bSopenharmony_ci uint64_t bit0 = (uint64_t)(byt >> (uint32_t)7U); 647a8e1175bSopenharmony_ci uint64_t bit; 648a8e1175bSopenharmony_ci Hacl_EC_Point_swap_conditional(nq, nqpq, bit0); 649a8e1175bSopenharmony_ci Hacl_EC_AddAndDouble_fmonty(nq2, nqpq2, nq, nqpq, q); 650a8e1175bSopenharmony_ci bit = (uint64_t)(byt >> (uint32_t)7U); 651a8e1175bSopenharmony_ci Hacl_EC_Point_swap_conditional(nq2, nqpq2, bit); 652a8e1175bSopenharmony_ci} 653a8e1175bSopenharmony_ci 654a8e1175bSopenharmony_cistatic void 655a8e1175bSopenharmony_ciHacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step( 656a8e1175bSopenharmony_ci uint64_t *nq, 657a8e1175bSopenharmony_ci uint64_t *nqpq, 658a8e1175bSopenharmony_ci uint64_t *nq2, 659a8e1175bSopenharmony_ci uint64_t *nqpq2, 660a8e1175bSopenharmony_ci uint64_t *q, 661a8e1175bSopenharmony_ci uint8_t byt 662a8e1175bSopenharmony_ci) 663a8e1175bSopenharmony_ci{ 664a8e1175bSopenharmony_ci uint8_t byt1; 665a8e1175bSopenharmony_ci Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq, nqpq, nq2, nqpq2, q, byt); 666a8e1175bSopenharmony_ci byt1 = byt << (uint32_t)1U; 667a8e1175bSopenharmony_ci Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq2, nqpq2, nq, nqpq, q, byt1); 668a8e1175bSopenharmony_ci} 669a8e1175bSopenharmony_ci 670a8e1175bSopenharmony_cistatic void 671a8e1175bSopenharmony_ciHacl_EC_Ladder_SmallLoop_cmult_small_loop( 672a8e1175bSopenharmony_ci uint64_t *nq, 673a8e1175bSopenharmony_ci uint64_t *nqpq, 674a8e1175bSopenharmony_ci uint64_t *nq2, 675a8e1175bSopenharmony_ci uint64_t *nqpq2, 676a8e1175bSopenharmony_ci uint64_t *q, 677a8e1175bSopenharmony_ci uint8_t byt, 678a8e1175bSopenharmony_ci uint32_t i 679a8e1175bSopenharmony_ci) 680a8e1175bSopenharmony_ci{ 681a8e1175bSopenharmony_ci if (!(i == (uint32_t)0U)) 682a8e1175bSopenharmony_ci { 683a8e1175bSopenharmony_ci uint32_t i_ = i - (uint32_t)1U; 684a8e1175bSopenharmony_ci uint8_t byt_; 685a8e1175bSopenharmony_ci Hacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step(nq, nqpq, nq2, nqpq2, q, byt); 686a8e1175bSopenharmony_ci byt_ = byt << (uint32_t)2U; 687a8e1175bSopenharmony_ci Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byt_, i_); 688a8e1175bSopenharmony_ci } 689a8e1175bSopenharmony_ci} 690a8e1175bSopenharmony_ci 691a8e1175bSopenharmony_cistatic void 692a8e1175bSopenharmony_ciHacl_EC_Ladder_BigLoop_cmult_big_loop( 693a8e1175bSopenharmony_ci uint8_t *n1, 694a8e1175bSopenharmony_ci uint64_t *nq, 695a8e1175bSopenharmony_ci uint64_t *nqpq, 696a8e1175bSopenharmony_ci uint64_t *nq2, 697a8e1175bSopenharmony_ci uint64_t *nqpq2, 698a8e1175bSopenharmony_ci uint64_t *q, 699a8e1175bSopenharmony_ci uint32_t i 700a8e1175bSopenharmony_ci) 701a8e1175bSopenharmony_ci{ 702a8e1175bSopenharmony_ci if (!(i == (uint32_t)0U)) 703a8e1175bSopenharmony_ci { 704a8e1175bSopenharmony_ci uint32_t i1 = i - (uint32_t)1U; 705a8e1175bSopenharmony_ci uint8_t byte = n1[i1]; 706a8e1175bSopenharmony_ci Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byte, (uint32_t)4U); 707a8e1175bSopenharmony_ci Hacl_EC_Ladder_BigLoop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, i1); 708a8e1175bSopenharmony_ci } 709a8e1175bSopenharmony_ci} 710a8e1175bSopenharmony_ci 711a8e1175bSopenharmony_cistatic void Hacl_EC_Ladder_cmult(uint64_t *result, uint8_t *n1, uint64_t *q) 712a8e1175bSopenharmony_ci{ 713a8e1175bSopenharmony_ci uint64_t point_buf[40U] = { 0U }; 714a8e1175bSopenharmony_ci uint64_t *nq = point_buf; 715a8e1175bSopenharmony_ci uint64_t *nqpq = point_buf + (uint32_t)10U; 716a8e1175bSopenharmony_ci uint64_t *nq2 = point_buf + (uint32_t)20U; 717a8e1175bSopenharmony_ci uint64_t *nqpq2 = point_buf + (uint32_t)30U; 718a8e1175bSopenharmony_ci Hacl_EC_Point_copy(nqpq, q); 719a8e1175bSopenharmony_ci nq[0U] = (uint64_t)1U; 720a8e1175bSopenharmony_ci Hacl_EC_Ladder_BigLoop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, (uint32_t)32U); 721a8e1175bSopenharmony_ci Hacl_EC_Point_copy(result, nq); 722a8e1175bSopenharmony_ci} 723a8e1175bSopenharmony_ci 724a8e1175bSopenharmony_civoid Hacl_Curve25519_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint) 725a8e1175bSopenharmony_ci{ 726a8e1175bSopenharmony_ci uint64_t buf0[10U] = { 0U }; 727a8e1175bSopenharmony_ci uint64_t *x0 = buf0; 728a8e1175bSopenharmony_ci uint64_t *z = buf0 + (uint32_t)5U; 729a8e1175bSopenharmony_ci uint64_t *q; 730a8e1175bSopenharmony_ci Hacl_EC_Format_fexpand(x0, basepoint); 731a8e1175bSopenharmony_ci z[0U] = (uint64_t)1U; 732a8e1175bSopenharmony_ci q = buf0; 733a8e1175bSopenharmony_ci { 734a8e1175bSopenharmony_ci uint8_t e[32U] = { 0U }; 735a8e1175bSopenharmony_ci uint8_t e0; 736a8e1175bSopenharmony_ci uint8_t e31; 737a8e1175bSopenharmony_ci uint8_t e01; 738a8e1175bSopenharmony_ci uint8_t e311; 739a8e1175bSopenharmony_ci uint8_t e312; 740a8e1175bSopenharmony_ci uint8_t *scalar; 741a8e1175bSopenharmony_ci memcpy(e, secret, (uint32_t)32U * sizeof secret[0U]); 742a8e1175bSopenharmony_ci e0 = e[0U]; 743a8e1175bSopenharmony_ci e31 = e[31U]; 744a8e1175bSopenharmony_ci e01 = e0 & (uint8_t)248U; 745a8e1175bSopenharmony_ci e311 = e31 & (uint8_t)127U; 746a8e1175bSopenharmony_ci e312 = e311 | (uint8_t)64U; 747a8e1175bSopenharmony_ci e[0U] = e01; 748a8e1175bSopenharmony_ci e[31U] = e312; 749a8e1175bSopenharmony_ci scalar = e; 750a8e1175bSopenharmony_ci { 751a8e1175bSopenharmony_ci uint64_t buf[15U] = { 0U }; 752a8e1175bSopenharmony_ci uint64_t *nq = buf; 753a8e1175bSopenharmony_ci uint64_t *x = nq; 754a8e1175bSopenharmony_ci x[0U] = (uint64_t)1U; 755a8e1175bSopenharmony_ci Hacl_EC_Ladder_cmult(nq, scalar, q); 756a8e1175bSopenharmony_ci Hacl_EC_Format_scalar_of_point(mypublic, nq); 757a8e1175bSopenharmony_ci } 758a8e1175bSopenharmony_ci } 759a8e1175bSopenharmony_ci} 760a8e1175bSopenharmony_ci 761