1a8e1175bSopenharmony_ci/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. 2a8e1175bSopenharmony_ci Licensed under the Apache 2.0 License. */ 3a8e1175bSopenharmony_ci 4a8e1175bSopenharmony_ci/* This file was generated by KreMLin <https://github.com/FStarLang/kremlin> 5a8e1175bSopenharmony_ci * KreMLin invocation: /mnt/e/everest/verify/kremlin/krml -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrcLh -minimal -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrcLh -minimal -I /mnt/e/everest/verify/hacl-star/code/lib/kremlin -I /mnt/e/everest/verify/kremlin/kremlib/compat -I /mnt/e/everest/verify/hacl-star/specs -I /mnt/e/everest/verify/hacl-star/specs/old -I . -ccopt -march=native -verbose -ldopt -flto -tmpdir x25519-c -I ../bignum -bundle Hacl.Curve25519=* -minimal -add-include "kremlib.h" -skip-compilation x25519-c/out.krml -o x25519-c/Hacl_Curve25519.c 6a8e1175bSopenharmony_ci * F* version: 059db0c8 7a8e1175bSopenharmony_ci * KreMLin version: 916c37ac 8a8e1175bSopenharmony_ci */ 9a8e1175bSopenharmony_ci 10a8e1175bSopenharmony_ci 11a8e1175bSopenharmony_ci#include "Hacl_Curve25519.h" 12a8e1175bSopenharmony_ci 13a8e1175bSopenharmony_ciextern uint64_t FStar_UInt64_eq_mask(uint64_t x0, uint64_t x1); 14a8e1175bSopenharmony_ci 15a8e1175bSopenharmony_ciextern uint64_t FStar_UInt64_gte_mask(uint64_t x0, uint64_t x1); 16a8e1175bSopenharmony_ci 17a8e1175bSopenharmony_ciextern FStar_UInt128_uint128 18a8e1175bSopenharmony_ciFStar_UInt128_add(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1); 19a8e1175bSopenharmony_ci 20a8e1175bSopenharmony_ciextern FStar_UInt128_uint128 21a8e1175bSopenharmony_ciFStar_UInt128_add_mod(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1); 22a8e1175bSopenharmony_ci 23a8e1175bSopenharmony_ciextern FStar_UInt128_uint128 24a8e1175bSopenharmony_ciFStar_UInt128_logand(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1); 25a8e1175bSopenharmony_ci 26a8e1175bSopenharmony_ciextern FStar_UInt128_uint128 FStar_UInt128_shift_right(FStar_UInt128_uint128 x0, uint32_t x1); 27a8e1175bSopenharmony_ci 28a8e1175bSopenharmony_ciextern FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t x0); 29a8e1175bSopenharmony_ci 30a8e1175bSopenharmony_ciextern uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 x0); 31a8e1175bSopenharmony_ci 32a8e1175bSopenharmony_ciextern FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x0, uint64_t x1); 33a8e1175bSopenharmony_ci 34a8e1175bSopenharmony_cistatic void Hacl_Bignum_Modulo_carry_top(uint64_t *b) 35a8e1175bSopenharmony_ci{ 36a8e1175bSopenharmony_ci uint64_t b4 = b[4U]; 37a8e1175bSopenharmony_ci uint64_t b0 = b[0U]; 38a8e1175bSopenharmony_ci uint64_t b4_ = b4 & (uint64_t)0x7ffffffffffffU; 39a8e1175bSopenharmony_ci uint64_t b0_ = b0 + (uint64_t)19U * (b4 >> (uint32_t)51U); 40a8e1175bSopenharmony_ci b[4U] = b4_; 41a8e1175bSopenharmony_ci b[0U] = b0_; 42a8e1175bSopenharmony_ci} 43a8e1175bSopenharmony_ci 44a8e1175bSopenharmony_ciinline static void 45a8e1175bSopenharmony_ciHacl_Bignum_Fproduct_copy_from_wide_(uint64_t *output, FStar_UInt128_uint128 *input) 46a8e1175bSopenharmony_ci{ 47a8e1175bSopenharmony_ci uint32_t i; 48a8e1175bSopenharmony_ci for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) 49a8e1175bSopenharmony_ci { 50a8e1175bSopenharmony_ci FStar_UInt128_uint128 xi = input[i]; 51a8e1175bSopenharmony_ci output[i] = FStar_UInt128_uint128_to_uint64(xi); 52a8e1175bSopenharmony_ci } 53a8e1175bSopenharmony_ci} 54a8e1175bSopenharmony_ci 55a8e1175bSopenharmony_ciinline static void 56a8e1175bSopenharmony_ciHacl_Bignum_Fproduct_sum_scalar_multiplication_( 57a8e1175bSopenharmony_ci FStar_UInt128_uint128 *output, 58a8e1175bSopenharmony_ci uint64_t *input, 59a8e1175bSopenharmony_ci uint64_t s 60a8e1175bSopenharmony_ci) 61a8e1175bSopenharmony_ci{ 62a8e1175bSopenharmony_ci uint32_t i; 63a8e1175bSopenharmony_ci for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) 64a8e1175bSopenharmony_ci { 65a8e1175bSopenharmony_ci FStar_UInt128_uint128 xi = output[i]; 66a8e1175bSopenharmony_ci uint64_t yi = input[i]; 67a8e1175bSopenharmony_ci output[i] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s)); 68a8e1175bSopenharmony_ci } 69a8e1175bSopenharmony_ci} 70a8e1175bSopenharmony_ci 71a8e1175bSopenharmony_ciinline static void Hacl_Bignum_Fproduct_carry_wide_(FStar_UInt128_uint128 *tmp) 72a8e1175bSopenharmony_ci{ 73a8e1175bSopenharmony_ci uint32_t i; 74a8e1175bSopenharmony_ci for (i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) 75a8e1175bSopenharmony_ci { 76a8e1175bSopenharmony_ci uint32_t ctr = i; 77a8e1175bSopenharmony_ci FStar_UInt128_uint128 tctr = tmp[ctr]; 78a8e1175bSopenharmony_ci FStar_UInt128_uint128 tctrp1 = tmp[ctr + (uint32_t)1U]; 79a8e1175bSopenharmony_ci uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU; 80a8e1175bSopenharmony_ci FStar_UInt128_uint128 c = FStar_UInt128_shift_right(tctr, (uint32_t)51U); 81a8e1175bSopenharmony_ci tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0); 82a8e1175bSopenharmony_ci tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c); 83a8e1175bSopenharmony_ci } 84a8e1175bSopenharmony_ci} 85a8e1175bSopenharmony_ci 86a8e1175bSopenharmony_ciinline static void Hacl_Bignum_Fmul_shift_reduce(uint64_t *output) 87a8e1175bSopenharmony_ci{ 88a8e1175bSopenharmony_ci uint64_t tmp = output[4U]; 89a8e1175bSopenharmony_ci uint64_t b0; 90a8e1175bSopenharmony_ci { 91a8e1175bSopenharmony_ci uint32_t i; 92a8e1175bSopenharmony_ci for (i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) 93a8e1175bSopenharmony_ci { 94a8e1175bSopenharmony_ci uint32_t ctr = (uint32_t)5U - i - (uint32_t)1U; 95a8e1175bSopenharmony_ci uint64_t z = output[ctr - (uint32_t)1U]; 96a8e1175bSopenharmony_ci output[ctr] = z; 97a8e1175bSopenharmony_ci } 98a8e1175bSopenharmony_ci } 99a8e1175bSopenharmony_ci output[0U] = tmp; 100a8e1175bSopenharmony_ci b0 = output[0U]; 101a8e1175bSopenharmony_ci output[0U] = (uint64_t)19U * b0; 102a8e1175bSopenharmony_ci} 103a8e1175bSopenharmony_ci 104a8e1175bSopenharmony_cistatic void 105a8e1175bSopenharmony_ciHacl_Bignum_Fmul_mul_shift_reduce_( 106a8e1175bSopenharmony_ci FStar_UInt128_uint128 *output, 107a8e1175bSopenharmony_ci uint64_t *input, 108a8e1175bSopenharmony_ci uint64_t *input2 109a8e1175bSopenharmony_ci) 110a8e1175bSopenharmony_ci{ 111a8e1175bSopenharmony_ci uint32_t i; 112a8e1175bSopenharmony_ci uint64_t input2i; 113a8e1175bSopenharmony_ci { 114a8e1175bSopenharmony_ci uint32_t i0; 115a8e1175bSopenharmony_ci for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0 = i0 + (uint32_t)1U) 116a8e1175bSopenharmony_ci { 117a8e1175bSopenharmony_ci uint64_t input2i0 = input2[i0]; 118a8e1175bSopenharmony_ci Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i0); 119a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_shift_reduce(input); 120a8e1175bSopenharmony_ci } 121a8e1175bSopenharmony_ci } 122a8e1175bSopenharmony_ci i = (uint32_t)4U; 123a8e1175bSopenharmony_ci input2i = input2[i]; 124a8e1175bSopenharmony_ci Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i); 125a8e1175bSopenharmony_ci} 126a8e1175bSopenharmony_ci 127a8e1175bSopenharmony_ciinline static void Hacl_Bignum_Fmul_fmul(uint64_t *output, uint64_t *input, uint64_t *input2) 128a8e1175bSopenharmony_ci{ 129a8e1175bSopenharmony_ci uint64_t tmp[5U] = { 0U }; 130a8e1175bSopenharmony_ci memcpy(tmp, input, (uint32_t)5U * sizeof input[0U]); 131a8e1175bSopenharmony_ci KRML_CHECK_SIZE(sizeof (FStar_UInt128_uint128), (uint32_t)5U); 132a8e1175bSopenharmony_ci { 133a8e1175bSopenharmony_ci FStar_UInt128_uint128 t[5U]; 134a8e1175bSopenharmony_ci { 135a8e1175bSopenharmony_ci uint32_t _i; 136a8e1175bSopenharmony_ci for (_i = 0U; _i < (uint32_t)5U; ++_i) 137a8e1175bSopenharmony_ci t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); 138a8e1175bSopenharmony_ci } 139a8e1175bSopenharmony_ci { 140a8e1175bSopenharmony_ci FStar_UInt128_uint128 b4; 141a8e1175bSopenharmony_ci FStar_UInt128_uint128 b0; 142a8e1175bSopenharmony_ci FStar_UInt128_uint128 b4_; 143a8e1175bSopenharmony_ci FStar_UInt128_uint128 b0_; 144a8e1175bSopenharmony_ci uint64_t i0; 145a8e1175bSopenharmony_ci uint64_t i1; 146a8e1175bSopenharmony_ci uint64_t i0_; 147a8e1175bSopenharmony_ci uint64_t i1_; 148a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input2); 149a8e1175bSopenharmony_ci Hacl_Bignum_Fproduct_carry_wide_(t); 150a8e1175bSopenharmony_ci b4 = t[4U]; 151a8e1175bSopenharmony_ci b0 = t[0U]; 152a8e1175bSopenharmony_ci b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU)); 153a8e1175bSopenharmony_ci b0_ = 154a8e1175bSopenharmony_ci FStar_UInt128_add(b0, 155a8e1175bSopenharmony_ci FStar_UInt128_mul_wide((uint64_t)19U, 156a8e1175bSopenharmony_ci FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U)))); 157a8e1175bSopenharmony_ci t[4U] = b4_; 158a8e1175bSopenharmony_ci t[0U] = b0_; 159a8e1175bSopenharmony_ci Hacl_Bignum_Fproduct_copy_from_wide_(output, t); 160a8e1175bSopenharmony_ci i0 = output[0U]; 161a8e1175bSopenharmony_ci i1 = output[1U]; 162a8e1175bSopenharmony_ci i0_ = i0 & (uint64_t)0x7ffffffffffffU; 163a8e1175bSopenharmony_ci i1_ = i1 + (i0 >> (uint32_t)51U); 164a8e1175bSopenharmony_ci output[0U] = i0_; 165a8e1175bSopenharmony_ci output[1U] = i1_; 166a8e1175bSopenharmony_ci } 167a8e1175bSopenharmony_ci } 168a8e1175bSopenharmony_ci} 169a8e1175bSopenharmony_ci 170a8e1175bSopenharmony_ciinline static void Hacl_Bignum_Fsquare_fsquare__(FStar_UInt128_uint128 *tmp, uint64_t *output) 171a8e1175bSopenharmony_ci{ 172a8e1175bSopenharmony_ci uint64_t r0 = output[0U]; 173a8e1175bSopenharmony_ci uint64_t r1 = output[1U]; 174a8e1175bSopenharmony_ci uint64_t r2 = output[2U]; 175a8e1175bSopenharmony_ci uint64_t r3 = output[3U]; 176a8e1175bSopenharmony_ci uint64_t r4 = output[4U]; 177a8e1175bSopenharmony_ci uint64_t d0 = r0 * (uint64_t)2U; 178a8e1175bSopenharmony_ci uint64_t d1 = r1 * (uint64_t)2U; 179a8e1175bSopenharmony_ci uint64_t d2 = r2 * (uint64_t)2U * (uint64_t)19U; 180a8e1175bSopenharmony_ci uint64_t d419 = r4 * (uint64_t)19U; 181a8e1175bSopenharmony_ci uint64_t d4 = d419 * (uint64_t)2U; 182a8e1175bSopenharmony_ci FStar_UInt128_uint128 183a8e1175bSopenharmony_ci s0 = 184a8e1175bSopenharmony_ci FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(r0, r0), 185a8e1175bSopenharmony_ci FStar_UInt128_mul_wide(d4, r1)), 186a8e1175bSopenharmony_ci FStar_UInt128_mul_wide(d2, r3)); 187a8e1175bSopenharmony_ci FStar_UInt128_uint128 188a8e1175bSopenharmony_ci s1 = 189a8e1175bSopenharmony_ci FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r1), 190a8e1175bSopenharmony_ci FStar_UInt128_mul_wide(d4, r2)), 191a8e1175bSopenharmony_ci FStar_UInt128_mul_wide(r3 * (uint64_t)19U, r3)); 192a8e1175bSopenharmony_ci FStar_UInt128_uint128 193a8e1175bSopenharmony_ci s2 = 194a8e1175bSopenharmony_ci FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r2), 195a8e1175bSopenharmony_ci FStar_UInt128_mul_wide(r1, r1)), 196a8e1175bSopenharmony_ci FStar_UInt128_mul_wide(d4, r3)); 197a8e1175bSopenharmony_ci FStar_UInt128_uint128 198a8e1175bSopenharmony_ci s3 = 199a8e1175bSopenharmony_ci FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r3), 200a8e1175bSopenharmony_ci FStar_UInt128_mul_wide(d1, r2)), 201a8e1175bSopenharmony_ci FStar_UInt128_mul_wide(r4, d419)); 202a8e1175bSopenharmony_ci FStar_UInt128_uint128 203a8e1175bSopenharmony_ci s4 = 204a8e1175bSopenharmony_ci FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r4), 205a8e1175bSopenharmony_ci FStar_UInt128_mul_wide(d1, r3)), 206a8e1175bSopenharmony_ci FStar_UInt128_mul_wide(r2, r2)); 207a8e1175bSopenharmony_ci tmp[0U] = s0; 208a8e1175bSopenharmony_ci tmp[1U] = s1; 209a8e1175bSopenharmony_ci tmp[2U] = s2; 210a8e1175bSopenharmony_ci tmp[3U] = s3; 211a8e1175bSopenharmony_ci tmp[4U] = s4; 212a8e1175bSopenharmony_ci} 213a8e1175bSopenharmony_ci 214a8e1175bSopenharmony_ciinline static void Hacl_Bignum_Fsquare_fsquare_(FStar_UInt128_uint128 *tmp, uint64_t *output) 215a8e1175bSopenharmony_ci{ 216a8e1175bSopenharmony_ci FStar_UInt128_uint128 b4; 217a8e1175bSopenharmony_ci FStar_UInt128_uint128 b0; 218a8e1175bSopenharmony_ci FStar_UInt128_uint128 b4_; 219a8e1175bSopenharmony_ci FStar_UInt128_uint128 b0_; 220a8e1175bSopenharmony_ci uint64_t i0; 221a8e1175bSopenharmony_ci uint64_t i1; 222a8e1175bSopenharmony_ci uint64_t i0_; 223a8e1175bSopenharmony_ci uint64_t i1_; 224a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare__(tmp, output); 225a8e1175bSopenharmony_ci Hacl_Bignum_Fproduct_carry_wide_(tmp); 226a8e1175bSopenharmony_ci b4 = tmp[4U]; 227a8e1175bSopenharmony_ci b0 = tmp[0U]; 228a8e1175bSopenharmony_ci b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU)); 229a8e1175bSopenharmony_ci b0_ = 230a8e1175bSopenharmony_ci FStar_UInt128_add(b0, 231a8e1175bSopenharmony_ci FStar_UInt128_mul_wide((uint64_t)19U, 232a8e1175bSopenharmony_ci FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U)))); 233a8e1175bSopenharmony_ci tmp[4U] = b4_; 234a8e1175bSopenharmony_ci tmp[0U] = b0_; 235a8e1175bSopenharmony_ci Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp); 236a8e1175bSopenharmony_ci i0 = output[0U]; 237a8e1175bSopenharmony_ci i1 = output[1U]; 238a8e1175bSopenharmony_ci i0_ = i0 & (uint64_t)0x7ffffffffffffU; 239a8e1175bSopenharmony_ci i1_ = i1 + (i0 >> (uint32_t)51U); 240a8e1175bSopenharmony_ci output[0U] = i0_; 241a8e1175bSopenharmony_ci output[1U] = i1_; 242a8e1175bSopenharmony_ci} 243a8e1175bSopenharmony_ci 244a8e1175bSopenharmony_cistatic void 245a8e1175bSopenharmony_ciHacl_Bignum_Fsquare_fsquare_times_( 246a8e1175bSopenharmony_ci uint64_t *input, 247a8e1175bSopenharmony_ci FStar_UInt128_uint128 *tmp, 248a8e1175bSopenharmony_ci uint32_t count1 249a8e1175bSopenharmony_ci) 250a8e1175bSopenharmony_ci{ 251a8e1175bSopenharmony_ci uint32_t i; 252a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_(tmp, input); 253a8e1175bSopenharmony_ci for (i = (uint32_t)1U; i < count1; i = i + (uint32_t)1U) 254a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_(tmp, input); 255a8e1175bSopenharmony_ci} 256a8e1175bSopenharmony_ci 257a8e1175bSopenharmony_ciinline static void 258a8e1175bSopenharmony_ciHacl_Bignum_Fsquare_fsquare_times(uint64_t *output, uint64_t *input, uint32_t count1) 259a8e1175bSopenharmony_ci{ 260a8e1175bSopenharmony_ci KRML_CHECK_SIZE(sizeof (FStar_UInt128_uint128), (uint32_t)5U); 261a8e1175bSopenharmony_ci { 262a8e1175bSopenharmony_ci FStar_UInt128_uint128 t[5U]; 263a8e1175bSopenharmony_ci { 264a8e1175bSopenharmony_ci uint32_t _i; 265a8e1175bSopenharmony_ci for (_i = 0U; _i < (uint32_t)5U; ++_i) 266a8e1175bSopenharmony_ci t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); 267a8e1175bSopenharmony_ci } 268a8e1175bSopenharmony_ci memcpy(output, input, (uint32_t)5U * sizeof input[0U]); 269a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1); 270a8e1175bSopenharmony_ci } 271a8e1175bSopenharmony_ci} 272a8e1175bSopenharmony_ci 273a8e1175bSopenharmony_ciinline static void Hacl_Bignum_Fsquare_fsquare_times_inplace(uint64_t *output, uint32_t count1) 274a8e1175bSopenharmony_ci{ 275a8e1175bSopenharmony_ci KRML_CHECK_SIZE(sizeof (FStar_UInt128_uint128), (uint32_t)5U); 276a8e1175bSopenharmony_ci { 277a8e1175bSopenharmony_ci FStar_UInt128_uint128 t[5U]; 278a8e1175bSopenharmony_ci { 279a8e1175bSopenharmony_ci uint32_t _i; 280a8e1175bSopenharmony_ci for (_i = 0U; _i < (uint32_t)5U; ++_i) 281a8e1175bSopenharmony_ci t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); 282a8e1175bSopenharmony_ci } 283a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1); 284a8e1175bSopenharmony_ci } 285a8e1175bSopenharmony_ci} 286a8e1175bSopenharmony_ci 287a8e1175bSopenharmony_ciinline static void Hacl_Bignum_Crecip_crecip(uint64_t *out, uint64_t *z) 288a8e1175bSopenharmony_ci{ 289a8e1175bSopenharmony_ci uint64_t buf[20U] = { 0U }; 290a8e1175bSopenharmony_ci uint64_t *a0 = buf; 291a8e1175bSopenharmony_ci uint64_t *t00 = buf + (uint32_t)5U; 292a8e1175bSopenharmony_ci uint64_t *b0 = buf + (uint32_t)10U; 293a8e1175bSopenharmony_ci uint64_t *t01; 294a8e1175bSopenharmony_ci uint64_t *b1; 295a8e1175bSopenharmony_ci uint64_t *c0; 296a8e1175bSopenharmony_ci uint64_t *a; 297a8e1175bSopenharmony_ci uint64_t *t0; 298a8e1175bSopenharmony_ci uint64_t *b; 299a8e1175bSopenharmony_ci uint64_t *c; 300a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(a0, z, (uint32_t)1U); 301a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(t00, a0, (uint32_t)2U); 302a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(b0, t00, z); 303a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(a0, b0, a0); 304a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(t00, a0, (uint32_t)1U); 305a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(b0, t00, b0); 306a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(t00, b0, (uint32_t)5U); 307a8e1175bSopenharmony_ci t01 = buf + (uint32_t)5U; 308a8e1175bSopenharmony_ci b1 = buf + (uint32_t)10U; 309a8e1175bSopenharmony_ci c0 = buf + (uint32_t)15U; 310a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(b1, t01, b1); 311a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)10U); 312a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(c0, t01, b1); 313a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(t01, c0, (uint32_t)20U); 314a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(t01, t01, c0); 315a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times_inplace(t01, (uint32_t)10U); 316a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(b1, t01, b1); 317a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)50U); 318a8e1175bSopenharmony_ci a = buf; 319a8e1175bSopenharmony_ci t0 = buf + (uint32_t)5U; 320a8e1175bSopenharmony_ci b = buf + (uint32_t)10U; 321a8e1175bSopenharmony_ci c = buf + (uint32_t)15U; 322a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(c, t0, b); 323a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(t0, c, (uint32_t)100U); 324a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(t0, t0, c); 325a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)50U); 326a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(t0, t0, b); 327a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)5U); 328a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(out, t0, a); 329a8e1175bSopenharmony_ci} 330a8e1175bSopenharmony_ci 331a8e1175bSopenharmony_ciinline static void Hacl_Bignum_fsum(uint64_t *a, uint64_t *b) 332a8e1175bSopenharmony_ci{ 333a8e1175bSopenharmony_ci uint32_t i; 334a8e1175bSopenharmony_ci for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) 335a8e1175bSopenharmony_ci { 336a8e1175bSopenharmony_ci uint64_t xi = a[i]; 337a8e1175bSopenharmony_ci uint64_t yi = b[i]; 338a8e1175bSopenharmony_ci a[i] = xi + yi; 339a8e1175bSopenharmony_ci } 340a8e1175bSopenharmony_ci} 341a8e1175bSopenharmony_ci 342a8e1175bSopenharmony_ciinline static void Hacl_Bignum_fdifference(uint64_t *a, uint64_t *b) 343a8e1175bSopenharmony_ci{ 344a8e1175bSopenharmony_ci uint64_t tmp[5U] = { 0U }; 345a8e1175bSopenharmony_ci uint64_t b0; 346a8e1175bSopenharmony_ci uint64_t b1; 347a8e1175bSopenharmony_ci uint64_t b2; 348a8e1175bSopenharmony_ci uint64_t b3; 349a8e1175bSopenharmony_ci uint64_t b4; 350a8e1175bSopenharmony_ci memcpy(tmp, b, (uint32_t)5U * sizeof b[0U]); 351a8e1175bSopenharmony_ci b0 = tmp[0U]; 352a8e1175bSopenharmony_ci b1 = tmp[1U]; 353a8e1175bSopenharmony_ci b2 = tmp[2U]; 354a8e1175bSopenharmony_ci b3 = tmp[3U]; 355a8e1175bSopenharmony_ci b4 = tmp[4U]; 356a8e1175bSopenharmony_ci tmp[0U] = b0 + (uint64_t)0x3fffffffffff68U; 357a8e1175bSopenharmony_ci tmp[1U] = b1 + (uint64_t)0x3ffffffffffff8U; 358a8e1175bSopenharmony_ci tmp[2U] = b2 + (uint64_t)0x3ffffffffffff8U; 359a8e1175bSopenharmony_ci tmp[3U] = b3 + (uint64_t)0x3ffffffffffff8U; 360a8e1175bSopenharmony_ci tmp[4U] = b4 + (uint64_t)0x3ffffffffffff8U; 361a8e1175bSopenharmony_ci { 362a8e1175bSopenharmony_ci uint32_t i; 363a8e1175bSopenharmony_ci for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) 364a8e1175bSopenharmony_ci { 365a8e1175bSopenharmony_ci uint64_t xi = a[i]; 366a8e1175bSopenharmony_ci uint64_t yi = tmp[i]; 367a8e1175bSopenharmony_ci a[i] = yi - xi; 368a8e1175bSopenharmony_ci } 369a8e1175bSopenharmony_ci } 370a8e1175bSopenharmony_ci} 371a8e1175bSopenharmony_ci 372a8e1175bSopenharmony_ciinline static void Hacl_Bignum_fscalar(uint64_t *output, uint64_t *b, uint64_t s) 373a8e1175bSopenharmony_ci{ 374a8e1175bSopenharmony_ci KRML_CHECK_SIZE(sizeof (FStar_UInt128_uint128), (uint32_t)5U); 375a8e1175bSopenharmony_ci { 376a8e1175bSopenharmony_ci FStar_UInt128_uint128 tmp[5U]; 377a8e1175bSopenharmony_ci { 378a8e1175bSopenharmony_ci uint32_t _i; 379a8e1175bSopenharmony_ci for (_i = 0U; _i < (uint32_t)5U; ++_i) 380a8e1175bSopenharmony_ci tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); 381a8e1175bSopenharmony_ci } 382a8e1175bSopenharmony_ci { 383a8e1175bSopenharmony_ci FStar_UInt128_uint128 b4; 384a8e1175bSopenharmony_ci FStar_UInt128_uint128 b0; 385a8e1175bSopenharmony_ci FStar_UInt128_uint128 b4_; 386a8e1175bSopenharmony_ci FStar_UInt128_uint128 b0_; 387a8e1175bSopenharmony_ci { 388a8e1175bSopenharmony_ci uint32_t i; 389a8e1175bSopenharmony_ci for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) 390a8e1175bSopenharmony_ci { 391a8e1175bSopenharmony_ci uint64_t xi = b[i]; 392a8e1175bSopenharmony_ci tmp[i] = FStar_UInt128_mul_wide(xi, s); 393a8e1175bSopenharmony_ci } 394a8e1175bSopenharmony_ci } 395a8e1175bSopenharmony_ci Hacl_Bignum_Fproduct_carry_wide_(tmp); 396a8e1175bSopenharmony_ci b4 = tmp[4U]; 397a8e1175bSopenharmony_ci b0 = tmp[0U]; 398a8e1175bSopenharmony_ci b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU)); 399a8e1175bSopenharmony_ci b0_ = 400a8e1175bSopenharmony_ci FStar_UInt128_add(b0, 401a8e1175bSopenharmony_ci FStar_UInt128_mul_wide((uint64_t)19U, 402a8e1175bSopenharmony_ci FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U)))); 403a8e1175bSopenharmony_ci tmp[4U] = b4_; 404a8e1175bSopenharmony_ci tmp[0U] = b0_; 405a8e1175bSopenharmony_ci Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp); 406a8e1175bSopenharmony_ci } 407a8e1175bSopenharmony_ci } 408a8e1175bSopenharmony_ci} 409a8e1175bSopenharmony_ci 410a8e1175bSopenharmony_ciinline static void Hacl_Bignum_fmul(uint64_t *output, uint64_t *a, uint64_t *b) 411a8e1175bSopenharmony_ci{ 412a8e1175bSopenharmony_ci Hacl_Bignum_Fmul_fmul(output, a, b); 413a8e1175bSopenharmony_ci} 414a8e1175bSopenharmony_ci 415a8e1175bSopenharmony_ciinline static void Hacl_Bignum_crecip(uint64_t *output, uint64_t *input) 416a8e1175bSopenharmony_ci{ 417a8e1175bSopenharmony_ci Hacl_Bignum_Crecip_crecip(output, input); 418a8e1175bSopenharmony_ci} 419a8e1175bSopenharmony_ci 420a8e1175bSopenharmony_cistatic void 421a8e1175bSopenharmony_ciHacl_EC_Point_swap_conditional_step(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr) 422a8e1175bSopenharmony_ci{ 423a8e1175bSopenharmony_ci uint32_t i = ctr - (uint32_t)1U; 424a8e1175bSopenharmony_ci uint64_t ai = a[i]; 425a8e1175bSopenharmony_ci uint64_t bi = b[i]; 426a8e1175bSopenharmony_ci uint64_t x = swap1 & (ai ^ bi); 427a8e1175bSopenharmony_ci uint64_t ai1 = ai ^ x; 428a8e1175bSopenharmony_ci uint64_t bi1 = bi ^ x; 429a8e1175bSopenharmony_ci a[i] = ai1; 430a8e1175bSopenharmony_ci b[i] = bi1; 431a8e1175bSopenharmony_ci} 432a8e1175bSopenharmony_ci 433a8e1175bSopenharmony_cistatic void 434a8e1175bSopenharmony_ciHacl_EC_Point_swap_conditional_(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr) 435a8e1175bSopenharmony_ci{ 436a8e1175bSopenharmony_ci if (!(ctr == (uint32_t)0U)) 437a8e1175bSopenharmony_ci { 438a8e1175bSopenharmony_ci uint32_t i; 439a8e1175bSopenharmony_ci Hacl_EC_Point_swap_conditional_step(a, b, swap1, ctr); 440a8e1175bSopenharmony_ci i = ctr - (uint32_t)1U; 441a8e1175bSopenharmony_ci Hacl_EC_Point_swap_conditional_(a, b, swap1, i); 442a8e1175bSopenharmony_ci } 443a8e1175bSopenharmony_ci} 444a8e1175bSopenharmony_ci 445a8e1175bSopenharmony_cistatic void Hacl_EC_Point_swap_conditional(uint64_t *a, uint64_t *b, uint64_t iswap) 446a8e1175bSopenharmony_ci{ 447a8e1175bSopenharmony_ci uint64_t swap1 = (uint64_t)0U - iswap; 448a8e1175bSopenharmony_ci Hacl_EC_Point_swap_conditional_(a, b, swap1, (uint32_t)5U); 449a8e1175bSopenharmony_ci Hacl_EC_Point_swap_conditional_(a + (uint32_t)5U, b + (uint32_t)5U, swap1, (uint32_t)5U); 450a8e1175bSopenharmony_ci} 451a8e1175bSopenharmony_ci 452a8e1175bSopenharmony_cistatic void Hacl_EC_Point_copy(uint64_t *output, uint64_t *input) 453a8e1175bSopenharmony_ci{ 454a8e1175bSopenharmony_ci memcpy(output, input, (uint32_t)5U * sizeof input[0U]); 455a8e1175bSopenharmony_ci memcpy(output + (uint32_t)5U, 456a8e1175bSopenharmony_ci input + (uint32_t)5U, 457a8e1175bSopenharmony_ci (uint32_t)5U * sizeof (input + (uint32_t)5U)[0U]); 458a8e1175bSopenharmony_ci} 459a8e1175bSopenharmony_ci 460a8e1175bSopenharmony_cistatic void Hacl_EC_Format_fexpand(uint64_t *output, uint8_t *input) 461a8e1175bSopenharmony_ci{ 462a8e1175bSopenharmony_ci uint64_t i0 = load64_le(input); 463a8e1175bSopenharmony_ci uint8_t *x00 = input + (uint32_t)6U; 464a8e1175bSopenharmony_ci uint64_t i1 = load64_le(x00); 465a8e1175bSopenharmony_ci uint8_t *x01 = input + (uint32_t)12U; 466a8e1175bSopenharmony_ci uint64_t i2 = load64_le(x01); 467a8e1175bSopenharmony_ci uint8_t *x02 = input + (uint32_t)19U; 468a8e1175bSopenharmony_ci uint64_t i3 = load64_le(x02); 469a8e1175bSopenharmony_ci uint8_t *x0 = input + (uint32_t)24U; 470a8e1175bSopenharmony_ci uint64_t i4 = load64_le(x0); 471a8e1175bSopenharmony_ci uint64_t output0 = i0 & (uint64_t)0x7ffffffffffffU; 472a8e1175bSopenharmony_ci uint64_t output1 = i1 >> (uint32_t)3U & (uint64_t)0x7ffffffffffffU; 473a8e1175bSopenharmony_ci uint64_t output2 = i2 >> (uint32_t)6U & (uint64_t)0x7ffffffffffffU; 474a8e1175bSopenharmony_ci uint64_t output3 = i3 >> (uint32_t)1U & (uint64_t)0x7ffffffffffffU; 475a8e1175bSopenharmony_ci uint64_t output4 = i4 >> (uint32_t)12U & (uint64_t)0x7ffffffffffffU; 476a8e1175bSopenharmony_ci output[0U] = output0; 477a8e1175bSopenharmony_ci output[1U] = output1; 478a8e1175bSopenharmony_ci output[2U] = output2; 479a8e1175bSopenharmony_ci output[3U] = output3; 480a8e1175bSopenharmony_ci output[4U] = output4; 481a8e1175bSopenharmony_ci} 482a8e1175bSopenharmony_ci 483a8e1175bSopenharmony_cistatic void Hacl_EC_Format_fcontract_first_carry_pass(uint64_t *input) 484a8e1175bSopenharmony_ci{ 485a8e1175bSopenharmony_ci uint64_t t0 = input[0U]; 486a8e1175bSopenharmony_ci uint64_t t1 = input[1U]; 487a8e1175bSopenharmony_ci uint64_t t2 = input[2U]; 488a8e1175bSopenharmony_ci uint64_t t3 = input[3U]; 489a8e1175bSopenharmony_ci uint64_t t4 = input[4U]; 490a8e1175bSopenharmony_ci uint64_t t1_ = t1 + (t0 >> (uint32_t)51U); 491a8e1175bSopenharmony_ci uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU; 492a8e1175bSopenharmony_ci uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U); 493a8e1175bSopenharmony_ci uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU; 494a8e1175bSopenharmony_ci uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U); 495a8e1175bSopenharmony_ci uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU; 496a8e1175bSopenharmony_ci uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U); 497a8e1175bSopenharmony_ci uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU; 498a8e1175bSopenharmony_ci input[0U] = t0_; 499a8e1175bSopenharmony_ci input[1U] = t1__; 500a8e1175bSopenharmony_ci input[2U] = t2__; 501a8e1175bSopenharmony_ci input[3U] = t3__; 502a8e1175bSopenharmony_ci input[4U] = t4_; 503a8e1175bSopenharmony_ci} 504a8e1175bSopenharmony_ci 505a8e1175bSopenharmony_cistatic void Hacl_EC_Format_fcontract_first_carry_full(uint64_t *input) 506a8e1175bSopenharmony_ci{ 507a8e1175bSopenharmony_ci Hacl_EC_Format_fcontract_first_carry_pass(input); 508a8e1175bSopenharmony_ci Hacl_Bignum_Modulo_carry_top(input); 509a8e1175bSopenharmony_ci} 510a8e1175bSopenharmony_ci 511a8e1175bSopenharmony_cistatic void Hacl_EC_Format_fcontract_second_carry_pass(uint64_t *input) 512a8e1175bSopenharmony_ci{ 513a8e1175bSopenharmony_ci uint64_t t0 = input[0U]; 514a8e1175bSopenharmony_ci uint64_t t1 = input[1U]; 515a8e1175bSopenharmony_ci uint64_t t2 = input[2U]; 516a8e1175bSopenharmony_ci uint64_t t3 = input[3U]; 517a8e1175bSopenharmony_ci uint64_t t4 = input[4U]; 518a8e1175bSopenharmony_ci uint64_t t1_ = t1 + (t0 >> (uint32_t)51U); 519a8e1175bSopenharmony_ci uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU; 520a8e1175bSopenharmony_ci uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U); 521a8e1175bSopenharmony_ci uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU; 522a8e1175bSopenharmony_ci uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U); 523a8e1175bSopenharmony_ci uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU; 524a8e1175bSopenharmony_ci uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U); 525a8e1175bSopenharmony_ci uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU; 526a8e1175bSopenharmony_ci input[0U] = t0_; 527a8e1175bSopenharmony_ci input[1U] = t1__; 528a8e1175bSopenharmony_ci input[2U] = t2__; 529a8e1175bSopenharmony_ci input[3U] = t3__; 530a8e1175bSopenharmony_ci input[4U] = t4_; 531a8e1175bSopenharmony_ci} 532a8e1175bSopenharmony_ci 533a8e1175bSopenharmony_cistatic void Hacl_EC_Format_fcontract_second_carry_full(uint64_t *input) 534a8e1175bSopenharmony_ci{ 535a8e1175bSopenharmony_ci uint64_t i0; 536a8e1175bSopenharmony_ci uint64_t i1; 537a8e1175bSopenharmony_ci uint64_t i0_; 538a8e1175bSopenharmony_ci uint64_t i1_; 539a8e1175bSopenharmony_ci Hacl_EC_Format_fcontract_second_carry_pass(input); 540a8e1175bSopenharmony_ci Hacl_Bignum_Modulo_carry_top(input); 541a8e1175bSopenharmony_ci i0 = input[0U]; 542a8e1175bSopenharmony_ci i1 = input[1U]; 543a8e1175bSopenharmony_ci i0_ = i0 & (uint64_t)0x7ffffffffffffU; 544a8e1175bSopenharmony_ci i1_ = i1 + (i0 >> (uint32_t)51U); 545a8e1175bSopenharmony_ci input[0U] = i0_; 546a8e1175bSopenharmony_ci input[1U] = i1_; 547a8e1175bSopenharmony_ci} 548a8e1175bSopenharmony_ci 549a8e1175bSopenharmony_cistatic void Hacl_EC_Format_fcontract_trim(uint64_t *input) 550a8e1175bSopenharmony_ci{ 551a8e1175bSopenharmony_ci uint64_t a0 = input[0U]; 552a8e1175bSopenharmony_ci uint64_t a1 = input[1U]; 553a8e1175bSopenharmony_ci uint64_t a2 = input[2U]; 554a8e1175bSopenharmony_ci uint64_t a3 = input[3U]; 555a8e1175bSopenharmony_ci uint64_t a4 = input[4U]; 556a8e1175bSopenharmony_ci uint64_t mask0 = FStar_UInt64_gte_mask(a0, (uint64_t)0x7ffffffffffedU); 557a8e1175bSopenharmony_ci uint64_t mask1 = FStar_UInt64_eq_mask(a1, (uint64_t)0x7ffffffffffffU); 558a8e1175bSopenharmony_ci uint64_t mask2 = FStar_UInt64_eq_mask(a2, (uint64_t)0x7ffffffffffffU); 559a8e1175bSopenharmony_ci uint64_t mask3 = FStar_UInt64_eq_mask(a3, (uint64_t)0x7ffffffffffffU); 560a8e1175bSopenharmony_ci uint64_t mask4 = FStar_UInt64_eq_mask(a4, (uint64_t)0x7ffffffffffffU); 561a8e1175bSopenharmony_ci uint64_t mask = (((mask0 & mask1) & mask2) & mask3) & mask4; 562a8e1175bSopenharmony_ci uint64_t a0_ = a0 - ((uint64_t)0x7ffffffffffedU & mask); 563a8e1175bSopenharmony_ci uint64_t a1_ = a1 - ((uint64_t)0x7ffffffffffffU & mask); 564a8e1175bSopenharmony_ci uint64_t a2_ = a2 - ((uint64_t)0x7ffffffffffffU & mask); 565a8e1175bSopenharmony_ci uint64_t a3_ = a3 - ((uint64_t)0x7ffffffffffffU & mask); 566a8e1175bSopenharmony_ci uint64_t a4_ = a4 - ((uint64_t)0x7ffffffffffffU & mask); 567a8e1175bSopenharmony_ci input[0U] = a0_; 568a8e1175bSopenharmony_ci input[1U] = a1_; 569a8e1175bSopenharmony_ci input[2U] = a2_; 570a8e1175bSopenharmony_ci input[3U] = a3_; 571a8e1175bSopenharmony_ci input[4U] = a4_; 572a8e1175bSopenharmony_ci} 573a8e1175bSopenharmony_ci 574a8e1175bSopenharmony_cistatic void Hacl_EC_Format_fcontract_store(uint8_t *output, uint64_t *input) 575a8e1175bSopenharmony_ci{ 576a8e1175bSopenharmony_ci uint64_t t0 = input[0U]; 577a8e1175bSopenharmony_ci uint64_t t1 = input[1U]; 578a8e1175bSopenharmony_ci uint64_t t2 = input[2U]; 579a8e1175bSopenharmony_ci uint64_t t3 = input[3U]; 580a8e1175bSopenharmony_ci uint64_t t4 = input[4U]; 581a8e1175bSopenharmony_ci uint64_t o0 = t1 << (uint32_t)51U | t0; 582a8e1175bSopenharmony_ci uint64_t o1 = t2 << (uint32_t)38U | t1 >> (uint32_t)13U; 583a8e1175bSopenharmony_ci uint64_t o2 = t3 << (uint32_t)25U | t2 >> (uint32_t)26U; 584a8e1175bSopenharmony_ci uint64_t o3 = t4 << (uint32_t)12U | t3 >> (uint32_t)39U; 585a8e1175bSopenharmony_ci uint8_t *b0 = output; 586a8e1175bSopenharmony_ci uint8_t *b1 = output + (uint32_t)8U; 587a8e1175bSopenharmony_ci uint8_t *b2 = output + (uint32_t)16U; 588a8e1175bSopenharmony_ci uint8_t *b3 = output + (uint32_t)24U; 589a8e1175bSopenharmony_ci store64_le(b0, o0); 590a8e1175bSopenharmony_ci store64_le(b1, o1); 591a8e1175bSopenharmony_ci store64_le(b2, o2); 592a8e1175bSopenharmony_ci store64_le(b3, o3); 593a8e1175bSopenharmony_ci} 594a8e1175bSopenharmony_ci 595a8e1175bSopenharmony_cistatic void Hacl_EC_Format_fcontract(uint8_t *output, uint64_t *input) 596a8e1175bSopenharmony_ci{ 597a8e1175bSopenharmony_ci Hacl_EC_Format_fcontract_first_carry_full(input); 598a8e1175bSopenharmony_ci Hacl_EC_Format_fcontract_second_carry_full(input); 599a8e1175bSopenharmony_ci Hacl_EC_Format_fcontract_trim(input); 600a8e1175bSopenharmony_ci Hacl_EC_Format_fcontract_store(output, input); 601a8e1175bSopenharmony_ci} 602a8e1175bSopenharmony_ci 603a8e1175bSopenharmony_cistatic void Hacl_EC_Format_scalar_of_point(uint8_t *scalar, uint64_t *point) 604a8e1175bSopenharmony_ci{ 605a8e1175bSopenharmony_ci uint64_t *x = point; 606a8e1175bSopenharmony_ci uint64_t *z = point + (uint32_t)5U; 607a8e1175bSopenharmony_ci uint64_t buf[10U] = { 0U }; 608a8e1175bSopenharmony_ci uint64_t *zmone = buf; 609a8e1175bSopenharmony_ci uint64_t *sc = buf + (uint32_t)5U; 610a8e1175bSopenharmony_ci Hacl_Bignum_crecip(zmone, z); 611a8e1175bSopenharmony_ci Hacl_Bignum_fmul(sc, x, zmone); 612a8e1175bSopenharmony_ci Hacl_EC_Format_fcontract(scalar, sc); 613a8e1175bSopenharmony_ci} 614a8e1175bSopenharmony_ci 615a8e1175bSopenharmony_cistatic void 616a8e1175bSopenharmony_ciHacl_EC_AddAndDouble_fmonty( 617a8e1175bSopenharmony_ci uint64_t *pp, 618a8e1175bSopenharmony_ci uint64_t *ppq, 619a8e1175bSopenharmony_ci uint64_t *p, 620a8e1175bSopenharmony_ci uint64_t *pq, 621a8e1175bSopenharmony_ci uint64_t *qmqp 622a8e1175bSopenharmony_ci) 623a8e1175bSopenharmony_ci{ 624a8e1175bSopenharmony_ci uint64_t *qx = qmqp; 625a8e1175bSopenharmony_ci uint64_t *x2 = pp; 626a8e1175bSopenharmony_ci uint64_t *z2 = pp + (uint32_t)5U; 627a8e1175bSopenharmony_ci uint64_t *x3 = ppq; 628a8e1175bSopenharmony_ci uint64_t *z3 = ppq + (uint32_t)5U; 629a8e1175bSopenharmony_ci uint64_t *x = p; 630a8e1175bSopenharmony_ci uint64_t *z = p + (uint32_t)5U; 631a8e1175bSopenharmony_ci uint64_t *xprime = pq; 632a8e1175bSopenharmony_ci uint64_t *zprime = pq + (uint32_t)5U; 633a8e1175bSopenharmony_ci uint64_t buf[40U] = { 0U }; 634a8e1175bSopenharmony_ci uint64_t *origx = buf; 635a8e1175bSopenharmony_ci uint64_t *origxprime0 = buf + (uint32_t)5U; 636a8e1175bSopenharmony_ci uint64_t *xxprime0 = buf + (uint32_t)25U; 637a8e1175bSopenharmony_ci uint64_t *zzprime0 = buf + (uint32_t)30U; 638a8e1175bSopenharmony_ci uint64_t *origxprime; 639a8e1175bSopenharmony_ci uint64_t *xx0; 640a8e1175bSopenharmony_ci uint64_t *zz0; 641a8e1175bSopenharmony_ci uint64_t *xxprime; 642a8e1175bSopenharmony_ci uint64_t *zzprime; 643a8e1175bSopenharmony_ci uint64_t *zzzprime; 644a8e1175bSopenharmony_ci uint64_t *zzz; 645a8e1175bSopenharmony_ci uint64_t *xx; 646a8e1175bSopenharmony_ci uint64_t *zz; 647a8e1175bSopenharmony_ci uint64_t scalar; 648a8e1175bSopenharmony_ci memcpy(origx, x, (uint32_t)5U * sizeof x[0U]); 649a8e1175bSopenharmony_ci Hacl_Bignum_fsum(x, z); 650a8e1175bSopenharmony_ci Hacl_Bignum_fdifference(z, origx); 651a8e1175bSopenharmony_ci memcpy(origxprime0, xprime, (uint32_t)5U * sizeof xprime[0U]); 652a8e1175bSopenharmony_ci Hacl_Bignum_fsum(xprime, zprime); 653a8e1175bSopenharmony_ci Hacl_Bignum_fdifference(zprime, origxprime0); 654a8e1175bSopenharmony_ci Hacl_Bignum_fmul(xxprime0, xprime, z); 655a8e1175bSopenharmony_ci Hacl_Bignum_fmul(zzprime0, x, zprime); 656a8e1175bSopenharmony_ci origxprime = buf + (uint32_t)5U; 657a8e1175bSopenharmony_ci xx0 = buf + (uint32_t)15U; 658a8e1175bSopenharmony_ci zz0 = buf + (uint32_t)20U; 659a8e1175bSopenharmony_ci xxprime = buf + (uint32_t)25U; 660a8e1175bSopenharmony_ci zzprime = buf + (uint32_t)30U; 661a8e1175bSopenharmony_ci zzzprime = buf + (uint32_t)35U; 662a8e1175bSopenharmony_ci memcpy(origxprime, xxprime, (uint32_t)5U * sizeof xxprime[0U]); 663a8e1175bSopenharmony_ci Hacl_Bignum_fsum(xxprime, zzprime); 664a8e1175bSopenharmony_ci Hacl_Bignum_fdifference(zzprime, origxprime); 665a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(x3, xxprime, (uint32_t)1U); 666a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(zzzprime, zzprime, (uint32_t)1U); 667a8e1175bSopenharmony_ci Hacl_Bignum_fmul(z3, zzzprime, qx); 668a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(xx0, x, (uint32_t)1U); 669a8e1175bSopenharmony_ci Hacl_Bignum_Fsquare_fsquare_times(zz0, z, (uint32_t)1U); 670a8e1175bSopenharmony_ci zzz = buf + (uint32_t)10U; 671a8e1175bSopenharmony_ci xx = buf + (uint32_t)15U; 672a8e1175bSopenharmony_ci zz = buf + (uint32_t)20U; 673a8e1175bSopenharmony_ci Hacl_Bignum_fmul(x2, xx, zz); 674a8e1175bSopenharmony_ci Hacl_Bignum_fdifference(zz, xx); 675a8e1175bSopenharmony_ci scalar = (uint64_t)121665U; 676a8e1175bSopenharmony_ci Hacl_Bignum_fscalar(zzz, zz, scalar); 677a8e1175bSopenharmony_ci Hacl_Bignum_fsum(zzz, xx); 678a8e1175bSopenharmony_ci Hacl_Bignum_fmul(z2, zzz, zz); 679a8e1175bSopenharmony_ci} 680a8e1175bSopenharmony_ci 681a8e1175bSopenharmony_cistatic void 682a8e1175bSopenharmony_ciHacl_EC_Ladder_SmallLoop_cmult_small_loop_step( 683a8e1175bSopenharmony_ci uint64_t *nq, 684a8e1175bSopenharmony_ci uint64_t *nqpq, 685a8e1175bSopenharmony_ci uint64_t *nq2, 686a8e1175bSopenharmony_ci uint64_t *nqpq2, 687a8e1175bSopenharmony_ci uint64_t *q, 688a8e1175bSopenharmony_ci uint8_t byt 689a8e1175bSopenharmony_ci) 690a8e1175bSopenharmony_ci{ 691a8e1175bSopenharmony_ci uint64_t bit0 = (uint64_t)(byt >> (uint32_t)7U); 692a8e1175bSopenharmony_ci uint64_t bit; 693a8e1175bSopenharmony_ci Hacl_EC_Point_swap_conditional(nq, nqpq, bit0); 694a8e1175bSopenharmony_ci Hacl_EC_AddAndDouble_fmonty(nq2, nqpq2, nq, nqpq, q); 695a8e1175bSopenharmony_ci bit = (uint64_t)(byt >> (uint32_t)7U); 696a8e1175bSopenharmony_ci Hacl_EC_Point_swap_conditional(nq2, nqpq2, bit); 697a8e1175bSopenharmony_ci} 698a8e1175bSopenharmony_ci 699a8e1175bSopenharmony_cistatic void 700a8e1175bSopenharmony_ciHacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step( 701a8e1175bSopenharmony_ci uint64_t *nq, 702a8e1175bSopenharmony_ci uint64_t *nqpq, 703a8e1175bSopenharmony_ci uint64_t *nq2, 704a8e1175bSopenharmony_ci uint64_t *nqpq2, 705a8e1175bSopenharmony_ci uint64_t *q, 706a8e1175bSopenharmony_ci uint8_t byt 707a8e1175bSopenharmony_ci) 708a8e1175bSopenharmony_ci{ 709a8e1175bSopenharmony_ci uint8_t byt1; 710a8e1175bSopenharmony_ci Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq, nqpq, nq2, nqpq2, q, byt); 711a8e1175bSopenharmony_ci byt1 = byt << (uint32_t)1U; 712a8e1175bSopenharmony_ci Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq2, nqpq2, nq, nqpq, q, byt1); 713a8e1175bSopenharmony_ci} 714a8e1175bSopenharmony_ci 715a8e1175bSopenharmony_cistatic void 716a8e1175bSopenharmony_ciHacl_EC_Ladder_SmallLoop_cmult_small_loop( 717a8e1175bSopenharmony_ci uint64_t *nq, 718a8e1175bSopenharmony_ci uint64_t *nqpq, 719a8e1175bSopenharmony_ci uint64_t *nq2, 720a8e1175bSopenharmony_ci uint64_t *nqpq2, 721a8e1175bSopenharmony_ci uint64_t *q, 722a8e1175bSopenharmony_ci uint8_t byt, 723a8e1175bSopenharmony_ci uint32_t i 724a8e1175bSopenharmony_ci) 725a8e1175bSopenharmony_ci{ 726a8e1175bSopenharmony_ci if (!(i == (uint32_t)0U)) 727a8e1175bSopenharmony_ci { 728a8e1175bSopenharmony_ci uint32_t i_ = i - (uint32_t)1U; 729a8e1175bSopenharmony_ci uint8_t byt_; 730a8e1175bSopenharmony_ci Hacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step(nq, nqpq, nq2, nqpq2, q, byt); 731a8e1175bSopenharmony_ci byt_ = byt << (uint32_t)2U; 732a8e1175bSopenharmony_ci Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byt_, i_); 733a8e1175bSopenharmony_ci } 734a8e1175bSopenharmony_ci} 735a8e1175bSopenharmony_ci 736a8e1175bSopenharmony_cistatic void 737a8e1175bSopenharmony_ciHacl_EC_Ladder_BigLoop_cmult_big_loop( 738a8e1175bSopenharmony_ci uint8_t *n1, 739a8e1175bSopenharmony_ci uint64_t *nq, 740a8e1175bSopenharmony_ci uint64_t *nqpq, 741a8e1175bSopenharmony_ci uint64_t *nq2, 742a8e1175bSopenharmony_ci uint64_t *nqpq2, 743a8e1175bSopenharmony_ci uint64_t *q, 744a8e1175bSopenharmony_ci uint32_t i 745a8e1175bSopenharmony_ci) 746a8e1175bSopenharmony_ci{ 747a8e1175bSopenharmony_ci if (!(i == (uint32_t)0U)) 748a8e1175bSopenharmony_ci { 749a8e1175bSopenharmony_ci uint32_t i1 = i - (uint32_t)1U; 750a8e1175bSopenharmony_ci uint8_t byte = n1[i1]; 751a8e1175bSopenharmony_ci Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byte, (uint32_t)4U); 752a8e1175bSopenharmony_ci Hacl_EC_Ladder_BigLoop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, i1); 753a8e1175bSopenharmony_ci } 754a8e1175bSopenharmony_ci} 755a8e1175bSopenharmony_ci 756a8e1175bSopenharmony_cistatic void Hacl_EC_Ladder_cmult(uint64_t *result, uint8_t *n1, uint64_t *q) 757a8e1175bSopenharmony_ci{ 758a8e1175bSopenharmony_ci uint64_t point_buf[40U] = { 0U }; 759a8e1175bSopenharmony_ci uint64_t *nq = point_buf; 760a8e1175bSopenharmony_ci uint64_t *nqpq = point_buf + (uint32_t)10U; 761a8e1175bSopenharmony_ci uint64_t *nq2 = point_buf + (uint32_t)20U; 762a8e1175bSopenharmony_ci uint64_t *nqpq2 = point_buf + (uint32_t)30U; 763a8e1175bSopenharmony_ci Hacl_EC_Point_copy(nqpq, q); 764a8e1175bSopenharmony_ci nq[0U] = (uint64_t)1U; 765a8e1175bSopenharmony_ci Hacl_EC_Ladder_BigLoop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, (uint32_t)32U); 766a8e1175bSopenharmony_ci Hacl_EC_Point_copy(result, nq); 767a8e1175bSopenharmony_ci} 768a8e1175bSopenharmony_ci 769a8e1175bSopenharmony_civoid Hacl_Curve25519_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint) 770a8e1175bSopenharmony_ci{ 771a8e1175bSopenharmony_ci uint64_t buf0[10U] = { 0U }; 772a8e1175bSopenharmony_ci uint64_t *x0 = buf0; 773a8e1175bSopenharmony_ci uint64_t *z = buf0 + (uint32_t)5U; 774a8e1175bSopenharmony_ci uint64_t *q; 775a8e1175bSopenharmony_ci Hacl_EC_Format_fexpand(x0, basepoint); 776a8e1175bSopenharmony_ci z[0U] = (uint64_t)1U; 777a8e1175bSopenharmony_ci q = buf0; 778a8e1175bSopenharmony_ci { 779a8e1175bSopenharmony_ci uint8_t e[32U] = { 0U }; 780a8e1175bSopenharmony_ci uint8_t e0; 781a8e1175bSopenharmony_ci uint8_t e31; 782a8e1175bSopenharmony_ci uint8_t e01; 783a8e1175bSopenharmony_ci uint8_t e311; 784a8e1175bSopenharmony_ci uint8_t e312; 785a8e1175bSopenharmony_ci uint8_t *scalar; 786a8e1175bSopenharmony_ci memcpy(e, secret, (uint32_t)32U * sizeof secret[0U]); 787a8e1175bSopenharmony_ci e0 = e[0U]; 788a8e1175bSopenharmony_ci e31 = e[31U]; 789a8e1175bSopenharmony_ci e01 = e0 & (uint8_t)248U; 790a8e1175bSopenharmony_ci e311 = e31 & (uint8_t)127U; 791a8e1175bSopenharmony_ci e312 = e311 | (uint8_t)64U; 792a8e1175bSopenharmony_ci e[0U] = e01; 793a8e1175bSopenharmony_ci e[31U] = e312; 794a8e1175bSopenharmony_ci scalar = e; 795a8e1175bSopenharmony_ci { 796a8e1175bSopenharmony_ci uint64_t buf[15U] = { 0U }; 797a8e1175bSopenharmony_ci uint64_t *nq = buf; 798a8e1175bSopenharmony_ci uint64_t *x = nq; 799a8e1175bSopenharmony_ci x[0U] = (uint64_t)1U; 800a8e1175bSopenharmony_ci Hacl_EC_Ladder_cmult(nq, scalar, q); 801a8e1175bSopenharmony_ci Hacl_EC_Format_scalar_of_point(mypublic, nq); 802a8e1175bSopenharmony_ci } 803a8e1175bSopenharmony_ci } 804a8e1175bSopenharmony_ci} 805a8e1175bSopenharmony_ci 806