首页 发现 帮助
登录
byuu
/
higan
镜像自地址 https://github.com/byuu/higan
关注 2
点赞 0
派生 0
文件 工单管理 0 Wiki
分支: master
分支列表 标签列表
higan
/
nall
/
elliptic-curve
/
modulo25519-optimized.hpp

modulo25519-optimized.hpp 7.5 KB
永久链接 文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219 
  1. #pragma once
    2. 

  2. 

  3. #include <nall/arithmetic/barrett.hpp>
    4. 

  4. 

  5. namespace nall::EllipticCurve {
    6. 

  6. 

  7. static const uint256_t P = (1_u256 << 255) - 19;
    8. 

  8. 

  9. #define Mask ((1ull << 51) - 1)
    10. 

  10. 

  11. struct Modulo25519 {
    12. 

  12.   Modulo25519() = default;
    13. 

  13.   Modulo25519(const Modulo25519&) = default;
    14. 

  14.   Modulo25519(uint64_t a, uint64_t b = 0, uint64_t c = 0, uint64_t d = 0, uint64_t e = 0) : l{a, b, c, d, e} {}
    15. 

  15.   Modulo25519(uint256_t n);
    16. 

  16. 

  17.   explicit operator bool() const { return (bool)operator()(); }
    18. 

  18.   auto operator[](uint index) -> uint64_t& { return l[index]; }
    19. 

  19.   auto operator[](uint index) const -> uint64_t { return l[index]; }
    20. 

  20.   auto operator()() const -> uint256_t;
    21. 

  21. 

  22. private:
    23. 

  23.   uint64_t l[5];  //51-bits per limb; 255-bits total
    24. 

  24. };
    25. 

  25. 

  26. inline Modulo25519::Modulo25519(uint256_t n) {
    27. 

  27.   l[0] = n >>   0 & Mask;
    28. 

  28.   l[1] = n >>  51 & Mask;
    29. 

  29.   l[2] = n >> 102 & Mask;
    30. 

  30.   l[3] = n >> 153 & Mask;
    31. 

  31.   l[4] = n >> 204 & Mask;
    32. 

  32. }
    33. 

  33. 

  34. inline auto Modulo25519::operator()() const -> uint256_t {
    35. 

  35.   Modulo25519 o = *this;
    36. 

  36. 

  37.   o[1] +=      (o[0] >> 51); o[0] &= Mask;
    38. 

  38.   o[2] +=      (o[1] >> 51); o[1] &= Mask;
    39. 

  39.   o[3] +=      (o[2] >> 51); o[2] &= Mask;
    40. 

  40.   o[4] +=      (o[3] >> 51); o[3] &= Mask;
    41. 

  41.   o[0] += 19 * (o[4] >> 51); o[4] &= Mask;
    42. 

  42. 

  43.   o[1] +=      (o[0] >> 51); o[0] &= Mask;
    44. 

  44.   o[2] +=      (o[1] >> 51); o[1] &= Mask;
    45. 

  45.   o[3] +=      (o[2] >> 51); o[2] &= Mask;
    46. 

  46.   o[4] +=      (o[3] >> 51); o[3] &= Mask;
    47. 

  47.   o[0] += 19 * (o[4] >> 51); o[4] &= Mask;
    48. 

  48. 

  49.   o[0] += 19;
    50. 

  50.   o[1] +=      (o[0] >> 51); o[0] &= Mask;
    51. 

  51.   o[2] +=      (o[1] >> 51); o[1] &= Mask;
    52. 

  52.   o[3] +=      (o[2] >> 51); o[2] &= Mask;
    53. 

  53.   o[4] +=      (o[3] >> 51); o[3] &= Mask;
    54. 

  54.   o[0] += 19 * (o[4] >> 51); o[4] &= Mask;
    55. 

  55. 

  56.   o[0] += Mask - 18;
    57. 

  57.   o[1] += Mask;
    58. 

  58.   o[2] += Mask;
    59. 

  59.   o[3] += Mask;
    60. 

  60.   o[4] += Mask;
    61. 

  61. 

  62.   o[1] += o[0] >> 51; o[0] &= Mask;
    63. 

  63.   o[2] += o[1] >> 51; o[1] &= Mask;
    64. 

  64.   o[3] += o[2] >> 51; o[2] &= Mask;
    65. 

  65.   o[4] += o[3] >> 51; o[3] &= Mask;
    66. 

  66.   o[4] &= Mask;
    67. 

  67. 

  68.   return (uint256_t)o[0] << 0 | (uint256_t)o[1] << 51 | (uint256_t)o[2] << 102 | (uint256_t)o[3] << 153 | (uint256_t)o[4] << 204;
    69. 

  69. }
    70. 

  70. 

  71. inline auto cmove(bool move, Modulo25519& l, const Modulo25519& r) -> void {
    72. 

  72.   uint64_t mask = -move;
    73. 

  73.   l[0] ^= mask & (l[0] ^ r[0]);
    74. 

  74.   l[1] ^= mask & (l[1] ^ r[1]);
    75. 

  75.   l[2] ^= mask & (l[2] ^ r[2]);
    76. 

  76.   l[3] ^= mask & (l[3] ^ r[3]);
    77. 

  77.   l[4] ^= mask & (l[4] ^ r[4]);
    78. 

  78. }
    79. 

  79. 

  80. inline auto cswap(bool swap, Modulo25519& l, Modulo25519& r) -> void {
    81. 

  81.   uint64_t mask = -swap, x;
    82. 

  82.   x = mask & (l[0] ^ r[0]); l[0] ^= x; r[0] ^= x;
    83. 

  83.   x = mask & (l[1] ^ r[1]); l[1] ^= x; r[1] ^= x;
    84. 

  84.   x = mask & (l[2] ^ r[2]); l[2] ^= x; r[2] ^= x;
    85. 

  85.   x = mask & (l[3] ^ r[3]); l[3] ^= x; r[3] ^= x;
    86. 

  86.   x = mask & (l[4] ^ r[4]); l[4] ^= x; r[4] ^= x;
    87. 

  87. }
    88. 

  88. 

  89. inline auto operator-(const Modulo25519& l) -> Modulo25519 {  //P - l
    90. 

  90.   Modulo25519 o;
    91. 

  91.   uint64_t c;
    92. 

  92.   o[0]  = 0xfffffffffffda - l[0];     c = o[0] >> 51; o[0] &= Mask;
    93. 

  93.   o[1]  = 0xffffffffffffe - l[1] + c; c = o[1] >> 51; o[1] &= Mask;
    94. 

  94.   o[2]  = 0xffffffffffffe - l[2] + c; c = o[2] >> 51; o[2] &= Mask;
    95. 

  95.   o[3]  = 0xffffffffffffe - l[3] + c; c = o[3] >> 51; o[3] &= Mask;
    96. 

  96.   o[4]  = 0xffffffffffffe - l[4] + c; c = o[4] >> 51; o[4] &= Mask;
    97. 

  97.   o[0] += c * 19;
    98. 

  98.   return o;
    99. 

  99. }
    100. 

  100. 

  101. inline auto operator+(const Modulo25519& l, const Modulo25519& r) -> Modulo25519 {
    102. 

  102.   Modulo25519 o;
    103. 

  103.   uint64_t c;
    104. 

  104.   o[0]  = l[0] + r[0];     c = o[0] >> 51; o[0] &= Mask;
    105. 

  105.   o[1]  = l[1] + r[1] + c; c = o[1] >> 51; o[1] &= Mask;
    106. 

  106.   o[2]  = l[2] + r[2] + c; c = o[2] >> 51; o[2] &= Mask;
    107. 

  107.   o[3]  = l[3] + r[3] + c; c = o[3] >> 51; o[3] &= Mask;
    108. 

  108.   o[4]  = l[4] + r[4] + c; c = o[4] >> 51; o[4] &= Mask;
    109. 

  109.   o[0] += c * 19;
    110. 

  110.   return o;
    111. 

  111. }
    112. 

  112. 

  113. inline auto operator-(const Modulo25519& l, const Modulo25519& r) -> Modulo25519 {
    114. 

  114.   Modulo25519 o;
    115. 

  115.   uint64_t c;
    116. 

  116.   o[0]  = l[0] + 0x1fffffffffffb4 - r[0];     c = o[0] >> 51; o[0] &= Mask;
    117. 

  117.   o[1]  = l[1] + 0x1ffffffffffffc - r[1] + c; c = o[1] >> 51; o[1] &= Mask;
    118. 

  118.   o[2]  = l[2] + 0x1ffffffffffffc - r[2] + c; c = o[2] >> 51; o[2] &= Mask;
    119. 

  119.   o[3]  = l[3] + 0x1ffffffffffffc - r[3] + c; c = o[3] >> 51; o[3] &= Mask;
    120. 

  120.   o[4]  = l[4] + 0x1ffffffffffffc - r[4] + c; c = o[4] >> 51; o[4] &= Mask;
    121. 

  121.   o[0] += c * 19;
    122. 

  122.   return o;
    123. 

  123. }
    124. 

  124. 

  125. inline auto operator*(const Modulo25519& l, uint64_t scalar) -> Modulo25519 {
    126. 

  126.   Modulo25519 o;
    127. 

  127.   uint128_t a;
    128. 

  128.   a = (uint128_t)l[0] * scalar;                    o[0] = a & Mask;
    129. 

  129.   a = (uint128_t)l[1] * scalar + (a >> 51 & Mask); o[1] = a & Mask;
    130. 

  130.   a = (uint128_t)l[2] * scalar + (a >> 51 & Mask); o[2] = a & Mask;
    131. 

  131.   a = (uint128_t)l[3] * scalar + (a >> 51 & Mask); o[3] = a & Mask;
    132. 

  132.   a = (uint128_t)l[4] * scalar + (a >> 51 & Mask); o[4] = a & Mask;
    133. 

  133.   o[0] += (a >> 51) * 19;
    134. 

  134.   return o;
    135. 

  135. }
    136. 

  136. 

  137. inline auto operator*(const Modulo25519& l, Modulo25519 r) -> Modulo25519 {
    138. 

  138.   uint128_t t[] = {
    139. 

  139.     (uint128_t)r[0] * l[0],
    140. 

  140.     (uint128_t)r[0] * l[1] + (uint128_t)r[1] * l[0],
    141. 

  141.     (uint128_t)r[0] * l[2] + (uint128_t)r[1] * l[1] + (uint128_t)r[2] * l[0],
    142. 

  142.     (uint128_t)r[0] * l[3] + (uint128_t)r[1] * l[2] + (uint128_t)r[2] * l[1] + (uint128_t)r[3] * l[0],
    143. 

  143.     (uint128_t)r[0] * l[4] + (uint128_t)r[1] * l[3] + (uint128_t)r[2] * l[2] + (uint128_t)r[3] * l[1] + (uint128_t)r[4] * l[0]
    144. 

  144.   };
    145. 

  145. 

  146.   r[1] *= 19, r[2] *= 19, r[3] *= 19, r[4] *= 19;
    147. 

  147. 

  148.   t[0] += (uint128_t)r[4] * l[1] + (uint128_t)r[3] * l[2] + (uint128_t)r[2] * l[3] + (uint128_t)r[1] * l[4];
    149. 

  149.   t[1] += (uint128_t)r[4] * l[2] + (uint128_t)r[3] * l[3] + (uint128_t)r[2] * l[4];
    150. 

  150.   t[2] += (uint128_t)r[4] * l[3] + (uint128_t)r[3] * l[4];
    151. 

  151.   t[3] += (uint128_t)r[4] * l[4];
    152. 

  152. 

  153.   uint64_t c; r[0] = t[0] & Mask; c = (uint64_t)(t[0] >> 51);
    154. 

  154.   t[1] += c;  r[1] = t[1] & Mask; c = (uint64_t)(t[1] >> 51);
    155. 

  155.   t[2] += c;  r[2] = t[2] & Mask; c = (uint64_t)(t[2] >> 51);
    156. 

  156.   t[3] += c;  r[3] = t[3] & Mask; c = (uint64_t)(t[3] >> 51);
    157. 

  157.   t[4] += c;  r[4] = t[4] & Mask; c = (uint64_t)(t[4] >> 51);
    158. 

  158. 

  159.   r[0] += c * 19; c = r[0] >> 51; r[0] &= Mask;
    160. 

  160.   r[1] += c;      c = r[1] >> 51; r[1] &= Mask;
    161. 

  161.   r[2] += c;
    162. 

  162.   return r;
    163. 

  163. }
    164. 

  164. 

  165. inline auto operator&(const Modulo25519& lhs, uint256_t rhs) -> uint256_t {
    166. 

  166.   return lhs() & rhs;
    167. 

  167. }
    168. 

  168. 

  169. inline auto square(const Modulo25519& lhs) -> Modulo25519 {
    170. 

  170.   Modulo25519 r{lhs};
    171. 

  171.   Modulo25519 d{r[0] * 2, r[1] * 2, r[2] * 2 * 19, r[4] * 19, r[4] * 19 * 2};
    172. 

  172. 

  173.   uint128_t t[5];
    174. 

  174.   t[0] = (uint128_t)r[0] * r[0] + (uint128_t)d[4] * r[1] + (uint128_t)d[2] * r[3];
    175. 

  175.   t[1] = (uint128_t)d[0] * r[1] + (uint128_t)d[4] * r[2] + (uint128_t)r[3] * r[3] * 19;
    176. 

  176.   t[2] = (uint128_t)d[0] * r[2] + (uint128_t)r[1] * r[1] + (uint128_t)d[4] * r[3];
    177. 

  177.   t[3] = (uint128_t)d[0] * r[3] + (uint128_t)d[1] * r[2] + (uint128_t)r[4] * d[3];
    178. 

  178.   t[4] = (uint128_t)d[0] * r[4] + (uint128_t)d[1] * r[3] + (uint128_t)r[2] * r[2];
    179. 

  179. 

  180.   uint64_t c; r[0] = t[0] & Mask; c = (uint64_t)(t[0] >> 51);
    181. 

  181.   t[1] += c;  r[1] = t[1] & Mask; c = (uint64_t)(t[1] >> 51);
    182. 

  182.   t[2] += c;  r[2] = t[2] & Mask; c = (uint64_t)(t[2] >> 51);
    183. 

  183.   t[3] += c;  r[3] = t[3] & Mask; c = (uint64_t)(t[3] >> 51);
    184. 

  184.   t[4] += c;  r[4] = t[4] & Mask; c = (uint64_t)(t[4] >> 51);
    185. 

  185. 

  186.   r[0] += c * 19; c = r[0] >> 51; r[0] &= Mask;
    187. 

  187.   r[1] += c;      c = r[1] >> 51; r[1] &= Mask;
    188. 

  188.   r[2] += c;
    189. 

  189.   return r;
    190. 

  190. }
    191. 

  191. 

  192. inline auto exponentiate(const Modulo25519& lhs, uint256_t exponent) -> Modulo25519 {
    193. 

  193.   Modulo25519 x = 1, y;
    194. 

  194.   for(uint bit : reverse(range(256))) {
    195. 

  195.     x = square(x);
    196. 

  196.     y = x * lhs;
    197. 

  197.     cmove(exponent >> bit & 1, x, y);
    198. 

  198.   }
    199. 

  199.   return x;
    200. 

  200. }
    201. 

  201. 

  202. inline auto reciprocal(const Modulo25519& lhs) -> Modulo25519 {
    203. 

  203.   return exponentiate(lhs, P - 2);
    204. 

  204. }
    205. 

  205. 

  206. inline auto squareRoot(const Modulo25519& lhs) -> Modulo25519 {
    207. 

  207.   static const Modulo25519 I = exponentiate(Modulo25519(2), P - 1 >> 2);  //I == sqrt(-1)
    208. 

  208.   Modulo25519 x = exponentiate(lhs, P + 3 >> 3);
    209. 

  209.   Modulo25519 y = x * I;
    210. 

  210.   cmove(bool(square(x) - lhs), x, y);
    211. 

  211.   y = -x;
    212. 

  212.   cmove(x & 1, x, y);
    213. 

  213.   return x;
    214. 

  214. }
    215. 

  215. 

  216. #undef Mask
    217. 

  217. 

  218. }
    219. 

  219.