From cb471ba2ec793c6c96d47ec1e121003d55b0823d Mon Sep 17 00:00:00 2001 From: Pavol Rusnak Date: Tue, 28 Mar 2017 18:01:42 +0200 Subject: [PATCH] upgrade ed25519 to forthy42 fork --- Makefile | 1 + ed25519-donna/curve25519-donna-32bit.h | 2 +- ed25519-donna/ed25519-donna-32bit-tables.h | 10 +- ed25519-donna/ed25519-donna-64bit-tables.h | 10 +- ed25519-donna/ed25519-donna-impl-base.h | 177 ++++++++++++++++-- ed25519-donna/ed25519-donna-impl-sse2.h | 153 +++++++++++++-- .../ed25519-donna-portable-identify.h | 3 + ed25519-donna/ed25519.c | 1 + ed25519-donna/modm-donna-32bit.h | 39 ++-- ed25519-donna/modm-donna-64bit.h | 39 ++-- 10 files changed, 346 insertions(+), 89 deletions(-) diff --git a/Makefile b/Makefile index 7d0f8b5ffb..74e766803a 100644 --- a/Makefile +++ b/Makefile @@ -21,6 +21,7 @@ CFLAGS += $(OPTFLAGS) \ -Winit-self \ -Wuninitialized \ -Wformat-security \ + -Wno-unused-function \ -Werror # disable sequence point warning because of AES code diff --git a/ed25519-donna/curve25519-donna-32bit.h b/ed25519-donna/curve25519-donna-32bit.h index b0861acf03..b8fa37d6e4 100644 --- a/ed25519-donna/curve25519-donna-32bit.h +++ b/ed25519-donna/curve25519-donna-32bit.h @@ -403,8 +403,8 @@ static void curve25519_expand(bignum25519 out, const unsigned char in[32]) { static const union { uint8_t b[2]; uint16_t s; } endian_check = {{1,0}}; uint32_t x0,x1,x2,x3,x4,x5,x6,x7; - if (endian_check.s == 1) { + /* Take care, this only works when in is aligned */ x0 = *(uint32_t *)(in + 0); x1 = *(uint32_t *)(in + 4); x2 = *(uint32_t *)(in + 8); diff --git a/ed25519-donna/ed25519-donna-32bit-tables.h b/ed25519-donna/ed25519-donna-32bit-tables.h index c977c26ebc..49022aee26 100644 --- a/ed25519-donna/ed25519-donna-32bit-tables.h +++ b/ed25519-donna/ed25519-donna-32bit-tables.h @@ -1,4 +1,4 @@ -static const ge25519 ALIGN(16) ge25519_basepoint = { +const ge25519 ALIGN(16) ge25519_basepoint = { {0x0325d51a,0x018b5823,0x00f6592a,0x0104a92d,0x01a4b31d,0x01d6dc5c,0x027118fe,0x007fd814,0x013cd6e5,0x0085a4db}, {0x02666658,0x01999999,0x00cccccc,0x01333333,0x01999999,0x00666666,0x03333333,0x00cccccc,0x02666666,0x01999999}, {0x00000001,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000}, @@ -9,11 +9,11 @@ static const ge25519 ALIGN(16) ge25519_basepoint = { d */ -static const bignum25519 ALIGN(16) ge25519_ecd = { +const bignum25519 ALIGN(16) ge25519_ecd = { 0x035978a3,0x00d37284,0x03156ebd,0x006a0a0e,0x0001c029,0x0179e898,0x03a03cbb,0x01ce7198,0x02e2b6ff,0x01480db3 }; -static const bignum25519 ALIGN(16) ge25519_ec2d = { +const bignum25519 ALIGN(16) ge25519_ec2d = { 0x02b2f159,0x01a6e509,0x022add7a,0x00d4141d,0x00038052,0x00f3d130,0x03407977,0x019ce331,0x01c56dff,0x00901b67 }; @@ -21,11 +21,11 @@ static const bignum25519 ALIGN(16) ge25519_ec2d = { sqrt(-1) */ -static const bignum25519 ALIGN(16) ge25519_sqrtneg1 = { +const bignum25519 ALIGN(16) ge25519_sqrtneg1 = { 0x020ea0b0,0x0186c9d2,0x008f189d,0x0035697f,0x00bd0c60,0x01fbd7a7,0x02804c9e,0x01e16569,0x0004fc1d,0x00ae0c92 }; -static const ge25519_niels ALIGN(16) ge25519_niels_sliding_multiples[32] = { +const ge25519_niels ALIGN(16) ge25519_niels_sliding_multiples[32] = { {{0x0340913e,0x000e4175,0x03d673a2,0x002e8a05,0x03f4e67c,0x008f8a09,0x00c21a34,0x004cf4b8,0x01298f81,0x0113f4be},{0x018c3b85,0x0124f1bd,0x01c325f7,0x0037dc60,0x033e4cb7,0x003d42c2,0x01a44c32,0x014ca4e1,0x03a33d4b,0x001f3e74},{0x037aaa68,0x00448161,0x0093d579,0x011e6556,0x009b67a0,0x0143598c,0x01bee5ee,0x00b50b43,0x0289f0c6,0x01bc45ed}}, {{0x00fcd265,0x0047fa29,0x034faacc,0x01ef2e0d,0x00ef4d4f,0x014bd6bd,0x00f98d10,0x014c5026,0x007555bd,0x00aae456},{0x00ee9730,0x016c2a13,0x017155e4,0x01874432,0x00096a10,0x01016732,0x01a8014f,0x011e9823,0x01b9a80f,0x01e85938},{0x01d0d889,0x01a4cfc3,0x034c4295,0x0110e1ae,0x0162508c,0x00f2db4c,0x0072a2c6,0x0098da2e,0x02f12b9b,0x0168a09a}}, {{0x0047d6ba,0x0060b0e9,0x0136eff2,0x008a5939,0x03540053,0x0064a087,0x02788e5c,0x00be7c67,0x033eb1b5,0x005529f9},{0x00a5bb33,0x00af1102,0x01a05442,0x001e3af7,0x02354123,0x00bfec44,0x01f5862d,0x00dd7ba3,0x03146e20,0x00a51733},{0x012a8285,0x00f6fc60,0x023f9797,0x003e85ee,0x009c3820,0x01bda72d,0x01b3858d,0x00d35683,0x0296b3bb,0x010eaaf9}}, diff --git a/ed25519-donna/ed25519-donna-64bit-tables.h b/ed25519-donna/ed25519-donna-64bit-tables.h index 4a6ff9edae..e5e4490996 100644 --- a/ed25519-donna/ed25519-donna-64bit-tables.h +++ b/ed25519-donna/ed25519-donna-64bit-tables.h @@ -1,23 +1,23 @@ -static const ge25519 ge25519_basepoint = { +const ge25519 ge25519_basepoint = { {0x00062d608f25d51a,0x000412a4b4f6592a,0x00075b7171a4b31d,0x0001ff60527118fe,0x000216936d3cd6e5}, {0x0006666666666658,0x0004cccccccccccc,0x0001999999999999,0x0003333333333333,0x0006666666666666}, {0x0000000000000001,0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000}, {0x00068ab3a5b7dda3,0x00000eea2a5eadbb,0x0002af8df483c27e,0x000332b375274732,0x00067875f0fd78b7} }; -static const bignum25519 ge25519_ecd = { +const bignum25519 ge25519_ecd = { 0x00034dca135978a3,0x0001a8283b156ebd,0x0005e7a26001c029,0x000739c663a03cbb,0x00052036cee2b6ff }; -static const bignum25519 ge25519_ec2d = { +const bignum25519 ge25519_ec2d = { 0x00069b9426b2f159,0x00035050762add7a,0x0003cf44c0038052,0x0006738cc7407977,0x0002406d9dc56dff }; -static const bignum25519 ge25519_sqrtneg1 = { +const bignum25519 ge25519_sqrtneg1 = { 0x00061b274a0ea0b0,0x0000d5a5fc8f189d,0x0007ef5e9cbd0c60,0x00078595a6804c9e,0x0002b8324804fc1d }; -static const ge25519_niels ge25519_niels_sliding_multiples[32] = { +const ge25519_niels ge25519_niels_sliding_multiples[32] = { {{0x00003905d740913e,0x0000ba2817d673a2,0x00023e2827f4e67c,0x000133d2e0c21a34,0x00044fd2f9298f81},{0x000493c6f58c3b85,0x0000df7181c325f7,0x0000f50b0b3e4cb7,0x0005329385a44c32,0x00007cf9d3a33d4b},{0x00011205877aaa68,0x000479955893d579,0x00050d66309b67a0,0x0002d42d0dbee5ee,0x0006f117b689f0c6}}, {{0x00011fe8a4fcd265,0x0007bcb8374faacc,0x00052f5af4ef4d4f,0x0005314098f98d10,0x0002ab91587555bd},{0x0005b0a84cee9730,0x00061d10c97155e4,0x0004059cc8096a10,0x00047a608da8014f,0x0007a164e1b9a80f},{0x0006933f0dd0d889,0x00044386bb4c4295,0x0003cb6d3162508c,0x00026368b872a2c6,0x0005a2826af12b9b}}, {{0x000182c3a447d6ba,0x00022964e536eff2,0x000192821f540053,0x0002f9f19e788e5c,0x000154a7e73eb1b5},{0x0002bc4408a5bb33,0x000078ebdda05442,0x0002ffb112354123,0x000375ee8df5862d,0x0002945ccf146e20},{0x0003dbf1812a8285,0x0000fa17ba3f9797,0x0006f69cb49c3820,0x00034d5a0db3858d,0x00043aabe696b3bb}}, diff --git a/ed25519-donna/ed25519-donna-impl-base.h b/ed25519-donna/ed25519-donna-impl-base.h index 48913edcb4..8cc85f216c 100644 --- a/ed25519-donna/ed25519-donna-impl-base.h +++ b/ed25519-donna/ed25519-donna-impl-base.h @@ -176,7 +176,7 @@ ge25519_pnielsadd(ge25519_pniels *r, const ge25519 *p, const ge25519_pniels *q) pack & unpack */ -static void +STATIC void ge25519_pack(unsigned char r[32], const ge25519 *p) { bignum25519 tx, ty, zi; unsigned char parity[32]; @@ -188,8 +188,7 @@ ge25519_pack(unsigned char r[32], const ge25519 *p) { r[31] ^= ((parity[0] & 1) << 7); } -static int -ge25519_unpack_negative_vartime(ge25519 *r, const unsigned char p[32]) { +STATIC int ge25519_unpack_negative_vartime(ge25519 *r, const unsigned char p[32]) { static const unsigned char zero[32] = {0}; static const bignum25519 one = {1}; unsigned char parity = p[31] >> 7; @@ -243,14 +242,20 @@ ge25519_unpack_negative_vartime(ge25519 *r, const unsigned char p[32]) { scalarmults */ +DONNA_INLINE static void ge25519_set_neutral(ge25519 *r) +{ + memset(r, 0, sizeof(ge25519)); + r->y[0] = 1; + r->z[0] = 1; +} + #define S1_SWINDOWSIZE 5 #define S1_TABLE_SIZE (1<<(S1_SWINDOWSIZE-2)) #define S2_SWINDOWSIZE 7 #define S2_TABLE_SIZE (1<<(S2_SWINDOWSIZE-2)) -/* computes [s1]p1 + [s2]basepoint */ -static void -ge25519_double_scalarmult_vartime(ge25519 *r, const ge25519 *p1, const bignum256modm s1, const bignum256modm s2) { +/* computes [s1]p1 + [s2]base */ +STATIC void ge25519_double_scalarmult_vartime(ge25519 *r, const ge25519 *p1, const bignum256modm s1, const bignum256modm s2) { signed char slide1[256], slide2[256]; ge25519_pniels pre1[S1_TABLE_SIZE]; ge25519 d1; @@ -265,10 +270,7 @@ ge25519_double_scalarmult_vartime(ge25519 *r, const ge25519 *p1, const bignum256 for (i = 0; i < S1_TABLE_SIZE - 1; i++) ge25519_pnielsadd(&pre1[i+1], &d1, &pre1[i]); - /* set neutral */ - memset(r, 0, sizeof(ge25519)); - r->y[0] = 1; - r->z[0] = 1; + ge25519_set_neutral(r); i = 255; while ((i >= 0) && !(slide1[i] | slide2[i])) @@ -291,11 +293,156 @@ ge25519_double_scalarmult_vartime(ge25519 *r, const ge25519 *p1, const bignum256 } } +/* computes [s1]p1 */ +STATIC void ge25519_scalarmult_vartime(ge25519 *r, const ge25519 *p1, const bignum256modm s1) { + signed char slide1[256]; + ge25519_pniels pre1[S1_TABLE_SIZE]; + ge25519 d1; + ge25519_p1p1 t; + int32_t i; + contract256_slidingwindow_modm(slide1, s1, S1_SWINDOWSIZE); + + ge25519_double(&d1, p1); + ge25519_full_to_pniels(pre1, p1); + for (i = 0; i < S1_TABLE_SIZE - 1; i++) + ge25519_pnielsadd(&pre1[i+1], &d1, &pre1[i]); + + /* set neutral */ + ge25519_set_neutral(r); + + i = 255; + while ((i >= 0) && !slide1[i]) + i--; + + for (; i >= 0; i--) { + ge25519_double_p1p1(&t, r); + + if (slide1[i]) { + ge25519_p1p1_to_full(r, &t); + ge25519_pnielsadd_p1p1(&t, r, &pre1[abs(slide1[i]) / 2], (unsigned char)slide1[i] >> 7); + } + + ge25519_p1p1_to_partial(r, &t); + } +} + +/* + * The following conditional move stuff uses conditional moves. + * I will check on which compilers this works, and provide suitable + * workarounds for those where it doesn't. + * + * This works on gcc 4.x and above with -O3. Don't use -O2, this will + * cause the code to not generate conditional moves. Don't use any -march= + * with less than i686 on x86 + */ +DONNA_INLINE static void ge25519_cmove_stride4(long * r, long * p, long * pos, long * n, int stride) { + long x0=r[0], x1=r[1], x2=r[2], x3=r[3], y0, y1, y2, y3; + for(; p= 0; i--) { + int k=abs(slide1[i]); + ge25519_double_partial(r, r); + ge25519_double_partial(r, r); + ge25519_double_partial(r, r); + ge25519_double_p1p1(&t, r); + ge25519_move_conditional_pniels_array(&pre, pre1, k, 9); + ge25519_p1p1_to_full(r, &t); + ge25519_pnielsadd_p1p1(&t, r, &pre, (unsigned char)slide1[i] >> 7); + ge25519_p1p1_to_partial(r, &t); + } +} #if !defined(HAVE_GE25519_SCALARMULT_BASE_CHOOSE_NIELS) -static uint32_t +DONNA_INLINE static uint32_t ge25519_windowb_equal(uint32_t b, uint32_t c) { return ((b ^ c) - 1) >> 31; } @@ -306,15 +453,13 @@ ge25519_scalarmult_base_choose_niels(ge25519_niels *t, const uint8_t table[256][ uint32_t sign = (uint32_t)((unsigned char)b >> 7); uint32_t mask = ~(sign - 1); uint32_t u = (b + mask) ^ mask; - uint32_t i; /* ysubx, xaddy, t2d in packed form. initialize to ysubx = 1, xaddy = 1, t2d = 0 */ uint8_t packed[96] = {0}; packed[0] = 1; packed[32] = 1; - for (i = 0; i < 8; i++) - curve25519_move_conditional_bytes(packed, table[(pos * 8) + i], ge25519_windowb_equal(u, i + 1)); + ge25519_move_conditional_niels_array((ge25519_niels *)packed, &table[pos*8], u-1, 8); /* expand in to t */ curve25519_expand(t->ysubx, packed + 0); @@ -362,3 +507,7 @@ ge25519_scalarmult_base_niels(ge25519 *r, const uint8_t basepoint_table[256][96] } } +STATIC void ge25519_scalarmult_base(ge25519 *r, const bignum256modm s) { + ge25519_scalarmult_base_niels(r, ge25519_niels_base_multiples, s); +} + diff --git a/ed25519-donna/ed25519-donna-impl-sse2.h b/ed25519-donna/ed25519-donna-impl-sse2.h index 5fe3416381..67fd8f4954 100644 --- a/ed25519-donna/ed25519-donna-impl-sse2.h +++ b/ed25519-donna/ed25519-donna-impl-sse2.h @@ -149,7 +149,7 @@ ge25519_double(ge25519 *r, const ge25519 *p) { ge25519_p1p1_to_full(r, &t); } -static void +STATIC void ge25519_add(ge25519 *r, const ge25519 *p, const ge25519 *q) { ge25519_p1p1 ALIGN(16) t; ge25519_add_p1p1(&t, p, q); @@ -205,7 +205,7 @@ ge25519_pnielsadd(ge25519_pniels *r, const ge25519 *p, const ge25519_pniels *q) pack & unpack */ -static void +STATIC void ge25519_pack(unsigned char r[32], const ge25519 *p) { bignum25519 ALIGN(16) tx, ty, zi; unsigned char parity[32]; @@ -218,7 +218,7 @@ ge25519_pack(unsigned char r[32], const ge25519 *p) { } -static int +STATIC int ge25519_unpack_negative_vartime(ge25519 *r, const unsigned char p[32]) { static const bignum25519 ALIGN(16) one = {1}; static const unsigned char zero[32] = {0}; @@ -275,12 +275,20 @@ ge25519_unpack_negative_vartime(ge25519 *r, const unsigned char p[32]) { scalarmults */ +DONNA_INLINE static void ge25519_set_neutral(ge25519 *r) +{ + memset(r, 0, sizeof(ge25519)); + r->y[0] = 1; + r->z[0] = 1; +} + #define S1_SWINDOWSIZE 5 #define S1_TABLE_SIZE (1<<(S1_SWINDOWSIZE-2)) #define S2_SWINDOWSIZE 7 #define S2_TABLE_SIZE (1<<(S2_SWINDOWSIZE-2)) -static void +/* computes [s1]p1 + [s2]base */ +STATIC void ge25519_double_scalarmult_vartime(ge25519 *r, const ge25519 *p1, const bignum256modm s1, const bignum256modm s2) { signed char slide1[256], slide2[256]; ge25519_pniels ALIGN(16) pre1[S1_TABLE_SIZE]; @@ -322,13 +330,131 @@ ge25519_double_scalarmult_vartime(ge25519 *r, const ge25519 *p1, const bignum256 } } -#if !defined(HAVE_GE25519_SCALARMULT_BASE_CHOOSE_NIELS) +#ifndef MM16 +# define MM16 __attribute__((aligned(16))) +#endif -static uint32_t -ge25519_windowb_equal(uint32_t b, uint32_t c) { - return ((b ^ c) - 1) >> 31; +STATIC void +ge25519_scalarmult_vartime(ge25519 *r, const ge25519 *p1, const bignum256modm s1) { + signed char slide1[256]; + ge25519_pniels MM16 pre1[S1_TABLE_SIZE]; + ge25519 MM16 d1; + ge25519_p1p1 MM16 t; + int32_t i; + + contract256_slidingwindow_modm(slide1, s1, S1_SWINDOWSIZE); + + ge25519_double(&d1, p1); + ge25519_full_to_pniels(pre1, p1); + for (i = 0; i < S1_TABLE_SIZE - 1; i++) + ge25519_pnielsadd(&pre1[i+1], &d1, &pre1[i]); + + /* set neutral */ + memset(r, 0, sizeof(ge25519)); + r->y[0] = 1; + r->z[0] = 1; + + i = 255; + while ((i >= 0) && !slide1[i]) + i--; + + for (; i >= 0; i--) { + ge25519_double_p1p1(&t, r); + + if (slide1[i]) { + ge25519_p1p1_to_full(r, &t); + ge25519_pnielsadd_p1p1(&t, r, &pre1[abs(slide1[i]) / 2], (unsigned char)slide1[i] >> 7); + } + + ge25519_p1p1_to_partial(r, &t); + } } +DONNA_INLINE static void ge25519_cmove_stride4(long * r, long * p, long * pos, long * n, int stride) { + int i; + long x0=p[0], x1=p[1], x2=p[2], x3=p[3], y0, y1, y2, y3; + for(p+=stride; p= 0; i--) { + int k=abs(slide1[i]); + ge25519_double_partial(r, r); + ge25519_double_partial(r, r); + ge25519_double_partial(r, r); + ge25519_double_p1p1(&t, r); + ge25519_move_conditional_pniels_array(&pre, pre1, k, 9); + ge25519_p1p1_to_full(r, &t); + ge25519_pnielsadd_p1p1(&t, r, &pre, (unsigned char)slide1[i] >> 7); + ge25519_p1p1_to_partial(r, &t); + } +} + +#if !defined(HAVE_GE25519_SCALARMULT_BASE_CHOOSE_NIELS) static void ge25519_scalarmult_base_choose_niels(ge25519_niels *t, const uint8_t table[256][96], uint32_t pos, signed char b) { bignum25519 ALIGN(16) neg; @@ -342,8 +468,7 @@ ge25519_scalarmult_base_choose_niels(ge25519_niels *t, const uint8_t table[256][ packed[0] = 1; packed[32] = 1; - for (i = 0; i < 8; i++) - curve25519_move_conditional_bytes(packed, table[(pos * 8) + i], ge25519_windowb_equal(u, i + 1)); + ge25519_move_conditional_niels_array(packed, &table[pos*8], u-1, 8); /* expand in to t */ curve25519_expand(t->ysubx, packed + 0); @@ -355,10 +480,9 @@ ge25519_scalarmult_base_choose_niels(ge25519_niels *t, const uint8_t table[256][ curve25519_neg(neg, t->t2d); curve25519_swap_conditional(t->t2d, neg, sign); } - #endif /* HAVE_GE25519_SCALARMULT_BASE_CHOOSE_NIELS */ -static void +STATIC void ge25519_scalarmult_base_niels(ge25519 *r, const uint8_t table[256][96], const bignum256modm s) { signed char b[64]; uint32_t i; @@ -388,3 +512,8 @@ ge25519_scalarmult_base_niels(ge25519 *r, const uint8_t table[256][96], const bi ge25519_nielsadd2(r, &t); } } + +STATIC void ge25519_scalarmult_base(ge25519 *r, const bignum256modm s) { + ge25519_scalarmult_base_niels(r, ge25519_niels_base_multiples, s); +} + diff --git a/ed25519-donna/ed25519-donna-portable-identify.h b/ed25519-donna/ed25519-donna-portable-identify.h index 26a264cf9e..ee3a01cc4a 100644 --- a/ed25519-donna/ed25519-donna-portable-identify.h +++ b/ed25519-donna/ed25519-donna-portable-identify.h @@ -49,6 +49,9 @@ #define CPU_X86_64 #elif defined(__i586__) || defined(__i686__) || (defined(_M_IX86) && (_M_IX86 >= 500)) #define CPU_X86 500 + #ifdef __SSE2__ + #define ED25519_SSE2 + #endif #elif defined(__i486__) || (defined(_M_IX86) && (_M_IX86 >= 400)) #define CPU_X86 400 #elif defined(__i386__) || (defined(_M_IX86) && (_M_IX86 >= 300)) || defined(__X86__) || defined(_X86_) || defined(__I86__) diff --git a/ed25519-donna/ed25519.c b/ed25519-donna/ed25519.c index 58a755b8d3..b7c35847ec 100644 --- a/ed25519-donna/ed25519.c +++ b/ed25519-donna/ed25519.c @@ -13,6 +13,7 @@ #define ED25519_FN3(fn,suffix) fn##suffix #define ED25519_FN2(fn,suffix) ED25519_FN3(fn,suffix) #define ED25519_FN(fn) ED25519_FN2(fn,ED25519_SUFFIX) +#define STATIC static #include "ed25519-donna.h" #include "ed25519.h" diff --git a/ed25519-donna/modm-donna-32bit.h b/ed25519-donna/modm-donna-32bit.h index dfd76be668..5b17b6a74a 100644 --- a/ed25519-donna/modm-donna-32bit.h +++ b/ed25519-donna/modm-donna-32bit.h @@ -140,8 +140,7 @@ barrett_reduce256_modm(bignum256modm r, const bignum256modm q1, const bignum256m } /* addition modulo m */ -static void -add256_modm(bignum256modm r, const bignum256modm x, const bignum256modm y) { +STATIC void add256_modm(bignum256modm r, const bignum256modm x, const bignum256modm y) { bignum256modm_element_t c; c = x[0] + y[0]; r[0] = c & 0x3fffffff; c >>= 30; @@ -158,8 +157,7 @@ add256_modm(bignum256modm r, const bignum256modm x, const bignum256modm y) { } /* multiplication modulo m */ -static void -mul256_modm(bignum256modm r, const bignum256modm x, const bignum256modm y) { +STATIC void mul256_modm(bignum256modm r, const bignum256modm x, const bignum256modm y) { bignum256modm r1, q1; uint64_t c; bignum256modm_element_t f; @@ -204,8 +202,7 @@ mul256_modm(bignum256modm r, const bignum256modm x, const bignum256modm y) { barrett_reduce256_modm(r, q1, r1); } -static void -expand256_modm(bignum256modm out, const unsigned char *in, size_t len) { +STATIC void expand256_modm(bignum256modm out, const unsigned char *in, size_t len) { unsigned char work[64] = {0}; bignum256modm_element_t x[16]; bignum256modm q1; @@ -257,8 +254,7 @@ expand256_modm(bignum256modm out, const unsigned char *in, size_t len) { barrett_reduce256_modm(out, q1, out); } -static void -expand_raw256_modm(bignum256modm out, const unsigned char in[32]) { +STATIC void expand_raw256_modm(bignum256modm out, const unsigned char in[32]) { bignum256modm_element_t x[8]; x[0] = U8TO32_LE(in + 0); @@ -281,8 +277,7 @@ expand_raw256_modm(bignum256modm out, const unsigned char in[32]) { out[8] = ((x[ 7] >> 16) ) & 0x0000ffff; } -static void -contract256_modm(unsigned char out[32], const bignum256modm in) { +STATIC void contract256_modm(unsigned char out[32], const bignum256modm in) { U32TO8_LE(out + 0, (in[0] ) | (in[1] << 30)); U32TO8_LE(out + 4, (in[1] >> 2) | (in[2] << 28)); U32TO8_LE(out + 8, (in[2] >> 4) | (in[3] << 26)); @@ -295,8 +290,7 @@ contract256_modm(unsigned char out[32], const bignum256modm in) { -static void -contract256_window4_modm(signed char r[64], const bignum256modm in) { +STATIC void contract256_window4_modm(signed char r[64], const bignum256modm in) { char carry; signed char *quads = r; bignum256modm_element_t i, j, v; @@ -331,8 +325,7 @@ contract256_window4_modm(signed char r[64], const bignum256modm in) { r[63] += carry; } -static void -contract256_slidingwindow_modm(signed char r[256], const bignum256modm s, int windowsize) { +STATIC void contract256_slidingwindow_modm(signed char r[256], const bignum256modm s, int windowsize) { int i,j,k,b; int m = (1 << (windowsize - 1)) - 1, soplen = 256; signed char *bits = r; @@ -379,8 +372,7 @@ contract256_slidingwindow_modm(signed char r[256], const bignum256modm s, int wi */ /* out = a - b, a must be larger than b */ -static void -sub256_modm_batch(bignum256modm out, const bignum256modm a, const bignum256modm b, size_t limbsize) { +STATIC void sub256_modm_batch(bignum256modm out, const bignum256modm a, const bignum256modm b, size_t limbsize) { size_t i = 0; bignum256modm_element_t carry = 0; switch (limbsize) { @@ -399,8 +391,7 @@ sub256_modm_batch(bignum256modm out, const bignum256modm a, const bignum256modm /* is a < b */ -static int -lt256_modm_batch(const bignum256modm a, const bignum256modm b, size_t limbsize) { +STATIC int lt256_modm_batch(const bignum256modm a, const bignum256modm b, size_t limbsize) { switch (limbsize) { case 8: if (a[8] > b[8]) return 0; if (a[8] < b[8]) return 1; case 7: if (a[7] > b[7]) return 0; if (a[7] < b[7]) return 1; @@ -416,8 +407,7 @@ lt256_modm_batch(const bignum256modm a, const bignum256modm b, size_t limbsize) } /* is a <= b */ -static int -lte256_modm_batch(const bignum256modm a, const bignum256modm b, size_t limbsize) { +STATIC int lte256_modm_batch(const bignum256modm a, const bignum256modm b, size_t limbsize) { switch (limbsize) { case 8: if (a[8] > b[8]) return 0; if (a[8] < b[8]) return 1; case 7: if (a[7] > b[7]) return 0; if (a[7] < b[7]) return 1; @@ -434,8 +424,7 @@ lte256_modm_batch(const bignum256modm a, const bignum256modm b, size_t limbsize) /* is a == 0 */ -static int -iszero256_modm_batch(const bignum256modm a) { +STATIC int iszero256_modm_batch(const bignum256modm a) { size_t i; for (i = 0; i < 9; i++) if (a[i]) @@ -444,8 +433,7 @@ iszero256_modm_batch(const bignum256modm a) { } /* is a == 1 */ -static int -isone256_modm_batch(const bignum256modm a) { +STATIC int isone256_modm_batch(const bignum256modm a) { size_t i; if (a[0] != 1) return 0; @@ -456,8 +444,7 @@ isone256_modm_batch(const bignum256modm a) { } /* can a fit in to (at most) 128 bits */ -static int -isatmost128bits256_modm_batch(const bignum256modm a) { +STATIC int isatmost128bits256_modm_batch(const bignum256modm a) { uint32_t mask = ((a[8] ) | /* 16 */ (a[7] ) | /* 46 */ diff --git a/ed25519-donna/modm-donna-64bit.h b/ed25519-donna/modm-donna-64bit.h index a47a38a42d..4197f3bf6b 100644 --- a/ed25519-donna/modm-donna-64bit.h +++ b/ed25519-donna/modm-donna-64bit.h @@ -107,8 +107,7 @@ barrett_reduce256_modm(bignum256modm r, const bignum256modm q1, const bignum256m } -static void -add256_modm(bignum256modm r, const bignum256modm x, const bignum256modm y) { +STATIC void add256_modm(bignum256modm r, const bignum256modm x, const bignum256modm y) { bignum256modm_element_t c; c = x[0] + y[0]; r[0] = c & 0xffffffffffffff; c >>= 56; @@ -120,8 +119,7 @@ add256_modm(bignum256modm r, const bignum256modm x, const bignum256modm y) { reduce256_modm(r); } -static void -mul256_modm(bignum256modm r, const bignum256modm x, const bignum256modm y) { +STATIC void mul256_modm(bignum256modm r, const bignum256modm x, const bignum256modm y) { bignum256modm q1, r1; uint128_t c, mul; bignum256modm_element_t f; @@ -149,8 +147,7 @@ mul256_modm(bignum256modm r, const bignum256modm x, const bignum256modm y) { barrett_reduce256_modm(r, q1, r1); } -static void -expand256_modm(bignum256modm out, const unsigned char *in, size_t len) { +STATIC void expand256_modm(bignum256modm out, const unsigned char *in, size_t len) { unsigned char work[64] = {0}; bignum256modm_element_t x[16]; bignum256modm q1; @@ -186,8 +183,7 @@ expand256_modm(bignum256modm out, const unsigned char *in, size_t len) { barrett_reduce256_modm(out, q1, out); } -static void -expand_raw256_modm(bignum256modm out, const unsigned char in[32]) { +STATIC void expand_raw256_modm(bignum256modm out, const unsigned char in[32]) { bignum256modm_element_t x[4]; x[0] = U8TO64_LE(in + 0); @@ -202,16 +198,14 @@ expand_raw256_modm(bignum256modm out, const unsigned char in[32]) { out[4] = ((x[ 3] >> 32) ) & 0x000000ffffffff; } -static void -contract256_modm(unsigned char out[32], const bignum256modm in) { +STATIC void contract256_modm(unsigned char out[32], const bignum256modm in) { U64TO8_LE(out + 0, (in[0] ) | (in[1] << 56)); U64TO8_LE(out + 8, (in[1] >> 8) | (in[2] << 48)); U64TO8_LE(out + 16, (in[2] >> 16) | (in[3] << 40)); U64TO8_LE(out + 24, (in[3] >> 24) | (in[4] << 32)); } -static void -contract256_window4_modm(signed char r[64], const bignum256modm in) { +STATIC void contract256_window4_modm(signed char r[64], const bignum256modm in) { char carry; signed char *quads = r; bignum256modm_element_t i, j, v, m; @@ -237,8 +231,7 @@ contract256_window4_modm(signed char r[64], const bignum256modm in) { r[63] += carry; } -static void -contract256_slidingwindow_modm(signed char r[256], const bignum256modm s, int windowsize) { +STATIC void contract256_slidingwindow_modm(signed char r[256], const bignum256modm s, int windowsize) { int i,j,k,b; int m = (1 << (windowsize - 1)) - 1, soplen = 256; signed char *bits = r; @@ -284,8 +277,7 @@ contract256_slidingwindow_modm(signed char r[256], const bignum256modm s, int wi */ /* out = a - b, a must be larger than b */ -static void -sub256_modm_batch(bignum256modm out, const bignum256modm a, const bignum256modm b, size_t limbsize) { +STATIC void sub256_modm_batch(bignum256modm out, const bignum256modm a, const bignum256modm b, size_t limbsize) { size_t i = 0; bignum256modm_element_t carry = 0; switch (limbsize) { @@ -300,8 +292,7 @@ sub256_modm_batch(bignum256modm out, const bignum256modm a, const bignum256modm /* is a < b */ -static int -lt256_modm_batch(const bignum256modm a, const bignum256modm b, size_t limbsize) { +STATIC int lt256_modm_batch(const bignum256modm a, const bignum256modm b, size_t limbsize) { size_t i = 0; bignum256modm_element_t t, carry = 0; switch (limbsize) { @@ -315,8 +306,7 @@ lt256_modm_batch(const bignum256modm a, const bignum256modm b, size_t limbsize) } /* is a <= b */ -static int -lte256_modm_batch(const bignum256modm a, const bignum256modm b, size_t limbsize) { +STATIC int lte256_modm_batch(const bignum256modm a, const bignum256modm b, size_t limbsize) { size_t i = 0; bignum256modm_element_t t, carry = 0; switch (limbsize) { @@ -330,8 +320,7 @@ lte256_modm_batch(const bignum256modm a, const bignum256modm b, size_t limbsize) } /* is a == 0 */ -static int -iszero256_modm_batch(const bignum256modm a) { +STATIC int iszero256_modm_batch(const bignum256modm a) { size_t i; for (i = 0; i < 5; i++) if (a[i]) @@ -340,8 +329,7 @@ iszero256_modm_batch(const bignum256modm a) { } /* is a == 1 */ -static int -isone256_modm_batch(const bignum256modm a) { +STATIC int isone256_modm_batch(const bignum256modm a) { size_t i; for (i = 0; i < 5; i++) if (a[i] != ((i) ? 0 : 1)) @@ -350,8 +338,7 @@ isone256_modm_batch(const bignum256modm a) { } /* can a fit in to (at most) 128 bits */ -static int -isatmost128bits256_modm_batch(const bignum256modm a) { +STATIC int isatmost128bits256_modm_batch(const bignum256modm a) { uint64_t mask = ((a[4] ) | /* 32 */ (a[3] ) | /* 88 */