X-Git-Url: http://www.wagner.pp.ru/gitweb/?p=openssl-gost%2Fengine.git;a=blobdiff_plain;f=ecp_id_GostR3410_2001_CryptoPro_A_ParamSet.c;h=19b9f3f83816460772e8323b842af2d2c3ff353d;hp=e9389e681b47be80819d4beb3bd86919c4428b89;hb=HEAD;hpb=bc346202fbb3bc838a19af8c3b0e449926589c7b diff --git a/ecp_id_GostR3410_2001_CryptoPro_A_ParamSet.c b/ecp_id_GostR3410_2001_CryptoPro_A_ParamSet.c index e9389e6..19b9f3f 100644 --- a/ecp_id_GostR3410_2001_CryptoPro_A_ParamSet.c +++ b/ecp_id_GostR3410_2001_CryptoPro_A_ParamSet.c @@ -32,6 +32,10 @@ typedef uint64_t fe_t[LIMB_CNT]; typedef uint64_t limb_t; +#ifdef OPENSSL_NO_ASM +#define FIAT_ID_GOSTR3410_2001_CRYPTOPRO_A_PARAMSET_NO_ASM +#endif + #define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) #define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) @@ -80,18 +84,19 @@ typedef struct { * SOFTWARE. */ -/* Autogenerated: unsaturated_solinas --static id_GostR3410_2001_CryptoPro_A_ParamSet 64 5 '2^256 - 617' */ +/* Autogenerated: unsaturated_solinas --static --use-value-barrier id_GostR3410_2001_CryptoPro_A_ParamSet 64 5 '2^256 - 617' */ /* curve description: id_GostR3410_2001_CryptoPro_A_ParamSet */ /* machine_wordsize = 64 (from "64") */ /* requested operations: (all) */ /* n = 5 (from "5") */ /* s-c = 2^256 - [(1, 617)] (from "2^256 - 617") */ -/* tight_bounds_multiplier = 1.1 (from "") */ +/* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ /* carry_chain = [0, 1, 2, 3, 4, 0, 1] */ /* eval z = z[0] + (z[1] << 52) + (z[2] << 103) + (z[3] << 154) + (z[4] << 205) */ /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* balance = [0x1ffffffffffb2e, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] */ #include typedef unsigned char fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1; @@ -103,6 +108,17 @@ typedef unsigned __int128 fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint128; #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_ID_GOSTR3410_2001_CRYPTOPRO_A_PARAMSET_NO_ASM) && \ + (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint64_t +fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_value_barrier_u64(uint64_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +#define fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_value_barrier_u64(x) (x) +#endif + /* * The function fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_addcarryx_u52 is an addition with carry. * Postconditions: @@ -236,7 +252,11 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_cmovznz_u64( x1 = (!(!arg1)); x2 = ((fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); - x3 = ((x2 & arg3) | ((~x2) & arg2)); + x3 = + ((fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_value_barrier_u64(x2) & + arg3) | + (fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_value_barrier_u64((~x2)) & + arg2)); *out1 = x3; } @@ -246,10 +266,10 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_cmovznz_u64( * eval out1 mod m = (eval arg1 * eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] - * arg2: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * arg1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] + * arg2: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * out1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry_mul( uint64_t out1[5], const uint64_t arg1[5], const uint64_t arg2[5]) { @@ -411,9 +431,9 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry_mul( * eval out1 mod m = (eval arg1 * eval arg1) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * arg1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * out1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry_square( uint64_t out1[5], const uint64_t arg1[5]) { @@ -539,9 +559,9 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry_square( * eval out1 mod m = eval arg1 mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * arg1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * out1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry( uint64_t out1[5], const uint64_t arg1[5]) { @@ -584,10 +604,10 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry( * eval out1 mod m = (eval arg1 + eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] - * arg2: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * arg1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] + * arg2: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * out1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_add( uint64_t out1[5], const uint64_t arg1[5], const uint64_t arg2[5]) { @@ -614,10 +634,10 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_add( * eval out1 mod m = (eval arg1 - eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] - * arg2: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * arg1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] + * arg2: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * out1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_sub( uint64_t out1[5], const uint64_t arg1[5], const uint64_t arg2[5]) { @@ -644,9 +664,9 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_sub( * eval out1 mod m = -eval arg1 mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * arg1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * out1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_opp( uint64_t out1[5], const uint64_t arg1[5]) { @@ -710,7 +730,7 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_selectznz( * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] * * Input Bounds: - * arg1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * arg1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] * Output Bounds: * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] */ @@ -741,70 +761,70 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes( uint64_t x23; uint64_t x24; uint64_t x25; - uint64_t x26; - uint8_t x27; - uint64_t x28; - uint8_t x29; - uint64_t x30; - uint8_t x31; - uint64_t x32; - uint8_t x33; - uint64_t x34; - uint8_t x35; + uint8_t x26; + uint64_t x27; + uint8_t x28; + uint64_t x29; + uint8_t x30; + uint64_t x31; + uint8_t x32; + uint64_t x33; + uint8_t x34; + uint64_t x35; uint8_t x36; uint8_t x37; uint64_t x38; - uint64_t x39; - uint8_t x40; - uint64_t x41; - uint8_t x42; - uint64_t x43; - uint8_t x44; - uint64_t x45; - uint8_t x46; - uint64_t x47; - uint8_t x48; + uint8_t x39; + uint64_t x40; + uint8_t x41; + uint64_t x42; + uint8_t x43; + uint64_t x44; + uint8_t x45; + uint64_t x46; + uint8_t x47; + uint64_t x48; uint8_t x49; uint8_t x50; uint64_t x51; - uint64_t x52; - uint8_t x53; - uint64_t x54; - uint8_t x55; - uint64_t x56; - uint8_t x57; - uint64_t x58; - uint8_t x59; - uint64_t x60; - uint8_t x61; - uint64_t x62; - uint8_t x63; + uint8_t x52; + uint64_t x53; + uint8_t x54; + uint64_t x55; + uint8_t x56; + uint64_t x57; + uint8_t x58; + uint64_t x59; + uint8_t x60; + uint64_t x61; + uint8_t x62; + uint64_t x63; uint8_t x64; uint8_t x65; uint64_t x66; - uint64_t x67; - uint8_t x68; - uint64_t x69; - uint8_t x70; - uint64_t x71; - uint8_t x72; - uint64_t x73; - uint8_t x74; - uint64_t x75; - uint8_t x76; + uint8_t x67; + uint64_t x68; + uint8_t x69; + uint64_t x70; + uint8_t x71; + uint64_t x72; + uint8_t x73; + uint64_t x74; + uint8_t x75; + uint64_t x76; uint8_t x77; uint8_t x78; uint64_t x79; - uint64_t x80; - uint8_t x81; - uint64_t x82; - uint8_t x83; - uint64_t x84; - uint8_t x85; - uint64_t x86; - uint8_t x87; - uint64_t x88; - uint8_t x89; + uint8_t x80; + uint64_t x81; + uint8_t x82; + uint64_t x83; + uint8_t x84; + uint64_t x85; + uint8_t x86; + uint64_t x87; + uint8_t x88; + uint64_t x89; uint8_t x90; uint8_t x91; fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_subborrowx_u52( @@ -833,104 +853,104 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes( x23 = (x18 << 2); x24 = (x16 << 7); x25 = (x14 << 4); - x26 = (x12 >> 8); - x27 = (uint8_t)(x12 & UINT8_C(0xff)); - x28 = (x26 >> 8); - x29 = (uint8_t)(x26 & UINT8_C(0xff)); - x30 = (x28 >> 8); - x31 = (uint8_t)(x28 & UINT8_C(0xff)); - x32 = (x30 >> 8); - x33 = (uint8_t)(x30 & UINT8_C(0xff)); - x34 = (x32 >> 8); - x35 = (uint8_t)(x32 & UINT8_C(0xff)); - x36 = (uint8_t)(x34 >> 8); - x37 = (uint8_t)(x34 & UINT8_C(0xff)); - x38 = (x36 + x25); - x39 = (x38 >> 8); - x40 = (uint8_t)(x38 & UINT8_C(0xff)); - x41 = (x39 >> 8); - x42 = (uint8_t)(x39 & UINT8_C(0xff)); - x43 = (x41 >> 8); - x44 = (uint8_t)(x41 & UINT8_C(0xff)); - x45 = (x43 >> 8); - x46 = (uint8_t)(x43 & UINT8_C(0xff)); - x47 = (x45 >> 8); - x48 = (uint8_t)(x45 & UINT8_C(0xff)); - x49 = (uint8_t)(x47 >> 8); - x50 = (uint8_t)(x47 & UINT8_C(0xff)); - x51 = (x49 + x24); - x52 = (x51 >> 8); - x53 = (uint8_t)(x51 & UINT8_C(0xff)); - x54 = (x52 >> 8); - x55 = (uint8_t)(x52 & UINT8_C(0xff)); - x56 = (x54 >> 8); - x57 = (uint8_t)(x54 & UINT8_C(0xff)); - x58 = (x56 >> 8); - x59 = (uint8_t)(x56 & UINT8_C(0xff)); - x60 = (x58 >> 8); - x61 = (uint8_t)(x58 & UINT8_C(0xff)); - x62 = (x60 >> 8); - x63 = (uint8_t)(x60 & UINT8_C(0xff)); - x64 = (uint8_t)(x62 >> 8); - x65 = (uint8_t)(x62 & UINT8_C(0xff)); - x66 = (x64 + x23); - x67 = (x66 >> 8); - x68 = (uint8_t)(x66 & UINT8_C(0xff)); - x69 = (x67 >> 8); - x70 = (uint8_t)(x67 & UINT8_C(0xff)); - x71 = (x69 >> 8); - x72 = (uint8_t)(x69 & UINT8_C(0xff)); - x73 = (x71 >> 8); - x74 = (uint8_t)(x71 & UINT8_C(0xff)); - x75 = (x73 >> 8); - x76 = (uint8_t)(x73 & UINT8_C(0xff)); - x77 = (uint8_t)(x75 >> 8); - x78 = (uint8_t)(x75 & UINT8_C(0xff)); - x79 = (x77 + x22); - x80 = (x79 >> 8); - x81 = (uint8_t)(x79 & UINT8_C(0xff)); - x82 = (x80 >> 8); - x83 = (uint8_t)(x80 & UINT8_C(0xff)); - x84 = (x82 >> 8); - x85 = (uint8_t)(x82 & UINT8_C(0xff)); - x86 = (x84 >> 8); - x87 = (uint8_t)(x84 & UINT8_C(0xff)); - x88 = (x86 >> 8); - x89 = (uint8_t)(x86 & UINT8_C(0xff)); - x90 = (uint8_t)(x88 >> 8); - x91 = (uint8_t)(x88 & UINT8_C(0xff)); - out1[0] = x27; - out1[1] = x29; - out1[2] = x31; - out1[3] = x33; - out1[4] = x35; - out1[5] = x37; - out1[6] = x40; - out1[7] = x42; - out1[8] = x44; - out1[9] = x46; - out1[10] = x48; - out1[11] = x50; - out1[12] = x53; - out1[13] = x55; - out1[14] = x57; - out1[15] = x59; - out1[16] = x61; - out1[17] = x63; - out1[18] = x65; - out1[19] = x68; - out1[20] = x70; - out1[21] = x72; - out1[22] = x74; - out1[23] = x76; - out1[24] = x78; - out1[25] = x81; - out1[26] = x83; - out1[27] = x85; - out1[28] = x87; - out1[29] = x89; - out1[30] = x91; - out1[31] = x90; + x26 = (uint8_t)(x12 & UINT8_C(0xff)); + x27 = (x12 >> 8); + x28 = (uint8_t)(x27 & UINT8_C(0xff)); + x29 = (x27 >> 8); + x30 = (uint8_t)(x29 & UINT8_C(0xff)); + x31 = (x29 >> 8); + x32 = (uint8_t)(x31 & UINT8_C(0xff)); + x33 = (x31 >> 8); + x34 = (uint8_t)(x33 & UINT8_C(0xff)); + x35 = (x33 >> 8); + x36 = (uint8_t)(x35 & UINT8_C(0xff)); + x37 = (uint8_t)(x35 >> 8); + x38 = (x25 + (uint64_t)x37); + x39 = (uint8_t)(x38 & UINT8_C(0xff)); + x40 = (x38 >> 8); + x41 = (uint8_t)(x40 & UINT8_C(0xff)); + x42 = (x40 >> 8); + x43 = (uint8_t)(x42 & UINT8_C(0xff)); + x44 = (x42 >> 8); + x45 = (uint8_t)(x44 & UINT8_C(0xff)); + x46 = (x44 >> 8); + x47 = (uint8_t)(x46 & UINT8_C(0xff)); + x48 = (x46 >> 8); + x49 = (uint8_t)(x48 & UINT8_C(0xff)); + x50 = (uint8_t)(x48 >> 8); + x51 = (x24 + (uint64_t)x50); + x52 = (uint8_t)(x51 & UINT8_C(0xff)); + x53 = (x51 >> 8); + x54 = (uint8_t)(x53 & UINT8_C(0xff)); + x55 = (x53 >> 8); + x56 = (uint8_t)(x55 & UINT8_C(0xff)); + x57 = (x55 >> 8); + x58 = (uint8_t)(x57 & UINT8_C(0xff)); + x59 = (x57 >> 8); + x60 = (uint8_t)(x59 & UINT8_C(0xff)); + x61 = (x59 >> 8); + x62 = (uint8_t)(x61 & UINT8_C(0xff)); + x63 = (x61 >> 8); + x64 = (uint8_t)(x63 & UINT8_C(0xff)); + x65 = (uint8_t)(x63 >> 8); + x66 = (x23 + (uint64_t)x65); + x67 = (uint8_t)(x66 & UINT8_C(0xff)); + x68 = (x66 >> 8); + x69 = (uint8_t)(x68 & UINT8_C(0xff)); + x70 = (x68 >> 8); + x71 = (uint8_t)(x70 & UINT8_C(0xff)); + x72 = (x70 >> 8); + x73 = (uint8_t)(x72 & UINT8_C(0xff)); + x74 = (x72 >> 8); + x75 = (uint8_t)(x74 & UINT8_C(0xff)); + x76 = (x74 >> 8); + x77 = (uint8_t)(x76 & UINT8_C(0xff)); + x78 = (uint8_t)(x76 >> 8); + x79 = (x22 + (uint64_t)x78); + x80 = (uint8_t)(x79 & UINT8_C(0xff)); + x81 = (x79 >> 8); + x82 = (uint8_t)(x81 & UINT8_C(0xff)); + x83 = (x81 >> 8); + x84 = (uint8_t)(x83 & UINT8_C(0xff)); + x85 = (x83 >> 8); + x86 = (uint8_t)(x85 & UINT8_C(0xff)); + x87 = (x85 >> 8); + x88 = (uint8_t)(x87 & UINT8_C(0xff)); + x89 = (x87 >> 8); + x90 = (uint8_t)(x89 & UINT8_C(0xff)); + x91 = (uint8_t)(x89 >> 8); + out1[0] = x26; + out1[1] = x28; + out1[2] = x30; + out1[3] = x32; + out1[4] = x34; + out1[5] = x36; + out1[6] = x39; + out1[7] = x41; + out1[8] = x43; + out1[9] = x45; + out1[10] = x47; + out1[11] = x49; + out1[12] = x52; + out1[13] = x54; + out1[14] = x56; + out1[15] = x58; + out1[16] = x60; + out1[17] = x62; + out1[18] = x64; + out1[19] = x67; + out1[20] = x69; + out1[21] = x71; + out1[22] = x73; + out1[23] = x75; + out1[24] = x77; + out1[25] = x80; + out1[26] = x82; + out1[27] = x84; + out1[28] = x86; + out1[29] = x88; + out1[30] = x90; + out1[31] = x91; } /* @@ -941,7 +961,7 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes( * Input Bounds: * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] * Output Bounds: - * out1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * out1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_from_bytes( uint64_t out1[5], const uint8_t arg1[32]) { @@ -978,22 +998,44 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_from_bytes( uint64_t x31; uint8_t x32; uint64_t x33; - uint8_t x34; + uint64_t x34; uint64_t x35; uint64_t x36; uint64_t x37; uint64_t x38; uint64_t x39; - uint64_t x40; - fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1 x41; + uint8_t x40; + uint64_t x41; uint64_t x42; uint64_t x43; - uint8_t x44; + uint64_t x44; uint64_t x45; uint64_t x46; - uint8_t x47; - uint64_t x48; + uint64_t x47; + fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1 x48; uint64_t x49; + uint64_t x50; + uint64_t x51; + uint64_t x52; + uint64_t x53; + uint64_t x54; + uint64_t x55; + uint64_t x56; + uint8_t x57; + uint64_t x58; + uint64_t x59; + uint64_t x60; + uint64_t x61; + uint64_t x62; + uint64_t x63; + uint64_t x64; + uint8_t x65; + uint64_t x66; + uint64_t x67; + uint64_t x68; + uint64_t x69; + uint64_t x70; + uint64_t x71; x1 = ((uint64_t)(arg1[31]) << 43); x2 = ((uint64_t)(arg1[30]) << 35); x3 = ((uint64_t)(arg1[29]) << 27); @@ -1026,28 +1068,50 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_from_bytes( x30 = ((uint64_t)(arg1[2]) << 16); x31 = ((uint64_t)(arg1[1]) << 8); x32 = (arg1[0]); - x33 = (x32 + (x31 + (x30 + (x29 + (x28 + (x27 + x26)))))); - x34 = (uint8_t)(x33 >> 52); - x35 = (x33 & UINT64_C(0xfffffffffffff)); - x36 = (x6 + (x5 + (x4 + (x3 + (x2 + x1))))); - x37 = (x12 + (x11 + (x10 + (x9 + (x8 + x7))))); - x38 = (x19 + (x18 + (x17 + (x16 + (x15 + (x14 + x13)))))); - x39 = (x25 + (x24 + (x23 + (x22 + (x21 + x20))))); - x40 = (x34 + x39); - x41 = (fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1)(x40 >> 51); - x42 = (x40 & UINT64_C(0x7ffffffffffff)); - x43 = (x41 + x38); - x44 = (uint8_t)(x43 >> 51); - x45 = (x43 & UINT64_C(0x7ffffffffffff)); - x46 = (x44 + x37); - x47 = (uint8_t)(x46 >> 51); - x48 = (x46 & UINT64_C(0x7ffffffffffff)); - x49 = (x47 + x36); - out1[0] = x35; - out1[1] = x42; - out1[2] = x45; - out1[3] = x48; - out1[4] = x49; + x33 = (x31 + (uint64_t)x32); + x34 = (x30 + x33); + x35 = (x29 + x34); + x36 = (x28 + x35); + x37 = (x27 + x36); + x38 = (x26 + x37); + x39 = (x38 & UINT64_C(0xfffffffffffff)); + x40 = (uint8_t)(x38 >> 52); + x41 = (x25 + (uint64_t)x40); + x42 = (x24 + x41); + x43 = (x23 + x42); + x44 = (x22 + x43); + x45 = (x21 + x44); + x46 = (x20 + x45); + x47 = (x46 & UINT64_C(0x7ffffffffffff)); + x48 = (fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1)(x46 >> 51); + x49 = (x19 + (uint64_t)x48); + x50 = (x18 + x49); + x51 = (x17 + x50); + x52 = (x16 + x51); + x53 = (x15 + x52); + x54 = (x14 + x53); + x55 = (x13 + x54); + x56 = (x55 & UINT64_C(0x7ffffffffffff)); + x57 = (uint8_t)(x55 >> 51); + x58 = (x12 + (uint64_t)x57); + x59 = (x11 + x58); + x60 = (x10 + x59); + x61 = (x9 + x60); + x62 = (x8 + x61); + x63 = (x7 + x62); + x64 = (x63 & UINT64_C(0x7ffffffffffff)); + x65 = (uint8_t)(x63 >> 51); + x66 = (x6 + (uint64_t)x65); + x67 = (x5 + x66); + x68 = (x4 + x67); + x69 = (x3 + x68); + x70 = (x2 + x69); + x71 = (x1 + x70); + out1[0] = x39; + out1[1] = x47; + out1[2] = x56; + out1[3] = x64; + out1[4] = x71; } /* END verbatim fiat code */ @@ -3249,9 +3313,9 @@ static int scalar_get_bit(const unsigned char in[32], int idx) { * {\pm 1, \pm 3, \pm 5, \pm 7, \pm 9, ...} * i.e. signed odd digits with _no zeroes_ -- that makes it "regular". */ -static void scalar_rwnaf(char out[52], const unsigned char in[32]) { +static void scalar_rwnaf(int8_t out[52], const unsigned char in[32]) { int i; - char window, d; + int8_t window, d; window = (in[0] & (DRADIX_WNAF - 1)) | 1; for (i = 0; i < 51; i++) { @@ -3271,9 +3335,9 @@ static void scalar_rwnaf(char out[52], const unsigned char in[32]) { * Compute "textbook" wnaf representation of a scalar. * NB: not constant time */ -static void scalar_wnaf(char out[257], const unsigned char in[32]) { +static void scalar_wnaf(int8_t out[257], const unsigned char in[32]) { int i; - char window, d; + int8_t window, d; window = in[0] & (DRADIX_WNAF - 1); for (i = 0; i < 257; i++) { @@ -3287,15 +3351,15 @@ static void scalar_wnaf(char out[257], const unsigned char in[32]) { } /*- - * Simulateous scalar multiplication: interleaved "textbook" wnaf. + * Simultaneous scalar multiplication: interleaved "textbook" wnaf. * NB: not constant time */ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], const unsigned char b[32], const pt_aff_t *P) { int i, d, is_neg, is_inf = 1, flipped = 0; - char anaf[257] = {0}; - char bnaf[257] = {0}; - pt_prj_t Q; + int8_t anaf[257] = {0}; + int8_t bnaf[257] = {0}; + pt_prj_t Q = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -3360,8 +3424,8 @@ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], const pt_aff_t *P) { int i, j, d, diff, is_neg; - char rnaf[52] = {0}; - pt_prj_t Q, lut; + int8_t rnaf[52] = {0}; + pt_prj_t Q = {0}, lut = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -3436,9 +3500,9 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], */ static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { int i, j, k, d, diff, is_neg = 0; - char rnaf[52] = {0}; - pt_prj_t Q, R; - pt_aff_t lut; + int8_t rnaf[52] = {0}; + pt_prj_t Q = {0}, R = {0}; + pt_aff_t lut = {0}; scalar_rwnaf(rnaf, scalar); @@ -3499,6 +3563,12 @@ static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry_mul(out->Y, Q.Y, Q.Z); } +/*- + * Wrapper: simultaneous scalar mutiplication. + * outx, outy := a * G + b * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], const unsigned char a[32], const unsigned char b[32], const unsigned char inx[32], @@ -3514,6 +3584,11 @@ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes(outy, P.Y); } +/*- + * Wrapper: fixed scalar mutiplication. + * outx, outy := scalar * G + * Everything is LE byte ordering. + */ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32]) { pt_aff_t P; @@ -3524,6 +3599,12 @@ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes(outy, P.Y); } +/*- + * Wrapper: variable point scalar mutiplication. + * outx, outy := scalar * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32], const unsigned char inx[32], @@ -3538,10 +3619,16 @@ static void point_mul(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes(outy, P.Y); } + #include +/* the zero field element */ static const unsigned char const_zb[32] = {0}; +/*- + * An OpenSSL wrapper for simultaneous scalar multiplication. + * r := n * G + m * q + */ int point_mul_two_id_GostR3410_2001_CryptoPro_A_ParamSet( const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, @@ -3580,6 +3667,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for variable point scalar multiplication. + * r := m * q + */ int point_mul_id_GostR3410_2001_CryptoPro_A_ParamSet(const EC_GROUP *group, EC_POINT *r, @@ -3619,6 +3710,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for fixed scalar multiplication. + * r := n * G + */ int point_mul_g_id_GostR3410_2001_CryptoPro_A_ParamSet(const EC_GROUP *group, EC_POINT *r, @@ -3665,6 +3760,10 @@ err: typedef uint32_t fe_t[LIMB_CNT]; typedef uint32_t limb_t; +#ifdef OPENSSL_NO_ASM +#define FIAT_ID_GOSTR3410_2001_CRYPTOPRO_A_PARAMSET_NO_ASM +#endif + #define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) #define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) @@ -3713,18 +3812,19 @@ typedef struct { * SOFTWARE. */ -/* Autogenerated: unsaturated_solinas --static id_GostR3410_2001_CryptoPro_A_ParamSet 32 '(auto)' '2^256 - 617' */ +/* Autogenerated: unsaturated_solinas --static --use-value-barrier id_GostR3410_2001_CryptoPro_A_ParamSet 32 '(auto)' '2^256 - 617' */ /* curve description: id_GostR3410_2001_CryptoPro_A_ParamSet */ /* machine_wordsize = 32 (from "32") */ /* requested operations: (all) */ /* n = 11 (from "(auto)") */ /* s-c = 2^256 - [(1, 617)] (from "2^256 - 617") */ -/* tight_bounds_multiplier = 1.1 (from "") */ +/* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ /* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 0, 1] */ /* eval z = z[0] + (z[1] << 24) + (z[2] << 47) + (z[3] << 70) + (z[4] << 94) + (z[5] << 117) + (z[6] << 140) + (z[7] << 163) + (z[8] << 187) + (z[9] << 210) + (z[10] << 233) */ /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* balance = [0x1fffb2e, 0xfffffe, 0xfffffe, 0x1fffffe, 0xfffffe, 0xfffffe, 0xfffffe, 0x1fffffe, 0xfffffe, 0xfffffe, 0xfffffe] */ #include typedef unsigned char fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1; @@ -3734,6 +3834,17 @@ typedef signed char fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_int1; #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_ID_GOSTR3410_2001_CRYPTOPRO_A_PARAMSET_NO_ASM) && \ + (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint32_t +fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_value_barrier_u32(uint32_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +#define fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_value_barrier_u32(x) (x) +#endif + /* * The function fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_addcarryx_u24 is an addition with carry. * Postconditions: @@ -3867,7 +3978,11 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_cmovznz_u32( x1 = (!(!arg1)); x2 = ((fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_int1)(0x0 - x1) & UINT32_C(0xffffffff)); - x3 = ((x2 & arg3) | ((~x2) & arg2)); + x3 = + ((fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_value_barrier_u32(x2) & + arg3) | + (fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_value_barrier_u32((~x2)) & + arg2)); *out1 = x3; } @@ -3877,10 +3992,10 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_cmovznz_u32( * eval out1 mod m = (eval arg1 * eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] - * arg2: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] + * arg1: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] + * arg2: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] * Output Bounds: - * out1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * out1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry_mul( uint32_t out1[11], const uint32_t arg1[11], const uint32_t arg2[11]) { @@ -4280,9 +4395,9 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry_mul( * eval out1 mod m = (eval arg1 * eval arg1) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] + * arg1: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] * Output Bounds: - * out1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * out1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry_square( uint32_t out1[11], const uint32_t arg1[11]) { @@ -4579,9 +4694,9 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry_square( * eval out1 mod m = eval arg1 mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] + * arg1: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] * Output Bounds: - * out1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * out1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry( uint32_t out1[11], const uint32_t arg1[11]) { @@ -4654,10 +4769,10 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry( * eval out1 mod m = (eval arg1 + eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] - * arg2: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * arg1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] + * arg2: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] * Output Bounds: - * out1: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] + * out1: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_add( uint32_t out1[11], const uint32_t arg1[11], const uint32_t arg2[11]) { @@ -4702,10 +4817,10 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_add( * eval out1 mod m = (eval arg1 - eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] - * arg2: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * arg1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] + * arg2: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] * Output Bounds: - * out1: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] + * out1: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_sub( uint32_t out1[11], const uint32_t arg1[11], const uint32_t arg2[11]) { @@ -4750,9 +4865,9 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_sub( * eval out1 mod m = -eval arg1 mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * arg1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] * Output Bounds: - * out1: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] + * out1: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_opp( uint32_t out1[11], const uint32_t arg1[11]) { @@ -4858,7 +4973,7 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_selectznz( * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] * * Input Bounds: - * arg1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * arg1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] * Output Bounds: * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] */ @@ -4918,76 +5033,75 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes( uint32_t x52; uint32_t x53; uint32_t x54; - uint32_t x55; - uint8_t x56; + uint8_t x55; + uint32_t x56; uint8_t x57; uint8_t x58; uint8_t x59; uint32_t x60; uint8_t x61; uint8_t x62; - uint8_t x63; - uint32_t x64; + uint32_t x63; + uint8_t x64; uint32_t x65; uint8_t x66; uint32_t x67; uint8_t x68; uint8_t x69; - uint8_t x70; - uint32_t x71; + uint32_t x70; + uint8_t x71; uint32_t x72; uint8_t x73; uint32_t x74; uint8_t x75; uint8_t x76; - uint8_t x77; - uint32_t x78; + uint32_t x77; + uint8_t x78; uint32_t x79; uint8_t x80; uint32_t x81; uint8_t x82; uint8_t x83; - uint8_t x84; - uint32_t x85; + uint32_t x84; + uint8_t x85; uint32_t x86; uint8_t x87; uint32_t x88; uint8_t x89; uint8_t x90; - uint8_t x91; - uint32_t x92; + uint32_t x91; + uint8_t x92; uint32_t x93; uint8_t x94; uint32_t x95; uint8_t x96; uint8_t x97; - uint8_t x98; - uint32_t x99; + uint32_t x98; + uint8_t x99; uint32_t x100; uint8_t x101; uint32_t x102; uint8_t x103; uint8_t x104; - uint8_t x105; - uint32_t x106; + uint32_t x105; + uint8_t x106; uint32_t x107; uint8_t x108; uint32_t x109; uint8_t x110; uint8_t x111; - uint8_t x112; - uint32_t x113; + uint32_t x112; + uint8_t x113; uint32_t x114; uint8_t x115; uint32_t x116; uint8_t x117; fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1 x118; - uint8_t x119; - uint32_t x120; + uint32_t x119; + uint8_t x120; uint32_t x121; uint8_t x122; uint8_t x123; - uint8_t x124; fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_subborrowx_u24( &x1, &x2, 0x0, (arg1[0]), UINT32_C(0xfffd97)); fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_subborrowx_u23( @@ -5043,107 +5157,106 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes( x52 = (x32 << 6); x53 = (x30 << 6); x54 = (x28 << 7); - x55 = (x24 >> 8); - x56 = (uint8_t)(x24 & UINT8_C(0xff)); - x57 = (uint8_t)(x55 >> 8); - x58 = (uint8_t)(x55 & UINT8_C(0xff)); - x59 = (uint8_t)(x57 & UINT8_C(0xff)); + x55 = (uint8_t)(x24 & UINT8_C(0xff)); + x56 = (x24 >> 8); + x57 = (uint8_t)(x56 & UINT8_C(0xff)); + x58 = (uint8_t)(x56 >> 8); + x59 = (uint8_t)(x26 & UINT8_C(0xff)); x60 = (x26 >> 8); - x61 = (uint8_t)(x26 & UINT8_C(0xff)); + x61 = (uint8_t)(x60 & UINT8_C(0xff)); x62 = (uint8_t)(x60 >> 8); - x63 = (uint8_t)(x60 & UINT8_C(0xff)); - x64 = (x62 + x54); - x65 = (x64 >> 8); - x66 = (uint8_t)(x64 & UINT8_C(0xff)); + x63 = (x54 + (uint32_t)x62); + x64 = (uint8_t)(x63 & UINT8_C(0xff)); + x65 = (x63 >> 8); + x66 = (uint8_t)(x65 & UINT8_C(0xff)); x67 = (x65 >> 8); - x68 = (uint8_t)(x65 & UINT8_C(0xff)); + x68 = (uint8_t)(x67 & UINT8_C(0xff)); x69 = (uint8_t)(x67 >> 8); - x70 = (uint8_t)(x67 & UINT8_C(0xff)); - x71 = (x69 + x53); - x72 = (x71 >> 8); - x73 = (uint8_t)(x71 & UINT8_C(0xff)); + x70 = (x53 + (uint32_t)x69); + x71 = (uint8_t)(x70 & UINT8_C(0xff)); + x72 = (x70 >> 8); + x73 = (uint8_t)(x72 & UINT8_C(0xff)); x74 = (x72 >> 8); - x75 = (uint8_t)(x72 & UINT8_C(0xff)); + x75 = (uint8_t)(x74 & UINT8_C(0xff)); x76 = (uint8_t)(x74 >> 8); - x77 = (uint8_t)(x74 & UINT8_C(0xff)); - x78 = (x76 + x52); - x79 = (x78 >> 8); - x80 = (uint8_t)(x78 & UINT8_C(0xff)); + x77 = (x52 + (uint32_t)x76); + x78 = (uint8_t)(x77 & UINT8_C(0xff)); + x79 = (x77 >> 8); + x80 = (uint8_t)(x79 & UINT8_C(0xff)); x81 = (x79 >> 8); - x82 = (uint8_t)(x79 & UINT8_C(0xff)); + x82 = (uint8_t)(x81 & UINT8_C(0xff)); x83 = (uint8_t)(x81 >> 8); - x84 = (uint8_t)(x81 & UINT8_C(0xff)); - x85 = (x83 + x51); - x86 = (x85 >> 8); - x87 = (uint8_t)(x85 & UINT8_C(0xff)); + x84 = (x51 + (uint32_t)x83); + x85 = (uint8_t)(x84 & UINT8_C(0xff)); + x86 = (x84 >> 8); + x87 = (uint8_t)(x86 & UINT8_C(0xff)); x88 = (x86 >> 8); - x89 = (uint8_t)(x86 & UINT8_C(0xff)); + x89 = (uint8_t)(x88 & UINT8_C(0xff)); x90 = (uint8_t)(x88 >> 8); - x91 = (uint8_t)(x88 & UINT8_C(0xff)); - x92 = (x90 + x50); - x93 = (x92 >> 8); - x94 = (uint8_t)(x92 & UINT8_C(0xff)); + x91 = (x50 + (uint32_t)x90); + x92 = (uint8_t)(x91 & UINT8_C(0xff)); + x93 = (x91 >> 8); + x94 = (uint8_t)(x93 & UINT8_C(0xff)); x95 = (x93 >> 8); - x96 = (uint8_t)(x93 & UINT8_C(0xff)); + x96 = (uint8_t)(x95 & UINT8_C(0xff)); x97 = (uint8_t)(x95 >> 8); - x98 = (uint8_t)(x95 & UINT8_C(0xff)); - x99 = (x97 + x49); - x100 = (x99 >> 8); - x101 = (uint8_t)(x99 & UINT8_C(0xff)); + x98 = (x49 + (uint32_t)x97); + x99 = (uint8_t)(x98 & UINT8_C(0xff)); + x100 = (x98 >> 8); + x101 = (uint8_t)(x100 & UINT8_C(0xff)); x102 = (x100 >> 8); - x103 = (uint8_t)(x100 & UINT8_C(0xff)); + x103 = (uint8_t)(x102 & UINT8_C(0xff)); x104 = (uint8_t)(x102 >> 8); - x105 = (uint8_t)(x102 & UINT8_C(0xff)); - x106 = (x104 + x48); - x107 = (x106 >> 8); - x108 = (uint8_t)(x106 & UINT8_C(0xff)); + x105 = (x48 + (uint32_t)x104); + x106 = (uint8_t)(x105 & UINT8_C(0xff)); + x107 = (x105 >> 8); + x108 = (uint8_t)(x107 & UINT8_C(0xff)); x109 = (x107 >> 8); - x110 = (uint8_t)(x107 & UINT8_C(0xff)); + x110 = (uint8_t)(x109 & UINT8_C(0xff)); x111 = (uint8_t)(x109 >> 8); - x112 = (uint8_t)(x109 & UINT8_C(0xff)); - x113 = (x111 + x47); - x114 = (x113 >> 8); - x115 = (uint8_t)(x113 & UINT8_C(0xff)); + x112 = (x47 + (uint32_t)x111); + x113 = (uint8_t)(x112 & UINT8_C(0xff)); + x114 = (x112 >> 8); + x115 = (uint8_t)(x114 & UINT8_C(0xff)); x116 = (x114 >> 8); - x117 = (uint8_t)(x114 & UINT8_C(0xff)); + x117 = (uint8_t)(x116 & UINT8_C(0xff)); x118 = (fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1)(x116 >> 8); - x119 = (uint8_t)(x116 & UINT8_C(0xff)); - x120 = (x118 + x46); - x121 = (x120 >> 8); - x122 = (uint8_t)(x120 & UINT8_C(0xff)); + x119 = (x46 + (uint32_t)x118); + x120 = (uint8_t)(x119 & UINT8_C(0xff)); + x121 = (x119 >> 8); + x122 = (uint8_t)(x121 & UINT8_C(0xff)); x123 = (uint8_t)(x121 >> 8); - x124 = (uint8_t)(x121 & UINT8_C(0xff)); - out1[0] = x56; - out1[1] = x58; - out1[2] = x59; - out1[3] = x61; - out1[4] = x63; - out1[5] = x66; - out1[6] = x68; - out1[7] = x70; - out1[8] = x73; - out1[9] = x75; - out1[10] = x77; - out1[11] = x80; - out1[12] = x82; - out1[13] = x84; - out1[14] = x87; - out1[15] = x89; - out1[16] = x91; - out1[17] = x94; - out1[18] = x96; - out1[19] = x98; - out1[20] = x101; - out1[21] = x103; - out1[22] = x105; - out1[23] = x108; - out1[24] = x110; - out1[25] = x112; - out1[26] = x115; - out1[27] = x117; - out1[28] = x119; - out1[29] = x122; - out1[30] = x124; + out1[0] = x55; + out1[1] = x57; + out1[2] = x58; + out1[3] = x59; + out1[4] = x61; + out1[5] = x64; + out1[6] = x66; + out1[7] = x68; + out1[8] = x71; + out1[9] = x73; + out1[10] = x75; + out1[11] = x78; + out1[12] = x80; + out1[13] = x82; + out1[14] = x85; + out1[15] = x87; + out1[16] = x89; + out1[17] = x92; + out1[18] = x94; + out1[19] = x96; + out1[20] = x99; + out1[21] = x101; + out1[22] = x103; + out1[23] = x106; + out1[24] = x108; + out1[25] = x110; + out1[26] = x113; + out1[27] = x115; + out1[28] = x117; + out1[29] = x120; + out1[30] = x122; out1[31] = x123; } @@ -5155,7 +5268,7 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes( * Input Bounds: * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] * Output Bounds: - * out1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * out1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_from_bytes( uint32_t out1[11], const uint8_t arg1[32]) { @@ -5196,40 +5309,49 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_from_bytes( uint32_t x35; uint32_t x36; uint32_t x37; - uint32_t x38; + fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1 x38; uint32_t x39; uint32_t x40; uint32_t x41; uint32_t x42; - uint32_t x43; + uint8_t x43; uint32_t x44; - fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1 x45; + uint32_t x45; uint32_t x46; uint32_t x47; uint8_t x48; uint32_t x49; uint32_t x50; - uint8_t x51; + uint32_t x51; uint32_t x52; - uint32_t x53; - uint8_t x54; + uint8_t x53; + uint32_t x54; uint32_t x55; uint32_t x56; - uint8_t x57; - uint32_t x58; + uint32_t x57; + uint8_t x58; uint32_t x59; - uint8_t x60; + uint32_t x60; uint32_t x61; uint32_t x62; uint8_t x63; uint32_t x64; uint32_t x65; - uint8_t x66; + uint32_t x66; uint32_t x67; - uint32_t x68; - uint8_t x69; + uint8_t x68; + uint32_t x69; uint32_t x70; uint32_t x71; + uint32_t x72; + uint8_t x73; + uint32_t x74; + uint32_t x75; + uint32_t x76; + uint32_t x77; + uint8_t x78; + uint32_t x79; + uint32_t x80; x1 = ((uint32_t)(arg1[31]) << 15); x2 = ((uint32_t)(arg1[30]) << 7); x3 = ((uint32_t)(arg1[29]) << 22); @@ -5262,56 +5384,65 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_from_bytes( x30 = ((uint32_t)(arg1[2]) << 16); x31 = ((uint32_t)(arg1[1]) << 8); x32 = (arg1[0]); - x33 = (x32 + (x31 + x30)); - x34 = (x33 & UINT32_C(0xffffff)); - x35 = (x2 + x1); - x36 = (x5 + (x4 + x3)); - x37 = (x8 + (x7 + x6)); - x38 = (x11 + (x10 + x9)); - x39 = (x14 + (x13 + x12)); - x40 = (x17 + (x16 + x15)); - x41 = (x20 + (x19 + x18)); - x42 = (x23 + (x22 + x21)); - x43 = (x26 + (x25 + x24)); - x44 = (x29 + (x28 + x27)); - x45 = (fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1)(x44 >> 23); - x46 = (x44 & UINT32_C(0x7fffff)); - x47 = (x45 + x43); - x48 = (uint8_t)(x47 >> 23); - x49 = (x47 & UINT32_C(0x7fffff)); - x50 = (x48 + x42); - x51 = (uint8_t)(x50 >> 24); - x52 = (x50 & UINT32_C(0xffffff)); - x53 = (x51 + x41); - x54 = (uint8_t)(x53 >> 23); - x55 = (x53 & UINT32_C(0x7fffff)); - x56 = (x54 + x40); - x57 = (uint8_t)(x56 >> 23); - x58 = (x56 & UINT32_C(0x7fffff)); - x59 = (x57 + x39); - x60 = (uint8_t)(x59 >> 23); - x61 = (x59 & UINT32_C(0x7fffff)); - x62 = (x60 + x38); - x63 = (uint8_t)(x62 >> 24); - x64 = (x62 & UINT32_C(0xffffff)); - x65 = (x63 + x37); - x66 = (uint8_t)(x65 >> 23); - x67 = (x65 & UINT32_C(0x7fffff)); - x68 = (x66 + x36); - x69 = (uint8_t)(x68 >> 23); - x70 = (x68 & UINT32_C(0x7fffff)); - x71 = (x69 + x35); + x33 = (x31 + (uint32_t)x32); + x34 = (x30 + x33); + x35 = (x28 + (uint32_t)x29); + x36 = (x27 + x35); + x37 = (x36 & UINT32_C(0x7fffff)); + x38 = (fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1)(x36 >> 23); + x39 = (x26 + (uint32_t)x38); + x40 = (x25 + x39); + x41 = (x24 + x40); + x42 = (x41 & UINT32_C(0x7fffff)); + x43 = (uint8_t)(x41 >> 23); + x44 = (x23 + (uint32_t)x43); + x45 = (x22 + x44); + x46 = (x21 + x45); + x47 = (x46 & UINT32_C(0xffffff)); + x48 = (uint8_t)(x46 >> 24); + x49 = (x20 + (uint32_t)x48); + x50 = (x19 + x49); + x51 = (x18 + x50); + x52 = (x51 & UINT32_C(0x7fffff)); + x53 = (uint8_t)(x51 >> 23); + x54 = (x17 + (uint32_t)x53); + x55 = (x16 + x54); + x56 = (x15 + x55); + x57 = (x56 & UINT32_C(0x7fffff)); + x58 = (uint8_t)(x56 >> 23); + x59 = (x14 + (uint32_t)x58); + x60 = (x13 + x59); + x61 = (x12 + x60); + x62 = (x61 & UINT32_C(0x7fffff)); + x63 = (uint8_t)(x61 >> 23); + x64 = (x11 + (uint32_t)x63); + x65 = (x10 + x64); + x66 = (x9 + x65); + x67 = (x66 & UINT32_C(0xffffff)); + x68 = (uint8_t)(x66 >> 24); + x69 = (x8 + (uint32_t)x68); + x70 = (x7 + x69); + x71 = (x6 + x70); + x72 = (x71 & UINT32_C(0x7fffff)); + x73 = (uint8_t)(x71 >> 23); + x74 = (x5 + (uint32_t)x73); + x75 = (x4 + x74); + x76 = (x3 + x75); + x77 = (x76 & UINT32_C(0x7fffff)); + x78 = (uint8_t)(x76 >> 23); + x79 = (x2 + (uint32_t)x78); + x80 = (x1 + x79); out1[0] = x34; - out1[1] = x46; - out1[2] = x49; - out1[3] = x52; - out1[4] = x55; - out1[5] = x58; - out1[6] = x61; - out1[7] = x64; - out1[8] = x67; - out1[9] = x70; - out1[10] = x71; + out1[1] = x37; + out1[2] = x42; + out1[3] = x47; + out1[4] = x52; + out1[5] = x57; + out1[6] = x62; + out1[7] = x67; + out1[8] = x72; + out1[9] = x77; + out1[10] = x80; } /* END verbatim fiat code */ @@ -8123,9 +8254,9 @@ static int scalar_get_bit(const unsigned char in[32], int idx) { * {\pm 1, \pm 3, \pm 5, \pm 7, \pm 9, ...} * i.e. signed odd digits with _no zeroes_ -- that makes it "regular". */ -static void scalar_rwnaf(char out[52], const unsigned char in[32]) { +static void scalar_rwnaf(int8_t out[52], const unsigned char in[32]) { int i; - char window, d; + int8_t window, d; window = (in[0] & (DRADIX_WNAF - 1)) | 1; for (i = 0; i < 51; i++) { @@ -8145,9 +8276,9 @@ static void scalar_rwnaf(char out[52], const unsigned char in[32]) { * Compute "textbook" wnaf representation of a scalar. * NB: not constant time */ -static void scalar_wnaf(char out[257], const unsigned char in[32]) { +static void scalar_wnaf(int8_t out[257], const unsigned char in[32]) { int i; - char window, d; + int8_t window, d; window = in[0] & (DRADIX_WNAF - 1); for (i = 0; i < 257; i++) { @@ -8161,15 +8292,15 @@ static void scalar_wnaf(char out[257], const unsigned char in[32]) { } /*- - * Simulateous scalar multiplication: interleaved "textbook" wnaf. + * Simultaneous scalar multiplication: interleaved "textbook" wnaf. * NB: not constant time */ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], const unsigned char b[32], const pt_aff_t *P) { int i, d, is_neg, is_inf = 1, flipped = 0; - char anaf[257] = {0}; - char bnaf[257] = {0}; - pt_prj_t Q; + int8_t anaf[257] = {0}; + int8_t bnaf[257] = {0}; + pt_prj_t Q = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -8234,8 +8365,8 @@ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], const pt_aff_t *P) { int i, j, d, diff, is_neg; - char rnaf[52] = {0}; - pt_prj_t Q, lut; + int8_t rnaf[52] = {0}; + pt_prj_t Q = {0}, lut = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -8310,9 +8441,9 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], */ static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { int i, j, k, d, diff, is_neg = 0; - char rnaf[52] = {0}; - pt_prj_t Q, R; - pt_aff_t lut; + int8_t rnaf[52] = {0}; + pt_prj_t Q = {0}, R = {0}; + pt_aff_t lut = {0}; scalar_rwnaf(rnaf, scalar); @@ -8373,6 +8504,12 @@ static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry_mul(out->Y, Q.Y, Q.Z); } +/*- + * Wrapper: simultaneous scalar mutiplication. + * outx, outy := a * G + b * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], const unsigned char a[32], const unsigned char b[32], const unsigned char inx[32], @@ -8388,6 +8525,11 @@ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes(outy, P.Y); } +/*- + * Wrapper: fixed scalar mutiplication. + * outx, outy := scalar * G + * Everything is LE byte ordering. + */ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32]) { pt_aff_t P; @@ -8398,6 +8540,12 @@ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes(outy, P.Y); } +/*- + * Wrapper: variable point scalar mutiplication. + * outx, outy := scalar * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32], const unsigned char inx[32], @@ -8412,10 +8560,16 @@ static void point_mul(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes(outy, P.Y); } + #include +/* the zero field element */ static const unsigned char const_zb[32] = {0}; +/*- + * An OpenSSL wrapper for simultaneous scalar multiplication. + * r := n * G + m * q + */ int point_mul_two_id_GostR3410_2001_CryptoPro_A_ParamSet( const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, @@ -8454,6 +8608,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for variable point scalar multiplication. + * r := m * q + */ int point_mul_id_GostR3410_2001_CryptoPro_A_ParamSet(const EC_GROUP *group, EC_POINT *r, @@ -8493,6 +8651,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for fixed scalar multiplication. + * r := n * G + */ int point_mul_g_id_GostR3410_2001_CryptoPro_A_ParamSet(const EC_GROUP *group, EC_POINT *r,