From 35d2c614ff6e0c58ac6e052f166bea18aa4b7782 Mon Sep 17 00:00:00 2001 From: Luis Rivera Zamarripa Date: Thu, 20 Aug 2020 12:56:31 +0300 Subject: [PATCH] [ecp] validation with coverity --- ecp_id_GostR3410_2001_CryptoPro_A_ParamSet.c | 944 +++++----- ecp_id_GostR3410_2001_CryptoPro_B_ParamSet.c | 697 +++++--- ecp_id_GostR3410_2001_CryptoPro_C_ParamSet.c | 697 +++++--- ecp_id_GostR3410_2001_TestParamSet.c | 693 +++++--- ecp_id_tc26_gost_3410_2012_256_paramSetA.c | 946 +++++----- ecp_id_tc26_gost_3410_2012_512_paramSetA.c | 1660 +++++++++-------- ecp_id_tc26_gost_3410_2012_512_paramSetB.c | 1289 ++++++++------ ecp_id_tc26_gost_3410_2012_512_paramSetC.c | 1662 ++++++++++-------- 8 files changed, 4949 insertions(+), 3639 deletions(-) diff --git a/ecp_id_GostR3410_2001_CryptoPro_A_ParamSet.c b/ecp_id_GostR3410_2001_CryptoPro_A_ParamSet.c index b309808..19b9f3f 100644 --- a/ecp_id_GostR3410_2001_CryptoPro_A_ParamSet.c +++ b/ecp_id_GostR3410_2001_CryptoPro_A_ParamSet.c @@ -32,6 +32,10 @@ typedef uint64_t fe_t[LIMB_CNT]; typedef uint64_t limb_t; +#ifdef OPENSSL_NO_ASM +#define FIAT_ID_GOSTR3410_2001_CRYPTOPRO_A_PARAMSET_NO_ASM +#endif + #define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) #define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) @@ -80,18 +84,19 @@ typedef struct { * SOFTWARE. */ -/* Autogenerated: unsaturated_solinas --static id_GostR3410_2001_CryptoPro_A_ParamSet 64 5 '2^256 - 617' */ +/* Autogenerated: unsaturated_solinas --static --use-value-barrier id_GostR3410_2001_CryptoPro_A_ParamSet 64 5 '2^256 - 617' */ /* curve description: id_GostR3410_2001_CryptoPro_A_ParamSet */ /* machine_wordsize = 64 (from "64") */ /* requested operations: (all) */ /* n = 5 (from "5") */ /* s-c = 2^256 - [(1, 617)] (from "2^256 - 617") */ -/* tight_bounds_multiplier = 1.1 (from "") */ +/* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ /* carry_chain = [0, 1, 2, 3, 4, 0, 1] */ /* eval z = z[0] + (z[1] << 52) + (z[2] << 103) + (z[3] << 154) + (z[4] << 205) */ /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* balance = [0x1ffffffffffb2e, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] */ #include typedef unsigned char fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1; @@ -103,6 +108,17 @@ typedef unsigned __int128 fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint128; #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_ID_GOSTR3410_2001_CRYPTOPRO_A_PARAMSET_NO_ASM) && \ + (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint64_t +fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_value_barrier_u64(uint64_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +#define fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_value_barrier_u64(x) (x) +#endif + /* * The function fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_addcarryx_u52 is an addition with carry. * Postconditions: @@ -236,7 +252,11 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_cmovznz_u64( x1 = (!(!arg1)); x2 = ((fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); - x3 = ((x2 & arg3) | ((~x2) & arg2)); + x3 = + ((fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_value_barrier_u64(x2) & + arg3) | + (fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_value_barrier_u64((~x2)) & + arg2)); *out1 = x3; } @@ -246,10 +266,10 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_cmovznz_u64( * eval out1 mod m = (eval arg1 * eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] - * arg2: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * arg1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] + * arg2: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * out1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry_mul( uint64_t out1[5], const uint64_t arg1[5], const uint64_t arg2[5]) { @@ -411,9 +431,9 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry_mul( * eval out1 mod m = (eval arg1 * eval arg1) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * arg1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * out1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry_square( uint64_t out1[5], const uint64_t arg1[5]) { @@ -539,9 +559,9 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry_square( * eval out1 mod m = eval arg1 mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * arg1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * out1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry( uint64_t out1[5], const uint64_t arg1[5]) { @@ -584,10 +604,10 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry( * eval out1 mod m = (eval arg1 + eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] - * arg2: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * arg1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] + * arg2: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * out1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_add( uint64_t out1[5], const uint64_t arg1[5], const uint64_t arg2[5]) { @@ -614,10 +634,10 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_add( * eval out1 mod m = (eval arg1 - eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] - * arg2: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * arg1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] + * arg2: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * out1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_sub( uint64_t out1[5], const uint64_t arg1[5], const uint64_t arg2[5]) { @@ -644,9 +664,9 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_sub( * eval out1 mod m = -eval arg1 mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * arg1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * out1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_opp( uint64_t out1[5], const uint64_t arg1[5]) { @@ -710,7 +730,7 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_selectznz( * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] * * Input Bounds: - * arg1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * arg1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] * Output Bounds: * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] */ @@ -741,70 +761,70 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes( uint64_t x23; uint64_t x24; uint64_t x25; - uint64_t x26; - uint8_t x27; - uint64_t x28; - uint8_t x29; - uint64_t x30; - uint8_t x31; - uint64_t x32; - uint8_t x33; - uint64_t x34; - uint8_t x35; + uint8_t x26; + uint64_t x27; + uint8_t x28; + uint64_t x29; + uint8_t x30; + uint64_t x31; + uint8_t x32; + uint64_t x33; + uint8_t x34; + uint64_t x35; uint8_t x36; uint8_t x37; uint64_t x38; - uint64_t x39; - uint8_t x40; - uint64_t x41; - uint8_t x42; - uint64_t x43; - uint8_t x44; - uint64_t x45; - uint8_t x46; - uint64_t x47; - uint8_t x48; + uint8_t x39; + uint64_t x40; + uint8_t x41; + uint64_t x42; + uint8_t x43; + uint64_t x44; + uint8_t x45; + uint64_t x46; + uint8_t x47; + uint64_t x48; uint8_t x49; uint8_t x50; uint64_t x51; - uint64_t x52; - uint8_t x53; - uint64_t x54; - uint8_t x55; - uint64_t x56; - uint8_t x57; - uint64_t x58; - uint8_t x59; - uint64_t x60; - uint8_t x61; - uint64_t x62; - uint8_t x63; + uint8_t x52; + uint64_t x53; + uint8_t x54; + uint64_t x55; + uint8_t x56; + uint64_t x57; + uint8_t x58; + uint64_t x59; + uint8_t x60; + uint64_t x61; + uint8_t x62; + uint64_t x63; uint8_t x64; uint8_t x65; uint64_t x66; - uint64_t x67; - uint8_t x68; - uint64_t x69; - uint8_t x70; - uint64_t x71; - uint8_t x72; - uint64_t x73; - uint8_t x74; - uint64_t x75; - uint8_t x76; + uint8_t x67; + uint64_t x68; + uint8_t x69; + uint64_t x70; + uint8_t x71; + uint64_t x72; + uint8_t x73; + uint64_t x74; + uint8_t x75; + uint64_t x76; uint8_t x77; uint8_t x78; uint64_t x79; - uint64_t x80; - uint8_t x81; - uint64_t x82; - uint8_t x83; - uint64_t x84; - uint8_t x85; - uint64_t x86; - uint8_t x87; - uint64_t x88; - uint8_t x89; + uint8_t x80; + uint64_t x81; + uint8_t x82; + uint64_t x83; + uint8_t x84; + uint64_t x85; + uint8_t x86; + uint64_t x87; + uint8_t x88; + uint64_t x89; uint8_t x90; uint8_t x91; fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_subborrowx_u52( @@ -833,104 +853,104 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes( x23 = (x18 << 2); x24 = (x16 << 7); x25 = (x14 << 4); - x26 = (x12 >> 8); - x27 = (uint8_t)(x12 & UINT8_C(0xff)); - x28 = (x26 >> 8); - x29 = (uint8_t)(x26 & UINT8_C(0xff)); - x30 = (x28 >> 8); - x31 = (uint8_t)(x28 & UINT8_C(0xff)); - x32 = (x30 >> 8); - x33 = (uint8_t)(x30 & UINT8_C(0xff)); - x34 = (x32 >> 8); - x35 = (uint8_t)(x32 & UINT8_C(0xff)); - x36 = (uint8_t)(x34 >> 8); - x37 = (uint8_t)(x34 & UINT8_C(0xff)); - x38 = (x36 + x25); - x39 = (x38 >> 8); - x40 = (uint8_t)(x38 & UINT8_C(0xff)); - x41 = (x39 >> 8); - x42 = (uint8_t)(x39 & UINT8_C(0xff)); - x43 = (x41 >> 8); - x44 = (uint8_t)(x41 & UINT8_C(0xff)); - x45 = (x43 >> 8); - x46 = (uint8_t)(x43 & UINT8_C(0xff)); - x47 = (x45 >> 8); - x48 = (uint8_t)(x45 & UINT8_C(0xff)); - x49 = (uint8_t)(x47 >> 8); - x50 = (uint8_t)(x47 & UINT8_C(0xff)); - x51 = (x49 + x24); - x52 = (x51 >> 8); - x53 = (uint8_t)(x51 & UINT8_C(0xff)); - x54 = (x52 >> 8); - x55 = (uint8_t)(x52 & UINT8_C(0xff)); - x56 = (x54 >> 8); - x57 = (uint8_t)(x54 & UINT8_C(0xff)); - x58 = (x56 >> 8); - x59 = (uint8_t)(x56 & UINT8_C(0xff)); - x60 = (x58 >> 8); - x61 = (uint8_t)(x58 & UINT8_C(0xff)); - x62 = (x60 >> 8); - x63 = (uint8_t)(x60 & UINT8_C(0xff)); - x64 = (uint8_t)(x62 >> 8); - x65 = (uint8_t)(x62 & UINT8_C(0xff)); - x66 = (x64 + x23); - x67 = (x66 >> 8); - x68 = (uint8_t)(x66 & UINT8_C(0xff)); - x69 = (x67 >> 8); - x70 = (uint8_t)(x67 & UINT8_C(0xff)); - x71 = (x69 >> 8); - x72 = (uint8_t)(x69 & UINT8_C(0xff)); - x73 = (x71 >> 8); - x74 = (uint8_t)(x71 & UINT8_C(0xff)); - x75 = (x73 >> 8); - x76 = (uint8_t)(x73 & UINT8_C(0xff)); - x77 = (uint8_t)(x75 >> 8); - x78 = (uint8_t)(x75 & UINT8_C(0xff)); - x79 = (x77 + x22); - x80 = (x79 >> 8); - x81 = (uint8_t)(x79 & UINT8_C(0xff)); - x82 = (x80 >> 8); - x83 = (uint8_t)(x80 & UINT8_C(0xff)); - x84 = (x82 >> 8); - x85 = (uint8_t)(x82 & UINT8_C(0xff)); - x86 = (x84 >> 8); - x87 = (uint8_t)(x84 & UINT8_C(0xff)); - x88 = (x86 >> 8); - x89 = (uint8_t)(x86 & UINT8_C(0xff)); - x90 = (uint8_t)(x88 >> 8); - x91 = (uint8_t)(x88 & UINT8_C(0xff)); - out1[0] = x27; - out1[1] = x29; - out1[2] = x31; - out1[3] = x33; - out1[4] = x35; - out1[5] = x37; - out1[6] = x40; - out1[7] = x42; - out1[8] = x44; - out1[9] = x46; - out1[10] = x48; - out1[11] = x50; - out1[12] = x53; - out1[13] = x55; - out1[14] = x57; - out1[15] = x59; - out1[16] = x61; - out1[17] = x63; - out1[18] = x65; - out1[19] = x68; - out1[20] = x70; - out1[21] = x72; - out1[22] = x74; - out1[23] = x76; - out1[24] = x78; - out1[25] = x81; - out1[26] = x83; - out1[27] = x85; - out1[28] = x87; - out1[29] = x89; - out1[30] = x91; - out1[31] = x90; + x26 = (uint8_t)(x12 & UINT8_C(0xff)); + x27 = (x12 >> 8); + x28 = (uint8_t)(x27 & UINT8_C(0xff)); + x29 = (x27 >> 8); + x30 = (uint8_t)(x29 & UINT8_C(0xff)); + x31 = (x29 >> 8); + x32 = (uint8_t)(x31 & UINT8_C(0xff)); + x33 = (x31 >> 8); + x34 = (uint8_t)(x33 & UINT8_C(0xff)); + x35 = (x33 >> 8); + x36 = (uint8_t)(x35 & UINT8_C(0xff)); + x37 = (uint8_t)(x35 >> 8); + x38 = (x25 + (uint64_t)x37); + x39 = (uint8_t)(x38 & UINT8_C(0xff)); + x40 = (x38 >> 8); + x41 = (uint8_t)(x40 & UINT8_C(0xff)); + x42 = (x40 >> 8); + x43 = (uint8_t)(x42 & UINT8_C(0xff)); + x44 = (x42 >> 8); + x45 = (uint8_t)(x44 & UINT8_C(0xff)); + x46 = (x44 >> 8); + x47 = (uint8_t)(x46 & UINT8_C(0xff)); + x48 = (x46 >> 8); + x49 = (uint8_t)(x48 & UINT8_C(0xff)); + x50 = (uint8_t)(x48 >> 8); + x51 = (x24 + (uint64_t)x50); + x52 = (uint8_t)(x51 & UINT8_C(0xff)); + x53 = (x51 >> 8); + x54 = (uint8_t)(x53 & UINT8_C(0xff)); + x55 = (x53 >> 8); + x56 = (uint8_t)(x55 & UINT8_C(0xff)); + x57 = (x55 >> 8); + x58 = (uint8_t)(x57 & UINT8_C(0xff)); + x59 = (x57 >> 8); + x60 = (uint8_t)(x59 & UINT8_C(0xff)); + x61 = (x59 >> 8); + x62 = (uint8_t)(x61 & UINT8_C(0xff)); + x63 = (x61 >> 8); + x64 = (uint8_t)(x63 & UINT8_C(0xff)); + x65 = (uint8_t)(x63 >> 8); + x66 = (x23 + (uint64_t)x65); + x67 = (uint8_t)(x66 & UINT8_C(0xff)); + x68 = (x66 >> 8); + x69 = (uint8_t)(x68 & UINT8_C(0xff)); + x70 = (x68 >> 8); + x71 = (uint8_t)(x70 & UINT8_C(0xff)); + x72 = (x70 >> 8); + x73 = (uint8_t)(x72 & UINT8_C(0xff)); + x74 = (x72 >> 8); + x75 = (uint8_t)(x74 & UINT8_C(0xff)); + x76 = (x74 >> 8); + x77 = (uint8_t)(x76 & UINT8_C(0xff)); + x78 = (uint8_t)(x76 >> 8); + x79 = (x22 + (uint64_t)x78); + x80 = (uint8_t)(x79 & UINT8_C(0xff)); + x81 = (x79 >> 8); + x82 = (uint8_t)(x81 & UINT8_C(0xff)); + x83 = (x81 >> 8); + x84 = (uint8_t)(x83 & UINT8_C(0xff)); + x85 = (x83 >> 8); + x86 = (uint8_t)(x85 & UINT8_C(0xff)); + x87 = (x85 >> 8); + x88 = (uint8_t)(x87 & UINT8_C(0xff)); + x89 = (x87 >> 8); + x90 = (uint8_t)(x89 & UINT8_C(0xff)); + x91 = (uint8_t)(x89 >> 8); + out1[0] = x26; + out1[1] = x28; + out1[2] = x30; + out1[3] = x32; + out1[4] = x34; + out1[5] = x36; + out1[6] = x39; + out1[7] = x41; + out1[8] = x43; + out1[9] = x45; + out1[10] = x47; + out1[11] = x49; + out1[12] = x52; + out1[13] = x54; + out1[14] = x56; + out1[15] = x58; + out1[16] = x60; + out1[17] = x62; + out1[18] = x64; + out1[19] = x67; + out1[20] = x69; + out1[21] = x71; + out1[22] = x73; + out1[23] = x75; + out1[24] = x77; + out1[25] = x80; + out1[26] = x82; + out1[27] = x84; + out1[28] = x86; + out1[29] = x88; + out1[30] = x90; + out1[31] = x91; } /* @@ -941,7 +961,7 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes( * Input Bounds: * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] * Output Bounds: - * out1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * out1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_from_bytes( uint64_t out1[5], const uint8_t arg1[32]) { @@ -978,22 +998,44 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_from_bytes( uint64_t x31; uint8_t x32; uint64_t x33; - uint8_t x34; + uint64_t x34; uint64_t x35; uint64_t x36; uint64_t x37; uint64_t x38; uint64_t x39; - uint64_t x40; - fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1 x41; + uint8_t x40; + uint64_t x41; uint64_t x42; uint64_t x43; - uint8_t x44; + uint64_t x44; uint64_t x45; uint64_t x46; - uint8_t x47; - uint64_t x48; + uint64_t x47; + fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1 x48; uint64_t x49; + uint64_t x50; + uint64_t x51; + uint64_t x52; + uint64_t x53; + uint64_t x54; + uint64_t x55; + uint64_t x56; + uint8_t x57; + uint64_t x58; + uint64_t x59; + uint64_t x60; + uint64_t x61; + uint64_t x62; + uint64_t x63; + uint64_t x64; + uint8_t x65; + uint64_t x66; + uint64_t x67; + uint64_t x68; + uint64_t x69; + uint64_t x70; + uint64_t x71; x1 = ((uint64_t)(arg1[31]) << 43); x2 = ((uint64_t)(arg1[30]) << 35); x3 = ((uint64_t)(arg1[29]) << 27); @@ -1026,28 +1068,50 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_from_bytes( x30 = ((uint64_t)(arg1[2]) << 16); x31 = ((uint64_t)(arg1[1]) << 8); x32 = (arg1[0]); - x33 = (x32 + (x31 + (x30 + (x29 + (x28 + (x27 + x26)))))); - x34 = (uint8_t)(x33 >> 52); - x35 = (x33 & UINT64_C(0xfffffffffffff)); - x36 = (x6 + (x5 + (x4 + (x3 + (x2 + x1))))); - x37 = (x12 + (x11 + (x10 + (x9 + (x8 + x7))))); - x38 = (x19 + (x18 + (x17 + (x16 + (x15 + (x14 + x13)))))); - x39 = (x25 + (x24 + (x23 + (x22 + (x21 + x20))))); - x40 = (x34 + x39); - x41 = (fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1)(x40 >> 51); - x42 = (x40 & UINT64_C(0x7ffffffffffff)); - x43 = (x41 + x38); - x44 = (uint8_t)(x43 >> 51); - x45 = (x43 & UINT64_C(0x7ffffffffffff)); - x46 = (x44 + x37); - x47 = (uint8_t)(x46 >> 51); - x48 = (x46 & UINT64_C(0x7ffffffffffff)); - x49 = (x47 + x36); - out1[0] = x35; - out1[1] = x42; - out1[2] = x45; - out1[3] = x48; - out1[4] = x49; + x33 = (x31 + (uint64_t)x32); + x34 = (x30 + x33); + x35 = (x29 + x34); + x36 = (x28 + x35); + x37 = (x27 + x36); + x38 = (x26 + x37); + x39 = (x38 & UINT64_C(0xfffffffffffff)); + x40 = (uint8_t)(x38 >> 52); + x41 = (x25 + (uint64_t)x40); + x42 = (x24 + x41); + x43 = (x23 + x42); + x44 = (x22 + x43); + x45 = (x21 + x44); + x46 = (x20 + x45); + x47 = (x46 & UINT64_C(0x7ffffffffffff)); + x48 = (fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1)(x46 >> 51); + x49 = (x19 + (uint64_t)x48); + x50 = (x18 + x49); + x51 = (x17 + x50); + x52 = (x16 + x51); + x53 = (x15 + x52); + x54 = (x14 + x53); + x55 = (x13 + x54); + x56 = (x55 & UINT64_C(0x7ffffffffffff)); + x57 = (uint8_t)(x55 >> 51); + x58 = (x12 + (uint64_t)x57); + x59 = (x11 + x58); + x60 = (x10 + x59); + x61 = (x9 + x60); + x62 = (x8 + x61); + x63 = (x7 + x62); + x64 = (x63 & UINT64_C(0x7ffffffffffff)); + x65 = (uint8_t)(x63 >> 51); + x66 = (x6 + (uint64_t)x65); + x67 = (x5 + x66); + x68 = (x4 + x67); + x69 = (x3 + x68); + x70 = (x2 + x69); + x71 = (x1 + x70); + out1[0] = x39; + out1[1] = x47; + out1[2] = x56; + out1[3] = x64; + out1[4] = x71; } /* END verbatim fiat code */ @@ -3287,7 +3351,7 @@ static void scalar_wnaf(int8_t out[257], const unsigned char in[32]) { } /*- - * Simulateous scalar multiplication: interleaved "textbook" wnaf. + * Simultaneous scalar multiplication: interleaved "textbook" wnaf. * NB: not constant time */ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], @@ -3295,7 +3359,7 @@ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], int i, d, is_neg, is_inf = 1, flipped = 0; int8_t anaf[257] = {0}; int8_t bnaf[257] = {0}; - pt_prj_t Q; + pt_prj_t Q = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -3361,7 +3425,7 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], const pt_aff_t *P) { int i, j, d, diff, is_neg; int8_t rnaf[52] = {0}; - pt_prj_t Q, lut; + pt_prj_t Q = {0}, lut = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -3437,8 +3501,8 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { int i, j, k, d, diff, is_neg = 0; int8_t rnaf[52] = {0}; - pt_prj_t Q, R; - pt_aff_t lut; + pt_prj_t Q = {0}, R = {0}; + pt_aff_t lut = {0}; scalar_rwnaf(rnaf, scalar); @@ -3499,6 +3563,12 @@ static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry_mul(out->Y, Q.Y, Q.Z); } +/*- + * Wrapper: simultaneous scalar mutiplication. + * outx, outy := a * G + b * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], const unsigned char a[32], const unsigned char b[32], const unsigned char inx[32], @@ -3514,6 +3584,11 @@ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes(outy, P.Y); } +/*- + * Wrapper: fixed scalar mutiplication. + * outx, outy := scalar * G + * Everything is LE byte ordering. + */ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32]) { pt_aff_t P; @@ -3524,6 +3599,12 @@ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes(outy, P.Y); } +/*- + * Wrapper: variable point scalar mutiplication. + * outx, outy := scalar * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32], const unsigned char inx[32], @@ -3541,8 +3622,13 @@ static void point_mul(unsigned char outx[32], unsigned char outy[32], #include +/* the zero field element */ static const unsigned char const_zb[32] = {0}; +/*- + * An OpenSSL wrapper for simultaneous scalar multiplication. + * r := n * G + m * q + */ int point_mul_two_id_GostR3410_2001_CryptoPro_A_ParamSet( const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, @@ -3581,6 +3667,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for variable point scalar multiplication. + * r := m * q + */ int point_mul_id_GostR3410_2001_CryptoPro_A_ParamSet(const EC_GROUP *group, EC_POINT *r, @@ -3620,6 +3710,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for fixed scalar multiplication. + * r := n * G + */ int point_mul_g_id_GostR3410_2001_CryptoPro_A_ParamSet(const EC_GROUP *group, EC_POINT *r, @@ -3666,6 +3760,10 @@ err: typedef uint32_t fe_t[LIMB_CNT]; typedef uint32_t limb_t; +#ifdef OPENSSL_NO_ASM +#define FIAT_ID_GOSTR3410_2001_CRYPTOPRO_A_PARAMSET_NO_ASM +#endif + #define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) #define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) @@ -3714,18 +3812,19 @@ typedef struct { * SOFTWARE. */ -/* Autogenerated: unsaturated_solinas --static id_GostR3410_2001_CryptoPro_A_ParamSet 32 '(auto)' '2^256 - 617' */ +/* Autogenerated: unsaturated_solinas --static --use-value-barrier id_GostR3410_2001_CryptoPro_A_ParamSet 32 '(auto)' '2^256 - 617' */ /* curve description: id_GostR3410_2001_CryptoPro_A_ParamSet */ /* machine_wordsize = 32 (from "32") */ /* requested operations: (all) */ /* n = 11 (from "(auto)") */ /* s-c = 2^256 - [(1, 617)] (from "2^256 - 617") */ -/* tight_bounds_multiplier = 1.1 (from "") */ +/* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ /* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 0, 1] */ /* eval z = z[0] + (z[1] << 24) + (z[2] << 47) + (z[3] << 70) + (z[4] << 94) + (z[5] << 117) + (z[6] << 140) + (z[7] << 163) + (z[8] << 187) + (z[9] << 210) + (z[10] << 233) */ /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* balance = [0x1fffb2e, 0xfffffe, 0xfffffe, 0x1fffffe, 0xfffffe, 0xfffffe, 0xfffffe, 0x1fffffe, 0xfffffe, 0xfffffe, 0xfffffe] */ #include typedef unsigned char fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1; @@ -3735,6 +3834,17 @@ typedef signed char fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_int1; #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_ID_GOSTR3410_2001_CRYPTOPRO_A_PARAMSET_NO_ASM) && \ + (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint32_t +fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_value_barrier_u32(uint32_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +#define fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_value_barrier_u32(x) (x) +#endif + /* * The function fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_addcarryx_u24 is an addition with carry. * Postconditions: @@ -3868,7 +3978,11 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_cmovznz_u32( x1 = (!(!arg1)); x2 = ((fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_int1)(0x0 - x1) & UINT32_C(0xffffffff)); - x3 = ((x2 & arg3) | ((~x2) & arg2)); + x3 = + ((fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_value_barrier_u32(x2) & + arg3) | + (fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_value_barrier_u32((~x2)) & + arg2)); *out1 = x3; } @@ -3878,10 +3992,10 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_cmovznz_u32( * eval out1 mod m = (eval arg1 * eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] - * arg2: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] + * arg1: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] + * arg2: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] * Output Bounds: - * out1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * out1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry_mul( uint32_t out1[11], const uint32_t arg1[11], const uint32_t arg2[11]) { @@ -4281,9 +4395,9 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry_mul( * eval out1 mod m = (eval arg1 * eval arg1) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] + * arg1: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] * Output Bounds: - * out1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * out1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry_square( uint32_t out1[11], const uint32_t arg1[11]) { @@ -4580,9 +4694,9 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry_square( * eval out1 mod m = eval arg1 mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] + * arg1: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] * Output Bounds: - * out1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * out1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry( uint32_t out1[11], const uint32_t arg1[11]) { @@ -4655,10 +4769,10 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry( * eval out1 mod m = (eval arg1 + eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] - * arg2: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * arg1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] + * arg2: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] * Output Bounds: - * out1: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] + * out1: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_add( uint32_t out1[11], const uint32_t arg1[11], const uint32_t arg2[11]) { @@ -4703,10 +4817,10 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_add( * eval out1 mod m = (eval arg1 - eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] - * arg2: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * arg1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] + * arg2: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] * Output Bounds: - * out1: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] + * out1: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_sub( uint32_t out1[11], const uint32_t arg1[11], const uint32_t arg2[11]) { @@ -4751,9 +4865,9 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_sub( * eval out1 mod m = -eval arg1 mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * arg1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] * Output Bounds: - * out1: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] + * out1: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_opp( uint32_t out1[11], const uint32_t arg1[11]) { @@ -4859,7 +4973,7 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_selectznz( * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] * * Input Bounds: - * arg1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * arg1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] * Output Bounds: * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] */ @@ -4919,76 +5033,75 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes( uint32_t x52; uint32_t x53; uint32_t x54; - uint32_t x55; - uint8_t x56; + uint8_t x55; + uint32_t x56; uint8_t x57; uint8_t x58; uint8_t x59; uint32_t x60; uint8_t x61; uint8_t x62; - uint8_t x63; - uint32_t x64; + uint32_t x63; + uint8_t x64; uint32_t x65; uint8_t x66; uint32_t x67; uint8_t x68; uint8_t x69; - uint8_t x70; - uint32_t x71; + uint32_t x70; + uint8_t x71; uint32_t x72; uint8_t x73; uint32_t x74; uint8_t x75; uint8_t x76; - uint8_t x77; - uint32_t x78; + uint32_t x77; + uint8_t x78; uint32_t x79; uint8_t x80; uint32_t x81; uint8_t x82; uint8_t x83; - uint8_t x84; - uint32_t x85; + uint32_t x84; + uint8_t x85; uint32_t x86; uint8_t x87; uint32_t x88; uint8_t x89; uint8_t x90; - uint8_t x91; - uint32_t x92; + uint32_t x91; + uint8_t x92; uint32_t x93; uint8_t x94; uint32_t x95; uint8_t x96; uint8_t x97; - uint8_t x98; - uint32_t x99; + uint32_t x98; + uint8_t x99; uint32_t x100; uint8_t x101; uint32_t x102; uint8_t x103; uint8_t x104; - uint8_t x105; - uint32_t x106; + uint32_t x105; + uint8_t x106; uint32_t x107; uint8_t x108; uint32_t x109; uint8_t x110; uint8_t x111; - uint8_t x112; - uint32_t x113; + uint32_t x112; + uint8_t x113; uint32_t x114; uint8_t x115; uint32_t x116; uint8_t x117; fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1 x118; - uint8_t x119; - uint32_t x120; + uint32_t x119; + uint8_t x120; uint32_t x121; uint8_t x122; uint8_t x123; - uint8_t x124; fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_subborrowx_u24( &x1, &x2, 0x0, (arg1[0]), UINT32_C(0xfffd97)); fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_subborrowx_u23( @@ -5044,107 +5157,106 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes( x52 = (x32 << 6); x53 = (x30 << 6); x54 = (x28 << 7); - x55 = (x24 >> 8); - x56 = (uint8_t)(x24 & UINT8_C(0xff)); - x57 = (uint8_t)(x55 >> 8); - x58 = (uint8_t)(x55 & UINT8_C(0xff)); - x59 = (uint8_t)(x57 & UINT8_C(0xff)); + x55 = (uint8_t)(x24 & UINT8_C(0xff)); + x56 = (x24 >> 8); + x57 = (uint8_t)(x56 & UINT8_C(0xff)); + x58 = (uint8_t)(x56 >> 8); + x59 = (uint8_t)(x26 & UINT8_C(0xff)); x60 = (x26 >> 8); - x61 = (uint8_t)(x26 & UINT8_C(0xff)); + x61 = (uint8_t)(x60 & UINT8_C(0xff)); x62 = (uint8_t)(x60 >> 8); - x63 = (uint8_t)(x60 & UINT8_C(0xff)); - x64 = (x62 + x54); - x65 = (x64 >> 8); - x66 = (uint8_t)(x64 & UINT8_C(0xff)); + x63 = (x54 + (uint32_t)x62); + x64 = (uint8_t)(x63 & UINT8_C(0xff)); + x65 = (x63 >> 8); + x66 = (uint8_t)(x65 & UINT8_C(0xff)); x67 = (x65 >> 8); - x68 = (uint8_t)(x65 & UINT8_C(0xff)); + x68 = (uint8_t)(x67 & UINT8_C(0xff)); x69 = (uint8_t)(x67 >> 8); - x70 = (uint8_t)(x67 & UINT8_C(0xff)); - x71 = (x69 + x53); - x72 = (x71 >> 8); - x73 = (uint8_t)(x71 & UINT8_C(0xff)); + x70 = (x53 + (uint32_t)x69); + x71 = (uint8_t)(x70 & UINT8_C(0xff)); + x72 = (x70 >> 8); + x73 = (uint8_t)(x72 & UINT8_C(0xff)); x74 = (x72 >> 8); - x75 = (uint8_t)(x72 & UINT8_C(0xff)); + x75 = (uint8_t)(x74 & UINT8_C(0xff)); x76 = (uint8_t)(x74 >> 8); - x77 = (uint8_t)(x74 & UINT8_C(0xff)); - x78 = (x76 + x52); - x79 = (x78 >> 8); - x80 = (uint8_t)(x78 & UINT8_C(0xff)); + x77 = (x52 + (uint32_t)x76); + x78 = (uint8_t)(x77 & UINT8_C(0xff)); + x79 = (x77 >> 8); + x80 = (uint8_t)(x79 & UINT8_C(0xff)); x81 = (x79 >> 8); - x82 = (uint8_t)(x79 & UINT8_C(0xff)); + x82 = (uint8_t)(x81 & UINT8_C(0xff)); x83 = (uint8_t)(x81 >> 8); - x84 = (uint8_t)(x81 & UINT8_C(0xff)); - x85 = (x83 + x51); - x86 = (x85 >> 8); - x87 = (uint8_t)(x85 & UINT8_C(0xff)); + x84 = (x51 + (uint32_t)x83); + x85 = (uint8_t)(x84 & UINT8_C(0xff)); + x86 = (x84 >> 8); + x87 = (uint8_t)(x86 & UINT8_C(0xff)); x88 = (x86 >> 8); - x89 = (uint8_t)(x86 & UINT8_C(0xff)); + x89 = (uint8_t)(x88 & UINT8_C(0xff)); x90 = (uint8_t)(x88 >> 8); - x91 = (uint8_t)(x88 & UINT8_C(0xff)); - x92 = (x90 + x50); - x93 = (x92 >> 8); - x94 = (uint8_t)(x92 & UINT8_C(0xff)); + x91 = (x50 + (uint32_t)x90); + x92 = (uint8_t)(x91 & UINT8_C(0xff)); + x93 = (x91 >> 8); + x94 = (uint8_t)(x93 & UINT8_C(0xff)); x95 = (x93 >> 8); - x96 = (uint8_t)(x93 & UINT8_C(0xff)); + x96 = (uint8_t)(x95 & UINT8_C(0xff)); x97 = (uint8_t)(x95 >> 8); - x98 = (uint8_t)(x95 & UINT8_C(0xff)); - x99 = (x97 + x49); - x100 = (x99 >> 8); - x101 = (uint8_t)(x99 & UINT8_C(0xff)); + x98 = (x49 + (uint32_t)x97); + x99 = (uint8_t)(x98 & UINT8_C(0xff)); + x100 = (x98 >> 8); + x101 = (uint8_t)(x100 & UINT8_C(0xff)); x102 = (x100 >> 8); - x103 = (uint8_t)(x100 & UINT8_C(0xff)); + x103 = (uint8_t)(x102 & UINT8_C(0xff)); x104 = (uint8_t)(x102 >> 8); - x105 = (uint8_t)(x102 & UINT8_C(0xff)); - x106 = (x104 + x48); - x107 = (x106 >> 8); - x108 = (uint8_t)(x106 & UINT8_C(0xff)); + x105 = (x48 + (uint32_t)x104); + x106 = (uint8_t)(x105 & UINT8_C(0xff)); + x107 = (x105 >> 8); + x108 = (uint8_t)(x107 & UINT8_C(0xff)); x109 = (x107 >> 8); - x110 = (uint8_t)(x107 & UINT8_C(0xff)); + x110 = (uint8_t)(x109 & UINT8_C(0xff)); x111 = (uint8_t)(x109 >> 8); - x112 = (uint8_t)(x109 & UINT8_C(0xff)); - x113 = (x111 + x47); - x114 = (x113 >> 8); - x115 = (uint8_t)(x113 & UINT8_C(0xff)); + x112 = (x47 + (uint32_t)x111); + x113 = (uint8_t)(x112 & UINT8_C(0xff)); + x114 = (x112 >> 8); + x115 = (uint8_t)(x114 & UINT8_C(0xff)); x116 = (x114 >> 8); - x117 = (uint8_t)(x114 & UINT8_C(0xff)); + x117 = (uint8_t)(x116 & UINT8_C(0xff)); x118 = (fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1)(x116 >> 8); - x119 = (uint8_t)(x116 & UINT8_C(0xff)); - x120 = (x118 + x46); - x121 = (x120 >> 8); - x122 = (uint8_t)(x120 & UINT8_C(0xff)); + x119 = (x46 + (uint32_t)x118); + x120 = (uint8_t)(x119 & UINT8_C(0xff)); + x121 = (x119 >> 8); + x122 = (uint8_t)(x121 & UINT8_C(0xff)); x123 = (uint8_t)(x121 >> 8); - x124 = (uint8_t)(x121 & UINT8_C(0xff)); - out1[0] = x56; - out1[1] = x58; - out1[2] = x59; - out1[3] = x61; - out1[4] = x63; - out1[5] = x66; - out1[6] = x68; - out1[7] = x70; - out1[8] = x73; - out1[9] = x75; - out1[10] = x77; - out1[11] = x80; - out1[12] = x82; - out1[13] = x84; - out1[14] = x87; - out1[15] = x89; - out1[16] = x91; - out1[17] = x94; - out1[18] = x96; - out1[19] = x98; - out1[20] = x101; - out1[21] = x103; - out1[22] = x105; - out1[23] = x108; - out1[24] = x110; - out1[25] = x112; - out1[26] = x115; - out1[27] = x117; - out1[28] = x119; - out1[29] = x122; - out1[30] = x124; + out1[0] = x55; + out1[1] = x57; + out1[2] = x58; + out1[3] = x59; + out1[4] = x61; + out1[5] = x64; + out1[6] = x66; + out1[7] = x68; + out1[8] = x71; + out1[9] = x73; + out1[10] = x75; + out1[11] = x78; + out1[12] = x80; + out1[13] = x82; + out1[14] = x85; + out1[15] = x87; + out1[16] = x89; + out1[17] = x92; + out1[18] = x94; + out1[19] = x96; + out1[20] = x99; + out1[21] = x101; + out1[22] = x103; + out1[23] = x106; + out1[24] = x108; + out1[25] = x110; + out1[26] = x113; + out1[27] = x115; + out1[28] = x117; + out1[29] = x120; + out1[30] = x122; out1[31] = x123; } @@ -5156,7 +5268,7 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes( * Input Bounds: * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] * Output Bounds: - * out1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * out1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] */ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_from_bytes( uint32_t out1[11], const uint8_t arg1[32]) { @@ -5197,40 +5309,49 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_from_bytes( uint32_t x35; uint32_t x36; uint32_t x37; - uint32_t x38; + fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1 x38; uint32_t x39; uint32_t x40; uint32_t x41; uint32_t x42; - uint32_t x43; + uint8_t x43; uint32_t x44; - fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1 x45; + uint32_t x45; uint32_t x46; uint32_t x47; uint8_t x48; uint32_t x49; uint32_t x50; - uint8_t x51; + uint32_t x51; uint32_t x52; - uint32_t x53; - uint8_t x54; + uint8_t x53; + uint32_t x54; uint32_t x55; uint32_t x56; - uint8_t x57; - uint32_t x58; + uint32_t x57; + uint8_t x58; uint32_t x59; - uint8_t x60; + uint32_t x60; uint32_t x61; uint32_t x62; uint8_t x63; uint32_t x64; uint32_t x65; - uint8_t x66; + uint32_t x66; uint32_t x67; - uint32_t x68; - uint8_t x69; + uint8_t x68; + uint32_t x69; uint32_t x70; uint32_t x71; + uint32_t x72; + uint8_t x73; + uint32_t x74; + uint32_t x75; + uint32_t x76; + uint32_t x77; + uint8_t x78; + uint32_t x79; + uint32_t x80; x1 = ((uint32_t)(arg1[31]) << 15); x2 = ((uint32_t)(arg1[30]) << 7); x3 = ((uint32_t)(arg1[29]) << 22); @@ -5263,56 +5384,65 @@ static void fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_from_bytes( x30 = ((uint32_t)(arg1[2]) << 16); x31 = ((uint32_t)(arg1[1]) << 8); x32 = (arg1[0]); - x33 = (x32 + (x31 + x30)); - x34 = (x33 & UINT32_C(0xffffff)); - x35 = (x2 + x1); - x36 = (x5 + (x4 + x3)); - x37 = (x8 + (x7 + x6)); - x38 = (x11 + (x10 + x9)); - x39 = (x14 + (x13 + x12)); - x40 = (x17 + (x16 + x15)); - x41 = (x20 + (x19 + x18)); - x42 = (x23 + (x22 + x21)); - x43 = (x26 + (x25 + x24)); - x44 = (x29 + (x28 + x27)); - x45 = (fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1)(x44 >> 23); - x46 = (x44 & UINT32_C(0x7fffff)); - x47 = (x45 + x43); - x48 = (uint8_t)(x47 >> 23); - x49 = (x47 & UINT32_C(0x7fffff)); - x50 = (x48 + x42); - x51 = (uint8_t)(x50 >> 24); - x52 = (x50 & UINT32_C(0xffffff)); - x53 = (x51 + x41); - x54 = (uint8_t)(x53 >> 23); - x55 = (x53 & UINT32_C(0x7fffff)); - x56 = (x54 + x40); - x57 = (uint8_t)(x56 >> 23); - x58 = (x56 & UINT32_C(0x7fffff)); - x59 = (x57 + x39); - x60 = (uint8_t)(x59 >> 23); - x61 = (x59 & UINT32_C(0x7fffff)); - x62 = (x60 + x38); - x63 = (uint8_t)(x62 >> 24); - x64 = (x62 & UINT32_C(0xffffff)); - x65 = (x63 + x37); - x66 = (uint8_t)(x65 >> 23); - x67 = (x65 & UINT32_C(0x7fffff)); - x68 = (x66 + x36); - x69 = (uint8_t)(x68 >> 23); - x70 = (x68 & UINT32_C(0x7fffff)); - x71 = (x69 + x35); + x33 = (x31 + (uint32_t)x32); + x34 = (x30 + x33); + x35 = (x28 + (uint32_t)x29); + x36 = (x27 + x35); + x37 = (x36 & UINT32_C(0x7fffff)); + x38 = (fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_uint1)(x36 >> 23); + x39 = (x26 + (uint32_t)x38); + x40 = (x25 + x39); + x41 = (x24 + x40); + x42 = (x41 & UINT32_C(0x7fffff)); + x43 = (uint8_t)(x41 >> 23); + x44 = (x23 + (uint32_t)x43); + x45 = (x22 + x44); + x46 = (x21 + x45); + x47 = (x46 & UINT32_C(0xffffff)); + x48 = (uint8_t)(x46 >> 24); + x49 = (x20 + (uint32_t)x48); + x50 = (x19 + x49); + x51 = (x18 + x50); + x52 = (x51 & UINT32_C(0x7fffff)); + x53 = (uint8_t)(x51 >> 23); + x54 = (x17 + (uint32_t)x53); + x55 = (x16 + x54); + x56 = (x15 + x55); + x57 = (x56 & UINT32_C(0x7fffff)); + x58 = (uint8_t)(x56 >> 23); + x59 = (x14 + (uint32_t)x58); + x60 = (x13 + x59); + x61 = (x12 + x60); + x62 = (x61 & UINT32_C(0x7fffff)); + x63 = (uint8_t)(x61 >> 23); + x64 = (x11 + (uint32_t)x63); + x65 = (x10 + x64); + x66 = (x9 + x65); + x67 = (x66 & UINT32_C(0xffffff)); + x68 = (uint8_t)(x66 >> 24); + x69 = (x8 + (uint32_t)x68); + x70 = (x7 + x69); + x71 = (x6 + x70); + x72 = (x71 & UINT32_C(0x7fffff)); + x73 = (uint8_t)(x71 >> 23); + x74 = (x5 + (uint32_t)x73); + x75 = (x4 + x74); + x76 = (x3 + x75); + x77 = (x76 & UINT32_C(0x7fffff)); + x78 = (uint8_t)(x76 >> 23); + x79 = (x2 + (uint32_t)x78); + x80 = (x1 + x79); out1[0] = x34; - out1[1] = x46; - out1[2] = x49; - out1[3] = x52; - out1[4] = x55; - out1[5] = x58; - out1[6] = x61; - out1[7] = x64; - out1[8] = x67; - out1[9] = x70; - out1[10] = x71; + out1[1] = x37; + out1[2] = x42; + out1[3] = x47; + out1[4] = x52; + out1[5] = x57; + out1[6] = x62; + out1[7] = x67; + out1[8] = x72; + out1[9] = x77; + out1[10] = x80; } /* END verbatim fiat code */ @@ -8162,7 +8292,7 @@ static void scalar_wnaf(int8_t out[257], const unsigned char in[32]) { } /*- - * Simulateous scalar multiplication: interleaved "textbook" wnaf. + * Simultaneous scalar multiplication: interleaved "textbook" wnaf. * NB: not constant time */ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], @@ -8170,7 +8300,7 @@ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], int i, d, is_neg, is_inf = 1, flipped = 0; int8_t anaf[257] = {0}; int8_t bnaf[257] = {0}; - pt_prj_t Q; + pt_prj_t Q = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -8236,7 +8366,7 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], const pt_aff_t *P) { int i, j, d, diff, is_neg; int8_t rnaf[52] = {0}; - pt_prj_t Q, lut; + pt_prj_t Q = {0}, lut = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -8312,8 +8442,8 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { int i, j, k, d, diff, is_neg = 0; int8_t rnaf[52] = {0}; - pt_prj_t Q, R; - pt_aff_t lut; + pt_prj_t Q = {0}, R = {0}; + pt_aff_t lut = {0}; scalar_rwnaf(rnaf, scalar); @@ -8374,6 +8504,12 @@ static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_carry_mul(out->Y, Q.Y, Q.Z); } +/*- + * Wrapper: simultaneous scalar mutiplication. + * outx, outy := a * G + b * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], const unsigned char a[32], const unsigned char b[32], const unsigned char inx[32], @@ -8389,6 +8525,11 @@ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes(outy, P.Y); } +/*- + * Wrapper: fixed scalar mutiplication. + * outx, outy := scalar * G + * Everything is LE byte ordering. + */ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32]) { pt_aff_t P; @@ -8399,6 +8540,12 @@ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_CryptoPro_A_ParamSet_to_bytes(outy, P.Y); } +/*- + * Wrapper: variable point scalar mutiplication. + * outx, outy := scalar * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32], const unsigned char inx[32], @@ -8416,8 +8563,13 @@ static void point_mul(unsigned char outx[32], unsigned char outy[32], #include +/* the zero field element */ static const unsigned char const_zb[32] = {0}; +/*- + * An OpenSSL wrapper for simultaneous scalar multiplication. + * r := n * G + m * q + */ int point_mul_two_id_GostR3410_2001_CryptoPro_A_ParamSet( const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, @@ -8456,6 +8608,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for variable point scalar multiplication. + * r := m * q + */ int point_mul_id_GostR3410_2001_CryptoPro_A_ParamSet(const EC_GROUP *group, EC_POINT *r, @@ -8495,6 +8651,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for fixed scalar multiplication. + * r := n * G + */ int point_mul_g_id_GostR3410_2001_CryptoPro_A_ParamSet(const EC_GROUP *group, EC_POINT *r, diff --git a/ecp_id_GostR3410_2001_CryptoPro_B_ParamSet.c b/ecp_id_GostR3410_2001_CryptoPro_B_ParamSet.c index 87264e5..05e521e 100644 --- a/ecp_id_GostR3410_2001_CryptoPro_B_ParamSet.c +++ b/ecp_id_GostR3410_2001_CryptoPro_B_ParamSet.c @@ -32,6 +32,10 @@ typedef uint64_t fe_t[LIMB_CNT]; typedef uint64_t limb_t; +#ifdef OPENSSL_NO_ASM +#define FIAT_ID_GOSTR3410_2001_CRYPTOPRO_B_PARAMSET_NO_ASM +#endif + #define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) #define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) @@ -73,7 +77,7 @@ typedef struct { * SOFTWARE. */ -/* Autogenerated: word_by_word_montgomery --static id_GostR3410_2001_CryptoPro_B_ParamSet 64 '2^255 + 3225' */ +/* Autogenerated: word_by_word_montgomery --static --use-value-barrier id_GostR3410_2001_CryptoPro_B_ParamSet 64 '2^255 + 3225' */ /* curve description: id_GostR3410_2001_CryptoPro_B_ParamSet */ /* machine_wordsize = 64 (from "64") */ /* requested operations: (all) */ @@ -100,6 +104,17 @@ typedef unsigned __int128 fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_uint128; #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_ID_GOSTR3410_2001_CRYPTOPRO_B_PARAMSET_NO_ASM) && \ + (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint64_t +fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_value_barrier_u64(uint64_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +#define fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_value_barrier_u64(x) (x) +#endif + /* * The function fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_addcarryx_u64 is an addition with carry. * Postconditions: @@ -204,7 +219,11 @@ static void fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_cmovznz_u64( x1 = (!(!arg1)); x2 = ((fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); - x3 = ((x2 & arg3) | ((~x2) & arg2)); + x3 = + ((fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_value_barrier_u64(x2) & + arg3) | + (fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_value_barrier_u64((~x2)) & + arg2)); *out1 = x3; } @@ -1524,7 +1543,7 @@ static void fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_to_montgomery( static void fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_nonzero( uint64_t *out1, const uint64_t arg1[4]) { uint64_t x1; - x1 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | ((arg1[3]) | (uint64_t)0x0)))); + x1 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | (arg1[3])))); *out1 = x1; } @@ -1562,7 +1581,7 @@ static void fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_selectznz( } /* - * The function fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_to_bytes serializes a field element in the Montgomery domain to bytes in little-endian order. + * The function fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -1579,18 +1598,18 @@ static void fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_to_bytes( uint64_t x2; uint64_t x3; uint64_t x4; - uint64_t x5; - uint8_t x6; - uint64_t x7; - uint8_t x8; - uint64_t x9; - uint8_t x10; - uint64_t x11; - uint8_t x12; - uint64_t x13; - uint8_t x14; - uint64_t x15; - uint8_t x16; + uint8_t x5; + uint64_t x6; + uint8_t x7; + uint64_t x8; + uint8_t x9; + uint64_t x10; + uint8_t x11; + uint64_t x12; + uint8_t x13; + uint64_t x14; + uint8_t x15; + uint64_t x16; uint8_t x17; uint8_t x18; uint8_t x19; @@ -1608,21 +1627,21 @@ static void fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_to_bytes( uint8_t x31; uint8_t x32; uint8_t x33; - uint8_t x34; - uint64_t x35; - uint8_t x36; - uint64_t x37; - uint8_t x38; - uint64_t x39; - uint8_t x40; - uint64_t x41; - uint8_t x42; - uint64_t x43; - uint8_t x44; - uint64_t x45; + uint64_t x34; + uint8_t x35; + uint64_t x36; + uint8_t x37; + uint64_t x38; + uint8_t x39; + uint64_t x40; + uint8_t x41; + uint64_t x42; + uint8_t x43; + uint64_t x44; + uint8_t x45; uint8_t x46; uint8_t x47; - uint8_t x48; + uint64_t x48; uint8_t x49; uint64_t x50; uint8_t x51; @@ -1634,109 +1653,103 @@ static void fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_to_bytes( uint8_t x57; uint64_t x58; uint8_t x59; - uint64_t x60; - uint8_t x61; - uint8_t x62; - uint8_t x63; + uint8_t x60; x1 = (arg1[3]); x2 = (arg1[2]); x3 = (arg1[1]); x4 = (arg1[0]); - x5 = (x4 >> 8); - x6 = (uint8_t)(x4 & UINT8_C(0xff)); - x7 = (x5 >> 8); - x8 = (uint8_t)(x5 & UINT8_C(0xff)); - x9 = (x7 >> 8); - x10 = (uint8_t)(x7 & UINT8_C(0xff)); - x11 = (x9 >> 8); - x12 = (uint8_t)(x9 & UINT8_C(0xff)); - x13 = (x11 >> 8); - x14 = (uint8_t)(x11 & UINT8_C(0xff)); - x15 = (x13 >> 8); - x16 = (uint8_t)(x13 & UINT8_C(0xff)); - x17 = (uint8_t)(x15 >> 8); - x18 = (uint8_t)(x15 & UINT8_C(0xff)); - x19 = (uint8_t)(x17 & UINT8_C(0xff)); + x5 = (uint8_t)(x4 & UINT8_C(0xff)); + x6 = (x4 >> 8); + x7 = (uint8_t)(x6 & UINT8_C(0xff)); + x8 = (x6 >> 8); + x9 = (uint8_t)(x8 & UINT8_C(0xff)); + x10 = (x8 >> 8); + x11 = (uint8_t)(x10 & UINT8_C(0xff)); + x12 = (x10 >> 8); + x13 = (uint8_t)(x12 & UINT8_C(0xff)); + x14 = (x12 >> 8); + x15 = (uint8_t)(x14 & UINT8_C(0xff)); + x16 = (x14 >> 8); + x17 = (uint8_t)(x16 & UINT8_C(0xff)); + x18 = (uint8_t)(x16 >> 8); + x19 = (uint8_t)(x3 & UINT8_C(0xff)); x20 = (x3 >> 8); - x21 = (uint8_t)(x3 & UINT8_C(0xff)); + x21 = (uint8_t)(x20 & UINT8_C(0xff)); x22 = (x20 >> 8); - x23 = (uint8_t)(x20 & UINT8_C(0xff)); + x23 = (uint8_t)(x22 & UINT8_C(0xff)); x24 = (x22 >> 8); - x25 = (uint8_t)(x22 & UINT8_C(0xff)); + x25 = (uint8_t)(x24 & UINT8_C(0xff)); x26 = (x24 >> 8); - x27 = (uint8_t)(x24 & UINT8_C(0xff)); + x27 = (uint8_t)(x26 & UINT8_C(0xff)); x28 = (x26 >> 8); - x29 = (uint8_t)(x26 & UINT8_C(0xff)); + x29 = (uint8_t)(x28 & UINT8_C(0xff)); x30 = (x28 >> 8); - x31 = (uint8_t)(x28 & UINT8_C(0xff)); + x31 = (uint8_t)(x30 & UINT8_C(0xff)); x32 = (uint8_t)(x30 >> 8); - x33 = (uint8_t)(x30 & UINT8_C(0xff)); - x34 = (uint8_t)(x32 & UINT8_C(0xff)); - x35 = (x2 >> 8); - x36 = (uint8_t)(x2 & UINT8_C(0xff)); - x37 = (x35 >> 8); - x38 = (uint8_t)(x35 & UINT8_C(0xff)); - x39 = (x37 >> 8); - x40 = (uint8_t)(x37 & UINT8_C(0xff)); - x41 = (x39 >> 8); - x42 = (uint8_t)(x39 & UINT8_C(0xff)); - x43 = (x41 >> 8); - x44 = (uint8_t)(x41 & UINT8_C(0xff)); - x45 = (x43 >> 8); - x46 = (uint8_t)(x43 & UINT8_C(0xff)); - x47 = (uint8_t)(x45 >> 8); - x48 = (uint8_t)(x45 & UINT8_C(0xff)); - x49 = (uint8_t)(x47 & UINT8_C(0xff)); - x50 = (x1 >> 8); - x51 = (uint8_t)(x1 & UINT8_C(0xff)); + x33 = (uint8_t)(x2 & UINT8_C(0xff)); + x34 = (x2 >> 8); + x35 = (uint8_t)(x34 & UINT8_C(0xff)); + x36 = (x34 >> 8); + x37 = (uint8_t)(x36 & UINT8_C(0xff)); + x38 = (x36 >> 8); + x39 = (uint8_t)(x38 & UINT8_C(0xff)); + x40 = (x38 >> 8); + x41 = (uint8_t)(x40 & UINT8_C(0xff)); + x42 = (x40 >> 8); + x43 = (uint8_t)(x42 & UINT8_C(0xff)); + x44 = (x42 >> 8); + x45 = (uint8_t)(x44 & UINT8_C(0xff)); + x46 = (uint8_t)(x44 >> 8); + x47 = (uint8_t)(x1 & UINT8_C(0xff)); + x48 = (x1 >> 8); + x49 = (uint8_t)(x48 & UINT8_C(0xff)); + x50 = (x48 >> 8); + x51 = (uint8_t)(x50 & UINT8_C(0xff)); x52 = (x50 >> 8); - x53 = (uint8_t)(x50 & UINT8_C(0xff)); + x53 = (uint8_t)(x52 & UINT8_C(0xff)); x54 = (x52 >> 8); - x55 = (uint8_t)(x52 & UINT8_C(0xff)); + x55 = (uint8_t)(x54 & UINT8_C(0xff)); x56 = (x54 >> 8); - x57 = (uint8_t)(x54 & UINT8_C(0xff)); + x57 = (uint8_t)(x56 & UINT8_C(0xff)); x58 = (x56 >> 8); - x59 = (uint8_t)(x56 & UINT8_C(0xff)); - x60 = (x58 >> 8); - x61 = (uint8_t)(x58 & UINT8_C(0xff)); - x62 = (uint8_t)(x60 >> 8); - x63 = (uint8_t)(x60 & UINT8_C(0xff)); - out1[0] = x6; - out1[1] = x8; - out1[2] = x10; - out1[3] = x12; - out1[4] = x14; - out1[5] = x16; - out1[6] = x18; - out1[7] = x19; - out1[8] = x21; - out1[9] = x23; - out1[10] = x25; - out1[11] = x27; - out1[12] = x29; - out1[13] = x31; - out1[14] = x33; - out1[15] = x34; - out1[16] = x36; - out1[17] = x38; - out1[18] = x40; - out1[19] = x42; - out1[20] = x44; - out1[21] = x46; - out1[22] = x48; - out1[23] = x49; - out1[24] = x51; - out1[25] = x53; - out1[26] = x55; - out1[27] = x57; - out1[28] = x59; - out1[29] = x61; - out1[30] = x63; - out1[31] = x62; + x59 = (uint8_t)(x58 & UINT8_C(0xff)); + x60 = (uint8_t)(x58 >> 8); + out1[0] = x5; + out1[1] = x7; + out1[2] = x9; + out1[3] = x11; + out1[4] = x13; + out1[5] = x15; + out1[6] = x17; + out1[7] = x18; + out1[8] = x19; + out1[9] = x21; + out1[10] = x23; + out1[11] = x25; + out1[12] = x27; + out1[13] = x29; + out1[14] = x31; + out1[15] = x32; + out1[16] = x33; + out1[17] = x35; + out1[18] = x37; + out1[19] = x39; + out1[20] = x41; + out1[21] = x43; + out1[22] = x45; + out1[23] = x46; + out1[24] = x47; + out1[25] = x49; + out1[26] = x51; + out1[27] = x53; + out1[28] = x55; + out1[29] = x57; + out1[30] = x59; + out1[31] = x60; } /* - * The function fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_from_bytes deserializes a field element in the Montgomery domain from bytes in little-endian order. + * The function fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. * Preconditions: * 0 ≤ bytes_eval arg1 < m * Postconditions: @@ -1789,6 +1802,27 @@ static void fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_from_bytes( uint64_t x37; uint64_t x38; uint64_t x39; + uint64_t x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + uint64_t x48; + uint64_t x49; + uint64_t x50; + uint64_t x51; + uint64_t x52; + uint64_t x53; + uint64_t x54; + uint64_t x55; + uint64_t x56; + uint64_t x57; + uint64_t x58; + uint64_t x59; + uint64_t x60; x1 = ((uint64_t)(arg1[31]) << 56); x2 = ((uint64_t)(arg1[30]) << 48); x3 = ((uint64_t)(arg1[29]) << 40); @@ -1821,17 +1855,38 @@ static void fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_from_bytes( x30 = ((uint64_t)(arg1[2]) << 16); x31 = ((uint64_t)(arg1[1]) << 8); x32 = (arg1[0]); - x33 = (x32 + (x31 + (x30 + (x29 + (x28 + (x27 + (x26 + x25))))))); - x34 = (x33 & UINT64_C(0xffffffffffffffff)); - x35 = (x8 + (x7 + (x6 + (x5 + (x4 + (x3 + (x2 + x1))))))); - x36 = (x16 + (x15 + (x14 + (x13 + (x12 + (x11 + (x10 + x9))))))); - x37 = (x24 + (x23 + (x22 + (x21 + (x20 + (x19 + (x18 + x17))))))); - x38 = (x37 & UINT64_C(0xffffffffffffffff)); - x39 = (x36 & UINT64_C(0xffffffffffffffff)); - out1[0] = x34; - out1[1] = x38; - out1[2] = x39; - out1[3] = x35; + x33 = (x31 + (uint64_t)x32); + x34 = (x30 + x33); + x35 = (x29 + x34); + x36 = (x28 + x35); + x37 = (x27 + x36); + x38 = (x26 + x37); + x39 = (x25 + x38); + x40 = (x23 + (uint64_t)x24); + x41 = (x22 + x40); + x42 = (x21 + x41); + x43 = (x20 + x42); + x44 = (x19 + x43); + x45 = (x18 + x44); + x46 = (x17 + x45); + x47 = (x15 + (uint64_t)x16); + x48 = (x14 + x47); + x49 = (x13 + x48); + x50 = (x12 + x49); + x51 = (x11 + x50); + x52 = (x10 + x51); + x53 = (x9 + x52); + x54 = (x7 + (uint64_t)x8); + x55 = (x6 + x54); + x56 = (x5 + x55); + x57 = (x4 + x56); + x58 = (x3 + x57); + x59 = (x2 + x58); + x60 = (x1 + x59); + out1[0] = x39; + out1[1] = x46; + out1[2] = x53; + out1[3] = x60; } /* END verbatim fiat code */ @@ -3939,7 +3994,7 @@ static void scalar_wnaf(int8_t out[257], const unsigned char in[32]) { } /*- - * Simulateous scalar multiplication: interleaved "textbook" wnaf. + * Simultaneous scalar multiplication: interleaved "textbook" wnaf. * NB: not constant time */ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], @@ -3947,7 +4002,7 @@ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], int i, d, is_neg, is_inf = 1, flipped = 0; int8_t anaf[257] = {0}; int8_t bnaf[257] = {0}; - pt_prj_t Q; + pt_prj_t Q = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -4013,7 +4068,7 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], const pt_aff_t *P) { int i, j, d, diff, is_neg; int8_t rnaf[52] = {0}; - pt_prj_t Q, lut; + pt_prj_t Q = {0}, lut = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -4089,8 +4144,8 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { int i, j, k, d, diff, is_neg = 0; int8_t rnaf[52] = {0}; - pt_prj_t Q, R; - pt_aff_t lut; + pt_prj_t Q = {0}, R = {0}; + pt_aff_t lut = {0}; scalar_rwnaf(rnaf, scalar); @@ -4151,6 +4206,12 @@ static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_mul(out->Y, Q.Y, Q.Z); } +/*- + * Wrapper: simultaneous scalar mutiplication. + * outx, outy := a * G + b * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], const unsigned char a[32], const unsigned char b[32], const unsigned char inx[32], @@ -4170,6 +4231,11 @@ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_to_bytes(outy, P.Y); } +/*- + * Wrapper: fixed scalar mutiplication. + * outx, outy := scalar * G + * Everything is LE byte ordering. + */ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32]) { pt_aff_t P; @@ -4182,6 +4248,12 @@ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_to_bytes(outy, P.Y); } +/*- + * Wrapper: variable point scalar mutiplication. + * outx, outy := scalar * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32], const unsigned char inx[32], @@ -4203,8 +4275,13 @@ static void point_mul(unsigned char outx[32], unsigned char outy[32], #include +/* the zero field element */ static const unsigned char const_zb[32] = {0}; +/*- + * An OpenSSL wrapper for simultaneous scalar multiplication. + * r := n * G + m * q + */ int point_mul_two_id_GostR3410_2001_CryptoPro_B_ParamSet( const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, @@ -4243,6 +4320,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for variable point scalar multiplication. + * r := m * q + */ int point_mul_id_GostR3410_2001_CryptoPro_B_ParamSet(const EC_GROUP *group, EC_POINT *r, @@ -4282,6 +4363,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for fixed scalar multiplication. + * r := n * G + */ int point_mul_g_id_GostR3410_2001_CryptoPro_B_ParamSet(const EC_GROUP *group, EC_POINT *r, @@ -4328,6 +4413,10 @@ err: typedef uint32_t fe_t[LIMB_CNT]; typedef uint32_t limb_t; +#ifdef OPENSSL_NO_ASM +#define FIAT_ID_GOSTR3410_2001_CRYPTOPRO_B_PARAMSET_NO_ASM +#endif + #define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) #define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) @@ -4369,7 +4458,7 @@ typedef struct { * SOFTWARE. */ -/* Autogenerated: word_by_word_montgomery --static id_GostR3410_2001_CryptoPro_B_ParamSet 32 '2^255 + 3225' */ +/* Autogenerated: word_by_word_montgomery --static --use-value-barrier id_GostR3410_2001_CryptoPro_B_ParamSet 32 '2^255 + 3225' */ /* curve description: id_GostR3410_2001_CryptoPro_B_ParamSet */ /* machine_wordsize = 32 (from "32") */ /* requested operations: (all) */ @@ -4394,6 +4483,17 @@ typedef signed char fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_int1; #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_ID_GOSTR3410_2001_CRYPTOPRO_B_PARAMSET_NO_ASM) && \ + (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint32_t +fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_value_barrier_u32(uint32_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +#define fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_value_barrier_u32(x) (x) +#endif + /* * The function fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_addcarryx_u32 is an addition with carry. * Postconditions: @@ -4496,7 +4596,11 @@ static void fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_cmovznz_u32( x1 = (!(!arg1)); x2 = ((fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_int1)(0x0 - x1) & UINT32_C(0xffffffff)); - x3 = ((x2 & arg3) | ((~x2) & arg2)); + x3 = + ((fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_value_barrier_u32(x2) & + arg3) | + (fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_value_barrier_u32((~x2)) & + arg2)); *out1 = x3; } @@ -8079,12 +8183,11 @@ static void fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_to_montgomery( static void fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_nonzero( uint32_t *out1, const uint32_t arg1[8]) { uint32_t x1; - x1 = ((arg1[0]) | - ((arg1[1]) | - ((arg1[2]) | - ((arg1[3]) | - ((arg1[4]) | - ((arg1[5]) | ((arg1[6]) | ((arg1[7]) | (uint32_t)0x0)))))))); + x1 = + ((arg1[0]) | + ((arg1[1]) | + ((arg1[2]) | + ((arg1[3]) | ((arg1[4]) | ((arg1[5]) | ((arg1[6]) | (arg1[7])))))))); *out1 = x1; } @@ -8138,7 +8241,7 @@ static void fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_selectznz( } /* - * The function fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_to_bytes serializes a field element in the Montgomery domain to bytes in little-endian order. + * The function fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -8159,10 +8262,10 @@ static void fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_to_bytes( uint32_t x6; uint32_t x7; uint32_t x8; - uint32_t x9; - uint8_t x10; - uint32_t x11; - uint8_t x12; + uint8_t x9; + uint32_t x10; + uint8_t x11; + uint32_t x12; uint8_t x13; uint8_t x14; uint8_t x15; @@ -8172,48 +8275,41 @@ static void fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_to_bytes( uint8_t x19; uint8_t x20; uint8_t x21; - uint8_t x22; - uint32_t x23; - uint8_t x24; - uint32_t x25; + uint32_t x22; + uint8_t x23; + uint32_t x24; + uint8_t x25; uint8_t x26; uint8_t x27; - uint8_t x28; + uint32_t x28; uint8_t x29; uint32_t x30; uint8_t x31; - uint32_t x32; + uint8_t x32; uint8_t x33; - uint8_t x34; + uint32_t x34; uint8_t x35; - uint8_t x36; - uint32_t x37; + uint32_t x36; + uint8_t x37; uint8_t x38; - uint32_t x39; - uint8_t x40; + uint8_t x39; + uint32_t x40; uint8_t x41; - uint8_t x42; + uint32_t x42; uint8_t x43; - uint32_t x44; + uint8_t x44; uint8_t x45; uint32_t x46; uint8_t x47; - uint8_t x48; + uint32_t x48; uint8_t x49; uint8_t x50; - uint32_t x51; - uint8_t x52; - uint32_t x53; - uint8_t x54; + uint8_t x51; + uint32_t x52; + uint8_t x53; + uint32_t x54; uint8_t x55; uint8_t x56; - uint8_t x57; - uint32_t x58; - uint8_t x59; - uint32_t x60; - uint8_t x61; - uint8_t x62; - uint8_t x63; x1 = (arg1[7]); x2 = (arg1[6]); x3 = (arg1[5]); @@ -8222,97 +8318,90 @@ static void fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_to_bytes( x6 = (arg1[2]); x7 = (arg1[1]); x8 = (arg1[0]); - x9 = (x8 >> 8); - x10 = (uint8_t)(x8 & UINT8_C(0xff)); - x11 = (x9 >> 8); - x12 = (uint8_t)(x9 & UINT8_C(0xff)); - x13 = (uint8_t)(x11 >> 8); - x14 = (uint8_t)(x11 & UINT8_C(0xff)); - x15 = (uint8_t)(x13 & UINT8_C(0xff)); + x9 = (uint8_t)(x8 & UINT8_C(0xff)); + x10 = (x8 >> 8); + x11 = (uint8_t)(x10 & UINT8_C(0xff)); + x12 = (x10 >> 8); + x13 = (uint8_t)(x12 & UINT8_C(0xff)); + x14 = (uint8_t)(x12 >> 8); + x15 = (uint8_t)(x7 & UINT8_C(0xff)); x16 = (x7 >> 8); - x17 = (uint8_t)(x7 & UINT8_C(0xff)); + x17 = (uint8_t)(x16 & UINT8_C(0xff)); x18 = (x16 >> 8); - x19 = (uint8_t)(x16 & UINT8_C(0xff)); + x19 = (uint8_t)(x18 & UINT8_C(0xff)); x20 = (uint8_t)(x18 >> 8); - x21 = (uint8_t)(x18 & UINT8_C(0xff)); - x22 = (uint8_t)(x20 & UINT8_C(0xff)); - x23 = (x6 >> 8); - x24 = (uint8_t)(x6 & UINT8_C(0xff)); - x25 = (x23 >> 8); - x26 = (uint8_t)(x23 & UINT8_C(0xff)); - x27 = (uint8_t)(x25 >> 8); - x28 = (uint8_t)(x25 & UINT8_C(0xff)); - x29 = (uint8_t)(x27 & UINT8_C(0xff)); - x30 = (x5 >> 8); - x31 = (uint8_t)(x5 & UINT8_C(0xff)); - x32 = (x30 >> 8); - x33 = (uint8_t)(x30 & UINT8_C(0xff)); - x34 = (uint8_t)(x32 >> 8); - x35 = (uint8_t)(x32 & UINT8_C(0xff)); - x36 = (uint8_t)(x34 & UINT8_C(0xff)); - x37 = (x4 >> 8); - x38 = (uint8_t)(x4 & UINT8_C(0xff)); - x39 = (x37 >> 8); - x40 = (uint8_t)(x37 & UINT8_C(0xff)); - x41 = (uint8_t)(x39 >> 8); - x42 = (uint8_t)(x39 & UINT8_C(0xff)); - x43 = (uint8_t)(x41 & UINT8_C(0xff)); - x44 = (x3 >> 8); - x45 = (uint8_t)(x3 & UINT8_C(0xff)); - x46 = (x44 >> 8); - x47 = (uint8_t)(x44 & UINT8_C(0xff)); - x48 = (uint8_t)(x46 >> 8); - x49 = (uint8_t)(x46 & UINT8_C(0xff)); - x50 = (uint8_t)(x48 & UINT8_C(0xff)); - x51 = (x2 >> 8); - x52 = (uint8_t)(x2 & UINT8_C(0xff)); - x53 = (x51 >> 8); - x54 = (uint8_t)(x51 & UINT8_C(0xff)); - x55 = (uint8_t)(x53 >> 8); - x56 = (uint8_t)(x53 & UINT8_C(0xff)); - x57 = (uint8_t)(x55 & UINT8_C(0xff)); - x58 = (x1 >> 8); - x59 = (uint8_t)(x1 & UINT8_C(0xff)); - x60 = (x58 >> 8); - x61 = (uint8_t)(x58 & UINT8_C(0xff)); - x62 = (uint8_t)(x60 >> 8); - x63 = (uint8_t)(x60 & UINT8_C(0xff)); - out1[0] = x10; - out1[1] = x12; - out1[2] = x14; - out1[3] = x15; - out1[4] = x17; - out1[5] = x19; - out1[6] = x21; - out1[7] = x22; - out1[8] = x24; - out1[9] = x26; - out1[10] = x28; - out1[11] = x29; - out1[12] = x31; - out1[13] = x33; - out1[14] = x35; - out1[15] = x36; - out1[16] = x38; - out1[17] = x40; - out1[18] = x42; - out1[19] = x43; - out1[20] = x45; - out1[21] = x47; - out1[22] = x49; - out1[23] = x50; - out1[24] = x52; - out1[25] = x54; - out1[26] = x56; - out1[27] = x57; - out1[28] = x59; - out1[29] = x61; - out1[30] = x63; - out1[31] = x62; + x21 = (uint8_t)(x6 & UINT8_C(0xff)); + x22 = (x6 >> 8); + x23 = (uint8_t)(x22 & UINT8_C(0xff)); + x24 = (x22 >> 8); + x25 = (uint8_t)(x24 & UINT8_C(0xff)); + x26 = (uint8_t)(x24 >> 8); + x27 = (uint8_t)(x5 & UINT8_C(0xff)); + x28 = (x5 >> 8); + x29 = (uint8_t)(x28 & UINT8_C(0xff)); + x30 = (x28 >> 8); + x31 = (uint8_t)(x30 & UINT8_C(0xff)); + x32 = (uint8_t)(x30 >> 8); + x33 = (uint8_t)(x4 & UINT8_C(0xff)); + x34 = (x4 >> 8); + x35 = (uint8_t)(x34 & UINT8_C(0xff)); + x36 = (x34 >> 8); + x37 = (uint8_t)(x36 & UINT8_C(0xff)); + x38 = (uint8_t)(x36 >> 8); + x39 = (uint8_t)(x3 & UINT8_C(0xff)); + x40 = (x3 >> 8); + x41 = (uint8_t)(x40 & UINT8_C(0xff)); + x42 = (x40 >> 8); + x43 = (uint8_t)(x42 & UINT8_C(0xff)); + x44 = (uint8_t)(x42 >> 8); + x45 = (uint8_t)(x2 & UINT8_C(0xff)); + x46 = (x2 >> 8); + x47 = (uint8_t)(x46 & UINT8_C(0xff)); + x48 = (x46 >> 8); + x49 = (uint8_t)(x48 & UINT8_C(0xff)); + x50 = (uint8_t)(x48 >> 8); + x51 = (uint8_t)(x1 & UINT8_C(0xff)); + x52 = (x1 >> 8); + x53 = (uint8_t)(x52 & UINT8_C(0xff)); + x54 = (x52 >> 8); + x55 = (uint8_t)(x54 & UINT8_C(0xff)); + x56 = (uint8_t)(x54 >> 8); + out1[0] = x9; + out1[1] = x11; + out1[2] = x13; + out1[3] = x14; + out1[4] = x15; + out1[5] = x17; + out1[6] = x19; + out1[7] = x20; + out1[8] = x21; + out1[9] = x23; + out1[10] = x25; + out1[11] = x26; + out1[12] = x27; + out1[13] = x29; + out1[14] = x31; + out1[15] = x32; + out1[16] = x33; + out1[17] = x35; + out1[18] = x37; + out1[19] = x38; + out1[20] = x39; + out1[21] = x41; + out1[22] = x43; + out1[23] = x44; + out1[24] = x45; + out1[25] = x47; + out1[26] = x49; + out1[27] = x50; + out1[28] = x51; + out1[29] = x53; + out1[30] = x55; + out1[31] = x56; } /* - * The function fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_from_bytes deserializes a field element in the Montgomery domain from bytes in little-endian order. + * The function fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. * Preconditions: * 0 ≤ bytes_eval arg1 < m * Postconditions: @@ -8373,6 +8462,15 @@ static void fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_from_bytes( uint32_t x45; uint32_t x46; uint32_t x47; + uint32_t x48; + uint32_t x49; + uint32_t x50; + uint32_t x51; + uint32_t x52; + uint32_t x53; + uint32_t x54; + uint32_t x55; + uint32_t x56; x1 = ((uint32_t)(arg1[31]) << 24); x2 = ((uint32_t)(arg1[30]) << 16); x3 = ((uint32_t)(arg1[29]) << 8); @@ -8405,29 +8503,38 @@ static void fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_from_bytes( x30 = ((uint32_t)(arg1[2]) << 16); x31 = ((uint32_t)(arg1[1]) << 8); x32 = (arg1[0]); - x33 = (x32 + (x31 + (x30 + x29))); - x34 = (x33 & UINT32_C(0xffffffff)); - x35 = (x4 + (x3 + (x2 + x1))); - x36 = (x8 + (x7 + (x6 + x5))); - x37 = (x12 + (x11 + (x10 + x9))); - x38 = (x16 + (x15 + (x14 + x13))); - x39 = (x20 + (x19 + (x18 + x17))); - x40 = (x24 + (x23 + (x22 + x21))); - x41 = (x28 + (x27 + (x26 + x25))); - x42 = (x41 & UINT32_C(0xffffffff)); - x43 = (x40 & UINT32_C(0xffffffff)); - x44 = (x39 & UINT32_C(0xffffffff)); - x45 = (x38 & UINT32_C(0xffffffff)); - x46 = (x37 & UINT32_C(0xffffffff)); - x47 = (x36 & UINT32_C(0xffffffff)); - out1[0] = x34; - out1[1] = x42; - out1[2] = x43; + x33 = (x31 + (uint32_t)x32); + x34 = (x30 + x33); + x35 = (x29 + x34); + x36 = (x27 + (uint32_t)x28); + x37 = (x26 + x36); + x38 = (x25 + x37); + x39 = (x23 + (uint32_t)x24); + x40 = (x22 + x39); + x41 = (x21 + x40); + x42 = (x19 + (uint32_t)x20); + x43 = (x18 + x42); + x44 = (x17 + x43); + x45 = (x15 + (uint32_t)x16); + x46 = (x14 + x45); + x47 = (x13 + x46); + x48 = (x11 + (uint32_t)x12); + x49 = (x10 + x48); + x50 = (x9 + x49); + x51 = (x7 + (uint32_t)x8); + x52 = (x6 + x51); + x53 = (x5 + x52); + x54 = (x3 + (uint32_t)x4); + x55 = (x2 + x54); + x56 = (x1 + x55); + out1[0] = x35; + out1[1] = x38; + out1[2] = x41; out1[3] = x44; - out1[4] = x45; - out1[5] = x46; - out1[6] = x47; - out1[7] = x35; + out1[4] = x47; + out1[5] = x50; + out1[6] = x53; + out1[7] = x56; } /* END verbatim fiat code */ @@ -11401,7 +11508,7 @@ static void scalar_wnaf(int8_t out[257], const unsigned char in[32]) { } /*- - * Simulateous scalar multiplication: interleaved "textbook" wnaf. + * Simultaneous scalar multiplication: interleaved "textbook" wnaf. * NB: not constant time */ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], @@ -11409,7 +11516,7 @@ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], int i, d, is_neg, is_inf = 1, flipped = 0; int8_t anaf[257] = {0}; int8_t bnaf[257] = {0}; - pt_prj_t Q; + pt_prj_t Q = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -11475,7 +11582,7 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], const pt_aff_t *P) { int i, j, d, diff, is_neg; int8_t rnaf[52] = {0}; - pt_prj_t Q, lut; + pt_prj_t Q = {0}, lut = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -11551,8 +11658,8 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { int i, j, k, d, diff, is_neg = 0; int8_t rnaf[52] = {0}; - pt_prj_t Q, R; - pt_aff_t lut; + pt_prj_t Q = {0}, R = {0}; + pt_aff_t lut = {0}; scalar_rwnaf(rnaf, scalar); @@ -11613,6 +11720,12 @@ static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_mul(out->Y, Q.Y, Q.Z); } +/*- + * Wrapper: simultaneous scalar mutiplication. + * outx, outy := a * G + b * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], const unsigned char a[32], const unsigned char b[32], const unsigned char inx[32], @@ -11632,6 +11745,11 @@ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_to_bytes(outy, P.Y); } +/*- + * Wrapper: fixed scalar mutiplication. + * outx, outy := scalar * G + * Everything is LE byte ordering. + */ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32]) { pt_aff_t P; @@ -11644,6 +11762,12 @@ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_CryptoPro_B_ParamSet_to_bytes(outy, P.Y); } +/*- + * Wrapper: variable point scalar mutiplication. + * outx, outy := scalar * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32], const unsigned char inx[32], @@ -11665,8 +11789,13 @@ static void point_mul(unsigned char outx[32], unsigned char outy[32], #include +/* the zero field element */ static const unsigned char const_zb[32] = {0}; +/*- + * An OpenSSL wrapper for simultaneous scalar multiplication. + * r := n * G + m * q + */ int point_mul_two_id_GostR3410_2001_CryptoPro_B_ParamSet( const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, @@ -11705,6 +11834,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for variable point scalar multiplication. + * r := m * q + */ int point_mul_id_GostR3410_2001_CryptoPro_B_ParamSet(const EC_GROUP *group, EC_POINT *r, @@ -11744,6 +11877,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for fixed scalar multiplication. + * r := n * G + */ int point_mul_g_id_GostR3410_2001_CryptoPro_B_ParamSet(const EC_GROUP *group, EC_POINT *r, diff --git a/ecp_id_GostR3410_2001_CryptoPro_C_ParamSet.c b/ecp_id_GostR3410_2001_CryptoPro_C_ParamSet.c index c2ada7c..57257a2 100644 --- a/ecp_id_GostR3410_2001_CryptoPro_C_ParamSet.c +++ b/ecp_id_GostR3410_2001_CryptoPro_C_ParamSet.c @@ -32,6 +32,10 @@ typedef uint64_t fe_t[LIMB_CNT]; typedef uint64_t limb_t; +#ifdef OPENSSL_NO_ASM +#define FIAT_ID_GOSTR3410_2001_CRYPTOPRO_C_PARAMSET_NO_ASM +#endif + #define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) #define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) @@ -73,7 +77,7 @@ typedef struct { * SOFTWARE. */ -/* Autogenerated: word_by_word_montgomery --static id_GostR3410_2001_CryptoPro_C_ParamSet 64 0x9B9F605F5A858107AB1EC85E6B41C8AACF846E86789051D37998F7B9022D759B */ +/* Autogenerated: word_by_word_montgomery --static --use-value-barrier id_GostR3410_2001_CryptoPro_C_ParamSet 64 0x9B9F605F5A858107AB1EC85E6B41C8AACF846E86789051D37998F7B9022D759B */ /* curve description: id_GostR3410_2001_CryptoPro_C_ParamSet */ /* machine_wordsize = 64 (from "64") */ /* requested operations: (all) */ @@ -100,6 +104,17 @@ typedef unsigned __int128 fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_uint128; #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_ID_GOSTR3410_2001_CRYPTOPRO_C_PARAMSET_NO_ASM) && \ + (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint64_t +fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_value_barrier_u64(uint64_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +#define fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_value_barrier_u64(x) (x) +#endif + /* * The function fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_addcarryx_u64 is an addition with carry. * Postconditions: @@ -204,7 +219,11 @@ static void fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_cmovznz_u64( x1 = (!(!arg1)); x2 = ((fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); - x3 = ((x2 & arg3) | ((~x2) & arg2)); + x3 = + ((fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_value_barrier_u64(x2) & + arg3) | + (fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_value_barrier_u64((~x2)) & + arg2)); *out1 = x3; } @@ -2048,7 +2067,7 @@ static void fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_to_montgomery( static void fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_nonzero( uint64_t *out1, const uint64_t arg1[4]) { uint64_t x1; - x1 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | ((arg1[3]) | (uint64_t)0x0)))); + x1 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | (arg1[3])))); *out1 = x1; } @@ -2086,7 +2105,7 @@ static void fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_selectznz( } /* - * The function fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_to_bytes serializes a field element in the Montgomery domain to bytes in little-endian order. + * The function fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -2103,18 +2122,18 @@ static void fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_to_bytes( uint64_t x2; uint64_t x3; uint64_t x4; - uint64_t x5; - uint8_t x6; - uint64_t x7; - uint8_t x8; - uint64_t x9; - uint8_t x10; - uint64_t x11; - uint8_t x12; - uint64_t x13; - uint8_t x14; - uint64_t x15; - uint8_t x16; + uint8_t x5; + uint64_t x6; + uint8_t x7; + uint64_t x8; + uint8_t x9; + uint64_t x10; + uint8_t x11; + uint64_t x12; + uint8_t x13; + uint64_t x14; + uint8_t x15; + uint64_t x16; uint8_t x17; uint8_t x18; uint8_t x19; @@ -2132,21 +2151,21 @@ static void fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_to_bytes( uint8_t x31; uint8_t x32; uint8_t x33; - uint8_t x34; - uint64_t x35; - uint8_t x36; - uint64_t x37; - uint8_t x38; - uint64_t x39; - uint8_t x40; - uint64_t x41; - uint8_t x42; - uint64_t x43; - uint8_t x44; - uint64_t x45; + uint64_t x34; + uint8_t x35; + uint64_t x36; + uint8_t x37; + uint64_t x38; + uint8_t x39; + uint64_t x40; + uint8_t x41; + uint64_t x42; + uint8_t x43; + uint64_t x44; + uint8_t x45; uint8_t x46; uint8_t x47; - uint8_t x48; + uint64_t x48; uint8_t x49; uint64_t x50; uint8_t x51; @@ -2158,109 +2177,103 @@ static void fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_to_bytes( uint8_t x57; uint64_t x58; uint8_t x59; - uint64_t x60; - uint8_t x61; - uint8_t x62; - uint8_t x63; + uint8_t x60; x1 = (arg1[3]); x2 = (arg1[2]); x3 = (arg1[1]); x4 = (arg1[0]); - x5 = (x4 >> 8); - x6 = (uint8_t)(x4 & UINT8_C(0xff)); - x7 = (x5 >> 8); - x8 = (uint8_t)(x5 & UINT8_C(0xff)); - x9 = (x7 >> 8); - x10 = (uint8_t)(x7 & UINT8_C(0xff)); - x11 = (x9 >> 8); - x12 = (uint8_t)(x9 & UINT8_C(0xff)); - x13 = (x11 >> 8); - x14 = (uint8_t)(x11 & UINT8_C(0xff)); - x15 = (x13 >> 8); - x16 = (uint8_t)(x13 & UINT8_C(0xff)); - x17 = (uint8_t)(x15 >> 8); - x18 = (uint8_t)(x15 & UINT8_C(0xff)); - x19 = (uint8_t)(x17 & UINT8_C(0xff)); + x5 = (uint8_t)(x4 & UINT8_C(0xff)); + x6 = (x4 >> 8); + x7 = (uint8_t)(x6 & UINT8_C(0xff)); + x8 = (x6 >> 8); + x9 = (uint8_t)(x8 & UINT8_C(0xff)); + x10 = (x8 >> 8); + x11 = (uint8_t)(x10 & UINT8_C(0xff)); + x12 = (x10 >> 8); + x13 = (uint8_t)(x12 & UINT8_C(0xff)); + x14 = (x12 >> 8); + x15 = (uint8_t)(x14 & UINT8_C(0xff)); + x16 = (x14 >> 8); + x17 = (uint8_t)(x16 & UINT8_C(0xff)); + x18 = (uint8_t)(x16 >> 8); + x19 = (uint8_t)(x3 & UINT8_C(0xff)); x20 = (x3 >> 8); - x21 = (uint8_t)(x3 & UINT8_C(0xff)); + x21 = (uint8_t)(x20 & UINT8_C(0xff)); x22 = (x20 >> 8); - x23 = (uint8_t)(x20 & UINT8_C(0xff)); + x23 = (uint8_t)(x22 & UINT8_C(0xff)); x24 = (x22 >> 8); - x25 = (uint8_t)(x22 & UINT8_C(0xff)); + x25 = (uint8_t)(x24 & UINT8_C(0xff)); x26 = (x24 >> 8); - x27 = (uint8_t)(x24 & UINT8_C(0xff)); + x27 = (uint8_t)(x26 & UINT8_C(0xff)); x28 = (x26 >> 8); - x29 = (uint8_t)(x26 & UINT8_C(0xff)); + x29 = (uint8_t)(x28 & UINT8_C(0xff)); x30 = (x28 >> 8); - x31 = (uint8_t)(x28 & UINT8_C(0xff)); + x31 = (uint8_t)(x30 & UINT8_C(0xff)); x32 = (uint8_t)(x30 >> 8); - x33 = (uint8_t)(x30 & UINT8_C(0xff)); - x34 = (uint8_t)(x32 & UINT8_C(0xff)); - x35 = (x2 >> 8); - x36 = (uint8_t)(x2 & UINT8_C(0xff)); - x37 = (x35 >> 8); - x38 = (uint8_t)(x35 & UINT8_C(0xff)); - x39 = (x37 >> 8); - x40 = (uint8_t)(x37 & UINT8_C(0xff)); - x41 = (x39 >> 8); - x42 = (uint8_t)(x39 & UINT8_C(0xff)); - x43 = (x41 >> 8); - x44 = (uint8_t)(x41 & UINT8_C(0xff)); - x45 = (x43 >> 8); - x46 = (uint8_t)(x43 & UINT8_C(0xff)); - x47 = (uint8_t)(x45 >> 8); - x48 = (uint8_t)(x45 & UINT8_C(0xff)); - x49 = (uint8_t)(x47 & UINT8_C(0xff)); - x50 = (x1 >> 8); - x51 = (uint8_t)(x1 & UINT8_C(0xff)); + x33 = (uint8_t)(x2 & UINT8_C(0xff)); + x34 = (x2 >> 8); + x35 = (uint8_t)(x34 & UINT8_C(0xff)); + x36 = (x34 >> 8); + x37 = (uint8_t)(x36 & UINT8_C(0xff)); + x38 = (x36 >> 8); + x39 = (uint8_t)(x38 & UINT8_C(0xff)); + x40 = (x38 >> 8); + x41 = (uint8_t)(x40 & UINT8_C(0xff)); + x42 = (x40 >> 8); + x43 = (uint8_t)(x42 & UINT8_C(0xff)); + x44 = (x42 >> 8); + x45 = (uint8_t)(x44 & UINT8_C(0xff)); + x46 = (uint8_t)(x44 >> 8); + x47 = (uint8_t)(x1 & UINT8_C(0xff)); + x48 = (x1 >> 8); + x49 = (uint8_t)(x48 & UINT8_C(0xff)); + x50 = (x48 >> 8); + x51 = (uint8_t)(x50 & UINT8_C(0xff)); x52 = (x50 >> 8); - x53 = (uint8_t)(x50 & UINT8_C(0xff)); + x53 = (uint8_t)(x52 & UINT8_C(0xff)); x54 = (x52 >> 8); - x55 = (uint8_t)(x52 & UINT8_C(0xff)); + x55 = (uint8_t)(x54 & UINT8_C(0xff)); x56 = (x54 >> 8); - x57 = (uint8_t)(x54 & UINT8_C(0xff)); + x57 = (uint8_t)(x56 & UINT8_C(0xff)); x58 = (x56 >> 8); - x59 = (uint8_t)(x56 & UINT8_C(0xff)); - x60 = (x58 >> 8); - x61 = (uint8_t)(x58 & UINT8_C(0xff)); - x62 = (uint8_t)(x60 >> 8); - x63 = (uint8_t)(x60 & UINT8_C(0xff)); - out1[0] = x6; - out1[1] = x8; - out1[2] = x10; - out1[3] = x12; - out1[4] = x14; - out1[5] = x16; - out1[6] = x18; - out1[7] = x19; - out1[8] = x21; - out1[9] = x23; - out1[10] = x25; - out1[11] = x27; - out1[12] = x29; - out1[13] = x31; - out1[14] = x33; - out1[15] = x34; - out1[16] = x36; - out1[17] = x38; - out1[18] = x40; - out1[19] = x42; - out1[20] = x44; - out1[21] = x46; - out1[22] = x48; - out1[23] = x49; - out1[24] = x51; - out1[25] = x53; - out1[26] = x55; - out1[27] = x57; - out1[28] = x59; - out1[29] = x61; - out1[30] = x63; - out1[31] = x62; + x59 = (uint8_t)(x58 & UINT8_C(0xff)); + x60 = (uint8_t)(x58 >> 8); + out1[0] = x5; + out1[1] = x7; + out1[2] = x9; + out1[3] = x11; + out1[4] = x13; + out1[5] = x15; + out1[6] = x17; + out1[7] = x18; + out1[8] = x19; + out1[9] = x21; + out1[10] = x23; + out1[11] = x25; + out1[12] = x27; + out1[13] = x29; + out1[14] = x31; + out1[15] = x32; + out1[16] = x33; + out1[17] = x35; + out1[18] = x37; + out1[19] = x39; + out1[20] = x41; + out1[21] = x43; + out1[22] = x45; + out1[23] = x46; + out1[24] = x47; + out1[25] = x49; + out1[26] = x51; + out1[27] = x53; + out1[28] = x55; + out1[29] = x57; + out1[30] = x59; + out1[31] = x60; } /* - * The function fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_from_bytes deserializes a field element in the Montgomery domain from bytes in little-endian order. + * The function fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. * Preconditions: * 0 ≤ bytes_eval arg1 < m * Postconditions: @@ -2313,6 +2326,27 @@ static void fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_from_bytes( uint64_t x37; uint64_t x38; uint64_t x39; + uint64_t x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + uint64_t x48; + uint64_t x49; + uint64_t x50; + uint64_t x51; + uint64_t x52; + uint64_t x53; + uint64_t x54; + uint64_t x55; + uint64_t x56; + uint64_t x57; + uint64_t x58; + uint64_t x59; + uint64_t x60; x1 = ((uint64_t)(arg1[31]) << 56); x2 = ((uint64_t)(arg1[30]) << 48); x3 = ((uint64_t)(arg1[29]) << 40); @@ -2345,17 +2379,38 @@ static void fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_from_bytes( x30 = ((uint64_t)(arg1[2]) << 16); x31 = ((uint64_t)(arg1[1]) << 8); x32 = (arg1[0]); - x33 = (x32 + (x31 + (x30 + (x29 + (x28 + (x27 + (x26 + x25))))))); - x34 = (x33 & UINT64_C(0xffffffffffffffff)); - x35 = (x8 + (x7 + (x6 + (x5 + (x4 + (x3 + (x2 + x1))))))); - x36 = (x16 + (x15 + (x14 + (x13 + (x12 + (x11 + (x10 + x9))))))); - x37 = (x24 + (x23 + (x22 + (x21 + (x20 + (x19 + (x18 + x17))))))); - x38 = (x37 & UINT64_C(0xffffffffffffffff)); - x39 = (x36 & UINT64_C(0xffffffffffffffff)); - out1[0] = x34; - out1[1] = x38; - out1[2] = x39; - out1[3] = x35; + x33 = (x31 + (uint64_t)x32); + x34 = (x30 + x33); + x35 = (x29 + x34); + x36 = (x28 + x35); + x37 = (x27 + x36); + x38 = (x26 + x37); + x39 = (x25 + x38); + x40 = (x23 + (uint64_t)x24); + x41 = (x22 + x40); + x42 = (x21 + x41); + x43 = (x20 + x42); + x44 = (x19 + x43); + x45 = (x18 + x44); + x46 = (x17 + x45); + x47 = (x15 + (uint64_t)x16); + x48 = (x14 + x47); + x49 = (x13 + x48); + x50 = (x12 + x49); + x51 = (x11 + x50); + x52 = (x10 + x51); + x53 = (x9 + x52); + x54 = (x7 + (uint64_t)x8); + x55 = (x6 + x54); + x56 = (x5 + x55); + x57 = (x4 + x56); + x58 = (x3 + x57); + x59 = (x2 + x58); + x60 = (x1 + x59); + out1[0] = x39; + out1[1] = x46; + out1[2] = x53; + out1[3] = x60; } /* END verbatim fiat code */ @@ -4597,7 +4652,7 @@ static void scalar_wnaf(int8_t out[257], const unsigned char in[32]) { } /*- - * Simulateous scalar multiplication: interleaved "textbook" wnaf. + * Simultaneous scalar multiplication: interleaved "textbook" wnaf. * NB: not constant time */ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], @@ -4605,7 +4660,7 @@ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], int i, d, is_neg, is_inf = 1, flipped = 0; int8_t anaf[257] = {0}; int8_t bnaf[257] = {0}; - pt_prj_t Q; + pt_prj_t Q = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -4671,7 +4726,7 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], const pt_aff_t *P) { int i, j, d, diff, is_neg; int8_t rnaf[52] = {0}; - pt_prj_t Q, lut; + pt_prj_t Q = {0}, lut = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -4747,8 +4802,8 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { int i, j, k, d, diff, is_neg = 0; int8_t rnaf[52] = {0}; - pt_prj_t Q, R; - pt_aff_t lut; + pt_prj_t Q = {0}, R = {0}; + pt_aff_t lut = {0}; scalar_rwnaf(rnaf, scalar); @@ -4809,6 +4864,12 @@ static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_mul(out->Y, Q.Y, Q.Z); } +/*- + * Wrapper: simultaneous scalar mutiplication. + * outx, outy := a * G + b * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], const unsigned char a[32], const unsigned char b[32], const unsigned char inx[32], @@ -4828,6 +4889,11 @@ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_to_bytes(outy, P.Y); } +/*- + * Wrapper: fixed scalar mutiplication. + * outx, outy := scalar * G + * Everything is LE byte ordering. + */ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32]) { pt_aff_t P; @@ -4840,6 +4906,12 @@ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_to_bytes(outy, P.Y); } +/*- + * Wrapper: variable point scalar mutiplication. + * outx, outy := scalar * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32], const unsigned char inx[32], @@ -4861,8 +4933,13 @@ static void point_mul(unsigned char outx[32], unsigned char outy[32], #include +/* the zero field element */ static const unsigned char const_zb[32] = {0}; +/*- + * An OpenSSL wrapper for simultaneous scalar multiplication. + * r := n * G + m * q + */ int point_mul_two_id_GostR3410_2001_CryptoPro_C_ParamSet( const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, @@ -4901,6 +4978,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for variable point scalar multiplication. + * r := m * q + */ int point_mul_id_GostR3410_2001_CryptoPro_C_ParamSet(const EC_GROUP *group, EC_POINT *r, @@ -4940,6 +5021,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for fixed scalar multiplication. + * r := n * G + */ int point_mul_g_id_GostR3410_2001_CryptoPro_C_ParamSet(const EC_GROUP *group, EC_POINT *r, @@ -4986,6 +5071,10 @@ err: typedef uint32_t fe_t[LIMB_CNT]; typedef uint32_t limb_t; +#ifdef OPENSSL_NO_ASM +#define FIAT_ID_GOSTR3410_2001_CRYPTOPRO_C_PARAMSET_NO_ASM +#endif + #define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) #define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) @@ -5027,7 +5116,7 @@ typedef struct { * SOFTWARE. */ -/* Autogenerated: word_by_word_montgomery --static id_GostR3410_2001_CryptoPro_C_ParamSet 32 0x9B9F605F5A858107AB1EC85E6B41C8AACF846E86789051D37998F7B9022D759B */ +/* Autogenerated: word_by_word_montgomery --static --use-value-barrier id_GostR3410_2001_CryptoPro_C_ParamSet 32 0x9B9F605F5A858107AB1EC85E6B41C8AACF846E86789051D37998F7B9022D759B */ /* curve description: id_GostR3410_2001_CryptoPro_C_ParamSet */ /* machine_wordsize = 32 (from "32") */ /* requested operations: (all) */ @@ -5052,6 +5141,17 @@ typedef signed char fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_int1; #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_ID_GOSTR3410_2001_CRYPTOPRO_C_PARAMSET_NO_ASM) && \ + (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint32_t +fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_value_barrier_u32(uint32_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +#define fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_value_barrier_u32(x) (x) +#endif + /* * The function fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_addcarryx_u32 is an addition with carry. * Postconditions: @@ -5154,7 +5254,11 @@ static void fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_cmovznz_u32( x1 = (!(!arg1)); x2 = ((fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_int1)(0x0 - x1) & UINT32_C(0xffffffff)); - x3 = ((x2 & arg3) | ((~x2) & arg2)); + x3 = + ((fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_value_barrier_u32(x2) & + arg3) | + (fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_value_barrier_u32((~x2)) & + arg2)); *out1 = x3; } @@ -11498,12 +11602,11 @@ static void fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_to_montgomery( static void fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_nonzero( uint32_t *out1, const uint32_t arg1[8]) { uint32_t x1; - x1 = ((arg1[0]) | - ((arg1[1]) | - ((arg1[2]) | - ((arg1[3]) | - ((arg1[4]) | - ((arg1[5]) | ((arg1[6]) | ((arg1[7]) | (uint32_t)0x0)))))))); + x1 = + ((arg1[0]) | + ((arg1[1]) | + ((arg1[2]) | + ((arg1[3]) | ((arg1[4]) | ((arg1[5]) | ((arg1[6]) | (arg1[7])))))))); *out1 = x1; } @@ -11557,7 +11660,7 @@ static void fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_selectznz( } /* - * The function fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_to_bytes serializes a field element in the Montgomery domain to bytes in little-endian order. + * The function fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -11578,10 +11681,10 @@ static void fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_to_bytes( uint32_t x6; uint32_t x7; uint32_t x8; - uint32_t x9; - uint8_t x10; - uint32_t x11; - uint8_t x12; + uint8_t x9; + uint32_t x10; + uint8_t x11; + uint32_t x12; uint8_t x13; uint8_t x14; uint8_t x15; @@ -11591,48 +11694,41 @@ static void fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_to_bytes( uint8_t x19; uint8_t x20; uint8_t x21; - uint8_t x22; - uint32_t x23; - uint8_t x24; - uint32_t x25; + uint32_t x22; + uint8_t x23; + uint32_t x24; + uint8_t x25; uint8_t x26; uint8_t x27; - uint8_t x28; + uint32_t x28; uint8_t x29; uint32_t x30; uint8_t x31; - uint32_t x32; + uint8_t x32; uint8_t x33; - uint8_t x34; + uint32_t x34; uint8_t x35; - uint8_t x36; - uint32_t x37; + uint32_t x36; + uint8_t x37; uint8_t x38; - uint32_t x39; - uint8_t x40; + uint8_t x39; + uint32_t x40; uint8_t x41; - uint8_t x42; + uint32_t x42; uint8_t x43; - uint32_t x44; + uint8_t x44; uint8_t x45; uint32_t x46; uint8_t x47; - uint8_t x48; + uint32_t x48; uint8_t x49; uint8_t x50; - uint32_t x51; - uint8_t x52; - uint32_t x53; - uint8_t x54; + uint8_t x51; + uint32_t x52; + uint8_t x53; + uint32_t x54; uint8_t x55; uint8_t x56; - uint8_t x57; - uint32_t x58; - uint8_t x59; - uint32_t x60; - uint8_t x61; - uint8_t x62; - uint8_t x63; x1 = (arg1[7]); x2 = (arg1[6]); x3 = (arg1[5]); @@ -11641,97 +11737,90 @@ static void fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_to_bytes( x6 = (arg1[2]); x7 = (arg1[1]); x8 = (arg1[0]); - x9 = (x8 >> 8); - x10 = (uint8_t)(x8 & UINT8_C(0xff)); - x11 = (x9 >> 8); - x12 = (uint8_t)(x9 & UINT8_C(0xff)); - x13 = (uint8_t)(x11 >> 8); - x14 = (uint8_t)(x11 & UINT8_C(0xff)); - x15 = (uint8_t)(x13 & UINT8_C(0xff)); + x9 = (uint8_t)(x8 & UINT8_C(0xff)); + x10 = (x8 >> 8); + x11 = (uint8_t)(x10 & UINT8_C(0xff)); + x12 = (x10 >> 8); + x13 = (uint8_t)(x12 & UINT8_C(0xff)); + x14 = (uint8_t)(x12 >> 8); + x15 = (uint8_t)(x7 & UINT8_C(0xff)); x16 = (x7 >> 8); - x17 = (uint8_t)(x7 & UINT8_C(0xff)); + x17 = (uint8_t)(x16 & UINT8_C(0xff)); x18 = (x16 >> 8); - x19 = (uint8_t)(x16 & UINT8_C(0xff)); + x19 = (uint8_t)(x18 & UINT8_C(0xff)); x20 = (uint8_t)(x18 >> 8); - x21 = (uint8_t)(x18 & UINT8_C(0xff)); - x22 = (uint8_t)(x20 & UINT8_C(0xff)); - x23 = (x6 >> 8); - x24 = (uint8_t)(x6 & UINT8_C(0xff)); - x25 = (x23 >> 8); - x26 = (uint8_t)(x23 & UINT8_C(0xff)); - x27 = (uint8_t)(x25 >> 8); - x28 = (uint8_t)(x25 & UINT8_C(0xff)); - x29 = (uint8_t)(x27 & UINT8_C(0xff)); - x30 = (x5 >> 8); - x31 = (uint8_t)(x5 & UINT8_C(0xff)); - x32 = (x30 >> 8); - x33 = (uint8_t)(x30 & UINT8_C(0xff)); - x34 = (uint8_t)(x32 >> 8); - x35 = (uint8_t)(x32 & UINT8_C(0xff)); - x36 = (uint8_t)(x34 & UINT8_C(0xff)); - x37 = (x4 >> 8); - x38 = (uint8_t)(x4 & UINT8_C(0xff)); - x39 = (x37 >> 8); - x40 = (uint8_t)(x37 & UINT8_C(0xff)); - x41 = (uint8_t)(x39 >> 8); - x42 = (uint8_t)(x39 & UINT8_C(0xff)); - x43 = (uint8_t)(x41 & UINT8_C(0xff)); - x44 = (x3 >> 8); - x45 = (uint8_t)(x3 & UINT8_C(0xff)); - x46 = (x44 >> 8); - x47 = (uint8_t)(x44 & UINT8_C(0xff)); - x48 = (uint8_t)(x46 >> 8); - x49 = (uint8_t)(x46 & UINT8_C(0xff)); - x50 = (uint8_t)(x48 & UINT8_C(0xff)); - x51 = (x2 >> 8); - x52 = (uint8_t)(x2 & UINT8_C(0xff)); - x53 = (x51 >> 8); - x54 = (uint8_t)(x51 & UINT8_C(0xff)); - x55 = (uint8_t)(x53 >> 8); - x56 = (uint8_t)(x53 & UINT8_C(0xff)); - x57 = (uint8_t)(x55 & UINT8_C(0xff)); - x58 = (x1 >> 8); - x59 = (uint8_t)(x1 & UINT8_C(0xff)); - x60 = (x58 >> 8); - x61 = (uint8_t)(x58 & UINT8_C(0xff)); - x62 = (uint8_t)(x60 >> 8); - x63 = (uint8_t)(x60 & UINT8_C(0xff)); - out1[0] = x10; - out1[1] = x12; - out1[2] = x14; - out1[3] = x15; - out1[4] = x17; - out1[5] = x19; - out1[6] = x21; - out1[7] = x22; - out1[8] = x24; - out1[9] = x26; - out1[10] = x28; - out1[11] = x29; - out1[12] = x31; - out1[13] = x33; - out1[14] = x35; - out1[15] = x36; - out1[16] = x38; - out1[17] = x40; - out1[18] = x42; - out1[19] = x43; - out1[20] = x45; - out1[21] = x47; - out1[22] = x49; - out1[23] = x50; - out1[24] = x52; - out1[25] = x54; - out1[26] = x56; - out1[27] = x57; - out1[28] = x59; - out1[29] = x61; - out1[30] = x63; - out1[31] = x62; + x21 = (uint8_t)(x6 & UINT8_C(0xff)); + x22 = (x6 >> 8); + x23 = (uint8_t)(x22 & UINT8_C(0xff)); + x24 = (x22 >> 8); + x25 = (uint8_t)(x24 & UINT8_C(0xff)); + x26 = (uint8_t)(x24 >> 8); + x27 = (uint8_t)(x5 & UINT8_C(0xff)); + x28 = (x5 >> 8); + x29 = (uint8_t)(x28 & UINT8_C(0xff)); + x30 = (x28 >> 8); + x31 = (uint8_t)(x30 & UINT8_C(0xff)); + x32 = (uint8_t)(x30 >> 8); + x33 = (uint8_t)(x4 & UINT8_C(0xff)); + x34 = (x4 >> 8); + x35 = (uint8_t)(x34 & UINT8_C(0xff)); + x36 = (x34 >> 8); + x37 = (uint8_t)(x36 & UINT8_C(0xff)); + x38 = (uint8_t)(x36 >> 8); + x39 = (uint8_t)(x3 & UINT8_C(0xff)); + x40 = (x3 >> 8); + x41 = (uint8_t)(x40 & UINT8_C(0xff)); + x42 = (x40 >> 8); + x43 = (uint8_t)(x42 & UINT8_C(0xff)); + x44 = (uint8_t)(x42 >> 8); + x45 = (uint8_t)(x2 & UINT8_C(0xff)); + x46 = (x2 >> 8); + x47 = (uint8_t)(x46 & UINT8_C(0xff)); + x48 = (x46 >> 8); + x49 = (uint8_t)(x48 & UINT8_C(0xff)); + x50 = (uint8_t)(x48 >> 8); + x51 = (uint8_t)(x1 & UINT8_C(0xff)); + x52 = (x1 >> 8); + x53 = (uint8_t)(x52 & UINT8_C(0xff)); + x54 = (x52 >> 8); + x55 = (uint8_t)(x54 & UINT8_C(0xff)); + x56 = (uint8_t)(x54 >> 8); + out1[0] = x9; + out1[1] = x11; + out1[2] = x13; + out1[3] = x14; + out1[4] = x15; + out1[5] = x17; + out1[6] = x19; + out1[7] = x20; + out1[8] = x21; + out1[9] = x23; + out1[10] = x25; + out1[11] = x26; + out1[12] = x27; + out1[13] = x29; + out1[14] = x31; + out1[15] = x32; + out1[16] = x33; + out1[17] = x35; + out1[18] = x37; + out1[19] = x38; + out1[20] = x39; + out1[21] = x41; + out1[22] = x43; + out1[23] = x44; + out1[24] = x45; + out1[25] = x47; + out1[26] = x49; + out1[27] = x50; + out1[28] = x51; + out1[29] = x53; + out1[30] = x55; + out1[31] = x56; } /* - * The function fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_from_bytes deserializes a field element in the Montgomery domain from bytes in little-endian order. + * The function fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. * Preconditions: * 0 ≤ bytes_eval arg1 < m * Postconditions: @@ -11792,6 +11881,15 @@ static void fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_from_bytes( uint32_t x45; uint32_t x46; uint32_t x47; + uint32_t x48; + uint32_t x49; + uint32_t x50; + uint32_t x51; + uint32_t x52; + uint32_t x53; + uint32_t x54; + uint32_t x55; + uint32_t x56; x1 = ((uint32_t)(arg1[31]) << 24); x2 = ((uint32_t)(arg1[30]) << 16); x3 = ((uint32_t)(arg1[29]) << 8); @@ -11824,29 +11922,38 @@ static void fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_from_bytes( x30 = ((uint32_t)(arg1[2]) << 16); x31 = ((uint32_t)(arg1[1]) << 8); x32 = (arg1[0]); - x33 = (x32 + (x31 + (x30 + x29))); - x34 = (x33 & UINT32_C(0xffffffff)); - x35 = (x4 + (x3 + (x2 + x1))); - x36 = (x8 + (x7 + (x6 + x5))); - x37 = (x12 + (x11 + (x10 + x9))); - x38 = (x16 + (x15 + (x14 + x13))); - x39 = (x20 + (x19 + (x18 + x17))); - x40 = (x24 + (x23 + (x22 + x21))); - x41 = (x28 + (x27 + (x26 + x25))); - x42 = (x41 & UINT32_C(0xffffffff)); - x43 = (x40 & UINT32_C(0xffffffff)); - x44 = (x39 & UINT32_C(0xffffffff)); - x45 = (x38 & UINT32_C(0xffffffff)); - x46 = (x37 & UINT32_C(0xffffffff)); - x47 = (x36 & UINT32_C(0xffffffff)); - out1[0] = x34; - out1[1] = x42; - out1[2] = x43; + x33 = (x31 + (uint32_t)x32); + x34 = (x30 + x33); + x35 = (x29 + x34); + x36 = (x27 + (uint32_t)x28); + x37 = (x26 + x36); + x38 = (x25 + x37); + x39 = (x23 + (uint32_t)x24); + x40 = (x22 + x39); + x41 = (x21 + x40); + x42 = (x19 + (uint32_t)x20); + x43 = (x18 + x42); + x44 = (x17 + x43); + x45 = (x15 + (uint32_t)x16); + x46 = (x14 + x45); + x47 = (x13 + x46); + x48 = (x11 + (uint32_t)x12); + x49 = (x10 + x48); + x50 = (x9 + x49); + x51 = (x7 + (uint32_t)x8); + x52 = (x6 + x51); + x53 = (x5 + x52); + x54 = (x3 + (uint32_t)x4); + x55 = (x2 + x54); + x56 = (x1 + x55); + out1[0] = x35; + out1[1] = x38; + out1[2] = x41; out1[3] = x44; - out1[4] = x45; - out1[5] = x46; - out1[6] = x47; - out1[7] = x35; + out1[4] = x47; + out1[5] = x50; + out1[6] = x53; + out1[7] = x56; } /* END verbatim fiat code */ @@ -14954,7 +15061,7 @@ static void scalar_wnaf(int8_t out[257], const unsigned char in[32]) { } /*- - * Simulateous scalar multiplication: interleaved "textbook" wnaf. + * Simultaneous scalar multiplication: interleaved "textbook" wnaf. * NB: not constant time */ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], @@ -14962,7 +15069,7 @@ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], int i, d, is_neg, is_inf = 1, flipped = 0; int8_t anaf[257] = {0}; int8_t bnaf[257] = {0}; - pt_prj_t Q; + pt_prj_t Q = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -15028,7 +15135,7 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], const pt_aff_t *P) { int i, j, d, diff, is_neg; int8_t rnaf[52] = {0}; - pt_prj_t Q, lut; + pt_prj_t Q = {0}, lut = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -15104,8 +15211,8 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { int i, j, k, d, diff, is_neg = 0; int8_t rnaf[52] = {0}; - pt_prj_t Q, R; - pt_aff_t lut; + pt_prj_t Q = {0}, R = {0}; + pt_aff_t lut = {0}; scalar_rwnaf(rnaf, scalar); @@ -15166,6 +15273,12 @@ static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_mul(out->Y, Q.Y, Q.Z); } +/*- + * Wrapper: simultaneous scalar mutiplication. + * outx, outy := a * G + b * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], const unsigned char a[32], const unsigned char b[32], const unsigned char inx[32], @@ -15185,6 +15298,11 @@ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_to_bytes(outy, P.Y); } +/*- + * Wrapper: fixed scalar mutiplication. + * outx, outy := scalar * G + * Everything is LE byte ordering. + */ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32]) { pt_aff_t P; @@ -15197,6 +15315,12 @@ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_CryptoPro_C_ParamSet_to_bytes(outy, P.Y); } +/*- + * Wrapper: variable point scalar mutiplication. + * outx, outy := scalar * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32], const unsigned char inx[32], @@ -15218,8 +15342,13 @@ static void point_mul(unsigned char outx[32], unsigned char outy[32], #include +/* the zero field element */ static const unsigned char const_zb[32] = {0}; +/*- + * An OpenSSL wrapper for simultaneous scalar multiplication. + * r := n * G + m * q + */ int point_mul_two_id_GostR3410_2001_CryptoPro_C_ParamSet( const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, @@ -15258,6 +15387,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for variable point scalar multiplication. + * r := m * q + */ int point_mul_id_GostR3410_2001_CryptoPro_C_ParamSet(const EC_GROUP *group, EC_POINT *r, @@ -15297,6 +15430,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for fixed scalar multiplication. + * r := n * G + */ int point_mul_g_id_GostR3410_2001_CryptoPro_C_ParamSet(const EC_GROUP *group, EC_POINT *r, diff --git a/ecp_id_GostR3410_2001_TestParamSet.c b/ecp_id_GostR3410_2001_TestParamSet.c index 410de5a..3163630 100644 --- a/ecp_id_GostR3410_2001_TestParamSet.c +++ b/ecp_id_GostR3410_2001_TestParamSet.c @@ -32,6 +32,10 @@ typedef uint64_t fe_t[LIMB_CNT]; typedef uint64_t limb_t; +#ifdef OPENSSL_NO_ASM +#define FIAT_ID_GOSTR3410_2001_TESTPARAMSET_NO_ASM +#endif + #define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) #define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) @@ -73,7 +77,7 @@ typedef struct { * SOFTWARE. */ -/* Autogenerated: word_by_word_montgomery --static id_GostR3410_2001_TestParamSet 64 '2^255 + 1073' */ +/* Autogenerated: word_by_word_montgomery --static --use-value-barrier id_GostR3410_2001_TestParamSet 64 '2^255 + 1073' */ /* curve description: id_GostR3410_2001_TestParamSet */ /* machine_wordsize = 64 (from "64") */ /* requested operations: (all) */ @@ -100,6 +104,17 @@ typedef unsigned __int128 fiat_id_GostR3410_2001_TestParamSet_uint128; #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_ID_GOSTR3410_2001_TESTPARAMSET_NO_ASM) && \ + (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint64_t +fiat_id_GostR3410_2001_TestParamSet_value_barrier_u64(uint64_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +#define fiat_id_GostR3410_2001_TestParamSet_value_barrier_u64(x) (x) +#endif + /* * The function fiat_id_GostR3410_2001_TestParamSet_addcarryx_u64 is an addition with carry. * Postconditions: @@ -204,7 +219,9 @@ static void fiat_id_GostR3410_2001_TestParamSet_cmovznz_u64( x1 = (!(!arg1)); x2 = ((fiat_id_GostR3410_2001_TestParamSet_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); - x3 = ((x2 & arg3) | ((~x2) & arg2)); + x3 = + ((fiat_id_GostR3410_2001_TestParamSet_value_barrier_u64(x2) & arg3) | + (fiat_id_GostR3410_2001_TestParamSet_value_barrier_u64((~x2)) & arg2)); *out1 = x3; } @@ -1461,7 +1478,7 @@ static void fiat_id_GostR3410_2001_TestParamSet_to_montgomery( static void fiat_id_GostR3410_2001_TestParamSet_nonzero( uint64_t *out1, const uint64_t arg1[4]) { uint64_t x1; - x1 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | ((arg1[3]) | (uint64_t)0x0)))); + x1 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | (arg1[3])))); *out1 = x1; } @@ -1499,7 +1516,7 @@ static void fiat_id_GostR3410_2001_TestParamSet_selectznz( } /* - * The function fiat_id_GostR3410_2001_TestParamSet_to_bytes serializes a field element in the Montgomery domain to bytes in little-endian order. + * The function fiat_id_GostR3410_2001_TestParamSet_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -1516,18 +1533,18 @@ static void fiat_id_GostR3410_2001_TestParamSet_to_bytes( uint64_t x2; uint64_t x3; uint64_t x4; - uint64_t x5; - uint8_t x6; - uint64_t x7; - uint8_t x8; - uint64_t x9; - uint8_t x10; - uint64_t x11; - uint8_t x12; - uint64_t x13; - uint8_t x14; - uint64_t x15; - uint8_t x16; + uint8_t x5; + uint64_t x6; + uint8_t x7; + uint64_t x8; + uint8_t x9; + uint64_t x10; + uint8_t x11; + uint64_t x12; + uint8_t x13; + uint64_t x14; + uint8_t x15; + uint64_t x16; uint8_t x17; uint8_t x18; uint8_t x19; @@ -1545,21 +1562,21 @@ static void fiat_id_GostR3410_2001_TestParamSet_to_bytes( uint8_t x31; uint8_t x32; uint8_t x33; - uint8_t x34; - uint64_t x35; - uint8_t x36; - uint64_t x37; - uint8_t x38; - uint64_t x39; - uint8_t x40; - uint64_t x41; - uint8_t x42; - uint64_t x43; - uint8_t x44; - uint64_t x45; + uint64_t x34; + uint8_t x35; + uint64_t x36; + uint8_t x37; + uint64_t x38; + uint8_t x39; + uint64_t x40; + uint8_t x41; + uint64_t x42; + uint8_t x43; + uint64_t x44; + uint8_t x45; uint8_t x46; uint8_t x47; - uint8_t x48; + uint64_t x48; uint8_t x49; uint64_t x50; uint8_t x51; @@ -1571,109 +1588,103 @@ static void fiat_id_GostR3410_2001_TestParamSet_to_bytes( uint8_t x57; uint64_t x58; uint8_t x59; - uint64_t x60; - uint8_t x61; - uint8_t x62; - uint8_t x63; + uint8_t x60; x1 = (arg1[3]); x2 = (arg1[2]); x3 = (arg1[1]); x4 = (arg1[0]); - x5 = (x4 >> 8); - x6 = (uint8_t)(x4 & UINT8_C(0xff)); - x7 = (x5 >> 8); - x8 = (uint8_t)(x5 & UINT8_C(0xff)); - x9 = (x7 >> 8); - x10 = (uint8_t)(x7 & UINT8_C(0xff)); - x11 = (x9 >> 8); - x12 = (uint8_t)(x9 & UINT8_C(0xff)); - x13 = (x11 >> 8); - x14 = (uint8_t)(x11 & UINT8_C(0xff)); - x15 = (x13 >> 8); - x16 = (uint8_t)(x13 & UINT8_C(0xff)); - x17 = (uint8_t)(x15 >> 8); - x18 = (uint8_t)(x15 & UINT8_C(0xff)); - x19 = (uint8_t)(x17 & UINT8_C(0xff)); + x5 = (uint8_t)(x4 & UINT8_C(0xff)); + x6 = (x4 >> 8); + x7 = (uint8_t)(x6 & UINT8_C(0xff)); + x8 = (x6 >> 8); + x9 = (uint8_t)(x8 & UINT8_C(0xff)); + x10 = (x8 >> 8); + x11 = (uint8_t)(x10 & UINT8_C(0xff)); + x12 = (x10 >> 8); + x13 = (uint8_t)(x12 & UINT8_C(0xff)); + x14 = (x12 >> 8); + x15 = (uint8_t)(x14 & UINT8_C(0xff)); + x16 = (x14 >> 8); + x17 = (uint8_t)(x16 & UINT8_C(0xff)); + x18 = (uint8_t)(x16 >> 8); + x19 = (uint8_t)(x3 & UINT8_C(0xff)); x20 = (x3 >> 8); - x21 = (uint8_t)(x3 & UINT8_C(0xff)); + x21 = (uint8_t)(x20 & UINT8_C(0xff)); x22 = (x20 >> 8); - x23 = (uint8_t)(x20 & UINT8_C(0xff)); + x23 = (uint8_t)(x22 & UINT8_C(0xff)); x24 = (x22 >> 8); - x25 = (uint8_t)(x22 & UINT8_C(0xff)); + x25 = (uint8_t)(x24 & UINT8_C(0xff)); x26 = (x24 >> 8); - x27 = (uint8_t)(x24 & UINT8_C(0xff)); + x27 = (uint8_t)(x26 & UINT8_C(0xff)); x28 = (x26 >> 8); - x29 = (uint8_t)(x26 & UINT8_C(0xff)); + x29 = (uint8_t)(x28 & UINT8_C(0xff)); x30 = (x28 >> 8); - x31 = (uint8_t)(x28 & UINT8_C(0xff)); + x31 = (uint8_t)(x30 & UINT8_C(0xff)); x32 = (uint8_t)(x30 >> 8); - x33 = (uint8_t)(x30 & UINT8_C(0xff)); - x34 = (uint8_t)(x32 & UINT8_C(0xff)); - x35 = (x2 >> 8); - x36 = (uint8_t)(x2 & UINT8_C(0xff)); - x37 = (x35 >> 8); - x38 = (uint8_t)(x35 & UINT8_C(0xff)); - x39 = (x37 >> 8); - x40 = (uint8_t)(x37 & UINT8_C(0xff)); - x41 = (x39 >> 8); - x42 = (uint8_t)(x39 & UINT8_C(0xff)); - x43 = (x41 >> 8); - x44 = (uint8_t)(x41 & UINT8_C(0xff)); - x45 = (x43 >> 8); - x46 = (uint8_t)(x43 & UINT8_C(0xff)); - x47 = (uint8_t)(x45 >> 8); - x48 = (uint8_t)(x45 & UINT8_C(0xff)); - x49 = (uint8_t)(x47 & UINT8_C(0xff)); - x50 = (x1 >> 8); - x51 = (uint8_t)(x1 & UINT8_C(0xff)); + x33 = (uint8_t)(x2 & UINT8_C(0xff)); + x34 = (x2 >> 8); + x35 = (uint8_t)(x34 & UINT8_C(0xff)); + x36 = (x34 >> 8); + x37 = (uint8_t)(x36 & UINT8_C(0xff)); + x38 = (x36 >> 8); + x39 = (uint8_t)(x38 & UINT8_C(0xff)); + x40 = (x38 >> 8); + x41 = (uint8_t)(x40 & UINT8_C(0xff)); + x42 = (x40 >> 8); + x43 = (uint8_t)(x42 & UINT8_C(0xff)); + x44 = (x42 >> 8); + x45 = (uint8_t)(x44 & UINT8_C(0xff)); + x46 = (uint8_t)(x44 >> 8); + x47 = (uint8_t)(x1 & UINT8_C(0xff)); + x48 = (x1 >> 8); + x49 = (uint8_t)(x48 & UINT8_C(0xff)); + x50 = (x48 >> 8); + x51 = (uint8_t)(x50 & UINT8_C(0xff)); x52 = (x50 >> 8); - x53 = (uint8_t)(x50 & UINT8_C(0xff)); + x53 = (uint8_t)(x52 & UINT8_C(0xff)); x54 = (x52 >> 8); - x55 = (uint8_t)(x52 & UINT8_C(0xff)); + x55 = (uint8_t)(x54 & UINT8_C(0xff)); x56 = (x54 >> 8); - x57 = (uint8_t)(x54 & UINT8_C(0xff)); + x57 = (uint8_t)(x56 & UINT8_C(0xff)); x58 = (x56 >> 8); - x59 = (uint8_t)(x56 & UINT8_C(0xff)); - x60 = (x58 >> 8); - x61 = (uint8_t)(x58 & UINT8_C(0xff)); - x62 = (uint8_t)(x60 >> 8); - x63 = (uint8_t)(x60 & UINT8_C(0xff)); - out1[0] = x6; - out1[1] = x8; - out1[2] = x10; - out1[3] = x12; - out1[4] = x14; - out1[5] = x16; - out1[6] = x18; - out1[7] = x19; - out1[8] = x21; - out1[9] = x23; - out1[10] = x25; - out1[11] = x27; - out1[12] = x29; - out1[13] = x31; - out1[14] = x33; - out1[15] = x34; - out1[16] = x36; - out1[17] = x38; - out1[18] = x40; - out1[19] = x42; - out1[20] = x44; - out1[21] = x46; - out1[22] = x48; - out1[23] = x49; - out1[24] = x51; - out1[25] = x53; - out1[26] = x55; - out1[27] = x57; - out1[28] = x59; - out1[29] = x61; - out1[30] = x63; - out1[31] = x62; + x59 = (uint8_t)(x58 & UINT8_C(0xff)); + x60 = (uint8_t)(x58 >> 8); + out1[0] = x5; + out1[1] = x7; + out1[2] = x9; + out1[3] = x11; + out1[4] = x13; + out1[5] = x15; + out1[6] = x17; + out1[7] = x18; + out1[8] = x19; + out1[9] = x21; + out1[10] = x23; + out1[11] = x25; + out1[12] = x27; + out1[13] = x29; + out1[14] = x31; + out1[15] = x32; + out1[16] = x33; + out1[17] = x35; + out1[18] = x37; + out1[19] = x39; + out1[20] = x41; + out1[21] = x43; + out1[22] = x45; + out1[23] = x46; + out1[24] = x47; + out1[25] = x49; + out1[26] = x51; + out1[27] = x53; + out1[28] = x55; + out1[29] = x57; + out1[30] = x59; + out1[31] = x60; } /* - * The function fiat_id_GostR3410_2001_TestParamSet_from_bytes deserializes a field element in the Montgomery domain from bytes in little-endian order. + * The function fiat_id_GostR3410_2001_TestParamSet_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. * Preconditions: * 0 ≤ bytes_eval arg1 < m * Postconditions: @@ -1726,6 +1737,27 @@ static void fiat_id_GostR3410_2001_TestParamSet_from_bytes( uint64_t x37; uint64_t x38; uint64_t x39; + uint64_t x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + uint64_t x48; + uint64_t x49; + uint64_t x50; + uint64_t x51; + uint64_t x52; + uint64_t x53; + uint64_t x54; + uint64_t x55; + uint64_t x56; + uint64_t x57; + uint64_t x58; + uint64_t x59; + uint64_t x60; x1 = ((uint64_t)(arg1[31]) << 56); x2 = ((uint64_t)(arg1[30]) << 48); x3 = ((uint64_t)(arg1[29]) << 40); @@ -1758,17 +1790,38 @@ static void fiat_id_GostR3410_2001_TestParamSet_from_bytes( x30 = ((uint64_t)(arg1[2]) << 16); x31 = ((uint64_t)(arg1[1]) << 8); x32 = (arg1[0]); - x33 = (x32 + (x31 + (x30 + (x29 + (x28 + (x27 + (x26 + x25))))))); - x34 = (x33 & UINT64_C(0xffffffffffffffff)); - x35 = (x8 + (x7 + (x6 + (x5 + (x4 + (x3 + (x2 + x1))))))); - x36 = (x16 + (x15 + (x14 + (x13 + (x12 + (x11 + (x10 + x9))))))); - x37 = (x24 + (x23 + (x22 + (x21 + (x20 + (x19 + (x18 + x17))))))); - x38 = (x37 & UINT64_C(0xffffffffffffffff)); - x39 = (x36 & UINT64_C(0xffffffffffffffff)); - out1[0] = x34; - out1[1] = x38; - out1[2] = x39; - out1[3] = x35; + x33 = (x31 + (uint64_t)x32); + x34 = (x30 + x33); + x35 = (x29 + x34); + x36 = (x28 + x35); + x37 = (x27 + x36); + x38 = (x26 + x37); + x39 = (x25 + x38); + x40 = (x23 + (uint64_t)x24); + x41 = (x22 + x40); + x42 = (x21 + x41); + x43 = (x20 + x42); + x44 = (x19 + x43); + x45 = (x18 + x44); + x46 = (x17 + x45); + x47 = (x15 + (uint64_t)x16); + x48 = (x14 + x47); + x49 = (x13 + x48); + x50 = (x12 + x49); + x51 = (x11 + x50); + x52 = (x10 + x51); + x53 = (x9 + x52); + x54 = (x7 + (uint64_t)x8); + x55 = (x6 + x54); + x56 = (x5 + x55); + x57 = (x4 + x56); + x58 = (x3 + x57); + x59 = (x2 + x58); + x60 = (x1 + x59); + out1[0] = x39; + out1[1] = x46; + out1[2] = x53; + out1[3] = x60; } /* END verbatim fiat code */ @@ -3872,7 +3925,7 @@ static void scalar_wnaf(int8_t out[257], const unsigned char in[32]) { } /*- - * Simulateous scalar multiplication: interleaved "textbook" wnaf. + * Simultaneous scalar multiplication: interleaved "textbook" wnaf. * NB: not constant time */ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], @@ -3880,7 +3933,7 @@ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], int i, d, is_neg, is_inf = 1, flipped = 0; int8_t anaf[257] = {0}; int8_t bnaf[257] = {0}; - pt_prj_t Q; + pt_prj_t Q = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -3946,7 +3999,7 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], const pt_aff_t *P) { int i, j, d, diff, is_neg; int8_t rnaf[52] = {0}; - pt_prj_t Q, lut; + pt_prj_t Q = {0}, lut = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -4022,8 +4075,8 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { int i, j, k, d, diff, is_neg = 0; int8_t rnaf[52] = {0}; - pt_prj_t Q, R; - pt_aff_t lut; + pt_prj_t Q = {0}, R = {0}; + pt_aff_t lut = {0}; scalar_rwnaf(rnaf, scalar); @@ -4081,6 +4134,12 @@ static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { fiat_id_GostR3410_2001_TestParamSet_mul(out->Y, Q.Y, Q.Z); } +/*- + * Wrapper: simultaneous scalar mutiplication. + * outx, outy := a * G + b * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], const unsigned char a[32], const unsigned char b[32], const unsigned char inx[32], @@ -4100,6 +4159,11 @@ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_TestParamSet_to_bytes(outy, P.Y); } +/*- + * Wrapper: fixed scalar mutiplication. + * outx, outy := scalar * G + * Everything is LE byte ordering. + */ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32]) { pt_aff_t P; @@ -4112,6 +4176,12 @@ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_TestParamSet_to_bytes(outy, P.Y); } +/*- + * Wrapper: variable point scalar mutiplication. + * outx, outy := scalar * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32], const unsigned char inx[32], @@ -4133,8 +4203,13 @@ static void point_mul(unsigned char outx[32], unsigned char outy[32], #include +/* the zero field element */ static const unsigned char const_zb[32] = {0}; +/*- + * An OpenSSL wrapper for simultaneous scalar multiplication. + * r := n * G + m * q + */ int point_mul_two_id_GostR3410_2001_TestParamSet(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, @@ -4174,6 +4249,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for variable point scalar multiplication. + * r := m * q + */ int point_mul_id_GostR3410_2001_TestParamSet(const EC_GROUP *group, EC_POINT *r, const EC_POINT *q, const BIGNUM *m, @@ -4211,6 +4290,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for fixed scalar multiplication. + * r := n * G + */ int point_mul_g_id_GostR3410_2001_TestParamSet(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, @@ -4256,6 +4339,10 @@ err: typedef uint32_t fe_t[LIMB_CNT]; typedef uint32_t limb_t; +#ifdef OPENSSL_NO_ASM +#define FIAT_ID_GOSTR3410_2001_TESTPARAMSET_NO_ASM +#endif + #define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) #define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) @@ -4297,7 +4384,7 @@ typedef struct { * SOFTWARE. */ -/* Autogenerated: word_by_word_montgomery --static id_GostR3410_2001_TestParamSet 32 '2^255 + 1073' */ +/* Autogenerated: word_by_word_montgomery --static --use-value-barrier id_GostR3410_2001_TestParamSet 32 '2^255 + 1073' */ /* curve description: id_GostR3410_2001_TestParamSet */ /* machine_wordsize = 32 (from "32") */ /* requested operations: (all) */ @@ -4322,6 +4409,17 @@ typedef signed char fiat_id_GostR3410_2001_TestParamSet_int1; #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_ID_GOSTR3410_2001_TESTPARAMSET_NO_ASM) && \ + (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint32_t +fiat_id_GostR3410_2001_TestParamSet_value_barrier_u32(uint32_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +#define fiat_id_GostR3410_2001_TestParamSet_value_barrier_u32(x) (x) +#endif + /* * The function fiat_id_GostR3410_2001_TestParamSet_addcarryx_u32 is an addition with carry. * Postconditions: @@ -4426,7 +4524,9 @@ static void fiat_id_GostR3410_2001_TestParamSet_cmovznz_u32( x1 = (!(!arg1)); x2 = ((fiat_id_GostR3410_2001_TestParamSet_int1)(0x0 - x1) & UINT32_C(0xffffffff)); - x3 = ((x2 & arg3) | ((~x2) & arg2)); + x3 = + ((fiat_id_GostR3410_2001_TestParamSet_value_barrier_u32(x2) & arg3) | + (fiat_id_GostR3410_2001_TestParamSet_value_barrier_u32((~x2)) & arg2)); *out1 = x3; } @@ -7831,12 +7931,11 @@ static void fiat_id_GostR3410_2001_TestParamSet_to_montgomery( static void fiat_id_GostR3410_2001_TestParamSet_nonzero( uint32_t *out1, const uint32_t arg1[8]) { uint32_t x1; - x1 = ((arg1[0]) | - ((arg1[1]) | - ((arg1[2]) | - ((arg1[3]) | - ((arg1[4]) | - ((arg1[5]) | ((arg1[6]) | ((arg1[7]) | (uint32_t)0x0)))))))); + x1 = + ((arg1[0]) | + ((arg1[1]) | + ((arg1[2]) | + ((arg1[3]) | ((arg1[4]) | ((arg1[5]) | ((arg1[6]) | (arg1[7])))))))); *out1 = x1; } @@ -7890,7 +7989,7 @@ static void fiat_id_GostR3410_2001_TestParamSet_selectznz( } /* - * The function fiat_id_GostR3410_2001_TestParamSet_to_bytes serializes a field element in the Montgomery domain to bytes in little-endian order. + * The function fiat_id_GostR3410_2001_TestParamSet_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -7911,10 +8010,10 @@ static void fiat_id_GostR3410_2001_TestParamSet_to_bytes( uint32_t x6; uint32_t x7; uint32_t x8; - uint32_t x9; - uint8_t x10; - uint32_t x11; - uint8_t x12; + uint8_t x9; + uint32_t x10; + uint8_t x11; + uint32_t x12; uint8_t x13; uint8_t x14; uint8_t x15; @@ -7924,48 +8023,41 @@ static void fiat_id_GostR3410_2001_TestParamSet_to_bytes( uint8_t x19; uint8_t x20; uint8_t x21; - uint8_t x22; - uint32_t x23; - uint8_t x24; - uint32_t x25; + uint32_t x22; + uint8_t x23; + uint32_t x24; + uint8_t x25; uint8_t x26; uint8_t x27; - uint8_t x28; + uint32_t x28; uint8_t x29; uint32_t x30; uint8_t x31; - uint32_t x32; + uint8_t x32; uint8_t x33; - uint8_t x34; + uint32_t x34; uint8_t x35; - uint8_t x36; - uint32_t x37; + uint32_t x36; + uint8_t x37; uint8_t x38; - uint32_t x39; - uint8_t x40; + uint8_t x39; + uint32_t x40; uint8_t x41; - uint8_t x42; + uint32_t x42; uint8_t x43; - uint32_t x44; + uint8_t x44; uint8_t x45; uint32_t x46; uint8_t x47; - uint8_t x48; + uint32_t x48; uint8_t x49; uint8_t x50; - uint32_t x51; - uint8_t x52; - uint32_t x53; - uint8_t x54; + uint8_t x51; + uint32_t x52; + uint8_t x53; + uint32_t x54; uint8_t x55; uint8_t x56; - uint8_t x57; - uint32_t x58; - uint8_t x59; - uint32_t x60; - uint8_t x61; - uint8_t x62; - uint8_t x63; x1 = (arg1[7]); x2 = (arg1[6]); x3 = (arg1[5]); @@ -7974,97 +8066,90 @@ static void fiat_id_GostR3410_2001_TestParamSet_to_bytes( x6 = (arg1[2]); x7 = (arg1[1]); x8 = (arg1[0]); - x9 = (x8 >> 8); - x10 = (uint8_t)(x8 & UINT8_C(0xff)); - x11 = (x9 >> 8); - x12 = (uint8_t)(x9 & UINT8_C(0xff)); - x13 = (uint8_t)(x11 >> 8); - x14 = (uint8_t)(x11 & UINT8_C(0xff)); - x15 = (uint8_t)(x13 & UINT8_C(0xff)); + x9 = (uint8_t)(x8 & UINT8_C(0xff)); + x10 = (x8 >> 8); + x11 = (uint8_t)(x10 & UINT8_C(0xff)); + x12 = (x10 >> 8); + x13 = (uint8_t)(x12 & UINT8_C(0xff)); + x14 = (uint8_t)(x12 >> 8); + x15 = (uint8_t)(x7 & UINT8_C(0xff)); x16 = (x7 >> 8); - x17 = (uint8_t)(x7 & UINT8_C(0xff)); + x17 = (uint8_t)(x16 & UINT8_C(0xff)); x18 = (x16 >> 8); - x19 = (uint8_t)(x16 & UINT8_C(0xff)); + x19 = (uint8_t)(x18 & UINT8_C(0xff)); x20 = (uint8_t)(x18 >> 8); - x21 = (uint8_t)(x18 & UINT8_C(0xff)); - x22 = (uint8_t)(x20 & UINT8_C(0xff)); - x23 = (x6 >> 8); - x24 = (uint8_t)(x6 & UINT8_C(0xff)); - x25 = (x23 >> 8); - x26 = (uint8_t)(x23 & UINT8_C(0xff)); - x27 = (uint8_t)(x25 >> 8); - x28 = (uint8_t)(x25 & UINT8_C(0xff)); - x29 = (uint8_t)(x27 & UINT8_C(0xff)); - x30 = (x5 >> 8); - x31 = (uint8_t)(x5 & UINT8_C(0xff)); - x32 = (x30 >> 8); - x33 = (uint8_t)(x30 & UINT8_C(0xff)); - x34 = (uint8_t)(x32 >> 8); - x35 = (uint8_t)(x32 & UINT8_C(0xff)); - x36 = (uint8_t)(x34 & UINT8_C(0xff)); - x37 = (x4 >> 8); - x38 = (uint8_t)(x4 & UINT8_C(0xff)); - x39 = (x37 >> 8); - x40 = (uint8_t)(x37 & UINT8_C(0xff)); - x41 = (uint8_t)(x39 >> 8); - x42 = (uint8_t)(x39 & UINT8_C(0xff)); - x43 = (uint8_t)(x41 & UINT8_C(0xff)); - x44 = (x3 >> 8); - x45 = (uint8_t)(x3 & UINT8_C(0xff)); - x46 = (x44 >> 8); - x47 = (uint8_t)(x44 & UINT8_C(0xff)); - x48 = (uint8_t)(x46 >> 8); - x49 = (uint8_t)(x46 & UINT8_C(0xff)); - x50 = (uint8_t)(x48 & UINT8_C(0xff)); - x51 = (x2 >> 8); - x52 = (uint8_t)(x2 & UINT8_C(0xff)); - x53 = (x51 >> 8); - x54 = (uint8_t)(x51 & UINT8_C(0xff)); - x55 = (uint8_t)(x53 >> 8); - x56 = (uint8_t)(x53 & UINT8_C(0xff)); - x57 = (uint8_t)(x55 & UINT8_C(0xff)); - x58 = (x1 >> 8); - x59 = (uint8_t)(x1 & UINT8_C(0xff)); - x60 = (x58 >> 8); - x61 = (uint8_t)(x58 & UINT8_C(0xff)); - x62 = (uint8_t)(x60 >> 8); - x63 = (uint8_t)(x60 & UINT8_C(0xff)); - out1[0] = x10; - out1[1] = x12; - out1[2] = x14; - out1[3] = x15; - out1[4] = x17; - out1[5] = x19; - out1[6] = x21; - out1[7] = x22; - out1[8] = x24; - out1[9] = x26; - out1[10] = x28; - out1[11] = x29; - out1[12] = x31; - out1[13] = x33; - out1[14] = x35; - out1[15] = x36; - out1[16] = x38; - out1[17] = x40; - out1[18] = x42; - out1[19] = x43; - out1[20] = x45; - out1[21] = x47; - out1[22] = x49; - out1[23] = x50; - out1[24] = x52; - out1[25] = x54; - out1[26] = x56; - out1[27] = x57; - out1[28] = x59; - out1[29] = x61; - out1[30] = x63; - out1[31] = x62; + x21 = (uint8_t)(x6 & UINT8_C(0xff)); + x22 = (x6 >> 8); + x23 = (uint8_t)(x22 & UINT8_C(0xff)); + x24 = (x22 >> 8); + x25 = (uint8_t)(x24 & UINT8_C(0xff)); + x26 = (uint8_t)(x24 >> 8); + x27 = (uint8_t)(x5 & UINT8_C(0xff)); + x28 = (x5 >> 8); + x29 = (uint8_t)(x28 & UINT8_C(0xff)); + x30 = (x28 >> 8); + x31 = (uint8_t)(x30 & UINT8_C(0xff)); + x32 = (uint8_t)(x30 >> 8); + x33 = (uint8_t)(x4 & UINT8_C(0xff)); + x34 = (x4 >> 8); + x35 = (uint8_t)(x34 & UINT8_C(0xff)); + x36 = (x34 >> 8); + x37 = (uint8_t)(x36 & UINT8_C(0xff)); + x38 = (uint8_t)(x36 >> 8); + x39 = (uint8_t)(x3 & UINT8_C(0xff)); + x40 = (x3 >> 8); + x41 = (uint8_t)(x40 & UINT8_C(0xff)); + x42 = (x40 >> 8); + x43 = (uint8_t)(x42 & UINT8_C(0xff)); + x44 = (uint8_t)(x42 >> 8); + x45 = (uint8_t)(x2 & UINT8_C(0xff)); + x46 = (x2 >> 8); + x47 = (uint8_t)(x46 & UINT8_C(0xff)); + x48 = (x46 >> 8); + x49 = (uint8_t)(x48 & UINT8_C(0xff)); + x50 = (uint8_t)(x48 >> 8); + x51 = (uint8_t)(x1 & UINT8_C(0xff)); + x52 = (x1 >> 8); + x53 = (uint8_t)(x52 & UINT8_C(0xff)); + x54 = (x52 >> 8); + x55 = (uint8_t)(x54 & UINT8_C(0xff)); + x56 = (uint8_t)(x54 >> 8); + out1[0] = x9; + out1[1] = x11; + out1[2] = x13; + out1[3] = x14; + out1[4] = x15; + out1[5] = x17; + out1[6] = x19; + out1[7] = x20; + out1[8] = x21; + out1[9] = x23; + out1[10] = x25; + out1[11] = x26; + out1[12] = x27; + out1[13] = x29; + out1[14] = x31; + out1[15] = x32; + out1[16] = x33; + out1[17] = x35; + out1[18] = x37; + out1[19] = x38; + out1[20] = x39; + out1[21] = x41; + out1[22] = x43; + out1[23] = x44; + out1[24] = x45; + out1[25] = x47; + out1[26] = x49; + out1[27] = x50; + out1[28] = x51; + out1[29] = x53; + out1[30] = x55; + out1[31] = x56; } /* - * The function fiat_id_GostR3410_2001_TestParamSet_from_bytes deserializes a field element in the Montgomery domain from bytes in little-endian order. + * The function fiat_id_GostR3410_2001_TestParamSet_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. * Preconditions: * 0 ≤ bytes_eval arg1 < m * Postconditions: @@ -8125,6 +8210,15 @@ static void fiat_id_GostR3410_2001_TestParamSet_from_bytes( uint32_t x45; uint32_t x46; uint32_t x47; + uint32_t x48; + uint32_t x49; + uint32_t x50; + uint32_t x51; + uint32_t x52; + uint32_t x53; + uint32_t x54; + uint32_t x55; + uint32_t x56; x1 = ((uint32_t)(arg1[31]) << 24); x2 = ((uint32_t)(arg1[30]) << 16); x3 = ((uint32_t)(arg1[29]) << 8); @@ -8157,29 +8251,38 @@ static void fiat_id_GostR3410_2001_TestParamSet_from_bytes( x30 = ((uint32_t)(arg1[2]) << 16); x31 = ((uint32_t)(arg1[1]) << 8); x32 = (arg1[0]); - x33 = (x32 + (x31 + (x30 + x29))); - x34 = (x33 & UINT32_C(0xffffffff)); - x35 = (x4 + (x3 + (x2 + x1))); - x36 = (x8 + (x7 + (x6 + x5))); - x37 = (x12 + (x11 + (x10 + x9))); - x38 = (x16 + (x15 + (x14 + x13))); - x39 = (x20 + (x19 + (x18 + x17))); - x40 = (x24 + (x23 + (x22 + x21))); - x41 = (x28 + (x27 + (x26 + x25))); - x42 = (x41 & UINT32_C(0xffffffff)); - x43 = (x40 & UINT32_C(0xffffffff)); - x44 = (x39 & UINT32_C(0xffffffff)); - x45 = (x38 & UINT32_C(0xffffffff)); - x46 = (x37 & UINT32_C(0xffffffff)); - x47 = (x36 & UINT32_C(0xffffffff)); - out1[0] = x34; - out1[1] = x42; - out1[2] = x43; + x33 = (x31 + (uint32_t)x32); + x34 = (x30 + x33); + x35 = (x29 + x34); + x36 = (x27 + (uint32_t)x28); + x37 = (x26 + x36); + x38 = (x25 + x37); + x39 = (x23 + (uint32_t)x24); + x40 = (x22 + x39); + x41 = (x21 + x40); + x42 = (x19 + (uint32_t)x20); + x43 = (x18 + x42); + x44 = (x17 + x43); + x45 = (x15 + (uint32_t)x16); + x46 = (x14 + x45); + x47 = (x13 + x46); + x48 = (x11 + (uint32_t)x12); + x49 = (x10 + x48); + x50 = (x9 + x49); + x51 = (x7 + (uint32_t)x8); + x52 = (x6 + x51); + x53 = (x5 + x52); + x54 = (x3 + (uint32_t)x4); + x55 = (x2 + x54); + x56 = (x1 + x55); + out1[0] = x35; + out1[1] = x38; + out1[2] = x41; out1[3] = x44; - out1[4] = x45; - out1[5] = x46; - out1[6] = x47; - out1[7] = x35; + out1[4] = x47; + out1[5] = x50; + out1[6] = x53; + out1[7] = x56; } /* END verbatim fiat code */ @@ -11150,7 +11253,7 @@ static void scalar_wnaf(int8_t out[257], const unsigned char in[32]) { } /*- - * Simulateous scalar multiplication: interleaved "textbook" wnaf. + * Simultaneous scalar multiplication: interleaved "textbook" wnaf. * NB: not constant time */ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], @@ -11158,7 +11261,7 @@ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], int i, d, is_neg, is_inf = 1, flipped = 0; int8_t anaf[257] = {0}; int8_t bnaf[257] = {0}; - pt_prj_t Q; + pt_prj_t Q = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -11224,7 +11327,7 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], const pt_aff_t *P) { int i, j, d, diff, is_neg; int8_t rnaf[52] = {0}; - pt_prj_t Q, lut; + pt_prj_t Q = {0}, lut = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -11300,8 +11403,8 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { int i, j, k, d, diff, is_neg = 0; int8_t rnaf[52] = {0}; - pt_prj_t Q, R; - pt_aff_t lut; + pt_prj_t Q = {0}, R = {0}; + pt_aff_t lut = {0}; scalar_rwnaf(rnaf, scalar); @@ -11359,6 +11462,12 @@ static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { fiat_id_GostR3410_2001_TestParamSet_mul(out->Y, Q.Y, Q.Z); } +/*- + * Wrapper: simultaneous scalar mutiplication. + * outx, outy := a * G + b * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], const unsigned char a[32], const unsigned char b[32], const unsigned char inx[32], @@ -11378,6 +11487,11 @@ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_TestParamSet_to_bytes(outy, P.Y); } +/*- + * Wrapper: fixed scalar mutiplication. + * outx, outy := scalar * G + * Everything is LE byte ordering. + */ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32]) { pt_aff_t P; @@ -11390,6 +11504,12 @@ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], fiat_id_GostR3410_2001_TestParamSet_to_bytes(outy, P.Y); } +/*- + * Wrapper: variable point scalar mutiplication. + * outx, outy := scalar * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32], const unsigned char inx[32], @@ -11411,8 +11531,13 @@ static void point_mul(unsigned char outx[32], unsigned char outy[32], #include +/* the zero field element */ static const unsigned char const_zb[32] = {0}; +/*- + * An OpenSSL wrapper for simultaneous scalar multiplication. + * r := n * G + m * q + */ int point_mul_two_id_GostR3410_2001_TestParamSet(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, @@ -11452,6 +11577,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for variable point scalar multiplication. + * r := m * q + */ int point_mul_id_GostR3410_2001_TestParamSet(const EC_GROUP *group, EC_POINT *r, const EC_POINT *q, const BIGNUM *m, @@ -11489,6 +11618,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for fixed scalar multiplication. + * r := n * G + */ int point_mul_g_id_GostR3410_2001_TestParamSet(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, diff --git a/ecp_id_tc26_gost_3410_2012_256_paramSetA.c b/ecp_id_tc26_gost_3410_2012_256_paramSetA.c index 1528163..9282fb7 100644 --- a/ecp_id_tc26_gost_3410_2012_256_paramSetA.c +++ b/ecp_id_tc26_gost_3410_2012_256_paramSetA.c @@ -32,6 +32,10 @@ typedef uint64_t fe_t[LIMB_CNT]; typedef uint64_t limb_t; +#ifdef OPENSSL_NO_ASM +#define FIAT_ID_TC26_GOST_3410_2012_256_PARAMSETA_NO_ASM +#endif + #define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) #define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) @@ -82,18 +86,19 @@ typedef struct { * SOFTWARE. */ -/* Autogenerated: unsaturated_solinas --static id_tc26_gost_3410_2012_256_paramSetA 64 5 '2^256 - 617' */ +/* Autogenerated: unsaturated_solinas --static --use-value-barrier id_tc26_gost_3410_2012_256_paramSetA 64 5 '2^256 - 617' */ /* curve description: id_tc26_gost_3410_2012_256_paramSetA */ /* machine_wordsize = 64 (from "64") */ /* requested operations: (all) */ /* n = 5 (from "5") */ /* s-c = 2^256 - [(1, 617)] (from "2^256 - 617") */ -/* tight_bounds_multiplier = 1.1 (from "") */ +/* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ /* carry_chain = [0, 1, 2, 3, 4, 0, 1] */ /* eval z = z[0] + (z[1] << 52) + (z[2] << 103) + (z[3] << 154) + (z[4] << 205) */ /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* balance = [0x1ffffffffffb2e, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] */ #include typedef unsigned char fiat_id_tc26_gost_3410_2012_256_paramSetA_uint1; @@ -105,6 +110,17 @@ typedef unsigned __int128 fiat_id_tc26_gost_3410_2012_256_paramSetA_uint128; #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_ID_TC26_GOST_3410_2012_256_PARAMSETA_NO_ASM) && \ + (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint64_t +fiat_id_tc26_gost_3410_2012_256_paramSetA_value_barrier_u64(uint64_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +#define fiat_id_tc26_gost_3410_2012_256_paramSetA_value_barrier_u64(x) (x) +#endif + /* * The function fiat_id_tc26_gost_3410_2012_256_paramSetA_addcarryx_u52 is an addition with carry. * Postconditions: @@ -238,7 +254,10 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_cmovznz_u64( x1 = (!(!arg1)); x2 = ((fiat_id_tc26_gost_3410_2012_256_paramSetA_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); - x3 = ((x2 & arg3) | ((~x2) & arg2)); + x3 = ((fiat_id_tc26_gost_3410_2012_256_paramSetA_value_barrier_u64(x2) & + arg3) | + (fiat_id_tc26_gost_3410_2012_256_paramSetA_value_barrier_u64((~x2)) & + arg2)); *out1 = x3; } @@ -248,10 +267,10 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_cmovznz_u64( * eval out1 mod m = (eval arg1 * eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] - * arg2: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * arg1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] + * arg2: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * out1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_carry_mul( uint64_t out1[5], const uint64_t arg1[5], const uint64_t arg2[5]) { @@ -412,9 +431,9 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_carry_mul( * eval out1 mod m = (eval arg1 * eval arg1) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * arg1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * out1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_carry_square( uint64_t out1[5], const uint64_t arg1[5]) { @@ -539,9 +558,9 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_carry_square( * eval out1 mod m = eval arg1 mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * arg1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * out1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_carry( uint64_t out1[5], const uint64_t arg1[5]) { @@ -584,10 +603,10 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_carry( * eval out1 mod m = (eval arg1 + eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] - * arg2: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * arg1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] + * arg2: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * out1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_add( uint64_t out1[5], const uint64_t arg1[5], const uint64_t arg2[5]) { @@ -614,10 +633,10 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_add( * eval out1 mod m = (eval arg1 - eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] - * arg2: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * arg1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] + * arg2: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * out1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_sub( uint64_t out1[5], const uint64_t arg1[5], const uint64_t arg2[5]) { @@ -644,9 +663,9 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_sub( * eval out1 mod m = -eval arg1 mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * arg1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * out1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_opp( uint64_t out1[5], const uint64_t arg1[5]) { @@ -710,7 +729,7 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_selectznz( * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] * * Input Bounds: - * arg1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * arg1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] * Output Bounds: * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] */ @@ -741,70 +760,70 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_to_bytes( uint64_t x23; uint64_t x24; uint64_t x25; - uint64_t x26; - uint8_t x27; - uint64_t x28; - uint8_t x29; - uint64_t x30; - uint8_t x31; - uint64_t x32; - uint8_t x33; - uint64_t x34; - uint8_t x35; + uint8_t x26; + uint64_t x27; + uint8_t x28; + uint64_t x29; + uint8_t x30; + uint64_t x31; + uint8_t x32; + uint64_t x33; + uint8_t x34; + uint64_t x35; uint8_t x36; uint8_t x37; uint64_t x38; - uint64_t x39; - uint8_t x40; - uint64_t x41; - uint8_t x42; - uint64_t x43; - uint8_t x44; - uint64_t x45; - uint8_t x46; - uint64_t x47; - uint8_t x48; + uint8_t x39; + uint64_t x40; + uint8_t x41; + uint64_t x42; + uint8_t x43; + uint64_t x44; + uint8_t x45; + uint64_t x46; + uint8_t x47; + uint64_t x48; uint8_t x49; uint8_t x50; uint64_t x51; - uint64_t x52; - uint8_t x53; - uint64_t x54; - uint8_t x55; - uint64_t x56; - uint8_t x57; - uint64_t x58; - uint8_t x59; - uint64_t x60; - uint8_t x61; - uint64_t x62; - uint8_t x63; + uint8_t x52; + uint64_t x53; + uint8_t x54; + uint64_t x55; + uint8_t x56; + uint64_t x57; + uint8_t x58; + uint64_t x59; + uint8_t x60; + uint64_t x61; + uint8_t x62; + uint64_t x63; uint8_t x64; uint8_t x65; uint64_t x66; - uint64_t x67; - uint8_t x68; - uint64_t x69; - uint8_t x70; - uint64_t x71; - uint8_t x72; - uint64_t x73; - uint8_t x74; - uint64_t x75; - uint8_t x76; + uint8_t x67; + uint64_t x68; + uint8_t x69; + uint64_t x70; + uint8_t x71; + uint64_t x72; + uint8_t x73; + uint64_t x74; + uint8_t x75; + uint64_t x76; uint8_t x77; uint8_t x78; uint64_t x79; - uint64_t x80; - uint8_t x81; - uint64_t x82; - uint8_t x83; - uint64_t x84; - uint8_t x85; - uint64_t x86; - uint8_t x87; - uint64_t x88; - uint8_t x89; + uint8_t x80; + uint64_t x81; + uint8_t x82; + uint64_t x83; + uint8_t x84; + uint64_t x85; + uint8_t x86; + uint64_t x87; + uint8_t x88; + uint64_t x89; uint8_t x90; uint8_t x91; fiat_id_tc26_gost_3410_2012_256_paramSetA_subborrowx_u52( @@ -833,104 +852,104 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_to_bytes( x23 = (x18 << 2); x24 = (x16 << 7); x25 = (x14 << 4); - x26 = (x12 >> 8); - x27 = (uint8_t)(x12 & UINT8_C(0xff)); - x28 = (x26 >> 8); - x29 = (uint8_t)(x26 & UINT8_C(0xff)); - x30 = (x28 >> 8); - x31 = (uint8_t)(x28 & UINT8_C(0xff)); - x32 = (x30 >> 8); - x33 = (uint8_t)(x30 & UINT8_C(0xff)); - x34 = (x32 >> 8); - x35 = (uint8_t)(x32 & UINT8_C(0xff)); - x36 = (uint8_t)(x34 >> 8); - x37 = (uint8_t)(x34 & UINT8_C(0xff)); - x38 = (x36 + x25); - x39 = (x38 >> 8); - x40 = (uint8_t)(x38 & UINT8_C(0xff)); - x41 = (x39 >> 8); - x42 = (uint8_t)(x39 & UINT8_C(0xff)); - x43 = (x41 >> 8); - x44 = (uint8_t)(x41 & UINT8_C(0xff)); - x45 = (x43 >> 8); - x46 = (uint8_t)(x43 & UINT8_C(0xff)); - x47 = (x45 >> 8); - x48 = (uint8_t)(x45 & UINT8_C(0xff)); - x49 = (uint8_t)(x47 >> 8); - x50 = (uint8_t)(x47 & UINT8_C(0xff)); - x51 = (x49 + x24); - x52 = (x51 >> 8); - x53 = (uint8_t)(x51 & UINT8_C(0xff)); - x54 = (x52 >> 8); - x55 = (uint8_t)(x52 & UINT8_C(0xff)); - x56 = (x54 >> 8); - x57 = (uint8_t)(x54 & UINT8_C(0xff)); - x58 = (x56 >> 8); - x59 = (uint8_t)(x56 & UINT8_C(0xff)); - x60 = (x58 >> 8); - x61 = (uint8_t)(x58 & UINT8_C(0xff)); - x62 = (x60 >> 8); - x63 = (uint8_t)(x60 & UINT8_C(0xff)); - x64 = (uint8_t)(x62 >> 8); - x65 = (uint8_t)(x62 & UINT8_C(0xff)); - x66 = (x64 + x23); - x67 = (x66 >> 8); - x68 = (uint8_t)(x66 & UINT8_C(0xff)); - x69 = (x67 >> 8); - x70 = (uint8_t)(x67 & UINT8_C(0xff)); - x71 = (x69 >> 8); - x72 = (uint8_t)(x69 & UINT8_C(0xff)); - x73 = (x71 >> 8); - x74 = (uint8_t)(x71 & UINT8_C(0xff)); - x75 = (x73 >> 8); - x76 = (uint8_t)(x73 & UINT8_C(0xff)); - x77 = (uint8_t)(x75 >> 8); - x78 = (uint8_t)(x75 & UINT8_C(0xff)); - x79 = (x77 + x22); - x80 = (x79 >> 8); - x81 = (uint8_t)(x79 & UINT8_C(0xff)); - x82 = (x80 >> 8); - x83 = (uint8_t)(x80 & UINT8_C(0xff)); - x84 = (x82 >> 8); - x85 = (uint8_t)(x82 & UINT8_C(0xff)); - x86 = (x84 >> 8); - x87 = (uint8_t)(x84 & UINT8_C(0xff)); - x88 = (x86 >> 8); - x89 = (uint8_t)(x86 & UINT8_C(0xff)); - x90 = (uint8_t)(x88 >> 8); - x91 = (uint8_t)(x88 & UINT8_C(0xff)); - out1[0] = x27; - out1[1] = x29; - out1[2] = x31; - out1[3] = x33; - out1[4] = x35; - out1[5] = x37; - out1[6] = x40; - out1[7] = x42; - out1[8] = x44; - out1[9] = x46; - out1[10] = x48; - out1[11] = x50; - out1[12] = x53; - out1[13] = x55; - out1[14] = x57; - out1[15] = x59; - out1[16] = x61; - out1[17] = x63; - out1[18] = x65; - out1[19] = x68; - out1[20] = x70; - out1[21] = x72; - out1[22] = x74; - out1[23] = x76; - out1[24] = x78; - out1[25] = x81; - out1[26] = x83; - out1[27] = x85; - out1[28] = x87; - out1[29] = x89; - out1[30] = x91; - out1[31] = x90; + x26 = (uint8_t)(x12 & UINT8_C(0xff)); + x27 = (x12 >> 8); + x28 = (uint8_t)(x27 & UINT8_C(0xff)); + x29 = (x27 >> 8); + x30 = (uint8_t)(x29 & UINT8_C(0xff)); + x31 = (x29 >> 8); + x32 = (uint8_t)(x31 & UINT8_C(0xff)); + x33 = (x31 >> 8); + x34 = (uint8_t)(x33 & UINT8_C(0xff)); + x35 = (x33 >> 8); + x36 = (uint8_t)(x35 & UINT8_C(0xff)); + x37 = (uint8_t)(x35 >> 8); + x38 = (x25 + (uint64_t)x37); + x39 = (uint8_t)(x38 & UINT8_C(0xff)); + x40 = (x38 >> 8); + x41 = (uint8_t)(x40 & UINT8_C(0xff)); + x42 = (x40 >> 8); + x43 = (uint8_t)(x42 & UINT8_C(0xff)); + x44 = (x42 >> 8); + x45 = (uint8_t)(x44 & UINT8_C(0xff)); + x46 = (x44 >> 8); + x47 = (uint8_t)(x46 & UINT8_C(0xff)); + x48 = (x46 >> 8); + x49 = (uint8_t)(x48 & UINT8_C(0xff)); + x50 = (uint8_t)(x48 >> 8); + x51 = (x24 + (uint64_t)x50); + x52 = (uint8_t)(x51 & UINT8_C(0xff)); + x53 = (x51 >> 8); + x54 = (uint8_t)(x53 & UINT8_C(0xff)); + x55 = (x53 >> 8); + x56 = (uint8_t)(x55 & UINT8_C(0xff)); + x57 = (x55 >> 8); + x58 = (uint8_t)(x57 & UINT8_C(0xff)); + x59 = (x57 >> 8); + x60 = (uint8_t)(x59 & UINT8_C(0xff)); + x61 = (x59 >> 8); + x62 = (uint8_t)(x61 & UINT8_C(0xff)); + x63 = (x61 >> 8); + x64 = (uint8_t)(x63 & UINT8_C(0xff)); + x65 = (uint8_t)(x63 >> 8); + x66 = (x23 + (uint64_t)x65); + x67 = (uint8_t)(x66 & UINT8_C(0xff)); + x68 = (x66 >> 8); + x69 = (uint8_t)(x68 & UINT8_C(0xff)); + x70 = (x68 >> 8); + x71 = (uint8_t)(x70 & UINT8_C(0xff)); + x72 = (x70 >> 8); + x73 = (uint8_t)(x72 & UINT8_C(0xff)); + x74 = (x72 >> 8); + x75 = (uint8_t)(x74 & UINT8_C(0xff)); + x76 = (x74 >> 8); + x77 = (uint8_t)(x76 & UINT8_C(0xff)); + x78 = (uint8_t)(x76 >> 8); + x79 = (x22 + (uint64_t)x78); + x80 = (uint8_t)(x79 & UINT8_C(0xff)); + x81 = (x79 >> 8); + x82 = (uint8_t)(x81 & UINT8_C(0xff)); + x83 = (x81 >> 8); + x84 = (uint8_t)(x83 & UINT8_C(0xff)); + x85 = (x83 >> 8); + x86 = (uint8_t)(x85 & UINT8_C(0xff)); + x87 = (x85 >> 8); + x88 = (uint8_t)(x87 & UINT8_C(0xff)); + x89 = (x87 >> 8); + x90 = (uint8_t)(x89 & UINT8_C(0xff)); + x91 = (uint8_t)(x89 >> 8); + out1[0] = x26; + out1[1] = x28; + out1[2] = x30; + out1[3] = x32; + out1[4] = x34; + out1[5] = x36; + out1[6] = x39; + out1[7] = x41; + out1[8] = x43; + out1[9] = x45; + out1[10] = x47; + out1[11] = x49; + out1[12] = x52; + out1[13] = x54; + out1[14] = x56; + out1[15] = x58; + out1[16] = x60; + out1[17] = x62; + out1[18] = x64; + out1[19] = x67; + out1[20] = x69; + out1[21] = x71; + out1[22] = x73; + out1[23] = x75; + out1[24] = x77; + out1[25] = x80; + out1[26] = x82; + out1[27] = x84; + out1[28] = x86; + out1[29] = x88; + out1[30] = x90; + out1[31] = x91; } /* @@ -941,7 +960,7 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_to_bytes( * Input Bounds: * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] * Output Bounds: - * out1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * out1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_from_bytes( uint64_t out1[5], const uint8_t arg1[32]) { @@ -978,22 +997,44 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_from_bytes( uint64_t x31; uint8_t x32; uint64_t x33; - uint8_t x34; + uint64_t x34; uint64_t x35; uint64_t x36; uint64_t x37; uint64_t x38; uint64_t x39; - uint64_t x40; - fiat_id_tc26_gost_3410_2012_256_paramSetA_uint1 x41; + uint8_t x40; + uint64_t x41; uint64_t x42; uint64_t x43; - uint8_t x44; + uint64_t x44; uint64_t x45; uint64_t x46; - uint8_t x47; - uint64_t x48; + uint64_t x47; + fiat_id_tc26_gost_3410_2012_256_paramSetA_uint1 x48; uint64_t x49; + uint64_t x50; + uint64_t x51; + uint64_t x52; + uint64_t x53; + uint64_t x54; + uint64_t x55; + uint64_t x56; + uint8_t x57; + uint64_t x58; + uint64_t x59; + uint64_t x60; + uint64_t x61; + uint64_t x62; + uint64_t x63; + uint64_t x64; + uint8_t x65; + uint64_t x66; + uint64_t x67; + uint64_t x68; + uint64_t x69; + uint64_t x70; + uint64_t x71; x1 = ((uint64_t)(arg1[31]) << 43); x2 = ((uint64_t)(arg1[30]) << 35); x3 = ((uint64_t)(arg1[29]) << 27); @@ -1026,28 +1067,50 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_from_bytes( x30 = ((uint64_t)(arg1[2]) << 16); x31 = ((uint64_t)(arg1[1]) << 8); x32 = (arg1[0]); - x33 = (x32 + (x31 + (x30 + (x29 + (x28 + (x27 + x26)))))); - x34 = (uint8_t)(x33 >> 52); - x35 = (x33 & UINT64_C(0xfffffffffffff)); - x36 = (x6 + (x5 + (x4 + (x3 + (x2 + x1))))); - x37 = (x12 + (x11 + (x10 + (x9 + (x8 + x7))))); - x38 = (x19 + (x18 + (x17 + (x16 + (x15 + (x14 + x13)))))); - x39 = (x25 + (x24 + (x23 + (x22 + (x21 + x20))))); - x40 = (x34 + x39); - x41 = (fiat_id_tc26_gost_3410_2012_256_paramSetA_uint1)(x40 >> 51); - x42 = (x40 & UINT64_C(0x7ffffffffffff)); - x43 = (x41 + x38); - x44 = (uint8_t)(x43 >> 51); - x45 = (x43 & UINT64_C(0x7ffffffffffff)); - x46 = (x44 + x37); - x47 = (uint8_t)(x46 >> 51); - x48 = (x46 & UINT64_C(0x7ffffffffffff)); - x49 = (x47 + x36); - out1[0] = x35; - out1[1] = x42; - out1[2] = x45; - out1[3] = x48; - out1[4] = x49; + x33 = (x31 + (uint64_t)x32); + x34 = (x30 + x33); + x35 = (x29 + x34); + x36 = (x28 + x35); + x37 = (x27 + x36); + x38 = (x26 + x37); + x39 = (x38 & UINT64_C(0xfffffffffffff)); + x40 = (uint8_t)(x38 >> 52); + x41 = (x25 + (uint64_t)x40); + x42 = (x24 + x41); + x43 = (x23 + x42); + x44 = (x22 + x43); + x45 = (x21 + x44); + x46 = (x20 + x45); + x47 = (x46 & UINT64_C(0x7ffffffffffff)); + x48 = (fiat_id_tc26_gost_3410_2012_256_paramSetA_uint1)(x46 >> 51); + x49 = (x19 + (uint64_t)x48); + x50 = (x18 + x49); + x51 = (x17 + x50); + x52 = (x16 + x51); + x53 = (x15 + x52); + x54 = (x14 + x53); + x55 = (x13 + x54); + x56 = (x55 & UINT64_C(0x7ffffffffffff)); + x57 = (uint8_t)(x55 >> 51); + x58 = (x12 + (uint64_t)x57); + x59 = (x11 + x58); + x60 = (x10 + x59); + x61 = (x9 + x60); + x62 = (x8 + x61); + x63 = (x7 + x62); + x64 = (x63 & UINT64_C(0x7ffffffffffff)); + x65 = (uint8_t)(x63 >> 51); + x66 = (x6 + (uint64_t)x65); + x67 = (x5 + x66); + x68 = (x4 + x67); + x69 = (x3 + x68); + x70 = (x2 + x69); + x71 = (x1 + x70); + out1[0] = x39; + out1[1] = x47; + out1[2] = x56; + out1[3] = x64; + out1[4] = x71; } /* END verbatim fiat code */ @@ -3455,7 +3518,7 @@ static void scalar_wnaf(int8_t out[257], const unsigned char in[32]) { } /*- - * Simulateous scalar multiplication: interleaved "textbook" wnaf. + * Simultaneous scalar multiplication: interleaved "textbook" wnaf. * NB: not constant time */ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], @@ -3463,7 +3526,7 @@ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], int i, d, is_neg, is_inf = 1, flipped = 0; int8_t anaf[257] = {0}; int8_t bnaf[257] = {0}; - pt_prj_t Q; + pt_prj_t Q = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -3537,7 +3600,7 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], const pt_aff_t *P) { int i, j, d, diff, is_neg; int8_t rnaf[52] = {0}; - pt_prj_t Q, lut; + pt_prj_t Q = {0}, lut = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -3625,8 +3688,8 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { int i, j, k, d, diff, is_neg = 0; int8_t rnaf[52] = {0}; - pt_prj_t Q, R; - pt_aff_t lut; + pt_prj_t Q = {0}, R = {0}; + pt_aff_t lut = {0}; scalar_rwnaf(rnaf, scalar); @@ -3698,6 +3761,12 @@ static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { fiat_id_tc26_gost_3410_2012_256_paramSetA_carry_mul(out->Y, Q.Y, Q.Z); } +/*- + * Wrapper: simultaneous scalar mutiplication. + * outx, outy := a * G + b * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], const unsigned char a[32], const unsigned char b[32], const unsigned char inx[32], @@ -3713,6 +3782,11 @@ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], fiat_id_tc26_gost_3410_2012_256_paramSetA_to_bytes(outy, P.Y); } +/*- + * Wrapper: fixed scalar mutiplication. + * outx, outy := scalar * G + * Everything is LE byte ordering. + */ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32]) { pt_aff_t P; @@ -3723,6 +3797,12 @@ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], fiat_id_tc26_gost_3410_2012_256_paramSetA_to_bytes(outy, P.Y); } +/*- + * Wrapper: variable point scalar mutiplication. + * outx, outy := scalar * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32], const unsigned char inx[32], @@ -3740,8 +3820,13 @@ static void point_mul(unsigned char outx[32], unsigned char outy[32], #include +/* the zero field element */ static const unsigned char const_zb[32] = {0}; +/*- + * An OpenSSL wrapper for simultaneous scalar multiplication. + * r := n * G + m * q + */ int point_mul_two_id_tc26_gost_3410_2012_256_paramSetA( const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, @@ -3780,6 +3865,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for variable point scalar multiplication. + * r := m * q + */ int point_mul_id_tc26_gost_3410_2012_256_paramSetA(const EC_GROUP *group, EC_POINT *r, @@ -3819,6 +3908,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for fixed scalar multiplication. + * r := n * G + */ int point_mul_g_id_tc26_gost_3410_2012_256_paramSetA(const EC_GROUP *group, EC_POINT *r, @@ -3865,6 +3958,10 @@ err: typedef uint32_t fe_t[LIMB_CNT]; typedef uint32_t limb_t; +#ifdef OPENSSL_NO_ASM +#define FIAT_ID_TC26_GOST_3410_2012_256_PARAMSETA_NO_ASM +#endif + #define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) #define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) @@ -3915,18 +4012,19 @@ typedef struct { * SOFTWARE. */ -/* Autogenerated: unsaturated_solinas --static id_tc26_gost_3410_2012_256_paramSetA 32 '(auto)' '2^256 - 617' */ +/* Autogenerated: unsaturated_solinas --static --use-value-barrier id_tc26_gost_3410_2012_256_paramSetA 32 '(auto)' '2^256 - 617' */ /* curve description: id_tc26_gost_3410_2012_256_paramSetA */ /* machine_wordsize = 32 (from "32") */ /* requested operations: (all) */ /* n = 11 (from "(auto)") */ /* s-c = 2^256 - [(1, 617)] (from "2^256 - 617") */ -/* tight_bounds_multiplier = 1.1 (from "") */ +/* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ /* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 0, 1] */ /* eval z = z[0] + (z[1] << 24) + (z[2] << 47) + (z[3] << 70) + (z[4] << 94) + (z[5] << 117) + (z[6] << 140) + (z[7] << 163) + (z[8] << 187) + (z[9] << 210) + (z[10] << 233) */ /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* balance = [0x1fffb2e, 0xfffffe, 0xfffffe, 0x1fffffe, 0xfffffe, 0xfffffe, 0xfffffe, 0x1fffffe, 0xfffffe, 0xfffffe, 0xfffffe] */ #include typedef unsigned char fiat_id_tc26_gost_3410_2012_256_paramSetA_uint1; @@ -3936,6 +4034,17 @@ typedef signed char fiat_id_tc26_gost_3410_2012_256_paramSetA_int1; #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_ID_TC26_GOST_3410_2012_256_PARAMSETA_NO_ASM) && \ + (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint32_t +fiat_id_tc26_gost_3410_2012_256_paramSetA_value_barrier_u32(uint32_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +#define fiat_id_tc26_gost_3410_2012_256_paramSetA_value_barrier_u32(x) (x) +#endif + /* * The function fiat_id_tc26_gost_3410_2012_256_paramSetA_addcarryx_u24 is an addition with carry. * Postconditions: @@ -4069,7 +4178,10 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_cmovznz_u32( x1 = (!(!arg1)); x2 = ((fiat_id_tc26_gost_3410_2012_256_paramSetA_int1)(0x0 - x1) & UINT32_C(0xffffffff)); - x3 = ((x2 & arg3) | ((~x2) & arg2)); + x3 = ((fiat_id_tc26_gost_3410_2012_256_paramSetA_value_barrier_u32(x2) & + arg3) | + (fiat_id_tc26_gost_3410_2012_256_paramSetA_value_barrier_u32((~x2)) & + arg2)); *out1 = x3; } @@ -4079,10 +4191,10 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_cmovznz_u32( * eval out1 mod m = (eval arg1 * eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] - * arg2: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] + * arg1: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] + * arg2: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] * Output Bounds: - * out1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * out1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] */ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_carry_mul( uint32_t out1[11], const uint32_t arg1[11], const uint32_t arg2[11]) { @@ -4482,9 +4594,9 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_carry_mul( * eval out1 mod m = (eval arg1 * eval arg1) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] + * arg1: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] * Output Bounds: - * out1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * out1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] */ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_carry_square( uint32_t out1[11], const uint32_t arg1[11]) { @@ -4781,9 +4893,9 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_carry_square( * eval out1 mod m = eval arg1 mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] + * arg1: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] * Output Bounds: - * out1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * out1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] */ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_carry( uint32_t out1[11], const uint32_t arg1[11]) { @@ -4856,10 +4968,10 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_carry( * eval out1 mod m = (eval arg1 + eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] - * arg2: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * arg1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] + * arg2: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] * Output Bounds: - * out1: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] + * out1: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] */ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_add( uint32_t out1[11], const uint32_t arg1[11], const uint32_t arg2[11]) { @@ -4904,10 +5016,10 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_add( * eval out1 mod m = (eval arg1 - eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] - * arg2: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * arg1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] + * arg2: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] * Output Bounds: - * out1: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] + * out1: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] */ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_sub( uint32_t out1[11], const uint32_t arg1[11], const uint32_t arg2[11]) { @@ -4952,9 +5064,9 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_sub( * eval out1 mod m = -eval arg1 mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * arg1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] * Output Bounds: - * out1: [[0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x34ccccb], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664], [0x0 ~> 0x1a66664]] + * out1: [[0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x3000000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000], [0x0 ~> 0x1800000]] */ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_opp( uint32_t out1[11], const uint32_t arg1[11]) { @@ -5060,7 +5172,7 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_selectznz( * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] * * Input Bounds: - * arg1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * arg1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] * Output Bounds: * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] */ @@ -5120,76 +5232,75 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_to_bytes( uint32_t x52; uint32_t x53; uint32_t x54; - uint32_t x55; - uint8_t x56; + uint8_t x55; + uint32_t x56; uint8_t x57; uint8_t x58; uint8_t x59; uint32_t x60; uint8_t x61; uint8_t x62; - uint8_t x63; - uint32_t x64; + uint32_t x63; + uint8_t x64; uint32_t x65; uint8_t x66; uint32_t x67; uint8_t x68; uint8_t x69; - uint8_t x70; - uint32_t x71; + uint32_t x70; + uint8_t x71; uint32_t x72; uint8_t x73; uint32_t x74; uint8_t x75; uint8_t x76; - uint8_t x77; - uint32_t x78; + uint32_t x77; + uint8_t x78; uint32_t x79; uint8_t x80; uint32_t x81; uint8_t x82; uint8_t x83; - uint8_t x84; - uint32_t x85; + uint32_t x84; + uint8_t x85; uint32_t x86; uint8_t x87; uint32_t x88; uint8_t x89; uint8_t x90; - uint8_t x91; - uint32_t x92; + uint32_t x91; + uint8_t x92; uint32_t x93; uint8_t x94; uint32_t x95; uint8_t x96; uint8_t x97; - uint8_t x98; - uint32_t x99; + uint32_t x98; + uint8_t x99; uint32_t x100; uint8_t x101; uint32_t x102; uint8_t x103; uint8_t x104; - uint8_t x105; - uint32_t x106; + uint32_t x105; + uint8_t x106; uint32_t x107; uint8_t x108; uint32_t x109; uint8_t x110; uint8_t x111; - uint8_t x112; - uint32_t x113; + uint32_t x112; + uint8_t x113; uint32_t x114; uint8_t x115; uint32_t x116; uint8_t x117; fiat_id_tc26_gost_3410_2012_256_paramSetA_uint1 x118; - uint8_t x119; - uint32_t x120; + uint32_t x119; + uint8_t x120; uint32_t x121; uint8_t x122; uint8_t x123; - uint8_t x124; fiat_id_tc26_gost_3410_2012_256_paramSetA_subborrowx_u24( &x1, &x2, 0x0, (arg1[0]), UINT32_C(0xfffd97)); fiat_id_tc26_gost_3410_2012_256_paramSetA_subborrowx_u23( @@ -5245,107 +5356,106 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_to_bytes( x52 = (x32 << 6); x53 = (x30 << 6); x54 = (x28 << 7); - x55 = (x24 >> 8); - x56 = (uint8_t)(x24 & UINT8_C(0xff)); - x57 = (uint8_t)(x55 >> 8); - x58 = (uint8_t)(x55 & UINT8_C(0xff)); - x59 = (uint8_t)(x57 & UINT8_C(0xff)); + x55 = (uint8_t)(x24 & UINT8_C(0xff)); + x56 = (x24 >> 8); + x57 = (uint8_t)(x56 & UINT8_C(0xff)); + x58 = (uint8_t)(x56 >> 8); + x59 = (uint8_t)(x26 & UINT8_C(0xff)); x60 = (x26 >> 8); - x61 = (uint8_t)(x26 & UINT8_C(0xff)); + x61 = (uint8_t)(x60 & UINT8_C(0xff)); x62 = (uint8_t)(x60 >> 8); - x63 = (uint8_t)(x60 & UINT8_C(0xff)); - x64 = (x62 + x54); - x65 = (x64 >> 8); - x66 = (uint8_t)(x64 & UINT8_C(0xff)); + x63 = (x54 + (uint32_t)x62); + x64 = (uint8_t)(x63 & UINT8_C(0xff)); + x65 = (x63 >> 8); + x66 = (uint8_t)(x65 & UINT8_C(0xff)); x67 = (x65 >> 8); - x68 = (uint8_t)(x65 & UINT8_C(0xff)); + x68 = (uint8_t)(x67 & UINT8_C(0xff)); x69 = (uint8_t)(x67 >> 8); - x70 = (uint8_t)(x67 & UINT8_C(0xff)); - x71 = (x69 + x53); - x72 = (x71 >> 8); - x73 = (uint8_t)(x71 & UINT8_C(0xff)); + x70 = (x53 + (uint32_t)x69); + x71 = (uint8_t)(x70 & UINT8_C(0xff)); + x72 = (x70 >> 8); + x73 = (uint8_t)(x72 & UINT8_C(0xff)); x74 = (x72 >> 8); - x75 = (uint8_t)(x72 & UINT8_C(0xff)); + x75 = (uint8_t)(x74 & UINT8_C(0xff)); x76 = (uint8_t)(x74 >> 8); - x77 = (uint8_t)(x74 & UINT8_C(0xff)); - x78 = (x76 + x52); - x79 = (x78 >> 8); - x80 = (uint8_t)(x78 & UINT8_C(0xff)); + x77 = (x52 + (uint32_t)x76); + x78 = (uint8_t)(x77 & UINT8_C(0xff)); + x79 = (x77 >> 8); + x80 = (uint8_t)(x79 & UINT8_C(0xff)); x81 = (x79 >> 8); - x82 = (uint8_t)(x79 & UINT8_C(0xff)); + x82 = (uint8_t)(x81 & UINT8_C(0xff)); x83 = (uint8_t)(x81 >> 8); - x84 = (uint8_t)(x81 & UINT8_C(0xff)); - x85 = (x83 + x51); - x86 = (x85 >> 8); - x87 = (uint8_t)(x85 & UINT8_C(0xff)); + x84 = (x51 + (uint32_t)x83); + x85 = (uint8_t)(x84 & UINT8_C(0xff)); + x86 = (x84 >> 8); + x87 = (uint8_t)(x86 & UINT8_C(0xff)); x88 = (x86 >> 8); - x89 = (uint8_t)(x86 & UINT8_C(0xff)); + x89 = (uint8_t)(x88 & UINT8_C(0xff)); x90 = (uint8_t)(x88 >> 8); - x91 = (uint8_t)(x88 & UINT8_C(0xff)); - x92 = (x90 + x50); - x93 = (x92 >> 8); - x94 = (uint8_t)(x92 & UINT8_C(0xff)); + x91 = (x50 + (uint32_t)x90); + x92 = (uint8_t)(x91 & UINT8_C(0xff)); + x93 = (x91 >> 8); + x94 = (uint8_t)(x93 & UINT8_C(0xff)); x95 = (x93 >> 8); - x96 = (uint8_t)(x93 & UINT8_C(0xff)); + x96 = (uint8_t)(x95 & UINT8_C(0xff)); x97 = (uint8_t)(x95 >> 8); - x98 = (uint8_t)(x95 & UINT8_C(0xff)); - x99 = (x97 + x49); - x100 = (x99 >> 8); - x101 = (uint8_t)(x99 & UINT8_C(0xff)); + x98 = (x49 + (uint32_t)x97); + x99 = (uint8_t)(x98 & UINT8_C(0xff)); + x100 = (x98 >> 8); + x101 = (uint8_t)(x100 & UINT8_C(0xff)); x102 = (x100 >> 8); - x103 = (uint8_t)(x100 & UINT8_C(0xff)); + x103 = (uint8_t)(x102 & UINT8_C(0xff)); x104 = (uint8_t)(x102 >> 8); - x105 = (uint8_t)(x102 & UINT8_C(0xff)); - x106 = (x104 + x48); - x107 = (x106 >> 8); - x108 = (uint8_t)(x106 & UINT8_C(0xff)); + x105 = (x48 + (uint32_t)x104); + x106 = (uint8_t)(x105 & UINT8_C(0xff)); + x107 = (x105 >> 8); + x108 = (uint8_t)(x107 & UINT8_C(0xff)); x109 = (x107 >> 8); - x110 = (uint8_t)(x107 & UINT8_C(0xff)); + x110 = (uint8_t)(x109 & UINT8_C(0xff)); x111 = (uint8_t)(x109 >> 8); - x112 = (uint8_t)(x109 & UINT8_C(0xff)); - x113 = (x111 + x47); - x114 = (x113 >> 8); - x115 = (uint8_t)(x113 & UINT8_C(0xff)); + x112 = (x47 + (uint32_t)x111); + x113 = (uint8_t)(x112 & UINT8_C(0xff)); + x114 = (x112 >> 8); + x115 = (uint8_t)(x114 & UINT8_C(0xff)); x116 = (x114 >> 8); - x117 = (uint8_t)(x114 & UINT8_C(0xff)); + x117 = (uint8_t)(x116 & UINT8_C(0xff)); x118 = (fiat_id_tc26_gost_3410_2012_256_paramSetA_uint1)(x116 >> 8); - x119 = (uint8_t)(x116 & UINT8_C(0xff)); - x120 = (x118 + x46); - x121 = (x120 >> 8); - x122 = (uint8_t)(x120 & UINT8_C(0xff)); + x119 = (x46 + (uint32_t)x118); + x120 = (uint8_t)(x119 & UINT8_C(0xff)); + x121 = (x119 >> 8); + x122 = (uint8_t)(x121 & UINT8_C(0xff)); x123 = (uint8_t)(x121 >> 8); - x124 = (uint8_t)(x121 & UINT8_C(0xff)); - out1[0] = x56; - out1[1] = x58; - out1[2] = x59; - out1[3] = x61; - out1[4] = x63; - out1[5] = x66; - out1[6] = x68; - out1[7] = x70; - out1[8] = x73; - out1[9] = x75; - out1[10] = x77; - out1[11] = x80; - out1[12] = x82; - out1[13] = x84; - out1[14] = x87; - out1[15] = x89; - out1[16] = x91; - out1[17] = x94; - out1[18] = x96; - out1[19] = x98; - out1[20] = x101; - out1[21] = x103; - out1[22] = x105; - out1[23] = x108; - out1[24] = x110; - out1[25] = x112; - out1[26] = x115; - out1[27] = x117; - out1[28] = x119; - out1[29] = x122; - out1[30] = x124; + out1[0] = x55; + out1[1] = x57; + out1[2] = x58; + out1[3] = x59; + out1[4] = x61; + out1[5] = x64; + out1[6] = x66; + out1[7] = x68; + out1[8] = x71; + out1[9] = x73; + out1[10] = x75; + out1[11] = x78; + out1[12] = x80; + out1[13] = x82; + out1[14] = x85; + out1[15] = x87; + out1[16] = x89; + out1[17] = x92; + out1[18] = x94; + out1[19] = x96; + out1[20] = x99; + out1[21] = x101; + out1[22] = x103; + out1[23] = x106; + out1[24] = x108; + out1[25] = x110; + out1[26] = x113; + out1[27] = x115; + out1[28] = x117; + out1[29] = x120; + out1[30] = x122; out1[31] = x123; } @@ -5357,7 +5467,7 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_to_bytes( * Input Bounds: * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] * Output Bounds: - * out1: [[0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x1199999], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc], [0x0 ~> 0x8ccccc]] + * out1: [[0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x1000000], [0x0 ~> 0x800000], [0x0 ~> 0x800000], [0x0 ~> 0x800000]] */ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_from_bytes( uint32_t out1[11], const uint8_t arg1[32]) { @@ -5398,40 +5508,49 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_from_bytes( uint32_t x35; uint32_t x36; uint32_t x37; - uint32_t x38; + fiat_id_tc26_gost_3410_2012_256_paramSetA_uint1 x38; uint32_t x39; uint32_t x40; uint32_t x41; uint32_t x42; - uint32_t x43; + uint8_t x43; uint32_t x44; - fiat_id_tc26_gost_3410_2012_256_paramSetA_uint1 x45; + uint32_t x45; uint32_t x46; uint32_t x47; uint8_t x48; uint32_t x49; uint32_t x50; - uint8_t x51; + uint32_t x51; uint32_t x52; - uint32_t x53; - uint8_t x54; + uint8_t x53; + uint32_t x54; uint32_t x55; uint32_t x56; - uint8_t x57; - uint32_t x58; + uint32_t x57; + uint8_t x58; uint32_t x59; - uint8_t x60; + uint32_t x60; uint32_t x61; uint32_t x62; uint8_t x63; uint32_t x64; uint32_t x65; - uint8_t x66; + uint32_t x66; uint32_t x67; - uint32_t x68; - uint8_t x69; + uint8_t x68; + uint32_t x69; uint32_t x70; uint32_t x71; + uint32_t x72; + uint8_t x73; + uint32_t x74; + uint32_t x75; + uint32_t x76; + uint32_t x77; + uint8_t x78; + uint32_t x79; + uint32_t x80; x1 = ((uint32_t)(arg1[31]) << 15); x2 = ((uint32_t)(arg1[30]) << 7); x3 = ((uint32_t)(arg1[29]) << 22); @@ -5464,56 +5583,65 @@ static void fiat_id_tc26_gost_3410_2012_256_paramSetA_from_bytes( x30 = ((uint32_t)(arg1[2]) << 16); x31 = ((uint32_t)(arg1[1]) << 8); x32 = (arg1[0]); - x33 = (x32 + (x31 + x30)); - x34 = (x33 & UINT32_C(0xffffff)); - x35 = (x2 + x1); - x36 = (x5 + (x4 + x3)); - x37 = (x8 + (x7 + x6)); - x38 = (x11 + (x10 + x9)); - x39 = (x14 + (x13 + x12)); - x40 = (x17 + (x16 + x15)); - x41 = (x20 + (x19 + x18)); - x42 = (x23 + (x22 + x21)); - x43 = (x26 + (x25 + x24)); - x44 = (x29 + (x28 + x27)); - x45 = (fiat_id_tc26_gost_3410_2012_256_paramSetA_uint1)(x44 >> 23); - x46 = (x44 & UINT32_C(0x7fffff)); - x47 = (x45 + x43); - x48 = (uint8_t)(x47 >> 23); - x49 = (x47 & UINT32_C(0x7fffff)); - x50 = (x48 + x42); - x51 = (uint8_t)(x50 >> 24); - x52 = (x50 & UINT32_C(0xffffff)); - x53 = (x51 + x41); - x54 = (uint8_t)(x53 >> 23); - x55 = (x53 & UINT32_C(0x7fffff)); - x56 = (x54 + x40); - x57 = (uint8_t)(x56 >> 23); - x58 = (x56 & UINT32_C(0x7fffff)); - x59 = (x57 + x39); - x60 = (uint8_t)(x59 >> 23); - x61 = (x59 & UINT32_C(0x7fffff)); - x62 = (x60 + x38); - x63 = (uint8_t)(x62 >> 24); - x64 = (x62 & UINT32_C(0xffffff)); - x65 = (x63 + x37); - x66 = (uint8_t)(x65 >> 23); - x67 = (x65 & UINT32_C(0x7fffff)); - x68 = (x66 + x36); - x69 = (uint8_t)(x68 >> 23); - x70 = (x68 & UINT32_C(0x7fffff)); - x71 = (x69 + x35); + x33 = (x31 + (uint32_t)x32); + x34 = (x30 + x33); + x35 = (x28 + (uint32_t)x29); + x36 = (x27 + x35); + x37 = (x36 & UINT32_C(0x7fffff)); + x38 = (fiat_id_tc26_gost_3410_2012_256_paramSetA_uint1)(x36 >> 23); + x39 = (x26 + (uint32_t)x38); + x40 = (x25 + x39); + x41 = (x24 + x40); + x42 = (x41 & UINT32_C(0x7fffff)); + x43 = (uint8_t)(x41 >> 23); + x44 = (x23 + (uint32_t)x43); + x45 = (x22 + x44); + x46 = (x21 + x45); + x47 = (x46 & UINT32_C(0xffffff)); + x48 = (uint8_t)(x46 >> 24); + x49 = (x20 + (uint32_t)x48); + x50 = (x19 + x49); + x51 = (x18 + x50); + x52 = (x51 & UINT32_C(0x7fffff)); + x53 = (uint8_t)(x51 >> 23); + x54 = (x17 + (uint32_t)x53); + x55 = (x16 + x54); + x56 = (x15 + x55); + x57 = (x56 & UINT32_C(0x7fffff)); + x58 = (uint8_t)(x56 >> 23); + x59 = (x14 + (uint32_t)x58); + x60 = (x13 + x59); + x61 = (x12 + x60); + x62 = (x61 & UINT32_C(0x7fffff)); + x63 = (uint8_t)(x61 >> 23); + x64 = (x11 + (uint32_t)x63); + x65 = (x10 + x64); + x66 = (x9 + x65); + x67 = (x66 & UINT32_C(0xffffff)); + x68 = (uint8_t)(x66 >> 24); + x69 = (x8 + (uint32_t)x68); + x70 = (x7 + x69); + x71 = (x6 + x70); + x72 = (x71 & UINT32_C(0x7fffff)); + x73 = (uint8_t)(x71 >> 23); + x74 = (x5 + (uint32_t)x73); + x75 = (x4 + x74); + x76 = (x3 + x75); + x77 = (x76 & UINT32_C(0x7fffff)); + x78 = (uint8_t)(x76 >> 23); + x79 = (x2 + (uint32_t)x78); + x80 = (x1 + x79); out1[0] = x34; - out1[1] = x46; - out1[2] = x49; - out1[3] = x52; - out1[4] = x55; - out1[5] = x58; - out1[6] = x61; - out1[7] = x64; - out1[8] = x67; - out1[9] = x70; - out1[10] = x71; + out1[1] = x37; + out1[2] = x42; + out1[3] = x47; + out1[4] = x52; + out1[5] = x57; + out1[6] = x62; + out1[7] = x67; + out1[8] = x72; + out1[9] = x77; + out1[10] = x80; } /* END verbatim fiat code */ @@ -8464,8 +8592,8 @@ static void point_edwards2legacy(pt_prj_t *Q, const pt_prj_t *P) { /* temporary variables */ fe_t t0; /* constants */ - const limb_t *T = const_T; const limb_t *S = const_S; + const limb_t *T = const_T; const limb_t *X1 = P->X; const limb_t *Y1 = P->Y; const limb_t *Z1 = P->Z; @@ -8492,8 +8620,8 @@ static void point_edwards2legacy(pt_prj_t *Q, const pt_prj_t *P) { */ static void point_legacy2edwards(pt_prj_t *Q, const pt_aff_t *P) { /* constants */ - const limb_t *T = const_T; const limb_t *S = const_S; + const limb_t *T = const_T; const limb_t *X1 = P->X; const limb_t *Y1 = P->Y; limb_t *X3 = Q->X; @@ -8597,7 +8725,7 @@ static void scalar_wnaf(int8_t out[257], const unsigned char in[32]) { } /*- - * Simulateous scalar multiplication: interleaved "textbook" wnaf. + * Simultaneous scalar multiplication: interleaved "textbook" wnaf. * NB: not constant time */ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], @@ -8605,7 +8733,7 @@ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[32], int i, d, is_neg, is_inf = 1, flipped = 0; int8_t anaf[257] = {0}; int8_t bnaf[257] = {0}; - pt_prj_t Q; + pt_prj_t Q = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -8679,7 +8807,7 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], const pt_aff_t *P) { int i, j, d, diff, is_neg; int8_t rnaf[52] = {0}; - pt_prj_t Q, lut; + pt_prj_t Q = {0}, lut = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -8767,8 +8895,8 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[32], static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { int i, j, k, d, diff, is_neg = 0; int8_t rnaf[52] = {0}; - pt_prj_t Q, R; - pt_aff_t lut; + pt_prj_t Q = {0}, R = {0}; + pt_aff_t lut = {0}; scalar_rwnaf(rnaf, scalar); @@ -8840,6 +8968,12 @@ static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[32]) { fiat_id_tc26_gost_3410_2012_256_paramSetA_carry_mul(out->Y, Q.Y, Q.Z); } +/*- + * Wrapper: simultaneous scalar mutiplication. + * outx, outy := a * G + b * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], const unsigned char a[32], const unsigned char b[32], const unsigned char inx[32], @@ -8855,6 +8989,11 @@ static void point_mul_two(unsigned char outx[32], unsigned char outy[32], fiat_id_tc26_gost_3410_2012_256_paramSetA_to_bytes(outy, P.Y); } +/*- + * Wrapper: fixed scalar mutiplication. + * outx, outy := scalar * G + * Everything is LE byte ordering. + */ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32]) { pt_aff_t P; @@ -8865,6 +9004,12 @@ static void point_mul_g(unsigned char outx[32], unsigned char outy[32], fiat_id_tc26_gost_3410_2012_256_paramSetA_to_bytes(outy, P.Y); } +/*- + * Wrapper: variable point scalar mutiplication. + * outx, outy := scalar * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul(unsigned char outx[32], unsigned char outy[32], const unsigned char scalar[32], const unsigned char inx[32], @@ -8882,8 +9027,13 @@ static void point_mul(unsigned char outx[32], unsigned char outy[32], #include +/* the zero field element */ static const unsigned char const_zb[32] = {0}; +/*- + * An OpenSSL wrapper for simultaneous scalar multiplication. + * r := n * G + m * q + */ int point_mul_two_id_tc26_gost_3410_2012_256_paramSetA( const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, @@ -8922,6 +9072,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for variable point scalar multiplication. + * r := m * q + */ int point_mul_id_tc26_gost_3410_2012_256_paramSetA(const EC_GROUP *group, EC_POINT *r, @@ -8961,6 +9115,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for fixed scalar multiplication. + * r := n * G + */ int point_mul_g_id_tc26_gost_3410_2012_256_paramSetA(const EC_GROUP *group, EC_POINT *r, diff --git a/ecp_id_tc26_gost_3410_2012_512_paramSetA.c b/ecp_id_tc26_gost_3410_2012_512_paramSetA.c index 8667cc7..5c50d83 100644 --- a/ecp_id_tc26_gost_3410_2012_512_paramSetA.c +++ b/ecp_id_tc26_gost_3410_2012_512_paramSetA.c @@ -32,6 +32,10 @@ typedef uint64_t fe_t[LIMB_CNT]; typedef uint64_t limb_t; +#ifdef OPENSSL_NO_ASM +#define FIAT_ID_TC26_GOST_3410_2012_512_PARAMSETA_NO_ASM +#endif + #define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) #define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) @@ -80,18 +84,19 @@ typedef struct { * SOFTWARE. */ -/* Autogenerated: unsaturated_solinas --static id_tc26_gost_3410_2012_512_paramSetA 64 '(auto)' '2^512 - 569' */ +/* Autogenerated: unsaturated_solinas --static --use-value-barrier id_tc26_gost_3410_2012_512_paramSetA 64 '(auto)' '2^512 - 569' */ /* curve description: id_tc26_gost_3410_2012_512_paramSetA */ /* machine_wordsize = 64 (from "64") */ /* requested operations: (all) */ /* n = 10 (from "(auto)") */ /* s-c = 2^512 - [(1, 569)] (from "2^512 - 569") */ -/* tight_bounds_multiplier = 1.1 (from "") */ +/* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ /* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] */ /* eval z = z[0] + (z[1] << 52) + (z[2] << 103) + (z[3] << 154) + (z[4] << 205) + (z[5] << 256) + (z[6] << 0x134) + (z[7] << 0x167) + (z[8] << 0x19a) + (z[9] << 0x1cd) */ /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) */ +/* balance = [0x1ffffffffffb8e, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0x1ffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] */ #include typedef unsigned char fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1; @@ -103,6 +108,17 @@ typedef unsigned __int128 fiat_id_tc26_gost_3410_2012_512_paramSetA_uint128; #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_ID_TC26_GOST_3410_2012_512_PARAMSETA_NO_ASM) && \ + (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint64_t +fiat_id_tc26_gost_3410_2012_512_paramSetA_value_barrier_u64(uint64_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +#define fiat_id_tc26_gost_3410_2012_512_paramSetA_value_barrier_u64(x) (x) +#endif + /* * The function fiat_id_tc26_gost_3410_2012_512_paramSetA_addcarryx_u52 is an addition with carry. * Postconditions: @@ -236,7 +252,10 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_cmovznz_u64( x1 = (!(!arg1)); x2 = ((fiat_id_tc26_gost_3410_2012_512_paramSetA_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); - x3 = ((x2 & arg3) | ((~x2) & arg2)); + x3 = ((fiat_id_tc26_gost_3410_2012_512_paramSetA_value_barrier_u64(x2) & + arg3) | + (fiat_id_tc26_gost_3410_2012_512_paramSetA_value_barrier_u64((~x2)) & + arg2)); *out1 = x3; } @@ -246,10 +265,10 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_cmovznz_u64( * eval out1 mod m = (eval arg1 * eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] - * arg2: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * arg1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] + * arg2: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * out1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_carry_mul( uint64_t out1[10], const uint64_t arg1[10], const uint64_t arg2[10]) { @@ -740,9 +759,9 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_carry_mul( * eval out1 mod m = (eval arg1 * eval arg1) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * arg1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * out1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_carry_square( uint64_t out1[10], const uint64_t arg1[10]) { @@ -1030,9 +1049,9 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_carry_square( * eval out1 mod m = eval arg1 mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * arg1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * out1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_carry( uint64_t out1[10], const uint64_t arg1[10]) { @@ -1100,10 +1119,10 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_carry( * eval out1 mod m = (eval arg1 + eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] - * arg2: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * arg1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] + * arg2: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * out1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_add( uint64_t out1[10], const uint64_t arg1[10], const uint64_t arg2[10]) { @@ -1145,10 +1164,10 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_add( * eval out1 mod m = (eval arg1 - eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] - * arg2: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * arg1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] + * arg2: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * out1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_sub( uint64_t out1[10], const uint64_t arg1[10], const uint64_t arg2[10]) { @@ -1190,9 +1209,9 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_sub( * eval out1 mod m = -eval arg1 mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * arg1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * out1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_opp( uint64_t out1[10], const uint64_t arg1[10]) { @@ -1291,7 +1310,7 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_selectznz( * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..63] * * Input Bounds: - * arg1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * arg1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] * Output Bounds: * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] */ @@ -1346,70 +1365,70 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_to_bytes( uint64_t x47; uint64_t x48; uint64_t x49; - uint64_t x50; - uint8_t x51; - uint64_t x52; - uint8_t x53; - uint64_t x54; - uint8_t x55; - uint64_t x56; - uint8_t x57; - uint64_t x58; - uint8_t x59; + uint8_t x50; + uint64_t x51; + uint8_t x52; + uint64_t x53; + uint8_t x54; + uint64_t x55; + uint8_t x56; + uint64_t x57; + uint8_t x58; + uint64_t x59; uint8_t x60; uint8_t x61; uint64_t x62; - uint64_t x63; - uint8_t x64; - uint64_t x65; - uint8_t x66; - uint64_t x67; - uint8_t x68; - uint64_t x69; - uint8_t x70; - uint64_t x71; - uint8_t x72; + uint8_t x63; + uint64_t x64; + uint8_t x65; + uint64_t x66; + uint8_t x67; + uint64_t x68; + uint8_t x69; + uint64_t x70; + uint8_t x71; + uint64_t x72; uint8_t x73; uint8_t x74; uint64_t x75; - uint64_t x76; - uint8_t x77; - uint64_t x78; - uint8_t x79; - uint64_t x80; - uint8_t x81; - uint64_t x82; - uint8_t x83; - uint64_t x84; - uint8_t x85; - uint64_t x86; - uint8_t x87; + uint8_t x76; + uint64_t x77; + uint8_t x78; + uint64_t x79; + uint8_t x80; + uint64_t x81; + uint8_t x82; + uint64_t x83; + uint8_t x84; + uint64_t x85; + uint8_t x86; + uint64_t x87; uint8_t x88; uint8_t x89; uint64_t x90; - uint64_t x91; - uint8_t x92; - uint64_t x93; - uint8_t x94; - uint64_t x95; - uint8_t x96; - uint64_t x97; - uint8_t x98; - uint64_t x99; - uint8_t x100; + uint8_t x91; + uint64_t x92; + uint8_t x93; + uint64_t x94; + uint8_t x95; + uint64_t x96; + uint8_t x97; + uint64_t x98; + uint8_t x99; + uint64_t x100; uint8_t x101; uint8_t x102; uint64_t x103; - uint64_t x104; - uint8_t x105; - uint64_t x106; - uint8_t x107; - uint64_t x108; - uint8_t x109; - uint64_t x110; - uint8_t x111; - uint64_t x112; - uint8_t x113; + uint8_t x104; + uint64_t x105; + uint8_t x106; + uint64_t x107; + uint8_t x108; + uint64_t x109; + uint8_t x110; + uint64_t x111; + uint8_t x112; + uint64_t x113; uint8_t x114; uint8_t x115; uint8_t x116; @@ -1424,8 +1443,8 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_to_bytes( uint64_t x125; uint8_t x126; uint8_t x127; - uint8_t x128; - uint64_t x129; + uint64_t x128; + uint8_t x129; uint64_t x130; uint8_t x131; uint64_t x132; @@ -1437,8 +1456,8 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_to_bytes( uint64_t x138; uint8_t x139; uint8_t x140; - uint8_t x141; - uint64_t x142; + uint64_t x141; + uint8_t x142; uint64_t x143; uint8_t x144; uint64_t x145; @@ -1452,8 +1471,8 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_to_bytes( uint64_t x153; uint8_t x154; uint8_t x155; - uint8_t x156; - uint64_t x157; + uint64_t x156; + uint8_t x157; uint64_t x158; uint8_t x159; uint64_t x160; @@ -1465,8 +1484,8 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_to_bytes( uint64_t x166; uint8_t x167; uint8_t x168; - uint8_t x169; - uint64_t x170; + uint64_t x169; + uint8_t x170; uint64_t x171; uint8_t x172; uint64_t x173; @@ -1478,7 +1497,6 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_to_bytes( uint64_t x179; uint8_t x180; uint8_t x181; - uint8_t x182; fiat_id_tc26_gost_3410_2012_512_paramSetA_subborrowx_u52( &x1, &x2, 0x0, (arg1[0]), UINT64_C(0xffffffffffdc7)); fiat_id_tc26_gost_3410_2012_512_paramSetA_subborrowx_u51( @@ -1529,202 +1547,201 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_to_bytes( x47 = (x28 << 2); x48 = (x26 << 7); x49 = (x24 << 4); - x50 = (x22 >> 8); - x51 = (uint8_t)(x22 & UINT8_C(0xff)); - x52 = (x50 >> 8); - x53 = (uint8_t)(x50 & UINT8_C(0xff)); - x54 = (x52 >> 8); - x55 = (uint8_t)(x52 & UINT8_C(0xff)); - x56 = (x54 >> 8); - x57 = (uint8_t)(x54 & UINT8_C(0xff)); - x58 = (x56 >> 8); - x59 = (uint8_t)(x56 & UINT8_C(0xff)); - x60 = (uint8_t)(x58 >> 8); - x61 = (uint8_t)(x58 & UINT8_C(0xff)); - x62 = (x60 + x49); - x63 = (x62 >> 8); - x64 = (uint8_t)(x62 & UINT8_C(0xff)); - x65 = (x63 >> 8); - x66 = (uint8_t)(x63 & UINT8_C(0xff)); - x67 = (x65 >> 8); - x68 = (uint8_t)(x65 & UINT8_C(0xff)); - x69 = (x67 >> 8); - x70 = (uint8_t)(x67 & UINT8_C(0xff)); - x71 = (x69 >> 8); - x72 = (uint8_t)(x69 & UINT8_C(0xff)); - x73 = (uint8_t)(x71 >> 8); - x74 = (uint8_t)(x71 & UINT8_C(0xff)); - x75 = (x73 + x48); - x76 = (x75 >> 8); - x77 = (uint8_t)(x75 & UINT8_C(0xff)); - x78 = (x76 >> 8); - x79 = (uint8_t)(x76 & UINT8_C(0xff)); - x80 = (x78 >> 8); - x81 = (uint8_t)(x78 & UINT8_C(0xff)); - x82 = (x80 >> 8); - x83 = (uint8_t)(x80 & UINT8_C(0xff)); - x84 = (x82 >> 8); - x85 = (uint8_t)(x82 & UINT8_C(0xff)); - x86 = (x84 >> 8); - x87 = (uint8_t)(x84 & UINT8_C(0xff)); - x88 = (uint8_t)(x86 >> 8); - x89 = (uint8_t)(x86 & UINT8_C(0xff)); - x90 = (x88 + x47); - x91 = (x90 >> 8); - x92 = (uint8_t)(x90 & UINT8_C(0xff)); - x93 = (x91 >> 8); - x94 = (uint8_t)(x91 & UINT8_C(0xff)); - x95 = (x93 >> 8); - x96 = (uint8_t)(x93 & UINT8_C(0xff)); - x97 = (x95 >> 8); - x98 = (uint8_t)(x95 & UINT8_C(0xff)); - x99 = (x97 >> 8); - x100 = (uint8_t)(x97 & UINT8_C(0xff)); - x101 = (uint8_t)(x99 >> 8); - x102 = (uint8_t)(x99 & UINT8_C(0xff)); - x103 = (x101 + x46); - x104 = (x103 >> 8); - x105 = (uint8_t)(x103 & UINT8_C(0xff)); - x106 = (x104 >> 8); - x107 = (uint8_t)(x104 & UINT8_C(0xff)); - x108 = (x106 >> 8); - x109 = (uint8_t)(x106 & UINT8_C(0xff)); - x110 = (x108 >> 8); - x111 = (uint8_t)(x108 & UINT8_C(0xff)); - x112 = (x110 >> 8); - x113 = (uint8_t)(x110 & UINT8_C(0xff)); - x114 = (uint8_t)(x112 >> 8); - x115 = (uint8_t)(x112 & UINT8_C(0xff)); - x116 = (uint8_t)(x114 & UINT8_C(0xff)); + x50 = (uint8_t)(x22 & UINT8_C(0xff)); + x51 = (x22 >> 8); + x52 = (uint8_t)(x51 & UINT8_C(0xff)); + x53 = (x51 >> 8); + x54 = (uint8_t)(x53 & UINT8_C(0xff)); + x55 = (x53 >> 8); + x56 = (uint8_t)(x55 & UINT8_C(0xff)); + x57 = (x55 >> 8); + x58 = (uint8_t)(x57 & UINT8_C(0xff)); + x59 = (x57 >> 8); + x60 = (uint8_t)(x59 & UINT8_C(0xff)); + x61 = (uint8_t)(x59 >> 8); + x62 = (x49 + (uint64_t)x61); + x63 = (uint8_t)(x62 & UINT8_C(0xff)); + x64 = (x62 >> 8); + x65 = (uint8_t)(x64 & UINT8_C(0xff)); + x66 = (x64 >> 8); + x67 = (uint8_t)(x66 & UINT8_C(0xff)); + x68 = (x66 >> 8); + x69 = (uint8_t)(x68 & UINT8_C(0xff)); + x70 = (x68 >> 8); + x71 = (uint8_t)(x70 & UINT8_C(0xff)); + x72 = (x70 >> 8); + x73 = (uint8_t)(x72 & UINT8_C(0xff)); + x74 = (uint8_t)(x72 >> 8); + x75 = (x48 + (uint64_t)x74); + x76 = (uint8_t)(x75 & UINT8_C(0xff)); + x77 = (x75 >> 8); + x78 = (uint8_t)(x77 & UINT8_C(0xff)); + x79 = (x77 >> 8); + x80 = (uint8_t)(x79 & UINT8_C(0xff)); + x81 = (x79 >> 8); + x82 = (uint8_t)(x81 & UINT8_C(0xff)); + x83 = (x81 >> 8); + x84 = (uint8_t)(x83 & UINT8_C(0xff)); + x85 = (x83 >> 8); + x86 = (uint8_t)(x85 & UINT8_C(0xff)); + x87 = (x85 >> 8); + x88 = (uint8_t)(x87 & UINT8_C(0xff)); + x89 = (uint8_t)(x87 >> 8); + x90 = (x47 + (uint64_t)x89); + x91 = (uint8_t)(x90 & UINT8_C(0xff)); + x92 = (x90 >> 8); + x93 = (uint8_t)(x92 & UINT8_C(0xff)); + x94 = (x92 >> 8); + x95 = (uint8_t)(x94 & UINT8_C(0xff)); + x96 = (x94 >> 8); + x97 = (uint8_t)(x96 & UINT8_C(0xff)); + x98 = (x96 >> 8); + x99 = (uint8_t)(x98 & UINT8_C(0xff)); + x100 = (x98 >> 8); + x101 = (uint8_t)(x100 & UINT8_C(0xff)); + x102 = (uint8_t)(x100 >> 8); + x103 = (x46 + (uint64_t)x102); + x104 = (uint8_t)(x103 & UINT8_C(0xff)); + x105 = (x103 >> 8); + x106 = (uint8_t)(x105 & UINT8_C(0xff)); + x107 = (x105 >> 8); + x108 = (uint8_t)(x107 & UINT8_C(0xff)); + x109 = (x107 >> 8); + x110 = (uint8_t)(x109 & UINT8_C(0xff)); + x111 = (x109 >> 8); + x112 = (uint8_t)(x111 & UINT8_C(0xff)); + x113 = (x111 >> 8); + x114 = (uint8_t)(x113 & UINT8_C(0xff)); + x115 = (uint8_t)(x113 >> 8); + x116 = (uint8_t)(x32 & UINT8_C(0xff)); x117 = (x32 >> 8); - x118 = (uint8_t)(x32 & UINT8_C(0xff)); + x118 = (uint8_t)(x117 & UINT8_C(0xff)); x119 = (x117 >> 8); - x120 = (uint8_t)(x117 & UINT8_C(0xff)); + x120 = (uint8_t)(x119 & UINT8_C(0xff)); x121 = (x119 >> 8); - x122 = (uint8_t)(x119 & UINT8_C(0xff)); + x122 = (uint8_t)(x121 & UINT8_C(0xff)); x123 = (x121 >> 8); - x124 = (uint8_t)(x121 & UINT8_C(0xff)); + x124 = (uint8_t)(x123 & UINT8_C(0xff)); x125 = (x123 >> 8); - x126 = (uint8_t)(x123 & UINT8_C(0xff)); + x126 = (uint8_t)(x125 & UINT8_C(0xff)); x127 = (uint8_t)(x125 >> 8); - x128 = (uint8_t)(x125 & UINT8_C(0xff)); - x129 = (x127 + x45); - x130 = (x129 >> 8); - x131 = (uint8_t)(x129 & UINT8_C(0xff)); + x128 = (x45 + (uint64_t)x127); + x129 = (uint8_t)(x128 & UINT8_C(0xff)); + x130 = (x128 >> 8); + x131 = (uint8_t)(x130 & UINT8_C(0xff)); x132 = (x130 >> 8); - x133 = (uint8_t)(x130 & UINT8_C(0xff)); + x133 = (uint8_t)(x132 & UINT8_C(0xff)); x134 = (x132 >> 8); - x135 = (uint8_t)(x132 & UINT8_C(0xff)); + x135 = (uint8_t)(x134 & UINT8_C(0xff)); x136 = (x134 >> 8); - x137 = (uint8_t)(x134 & UINT8_C(0xff)); + x137 = (uint8_t)(x136 & UINT8_C(0xff)); x138 = (x136 >> 8); - x139 = (uint8_t)(x136 & UINT8_C(0xff)); + x139 = (uint8_t)(x138 & UINT8_C(0xff)); x140 = (uint8_t)(x138 >> 8); - x141 = (uint8_t)(x138 & UINT8_C(0xff)); - x142 = (x140 + x44); - x143 = (x142 >> 8); - x144 = (uint8_t)(x142 & UINT8_C(0xff)); + x141 = (x44 + (uint64_t)x140); + x142 = (uint8_t)(x141 & UINT8_C(0xff)); + x143 = (x141 >> 8); + x144 = (uint8_t)(x143 & UINT8_C(0xff)); x145 = (x143 >> 8); - x146 = (uint8_t)(x143 & UINT8_C(0xff)); + x146 = (uint8_t)(x145 & UINT8_C(0xff)); x147 = (x145 >> 8); - x148 = (uint8_t)(x145 & UINT8_C(0xff)); + x148 = (uint8_t)(x147 & UINT8_C(0xff)); x149 = (x147 >> 8); - x150 = (uint8_t)(x147 & UINT8_C(0xff)); + x150 = (uint8_t)(x149 & UINT8_C(0xff)); x151 = (x149 >> 8); - x152 = (uint8_t)(x149 & UINT8_C(0xff)); + x152 = (uint8_t)(x151 & UINT8_C(0xff)); x153 = (x151 >> 8); - x154 = (uint8_t)(x151 & UINT8_C(0xff)); + x154 = (uint8_t)(x153 & UINT8_C(0xff)); x155 = (uint8_t)(x153 >> 8); - x156 = (uint8_t)(x153 & UINT8_C(0xff)); - x157 = (x155 + x43); - x158 = (x157 >> 8); - x159 = (uint8_t)(x157 & UINT8_C(0xff)); + x156 = (x43 + (uint64_t)x155); + x157 = (uint8_t)(x156 & UINT8_C(0xff)); + x158 = (x156 >> 8); + x159 = (uint8_t)(x158 & UINT8_C(0xff)); x160 = (x158 >> 8); - x161 = (uint8_t)(x158 & UINT8_C(0xff)); + x161 = (uint8_t)(x160 & UINT8_C(0xff)); x162 = (x160 >> 8); - x163 = (uint8_t)(x160 & UINT8_C(0xff)); + x163 = (uint8_t)(x162 & UINT8_C(0xff)); x164 = (x162 >> 8); - x165 = (uint8_t)(x162 & UINT8_C(0xff)); + x165 = (uint8_t)(x164 & UINT8_C(0xff)); x166 = (x164 >> 8); - x167 = (uint8_t)(x164 & UINT8_C(0xff)); + x167 = (uint8_t)(x166 & UINT8_C(0xff)); x168 = (uint8_t)(x166 >> 8); - x169 = (uint8_t)(x166 & UINT8_C(0xff)); - x170 = (x168 + x42); - x171 = (x170 >> 8); - x172 = (uint8_t)(x170 & UINT8_C(0xff)); + x169 = (x42 + (uint64_t)x168); + x170 = (uint8_t)(x169 & UINT8_C(0xff)); + x171 = (x169 >> 8); + x172 = (uint8_t)(x171 & UINT8_C(0xff)); x173 = (x171 >> 8); - x174 = (uint8_t)(x171 & UINT8_C(0xff)); + x174 = (uint8_t)(x173 & UINT8_C(0xff)); x175 = (x173 >> 8); - x176 = (uint8_t)(x173 & UINT8_C(0xff)); + x176 = (uint8_t)(x175 & UINT8_C(0xff)); x177 = (x175 >> 8); - x178 = (uint8_t)(x175 & UINT8_C(0xff)); + x178 = (uint8_t)(x177 & UINT8_C(0xff)); x179 = (x177 >> 8); - x180 = (uint8_t)(x177 & UINT8_C(0xff)); + x180 = (uint8_t)(x179 & UINT8_C(0xff)); x181 = (uint8_t)(x179 >> 8); - x182 = (uint8_t)(x179 & UINT8_C(0xff)); - out1[0] = x51; - out1[1] = x53; - out1[2] = x55; - out1[3] = x57; - out1[4] = x59; - out1[5] = x61; - out1[6] = x64; - out1[7] = x66; - out1[8] = x68; - out1[9] = x70; - out1[10] = x72; - out1[11] = x74; - out1[12] = x77; - out1[13] = x79; - out1[14] = x81; - out1[15] = x83; - out1[16] = x85; - out1[17] = x87; - out1[18] = x89; - out1[19] = x92; - out1[20] = x94; - out1[21] = x96; - out1[22] = x98; - out1[23] = x100; - out1[24] = x102; - out1[25] = x105; - out1[26] = x107; - out1[27] = x109; - out1[28] = x111; - out1[29] = x113; - out1[30] = x115; - out1[31] = x116; - out1[32] = x118; - out1[33] = x120; - out1[34] = x122; - out1[35] = x124; - out1[36] = x126; - out1[37] = x128; - out1[38] = x131; - out1[39] = x133; - out1[40] = x135; - out1[41] = x137; - out1[42] = x139; - out1[43] = x141; - out1[44] = x144; - out1[45] = x146; - out1[46] = x148; - out1[47] = x150; - out1[48] = x152; - out1[49] = x154; - out1[50] = x156; - out1[51] = x159; - out1[52] = x161; - out1[53] = x163; - out1[54] = x165; - out1[55] = x167; - out1[56] = x169; - out1[57] = x172; - out1[58] = x174; - out1[59] = x176; - out1[60] = x178; - out1[61] = x180; - out1[62] = x182; + out1[0] = x50; + out1[1] = x52; + out1[2] = x54; + out1[3] = x56; + out1[4] = x58; + out1[5] = x60; + out1[6] = x63; + out1[7] = x65; + out1[8] = x67; + out1[9] = x69; + out1[10] = x71; + out1[11] = x73; + out1[12] = x76; + out1[13] = x78; + out1[14] = x80; + out1[15] = x82; + out1[16] = x84; + out1[17] = x86; + out1[18] = x88; + out1[19] = x91; + out1[20] = x93; + out1[21] = x95; + out1[22] = x97; + out1[23] = x99; + out1[24] = x101; + out1[25] = x104; + out1[26] = x106; + out1[27] = x108; + out1[28] = x110; + out1[29] = x112; + out1[30] = x114; + out1[31] = x115; + out1[32] = x116; + out1[33] = x118; + out1[34] = x120; + out1[35] = x122; + out1[36] = x124; + out1[37] = x126; + out1[38] = x129; + out1[39] = x131; + out1[40] = x133; + out1[41] = x135; + out1[42] = x137; + out1[43] = x139; + out1[44] = x142; + out1[45] = x144; + out1[46] = x146; + out1[47] = x148; + out1[48] = x150; + out1[49] = x152; + out1[50] = x154; + out1[51] = x157; + out1[52] = x159; + out1[53] = x161; + out1[54] = x163; + out1[55] = x165; + out1[56] = x167; + out1[57] = x170; + out1[58] = x172; + out1[59] = x174; + out1[60] = x176; + out1[61] = x178; + out1[62] = x180; out1[63] = x181; } @@ -1736,7 +1753,7 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_to_bytes( * Input Bounds: * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] * Output Bounds: - * out1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * out1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_from_bytes( uint64_t out1[10], const uint8_t arg1[64]) { @@ -1805,40 +1822,83 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_from_bytes( uint64_t x63; uint8_t x64; uint64_t x65; - uint8_t x66; + uint64_t x66; uint64_t x67; uint64_t x68; uint64_t x69; uint64_t x70; uint64_t x71; - uint64_t x72; + uint8_t x72; uint64_t x73; uint64_t x74; uint64_t x75; uint64_t x76; uint64_t x77; - fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1 x78; + uint64_t x78; uint64_t x79; - uint64_t x80; - uint8_t x81; + fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1 x80; + uint64_t x81; uint64_t x82; uint64_t x83; - uint8_t x84; + uint64_t x84; uint64_t x85; uint64_t x86; uint64_t x87; - uint8_t x88; - uint64_t x89; + uint64_t x88; + uint8_t x89; uint64_t x90; - fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1 x91; + uint64_t x91; uint64_t x92; uint64_t x93; - uint8_t x94; + uint64_t x94; uint64_t x95; uint64_t x96; uint8_t x97; uint64_t x98; uint64_t x99; + uint64_t x100; + uint64_t x101; + uint64_t x102; + uint64_t x103; + uint64_t x104; + uint64_t x105; + uint64_t x106; + uint64_t x107; + uint64_t x108; + uint64_t x109; + uint64_t x110; + uint8_t x111; + uint64_t x112; + uint64_t x113; + uint64_t x114; + uint64_t x115; + uint64_t x116; + uint64_t x117; + uint64_t x118; + fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1 x119; + uint64_t x120; + uint64_t x121; + uint64_t x122; + uint64_t x123; + uint64_t x124; + uint64_t x125; + uint64_t x126; + uint64_t x127; + uint8_t x128; + uint64_t x129; + uint64_t x130; + uint64_t x131; + uint64_t x132; + uint64_t x133; + uint64_t x134; + uint64_t x135; + uint8_t x136; + uint64_t x137; + uint64_t x138; + uint64_t x139; + uint64_t x140; + uint64_t x141; + uint64_t x142; x1 = ((uint64_t)(arg1[63]) << 43); x2 = ((uint64_t)(arg1[62]) << 35); x3 = ((uint64_t)(arg1[61]) << 27); @@ -1903,51 +1963,94 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_from_bytes( x62 = ((uint64_t)(arg1[2]) << 16); x63 = ((uint64_t)(arg1[1]) << 8); x64 = (arg1[0]); - x65 = (x64 + (x63 + (x62 + (x61 + (x60 + (x59 + x58)))))); - x66 = (uint8_t)(x65 >> 52); - x67 = (x65 & UINT64_C(0xfffffffffffff)); - x68 = (x6 + (x5 + (x4 + (x3 + (x2 + x1))))); - x69 = (x12 + (x11 + (x10 + (x9 + (x8 + x7))))); - x70 = (x19 + (x18 + (x17 + (x16 + (x15 + (x14 + x13)))))); - x71 = (x25 + (x24 + (x23 + (x22 + (x21 + x20))))); - x72 = (x32 + (x31 + (x30 + (x29 + (x28 + (x27 + x26)))))); - x73 = (x38 + (x37 + (x36 + (x35 + (x34 + x33))))); - x74 = (x44 + (x43 + (x42 + (x41 + (x40 + x39))))); - x75 = (x51 + (x50 + (x49 + (x48 + (x47 + (x46 + x45)))))); - x76 = (x57 + (x56 + (x55 + (x54 + (x53 + x52))))); - x77 = (x66 + x76); - x78 = (fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1)(x77 >> 51); - x79 = (x77 & UINT64_C(0x7ffffffffffff)); - x80 = (x78 + x75); - x81 = (uint8_t)(x80 >> 51); - x82 = (x80 & UINT64_C(0x7ffffffffffff)); - x83 = (x81 + x74); - x84 = (uint8_t)(x83 >> 51); - x85 = (x83 & UINT64_C(0x7ffffffffffff)); - x86 = (x84 + x73); - x87 = (x86 & UINT64_C(0x7ffffffffffff)); - x88 = (uint8_t)(x72 >> 52); - x89 = (x72 & UINT64_C(0xfffffffffffff)); - x90 = (x88 + x71); - x91 = (fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1)(x90 >> 51); - x92 = (x90 & UINT64_C(0x7ffffffffffff)); - x93 = (x91 + x70); - x94 = (uint8_t)(x93 >> 51); - x95 = (x93 & UINT64_C(0x7ffffffffffff)); - x96 = (x94 + x69); - x97 = (uint8_t)(x96 >> 51); - x98 = (x96 & UINT64_C(0x7ffffffffffff)); - x99 = (x97 + x68); - out1[0] = x67; + x65 = (x63 + (uint64_t)x64); + x66 = (x62 + x65); + x67 = (x61 + x66); + x68 = (x60 + x67); + x69 = (x59 + x68); + x70 = (x58 + x69); + x71 = (x70 & UINT64_C(0xfffffffffffff)); + x72 = (uint8_t)(x70 >> 52); + x73 = (x57 + (uint64_t)x72); + x74 = (x56 + x73); + x75 = (x55 + x74); + x76 = (x54 + x75); + x77 = (x53 + x76); + x78 = (x52 + x77); + x79 = (x78 & UINT64_C(0x7ffffffffffff)); + x80 = (fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1)(x78 >> 51); + x81 = (x51 + (uint64_t)x80); + x82 = (x50 + x81); + x83 = (x49 + x82); + x84 = (x48 + x83); + x85 = (x47 + x84); + x86 = (x46 + x85); + x87 = (x45 + x86); + x88 = (x87 & UINT64_C(0x7ffffffffffff)); + x89 = (uint8_t)(x87 >> 51); + x90 = (x44 + (uint64_t)x89); + x91 = (x43 + x90); + x92 = (x42 + x91); + x93 = (x41 + x92); + x94 = (x40 + x93); + x95 = (x39 + x94); + x96 = (x95 & UINT64_C(0x7ffffffffffff)); + x97 = (uint8_t)(x95 >> 51); + x98 = (x38 + (uint64_t)x97); + x99 = (x37 + x98); + x100 = (x36 + x99); + x101 = (x35 + x100); + x102 = (x34 + x101); + x103 = (x33 + x102); + x104 = (x31 + (uint64_t)x32); + x105 = (x30 + x104); + x106 = (x29 + x105); + x107 = (x28 + x106); + x108 = (x27 + x107); + x109 = (x26 + x108); + x110 = (x109 & UINT64_C(0xfffffffffffff)); + x111 = (uint8_t)(x109 >> 52); + x112 = (x25 + (uint64_t)x111); + x113 = (x24 + x112); + x114 = (x23 + x113); + x115 = (x22 + x114); + x116 = (x21 + x115); + x117 = (x20 + x116); + x118 = (x117 & UINT64_C(0x7ffffffffffff)); + x119 = (fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1)(x117 >> 51); + x120 = (x19 + (uint64_t)x119); + x121 = (x18 + x120); + x122 = (x17 + x121); + x123 = (x16 + x122); + x124 = (x15 + x123); + x125 = (x14 + x124); + x126 = (x13 + x125); + x127 = (x126 & UINT64_C(0x7ffffffffffff)); + x128 = (uint8_t)(x126 >> 51); + x129 = (x12 + (uint64_t)x128); + x130 = (x11 + x129); + x131 = (x10 + x130); + x132 = (x9 + x131); + x133 = (x8 + x132); + x134 = (x7 + x133); + x135 = (x134 & UINT64_C(0x7ffffffffffff)); + x136 = (uint8_t)(x134 >> 51); + x137 = (x6 + (uint64_t)x136); + x138 = (x5 + x137); + x139 = (x4 + x138); + x140 = (x3 + x139); + x141 = (x2 + x140); + x142 = (x1 + x141); + out1[0] = x71; out1[1] = x79; - out1[2] = x82; - out1[3] = x85; - out1[4] = x87; - out1[5] = x89; - out1[6] = x92; - out1[7] = x95; - out1[8] = x98; - out1[9] = x99; + out1[2] = x88; + out1[3] = x96; + out1[4] = x103; + out1[5] = x110; + out1[6] = x118; + out1[7] = x127; + out1[8] = x135; + out1[9] = x142; } /* END verbatim fiat code */ @@ -4277,7 +4380,7 @@ static void scalar_wnaf(int8_t out[513], const unsigned char in[64]) { } /*- - * Simulateous scalar multiplication: interleaved "textbook" wnaf. + * Simultaneous scalar multiplication: interleaved "textbook" wnaf. * NB: not constant time */ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[64], @@ -4285,7 +4388,7 @@ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[64], int i, d, is_neg, is_inf = 1, flipped = 0; int8_t anaf[513] = {0}; int8_t bnaf[513] = {0}; - pt_prj_t Q; + pt_prj_t Q = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -4351,7 +4454,7 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[64], const pt_aff_t *P) { int i, j, d, diff, is_neg; int8_t rnaf[103] = {0}; - pt_prj_t Q, lut; + pt_prj_t Q = {0}, lut = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -4427,8 +4530,8 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[64], static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[64]) { int i, j, k, d, diff, is_neg = 0; int8_t rnaf[103] = {0}; - pt_prj_t Q, R; - pt_aff_t lut; + pt_prj_t Q = {0}, R = {0}; + pt_aff_t lut = {0}; scalar_rwnaf(rnaf, scalar); @@ -4489,6 +4592,12 @@ static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[64]) { fiat_id_tc26_gost_3410_2012_512_paramSetA_carry_mul(out->Y, Q.Y, Q.Z); } +/*- + * Wrapper: simultaneous scalar mutiplication. + * outx, outy := a * G + b * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul_two(unsigned char outx[64], unsigned char outy[64], const unsigned char a[64], const unsigned char b[64], const unsigned char inx[64], @@ -4504,6 +4613,11 @@ static void point_mul_two(unsigned char outx[64], unsigned char outy[64], fiat_id_tc26_gost_3410_2012_512_paramSetA_to_bytes(outy, P.Y); } +/*- + * Wrapper: fixed scalar mutiplication. + * outx, outy := scalar * G + * Everything is LE byte ordering. + */ static void point_mul_g(unsigned char outx[64], unsigned char outy[64], const unsigned char scalar[64]) { pt_aff_t P; @@ -4514,6 +4628,12 @@ static void point_mul_g(unsigned char outx[64], unsigned char outy[64], fiat_id_tc26_gost_3410_2012_512_paramSetA_to_bytes(outy, P.Y); } +/*- + * Wrapper: variable point scalar mutiplication. + * outx, outy := scalar * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul(unsigned char outx[64], unsigned char outy[64], const unsigned char scalar[64], const unsigned char inx[64], @@ -4531,8 +4651,13 @@ static void point_mul(unsigned char outx[64], unsigned char outy[64], #include +/* the zero field element */ static const unsigned char const_zb[64] = {0}; +/*- + * An OpenSSL wrapper for simultaneous scalar multiplication. + * r := n * G + m * q + */ int point_mul_two_id_tc26_gost_3410_2012_512_paramSetA( const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, @@ -4571,6 +4696,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for variable point scalar multiplication. + * r := m * q + */ int point_mul_id_tc26_gost_3410_2012_512_paramSetA(const EC_GROUP *group, EC_POINT *r, @@ -4610,6 +4739,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for fixed scalar multiplication. + * r := n * G + */ int point_mul_g_id_tc26_gost_3410_2012_512_paramSetA(const EC_GROUP *group, EC_POINT *r, @@ -4656,6 +4789,10 @@ err: typedef uint32_t fe_t[LIMB_CNT]; typedef uint32_t limb_t; +#ifdef OPENSSL_NO_ASM +#define FIAT_ID_TC26_GOST_3410_2012_512_PARAMSETA_NO_ASM +#endif + #define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) #define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) @@ -4704,18 +4841,19 @@ typedef struct { * SOFTWARE. */ -/* Autogenerated: unsaturated_solinas --static id_tc26_gost_3410_2012_512_paramSetA 32 '(auto)' '2^512 - 569' */ +/* Autogenerated: unsaturated_solinas --static --use-value-barrier id_tc26_gost_3410_2012_512_paramSetA 32 '(auto)' '2^512 - 569' */ /* curve description: id_tc26_gost_3410_2012_512_paramSetA */ /* machine_wordsize = 32 (from "32") */ /* requested operations: (all) */ /* n = 23 (from "(auto)") */ /* s-c = 2^512 - [(1, 569)] (from "2^512 - 569") */ -/* tight_bounds_multiplier = 1.1 (from "") */ +/* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ /* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 0, 1] */ /* eval z = z[0] + (z[1] << 23) + (z[2] << 45) + (z[3] << 67) + (z[4] << 90) + (z[5] << 112) + (z[6] << 134) + (z[7] << 156) + (z[8] << 179) + (z[9] << 201) + (z[10] << 223) + (z[11] << 245) + (z[12] << 0x10c) + (z[13] << 0x122) + (z[14] << 0x138) + (z[15] << 0x14e) + (z[16] << 0x165) + (z[17] << 0x17b) + (z[18] << 0x191) + (z[19] << 0x1a7) + (z[20] << 0x1be) + (z[21] << 0x1d4) + (z[22] << 0x1ea) */ /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) */ +/* balance = [0xfffb8e, 0x7ffffe, 0x7ffffe, 0xfffffe, 0x7ffffe, 0x7ffffe, 0x7ffffe, 0xfffffe, 0x7ffffe, 0x7ffffe, 0x7ffffe, 0xfffffe, 0x7ffffe, 0x7ffffe, 0x7ffffe, 0xfffffe, 0x7ffffe, 0x7ffffe, 0x7ffffe, 0xfffffe, 0x7ffffe, 0x7ffffe, 0x7ffffe] */ #include typedef unsigned char fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1; @@ -4725,6 +4863,17 @@ typedef signed char fiat_id_tc26_gost_3410_2012_512_paramSetA_int1; #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_ID_TC26_GOST_3410_2012_512_PARAMSETA_NO_ASM) && \ + (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint32_t +fiat_id_tc26_gost_3410_2012_512_paramSetA_value_barrier_u32(uint32_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +#define fiat_id_tc26_gost_3410_2012_512_paramSetA_value_barrier_u32(x) (x) +#endif + /* * The function fiat_id_tc26_gost_3410_2012_512_paramSetA_addcarryx_u22 is an addition with carry. * Postconditions: @@ -4858,7 +5007,10 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_cmovznz_u32( x1 = (!(!arg1)); x2 = ((fiat_id_tc26_gost_3410_2012_512_paramSetA_int1)(0x0 - x1) & UINT32_C(0xffffffff)); - x3 = ((x2 & arg3) | ((~x2) & arg2)); + x3 = ((fiat_id_tc26_gost_3410_2012_512_paramSetA_value_barrier_u32(x2) & + arg3) | + (fiat_id_tc26_gost_3410_2012_512_paramSetA_value_barrier_u32((~x2)) & + arg2)); *out1 = x3; } @@ -4868,10 +5020,10 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_cmovznz_u32( * eval out1 mod m = (eval arg1 * eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332]] - * arg2: [[0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332]] + * arg1: [[0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000]] + * arg2: [[0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000]] * Output Bounds: - * out1: [[0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666]] + * out1: [[0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_carry_mul( uint32_t out1[23], const uint32_t arg1[23], const uint32_t arg2[23]) { @@ -6600,9 +6752,9 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_carry_mul( * eval out1 mod m = (eval arg1 * eval arg1) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332]] + * arg1: [[0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000]] * Output Bounds: - * out1: [[0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666]] + * out1: [[0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_carry_square( uint32_t out1[23], const uint32_t arg1[23]) { @@ -7590,9 +7742,9 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_carry_square( * eval out1 mod m = eval arg1 mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332]] + * arg1: [[0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000]] * Output Bounds: - * out1: [[0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666]] + * out1: [[0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_carry( uint32_t out1[23], const uint32_t arg1[23]) { @@ -7725,10 +7877,10 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_carry( * eval out1 mod m = (eval arg1 + eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666]] - * arg2: [[0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666]] + * arg1: [[0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000]] + * arg2: [[0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000]] * Output Bounds: - * out1: [[0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332]] + * out1: [[0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_add( uint32_t out1[23], const uint32_t arg1[23], const uint32_t arg2[23]) { @@ -7809,10 +7961,10 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_add( * eval out1 mod m = (eval arg1 - eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666]] - * arg2: [[0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666]] + * arg1: [[0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000]] + * arg2: [[0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000]] * Output Bounds: - * out1: [[0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332]] + * out1: [[0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_sub( uint32_t out1[23], const uint32_t arg1[23], const uint32_t arg2[23]) { @@ -7893,9 +8045,9 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_sub( * eval out1 mod m = -eval arg1 mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666]] + * arg1: [[0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000]] * Output Bounds: - * out1: [[0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332]] + * out1: [[0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_opp( uint32_t out1[23], const uint32_t arg1[23]) { @@ -8085,7 +8237,7 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_selectznz( * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..63] * * Input Bounds: - * arg1: [[0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666]] + * arg1: [[0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000]] * Output Bounds: * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] */ @@ -8204,150 +8356,148 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_to_bytes( uint32_t x111; uint32_t x112; uint32_t x113; - uint32_t x114; - uint8_t x115; + uint8_t x114; + uint32_t x115; uint8_t x116; uint8_t x117; uint32_t x118; - uint32_t x119; - uint8_t x120; - uint32_t x121; - uint8_t x122; + uint8_t x119; + uint32_t x120; + uint8_t x121; + uint32_t x122; uint8_t x123; uint8_t x124; uint32_t x125; - uint32_t x126; - uint8_t x127; - uint32_t x128; - uint8_t x129; + uint8_t x126; + uint32_t x127; + uint8_t x128; + uint32_t x129; uint8_t x130; uint8_t x131; uint32_t x132; - uint32_t x133; - uint8_t x134; - uint32_t x135; - uint8_t x136; + uint8_t x133; + uint32_t x134; + uint8_t x135; + uint32_t x136; uint8_t x137; uint8_t x138; uint32_t x139; - uint32_t x140; - uint8_t x141; + uint8_t x140; + uint32_t x141; uint8_t x142; uint8_t x143; uint8_t x144; uint32_t x145; uint8_t x146; uint8_t x147; - uint8_t x148; - uint32_t x149; + uint32_t x148; + uint8_t x149; uint32_t x150; uint8_t x151; uint32_t x152; uint8_t x153; uint8_t x154; - uint8_t x155; - uint32_t x156; + uint32_t x155; + uint8_t x156; uint32_t x157; uint8_t x158; uint32_t x159; uint8_t x160; uint8_t x161; - uint8_t x162; - uint32_t x163; + uint32_t x162; + uint8_t x163; uint32_t x164; uint8_t x165; uint32_t x166; uint8_t x167; fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1 x168; - uint8_t x169; - uint32_t x170; + uint32_t x169; + uint8_t x170; uint32_t x171; uint8_t x172; uint8_t x173; - uint8_t x174; - uint32_t x175; + uint32_t x174; + uint8_t x175; uint32_t x176; uint8_t x177; uint32_t x178; uint8_t x179; uint8_t x180; - uint8_t x181; - uint32_t x182; + uint32_t x181; + uint8_t x182; uint32_t x183; uint8_t x184; uint32_t x185; uint8_t x186; uint8_t x187; - uint8_t x188; - uint32_t x189; + uint32_t x188; + uint8_t x189; uint32_t x190; uint8_t x191; uint32_t x192; uint8_t x193; uint8_t x194; - uint8_t x195; - uint32_t x196; + uint32_t x195; + uint8_t x196; uint32_t x197; uint8_t x198; uint8_t x199; uint8_t x200; - uint8_t x201; - uint32_t x202; + uint32_t x201; + uint8_t x202; uint8_t x203; - uint8_t x204; + uint32_t x204; uint8_t x205; uint32_t x206; - uint32_t x207; - uint8_t x208; - uint32_t x209; + uint8_t x207; + uint32_t x208; + uint8_t x209; uint8_t x210; - uint8_t x211; + uint32_t x211; uint8_t x212; uint32_t x213; - uint32_t x214; - uint8_t x215; - uint32_t x216; + uint8_t x214; + uint32_t x215; + uint8_t x216; uint8_t x217; - uint8_t x218; + uint32_t x218; uint8_t x219; uint32_t x220; - uint32_t x221; - uint8_t x222; - uint32_t x223; - uint8_t x224; - fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1 x225; + uint8_t x221; + uint32_t x222; + uint8_t x223; + fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1 x224; + uint32_t x225; uint8_t x226; uint32_t x227; - uint32_t x228; + uint8_t x228; uint8_t x229; - uint8_t x230; + uint32_t x230; uint8_t x231; uint32_t x232; - uint32_t x233; - uint8_t x234; - uint32_t x235; + uint8_t x233; + uint32_t x234; + uint8_t x235; uint8_t x236; - uint8_t x237; + uint32_t x237; uint8_t x238; uint32_t x239; - uint32_t x240; - uint8_t x241; - uint32_t x242; + uint8_t x240; + uint32_t x241; + uint8_t x242; uint8_t x243; - uint8_t x244; + uint32_t x244; uint8_t x245; uint32_t x246; - uint32_t x247; - uint8_t x248; - uint32_t x249; + uint8_t x247; + uint32_t x248; + uint8_t x249; uint8_t x250; - uint8_t x251; + uint32_t x251; uint8_t x252; uint32_t x253; - uint32_t x254; + uint8_t x254; uint8_t x255; - uint8_t x256; - uint8_t x257; fiat_id_tc26_gost_3410_2012_512_paramSetA_subborrowx_u23( &x1, &x2, 0x0, (arg1[0]), UINT32_C(0x7ffdc7)); fiat_id_tc26_gost_3410_2012_512_paramSetA_subborrowx_u22( @@ -8462,214 +8612,212 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_to_bytes( x111 = (x54 << 3); x112 = (x52 << 5); x113 = (x50 << 7); - x114 = (x48 >> 8); - x115 = (uint8_t)(x48 & UINT8_C(0xff)); - x116 = (uint8_t)(x114 >> 8); - x117 = (uint8_t)(x114 & UINT8_C(0xff)); - x118 = (x116 + x113); - x119 = (x118 >> 8); - x120 = (uint8_t)(x118 & UINT8_C(0xff)); - x121 = (x119 >> 8); - x122 = (uint8_t)(x119 & UINT8_C(0xff)); - x123 = (uint8_t)(x121 >> 8); - x124 = (uint8_t)(x121 & UINT8_C(0xff)); - x125 = (x123 + x112); - x126 = (x125 >> 8); - x127 = (uint8_t)(x125 & UINT8_C(0xff)); - x128 = (x126 >> 8); - x129 = (uint8_t)(x126 & UINT8_C(0xff)); - x130 = (uint8_t)(x128 >> 8); - x131 = (uint8_t)(x128 & UINT8_C(0xff)); - x132 = (x130 + x111); - x133 = (x132 >> 8); - x134 = (uint8_t)(x132 & UINT8_C(0xff)); - x135 = (x133 >> 8); - x136 = (uint8_t)(x133 & UINT8_C(0xff)); - x137 = (uint8_t)(x135 >> 8); - x138 = (uint8_t)(x135 & UINT8_C(0xff)); - x139 = (x137 + x110); - x140 = (x139 >> 8); - x141 = (uint8_t)(x139 & UINT8_C(0xff)); - x142 = (uint8_t)(x140 >> 8); - x143 = (uint8_t)(x140 & UINT8_C(0xff)); - x144 = (uint8_t)(x142 & UINT8_C(0xff)); + x114 = (uint8_t)(x48 & UINT8_C(0xff)); + x115 = (x48 >> 8); + x116 = (uint8_t)(x115 & UINT8_C(0xff)); + x117 = (uint8_t)(x115 >> 8); + x118 = (x113 + (uint32_t)x117); + x119 = (uint8_t)(x118 & UINT8_C(0xff)); + x120 = (x118 >> 8); + x121 = (uint8_t)(x120 & UINT8_C(0xff)); + x122 = (x120 >> 8); + x123 = (uint8_t)(x122 & UINT8_C(0xff)); + x124 = (uint8_t)(x122 >> 8); + x125 = (x112 + (uint32_t)x124); + x126 = (uint8_t)(x125 & UINT8_C(0xff)); + x127 = (x125 >> 8); + x128 = (uint8_t)(x127 & UINT8_C(0xff)); + x129 = (x127 >> 8); + x130 = (uint8_t)(x129 & UINT8_C(0xff)); + x131 = (uint8_t)(x129 >> 8); + x132 = (x111 + (uint32_t)x131); + x133 = (uint8_t)(x132 & UINT8_C(0xff)); + x134 = (x132 >> 8); + x135 = (uint8_t)(x134 & UINT8_C(0xff)); + x136 = (x134 >> 8); + x137 = (uint8_t)(x136 & UINT8_C(0xff)); + x138 = (uint8_t)(x136 >> 8); + x139 = (x110 + (uint32_t)x138); + x140 = (uint8_t)(x139 & UINT8_C(0xff)); + x141 = (x139 >> 8); + x142 = (uint8_t)(x141 & UINT8_C(0xff)); + x143 = (uint8_t)(x141 >> 8); + x144 = (uint8_t)(x58 & UINT8_C(0xff)); x145 = (x58 >> 8); - x146 = (uint8_t)(x58 & UINT8_C(0xff)); + x146 = (uint8_t)(x145 & UINT8_C(0xff)); x147 = (uint8_t)(x145 >> 8); - x148 = (uint8_t)(x145 & UINT8_C(0xff)); - x149 = (x147 + x109); - x150 = (x149 >> 8); - x151 = (uint8_t)(x149 & UINT8_C(0xff)); + x148 = (x109 + (uint32_t)x147); + x149 = (uint8_t)(x148 & UINT8_C(0xff)); + x150 = (x148 >> 8); + x151 = (uint8_t)(x150 & UINT8_C(0xff)); x152 = (x150 >> 8); - x153 = (uint8_t)(x150 & UINT8_C(0xff)); + x153 = (uint8_t)(x152 & UINT8_C(0xff)); x154 = (uint8_t)(x152 >> 8); - x155 = (uint8_t)(x152 & UINT8_C(0xff)); - x156 = (x154 + x108); - x157 = (x156 >> 8); - x158 = (uint8_t)(x156 & UINT8_C(0xff)); + x155 = (x108 + (uint32_t)x154); + x156 = (uint8_t)(x155 & UINT8_C(0xff)); + x157 = (x155 >> 8); + x158 = (uint8_t)(x157 & UINT8_C(0xff)); x159 = (x157 >> 8); - x160 = (uint8_t)(x157 & UINT8_C(0xff)); + x160 = (uint8_t)(x159 & UINT8_C(0xff)); x161 = (uint8_t)(x159 >> 8); - x162 = (uint8_t)(x159 & UINT8_C(0xff)); - x163 = (x161 + x107); - x164 = (x163 >> 8); - x165 = (uint8_t)(x163 & UINT8_C(0xff)); + x162 = (x107 + (uint32_t)x161); + x163 = (uint8_t)(x162 & UINT8_C(0xff)); + x164 = (x162 >> 8); + x165 = (uint8_t)(x164 & UINT8_C(0xff)); x166 = (x164 >> 8); - x167 = (uint8_t)(x164 & UINT8_C(0xff)); + x167 = (uint8_t)(x166 & UINT8_C(0xff)); x168 = (fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1)(x166 >> 8); - x169 = (uint8_t)(x166 & UINT8_C(0xff)); - x170 = (x168 + x106); - x171 = (x170 >> 8); - x172 = (uint8_t)(x170 & UINT8_C(0xff)); + x169 = (x106 + (uint32_t)x168); + x170 = (uint8_t)(x169 & UINT8_C(0xff)); + x171 = (x169 >> 8); + x172 = (uint8_t)(x171 & UINT8_C(0xff)); x173 = (uint8_t)(x171 >> 8); - x174 = (uint8_t)(x171 & UINT8_C(0xff)); - x175 = (x173 + x105); - x176 = (x175 >> 8); - x177 = (uint8_t)(x175 & UINT8_C(0xff)); + x174 = (x105 + (uint32_t)x173); + x175 = (uint8_t)(x174 & UINT8_C(0xff)); + x176 = (x174 >> 8); + x177 = (uint8_t)(x176 & UINT8_C(0xff)); x178 = (x176 >> 8); - x179 = (uint8_t)(x176 & UINT8_C(0xff)); + x179 = (uint8_t)(x178 & UINT8_C(0xff)); x180 = (uint8_t)(x178 >> 8); - x181 = (uint8_t)(x178 & UINT8_C(0xff)); - x182 = (x180 + x104); - x183 = (x182 >> 8); - x184 = (uint8_t)(x182 & UINT8_C(0xff)); + x181 = (x104 + (uint32_t)x180); + x182 = (uint8_t)(x181 & UINT8_C(0xff)); + x183 = (x181 >> 8); + x184 = (uint8_t)(x183 & UINT8_C(0xff)); x185 = (x183 >> 8); - x186 = (uint8_t)(x183 & UINT8_C(0xff)); + x186 = (uint8_t)(x185 & UINT8_C(0xff)); x187 = (uint8_t)(x185 >> 8); - x188 = (uint8_t)(x185 & UINT8_C(0xff)); - x189 = (x187 + x103); - x190 = (x189 >> 8); - x191 = (uint8_t)(x189 & UINT8_C(0xff)); + x188 = (x103 + (uint32_t)x187); + x189 = (uint8_t)(x188 & UINT8_C(0xff)); + x190 = (x188 >> 8); + x191 = (uint8_t)(x190 & UINT8_C(0xff)); x192 = (x190 >> 8); - x193 = (uint8_t)(x190 & UINT8_C(0xff)); + x193 = (uint8_t)(x192 & UINT8_C(0xff)); x194 = (uint8_t)(x192 >> 8); - x195 = (uint8_t)(x192 & UINT8_C(0xff)); - x196 = (x194 + x102); - x197 = (x196 >> 8); - x198 = (uint8_t)(x196 & UINT8_C(0xff)); + x195 = (x102 + (uint32_t)x194); + x196 = (uint8_t)(x195 & UINT8_C(0xff)); + x197 = (x195 >> 8); + x198 = (uint8_t)(x197 & UINT8_C(0xff)); x199 = (uint8_t)(x197 >> 8); - x200 = (uint8_t)(x197 & UINT8_C(0xff)); - x201 = (uint8_t)(x199 & UINT8_C(0xff)); - x202 = (x76 >> 8); - x203 = (uint8_t)(x76 & UINT8_C(0xff)); - x204 = (uint8_t)(x202 >> 8); - x205 = (uint8_t)(x202 & UINT8_C(0xff)); - x206 = (x204 + x101); - x207 = (x206 >> 8); - x208 = (uint8_t)(x206 & UINT8_C(0xff)); - x209 = (x207 >> 8); - x210 = (uint8_t)(x207 & UINT8_C(0xff)); - x211 = (uint8_t)(x209 >> 8); - x212 = (uint8_t)(x209 & UINT8_C(0xff)); - x213 = (x211 + x100); - x214 = (x213 >> 8); - x215 = (uint8_t)(x213 & UINT8_C(0xff)); - x216 = (x214 >> 8); - x217 = (uint8_t)(x214 & UINT8_C(0xff)); - x218 = (uint8_t)(x216 >> 8); - x219 = (uint8_t)(x216 & UINT8_C(0xff)); - x220 = (x218 + x99); - x221 = (x220 >> 8); - x222 = (uint8_t)(x220 & UINT8_C(0xff)); - x223 = (x221 >> 8); - x224 = (uint8_t)(x221 & UINT8_C(0xff)); - x225 = (fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1)(x223 >> 8); - x226 = (uint8_t)(x223 & UINT8_C(0xff)); - x227 = (x225 + x98); - x228 = (x227 >> 8); - x229 = (uint8_t)(x227 & UINT8_C(0xff)); - x230 = (uint8_t)(x228 >> 8); - x231 = (uint8_t)(x228 & UINT8_C(0xff)); - x232 = (x230 + x97); - x233 = (x232 >> 8); - x234 = (uint8_t)(x232 & UINT8_C(0xff)); - x235 = (x233 >> 8); - x236 = (uint8_t)(x233 & UINT8_C(0xff)); - x237 = (uint8_t)(x235 >> 8); - x238 = (uint8_t)(x235 & UINT8_C(0xff)); - x239 = (x237 + x96); - x240 = (x239 >> 8); - x241 = (uint8_t)(x239 & UINT8_C(0xff)); - x242 = (x240 >> 8); - x243 = (uint8_t)(x240 & UINT8_C(0xff)); - x244 = (uint8_t)(x242 >> 8); - x245 = (uint8_t)(x242 & UINT8_C(0xff)); - x246 = (x244 + x95); - x247 = (x246 >> 8); - x248 = (uint8_t)(x246 & UINT8_C(0xff)); - x249 = (x247 >> 8); - x250 = (uint8_t)(x247 & UINT8_C(0xff)); - x251 = (uint8_t)(x249 >> 8); - x252 = (uint8_t)(x249 & UINT8_C(0xff)); - x253 = (x251 + x94); - x254 = (x253 >> 8); - x255 = (uint8_t)(x253 & UINT8_C(0xff)); - x256 = (uint8_t)(x254 >> 8); - x257 = (uint8_t)(x254 & UINT8_C(0xff)); - out1[0] = x115; - out1[1] = x117; - out1[2] = x120; - out1[3] = x122; - out1[4] = x124; - out1[5] = x127; - out1[6] = x129; - out1[7] = x131; - out1[8] = x134; - out1[9] = x136; - out1[10] = x138; - out1[11] = x141; - out1[12] = x143; - out1[13] = x144; - out1[14] = x146; - out1[15] = x148; - out1[16] = x151; - out1[17] = x153; - out1[18] = x155; - out1[19] = x158; - out1[20] = x160; - out1[21] = x162; - out1[22] = x165; - out1[23] = x167; - out1[24] = x169; - out1[25] = x172; - out1[26] = x174; - out1[27] = x177; - out1[28] = x179; - out1[29] = x181; - out1[30] = x184; - out1[31] = x186; - out1[32] = x188; - out1[33] = x191; - out1[34] = x193; - out1[35] = x195; - out1[36] = x198; - out1[37] = x200; - out1[38] = x201; - out1[39] = x203; - out1[40] = x205; - out1[41] = x208; - out1[42] = x210; - out1[43] = x212; - out1[44] = x215; - out1[45] = x217; - out1[46] = x219; - out1[47] = x222; - out1[48] = x224; - out1[49] = x226; - out1[50] = x229; - out1[51] = x231; - out1[52] = x234; - out1[53] = x236; - out1[54] = x238; - out1[55] = x241; - out1[56] = x243; - out1[57] = x245; - out1[58] = x248; - out1[59] = x250; - out1[60] = x252; - out1[61] = x255; - out1[62] = x257; - out1[63] = x256; + x200 = (uint8_t)(x76 & UINT8_C(0xff)); + x201 = (x76 >> 8); + x202 = (uint8_t)(x201 & UINT8_C(0xff)); + x203 = (uint8_t)(x201 >> 8); + x204 = (x101 + (uint32_t)x203); + x205 = (uint8_t)(x204 & UINT8_C(0xff)); + x206 = (x204 >> 8); + x207 = (uint8_t)(x206 & UINT8_C(0xff)); + x208 = (x206 >> 8); + x209 = (uint8_t)(x208 & UINT8_C(0xff)); + x210 = (uint8_t)(x208 >> 8); + x211 = (x100 + (uint32_t)x210); + x212 = (uint8_t)(x211 & UINT8_C(0xff)); + x213 = (x211 >> 8); + x214 = (uint8_t)(x213 & UINT8_C(0xff)); + x215 = (x213 >> 8); + x216 = (uint8_t)(x215 & UINT8_C(0xff)); + x217 = (uint8_t)(x215 >> 8); + x218 = (x99 + (uint32_t)x217); + x219 = (uint8_t)(x218 & UINT8_C(0xff)); + x220 = (x218 >> 8); + x221 = (uint8_t)(x220 & UINT8_C(0xff)); + x222 = (x220 >> 8); + x223 = (uint8_t)(x222 & UINT8_C(0xff)); + x224 = (fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1)(x222 >> 8); + x225 = (x98 + (uint32_t)x224); + x226 = (uint8_t)(x225 & UINT8_C(0xff)); + x227 = (x225 >> 8); + x228 = (uint8_t)(x227 & UINT8_C(0xff)); + x229 = (uint8_t)(x227 >> 8); + x230 = (x97 + (uint32_t)x229); + x231 = (uint8_t)(x230 & UINT8_C(0xff)); + x232 = (x230 >> 8); + x233 = (uint8_t)(x232 & UINT8_C(0xff)); + x234 = (x232 >> 8); + x235 = (uint8_t)(x234 & UINT8_C(0xff)); + x236 = (uint8_t)(x234 >> 8); + x237 = (x96 + (uint32_t)x236); + x238 = (uint8_t)(x237 & UINT8_C(0xff)); + x239 = (x237 >> 8); + x240 = (uint8_t)(x239 & UINT8_C(0xff)); + x241 = (x239 >> 8); + x242 = (uint8_t)(x241 & UINT8_C(0xff)); + x243 = (uint8_t)(x241 >> 8); + x244 = (x95 + (uint32_t)x243); + x245 = (uint8_t)(x244 & UINT8_C(0xff)); + x246 = (x244 >> 8); + x247 = (uint8_t)(x246 & UINT8_C(0xff)); + x248 = (x246 >> 8); + x249 = (uint8_t)(x248 & UINT8_C(0xff)); + x250 = (uint8_t)(x248 >> 8); + x251 = (x94 + (uint32_t)x250); + x252 = (uint8_t)(x251 & UINT8_C(0xff)); + x253 = (x251 >> 8); + x254 = (uint8_t)(x253 & UINT8_C(0xff)); + x255 = (uint8_t)(x253 >> 8); + out1[0] = x114; + out1[1] = x116; + out1[2] = x119; + out1[3] = x121; + out1[4] = x123; + out1[5] = x126; + out1[6] = x128; + out1[7] = x130; + out1[8] = x133; + out1[9] = x135; + out1[10] = x137; + out1[11] = x140; + out1[12] = x142; + out1[13] = x143; + out1[14] = x144; + out1[15] = x146; + out1[16] = x149; + out1[17] = x151; + out1[18] = x153; + out1[19] = x156; + out1[20] = x158; + out1[21] = x160; + out1[22] = x163; + out1[23] = x165; + out1[24] = x167; + out1[25] = x170; + out1[26] = x172; + out1[27] = x175; + out1[28] = x177; + out1[29] = x179; + out1[30] = x182; + out1[31] = x184; + out1[32] = x186; + out1[33] = x189; + out1[34] = x191; + out1[35] = x193; + out1[36] = x196; + out1[37] = x198; + out1[38] = x199; + out1[39] = x200; + out1[40] = x202; + out1[41] = x205; + out1[42] = x207; + out1[43] = x209; + out1[44] = x212; + out1[45] = x214; + out1[46] = x216; + out1[47] = x219; + out1[48] = x221; + out1[49] = x223; + out1[50] = x226; + out1[51] = x228; + out1[52] = x231; + out1[53] = x233; + out1[54] = x235; + out1[55] = x238; + out1[56] = x240; + out1[57] = x242; + out1[58] = x245; + out1[59] = x247; + out1[60] = x249; + out1[61] = x252; + out1[62] = x254; + out1[63] = x255; } /* @@ -8680,7 +8828,7 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_to_bytes( * Input Bounds: * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] * Output Bounds: - * out1: [[0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666]] + * out1: [[0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_from_bytes( uint32_t out1[23], const uint8_t arg1[64]) { @@ -8749,90 +8897,106 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_from_bytes( uint32_t x63; uint8_t x64; uint32_t x65; - fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1 x66; + uint32_t x66; uint32_t x67; - uint32_t x68; + fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1 x68; uint32_t x69; uint32_t x70; uint32_t x71; uint32_t x72; - uint32_t x73; + uint8_t x73; uint32_t x74; uint32_t x75; uint32_t x76; uint32_t x77; - uint32_t x78; + uint8_t x78; uint32_t x79; uint32_t x80; uint32_t x81; uint32_t x82; - uint32_t x83; + uint8_t x83; uint32_t x84; uint32_t x85; uint32_t x86; uint32_t x87; uint32_t x88; - uint32_t x89; + uint8_t x89; uint32_t x90; - uint8_t x91; + uint32_t x91; uint32_t x92; uint32_t x93; uint8_t x94; uint32_t x95; uint32_t x96; - uint8_t x97; + uint32_t x97; uint32_t x98; - uint32_t x99; + uint8_t x99; uint32_t x100; - uint8_t x101; + uint32_t x101; uint32_t x102; uint32_t x103; uint8_t x104; uint32_t x105; uint32_t x106; - uint8_t x107; - uint32_t x108; + uint32_t x107; + fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1 x108; uint32_t x109; - uint8_t x110; + uint32_t x110; uint32_t x111; uint32_t x112; - fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1 x113; + uint8_t x113; uint32_t x114; uint32_t x115; - uint8_t x116; + uint32_t x116; uint32_t x117; - uint32_t x118; - uint8_t x119; + uint8_t x118; + uint32_t x119; uint32_t x120; uint32_t x121; - uint8_t x122; - uint32_t x123; + uint32_t x122; + uint8_t x123; uint32_t x124; uint32_t x125; - uint8_t x126; + uint32_t x126; uint32_t x127; uint32_t x128; uint8_t x129; uint32_t x130; uint32_t x131; - uint8_t x132; + uint32_t x132; uint32_t x133; - uint32_t x134; - uint8_t x135; + uint8_t x134; + uint32_t x135; uint32_t x136; uint32_t x137; - fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1 x138; - uint32_t x139; + uint32_t x138; + uint8_t x139; uint32_t x140; - uint8_t x141; + uint32_t x141; uint32_t x142; uint32_t x143; uint8_t x144; uint32_t x145; uint32_t x146; - uint8_t x147; - uint32_t x148; + uint32_t x147; + fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1 x148; uint32_t x149; + uint32_t x150; + uint32_t x151; + uint32_t x152; + uint8_t x153; + uint32_t x154; + uint32_t x155; + uint32_t x156; + uint32_t x157; + uint8_t x158; + uint32_t x159; + uint32_t x160; + uint32_t x161; + uint32_t x162; + uint8_t x163; + uint32_t x164; + uint32_t x165; x1 = ((uint32_t)(arg1[63]) << 14); x2 = ((uint32_t)(arg1[62]) << 6); x3 = ((uint32_t)(arg1[61]) << 20); @@ -8897,114 +9061,130 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetA_from_bytes( x62 = ((uint32_t)(arg1[2]) << 16); x63 = ((uint32_t)(arg1[1]) << 8); x64 = (arg1[0]); - x65 = (x64 + (x63 + x62)); - x66 = (fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1)(x65 >> 23); - x67 = (x65 & UINT32_C(0x7fffff)); - x68 = (x2 + x1); - x69 = (x5 + (x4 + x3)); - x70 = (x8 + (x7 + x6)); - x71 = (x11 + (x10 + x9)); - x72 = (x13 + x12); - x73 = (x16 + (x15 + x14)); - x74 = (x19 + (x18 + x17)); - x75 = (x22 + (x21 + x20)); - x76 = (x25 + (x24 + x23)); - x77 = (x27 + x26); - x78 = (x30 + (x29 + x28)); - x79 = (x33 + (x32 + x31)); - x80 = (x36 + (x35 + x34)); - x81 = (x38 + x37); - x82 = (x41 + (x40 + x39)); - x83 = (x44 + (x43 + x42)); - x84 = (x47 + (x46 + x45)); - x85 = (x50 + (x49 + x48)); - x86 = (x52 + x51); - x87 = (x55 + (x54 + x53)); - x88 = (x58 + (x57 + x56)); - x89 = (x61 + (x60 + x59)); - x90 = (x66 + x89); - x91 = (uint8_t)(x90 >> 22); - x92 = (x90 & UINT32_C(0x3fffff)); - x93 = (x91 + x88); - x94 = (uint8_t)(x93 >> 22); - x95 = (x93 & UINT32_C(0x3fffff)); - x96 = (x94 + x87); - x97 = (uint8_t)(x96 >> 23); - x98 = (x96 & UINT32_C(0x7fffff)); - x99 = (x97 + x86); - x100 = (x99 & UINT32_C(0x3fffff)); - x101 = (uint8_t)(x85 >> 22); - x102 = (x85 & UINT32_C(0x3fffff)); - x103 = (x101 + x84); - x104 = (uint8_t)(x103 >> 22); - x105 = (x103 & UINT32_C(0x3fffff)); - x106 = (x104 + x83); - x107 = (uint8_t)(x106 >> 23); - x108 = (x106 & UINT32_C(0x7fffff)); - x109 = (x107 + x82); - x110 = (uint8_t)(x109 >> 22); - x111 = (x109 & UINT32_C(0x3fffff)); - x112 = (x110 + x81); - x113 = (fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1)(x112 >> 22); - x114 = (x112 & UINT32_C(0x3fffff)); - x115 = (x113 + x80); - x116 = (uint8_t)(x115 >> 22); - x117 = (x115 & UINT32_C(0x3fffff)); - x118 = (x116 + x79); - x119 = (uint8_t)(x118 >> 23); - x120 = (x118 & UINT32_C(0x7fffff)); - x121 = (x119 + x78); - x122 = (uint8_t)(x121 >> 22); - x123 = (x121 & UINT32_C(0x3fffff)); - x124 = (x122 + x77); - x125 = (x124 & UINT32_C(0x3fffff)); - x126 = (uint8_t)(x76 >> 22); - x127 = (x76 & UINT32_C(0x3fffff)); - x128 = (x126 + x75); - x129 = (uint8_t)(x128 >> 23); - x130 = (x128 & UINT32_C(0x7fffff)); - x131 = (x129 + x74); - x132 = (uint8_t)(x131 >> 22); - x133 = (x131 & UINT32_C(0x3fffff)); - x134 = (x132 + x73); - x135 = (uint8_t)(x134 >> 22); - x136 = (x134 & UINT32_C(0x3fffff)); - x137 = (x135 + x72); - x138 = (fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1)(x137 >> 22); - x139 = (x137 & UINT32_C(0x3fffff)); - x140 = (x138 + x71); - x141 = (uint8_t)(x140 >> 23); - x142 = (x140 & UINT32_C(0x7fffff)); - x143 = (x141 + x70); - x144 = (uint8_t)(x143 >> 22); - x145 = (x143 & UINT32_C(0x3fffff)); - x146 = (x144 + x69); - x147 = (uint8_t)(x146 >> 22); - x148 = (x146 & UINT32_C(0x3fffff)); - x149 = (x147 + x68); + x65 = (x63 + (uint32_t)x64); + x66 = (x62 + x65); + x67 = (x66 & UINT32_C(0x7fffff)); + x68 = (fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1)(x66 >> 23); + x69 = (x61 + (uint32_t)x68); + x70 = (x60 + x69); + x71 = (x59 + x70); + x72 = (x71 & UINT32_C(0x3fffff)); + x73 = (uint8_t)(x71 >> 22); + x74 = (x58 + (uint32_t)x73); + x75 = (x57 + x74); + x76 = (x56 + x75); + x77 = (x76 & UINT32_C(0x3fffff)); + x78 = (uint8_t)(x76 >> 22); + x79 = (x55 + (uint32_t)x78); + x80 = (x54 + x79); + x81 = (x53 + x80); + x82 = (x81 & UINT32_C(0x7fffff)); + x83 = (uint8_t)(x81 >> 23); + x84 = (x52 + (uint32_t)x83); + x85 = (x51 + x84); + x86 = (x49 + (uint32_t)x50); + x87 = (x48 + x86); + x88 = (x87 & UINT32_C(0x3fffff)); + x89 = (uint8_t)(x87 >> 22); + x90 = (x47 + (uint32_t)x89); + x91 = (x46 + x90); + x92 = (x45 + x91); + x93 = (x92 & UINT32_C(0x3fffff)); + x94 = (uint8_t)(x92 >> 22); + x95 = (x44 + (uint32_t)x94); + x96 = (x43 + x95); + x97 = (x42 + x96); + x98 = (x97 & UINT32_C(0x7fffff)); + x99 = (uint8_t)(x97 >> 23); + x100 = (x41 + (uint32_t)x99); + x101 = (x40 + x100); + x102 = (x39 + x101); + x103 = (x102 & UINT32_C(0x3fffff)); + x104 = (uint8_t)(x102 >> 22); + x105 = (x38 + (uint32_t)x104); + x106 = (x37 + x105); + x107 = (x106 & UINT32_C(0x3fffff)); + x108 = (fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1)(x106 >> 22); + x109 = (x36 + (uint32_t)x108); + x110 = (x35 + x109); + x111 = (x34 + x110); + x112 = (x111 & UINT32_C(0x3fffff)); + x113 = (uint8_t)(x111 >> 22); + x114 = (x33 + (uint32_t)x113); + x115 = (x32 + x114); + x116 = (x31 + x115); + x117 = (x116 & UINT32_C(0x7fffff)); + x118 = (uint8_t)(x116 >> 23); + x119 = (x30 + (uint32_t)x118); + x120 = (x29 + x119); + x121 = (x28 + x120); + x122 = (x121 & UINT32_C(0x3fffff)); + x123 = (uint8_t)(x121 >> 22); + x124 = (x27 + (uint32_t)x123); + x125 = (x26 + x124); + x126 = (x24 + (uint32_t)x25); + x127 = (x23 + x126); + x128 = (x127 & UINT32_C(0x3fffff)); + x129 = (uint8_t)(x127 >> 22); + x130 = (x22 + (uint32_t)x129); + x131 = (x21 + x130); + x132 = (x20 + x131); + x133 = (x132 & UINT32_C(0x7fffff)); + x134 = (uint8_t)(x132 >> 23); + x135 = (x19 + (uint32_t)x134); + x136 = (x18 + x135); + x137 = (x17 + x136); + x138 = (x137 & UINT32_C(0x3fffff)); + x139 = (uint8_t)(x137 >> 22); + x140 = (x16 + (uint32_t)x139); + x141 = (x15 + x140); + x142 = (x14 + x141); + x143 = (x142 & UINT32_C(0x3fffff)); + x144 = (uint8_t)(x142 >> 22); + x145 = (x13 + (uint32_t)x144); + x146 = (x12 + x145); + x147 = (x146 & UINT32_C(0x3fffff)); + x148 = (fiat_id_tc26_gost_3410_2012_512_paramSetA_uint1)(x146 >> 22); + x149 = (x11 + (uint32_t)x148); + x150 = (x10 + x149); + x151 = (x9 + x150); + x152 = (x151 & UINT32_C(0x7fffff)); + x153 = (uint8_t)(x151 >> 23); + x154 = (x8 + (uint32_t)x153); + x155 = (x7 + x154); + x156 = (x6 + x155); + x157 = (x156 & UINT32_C(0x3fffff)); + x158 = (uint8_t)(x156 >> 22); + x159 = (x5 + (uint32_t)x158); + x160 = (x4 + x159); + x161 = (x3 + x160); + x162 = (x161 & UINT32_C(0x3fffff)); + x163 = (uint8_t)(x161 >> 22); + x164 = (x2 + (uint32_t)x163); + x165 = (x1 + x164); out1[0] = x67; - out1[1] = x92; - out1[2] = x95; - out1[3] = x98; - out1[4] = x100; - out1[5] = x102; - out1[6] = x105; - out1[7] = x108; - out1[8] = x111; - out1[9] = x114; - out1[10] = x117; - out1[11] = x120; - out1[12] = x123; + out1[1] = x72; + out1[2] = x77; + out1[3] = x82; + out1[4] = x85; + out1[5] = x88; + out1[6] = x93; + out1[7] = x98; + out1[8] = x103; + out1[9] = x107; + out1[10] = x112; + out1[11] = x117; + out1[12] = x122; out1[13] = x125; - out1[14] = x127; - out1[15] = x130; - out1[16] = x133; - out1[17] = x136; - out1[18] = x139; - out1[19] = x142; - out1[20] = x145; - out1[21] = x148; - out1[22] = x149; + out1[14] = x128; + out1[15] = x133; + out1[16] = x138; + out1[17] = x143; + out1[18] = x147; + out1[19] = x152; + out1[20] = x157; + out1[21] = x162; + out1[22] = x165; } /* END verbatim fiat code */ @@ -12234,7 +12414,7 @@ static void scalar_wnaf(int8_t out[513], const unsigned char in[64]) { } /*- - * Simulateous scalar multiplication: interleaved "textbook" wnaf. + * Simultaneous scalar multiplication: interleaved "textbook" wnaf. * NB: not constant time */ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[64], @@ -12242,7 +12422,7 @@ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[64], int i, d, is_neg, is_inf = 1, flipped = 0; int8_t anaf[513] = {0}; int8_t bnaf[513] = {0}; - pt_prj_t Q; + pt_prj_t Q = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -12308,7 +12488,7 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[64], const pt_aff_t *P) { int i, j, d, diff, is_neg; int8_t rnaf[103] = {0}; - pt_prj_t Q, lut; + pt_prj_t Q = {0}, lut = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -12384,8 +12564,8 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[64], static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[64]) { int i, j, k, d, diff, is_neg = 0; int8_t rnaf[103] = {0}; - pt_prj_t Q, R; - pt_aff_t lut; + pt_prj_t Q = {0}, R = {0}; + pt_aff_t lut = {0}; scalar_rwnaf(rnaf, scalar); @@ -12446,6 +12626,12 @@ static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[64]) { fiat_id_tc26_gost_3410_2012_512_paramSetA_carry_mul(out->Y, Q.Y, Q.Z); } +/*- + * Wrapper: simultaneous scalar mutiplication. + * outx, outy := a * G + b * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul_two(unsigned char outx[64], unsigned char outy[64], const unsigned char a[64], const unsigned char b[64], const unsigned char inx[64], @@ -12461,6 +12647,11 @@ static void point_mul_two(unsigned char outx[64], unsigned char outy[64], fiat_id_tc26_gost_3410_2012_512_paramSetA_to_bytes(outy, P.Y); } +/*- + * Wrapper: fixed scalar mutiplication. + * outx, outy := scalar * G + * Everything is LE byte ordering. + */ static void point_mul_g(unsigned char outx[64], unsigned char outy[64], const unsigned char scalar[64]) { pt_aff_t P; @@ -12471,6 +12662,12 @@ static void point_mul_g(unsigned char outx[64], unsigned char outy[64], fiat_id_tc26_gost_3410_2012_512_paramSetA_to_bytes(outy, P.Y); } +/*- + * Wrapper: variable point scalar mutiplication. + * outx, outy := scalar * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul(unsigned char outx[64], unsigned char outy[64], const unsigned char scalar[64], const unsigned char inx[64], @@ -12488,8 +12685,13 @@ static void point_mul(unsigned char outx[64], unsigned char outy[64], #include +/* the zero field element */ static const unsigned char const_zb[64] = {0}; +/*- + * An OpenSSL wrapper for simultaneous scalar multiplication. + * r := n * G + m * q + */ int point_mul_two_id_tc26_gost_3410_2012_512_paramSetA( const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, @@ -12528,6 +12730,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for variable point scalar multiplication. + * r := m * q + */ int point_mul_id_tc26_gost_3410_2012_512_paramSetA(const EC_GROUP *group, EC_POINT *r, @@ -12567,6 +12773,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for fixed scalar multiplication. + * r := n * G + */ int point_mul_g_id_tc26_gost_3410_2012_512_paramSetA(const EC_GROUP *group, EC_POINT *r, diff --git a/ecp_id_tc26_gost_3410_2012_512_paramSetB.c b/ecp_id_tc26_gost_3410_2012_512_paramSetB.c index 83f2112..7b0f4d2 100644 --- a/ecp_id_tc26_gost_3410_2012_512_paramSetB.c +++ b/ecp_id_tc26_gost_3410_2012_512_paramSetB.c @@ -32,6 +32,10 @@ typedef uint64_t fe_t[LIMB_CNT]; typedef uint64_t limb_t; +#ifdef OPENSSL_NO_ASM +#define FIAT_ID_TC26_GOST_3410_2012_512_PARAMSETB_NO_ASM +#endif + #define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) #define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) @@ -73,7 +77,7 @@ typedef struct { * SOFTWARE. */ -/* Autogenerated: word_by_word_montgomery --static id_tc26_gost_3410_2012_512_paramSetB 64 '2^511 + 111' */ +/* Autogenerated: word_by_word_montgomery --static --use-value-barrier id_tc26_gost_3410_2012_512_paramSetB 64 '2^511 + 111' */ /* curve description: id_tc26_gost_3410_2012_512_paramSetB */ /* machine_wordsize = 64 (from "64") */ /* requested operations: (all) */ @@ -100,6 +104,17 @@ typedef unsigned __int128 fiat_id_tc26_gost_3410_2012_512_paramSetB_uint128; #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_ID_TC26_GOST_3410_2012_512_PARAMSETB_NO_ASM) && \ + (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint64_t +fiat_id_tc26_gost_3410_2012_512_paramSetB_value_barrier_u64(uint64_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +#define fiat_id_tc26_gost_3410_2012_512_paramSetB_value_barrier_u64(x) (x) +#endif + /* * The function fiat_id_tc26_gost_3410_2012_512_paramSetB_addcarryx_u64 is an addition with carry. * Postconditions: @@ -206,7 +221,10 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_cmovznz_u64( x1 = (!(!arg1)); x2 = ((fiat_id_tc26_gost_3410_2012_512_paramSetB_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); - x3 = ((x2 & arg3) | ((~x2) & arg2)); + x3 = ((fiat_id_tc26_gost_3410_2012_512_paramSetB_value_barrier_u64(x2) & + arg3) | + (fiat_id_tc26_gost_3410_2012_512_paramSetB_value_barrier_u64((~x2)) & + arg2)); *out1 = x3; } @@ -3786,12 +3804,11 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_to_montgomery( static void fiat_id_tc26_gost_3410_2012_512_paramSetB_nonzero( uint64_t *out1, const uint64_t arg1[8]) { uint64_t x1; - x1 = ((arg1[0]) | - ((arg1[1]) | - ((arg1[2]) | - ((arg1[3]) | - ((arg1[4]) | - ((arg1[5]) | ((arg1[6]) | ((arg1[7]) | (uint64_t)0x0)))))))); + x1 = + ((arg1[0]) | + ((arg1[1]) | + ((arg1[2]) | + ((arg1[3]) | ((arg1[4]) | ((arg1[5]) | ((arg1[6]) | (arg1[7])))))))); *out1 = x1; } @@ -3845,7 +3862,7 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_selectznz( } /* - * The function fiat_id_tc26_gost_3410_2012_512_paramSetB_to_bytes serializes a field element in the Montgomery domain to bytes in little-endian order. + * The function fiat_id_tc26_gost_3410_2012_512_paramSetB_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -3866,18 +3883,18 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_to_bytes( uint64_t x6; uint64_t x7; uint64_t x8; - uint64_t x9; - uint8_t x10; - uint64_t x11; - uint8_t x12; - uint64_t x13; - uint8_t x14; - uint64_t x15; - uint8_t x16; - uint64_t x17; - uint8_t x18; - uint64_t x19; - uint8_t x20; + uint8_t x9; + uint64_t x10; + uint8_t x11; + uint64_t x12; + uint8_t x13; + uint64_t x14; + uint8_t x15; + uint64_t x16; + uint8_t x17; + uint64_t x18; + uint8_t x19; + uint64_t x20; uint8_t x21; uint8_t x22; uint8_t x23; @@ -3895,21 +3912,21 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_to_bytes( uint8_t x35; uint8_t x36; uint8_t x37; - uint8_t x38; - uint64_t x39; - uint8_t x40; - uint64_t x41; - uint8_t x42; - uint64_t x43; - uint8_t x44; - uint64_t x45; - uint8_t x46; - uint64_t x47; - uint8_t x48; - uint64_t x49; + uint64_t x38; + uint8_t x39; + uint64_t x40; + uint8_t x41; + uint64_t x42; + uint8_t x43; + uint64_t x44; + uint8_t x45; + uint64_t x46; + uint8_t x47; + uint64_t x48; + uint8_t x49; uint8_t x50; uint8_t x51; - uint8_t x52; + uint64_t x52; uint8_t x53; uint64_t x54; uint8_t x55; @@ -3921,25 +3938,25 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_to_bytes( uint8_t x61; uint64_t x62; uint8_t x63; - uint64_t x64; + uint8_t x64; uint8_t x65; - uint8_t x66; + uint64_t x66; uint8_t x67; - uint8_t x68; - uint64_t x69; - uint8_t x70; - uint64_t x71; - uint8_t x72; - uint64_t x73; - uint8_t x74; - uint64_t x75; - uint8_t x76; - uint64_t x77; + uint64_t x68; + uint8_t x69; + uint64_t x70; + uint8_t x71; + uint64_t x72; + uint8_t x73; + uint64_t x74; + uint8_t x75; + uint64_t x76; + uint8_t x77; uint8_t x78; - uint64_t x79; - uint8_t x80; + uint8_t x79; + uint64_t x80; uint8_t x81; - uint8_t x82; + uint64_t x82; uint8_t x83; uint64_t x84; uint8_t x85; @@ -3949,27 +3966,27 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_to_bytes( uint8_t x89; uint64_t x90; uint8_t x91; - uint64_t x92; + uint8_t x92; uint8_t x93; uint64_t x94; uint8_t x95; - uint8_t x96; + uint64_t x96; uint8_t x97; - uint8_t x98; - uint64_t x99; - uint8_t x100; - uint64_t x101; - uint8_t x102; - uint64_t x103; - uint8_t x104; - uint64_t x105; + uint64_t x98; + uint8_t x99; + uint64_t x100; + uint8_t x101; + uint64_t x102; + uint8_t x103; + uint64_t x104; + uint8_t x105; uint8_t x106; - uint64_t x107; - uint8_t x108; - uint64_t x109; - uint8_t x110; + uint8_t x107; + uint64_t x108; + uint8_t x109; + uint64_t x110; uint8_t x111; - uint8_t x112; + uint64_t x112; uint8_t x113; uint64_t x114; uint8_t x115; @@ -3977,14 +3994,7 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_to_bytes( uint8_t x117; uint64_t x118; uint8_t x119; - uint64_t x120; - uint8_t x121; - uint64_t x122; - uint8_t x123; - uint64_t x124; - uint8_t x125; - uint8_t x126; - uint8_t x127; + uint8_t x120; x1 = (arg1[7]); x2 = (arg1[6]); x3 = (arg1[5]); @@ -3993,193 +4003,186 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_to_bytes( x6 = (arg1[2]); x7 = (arg1[1]); x8 = (arg1[0]); - x9 = (x8 >> 8); - x10 = (uint8_t)(x8 & UINT8_C(0xff)); - x11 = (x9 >> 8); - x12 = (uint8_t)(x9 & UINT8_C(0xff)); - x13 = (x11 >> 8); - x14 = (uint8_t)(x11 & UINT8_C(0xff)); - x15 = (x13 >> 8); - x16 = (uint8_t)(x13 & UINT8_C(0xff)); - x17 = (x15 >> 8); - x18 = (uint8_t)(x15 & UINT8_C(0xff)); - x19 = (x17 >> 8); - x20 = (uint8_t)(x17 & UINT8_C(0xff)); - x21 = (uint8_t)(x19 >> 8); - x22 = (uint8_t)(x19 & UINT8_C(0xff)); - x23 = (uint8_t)(x21 & UINT8_C(0xff)); + x9 = (uint8_t)(x8 & UINT8_C(0xff)); + x10 = (x8 >> 8); + x11 = (uint8_t)(x10 & UINT8_C(0xff)); + x12 = (x10 >> 8); + x13 = (uint8_t)(x12 & UINT8_C(0xff)); + x14 = (x12 >> 8); + x15 = (uint8_t)(x14 & UINT8_C(0xff)); + x16 = (x14 >> 8); + x17 = (uint8_t)(x16 & UINT8_C(0xff)); + x18 = (x16 >> 8); + x19 = (uint8_t)(x18 & UINT8_C(0xff)); + x20 = (x18 >> 8); + x21 = (uint8_t)(x20 & UINT8_C(0xff)); + x22 = (uint8_t)(x20 >> 8); + x23 = (uint8_t)(x7 & UINT8_C(0xff)); x24 = (x7 >> 8); - x25 = (uint8_t)(x7 & UINT8_C(0xff)); + x25 = (uint8_t)(x24 & UINT8_C(0xff)); x26 = (x24 >> 8); - x27 = (uint8_t)(x24 & UINT8_C(0xff)); + x27 = (uint8_t)(x26 & UINT8_C(0xff)); x28 = (x26 >> 8); - x29 = (uint8_t)(x26 & UINT8_C(0xff)); + x29 = (uint8_t)(x28 & UINT8_C(0xff)); x30 = (x28 >> 8); - x31 = (uint8_t)(x28 & UINT8_C(0xff)); + x31 = (uint8_t)(x30 & UINT8_C(0xff)); x32 = (x30 >> 8); - x33 = (uint8_t)(x30 & UINT8_C(0xff)); + x33 = (uint8_t)(x32 & UINT8_C(0xff)); x34 = (x32 >> 8); - x35 = (uint8_t)(x32 & UINT8_C(0xff)); + x35 = (uint8_t)(x34 & UINT8_C(0xff)); x36 = (uint8_t)(x34 >> 8); - x37 = (uint8_t)(x34 & UINT8_C(0xff)); - x38 = (uint8_t)(x36 & UINT8_C(0xff)); - x39 = (x6 >> 8); - x40 = (uint8_t)(x6 & UINT8_C(0xff)); - x41 = (x39 >> 8); - x42 = (uint8_t)(x39 & UINT8_C(0xff)); - x43 = (x41 >> 8); - x44 = (uint8_t)(x41 & UINT8_C(0xff)); - x45 = (x43 >> 8); - x46 = (uint8_t)(x43 & UINT8_C(0xff)); - x47 = (x45 >> 8); - x48 = (uint8_t)(x45 & UINT8_C(0xff)); - x49 = (x47 >> 8); - x50 = (uint8_t)(x47 & UINT8_C(0xff)); - x51 = (uint8_t)(x49 >> 8); - x52 = (uint8_t)(x49 & UINT8_C(0xff)); - x53 = (uint8_t)(x51 & UINT8_C(0xff)); - x54 = (x5 >> 8); - x55 = (uint8_t)(x5 & UINT8_C(0xff)); + x37 = (uint8_t)(x6 & UINT8_C(0xff)); + x38 = (x6 >> 8); + x39 = (uint8_t)(x38 & UINT8_C(0xff)); + x40 = (x38 >> 8); + x41 = (uint8_t)(x40 & UINT8_C(0xff)); + x42 = (x40 >> 8); + x43 = (uint8_t)(x42 & UINT8_C(0xff)); + x44 = (x42 >> 8); + x45 = (uint8_t)(x44 & UINT8_C(0xff)); + x46 = (x44 >> 8); + x47 = (uint8_t)(x46 & UINT8_C(0xff)); + x48 = (x46 >> 8); + x49 = (uint8_t)(x48 & UINT8_C(0xff)); + x50 = (uint8_t)(x48 >> 8); + x51 = (uint8_t)(x5 & UINT8_C(0xff)); + x52 = (x5 >> 8); + x53 = (uint8_t)(x52 & UINT8_C(0xff)); + x54 = (x52 >> 8); + x55 = (uint8_t)(x54 & UINT8_C(0xff)); x56 = (x54 >> 8); - x57 = (uint8_t)(x54 & UINT8_C(0xff)); + x57 = (uint8_t)(x56 & UINT8_C(0xff)); x58 = (x56 >> 8); - x59 = (uint8_t)(x56 & UINT8_C(0xff)); + x59 = (uint8_t)(x58 & UINT8_C(0xff)); x60 = (x58 >> 8); - x61 = (uint8_t)(x58 & UINT8_C(0xff)); + x61 = (uint8_t)(x60 & UINT8_C(0xff)); x62 = (x60 >> 8); - x63 = (uint8_t)(x60 & UINT8_C(0xff)); - x64 = (x62 >> 8); - x65 = (uint8_t)(x62 & UINT8_C(0xff)); - x66 = (uint8_t)(x64 >> 8); - x67 = (uint8_t)(x64 & UINT8_C(0xff)); - x68 = (uint8_t)(x66 & UINT8_C(0xff)); - x69 = (x4 >> 8); - x70 = (uint8_t)(x4 & UINT8_C(0xff)); - x71 = (x69 >> 8); - x72 = (uint8_t)(x69 & UINT8_C(0xff)); - x73 = (x71 >> 8); - x74 = (uint8_t)(x71 & UINT8_C(0xff)); - x75 = (x73 >> 8); - x76 = (uint8_t)(x73 & UINT8_C(0xff)); - x77 = (x75 >> 8); - x78 = (uint8_t)(x75 & UINT8_C(0xff)); - x79 = (x77 >> 8); - x80 = (uint8_t)(x77 & UINT8_C(0xff)); - x81 = (uint8_t)(x79 >> 8); - x82 = (uint8_t)(x79 & UINT8_C(0xff)); - x83 = (uint8_t)(x81 & UINT8_C(0xff)); - x84 = (x3 >> 8); - x85 = (uint8_t)(x3 & UINT8_C(0xff)); + x63 = (uint8_t)(x62 & UINT8_C(0xff)); + x64 = (uint8_t)(x62 >> 8); + x65 = (uint8_t)(x4 & UINT8_C(0xff)); + x66 = (x4 >> 8); + x67 = (uint8_t)(x66 & UINT8_C(0xff)); + x68 = (x66 >> 8); + x69 = (uint8_t)(x68 & UINT8_C(0xff)); + x70 = (x68 >> 8); + x71 = (uint8_t)(x70 & UINT8_C(0xff)); + x72 = (x70 >> 8); + x73 = (uint8_t)(x72 & UINT8_C(0xff)); + x74 = (x72 >> 8); + x75 = (uint8_t)(x74 & UINT8_C(0xff)); + x76 = (x74 >> 8); + x77 = (uint8_t)(x76 & UINT8_C(0xff)); + x78 = (uint8_t)(x76 >> 8); + x79 = (uint8_t)(x3 & UINT8_C(0xff)); + x80 = (x3 >> 8); + x81 = (uint8_t)(x80 & UINT8_C(0xff)); + x82 = (x80 >> 8); + x83 = (uint8_t)(x82 & UINT8_C(0xff)); + x84 = (x82 >> 8); + x85 = (uint8_t)(x84 & UINT8_C(0xff)); x86 = (x84 >> 8); - x87 = (uint8_t)(x84 & UINT8_C(0xff)); + x87 = (uint8_t)(x86 & UINT8_C(0xff)); x88 = (x86 >> 8); - x89 = (uint8_t)(x86 & UINT8_C(0xff)); + x89 = (uint8_t)(x88 & UINT8_C(0xff)); x90 = (x88 >> 8); - x91 = (uint8_t)(x88 & UINT8_C(0xff)); - x92 = (x90 >> 8); - x93 = (uint8_t)(x90 & UINT8_C(0xff)); - x94 = (x92 >> 8); - x95 = (uint8_t)(x92 & UINT8_C(0xff)); - x96 = (uint8_t)(x94 >> 8); - x97 = (uint8_t)(x94 & UINT8_C(0xff)); - x98 = (uint8_t)(x96 & UINT8_C(0xff)); - x99 = (x2 >> 8); - x100 = (uint8_t)(x2 & UINT8_C(0xff)); - x101 = (x99 >> 8); - x102 = (uint8_t)(x99 & UINT8_C(0xff)); - x103 = (x101 >> 8); - x104 = (uint8_t)(x101 & UINT8_C(0xff)); - x105 = (x103 >> 8); - x106 = (uint8_t)(x103 & UINT8_C(0xff)); - x107 = (x105 >> 8); - x108 = (uint8_t)(x105 & UINT8_C(0xff)); - x109 = (x107 >> 8); - x110 = (uint8_t)(x107 & UINT8_C(0xff)); - x111 = (uint8_t)(x109 >> 8); - x112 = (uint8_t)(x109 & UINT8_C(0xff)); - x113 = (uint8_t)(x111 & UINT8_C(0xff)); - x114 = (x1 >> 8); - x115 = (uint8_t)(x1 & UINT8_C(0xff)); + x91 = (uint8_t)(x90 & UINT8_C(0xff)); + x92 = (uint8_t)(x90 >> 8); + x93 = (uint8_t)(x2 & UINT8_C(0xff)); + x94 = (x2 >> 8); + x95 = (uint8_t)(x94 & UINT8_C(0xff)); + x96 = (x94 >> 8); + x97 = (uint8_t)(x96 & UINT8_C(0xff)); + x98 = (x96 >> 8); + x99 = (uint8_t)(x98 & UINT8_C(0xff)); + x100 = (x98 >> 8); + x101 = (uint8_t)(x100 & UINT8_C(0xff)); + x102 = (x100 >> 8); + x103 = (uint8_t)(x102 & UINT8_C(0xff)); + x104 = (x102 >> 8); + x105 = (uint8_t)(x104 & UINT8_C(0xff)); + x106 = (uint8_t)(x104 >> 8); + x107 = (uint8_t)(x1 & UINT8_C(0xff)); + x108 = (x1 >> 8); + x109 = (uint8_t)(x108 & UINT8_C(0xff)); + x110 = (x108 >> 8); + x111 = (uint8_t)(x110 & UINT8_C(0xff)); + x112 = (x110 >> 8); + x113 = (uint8_t)(x112 & UINT8_C(0xff)); + x114 = (x112 >> 8); + x115 = (uint8_t)(x114 & UINT8_C(0xff)); x116 = (x114 >> 8); - x117 = (uint8_t)(x114 & UINT8_C(0xff)); + x117 = (uint8_t)(x116 & UINT8_C(0xff)); x118 = (x116 >> 8); - x119 = (uint8_t)(x116 & UINT8_C(0xff)); - x120 = (x118 >> 8); - x121 = (uint8_t)(x118 & UINT8_C(0xff)); - x122 = (x120 >> 8); - x123 = (uint8_t)(x120 & UINT8_C(0xff)); - x124 = (x122 >> 8); - x125 = (uint8_t)(x122 & UINT8_C(0xff)); - x126 = (uint8_t)(x124 >> 8); - x127 = (uint8_t)(x124 & UINT8_C(0xff)); - out1[0] = x10; - out1[1] = x12; - out1[2] = x14; - out1[3] = x16; - out1[4] = x18; - out1[5] = x20; - out1[6] = x22; - out1[7] = x23; - out1[8] = x25; - out1[9] = x27; - out1[10] = x29; - out1[11] = x31; - out1[12] = x33; - out1[13] = x35; - out1[14] = x37; - out1[15] = x38; - out1[16] = x40; - out1[17] = x42; - out1[18] = x44; - out1[19] = x46; - out1[20] = x48; - out1[21] = x50; - out1[22] = x52; - out1[23] = x53; - out1[24] = x55; - out1[25] = x57; - out1[26] = x59; - out1[27] = x61; - out1[28] = x63; - out1[29] = x65; - out1[30] = x67; - out1[31] = x68; - out1[32] = x70; - out1[33] = x72; - out1[34] = x74; - out1[35] = x76; - out1[36] = x78; - out1[37] = x80; - out1[38] = x82; - out1[39] = x83; - out1[40] = x85; - out1[41] = x87; - out1[42] = x89; - out1[43] = x91; - out1[44] = x93; - out1[45] = x95; - out1[46] = x97; - out1[47] = x98; - out1[48] = x100; - out1[49] = x102; - out1[50] = x104; - out1[51] = x106; - out1[52] = x108; - out1[53] = x110; - out1[54] = x112; - out1[55] = x113; - out1[56] = x115; - out1[57] = x117; - out1[58] = x119; - out1[59] = x121; - out1[60] = x123; - out1[61] = x125; - out1[62] = x127; - out1[63] = x126; + x119 = (uint8_t)(x118 & UINT8_C(0xff)); + x120 = (uint8_t)(x118 >> 8); + out1[0] = x9; + out1[1] = x11; + out1[2] = x13; + out1[3] = x15; + out1[4] = x17; + out1[5] = x19; + out1[6] = x21; + out1[7] = x22; + out1[8] = x23; + out1[9] = x25; + out1[10] = x27; + out1[11] = x29; + out1[12] = x31; + out1[13] = x33; + out1[14] = x35; + out1[15] = x36; + out1[16] = x37; + out1[17] = x39; + out1[18] = x41; + out1[19] = x43; + out1[20] = x45; + out1[21] = x47; + out1[22] = x49; + out1[23] = x50; + out1[24] = x51; + out1[25] = x53; + out1[26] = x55; + out1[27] = x57; + out1[28] = x59; + out1[29] = x61; + out1[30] = x63; + out1[31] = x64; + out1[32] = x65; + out1[33] = x67; + out1[34] = x69; + out1[35] = x71; + out1[36] = x73; + out1[37] = x75; + out1[38] = x77; + out1[39] = x78; + out1[40] = x79; + out1[41] = x81; + out1[42] = x83; + out1[43] = x85; + out1[44] = x87; + out1[45] = x89; + out1[46] = x91; + out1[47] = x92; + out1[48] = x93; + out1[49] = x95; + out1[50] = x97; + out1[51] = x99; + out1[52] = x101; + out1[53] = x103; + out1[54] = x105; + out1[55] = x106; + out1[56] = x107; + out1[57] = x109; + out1[58] = x111; + out1[59] = x113; + out1[60] = x115; + out1[61] = x117; + out1[62] = x119; + out1[63] = x120; } /* - * The function fiat_id_tc26_gost_3410_2012_512_paramSetB_from_bytes deserializes a field element in the Montgomery domain from bytes in little-endian order. + * The function fiat_id_tc26_gost_3410_2012_512_paramSetB_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. * Preconditions: * 0 ≤ bytes_eval arg1 < m * Postconditions: @@ -4272,6 +4275,47 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_from_bytes( uint64_t x77; uint64_t x78; uint64_t x79; + uint64_t x80; + uint64_t x81; + uint64_t x82; + uint64_t x83; + uint64_t x84; + uint64_t x85; + uint64_t x86; + uint64_t x87; + uint64_t x88; + uint64_t x89; + uint64_t x90; + uint64_t x91; + uint64_t x92; + uint64_t x93; + uint64_t x94; + uint64_t x95; + uint64_t x96; + uint64_t x97; + uint64_t x98; + uint64_t x99; + uint64_t x100; + uint64_t x101; + uint64_t x102; + uint64_t x103; + uint64_t x104; + uint64_t x105; + uint64_t x106; + uint64_t x107; + uint64_t x108; + uint64_t x109; + uint64_t x110; + uint64_t x111; + uint64_t x112; + uint64_t x113; + uint64_t x114; + uint64_t x115; + uint64_t x116; + uint64_t x117; + uint64_t x118; + uint64_t x119; + uint64_t x120; x1 = ((uint64_t)(arg1[63]) << 56); x2 = ((uint64_t)(arg1[62]) << 48); x3 = ((uint64_t)(arg1[61]) << 40); @@ -4336,29 +4380,70 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_from_bytes( x62 = ((uint64_t)(arg1[2]) << 16); x63 = ((uint64_t)(arg1[1]) << 8); x64 = (arg1[0]); - x65 = (x64 + (x63 + (x62 + (x61 + (x60 + (x59 + (x58 + x57))))))); - x66 = (x65 & UINT64_C(0xffffffffffffffff)); - x67 = (x8 + (x7 + (x6 + (x5 + (x4 + (x3 + (x2 + x1))))))); - x68 = (x16 + (x15 + (x14 + (x13 + (x12 + (x11 + (x10 + x9))))))); - x69 = (x24 + (x23 + (x22 + (x21 + (x20 + (x19 + (x18 + x17))))))); - x70 = (x32 + (x31 + (x30 + (x29 + (x28 + (x27 + (x26 + x25))))))); - x71 = (x40 + (x39 + (x38 + (x37 + (x36 + (x35 + (x34 + x33))))))); - x72 = (x48 + (x47 + (x46 + (x45 + (x44 + (x43 + (x42 + x41))))))); - x73 = (x56 + (x55 + (x54 + (x53 + (x52 + (x51 + (x50 + x49))))))); - x74 = (x73 & UINT64_C(0xffffffffffffffff)); - x75 = (x72 & UINT64_C(0xffffffffffffffff)); - x76 = (x71 & UINT64_C(0xffffffffffffffff)); - x77 = (x70 & UINT64_C(0xffffffffffffffff)); - x78 = (x69 & UINT64_C(0xffffffffffffffff)); - x79 = (x68 & UINT64_C(0xffffffffffffffff)); - out1[0] = x66; - out1[1] = x74; - out1[2] = x75; - out1[3] = x76; - out1[4] = x77; - out1[5] = x78; - out1[6] = x79; - out1[7] = x67; + x65 = (x63 + (uint64_t)x64); + x66 = (x62 + x65); + x67 = (x61 + x66); + x68 = (x60 + x67); + x69 = (x59 + x68); + x70 = (x58 + x69); + x71 = (x57 + x70); + x72 = (x55 + (uint64_t)x56); + x73 = (x54 + x72); + x74 = (x53 + x73); + x75 = (x52 + x74); + x76 = (x51 + x75); + x77 = (x50 + x76); + x78 = (x49 + x77); + x79 = (x47 + (uint64_t)x48); + x80 = (x46 + x79); + x81 = (x45 + x80); + x82 = (x44 + x81); + x83 = (x43 + x82); + x84 = (x42 + x83); + x85 = (x41 + x84); + x86 = (x39 + (uint64_t)x40); + x87 = (x38 + x86); + x88 = (x37 + x87); + x89 = (x36 + x88); + x90 = (x35 + x89); + x91 = (x34 + x90); + x92 = (x33 + x91); + x93 = (x31 + (uint64_t)x32); + x94 = (x30 + x93); + x95 = (x29 + x94); + x96 = (x28 + x95); + x97 = (x27 + x96); + x98 = (x26 + x97); + x99 = (x25 + x98); + x100 = (x23 + (uint64_t)x24); + x101 = (x22 + x100); + x102 = (x21 + x101); + x103 = (x20 + x102); + x104 = (x19 + x103); + x105 = (x18 + x104); + x106 = (x17 + x105); + x107 = (x15 + (uint64_t)x16); + x108 = (x14 + x107); + x109 = (x13 + x108); + x110 = (x12 + x109); + x111 = (x11 + x110); + x112 = (x10 + x111); + x113 = (x9 + x112); + x114 = (x7 + (uint64_t)x8); + x115 = (x6 + x114); + x116 = (x5 + x115); + x117 = (x4 + x116); + x118 = (x3 + x117); + x119 = (x2 + x118); + x120 = (x1 + x119); + out1[0] = x71; + out1[1] = x78; + out1[2] = x85; + out1[3] = x92; + out1[4] = x99; + out1[5] = x106; + out1[6] = x113; + out1[7] = x120; } /* END verbatim fiat code */ @@ -6507,7 +6592,7 @@ static void scalar_wnaf(int8_t out[513], const unsigned char in[64]) { } /*- - * Simulateous scalar multiplication: interleaved "textbook" wnaf. + * Simultaneous scalar multiplication: interleaved "textbook" wnaf. * NB: not constant time */ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[64], @@ -6515,7 +6600,7 @@ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[64], int i, d, is_neg, is_inf = 1, flipped = 0; int8_t anaf[513] = {0}; int8_t bnaf[513] = {0}; - pt_prj_t Q; + pt_prj_t Q = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -6581,7 +6666,7 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[64], const pt_aff_t *P) { int i, j, d, diff, is_neg; int8_t rnaf[103] = {0}; - pt_prj_t Q, lut; + pt_prj_t Q = {0}, lut = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -6657,8 +6742,8 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[64], static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[64]) { int i, j, k, d, diff, is_neg = 0; int8_t rnaf[103] = {0}; - pt_prj_t Q, R; - pt_aff_t lut; + pt_prj_t Q = {0}, R = {0}; + pt_aff_t lut = {0}; scalar_rwnaf(rnaf, scalar); @@ -6719,6 +6804,12 @@ static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[64]) { fiat_id_tc26_gost_3410_2012_512_paramSetB_mul(out->Y, Q.Y, Q.Z); } +/*- + * Wrapper: simultaneous scalar mutiplication. + * outx, outy := a * G + b * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul_two(unsigned char outx[64], unsigned char outy[64], const unsigned char a[64], const unsigned char b[64], const unsigned char inx[64], @@ -6738,6 +6829,11 @@ static void point_mul_two(unsigned char outx[64], unsigned char outy[64], fiat_id_tc26_gost_3410_2012_512_paramSetB_to_bytes(outy, P.Y); } +/*- + * Wrapper: fixed scalar mutiplication. + * outx, outy := scalar * G + * Everything is LE byte ordering. + */ static void point_mul_g(unsigned char outx[64], unsigned char outy[64], const unsigned char scalar[64]) { pt_aff_t P; @@ -6750,6 +6846,12 @@ static void point_mul_g(unsigned char outx[64], unsigned char outy[64], fiat_id_tc26_gost_3410_2012_512_paramSetB_to_bytes(outy, P.Y); } +/*- + * Wrapper: variable point scalar mutiplication. + * outx, outy := scalar * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul(unsigned char outx[64], unsigned char outy[64], const unsigned char scalar[64], const unsigned char inx[64], @@ -6771,8 +6873,13 @@ static void point_mul(unsigned char outx[64], unsigned char outy[64], #include +/* the zero field element */ static const unsigned char const_zb[64] = {0}; +/*- + * An OpenSSL wrapper for simultaneous scalar multiplication. + * r := n * G + m * q + */ int point_mul_two_id_tc26_gost_3410_2012_512_paramSetB( const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, @@ -6811,6 +6918,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for variable point scalar multiplication. + * r := m * q + */ int point_mul_id_tc26_gost_3410_2012_512_paramSetB(const EC_GROUP *group, EC_POINT *r, @@ -6850,6 +6961,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for fixed scalar multiplication. + * r := n * G + */ int point_mul_g_id_tc26_gost_3410_2012_512_paramSetB(const EC_GROUP *group, EC_POINT *r, @@ -6896,6 +7011,10 @@ err: typedef uint32_t fe_t[LIMB_CNT]; typedef uint32_t limb_t; +#ifdef OPENSSL_NO_ASM +#define FIAT_ID_TC26_GOST_3410_2012_512_PARAMSETB_NO_ASM +#endif + #define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) #define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) @@ -6937,7 +7056,7 @@ typedef struct { * SOFTWARE. */ -/* Autogenerated: word_by_word_montgomery --static id_tc26_gost_3410_2012_512_paramSetB 32 '2^511 + 111' */ +/* Autogenerated: word_by_word_montgomery --static --use-value-barrier id_tc26_gost_3410_2012_512_paramSetB 32 '2^511 + 111' */ /* curve description: id_tc26_gost_3410_2012_512_paramSetB */ /* machine_wordsize = 32 (from "32") */ /* requested operations: (all) */ @@ -6962,6 +7081,17 @@ typedef signed char fiat_id_tc26_gost_3410_2012_512_paramSetB_int1; #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_ID_TC26_GOST_3410_2012_512_PARAMSETB_NO_ASM) && \ + (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint32_t +fiat_id_tc26_gost_3410_2012_512_paramSetB_value_barrier_u32(uint32_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +#define fiat_id_tc26_gost_3410_2012_512_paramSetB_value_barrier_u32(x) (x) +#endif + /* * The function fiat_id_tc26_gost_3410_2012_512_paramSetB_addcarryx_u32 is an addition with carry. * Postconditions: @@ -7066,7 +7196,10 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_cmovznz_u32( x1 = (!(!arg1)); x2 = ((fiat_id_tc26_gost_3410_2012_512_paramSetB_int1)(0x0 - x1) & UINT32_C(0xffffffff)); - x3 = ((x2 & arg3) | ((~x2) & arg2)); + x3 = ((fiat_id_tc26_gost_3410_2012_512_paramSetB_value_barrier_u32(x2) & + arg3) | + (fiat_id_tc26_gost_3410_2012_512_paramSetB_value_barrier_u32((~x2)) & + arg2)); *out1 = x3; } @@ -18238,22 +18371,20 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_to_montgomery( static void fiat_id_tc26_gost_3410_2012_512_paramSetB_nonzero( uint32_t *out1, const uint32_t arg1[16]) { uint32_t x1; - x1 = - ((arg1[0]) | - ((arg1[1]) | - ((arg1[2]) | - ((arg1[3]) | - ((arg1[4]) | - ((arg1[5]) | - ((arg1[6]) | - ((arg1[7]) | - ((arg1[8]) | - ((arg1[9]) | - ((arg1[10]) | - ((arg1[11]) | - ((arg1[12]) | - ((arg1[13]) | - ((arg1[14]) | ((arg1[15]) | (uint32_t)0x0)))))))))))))))); + x1 = ((arg1[0]) | + ((arg1[1]) | + ((arg1[2]) | + ((arg1[3]) | + ((arg1[4]) | + ((arg1[5]) | + ((arg1[6]) | + ((arg1[7]) | + ((arg1[8]) | + ((arg1[9]) | + ((arg1[10]) | + ((arg1[11]) | + ((arg1[12]) | + ((arg1[13]) | ((arg1[14]) | (arg1[15])))))))))))))))); *out1 = x1; } @@ -18339,7 +18470,7 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_selectznz( } /* - * The function fiat_id_tc26_gost_3410_2012_512_paramSetB_to_bytes serializes a field element in the Montgomery domain to bytes in little-endian order. + * The function fiat_id_tc26_gost_3410_2012_512_paramSetB_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -18368,10 +18499,10 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_to_bytes( uint32_t x14; uint32_t x15; uint32_t x16; - uint32_t x17; - uint8_t x18; - uint32_t x19; - uint8_t x20; + uint8_t x17; + uint32_t x18; + uint8_t x19; + uint32_t x20; uint8_t x21; uint8_t x22; uint8_t x23; @@ -18381,39 +18512,39 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_to_bytes( uint8_t x27; uint8_t x28; uint8_t x29; - uint8_t x30; - uint32_t x31; - uint8_t x32; - uint32_t x33; + uint32_t x30; + uint8_t x31; + uint32_t x32; + uint8_t x33; uint8_t x34; uint8_t x35; - uint8_t x36; + uint32_t x36; uint8_t x37; uint32_t x38; uint8_t x39; - uint32_t x40; + uint8_t x40; uint8_t x41; - uint8_t x42; + uint32_t x42; uint8_t x43; - uint8_t x44; - uint32_t x45; + uint32_t x44; + uint8_t x45; uint8_t x46; - uint32_t x47; - uint8_t x48; + uint8_t x47; + uint32_t x48; uint8_t x49; - uint8_t x50; + uint32_t x50; uint8_t x51; - uint32_t x52; + uint8_t x52; uint8_t x53; uint32_t x54; uint8_t x55; - uint8_t x56; + uint32_t x56; uint8_t x57; uint8_t x58; - uint32_t x59; - uint8_t x60; - uint32_t x61; - uint8_t x62; + uint8_t x59; + uint32_t x60; + uint8_t x61; + uint32_t x62; uint8_t x63; uint8_t x64; uint8_t x65; @@ -18423,39 +18554,39 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_to_bytes( uint8_t x69; uint8_t x70; uint8_t x71; - uint8_t x72; - uint32_t x73; - uint8_t x74; - uint32_t x75; + uint32_t x72; + uint8_t x73; + uint32_t x74; + uint8_t x75; uint8_t x76; uint8_t x77; - uint8_t x78; + uint32_t x78; uint8_t x79; uint32_t x80; uint8_t x81; - uint32_t x82; + uint8_t x82; uint8_t x83; - uint8_t x84; + uint32_t x84; uint8_t x85; - uint8_t x86; - uint32_t x87; + uint32_t x86; + uint8_t x87; uint8_t x88; - uint32_t x89; - uint8_t x90; + uint8_t x89; + uint32_t x90; uint8_t x91; - uint8_t x92; + uint32_t x92; uint8_t x93; - uint32_t x94; + uint8_t x94; uint8_t x95; uint32_t x96; uint8_t x97; - uint8_t x98; + uint32_t x98; uint8_t x99; uint8_t x100; - uint32_t x101; - uint8_t x102; - uint32_t x103; - uint8_t x104; + uint8_t x101; + uint32_t x102; + uint8_t x103; + uint32_t x104; uint8_t x105; uint8_t x106; uint8_t x107; @@ -18464,21 +18595,6 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_to_bytes( uint32_t x110; uint8_t x111; uint8_t x112; - uint8_t x113; - uint8_t x114; - uint32_t x115; - uint8_t x116; - uint32_t x117; - uint8_t x118; - uint8_t x119; - uint8_t x120; - uint8_t x121; - uint32_t x122; - uint8_t x123; - uint32_t x124; - uint8_t x125; - uint8_t x126; - uint8_t x127; x1 = (arg1[15]); x2 = (arg1[14]); x3 = (arg1[13]); @@ -18495,185 +18611,170 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_to_bytes( x14 = (arg1[2]); x15 = (arg1[1]); x16 = (arg1[0]); - x17 = (x16 >> 8); - x18 = (uint8_t)(x16 & UINT8_C(0xff)); - x19 = (x17 >> 8); - x20 = (uint8_t)(x17 & UINT8_C(0xff)); - x21 = (uint8_t)(x19 >> 8); - x22 = (uint8_t)(x19 & UINT8_C(0xff)); - x23 = (uint8_t)(x21 & UINT8_C(0xff)); + x17 = (uint8_t)(x16 & UINT8_C(0xff)); + x18 = (x16 >> 8); + x19 = (uint8_t)(x18 & UINT8_C(0xff)); + x20 = (x18 >> 8); + x21 = (uint8_t)(x20 & UINT8_C(0xff)); + x22 = (uint8_t)(x20 >> 8); + x23 = (uint8_t)(x15 & UINT8_C(0xff)); x24 = (x15 >> 8); - x25 = (uint8_t)(x15 & UINT8_C(0xff)); + x25 = (uint8_t)(x24 & UINT8_C(0xff)); x26 = (x24 >> 8); - x27 = (uint8_t)(x24 & UINT8_C(0xff)); + x27 = (uint8_t)(x26 & UINT8_C(0xff)); x28 = (uint8_t)(x26 >> 8); - x29 = (uint8_t)(x26 & UINT8_C(0xff)); - x30 = (uint8_t)(x28 & UINT8_C(0xff)); - x31 = (x14 >> 8); - x32 = (uint8_t)(x14 & UINT8_C(0xff)); - x33 = (x31 >> 8); - x34 = (uint8_t)(x31 & UINT8_C(0xff)); - x35 = (uint8_t)(x33 >> 8); - x36 = (uint8_t)(x33 & UINT8_C(0xff)); - x37 = (uint8_t)(x35 & UINT8_C(0xff)); - x38 = (x13 >> 8); - x39 = (uint8_t)(x13 & UINT8_C(0xff)); - x40 = (x38 >> 8); - x41 = (uint8_t)(x38 & UINT8_C(0xff)); - x42 = (uint8_t)(x40 >> 8); - x43 = (uint8_t)(x40 & UINT8_C(0xff)); - x44 = (uint8_t)(x42 & UINT8_C(0xff)); - x45 = (x12 >> 8); - x46 = (uint8_t)(x12 & UINT8_C(0xff)); - x47 = (x45 >> 8); - x48 = (uint8_t)(x45 & UINT8_C(0xff)); - x49 = (uint8_t)(x47 >> 8); - x50 = (uint8_t)(x47 & UINT8_C(0xff)); - x51 = (uint8_t)(x49 & UINT8_C(0xff)); - x52 = (x11 >> 8); - x53 = (uint8_t)(x11 & UINT8_C(0xff)); - x54 = (x52 >> 8); - x55 = (uint8_t)(x52 & UINT8_C(0xff)); - x56 = (uint8_t)(x54 >> 8); - x57 = (uint8_t)(x54 & UINT8_C(0xff)); - x58 = (uint8_t)(x56 & UINT8_C(0xff)); - x59 = (x10 >> 8); - x60 = (uint8_t)(x10 & UINT8_C(0xff)); - x61 = (x59 >> 8); - x62 = (uint8_t)(x59 & UINT8_C(0xff)); - x63 = (uint8_t)(x61 >> 8); - x64 = (uint8_t)(x61 & UINT8_C(0xff)); - x65 = (uint8_t)(x63 & UINT8_C(0xff)); - x66 = (x9 >> 8); - x67 = (uint8_t)(x9 & UINT8_C(0xff)); + x29 = (uint8_t)(x14 & UINT8_C(0xff)); + x30 = (x14 >> 8); + x31 = (uint8_t)(x30 & UINT8_C(0xff)); + x32 = (x30 >> 8); + x33 = (uint8_t)(x32 & UINT8_C(0xff)); + x34 = (uint8_t)(x32 >> 8); + x35 = (uint8_t)(x13 & UINT8_C(0xff)); + x36 = (x13 >> 8); + x37 = (uint8_t)(x36 & UINT8_C(0xff)); + x38 = (x36 >> 8); + x39 = (uint8_t)(x38 & UINT8_C(0xff)); + x40 = (uint8_t)(x38 >> 8); + x41 = (uint8_t)(x12 & UINT8_C(0xff)); + x42 = (x12 >> 8); + x43 = (uint8_t)(x42 & UINT8_C(0xff)); + x44 = (x42 >> 8); + x45 = (uint8_t)(x44 & UINT8_C(0xff)); + x46 = (uint8_t)(x44 >> 8); + x47 = (uint8_t)(x11 & UINT8_C(0xff)); + x48 = (x11 >> 8); + x49 = (uint8_t)(x48 & UINT8_C(0xff)); + x50 = (x48 >> 8); + x51 = (uint8_t)(x50 & UINT8_C(0xff)); + x52 = (uint8_t)(x50 >> 8); + x53 = (uint8_t)(x10 & UINT8_C(0xff)); + x54 = (x10 >> 8); + x55 = (uint8_t)(x54 & UINT8_C(0xff)); + x56 = (x54 >> 8); + x57 = (uint8_t)(x56 & UINT8_C(0xff)); + x58 = (uint8_t)(x56 >> 8); + x59 = (uint8_t)(x9 & UINT8_C(0xff)); + x60 = (x9 >> 8); + x61 = (uint8_t)(x60 & UINT8_C(0xff)); + x62 = (x60 >> 8); + x63 = (uint8_t)(x62 & UINT8_C(0xff)); + x64 = (uint8_t)(x62 >> 8); + x65 = (uint8_t)(x8 & UINT8_C(0xff)); + x66 = (x8 >> 8); + x67 = (uint8_t)(x66 & UINT8_C(0xff)); x68 = (x66 >> 8); - x69 = (uint8_t)(x66 & UINT8_C(0xff)); + x69 = (uint8_t)(x68 & UINT8_C(0xff)); x70 = (uint8_t)(x68 >> 8); - x71 = (uint8_t)(x68 & UINT8_C(0xff)); - x72 = (uint8_t)(x70 & UINT8_C(0xff)); - x73 = (x8 >> 8); - x74 = (uint8_t)(x8 & UINT8_C(0xff)); - x75 = (x73 >> 8); - x76 = (uint8_t)(x73 & UINT8_C(0xff)); - x77 = (uint8_t)(x75 >> 8); - x78 = (uint8_t)(x75 & UINT8_C(0xff)); - x79 = (uint8_t)(x77 & UINT8_C(0xff)); - x80 = (x7 >> 8); - x81 = (uint8_t)(x7 & UINT8_C(0xff)); - x82 = (x80 >> 8); - x83 = (uint8_t)(x80 & UINT8_C(0xff)); - x84 = (uint8_t)(x82 >> 8); - x85 = (uint8_t)(x82 & UINT8_C(0xff)); - x86 = (uint8_t)(x84 & UINT8_C(0xff)); - x87 = (x6 >> 8); - x88 = (uint8_t)(x6 & UINT8_C(0xff)); - x89 = (x87 >> 8); - x90 = (uint8_t)(x87 & UINT8_C(0xff)); - x91 = (uint8_t)(x89 >> 8); - x92 = (uint8_t)(x89 & UINT8_C(0xff)); - x93 = (uint8_t)(x91 & UINT8_C(0xff)); - x94 = (x5 >> 8); - x95 = (uint8_t)(x5 & UINT8_C(0xff)); - x96 = (x94 >> 8); - x97 = (uint8_t)(x94 & UINT8_C(0xff)); - x98 = (uint8_t)(x96 >> 8); - x99 = (uint8_t)(x96 & UINT8_C(0xff)); - x100 = (uint8_t)(x98 & UINT8_C(0xff)); - x101 = (x4 >> 8); - x102 = (uint8_t)(x4 & UINT8_C(0xff)); - x103 = (x101 >> 8); - x104 = (uint8_t)(x101 & UINT8_C(0xff)); - x105 = (uint8_t)(x103 >> 8); - x106 = (uint8_t)(x103 & UINT8_C(0xff)); - x107 = (uint8_t)(x105 & UINT8_C(0xff)); - x108 = (x3 >> 8); - x109 = (uint8_t)(x3 & UINT8_C(0xff)); + x71 = (uint8_t)(x7 & UINT8_C(0xff)); + x72 = (x7 >> 8); + x73 = (uint8_t)(x72 & UINT8_C(0xff)); + x74 = (x72 >> 8); + x75 = (uint8_t)(x74 & UINT8_C(0xff)); + x76 = (uint8_t)(x74 >> 8); + x77 = (uint8_t)(x6 & UINT8_C(0xff)); + x78 = (x6 >> 8); + x79 = (uint8_t)(x78 & UINT8_C(0xff)); + x80 = (x78 >> 8); + x81 = (uint8_t)(x80 & UINT8_C(0xff)); + x82 = (uint8_t)(x80 >> 8); + x83 = (uint8_t)(x5 & UINT8_C(0xff)); + x84 = (x5 >> 8); + x85 = (uint8_t)(x84 & UINT8_C(0xff)); + x86 = (x84 >> 8); + x87 = (uint8_t)(x86 & UINT8_C(0xff)); + x88 = (uint8_t)(x86 >> 8); + x89 = (uint8_t)(x4 & UINT8_C(0xff)); + x90 = (x4 >> 8); + x91 = (uint8_t)(x90 & UINT8_C(0xff)); + x92 = (x90 >> 8); + x93 = (uint8_t)(x92 & UINT8_C(0xff)); + x94 = (uint8_t)(x92 >> 8); + x95 = (uint8_t)(x3 & UINT8_C(0xff)); + x96 = (x3 >> 8); + x97 = (uint8_t)(x96 & UINT8_C(0xff)); + x98 = (x96 >> 8); + x99 = (uint8_t)(x98 & UINT8_C(0xff)); + x100 = (uint8_t)(x98 >> 8); + x101 = (uint8_t)(x2 & UINT8_C(0xff)); + x102 = (x2 >> 8); + x103 = (uint8_t)(x102 & UINT8_C(0xff)); + x104 = (x102 >> 8); + x105 = (uint8_t)(x104 & UINT8_C(0xff)); + x106 = (uint8_t)(x104 >> 8); + x107 = (uint8_t)(x1 & UINT8_C(0xff)); + x108 = (x1 >> 8); + x109 = (uint8_t)(x108 & UINT8_C(0xff)); x110 = (x108 >> 8); - x111 = (uint8_t)(x108 & UINT8_C(0xff)); + x111 = (uint8_t)(x110 & UINT8_C(0xff)); x112 = (uint8_t)(x110 >> 8); - x113 = (uint8_t)(x110 & UINT8_C(0xff)); - x114 = (uint8_t)(x112 & UINT8_C(0xff)); - x115 = (x2 >> 8); - x116 = (uint8_t)(x2 & UINT8_C(0xff)); - x117 = (x115 >> 8); - x118 = (uint8_t)(x115 & UINT8_C(0xff)); - x119 = (uint8_t)(x117 >> 8); - x120 = (uint8_t)(x117 & UINT8_C(0xff)); - x121 = (uint8_t)(x119 & UINT8_C(0xff)); - x122 = (x1 >> 8); - x123 = (uint8_t)(x1 & UINT8_C(0xff)); - x124 = (x122 >> 8); - x125 = (uint8_t)(x122 & UINT8_C(0xff)); - x126 = (uint8_t)(x124 >> 8); - x127 = (uint8_t)(x124 & UINT8_C(0xff)); - out1[0] = x18; - out1[1] = x20; - out1[2] = x22; - out1[3] = x23; - out1[4] = x25; - out1[5] = x27; - out1[6] = x29; - out1[7] = x30; - out1[8] = x32; - out1[9] = x34; - out1[10] = x36; - out1[11] = x37; - out1[12] = x39; - out1[13] = x41; - out1[14] = x43; - out1[15] = x44; - out1[16] = x46; - out1[17] = x48; - out1[18] = x50; - out1[19] = x51; - out1[20] = x53; - out1[21] = x55; - out1[22] = x57; - out1[23] = x58; - out1[24] = x60; - out1[25] = x62; - out1[26] = x64; - out1[27] = x65; - out1[28] = x67; - out1[29] = x69; - out1[30] = x71; - out1[31] = x72; - out1[32] = x74; - out1[33] = x76; - out1[34] = x78; - out1[35] = x79; - out1[36] = x81; - out1[37] = x83; - out1[38] = x85; - out1[39] = x86; - out1[40] = x88; - out1[41] = x90; - out1[42] = x92; - out1[43] = x93; - out1[44] = x95; - out1[45] = x97; - out1[46] = x99; - out1[47] = x100; - out1[48] = x102; - out1[49] = x104; - out1[50] = x106; - out1[51] = x107; - out1[52] = x109; - out1[53] = x111; - out1[54] = x113; - out1[55] = x114; - out1[56] = x116; - out1[57] = x118; - out1[58] = x120; - out1[59] = x121; - out1[60] = x123; - out1[61] = x125; - out1[62] = x127; - out1[63] = x126; + out1[0] = x17; + out1[1] = x19; + out1[2] = x21; + out1[3] = x22; + out1[4] = x23; + out1[5] = x25; + out1[6] = x27; + out1[7] = x28; + out1[8] = x29; + out1[9] = x31; + out1[10] = x33; + out1[11] = x34; + out1[12] = x35; + out1[13] = x37; + out1[14] = x39; + out1[15] = x40; + out1[16] = x41; + out1[17] = x43; + out1[18] = x45; + out1[19] = x46; + out1[20] = x47; + out1[21] = x49; + out1[22] = x51; + out1[23] = x52; + out1[24] = x53; + out1[25] = x55; + out1[26] = x57; + out1[27] = x58; + out1[28] = x59; + out1[29] = x61; + out1[30] = x63; + out1[31] = x64; + out1[32] = x65; + out1[33] = x67; + out1[34] = x69; + out1[35] = x70; + out1[36] = x71; + out1[37] = x73; + out1[38] = x75; + out1[39] = x76; + out1[40] = x77; + out1[41] = x79; + out1[42] = x81; + out1[43] = x82; + out1[44] = x83; + out1[45] = x85; + out1[46] = x87; + out1[47] = x88; + out1[48] = x89; + out1[49] = x91; + out1[50] = x93; + out1[51] = x94; + out1[52] = x95; + out1[53] = x97; + out1[54] = x99; + out1[55] = x100; + out1[56] = x101; + out1[57] = x103; + out1[58] = x105; + out1[59] = x106; + out1[60] = x107; + out1[61] = x109; + out1[62] = x111; + out1[63] = x112; } /* - * The function fiat_id_tc26_gost_3410_2012_512_paramSetB_from_bytes deserializes a field element in the Montgomery domain from bytes in little-endian order. + * The function fiat_id_tc26_gost_3410_2012_512_paramSetB_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. * Preconditions: * 0 ≤ bytes_eval arg1 < m * Postconditions: @@ -18782,6 +18883,23 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_from_bytes( uint32_t x93; uint32_t x94; uint32_t x95; + uint32_t x96; + uint32_t x97; + uint32_t x98; + uint32_t x99; + uint32_t x100; + uint32_t x101; + uint32_t x102; + uint32_t x103; + uint32_t x104; + uint32_t x105; + uint32_t x106; + uint32_t x107; + uint32_t x108; + uint32_t x109; + uint32_t x110; + uint32_t x111; + uint32_t x112; x1 = ((uint32_t)(arg1[63]) << 24); x2 = ((uint32_t)(arg1[62]) << 16); x3 = ((uint32_t)(arg1[61]) << 8); @@ -18846,53 +18964,70 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetB_from_bytes( x62 = ((uint32_t)(arg1[2]) << 16); x63 = ((uint32_t)(arg1[1]) << 8); x64 = (arg1[0]); - x65 = (x64 + (x63 + (x62 + x61))); - x66 = (x65 & UINT32_C(0xffffffff)); - x67 = (x4 + (x3 + (x2 + x1))); - x68 = (x8 + (x7 + (x6 + x5))); - x69 = (x12 + (x11 + (x10 + x9))); - x70 = (x16 + (x15 + (x14 + x13))); - x71 = (x20 + (x19 + (x18 + x17))); - x72 = (x24 + (x23 + (x22 + x21))); - x73 = (x28 + (x27 + (x26 + x25))); - x74 = (x32 + (x31 + (x30 + x29))); - x75 = (x36 + (x35 + (x34 + x33))); - x76 = (x40 + (x39 + (x38 + x37))); - x77 = (x44 + (x43 + (x42 + x41))); - x78 = (x48 + (x47 + (x46 + x45))); - x79 = (x52 + (x51 + (x50 + x49))); - x80 = (x56 + (x55 + (x54 + x53))); - x81 = (x60 + (x59 + (x58 + x57))); - x82 = (x81 & UINT32_C(0xffffffff)); - x83 = (x80 & UINT32_C(0xffffffff)); - x84 = (x79 & UINT32_C(0xffffffff)); - x85 = (x78 & UINT32_C(0xffffffff)); - x86 = (x77 & UINT32_C(0xffffffff)); - x87 = (x76 & UINT32_C(0xffffffff)); - x88 = (x75 & UINT32_C(0xffffffff)); - x89 = (x74 & UINT32_C(0xffffffff)); - x90 = (x73 & UINT32_C(0xffffffff)); - x91 = (x72 & UINT32_C(0xffffffff)); - x92 = (x71 & UINT32_C(0xffffffff)); - x93 = (x70 & UINT32_C(0xffffffff)); - x94 = (x69 & UINT32_C(0xffffffff)); - x95 = (x68 & UINT32_C(0xffffffff)); - out1[0] = x66; - out1[1] = x82; - out1[2] = x83; - out1[3] = x84; - out1[4] = x85; - out1[5] = x86; - out1[6] = x87; + x65 = (x63 + (uint32_t)x64); + x66 = (x62 + x65); + x67 = (x61 + x66); + x68 = (x59 + (uint32_t)x60); + x69 = (x58 + x68); + x70 = (x57 + x69); + x71 = (x55 + (uint32_t)x56); + x72 = (x54 + x71); + x73 = (x53 + x72); + x74 = (x51 + (uint32_t)x52); + x75 = (x50 + x74); + x76 = (x49 + x75); + x77 = (x47 + (uint32_t)x48); + x78 = (x46 + x77); + x79 = (x45 + x78); + x80 = (x43 + (uint32_t)x44); + x81 = (x42 + x80); + x82 = (x41 + x81); + x83 = (x39 + (uint32_t)x40); + x84 = (x38 + x83); + x85 = (x37 + x84); + x86 = (x35 + (uint32_t)x36); + x87 = (x34 + x86); + x88 = (x33 + x87); + x89 = (x31 + (uint32_t)x32); + x90 = (x30 + x89); + x91 = (x29 + x90); + x92 = (x27 + (uint32_t)x28); + x93 = (x26 + x92); + x94 = (x25 + x93); + x95 = (x23 + (uint32_t)x24); + x96 = (x22 + x95); + x97 = (x21 + x96); + x98 = (x19 + (uint32_t)x20); + x99 = (x18 + x98); + x100 = (x17 + x99); + x101 = (x15 + (uint32_t)x16); + x102 = (x14 + x101); + x103 = (x13 + x102); + x104 = (x11 + (uint32_t)x12); + x105 = (x10 + x104); + x106 = (x9 + x105); + x107 = (x7 + (uint32_t)x8); + x108 = (x6 + x107); + x109 = (x5 + x108); + x110 = (x3 + (uint32_t)x4); + x111 = (x2 + x110); + x112 = (x1 + x111); + out1[0] = x67; + out1[1] = x70; + out1[2] = x73; + out1[3] = x76; + out1[4] = x79; + out1[5] = x82; + out1[6] = x85; out1[7] = x88; - out1[8] = x89; - out1[9] = x90; - out1[10] = x91; - out1[11] = x92; - out1[12] = x93; - out1[13] = x94; - out1[14] = x95; - out1[15] = x67; + out1[8] = x91; + out1[9] = x94; + out1[10] = x97; + out1[11] = x100; + out1[12] = x103; + out1[13] = x106; + out1[14] = x109; + out1[15] = x112; } /* END verbatim fiat code */ @@ -21941,7 +22076,7 @@ static void scalar_wnaf(int8_t out[513], const unsigned char in[64]) { } /*- - * Simulateous scalar multiplication: interleaved "textbook" wnaf. + * Simultaneous scalar multiplication: interleaved "textbook" wnaf. * NB: not constant time */ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[64], @@ -21949,7 +22084,7 @@ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[64], int i, d, is_neg, is_inf = 1, flipped = 0; int8_t anaf[513] = {0}; int8_t bnaf[513] = {0}; - pt_prj_t Q; + pt_prj_t Q = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -22015,7 +22150,7 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[64], const pt_aff_t *P) { int i, j, d, diff, is_neg; int8_t rnaf[103] = {0}; - pt_prj_t Q, lut; + pt_prj_t Q = {0}, lut = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -22091,8 +22226,8 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[64], static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[64]) { int i, j, k, d, diff, is_neg = 0; int8_t rnaf[103] = {0}; - pt_prj_t Q, R; - pt_aff_t lut; + pt_prj_t Q = {0}, R = {0}; + pt_aff_t lut = {0}; scalar_rwnaf(rnaf, scalar); @@ -22153,6 +22288,12 @@ static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[64]) { fiat_id_tc26_gost_3410_2012_512_paramSetB_mul(out->Y, Q.Y, Q.Z); } +/*- + * Wrapper: simultaneous scalar mutiplication. + * outx, outy := a * G + b * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul_two(unsigned char outx[64], unsigned char outy[64], const unsigned char a[64], const unsigned char b[64], const unsigned char inx[64], @@ -22172,6 +22313,11 @@ static void point_mul_two(unsigned char outx[64], unsigned char outy[64], fiat_id_tc26_gost_3410_2012_512_paramSetB_to_bytes(outy, P.Y); } +/*- + * Wrapper: fixed scalar mutiplication. + * outx, outy := scalar * G + * Everything is LE byte ordering. + */ static void point_mul_g(unsigned char outx[64], unsigned char outy[64], const unsigned char scalar[64]) { pt_aff_t P; @@ -22184,6 +22330,12 @@ static void point_mul_g(unsigned char outx[64], unsigned char outy[64], fiat_id_tc26_gost_3410_2012_512_paramSetB_to_bytes(outy, P.Y); } +/*- + * Wrapper: variable point scalar mutiplication. + * outx, outy := scalar * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul(unsigned char outx[64], unsigned char outy[64], const unsigned char scalar[64], const unsigned char inx[64], @@ -22205,8 +22357,13 @@ static void point_mul(unsigned char outx[64], unsigned char outy[64], #include +/* the zero field element */ static const unsigned char const_zb[64] = {0}; +/*- + * An OpenSSL wrapper for simultaneous scalar multiplication. + * r := n * G + m * q + */ int point_mul_two_id_tc26_gost_3410_2012_512_paramSetB( const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, @@ -22245,6 +22402,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for variable point scalar multiplication. + * r := m * q + */ int point_mul_id_tc26_gost_3410_2012_512_paramSetB(const EC_GROUP *group, EC_POINT *r, @@ -22284,6 +22445,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for fixed scalar multiplication. + * r := n * G + */ int point_mul_g_id_tc26_gost_3410_2012_512_paramSetB(const EC_GROUP *group, EC_POINT *r, diff --git a/ecp_id_tc26_gost_3410_2012_512_paramSetC.c b/ecp_id_tc26_gost_3410_2012_512_paramSetC.c index f5d379e..c239f9f 100644 --- a/ecp_id_tc26_gost_3410_2012_512_paramSetC.c +++ b/ecp_id_tc26_gost_3410_2012_512_paramSetC.c @@ -32,6 +32,10 @@ typedef uint64_t fe_t[LIMB_CNT]; typedef uint64_t limb_t; +#ifdef OPENSSL_NO_ASM +#define FIAT_ID_TC26_GOST_3410_2012_512_PARAMSETC_NO_ASM +#endif + #define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) #define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) @@ -82,18 +86,19 @@ typedef struct { * SOFTWARE. */ -/* Autogenerated: unsaturated_solinas --static id_tc26_gost_3410_2012_512_paramSetC 64 '(auto)' '2^512 - 569' */ +/* Autogenerated: unsaturated_solinas --static --use-value-barrier id_tc26_gost_3410_2012_512_paramSetC 64 '(auto)' '2^512 - 569' */ /* curve description: id_tc26_gost_3410_2012_512_paramSetC */ /* machine_wordsize = 64 (from "64") */ /* requested operations: (all) */ /* n = 10 (from "(auto)") */ /* s-c = 2^512 - [(1, 569)] (from "2^512 - 569") */ -/* tight_bounds_multiplier = 1.1 (from "") */ +/* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ /* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] */ /* eval z = z[0] + (z[1] << 52) + (z[2] << 103) + (z[3] << 154) + (z[4] << 205) + (z[5] << 256) + (z[6] << 0x134) + (z[7] << 0x167) + (z[8] << 0x19a) + (z[9] << 0x1cd) */ /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) */ +/* balance = [0x1ffffffffffb8e, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0x1ffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] */ #include typedef unsigned char fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1; @@ -105,6 +110,17 @@ typedef unsigned __int128 fiat_id_tc26_gost_3410_2012_512_paramSetC_uint128; #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_ID_TC26_GOST_3410_2012_512_PARAMSETC_NO_ASM) && \ + (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint64_t +fiat_id_tc26_gost_3410_2012_512_paramSetC_value_barrier_u64(uint64_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +#define fiat_id_tc26_gost_3410_2012_512_paramSetC_value_barrier_u64(x) (x) +#endif + /* * The function fiat_id_tc26_gost_3410_2012_512_paramSetC_addcarryx_u52 is an addition with carry. * Postconditions: @@ -238,7 +254,10 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_cmovznz_u64( x1 = (!(!arg1)); x2 = ((fiat_id_tc26_gost_3410_2012_512_paramSetC_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); - x3 = ((x2 & arg3) | ((~x2) & arg2)); + x3 = ((fiat_id_tc26_gost_3410_2012_512_paramSetC_value_barrier_u64(x2) & + arg3) | + (fiat_id_tc26_gost_3410_2012_512_paramSetC_value_barrier_u64((~x2)) & + arg2)); *out1 = x3; } @@ -248,10 +267,10 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_cmovznz_u64( * eval out1 mod m = (eval arg1 * eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] - * arg2: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * arg1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] + * arg2: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * out1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_carry_mul( uint64_t out1[10], const uint64_t arg1[10], const uint64_t arg2[10]) { @@ -742,9 +761,9 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_carry_mul( * eval out1 mod m = (eval arg1 * eval arg1) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * arg1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * out1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_carry_square( uint64_t out1[10], const uint64_t arg1[10]) { @@ -1032,9 +1051,9 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_carry_square( * eval out1 mod m = eval arg1 mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * arg1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * out1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_carry( uint64_t out1[10], const uint64_t arg1[10]) { @@ -1102,10 +1121,10 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_carry( * eval out1 mod m = (eval arg1 + eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] - * arg2: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * arg1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] + * arg2: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * out1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_add( uint64_t out1[10], const uint64_t arg1[10], const uint64_t arg2[10]) { @@ -1147,10 +1166,10 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_add( * eval out1 mod m = (eval arg1 - eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] - * arg2: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * arg1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] + * arg2: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * out1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_sub( uint64_t out1[10], const uint64_t arg1[10], const uint64_t arg2[10]) { @@ -1192,9 +1211,9 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_sub( * eval out1 mod m = -eval arg1 mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * arg1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] * Output Bounds: - * out1: [[0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x34cccccccccccb], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] + * out1: [[0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x30000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_opp( uint64_t out1[10], const uint64_t arg1[10]) { @@ -1293,7 +1312,7 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_selectznz( * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..63] * * Input Bounds: - * arg1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * arg1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] * Output Bounds: * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] */ @@ -1348,70 +1367,70 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_to_bytes( uint64_t x47; uint64_t x48; uint64_t x49; - uint64_t x50; - uint8_t x51; - uint64_t x52; - uint8_t x53; - uint64_t x54; - uint8_t x55; - uint64_t x56; - uint8_t x57; - uint64_t x58; - uint8_t x59; + uint8_t x50; + uint64_t x51; + uint8_t x52; + uint64_t x53; + uint8_t x54; + uint64_t x55; + uint8_t x56; + uint64_t x57; + uint8_t x58; + uint64_t x59; uint8_t x60; uint8_t x61; uint64_t x62; - uint64_t x63; - uint8_t x64; - uint64_t x65; - uint8_t x66; - uint64_t x67; - uint8_t x68; - uint64_t x69; - uint8_t x70; - uint64_t x71; - uint8_t x72; + uint8_t x63; + uint64_t x64; + uint8_t x65; + uint64_t x66; + uint8_t x67; + uint64_t x68; + uint8_t x69; + uint64_t x70; + uint8_t x71; + uint64_t x72; uint8_t x73; uint8_t x74; uint64_t x75; - uint64_t x76; - uint8_t x77; - uint64_t x78; - uint8_t x79; - uint64_t x80; - uint8_t x81; - uint64_t x82; - uint8_t x83; - uint64_t x84; - uint8_t x85; - uint64_t x86; - uint8_t x87; + uint8_t x76; + uint64_t x77; + uint8_t x78; + uint64_t x79; + uint8_t x80; + uint64_t x81; + uint8_t x82; + uint64_t x83; + uint8_t x84; + uint64_t x85; + uint8_t x86; + uint64_t x87; uint8_t x88; uint8_t x89; uint64_t x90; - uint64_t x91; - uint8_t x92; - uint64_t x93; - uint8_t x94; - uint64_t x95; - uint8_t x96; - uint64_t x97; - uint8_t x98; - uint64_t x99; - uint8_t x100; + uint8_t x91; + uint64_t x92; + uint8_t x93; + uint64_t x94; + uint8_t x95; + uint64_t x96; + uint8_t x97; + uint64_t x98; + uint8_t x99; + uint64_t x100; uint8_t x101; uint8_t x102; uint64_t x103; - uint64_t x104; - uint8_t x105; - uint64_t x106; - uint8_t x107; - uint64_t x108; - uint8_t x109; - uint64_t x110; - uint8_t x111; - uint64_t x112; - uint8_t x113; + uint8_t x104; + uint64_t x105; + uint8_t x106; + uint64_t x107; + uint8_t x108; + uint64_t x109; + uint8_t x110; + uint64_t x111; + uint8_t x112; + uint64_t x113; uint8_t x114; uint8_t x115; uint8_t x116; @@ -1426,8 +1445,8 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_to_bytes( uint64_t x125; uint8_t x126; uint8_t x127; - uint8_t x128; - uint64_t x129; + uint64_t x128; + uint8_t x129; uint64_t x130; uint8_t x131; uint64_t x132; @@ -1439,8 +1458,8 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_to_bytes( uint64_t x138; uint8_t x139; uint8_t x140; - uint8_t x141; - uint64_t x142; + uint64_t x141; + uint8_t x142; uint64_t x143; uint8_t x144; uint64_t x145; @@ -1454,8 +1473,8 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_to_bytes( uint64_t x153; uint8_t x154; uint8_t x155; - uint8_t x156; - uint64_t x157; + uint64_t x156; + uint8_t x157; uint64_t x158; uint8_t x159; uint64_t x160; @@ -1467,8 +1486,8 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_to_bytes( uint64_t x166; uint8_t x167; uint8_t x168; - uint8_t x169; - uint64_t x170; + uint64_t x169; + uint8_t x170; uint64_t x171; uint8_t x172; uint64_t x173; @@ -1480,7 +1499,6 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_to_bytes( uint64_t x179; uint8_t x180; uint8_t x181; - uint8_t x182; fiat_id_tc26_gost_3410_2012_512_paramSetC_subborrowx_u52( &x1, &x2, 0x0, (arg1[0]), UINT64_C(0xffffffffffdc7)); fiat_id_tc26_gost_3410_2012_512_paramSetC_subborrowx_u51( @@ -1531,202 +1549,201 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_to_bytes( x47 = (x28 << 2); x48 = (x26 << 7); x49 = (x24 << 4); - x50 = (x22 >> 8); - x51 = (uint8_t)(x22 & UINT8_C(0xff)); - x52 = (x50 >> 8); - x53 = (uint8_t)(x50 & UINT8_C(0xff)); - x54 = (x52 >> 8); - x55 = (uint8_t)(x52 & UINT8_C(0xff)); - x56 = (x54 >> 8); - x57 = (uint8_t)(x54 & UINT8_C(0xff)); - x58 = (x56 >> 8); - x59 = (uint8_t)(x56 & UINT8_C(0xff)); - x60 = (uint8_t)(x58 >> 8); - x61 = (uint8_t)(x58 & UINT8_C(0xff)); - x62 = (x60 + x49); - x63 = (x62 >> 8); - x64 = (uint8_t)(x62 & UINT8_C(0xff)); - x65 = (x63 >> 8); - x66 = (uint8_t)(x63 & UINT8_C(0xff)); - x67 = (x65 >> 8); - x68 = (uint8_t)(x65 & UINT8_C(0xff)); - x69 = (x67 >> 8); - x70 = (uint8_t)(x67 & UINT8_C(0xff)); - x71 = (x69 >> 8); - x72 = (uint8_t)(x69 & UINT8_C(0xff)); - x73 = (uint8_t)(x71 >> 8); - x74 = (uint8_t)(x71 & UINT8_C(0xff)); - x75 = (x73 + x48); - x76 = (x75 >> 8); - x77 = (uint8_t)(x75 & UINT8_C(0xff)); - x78 = (x76 >> 8); - x79 = (uint8_t)(x76 & UINT8_C(0xff)); - x80 = (x78 >> 8); - x81 = (uint8_t)(x78 & UINT8_C(0xff)); - x82 = (x80 >> 8); - x83 = (uint8_t)(x80 & UINT8_C(0xff)); - x84 = (x82 >> 8); - x85 = (uint8_t)(x82 & UINT8_C(0xff)); - x86 = (x84 >> 8); - x87 = (uint8_t)(x84 & UINT8_C(0xff)); - x88 = (uint8_t)(x86 >> 8); - x89 = (uint8_t)(x86 & UINT8_C(0xff)); - x90 = (x88 + x47); - x91 = (x90 >> 8); - x92 = (uint8_t)(x90 & UINT8_C(0xff)); - x93 = (x91 >> 8); - x94 = (uint8_t)(x91 & UINT8_C(0xff)); - x95 = (x93 >> 8); - x96 = (uint8_t)(x93 & UINT8_C(0xff)); - x97 = (x95 >> 8); - x98 = (uint8_t)(x95 & UINT8_C(0xff)); - x99 = (x97 >> 8); - x100 = (uint8_t)(x97 & UINT8_C(0xff)); - x101 = (uint8_t)(x99 >> 8); - x102 = (uint8_t)(x99 & UINT8_C(0xff)); - x103 = (x101 + x46); - x104 = (x103 >> 8); - x105 = (uint8_t)(x103 & UINT8_C(0xff)); - x106 = (x104 >> 8); - x107 = (uint8_t)(x104 & UINT8_C(0xff)); - x108 = (x106 >> 8); - x109 = (uint8_t)(x106 & UINT8_C(0xff)); - x110 = (x108 >> 8); - x111 = (uint8_t)(x108 & UINT8_C(0xff)); - x112 = (x110 >> 8); - x113 = (uint8_t)(x110 & UINT8_C(0xff)); - x114 = (uint8_t)(x112 >> 8); - x115 = (uint8_t)(x112 & UINT8_C(0xff)); - x116 = (uint8_t)(x114 & UINT8_C(0xff)); + x50 = (uint8_t)(x22 & UINT8_C(0xff)); + x51 = (x22 >> 8); + x52 = (uint8_t)(x51 & UINT8_C(0xff)); + x53 = (x51 >> 8); + x54 = (uint8_t)(x53 & UINT8_C(0xff)); + x55 = (x53 >> 8); + x56 = (uint8_t)(x55 & UINT8_C(0xff)); + x57 = (x55 >> 8); + x58 = (uint8_t)(x57 & UINT8_C(0xff)); + x59 = (x57 >> 8); + x60 = (uint8_t)(x59 & UINT8_C(0xff)); + x61 = (uint8_t)(x59 >> 8); + x62 = (x49 + (uint64_t)x61); + x63 = (uint8_t)(x62 & UINT8_C(0xff)); + x64 = (x62 >> 8); + x65 = (uint8_t)(x64 & UINT8_C(0xff)); + x66 = (x64 >> 8); + x67 = (uint8_t)(x66 & UINT8_C(0xff)); + x68 = (x66 >> 8); + x69 = (uint8_t)(x68 & UINT8_C(0xff)); + x70 = (x68 >> 8); + x71 = (uint8_t)(x70 & UINT8_C(0xff)); + x72 = (x70 >> 8); + x73 = (uint8_t)(x72 & UINT8_C(0xff)); + x74 = (uint8_t)(x72 >> 8); + x75 = (x48 + (uint64_t)x74); + x76 = (uint8_t)(x75 & UINT8_C(0xff)); + x77 = (x75 >> 8); + x78 = (uint8_t)(x77 & UINT8_C(0xff)); + x79 = (x77 >> 8); + x80 = (uint8_t)(x79 & UINT8_C(0xff)); + x81 = (x79 >> 8); + x82 = (uint8_t)(x81 & UINT8_C(0xff)); + x83 = (x81 >> 8); + x84 = (uint8_t)(x83 & UINT8_C(0xff)); + x85 = (x83 >> 8); + x86 = (uint8_t)(x85 & UINT8_C(0xff)); + x87 = (x85 >> 8); + x88 = (uint8_t)(x87 & UINT8_C(0xff)); + x89 = (uint8_t)(x87 >> 8); + x90 = (x47 + (uint64_t)x89); + x91 = (uint8_t)(x90 & UINT8_C(0xff)); + x92 = (x90 >> 8); + x93 = (uint8_t)(x92 & UINT8_C(0xff)); + x94 = (x92 >> 8); + x95 = (uint8_t)(x94 & UINT8_C(0xff)); + x96 = (x94 >> 8); + x97 = (uint8_t)(x96 & UINT8_C(0xff)); + x98 = (x96 >> 8); + x99 = (uint8_t)(x98 & UINT8_C(0xff)); + x100 = (x98 >> 8); + x101 = (uint8_t)(x100 & UINT8_C(0xff)); + x102 = (uint8_t)(x100 >> 8); + x103 = (x46 + (uint64_t)x102); + x104 = (uint8_t)(x103 & UINT8_C(0xff)); + x105 = (x103 >> 8); + x106 = (uint8_t)(x105 & UINT8_C(0xff)); + x107 = (x105 >> 8); + x108 = (uint8_t)(x107 & UINT8_C(0xff)); + x109 = (x107 >> 8); + x110 = (uint8_t)(x109 & UINT8_C(0xff)); + x111 = (x109 >> 8); + x112 = (uint8_t)(x111 & UINT8_C(0xff)); + x113 = (x111 >> 8); + x114 = (uint8_t)(x113 & UINT8_C(0xff)); + x115 = (uint8_t)(x113 >> 8); + x116 = (uint8_t)(x32 & UINT8_C(0xff)); x117 = (x32 >> 8); - x118 = (uint8_t)(x32 & UINT8_C(0xff)); + x118 = (uint8_t)(x117 & UINT8_C(0xff)); x119 = (x117 >> 8); - x120 = (uint8_t)(x117 & UINT8_C(0xff)); + x120 = (uint8_t)(x119 & UINT8_C(0xff)); x121 = (x119 >> 8); - x122 = (uint8_t)(x119 & UINT8_C(0xff)); + x122 = (uint8_t)(x121 & UINT8_C(0xff)); x123 = (x121 >> 8); - x124 = (uint8_t)(x121 & UINT8_C(0xff)); + x124 = (uint8_t)(x123 & UINT8_C(0xff)); x125 = (x123 >> 8); - x126 = (uint8_t)(x123 & UINT8_C(0xff)); + x126 = (uint8_t)(x125 & UINT8_C(0xff)); x127 = (uint8_t)(x125 >> 8); - x128 = (uint8_t)(x125 & UINT8_C(0xff)); - x129 = (x127 + x45); - x130 = (x129 >> 8); - x131 = (uint8_t)(x129 & UINT8_C(0xff)); + x128 = (x45 + (uint64_t)x127); + x129 = (uint8_t)(x128 & UINT8_C(0xff)); + x130 = (x128 >> 8); + x131 = (uint8_t)(x130 & UINT8_C(0xff)); x132 = (x130 >> 8); - x133 = (uint8_t)(x130 & UINT8_C(0xff)); + x133 = (uint8_t)(x132 & UINT8_C(0xff)); x134 = (x132 >> 8); - x135 = (uint8_t)(x132 & UINT8_C(0xff)); + x135 = (uint8_t)(x134 & UINT8_C(0xff)); x136 = (x134 >> 8); - x137 = (uint8_t)(x134 & UINT8_C(0xff)); + x137 = (uint8_t)(x136 & UINT8_C(0xff)); x138 = (x136 >> 8); - x139 = (uint8_t)(x136 & UINT8_C(0xff)); + x139 = (uint8_t)(x138 & UINT8_C(0xff)); x140 = (uint8_t)(x138 >> 8); - x141 = (uint8_t)(x138 & UINT8_C(0xff)); - x142 = (x140 + x44); - x143 = (x142 >> 8); - x144 = (uint8_t)(x142 & UINT8_C(0xff)); + x141 = (x44 + (uint64_t)x140); + x142 = (uint8_t)(x141 & UINT8_C(0xff)); + x143 = (x141 >> 8); + x144 = (uint8_t)(x143 & UINT8_C(0xff)); x145 = (x143 >> 8); - x146 = (uint8_t)(x143 & UINT8_C(0xff)); + x146 = (uint8_t)(x145 & UINT8_C(0xff)); x147 = (x145 >> 8); - x148 = (uint8_t)(x145 & UINT8_C(0xff)); + x148 = (uint8_t)(x147 & UINT8_C(0xff)); x149 = (x147 >> 8); - x150 = (uint8_t)(x147 & UINT8_C(0xff)); + x150 = (uint8_t)(x149 & UINT8_C(0xff)); x151 = (x149 >> 8); - x152 = (uint8_t)(x149 & UINT8_C(0xff)); + x152 = (uint8_t)(x151 & UINT8_C(0xff)); x153 = (x151 >> 8); - x154 = (uint8_t)(x151 & UINT8_C(0xff)); + x154 = (uint8_t)(x153 & UINT8_C(0xff)); x155 = (uint8_t)(x153 >> 8); - x156 = (uint8_t)(x153 & UINT8_C(0xff)); - x157 = (x155 + x43); - x158 = (x157 >> 8); - x159 = (uint8_t)(x157 & UINT8_C(0xff)); + x156 = (x43 + (uint64_t)x155); + x157 = (uint8_t)(x156 & UINT8_C(0xff)); + x158 = (x156 >> 8); + x159 = (uint8_t)(x158 & UINT8_C(0xff)); x160 = (x158 >> 8); - x161 = (uint8_t)(x158 & UINT8_C(0xff)); + x161 = (uint8_t)(x160 & UINT8_C(0xff)); x162 = (x160 >> 8); - x163 = (uint8_t)(x160 & UINT8_C(0xff)); + x163 = (uint8_t)(x162 & UINT8_C(0xff)); x164 = (x162 >> 8); - x165 = (uint8_t)(x162 & UINT8_C(0xff)); + x165 = (uint8_t)(x164 & UINT8_C(0xff)); x166 = (x164 >> 8); - x167 = (uint8_t)(x164 & UINT8_C(0xff)); + x167 = (uint8_t)(x166 & UINT8_C(0xff)); x168 = (uint8_t)(x166 >> 8); - x169 = (uint8_t)(x166 & UINT8_C(0xff)); - x170 = (x168 + x42); - x171 = (x170 >> 8); - x172 = (uint8_t)(x170 & UINT8_C(0xff)); + x169 = (x42 + (uint64_t)x168); + x170 = (uint8_t)(x169 & UINT8_C(0xff)); + x171 = (x169 >> 8); + x172 = (uint8_t)(x171 & UINT8_C(0xff)); x173 = (x171 >> 8); - x174 = (uint8_t)(x171 & UINT8_C(0xff)); + x174 = (uint8_t)(x173 & UINT8_C(0xff)); x175 = (x173 >> 8); - x176 = (uint8_t)(x173 & UINT8_C(0xff)); + x176 = (uint8_t)(x175 & UINT8_C(0xff)); x177 = (x175 >> 8); - x178 = (uint8_t)(x175 & UINT8_C(0xff)); + x178 = (uint8_t)(x177 & UINT8_C(0xff)); x179 = (x177 >> 8); - x180 = (uint8_t)(x177 & UINT8_C(0xff)); + x180 = (uint8_t)(x179 & UINT8_C(0xff)); x181 = (uint8_t)(x179 >> 8); - x182 = (uint8_t)(x179 & UINT8_C(0xff)); - out1[0] = x51; - out1[1] = x53; - out1[2] = x55; - out1[3] = x57; - out1[4] = x59; - out1[5] = x61; - out1[6] = x64; - out1[7] = x66; - out1[8] = x68; - out1[9] = x70; - out1[10] = x72; - out1[11] = x74; - out1[12] = x77; - out1[13] = x79; - out1[14] = x81; - out1[15] = x83; - out1[16] = x85; - out1[17] = x87; - out1[18] = x89; - out1[19] = x92; - out1[20] = x94; - out1[21] = x96; - out1[22] = x98; - out1[23] = x100; - out1[24] = x102; - out1[25] = x105; - out1[26] = x107; - out1[27] = x109; - out1[28] = x111; - out1[29] = x113; - out1[30] = x115; - out1[31] = x116; - out1[32] = x118; - out1[33] = x120; - out1[34] = x122; - out1[35] = x124; - out1[36] = x126; - out1[37] = x128; - out1[38] = x131; - out1[39] = x133; - out1[40] = x135; - out1[41] = x137; - out1[42] = x139; - out1[43] = x141; - out1[44] = x144; - out1[45] = x146; - out1[46] = x148; - out1[47] = x150; - out1[48] = x152; - out1[49] = x154; - out1[50] = x156; - out1[51] = x159; - out1[52] = x161; - out1[53] = x163; - out1[54] = x165; - out1[55] = x167; - out1[56] = x169; - out1[57] = x172; - out1[58] = x174; - out1[59] = x176; - out1[60] = x178; - out1[61] = x180; - out1[62] = x182; + out1[0] = x50; + out1[1] = x52; + out1[2] = x54; + out1[3] = x56; + out1[4] = x58; + out1[5] = x60; + out1[6] = x63; + out1[7] = x65; + out1[8] = x67; + out1[9] = x69; + out1[10] = x71; + out1[11] = x73; + out1[12] = x76; + out1[13] = x78; + out1[14] = x80; + out1[15] = x82; + out1[16] = x84; + out1[17] = x86; + out1[18] = x88; + out1[19] = x91; + out1[20] = x93; + out1[21] = x95; + out1[22] = x97; + out1[23] = x99; + out1[24] = x101; + out1[25] = x104; + out1[26] = x106; + out1[27] = x108; + out1[28] = x110; + out1[29] = x112; + out1[30] = x114; + out1[31] = x115; + out1[32] = x116; + out1[33] = x118; + out1[34] = x120; + out1[35] = x122; + out1[36] = x124; + out1[37] = x126; + out1[38] = x129; + out1[39] = x131; + out1[40] = x133; + out1[41] = x135; + out1[42] = x137; + out1[43] = x139; + out1[44] = x142; + out1[45] = x144; + out1[46] = x146; + out1[47] = x148; + out1[48] = x150; + out1[49] = x152; + out1[50] = x154; + out1[51] = x157; + out1[52] = x159; + out1[53] = x161; + out1[54] = x163; + out1[55] = x165; + out1[56] = x167; + out1[57] = x170; + out1[58] = x172; + out1[59] = x174; + out1[60] = x176; + out1[61] = x178; + out1[62] = x180; out1[63] = x181; } @@ -1738,7 +1755,7 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_to_bytes( * Input Bounds: * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] * Output Bounds: - * out1: [[0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x11999999999999], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] + * out1: [[0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x10000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_from_bytes( uint64_t out1[10], const uint8_t arg1[64]) { @@ -1807,40 +1824,83 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_from_bytes( uint64_t x63; uint8_t x64; uint64_t x65; - uint8_t x66; + uint64_t x66; uint64_t x67; uint64_t x68; uint64_t x69; uint64_t x70; uint64_t x71; - uint64_t x72; + uint8_t x72; uint64_t x73; uint64_t x74; uint64_t x75; uint64_t x76; uint64_t x77; - fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1 x78; + uint64_t x78; uint64_t x79; - uint64_t x80; - uint8_t x81; + fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1 x80; + uint64_t x81; uint64_t x82; uint64_t x83; - uint8_t x84; + uint64_t x84; uint64_t x85; uint64_t x86; uint64_t x87; - uint8_t x88; - uint64_t x89; + uint64_t x88; + uint8_t x89; uint64_t x90; - fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1 x91; + uint64_t x91; uint64_t x92; uint64_t x93; - uint8_t x94; + uint64_t x94; uint64_t x95; uint64_t x96; uint8_t x97; uint64_t x98; uint64_t x99; + uint64_t x100; + uint64_t x101; + uint64_t x102; + uint64_t x103; + uint64_t x104; + uint64_t x105; + uint64_t x106; + uint64_t x107; + uint64_t x108; + uint64_t x109; + uint64_t x110; + uint8_t x111; + uint64_t x112; + uint64_t x113; + uint64_t x114; + uint64_t x115; + uint64_t x116; + uint64_t x117; + uint64_t x118; + fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1 x119; + uint64_t x120; + uint64_t x121; + uint64_t x122; + uint64_t x123; + uint64_t x124; + uint64_t x125; + uint64_t x126; + uint64_t x127; + uint8_t x128; + uint64_t x129; + uint64_t x130; + uint64_t x131; + uint64_t x132; + uint64_t x133; + uint64_t x134; + uint64_t x135; + uint8_t x136; + uint64_t x137; + uint64_t x138; + uint64_t x139; + uint64_t x140; + uint64_t x141; + uint64_t x142; x1 = ((uint64_t)(arg1[63]) << 43); x2 = ((uint64_t)(arg1[62]) << 35); x3 = ((uint64_t)(arg1[61]) << 27); @@ -1905,51 +1965,94 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_from_bytes( x62 = ((uint64_t)(arg1[2]) << 16); x63 = ((uint64_t)(arg1[1]) << 8); x64 = (arg1[0]); - x65 = (x64 + (x63 + (x62 + (x61 + (x60 + (x59 + x58)))))); - x66 = (uint8_t)(x65 >> 52); - x67 = (x65 & UINT64_C(0xfffffffffffff)); - x68 = (x6 + (x5 + (x4 + (x3 + (x2 + x1))))); - x69 = (x12 + (x11 + (x10 + (x9 + (x8 + x7))))); - x70 = (x19 + (x18 + (x17 + (x16 + (x15 + (x14 + x13)))))); - x71 = (x25 + (x24 + (x23 + (x22 + (x21 + x20))))); - x72 = (x32 + (x31 + (x30 + (x29 + (x28 + (x27 + x26)))))); - x73 = (x38 + (x37 + (x36 + (x35 + (x34 + x33))))); - x74 = (x44 + (x43 + (x42 + (x41 + (x40 + x39))))); - x75 = (x51 + (x50 + (x49 + (x48 + (x47 + (x46 + x45)))))); - x76 = (x57 + (x56 + (x55 + (x54 + (x53 + x52))))); - x77 = (x66 + x76); - x78 = (fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1)(x77 >> 51); - x79 = (x77 & UINT64_C(0x7ffffffffffff)); - x80 = (x78 + x75); - x81 = (uint8_t)(x80 >> 51); - x82 = (x80 & UINT64_C(0x7ffffffffffff)); - x83 = (x81 + x74); - x84 = (uint8_t)(x83 >> 51); - x85 = (x83 & UINT64_C(0x7ffffffffffff)); - x86 = (x84 + x73); - x87 = (x86 & UINT64_C(0x7ffffffffffff)); - x88 = (uint8_t)(x72 >> 52); - x89 = (x72 & UINT64_C(0xfffffffffffff)); - x90 = (x88 + x71); - x91 = (fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1)(x90 >> 51); - x92 = (x90 & UINT64_C(0x7ffffffffffff)); - x93 = (x91 + x70); - x94 = (uint8_t)(x93 >> 51); - x95 = (x93 & UINT64_C(0x7ffffffffffff)); - x96 = (x94 + x69); - x97 = (uint8_t)(x96 >> 51); - x98 = (x96 & UINT64_C(0x7ffffffffffff)); - x99 = (x97 + x68); - out1[0] = x67; + x65 = (x63 + (uint64_t)x64); + x66 = (x62 + x65); + x67 = (x61 + x66); + x68 = (x60 + x67); + x69 = (x59 + x68); + x70 = (x58 + x69); + x71 = (x70 & UINT64_C(0xfffffffffffff)); + x72 = (uint8_t)(x70 >> 52); + x73 = (x57 + (uint64_t)x72); + x74 = (x56 + x73); + x75 = (x55 + x74); + x76 = (x54 + x75); + x77 = (x53 + x76); + x78 = (x52 + x77); + x79 = (x78 & UINT64_C(0x7ffffffffffff)); + x80 = (fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1)(x78 >> 51); + x81 = (x51 + (uint64_t)x80); + x82 = (x50 + x81); + x83 = (x49 + x82); + x84 = (x48 + x83); + x85 = (x47 + x84); + x86 = (x46 + x85); + x87 = (x45 + x86); + x88 = (x87 & UINT64_C(0x7ffffffffffff)); + x89 = (uint8_t)(x87 >> 51); + x90 = (x44 + (uint64_t)x89); + x91 = (x43 + x90); + x92 = (x42 + x91); + x93 = (x41 + x92); + x94 = (x40 + x93); + x95 = (x39 + x94); + x96 = (x95 & UINT64_C(0x7ffffffffffff)); + x97 = (uint8_t)(x95 >> 51); + x98 = (x38 + (uint64_t)x97); + x99 = (x37 + x98); + x100 = (x36 + x99); + x101 = (x35 + x100); + x102 = (x34 + x101); + x103 = (x33 + x102); + x104 = (x31 + (uint64_t)x32); + x105 = (x30 + x104); + x106 = (x29 + x105); + x107 = (x28 + x106); + x108 = (x27 + x107); + x109 = (x26 + x108); + x110 = (x109 & UINT64_C(0xfffffffffffff)); + x111 = (uint8_t)(x109 >> 52); + x112 = (x25 + (uint64_t)x111); + x113 = (x24 + x112); + x114 = (x23 + x113); + x115 = (x22 + x114); + x116 = (x21 + x115); + x117 = (x20 + x116); + x118 = (x117 & UINT64_C(0x7ffffffffffff)); + x119 = (fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1)(x117 >> 51); + x120 = (x19 + (uint64_t)x119); + x121 = (x18 + x120); + x122 = (x17 + x121); + x123 = (x16 + x122); + x124 = (x15 + x123); + x125 = (x14 + x124); + x126 = (x13 + x125); + x127 = (x126 & UINT64_C(0x7ffffffffffff)); + x128 = (uint8_t)(x126 >> 51); + x129 = (x12 + (uint64_t)x128); + x130 = (x11 + x129); + x131 = (x10 + x130); + x132 = (x9 + x131); + x133 = (x8 + x132); + x134 = (x7 + x133); + x135 = (x134 & UINT64_C(0x7ffffffffffff)); + x136 = (uint8_t)(x134 >> 51); + x137 = (x6 + (uint64_t)x136); + x138 = (x5 + x137); + x139 = (x4 + x138); + x140 = (x3 + x139); + x141 = (x2 + x140); + x142 = (x1 + x141); + out1[0] = x71; out1[1] = x79; - out1[2] = x82; - out1[3] = x85; - out1[4] = x87; - out1[5] = x89; - out1[6] = x92; - out1[7] = x95; - out1[8] = x98; - out1[9] = x99; + out1[2] = x88; + out1[3] = x96; + out1[4] = x103; + out1[5] = x110; + out1[6] = x118; + out1[7] = x127; + out1[8] = x135; + out1[9] = x142; } /* END verbatim fiat code */ @@ -4128,8 +4231,8 @@ static void point_edwards2legacy(pt_prj_t *Q, const pt_prj_t *P) { /* temporary variables */ fe_t t0; /* constants */ - const limb_t *S = const_S; const limb_t *T = const_T; + const limb_t *S = const_S; const limb_t *X1 = P->X; const limb_t *Y1 = P->Y; const limb_t *Z1 = P->Z; @@ -4261,7 +4364,7 @@ static void scalar_wnaf(int8_t out[513], const unsigned char in[64]) { } /*- - * Simulateous scalar multiplication: interleaved "textbook" wnaf. + * Simultaneous scalar multiplication: interleaved "textbook" wnaf. * NB: not constant time */ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[64], @@ -4269,7 +4372,7 @@ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[64], int i, d, is_neg, is_inf = 1, flipped = 0; int8_t anaf[513] = {0}; int8_t bnaf[513] = {0}; - pt_prj_t Q; + pt_prj_t Q = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -4343,7 +4446,7 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[64], const pt_aff_t *P) { int i, j, d, diff, is_neg; int8_t rnaf[103] = {0}; - pt_prj_t Q, lut; + pt_prj_t Q = {0}, lut = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -4431,8 +4534,8 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[64], static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[64]) { int i, j, k, d, diff, is_neg = 0; int8_t rnaf[103] = {0}; - pt_prj_t Q, R; - pt_aff_t lut; + pt_prj_t Q = {0}, R = {0}; + pt_aff_t lut = {0}; scalar_rwnaf(rnaf, scalar); @@ -4504,6 +4607,12 @@ static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[64]) { fiat_id_tc26_gost_3410_2012_512_paramSetC_carry_mul(out->Y, Q.Y, Q.Z); } +/*- + * Wrapper: simultaneous scalar mutiplication. + * outx, outy := a * G + b * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul_two(unsigned char outx[64], unsigned char outy[64], const unsigned char a[64], const unsigned char b[64], const unsigned char inx[64], @@ -4519,6 +4628,11 @@ static void point_mul_two(unsigned char outx[64], unsigned char outy[64], fiat_id_tc26_gost_3410_2012_512_paramSetC_to_bytes(outy, P.Y); } +/*- + * Wrapper: fixed scalar mutiplication. + * outx, outy := scalar * G + * Everything is LE byte ordering. + */ static void point_mul_g(unsigned char outx[64], unsigned char outy[64], const unsigned char scalar[64]) { pt_aff_t P; @@ -4529,6 +4643,12 @@ static void point_mul_g(unsigned char outx[64], unsigned char outy[64], fiat_id_tc26_gost_3410_2012_512_paramSetC_to_bytes(outy, P.Y); } +/*- + * Wrapper: variable point scalar mutiplication. + * outx, outy := scalar * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul(unsigned char outx[64], unsigned char outy[64], const unsigned char scalar[64], const unsigned char inx[64], @@ -4546,8 +4666,13 @@ static void point_mul(unsigned char outx[64], unsigned char outy[64], #include +/* the zero field element */ static const unsigned char const_zb[64] = {0}; +/*- + * An OpenSSL wrapper for simultaneous scalar multiplication. + * r := n * G + m * q + */ int point_mul_two_id_tc26_gost_3410_2012_512_paramSetC( const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, @@ -4586,6 +4711,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for variable point scalar multiplication. + * r := m * q + */ int point_mul_id_tc26_gost_3410_2012_512_paramSetC(const EC_GROUP *group, EC_POINT *r, @@ -4625,6 +4754,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for fixed scalar multiplication. + * r := n * G + */ int point_mul_g_id_tc26_gost_3410_2012_512_paramSetC(const EC_GROUP *group, EC_POINT *r, @@ -4671,6 +4804,10 @@ err: typedef uint32_t fe_t[LIMB_CNT]; typedef uint32_t limb_t; +#ifdef OPENSSL_NO_ASM +#define FIAT_ID_TC26_GOST_3410_2012_512_PARAMSETC_NO_ASM +#endif + #define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) #define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) @@ -4721,18 +4858,19 @@ typedef struct { * SOFTWARE. */ -/* Autogenerated: unsaturated_solinas --static id_tc26_gost_3410_2012_512_paramSetC 32 '(auto)' '2^512 - 569' */ +/* Autogenerated: unsaturated_solinas --static --use-value-barrier id_tc26_gost_3410_2012_512_paramSetC 32 '(auto)' '2^512 - 569' */ /* curve description: id_tc26_gost_3410_2012_512_paramSetC */ /* machine_wordsize = 32 (from "32") */ /* requested operations: (all) */ /* n = 23 (from "(auto)") */ /* s-c = 2^512 - [(1, 569)] (from "2^512 - 569") */ -/* tight_bounds_multiplier = 1.1 (from "") */ +/* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ /* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 0, 1] */ /* eval z = z[0] + (z[1] << 23) + (z[2] << 45) + (z[3] << 67) + (z[4] << 90) + (z[5] << 112) + (z[6] << 134) + (z[7] << 156) + (z[8] << 179) + (z[9] << 201) + (z[10] << 223) + (z[11] << 245) + (z[12] << 0x10c) + (z[13] << 0x122) + (z[14] << 0x138) + (z[15] << 0x14e) + (z[16] << 0x165) + (z[17] << 0x17b) + (z[18] << 0x191) + (z[19] << 0x1a7) + (z[20] << 0x1be) + (z[21] << 0x1d4) + (z[22] << 0x1ea) */ /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) */ +/* balance = [0xfffb8e, 0x7ffffe, 0x7ffffe, 0xfffffe, 0x7ffffe, 0x7ffffe, 0x7ffffe, 0xfffffe, 0x7ffffe, 0x7ffffe, 0x7ffffe, 0xfffffe, 0x7ffffe, 0x7ffffe, 0x7ffffe, 0xfffffe, 0x7ffffe, 0x7ffffe, 0x7ffffe, 0xfffffe, 0x7ffffe, 0x7ffffe, 0x7ffffe] */ #include typedef unsigned char fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1; @@ -4742,6 +4880,17 @@ typedef signed char fiat_id_tc26_gost_3410_2012_512_paramSetC_int1; #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_ID_TC26_GOST_3410_2012_512_PARAMSETC_NO_ASM) && \ + (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint32_t +fiat_id_tc26_gost_3410_2012_512_paramSetC_value_barrier_u32(uint32_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +#define fiat_id_tc26_gost_3410_2012_512_paramSetC_value_barrier_u32(x) (x) +#endif + /* * The function fiat_id_tc26_gost_3410_2012_512_paramSetC_addcarryx_u22 is an addition with carry. * Postconditions: @@ -4875,7 +5024,10 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_cmovznz_u32( x1 = (!(!arg1)); x2 = ((fiat_id_tc26_gost_3410_2012_512_paramSetC_int1)(0x0 - x1) & UINT32_C(0xffffffff)); - x3 = ((x2 & arg3) | ((~x2) & arg2)); + x3 = ((fiat_id_tc26_gost_3410_2012_512_paramSetC_value_barrier_u32(x2) & + arg3) | + (fiat_id_tc26_gost_3410_2012_512_paramSetC_value_barrier_u32((~x2)) & + arg2)); *out1 = x3; } @@ -4885,10 +5037,10 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_cmovznz_u32( * eval out1 mod m = (eval arg1 * eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332]] - * arg2: [[0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332]] + * arg1: [[0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000]] + * arg2: [[0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000]] * Output Bounds: - * out1: [[0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666]] + * out1: [[0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_carry_mul( uint32_t out1[23], const uint32_t arg1[23], const uint32_t arg2[23]) { @@ -6617,9 +6769,9 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_carry_mul( * eval out1 mod m = (eval arg1 * eval arg1) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332]] + * arg1: [[0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000]] * Output Bounds: - * out1: [[0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666]] + * out1: [[0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_carry_square( uint32_t out1[23], const uint32_t arg1[23]) { @@ -7607,9 +7759,9 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_carry_square( * eval out1 mod m = eval arg1 mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332]] + * arg1: [[0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000]] * Output Bounds: - * out1: [[0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666]] + * out1: [[0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_carry( uint32_t out1[23], const uint32_t arg1[23]) { @@ -7742,10 +7894,10 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_carry( * eval out1 mod m = (eval arg1 + eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666]] - * arg2: [[0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666]] + * arg1: [[0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000]] + * arg2: [[0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000]] * Output Bounds: - * out1: [[0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332]] + * out1: [[0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_add( uint32_t out1[23], const uint32_t arg1[23], const uint32_t arg2[23]) { @@ -7826,10 +7978,10 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_add( * eval out1 mod m = (eval arg1 - eval arg2) mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666]] - * arg2: [[0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666]] + * arg1: [[0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000]] + * arg2: [[0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000]] * Output Bounds: - * out1: [[0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332]] + * out1: [[0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_sub( uint32_t out1[23], const uint32_t arg1[23], const uint32_t arg2[23]) { @@ -7910,9 +8062,9 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_sub( * eval out1 mod m = -eval arg1 mod m * * Input Bounds: - * arg1: [[0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666]] + * arg1: [[0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000]] * Output Bounds: - * out1: [[0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0x1a66664], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332], [0x0 ~> 0xd33332]] + * out1: [[0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0x1800000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000], [0x0 ~> 0xc00000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_opp( uint32_t out1[23], const uint32_t arg1[23]) { @@ -8102,7 +8254,7 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_selectznz( * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..63] * * Input Bounds: - * arg1: [[0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666]] + * arg1: [[0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000]] * Output Bounds: * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] */ @@ -8221,150 +8373,148 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_to_bytes( uint32_t x111; uint32_t x112; uint32_t x113; - uint32_t x114; - uint8_t x115; + uint8_t x114; + uint32_t x115; uint8_t x116; uint8_t x117; uint32_t x118; - uint32_t x119; - uint8_t x120; - uint32_t x121; - uint8_t x122; + uint8_t x119; + uint32_t x120; + uint8_t x121; + uint32_t x122; uint8_t x123; uint8_t x124; uint32_t x125; - uint32_t x126; - uint8_t x127; - uint32_t x128; - uint8_t x129; + uint8_t x126; + uint32_t x127; + uint8_t x128; + uint32_t x129; uint8_t x130; uint8_t x131; uint32_t x132; - uint32_t x133; - uint8_t x134; - uint32_t x135; - uint8_t x136; + uint8_t x133; + uint32_t x134; + uint8_t x135; + uint32_t x136; uint8_t x137; uint8_t x138; uint32_t x139; - uint32_t x140; - uint8_t x141; + uint8_t x140; + uint32_t x141; uint8_t x142; uint8_t x143; uint8_t x144; uint32_t x145; uint8_t x146; uint8_t x147; - uint8_t x148; - uint32_t x149; + uint32_t x148; + uint8_t x149; uint32_t x150; uint8_t x151; uint32_t x152; uint8_t x153; uint8_t x154; - uint8_t x155; - uint32_t x156; + uint32_t x155; + uint8_t x156; uint32_t x157; uint8_t x158; uint32_t x159; uint8_t x160; uint8_t x161; - uint8_t x162; - uint32_t x163; + uint32_t x162; + uint8_t x163; uint32_t x164; uint8_t x165; uint32_t x166; uint8_t x167; fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1 x168; - uint8_t x169; - uint32_t x170; + uint32_t x169; + uint8_t x170; uint32_t x171; uint8_t x172; uint8_t x173; - uint8_t x174; - uint32_t x175; + uint32_t x174; + uint8_t x175; uint32_t x176; uint8_t x177; uint32_t x178; uint8_t x179; uint8_t x180; - uint8_t x181; - uint32_t x182; + uint32_t x181; + uint8_t x182; uint32_t x183; uint8_t x184; uint32_t x185; uint8_t x186; uint8_t x187; - uint8_t x188; - uint32_t x189; + uint32_t x188; + uint8_t x189; uint32_t x190; uint8_t x191; uint32_t x192; uint8_t x193; uint8_t x194; - uint8_t x195; - uint32_t x196; + uint32_t x195; + uint8_t x196; uint32_t x197; uint8_t x198; uint8_t x199; uint8_t x200; - uint8_t x201; - uint32_t x202; + uint32_t x201; + uint8_t x202; uint8_t x203; - uint8_t x204; + uint32_t x204; uint8_t x205; uint32_t x206; - uint32_t x207; - uint8_t x208; - uint32_t x209; + uint8_t x207; + uint32_t x208; + uint8_t x209; uint8_t x210; - uint8_t x211; + uint32_t x211; uint8_t x212; uint32_t x213; - uint32_t x214; - uint8_t x215; - uint32_t x216; + uint8_t x214; + uint32_t x215; + uint8_t x216; uint8_t x217; - uint8_t x218; + uint32_t x218; uint8_t x219; uint32_t x220; - uint32_t x221; - uint8_t x222; - uint32_t x223; - uint8_t x224; - fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1 x225; + uint8_t x221; + uint32_t x222; + uint8_t x223; + fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1 x224; + uint32_t x225; uint8_t x226; uint32_t x227; - uint32_t x228; + uint8_t x228; uint8_t x229; - uint8_t x230; + uint32_t x230; uint8_t x231; uint32_t x232; - uint32_t x233; - uint8_t x234; - uint32_t x235; + uint8_t x233; + uint32_t x234; + uint8_t x235; uint8_t x236; - uint8_t x237; + uint32_t x237; uint8_t x238; uint32_t x239; - uint32_t x240; - uint8_t x241; - uint32_t x242; + uint8_t x240; + uint32_t x241; + uint8_t x242; uint8_t x243; - uint8_t x244; + uint32_t x244; uint8_t x245; uint32_t x246; - uint32_t x247; - uint8_t x248; - uint32_t x249; + uint8_t x247; + uint32_t x248; + uint8_t x249; uint8_t x250; - uint8_t x251; + uint32_t x251; uint8_t x252; uint32_t x253; - uint32_t x254; + uint8_t x254; uint8_t x255; - uint8_t x256; - uint8_t x257; fiat_id_tc26_gost_3410_2012_512_paramSetC_subborrowx_u23( &x1, &x2, 0x0, (arg1[0]), UINT32_C(0x7ffdc7)); fiat_id_tc26_gost_3410_2012_512_paramSetC_subborrowx_u22( @@ -8479,214 +8629,212 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_to_bytes( x111 = (x54 << 3); x112 = (x52 << 5); x113 = (x50 << 7); - x114 = (x48 >> 8); - x115 = (uint8_t)(x48 & UINT8_C(0xff)); - x116 = (uint8_t)(x114 >> 8); - x117 = (uint8_t)(x114 & UINT8_C(0xff)); - x118 = (x116 + x113); - x119 = (x118 >> 8); - x120 = (uint8_t)(x118 & UINT8_C(0xff)); - x121 = (x119 >> 8); - x122 = (uint8_t)(x119 & UINT8_C(0xff)); - x123 = (uint8_t)(x121 >> 8); - x124 = (uint8_t)(x121 & UINT8_C(0xff)); - x125 = (x123 + x112); - x126 = (x125 >> 8); - x127 = (uint8_t)(x125 & UINT8_C(0xff)); - x128 = (x126 >> 8); - x129 = (uint8_t)(x126 & UINT8_C(0xff)); - x130 = (uint8_t)(x128 >> 8); - x131 = (uint8_t)(x128 & UINT8_C(0xff)); - x132 = (x130 + x111); - x133 = (x132 >> 8); - x134 = (uint8_t)(x132 & UINT8_C(0xff)); - x135 = (x133 >> 8); - x136 = (uint8_t)(x133 & UINT8_C(0xff)); - x137 = (uint8_t)(x135 >> 8); - x138 = (uint8_t)(x135 & UINT8_C(0xff)); - x139 = (x137 + x110); - x140 = (x139 >> 8); - x141 = (uint8_t)(x139 & UINT8_C(0xff)); - x142 = (uint8_t)(x140 >> 8); - x143 = (uint8_t)(x140 & UINT8_C(0xff)); - x144 = (uint8_t)(x142 & UINT8_C(0xff)); + x114 = (uint8_t)(x48 & UINT8_C(0xff)); + x115 = (x48 >> 8); + x116 = (uint8_t)(x115 & UINT8_C(0xff)); + x117 = (uint8_t)(x115 >> 8); + x118 = (x113 + (uint32_t)x117); + x119 = (uint8_t)(x118 & UINT8_C(0xff)); + x120 = (x118 >> 8); + x121 = (uint8_t)(x120 & UINT8_C(0xff)); + x122 = (x120 >> 8); + x123 = (uint8_t)(x122 & UINT8_C(0xff)); + x124 = (uint8_t)(x122 >> 8); + x125 = (x112 + (uint32_t)x124); + x126 = (uint8_t)(x125 & UINT8_C(0xff)); + x127 = (x125 >> 8); + x128 = (uint8_t)(x127 & UINT8_C(0xff)); + x129 = (x127 >> 8); + x130 = (uint8_t)(x129 & UINT8_C(0xff)); + x131 = (uint8_t)(x129 >> 8); + x132 = (x111 + (uint32_t)x131); + x133 = (uint8_t)(x132 & UINT8_C(0xff)); + x134 = (x132 >> 8); + x135 = (uint8_t)(x134 & UINT8_C(0xff)); + x136 = (x134 >> 8); + x137 = (uint8_t)(x136 & UINT8_C(0xff)); + x138 = (uint8_t)(x136 >> 8); + x139 = (x110 + (uint32_t)x138); + x140 = (uint8_t)(x139 & UINT8_C(0xff)); + x141 = (x139 >> 8); + x142 = (uint8_t)(x141 & UINT8_C(0xff)); + x143 = (uint8_t)(x141 >> 8); + x144 = (uint8_t)(x58 & UINT8_C(0xff)); x145 = (x58 >> 8); - x146 = (uint8_t)(x58 & UINT8_C(0xff)); + x146 = (uint8_t)(x145 & UINT8_C(0xff)); x147 = (uint8_t)(x145 >> 8); - x148 = (uint8_t)(x145 & UINT8_C(0xff)); - x149 = (x147 + x109); - x150 = (x149 >> 8); - x151 = (uint8_t)(x149 & UINT8_C(0xff)); + x148 = (x109 + (uint32_t)x147); + x149 = (uint8_t)(x148 & UINT8_C(0xff)); + x150 = (x148 >> 8); + x151 = (uint8_t)(x150 & UINT8_C(0xff)); x152 = (x150 >> 8); - x153 = (uint8_t)(x150 & UINT8_C(0xff)); + x153 = (uint8_t)(x152 & UINT8_C(0xff)); x154 = (uint8_t)(x152 >> 8); - x155 = (uint8_t)(x152 & UINT8_C(0xff)); - x156 = (x154 + x108); - x157 = (x156 >> 8); - x158 = (uint8_t)(x156 & UINT8_C(0xff)); + x155 = (x108 + (uint32_t)x154); + x156 = (uint8_t)(x155 & UINT8_C(0xff)); + x157 = (x155 >> 8); + x158 = (uint8_t)(x157 & UINT8_C(0xff)); x159 = (x157 >> 8); - x160 = (uint8_t)(x157 & UINT8_C(0xff)); + x160 = (uint8_t)(x159 & UINT8_C(0xff)); x161 = (uint8_t)(x159 >> 8); - x162 = (uint8_t)(x159 & UINT8_C(0xff)); - x163 = (x161 + x107); - x164 = (x163 >> 8); - x165 = (uint8_t)(x163 & UINT8_C(0xff)); + x162 = (x107 + (uint32_t)x161); + x163 = (uint8_t)(x162 & UINT8_C(0xff)); + x164 = (x162 >> 8); + x165 = (uint8_t)(x164 & UINT8_C(0xff)); x166 = (x164 >> 8); - x167 = (uint8_t)(x164 & UINT8_C(0xff)); + x167 = (uint8_t)(x166 & UINT8_C(0xff)); x168 = (fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1)(x166 >> 8); - x169 = (uint8_t)(x166 & UINT8_C(0xff)); - x170 = (x168 + x106); - x171 = (x170 >> 8); - x172 = (uint8_t)(x170 & UINT8_C(0xff)); + x169 = (x106 + (uint32_t)x168); + x170 = (uint8_t)(x169 & UINT8_C(0xff)); + x171 = (x169 >> 8); + x172 = (uint8_t)(x171 & UINT8_C(0xff)); x173 = (uint8_t)(x171 >> 8); - x174 = (uint8_t)(x171 & UINT8_C(0xff)); - x175 = (x173 + x105); - x176 = (x175 >> 8); - x177 = (uint8_t)(x175 & UINT8_C(0xff)); + x174 = (x105 + (uint32_t)x173); + x175 = (uint8_t)(x174 & UINT8_C(0xff)); + x176 = (x174 >> 8); + x177 = (uint8_t)(x176 & UINT8_C(0xff)); x178 = (x176 >> 8); - x179 = (uint8_t)(x176 & UINT8_C(0xff)); + x179 = (uint8_t)(x178 & UINT8_C(0xff)); x180 = (uint8_t)(x178 >> 8); - x181 = (uint8_t)(x178 & UINT8_C(0xff)); - x182 = (x180 + x104); - x183 = (x182 >> 8); - x184 = (uint8_t)(x182 & UINT8_C(0xff)); + x181 = (x104 + (uint32_t)x180); + x182 = (uint8_t)(x181 & UINT8_C(0xff)); + x183 = (x181 >> 8); + x184 = (uint8_t)(x183 & UINT8_C(0xff)); x185 = (x183 >> 8); - x186 = (uint8_t)(x183 & UINT8_C(0xff)); + x186 = (uint8_t)(x185 & UINT8_C(0xff)); x187 = (uint8_t)(x185 >> 8); - x188 = (uint8_t)(x185 & UINT8_C(0xff)); - x189 = (x187 + x103); - x190 = (x189 >> 8); - x191 = (uint8_t)(x189 & UINT8_C(0xff)); + x188 = (x103 + (uint32_t)x187); + x189 = (uint8_t)(x188 & UINT8_C(0xff)); + x190 = (x188 >> 8); + x191 = (uint8_t)(x190 & UINT8_C(0xff)); x192 = (x190 >> 8); - x193 = (uint8_t)(x190 & UINT8_C(0xff)); + x193 = (uint8_t)(x192 & UINT8_C(0xff)); x194 = (uint8_t)(x192 >> 8); - x195 = (uint8_t)(x192 & UINT8_C(0xff)); - x196 = (x194 + x102); - x197 = (x196 >> 8); - x198 = (uint8_t)(x196 & UINT8_C(0xff)); + x195 = (x102 + (uint32_t)x194); + x196 = (uint8_t)(x195 & UINT8_C(0xff)); + x197 = (x195 >> 8); + x198 = (uint8_t)(x197 & UINT8_C(0xff)); x199 = (uint8_t)(x197 >> 8); - x200 = (uint8_t)(x197 & UINT8_C(0xff)); - x201 = (uint8_t)(x199 & UINT8_C(0xff)); - x202 = (x76 >> 8); - x203 = (uint8_t)(x76 & UINT8_C(0xff)); - x204 = (uint8_t)(x202 >> 8); - x205 = (uint8_t)(x202 & UINT8_C(0xff)); - x206 = (x204 + x101); - x207 = (x206 >> 8); - x208 = (uint8_t)(x206 & UINT8_C(0xff)); - x209 = (x207 >> 8); - x210 = (uint8_t)(x207 & UINT8_C(0xff)); - x211 = (uint8_t)(x209 >> 8); - x212 = (uint8_t)(x209 & UINT8_C(0xff)); - x213 = (x211 + x100); - x214 = (x213 >> 8); - x215 = (uint8_t)(x213 & UINT8_C(0xff)); - x216 = (x214 >> 8); - x217 = (uint8_t)(x214 & UINT8_C(0xff)); - x218 = (uint8_t)(x216 >> 8); - x219 = (uint8_t)(x216 & UINT8_C(0xff)); - x220 = (x218 + x99); - x221 = (x220 >> 8); - x222 = (uint8_t)(x220 & UINT8_C(0xff)); - x223 = (x221 >> 8); - x224 = (uint8_t)(x221 & UINT8_C(0xff)); - x225 = (fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1)(x223 >> 8); - x226 = (uint8_t)(x223 & UINT8_C(0xff)); - x227 = (x225 + x98); - x228 = (x227 >> 8); - x229 = (uint8_t)(x227 & UINT8_C(0xff)); - x230 = (uint8_t)(x228 >> 8); - x231 = (uint8_t)(x228 & UINT8_C(0xff)); - x232 = (x230 + x97); - x233 = (x232 >> 8); - x234 = (uint8_t)(x232 & UINT8_C(0xff)); - x235 = (x233 >> 8); - x236 = (uint8_t)(x233 & UINT8_C(0xff)); - x237 = (uint8_t)(x235 >> 8); - x238 = (uint8_t)(x235 & UINT8_C(0xff)); - x239 = (x237 + x96); - x240 = (x239 >> 8); - x241 = (uint8_t)(x239 & UINT8_C(0xff)); - x242 = (x240 >> 8); - x243 = (uint8_t)(x240 & UINT8_C(0xff)); - x244 = (uint8_t)(x242 >> 8); - x245 = (uint8_t)(x242 & UINT8_C(0xff)); - x246 = (x244 + x95); - x247 = (x246 >> 8); - x248 = (uint8_t)(x246 & UINT8_C(0xff)); - x249 = (x247 >> 8); - x250 = (uint8_t)(x247 & UINT8_C(0xff)); - x251 = (uint8_t)(x249 >> 8); - x252 = (uint8_t)(x249 & UINT8_C(0xff)); - x253 = (x251 + x94); - x254 = (x253 >> 8); - x255 = (uint8_t)(x253 & UINT8_C(0xff)); - x256 = (uint8_t)(x254 >> 8); - x257 = (uint8_t)(x254 & UINT8_C(0xff)); - out1[0] = x115; - out1[1] = x117; - out1[2] = x120; - out1[3] = x122; - out1[4] = x124; - out1[5] = x127; - out1[6] = x129; - out1[7] = x131; - out1[8] = x134; - out1[9] = x136; - out1[10] = x138; - out1[11] = x141; - out1[12] = x143; - out1[13] = x144; - out1[14] = x146; - out1[15] = x148; - out1[16] = x151; - out1[17] = x153; - out1[18] = x155; - out1[19] = x158; - out1[20] = x160; - out1[21] = x162; - out1[22] = x165; - out1[23] = x167; - out1[24] = x169; - out1[25] = x172; - out1[26] = x174; - out1[27] = x177; - out1[28] = x179; - out1[29] = x181; - out1[30] = x184; - out1[31] = x186; - out1[32] = x188; - out1[33] = x191; - out1[34] = x193; - out1[35] = x195; - out1[36] = x198; - out1[37] = x200; - out1[38] = x201; - out1[39] = x203; - out1[40] = x205; - out1[41] = x208; - out1[42] = x210; - out1[43] = x212; - out1[44] = x215; - out1[45] = x217; - out1[46] = x219; - out1[47] = x222; - out1[48] = x224; - out1[49] = x226; - out1[50] = x229; - out1[51] = x231; - out1[52] = x234; - out1[53] = x236; - out1[54] = x238; - out1[55] = x241; - out1[56] = x243; - out1[57] = x245; - out1[58] = x248; - out1[59] = x250; - out1[60] = x252; - out1[61] = x255; - out1[62] = x257; - out1[63] = x256; + x200 = (uint8_t)(x76 & UINT8_C(0xff)); + x201 = (x76 >> 8); + x202 = (uint8_t)(x201 & UINT8_C(0xff)); + x203 = (uint8_t)(x201 >> 8); + x204 = (x101 + (uint32_t)x203); + x205 = (uint8_t)(x204 & UINT8_C(0xff)); + x206 = (x204 >> 8); + x207 = (uint8_t)(x206 & UINT8_C(0xff)); + x208 = (x206 >> 8); + x209 = (uint8_t)(x208 & UINT8_C(0xff)); + x210 = (uint8_t)(x208 >> 8); + x211 = (x100 + (uint32_t)x210); + x212 = (uint8_t)(x211 & UINT8_C(0xff)); + x213 = (x211 >> 8); + x214 = (uint8_t)(x213 & UINT8_C(0xff)); + x215 = (x213 >> 8); + x216 = (uint8_t)(x215 & UINT8_C(0xff)); + x217 = (uint8_t)(x215 >> 8); + x218 = (x99 + (uint32_t)x217); + x219 = (uint8_t)(x218 & UINT8_C(0xff)); + x220 = (x218 >> 8); + x221 = (uint8_t)(x220 & UINT8_C(0xff)); + x222 = (x220 >> 8); + x223 = (uint8_t)(x222 & UINT8_C(0xff)); + x224 = (fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1)(x222 >> 8); + x225 = (x98 + (uint32_t)x224); + x226 = (uint8_t)(x225 & UINT8_C(0xff)); + x227 = (x225 >> 8); + x228 = (uint8_t)(x227 & UINT8_C(0xff)); + x229 = (uint8_t)(x227 >> 8); + x230 = (x97 + (uint32_t)x229); + x231 = (uint8_t)(x230 & UINT8_C(0xff)); + x232 = (x230 >> 8); + x233 = (uint8_t)(x232 & UINT8_C(0xff)); + x234 = (x232 >> 8); + x235 = (uint8_t)(x234 & UINT8_C(0xff)); + x236 = (uint8_t)(x234 >> 8); + x237 = (x96 + (uint32_t)x236); + x238 = (uint8_t)(x237 & UINT8_C(0xff)); + x239 = (x237 >> 8); + x240 = (uint8_t)(x239 & UINT8_C(0xff)); + x241 = (x239 >> 8); + x242 = (uint8_t)(x241 & UINT8_C(0xff)); + x243 = (uint8_t)(x241 >> 8); + x244 = (x95 + (uint32_t)x243); + x245 = (uint8_t)(x244 & UINT8_C(0xff)); + x246 = (x244 >> 8); + x247 = (uint8_t)(x246 & UINT8_C(0xff)); + x248 = (x246 >> 8); + x249 = (uint8_t)(x248 & UINT8_C(0xff)); + x250 = (uint8_t)(x248 >> 8); + x251 = (x94 + (uint32_t)x250); + x252 = (uint8_t)(x251 & UINT8_C(0xff)); + x253 = (x251 >> 8); + x254 = (uint8_t)(x253 & UINT8_C(0xff)); + x255 = (uint8_t)(x253 >> 8); + out1[0] = x114; + out1[1] = x116; + out1[2] = x119; + out1[3] = x121; + out1[4] = x123; + out1[5] = x126; + out1[6] = x128; + out1[7] = x130; + out1[8] = x133; + out1[9] = x135; + out1[10] = x137; + out1[11] = x140; + out1[12] = x142; + out1[13] = x143; + out1[14] = x144; + out1[15] = x146; + out1[16] = x149; + out1[17] = x151; + out1[18] = x153; + out1[19] = x156; + out1[20] = x158; + out1[21] = x160; + out1[22] = x163; + out1[23] = x165; + out1[24] = x167; + out1[25] = x170; + out1[26] = x172; + out1[27] = x175; + out1[28] = x177; + out1[29] = x179; + out1[30] = x182; + out1[31] = x184; + out1[32] = x186; + out1[33] = x189; + out1[34] = x191; + out1[35] = x193; + out1[36] = x196; + out1[37] = x198; + out1[38] = x199; + out1[39] = x200; + out1[40] = x202; + out1[41] = x205; + out1[42] = x207; + out1[43] = x209; + out1[44] = x212; + out1[45] = x214; + out1[46] = x216; + out1[47] = x219; + out1[48] = x221; + out1[49] = x223; + out1[50] = x226; + out1[51] = x228; + out1[52] = x231; + out1[53] = x233; + out1[54] = x235; + out1[55] = x238; + out1[56] = x240; + out1[57] = x242; + out1[58] = x245; + out1[59] = x247; + out1[60] = x249; + out1[61] = x252; + out1[62] = x254; + out1[63] = x255; } /* @@ -8697,7 +8845,7 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_to_bytes( * Input Bounds: * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] * Output Bounds: - * out1: [[0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x8ccccc], [0x0 ~> 0x466666], [0x0 ~> 0x466666], [0x0 ~> 0x466666]] + * out1: [[0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x800000], [0x0 ~> 0x400000], [0x0 ~> 0x400000], [0x0 ~> 0x400000]] */ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_from_bytes( uint32_t out1[23], const uint8_t arg1[64]) { @@ -8766,90 +8914,106 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_from_bytes( uint32_t x63; uint8_t x64; uint32_t x65; - fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1 x66; + uint32_t x66; uint32_t x67; - uint32_t x68; + fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1 x68; uint32_t x69; uint32_t x70; uint32_t x71; uint32_t x72; - uint32_t x73; + uint8_t x73; uint32_t x74; uint32_t x75; uint32_t x76; uint32_t x77; - uint32_t x78; + uint8_t x78; uint32_t x79; uint32_t x80; uint32_t x81; uint32_t x82; - uint32_t x83; + uint8_t x83; uint32_t x84; uint32_t x85; uint32_t x86; uint32_t x87; uint32_t x88; - uint32_t x89; + uint8_t x89; uint32_t x90; - uint8_t x91; + uint32_t x91; uint32_t x92; uint32_t x93; uint8_t x94; uint32_t x95; uint32_t x96; - uint8_t x97; + uint32_t x97; uint32_t x98; - uint32_t x99; + uint8_t x99; uint32_t x100; - uint8_t x101; + uint32_t x101; uint32_t x102; uint32_t x103; uint8_t x104; uint32_t x105; uint32_t x106; - uint8_t x107; - uint32_t x108; + uint32_t x107; + fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1 x108; uint32_t x109; - uint8_t x110; + uint32_t x110; uint32_t x111; uint32_t x112; - fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1 x113; + uint8_t x113; uint32_t x114; uint32_t x115; - uint8_t x116; + uint32_t x116; uint32_t x117; - uint32_t x118; - uint8_t x119; + uint8_t x118; + uint32_t x119; uint32_t x120; uint32_t x121; - uint8_t x122; - uint32_t x123; + uint32_t x122; + uint8_t x123; uint32_t x124; uint32_t x125; - uint8_t x126; + uint32_t x126; uint32_t x127; uint32_t x128; uint8_t x129; uint32_t x130; uint32_t x131; - uint8_t x132; + uint32_t x132; uint32_t x133; - uint32_t x134; - uint8_t x135; + uint8_t x134; + uint32_t x135; uint32_t x136; uint32_t x137; - fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1 x138; - uint32_t x139; + uint32_t x138; + uint8_t x139; uint32_t x140; - uint8_t x141; + uint32_t x141; uint32_t x142; uint32_t x143; uint8_t x144; uint32_t x145; uint32_t x146; - uint8_t x147; - uint32_t x148; + uint32_t x147; + fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1 x148; uint32_t x149; + uint32_t x150; + uint32_t x151; + uint32_t x152; + uint8_t x153; + uint32_t x154; + uint32_t x155; + uint32_t x156; + uint32_t x157; + uint8_t x158; + uint32_t x159; + uint32_t x160; + uint32_t x161; + uint32_t x162; + uint8_t x163; + uint32_t x164; + uint32_t x165; x1 = ((uint32_t)(arg1[63]) << 14); x2 = ((uint32_t)(arg1[62]) << 6); x3 = ((uint32_t)(arg1[61]) << 20); @@ -8914,114 +9078,130 @@ static void fiat_id_tc26_gost_3410_2012_512_paramSetC_from_bytes( x62 = ((uint32_t)(arg1[2]) << 16); x63 = ((uint32_t)(arg1[1]) << 8); x64 = (arg1[0]); - x65 = (x64 + (x63 + x62)); - x66 = (fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1)(x65 >> 23); - x67 = (x65 & UINT32_C(0x7fffff)); - x68 = (x2 + x1); - x69 = (x5 + (x4 + x3)); - x70 = (x8 + (x7 + x6)); - x71 = (x11 + (x10 + x9)); - x72 = (x13 + x12); - x73 = (x16 + (x15 + x14)); - x74 = (x19 + (x18 + x17)); - x75 = (x22 + (x21 + x20)); - x76 = (x25 + (x24 + x23)); - x77 = (x27 + x26); - x78 = (x30 + (x29 + x28)); - x79 = (x33 + (x32 + x31)); - x80 = (x36 + (x35 + x34)); - x81 = (x38 + x37); - x82 = (x41 + (x40 + x39)); - x83 = (x44 + (x43 + x42)); - x84 = (x47 + (x46 + x45)); - x85 = (x50 + (x49 + x48)); - x86 = (x52 + x51); - x87 = (x55 + (x54 + x53)); - x88 = (x58 + (x57 + x56)); - x89 = (x61 + (x60 + x59)); - x90 = (x66 + x89); - x91 = (uint8_t)(x90 >> 22); - x92 = (x90 & UINT32_C(0x3fffff)); - x93 = (x91 + x88); - x94 = (uint8_t)(x93 >> 22); - x95 = (x93 & UINT32_C(0x3fffff)); - x96 = (x94 + x87); - x97 = (uint8_t)(x96 >> 23); - x98 = (x96 & UINT32_C(0x7fffff)); - x99 = (x97 + x86); - x100 = (x99 & UINT32_C(0x3fffff)); - x101 = (uint8_t)(x85 >> 22); - x102 = (x85 & UINT32_C(0x3fffff)); - x103 = (x101 + x84); - x104 = (uint8_t)(x103 >> 22); - x105 = (x103 & UINT32_C(0x3fffff)); - x106 = (x104 + x83); - x107 = (uint8_t)(x106 >> 23); - x108 = (x106 & UINT32_C(0x7fffff)); - x109 = (x107 + x82); - x110 = (uint8_t)(x109 >> 22); - x111 = (x109 & UINT32_C(0x3fffff)); - x112 = (x110 + x81); - x113 = (fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1)(x112 >> 22); - x114 = (x112 & UINT32_C(0x3fffff)); - x115 = (x113 + x80); - x116 = (uint8_t)(x115 >> 22); - x117 = (x115 & UINT32_C(0x3fffff)); - x118 = (x116 + x79); - x119 = (uint8_t)(x118 >> 23); - x120 = (x118 & UINT32_C(0x7fffff)); - x121 = (x119 + x78); - x122 = (uint8_t)(x121 >> 22); - x123 = (x121 & UINT32_C(0x3fffff)); - x124 = (x122 + x77); - x125 = (x124 & UINT32_C(0x3fffff)); - x126 = (uint8_t)(x76 >> 22); - x127 = (x76 & UINT32_C(0x3fffff)); - x128 = (x126 + x75); - x129 = (uint8_t)(x128 >> 23); - x130 = (x128 & UINT32_C(0x7fffff)); - x131 = (x129 + x74); - x132 = (uint8_t)(x131 >> 22); - x133 = (x131 & UINT32_C(0x3fffff)); - x134 = (x132 + x73); - x135 = (uint8_t)(x134 >> 22); - x136 = (x134 & UINT32_C(0x3fffff)); - x137 = (x135 + x72); - x138 = (fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1)(x137 >> 22); - x139 = (x137 & UINT32_C(0x3fffff)); - x140 = (x138 + x71); - x141 = (uint8_t)(x140 >> 23); - x142 = (x140 & UINT32_C(0x7fffff)); - x143 = (x141 + x70); - x144 = (uint8_t)(x143 >> 22); - x145 = (x143 & UINT32_C(0x3fffff)); - x146 = (x144 + x69); - x147 = (uint8_t)(x146 >> 22); - x148 = (x146 & UINT32_C(0x3fffff)); - x149 = (x147 + x68); + x65 = (x63 + (uint32_t)x64); + x66 = (x62 + x65); + x67 = (x66 & UINT32_C(0x7fffff)); + x68 = (fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1)(x66 >> 23); + x69 = (x61 + (uint32_t)x68); + x70 = (x60 + x69); + x71 = (x59 + x70); + x72 = (x71 & UINT32_C(0x3fffff)); + x73 = (uint8_t)(x71 >> 22); + x74 = (x58 + (uint32_t)x73); + x75 = (x57 + x74); + x76 = (x56 + x75); + x77 = (x76 & UINT32_C(0x3fffff)); + x78 = (uint8_t)(x76 >> 22); + x79 = (x55 + (uint32_t)x78); + x80 = (x54 + x79); + x81 = (x53 + x80); + x82 = (x81 & UINT32_C(0x7fffff)); + x83 = (uint8_t)(x81 >> 23); + x84 = (x52 + (uint32_t)x83); + x85 = (x51 + x84); + x86 = (x49 + (uint32_t)x50); + x87 = (x48 + x86); + x88 = (x87 & UINT32_C(0x3fffff)); + x89 = (uint8_t)(x87 >> 22); + x90 = (x47 + (uint32_t)x89); + x91 = (x46 + x90); + x92 = (x45 + x91); + x93 = (x92 & UINT32_C(0x3fffff)); + x94 = (uint8_t)(x92 >> 22); + x95 = (x44 + (uint32_t)x94); + x96 = (x43 + x95); + x97 = (x42 + x96); + x98 = (x97 & UINT32_C(0x7fffff)); + x99 = (uint8_t)(x97 >> 23); + x100 = (x41 + (uint32_t)x99); + x101 = (x40 + x100); + x102 = (x39 + x101); + x103 = (x102 & UINT32_C(0x3fffff)); + x104 = (uint8_t)(x102 >> 22); + x105 = (x38 + (uint32_t)x104); + x106 = (x37 + x105); + x107 = (x106 & UINT32_C(0x3fffff)); + x108 = (fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1)(x106 >> 22); + x109 = (x36 + (uint32_t)x108); + x110 = (x35 + x109); + x111 = (x34 + x110); + x112 = (x111 & UINT32_C(0x3fffff)); + x113 = (uint8_t)(x111 >> 22); + x114 = (x33 + (uint32_t)x113); + x115 = (x32 + x114); + x116 = (x31 + x115); + x117 = (x116 & UINT32_C(0x7fffff)); + x118 = (uint8_t)(x116 >> 23); + x119 = (x30 + (uint32_t)x118); + x120 = (x29 + x119); + x121 = (x28 + x120); + x122 = (x121 & UINT32_C(0x3fffff)); + x123 = (uint8_t)(x121 >> 22); + x124 = (x27 + (uint32_t)x123); + x125 = (x26 + x124); + x126 = (x24 + (uint32_t)x25); + x127 = (x23 + x126); + x128 = (x127 & UINT32_C(0x3fffff)); + x129 = (uint8_t)(x127 >> 22); + x130 = (x22 + (uint32_t)x129); + x131 = (x21 + x130); + x132 = (x20 + x131); + x133 = (x132 & UINT32_C(0x7fffff)); + x134 = (uint8_t)(x132 >> 23); + x135 = (x19 + (uint32_t)x134); + x136 = (x18 + x135); + x137 = (x17 + x136); + x138 = (x137 & UINT32_C(0x3fffff)); + x139 = (uint8_t)(x137 >> 22); + x140 = (x16 + (uint32_t)x139); + x141 = (x15 + x140); + x142 = (x14 + x141); + x143 = (x142 & UINT32_C(0x3fffff)); + x144 = (uint8_t)(x142 >> 22); + x145 = (x13 + (uint32_t)x144); + x146 = (x12 + x145); + x147 = (x146 & UINT32_C(0x3fffff)); + x148 = (fiat_id_tc26_gost_3410_2012_512_paramSetC_uint1)(x146 >> 22); + x149 = (x11 + (uint32_t)x148); + x150 = (x10 + x149); + x151 = (x9 + x150); + x152 = (x151 & UINT32_C(0x7fffff)); + x153 = (uint8_t)(x151 >> 23); + x154 = (x8 + (uint32_t)x153); + x155 = (x7 + x154); + x156 = (x6 + x155); + x157 = (x156 & UINT32_C(0x3fffff)); + x158 = (uint8_t)(x156 >> 22); + x159 = (x5 + (uint32_t)x158); + x160 = (x4 + x159); + x161 = (x3 + x160); + x162 = (x161 & UINT32_C(0x3fffff)); + x163 = (uint8_t)(x161 >> 22); + x164 = (x2 + (uint32_t)x163); + x165 = (x1 + x164); out1[0] = x67; - out1[1] = x92; - out1[2] = x95; - out1[3] = x98; - out1[4] = x100; - out1[5] = x102; - out1[6] = x105; - out1[7] = x108; - out1[8] = x111; - out1[9] = x114; - out1[10] = x117; - out1[11] = x120; - out1[12] = x123; + out1[1] = x72; + out1[2] = x77; + out1[3] = x82; + out1[4] = x85; + out1[5] = x88; + out1[6] = x93; + out1[7] = x98; + out1[8] = x103; + out1[9] = x107; + out1[10] = x112; + out1[11] = x117; + out1[12] = x122; out1[13] = x125; - out1[14] = x127; - out1[15] = x130; - out1[16] = x133; - out1[17] = x136; - out1[18] = x139; - out1[19] = x142; - out1[20] = x145; - out1[21] = x148; - out1[22] = x149; + out1[14] = x128; + out1[15] = x133; + out1[16] = x138; + out1[17] = x143; + out1[18] = x147; + out1[19] = x152; + out1[20] = x157; + out1[21] = x162; + out1[22] = x165; } /* END verbatim fiat code */ @@ -12111,7 +12291,7 @@ static void scalar_wnaf(int8_t out[513], const unsigned char in[64]) { } /*- - * Simulateous scalar multiplication: interleaved "textbook" wnaf. + * Simultaneous scalar multiplication: interleaved "textbook" wnaf. * NB: not constant time */ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[64], @@ -12119,7 +12299,7 @@ static void var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[64], int i, d, is_neg, is_inf = 1, flipped = 0; int8_t anaf[513] = {0}; int8_t bnaf[513] = {0}; - pt_prj_t Q; + pt_prj_t Q = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -12193,7 +12373,7 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[64], const pt_aff_t *P) { int i, j, d, diff, is_neg; int8_t rnaf[103] = {0}; - pt_prj_t Q, lut; + pt_prj_t Q = {0}, lut = {0}; pt_prj_t precomp[DRADIX / 2]; precomp_wnaf(precomp, P); @@ -12281,8 +12461,8 @@ static void var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[64], static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[64]) { int i, j, k, d, diff, is_neg = 0; int8_t rnaf[103] = {0}; - pt_prj_t Q, R; - pt_aff_t lut; + pt_prj_t Q = {0}, R = {0}; + pt_aff_t lut = {0}; scalar_rwnaf(rnaf, scalar); @@ -12354,6 +12534,12 @@ static void fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[64]) { fiat_id_tc26_gost_3410_2012_512_paramSetC_carry_mul(out->Y, Q.Y, Q.Z); } +/*- + * Wrapper: simultaneous scalar mutiplication. + * outx, outy := a * G + b * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul_two(unsigned char outx[64], unsigned char outy[64], const unsigned char a[64], const unsigned char b[64], const unsigned char inx[64], @@ -12369,6 +12555,11 @@ static void point_mul_two(unsigned char outx[64], unsigned char outy[64], fiat_id_tc26_gost_3410_2012_512_paramSetC_to_bytes(outy, P.Y); } +/*- + * Wrapper: fixed scalar mutiplication. + * outx, outy := scalar * G + * Everything is LE byte ordering. + */ static void point_mul_g(unsigned char outx[64], unsigned char outy[64], const unsigned char scalar[64]) { pt_aff_t P; @@ -12379,6 +12570,12 @@ static void point_mul_g(unsigned char outx[64], unsigned char outy[64], fiat_id_tc26_gost_3410_2012_512_paramSetC_to_bytes(outy, P.Y); } +/*- + * Wrapper: variable point scalar mutiplication. + * outx, outy := scalar * P + * where P = (inx, iny). + * Everything is LE byte ordering. + */ static void point_mul(unsigned char outx[64], unsigned char outy[64], const unsigned char scalar[64], const unsigned char inx[64], @@ -12396,8 +12593,13 @@ static void point_mul(unsigned char outx[64], unsigned char outy[64], #include +/* the zero field element */ static const unsigned char const_zb[64] = {0}; +/*- + * An OpenSSL wrapper for simultaneous scalar multiplication. + * r := n * G + m * q + */ int point_mul_two_id_tc26_gost_3410_2012_512_paramSetC( const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, @@ -12436,6 +12638,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for variable point scalar multiplication. + * r := m * q + */ int point_mul_id_tc26_gost_3410_2012_512_paramSetC(const EC_GROUP *group, EC_POINT *r, @@ -12475,6 +12681,10 @@ err: return ret; } +/*- + * An OpenSSL wrapper for fixed scalar multiplication. + * r := n * G + */ int point_mul_g_id_tc26_gost_3410_2012_512_paramSetC(const EC_GROUP *group, EC_POINT *r, -- 2.39.2