صفحهٔ اصلی گشت‌و‌گذار راهنما
ورود
torambo.com
/
Momentum-Apps
2
0
انشعاب 0
پرونده‌ها مشکلات 0 درخواست واکشی 0 ویکی
شاخه: dev
شاخه‌ها تگ‌ها
Momentum-Apps
/
flipbip
/
lib
/
crypto
/
ed25519_donna
/
modm_donna_32bit.c

modm_donna_32bit.c 25 KB
لینک دائمی تاريخچه خام

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800 
  1. /*
    2. 

  2. 	Public domain by Andrew M. <liquidsun@gmail.com>
    3. 

  3. */
    4. 

  4. 

  5. #include "ed25519_donna.h"
    6. 

  6. 

  7. /*
    8. 

  8. 	Arithmetic modulo the group order n = 2^252 +  27742317777372353535851937790883648493 = 7237005577332262213973186563042994240857116359379907606001950938285454250989
    9. 

  9. 

  10. 	k = 32
    11. 

  11. 	b = 1 << 8 = 256
    12. 

  12. 	m = 2^252 + 27742317777372353535851937790883648493 = 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed
    13. 

  13. 	mu = floor( b^(k*2) / m ) = 0xfffffffffffffffffffffffffffffffeb2106215d086329a7ed9ce5a30a2c131b
    14. 

  14. */
    15. 

  15. 

  16. static const bignum256modm modm_m = {
    17. 

  17.     0x1cf5d3ed,
    18. 

  18.     0x20498c69,
    19. 

  19.     0x2f79cd65,
    20. 

  20.     0x37be77a8,
    21. 

  21.     0x00000014,
    22. 

  22.     0x00000000,
    23. 

  23.     0x00000000,
    24. 

  24.     0x00000000,
    25. 

  25.     0x00001000};
    26. 

  26. 

  27. static const bignum256modm modm_mu = {
    28. 

  28.     0x0a2c131b,
    29. 

  29.     0x3673968c,
    30. 

  30.     0x06329a7e,
    31. 

  31.     0x01885742,
    32. 

  32.     0x3fffeb21,
    33. 

  33.     0x3fffffff,
    34. 

  34.     0x3fffffff,
    35. 

  35.     0x3fffffff,
    36. 

  36.     0x000fffff};
    37. 

  37. 

  38. static bignum256modm_element_t lt_modm(bignum256modm_element_t a, bignum256modm_element_t b) {
    39. 

  39.     return (a - b) >> 31;
    40. 

  40. }
    41. 

  41. 

  42. /* see HAC, Alg. 14.42 Step 4 */
    43. 

  43. void reduce256_modm(bignum256modm r) {
    44. 

  44.     bignum256modm t = {0};
    45. 

  45.     bignum256modm_element_t b = 0, pb = 0, mask = 0;
    46. 

  46. 

  47.     /* t = r - m */
    48. 

  48.     pb = 0;
    49. 

  49.     pb += modm_m[0];
    50. 

  50.     b = lt_modm(r[0], pb);
    51. 

  51.     t[0] = (r[0] - pb + (b << 30));
    52. 

  52.     pb = b;
    53. 

  53.     pb += modm_m[1];
    54. 

  54.     b = lt_modm(r[1], pb);
    55. 

  55.     t[1] = (r[1] - pb + (b << 30));
    56. 

  56.     pb = b;
    57. 

  57.     pb += modm_m[2];
    58. 

  58.     b = lt_modm(r[2], pb);
    59. 

  59.     t[2] = (r[2] - pb + (b << 30));
    60. 

  60.     pb = b;
    61. 

  61.     pb += modm_m[3];
    62. 

  62.     b = lt_modm(r[3], pb);
    63. 

  63.     t[3] = (r[3] - pb + (b << 30));
    64. 

  64.     pb = b;
    65. 

  65.     pb += modm_m[4];
    66. 

  66.     b = lt_modm(r[4], pb);
    67. 

  67.     t[4] = (r[4] - pb + (b << 30));
    68. 

  68.     pb = b;
    69. 

  69.     pb += modm_m[5];
    70. 

  70.     b = lt_modm(r[5], pb);
    71. 

  71.     t[5] = (r[5] - pb + (b << 30));
    72. 

  72.     pb = b;
    73. 

  73.     pb += modm_m[6];
    74. 

  74.     b = lt_modm(r[6], pb);
    75. 

  75.     t[6] = (r[6] - pb + (b << 30));
    76. 

  76.     pb = b;
    77. 

  77.     pb += modm_m[7];
    78. 

  78.     b = lt_modm(r[7], pb);
    79. 

  79.     t[7] = (r[7] - pb + (b << 30));
    80. 

  80.     pb = b;
    81. 

  81.     pb += modm_m[8];
    82. 

  82.     b = lt_modm(r[8], pb);
    83. 

  83.     t[8] = (r[8] - pb + (b << 16));
    84. 

  84. 

  85.     /* keep r if r was smaller than m */
    86. 

  86.     mask = b - 1;
    87. 

  87.     r[0] ^= mask & (r[0] ^ t[0]);
    88. 

  88.     r[1] ^= mask & (r[1] ^ t[1]);
    89. 

  89.     r[2] ^= mask & (r[2] ^ t[2]);
    90. 

  90.     r[3] ^= mask & (r[3] ^ t[3]);
    91. 

  91.     r[4] ^= mask & (r[4] ^ t[4]);
    92. 

  92.     r[5] ^= mask & (r[5] ^ t[5]);
    93. 

  93.     r[6] ^= mask & (r[6] ^ t[6]);
    94. 

  94.     r[7] ^= mask & (r[7] ^ t[7]);
    95. 

  95.     r[8] ^= mask & (r[8] ^ t[8]);
    96. 

  96. }
    97. 

  97. 

  98. /*
    99. 

  99. 	Barrett reduction,  see HAC, Alg. 14.42
    100. 

  100. 

  101. 	Instead of passing in x, pre-process in to q1 and r1 for efficiency
    102. 

  102. */
    103. 

  103. void barrett_reduce256_modm(bignum256modm r, const bignum256modm q1, const bignum256modm r1) {
    104. 

  104.     bignum256modm q3 = {0}, r2 = {0};
    105. 

  105.     uint64_t c = 0;
    106. 

  106.     bignum256modm_element_t f = 0, b = 0, pb = 0;
    107. 

  107. 

  108.     /* q1 = x >> 248 = 264 bits = 9 30 bit elements
    109. 

  109. 	   q2 = mu * q1
    110. 

  110. 	   q3 = (q2 / 256(32+1)) = q2 / (2^8)^(32+1) = q2 >> 264 */
    111. 

  111.     c = mul32x32_64(modm_mu[0], q1[7]) + mul32x32_64(modm_mu[1], q1[6]) +
    112. 

  112.         mul32x32_64(modm_mu[2], q1[5]) + mul32x32_64(modm_mu[3], q1[4]) +
    113. 

  113.         mul32x32_64(modm_mu[4], q1[3]) + mul32x32_64(modm_mu[5], q1[2]) +
    114. 

  114.         mul32x32_64(modm_mu[6], q1[1]) + mul32x32_64(modm_mu[7], q1[0]);
    115. 

  115.     c >>= 30;
    116. 

  116.     c += mul32x32_64(modm_mu[0], q1[8]) + mul32x32_64(modm_mu[1], q1[7]) +
    117. 

  117.          mul32x32_64(modm_mu[2], q1[6]) + mul32x32_64(modm_mu[3], q1[5]) +
    118. 

  118.          mul32x32_64(modm_mu[4], q1[4]) + mul32x32_64(modm_mu[5], q1[3]) +
    119. 

  119.          mul32x32_64(modm_mu[6], q1[2]) + mul32x32_64(modm_mu[7], q1[1]) +
    120. 

  120.          mul32x32_64(modm_mu[8], q1[0]);
    121. 

  121.     f = (bignum256modm_element_t)c;
    122. 

  122.     q3[0] = (f >> 24) & 0x3f;
    123. 

  123.     c >>= 30;
    124. 

  124.     c += mul32x32_64(modm_mu[1], q1[8]) + mul32x32_64(modm_mu[2], q1[7]) +
    125. 

  125.          mul32x32_64(modm_mu[3], q1[6]) + mul32x32_64(modm_mu[4], q1[5]) +
    126. 

  126.          mul32x32_64(modm_mu[5], q1[4]) + mul32x32_64(modm_mu[6], q1[3]) +
    127. 

  127.          mul32x32_64(modm_mu[7], q1[2]) + mul32x32_64(modm_mu[8], q1[1]);
    128. 

  128.     f = (bignum256modm_element_t)c;
    129. 

  129.     q3[0] |= (f << 6) & 0x3fffffff;
    130. 

  130.     q3[1] = (f >> 24) & 0x3f;
    131. 

  131.     c >>= 30;
    132. 

  132.     c += mul32x32_64(modm_mu[2], q1[8]) + mul32x32_64(modm_mu[3], q1[7]) +
    133. 

  133.          mul32x32_64(modm_mu[4], q1[6]) + mul32x32_64(modm_mu[5], q1[5]) +
    134. 

  134.          mul32x32_64(modm_mu[6], q1[4]) + mul32x32_64(modm_mu[7], q1[3]) +
    135. 

  135.          mul32x32_64(modm_mu[8], q1[2]);
    136. 

  136.     f = (bignum256modm_element_t)c;
    137. 

  137.     q3[1] |= (f << 6) & 0x3fffffff;
    138. 

  138.     q3[2] = (f >> 24) & 0x3f;
    139. 

  139.     c >>= 30;
    140. 

  140.     c += mul32x32_64(modm_mu[3], q1[8]) + mul32x32_64(modm_mu[4], q1[7]) +
    141. 

  141.          mul32x32_64(modm_mu[5], q1[6]) + mul32x32_64(modm_mu[6], q1[5]) +
    142. 

  142.          mul32x32_64(modm_mu[7], q1[4]) + mul32x32_64(modm_mu[8], q1[3]);
    143. 

  143.     f = (bignum256modm_element_t)c;
    144. 

  144.     q3[2] |= (f << 6) & 0x3fffffff;
    145. 

  145.     q3[3] = (f >> 24) & 0x3f;
    146. 

  146.     c >>= 30;
    147. 

  147.     c += mul32x32_64(modm_mu[4], q1[8]) + mul32x32_64(modm_mu[5], q1[7]) +
    148. 

  148.          mul32x32_64(modm_mu[6], q1[6]) + mul32x32_64(modm_mu[7], q1[5]) +
    149. 

  149.          mul32x32_64(modm_mu[8], q1[4]);
    150. 

  150.     f = (bignum256modm_element_t)c;
    151. 

  151.     q3[3] |= (f << 6) & 0x3fffffff;
    152. 

  152.     q3[4] = (f >> 24) & 0x3f;
    153. 

  153.     c >>= 30;
    154. 

  154.     c += mul32x32_64(modm_mu[5], q1[8]) + mul32x32_64(modm_mu[6], q1[7]) +
    155. 

  155.          mul32x32_64(modm_mu[7], q1[6]) + mul32x32_64(modm_mu[8], q1[5]);
    156. 

  156.     f = (bignum256modm_element_t)c;
    157. 

  157.     q3[4] |= (f << 6) & 0x3fffffff;
    158. 

  158.     q3[5] = (f >> 24) & 0x3f;
    159. 

  159.     c >>= 30;
    160. 

  160.     c += mul32x32_64(modm_mu[6], q1[8]) + mul32x32_64(modm_mu[7], q1[7]) +
    161. 

  161.          mul32x32_64(modm_mu[8], q1[6]);
    162. 

  162.     f = (bignum256modm_element_t)c;
    163. 

  163.     q3[5] |= (f << 6) & 0x3fffffff;
    164. 

  164.     q3[6] = (f >> 24) & 0x3f;
    165. 

  165.     c >>= 30;
    166. 

  166.     c += mul32x32_64(modm_mu[7], q1[8]) + mul32x32_64(modm_mu[8], q1[7]);
    167. 

  167.     f = (bignum256modm_element_t)c;
    168. 

  168.     q3[6] |= (f << 6) & 0x3fffffff;
    169. 

  169.     q3[7] = (f >> 24) & 0x3f;
    170. 

  170.     c >>= 30;
    171. 

  171.     c += mul32x32_64(modm_mu[8], q1[8]);
    172. 

  172.     f = (bignum256modm_element_t)c;
    173. 

  173.     q3[7] |= (f << 6) & 0x3fffffff;
    174. 

  174.     q3[8] = (bignum256modm_element_t)(c >> 24);
    175. 

  175. 

  176.     /* r1 = (x mod 256^(32+1)) = x mod (2^8)(32+1) = x & ((1 << 264) - 1)
    177. 

  177. 	   r2 = (q3 * m) mod (256^(32+1)) = (q3 * m) & ((1 << 264) - 1) */
    178. 

  178.     c = mul32x32_64(modm_m[0], q3[0]);
    179. 

  179.     r2[0] = (bignum256modm_element_t)(c & 0x3fffffff);
    180. 

  180.     c >>= 30;
    181. 

  181.     c += mul32x32_64(modm_m[0], q3[1]) + mul32x32_64(modm_m[1], q3[0]);
    182. 

  182.     r2[1] = (bignum256modm_element_t)(c & 0x3fffffff);
    183. 

  183.     c >>= 30;
    184. 

  184.     c += mul32x32_64(modm_m[0], q3[2]) + mul32x32_64(modm_m[1], q3[1]) +
    185. 

  185.          mul32x32_64(modm_m[2], q3[0]);
    186. 

  186.     r2[2] = (bignum256modm_element_t)(c & 0x3fffffff);
    187. 

  187.     c >>= 30;
    188. 

  188.     c += mul32x32_64(modm_m[0], q3[3]) + mul32x32_64(modm_m[1], q3[2]) +
    189. 

  189.          mul32x32_64(modm_m[2], q3[1]) + mul32x32_64(modm_m[3], q3[0]);
    190. 

  190.     r2[3] = (bignum256modm_element_t)(c & 0x3fffffff);
    191. 

  191.     c >>= 30;
    192. 

  192.     c += mul32x32_64(modm_m[0], q3[4]) + mul32x32_64(modm_m[1], q3[3]) +
    193. 

  193.          mul32x32_64(modm_m[2], q3[2]) + mul32x32_64(modm_m[3], q3[1]) +
    194. 

  194.          mul32x32_64(modm_m[4], q3[0]);
    195. 

  195.     r2[4] = (bignum256modm_element_t)(c & 0x3fffffff);
    196. 

  196.     c >>= 30;
    197. 

  197.     c += mul32x32_64(modm_m[0], q3[5]) + mul32x32_64(modm_m[1], q3[4]) +
    198. 

  198.          mul32x32_64(modm_m[2], q3[3]) + mul32x32_64(modm_m[3], q3[2]) +
    199. 

  199.          mul32x32_64(modm_m[4], q3[1]) + mul32x32_64(modm_m[5], q3[0]);
    200. 

  200.     r2[5] = (bignum256modm_element_t)(c & 0x3fffffff);
    201. 

  201.     c >>= 30;
    202. 

  202.     c += mul32x32_64(modm_m[0], q3[6]) + mul32x32_64(modm_m[1], q3[5]) +
    203. 

  203.          mul32x32_64(modm_m[2], q3[4]) + mul32x32_64(modm_m[3], q3[3]) +
    204. 

  204.          mul32x32_64(modm_m[4], q3[2]) + mul32x32_64(modm_m[5], q3[1]) +
    205. 

  205.          mul32x32_64(modm_m[6], q3[0]);
    206. 

  206.     r2[6] = (bignum256modm_element_t)(c & 0x3fffffff);
    207. 

  207.     c >>= 30;
    208. 

  208.     c += mul32x32_64(modm_m[0], q3[7]) + mul32x32_64(modm_m[1], q3[6]) +
    209. 

  209.          mul32x32_64(modm_m[2], q3[5]) + mul32x32_64(modm_m[3], q3[4]) +
    210. 

  210.          mul32x32_64(modm_m[4], q3[3]) + mul32x32_64(modm_m[5], q3[2]) +
    211. 

  211.          mul32x32_64(modm_m[6], q3[1]) + mul32x32_64(modm_m[7], q3[0]);
    212. 

  212.     r2[7] = (bignum256modm_element_t)(c & 0x3fffffff);
    213. 

  213.     c >>= 30;
    214. 

  214.     c += mul32x32_64(modm_m[0], q3[8]) + mul32x32_64(modm_m[1], q3[7]) +
    215. 

  215.          mul32x32_64(modm_m[2], q3[6]) + mul32x32_64(modm_m[3], q3[5]) +
    216. 

  216.          mul32x32_64(modm_m[4], q3[4]) + mul32x32_64(modm_m[5], q3[3]) +
    217. 

  217.          mul32x32_64(modm_m[6], q3[2]) + mul32x32_64(modm_m[7], q3[1]) +
    218. 

  218.          mul32x32_64(modm_m[8], q3[0]);
    219. 

  219.     r2[8] = (bignum256modm_element_t)(c & 0xffffff);
    220. 

  220. 

  221.     /* r = r1 - r2
    222. 

  222. 	   if (r < 0) r += (1 << 264) */
    223. 

  223.     pb = 0;
    224. 

  224.     pb += r2[0];
    225. 

  225.     b = lt_modm(r1[0], pb);
    226. 

  226.     r[0] = (r1[0] - pb + (b << 30));
    227. 

  227.     pb = b;
    228. 

  228.     pb += r2[1];
    229. 

  229.     b = lt_modm(r1[1], pb);
    230. 

  230.     r[1] = (r1[1] - pb + (b << 30));
    231. 

  231.     pb = b;
    232. 

  232.     pb += r2[2];
    233. 

  233.     b = lt_modm(r1[2], pb);
    234. 

  234.     r[2] = (r1[2] - pb + (b << 30));
    235. 

  235.     pb = b;
    236. 

  236.     pb += r2[3];
    237. 

  237.     b = lt_modm(r1[3], pb);
    238. 

  238.     r[3] = (r1[3] - pb + (b << 30));
    239. 

  239.     pb = b;
    240. 

  240.     pb += r2[4];
    241. 

  241.     b = lt_modm(r1[4], pb);
    242. 

  242.     r[4] = (r1[4] - pb + (b << 30));
    243. 

  243.     pb = b;
    244. 

  244.     pb += r2[5];
    245. 

  245.     b = lt_modm(r1[5], pb);
    246. 

  246.     r[5] = (r1[5] - pb + (b << 30));
    247. 

  247.     pb = b;
    248. 

  248.     pb += r2[6];
    249. 

  249.     b = lt_modm(r1[6], pb);
    250. 

  250.     r[6] = (r1[6] - pb + (b << 30));
    251. 

  251.     pb = b;
    252. 

  252.     pb += r2[7];
    253. 

  253.     b = lt_modm(r1[7], pb);
    254. 

  254.     r[7] = (r1[7] - pb + (b << 30));
    255. 

  255.     pb = b;
    256. 

  256.     pb += r2[8];
    257. 

  257.     b = lt_modm(r1[8], pb);
    258. 

  258.     r[8] = (r1[8] - pb + (b << 24));
    259. 

  259. 

  260.     reduce256_modm(r);
    261. 

  261.     reduce256_modm(r);
    262. 

  262. }
    263. 

  263. 

  264. /* addition modulo m */
    265. 

  265. void add256_modm(bignum256modm r, const bignum256modm x, const bignum256modm y) {
    266. 

  266.     bignum256modm_element_t c = 0;
    267. 

  267. 

  268.     c = x[0] + y[0];
    269. 

  269.     r[0] = c & 0x3fffffff;
    270. 

  270.     c >>= 30;
    271. 

  271.     c += x[1] + y[1];
    272. 

  272.     r[1] = c & 0x3fffffff;
    273. 

  273.     c >>= 30;
    274. 

  274.     c += x[2] + y[2];
    275. 

  275.     r[2] = c & 0x3fffffff;
    276. 

  276.     c >>= 30;
    277. 

  277.     c += x[3] + y[3];
    278. 

  278.     r[3] = c & 0x3fffffff;
    279. 

  279.     c >>= 30;
    280. 

  280.     c += x[4] + y[4];
    281. 

  281.     r[4] = c & 0x3fffffff;
    282. 

  282.     c >>= 30;
    283. 

  283.     c += x[5] + y[5];
    284. 

  284.     r[5] = c & 0x3fffffff;
    285. 

  285.     c >>= 30;
    286. 

  286.     c += x[6] + y[6];
    287. 

  287.     r[6] = c & 0x3fffffff;
    288. 

  288.     c >>= 30;
    289. 

  289.     c += x[7] + y[7];
    290. 

  290.     r[7] = c & 0x3fffffff;
    291. 

  291.     c >>= 30;
    292. 

  292.     c += x[8] + y[8];
    293. 

  293.     r[8] = c;
    294. 

  294. 

  295.     reduce256_modm(r);
    296. 

  296. }
    297. 

  297. 

  298. /* -x modulo m */
    299. 

  299. void neg256_modm(bignum256modm r, const bignum256modm x) {
    300. 

  300.     bignum256modm_element_t b = 0, pb = 0;
    301. 

  301. 

  302.     /* r = m - x */
    303. 

  303.     pb = 0;
    304. 

  304.     pb += x[0];
    305. 

  305.     b = lt_modm(modm_m[0], pb);
    306. 

  306.     r[0] = (modm_m[0] - pb + (b << 30));
    307. 

  307.     pb = b;
    308. 

  308.     pb += x[1];
    309. 

  309.     b = lt_modm(modm_m[1], pb);
    310. 

  310.     r[1] = (modm_m[1] - pb + (b << 30));
    311. 

  311.     pb = b;
    312. 

  312.     pb += x[2];
    313. 

  313.     b = lt_modm(modm_m[2], pb);
    314. 

  314.     r[2] = (modm_m[2] - pb + (b << 30));
    315. 

  315.     pb = b;
    316. 

  316.     pb += x[3];
    317. 

  317.     b = lt_modm(modm_m[3], pb);
    318. 

  318.     r[3] = (modm_m[3] - pb + (b << 30));
    319. 

  319.     pb = b;
    320. 

  320.     pb += x[4];
    321. 

  321.     b = lt_modm(modm_m[4], pb);
    322. 

  322.     r[4] = (modm_m[4] - pb + (b << 30));
    323. 

  323.     pb = b;
    324. 

  324.     pb += x[5];
    325. 

  325.     b = lt_modm(modm_m[5], pb);
    326. 

  326.     r[5] = (modm_m[5] - pb + (b << 30));
    327. 

  327.     pb = b;
    328. 

  328.     pb += x[6];
    329. 

  329.     b = lt_modm(modm_m[6], pb);
    330. 

  330.     r[6] = (modm_m[6] - pb + (b << 30));
    331. 

  331.     pb = b;
    332. 

  332.     pb += x[7];
    333. 

  333.     b = lt_modm(modm_m[7], pb);
    334. 

  334.     r[7] = (modm_m[7] - pb + (b << 30));
    335. 

  335.     pb = b;
    336. 

  336.     pb += x[8];
    337. 

  337.     b = lt_modm(modm_m[8], pb);
    338. 

  338.     r[8] = (modm_m[8] - pb + (b << 16));
    339. 

  339. 

  340.     // if x==0, reduction is required
    341. 

  341.     reduce256_modm(r);
    342. 

  342. }
    343. 

  343. 

  344. /* consts for subtraction, > p */
    345. 

  345. /* Emilia Kasper trick, https://www.imperialviolet.org/2010/12/04/ecc.html */
    346. 

  346. static const uint32_t twoP[] = {
    347. 

  347.     0x5cf5d3ed,
    348. 

  348.     0x60498c68,
    349. 

  349.     0x6f79cd64,
    350. 

  350.     0x77be77a7,
    351. 

  351.     0x40000013,
    352. 

  352.     0x3fffffff,
    353. 

  353.     0x3fffffff,
    354. 

  354.     0x3fffffff,
    355. 

  355.     0xfff};
    356. 

  356. 

  357. /* subtraction x-y % m */
    358. 

  358. void sub256_modm(bignum256modm r, const bignum256modm x, const bignum256modm y) {
    359. 

  359.     bignum256modm_element_t c = 0;
    360. 

  360.     c = twoP[0] + x[0] - y[0];
    361. 

  361.     r[0] = c & 0x3fffffff;
    362. 

  362.     c >>= 30;
    363. 

  363.     c += twoP[1] + x[1] - y[1];
    364. 

  364.     r[1] = c & 0x3fffffff;
    365. 

  365.     c >>= 30;
    366. 

  366.     c += twoP[2] + x[2] - y[2];
    367. 

  367.     r[2] = c & 0x3fffffff;
    368. 

  368.     c >>= 30;
    369. 

  369.     c += twoP[3] + x[3] - y[3];
    370. 

  370.     r[3] = c & 0x3fffffff;
    371. 

  371.     c >>= 30;
    372. 

  372.     c += twoP[4] + x[4] - y[4];
    373. 

  373.     r[4] = c & 0x3fffffff;
    374. 

  374.     c >>= 30;
    375. 

  375.     c += twoP[5] + x[5] - y[5];
    376. 

  376.     r[5] = c & 0x3fffffff;
    377. 

  377.     c >>= 30;
    378. 

  378.     c += twoP[6] + x[6] - y[6];
    379. 

  379.     r[6] = c & 0x3fffffff;
    380. 

  380.     c >>= 30;
    381. 

  381.     c += twoP[7] + x[7] - y[7];
    382. 

  382.     r[7] = c & 0x3fffffff;
    383. 

  383.     c >>= 30;
    384. 

  384.     c += twoP[8] + x[8] - y[8];
    385. 

  385.     r[8] = c;
    386. 

  386.     reduce256_modm(r);
    387. 

  387. }
    388. 

  388. 

  389. /* multiplication modulo m */
    390. 

  390. void mul256_modm(bignum256modm r, const bignum256modm x, const bignum256modm y) {
    391. 

  391.     bignum256modm r1 = {0}, q1 = {0};
    392. 

  392.     uint64_t c = 0;
    393. 

  393.     bignum256modm_element_t f = 0;
    394. 

  394. 

  395.     /* r1 = (x mod 256^(32+1)) = x mod (2^8)(31+1) = x & ((1 << 264) - 1)
    396. 

  396. 	   q1 = x >> 248 = 264 bits = 9 30 bit elements */
    397. 

  397.     c = mul32x32_64(x[0], y[0]);
    398. 

  398.     f = (bignum256modm_element_t)c;
    399. 

  399.     r1[0] = (f & 0x3fffffff);
    400. 

  400.     c >>= 30;
    401. 

  401.     c += mul32x32_64(x[0], y[1]) + mul32x32_64(x[1], y[0]);
    402. 

  402.     f = (bignum256modm_element_t)c;
    403. 

  403.     r1[1] = (f & 0x3fffffff);
    404. 

  404.     c >>= 30;
    405. 

  405.     c += mul32x32_64(x[0], y[2]) + mul32x32_64(x[1], y[1]) + mul32x32_64(x[2], y[0]);
    406. 

  406.     f = (bignum256modm_element_t)c;
    407. 

  407.     r1[2] = (f & 0x3fffffff);
    408. 

  408.     c >>= 30;
    409. 

  409.     c += mul32x32_64(x[0], y[3]) + mul32x32_64(x[1], y[2]) + mul32x32_64(x[2], y[1]) +
    410. 

  410.          mul32x32_64(x[3], y[0]);
    411. 

  411.     f = (bignum256modm_element_t)c;
    412. 

  412.     r1[3] = (f & 0x3fffffff);
    413. 

  413.     c >>= 30;
    414. 

  414.     c += mul32x32_64(x[0], y[4]) + mul32x32_64(x[1], y[3]) + mul32x32_64(x[2], y[2]) +
    415. 

  415.          mul32x32_64(x[3], y[1]) + mul32x32_64(x[4], y[0]);
    416. 

  416.     f = (bignum256modm_element_t)c;
    417. 

  417.     r1[4] = (f & 0x3fffffff);
    418. 

  418.     c >>= 30;
    419. 

  419.     c += mul32x32_64(x[0], y[5]) + mul32x32_64(x[1], y[4]) + mul32x32_64(x[2], y[3]) +
    420. 

  420.          mul32x32_64(x[3], y[2]) + mul32x32_64(x[4], y[1]) + mul32x32_64(x[5], y[0]);
    421. 

  421.     f = (bignum256modm_element_t)c;
    422. 

  422.     r1[5] = (f & 0x3fffffff);
    423. 

  423.     c >>= 30;
    424. 

  424.     c += mul32x32_64(x[0], y[6]) + mul32x32_64(x[1], y[5]) + mul32x32_64(x[2], y[4]) +
    425. 

  425.          mul32x32_64(x[3], y[3]) + mul32x32_64(x[4], y[2]) + mul32x32_64(x[5], y[1]) +
    426. 

  426.          mul32x32_64(x[6], y[0]);
    427. 

  427.     f = (bignum256modm_element_t)c;
    428. 

  428.     r1[6] = (f & 0x3fffffff);
    429. 

  429.     c >>= 30;
    430. 

  430.     c += mul32x32_64(x[0], y[7]) + mul32x32_64(x[1], y[6]) + mul32x32_64(x[2], y[5]) +
    431. 

  431.          mul32x32_64(x[3], y[4]) + mul32x32_64(x[4], y[3]) + mul32x32_64(x[5], y[2]) +
    432. 

  432.          mul32x32_64(x[6], y[1]) + mul32x32_64(x[7], y[0]);
    433. 

  433.     f = (bignum256modm_element_t)c;
    434. 

  434.     r1[7] = (f & 0x3fffffff);
    435. 

  435.     c >>= 30;
    436. 

  436.     c += mul32x32_64(x[0], y[8]) + mul32x32_64(x[1], y[7]) + mul32x32_64(x[2], y[6]) +
    437. 

  437.          mul32x32_64(x[3], y[5]) + mul32x32_64(x[4], y[4]) + mul32x32_64(x[5], y[3]) +
    438. 

  438.          mul32x32_64(x[6], y[2]) + mul32x32_64(x[7], y[1]) + mul32x32_64(x[8], y[0]);
    439. 

  439.     f = (bignum256modm_element_t)c;
    440. 

  440.     r1[8] = (f & 0x00ffffff);
    441. 

  441.     q1[0] = (f >> 8) & 0x3fffff;
    442. 

  442.     c >>= 30;
    443. 

  443.     c += mul32x32_64(x[1], y[8]) + mul32x32_64(x[2], y[7]) + mul32x32_64(x[3], y[6]) +
    444. 

  444.          mul32x32_64(x[4], y[5]) + mul32x32_64(x[5], y[4]) + mul32x32_64(x[6], y[3]) +
    445. 

  445.          mul32x32_64(x[7], y[2]) + mul32x32_64(x[8], y[1]);
    446. 

  446.     f = (bignum256modm_element_t)c;
    447. 

  447.     q1[0] = (q1[0] | (f << 22)) & 0x3fffffff;
    448. 

  448.     q1[1] = (f >> 8) & 0x3fffff;
    449. 

  449.     c >>= 30;
    450. 

  450.     c += mul32x32_64(x[2], y[8]) + mul32x32_64(x[3], y[7]) + mul32x32_64(x[4], y[6]) +
    451. 

  451.          mul32x32_64(x[5], y[5]) + mul32x32_64(x[6], y[4]) + mul32x32_64(x[7], y[3]) +
    452. 

  452.          mul32x32_64(x[8], y[2]);
    453. 

  453.     f = (bignum256modm_element_t)c;
    454. 

  454.     q1[1] = (q1[1] | (f << 22)) & 0x3fffffff;
    455. 

  455.     q1[2] = (f >> 8) & 0x3fffff;
    456. 

  456.     c >>= 30;
    457. 

  457.     c += mul32x32_64(x[3], y[8]) + mul32x32_64(x[4], y[7]) + mul32x32_64(x[5], y[6]) +
    458. 

  458.          mul32x32_64(x[6], y[5]) + mul32x32_64(x[7], y[4]) + mul32x32_64(x[8], y[3]);
    459. 

  459.     f = (bignum256modm_element_t)c;
    460. 

  460.     q1[2] = (q1[2] | (f << 22)) & 0x3fffffff;
    461. 

  461.     q1[3] = (f >> 8) & 0x3fffff;
    462. 

  462.     c >>= 30;
    463. 

  463.     c += mul32x32_64(x[4], y[8]) + mul32x32_64(x[5], y[7]) + mul32x32_64(x[6], y[6]) +
    464. 

  464.          mul32x32_64(x[7], y[5]) + mul32x32_64(x[8], y[4]);
    465. 

  465.     f = (bignum256modm_element_t)c;
    466. 

  466.     q1[3] = (q1[3] | (f << 22)) & 0x3fffffff;
    467. 

  467.     q1[4] = (f >> 8) & 0x3fffff;
    468. 

  468.     c >>= 30;
    469. 

  469.     c += mul32x32_64(x[5], y[8]) + mul32x32_64(x[6], y[7]) + mul32x32_64(x[7], y[6]) +
    470. 

  470.          mul32x32_64(x[8], y[5]);
    471. 

  471.     f = (bignum256modm_element_t)c;
    472. 

  472.     q1[4] = (q1[4] | (f << 22)) & 0x3fffffff;
    473. 

  473.     q1[5] = (f >> 8) & 0x3fffff;
    474. 

  474.     c >>= 30;
    475. 

  475.     c += mul32x32_64(x[6], y[8]) + mul32x32_64(x[7], y[7]) + mul32x32_64(x[8], y[6]);
    476. 

  476.     f = (bignum256modm_element_t)c;
    477. 

  477.     q1[5] = (q1[5] | (f << 22)) & 0x3fffffff;
    478. 

  478.     q1[6] = (f >> 8) & 0x3fffff;
    479. 

  479.     c >>= 30;
    480. 

  480.     c += mul32x32_64(x[7], y[8]) + mul32x32_64(x[8], y[7]);
    481. 

  481.     f = (bignum256modm_element_t)c;
    482. 

  482.     q1[6] = (q1[6] | (f << 22)) & 0x3fffffff;
    483. 

  483.     q1[7] = (f >> 8) & 0x3fffff;
    484. 

  484.     c >>= 30;
    485. 

  485.     c += mul32x32_64(x[8], y[8]);
    486. 

  486.     f = (bignum256modm_element_t)c;
    487. 

  487.     q1[7] = (q1[7] | (f << 22)) & 0x3fffffff;
    488. 

  488.     q1[8] = (f >> 8) & 0x3fffff;
    489. 

  489. 

  490.     barrett_reduce256_modm(r, q1, r1);
    491. 

  491. }
    492. 

  492. 

  493. void expand256_modm(bignum256modm out, const unsigned char* in, size_t len) {
    494. 

  494.     unsigned char work[64] = {0};
    495. 

  495.     bignum256modm_element_t x[16] = {0};
    496. 

  496.     bignum256modm q1 = {0};
    497. 

  497. 

  498.     memcpy(work, in, len);
    499. 

  499.     x[0] = U8TO32_LE(work + 0);
    500. 

  500.     x[1] = U8TO32_LE(work + 4);
    501. 

  501.     x[2] = U8TO32_LE(work + 8);
    502. 

  502.     x[3] = U8TO32_LE(work + 12);
    503. 

  503.     x[4] = U8TO32_LE(work + 16);
    504. 

  504.     x[5] = U8TO32_LE(work + 20);
    505. 

  505.     x[6] = U8TO32_LE(work + 24);
    506. 

  506.     x[7] = U8TO32_LE(work + 28);
    507. 

  507.     x[8] = U8TO32_LE(work + 32);
    508. 

  508.     x[9] = U8TO32_LE(work + 36);
    509. 

  509.     x[10] = U8TO32_LE(work + 40);
    510. 

  510.     x[11] = U8TO32_LE(work + 44);
    511. 

  511.     x[12] = U8TO32_LE(work + 48);
    512. 

  512.     x[13] = U8TO32_LE(work + 52);
    513. 

  513.     x[14] = U8TO32_LE(work + 56);
    514. 

  514.     x[15] = U8TO32_LE(work + 60);
    515. 

  515. 

  516.     /* r1 = (x mod 256^(32+1)) = x mod (2^8)(31+1) = x & ((1 << 264) - 1) */
    517. 

  517.     out[0] = (x[0]) & 0x3fffffff;
    518. 

  518.     out[1] = ((x[0] >> 30) | (x[1] << 2)) & 0x3fffffff;
    519. 

  519.     out[2] = ((x[1] >> 28) | (x[2] << 4)) & 0x3fffffff;
    520. 

  520.     out[3] = ((x[2] >> 26) | (x[3] << 6)) & 0x3fffffff;
    521. 

  521.     out[4] = ((x[3] >> 24) | (x[4] << 8)) & 0x3fffffff;
    522. 

  522.     out[5] = ((x[4] >> 22) | (x[5] << 10)) & 0x3fffffff;
    523. 

  523.     out[6] = ((x[5] >> 20) | (x[6] << 12)) & 0x3fffffff;
    524. 

  524.     out[7] = ((x[6] >> 18) | (x[7] << 14)) & 0x3fffffff;
    525. 

  525.     out[8] = ((x[7] >> 16) | (x[8] << 16)) & 0x00ffffff;
    526. 

  526. 

  527.     /* 8*31 = 248 bits, no need to reduce */
    528. 

  528.     if(len < 32) return;
    529. 

  529. 

  530.     /* q1 = x >> 248 = 264 bits = 9 30 bit elements */
    531. 

  531.     q1[0] = ((x[7] >> 24) | (x[8] << 8)) & 0x3fffffff;
    532. 

  532.     q1[1] = ((x[8] >> 22) | (x[9] << 10)) & 0x3fffffff;
    533. 

  533.     q1[2] = ((x[9] >> 20) | (x[10] << 12)) & 0x3fffffff;
    534. 

  534.     q1[3] = ((x[10] >> 18) | (x[11] << 14)) & 0x3fffffff;
    535. 

  535.     q1[4] = ((x[11] >> 16) | (x[12] << 16)) & 0x3fffffff;
    536. 

  536.     q1[5] = ((x[12] >> 14) | (x[13] << 18)) & 0x3fffffff;
    537. 

  537.     q1[6] = ((x[13] >> 12) | (x[14] << 20)) & 0x3fffffff;
    538. 

  538.     q1[7] = ((x[14] >> 10) | (x[15] << 22)) & 0x3fffffff;
    539. 

  539.     q1[8] = ((x[15] >> 8));
    540. 

  540. 

  541.     barrett_reduce256_modm(out, q1, out);
    542. 

  542. }
    543. 

  543. 

  544. void expand_raw256_modm(bignum256modm out, const unsigned char in[32]) {
    545. 

  545.     bignum256modm_element_t x[8] = {0};
    546. 

  546. 

  547.     x[0] = U8TO32_LE(in + 0);
    548. 

  548.     x[1] = U8TO32_LE(in + 4);
    549. 

  549.     x[2] = U8TO32_LE(in + 8);
    550. 

  550.     x[3] = U8TO32_LE(in + 12);
    551. 

  551.     x[4] = U8TO32_LE(in + 16);
    552. 

  552.     x[5] = U8TO32_LE(in + 20);
    553. 

  553.     x[6] = U8TO32_LE(in + 24);
    554. 

  554.     x[7] = U8TO32_LE(in + 28);
    555. 

  555. 

  556.     out[0] = (x[0]) & 0x3fffffff;
    557. 

  557.     out[1] = ((x[0] >> 30) | (x[1] << 2)) & 0x3fffffff;
    558. 

  558.     out[2] = ((x[1] >> 28) | (x[2] << 4)) & 0x3fffffff;
    559. 

  559.     out[3] = ((x[2] >> 26) | (x[3] << 6)) & 0x3fffffff;
    560. 

  560.     out[4] = ((x[3] >> 24) | (x[4] << 8)) & 0x3fffffff;
    561. 

  561.     out[5] = ((x[4] >> 22) | (x[5] << 10)) & 0x3fffffff;
    562. 

  562.     out[6] = ((x[5] >> 20) | (x[6] << 12)) & 0x3fffffff;
    563. 

  563.     out[7] = ((x[6] >> 18) | (x[7] << 14)) & 0x3fffffff;
    564. 

  564.     out[8] = ((x[7] >> 16)) & 0x0000ffff;
    565. 

  565. }
    566. 

  566. 

  567. int is_reduced256_modm(const bignum256modm in) {
    568. 

  568.     int i = 0;
    569. 

  569.     uint32_t res1 = 0;
    570. 

  570.     uint32_t res2 = 0;
    571. 

  571.     for(i = 8; i >= 0; i--) {
    572. 

  572.         res1 = (res1 << 1) | (in[i] < modm_m[i]);
    573. 

  573.         res2 = (res2 << 1) | (in[i] > modm_m[i]);
    574. 

  574.     }
    575. 

  575.     return res1 > res2;
    576. 

  576. }
    577. 

  577. 

  578. void contract256_modm(unsigned char out[32], const bignum256modm in) {
    579. 

  579.     U32TO8_LE(out + 0, (in[0]) | (in[1] << 30));
    580. 

  580.     U32TO8_LE(out + 4, (in[1] >> 2) | (in[2] << 28));
    581. 

  581.     U32TO8_LE(out + 8, (in[2] >> 4) | (in[3] << 26));
    582. 

  582.     U32TO8_LE(out + 12, (in[3] >> 6) | (in[4] << 24));
    583. 

  583.     U32TO8_LE(out + 16, (in[4] >> 8) | (in[5] << 22));
    584. 

  584.     U32TO8_LE(out + 20, (in[5] >> 10) | (in[6] << 20));
    585. 

  585.     U32TO8_LE(out + 24, (in[6] >> 12) | (in[7] << 18));
    586. 

  586.     U32TO8_LE(out + 28, (in[7] >> 14) | (in[8] << 16));
    587. 

  587. }
    588. 

  588. 

  589. void contract256_window4_modm(signed char r[64], const bignum256modm in) {
    590. 

  590.     char carry = 0;
    591. 

  591.     signed char* quads = r;
    592. 

  592.     bignum256modm_element_t i = 0, j = 0, v = 0;
    593. 

  593. 

  594.     for(i = 0; i < 8; i += 2) {
    595. 

  595.         v = in[i];
    596. 

  596.         for(j = 0; j < 7; j++) {
    597. 

  597.             *quads++ = (v & 15);
    598. 

  598.             v >>= 4;
    599. 

  599.         }
    600. 

  600.         v |= (in[i + 1] << 2);
    601. 

  601.         for(j = 0; j < 8; j++) {
    602. 

  602.             *quads++ = (v & 15);
    603. 

  603.             v >>= 4;
    604. 

  604.         }
    605. 

  605.     }
    606. 

  606.     v = in[8];
    607. 

  607.     *quads++ = (v & 15);
    608. 

  608.     v >>= 4;
    609. 

  609.     *quads++ = (v & 15);
    610. 

  610.     v >>= 4;
    611. 

  611.     *quads++ = (v & 15);
    612. 

  612.     v >>= 4;
    613. 

  613.     *quads++ = (v & 15);
    614. 

  614.     v >>= 4;
    615. 

  615. 

  616.     /* making it signed */
    617. 

  617.     carry = 0;
    618. 

  618.     for(i = 0; i < 63; i++) {
    619. 

  619.         r[i] += carry;
    620. 

  620.         r[i + 1] += (r[i] >> 4);
    621. 

  621.         r[i] &= 15;
    622. 

  622.         carry = (r[i] >> 3);
    623. 

  623.         r[i] -= (carry << 4);
    624. 

  624.     }
    625. 

  625.     r[63] += carry;
    626. 

  626. }
    627. 

  627. 

  628. void contract256_slidingwindow_modm(signed char r[256], const bignum256modm s, int windowsize) {
    629. 

  629.     int i = 0, j = 0, k = 0, b = 0;
    630. 

  630.     int m = (1 << (windowsize - 1)) - 1, soplen = 256;
    631. 

  631.     signed char* bits = r;
    632. 

  632.     bignum256modm_element_t v = 0;
    633. 

  633. 

  634.     /* first put the binary expansion into r  */
    635. 

  635.     for(i = 0; i < 8; i++) {
    636. 

  636.         v = s[i];
    637. 

  637.         for(j = 0; j < 30; j++, v >>= 1) *bits++ = (v & 1);
    638. 

  638.     }
    639. 

  639.     v = s[8];
    640. 

  640.     for(j = 0; j < 16; j++, v >>= 1) *bits++ = (v & 1);
    641. 

  641. 

  642.     /* Making it sliding window */
    643. 

  643.     for(j = 0; j < soplen; j++) {
    644. 

  644.         if(!r[j]) continue;
    645. 

  645. 

  646.         for(b = 1; (b < (soplen - j)) && (b <= 6); b++) {
    647. 

  647.             if((r[j] + (r[j + b] << b)) <= m) {
    648. 

  648.                 r[j] += r[j + b] << b;
    649. 

  649.                 r[j + b] = 0;
    650. 

  650.             } else if((r[j] - (r[j + b] << b)) >= -m) {
    651. 

  651.                 r[j] -= r[j + b] << b;
    652. 

  652.                 for(k = j + b; k < soplen; k++) {
    653. 

  653.                     if(!r[k]) {
    654. 

  654.                         r[k] = 1;
    655. 

  655.                         break;
    656. 

  656.                     }
    657. 

  657.                     r[k] = 0;
    658. 

  658.                 }
    659. 

  659.             } else if(r[j + b]) {
    660. 

  660.                 break;
    661. 

  661.             }
    662. 

  662.         }
    663. 

  663.     }
    664. 

  664. }
    665. 

  665. 

  666. void set256_modm(bignum256modm r, uint64_t v) {
    667. 

  667.     r[0] = (bignum256modm_element_t)(v & 0x3fffffff);
    668. 

  668.     v >>= 30;
    669. 

  669.     r[1] = (bignum256modm_element_t)(v & 0x3fffffff);
    670. 

  670.     v >>= 30;
    671. 

  671.     r[2] = (bignum256modm_element_t)(v & 0x3fffffff);
    672. 

  672.     r[3] = 0;
    673. 

  673.     r[4] = 0;
    674. 

  674.     r[5] = 0;
    675. 

  675.     r[6] = 0;
    676. 

  676.     r[7] = 0;
    677. 

  677.     r[8] = 0;
    678. 

  678. }
    679. 

  679. 

  680. int get256_modm(uint64_t* v, const bignum256modm r) {
    681. 

  681.     *v = 0;
    682. 

  682.     int con1 = 0;
    683. 

  683. 

  684. #define NONZ(x) ((((((int64_t)(x)) - 1) >> 32) + 1) & 1)
    685. 

  685.     bignum256modm_element_t c = 0;
    686. 

  686.     c = r[0];
    687. 

  687.     *v += (uint64_t)c & 0x3fffffff;
    688. 

  688.     c >>= 30; // 30
    689. 

  689.     c += r[1];
    690. 

  690.     *v += ((uint64_t)c & 0x3fffffff) << 30;
    691. 

  691.     c >>= 30; // 60
    692. 

  692.     c += r[2];
    693. 

  693.     *v += ((uint64_t)c & 0xf) << 60;
    694. 

  694.     con1 |= NONZ(c >> 4);
    695. 

  695.     c >>= 30; // 64 bits
    696. 

  696.     c += r[3];
    697. 

  697.     con1 |= NONZ(c);
    698. 

  698.     c >>= 30;
    699. 

  699.     c += r[4];
    700. 

  700.     con1 |= NONZ(c);
    701. 

  701.     c >>= 30;
    702. 

  702.     c += r[5];
    703. 

  703.     con1 |= NONZ(c);
    704. 

  704.     c >>= 30;
    705. 

  705.     c += r[6];
    706. 

  706.     con1 |= NONZ(c);
    707. 

  707.     c >>= 30;
    708. 

  708.     c += r[7];
    709. 

  709.     con1 |= NONZ(c);
    710. 

  710.     c >>= 30;
    711. 

  711.     c += r[8];
    712. 

  712.     con1 |= NONZ(c);
    713. 

  713.     c >>= 30;
    714. 

  714.     con1 |= NONZ(c);
    715. 

  715. #undef NONZ
    716. 

  716. 

  717.     return con1 ^ 1;
    718. 

  718. }
    719. 

  719. 

  720. int eq256_modm(const bignum256modm x, const bignum256modm y) {
    721. 

  721.     size_t differentbits = 0;
    722. 

  722.     int len = bignum256modm_limb_size;
    723. 

  723.     while(len--) {
    724. 

  724.         differentbits |= (*x++ ^ *y++);
    725. 

  725.     }
    726. 

  726.     return (int)(1 & ((differentbits - 1) >> bignum256modm_bits_per_limb));
    727. 

  727. }
    728. 

  728. 

  729. int cmp256_modm(const bignum256modm x, const bignum256modm y) {
    730. 

  730.     int len = 2 * bignum256modm_limb_size;
    731. 

  731.     uint32_t a_gt = 0;
    732. 

  732.     uint32_t b_gt = 0;
    733. 

  733. 

  734.     // 16B chunks
    735. 

  735.     while(len--) {
    736. 

  736.         const uint32_t ln = (const uint32_t)len;
    737. 

  737.         const uint32_t a = (x[ln >> 1] >> 16 * (ln & 1)) & 0xffff;
    738. 

  738.         const uint32_t b = (y[ln >> 1] >> 16 * (ln & 1)) & 0xffff;
    739. 

  739. 

  740.         const uint32_t limb_a_gt = ((b - a) >> 16) & 1;
    741. 

  741.         const uint32_t limb_b_gt = ((a - b) >> 16) & 1;
    742. 

  742.         a_gt |= limb_a_gt & ~b_gt;
    743. 

  743.         b_gt |= limb_b_gt & ~a_gt;
    744. 

  744.     }
    745. 

  745. 

  746.     return a_gt - b_gt;
    747. 

  747. }
    748. 

  748. 

  749. int iszero256_modm(const bignum256modm x) {
    750. 

  750.     size_t differentbits = 0;
    751. 

  751.     int len = bignum256modm_limb_size;
    752. 

  752.     while(len--) {
    753. 

  753.         differentbits |= (*x++);
    754. 

  754.     }
    755. 

  755.     return (int)(1 & ((differentbits - 1) >> bignum256modm_bits_per_limb));
    756. 

  756. }
    757. 

  757. 

  758. void copy256_modm(bignum256modm r, const bignum256modm x) {
    759. 

  759.     r[0] = x[0];
    760. 

  760.     r[1] = x[1];
    761. 

  761.     r[2] = x[2];
    762. 

  762.     r[3] = x[3];
    763. 

  763.     r[4] = x[4];
    764. 

  764.     r[5] = x[5];
    765. 

  765.     r[6] = x[6];
    766. 

  766.     r[7] = x[7];
    767. 

  767.     r[8] = x[8];
    768. 

  768. }
    769. 

  769. 

  770. int check256_modm(const bignum256modm x) {
    771. 

  771.     int ok = 1;
    772. 

  772.     bignum256modm t = {0}, z = {0};
    773. 

  773. 

  774.     ok &= iszero256_modm(x) ^ 1;
    775. 

  775.     barrett_reduce256_modm(t, z, x);
    776. 

  776.     ok &= eq256_modm(t, x);
    777. 

  777.     return ok;
    778. 

  778. }
    779. 

  779. 

  780. void mulsub256_modm(
    781. 

  781.     bignum256modm r,
    782. 

  782.     const bignum256modm a,
    783. 

  783.     const bignum256modm b,
    784. 

  784.     const bignum256modm c) {
    785. 

  785.     //(cc - aa * bb) % l
    786. 

  786.     bignum256modm t = {0};
    787. 

  787.     mul256_modm(t, a, b);
    788. 

  788.     sub256_modm(r, c, t);
    789. 

  789. }
    790. 

  790. 

  791. void muladd256_modm(
    792. 

  792.     bignum256modm r,
    793. 

  793.     const bignum256modm a,
    794. 

  794.     const bignum256modm b,
    795. 

  795.     const bignum256modm c) {
    796. 

  796.     //(cc + aa * bb) % l
    797. 

  797.     bignum256modm t = {0};
    798. 

  798.     mul256_modm(t, a, b);
    799. 

  799.     add256_modm(r, c, t);
    800. 

  800. }
    801.