From 6c2fda803c8fba8709c08e176277a86346cb57c2 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda
Date: Sat, 26 Jan 2019 20:29:57 -0500
Subject: [PATCH] internal/radix51: make all APIs not consider the receiver an input

---
 ed25519.go | 2 +-
 internal/radix51/fe.go | 27 ++++++++++-----------------
 internal/radix51/fe_mul.go | 2 +-
 internal/radix51/fe_mul_amd64.go | 2 +-
 internal/radix51/fe_square_amd64.go | 2 +-
 internal/radix51/fe_test.go | 4 ++--
 6 files changed, 16 insertions(+), 23 deletions(-)

diff --git a/ed25519.go b/ed25519.go
index c3277f4..b93de42 100644
--- a/ed25519.go
+++ b/ed25519.go
@@ -74,7 +74,7 @@ func (curve ed25519Curve) IsOnCurve(x, y *big.Int) bool {
 	lh.Neg(&lh) // -x^2
 	lh.Add(&lh, &y2) // -x^2 + y^2
 	lh.Sub(&lh, &rh) // -x^2 + y^2 - 1 - dx^2y^2
-	lh.Reduce() // mod p
+	lh.Reduce(&lh) // mod p
 	return lh.Equal(radix51.Zero) == 1
 }
 
diff --git a/internal/radix51/fe.go b/internal/radix51/fe.go
index d378d02..1249aa8 100644
--- a/internal/radix51/fe.go
+++ b/internal/radix51/fe.go
@@ -54,7 +54,9 @@ func (v *FieldElement) SetInt(x uint64) {
 	v[4] = 0
 }
 
-func (v *FieldElement) Reduce() {
+func (v *FieldElement) Reduce(u *FieldElement) {
+	v.Set(u)
+
 	// Lev v = v[0] + v[1]*2^51 + v[2]*2^102 + v[3]*2^153 + v[4]*2^204
 	// Reduce each limb below 2^51, propagating carries.
 	v[1] += v[0] >> 51
@@ -247,8 +249,8 @@ func (v *FieldElement) FromBytes(x *[32]byte) {
 }
 
 func (v *FieldElement) ToBytes(r *[32]byte) {
-	t := *v
-	t.Reduce()
+	var t FieldElement
+	t.Reduce(v)
 	r[0] = byte(t[0] & 0xff)
 	r[1] = byte((t[0] >> 8) & 0xff)
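Review bot: The new exported signature `func (v *FieldElement) Reduce(u *FieldElement)` carries no doc comment, while `Abs` in the same file states what v is set to and that "v and u are allowed to overlap"; the ed25519.go and fe_test.go hunks in this commit call it as `lh.Reduce(&lh)` and `r.Reduce(&r)`, so the overlap guarantee is now relied upon and should be written down. The leading `v.Set(u)` makes overlap safe as long as Set copies limb by limb, which is plausible but not visible here. Suggested comment above the signature: `// Reduce sets v to the reduced form of u (each limb below 2^51). v and u are allowed to overlap.` The body of Reduce continues outside the hunk, so whether the result is also canonical mod p (as the `// mod p` call site in ed25519.go assumes) should be confirmed before wording the comment more strongly; the neighbouring context line `// Lev v = ...` reads as a typo for `Let` and could be fixed in the same touch.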
@@ -357,17 +359,10 @@ func (v *FieldElement) Select(a, b *FieldElement, cond int) {
 	v[4] = (m & a[4]) | (^m & b[4])
 }
 
-// CondNeg sets v to -v if cond == 1, and to v if cond == 0.
-func (v *FieldElement) CondNeg(cond int) {
-	var t FieldElement
-	t.Neg(v)
-
-	b := uint64(cond) * 0xffffffffffffffff
-	v[0] ^= b & (v[0] ^ t[0])
-	v[1] ^= b & (v[1] ^ t[1])
-	v[2] ^= b & (v[2] ^ t[2])
-	v[3] ^= b & (v[3] ^ t[3])
-	v[4] ^= b & (v[4] ^ t[4])
+// CondNeg sets v to -u if cond == 1, and to u if cond == 0.
+func (v *FieldElement) CondNeg(u *FieldElement, cond int) {
+	v.Neg(u)
+	v.Select(v, u, cond)
 }
 
 // IsNegative returns 1 if v is negative, and 0 otherwise.
@@ -379,7 +374,5 @@ func (v *FieldElement) IsNegative() int {
 
 // Abs sets v to |u|. v and u are allowed to overlap.
 func (v *FieldElement) Abs(u *FieldElement) {
-	var t FieldElement
-	t.Neg(u)
-	v.Select(&t, u, u.IsNegative())
+	v.CondNeg(u, u.IsNegative())
 }
diff --git a/internal/radix51/fe_mul.go b/internal/radix51/fe_mul.go
index 64a4493..2c28e4f 100644
--- a/internal/radix51/fe_mul.go
+++ b/internal/radix51/fe_mul.go
@@ -6,7 +6,7 @@
 
 package radix51
 
-// Mul sets out = a * b.
+// Mul sets out = x * y.
 func (v *FieldElement) Mul(x, y *FieldElement) {
 	var x0, x1, x2, x3, x4 uint64
 	var y0, y1, y2, y3, y4 uint64
diff --git a/internal/radix51/fe_mul_amd64.go b/internal/radix51/fe_mul_amd64.go
index 887d1cb..d629bb5 100644
--- a/internal/radix51/fe_mul_amd64.go
+++ b/internal/radix51/fe_mul_amd64.go
@@ -6,7 +6,7 @@
 
 package radix51
 
-// Mul sets out = a * b.
+// Mul sets out = x * y.
 func (v *FieldElement) Mul(x, y *FieldElement) {
 	feMul(v, x, y)
 }
diff --git a/internal/radix51/fe_square_amd64.go b/internal/radix51/fe_square_amd64.go
index cdaae53..7d5b9ff 100644
--- a/internal/radix51/fe_square_amd64.go
+++ b/internal/radix51/fe_square_amd64.go
@@ -6,7 +6,7 @@
 
 package radix51
 
-// Square sets v = x*x.
+// Square sets v = x * x.
 func (v *FieldElement) Square(x *FieldElement) {
 	feSquare(v, x)
 }
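Review bot: The new CondNeg body `v.Neg(u)` followed by `v.Select(v, u, cond)` is wrong when v and u are the same element: Neg has already overwritten u by the time Select reads it, so both Select inputs are -u and v ends up as -u whatever cond is. The Abs hunk below (@@ -379) now routes through CondNeg while keeping its documented contract "v and u are allowed to overlap", so `x.Abs(&x)` would negate a non-negative x, whereas the removed Abs and CondNeg bodies were overlap-safe precisely because they negated into a temporary first. Keeping the shorter form, the fix is `var t FieldElement`, `t.Neg(u)`, `v.Select(&t, u, cond)`; with that, v aliasing u is fine because the visible Select line `v[4] = (m & a[4]) | (^m & b[4])` reads both inputs before writing each limb. If overlap is meant to be supported, the CondNeg comment should also say so, as Abs's does.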
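Review bot: The rewritten comment `// Mul sets out = x * y.` still refers to a result named `out`, which does not exist; the receiver in the signature right below it is `v`, and the fe_square_amd64.go hunk in this same commit already uses the receiver's name (`// Square sets v = x * x.`). Suggest `// Mul sets v = x * y.` here and in the identical hunk in fe_mul_amd64.go so the three doc comments agree. Since the commit's stated goal is that the receiver is never an input, it would also help to state whether v may alias x or y; the feMul implementation is not visible here, so that claim needs checking before it is written.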
diff --git a/internal/radix51/fe_test.go b/internal/radix51/fe_test.go
index ba6564b..d7343c2 100644
--- a/internal/radix51/fe_test.go
+++ b/internal/radix51/fe_test.go
@@ -170,7 +170,7 @@ func TestFeInvert(t *testing.T) {
 
 	xinv.Invert(&x)
 	r.Mul(&x, &xinv)
-	r.Reduce()
+	r.Reduce(&r)
 
 	if !vartimeEqual(one, r) {
 		t.Errorf("inversion identity failed, got: %x", r)
@@ -186,7 +186,7 @@ func TestFeInvert(t *testing.T) {
 
 	xinv.Invert(&x)
 	r.Mul(&x, &xinv)
-	r.Reduce()
+	r.Reduce(&r)
 
 	if !vartimeEqual(one, r) {
 		t.Errorf("random inversion identity failed, got: %x for field element %x", r, x)