Consistent indentation

Frank Denis 2016-03-09 15:34:32 +01:00
parent 62911edb7f
commit 7c5d30a6a3
2 changed files with 1736 additions and 1727 deletions


@ -10,6 +10,7 @@ static uint64_t load_3(const unsigned char *in)
result = (uint64_t) in[0];
result |= ((uint64_t) in[1]) << 8;
result |= ((uint64_t) in[2]) << 16;
return result;
}
@ -20,12 +21,13 @@ static uint64_t load_4(const unsigned char *in)
result |= ((uint64_t) in[1]) << 8;
result |= ((uint64_t) in[2]) << 16;
result |= ((uint64_t) in[3]) << 24;
return result;
}
/*
h = 0
*/
h = 0
*/
void fe_0(fe h)
{
@ -33,8 +35,8 @@ void fe_0(fe h)
}
/*
h = 1
*/
h = 1
*/
void fe_1(fe h)
{
@ -44,16 +46,16 @@ void fe_1(fe h)
}
/*
h = f + g
Can overlap h with f or g.
Preconditions:
h = f + g
Can overlap h with f or g.
*
Preconditions:
|f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
|g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
Postconditions:
*
Postconditions:
|h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
*/
*/
void fe_add(fe h,const fe f,const fe g)
{
@ -100,11 +102,11 @@ void fe_add(fe h,const fe f,const fe g)
}
/*
Replace (f,g) with (g,g) if b == 1;
replace (f,g) with (f,g) if b == 0.
Preconditions: b in {0,1}.
*/
Replace (f,g) with (g,g) if b == 1;
replace (f,g) with (f,g) if b == 0.
*
Preconditions: b in {0,1}.
*/
void fe_cmov(fe f,const fe g,unsigned int b)
{
@ -162,8 +164,8 @@ void fe_cmov(fe f,const fe g,unsigned int b)
}
/*
h = f
*/
h = f
*/
void fe_copy(fe h,const fe f)
{
@ -190,8 +192,8 @@ void fe_copy(fe h,const fe f)
}
/*
Ignores top bit of h.
*/
Ignores top bit of h.
*/
void fe_frombytes(fe h,const unsigned char *s)
{
@ -241,29 +243,29 @@ void fe_frombytes(fe h,const unsigned char *s)
}
/*
Preconditions:
Preconditions:
|h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
Write p=2^255-19; q=floor(h/p).
Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
Proof:
*
Write p=2^255-19; q=floor(h/p).
Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
*
Proof:
Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4.
*
Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
Then 0<y<1.
*
Write r=h-pq.
Have 0<=r<=p-1=2^255-20.
Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
*
Write x=r+19(2^-255)r+y.
Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
*
Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
*/
*/
void fe_tobytes(unsigned char *s,const fe h)
{
@ -359,27 +361,28 @@ void fe_tobytes(unsigned char *s,const fe h)
}
/*
return 1 if f is in {1,3,5,...,q-2}
return 0 if f is in {0,2,4,...,q-1}
Preconditions:
return 1 if f is in {1,3,5,...,q-2}
return 0 if f is in {0,2,4,...,q-1}
*
Preconditions:
|f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
*/
*/
int fe_isnegative(const fe f)
{
unsigned char s[32];
fe_tobytes(s,f);
return s[0] & 1;
}
/*
return 1 if f == 0
return 0 if f != 0
Preconditions:
return 1 if f == 0
return 0 if f != 0
*
Preconditions:
|f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
*/
*/
static unsigned char zero[32];
@ -387,40 +390,41 @@ int fe_isnonzero(const fe f)
{
unsigned char s[32];
fe_tobytes(s,f);
return crypto_verify_32(s,zero);
}
/*
h = f * g
Can overlap h with f or g.
Preconditions:
h = f * g
Can overlap h with f or g.
*
Preconditions:
|f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
|g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
Postconditions:
*
Postconditions:
|h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
*/
*/
/*
Notes on implementation strategy:
Using schoolbook multiplication.
Karatsuba would save a little in some cost models.
Most multiplications by 2 and 19 are 32-bit precomputations;
cheaper than 64-bit postcomputations.
There is one remaining multiplication by 19 in the carry chain;
one *19 precomputation can be merged into this,
but the resulting data flow is considerably less clean.
There are 12 carries below.
10 of them are 2-way parallelizable and vectorizable.
Can get away with 11 carries, but then data flow is much deeper.
With tighter constraints on inputs can squeeze carries into int32.
*/
Notes on implementation strategy:
*
Using schoolbook multiplication.
Karatsuba would save a little in some cost models.
*
Most multiplications by 2 and 19 are 32-bit precomputations;
cheaper than 64-bit postcomputations.
*
There is one remaining multiplication by 19 in the carry chain;
one *19 precomputation can be merged into this,
but the resulting data flow is considerably less clean.
*
There are 12 carries below.
10 of them are 2-way parallelizable and vectorizable.
Can get away with 11 carries, but then data flow is much deeper.
*
With tighter constraints on inputs can squeeze carries into int32.
*/
void fe_mul(fe h,const fe f,const fe g)
{
@ -642,14 +646,14 @@ void fe_mul(fe h,const fe f,const fe g)
}
/*
h = -f
Preconditions:
h = -f
*
Preconditions:
|f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
Postconditions:
*
Postconditions:
|h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
*/
*/
void fe_neg(fe h,const fe f)
{
@ -686,19 +690,19 @@ void fe_neg(fe h,const fe f)
}
/*
h = f * f
Can overlap h with f.
Preconditions:
h = f * f
Can overlap h with f.
*
Preconditions:
|f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
Postconditions:
*
Postconditions:
|h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
*/
*/
/*
See fe_mul.c for discussion of implementation strategy.
*/
See fe_mul.c for discussion of implementation strategy.
*/
void fe_sq(fe h,const fe f)
{
@ -833,19 +837,19 @@ void fe_sq(fe h,const fe f)
}
/*
h = 2 * f * f
Can overlap h with f.
Preconditions:
h = 2 * f * f
Can overlap h with f.
*
Preconditions:
|f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
Postconditions:
*
Postconditions:
|h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
*/
*/
/*
See fe_mul.c for discussion of implementation strategy.
*/
See fe_mul.c for discussion of implementation strategy.
*/
void fe_sq2(fe h,const fe f)
{
@ -1102,16 +1106,16 @@ void fe_pow22523(fe out,const fe z)
}
/*
h = f - g
Can overlap h with f or g.
Preconditions:
h = f - g
Can overlap h with f or g.
*
Preconditions:
|f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
|g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
Postconditions:
*
Postconditions:
|h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
*/
*/
void fe_sub(fe h,const fe f,const fe g)
{
@ -1158,8 +1162,8 @@ void fe_sub(fe h,const fe f,const fe g)
}
/*
r = p + q
*/
r = p + q
*/
void ge_add(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
{
@ -1254,20 +1258,23 @@ int ge_frombytes_negate_vartime(ge_p3 *h,const unsigned char *s)
fe_sub(check,vxx,u); /* vx^2-u */
if (fe_isnonzero(check)) {
fe_add(check,vxx,u); /* vx^2+u */
if (fe_isnonzero(check)) return -1;
if (fe_isnonzero(check)) {
return -1;
}
fe_mul(h->X,h->X,sqrtm1);
}
if (fe_isnegative(h->X) == (s[31] >> 7))
if (fe_isnegative(h->X) == (s[31] >> 7)) {
fe_neg(h->X,h->X);
}
fe_mul(h->T,h->X,h->Y);
return 0;
}
/*
r = p + q
*/
r = p + q
*/
void ge_madd(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
{
@ -1286,8 +1293,8 @@ void ge_madd(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
}
/*
r = p - q
*/
r = p - q
*/
void ge_msub(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
{
@ -1306,8 +1313,8 @@ void ge_msub(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
}
/*
r = p
*/
r = p
*/
extern void ge_p1p1_to_p2(ge_p2 *r,const ge_p1p1 *p)
{
@ -1317,8 +1324,8 @@ extern void ge_p1p1_to_p2(ge_p2 *r,const ge_p1p1 *p)
}
/*
r = p
*/
r = p
*/
extern void ge_p1p1_to_p3(ge_p3 *r,const ge_p1p1 *p)
{
@ -1336,8 +1343,8 @@ void ge_p2_0(ge_p2 *h)
}
/*
r = 2 * p
*/
r = 2 * p
*/
void ge_p2_dbl(ge_p1p1 *r,const ge_p2 *p)
{
@ -1363,8 +1370,8 @@ void ge_p3_0(ge_p3 *h)
}
/*
r = p
*/
r = p
*/
/* 2 * d = 16295367250680780974490674513165176452449235426866156013048779062215315747161 */
static const fe d2 = {
@ -1380,8 +1387,8 @@ extern void ge_p3_to_cached(ge_cached *r,const ge_p3 *p)
}
/*
r = p
*/
r = p
*/
extern void ge_p3_to_p2(ge_p2 *r,const ge_p3 *p)
{
@ -1404,8 +1411,8 @@ void ge_p3_tobytes(unsigned char *s,const ge_p3 *h)
}
/*
r = 2 * p
*/
r = 2 * p
*/
void ge_p3_dbl(ge_p1p1 *r,const ge_p3 *p)
{
@ -1429,6 +1436,7 @@ static unsigned char equal(signed char b,signed char c)
uint32_t y = x; /* 0: yes; 1..255: no */
y -= 1; /* 4294967295: yes; 0..254: no */
y >>= 31; /* 1: yes; 0: no */
return y;
}
@ -1436,6 +1444,7 @@ static unsigned char negative(signed char b)
{
uint64_t x = b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */
x >>= 63; /* 1: yes; 0: no */
return x;
}
@ -1473,8 +1482,8 @@ static void ge_select(ge_precomp *t,int pos,signed char b)
}
/*
r = p - q
*/
r = p - q
*/
void ge_sub(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
{
@ -1507,20 +1516,20 @@ void ge_tobytes(unsigned char *s,const ge_p2 *h)
}
/*
h = a * B
where a = a[0]+256*a[1]+...+256^31 a[31]
B is the Ed25519 base point (x,4/5) with x positive.
Preconditions:
h = a * B
where a = a[0]+256*a[1]+...+256^31 a[31]
B is the Ed25519 base point (x,4/5) with x positive.
*
Preconditions:
a[31] <= 127
*/
*/
/*
r = a * A + b * B
where a = a[0]+256*a[1]+...+256^31 a[31].
and b = b[0]+256*b[1]+...+256^31 b[31].
B is the Ed25519 base point (x,4/5) with x positive.
*/
r = a * A + b * B
where a = a[0]+256*a[1]+...+256^31 a[31].
and b = b[0]+256*b[1]+...+256^31 b[31].
B is the Ed25519 base point (x,4/5) with x positive.
*/
void ge_double_scalarmult_vartime(ge_p2 *r,const unsigned char *a,const ge_p3 *A,const unsigned char *b)
{
@ -1660,15 +1669,15 @@ void ge_scalarmult_base(ge_p3 *h,const unsigned char *a)
}
/*
Input:
Input:
a[0]+256*a[1]+...+256^31*a[31] = a
b[0]+256*b[1]+...+256^31*b[31] = b
c[0]+256*c[1]+...+256^31*c[31] = c
Output:
*
Output:
s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
where l = 2^252 + 27742317777372353535851937790883648493.
*/
*/
void sc_muladd(unsigned char *s,const unsigned char *a,const unsigned char *b,const unsigned char *c)
{
@ -1993,14 +2002,14 @@ void sc_muladd(unsigned char *s,const unsigned char *a,const unsigned char *b,co
}
/*
Input:
Input:
s[0]+256*s[1]+...+256^63*s[63] = s
Output:
*
Output:
s[0]+256*s[1]+...+256^31*s[31] = s mod l
where l = 2^252 + 27742317777372353535851937790883648493.
Overwrites s in place.
*/
*/
void sc_reduce(unsigned char *s)
{
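Review bot: The comment re-indented above `fe_isnonzero` still reads `return 1 if f == 0` / `return 0 if f != 0`, which is the opposite of what the body does: it returns `crypto_verify_32(s,zero)`, and assuming that helper follows the usual NaCl convention (0 when the buffers match, -1 otherwise), the function yields 0 for f == 0 and a nonzero value for f != 0. The polarity matters because `ge_frombytes_negate_vartime` rejects an invalid point with `if (fe_isnonzero(check)) { return -1; }`, so a maintainer who trusts the comment could invert that check. Since the commit already touches this comment, I would correct it to `return 0 if f == 0` and `return nonzero (-1) if f != 0`. Separately, the `h = a * B` comment sits directly above the `r = a * A + b * B` comment and `ge_double_scalarmult_vartime`; it presumably documents `ge_scalarmult_base`, whose body is outside the visible hunks, and should move next to it.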


@ -8,12 +8,12 @@
typedef int32_t fe[10];
/*
fe means field element.
Here the field is \Z/(2^255-19).
An element t, entries t[0]...t[9], represents the integer
t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9].
Bounds on each t[i] vary depending on context.
*/
fe means field element.
Here the field is \Z/(2^255-19).
An element t, entries t[0]...t[9], represents the integer
t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9].
Bounds on each t[i] vary depending on context.
*/
#define fe_frombytes crypto_core_curve25519_ref10_fe_frombytes
#define fe_tobytes crypto_core_curve25519_ref10_fe_tobytes
@ -51,18 +51,18 @@ extern void fe_invert(fe,const fe);
extern void fe_pow22523(fe,const fe);
/*
ge means group element.
Here the group is the set of pairs (x,y) of field elements (see fe.h)
satisfying -x^2 + y^2 = 1 + d x^2y^2
where d = -121665/121666.
Representations:
ge means group element.
*
Here the group is the set of pairs (x,y) of field elements (see fe.h)
satisfying -x^2 + y^2 = 1 + d x^2y^2
where d = -121665/121666.
*
Representations:
ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z
ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
ge_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
ge_precomp (Duif): (y+x,y-x,2dxy)
*/
*/
#define ge_p2 crypto_core_curve25519_ref10_ge_p2
typedef struct {
@ -147,9 +147,9 @@ extern void ge_double_scalarmult_vartime(ge_p2 *,const unsigned char *,const ge_
extern void ge_scalarmult_vartime(ge_p3 *,const unsigned char *,const ge_p3 *);
/*
The set of scalars is \Z/l
where l = 2^252 + 27742317777372353535851937790883648493.
*/
The set of scalars is \Z/l
where l = 2^252 + 27742317777372353535851937790883648493.
*/
#define sc_reduce crypto_core_curve25519_ref10_sc_reduce
#define sc_muladd crypto_core_curve25519_ref10_sc_muladd