tor

The Tor anonymity network

sc_reduce.c (8343B)


      1 #include "sc.h"
      2 #include "crypto_int64.h"
      3 #include "crypto_uint32.h"
      4 #include "crypto_uint64.h"
      5 
      /*
       * Decode three bytes at in[0..2] as a little-endian unsigned integer.
       * Exactly three bytes are read; the caller must guarantee that in[0..2]
       * is readable. No branch or index depends on the byte values.
       */
      static crypto_uint64 load_3(const unsigned char *in)
      {
        const crypto_uint64 byte0 = (crypto_uint64) in[0];
        const crypto_uint64 byte1 = ((crypto_uint64) in[1]) << 8;
        const crypto_uint64 byte2 = ((crypto_uint64) in[2]) << 16;

        return byte0 | byte1 | byte2;
      }
     14 
     /*
      * Decode four bytes at in[0..3] as a little-endian unsigned integer.
      * Exactly four bytes are read; the caller must guarantee that in[0..3]
      * is readable. Each byte is widened before shifting, so the << 24 is
      * done in crypto_uint64 rather than in a promoted int.
      */
     static crypto_uint64 load_4(const unsigned char *in)
     {
       return ((crypto_uint64) in[0])
            | (((crypto_uint64) in[1]) << 8)
            | (((crypto_uint64) in[2]) << 16)
            | (((crypto_uint64) in[3]) << 24);
     }
     24 
     25 /*
     26 Input:
     27  s[0]+256*s[1]+...+256^63*s[63] = s
     28 
     29 Output:
     30  s[0]+256*s[1]+...+256^31*s[31] = s mod l
     31  where l = 2^252 + 27742317777372353535851937790883648493.
     32  Overwrites s in place.
     33 */
     34 
     void sc_reduce(unsigned char *s)
     {
       /*
        * Reduce the 512-bit little-endian integer in s[0..63] modulo the group
        * order l = 2^252 + c and store the 32-byte result in s[0..31].
        *
        * Contract visible in this function:
        *  - s must point to at least 64 readable bytes (the last load is
        *    load_4(s + 60)); only s[0..31] are written.
        *  - s[32..63] are NOT modified, so the upper half of the unreduced
        *    input is still in the buffer on return. A caller reducing secret
        *    material has to wipe the buffer itself.
        *  - The code is straight-line: every load, store and shift uses a fixed
        *    offset, and nothing branches on the value of s.
        *
        * NOTE(review): limbs go negative (see the -= folds) and are then
        * shifted right, so this relies on crypto_int64 being a signed type with
        * arithmetic right shift, which C leaves implementation-defined.
        * SHL64 is defined outside this file; presumably it performs the left
        * shift without shifting a negative signed value. Confirm both against
        * crypto_int64.h.
        */

       /*
        * Split the input into 24 limbs of 21 bits (mask 2097151 = 2^21 - 1).
        * Limb k starts at bit 21*k; the load offset and right shift select it.
        * s23 is left unmasked and holds the remaining top 29 bits.
        */
       crypto_int64 s0 = load_3(s) & 2097151;
       crypto_int64 s1 = (load_4(s + 2) >> 5) & 2097151;
       crypto_int64 s2 = (load_3(s + 5) >> 2) & 2097151;
       crypto_int64 s3 = (load_4(s + 7) >> 7) & 2097151;
       crypto_int64 s4 = (load_4(s + 10) >> 4) & 2097151;
       crypto_int64 s5 = (load_3(s + 13) >> 1) & 2097151;
       crypto_int64 s6 = (load_4(s + 15) >> 6) & 2097151;
       crypto_int64 s7 = (load_3(s + 18) >> 3) & 2097151;
       crypto_int64 s8 = load_3(s + 21) & 2097151;
       crypto_int64 s9 = (load_4(s + 23) >> 5) & 2097151;
       crypto_int64 s10 = (load_3(s + 26) >> 2) & 2097151;
       crypto_int64 s11 = (load_4(s + 28) >> 7) & 2097151;
       crypto_int64 s12 = (load_4(s + 31) >> 4) & 2097151;
       crypto_int64 s13 = (load_3(s + 34) >> 1) & 2097151;
       crypto_int64 s14 = (load_4(s + 36) >> 6) & 2097151;
       crypto_int64 s15 = (load_3(s + 39) >> 3) & 2097151;
       crypto_int64 s16 = load_3(s + 42) & 2097151;
       crypto_int64 s17 = (load_4(s + 44) >> 5) & 2097151;
       crypto_int64 s18 = (load_3(s + 47) >> 2) & 2097151;
       crypto_int64 s19 = (load_4(s + 49) >> 7) & 2097151;
       crypto_int64 s20 = (load_4(s + 52) >> 4) & 2097151;
       crypto_int64 s21 = (load_3(s + 55) >> 1) & 2097151;
       crypto_int64 s22 = (load_4(s + 57) >> 6) & 2097151;
       crypto_int64 s23 = (load_4(s + 60) >> 3);

       crypto_int64 carry0, carry1, carry2, carry3, carry4, carry5;
       crypto_int64 carry6, carry7, carry8, carry9, carry10, carry11;
       crypto_int64 carry12, carry13, carry14, carry15, carry16;

       /*
        * Fold the high limbs down. Limb 12 has weight 2^252, and
        * 2^252 = -c (mod l), so limb k >= 12 is replaced by its value times
        * the six signed 21-bit digits of -c, added into limbs k-12 .. k-7.
        * Limbs 23 down to 18 go first.
        */
       s11 += s23 * 666643;
       s12 += s23 * 470296;
       s13 += s23 * 654183;
       s14 -= s23 * 997805;
       s15 += s23 * 136657;
       s16 -= s23 * 683901;
       s23 = 0;

       s10 += s22 * 666643;
       s11 += s22 * 470296;
       s12 += s22 * 654183;
       s13 -= s22 * 997805;
       s14 += s22 * 136657;
       s15 -= s22 * 683901;
       s22 = 0;

       s9 += s21 * 666643;
       s10 += s21 * 470296;
       s11 += s21 * 654183;
       s12 -= s21 * 997805;
       s13 += s21 * 136657;
       s14 -= s21 * 683901;
       s21 = 0;

       s8 += s20 * 666643;
       s9 += s20 * 470296;
       s10 += s20 * 654183;
       s11 -= s20 * 997805;
       s12 += s20 * 136657;
       s13 -= s20 * 683901;
       s20 = 0;

       s7 += s19 * 666643;
       s8 += s19 * 470296;
       s9 += s19 * 654183;
       s10 -= s19 * 997805;
       s11 += s19 * 136657;
       s12 -= s19 * 683901;
       s19 = 0;

       s6 += s18 * 666643;
       s7 += s18 * 470296;
       s8 += s18 * 654183;
       s9 -= s18 * 997805;
       s10 += s18 * 136657;
       s11 -= s18 * 683901;
       s18 = 0;

       /*
        * Rounding carry pass over limbs 6..16: adding 2^20 before the shift
        * rounds the carry to nearest, which keeps the magnitude of each
        * remaining limb small before the next round of multiplications.
        * Even limbs first, then odd limbs.
        */
       carry6 = (s6 + (1<<20)) >> 21; s6 -= SHL64(carry6,21); s7 += carry6;
       carry8 = (s8 + (1<<20)) >> 21; s8 -= SHL64(carry8,21); s9 += carry8;
       carry10 = (s10 + (1<<20)) >> 21; s10 -= SHL64(carry10,21); s11 += carry10;
       carry12 = (s12 + (1<<20)) >> 21; s12 -= SHL64(carry12,21); s13 += carry12;
       carry14 = (s14 + (1<<20)) >> 21; s14 -= SHL64(carry14,21); s15 += carry14;
       carry16 = (s16 + (1<<20)) >> 21; s16 -= SHL64(carry16,21); s17 += carry16;

       carry7 = (s7 + (1<<20)) >> 21; s7 -= SHL64(carry7,21); s8 += carry7;
       carry9 = (s9 + (1<<20)) >> 21; s9 -= SHL64(carry9,21); s10 += carry9;
       carry11 = (s11 + (1<<20)) >> 21; s11 -= SHL64(carry11,21); s12 += carry11;
       carry13 = (s13 + (1<<20)) >> 21; s13 -= SHL64(carry13,21); s14 += carry13;
       carry15 = (s15 + (1<<20)) >> 21; s15 -= SHL64(carry15,21); s16 += carry15;

       /* Fold limbs 17 down to 12 with the same six multipliers. */
       s5 += s17 * 666643;
       s6 += s17 * 470296;
       s7 += s17 * 654183;
       s8 -= s17 * 997805;
       s9 += s17 * 136657;
       s10 -= s17 * 683901;
       s17 = 0;

       s4 += s16 * 666643;
       s5 += s16 * 470296;
       s6 += s16 * 654183;
       s7 -= s16 * 997805;
       s8 += s16 * 136657;
       s9 -= s16 * 683901;
       s16 = 0;

       s3 += s15 * 666643;
       s4 += s15 * 470296;
       s5 += s15 * 654183;
       s6 -= s15 * 997805;
       s7 += s15 * 136657;
       s8 -= s15 * 683901;
       s15 = 0;

       s2 += s14 * 666643;
       s3 += s14 * 470296;
       s4 += s14 * 654183;
       s5 -= s14 * 997805;
       s6 += s14 * 136657;
       s7 -= s14 * 683901;
       s14 = 0;

       s1 += s13 * 666643;
       s2 += s13 * 470296;
       s3 += s13 * 654183;
       s4 -= s13 * 997805;
       s5 += s13 * 136657;
       s6 -= s13 * 683901;
       s13 = 0;

       s0 += s12 * 666643;
       s1 += s12 * 470296;
       s2 += s12 * 654183;
       s3 -= s12 * 997805;
       s4 += s12 * 136657;
       s5 -= s12 * 683901;
       s12 = 0;

       /* Rounding carry pass over limbs 0..11; the last step refills s12. */
       carry0 = (s0 + (1<<20)) >> 21; s0 -= SHL64(carry0,21); s1 += carry0;
       carry2 = (s2 + (1<<20)) >> 21; s2 -= SHL64(carry2,21); s3 += carry2;
       carry4 = (s4 + (1<<20)) >> 21; s4 -= SHL64(carry4,21); s5 += carry4;
       carry6 = (s6 + (1<<20)) >> 21; s6 -= SHL64(carry6,21); s7 += carry6;
       carry8 = (s8 + (1<<20)) >> 21; s8 -= SHL64(carry8,21); s9 += carry8;
       carry10 = (s10 + (1<<20)) >> 21; s10 -= SHL64(carry10,21); s11 += carry10;

       carry1 = (s1 + (1<<20)) >> 21; s1 -= SHL64(carry1,21); s2 += carry1;
       carry3 = (s3 + (1<<20)) >> 21; s3 -= SHL64(carry3,21); s4 += carry3;
       carry5 = (s5 + (1<<20)) >> 21; s5 -= SHL64(carry5,21); s6 += carry5;
       carry7 = (s7 + (1<<20)) >> 21; s7 -= SHL64(carry7,21); s8 += carry7;
       carry9 = (s9 + (1<<20)) >> 21; s9 -= SHL64(carry9,21); s10 += carry9;
       carry11 = (s11 + (1<<20)) >> 21; s11 -= SHL64(carry11,21); s12 += carry11;

       /* Fold the carry that landed in limb 12. */
       s0 += s12 * 666643;
       s1 += s12 * 470296;
       s2 += s12 * 654183;
       s3 -= s12 * 997805;
       s4 += s12 * 136657;
       s5 -= s12 * 683901;
       s12 = 0;

       /*
        * Sequential carry chain without rounding: each carry is applied to the
        * next limb before that limb's own carry is taken, so the order of
        * these lines matters. The last step refills s12 again.
        */
       carry0 = s0 >> 21; s0 -= SHL64(carry0,21); s1 += carry0;
       carry1 = s1 >> 21; s1 -= SHL64(carry1,21); s2 += carry1;
       carry2 = s2 >> 21; s2 -= SHL64(carry2,21); s3 += carry2;
       carry3 = s3 >> 21; s3 -= SHL64(carry3,21); s4 += carry3;
       carry4 = s4 >> 21; s4 -= SHL64(carry4,21); s5 += carry4;
       carry5 = s5 >> 21; s5 -= SHL64(carry5,21); s6 += carry5;
       carry6 = s6 >> 21; s6 -= SHL64(carry6,21); s7 += carry6;
       carry7 = s7 >> 21; s7 -= SHL64(carry7,21); s8 += carry7;
       carry8 = s8 >> 21; s8 -= SHL64(carry8,21); s9 += carry8;
       carry9 = s9 >> 21; s9 -= SHL64(carry9,21); s10 += carry9;
       carry10 = s10 >> 21; s10 -= SHL64(carry10,21); s11 += carry10;
       carry11 = s11 >> 21; s11 -= SHL64(carry11,21); s12 += carry11;

       /* Final fold of limb 12. */
       s0 += s12 * 666643;
       s1 += s12 * 470296;
       s2 += s12 * 654183;
       s3 -= s12 * 997805;
       s4 += s12 * 136657;
       s5 -= s12 * 683901;
       s12 = 0;

       /* Last sequential chain; it stops at limb 10, so s11 takes the final carry. */
       carry0 = s0 >> 21; s0 -= SHL64(carry0,21); s1 += carry0;
       carry1 = s1 >> 21; s1 -= SHL64(carry1,21); s2 += carry1;
       carry2 = s2 >> 21; s2 -= SHL64(carry2,21); s3 += carry2;
       carry3 = s3 >> 21; s3 -= SHL64(carry3,21); s4 += carry3;
       carry4 = s4 >> 21; s4 -= SHL64(carry4,21); s5 += carry4;
       carry5 = s5 >> 21; s5 -= SHL64(carry5,21); s6 += carry5;
       carry6 = s6 >> 21; s6 -= SHL64(carry6,21); s7 += carry6;
       carry7 = s7 >> 21; s7 -= SHL64(carry7,21); s8 += carry7;
       carry8 = s8 >> 21; s8 -= SHL64(carry8,21); s9 += carry8;
       carry9 = s9 >> 21; s9 -= SHL64(carry9,21); s10 += carry9;
       carry10 = s10 >> 21; s10 -= SHL64(carry10,21); s11 += carry10;

       /*
        * Repack limbs 0..11 into 32 little-endian bytes. Each store keeps only
        * the low 8 bits of its expression; the casts make that truncation
        * explicit. Bytes 32..63 of s are left as they were on entry.
        */
       s[0] = (unsigned char) (s0 >> 0);
       s[1] = (unsigned char) (s0 >> 8);
       s[2] = (unsigned char) ((s0 >> 16) | SHL64(s1,5));
       s[3] = (unsigned char) (s1 >> 3);
       s[4] = (unsigned char) (s1 >> 11);
       s[5] = (unsigned char) ((s1 >> 19) | SHL64(s2,2));
       s[6] = (unsigned char) (s2 >> 6);
       s[7] = (unsigned char) ((s2 >> 14) | SHL64(s3,7));
       s[8] = (unsigned char) (s3 >> 1);
       s[9] = (unsigned char) (s3 >> 9);
       s[10] = (unsigned char) ((s3 >> 17) | SHL64(s4,4));
       s[11] = (unsigned char) (s4 >> 4);
       s[12] = (unsigned char) (s4 >> 12);
       s[13] = (unsigned char) ((s4 >> 20) | SHL64(s5,1));
       s[14] = (unsigned char) (s5 >> 7);
       s[15] = (unsigned char) ((s5 >> 15) | SHL64(s6,6));
       s[16] = (unsigned char) (s6 >> 2);
       s[17] = (unsigned char) (s6 >> 10);
       s[18] = (unsigned char) ((s6 >> 18) | SHL64(s7,3));
       s[19] = (unsigned char) (s7 >> 5);
       s[20] = (unsigned char) (s7 >> 13);
       s[21] = (unsigned char) (s8 >> 0);
       s[22] = (unsigned char) (s8 >> 8);
       s[23] = (unsigned char) ((s8 >> 16) | SHL64(s9,5));
       s[24] = (unsigned char) (s9 >> 3);
       s[25] = (unsigned char) (s9 >> 11);
       s[26] = (unsigned char) ((s9 >> 19) | SHL64(s10,2));
       s[27] = (unsigned char) (s10 >> 6);
       s[28] = (unsigned char) ((s10 >> 14) | SHL64(s11,7));
       s[29] = (unsigned char) (s11 >> 1);
       s[30] = (unsigned char) (s11 >> 9);
       s[31] = (unsigned char) (s11 >> 17);
     }