fix

src/ecc-edwards.c

@@ -22,6 +22,13 @@
  *
  */
 
+#include <stdint.h>
+#include <string.h>
+
+#include "bn.h"
+#include "mod.h"
+#include "mod25638.h"
+
 /*
  * Identity element: (0,1)
  * Negation: -(x,y) = (-x,y)
@@ -35,8 +42,8 @@
 
 /* d + 2^255 - 19 */
 static const bn256 coefficient_d[1] = {
-  { 0x135978a3, 0x75eb4dca, 0x4141d8ab, 0x00700a4d,
-    0x7779e898, 0x8cc74079, 0x2b6ffe73, 0x52036cee } };
+  {{ 0x135978a3, 0x75eb4dca, 0x4141d8ab, 0x00700a4d,
+     0x7779e898, 0x8cc74079, 0x2b6ffe73, 0x52036cee }} };
 
 
 /**
@@ -61,11 +68,11 @@ static void
 ed_double_25638 (ptc *X, const ptc *A)
 {
   uint32_t borrow;
-  bn256 d[1], e[1];
+  bn256 b[1], d[1], e[1];
 
-  /* Compute: B = (X1 + Y1)^2 : X3_tmp */
-  mod25638_add (X->x, A->x, A->y);
-  mod25638_sqr (X->x, X->x);
+  /* Compute: B = (X1 + Y1)^2 */
+  mod25638_add (b, A->x, A->y);
+  mod25638_sqr (b, b);
 
   /* Compute: C = X1^2        : E      */
   mod25638_sqr (e, A->x);
@@ -81,7 +88,7 @@ ed_double_25638 (ptc *X, const ptc *A)
   if (borrow)
     bn256_add (X->y, X->y, n25638); /* carry ignored */
   else
-    bn256_add (X->z, X->y, n25638); /* dummy calculation */
+    bn256_add (X->x, X->y, n25638); /* dummy calculation */
 
   /* Compute: F = E + D = D - C; where a = -1 : E */
   mod25638_sub (e, d, e);
@@ -93,15 +100,15 @@ ed_double_25638 (ptc *X, const ptc *A)
   mod25638_add (d, d, d);
   mod25638_sub (d, e, d);
 
-  /* Compute: X3 = (B-C-D)*J = (X3_tmp+Y3_tmp)*J  */
-  mod25638_add (X->x, X->y);
+  /* Compute: X3 = (B-C-D)*J = (B+Y3_tmp)*J  */
+  mod25638_add (X->x, b, X->y);
   mod25638_mul (X->x, X->x, d);
 
   /* Compute: Y3 = F*(E-D) = F*Y3_tmp            */
   mod25638_mul (X->y, X->y, e);
 
   /* Z3 = F*J             */
-  mod25638_mul (X->z, d, e);
+  mod25638_mul (X->z, e, d);
 }
 
 
@@ -185,8 +192,8 @@ ed_add_25638 (ptc *X, const ptc *A, const ac *B, int minus)
 
 
 static const bn256 p25519[1] = {
-  {0xffffffed, 0xffffffff, 0xffffffff, 0xffffffff,
-   0xffffffff, 0xffffffff, 0xffffffff, 0x7fffffff } };
+  {{ 0xffffffed, 0xffffffff, 0xffffffff, 0xffffffff,
+     0xffffffff, 0xffffffff, 0xffffffff, 0x7fffffff }} };
 
 /**
  * @brief	X = convert A
@@ -273,3 +280,73 @@ point_is_on_the_curve (const ac *P)
 int
 compute_kP_25519 (ac *X, const bn256 *K, const ac *P);
 #endif
+
+#ifdef PRINT_OUT_TABLE
+static const ptc G[1] = {{
+  {{{ 0x8f25d51a, 0xc9562d60, 0x9525a7b2, 0x692cc760,
+      0xfdd6dc5c, 0xc0a4e231, 0xcd6e53fe, 0x216936d3 }}},
+  {{{ 0x66666658, 0x66666666, 0x66666666, 0x66666666,
+      0x66666666, 0x66666666, 0x66666666, 0x66666666 }}},
+  {{{ 1, 0, 0, 0, 0, 0, 0, 0 }}},
+}};
+
+#include <stdio.h>
+
+static void
+print_point (const ac *X)
+{
+  int i;
+
+  for (i = 0; i < 8; i++)
+    printf ("%08x\n", X->x->word[i]);
+  puts ("");
+  for (i = 0; i < 8; i++)
+    printf ("%08x\n", X->y->word[i]);
+}
+
+
+static const uint8_t *str = "abcdefghijklmnopqrstuvwxyz0123456789";
+
+const uint8_t *
+random_bytes_get (void)
+{
+  return (const uint8_t *)str;
+}
+
+/*
+ * Free pointer to random 32-byte
+ */
+void
+random_bytes_free (const uint8_t *p)
+{
+  (void)p;
+}
+
+
+int
+main (int argc, char *argv[])
+{
+  ac x[1];
+  ptc a[1];
+  int i;
+
+  ed_double_25638 (a, G);
+  ptc_to_ac_25519 (x, a);
+  print_point (x);
+
+  ed_add_25638 (a, G, G, 1);
+  ptc_to_ac_25519 (x, a);
+  print_point (x);
+
+  ed_add_25638 (a, G, G, 0);
+  ptc_to_ac_25519 (x, a);
+  print_point (x);
+
+  for (i = 0; i < 64 - 1; i++)
+    ed_double_25638 (a, a);
+
+  ptc_to_ac_25519 (x, a);
+  print_point (x);
+  return 0;
+}
+#endif

src/mod25638.c

@@ -37,8 +37,13 @@
 
 #include "bn.h"
 #include "mod25638.h"
-#include "muladd_256.h"
 
+#ifndef BN256_C_IMPLEMENTATION
+#define ASM_IMPLEMENTATION 1
+#endif
+
+#if ASM_IMPLEMENTATION
+#include "muladd_256.h"
 #define ADDWORD_256(d_,w_,c_)                    \
  asm ( "ldmia  %[d], { r4, r5, r6, r7 } \n\t"    \
        "adds   r4, r4, %[w]             \n\t"    \
@@ -57,6 +62,7 @@
        : [d] "=&r" (d_), [c] "=&r" (c_)          \
        : "[d]" (d_), [w] "r" (w_)                \
        : "r4", "r5", "r6", "r7", "memory", "cc" )
+#endif
 
 /*
 256      224      192      160      128       96       64       32        0
@@ -69,8 +75,9 @@
 2^256 - 32 - 4 - 2
   0 ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffda
 */
-const bn256 n25638[1] = { {0xffffffda, 0xffffffff, 0xffffffff, 0xffffffff,
-			   0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff } };
+const bn256 n25638[1] = {
+  {{0xffffffda, 0xffffffff, 0xffffffff, 0xffffffff,
+    0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff }} };
 
 
 /*
@@ -127,6 +134,7 @@ mod25638_mul (bn256 *X, const bn256 *A, const bn256 *B)
   uint32_t w;
   uint32_t c, c0;
 
+#if ASM_IMPLEMENTATION
   memset (word, 0, sizeof (uint32_t)*BN256_WORDS);
 
   s = A->word;  d = &word[0];  w = B->word[0];  MULADD_256 (s, d, w, c);
@@ -142,7 +150,58 @@ mod25638_mul (bn256 *X, const bn256 *A, const bn256 *B)
   s = word;
   ADDWORD_256 (s, c0, c);
   word[0] += c * 38;
-  memcpy (X->word, word, sizeof X->word);
+  memcpy (X, word, sizeof (bn256));
+#else
+  (void)c;  (void)c0;
+  bn256_mul ((bn512 *)word, A, B);
+
+  s = &word[8]; d = &word[0];  w = 38;
+  {
+    int i;
+    uint32_t r0, r1;
+
+    r0 = r1 = 0;
+    for (i = 0; i < BN256_WORDS; i++)
+      {
+	uint64_t uv;
+	uint32_t u, v;
+	uint32_t carry;
+
+	r0 += d[i];
+	r1 += (r0 < d[i]);
+	carry = (r1 < (r0 < d[i]));
+
+	uv = ((uint64_t)s[i])*w;
+	v = uv;
+	u = (uv >> 32);
+	r0 += v;
+	r1 += (r0 < v);
+	carry += (r1 < (r0 < v));
+	r1 += u;
+	carry += (r1 < u);
+
+	d[i] = r0;
+	r0 = r1;
+	r1 = carry;
+      }
+    d[i] = r0;
+
+    r0 = word[8] * 38;
+    d = word;
+    for (i = 0; i < BN256_WORDS; i++)
+      {
+	uint32_t carry;
+
+	r0 += d[i];
+	carry = (r0 < d[i]);
+	d[i] = r0;
+	r0 = carry;
+      }
+    word[0] += r0 * 38;
+  }
+
+  memcpy (X, word, sizeof (bn256));
+#endif
 }
 
 /**

src/mod25638.h

@@ -1,4 +1,4 @@
-extern const bn256 *n25638;
+extern const bn256 n25638[1];
 
 void mod25638_add (bn256 *X, const bn256 *A, const bn256 *B);
 void mod25638_sub (bn256 *X, const bn256 *A, const bn256 *B);