diff options
Diffstat (limited to '')
| -rw-r--r-- | crypto/src/math/ec/rfc8032/Ed448.cs | 551 |
1 files changed, 505 insertions, 46 deletions
diff --git a/crypto/src/math/ec/rfc8032/Ed448.cs b/crypto/src/math/ec/rfc8032/Ed448.cs index b73aaa7f8..aadb974e4 100644 --- a/crypto/src/math/ec/rfc8032/Ed448.cs +++ b/crypto/src/math/ec/rfc8032/Ed448.cs @@ -1,4 +1,7 @@ using System; +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER +using System.Buffers.Binary; +#endif using System.Diagnostics; using Org.BouncyCastle.Crypto; @@ -162,14 +165,46 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 return F.IsZero(t); } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static bool CheckPointVar(ReadOnlySpan<byte> p) + { + if ((p[PointBytes - 1] & 0x7F) != 0x00) + return false; + if (Decode32(p[52..]) < P[13]) + return true; + + int last = p[28] == 0xFF ? 7 : 0; + for (int i = CoordUints - 2; i >= last; --i) + { + if (Decode32(p[(i * 4)..]) < P[i]) + return true; + } + return false; + } + + private static bool CheckScalarVar(ReadOnlySpan<byte> s, Span<uint> n) + { + if (s[ScalarBytes - 1] != 0x00) + return false; + + DecodeScalar(s, n); + return !Nat.Gte(ScalarUints, n, L); + } +#else private static bool CheckPointVar(byte[] p) { if ((p[PointBytes - 1] & 0x7F) != 0x00) return false; + if (Decode32(p, 52) < P[13]) + return true; - uint[] t = new uint[CoordUints]; - Decode32(p, 0, t, 0, CoordUints); - return !Nat.Gte(CoordUints, t, P); + int last = p[28] == 0xFF ? 7 : 0; + for (int i = CoordUints - 2; i >= last; --i) + { + if (Decode32(p, i * 4) < P[i]) + return true; + } + return false; } private static bool CheckScalarVar(byte[] s, uint[] n) @@ -180,6 +215,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 DecodeScalar(s, 0, n); return !Nat.Gte(ScalarUints, n, L); } +#endif private static byte[] Copy(byte[] buf, int off, int len) { @@ -200,11 +236,22 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 private static uint Decode16(byte[] bs, int off) { +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + return BinaryPrimitives.ReadUInt16LittleEndian(bs.AsSpan(off)); +#else uint n = bs[off]; n |= (uint)bs[++off] << 8; return n; +#endif } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static uint Decode16(ReadOnlySpan<byte> bs) + { + return BinaryPrimitives.ReadUInt16LittleEndian(bs); + } +#endif + private static uint Decode24(byte[] bs, int off) { uint n = bs[off]; @@ -213,23 +260,33 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 return n; } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static uint Decode24(ReadOnlySpan<byte> bs) + { + uint n = bs[0]; + n |= (uint)bs[1] << 8; + n |= (uint)bs[2] << 16; + return n; + } +#endif + private static uint Decode32(byte[] bs, int off) { +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + return BinaryPrimitives.ReadUInt32LittleEndian(bs.AsSpan(off)); +#else uint n = bs[off]; n |= (uint)bs[++off] << 8; n |= (uint)bs[++off] << 16; n |= (uint)bs[++off] << 24; return n; +#endif } #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER private static uint Decode32(ReadOnlySpan<byte> bs) { - uint n = bs[0]; - n |= (uint)bs[1] << 8; - n |= (uint)bs[2] << 16; - n |= (uint)bs[3] << 24; - return n; + return BinaryPrimitives.ReadUInt32LittleEndian(bs); } #endif @@ -322,13 +379,33 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 bs[++off] = (byte)(n >> 16); } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static void Encode24(uint n, Span<byte> bs) + { + bs[0] = (byte)(n); + bs[1] = (byte)(n >> 8); + bs[2] = (byte)(n >> 16); + } +#endif + private static void Encode32(uint n, byte[] bs, int off) { - bs[off] = (byte)(n); - bs[++off] = (byte)(n >> 8); +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + BinaryPrimitives.WriteUInt32LittleEndian(bs.AsSpan(off), n); +#else + bs[ off] = (byte)(n ); + bs[++off] = (byte)(n >> 8); bs[++off] = (byte)(n >> 16); bs[++off] = (byte)(n >> 24); +#endif + } + +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static void Encode32(uint n, Span<byte> bs) + { + BinaryPrimitives.WriteUInt32LittleEndian(bs, n); } +#endif private static void Encode56(ulong n, byte[] bs, int off) { @@ -336,6 +413,14 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 Encode24((uint)(n >> 32), bs, off + 4); } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static void Encode56(ulong n, Span<byte> bs) + { + Encode32((uint)n, bs); + Encode24((uint)(n >> 32), bs[4..]); + } +#endif + private static int EncodePoint(ref PointProjective p, byte[] r, int rOff) { uint[] x = F.Create(); @@ -438,7 +523,11 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 return (x[w] >> b) & 15U; } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static sbyte[] GetWnafVar(ReadOnlySpan<uint> n, int width) +#else private static sbyte[] GetWnafVar(uint[] n, int width) +#endif { Debug.Assert(n[ScalarUints - 1] <= L[ScalarUints - 1]); Debug.Assert(2 <= width && width <= 8); @@ -559,6 +648,45 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 if (!CheckContextVar(ctx)) throw new ArgumentException("ctx"); +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + Span<byte> RS = stackalloc byte[PointBytes + ScalarBytes]; + RS.CopyFrom(sig.AsSpan(sigOff, PointBytes + ScalarBytes)); + + var R = RS[..PointBytes]; + var S = RS[PointBytes..]; + + if (!CheckPointVar(R)) + return false; + + Span<uint> nS = stackalloc uint[ScalarUints]; + if (!CheckScalarVar(S, nS)) + return false; + + Init(out PointProjective pA); + if (!DecodePointVar(pk, pkOff, true, ref pA)) + return false; + + IXof d = CreateXof(); + Span<byte> h = stackalloc byte[ScalarBytes * 2]; + + Dom4(d, phflag, ctx); + d.BlockUpdate(R); + d.BlockUpdate(pk.AsSpan(pkOff, PointBytes)); + d.BlockUpdate(m.AsSpan(mOff, mLen)); + d.OutputFinal(h); + + Span<byte> k = stackalloc byte[ScalarBytes]; + ReduceScalar(h, k); + + Span<uint> nA = stackalloc uint[ScalarUints]; + DecodeScalar(k, nA); + + Init(out PointProjective pR); + ScalarMultStrausVar(nS, nA, ref pA, ref pR); + + Span<byte> check = stackalloc byte[PointBytes]; + return 0 != EncodePoint(ref pR, check) && check.SequenceEqual(R); +#else byte[] R = Copy(sig, sigOff, PointBytes); byte[] S = Copy(sig, sigOff + PointBytes, ScalarBytes); @@ -592,6 +720,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 byte[] check = new byte[PointBytes]; return 0 != EncodePoint(ref pR, check, 0) && Arrays.AreEqual(check, R); +#endif } private static void Init(out PointAffine r) @@ -1086,41 +1215,46 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 private static byte[] ReduceScalar(byte[] n) { - ulong x00 = Decode32(n, 0); // x00:32/-- - ulong x01 = (Decode24(n, 4) << 4); // x01:28/-- - ulong x02 = Decode32(n, 7); // x02:32/-- - ulong x03 = (Decode24(n, 11) << 4); // x03:28/-- - ulong x04 = Decode32(n, 14); // x04:32/-- - ulong x05 = (Decode24(n, 18) << 4); // x05:28/-- - ulong x06 = Decode32(n, 21); // x06:32/-- - ulong x07 = (Decode24(n, 25) << 4); // x07:28/-- - ulong x08 = Decode32(n, 28); // x08:32/-- - ulong x09 = (Decode24(n, 32) << 4); // x09:28/-- - ulong x10 = Decode32(n, 35); // x10:32/-- - ulong x11 = (Decode24(n, 39) << 4); // x11:28/-- - ulong x12 = Decode32(n, 42); // x12:32/-- - ulong x13 = (Decode24(n, 46) << 4); // x13:28/-- - ulong x14 = Decode32(n, 49); // x14:32/-- - ulong x15 = (Decode24(n, 53) << 4); // x15:28/-- - ulong x16 = Decode32(n, 56); // x16:32/-- - ulong x17 = (Decode24(n, 60) << 4); // x17:28/-- - ulong x18 = Decode32(n, 63); // x18:32/-- - ulong x19 = (Decode24(n, 67) << 4); // x19:28/-- - ulong x20 = Decode32(n, 70); // x20:32/-- - ulong x21 = (Decode24(n, 74) << 4); // x21:28/-- - ulong x22 = Decode32(n, 77); // x22:32/-- - ulong x23 = (Decode24(n, 81) << 4); // x23:28/-- - ulong x24 = Decode32(n, 84); // x24:32/-- - ulong x25 = (Decode24(n, 88) << 4); // x25:28/-- - ulong x26 = Decode32(n, 91); // x26:32/-- - ulong x27 = (Decode24(n, 95) << 4); // x27:28/-- - ulong x28 = Decode32(n, 98); // x28:32/-- - ulong x29 = (Decode24(n, 102) << 4); // x29:28/-- - ulong x30 = Decode32(n, 105); // x30:32/-- - ulong x31 = (Decode24(n, 109) << 4); // x31:28/-- - ulong x32 = Decode16(n, 112); // x32:16/-- - - // x32 += (x31 >> 28); x31 &= M28UL; + byte[] r = new byte[ScalarBytes]; + +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + ReduceScalar(n, r); +#else + ulong x00 = Decode32(n, 0); // x00:32/-- + ulong x01 = (Decode24(n, 4) << 4); // x01:28/-- + ulong x02 = Decode32(n, 7); // x02:32/-- + ulong x03 = (Decode24(n, 11) << 4); // x03:28/-- + ulong x04 = Decode32(n, 14); // x04:32/-- + ulong x05 = (Decode24(n, 18) << 4); // x05:28/-- + ulong x06 = Decode32(n, 21); // x06:32/-- + ulong x07 = (Decode24(n, 25) << 4); // x07:28/-- + ulong x08 = Decode32(n, 28); // x08:32/-- + ulong x09 = (Decode24(n, 32) << 4); // x09:28/-- + ulong x10 = Decode32(n, 35); // x10:32/-- + ulong x11 = (Decode24(n, 39) << 4); // x11:28/-- + ulong x12 = Decode32(n, 42); // x12:32/-- + ulong x13 = (Decode24(n, 46) << 4); // x13:28/-- + ulong x14 = Decode32(n, 49); // x14:32/-- + ulong x15 = (Decode24(n, 53) << 4); // x15:28/-- + ulong x16 = Decode32(n, 56); // x16:32/-- + ulong x17 = (Decode24(n, 60) << 4); // x17:28/-- + ulong x18 = Decode32(n, 63); // x18:32/-- + ulong x19 = (Decode24(n, 67) << 4); // x19:28/-- + ulong x20 = Decode32(n, 70); // x20:32/-- + ulong x21 = (Decode24(n, 74) << 4); // x21:28/-- + ulong x22 = Decode32(n, 77); // x22:32/-- + ulong x23 = (Decode24(n, 81) << 4); // x23:28/-- + ulong x24 = Decode32(n, 84); // x24:32/-- + ulong x25 = (Decode24(n, 88) << 4); // x25:28/-- + ulong x26 = Decode32(n, 91); // x26:32/-- + ulong x27 = (Decode24(n, 95) << 4); // x27:28/-- + ulong x28 = Decode32(n, 98); // x28:32/-- + ulong x29 = (Decode24(n, 102) << 4); // x29:28/-- + ulong x30 = Decode32(n, 105); // x30:32/-- + ulong x31 = (Decode24(n, 109) << 4); // x31:28/-- + ulong x32 = Decode16(n, 112); // x32:16/-- + + //x32 += (x31 >> 28); x31 &= M28UL; x16 += x32 * L4_0; // x16:42/-- x17 += x32 * L4_1; // x17:41/28 x18 += x32 * L4_2; // x18:43/42 @@ -1348,7 +1482,6 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 Debug.Assert(x15 >> 26 == 0UL); - byte[] r = new byte[ScalarBytes]; Encode56(x00 | (x01 << 28), r, 0); Encode56(x02 | (x03 << 28), r, 7); Encode56(x04 | (x05 << 28), r, 14); @@ -1358,9 +1491,288 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 Encode56(x12 | (x13 << 28), r, 42); Encode56(x14 | (x15 << 28), r, 49); //r[ScalarBytes - 1] = 0; +#endif + return r; } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static void ReduceScalar(ReadOnlySpan<byte> n, Span<byte> r) + { + ulong x00 = Decode32(n[ 0..]); // x00:32/-- + ulong x01 = (Decode24(n[ 4..]) << 4); // x01:28/-- + ulong x02 = Decode32(n[ 7..]); // x02:32/-- + ulong x03 = (Decode24(n[11..]) << 4); // x03:28/-- + ulong x04 = Decode32(n[14..]); // x04:32/-- + ulong x05 = (Decode24(n[18..]) << 4); // x05:28/-- + ulong x06 = Decode32(n[21..]); // x06:32/-- + ulong x07 = (Decode24(n[25..]) << 4); // x07:28/-- + ulong x08 = Decode32(n[28..]); // x08:32/-- + ulong x09 = (Decode24(n[32..]) << 4); // x09:28/-- + ulong x10 = Decode32(n[35..]); // x10:32/-- + ulong x11 = (Decode24(n[39..]) << 4); // x11:28/-- + ulong x12 = Decode32(n[42..]); // x12:32/-- + ulong x13 = (Decode24(n[46..]) << 4); // x13:28/-- + ulong x14 = Decode32(n[49..]); // x14:32/-- + ulong x15 = (Decode24(n[53..]) << 4); // x15:28/-- + ulong x16 = Decode32(n[56..]); // x16:32/-- + ulong x17 = (Decode24(n[60..]) << 4); // x17:28/-- + ulong x18 = Decode32(n[63..]); // x18:32/-- + ulong x19 = (Decode24(n[67..]) << 4); // x19:28/-- + ulong x20 = Decode32(n[70..]); // x20:32/-- + ulong x21 = (Decode24(n[74..]) << 4); // x21:28/-- + ulong x22 = Decode32(n[77..]); // x22:32/-- + ulong x23 = (Decode24(n[81..]) << 4); // x23:28/-- + ulong x24 = Decode32(n[84..]); // x24:32/-- + ulong x25 = (Decode24(n[88..]) << 4); // x25:28/-- + ulong x26 = Decode32(n[91..]); // x26:32/-- + ulong x27 = (Decode24(n[95..]) << 4); // x27:28/-- + ulong x28 = Decode32(n[98..]); // x28:32/-- + ulong x29 = (Decode24(n[102..]) << 4); // x29:28/-- + ulong x30 = Decode32(n[105..]); // x30:32/-- + ulong x31 = (Decode24(n[109..]) << 4); // x31:28/-- + ulong x32 = Decode16(n[112..]); // x32:16/-- + + //x32 += (x31 >> 28); x31 &= M28UL; + x16 += x32 * L4_0; // x16:42/-- + x17 += x32 * L4_1; // x17:41/28 + x18 += x32 * L4_2; // x18:43/42 + x19 += x32 * L4_3; // x19:44/28 + x20 += x32 * L4_4; // x20:43/-- + x21 += x32 * L4_5; // x21:44/28 + x22 += x32 * L4_6; // x22:43/41 + x23 += x32 * L4_7; // x23:45/41 + + x31 += (x30 >> 28); x30 &= M28UL; // x31:28/--, x30:28/-- + x15 += x31 * L4_0; // x15:54/-- + x16 += x31 * L4_1; // x16:53/42 + x17 += x31 * L4_2; // x17:55/54 + x18 += x31 * L4_3; // x18:56/44 + x19 += x31 * L4_4; // x19:55/-- + x20 += x31 * L4_5; // x20:56/43 + x21 += x31 * L4_6; // x21:55/53 + x22 += x31 * L4_7; // x22:57/53 + + //x30 += (x29 >> 28); x29 &= M28UL; + x14 += x30 * L4_0; // x14:54/-- + x15 += x30 * L4_1; // x15:54/53 + x16 += x30 * L4_2; // x16:56/-- + x17 += x30 * L4_3; // x17:57/-- + x18 += x30 * L4_4; // x18:56/55 + x19 += x30 * L4_5; // x19:56/55 + x20 += x30 * L4_6; // x20:57/-- + x21 += x30 * L4_7; // x21:57/56 + + x29 += (x28 >> 28); x28 &= M28UL; // x29:28/--, x28:28/-- + x13 += x29 * L4_0; // x13:54/-- + x14 += x29 * L4_1; // x14:54/53 + x15 += x29 * L4_2; // x15:56/-- + x16 += x29 * L4_3; // x16:57/-- + x17 += x29 * L4_4; // x17:57/55 + x18 += x29 * L4_5; // x18:57/55 + x19 += x29 * L4_6; // x19:57/52 + x20 += x29 * L4_7; // x20:58/52 + + //x28 += (x27 >> 28); x27 &= M28UL; + x12 += x28 * L4_0; // x12:54/-- + x13 += x28 * L4_1; // x13:54/53 + x14 += x28 * L4_2; // x14:56/-- + x15 += x28 * L4_3; // x15:57/-- + x16 += x28 * L4_4; // x16:57/55 + x17 += x28 * L4_5; // x17:58/-- + x18 += x28 * L4_6; // x18:58/-- + x19 += x28 * L4_7; // x19:58/53 + + x27 += (x26 >> 28); x26 &= M28UL; // x27:28/--, x26:28/-- + x11 += x27 * L4_0; // x11:54/-- + x12 += x27 * L4_1; // x12:54/53 + x13 += x27 * L4_2; // x13:56/-- + x14 += x27 * L4_3; // x14:57/-- + x15 += x27 * L4_4; // x15:57/55 + x16 += x27 * L4_5; // x16:58/-- + x17 += x27 * L4_6; // x17:58/56 + x18 += x27 * L4_7; // x18:59/-- + + //x26 += (x25 >> 28); x25 &= M28UL; + x10 += x26 * L4_0; // x10:54/-- + x11 += x26 * L4_1; // x11:54/53 + x12 += x26 * L4_2; // x12:56/-- + x13 += x26 * L4_3; // x13:57/-- + x14 += x26 * L4_4; // x14:57/55 + x15 += x26 * L4_5; // x15:58/-- + x16 += x26 * L4_6; // x16:58/56 + x17 += x26 * L4_7; // x17:59/-- + + x25 += (x24 >> 28); x24 &= M28UL; // x25:28/--, x24:28/-- + x09 += x25 * L4_0; // x09:54/-- + x10 += x25 * L4_1; // x10:54/53 + x11 += x25 * L4_2; // x11:56/-- + x12 += x25 * L4_3; // x12:57/-- + x13 += x25 * L4_4; // x13:57/55 + x14 += x25 * L4_5; // x14:58/-- + x15 += x25 * L4_6; // x15:58/56 + x16 += x25 * L4_7; // x16:59/-- + + x21 += (x20 >> 28); x20 &= M28UL; // x21:58/--, x20:28/-- + x22 += (x21 >> 28); x21 &= M28UL; // x22:57/54, x21:28/-- + x23 += (x22 >> 28); x22 &= M28UL; // x23:45/42, x22:28/-- + x24 += (x23 >> 28); x23 &= M28UL; // x24:28/18, x23:28/-- + + x08 += x24 * L4_0; // x08:54/-- + x09 += x24 * L4_1; // x09:55/-- + x10 += x24 * L4_2; // x10:56/46 + x11 += x24 * L4_3; // x11:57/46 + x12 += x24 * L4_4; // x12:57/55 + x13 += x24 * L4_5; // x13:58/-- + x14 += x24 * L4_6; // x14:58/56 + x15 += x24 * L4_7; // x15:59/-- + + x07 += x23 * L4_0; // x07:54/-- + x08 += x23 * L4_1; // x08:54/53 + x09 += x23 * L4_2; // x09:56/53 + x10 += x23 * L4_3; // x10:57/46 + x11 += x23 * L4_4; // x11:57/55 + x12 += x23 * L4_5; // x12:58/-- + x13 += x23 * L4_6; // x13:58/56 + x14 += x23 * L4_7; // x14:59/-- + + x06 += x22 * L4_0; // x06:54/-- + x07 += x22 * L4_1; // x07:54/53 + x08 += x22 * L4_2; // x08:56/-- + x09 += x22 * L4_3; // x09:57/53 + x10 += x22 * L4_4; // x10:57/55 + x11 += x22 * L4_5; // x11:58/-- + x12 += x22 * L4_6; // x12:58/56 + x13 += x22 * L4_7; // x13:59/-- + + x18 += (x17 >> 28); x17 &= M28UL; // x18:59/31, x17:28/-- + x19 += (x18 >> 28); x18 &= M28UL; // x19:58/54, x18:28/-- + x20 += (x19 >> 28); x19 &= M28UL; // x20:30/29, x19:28/-- + x21 += (x20 >> 28); x20 &= M28UL; // x21:28/03, x20:28/-- + + x05 += x21 * L4_0; // x05:54/-- + x06 += x21 * L4_1; // x06:55/-- + x07 += x21 * L4_2; // x07:56/31 + x08 += x21 * L4_3; // x08:57/31 + x09 += x21 * L4_4; // x09:57/56 + x10 += x21 * L4_5; // x10:58/-- + x11 += x21 * L4_6; // x11:58/56 + x12 += x21 * L4_7; // x12:59/-- + + x04 += x20 * L4_0; // x04:54/-- + x05 += x20 * L4_1; // x05:54/53 + x06 += x20 * L4_2; // x06:56/53 + x07 += x20 * L4_3; // x07:57/31 + x08 += x20 * L4_4; // x08:57/55 + x09 += x20 * L4_5; // x09:58/-- + x10 += x20 * L4_6; // x10:58/56 + x11 += x20 * L4_7; // x11:59/-- + + x03 += x19 * L4_0; // x03:54/-- + x04 += x19 * L4_1; // x04:54/53 + x05 += x19 * L4_2; // x05:56/-- + x06 += x19 * L4_3; // x06:57/53 + x07 += x19 * L4_4; // x07:57/55 + x08 += x19 * L4_5; // x08:58/-- + x09 += x19 * L4_6; // x09:58/56 + x10 += x19 * L4_7; // x10:59/-- + + x15 += (x14 >> 28); x14 &= M28UL; // x15:59/31, x14:28/-- + x16 += (x15 >> 28); x15 &= M28UL; // x16:59/32, x15:28/-- + x17 += (x16 >> 28); x16 &= M28UL; // x17:31/29, x16:28/-- + x18 += (x17 >> 28); x17 &= M28UL; // x18:28/04, x17:28/-- + + x02 += x18 * L4_0; // x02:54/-- + x03 += x18 * L4_1; // x03:55/-- + x04 += x18 * L4_2; // x04:56/32 + x05 += x18 * L4_3; // x05:57/32 + x06 += x18 * L4_4; // x06:57/56 + x07 += x18 * L4_5; // x07:58/-- + x08 += x18 * L4_6; // x08:58/56 + x09 += x18 * L4_7; // x09:59/-- + + x01 += x17 * L4_0; // x01:54/-- + x02 += x17 * L4_1; // x02:54/53 + x03 += x17 * L4_2; // x03:56/53 + x04 += x17 * L4_3; // x04:57/32 + x05 += x17 * L4_4; // x05:57/55 + x06 += x17 * L4_5; // x06:58/-- + x07 += x17 * L4_6; // x07:58/56 + x08 += x17 * L4_7; // x08:59/-- + + x16 *= 4; + x16 += (x15 >> 26); x15 &= M26UL; + x16 += 1; // x16:30/01 + + x00 += x16 * L_0; + x01 += x16 * L_1; + x02 += x16 * L_2; + x03 += x16 * L_3; + x04 += x16 * L_4; + x05 += x16 * L_5; + x06 += x16 * L_6; + x07 += x16 * L_7; + + x01 += (x00 >> 28); x00 &= M28UL; + x02 += (x01 >> 28); x01 &= M28UL; + x03 += (x02 >> 28); x02 &= M28UL; + x04 += (x03 >> 28); x03 &= M28UL; + x05 += (x04 >> 28); x04 &= M28UL; + x06 += (x05 >> 28); x05 &= M28UL; + x07 += (x06 >> 28); x06 &= M28UL; + x08 += (x07 >> 28); x07 &= M28UL; + x09 += (x08 >> 28); x08 &= M28UL; + x10 += (x09 >> 28); x09 &= M28UL; + x11 += (x10 >> 28); x10 &= M28UL; + x12 += (x11 >> 28); x11 &= M28UL; + x13 += (x12 >> 28); x12 &= M28UL; + x14 += (x13 >> 28); x13 &= M28UL; + x15 += (x14 >> 28); x14 &= M28UL; + x16 = (x15 >> 26); x15 &= M26UL; + + x16 -= 1; + + Debug.Assert(x16 == 0UL || x16 == ulong.MaxValue); + + x00 -= x16 & L_0; + x01 -= x16 & L_1; + x02 -= x16 & L_2; + x03 -= x16 & L_3; + x04 -= x16 & L_4; + x05 -= x16 & L_5; + x06 -= x16 & L_6; + x07 -= x16 & L_7; + + x01 += (ulong)((long)x00 >> 28); x00 &= M28UL; + x02 += (ulong)((long)x01 >> 28); x01 &= M28UL; + x03 += (ulong)((long)x02 >> 28); x02 &= M28UL; + x04 += (ulong)((long)x03 >> 28); x03 &= M28UL; + x05 += (ulong)((long)x04 >> 28); x04 &= M28UL; + x06 += (ulong)((long)x05 >> 28); x05 &= M28UL; + x07 += (ulong)((long)x06 >> 28); x06 &= M28UL; + x08 += (ulong)((long)x07 >> 28); x07 &= M28UL; + x09 += (ulong)((long)x08 >> 28); x08 &= M28UL; + x10 += (ulong)((long)x09 >> 28); x09 &= M28UL; + x11 += (ulong)((long)x10 >> 28); x10 &= M28UL; + x12 += (ulong)((long)x11 >> 28); x11 &= M28UL; + x13 += (ulong)((long)x12 >> 28); x12 &= M28UL; + x14 += (ulong)((long)x13 >> 28); x13 &= M28UL; + x15 += (ulong)((long)x14 >> 28); x14 &= M28UL; + + Debug.Assert(x15 >> 26 == 0UL); + + Encode56(x00 | (x01 << 28), r); + Encode56(x02 | (x03 << 28), r[7..]); + Encode56(x04 | (x05 << 28), r[14..]); + Encode56(x06 | (x07 << 28), r[21..]); + Encode56(x08 | (x09 << 28), r[28..]); + Encode56(x10 | (x11 << 28), r[35..]); + Encode56(x12 | (x13 << 28), r[42..]); + Encode56(x14 | (x15 << 28), r[49..]); + //r[ScalarBytes - 1] = 0; + } +#endif + private static void ScalarMult(byte[] k, ref PointProjective p, ref PointProjective r) { #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER @@ -1657,6 +2069,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 private static void ScalarMultStrausVar(uint[] nb, uint[] np, ref PointProjective p, ref PointProjective r) { +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + ScalarMultStrausVar(nb.AsSpan(), np.AsSpan(), ref p, ref r); +#else Precompute(); sbyte[] ws_b = GetWnafVar(nb, WnafWidthBase); @@ -1693,8 +2108,52 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 PointDouble(ref r); } +#endif } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static void ScalarMultStrausVar(ReadOnlySpan<uint> nb, ReadOnlySpan<uint> np, ref PointProjective p, + ref PointProjective r) + { + Precompute(); + + sbyte[] ws_b = GetWnafVar(nb, WnafWidthBase); + sbyte[] ws_p = GetWnafVar(np, WnafWidth); + + int count = 1 << (WnafWidth - 2); + PointProjective[] tp = new PointProjective[count]; + PointPrecomputeVar(ref p, tp, count); + + PointSetNeutral(ref r); + + for (int bit = 446;;) + { + int wb = ws_b[bit]; + if (wb != 0) + { + int sign = wb >> 31; + int index = (wb ^ sign) >> 1; + + PointAddVar(sign != 0, ref PrecompBaseWnaf[index], ref r); + } + + int wp = ws_p[bit]; + if (wp != 0) + { + int sign = wp >> 31; + int index = (wp ^ sign) >> 1; + + PointAddVar(sign != 0, ref tp[index], ref r); + } + + if (--bit < 0) + break; + + PointDouble(ref r); + } + } +#endif + public static void Sign(byte[] sk, int skOff, byte[] ctx, byte[] m, int mOff, int mLen, byte[] sig, int sigOff) { byte phflag = 0x00; |