curve25519-x86_64: simplify the final reduction by adding 19 beforehand - wireguard-linux-compat

diff options

author	Samuel Neves <sneves@dei.uc.pt>	2018-07-28 06:09:52 +0100
committer	Jason A. Donenfeld <Jason@zx2c4.com>	2018-07-28 14:51:19 +0200
commit	06bab82a51b769ca96297d09ed96afcbcfb36189 (patch)
tree	24bb343c5933398d320b61ea1eea7a77cb0e5063 /src/noise.h
parent	2ff62d8431b18db111c126dd2ef26e5417da1c62 (diff)

curve25519-x86_64: simplify the final reduction by adding 19 beforehand

Correctness can be quickly verified with the following z3py script: >>> from z3 import * >>> x = BitVec("x", 256) # any 256-bit value >>> ref = URem(x, 2**255 - 19) # correct value >>> t = Extract(255, 255, x); x &= 2**255 - 1; # btrq $63, %3 >>> u = If(t != 0, BitVecVal(38, 256), BitVecVal(19, 256)) # cmovncl %k5, %k4 >>> x += u # addq %4, %0; adcq $0, %1; adcq $0, %2; adcq $0, %3; >>> t = Extract(255, 255, x); x &= 2**255 - 1; # btrq $63, %3 >>> u = If(t != 0, BitVecVal(0, 256), BitVecVal(19, 256)) # cmovncl %k5, %k4 >>> x -= u # subq %4, %0; sbbq $0, %1; sbbq $0, %2; sbbq $0, %3; >>> prove(x == ref) proved Change inspired by Andy Polyakov's OpenSSL implementation. Signed-off-by: Samuel Neves <sneves@dei.uc.pt> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Diffstat (limited to 'src/noise.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: