Lines Matching +full:compute +full:-
29 * - field modulus p
30 * - R^2 mod p (R = 2^(15k) for the smallest k such that R >= p)
31 * - b*R mod p (b is the second curve equation parameter)
123 return &pp[curve - BR_EC_secp256r1]; in id_to_curve()
130 * -- three values, x, y and z, in Montgomery representation
131 * -- affine coordinates are X = x / z^2 and Y = y / z^3
132 * -- for the point at infinity, z = 0
143 * MSUB(d, a) d = d-a (modular)
200 * m = 3*(x + z^2)*(x - z^2)
201 * x' = m^2 - 2*s
202 * y' = m*(s - x') - 8*y^4
216 * Compute z^2 (in t1).
221 * Compute x-z^2 (in t2) and then x+z^2 (in t1).
228 * Compute m = 3*(x+z^2)*(x-z^2) (in t1).
236 * Compute s = 4*x*y^2 (in t2) and 2*y^2 (in t3).
244 * Compute x' = m^2 - 2*s.
251 * Compute z' = 2*y*z.
258 * Compute y' = m*(s - x') - 8*y^4. Note that we already have
277 * h = u2 - u1
278 * r = s2 - s1
279 * x3 = r^2 - h^3 - 2 * u1 * h^2
280 * y3 = r * (u1 * h^2 - x3) - s1 * h^3
288 * -- if s1 == s2 then P1 and/or P2 is infinity, or P1 == P2
289 * -- if s1 != s2 then P1 + P2 == infinity (but neither P1 or P2 is infinity)
292 * -- P1 = 0 and P2 != 0
293 * -- P1 != 0 and P2 = 0
294 * -- P1 = P2
301 * -- Both points are on the same horizontal line (same Y coordinate).
302 * -- Both points are infinity.
303 * -- One point is infinity and the other is on line Y = 0.
306 * source points are non-infinity, then remains only the case where the
311 * -- If the returned value is not the point at infinity, then it was properly
313 * -- Otherwise, if the returned flag is 1, then P1+P2 = 0, and the result
315 * -- Otherwise (result is infinity, flag is 0), then P1 = P2 and we should
322 * Compute u1 = x1*z2^2 (in t1) and s1 = y1*z2^3 (in t3).
330 * Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
338 * Compute h = u2 - u1 (in t2) and r = s2 - s1 (in t4).
349 * Compute u1*h^2 (in t6) and h^3 (in t5).
356 * Compute x3 = r^2 - h^3 - 2*u1*h^2.
365 * Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
373 * Compute z3 = h*z1*z2.
384 * -- Coordinates x and y have been freshly decoded in P1 (but not
386 * -- P2x, P2y and P2z are set to, respectively, R^2, b*R and 1.
396 /* Compute x^3 in t1. */
408 /* Compute y^2 in t2. */
411 /* Compare y^2 with x^3 - 3*x + b; they must match. */
430 /* Compute z^3 in t2. */
438 /* Compute y. */
442 /* Compute (1/z^2) in t3. */
445 /* Compute x. */
465 memcpy(t[P1x], P1->c, 3 * I15_LEN * sizeof(uint16_t)); in run_code()
466 memcpy(t[P2x], P2->c, 3 * I15_LEN * sizeof(uint16_t)); in run_code()
492 ctl |= NOT(br_i15_sub(t[d], cc->p, 0)); in run_code()
493 br_i15_sub(t[d], cc->p, ctl); in run_code()
496 br_i15_add(t[d], cc->p, br_i15_sub(t[d], t[a], 1)); in run_code()
499 br_i15_montymul(t[d], t[a], t[b], cc->p, cc->p0i); in run_code()
502 plen = (cc->p[0] - (cc->p[0] >> 4) + 7) >> 3; in run_code()
503 br_i15_encode(tp, plen, cc->p); in run_code()
504 tp[plen - 1] -= 2; in run_code()
506 cc->p, cc->p0i, t[a], t[b]); in run_code()
517 memcpy(P1->c, t[P1x], 3 * I15_LEN * sizeof(uint16_t)); in run_code()
536 P->c[0][0] = P->c[1][0] = P->c[2][0] = cc->p[0]; in point_zero()
556 * We do a simple double-and-add ladder with a 2-bit window in point_mul()
579 while (xlen -- > 0) { in point_mul()
582 for (k = 6; k >= 0; k -= 2) { in point_mul()
614 * -- first byte is 0x04; in point_decode()
615 * -- coordinates X and Y use unsigned big-endian, with the same in point_decode()
624 * much used in practice (there are or were patent-related in point_decode()
636 plen = (cc->p[0] - (cc->p[0] >> 4) + 7) >> 3; in point_decode()
640 r = br_i15_decode_mod(P->c[0], buf + 1, plen, cc->p); in point_decode()
641 r &= br_i15_decode_mod(P->c[1], buf + 1 + plen, plen, cc->p); in point_decode()
655 zlen = ((cc->p[0] + 31) >> 4) * sizeof(uint16_t); in point_decode()
656 memcpy(Q.c[0], cc->R2, zlen); in point_decode()
657 memcpy(Q.c[1], cc->b, zlen); in point_decode()
658 set_one(Q.c[2], cc->p); in point_decode()
676 plen = (cc->p[0] - (cc->p[0] >> 4) + 7) >> 3; in point_encode()
679 set_one(T.c[2], cc->p); in point_encode()
705 *len = cd->generator_len; in api_generator()
706 return cd->generator; in api_generator()
715 *len = cd->order_len; in api_order()
716 return cd->order; in api_order()
736 if (Glen != cc->point_len) { in api_mul()
774 if (len != cc->point_len) { in api_muladd()
788 * We want to compute P+Q. Since the base points A and B are distinct in api_muladd()
789 * from infinity, and the multipliers are non-zero and lower than the in api_muladd()
790 * curve order, then we know that P and Q are non-infinity. This in api_muladd()
792 * -- If P = Q then we must use point_double(). in api_muladd()
793 * -- If P+Q = 0 then we must report an error. in api_muladd()