ref: ed04d47bc8b7ea8eac5f84d71383e6a63c544182
dir: /lib/crypto/ctbig.myr/
use std use "ct" pkg crypto = type ctbig = struct nbit : std.size dig : uint32[:] /* little endian, no leading zeros. */ ;; generic mkctbign : (v : @a, nbit : std.size -> ctbig#) :: numeric,integral @a const ctzero : (nbit : std.size -> ctbig#) const mkctbigle : (v : byte[:], nbit : std.size -> ctbig#) //const mkctbigbe : (v : byte[:], nbit : std.size -> ctbig#) const ctfree : (v : ctbig# -> void) const ctbigdup : (v : ctbig# -> ctbig#) const ctlike : (v : ctbig# -> ctbig#) const ct2big : (v : ctbig# -> std.bigint#) const big2ct : (v : std.bigint#, nbit : std.size -> ctbig#) const ctadd : (r : ctbig#, a : ctbig#, b : ctbig# -> void) const ctsub : (r : ctbig#, a : ctbig#, b : ctbig# -> void) const ctmul : (r : ctbig#, a : ctbig#, b : ctbig# -> void) //const ctdivmod : (r : ctbig#, m : ctbig#, a : ctbig#, b : ctbig# -> void) const ctmodpow : (r : ctbig#, a : ctbig#, b : ctbig# -> void) const ctiszero : (v : ctbig# -> bool) const cteq : (a : ctbig#, b : ctbig# -> bool) const ctne : (a : ctbig#, b : ctbig# -> bool) const ctgt : (a : ctbig#, b : ctbig# -> bool) const ctge : (a : ctbig#, b : ctbig# -> bool) const ctlt : (a : ctbig#, b : ctbig# -> bool) const ctle : (a : ctbig#, b : ctbig# -> bool) ;; const Bits = 32 const Base = 0x100000000ul generic mkctbign = {v : @a, nbit : std.size :: integral,numeric @a var a var val a = std.zalloc() val = (v : uint64) a.nbit = nbit a.dig = std.slalloc(ndig(nbit)) if nbit > 0 a.dig[0] = (val : uint32) ;; if nbit > 32 a.dig[1] = (val >> 32 : uint32) ;; -> clip(a) } const ctzero = {nbit -> std.mk([ .nbit=nbit, .dig=std.slalloc(ndig(nbit)), ]) } const ct2big = {ct -> std.mk([ .sign=1, .dig=std.sldup(ct.dig) ]) } const big2ct = {ct, nbit var v, n, l n = ndig(nbit) l = std.min(n, ct.dig.len) v = std.slzalloc(n) std.slcp(v, ct.dig[:l]) -> clip(std.mk([ .nbit=nbit, .dig=v, ])) } const mkctbigle = {v, nbit var a, last, i, o, off /* It's ok to depend on the length of v here: we can leak the size of the numbers. */ o = 0 a = std.slzalloc(ndig(nbit)) for i = 0; i + 4 <= v.len; i += 4 a[o++] = \ (v[i + 0] << 0 : uint32) | \ (v[i + 1] << 8 : uint32) | \ (v[i + 2] << 16 : uint32) | \ (v[i + 3] << 24 : uint32) ;; last = 0 for i; i < v.len; i++ off = i & 0x3 last |= (v[off] : uint32) << (8 *off) ;; a[o++] = last -> clip(std.mk([.nbit=nbit, .dig=a])) } const ctlike = {v -> std.mk([ .nbit = v.nbit, .dig=std.slzalloc(v.dig.len), ]) } const ctbigdup = {v -> std.mk([ .nbit=v.nbit, .dig=std.sldup(v.dig), ]) } const ctfree = {v std.slfree(v.dig) std.free(v) } const ctadd = {r, a, b var v, i, carry, n checksz(a, b) checksz(a, r) carry = 0 n = max(a.dig.len, b.dig.len) for i = 0; i < n; i++ v = (a.dig[i] : uint64) + (b.dig[i] : uint64) + carry; r.dig[i] = (v : uint32) carry >>= 32 ;; } const ctsub = {r, a, b var borrow, v, i checksz(a, b) checksz(a, r) borrow = 0 for i = 0; i < a.dig.len; i++ v = (a.dig[i] : uint64) - (b.dig[i] : uint64) - borrow borrow = (v & (1<<63)) >> 63 v = mux(borrow, v + Base, v) r.dig[i] = (v : uint32) ;; clip(r) } const ctmul = {r, a, b var i, j var ai, bj, wij var carry, t var w checksz(a, b) checksz(a, r) w = std.slzalloc(a.dig.len + b.dig.len) for j = 0; j < b.dig.len; j++ carry = 0 for i = 0; i < a.dig.len; i++ ai = (a.dig[i] : uint64) bj = (b.dig[j] : uint64) wij = (w[i+j] : uint64) t = ai * bj + wij + carry w[i+j] = (t : uint32) carry = t >> 32 ;; w[i + j] = (carry : uint32) ;; /* safe to leak that a == r; not data dependent */ std.slgrow(&w, a.dig.len) if a == r std.slfree(a.dig) ;; r.dig = w[:a.dig.len] clip(r) } const ctmodpow = {res, a, b /* find rinv, mprime */ /* convert to monty space */ /* do the modpow */ /* and come back */ } const ctiszero = {a var z, zz z = 1 for var i = 0; i < a.dig.len; i++ zz = mux(a.dig[i], 0, 1) z = mux(zz, z, 0) ;; -> (z : bool) } const cteq = {a, b var z, d, e checksz(a, b) e = 1 for var i = 0; i < a.dig.len; i++ z = a.dig[i] - b.dig[i] d = mux(z, 1, 0) e = mux(e, d, 0) ;; -> (e : bool) } const ctne = {a, b var v v = (cteq(a, b) : byte) -> (not(v) : bool) } const ctgt = {a, b var e, d, g checksz(a, b) g = 0 for var i = 0; i < a.dig.len; i++ e = not(a.dig[i] - b.dig[i]) d = gt(a.dig[i], b.dig[i]) g = mux(e, g, d) ;; -> (g : bool) } const ctge = {a, b var v v = (ctlt(a, b) : byte) -> (not(v) : bool) } const ctlt = {a, b var e, d, l checksz(a, b) l = 0 for var i = 0; i < a.dig.len; i++ e = not(a.dig[i] - b.dig[i]) d = gt(a.dig[i], b.dig[i]) l = mux(e, l, d) ;; -> (l : bool) } const ctle = {a, b var v v = (ctgt(a, b) : byte) -> (not(v) : bool) } const ndig = {nbit -> (nbit + 8*sizeof(uint32) - 1)/sizeof(uint32) } const checksz = {a, b std.assert(a.nbit == b.nbit, "mismatched bit sizes") std.assert(a.dig.len == b.dig.len, "mismatched backing sizes") } const clip = {v var mask, edge edge = v.nbit & (Bits - 1) mask = (1 << edge) - 1 v.dig[v.dig.len - 1] &= (mask : uint32) -> v }