File Coverage

src/ec/ec_p256_m15.c

Criterion	Covered	Total	%
statement	0	991	0.0
branch	0	84	0.0
condition			n/a
subroutine			n/a
pod			n/a
total	0	1075	0.0

line	stmt	bran	code
1			/*
2			* Copyright (c) 2017 Thomas Pornin
3			*
4			* Permission is hereby granted, free of charge, to any person obtaining
5			* a copy of this software and associated documentation files (the
6			* "Software"), to deal in the Software without restriction, including
7			* without limitation the rights to use, copy, modify, merge, publish,
8			* distribute, sublicense, and/or sell copies of the Software, and to
9			* permit persons to whom the Software is furnished to do so, subject to
10			* the following conditions:
11			*
12			* The above copyright notice and this permission notice shall be
13			* included in all copies or substantial portions of the Software.
14			*
15			* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16			* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17			* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18			* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19			* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20			* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21			* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22			* SOFTWARE.
23			*/
24
25			#include "inner.h"
26
27			/*
28			* If BR_NO_ARITH_SHIFT is undefined, or defined to 0, then we _assume_
29			* that right-shifting a signed negative integer copies the sign bit
30			* (arithmetic right-shift). This is "implementation-defined behaviour",
31			* i.e. it is not undefined, but it may differ between compilers. Each
32			* compiler is supposed to document its behaviour in that respect. GCC
33			* explicitly defines that an arithmetic right shift is used. We expect
34			* all other compilers to do the same, because underlying CPU offer an
35			* arithmetic right shift opcode that could not be used otherwise.
36			*/
37			#if BR_NO_ARITH_SHIFT
38			#define ARSH(x, n) (((uint32_t)(x) >> (n)) \
39			\| ((-((uint32_t)(x) >> 31)) << (32 - (n))))
40			#else
41			#define ARSH(x, n) (((int32_t )&(x)) >> (n))
42			#endif
43
44			/*
45			* Convert an integer from unsigned big-endian encoding to a sequence of
46			* 13-bit words in little-endian order. The final "partial" word is
47			* returned.
48			*/
49			static uint32_t
50	0		be8_to_le13(uint32_t dst, const unsigned char src, size_t len)
51			{
52			uint32_t acc;
53			int acc_len;
54
55	0		acc = 0;
56	0		acc_len = 0;
57	0	0	while (len -- > 0) {
58	0		acc \|= (uint32_t)src[len] << acc_len;
59	0		acc_len += 8;
60	0	0	if (acc_len >= 13) {
61	0		*dst ++ = acc & 0x1FFF;
62	0		acc >>= 13;
63	0		acc_len -= 13;
64			}
65			}
66	0		return acc;
67			}
68
69			/*
70			* Convert an integer (13-bit words, little-endian) to unsigned
71			* big-endian encoding. The total encoding length is provided; all
72			* the destination bytes will be filled.
73			*/
74			static void
75	0		le13_to_be8(unsigned char dst, size_t len, const uint32_t src)
76			{
77			uint32_t acc;
78			int acc_len;
79
80	0		acc = 0;
81	0		acc_len = 0;
82	0	0	while (len -- > 0) {
83	0	0	if (acc_len < 8) {
84	0		acc \|= (*src ++) << acc_len;
85	0		acc_len += 13;
86			}
87	0		dst[len] = (unsigned char)acc;
88	0		acc >>= 8;
89	0		acc_len -= 8;
90			}
91	0		}
92
93			/*
94			* Normalise an array of words to a strict 13 bits per word. Returned
95			* value is the resulting carry. The source (w) and destination (d)
96			* arrays may be identical, but shall not overlap partially.
97			*/
98			static inline uint32_t
99	0		norm13(uint32_t d, const uint32_t w, size_t len)
100			{
101			size_t u;
102			uint32_t cc;
103
104	0		cc = 0;
105	0	0	for (u = 0; u < len; u ++) {
106			int32_t z;
107
108	0		z = w[u] + cc;
109	0		d[u] = z & 0x1FFF;
110	0		cc = ARSH(z, 13);
111			}
112	0		return cc;
113			}
114
115			/*
116			* mul20() multiplies two 260-bit integers together. Each word must fit
117			* on 13 bits; source operands use 20 words, destination operand
118			* receives 40 words. All overlaps allowed.
119			*
120			* square20() computes the square of a 260-bit integer. Each word must
121			* fit on 13 bits; source operand uses 20 words, destination operand
122			* receives 40 words. All overlaps allowed.
123			*/
124
125			#if BR_SLOW_MUL15
126
127			static void
128			mul20(uint32_t d, const uint32_t a, const uint32_t *b)
129			{
130			/*
131			* Two-level Karatsuba: turns a 20x20 multiplication into
132			* nine 5x5 multiplications. We use 13-bit words but do not
133			* propagate carries immediately, so words may expand:
134			*
135			* - First Karatsuba decomposition turns the 20x20 mul on
136			* 13-bit words into three 10x10 muls, two on 13-bit words
137			* and one on 14-bit words.
138			*
139			* - Second Karatsuba decomposition further splits these into:
140			*
141			* * four 5x5 muls on 13-bit words
142			* * four 5x5 muls on 14-bit words
143			* * one 5x5 mul on 15-bit words
144			*
145			* Highest word value is 8191, 16382 or 32764, for 13-bit, 14-bit
146			* or 15-bit words, respectively.
147			*/
148			uint32_t u[45], v[45], w[90];
149			uint32_t cc;
150			int i;
151
152			#define ZADD(dw, d_off, s1w, s1_off, s2w, s2_off) do { \
153			(dw)[5 * (d_off) + 0] = (s1w)[5 * (s1_off) + 0] \
154			+ (s2w)[5 * (s2_off) + 0]; \
155			(dw)[5 * (d_off) + 1] = (s1w)[5 * (s1_off) + 1] \
156			+ (s2w)[5 * (s2_off) + 1]; \
157			(dw)[5 * (d_off) + 2] = (s1w)[5 * (s1_off) + 2] \
158			+ (s2w)[5 * (s2_off) + 2]; \
159			(dw)[5 * (d_off) + 3] = (s1w)[5 * (s1_off) + 3] \
160			+ (s2w)[5 * (s2_off) + 3]; \
161			(dw)[5 * (d_off) + 4] = (s1w)[5 * (s1_off) + 4] \
162			+ (s2w)[5 * (s2_off) + 4]; \
163			} while (0)
164
165			#define ZADDT(dw, d_off, sw, s_off) do { \
166			(dw)[5 * (d_off) + 0] += (sw)[5 * (s_off) + 0]; \
167			(dw)[5 * (d_off) + 1] += (sw)[5 * (s_off) + 1]; \
168			(dw)[5 * (d_off) + 2] += (sw)[5 * (s_off) + 2]; \
169			(dw)[5 * (d_off) + 3] += (sw)[5 * (s_off) + 3]; \
170			(dw)[5 * (d_off) + 4] += (sw)[5 * (s_off) + 4]; \
171			} while (0)
172
173			#define ZSUB2F(dw, d_off, s1w, s1_off, s2w, s2_off) do { \
174			(dw)[5 * (d_off) + 0] -= (s1w)[5 * (s1_off) + 0] \
175			+ (s2w)[5 * (s2_off) + 0]; \
176			(dw)[5 * (d_off) + 1] -= (s1w)[5 * (s1_off) + 1] \
177			+ (s2w)[5 * (s2_off) + 1]; \
178			(dw)[5 * (d_off) + 2] -= (s1w)[5 * (s1_off) + 2] \
179			+ (s2w)[5 * (s2_off) + 2]; \
180			(dw)[5 * (d_off) + 3] -= (s1w)[5 * (s1_off) + 3] \
181			+ (s2w)[5 * (s2_off) + 3]; \
182			(dw)[5 * (d_off) + 4] -= (s1w)[5 * (s1_off) + 4] \
183			+ (s2w)[5 * (s2_off) + 4]; \
184			} while (0)
185
186			#define CPR1(w, cprcc) do { \
187			uint32_t cprz = (w) + cprcc; \
188			(w) = cprz & 0x1FFF; \
189			cprcc = cprz >> 13; \
190			} while (0)
191
192			#define CPR(dw, d_off) do { \
193			uint32_t cprcc; \
194			cprcc = 0; \
195			CPR1((dw)[(d_off) + 0], cprcc); \
196			CPR1((dw)[(d_off) + 1], cprcc); \
197			CPR1((dw)[(d_off) + 2], cprcc); \
198			CPR1((dw)[(d_off) + 3], cprcc); \
199			CPR1((dw)[(d_off) + 4], cprcc); \
200			CPR1((dw)[(d_off) + 5], cprcc); \
201			CPR1((dw)[(d_off) + 6], cprcc); \
202			CPR1((dw)[(d_off) + 7], cprcc); \
203			CPR1((dw)[(d_off) + 8], cprcc); \
204			(dw)[(d_off) + 9] = cprcc; \
205			} while (0)
206
207			memcpy(u, a, 20 * sizeof *a);
208			ZADD(u, 4, a, 0, a, 1);
209			ZADD(u, 5, a, 2, a, 3);
210			ZADD(u, 6, a, 0, a, 2);
211			ZADD(u, 7, a, 1, a, 3);
212			ZADD(u, 8, u, 6, u, 7);
213
214			memcpy(v, b, 20 * sizeof *b);
215			ZADD(v, 4, b, 0, b, 1);
216			ZADD(v, 5, b, 2, b, 3);
217			ZADD(v, 6, b, 0, b, 2);
218			ZADD(v, 7, b, 1, b, 3);
219			ZADD(v, 8, v, 6, v, 7);
220
221			/*
222			* Do the eight first 8x8 muls. Source words are at most 16382
223			* each, so we can add product results together "as is" in 32-bit
224			* words.
225			*/
226			for (i = 0; i < 40; i += 5) {
227			w[(i << 1) + 0] = MUL15(u[i + 0], v[i + 0]);
228			w[(i << 1) + 1] = MUL15(u[i + 0], v[i + 1])
229			+ MUL15(u[i + 1], v[i + 0]);
230			w[(i << 1) + 2] = MUL15(u[i + 0], v[i + 2])
231			+ MUL15(u[i + 1], v[i + 1])
232			+ MUL15(u[i + 2], v[i + 0]);
233			w[(i << 1) + 3] = MUL15(u[i + 0], v[i + 3])
234			+ MUL15(u[i + 1], v[i + 2])
235			+ MUL15(u[i + 2], v[i + 1])
236			+ MUL15(u[i + 3], v[i + 0]);
237			w[(i << 1) + 4] = MUL15(u[i + 0], v[i + 4])
238			+ MUL15(u[i + 1], v[i + 3])
239			+ MUL15(u[i + 2], v[i + 2])
240			+ MUL15(u[i + 3], v[i + 1])
241			+ MUL15(u[i + 4], v[i + 0]);
242			w[(i << 1) + 5] = MUL15(u[i + 1], v[i + 4])
243			+ MUL15(u[i + 2], v[i + 3])
244			+ MUL15(u[i + 3], v[i + 2])
245			+ MUL15(u[i + 4], v[i + 1]);
246			w[(i << 1) + 6] = MUL15(u[i + 2], v[i + 4])
247			+ MUL15(u[i + 3], v[i + 3])
248			+ MUL15(u[i + 4], v[i + 2]);
249			w[(i << 1) + 7] = MUL15(u[i + 3], v[i + 4])
250			+ MUL15(u[i + 4], v[i + 3]);
251			w[(i << 1) + 8] = MUL15(u[i + 4], v[i + 4]);
252			w[(i << 1) + 9] = 0;
253			}
254
255			/*
256			* For the 9th multiplication, source words are up to 32764,
257			* so we must do some carry propagation. If we add up to
258			* 4 products and the carry is no more than 524224, then the
259			* result fits in 32 bits, and the next carry will be no more
260			* than 524224 (because 4(32764^2)+524224 < 8192524225).
261			*
262			* We thus just skip one of the products in the middle word,
263			* then do a carry propagation (this reduces words to 13 bits
264			* each, except possibly the last, which may use up to 17 bits
265			* or so), then add the missing product.
266			*/
267			w[80 + 0] = MUL15(u[40 + 0], v[40 + 0]);
268			w[80 + 1] = MUL15(u[40 + 0], v[40 + 1])
269			+ MUL15(u[40 + 1], v[40 + 0]);
270			w[80 + 2] = MUL15(u[40 + 0], v[40 + 2])
271			+ MUL15(u[40 + 1], v[40 + 1])
272			+ MUL15(u[40 + 2], v[40 + 0]);
273			w[80 + 3] = MUL15(u[40 + 0], v[40 + 3])
274			+ MUL15(u[40 + 1], v[40 + 2])
275			+ MUL15(u[40 + 2], v[40 + 1])
276			+ MUL15(u[40 + 3], v[40 + 0]);
277			w[80 + 4] = MUL15(u[40 + 0], v[40 + 4])
278			+ MUL15(u[40 + 1], v[40 + 3])
279			+ MUL15(u[40 + 2], v[40 + 2])
280			+ MUL15(u[40 + 3], v[40 + 1]);
281			/* + MUL15(u[40 + 4], v[40 + 0]) */
282			w[80 + 5] = MUL15(u[40 + 1], v[40 + 4])
283			+ MUL15(u[40 + 2], v[40 + 3])
284			+ MUL15(u[40 + 3], v[40 + 2])
285			+ MUL15(u[40 + 4], v[40 + 1]);
286			w[80 + 6] = MUL15(u[40 + 2], v[40 + 4])
287			+ MUL15(u[40 + 3], v[40 + 3])
288			+ MUL15(u[40 + 4], v[40 + 2]);
289			w[80 + 7] = MUL15(u[40 + 3], v[40 + 4])
290			+ MUL15(u[40 + 4], v[40 + 3]);
291			w[80 + 8] = MUL15(u[40 + 4], v[40 + 4]);
292
293			CPR(w, 80);
294
295			w[80 + 4] += MUL15(u[40 + 4], v[40 + 0]);
296
297			/*
298			* The products on 14-bit words in slots 6 and 7 yield values
299			* up to 5*(16382^2) each, and we need to subtract two such
300			* values from the higher word. We need the subtraction to fit
301			* in a _signed_ 32-bit integer, i.e. 31 bits + a sign bit.
302			* However, 10*(16382^2) does not fit. So we must perform a
303			* bit of reduction here.
304			*/
305			CPR(w, 60);
306			CPR(w, 70);
307
308			/*
309			* Recompose results.
310			*/
311
312			/* 0..10..1 into 0..3 /
313			ZSUB2F(w, 8, w, 0, w, 2);
314			ZSUB2F(w, 9, w, 1, w, 3);
315			ZADDT(w, 1, w, 8);
316			ZADDT(w, 2, w, 9);
317
318			/* 2..32..3 into 4..7 /
319			ZSUB2F(w, 10, w, 4, w, 6);
320			ZSUB2F(w, 11, w, 5, w, 7);
321			ZADDT(w, 5, w, 10);
322			ZADDT(w, 6, w, 11);
323
324			/* (0..1+2..3)(0..1+2..3) into 12..15 /
325			ZSUB2F(w, 16, w, 12, w, 14);
326			ZSUB2F(w, 17, w, 13, w, 15);
327			ZADDT(w, 13, w, 16);
328			ZADDT(w, 14, w, 17);
329
330			/* first-level recomposition */
331			ZSUB2F(w, 12, w, 0, w, 4);
332			ZSUB2F(w, 13, w, 1, w, 5);
333			ZSUB2F(w, 14, w, 2, w, 6);
334			ZSUB2F(w, 15, w, 3, w, 7);
335			ZADDT(w, 2, w, 12);
336			ZADDT(w, 3, w, 13);
337			ZADDT(w, 4, w, 14);
338			ZADDT(w, 5, w, 15);
339
340			/*
341			* Perform carry propagation to bring all words down to 13 bits.
342			*/
343			cc = norm13(d, w, 40);
344			d[39] += (cc << 13);
345
346			#undef ZADD
347			#undef ZADDT
348			#undef ZSUB2F
349			#undef CPR1
350			#undef CPR
351			}
352
353			static inline void
354			square20(uint32_t d, const uint32_t a)
355			{
356			mul20(d, a, a);
357			}
358
359			#else
360
361			static void
362	0		mul20(uint32_t d, const uint32_t a, const uint32_t *b)
363			{
364			uint32_t t[39];
365
366	0		t[ 0] = MUL15(a[ 0], b[ 0]);
367	0		t[ 1] = MUL15(a[ 0], b[ 1])
368	0		+ MUL15(a[ 1], b[ 0]);
369	0		t[ 2] = MUL15(a[ 0], b[ 2])
370	0		+ MUL15(a[ 1], b[ 1])
371	0		+ MUL15(a[ 2], b[ 0]);
372	0		t[ 3] = MUL15(a[ 0], b[ 3])
373	0		+ MUL15(a[ 1], b[ 2])
374	0		+ MUL15(a[ 2], b[ 1])
375	0		+ MUL15(a[ 3], b[ 0]);
376	0		t[ 4] = MUL15(a[ 0], b[ 4])
377	0		+ MUL15(a[ 1], b[ 3])
378	0		+ MUL15(a[ 2], b[ 2])
379	0		+ MUL15(a[ 3], b[ 1])
380	0		+ MUL15(a[ 4], b[ 0]);
381	0		t[ 5] = MUL15(a[ 0], b[ 5])
382	0		+ MUL15(a[ 1], b[ 4])
383	0		+ MUL15(a[ 2], b[ 3])
384	0		+ MUL15(a[ 3], b[ 2])
385	0		+ MUL15(a[ 4], b[ 1])
386	0		+ MUL15(a[ 5], b[ 0]);
387	0		t[ 6] = MUL15(a[ 0], b[ 6])
388	0		+ MUL15(a[ 1], b[ 5])
389	0		+ MUL15(a[ 2], b[ 4])
390	0		+ MUL15(a[ 3], b[ 3])
391	0		+ MUL15(a[ 4], b[ 2])
392	0		+ MUL15(a[ 5], b[ 1])
393	0		+ MUL15(a[ 6], b[ 0]);
394	0		t[ 7] = MUL15(a[ 0], b[ 7])
395	0		+ MUL15(a[ 1], b[ 6])
396	0		+ MUL15(a[ 2], b[ 5])
397	0		+ MUL15(a[ 3], b[ 4])
398	0		+ MUL15(a[ 4], b[ 3])
399	0		+ MUL15(a[ 5], b[ 2])
400	0		+ MUL15(a[ 6], b[ 1])
401	0		+ MUL15(a[ 7], b[ 0]);
402	0		t[ 8] = MUL15(a[ 0], b[ 8])
403	0		+ MUL15(a[ 1], b[ 7])
404	0		+ MUL15(a[ 2], b[ 6])
405	0		+ MUL15(a[ 3], b[ 5])
406	0		+ MUL15(a[ 4], b[ 4])
407	0		+ MUL15(a[ 5], b[ 3])
408	0		+ MUL15(a[ 6], b[ 2])
409	0		+ MUL15(a[ 7], b[ 1])
410	0		+ MUL15(a[ 8], b[ 0]);
411	0		t[ 9] = MUL15(a[ 0], b[ 9])
412	0		+ MUL15(a[ 1], b[ 8])
413	0		+ MUL15(a[ 2], b[ 7])
414	0		+ MUL15(a[ 3], b[ 6])
415	0		+ MUL15(a[ 4], b[ 5])
416	0		+ MUL15(a[ 5], b[ 4])
417	0		+ MUL15(a[ 6], b[ 3])
418	0		+ MUL15(a[ 7], b[ 2])
419	0		+ MUL15(a[ 8], b[ 1])
420	0		+ MUL15(a[ 9], b[ 0]);
421	0		t[10] = MUL15(a[ 0], b[10])
422	0		+ MUL15(a[ 1], b[ 9])
423	0		+ MUL15(a[ 2], b[ 8])
424	0		+ MUL15(a[ 3], b[ 7])
425	0		+ MUL15(a[ 4], b[ 6])
426	0		+ MUL15(a[ 5], b[ 5])
427	0		+ MUL15(a[ 6], b[ 4])
428	0		+ MUL15(a[ 7], b[ 3])
429	0		+ MUL15(a[ 8], b[ 2])
430	0		+ MUL15(a[ 9], b[ 1])
431	0		+ MUL15(a[10], b[ 0]);
432	0		t[11] = MUL15(a[ 0], b[11])
433	0		+ MUL15(a[ 1], b[10])
434	0		+ MUL15(a[ 2], b[ 9])
435	0		+ MUL15(a[ 3], b[ 8])
436	0		+ MUL15(a[ 4], b[ 7])
437	0		+ MUL15(a[ 5], b[ 6])
438	0		+ MUL15(a[ 6], b[ 5])
439	0		+ MUL15(a[ 7], b[ 4])
440	0		+ MUL15(a[ 8], b[ 3])
441	0		+ MUL15(a[ 9], b[ 2])
442	0		+ MUL15(a[10], b[ 1])
443	0		+ MUL15(a[11], b[ 0]);
444	0		t[12] = MUL15(a[ 0], b[12])
445	0		+ MUL15(a[ 1], b[11])
446	0		+ MUL15(a[ 2], b[10])
447	0		+ MUL15(a[ 3], b[ 9])
448	0		+ MUL15(a[ 4], b[ 8])
449	0		+ MUL15(a[ 5], b[ 7])
450	0		+ MUL15(a[ 6], b[ 6])
451	0		+ MUL15(a[ 7], b[ 5])
452	0		+ MUL15(a[ 8], b[ 4])
453	0		+ MUL15(a[ 9], b[ 3])
454	0		+ MUL15(a[10], b[ 2])
455	0		+ MUL15(a[11], b[ 1])
456	0		+ MUL15(a[12], b[ 0]);
457	0		t[13] = MUL15(a[ 0], b[13])
458	0		+ MUL15(a[ 1], b[12])
459	0		+ MUL15(a[ 2], b[11])
460	0		+ MUL15(a[ 3], b[10])
461	0		+ MUL15(a[ 4], b[ 9])
462	0		+ MUL15(a[ 5], b[ 8])
463	0		+ MUL15(a[ 6], b[ 7])
464	0		+ MUL15(a[ 7], b[ 6])
465	0		+ MUL15(a[ 8], b[ 5])
466	0		+ MUL15(a[ 9], b[ 4])
467	0		+ MUL15(a[10], b[ 3])
468	0		+ MUL15(a[11], b[ 2])
469	0		+ MUL15(a[12], b[ 1])
470	0		+ MUL15(a[13], b[ 0]);
471	0		t[14] = MUL15(a[ 0], b[14])
472	0		+ MUL15(a[ 1], b[13])
473	0		+ MUL15(a[ 2], b[12])
474	0		+ MUL15(a[ 3], b[11])
475	0		+ MUL15(a[ 4], b[10])
476	0		+ MUL15(a[ 5], b[ 9])
477	0		+ MUL15(a[ 6], b[ 8])
478	0		+ MUL15(a[ 7], b[ 7])
479	0		+ MUL15(a[ 8], b[ 6])
480	0		+ MUL15(a[ 9], b[ 5])
481	0		+ MUL15(a[10], b[ 4])
482	0		+ MUL15(a[11], b[ 3])
483	0		+ MUL15(a[12], b[ 2])
484	0		+ MUL15(a[13], b[ 1])
485	0		+ MUL15(a[14], b[ 0]);
486	0		t[15] = MUL15(a[ 0], b[15])
487	0		+ MUL15(a[ 1], b[14])
488	0		+ MUL15(a[ 2], b[13])
489	0		+ MUL15(a[ 3], b[12])
490	0		+ MUL15(a[ 4], b[11])
491	0		+ MUL15(a[ 5], b[10])
492	0		+ MUL15(a[ 6], b[ 9])
493	0		+ MUL15(a[ 7], b[ 8])
494	0		+ MUL15(a[ 8], b[ 7])
495	0		+ MUL15(a[ 9], b[ 6])
496	0		+ MUL15(a[10], b[ 5])
497	0		+ MUL15(a[11], b[ 4])
498	0		+ MUL15(a[12], b[ 3])
499	0		+ MUL15(a[13], b[ 2])
500	0		+ MUL15(a[14], b[ 1])
501	0		+ MUL15(a[15], b[ 0]);
502	0		t[16] = MUL15(a[ 0], b[16])
503	0		+ MUL15(a[ 1], b[15])
504	0		+ MUL15(a[ 2], b[14])
505	0		+ MUL15(a[ 3], b[13])
506	0		+ MUL15(a[ 4], b[12])
507	0		+ MUL15(a[ 5], b[11])
508	0		+ MUL15(a[ 6], b[10])
509	0		+ MUL15(a[ 7], b[ 9])
510	0		+ MUL15(a[ 8], b[ 8])
511	0		+ MUL15(a[ 9], b[ 7])
512	0		+ MUL15(a[10], b[ 6])
513	0		+ MUL15(a[11], b[ 5])
514	0		+ MUL15(a[12], b[ 4])
515	0		+ MUL15(a[13], b[ 3])
516	0		+ MUL15(a[14], b[ 2])
517	0		+ MUL15(a[15], b[ 1])
518	0		+ MUL15(a[16], b[ 0]);
519	0		t[17] = MUL15(a[ 0], b[17])
520	0		+ MUL15(a[ 1], b[16])
521	0		+ MUL15(a[ 2], b[15])
522	0		+ MUL15(a[ 3], b[14])
523	0		+ MUL15(a[ 4], b[13])
524	0		+ MUL15(a[ 5], b[12])
525	0		+ MUL15(a[ 6], b[11])
526	0		+ MUL15(a[ 7], b[10])
527	0		+ MUL15(a[ 8], b[ 9])
528	0		+ MUL15(a[ 9], b[ 8])
529	0		+ MUL15(a[10], b[ 7])
530	0		+ MUL15(a[11], b[ 6])
531	0		+ MUL15(a[12], b[ 5])
532	0		+ MUL15(a[13], b[ 4])
533	0		+ MUL15(a[14], b[ 3])
534	0		+ MUL15(a[15], b[ 2])
535	0		+ MUL15(a[16], b[ 1])
536	0		+ MUL15(a[17], b[ 0]);
537	0		t[18] = MUL15(a[ 0], b[18])
538	0		+ MUL15(a[ 1], b[17])
539	0		+ MUL15(a[ 2], b[16])
540	0		+ MUL15(a[ 3], b[15])
541	0		+ MUL15(a[ 4], b[14])
542	0		+ MUL15(a[ 5], b[13])
543	0		+ MUL15(a[ 6], b[12])
544	0		+ MUL15(a[ 7], b[11])
545	0		+ MUL15(a[ 8], b[10])
546	0		+ MUL15(a[ 9], b[ 9])
547	0		+ MUL15(a[10], b[ 8])
548	0		+ MUL15(a[11], b[ 7])
549	0		+ MUL15(a[12], b[ 6])
550	0		+ MUL15(a[13], b[ 5])
551	0		+ MUL15(a[14], b[ 4])
552	0		+ MUL15(a[15], b[ 3])
553	0		+ MUL15(a[16], b[ 2])
554	0		+ MUL15(a[17], b[ 1])
555	0		+ MUL15(a[18], b[ 0]);
556	0		t[19] = MUL15(a[ 0], b[19])
557	0		+ MUL15(a[ 1], b[18])
558	0		+ MUL15(a[ 2], b[17])
559	0		+ MUL15(a[ 3], b[16])
560	0		+ MUL15(a[ 4], b[15])
561	0		+ MUL15(a[ 5], b[14])
562	0		+ MUL15(a[ 6], b[13])
563	0		+ MUL15(a[ 7], b[12])
564	0		+ MUL15(a[ 8], b[11])
565	0		+ MUL15(a[ 9], b[10])
566	0		+ MUL15(a[10], b[ 9])
567	0		+ MUL15(a[11], b[ 8])
568	0		+ MUL15(a[12], b[ 7])
569	0		+ MUL15(a[13], b[ 6])
570	0		+ MUL15(a[14], b[ 5])
571	0		+ MUL15(a[15], b[ 4])
572	0		+ MUL15(a[16], b[ 3])
573	0		+ MUL15(a[17], b[ 2])
574	0		+ MUL15(a[18], b[ 1])
575	0		+ MUL15(a[19], b[ 0]);
576	0		t[20] = MUL15(a[ 1], b[19])
577	0		+ MUL15(a[ 2], b[18])
578	0		+ MUL15(a[ 3], b[17])
579	0		+ MUL15(a[ 4], b[16])
580	0		+ MUL15(a[ 5], b[15])
581	0		+ MUL15(a[ 6], b[14])
582	0		+ MUL15(a[ 7], b[13])
583	0		+ MUL15(a[ 8], b[12])
584	0		+ MUL15(a[ 9], b[11])
585	0		+ MUL15(a[10], b[10])
586	0		+ MUL15(a[11], b[ 9])
587	0		+ MUL15(a[12], b[ 8])
588	0		+ MUL15(a[13], b[ 7])
589	0		+ MUL15(a[14], b[ 6])
590	0		+ MUL15(a[15], b[ 5])
591	0		+ MUL15(a[16], b[ 4])
592	0		+ MUL15(a[17], b[ 3])
593	0		+ MUL15(a[18], b[ 2])
594	0		+ MUL15(a[19], b[ 1]);
595	0		t[21] = MUL15(a[ 2], b[19])
596	0		+ MUL15(a[ 3], b[18])
597	0		+ MUL15(a[ 4], b[17])
598	0		+ MUL15(a[ 5], b[16])
599	0		+ MUL15(a[ 6], b[15])
600	0		+ MUL15(a[ 7], b[14])
601	0		+ MUL15(a[ 8], b[13])
602	0		+ MUL15(a[ 9], b[12])
603	0		+ MUL15(a[10], b[11])
604	0		+ MUL15(a[11], b[10])
605	0		+ MUL15(a[12], b[ 9])
606	0		+ MUL15(a[13], b[ 8])
607	0		+ MUL15(a[14], b[ 7])
608	0		+ MUL15(a[15], b[ 6])
609	0		+ MUL15(a[16], b[ 5])
610	0		+ MUL15(a[17], b[ 4])
611	0		+ MUL15(a[18], b[ 3])
612	0		+ MUL15(a[19], b[ 2]);
613	0		t[22] = MUL15(a[ 3], b[19])
614	0		+ MUL15(a[ 4], b[18])
615	0		+ MUL15(a[ 5], b[17])
616	0		+ MUL15(a[ 6], b[16])
617	0		+ MUL15(a[ 7], b[15])
618	0		+ MUL15(a[ 8], b[14])
619	0		+ MUL15(a[ 9], b[13])
620	0		+ MUL15(a[10], b[12])
621	0		+ MUL15(a[11], b[11])
622	0		+ MUL15(a[12], b[10])
623	0		+ MUL15(a[13], b[ 9])
624	0		+ MUL15(a[14], b[ 8])
625	0		+ MUL15(a[15], b[ 7])
626	0		+ MUL15(a[16], b[ 6])
627	0		+ MUL15(a[17], b[ 5])
628	0		+ MUL15(a[18], b[ 4])
629	0		+ MUL15(a[19], b[ 3]);
630	0		t[23] = MUL15(a[ 4], b[19])
631	0		+ MUL15(a[ 5], b[18])
632	0		+ MUL15(a[ 6], b[17])
633	0		+ MUL15(a[ 7], b[16])
634	0		+ MUL15(a[ 8], b[15])
635	0		+ MUL15(a[ 9], b[14])
636	0		+ MUL15(a[10], b[13])
637	0		+ MUL15(a[11], b[12])
638	0		+ MUL15(a[12], b[11])
639	0		+ MUL15(a[13], b[10])
640	0		+ MUL15(a[14], b[ 9])
641	0		+ MUL15(a[15], b[ 8])
642	0		+ MUL15(a[16], b[ 7])
643	0		+ MUL15(a[17], b[ 6])
644	0		+ MUL15(a[18], b[ 5])
645	0		+ MUL15(a[19], b[ 4]);
646	0		t[24] = MUL15(a[ 5], b[19])
647	0		+ MUL15(a[ 6], b[18])
648	0		+ MUL15(a[ 7], b[17])
649	0		+ MUL15(a[ 8], b[16])
650	0		+ MUL15(a[ 9], b[15])
651	0		+ MUL15(a[10], b[14])
652	0		+ MUL15(a[11], b[13])
653	0		+ MUL15(a[12], b[12])
654	0		+ MUL15(a[13], b[11])
655	0		+ MUL15(a[14], b[10])
656	0		+ MUL15(a[15], b[ 9])
657	0		+ MUL15(a[16], b[ 8])
658	0		+ MUL15(a[17], b[ 7])
659	0		+ MUL15(a[18], b[ 6])
660	0		+ MUL15(a[19], b[ 5]);
661	0		t[25] = MUL15(a[ 6], b[19])
662	0		+ MUL15(a[ 7], b[18])
663	0		+ MUL15(a[ 8], b[17])
664	0		+ MUL15(a[ 9], b[16])
665	0		+ MUL15(a[10], b[15])
666	0		+ MUL15(a[11], b[14])
667	0		+ MUL15(a[12], b[13])
668	0		+ MUL15(a[13], b[12])
669	0		+ MUL15(a[14], b[11])
670	0		+ MUL15(a[15], b[10])
671	0		+ MUL15(a[16], b[ 9])
672	0		+ MUL15(a[17], b[ 8])
673	0		+ MUL15(a[18], b[ 7])
674	0		+ MUL15(a[19], b[ 6]);
675	0		t[26] = MUL15(a[ 7], b[19])
676	0		+ MUL15(a[ 8], b[18])
677	0		+ MUL15(a[ 9], b[17])
678	0		+ MUL15(a[10], b[16])
679	0		+ MUL15(a[11], b[15])
680	0		+ MUL15(a[12], b[14])
681	0		+ MUL15(a[13], b[13])
682	0		+ MUL15(a[14], b[12])
683	0		+ MUL15(a[15], b[11])
684	0		+ MUL15(a[16], b[10])
685	0		+ MUL15(a[17], b[ 9])
686	0		+ MUL15(a[18], b[ 8])
687	0		+ MUL15(a[19], b[ 7]);
688	0		t[27] = MUL15(a[ 8], b[19])
689	0		+ MUL15(a[ 9], b[18])
690	0		+ MUL15(a[10], b[17])
691	0		+ MUL15(a[11], b[16])
692	0		+ MUL15(a[12], b[15])
693	0		+ MUL15(a[13], b[14])
694	0		+ MUL15(a[14], b[13])
695	0		+ MUL15(a[15], b[12])
696	0		+ MUL15(a[16], b[11])
697	0		+ MUL15(a[17], b[10])
698	0		+ MUL15(a[18], b[ 9])
699	0		+ MUL15(a[19], b[ 8]);
700	0		t[28] = MUL15(a[ 9], b[19])
701	0		+ MUL15(a[10], b[18])
702	0		+ MUL15(a[11], b[17])
703	0		+ MUL15(a[12], b[16])
704	0		+ MUL15(a[13], b[15])
705	0		+ MUL15(a[14], b[14])
706	0		+ MUL15(a[15], b[13])
707	0		+ MUL15(a[16], b[12])
708	0		+ MUL15(a[17], b[11])
709	0		+ MUL15(a[18], b[10])
710	0		+ MUL15(a[19], b[ 9]);
711	0		t[29] = MUL15(a[10], b[19])
712	0		+ MUL15(a[11], b[18])
713	0		+ MUL15(a[12], b[17])
714	0		+ MUL15(a[13], b[16])
715	0		+ MUL15(a[14], b[15])
716	0		+ MUL15(a[15], b[14])
717	0		+ MUL15(a[16], b[13])
718	0		+ MUL15(a[17], b[12])
719	0		+ MUL15(a[18], b[11])
720	0		+ MUL15(a[19], b[10]);
721	0		t[30] = MUL15(a[11], b[19])
722	0		+ MUL15(a[12], b[18])
723	0		+ MUL15(a[13], b[17])
724	0		+ MUL15(a[14], b[16])
725	0		+ MUL15(a[15], b[15])
726	0		+ MUL15(a[16], b[14])
727	0		+ MUL15(a[17], b[13])
728	0		+ MUL15(a[18], b[12])
729	0		+ MUL15(a[19], b[11]);
730	0		t[31] = MUL15(a[12], b[19])
731	0		+ MUL15(a[13], b[18])
732	0		+ MUL15(a[14], b[17])
733	0		+ MUL15(a[15], b[16])
734	0		+ MUL15(a[16], b[15])
735	0		+ MUL15(a[17], b[14])
736	0		+ MUL15(a[18], b[13])
737	0		+ MUL15(a[19], b[12]);
738	0		t[32] = MUL15(a[13], b[19])
739	0		+ MUL15(a[14], b[18])
740	0		+ MUL15(a[15], b[17])
741	0		+ MUL15(a[16], b[16])
742	0		+ MUL15(a[17], b[15])
743	0		+ MUL15(a[18], b[14])
744	0		+ MUL15(a[19], b[13]);
745	0		t[33] = MUL15(a[14], b[19])
746	0		+ MUL15(a[15], b[18])
747	0		+ MUL15(a[16], b[17])
748	0		+ MUL15(a[17], b[16])
749	0		+ MUL15(a[18], b[15])
750	0		+ MUL15(a[19], b[14]);
751	0		t[34] = MUL15(a[15], b[19])
752	0		+ MUL15(a[16], b[18])
753	0		+ MUL15(a[17], b[17])
754	0		+ MUL15(a[18], b[16])
755	0		+ MUL15(a[19], b[15]);
756	0		t[35] = MUL15(a[16], b[19])
757	0		+ MUL15(a[17], b[18])
758	0		+ MUL15(a[18], b[17])
759	0		+ MUL15(a[19], b[16]);
760	0		t[36] = MUL15(a[17], b[19])
761	0		+ MUL15(a[18], b[18])
762	0		+ MUL15(a[19], b[17]);
763	0		t[37] = MUL15(a[18], b[19])
764	0		+ MUL15(a[19], b[18]);
765	0		t[38] = MUL15(a[19], b[19]);
766	0		d[39] = norm13(d, t, 39);
767	0		}
768
769			static void
770	0		square20(uint32_t d, const uint32_t a)
771			{
772			uint32_t t[39];
773
774	0		t[ 0] = MUL15(a[ 0], a[ 0]);
775	0		t[ 1] = ((MUL15(a[ 0], a[ 1])) << 1);
776	0		t[ 2] = MUL15(a[ 1], a[ 1])
777	0		+ ((MUL15(a[ 0], a[ 2])) << 1);
778	0		t[ 3] = ((MUL15(a[ 0], a[ 3])
779	0		+ MUL15(a[ 1], a[ 2])) << 1);
780	0		t[ 4] = MUL15(a[ 2], a[ 2])
781	0		+ ((MUL15(a[ 0], a[ 4])
782	0		+ MUL15(a[ 1], a[ 3])) << 1);
783	0		t[ 5] = ((MUL15(a[ 0], a[ 5])
784	0		+ MUL15(a[ 1], a[ 4])
785	0		+ MUL15(a[ 2], a[ 3])) << 1);
786	0		t[ 6] = MUL15(a[ 3], a[ 3])
787	0		+ ((MUL15(a[ 0], a[ 6])
788	0		+ MUL15(a[ 1], a[ 5])
789	0		+ MUL15(a[ 2], a[ 4])) << 1);
790	0		t[ 7] = ((MUL15(a[ 0], a[ 7])
791	0		+ MUL15(a[ 1], a[ 6])
792	0		+ MUL15(a[ 2], a[ 5])
793	0		+ MUL15(a[ 3], a[ 4])) << 1);
794	0		t[ 8] = MUL15(a[ 4], a[ 4])
795	0		+ ((MUL15(a[ 0], a[ 8])
796	0		+ MUL15(a[ 1], a[ 7])
797	0		+ MUL15(a[ 2], a[ 6])
798	0		+ MUL15(a[ 3], a[ 5])) << 1);
799	0		t[ 9] = ((MUL15(a[ 0], a[ 9])
800	0		+ MUL15(a[ 1], a[ 8])
801	0		+ MUL15(a[ 2], a[ 7])
802	0		+ MUL15(a[ 3], a[ 6])
803	0		+ MUL15(a[ 4], a[ 5])) << 1);
804	0		t[10] = MUL15(a[ 5], a[ 5])
805	0		+ ((MUL15(a[ 0], a[10])
806	0		+ MUL15(a[ 1], a[ 9])
807	0		+ MUL15(a[ 2], a[ 8])
808	0		+ MUL15(a[ 3], a[ 7])
809	0		+ MUL15(a[ 4], a[ 6])) << 1);
810	0		t[11] = ((MUL15(a[ 0], a[11])
811	0		+ MUL15(a[ 1], a[10])
812	0		+ MUL15(a[ 2], a[ 9])
813	0		+ MUL15(a[ 3], a[ 8])
814	0		+ MUL15(a[ 4], a[ 7])
815	0		+ MUL15(a[ 5], a[ 6])) << 1);
816	0		t[12] = MUL15(a[ 6], a[ 6])
817	0		+ ((MUL15(a[ 0], a[12])
818	0		+ MUL15(a[ 1], a[11])
819	0		+ MUL15(a[ 2], a[10])
820	0		+ MUL15(a[ 3], a[ 9])
821	0		+ MUL15(a[ 4], a[ 8])
822	0		+ MUL15(a[ 5], a[ 7])) << 1);
823	0		t[13] = ((MUL15(a[ 0], a[13])
824	0		+ MUL15(a[ 1], a[12])
825	0		+ MUL15(a[ 2], a[11])
826	0		+ MUL15(a[ 3], a[10])
827	0		+ MUL15(a[ 4], a[ 9])
828	0		+ MUL15(a[ 5], a[ 8])
829	0		+ MUL15(a[ 6], a[ 7])) << 1);
830	0		t[14] = MUL15(a[ 7], a[ 7])
831	0		+ ((MUL15(a[ 0], a[14])
832	0		+ MUL15(a[ 1], a[13])
833	0		+ MUL15(a[ 2], a[12])
834	0		+ MUL15(a[ 3], a[11])
835	0		+ MUL15(a[ 4], a[10])
836	0		+ MUL15(a[ 5], a[ 9])
837	0		+ MUL15(a[ 6], a[ 8])) << 1);
838	0		t[15] = ((MUL15(a[ 0], a[15])
839	0		+ MUL15(a[ 1], a[14])
840	0		+ MUL15(a[ 2], a[13])
841	0		+ MUL15(a[ 3], a[12])
842	0		+ MUL15(a[ 4], a[11])
843	0		+ MUL15(a[ 5], a[10])
844	0		+ MUL15(a[ 6], a[ 9])
845	0		+ MUL15(a[ 7], a[ 8])) << 1);
846	0		t[16] = MUL15(a[ 8], a[ 8])
847	0		+ ((MUL15(a[ 0], a[16])
848	0		+ MUL15(a[ 1], a[15])
849	0		+ MUL15(a[ 2], a[14])
850	0		+ MUL15(a[ 3], a[13])
851	0		+ MUL15(a[ 4], a[12])
852	0		+ MUL15(a[ 5], a[11])
853	0		+ MUL15(a[ 6], a[10])
854	0		+ MUL15(a[ 7], a[ 9])) << 1);
855	0		t[17] = ((MUL15(a[ 0], a[17])
856	0		+ MUL15(a[ 1], a[16])
857	0		+ MUL15(a[ 2], a[15])
858	0		+ MUL15(a[ 3], a[14])
859	0		+ MUL15(a[ 4], a[13])
860	0		+ MUL15(a[ 5], a[12])
861	0		+ MUL15(a[ 6], a[11])
862	0		+ MUL15(a[ 7], a[10])
863	0		+ MUL15(a[ 8], a[ 9])) << 1);
864	0		t[18] = MUL15(a[ 9], a[ 9])
865	0		+ ((MUL15(a[ 0], a[18])
866	0		+ MUL15(a[ 1], a[17])
867	0		+ MUL15(a[ 2], a[16])
868	0		+ MUL15(a[ 3], a[15])
869	0		+ MUL15(a[ 4], a[14])
870	0		+ MUL15(a[ 5], a[13])
871	0		+ MUL15(a[ 6], a[12])
872	0		+ MUL15(a[ 7], a[11])
873	0		+ MUL15(a[ 8], a[10])) << 1);
874	0		t[19] = ((MUL15(a[ 0], a[19])
875	0		+ MUL15(a[ 1], a[18])
876	0		+ MUL15(a[ 2], a[17])
877	0		+ MUL15(a[ 3], a[16])
878	0		+ MUL15(a[ 4], a[15])
879	0		+ MUL15(a[ 5], a[14])
880	0		+ MUL15(a[ 6], a[13])
881	0		+ MUL15(a[ 7], a[12])
882	0		+ MUL15(a[ 8], a[11])
883	0		+ MUL15(a[ 9], a[10])) << 1);
884	0		t[20] = MUL15(a[10], a[10])
885	0		+ ((MUL15(a[ 1], a[19])
886	0		+ MUL15(a[ 2], a[18])
887	0		+ MUL15(a[ 3], a[17])
888	0		+ MUL15(a[ 4], a[16])
889	0		+ MUL15(a[ 5], a[15])
890	0		+ MUL15(a[ 6], a[14])
891	0		+ MUL15(a[ 7], a[13])
892	0		+ MUL15(a[ 8], a[12])
893	0		+ MUL15(a[ 9], a[11])) << 1);
894	0		t[21] = ((MUL15(a[ 2], a[19])
895	0		+ MUL15(a[ 3], a[18])
896	0		+ MUL15(a[ 4], a[17])
897	0		+ MUL15(a[ 5], a[16])
898	0		+ MUL15(a[ 6], a[15])
899	0		+ MUL15(a[ 7], a[14])
900	0		+ MUL15(a[ 8], a[13])
901	0		+ MUL15(a[ 9], a[12])
902	0		+ MUL15(a[10], a[11])) << 1);
903	0		t[22] = MUL15(a[11], a[11])
904	0		+ ((MUL15(a[ 3], a[19])
905	0		+ MUL15(a[ 4], a[18])
906	0		+ MUL15(a[ 5], a[17])
907	0		+ MUL15(a[ 6], a[16])
908	0		+ MUL15(a[ 7], a[15])
909	0		+ MUL15(a[ 8], a[14])
910	0		+ MUL15(a[ 9], a[13])
911	0		+ MUL15(a[10], a[12])) << 1);
912	0		t[23] = ((MUL15(a[ 4], a[19])
913	0		+ MUL15(a[ 5], a[18])
914	0		+ MUL15(a[ 6], a[17])
915	0		+ MUL15(a[ 7], a[16])
916	0		+ MUL15(a[ 8], a[15])
917	0		+ MUL15(a[ 9], a[14])
918	0		+ MUL15(a[10], a[13])
919	0		+ MUL15(a[11], a[12])) << 1);
920	0		t[24] = MUL15(a[12], a[12])
921	0		+ ((MUL15(a[ 5], a[19])
922	0		+ MUL15(a[ 6], a[18])
923	0		+ MUL15(a[ 7], a[17])
924	0		+ MUL15(a[ 8], a[16])
925	0		+ MUL15(a[ 9], a[15])
926	0		+ MUL15(a[10], a[14])
927	0		+ MUL15(a[11], a[13])) << 1);
928	0		t[25] = ((MUL15(a[ 6], a[19])
929	0		+ MUL15(a[ 7], a[18])
930	0		+ MUL15(a[ 8], a[17])
931	0		+ MUL15(a[ 9], a[16])
932	0		+ MUL15(a[10], a[15])
933	0		+ MUL15(a[11], a[14])
934	0		+ MUL15(a[12], a[13])) << 1);
935	0		t[26] = MUL15(a[13], a[13])
936	0		+ ((MUL15(a[ 7], a[19])
937	0		+ MUL15(a[ 8], a[18])
938	0		+ MUL15(a[ 9], a[17])
939	0		+ MUL15(a[10], a[16])
940	0		+ MUL15(a[11], a[15])
941	0		+ MUL15(a[12], a[14])) << 1);
942	0		t[27] = ((MUL15(a[ 8], a[19])
943	0		+ MUL15(a[ 9], a[18])
944	0		+ MUL15(a[10], a[17])
945	0		+ MUL15(a[11], a[16])
946	0		+ MUL15(a[12], a[15])
947	0		+ MUL15(a[13], a[14])) << 1);
948	0		t[28] = MUL15(a[14], a[14])
949	0		+ ((MUL15(a[ 9], a[19])
950	0		+ MUL15(a[10], a[18])
951	0		+ MUL15(a[11], a[17])
952	0		+ MUL15(a[12], a[16])
953	0		+ MUL15(a[13], a[15])) << 1);
954	0		t[29] = ((MUL15(a[10], a[19])
955	0		+ MUL15(a[11], a[18])
956	0		+ MUL15(a[12], a[17])
957	0		+ MUL15(a[13], a[16])
958	0		+ MUL15(a[14], a[15])) << 1);
959	0		t[30] = MUL15(a[15], a[15])
960	0		+ ((MUL15(a[11], a[19])
961	0		+ MUL15(a[12], a[18])
962	0		+ MUL15(a[13], a[17])
963	0		+ MUL15(a[14], a[16])) << 1);
964	0		t[31] = ((MUL15(a[12], a[19])
965	0		+ MUL15(a[13], a[18])
966	0		+ MUL15(a[14], a[17])
967	0		+ MUL15(a[15], a[16])) << 1);
968	0		t[32] = MUL15(a[16], a[16])
969	0		+ ((MUL15(a[13], a[19])
970	0		+ MUL15(a[14], a[18])
971	0		+ MUL15(a[15], a[17])) << 1);
972	0		t[33] = ((MUL15(a[14], a[19])
973	0		+ MUL15(a[15], a[18])
974	0		+ MUL15(a[16], a[17])) << 1);
975	0		t[34] = MUL15(a[17], a[17])
976	0		+ ((MUL15(a[15], a[19])
977	0		+ MUL15(a[16], a[18])) << 1);
978	0		t[35] = ((MUL15(a[16], a[19])
979	0		+ MUL15(a[17], a[18])) << 1);
980	0		t[36] = MUL15(a[18], a[18])
981	0		+ ((MUL15(a[17], a[19])) << 1);
982	0		t[37] = ((MUL15(a[18], a[19])) << 1);
983	0		t[38] = MUL15(a[19], a[19]);
984	0		d[39] = norm13(d, t, 39);
985	0		}
986
987			#endif
988
989			/*
990			* Modulus for field F256 (field for point coordinates in curve P-256).
991			*/
992			static const uint32_t F256[] = {
993			0x1FFF, 0x1FFF, 0x1FFF, 0x1FFF, 0x1FFF, 0x1FFF, 0x1FFF, 0x001F,
994			0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0400, 0x0000,
995			0x0000, 0x1FF8, 0x1FFF, 0x01FF
996			};
997
998			/*
999			* The 'b' curve equation coefficient for P-256.
1000			*/
1001			static const uint32_t P256_B[] = {
1002			0x004B, 0x1E93, 0x0F89, 0x1C78, 0x03BC, 0x187B, 0x114E, 0x1619,
1003			0x1D06, 0x0328, 0x01AF, 0x0D31, 0x1557, 0x15DE, 0x1ECF, 0x127C,
1004			0x0A3A, 0x0EC5, 0x118D, 0x00B5
1005			};
1006
1007			/*
1008			* Perform a "short reduction" in field F256 (field for curve P-256).
1009			* The source value should be less than 262 bits; on output, it will
1010			* be at most 257 bits, and less than twice the modulus.
1011			*/
1012			static void
1013	0		reduce_f256(uint32_t *d)
1014			{
1015			uint32_t x;
1016
1017	0		x = d[19] >> 9;
1018	0		d[19] &= 0x01FF;
1019	0		d[17] += x << 3;
1020	0		d[14] -= x << 10;
1021	0		d[7] -= x << 5;
1022	0		d[0] += x;
1023	0		norm13(d, d, 20);
1024	0		}
1025
1026			/*
1027			* Perform a "final reduction" in field F256 (field for curve P-256).
1028			* The source value must be less than twice the modulus. If the value
1029			* is not lower than the modulus, then the modulus is subtracted and
1030			* this function returns 1; otherwise, it leaves it untouched and it
1031			* returns 0.
1032			*/
1033			static uint32_t
1034	0		reduce_final_f256(uint32_t *d)
1035			{
1036			uint32_t t[20];
1037			uint32_t cc;
1038			int i;
1039
1040	0		memcpy(t, d, sizeof t);
1041	0		cc = 0;
1042	0	0	for (i = 0; i < 20; i ++) {
1043			uint32_t w;
1044
1045	0		w = t[i] - F256[i] - cc;
1046	0		cc = w >> 31;
1047	0		t[i] = w & 0x1FFF;
1048			}
1049	0		cc ^= 1;
1050	0		CCOPY(cc, d, t, sizeof t);
1051	0		return cc;
1052			}
1053
1054			/*
1055			* Perform a multiplication of two integers modulo
1056			* 2^256-2^224+2^192+2^96-1 (for NIST curve P-256). Operands are arrays
1057			* of 20 words, each containing 13 bits of data, in little-endian order.
1058			* On input, upper word may be up to 13 bits (hence value up to 2^260-1);
1059			* on output, value fits on 257 bits and is lower than twice the modulus.
1060			*/
1061			static void
1062	0		mul_f256(uint32_t d, const uint32_t a, const uint32_t *b)
1063			{
1064			uint32_t t[40], cc;
1065			int i;
1066
1067			/*
1068			* Compute raw multiplication. All result words fit in 13 bits
1069			* each.
1070			*/
1071	0		mul20(t, a, b);
1072
1073			/*
1074			* Modular reduction: each high word in added/subtracted where
1075			* necessary.
1076			*
1077			* The modulus is:
1078			* p = 2^256 - 2^224 + 2^192 + 2^96 - 1
1079			* Therefore:
1080			* 2^256 = 2^224 - 2^192 - 2^96 + 1 mod p
1081			*
1082			* For a word x at bit offset n (n >= 256), we have:
1083			* x2^n = x2^(n-32) - x*2^(n-64)
1084			* - x2^(n - 160) + x2^(n-256) mod p
1085			*
1086			* Thus, we can nullify the high word if we reinject it at some
1087			* proper emplacements.
1088			*/
1089	0	0	for (i = 39; i >= 20; i --) {
1090			uint32_t x;
1091
1092	0		x = t[i];
1093	0		t[i - 2] += ARSH(x, 6);
1094	0		t[i - 3] += (x << 7) & 0x1FFF;
1095	0		t[i - 4] -= ARSH(x, 12);
1096	0		t[i - 5] -= (x << 1) & 0x1FFF;
1097	0		t[i - 12] -= ARSH(x, 4);
1098	0		t[i - 13] -= (x << 9) & 0x1FFF;
1099	0		t[i - 19] += ARSH(x, 9);
1100	0		t[i - 20] += (x << 4) & 0x1FFF;
1101			}
1102
1103			/*
1104			* Propagate carries. This is a signed propagation, and the
1105			* result may be negative. The loop above may enlarge values,
1106			* but not two much: worst case is the chain involving t[i - 3],
1107			* in which a value may be added to itself up to 7 times. Since
1108			* starting values are 13-bit each, all words fit on 20 bits
1109			* (21 to account for the sign bit).
1110			*/
1111	0		cc = norm13(t, t, 20);
1112
1113			/*
1114			* Perform modular reduction again for the bits beyond 256 (the carry
1115			* and the bits 256..259). Since the largest shift below is by 10
1116			* bits, and the values fit on 21 bits, values fit in 32-bit words,
1117			* thereby allowing injecting full word values.
1118			*/
1119	0		cc = (cc << 4) \| (t[19] >> 9);
1120	0		t[19] &= 0x01FF;
1121	0		t[17] += cc << 3;
1122	0		t[14] -= cc << 10;
1123	0		t[7] -= cc << 5;
1124	0		t[0] += cc;
1125
1126			/*
1127			* If the carry is negative, then after carry propagation, we may
1128			* end up with a value which is negative, and we don't want that.
1129			* Thus, in that case, we add the modulus. Note that the subtraction
1130			* result, when the carry is negative, is always smaller than the
1131			* modulus, so the extra addition will not make the value exceed
1132			* twice the modulus.
1133			*/
1134	0		cc >>= 31;
1135	0		t[0] -= cc;
1136	0		t[7] += cc << 5;
1137	0		t[14] += cc << 10;
1138	0		t[17] -= cc << 3;
1139	0		t[19] += cc << 9;
1140
1141	0		norm13(d, t, 20);
1142	0		}
1143
1144			/*
1145			* Square an integer modulo 2^256-2^224+2^192+2^96-1 (for NIST curve
1146			* P-256). Operand is an array of 20 words, each containing 13 bits of
1147			* data, in little-endian order. On input, upper word may be up to 13
1148			* bits (hence value up to 2^260-1); on output, value fits on 257 bits
1149			* and is lower than twice the modulus.
1150			*/
1151			static void
1152	0		square_f256(uint32_t d, const uint32_t a)
1153			{
1154			uint32_t t[40], cc;
1155			int i;
1156
1157			/*
1158			* Compute raw square. All result words fit in 13 bits each.
1159			*/
1160	0		square20(t, a);
1161
1162			/*
1163			* Modular reduction: each high word in added/subtracted where
1164			* necessary.
1165			*
1166			* The modulus is:
1167			* p = 2^256 - 2^224 + 2^192 + 2^96 - 1
1168			* Therefore:
1169			* 2^256 = 2^224 - 2^192 - 2^96 + 1 mod p
1170			*
1171			* For a word x at bit offset n (n >= 256), we have:
1172			* x2^n = x2^(n-32) - x*2^(n-64)
1173			* - x2^(n - 160) + x2^(n-256) mod p
1174			*
1175			* Thus, we can nullify the high word if we reinject it at some
1176			* proper emplacements.
1177			*/
1178	0	0	for (i = 39; i >= 20; i --) {
1179			uint32_t x;
1180
1181	0		x = t[i];
1182	0		t[i - 2] += ARSH(x, 6);
1183	0		t[i - 3] += (x << 7) & 0x1FFF;
1184	0		t[i - 4] -= ARSH(x, 12);
1185	0		t[i - 5] -= (x << 1) & 0x1FFF;
1186	0		t[i - 12] -= ARSH(x, 4);
1187	0		t[i - 13] -= (x << 9) & 0x1FFF;
1188	0		t[i - 19] += ARSH(x, 9);
1189	0		t[i - 20] += (x << 4) & 0x1FFF;
1190			}
1191
1192			/*
1193			* Propagate carries. This is a signed propagation, and the
1194			* result may be negative. The loop above may enlarge values,
1195			* but not two much: worst case is the chain involving t[i - 3],
1196			* in which a value may be added to itself up to 7 times. Since
1197			* starting values are 13-bit each, all words fit on 20 bits
1198			* (21 to account for the sign bit).
1199			*/
1200	0		cc = norm13(t, t, 20);
1201
1202			/*
1203			* Perform modular reduction again for the bits beyond 256 (the carry
1204			* and the bits 256..259). Since the largest shift below is by 10
1205			* bits, and the values fit on 21 bits, values fit in 32-bit words,
1206			* thereby allowing injecting full word values.
1207			*/
1208	0		cc = (cc << 4) \| (t[19] >> 9);
1209	0		t[19] &= 0x01FF;
1210	0		t[17] += cc << 3;
1211	0		t[14] -= cc << 10;
1212	0		t[7] -= cc << 5;
1213	0		t[0] += cc;
1214
1215			/*
1216			* If the carry is negative, then after carry propagation, we may
1217			* end up with a value which is negative, and we don't want that.
1218			* Thus, in that case, we add the modulus. Note that the subtraction
1219			* result, when the carry is negative, is always smaller than the
1220			* modulus, so the extra addition will not make the value exceed
1221			* twice the modulus.
1222			*/
1223	0		cc >>= 31;
1224	0		t[0] -= cc;
1225	0		t[7] += cc << 5;
1226	0		t[14] += cc << 10;
1227	0		t[17] -= cc << 3;
1228	0		t[19] += cc << 9;
1229
1230	0		norm13(d, t, 20);
1231	0		}
1232
1233			/*
1234			* Jacobian coordinates for a point in P-256: affine coordinates (X,Y)
1235			* are such that:
1236			* X = x / z^2
1237			* Y = y / z^3
1238			* For the point at infinity, z = 0.
1239			* Each point thus admits many possible representations.
1240			*
1241			* Coordinates are represented in arrays of 32-bit integers, each holding
1242			* 13 bits of data. Values may also be slightly greater than the modulus,
1243			* but they will always be lower than twice the modulus.
1244			*/
1245			typedef struct {
1246			uint32_t x[20];
1247			uint32_t y[20];
1248			uint32_t z[20];
1249			} p256_jacobian;
1250
1251			/*
1252			* Convert a point to affine coordinates:
1253			* - If the point is the point at infinity, then all three coordinates
1254			* are set to 0.
1255			* - Otherwise, the 'z' coordinate is set to 1, and the 'x' and 'y'
1256			* coordinates are the 'X' and 'Y' affine coordinates.
1257			* The coordinates are guaranteed to be lower than the modulus.
1258			*/
1259			static void
1260	0		p256_to_affine(p256_jacobian *P)
1261			{
1262			uint32_t t1[20], t2[20];
1263			int i;
1264
1265			/*
1266			* Invert z with a modular exponentiation: the modulus is
1267			* p = 2^256 - 2^224 + 2^192 + 2^96 - 1, and the exponent is
1268			* p-2. Exponent bit pattern (from high to low) is:
1269			* - 32 bits of value 1
1270			* - 31 bits of value 0
1271			* - 1 bit of value 1
1272			* - 96 bits of value 0
1273			* - 94 bits of value 1
1274			* - 1 bit of value 0
1275			* - 1 bit of value 1
1276			* Thus, we precompute z^(2^31-1) to speed things up.
1277			*
1278			* If z = 0 (point at infinity) then the modular exponentiation
1279			* will yield 0, which leads to the expected result (all three
1280			* coordinates set to 0).
1281			*/
1282
1283			/*
1284			* A simple square-and-multiply for z^(2^31-1). We could save about
1285			* two dozen multiplications here with an addition chain, but
1286			* this would require a bit more code, and extra stack buffers.
1287			*/
1288	0		memcpy(t1, P->z, sizeof P->z);
1289	0	0	for (i = 0; i < 30; i ++) {
1290	0		square_f256(t1, t1);
1291	0		mul_f256(t1, t1, P->z);
1292			}
1293
1294			/*
1295			* Square-and-multiply. Apart from the squarings, we have a few
1296			* multiplications to set bits to 1; we multiply by the original z
1297			* for setting 1 bit, and by t1 for setting 31 bits.
1298			*/
1299	0		memcpy(t2, P->z, sizeof P->z);
1300	0	0	for (i = 1; i < 256; i ++) {
1301	0		square_f256(t2, t2);
1302	0		switch (i) {
1303	0		case 31:
1304			case 190:
1305			case 221:
1306			case 252:
1307	0		mul_f256(t2, t2, t1);
1308	0		break;
1309	0		case 63:
1310			case 253:
1311			case 255:
1312	0		mul_f256(t2, t2, P->z);
1313	0		break;
1314			}
1315			}
1316
1317			/*
1318			* Now that we have 1/z, multiply x by 1/z^2 and y by 1/z^3.
1319			*/
1320	0		mul_f256(t1, t2, t2);
1321	0		mul_f256(P->x, t1, P->x);
1322	0		mul_f256(t1, t1, t2);
1323	0		mul_f256(P->y, t1, P->y);
1324	0		reduce_final_f256(P->x);
1325	0		reduce_final_f256(P->y);
1326
1327			/*
1328			* Multiply z by 1/z. If z = 0, then this will yield 0, otherwise
1329			* this will set z to 1.
1330			*/
1331	0		mul_f256(P->z, P->z, t2);
1332	0		reduce_final_f256(P->z);
1333	0		}
1334
1335			/*
1336			* Double a point in P-256. This function works for all valid points,
1337			* including the point at infinity.
1338			*/
1339			static void
1340	0		p256_double(p256_jacobian *Q)
1341			{
1342			/*
1343			* Doubling formulas are:
1344			*
1345			* s = 4xy^2
1346			* m = 3(x + z^2)(x - z^2)
1347			* x' = m^2 - 2*s
1348			* y' = m(s - x') - 8y^4
1349			* z' = 2yz
1350			*
1351			* These formulas work for all points, including points of order 2
1352			* and points at infinity:
1353			* - If y = 0 then z' = 0. But there is no such point in P-256
1354			* anyway.
1355			* - If z = 0 then z' = 0.
1356			*/
1357			uint32_t t1[20], t2[20], t3[20], t4[20];
1358			int i;
1359
1360			/*
1361			* Compute z^2 in t1.
1362			*/
1363	0		square_f256(t1, Q->z);
1364
1365			/*
1366			* Compute x-z^2 in t2 and x+z^2 in t1.
1367			*/
1368	0	0	for (i = 0; i < 20; i ++) {
1369	0		t2[i] = (F256[i] << 1) + Q->x[i] - t1[i];
1370	0		t1[i] += Q->x[i];
1371			}
1372	0		norm13(t1, t1, 20);
1373	0		norm13(t2, t2, 20);
1374
1375			/*
1376			* Compute 3(x+z^2)(x-z^2) in t1.
1377			*/
1378	0		mul_f256(t3, t1, t2);
1379	0	0	for (i = 0; i < 20; i ++) {
1380	0		t1[i] = MUL15(3, t3[i]);
1381			}
1382	0		norm13(t1, t1, 20);
1383
1384			/*
1385			* Compute 4xy^2 (in t2) and 2*y^2 (in t3).
1386			*/
1387	0		square_f256(t3, Q->y);
1388	0	0	for (i = 0; i < 20; i ++) {
1389	0		t3[i] <<= 1;
1390			}
1391	0		norm13(t3, t3, 20);
1392	0		mul_f256(t2, Q->x, t3);
1393	0	0	for (i = 0; i < 20; i ++) {
1394	0		t2[i] <<= 1;
1395			}
1396	0		norm13(t2, t2, 20);
1397	0		reduce_f256(t2);
1398
1399			/*
1400			* Compute x' = m^2 - 2*s.
1401			*/
1402	0		square_f256(Q->x, t1);
1403	0	0	for (i = 0; i < 20; i ++) {
1404	0		Q->x[i] += (F256[i] << 2) - (t2[i] << 1);
1405			}
1406	0		norm13(Q->x, Q->x, 20);
1407	0		reduce_f256(Q->x);
1408
1409			/*
1410			* Compute z' = 2yz.
1411			*/
1412	0		mul_f256(t4, Q->y, Q->z);
1413	0	0	for (i = 0; i < 20; i ++) {
1414	0		Q->z[i] = t4[i] << 1;
1415			}
1416	0		norm13(Q->z, Q->z, 20);
1417	0		reduce_f256(Q->z);
1418
1419			/*
1420			* Compute y' = m(s - x') - 8y^4. Note that we already have
1421			* 2*y^2 in t3.
1422			*/
1423	0	0	for (i = 0; i < 20; i ++) {
1424	0		t2[i] += (F256[i] << 1) - Q->x[i];
1425			}
1426	0		norm13(t2, t2, 20);
1427	0		mul_f256(Q->y, t1, t2);
1428	0		square_f256(t4, t3);
1429	0	0	for (i = 0; i < 20; i ++) {
1430	0		Q->y[i] += (F256[i] << 2) - (t4[i] << 1);
1431			}
1432	0		norm13(Q->y, Q->y, 20);
1433	0		reduce_f256(Q->y);
1434	0		}
1435
1436			/*
1437			* Add point P2 to point P1.
1438			*
1439			* This function computes the wrong result in the following cases:
1440			*
1441			* - If P1 == 0 but P2 != 0
1442			* - If P1 != 0 but P2 == 0
1443			* - If P1 == P2
1444			*
1445			* In all three cases, P1 is set to the point at infinity.
1446			*
1447			* Returned value is 0 if one of the following occurs:
1448			*
1449			* - P1 and P2 have the same Y coordinate
1450			* - P1 == 0 and P2 == 0
1451			* - The Y coordinate of one of the points is 0 and the other point is
1452			* the point at infinity.
1453			*
1454			* The third case cannot actually happen with valid points, since a point
1455			* with Y == 0 is a point of order 2, and there is no point of order 2 on
1456			* curve P-256.
1457			*
1458			* Therefore, assuming that P1 != 0 and P2 != 0 on input, then the caller
1459			* can apply the following:
1460			*
1461			* - If the result is not the point at infinity, then it is correct.
1462			* - Otherwise, if the returned value is 1, then this is a case of
1463			* P1+P2 == 0, so the result is indeed the point at infinity.
1464			* - Otherwise, P1 == P2, so a "double" operation should have been
1465			* performed.
1466			*/
1467			static uint32_t
1468	0		p256_add(p256_jacobian P1, const p256_jacobian P2)
1469			{
1470			/*
1471			* Addtions formulas are:
1472			*
1473			* u1 = x1 * z2^2
1474			* u2 = x2 * z1^2
1475			* s1 = y1 * z2^3
1476			* s2 = y2 * z1^3
1477			* h = u2 - u1
1478			* r = s2 - s1
1479			* x3 = r^2 - h^3 - 2 * u1 * h^2
1480			* y3 = r * (u1 * h^2 - x3) - s1 * h^3
1481			* z3 = h * z1 * z2
1482			*/
1483			uint32_t t1[20], t2[20], t3[20], t4[20], t5[20], t6[20], t7[20];
1484			uint32_t ret;
1485			int i;
1486
1487			/*
1488			* Compute u1 = x1z2^2 (in t1) and s1 = y1z2^3 (in t3).
1489			*/
1490	0		square_f256(t3, P2->z);
1491	0		mul_f256(t1, P1->x, t3);
1492	0		mul_f256(t4, P2->z, t3);
1493	0		mul_f256(t3, P1->y, t4);
1494
1495			/*
1496			* Compute u2 = x2z1^2 (in t2) and s2 = y2z1^3 (in t4).
1497			*/
1498	0		square_f256(t4, P1->z);
1499	0		mul_f256(t2, P2->x, t4);
1500	0		mul_f256(t5, P1->z, t4);
1501	0		mul_f256(t4, P2->y, t5);
1502
1503			/*
1504			* Compute h = h2 - u1 (in t2) and r = s2 - s1 (in t4).
1505			* We need to test whether r is zero, so we will do some extra
1506			* reduce.
1507			*/
1508	0	0	for (i = 0; i < 20; i ++) {
1509	0		t2[i] += (F256[i] << 1) - t1[i];
1510	0		t4[i] += (F256[i] << 1) - t3[i];
1511			}
1512	0		norm13(t2, t2, 20);
1513	0		norm13(t4, t4, 20);
1514	0		reduce_f256(t4);
1515	0		reduce_final_f256(t4);
1516	0		ret = 0;
1517	0	0	for (i = 0; i < 20; i ++) {
1518	0		ret \|= t4[i];
1519			}
1520	0		ret = (ret \| -ret) >> 31;
1521
1522			/*
1523			* Compute u1*h^2 (in t6) and h^3 (in t5);
1524			*/
1525	0		square_f256(t7, t2);
1526	0		mul_f256(t6, t1, t7);
1527	0		mul_f256(t5, t7, t2);
1528
1529			/*
1530			* Compute x3 = r^2 - h^3 - 2u1h^2.
1531			*/
1532	0		square_f256(P1->x, t4);
1533	0	0	for (i = 0; i < 20; i ++) {
1534	0		P1->x[i] += (F256[i] << 3) - t5[i] - (t6[i] << 1);
1535			}
1536	0		norm13(P1->x, P1->x, 20);
1537	0		reduce_f256(P1->x);
1538
1539			/*
1540			* Compute y3 = r(u1h^2 - x3) - s1*h^3.
1541			*/
1542	0	0	for (i = 0; i < 20; i ++) {
1543	0		t6[i] += (F256[i] << 1) - P1->x[i];
1544			}
1545	0		norm13(t6, t6, 20);
1546	0		mul_f256(P1->y, t4, t6);
1547	0		mul_f256(t1, t5, t3);
1548	0	0	for (i = 0; i < 20; i ++) {
1549	0		P1->y[i] += (F256[i] << 1) - t1[i];
1550			}
1551	0		norm13(P1->y, P1->y, 20);
1552	0		reduce_f256(P1->y);
1553
1554			/*
1555			* Compute z3 = hz1z2.
1556			*/
1557	0		mul_f256(t1, P1->z, P2->z);
1558	0		mul_f256(P1->z, t1, t2);
1559
1560	0		return ret;
1561			}
1562
1563			/*
1564			* Add point P2 to point P1. This is a specialised function for the
1565			* case when P2 is a non-zero point in affine coordinate.
1566			*
1567			* This function computes the wrong result in the following cases:
1568			*
1569			* - If P1 == 0
1570			* - If P1 == P2
1571			*
1572			* In both cases, P1 is set to the point at infinity.
1573			*
1574			* Returned value is 0 if one of the following occurs:
1575			*
1576			* - P1 and P2 have the same Y coordinate
1577			* - The Y coordinate of P2 is 0 and P1 is the point at infinity.
1578			*
1579			* The second case cannot actually happen with valid points, since a point
1580			* with Y == 0 is a point of order 2, and there is no point of order 2 on
1581			* curve P-256.
1582			*
1583			* Therefore, assuming that P1 != 0 on input, then the caller
1584			* can apply the following:
1585			*
1586			* - If the result is not the point at infinity, then it is correct.
1587			* - Otherwise, if the returned value is 1, then this is a case of
1588			* P1+P2 == 0, so the result is indeed the point at infinity.
1589			* - Otherwise, P1 == P2, so a "double" operation should have been
1590			* performed.
1591			*/
1592			static uint32_t
1593	0		p256_add_mixed(p256_jacobian P1, const p256_jacobian P2)
1594			{
1595			/*
1596			* Addtions formulas are:
1597			*
1598			* u1 = x1
1599			* u2 = x2 * z1^2
1600			* s1 = y1
1601			* s2 = y2 * z1^3
1602			* h = u2 - u1
1603			* r = s2 - s1
1604			* x3 = r^2 - h^3 - 2 * u1 * h^2
1605			* y3 = r * (u1 * h^2 - x3) - s1 * h^3
1606			* z3 = h * z1
1607			*/
1608			uint32_t t1[20], t2[20], t3[20], t4[20], t5[20], t6[20], t7[20];
1609			uint32_t ret;
1610			int i;
1611
1612			/*
1613			* Compute u1 = x1 (in t1) and s1 = y1 (in t3).
1614			*/
1615	0		memcpy(t1, P1->x, sizeof t1);
1616	0		memcpy(t3, P1->y, sizeof t3);
1617
1618			/*
1619			* Compute u2 = x2z1^2 (in t2) and s2 = y2z1^3 (in t4).
1620			*/
1621	0		square_f256(t4, P1->z);
1622	0		mul_f256(t2, P2->x, t4);
1623	0		mul_f256(t5, P1->z, t4);
1624	0		mul_f256(t4, P2->y, t5);
1625
1626			/*
1627			* Compute h = h2 - u1 (in t2) and r = s2 - s1 (in t4).
1628			* We need to test whether r is zero, so we will do some extra
1629			* reduce.
1630			*/
1631	0	0	for (i = 0; i < 20; i ++) {
1632	0		t2[i] += (F256[i] << 1) - t1[i];
1633	0		t4[i] += (F256[i] << 1) - t3[i];
1634			}
1635	0		norm13(t2, t2, 20);
1636	0		norm13(t4, t4, 20);
1637	0		reduce_f256(t4);
1638	0		reduce_final_f256(t4);
1639	0		ret = 0;
1640	0	0	for (i = 0; i < 20; i ++) {
1641	0		ret \|= t4[i];
1642			}
1643	0		ret = (ret \| -ret) >> 31;
1644
1645			/*
1646			* Compute u1*h^2 (in t6) and h^3 (in t5);
1647			*/
1648	0		square_f256(t7, t2);
1649	0		mul_f256(t6, t1, t7);
1650	0		mul_f256(t5, t7, t2);
1651
1652			/*
1653			* Compute x3 = r^2 - h^3 - 2u1h^2.
1654			*/
1655	0		square_f256(P1->x, t4);
1656	0	0	for (i = 0; i < 20; i ++) {
1657	0		P1->x[i] += (F256[i] << 3) - t5[i] - (t6[i] << 1);
1658			}
1659	0		norm13(P1->x, P1->x, 20);
1660	0		reduce_f256(P1->x);
1661
1662			/*
1663			* Compute y3 = r(u1h^2 - x3) - s1*h^3.
1664			*/
1665	0	0	for (i = 0; i < 20; i ++) {
1666	0		t6[i] += (F256[i] << 1) - P1->x[i];
1667			}
1668	0		norm13(t6, t6, 20);
1669	0		mul_f256(P1->y, t4, t6);
1670	0		mul_f256(t1, t5, t3);
1671	0	0	for (i = 0; i < 20; i ++) {
1672	0		P1->y[i] += (F256[i] << 1) - t1[i];
1673			}
1674	0		norm13(P1->y, P1->y, 20);
1675	0		reduce_f256(P1->y);
1676
1677			/*
1678			* Compute z3 = hz1z2.
1679			*/
1680	0		mul_f256(P1->z, P1->z, t2);
1681
1682	0		return ret;
1683			}
1684
1685			/*
1686			* Decode a P-256 point. This function does not support the point at
1687			* infinity. Returned value is 0 if the point is invalid, 1 otherwise.
1688			*/
1689			static uint32_t
1690	0		p256_decode(p256_jacobian P, const void src, size_t len)
1691			{
1692			const unsigned char *buf;
1693			uint32_t tx[20], ty[20], t1[20], t2[20];
1694			uint32_t bad;
1695			int i;
1696
1697	0	0	if (len != 65) {
1698	0		return 0;
1699			}
1700	0		buf = src;
1701
1702			/*
1703			* First byte must be 0x04 (uncompressed format). We could support
1704			* "hybrid format" (first byte is 0x06 or 0x07, and encodes the
1705			* least significant bit of the Y coordinate), but it is explicitly
1706			* forbidden by RFC 5480 (section 2.2).
1707			*/
1708	0		bad = NEQ(buf[0], 0x04);
1709
1710			/*
1711			* Decode the coordinates, and check that they are both lower
1712			* than the modulus.
1713			*/
1714	0		tx[19] = be8_to_le13(tx, buf + 1, 32);
1715	0		ty[19] = be8_to_le13(ty, buf + 33, 32);
1716	0		bad \|= reduce_final_f256(tx);
1717	0		bad \|= reduce_final_f256(ty);
1718
1719			/*
1720			* Check curve equation.
1721			*/
1722	0		square_f256(t1, tx);
1723	0		mul_f256(t1, tx, t1);
1724	0		square_f256(t2, ty);
1725	0	0	for (i = 0; i < 20; i ++) {
1726	0		t1[i] += (F256[i] << 3) - MUL15(3, tx[i]) + P256_B[i] - t2[i];
1727			}
1728	0		norm13(t1, t1, 20);
1729	0		reduce_f256(t1);
1730	0		reduce_final_f256(t1);
1731	0	0	for (i = 0; i < 20; i ++) {
1732	0		bad \|= t1[i];
1733			}
1734
1735			/*
1736			* Copy coordinates to the point structure.
1737			*/
1738	0		memcpy(P->x, tx, sizeof tx);
1739	0		memcpy(P->y, ty, sizeof ty);
1740	0		memset(P->z, 0, sizeof P->z);
1741	0		P->z[0] = 1;
1742	0		return EQ(bad, 0);
1743			}
1744
1745			/*
1746			* Encode a point into a buffer. This function assumes that the point is
1747			* valid, in affine coordinates, and not the point at infinity.
1748			*/
1749			static void
1750	0		p256_encode(void dst, const p256_jacobian P)
1751			{
1752			unsigned char *buf;
1753
1754	0		buf = dst;
1755	0		buf[0] = 0x04;
1756	0		le13_to_be8(buf + 1, 32, P->x);
1757	0		le13_to_be8(buf + 33, 32, P->y);
1758	0		}
1759
1760			/*
1761			* Multiply a curve point by an integer. The integer is assumed to be
1762			* lower than the curve order, and the base point must not be the point
1763			* at infinity.
1764			*/
1765			static void
1766	0		p256_mul(p256_jacobian P, const unsigned char x, size_t xlen)
1767			{
1768			/*
1769			* qz is a flag that is initially 1, and remains equal to 1
1770			* as long as the point is the point at infinity.
1771			*
1772			* We use a 2-bit window to handle multiplier bits by pairs.
1773			* The precomputed window really is the points P2 and P3.
1774			*/
1775			uint32_t qz;
1776			p256_jacobian P2, P3, Q, T, U;
1777
1778			/*
1779			* Compute window values.
1780			*/
1781	0		P2 = *P;
1782	0		p256_double(&P2);
1783	0		P3 = *P;
1784	0		p256_add(&P3, &P2);
1785
1786			/*
1787			* We start with Q = 0. We process multiplier bits 2 by 2.
1788			*/
1789	0		memset(&Q, 0, sizeof Q);
1790	0		qz = 1;
1791	0	0	while (xlen -- > 0) {
1792			int k;
1793
1794	0	0	for (k = 6; k >= 0; k -= 2) {
1795			uint32_t bits;
1796			uint32_t bnz;
1797
1798	0		p256_double(&Q);
1799	0		p256_double(&Q);
1800	0		T = *P;
1801	0		U = Q;
1802	0		bits = (*x >> k) & (uint32_t)3;
1803	0		bnz = NEQ(bits, 0);
1804	0		CCOPY(EQ(bits, 2), &T, &P2, sizeof T);
1805	0		CCOPY(EQ(bits, 3), &T, &P3, sizeof T);
1806	0		p256_add(&U, &T);
1807	0		CCOPY(bnz & qz, &Q, &T, sizeof Q);
1808	0		CCOPY(bnz & ~qz, &Q, &U, sizeof Q);
1809	0		qz &= ~bnz;
1810			}
1811	0		x ++;
1812			}
1813	0		*P = Q;
1814	0		}
1815
1816			/*
1817			* Precomputed window: k*G points, where G is the curve generator, and k
1818			* is an integer from 1 to 15 (inclusive). The X and Y coordinates of
1819			* the point are encoded as 20 words of 13 bits each (little-endian
1820			* order); 13-bit words are then grouped 2-by-2 into 32-bit words
1821			* (little-endian order within each word).
1822			*/
1823			static const uint32_t Gwin[15][20] = {
1824
1825			{ 0x04C60296, 0x02721176, 0x19D00F4A, 0x102517AC,
1826			0x13B8037D, 0x0748103C, 0x1E730E56, 0x08481FE2,
1827			0x0F97012C, 0x00D605F4, 0x1DFA11F5, 0x0C801A0D,
1828			0x0F670CBB, 0x0AED0CC5, 0x115E0E33, 0x181F0785,
1829			0x13F514A7, 0x0FF30E3B, 0x17171E1A, 0x009F18D0 },
1830
1831			{ 0x1B341978, 0x16911F11, 0x0D9A1A60, 0x1C4E1FC8,
1832			0x1E040969, 0x096A06B0, 0x091C0030, 0x09EF1A29,
1833			0x18C40D03, 0x00F91C9E, 0x13C313D1, 0x096F0748,
1834			0x011419E0, 0x1CC713A6, 0x1DD31DAD, 0x1EE80C36,
1835			0x1ECD0C69, 0x1A0800A4, 0x08861B8E, 0x000E1DD5 },
1836
1837			{ 0x173F1D6C, 0x02CC06F1, 0x14C21FB4, 0x043D1EB6,
1838			0x0F3606B7, 0x1A971C59, 0x1BF71951, 0x01481323,
1839			0x068D0633, 0x00BD12F9, 0x13EA1032, 0x136209E8,
1840			0x1C1E19A7, 0x06C7013E, 0x06C10AB0, 0x14C908BB,
1841			0x05830CE1, 0x1FEF18DD, 0x00620998, 0x010E0D19 },
1842
1843			{ 0x18180852, 0x0604111A, 0x0B771509, 0x1B6F0156,
1844			0x00181FE2, 0x1DCC0AF4, 0x16EF0659, 0x11F70E80,
1845			0x11A912D0, 0x01C414D2, 0x027618C6, 0x05840FC6,
1846			0x100215C4, 0x187E0C3B, 0x12771C96, 0x150C0B5D,
1847			0x0FF705FD, 0x07981C67, 0x1AD20C63, 0x01C11C55 },
1848
1849			{ 0x1E8113ED, 0x0A940370, 0x12920215, 0x1FA31D6F,
1850			0x1F7C0C82, 0x10CD03F7, 0x02640560, 0x081A0B5E,
1851			0x1BD21151, 0x00A21642, 0x0D0B0DA4, 0x0176113F,
1852			0x04440D1D, 0x001A1360, 0x1068012F, 0x1F141E49,
1853			0x10DF136B, 0x0E4F162B, 0x0D44104A, 0x01C1105F },
1854
1855			{ 0x011411A9, 0x01551A4F, 0x0ADA0C6B, 0x01BD0EC8,
1856			0x18120C74, 0x112F1778, 0x099202CB, 0x0C05124B,
1857			0x195316A4, 0x01600685, 0x1E3B1FE2, 0x189014E3,
1858			0x0B5E1FD7, 0x0E0311F8, 0x08E000F7, 0x174E00DE,
1859			0x160702DF, 0x1B5A15BF, 0x03A11237, 0x01D01704 },
1860
1861			{ 0x0C3D12A3, 0x0C501C0C, 0x17AD1300, 0x1715003F,
1862			0x03F719F8, 0x18031ED8, 0x1D980667, 0x0F681896,
1863			0x1B7D00BF, 0x011C14CE, 0x0FA000B4, 0x1C3501B0,
1864			0x0D901C55, 0x06790C10, 0x029E0736, 0x0DEB0400,
1865			0x034F183A, 0x030619B4, 0x0DEF0033, 0x00E71AC7 },
1866
1867			{ 0x1B7D1393, 0x1B3B1076, 0x0BED1B4D, 0x13011F3A,
1868			0x0E0E1238, 0x156A132B, 0x013A02D3, 0x160A0D01,
1869			0x1CED1EE9, 0x00C5165D, 0x184C157E, 0x08141A83,
1870			0x153C0DA5, 0x1ED70F9D, 0x05170D51, 0x02CF13B8,
1871			0x18AE1771, 0x1B04113F, 0x05EC11E9, 0x015A16B3 },
1872
1873			{ 0x04A41EE0, 0x1D1412E4, 0x1C591D79, 0x118511B7,
1874			0x14F00ACB, 0x1AE31E1C, 0x049C0D51, 0x016E061E,
1875			0x1DB71EDF, 0x01D41A35, 0x0E8208FA, 0x14441293,
1876			0x011F1E85, 0x1D54137A, 0x026B114F, 0x151D0832,
1877			0x00A50964, 0x1F9C1E1C, 0x064B12C9, 0x005409D1 },
1878
1879			{ 0x062B123F, 0x0C0D0501, 0x183704C3, 0x08E31120,
1880			0x0A2E0A6C, 0x14440FED, 0x090A0D1E, 0x13271964,
1881			0x0B590A3A, 0x019D1D9B, 0x05780773, 0x09770A91,
1882			0x0F770CA3, 0x053F19D4, 0x02C80DED, 0x1A761304,
1883			0x091E0DD9, 0x15D201B8, 0x151109AA, 0x010F0198 },
1884
1885			{ 0x05E101D1, 0x072314DD, 0x045F1433, 0x1A041541,
1886			0x10B3142E, 0x01840736, 0x1C1B19DB, 0x098B0418,
1887			0x1DBC083B, 0x007D1444, 0x01511740, 0x11DD1F3A,
1888			0x04ED0E2F, 0x1B4B1A62, 0x10480D04, 0x09E911A2,
1889			0x04211AFA, 0x19140893, 0x04D60CC4, 0x01210648 },
1890
1891			{ 0x112703C4, 0x018B1BA1, 0x164C1D50, 0x05160BE0,
1892			0x0BCC1830, 0x01CB1554, 0x13291732, 0x1B2B1918,
1893			0x0DED0817, 0x00E80775, 0x0A2401D3, 0x0BFE08B3,
1894			0x0E531199, 0x058616E9, 0x04770B91, 0x110F0C55,
1895			0x19C11554, 0x0BFB1159, 0x03541C38, 0x000E1C2D },
1896
1897			{ 0x10390C01, 0x02BB0751, 0x0AC5098E, 0x096C17AB,
1898			0x03C90E28, 0x10BD18BF, 0x002E1F2D, 0x092B0986,
1899			0x1BD700AC, 0x002E1F20, 0x1E3D1FD8, 0x077718BB,
1900			0x06F919C4, 0x187407ED, 0x11370E14, 0x081E139C,
1901			0x00481ADB, 0x14AB0289, 0x066A0EBE, 0x00C70ED6 },
1902
1903			{ 0x0694120B, 0x124E1CC9, 0x0E2F0570, 0x17CF081A,
1904			0x078906AC, 0x066D17CF, 0x1B3207F4, 0x0C5705E9,
1905			0x10001C38, 0x00A919DE, 0x06851375, 0x0F900BD8,
1906			0x080401BA, 0x0EEE0D42, 0x1B8B11EA, 0x0B4519F0,
1907			0x090F18C0, 0x062E1508, 0x0DD909F4, 0x01EB067C },
1908
1909			{ 0x0CDC1D5F, 0x0D1818F9, 0x07781636, 0x125B18E8,
1910			0x0D7003AF, 0x13110099, 0x1D9B1899, 0x175C1EB7,
1911			0x0E34171A, 0x01E01153, 0x081A0F36, 0x0B391783,
1912			0x1D1F147E, 0x19CE16D7, 0x11511B21, 0x1F2C10F9,
1913			0x12CA0E51, 0x05A31D39, 0x171A192E, 0x016B0E4F }
1914			};
1915
1916			/*
1917			* Lookup one of the Gwin[] values, by index. This is constant-time.
1918			*/
1919			static void
1920	0		lookup_Gwin(p256_jacobian *T, uint32_t idx)
1921			{
1922			uint32_t xy[20];
1923			uint32_t k;
1924			size_t u;
1925
1926	0		memset(xy, 0, sizeof xy);
1927	0	0	for (k = 0; k < 15; k ++) {
1928			uint32_t m;
1929
1930	0		m = -EQ(idx, k + 1);
1931	0	0	for (u = 0; u < 20; u ++) {
1932	0		xy[u] \|= m & Gwin[k][u];
1933			}
1934			}
1935	0	0	for (u = 0; u < 10; u ++) {
1936	0		T->x[(u << 1) + 0] = xy[u] & 0xFFFF;
1937	0		T->x[(u << 1) + 1] = xy[u] >> 16;
1938	0		T->y[(u << 1) + 0] = xy[u + 10] & 0xFFFF;
1939	0		T->y[(u << 1) + 1] = xy[u + 10] >> 16;
1940			}
1941	0		memset(T->z, 0, sizeof T->z);
1942	0		T->z[0] = 1;
1943	0		}
1944
1945			/*
1946			* Multiply the generator by an integer. The integer is assumed non-zero
1947			* and lower than the curve order.
1948			*/
1949			static void
1950	0		p256_mulgen(p256_jacobian P, const unsigned char x, size_t xlen)
1951			{
1952			/*
1953			* qz is a flag that is initially 1, and remains equal to 1
1954			* as long as the point is the point at infinity.
1955			*
1956			* We use a 4-bit window to handle multiplier bits by groups
1957			* of 4. The precomputed window is constant static data, with
1958			* points in affine coordinates; we use a constant-time lookup.
1959			*/
1960			p256_jacobian Q;
1961			uint32_t qz;
1962
1963	0		memset(&Q, 0, sizeof Q);
1964	0		qz = 1;
1965	0	0	while (xlen -- > 0) {
1966			int k;
1967			unsigned bx;
1968
1969	0		bx = *x ++;
1970	0	0	for (k = 0; k < 2; k ++) {
1971			uint32_t bits;
1972			uint32_t bnz;
1973			p256_jacobian T, U;
1974
1975	0		p256_double(&Q);
1976	0		p256_double(&Q);
1977	0		p256_double(&Q);
1978	0		p256_double(&Q);
1979	0		bits = (bx >> 4) & 0x0F;
1980	0		bnz = NEQ(bits, 0);
1981	0		lookup_Gwin(&T, bits);
1982	0		U = Q;
1983	0		p256_add_mixed(&U, &T);
1984	0		CCOPY(bnz & qz, &Q, &T, sizeof Q);
1985	0		CCOPY(bnz & ~qz, &Q, &U, sizeof Q);
1986	0		qz &= ~bnz;
1987	0		bx <<= 4;
1988			}
1989			}
1990	0		*P = Q;
1991	0		}
1992
1993			static const unsigned char P256_G[] = {
1994			0x04, 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8,
1995			0xBC, 0xE6, 0xE5, 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D,
1996			0x81, 0x2D, 0xEB, 0x33, 0xA0, 0xF4, 0xA1, 0x39, 0x45, 0xD8,
1997			0x98, 0xC2, 0x96, 0x4F, 0xE3, 0x42, 0xE2, 0xFE, 0x1A, 0x7F,
1998			0x9B, 0x8E, 0xE7, 0xEB, 0x4A, 0x7C, 0x0F, 0x9E, 0x16, 0x2B,
1999			0xCE, 0x33, 0x57, 0x6B, 0x31, 0x5E, 0xCE, 0xCB, 0xB6, 0x40,
2000			0x68, 0x37, 0xBF, 0x51, 0xF5
2001			};
2002
2003			static const unsigned char P256_N[] = {
2004			0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF,
2005			0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD,
2006			0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63,
2007			0x25, 0x51
2008			};
2009
2010			static const unsigned char *
2011	0		api_generator(int curve, size_t *len)
2012			{
2013			(void)curve;
2014	0		*len = sizeof P256_G;
2015	0		return P256_G;
2016			}
2017
2018			static const unsigned char *
2019	0		api_order(int curve, size_t *len)
2020			{
2021			(void)curve;
2022	0		*len = sizeof P256_N;
2023	0		return P256_N;
2024			}
2025
2026			static size_t
2027	0		api_xoff(int curve, size_t *len)
2028			{
2029			(void)curve;
2030	0		*len = 32;
2031	0		return 1;
2032			}
2033
2034			static uint32_t
2035	0		api_mul(unsigned char *G, size_t Glen,
2036			const unsigned char *x, size_t xlen, int curve)
2037			{
2038			uint32_t r;
2039			p256_jacobian P;
2040
2041			(void)curve;
2042	0	0	if (Glen != 65) {
2043	0		return 0;
2044			}
2045	0		r = p256_decode(&P, G, Glen);
2046	0		p256_mul(&P, x, xlen);
2047	0		p256_to_affine(&P);
2048	0		p256_encode(G, &P);
2049	0		return r;
2050			}
2051
2052			static size_t
2053	0		api_mulgen(unsigned char *R,
2054			const unsigned char *x, size_t xlen, int curve)
2055			{
2056			p256_jacobian P;
2057
2058			(void)curve;
2059	0		p256_mulgen(&P, x, xlen);
2060	0		p256_to_affine(&P);
2061	0		p256_encode(R, &P);
2062	0		return 65;
2063			}
2064
2065			static uint32_t
2066	0		api_muladd(unsigned char A, const unsigned char B, size_t len,
2067			const unsigned char *x, size_t xlen,
2068			const unsigned char *y, size_t ylen, int curve)
2069			{
2070			p256_jacobian P, Q;
2071			uint32_t r, t, z;
2072			int i;
2073
2074			(void)curve;
2075	0	0	if (len != 65) {
2076	0		return 0;
2077			}
2078	0		r = p256_decode(&P, A, len);
2079	0		p256_mul(&P, x, xlen);
2080	0	0	if (B == NULL) {
2081	0		p256_mulgen(&Q, y, ylen);
2082			} else {
2083	0		r &= p256_decode(&Q, B, len);
2084	0		p256_mul(&Q, y, ylen);
2085			}
2086
2087			/*
2088			* The final addition may fail in case both points are equal.
2089			*/
2090	0		t = p256_add(&P, &Q);
2091	0		reduce_final_f256(P.z);
2092	0		z = 0;
2093	0	0	for (i = 0; i < 20; i ++) {
2094	0		z \|= P.z[i];
2095			}
2096	0		z = EQ(z, 0);
2097	0		p256_double(&Q);
2098
2099			/*
2100			* If z is 1 then either P+Q = 0 (t = 1) or P = Q (t = 0). So we
2101			* have the following:
2102			*
2103			* z = 0, t = 0 return P (normal addition)
2104			* z = 0, t = 1 return P (normal addition)
2105			* z = 1, t = 0 return Q (a 'double' case)
2106			* z = 1, t = 1 report an error (P+Q = 0)
2107			*/
2108	0		CCOPY(z & ~t, &P, &Q, sizeof Q);
2109	0		p256_to_affine(&P);
2110	0		p256_encode(A, &P);
2111	0		r &= ~(z & t);
2112	0		return r;
2113			}
2114
2115			/* see bearssl_ec.h */
2116			const br_ec_impl br_ec_p256_m15 = {
2117			(uint32_t)0x00800000,
2118			&api_generator,
2119			&api_order,
2120			&api_xoff,
2121			&api_mul,
2122			&api_mulgen,
2123			&api_muladd
2124			};