arnaucube
/
go-iden3-crypto
mirror of https://github.com/arnaucube/go-iden3-crypto.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
37 Commits
26 Branches
7 Tags
4.8 MiB
Branch: feature/goff-0-2-0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'feature/goff-0-2-0'
${ noResults }
go-iden3-crypto/ff/element_square.go

93 lines
3.0 KiB
Raw Permalink Normal View History

Update to goff v0.2.0
4 years ago
  1. // +build !amd64
  3. // Copyright 2020 ConsenSys AG
  4. //
  5. // Licensed under the Apache License, Version 2.0 (the "License");
  6. // you may not use this file except in compliance with the License.
  7. // You may obtain a copy of the License at
  8. //
  9. // http://www.apache.org/licenses/LICENSE-2.0
  10. //
  11. // Unless required by applicable law or agreed to in writing, software
  12. // distributed under the License is distributed on an "AS IS" BASIS,
  13. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14. // See the License for the specific language governing permissions and
  15. // limitations under the License.
  17. // Code generated by goff (v0.2.0) DO NOT EDIT
  19. // Package ff contains field arithmetic operations
  20. package ff
  22. // /!\ WARNING /!\
  23. // this code has not been audited and is provided as-is. In particular,
  24. // there is no security guarantees such as constant time implementation
  25. // or side-channel attack resistance
  26. // /!\ WARNING /!\
  28. import "math/bits"
  30. // Square z = x * x mod q
  31. // see https://hackmd.io/@zkteam/modular_multiplication
  32. func (z *Element) Square(x *Element) *Element {
  34. var p [4]uint64
  36. var u, v uint64
  37. {
  38. // round 0
  39. u, p[0] = bits.Mul64(x[0], x[0])
  40. m := p[0] * 14042775128853446655
  41. C := madd0(m, 4891460686036598785, p[0])
  42. var t uint64
  43. t, u, v = madd1sb(x[0], x[1], u)
  44. C, p[0] = madd2(m, 2896914383306846353, v, C)
  45. t, u, v = madd1s(x[0], x[2], t, u)
  46. C, p[1] = madd2(m, 13281191951274694749, v, C)
  47. _, u, v = madd1s(x[0], x[3], t, u)
  48. p[3], p[2] = madd3(m, 3486998266802970665, v, C, u)
  49. }
  50. {
  51. // round 1
  52. m := p[0] * 14042775128853446655
  53. C := madd0(m, 4891460686036598785, p[0])
  54. u, v = madd1(x[1], x[1], p[1])
  55. C, p[0] = madd2(m, 2896914383306846353, v, C)
  56. var t uint64
  57. t, u, v = madd2sb(x[1], x[2], p[2], u)
  58. C, p[1] = madd2(m, 13281191951274694749, v, C)
  59. _, u, v = madd2s(x[1], x[3], p[3], t, u)
  60. p[3], p[2] = madd3(m, 3486998266802970665, v, C, u)
  61. }
  62. {
  63. // round 2
  64. m := p[0] * 14042775128853446655
  65. C := madd0(m, 4891460686036598785, p[0])
  66. C, p[0] = madd2(m, 2896914383306846353, p[1], C)
  67. u, v = madd1(x[2], x[2], p[2])
  68. C, p[1] = madd2(m, 13281191951274694749, v, C)
  69. _, u, v = madd2sb(x[2], x[3], p[3], u)
  70. p[3], p[2] = madd3(m, 3486998266802970665, v, C, u)
  71. }
  72. {
  73. // round 3
  74. m := p[0] * 14042775128853446655
  75. C := madd0(m, 4891460686036598785, p[0])
  76. C, z[0] = madd2(m, 2896914383306846353, p[1], C)
  77. C, z[1] = madd2(m, 13281191951274694749, p[2], C)
  78. u, v = madd1(x[3], x[3], p[3])
  79. z[3], z[2] = madd3(m, 3486998266802970665, v, C, u)
  80. }
  82. // if z > q --> z -= q
  83. // note: this is NOT constant time
  84. if !(z[3] < 3486998266802970665 || (z[3] == 3486998266802970665 && (z[2] < 13281191951274694749 || (z[2] == 13281191951274694749 && (z[1] < 2896914383306846353 || (z[1] == 2896914383306846353 && (z[0] < 4891460686036598785))))))) {
  85. var b uint64
  86. z[0], b = bits.Sub64(z[0], 4891460686036598785, 0)
  87. z[1], b = bits.Sub64(z[1], 2896914383306846353, b)
  88. z[2], b = bits.Sub64(z[2], 13281191951274694749, b)
  89. z[3], _ = bits.Sub64(z[3], 3486998266802970665, b)
  90. }
  91. return z
  93. }