p256_s390x.go

     1  // Copyright 2016 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  //go:build s390x
     6  
     7  package elliptic
     8  
     9  import (
    10  	"crypto/subtle"
    11  	"internal/cpu"
    12  	"math/big"
    13  	"unsafe"
    14  )
    15  
    16  const (
    17  	offsetS390xHasVX  = unsafe.Offsetof(cpu.S390X.HasVX)
    18  	offsetS390xHasVE1 = unsafe.Offsetof(cpu.S390X.HasVXE)
    19  )
    20  
    21  type p256CurveFast struct {
    22  	*CurveParams
    23  }
    24  
    25  type p256Point struct {
    26  	x [32]byte
    27  	y [32]byte
    28  	z [32]byte
    29  }
    30  
    31  var (
    32  	p256        Curve
    33  	p256PreFast *[37][64]p256Point
    34  )
    35  
    36  //go:noescape
    37  func p256MulInternalTrampolineSetup()
    38  
    39  //go:noescape
    40  func p256SqrInternalTrampolineSetup()
    41  
    42  //go:noescape
    43  func p256MulInternalVX()
    44  
    45  //go:noescape
    46  func p256MulInternalVMSL()
    47  
    48  //go:noescape
    49  func p256SqrInternalVX()
    50  
    51  //go:noescape
    52  func p256SqrInternalVMSL()
    53  
    54  func initP256Arch() {
    55  	if cpu.S390X.HasVX {
    56  		p256 = p256CurveFast{p256Params}
    57  		initTable()
    58  		return
    59  	}
    60  
    61  	// No vector support, use pure Go implementation.
    62  	p256 = p256Curve{p256Params}
    63  	return
    64  }
    65  
    66  func (curve p256CurveFast) Params() *CurveParams {
    67  	return curve.CurveParams
    68  }
    69  
    70  // Functions implemented in p256_asm_s390x.s
    71  // Montgomery multiplication modulo P256
    72  //
    73  //go:noescape
    74  func p256SqrAsm(res, in1 []byte)
    75  
    76  //go:noescape
    77  func p256MulAsm(res, in1, in2 []byte)
    78  
    79  // Montgomery square modulo P256
    80  func p256Sqr(res, in []byte) {
    81  	p256SqrAsm(res, in)
    82  }
    83  
    84  // Montgomery multiplication by 1
    85  //
    86  //go:noescape
    87  func p256FromMont(res, in []byte)
    88  
    89  // iff cond == 1  val <- -val
    90  //
    91  //go:noescape
    92  func p256NegCond(val *p256Point, cond int)
    93  
    94  // if cond == 0 res <- b; else res <- a
    95  //
    96  //go:noescape
    97  func p256MovCond(res, a, b *p256Point, cond int)
    98  
    99  // Constant time table access
   100  //
   101  //go:noescape
   102  func p256Select(point *p256Point, table []p256Point, idx int)
   103  
   104  //go:noescape
   105  func p256SelectBase(point *p256Point, table []p256Point, idx int)
   106  
   107  // Montgomery multiplication modulo Ord(G)
   108  //
   109  //go:noescape
   110  func p256OrdMul(res, in1, in2 []byte)
   111  
   112  // Montgomery square modulo Ord(G), repeated n times
   113  func p256OrdSqr(res, in []byte, n int) {
   114  	copy(res, in)
   115  	for i := 0; i < n; i += 1 {
   116  		p256OrdMul(res, res, res)
   117  	}
   118  }
   119  
   120  // Point add with P2 being affine point
   121  // If sign == 1 -> P2 = -P2
   122  // If sel == 0 -> P3 = P1
   123  // if zero == 0 -> P3 = P2
   124  //
   125  //go:noescape
   126  func p256PointAddAffineAsm(P3, P1, P2 *p256Point, sign, sel, zero int)
   127  
   128  // Point add
   129  //
   130  //go:noescape
   131  func p256PointAddAsm(P3, P1, P2 *p256Point) int
   132  
   133  //go:noescape
   134  func p256PointDoubleAsm(P3, P1 *p256Point)
   135  
   136  func (curve p256CurveFast) Inverse(k *big.Int) *big.Int {
   137  	if k.Cmp(p256Params.N) >= 0 {
   138  		// This should never happen.
   139  		reducedK := new(big.Int).Mod(k, p256Params.N)
   140  		k = reducedK
   141  	}
   142  
   143  	// table will store precomputed powers of x. The 32 bytes at index
   144  	// i store x^(i+1).
   145  	var table [15][32]byte
   146  
   147  	x := fromBig(k)
   148  	// This code operates in the Montgomery domain where R = 2^256 mod n
   149  	// and n is the order of the scalar field. (See initP256 for the
   150  	// value.) Elements in the Montgomery domain take the form a×R and
   151  	// multiplication of x and y in the calculates (x × y × R^-1) mod n. RR
   152  	// is R×R mod n thus the Montgomery multiplication x and RR gives x×R,
   153  	// i.e. converts x into the Montgomery domain. Stored in BigEndian form
   154  	RR := []byte{0x66, 0xe1, 0x2d, 0x94, 0xf3, 0xd9, 0x56, 0x20, 0x28, 0x45, 0xb2, 0x39, 0x2b, 0x6b, 0xec, 0x59,
   155  		0x46, 0x99, 0x79, 0x9c, 0x49, 0xbd, 0x6f, 0xa6, 0x83, 0x24, 0x4c, 0x95, 0xbe, 0x79, 0xee, 0xa2}
   156  
   157  	p256OrdMul(table[0][:], x, RR)
   158  
   159  	// Prepare the table, no need in constant time access, because the
   160  	// power is not a secret. (Entry 0 is never used.)
   161  	for i := 2; i < 16; i += 2 {
   162  		p256OrdSqr(table[i-1][:], table[(i/2)-1][:], 1)
   163  		p256OrdMul(table[i][:], table[i-1][:], table[0][:])
   164  	}
   165  
   166  	copy(x, table[14][:]) // f
   167  
   168  	p256OrdSqr(x[0:32], x[0:32], 4)
   169  	p256OrdMul(x[0:32], x[0:32], table[14][:]) // ff
   170  	t := make([]byte, 32)
   171  	copy(t, x)
   172  
   173  	p256OrdSqr(x, x, 8)
   174  	p256OrdMul(x, x, t) // ffff
   175  	copy(t, x)
   176  
   177  	p256OrdSqr(x, x, 16)
   178  	p256OrdMul(x, x, t) // ffffffff
   179  	copy(t, x)
   180  
   181  	p256OrdSqr(x, x, 64) // ffffffff0000000000000000
   182  	p256OrdMul(x, x, t)  // ffffffff00000000ffffffff
   183  	p256OrdSqr(x, x, 32) // ffffffff00000000ffffffff00000000
   184  	p256OrdMul(x, x, t)  // ffffffff00000000ffffffffffffffff
   185  
   186  	// Remaining 32 windows
   187  	expLo := [32]byte{0xb, 0xc, 0xe, 0x6, 0xf, 0xa, 0xa, 0xd, 0xa, 0x7, 0x1, 0x7, 0x9, 0xe, 0x8, 0x4,
   188  		0xf, 0x3, 0xb, 0x9, 0xc, 0xa, 0xc, 0x2, 0xf, 0xc, 0x6, 0x3, 0x2, 0x5, 0x4, 0xf}
   189  	for i := 0; i < 32; i++ {
   190  		p256OrdSqr(x, x, 4)
   191  		p256OrdMul(x, x, table[expLo[i]-1][:])
   192  	}
   193  
   194  	// Multiplying by one in the Montgomery domain converts a Montgomery
   195  	// value out of the domain.
   196  	one := []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
   197  		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}
   198  	p256OrdMul(x, x, one)
   199  
   200  	return new(big.Int).SetBytes(x)
   201  }
   202  
   203  // fromBig converts a *big.Int into a format used by this code.
   204  func fromBig(big *big.Int) []byte {
   205  	// This could be done a lot more efficiently...
   206  	res := big.Bytes()
   207  	if 32 == len(res) {
   208  		return res
   209  	}
   210  	t := make([]byte, 32)
   211  	offset := 32 - len(res)
   212  	for i := len(res) - 1; i >= 0; i-- {
   213  		t[i+offset] = res[i]
   214  	}
   215  	return t
   216  }
   217  
   218  // p256GetMultiplier makes sure byte array will have 32 byte elements, If the scalar
   219  // is equal or greater than the order of the group, it's reduced modulo that order.
   220  func p256GetMultiplier(in []byte) []byte {
   221  	n := new(big.Int).SetBytes(in)
   222  
   223  	if n.Cmp(p256Params.N) >= 0 {
   224  		n.Mod(n, p256Params.N)
   225  	}
   226  	return fromBig(n)
   227  }
   228  
   229  // p256MulAsm operates in a Montgomery domain with R = 2^256 mod p, where p is the
   230  // underlying field of the curve. (See initP256 for the value.) Thus rr here is
   231  // R×R mod p. See comment in Inverse about how this is used.
   232  var rr = []byte{0x00, 0x00, 0x00, 0x04, 0xff, 0xff, 0xff, 0xfd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
   233  	0xff, 0xff, 0xff, 0xfb, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03}
   234  
   235  // (This is one, in the Montgomery domain.)
   236  var one = []byte{0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
   237  	0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}
   238  
   239  func maybeReduceModP(in *big.Int) *big.Int {
   240  	if in.Cmp(p256Params.P) < 0 {
   241  		return in
   242  	}
   243  	return new(big.Int).Mod(in, p256Params.P)
   244  }
   245  
   246  func (curve p256CurveFast) CombinedMult(bigX, bigY *big.Int, baseScalar, scalar []byte) (x, y *big.Int) {
   247  	var r1, r2 p256Point
   248  	scalarReduced := p256GetMultiplier(baseScalar)
   249  	r1IsInfinity := scalarIsZero(scalarReduced)
   250  	r1.p256BaseMult(scalarReduced)
   251  
   252  	copy(r2.x[:], fromBig(maybeReduceModP(bigX)))
   253  	copy(r2.y[:], fromBig(maybeReduceModP(bigY)))
   254  	copy(r2.z[:], one)
   255  	p256MulAsm(r2.x[:], r2.x[:], rr[:])
   256  	p256MulAsm(r2.y[:], r2.y[:], rr[:])
   257  
   258  	scalarReduced = p256GetMultiplier(scalar)
   259  	r2IsInfinity := scalarIsZero(scalarReduced)
   260  	r2.p256ScalarMult(p256GetMultiplier(scalar))
   261  
   262  	var sum, double p256Point
   263  	pointsEqual := p256PointAddAsm(&sum, &r1, &r2)
   264  	p256PointDoubleAsm(&double, &r1)
   265  	p256MovCond(&sum, &double, &sum, pointsEqual)
   266  	p256MovCond(&sum, &r1, &sum, r2IsInfinity)
   267  	p256MovCond(&sum, &r2, &sum, r1IsInfinity)
   268  	return sum.p256PointToAffine()
   269  }
   270  
   271  func (curve p256CurveFast) ScalarBaseMult(scalar []byte) (x, y *big.Int) {
   272  	var r p256Point
   273  	r.p256BaseMult(p256GetMultiplier(scalar))
   274  	return r.p256PointToAffine()
   275  }
   276  
   277  func (curve p256CurveFast) ScalarMult(bigX, bigY *big.Int, scalar []byte) (x, y *big.Int) {
   278  	var r p256Point
   279  	copy(r.x[:], fromBig(maybeReduceModP(bigX)))
   280  	copy(r.y[:], fromBig(maybeReduceModP(bigY)))
   281  	copy(r.z[:], one)
   282  	p256MulAsm(r.x[:], r.x[:], rr[:])
   283  	p256MulAsm(r.y[:], r.y[:], rr[:])
   284  	r.p256ScalarMult(p256GetMultiplier(scalar))
   285  	return r.p256PointToAffine()
   286  }
   287  
   288  // scalarIsZero returns 1 if scalar represents the zero value, and zero
   289  // otherwise.
   290  func scalarIsZero(scalar []byte) int {
   291  	b := byte(0)
   292  	for _, s := range scalar {
   293  		b |= s
   294  	}
   295  	return subtle.ConstantTimeByteEq(b, 0)
   296  }
   297  
   298  func (p *p256Point) p256PointToAffine() (x, y *big.Int) {
   299  	zInv := make([]byte, 32)
   300  	zInvSq := make([]byte, 32)
   301  
   302  	p256Inverse(zInv, p.z[:])
   303  	p256Sqr(zInvSq, zInv)
   304  	p256MulAsm(zInv, zInv, zInvSq)
   305  
   306  	p256MulAsm(zInvSq, p.x[:], zInvSq)
   307  	p256MulAsm(zInv, p.y[:], zInv)
   308  
   309  	p256FromMont(zInvSq, zInvSq)
   310  	p256FromMont(zInv, zInv)
   311  
   312  	return new(big.Int).SetBytes(zInvSq), new(big.Int).SetBytes(zInv)
   313  }
   314  
   315  // p256Inverse sets out to in^-1 mod p.
   316  func p256Inverse(out, in []byte) {
   317  	var stack [6 * 32]byte
   318  	p2 := stack[32*0 : 32*0+32]
   319  	p4 := stack[32*1 : 32*1+32]
   320  	p8 := stack[32*2 : 32*2+32]
   321  	p16 := stack[32*3 : 32*3+32]
   322  	p32 := stack[32*4 : 32*4+32]
   323  
   324  	p256Sqr(out, in)
   325  	p256MulAsm(p2, out, in) // 3*p
   326  
   327  	p256Sqr(out, p2)
   328  	p256Sqr(out, out)
   329  	p256MulAsm(p4, out, p2) // f*p
   330  
   331  	p256Sqr(out, p4)
   332  	p256Sqr(out, out)
   333  	p256Sqr(out, out)
   334  	p256Sqr(out, out)
   335  	p256MulAsm(p8, out, p4) // ff*p
   336  
   337  	p256Sqr(out, p8)
   338  
   339  	for i := 0; i < 7; i++ {
   340  		p256Sqr(out, out)
   341  	}
   342  	p256MulAsm(p16, out, p8) // ffff*p
   343  
   344  	p256Sqr(out, p16)
   345  	for i := 0; i < 15; i++ {
   346  		p256Sqr(out, out)
   347  	}
   348  	p256MulAsm(p32, out, p16) // ffffffff*p
   349  
   350  	p256Sqr(out, p32)
   351  
   352  	for i := 0; i < 31; i++ {
   353  		p256Sqr(out, out)
   354  	}
   355  	p256MulAsm(out, out, in)
   356  
   357  	for i := 0; i < 32*4; i++ {
   358  		p256Sqr(out, out)
   359  	}
   360  	p256MulAsm(out, out, p32)
   361  
   362  	for i := 0; i < 32; i++ {
   363  		p256Sqr(out, out)
   364  	}
   365  	p256MulAsm(out, out, p32)
   366  
   367  	for i := 0; i < 16; i++ {
   368  		p256Sqr(out, out)
   369  	}
   370  	p256MulAsm(out, out, p16)
   371  
   372  	for i := 0; i < 8; i++ {
   373  		p256Sqr(out, out)
   374  	}
   375  	p256MulAsm(out, out, p8)
   376  
   377  	p256Sqr(out, out)
   378  	p256Sqr(out, out)
   379  	p256Sqr(out, out)
   380  	p256Sqr(out, out)
   381  	p256MulAsm(out, out, p4)
   382  
   383  	p256Sqr(out, out)
   384  	p256Sqr(out, out)
   385  	p256MulAsm(out, out, p2)
   386  
   387  	p256Sqr(out, out)
   388  	p256Sqr(out, out)
   389  	p256MulAsm(out, out, in)
   390  }
   391  
   392  func boothW5(in uint) (int, int) {
   393  	var s uint = ^((in >> 5) - 1)
   394  	var d uint = (1 << 6) - in - 1
   395  	d = (d & s) | (in & (^s))
   396  	d = (d >> 1) + (d & 1)
   397  	return int(d), int(s & 1)
   398  }
   399  
   400  func boothW7(in uint) (int, int) {
   401  	var s uint = ^((in >> 7) - 1)
   402  	var d uint = (1 << 8) - in - 1
   403  	d = (d & s) | (in & (^s))
   404  	d = (d >> 1) + (d & 1)
   405  	return int(d), int(s & 1)
   406  }
   407  
   408  func initTable() {
   409  	p256PreFast = new([37][64]p256Point) //z coordinate not used
   410  	basePoint := p256Point{
   411  		x: [32]byte{0x18, 0x90, 0x5f, 0x76, 0xa5, 0x37, 0x55, 0xc6, 0x79, 0xfb, 0x73, 0x2b, 0x77, 0x62, 0x25, 0x10,
   412  			0x75, 0xba, 0x95, 0xfc, 0x5f, 0xed, 0xb6, 0x01, 0x79, 0xe7, 0x30, 0xd4, 0x18, 0xa9, 0x14, 0x3c}, //(p256.x*2^256)%p
   413  		y: [32]byte{0x85, 0x71, 0xff, 0x18, 0x25, 0x88, 0x5d, 0x85, 0xd2, 0xe8, 0x86, 0x88, 0xdd, 0x21, 0xf3, 0x25,
   414  			0x8b, 0x4a, 0xb8, 0xe4, 0xba, 0x19, 0xe4, 0x5c, 0xdd, 0xf2, 0x53, 0x57, 0xce, 0x95, 0x56, 0x0a}, //(p256.y*2^256)%p
   415  		z: [32]byte{0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
   416  			0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, //(p256.z*2^256)%p
   417  	}
   418  
   419  	t1 := new(p256Point)
   420  	t2 := new(p256Point)
   421  	*t2 = basePoint
   422  
   423  	zInv := make([]byte, 32)
   424  	zInvSq := make([]byte, 32)
   425  	for j := 0; j < 64; j++ {
   426  		*t1 = *t2
   427  		for i := 0; i < 37; i++ {
   428  			// The window size is 7 so we need to double 7 times.
   429  			if i != 0 {
   430  				for k := 0; k < 7; k++ {
   431  					p256PointDoubleAsm(t1, t1)
   432  				}
   433  			}
   434  			// Convert the point to affine form. (Its values are
   435  			// still in Montgomery form however.)
   436  			p256Inverse(zInv, t1.z[:])
   437  			p256Sqr(zInvSq, zInv)
   438  			p256MulAsm(zInv, zInv, zInvSq)
   439  
   440  			p256MulAsm(t1.x[:], t1.x[:], zInvSq)
   441  			p256MulAsm(t1.y[:], t1.y[:], zInv)
   442  
   443  			copy(t1.z[:], basePoint.z[:])
   444  			// Update the table entry
   445  			copy(p256PreFast[i][j].x[:], t1.x[:])
   446  			copy(p256PreFast[i][j].y[:], t1.y[:])
   447  		}
   448  		if j == 0 {
   449  			p256PointDoubleAsm(t2, &basePoint)
   450  		} else {
   451  			p256PointAddAsm(t2, t2, &basePoint)
   452  		}
   453  	}
   454  }
   455  
   456  func (p *p256Point) p256BaseMult(scalar []byte) {
   457  	wvalue := (uint(scalar[31]) << 1) & 0xff
   458  	sel, sign := boothW7(uint(wvalue))
   459  	p256SelectBase(p, p256PreFast[0][:], sel)
   460  	p256NegCond(p, sign)
   461  
   462  	copy(p.z[:], one[:])
   463  	var t0 p256Point
   464  
   465  	copy(t0.z[:], one[:])
   466  
   467  	index := uint(6)
   468  	zero := sel
   469  
   470  	for i := 1; i < 37; i++ {
   471  		if index < 247 {
   472  			wvalue = ((uint(scalar[31-index/8]) >> (index % 8)) + (uint(scalar[31-index/8-1]) << (8 - (index % 8)))) & 0xff
   473  		} else {
   474  			wvalue = (uint(scalar[31-index/8]) >> (index % 8)) & 0xff
   475  		}
   476  		index += 7
   477  		sel, sign = boothW7(uint(wvalue))
   478  		p256SelectBase(&t0, p256PreFast[i][:], sel)
   479  		p256PointAddAffineAsm(p, p, &t0, sign, sel, zero)
   480  		zero |= sel
   481  	}
   482  }
   483  
   484  func (p *p256Point) p256ScalarMult(scalar []byte) {
   485  	// precomp is a table of precomputed points that stores powers of p
   486  	// from p^1 to p^16.
   487  	var precomp [16]p256Point
   488  	var t0, t1, t2, t3 p256Point
   489  
   490  	// Prepare the table
   491  	*&precomp[0] = *p
   492  
   493  	p256PointDoubleAsm(&t0, p)
   494  	p256PointDoubleAsm(&t1, &t0)
   495  	p256PointDoubleAsm(&t2, &t1)
   496  	p256PointDoubleAsm(&t3, &t2)
   497  	*&precomp[1] = t0  // 2
   498  	*&precomp[3] = t1  // 4
   499  	*&precomp[7] = t2  // 8
   500  	*&precomp[15] = t3 // 16
   501  
   502  	p256PointAddAsm(&t0, &t0, p)
   503  	p256PointAddAsm(&t1, &t1, p)
   504  	p256PointAddAsm(&t2, &t2, p)
   505  	*&precomp[2] = t0 // 3
   506  	*&precomp[4] = t1 // 5
   507  	*&precomp[8] = t2 // 9
   508  
   509  	p256PointDoubleAsm(&t0, &t0)
   510  	p256PointDoubleAsm(&t1, &t1)
   511  	*&precomp[5] = t0 // 6
   512  	*&precomp[9] = t1 // 10
   513  
   514  	p256PointAddAsm(&t2, &t0, p)
   515  	p256PointAddAsm(&t1, &t1, p)
   516  	*&precomp[6] = t2  // 7
   517  	*&precomp[10] = t1 // 11
   518  
   519  	p256PointDoubleAsm(&t0, &t0)
   520  	p256PointDoubleAsm(&t2, &t2)
   521  	*&precomp[11] = t0 // 12
   522  	*&precomp[13] = t2 // 14
   523  
   524  	p256PointAddAsm(&t0, &t0, p)
   525  	p256PointAddAsm(&t2, &t2, p)
   526  	*&precomp[12] = t0 // 13
   527  	*&precomp[14] = t2 // 15
   528  
   529  	// Start scanning the window from top bit
   530  	index := uint(254)
   531  	var sel, sign int
   532  
   533  	wvalue := (uint(scalar[31-index/8]) >> (index % 8)) & 0x3f
   534  	sel, _ = boothW5(uint(wvalue))
   535  	p256Select(p, precomp[:], sel)
   536  	zero := sel
   537  
   538  	for index > 4 {
   539  		index -= 5
   540  		p256PointDoubleAsm(p, p)
   541  		p256PointDoubleAsm(p, p)
   542  		p256PointDoubleAsm(p, p)
   543  		p256PointDoubleAsm(p, p)
   544  		p256PointDoubleAsm(p, p)
   545  
   546  		if index < 247 {
   547  			wvalue = ((uint(scalar[31-index/8]) >> (index % 8)) + (uint(scalar[31-index/8-1]) << (8 - (index % 8)))) & 0x3f
   548  		} else {
   549  			wvalue = (uint(scalar[31-index/8]) >> (index % 8)) & 0x3f
   550  		}
   551  
   552  		sel, sign = boothW5(uint(wvalue))
   553  
   554  		p256Select(&t0, precomp[:], sel)
   555  		p256NegCond(&t0, sign)
   556  		p256PointAddAsm(&t1, p, &t0)
   557  		p256MovCond(&t1, &t1, p, sel)
   558  		p256MovCond(p, &t1, &t0, zero)
   559  		zero |= sel
   560  	}
   561  
   562  	p256PointDoubleAsm(p, p)
   563  	p256PointDoubleAsm(p, p)
   564  	p256PointDoubleAsm(p, p)
   565  	p256PointDoubleAsm(p, p)
   566  	p256PointDoubleAsm(p, p)
   567  
   568  	wvalue = (uint(scalar[31]) << 1) & 0x3f
   569  	sel, sign = boothW5(uint(wvalue))
   570  
   571  	p256Select(&t0, precomp[:], sel)
   572  	p256NegCond(&t0, sign)
   573  	p256PointAddAsm(&t1, p, &t0)
   574  	p256MovCond(&t1, &t1, p, sel)
   575  	p256MovCond(p, &t1, &t0, zero)
   576  }
   577
View as plain text