210 lines
4.3 KiB
Go
210 lines
4.3 KiB
Go
// +build !amd64,!arm64 generic
|
|
|
|
package bn256
|
|
|
|
func gfpCarry(a *gfP, head uint64) {
|
|
b := &gfP{}
|
|
|
|
var carry uint64
|
|
for i, pi := range p2 {
|
|
ai := a[i]
|
|
bi := ai - pi - carry
|
|
b[i] = bi
|
|
carry = (pi&^ai | (pi|^ai)&bi) >> 63
|
|
}
|
|
carry = carry &^ head
|
|
|
|
// If b is negative, then return a.
|
|
// Else return b.
|
|
carry = -carry
|
|
ncarry := ^carry
|
|
for i := 0; i < 4; i++ {
|
|
a[i] = (a[i] & carry) | (b[i] & ncarry)
|
|
}
|
|
}
|
|
|
|
func gfpNeg(c, a *gfP) {
|
|
var carry uint64
|
|
for i, pi := range p2 { // p2 being the prime that defines the base/prime field
|
|
ai := a[i]
|
|
ci := pi - ai - carry
|
|
c[i] = ci
|
|
carry = (ai&^pi | (ai|^pi)&ci) >> 63
|
|
}
|
|
gfpCarry(c, 0)
|
|
}
|
|
|
|
func gfpAdd(c, a, b *gfP) {
|
|
var carry uint64
|
|
for i, ai := range a {
|
|
bi := b[i]
|
|
ci := ai + bi + carry
|
|
c[i] = ci
|
|
carry = (ai&bi | (ai|bi)&^ci) >> 63
|
|
}
|
|
gfpCarry(c, carry)
|
|
}
|
|
|
|
func gfpSub(c, a, b *gfP) {
|
|
t := &gfP{}
|
|
|
|
var carry uint64
|
|
for i, pi := range p2 {
|
|
bi := b[i]
|
|
ti := pi - bi - carry
|
|
t[i] = ti
|
|
carry = (bi&^pi | (bi|^pi)&ti) >> 63
|
|
}
|
|
|
|
carry = 0
|
|
for i, ai := range a {
|
|
ti := t[i]
|
|
ci := ai + ti + carry
|
|
c[i] = ci
|
|
carry = (ai&ti | (ai|ti)&^ci) >> 63
|
|
}
|
|
gfpCarry(c, carry)
|
|
}
|
|
|
|
func mul(a, b [4]uint64) [8]uint64 {
|
|
const (
|
|
mask16 uint64 = 0x0000ffff
|
|
mask32 uint64 = 0xffffffff
|
|
)
|
|
|
|
var buff [32]uint64
|
|
for i, ai := range a {
|
|
a0, a1, a2, a3 := ai&mask16, (ai>>16)&mask16, (ai>>32)&mask16, ai>>48
|
|
|
|
for j, bj := range b {
|
|
b0, b2 := bj&mask32, bj>>32
|
|
|
|
off := 4 * (i + j)
|
|
buff[off+0] += a0 * b0
|
|
buff[off+1] += a1 * b0
|
|
buff[off+2] += a2*b0 + a0*b2
|
|
buff[off+3] += a3*b0 + a1*b2
|
|
buff[off+4] += a2 * b2
|
|
buff[off+5] += a3 * b2
|
|
}
|
|
}
|
|
|
|
for i := uint(1); i < 4; i++ {
|
|
shift := 16 * i
|
|
|
|
var head, carry uint64
|
|
for j := uint(0); j < 8; j++ {
|
|
block := 4 * j
|
|
|
|
xi := buff[block]
|
|
yi := (buff[block+i] << shift) + head
|
|
zi := xi + yi + carry
|
|
buff[block] = zi
|
|
carry = (xi&yi | (xi|yi)&^zi) >> 63
|
|
|
|
head = buff[block+i] >> (64 - shift)
|
|
}
|
|
}
|
|
|
|
return [8]uint64{buff[0], buff[4], buff[8], buff[12], buff[16], buff[20], buff[24], buff[28]}
|
|
}
|
|
|
|
func halfMul(a, b [4]uint64) [4]uint64 {
|
|
const (
|
|
mask16 uint64 = 0x0000ffff
|
|
mask32 uint64 = 0xffffffff
|
|
)
|
|
|
|
var buff [18]uint64
|
|
for i, ai := range a {
|
|
a0, a1, a2, a3 := ai&mask16, (ai>>16)&mask16, (ai>>32)&mask16, ai>>48
|
|
|
|
for j, bj := range b {
|
|
if i+j > 3 {
|
|
break
|
|
}
|
|
b0, b2 := bj&mask32, bj>>32
|
|
|
|
off := 4 * (i + j)
|
|
buff[off+0] += a0 * b0
|
|
buff[off+1] += a1 * b0
|
|
buff[off+2] += a2*b0 + a0*b2
|
|
buff[off+3] += a3*b0 + a1*b2
|
|
buff[off+4] += a2 * b2
|
|
buff[off+5] += a3 * b2
|
|
}
|
|
}
|
|
|
|
for i := uint(1); i < 4; i++ {
|
|
shift := 16 * i
|
|
|
|
var head, carry uint64
|
|
for j := uint(0); j < 4; j++ {
|
|
block := 4 * j
|
|
|
|
xi := buff[block]
|
|
yi := (buff[block+i] << shift) + head
|
|
zi := xi + yi + carry
|
|
buff[block] = zi
|
|
carry = (xi&yi | (xi|yi)&^zi) >> 63
|
|
|
|
head = buff[block+i] >> (64 - shift)
|
|
}
|
|
}
|
|
|
|
return [4]uint64{buff[0], buff[4], buff[8], buff[12]}
|
|
}
|
|
|
|
func gfpMul(c, a, b *gfP) {
|
|
T := mul(*a, *b)
|
|
m := halfMul([4]uint64{T[0], T[1], T[2], T[3]}, np)
|
|
t := mul([4]uint64{m[0], m[1], m[2], m[3]}, p2)
|
|
|
|
var carry uint64
|
|
for i, Ti := range T {
|
|
ti := t[i]
|
|
zi := Ti + ti + carry
|
|
T[i] = zi
|
|
carry = (Ti&ti | (Ti|ti)&^zi) >> 63
|
|
}
|
|
|
|
*c = gfP{T[4], T[5], T[6], T[7]}
|
|
gfpCarry(c, carry)
|
|
}
|
|
|
|
// Util function to compare field elements. Should be defined in gfP files
|
|
// Compares 2 GFp elements
|
|
// Returns 1 if a > b; 0 if a == b; -1 if a < b
|
|
/*
|
|
func gfpCmp(a, b *gfP) int {
|
|
for i := FpUint64Size - 1; i >= 0; i-- { // Remember that the gfP elements are written as little-endian 64-bit words
|
|
if a[i] > b[i] { // As soon as we figure out that the MSByte of A > MSByte of B, we return
|
|
return 1
|
|
} else if a[i] == b[i] { // If the current bytes are equal we continue as we cannot conclude on A and B relation
|
|
continue
|
|
} else { // a[i] < b[i] so we can directly conclude and we return
|
|
return -1
|
|
}
|
|
}
|
|
|
|
return 0
|
|
}
|
|
*/
|
|
|
|
// TODO: Optimize these functions as for now all it's doing is to convert in big.Int
|
|
// and use big integer arithmetic
|
|
// Computes c = a^{exp} in Fp (so mod p)
|
|
/*
|
|
func gfpExp(a *gfP, exp, mod *big.Int) *gfP {
|
|
// Convert the field elements to big.Int
|
|
aBig := a.gFpToBigInt()
|
|
|
|
// Run the big.Int Exp algorithm
|
|
resBig := new(big.Int).Exp(aBig, exp, mod)
|
|
|
|
// Convert the big.Int result back to field element
|
|
res := newGFpFromBigInt(resBig)
|
|
return res
|
|
}
|
|
*/
|