// check if we should subtract 2^130-5 by performing the
// corresponding carry propagation.
- const u64 u0 = (u64)5 + ctx->h[0]; // <= 1_00000004
- const u64 u1 = (u0 >> 32) + ctx->h[1]; // <= 1_00000000
- const u64 u2 = (u1 >> 32) + ctx->h[2]; // <= 1_00000000
- const u64 u3 = (u2 >> 32) + ctx->h[3]; // <= 1_00000000
- const u64 u4 = (u3 >> 32) + ctx->h[4]; // <= 5
- // u4 indicates how many times we should subtract 2^130-5 (0 or 1)
-
- // h + pad, minus 2^130-5 if u4 exceeds 3
- const u64 uu0 = (u4 >> 2) * 5 + ctx->h[0] + ctx->pad[0]; // <= 2_00000003
- const u64 uu1 = (uu0 >> 32) + ctx->h[1] + ctx->pad[1]; // <= 2_00000000
- const u64 uu2 = (uu1 >> 32) + ctx->h[2] + ctx->pad[2]; // <= 2_00000000
- const u64 uu3 = (uu2 >> 32) + ctx->h[3] + ctx->pad[3]; // <= 2_00000000
-
- store32_le(mac , (u32)uu0);
- store32_le(mac + 4, (u32)uu1);
- store32_le(mac + 8, (u32)uu2);
- store32_le(mac + 12, (u32)uu3);
-
+ u64 c = 5;
+ FOR (i, 0, 4) {
+ c += ctx->h[i];
+ c >>= 32;
+ }
+ c += ctx->h[4];
+ c = (c >> 2) * 5; // shift the carry back to the beginning
+ // c now indicates how many times we should subtract 2^130-5 (0 or 1)
+ FOR (i, 0, 4) {
+ c += (u64)ctx->h[i] + ctx->pad[i];
+ store32_le(mac + i*4, (u32)c);
+ c = c >> 32;
+ }
WIPE_CTX(ctx);
}
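Review bot: The comment after `c = (c >> 2) * 5` is now misleading: at that point `c` is 0 or 5, the additive correction, not the 0-or-1 count the comment describes (the count existed only in the old `u4`). Suggest rewriting it as `// c is now 0 or 5: adding 5 and discarding bit 130 is the same as subtracting 2^130-5 once` so a reader does not look for a subtraction that never appears. The rewrite also drops the old per-step bound annotations (`<= 1_00000004`, `<= 2_00000003`) that justified why no intermediate overflows; since `c` is `u64` the headroom is obvious, but one sentence stating that both loops stay well below 2^64 would preserve the reasoning. The loops keep a fixed trip count and no data-dependent branches, so constant-time behaviour appears unchanged. The enclosing function begins outside this hunk.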