From: Loup Vaillant
Date: Thu, 13 Aug 2020 15:50:07 +0000 (+0200)
Subject: Poly1305 carry propagation now uses loops
X-Git-Url: https://git.codecow.com/?a=commitdiff_plain;h=af05efa926ab28ae5820e780af4dda40180765af;p=Monocypher.git

Poly1305 carry propagation now uses loops

Mostly for consistency with 25519 arithmetic. Also slightly reduces binary size in some cases, most notably -Os.
---

diff --git a/src/monocypher.c b/src/monocypher.c
index 9f4715e..683e8c2 100644
--- a/src/monocypher.c
+++ b/src/monocypher.c
@@ -458,24 +458,19 @@ void crypto_poly1305_final(crypto_poly1305_ctx *ctx, u8 mac[16])
 // check if we should subtract 2^130-5 by performing the
 // corresponding carry propagation.
- const u64 u0 = (u64)5 + ctx->h[0]; // <= 1_00000004
- const u64 u1 = (u0 >> 32) + ctx->h[1]; // <= 1_00000000
- const u64 u2 = (u1 >> 32) + ctx->h[2]; // <= 1_00000000
- const u64 u3 = (u2 >> 32) + ctx->h[3]; // <= 1_00000000
- const u64 u4 = (u3 >> 32) + ctx->h[4]; // <= 5
- // u4 indicates how many times we should subtract 2^130-5 (0 or 1)
-
- // h + pad, minus 2^130-5 if u4 exceeds 3
- const u64 uu0 = (u4 >> 2) * 5 + ctx->h[0] + ctx->pad[0]; // <= 2_00000003
- const u64 uu1 = (uu0 >> 32) + ctx->h[1] + ctx->pad[1]; // <= 2_00000000
- const u64 uu2 = (uu1 >> 32) + ctx->h[2] + ctx->pad[2]; // <= 2_00000000
- const u64 uu3 = (uu2 >> 32) + ctx->h[3] + ctx->pad[3]; // <= 2_00000000
-
- store32_le(mac , (u32)uu0);
- store32_le(mac + 4, (u32)uu1);
- store32_le(mac + 8, (u32)uu2);
- store32_le(mac + 12, (u32)uu3);
-
+ u64 c = 5;
+ FOR (i, 0, 4) {
+ c += ctx->h[i];
+ c >>= 32;
+ }
+ c += ctx->h[4];
+ c = (c >> 2) * 5; // shift the carry back to the beginning
+ // c now indicates how many times we should subtract 2^130-5 (0 or 1)
+ FOR (i, 0, 4) {
+ c += (u64)ctx->h[i] + ctx->pad[i];
+ store32_le(mac + i*4, (u32)c);
+ c = c >> 32;
+ }
 WIPE_CTX(ctx);
 }
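Review bot: The bound annotations the removed lines carried (`// <= 1_00000004`, `// <= 5`, `// <= 2_00000003`) are dropped by the loop rewrite, and they were the only record of why the u64 accumulator cannot overflow and why `c >> 2` after `c += ctx->h[4];` is exactly 0 or 1; the loop form should keep that argument next to the code. I would annotate `c += ctx->h[4];` with `// c <= 5: top limb plus the carry from the lower limbs` and reword the comment after `c = (c >> 2) * 5;` to `// c is 0 or 5: adding 5 mod 2^130 is how 2^130-5 is subtracted once`, because at that point c holds the value added to the low limb, not the subtraction count the current comment describes. The second loop also writes `c = c >> 32;` where the first loop writes `c >>= 32;`; using `c >>= 32;` in both keeps the two carry loops parallel, which is the stated motivation of the change. The `FOR` macro is defined elsewhere in the file and crypto_poly1305_final's body starts outside the hunk, so the fixed trip count and the absence of secret-dependent branches can only be confirmed against that definition.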