1 package goldilocks
2
3 import (
4 "crypto/subtle"
5
6 mlsb "github.com/cloudflare/circl/math/mlsbset"
7 )
8
// Parameters of the MLSB-set fixed-base scalar multiplication used by
// twistCurve.ScalarBaseMult (they are handed to mlsb.New as t, v and w).
const (
	// fxT is the scalar bit length the encoder is configured for.
	fxT = 448
	// fxV and fxW are the MLSB-set parameters v (number of sub-tables) and
	// w (window width).
	fxV = 2
	fxW = 3
	// fx2w1 is 2^(w-1); presumably the number of entries per sub-table of
	// tabFixMult — confirm against that table's declaration.
	fx2w1 = 1 << (fxW - 1)
)
16
17
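// ScalarBaseMult returns k times the curve's fixed base point on the twist,
// computed with the MLSB-set fixed-base method (parameters fxT, fxV, fxW);
// the precomputed multiples of the base point are consumed by
// groupMLSB.Lookup from tabFixMult.
//
// The MLSB encoder needs a nonzero, odd scalar, so the routine works on a
// private copy of k: a zero scalar is replaced by the group order (the same
// residue), and an even scalar is replaced by its negation modulo the order
// (odd, because the order is odd), with the resulting point negated back at
// the end. Both substitutions and the zero test use crypto/subtle so that
// neither control flow nor memory access depends on the scalar. The
// caller's k is left unmodified.
//
// It panics if mlsb.New rejects the fixed parameters, if the encoding would
// require the extended method (groupMLSB does not provide it), or if the
// encoder reports an error; none of these can happen for the constants
// above.
func (e twistCurve) ScalarBaseMult(k *Scalar) *twistPoint {
	m, err := mlsb.New(fxT, fxV, fxW)
	if err != nil {
		panic(err)
	}
	if m.IsExtended() {
		// groupMLSB.ExtendedEltP returns nil, so the extended variant of the
		// method cannot be driven through this adapter.
		panic("goldilocks: extended mlsbset encoding is not supported")
	}

	// Work on a private copy so the zero/parity adjustments below do not
	// overwrite the caller's scalar (which it may still need, e.g. to
	// finish a signature).
	kk := *k

	// k == 0 is not encodable; substitute the group order, which is the
	// same residue. Compare in constant time instead of branching on the
	// secret scalar.
	var zero Scalar
	isZero := subtle.ConstantTimeCompare(kk[:], zero[:])
	subtle.ConstantTimeCopy(isZero, kk[:], order[:])

	// The encoder also needs an odd scalar: replace an even one by its
	// negation modulo the (odd) order and remember to negate the result.
	isEven := 1 - int(kk[0]&0x1)
	minusK := kk
	minusK.Neg()
	subtle.ConstantTimeCopy(isEven, kk[:], minusK[:])

	c, err := m.Encode(kk[:])
	if err != nil {
		panic(err)
	}

	P := c.Exp(groupMLSB{}).(*twistPoint)
	// Undo the parity substitution: -((order-k)*G) == k*G.
	P.cneg(uint(isEven))
	return P
}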
47
// groupMLSB adapts twistPoint arithmetic to the group interface expected by
// the mlsbset exponentiation, so ScalarBaseMult can drive it. Group
// elements (mlsb.EltG) are *twistPoint; precomputed elements (mlsb.EltP)
// are *preTwistPointAffine.
type groupMLSB struct{}

// ExtendedEltP returns nil: the extended variant of the method is not
// supported by this adapter (ScalarBaseMult refuses extended encodings).
func (e groupMLSB) ExtendedEltP() mlsb.EltP { return nil }

// Sqr doubles the group element x in place.
func (e groupMLSB) Sqr(x mlsb.EltG) {
	acc := x.(*twistPoint)
	acc.Double()
}

// Mul adds the precomputed point y to x in place via mixAddZ1 (presumably a
// mixed addition that takes y in affine form — confirm on twistPoint).
func (e groupMLSB) Mul(x mlsb.EltG, y mlsb.EltP) {
	acc := x.(*twistPoint)
	pre := y.(*preTwistPointAffine)
	acc.mixAddZ1(pre)
}

// Identity returns the neutral element of the twisted curve.
func (e groupMLSB) Identity() mlsb.EltG {
	var curve twistCurve
	return curve.Identity()
}

// NewEltP allocates a zero precomputed point for Lookup to fill in.
func (e groupMLSB) NewEltP() mlsb.EltP {
	return &preTwistPointAffine{}
}
// Lookup selects, in constant time, entry u of sub-table v of tabFixMult
// into a and then conditionally negates it according to the sign of s.
// Every entry of the sub-table is visited and conditionally moved with cmov,
// so the memory access pattern does not depend on the secret index u.
//
// s>>31 is 0 for non-negative s and -1 otherwise; this relies on
// preTwistPointAffine.cneg acting on the low bit of its argument only —
// confirm against that method.
func (e groupMLSB) Lookup(a mlsb.EltP, v uint, s, u int32) {
	out := a.(*preTwistPointAffine)
	table := tabFixMult[v][:]
	for idx := range table {
		hit := subtle.ConstantTimeEq(int32(idx), u)
		out.cmov(&table[idx], uint(hit))
	}
	sign := int(s >> 31)
	out.cneg(sign)
}
63