Lines Matching defs:out
77 // Add computes *out = a+b
80 void Add(FieldElement* out, const FieldElement& a, const FieldElement& b) {
82 (*out)[i] = a[i] + b[i];
97 // Subtract computes *out = a-b
100 // out[i] < 2**32
101 void Subtract(FieldElement* out, const FieldElement& a, const FieldElement& b) {
104 (*out)[i] = a[i] + kZero31ModP[i] - b[i];
128 void ReduceLarge(FieldElement* out, LargeFieldElement* inptr) {
145 // As the values become small enough, we start to store them in |out| and use
149 (*out)[i] = static_cast<uint32_t>(in[i] & kBottom28Bits);
154 (*out)[3] += static_cast<uint32_t>(in[8] & 0xffff) << 12; // "-2**96" term
155 (*out)[4] += static_cast<uint32_t>(in[8] >> 16); // rest of "-2**96" term
157 // out[3] < 2**29
158 // out[4] < 2**29
159 // out[1,2,5..7] < 2**28
161 (*out)[0] = static_cast<uint32_t>(in[0] & kBottom28Bits);
162 (*out)[1] += static_cast<uint32_t>((in[0] >> 28) & kBottom28Bits);
163 (*out)[2] += static_cast<uint32_t>(in[0] >> 56);
164 // out[0] < 2**28
165 // out[1..4] < 2**29
166 // out[5..7] < 2**28
169 // Mul computes *out = a*b
172 // out[i] < 2**29
173 void Mul(FieldElement* out, const FieldElement& a, const FieldElement& b) {
183 ReduceLarge(out, &tmp);
186 // Square computes *out = a*a
189 // out[i] < 2**29
190 void Square(FieldElement* out, const FieldElement& a) {
205 ReduceLarge(out, &tmp);
243 // Invert calcuates *out = in**-1 by computing in**(2**224 - 2**96 - 1), i.e.
245 void Invert(FieldElement* out, const FieldElement& in) {
290 Mul(out, f1, f3); // 2**224 - 2**96 - 1
298 FieldElement& out = *inout;
302 out[i+1] += out[i] >> 28;
303 out[i] &= kBottom28Bits;
305 uint32_t top = out[7] >> 28;
306 out[7] &= kBottom28Bits;
309 out[0] -= top;
310 out[3] += top << 12;
312 // We may just have made out[0] negative. So we carry down. If we made
313 // out[0] negative then we know that out[3] is sufficiently positive
316 uint32_t mask = static_cast<uint32_t>(static_cast<int32_t>(out[i]) >> 31);
317 out[i] += (1 << 28) & mask;
318 out[i+1] -= 1 & mask;
321 // We might have pushed out[3] over 2**28 so we perform another, partial
324 out[i+1] += out[i] >> 28;
325 out[i] &= kBottom28Bits;
327 top = out[7] >> 28;
328 out[7] &= kBottom28Bits;
331 out[0] -= top;
332 out[3] += top << 12;
334 // There are two cases to consider for out[3]:
335 // 1) The first time that we eliminated top, we didn't push out[3] over
338 // 2) We did push out[3] over 2**28 the first time that we eliminated top.
340 // the first top, 0xfff1000 <= out[3] <= 0xfffffff. Therefore, after
341 // overflowing and being reduced by the second carry chain, out[3] <=
345 // Again, we may just have made out[0] negative, so do the same carry down.
346 // As before, if we made out[0] negative then we know that out[3] is
349 uint32_t mask = static_cast<uint32_t>(static_cast<int32_t>(out[i]) >> 31);
350 out[i] += (1 << 28) & mask;
351 out[i+1] -= 1 & mask;
363 top_4_all_ones &= out[i];
376 uint32_t bottom_3_non_zero = out[0] | out[1] | out[2];
385 // Everything depends on the value of out[3].
390 uint32_t n = out[3] - 0xffff000;
400 // If out[3] > 0xffff000 then n's MSB will be zero.
406 out[0] -= 1 & mask;
407 out[3] -= 0xffff000 & mask;
408 out[4] -= 0xfffffff & mask;
409 out[5] -= 0xfffffff & mask;
410 out[6] -= 0xfffffff & mask;
411 out[7] -= 0xfffffff & mask;
428 void CopyConditional(Point* out, const Point& a, uint32_t mask);
429 void DoubleJacobian(Point* out, const Point& a);
431 // AddJacobian computes *out = a+b where a != b.
432 void AddJacobian(Point *out,
483 DoubleJacobian(out, a);
500 Subtract(&out->z, z2z2, z1z1);
501 Reduce(&out->z);
502 Mul(&out->z, out->z, h);
510 Square(&out->x, r);
511 Subtract(&out->x, out->x, z1z1);
512 Reduce(&out->x);
519 Subtract(&z1z1, v, out->x);
522 Subtract(&out->y, z1z1, s1);
523 Reduce(&out->y);
525 CopyConditional(out, a, z2_is_zero);
526 CopyConditional(out, b, z1_is_zero);
529 // DoubleJacobian computes *out = a+a.
530 void DoubleJacobian(Point* out, const Point& a) {
549 Add(&out->z, a.y, a.z);
550 Reduce(&out->z);
551 Square(&out->z, out->z);
552 Subtract(&out->z, out->z, gamma);
553 Reduce(&out->z);
554 Subtract(&out->z, out->z, delta);
555 Reduce(&out->z);
562 Square(&out->x, alpha);
563 Subtract(&out->x, out->x, delta);
564 Reduce(&out->x);
571 Subtract(&beta, beta, out->x);
578 Mul(&out->y, alpha, beta);
579 Subtract(&out->y, out->y, gamma);
580 Reduce(&out->y);
583 // CopyConditional sets *out=a if mask is 0xffffffff. mask must be either 0 of
585 void CopyConditional(Point* out, const Point& a, uint32_t mask) {
587 out->x[i] ^= mask & (a.x[i] ^ out->x[i]);
588 out->y[i] ^= mask & (a.y[i] ^ out->y[i]);
589 out->z[i] ^= mask & (a.z[i] ^ out->z[i]);
593 // ScalarMult calculates *out = a*scalar where scalar is a big-endian number of
595 void ScalarMult(Point* out,
599 memset(out, 0, sizeof(*out));
604 DoubleJacobian(out, *out);
607 AddJacobian(&tmp, a, *out);
608 CopyConditional(out, tmp, bit);
614 // little-endian form into 8 words at out, 28 bits per output word.
615 void Get224Bits(uint32_t* out, const uint32_t* in) {
616 out[0] = NetToHost32(in[6]) & kBottom28Bits;
617 out[1] = ((NetToHost32(in[5]) << 4) |
619 out[2] = ((NetToHost32(in[4]) << 8) |
621 out[3] = ((NetToHost32(in[3]) << 12) |
623 out[4] = ((NetToHost32(in[2]) << 16) |
625 out[5] = ((NetToHost32(in[1]) << 20) |
627 out[6] = ((NetToHost32(in[0]) << 24) |
629 out[7] = (NetToHost32(in[0]) >> 4) & kBottom28Bits;
634 // out.
635 void Put224Bits(uint32_t* out, const uint32_t* in) {
636 out[6] = HostToNet32((in[0] >> 0) | (in[1] << 28));
637 out[5] = HostToNet32((in[1] >> 4) | (in[2] << 24));
638 out[4] = HostToNet32((in[2] >> 8) | (in[3] << 20));
639 out[3] = HostToNet32((in[3] >> 12) | (in[4] << 16));
640 out[2] = HostToNet32((in[4] >> 16) | (in[5] << 12));
641 out[1] = HostToNet32((in[5] >> 20) | (in[6] << 8));
642 out[0] = HostToNet32((in[6] >> 24) | (in[7] << 4));
706 void ScalarMult(const Point& in, const uint8_t* scalar, Point* out) {
707 ::ScalarMult(out, in, scalar, 28);
719 void ScalarBaseMult(const uint8_t* scalar, Point* out) {
720 ::ScalarMult(out, kBasePoint, scalar, 28);
723 void Add(const Point& a, const Point& b, Point* out) {
724 AddJacobian(out, a, b);
727 void Negate(const Point& in, Point* out) {
734 Mul(&out->x, in.x, zinv_sq);
738 Subtract(&out->y, kP, y);
739 Reduce(&out->y);
741 memset(&out->z, 0, sizeof(out->z));
742 out->z[0] = 1;
