diff --git a/cmd/aries-agent-mobile/go.mod b/cmd/aries-agent-mobile/go.mod
index 3585b7f85..c6cc569f0 100644
--- a/cmd/aries-agent-mobile/go.mod
+++ b/cmd/aries-agent-mobile/go.mod
@@ -18,6 +18,7 @@ require (
 )
 
 require (
+	github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c // indirect
 	github.com/PaesslerAG/gval v1.1.0 // indirect
 	github.com/PaesslerAG/jsonpath v0.1.1 // indirect
 	github.com/VictoriaMetrics/fastcache v1.5.7 // indirect
@@ -26,16 +27,19 @@ require (
 	github.com/btcsuite/btcutil v1.0.3-0.20201208143702-a53e38424cce // indirect
 	github.com/cenkalti/backoff/v4 v4.0.2 // indirect
 	github.com/cespare/xxhash/v2 v2.1.1 // indirect
+	github.com/consensys/bavard v0.1.13 // indirect
+	github.com/consensys/gnark-crypto v0.9.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.1-0.20221117193127-916db76e8214 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/tink/go v1.7.0 // indirect
 	github.com/gorilla/mux v1.7.3 // indirect
-	github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0-20230427134832-0c9969493bd3 // indirect
+	github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0 // indirect
 	github.com/hyperledger/aries-framework-go/component/log v0.0.0-20230427134832-0c9969493bd3 // indirect
 	github.com/hyperledger/aries-framework-go/component/models v0.0.0-20230501135648-a9a7ad029347 // indirect
 	github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20221025204933-b807371b6f1e // indirect
+	github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8 // indirect
 	github.com/hyperledger/ursa-wrapper-go v0.3.1 // indirect
 	github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a // indirect
 	github.com/kawamuray/jsonpath v0.0.0-20201211160320-7483bafabd7e // indirect
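Review bot: The kmscrypto requirement on the `-`/`+` pair in the second hunk drops from a pinned pseudo-version to `v0.0.0`, which presumably only resolves through the local `replace` added in the next hunk; together they pull a new set of indirect dependencies into this binary (`github.com/IBM/mathlib`, `github.com/consensys/gnark-crypto`, `github.com/consensys/bavard`, `github.com/hyperledger/fabric-amcl`, `github.com/mmcloughlin/addchain`, `rsc.io/tmplfunc`) that the commit description should name and justify. `mathlib` and `fabric-amcl` are pinned to untagged pseudo-versions, so there is no release to review or to watch for advisories; if a tagged `mathlib` release covers what kmscrypto needs, it would be preferable here. Because kmscrypto is now replaced by a relative path its `h1:` checksums leave go.sum and the version line here is effectively a placeholder, so the in-tree `component/kmscrypto` module presumably decides these versions and keeping the two in sync after each `go mod tidy` becomes a manual step. The same change is repeated in `cmd/aries-agent-rest/go.mod`.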
@@ -44,6 +48,7 @@ require (
 	github.com/minio/blake2b-simd v0.0.0-20160723061019-3f5f724cb5b1 // indirect
 	github.com/minio/sha256-simd v0.1.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/mmcloughlin/addchain v0.4.0 // indirect
 	github.com/mr-tron/base58 v1.2.0 // indirect
 	github.com/multiformats/go-base32 v0.1.0 // indirect
 	github.com/multiformats/go-base36 v0.1.0 // indirect
@@ -64,13 +69,15 @@ require (
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	golang.org/x/crypto v0.1.0 // indirect
-	golang.org/x/sys v0.1.0 // indirect
+	golang.org/x/sys v0.2.0 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	rsc.io/tmplfunc v0.0.3 // indirect
 )
 
 replace (
 	github.com/hyperledger/aries-framework-go => ../../
+	github.com/hyperledger/aries-framework-go/component/kmscrypto => ../../component/kmscrypto
 	// github.com/hyperledger/aries-framework-go/component/storage/edv => ../../component/storage/edv // TODO (#2815) remove this once the wallet package doesn't import edv
 	github.com/hyperledger/aries-framework-go/component/storageutil => ../../component/storageutil
 	github.com/hyperledger/aries-framework-go/spi => ../../spi
diff --git a/cmd/aries-agent-mobile/go.sum b/cmd/aries-agent-mobile/go.sum
index 0d4e95034..8dfc8dc23 100644
--- a/cmd/aries-agent-mobile/go.sum
+++ b/cmd/aries-agent-mobile/go.sum
@@ -1,3 +1,5 @@
+github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c h1:eLCIQV1wI6WBt1T+s2vUWFg7tBB0Xu/+YZSZ877+kyM=
+github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c/go.mod h1:p0HGSuwoOwAlts8u8rMJrInDo9BEwWUfzTIzdA+QuDo=
 github.com/PaesslerAG/gval v1.0.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v24IBN1I=
 github.com/PaesslerAG/gval v1.1.0 h1:k3RuxeZDO3eejD4cMPSt+74tUSvTnbGvLx0df4mdwFc=
 github.com/PaesslerAG/gval v1.1.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v24IBN1I=
@@ -29,6 +31,10 @@ github.com/cenkalti/backoff/v4 v4.0.2 h1:JIufpQLbh4DkbQoii76ItQIUFzevQSqOLZca4ea github.com/cenkalti/backoff/v4 v4.0.2/go.mod h1:eEew/i+1Q6OrCDZh3WiXYv3+nJwBASZ8Bog/87DQnVg= github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/consensys/bavard v0.1.13 h1:oLhMLOFGTLdlda/kma4VOJazblc7IM5y5QPd2A/YjhQ= +github.com/consensys/bavard v0.1.13/go.mod h1:9ItSMtA/dXMAiL7BG6bqW2m3NdSEObYWoH223nGHukI= +github.com/consensys/gnark-crypto v0.9.1 h1:mru55qKdWl3E035hAoh1jj9d7hVnYY5pfb6tmovSmII= +github.com/consensys/gnark-crypto v0.9.1/go.mod h1:a2DQL4+5ywF6safEeZFEPGRiiGbjzGFRUN2sg06VuU4= github.com/davecgh/go-spew v0.0.0-20171005155431-ecdeabc65495/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= @@ -56,6 +62,7 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o= +github.com/google/subcommands v1.2.0/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk= github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w= github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= 
@@ -65,8 +72,6 @@ github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2z github.com/gorilla/websocket v1.4.1 h1:q7AeDBpnBk8AogcD4DSag/Ukw/KV+YhzLj2bP5HvKCM= github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= -github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0-20230427134832-0c9969493bd3 h1:PCbDSujjQ6oTEnAHgtThNmbS7SPAYEDBlKOnZFE+Ujw= -github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0-20230427134832-0c9969493bd3/go.mod h1:aEk0vHBmZsAdDfXaI12Kg5ipZGiB3qNqgbPt/e/Hm2s= github.com/hyperledger/aries-framework-go/component/log v0.0.0-20230427134832-0c9969493bd3 h1:x5qFQraTX86z9GCwF28IxfnPm6QH5YgHaX+4x97Jwvw= github.com/hyperledger/aries-framework-go/component/log v0.0.0-20230427134832-0c9969493bd3/go.mod h1:CvYs4l8X2NrrF93weLOu5RTOIJeVdoZITtjEflyuTyM= github.com/hyperledger/aries-framework-go/component/models v0.0.0-20230501135648-a9a7ad029347 h1:oPGUCpmnm7yxsVllcMQnHF3uc3hy4jfrSCh7nvzXA00= 
@@ -75,6 +80,8 @@ github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-202210252 github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20221025204933-b807371b6f1e/go.mod h1:ACGP1L+WeecDtyA0Mi2E1kqtPLIGrCWPSJ43q2elwX8= github.com/hyperledger/aries-framework-go/test/component v0.0.0-20220428211718-66cc046674a1 h1:vxZ0DlFNLjgxMdBESLZu895AsI1JWL2SJerphwIn8Po= github.com/hyperledger/aries-framework-go/test/component v0.0.0-20220428211718-66cc046674a1/go.mod h1:lykx3N+GX+sAWSxO2Ycc4Dz+ynV9b0Fv4NdP+ms4Alc= +github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8 h1:BCR8ZlOZ+deUbWxyY6fpoY8LbB7PR5wGGwCTvWQOU2g= +github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8/go.mod h1:X+DIyUsaTmalOpmpQfIvFZjKHQedrURQ5t4YqquX7lE= github.com/hyperledger/ursa-wrapper-go v0.3.1 h1:Do+QrVNniY77YK2jTIcyWqj9rm/Yb5SScN0bqCjiibA= github.com/hyperledger/ursa-wrapper-go v0.3.1/go.mod h1:nPSAuMasIzSVciQo22PedBk4Opph6bJ6ia3ms7BH/mk= github.com/jessevdk/go-flags v0.0.0-20141203071132-1679536dcc89/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= @@ -91,6 +98,7 @@ github.com/klauspost/compress v1.10.0 h1:92XGj1AcYzA6UrVdd4qIIBrT8OroryvRvdmg/If github.com/klauspost/compress v1.10.0/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/leanovate/gopter v0.2.9 h1:fQjYxZaynp97ozCzfOyOuAGOU4aU/z37zf/tOujFk7c= github.com/minio/blake2b-simd v0.0.0-20160723061019-3f5f724cb5b1 h1:lYpkrQH5ajf0OXOcUbGjvZxxijuBwbbmlSxLiuofa+g= github.com/minio/blake2b-simd v0.0.0-20160723061019-3f5f724cb5b1/go.mod h1:pD8RvIylQ358TN4wwqatJ8rNavkEINozVn9DtGI3dfQ= github.com/minio/sha256-simd v0.1.1-0.20190913151208-6de447530771/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM= 
@@ -98,6 +106,9 @@ github.com/minio/sha256-simd v0.1.1 h1:5QHSlgo3nt5yKOJrC7W8w7X+NFl8cMPZm96iu8kKU github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mmcloughlin/addchain v0.4.0 h1:SobOdjm2xLj1KkXN5/n0xTIWyZA2+s99UCY1iPfkHRY= +github.com/mmcloughlin/addchain v0.4.0/go.mod h1:A86O+tHqZLMNO4w6ZZ4FlVQEadcoqkyU72HC5wJ4RlU= +github.com/mmcloughlin/profile v0.1.1/go.mod h1:IhHD7q1ooxgwTgjxQYkACGA77oFTDdFVejUS1/tS/qU= github.com/mr-tron/base58 v1.1.3/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc= github.com/mr-tron/base58 v1.2.0 h1:T/HDJBh4ZCPbU39/+c3rRvE0uKBQlU27+QI8LJ4t64o= github.com/mr-tron/base58 v1.2.0/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc= @@ -173,8 +184,8 @@ golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= -golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A= +golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.1.0 h1:xYY+Bajn2a7VBmTM5GikTmnK8ZuX8YgnQCqZpbBNtmA= 
@@ -195,3 +206,5 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 nhooyr.io/websocket v1.8.3 h1:5UCql+eGVUYcBdr+IvngX2w1xq7g7snC9lSjbfi9qMY=
 nhooyr.io/websocket v1.8.3/go.mod h1:LiqdCg1Cu7TPWxEvPjPa0TGYxCsy4pHNTN9gGluwBpQ=
+rsc.io/tmplfunc v0.0.3 h1:53XFQh69AfOa8Tw0Jm7t+GV7KZhOi6jzsCzTtKbMvzU=
+rsc.io/tmplfunc v0.0.3/go.mod h1:AG3sTPzElb1Io3Yg4voV9AGZJuleGAwaVRxL9M49PhA=
diff --git a/cmd/aries-agent-rest/go.mod b/cmd/aries-agent-rest/go.mod
index b7199e5a2..9cbc863bd 100644
--- a/cmd/aries-agent-rest/go.mod
+++ b/cmd/aries-agent-rest/go.mod
@@ -14,11 +14,12 @@ require (
 	github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20230427134832-0c9969493bd3
 	github.com/hyperledger/aries-framework-go/spi v0.0.0-20230427134832-0c9969493bd3
 	github.com/rs/cors v1.7.0
-	github.com/spf13/cobra v1.0.0
+	github.com/spf13/cobra v1.5.0
 	github.com/stretchr/testify v1.8.1
 )
 
 require (
+	github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c // indirect
 	github.com/PaesslerAG/gval v1.1.0 // indirect
 	github.com/PaesslerAG/jsonpath v0.1.1 // indirect
 	github.com/VictoriaMetrics/fastcache v1.5.7 // indirect
@@ -27,6 +28,8 @@ require (
 	github.com/btcsuite/btcutil v1.0.3-0.20201208143702-a53e38424cce // indirect
 	github.com/cenkalti/backoff v2.2.1+incompatible // indirect
 	github.com/cespare/xxhash/v2 v2.1.1 // indirect
+	github.com/consensys/bavard v0.1.13 // indirect
+	github.com/consensys/gnark-crypto v0.9.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.1-0.20221117193127-916db76e8214 // indirect
 	github.com/go-kivik/couchdb/v3 v3.2.6 // indirect
@@ -36,10 +39,11 @@ require (
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/tink/go v1.7.0 // indirect
 	github.com/google/uuid v1.3.0 // indirect
-	github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0-20230427134832-0c9969493bd3 // indirect
+	github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0 // indirect
 	github.com/hyperledger/aries-framework-go/component/log v0.0.0-20230427134832-0c9969493bd3 // indirect
 	github.com/hyperledger/aries-framework-go/component/models v0.0.0-20230501135648-a9a7ad029347 // indirect
 	github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20221025204933-b807371b6f1e // indirect
+	github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8 // indirect
 	github.com/hyperledger/ursa-wrapper-go v0.3.1 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
@@ -58,6 +62,7 @@ require (
 	github.com/minio/blake2b-simd v0.0.0-20160723061019-3f5f724cb5b1 // indirect
 	github.com/minio/sha256-simd v0.1.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/mmcloughlin/addchain v0.4.0 // indirect
 	github.com/mr-tron/base58 v1.2.0 // indirect
 	github.com/multiformats/go-base32 v0.1.0 // indirect
 	github.com/multiformats/go-base36 v0.1.0 // indirect
@@ -88,12 +93,13 @@ require (
 	go.mongodb.org/mongo-driver v1.8.0 // indirect
 	golang.org/x/net v0.1.0 // indirect
 	golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9 // indirect
-	golang.org/x/sys v0.1.0 // indirect
+	golang.org/x/sys v0.2.0 // indirect
 	golang.org/x/text v0.4.0 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	nhooyr.io/websocket v1.8.3 // indirect
+	rsc.io/tmplfunc v0.0.3 // indirect
 )
 
 require (
@@ -108,6 +114,7 @@ require (
 
 replace (
 	github.com/hyperledger/aries-framework-go => ../..
+	github.com/hyperledger/aries-framework-go/component/kmscrypto => ../../component/kmscrypto
 	github.com/hyperledger/aries-framework-go/component/models => ../../component/models
 	// github.com/hyperledger/aries-framework-go/component/storage/edv => ../../component/storage/edv // TODO (#2815) remove this once the wallet package doesn't import edv
 	github.com/hyperledger/aries-framework-go/component/storage/leveldb => ../../component/storage/leveldb
diff --git a/cmd/aries-agent-rest/go.sum b/cmd/aries-agent-rest/go.sum
index 9afc7bbed..c05b94290 100644
--- a/cmd/aries-agent-rest/go.sum
+++ b/cmd/aries-agent-rest/go.sum
@@ -3,11 +3,12 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c h1:eLCIQV1wI6WBt1T+s2vUWFg7tBB0Xu/+YZSZ877+kyM= +github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c/go.mod h1:p0HGSuwoOwAlts8u8rMJrInDo9BEwWUfzTIzdA+QuDo= github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0= github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= github.com/Microsoft/go-winio v0.5.1 h1:aPJp2QD7OOrhO5tQXqQoGSJc+DjDtWTGLOmNyAm6FgY= github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw= -github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/PaesslerAG/gval v1.0.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v24IBN1I= github.com/PaesslerAG/gval v1.1.0 h1:k3RuxeZDO3eejD4cMPSt+74tUSvTnbGvLx0df4mdwFc= github.com/PaesslerAG/gval v1.1.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v24IBN1I= 
@@ -30,7 +31,6 @@ github.com/allegro/bigcache v1.2.1-0.20190218064605-e24eb225f156/go.mod h1:Cb/ax github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= -github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a/go.mod h1:DAHtR1m6lCRdSC2Tm3DSWRPvIPr6xNKyeHdqDQSQT+A= @@ -63,7 +63,6 @@ github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QH github.com/cenkalti/backoff/v4 v4.1.2 h1:6Yo7N8UP2K6LWZnW94DLVSSrbobcWdVzAYOisuDPIFo= github.com/cenkalti/backoff/v4 v4.1.2/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE= 
@@ -72,17 +71,18 @@ github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI= +github.com/consensys/bavard v0.1.13 h1:oLhMLOFGTLdlda/kma4VOJazblc7IM5y5QPd2A/YjhQ= +github.com/consensys/bavard v0.1.13/go.mod h1:9ItSMtA/dXMAiL7BG6bqW2m3NdSEObYWoH223nGHukI= +github.com/consensys/gnark-crypto v0.9.1 h1:mru55qKdWl3E035hAoh1jj9d7hVnYY5pfb6tmovSmII= +github.com/consensys/gnark-crypto v0.9.1/go.mod h1:a2DQL4+5ywF6safEeZFEPGRiiGbjzGFRUN2sg06VuU4= github.com/containerd/continuity v0.0.0-20200710164510-efbc4488d8fe h1:PEmIrUvwG9Yyv+0WKZqjXfSFDeZjs/q15g0m08BYS9k= -github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= -github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= -github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= 
+github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/davecgh/go-spew v0.0.0-20171005155431-ecdeabc65495/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -90,7 +90,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/decred/dcrd/lru v1.0.0/go.mod h1:mxKOwFd7lFjN2GZYsiz/ecgqR6kkYAl+0pz0tEMk218= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= -github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/docker/cli v20.10.11+incompatible h1:tXU1ezXcruZQRrMP8RN2z9N91h+6egZTS1gsPsKantc= github.com/docker/docker v20.10.7+incompatible h1:Z6O9Nhsjv+ayUEeI1IojKbYcsGdgYSNqxe1s2MYzUhQ= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= @@ -146,7 +145,6 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.4.4 h1:l75CXGRSwbaYNpl/Z2X1XIIAMSCquvXgpVZDhwEIJsc= 
@@ -174,6 +172,7 @@ github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= +github.com/google/subcommands v1.2.0/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk= github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w= github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
@@ -188,13 +187,10 @@ github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2z github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw= github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= -github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.1 h1:q7AeDBpnBk8AogcD4DSag/Ukw/KV+YhzLj2bP5HvKCM= github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= -github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= -github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE= github.com/hashicorp/consul/sdk v0.3.0/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= 
@@ -212,7 +208,6 @@ github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09 github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= 
@@ -228,13 +223,13 @@ github.com/hyperledger/aries-framework-go-ext/component/storage/mysql v0.0.0-202 github.com/hyperledger/aries-framework-go-ext/component/storage/mysql v0.0.0-20220629202442-ce8776c10037/go.mod h1:0VNWYQ937z51P4usiHUPz0MImh8tsKEVsHVmAx2z5zA= github.com/hyperledger/aries-framework-go-ext/component/storage/postgresql v0.0.0-20220629202442-ce8776c10037 h1:fQJPZ8kXsCSfCUHyK6zsR1RYwYP2Xz+jSaOlj+Lm1MY= github.com/hyperledger/aries-framework-go-ext/component/storage/postgresql v0.0.0-20220629202442-ce8776c10037/go.mod h1:35iXtsPH1PImVDq8xFHETtrcvyHhJXKcvf82YJ6/z4k= -github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0-20230427134832-0c9969493bd3 h1:PCbDSujjQ6oTEnAHgtThNmbS7SPAYEDBlKOnZFE+Ujw= -github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0-20230427134832-0c9969493bd3/go.mod h1:aEk0vHBmZsAdDfXaI12Kg5ipZGiB3qNqgbPt/e/Hm2s= github.com/hyperledger/aries-framework-go/component/log v0.0.0-20230427134832-0c9969493bd3 h1:x5qFQraTX86z9GCwF28IxfnPm6QH5YgHaX+4x97Jwvw= github.com/hyperledger/aries-framework-go/component/log v0.0.0-20230427134832-0c9969493bd3/go.mod h1:CvYs4l8X2NrrF93weLOu5RTOIJeVdoZITtjEflyuTyM= github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20221025204933-b807371b6f1e h1:/hrQfwJvHJrwV2FSmfnRp5L6yKY9DqDFqwYyb+oVuDU= github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20221025204933-b807371b6f1e/go.mod h1:ACGP1L+WeecDtyA0Mi2E1kqtPLIGrCWPSJ43q2elwX8= github.com/hyperledger/aries-framework-go/test/component v0.0.0-20220509181817-261c3746d03e h1:Jw8qXxl32lfdkxqUOjwLEhsQC2+lT/YtcM7MuOd9+7k= +github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8 h1:BCR8ZlOZ+deUbWxyY6fpoY8LbB7PR5wGGwCTvWQOU2g= +github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8/go.mod h1:X+DIyUsaTmalOpmpQfIvFZjKHQedrURQ5t4YqquX7lE= github.com/hyperledger/ursa-wrapper-go v0.3.1 h1:Do+QrVNniY77YK2jTIcyWqj9rm/Yb5SScN0bqCjiibA= github.com/hyperledger/ursa-wrapper-go 
v0.3.1/go.mod h1:nPSAuMasIzSVciQo22PedBk4Opph6bJ6ia3ms7BH/mk= github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU= @@ -322,6 +317,7 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/leanovate/gopter v0.2.9 h1:fQjYxZaynp97ozCzfOyOuAGOU4aU/z37zf/tOujFk7c= github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= @@ -330,7 +326,6 @@ github.com/lib/pq v1.9.0 h1:L8nSXQQzAYByakOFMTwpjRoHsMJklur4Gi59b6VivR8= github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM= github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4= github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ= -github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ= github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= 
@@ -352,7 +347,6 @@ github.com/minio/sha256-simd v0.1.1 h1:5QHSlgo3nt5yKOJrC7W8w7X+NFl8cMPZm96iu8kKU github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= -github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= @@ -360,6 +354,9 @@ github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:F github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mmcloughlin/addchain v0.4.0 h1:SobOdjm2xLj1KkXN5/n0xTIWyZA2+s99UCY1iPfkHRY= +github.com/mmcloughlin/addchain v0.4.0/go.mod h1:A86O+tHqZLMNO4w6ZZ4FlVQEadcoqkyU72HC5wJ4RlU= +github.com/mmcloughlin/profile v0.1.1/go.mod h1:IhHD7q1ooxgwTgjxQYkACGA77oFTDdFVejUS1/tS/qU= github.com/moby/term v0.0.0-20201216013528-df9cb8a40635 h1:rzf0wL0CHVc8CEsgyygG0Mn9CNCCPZqOPaz8RiiHYQk= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
@@ -390,7 +387,6 @@ github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OS github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs= github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= -github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= @@ -422,7 +418,6 @@ github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT9 github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIwwtUjcrb0b5/5kLM= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= -github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac= github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0jef7pBehbT1qWhCMrIgbYNnFAZCqQ5LRc= github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= 
@@ -441,7 +436,6 @@ github.com/pquerna/cachecontrol v0.1.0 h1:yJMy84ti9h/+OEWa752kBTKv4XC30OtVVHYv/8 github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs= -github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= 
@@ -449,17 +443,13 @@ github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.1.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
-github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
@@ -469,6 +459,7 @@ github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
 github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
 github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
@@ -485,20 +476,14 @@ github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
 github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
-github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI=
 github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
-github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
-github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
-github.com/spf13/cobra v1.0.0 h1:6m/oheQuQ13N9ks4hubMG6BnvwOeaJrqSPLahSnczz8=
-github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
-github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
+github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU=
+github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM=
 github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
 github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
 github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
 github.com/streadway/handy v0.0.0-20190108123426-d5acb3125c2a/go.mod h1:qNTQ5P5JnDBl6z3cMAg/SywNDC5ABu5ApDIw6lUbRmI=
@@ -531,8 +516,6 @@ github.com/tidwall/pretty v1.0.2/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhV
 github.com/tidwall/sjson v1.1.4 h1:bTSsPLdAYF5QNLSwYsKfBKKTnlGbIuhqL3CpRsjzGhg=
 github.com/tidwall/sjson v1.1.4/go.mod h1:wXpKXu8CtDjKAZ+3DrKY5ROCorDFahq8l0tey/Lx1fg=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
-github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
-github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/valyala/fastjson v1.6.3 h1:tAKFnnwmeMGPbwJ7IwxcTPCNr3uIzoIj3/Fh90ra4xc=
@@ -551,14 +534,12 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:
 github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
-github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
 github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d h1:splanxYIlg+5LfHAM6xpdFEAYOk8iySO56hMFq6uLyA=
 github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA=
 github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
 gitlab.com/flimzy/testy v0.0.3/go.mod h1:YObF4cq711ubd/3U0ydRQQVz7Cnq/ChgJpVwNr/AJac=
 gitlab.com/flimzy/testy v0.3.2 h1:4djQFwBJ1ayM681Zx7Y3+OKns/E9zAfGFsLc967jfdk=
 gitlab.com/flimzy/testy v0.3.2/go.mod h1:YObF4cq711ubd/3U0ydRQQVz7Cnq/ChgJpVwNr/AJac=
-go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg=
 go.mongodb.org/mongo-driver v1.8.0 h1:R/P/JJzu8LJvJ1lDfph9GLNIKQxEtIHFfnUUUve35zY=
@@ -618,7 +599,6 @@ golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -661,8 +641,8 @@ golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOO<br>qRReG57U=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -672,7 +652,6 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.1.0 h1:xYY+Bajn2a7VBmTM5GikTmnK8ZuX8YgnQCqZpbBNtmA=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -737,7 +716,8 @@ gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRN
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -747,5 +727,7 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 nhooyr.io/websocket v1.8.3 h1:5UCql+eGVUYcBdr+IvngX2w1xq7g7snC9lSjbfi9qMY=
 nhooyr.io/websocket v1.8.3/go.mod h1:LiqdCg1Cu7TPWxEvPjPa0TGYxCsy4pHNTN9gGluwBpQ=
+rsc.io/tmplfunc v0.0.3 h1:53XFQh69AfOa8Tw0Jm7t+GV7KZhOi6jzsCzTtKbMvzU=
+rsc.io/tmplfunc v0.0.3/go.mod h1:AG3sTPzElb1Io3Yg4voV9AGZJuleGAwaVRxL9M49PhA=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
 sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU=
diff --git a/cmd/aries-js-worker/go.mod b/cmd/aries-js-worker/go.mod
index 31da762b2..c19190710 100644
--- a/cmd/aries-js-worker/go.mod
+++ b/cmd/aries-js-worker/go.mod
@@ -16,6 +16,7 @@ require (
 )
 
 require (
+	github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c // indirect
 	github.com/PaesslerAG/gval v1.1.0 // indirect
 	github.com/PaesslerAG/jsonpath v0.1.1 // indirect
 	github.com/VictoriaMetrics/fastcache v1.12.0 // indirect
@@ -24,17 +25,20 @@ require (
 	github.com/btcsuite/btcutil v1.0.3-0.20201208143702-a53e38424cce // indirect
 	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/consensys/bavard v0.1.13 // indirect
+	github.com/consensys/gnark-crypto v0.9.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.1-0.20221117193127-916db76e8214 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/tink/go v1.7.0 // indirect
 	github.com/gorilla/mux v1.7.3 // indirect
-	github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0-20230427134832-0c9969493bd3 // indirect
+	github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0 // indirect
 	github.com/hyperledger/aries-framework-go/component/log v0.0.0-20230427134832-0c9969493bd3 // indirect
 	github.com/hyperledger/aries-framework-go/component/models v0.0.0-20230501135648-a9a7ad029347 // indirect
 	github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20221025204933-b807371b6f1e // indirect
 	github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20230427134832-0c9969493bd3 // indirect
+	github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8 // indirect
 	github.com/hyperledger/ursa-wrapper-go v0.3.1 // indirect
 	github.com/jinzhu/copier v0.3.5 // indirect
 	github.com/kawamuray/jsonpath v0.0.0-20201211160320-7483bafabd7e // indirect
@@ -42,6 +46,7 @@ require (
 	github.com/klauspost/compress v1.10.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.1.2 // indirect
 	github.com/minio/sha256-simd v1.0.0 // indirect
+	github.com/mmcloughlin/addchain v0.4.0 // indirect
 	github.com/mr-tron/base58 v1.2.0 // indirect
 	github.com/multiformats/go-base32 v0.1.0 // indirect
 	github.com/multiformats/go-base36 v0.1.0 // indirect
@@ -63,15 +68,17 @@ require (
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	golang.org/x/crypto v0.1.0 // indirect
-	golang.org/x/sys v0.1.0 // indirect
+	golang.org/x/sys v0.2.0 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.1.7 // indirect
 	nhooyr.io/websocket v1.8.3 // indirect
+	rsc.io/tmplfunc v0.0.3 // indirect
 )
 
 replace (
 	github.com/hyperledger/aries-framework-go => ../..
+	github.com/hyperledger/aries-framework-go/component/kmscrypto => ../../component/kmscrypto
 	github.com/hyperledger/aries-framework-go/component/storage/edv => ../../component/storage/edv // TODO (#2815) remove this once the wallet package doesn't import edv
 	github.com/hyperledger/aries-framework-go/component/storage/indexeddb => ../../component/storage/indexeddb
 	github.com/hyperledger/aries-framework-go/component/storageutil => ../../component/storageutil
diff --git a/cmd/aries-js-worker/go.sum b/cmd/aries-js-worker/go.sum
index 4ffba4a97..8671e1a00 100644
--- a/cmd/aries-js-worker/go.sum
+++ b/cmd/aries-js-worker/go.sum
@@ -1,3 +1,5 @@
+github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c h1:eLCIQV1wI6WBt1T+s2vUWFg7tBB0Xu/+YZSZ877+kyM=
+github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c/go.mod h1:p0HGSuwoOwAlts8u8rMJrInDo9BEwWUfzTIzdA+QuDo=
 github.com/PaesslerAG/gval v1.0.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v24IBN1I=
 github.com/PaesslerAG/gval v1.1.0 h1:k3RuxeZDO3eejD4cMPSt+74tUSvTnbGvLx0df4mdwFc=
 github.com/PaesslerAG/gval v1.1.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v24IBN1I=
@@ -29,6 +31,10 @@ github.com/cenkalti/backoff/v4 v4.1.3 h1:cFAlzYUlVYDysBEH2T5hyJZMh3+5+WCBvSnK6Q8
 github.com/cenkalti/backoff/v4 v4.1.3/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
 github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/consensys/bavard v0.1.13 h1:oLhMLOFGTLdlda/kma4VOJazblc7IM5y5QPd2A/YjhQ=
+github.com/consensys/bavard v0.1.13/go.mod h1:9ItSMtA/dXMAiL7BG6bqW2m3NdSEObYWoH223nGHukI=
+github.com/consensys/gnark-crypto v0.9.1 h1:mru55qKdWl3E035hAoh1jj9d7hVnYY5pfb6tmovSmII=
+github.com/consensys/gnark-crypto v0.9.1/go.mod h1:a2DQL4+5ywF6safEeZFEPGRiiGbjzGFRUN2sg06VuU4=
 github.com/davecgh/go-spew v0.0.0-20171005155431-ecdeabc65495/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -55,6 +61,7 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=
+github.com/google/subcommands v1.2.0/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
 github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w=
 github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
@@ -64,13 +71,13 @@ github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2z
 github.com/gorilla/websocket v1.4.1 h1:q7AeDBpnBk8AogcD4DSag/Ukw/KV+YhzLj2bP5HvKCM=
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0-20230427134832-0c9969493bd3 h1:PCbDSujjQ6oTEnAHgtThNmbS7SPAYEDBlKOnZFE+Ujw=
-github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0-20230427134832-0c9969493bd3/go.mod h1:aEk0vHBmZsAdDfXaI12Kg5ipZGiB3qNqgbPt/e/Hm2s=
 github.com/hyperledger/aries-framework-go/component/log v0.0.0-20230427134832-0c9969493bd3 h1:x5qFQraTX86z9GCwF28IxfnPm6QH5YgHaX+4x97Jwvw=
 github.com/hyperledger/aries-framework-go/component/log v0.0.0-20230427134832-0c9969493bd3/go.mod h1:CvYs4l8X2NrrF93weLOu5RTOIJeVdoZITtjEflyuTyM=
 github.com/hyperledger/aries-framework-go/component/models v0.0.0-20230501135648-a9a7ad029347 h1:oPGUCpmnm7yxsVllcMQnHF3uc3hy4jfrSCh7nvzXA00=
 github.com/hyperledger/aries-framework-go/component/models v0.0.0-20230501135648-a9a7ad029347/go.mod h1:nF8fHsYY+GZl74AFAQaKAhYWOOSaLVzW/TZ0Sq/6axI=
 github.com/hyperledger/aries-framework-go/test/component v0.0.0-20220428211718-66cc046674a1 h1:vxZ0DlFNLjgxMdBESLZu895AsI1JWL2SJerphwIn8Po=
+github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8 h1:BCR8ZlOZ+deUbWxyY6fpoY8LbB7PR5wGGwCTvWQOU2g=
+github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8/go.mod h1:X+DIyUsaTmalOpmpQfIvFZjKHQedrURQ5t4YqquX7lE=
 github.com/hyperledger/ursa-wrapper-go v0.3.1 h1:Do+QrVNniY77YK2jTIcyWqj9rm/Yb5SScN0bqCjiibA=
 github.com/hyperledger/ursa-wrapper-go v0.3.1/go.mod h1:nPSAuMasIzSVciQo22PedBk4Opph6bJ6ia3ms7BH/mk=
 github.com/jessevdk/go-flags v0.0.0-20141203071132-1679536dcc89/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
@@ -91,10 +98,14 @@ github.com/klauspost/cpuid/v2 v2.1.2 h1:XhdX4fqAJUA0yj+kUwMavO0hHrSPAecYdYf1ZmxH
 github.com/klauspost/cpuid/v2 v2.1.2/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
 github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/leanovate/gopter v0.2.9 h1:fQjYxZaynp97ozCzfOyOuAGOU4aU/z37zf/tOujFk7c=
 github.com/minio/sha256-simd v1.0.0 h1:v1ta+49hkWZyvaKwrQB8elexRqm6Y0aMLjCNsrYxo6g=
 github.com/minio/sha256-simd v1.0.0/go.mod h1:OuYzVNI5vcoYIAmbIvHPl3N3jUzVedXbKy5RFepssQM=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mmcloughlin/addchain v0.4.0 h1:SobOdjm2xLj1KkXN5/n0xTIWyZA2+s99UCY1iPfkHRY=
+github.com/mmcloughlin/addchain v0.4.0/go.mod h1:A86O+tHqZLMNO4w6ZZ4FlVQEadcoqkyU72HC5wJ4RlU=
+github.com/mmcloughlin/profile v0.1.1/go.mod h1:IhHD7q1ooxgwTgjxQYkACGA77oFTDdFVejUS1/tS/qU=
 github.com/mr-tron/base58 v1.2.0 h1:T/HDJBh4ZCPbU39/+c3rRvE0uKBQlU27+QI8LJ4t64o=
 github.com/mr-tron/base58 v1.2.0/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc=
 github.com/multiformats/go-base32 v0.1.0 h1:pVx9xoSPqEIQG8o+UbAe7DNi51oej1NtK+aGkbLYxPE=
@@ -170,8 +181,8 @@ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220405052023-b1e9470b6e64/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.1.0 h1:xYY+Bajn2a7VBmTM5GikTmnK8ZuX8YgnQCqZpbBNtmA=
@@ -194,3 +205,5 @@ lukechampine.com/blake3 v1.1.7 h1:GgRMhmdsuK8+ii6UZFDL8Nb+VyMwadAgcJyfYHxG6n0=
 lukechampine.com/blake3 v1.1.7/go.mod h1:tkKEOtDkNtklkXtLNEOGNq5tcV90tJiA1vAA12R78LA=
 nhooyr.io/websocket v1.8.3 h1:5UCql+eGVUYcBdr+IvngX2w1xq7g7snC9lSjbfi9qMY=
 nhooyr.io/websocket v1.8.3/go.mod h1:LiqdCg1Cu7TPWxEvPjPa0TGYxCsy4pHNTN9gGluwBpQ=
+rsc.io/tmplfunc v0.0.3 h1:53XFQh69AfOa8Tw0Jm7t+GV7KZhOi6jzsCzTtKbMvzU=
+rsc.io/tmplfunc v0.0.3/go.mod h1:AG3sTPzElb1Io3Yg4voV9AGZJuleGAwaVRxL9M49PhA=
diff --git a/component/kmscrypto/crypto/primitive/bbs12381g2pub/bbs12381g2pub.go b/component/kmscrypto/crypto/primitive/bbs12381g2pub/bbs12381g2pub.go
index 855f8caac..9bbe15be0 100644
--- a/component/kmscrypto/crypto/primitive/bbs12381g2pub/bbs12381g2pub.go
+++ b/component/kmscrypto/crypto/primitive/bbs12381g2pub/bbs12381g2pub.go
@@ -19,14 +19,11 @@ import (
 	"fmt"
 	"sort"
 
-	bls12381 "github.com/kilic/bls12-381"
+	ml "github.com/IBM/mathlib"
 )
 
 // nolint:gochecknoglobals
-var (
-	g1 = bls12381.NewG1()
-	g2 = bls12381.NewG2()
-)
+var curve = ml.Curves[ml.BLS12_381_BBS]
 
 // BBSG2Pub defines BBS+ signature scheme where public key is a point in the field of G2.
 // BBS+ signature scheme (as defined in https://eprint.iacr.org/2016/663.pdf, section 4.3).
@@ -37,27 +34,33 @@ func New() *BBSG2Pub {
 	return &BBSG2Pub{}
 }
 
-const (
+// Number of bytes in scalar compressed form.
+const frCompressedSize = 32
+
+var (
+	// nolint:gochecknoglobals
 	// Signature length.
-	bls12381SignatureLen = 112
+	bls12381SignatureLen = curve.CompressedG1ByteSize + 2*frCompressedSize
 
+	// nolint:gochecknoglobals
 	// Default BLS 12-381 public key length in G2 field.
-	bls12381G2PublicKeyLen = 96
+	bls12381G2PublicKeyLen = curve.CompressedG2ByteSize
 
+	// nolint:gochecknoglobals
 	// Number of bytes in G1 X coordinate.
-	g1CompressedSize = 48
+	g1CompressedSize = curve.CompressedG1ByteSize
 
+	// nolint:gochecknoglobals
 	// Number of bytes in G1 X and Y coordinates.
-	g1UncompressedSize = 96
+	g1UncompressedSize = curve.G1ByteSize
 
+	// nolint:gochecknoglobals
 	// Number of bytes in G2 X(a, b) and Y(a, b) coordinates.
-	g2UncompressedSize = 192
-
-	// Number of bytes in scalar compressed form.
-	frCompressedSize = 32
+	g2UncompressedSize = curve.G2ByteSize
 
+	// nolint:gochecknoglobals
 	// Number of bytes in scalar uncompressed form.
-	frUncompressedSize = 48
+	frUncompressedSize = curve.ScalarByteSize
 )
 
 // Verify makes BLS BBS12-381 signature verification.
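Review bot: The sizes in the second hunk (bls12381SignatureLen through frUncompressedSize) become package-level vars initialized from curve, so they are no longer compile-time constants and can be reassigned from anywhere in the package; the nolint markers acknowledge the globals but nothing states the intent. A one-line comment on the var block would help, e.g. `// Curve-derived sizes: vars only because mathlib exposes them as struct fields; treat as read-only.` Separately, frUncompressedSize used to be the literal 48 and is now curve.ScalarByteSize; if that field is 32 for ml.BLS12_381_BBS, every reader of that size outside this hunk now parses a different length, so confirm it against the callers or keep 48 explicitly with a note saying why it differs from the curve's scalar size.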
@@ -213,14 +216,13 @@ func (bbs *BBSG2Pub) SignWithKey(messages [][]byte, privKey *PrivateKey) ([]byte
 	}
 
 	e, s := createRandSignatureFr(), createRandSignatureFr()
-	exp := bls12381.NewFr().Set(privKey.FR)
-	exp.Add(exp, e)
-	exp.Inverse(exp)
+	exp := privKey.FR.Copy()
+	exp = exp.Plus(e)
+	exp.InvModP(curve.GroupOrder)
 
-	sig := g1.New()
 	b := computeB(s, messagesFr, pubKeyWithGenerators)
-	g1.MulScalar(sig, b, frToRepr(exp))
+	sig := b.Mul(frToRepr(exp))
 
 	signature := &Signature{
 		A: sig,
@@ -231,12 +233,12 @@ func (bbs *BBSG2Pub) SignWithKey(messages [][]byte, privKey *PrivateKey) ([]byte
 	return signature.ToBytes()
 }
 
-func computeB(s *bls12381.Fr, messages []*SignatureMessage, key *PublicKeyWithGenerators) *bls12381.PointG1 {
+func computeB(s *ml.Zr, messages []*SignatureMessage, key *PublicKeyWithGenerators) *ml.G1 {
 	const basesOffset = 2
 
 	cb := newCommitmentBuilder(len(messages) + basesOffset)
 
-	cb.add(g1.One(), bls12381.NewFr().One())
+	cb.add(curve.GenG1, curve.NewZrFromInt(1))
 	cb.add(key.h0, s)
 
 	for i := 0; i < len(messages); i++ {
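Review bot: In the first hunk, `exp := privKey.FR.Copy()` followed by `exp = exp.Plus(e)` copies the secret scalar twice if Plus returns a fresh element, which is how the value-returning methods are used elsewhere in this change (`elm = elm.Mul(...)` in fr.go); `exp := privKey.FR.Plus(e)` then `exp.InvModP(curve.GroupOrder)` reads the same and makes the in-place/value distinction visible. The trailing `frToRepr(exp)` is now another Copy() of a value that is not reused after the multiplication. SignWithKey starts and ends outside the hunk, so I have not checked what else reads exp or e.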
@@ -247,55 +249,55 @@ func computeB(s *bls12381.Fr, messages []*SignatureMessage, key *PublicKeyWithGe
 }
 
 type commitmentBuilder struct {
-	bases []*bls12381.PointG1
-	scalars []*bls12381.Fr
+	bases []*ml.G1
+	scalars []*ml.Zr
 }
 
 func newCommitmentBuilder(expectedSize int) *commitmentBuilder {
 	return &commitmentBuilder{
-		bases: make([]*bls12381.PointG1, 0, expectedSize),
-		scalars: make([]*bls12381.Fr, 0, expectedSize),
+		bases: make([]*ml.G1, 0, expectedSize),
+		scalars: make([]*ml.Zr, 0, expectedSize),
 	}
 }
 
-func (cb *commitmentBuilder) add(base *bls12381.PointG1, scalar *bls12381.Fr) {
+func (cb *commitmentBuilder) add(base *ml.G1, scalar *ml.Zr) {
 	cb.bases = append(cb.bases, base)
 	cb.scalars = append(cb.scalars, scalar)
 }
 
-func (cb *commitmentBuilder) build() *bls12381.PointG1 {
+func (cb *commitmentBuilder) build() *ml.G1 {
 	return sumOfG1Products(cb.bases, cb.scalars)
 }
 
-func sumOfG1Products(bases []*bls12381.PointG1, scalars []*bls12381.Fr) *bls12381.PointG1 {
-	res := g1.Zero()
+func sumOfG1Products(bases []*ml.G1, scalars []*ml.Zr) *ml.G1 {
+	var res *ml.G1
 
 	for i := 0; i < len(bases); i++ {
 		b := bases[i]
 		s := scalars[i]
 
-		g := g1.New()
-
-		g1.MulScalar(g, b, frToRepr(s))
-		g1.Add(res, res, g)
+		g := b.Mul(frToRepr(s))
+		if res == nil {
+			res = g
+		} else {
+			res.Add(g)
+		}
 	}
 
 	return res
 }
 
-func compareTwoPairings(p1 *bls12381.PointG1, q1 *bls12381.PointG2,
-	p2 *bls12381.PointG1, q2 *bls12381.PointG2) bool {
-	engine := bls12381.NewEngine()
-
-	engine.AddPair(p1, q1)
-	engine.AddPair(p2, q2)
+func compareTwoPairings(p1 *ml.G1, q1 *ml.G2,
+	p2 *ml.G1, q2 *ml.G2) bool {
+	p := curve.Pairing2(q1, p1, q2, p2)
+	p = curve.FExp(p)
 
-	return engine.Check()
+	return p.IsUnity()
 }
 
 // ProofNonce is a nonce for Proof of Knowledge proof.
 type ProofNonce struct {
-	fr *bls12381.Fr
+	fr *ml.Zr
 }
 
 // ParseProofNonce creates a new ProofNonce from bytes.
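Review bot: sumOfG1Products now returns nil when bases is empty, where the removed code returned g1.Zero(); commitmentBuilder.build() therefore hands a nil *ml.G1 to a caller that added nothing, and any Add or Mul on that result is a nil dereference instead of the identity element. The callers visible in this change always add at least one base (computeB adds curve.GenG1 first), so this is latent rather than live, but the helper is general-purpose. Either start res from an explicit identity and drop the nil branch — e.g. `res := curve.GenG1.Mul(curve.NewZrFromInt(0))`, if mathlib yields the point at infinity for a zero scalar, which is worth confirming — or document the contract: `// sumOfG1Products returns nil for empty input; callers must add at least one base.` The aliasing in the nil branch itself is fine because g is a fresh result of Mul on every iteration.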
@@ -307,5 +309,5 @@ func ParseProofNonce(proofNonceBytes []byte) *ProofNonce {
 
 // ToBytes converts ProofNonce into bytes.
 func (pn *ProofNonce) ToBytes() []byte {
-	return frToRepr(pn.fr).ToBytes()
+	return frToRepr(pn.fr).Bytes()
 }
diff --git a/component/kmscrypto/crypto/primitive/bbs12381g2pub/bbs_test.go b/component/kmscrypto/crypto/primitive/bbs12381g2pub/bbs_test.go
index 74da5849b..7166a2fdd 100644
--- a/component/kmscrypto/crypto/primitive/bbs12381g2pub/bbs_test.go
+++ b/component/kmscrypto/crypto/primitive/bbs12381g2pub/bbs_test.go
@@ -182,7 +182,7 @@ func TestBBSG2Pub_VerifyProof(t *testing.T) {
 		err = bls.VerifyProof(revealedMessagesBytes, proofBytesCopy, nonce, pkBytes)
 		require.Error(t, err)
 
-		require.EqualError(t, err, "parse signature proof: parse G1 point: point is not on curve")
+		require.ErrorContains(t, err, "parse signature proof: parse G1 point: failure [set bytes failed")
 	})
 
 	t.Run("invalid input public key", func(t *testing.T) {
diff --git a/component/kmscrypto/crypto/primitive/bbs12381g2pub/fr.go b/component/kmscrypto/crypto/primitive/bbs12381g2pub/fr.go
index 1458375f2..47d611651 100644
--- a/component/kmscrypto/crypto/primitive/bbs12381g2pub/fr.go
+++ b/component/kmscrypto/crypto/primitive/bbs12381g2pub/fr.go
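Review bot: The bbs_test.go hunk pins the test to mathlib's internal wording ("failure [set bytes failed"), including a half-open bracket, so the next mathlib bump that rephrases its point-decoding error breaks this test without any change in this package's behaviour. The part of the message this package owns is the prefix, so `require.ErrorContains(t, err, "parse signature proof: parse G1 point: ")` checks the same thing (a corrupted G1 point is rejected at parse time) without coupling to the dependency; if the exact library text matters, a comment saying which mathlib version it comes from would at least explain the bracket. TestBBSG2Pub_VerifyProof starts and ends outside the hunk.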
@@ -9,19 +9,27 @@ package bbs12381g2pub
 import (
 	"crypto/rand"
 
-	bls12381 "github.com/kilic/bls12-381"
+	ml "github.com/IBM/mathlib"
 	"golang.org/x/crypto/blake2b"
 )
 
-func parseFr(data []byte) *bls12381.Fr {
-	return bls12381.NewFr().FromBytes(data)
+func parseFr(data []byte) *ml.Zr {
+	return curve.NewZrFromBytes(data)
 }
 
-func f2192() *bls12381.Fr {
-	return &bls12381.Fr{0, 0, 0, 1}
+// nolint:gochecknoglobals
+var f2192Bytes = []byte{
+	0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1,
+	0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+	0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+	0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
 }
 
-func frFromOKM(message []byte) *bls12381.Fr {
+func f2192() *ml.Zr {
+	return curve.NewZrFromBytes(f2192Bytes)
+}
+
+func frFromOKM(message []byte) *ml.Zr {
 	const (
 		eightBytes = 8
 		okmMiddle = 24
@@ -35,20 +43,17 @@ func frFromOKM(message []byte) *bls12381.Fr {
 	okm := h.Sum(nil)
 	emptyEightBytes := make([]byte, eightBytes)
 
-	elm := bls12381.NewFr().FromBytes(append(emptyEightBytes, okm[:okmMiddle]...))
-	elm.Mul(elm, f2192())
+	elm := curve.NewZrFromBytes(append(emptyEightBytes, okm[:okmMiddle]...))
+	elm = elm.Mul(f2192())
 
-	fr := bls12381.NewFr().FromBytes(append(emptyEightBytes, okm[okmMiddle:]...))
-	elm.Add(elm, fr)
+	fr := curve.NewZrFromBytes(append(emptyEightBytes, okm[okmMiddle:]...))
+	elm = elm.Plus(fr)
 
 	return elm
 }
 
-func frToRepr(fr *bls12381.Fr) *bls12381.Fr {
-	frRepr := bls12381.NewFr()
-	frRepr.Mul(fr, &bls12381.Fr{1})
-
-	return frRepr
+func frToRepr(fr *ml.Zr) *ml.Zr {
+	return fr.Copy()
 }
 
 func messagesToFr(messages [][]byte) []*SignatureMessage {
@@ -61,8 +66,6 @@ func messagesToFr(messages [][]byte) []*SignatureMessage {
 	return messagesFr
 }
 
-func createRandSignatureFr() *bls12381.Fr {
-	fr, _ := bls12381.NewFr().Rand(rand.Reader) //nolint:errcheck
-
-	return frToRepr(fr)
+func createRandSignatureFr() *ml.Zr {
+	return curve.NewRandomZr(rand.Reader)
 }
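Review bot: frToRepr in the second hunk is now a plain `fr.Copy()`, so its name promises a representation conversion that no longer happens; either document that (`// frToRepr is kept for call-site compatibility; mathlib scalars need no representation change, so this only copies.`) or remove it and let each caller decide whether it needs a copy. f2192Bytes in the first hunk is a mutable package slice that is decoded on every f2192() call; a comment explaining why it is stored as bytes rather than a cached *ml.Zr would keep someone from "optimising" it into a shared instance, since Zr values in this package are mutated in place (Neg, InvModP): `// 2^192 as a 32-byte big-endian scalar; re-parsed per call so no shared Zr can be mutated.` The big-endian reading is consistent with frFromOKM, which left-pads with emptyEightBytes, but the hunk shows no test pinning f2192() to the old {0, 0, 0, 1} limb value. createRandSignatureFr in the third hunk no longer carries the randomness error the old code discarded; if curve.NewRandomZr panics on a failing reader that is arguably better than a silently degraded scalar, but a short comment saying so would help.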
diff --git a/component/kmscrypto/crypto/primitive/bbs12381g2pub/keys.go b/component/kmscrypto/crypto/primitive/bbs12381g2pub/keys.go
index b5f9961d4..e68507888 100644
--- a/component/kmscrypto/crypto/primitive/bbs12381g2pub/keys.go
+++ b/component/kmscrypto/crypto/primitive/bbs12381g2pub/keys.go
@@ -13,35 +13,35 @@ import (
 	"hash"
 	"io"
 
-	bls12381 "github.com/kilic/bls12-381"
-	"golang.org/x/crypto/blake2b"
+	ml "github.com/IBM/mathlib"
 	"golang.org/x/crypto/hkdf"
-
-	bls12381intern "github.com/hyperledger/aries-framework-go/component/kmscrypto/internal/third_party/kilic/bls12-381"
 )
 
-const (
-	seedSize = frCompressedSize
+var (
+	// nolint:gochecknoglobals
+	seedSize = frCompressedSize
+
+	// nolint:gochecknoglobals
 	generateKeySalt = "BBS-SIG-KEYGEN-SALT-"
 )
 
 // PublicKey defines BLS Public Key.
 type PublicKey struct {
-	PointG2 *bls12381.PointG2
+	PointG2 *ml.G2
 }
 
 // PrivateKey defines BLS Public Key.
 type PrivateKey struct {
-	FR *bls12381.Fr
+	FR *ml.Zr
 }
 
 // PublicKeyWithGenerators extends PublicKey with a blinding generator h0, a commitment to the secret key w,
 // and a generator for each message h.
 type PublicKeyWithGenerators struct {
-	h0 *bls12381.PointG1
-	h []*bls12381.PointG1
+	h0 *ml.G1
+	h []*ml.G1
 
-	w *bls12381.PointG2
+	w *ml.G2
 
 	messagesCount int
 }
@@ -52,12 +52,9 @@ func (pk *PublicKey) ToPublicKeyWithGenerators(messagesCount int) (*PublicKeyWit
 
 	data := calcData(pk, messagesCount)
 
-	h0, err := hashToG1(data)
-	if err != nil {
-		return nil, fmt.Errorf("create G1 point from hash")
-	}
+	h0 := hashToG1(data)
 
-	h := make([]*bls12381.PointG1, messagesCount)
+	h := make([]*ml.G1, messagesCount)
 
 	for i := 1; i <= messagesCount; i++ {
 		dataCopy := make([]byte, len(data))
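Review bot: seedSize and generateKeySalt in the first hunk are turned from consts into vars, each with a nolint:gochecknoglobals, but neither needs to be: frCompressedSize is still `const frCompressedSize = 32` in bbs12381g2pub.go after this change, and generateKeySalt is a string literal. Keeping `const ( seedSize = frCompressedSize; generateKeySalt = "BBS-SIG-KEYGEN-SALT-" )` avoids two mutable package globals holding key-derivation parameters, plus the two lint suppressions. Also, the "PrivateKey defines BLS Public Key." doc comment on the PrivateKey type is a pre-existing copy-paste; since this hunk touches the line below it, `// PrivateKey defines BLS Private Key.` is a cheap fix to fold in.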
@@ -69,10 +66,7 @@ func (pk *PublicKey) ToPublicKeyWithGenerators(messagesCount int) (*PublicKeyWit
 			dataCopy[j+offset] = iBytes[j]
 		}
 
-		h[i-1], err = hashToG1(dataCopy)
-		if err != nil {
-			return nil, fmt.Errorf("create G1 point from hash: %w", err)
-		}
+		h[i-1] = hashToG1(dataCopy)
 	}
 
 	return &PublicKeyWithGenerators{
@@ -84,7 +78,7 @@ func (pk *PublicKey) ToPublicKeyWithGenerators(messagesCount int) (*PublicKeyWit
 }
 
 func calcData(key *PublicKey, messagesCount int) []byte {
-	data := g2.ToUncompressed(key.PointG2)
+	data := key.PointG2.Bytes()
 
 	data = append(data, 0, 0, 0, 0, 0, 0)
 
@@ -95,23 +89,10 @@ func calcData(key *PublicKey, messagesCount int) []byte {
 	return data
 }
 
-func hashToG1(data []byte) (*bls12381.PointG1, error) {
-	dstG1 := []byte("BLS12381G1_XMD:BLAKE2B_SSWU_RO_BBS+_SIGNATURES:1_0_0")
-
-	hashFunc := func() hash.Hash {
-		// We pass a null key so error is impossible here.
-		h, _ := blake2b.New512(nil) //nolint:errcheck
-		return h
-	}
-
-	g := bls12381intern.NewG1()
-
-	p, err := g.HashToCurveGeneric(data, dstG1, hashFunc)
-	if err != nil {
-		return nil, err
-	}
+func hashToG1(data []byte) *ml.G1 {
+	var dstG1 = []byte("BLS12381G1_XMD:BLAKE2B_SSWU_RO_BBS+_SIGNATURES:1_0_0")
 
-	return g1.FromBytes(g.ToBytes(p))
+	return curve.HashToG1WithDomain(data, dstG1)
 }
 
 // UnmarshalPrivateKey unmarshals PrivateKey.
@@ -129,14 +110,13 @@ func UnmarshalPrivateKey(privKeyBytes []byte) (*PrivateKey, error) {
 
 // Marshal marshals PrivateKey.
 func (k *PrivateKey) Marshal() ([]byte, error) {
-	bytes := k.FR.ToBytes()
+	bytes := k.FR.Bytes()
 	return bytes, nil
 }
 
 // PublicKey returns a Public Key as G2 point generated from the Private Key.
 func (k *PrivateKey) PublicKey() *PublicKey {
-	pointG2 := g2.One()
-	g2.MulScalar(pointG2, pointG2, frToRepr(k.FR))
+	pointG2 := curve.GenG2.Mul(frToRepr(k.FR))
 
 	return &PublicKey{pointG2}
 }
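Review bot: calcData and hashToG1 (second and third hunks) together determine the per-key generators h0 and h, so their byte-level behaviour is an interoperability contract: calcData now feeds `key.PointG2.Bytes()` where it used g2.ToUncompressed, and hashToG1 hands the BLAKE2B-named DST to curve.HashToG1WithDomain where it previously constructed blake2b.New512 itself. If either the G2 encoding (coordinate order, and the 192-byte length that g2UncompressedSize now takes from curve.G2ByteSize) or the hash used inside HashToG1WithDomain differs from the previous implementation, every signature issued before this change verifies against different generators; nothing in the hunks pins this, so a test against a signature produced by the old code, or at least a comment stating that ml.BLS12_381_BBS is the BLAKE2b-512 hash-to-curve variant matching the DST string, would make it checkable. Minor: `var dstG1 = []byte(...)` inside the function reads better as `dstG1 := []byte(...)`, or as a package-level const string converted at the call.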
@@ -147,7 +127,7 @@ func UnmarshalPublicKey(pubKeyBytes []byte) (*PublicKey, error) { return nil, errors.New("invalid size of public key") } - pointG2, err := g2.FromCompressed(pubKeyBytes) + pointG2, err := curve.NewG2FromCompressed(pubKeyBytes) if err != nil { return nil, fmt.Errorf("deserialize public key: %w", err) } @@ -159,7 +139,7 @@ func UnmarshalPublicKey(pubKeyBytes []byte) (*PublicKey, error) { // Marshal marshals PublicKey. func (pk *PublicKey) Marshal() ([]byte, error) { - pkBytes := g2.ToCompressed(pk.PointG2) + pkBytes := pk.PointG2.Compressed() return pkBytes, nil } diff --git a/component/kmscrypto/crypto/primitive/bbs12381g2pub/proof_of_knowledge.go b/component/kmscrypto/crypto/primitive/bbs12381g2pub/proof_of_knowledge.go index 1455912e0..359b9720a 100644 --- a/component/kmscrypto/crypto/primitive/bbs12381g2pub/proof_of_knowledge.go +++ b/component/kmscrypto/crypto/primitive/bbs12381g2pub/proof_of_knowledge.go @@ -9,20 +9,20 @@ package bbs12381g2pub import ( "fmt" - bls12381 "github.com/kilic/bls12-381" + ml "github.com/IBM/mathlib" ) // PoKOfSignature is Proof of Knowledge of a Signature that is used by the prover to construct PoKOfSignatureProof. type PoKOfSignature struct { - aPrime *bls12381.PointG1 - aBar *bls12381.PointG1 - d *bls12381.PointG1 + aPrime *ml.G1 + aBar *ml.G1 + d *ml.G1 pokVC1 *ProverCommittedG1 - secrets1 []*bls12381.Fr + secrets1 []*ml.Zr pokVC2 *ProverCommittedG1 - secrets2 []*bls12381.Fr + secrets2 []*ml.Zr revealedMessages map[int]*SignatureMessage } 
@@ -37,18 +37,15 @@ func NewPoKOfSignature(signature *Signature, messages []*SignatureMessage, revea r1, r2 := createRandSignatureFr(), createRandSignatureFr() b := computeB(signature.S, messages, pubKey) - aPrime := g1.New() - g1.MulScalar(aPrime, signature.A, frToRepr(r1)) + aPrime := signature.A.Mul(frToRepr(r1)) - aBarDenom := g1.New() - g1.MulScalar(aBarDenom, aPrime, frToRepr(signature.E)) + aBarDenom := aPrime.Mul(frToRepr(signature.E)) - aBar := g1.New() - g1.MulScalar(aBar, b, frToRepr(r1)) - g1.Sub(aBar, aBar, aBarDenom) + aBar := b.Mul(frToRepr(r1)) + aBar.Sub(aBarDenom) - r2D := bls12381.NewFr() - r2D.Neg(r2) + r2D := r2.Copy() + r2D.Neg() commitmentBasesCount := 2 cb := newCommitmentBuilder(commitmentBasesCount) @@ -56,13 +53,12 @@ func NewPoKOfSignature(signature *Signature, messages []*SignatureMessage, revea cb.add(pubKey.h0, r2D) d := cb.build() - r3 := bls12381.NewFr() - r3.Inverse(r1) + r3 := r1.Copy() + r3.InvModP(curve.GroupOrder) - sPrime := bls12381.NewFr() - sPrime.Mul(r2, r3) - sPrime.Neg(sPrime) - sPrime.Add(sPrime, signature.S) + sPrime := r2.Mul(r3) + sPrime.Neg() + sPrime = sPrime.Plus(signature.S) pokVC1, secrets1 := newVC1Signature(aPrime, pubKey.h0, signature.E, r2) @@ -91,15 +87,15 @@ func NewPoKOfSignature(signature *Signature, messages []*SignatureMessage, revea }, nil } -func newVC1Signature(aPrime *bls12381.PointG1, h0 *bls12381.PointG1, - e, r2 *bls12381.Fr) (*ProverCommittedG1, []*bls12381.Fr) { +func newVC1Signature(aPrime *ml.G1, h0 *ml.G1, + e, r2 *ml.Zr) (*ProverCommittedG1, []*ml.Zr) { committing1 := NewProverCommittingG1() - secrets1 := make([]*bls12381.Fr, 2) + secrets1 := make([]*ml.Zr, 2) committing1.Commit(aPrime) - sigE := bls12381.NewFr() - sigE.Neg(e) + sigE := e.Copy() + sigE.Neg() secrets1[0] = sigE committing1.Commit(h0) 
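Review bot: The arithmetic in `NewPoKOfSignature` now mixes in-place mutators (`aBar.Sub`, `r2D.Neg`, `r3.InvModP`, `sPrime.Neg`) with calls whose results are assigned (`Mul`, `Plus`, `Copy`), and nothing marks which is which; a future edit that drops one `Copy()` would silently alias `r1`, `r2` or `signature.E` into a later computation. The semantics are only inferred from usage here, so a comment at the top of the block such as `// mathlib: Mul/Plus/Minus/Copy allocate, Neg/Sub/Add/InvModP mutate the receiver — copy shared inputs before mutating` would make the invariant explicit, and a test asserting that `signature.A`, `signature.E` and `signature.S` are unchanged after `NewPoKOfSignature` returns would catch regressions. The function body continues outside the hunk.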
@@ -110,17 +106,17 @@ func newVC1Signature(aPrime *bls12381.PointG1, h0 *bls12381.PointG1, return pokVC1, secrets1 } -func newVC2Signature(d *bls12381.PointG1, r3 *bls12381.Fr, pubKey *PublicKeyWithGenerators, sPrime *bls12381.Fr, - messages []*SignatureMessage, revealedMessages map[int]*SignatureMessage) (*ProverCommittedG1, []*bls12381.Fr) { +func newVC2Signature(d *ml.G1, r3 *ml.Zr, pubKey *PublicKeyWithGenerators, sPrime *ml.Zr, + messages []*SignatureMessage, revealedMessages map[int]*SignatureMessage) (*ProverCommittedG1, []*ml.Zr) { messagesCount := len(messages) committing2 := NewProverCommittingG1() baseSecretsCount := 2 - secrets2 := make([]*bls12381.Fr, 0, baseSecretsCount+messagesCount) + secrets2 := make([]*ml.Zr, 0, baseSecretsCount+messagesCount) committing2.Commit(d) - r3D := bls12381.NewFr() - r3D.Neg(r3) + r3D := r3.Copy() + r3D.Neg() secrets2 = append(secrets2, r3D) @@ -136,8 +132,7 @@ func newVC2Signature(d *bls12381.PointG1, r3 *bls12381.Fr, pubKey *PublicKeyWith committing2.Commit(pubKey.h[i]) sourceFR := messages[i].FR - hiddenFRCopy := bls12381.NewFr() - hiddenFRCopy.Set(sourceFR) + hiddenFRCopy := sourceFR.Copy() secrets2 = append(secrets2, hiddenFRCopy) } @@ -149,7 +144,7 @@ func newVC2Signature(d *bls12381.PointG1, r3 *bls12381.Fr, pubKey *PublicKeyWith // ToBytes converts PoKOfSignature to bytes. func (pos *PoKOfSignature) ToBytes() []byte { - challengeBytes := g1.ToUncompressed(pos.aBar) + challengeBytes := pos.aBar.Bytes() challengeBytes = append(challengeBytes, pos.pokVC1.ToBytes()...) challengeBytes = append(challengeBytes, pos.pokVC2.ToBytes()...) 
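Review bot: `PoKOfSignature.ToBytes` now serializes `aBar` (and, through `pokVC1`/`pokVC2`, every base and commitment) with `Bytes()` where it used the uncompressed kilic encoding, and those bytes are hashed into the Fiat-Shamir challenge; if the mathlib encoding differs in any byte, proofs created by one build will not verify under the other, and the failure surfaces only as a generic bad-signature error. The hunk cannot show what `Bytes()` emits, so pin it with a cross-version fixture (a proof produced by the previous release verified by this code) and add `// Bytes() must match the previous uncompressed encoding: it feeds the challenge hash` at the call site. The `return` of `ToBytes` lies outside this hunk.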
@@ -157,7 +152,7 @@ func (pos *PoKOfSignature) ToBytes() []byte { } // GenerateProof generates PoKOfSignatureProof proof from PoKOfSignature signature. -func (pos *PoKOfSignature) GenerateProof(challengeHash *bls12381.Fr) *PoKOfSignatureProof { +func (pos *PoKOfSignature) GenerateProof(challengeHash *ml.Zr) *PoKOfSignatureProof { return &PoKOfSignatureProof{ aPrime: pos.aPrime, aBar: pos.aBar, @@ -169,9 +164,9 @@ func (pos *PoKOfSignature) GenerateProof(challengeHash *bls12381.Fr) *PoKOfSigna // ProverCommittedG1 helps to generate a ProofG1. type ProverCommittedG1 struct { - bases []*bls12381.PointG1 - blindingFactors []*bls12381.Fr - commitment *bls12381.PointG1 + bases []*ml.G1 + blindingFactors []*ml.Zr + commitment *ml.G1 } // ToBytes converts ProverCommittedG1 to bytes. @@ -179,22 +174,20 @@ func (g *ProverCommittedG1) ToBytes() []byte { bytes := make([]byte, 0) for _, base := range g.bases { - bytes = append(bytes, g1.ToUncompressed(base)...) + bytes = append(bytes, base.Bytes()...) } - return append(bytes, g1.ToUncompressed(g.commitment)...) + return append(bytes, g.commitment.Bytes()...) } // GenerateProof generates proof ProofG1 for all secrets. -func (g *ProverCommittedG1) GenerateProof(challenge *bls12381.Fr, secrets []*bls12381.Fr) *ProofG1 { - responses := make([]*bls12381.Fr, len(g.bases)) +func (g *ProverCommittedG1) GenerateProof(challenge *ml.Zr, secrets []*ml.Zr) *ProofG1 { + responses := make([]*ml.Zr, len(g.bases)) for i := range g.blindingFactors { - c := bls12381.NewFr() - c.Mul(challenge, secrets[i]) + c := challenge.Mul(secrets[i]) - s := bls12381.NewFr() - s.Sub(g.blindingFactors[i], c) + s := g.blindingFactors[i].Minus(c) responses[i] = s } 
@@ -206,20 +199,20 @@ func (g *ProverCommittedG1) GenerateProof(challenge *bls12381.Fr, secrets []*bls // ProverCommittingG1 is a proof of knowledge of messages in a vector commitment. type ProverCommittingG1 struct { - bases []*bls12381.PointG1 - blindingFactors []*bls12381.Fr + bases []*ml.G1 + blindingFactors []*ml.Zr } // NewProverCommittingG1 creates a new ProverCommittingG1. func NewProverCommittingG1() *ProverCommittingG1 { return &ProverCommittingG1{ - bases: make([]*bls12381.PointG1, 0), - blindingFactors: make([]*bls12381.Fr, 0), + bases: make([]*ml.G1, 0), + blindingFactors: make([]*ml.Zr, 0), } } // Commit append a base point and randomly generated blinding factor. -func (pc *ProverCommittingG1) Commit(base *bls12381.PointG1) { +func (pc *ProverCommittingG1) Commit(base *ml.G1) { pc.bases = append(pc.bases, base) r := createRandSignatureFr() pc.blindingFactors = append(pc.blindingFactors, r) diff --git a/component/kmscrypto/crypto/primitive/bbs12381g2pub/signature.go b/component/kmscrypto/crypto/primitive/bbs12381g2pub/signature.go index 2d7b1c28b..3491e48e4 100644 --- a/component/kmscrypto/crypto/primitive/bbs12381g2pub/signature.go +++ b/component/kmscrypto/crypto/primitive/bbs12381g2pub/signature.go @@ -10,14 +10,14 @@ import ( "errors" "fmt" - bls12381 "github.com/kilic/bls12-381" + ml "github.com/IBM/mathlib" ) // Signature defines BLS signature. type Signature struct { - A *bls12381.PointG1 - E *bls12381.Fr - S *bls12381.Fr + A *ml.G1 + E *ml.Zr + S *ml.Zr } // ParseSignature parses a Signature from bytes. @@ -26,7 +26,7 @@ func ParseSignature(sigBytes []byte) (*Signature, error) { return nil, errors.New("invalid size of signature") } - pointG1, err := g1.FromCompressed(sigBytes[:g1CompressedSize]) + pointG1, err := curve.NewG1FromCompressed(sigBytes[:g1CompressedSize]) if err != nil { return nil, fmt.Errorf("deserialize G1 compressed signature: %w", err) } 
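Review bot: `ParseSignature` hands the untrusted bytes for `A` to `curve.NewG1FromCompressed` and, as far as this hunk shows, accepts any point that deserializes; the updated expected error text elsewhere in the patch (`point is not on curve`) indicates an on-curve check but says nothing about membership in the prime-order G1 subgroup. Whether that check happens depends on the mathlib backend selected for `curve` (defined outside this file), so please confirm it, and if it is not guaranteed add an explicit subgroup check after the `err` check so a malformed signature is rejected before it reaches the pairing in `Verify`. A comment such as `// NewG1FromCompressed must reject points outside the prime-order subgroup; the pairing equation in Verify assumes it` would record the requirement either way.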
@@ -45,9 +45,9 @@ func ParseSignature(sigBytes []byte) (*Signature, error) { func (s *Signature) ToBytes() ([]byte, error) { bytes := make([]byte, bls12381SignatureLen) - copy(bytes, g1.ToCompressed(s.A)) - copy(bytes[g1CompressedSize:g1CompressedSize+frCompressedSize], s.E.ToBytes()) - copy(bytes[g1CompressedSize+frCompressedSize:], s.S.ToBytes()) + copy(bytes, s.A.Compressed()) + copy(bytes[g1CompressedSize:g1CompressedSize+frCompressedSize], s.E.Bytes()) + copy(bytes[g1CompressedSize+frCompressedSize:], s.S.Bytes()) return bytes, nil } @@ -56,14 +56,13 @@ func (s *Signature) ToBytes() ([]byte, error) { func (s *Signature) Verify(messages []*SignatureMessage, pubKey *PublicKeyWithGenerators) error { p1 := s.A - q1 := g2.One() - g2.MulScalar(q1, q1, frToRepr(s.E)) - g2.Add(q1, q1, pubKey.w) + q1 := curve.GenG2.Mul(frToRepr(s.E)) + q1.Add(pubKey.w) p2 := computeB(s.S, messages, pubKey) - g1.Neg(p2, p2) + p2.Neg() - if compareTwoPairings(p1, q1, p2, g2.One()) { + if compareTwoPairings(p1, q1, p2, curve.GenG2) { return nil } diff --git a/component/kmscrypto/crypto/primitive/bbs12381g2pub/signature_message.go b/component/kmscrypto/crypto/primitive/bbs12381g2pub/signature_message.go index bd25fa896..33e39ba4e 100644 --- a/component/kmscrypto/crypto/primitive/bbs12381g2pub/signature_message.go +++ b/component/kmscrypto/crypto/primitive/bbs12381g2pub/signature_message.go @@ -7,12 +7,12 @@ SPDX-License-Identifier: Apache-2.0 package bbs12381g2pub import ( - bls12381 "github.com/kilic/bls12-381" + ml "github.com/IBM/mathlib" ) // SignatureMessage defines a message to be used for a signature check. type SignatureMessage struct { - FR *bls12381.Fr + FR *ml.Zr } // ParseSignatureMessage parses SignatureMessage from bytes. diff --git a/component/kmscrypto/crypto/primitive/bbs12381g2pub/signature_proof.go b/component/kmscrypto/crypto/primitive/bbs12381g2pub/signature_proof.go index d4bd1f414..4f1fc3a12 100644 
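Review bot: `Signature.Verify` now calls `q1.Add(pubKey.w)` and `p2.Neg()` in place on the results of `curve.GenG2.Mul` and `computeB`; this is safe only if `Mul` returns a fresh point rather than its receiver, because otherwise every verification would corrupt the shared generator `curve.GenG2` (and `PrivateKey.PublicKey` in keys.go relies on the same assumption). Usage across this patch suggests `Mul` allocates, but nothing documents it, so add `// Mul returns a new point; curve.GenG2 itself is never mutated` above `q1` and a test that `curve.GenG2.Equals` its original value after both a failed and a successful verification. `compareTwoPairings` is also handed `curve.GenG2` directly and must likewise not mutate its arguments.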
--- a/component/kmscrypto/crypto/primitive/bbs12381g2pub/signature_proof.go +++ b/component/kmscrypto/crypto/primitive/bbs12381g2pub/signature_proof.go @@ -11,15 +11,15 @@ import ( "errors" "fmt" - bls12381 "github.com/kilic/bls12-381" + ml "github.com/IBM/mathlib" ) // PoKOfSignatureProof defines BLS signature proof. // It is the actual proof that is sent from prover to verifier. type PoKOfSignatureProof struct { - aPrime *bls12381.PointG1 - aBar *bls12381.PointG1 - d *bls12381.PointG1 + aPrime *ml.G1 + aBar *ml.G1 + d *ml.G1 proofVC1 *ProofG1 proofVC2 *ProofG1 
@@ -33,31 +33,31 @@ func (sp *PoKOfSignatureProof) GetBytesForChallenge(revealedMessages map[int]*Si bytesLen := (7 + hiddenCount) * g1UncompressedSize //nolint:gomnd bytes := make([]byte, 0, bytesLen) - bytes = append(bytes, g1.ToUncompressed(sp.aBar)...) - bytes = append(bytes, g1.ToUncompressed(sp.aPrime)...) - bytes = append(bytes, g1.ToUncompressed(pubKey.h0)...) - bytes = append(bytes, g1.ToUncompressed(sp.proofVC1.commitment)...) - bytes = append(bytes, g1.ToUncompressed(sp.d)...) - bytes = append(bytes, g1.ToUncompressed(pubKey.h0)...) + bytes = append(bytes, sp.aBar.Bytes()...) + bytes = append(bytes, sp.aPrime.Bytes()...) + bytes = append(bytes, pubKey.h0.Bytes()...) + bytes = append(bytes, sp.proofVC1.commitment.Bytes()...) + bytes = append(bytes, sp.d.Bytes()...) + bytes = append(bytes, pubKey.h0.Bytes()...) for i := range pubKey.h { if _, ok := revealedMessages[i]; !ok { - bytes = append(bytes, g1.ToUncompressed(pubKey.h[i])...) + bytes = append(bytes, pubKey.h[i].Bytes()...) } } - bytes = append(bytes, g1.ToUncompressed(sp.proofVC2.commitment)...) + bytes = append(bytes, sp.proofVC2.commitment.Bytes()...) return bytes } // Verify verifies PoKOfSignatureProof. -func (sp *PoKOfSignatureProof) Verify(challenge *bls12381.Fr, pubKey *PublicKeyWithGenerators, +func (sp *PoKOfSignatureProof) Verify(challenge *ml.Zr, pubKey *PublicKeyWithGenerators, revealedMessages map[int]*SignatureMessage, messages []*SignatureMessage) error { - aBar := new(bls12381.PointG1) - g1.Neg(aBar, sp.aBar) + aBar := sp.aBar.Copy() + aBar.Neg() - ok := compareTwoPairings(sp.aPrime, pubKey.w, aBar, g2.One()) + ok := compareTwoPairings(sp.aPrime, pubKey.w, aBar, curve.GenG2) if !ok { return errors.New("bad signature") } 
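Review bot: `PoKOfSignatureProof.Verify` runs `compareTwoPairings(sp.aPrime, pubKey.w, aBar, curve.GenG2)` without first rejecting an `sp.aPrime` equal to the point at infinity; with `A' = O` (and `Ā = O`) both pairings are the identity in GT, the check is vacuous, and the only part of the proof that binds it to the issuer key `w` disappears, which is why the BBS+ proof-verification procedure rejects an identity `A'`. Unless that check is performed in `ParseSignatureProof` (not visible in this hunk), add it at the top of `Verify`, e.g. `if sp.aPrime.IsInfinity() { return errors.New("aPrime is the identity point") }`, using the same `IsInfinity` accessor this patch introduces in `ProofG1.Verify`. A test feeding a proof whose `aPrime` bytes encode the identity should then fail.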
@@ -70,10 +70,10 @@ func (sp *PoKOfSignatureProof) Verify(challenge *bls12381.Fr, pubKey *PublicKeyW return sp.verifyVC2Proof(challenge, pubKey, revealedMessages, messages) } -func (sp *PoKOfSignatureProof) verifyVC1Proof(challenge *bls12381.Fr, pubKey *PublicKeyWithGenerators) error { - basesVC1 := []*bls12381.PointG1{sp.aPrime, pubKey.h0} - aBarD := new(bls12381.PointG1) - g1.Sub(aBarD, sp.aBar, sp.d) +func (sp *PoKOfSignatureProof) verifyVC1Proof(challenge *ml.Zr, pubKey *PublicKeyWithGenerators) error { + basesVC1 := []*ml.G1{sp.aPrime, pubKey.h0} + aBarD := sp.aBar.Copy() + aBarD.Sub(sp.d) err := sp.proofVC1.Verify(basesVC1, aBarD, challenge) if err != nil { @@ -83,18 +83,18 @@ func (sp *PoKOfSignatureProof) verifyVC1Proof(challenge *bls12381.Fr, pubKey *Pu return nil } -func (sp *PoKOfSignatureProof) verifyVC2Proof(challenge *bls12381.Fr, pubKey *PublicKeyWithGenerators, +func (sp *PoKOfSignatureProof) verifyVC2Proof(challenge *ml.Zr, pubKey *PublicKeyWithGenerators, revealedMessages map[int]*SignatureMessage, messages []*SignatureMessage) error { revealedMessagesCount := len(revealedMessages) - basesVC2 := make([]*bls12381.PointG1, 0, 2+pubKey.messagesCount-revealedMessagesCount) + basesVC2 := make([]*ml.G1, 0, 2+pubKey.messagesCount-revealedMessagesCount) basesVC2 = append(basesVC2, sp.d, pubKey.h0) - basesDisclosed := make([]*bls12381.PointG1, 0, 1+revealedMessagesCount) - exponents := make([]*bls12381.Fr, 0, 1+revealedMessagesCount) + basesDisclosed := make([]*ml.G1, 0, 1+revealedMessagesCount) + exponents := make([]*ml.Zr, 0, 1+revealedMessagesCount) - basesDisclosed = append(basesDisclosed, g1.One()) - exponents = append(exponents, bls12381.NewFr().One()) + basesDisclosed = append(basesDisclosed, curve.GenG1) + exponents = append(exponents, curve.NewZrFromInt(1)) revealedMessagesInd := 0 
@@ -108,18 +108,19 @@ func (sp *PoKOfSignatureProof) verifyVC2Proof(challenge *bls12381.Fr, pubKey *Pu } } - pr := g1.Zero() + // TODO: expose 0 + pr := curve.GenG1.Copy() + pr.Sub(curve.GenG1) for i := 0; i < len(basesDisclosed); i++ { b := basesDisclosed[i] s := exponents[i] - g := g1.New() - g1.MulScalar(g, b, frToRepr(s)) - g1.Add(pr, pr, g) + g := b.Mul(frToRepr(s)) + pr.Add(g) } - g1.Neg(pr, pr) + pr.Neg() err := sp.proofVC2.Verify(basesVC2, pr, challenge) if err != nil { @@ -133,9 +134,9 @@ func (sp *PoKOfSignatureProof) verifyVC2Proof(challenge *bls12381.Fr, pubKey *Pu func (sp *PoKOfSignatureProof) ToBytes() []byte { bytes := make([]byte, 0) - bytes = append(bytes, g1.ToCompressed(sp.aPrime)...) - bytes = append(bytes, g1.ToCompressed(sp.aBar)...) - bytes = append(bytes, g1.ToCompressed(sp.d)...) + bytes = append(bytes, sp.aPrime.Compressed()...) + bytes = append(bytes, sp.aBar.Compressed()...) + bytes = append(bytes, sp.d.Compressed()...) proof1Bytes := sp.proofVC1.ToBytes() lenBytes := make([]byte, 4) @@ -150,12 +151,12 @@ func (sp *PoKOfSignatureProof) ToBytes() []byte { // ProofG1 is a proof of knowledge of a signature and hidden messages. type ProofG1 struct { - commitment *bls12381.PointG1 - responses []*bls12381.Fr + commitment *ml.G1 + responses []*ml.Zr } // NewProofG1 creates a new ProofG1. -func NewProofG1(commitment *bls12381.PointG1, responses []*bls12381.Fr) *ProofG1 { +func NewProofG1(commitment *ml.G1, responses []*ml.Zr) *ProofG1 { return &ProofG1{ commitment: commitment, responses: responses, 
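Review bot: The new `pr := curve.GenG1.Copy(); pr.Sub(curve.GenG1)` builds the point at infinity by subtracting the generator from itself, as the `TODO: expose 0` admits; it works only if the backend yields a canonical identity for `P - P`, and the following `pr.Add(g)` calls depend on that. Since `basesDisclosed` always begins with `curve.GenG1` paired with exponent 1 (appended earlier in `verifyVC2Proof`, outside this hunk), the hack can be avoided by seeding the accumulator with the first term and starting the loop at 1: `pr := basesDisclosed[0].Mul(frToRepr(exponents[0]))` and `for i := 1; i < len(basesDisclosed); i++ {`. Whichever form stays, leave a comment on the seed line naming the invariant it relies on.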
@@ -163,19 +164,19 @@ func NewProofG1(commitment *bls12381.PointG1, responses []*bls12381.Fr) *ProofG1 } // Verify verifies the ProofG1. -func (pg1 *ProofG1) Verify(bases []*bls12381.PointG1, commitment *bls12381.PointG1, challenge *bls12381.Fr) error { +func (pg1 *ProofG1) Verify(bases []*ml.G1, commitment *ml.G1, challenge *ml.Zr) error { contribution := pg1.getChallengeContribution(bases, commitment, challenge) - g1.Sub(contribution, contribution, pg1.commitment) + contribution.Sub(pg1.commitment) - if !g1.IsZero(contribution) { + if !contribution.IsInfinity() { return errors.New("contribution is not zero") } return nil } -func (pg1 *ProofG1) getChallengeContribution(bases []*bls12381.PointG1, commitment *bls12381.PointG1, - challenge *bls12381.Fr) *bls12381.PointG1 { +func (pg1 *ProofG1) getChallengeContribution(bases []*ml.G1, commitment *ml.G1, + challenge *ml.Zr) *ml.G1 { points := append(bases, commitment) scalars := append(pg1.responses, challenge) @@ -186,7 +187,7 @@ func (pg1 *ProofG1) getChallengeContribution(bases []*bls12381.PointG1, commitme func (pg1 *ProofG1) ToBytes() []byte { bytes := make([]byte, 0) - commitmentBytes := g1.ToCompressed(pg1.commitment) + commitmentBytes := pg1.commitment.Compressed() bytes = append(bytes, commitmentBytes...) lenBytes := make([]byte, 4) @@ -194,7 +195,7 @@ func (pg1 *ProofG1) ToBytes() []byte { bytes = append(bytes, lenBytes...) for i := range pg1.responses { - responseBytes := frToRepr(pg1.responses[i]).ToBytes() + responseBytes := frToRepr(pg1.responses[i]).Bytes() bytes = append(bytes, responseBytes...) } 
@@ -207,11 +208,11 @@ func ParseSignatureProof(sigProofBytes []byte) (*PoKOfSignatureProof, error) { return nil, errors.New("invalid size of signature proof") } - g1Points := make([]*bls12381.PointG1, 3) + g1Points := make([]*ml.G1, 3) offset := 0 for i := range g1Points { - g1Point, err := g1.FromCompressed(sigProofBytes[offset : offset+g1CompressedSize]) + g1Point, err := curve.NewG1FromCompressed(sigProofBytes[offset : offset+g1CompressedSize]) if err != nil { return nil, fmt.Errorf("parse G1 point: %w", err) } @@ -252,7 +253,7 @@ func ParseProofG1(bytes []byte) (*ProofG1, error) { offset := 0 - commitment, err := g1.FromCompressed(bytes[:g1CompressedSize]) + commitment, err := curve.NewG1FromCompressed(bytes[:g1CompressedSize]) if err != nil { return nil, fmt.Errorf("parse G1 point: %w", err) } @@ -265,7 +266,7 @@ func ParseProofG1(bytes []byte) (*ProofG1, error) { return nil, errors.New("invalid size of G1 signature proof") } - responses := make([]*bls12381.Fr, length) + responses := make([]*ml.Zr, length) for i := 0; i < length; i++ { responses[i] = parseFr(bytes[offset : offset+frCompressedSize]) offset += frCompressedSize diff --git a/component/kmscrypto/doc/jose/jwk/jwk_test.go b/component/kmscrypto/doc/jose/jwk/jwk_test.go index a02165893..1c8640a63 100644 --- a/component/kmscrypto/doc/jose/jwk/jwk_test.go +++ b/component/kmscrypto/doc/jose/jwk/jwk_test.go @@ -356,7 +356,7 @@ func TestJWK_BBSKeyValidation(t *testing.T) { err = jwk4.UnmarshalJSON([]byte(goodJWK)) require.EqualError(t, err, "unable to read BBS+ JWE: jwk invalid public key unmarshal: deserialize "+ - "public key: point is not on curve") + "public key: failure [set bytes failed [point is not on curve]]") }) } diff --git a/component/kmscrypto/go.mod b/component/kmscrypto/go.mod index 295017b30..cf1b4f1fd 100644 --- a/component/kmscrypto/go.mod +++ b/component/kmscrypto/go.mod 
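Review bot: `ParseSignatureProof` and `ParseProofG1` now decode the prover-controlled points `aPrime`, `aBar`, `d` and each commitment via `curve.NewG1FromCompressed`, and nothing in these hunks rejects a point that is on the curve but outside the prime-order subgroup; the pairing check and the Schnorr equations in `PoKOfSignatureProof.Verify` assume prime-order inputs. If the mathlib backend behind `curve` (not visible here) does not perform that check on deserialization, add one in both parsers right after the `err` check and fail with an invalid-G1-point error. A comment at each decode site, `// deserialization must enforce subgroup membership: these points come from the prover`, records the requirement either way.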
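Review bot: The updated expectation in `TestJWK_BBSKeyValidation` pins the exact nested wording of a third-party error (`failure [set bytes failed [point is not on curve]]`), so any message change in mathlib or its gnark/amcl backend will break this test without any behavioral change, and the text leaks library internals to API callers. Prefer `require.ErrorContains(t, err, "deserialize public key")` here, or have `UnmarshalPublicKey` wrap the backend error behind a package-level sentinel that the test asserts with `require.ErrorIs`.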
@@ -7,6 +7,7 @@ module github.com/hyperledger/aries-framework-go/component/kmscrypto go 1.19 require ( + github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c github.com/bluele/gcache v0.0.0-20190518031135-bc40bd653833 github.com/btcsuite/btcd v0.22.0-beta github.com/btcsuite/btcutil v1.0.3-0.20201208143702-a53e38424cce @@ -17,19 +18,24 @@ require ( github.com/hyperledger/aries-framework-go/component/log v0.0.0-20230417184158-344a7f82c4c2 github.com/hyperledger/aries-framework-go/spi v0.0.0-20230417184158-344a7f82c4c2 github.com/hyperledger/ursa-wrapper-go v0.3.1 - github.com/kilic/bls12-381 v0.1.1-0.20210503002446-7b7597926c69 github.com/stretchr/testify v1.8.1 github.com/teserakt-io/golang-ed25519 v0.0.0-20210104091850-3888c087a4c8 golang.org/x/crypto v0.1.0 - golang.org/x/sys v0.1.0 google.golang.org/protobuf v1.28.1 ) require ( + github.com/consensys/bavard v0.1.13 // indirect + github.com/consensys/gnark-crypto v0.9.1 // indirect github.com/davecgh/go-spew v1.1.1 // indirect + github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8 // indirect + github.com/kilic/bls12-381 v0.1.0 // indirect + github.com/mmcloughlin/addchain v0.4.0 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect + golang.org/x/sys v0.2.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect + rsc.io/tmplfunc v0.0.3 // indirect ) replace ( diff --git a/component/kmscrypto/go.sum b/component/kmscrypto/go.sum index da5bc5263..2cf79a9d5 100644 --- a/component/kmscrypto/go.sum +++ b/component/kmscrypto/go.sum 
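Review bot: The kmscrypto `go.mod` now depends on `github.com/IBM/mathlib` at an untagged pseudo-version (`v0.0.3-0.20230428120512-...`) and pulls in `gnark-crypto`, `fabric-amcl` and a downgraded indirect `kilic/bls12-381 v0.1.0`; for the cryptographic core this is a noticeably larger trust surface than the single library it replaces, and a commit hash is harder for vulnerability tooling to track than a release tag. Consider moving to a tagged mathlib release once available, and add a short comment in `go.mod` (or the commit message) recording why the indirect `kilic/bls12-381` remains, so it is not mistaken for a leftover of the old implementation.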
@@ -1,3 +1,5 @@ +github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c h1:eLCIQV1wI6WBt1T+s2vUWFg7tBB0Xu/+YZSZ877+kyM= +github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c/go.mod h1:p0HGSuwoOwAlts8u8rMJrInDo9BEwWUfzTIzdA+QuDo= github.com/aead/siphash v1.0.1/go.mod h1:Nywa3cDsYNNK3gaciGTWPwHt0wlpNV15vwmswBAUSII= github.com/bluele/gcache v0.0.0-20190518031135-bc40bd653833 h1:yCfXxYaelOyqnia8F/Yng47qhmfC9nKTRIbYRrRueq4= github.com/bluele/gcache v0.0.0-20190518031135-bc40bd653833/go.mod h1:8c4/i2VlovMO2gBnHGQPN5EJw+H0lx1u/5p+cgsXtCk= @@ -15,6 +17,10 @@ github.com/btcsuite/snappy-go v0.0.0-20151229074030-0bdef8d06723/go.mod h1:8woku github.com/btcsuite/snappy-go v1.0.0/go.mod h1:8woku9dyThutzjeg+3xrA5iCpBRH8XEEg3lh6TiUghc= github.com/btcsuite/websocket v0.0.0-20150119174127-31079b680792/go.mod h1:ghJtEyQwv5/p4Mg4C0fgbePVuGr935/5ddU9Z3TmDRY= github.com/btcsuite/winsvc v1.0.0/go.mod h1:jsenWakMcC0zFBFurPLEAyrnc/teJEM1O46fmI40EZs= +github.com/consensys/bavard v0.1.13 h1:oLhMLOFGTLdlda/kma4VOJazblc7IM5y5QPd2A/YjhQ= +github.com/consensys/bavard v0.1.13/go.mod h1:9ItSMtA/dXMAiL7BG6bqW2m3NdSEObYWoH223nGHukI= +github.com/consensys/gnark-crypto v0.9.1 h1:mru55qKdWl3E035hAoh1jj9d7hVnYY5pfb6tmovSmII= +github.com/consensys/gnark-crypto v0.9.1/go.mod h1:a2DQL4+5ywF6safEeZFEPGRiiGbjzGFRUN2sg06VuU4= github.com/davecgh/go-spew v0.0.0-20171005155431-ecdeabc65495/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 
@@ -32,19 +38,26 @@ github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiu github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o= +github.com/google/subcommands v1.2.0/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk= github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w= github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8 h1:BCR8ZlOZ+deUbWxyY6fpoY8LbB7PR5wGGwCTvWQOU2g= +github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8/go.mod h1:X+DIyUsaTmalOpmpQfIvFZjKHQedrURQ5t4YqquX7lE= github.com/hyperledger/ursa-wrapper-go v0.3.1 h1:Do+QrVNniY77YK2jTIcyWqj9rm/Yb5SScN0bqCjiibA= github.com/hyperledger/ursa-wrapper-go v0.3.1/go.mod h1:nPSAuMasIzSVciQo22PedBk4Opph6bJ6ia3ms7BH/mk= github.com/jessevdk/go-flags v0.0.0-20141203071132-1679536dcc89/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jrick/logrotate v1.0.0/go.mod h1:LNinyqDIJnpAur+b8yyulnQw/wDuN1+BYKlTRt3OuAQ= -github.com/kilic/bls12-381 v0.1.1-0.20210503002446-7b7597926c69 h1:kMJlf8z8wUcpyI+FQJIdGjAhfTww1y0AbQEv86bpVQI= -github.com/kilic/bls12-381 v0.1.1-0.20210503002446-7b7597926c69/go.mod h1:tlkavyke+Ac7h8R3gZIjI5LKBcvMlSWnXNMgT3vZXo8= +github.com/kilic/bls12-381 v0.1.0 h1:encrdjqKMEvabVQ7qYOKu1OvhqpK4s47wDYtNiPtlp4= +github.com/kilic/bls12-381 v0.1.0/go.mod h1:vDTTHJONJ6G+P2R74EhnyotQDTliQDnFEwhdmfzw1ig= github.com/kkdai/bstream v0.0.0-20161212061736-f391b8402d23/go.mod h1:J+Gs4SYgM6CZQHDETBtE9HaSEkGmuNXF86RwHhHUvq4= github.com/kr/pretty v0.2.1 
h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/leanovate/gopter v0.2.9 h1:fQjYxZaynp97ozCzfOyOuAGOU4aU/z37zf/tOujFk7c= +github.com/mmcloughlin/addchain v0.4.0 h1:SobOdjm2xLj1KkXN5/n0xTIWyZA2+s99UCY1iPfkHRY= +github.com/mmcloughlin/addchain v0.4.0/go.mod h1:A86O+tHqZLMNO4w6ZZ4FlVQEadcoqkyU72HC5wJ4RlU= +github.com/mmcloughlin/profile v0.1.1/go.mod h1:IhHD7q1ooxgwTgjxQYkACGA77oFTDdFVejUS1/tS/qU= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/gomega v1.4.1/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= @@ -80,9 +93,9 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= -golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20201101102859-da207088b7d1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A= +golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -99,3 +112,5 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +rsc.io/tmplfunc v0.0.3 h1:53XFQh69AfOa8Tw0Jm7t+GV7KZhOi6jzsCzTtKbMvzU= +rsc.io/tmplfunc v0.0.3/go.mod h1:AG3sTPzElb1Io3Yg4voV9AGZJuleGAwaVRxL9M49PhA= diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/LICENSE b/component/kmscrypto/internal/third_party/kilic/bls12-381/LICENSE deleted file mode 100644 index 7a4a3ea24..000000000 --- a/component/kmscrypto/internal/third_party/kilic/bls12-381/LICENSE +++ /dev/null 
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. \ No newline at end of file diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/README.md b/component/kmscrypto/internal/third_party/kilic/bls12-381/README.md deleted file mode 100644 index 4bce9e655..000000000 --- a/component/kmscrypto/internal/third_party/kilic/bls12-381/README.md +++ /dev/null 
@@ -1,29 +0,0 @@
-### High Speed BLS12-381 Implementation in Go
-
-#### Pairing Instance
-
-A Group instance or a pairing engine instance _is not_ suitable for concurrent processing since an instance has its own preallocated memory for temporary variables. A new instance must be created for each thread.
-
-#### Base Field
-
-x86 optimized base field is generated with [kilic/fp](https://github.com/kilic/fp) and for native go is generated with [goff](https://github.com/ConsenSys/goff). Generated codes are slightly edited in both for further requirements.
-
-#### Scalar Field
-
-Both standart big.Int module and x86 optimized implementation are available for scalar field elements and opereations.
-
-#### Serialization
-
-Point serialization is in line with [zkcrypto library](https://github.com/zkcrypto/pairing/tree/master/src/bls12_381#serialization).
-
-#### Hashing to Curve
-
-Hashing to curve implementations for both G1 and G2 follows `_XMD:SHA-256_SSWU_RO_` and `_XMD:SHA-256_SSWU_NU_` suites as defined in `v7` of [irtf hash to curve draft](https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve/).
-
-#### Benchmarks
-
-on _2.3 GHz i7_
-
-```
-BenchmarkPairing 667720 ns/op
-```
diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/README_custom.md b/component/kmscrypto/internal/third_party/kilic/bls12-381/README_custom.md
deleted file mode 100644
index 45858964b..000000000
--- a/component/kmscrypto/internal/third_party/kilic/bls12-381/README_custom.md
+++ /dev/null
@@ -1,11 +0,0 @@
-This is a fork of [High Speed BLS12-381 Implementation in Go](https://github.com/kilic/bls12-381).
-The original README can be found [here](https://github.com/kilic/bls12-381/blob/master/README.md).
-The original LICENSE is Apache License 2.0 and can be found [here](https://github.com/kilic/bls12-381/blob/master/LICENSE).
-
-There are two reasons why we cannot use [original BLS12-381 library](https://github.com/kilic/bls12-381)
-`kilic/bls12-381` directly as go module:
-- [BBS+ signature schema](https://mattrglobal.github.io/bbs-signatures-spec/) requires `blake2b` hash function
- for `hash_to_curve_g1()` while `kilic/bls12-381` uses hardcoded `SHA-256`. A PR to allow selection of hash function
- is made but not yet approved (see [here](https://github.com/kilic/bls12-381/pull/25)).
-- Patched swuMapG1 to allow for big-endian variant (https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#section-4.1.1),
- for interop reasons.
\ No newline at end of file
diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/arithmetic_decl.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/arithmetic_decl.go
deleted file mode 100644
index 1efd36f73..000000000
--- a/component/kmscrypto/internal/third_party/kilic/bls12-381/arithmetic_decl.go
+++ /dev/null
@@ -1,241 +0,0 @@
-// +build amd64,!generic
-
-package bls12381
-
-import (
- "golang.org/x/sys/cpu"
-)
-
-func init() {
- if !cpu.X86.HasADX || !cpu.X86.HasBMI2 {
- mul = mulNoADX
- wmul = wmulNoADX
- fromWide = montRedNoADX
- mulFR = mulNoADXFR
- wmulFR = wmulNoADXFR
- wfp2Mul = wfp2MulGeneric
- wfp2Square = wfp2SquareGeneric
- }
-}
-
-var mul func(c, a, b *fe) = mulADX
-var wmul func(c *wfe, a, b *fe) = wmulADX
-var fromWide func(c *fe, w *wfe) = montRedADX
-var wfp2Mul func(c *wfe2, a, b *fe2) = wfp2MulADX
-var wfp2Square func(c *wfe2, b *fe2) = wfp2SquareADX
-
-func square(c, a *fe) {
- mul(c, a, a)
-}
-
-func neg(c, a *fe) {
- if a.isZero() {
- c.set(a)
- } else {
- _neg(c, a)
- }
-}
-
-//go:noescape
-func add(c, a, b *fe)
-
-//go:noescape
-func addAssign(a, b *fe)
-
-//go:noescape
-func ladd(c, a, b *fe)
-
-//go:noescape
-func laddAssign(a, b *fe)
-
-//go:noescape
-func double(c, a *fe)
-
-//go:noescape
-func doubleAssign(a *fe)
-
-//go:noescape
-func ldouble(c, a *fe)
-
-//go:noescape
-func ldoubleAssign(a *fe)
-
-//go:noescape
-func sub(c, a, b *fe)
-
-//go:noescape
-func subAssign(a, b *fe)
-
-//go:noescape
-func lsubAssign(a, b *fe)
-
-//go:noescape
-func _neg(c, a *fe)
-
-//go:noescape
-func mulNoADX(c, a, b *fe)
-
-//go:noescape
-func mulADX(c, a, b *fe)
-
-//go:noescape
-func wmulNoADX(c *wfe, a, b *fe)
-
-//go:noescape
-func wmulADX(c *wfe, a, b *fe)
-
-//go:noescape
-func montRedNoADX(a *fe, w *wfe)
-
-//go:noescape
-func montRedADX(a *fe, w *wfe)
-
-//go:noescape
-func lwadd(c, a, b *wfe)
-
-//go:noescape
-func lwaddAssign(a, b *wfe)
-
-//go:noescape
-func wadd(c, a, b *wfe)
-
-//go:noescape
-func lwdouble(c, a *wfe)
-
-//go:noescape
-func wdouble(c, a *wfe)
-
-//go:noescape
-func lwsub(c, a, b *wfe)
-
-//go:noescape
-func lwsubAssign(a, b *wfe)
-
-//go:noescape
-func wsub(c, a, b *wfe)
-
-//go:noescape
-func fp2Add(c, a, b *fe2)
-
-//go:noescape
-func fp2AddAssign(a, b *fe2)
-
-//go:noescape
-func fp2Ladd(c, a, b *fe2)
-
-//go:noescape
-func fp2LaddAssign(a, b *fe2)
-
-//go:noescape
-func fp2DoubleAssign(a *fe2)
-
-//go:noescape
-func fp2Double(c, a *fe2)
-
-//go:noescape
-func fp2Sub(c, a, b *fe2)
-
-//go:noescape
-func fp2SubAssign(a, b *fe2)
-
-//go:noescape
-func mulByNonResidue(c, a *fe2)
-
-//go:noescape
-func mulByNonResidueAssign(a *fe2)
-
-//go:noescape
-func wfp2Add(c, a, b *wfe2)
-
-//go:noescape
-func wfp2AddAssign(a, b *wfe2)
-
-//go:noescape
-func wfp2Ladd(c, a, b *wfe2)
-
-//go:noescape
-func wfp2LaddAssign(a, b *wfe2)
-
-//go:noescape
-func wfp2AddMixed(c, a, b *wfe2)
-
-//go:noescape
-func wfp2AddMixedAssign(a, b *wfe2)
-
-//go:noescape
-func wfp2Sub(c, a, b *wfe2)
-
-//go:noescape
-func wfp2SubAssign(a, b *wfe2)
-
-//go:noescape
-func wfp2SubMixed(c, a, b *wfe2)
-
-//go:noescape
-func wfp2SubMixedAssign(a, b *wfe2)
-
-//go:noescape
-func wfp2Double(c, a *wfe2)
-
-//go:noescape
-func wfp2DoubleAssign(a *wfe2)
-
-//go:noescape
-func wfp2MulByNonResidue(c, a *wfe2)
-
-//go:noescape
-func wfp2MulByNonResidueAssign(a *wfe2)
-
-//go:noescape
-func wfp2SquareADX(c *wfe2, a *fe2)
-
-//go:noescape
-func wfp2MulADX(c *wfe2, a, b *fe2)
-
-var mulFR func(c, a, b *Fr) = mulADXFR
-var wmulFR func(c *wideFr, a, b *Fr) = wmulADXFR
-
-func squareFR(c, a *Fr) {
- mulFR(c, a, a)
-}
-
-func negFR(c, a *Fr) {
- if a.IsZero() {
- c.Set(a)
- } else {
- _negFR(c, a)
- }
-}
-
-//go:noescape
-func addFR(c, a, b *Fr)
-
-//go:noescape
-func laddAssignFR(a, b *Fr)
-
-//go:noescape
-func doubleFR(c, a *Fr)
-
-//go:noescape
-func subFR(c, a, b *Fr)
-
-//go:noescape
-func lsubAssignFR(a, b *Fr)
-
-//go:noescape
-func _negFR(c, a *Fr)
-
-//go:noescape
-func mulNoADXFR(c, a, b *Fr)
-
-//go:noescape
-func mulADXFR(c, a, b *Fr)
-
-//go:noescape
-func wmulADXFR(c *wideFr, a, b *Fr)
-
-//go:noescape
-func wmulNoADXFR(c *wideFr, a, b *Fr)
-
-//go:noescape
-func waddFR(a, b *wideFr)
diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/arithmetic_fallback.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/arithmetic_fallback.go
deleted file mode 100644
index dd8e3a99d..000000000
--- a/component/kmscrypto/internal/third_party/kilic/bls12-381/arithmetic_fallback.go
+++ /dev/null
@@ -1,62 +0,0 @@ -// +build !amd64 generic - -// Copyright 2020 ConsenSys Software Inc. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Code generated by goff (v0.3.5) DO NOT EDIT - -package bls12381 - -import ( - "math/bits" -) - -// madd0 hi = a*b + c (discards lo bits) -func madd0(a, b, c uint64) (hi uint64) { - var carry, lo uint64 - hi, lo = bits.Mul64(a, b) - _, carry = bits.Add64(lo, c, 0) - hi, _ = bits.Add64(hi, 0, carry) - return -} - -// madd1 hi, lo = a*b + c -func madd1(a, b, c uint64) (hi uint64, lo uint64) { - var carry uint64 - hi, lo = bits.Mul64(a, b) - lo, carry = bits.Add64(lo, c, 0) - hi, _ = bits.Add64(hi, 0, carry) - return -} - -// madd2 hi, lo = a*b + c + d -func madd2(a, b, c, d uint64) (hi uint64, lo uint64) { - var carry uint64 - hi, lo = bits.Mul64(a, b) - c, carry = bits.Add64(c, d, 0) - hi, _ = bits.Add64(hi, 0, carry) - lo, carry = bits.Add64(lo, c, 0) - hi, _ = bits.Add64(hi, 0, carry) - return -} - -func madd3(a, b, c, d, e uint64) (hi uint64, lo uint64) { - var carry uint64 - hi, lo = bits.Mul64(a, b) - c, carry = bits.Add64(c, d, 0) - hi, _ = bits.Add64(hi, 0, carry) - lo, carry = bits.Add64(lo, c, 0) - hi, _ = bits.Add64(hi, e, carry) - return -} diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/bls12_381.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/bls12_381.go deleted file mode 100644 index 8945e3a53..000000000 
--- a/component/kmscrypto/internal/third_party/kilic/bls12-381/bls12_381.go
+++ /dev/null
@@ -1,316 +0,0 @@
-package bls12381
-
-const fpNumberOfLimbs = 6
-const fpByteSize = 48
-const fpBitSize = 381
-const sixWordBitSize = 384
-
-// Base Field
-// p = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
-// r = 2 ^ 384
-
-// modulus = p
-var modulus = fe{0xb9feffffffffaaab, 0x1eabfffeb153ffff, 0x6730d2a0f6b0f624, 0x64774b84f38512bf, 0x4b1ba7b6434bacd7, 0x1a0111ea397fe69a}
-
-// -p^(-1) mod 2^64
-var inp uint64 = 0x89f3fffcfffcfffd
-
-// r1 = r mod p
-var r1 = &fe{0x760900000002fffd, 0xebf4000bc40c0002, 0x5f48985753c758ba, 0x77ce585370525745, 0x5c071a97a256ec6d, 0x15f65ec3fa80e493}
-
-// one = mod p
-var one = r1
-
-// zero = 0
-var zero = &fe{}
-
-// r2 = r^2 mod p
-var r2 = &fe{
- 0xf4df1f341c341746, 0x0a76e6a609d104f1, 0x8de5476c4c95b6d5, 0x67eb88a9939d83c0, 0x9a793e85b519952d, 0x11988fe592cae3aa,
-}
-
-// negativeOne = -r mod p
-var negativeOne = &fe{
- 0x43f5fffffffcaaae, 0x32b7fff2ed47fffd, 0x07e83a49a2e99d69, 0xeca8f3318332bb7a, 0xef148d1ea0f4c069, 0x040ab3263eff0206,
-}
-
-// negativeOne2 = -1 + 0 * u
-var negativeOne2 = &fe2{
- fe{0x43f5fffffffcaaae, 0x32b7fff2ed47fffd, 0x07e83a49a2e99d69, 0xeca8f3318332bb7a, 0xef148d1ea0f4c069, 0x040ab3263eff0206},
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
-}
-
-// twoInv = 2^(-1)
-var twoInv = &fe{0x1804000000015554, 0x855000053ab00001, 0x633cb57c253c276f, 0x6e22d1ec31ebb502, 0xd3916126f2d14ca2, 0x17fbb8571a006596}
-
-// pMinus3Over4 = (p - 3) / 4
-var pMinus3Over4 = bigFromHex("0x680447a8e5ff9a692c6e9ed90d2eb35d91dd2e13ce144afd9cc34a83dac3d8907aaffffac54ffffee7fbfffffffeaaa")
-
-// pPlus1Over4 = (p + 1) / 4
-var pPlus1Over4 = bigFromHex("0x680447a8e5ff9a692c6e9ed90d2eb35d91dd2e13ce144afd9cc34a83dac3d8907aaffffac54ffffee7fbfffffffeaab")
-
-// pMinus1Over2 = (p - 1) / 2
-var pMinus1Over2 = bigFromHex("0xd0088f51cbff34d258dd3db21a5d66bb23ba5c279c2895fb39869507b587b120f55ffff58a9ffffdcff7fffffffd555")
-
-// nonResidue1 = -1
-var nonResidue1 = &fe{0x43f5fffffffcaaae, 0x32b7fff2ed47fffd, 0x07e83a49a2e99d69, 0xeca8f3318332bb7a, 0xef148d1ea0f4c069, 0x040ab3263eff0206}
-
-// nonResidue2 = (1 + 1 * u)
-var nonResidue2 = &fe2{
- fe{0x760900000002fffd, 0xebf4000bc40c0002, 0x5f48985753c758ba, 0x77ce585370525745, 0x5c071a97a256ec6d, 0x15f65ec3fa80e493},
- fe{0x760900000002fffd, 0xebf4000bc40c0002, 0x5f48985753c758ba, 0x77ce585370525745, 0x5c071a97a256ec6d, 0x15f65ec3fa80e493},
-}
-
-// Scalar Field
-// q = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
-// Size of six words
-// qr = 2 ^ 256
-
-var qBig = bigFromHex("0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001")
-var q = Fr{0xffffffff00000001, 0x53bda402fffe5bfe, 0x3339d80809a1d805, 0x73eda753299d7d48}
-
-// var qmodulus = Fr{0xffffffff00000001, 0x53bda402fffe5bfe, 0x3339d80809a1d805, 0x73eda753299d7d48}
-
-// -q^(-1) mod 2^64
-var qinp uint64 = 0xfffffffeffffffff
-
-// supress warning: qinp is used in assembly code
-var _ = qinp
-
-// qr1 = qr mod q
-var qr1 = &Fr{0x00000001fffffffe, 0x5884b7fa00034802, 0x998c4fefecbc4ff5, 0x1824b159acc5056f}
-
-// qr2 = qr^2 mod q
-var qr2 = &Fr{0xc999e990f3f29c6d, 0x2b6cedcb87925c23, 0x05d314967254398f, 0x0748d9d99f59ff11}
-
-// Curve Constants
-
-// b coefficient for G1
-var b = &fe{0xaa270000000cfff3, 0x53cc0032fc34000a, 0x478fe97a6b0a807f, 0xb1d37ebee6ba24d7, 0x8ec9733bbf78ab2f, 0x09d645513d83de7e}
-
-// b coefficient for G2
-var b2 = &fe2{
- fe{0xaa270000000cfff3, 0x53cc0032fc34000a, 0x478fe97a6b0a807f, 0xb1d37ebee6ba24d7, 0x8ec9733bbf78ab2f, 0x09d645513d83de7e},
- fe{0xaa270000000cfff3, 0x53cc0032fc34000a, 0x478fe97a6b0a807f, 0xb1d37ebee6ba24d7, 0x8ec9733bbf78ab2f, 0x09d645513d83de7e},
-}
-
-// G1 cofactor
-var cofactorG1 = bigFromHex("0x396c8c005555e1568c00aaab0000aaab")
-
-// G2 cofactor
-var cofactorG2 = bigFromHex("5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5")
-
-// Efficient G1 cofactor
-var cofactorEFFG1 = bigFromHex("0xd201000000010001")
-
-// Efficient G2 cofactor
-var cofactorEFFG2 = bigFromHex("0x0bc69f08f2ee75b3584c6a0ea91b352888e2a8e9145ad7689986ff031508ffe1329c2f178731db956d82bf015d1212b02ec0ec69d7477c1ae954cbc06689f6a359894c0adebbf6b4e8020005aaa95551")
-
-// G1 generator
-var g1One = PointG1{
- fe{0x5cb38790fd530c16, 0x7817fc679976fff5, 0x154f95c7143ba1c1, 0xf0ae6acdf3d0e747, 0xedce6ecc21dbf440, 0x120177419e0bfb75},
- fe{0xbaac93d50ce72271, 0x8c22631a7918fd8e, 0xdd595f13570725ce, 0x51ac582950405194, 0x0e1c8c3fad0059c0, 0x0bbc3efc5008a26a},
- fe{0x760900000002fffd, 0xebf4000bc40c0002, 0x5f48985753c758ba, 0x77ce585370525745, 0x5c071a97a256ec6d, 0x15f65ec3fa80e493},
-}
-
-var G1One = g1One
-
-// Negated G1 generator
-var g1NegativeOne = PointG1{
- fe{0x5cb38790fd530c16, 0x7817fc679976fff5, 0x154f95c7143ba1c1, 0xf0ae6acdf3d0e747, 0xedce6ecc21dbf440, 0x120177419e0bfb75},
- fe{0xff526c2af318883a, 0x92899ce4383b0270, 0x89d7738d9fa9d055, 0x12caf35ba344c12a, 0x3cff1b76964b5317, 0x0e44d2ede9774430},
- fe{0x760900000002fffd, 0xebf4000bc40c0002, 0x5f48985753c758ba, 0x77ce585370525745, 0x5c071a97a256ec6d, 0x15f65ec3fa80e493},
-}
-
-// G2 generator
-var g2One = PointG2{
- fe2{
- fe{0xf5f28fa202940a10, 0xb3f5fb2687b4961a, 0xa1a893b53e2ae580, 0x9894999d1a3caee9, 0x6f67b7631863366b, 0x058191924350bcd7},
- fe{0xa5a9c0759e23f606, 0xaaa0c59dbccd60c3, 0x3bb17e18e2867806, 0x1b1ab6cc8541b367, 0xc2b6ed0ef2158547, 0x11922a097360edf3},
- },
- fe2{
- fe{0x4c730af860494c4a, 0x597cfa1f5e369c5a, 0xe7e6856caa0a635a, 0xbbefb5e96e0d495f, 0x07d3a975f0ef25a2, 0x083fd8e7e80dae5},
- fe{0xadc0fc92df64b05d, 0x18aa270a2b1461dc, 0x86adac6a3be4eba0, 0x79495c4ec93da33a, 0xe7175850a43ccaed, 0xb2bc2a163de1bf2},
- },
- fe2{
- fe{0x760900000002fffd, 0xebf4000bc40c0002, 0x5f48985753c758ba, 0x77ce585370525745, 0x5c071a97a256ec6d, 0x15f65ec3fa80e493},
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
- },
-}
-
-var G2One = g2One
-
-// Psi values for faster cofactor clearing
-
-// psix = 1 / (nr ^ (p - 1)/3)
-var psix = fe2{
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
- fe{0x890dc9e4867545c3, 0x2af322533285a5d5, 0x50880866309b7e2c, 0xa20d1b8c7e881024, 0x14e4f04fe2db9068, 0x14e56d3f1564853a},
-}
-
-// psiy = 1 / (nr ^ (p - 1)/2)
-var psiy = fe2{
- fe{0x3e2f585da55c9ad1, 0x4294213d86c18183, 0x382844c88b623732, 0x92ad2afd19103e18, 0x1d794e4fac7cf0b9, 0x0bd592fc7d825ec8},
- fe{0x7bcfa7a25aa30fda, 0xdc17dec12a927e7c, 0x2f088dd86b4ebef1, 0xd1ca2087da74d4a7, 0x2da2596696cebc1d, 0x0e2b7eedbbfd87d2},
-}
-
-// Frobenius Coeffs
-
-// z = -1
-var frobeniusCoeffs2 = [2]fe{
- // z ^ (( p ^ 0 - 1) / 2)
- fe{0x760900000002fffd, 0xebf4000bc40c0002, 0x5f48985753c758ba, 0x77ce585370525745, 0x5c071a97a256ec6d, 0x15f65ec3fa80e493},
- // z ^ (( p ^ 1 - 1) / 2)
- fe{0x43f5fffffffcaaae, 0x32b7fff2ed47fffd, 0x07e83a49a2e99d69, 0xeca8f3318332bb7a, 0xef148d1ea0f4c069, 0x040ab3263eff0206},
-}
-
-// z = u + 1
-var frobeniusCoeffs61 = [6]fe2{
- // z ^ (( p ^ 0 - 1) / 3)
- fe2{
- fe{0x760900000002fffd, 0xebf4000bc40c0002, 0x5f48985753c758ba, 0x77ce585370525745, 0x5c071a97a256ec6d, 0x15f65ec3fa80e493},
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
- },
- // z ^ (( p ^ 1 - 1) / 3)
- fe2{
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
- fe{0xcd03c9e48671f071, 0x5dab22461fcda5d2, 0x587042afd3851b95, 0x8eb60ebe01bacb9e, 0x03f97d6e83d050d2, 0x18f0206554638741},
- },
- // z ^ (( p ^ 2 - 1) / 3)
- fe2{
- fe{0x30f1361b798a64e8, 0xf3b8ddab7ece5a2a, 0x16a8ca3ac61577f7, 0xc26a2ff874fd029b, 0x3636b76660701c6e, 0x051ba4ab241b6160},
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
- },
- // z ^ (( p ^ 3 - 1) / 3)
- fe2{
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
- fe{0x760900000002fffd, 0xebf4000bc40c0002, 0x5f48985753c758ba, 0x77ce585370525745, 0x5c071a97a256ec6d, 0x15f65ec3fa80e493},
- },
- // z ^ (( p ^ 4 - 1) / 3)
- fe2{
- fe{0xcd03c9e48671f071, 0x5dab22461fcda5d2, 0x587042afd3851b95, 0x8eb60ebe01bacb9e, 0x03f97d6e83d050d2, 0x18f0206554638741},
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
- },
- // z ^ (( p ^ 5 - 1) / 3)
- fe2{
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
- fe{0x30f1361b798a64e8, 0xf3b8ddab7ece5a2a, 0x16a8ca3ac61577f7, 0xc26a2ff874fd029b, 0x3636b76660701c6e, 0x051ba4ab241b6160},
- },
-}
-
-// z = u + 1
-var frobeniusCoeffs62 = [6]fe2{
- // z ^ (( 2 * p ^ 0 - 2) / 3)
- fe2{
- fe{0x760900000002fffd, 0xebf4000bc40c0002, 0x5f48985753c758ba, 0x77ce585370525745, 0x5c071a97a256ec6d, 0x15f65ec3fa80e493},
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
- },
- // z ^ (( 2 * p ^ 1 - 2) / 3)
- fe2{
- fe{0x890dc9e4867545c3, 0x2af322533285a5d5, 0x50880866309b7e2c, 0xa20d1b8c7e881024, 0x14e4f04fe2db9068, 0x14e56d3f1564853a},
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
- },
- // z ^ (( 2 * p ^ 2 - 2) / 3)
- fe2{
- fe{0xcd03c9e48671f071, 0x5dab22461fcda5d2, 0x587042afd3851b95, 0x8eb60ebe01bacb9e, 0x03f97d6e83d050d2, 0x18f0206554638741},
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
- },
- // z ^ (( 2 * p ^ 3 - 2) / 3)
- fe2{
- fe{0x43f5fffffffcaaae, 0x32b7fff2ed47fffd, 0x07e83a49a2e99d69, 0xeca8f3318332bb7a, 0xef148d1ea0f4c069, 0x040ab3263eff0206},
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
- },
- // z ^ (( 2 * p ^ 4 - 2) / 3)
- fe2{
- fe{0x30f1361b798a64e8, 0xf3b8ddab7ece5a2a, 0x16a8ca3ac61577f7, 0xc26a2ff874fd029b, 0x3636b76660701c6e, 0x051ba4ab241b6160},
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
- },
- // z ^ (( 2 * p ^ 5 - 2) / 3)
- fe2{
- fe{0xecfb361b798dba3a, 0xc100ddb891865a2c, 0x0ec08ff1232bda8e, 0xd5c13cc6f1ca4721, 0x47222a47bf7b5c04, 0x0110f184e51c5f59},
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
- },
-}
-
-var frobeniusCoeffs12 = [12]fe2{
- // z = u + 1
- // z ^ ((p ^ 0 - 1) / 6)
- fe2{
- fe{0x760900000002fffd, 0xebf4000bc40c0002, 0x5f48985753c758ba, 0x77ce585370525745, 0x5c071a97a256ec6d, 0x15f65ec3fa80e493},
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
- },
- // z ^ ((p ^ 1 - 1) / 6)
- fe2{
- fe{0x07089552b319d465, 0xc6695f92b50a8313, 0x97e83cccd117228f, 0xa35baecab2dc29ee, 0x1ce393ea5daace4d, 0x08f2220fb0fb66eb},
- fe{0xb2f66aad4ce5d646, 0x5842a06bfc497cec, 0xcf4895d42599d394, 0xc11b9cba40a8e8d0, 0x2e3813cbe5a0de89, 0x110eefda88847faf},
- },
- // z ^ ((p ^ 2 - 1) / 6)
- fe2{
- fe{0xecfb361b798dba3a, 0xc100ddb891865a2c, 0x0ec08ff1232bda8e, 0xd5c13cc6f1ca4721, 0x47222a47bf7b5c04, 0x0110f184e51c5f59},
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
- },
- // z ^ ((p ^ 3 - 1) / 6)
- fe2{
- fe{0x3e2f585da55c9ad1, 0x4294213d86c18183, 0x382844c88b623732, 0x92ad2afd19103e18, 0x1d794e4fac7cf0b9, 0x0bd592fc7d825ec8},
- fe{0x7bcfa7a25aa30fda, 0xdc17dec12a927e7c, 0x2f088dd86b4ebef1, 0xd1ca2087da74d4a7, 0x2da2596696cebc1d, 0x0e2b7eedbbfd87d2},
- },
- // z ^ ((p ^ 4 - 1) / 6)
- fe2{
- fe{0x30f1361b798a64e8, 0xf3b8ddab7ece5a2a, 0x16a8ca3ac61577f7, 0xc26a2ff874fd029b, 0x3636b76660701c6e, 0x051ba4ab241b6160},
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
- },
- // z ^ ((p ^ 5 - 1) / 6)
- fe2{
- fe{0x3726c30af242c66c, 0x7c2ac1aad1b6fe70, 0xa04007fbba4b14a2, 0xef517c3266341429, 0x0095ba654ed2226b, 0x02e370eccc86f7dd},
- fe{0x82d83cf50dbce43f, 0xa2813e53df9d018f, 0xc6f0caa53c65e181, 0x7525cf528d50fe95, 0x4a85ed50f4798a6b, 0x171da0fd6cf8eebd},
- },
- // z ^ ((p ^ 6 - 1) / 6)
- fe2{
- fe{0x43f5fffffffcaaae, 0x32b7fff2ed47fffd, 0x07e83a49a2e99d69, 0xeca8f3318332bb7a, 0xef148d1ea0f4c069, 0x040ab3263eff0206},
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
- },
- // z ^ ((p ^ 7 - 1) / 6)
- fe2{
- fe{0xb2f66aad4ce5d646, 0x5842a06bfc497cec, 0xcf4895d42599d394, 0xc11b9cba40a8e8d0, 0x2e3813cbe5a0de89, 0x110eefda88847faf},
- fe{0x07089552b319d465, 0xc6695f92b50a8313, 0x97e83cccd117228f, 0xa35baecab2dc29ee, 0x1ce393ea5daace4d, 0x08f2220fb0fb66eb},
- },
- // z ^ ((p ^ 8 - 1) / 6)
- fe2{
- fe{0xcd03c9e48671f071, 0x5dab22461fcda5d2, 0x587042afd3851b95, 0x8eb60ebe01bacb9e, 0x03f97d6e83d050d2, 0x18f0206554638741},
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
- },
- // z ^ ((p ^ 9 - 1) / 6)
- fe2{
- fe{0x7bcfa7a25aa30fda, 0xdc17dec12a927e7c, 0x2f088dd86b4ebef1, 0xd1ca2087da74d4a7, 0x2da2596696cebc1d, 0x0e2b7eedbbfd87d2},
- fe{0x3e2f585da55c9ad1, 0x4294213d86c18183, 0x382844c88b623732, 0x92ad2afd19103e18, 0x1d794e4fac7cf0b9, 0x0bd592fc7d825ec8},
- },
- // z ^ ((p ^ 10 - 1) / 6)
- fe2{
- fe{0x890dc9e4867545c3, 0x2af322533285a5d5, 0x50880866309b7e2c, 0xa20d1b8c7e881024, 0x14e4f04fe2db9068, 0x14e56d3f1564853a},
- fe{0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000},
- },
- // z ^ ((p ^ 11 - 1) / 6)
- fe2{
- fe{0x82d83cf50dbce43f, 0xa2813e53df9d018f, 0xc6f0caa53c65e181, 0x7525cf528d50fe95, 0x4a85ed50f4798a6b, 0x171da0fd6cf8eebd},
- fe{0x3726c30af242c66c, 0x7c2ac1aad1b6fe70, 0xa04007fbba4b14a2, 0xef517c3266341429, 0x0095ba654ed2226b, 0x02e370eccc86f7dd},
- },
-}
-
-// x
-
-// var x = bigFromHex("0xd201000000010000")
-var x uint64 = 0xd201000000010000
-
-// square root
-
-var sqrtMinus1 = &fe2{*new(fe).zero(), *new(fe).one()}
-
-var sqrtSqrtMinus1 = &fe2{
- fe{0x3e2f585da55c9ad1, 0x4294213d86c18183, 0x382844c88b623732, 0x92ad2afd19103e18, 0x1d794e4fac7cf0b9, 0x0bd592fc7d825ec8},
- fe{0x7bcfa7a25aa30fda, 0xdc17dec12a927e7c, 0x2f088dd86b4ebef1, 0xd1ca2087da74d4a7, 0x2da2596696cebc1d, 0x0e2b7eedbbfd87d2},
-}
-
-var sqrtMinusSqrtMinus1 = &fe2{
- fe{0x7bcfa7a25aa30fda, 0xdc17dec12a927e7c, 0x2f088dd86b4ebef1, 0xd1ca2087da74d4a7, 0x2da2596696cebc1d, 0x0e2b7eedbbfd87d2},
- fe{0x7bcfa7a25aa30fda, 0xdc17dec12a927e7c, 0x2f088dd86b4ebef1, 0xd1ca2087da74d4a7, 0x2da2596696cebc1d, 0x0e2b7eedbbfd87d2},
-}
diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/field_element.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/field_element.go
deleted file mode 100644
index 4d3e92217..000000000
--- a/component/kmscrypto/internal/third_party/kilic/bls12-381/field_element.go
+++ /dev/null
@@ -1,404 +0,0 @@
-package bls12381
-
-import (
- "crypto/rand"
- "encoding/hex"
- "fmt"
- "io"
- "math/big"
-)
-
-// fe is base field element representation
-type fe /*** ***/ [fpNumberOfLimbs]uint64
-
-// fe2 is element representation of 'fp2' which is quadratic extention of base field 'fp'
-// Representation follows c[0] + c[1] * u encoding order.
-type fe2 /** ***/ [2]fe
-
-// fe6 is element representation of 'fp6' field which is cubic extention of 'fp2'
-// Representation follows c[0] + c[1] * v + c[2] * v^2 encoding order.
-type fe6 /** ***/ [3]fe2
-
-// fe12 is element representation of 'fp12' field which is quadratic extention of 'fp6'
-// Representation follows c[0] + c[1] * w encoding order.
-type fe12 /** ***/ [2]fe6
-
-type wfe /*** ***/ [fpNumberOfLimbs * 2]uint64
-type wfe2 /** ***/ [2]wfe
-type wfe6 /** ***/ [3]wfe2
-
-func (fe *fe) setBytes(in []byte) *fe {
- l := len(in)
- if l >= fpByteSize {
- l = fpByteSize
- }
- padded := make([]byte, fpByteSize)
- copy(padded[fpByteSize-l:], in[:])
- var a int
- for i := 0; i < fpNumberOfLimbs; i++ {
- a = fpByteSize - i*8
- fe[i] = uint64(padded[a-1]) | uint64(padded[a-2])<<8 |
- uint64(padded[a-3])<<16 | uint64(padded[a-4])<<24 |
- uint64(padded[a-5])<<32 | uint64(padded[a-6])<<40 |
- uint64(padded[a-7])<<48 | uint64(padded[a-8])<<56
- }
- return fe
-}
-
-func (fe *fe) setBig(a *big.Int) *fe {
- return fe.setBytes(a.Bytes())
-}
-
-func (fe *fe) setString(s string) (*fe, error) {
- if s[:2] == "0x" {
- s = s[2:]
- }
- bytes, err := hex.DecodeString(s)
- if err != nil {
- return nil, err
- }
- return fe.setBytes(bytes), nil
-}
-
-func (fe *fe) set(fe2 *fe) *fe {
- fe[0] = fe2[0]
- fe[1] = fe2[1]
- fe[2] = fe2[2]
- fe[3] = fe2[3]
- fe[4] = fe2[4]
- fe[5] = fe2[5]
- return fe
-}
-
-func (fe *fe) bytes() []byte {
- out := make([]byte, fpByteSize)
- var a int
- for i := 0; i < fpNumberOfLimbs; i++ {
- a = fpByteSize - i*8
- out[a-1] = byte(fe[i])
- out[a-2] = byte(fe[i] >> 8)
- out[a-3] = byte(fe[i] >> 16)
- out[a-4] = byte(fe[i] >> 24)
- out[a-5] = byte(fe[i] >> 32)
- out[a-6] = byte(fe[i] >> 40)
- out[a-7] = byte(fe[i] >> 48)
- out[a-8] = byte(fe[i] >> 56)
- }
- return out
-}
-
-func (fe *fe) big() *big.Int {
- return new(big.Int).SetBytes(fe.bytes())
-}
-
-func (fe *fe) string() (s string) {
- for i := fpNumberOfLimbs - 1; i >= 0; i-- {
- s = fmt.Sprintf("%s%16.16x", s, fe[i])
- }
- return "0x" + s
-}
-
-func (fe *fe) zero() *fe {
- fe[0] = 0
- fe[1] = 0
- fe[2] = 0
- fe[3] = 0
- fe[4] = 0
- fe[5] = 0
- return fe
-}
-
-func (fe *fe) one() *fe {
- return fe.set(r1)
-}
-
-func (fe *fe) rand(r io.Reader) (*fe, error) {
- bi, err := rand.Int(r, modulus.big())
- if err != nil {
- return nil, err
- }
- return fe.setBig(bi), nil
-}
-
-func (fe *fe) isValid() bool {
- return fe.cmp(&modulus) == -1
-}
-
-func (fe *fe) isOdd() bool {
- var mask uint64 = 1
- return fe[0]&mask != 0
-}
-
-func (fe *fe) isEven() bool {
- var mask uint64 = 1
- return fe[0]&mask == 0
-}
-
-func (fe *fe) isZero() bool {
- return (fe[5] | fe[4] | fe[3] | fe[2] | fe[1] | fe[0]) == 0
-}
-
-func (fe *fe) isOne() bool {
- return fe.equal(r1)
-}
-
-func (fe *fe) cmp(fe2 *fe) int {
- for i := fpNumberOfLimbs - 1; i >= 0; i-- {
- if fe[i] > fe2[i] {
- return 1
- } else if fe[i] < fe2[i] {
- return -1
- }
- }
- return 0
-}
-
-func (fe *fe) equal(fe2 *fe) bool {
- return fe2[0] == fe[0] && fe2[1] == fe[1] && fe2[2] == fe[2] && fe2[3] == fe[3] && fe2[4] == fe[4] && fe2[5] == fe[5]
-}
-
-func (e *fe) signBE() bool {
- negZ, z := new(fe), new(fe)
- fromMont(z, e)
- neg(negZ, z)
- return negZ.cmp(z) > -1
-}
-
-func (e *fe) sign() bool {
- r := new(fe)
- fromMont(r, e)
- return r[0]&1 == 0
-}
-
-func (e *fe) div2(u uint64) {
- e[0] = e[0]>>1 | e[1]<<63
- e[1] = e[1]>>1 | e[2]<<63
- e[2] = e[2]>>1 | e[3]<<63
- e[3] = e[3]>>1 | e[4]<<63
- e[4] = e[4]>>1 | e[5]<<63
- e[5] = e[5]>>1 | u<<63
-}
-
-func (e *fe) mul2() uint64 {
- u := e[5] >> 63
- e[5] = e[5]<<1 | e[4]>>63
- e[4] = e[4]<<1 | e[3]>>63
- e[3] = e[3]<<1 | e[2]>>63
- e[2] = e[2]<<1 | e[1]>>63
- e[1] = e[1]<<1 | e[0]>>63
- e[0] = e[0] << 1
- return u
-}
-
-func (e *fe2) zero() *fe2 {
- e[0].zero()
- e[1].zero()
- return e
-}
-
-func (e *fe2) one() *fe2 {
- e[0].one()
- e[1].zero()
- return e
-}
-
-func (e *fe2) set(e2 *fe2) *fe2 {
- e[0].set(&e2[0])
- e[1].set(&e2[1])
- return e
-}
-
-func (e *fe2) fromMont(a *fe2) {
- fromMont(&e[0], &a[0])
- fromMont(&e[1], &a[1])
-}
-
-func (e *fe2) fromWide(w *wfe2) {
- fromWide(&e[0], &w[0])
- fromWide(&e[1], &w[1])
-}
-
-func (e *fe2) rand(r io.Reader) (*fe2, error) {
- a0, err := new(fe).rand(r)
- if err != nil {
- return nil, err
- }
- e[0].set(a0)
- a1, err := new(fe).rand(r)
- if err != nil {
- return nil, err
- }
- e[1].set(a1)
- return e, nil
-}
-
-func (e *fe2) isOne() bool {
- return e[0].isOne() && e[1].isZero()
-}
-
-func (e *fe2) isZero() bool {
- return e[0].isZero() && e[1].isZero()
-}
-
-func (e *fe2) equal(e2 *fe2) bool {
- return e[0].equal(&e2[0]) && e[1].equal(&e2[1])
-}
-
-func (e *fe2) signBE() bool {
- if !e[1].isZero() {
- return e[1].signBE()
- }
- return e[0].signBE()
-}
-
-func (e *fe2) sign() bool {
- r := new(fe)
- if !e[0].isZero() {
- fromMont(r, &e[0])
- return r[0]&1 == 0
- }
- fromMont(r, &e[1])
- return r[0]&1 == 0
-}
-
-func (e *fe6) zero() *fe6 {
- e[0].zero()
- e[1].zero()
- e[2].zero()
- return e
-}
-
-func (e *fe6) one() *fe6 {
- e[0].one()
- e[1].zero()
- e[2].zero()
- return e
-}
-
-func (e *fe6) set(e2 *fe6) *fe6 {
- e[0].set(&e2[0])
- e[1].set(&e2[1])
- e[2].set(&e2[2])
- return e
-}
-
-func (e *fe6) fromMont(a *fe6) {
- e[0].fromMont(&a[0])
- e[1].fromMont(&a[1])
- e[2].fromMont(&a[2])
-}
-
-func (e *fe6) fromWide(w *wfe6) {
- e[0].fromWide(&w[0])
- e[1].fromWide(&w[1])
- e[2].fromWide(&w[2])
-}
-
-func (e *fe6) rand(r io.Reader) (*fe6, error) {
- a0, err := new(fe2).rand(r)
- if err != nil {
- return nil, err
- }
- e[0].set(a0)
- a1, err := new(fe2).rand(r)
- if err != nil {
- return nil, err
- }
- e[1].set(a1)
- a2, err := new(fe2).rand(r)
- if err != nil {
- return nil, err
- }
- e[2].set(a2)
- return e, nil
-}
-
-func (e *fe6) isOne() bool {
- return e[0].isOne() && e[1].isZero() && e[2].isZero()
-}
-
-func (e *fe6) isZero() bool {
- return e[0].isZero() && e[1].isZero() && e[2].isZero()
-}
-
-func (e *fe6) equal(e2 *fe6) bool {
- return e[0].equal(&e2[0]) && e[1].equal(&e2[1]) && e[2].equal(&e2[2])
-}
-
-func (e *fe12) zero() *fe12 {
- e[0].zero()
- e[1].zero()
- return e
-}
-
-func (e *fe12) one() *fe12 {
- e[0].one()
- e[1].zero()
- return e
-}
-
-func (e *fe12) set(e2 *fe12) *fe12 {
- e[0].set(&e2[0])
- e[1].set(&e2[1])
- return e
-}
-
-func (e *fe12) fromMont(a *fe12) {
- e[0].fromMont(&a[0])
- e[1].fromMont(&a[1])
-}
-
-func (e *fe12) rand(r io.Reader) (*fe12, error) {
- a0, err := new(fe6).rand(r)
- if err != nil {
- return nil, err
- }
- e[0].set(a0)
- a1, err := new(fe6).rand(r)
- if err != nil {
- return nil, err
- }
- e[1].set(a1)
- return e, nil
-}
-
-func (e *fe12) isOne() bool {
- return e[0].isOne() && e[1].isZero()
-}
-
-func (e *fe12) isZero() bool {
- return e[0].isZero() && e[1].isZero()
-}
-
-func (e *fe12) equal(e2 *fe12) bool {
- return e[0].equal(&e2[0]) && e[1].equal(&e2[1])
-}
-
-func (fe *wfe) set(fe2 *wfe) *wfe {
- fe[0] = fe2[0]
- fe[1] = fe2[1]
- fe[2] = fe2[2]
- fe[3] = fe2[3]
- fe[4] = fe2[4]
- fe[5] = fe2[5]
- fe[6] = fe2[6]
- fe[7] = fe2[7]
- fe[8] = fe2[8]
- fe[9] = fe2[9]
- fe[10] = fe2[10]
- fe[11] = fe2[11]
- return fe
-}
-
-func (fe *wfe2) set(fe2 *wfe2) *wfe2 {
- fe[0].set(&fe2[0])
- fe[1].set(&fe2[1])
- return fe
-}
-
-func (fe *wfe6) set(fe2 *wfe6) *wfe6 {
- fe[0].set(&fe2[0])
- fe[1].set(&fe2[1])
- fe[2].set(&fe2[2])
- return fe
-}
diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/fp.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/fp.go
deleted file mode 100644
index a163a222d..000000000
--- a/component/kmscrypto/internal/third_party/kilic/bls12-381/fp.go
+++ /dev/null
@@ -1,372 +0,0 @@
-package bls12381
-
-import (
- "errors"
- "math/big"
-)
-
-func fromBytes(in []byte) (*fe, error) {
- fe := &fe{}
- if len(in) != fpByteSize {
- return nil, errors.New("input string must be equal 48 bytes")
- }
- fe.setBytes(in)
- if !fe.isValid() {
- return nil, errors.New("must be less than modulus")
- }
- toMont(fe, fe)
- return fe, nil
-}
-
-func from64Bytes(in []byte) (*fe, error) {
- if len(in) != 32*2 {
- return nil, errors.New("input string must be equal 64 bytes")
- }
- a0 := make([]byte, fpByteSize)
- copy(a0[fpByteSize-32:fpByteSize], in[:32])
- a1 := make([]byte, fpByteSize)
- copy(a1[fpByteSize-32:fpByteSize], in[32:])
- e0, err := fromBytes(a0)
- if err != nil {
- return nil, err
- }
- e1, err := fromBytes(a1)
- if err != nil {
- return nil, err
- }
- // F = 2 ^ 256 * R
- F := fe{
- 0x75b3cd7c5ce820f,
- 0x3ec6ba621c3edb0b,
- 0x168a13d82bff6bce,
- 0x87663c4bf8c449d2,
- 0x15f34c83ddc8d830,
- 0xf9628b49caa2e85,
- }
-
- mul(e0, e0, &F)
- add(e1, e1, e0)
- return e1, nil
-}
-
-func fromBig(in *big.Int) (*fe, error) {
- fe := new(fe).setBig(in)
- if !fe.isValid() {
- return nil, errors.New("invalid input string")
- }
- toMont(fe, fe)
- return fe, nil
-}
-
-func fromString(in string) (*fe, error) {
- fe, err := new(fe).setString(in)
- if err != nil {
- return nil, err
- }
- if !fe.isValid() {
- return nil, errors.New("invalid input string")
- }
- toMont(fe, fe)
- return fe, nil
-}
-
-func toBytes(e *fe) []byte {
- e2 := new(fe)
- fromMont(e2, e)
- return e2.bytes()
-}
-
-func toBig(e *fe) *big.Int {
- e2 := new(fe)
- fromMont(e2, e)
- return e2.big()
-}
-
-func toString(e *fe) (s string) {
- e2 := new(fe)
- fromMont(e2, e)
- return e2.string()
-}
-
-func toMont(c, a *fe) {
- mul(c, a, r2)
-}
-
-func fromMont(c, a *fe) {
- mul(c, a, &fe{1})
-}
-
-func wfp2MulGeneric(c *wfe2, a, b *fe2) {
- wt0, wt1 := new(wfe), new(wfe)
- t0, t1 := new(fe), new(fe)
- wmul(wt0, &a[0], &b[0])
- wmul(wt1, &a[1], &b[1])
- wsub(&c[0], wt0, wt1)
- lwaddAssign(wt0, wt1)
- ladd(t0, &a[0], &a[1])
- ladd(t1, &b[0], &b[1])
- wmul(wt1, t0, t1)
- lwsub(&c[1], wt1, wt0)
-}
-
-func wfp2SquareGeneric(c *wfe2, a *fe2) {
- t0, t1, t2 := new(fe), new(fe), new(fe)
- ladd(t0, &a[0], &a[1])
- sub(t1, &a[0], &a[1])
- ldouble(t2, &a[0])
- wmul(&c[0], t1, t0)
- wmul(&c[1], t2, &a[1])
-}
-
-func exp(c, a *fe, e *big.Int) {
- z := new(fe).set(r1)
- for i := e.BitLen(); i >= 0; i-- {
- mul(z, z, z)
- if e.Bit(i) == 1 {
- mul(z, z, a)
- }
- }
- c.set(z)
-}
-
-func inverse(inv, e *fe) {
- if e.isZero() {
- inv.zero()
- return
- }
- u := new(fe).set(&modulus)
- v := new(fe).set(e)
- s := &fe{1}
- r := &fe{0}
- var k int
- var z uint64
- var found = false
- // Phase 1
- for i := 0; i < sixWordBitSize*2; i++ {
- if v.isZero() {
- found = true
- break
- }
- if u.isEven() {
- u.div2(0)
- s.mul2()
- } else if v.isEven() {
- v.div2(0)
- z += r.mul2()
- } else if u.cmp(v) == 1 {
- lsubAssign(u, v)
- u.div2(0)
- laddAssign(r, s)
- s.mul2()
- } else {
- lsubAssign(v, u)
- v.div2(0)
- laddAssign(s, r)
- z += r.mul2()
- }
- k += 1
- }
-
- if !found {
- inv.zero()
- return
- }
-
- if k < fpBitSize || k > fpBitSize+sixWordBitSize {
- inv.zero()
- return
- }
-
- if r.cmp(&modulus) != -1 || z > 0 {
- lsubAssign(r, &modulus)
- }
- u.set(&modulus)
- lsubAssign(u, r)
-
- // Phase 2
- for i := k; i < 2*sixWordBitSize; i++ {
- double(u, u)
- }
- inv.set(u)
-}
-
-func inverseBatch(in []fe) {
-
- n, N, setFirst := 0, len(in), false
-
- for i := 0; i < len(in); i++ {
- if !in[i].isZero() {
- n++
- }
- }
- if n == 0 {
- return
- }
-
- tA := make([]fe, n)
- tB := make([]fe, n)
-
- for i, j := 0, 0; i < N; i++ {
- if !in[i].isZero() {
- if !setFirst {
- setFirst = true
- tA[j].set(&in[i])
- } else {
- mul(&tA[j], &in[i], &tA[j-1])
- }
- j = j + 1
- }
- }
-
- inverse(&tB[n-1], &tA[n-1])
- for i, j := N-1, n-1; j != 0; i-- {
- if !in[i].isZero() {
- mul(&tB[j-1], &tB[j], &in[i])
- j = j - 1
- }
- }
-
- for i, j := 0, 0; i < N; i++ {
- if !in[i].isZero() {
- if setFirst {
- setFirst = false
- in[i].set(&tB[j])
- } else {
- mul(&in[i], &tA[j-1], &tB[j])
- }
- j = j + 1
- }
- }
-}
-
-func rsqrt(c, a *fe) bool {
- t0, t1 := new(fe), new(fe)
- sqrtAddchain(t0, a)
- mul(t1, t0, a)
- square(t1, t1)
- ret := t1.equal(a)
- c.set(t0)
- return ret
-}
-
-func sqrt(c, a *fe) bool {
- u, v := new(fe).set(a), new(fe)
- // a ^ (p - 3) / 4
- sqrtAddchain(c, a)
- // a ^ (p + 1) / 4
- mul(c, c, u)
-
- square(v, c)
- return u.equal(v)
-}
-
-func _sqrt(c, a *fe) bool {
- u, v := new(fe).set(a), new(fe)
- exp(c, a, pPlus1Over4)
- square(v, c)
- return u.equal(v)
-}
-
-func sqrtAddchain(c, a *fe) {
- chain := func(c *fe, n int, a *fe) {
- for i := 0; i < n; i++ {
- square(c, c)
- }
- mul(c, c, a)
- }
-
- t := make([]fe, 16)
- t[13].set(a)
- square(&t[0], &t[13])
- mul(&t[8], &t[0], &t[13])
- square(&t[4], &t[0])
- mul(&t[1], &t[8], &t[0])
- mul(&t[6], &t[4], &t[8])
- mul(&t[9], &t[1], &t[4])
- mul(&t[12], &t[6], &t[4])
- mul(&t[3], &t[9], &t[4])
- mul(&t[7], &t[12], &t[4])
- mul(&t[15], &t[3], &t[4])
- mul(&t[10], &t[7], &t[4])
- mul(&t[2], &t[15], &t[4])
- mul(&t[11], &t[10], &t[4])
- square(&t[0], &t[3])
- mul(&t[14], &t[11], &t[4])
- mul(&t[5], &t[0], &t[8])
- mul(&t[4], &t[0], &t[1])
-
- chain(&t[0], 12, &t[15])
- chain(&t[0], 7, &t[7])
- chain(&t[0], 4, &t[1])
- chain(&t[0], 6, &t[6])
- chain(&t[0], 7, &t[11])
- chain(&t[0], 5, &t[4])
- chain(&t[0], 2, &t[8])
- chain(&t[0], 6, &t[3])
- chain(&t[0], 6, &t[3])
- chain(&t[0], 6, &t[9])
- chain(&t[0], 3, &t[8])
- chain(&t[0], 7, &t[3])
- chain(&t[0], 4, &t[3])
- chain(&t[0], 6, &t[7])
- chain(&t[0], 6, &t[14])
- chain(&t[0], 3, &t[13])
- chain(&t[0], 8, &t[3])
- chain(&t[0], 7, &t[11])
- chain(&t[0], 5, &t[12])
- chain(&t[0], 6, &t[3])
- chain(&t[0], 6, &t[5])
- chain(&t[0], 4, &t[9])
- chain(&t[0], 8, &t[5])
- chain(&t[0], 4, &t[3])
- chain(&t[0], 7, &t[11])
- chain(&t[0], 9, &t[10])
- chain(&t[0], 2, &t[8])
- chain(&t[0], 5, &t[6])
- chain(&t[0], 7, &t[1])
- chain(&t[0], 7, &t[9])
- chain(&t[0], 6, &t[11])
- chain(&t[0], 5, &t[5])
- chain(&t[0], 5, &t[10])
- chain(&t[0], 5, &t[10])
- chain(&t[0], 8, &t[3])
- chain(&t[0], 7, &t[2])
- chain(&t[0], 9, &t[7])
- chain(&t[0], 5, &t[3])
- chain(&t[0], 3, &t[8])
- chain(&t[0], 8, &t[7])
- chain(&t[0], 3, &t[8])
- chain(&t[0], 7, &t[9])
- chain(&t[0], 9, &t[7])
- chain(&t[0], 6, &t[2])
- chain(&t[0], 6, &t[4])
- chain(&t[0], 5, &t[4])
- chain(&t[0], 5, &t[4])
- chain(&t[0], 4, &t[3])
- chain(&t[0], 3, &t[8])
- chain(&t[0], 8, &t[2])
- chain(&t[0], 7, &t[4])
- chain(&t[0], 5, &t[4])
- chain(&t[0], 5, &t[4])
- chain(&t[0], 4, &t[7])
- chain(&t[0], 4, &t[6])
- chain(&t[0], 7, &t[4])
- chain(&t[0], 5, &t[5])
- chain(&t[0], 5, &t[4])
- chain(&t[0], 5, &t[4])
- chain(&t[0], 5, &t[4])
- chain(&t[0], 5, &t[4])
- chain(&t[0], 5, &t[4])
- chain(&t[0], 5, &t[4])
- chain(&t[0], 4, &t[3])
- chain(&t[0], 6, &t[2])
- chain(&t[0], 4, &t[1])
- square(c, &t[0])
-}
-
-func isQuadraticNonResidue(a *fe) bool {
- if a.isZero() {
- return true
- }
- return !sqrt(new(fe), a)
-}
diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/fp12.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/fp12.go
deleted file mode 100644
index 8b5af825c..000000000
--- a/component/kmscrypto/internal/third_party/kilic/bls12-381/fp12.go
+++ /dev/null
@@ -1,303 +0,0 @@
-package bls12381
-
-import (
- "errors"
- "math/big"
-)
-
-type fp12 struct {
- fp12temp
- fp6 *fp6
-}
-
-type fp12temp struct {
- t2 [7]*fe2
- t6 [4]*fe6
- wt2 [3]*wfe2
- wt6 [3]*wfe6
-}
-
-func newFp12Temp() fp12temp {
- t2 := [7]*fe2{}
- t6 := [4]*fe6{}
- for i := 0; i < len(t2); i++ {
- t2[i] = &fe2{}
- }
- for i := 0; i < len(t6); i++ {
- t6[i] = &fe6{}
- }
- wt2 := [3]*wfe2{}
- for i := 0; i < len(wt2); i++ {
- wt2[i] = &wfe2{}
- }
- wt6 := [3]*wfe6{}
- for i := 0; i < len(wt6); i++ {
- wt6[i] = &wfe6{}
- }
- return fp12temp{t2, t6, wt2, wt6}
-}
-
-func newFp12(fp6 *fp6) *fp12 {
- t := newFp12Temp()
- if fp6 == nil {
- return &fp12{t, newFp6(nil)}
- }
- return &fp12{t, fp6}
-}
-
-func (e *fp12) fp2() *fp2 {
- return e.fp6.fp2
-}
-
-func (e *fp12) fromBytes(in []byte) (*fe12, error) {
- if len(in) != 576 {
- return nil, errors.New("input string length must be equal to 576 bytes")
- }
- fp6 := e.fp6
- c1, err := fp6.fromBytes(in[:6*fpByteSize])
- if err != nil {
- return nil, err
- }
- c0, err := fp6.fromBytes(in[6*fpByteSize:])
- if err != nil {
- return nil, err
- }
- return &fe12{*c0, *c1}, nil
-}
-
-func (e *fp12) toBytes(a *fe12) []byte {
- fp6 := e.fp6
- out := make([]byte, 12*fpByteSize)
- copy(out[:6*fpByteSize], fp6.toBytes(&a[1]))
- copy(out[6*fpByteSize:], fp6.toBytes(&a[0]))
- return out
-}
-
-func (e *fp12) new() *fe12 {
- return new(fe12)
-}
-
-func (e *fp12) zero() *fe12 {
- return new(fe12)
-}
-
-func (e *fp12) one() *fe12 {
- return new(fe12).one()
-}
-
-func fp12Add(c, a, b *fe12) {
- fp6Add(&c[0], &a[0], &b[0])
- fp6Add(&c[1], &a[1], &b[1])
-}
-
-func fp12Double(c, a *fe12) {
- fp6Double(&c[0], &a[0])
- fp6Double(&c[1], &a[1])
-}
-
-func fp12Sub(c, a, b *fe12) {
- fp6Sub(&c[0], &a[0], &b[0])
- fp6Sub(&c[1], &a[1], &b[1])
-
-}
-
-func fp12Neg(c, a *fe12) {
- fp6Neg(&c[0], &a[0])
- fp6Neg(&c[1], &a[1])
-}
-
-func fp12Conjugate(c, a *fe12) {
- c[0].set(&a[0])
- fp6Neg(&c[1], &a[1])
-}
-
-func (e *fp12) mul(c, a, b *fe12) {
- wt, t := e.wt6, e.t6
- e.fp6.wmul(wt[1], &a[0], &b[0])
- e.fp6.wmul(wt[2], &a[1], &b[1])
- fp6Add(t[0], &a[0], &a[1])
- fp6Add(t[3], &b[0], &b[1])
- e.fp6.wmul(wt[0], t[0], t[3])
- wfp6SubAssign(wt[0], wt[1])
- wfp6SubAssign(wt[0], wt[2])
- c[1].fromWide(wt[0])
- e.fp6.wmulByNonResidueAssign(wt[2])
- wfp6AddAssign(wt[1], wt[2])
- c[0].fromWide(wt[1])
-
-}
-
-func (e *fp12) mulAssign(a, b *fe12) {
- wt, t := e.wt6, e.t6
- e.fp6.wmul(wt[1], &a[0], &b[0])
- e.fp6.wmul(wt[2], &a[1], &b[1])
- fp6Add(t[0], &a[0], &a[1])
- fp6Add(t[3], &b[0], &b[1])
- e.fp6.wmul(wt[0], t[0], t[3])
- wfp6SubAssign(wt[0], wt[1])
- wfp6SubAssign(wt[0], wt[2])
- a[1].fromWide(wt[0])
- e.fp6.wmulByNonResidueAssign(wt[2])
- wfp6AddAssign(wt[1], wt[2])
- a[0].fromWide(wt[1])
-}
-
-func (e *fp12) mul014(a *fe12, b0, b1, b4 *fe2) {
- wt, t := e.wt6, e.t6
- e.fp6.wmul01(wt[0], &a[0], b0, b1)
- e.fp6.wmul1(wt[1], &a[1], b4)
- fp2LaddAssign(b1, b4)
- fp6Ladd(t[2], &a[1], &a[0])
- e.fp6.wmul01(wt[2], t[2], b0, b1)
- wfp6SubAssign(wt[2], wt[0])
- wfp6SubAssign(wt[2], wt[1])
- a[1].fromWide(wt[2])
- e.fp6.wmulByNonResidueAssign(wt[1])
- wfp6AddAssign(wt[0], wt[1])
- a[0].fromWide(wt[0])
-}
-
-func (e *fp12) square(c, a *fe12) {
- t := e.t6
- // Multiplication and Squaring on Pairing-Friendly Fields
- // Complex squaring algorithm
- // https://eprint.iacr.org/2006/471
-
- fp6Add(t[0], &a[0], &a[1])
- e.fp6.mul(t[2], &a[0], &a[1])
- e.fp6.mulByNonResidue(t[1], &a[1])
- fp6AddAssign(t[1], &a[0])
- e.fp6.mulByNonResidue(t[3], t[2])
- e.fp6.mul(t[0], t[0], t[1])
- fp6SubAssign(t[0], t[2])
- fp6Sub(&c[0], t[0], t[3])
- fp6Double(&c[1], t[2])
-}
-
-func (e *fp12) squareAssign(a *fe12) {
- t := e.t6
- // Multiplication and Squaring on Pairing-Friendly Fields
- // Complex squaring algorithm
- // https://eprint.iacr.org/2006/471
-
- fp6Add(t[0], &a[0], &a[1])
- e.fp6.mul(t[2], &a[0], &a[1])
- e.fp6.mulByNonResidue(t[1], &a[1])
- fp6AddAssign(t[1], &a[0])
- e.fp6.mulByNonResidue(t[3], t[2])
- e.fp6.mul(t[0], t[0], t[1])
- fp6SubAssign(t[0], t[2])
- fp6Sub(&a[0], t[0], t[3])
- fp6Double(&a[1], t[2])
-}
-
-func (e *fp12) inverse(c, a *fe12) {
- // Guide to Pairing Based Cryptography
- // Algorithm 5.16
-
- t := e.t6
- e.fp6.square(t[0], &a[0]) // a0^2
- e.fp6.square(t[1], &a[1]) // a1^2
- e.fp6.mulByNonResidue(t[1], t[1]) // βa1^2
- fp6SubAssign(t[0], t[1]) // v = (a0^2 - a1^2)
- e.fp6.inverse(t[1], t[0]) // v = v^-1
- e.fp6.mul(&c[0], &a[0], t[1]) // c0 = a0v
- e.fp6.mulAssign(t[1], &a[1]) //
- fp6Neg(&c[1], t[1]) // c1 = -a1v
-}
-
-func (e *fp12) exp(c, a *fe12, s *big.Int) {
- z := e.one()
- for i := s.BitLen() - 1; i >= 0; i-- {
- e.square(z, z)
- if s.Bit(i) == 1 {
- e.mul(z, z, a)
- }
- }
- c.set(z)
-}
-
-func (e *fp12) cyclotomicExp(c, a *fe12, s *big.Int) {
- z := e.one()
- for i := s.BitLen() - 1; i >= 0; i-- {
- e.cyclotomicSquare(z)
- if s.Bit(i) == 1 {
- e.mul(z, z, a)
- }
- }
- c.set(z)
-}
-
-func (e *fp12) cyclotomicSquare(a *fe12) {
- t := e.t2
- // Guide to Pairing Based Cryptography
- // 5.5.4 Airthmetic in Cyclotomic Groups
-
- e.fp4Square(t[3], t[4], &a[0][0], &a[1][1])
- fp2Sub(t[2], t[3], &a[0][0])
- fp2DoubleAssign(t[2])
- fp2Add(&a[0][0], t[2], t[3])
- fp2Add(t[2], t[4], &a[1][1])
- fp2DoubleAssign(t[2])
- fp2Add(&a[1][1], t[2], t[4])
- e.fp4Square(t[3], t[4], &a[1][0], &a[0][2])
- e.fp4Square(t[5], t[6], &a[0][1], &a[1][2])
- fp2Sub(t[2], t[3], &a[0][1])
- fp2DoubleAssign(t[2])
- fp2Add(&a[0][1], t[2], t[3])
- fp2Add(t[2], t[4], &a[1][2])
- fp2DoubleAssign(t[2])
- fp2Add(&a[1][2], t[2], t[4])
- mulByNonResidue(t[3], t[6])
- fp2Add(t[2], t[3], &a[1][0])
- fp2DoubleAssign(t[2])
- fp2Add(&a[1][0], t[2], t[3])
- fp2Sub(t[2], t[5], &a[0][2])
- fp2DoubleAssign(t[2])
- fp2Add(&a[0][2], t[2], t[5])
-}
-
-func (e *fp12) fp4Square(c0, c1, a0, a1 *fe2) {
- wt, t := e.wt2, e.t2
- // Multiplication and Squaring on Pairing-Friendly Fields
- // Karatsuba squaring algorithm
- // https://eprint.iacr.org/2006/471
-
- wfp2Square(wt[0], a0)
- wfp2Square(wt[1], a1)
- wfp2MulByNonResidue(wt[2], wt[1])
- wfp2AddAssign(wt[2], wt[0])
- c0.fromWide(wt[2])
- fp2Add(t[0], a0, a1)
- wfp2Square(wt[2], t[0])
- wfp2SubAssign(wt[2], wt[0])
- wfp2SubAssign(wt[2], wt[1])
- c1.fromWide(wt[2])
-}
-
-func (e *fp12) frobeniusMap1(a *fe12) {
- fp6, fp2 := e.fp6, e.fp6.fp2
- fp6.frobeniusMap1(&a[0])
- fp6.frobeniusMap1(&a[1])
- fp2.mulAssign(&a[1][0], &frobeniusCoeffs12[1])
- fp2.mulAssign(&a[1][1], &frobeniusCoeffs12[1])
- fp2.mulAssign(&a[1][2], &frobeniusCoeffs12[1])
-}
-
-func (e *fp12) frobeniusMap2(a *fe12) {
- fp6, fp2 := e.fp6, e.fp6.fp2
- fp6.frobeniusMap2(&a[0])
- fp6.frobeniusMap2(&a[1])
- fp2.mulAssign(&a[1][0], &frobeniusCoeffs12[2])
- fp2.mulAssign(&a[1][1], &frobeniusCoeffs12[2])
- fp2.mulAssign(&a[1][2], &frobeniusCoeffs12[2])
-}
-
-func (e *fp12) frobeniusMap3(a *fe12) {
- fp6, fp2 := e.fp6, e.fp6.fp2
- fp6.frobeniusMap3(&a[0])
- fp6.frobeniusMap3(&a[1])
- fp2.mulAssign(&a[1][0], &frobeniusCoeffs12[3])
- fp2.mulAssign(&a[1][1], &frobeniusCoeffs12[3])
- fp2.mulAssign(&a[1][2], &frobeniusCoeffs12[3])
-}
diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/fp2.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/fp2.go
deleted file mode 100644
index aad59d32b..000000000
--- a/component/kmscrypto/internal/third_party/kilic/bls12-381/fp2.go
+++ /dev/null
@@ -1,306 +0,0 @@
-package bls12381
-
-import (
- "errors"
- "math/big"
-)
-
-type fp2Temp struct {
- t [3]*fe
- w *wfe2
-}
-
-type fp2 struct {
- fp2Temp
-}
-
-func newFp2Temp() fp2Temp {
- t := [3]*fe{}
- for i := 0; i < len(t); i++ {
- t[i] = &fe{}
- }
- return fp2Temp{t, &wfe2{}}
-}
-
-func newFp2() *fp2 {
- t := newFp2Temp()
- return &fp2{t}
-}
-
-func (e *fp2) fromBytes(in []byte) (*fe2, error) {
- if len(in) != 2*fpByteSize {
- return nil, errors.New("input string must be equal to 96 bytes")
- }
- c1, err := fromBytes(in[:fpByteSize])
- if err != nil {
- return nil, err
- }
- c0, err := fromBytes(in[fpByteSize:])
- if err != nil {
- return nil, err
- }
- return &fe2{*c0, *c1}, nil
-}
-
-func (e *fp2) toBytes(a *fe2) []byte {
- out := make([]byte, 2*fpByteSize)
- copy(out[:fpByteSize], toBytes(&a[1]))
- copy(out[fpByteSize:], toBytes(&a[0]))
- return out
-}
-
-func (e *fp2) new() *fe2 {
- return new(fe2).zero()
-}
-
-func (e *fp2) zero() *fe2 {
- return new(fe2).zero()
-}
-
-func (e *fp2) one() *fe2 {
- return new(fe2).one()
-}
-
-func fp2Neg(c, a *fe2) {
- neg(&c[0], &a[0])
- neg(&c[1], &a[1])
-}
-
-func fp2Conjugate(c, a *fe2) {
- c[0].set(&a[0])
- neg(&c[1], &a[1])
-}
-
-func (e *fp2) mul(c, a, b *fe2) {
- wfp2Mul(e.w, b, a)
- c.fromWide(e.w)
-}
-
-func (e *fp2) mulAssign(a, b *fe2) {
- wfp2Mul(e.w, b, a)
- a.fromWide(e.w)
-}
-
-func (e *fp2) square(c, a *fe2) {
- t := e.t
- // Guide to Pairing Based Cryptography
- // Algorithm 5.16
-
- ladd(t[0], &a[0], &a[1]) // (a0 + a1)
- sub(t[1], &a[0], &a[1]) // (a0 - a1)
- ldouble(t[2], &a[0]) // 2a0
- mul(&c[0], t[0], t[1]) // c0 = (a0 + a1)(a0 - a1)
- mul(&c[1], t[2], &a[1]) // c1 = 2a0a1
-}
-
-func (e *fp2) squareAssign(a *fe2) {
- t := e.t
- ladd(t[0], &a[0], &a[1])
- sub(t[1], &a[0], &a[1])
- ldouble(t[2], &a[0])
- mul(&a[0], t[0], t[1])
- mul(&a[1], t[2], &a[1])
-}
-
-func (e *fp2) mul0(c, a *fe2, b *fe) {
- mul(&c[0], &a[0], b)
- mul(&c[1], &a[1], b)
-}
-
-func (e *fp2) mul0Assign(a *fe2, b *fe) {
- mul(&a[0], &a[0], b)
- mul(&a[1], &a[1], b)
-}
-
-func (e *fp2) mulByB(c, a *fe2) {
- t := e.t
- // c0 = 4a0 - 4a1
- // c1 = 4a0 + 4a1
- double(t[0], &a[0])
- doubleAssign(t[0])
- double(t[1], &a[1])
- doubleAssign(t[1])
- sub(&c[0], t[0], t[1])
- add(&c[1], t[0], t[1])
-}
-
-func (e *fp2) inverse(c, a *fe2) {
- t := e.t
- // Guide to Pairing Based Cryptography
- // Algorithm 5.16
-
- square(t[0], &a[0]) // a0^2
- square(t[1], &a[1]) // a1^2
- addAssign(t[0], t[1]) // a0^2 + a1^2
- inverse(t[0], t[0]) // (a0^2 + a1^2)^-1
- mul(&c[0], &a[0], t[0]) // c0 = a0(a0^2 + a1^2)^-1
- mul(t[0], t[0], &a[1]) // a1(a0^2 + a1^2)^-1
- neg(&c[1], t[0]) // c1 = a1(a0^2 + a1^2)^-1
-}
-
-func (e *fp2) inverseBatch(in []fe2) {
-
- n, N, setFirst := 0, len(in), false
-
- for i := 0; i < len(in); i++ {
- if !in[i].isZero() {
- n++
- }
- }
- if n == 0 {
- return
- }
-
- tA := make([]fe2, n)
- tB := make([]fe2, n)
-
- // a, ab, abc, abcd, ...
- for i, j := 0, 0; i < N; i++ {
- if !in[i].isZero() {
- if !setFirst {
- setFirst = true
- tA[j].set(&in[i])
- } else {
- e.mul(&tA[j], &in[i], &tA[j-1])
- }
- j = j + 1
- }
- }
-
- // (abcd...)^-1
- e.inverse(&tB[n-1], &tA[n-1])
-
- // a^-1, ab^-1, abc^-1, abcd^-1, ...
- for i, j := N-1, n-1; j != 0; i-- {
- if !in[i].isZero() {
- e.mul(&tB[j-1], &tB[j], &in[i])
- j = j - 1
- }
- }
-
- // a^-1, b^-1, c^-1, d^-1
- for i, j := 0, 0; i < N; i++ {
- if !in[i].isZero() {
- if setFirst {
- setFirst = false
- in[i].set(&tB[j])
- } else {
- e.mul(&in[i], &tA[j-1], &tB[j])
- }
- j = j + 1
- }
- }
-}
-
-func (e *fp2) exp(c, a *fe2, s *big.Int) {
- z := e.one()
- for i := s.BitLen() - 1; i >= 0; i-- {
- e.square(z, z)
- if s.Bit(i) == 1 {
- e.mul(z, z, a)
- }
- }
- c.set(z)
-}
-
-func (e *fp2) frobeniusMap1(a *fe2) {
- fp2Conjugate(a, a)
-}
-
-func (e *fp2) frobeniusMap(a *fe2, power int) {
- if power&1 == 1 {
- fp2Conjugate(a, a)
- }
-}
-
-func (e *fp2) sqrt(c, a *fe2) bool {
- u, x0, a1, alpha := &fe2{}, &fe2{}, &fe2{}, &fe2{}
- u.set(a)
- e.exp(a1, a, pMinus3Over4)
- e.square(alpha, a1)
- e.mul(alpha, alpha, a)
- e.mul(x0, a1, a)
- if alpha.equal(negativeOne2) {
- neg(&c[0], &x0[1])
- c[1].set(&x0[0])
- return true
- }
- fp2Add(alpha, alpha, e.one())
- e.exp(alpha, alpha, pMinus1Over2)
- e.mul(c, alpha, x0)
- e.square(alpha, c)
- return alpha.equal(u)
-}
-
-func (e *fp2) isQuadraticNonResidue(a *fe2) bool {
- c0, c1 := new(fe), new(fe)
- square(c0, &a[0])
- square(c1, &a[1])
- add(c1, c1, c0)
- return isQuadraticNonResidue(c1)
-}
-
-// faster square root algorith is adapted from blst library
-// https://github.com/supranational/blst/blob/master/src/sqrt.c
-
-func (e *fp2) sqrtBLST(out, inp *fe2) bool {
- aa, bb := new(fe), new(fe)
- ret := new(fe2)
- square(aa, &inp[0])
- square(bb, &inp[1])
- add(aa, aa, bb)
- sqrt(aa, aa)
- sub(bb, &inp[0], aa)
- add(aa, &inp[0], aa)
- if aa.isZero() {
- aa.set(bb)
- }
- mul(aa, aa, twoInv)
- rsqrt(&ret[0], aa)
- ret[1].set(&inp[1])
- mul(&ret[1], &ret[1], twoInv)
- mul(&ret[1], &ret[1], &ret[0])
- mul(&ret[0], &ret[0], aa)
- return e.sqrtAlignBLST(out, ret, ret, inp)
-}
-
-func (e *fp2) sqrtAlignBLST(out, ret, sqrt, inp *fe2) bool {
-
- t0, t1 := new(fe2), new(fe2)
- coeff := e.one()
- e.square(t0, sqrt)
-
- //
- fp2Sub(t1, t0, inp)
- isSqrt := t1.isZero()
-
- //
- fp2Add(t1, t0, inp)
- flag := t1.isZero()
- if flag {
- coeff.set(sqrtMinus1)
- }
- isSqrt = flag || isSqrt
-
- //
- sub(&t1[0], &t0[0], &inp[1])
- add(&t1[1], &t0[1], &inp[0])
- flag = t1.isZero()
- if flag {
- coeff.set(sqrtSqrtMinus1)
- }
- isSqrt = flag || isSqrt
-
- //
- add(&t1[0], &t0[0], &inp[1])
- sub(&t1[1], &t0[1], &inp[0])
- flag = t1.isZero()
- if flag {
-
- coeff.set(sqrtMinusSqrtMinus1)
- }
- isSqrt = flag || isSqrt
-
- e.mul(out, coeff, ret)
- return isSqrt
-}
diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/fp2_arithmetic_x86.s b/component/kmscrypto/internal/third_party/kilic/bls12-381/fp2_arithmetic_x86.s
deleted file mode 100644
index d3d542150..000000000
--- a/component/kmscrypto/internal/third_party/kilic/bls12-381/fp2_arithmetic_x86.s
+++ /dev/null
@@ -1,4025 +0,0 @@ -// +build amd64,!generic - -#include "textflag.h" -#include "funcdata.h" - -// assigned addition with modular reduction -// a = (a + b) % p -TEXT ·fp2AddAssign(SB), NOSPLIT, $0-16 - MOVQ a+0(FP), DI - MOVQ b+8(FP), SI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - - ADDQ (SI), R8 - ADCQ 8(SI), R9 - ADCQ 16(SI), R10 - ADCQ 24(SI), R11 - ADCQ 32(SI), R12 - ADCQ 40(SI), R13 - - MOVQ R8, R14 - MOVQ R9, R15 - MOVQ R10, CX - MOVQ R11, DX - MOVQ R12, BP - MOVQ R13, BX - - MOVQ $0xb9feffffffffaaab, AX - SUBQ AX, R14 - MOVQ $0x1eabfffeb153ffff, AX - SBBQ AX, R15 - MOVQ $0x6730d2a0f6b0f624, AX - SBBQ AX, CX - MOVQ $0x64774b84f38512bf, AX - SBBQ AX, DX - MOVQ $0x4b1ba7b6434bacd7, AX - SBBQ AX, BP - MOVQ $0x1a0111ea397fe69a, AX - SBBQ AX, BX - - CMOVQCC R14, R8 - CMOVQCC R15, R9 - CMOVQCC CX, R10 - CMOVQCC DX, R11 - CMOVQCC BP, R12 - CMOVQCC BX, R13 - - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - - MOVQ 48(DI), R8 - MOVQ 56(DI), R9 - MOVQ 64(DI), R10 - MOVQ 72(DI), R11 - MOVQ 80(DI), R12 - MOVQ 88(DI), R13 - - ADDQ 48(SI), R8 - ADCQ 56(SI), R9 - ADCQ 64(SI), R10 - ADCQ 72(SI), R11 - ADCQ 80(SI), R12 - ADCQ 88(SI), R13 - - MOVQ R8, R14 - MOVQ R9, R15 - MOVQ R10, CX - MOVQ R11, DX - MOVQ R12, SI - MOVQ R13, BX - - MOVQ $0xb9feffffffffaaab, AX - SUBQ AX, R14 - MOVQ $0x1eabfffeb153ffff, AX - SBBQ AX, R15 - MOVQ $0x6730d2a0f6b0f624, AX - SBBQ AX, CX - MOVQ $0x64774b84f38512bf, AX - SBBQ AX, DX - MOVQ $0x4b1ba7b6434bacd7, AX - SBBQ AX, SI - MOVQ $0x1a0111ea397fe69a, AX - SBBQ AX, BX - - CMOVQCC R14, R8 - CMOVQCC R15, R9 - CMOVQCC CX, R10 - CMOVQCC DX, R11 - CMOVQCC SI, R12 - CMOVQCC BX, R13 - - MOVQ R8, 48(DI) - MOVQ R9, 56(DI) - MOVQ R10, 64(DI) - MOVQ R11, 72(DI) - MOVQ R12, 80(DI) - MOVQ R13, 88(DI) - - RET -/* | end */ - - -// addition with modular reduction -// c = (a + b) % p -TEXT ·fp2Add(SB), NOSPLIT, $0-24 - MOVQ a+8(FP), DI 
- MOVQ b+16(FP), SI - MOVQ c+0(FP), BP - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - - ADDQ (SI), R8 - ADCQ 8(SI), R9 - ADCQ 16(SI), R10 - ADCQ 24(SI), R11 - ADCQ 32(SI), R12 - ADCQ 40(SI), R13 - - MOVQ R8, R14 - MOVQ R9, R15 - MOVQ R10, CX - MOVQ R11, DX - MOVQ R12, SI - MOVQ R13, BX - - MOVQ $0xb9feffffffffaaab, AX - SUBQ AX, R14 - MOVQ $0x1eabfffeb153ffff, AX - SBBQ AX, R15 - MOVQ $0x6730d2a0f6b0f624, AX - SBBQ AX, CX - MOVQ $0x64774b84f38512bf, AX - SBBQ AX, DX - MOVQ $0x4b1ba7b6434bacd7, AX - SBBQ AX, SI - MOVQ $0x1a0111ea397fe69a, AX - SBBQ AX, BX - - CMOVQCC R14, R8 - CMOVQCC R15, R9 - CMOVQCC CX, R10 - CMOVQCC DX, R11 - CMOVQCC SI, R12 - CMOVQCC BX, R13 - - MOVQ R8, (BP) - MOVQ R9, 8(BP) - MOVQ R10, 16(BP) - MOVQ R11, 24(BP) - MOVQ R12, 32(BP) - MOVQ R13, 40(BP) - - MOVQ b+16(FP), SI - - MOVQ 48(DI), R8 - MOVQ 56(DI), R9 - MOVQ 64(DI), R10 - MOVQ 72(DI), R11 - MOVQ 80(DI), R12 - MOVQ 88(DI), R13 - - ADDQ 48(SI), R8 - ADCQ 56(SI), R9 - ADCQ 64(SI), R10 - ADCQ 72(SI), R11 - ADCQ 80(SI), R12 - ADCQ 88(SI), R13 - - MOVQ R8, R14 - MOVQ R9, R15 - MOVQ R10, CX - MOVQ R11, DX - MOVQ R12, SI - MOVQ R13, BX - - MOVQ $0xb9feffffffffaaab, AX - SUBQ AX, R14 - MOVQ $0x1eabfffeb153ffff, AX - SBBQ AX, R15 - MOVQ $0x6730d2a0f6b0f624, AX - SBBQ AX, CX - MOVQ $0x64774b84f38512bf, AX - SBBQ AX, DX - MOVQ $0x4b1ba7b6434bacd7, AX - SBBQ AX, SI - MOVQ $0x1a0111ea397fe69a, AX - SBBQ AX, BX - - CMOVQCC R14, R8 - CMOVQCC R15, R9 - CMOVQCC CX, R10 - CMOVQCC DX, R11 - CMOVQCC SI, R12 - CMOVQCC BX, R13 - - MOVQ R8, 48(BP) - MOVQ R9, 56(BP) - MOVQ R10, 64(BP) - MOVQ R11, 72(BP) - MOVQ R12, 80(BP) - MOVQ R13, 88(BP) - - RET -/* | end */ - - -// addition without reduction check -// c = (a + b) -TEXT ·fp2Ladd(SB), NOSPLIT, $0-24 - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - MOVQ c+0(FP), AX - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - - ADDQ (SI), R8 - ADCQ 
8(SI), R9 - ADCQ 16(SI), R10 - ADCQ 24(SI), R11 - ADCQ 32(SI), R12 - ADCQ 40(SI), R13 - - MOVQ R8, (AX) - MOVQ R9, 8(AX) - MOVQ R10, 16(AX) - MOVQ R11, 24(AX) - MOVQ R12, 32(AX) - MOVQ R13, 40(AX) - - MOVQ 48(DI), R8 - MOVQ 56(DI), R9 - MOVQ 64(DI), R10 - MOVQ 72(DI), R11 - MOVQ 80(DI), R12 - MOVQ 88(DI), R13 - - ADDQ 48(SI), R8 - ADCQ 56(SI), R9 - ADCQ 64(SI), R10 - ADCQ 72(SI), R11 - ADCQ 80(SI), R12 - ADCQ 88(SI), R13 - - MOVQ R8, 48(AX) - MOVQ R9, 56(AX) - MOVQ R10, 64(AX) - MOVQ R11, 72(AX) - MOVQ R12, 80(AX) - MOVQ R13, 88(AX) - - RET -/* | end */ - - -// addition without reduction check -// c = (a + b) -TEXT ·fp2LaddAssign(SB), NOSPLIT, $0-16 - MOVQ a+0(FP), DI - MOVQ b+8(FP), SI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - - ADDQ (SI), R8 - ADCQ 8(SI), R9 - ADCQ 16(SI), R10 - ADCQ 24(SI), R11 - ADCQ 32(SI), R12 - ADCQ 40(SI), R13 - - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - - MOVQ 48(DI), R8 - MOVQ 56(DI), R9 - MOVQ 64(DI), R10 - MOVQ 72(DI), R11 - MOVQ 80(DI), R12 - MOVQ 88(DI), R13 - - ADDQ 48(SI), R8 - ADCQ 56(SI), R9 - ADCQ 64(SI), R10 - ADCQ 72(SI), R11 - ADCQ 80(SI), R12 - ADCQ 88(SI), R13 - - MOVQ R8, 48(DI) - MOVQ R9, 56(DI) - MOVQ R10, 64(DI) - MOVQ R11, 72(DI) - MOVQ R12, 80(DI) - MOVQ R13, 88(DI) - - RET -/* | end */ - - -// subtraction with modular reduction -// c = (a - b) % p -TEXT ·fp2Sub(SB), NOSPLIT, $0-24 - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - XORQ AX, AX - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - - SUBQ (SI), R8 - SBBQ 8(SI), R9 - SBBQ 16(SI), R10 - SBBQ 24(SI), R11 - SBBQ 32(SI), R12 - SBBQ 40(SI), R13 - - MOVQ $0xb9feffffffffaaab, R14 - MOVQ $0x1eabfffeb153ffff, R15 - MOVQ $0x6730d2a0f6b0f624, CX - MOVQ $0x64774b84f38512bf, DX - MOVQ $0x4b1ba7b6434bacd7, BP - MOVQ $0x1a0111ea397fe69a, BX - - CMOVQCC AX, R14 - CMOVQCC AX, R15 - 
CMOVQCC AX, CX - CMOVQCC AX, DX - CMOVQCC AX, BP - CMOVQCC AX, BX - - ADDQ R14, R8 - ADCQ R15, R9 - ADCQ CX, R10 - ADCQ DX, R11 - ADCQ BP, R12 - ADCQ BX, R13 - - MOVQ c+0(FP), BP - MOVQ R8, (BP) - MOVQ R9, 8(BP) - MOVQ R10, 16(BP) - MOVQ R11, 24(BP) - MOVQ R12, 32(BP) - MOVQ R13, 40(BP) - - MOVQ 48(DI), R8 - MOVQ 56(DI), R9 - MOVQ 64(DI), R10 - MOVQ 72(DI), R11 - MOVQ 80(DI), R12 - MOVQ 88(DI), R13 - - SUBQ 48(SI), R8 - SBBQ 56(SI), R9 - SBBQ 64(SI), R10 - SBBQ 72(SI), R11 - SBBQ 80(SI), R12 - SBBQ 88(SI), R13 - - MOVQ $0xb9feffffffffaaab, R14 - MOVQ $0x1eabfffeb153ffff, R15 - MOVQ $0x6730d2a0f6b0f624, CX - MOVQ $0x64774b84f38512bf, DX - MOVQ $0x4b1ba7b6434bacd7, BP - MOVQ $0x1a0111ea397fe69a, BX - - CMOVQCC AX, R14 - CMOVQCC AX, R15 - CMOVQCC AX, CX - CMOVQCC AX, DX - CMOVQCC AX, BP - CMOVQCC AX, BX - - ADDQ R14, R8 - ADCQ R15, R9 - ADCQ CX, R10 - ADCQ DX, R11 - ADCQ BP, R12 - ADCQ BX, R13 - - MOVQ c+0(FP), BP - MOVQ R8, 48(BP) - MOVQ R9, 56(BP) - MOVQ R10, 64(BP) - MOVQ R11, 72(BP) - MOVQ R12, 80(BP) - MOVQ R13, 88(BP) - - RET -/* | end */ - - -// assigned subtraction with modular reduction -// c = (a - b) % p -TEXT ·fp2SubAssign(SB), NOSPLIT, $0-16 - MOVQ a+0(FP), DI - MOVQ b+8(FP), SI - XORQ AX, AX - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - - SUBQ (SI), R8 - SBBQ 8(SI), R9 - SBBQ 16(SI), R10 - SBBQ 24(SI), R11 - SBBQ 32(SI), R12 - SBBQ 40(SI), R13 - - MOVQ $0xb9feffffffffaaab, R14 - MOVQ $0x1eabfffeb153ffff, R15 - MOVQ $0x6730d2a0f6b0f624, CX - MOVQ $0x64774b84f38512bf, DX - MOVQ $0x4b1ba7b6434bacd7, BP - MOVQ $0x1a0111ea397fe69a, BX - - CMOVQCC AX, R14 - CMOVQCC AX, R15 - CMOVQCC AX, CX - CMOVQCC AX, DX - CMOVQCC AX, BP - CMOVQCC AX, BX - - ADDQ R14, R8 - ADCQ R15, R9 - ADCQ CX, R10 - ADCQ DX, R11 - ADCQ BP, R12 - ADCQ BX, R13 - - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - - MOVQ 48(DI), R8 - MOVQ 56(DI), R9 - MOVQ 64(DI), R10 
- MOVQ 72(DI), R11 - MOVQ 80(DI), R12 - MOVQ 88(DI), R13 - - SUBQ 48(SI), R8 - SBBQ 56(SI), R9 - SBBQ 64(SI), R10 - SBBQ 72(SI), R11 - SBBQ 80(SI), R12 - SBBQ 88(SI), R13 - - MOVQ $0xb9feffffffffaaab, R14 - MOVQ $0x1eabfffeb153ffff, R15 - MOVQ $0x6730d2a0f6b0f624, CX - MOVQ $0x64774b84f38512bf, DX - MOVQ $0x4b1ba7b6434bacd7, BP - MOVQ $0x1a0111ea397fe69a, BX - - CMOVQCC AX, R14 - CMOVQCC AX, R15 - CMOVQCC AX, CX - CMOVQCC AX, DX - CMOVQCC AX, BP - CMOVQCC AX, BX - - ADDQ R14, R8 - ADCQ R15, R9 - ADCQ CX, R10 - ADCQ DX, R11 - ADCQ BP, R12 - ADCQ BX, R13 - - MOVQ R8, 48(DI) - MOVQ R9, 56(DI) - MOVQ R10, 64(DI) - MOVQ R11, 72(DI) - MOVQ R12, 80(DI) - MOVQ R13, 88(DI) - - RET -/* | end */ - - -// assigned doubling with modular reduction -// a = (a + a) % p -TEXT ·fp2DoubleAssign(SB), NOSPLIT, $0-8 - MOVQ a+0(FP), DI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - - ADDQ R8, R8 - ADCQ R9, R9 - ADCQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - - MOVQ R8, R14 - MOVQ R9, R15 - MOVQ R10, CX - MOVQ R11, DX - MOVQ R12, SI - MOVQ R13, BX - - MOVQ $0xb9feffffffffaaab, AX - SUBQ AX, R14 - MOVQ $0x1eabfffeb153ffff, AX - SBBQ AX, R15 - MOVQ $0x6730d2a0f6b0f624, AX - SBBQ AX, CX - MOVQ $0x64774b84f38512bf, AX - SBBQ AX, DX - MOVQ $0x4b1ba7b6434bacd7, AX - SBBQ AX, SI - MOVQ $0x1a0111ea397fe69a, AX - SBBQ AX, BX - - CMOVQCC R14, R8 - CMOVQCC R15, R9 - CMOVQCC CX, R10 - CMOVQCC DX, R11 - CMOVQCC SI, R12 - CMOVQCC BX, R13 - - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - - MOVQ 48(DI), R8 - MOVQ 56(DI), R9 - MOVQ 64(DI), R10 - MOVQ 72(DI), R11 - MOVQ 80(DI), R12 - MOVQ 88(DI), R13 - - ADDQ R8, R8 - ADCQ R9, R9 - ADCQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - - MOVQ R8, R14 - MOVQ R9, R15 - MOVQ R10, CX - MOVQ R11, DX - MOVQ R12, SI - MOVQ R13, BX - - MOVQ $0xb9feffffffffaaab, AX - SUBQ AX, R14 - MOVQ $0x1eabfffeb153ffff, AX - 
SBBQ AX, R15 - MOVQ $0x6730d2a0f6b0f624, AX - SBBQ AX, CX - MOVQ $0x64774b84f38512bf, AX - SBBQ AX, DX - MOVQ $0x4b1ba7b6434bacd7, AX - SBBQ AX, SI - MOVQ $0x1a0111ea397fe69a, AX - SBBQ AX, BX - - CMOVQCC R14, R8 - CMOVQCC R15, R9 - CMOVQCC CX, R10 - CMOVQCC DX, R11 - CMOVQCC SI, R12 - CMOVQCC BX, R13 - - MOVQ R8, 48(DI) - MOVQ R9, 56(DI) - MOVQ R10, 64(DI) - MOVQ R11, 72(DI) - MOVQ R12, 80(DI) - MOVQ R13, 88(DI) - - RET -/* | end */ - - -// doubling with modular reduction -// c = (a + a) % p -TEXT ·fp2Double(SB), NOSPLIT, $0-16 - MOVQ a+8(FP), DI - MOVQ c+0(FP), SI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - - ADDQ R8, R8 - ADCQ R9, R9 - ADCQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - - MOVQ R8, R14 - MOVQ R9, R15 - MOVQ R10, CX - MOVQ R11, DX - MOVQ R12, BP - MOVQ R13, BX - - MOVQ $0xb9feffffffffaaab, AX - SUBQ AX, R14 - MOVQ $0x1eabfffeb153ffff, AX - SBBQ AX, R15 - MOVQ $0x6730d2a0f6b0f624, AX - SBBQ AX, CX - MOVQ $0x64774b84f38512bf, AX - SBBQ AX, DX - MOVQ $0x4b1ba7b6434bacd7, AX - SBBQ AX, BP - MOVQ $0x1a0111ea397fe69a, AX - SBBQ AX, BX - - CMOVQCC R14, R8 - CMOVQCC R15, R9 - CMOVQCC CX, R10 - CMOVQCC DX, R11 - CMOVQCC BP, R12 - CMOVQCC BX, R13 - - MOVQ R8, (SI) - MOVQ R9, 8(SI) - MOVQ R10, 16(SI) - MOVQ R11, 24(SI) - MOVQ R12, 32(SI) - MOVQ R13, 40(SI) - - MOVQ 48(DI), R8 - MOVQ 56(DI), R9 - MOVQ 64(DI), R10 - MOVQ 72(DI), R11 - MOVQ 80(DI), R12 - MOVQ 88(DI), R13 - - ADDQ R8, R8 - ADCQ R9, R9 - ADCQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - - MOVQ R8, R14 - MOVQ R9, R15 - MOVQ R10, CX - MOVQ R11, DX - MOVQ R12, BP - MOVQ R13, BX - - MOVQ $0xb9feffffffffaaab, AX - SUBQ AX, R14 - MOVQ $0x1eabfffeb153ffff, AX - SBBQ AX, R15 - MOVQ $0x6730d2a0f6b0f624, AX - SBBQ AX, CX - MOVQ $0x64774b84f38512bf, AX - SBBQ AX, DX - MOVQ $0x4b1ba7b6434bacd7, AX - SBBQ AX, BP - MOVQ $0x1a0111ea397fe69a, AX - SBBQ AX, BX - - CMOVQCC R14, R8 - CMOVQCC R15, R9 - CMOVQCC CX, R10 - 
CMOVQCC DX, R11 - CMOVQCC BP, R12 - CMOVQCC BX, R13 - - MOVQ R8, 48(SI) - MOVQ R9, 56(SI) - MOVQ R10, 64(SI) - MOVQ R11, 72(SI) - MOVQ R12, 80(SI) - MOVQ R13, 88(SI) - - RET -/* | end */ - - -// a0 = a0 - a1 -// a1 = a0 + a1 -TEXT ·mulByNonResidueAssign(SB), NOSPLIT, $0-8 - MOVQ a+0(FP), DI - XORQ AX, AX - - // a0 - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - - // a0 - a1 - SUBQ 48(DI), R8 - SBBQ 56(DI), R9 - SBBQ 64(DI), R10 - SBBQ 72(DI), R11 - SBBQ 80(DI), R12 - SBBQ 88(DI), R13 - - MOVQ $0xb9feffffffffaaab, R14 - MOVQ $0x1eabfffeb153ffff, R15 - MOVQ $0x6730d2a0f6b0f624, CX - MOVQ $0x64774b84f38512bf, DX - MOVQ $0x4b1ba7b6434bacd7, BP - MOVQ $0x1a0111ea397fe69a, BX - - CMOVQCC AX, R14 - CMOVQCC AX, R15 - CMOVQCC AX, CX - CMOVQCC AX, DX - CMOVQCC AX, BP - CMOVQCC AX, BX - - ADDQ R14, R8 - ADCQ R15, R9 - ADCQ CX, R10 - ADCQ DX, R11 - ADCQ BP, R12 - ADCQ BX, R13 - - // a0 - MOVQ (DI), R14 - MOVQ 8(DI), R15 - MOVQ 16(DI), CX - MOVQ 24(DI), DX - MOVQ 32(DI), BP - MOVQ 40(DI), BX - - // a0 = a0 - a1 - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - - // a0 + a1 - ADDQ 48(DI), R14 - ADCQ 56(DI), R15 - ADCQ 64(DI), CX - ADCQ 72(DI), DX - ADCQ 80(DI), BP - ADCQ 88(DI), BX - - MOVQ R14, R8 - MOVQ R15, R9 - MOVQ CX, R10 - MOVQ DX, R11 - MOVQ BP, R12 - MOVQ BX, R13 - - MOVQ $0xb9feffffffffaaab, AX - SUBQ AX, R8 - MOVQ $0x1eabfffeb153ffff, AX - SBBQ AX, R9 - MOVQ $0x6730d2a0f6b0f624, AX - SBBQ AX, R10 - MOVQ $0x64774b84f38512bf, AX - SBBQ AX, R11 - MOVQ $0x4b1ba7b6434bacd7, AX - SBBQ AX, R12 - MOVQ $0x1a0111ea397fe69a, AX - SBBQ AX, R13 - - CMOVQCC R8, R14 - CMOVQCC R9, R15 - CMOVQCC R10, CX - CMOVQCC R11, DX - CMOVQCC R12, BP - CMOVQCC R13, BX - - MOVQ R14, 48(DI) - MOVQ R15, 56(DI) - MOVQ CX, 64(DI) - MOVQ DX, 72(DI) - MOVQ BP, 80(DI) - MOVQ BX, 88(DI) - RET - - -// c0 = a0 - a1 -// c1 = a0 + a1 -TEXT ·mulByNonResidue(SB), NOSPLIT, $0-16 - MOVQ 
c+0(FP), SI - MOVQ a+8(FP), DI - XORQ AX, AX - - // a0 - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - - // a0 - a1 - SUBQ 48(DI), R8 - SBBQ 56(DI), R9 - SBBQ 64(DI), R10 - SBBQ 72(DI), R11 - SBBQ 80(DI), R12 - SBBQ 88(DI), R13 - - MOVQ $0xb9feffffffffaaab, R14 - MOVQ $0x1eabfffeb153ffff, R15 - MOVQ $0x6730d2a0f6b0f624, CX - MOVQ $0x64774b84f38512bf, DX - MOVQ $0x4b1ba7b6434bacd7, BP - MOVQ $0x1a0111ea397fe69a, BX - - CMOVQCC AX, R14 - CMOVQCC AX, R15 - CMOVQCC AX, CX - CMOVQCC AX, DX - CMOVQCC AX, BP - CMOVQCC AX, BX - - ADDQ R14, R8 - ADCQ R15, R9 - ADCQ CX, R10 - ADCQ DX, R11 - ADCQ BP, R12 - ADCQ BX, R13 - - MOVQ R8, (SI) - MOVQ R9, 8(SI) - MOVQ R10, 16(SI) - MOVQ R11, 24(SI) - MOVQ R12, 32(SI) - MOVQ R13, 40(SI) - - // a0 - MOVQ (DI), R14 - MOVQ 8(DI), R15 - MOVQ 16(DI), CX - MOVQ 24(DI), DX - MOVQ 32(DI), BP - MOVQ 40(DI), BX - - // a0 + a1 - ADDQ 48(DI), R14 - ADCQ 56(DI), R15 - ADCQ 64(DI), CX - ADCQ 72(DI), DX - ADCQ 80(DI), BP - ADCQ 88(DI), BX - - MOVQ R14, R8 - MOVQ R15, R9 - MOVQ CX, R10 - MOVQ DX, R11 - MOVQ BP, R12 - MOVQ BX, R13 - - MOVQ $0xb9feffffffffaaab, AX - SUBQ AX, R8 - MOVQ $0x1eabfffeb153ffff, AX - SBBQ AX, R9 - MOVQ $0x6730d2a0f6b0f624, AX - SBBQ AX, R10 - MOVQ $0x64774b84f38512bf, AX - SBBQ AX, R11 - MOVQ $0x4b1ba7b6434bacd7, AX - SBBQ AX, R12 - MOVQ $0x1a0111ea397fe69a, AX - SBBQ AX, R13 - - - CMOVQCC R8, R14 - CMOVQCC R9, R15 - CMOVQCC R10, CX - CMOVQCC R11, DX - CMOVQCC R12, BP - CMOVQCC R13, BX - - MOVQ R14, 48(SI) - MOVQ R15, 56(SI) - MOVQ CX, 64(SI) - MOVQ DX, 72(SI) - MOVQ BP, 80(SI) - MOVQ BX, 88(SI) - RET - - -TEXT ·wfp2Add(SB), NOSPLIT, $0-24 - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - MOVQ c+0(FP), DX - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), BP - - ADDQ (SI), R8 - ADCQ 8(SI), R9 - ADCQ 16(SI), 
R10 - ADCQ 24(SI), R11 - ADCQ 32(SI), R12 - ADCQ 40(SI), R13 - ADCQ 48(SI), R14 - ADCQ 56(SI), R15 - ADCQ 64(SI), AX - ADCQ 72(SI), BX - ADCQ 80(SI), CX - ADCQ 88(SI), BP - - MOVQ R8, (DX) - MOVQ R9, 8(DX) - MOVQ R10, 16(DX) - MOVQ R11, 24(DX) - MOVQ R12, 32(DX) - MOVQ R13, 40(DX) - - MOVQ R14, R8 - MOVQ R15, R9 - MOVQ AX, R10 - MOVQ BX, R11 - MOVQ CX, R12 - MOVQ BP, R13 - - MOVQ $0xb9feffffffffaaab, DX - SUBQ DX, R8 - MOVQ $0x1eabfffeb153ffff, DX - SBBQ DX, R9 - MOVQ $0x6730d2a0f6b0f624, DX - SBBQ DX, R10 - MOVQ $0x64774b84f38512bf, DX - SBBQ DX, R11 - MOVQ $0x4b1ba7b6434bacd7, DX - SBBQ DX, R12 - MOVQ $0x1a0111ea397fe69a, DX - SBBQ DX, R13 - - CMOVQCC R8, R14 - CMOVQCC R9, R15 - CMOVQCC R10, AX - CMOVQCC R11, BX - CMOVQCC R12, CX - CMOVQCC R13, BP - - MOVQ c+0(FP), DX - - MOVQ R14, 48(DX) - MOVQ R15, 56(DX) - MOVQ AX, 64(DX) - MOVQ BX, 72(DX) - MOVQ CX, 80(DX) - MOVQ BP, 88(DX) - - MOVQ 96(DI), R8 - MOVQ 104(DI), R9 - MOVQ 112(DI), R10 - MOVQ 120(DI), R11 - MOVQ 128(DI), R12 - MOVQ 136(DI), R13 - MOVQ 144(DI), R14 - MOVQ 152(DI), R15 - MOVQ 160(DI), AX - MOVQ 168(DI), BX - MOVQ 176(DI), CX - MOVQ 184(DI), BP - - ADDQ 96(SI), R8 - ADCQ 104(SI), R9 - ADCQ 112(SI), R10 - ADCQ 120(SI), R11 - ADCQ 128(SI), R12 - ADCQ 136(SI), R13 - ADCQ 144(SI), R14 - ADCQ 152(SI), R15 - ADCQ 160(SI), AX - ADCQ 168(SI), BX - ADCQ 176(SI), CX - ADCQ 184(SI), BP - - MOVQ R8, 96(DX) - MOVQ R9, 104(DX) - MOVQ R10, 112(DX) - MOVQ R11, 120(DX) - MOVQ R12, 128(DX) - MOVQ R13, 136(DX) - - MOVQ R14, R8 - MOVQ R15, R9 - MOVQ AX, R10 - MOVQ BX, R11 - MOVQ CX, R12 - MOVQ BP, R13 - MOVQ $0xb9feffffffffaaab, DI - SUBQ DI, R8 - MOVQ $0x1eabfffeb153ffff, DI - SBBQ DI, R9 - MOVQ $0x6730d2a0f6b0f624, DI - SBBQ DI, R10 - MOVQ $0x64774b84f38512bf, DI - SBBQ DI, R11 - MOVQ $0x4b1ba7b6434bacd7, DI - SBBQ DI, R12 - MOVQ $0x1a0111ea397fe69a, DI - SBBQ DI, R13 - CMOVQCC R8, R14 - CMOVQCC R9, R15 - CMOVQCC R10, AX - CMOVQCC R11, BX - CMOVQCC R12, CX - CMOVQCC R13, BP - - MOVQ R14, 144(DX) - MOVQ R15, 152(DX) - 
MOVQ AX, 160(DX) - MOVQ BX, 168(DX) - MOVQ CX, 176(DX) - MOVQ BP, 184(DX) - RET - - -TEXT ·wfp2AddAssign(SB), NOSPLIT, $0-16 - MOVQ a+0(FP), DI - MOVQ b+8(FP), SI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), DX - - ADDQ (SI), R8 - ADCQ 8(SI), R9 - ADCQ 16(SI), R10 - ADCQ 24(SI), R11 - ADCQ 32(SI), R12 - ADCQ 40(SI), R13 - ADCQ 48(SI), R14 - ADCQ 56(SI), R15 - ADCQ 64(SI), AX - ADCQ 72(SI), BX - ADCQ 80(SI), CX - ADCQ 88(SI), DX - - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - - MOVQ R14, R8 - MOVQ R15, R9 - MOVQ AX, R10 - MOVQ BX, R11 - MOVQ CX, R12 - MOVQ DX, R13 - MOVQ $0xb9feffffffffaaab, BP - SUBQ BP, R8 - MOVQ $0x1eabfffeb153ffff, BP - SBBQ BP, R9 - MOVQ $0x6730d2a0f6b0f624, BP - SBBQ BP, R10 - MOVQ $0x64774b84f38512bf, BP - SBBQ BP, R11 - MOVQ $0x4b1ba7b6434bacd7, BP - SBBQ BP, R12 - MOVQ $0x1a0111ea397fe69a, BP - SBBQ BP, R13 - CMOVQCC R8, R14 - CMOVQCC R9, R15 - CMOVQCC R10, AX - CMOVQCC R11, BX - CMOVQCC R12, CX - CMOVQCC R13, DX - - MOVQ R14, 48(DI) - MOVQ R15, 56(DI) - MOVQ AX, 64(DI) - MOVQ BX, 72(DI) - MOVQ CX, 80(DI) - MOVQ DX, 88(DI) - - - MOVQ 96(DI), R8 - MOVQ 104(DI), R9 - MOVQ 112(DI), R10 - MOVQ 120(DI), R11 - MOVQ 128(DI), R12 - MOVQ 136(DI), R13 - MOVQ 144(DI), R14 - MOVQ 152(DI), R15 - MOVQ 160(DI), AX - MOVQ 168(DI), BX - MOVQ 176(DI), CX - MOVQ 184(DI), DX - - ADDQ 96(SI), R8 - ADCQ 104(SI), R9 - ADCQ 112(SI), R10 - ADCQ 120(SI), R11 - ADCQ 128(SI), R12 - ADCQ 136(SI), R13 - ADCQ 144(SI), R14 - ADCQ 152(SI), R15 - ADCQ 160(SI), AX - ADCQ 168(SI), BX - ADCQ 176(SI), CX - ADCQ 184(SI), DX - - MOVQ R8, 96(DI) - MOVQ R9, 104(DI) - MOVQ R10, 112(DI) - MOVQ R11, 120(DI) - MOVQ R12, 128(DI) - MOVQ R13, 136(DI) - - MOVQ R14, R8 - MOVQ R15, R9 - MOVQ AX, R10 - MOVQ BX, R11 - MOVQ CX, R12 - MOVQ DX, R13 - MOVQ 
$0xb9feffffffffaaab, BP - SUBQ BP, R8 - MOVQ $0x1eabfffeb153ffff, BP - SBBQ BP, R9 - MOVQ $0x6730d2a0f6b0f624, BP - SBBQ BP, R10 - MOVQ $0x64774b84f38512bf, BP - SBBQ BP, R11 - MOVQ $0x4b1ba7b6434bacd7, BP - SBBQ BP, R12 - MOVQ $0x1a0111ea397fe69a, BP - SBBQ BP, R13 - CMOVQCC R8, R14 - CMOVQCC R9, R15 - CMOVQCC R10, AX - CMOVQCC R11, BX - CMOVQCC R12, CX - CMOVQCC R13, DX - - MOVQ R14, 144(DI) - MOVQ R15, 152(DI) - MOVQ AX, 160(DI) - MOVQ BX, 168(DI) - MOVQ CX, 176(DI) - MOVQ DX, 184(DI) - RET - - -TEXT ·wfp2AddMixed(SB), NOSPLIT, $0-24 - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - MOVQ c+0(FP), DX - - MOVQ 96(DI), R8 - MOVQ 104(DI), R9 - MOVQ 112(DI), R10 - MOVQ 120(DI), R11 - MOVQ 128(DI), R12 - MOVQ 136(DI), R13 - MOVQ 144(DI), R14 - MOVQ 152(DI), R15 - MOVQ 160(DI), AX - MOVQ 168(DI), BX - MOVQ 176(DI), CX - MOVQ 184(DI), BP - - ADDQ 96(SI), R8 - ADCQ 104(SI), R9 - ADCQ 112(SI), R10 - ADCQ 120(SI), R11 - ADCQ 128(SI), R12 - ADCQ 136(SI), R13 - ADCQ 144(SI), R14 - ADCQ 152(SI), R15 - ADCQ 160(SI), AX - ADCQ 168(SI), BX - ADCQ 176(SI), CX - ADCQ 184(SI), BP - - MOVQ R8, 96(DX) - MOVQ R9, 104(DX) - MOVQ R10, 112(DX) - MOVQ R11, 120(DX) - MOVQ R12, 128(DX) - MOVQ R13, 136(DX) - MOVQ R14, 144(DX) - MOVQ R15, 152(DX) - MOVQ AX, 160(DX) - MOVQ BX, 168(DX) - MOVQ CX, 176(DX) - MOVQ BP, 184(DX) - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), BP - - ADDQ (SI), R8 - ADCQ 8(SI), R9 - ADCQ 16(SI), R10 - ADCQ 24(SI), R11 - ADCQ 32(SI), R12 - ADCQ 40(SI), R13 - ADCQ 48(SI), R14 - ADCQ 56(SI), R15 - ADCQ 64(SI), AX - ADCQ 72(SI), BX - ADCQ 80(SI), CX - ADCQ 88(SI), BP - - MOVQ R8, (DX) - MOVQ R9, 8(DX) - MOVQ R10, 16(DX) - MOVQ R11, 24(DX) - MOVQ R12, 32(DX) - MOVQ R13, 40(DX) - - - MOVQ R14, R8 - MOVQ R15, R9 - MOVQ AX, R10 - MOVQ BX, R11 - MOVQ CX, R12 - MOVQ BP, R13 - MOVQ $0xb9feffffffffaaab, DI - SUBQ DI, R8 - 
MOVQ $0x1eabfffeb153ffff, DI - SBBQ DI, R9 - MOVQ $0x6730d2a0f6b0f624, DI - SBBQ DI, R10 - MOVQ $0x64774b84f38512bf, DI - SBBQ DI, R11 - MOVQ $0x4b1ba7b6434bacd7, DI - SBBQ DI, R12 - MOVQ $0x1a0111ea397fe69a, DI - SBBQ DI, R13 - CMOVQCC R8, R14 - CMOVQCC R9, R15 - CMOVQCC R10, AX - CMOVQCC R11, BX - CMOVQCC R12, CX - CMOVQCC R13, BP - - MOVQ R14, 48(DX) - MOVQ R15, 56(DX) - MOVQ AX, 64(DX) - MOVQ BX, 72(DX) - MOVQ CX, 80(DX) - MOVQ BP, 88(DX) - RET - - -TEXT ·wfp2AddMixedAssign(SB), NOSPLIT, $0-16 - - MOVQ a+0(FP), DI - MOVQ b+8(FP), SI - - MOVQ 96(DI), R8 - MOVQ 104(DI), R9 - MOVQ 112(DI), R10 - MOVQ 120(DI), R11 - MOVQ 128(DI), R12 - MOVQ 136(DI), R13 - MOVQ 144(DI), R14 - MOVQ 152(DI), R15 - MOVQ 160(DI), AX - MOVQ 168(DI), BX - MOVQ 176(DI), CX - MOVQ 184(DI), BP - - ADDQ 96(SI), R8 - ADCQ 104(SI), R9 - ADCQ 112(SI), R10 - ADCQ 120(SI), R11 - ADCQ 128(SI), R12 - ADCQ 136(SI), R13 - ADCQ 144(SI), R14 - ADCQ 152(SI), R15 - ADCQ 160(SI), AX - ADCQ 168(SI), BX - ADCQ 176(SI), CX - ADCQ 184(SI), BP - - MOVQ R8, 96(DI) - MOVQ R9, 104(DI) - MOVQ R10, 112(DI) - MOVQ R11, 120(DI) - MOVQ R12, 128(DI) - MOVQ R13, 136(DI) - MOVQ R14, 144(DI) - MOVQ R15, 152(DI) - MOVQ AX, 160(DI) - MOVQ BX, 168(DI) - MOVQ CX, 176(DI) - MOVQ BP, 184(DI) - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), BP - - ADDQ (SI), R8 - ADCQ 8(SI), R9 - ADCQ 16(SI), R10 - ADCQ 24(SI), R11 - ADCQ 32(SI), R12 - ADCQ 40(SI), R13 - ADCQ 48(SI), R14 - ADCQ 56(SI), R15 - ADCQ 64(SI), AX - ADCQ 72(SI), BX - ADCQ 80(SI), CX - ADCQ 88(SI), BP - - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - - MOVQ R14, R8 - MOVQ R15, R9 - MOVQ AX, R10 - MOVQ BX, R11 - MOVQ CX, R12 - MOVQ BP, R13 - MOVQ $0xb9feffffffffaaab, SI - SUBQ SI, R8 - MOVQ $0x1eabfffeb153ffff, SI - SBBQ SI, R9 - MOVQ 
$0x6730d2a0f6b0f624, SI - SBBQ SI, R10 - MOVQ $0x64774b84f38512bf, SI - SBBQ SI, R11 - MOVQ $0x4b1ba7b6434bacd7, SI - SBBQ SI, R12 - MOVQ $0x1a0111ea397fe69a, SI - SBBQ SI, R13 - CMOVQCC R8, R14 - CMOVQCC R9, R15 - CMOVQCC R10, AX - CMOVQCC R11, BX - CMOVQCC R12, CX - CMOVQCC R13, BP - - MOVQ R14, 48(DI) - MOVQ R15, 56(DI) - MOVQ AX, 64(DI) - MOVQ BX, 72(DI) - MOVQ CX, 80(DI) - MOVQ BP, 88(DI) - RET - - -TEXT ·wfp2Ladd(SB), NOSPLIT, $0-24 - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - MOVQ c+0(FP), DX - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), BP - - ADDQ (SI), R8 - ADCQ 8(SI), R9 - ADCQ 16(SI), R10 - ADCQ 24(SI), R11 - ADCQ 32(SI), R12 - ADCQ 40(SI), R13 - ADCQ 48(SI), R14 - ADCQ 56(SI), R15 - ADCQ 64(SI), AX - ADCQ 72(SI), BX - ADCQ 80(SI), CX - ADCQ 88(SI), BP - - MOVQ R8, (DX) - MOVQ R9, 8(DX) - MOVQ R10, 16(DX) - MOVQ R11, 24(DX) - MOVQ R12, 32(DX) - MOVQ R13, 40(DX) - MOVQ R14, 48(DX) - MOVQ R15, 56(DX) - MOVQ AX, 64(DX) - MOVQ BX, 72(DX) - MOVQ CX, 80(DX) - MOVQ BP, 88(DX) - - MOVQ 96(DI), R8 - MOVQ 104(DI), R9 - MOVQ 112(DI), R10 - MOVQ 120(DI), R11 - MOVQ 128(DI), R12 - MOVQ 136(DI), R13 - MOVQ 144(DI), R14 - MOVQ 152(DI), R15 - MOVQ 160(DI), AX - MOVQ 168(DI), BX - MOVQ 176(DI), CX - MOVQ 184(DI), BP - - ADDQ 96(SI), R8 - ADCQ 104(SI), R9 - ADCQ 112(SI), R10 - ADCQ 120(SI), R11 - ADCQ 128(SI), R12 - ADCQ 136(SI), R13 - ADCQ 144(SI), R14 - ADCQ 152(SI), R15 - ADCQ 160(SI), AX - ADCQ 168(SI), BX - ADCQ 176(SI), CX - ADCQ 184(SI), BP - - MOVQ R8, 96(DX) - MOVQ R9, 104(DX) - MOVQ R10, 112(DX) - MOVQ R11, 120(DX) - MOVQ R12, 128(DX) - MOVQ R13, 136(DX) - MOVQ R14, 144(DX) - MOVQ R15, 152(DX) - MOVQ AX, 160(DX) - MOVQ BX, 168(DX) - MOVQ CX, 176(DX) - MOVQ BP, 184(DX) - RET - - -TEXT ·wfp2LaddAssign(SB), NOSPLIT, $0-16 - MOVQ a+0(FP), DI - MOVQ b+8(FP), SI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - 
MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), BP - - ADDQ (SI), R8 - ADCQ 8(SI), R9 - ADCQ 16(SI), R10 - ADCQ 24(SI), R11 - ADCQ 32(SI), R12 - ADCQ 40(SI), R13 - ADCQ 48(SI), R14 - ADCQ 56(SI), R15 - ADCQ 64(SI), AX - ADCQ 72(SI), BX - ADCQ 80(SI), CX - ADCQ 88(SI), BP - - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - MOVQ R14, 48(DI) - MOVQ R15, 56(DI) - MOVQ AX, 64(DI) - MOVQ BX, 72(DI) - MOVQ CX, 80(DI) - MOVQ BP, 88(DI) - - MOVQ 96(DI), R8 - MOVQ 104(DI), R9 - MOVQ 112(DI), R10 - MOVQ 120(DI), R11 - MOVQ 128(DI), R12 - MOVQ 136(DI), R13 - MOVQ 144(DI), R14 - MOVQ 152(DI), R15 - MOVQ 160(DI), AX - MOVQ 168(DI), BX - MOVQ 176(DI), CX - MOVQ 184(DI), BP - - ADDQ 96(SI), R8 - ADCQ 104(SI), R9 - ADCQ 112(SI), R10 - ADCQ 120(SI), R11 - ADCQ 128(SI), R12 - ADCQ 136(SI), R13 - ADCQ 144(SI), R14 - ADCQ 152(SI), R15 - ADCQ 160(SI), AX - ADCQ 168(SI), BX - ADCQ 176(SI), CX - ADCQ 184(SI), BP - - MOVQ R8, 96(DI) - MOVQ R9, 104(DI) - MOVQ R10, 112(DI) - MOVQ R11, 120(DI) - MOVQ R12, 128(DI) - MOVQ R13, 136(DI) - MOVQ R14, 144(DI) - MOVQ R15, 152(DI) - MOVQ AX, 160(DI) - MOVQ BX, 168(DI) - MOVQ CX, 176(DI) - MOVQ BP, 184(DI) - RET - - -TEXT ·wfp2Sub(SB), NOSPLIT, $0-24 - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - MOVQ c+0(FP), BP - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), DX - - SUBQ (SI), R8 - SBBQ 8(SI), R9 - SBBQ 16(SI), R10 - SBBQ 24(SI), R11 - SBBQ 32(SI), R12 - SBBQ 40(SI), R13 - SBBQ 48(SI), R14 - SBBQ 56(SI), R15 - SBBQ 64(SI), AX - SBBQ 72(SI), BX - SBBQ 80(SI), CX - SBBQ 88(SI), DX - - MOVQ R8, (BP) - MOVQ R9, 8(BP) - MOVQ R10, 16(BP) - MOVQ R11, 24(BP) - MOVQ R12, 32(BP) - MOVQ R13, 40(BP) - - MOVQ $0, 
SI - MOVQ $0xb9feffffffffaaab, R8 - MOVQ $0x1eabfffeb153ffff, R9 - MOVQ $0x6730d2a0f6b0f624, R10 - MOVQ $0x64774b84f38512bf, R11 - MOVQ $0x4b1ba7b6434bacd7, R12 - MOVQ $0x1a0111ea397fe69a, R13 - CMOVQCC SI, R8 - CMOVQCC SI, R9 - CMOVQCC SI, R10 - CMOVQCC SI, R11 - CMOVQCC SI, R12 - CMOVQCC SI, R13 - ADDQ R8, R14 - ADCQ R9, R15 - ADCQ R10, AX - ADCQ R11, BX - ADCQ R12, CX - ADCQ R13, DX - - MOVQ R14, 48(BP) - MOVQ R15, 56(BP) - MOVQ AX, 64(BP) - MOVQ BX, 72(BP) - MOVQ CX, 80(BP) - MOVQ DX, 88(BP) - - MOVQ b+16(FP), SI - MOVQ 96(DI), R8 - MOVQ 104(DI), R9 - MOVQ 112(DI), R10 - MOVQ 120(DI), R11 - MOVQ 128(DI), R12 - MOVQ 136(DI), R13 - MOVQ 144(DI), R14 - MOVQ 152(DI), R15 - MOVQ 160(DI), AX - MOVQ 168(DI), BX - MOVQ 176(DI), CX - MOVQ 184(DI), DX - - SUBQ 96(SI), R8 - SBBQ 104(SI), R9 - SBBQ 112(SI), R10 - SBBQ 120(SI), R11 - SBBQ 128(SI), R12 - SBBQ 136(SI), R13 - SBBQ 144(SI), R14 - SBBQ 152(SI), R15 - SBBQ 160(SI), AX - SBBQ 168(SI), BX - SBBQ 176(SI), CX - SBBQ 184(SI), DX - - MOVQ R8, 96(BP) - MOVQ R9, 104(BP) - MOVQ R10, 112(BP) - MOVQ R11, 120(BP) - MOVQ R12, 128(BP) - MOVQ R13, 136(BP) - - MOVQ $0, SI - MOVQ $0xb9feffffffffaaab, R8 - MOVQ $0x1eabfffeb153ffff, R9 - MOVQ $0x6730d2a0f6b0f624, R10 - MOVQ $0x64774b84f38512bf, R11 - MOVQ $0x4b1ba7b6434bacd7, R12 - MOVQ $0x1a0111ea397fe69a, R13 - CMOVQCC SI, R8 - CMOVQCC SI, R9 - CMOVQCC SI, R10 - CMOVQCC SI, R11 - CMOVQCC SI, R12 - CMOVQCC SI, R13 - ADDQ R8, R14 - ADCQ R9, R15 - ADCQ R10, AX - ADCQ R11, BX - ADCQ R12, CX - ADCQ R13, DX - - MOVQ R14, 144(BP) - MOVQ R15, 152(BP) - MOVQ AX, 160(BP) - MOVQ BX, 168(BP) - MOVQ CX, 176(BP) - MOVQ DX, 184(BP) - RET - - -TEXT ·wfp2SubAssign(SB), NOSPLIT, $0-16 - - MOVQ a+0(FP), DI - MOVQ b+8(FP), SI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), DX - - SUBQ (SI), R8 - SBBQ 8(SI), R9 - SBBQ 16(SI), R10 - 
SBBQ 24(SI), R11 - SBBQ 32(SI), R12 - SBBQ 40(SI), R13 - SBBQ 48(SI), R14 - SBBQ 56(SI), R15 - SBBQ 64(SI), AX - SBBQ 72(SI), BX - SBBQ 80(SI), CX - SBBQ 88(SI), DX - - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - - MOVQ $0, BP - MOVQ $0xb9feffffffffaaab, R8 - MOVQ $0x1eabfffeb153ffff, R9 - MOVQ $0x6730d2a0f6b0f624, R10 - MOVQ $0x64774b84f38512bf, R11 - MOVQ $0x4b1ba7b6434bacd7, R12 - MOVQ $0x1a0111ea397fe69a, R13 - CMOVQCC BP, R8 - CMOVQCC BP, R9 - CMOVQCC BP, R10 - CMOVQCC BP, R11 - CMOVQCC BP, R12 - CMOVQCC BP, R13 - ADDQ R8, R14 - ADCQ R9, R15 - ADCQ R10, AX - ADCQ R11, BX - ADCQ R12, CX - ADCQ R13, DX - - MOVQ R14, 48(DI) - MOVQ R15, 56(DI) - MOVQ AX, 64(DI) - MOVQ BX, 72(DI) - MOVQ CX, 80(DI) - MOVQ DX, 88(DI) - - MOVQ 96(DI), R8 - MOVQ 104(DI), R9 - MOVQ 112(DI), R10 - MOVQ 120(DI), R11 - MOVQ 128(DI), R12 - MOVQ 136(DI), R13 - MOVQ 144(DI), R14 - MOVQ 152(DI), R15 - MOVQ 160(DI), AX - MOVQ 168(DI), BX - MOVQ 176(DI), CX - MOVQ 184(DI), DX - - SUBQ 96(SI), R8 - SBBQ 104(SI), R9 - SBBQ 112(SI), R10 - SBBQ 120(SI), R11 - SBBQ 128(SI), R12 - SBBQ 136(SI), R13 - SBBQ 144(SI), R14 - SBBQ 152(SI), R15 - SBBQ 160(SI), AX - SBBQ 168(SI), BX - SBBQ 176(SI), CX - SBBQ 184(SI), DX - - MOVQ R8, 96(DI) - MOVQ R9, 104(DI) - MOVQ R10, 112(DI) - MOVQ R11, 120(DI) - MOVQ R12, 128(DI) - MOVQ R13, 136(DI) - - MOVQ $0, BP - MOVQ $0xb9feffffffffaaab, R8 - MOVQ $0x1eabfffeb153ffff, R9 - MOVQ $0x6730d2a0f6b0f624, R10 - MOVQ $0x64774b84f38512bf, R11 - MOVQ $0x4b1ba7b6434bacd7, R12 - MOVQ $0x1a0111ea397fe69a, R13 - CMOVQCC BP, R8 - CMOVQCC BP, R9 - CMOVQCC BP, R10 - CMOVQCC BP, R11 - CMOVQCC BP, R12 - CMOVQCC BP, R13 - ADDQ R8, R14 - ADCQ R9, R15 - ADCQ R10, AX - ADCQ R11, BX - ADCQ R12, CX - ADCQ R13, DX - - MOVQ R14, 144(DI) - MOVQ R15, 152(DI) - MOVQ AX, 160(DI) - MOVQ BX, 168(DI) - MOVQ CX, 176(DI) - MOVQ DX, 184(DI) - RET - -TEXT ·wfp2SubMixed(SB), NOSPLIT, $0-24 - - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - - MOVQ 
(DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), DX - - SUBQ (SI), R8 - SBBQ 8(SI), R9 - SBBQ 16(SI), R10 - SBBQ 24(SI), R11 - SBBQ 32(SI), R12 - SBBQ 40(SI), R13 - SBBQ 48(SI), R14 - SBBQ 56(SI), R15 - SBBQ 64(SI), AX - SBBQ 72(SI), BX - SBBQ 80(SI), CX - SBBQ 88(SI), DX - - MOVQ c+0(FP), DI - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - - MOVQ $0, BP - MOVQ $0xb9feffffffffaaab, R8 - MOVQ $0x1eabfffeb153ffff, R9 - MOVQ $0x6730d2a0f6b0f624, R10 - MOVQ $0x64774b84f38512bf, R11 - MOVQ $0x4b1ba7b6434bacd7, R12 - MOVQ $0x1a0111ea397fe69a, R13 - CMOVQCC BP, R8 - CMOVQCC BP, R9 - CMOVQCC BP, R10 - CMOVQCC BP, R11 - CMOVQCC BP, R12 - CMOVQCC BP, R13 - ADDQ R8, R14 - ADCQ R9, R15 - ADCQ R10, AX - ADCQ R11, BX - ADCQ R12, CX - ADCQ R13, DX - - MOVQ R14, 48(DI) - MOVQ R15, 56(DI) - MOVQ AX, 64(DI) - MOVQ BX, 72(DI) - MOVQ CX, 80(DI) - MOVQ DX, 88(DI) - - MOVQ a+8(FP), DI - MOVQ 96(DI), R8 - MOVQ 104(DI), R9 - MOVQ 112(DI), R10 - MOVQ 120(DI), R11 - MOVQ 128(DI), R12 - MOVQ 136(DI), R13 - MOVQ 144(DI), R14 - MOVQ 152(DI), R15 - MOVQ 160(DI), AX - MOVQ 168(DI), BX - MOVQ 176(DI), CX - MOVQ 184(DI), DX - - SUBQ 96(SI), R8 - SBBQ 104(SI), R9 - SBBQ 112(SI), R10 - SBBQ 120(SI), R11 - SBBQ 128(SI), R12 - SBBQ 136(SI), R13 - SBBQ 144(SI), R14 - SBBQ 152(SI), R15 - SBBQ 160(SI), AX - SBBQ 168(SI), BX - SBBQ 176(SI), CX - SBBQ 184(SI), DX - - MOVQ c+0(FP), DI - MOVQ R8, 96(DI) - MOVQ R9, 104(DI) - MOVQ R10, 112(DI) - MOVQ R11, 120(DI) - MOVQ R12, 128(DI) - MOVQ R13, 136(DI) - MOVQ R14, 144(DI) - MOVQ R15, 152(DI) - MOVQ AX, 160(DI) - MOVQ BX, 168(DI) - MOVQ CX, 176(DI) - MOVQ DX, 184(DI) - RET - -TEXT ·wfp2SubMixedAssign(SB), NOSPLIT, $0-16 - - MOVQ a+0(FP), DI - MOVQ b+8(FP), SI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 
32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), DX - - SUBQ (SI), R8 - SBBQ 8(SI), R9 - SBBQ 16(SI), R10 - SBBQ 24(SI), R11 - SBBQ 32(SI), R12 - SBBQ 40(SI), R13 - SBBQ 48(SI), R14 - SBBQ 56(SI), R15 - SBBQ 64(SI), AX - SBBQ 72(SI), BX - SBBQ 80(SI), CX - SBBQ 88(SI), DX - - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - - MOVQ $0, BP - MOVQ $0xb9feffffffffaaab, R8 - MOVQ $0x1eabfffeb153ffff, R9 - MOVQ $0x6730d2a0f6b0f624, R10 - MOVQ $0x64774b84f38512bf, R11 - MOVQ $0x4b1ba7b6434bacd7, R12 - MOVQ $0x1a0111ea397fe69a, R13 - CMOVQCC BP, R8 - CMOVQCC BP, R9 - CMOVQCC BP, R10 - CMOVQCC BP, R11 - CMOVQCC BP, R12 - CMOVQCC BP, R13 - ADDQ R8, R14 - ADCQ R9, R15 - ADCQ R10, AX - ADCQ R11, BX - ADCQ R12, CX - ADCQ R13, DX - - MOVQ R14, 48(DI) - MOVQ R15, 56(DI) - MOVQ AX, 64(DI) - MOVQ BX, 72(DI) - MOVQ CX, 80(DI) - MOVQ DX, 88(DI) - - MOVQ 96(DI), R8 - MOVQ 104(DI), R9 - MOVQ 112(DI), R10 - MOVQ 120(DI), R11 - MOVQ 128(DI), R12 - MOVQ 136(DI), R13 - MOVQ 144(DI), R14 - MOVQ 152(DI), R15 - MOVQ 160(DI), AX - MOVQ 168(DI), BX - MOVQ 176(DI), CX - MOVQ 184(DI), DX - - SUBQ 96(SI), R8 - SBBQ 104(SI), R9 - SBBQ 112(SI), R10 - SBBQ 120(SI), R11 - SBBQ 128(SI), R12 - SBBQ 136(SI), R13 - SBBQ 144(SI), R14 - SBBQ 152(SI), R15 - SBBQ 160(SI), AX - SBBQ 168(SI), BX - SBBQ 176(SI), CX - SBBQ 184(SI), DX - - MOVQ R8, 96(DI) - MOVQ R9, 104(DI) - MOVQ R10, 112(DI) - MOVQ R11, 120(DI) - MOVQ R12, 128(DI) - MOVQ R13, 136(DI) - MOVQ R14, 144(DI) - MOVQ R15, 152(DI) - MOVQ AX, 160(DI) - MOVQ BX, 168(DI) - MOVQ CX, 176(DI) - MOVQ DX, 184(DI) - RET - - -TEXT ·wfp2Double(SB), NOSPLIT, $0-16 - - MOVQ a+8(FP), DI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), DX - - ADDQ R8, R8 - 
ADCQ R9, R9 - ADCQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - ADCQ R14, R14 - ADCQ R15, R15 - ADCQ AX, AX - ADCQ BX, BX - ADCQ CX, CX - ADCQ DX, DX - - MOVQ c+0(FP), SI - MOVQ R8, (SI) - MOVQ R9, 8(SI) - MOVQ R10, 16(SI) - MOVQ R11, 24(SI) - MOVQ R12, 32(SI) - MOVQ R13, 40(SI) - - MOVQ R14, R8 - MOVQ R15, R9 - MOVQ AX, R10 - MOVQ BX, R11 - MOVQ CX, R12 - MOVQ DX, R13 - MOVQ $0xb9feffffffffaaab, BP - SUBQ BP, R8 - MOVQ $0x1eabfffeb153ffff, BP - SBBQ BP, R9 - MOVQ $0x6730d2a0f6b0f624, BP - SBBQ BP, R10 - MOVQ $0x64774b84f38512bf, BP - SBBQ BP, R11 - MOVQ $0x4b1ba7b6434bacd7, BP - SBBQ BP, R12 - MOVQ $0x1a0111ea397fe69a, BP - SBBQ BP, R13 - CMOVQCC R8, R14 - CMOVQCC R9, R15 - CMOVQCC R10, AX - CMOVQCC R11, BX - CMOVQCC R12, CX - CMOVQCC R13, DX - - MOVQ R14, 48(SI) - MOVQ R15, 56(SI) - MOVQ AX, 64(SI) - MOVQ BX, 72(SI) - MOVQ CX, 80(SI) - MOVQ DX, 88(SI) - - MOVQ 96(DI), R8 - MOVQ 104(DI), R9 - MOVQ 112(DI), R10 - MOVQ 120(DI), R11 - MOVQ 128(DI), R12 - MOVQ 136(DI), R13 - MOVQ 144(DI), R14 - MOVQ 152(DI), R15 - MOVQ 160(DI), AX - MOVQ 168(DI), BX - MOVQ 176(DI), CX - MOVQ 184(DI), DX - - ADDQ R8, R8 - ADCQ R9, R9 - ADCQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - ADCQ R14, R14 - ADCQ R15, R15 - ADCQ AX, AX - ADCQ BX, BX - ADCQ CX, CX - ADCQ DX, DX - - MOVQ c+0(FP), SI - MOVQ R8, 96(SI) - MOVQ R9, 104(SI) - MOVQ R10, 112(SI) - MOVQ R11, 120(SI) - MOVQ R12, 128(SI) - MOVQ R13, 136(SI) - - MOVQ R14, R8 - MOVQ R15, R9 - MOVQ AX, R10 - MOVQ BX, R11 - MOVQ CX, R12 - MOVQ DX, R13 - MOVQ $0xb9feffffffffaaab, DI - SUBQ DI, R8 - MOVQ $0x1eabfffeb153ffff, DI - SBBQ DI, R9 - MOVQ $0x6730d2a0f6b0f624, DI - SBBQ DI, R10 - MOVQ $0x64774b84f38512bf, DI - SBBQ DI, R11 - MOVQ $0x4b1ba7b6434bacd7, DI - SBBQ DI, R12 - MOVQ $0x1a0111ea397fe69a, DI - SBBQ DI, R13 - CMOVQCC R8, R14 - CMOVQCC R9, R15 - CMOVQCC R10, AX - CMOVQCC R11, BX - CMOVQCC R12, CX - CMOVQCC R13, DX - - MOVQ R14, 144(SI) - MOVQ R15, 152(SI) - MOVQ AX, 160(SI) - MOVQ BX, 168(SI) - MOVQ CX, 
176(SI) - MOVQ DX, 184(SI) - RET - - TEXT ·wfp2DoubleAssign(SB), NOSPLIT, $0-8 - MOVQ a+0(FP), DI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), DX - - ADDQ R8, R8 - ADCQ R9, R9 - ADCQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - ADCQ R14, R14 - ADCQ R15, R15 - ADCQ AX, AX - ADCQ BX, BX - ADCQ CX, CX - ADCQ DX, DX - - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - - MOVQ R14, R8 - MOVQ R15, R9 - MOVQ AX, R10 - MOVQ BX, R11 - MOVQ CX, R12 - MOVQ DX, R13 - MOVQ $0xb9feffffffffaaab, SI - SUBQ SI, R8 - MOVQ $0x1eabfffeb153ffff, SI - SBBQ SI, R9 - MOVQ $0x6730d2a0f6b0f624, SI - SBBQ SI, R10 - MOVQ $0x64774b84f38512bf, SI - SBBQ SI, R11 - MOVQ $0x4b1ba7b6434bacd7, SI - SBBQ SI, R12 - MOVQ $0x1a0111ea397fe69a, SI - SBBQ SI, R13 - CMOVQCC R8, R14 - CMOVQCC R9, R15 - CMOVQCC R10, AX - CMOVQCC R11, BX - CMOVQCC R12, CX - CMOVQCC R13, DX - - MOVQ R14, 48(DI) - MOVQ R15, 56(DI) - MOVQ AX, 64(DI) - MOVQ BX, 72(DI) - MOVQ CX, 80(DI) - MOVQ DX, 88(DI) - - MOVQ 96(DI), R8 - MOVQ 104(DI), R9 - MOVQ 112(DI), R10 - MOVQ 120(DI), R11 - MOVQ 128(DI), R12 - MOVQ 136(DI), R13 - MOVQ 144(DI), R14 - MOVQ 152(DI), R15 - MOVQ 160(DI), AX - MOVQ 168(DI), BX - MOVQ 176(DI), CX - MOVQ 184(DI), DX - - ADDQ R8, R8 - ADCQ R9, R9 - ADCQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - ADCQ R14, R14 - ADCQ R15, R15 - ADCQ AX, AX - ADCQ BX, BX - ADCQ CX, CX - ADCQ DX, DX - - MOVQ R8, 96(DI) - MOVQ R9, 104(DI) - MOVQ R10, 112(DI) - MOVQ R11, 120(DI) - MOVQ R12, 128(DI) - MOVQ R13, 136(DI) - - MOVQ R14, R8 - MOVQ R15, R9 - MOVQ AX, R10 - MOVQ BX, R11 - MOVQ CX, R12 - MOVQ DX, R13 - MOVQ $0xb9feffffffffaaab, SI - SUBQ SI, R8 - MOVQ $0x1eabfffeb153ffff, SI - SBBQ SI, R9 - MOVQ $0x6730d2a0f6b0f624, SI - SBBQ SI, R10 - MOVQ $0x64774b84f38512bf, SI - SBBQ 
SI, R11 - MOVQ $0x4b1ba7b6434bacd7, SI - SBBQ SI, R12 - MOVQ $0x1a0111ea397fe69a, SI - SBBQ SI, R13 - CMOVQCC R8, R14 - CMOVQCC R9, R15 - CMOVQCC R10, AX - CMOVQCC R11, BX - CMOVQCC R12, CX - CMOVQCC R13, DX - - MOVQ R14, 144(DI) - MOVQ R15, 152(DI) - MOVQ AX, 160(DI) - MOVQ BX, 168(DI) - MOVQ CX, 176(DI) - MOVQ DX, 184(DI) - RET - - - -// c1 = a0 + a1 -// c0 = a0 - a1 -TEXT ·wfp2MulByNonResidue(SB), NOSPLIT, $0-16 - MOVQ c+0(FP), SI - MOVQ a+8(FP), DI - - // a0 - a1 - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), DX - - SUBQ 96(DI), R8 - SBBQ 104(DI), R9 - SBBQ 112(DI), R10 - SBBQ 120(DI), R11 - SBBQ 128(DI), R12 - SBBQ 136(DI), R13 - SBBQ 144(DI), R14 - SBBQ 152(DI), R15 - SBBQ 160(DI), AX - SBBQ 168(DI), BX - SBBQ 176(DI), CX - SBBQ 184(DI), DX - - MOVQ R8, (SI) - MOVQ R9, 8(SI) - MOVQ R10, 16(SI) - MOVQ R11, 24(SI) - MOVQ R12, 32(SI) - MOVQ R13, 40(SI) - - MOVQ $0, BP - MOVQ $0xb9feffffffffaaab, R8 - MOVQ $0x1eabfffeb153ffff, R9 - MOVQ $0x6730d2a0f6b0f624, R10 - MOVQ $0x64774b84f38512bf, R11 - MOVQ $0x4b1ba7b6434bacd7, R12 - MOVQ $0x1a0111ea397fe69a, R13 - CMOVQCC BP, R8 - CMOVQCC BP, R9 - CMOVQCC BP, R10 - CMOVQCC BP, R11 - CMOVQCC BP, R12 - CMOVQCC BP, R13 - ADDQ R8, R14 - ADCQ R9, R15 - ADCQ R10, AX - ADCQ R11, BX - ADCQ R12, CX - ADCQ R13, DX - - MOVQ R14, 48(SI) - MOVQ R15, 56(SI) - MOVQ AX, 64(SI) - MOVQ BX, 72(SI) - MOVQ CX, 80(SI) - MOVQ DX, 88(SI) - - // a0 + a1 - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), DX - - ADDQ 96(DI), R8 - ADCQ 104(DI), R9 - ADCQ 112(DI), R10 - ADCQ 120(DI), R11 - ADCQ 128(DI), R12 - ADCQ 136(DI), R13 - ADCQ 144(DI), R14 - ADCQ 152(DI), R15 - ADCQ 160(DI), AX - ADCQ 168(DI), BX - ADCQ 176(DI), 
CX - ADCQ 184(DI), DX - - MOVQ R8, 96(SI) - MOVQ R9, 104(SI) - MOVQ R10, 112(SI) - MOVQ R11, 120(SI) - MOVQ R12, 128(SI) - MOVQ R13, 136(SI) - - MOVQ R14, R8 - MOVQ R15, R9 - MOVQ AX, R10 - MOVQ BX, R11 - MOVQ CX, R12 - MOVQ DX, R13 - MOVQ $0xb9feffffffffaaab, BP - SUBQ BP, R8 - MOVQ $0x1eabfffeb153ffff, BP - SBBQ BP, R9 - MOVQ $0x6730d2a0f6b0f624, BP - SBBQ BP, R10 - MOVQ $0x64774b84f38512bf, BP - SBBQ BP, R11 - MOVQ $0x4b1ba7b6434bacd7, BP - SBBQ BP, R12 - MOVQ $0x1a0111ea397fe69a, BP - SBBQ BP, R13 - CMOVQCC R8, R14 - CMOVQCC R9, R15 - CMOVQCC R10, AX - CMOVQCC R11, BX - CMOVQCC R12, CX - CMOVQCC R13, DX - MOVQ R14, 144(SI) - MOVQ R15, 152(SI) - MOVQ AX, 160(SI) - MOVQ BX, 168(SI) - MOVQ CX, 176(SI) - MOVQ DX, 184(SI) - - RET - - -TEXT ·wfp2MulByNonResidueAssign(SB), NOSPLIT, $64-8 - MOVQ a+0(FP), DI - - // a0 - a1 - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), DX - - SUBQ 96(DI), R8 - SBBQ 104(DI), R9 - SBBQ 112(DI), R10 - SBBQ 120(DI), R11 - SBBQ 128(DI), R12 - SBBQ 136(DI), R13 - SBBQ 144(DI), R14 - SBBQ 152(DI), R15 - SBBQ 160(DI), AX - SBBQ 168(DI), BX - SBBQ 176(DI), CX - SBBQ 184(DI), DX - - MOVQ R8, (SP) - MOVQ R9, 8(SP) - MOVQ R10, 16(SP) - MOVQ R11, 24(SP) - MOVQ R12, 32(SP) - MOVQ R13, 40(SP) - - MOVQ $0, BP - MOVQ $0xb9feffffffffaaab, R8 - MOVQ $0x1eabfffeb153ffff, R9 - MOVQ $0x6730d2a0f6b0f624, R10 - MOVQ $0x64774b84f38512bf, R11 - MOVQ $0x4b1ba7b6434bacd7, R12 - MOVQ $0x1a0111ea397fe69a, R13 - CMOVQCC BP, R8 - CMOVQCC BP, R9 - CMOVQCC BP, R10 - CMOVQCC BP, R11 - CMOVQCC BP, R12 - CMOVQCC BP, R13 - ADDQ R8, R14 - ADCQ R9, R15 - ADCQ R10, AX - ADCQ R11, BX - ADCQ R12, CX - ADCQ R13, DX - - - MOVQ 48(DI), R8 - MOVQ 56(DI), R9 - MOVQ 64(DI), R10 - MOVQ 72(DI), R11 - MOVQ 80(DI), R12 - MOVQ 88(DI), R13 - - MOVQ R14, 48(DI) - MOVQ R15, 56(DI) - MOVQ AX, 64(DI) - MOVQ BX, 72(DI) - MOVQ CX, 
80(DI) - MOVQ DX, 88(DI) - - // a0 + a1 - MOVQ (DI), R14 - MOVQ 8(DI), R15 - MOVQ 16(DI), AX - MOVQ 24(DI), BX - MOVQ 32(DI), CX - MOVQ 40(DI), DX - - - ADDQ 96(DI), R14 - ADCQ 104(DI), R15 - ADCQ 112(DI), AX - ADCQ 120(DI), BX - ADCQ 128(DI), CX - ADCQ 136(DI), DX - ADCQ 144(DI), R8 - ADCQ 152(DI), R9 - ADCQ 160(DI), R10 - ADCQ 168(DI), R11 - ADCQ 176(DI), R12 - ADCQ 184(DI), R13 - - MOVQ R14, 96(DI) - MOVQ R15, 104(DI) - MOVQ AX, 112(DI) - MOVQ BX, 120(DI) - MOVQ CX, 128(DI) - MOVQ DX, 136(DI) - - MOVQ R8, R14 - MOVQ R9, R15 - MOVQ R10, AX - MOVQ R11, BX - MOVQ R12, CX - MOVQ R13, DX - MOVQ $0xb9feffffffffaaab, BP - SUBQ BP, R14 - MOVQ $0x1eabfffeb153ffff, BP - SBBQ BP, R15 - MOVQ $0x6730d2a0f6b0f624, BP - SBBQ BP, AX - MOVQ $0x64774b84f38512bf, BP - SBBQ BP, BX - MOVQ $0x4b1ba7b6434bacd7, BP - SBBQ BP, CX - MOVQ $0x1a0111ea397fe69a, BP - SBBQ BP, DX - CMOVQCC R14, R8 - CMOVQCC R15, R9 - CMOVQCC AX, R10 - CMOVQCC BX, R11 - CMOVQCC CX, R12 - CMOVQCC DX, R13 - MOVQ R8, 144(DI) - MOVQ R9, 152(DI) - MOVQ R10, 160(DI) - MOVQ R11, 168(DI) - MOVQ R12, 176(DI) - MOVQ R13, 184(DI) - - MOVQ (SP), R8 - MOVQ 8(SP), R9 - MOVQ 16(SP), R10 - MOVQ 24(SP), R11 - MOVQ 32(SP), R12 - MOVQ 40(SP), R13 - - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - - RET - - -TEXT ·wfp2SquareADX(SB), NOSPLIT, $96-16 - MOVQ a+8(FP), DI - - // a0 - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - - // a1 - MOVQ 48(DI), R15 - MOVQ 56(DI), BX - MOVQ 64(DI), CX - MOVQ 72(DI), DX - MOVQ 80(DI), SI - MOVQ 88(DI), R14 - - // a0 + a1 - ADDQ R8, R15 - ADCQ R9, BX - ADCQ R10, CX - ADCQ R11, DX - ADCQ R12, SI - ADCQ R13, R14 - - XORQ AX, AX - - // store a0 + a1 - MOVQ R15, (SP) - MOVQ BX, 8(SP) - MOVQ CX, 16(SP) - MOVQ DX, 24(SP) - MOVQ SI, 32(SP) - MOVQ R14, 40(SP) - - // a0 - a1 - SUBQ 48(DI), R8 - SBBQ 56(DI), R9 - SBBQ 64(DI), R10 - SBBQ 72(DI), R11 - SBBQ 80(DI), R12 - SBBQ 88(DI), 
R13 - - - MOVQ $0xb9feffffffffaaab, R14 - MOVQ $0x1eabfffeb153ffff, R15 - MOVQ $0x6730d2a0f6b0f624, CX - MOVQ $0x64774b84f38512bf, DX - MOVQ $0x4b1ba7b6434bacd7, SI - MOVQ $0x1a0111ea397fe69a, BX - CMOVQCC AX, R14 - CMOVQCC AX, R15 - CMOVQCC AX, CX - CMOVQCC AX, DX - CMOVQCC AX, SI - CMOVQCC AX, BX - ADDQ R14, R8 - ADCQ R15, R9 - ADCQ CX, R10 - ADCQ DX, R11 - ADCQ SI, R12 - ADCQ BX, R13 - - // a0 - a1 - MOVQ R8, 48(SP) - MOVQ R9, 56(SP) - MOVQ R10, 64(SP) - MOVQ R11, 72(SP) - MOVQ R12, 80(SP) - MOVQ R13, 88(SP) - - // c0 = (a0 + a1)(a0 - a1) - MOVQ c+0(FP), SI - -/* i0 */ - - XORQ BX, BX - MOVQ 48(SP), DX - - // | a0 * b0 - MULXQ (SP), AX, CX - MOVQ AX, (SI) - - // | a0 * b1 - MULXQ 8(SP), AX, BP - ADCXQ AX, CX - - // | a0 * b2 - MULXQ 16(SP), AX, R9 - ADCXQ AX, BP - - // | a0 * b3 - MULXQ 24(SP), AX, R10 - ADCXQ AX, R9 - - // | a0 * b4 - MULXQ 32(SP), AX, R11 - ADCXQ AX, R10 - - // | a0 * b5 - MULXQ 40(SP), AX, R12 - ADCXQ AX, R11 - ADCXQ BX, R12 - -/* i1 */ - - MOVQ 56(SP), DX - - // | a1 * b0 - MULXQ (SP), AX, R13 - ADOXQ AX, CX - ADCXQ R13, BP - MOVQ CX, 8(SI) - - // | a1 * b1 - MULXQ 8(SP), AX, R13 - ADOXQ AX, BP - ADCXQ R13, R9 - - // | a1 * b2 - MULXQ 16(SP), AX, R13 - ADOXQ AX, R9 - ADCXQ R13, R10 - - // | a1 * b3 - MULXQ 24(SP), AX, R13 - ADOXQ AX, R10 - ADCXQ R13, R11 - - // | a1 * b4 - MULXQ 32(SP), AX, R13 - ADOXQ AX, R11 - ADCXQ R13, R12 - - // | a1 * b5 - MULXQ 40(SP), AX, R13 - ADOXQ AX, R12 - ADOXQ BX, R13 - ADCXQ BX, R13 - -/* i2 */ - - MOVQ 64(SP), DX - - // | a2 * b0 - MULXQ (SP), AX, R14 - ADOXQ AX, BP - ADCXQ R14, R9 - MOVQ BP, 16(SI) - - // | a2 * b1 - MULXQ 8(SP), AX, R14 - ADOXQ AX, R9 - ADCXQ R14, R10 - - // | a2 * b2 - MULXQ 16(SP), AX, R14 - ADOXQ AX, R10 - ADCXQ R14, R11 - - // | a2 * b3 - MULXQ 24(SP), AX, R14 - ADOXQ AX, R11 - ADCXQ R14, R12 - - // | a2 * b4 - MULXQ 32(SP), AX, R14 - ADOXQ AX, R12 - ADCXQ R14, R13 - - // | a2 * b5 - MULXQ 40(SP), AX, R14 - ADOXQ AX, R13 - ADOXQ BX, R14 - ADCXQ BX, R14 - -/* i3 */ - - MOVQ 72(SP), DX - 
- // | a3 * b0 - MULXQ (SP), AX, R15 - ADOXQ AX, R9 - ADCXQ R15, R10 - MOVQ R9, 24(SI) - - // | a3 * b1 - MULXQ 8(SP), AX, R15 - ADOXQ AX, R10 - ADCXQ R15, R11 - - // | a3 * b2 - MULXQ 16(SP), AX, R15 - ADOXQ AX, R11 - ADCXQ R15, R12 - - // | a3 * b3 - MULXQ 24(SP), AX, R15 - ADOXQ AX, R12 - ADCXQ R15, R13 - - // | a3 * b4 - MULXQ 32(SP), AX, R15 - ADOXQ AX, R13 - ADCXQ R15, R14 - - // | a3 * b5 - MULXQ 40(SP), AX, R15 - ADOXQ AX, R14 - ADOXQ BX, R15 - ADCXQ BX, R15 - -/* i4 */ - - MOVQ 80(SP), DX - - // | a4 * b0 - MULXQ (SP), AX, CX - ADOXQ AX, R10 - ADCXQ CX, R11 - MOVQ R10, 32(SI) - - // | a4 * b1 - MULXQ 8(SP), AX, CX - ADOXQ AX, R11 - ADCXQ CX, R12 - - // | a4 * b2 - MULXQ 16(SP), AX, CX - ADOXQ AX, R12 - ADCXQ CX, R13 - - // | a4 * b3 - MULXQ 24(SP), AX, CX - ADOXQ AX, R13 - ADCXQ CX, R14 - - // | a4 * b4 - MULXQ 32(SP), AX, CX - ADOXQ AX, R14 - ADCXQ CX, R15 - - // | a4 * b5 - MULXQ 40(SP), AX, CX - ADOXQ AX, R15 - ADOXQ BX, CX - ADCXQ BX, CX - -/* i5 */ - - MOVQ 88(SP), DX - - // | a5 * b0 - MULXQ (SP), AX, R8 - ADOXQ AX, R11 - ADCXQ R8, R12 - MOVQ R11, 40(SI) - - // | a5 * b1 - MULXQ 8(SP), AX, R8 - ADOXQ AX, R12 - ADCXQ R8, R13 - - // | a5 * b2 - MULXQ 16(SP), AX, R8 - ADOXQ AX, R13 - ADCXQ R8, R14 - - // | a5 * b3 - MULXQ 24(SP), AX, R8 - ADOXQ AX, R14 - ADCXQ R8, R15 - - // | a5 * b4 - MULXQ 32(SP), AX, R8 - ADOXQ AX, R15 - ADCXQ R8, CX - - // | a5 * b5 - MULXQ 40(SP), AX, R8 - ADOXQ AX, CX - ADOXQ BX, R8 - ADCXQ BX, R8 - - - // w0 stored - MOVQ R12, 48(SI) - MOVQ R13, 56(SI) - MOVQ R14, 64(SI) - MOVQ R15, 72(SI) - MOVQ CX, 80(SI) - MOVQ R8, 88(SI) - - - // a0 - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - - // 2a0 - ADDQ R8, R8 - ADCQ R9, R9 - ADCQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - - MOVQ R8, (SP) - MOVQ R9, 8(SP) - MOVQ R10, 16(SP) - MOVQ R11, 24(SP) - MOVQ R12, 32(SP) - MOVQ R13, 40(SP) - - XORQ BX, BX - -/* i0 */ - - MOVQ 48(DI), DX - - // | a0 * b0 - MULXQ 
(SP), AX, CX - MOVQ AX, 96(SI) - - // | a0 * b1 - MULXQ 8(SP), AX, BP - ADCXQ AX, CX - - // | a0 * b2 - MULXQ 16(SP), AX, R9 - ADCXQ AX, BP - - // | a0 * b3 - MULXQ 24(SP), AX, R10 - ADCXQ AX, R9 - - // | a0 * b4 - MULXQ 32(SP), AX, R11 - ADCXQ AX, R10 - - // | a0 * b5 - MULXQ 40(SP), AX, R12 - ADCXQ AX, R11 - ADCXQ BX, R12 - - // | - -/* i1 */ - - MOVQ 56(DI), DX - - // | a1 * b0 - MULXQ (SP), AX, R13 - ADOXQ AX, CX - ADCXQ R13, BP - MOVQ CX, 104(SI) - - // | a1 * b1 - MULXQ 8(SP), AX, R13 - ADOXQ AX, BP - ADCXQ R13, R9 - - // | a1 * b2 - MULXQ 16(SP), AX, R13 - ADOXQ AX, R9 - ADCXQ R13, R10 - - // | a1 * b3 - MULXQ 24(SP), AX, R13 - ADOXQ AX, R10 - ADCXQ R13, R11 - - // | a1 * b4 - MULXQ 32(SP), AX, R13 - ADOXQ AX, R11 - ADCXQ R13, R12 - - // | a1 * b5 - MULXQ 40(SP), AX, R13 - ADOXQ AX, R12 - ADOXQ BX, R13 - ADCXQ BX, R13 - -/* i2 */ - - MOVQ 64(DI), DX - - // | a2 * b0 - MULXQ (SP), AX, R14 - ADOXQ AX, BP - ADCXQ R14, R9 - MOVQ BP, 112(SI) - - // | a2 * b1 - MULXQ 8(SP), AX, R14 - ADOXQ AX, R9 - ADCXQ R14, R10 - - // | a2 * b2 - MULXQ 16(SP), AX, R14 - ADOXQ AX, R10 - ADCXQ R14, R11 - - // | a2 * b3 - MULXQ 24(SP), AX, R14 - ADOXQ AX, R11 - ADCXQ R14, R12 - - // | a2 * b4 - MULXQ 32(SP), AX, R14 - ADOXQ AX, R12 - ADCXQ R14, R13 - - // | a2 * b5 - MULXQ 40(SP), AX, R14 - ADOXQ AX, R13 - ADOXQ BX, R14 - ADCXQ BX, R14 - -/* i3 */ - - MOVQ 72(DI), DX - - // | a3 * b0 - MULXQ (SP), AX, R15 - ADOXQ AX, R9 - ADCXQ R15, R10 - MOVQ R9, 120(SI) - - // | a3 * b1 - MULXQ 8(SP), AX, R15 - ADOXQ AX, R10 - ADCXQ R15, R11 - - // | a3 * b2 - MULXQ 16(SP), AX, R15 - ADOXQ AX, R11 - ADCXQ R15, R12 - - // | a3 * b3 - MULXQ 24(SP), AX, R15 - ADOXQ AX, R12 - ADCXQ R15, R13 - - // | a3 * b4 - MULXQ 32(SP), AX, R15 - ADOXQ AX, R13 - ADCXQ R15, R14 - - // | a3 * b5 - MULXQ 40(SP), AX, R15 - ADOXQ AX, R14 - ADOXQ BX, R15 - ADCXQ BX, R15 - -/* i4 */ - - MOVQ 80(DI), DX - - // | a4 * b0 - MULXQ (SP), AX, CX - ADOXQ AX, R10 - ADCXQ CX, R11 - MOVQ R10, 128(SI) - - // | a4 * b1 - MULXQ 
8(SP), AX, CX - ADOXQ AX, R11 - ADCXQ CX, R12 - - // | a4 * b2 - MULXQ 16(SP), AX, CX - ADOXQ AX, R12 - ADCXQ CX, R13 - - // | a4 * b3 - MULXQ 24(SP), AX, CX - ADOXQ AX, R13 - ADCXQ CX, R14 - - // | a4 * b4 - MULXQ 32(SP), AX, CX - ADOXQ AX, R14 - ADCXQ CX, R15 - - // | a4 * b5 - MULXQ 40(SP), AX, CX - ADOXQ AX, R15 - ADOXQ BX, CX - ADCXQ BX, CX - -/* i5 */ - - MOVQ 88(DI), DX - - // | a5 * b0 - MULXQ (SP), AX, DI - ADOXQ AX, R11 - ADCXQ DI, R12 - MOVQ R11, 136(SI) - - // | a5 * b1 - MULXQ 8(SP), AX, DI - ADOXQ AX, R12 - ADCXQ DI, R13 - - // | a5 * b2 - MULXQ 16(SP), AX, DI - ADOXQ AX, R13 - ADCXQ DI, R14 - - // | a5 * b3 - MULXQ 24(SP), AX, DI - ADOXQ AX, R14 - ADCXQ DI, R15 - - // | a5 * b4 - MULXQ 32(SP), AX, DI - ADOXQ AX, R15 - ADCXQ DI, CX - - // | a5 * b5 - MULXQ 40(SP), AX, DI - ADOXQ AX, CX - ADOXQ BX, DI - ADCXQ BX, DI - - MOVQ R12, 144(SI) - MOVQ R13, 152(SI) - MOVQ R14, 160(SI) - MOVQ R15, 168(SI) - MOVQ CX, 176(SI) - MOVQ DI, 184(SI) - RET - - -TEXT ·wfp2MulADX(SB), NOSPLIT, $192-24 - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - - -// a0b0 -/* i0 */ - XORQ BX, BX - MOVQ (SI), DX - - // | a0 * b0 - MULXQ (DI), AX, CX - MOVQ AX, (SP) - - // | a0 * b1 - MULXQ 8(DI), AX, BP - ADCXQ AX, CX - - // | a0 * b2 - MULXQ 16(DI), AX, R9 - ADCXQ AX, BP - - // | a0 * b3 - MULXQ 24(DI), AX, R10 - ADCXQ AX, R9 - - // | a0 * b4 - MULXQ 32(DI), AX, R11 - ADCXQ AX, R10 - - // | a0 * b5 - MULXQ 40(DI), AX, R12 - ADCXQ AX, R11 - ADCXQ BX, R12 - -/* i1 */ - - MOVQ 8(SI), DX - - // | a1 * b0 - MULXQ (DI), AX, R13 - ADOXQ AX, CX - ADCXQ R13, BP - MOVQ CX, 8(SP) - - // | a1 * b1 - MULXQ 8(DI), AX, R13 - ADOXQ AX, BP - ADCXQ R13, R9 - - // | a1 * b2 - MULXQ 16(DI), AX, R13 - ADOXQ AX, R9 - ADCXQ R13, R10 - - // | a1 * b3 - MULXQ 24(DI), AX, R13 - ADOXQ AX, R10 - ADCXQ R13, R11 - - // | a1 * b4 - MULXQ 32(DI), AX, R13 - ADOXQ AX, R11 - ADCXQ R13, R12 - - // | a1 * b5 - MULXQ 40(DI), AX, R13 - ADOXQ AX, R12 - ADOXQ BX, R13 - ADCXQ BX, R13 - -/* i2 */ - - MOVQ 16(SI), DX - - // | a2 * b0 
- MULXQ (DI), AX, R14 - ADOXQ AX, BP - ADCXQ R14, R9 - MOVQ BP, 16(SP) - - // | a2 * b1 - MULXQ 8(DI), AX, R14 - ADOXQ AX, R9 - ADCXQ R14, R10 - - // | a2 * b2 - MULXQ 16(DI), AX, R14 - ADOXQ AX, R10 - ADCXQ R14, R11 - - // | a2 * b3 - MULXQ 24(DI), AX, R14 - ADOXQ AX, R11 - ADCXQ R14, R12 - - // | a2 * b4 - MULXQ 32(DI), AX, R14 - ADOXQ AX, R12 - ADCXQ R14, R13 - - // | a2 * b5 - MULXQ 40(DI), AX, R14 - ADOXQ AX, R13 - ADOXQ BX, R14 - ADCXQ BX, R14 - -/* i3 */ - - MOVQ 24(SI), DX - - // | a3 * b0 - MULXQ (DI), AX, R15 - ADOXQ AX, R9 - ADCXQ R15, R10 - MOVQ R9, 24(SP) - - // | a3 * b1 - MULXQ 8(DI), AX, R15 - ADOXQ AX, R10 - ADCXQ R15, R11 - - // | a3 * b2 - MULXQ 16(DI), AX, R15 - ADOXQ AX, R11 - ADCXQ R15, R12 - - // | a3 * b3 - MULXQ 24(DI), AX, R15 - ADOXQ AX, R12 - ADCXQ R15, R13 - - // | a3 * b4 - MULXQ 32(DI), AX, R15 - ADOXQ AX, R13 - ADCXQ R15, R14 - - // | a3 * b5 - MULXQ 40(DI), AX, R15 - ADOXQ AX, R14 - ADOXQ BX, R15 - ADCXQ BX, R15 - -/* i4 */ - - MOVQ 32(SI), DX - - // | a4 * b0 - MULXQ (DI), AX, CX - ADOXQ AX, R10 - ADCXQ CX, R11 - MOVQ R10, 32(SP) - - // | a4 * b1 - MULXQ 8(DI), AX, CX - ADOXQ AX, R11 - ADCXQ CX, R12 - - // | a4 * b2 - MULXQ 16(DI), AX, CX - ADOXQ AX, R12 - ADCXQ CX, R13 - - // | a4 * b3 - MULXQ 24(DI), AX, CX - ADOXQ AX, R13 - ADCXQ CX, R14 - - // | a4 * b4 - MULXQ 32(DI), AX, CX - ADOXQ AX, R14 - ADCXQ CX, R15 - - // | a4 * b5 - MULXQ 40(DI), AX, CX - ADOXQ AX, R15 - ADOXQ BX, CX - ADCXQ BX, CX - -/* i5 */ - - - MOVQ 40(SI), DX - - // | a5 * b0 - MULXQ (DI), AX, R8 - ADOXQ AX, R11 - ADCXQ R8, R12 - MOVQ R11, 40(SP) - - // | a5 * b1 - MULXQ 8(DI), AX, R8 - ADOXQ AX, R12 - ADCXQ R8, R13 - - // | a5 * b2 - MULXQ 16(DI), AX, R8 - ADOXQ AX, R13 - ADCXQ R8, R14 - - // | a5 * b3 - MULXQ 24(DI), AX, R8 - ADOXQ AX, R14 - ADCXQ R8, R15 - - // | a5 * b4 - MULXQ 32(DI), AX, R8 - ADOXQ AX, R15 - ADCXQ R8, CX - - // | a5 * b5 - MULXQ 40(DI), AX, R8 - ADOXQ AX, CX - ADOXQ BX, R8 - ADCXQ BX, R8 - - - // a0b0 stored (0, 88)SP - MOVQ R12, 48(SP) - 
MOVQ R13, 56(SP) - MOVQ R14, 64(SP) - MOVQ R15, 72(SP) - MOVQ CX, 80(SP) - MOVQ R8, 88(SP) - - -// a1b1 - -/* i0 */ - XORQ BX, BX - MOVQ 48(SI), DX - - // | a0 * b0 - MULXQ 48(DI), AX, CX - MOVQ AX, 96(SP) - - // | a0 * b1 - MULXQ 56(DI), AX, BP - ADCXQ AX, CX - - // | a0 * b2 - MULXQ 64(DI), AX, R9 - ADCXQ AX, BP - - // | a0 * b3 - MULXQ 72(DI), AX, R10 - ADCXQ AX, R9 - - // | a0 * b4 - MULXQ 80(DI), AX, R11 - ADCXQ AX, R10 - - // | a0 * b5 - MULXQ 88(DI), AX, R12 - ADCXQ AX, R11 - ADCXQ BX, R12 - -/* i1 */ - - MOVQ 56(SI), DX - - // | a1 * b0 - MULXQ 48(DI), AX, R13 - ADOXQ AX, CX - ADCXQ R13, BP - MOVQ CX, 104(SP) - - // | a1 * b1 - MULXQ 56(DI), AX, R13 - ADOXQ AX, BP - ADCXQ R13, R9 - - // | a1 * b2 - MULXQ 64(DI), AX, R13 - ADOXQ AX, R9 - ADCXQ R13, R10 - - // | a1 * b3 - MULXQ 72(DI), AX, R13 - ADOXQ AX, R10 - ADCXQ R13, R11 - - // | a1 * b4 - MULXQ 80(DI), AX, R13 - ADOXQ AX, R11 - ADCXQ R13, R12 - - // | a1 * b5 - MULXQ 88(DI), AX, R13 - ADOXQ AX, R12 - ADOXQ BX, R13 - ADCXQ BX, R13 - -/* i2 */ - - MOVQ 64(SI), DX - - // | a2 * b0 - MULXQ 48(DI), AX, R14 - ADOXQ AX, BP - ADCXQ R14, R9 - MOVQ BP, 112(SP) - - // | a2 * b1 - MULXQ 56(DI), AX, R14 - ADOXQ AX, R9 - ADCXQ R14, R10 - - // | a2 * b2 - MULXQ 64(DI), AX, R14 - ADOXQ AX, R10 - ADCXQ R14, R11 - - // | a2 * b3 - MULXQ 72(DI), AX, R14 - ADOXQ AX, R11 - ADCXQ R14, R12 - - // | a2 * b4 - MULXQ 80(DI), AX, R14 - ADOXQ AX, R12 - ADCXQ R14, R13 - - // | a2 * b5 - MULXQ 88(DI), AX, R14 - ADOXQ AX, R13 - ADOXQ BX, R14 - ADCXQ BX, R14 - -/* i3 */ - - MOVQ 72(SI), DX - - // | a3 * b0 - MULXQ 48(DI), AX, R15 - ADOXQ AX, R9 - ADCXQ R15, R10 - MOVQ R9, 120(SP) - - // | a3 * b1 - MULXQ 56(DI), AX, R15 - ADOXQ AX, R10 - ADCXQ R15, R11 - - // | a3 * b2 - MULXQ 64(DI), AX, R15 - ADOXQ AX, R11 - ADCXQ R15, R12 - - // | a3 * b3 - MULXQ 72(DI), AX, R15 - ADOXQ AX, R12 - ADCXQ R15, R13 - - // | a3 * b4 - MULXQ 80(DI), AX, R15 - ADOXQ AX, R13 - ADCXQ R15, R14 - - // | a3 * b5 - MULXQ 88(DI), AX, R15 - ADOXQ AX, R14 - ADOXQ 
BX, R15 - ADCXQ BX, R15 - -/* i4 */ - - MOVQ 80(SI), DX - - // | a4 * b0 - MULXQ 48(DI), AX, CX - ADOXQ AX, R10 - ADCXQ CX, R11 - MOVQ R10, 128(SP) - - // | a4 * b1 - MULXQ 56(DI), AX, CX - ADOXQ AX, R11 - ADCXQ CX, R12 - - // | a4 * b2 - MULXQ 64(DI), AX, CX - ADOXQ AX, R12 - ADCXQ CX, R13 - - // | a4 * b3 - MULXQ 72(DI), AX, CX - ADOXQ AX, R13 - ADCXQ CX, R14 - - // | a4 * b4 - MULXQ 80(DI), AX, CX - ADOXQ AX, R14 - ADCXQ CX, R15 - - // | a4 * b5 - MULXQ 88(DI), AX, CX - ADOXQ AX, R15 - ADOXQ BX, CX - ADCXQ BX, CX - -/* i5 */ - - MOVQ 88(SI), DX - - // | a5 * b0 - MULXQ 48(DI), AX, R8 - ADOXQ AX, R11 - ADCXQ R8, R12 - MOVQ R11, 136(SP) - - // | a5 * b1 - MULXQ 56(DI), AX, R8 - ADOXQ AX, R12 - ADCXQ R8, R13 - - // | a5 * b2 - MULXQ 64(DI), AX, R8 - ADOXQ AX, R13 - ADCXQ R8, R14 - - // | a5 * b3 - MULXQ 72(DI), AX, R8 - ADOXQ AX, R14 - ADCXQ R8, R15 - - // | a5 * b4 - MULXQ 80(DI), AX, R8 - ADOXQ AX, R15 - ADCXQ R8, CX - - // | a5 * b5 - MULXQ 88(DI), AX, R8 - ADOXQ AX, CX - ADOXQ BX, R8 - ADCXQ BX, R8 - - -// a1b1 stored (96, 184)SP - MOVQ R12, 144(SP) - MOVQ R13, 152(SP) - MOVQ R14, 160(SP) - MOVQ R15, 168(SP) - MOVQ CX, 176(SP) - MOVQ R8, 184(SP) - - -// a0b0 - a1b1 - MOVQ (SP), R8 - MOVQ 8(SP), R9 - MOVQ 16(SP), R10 - MOVQ 24(SP), R11 - MOVQ 32(SP), R12 - MOVQ 40(SP), R13 - MOVQ 48(SP), R14 - MOVQ 56(SP), R15 - MOVQ 64(SP), AX - MOVQ 72(SP), BX - MOVQ 80(SP), CX - MOVQ 88(SP), DX - SUBQ 96(SP), R8 - SBBQ 104(SP), R9 - SBBQ 112(SP), R10 - SBBQ 120(SP), R11 - SBBQ 128(SP), R12 - SBBQ 136(SP), R13 - // todo this can be avoided - SBBQ 144(SP), R14 - SBBQ 152(SP), R15 - SBBQ 160(SP), AX - SBBQ 168(SP), BX - SBBQ 176(SP), CX - SBBQ 184(SP), DX - MOVQ c+0(FP), DI - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - MOVQ $0, SI - MOVQ $0xb9feffffffffaaab, R8 - MOVQ $0x1eabfffeb153ffff, R9 - MOVQ $0x6730d2a0f6b0f624, R10 - MOVQ $0x64774b84f38512bf, R11 - MOVQ $0x4b1ba7b6434bacd7, R12 - MOVQ $0x1a0111ea397fe69a, 
R13 - CMOVQCC SI, R8 - CMOVQCC SI, R9 - CMOVQCC SI, R10 - CMOVQCC SI, R11 - CMOVQCC SI, R12 - CMOVQCC SI, R13 - ADDQ R8, R14 - ADCQ R9, R15 - ADCQ R10, AX - ADCQ R11, BX - ADCQ R12, CX - ADCQ R13, DX - MOVQ R14, 48(DI) - MOVQ R15, 56(DI) - MOVQ AX, 64(DI) - MOVQ BX, 72(DI) - MOVQ CX, 80(DI) - MOVQ DX, 88(DI) - -// a0b0 + a1b1 - MOVQ (SP), R8 - MOVQ 8(SP), R9 - MOVQ 16(SP), R10 - MOVQ 24(SP), R11 - MOVQ 32(SP), R12 - MOVQ 40(SP), R13 - MOVQ 48(SP), R14 - MOVQ 56(SP), R15 - MOVQ 64(SP), AX - MOVQ 72(SP), BX - MOVQ 80(SP), CX - MOVQ 88(SP), DX - ADDQ 96(SP), R8 - ADCQ 104(SP), R9 - ADCQ 112(SP), R10 - ADCQ 120(SP), R11 - ADCQ 128(SP), R12 - ADCQ 136(SP), R13 - ADCQ 144(SP), R14 - ADCQ 152(SP), R15 - ADCQ 160(SP), AX - ADCQ 168(SP), BX - ADCQ 176(SP), CX - ADCQ 184(SP), DX - MOVQ R8, 96(SP) - MOVQ R9, 104(SP) - MOVQ R10, 112(SP) - MOVQ R11, 120(SP) - MOVQ R12, 128(SP) - MOVQ R13, 136(SP) - MOVQ R14, 144(SP) - MOVQ R15, 152(SP) - MOVQ AX, 160(SP) - MOVQ BX, 168(SP) - MOVQ CX, 176(SP) - MOVQ DX, 184(SP) -// a0b0 + a1b1 stored (96, 184)SP - -// a0 + a1 - MOVQ a+8(FP), DI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - - ADDQ 48(DI), R8 - ADCQ 56(DI), R9 - ADCQ 64(DI), R10 - ADCQ 72(DI), R11 - ADCQ 80(DI), R12 - ADCQ 88(DI), R13 - - MOVQ R8, (SP) - MOVQ R9, 8(SP) - MOVQ R10, 16(SP) - MOVQ R11, 24(SP) - MOVQ R12, 32(SP) - MOVQ R13, 40(SP) -// a0 + a1 storeed (0, 40)SP -// b0 + b1 - MOVQ b+16(FP), DI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - - ADDQ 48(DI), R8 - ADCQ 56(DI), R9 - ADCQ 64(DI), R10 - ADCQ 72(DI), R11 - ADCQ 80(DI), R12 - ADCQ 88(DI), R13 - - MOVQ R8, 48(SP) - MOVQ R9, 56(SP) - MOVQ R10, 64(SP) - MOVQ R11, 72(SP) - MOVQ R12, 80(SP) - MOVQ R13, 88(SP) -// b0 + b1 storeed (48, 88)SP -// (a0 + a1)(b0 + b1) - -/* i0 */ - XORQ BX, BX - MOVQ (SP), DX - - // | a0 * b0 - MULXQ 48(SP), AX, CX - MOVQ AX, (SP) - - // | a0 * b1 - MULXQ 
56(SP), AX, BP - ADCXQ AX, CX - - // | a0 * b2 - MULXQ 64(SP), AX, R9 - ADCXQ AX, BP - - // | a0 * b3 - MULXQ 72(SP), AX, R10 - ADCXQ AX, R9 - - // | a0 * b4 - MULXQ 80(SP), AX, R11 - ADCXQ AX, R10 - - // | a0 * b5 - MULXQ 88(SP), AX, R12 - ADCXQ AX, R11 - ADCXQ BX, R12 - -/* i1 */ - - MOVQ 8(SP), DX - - // | a1 * b0 - MULXQ 48(SP), AX, R13 - ADOXQ AX, CX - ADCXQ R13, BP - MOVQ CX, 8(SP) - - // | a1 * b1 - MULXQ 56(SP), AX, R13 - ADOXQ AX, BP - ADCXQ R13, R9 - - // | a1 * b2 - MULXQ 64(SP), AX, R13 - ADOXQ AX, R9 - ADCXQ R13, R10 - - // | a1 * b3 - MULXQ 72(SP), AX, R13 - ADOXQ AX, R10 - ADCXQ R13, R11 - - // | a1 * b4 - MULXQ 80(SP), AX, R13 - ADOXQ AX, R11 - ADCXQ R13, R12 - - // | a1 * b5 - MULXQ 88(SP), AX, R13 - ADOXQ AX, R12 - ADOXQ BX, R13 - ADCXQ BX, R13 - -/* i2 */ - - MOVQ 16(SP), DX - - // | a2 * b0 - MULXQ 48(SP), AX, R14 - ADOXQ AX, BP - ADCXQ R14, R9 - MOVQ BP, 16(SP) - - // | a2 * b1 - MULXQ 56(SP), AX, R14 - ADOXQ AX, R9 - ADCXQ R14, R10 - - // | a2 * b2 - MULXQ 64(SP), AX, R14 - ADOXQ AX, R10 - ADCXQ R14, R11 - - // | a2 * b3 - MULXQ 72(SP), AX, R14 - ADOXQ AX, R11 - ADCXQ R14, R12 - - // | a2 * b4 - MULXQ 80(SP), AX, R14 - ADOXQ AX, R12 - ADCXQ R14, R13 - - // | a2 * b5 - MULXQ 88(SP), AX, R14 - ADOXQ AX, R13 - ADOXQ BX, R14 - ADCXQ BX, R14 - -/* i3 */ - - MOVQ 24(SP), DX - - // | a3 * b0 - MULXQ 48(SP), AX, R15 - ADOXQ AX, R9 - ADCXQ R15, R10 - MOVQ R9, 24(SP) - - // | a3 * b1 - MULXQ 56(SP), AX, R15 - ADOXQ AX, R10 - ADCXQ R15, R11 - - // | a3 * b2 - MULXQ 64(SP), AX, R15 - ADOXQ AX, R11 - ADCXQ R15, R12 - - // | a3 * b3 - MULXQ 72(SP), AX, R15 - ADOXQ AX, R12 - ADCXQ R15, R13 - - // | a3 * b4 - MULXQ 80(SP), AX, R15 - ADOXQ AX, R13 - ADCXQ R15, R14 - - // | a3 * b5 - MULXQ 88(SP), AX, R15 - ADOXQ AX, R14 - ADOXQ BX, R15 - ADCXQ BX, R15 - -/* i4 */ - - MOVQ 32(SP), DX - - // | a4 * b0 - MULXQ 48(SP), AX, CX - ADOXQ AX, R10 - ADCXQ CX, R11 - MOVQ R10, 32(SP) - - // | a4 * b1 - MULXQ 56(SP), AX, CX - ADOXQ AX, R11 - ADCXQ CX, R12 - - // | a4 * b2 
- MULXQ 64(SP), AX, CX - ADOXQ AX, R12 - ADCXQ CX, R13 - - // | a4 * b3 - MULXQ 72(SP), AX, CX - ADOXQ AX, R13 - ADCXQ CX, R14 - - // | a4 * b4 - MULXQ 80(SP), AX, CX - ADOXQ AX, R14 - ADCXQ CX, R15 - - // | a4 * b5 - MULXQ 88(SP), AX, CX - ADOXQ AX, R15 - ADOXQ BX, CX - ADCXQ BX, CX - -/* i5 */ - - MOVQ 40(SP), DX - - // | a5 * b0 - MULXQ 48(SP), AX, R8 - ADOXQ AX, R11 - ADCXQ R8, R12 - MOVQ R11, 40(SP) - - // | a5 * b1 - MULXQ 56(SP), AX, R8 - ADOXQ AX, R12 - ADCXQ R8, R13 - - // | a5 * b2 - MULXQ 64(SP), AX, R8 - ADOXQ AX, R13 - ADCXQ R8, R14 - - // | a5 * b3 - MULXQ 72(SP), AX, R8 - ADOXQ AX, R14 - ADCXQ R8, R15 - - // | a5 * b4 - MULXQ 80(SP), AX, R8 - ADOXQ AX, R15 - ADCXQ R8, CX - - // | a5 * b5 - MULXQ 88(SP), AX, R8 - ADOXQ AX, CX - ADOXQ BX, R8 - ADCXQ BX, R8 - - MOVQ R12, 48(SP) - MOVQ R13, 56(SP) - MOVQ R14, 64(SP) - MOVQ R15, 72(SP) - MOVQ CX, 80(SP) - MOVQ R8, 88(SP) - - -// (a0 + a1)(b0 + b1) - (a0b0 + a1b1) - MOVQ (SP), R8 - MOVQ 8(SP), R9 - MOVQ 16(SP), R10 - MOVQ 24(SP), R11 - MOVQ 32(SP), R12 - MOVQ 40(SP), R13 - MOVQ 48(SP), R14 - MOVQ 56(SP), R15 - MOVQ 64(SP), AX - MOVQ 72(SP), BX - MOVQ 80(SP), CX - MOVQ 88(SP), DX - - SUBQ 96(SP), R8 - SBBQ 104(SP), R9 - SBBQ 112(SP), R10 - SBBQ 120(SP), R11 - SBBQ 128(SP), R12 - SBBQ 136(SP), R13 - SBBQ 144(SP), R14 - SBBQ 152(SP), R15 - SBBQ 160(SP), AX - SBBQ 168(SP), BX - SBBQ 176(SP), CX - SBBQ 184(SP), DX - - MOVQ c+0(FP), DI - MOVQ R8, 96(DI) - MOVQ R9, 104(DI) - MOVQ R10, 112(DI) - MOVQ R11, 120(DI) - MOVQ R12, 128(DI) - MOVQ R13, 136(DI) - MOVQ R14, 144(DI) - MOVQ R15, 152(DI) - MOVQ AX, 160(DI) - MOVQ BX, 168(DI) - MOVQ CX, 176(DI) - MOVQ DX, 184(DI) - - RET diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/fp6.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/fp6.go deleted file mode 100644 index 509b0ec56..000000000 --- a/component/kmscrypto/internal/third_party/kilic/bls12-381/fp6.go +++ /dev/null 
@@ -1,516 +0,0 @@ -package bls12381 - -import ( - "errors" - "math/big" -) - -type fp6Temp struct { - t [5]*fe2 - wt [6]*wfe2 -} - -type fp6 struct { - fp2 *fp2 - fp6Temp -} - -func newFp6Temp() fp6Temp { - t := [5]*fe2{} - for i := 0; i < len(t); i++ { - t[i] = &fe2{} - } - wt := [6]*wfe2{} - for i := 0; i < len(wt); i++ { - wt[i] = &wfe2{} - } - return fp6Temp{t, wt} -} - -func newFp6(f *fp2) *fp6 { - t := newFp6Temp() - if f == nil { - return &fp6{newFp2(), t} - } - return &fp6{f, t} -} - -func (e *fp6) fromBytes(b []byte) (*fe6, error) { - if len(b) != 288 { - return nil, errors.New("input string length must be equal to 288 bytes") - } - fp2 := e.fp2 - u2, err := fp2.fromBytes(b[:2*fpByteSize]) - if err != nil { - return nil, err - } - u1, err := fp2.fromBytes(b[2*fpByteSize : 4*fpByteSize]) - if err != nil { - return nil, err - } - u0, err := fp2.fromBytes(b[4*fpByteSize:]) - if err != nil { - return nil, err - } - return &fe6{*u0, *u1, *u2}, nil -} - -func (e *fp6) toBytes(a *fe6) []byte { - fp2 := e.fp2 - out := make([]byte, 6*fpByteSize) - copy(out[:2*fpByteSize], fp2.toBytes(&a[2])) - copy(out[2*fpByteSize:4*fpByteSize], fp2.toBytes(&a[1])) - copy(out[4*fpByteSize:], fp2.toBytes(&a[0])) - return out -} - -func (e *fp6) new() *fe6 { - return new(fe6) -} - -func (e *fp6) zero() *fe6 { - return new(fe6) -} - -func (e *fp6) one() *fe6 { - return new(fe6).one() -} - -func fp6Ladd(c, a, b *fe6) { - fp2Ladd(&c[0], &a[0], &b[0]) - fp2Ladd(&c[1], &a[1], &b[1]) - fp2Ladd(&c[2], &a[2], &b[2]) -} - -func wfp6SubAssign(a, b *wfe6) { - wfp2SubAssign(&a[0], &b[0]) - wfp2SubAssign(&a[1], &b[1]) - wfp2SubAssign(&a[2], &b[2]) -} - -func wfp6AddAssign(a, b *wfe6) { - wfp2AddAssign(&a[0], &b[0]) - wfp2AddAssign(&a[1], &b[1]) - wfp2AddAssign(&a[2], &b[2]) -} - -func fp6Add(c, a, b *fe6) { - fp2Add(&c[0], &a[0], &b[0]) - fp2Add(&c[1], &a[1], &b[1]) - fp2Add(&c[2], &a[2], &b[2]) -} - -func fp6AddAssign(a, b *fe6) { - fp2AddAssign(&a[0], &b[0]) - fp2AddAssign(&a[1], &b[1]) - 
fp2AddAssign(&a[2], &b[2]) -} - -func fp6Double(c, a *fe6) { - fp2Double(&c[0], &a[0]) - fp2Double(&c[1], &a[1]) - fp2Double(&c[2], &a[2]) -} - -func fp6DoubleAssign(a *fe6) { - fp2DoubleAssign(&a[0]) - fp2DoubleAssign(&a[1]) - fp2DoubleAssign(&a[2]) -} - -func fp6Sub(c, a, b *fe6) { - fp2Sub(&c[0], &a[0], &b[0]) - fp2Sub(&c[1], &a[1], &b[1]) - fp2Sub(&c[2], &a[2], &b[2]) -} - -func fp6SubAssign(a, b *fe6) { - fp2SubAssign(&a[0], &b[0]) - fp2SubAssign(&a[1], &b[1]) - fp2SubAssign(&a[2], &b[2]) -} - -func fp6Neg(c, a *fe6) { - fp2Neg(&c[0], &a[0]) - fp2Neg(&c[1], &a[1]) - fp2Neg(&c[2], &a[2]) -} - -func (e *fp6) wmul01(c *wfe6, a *fe6, b0, b1 *fe2) { - wt, t := e.wt, e.t - wfp2Mul(wt[0], &a[0], b0) // v0 = b0a0 - wfp2Mul(wt[1], &a[1], b1) // v1 = a1b1 - fp2Ladd(t[2], &a[1], &a[2]) // a1 + a2 - wfp2Mul(wt[2], t[2], b1) // b1(a1 + a2) - wfp2SubAssign(wt[2], wt[1]) // b1(a1 + a2) - v1 - wfp2MulByNonResidueAssign(wt[2]) - fp2Ladd(t[3], &a[0], &a[2]) // a0 + a2 - wfp2Mul(wt[3], t[3], b0) // b0(a0 + a2) - wfp2SubAssign(wt[3], wt[0]) - wfp2Add(&c[2], wt[3], wt[1]) - fp2Ladd(t[0], b0, b1) // (b0 + b1) - fp2Ladd(t[1], &a[0], &a[1]) // (a0 + a1) - wfp2Mul(wt[4], t[0], t[1]) // (a0 + a1)(b0 + b1) - wfp2SubAssign(wt[4], wt[0]) - wfp2Sub(&c[1], wt[4], wt[1]) - wfp2Add(&c[0], wt[2], wt[0]) -} - -func (e *fp6) wmul1(c *wfe6, a *fe6, b1 *fe2) { - wt := e.wt - wfp2Mul(wt[0], &a[2], b1) - wfp2Mul(&c[2], &a[1], b1) - wfp2Mul(&c[1], &a[0], b1) - wfp2MulByNonResidue(&c[0], wt[0]) -} - -func (e *fp6) wmul(c *wfe6, a, b *fe6) { - - wt, t := e.wt, e.t - - // Faster Explicit Formulas for Computing Pairings over Ordinary Curves - // AKLGL - // https://eprint.iacr.org/2010/526.pdf - // Algorithm 3 - - // 1. T0 = a0b0,T1 = a1b1, T2 = a2b2 - wfp2Mul(wt[0], &a[0], &b[0]) - wfp2Mul(wt[1], &a[1], &b[1]) - wfp2Mul(wt[2], &a[2], &b[2]) - // 2. t0 = a1 + a2, t1 = b1 + b2 - fp2Ladd(t[0], &a[1], &a[2]) - fp2Ladd(t[1], &b[1], &b[2]) - // 3. T3 = t0 * t1 - wfp2Mul(wt[3], t[0], t[1]) - // 4. 
T4 = T1 + T2 - wfp2Add(wt[4], wt[1], wt[2]) - - // 5,6. T3 = T3 - T4 - wfp2SubMixedAssign(wt[3], wt[4]) - - // 7. T4 = β * T3 - wfp2MulByNonResidue(wt[4], wt[3]) - - // 8. T5 = T4 + T0 - wfp2Add(wt[5], wt[4], wt[0]) - - // 9. t0 = a0 + a1, t1 = b0 + b1 - fp2Ladd(t[0], &a[0], &a[1]) - fp2Ladd(t[1], &b[0], &b[1]) - - // 10. T3 = t0 * t1 - wfp2Mul(wt[3], t[0], t[1]) - - // 11. T4 = T0 + T1 - wfp2Add(wt[4], wt[0], wt[1]) - - // 12,13. T3 = T3 - T4 - wfp2SubMixedAssign(wt[3], wt[4]) - - // 14,15. T4 = β * T2 - wfp2MulByNonResidue(wt[4], wt[2]) - - // 17. t0 = a0 + a2, t1 = b0 + b2 - fp2Ladd(t[0], &a[0], &a[2]) - fp2Ladd(t[1], &b[0], &b[2]) - - // 16. T6 = T3 + T4 - wfp2Add(&c[1], wt[3], wt[4]) - - // 18. T3 = t0 * t1 - wfp2Mul(wt[3], t[0], t[1]) - - // 19. T4 = T0 + T2 - wfp2Add(wt[4], wt[0], wt[2]) - - // 20,21. T3 = T3 - T4 - wfp2SubMixedAssign(wt[3], wt[4]) - - // 22,23. T7 = T3 + T1 - wfp2AddMixed(&c[2], wt[3], wt[1]) - - // c = T5, T6, T7 - c[0].set(wt[5]) -} - -func (e *fp6) mul(c *fe6, a, b *fe6) { - wt, t := e.wt, e.t - - // 1. T0 = a0b0,T1 = a1b1, T2 = a2b2 - wfp2Mul(wt[0], &a[0], &b[0]) - wfp2Mul(wt[1], &a[1], &b[1]) - wfp2Mul(wt[2], &a[2], &b[2]) - // 2. t0 = a1 + a2, t1 = b1 + b2 - fp2Ladd(t[0], &a[1], &a[2]) - fp2Ladd(t[1], &b[1], &b[2]) - // 3. T3 = t0 * t1 - wfp2Mul(wt[3], t[0], t[1]) - // 4. T4 = T1 + T2 - wfp2Add(wt[4], wt[1], wt[2]) - - // 5,6. T3 = T3 - T4 - wfp2SubMixedAssign(wt[3], wt[4]) - - // 7. T4 = β * T3 - wfp2MulByNonResidue(wt[4], wt[3]) - - // 8. T5 = T4 + T0 - wfp2Add(wt[5], wt[4], wt[0]) - - // 9. t0 = a0 + a1, t1 = b0 + b1 - fp2Ladd(t[0], &a[0], &a[1]) - fp2Ladd(t[1], &b[0], &b[1]) - - // 10. T3 = t0 * t1 - wfp2Mul(wt[3], t[0], t[1]) - - // 11. T4 = T0 + T1 - wfp2Add(wt[4], wt[0], wt[1]) - - // 12,13. T3 = T3 - T4 - wfp2SubMixed(wt[3], wt[3], wt[4]) - - // 14,15. T4 = β * T2 - wfp2MulByNonResidue(wt[4], wt[2]) - - // 17. t0 = a0 + a2, t1 = b0 + b2 - fp2Ladd(t[0], &a[0], &a[2]) - fp2Ladd(t[1], &b[0], &b[2]) - - // 16. 
T6 = T3 + T4 - wfp2Add(wt[3], wt[3], wt[4]) - c[1].fromWide(wt[3]) - - // 18. T3 = t0 * t1 - wfp2Mul(wt[3], t[0], t[1]) - - // 19. T4 = T0 + T2 - wfp2Add(wt[4], wt[0], wt[2]) - - // 20,21. T3 = T3 - T4 - wfp2SubMixed(wt[3], wt[3], wt[4]) - - // 22,23. T7 = T3 + T1 - wfp2AddMixed(wt[3], wt[3], wt[1]) - c[2].fromWide(wt[3]) - - // c = T5, T6, T7 - c[0].fromWide(wt[5]) -} - -func (e *fp6) mulAssign(a, b *fe6) { - wt, t := e.wt, e.t - - // Faster Explicit Formulas for Computing Pairings over Ordinary Curves - // AKLGL - // https://eprint.iacr.org/2010/526.pdf - // Algorithm 3 - - // 1. T0 = a0b0,T1 = a1b1, T2 = a2b2 - wfp2Mul(wt[0], &a[0], &b[0]) - wfp2Mul(wt[1], &a[1], &b[1]) - wfp2Mul(wt[2], &a[2], &b[2]) - // 2. t0 = a1 + a2, t1 = b1 + b2 - fp2Ladd(t[0], &a[1], &a[2]) - fp2Ladd(t[1], &b[1], &b[2]) - // 3. T3 = t0 * t1 - wfp2Mul(wt[3], t[0], t[1]) - // 4. T4 = T1 + T2 - wfp2Add(wt[4], wt[1], wt[2]) - - // 5,6. T3 = T3 - T4 - wfp2SubMixed(wt[3], wt[3], wt[4]) - - // 7. T4 = β * T3 - wfp2MulByNonResidue(wt[4], wt[3]) - - // 8. T5 = T4 + T0 - wfp2Add(wt[5], wt[4], wt[0]) - - // 9. t0 = a0 + a1, t1 = b0 + b1 - fp2Ladd(t[0], &a[0], &a[1]) - fp2Ladd(t[1], &b[0], &b[1]) - - // 10. T3 = t0 * t1 - wfp2Mul(wt[3], t[0], t[1]) - - // 11. T4 = T0 + T1 - wfp2Add(wt[4], wt[0], wt[1]) - - // 12,13. T3 = T3 - T4 - wfp2SubMixed(wt[3], wt[3], wt[4]) - - // 14,15. T4 = β * T2 - wfp2MulByNonResidue(wt[4], wt[2]) - - // 17. t0 = a0 + a2, t1 = b0 + b2 - fp2Ladd(t[0], &a[0], &a[2]) - fp2Ladd(t[1], &b[0], &b[2]) - - // 16. T6 = T3 + T4 - wfp2Add(wt[3], wt[3], wt[4]) - a[1].fromWide(wt[3]) - - // 18. T3 = t0 * t1 - wfp2Mul(wt[3], t[0], t[1]) - - // 19. T4 = T0 + T2 - wfp2Add(wt[4], wt[0], wt[2]) - - // 20,21. T3 = T3 - T4 - wfp2SubMixed(wt[3], wt[3], wt[4]) - - // 22,23. 
T7 = T3 + T1 - wfp2AddMixed(wt[3], wt[3], wt[1]) - a[2].fromWide(wt[3]) - - // a = T5, T6, T7 - a[0].fromWide(wt[5]) -} - -func (e *fp6) square(c, a *fe6) { - wt, t := e.wt, e.t - wfp2Square(wt[0], &a[0]) - wfp2Mul(wt[1], &a[0], &a[1]) - wfp2DoubleAssign(wt[1]) - fp2Sub(t[2], &a[0], &a[1]) - fp2AddAssign(t[2], &a[2]) - wfp2Square(wt[2], t[2]) - wfp2Mul(wt[3], &a[1], &a[2]) - wfp2DoubleAssign(wt[3]) - wfp2Square(wt[4], &a[2]) - wfp2MulByNonResidue(wt[5], wt[3]) - wfp2AddAssign(wt[5], wt[0]) - c[0].fromWide(wt[5]) - wfp2MulByNonResidue(wt[5], wt[4]) - wfp2AddAssign(wt[5], wt[1]) - c[1].fromWide(wt[5]) - wfp2AddAssign(wt[1], wt[2]) - wfp2AddAssign(wt[1], wt[3]) - wfp2AddAssign(wt[0], wt[4]) - wfp2SubAssign(wt[1], wt[0]) - c[2].fromWide(wt[1]) - -} - -func (e *fp6) wsquare(c *wfe6, a *fe6) { - wt, t := e.wt, e.t - wfp2Square(wt[0], &a[0]) - wfp2Mul(wt[1], &a[0], &a[1]) - wfp2DoubleAssign(wt[1]) - fp2Sub(t[2], &a[0], &a[1]) - fp2AddAssign(t[2], &a[2]) - wfp2Square(wt[2], t[2]) - wfp2Mul(wt[3], &a[1], &a[2]) - wfp2DoubleAssign(wt[3]) - wfp2Square(wt[4], &a[2]) - wfp2MulByNonResidue(wt[5], wt[3]) - wfp2Add(&c[0], wt[5], wt[0]) - wfp2MulByNonResidue(wt[5], wt[4]) - wfp2Add(&c[1], wt[1], wt[5]) - wfp2AddAssign(wt[1], wt[2]) - wfp2AddAssign(wt[1], wt[3]) - wfp2AddAssign(wt[0], wt[4]) - wfp2Sub(&c[2], wt[1], wt[0]) -} - -func (e *fp6) mulByNonResidue(c, a *fe6) { - t := e.t - t[0].set(&a[0]) - mulByNonResidue(&c[0], &a[2]) - c[2].set(&a[1]) - c[1].set(t[0]) -} - -func (e *fp6) wmulByNonResidue(c, a *wfe6) { - t := e.wt - t[0].set(&a[0]) - wfp2MulByNonResidue(&c[0], &a[2]) - c[2].set(&a[1]) - c[1].set(t[0]) -} - -func (e *fp6) wmulByNonResidueAssign(a *wfe6) { - t := e.wt - t[0].set(&a[0]) - wfp2MulByNonResidue(&a[0], &a[2]) - a[2].set(&a[1]) - a[1].set(t[0]) -} - -func (e *fp6) mulByBaseField(c, a *fe6, b *fe2) { - fp2 := e.fp2 - fp2.mul(&c[0], &a[0], b) - fp2.mul(&c[1], &a[1], b) - fp2.mul(&c[2], &a[2], b) -} - -func (e *fp6) exp(c, a *fe6, s *big.Int) { - z := e.one() - for 
i := s.BitLen() - 1; i >= 0; i-- { - e.square(z, z) - if s.Bit(i) == 1 { - e.mul(z, z, a) - } - } - c.set(z) -} - -func (e *fp6) inverse(c, a *fe6) { - fp2, t := e.fp2, e.t - fp2.square(t[0], &a[0]) - fp2.mul(t[1], &a[1], &a[2]) - mulByNonResidueAssign(t[1]) - fp2SubAssign(t[0], t[1]) // A = v0 - βv5 - fp2.square(t[1], &a[1]) // v1 = a1^2 - fp2.mul(t[2], &a[0], &a[2]) // v4 = a0a2 - fp2SubAssign(t[1], t[2]) // C = v1 - v4 - fp2.square(t[2], &a[2]) // v2 = a2^2 - mulByNonResidueAssign(t[2]) // βv2 - fp2.mul(t[3], &a[0], &a[1]) // v3 = a0a1 - fp2SubAssign(t[2], t[3]) // B = βv2 - v3 - fp2.mul(t[3], &a[2], t[2]) // B * a2 - fp2.mul(t[4], &a[1], t[1]) // C * a1 - fp2AddAssign(t[3], t[4]) // Ca1 + Ba2 - mulByNonResidueAssign(t[3]) // β(Ca1 + Ba2) - fp2.mul(t[4], &a[0], t[0]) // Aa0 - fp2AddAssign(t[3], t[4]) // v6 = Aa0 + β(Ca1 + Ba2) - fp2.inverse(t[3], t[3]) // F = v6^-1 - fp2.mul(&c[0], t[0], t[3]) // c0 = AF - fp2.mul(&c[1], t[2], t[3]) // c1 = BF - fp2.mul(&c[2], t[1], t[3]) // c2 = CF -} - -func (e *fp6) frobeniusMap(a *fe6, power int) { - fp2 := e.fp2 - fp2.frobeniusMap(&a[0], power) - fp2.frobeniusMap(&a[1], power) - fp2.frobeniusMap(&a[2], power) - fp2.mulAssign(&a[1], &frobeniusCoeffs61[power%6]) - fp2.mulAssign(&a[2], &frobeniusCoeffs62[power%6]) -} - -func (e *fp6) frobeniusMap1(a *fe6) { - fp2 := e.fp2 - fp2.frobeniusMap1(&a[0]) - fp2.frobeniusMap1(&a[1]) - fp2.frobeniusMap1(&a[2]) - fp2.mulAssign(&a[1], &frobeniusCoeffs61[1]) - fp2.mulAssign(&a[2], &frobeniusCoeffs62[1]) -} - -func (e *fp6) frobeniusMap2(a *fe6) { - e.fp2.mulAssign(&a[1], &frobeniusCoeffs61[2]) - e.fp2.mulAssign(&a[2], &frobeniusCoeffs62[2]) -} - -func (e *fp6) frobeniusMap3(a *fe6) { - t := e.t - e.fp2.frobeniusMap1(&a[0]) - e.fp2.frobeniusMap1(&a[1]) - e.fp2.frobeniusMap1(&a[2]) - neg(&t[0][0], &a[1][1]) - a[1][1].set(&a[1][0]) - a[1][0].set(&t[0][0]) - fp2Neg(&a[2], &a[2]) -} 
diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/fp_arithmetic_x86.s b/component/kmscrypto/internal/third_party/kilic/bls12-381/fp_arithmetic_x86.s deleted file mode 100644 index 04abfe5fe..000000000 --- a/component/kmscrypto/internal/third_party/kilic/bls12-381/fp_arithmetic_x86.s +++ /dev/null 
@@ -1,3894 +0,0 @@ -// +build amd64,!generic - -#include "textflag.h" -#include "funcdata.h" - -// assigned addition with modular reduction -// a = (a + b) % p -TEXT ·addAssign(SB), NOSPLIT, $0-16 - // | - MOVQ a+0(FP), DI - MOVQ b+8(FP), SI - - // | - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - - // | - ADDQ (SI), R8 - ADCQ 8(SI), R9 - ADCQ 16(SI), R10 - ADCQ 24(SI), R11 - ADCQ 32(SI), R12 - ADCQ 40(SI), R13 - - // | - MOVQ R8, R14 - MOVQ R9, R15 - MOVQ R10, CX - MOVQ R11, DX - MOVQ R12, SI - MOVQ R13, BX - MOVQ $0xb9feffffffffaaab, AX - SUBQ AX, R14 - MOVQ $0x1eabfffeb153ffff, AX - SBBQ AX, R15 - MOVQ $0x6730d2a0f6b0f624, AX - SBBQ AX, CX - MOVQ $0x64774b84f38512bf, AX - SBBQ AX, DX - MOVQ $0x4b1ba7b6434bacd7, AX - SBBQ AX, SI - MOVQ $0x1a0111ea397fe69a, AX - SBBQ AX, BX - CMOVQCC R14, R8 - CMOVQCC R15, R9 - CMOVQCC CX, R10 - CMOVQCC DX, R11 - CMOVQCC SI, R12 - CMOVQCC BX, R13 - - // | - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - RET - -/* | end */ - - -// addition wth modular reduction -// c = (a + b) % p -TEXT ·add(SB), NOSPLIT, $0-24 - // | - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - - // | - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - - // | - ADDQ (SI), R8 - ADCQ 8(SI), R9 - ADCQ 16(SI), R10 - ADCQ 24(SI), R11 - ADCQ 32(SI), R12 - ADCQ 40(SI), R13 - - // | - MOVQ R8, R14 - MOVQ R9, R15 - MOVQ R10, CX - MOVQ R11, DX - MOVQ R12, SI - MOVQ R13, BX - MOVQ $0xb9feffffffffaaab, DI - SUBQ DI, R14 - MOVQ $0x1eabfffeb153ffff, DI - SBBQ DI, R15 - MOVQ $0x6730d2a0f6b0f624, DI - SBBQ DI, CX - MOVQ $0x64774b84f38512bf, DI - SBBQ DI, DX - MOVQ $0x4b1ba7b6434bacd7, DI - SBBQ DI, SI - MOVQ $0x1a0111ea397fe69a, DI - SBBQ DI, BX - CMOVQCC R14, R8 - CMOVQCC R15, R9 - CMOVQCC CX, R10 - CMOVQCC DX, R11 - CMOVQCC SI, R12 - CMOVQCC BX, R13 - - // | - MOVQ c+0(FP), DI - MOVQ R8, (DI) - MOVQ 
R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - RET -/* | end */ - - -// addition w/o modular reduction -// c = a + b -TEXT ·ladd(SB), NOSPLIT, $0-24 - // | - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - - // | - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - - // | - ADDQ (SI), R8 - ADCQ 8(SI), R9 - ADCQ 16(SI), R10 - ADCQ 24(SI), R11 - ADCQ 32(SI), R12 - ADCQ 40(SI), R13 - - // | - MOVQ c+0(FP), DI - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - RET -/* | end */ - - -// assigned addition w/o modular reduction -// a = a + b -TEXT ·laddAssign(SB), NOSPLIT, $0-16 - // | - MOVQ a+0(FP), DI - MOVQ b+8(FP), SI - - // | - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - - // | - ADDQ (SI), R8 - ADCQ 8(SI), R9 - ADCQ 16(SI), R10 - ADCQ 24(SI), R11 - ADCQ 32(SI), R12 - ADCQ 40(SI), R13 - - // | - MOVQ a+0(FP), DI - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - RET -/* | end */ - - -// subtraction with modular reduction -// c = (a - b) % p -TEXT ·sub(SB), NOSPLIT, $0-24 - // | - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - XORQ AX, AX - - // | - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - SUBQ (SI), R8 - SBBQ 8(SI), R9 - SBBQ 16(SI), R10 - SBBQ 24(SI), R11 - SBBQ 32(SI), R12 - SBBQ 40(SI), R13 - - // | - MOVQ $0xb9feffffffffaaab, R14 - MOVQ $0x1eabfffeb153ffff, R15 - MOVQ $0x6730d2a0f6b0f624, CX - MOVQ $0x64774b84f38512bf, DX - MOVQ $0x4b1ba7b6434bacd7, SI - MOVQ $0x1a0111ea397fe69a, BX - CMOVQCC AX, R14 - CMOVQCC AX, R15 - CMOVQCC AX, CX - CMOVQCC AX, DX - CMOVQCC AX, SI - CMOVQCC AX, BX - ADDQ R14, R8 - ADCQ R15, R9 - ADCQ CX, R10 - ADCQ DX, R11 - ADCQ SI, R12 - ADCQ BX, R13 - - // | - MOVQ c+0(FP), DI - MOVQ R8, (DI) - MOVQ R9, 8(DI) - 
MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - RET -/* | end */ - - -// assigned subtraction with modular reduction -// a' = (a - b) % p -TEXT ·subAssign(SB), NOSPLIT, $0-16 - // | - MOVQ a+0(FP), DI - MOVQ b+8(FP), SI - XORQ AX, AX - - // | - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - SUBQ (SI), R8 - SBBQ 8(SI), R9 - SBBQ 16(SI), R10 - SBBQ 24(SI), R11 - SBBQ 32(SI), R12 - SBBQ 40(SI), R13 - - // | - MOVQ $0xb9feffffffffaaab, R14 - MOVQ $0x1eabfffeb153ffff, R15 - MOVQ $0x6730d2a0f6b0f624, CX - MOVQ $0x64774b84f38512bf, DX - MOVQ $0x4b1ba7b6434bacd7, SI - MOVQ $0x1a0111ea397fe69a, BX - CMOVQCC AX, R14 - CMOVQCC AX, R15 - CMOVQCC AX, CX - CMOVQCC AX, DX - CMOVQCC AX, SI - CMOVQCC AX, BX - ADDQ R14, R8 - ADCQ R15, R9 - ADCQ CX, R10 - ADCQ DX, R11 - ADCQ SI, R12 - ADCQ BX, R13 - - // | - MOVQ a+0(FP), DI - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - RET -/* | end */ - - -// assigned subtraction without modular reduction -// a = a - b -TEXT ·lsubAssign(SB), NOSPLIT, $0-16 - // | - MOVQ a+0(FP), DI - MOVQ b+8(FP), SI - - // | - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - SUBQ (SI), R8 - SBBQ 8(SI), R9 - SBBQ 16(SI), R10 - SBBQ 24(SI), R11 - SBBQ 32(SI), R12 - SBBQ 40(SI), R13 - - // | - MOVQ a+0(FP), DI - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - RET -/* | end */ - - -// doubling with modular reduction -// c = (2 * a) % p -TEXT ·double(SB), NOSPLIT, $0-16 - // | - MOVQ a+8(FP), DI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - ADDQ R8, R8 - ADCQ R9, R9 - ADCQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - - // | - MOVQ R8, R14 - MOVQ R9, R15 - MOVQ R10, CX - MOVQ R11, DX - MOVQ R12, SI - MOVQ R13, BX - MOVQ 
$0xb9feffffffffaaab, DI - SUBQ DI, R14 - MOVQ $0x1eabfffeb153ffff, DI - SBBQ DI, R15 - MOVQ $0x6730d2a0f6b0f624, DI - SBBQ DI, CX - MOVQ $0x64774b84f38512bf, DI - SBBQ DI, DX - MOVQ $0x4b1ba7b6434bacd7, DI - SBBQ DI, SI - MOVQ $0x1a0111ea397fe69a, DI - SBBQ DI, BX - CMOVQCC R14, R8 - CMOVQCC R15, R9 - CMOVQCC CX, R10 - CMOVQCC DX, R11 - CMOVQCC SI, R12 - CMOVQCC BX, R13 - - // | - MOVQ c+0(FP), DI - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - RET -/* | end */ - - -// assigned doubling with modular reduction -// a = (2 * a) % p -TEXT ·doubleAssign(SB), NOSPLIT, $0-8 - // | - MOVQ a+0(FP), DI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - ADDQ R8, R8 - ADCQ R9, R9 - ADCQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - - // | - MOVQ R8, R14 - MOVQ R9, R15 - MOVQ R10, CX - MOVQ R11, DX - MOVQ R12, SI - MOVQ R13, BX - MOVQ $0xb9feffffffffaaab, AX - SUBQ AX, R14 - MOVQ $0x1eabfffeb153ffff, AX - SBBQ AX, R15 - MOVQ $0x6730d2a0f6b0f624, AX - SBBQ AX, CX - MOVQ $0x64774b84f38512bf, AX - SBBQ AX, DX - MOVQ $0x4b1ba7b6434bacd7, AX - SBBQ AX, SI - MOVQ $0x1a0111ea397fe69a, AX - SBBQ AX, BX - CMOVQCC R14, R8 - CMOVQCC R15, R9 - CMOVQCC CX, R10 - CMOVQCC DX, R11 - CMOVQCC SI, R12 - CMOVQCC BX, R13 - - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - RET -/* | end */ - - -// doubling without modular reduction -// c = 2 * a -TEXT ·ldouble(SB), NOSPLIT, $0-16 - // | - MOVQ a+8(FP), DI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - - // | - ADDQ R8, R8 - ADCQ R9, R9 - ADCQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - - // | - MOVQ c+0(FP), DI - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - - RET -/* | end */ - - -TEXT ·_neg(SB), NOSPLIT, $0-16 
- // | - MOVQ a+8(FP), DI - - // | - MOVQ $0xb9feffffffffaaab, R8 - MOVQ $0x1eabfffeb153ffff, R9 - MOVQ $0x6730d2a0f6b0f624, R10 - MOVQ $0x64774b84f38512bf, R11 - MOVQ $0x4b1ba7b6434bacd7, R12 - MOVQ $0x1a0111ea397fe69a, R13 - SUBQ (DI), R8 - SBBQ 8(DI), R9 - SBBQ 16(DI), R10 - SBBQ 24(DI), R11 - SBBQ 32(DI), R12 - SBBQ 40(DI), R13 - - // | - MOVQ c+0(FP), DI - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - RET -/* | end */ - - -// multiplication without using MULX/ADX -// c = a * b % p -TEXT ·mulNoADX(SB), NOSPLIT, $24-24 - // | - -/* inputs */ - - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - MOVQ $0x00, R9 - MOVQ $0x00, R10 - MOVQ $0x00, R11 - MOVQ $0x00, R12 - MOVQ $0x00, R13 - MOVQ $0x00, R14 - MOVQ $0x00, R15 - - // | - -/* i0 */ - - // | a0 @ CX - MOVQ (DI), CX - - // | a0 * b0 - MOVQ (SI), AX - MULQ CX - MOVQ AX, (SP) - MOVQ DX, R8 - - // | a0 * b1 - MOVQ 8(SI), AX - MULQ CX - ADDQ AX, R8 - ADCQ DX, R9 - - // | a0 * b2 - MOVQ 16(SI), AX - MULQ CX - ADDQ AX, R9 - ADCQ DX, R10 - - // | a0 * b3 - MOVQ 24(SI), AX - MULQ CX - ADDQ AX, R10 - ADCQ DX, R11 - - // | a0 * b4 - MOVQ 32(SI), AX - MULQ CX - ADDQ AX, R11 - ADCQ DX, R12 - - // | a0 * b5 - MOVQ 40(SI), AX - MULQ CX - ADDQ AX, R12 - ADCQ DX, R13 - - // | - -/* i1 */ - - // | a1 @ CX - MOVQ 8(DI), CX - MOVQ $0x00, BX - - // | a1 * b0 - MOVQ (SI), AX - MULQ CX - ADDQ AX, R8 - ADCQ DX, R9 - ADCQ $0x00, R10 - ADCQ $0x00, BX - MOVQ R8, 8(SP) - MOVQ $0x00, R8 - - // | a1 * b1 - MOVQ 8(SI), AX - MULQ CX - ADDQ AX, R9 - ADCQ DX, R10 - ADCQ BX, R11 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a1 * b2 - MOVQ 16(SI), AX - MULQ CX - ADDQ AX, R10 - ADCQ DX, R11 - ADCQ BX, R12 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a1 * b3 - MOVQ 24(SI), AX - MULQ CX - ADDQ AX, R11 - ADCQ DX, R12 - ADCQ BX, R13 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a1 * b4 - MOVQ 32(SI), AX - MULQ CX - ADDQ AX, R12 - ADCQ DX, R13 - ADCQ BX, R14 - - // | a1 * b5 - MOVQ 40(SI), AX - MULQ CX - 
ADDQ AX, R13 - ADCQ DX, R14 - - // | - -/* i2 */ - - // | a2 @ CX - MOVQ 16(DI), CX - MOVQ $0x00, BX - - // | a2 * b0 - MOVQ (SI), AX - MULQ CX - ADDQ AX, R9 - ADCQ DX, R10 - ADCQ $0x00, R11 - ADCQ $0x00, BX - MOVQ R9, 16(SP) - MOVQ $0x00, R9 - - // | a2 * b1 - MOVQ 8(SI), AX - MULQ CX - ADDQ AX, R10 - ADCQ DX, R11 - ADCQ BX, R12 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a2 * b2 - MOVQ 16(SI), AX - MULQ CX - ADDQ AX, R11 - ADCQ DX, R12 - ADCQ BX, R13 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a2 * b3 - MOVQ 24(SI), AX - MULQ CX - ADDQ AX, R12 - ADCQ DX, R13 - ADCQ BX, R14 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a2 * b4 - MOVQ 32(SI), AX - MULQ CX - ADDQ AX, R13 - ADCQ DX, R14 - ADCQ BX, R15 - - // | a2 * b5 - MOVQ 40(SI), AX - MULQ CX - ADDQ AX, R14 - ADCQ DX, R15 - - // | - -/* i3 */ - - // | a3 @ CX - MOVQ 24(DI), CX - MOVQ $0x00, BX - - // | a3 * b0 - MOVQ (SI), AX - MULQ CX - ADDQ AX, R10 - ADCQ DX, R11 - ADCQ $0x00, R12 - ADCQ $0x00, BX - - // | a3 * b1 - MOVQ 8(SI), AX - MULQ CX - ADDQ AX, R11 - ADCQ DX, R12 - ADCQ BX, R13 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a3 * b2 - MOVQ 16(SI), AX - MULQ CX - ADDQ AX, R12 - ADCQ DX, R13 - ADCQ BX, R14 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a3 * b3 - MOVQ 24(SI), AX - MULQ CX - ADDQ AX, R13 - ADCQ DX, R14 - ADCQ BX, R15 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a3 * b4 - MOVQ 32(SI), AX - MULQ CX - ADDQ AX, R14 - ADCQ DX, R15 - ADCQ BX, R8 - - // | a3 * b5 - MOVQ 40(SI), AX - MULQ CX - ADDQ AX, R15 - ADCQ DX, R8 - - // | - -/* i4 */ - - // | a4 @ CX - MOVQ 32(DI), CX - MOVQ $0x00, BX - - // | a4 * b0 - MOVQ (SI), AX - MULQ CX - ADDQ AX, R11 - ADCQ DX, R12 - ADCQ $0x00, R13 - ADCQ $0x00, BX - - // | a4 * b1 - MOVQ 8(SI), AX - MULQ CX - ADDQ AX, R12 - ADCQ DX, R13 - ADCQ BX, R14 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a4 * b2 - MOVQ 16(SI), AX - MULQ CX - ADDQ AX, R13 - ADCQ DX, R14 - ADCQ BX, R15 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a4 * b3 - MOVQ 24(SI), AX - MULQ CX - ADDQ AX, R14 - ADCQ DX, R15 - 
ADCQ BX, R8 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a4 * b4 - MOVQ 32(SI), AX - MULQ CX - ADDQ AX, R15 - ADCQ DX, R8 - ADCQ BX, R9 - - // | a4 * b5 - MOVQ 40(SI), AX - MULQ CX - ADDQ AX, R8 - ADCQ DX, R9 - - // | - -/* i5 */ - - // | a5 @ CX - MOVQ 40(DI), CX - MOVQ $0x00, BX - - // | a5 * b0 - MOVQ (SI), AX - MULQ CX - ADDQ AX, R12 - ADCQ DX, R13 - ADCQ $0x00, R14 - ADCQ $0x00, BX - - // | a5 * b1 - MOVQ 8(SI), AX - MULQ CX - ADDQ AX, R13 - ADCQ DX, R14 - ADCQ BX, R15 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a5 * b2 - MOVQ 16(SI), AX - MULQ CX - ADDQ AX, R14 - ADCQ DX, R15 - ADCQ BX, R8 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a5 * b3 - MOVQ 24(SI), AX - MULQ CX - ADDQ AX, R15 - ADCQ DX, R8 - ADCQ BX, R9 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a5 * b4 - MOVQ 32(SI), AX - MULQ CX - ADDQ AX, R8 - ADCQ DX, R9 - ADCQ $0x00, BX - - // | a5 * b5 - MOVQ 40(SI), AX - MULQ CX - ADDQ AX, R9 - ADCQ DX, BX - - // | - -/* */ - - // | - // | W - // | 0 (SP) | 1 8(SP) | 2 16(SP) | 3 R10 | 4 R11 | 5 R12 - // | 6 R13 | 7 R14 | 8 R15 | 9 R8 | 10 R9 | 11 BX - - - MOVQ (SP), CX - MOVQ 8(SP), DI - MOVQ 16(SP), SI - MOVQ BX, (SP) - MOVQ R9, 8(SP) - - // | - -/* montgomery reduction */ - - // | - -/* i0 */ - - // | - // | W - // | 0 CX | 1 DI | 2 SI | 3 R10 | 4 R11 | 5 R12 - // | 6 R13 | 7 R14 | 8 R15 | 9 R8 | 10 8(SP) | 11 (SP) - - - // | | u0 = w0 * inp - MOVQ CX, AX - MULQ ·inp+0(SB) - MOVQ AX, R9 - MOVQ $0x00, BX - - // | - -/* */ - - // | j0 - - // | w0 @ CX - MOVQ ·modulus+0(SB), AX - MULQ R9 - ADDQ AX, CX - ADCQ DX, BX - - // | j1 - - // | w1 @ DI - MOVQ ·modulus+8(SB), AX - MULQ R9 - ADDQ AX, DI - ADCQ $0x00, DX - ADDQ BX, DI - MOVQ $0x00, BX - ADCQ DX, BX - - // | j2 - - // | w2 @ SI - MOVQ ·modulus+16(SB), AX - MULQ R9 - ADDQ AX, SI - ADCQ $0x00, DX - ADDQ BX, SI - MOVQ $0x00, BX - ADCQ DX, BX - - // | j3 - - // | w3 @ R10 - MOVQ ·modulus+24(SB), AX - MULQ R9 - ADDQ AX, R10 - ADCQ $0x00, DX - ADDQ BX, R10 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j4 - - // | w4 @ R11 - 
MOVQ ·modulus+32(SB), AX - MULQ R9 - ADDQ AX, R11 - ADCQ $0x00, DX - ADDQ BX, R11 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j5 - - // | w5 @ R12 - MOVQ ·modulus+40(SB), AX - MULQ R9 - ADDQ AX, R12 - ADCQ $0x00, DX - ADDQ BX, R12 - - // | w6 @ R13 - ADCQ DX, R13 - ADCQ $0x00, CX - - // | - -/* i1 */ - - // | - // | W - // | 0 - | 1 DI | 2 SI | 3 R10 | 4 R11 | 5 R12 - // | 6 R13 | 7 R14 | 8 R15 | 9 R8 | 10 8(SP) | 11 (SP) - - - // | | u1 = w1 * inp - MOVQ DI, AX - MULQ ·inp+0(SB) - MOVQ AX, R9 - MOVQ $0x00, BX - - // | - -/* */ - - // | j0 - - // | w1 @ DI - MOVQ ·modulus+0(SB), AX - MULQ R9 - ADDQ AX, DI - ADCQ DX, BX - - // | j1 - - // | w2 @ SI - MOVQ ·modulus+8(SB), AX - MULQ R9 - ADDQ AX, SI - ADCQ $0x00, DX - ADDQ BX, SI - MOVQ $0x00, BX - ADCQ DX, BX - - // | j2 - - // | w3 @ R10 - MOVQ ·modulus+16(SB), AX - MULQ R9 - ADDQ AX, R10 - ADCQ $0x00, DX - ADDQ BX, R10 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j3 - - // | w4 @ R11 - MOVQ ·modulus+24(SB), AX - MULQ R9 - ADDQ AX, R11 - ADCQ $0x00, DX - ADDQ BX, R11 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j4 - - // | w5 @ R12 - MOVQ ·modulus+32(SB), AX - MULQ R9 - ADDQ AX, R12 - ADCQ $0x00, DX - ADDQ BX, R12 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j5 - - // | w6 @ R13 - MOVQ ·modulus+40(SB), AX - MULQ R9 - ADDQ AX, R13 - ADCQ DX, CX - ADDQ BX, R13 - - // | w7 @ R14 - ADCQ CX, R14 - MOVQ $0x00, CX - ADCQ $0x00, CX - - // | - -/* i2 */ - - // | - // | W - // | 0 - | 1 - | 2 SI | 3 R10 | 4 R11 | 5 R12 - // | 6 R13 | 7 R14 | 8 R15 | 9 R8 | 10 8(SP) | 11 (SP) - - - // | | u2 = w2 * inp - MOVQ SI, AX - MULQ ·inp+0(SB) - MOVQ AX, R9 - MOVQ $0x00, BX - - // | - -/* */ - - // | j0 - - // | w2 @ SI - MOVQ ·modulus+0(SB), AX - MULQ R9 - ADDQ AX, SI - ADCQ DX, BX - - // | j1 - - // | w3 @ R10 - MOVQ ·modulus+8(SB), AX - MULQ R9 - ADDQ AX, R10 - ADCQ $0x00, DX - ADDQ BX, R10 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j2 - - // | w4 @ R11 - MOVQ ·modulus+16(SB), AX - MULQ R9 - ADDQ AX, R11 - ADCQ $0x00, DX - ADDQ BX, R11 - MOVQ $0x00, BX - 
ADCQ DX, BX - - // | j3 - - // | w5 @ R12 - MOVQ ·modulus+24(SB), AX - MULQ R9 - ADDQ AX, R12 - ADCQ $0x00, DX - ADDQ BX, R12 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j4 - - // | w6 @ R13 - MOVQ ·modulus+32(SB), AX - MULQ R9 - ADDQ AX, R13 - ADCQ $0x00, DX - ADDQ BX, R13 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j5 - - // | w7 @ R14 - MOVQ ·modulus+40(SB), AX - MULQ R9 - ADDQ AX, R14 - ADCQ DX, CX - ADDQ BX, R14 - - // | w8 @ R15 - ADCQ CX, R15 - MOVQ $0x00, CX - ADCQ $0x00, CX - - // | - -/* i3 */ - - // | - // | W - // | 0 - | 1 - | 2 - | 3 R10 | 4 R11 | 5 R12 - // | 6 R13 | 7 R14 | 8 R15 | 9 R8 | 10 8(SP) | 11 (SP) - - - // | | u3 = w3 * inp - MOVQ R10, AX - MULQ ·inp+0(SB) - MOVQ AX, R9 - MOVQ $0x00, BX - - // | - -/* */ - - // | j0 - - // | w3 @ R10 - MOVQ ·modulus+0(SB), AX - MULQ R9 - ADDQ AX, R10 - ADCQ DX, BX - - // | j1 - - // | w4 @ R11 - MOVQ ·modulus+8(SB), AX - MULQ R9 - ADDQ AX, R11 - ADCQ $0x00, DX - ADDQ BX, R11 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j2 - - // | w5 @ R12 - MOVQ ·modulus+16(SB), AX - MULQ R9 - ADDQ AX, R12 - ADCQ $0x00, DX - ADDQ BX, R12 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j3 - - // | w6 @ R13 - MOVQ ·modulus+24(SB), AX - MULQ R9 - ADDQ AX, R13 - ADCQ $0x00, DX - ADDQ BX, R13 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j4 - - // | w7 @ R14 - MOVQ ·modulus+32(SB), AX - MULQ R9 - ADDQ AX, R14 - ADCQ $0x00, DX - ADDQ BX, R14 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j5 - - // | w8 @ R15 - MOVQ ·modulus+40(SB), AX - MULQ R9 - ADDQ AX, R15 - ADCQ DX, CX - ADDQ BX, R15 - - // | w9 @ R8 - ADCQ CX, R8 - MOVQ $0x00, CX - ADCQ $0x00, CX - - // | - -/* i4 */ - - // | - // | W - // | 0 - | 1 - | 2 - | 3 - | 4 R11 | 5 R12 - // | 6 R13 | 7 R14 | 8 R15 | 9 R8 | 10 8(SP) | 11 (SP) - - - // | | u4 = w4 * inp - MOVQ R11, AX - MULQ ·inp+0(SB) - MOVQ AX, R9 - MOVQ $0x00, BX - - // | - -/* */ - - // | j0 - - // | w4 @ R11 - MOVQ ·modulus+0(SB), AX - MULQ R9 - ADDQ AX, R11 - ADCQ DX, BX - - // | j1 - - // | w5 @ R12 - MOVQ ·modulus+8(SB), AX - MULQ R9 - ADDQ 
AX, R12 - ADCQ $0x00, DX - ADDQ BX, R12 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j2 - - // | w6 @ R13 - MOVQ ·modulus+16(SB), AX - MULQ R9 - ADDQ AX, R13 - ADCQ $0x00, DX - ADDQ BX, R13 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j3 - - // | w7 @ R14 - MOVQ ·modulus+24(SB), AX - MULQ R9 - ADDQ AX, R14 - ADCQ $0x00, DX - ADDQ BX, R14 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j4 - - // | w8 @ R15 - MOVQ ·modulus+32(SB), AX - MULQ R9 - ADDQ AX, R15 - ADCQ $0x00, DX - ADDQ BX, R15 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j5 - - // | w9 @ R8 - MOVQ ·modulus+40(SB), AX - MULQ R9 - ADDQ AX, R8 - ADCQ DX, CX - ADDQ BX, R8 - - // | move to idle register - MOVQ 8(SP), DI - - // | w10 @ DI - ADCQ CX, DI - MOVQ $0x00, CX - ADCQ $0x00, CX - - // | - -/* i5 */ - - // | - // | W - // | 0 - | 1 - | 2 - | 3 - | 4 - | 5 R12 - // | 6 R13 | 7 R14 | 8 R15 | 9 R8 | 10 DI | 11 (SP) - - - // | | u5 = w5 * inp - MOVQ R12, AX - MULQ ·inp+0(SB) - MOVQ AX, R9 - MOVQ $0x00, BX - - // | - -/* */ - - // | j0 - - // | w5 @ R12 - MOVQ ·modulus+0(SB), AX - MULQ R9 - ADDQ AX, R12 - ADCQ DX, BX - - // | j1 - - // | w6 @ R13 - MOVQ ·modulus+8(SB), AX - MULQ R9 - ADDQ AX, R13 - ADCQ $0x00, DX - ADDQ BX, R13 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j2 - - // | w7 @ R14 - MOVQ ·modulus+16(SB), AX - MULQ R9 - ADDQ AX, R14 - ADCQ $0x00, DX - ADDQ BX, R14 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j3 - - // | w8 @ R15 - MOVQ ·modulus+24(SB), AX - MULQ R9 - ADDQ AX, R15 - ADCQ $0x00, DX - ADDQ BX, R15 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j4 - - // | w9 @ R8 - MOVQ ·modulus+32(SB), AX - MULQ R9 - ADDQ AX, R8 - ADCQ $0x00, DX - ADDQ BX, R8 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j5 - - // | w10 @ DI - MOVQ ·modulus+40(SB), AX - MULQ R9 - ADDQ AX, DI - ADCQ DX, CX - ADDQ BX, DI - - // | w11 @ CX - ADCQ (SP), CX - - // | - // | W montgomerry reduction ends - // | 0 - | 1 - | 2 - | 3 - | 4 - | 5 - - // | 6 R13 | 7 R14 | 8 R15 | 9 R8 | 10 DI | 11 CX - - - // | - - -/* modular reduction */ - - MOVQ R13, R10 - SUBQ 
·modulus+0(SB), R10 - MOVQ R14, R11 - SBBQ ·modulus+8(SB), R11 - MOVQ R15, R12 - SBBQ ·modulus+16(SB), R12 - MOVQ R8, AX - SBBQ ·modulus+24(SB), AX - MOVQ DI, BX - SBBQ ·modulus+32(SB), BX - MOVQ CX, R9 - SBBQ ·modulus+40(SB), R9 - // | - -/* out */ - - MOVQ c+0(FP), SI - CMOVQCC R10, R13 - MOVQ R13, (SI) - CMOVQCC R11, R14 - MOVQ R14, 8(SI) - CMOVQCC R12, R15 - MOVQ R15, 16(SI) - CMOVQCC AX, R8 - MOVQ R8, 24(SI) - CMOVQCC BX, DI - MOVQ DI, 32(SI) - CMOVQCC R9, CX - MOVQ CX, 40(SI) - RET - - // | - -/* end */ - - -// multiplication -// c = a * b % p -TEXT ·mulADX(SB), NOSPLIT, $16-24 - // | - -/* inputs */ - - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - XORQ AX, AX - - // | - -/* i0 */ - - // | a0 @ DX - MOVQ (DI), DX - - // | a0 * b0 - MULXQ (SI), AX, CX - MOVQ AX, (SP) - - // | a0 * b1 - MULXQ 8(SI), AX, R8 - ADCXQ AX, CX - - // | a0 * b2 - MULXQ 16(SI), AX, R9 - ADCXQ AX, R8 - - // | a0 * b3 - MULXQ 24(SI), AX, R10 - ADCXQ AX, R9 - - // | a0 * b4 - MULXQ 32(SI), AX, R11 - ADCXQ AX, R10 - - // | a0 * b5 - MULXQ 40(SI), AX, R12 - ADCXQ AX, R11 - ADCQ $0x00, R12 - - // | - -/* i1 */ - - // | a1 @ DX - MOVQ 8(DI), DX - XORQ R13, R13 - - // | a1 * b0 - MULXQ (SI), AX, BX - ADOXQ AX, CX - ADCXQ BX, R8 - MOVQ CX, 8(SP) - - // | a1 * b1 - MULXQ 8(SI), AX, BX - ADOXQ AX, R8 - ADCXQ BX, R9 - - // | a1 * b2 - MULXQ 16(SI), AX, BX - ADOXQ AX, R9 - ADCXQ BX, R10 - - // | a1 * b3 - MULXQ 24(SI), AX, BX - ADOXQ AX, R10 - ADCXQ BX, R11 - - // | a1 * b4 - MULXQ 32(SI), AX, BX - ADOXQ AX, R11 - ADCXQ BX, R12 - - // | a1 * b5 - MULXQ 40(SI), AX, BX - ADOXQ AX, R12 - ADOXQ R13, R13 - ADCXQ BX, R13 - - // | - -/* i2 */ - - // | a2 @ DX - MOVQ 16(DI), DX - XORQ R14, R14 - - // | a2 * b0 - MULXQ (SI), AX, BX - ADOXQ AX, R8 - ADCXQ BX, R9 - - // | a2 * b1 - MULXQ 8(SI), AX, BX - ADOXQ AX, R9 - ADCXQ BX, R10 - - // | a2 * b2 - MULXQ 16(SI), AX, BX - ADOXQ AX, R10 - ADCXQ BX, R11 - - // | a2 * b3 - MULXQ 24(SI), AX, BX - ADOXQ AX, R11 - ADCXQ BX, R12 - - // | a2 * b4 - MULXQ 32(SI), AX, BX - 
ADOXQ AX, R12 - ADCXQ BX, R13 - - // | a2 * b5 - MULXQ 40(SI), AX, BX - ADOXQ AX, R13 - ADOXQ R14, R14 - ADCXQ BX, R14 - - // | - -/* i3 */ - - // | a3 @ DX - MOVQ 24(DI), DX - XORQ R15, R15 - - // | a3 * b0 - MULXQ (SI), AX, BX - ADOXQ AX, R9 - ADCXQ BX, R10 - - // | a3 * b1 - MULXQ 8(SI), AX, BX - ADOXQ AX, R10 - ADCXQ BX, R11 - - // | a3 * b2 - MULXQ 16(SI), AX, BX - ADOXQ AX, R11 - ADCXQ BX, R12 - - // | a3 * b3 - MULXQ 24(SI), AX, BX - ADOXQ AX, R12 - ADCXQ BX, R13 - - // | a3 * b4 - MULXQ 32(SI), AX, BX - ADOXQ AX, R13 - ADCXQ BX, R14 - - // | a3 * b5 - MULXQ 40(SI), AX, BX - ADOXQ AX, R14 - ADOXQ R15, R15 - ADCXQ BX, R15 - - // | - -/* i4 */ - - // | a4 @ DX - MOVQ 32(DI), DX - XORQ CX, CX - - // | a4 * b0 - MULXQ (SI), AX, BX - ADOXQ AX, R10 - ADCXQ BX, R11 - - // | a4 * b1 - MULXQ 8(SI), AX, BX - ADOXQ AX, R11 - ADCXQ BX, R12 - - // | a4 * b2 - MULXQ 16(SI), AX, BX - ADOXQ AX, R12 - ADCXQ BX, R13 - - // | a4 * b3 - MULXQ 24(SI), AX, BX - ADOXQ AX, R13 - ADCXQ BX, R14 - - // | a4 * b4 - MULXQ 32(SI), AX, BX - ADOXQ AX, R14 - ADCXQ BX, R15 - - // | a4 * b5 - MULXQ 40(SI), AX, BX - ADOXQ AX, R15 - ADOXQ CX, CX - ADCXQ BX, CX - - // | - -/* i5 */ - - // | a5 @ DX - MOVQ 40(DI), DX - XORQ DI, DI - - // | a5 * b0 - MULXQ (SI), AX, BX - ADOXQ AX, R11 - ADCXQ BX, R12 - - // | a5 * b1 - MULXQ 8(SI), AX, BX - ADOXQ AX, R12 - ADCXQ BX, R13 - - // | a5 * b2 - MULXQ 16(SI), AX, BX - ADOXQ AX, R13 - ADCXQ BX, R14 - - // | a5 * b3 - MULXQ 24(SI), AX, BX - ADOXQ AX, R14 - ADCXQ BX, R15 - - // | a5 * b4 - MULXQ 32(SI), AX, BX - ADOXQ AX, R15 - ADCXQ BX, CX - - // | a5 * b5 - MULXQ 40(SI), AX, BX - ADOXQ AX, CX - ADOXQ BX, DI - ADCQ $0x00, DI - - // | - -/* */ - - // | - // | W - // | 0 (SP) | 1 8(SP) | 2 R8 | 3 R9 | 4 R10 | 5 R11 - // | 6 R12 | 7 R13 | 8 R14 | 9 R15 | 10 CX | 11 DI - - - MOVQ (SP), BX - MOVQ 8(SP), SI - MOVQ DI, (SP) - - // | - // | W ready to mont - // | 0 BX | 1 SI | 2 R8 | 3 R9 | 4 R10 | 5 R11 - // | 6 R12 | 7 R13 | 8 R14 | 9 R15 | 10 CX | 11 (SP) - - - 
// | - -/* montgomery reduction */ - - // | clear flags - XORQ AX, AX - - // | - -/* i0 */ - - // | - // | W - // | 0 BX | 1 SI | 2 R8 | 3 R9 | 4 R10 | 5 R11 - // | 6 R12 | 7 R13 | 8 R14 | 9 R15 | 10 CX | 11 (SP) - - - // | | u0 = w0 * inp - MOVQ BX, DX - MULXQ ·inp+0(SB), DX, DI - - // | - -/* */ - - // | j0 - - // | w0 @ BX - MULXQ ·modulus+0(SB), AX, DI - ADOXQ AX, BX - ADCXQ DI, SI - - // | j1 - - // | w1 @ SI - MULXQ ·modulus+8(SB), AX, DI - ADOXQ AX, SI - ADCXQ DI, R8 - - // | j2 - - // | w2 @ R8 - MULXQ ·modulus+16(SB), AX, DI - ADOXQ AX, R8 - ADCXQ DI, R9 - - // | j3 - - // | w3 @ R9 - MULXQ ·modulus+24(SB), AX, DI - ADOXQ AX, R9 - ADCXQ DI, R10 - - // | j4 - - // | w4 @ R10 - MULXQ ·modulus+32(SB), AX, DI - ADOXQ AX, R10 - ADCXQ DI, R11 - - // | j5 - - // | w5 @ R11 - MULXQ ·modulus+40(SB), AX, DI - ADOXQ AX, R11 - ADCXQ DI, R12 - ADOXQ BX, R12 - ADCXQ BX, BX - MOVQ $0x00, AX - ADOXQ AX, BX - - // | clear flags - XORQ AX, AX - - // | - -/* i1 */ - - // | - // | W - // | 0 - | 1 SI | 2 R8 | 3 R9 | 4 R10 | 5 R11 - // | 6 R12 | 7 R13 | 8 R14 | 9 R15 | 10 CX | 11 (SP) - - - // | | u1 = w1 * inp - MOVQ SI, DX - MULXQ ·inp+0(SB), DX, DI - - // | - -/* */ - - // | j0 - - // | w1 @ SI - MULXQ ·modulus+0(SB), AX, DI - ADOXQ AX, SI - ADCXQ DI, R8 - - // | j1 - - // | w2 @ R8 - MULXQ ·modulus+8(SB), AX, DI - ADOXQ AX, R8 - ADCXQ DI, R9 - - // | j2 - - // | w3 @ R9 - MULXQ ·modulus+16(SB), AX, DI - ADOXQ AX, R9 - ADCXQ DI, R10 - - // | j3 - - // | w4 @ R10 - MULXQ ·modulus+24(SB), AX, DI - ADOXQ AX, R10 - ADCXQ DI, R11 - - // | j4 - - // | w5 @ R11 - MULXQ ·modulus+32(SB), AX, DI - ADOXQ AX, R11 - ADCXQ DI, R12 - - // | j5 - - // | w6 @ R12 - MULXQ ·modulus+40(SB), AX, DI - ADOXQ AX, R12 - ADCXQ DI, R13 - ADOXQ BX, R13 - ADCXQ SI, SI - MOVQ $0x00, AX - ADOXQ AX, SI - - // | clear flags - XORQ AX, AX - - // | - -/* i2 */ - - // | - // | W - // | 0 - | 1 - | 2 R8 | 3 R9 | 4 R10 | 5 R11 - // | 6 R12 | 7 R13 | 8 R14 | 9 R15 | 10 CX | 11 (SP) - - - // | | u2 = w2 * inp - 
MOVQ R8, DX - MULXQ ·inp+0(SB), DX, DI - - // | - -/* */ - - // | j0 - - // | w2 @ R8 - MULXQ ·modulus+0(SB), AX, DI - ADOXQ AX, R8 - ADCXQ DI, R9 - - // | j1 - - // | w3 @ R9 - MULXQ ·modulus+8(SB), AX, DI - ADOXQ AX, R9 - ADCXQ DI, R10 - - // | j2 - - // | w4 @ R10 - MULXQ ·modulus+16(SB), AX, DI - ADOXQ AX, R10 - ADCXQ DI, R11 - - // | j3 - - // | w5 @ R11 - MULXQ ·modulus+24(SB), AX, DI - ADOXQ AX, R11 - ADCXQ DI, R12 - - // | j4 - - // | w6 @ R12 - MULXQ ·modulus+32(SB), AX, DI - ADOXQ AX, R12 - ADCXQ DI, R13 - - // | j5 - - // | w7 @ R13 - MULXQ ·modulus+40(SB), AX, DI - ADOXQ AX, R13 - ADCXQ DI, R14 - ADOXQ SI, R14 - ADCXQ R8, R8 - MOVQ $0x00, AX - ADOXQ AX, R8 - - // | clear flags - XORQ AX, AX - - // | - -/* i3 */ - - // | - // | W - // | 0 - | 1 - | 2 - | 3 R9 | 4 R10 | 5 R11 - // | 6 R12 | 7 R13 | 8 R14 | 9 R15 | 10 CX | 11 (SP) - - - // | | u3 = w3 * inp - MOVQ R9, DX - MULXQ ·inp+0(SB), DX, DI - - // | - -/* */ - - // | j0 - - // | w3 @ R9 - MULXQ ·modulus+0(SB), AX, DI - ADOXQ AX, R9 - ADCXQ DI, R10 - - // | j1 - - // | w4 @ R10 - MULXQ ·modulus+8(SB), AX, DI - ADOXQ AX, R10 - ADCXQ DI, R11 - - // | j2 - - // | w5 @ R11 - MULXQ ·modulus+16(SB), AX, DI - ADOXQ AX, R11 - ADCXQ DI, R12 - - // | j3 - - // | w6 @ R12 - MULXQ ·modulus+24(SB), AX, DI - ADOXQ AX, R12 - ADCXQ DI, R13 - - // | j4 - - // | w7 @ R13 - MULXQ ·modulus+32(SB), AX, DI - ADOXQ AX, R13 - ADCXQ DI, R14 - - // | j5 - - // | w8 @ R14 - MULXQ ·modulus+40(SB), AX, DI - ADOXQ AX, R14 - ADCXQ DI, R15 - ADOXQ R8, R15 - ADCXQ R9, R9 - MOVQ $0x00, AX - ADOXQ AX, R9 - - // | clear flags - XORQ AX, AX - - // | - -/* i4 */ - - // | - // | W - // | 0 - | 1 - | 2 - | 3 - | 4 R10 | 5 R11 - // | 6 R12 | 7 R13 | 8 R14 | 9 R15 | 10 CX | 11 (SP) - - - // | | u4 = w4 * inp - MOVQ R10, DX - MULXQ ·inp+0(SB), DX, DI - - // | - -/* */ - - // | j0 - - // | w4 @ R10 - MULXQ ·modulus+0(SB), AX, DI - ADOXQ AX, R10 - ADCXQ DI, R11 - - // | j1 - - // | w5 @ R11 - MULXQ ·modulus+8(SB), AX, DI - ADOXQ AX, R11 - ADCXQ 
DI, R12 - - // | j2 - - // | w6 @ R12 - MULXQ ·modulus+16(SB), AX, DI - ADOXQ AX, R12 - ADCXQ DI, R13 - - // | j3 - - // | w7 @ R13 - MULXQ ·modulus+24(SB), AX, DI - ADOXQ AX, R13 - ADCXQ DI, R14 - - // | j4 - - // | w8 @ R14 - MULXQ ·modulus+32(SB), AX, DI - ADOXQ AX, R14 - ADCXQ DI, R15 - - // | j5 - - // | w9 @ R15 - MULXQ ·modulus+40(SB), AX, DI - ADOXQ AX, R15 - ADCXQ DI, CX - ADOXQ R9, CX - ADCXQ R10, R10 - MOVQ $0x00, AX - ADOXQ AX, R10 - - // | clear flags - XORQ AX, AX - - // | - -/* i5 */ - - // | - // | W - // | 0 - | 1 - | 2 - | 3 - | 4 - | 5 R11 - // | 6 R12 | 7 R13 | 8 R14 | 9 R15 | 10 CX | 11 (SP) - - - // | | u5 = w5 * inp - MOVQ R11, DX - MULXQ ·inp+0(SB), DX, DI - - // | - -/* */ - - // | j0 - - // | w5 @ R11 - MULXQ ·modulus+0(SB), AX, DI - ADOXQ AX, R11 - ADCXQ DI, R12 - - // | j1 - - // | w6 @ R12 - MULXQ ·modulus+8(SB), AX, DI - ADOXQ AX, R12 - ADCXQ DI, R13 - - // | j2 - - // | w7 @ R13 - MULXQ ·modulus+16(SB), AX, DI - ADOXQ AX, R13 - ADCXQ DI, R14 - - // | j3 - - // | w8 @ R14 - MULXQ ·modulus+24(SB), AX, DI - ADOXQ AX, R14 - ADCXQ DI, R15 - - // | j4 - - // | w9 @ R15 - MULXQ ·modulus+32(SB), AX, DI - ADOXQ AX, R15 - ADCXQ DI, CX - - // | j5 - - // | w10 @ CX - MULXQ ·modulus+40(SB), AX, DI - ADOXQ AX, CX - - // | w11 @ (SP) - // | move to an idle register - MOVQ (SP), BX - ADCXQ DI, BX - ADOXQ R10, BX - - // | - // | W montgomery reduction ends - // | 0 - | 1 - | 2 - | 3 - | 4 - | 5 - - // | 6 R12 | 7 R13 | 8 R14 | 9 R15 | 10 CX | 11 BX - - - // | - -/* modular reduction */ - - MOVQ R12, AX - SUBQ ·modulus+0(SB), AX - MOVQ R13, DI - SBBQ ·modulus+8(SB), DI - MOVQ R14, SI - SBBQ ·modulus+16(SB), SI - MOVQ R15, R8 - SBBQ ·modulus+24(SB), R8 - MOVQ CX, R9 - SBBQ ·modulus+32(SB), R9 - MOVQ BX, R10 - SBBQ ·modulus+40(SB), R10 - - // | - -/* out */ - - MOVQ c+0(FP), R11 - CMOVQCC AX, R12 - MOVQ R12, (R11) - CMOVQCC DI, R13 - MOVQ R13, 8(R11) - CMOVQCC SI, R14 - MOVQ R14, 16(R11) - CMOVQCC R8, R15 - MOVQ R15, 24(R11) - CMOVQCC R9, CX - MOVQ CX, 
32(R11) - CMOVQCC R10, BX - MOVQ BX, 40(R11) - RET - - // | - -/* end */ - - -// c = a * b -TEXT ·wmulADX(SB), NOSPLIT, $0-24 - // | - -/* inputs */ - - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - MOVQ c+0(FP), R8 - XORQ BX, BX - -/* i0 */ - - MOVQ (DI), DX - - // | a0 * b0 - MULXQ (SI), AX, CX - MOVQ AX, 0(R8) - - // | a0 * b1 - MULXQ 8(SI), AX, BP - ADCXQ AX, CX - - // | a0 * b2 - MULXQ 16(SI), AX, R9 - ADCXQ AX, BP - - // | a0 * b3 - MULXQ 24(SI), AX, R10 - ADCXQ AX, R9 - - // | a0 * b4 - MULXQ 32(SI), AX, R11 - ADCXQ AX, R10 - - // | a0 * b5 - MULXQ 40(SI), AX, R12 - ADCXQ AX, R11 - ADCXQ BX, R12 - -/* i1 */ - - MOVQ 8(DI), DX - - // | a1 * b0 - MULXQ (SI), AX, R13 - ADOXQ AX, CX - ADCXQ R13, BP - MOVQ CX, 8(R8) - - // | a1 * b1 - MULXQ 8(SI), AX, R13 - ADOXQ AX, BP - ADCXQ R13, R9 - - // | a1 * b2 - MULXQ 16(SI), AX, R13 - ADOXQ AX, R9 - ADCXQ R13, R10 - - // | a1 * b3 - MULXQ 24(SI), AX, R13 - ADOXQ AX, R10 - ADCXQ R13, R11 - - // | a1 * b4 - MULXQ 32(SI), AX, R13 - ADOXQ AX, R11 - ADCXQ R13, R12 - - // | a1 * b5 - MULXQ 40(SI), AX, R13 - ADOXQ AX, R12 - ADOXQ BX, R13 - ADCXQ BX, R13 - -/* i2 */ - - MOVQ 16(DI), DX - - // | a2 * b0 - MULXQ (SI), AX, R14 - ADOXQ AX, BP - ADCXQ R14, R9 - MOVQ BP, 16(R8) - - // | a2 * b1 - MULXQ 8(SI), AX, R14 - ADOXQ AX, R9 - ADCXQ R14, R10 - - // | a2 * b2 - MULXQ 16(SI), AX, R14 - ADOXQ AX, R10 - ADCXQ R14, R11 - - // | a2 * b3 - MULXQ 24(SI), AX, R14 - ADOXQ AX, R11 - ADCXQ R14, R12 - - // | a2 * b4 - MULXQ 32(SI), AX, R14 - ADOXQ AX, R12 - ADCXQ R14, R13 - - // | a2 * b5 - MULXQ 40(SI), AX, R14 - ADOXQ AX, R13 - ADOXQ BX, R14 - ADCXQ BX, R14 - -/* i3 */ - - MOVQ 24(DI), DX - - // | a3 * b0 - MULXQ (SI), AX, R15 - ADOXQ AX, R9 - ADCXQ R15, R10 - MOVQ R9, 24(R8) - - // | a3 * b1 - MULXQ 8(SI), AX, R15 - ADOXQ AX, R10 - ADCXQ R15, R11 - - // | a3 * b2 - MULXQ 16(SI), AX, R15 - ADOXQ AX, R11 - ADCXQ R15, R12 - - // | a3 * b3 - MULXQ 24(SI), AX, R15 - ADOXQ AX, R12 - ADCXQ R15, R13 - - // | a3 * b4 - MULXQ 32(SI), AX, R15 - ADOXQ AX, 
R13 - ADCXQ R15, R14 - - // | a3 * b5 - MULXQ 40(SI), AX, R15 - ADOXQ AX, R14 - ADOXQ BX, R15 - ADCXQ BX, R15 - -/* i4 */ - - MOVQ 32(DI), DX - - // | a4 * b0 - MULXQ (SI), AX, CX - ADOXQ AX, R10 - ADCXQ CX, R11 - MOVQ R10, 32(R8) - - // | a4 * b1 - MULXQ 8(SI), AX, CX - ADOXQ AX, R11 - ADCXQ CX, R12 - - // | a4 * b2 - MULXQ 16(SI), AX, CX - ADOXQ AX, R12 - ADCXQ CX, R13 - - // | a4 * b3 - MULXQ 24(SI), AX, CX - ADOXQ AX, R13 - ADCXQ CX, R14 - - // | a4 * b4 - MULXQ 32(SI), AX, CX - ADOXQ AX, R14 - ADCXQ CX, R15 - - // | a4 * b5 - MULXQ 40(SI), AX, CX - ADOXQ AX, R15 - ADOXQ BX, CX - ADCXQ BX, CX - - -/* i5 */ - - MOVQ 40(DI), DX - - // | a5 * b0 - MULXQ (SI), AX, DI - ADOXQ AX, R11 - ADCXQ DI, R12 - MOVQ R11, 40(R8) - - // | a5 * b1 - MULXQ 8(SI), AX, DI - ADOXQ AX, R12 - ADCXQ DI, R13 - - // | a5 * b2 - MULXQ 16(SI), AX, DI - ADOXQ AX, R13 - ADCXQ DI, R14 - - // | a5 * b3 - MULXQ 24(SI), AX, DI - ADOXQ AX, R14 - ADCXQ DI, R15 - - // | a5 * b4 - MULXQ 32(SI), AX, DI - ADOXQ AX, R15 - ADCXQ DI, CX - - // | a5 * b5 - MULXQ 40(SI), AX, DI - ADOXQ AX, CX - ADOXQ BX, DI - ADCXQ BX, DI - - - MOVQ R12, 48(R8) - MOVQ R13, 56(R8) - MOVQ R14, 64(R8) - MOVQ R15, 72(R8) - MOVQ CX, 80(R8) - MOVQ DI, 88(R8) - RET - - -TEXT ·wmulNoADX(SB), NOSPLIT, $0-24 - - MOVQ c+0(FP), BP - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - MOVQ $0x00, R9 - MOVQ $0x00, R10 - MOVQ $0x00, R11 - MOVQ $0x00, R12 - MOVQ $0x00, R13 - MOVQ $0x00, R14 - MOVQ $0x00, R15 - - // | - -/* i0 */ - - MOVQ (DI), CX - - // | a0 * b0 - MOVQ (SI), AX - MULQ CX - MOVQ AX, 0(BP) - MOVQ DX, R8 - - // | a0 * b1 - MOVQ 8(SI), AX - MULQ CX - ADDQ AX, R8 - ADCQ DX, R9 - - // | a0 * b2 - MOVQ 16(SI), AX - MULQ CX - ADDQ AX, R9 - ADCQ DX, R10 - - // | a0 * b3 - MOVQ 24(SI), AX - MULQ CX - ADDQ AX, R10 - ADCQ DX, R11 - - // | a0 * b4 - MOVQ 32(SI), AX - MULQ CX - ADDQ AX, R11 - ADCQ DX, R12 - - // | a0 * b5 - MOVQ 40(SI), AX - MULQ CX - ADDQ AX, R12 - ADCQ DX, R13 - -/* i1 */ - - MOVQ 8(DI), CX - MOVQ $0x00, BX - - // | a1 * b0 - 
MOVQ (SI), AX - MULQ CX - ADDQ AX, R8 - ADCQ DX, R9 - ADCQ $0x00, R10 - ADCQ $0x00, BX - MOVQ R8, 8(BP) - MOVQ $0x00, R8 - - // | a1 * b1 - MOVQ 8(SI), AX - MULQ CX - ADDQ AX, R9 - ADCQ DX, R10 - ADCQ BX, R11 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a1 * b2 - MOVQ 16(SI), AX - MULQ CX - ADDQ AX, R10 - ADCQ DX, R11 - ADCQ BX, R12 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a1 * b3 - MOVQ 24(SI), AX - MULQ CX - ADDQ AX, R11 - ADCQ DX, R12 - ADCQ BX, R13 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a1 * b4 - MOVQ 32(SI), AX - MULQ CX - ADDQ AX, R12 - ADCQ DX, R13 - ADCQ BX, R14 - - // | a1 * b5 - MOVQ 40(SI), AX - MULQ CX - ADDQ AX, R13 - ADCQ DX, R14 - -/* i2 */ - - MOVQ 16(DI), CX - MOVQ $0x00, BX - - // | a2 * b0 - MOVQ (SI), AX - MULQ CX - ADDQ AX, R9 - ADCQ DX, R10 - ADCQ $0x00, R11 - ADCQ $0x00, BX - MOVQ R9, 16(BP) - MOVQ $0x00, R9 - - // | a2 * b1 - MOVQ 8(SI), AX - MULQ CX - ADDQ AX, R10 - ADCQ DX, R11 - ADCQ BX, R12 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a2 * b2 - MOVQ 16(SI), AX - MULQ CX - ADDQ AX, R11 - ADCQ DX, R12 - ADCQ BX, R13 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a2 * b3 - MOVQ 24(SI), AX - MULQ CX - ADDQ AX, R12 - ADCQ DX, R13 - ADCQ BX, R14 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a2 * b4 - MOVQ 32(SI), AX - MULQ CX - ADDQ AX, R13 - ADCQ DX, R14 - ADCQ BX, R15 - - // | a2 * b5 - MOVQ 40(SI), AX - MULQ CX - ADDQ AX, R14 - ADCQ DX, R15 - -/* i3 */ - - MOVQ 24(DI), CX - MOVQ $0x00, BX - - // | a3 * b0 - MOVQ (SI), AX - MULQ CX - ADDQ AX, R10 - ADCQ DX, R11 - ADCQ $0x00, R12 - ADCQ $0x00, BX - MOVQ R10, 24(BP) - - // | a3 * b1 - MOVQ 8(SI), AX - MULQ CX - ADDQ AX, R11 - ADCQ DX, R12 - ADCQ BX, R13 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a3 * b2 - MOVQ 16(SI), AX - MULQ CX - ADDQ AX, R12 - ADCQ DX, R13 - ADCQ BX, R14 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a3 * b3 - MOVQ 24(SI), AX - MULQ CX - ADDQ AX, R13 - ADCQ DX, R14 - ADCQ BX, R15 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a3 * b4 - MOVQ 32(SI), AX - MULQ CX - ADDQ AX, R14 - ADCQ 
DX, R15 - ADCQ BX, R8 - - // | a3 * b5 - MOVQ 40(SI), AX - MULQ CX - ADDQ AX, R15 - ADCQ DX, R8 - -/* i4 */ - - MOVQ 32(DI), CX - MOVQ $0x00, BX - - // | a4 * b0 - MOVQ (SI), AX - MULQ CX - ADDQ AX, R11 - ADCQ DX, R12 - ADCQ $0x00, R13 - ADCQ $0x00, BX - MOVQ R11, 32(BP) - - // | a4 * b1 - MOVQ 8(SI), AX - MULQ CX - ADDQ AX, R12 - ADCQ DX, R13 - ADCQ BX, R14 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a4 * b2 - MOVQ 16(SI), AX - MULQ CX - ADDQ AX, R13 - ADCQ DX, R14 - ADCQ BX, R15 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a4 * b3 - MOVQ 24(SI), AX - MULQ CX - ADDQ AX, R14 - ADCQ DX, R15 - ADCQ BX, R8 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a4 * b4 - MOVQ 32(SI), AX - MULQ CX - ADDQ AX, R15 - ADCQ DX, R8 - ADCQ BX, R9 - - // | a4 * b5 - MOVQ 40(SI), AX - MULQ CX - ADDQ AX, R8 - ADCQ DX, R9 - -/* i5 */ - - MOVQ 40(DI), CX - MOVQ $0x00, BX - - // | a5 * b0 - MOVQ (SI), AX - MULQ CX - ADDQ AX, R12 - ADCQ DX, R13 - ADCQ $0x00, R14 - ADCQ $0x00, BX - MOVQ R12, 40(BP) - - // | a5 * b1 - MOVQ 8(SI), AX - MULQ CX - ADDQ AX, R13 - ADCQ DX, R14 - ADCQ BX, R15 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a5 * b2 - MOVQ 16(SI), AX - MULQ CX - ADDQ AX, R14 - ADCQ DX, R15 - ADCQ BX, R8 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a5 * b3 - MOVQ 24(SI), AX - MULQ CX - ADDQ AX, R15 - ADCQ DX, R8 - ADCQ BX, R9 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a5 * b4 - MOVQ 32(SI), AX - MULQ CX - ADDQ AX, R8 - ADCQ DX, R9 - ADCQ $0x00, BX - - // | a5 * b5 - MOVQ 40(SI), AX - MULQ CX - ADDQ AX, R9 - ADCQ DX, BX - - MOVQ R13, 48(BP) - MOVQ R14, 56(BP) - MOVQ R15, 64(BP) - MOVQ R8, 72(BP) - MOVQ R9, 80(BP) - MOVQ BX, 88(BP) - - RET - - -TEXT ·lwadd(SB), NOSPLIT, $0-24 - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), DX - - ADDQ (SI), R8 - ADCQ 8(SI), R9 - ADCQ 16(SI), R10 - ADCQ 24(SI), 
R11 - ADCQ 32(SI), R12 - ADCQ 40(SI), R13 - ADCQ 48(SI), R14 - ADCQ 56(SI), R15 - ADCQ 64(SI), AX - ADCQ 72(SI), BX - ADCQ 80(SI), CX - ADCQ 88(SI), DX - - MOVQ c+0(FP), SI - MOVQ R8, (SI) - MOVQ R9, 8(SI) - MOVQ R10, 16(SI) - MOVQ R11, 24(SI) - MOVQ R12, 32(SI) - MOVQ R13, 40(SI) - MOVQ R14, 48(SI) - MOVQ R15, 56(SI) - MOVQ AX, 64(SI) - MOVQ BX, 72(SI) - MOVQ CX, 80(SI) - MOVQ DX, 88(SI) - RET - - -TEXT ·lwaddAssign(SB), NOSPLIT, $0-16 - MOVQ a+0(FP), DI - MOVQ b+8(FP), SI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), DX - - ADDQ (SI), R8 - ADCQ 8(SI), R9 - ADCQ 16(SI), R10 - ADCQ 24(SI), R11 - ADCQ 32(SI), R12 - ADCQ 40(SI), R13 - ADCQ 48(SI), R14 - ADCQ 56(SI), R15 - ADCQ 64(SI), AX - ADCQ 72(SI), BX - ADCQ 80(SI), CX - ADCQ 88(SI), DX - - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - MOVQ R14, 48(DI) - MOVQ R15, 56(DI) - MOVQ AX, 64(DI) - MOVQ BX, 72(DI) - MOVQ CX, 80(DI) - MOVQ DX, 88(DI) - RET - - -// double-precision addition w/ upper bound check - // if c > (2^N)p , - // then correct by c = c - (2^N)p - // c = a + b - TEXT ·wadd(SB), NOSPLIT, $0-24 - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), DX - - ADDQ (SI), R8 - ADCQ 8(SI), R9 - ADCQ 16(SI), R10 - ADCQ 24(SI), R11 - ADCQ 32(SI), R12 - ADCQ 40(SI), R13 - ADCQ 48(SI), R14 - ADCQ 56(SI), R15 - ADCQ 64(SI), AX - ADCQ 72(SI), BX - ADCQ 80(SI), CX - ADCQ 88(SI), DX - - MOVQ c+0(FP), DI - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - - - MOVQ R14, R8 - MOVQ R15, R9 - MOVQ AX, R10 - MOVQ BX, R11 - MOVQ CX, R12 - 
MOVQ DX, R13 - MOVQ $0xb9feffffffffaaab, SI - SUBQ SI, R8 - MOVQ $0x1eabfffeb153ffff, SI - SBBQ SI, R9 - MOVQ $0x6730d2a0f6b0f624, SI - SBBQ SI, R10 - MOVQ $0x64774b84f38512bf, SI - SBBQ SI, R11 - MOVQ $0x4b1ba7b6434bacd7, SI - SBBQ SI, R12 - MOVQ $0x1a0111ea397fe69a, SI - SBBQ SI, R13 - CMOVQCC R8, R14 - CMOVQCC R9, R15 - CMOVQCC R10, AX - CMOVQCC R11, BX - CMOVQCC R12, CX - CMOVQCC R13, DX - - MOVQ R14, 48(DI) - MOVQ R15, 56(DI) - MOVQ AX, 64(DI) - MOVQ BX, 72(DI) - MOVQ CX, 80(DI) - MOVQ DX, 88(DI) - RET - - -TEXT ·lwsub(SB), NOSPLIT, $0-24 - - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), DX - - SUBQ (SI), R8 - SBBQ 8(SI), R9 - SBBQ 16(SI), R10 - SBBQ 24(SI), R11 - SBBQ 32(SI), R12 - SBBQ 40(SI), R13 - SBBQ 48(SI), R14 - SBBQ 56(SI), R15 - SBBQ 64(SI), AX - SBBQ 72(SI), BX - SBBQ 80(SI), CX - SBBQ 88(SI), DX - - MOVQ c+0(FP), DI - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - MOVQ R14, 48(DI) - MOVQ R15, 56(DI) - MOVQ AX, 64(DI) - MOVQ BX, 72(DI) - MOVQ CX, 80(DI) - MOVQ DX, 88(DI) - RET - - -TEXT ·lwsubAssign(SB), NOSPLIT, $0-16 - - MOVQ a+0(FP), DI - MOVQ b+8(FP), SI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), DX - - SUBQ (SI), R8 - SBBQ 8(SI), R9 - SBBQ 16(SI), R10 - SBBQ 24(SI), R11 - SBBQ 32(SI), R12 - SBBQ 40(SI), R13 - SBBQ 48(SI), R14 - SBBQ 56(SI), R15 - SBBQ 64(SI), AX - SBBQ 72(SI), BX - SBBQ 80(SI), CX - SBBQ 88(SI), DX - - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - MOVQ R14, 48(DI) - MOVQ R15, 56(DI) - MOVQ AX, 64(DI) - MOVQ BX, 72(DI) - MOVQ CX, 
80(DI) - MOVQ DX, 88(DI) - RET - - -// double-precision subtraction. -// [AKLGL] Option2 -// https://eprint.iacr.org/2010/526 -// c = (a - b) -// if c is negative, -// then correct by c = c + (2^N)p -TEXT ·wsub(SB), NOSPLIT, $0-24 - - // | - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), DX - - SUBQ (SI), R8 - SBBQ 8(SI), R9 - SBBQ 16(SI), R10 - SBBQ 24(SI), R11 - SBBQ 32(SI), R12 - SBBQ 40(SI), R13 - SBBQ 48(SI), R14 - SBBQ 56(SI), R15 - SBBQ 64(SI), AX - SBBQ 72(SI), BX - SBBQ 80(SI), CX - SBBQ 88(SI), DX - - MOVQ c+0(FP), DI - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - - MOVQ $0, SI - MOVQ $0xb9feffffffffaaab, R8 - MOVQ $0x1eabfffeb153ffff, R9 - MOVQ $0x6730d2a0f6b0f624, R10 - MOVQ $0x64774b84f38512bf, R11 - MOVQ $0x4b1ba7b6434bacd7, R12 - MOVQ $0x1a0111ea397fe69a, R13 - CMOVQCC SI, R8 - CMOVQCC SI, R9 - CMOVQCC SI, R10 - CMOVQCC SI, R11 - CMOVQCC SI, R12 - CMOVQCC SI, R13 - ADDQ R8, R14 - ADCQ R9, R15 - ADCQ R10, AX - ADCQ R11, BX - ADCQ R12, CX - ADCQ R13, DX - - MOVQ R14, 48(DI) - MOVQ R15, 56(DI) - MOVQ AX, 64(DI) - MOVQ BX, 72(DI) - MOVQ CX, 80(DI) - MOVQ DX, 88(DI) - RET - - - // double-precision doubling w/ upper bound check - // if c > (2^N)p , - // then correct by c = c - (2^N)p - // c = 2 * a - TEXT ·wdouble(SB), NOSPLIT, $0-16 - // | - MOVQ a+8(FP), DI - - // | - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), DX - - // | - ADDQ R8, R8 - ADCQ R9, R9 - ADCQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - ADCQ R14, R14 - ADCQ R15, R15 - ADCQ AX, AX - ADCQ BX, BX - ADCQ CX, CX - ADCQ DX, DX - - // | - MOVQ 
c+0(FP), SI - MOVQ R8, (SI) - MOVQ R9, 8(SI) - MOVQ R10, 16(SI) - MOVQ R11, 24(SI) - MOVQ R12, 32(SI) - MOVQ R13, 40(SI) - - // | - MOVQ R14, R8 - MOVQ R15, R9 - MOVQ AX, R10 - MOVQ BX, R11 - MOVQ CX, R12 - MOVQ DX, R13 - MOVQ $0xb9feffffffffaaab, DI - SUBQ DI, R8 - MOVQ $0x1eabfffeb153ffff, DI - SBBQ DI, R9 - MOVQ $0x6730d2a0f6b0f624, DI - SBBQ DI, R10 - MOVQ $0x64774b84f38512bf, DI - SBBQ DI, R11 - MOVQ $0x4b1ba7b6434bacd7, DI - SBBQ DI, R12 - MOVQ $0x1a0111ea397fe69a, DI - SBBQ DI, R13 - CMOVQCC R8, R14 - CMOVQCC R9, R15 - CMOVQCC R10, AX - CMOVQCC R11, BX - CMOVQCC R12, CX - CMOVQCC R13, DX - - // | - MOVQ R14, 48(SI) - MOVQ R15, 56(SI) - MOVQ AX, 64(SI) - MOVQ BX, 72(SI) - MOVQ CX, 80(SI) - MOVQ DX, 88(SI) - RET - - - TEXT ·lwdouble(SB), NOSPLIT, $0-16 - // | - MOVQ a+8(FP), DI - - // | - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - MOVQ 64(DI), AX - MOVQ 72(DI), BX - MOVQ 80(DI), CX - MOVQ 88(DI), DX - - // | - ADDQ R8, R8 - ADCQ R9, R9 - ADCQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - ADCQ R14, R14 - ADCQ R15, R15 - ADCQ AX, AX - ADCQ BX, BX - ADCQ CX, CX - ADCQ DX, DX - - // | - MOVQ c+0(FP), SI - MOVQ R8, (SI) - MOVQ R9, 8(SI) - MOVQ R10, 16(SI) - MOVQ R11, 24(SI) - MOVQ R12, 32(SI) - MOVQ R13, 40(SI) - MOVQ R14, 48(SI) - MOVQ R15, 56(SI) - MOVQ AX, 64(SI) - MOVQ BX, 72(SI) - MOVQ CX, 80(SI) - MOVQ DX, 88(SI) - RET - - -TEXT ·montRedADX(SB), NOSPLIT, $0-16 - - MOVQ w+8(FP), DI - MOVQ 0(DI), BX - MOVQ 8(DI), SI - MOVQ 16(DI), R8 - MOVQ 24(DI), R9 - MOVQ 32(DI), R10 - MOVQ 40(DI), R11 - MOVQ 48(DI), R12 - MOVQ 56(DI), R13 - MOVQ 64(DI), R14 - - XORQ CX, CX - - MOVQ BX, DX - MULXQ ·inp+0(SB), DX, R15 - - // | j0 - MULXQ ·modulus+0(SB), AX, R15 - ADOXQ AX, BX - ADCXQ R15, SI - - // | j1 - MULXQ ·modulus+8(SB), AX, R15 - ADOXQ AX, SI - ADCXQ R15, R8 - - // | j2 - MULXQ ·modulus+16(SB), AX, R15 - ADOXQ AX, R8 - ADCXQ R15, R9 - - // | j3 - MULXQ 
·modulus+24(SB), AX, R15 - ADOXQ AX, R9 - ADCXQ R15, R10 - - // | j4 - MULXQ ·modulus+32(SB), AX, R15 - ADOXQ AX, R10 - ADCXQ R15, R11 - - // | j5 - MULXQ ·modulus+40(SB), AX, R15 - ADOXQ AX, R11 - ADCXQ R15, R12 - ADOXQ CX, R12 - ADCXQ CX, BX - ADOXQ CX, BX - -/* i1 */ - - MOVQ SI, DX - MULXQ ·inp+0(SB), DX, R15 - - // | j0 - MULXQ ·modulus+0(SB), AX, R15 - ADOXQ AX, SI - ADCXQ R15, R8 - - // | j1 - MULXQ ·modulus+8(SB), AX, R15 - ADOXQ AX, R8 - ADCXQ R15, R9 - - // | j2 - MULXQ ·modulus+16(SB), AX, R15 - ADOXQ AX, R9 - ADCXQ R15, R10 - - // | j3 - MULXQ ·modulus+24(SB), AX, R15 - ADOXQ AX, R10 - ADCXQ R15, R11 - - // | j4 - MULXQ ·modulus+32(SB), AX, R15 - ADOXQ AX, R11 - ADCXQ R15, R12 - - // | j5 - MULXQ ·modulus+40(SB), AX, R15 - ADOXQ AX, R12 - ADCXQ R15, R13 - ADOXQ BX, R13 - ADCXQ CX, SI - ADOXQ CX, SI - - MOVQ 72(DI), BX - -/* i2 */ - - MOVQ R8, DX - MULXQ ·inp+0(SB), DX, R15 - - - // | j0 - MULXQ ·modulus+0(SB), AX, R15 - ADOXQ AX, R8 - ADCXQ R15, R9 - - // | j1 - MULXQ ·modulus+8(SB), AX, R15 - ADOXQ AX, R9 - ADCXQ R15, R10 - - // | j2 - MULXQ ·modulus+16(SB), AX, R15 - ADOXQ AX, R10 - ADCXQ R15, R11 - - // | j3 - MULXQ ·modulus+24(SB), AX, R15 - ADOXQ AX, R11 - ADCXQ R15, R12 - - // | j4 - MULXQ ·modulus+32(SB), AX, R15 - ADOXQ AX, R12 - ADCXQ R15, R13 - - // | j5 - MULXQ ·modulus+40(SB), AX, R15 - ADOXQ AX, R13 - ADCXQ R15, R14 - ADOXQ SI, R14 - ADCXQ CX, R8 - ADOXQ CX, R8 - - MOVQ 80(DI), SI - -/* i3 */ - - MOVQ R9, DX - MULXQ ·inp+0(SB), DX, R15 - - // | j0 - MULXQ ·modulus+0(SB), AX, R15 - ADOXQ AX, R9 - ADCXQ R15, R10 - - // | j1 - MULXQ ·modulus+8(SB), AX, R15 - ADOXQ AX, R10 - ADCXQ R15, R11 - - // | j2 - MULXQ ·modulus+16(SB), AX, R15 - ADOXQ AX, R11 - ADCXQ R15, R12 - - // | j3 - MULXQ ·modulus+24(SB), AX, R15 - ADOXQ AX, R12 - ADCXQ R15, R13 - - // | j4 - MULXQ ·modulus+32(SB), AX, R15 - ADOXQ AX, R13 - ADCXQ R15, R14 - - // | j5 - MULXQ ·modulus+40(SB), AX, R15 - ADOXQ AX, R14 - ADCXQ R15, BX - ADOXQ R8, BX - ADCXQ CX, R9 - ADOXQ CX, R9 - - 
MOVQ 88(DI), R8 - - -/* i4 */ - - MOVQ R10, DX - MULXQ ·inp+0(SB), DX, R15 - - // | j0 - MULXQ ·modulus+0(SB), AX, R15 - ADOXQ AX, R10 - ADCXQ R15, R11 - - // | j1 - MULXQ ·modulus+8(SB), AX, R15 - ADOXQ AX, R11 - ADCXQ R15, R12 - - // | j2 - MULXQ ·modulus+16(SB), AX, R15 - ADOXQ AX, R12 - ADCXQ R15, R13 - - // | j3 - MULXQ ·modulus+24(SB), AX, R15 - ADOXQ AX, R13 - ADCXQ R15, R14 - - // | j4 - MULXQ ·modulus+32(SB), AX, R15 - ADOXQ AX, R14 - ADCXQ R15, BX - - // | j5 - MULXQ ·modulus+40(SB), AX, R15 - ADOXQ AX, BX - ADCXQ R15, SI - ADOXQ R9, SI - ADCXQ CX, R10 - ADOXQ CX, R10 - - // | - -/* i5 */ - - MOVQ R11, DX - MULXQ ·inp+0(SB), DX, R15 - - // | j0 - MULXQ ·modulus+0(SB), AX, R15 - ADOXQ AX, R11 - ADCXQ R15, R12 - - // | j1 - MULXQ ·modulus+8(SB), AX, R15 - ADOXQ AX, R12 - ADCXQ R15, R13 - - // | j2 - MULXQ ·modulus+16(SB), AX, R15 - ADOXQ AX, R13 - ADCXQ R15, R14 - - // | j3 - MULXQ ·modulus+24(SB), AX, R15 - ADOXQ AX, R14 - ADCXQ R15, BX - - // | j4 - MULXQ ·modulus+32(SB), AX, R15 - ADOXQ AX, BX - ADCXQ R15, SI - - // | j5 - MULXQ ·modulus+40(SB), AX, R15 - ADOXQ AX, SI - ADCXQ R15, R8 - ADOXQ R10, R8 - -/* modular reduction */ - - MOVQ R12, AX - MOVQ R13, DI - MOVQ R14, CX - MOVQ BX, DX - MOVQ SI, R9 - MOVQ R8, R10 - - SUBQ ·modulus+0(SB), AX - SBBQ ·modulus+8(SB), DI - SBBQ ·modulus+16(SB), CX - SBBQ ·modulus+24(SB), DX - SBBQ ·modulus+32(SB), R9 - SBBQ ·modulus+40(SB), R10 - - CMOVQCC AX, R12 - CMOVQCC DI, R13 - CMOVQCC CX, R14 - CMOVQCC DX, BX - CMOVQCC R9, SI - CMOVQCC R10, R8 - - MOVQ a+0(FP), R11 - MOVQ R12, (R11) - MOVQ R13, 8(R11) - MOVQ R14, 16(R11) - MOVQ BX, 24(R11) - MOVQ SI, 32(R11) - MOVQ R8, 40(R11) - RET - -/* end */ - - -TEXT ·montRedNoADX(SB), NOSPLIT, $0-16 - - MOVQ w+8(FP), BP - MOVQ 0(BP), CX - MOVQ 8(BP), DI - MOVQ 16(BP), SI - MOVQ 24(BP), R10 - MOVQ 32(BP), R11 - MOVQ 40(BP), R12 - MOVQ 48(BP), R13 - MOVQ 56(BP), R14 - MOVQ 64(BP), R15 - MOVQ 72(BP), R8 - -/* i0 */ - - MOVQ CX, AX - MULQ ·inp+0(SB) - MOVQ AX, R9 - MOVQ $0x00, BX - 
- // | j0 - MOVQ ·modulus+0(SB), AX - MULQ R9 - ADDQ AX, CX - ADCQ DX, BX - - // | j1 - MOVQ ·modulus+8(SB), AX - MULQ R9 - ADDQ AX, DI - ADCQ $0x00, DX - ADDQ BX, DI - MOVQ $0x00, BX - ADCQ DX, BX - - // | j2 - MOVQ ·modulus+16(SB), AX - MULQ R9 - ADDQ AX, SI - ADCQ $0x00, DX - ADDQ BX, SI - MOVQ $0x00, BX - ADCQ DX, BX - - // | j3 - MOVQ ·modulus+24(SB), AX - MULQ R9 - ADDQ AX, R10 - ADCQ $0x00, DX - ADDQ BX, R10 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j4 - MOVQ ·modulus+32(SB), AX - MULQ R9 - ADDQ AX, R11 - ADCQ $0x00, DX - ADDQ BX, R11 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j5 - MOVQ ·modulus+40(SB), AX - MULQ R9 - ADDQ AX, R12 - ADCQ $0x00, DX - ADDQ BX, R12 - - ADCQ DX, R13 - ADCQ $0x00, CX - - -/* i1 */ - - MOVQ DI, AX - MULQ ·inp+0(SB) - MOVQ AX, R9 - MOVQ $0x00, BX - - - // | j0 - MOVQ ·modulus+0(SB), AX - MULQ R9 - ADDQ AX, DI - ADCQ DX, BX - - // | j1 - MOVQ ·modulus+8(SB), AX - MULQ R9 - ADDQ AX, SI - ADCQ $0x00, DX - ADDQ BX, SI - MOVQ $0x00, BX - ADCQ DX, BX - - // | j2 - MOVQ ·modulus+16(SB), AX - MULQ R9 - ADDQ AX, R10 - ADCQ $0x00, DX - ADDQ BX, R10 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j3 - MOVQ ·modulus+24(SB), AX - MULQ R9 - ADDQ AX, R11 - ADCQ $0x00, DX - ADDQ BX, R11 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j4 - MOVQ ·modulus+32(SB), AX - MULQ R9 - ADDQ AX, R12 - ADCQ $0x00, DX - ADDQ BX, R12 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j5 - MOVQ ·modulus+40(SB), AX - MULQ R9 - ADDQ AX, R13 - ADCQ DX, CX - ADDQ BX, R13 - - ADCQ CX, R14 - MOVQ $0x00, CX - ADCQ $0x00, CX - - -/* i2 */ - - MOVQ SI, AX - MULQ ·inp+0(SB) - MOVQ AX, R9 - MOVQ $0x00, BX - -/* */ - - // | j0 - MOVQ ·modulus+0(SB), AX - MULQ R9 - ADDQ AX, SI - ADCQ DX, BX - - // | j1 - MOVQ ·modulus+8(SB), AX - MULQ R9 - ADDQ AX, R10 - ADCQ $0x00, DX - ADDQ BX, R10 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j2 - MOVQ ·modulus+16(SB), AX - MULQ R9 - ADDQ AX, R11 - ADCQ $0x00, DX - ADDQ BX, R11 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j3 - MOVQ ·modulus+24(SB), AX - MULQ R9 - ADDQ AX, R12 - 
ADCQ $0x00, DX - ADDQ BX, R12 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j4 - MOVQ ·modulus+32(SB), AX - MULQ R9 - ADDQ AX, R13 - ADCQ $0x00, DX - ADDQ BX, R13 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j5 - MOVQ ·modulus+40(SB), AX - MULQ R9 - ADDQ AX, R14 - ADCQ DX, CX - ADDQ BX, R14 - - ADCQ CX, R15 - MOVQ $0x00, CX - ADCQ $0x00, CX - -/* i3 */ - - MOVQ R10, AX - MULQ ·inp+0(SB) - MOVQ AX, R9 - MOVQ $0x00, BX - - // | j0 - MOVQ ·modulus+0(SB), AX - MULQ R9 - ADDQ AX, R10 - ADCQ DX, BX - - // | j1 - MOVQ ·modulus+8(SB), AX - MULQ R9 - ADDQ AX, R11 - ADCQ $0x00, DX - ADDQ BX, R11 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j2 - MOVQ ·modulus+16(SB), AX - MULQ R9 - ADDQ AX, R12 - ADCQ $0x00, DX - ADDQ BX, R12 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j3 - MOVQ ·modulus+24(SB), AX - MULQ R9 - ADDQ AX, R13 - ADCQ $0x00, DX - ADDQ BX, R13 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j4 - MOVQ ·modulus+32(SB), AX - MULQ R9 - ADDQ AX, R14 - ADCQ $0x00, DX - ADDQ BX, R14 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j5 - MOVQ ·modulus+40(SB), AX - MULQ R9 - ADDQ AX, R15 - ADCQ DX, CX - ADDQ BX, R15 - - ADCQ CX, R8 - MOVQ $0x00, CX - ADCQ $0x00, CX - - // | - -/* i4 */ - - MOVQ R11, AX - MULQ ·inp+0(SB) - MOVQ AX, R9 - MOVQ $0x00, BX - - // | - -/* */ - - // | j0 - MOVQ ·modulus+0(SB), AX - MULQ R9 - ADDQ AX, R11 - ADCQ DX, BX - - // | j1 - MOVQ ·modulus+8(SB), AX - MULQ R9 - ADDQ AX, R12 - ADCQ $0x00, DX - ADDQ BX, R12 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j2 - MOVQ ·modulus+16(SB), AX - MULQ R9 - ADDQ AX, R13 - ADCQ $0x00, DX - ADDQ BX, R13 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j3 - MOVQ ·modulus+24(SB), AX - MULQ R9 - ADDQ AX, R14 - ADCQ $0x00, DX - ADDQ BX, R14 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j4 - MOVQ ·modulus+32(SB), AX - MULQ R9 - ADDQ AX, R15 - ADCQ $0x00, DX - ADDQ BX, R15 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j5 - MOVQ ·modulus+40(SB), AX - MULQ R9 - ADDQ AX, R8 - ADCQ DX, CX - ADDQ BX, R8 - - MOVQ 80(BP), DI - ADCQ CX, DI - MOVQ $0x00, CX - ADCQ $0x00, CX - -/* i5 */ - 
- // | | u5 = w5 * inp - MOVQ R12, AX - MULQ ·inp+0(SB) - MOVQ AX, R9 - MOVQ $0x00, BX - -/* */ - - // | j0 - MOVQ ·modulus+0(SB), AX - MULQ R9 - ADDQ AX, R12 - ADCQ DX, BX - - // | j1 - MOVQ ·modulus+8(SB), AX - MULQ R9 - ADDQ AX, R13 - ADCQ $0x00, DX - ADDQ BX, R13 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j2 - MOVQ ·modulus+16(SB), AX - MULQ R9 - ADDQ AX, R14 - ADCQ $0x00, DX - ADDQ BX, R14 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j3 - MOVQ ·modulus+24(SB), AX - MULQ R9 - ADDQ AX, R15 - ADCQ $0x00, DX - ADDQ BX, R15 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j4 - MOVQ ·modulus+32(SB), AX - MULQ R9 - ADDQ AX, R8 - ADCQ $0x00, DX - ADDQ BX, R8 - MOVQ $0x00, BX - ADCQ DX, BX - - // | j5 - MOVQ ·modulus+40(SB), AX - MULQ R9 - ADDQ AX, DI - ADCQ DX, CX - ADDQ BX, DI - - ADCQ 88(BP), CX - -/* modular reduction */ - - MOVQ R13, R10 - SUBQ ·modulus+0(SB), R10 - MOVQ R14, R11 - SBBQ ·modulus+8(SB), R11 - MOVQ R15, R12 - SBBQ ·modulus+16(SB), R12 - MOVQ R8, AX - SBBQ ·modulus+24(SB), AX - MOVQ DI, BX - SBBQ ·modulus+32(SB), BX - MOVQ CX, R9 - SBBQ ·modulus+40(SB), R9 - // | - -/* out */ - - MOVQ a+0(FP), SI - CMOVQCC R10, R13 - MOVQ R13, (SI) - CMOVQCC R11, R14 - MOVQ R14, 8(SI) - CMOVQCC R12, R15 - MOVQ R15, 16(SI) - CMOVQCC AX, R8 - MOVQ R8, 24(SI) - CMOVQCC BX, DI - MOVQ DI, 32(SI) - CMOVQCC R9, CX - MOVQ CX, 40(SI) - RET - - // | - -/* end */ \ No newline at end of file diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/fp_fallback.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/fp_fallback.go deleted file mode 100644 index 359544861..000000000 --- a/component/kmscrypto/internal/third_party/kilic/bls12-381/fp_fallback.go +++ /dev/null 
@@ -1,1371 +0,0 @@ -// +build !amd64 generic - -// Copyright 2020 ConsenSys Software Inc. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Code generated by goff (v0.3.5) DO NOT EDIT - -// /!\ WARNING /!\ -// this code has not been audited and is provided as-is. In particular, -// there is no security guarantees such as constant time implementation -// or side-channel attack resistance -// /!\ WARNING /!\ - -package bls12381 - -import "math/bits" - -func add(z, x, y *fe) { - var carry uint64 - - z[0], carry = bits.Add64(x[0], y[0], 0) - z[1], carry = bits.Add64(x[1], y[1], carry) - z[2], carry = bits.Add64(x[2], y[2], carry) - z[3], carry = bits.Add64(x[3], y[3], carry) - z[4], carry = bits.Add64(x[4], y[4], carry) - z[5], _ = bits.Add64(x[5], y[5], carry) - - // if z > q --> z -= q - // note: this is NOT constant time - if !(z[5] < 1873798617647539866 || (z[5] == 1873798617647539866 && (z[4] < 5412103778470702295 || (z[4] == 5412103778470702295 && (z[3] < 7239337960414712511 || (z[3] == 7239337960414712511 && (z[2] < 7435674573564081700 || (z[2] == 7435674573564081700 && (z[1] < 2210141511517208575 || (z[1] == 2210141511517208575 && (z[0] < 13402431016077863595))))))))))) { - var b uint64 - z[0], b = bits.Sub64(z[0], 13402431016077863595, 0) - z[1], b = bits.Sub64(z[1], 2210141511517208575, b) - z[2], b = bits.Sub64(z[2], 7435674573564081700, b) - z[3], b = bits.Sub64(z[3], 7239337960414712511, b) - z[4], b = bits.Sub64(z[4], 5412103778470702295, b) - 
z[5], _ = bits.Sub64(z[5], 1873798617647539866, b) - } -} - -func addAssign(z, y *fe) { - var carry uint64 - - z[0], carry = bits.Add64(z[0], y[0], 0) - z[1], carry = bits.Add64(z[1], y[1], carry) - z[2], carry = bits.Add64(z[2], y[2], carry) - z[3], carry = bits.Add64(z[3], y[3], carry) - z[4], carry = bits.Add64(z[4], y[4], carry) - z[5], _ = bits.Add64(z[5], y[5], carry) - - // if z > q --> z -= q - // note: this is NOT constant time - if !(z[5] < 1873798617647539866 || (z[5] == 1873798617647539866 && (z[4] < 5412103778470702295 || (z[4] == 5412103778470702295 && (z[3] < 7239337960414712511 || (z[3] == 7239337960414712511 && (z[2] < 7435674573564081700 || (z[2] == 7435674573564081700 && (z[1] < 2210141511517208575 || (z[1] == 2210141511517208575 && (z[0] < 13402431016077863595))))))))))) { - var b uint64 - z[0], b = bits.Sub64(z[0], 13402431016077863595, 0) - z[1], b = bits.Sub64(z[1], 2210141511517208575, b) - z[2], b = bits.Sub64(z[2], 7435674573564081700, b) - z[3], b = bits.Sub64(z[3], 7239337960414712511, b) - z[4], b = bits.Sub64(z[4], 5412103778470702295, b) - z[5], _ = bits.Sub64(z[5], 1873798617647539866, b) - } -} - -func ladd(z, x, y *fe) { - var carry uint64 - - z[0], carry = bits.Add64(x[0], y[0], 0) - z[1], carry = bits.Add64(x[1], y[1], carry) - z[2], carry = bits.Add64(x[2], y[2], carry) - z[3], carry = bits.Add64(x[3], y[3], carry) - z[4], carry = bits.Add64(x[4], y[4], carry) - z[5], _ = bits.Add64(x[5], y[5], carry) -} - -func laddAssign(z, y *fe) { - var carry uint64 - - z[0], carry = bits.Add64(z[0], y[0], 0) - z[1], carry = bits.Add64(z[1], y[1], carry) - z[2], carry = bits.Add64(z[2], y[2], carry) - z[3], carry = bits.Add64(z[3], y[3], carry) - z[4], carry = bits.Add64(z[4], y[4], carry) - z[5], _ = bits.Add64(z[5], y[5], carry) -} - -func double(z, x *fe) { - var carry uint64 - - z[0], carry = bits.Add64(x[0], x[0], 0) - z[1], carry = bits.Add64(x[1], x[1], carry) - z[2], carry = bits.Add64(x[2], x[2], carry) - z[3], carry = 
bits.Add64(x[3], x[3], carry) - z[4], carry = bits.Add64(x[4], x[4], carry) - z[5], _ = bits.Add64(x[5], x[5], carry) - - // if z > q --> z -= q - // note: this is NOT constant time - if !(z[5] < 1873798617647539866 || (z[5] == 1873798617647539866 && (z[4] < 5412103778470702295 || (z[4] == 5412103778470702295 && (z[3] < 7239337960414712511 || (z[3] == 7239337960414712511 && (z[2] < 7435674573564081700 || (z[2] == 7435674573564081700 && (z[1] < 2210141511517208575 || (z[1] == 2210141511517208575 && (z[0] < 13402431016077863595))))))))))) { - var b uint64 - z[0], b = bits.Sub64(z[0], 13402431016077863595, 0) - z[1], b = bits.Sub64(z[1], 2210141511517208575, b) - z[2], b = bits.Sub64(z[2], 7435674573564081700, b) - z[3], b = bits.Sub64(z[3], 7239337960414712511, b) - z[4], b = bits.Sub64(z[4], 5412103778470702295, b) - z[5], _ = bits.Sub64(z[5], 1873798617647539866, b) - } -} - -func doubleAssign(z *fe) { - var carry uint64 - - z[0], carry = bits.Add64(z[0], z[0], 0) - z[1], carry = bits.Add64(z[1], z[1], carry) - z[2], carry = bits.Add64(z[2], z[2], carry) - z[3], carry = bits.Add64(z[3], z[3], carry) - z[4], carry = bits.Add64(z[4], z[4], carry) - z[5], _ = bits.Add64(z[5], z[5], carry) - - // if z > q --> z -= q - // note: this is NOT constant time - if !(z[5] < 1873798617647539866 || (z[5] == 1873798617647539866 && (z[4] < 5412103778470702295 || (z[4] == 5412103778470702295 && (z[3] < 7239337960414712511 || (z[3] == 7239337960414712511 && (z[2] < 7435674573564081700 || (z[2] == 7435674573564081700 && (z[1] < 2210141511517208575 || (z[1] == 2210141511517208575 && (z[0] < 13402431016077863595))))))))))) { - var b uint64 - z[0], b = bits.Sub64(z[0], 13402431016077863595, 0) - z[1], b = bits.Sub64(z[1], 2210141511517208575, b) - z[2], b = bits.Sub64(z[2], 7435674573564081700, b) - z[3], b = bits.Sub64(z[3], 7239337960414712511, b) - z[4], b = bits.Sub64(z[4], 5412103778470702295, b) - z[5], _ = bits.Sub64(z[5], 1873798617647539866, b) - } -} - -func ldouble(z, x *fe) 
{ - var carry uint64 - - z[0], carry = bits.Add64(x[0], x[0], 0) - z[1], carry = bits.Add64(x[1], x[1], carry) - z[2], carry = bits.Add64(x[2], x[2], carry) - z[3], carry = bits.Add64(x[3], x[3], carry) - z[4], carry = bits.Add64(x[4], x[4], carry) - z[5], _ = bits.Add64(x[5], x[5], carry) -} - -func sub(z, x, y *fe) { - var b uint64 - z[0], b = bits.Sub64(x[0], y[0], 0) - z[1], b = bits.Sub64(x[1], y[1], b) - z[2], b = bits.Sub64(x[2], y[2], b) - z[3], b = bits.Sub64(x[3], y[3], b) - z[4], b = bits.Sub64(x[4], y[4], b) - z[5], b = bits.Sub64(x[5], y[5], b) - if b != 0 { - var c uint64 - z[0], c = bits.Add64(z[0], 13402431016077863595, 0) - z[1], c = bits.Add64(z[1], 2210141511517208575, c) - z[2], c = bits.Add64(z[2], 7435674573564081700, c) - z[3], c = bits.Add64(z[3], 7239337960414712511, c) - z[4], c = bits.Add64(z[4], 5412103778470702295, c) - z[5], _ = bits.Add64(z[5], 1873798617647539866, c) - } -} - -func subAssign(z, y *fe) { - var b uint64 - z[0], b = bits.Sub64(z[0], y[0], 0) - z[1], b = bits.Sub64(z[1], y[1], b) - z[2], b = bits.Sub64(z[2], y[2], b) - z[3], b = bits.Sub64(z[3], y[3], b) - z[4], b = bits.Sub64(z[4], y[4], b) - z[5], b = bits.Sub64(z[5], y[5], b) - if b != 0 { - var c uint64 - z[0], c = bits.Add64(z[0], 13402431016077863595, 0) - z[1], c = bits.Add64(z[1], 2210141511517208575, c) - z[2], c = bits.Add64(z[2], 7435674573564081700, c) - z[3], c = bits.Add64(z[3], 7239337960414712511, c) - z[4], c = bits.Add64(z[4], 5412103778470702295, c) - z[5], _ = bits.Add64(z[5], 1873798617647539866, c) - } -} - -func lsubAssign(z, y *fe) { - var b uint64 - z[0], b = bits.Sub64(z[0], y[0], 0) - z[1], b = bits.Sub64(z[1], y[1], b) - z[2], b = bits.Sub64(z[2], y[2], b) - z[3], b = bits.Sub64(z[3], y[3], b) - z[4], b = bits.Sub64(z[4], y[4], b) - z[5], b = bits.Sub64(z[5], y[5], b) -} - -func neg(z, x *fe) { - if x.isZero() { - z.zero() - return - } - var borrow uint64 - z[0], borrow = bits.Sub64(13402431016077863595, x[0], 0) - z[1], borrow = 
bits.Sub64(2210141511517208575, x[1], borrow) - z[2], borrow = bits.Sub64(7435674573564081700, x[2], borrow) - z[3], borrow = bits.Sub64(7239337960414712511, x[3], borrow) - z[4], borrow = bits.Sub64(5412103778470702295, x[4], borrow) - z[5], _ = bits.Sub64(1873798617647539866, x[5], borrow) -} - -func mul(z, x, y *fe) { - - var t [6]uint64 - var c [3]uint64 - { - // round 0 - v := x[0] - c[1], c[0] = bits.Mul64(v, y[0]) - m := c[0] * 9940570264628428797 - c[2] = madd0(m, 13402431016077863595, c[0]) - c[1], c[0] = madd1(v, y[1], c[1]) - c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0]) - c[1], c[0] = madd1(v, y[2], c[1]) - c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0]) - c[1], c[0] = madd1(v, y[3], c[1]) - c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0]) - c[1], c[0] = madd1(v, y[4], c[1]) - c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0]) - c[1], c[0] = madd1(v, y[5], c[1]) - t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1]) - } - { - // round 1 - v := x[1] - c[1], c[0] = madd1(v, y[0], t[0]) - m := c[0] * 9940570264628428797 - c[2] = madd0(m, 13402431016077863595, c[0]) - c[1], c[0] = madd2(v, y[1], c[1], t[1]) - c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0]) - c[1], c[0] = madd2(v, y[2], c[1], t[2]) - c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0]) - c[1], c[0] = madd2(v, y[3], c[1], t[3]) - c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0]) - c[1], c[0] = madd2(v, y[4], c[1], t[4]) - c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0]) - c[1], c[0] = madd2(v, y[5], c[1], t[5]) - t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1]) - } - { - // round 2 - v := x[2] - c[1], c[0] = madd1(v, y[0], t[0]) - m := c[0] * 9940570264628428797 - c[2] = madd0(m, 13402431016077863595, c[0]) - c[1], c[0] = madd2(v, y[1], c[1], t[1]) - c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0]) - c[1], c[0] = madd2(v, y[2], c[1], t[2]) - c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0]) - c[1], c[0] = madd2(v, 
y[3], c[1], t[3]) - c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0]) - c[1], c[0] = madd2(v, y[4], c[1], t[4]) - c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0]) - c[1], c[0] = madd2(v, y[5], c[1], t[5]) - t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1]) - } - { - // round 3 - v := x[3] - c[1], c[0] = madd1(v, y[0], t[0]) - m := c[0] * 9940570264628428797 - c[2] = madd0(m, 13402431016077863595, c[0]) - c[1], c[0] = madd2(v, y[1], c[1], t[1]) - c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0]) - c[1], c[0] = madd2(v, y[2], c[1], t[2]) - c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0]) - c[1], c[0] = madd2(v, y[3], c[1], t[3]) - c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0]) - c[1], c[0] = madd2(v, y[4], c[1], t[4]) - c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0]) - c[1], c[0] = madd2(v, y[5], c[1], t[5]) - t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1]) - } - { - // round 4 - v := x[4] - c[1], c[0] = madd1(v, y[0], t[0]) - m := c[0] * 9940570264628428797 - c[2] = madd0(m, 13402431016077863595, c[0]) - c[1], c[0] = madd2(v, y[1], c[1], t[1]) - c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0]) - c[1], c[0] = madd2(v, y[2], c[1], t[2]) - c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0]) - c[1], c[0] = madd2(v, y[3], c[1], t[3]) - c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0]) - c[1], c[0] = madd2(v, y[4], c[1], t[4]) - c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0]) - c[1], c[0] = madd2(v, y[5], c[1], t[5]) - t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1]) - } - { - // round 5 - v := x[5] - c[1], c[0] = madd1(v, y[0], t[0]) - m := c[0] * 9940570264628428797 - c[2] = madd0(m, 13402431016077863595, c[0]) - c[1], c[0] = madd2(v, y[1], c[1], t[1]) - c[2], z[0] = madd2(m, 2210141511517208575, c[2], c[0]) - c[1], c[0] = madd2(v, y[2], c[1], t[2]) - c[2], z[1] = madd2(m, 7435674573564081700, c[2], c[0]) - c[1], c[0] = madd2(v, y[3], c[1], t[3]) - c[2], z[2] = madd2(m, 
7239337960414712511, c[2], c[0]) - c[1], c[0] = madd2(v, y[4], c[1], t[4]) - c[2], z[3] = madd2(m, 5412103778470702295, c[2], c[0]) - c[1], c[0] = madd2(v, y[5], c[1], t[5]) - z[5], z[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1]) - } - - // if z > q --> z -= q - // note: this is NOT constant time - if !(z[5] < 1873798617647539866 || (z[5] == 1873798617647539866 && (z[4] < 5412103778470702295 || (z[4] == 5412103778470702295 && (z[3] < 7239337960414712511 || (z[3] == 7239337960414712511 && (z[2] < 7435674573564081700 || (z[2] == 7435674573564081700 && (z[1] < 2210141511517208575 || (z[1] == 2210141511517208575 && (z[0] < 13402431016077863595))))))))))) { - var b uint64 - z[0], b = bits.Sub64(z[0], 13402431016077863595, 0) - z[1], b = bits.Sub64(z[1], 2210141511517208575, b) - z[2], b = bits.Sub64(z[2], 7435674573564081700, b) - z[3], b = bits.Sub64(z[3], 7239337960414712511, b) - z[4], b = bits.Sub64(z[4], 5412103778470702295, b) - z[5], _ = bits.Sub64(z[5], 1873798617647539866, b) - } -} - -func square(z, x *fe) { - - var t [6]uint64 - var c [3]uint64 - { - // round 0 - v := x[0] - c[1], c[0] = bits.Mul64(v, x[0]) - m := c[0] * 9940570264628428797 - c[2] = madd0(m, 13402431016077863595, c[0]) - c[1], c[0] = madd1(v, x[1], c[1]) - c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0]) - c[1], c[0] = madd1(v, x[2], c[1]) - c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0]) - c[1], c[0] = madd1(v, x[3], c[1]) - c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0]) - c[1], c[0] = madd1(v, x[4], c[1]) - c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0]) - c[1], c[0] = madd1(v, x[5], c[1]) - t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1]) - } - { - // round 1 - v := x[1] - c[1], c[0] = madd1(v, x[0], t[0]) - m := c[0] * 9940570264628428797 - c[2] = madd0(m, 13402431016077863595, c[0]) - c[1], c[0] = madd2(v, x[1], c[1], t[1]) - c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0]) - c[1], c[0] = madd2(v, x[2], c[1], t[2]) - c[2], t[1] = 
madd2(m, 7435674573564081700, c[2], c[0]) - c[1], c[0] = madd2(v, x[3], c[1], t[3]) - c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0]) - c[1], c[0] = madd2(v, x[4], c[1], t[4]) - c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0]) - c[1], c[0] = madd2(v, x[5], c[1], t[5]) - t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1]) - } - { - // round 2 - v := x[2] - c[1], c[0] = madd1(v, x[0], t[0]) - m := c[0] * 9940570264628428797 - c[2] = madd0(m, 13402431016077863595, c[0]) - c[1], c[0] = madd2(v, x[1], c[1], t[1]) - c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0]) - c[1], c[0] = madd2(v, x[2], c[1], t[2]) - c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0]) - c[1], c[0] = madd2(v, x[3], c[1], t[3]) - c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0]) - c[1], c[0] = madd2(v, x[4], c[1], t[4]) - c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0]) - c[1], c[0] = madd2(v, x[5], c[1], t[5]) - t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1]) - } - { - // round 3 - v := x[3] - c[1], c[0] = madd1(v, x[0], t[0]) - m := c[0] * 9940570264628428797 - c[2] = madd0(m, 13402431016077863595, c[0]) - c[1], c[0] = madd2(v, x[1], c[1], t[1]) - c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0]) - c[1], c[0] = madd2(v, x[2], c[1], t[2]) - c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0]) - c[1], c[0] = madd2(v, x[3], c[1], t[3]) - c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0]) - c[1], c[0] = madd2(v, x[4], c[1], t[4]) - c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0]) - c[1], c[0] = madd2(v, x[5], c[1], t[5]) - t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1]) - } - { - // round 4 - v := x[4] - c[1], c[0] = madd1(v, x[0], t[0]) - m := c[0] * 9940570264628428797 - c[2] = madd0(m, 13402431016077863595, c[0]) - c[1], c[0] = madd2(v, x[1], c[1], t[1]) - c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0]) - c[1], c[0] = madd2(v, x[2], c[1], t[2]) - c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0]) - c[1], 
c[0] = madd2(v, x[3], c[1], t[3]) - c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0]) - c[1], c[0] = madd2(v, x[4], c[1], t[4]) - c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0]) - c[1], c[0] = madd2(v, x[5], c[1], t[5]) - t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1]) - } - { - // round 5 - v := x[5] - c[1], c[0] = madd1(v, x[0], t[0]) - m := c[0] * 9940570264628428797 - c[2] = madd0(m, 13402431016077863595, c[0]) - c[1], c[0] = madd2(v, x[1], c[1], t[1]) - c[2], z[0] = madd2(m, 2210141511517208575, c[2], c[0]) - c[1], c[0] = madd2(v, x[2], c[1], t[2]) - c[2], z[1] = madd2(m, 7435674573564081700, c[2], c[0]) - c[1], c[0] = madd2(v, x[3], c[1], t[3]) - c[2], z[2] = madd2(m, 7239337960414712511, c[2], c[0]) - c[1], c[0] = madd2(v, x[4], c[1], t[4]) - c[2], z[3] = madd2(m, 5412103778470702295, c[2], c[0]) - c[1], c[0] = madd2(v, x[5], c[1], t[5]) - z[5], z[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1]) - } - - // if z > q --> z -= q - // note: this is NOT constant time - if !(z[5] < 1873798617647539866 || (z[5] == 1873798617647539866 && (z[4] < 5412103778470702295 || (z[4] == 5412103778470702295 && (z[3] < 7239337960414712511 || (z[3] == 7239337960414712511 && (z[2] < 7435674573564081700 || (z[2] == 7435674573564081700 && (z[1] < 2210141511517208575 || (z[1] == 2210141511517208575 && (z[0] < 13402431016077863595))))))))))) { - var b uint64 - z[0], b = bits.Sub64(z[0], 13402431016077863595, 0) - z[1], b = bits.Sub64(z[1], 2210141511517208575, b) - z[2], b = bits.Sub64(z[2], 7435674573564081700, b) - z[3], b = bits.Sub64(z[3], 7239337960414712511, b) - z[4], b = bits.Sub64(z[4], 5412103778470702295, b) - z[5], _ = bits.Sub64(z[5], 1873798617647539866, b) - } -} - -func wadd(z, x, y *wfe) { - var carry uint64 - - z[0], carry = bits.Add64(x[0], y[0], 0) - z[1], carry = bits.Add64(x[1], y[1], carry) - z[2], carry = bits.Add64(x[2], y[2], carry) - z[3], carry = bits.Add64(x[3], y[3], carry) - z[4], carry = bits.Add64(x[4], y[4], carry) - 
z[5], carry = bits.Add64(x[5], y[5], carry) - z[6], carry = bits.Add64(x[6], y[6], carry) - z[7], carry = bits.Add64(x[7], y[7], carry) - z[8], carry = bits.Add64(x[8], y[8], carry) - z[9], carry = bits.Add64(x[9], y[9], carry) - z[10], carry = bits.Add64(x[10], y[10], carry) - z[11], _ = bits.Add64(x[11], y[11], carry) - - if !(z[11] < 1873798617647539866 || (z[11] == 1873798617647539866 && (z[10] < 5412103778470702295 || (z[10] == 5412103778470702295 && (z[9] < 7239337960414712511 || (z[9] == 7239337960414712511 && (z[8] < 7435674573564081700 || (z[8] == 7435674573564081700 && (z[7] < 2210141511517208575 || (z[7] == 2210141511517208575 && (z[6] < 13402431016077863595))))))))))) { - var b uint64 - z[6], b = bits.Sub64(z[6], 13402431016077863595, 0) - z[7], b = bits.Sub64(z[7], 2210141511517208575, b) - z[8], b = bits.Sub64(z[8], 7435674573564081700, b) - z[9], b = bits.Sub64(z[9], 7239337960414712511, b) - z[10], b = bits.Sub64(z[10], 5412103778470702295, b) - z[11], _ = bits.Sub64(z[11], 1873798617647539866, b) - } -} - -func waddAssign(x, y *wfe) { - wadd(x, x, y) -} - -func lwadd(z, x, y *wfe) { - var carry uint64 - - z[0], carry = bits.Add64(x[0], y[0], 0) - z[1], carry = bits.Add64(x[1], y[1], carry) - z[2], carry = bits.Add64(x[2], y[2], carry) - z[3], carry = bits.Add64(x[3], y[3], carry) - z[4], carry = bits.Add64(x[4], y[4], carry) - z[5], carry = bits.Add64(x[5], y[5], carry) - z[6], carry = bits.Add64(x[6], y[6], carry) - z[7], carry = bits.Add64(x[7], y[7], carry) - z[8], carry = bits.Add64(x[8], y[8], carry) - z[9], carry = bits.Add64(x[9], y[9], carry) - z[10], carry = bits.Add64(x[10], y[10], carry) - z[11], _ = bits.Add64(x[11], y[11], carry) -} - -func lwaddAssign(x, y *wfe) { - lwadd(x, x, y) -} - -func wsub(z, x, y *wfe) { - var b uint64 - z[0], b = bits.Sub64(x[0], y[0], 0) - z[1], b = bits.Sub64(x[1], y[1], b) - z[2], b = bits.Sub64(x[2], y[2], b) - z[3], b = bits.Sub64(x[3], y[3], b) - z[4], b = bits.Sub64(x[4], y[4], b) - z[5], b = 
bits.Sub64(x[5], y[5], b) - z[6], b = bits.Sub64(x[6], y[6], b) - z[7], b = bits.Sub64(x[7], y[7], b) - z[8], b = bits.Sub64(x[8], y[8], b) - z[9], b = bits.Sub64(x[9], y[9], b) - z[10], b = bits.Sub64(x[10], y[10], b) - z[11], b = bits.Sub64(x[11], y[11], b) - if b != 0 { - var c uint64 - z[6], c = bits.Add64(z[6], 13402431016077863595, 0) - z[7], c = bits.Add64(z[7], 2210141511517208575, c) - z[8], c = bits.Add64(z[8], 7435674573564081700, c) - z[9], c = bits.Add64(z[9], 7239337960414712511, c) - z[10], c = bits.Add64(z[10], 5412103778470702295, c) - z[11], _ = bits.Add64(z[11], 1873798617647539866, c) - } -} - -func wsubAssign(x, y *wfe) { - wsub(x, x, y) -} - -func lwsub(z, x, y *wfe) { - var b uint64 - z[0], b = bits.Sub64(x[0], y[0], 0) - z[1], b = bits.Sub64(x[1], y[1], b) - z[2], b = bits.Sub64(x[2], y[2], b) - z[3], b = bits.Sub64(x[3], y[3], b) - z[4], b = bits.Sub64(x[4], y[4], b) - z[5], b = bits.Sub64(x[5], y[5], b) - z[6], b = bits.Sub64(x[6], y[6], b) - z[7], b = bits.Sub64(x[7], y[7], b) - z[8], b = bits.Sub64(x[8], y[8], b) - z[9], b = bits.Sub64(x[9], y[9], b) - z[10], b = bits.Sub64(x[10], y[10], b) - z[11], b = bits.Sub64(x[11], y[11], b) -} - -func lwsubAssign(x, y *wfe) { - lwsub(x, x, y) -} - -func wdouble(z, x *wfe) { - var carry uint64 - - z[0], carry = bits.Add64(x[0], x[0], 0) - z[1], carry = bits.Add64(x[1], x[1], carry) - z[2], carry = bits.Add64(x[2], x[2], carry) - z[3], carry = bits.Add64(x[3], x[3], carry) - z[4], carry = bits.Add64(x[4], x[4], carry) - z[5], carry = bits.Add64(x[5], x[5], carry) - z[6], carry = bits.Add64(x[6], x[6], carry) - z[7], carry = bits.Add64(x[7], x[7], carry) - z[8], carry = bits.Add64(x[8], x[8], carry) - z[9], carry = bits.Add64(x[9], x[9], carry) - z[10], carry = bits.Add64(x[10], x[10], carry) - z[11], _ = bits.Add64(x[11], x[11], carry) - - if !(z[11] < 1873798617647539866 || (z[11] == 1873798617647539866 && (z[10] < 5412103778470702295 || (z[10] == 5412103778470702295 && (z[9] < 7239337960414712511 
|| (z[9] == 7239337960414712511 && (z[8] < 7435674573564081700 || (z[8] == 7435674573564081700 && (z[7] < 2210141511517208575 || (z[7] == 2210141511517208575 && (z[6] < 13402431016077863595))))))))))) { - var b uint64 - z[6], b = bits.Sub64(z[6], 13402431016077863595, 0) - z[7], b = bits.Sub64(z[7], 2210141511517208575, b) - z[8], b = bits.Sub64(z[8], 7435674573564081700, b) - z[9], b = bits.Sub64(z[9], 7239337960414712511, b) - z[10], b = bits.Sub64(z[10], 5412103778470702295, b) - z[11], _ = bits.Sub64(z[11], 1873798617647539866, b) - } -} - -func wdoubleAssign(x *wfe) { - wdouble(x, x) -} - -func lwdouble(z, x *wfe) { - var carry uint64 - - z[0], carry = bits.Add64(x[0], x[0], 0) - z[1], carry = bits.Add64(x[1], x[1], carry) - z[2], carry = bits.Add64(x[2], x[2], carry) - z[3], carry = bits.Add64(x[3], x[3], carry) - z[4], carry = bits.Add64(x[4], x[4], carry) - z[5], carry = bits.Add64(x[5], x[5], carry) - z[6], carry = bits.Add64(x[6], x[6], carry) - z[7], carry = bits.Add64(x[7], x[7], carry) - z[8], carry = bits.Add64(x[8], x[8], carry) - z[9], carry = bits.Add64(x[9], x[9], carry) - z[10], carry = bits.Add64(x[10], x[10], carry) - z[11], _ = bits.Add64(x[11], x[11], carry) -} - -func fromWide(c *fe, w *wfe) { - montRed(c, w) -} - -func wmul(w *wfe, a, b *fe) { - - var w0, w1, w2, w3, w4, w5, w6, w7, w8, w9, w10, w11 uint64 - var a0 = a[0] - var a1 = a[1] - var a2 = a[2] - var a3 = a[3] - var a4 = a[4] - var a5 = a[5] - var b0 = b[0] - var b1 = b[1] - var b2 = b[2] - var b3 = b[3] - var b4 = b[4] - var b5 = b[5] - var u, v, c, t uint64 - - { - // i = 0, j = 0 - c, w0 = bits.Mul64(a0, b0) - - // i = 0, j = 1 - u, v = bits.Mul64(a1, b0) - w1 = v + c - c = u + (v&c|(v|c)&^w1)>>63 - - // i = 0, j = 2 - u, v = bits.Mul64(a2, b0) - w2 = v + c - c = u + (v&c|(v|c)&^w2)>>63 - - // i = 0, j = 3 - u, v = bits.Mul64(a3, b0) - w3 = v + c - c = u + (v&c|(v|c)&^w3)>>63 - - // i = 0, j = 4 - u, v = bits.Mul64(a4, b0) - w4 = v + c - c = u + (v&c|(v|c)&^w4)>>63 - - // i = 0, 
j = 5 - u, v = bits.Mul64(a5, b0) - w5 = v + c - w6 = u + (v&c|(v|c)&^w5)>>63 - } - - { - - // i = 1, j = 0 - c, v = bits.Mul64(a0, b1) - t = v + w1 - c += (v&w1 | (v|w1)&^t) >> 63 - w1 = t - - // i = 1, j = 1 - u, v = bits.Mul64(a1, b1) - t = v + w2 - u += (v&w2 | (v|w2)&^t) >> 63 - w2 = t + c - c = u + (t&c|(t|c)&^w2)>>63 - - // i = 1, j = 2 - u, v = bits.Mul64(a2, b1) - t = v + w3 - u += (v&w3 | (v|w3)&^t) >> 63 - w3 = t + c - c = u + (t&c|(t|c)&^w3)>>63 - - // i = 1, j = 3 - u, v = bits.Mul64(a3, b1) - t = v + w4 - u += (v&w4 | (v|w4)&^t) >> 63 - w4 = t + c - c = u + (t&c|(t|c)&^w4)>>63 - - // i = 1, j = 4 - u, v = bits.Mul64(a4, b1) - t = v + w5 - u += (v&w5 | (v|w5)&^t) >> 63 - w5 = t + c - c = u + (t&c|(t|c)&^w5)>>63 - - // i = 1, j = 5 - u, v = bits.Mul64(a5, b1) - t = v + w6 - u += (v&w6 | (v|w6)&^t) >> 63 - w6 = t + c - w7 = u + (t&c|(t|c)&^w6)>>63 - } - - { - // i = 2, j = 0 - c, v = bits.Mul64(a0, b2) - t = v + w2 - c += (v&w2 | (v|w2)&^t) >> 63 - w2 = t - - // i = 2, j = 1 - u, v = bits.Mul64(a1, b2) - t = v + w3 - u += (v&w3 | (v|w3)&^t) >> 63 - w3 = t + c - c = u + (t&c|(t|c)&^w3)>>63 - - // i = 2, j = 2 - u, v = bits.Mul64(a2, b2) - t = v + w4 - u += (v&w4 | (v|w4)&^t) >> 63 - w4 = t + c - c = u + (t&c|(t|c)&^w4)>>63 - - // i = 2, j = 3 - u, v = bits.Mul64(a3, b2) - t = v + w5 - u += (v&w5 | (v|w5)&^t) >> 63 - w5 = t + c - c = u + (t&c|(t|c)&^w5)>>63 - - // i = 2, j = 4 - u, v = bits.Mul64(a4, b2) - t = v + w6 - u += (v&w6 | (v|w6)&^t) >> 63 - w6 = t + c - c = u + (t&c|(t|c)&^w6)>>63 - - // i = 2, j = 5 - u, v = bits.Mul64(a5, b2) - t = v + w7 - u += (v&w7 | (v|w7)&^t) >> 63 - w7 = t + c - w8 = u + (t&c|(t|c)&^w7)>>63 - } - - { - // i = 3, j = 0 - c, v = bits.Mul64(a0, b3) - t = v + w3 - c += (v&w3 | (v|w3)&^t) >> 63 - w3 = t - - // i = 3, j = 1 - u, v = bits.Mul64(a1, b3) - t = v + w4 - u += (v&w4 | (v|w4)&^t) >> 63 - w4 = t + c - c = u + (t&c|(t|c)&^w4)>>63 - - // i = 3, j = 2 - u, v = bits.Mul64(a2, b3) - t = v + w5 - u += (v&w5 | (v|w5)&^t) >> 
63 - w5 = t + c - c = u + (t&c|(t|c)&^w5)>>63 - - // i = 3, j = 3 - u, v = bits.Mul64(a3, b3) - t = v + w6 - u += (v&w6 | (v|w6)&^t) >> 63 - w6 = t + c - c = u + (t&c|(t|c)&^w6)>>63 - - // i = 3, j = 4 - u, v = bits.Mul64(a4, b3) - t = v + w7 - u += (v&w7 | (v|w7)&^t) >> 63 - w7 = t + c - c = u + (t&c|(t|c)&^w7)>>63 - - // i = 3, j = 5 - u, v = bits.Mul64(a5, b3) - t = v + w8 - u += (v&w8 | (v|w8)&^t) >> 63 - w8 = t + c - w9 = u + (t&c|(t|c)&^w8)>>63 - } - - { - // i = 4, j = 0 - c, v = bits.Mul64(a0, b4) - t = v + w4 - c += (v&w4 | (v|w4)&^t) >> 63 - w4 = t - - // i = 4, j = 1 - u, v = bits.Mul64(a1, b4) - t = v + w5 - u += (v&w5 | (v|w5)&^t) >> 63 - w5 = t + c - c = u + (t&c|(t|c)&^w5)>>63 - - // i = 4, j = 2 - u, v = bits.Mul64(a2, b4) - t = v + w6 - u += (v&w6 | (v|w6)&^t) >> 63 - w6 = t + c - c = u + (t&c|(t|c)&^w6)>>63 - - // i = 4, j = 3 - u, v = bits.Mul64(a3, b4) - t = v + w7 - u += (v&w7 | (v|w7)&^t) >> 63 - w7 = t + c - c = u + (t&c|(t|c)&^w7)>>63 - - // i = 4, j = 4 - u, v = bits.Mul64(a4, b4) - t = v + w8 - u += (v&w8 | (v|w8)&^t) >> 63 - w8 = t + c - c = u + (t&c|(t|c)&^w8)>>63 - - // i = 4, j = 5 - u, v = bits.Mul64(a5, b4) - t = v + w9 - u += (v&w9 | (v|w9)&^t) >> 63 - w9 = t + c - w10 = u + (t&c|(t|c)&^w9)>>63 - } - - { - // i = 5, j = 0 - c, v = bits.Mul64(a0, b5) - t = v + w5 - c += (v&w5 | (v|w5)&^t) >> 63 - w5 = t - - // i = 5, j = 1 - u, v = bits.Mul64(a1, b5) - t = v + w6 - u += (v&w6 | (v|w6)&^t) >> 63 - w6 = t + c - c = u + (t&c|(t|c)&^w6)>>63 - - // i = 5, j = 2 - u, v = bits.Mul64(a2, b5) - t = v + w7 - u += (v&w7 | (v|w7)&^t) >> 63 - w7 = t + c - c = u + (t&c|(t|c)&^w7)>>63 - - // i = 5, j = 3 - u, v = bits.Mul64(a3, b5) - t = v + w8 - u += (v&w8 | (v|w8)&^t) >> 63 - w8 = t + c - c = u + (t&c|(t|c)&^w8)>>63 - - // i = 5, j = 4 - u, v = bits.Mul64(a4, b5) - t = v + w9 - u += (v&w9 | (v|w9)&^t) >> 63 - w9 = t + c - c = u + (t&c|(t|c)&^w9)>>63 - - // i = 5, j = 5 - u, v = bits.Mul64(a5, b5) - t = v + w10 - u += (v&w10 | (v|w10)&^t) >> 63 - 
w10 = t + c - w11 = u + (t&c|(t|c)&^w10)>>63 - } - - w[0] = w0 - w[1] = w1 - w[2] = w2 - w[3] = w3 - w[4] = w4 - w[5] = w5 - w[6] = w6 - w[7] = w7 - w[8] = w8 - w[9] = w9 - w[10] = w10 - w[11] = w11 -} - -func montRed(c *fe, w *wfe) { - - // Reduces T as T (R^-1) modp - // Handbook of Applied Cryptography - // Hankerson, Menezes, Vanstone - // Algorithm 14.32 Montgomery reduction - - w0 := w[0] - w1 := w[1] - w2 := w[2] - w3 := w[3] - w4 := w[4] - w5 := w[5] - w6 := w[6] - w7 := w[7] - w8 := w[8] - w9 := w[9] - w10 := w[10] - w11 := w[11] - p0 := modulus[0] - p1 := modulus[1] - p2 := modulus[2] - p3 := modulus[3] - p4 := modulus[4] - p5 := modulus[5] - - var e1, e2, el, res uint64 - var t1, t2, u uint64 - - { - - // i = 0 - u = w0 * inp - // - e1, res = bits.Mul64(u, p0) - t1 = res + w0 - e1 += (res&w0 | (res|w0)&^t1) >> 63 - // - e2, res = bits.Mul64(u, p1) - t1 = res + e1 - e2 += (res&e1 | (res|e1)&^t1) >> 63 - t2 = t1 + w1 - e2 += (t1&w1 | (t1|w1)&^t2) >> 63 - w1 = t2 - // - e1, res = bits.Mul64(u, p2) - t1 = res + e2 - e1 += (res&e2 | (res|e2)&^t1) >> 63 - t2 = t1 + w2 - e1 += (t1&w2 | (t1|w2)&^t2) >> 63 - w2 = t2 - // - e2, res = bits.Mul64(u, p3) - t1 = res + e1 - e2 += (res&e1 | (res|e1)&^t1) >> 63 - t2 = t1 + w3 - e2 += (t1&w3 | (t1|w3)&^t2) >> 63 - w3 = t2 - // - e1, res = bits.Mul64(u, p4) - t1 = res + e2 - e1 += (res&e2 | (res|e2)&^t1) >> 63 - t2 = t1 + w4 - e1 += (t1&w4 | (t1|w4)&^t2) >> 63 - w4 = t2 - // - e2, res = bits.Mul64(u, p5) - t1 = res + e1 - e2 += (res&e1 | (res|e1)&^t1) >> 63 - t2 = t1 + w5 - e2 += (t1&w5 | (t1|w5)&^t2) >> 63 - w5 = t2 - // - t1 = w6 + el - e1 = (w6&el | (w6|el)&^t1) >> 63 - t2 = t1 + e2 - e1 += (t1&e2 | (t1|e2)&^t2) >> 63 - w6 = t2 - el = e1 - } - - { - // i = 1 - u = w1 * inp - // - e1, res = bits.Mul64(u, p0) - t1 = res + w1 - e1 += (res&w1 | (res|w1)&^t1) >> 63 - // - e2, res = bits.Mul64(u, p1) - t1 = res + e1 - e2 += (res&e1 | (res|e1)&^t1) >> 63 - t2 = t1 + w2 - e2 += (t1&w2 | (t1|w2)&^t2) >> 63 - w2 = t2 - // - e1, 
res = bits.Mul64(u, p2) - t1 = res + e2 - e1 += (res&e2 | (res|e2)&^t1) >> 63 - t2 = t1 + w3 - e1 += (t1&w3 | (t1|w3)&^t2) >> 63 - w3 = t2 - // - e2, res = bits.Mul64(u, p3) - t1 = res + e1 - e2 += (res&e1 | (res|e1)&^t1) >> 63 - t2 = t1 + w4 - e2 += (t1&w4 | (t1|w4)&^t2) >> 63 - w4 = t2 - // - e1, res = bits.Mul64(u, p4) - t1 = res + e2 - e1 += (res&e2 | (res|e2)&^t1) >> 63 - t2 = t1 + w5 - e1 += (t1&w5 | (t1|w5)&^t2) >> 63 - w5 = t2 - // - e2, res = bits.Mul64(u, p5) - t1 = res + e1 - e2 += (res&e1 | (res|e1)&^t1) >> 63 - t2 = t1 + w6 - e2 += (t1&w6 | (t1|w6)&^t2) >> 63 - w6 = t2 - // - t1 = w7 + el - e1 = (w7&el | (w7|el)&^t1) >> 63 - t2 = t1 + e2 - e1 += (t1&e2 | (t1|e2)&^t2) >> 63 - w7 = t2 - el = e1 - } - - { - // i = 2 - u = w2 * inp - // - e1, res = bits.Mul64(u, p0) - t1 = res + w2 - e1 += (res&w2 | (res|w2)&^t1) >> 63 - // - e2, res = bits.Mul64(u, p1) - t1 = res + e1 - e2 += (res&e1 | (res|e1)&^t1) >> 63 - t2 = t1 + w3 - e2 += (t1&w3 | (t1|w3)&^t2) >> 63 - w3 = t2 - // - e1, res = bits.Mul64(u, p2) - t1 = res + e2 - e1 += (res&e2 | (res|e2)&^t1) >> 63 - t2 = t1 + w4 - e1 += (t1&w4 | (t1|w4)&^t2) >> 63 - w4 = t2 - // - e2, res = bits.Mul64(u, p3) - t1 = res + e1 - e2 += (res&e1 | (res|e1)&^t1) >> 63 - t2 = t1 + w5 - e2 += (t1&w5 | (t1|w5)&^t2) >> 63 - w5 = t2 - // - e1, res = bits.Mul64(u, p4) - t1 = res + e2 - e1 += (res&e2 | (res|e2)&^t1) >> 63 - t2 = t1 + w6 - e1 += (t1&w6 | (t1|w6)&^t2) >> 63 - w6 = t2 - // - e2, res = bits.Mul64(u, p5) - t1 = res + e1 - e2 += (res&e1 | (res|e1)&^t1) >> 63 - t2 = t1 + w7 - e2 += (t1&w7 | (t1|w7)&^t2) >> 63 - w7 = t2 - // - t1 = w8 + el - e1 = (w8&el | (w8|el)&^t1) >> 63 - t2 = t1 + e2 - e1 += (t1&e2 | (t1|e2)&^t2) >> 63 - w8 = t2 - el = e1 - } - - { - // i = 3 - u = w3 * inp - // - e1, res = bits.Mul64(u, p0) - t1 = res + w3 - e1 += (res&w3 | (res|w3)&^t1) >> 63 - // - e2, res = bits.Mul64(u, p1) - t1 = res + e1 - e2 += (res&e1 | (res|e1)&^t1) >> 63 - t2 = t1 + w4 - e2 += (t1&w4 | (t1|w4)&^t2) >> 63 - w4 = t2 - // - 
e1, res = bits.Mul64(u, p2) - t1 = res + e2 - e1 += (res&e2 | (res|e2)&^t1) >> 63 - t2 = t1 + w5 - e1 += (t1&w5 | (t1|w5)&^t2) >> 63 - w5 = t2 - // - e2, res = bits.Mul64(u, p3) - t1 = res + e1 - e2 += (res&e1 | (res|e1)&^t1) >> 63 - t2 = t1 + w6 - e2 += (t1&w6 | (t1|w6)&^t2) >> 63 - w6 = t2 - // - e1, res = bits.Mul64(u, p4) - t1 = res + e2 - e1 += (res&e2 | (res|e2)&^t1) >> 63 - t2 = t1 + w7 - e1 += (t1&w7 | (t1|w7)&^t2) >> 63 - w7 = t2 - // - e2, res = bits.Mul64(u, p5) - t1 = res + e1 - e2 += (res&e1 | (res|e1)&^t1) >> 63 - t2 = t1 + w8 - e2 += (t1&w8 | (t1|w8)&^t2) >> 63 - w8 = t2 - // - t1 = w9 + el - e1 = (w9&el | (w9|el)&^t1) >> 63 - t2 = t1 + e2 - e1 += (t1&e2 | (t1|e2)&^t2) >> 63 - w9 = t2 - el = e1 - } - - { - // i = 4 - u = w4 * inp - // - e1, res = bits.Mul64(u, p0) - t1 = res + w4 - e1 += (res&w4 | (res|w4)&^t1) >> 63 - // - e2, res = bits.Mul64(u, p1) - t1 = res + e1 - e2 += (res&e1 | (res|e1)&^t1) >> 63 - t2 = t1 + w5 - e2 += (t1&w5 | (t1|w5)&^t2) >> 63 - w5 = t2 - // - e1, res = bits.Mul64(u, p2) - t1 = res + e2 - e1 += (res&e2 | (res|e2)&^t1) >> 63 - t2 = t1 + w6 - e1 += (t1&w6 | (t1|w6)&^t2) >> 63 - w6 = t2 - // - e2, res = bits.Mul64(u, p3) - t1 = res + e1 - e2 += (res&e1 | (res|e1)&^t1) >> 63 - t2 = t1 + w7 - e2 += (t1&w7 | (t1|w7)&^t2) >> 63 - w7 = t2 - // - e1, res = bits.Mul64(u, p4) - t1 = res + e2 - e1 += (res&e2 | (res|e2)&^t1) >> 63 - t2 = t1 + w8 - e1 += (t1&w8 | (t1|w8)&^t2) >> 63 - w8 = t2 - // - e2, res = bits.Mul64(u, p5) - t1 = res + e1 - e2 += (res&e1 | (res|e1)&^t1) >> 63 - t2 = t1 + w9 - e2 += (t1&w9 | (t1|w9)&^t2) >> 63 - w9 = t2 - // - t1 = w10 + el - e1 = (w10&el | (w10|el)&^t1) >> 63 - t2 = t1 + e2 - e1 += (t1&e2 | (t1|e2)&^t2) >> 63 - w10 = t2 - el = e1 - } - - { - // i = 5 - u = w5 * inp - // - e1, res = bits.Mul64(u, p0) - t1 = res + w5 - e1 += (res&w5 | (res|w5)&^t1) >> 63 - // - e2, res = bits.Mul64(u, p1) - t1 = res + e1 - e2 += (res&e1 | (res|e1)&^t1) >> 63 - t2 = t1 + w6 - e2 += (t1&w6 | (t1|w6)&^t2) >> 63 - w6 = t2 
- // - e1, res = bits.Mul64(u, p2) - t1 = res + e2 - e1 += (res&e2 | (res|e2)&^t1) >> 63 - t2 = t1 + w7 - e1 += (t1&w7 | (t1|w7)&^t2) >> 63 - w7 = t2 - // - e2, res = bits.Mul64(u, p3) - t1 = res + e1 - e2 += (res&e1 | (res|e1)&^t1) >> 63 - t2 = t1 + w8 - e2 += (t1&w8 | (t1|w8)&^t2) >> 63 - w8 = t2 - // - e1, res = bits.Mul64(u, p4) - t1 = res + e2 - e1 += (res&e2 | (res|e2)&^t1) >> 63 - t2 = t1 + w9 - e1 += (t1&w9 | (t1|w9)&^t2) >> 63 - w9 = t2 - // - e2, res = bits.Mul64(u, p5) - t1 = res + e1 - e2 += (res&e1 | (res|e1)&^t1) >> 63 - t2 = t1 + w10 - e2 += (t1&w10 | (t1|w10)&^t2) >> 63 - w10 = t2 - // - t1 = w11 + el - e1 = (w11&el | (w11|el)&^t1) >> 63 - t2 = t1 + e2 - e1 += (t1&e2 | (t1|e2)&^t2) >> 63 - w11 = t2 - } - - e1-- - c[0] = w6 - ((p0) & ^e1) - e2 = (^w6&p0 | (^w6|p0)&c[0]) >> 63 - c[1] = w7 - ((p1 + e2) & ^e1) - e2 = (^w7&p1 | (^w7|p1)&c[1]) >> 63 - c[2] = w8 - ((p2 + e2) & ^e1) - e2 = (^w8&p2 | (^w8|p2)&c[2]) >> 63 - c[3] = w9 - ((p3 + e2) & ^e1) - e2 = (^w9&p3 | (^w9|p3)&c[3]) >> 63 - c[4] = w10 - ((p4 + e2) & ^e1) - e2 = (^w10&p4 | (^w10|p4)&c[4]) >> 63 - c[5] = w11 - ((p5 + e2) & ^e1) - - sub(c, c, &modulus) -} - -func fp2Add(c, a, b *fe2) { - add(&c[0], &a[0], &b[0]) - add(&c[1], &a[1], &b[1]) -} - -func fp2AddAssign(a, b *fe2) { - addAssign(&a[0], &b[0]) - addAssign(&a[1], &b[1]) -} - -func fp2Ladd(c, a, b *fe2) { - ladd(&c[0], &a[0], &b[0]) - ladd(&c[1], &a[1], &b[1]) -} - -func fp2LaddAssign(a, b *fe2) { - laddAssign(&a[0], &b[0]) - laddAssign(&a[1], &b[1]) -} - -func fp2Double(c, a *fe2) { - double(&c[0], &a[0]) - double(&c[1], &a[1]) -} - -func fp2DoubleAssign(a *fe2) { - doubleAssign(&a[0]) - doubleAssign(&a[1]) -} - -func fp2Ldouble(c, a *fe2) { - ldouble(&c[0], &a[0]) - ldouble(&c[1], &a[1]) -} - -func fp2Sub(c, a, b *fe2) { - sub(&c[0], &a[0], &b[0]) - sub(&c[1], &a[1], &b[1]) -} - -func fp2SubAssign(c, a *fe2) { - subAssign(&c[0], &a[0]) - subAssign(&c[1], &a[1]) -} - -func mulByNonResidue(c, a *fe2) { - t := new(fe) - sub(t, &a[0], 
&a[1]) - add(&c[1], &a[0], &a[1]) - c[0].set(t) -} - -func mulByNonResidueAssign(a *fe2) { - t := new(fe) - sub(t, &a[0], &a[1]) - add(&a[1], &a[0], &a[1]) - a[0].set(t) -} - -func wfp2Add(c, a, b *wfe2) { - wadd(&c[0], &a[0], &b[0]) - wadd(&c[1], &a[1], &b[1]) -} - -func wfp2AddAssign(c, a *wfe2) { - waddAssign(&c[0], &a[0]) - waddAssign(&c[1], &a[1]) -} - -func wfp2Ladd(c, a, b *wfe2) { - lwadd(&c[0], &a[0], &b[0]) - lwadd(&c[1], &a[1], &b[1]) -} - -func wfp2LaddAssign(a, b *wfe2) { - lwaddAssign(&a[0], &b[0]) - lwaddAssign(&a[1], &b[1]) -} - -func wfp2AddMixed(c, a, b *wfe2) { - wadd(&c[0], &a[0], &b[0]) - lwadd(&c[1], &a[1], &b[1]) -} - -func wfp2AddMixedAssign(a, b *wfe2) { - waddAssign(&a[0], &b[0]) - lwaddAssign(&a[1], &b[1]) -} - -func wfp2Sub(c, a, b *wfe2) { - wsub(&c[0], &a[0], &b[0]) - wsub(&c[1], &a[1], &b[1]) -} - -func wfp2SubAssign(a, b *wfe2) { - wsub(&a[0], &a[0], &b[0]) - wsub(&a[1], &a[1], &b[1]) -} - -func wfp2SubMixed(c, a, b *wfe2) { - wsub(&c[0], &a[0], &b[0]) - lwsub(&c[1], &a[1], &b[1]) -} - -func wfp2SubMixedAssign(a, b *wfe2) { - wsubAssign(&a[0], &b[0]) - lwsubAssign(&a[1], &b[1]) -} - -func wfp2Double(c, a *wfe2) { - wdouble(&c[0], &a[0]) - wdouble(&c[1], &a[1]) -} - -func wfp2DoubleAssign(a *wfe2) { - wdoubleAssign(&a[0]) - wdoubleAssign(&a[1]) -} - -func wfp2MulByNonResidue(c, a *wfe2) { - wt0 := &wfe{} - wadd(wt0, &a[0], &a[1]) - wsub(&c[0], &a[0], &a[1]) - c[1].set(wt0) -} - -func wfp2MulByNonResidueAssign(a *wfe2) { - wt0 := &wfe{} - wadd(wt0, &a[0], &a[1]) - wsub(&a[0], &a[0], &a[1]) - a[1].set(wt0) -} - -var wfp2Mul func(c *wfe2, a, b *fe2) = wfp2MulGeneric -var wfp2Square func(c *wfe2, a *fe2) = wfp2SquareGeneric diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/fr.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/fr.go deleted file mode 100644 index 6f4694d35..000000000 --- a/component/kmscrypto/internal/third_party/kilic/bls12-381/fr.go +++ /dev/null 
@@ -1,399 +0,0 @@ -package bls12381 - -import ( - "crypto/rand" - "io" - "math/big" - "math/bits" -) - -const frByteSize = 32 -const frBitSize = 255 -const frNumberOfLimbs = 4 -const fourWordBitSize = 256 - -type Fr [4]uint64 -type wideFr [8]uint64 - -func NewFr() *Fr { - return &Fr{} -} - -func (e *Fr) Rand(r io.Reader) (*Fr, error) { - bi, err := rand.Int(r, qBig) - if err != nil { - return nil, err - } - _ = e.fromBig(bi) - return e, nil -} - -func (e *Fr) Set(e2 *Fr) *Fr { - e[0] = e2[0] - e[1] = e2[1] - e[2] = e2[2] - e[3] = e2[3] - return e -} - -func (e *Fr) Zero() *Fr { - e[0] = 0 - e[1] = 0 - e[2] = 0 - e[3] = 0 - return e -} - -func (e *Fr) One() *Fr { - e.Set(&Fr{1}) - return e -} - -func (e *Fr) RedOne() *Fr { - e.Set(qr1) - return e -} - -func (e *Fr) FromBytes(in []byte) *Fr { - e.fromBytes(in) - return e -} - -func (e *Fr) RedFromBytes(in []byte) *Fr { - e.fromBytes(in) - e.toMont() - return e -} - -func (e *Fr) fromBytes(in []byte) *Fr { - u := new(big.Int).SetBytes(in) - _ = e.fromBig(u) - return e -} - -func (e *Fr) fromBig(in *big.Int) *Fr { - e.Zero() - _in := new(big.Int).Set(in) - zero := new(big.Int) - c0 := _in.Cmp(zero) - c1 := _in.Cmp(qBig) - if c0 == -1 || c1 == 1 { - _in.Mod(_in, qBig) - } - - words := _in.Bits() // a little-endian Word slice - if bits.UintSize == 64 { // in the 64-bit architecture - for i := 0; i < len(words); i++ { - e[i] = uint64(words[i]) - } - } else { // in the 32-bit architecture - for i := 0; i < len(e); i++ { - j := i * 2 - if j+1 < len(words) { - e[i] = uint64(words[j+1])<<32 | uint64(words[j]) - } else if j < len(words) { - e[i] = uint64(words[j]) - } else { - e[i] = uint64(0) - } - } - } - - return e -} - -func (e *Fr) setUint64(n uint64) *Fr { - e.Zero() - e[0] = n - return e -} - -func (e *Fr) ToBytes() []byte { - return NewFr().Set(e).bytes() -} - -func (e *Fr) RedToBytes() []byte { - out := NewFr().Set(e) - out.fromMont() - return out.bytes() -} - -func (e *Fr) ToBig() *big.Int { - return 
new(big.Int).SetBytes(e.ToBytes()) -} - -func (e *Fr) RedToBig() *big.Int { - return new(big.Int).SetBytes(e.RedToBytes()) -} - -func (e *Fr) bytes() []byte { - out := make([]byte, frByteSize) - var a int - for i := 0; i < frNumberOfLimbs; i++ { - a = frByteSize - i*8 - out[a-1] = byte(e[i]) - out[a-2] = byte(e[i] >> 8) - out[a-3] = byte(e[i] >> 16) - out[a-4] = byte(e[i] >> 24) - out[a-5] = byte(e[i] >> 32) - out[a-6] = byte(e[i] >> 40) - out[a-7] = byte(e[i] >> 48) - out[a-8] = byte(e[i] >> 56) - } - return out -} - -func (e *Fr) IsZero() bool { - return (e[3] | e[2] | e[1] | e[0]) == 0 -} - -func (e *Fr) IsOne() bool { - return e.Equal(&Fr{1}) -} - -func (e *Fr) IsRedOne() bool { - return e.Equal(qr1) -} - -func (e *Fr) Equal(e2 *Fr) bool { - return e2[0] == e[0] && e2[1] == e[1] && e2[2] == e[2] && e2[3] == e[3] -} - -func (e *Fr) Cmp(e1 *Fr) int { - for i := frNumberOfLimbs - 1; i >= 0; i-- { - if e[i] > e1[i] { - return 1 - } else if e[i] < e1[i] { - return -1 - } - } - return 0 -} - -func (e *Fr) sliceUint64(from int) uint64 { - if from < 64 { - return e[0]>>from | e[1]<<(64-from) - } else if from < 128 { - return e[1]>>(from-64) | e[2]<<(128-from) - } else if from < 192 { - return e[2]>>(from-128) | e[3]<<(192-from) - } - return e[3] >> (from - 192) -} - -func (e *Fr) div2() { - e[0] = e[0]>>1 | e[1]<<63 - e[1] = e[1]>>1 | e[2]<<63 - e[2] = e[2]>>1 | e[3]<<63 - e[3] = e[3] >> 1 -} - -func (e *Fr) mul2() uint64 { - c := e[3] >> 63 - e[3] = e[3]<<1 | e[2]>>63 - e[2] = e[2]<<1 | e[1]>>63 - e[1] = e[1]<<1 | e[0]>>63 - e[0] = e[0] << 1 - return c -} - -func (e *Fr) isEven() bool { - var mask uint64 = 1 - return e[0]&mask == 0 -} - -func (e *Fr) Bit(at int) bool { - if at < 64 { - return (e[0]>>at)&1 == 1 - } else if at < 128 { - return (e[1]>>(at-64))&1 == 1 - } else if at < 192 { - return (e[2]>>(at-128))&1 == 1 - } else if at < 256 { - return (e[3]>>(at-192))&1 == 1 - } - return false -} - -func (e *Fr) toMont() { - e.RedMul(e, qr2) -} - -func (e *Fr) 
fromMont() { - e.RedMul(e, &Fr{1}) -} - -func (e *Fr) FromRed() { - e.fromMont() -} - -func (e *Fr) ToRed() { - e.toMont() -} - -func (e *Fr) Add(a, b *Fr) { - addFR(e, a, b) -} - -func (e *Fr) Double(a *Fr) { - doubleFR(e, a) -} - -func (e *Fr) Sub(a, b *Fr) { - subFR(e, a, b) -} - -func (e *Fr) Neg(a *Fr) { - negFR(e, a) -} - -func (e *Fr) Mul(a, b *Fr) { - e.RedMul(a, b) - e.toMont() -} - -func (e *Fr) RedMul(a, b *Fr) { - mulFR(e, a, b) -} - -func (e *Fr) Square(a *Fr) { - e.RedSquare(a) - e.toMont() -} - -func (e *Fr) RedSquare(a *Fr) { - squareFR(e, a) -} - -func (e *Fr) RedExp(a *Fr, ee *big.Int) { - z := new(Fr).RedOne() - for i := ee.BitLen(); i >= 0; i-- { - z.RedSquare(z) - if ee.Bit(i) == 1 { - z.RedMul(z, a) - } - } - e.Set(z) -} - -func (e *Fr) Exp(a *Fr, ee *big.Int) { - e.Set(a).toMont() - e.RedExp(e, ee) - e.fromMont() - -} - -func (e *Fr) Inverse(a *Fr) { - e.Set(a).toMont() - e.RedInverse(e) - e.fromMont() -} - -func (e *Fr) RedInverse(ei *Fr) { - if ei.IsZero() { - e.Zero() - return - } - u := new(Fr).Set(&q) - v := new(Fr).Set(ei) - s := &Fr{1} - r := &Fr{0} - var k int - var z uint64 - var found = false - // Phase 1 - for i := 0; i < fourWordBitSize*2; i++ { - if v.IsZero() { - found = true - break - } - if u.isEven() { - u.div2() - s.mul2() - } else if v.isEven() { - v.div2() - z += r.mul2() - } else if u.Cmp(v) == 1 { - lsubAssignFR(u, v) - u.div2() - laddAssignFR(r, s) - s.mul2() - } else { - lsubAssignFR(v, u) - v.div2() - laddAssignFR(s, r) - z += r.mul2() - } - k += 1 - } - - if !found { - e.Zero() - return - } - - if k < frBitSize || k > frBitSize+fourWordBitSize { - e.Zero() - return - } - - if r.Cmp(&q) != -1 || z > 0 { - lsubAssignFR(r, &q) - } - u.Set(&q) - lsubAssignFR(u, r) - - // Phase 2 - for i := k; i < 2*fourWordBitSize; i++ { - doubleFR(u, u) - } - e.Set(u) -} - -func (ew *wideFr) mul(a, b *Fr) { - wmulFR(ew, a, b) -} - -func (ew *wideFr) add(a *wideFr) { - waddFR(ew, a) -} - -func (ew *wideFr) round() *Fr { - ew.add(halfR) - 
return ew.high() -} - -func (ew *wideFr) high() *Fr { - e := new(Fr) - e[0] = ew[4] - e[1] = ew[5] - e[2] = ew[6] - e[3] = ew[7] - return e -} - -func (ew *wideFr) low() *Fr { - e := new(Fr) - e[0] = ew[0] - e[1] = ew[1] - e[2] = ew[2] - e[3] = ew[3] - return e -} - -func (e *wideFr) bytes() []byte { - out := make([]byte, frByteSize*2) - var a int - for i := 0; i < frNumberOfLimbs*2; i++ { - a = frByteSize*2 - i*8 - out[a-1] = byte(e[i]) - out[a-2] = byte(e[i] >> 8) - out[a-3] = byte(e[i] >> 16) - out[a-4] = byte(e[i] >> 24) - out[a-5] = byte(e[i] >> 32) - out[a-6] = byte(e[i] >> 40) - out[a-7] = byte(e[i] >> 48) - out[a-8] = byte(e[i] >> 56) - } - return out -} diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/fr_arithmetic_x86.s b/component/kmscrypto/internal/third_party/kilic/bls12-381/fr_arithmetic_x86.s deleted file mode 100644 index 0c421a021..000000000 --- a/component/kmscrypto/internal/third_party/kilic/bls12-381/fr_arithmetic_x86.s +++ /dev/null 
@@ -1,1411 +0,0 @@ -// +build amd64,!generic - -#include "textflag.h" -#include "funcdata.h" - - -// func addFR(c *[4]uint64, a *[4]uint64, b *[4]uint64) -TEXT ·addFR(SB), NOSPLIT, $0-24 - // | - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - - // | - MOVQ (DI), CX - MOVQ 8(DI), DX - MOVQ 16(DI), R8 - MOVQ 24(DI), R9 - ADDQ (SI), CX - ADCQ 8(SI), DX - ADCQ 16(SI), R8 - ADCQ 24(SI), R9 - - // | - MOVQ CX, R10 - MOVQ DX, R11 - MOVQ R8, R12 - MOVQ R9, R13 - SUBQ ·q+0(SB), R10 - SBBQ ·q+8(SB), R11 - SBBQ ·q+16(SB), R12 - SBBQ ·q+24(SB), R13 - - // | - MOVQ c+0(FP), DI - CMOVQCC R10, CX - CMOVQCC R11, DX - CMOVQCC R12, R8 - CMOVQCC R13, R9 - MOVQ CX, (DI) - MOVQ DX, 8(DI) - MOVQ R8, 16(DI) - MOVQ R9, 24(DI) - RET -/* end */ - - -// func laddAssignFR(a *[4]uint64, b *[4]uint64) -TEXT ·laddAssignFR(SB), NOSPLIT, $0-16 - // | - MOVQ a+0(FP), DI - MOVQ b+8(FP), SI - - // | - MOVQ (DI), CX - MOVQ 8(DI), DX - MOVQ 16(DI), R8 - MOVQ 24(DI), R9 - ADDQ (SI), CX - ADCQ 8(SI), DX - ADCQ 16(SI), R8 - ADCQ 24(SI), R9 - MOVQ CX, (DI) - MOVQ DX, 8(DI) - MOVQ R8, 16(DI) - MOVQ R9, 24(DI) - RET -/* end */ - - -// func doubleFR(c *[4]uint64, a *[4]uint64) -TEXT ·doubleFR(SB), NOSPLIT, $0-16 - // | - MOVQ a+8(FP), DI - - MOVQ (DI), CX - MOVQ 8(DI), DX - MOVQ 16(DI), SI - MOVQ 24(DI), R8 - ADDQ CX, CX - ADCQ DX, DX - ADCQ SI, SI - ADCQ R8, R8 - - // | - MOVQ CX, R9 - MOVQ DX, R10 - MOVQ SI, R11 - MOVQ R8, R12 - SUBQ ·q+0(SB), R9 - SBBQ ·q+8(SB), R10 - SBBQ ·q+16(SB), R11 - SBBQ ·q+24(SB), R12 - - // | - MOVQ c+0(FP), DI - CMOVQCC R9, CX - CMOVQCC R10, DX - CMOVQCC R11, SI - CMOVQCC R12, R8 - MOVQ CX, (DI) - MOVQ DX, 8(DI) - MOVQ SI, 16(DI) - MOVQ R8, 24(DI) - RET -/* end */ - - -// func subFR(c *[4]uint64, a *[4]uint64, b *[4]uint64) -TEXT ·subFR(SB), NOSPLIT, $0-24 - // | - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - XORQ AX, AX - - MOVQ (DI), CX - MOVQ 8(DI), DX - MOVQ 16(DI), R8 - MOVQ 24(DI), R9 - SUBQ (SI), CX - SBBQ 8(SI), DX - SBBQ 16(SI), R8 - SBBQ 24(SI), R9 - - // | - MOVQ ·q+0(SB), SI - MOVQ 
·q+8(SB), R10 - MOVQ ·q+16(SB), R11 - MOVQ ·q+24(SB), R12 - CMOVQCC AX, SI - CMOVQCC AX, R10 - CMOVQCC AX, R11 - CMOVQCC AX, R12 - - // | - ADDQ SI, CX - ADCQ R10, DX - ADCQ R11, R8 - ADCQ R12, R9 - - MOVQ c+0(FP), DI - MOVQ CX, (DI) - MOVQ DX, 8(DI) - MOVQ R8, 16(DI) - MOVQ R9, 24(DI) - RET -/* end */ - - -// func lsubAssignFR(a *[4]uint64, b *[4]uint64) -TEXT ·lsubAssignFR(SB), NOSPLIT, $0-16 - // | - MOVQ a+0(FP), DI - MOVQ b+8(FP), SI - - MOVQ (DI), CX - MOVQ 8(DI), DX - MOVQ 16(DI), R8 - MOVQ 24(DI), R9 - SUBQ (SI), CX - SBBQ 8(SI), DX - SBBQ 16(SI), R8 - SBBQ 24(SI), R9 - MOVQ CX, (DI) - MOVQ DX, 8(DI) - MOVQ R8, 16(DI) - MOVQ R9, 24(DI) - RET -/* end */ - - -// func _negFR(c *[4]uint64, a *[4]uint64) -TEXT ·_negFR(SB), NOSPLIT, $0-16 - // | - MOVQ a+8(FP), DI - - // | - MOVQ ·q+0(SB), CX - SUBQ (DI), CX - MOVQ ·q+8(SB), DX - SBBQ 8(DI), DX - MOVQ ·q+16(SB), SI - SBBQ 16(DI), SI - MOVQ ·q+24(SB), R8 - SBBQ 24(DI), R8 - - // | - MOVQ c+0(FP), DI - MOVQ CX, (DI) - MOVQ DX, 8(DI) - MOVQ SI, 16(DI) - MOVQ R8, 24(DI) - RET -/* end */ - - -// func mulFR(c *[4]uint64, a *[4]uint64, b *[4]uint64) -TEXT ·mulNoADXFR(SB), NOSPLIT, $0-24 - // | - -/* inputs */ - - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - MOVQ $0x00, R10 - MOVQ $0x00, R11 - MOVQ $0x00, R12 - MOVQ $0x00, R13 - MOVQ $0x00, R14 - - // | - -/* i = 0 */ - - // | a0 @ CX - MOVQ (DI), CX - - // | a0 * b0 - MOVQ (SI), AX - MULQ CX - MOVQ AX, R8 - MOVQ DX, R9 - - // | a0 * b1 - MOVQ 8(SI), AX - MULQ CX - ADDQ AX, R9 - ADCQ DX, R10 - - // | a0 * b2 - MOVQ 16(SI), AX - MULQ CX - ADDQ AX, R10 - ADCQ DX, R11 - - // | a0 * b3 - MOVQ 24(SI), AX - MULQ CX - ADDQ AX, R11 - ADCQ DX, R12 - - // | - -/* i = 1 */ - - // | a1 @ CX - MOVQ 8(DI), CX - MOVQ $0x00, BX - - // | a1 * b0 - MOVQ (SI), AX - MULQ CX - ADDQ AX, R9 - ADCQ DX, R10 - ADCQ $0x00, R11 - ADCQ $0x00, BX - - // | a1 * b1 - MOVQ 8(SI), AX - MULQ CX - ADDQ AX, R10 - ADCQ DX, R11 - ADCQ BX, R12 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a1 * b2 - MOVQ 16(SI), AX - 
MULQ CX - ADDQ AX, R11 - ADCQ DX, R12 - ADCQ BX, R13 - - // | a1 * b3 - MOVQ 24(SI), AX - MULQ CX - ADDQ AX, R12 - ADCQ DX, R13 - - // | - -/* i = 2 */ - - // | a2 @ CX - MOVQ 16(DI), CX - MOVQ $0x00, BX - - // | a2 * b0 - MOVQ (SI), AX - MULQ CX - ADDQ AX, R10 - ADCQ DX, R11 - ADCQ $0x00, R12 - ADCQ $0x00, BX - - // | a2 * b1 - MOVQ 8(SI), AX - MULQ CX - ADDQ AX, R11 - ADCQ DX, R12 - ADCQ BX, R13 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a2 * b2 - MOVQ 16(SI), AX - MULQ CX - ADDQ AX, R12 - ADCQ DX, R13 - ADCQ BX, R14 - - // | a2 * b3 - MOVQ 24(SI), AX - MULQ CX - ADDQ AX, R13 - ADCQ DX, R14 - - // | - -/* i = 3 */ - - // | a3 @ CX - MOVQ 24(DI), CX - MOVQ $0x00, BX - - // | a3 * b0 - MOVQ (SI), AX - MULQ CX - ADDQ AX, R11 - ADCQ DX, R12 - ADCQ $0x00, R13 - ADCQ $0x00, BX - - // | a3 * b1 - MOVQ 8(SI), AX - MULQ CX - ADDQ AX, R12 - ADCQ DX, R13 - ADCQ BX, R14 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a3 * b2 - MOVQ 16(SI), AX - MULQ CX - ADDQ AX, R13 - ADCQ DX, R14 - ADCQ $0x00, BX - - // | a3 * b3 - MOVQ 24(SI), AX - MULQ CX - ADDQ AX, R14 - ADCQ DX, BX - - // | - -/* */ - - // | - // | W - // | 0 R8 | 1 R9 | 2 R10 | 3 R11 - // | 4 R12 | 5 R13 | 6 R14 | 7 BX - - - // | - -/* montgomery reduction */ - - // | - -/* i = 0 */ - - // | - // | W - // | 0 R8 | 1 R9 | 2 R10 | 3 R11 - // | 4 R12 | 5 R13 | 6 R14 | 7 BX - - - // | | u0 = w0 * inp - MOVQ R8, AX - MULQ ·qinp+0(SB) - MOVQ AX, DI - MOVQ $0x00, CX - - // | - -/* */ - - // | j0 - - // | w0 @ R8 - MOVQ ·q+0(SB), AX - MULQ DI - ADDQ AX, R8 - ADCQ DX, CX - - // | j1 - - // | w1 @ R9 - MOVQ ·q+8(SB), AX - MULQ DI - ADDQ AX, R9 - ADCQ $0x00, DX - ADDQ CX, R9 - MOVQ $0x00, CX - ADCQ DX, CX - - // | j2 - - // | w2 @ R10 - MOVQ ·q+16(SB), AX - MULQ DI - ADDQ AX, R10 - ADCQ $0x00, DX - ADDQ CX, R10 - MOVQ $0x00, CX - ADCQ DX, CX - - // | j3 - - // | w3 @ R11 - MOVQ ·q+24(SB), AX - MULQ DI - ADDQ AX, R11 - ADCQ $0x00, DX - ADDQ CX, R11 - - // | w4 @ R12 - ADCQ DX, R12 - ADCQ $0x00, R8 - - // | - -/* i = 1 */ - - // | - // 
| W - // | 0 - | 1 R9 | 2 R10 | 3 R11 - // | 4 R12 | 5 R13 | 6 R14 | 7 BX - - - // | | u1 = w1 * inp - MOVQ R9, AX - MULQ ·qinp+0(SB) - MOVQ AX, DI - MOVQ $0x00, CX - - // | - -/* */ - - // | j0 - - // | w1 @ R9 - MOVQ ·q+0(SB), AX - MULQ DI - ADDQ AX, R9 - ADCQ DX, CX - - // | j1 - - // | w2 @ R10 - MOVQ ·q+8(SB), AX - MULQ DI - ADDQ AX, R10 - ADCQ $0x00, DX - ADDQ CX, R10 - MOVQ $0x00, CX - ADCQ DX, CX - - // | j2 - - // | w3 @ R11 - MOVQ ·q+16(SB), AX - MULQ DI - ADDQ AX, R11 - ADCQ $0x00, DX - ADDQ CX, R11 - MOVQ $0x00, CX - ADCQ DX, CX - - // | j3 - - // | w4 @ R12 - MOVQ ·q+24(SB), AX - MULQ DI - ADDQ AX, R12 - ADCQ DX, R8 - ADDQ CX, R12 - - // | w5 @ R13 - ADCQ R8, R13 - MOVQ $0x00, R8 - ADCQ $0x00, R8 - - // | - -/* i = 2 */ - - // | - // | W - // | 0 - | 1 - | 2 R10 | 3 R11 - // | 4 R12 | 5 R13 | 6 R14 | 7 BX - - - // | | u2 = w2 * inp - MOVQ R10, AX - MULQ ·qinp+0(SB) - MOVQ AX, DI - MOVQ $0x00, CX - - // | - -/* */ - - // | j0 - - // | w2 @ R10 - MOVQ ·q+0(SB), AX - MULQ DI - ADDQ AX, R10 - ADCQ DX, CX - - // | j1 - - // | w3 @ R11 - MOVQ ·q+8(SB), AX - MULQ DI - ADDQ AX, R11 - ADCQ $0x00, DX - ADDQ CX, R11 - MOVQ $0x00, CX - ADCQ DX, CX - - // | j2 - - // | w4 @ R12 - MOVQ ·q+16(SB), AX - MULQ DI - ADDQ AX, R12 - ADCQ $0x00, DX - ADDQ CX, R12 - MOVQ $0x00, CX - ADCQ DX, CX - - // | j3 - - // | w5 @ R13 - MOVQ ·q+24(SB), AX - MULQ DI - ADDQ AX, R13 - ADCQ DX, R8 - ADDQ CX, R13 - - // | w6 @ R14 - ADCQ R8, R14 - MOVQ $0x00, R8 - ADCQ $0x00, R8 - - // | - -/* i = 3 */ - - // | - // | W - // | 0 - | 1 - | 2 - | 3 R11 - // | 4 R12 | 5 R13 | 6 R14 | 7 BX - - - // | | u3 = w3 * inp - MOVQ R11, AX - MULQ ·qinp+0(SB) - MOVQ AX, DI - MOVQ $0x00, CX - - // | - -/* */ - - // | j0 - - // | w3 @ R11 - MOVQ ·q+0(SB), AX - MULQ DI - ADDQ AX, R11 - ADCQ DX, CX - - // | j1 - - // | w4 @ R12 - MOVQ ·q+8(SB), AX - MULQ DI - ADDQ AX, R12 - ADCQ $0x00, DX - ADDQ CX, R12 - MOVQ $0x00, CX - ADCQ DX, CX - - // | j2 - - // | w5 @ R13 - MOVQ ·q+16(SB), AX - MULQ DI - ADDQ AX, R13 
- ADCQ $0x00, DX - ADDQ CX, R13 - MOVQ $0x00, CX - ADCQ DX, CX - - // | j3 - - // | w6 @ R14 - MOVQ ·q+24(SB), AX - MULQ DI - ADDQ AX, R14 - ADCQ DX, R8 - ADDQ CX, R14 - - // | w-1 @ BX - ADCQ R8, BX - MOVQ $0x00, R8 - ADCQ $0x00, R8 - - // | - // | W montgomerry reduction ends - // | 0 - | 1 - | 2 - | 3 - - // | 4 R12 | 5 R13 | 6 R14 | 7 BX - - - // | - -/* modular reduction */ - - MOVQ R12, SI - SUBQ ·q+0(SB), SI - MOVQ R13, R9 - SBBQ ·q+8(SB), R9 - MOVQ R14, R10 - SBBQ ·q+16(SB), R10 - MOVQ BX, R11 - SBBQ ·q+24(SB), R11 - SBBQ $0x00, R8 - - // | - -/* out */ - - MOVQ c+0(FP), R8 - CMOVQCC SI, R12 - MOVQ R12, (R8) - CMOVQCC R9, R13 - MOVQ R13, 8(R8) - CMOVQCC R10, R14 - MOVQ R14, 16(R8) - CMOVQCC R11, BX - MOVQ BX, 24(R8) - RET -/* end */ - - -// func mulFR(c *[4]uint64, a *[4]uint64, b *[4]uint64) -TEXT ·mulADXFR(SB), NOSPLIT, $0-24 - // | - -/* inputs */ - - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - XORQ AX, AX - - // | - -/* i = 0 */ - - // | a0 @ DX - MOVQ (DI), DX - - // | a0 * b0 - MULXQ (SI), CX, R8 - - // | a0 * b1 - MULXQ 8(SI), AX, R9 - ADCXQ AX, R8 - - // | a0 * b2 - MULXQ 16(SI), AX, R10 - ADCXQ AX, R9 - - // | a0 * b3 - MULXQ 24(SI), AX, R11 - ADCXQ AX, R10 - ADCQ $0x00, R11 - - // | - -/* i = 1 */ - - // | a1 @ DX - MOVQ 8(DI), DX - XORQ R12, R12 - - // | a1 * b0 - MULXQ (SI), AX, BX - ADOXQ AX, R8 - ADCXQ BX, R9 - - // | a1 * b1 - MULXQ 8(SI), AX, BX - ADOXQ AX, R9 - ADCXQ BX, R10 - - // | a1 * b2 - MULXQ 16(SI), AX, BX - ADOXQ AX, R10 - ADCXQ BX, R11 - - // | a1 * b3 - MULXQ 24(SI), AX, BX - ADOXQ AX, R11 - ADOXQ R12, R12 - ADCXQ BX, R12 - - // | - -/* i = 2 */ - - // | a2 @ DX - MOVQ 16(DI), DX - XORQ R13, R13 - - // | a2 * b0 - MULXQ (SI), AX, BX - ADOXQ AX, R9 - ADCXQ BX, R10 - - // | a2 * b1 - MULXQ 8(SI), AX, BX - ADOXQ AX, R10 - ADCXQ BX, R11 - - // | a2 * b2 - MULXQ 16(SI), AX, BX - ADOXQ AX, R11 - ADCXQ BX, R12 - - // | a2 * b3 - MULXQ 24(SI), AX, BX - ADOXQ AX, R12 - ADOXQ R13, R13 - ADCXQ BX, R13 - - // | - -/* i = 3 */ - - // | a3 @ DX - 
MOVQ 24(DI), DX - XORQ DI, DI - - // | a3 * b0 - MULXQ (SI), AX, BX - ADOXQ AX, R10 - ADCXQ BX, R11 - - // | a3 * b1 - MULXQ 8(SI), AX, BX - ADOXQ AX, R11 - ADCXQ BX, R12 - - // | a3 * b2 - MULXQ 16(SI), AX, BX - ADOXQ AX, R12 - ADCXQ BX, R13 - - // | a3 * b3 - MULXQ 24(SI), AX, BX - ADOXQ AX, R13 - ADOXQ BX, DI - ADCQ $0x00, DI - - // | - -/* */ - - // | - // | W - // | 0 CX | 1 R8 | 2 R9 | 3 R10 - // | 4 R11 | 5 R12 | 6 R13 | 7 DI - - - // | - // | W ready to mont - // | 0 CX | 1 R8 | 2 R9 | 3 R10 - // | 4 R11 | 5 R12 | 6 R13 | 7 DI - - - // | - -/* montgomery reduction */ - - // | clear flags - XORQ AX, AX - - // | - -/* i = 0 */ - - // | - // | W - // | 0 CX | 1 R8 | 2 R9 | 3 R10 - // | 4 R11 | 5 R12 | 6 R13 | 7 DI - - - // | | u0 = w0 * inp - MOVQ CX, DX - MULXQ ·qinp+0(SB), DX, BX - - // | - -/* */ - - // | j0 - - // | w0 @ CX - MULXQ ·q+0(SB), AX, BX - ADOXQ AX, CX - ADCXQ BX, R8 - - // | j1 - - // | w1 @ R8 - MULXQ ·q+8(SB), AX, BX - ADOXQ AX, R8 - ADCXQ BX, R9 - - // | j2 - - // | w2 @ R9 - MULXQ ·q+16(SB), AX, BX - ADOXQ AX, R9 - ADCXQ BX, R10 - - // | j3 - - // | w3 @ R10 - MULXQ ·q+24(SB), AX, BX - ADOXQ AX, R10 - ADCXQ BX, R11 - ADOXQ CX, R11 - ADCXQ CX, CX - MOVQ $0x00, AX - ADOXQ AX, CX - - // | clear flags - XORQ AX, AX - - // | - -/* i = 1 */ - - // | - // | W - // | 0 - | 1 R8 | 2 R9 | 3 R10 - // | 4 R11 | 5 R12 | 6 R13 | 7 DI - - - // | | u1 = w1 * inp - MOVQ R8, DX - MULXQ ·qinp+0(SB), DX, BX - - // | - -/* */ - - // | j0 - - // | w1 @ R8 - MULXQ ·q+0(SB), AX, BX - ADOXQ AX, R8 - ADCXQ BX, R9 - - // | j1 - - // | w2 @ R9 - MULXQ ·q+8(SB), AX, BX - ADOXQ AX, R9 - ADCXQ BX, R10 - - // | j2 - - // | w3 @ R10 - MULXQ ·q+16(SB), AX, BX - ADOXQ AX, R10 - ADCXQ BX, R11 - - // | j3 - - // | w4 @ R11 - MULXQ ·q+24(SB), AX, BX - ADOXQ AX, R11 - ADCXQ BX, R12 - ADOXQ CX, R12 - ADCXQ R8, R8 - MOVQ $0x00, AX - ADOXQ AX, R8 - - // | clear flags - XORQ AX, AX - - // | - -/* i = 2 */ - - // | - // | W - // | 0 - | 1 - | 2 R9 | 3 R10 - // | 4 R11 | 5 R12 | 6 R13 
| 7 DI - - - // | | u2 = w2 * inp - MOVQ R9, DX - MULXQ ·qinp+0(SB), DX, BX - - // | - -/* */ - - // | j0 - - // | w2 @ R9 - MULXQ ·q+0(SB), AX, BX - ADOXQ AX, R9 - ADCXQ BX, R10 - - // | j1 - - // | w3 @ R10 - MULXQ ·q+8(SB), AX, BX - ADOXQ AX, R10 - ADCXQ BX, R11 - - // | j2 - - // | w4 @ R11 - MULXQ ·q+16(SB), AX, BX - ADOXQ AX, R11 - ADCXQ BX, R12 - - // | j3 - - // | w5 @ R12 - MULXQ ·q+24(SB), AX, BX - ADOXQ AX, R12 - ADCXQ BX, R13 - ADOXQ R8, R13 - ADCXQ R9, R9 - MOVQ $0x00, AX - ADOXQ AX, R9 - - // | clear flags - XORQ AX, AX - - // | - -/* i = 3 */ - - // | - // | W - // | 0 - | 1 - | 2 - | 3 R10 - // | 4 R11 | 5 R12 | 6 R13 | 7 DI - - - // | | u3 = w3 * inp - MOVQ R10, DX - MULXQ ·qinp+0(SB), DX, BX - - // | - -/* */ - - // | j0 - - // | w3 @ R10 - MULXQ ·q+0(SB), AX, BX - ADOXQ AX, R10 - ADCXQ BX, R11 - - // | j1 - - // | w4 @ R11 - MULXQ ·q+8(SB), AX, BX - ADOXQ AX, R11 - ADCXQ BX, R12 - - // | j2 - - // | w5 @ R12 - MULXQ ·q+16(SB), AX, BX - ADOXQ AX, R12 - ADCXQ BX, R13 - - // | j3 - - // | w6 @ R13 - MULXQ ·q+24(SB), AX, BX - ADOXQ AX, R13 - ADCXQ BX, DI - ADOXQ R9, DI - ADCXQ R10, R10 - MOVQ $0x00, AX - ADOXQ AX, R10 - - // | - // | W montgomery reduction ends - // | 0 - | 1 - | 2 - | 3 - - // | 4 R11 | 5 R12 | 6 R13 | 7 DI - - - // | - -/* modular reduction */ - - MOVQ R11, CX - SUBQ ·q+0(SB), CX - MOVQ R12, AX - SBBQ ·q+8(SB), AX - MOVQ R13, BX - SBBQ ·q+16(SB), BX - MOVQ DI, SI - SBBQ ·q+24(SB), SI - SBBQ $0x00, R10 - - // | - -/* out */ - - MOVQ c+0(FP), R10 - CMOVQCC CX, R11 - MOVQ R11, (R10) - CMOVQCC AX, R12 - MOVQ R12, 8(R10) - CMOVQCC BX, R13 - MOVQ R13, 16(R10) - CMOVQCC SI, DI - MOVQ DI, 24(R10) - RET -/* end */ - - -TEXT ·waddFR(SB), NOSPLIT, $0-16 - // | - MOVQ a+0(FP), DI - MOVQ b+8(FP), SI - - // | - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - MOVQ 40(DI), R13 - MOVQ 48(DI), R14 - MOVQ 56(DI), R15 - - // | - ADDQ (SI), R8 - ADCQ 8(SI), R9 - ADCQ 16(SI), R10 - ADCQ 24(SI), R11 - ADCQ 
32(SI), R12 - ADCQ 40(SI), R13 - ADCQ 48(SI), R14 - ADCQ 56(SI), R15 - - // | - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ R12, 32(DI) - MOVQ R13, 40(DI) - MOVQ R14, 48(DI) - MOVQ R15, 56(DI) - RET -/* end */ - -// func wmulNoADXFR(c *[8]uint64, a *[4]uint64, b *[4]uint64) -TEXT ·wmulNoADXFR(SB), NOSPLIT, $0-24 - // | - -/* inputs */ - - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - MOVQ $0x00, R10 - MOVQ $0x00, R11 - MOVQ $0x00, R12 - MOVQ $0x00, R13 - MOVQ $0x00, R14 - - // | - -/* i = 0 */ - - // | a0 @ CX - MOVQ (DI), CX - - // | a0 * b0 - MOVQ (SI), AX - MULQ CX - MOVQ AX, R8 - MOVQ DX, R9 - - // | a0 * b1 - MOVQ 8(SI), AX - MULQ CX - ADDQ AX, R9 - ADCQ DX, R10 - - // | a0 * b2 - MOVQ 16(SI), AX - MULQ CX - ADDQ AX, R10 - ADCQ DX, R11 - - // | a0 * b3 - MOVQ 24(SI), AX - MULQ CX - ADDQ AX, R11 - ADCQ DX, R12 - - // | - -/* i = 1 */ - - // | a1 @ CX - MOVQ 8(DI), CX - MOVQ $0x00, BX - - // | a1 * b0 - MOVQ (SI), AX - MULQ CX - ADDQ AX, R9 - ADCQ DX, R10 - ADCQ $0x00, R11 - ADCQ $0x00, BX - - // | a1 * b1 - MOVQ 8(SI), AX - MULQ CX - ADDQ AX, R10 - ADCQ DX, R11 - ADCQ BX, R12 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a1 * b2 - MOVQ 16(SI), AX - MULQ CX - ADDQ AX, R11 - ADCQ DX, R12 - ADCQ BX, R13 - - // | a1 * b3 - MOVQ 24(SI), AX - MULQ CX - ADDQ AX, R12 - ADCQ DX, R13 - - // | - -/* i = 2 */ - - // | a2 @ CX - MOVQ 16(DI), CX - MOVQ $0x00, BX - - // | a2 * b0 - MOVQ (SI), AX - MULQ CX - ADDQ AX, R10 - ADCQ DX, R11 - ADCQ $0x00, R12 - ADCQ $0x00, BX - - // | a2 * b1 - MOVQ 8(SI), AX - MULQ CX - ADDQ AX, R11 - ADCQ DX, R12 - ADCQ BX, R13 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a2 * b2 - MOVQ 16(SI), AX - MULQ CX - ADDQ AX, R12 - ADCQ DX, R13 - ADCQ BX, R14 - - // | a2 * b3 - MOVQ 24(SI), AX - MULQ CX - ADDQ AX, R13 - ADCQ DX, R14 - - // | - -/* i = 3 */ - - // | a3 @ CX - MOVQ 24(DI), CX - MOVQ $0x00, BX - - // | a3 * b0 - MOVQ (SI), AX - MULQ CX - ADDQ AX, R11 - ADCQ DX, R12 - ADCQ $0x00, R13 - ADCQ $0x00, BX - - // | a3 * b1 - 
MOVQ 8(SI), AX - MULQ CX - ADDQ AX, R12 - ADCQ DX, R13 - ADCQ BX, R14 - MOVQ $0x00, BX - ADCQ $0x00, BX - - // | a3 * b2 - MOVQ 16(SI), AX - MULQ CX - ADDQ AX, R13 - ADCQ DX, R14 - ADCQ $0x00, BX - - // | a3 * b3 - MOVQ 24(SI), AX - MULQ CX - ADDQ AX, R14 - ADCQ DX, BX - - // | - -/* */ - - // | - // | W - // | 0 R8 | 1 R9 | 2 R10 | 3 R11 - // | 4 R12 | 5 R13 | 6 R14 | 7 BX - - MOVQ c+0(FP), AX - MOVQ R8, (AX) - MOVQ R9, 8(AX) - MOVQ R10, 16(AX) - MOVQ R11, 24(AX) - MOVQ R12, 32(AX) - MOVQ R13, 40(AX) - MOVQ R14, 48(AX) - MOVQ BX, 56(AX) - - RET -/* end */ - - -// func wmulADXFR(c *[8]uint64, a *[4]uint64, b *[4]uint64) -TEXT ·wmulADXFR(SB), NOSPLIT, $0-24 - // | - -/* inputs */ - - MOVQ a+8(FP), DI - MOVQ b+16(FP), SI - XORQ AX, AX - - // | - -/* i = 0 */ - - // | a0 @ DX - MOVQ (DI), DX - - // | a0 * b0 - MULXQ (SI), CX, R8 - - // | a0 * b1 - MULXQ 8(SI), AX, R9 - ADCXQ AX, R8 - - // | a0 * b2 - MULXQ 16(SI), AX, R10 - ADCXQ AX, R9 - - // | a0 * b3 - MULXQ 24(SI), AX, R11 - ADCXQ AX, R10 - ADCQ $0x00, R11 - - // | - -/* i = 1 */ - - // | a1 @ DX - MOVQ 8(DI), DX - XORQ R12, R12 - - // | a1 * b0 - MULXQ (SI), AX, BX - ADOXQ AX, R8 - ADCXQ BX, R9 - - // | a1 * b1 - MULXQ 8(SI), AX, BX - ADOXQ AX, R9 - ADCXQ BX, R10 - - // | a1 * b2 - MULXQ 16(SI), AX, BX - ADOXQ AX, R10 - ADCXQ BX, R11 - - // | a1 * b3 - MULXQ 24(SI), AX, BX - ADOXQ AX, R11 - ADOXQ R12, R12 - ADCXQ BX, R12 - - // | - -/* i = 2 */ - - // | a2 @ DX - MOVQ 16(DI), DX - XORQ R13, R13 - - // | a2 * b0 - MULXQ (SI), AX, BX - ADOXQ AX, R9 - ADCXQ BX, R10 - - // | a2 * b1 - MULXQ 8(SI), AX, BX - ADOXQ AX, R10 - ADCXQ BX, R11 - - // | a2 * b2 - MULXQ 16(SI), AX, BX - ADOXQ AX, R11 - ADCXQ BX, R12 - - // | a2 * b3 - MULXQ 24(SI), AX, BX - ADOXQ AX, R12 - ADOXQ R13, R13 - ADCXQ BX, R13 - - // | - -/* i = 3 */ - - // | a3 @ DX - MOVQ 24(DI), DX - XORQ DI, DI - - // | a3 * b0 - MULXQ (SI), AX, BX - ADOXQ AX, R10 - ADCXQ BX, R11 - - // | a3 * b1 - MULXQ 8(SI), AX, BX - ADOXQ AX, R11 - ADCXQ BX, R12 - - // | a3 * 
b2 - MULXQ 16(SI), AX, BX - ADOXQ AX, R12 - ADCXQ BX, R13 - - // | a3 * b3 - MULXQ 24(SI), AX, BX - ADOXQ AX, R13 - ADOXQ BX, DI - ADCQ $0x00, DI - - // | - -/* */ - - // | - // | W - // | 0 CX | 1 R8 | 2 R9 | 3 R10 - // | 4 R11 | 5 R12 | 6 R13 | 7 DI - - - MOVQ c+0(FP), AX - MOVQ CX, (AX) - MOVQ R8, 8(AX) - MOVQ R9, 16(AX) - MOVQ R10, 24(AX) - MOVQ R11, 32(AX) - MOVQ R12, 40(AX) - MOVQ R13, 48(AX) - MOVQ DI, 56(AX) - - RET - -/* end */ \ No newline at end of file diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/fr_fallback.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/fr_fallback.go deleted file mode 100644 index 236d3cf3a..000000000 --- a/component/kmscrypto/internal/third_party/kilic/bls12-381/fr_fallback.go +++ /dev/null 
@@ -1,383 +0,0 @@ -// +build !amd64 generic - -// Copyright 2020 ConsenSys Software Inc. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Code generated by goff (v0.3.5) DO NOT EDIT - -// /!\ WARNING /!\ -// this code has not been audited and is provided as-is. In particular, -// there is no security guarantees such as constant time implementation -// or side-channel attack resistance -// /!\ WARNING /!\ - -package bls12381 - -import "math/bits" - -func addFR(z, x, y *Fr) { - var carry uint64 - - z[0], carry = bits.Add64(x[0], y[0], 0) - z[1], carry = bits.Add64(x[1], y[1], carry) - z[2], carry = bits.Add64(x[2], y[2], carry) - z[3], _ = bits.Add64(x[3], y[3], carry) - - // if z > q --> z -= q - // note: this is NOT constant time - if !(z[3] < 8353516859464449352 || (z[3] == 8353516859464449352 && (z[2] < 3691218898639771653 || (z[2] == 3691218898639771653 && (z[1] < 6034159408538082302 || (z[1] == 6034159408538082302 && (z[0] < 18446744069414584321))))))) { - var b uint64 - z[0], b = bits.Sub64(z[0], 18446744069414584321, 0) - z[1], b = bits.Sub64(z[1], 6034159408538082302, b) - z[2], b = bits.Sub64(z[2], 3691218898639771653, b) - z[3], _ = bits.Sub64(z[3], 8353516859464449352, b) - } -} - -func laddAssignFR(z, y *Fr) { - var carry uint64 - - z[0], carry = bits.Add64(z[0], y[0], 0) - z[1], carry = bits.Add64(z[1], y[1], carry) - z[2], carry = bits.Add64(z[2], y[2], carry) - z[3], _ = bits.Add64(z[3], y[3], carry) -} - -func doubleFR(z, x *Fr) { - var 
carry uint64 - - z[0], carry = bits.Add64(x[0], x[0], 0) - z[1], carry = bits.Add64(x[1], x[1], carry) - z[2], carry = bits.Add64(x[2], x[2], carry) - z[3], _ = bits.Add64(x[3], x[3], carry) - - // if z > q --> z -= q - // note: this is NOT constant time - if !(z[3] < 8353516859464449352 || (z[3] == 8353516859464449352 && (z[2] < 3691218898639771653 || (z[2] == 3691218898639771653 && (z[1] < 6034159408538082302 || (z[1] == 6034159408538082302 && (z[0] < 18446744069414584321))))))) { - var b uint64 - z[0], b = bits.Sub64(z[0], 18446744069414584321, 0) - z[1], b = bits.Sub64(z[1], 6034159408538082302, b) - z[2], b = bits.Sub64(z[2], 3691218898639771653, b) - z[3], _ = bits.Sub64(z[3], 8353516859464449352, b) - } -} - -func subFR(z, x, y *Fr) { - var b uint64 - z[0], b = bits.Sub64(x[0], y[0], 0) - z[1], b = bits.Sub64(x[1], y[1], b) - z[2], b = bits.Sub64(x[2], y[2], b) - z[3], b = bits.Sub64(x[3], y[3], b) - if b != 0 { - var c uint64 - z[0], c = bits.Add64(z[0], 18446744069414584321, 0) - z[1], c = bits.Add64(z[1], 6034159408538082302, c) - z[2], c = bits.Add64(z[2], 3691218898639771653, c) - z[3], _ = bits.Add64(z[3], 8353516859464449352, c) - } -} - -func lsubAssignFR(z, y *Fr) { - var b uint64 - z[0], b = bits.Sub64(z[0], y[0], 0) - z[1], b = bits.Sub64(z[1], y[1], b) - z[2], b = bits.Sub64(z[2], y[2], b) - z[3], b = bits.Sub64(z[3], y[3], b) -} - -func negFR(z, x *Fr) { - if x.IsZero() { - z.Zero() - return - } - var borrow uint64 - z[0], borrow = bits.Sub64(18446744069414584321, x[0], 0) - z[1], borrow = bits.Sub64(6034159408538082302, x[1], borrow) - z[2], borrow = bits.Sub64(3691218898639771653, x[2], borrow) - z[3], _ = bits.Sub64(8353516859464449352, x[3], borrow) -} - -func mulFR(z, x, y *Fr) { - - var t [4]uint64 - var c [3]uint64 - { - // round 0 - v := x[0] - c[1], c[0] = bits.Mul64(v, y[0]) - m := c[0] * 18446744069414584319 - c[2] = madd0(m, 18446744069414584321, c[0]) - c[1], c[0] = madd1(v, y[1], c[1]) - c[2], t[0] = madd2(m, 6034159408538082302, 
c[2], c[0]) - c[1], c[0] = madd1(v, y[2], c[1]) - c[2], t[1] = madd2(m, 3691218898639771653, c[2], c[0]) - c[1], c[0] = madd1(v, y[3], c[1]) - t[3], t[2] = madd3(m, 8353516859464449352, c[0], c[2], c[1]) - } - { - // round 1 - v := x[1] - c[1], c[0] = madd1(v, y[0], t[0]) - m := c[0] * 18446744069414584319 - c[2] = madd0(m, 18446744069414584321, c[0]) - c[1], c[0] = madd2(v, y[1], c[1], t[1]) - c[2], t[0] = madd2(m, 6034159408538082302, c[2], c[0]) - c[1], c[0] = madd2(v, y[2], c[1], t[2]) - c[2], t[1] = madd2(m, 3691218898639771653, c[2], c[0]) - c[1], c[0] = madd2(v, y[3], c[1], t[3]) - t[3], t[2] = madd3(m, 8353516859464449352, c[0], c[2], c[1]) - } - { - // round 2 - v := x[2] - c[1], c[0] = madd1(v, y[0], t[0]) - m := c[0] * 18446744069414584319 - c[2] = madd0(m, 18446744069414584321, c[0]) - c[1], c[0] = madd2(v, y[1], c[1], t[1]) - c[2], t[0] = madd2(m, 6034159408538082302, c[2], c[0]) - c[1], c[0] = madd2(v, y[2], c[1], t[2]) - c[2], t[1] = madd2(m, 3691218898639771653, c[2], c[0]) - c[1], c[0] = madd2(v, y[3], c[1], t[3]) - t[3], t[2] = madd3(m, 8353516859464449352, c[0], c[2], c[1]) - } - { - // round 3 - v := x[3] - c[1], c[0] = madd1(v, y[0], t[0]) - m := c[0] * 18446744069414584319 - c[2] = madd0(m, 18446744069414584321, c[0]) - c[1], c[0] = madd2(v, y[1], c[1], t[1]) - c[2], z[0] = madd2(m, 6034159408538082302, c[2], c[0]) - c[1], c[0] = madd2(v, y[2], c[1], t[2]) - c[2], z[1] = madd2(m, 3691218898639771653, c[2], c[0]) - c[1], c[0] = madd2(v, y[3], c[1], t[3]) - z[3], z[2] = madd3(m, 8353516859464449352, c[0], c[2], c[1]) - } - - // if z > q --> z -= q - // note: this is NOT constant time - if !(z[3] < 8353516859464449352 || (z[3] == 8353516859464449352 && (z[2] < 3691218898639771653 || (z[2] == 3691218898639771653 && (z[1] < 6034159408538082302 || (z[1] == 6034159408538082302 && (z[0] < 18446744069414584321))))))) { - var b uint64 - z[0], b = bits.Sub64(z[0], 18446744069414584321, 0) - z[1], b = bits.Sub64(z[1], 6034159408538082302, b) - z[2], b = 
bits.Sub64(z[2], 3691218898639771653, b) - z[3], _ = bits.Sub64(z[3], 8353516859464449352, b) - } -} - -func squareFR(z, x *Fr) { - - var t [4]uint64 - var c [3]uint64 - { - // round 0 - v := x[0] - c[1], c[0] = bits.Mul64(v, x[0]) - m := c[0] * 18446744069414584319 - c[2] = madd0(m, 18446744069414584321, c[0]) - c[1], c[0] = madd1(v, x[1], c[1]) - c[2], t[0] = madd2(m, 6034159408538082302, c[2], c[0]) - c[1], c[0] = madd1(v, x[2], c[1]) - c[2], t[1] = madd2(m, 3691218898639771653, c[2], c[0]) - c[1], c[0] = madd1(v, x[3], c[1]) - t[3], t[2] = madd3(m, 8353516859464449352, c[0], c[2], c[1]) - } - { - // round 1 - v := x[1] - c[1], c[0] = madd1(v, x[0], t[0]) - m := c[0] * 18446744069414584319 - c[2] = madd0(m, 18446744069414584321, c[0]) - c[1], c[0] = madd2(v, x[1], c[1], t[1]) - c[2], t[0] = madd2(m, 6034159408538082302, c[2], c[0]) - c[1], c[0] = madd2(v, x[2], c[1], t[2]) - c[2], t[1] = madd2(m, 3691218898639771653, c[2], c[0]) - c[1], c[0] = madd2(v, x[3], c[1], t[3]) - t[3], t[2] = madd3(m, 8353516859464449352, c[0], c[2], c[1]) - } - { - // round 2 - v := x[2] - c[1], c[0] = madd1(v, x[0], t[0]) - m := c[0] * 18446744069414584319 - c[2] = madd0(m, 18446744069414584321, c[0]) - c[1], c[0] = madd2(v, x[1], c[1], t[1]) - c[2], t[0] = madd2(m, 6034159408538082302, c[2], c[0]) - c[1], c[0] = madd2(v, x[2], c[1], t[2]) - c[2], t[1] = madd2(m, 3691218898639771653, c[2], c[0]) - c[1], c[0] = madd2(v, x[3], c[1], t[3]) - t[3], t[2] = madd3(m, 8353516859464449352, c[0], c[2], c[1]) - } - { - // round 3 - v := x[3] - c[1], c[0] = madd1(v, x[0], t[0]) - m := c[0] * 18446744069414584319 - c[2] = madd0(m, 18446744069414584321, c[0]) - c[1], c[0] = madd2(v, x[1], c[1], t[1]) - c[2], z[0] = madd2(m, 6034159408538082302, c[2], c[0]) - c[1], c[0] = madd2(v, x[2], c[1], t[2]) - c[2], z[1] = madd2(m, 3691218898639771653, c[2], c[0]) - c[1], c[0] = madd2(v, x[3], c[1], t[3]) - z[3], z[2] = madd3(m, 8353516859464449352, c[0], c[2], c[1]) - } - - // if z > q --> z -= q - // note: 
this is NOT constant time - if !(z[3] < 8353516859464449352 || (z[3] == 8353516859464449352 && (z[2] < 3691218898639771653 || (z[2] == 3691218898639771653 && (z[1] < 6034159408538082302 || (z[1] == 6034159408538082302 && (z[0] < 18446744069414584321))))))) { - var b uint64 - z[0], b = bits.Sub64(z[0], 18446744069414584321, 0) - z[1], b = bits.Sub64(z[1], 6034159408538082302, b) - z[2], b = bits.Sub64(z[2], 3691218898639771653, b) - z[3], _ = bits.Sub64(z[3], 8353516859464449352, b) - } -} - -func waddFR(z, y *wideFr) { - var carry uint64 - z[0], carry = bits.Add64(z[0], y[0], 0) - z[1], carry = bits.Add64(z[1], y[1], carry) - z[2], carry = bits.Add64(z[2], y[2], carry) - z[3], carry = bits.Add64(z[3], y[3], carry) - z[4], carry = bits.Add64(z[4], y[4], carry) - z[5], carry = bits.Add64(z[5], y[5], carry) - z[6], carry = bits.Add64(z[6], y[6], carry) - z[7], _ = bits.Add64(z[7], y[7], carry) -} - -// We applied custom multiplication since goff does generate multiplication code nested with reduction -func wmulFR(w *wideFr, a, b *Fr) { - // Handbook of Applied Cryptography - // Hankerson, Menezes, Vanstone - // 14.12 Algorithm Multiple-precision multiplication - - var w0, w1, w2, w3, w4, w5, w6, w7 uint64 - var a0 = a[0] - var a1 = a[1] - var a2 = a[2] - var a3 = a[3] - var b0 = b[0] - var b1 = b[1] - var b2 = b[2] - var b3 = b[3] - var u, v, c, t uint64 - - // i = 0, j = 0 - c, w0 = bits.Mul64(a0, b0) - - // i = 0, j = 1 - u, v = bits.Mul64(a1, b0) - w1 = v + c - c = u + (v&c|(v|c)&^w1)>>63 - - // i = 0, j = 2 - u, v = bits.Mul64(a2, b0) - w2 = v + c - c = u + (v&c|(v|c)&^w2)>>63 - - // i = 0, j = 3 - u, v = bits.Mul64(a3, b0) - w3 = v + c - w4 = u + (v&c|(v|c)&^w3)>>63 - - // i = 1, j = 0 - c, v = bits.Mul64(a0, b1) - t = v + w1 - c += (v&w1 | (v|w1)&^t) >> 63 - w1 = t - - // i = 1, j = 1 - u, v = bits.Mul64(a1, b1) - t = v + w2 - u += (v&w2 | (v|w2)&^t) >> 63 - w2 = t + c - c = u + (t&c|(t|c)&^w2)>>63 - - // i = 1, j = 2 - u, v = bits.Mul64(a2, b1) - t = v + w3 - u 
+= (v&w3 | (v|w3)&^t) >> 63 - w3 = t + c - c = u + (t&c|(t|c)&^w3)>>63 - - // i = 1, j = 3 - u, v = bits.Mul64(a3, b1) - t = v + w4 - u += (v&w4 | (v|w4)&^t) >> 63 - w4 = t + c - w5 = u + (t&c|(t|c)&^w4)>>63 - - // i = 2, j = 0 - c, v = bits.Mul64(a0, b2) - t = v + w2 - c += (v&w2 | (v|w2)&^t) >> 63 - w2 = t - - // i = 2, j = 1 - u, v = bits.Mul64(a1, b2) - t = v + w3 - u += (v&w3 | (v|w3)&^t) >> 63 - w3 = t + c - c = u + (t&c|(t|c)&^w3)>>63 - - // i = 2, j = 2 - u, v = bits.Mul64(a2, b2) - t = v + w4 - u += (v&w4 | (v|w4)&^t) >> 63 - w4 = t + c - c = u + (t&c|(t|c)&^w4)>>63 - - // i = 2, j = 3 - u, v = bits.Mul64(a3, b2) - t = v + w5 - u += (v&w5 | (v|w5)&^t) >> 63 - w5 = t + c - w6 = u + (t&c|(t|c)&^w5)>>63 - - // i = 3, j = 0 - c, v = bits.Mul64(a0, b3) - t = v + w3 - c += (v&w3 | (v|w3)&^t) >> 63 - w3 = t - - // i = 3, j = 1 - u, v = bits.Mul64(a1, b3) - t = v + w4 - u += (v&w4 | (v|w4)&^t) >> 63 - w4 = t + c - c = u + (t&c|(t|c)&^w4)>>63 - - // i = 3, j = 2 - u, v = bits.Mul64(a2, b3) - t = v + w5 - u += (v&w5 | (v|w5)&^t) >> 63 - w5 = t + c - c = u + (t&c|(t|c)&^w5)>>63 - - // i = 3, j = 3 - u, v = bits.Mul64(a3, b3) - t = v + w6 - u += (v&w6 | (v|w6)&^t) >> 63 - w6 = t + c - w7 = u + (t&c|(t|c)&^w6)>>63 - - w[0] = w0 - w[1] = w1 - w[2] = w2 - w[3] = w3 - w[4] = w4 - w[5] = w5 - w[6] = w6 - w[7] = w7 -} diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/g1.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/g1.go deleted file mode 100644 index 20e54ffce..000000000 --- a/component/kmscrypto/internal/third_party/kilic/bls12-381/g1.go +++ /dev/null 
@@ -1,846 +0,0 @@ -package bls12381 - -import ( - "errors" - "math" - "math/big" -) - -// PointG1 is type for point in G1 and used for both Affine and Jacobian point representation. -// A point is accounted as in affine form if z is equal to one. -type PointG1 [3]fe - -var wnafMulWindowG1 uint = 5 - -func (p *PointG1) Set(p2 *PointG1) *PointG1 { - p[0].set(&p2[0]) - p[1].set(&p2[1]) - p[2].set(&p2[2]) - return p -} - -func (p *PointG1) Zero() *PointG1 { - p[0].zero() - p[1].one() - p[2].zero() - return p -} - -// IsAffine checks a G1 point whether it is in affine form. -func (p *PointG1) IsAffine() bool { - return p[2].isOne() -} - -type tempG1 struct { - t [9]*fe -} - -// G1 is struct for G1 group. -type G1 struct { - tempG1 -} - -// NewG1 constructs a new G1 instance. -func NewG1() *G1 { - t := newTempG1() - return &G1{t} -} - -func newTempG1() tempG1 { - t := [9]*fe{} - for i := 0; i < 9; i++ { - t[i] = &fe{} - } - return tempG1{t} -} - -// Q returns group order in big.Int. -func (g *G1) Q() *big.Int { - return new(big.Int).Set(qBig) -} - -// FromUncompressed expects byte slice at least 96 bytes and given bytes returns a new point in G1. -// Serialization rules are in line with zcash library. See below for details. 
-// https://github.com/zcash/librustzcash/blob/master/pairing/src/bls12_381/README.md#serialization -// https://docs.rs/bls12_381/0.1.1/bls12_381/notes/serialization/index.html -func (g *G1) FromUncompressed(uncompressed []byte) (*PointG1, error) { - if len(uncompressed) != 2*fpByteSize { - return nil, errors.New("input string length must be equal to 96 bytes") - } - var in [2 * fpByteSize]byte - copy(in[:], uncompressed[:2*fpByteSize]) - if in[0]&(1<<7) != 0 { - return nil, errors.New("compression flag must be zero") - } - if in[0]&(1<<5) != 0 { - return nil, errors.New("sort flag must be zero") - } - if in[0]&(1<<6) != 0 { - for i, v := range in { - if (i == 0 && v != 0x40) || (i != 0 && v != 0x00) { - return nil, errors.New("input string must be zero when infinity flag is set") - } - } - return g.Zero(), nil - } - in[0] &= 0x1f - x, err := fromBytes(in[:fpByteSize]) - if err != nil { - return nil, err - } - y, err := fromBytes(in[fpByteSize:]) - if err != nil { - return nil, err - } - z := new(fe).one() - p := &PointG1{*x, *y, *z} - if !g.IsOnCurve(p) { - return nil, errors.New("point is not on curve") - } - if !g.InCorrectSubgroup(p) { - return nil, errors.New("point is not on correct subgroup") - } - return p, nil -} - -// ToUncompressed given a G1 point returns bytes in uncompressed (x, y) form of the point. -// Serialization rules are in line with zcash library. See below for details. -// https://github.com/zcash/librustzcash/blob/master/pairing/src/bls12_381/README.md#serialization -// https://docs.rs/bls12_381/0.1.1/bls12_381/notes/serialization/index.html -func (g *G1) ToUncompressed(p *PointG1) []byte { - out := make([]byte, 2*fpByteSize) - if g.IsZero(p) { - out[0] |= 1 << 6 - return out - } - g.Affine(p) - copy(out[:fpByteSize], toBytes(&p[0])) - copy(out[fpByteSize:], toBytes(&p[1])) - return out -} - -// FromCompressed expects byte slice at least 48 bytes and given bytes returns a new point in G1. 
-// Serialization rules are in line with zcash library. See below for details. -// https://github.com/zcash/librustzcash/blob/master/pairing/src/bls12_381/README.md#serialization -// https://docs.rs/bls12_381/0.1.1/bls12_381/notes/serialization/index.html -func (g *G1) FromCompressed(compressed []byte) (*PointG1, error) { - if len(compressed) != fpByteSize { - return nil, errors.New("input string length must be equal to 48 bytes") - } - var in [fpByteSize]byte - copy(in[:], compressed[:]) - if in[0]&(1<<7) == 0 { - return nil, errors.New("compression flag must be set") - } - if in[0]&(1<<6) != 0 { - // in[0] == (1 << 6) + (1 << 7) - for i, v := range in { - if (i == 0 && v != 0xc0) || (i != 0 && v != 0x00) { - return nil, errors.New("input string must be zero when infinity flag is set") - } - } - return g.Zero(), nil - } - a := in[0]&(1<<5) != 0 - in[0] &= 0x1f - x, err := fromBytes(in[:]) - if err != nil { - return nil, err - } - // solve curve equation - y := &fe{} - square(y, x) - mul(y, y, x) - add(y, y, b) - if ok := sqrt(y, y); !ok { - return nil, errors.New("point is not on curve") - } - if y.signBE() == a { - neg(y, y) - } - z := new(fe).one() - p := &PointG1{*x, *y, *z} - if !g.InCorrectSubgroup(p) { - return nil, errors.New("point is not on correct subgroup") - } - return p, nil -} - -// ToCompressed given a G1 point returns bytes in compressed form of the point. -// Serialization rules are in line with zcash library. See below for details. 
-// https://github.com/zcash/librustzcash/blob/master/pairing/src/bls12_381/README.md#serialization -// https://docs.rs/bls12_381/0.1.1/bls12_381/notes/serialization/index.html -func (g *G1) ToCompressed(p *PointG1) []byte { - out := make([]byte, fpByteSize) - g.Affine(p) - if g.IsZero(p) { - out[0] |= 1 << 6 - } else { - copy(out[:], toBytes(&p[0])) - if !p[1].signBE() { - out[0] |= 1 << 5 - } - } - out[0] |= 1 << 7 - return out -} - -func (g *G1) fromBytesUnchecked(in []byte) (*PointG1, error) { - p0, err := fromBytes(in[:fpByteSize]) - if err != nil { - return nil, err - } - p1, err := fromBytes(in[fpByteSize:]) - if err != nil { - return nil, err - } - p2 := new(fe).one() - return &PointG1{*p0, *p1, *p2}, nil -} - -// FromBytes constructs a new point given uncompressed byte input. -// Input string is expected to be equal to 96 bytes and concatenation of x and y cooridanates. -// (0, 0) is considered as infinity. -func (g *G1) FromBytes(in []byte) (*PointG1, error) { - if len(in) != 2*fpByteSize { - return nil, errors.New("input string length must be equal to 96 bytes") - } - p0, err := fromBytes(in[:fpByteSize]) - if err != nil { - return nil, err - } - p1, err := fromBytes(in[fpByteSize:]) - if err != nil { - return nil, err - } - // check if given input points to infinity - if p0.isZero() && p1.isZero() { - return g.Zero(), nil - } - p2 := new(fe).one() - p := &PointG1{*p0, *p1, *p2} - if !g.IsOnCurve(p) { - return nil, errors.New("point is not on curve") - } - return p, nil -} - -// ToBytes serializes a point into bytes in uncompressed form. -// ToBytes returns (0, 0) if point is infinity. -func (g *G1) ToBytes(p *PointG1) []byte { - out := make([]byte, 2*fpByteSize) - if g.IsZero(p) { - return out - } - g.Affine(p) - copy(out[:fpByteSize], toBytes(&p[0])) - copy(out[fpByteSize:], toBytes(&p[1])) - return out -} - -// New creates a new G1 Point which is equal to zero in other words point at infinity. 
-func (g *G1) New() *PointG1 { - return g.Zero() -} - -// Zero returns a new G1 Point which is equal to point at infinity. -func (g *G1) Zero() *PointG1 { - return new(PointG1).Zero() -} - -// One returns a new G1 Point which is equal to generator point. -func (g *G1) One() *PointG1 { - p := &PointG1{} - return p.Set(&g1One) -} - -// IsZero returns true if given point is equal to zero. -func (g *G1) IsZero(p *PointG1) bool { - return p[2].isZero() -} - -// Equal checks if given two G1 point is equal in their affine form. -func (g *G1) Equal(p1, p2 *PointG1) bool { - if g.IsZero(p1) { - return g.IsZero(p2) - } - if g.IsZero(p2) { - return g.IsZero(p1) - } - t := g.t - square(t[0], &p1[2]) - square(t[1], &p2[2]) - mul(t[2], t[0], &p2[0]) - mul(t[3], t[1], &p1[0]) - mul(t[0], t[0], &p1[2]) - mul(t[1], t[1], &p2[2]) - mul(t[1], t[1], &p1[1]) - mul(t[0], t[0], &p2[1]) - return t[0].equal(t[1]) && t[2].equal(t[3]) -} - -// InCorrectSubgroup checks whether given point is in correct subgroup. -func (g *G1) InCorrectSubgroup(p *PointG1) bool { - - // Faster Subgroup Checks for BLS12-381 - // S. Bowe - // https://eprint.iacr.org/2019/814.pdf - - mulZ := func(p *PointG1) { - // z = [(x^2 − 1)/3] - z := &Fr{0x0000000055555555, 0x396c8c005555e156} - e := z.toWNAF(wnafMulWindowG1) - g.wnafMul(p, p, e) - } - - // [(x^2 − 1)/3](2σ(P) − P − σ^2(P)) − σ^2(P) ?= O - t0 := g.New().Set(p) - g.glvEndomorphism(t0, t0) - t1 := g.New().Set(t0) // σ(P) - g.glvEndomorphism(t0, t0) // σ^2(P) - g.Double(t1, t1) // 2σ(P) - g.Sub(t1, t1, p) // 2σ(P) − P - g.Sub(t1, t1, t0) // 2σ(P) − P − σ^2(P) - mulZ(t1) // [(x^2 − 1)/3](2σ(P) − P − σ^2(P)) - g.Sub(t1, t1, t0) // [(x^2 − 1)/3](2σ(P) − P − σ^2(P)) − σ^2(P) - return g.IsZero(t1) -} - -// IsOnCurve checks a G1 point is on curve. 
-func (g *G1) IsOnCurve(p *PointG1) bool { - if g.IsZero(p) { - return true - } - t := g.t - square(t[0], &p[1]) // y^2 - square(t[1], &p[0]) // x^2 - mul(t[1], t[1], &p[0]) // x^3 - if p.IsAffine() { - addAssign(t[1], b) // x^2 + b - return t[0].equal(t[1]) // y^2 ?= x^3 + b - } - square(t[2], &p[2]) // z^2 - square(t[3], t[2]) // z^4 - mul(t[2], t[2], t[3]) // z^6 - mul(t[2], b, t[2]) // b * z^6 - add(t[1], t[1], t[2]) // x^3 + b * z^6 - return t[0].equal(t[1]) // y^2 ?= x^3 + b * z^6 -} - -// IsAffine checks a G1 point whether it is in affine form. -func (g *G1) IsAffine(p *PointG1) bool { - return p[2].isOne() -} - -// Affine returns the affine representation of the given point -func (g *G1) Affine(p *PointG1) *PointG1 { - return g.affine(p, p) -} - -func (g *G1) affine(r, p *PointG1) *PointG1 { - if g.IsZero(p) { - return r.Zero() - } - if !g.IsAffine(p) { - t := g.t - inverse(t[0], &p[2]) // z^-1 - square(t[1], t[0]) // z^-2 - mul(&r[0], &p[0], t[1]) // x = x * z^-2 - mul(t[0], t[0], t[1]) // z^-3 - mul(&r[1], &p[1], t[0]) // y = y * z^-3 - r[2].one() // z = 1 - } else { - r.Set(p) - } - return r -} - -// AffineBatch given multiple of points returns affine representations -func (g *G1) AffineBatch(p []*PointG1) { - inverses := make([]fe, len(p)) - for i := 0; i < len(p); i++ { - inverses[i].set(&p[i][2]) - } - inverseBatch(inverses) - t := g.t - for i := 0; i < len(p); i++ { - if !g.IsAffine(p[i]) && !g.IsZero(p[i]) { - square(t[1], &inverses[i]) - mul(&p[i][0], &p[i][0], t[1]) - mul(t[0], &inverses[i], t[1]) - mul(&p[i][1], &p[i][1], t[0]) - p[i][2].one() - } - } -} - -// Add adds two G1 points p1, p2 and assigns the result to point at first argument. 
-func (g *G1) Add(r, p1, p2 *PointG1) *PointG1 { - - // http://www.hyperelliptic.org/EFD/gp/auto-shortw-jacobian-0.html#addition-add-2007-bl - if g.IsZero(p1) { - return r.Set(p2) - } - if g.IsZero(p2) { - return r.Set(p1) - } - if g.IsAffine(p2) { - return g.AddMixed(r, p1, p2) - } - t := g.t - square(t[7], &p1[2]) // z1z1 - mul(t[1], &p2[0], t[7]) // u2 = x2 * z1z1 - mul(t[2], &p1[2], t[7]) // z1z1 * z1 - mul(t[0], &p2[1], t[2]) // s2 = y2 * z1z1 * z1 - square(t[8], &p2[2]) // z2z2 - mul(t[3], &p1[0], t[8]) // u1 = x1 * z2z2 - mul(t[4], &p2[2], t[8]) // z2z2 * z2 - mul(t[2], &p1[1], t[4]) // s1 = y1 * z2z2 * z2 - if t[1].equal(t[3]) { - if t[0].equal(t[2]) { - return g.Double(r, p1) - } else { - return r.Zero() - } - } - subAssign(t[1], t[3]) // h = u2 - u1 - double(t[4], t[1]) // 2h - square(t[4], t[4]) // i = 2h^2 - mul(t[5], t[1], t[4]) // j = h*i - subAssign(t[0], t[2]) // s2 - s1 - doubleAssign(t[0]) // r = 2*(s2 - s1) - square(t[6], t[0]) // r^2 - subAssign(t[6], t[5]) // r^2 - j - mul(t[3], t[3], t[4]) // v = u1 * i - double(t[4], t[3]) // 2*v - sub(&r[0], t[6], t[4]) // x3 = r^2 - j - 2*v - sub(t[4], t[3], &r[0]) // v - x3 - mul(t[6], t[2], t[5]) // s1 * j - doubleAssign(t[6]) // 2 * s1 * j - mul(t[0], t[0], t[4]) // r * (v - x3) - sub(&r[1], t[0], t[6]) // y3 = r * (v - x3) - (2 * s1 * j) - add(t[0], &p1[2], &p2[2]) // z1 + z2 - square(t[0], t[0]) // (z1 + z2)^2 - subAssign(t[0], t[7]) // (z1 + z2)^2 - z1z1 - subAssign(t[0], t[8]) // (z1 + z2)^2 - z1z1 - z2z2 - mul(&r[2], t[0], t[1]) // z3 = ((z1 + z2)^2 - z1z1 - z2z2) * h - return r -} - -// Add adds two G1 points p1, p2 and assigns the result to point at first argument. -// Expects the second point p2 in affine form. 
-func (g *G1) AddMixed(r, p1, p2 *PointG1) *PointG1 { - // http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-madd-2007-bl - if g.IsZero(p1) { - return r.Set(p2) - } - if g.IsZero(p2) { - return r.Set(p1) - } - t := g.t - square(t[7], &p1[2]) // z1z1 - mul(t[1], &p2[0], t[7]) // u2 = x2 * z1z1 - mul(t[2], &p1[2], t[7]) // z1z1 * z1 - mul(t[0], &p2[1], t[2]) // s2 = y2 * z1z1 * z1 - - if p1[0].equal(t[1]) && p1[1].equal(t[0]) { - return g.Double(r, p1) - } - - sub(t[1], t[1], &p1[0]) // h = u2 - x1 - square(t[2], t[1]) // hh - double(t[4], t[2]) - doubleAssign(t[4]) // 4hh - mul(t[5], t[1], t[4]) // j = h*i - subAssign(t[0], &p1[1]) // s2 - y1 - doubleAssign(t[0]) // r = 2*(s2 - y1) - square(t[6], t[0]) // r^2 - subAssign(t[6], t[5]) // r^2 - j - mul(t[3], &p1[0], t[4]) // v = x1 * i - double(t[4], t[3]) // 2*v - sub(&r[0], t[6], t[4]) // x3 = r^2 - j - 2*v - sub(t[4], t[3], &r[0]) // v - x3 - mul(t[6], &p1[1], t[5]) // y1 * j - doubleAssign(t[6]) // 2 * y1 * j - mul(t[0], t[0], t[4]) // r * (v - x3) - sub(&r[1], t[0], t[6]) // y3 = r * (v - x3) - (2 * y1 * j) - add(t[0], &p1[2], t[1]) // z1 + h - square(t[0], t[0]) // (z1 + h)^2 - subAssign(t[0], t[7]) // (z1 + h)^2 - z1z1 - sub(&r[2], t[0], t[2]) // z3 = (z1 + z2)^2 - z1z1 - hh - return r -} - -// Double doubles a G1 point p and assigns the result to the point at first argument. 
-func (g *G1) Double(r, p *PointG1) *PointG1 { - // http://www.hyperelliptic.org/EFD/gp/auto-shortw-jacobian-0.html#doubling-dbl-2009-l - if g.IsZero(p) { - return r.Zero() - } - t := g.t - square(t[0], &p[0]) // a = x^2 - square(t[1], &p[1]) // b = y^2 - square(t[2], t[1]) // c = b^2 - add(t[1], &p[0], t[1]) // b + x1 - square(t[1], t[1]) // (b + x1)^2 - subAssign(t[1], t[0]) // (b + x1)^2 - a - subAssign(t[1], t[2]) // (b + x1)^2 - a - c - doubleAssign(t[1]) // d = 2((b+x1)^2 - a - c) - double(t[3], t[0]) // 2a - addAssign(t[0], t[3]) // e = 3a - square(t[4], t[0]) // f = e^2 - double(t[3], t[1]) // 2d - sub(&r[0], t[4], t[3]) // x3 = f - 2d - subAssign(t[1], &r[0]) // d-x3 - doubleAssign(t[2]) // - doubleAssign(t[2]) // - doubleAssign(t[2]) // 8c - mul(t[0], t[0], t[1]) // e * (d - x3) - sub(t[1], t[0], t[2]) // x3 = e * (d - x3) - 8c - mul(t[0], &p[1], &p[2]) // y1 * z1 - r[1].set(t[1]) // - double(&r[2], t[0]) // z3 = 2(y1 * z1) - return r -} - -// Neg negates a G1 point p and assigns the result to the point at first argument. -func (g *G1) Neg(r, p *PointG1) *PointG1 { - r[0].set(&p[0]) - r[2].set(&p[2]) - neg(&r[1], &p[1]) - return r -} - -// Sub subtracts two G1 points p1, p2 and assigns the result to point at first argument. -func (g *G1) Sub(c, a, b *PointG1) *PointG1 { - d := &PointG1{} - g.Neg(d, b) - g.Add(c, a, d) - return c -} - -// MulScalar multiplies a point by given scalar value and assigns the result to point at first argument. -func (g *G1) MulScalar(r, p *PointG1, e *Fr) *PointG1 { - return g.glvMulFr(r, p, e) -} - -// MulScalar multiplies a point by given scalar value in big.Int and assigns the result to point at first argument. 
-func (g *G1) MulScalarBig(r, p *PointG1, e *big.Int) *PointG1 { - return g.glvMulBig(r, p, e) -} - -func (g *G1) mulScalar(c, p *PointG1, e *Fr) *PointG1 { - q, n := &PointG1{}, &PointG1{} - n.Set(p) - for i := 0; i < frBitSize; i++ { - if e.Bit(i) { - g.Add(q, q, n) - } - g.Double(n, n) - } - return c.Set(q) -} - -func (g *G1) mulScalarBig(c, p *PointG1, e *big.Int) *PointG1 { - q, n := &PointG1{}, &PointG1{} - n.Set(p) - for i := 0; i < frBitSize; i++ { - if e.Bit(i) == 1 { - g.Add(q, q, n) - } - g.Double(n, n) - } - return c.Set(q) -} - -func (g *G1) wnafMulFr(r, p *PointG1, e *Fr) *PointG1 { - wnaf := e.toWNAF(wnafMulWindowG1) - return g.wnafMul(r, p, wnaf) -} - -func (g *G1) wnafMulBig(r, p *PointG1, e *big.Int) *PointG1 { - wnaf := bigToWNAF(e, wnafMulWindowG1) - return g.wnafMul(r, p, wnaf) -} - -func (g *G1) wnafMul(c, p *PointG1, wnaf nafNumber) *PointG1 { - - l := (1 << (wnafMulWindowG1 - 1)) - - twoP, acc := g.New(), new(PointG1).Set(p) - g.Double(twoP, p) - g.Affine(twoP) - - // table = {p, 3p, 5p, ..., -p, -3p, -5p} - table := make([]*PointG1, l*2) - table[0], table[l] = g.New(), g.New() - table[0].Set(p) - g.Neg(table[l], table[0]) - - for i := 1; i < l; i++ { - g.AddMixed(acc, acc, twoP) - table[i], table[i+l] = g.New(), g.New() - table[i].Set(acc) - g.Neg(table[i+l], table[i]) - } - - q := g.Zero() - for i := len(wnaf) - 1; i >= 0; i-- { - if wnaf[i] > 0 { - g.Add(q, q, table[wnaf[i]>>1]) - } else if wnaf[i] < 0 { - g.Add(q, q, table[((-wnaf[i])>>1)+l]) - } - if i != 0 { - g.Double(q, q) - } - } - return c.Set(q) -} - -func (g *G1) glvMulFr(r, p *PointG1, e *Fr) *PointG1 { - return g.glvMul(r, p, new(glvVectorFr).new(e)) -} - -func (g *G1) glvMulBig(r, p *PointG1, e *big.Int) *PointG1 { - return g.glvMul(r, p, new(glvVectorBig).new(e)) -} - -func (g *G1) glvMul(r, p0 *PointG1, v glvVector) *PointG1 { - - w := glvMulWindowG1 - l := 1 << (w - 1) - - // prepare tables - // tableK1 = {P, 3P, 5P, ...} - // tableK2 = {λP, 3λP, 5λP, ...} - tableK1, 
tableK2 := make([]*PointG1, l), make([]*PointG1, l) - double := g.New() - g.Double(double, p0) - g.affine(double, double) - tableK1[0] = new(PointG1) - tableK1[0].Set(p0) - for i := 1; i < l; i++ { - tableK1[i] = new(PointG1) - g.AddMixed(tableK1[i], tableK1[i-1], double) - } - g.AffineBatch(tableK1) - for i := 0; i < l; i++ { - tableK2[i] = new(PointG1) - g.glvEndomorphism(tableK2[i], tableK1[i]) - } - - // recode small scalars - naf1, naf2 := v.wnaf(w) - lenNAF1, lenNAF2 := len(naf1), len(naf2) - lenNAF := lenNAF1 - if lenNAF2 > lenNAF { - lenNAF = lenNAF2 - } - - acc, p1 := g.New(), g.New() - - // function for naf addition - add := func(table []*PointG1, naf int) { - if naf != 0 { - nafAbs := naf - if nafAbs < 0 { - nafAbs = -nafAbs - } - p1.Set(table[nafAbs>>1]) - if naf < 0 { - g.Neg(p1, p1) - } - g.AddMixed(acc, acc, p1) - } - } - - // sliding - for i := lenNAF - 1; i >= 0; i-- { - if i < lenNAF1 { - add(tableK1, naf1[i]) - } - if i < lenNAF2 { - add(tableK2, naf2[i]) - } - if i != 0 { - g.Double(acc, acc) - } - } - return r.Set(acc) -} - -// MultiExpBig calculates multi exponentiation. Scalar values are received as big.Int type. -// Given pairs of G1 point and scalar values `(P_0, e_0), (P_1, e_1), ... (P_n, e_n)`, -// calculates `r = e_0 * P_0 + e_1 * P_1 + ... + e_n * P_n`. -// Length of points and scalars are expected to be equal, otherwise an error is returned. -// Result is assigned to point at first argument. 
-func (g *G1) MultiExpBig(r *PointG1, points []*PointG1, scalars []*big.Int) (*PointG1, error) { - if len(points) != len(scalars) { - return nil, errors.New("point and scalar vectors should be in same length") - } - - c := 3 - if len(scalars) >= 32 { - c = int(math.Ceil(math.Log(float64(len(scalars))))) - } - - bucketSize := (1 << c) - 1 - windows := make([]PointG1, 255/c+1) - bucket := make([]PointG1, bucketSize) - - for j := 0; j < len(windows); j++ { - - for i := 0; i < bucketSize; i++ { - bucket[i].Zero() - } - - for i := 0; i < len(scalars); i++ { - index := bucketSize & int(new(big.Int).Rsh(scalars[i], uint(c*j)).Int64()) - if index != 0 { - g.Add(&bucket[index-1], &bucket[index-1], points[i]) - } - } - - acc, sum := g.New(), g.New() - for i := bucketSize - 1; i >= 0; i-- { - g.Add(sum, sum, &bucket[i]) - g.Add(acc, acc, sum) - } - windows[j].Set(acc) - } - - acc := g.New() - for i := len(windows) - 1; i >= 0; i-- { - for j := 0; j < c; j++ { - g.Double(acc, acc) - } - g.Add(acc, acc, &windows[i]) - } - return r.Set(acc), nil -} - -// MultiExp calculates multi exponentiation. Given pairs of G1 point and scalar values `(P_0, e_0), (P_1, e_1), ... (P_n, e_n)`, -// calculates `r = e_0 * P_0 + e_1 * P_1 + ... + e_n * P_n`. Length of points and scalars are expected to be equal, -// otherwise an error is returned. Result is assigned to point at first argument. 
-func (g *G1) MultiExp(r *PointG1, points []*PointG1, scalars []*Fr) (*PointG1, error) { - if len(points) != len(scalars) { - return nil, errors.New("point and scalar vectors should be in same length") - } - - g.AffineBatch(points) - - c := 3 - if len(scalars) >= 32 { - c = int(math.Ceil(math.Log(float64(len(scalars))))) - } - - bucketSize := (1 << c) - 1 - windows := make([]*PointG1, 255/c+1) - bucket := make([]PointG1, bucketSize) - - for j := 0; j < len(windows); j++ { - - for i := 0; i < bucketSize; i++ { - bucket[i].Zero() - } - - for i := 0; i < len(scalars); i++ { - index := bucketSize & int(scalars[i].sliceUint64(c*j)) - if index != 0 { - g.AddMixed(&bucket[index-1], &bucket[index-1], points[i]) - } - } - - acc, sum := g.New(), g.New() - for i := bucketSize - 1; i >= 0; i-- { - g.Add(sum, sum, &bucket[i]) - g.Add(acc, acc, sum) - } - windows[j] = g.New().Set(acc) - } - - g.AffineBatch(windows) - - acc := g.New() - for i := len(windows) - 1; i >= 0; i-- { - for j := 0; j < c; j++ { - g.Double(acc, acc) - } - g.AddMixed(acc, acc, windows[i]) - } - return r.Set(acc), nil -} - -func (g *G1) ClearCofactor(p *PointG1) *PointG1 { - chain := func(p0 *PointG1, n int, p1 *PointG1) { - for i := 0; i < n; i++ { - g.Double(p0, p0) - } - g.Add(p0, p0, p1) - } - t := g.New().Set(p) - chain(p, 1, t) - chain(p, 2, t) - chain(p, 3, t) - chain(p, 9, t) - chain(p, 32, t) - chain(p, 16, t) - return p -} - -// MapToCurve given a byte slice returns a valid G1 point. -// This mapping function implements the Simplified Shallue-van de Woestijne-Ulas method. -// https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06 -// Input byte slice should be a valid field element, otherwise an error is returned. 
-func (g *G1) MapToCurve(in []byte) (*PointG1, error) { - u, err := fromBytes(in) - if err != nil { - return nil, err - } - x, y := swuMapG1(u) - isogenyMapG1(x, y) - one := new(fe).one() - p := &PointG1{*x, *y, *one} - g.ClearCofactor(p) - return g.Affine(p), nil -} - -// EncodeToCurve given a message and domain seperator tag returns the hash result -// which is a valid curve point. -// Implementation follows BLS12381G1_XMD:SHA-256_SSWU_NU_ suite at -// https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06 -func (g *G1) EncodeToCurve(msg, domain []byte) (*PointG1, error) { - hashRes, err := hashToFpXMDSHA256(msg, domain, 1) - if err != nil { - return nil, err - } - u := hashRes[0] - x, y := swuMapG1(u) - isogenyMapG1(x, y) - one := new(fe).one() - p := &PointG1{*x, *y, *one} - g.ClearCofactor(p) - return g.Affine(p), nil -} - -// HashToCurve given a message and domain seperator tag returns the hash result -// which is a valid curve point. -// Implementation follows BLS12381G1_XMD:SHA-256_SSWU_RO_ suite at -// https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06 -func (g *G1) HashToCurve(msg, domain []byte) (*PointG1, error) { - hashRes, err := hashToFpXMDSHA256(msg, domain, 2) - if err != nil { - return nil, err - } - u0, u1 := hashRes[0], hashRes[1] - x0, y0 := swuMapG1(u0) - x1, y1 := swuMapG1(u1) - one := new(fe).one() - p0, p1 := &PointG1{*x0, *y0, *one}, &PointG1{*x1, *y1, *one} - g.Add(p0, p0, p1) - g.Affine(p0) - isogenyMapG1(&p0[0], &p0[1]) - g.ClearCofactor(p0) - return g.Affine(p0), nil -} diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/g1_custom.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/g1_custom.go deleted file mode 100644 index 79eadb6ea..000000000 --- a/component/kmscrypto/internal/third_party/kilic/bls12-381/g1_custom.go +++ /dev/null 
@@ -1,30 +0,0 @@
-/*
-Copyright SecureKey Technologies Inc. All Rights Reserved.
-
-SPDX-License-Identifier: Apache-2.0
-*/
-
-package bls12381
-
-import (
- "hash"
-)
-
-func (g *G1) HashToCurveGeneric(msg, domain []byte, hashFunc func() hash.Hash) (*PointG1, error) {
- hashRes, err := hashToFpXMD(hashFunc, msg, domain, 2)
- if err != nil {
- return nil, err
- }
- u0, u1 := hashRes[0], hashRes[1]
-
- x0, y0 := swuMapG1BE(u0)
- x1, y1 := swuMapG1BE(u1)
- one := new(fe).one()
- p0, p1 := &PointG1{*x0, *y0, *one}, &PointG1{*x1, *y1, *one}
-
- g.Add(p0, p0, p1)
- g.Affine(p0)
- isogenyMapG1(&p0[0], &p0[1])
- g.ClearCofactor(p0)
- return g.Affine(p0), nil
-}
diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/g1_custom_test.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/g1_custom_test.go
deleted file mode 100644
index 53a636e57..000000000
--- a/component/kmscrypto/internal/third_party/kilic/bls12-381/g1_custom_test.go
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
-Copyright SecureKey Technologies Inc. All Rights Reserved.
-
-SPDX-License-Identifier: Apache-2.0
-*/
-
-package bls12381
-
-import (
- "hash"
- "testing"
-
- "golang.org/x/crypto/blake2b"
-)
-
-func TestG1CustomSerialization(t *testing.T) {
- pointG1 := new(PointG1).Zero()
-
- g := NewG1()
-
- pointBytes := g.ToBytes(pointG1)
- if len(pointBytes) == 0 {
- t.Fatal("empty bytes")
- }
-
- pointG1.Set(&PointG1{
- {
- 40,
- 50,
- },
- })
-
- pointBytes = g.ToBytes(pointG1)
- if len(pointBytes) == 0 {
- t.Fatal("empty bytes")
- }
-}
-
-func TestHashToCurve(t *testing.T) {
- hashFunc := func() hash.Hash {
- // We pass a null key so error is impossible here.
- h, _ := blake2b.New512(nil)
-
- return h
- }
-
- g := NewG1()
-
- curve, err := g.HashToCurveGeneric([]byte("hello"),
- []byte("BLS12381G1_XMD:BLAKE2B_SSWU_RO_BBS+_SIGNATURES:1_0_0"),
- hashFunc)
- if err != nil {
- t.Fatal(err)
- }
-
- if len(curve) == 0 {
- t.Fatal("empty curve bytes")
- }
-}
diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/g2.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/g2.go
deleted file mode 100644
index 7c56ffd14..000000000
--- a/component/kmscrypto/internal/third_party/kilic/bls12-381/g2.go
+++ /dev/null
@@ -1,889 +0,0 @@ -package bls12381 - -import ( - "errors" - "math" - "math/big" -) - -// PointG2 is type for point in G2 and used for both affine and Jacobian representation. -// A point is accounted as in affine form if z is equal to one. -type PointG2 [3]fe2 - -var wnafMulWindowG2 uint = 6 - -// Set copies valeus of one point to another. -func (p *PointG2) Set(p2 *PointG2) *PointG2 { - p[0].set(&p2[0]) - p[1].set(&p2[1]) - p[2].set(&p2[2]) - return p -} - -func (p *PointG2) Zero() *PointG2 { - p[0].zero() - p[1].one() - p[2].zero() - return p -} - -// IsAffine checks a G1 point whether it is in affine form. -func (p *PointG2) IsAffine() bool { - return p[2].isOne() -} - -type tempG2 struct { - t [9]*fe2 -} - -// G2 is struct for G2 group. -type G2 struct { - f *fp2 - tempG2 -} - -// NewG2 constructs a new G2 instance. -func NewG2() *G2 { - return newG2(nil) -} - -func newG2(f *fp2) *G2 { - if f == nil { - f = newFp2() - } - t := newTempG2() - return &G2{f, t} -} - -func newTempG2() tempG2 { - t := [9]*fe2{} - for i := 0; i < 9; i++ { - t[i] = &fe2{} - } - return tempG2{t} -} - -// Q returns group order in big.Int. -func (g *G2) Q() *big.Int { - return new(big.Int).Set(qBig) -} - -// FromUncompressed expects byte slice at least 192 bytes and given bytes returns a new point in G2. -// Serialization rules are in line with zcash library. See below for details. 
-// https://github.com/zcash/librustzcash/blob/master/pairing/src/bls12_381/README.md#serialization -// https://docs.rs/bls12_381/0.1.1/bls12_381/notes/serialization/index.html -func (g *G2) FromUncompressed(uncompressed []byte) (*PointG2, error) { - if len(uncompressed) != 4*fpByteSize { - return nil, errors.New("input string length must be equal to 192 bytes") - } - var in [4 * fpByteSize]byte - copy(in[:], uncompressed[:4*fpByteSize]) - if in[0]&(1<<7) != 0 { - return nil, errors.New("compression flag must be zero") - } - if in[0]&(1<<5) != 0 { - return nil, errors.New("sort flag must be zero") - } - if in[0]&(1<<6) != 0 { - for i, v := range in { - if (i == 0 && v != 0x40) || (i != 0 && v != 0x00) { - return nil, errors.New("input string must be zero when infinity flag is set") - } - } - return g.Zero(), nil - } - in[0] &= 0x1f - x, err := g.f.fromBytes(in[:2*fpByteSize]) - if err != nil { - return nil, err - } - y, err := g.f.fromBytes(in[2*fpByteSize:]) - if err != nil { - return nil, err - } - z := new(fe2).one() - p := &PointG2{*x, *y, *z} - if !g.IsOnCurve(p) { - return nil, errors.New("point is not on curve") - } - if !g.InCorrectSubgroup(p) { - return nil, errors.New("point is not on correct subgroup") - } - return p, nil -} - -// ToUncompressed given a G2 point returns bytes in uncompressed (x, y) form of the point. -// Serialization rules are in line with zcash library. See below for details. -// https://github.com/zcash/librustzcash/blob/master/pairing/src/bls12_381/README.md#serialization -// https://docs.rs/bls12_381/0.1.1/bls12_381/notes/serialization/index.html -func (g *G2) ToUncompressed(p *PointG2) []byte { - out := make([]byte, 4*fpByteSize) - g.Affine(p) - if g.IsZero(p) { - out[0] |= 1 << 6 - return out - } - copy(out[:2*fpByteSize], g.f.toBytes(&p[0])) - copy(out[2*fpByteSize:], g.f.toBytes(&p[1])) - return out -} - -// FromCompressed expects byte slice at least 96 bytes and given bytes returns a new point in G2. 
-// Serialization rules are in line with zcash library. See below for details. -// https://github.com/zcash/librustzcash/blob/master/pairing/src/bls12_381/README.md#serialization -// https://docs.rs/bls12_381/0.1.1/bls12_381/notes/serialization/index.html -func (g *G2) FromCompressed(compressed []byte) (*PointG2, error) { - if len(compressed) != 2*fpByteSize { - return nil, errors.New("input string length must be equal to 96 bytes") - } - var in [2 * fpByteSize]byte - copy(in[:], compressed[:]) - if in[0]&(1<<7) == 0 { - return nil, errors.New("compression flag must be set") - } - if in[0]&(1<<6) != 0 { - // in[0] == (1 << 6) + (1 << 7) - for i, v := range in { - if (i == 0 && v != 0xc0) || (i != 0 && v != 0x00) { - return nil, errors.New("input string must be zero when infinity flag is set") - } - } - return g.Zero(), nil - } - a := in[0]&(1<<5) != 0 - in[0] &= 0x1f - x, err := g.f.fromBytes(in[:]) - if err != nil { - return nil, err - } - // solve curve equation - y := &fe2{} - g.f.square(y, x) - g.f.mul(y, y, x) - fp2Add(y, y, b2) - if ok := g.f.sqrt(y, y); !ok { - return nil, errors.New("point is not on curve") - } - if y.signBE() == a { - fp2Neg(y, y) - } - z := new(fe2).one() - p := &PointG2{*x, *y, *z} - if !g.InCorrectSubgroup(p) { - return nil, errors.New("point is not on correct subgroup") - } - return p, nil -} - -// ToCompressed given a G2 point returns bytes in compressed form of the point. -// Serialization rules are in line with zcash library. See below for details. 
-// https://github.com/zcash/librustzcash/blob/master/pairing/src/bls12_381/README.md#serialization -// https://docs.rs/bls12_381/0.1.1/bls12_381/notes/serialization/index.html -func (g *G2) ToCompressed(p *PointG2) []byte { - out := make([]byte, 2*fpByteSize) - g.Affine(p) - if g.IsZero(p) { - out[0] |= 1 << 6 - } else { - copy(out[:], g.f.toBytes(&p[0])) - if !p[1].signBE() { - out[0] |= 1 << 5 - } - } - out[0] |= 1 << 7 - return out -} - -func (g *G2) fromBytesUnchecked(in []byte) (*PointG2, error) { - p0, err := g.f.fromBytes(in[:2*fpByteSize]) - if err != nil { - return nil, err - } - p1, err := g.f.fromBytes(in[2*fpByteSize:]) - if err != nil { - return nil, err - } - p2 := new(fe2).one() - return &PointG2{*p0, *p1, *p2}, nil -} - -// FromBytes constructs a new point given uncompressed byte input. -// Input string expected to be 192 bytes and concatenation of x and y values -// Point (0, 0) is considered as infinity. -func (g *G2) FromBytes(in []byte) (*PointG2, error) { - if len(in) != 4*fpByteSize { - return nil, errors.New("input string length must be equal to 192 bytes") - } - p0, err := g.f.fromBytes(in[:2*fpByteSize]) - if err != nil { - return nil, err - } - p1, err := g.f.fromBytes(in[2*fpByteSize:]) - if err != nil { - return nil, err - } - // check if given input points to infinity - if p0.isZero() && p1.isZero() { - return g.Zero(), nil - } - p2 := new(fe2).one() - p := &PointG2{*p0, *p1, *p2} - if !g.IsOnCurve(p) { - return nil, errors.New("point is not on curve") - } - return p, nil -} - -// ToBytes serializes a point into bytes in uncompressed form, -// returns (0, 0) if point is infinity. -func (g *G2) ToBytes(p *PointG2) []byte { - out := make([]byte, 4*fpByteSize) - if g.IsZero(p) { - return out - } - g.Affine(p) - copy(out[:2*fpByteSize], g.f.toBytes(&p[0])) - copy(out[2*fpByteSize:], g.f.toBytes(&p[1])) - return out -} - -// New creates a new G2 Point which is equal to zero in other words point at infinity. 
-func (g *G2) New() *PointG2 { - return new(PointG2).Zero() -} - -// Zero returns a new G2 Point which is equal to point at infinity. -func (g *G2) Zero() *PointG2 { - return new(PointG2).Zero() -} - -// One returns a new G2 Point which is equal to generator point. -func (g *G2) One() *PointG2 { - p := &PointG2{} - return p.Set(&g2One) -} - -// IsZero returns true if given point is equal to zero. -func (g *G2) IsZero(p *PointG2) bool { - return p[2].isZero() -} - -// Equal checks if given two G2 point is equal in their affine form. -func (g *G2) Equal(p1, p2 *PointG2) bool { - if g.IsZero(p1) { - return g.IsZero(p2) - } - if g.IsZero(p2) { - return g.IsZero(p1) - } - t := g.t - g.f.square(t[0], &p1[2]) - g.f.square(t[1], &p2[2]) - g.f.mul(t[2], t[0], &p2[0]) - g.f.mul(t[3], t[1], &p1[0]) - g.f.mulAssign(t[0], &p1[2]) - g.f.mulAssign(t[1], &p2[2]) - g.f.mulAssign(t[1], &p1[1]) - g.f.mulAssign(t[0], &p2[1]) - return t[0].equal(t[1]) && t[2].equal(t[3]) -} - -// IsOnCurve checks a G2 point is on curve. -func (g *G2) IsOnCurve(p *PointG2) bool { - if g.IsZero(p) { - return true - } - t := g.t - g.f.square(t[0], &p[1]) // y^2 - g.f.square(t[1], &p[0]) // x^2 - g.f.mul(t[1], t[1], &p[0]) // x^3 - if p.IsAffine() { - fp2Add(t[1], t[1], b2) // x^2 + b - return t[0].equal(t[1]) // y^2 ?= x^3 + b - } - g.f.square(t[2], &p[2]) // z^2 - g.f.square(t[3], t[2]) // z^4 - g.f.mulAssign(t[2], t[3]) // z^6 - g.f.mulAssign(t[2], b2) // b*z^6 - fp2AddAssign(t[1], t[2]) // x^3 + b * z^6 - return t[0].equal(t[1]) // y^2 ?= x^3 + b * z^6 -} - -// IsAffine checks a G2 point whether it is in affine form. -func (g *G2) IsAffine(p *PointG2) bool { - return p[2].isOne() -} - -// Affine calculates affine form of given G2 point. 
-func (g *G2) Affine(p *PointG2) *PointG2 { - return g.affine(p, p) -} - -func (g *G2) affine(r, p *PointG2) *PointG2 { - if g.IsZero(p) { - return r.Zero() - } - if !g.IsAffine(p) { - t := g.t - g.f.inverse(t[0], &p[2]) // z^-1 - g.f.square(t[1], t[0]) // z^-2 - g.f.mulAssign(&r[0], t[1]) // x = x * z^-2 - g.f.mulAssign(t[0], t[1]) // z^-3 - g.f.mulAssign(&r[1], t[0]) // y = y * z^-3 - r[2].one() // z = 1 - } else { - r.Set(p) - } - return r -} - -// AffineBatch given multiple of points returns affine representations -func (g *G2) AffineBatch(p []*PointG2) { - inverses := make([]fe2, len(p)) - for i := 0; i < len(p); i++ { - inverses[i].set(&p[i][2]) - } - g.f.inverseBatch(inverses) - t := g.t - for i := 0; i < len(p); i++ { - if !g.IsAffine(p[i]) && !g.IsZero(p[i]) { - g.f.square(t[1], &inverses[i]) - g.f.mulAssign(&p[i][0], t[1]) - g.f.mul(t[0], &inverses[i], t[1]) - g.f.mulAssign(&p[i][1], t[0]) - p[i][2].one() - } - } -} - -// Add adds two G2 points p1, p2 and assigns the result to point at first argument. 
-func (g *G2) Add(r, p1, p2 *PointG2) *PointG2 { - // http://www.hyperelliptic.org/EFD/gp/auto-shortw-jacobian-0.html#addition-add-2007-bl - if g.IsZero(p1) { - return r.Set(p2) - } - if g.IsZero(p2) { - return r.Set(p1) - } - if g.IsAffine(p2) { - return g.AddMixed(r, p1, p2) - } - t := g.t - g.f.square(t[7], &p1[2]) // z1z1 - g.f.mul(t[1], &p2[0], t[7]) // u2 = x2 * z1z1 - g.f.mul(t[2], &p1[2], t[7]) // z1z1 * z1 - g.f.mul(t[0], &p2[1], t[2]) // s2 = y2 * z1z1 * z1 - g.f.square(t[8], &p2[2]) // z2z2 - g.f.mul(t[3], &p1[0], t[8]) // u1 = x1 * z2z2 - g.f.mul(t[4], &p2[2], t[8]) // z2z2 * z2 - g.f.mul(t[2], &p1[1], t[4]) // s1 = y1 * z2z2 * z2 - if t[1].equal(t[3]) { - if t[0].equal(t[2]) { - return g.Double(r, p1) - } else { - return r.Zero() - } - } - fp2SubAssign(t[1], t[3]) // h = u2 - u1 - fp2Double(t[4], t[1]) // 2h - g.f.squareAssign(t[4]) // i = 2h^2 - g.f.mul(t[5], t[1], t[4]) // j = h*i - fp2SubAssign(t[0], t[2]) // s2 - s1 - fp2DoubleAssign(t[0]) // r = 2*(s2 - s1) - g.f.square(t[6], t[0]) // r^2 - fp2SubAssign(t[6], t[5]) // r^2 - j - g.f.mulAssign(t[3], t[4]) // v = u1 * i - fp2Double(t[4], t[3]) // 2*v - fp2Sub(&r[0], t[6], t[4]) // x3 = r^2 - j - 2*v - fp2Sub(t[4], t[3], &r[0]) // v - x3 - g.f.mul(t[6], t[2], t[5]) // s1 * j - fp2DoubleAssign(t[6]) // 2 * s1 * j - g.f.mulAssign(t[0], t[4]) // r * (v - x3) - fp2Sub(&r[1], t[0], t[6]) // y3 = r * (v - x3) - (2 * s1 * j) - fp2Add(t[0], &p1[2], &p2[2]) // z1 + z2 - g.f.squareAssign(t[0]) // (z1 + z2)^2 - fp2SubAssign(t[0], t[7]) // (z1 + z2)^2 - z1z1 - fp2SubAssign(t[0], t[8]) // (z1 + z2)^2 - z1z1 - z2z2 - g.f.mul(&r[2], t[0], t[1]) // z3 = ((z1 + z2)^2 - z1z1 - z2z2) * h - return r -} - -// Add adds two G1 points p1, p2 and assigns the result to point at first argument. -// Expects the second point p2 in affine form. 
-func (g *G2) AddMixed(r, p1, p2 *PointG2) *PointG2 { - // http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-madd-2007-bl - if g.IsZero(p1) { - return r.Set(p2) - } - if g.IsZero(p2) { - return r.Set(p1) - } - t := g.t - g.f.square(t[7], &p1[2]) // z1z1 - g.f.mul(t[1], &p2[0], t[7]) // u2 = x2 * z1z1 - g.f.mul(t[2], &p1[2], t[7]) // z1z1 * z1 - g.f.mul(t[0], &p2[1], t[2]) // s2 = y2 * z1z1 * z1 - - if p1[0].equal(t[1]) && p1[1].equal(t[0]) { - return g.Double(r, p1) - } - - fp2SubAssign(t[1], &p1[0]) // h = u2 - x1 - g.f.square(t[2], t[1]) // hh - fp2Double(t[4], t[2]) - fp2DoubleAssign(t[4]) // 4hh - g.f.mul(t[5], t[1], t[4]) // j = h*i - fp2SubAssign(t[0], &p1[1]) // s2 - y1 - fp2DoubleAssign(t[0]) // r = 2*(s2 - y1) - g.f.square(t[6], t[0]) // r^2 - fp2SubAssign(t[6], t[5]) // r^2 - j - g.f.mul(t[3], &p1[0], t[4]) // v = x1 * i - fp2Double(t[4], t[3]) // 2*v - fp2Sub(&r[0], t[6], t[4]) // x3 = r^2 - j - 2*v - fp2Sub(t[4], t[3], &r[0]) // v - x3 - g.f.mul(t[6], &p1[1], t[5]) // y1 * j - fp2DoubleAssign(t[6]) // 2 * y1 * j - g.f.mulAssign(t[0], t[4]) // r * (v - x3) - fp2Sub(&r[1], t[0], t[6]) // y3 = r * (v - x3) - (2 * y1 * j) - fp2Add(t[0], &p1[2], t[1]) // z1 + h - g.f.squareAssign(t[0]) // (z1 + h)^2 - fp2SubAssign(t[0], t[7]) // (z1 + h)^2 - z1z1 - fp2Sub(&r[2], t[0], t[2]) // z3 = (z1 + z2)^2 - z1z1 - hh - return r -} - -// Double doubles a G2 point p and assigns the result to the point at first argument. 
-func (g *G2) Double(r, p *PointG2) *PointG2 { - // http://www.hyperelliptic.org/EFD/gp/auto-shortw-jacobian-0.html#doubling-dbl-2009-l - if g.IsZero(p) { - return r.Set(p) - } - t := g.t - g.f.square(t[0], &p[0]) // a = x^2 - g.f.square(t[1], &p[1]) // b = y^2 - g.f.square(t[2], t[1]) // c = b^2 - fp2AddAssign(t[1], &p[0]) // b + x1 - g.f.squareAssign(t[1]) // (b + x1)^2 - fp2SubAssign(t[1], t[0]) // (b + x1)^2 - a - fp2SubAssign(t[1], t[2]) // (b + x1)^2 - a - c - fp2DoubleAssign(t[1]) // d = 2((b+x1)^2 - a - c) - fp2Double(t[3], t[0]) // 2a - fp2AddAssign(t[0], t[3]) // e = 3a - g.f.square(t[4], t[0]) // f = e^2 - fp2Double(t[3], t[1]) // 2d - fp2Sub(&r[0], t[4], t[3]) // x3 = f - 2d - fp2SubAssign(t[1], &r[0]) // d-x3 - fp2DoubleAssign(t[2]) // - fp2DoubleAssign(t[2]) // - fp2DoubleAssign(t[2]) // 8c - g.f.mulAssign(t[0], t[1]) // e * (d - x3) - fp2Sub(t[1], t[0], t[2]) // x3 = e * (d - x3) - 8c - g.f.mul(t[0], &p[1], &p[2]) // y1 * z1 - r[1].set(t[1]) // - fp2Double(&r[2], t[0]) // z3 = 2(y1 * z1) - return r -} - -// Neg negates a G2 point p and assigns the result to the point at first argument. -func (g *G2) Neg(r, p *PointG2) *PointG2 { - r[0].set(&p[0]) - fp2Neg(&r[1], &p[1]) - r[2].set(&p[2]) - return r -} - -// Sub subtracts two G2 points p1, p2 and assigns the result to point at first argument. -func (g *G2) Sub(c, a, b *PointG2) *PointG2 { - d := &PointG2{} - g.Neg(d, b) - g.Add(c, a, d) - return c -} - -// MulScalar multiplies a point by given scalar value and assigns the result to point at first argument. -func (g *G2) MulScalar(r, p *PointG2, e *Fr) *PointG2 { - return g.glvMulFr(r, p, e) -} - -// MulScalarBig multiplies a point by given scalar value in big.Int and assigns the result to point at first argument. 
-func (g *G2) MulScalarBig(r, p *PointG2, e *big.Int) *PointG2 { - return g.glvMulBig(r, p, e) -} - -func (g *G2) mulScalar(c, p *PointG2, e *Fr) *PointG2 { - q, n := &PointG2{}, &PointG2{} - n.Set(p) - for i := 0; i < frBitSize; i++ { - if e.Bit(i) { - g.Add(q, q, n) - } - g.Double(n, n) - } - return c.Set(q) -} - -func (g *G2) mulScalarBig(c, p *PointG2, e *big.Int) *PointG2 { - q, n := &PointG2{}, &PointG2{} - n.Set(p) - l := e.BitLen() - for i := 0; i < l; i++ { - if e.Bit(i) == 1 { - g.Add(q, q, n) - } - g.Double(n, n) - } - return c.Set(q) -} - -func (g *G2) wnafMulFr(r, p *PointG2, e *Fr) *PointG2 { - wnaf := e.toWNAF(wnafMulWindowG2) - return g.wnafMul(r, p, wnaf) -} - -func (g *G2) wnafMulBig(r, p *PointG2, e *big.Int) *PointG2 { - wnaf := bigToWNAF(e, wnafMulWindowG2) - return g.wnafMul(r, p, wnaf) -} - -func (g *G2) wnafMul(c, p *PointG2, wnaf nafNumber) *PointG2 { - - l := (1 << (wnafMulWindowG2 - 1)) - - twoP, acc := g.New(), new(PointG2).Set(p) - g.Double(twoP, p) - g.Affine(twoP) - - // table = {p, 3p, 5p, ..., -p, -3p, -5p} - table := make([]*PointG2, l*2) - table[0], table[l] = g.New(), g.New() - table[0].Set(p) - g.Neg(table[l], table[0]) - - for i := 1; i < l; i++ { - g.AddMixed(acc, acc, twoP) - table[i], table[i+l] = g.New(), g.New() - table[i].Set(acc) - g.Neg(table[i+l], table[i]) - } - - q := g.Zero() - for i := len(wnaf) - 1; i >= 0; i-- { - if wnaf[i] > 0 { - g.Add(q, q, table[wnaf[i]>>1]) - } else if wnaf[i] < 0 { - g.Add(q, q, table[((-wnaf[i])>>1)+l]) - } - if i != 0 { - g.Double(q, q) - } - } - return c.Set(q) -} - -func (g *G2) glvMulFr(r, p *PointG2, e *Fr) *PointG2 { - return g.glvMul(r, p, new(glvVectorFr).new(e)) -} - -func (g *G2) glvMulBig(r, p *PointG2, e *big.Int) *PointG2 { - return g.glvMul(r, p, new(glvVectorBig).new(e)) -} - -func (g *G2) glvMul(r, p0 *PointG2, v glvVector) *PointG2 { - - w := glvMulWindowG2 - l := 1 << (w - 1) - - // prepare tables - // tableK1 = {P, 3P, 5P, ...} - // tableK2 = {λP, 3λP, 5λP, ...} - 
tableK1, tableK2 := make([]*PointG2, l), make([]*PointG2, l) - double := g.New() - g.Double(double, p0) - g.affine(double, double) - tableK1[0] = new(PointG2) - tableK1[0].Set(p0) - for i := 1; i < l; i++ { - tableK1[i] = new(PointG2) - g.AddMixed(tableK1[i], tableK1[i-1], double) - } - g.AffineBatch(tableK1) - for i := 0; i < l; i++ { - tableK2[i] = new(PointG2) - g.glvEndomorphism(tableK2[i], tableK1[i]) - } - - // recode small scalars - naf1, naf2 := v.wnaf(w) - lenNAF1, lenNAF2 := len(naf1), len(naf2) - lenNAF := lenNAF1 - if lenNAF2 > lenNAF { - lenNAF = lenNAF2 - } - - acc, p1 := g.New(), g.New() - - // function for naf addition - add := func(table []*PointG2, naf int) { - if naf != 0 { - nafAbs := naf - if nafAbs < 0 { - nafAbs = -nafAbs - } - p1.Set(table[nafAbs>>1]) - if naf < 0 { - g.Neg(p1, p1) - } - g.AddMixed(acc, acc, p1) - } - } - - // sliding - for i := lenNAF - 1; i >= 0; i-- { - if i < lenNAF1 { - add(tableK1, naf1[i]) - } - if i < lenNAF2 { - add(tableK2, naf2[i]) - } - if i != 0 { - g.Double(acc, acc) - } - } - return r.Set(acc) -} - -// MultiExpBig calculates multi exponentiation. Scalar values are received as big.Int type. -// Given pairs of G2 point and scalar values `(P_0, e_0), (P_1, e_1), ... (P_n, e_n)`, -// calculates `r = e_0 * P_0 + e_1 * P_1 + ... + e_n * P_n`. -// Length of points and scalars are expected to be equal, otherwise an error is returned. -// Result is assigned to point at first argument. 
-func (g *G2) MultiExpBig(r *PointG2, points []*PointG2, scalars []*big.Int) (*PointG2, error) { - if len(points) != len(scalars) { - return nil, errors.New("point and scalar vectors should be in same length") - } - - c := 3 - if len(scalars) >= 32 { - c = int(math.Ceil(math.Log(float64(len(scalars))))) - } - - bucketSize := (1 << c) - 1 - windows := make([]PointG2, 255/c+1) - bucket := make([]PointG2, bucketSize) - - for j := 0; j < len(windows); j++ { - - for i := 0; i < bucketSize; i++ { - bucket[i].Zero() - } - - for i := 0; i < len(scalars); i++ { - index := bucketSize & int(new(big.Int).Rsh(scalars[i], uint(c*j)).Int64()) - if index != 0 { - g.Add(&bucket[index-1], &bucket[index-1], points[i]) - } - } - - acc, sum := g.New(), g.New() - for i := bucketSize - 1; i >= 0; i-- { - g.Add(sum, sum, &bucket[i]) - g.Add(acc, acc, sum) - } - windows[j].Set(acc) - } - - acc := g.New() - for i := len(windows) - 1; i >= 0; i-- { - for j := 0; j < c; j++ { - g.Double(acc, acc) - } - g.Add(acc, acc, &windows[i]) - } - return r.Set(acc), nil -} - -// MultiExp calculates multi exponentiation. Given pairs of G2 point and scalar values `(P_0, e_0), (P_1, e_1), ... (P_n, e_n)`, -// calculates `r = e_0 * P_0 + e_1 * P_1 + ... + e_n * P_n`. Length of points and scalars are expected to be equal, -// otherwise an error is returned. Result is assigned to point at first argument. 
-func (g *G2) MultiExp(r *PointG2, points []*PointG2, scalars []*Fr) (*PointG2, error) { - if len(points) != len(scalars) { - return nil, errors.New("point and scalar vectors should be in same length") - } - - g.AffineBatch(points) - - c := 3 - if len(scalars) >= 32 { - c = int(math.Ceil(math.Log(float64(len(scalars))))) - } - - bucketSize := (1 << c) - 1 - windows := make([]*PointG2, 255/c+1) - bucket := make([]PointG2, bucketSize) - - for j := 0; j < len(windows); j++ { - - for i := 0; i < bucketSize; i++ { - bucket[i].Zero() - } - - for i := 0; i < len(scalars); i++ { - index := bucketSize & int(scalars[i].sliceUint64(c*j)) - if index != 0 { - g.AddMixed(&bucket[index-1], &bucket[index-1], points[i]) - } - } - - acc, sum := g.New(), g.New() - for i := bucketSize - 1; i >= 0; i-- { - g.Add(sum, sum, &bucket[i]) - g.Add(acc, acc, sum) - } - windows[j] = g.New().Set(acc) - } - - g.AffineBatch(windows) - - acc := g.New() - for i := len(windows) - 1; i >= 0; i-- { - for j := 0; j < c; j++ { - g.Double(acc, acc) - } - g.AddMixed(acc, acc, windows[i]) - } - return r.Set(acc), nil -} - -// InCorrectSubgroup checks whether given point is in correct subgroup. -func (g *G2) InCorrectSubgroup(p *PointG2) bool { - - // Faster Subgroup Checks for BLS12-381 - // S. Bowe - // https://eprint.iacr.org/2019/814.pdf - - // [z]ψ^3(P) − ψ^2(P) + P = O - t0, t1 := g.New().Set(p), g.New() - - g.psi(t0) - g.psi(t0) - g.Neg(t1, t0) // - ψ^2(P) - g.psi(t0) // ψ^3(P) - g.mulX(t0) // - x ψ^3(P) - g.Neg(t0, t0) - - g.Add(t0, t0, t1) - g.Add(t0, t0, p) - - return g.IsZero(t0) -} - -// ClearCofactor maps given a G2 point to correct subgroup -func (g *G2) ClearCofactor(p *PointG2) *PointG2 { - - // Efficient hash maps to G2 on BLS curves - // A. Budroni, F. 
Pintore - // https://eprint.iacr.org/2017/419.pdf - - // [h(ψ)]P = [x^2 − x − 1]P + [x − 1]ψ(P) + ψ^2(2P) - t0, t1, t2, t3 := g.New().Set(p), g.New().Set(p), g.New().Set(p), g.New() - - g.Double(t0, t0) - g.psi(t0) - g.psi(t0) // P2 = ψ^2(2P) - g.psi(t2) // P1 = ψ(P) - g.mulX(t1) // -xP0 - - g.Sub(t3, t1, t2) // -xP0 - P1 - g.mulX(t3) // (x^2)P0 + xP1 - g.Sub(t1, t1, p) // (-x-1)P0 - g.Add(t3, t3, t1) // (x^2-x-1)P0 + xP1 - g.Sub(t3, t3, t2) // (x^2-x-1)P0 + (x-1)P1 - g.Add(t3, t3, t0) // (x^2-x-1)P0 + (x-1)P1 + P2 - return p.Set(t3) -} - -func (g *G2) psi(p *PointG2) { - fp2Conjugate(&p[0], &p[0]) - fp2Conjugate(&p[1], &p[1]) - fp2Conjugate(&p[2], &p[2]) - g.f.mul(&p[0], &p[0], &psix) - g.f.mul(&p[1], &p[1], &psiy) -} - -func (g *G2) mulX(p *PointG2) { - - chain := func(p0 *PointG2, n int, p1 *PointG2) { - g.Add(p0, p0, p1) - for i := 0; i < n; i++ { - g.Double(p0, p0) - } - } - - t := g.New().Set(p) - g.Double(p, t) - chain(p, 2, t) - chain(p, 3, t) - chain(p, 9, t) - chain(p, 32, t) - chain(p, 16, t) -} - -// MapToCurve given a byte slice returns a valid G2 point. -// This mapping function implements the Simplified Shallue-van de Woestijne-Ulas method. -// https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05#section-6.6.2 -// Input byte slice should be a valid field element, otherwise an error is returned. -func (g *G2) MapToCurve(in []byte) (*PointG2, error) { - fp2 := g.f - u, err := fp2.fromBytes(in) - if err != nil { - return nil, err - } - x, y := swuMapG2(fp2, u) - isogenyMapG2(fp2, x, y) - z := new(fe2).one() - q := &PointG2{*x, *y, *z} - g.ClearCofactor(q) - return g.Affine(q), nil -} - -// EncodeToCurve given a message and domain seperator tag returns the hash result -// which is a valid curve point. 
-// Implementation follows BLS12381G1_XMD:SHA-256_SSWU_NU_ suite at -// https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06 -func (g *G2) EncodeToCurve(msg, domain []byte) (*PointG2, error) { - hashRes, err := hashToFpXMDSHA256(msg, domain, 2) - if err != nil { - return nil, err - } - fp2 := g.f - u := &fe2{*hashRes[0], *hashRes[1]} - x, y := swuMapG2(fp2, u) - isogenyMapG2(fp2, x, y) - z := new(fe2).one() - q := &PointG2{*x, *y, *z} - g.ClearCofactor(q) - return g.Affine(q), nil -} - -// HashToCurve given a message and domain seperator tag returns the hash result -// which is a valid curve point. -// Implementation follows BLS12381G1_XMD:SHA-256_SSWU_RO_ suite at -// https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06 -func (g *G2) HashToCurve(msg, domain []byte) (*PointG2, error) { - hashRes, err := hashToFpXMDSHA256(msg, domain, 4) - if err != nil { - return nil, err - } - fp2 := g.f - u0, u1 := &fe2{*hashRes[0], *hashRes[1]}, &fe2{*hashRes[2], *hashRes[3]} - x0, y0 := swuMapG2(fp2, u0) - x1, y1 := swuMapG2(fp2, u1) - z0 := new(fe2).one() - z1 := new(fe2).one() - p0, p1 := &PointG2{*x0, *y0, *z0}, &PointG2{*x1, *y1, *z1} - g.Add(p0, p0, p1) - g.Affine(p0) - isogenyMapG2(fp2, &p0[0], &p0[1]) - g.ClearCofactor(p0) - return g.Affine(p0), nil -} diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/glv.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/glv.go deleted file mode 100644 index 0e6181892..000000000 --- a/component/kmscrypto/internal/third_party/kilic/bls12-381/glv.go +++ /dev/null 
@@ -1,200 +0,0 @@ -package bls12381 - -import ( - "math/big" -) - -// Guide to Pairing Based Cryptography -// 6.3.2. Decompositions for the k = 12 BLS Family - -// glvQ1 = x^2 * R / q -var glvQ1 = &Fr{0x63f6e522f6cfee30, 0x7c6becf1e01faadd, 0x1, 0} -var glvQ1Big = bigFromHex("0x017c6becf1e01faadd63f6e522f6cfee30") - -// glvQ2 = R / q = 2 -var glvQ2 = &Fr{0x02, 0, 0, 0} -var glvQ2Big = bigFromHex("0x02") - -// glvB1 = x^2 - 1 = 0xac45a4010001a40200000000ffffffff -var glvB1 = &Fr{0x00000000ffffffff, 0xac45a4010001a402, 0, 0} -var glvB1Big = bigFromHex("0xac45a4010001a40200000000ffffffff") - -// glvB2 = x^2 = 0xac45a4010001a4020000000100000000 -var glvB2 = &Fr{0x0000000100000000, 0xac45a4010001a402, 0, 0} -var glvB2Big = bigFromHex("0xac45a4010001a4020000000100000000") - -// glvLambdaA = x^2 - 1 -var glvLambda = &Fr{0x00000000ffffffff, 0xac45a4010001a402, 0, 0} -var glvLambdaBig = bigFromHex("0xac45a4010001a40200000000ffffffff") - -// halfR = 2**256 / 2 -var halfR = &wideFr{0, 0, 0, 0x8000000000000000, 0, 0, 0} -var halfRBig = bigFromHex("0x8000000000000000000000000000000000000000000000000000000000000000") - -// r128 = 2**128 - 1 -var r128 = &Fr{0xffffffffffffffff, 0xffffffffffffffff, 0, 0} - -// glvPhi1 ^ 3 = 1 -var glvPhi1 = &fe{0xcd03c9e48671f071, 0x5dab22461fcda5d2, 0x587042afd3851b95, 0x8eb60ebe01bacb9e, 0x03f97d6e83d050d2, 0x18f0206554638741} - -// glvPhi2 ^ 3 = 1 -var glvPhi2 = &fe{0x30f1361b798a64e8, 0xf3b8ddab7ece5a2a, 0x16a8ca3ac61577f7, 0xc26a2ff874fd029b, 0x3636b76660701c6e, 0x051ba4ab241b6160} - -var glvMulWindowG1 uint = 4 -var glvMulWindowG2 uint = 4 - -type glvVector interface { - wnaf(w uint) (nafNumber, nafNumber) -} - -type glvVectorFr struct { - k1 *Fr - k2 *Fr - neg1 bool - neg2 bool -} - -type glvVectorBig struct { - k1 *big.Int - k2 *big.Int -} - -func (v *glvVectorFr) wnaf(w uint) (nafNumber, nafNumber) { - naf1 := v.k1.toWNAF(w) - naf2 := v.k2.toWNAF(w) - if v.neg1 { - naf1.neg() - } - if !v.neg2 { - naf2.neg() - } - return naf1, naf2 -} - 
-func (v *glvVectorBig) wnaf(w uint) (nafNumber, nafNumber) { - naf1, naf2 := bigToWNAF(v.k1, w), bigToWNAF(v.k2, w) - zero := new(big.Int) - if v.k1.Cmp(zero) < 0 { - naf1.neg() - } - if v.k2.Cmp(zero) > 0 { - naf2.neg() - } - return naf1, naf2 -} - -func (v *glvVectorFr) new(m *Fr) *glvVectorFr { - // Guide to Pairing Based Cryptography - // 6.3.2. Decompositions for the k = 12 BLS Family - - // alpha1 = round(x^2 * m / r) - alpha1 := alpha1(m) - // alpha2 = round(m / r) - alpha2 := alpha2(m) - - z1, z2 := new(Fr), new(Fr) - - // z1 = (x^2 - 1) * round(x^2 * m / r) - z1.Mul(alpha1, glvB1) - // z2 = x^2 * round(m / r) - z2.Mul(alpha2, glvB2) - - k1, k2 := new(Fr), new(Fr) - // k1 = m - z1 - alpha2 - k1.Sub(m, z1) - k1.Sub(k1, alpha2) - - // k2 = z2 - alpha1 - k2.Sub(z2, alpha1) - - if k1.Cmp(r128) == 1 { - k1.Neg(k1) - v.neg1 = true - } - v.k1 = new(Fr).Set(k1) - if k2.Cmp(r128) == 1 { - k2.Neg(k2) - v.neg2 = true - } - v.k2 = new(Fr).Set(k2) - return v -} - -func (v *glvVectorBig) new(m *big.Int) *glvVectorBig { - // Guide to Pairing Based Cryptography - // 6.3.2. 
Decompositions for the k = 12 BLS Family - - // alpha1 = round(x^2 * m / r) - alpha1 := new(big.Int).Mul(m, glvQ1Big) - alpha1.Add(alpha1, halfRBig) - alpha1.Rsh(alpha1, fourWordBitSize) - - // alpha2 = round(m / r) - alpha2 := new(big.Int).Mul(m, glvQ2Big) - alpha2.Add(alpha2, halfRBig) - alpha2.Rsh(alpha2, fourWordBitSize) - - z1, z2 := new(big.Int), new(big.Int) - // z1 = (x^2 - 1) * round(x^2 * m / r) - z1.Mul(alpha1, glvB1Big).Mod(z1, qBig) - // z2 = x^2 * round(m / r) - z2.Mul(alpha2, glvB2Big).Mod(z2, qBig) - - k1, k2 := new(big.Int), new(big.Int) - - // k1 = m - z1 - alpha2 - k1.Sub(m, z1) - k1.Sub(k1, alpha2) - - // k2 = z2 - alpha1 - k2.Sub(z2, alpha1) - - v.k1 = new(big.Int).Set(k1) - v.k2 = new(big.Int).Set(k2) - return v -} - -// round(x^2 * m / q) -func alpha1(m *Fr) *Fr { - a := new(wideFr) - a.mul(m, glvQ1) - return a.round() -} - -// round(m / q) -func alpha2(m *Fr) *Fr { - a := new(wideFr) - a.mul(m, glvQ2) - return a.round() -} - -func phi(a, b *fe) { - mul(a, b, glvPhi1) -} - -func (e *fp2) phi(a, b *fe2) { - mul(&a[0], &b[0], glvPhi2) - mul(&a[1], &b[1], glvPhi2) -} - -func (g *G1) glvEndomorphism(r, p *PointG1) { - t := g.Affine(p) - if g.IsZero(p) { - r.Zero() - return - } - r[1].set(&t[1]) - phi(&r[0], &t[0]) - r[2].one() -} - -func (g *G2) glvEndomorphism(r, p *PointG2) { - t := g.Affine(p) - if g.IsZero(p) { - r.Zero() - return - } - r[1].set(&t[1]) - g.f.phi(&r[0], &t[0]) - r[2].one() -} diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/gt.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/gt.go deleted file mode 100644 index 3e28bb366..000000000 --- a/component/kmscrypto/internal/third_party/kilic/bls12-381/gt.go +++ /dev/null 
@@ -1,107 +0,0 @@
-package bls12381
-
-import (
- "errors"
- "math/big"
-)
-
-// E is type for target group element
-type E = fe12
-
-// GT is type for target multiplicative group GT.
-type GT struct {
- fp12 *fp12
-}
-
-// Set copies given value into the destination
-func (e *E) Set(e2 *E) *E {
- return e.set(e2)
-}
-
-// One sets a new target group element to one
-func (e *E) One() *E {
- e = new(fe12).one()
- return e
-}
-
-// IsOne returns true if given element equals to one
-func (e *E) IsOne() bool {
- return e.isOne()
-}
-
-// Equal returns true if given two element is equal, otherwise returns false
-func (g *E) Equal(g2 *E) bool {
- return g.equal(g2)
-}
-
-// NewGT constructs new target group instance.
-func NewGT() *GT {
- fp12 := newFp12(nil)
- return >{fp12}
-}
-
-// Q returns group order in big.Int.
-func (g *GT) Q() *big.Int {
- return new(big.Int).Set(qBig)
-}
-
-// FromBytes expects 576 byte input and returns target group element
-// FromBytes returns error if given element is not on correct subgroup.
-func (g *GT) FromBytes(in []byte) (*E, error) {
- e, err := g.fp12.fromBytes(in)
- if err != nil {
- return nil, err
- }
- if !g.IsValid(e) {
- return e, errors.New("invalid element")
- }
- return e, nil
-}
-
-// ToBytes serializes target group element.
-func (g *GT) ToBytes(e *E) []byte {
- return g.fp12.toBytes(e)
-}
-
-// IsValid checks whether given target group element is in correct subgroup.
-func (g *GT) IsValid(e *E) bool {
- r := g.New()
- g.fp12.exp(r, e, qBig)
- return r.isOne()
-}
-
-// New initializes a new target group element which is equal to one
-func (g *GT) New() *E {
- return new(E).One()
-}
-
-// Add adds two field element `a` and `b` and assigns the result to the element in first argument.
-func (g *GT) Add(c, a, b *E) {
- fp12Add(c, a, b)
-}
-
-// Sub subtracts two field element `a` and `b`, and assigns the result to the element in first argument.
-func (g *GT) Sub(c, a, b *E) {
- fp12Sub(c, a, b)
-}
-
-// Mul multiplies two field element `a` and `b` and assigns the result to the element in first argument.
-func (g *GT) Mul(c, a, b *E) {
- g.fp12.mul(c, a, b)
-}
-
-// Square squares an element `a` and assigns the result to the element in first argument.
-func (g *GT) Square(c, a *E) {
- c.set(a)
- g.fp12.cyclotomicSquare(c)
-}
-
-// Exp exponents an element `a` by a scalar `s` and assigns the result to the element in first argument.
-func (g *GT) Exp(c, a *E, s *big.Int) {
- g.fp12.cyclotomicExp(c, a, s)
-}
-
-// Inverse inverses an element `a` and assigns the result to the element in first argument.
-func (g *GT) Inverse(c, a *E) {
- g.fp12.inverse(c, a)
-}
diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/hash_to_field.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/hash_to_field.go
deleted file mode 100644
index 9e4400769..000000000
--- a/component/kmscrypto/internal/third_party/kilic/bls12-381/hash_to_field.go
+++ /dev/null
@@ -1,70 +0,0 @@ -package bls12381 - -import ( - "crypto/sha256" - "errors" -) - -func hashToFpXMDSHA256(msg []byte, domain []byte, count int) ([]*fe, error) { - randBytes, err := expandMsgSHA256XMD(msg, domain, count*64) - if err != nil { - return nil, err - } - els := make([]*fe, count) - for i := 0; i < count; i++ { - els[i], err = from64Bytes(randBytes[i*64 : (i+1)*64]) - if err != nil { - return nil, err - } - } - return els, nil -} - -func expandMsgSHA256XMD(msg []byte, domain []byte, outLen int) ([]byte, error) { - h := sha256.New() - domainLen := uint8(len(domain)) - if domainLen > 255 { - return nil, errors.New("invalid domain length") - } - // DST_prime = DST || I2OSP(len(DST), 1) - // b_0 = H(Z_pad || msg || l_i_b_str || I2OSP(0, 1) || DST_prime) - _, _ = h.Write(make([]byte, h.BlockSize())) - _, _ = h.Write(msg) - _, _ = h.Write([]byte{uint8(outLen >> 8), uint8(outLen)}) - _, _ = h.Write([]byte{0}) - _, _ = h.Write(domain) - _, _ = h.Write([]byte{domainLen}) - b0 := h.Sum(nil) - - // b_1 = H(b_0 || I2OSP(1, 1) || DST_prime) - h.Reset() - _, _ = h.Write(b0) - _, _ = h.Write([]byte{1}) - _, _ = h.Write(domain) - _, _ = h.Write([]byte{domainLen}) - b1 := h.Sum(nil) - - // b_i = H(strxor(b_0, b_(i - 1)) || I2OSP(i, 1) || DST_prime) - ell := (outLen + h.Size() - 1) / h.Size() - bi := b1 - out := make([]byte, outLen) - for i := 1; i < ell; i++ { - h.Reset() - // b_i = H(strxor(b_0, b_(i - 1)) || I2OSP(i, 1) || DST_prime) - tmp := make([]byte, h.Size()) - for j := 0; j < h.Size(); j++ { - tmp[j] = b0[j] ^ bi[j] - } - _, _ = h.Write(tmp) - _, _ = h.Write([]byte{1 + uint8(i)}) - _, _ = h.Write(domain) - _, _ = h.Write([]byte{domainLen}) - - // b_1 || ... || b_(ell - 1) - copy(out[(i-1)*h.Size():i*h.Size()], bi[:]) - bi = h.Sum(nil) - } - // b_ell - copy(out[(ell-1)*h.Size():], bi[:]) - return out[:outLen], nil -} 
diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/hash_to_field_custom.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/hash_to_field_custom.go
deleted file mode 100644
index 70081373c..000000000
--- a/component/kmscrypto/internal/third_party/kilic/bls12-381/hash_to_field_custom.go
+++ /dev/null
@@ -1,86 +0,0 @@ -/* -SPDX-License-Identifier: Apache-2.0 -(https://github.com/kilic/bls12-381/blob/master/LICENSE) - -Taken from https://github.com/kilic/bls12-381/blob/master/hash_to_field.go -(rev a288617c07f1bd60613c43dbde211b4a911e4791) - -Changes: -1) pass hash function as input for hashToFpXMD() - i.e. don't stick on SHA-256 only. -*/ - -package bls12381 - -import ( - "errors" - "hash" -) - -func hashToFpXMD(f func() hash.Hash, msg []byte, domain []byte, count int) ([]*fe, error) { - randBytes, err := expandMsgXMD(f, msg, domain, count*64) - if err != nil { - return nil, err - } - - els := make([]*fe, count) - for i := 0; i < count; i++ { - var err error - - els[i], err = from64Bytes(randBytes[i*64 : (i+1)*64]) - if err != nil { - return nil, err - } - } - return els, nil -} - -func expandMsgXMD(f func() hash.Hash, msg []byte, domain []byte, outLen int) ([]byte, error) { - h := f() - domainLen := uint8(len(domain)) - if domainLen > 255 { - return nil, errors.New("invalid domain length") - } - - // DST_prime = DST || I2OSP(len(DST), 1) - // b_0 = H(Z_pad || msg || l_i_b_str || I2OSP(0, 1) || DST_prime) - _, _ = h.Write(make([]byte, h.BlockSize())) - _, _ = h.Write(msg) - _, _ = h.Write([]byte{uint8(outLen >> 8), uint8(outLen)}) - _, _ = h.Write([]byte{0}) - _, _ = h.Write(domain) - _, _ = h.Write([]byte{domainLen}) - b0 := h.Sum(nil) - - // b_1 = H(b_0 || I2OSP(1, 1) || DST_prime) - h.Reset() - _, _ = h.Write(b0) - _, _ = h.Write([]byte{1}) - _, _ = h.Write(domain) - _, _ = h.Write([]byte{domainLen}) - b1 := h.Sum(nil) - - // b_i = H(strxor(b_0, b_(i - 1)) || I2OSP(i, 1) || DST_prime) - ell := (outLen + h.Size() - 1) / h.Size() - bi := b1 - out := make([]byte, outLen) - for i := 1; i < ell; i++ { - h.Reset() - // b_i = H(strxor(b_0, b_(i - 1)) || I2OSP(i, 1) || DST_prime) - tmp := make([]byte, h.Size()) - for j := 0; j < h.Size(); j++ { - tmp[j] = b0[j] ^ bi[j] - } - _, _ = h.Write(tmp) - _, _ = h.Write([]byte{1 + uint8(i)}) - _, _ = h.Write(domain) - _, _ = 
h.Write([]byte{domainLen}) - - // b_1 || ... || b_(ell - 1) - copy(out[(i-1)*h.Size():i*h.Size()], bi[:]) - bi = h.Sum(nil) - } - // b_ell - copy(out[(ell-1)*h.Size():], bi[:]) - - return out[:outLen], nil -} diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/isogeny.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/isogeny.go deleted file mode 100644 index 6a99e44c0..000000000 --- a/component/kmscrypto/internal/third_party/kilic/bls12-381/isogeny.go +++ /dev/null 
@@ -1,211 +0,0 @@ -package bls12381 - -// isogenyMapG1 applies 11-isogeny map for BLS12-381 G1 defined at draft-irtf-cfrg-hash-to-curve-06. -func isogenyMapG1(x, y *fe) { - // https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#appendix-C.2 - params := isogenyConstansG1 - degree := 15 - xNum, xDen, yNum, yDen := new(fe), new(fe), new(fe), new(fe) - xNum.set(params[0][degree]) - xDen.set(params[1][degree]) - yNum.set(params[2][degree]) - yDen.set(params[3][degree]) - for i := degree - 1; i >= 0; i-- { - mul(xNum, xNum, x) - mul(xDen, xDen, x) - mul(yNum, yNum, x) - mul(yDen, yDen, x) - add(xNum, xNum, params[0][i]) - add(xDen, xDen, params[1][i]) - add(yNum, yNum, params[2][i]) - add(yDen, yDen, params[3][i]) - } - inverse(xDen, xDen) - inverse(yDen, yDen) - mul(xNum, xNum, xDen) - mul(yNum, yNum, yDen) - mul(yNum, yNum, y) - x.set(xNum) - y.set(yNum) -} - -// isogenyMapG2 applies 11-isogeny map for BLS12-381 G1 defined at draft-irtf-cfrg-hash-to-curve-06. -func isogenyMapG2(e *fp2, x, y *fe2) { - if e == nil { - e = newFp2() - } - // https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#appendix-C.2 - params := isogenyConstantsG2 - degree := 3 - xNum := new(fe2).set(params[0][degree]) - xDen := new(fe2).set(params[1][degree]) - yNum := new(fe2).set(params[2][degree]) - yDen := new(fe2).set(params[3][degree]) - for i := degree - 1; i >= 0; i-- { - e.mul(xNum, xNum, x) - e.mul(xDen, xDen, x) - e.mul(yNum, yNum, x) - e.mul(yDen, yDen, x) - fp2Add(xNum, xNum, params[0][i]) - fp2Add(xDen, xDen, params[1][i]) - fp2Add(yNum, yNum, params[2][i]) - fp2Add(yDen, yDen, params[3][i]) - } - e.inverse(xDen, xDen) - e.inverse(yDen, yDen) - e.mul(xNum, xNum, xDen) - e.mul(yNum, yNum, yDen) - e.mul(yNum, yNum, y) - x.set(xNum) - y.set(yNum) -} - -var isogenyConstansG1 = [4][16]*fe{ - [16]*fe{ - &fe{0x4d18b6f3af00131c, 0x19fa219793fee28c, 0x3f2885f1467f19ae, 0x23dcea34f2ffb304, 0xd15b58d2ffc00054, 0x0913be200a20bef4}, - &fe{0x898985385cdbbd8b, 0x3c79e43cc7d966aa, 
0x1597e193f4cd233a, 0x8637ef1e4d6623ad, 0x11b22deed20d827b, 0x07097bc5998784ad}, - &fe{0xa542583a480b664b, 0xfc7169c026e568c6, 0x5ba2ef314ed8b5a6, 0x5b5491c05102f0e7, 0xdf6e99707d2a0079, 0x0784151ed7605524}, - &fe{0x494e212870f72741, 0xab9be52fbda43021, 0x26f5577994e34c3d, 0x049dfee82aefbd60, 0x65dadd7828505289, 0x0e93d431ea011aeb}, - &fe{0x90ee774bd6a74d45, 0x7ada1c8a41bfb185, 0x0f1a8953b325f464, 0x104c24211be4805c, 0x169139d319ea7a8f, 0x09f20ead8e532bf6}, - &fe{0x6ddd93e2f43626b7, 0xa5482c9aa1ccd7bd, 0x143245631883f4bd, 0x2e0a94ccf77ec0db, 0xb0282d480e56489f, 0x18f4bfcbb4368929}, - &fe{0x23c5f0c953402dfd, 0x7a43ff6958ce4fe9, 0x2c390d3d2da5df63, 0xd0df5c98e1f9d70f, 0xffd89869a572b297, 0x1277ffc72f25e8fe}, - &fe{0x79f4f0490f06a8a6, 0x85f894a88030fd81, 0x12da3054b18b6410, 0xe2a57f6505880d65, 0xbba074f260e400f1, 0x08b76279f621d028}, - &fe{0xe67245ba78d5b00b, 0x8456ba9a1f186475, 0x7888bff6e6b33bb4, 0xe21585b9a30f86cb, 0x05a69cdcef55feee, 0x09e699dd9adfa5ac}, - &fe{0x0de5c357bff57107, 0x0a0db4ae6b1a10b2, 0xe256bb67b3b3cd8d, 0x8ad456574e9db24f, 0x0443915f50fd4179, 0x098c4bf7de8b6375}, - &fe{0xe6b0617e7dd929c7, 0xfe6e37d442537375, 0x1dafdeda137a489e, 0xe4efd1ad3f767ceb, 0x4a51d8667f0fe1cf, 0x054fdf4bbf1d821c}, - &fe{0x72db2a50658d767b, 0x8abf91faa257b3d5, 0xe969d6833764ab47, 0x464170142a1009eb, 0xb14f01aadb30be2f, 0x18ae6a856f40715d}, - &fe{0, 0, 0, 0, 0, 0}, - &fe{0, 0, 0, 0, 0, 0}, - &fe{0, 0, 0, 0, 0, 0}, - &fe{0, 0, 0, 0, 0, 0}, - }, - [16]*fe{ - &fe{0xb962a077fdb0f945, 0xa6a9740fefda13a0, 0xc14d568c3ed6c544, 0xb43fc37b908b133e, 0x9c0b3ac929599016, 0x0165aa6c93ad115f}, - &fe{0x23279a3ba506c1d9, 0x92cfca0a9465176a, 0x3b294ab13755f0ff, 0x116dda1c5070ae93, 0xed4530924cec2045, 0x083383d6ed81f1ce}, - &fe{0x9885c2a6449fecfc, 0x4a2b54ccd37733f0, 0x17da9ffd8738c142, 0xa0fba72732b3fafd, 0xff364f36e54b6812, 0x0f29c13c660523e2}, - &fe{0xe349cc118278f041, 0xd487228f2f3204fb, 0xc9d325849ade5150, 0x43a92bd69c15c2df, 0x1c2c7844bc417be4, 0x12025184f407440c}, - 
&fe{0x587f65ae6acb057b, 0x1444ef325140201f, 0xfbf995e71270da49, 0xccda066072436a42, 0x7408904f0f186bb2, 0x13b93c63edf6c015}, - &fe{0xfb918622cd141920, 0x4a4c64423ecaddb4, 0x0beb232927f7fb26, 0x30f94df6f83a3dc2, 0xaeedd424d780f388, 0x06cc402dd594bbeb}, - &fe{0xd41f761151b23f8f, 0x32a92465435719b3, 0x64f436e888c62cb9, 0xdf70a9a1f757c6e4, 0x6933a38d5b594c81, 0x0c6f7f7237b46606}, - &fe{0x693c08747876c8f7, 0x22c9850bf9cf80f0, 0x8e9071dab950c124, 0x89bc62d61c7baf23, 0xbc6be2d8dad57c23, 0x17916987aa14a122}, - &fe{0x1be3ff439c1316fd, 0x9965243a7571dfa7, 0xc7f7f62962f5cd81, 0x32c6aa9af394361c, 0xbbc2ee18e1c227f4, 0x0c102cbac531bb34}, - &fe{0x997614c97bacbf07, 0x61f86372b99192c0, 0x5b8c95fc14353fc3, 0xca2b066c2a87492f, 0x16178f5bbf698711, 0x12a6dcd7f0f4e0e8}, - &fe{0x760900000002fffd, 0xebf4000bc40c0002, 0x5f48985753c758ba, 0x77ce585370525745, 0x5c071a97a256ec6d, 0x15f65ec3fa80e493}, - &fe{0, 0, 0, 0, 0, 0}, - &fe{0, 0, 0, 0, 0, 0}, - &fe{0, 0, 0, 0, 0, 0}, - &fe{0, 0, 0, 0, 0, 0}, - &fe{0, 0, 0, 0, 0, 0}, - }, - [16]*fe{ - &fe{0x2b567ff3e2837267, 0x1d4d9e57b958a767, 0xce028fea04bd7373, 0xcc31a30a0b6cd3df, 0x7d7b18a682692693, 0x0d300744d42a0310}, - &fe{0x99c2555fa542493f, 0xfe7f53cc4874f878, 0x5df0608b8f97608a, 0x14e03832052b49c8, 0x706326a6957dd5a4, 0x0a8dadd9c2414555}, - &fe{0x13d942922a5cf63a, 0x357e33e36e261e7d, 0xcf05a27c8456088d, 0x0000bd1de7ba50f0, 0x83d0c7532f8c1fde, 0x13f70bf38bbf2905}, - &fe{0x5c57fd95bfafbdbb, 0x28a359a65e541707, 0x3983ceb4f6360b6d, 0xafe19ff6f97e6d53, 0xb3468f4550192bf7, 0x0bb6cde49d8ba257}, - &fe{0x590b62c7ff8a513f, 0x314b4ce372cacefd, 0x6bef32ce94b8a800, 0x6ddf84a095713d5f, 0x64eace4cb0982191, 0x0386213c651b888d}, - &fe{0xa5310a31111bbcdd, 0xa14ac0f5da148982, 0xf9ad9cc95423d2e9, 0xaa6ec095283ee4a7, 0xcf5b1f022e1c9107, 0x01fddf5aed881793}, - &fe{0x65a572b0d7a7d950, 0xe25c2d8183473a19, 0xc2fcebe7cb877dbd, 0x05b2d36c769a89b0, 0xba12961be86e9efb, 0x07eb1b29c1dfde1f}, - &fe{0x93e09572f7c4cd24, 0x364e929076795091, 0x8569467e68af51b5, 
0xa47da89439f5340f, 0xf4fa918082e44d64, 0x0ad52ba3e6695a79}, - &fe{0x911429844e0d5f54, 0xd03f51a3516bb233, 0x3d587e5640536e66, 0xfa86d2a3a9a73482, 0xa90ed5adf1ed5537, 0x149c9c326a5e7393}, - &fe{0x462bbeb03c12921a, 0xdc9af5fa0a274a17, 0x9a558ebde836ebed, 0x649ef8f11a4fae46, 0x8100e1652b3cdc62, 0x1862bd62c291dacb}, - &fe{0x05c9b8ca89f12c26, 0x0194160fa9b9ac4f, 0x6a643d5a6879fa2c, 0x14665bdd8846e19d, 0xbb1d0d53af3ff6bf, 0x12c7e1c3b28962e5}, - &fe{0xb55ebf900b8a3e17, 0xfedc77ec1a9201c4, 0x1f07db10ea1a4df4, 0x0dfbd15dc41a594d, 0x389547f2334a5391, 0x02419f98165871a4}, - &fe{0xb416af000745fc20, 0x8e563e9d1ea6d0f5, 0x7c763e17763a0652, 0x01458ef0159ebbef, 0x8346fe421f96bb13, 0x0d2d7b829ce324d2}, - &fe{0x93096bb538d64615, 0x6f2a2619951d823a, 0x8f66b3ea59514fa4, 0xf563e63704f7092f, 0x724b136c4cf2d9fa, 0x046959cfcfd0bf49}, - &fe{0xea748d4b6e405346, 0x91e9079c2c02d58f, 0x41064965946d9b59, 0xa06731f1d2bbe1ee, 0x07f897e267a33f1b, 0x1017290919210e5f}, - &fe{0x872aa6c17d985097, 0xeecc53161264562a, 0x07afe37afff55002, 0x54759078e5be6838, 0xc4b92d15db8acca8, 0x106d87d1b51d13b9}, - }, - [16]*fe{ - &fe{0xeb6c359d47e52b1c, 0x18ef5f8a10634d60, 0xddfa71a0889d5b7e, 0x723e71dcc5fc1323, 0x52f45700b70d5c69, 0x0a8b981ee47691f1}, - &fe{0x616a3c4f5535b9fb, 0x6f5f037395dbd911, 0xf25f4cc5e35c65da, 0x3e50dffea3c62658, 0x6a33dca523560776, 0x0fadeff77b6bfe3e}, - &fe{0x2be9b66df470059c, 0x24a2c159a3d36742, 0x115dbe7ad10c2a37, 0xb6634a652ee5884d, 0x04fe8bb2b8d81af4, 0x01c2a7a256fe9c41}, - &fe{0xf27bf8ef3b75a386, 0x898b367476c9073f, 0x24482e6b8c2f4e5f, 0xc8e0bbd6fe110806, 0x59b0c17f7631448a, 0x11037cd58b3dbfbd}, - &fe{0x31c7912ea267eec6, 0x1dbf6f1c5fcdb700, 0xd30d4fe3ba86fdb1, 0x3cae528fbee9a2a4, 0xb1cce69b6aa9ad9a, 0x044393bb632d94fb}, - &fe{0xc66ef6efeeb5c7e8, 0x9824c289dd72bb55, 0x71b1a4d2f119981d, 0x104fc1aafb0919cc, 0x0e49df01d942a628, 0x096c3a09773272d4}, - &fe{0x9abc11eb5fadeff4, 0x32dca50a885728f0, 0xfb1fa3721569734c, 0xc4b76271ea6506b3, 0xd466a75599ce728e, 0x0c81d4645f4cb6ed}, - 
&fe{0x4199f10e5b8be45b, 0xda64e495b1e87930, 0xcb353efe9b33e4ff, 0x9e9efb24aa6424c6, 0xf08d33680a237465, 0x0d3378023e4c7406}, - &fe{0x7eb4ae92ec74d3a5, 0xc341b4aa9fac3497, 0x5be603899e907687, 0x03bfd9cca75cbdeb, 0x564c2935a96bfa93, 0x0ef3c33371e2fdb5}, - &fe{0x7ee91fd449f6ac2e, 0xe5d5bd5cb9357a30, 0x773a8ca5196b1380, 0xd0fda172174ed023, 0x6cb95e0fa776aead, 0x0d22d5a40cec7cff}, - &fe{0xf727e09285fd8519, 0xdc9d55a83017897b, 0x7549d8bd057894ae, 0x178419613d90d8f8, 0xfce95ebdeb5b490a, 0x0467ffaef23fc49e}, - &fe{0xc1769e6a7c385f1b, 0x79bc930deac01c03, 0x5461c75a23ede3b5, 0x6e20829e5c230c45, 0x828e0f1e772a53cd, 0x116aefa749127bff}, - &fe{0x101c10bf2744c10a, 0xbbf18d053a6a3154, 0xa0ecf39ef026f602, 0xfc009d4996dc5153, 0xb9000209d5bd08d3, 0x189e5fe4470cd73c}, - &fe{0x7ebd546ca1575ed2, 0xe47d5a981d081b55, 0x57b2b625b6d4ca21, 0xb0a1ba04228520cc, 0x98738983c2107ff3, 0x13dddbc4799d81d6}, - &fe{0x09319f2e39834935, 0x039e952cbdb05c21, 0x55ba77a9a2f76493, 0xfd04e3dfc6086467, 0xfb95832e7d78742e, 0x0ef9c24eccaf5e0e}, - &fe{0x760900000002fffd, 0xebf4000bc40c0002, 0x5f48985753c758ba, 0x77ce585370525745, 0x5c071a97a256ec6d, 0x15f65ec3fa80e493}, - }, -} - -var isogenyConstantsG2 = [4][4]*fe2{ - [4]*fe2{ - &fe2{ - fe{0x47f671c71ce05e62, 0x06dd57071206393e, 0x7c80cd2af3fd71a2, 0x048103ea9e6cd062, 0xc54516acc8d037f6, 0x13808f550920ea41}, - fe{0x47f671c71ce05e62, 0x06dd57071206393e, 0x7c80cd2af3fd71a2, 0x048103ea9e6cd062, 0xc54516acc8d037f6, 0x13808f550920ea41}, - }, - &fe2{ - fe{0, 0, 0, 0, 0, 0}, - fe{0x5fe55555554c71d0, 0x873fffdd236aaaa3, 0x6a6b4619b26ef918, 0x21c2888408874945, 0x2836cda7028cabc5, 0x0ac73310a7fd5abd}, - }, - &fe2{ - fe{0x0a0c5555555971c3, 0xdb0c00101f9eaaae, 0xb1fb2f941d797997, 0xd3960742ef416e1c, 0xb70040e2c20556f4, 0x149d7861e581393b}, - fe{0xaff2aaaaaaa638e8, 0x439fffee91b55551, 0xb535a30cd9377c8c, 0x90e144420443a4a2, 0x941b66d3814655e2, 0x0563998853fead5e}, - }, - &fe2{ - fe{0x40aac71c71c725ed, 0x190955557a84e38e, 0xd817050a8f41abc3, 0xd86485d4c87f6fb1, 
0x696eb479f885d059, 0x198e1a74328002d2}, - fe{0, 0, 0, 0, 0, 0}, - }, - }, - [4]*fe2{ - &fe2{ - fe{0, 0, 0, 0, 0, 0}, - fe{0x1f3affffff13ab97, 0xf25bfc611da3ff3e, 0xca3757cb3819b208, 0x3e6427366f8cec18, 0x03977bc86095b089, 0x04f69db13f39a952}, - }, - &fe2{ - fe{0x447600000027552e, 0xdcb8009a43480020, 0x6f7ee9ce4a6e8b59, 0xb10330b7c0a95bc6, 0x6140b1fcfb1e54b7, 0x0381be097f0bb4e1}, - fe{0x7588ffffffd8557d, 0x41f3ff646e0bffdf, 0xf7b1e8d2ac426aca, 0xb3741acd32dbb6f8, 0xe9daf5b9482d581f, 0x167f53e0ba7431b8}, - }, - &fe2{ - fe{0x760900000002fffd, 0xebf4000bc40c0002, 0x5f48985753c758ba, 0x77ce585370525745, 0x5c071a97a256ec6d, 0x15f65ec3fa80e493}, - fe{0, 0, 0, 0, 0, 0}, - }, - &fe2{ - fe{0, 0, 0, 0, 0, 0}, - fe{0, 0, 0, 0, 0, 0}, - }, - }, - [4]*fe2{ - &fe2{ - fe{0x96d8f684bdfc77be, 0xb530e4f43b66d0e2, 0x184a88ff379652fd, 0x57cb23ecfae804e1, 0x0fd2e39eada3eba9, 0x08c8055e31c5d5c3}, - fe{0x96d8f684bdfc77be, 0xb530e4f43b66d0e2, 0x184a88ff379652fd, 0x57cb23ecfae804e1, 0x0fd2e39eada3eba9, 0x08c8055e31c5d5c3}, - }, - &fe2{ - fe{0, 0, 0, 0, 0, 0}, - fe{0xbf0a71c71c91b406, 0x4d6d55d28b7638fd, 0x9d82f98e5f205aee, 0xa27aa27b1d1a18d5, 0x02c3b2b2d2938e86, 0x0c7d13420b09807f}, - }, - &fe2{ - fe{0xd7f9555555531c74, 0x21cffff748daaaa8, 0x5a9ad1866c9bbe46, 0x4870a2210221d251, 0x4a0db369c0a32af1, 0x02b1ccc429ff56af}, - fe{0xe205aaaaaaac8e37, 0xfcdc000768795556, 0x0c96011a8a1537dd, 0x1c06a963f163406e, 0x010df44c82a881e6, 0x174f45260f808feb}, - }, - &fe2{ - fe{0xa470bda12f67f35c, 0xc0fe38e23327b425, 0xc9d3d0f2c6f0678d, 0x1c55c9935b5a982e, 0x27f6c0e2f0746764, 0x117c5e6e28aa9054}, - fe{0, 0, 0, 0, 0, 0}, - }, - }, - [4]*fe2{ - &fe2{ - fe{0x0162fffffa765adf, 0x8f7bea480083fb75, 0x561b3c2259e93611, 0x11e19fc1a9c875d5, 0xca713efc00367660, 0x03c6a03d41da1151}, - fe{0x0162fffffa765adf, 0x8f7bea480083fb75, 0x561b3c2259e93611, 0x11e19fc1a9c875d5, 0xca713efc00367660, 0x03c6a03d41da1151}, - }, - &fe2{ - fe{0, 0, 0, 0, 0, 0}, - fe{0x5db0fffffd3b02c5, 0xd713f52358ebfdba, 0x5ea60761a84d161a, 
0xbb2c75a34ea6c44a, 0x0ac6735921c1119b, 0x0ee3d913bdacfbf6}, - }, - &fe2{ - fe{0x66b10000003affc5, 0xcb1400e764ec0030, 0xa73e5eb56fa5d106, 0x8984c913a0fe09a9, 0x11e10afb78ad7f13, 0x05429d0e3e918f52}, - fe{0x534dffffffc4aae6, 0x5397ff174c67ffcf, 0xbff273eb870b251d, 0xdaf2827152870915, 0x393a9cbaca9e2dc3, 0x14be74dbfaee5748}, - }, - &fe2{ - fe{0x760900000002fffd, 0xebf4000bc40c0002, 0x5f48985753c758ba, 0x77ce585370525745, 0x5c071a97a256ec6d, 0x15f65ec3fa80e493}, - fe{0, 0, 0, 0, 0, 0}, - }, - }, -} diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/pairing.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/pairing.go deleted file mode 100644 index abdc0a879..000000000 --- a/component/kmscrypto/internal/third_party/kilic/bls12-381/pairing.go +++ /dev/null 
@@ -1,344 +0,0 @@
-package bls12381
-
-type pair struct {
- g1 *PointG1
- g2 *PointG2
-}
-
-func newPair(g1 *PointG1, g2 *PointG2) pair {
- return pair{g1, g2}
-}
-
-// Engine is BLS12-381 elliptic curve pairing engine
-type Engine struct {
- G1 *G1
- G2 *G2
- fp12 *fp12
- fp2 *fp2
- pairingEngineTemp
- pairs []pair
-}
-
-// NewEngine creates new pairing engine insteace.
-func NewEngine() *Engine {
- fp2 := newFp2()
- fp6 := newFp6(fp2)
- fp12 := newFp12(fp6)
- g1 := NewG1()
- g2 := newG2(fp2)
- return &Engine{
- fp2: fp2,
- fp12: fp12,
- G1: g1,
- G2: g2,
- pairingEngineTemp: newEngineTemp(),
- }
-}
-
-type pairingEngineTemp struct {
- t2 [9]*fe2
- t12 [3]fe12
-}
-
-func newEngineTemp() pairingEngineTemp {
- t2 := [9]*fe2{}
- for i := 0; i < len(t2); i++ {
- t2[i] = &fe2{}
- }
- t12 := [3]fe12{}
- return pairingEngineTemp{t2, t12}
-}
-
-// AddPair adds a g1, g2 point pair to pairing engine
-func (e *Engine) AddPair(g1 *PointG1, g2 *PointG2) *Engine {
- p := newPair(g1, g2)
- if !(e.G1.IsZero(p.g1) || e.G2.IsZero(p.g2)) {
- e.G1.Affine(p.g1)
- e.G2.Affine(p.g2)
- e.pairs = append(e.pairs, p)
- }
- return e
-}
-
-// AddPairInv adds a G1, G2 point pair to pairing engine. G1 point is negated.
-func (e *Engine) AddPairInv(g1 *PointG1, g2 *PointG2) *Engine {
- ng1 := e.G1.New().Set(g1)
- e.G1.Neg(ng1, g1)
- e.AddPair(ng1, g2)
- return e
-}
-
-// Reset deletes added pairs.
-func (e *Engine) Reset() *Engine {
- e.pairs = []pair{}
- return e
-}
-
-func (e *Engine) double(f *fe12, r *PointG2, k int) {
- fp2, t := e.fp2, e.t2
-
- fp2.mul(t[0], &r[0], &r[1])
- fp2.mul0(t[0], t[0], twoInv)
- fp2.square(t[1], &r[1])
- fp2.square(t[2], &r[2])
- fp2Double(t[7], t[2])
- fp2AddAssign(t[7], t[2])
- fp2.mulByB(t[3], t[7])
- fp2Double(t[4], t[3])
- fp2AddAssign(t[4], t[3])
- fp2Add(t[5], t[1], t[4])
- fp2.mul0(t[5], t[5], twoInv)
- fp2Add(t[6], &r[1], &r[2])
- fp2.squareAssign(t[6])
- fp2Add(t[7], t[2], t[1])
- fp2SubAssign(t[6], t[7])
-
- fp2Sub(t[8], t[3], t[1])
-
- fp2.square(t[7], &r[0])
- fp2Sub(t[4], t[1], t[4])
- fp2.mul(&r[0], t[4], t[0])
- fp2.square(t[2], t[3])
- fp2Double(t[3], t[2])
- fp2AddAssign(t[3], t[2])
- fp2.squareAssign(t[5])
- fp2Sub(&r[1], t[5], t[3])
- fp2.mul(&r[2], t[1], t[6])
- fp2Double(t[0], t[7])
-
- fp2AddAssign(t[0], t[7])
- fp2Neg(t[6], t[6])
-
- // line eval
- e.fp2.mul0Assign(t[6], &e.pairs[k].g1[1])
- e.fp2.mul0Assign(t[0], &e.pairs[k].g1[0])
- e.fp12.mul014(f, t[8], t[0], t[6])
-
-}
-
-func (e *Engine) add(f *fe12, r *PointG2, k int) {
- fp2, t := e.fp2, e.t2
-
- fp2.mul(t[0], &e.pairs[k].g2[1], &r[2])
- fp2Neg(t[0], t[0])
- fp2AddAssign(t[0], &r[1])
- fp2.mul(t[1], &e.pairs[k].g2[0], &r[2])
- fp2Neg(t[1], t[1])
- fp2AddAssign(t[1], &r[0])
- fp2.square(t[2], t[0])
- fp2.square(t[3], t[1])
- fp2.mul(t[4], t[1], t[3])
- fp2.mul(t[2], &r[2], t[2])
- fp2.mulAssign(t[3], &r[0])
- fp2Double(t[5], t[3])
- fp2Sub(t[5], t[4], t[5])
- fp2AddAssign(t[5], t[2])
- fp2.mul(&r[0], t[1], t[5])
- fp2SubAssign(t[3], t[5])
- fp2.mulAssign(t[3], t[0])
- fp2.mul(t[2], &r[1], t[4])
- fp2Sub(&r[1], t[3], t[2])
- fp2.mulAssign(&r[2], t[4])
- fp2.mul(t[2], t[1], &e.pairs[k].g2[1])
- fp2.mul(t[3], t[0], &e.pairs[k].g2[0])
-
- fp2SubAssign(t[3], t[2])
- fp2Neg(t[0], t[0])
-
- // line eval
- e.fp2.mul0Assign(t[1], &e.pairs[k].g1[1])
- e.fp2.mul0Assign(t[0], &e.pairs[k].g1[0])
- e.fp12.mul014(f, t[3], t[0], t[1])
-}
-
-func (e *Engine) 
nDoubleAdd(f *fe12, r []PointG2, n int) { - for i := 0; i < n; i++ { - e.fp12.squareAssign(f) - for j := 0; j < len(e.pairs); j++ { - e.double(f, &r[j], j) - } - } - for j := 0; j < len(e.pairs); j++ { - e.add(f, &r[j], j) - } -} - -func (e *Engine) nDouble(f *fe12, r []PointG2, n int) { - for i := 0; i < n; i++ { - e.fp12.squareAssign(f) - for j := 0; j < len(e.pairs); j++ { - e.double(f, &r[j], j) - } - } -} - -func (e *Engine) millerLoop(f *fe12) { - f.one() - - r := make([]PointG2, len(e.pairs)) - for i := 0; i < len(e.pairs); i++ { - r[i].Set(e.pairs[i].g2) - } - - for j := 0; j < len(e.pairs); j++ { - e.double(f, &r[j], j) - } - for j := 0; j < len(e.pairs); j++ { - e.add(f, &r[j], j) - } - - e.nDoubleAdd(f, r, 2) - e.nDoubleAdd(f, r, 3) - e.nDoubleAdd(f, r, 9) - e.nDoubleAdd(f, r, 32) - e.nDouble(f, r, 16) - - fp12Conjugate(f, f) -} - -// exp raises element by x = -15132376222941642752 -func (e *Engine) exp(c, a *fe12) { - c.set(a) - e.fp12.cyclotomicSquare(c) // (a ^ 2) - - // (a ^ (2 + 1)) ^ (2 ^ 2) = a ^ 12 - e.fp12.mulAssign(c, a) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - - // (a ^ (12 + 1)) ^ (2 ^ 3) = a ^ 104 - e.fp12.mulAssign(c, a) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - - // (a ^ (104 + 1)) ^ (2 ^ 9) = a ^ 53760 - e.fp12.mulAssign(c, a) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - // (a ^ (53760 + 1)) ^ (2 ^ 32) = a ^ 230901736800256 - e.fp12.mulAssign(c, a) - for i := 0; i < 32; i++ { - e.fp12.cyclotomicSquare(c) - } - - // (a ^ (230901736800256 + 1)) ^ (2 ^ 16) = a ^ 15132376222941642752 - e.fp12.mulAssign(c, a) - for i := 0; i < 16; i++ { - e.fp12.cyclotomicSquare(c) - } - // invert chain result since x is negative - fp12Conjugate(c, c) -} - -// expDrop raises 
element by x = -15132376222941642752 / 2 -func (e *Engine) expDrop(c, a *fe12) { - c.set(a) - e.fp12.cyclotomicSquare(c) // (a ^ 2) - - // (a ^ (2 + 1)) ^ (2 ^ 2) = a ^ 12 - e.fp12.mulAssign(c, a) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - - // (a ^ (12 + 1)) ^ (2 ^ 3) = a ^ 104 - e.fp12.mulAssign(c, a) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - - // (a ^ (104 + 1)) ^ (2 ^ 9) = a ^ 53760 - e.fp12.mulAssign(c, a) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - e.fp12.cyclotomicSquare(c) - // (a ^ (53760 + 1)) ^ (2 ^ 32) = a ^ 230901736800256 - e.fp12.mulAssign(c, a) - for i := 0; i < 32; i++ { - e.fp12.cyclotomicSquare(c) - } - - // (a ^ (230901736800256 + 1)) ^ (2 ^ 16) = a ^ 15132376222941642752 - e.fp12.mulAssign(c, a) - for i := 0; i < 15; i++ { - e.fp12.cyclotomicSquare(c) - } - // invert chain result since x is negative - fp12Conjugate(c, c) -} - -func (e *Engine) finalExp(f *fe12) { - t := e.t12 - // Efficient Final Exponentiation via Cyclotomic Structure for Pairings over Families of Elliptic Curves - // https: //eprint.iacr.org/2020/875.pdf - - // easy part - fp12Conjugate(&t[0], f) - e.fp12.inverse(f, f) - e.fp12.mulAssign(&t[0], f) - f.set(&t[0]) - e.fp12.frobeniusMap2(f) - e.fp12.mulAssign(f, &t[0]) - - // hard part - t[0].set(f) - e.fp12.cyclotomicSquare(&t[0]) - e.expDrop(&t[1], &t[0]) - fp12Conjugate(&t[2], f) - e.fp12.mulAssign(&t[1], &t[2]) - e.exp(&t[2], &t[1]) - fp12Conjugate(&t[1], &t[1]) - e.fp12.mulAssign(&t[1], &t[2]) - e.exp(&t[2], &t[1]) - e.fp12.frobeniusMap1(&t[1]) - e.fp12.mulAssign(&t[1], &t[2]) - e.fp12.mulAssign(f, &t[0]) - e.exp(&t[0], &t[1]) - e.exp(&t[2], &t[0]) - t[0].set(&t[1]) - e.fp12.frobeniusMap2(&t[0]) - fp12Conjugate(&t[1], &t[1]) - e.fp12.mulAssign(&t[1], &t[2]) - 
e.fp12.mulAssign(&t[1], &t[0]) - e.fp12.mulAssign(f, &t[1]) -} - -func (e *Engine) calculate() *fe12 { - f := e.fp12.one() - if len(e.pairs) == 0 { - return f - } - e.millerLoop(f) - e.finalExp(f) - return f -} - -// Check computes pairing and checks if result is equal to one -func (e *Engine) Check() bool { - return e.calculate().isOne() -} - -// Result computes pairing and returns target group element as result. -func (e *Engine) Result() *E { - r := e.calculate() - e.Reset() - return r -} - -// GT returns target group instance. -func (e *Engine) GT() *GT { - return NewGT() -} diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/swu.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/swu.go deleted file mode 100644 index 0569ff0bb..000000000 --- a/component/kmscrypto/internal/third_party/kilic/bls12-381/swu.go +++ /dev/null 
@@ -1,142 +0,0 @@
-package bls12381
-
-// swuMapG1 is implementation of Simplified Shallue-van de Woestijne-Ulas Method
-// follows the implmentation at draft-irtf-cfrg-hash-to-curve-06.
-func swuMapG1(u *fe) (*fe, *fe) {
- var params = swuParamsForG1
- var tv [4]*fe
- for i := 0; i < 4; i++ {
- tv[i] = new(fe)
- }
- square(tv[0], u)
- mul(tv[0], tv[0], params.z)
- square(tv[1], tv[0])
- x1 := new(fe)
- add(x1, tv[0], tv[1])
- inverse(x1, x1)
- e1 := x1.isZero()
- one := new(fe).one()
- add(x1, x1, one)
- if e1 {
- x1.set(params.zInv)
- }
- mul(x1, x1, params.minusBOverA)
- gx1 := new(fe)
- square(gx1, x1)
- add(gx1, gx1, params.a)
- mul(gx1, gx1, x1)
- add(gx1, gx1, params.b)
- x2 := new(fe)
- mul(x2, tv[0], x1)
- mul(tv[1], tv[0], tv[1])
- gx2 := new(fe)
- mul(gx2, gx1, tv[1])
- e2 := !isQuadraticNonResidue(gx1)
- x, y2 := new(fe), new(fe)
- if e2 {
- x.set(x1)
- y2.set(gx1)
- } else {
- x.set(x2)
- y2.set(gx2)
- }
- y := new(fe)
- sqrt(y, y2)
- if y.sign() != u.sign() {
- neg(y, y)
- }
- return x, y
-}
-
-// swuMapG2 is implementation of Simplified Shallue-van de Woestijne-Ulas Method
-// defined at draft-irtf-cfrg-hash-to-curve-06.
-func swuMapG2(e *fp2, u *fe2) (*fe2, *fe2) {
- if e == nil {
- e = newFp2()
- }
- params := swuParamsForG2
- var tv [4]*fe2
- for i := 0; i < 4; i++ {
- tv[i] = e.new()
- }
- e.square(tv[0], u)
- e.mul(tv[0], tv[0], params.z)
- e.square(tv[1], tv[0])
- x1 := e.new()
- fp2Add(x1, tv[0], tv[1])
- e.inverse(x1, x1)
- e1 := x1.isZero()
- fp2Add(x1, x1, e.one())
- if e1 {
- x1.set(params.zInv)
- }
- e.mul(x1, x1, params.minusBOverA)
- gx1 := e.new()
- e.square(gx1, x1)
- fp2Add(gx1, gx1, params.a)
- e.mul(gx1, gx1, x1)
- fp2Add(gx1, gx1, params.b)
- x2 := e.new()
- e.mul(x2, tv[0], x1)
- e.mul(tv[1], tv[0], tv[1])
- gx2 := e.new()
- e.mul(gx2, gx1, tv[1])
- e2 := !e.isQuadraticNonResidue(gx1)
- x, y2 := e.new(), e.new()
- if e2 {
- x.set(x1)
- y2.set(gx1)
- } else {
- x.set(x2)
- y2.set(gx2)
- }
- y := e.new()
- e.sqrtBLST(y, y2)
- if y.sign() != u.sign() {
- fp2Neg(y, y)
- }
- return x, y
-}
-
-var swuParamsForG1 = struct {
- z *fe
- zInv *fe
- a *fe
- b *fe
- minusBOverA *fe
-}{
- a: &fe{0x2f65aa0e9af5aa51, 0x86464c2d1e8416c3, 0xb85ce591b7bd31e2, 0x27e11c91b5f24e7c, 0x28376eda6bfc1835, 0x155455c3e5071d85},
- b: &fe{0xfb996971fe22a1e0, 0x9aa93eb35b742d6f, 0x8c476013de99c5c4, 0x873e27c3a221e571, 0xca72b5e45a52d888, 0x06824061418a386b},
- z: &fe{0x886c00000023ffdc, 0x0f70008d3090001d, 0x77672417ed5828c3, 0x9dac23e943dc1740, 0x50553f1b9c131521, 0x078c712fbe0ab6e8},
- zInv: &fe{0x0e8a2e8ba2e83e10, 0x5b28ba2ca4d745d1, 0x678cd5473847377a, 0x4c506dd8a8076116, 0x9bcb227d79284139, 0x0e8d3154b0ba099a},
- minusBOverA: &fe{0x052583c93555a7fe, 0x3b40d72430f93c82, 0x1b75faa0105ec983, 0x2527e7dc63851767, 0x99fffd1f34fc181d, 0x097cab54770ca0d3},
-}
-
-var swuParamsForG2 = struct {
- z *fe2
- zInv *fe2
- a *fe2
- b *fe2
- minusBOverA *fe2
-}{
- a: &fe2{
- fe{0, 0, 0, 0, 0, 0},
- fe{0xe53a000003135242, 0x01080c0fdef80285, 0xe7889edbe340f6bd, 0x0b51375126310601, 0x02d6985717c744ab, 0x1220b4e979ea5467},
- },
- b: &fe2{
- fe{0x22ea00000cf89db2, 0x6ec832df71380aa4, 0x6e1b94403db5a66e, 
0x75bf3c53a79473ba, 0x3dd3a569412c0a34, 0x125cdb5e74dc4fd1},
- fe{0x22ea00000cf89db2, 0x6ec832df71380aa4, 0x6e1b94403db5a66e, 0x75bf3c53a79473ba, 0x3dd3a569412c0a34, 0x125cdb5e74dc4fd1},
- },
- z: &fe2{
- fe{0x87ebfffffff9555c, 0x656fffe5da8ffffa, 0x0fd0749345d33ad2, 0xd951e663066576f4, 0xde291a3d41e980d3, 0x0815664c7dfe040d},
- fe{0x43f5fffffffcaaae, 0x32b7fff2ed47fffd, 0x07e83a49a2e99d69, 0xeca8f3318332bb7a, 0xef148d1ea0f4c069, 0x040ab3263eff0206},
- },
- zInv: &fe2{
- fe{0xacd0000000011110, 0x9dd9999dc88ccccd, 0xb5ca2ac9b76352bf, 0xf1b574bcf4bc90ce, 0x42dab41f28a77081, 0x132fc6ac14cd1e12},
- fe{0xe396ffffffff2223, 0x4fbf332fcd0d9998, 0x0c4bbd3c1aff4cc4, 0x6b9c91267926ca58, 0x29ae4da6aef7f496, 0x10692e942f195791},
- },
- minusBOverA: &fe2{
- fe{0x903c555555474fb3, 0x5f98cc95ce451105, 0x9f8e582eefe0fade, 0xc68946b6aebbd062, 0x467a4ad10ee6de53, 0x0e7146f483e23a05},
- fe{0x29c2aaaaaab85af8, 0xbf133368e30eeefa, 0xc7a27a7206cffb45, 0x9dee04ce44c9425c, 0x04a15ce53464ce83, 0x0b8fcaf5b59dac95},
- },
-}
diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/swu_custom.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/swu_custom.go
deleted file mode 100644
index 94ee43a0a..000000000
--- a/component/kmscrypto/internal/third_party/kilic/bls12-381/swu_custom.go
+++ /dev/null
@@ -1,19 +0,0 @@
-/*
-Copyright SecureKey Technologies Inc. All Rights Reserved.
-
-SPDX-License-Identifier: Apache-2.0
-*/
-
-package bls12381
-
-// swuMapG1BE is implementation of Simplified Shallue-van de Woestijne-Ulas Method
-// follows the implementation at draft-irtf-cfrg-hash-to-curve-06.
-// uses big-endian variant: https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#section-4.1.1
-func swuMapG1BE(u *fe) (*fe, *fe) {
- x, y, u := swuMapG1Pre(u)
-
- if y.signBE() != u.signBE() {
- neg(y, y)
- }
- return x, y
-}
diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/swu_mod.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/swu_mod.go
deleted file mode 100644
index c0d64c390..000000000
--- a/component/kmscrypto/internal/third_party/kilic/bls12-381/swu_mod.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package bls12381
-
-// swuMapG1Pre is implementation of Simplified Shallue-van de Woestijne-Ulas Method
-// follows the implementation at draft-irtf-cfrg-hash-to-curve-06.
-// The swuMapG1 function is modified to perform the sign correction outside.
-func swuMapG1Pre(u *fe) (*fe, *fe, *fe) {
- var params = swuParamsForG1
- var tv [4]*fe
- for i := 0; i < 4; i++ {
- tv[i] = new(fe)
- }
- square(tv[0], u)
- mul(tv[0], tv[0], params.z)
- square(tv[1], tv[0])
- x1 := new(fe)
- add(x1, tv[0], tv[1])
- inverse(x1, x1)
- e1 := x1.isZero()
- one := new(fe).one()
- add(x1, x1, one)
- if e1 {
- x1.set(params.zInv)
- }
- mul(x1, x1, params.minusBOverA)
- gx1 := new(fe)
- square(gx1, x1)
- add(gx1, gx1, params.a)
- mul(gx1, gx1, x1)
- add(gx1, gx1, params.b)
- x2 := new(fe)
- mul(x2, tv[0], x1)
- mul(tv[1], tv[0], tv[1])
- gx2 := new(fe)
- mul(gx2, gx1, tv[1])
- e2 := !isQuadraticNonResidue(gx1)
- x, y2 := new(fe), new(fe)
- if e2 {
- x.set(x1)
- y2.set(gx1)
- } else {
- x.set(x2)
- y2.set(gx2)
- }
- y := new(fe)
- sqrt(y, y2)
-
- // This function is modified to perform the sign correction outside.
- return x, y, u
-}
diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/utils.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/utils.go
deleted file mode 100644
index a5fb988e0..000000000
--- a/component/kmscrypto/internal/third_party/kilic/bls12-381/utils.go
+++ /dev/null
@@ -1,13 +0,0 @@
-package bls12381
-
-import (
- "math/big"
-)
-
-func bigFromHex(hex string) *big.Int {
- if len(hex) > 1 && hex[:2] == "0x" {
- hex = hex[2:]
- }
- n, _ := new(big.Int).SetString(hex, 16)
- return n
-}
diff --git a/component/kmscrypto/internal/third_party/kilic/bls12-381/wnaf.go b/component/kmscrypto/internal/third_party/kilic/bls12-381/wnaf.go
deleted file mode 100644
index 9ab2d5730..000000000
--- a/component/kmscrypto/internal/third_party/kilic/bls12-381/wnaf.go
+++ /dev/null
@@ -1,110 +0,0 @@ -package bls12381 - -import ( - "math/big" -) - -type nafNumber []int - -func (n nafNumber) neg() { - for i := 0; i < len(n); i++ { - n[i] = -n[i] - } -} - -var bigZero = big.NewInt(0) -var bigOne = big.NewInt(1) - -func (e *Fr) toWNAF(w uint) nafNumber { - naf := nafNumber{} - if w == 0 { - return naf - } - windowSize, halfSize, mask := 1<<(w+1), 1<= halfSize { - nafSign = nafSign - windowSize - } - naf = append(naf, int(nafSign)) - if nafSign < 0 { - laddAssignFR(ee, z.setUint64(uint64(-nafSign))) - } else { - lsubAssignFR(ee, z.setUint64(uint64(nafSign))) - } - } else { - naf = append(naf, 0) - } - ee.div2() - } - - return naf -} - -func (e *Fr) fromWNAF(naf nafNumber, w uint) *Fr { - if w == 0 { - return e - } - l := (1 << (w - 1)) - table := make([]*Fr, l) - table[0] = new(Fr).One() - two := new(Fr).setUint64(2) - for i := 1; i < l; i++ { - table[i] = new(Fr) - table[i].Add(table[i-1], two) - } - acc := new(Fr).Zero() - for i := len(naf) - 1; i >= 0; i-- { - if naf[i] < 0 { - acc.Sub(acc, table[-naf[i]>>1]) - } else if naf[i] > 0 { - acc.Add(acc, table[naf[i]>>1]) - } - if i != 0 { - acc.Double(acc) - } - } - return e.Set(acc) -} - -// caution: does not cover negative case -func bigToWNAF(e *big.Int, w uint) nafNumber { - naf := nafNumber{} - if w == 0 { - return naf - } - windowSize := new(big.Int).Lsh(bigOne, uint(w+1)) - halfSize := new(big.Int).Rsh(windowSize, 1) - ee := new(big.Int).Abs(e) - for ee.Cmp(bigZero) != 0 { - if ee.Bit(0) == 1 { - nafSign := new(big.Int) - nafSign.Mod(ee, windowSize) - if nafSign.Cmp(halfSize) >= 0 { - nafSign.Sub(nafSign, windowSize) - } - naf = append(naf, int(nafSign.Int64())) - ee.Sub(ee, nafSign) - } else { - naf = append(naf, 0) - } - ee.Rsh(ee, 1) - } - return naf -} - -func bigFromWNAF(naf nafNumber) *big.Int { - acc := new(big.Int) - k := new(big.Int).Set(bigOne) - for i := 0; i < len(naf); i++ { - if naf[i] != 0 { - z := new(big.Int).Mul(k, big.NewInt(int64(naf[i]))) - acc.Add(acc, z) - } - k.Lsh(k, 
1)
- }
- return acc
-}
diff --git a/component/models/go.mod b/component/models/go.mod
index d89bfde35..33e30c5bd 100644
--- a/component/models/go.mod
+++ b/component/models/go.mod
@@ -12,7 +12,7 @@ require (
 github.com/go-jose/go-jose/v3 v3.0.1-0.20221117193127-916db76e8214
 github.com/google/tink/go v1.7.0
 github.com/google/uuid v1.3.0
- github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0-20230427134832-0c9969493bd3
+ github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0-20220322085443-50e8f9bd208b
 github.com/hyperledger/aries-framework-go/component/log v0.0.0-20230417184158-344a7f82c4c2
 github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20230427134832-0c9969493bd3
 github.com/hyperledger/aries-framework-go/spi v0.0.0-20230417184158-344a7f82c4c2
@@ -24,10 +24,15 @@ require (
 )
 require (
+ github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c // indirect
+ github.com/consensys/bavard v0.1.13 // indirect
+ github.com/consensys/gnark-crypto v0.9.1 // indirect
 github.com/davecgh/go-spew v1.1.1 // indirect
 github.com/golang/protobuf v1.5.2 // indirect
+ github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8 // indirect
 github.com/hyperledger/ursa-wrapper-go v0.3.1 // indirect
 github.com/kilic/bls12-381 v0.1.1-0.20210503002446-7b7597926c69 // indirect
+ github.com/mmcloughlin/addchain v0.4.0 // indirect
 github.com/mr-tron/base58 v1.1.3 // indirect
 github.com/multiformats/go-base32 v0.0.3 // indirect
 github.com/multiformats/go-base36 v0.1.0 // indirect
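Review bot: The kmscrypto requirement is rewritten to a different version in every module — `v0.0.0-20220322085443-50e8f9bd208b` here, `v0.0.0-20230420151605-a45b1b02336f` in go.mod and `v0.0.0` in test/bdd/go.mod — and each is masked by a new `replace` pointing at a local path. A `replace` directive only applies when the module is the main module, so anyone importing component/models as a library resolves the 2022 pseudo-version written here, which very likely predates the IBM/mathlib port and will not build against the new API. Every go.mod should pin the same pseudo-version, the one matching the kmscrypto commit that carries the mathlib change, and the local-path replaces should be removed before a release or moved into a `go.work` file so they never reach consumers.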
@@ -38,9 +43,12 @@ require (
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 golang.org/x/crypto v0.1.0 // indirect
- golang.org/x/sys v0.1.0 // indirect
+ golang.org/x/sys v0.2.0 // indirect
 google.golang.org/protobuf v1.28.1 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
+ rsc.io/tmplfunc v0.0.3 // indirect
 )
+replace github.com/hyperledger/aries-framework-go/component/kmscrypto => ../kmscrypto
+
 replace github.com/hyperledger/aries-framework-go/spi => ../../spi
diff --git a/component/models/go.sum b/component/models/go.sum
index 463e22c6b..3314ceac7 100644
--- a/component/models/go.sum
+++ b/component/models/go.sum
@@ -1,3 +1,5 @@
+github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c h1:eLCIQV1wI6WBt1T+s2vUWFg7tBB0Xu/+YZSZ877+kyM=
+github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c/go.mod h1:p0HGSuwoOwAlts8u8rMJrInDo9BEwWUfzTIzdA+QuDo=
 github.com/aead/siphash v1.0.1/go.mod h1:Nywa3cDsYNNK3gaciGTWPwHt0wlpNV15vwmswBAUSII=
 github.com/btcsuite/btcd v0.20.1-beta/go.mod h1:wVuoA8VJLEcwgqHBwHmzLRazpKxTv13Px/pDuV7OomQ=
 github.com/btcsuite/btcd v0.22.0-beta h1:LTDpDKUM5EeOFBPM8IXpinEcmZ6FWfNZbE3lfrfdnWo=
@@ -13,6 +15,10 @@ github.com/btcsuite/snappy-go v0.0.0-20151229074030-0bdef8d06723/go.mod h1:8woku
 github.com/btcsuite/snappy-go v1.0.0/go.mod h1:8woku9dyThutzjeg+3xrA5iCpBRH8XEEg3lh6TiUghc=
 github.com/btcsuite/websocket v0.0.0-20150119174127-31079b680792/go.mod h1:ghJtEyQwv5/p4Mg4C0fgbePVuGr935/5ddU9Z3TmDRY=
 github.com/btcsuite/winsvc v1.0.0/go.mod h1:jsenWakMcC0zFBFurPLEAyrnc/teJEM1O46fmI40EZs=
+github.com/consensys/bavard v0.1.13 h1:oLhMLOFGTLdlda/kma4VOJazblc7IM5y5QPd2A/YjhQ=
+github.com/consensys/bavard v0.1.13/go.mod h1:9ItSMtA/dXMAiL7BG6bqW2m3NdSEObYWoH223nGHukI=
+github.com/consensys/gnark-crypto v0.9.1 h1:mru55qKdWl3E035hAoh1jj9d7hVnYY5pfb6tmovSmII=
+github.com/consensys/gnark-crypto v0.9.1/go.mod h1:a2DQL4+5ywF6safEeZFEPGRiiGbjzGFRUN2sg06VuU4=
 github.com/davecgh/go-spew v0.0.0-20171005155431-ecdeabc65495/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -29,17 +35,18 @@ github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiu
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=
+github.com/google/subcommands v1.2.0/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
 github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w=
 github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0-20230427134832-0c9969493bd3 h1:PCbDSujjQ6oTEnAHgtThNmbS7SPAYEDBlKOnZFE+Ujw=
-github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0-20230427134832-0c9969493bd3/go.mod h1:aEk0vHBmZsAdDfXaI12Kg5ipZGiB3qNqgbPt/e/Hm2s=
 github.com/hyperledger/aries-framework-go/component/log v0.0.0-20230417184158-344a7f82c4c2 h1:fKaNw6yi5PIXRDmEiOPNIErS6Mv92m03JcAE7wxj/Bk=
 github.com/hyperledger/aries-framework-go/component/log v0.0.0-20230417184158-344a7f82c4c2/go.mod h1:CvYs4l8X2NrrF93weLOu5RTOIJeVdoZITtjEflyuTyM=
 github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20230427134832-0c9969493bd3 h1:JGYA9l5zTlvsvfnXT9hYPpCokAjmVKX0/r7njba7OX4=
 github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20230427134832-0c9969493bd3/go.mod h1:aSG2dWjYVzu2PVBtOqsYghaChA5+UUXnBbL+MfVceYQ=
+github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8 h1:BCR8ZlOZ+deUbWxyY6fpoY8LbB7PR5wGGwCTvWQOU2g=
+github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8/go.mod h1:X+DIyUsaTmalOpmpQfIvFZjKHQedrURQ5t4YqquX7lE=
github.com/hyperledger/ursa-wrapper-go v0.3.1 h1:Do+QrVNniY77YK2jTIcyWqj9rm/Yb5SScN0bqCjiibA=
 github.com/hyperledger/ursa-wrapper-go v0.3.1/go.mod h1:nPSAuMasIzSVciQo22PedBk4Opph6bJ6ia3ms7BH/mk=
 github.com/jessevdk/go-flags v0.0.0-20141203071132-1679536dcc89/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
@@ -50,8 +57,12 @@ github.com/kilic/bls12-381 v0.1.1-0.20210503002446-7b7597926c69/go.mod h1:tlkavy
 github.com/kkdai/bstream v0.0.0-20161212061736-f391b8402d23/go.mod h1:J+Gs4SYgM6CZQHDETBtE9HaSEkGmuNXF86RwHhHUvq4=
 github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/leanovate/gopter v0.2.9 h1:fQjYxZaynp97ozCzfOyOuAGOU4aU/z37zf/tOujFk7c=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mmcloughlin/addchain v0.4.0 h1:SobOdjm2xLj1KkXN5/n0xTIWyZA2+s99UCY1iPfkHRY=
+github.com/mmcloughlin/addchain v0.4.0/go.mod h1:A86O+tHqZLMNO4w6ZZ4FlVQEadcoqkyU72HC5wJ4RlU=
+github.com/mmcloughlin/profile v0.1.1/go.mod h1:IhHD7q1ooxgwTgjxQYkACGA77oFTDdFVejUS1/tS/qU=
 github.com/mr-tron/base58 v1.1.3 h1:v+sk57XuaCKGXpWtVBX8YJzO7hMGx4Aajh4TQbdEFdc=
 github.com/mr-tron/base58 v1.1.3/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc=
 github.com/multiformats/go-base32 v0.0.3 h1:tw5+NhuwaOjJCC5Pp82QuXbrmLzWg7uxlMFp8Nq/kkI=
@@ -107,8 +118,8 @@ golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
@@ -125,3 +136,5 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+rsc.io/tmplfunc v0.0.3 h1:53XFQh69AfOa8Tw0Jm7t+GV7KZhOi6jzsCzTtKbMvzU=
+rsc.io/tmplfunc v0.0.3/go.mod h1:AG3sTPzElb1Io3Yg4voV9AGZJuleGAwaVRxL9M49PhA=
diff --git a/go.mod b/go.mod
index 4a0c94fcb..cf145cafb 100644
--- a/go.mod
+++ b/go.mod
@@ -7,6 +7,7 @@ module github.com/hyperledger/aries-framework-go
 // TODO (#2815): Remove circular dependency between the main module and component/storage/edv
 require (
+ github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c
 github.com/PaesslerAG/gval v1.1.0
 github.com/PaesslerAG/jsonpath v0.1.1
 github.com/VictoriaMetrics/fastcache v1.5.7
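Review bot: `github.com/IBM/mathlib` enters the main module as a direct requirement at `v0.0.3-0.20230428120512-8afa4e643d4c`, an untagged commit pseudo-version, and judging by the signature_proof.go hunk it appears to replace kilic/bls12-381 as the pairing backend for the BBS+ primitive. The go.sum entries keep the build reproducible, but a pseudo-version on a cryptographic dependency leaves no release stream to watch for fixes and no record of why that commit was chosen. Either a tagged release should be required once one exists, or the line should carry the justification, e.g. `github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c // pinned: <review reference placeholder>`. The same pseudo-version is added as an indirect requirement in component/models/go.mod and test/bdd/go.mod.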
@@ -19,7 +20,7 @@ require (
 github.com/google/tink/go v1.7.0
 github.com/google/uuid v1.3.0
 github.com/gorilla/mux v1.7.3
- github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0-20230427134832-0c9969493bd3
+ github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0-20230420151605-a45b1b02336f
 github.com/hyperledger/aries-framework-go/component/log v0.0.0-20230427134832-0c9969493bd3
 github.com/hyperledger/aries-framework-go/component/models v0.0.0-20230501135648-a9a7ad029347
 github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20221025204933-b807371b6f1e
@@ -28,7 +29,6 @@ require (
 github.com/hyperledger/ursa-wrapper-go v0.3.1
 github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a
 github.com/kawamuray/jsonpath v0.0.0-20201211160320-7483bafabd7e
- github.com/kilic/bls12-381 v0.1.1-0.20210503002446-7b7597926c69
 github.com/mitchellh/mapstructure v1.5.0
 github.com/multiformats/go-multibase v0.1.1
 github.com/multiformats/go-multihash v0.0.13
@@ -47,11 +47,16 @@ require (
 require (
 github.com/btcsuite/btcd v0.22.0-beta // indirect
 github.com/cespare/xxhash/v2 v2.1.1 // indirect
+ github.com/consensys/bavard v0.1.13 // indirect
+ github.com/consensys/gnark-crypto v0.9.1 // indirect
 github.com/davecgh/go-spew v1.1.1 // indirect
 github.com/golang/snappy v0.0.4 // indirect
+ github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8 // indirect
+ github.com/kilic/bls12-381 v0.1.1-0.20210503002446-7b7597926c69 // indirect
 github.com/klauspost/compress v1.10.0 // indirect
 github.com/minio/blake2b-simd v0.0.0-20160723061019-3f5f724cb5b1 // indirect
 github.com/minio/sha256-simd v0.1.1 // indirect
+ github.com/mmcloughlin/addchain v0.4.0 // indirect
 github.com/mr-tron/base58 v1.2.0 // indirect
 github.com/multiformats/go-base32 v0.1.0 // indirect
 github.com/multiformats/go-base36 v0.1.0 // indirect
@@ -64,12 +69,15 @@ require (
 github.com/tidwall/pretty v1.0.2 // indirect
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
- golang.org/x/sys v0.1.0 // indirect
+ golang.org/x/sys v0.2.0 // indirect
 golang.org/x/time v0.1.0 // indirect
 google.golang.org/protobuf v1.28.1 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
+ rsc.io/tmplfunc v0.0.3 // indirect
 )
+replace github.com/hyperledger/aries-framework-go/component/kmscrypto => ./component/kmscrypto
+
 go 1.19
 //replace github.com/square/go-jose/v3 => github.com/go-jose/go-jose/v3 v3.0.1-0.20221117193127-916db76e8214
diff --git a/go.sum b/go.sum
index e0ed61def..68d367890 100644
--- a/go.sum
+++ b/go.sum
@@ -1,3 +1,5 @@
+github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c h1:eLCIQV1wI6WBt1T+s2vUWFg7tBB0Xu/+YZSZ877+kyM=
+github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c/go.mod h1:p0HGSuwoOwAlts8u8rMJrInDo9BEwWUfzTIzdA+QuDo=
 github.com/PaesslerAG/gval v1.0.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v24IBN1I=
 github.com/PaesslerAG/gval v1.1.0 h1:k3RuxeZDO3eejD4cMPSt+74tUSvTnbGvLx0df4mdwFc=
 github.com/PaesslerAG/gval v1.1.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v24IBN1I=
@@ -29,6 +31,10 @@ github.com/cenkalti/backoff/v4 v4.0.2 h1:JIufpQLbh4DkbQoii76ItQIUFzevQSqOLZca4ea
 github.com/cenkalti/backoff/v4 v4.0.2/go.mod h1:eEew/i+1Q6OrCDZh3WiXYv3+nJwBASZ8Bog/87DQnVg=
 github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/consensys/bavard v0.1.13 h1:oLhMLOFGTLdlda/kma4VOJazblc7IM5y5QPd2A/YjhQ=
+github.com/consensys/bavard v0.1.13/go.mod h1:9ItSMtA/dXMAiL7BG6bqW2m3NdSEObYWoH223nGHukI=
+github.com/consensys/gnark-crypto v0.9.1 h1:mru55qKdWl3E035hAoh1jj9d7hVnYY5pfb6tmovSmII=
+github.com/consensys/gnark-crypto v0.9.1/go.mod h1:a2DQL4+5ywF6safEeZFEPGRiiGbjzGFRUN2sg06VuU4=
 github.com/davecgh/go-spew v0.0.0-20171005155431-ecdeabc65495/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -57,6 +63,7 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=
+github.com/google/subcommands v1.2.0/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
 github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w=
 github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
@@ -66,8 +73,6 @@ github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2z
 github.com/gorilla/websocket v1.4.1 h1:q7AeDBpnBk8AogcD4DSag/Ukw/KV+YhzLj2bP5HvKCM=
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0-20230427134832-0c9969493bd3 h1:PCbDSujjQ6oTEnAHgtThNmbS7SPAYEDBlKOnZFE+Ujw=
-github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0-20230427134832-0c9969493bd3/go.mod h1:aEk0vHBmZsAdDfXaI12Kg5ipZGiB3qNqgbPt/e/Hm2s=
 github.com/hyperledger/aries-framework-go/component/log v0.0.0-20230427134832-0c9969493bd3 h1:x5qFQraTX86z9GCwF28IxfnPm6QH5YgHaX+4x97Jwvw=
 github.com/hyperledger/aries-framework-go/component/log v0.0.0-20230427134832-0c9969493bd3/go.mod h1:CvYs4l8X2NrrF93weLOu5RTOIJeVdoZITtjEflyuTyM=
 github.com/hyperledger/aries-framework-go/component/models v0.0.0-20230501135648-a9a7ad029347 h1:oPGUCpmnm7yxsVllcMQnHF3uc3hy4jfrSCh7nvzXA00=
@@ -79,6 +84,8 @@ github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-202304271
 github.com/hyperledger/aries-framework-go/spi v0.0.0-20230427134832-0c9969493bd3 h1:ytWmOQZIYQfVJ4msFvrqlp6d+ZLhT43wS8rgE2m+J1A=
 github.com/hyperledger/aries-framework-go/spi v0.0.0-20230427134832-0c9969493bd3/go.mod h1:oryUyWb23l/a3tAP9KW+GBbfcfqp9tZD4y5hSkFrkqI=
 github.com/hyperledger/aries-framework-go/test/component v0.0.0-20220428211718-66cc046674a1 h1:vxZ0DlFNLjgxMdBESLZu895AsI1JWL2SJerphwIn8Po=
+github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8 h1:BCR8ZlOZ+deUbWxyY6fpoY8LbB7PR5wGGwCTvWQOU2g=
+github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8/go.mod h1:X+DIyUsaTmalOpmpQfIvFZjKHQedrURQ5t4YqquX7lE=
 github.com/hyperledger/ursa-wrapper-go v0.3.1 h1:Do+QrVNniY77YK2jTIcyWqj9rm/Yb5SScN0bqCjiibA=
 github.com/hyperledger/ursa-wrapper-go v0.3.1/go.mod h1:nPSAuMasIzSVciQo22PedBk4Opph6bJ6ia3ms7BH/mk=
 github.com/jessevdk/go-flags v0.0.0-20141203071132-1679536dcc89/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
@@ -95,6 +102,7 @@ github.com/klauspost/compress v1.10.0 h1:92XGj1AcYzA6UrVdd4qIIBrT8OroryvRvdmg/If
 github.com/klauspost/compress v1.10.0/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/leanovate/gopter v0.2.9 h1:fQjYxZaynp97ozCzfOyOuAGOU4aU/z37zf/tOujFk7c=
 github.com/minio/blake2b-simd v0.0.0-20160723061019-3f5f724cb5b1 h1:lYpkrQH5ajf0OXOcUbGjvZxxijuBwbbmlSxLiuofa+g=
 github.com/minio/blake2b-simd v0.0.0-20160723061019-3f5f724cb5b1/go.mod h1:pD8RvIylQ358TN4wwqatJ8rNavkEINozVn9DtGI3dfQ=
 github.com/minio/sha256-simd v0.1.1-0.20190913151208-6de447530771/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM=
@@ -102,6 +110,9 @@ github.com/minio/sha256-simd v0.1.1 h1:5QHSlgo3nt5yKOJrC7W8w7X+NFl8cMPZm96iu8kKU
 github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mmcloughlin/addchain v0.4.0 h1:SobOdjm2xLj1KkXN5/n0xTIWyZA2+s99UCY1iPfkHRY=
+github.com/mmcloughlin/addchain v0.4.0/go.mod h1:A86O+tHqZLMNO4w6ZZ4FlVQEadcoqkyU72HC5wJ4RlU=
+github.com/mmcloughlin/profile v0.1.1/go.mod h1:IhHD7q1ooxgwTgjxQYkACGA77oFTDdFVejUS1/tS/qU=
 github.com/mr-tron/base58 v1.1.3/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc=
 github.com/mr-tron/base58 v1.2.0 h1:T/HDJBh4ZCPbU39/+c3rRvE0uKBQlU27+QI8LJ4t64o=
 github.com/mr-tron/base58 v1.2.0/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc=
@@ -179,8 +190,8 @@ golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.1.0 h1:xYY+Bajn2a7VBmTM5GikTmnK8ZuX8YgnQCqZpbBNtmA=
@@ -203,3 +214,5 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 nhooyr.io/websocket v1.8.3 h1:5UCql+eGVUYcBdr+IvngX2w1xq7g7snC9lSjbfi9qMY=
 nhooyr.io/websocket v1.8.3/go.mod h1:LiqdCg1Cu7TPWxEvPjPa0TGYxCsy4pHNTN9gGluwBpQ=
+rsc.io/tmplfunc v0.0.3 h1:53XFQh69AfOa8Tw0Jm7t+GV7KZhOi6jzsCzTtKbMvzU=
+rsc.io/tmplfunc v0.0.3/go.mod h1:AG3sTPzElb1Io3Yg4voV9AGZJuleGAwaVRxL9M49PhA=
diff --git a/pkg/crypto/primitive/bbs12381g2pub/signature_proof.go b/pkg/crypto/primitive/bbs12381g2pub/signature_proof.go
index 2a3ebaa54..d9c79c83f 100644
--- a/pkg/crypto/primitive/bbs12381g2pub/signature_proof.go
+++ b/pkg/crypto/primitive/bbs12381g2pub/signature_proof.go
@@ -7,8 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 package bbs12381g2pub
 import (
- bls12381 "github.com/kilic/bls12-381"
-
+ ml "github.com/IBM/mathlib"
 bbs "github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/primitive/bbs12381g2pub"
 )
@@ -20,7 +19,7 @@ type PoKOfSignatureProof = bbs.PoKOfSignatureProof
 type ProofG1 = bbs.ProofG1
 // NewProofG1 creates a new ProofG1.
-func NewProofG1(commitment *bls12381.PointG1, responses []*bls12381.Fr) *ProofG1 {
+func NewProofG1(commitment *ml.G1, responses []*ml.Zr) *ProofG1 {
 return bbs.NewProofG1(commitment, responses)
 }
diff --git a/test/bdd/go.mod b/test/bdd/go.mod
index 4cf783cca..d719abe49 100644
--- a/test/bdd/go.mod
+++ b/test/bdd/go.mod
@@ -28,6 +28,7 @@ require (
 require (
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
+ github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c // indirect
 github.com/Microsoft/go-winio v0.4.16 // indirect
 github.com/Microsoft/hcsshim v0.8.11 // indirect
 github.com/PaesslerAG/gval v1.1.0 // indirect
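Review bot: NewProofG1 is an exported function whose parameter types change from `*bls12381.PointG1`/`[]*bls12381.Fr` to `*ml.G1`/`[]*ml.Zr`, so every external caller of pkg/crypto/primitive/bbs12381g2pub stops compiling, and the one-line doc comment gives no hint that the backend changed. Since the function is now a pure pass-through to component/kmscrypto, the comment should name the dependency and the types callers must construct, e.g. `// NewProofG1 creates a new ProofG1 from a G1 commitment and its Zr responses (github.com/IBM/mathlib types); it delegates to component/kmscrypto.` A release note calling out the type change would let downstream users plan the migration instead of discovering it as a build failure.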
@@ -36,6 +37,8 @@ require (
 github.com/bluele/gcache v0.0.0-20190518031135-bc40bd653833 // indirect
 github.com/btcsuite/btcutil v1.0.3-0.20201208143702-a53e38424cce // indirect
 github.com/cespare/xxhash/v2 v2.1.1 // indirect
+ github.com/consensys/bavard v0.1.13 // indirect
+ github.com/consensys/gnark-crypto v0.9.1 // indirect
 github.com/containerd/cgroups v0.0.0-20201119153540-4cbc285b3327 // indirect
 github.com/containerd/containerd v1.4.3 // indirect
 github.com/containerd/continuity v0.0.0-20201208142359-180525291bb7 // indirect
@@ -49,10 +52,11 @@ require (
 github.com/golang/protobuf v1.5.2 // indirect
 github.com/golang/snappy v0.0.4 // indirect
 github.com/google/tink/go v1.7.0 // indirect
- github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0-20230427134832-0c9969493bd3 // indirect
+ github.com/hyperledger/aries-framework-go/component/kmscrypto v0.0.0 // indirect
 github.com/hyperledger/aries-framework-go/component/log v0.0.0-20230427134832-0c9969493bd3 // indirect
 github.com/hyperledger/aries-framework-go/component/models v0.0.0-20230501135648-a9a7ad029347 // indirect
 github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20221025204933-b807371b6f1e // indirect
+ github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8 // indirect
 github.com/hyperledger/ursa-wrapper-go v0.3.1 // indirect
 github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a // indirect
 github.com/kawamuray/jsonpath v0.0.0-20201211160320-7483bafabd7e // indirect
@@ -61,6 +65,7 @@ require (
 github.com/minio/blake2b-simd v0.0.0-20160723061019-3f5f724cb5b1 // indirect
 github.com/minio/sha256-simd v0.1.1 // indirect
 github.com/mitchellh/mapstructure v1.5.0 // indirect
+ github.com/mmcloughlin/addchain v0.4.0 // indirect
 github.com/moby/sys/mountinfo v0.4.0 // indirect
 github.com/morikuni/aec v1.0.0 // indirect
 github.com/mr-tron/base58 v1.2.0 // indirect
@@ -92,9 +97,10 @@ require (
 go.opencensus.io v0.23.0 // indirect
 golang.org/x/crypto v0.1.0 // indirect
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a // indirect
- golang.org/x/sys v0.1.0 // indirect
+ golang.org/x/sys v0.2.0 // indirect
 google.golang.org/protobuf v1.28.1 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
+ rsc.io/tmplfunc v0.0.3 // indirect
 )
 replace (
diff --git a/test/bdd/go.sum b/test/bdd/go.sum
index fe59ff046..b074e9933 100644
--- a/test/bdd/go.sum
+++ b/test/bdd/go.sum
@@ -3,6 +3,8 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c h1:eLCIQV1wI6WBt1T+s2vUWFg7tBB0Xu/+YZSZ877+kyM=
+github.com/IBM/mathlib v0.0.3-0.20230428120512-8afa4e643d4c/go.mod h1:p0HGSuwoOwAlts8u8rMJrInDo9BEwWUfzTIzdA+QuDo=
 github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw=
 github.com/Microsoft/go-winio v0.4.15-0.20200113171025-3fe6c5262873/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw=
 github.com/Microsoft/go-winio v0.4.16-0.20201130162521-d1ffc52c7331/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
@@ -54,6 +56,10 @@ github.com/cilium/ebpf v0.0.0-20200110133405-4032b1d8aae3/go.mod h1:MA5e5Lr8slmE
 github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/consensys/bavard v0.1.13 h1:oLhMLOFGTLdlda/kma4VOJazblc7IM5y5QPd2A/YjhQ=
+github.com/consensys/bavard v0.1.13/go.mod h1:9ItSMtA/dXMAiL7BG6bqW2m3NdSEObYWoH223nGHukI=
+github.com/consensys/gnark-crypto v0.9.1 h1:mru55qKdWl3E035hAoh1jj9d7hVnYY5pfb6tmovSmII=
+github.com/consensys/gnark-crypto v0.9.1/go.mod h1:a2DQL4+5ywF6safEeZFEPGRiiGbjzGFRUN2sg06VuU4=
 github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f/go.mod h1:OApqhQ4XNSNC13gXIwDjhOQxjWa/NxkwZXJ1EvqT0ko=
 github.com/containerd/cgroups v0.0.0-20200531161412-0dbf7f05ba59/go.mod h1:pA0z1pT8KYB3TCXK/ocprsh7MAkoW8bZVzPdih9snmM=
 github.com/containerd/cgroups v0.0.0-20201119153540-4cbc285b3327 h1:7grrpcfCtbZLsjtB0DgMuzs1umsJmpzaHMZ6cO6iAWw=
@@ -169,6 +175,7 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=
+github.com/google/subcommands v1.2.0/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
 github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w=
 github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -190,6 +197,8 @@ github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20221025204933-b807371b6f1e h1:/hrQfwJvHJrwV2FSmfnRp5L6yKY9DqDFqwYyb+oVuDU=
 github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20221025204933-b807371b6f1e/go.mod h1:ACGP1L+WeecDtyA0Mi2E1kqtPLIGrCWPSJ43q2elwX8=
+github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8 h1:BCR8ZlOZ+deUbWxyY6fpoY8LbB7PR5wGGwCTvWQOU2g=
+github.com/hyperledger/fabric-amcl v0.0.0-20210603140002-2670f91851c8/go.mod h1:X+DIyUsaTmalOpmpQfIvFZjKHQedrURQ5t4YqquX7lE=
 github.com/hyperledger/ursa-wrapper-go v0.3.1 h1:Do+QrVNniY77YK2jTIcyWqj9rm/Yb5SScN0bqCjiibA=
 github.com/hyperledger/ursa-wrapper-go v0.3.1/go.mod h1:nPSAuMasIzSVciQo22PedBk4Opph6bJ6ia3ms7BH/mk=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
@@ -219,6 +228,7 @@ github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/leanovate/gopter v0.2.9 h1:fQjYxZaynp97ozCzfOyOuAGOU4aU/z37zf/tOujFk7c=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/minio/blake2b-simd v0.0.0-20160723061019-3f5f724cb5b1 h1:lYpkrQH5ajf0OXOcUbGjvZxxijuBwbbmlSxLiuofa+g=
@@ -230,6 +240,9 @@ github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrk
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mmcloughlin/addchain v0.4.0 h1:SobOdjm2xLj1KkXN5/n0xTIWyZA2+s99UCY1iPfkHRY=
+github.com/mmcloughlin/addchain v0.4.0/go.mod h1:A86O+tHqZLMNO4w6ZZ4FlVQEadcoqkyU72HC5wJ4RlU=
+github.com/mmcloughlin/profile v0.1.1/go.mod h1:IhHD7q1ooxgwTgjxQYkACGA77oFTDdFVejUS1/tS/qU=
 github.com/moby/sys/mount v0.1.0/go.mod h1:FVQFLDRWwyBjDTBNQXDlWnSFREqOo3OKX9aqhmeoo74=
 github.com/moby/sys/mount v0.2.0 h1:WhCW5B355jtxndN5ovugJlMFJawbUODuW8fSnEH6SSM=
 github.com/moby/sys/mount v0.2.0/go.mod h1:aAivFE2LB3W4bACsUXChRHQ0qKWsetY4Y9V7sxOougM=
@@ -447,8 +460,8 @@ golang.org/x/sys v0.0.0-20200922070232-aee5d888a860/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
@@ -523,3 +536,5 @@ honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 nhooyr.io/websocket v1.8.3 h1:5UCql+eGVUYcBdr+IvngX2w1xq7g7snC9lSjbfi9qMY=
 nhooyr.io/websocket v1.8.3/go.mod h1:LiqdCg1Cu7TPWxEvPjPa0TGYxCsy4pHNTN9gGluwBpQ=
+rsc.io/tmplfunc v0.0.3 h1:53XFQh69AfOa8Tw0Jm7t+GV7KZhOi6jzsCzTtKbMvzU=
+rsc.io/tmplfunc v0.0.3/go.mod h1:AG3sTPzElb1Io3Yg4voV9AGZJuleGAwaVRxL9M49PhA=