Revert "optimize gf multiplication"

whyvl · whyvl · commit 66aa9c5e8583 · 2022-10-25T19:46:53.000+01:00
This reverts commit c563649.
diff --git a/kem/mceliece/mceliece348864/mceliece_test.go b/kem/mceliece/mceliece348864/mceliece_test.go
@@ -262,4 +262,30 @@ func TestPolyMul(t *testing.T) {
 		4086, 4094, 4086, 4094, 4086, 4094, 4086, 4094, 4086, 4094, 4086, 4094, 4086, 4094,
 		4086, 4094, 4086, 4094, 4086, 4094, 4086, 4094,
 	})
+
+	fill(&arg1, 8191)
+	fill(&arg2, 1)
+	arg1[0] = 1
+	arg2[0] = 1
+	polyMul(&res, &arg1, &arg2)
+	assertEq(t, &res, []gf{
+		4068, 4068, 18, 4087, 18, 4087, 4068, 4087, 4068, 4087, 4068, 4087, 4068, 4087,
+		4068, 4087, 4068, 4087, 4068, 4087, 4068, 4087, 4068, 4087, 4068, 4087, 4068, 4087,
+		4068, 4087, 4068, 4087, 4068, 4087, 4068, 4087, 4068, 4087, 4068, 4087, 4068, 4087,
+		4068, 4087, 4068, 4087, 4068, 4087, 4068, 4087, 4068, 4087, 4068, 4087, 4068, 4087,
+		4068, 4087, 4068, 4087, 4068, 4087, 4068, 4087,
+	})
+
+	fill(&arg1, 1)
+	fill(&arg2, 8191)
+	arg1[0] = 1
+	arg2[0] = 1
+	polyMul(&res, &arg1, &arg2)
+	assertEq(t, &res, []gf{
+		4086, 4086, 9, 4094, 9, 4094, 4086, 4094, 4086, 4094, 4086, 4094, 4086, 4094,
+		4086, 4094, 4086, 4094, 4086, 4094, 4086, 4094, 4086, 4094, 4086, 4094, 4086, 4094,
+		4086, 4094, 4086, 4094, 4086, 4094, 4086, 4094, 4086, 4094, 4086, 4094, 4086, 4094,
+		4086, 4094, 4086, 4094, 4086, 4094, 4086, 4094, 4086, 4094, 4086, 4094, 4086, 4094,
+		4086, 4094, 4086, 4094, 4086, 4094, 4086, 4094,
+	})
 }
diff --git a/math/gf4096/gf4096.go b/math/gf4096/gf4096.go
@@ -17,27 +17,16 @@ func Add(a, b Gf) Gf {
 
 // Mul calculate the product of two Gf elements.
 func Mul(a, b Gf) Gf {
-	// carry-less multiplication by adding "holes"
-	// see https://www.bearssl.org/constanttime.html#ghash-for-gcm
-	x := uint64(a)
-	y := uint64(b)
-	x0 := x & 0x111111111111
-	x1 := x & 0x222222222222
-	x2 := x & 0x444444444444
-	x3 := x & 0x888888888888
-	y0 := y & 0x111111111111
-	y1 := y & 0x222222222222
-	y2 := y & 0x444444444444
-	y3 := y & 0x888888888888
-	z0 := (x0 * y0) ^ (x1 * y3) ^ (x2 * y2) ^ (x3 * y1)
-	z1 := (x0 * y1) ^ (x1 * y0) ^ (x2 * y3) ^ (x3 * y2)
-	z2 := (x0 * y2) ^ (x1 * y1) ^ (x2 * y0) ^ (x3 * y3)
-	z3 := (x0 * y3) ^ (x1 * y2) ^ (x2 * y1) ^ (x3 * y0)
-	z0 &= 0x111111111111
-	z1 &= 0x222222222222
-	z2 &= 0x444444444444
-	z3 &= 0x888888888888
-	tmp := z0 | z1 | z2 | z3
+	a64 := uint64(a)
+	b64 := uint64(b)
+
+	// if the LSB of b is 1, set tmp to a64, and 0 otherwise
+	tmp := a64 & -(b64 & 1)
+
+	// check if i-th bit of b64 is set, add a64 shifted by i bits if so
+	for i := 1; i < GfBits; i++ {
+		tmp ^= a64 * (b64 & (1 << i))
+	}
 
 	// polynomial reduction
 	t := tmp & 0x7FC000
diff --git a/math/gf4096/gf_test.go b/math/gf4096/gf_test.go
@@ -29,10 +29,14 @@ func TestGeneric(t *testing.T) {
 }
 
 func testDiv(t *testing.T, div tdiv) {
+	assertEq(t, div(6733, 1), 2637)
 	assertEq(t, div(0, 2), 0)
 	assertEq(t, div(4, 2), 2)
+	assertEq(t, div(4096, 2), 0)
 	assertEq(t, div(9, 3), 7)
+	assertEq(t, div(4591, 5), 99)
 	assertEq(t, div(10, 550), 3344)
+	assertEq(t, div(3, 5501), 1763)
 }
 
 func testInv(t *testing.T, inv tinv) {
@@ -41,6 +45,11 @@ func testInv(t *testing.T, inv tinv) {
 	assertEq(t, inv(2), 2052)
 	assertEq(t, inv(3), 4088)
 	assertEq(t, inv(4), 1026)
+	assertEq(t, inv(4095), 1539)
+	assertEq(t, inv(4096), 0)
+	assertEq(t, inv(8191), 1539)
+	assertEq(t, inv(8192), 0)
+	assertEq(t, inv(0xFFFF), 1539)
 }
 
 func testSqr(t *testing.T, sqr tsqr) {
@@ -73,6 +82,9 @@ func testMul(t *testing.T, mul tmul) {
 	assertEq(t, mul(125, 37), 3625)
 	assertEq(t, mul(37, 125), 3625)
 	assertEq(t, mul(4095, 1), 4095)
+	assertEq(t, mul(1, 4095), 4095)
+	assertEq(t, mul(8191, 1), 4086)
+	assertEq(t, mul(1, 8191), 4095)
 	assertEq(t, mul(550, 3344), 10)
 	assertEq(t, mul(3344, 550), 10)
 }
diff --git a/math/gf8192/gf8192.go b/math/gf8192/gf8192.go
@@ -17,27 +17,16 @@ func Add(a, b Gf) Gf {
 
 // Mul calculate the product of two Gf elements.
 func Mul(a, b Gf) Gf {
-	// carry-less multiplication by adding "holes"
-	// see https://www.bearssl.org/constanttime.html#ghash-for-gcm
-	x := uint64(a)
-	y := uint64(b)
-	x0 := x & 0x1111111111111
-	x1 := x & 0x2222222222222
-	x2 := x & 0x4444444444444
-	x3 := x & 0x8888888888888
-	y0 := y & 0x1111111111111
-	y1 := y & 0x2222222222222
-	y2 := y & 0x4444444444444
-	y3 := y & 0x8888888888888
-	z0 := (x0 * y0) ^ (x1 * y3) ^ (x2 * y2) ^ (x3 * y1)
-	z1 := (x0 * y1) ^ (x1 * y0) ^ (x2 * y3) ^ (x3 * y2)
-	z2 := (x0 * y2) ^ (x1 * y1) ^ (x2 * y0) ^ (x3 * y3)
-	z3 := (x0 * y3) ^ (x1 * y2) ^ (x2 * y1) ^ (x3 * y0)
-	z0 &= 0x1111111111111
-	z1 &= 0x2222222222222
-	z2 &= 0x4444444444444
-	z3 &= 0x8888888888888
-	tmp := z0 | z1 | z2 | z3
+	a64 := uint64(a)
+	b64 := uint64(b)
+
+	// if the LSB of b is 1, set tmp to a64, and 0 otherwise
+	tmp := a64 & -(b64 & 1)
+
+	// check if i-th bit of b64 is set, add a64 shifted by i bits if so
+	for i := 1; i < GfBits; i++ {
+		tmp ^= a64 * (b64 & (1 << i))
+	}
 
 	// polynomial reduction
 	t := tmp & 0x1FF0000
