Using exponentiation of inverting scalars.

Author: armfazh

group/decaf448/decaf.go

@@ -84,7 +84,7 @@ func (e *Elt) IsIdentity() bool {
 	b0 := fp.IsZero(&e.p.X)
 	b1 := 1 - fp.IsZero(&e.p.Y)
 	b2 := 1 - fp.IsZero(&e.p.Z)
-	return subtle.ConstantTimeEq(int32(4*b2+2*b1+b0), 0x7) == 1
+	return (b0 & b1 & b2) == 1
 }
 
 // IsEqual returns True if e=a, where = is an equivalence relation.

internal/ted448/constants.go

@@ -44,6 +44,15 @@ var (
 		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f,
 	}
+	orderMinusTwo = Scalar{
+		0xf1, 0x44, 0x58, 0xab, 0x92, 0xc2, 0x78, 0x23,
+		0x55, 0x8f, 0xc5, 0x8d, 0x72, 0xc2, 0x6c, 0x21,
+		0x90, 0x36, 0xd6, 0xae, 0x49, 0xdb, 0x4e, 0xc4,
+		0xe9, 0x23, 0xca, 0x7c, 0xff, 0xff, 0xff, 0xff,
+		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f,
+	}
 	// residue448 is 2^448 mod order.
 	residue448 = [4]uint64{
 		0x721cf5b5529eec34, 0x7a4cf635c8e9c2ab, 0xeec492d944a725bf, 0x20cd77058,

internal/ted448/point.go

@@ -46,12 +46,13 @@ func (P *Point) Double() {
 	fp.Add(c, c, c)   // C = 2*z^2
 	fp.Add(h, a, b)   // H = A+B
 	fp.Sqr(e, e)      // (x+y)^2
-	fp.Sub(e, e, h)   // E = (x+y)^2-A-B
+	fp.Sub(e, e, h)   // E = (x+y)^2-A-B = 2xy
 	fp.Sub(g, b, a)   // G = B-A
-	fp.Sub(f, c, g)   // F = C-G
-	fp.Mul(Pz, f, g)  // Z = F * G
-	fp.Mul(Px, e, f)  // X = E * F
-	fp.Mul(Py, g, h)  // Y = G * H, T = E * H
+	fp.Sub(f, c, g)   // F = C-G = 2z^2-y^2+x^2
+	fp.Mul(Pz, f, g)  // Z = F * G = (y^2-x^2)(2z^2-y^2+x^2)
+	fp.Mul(Px, e, f)  // X = E * F = 2xy(2z^2-y^2+x^2)
+	fp.Mul(Py, g, h)  // Y = G * H = (x^2-y^2)(x^2+y^2)
+	// T = E * H = 2xy(x^2+y^2)
 }
 
 // mixAdd calulates P= P+Q, where Q is a precomputed448 point with Z_Q = 1.

internal/ted448/scalar.go

@@ -1,7 +1,6 @@
 package ted448
 
 import (
-	"crypto/rand"
 	"encoding/binary"
 	"math/bits"
 
@@ -202,32 +201,41 @@ func (z *Scalar) Sub(x, y *Scalar) {
 // Mul calculates z = x*y mod order.
 func (z *Scalar) Mul(x, y *Scalar) {
 	var z64, x64, y64 scalar64
-	prod := (&[_N + 1]uint64{})[:]
 	x64.fromScalar(x)
 	y64.fromScalar(y)
+	coremul(&z64, &x64, &y64)
+	z64.modOrder()
+	z64.toScalar(z)
+}
+
+func coremul(z64, x64, y64 *scalar64) {
+	var p64 scalar64
+	prod := (&[_N + 1]uint64{})[:]
 	mulWord(prod, x64[:], y64[_N-1])
-	copy(z64[:], prod[:_N])
-	z64.reduceOneWord(prod[_N])
+	copy(p64[:], prod[:_N])
+	p64.reduceOneWord(prod[_N])
 	for i := _N - 2; i >= 0; i-- {
-		h := z64.leftShift(0)
-		z64.reduceOneWord(h)
+		h := p64.leftShift(0)
+		p64.reduceOneWord(h)
 		mulWord(prod, x64[:], y64[i])
-		c := add(z64[:], z64[:], prod[:_N])
-		z64.reduceOneWord(prod[_N] + c)
+		c := add(p64[:], p64[:], prod[:_N])
+		p64.reduceOneWord(prod[_N] + c)
 	}
-	z64.modOrder()
-	z64.toScalar(z)
+	*z64 = p64
 }
 
 // Inv calculates z = 1/x mod order.
 func (z *Scalar) Inv(x *Scalar) {
-	var t, r Scalar
-	_, _ = rand.Read(r[:])
-	r.Red()
-	t.Mul(x, &r)
-	bigT := conv.BytesLe2BigInt(t[:])
-	bigOrder := conv.BytesLe2BigInt(order[:])
-	bigT.ModInverse(bigT, bigOrder)
-	conv.BigInt2BytesLe(z[:], bigT)
-	z.Mul(z, &r)
+	var x64 scalar64
+	x64.fromScalar(x)
+	t := &scalar64{1}
+	for i := 8*len(orderMinusTwo) - 1; i >= 0; i-- {
+		coremul(t, t, t)
+		b := (orderMinusTwo[i/8] >> uint(i%8)) & 1
+		if b != 0 {
+			coremul(t, t, &x64)
+		}
+	}
+	t.modOrder()
+	t.toScalar(z)
 }