summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libcrypto/bn/s2n_bignum.h845
-rw-r--r--src/lib/libcrypto/bn/s2n_bignum_internal.h17
2 files changed, 862 insertions, 0 deletions
diff --git a/src/lib/libcrypto/bn/s2n_bignum.h b/src/lib/libcrypto/bn/s2n_bignum.h
new file mode 100644
index 0000000000..d0c1df66eb
--- /dev/null
+++ b/src/lib/libcrypto/bn/s2n_bignum.h
@@ -0,0 +1,845 @@
1// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2// SPDX-License-Identifier: Apache-2.0 OR ISC
3
4// ----------------------------------------------------------------------------
5// C prototypes for s2n-bignum functions, so you can use them in C programs via
6//
7// #include "s2n-bignum.h"
8//
9// The functions are listed in alphabetical order with a brief description
10// in comments for each one. For more detailed documentation see the comment
11// banner at the top of the corresponding assembly (.S) file, and
12// for the last word in what properties it satisfies see the spec in the
13// formal proof (the .ml file in the architecture-specific directory).
14//
15// For some functions there are additional variants with names ending in
16// "_alt". These have the same core mathematical functionality as their
17// non-"alt" versions, but can be better suited to some microarchitectures:
18//
19// - On x86, the "_alt" forms avoid BMI and ADX instruction set
20// extensions, so will run on any x86_64 machine, even older ones
21//
22// - On ARM, the "_alt" forms target machines with higher multiplier
23// throughput, generally offering higher performance there.
24// ----------------------------------------------------------------------------
25
26// Add, z := x + y
27// Inputs x[m], y[n]; outputs function return (carry-out) and z[p]
28extern uint64_t bignum_add (uint64_t p, uint64_t *z, uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
29
30// Add modulo p_25519, z := (x + y) mod p_25519, assuming x and y reduced
31// Inputs x[4], y[4]; output z[4]
32extern void bignum_add_p25519 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
33
34// Add modulo p_256, z := (x + y) mod p_256, assuming x and y reduced
35// Inputs x[4], y[4]; output z[4]
36extern void bignum_add_p256 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
37
38// Add modulo p_256k1, z := (x + y) mod p_256k1, assuming x and y reduced
39// Inputs x[4], y[4]; output z[4]
40extern void bignum_add_p256k1 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
41
42// Add modulo p_384, z := (x + y) mod p_384, assuming x and y reduced
43// Inputs x[6], y[6]; output z[6]
44extern void bignum_add_p384 (uint64_t z[static 6], uint64_t x[static 6], uint64_t y[static 6]);
45
46// Add modulo p_521, z := (x + y) mod p_521, assuming x and y reduced
47// Inputs x[9], y[9]; output z[9]
48extern void bignum_add_p521 (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
49
50// Compute "amontification" constant z :== 2^{128k} (congruent mod m)
51// Input m[k]; output z[k]; temporary buffer t[>=k]
52extern void bignum_amontifier (uint64_t k, uint64_t *z, uint64_t *m, uint64_t *t);
53
54// Almost-Montgomery multiply, z :== (x * y / 2^{64k}) (congruent mod m)
55// Inputs x[k], y[k], m[k]; output z[k]
56extern void bignum_amontmul (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y, uint64_t *m);
57
58// Almost-Montgomery reduce, z :== (x' / 2^{64p}) (congruent mod m)
59// Inputs x[n], m[k], p; output z[k]
60extern void bignum_amontredc (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t *m, uint64_t p);
61
62// Almost-Montgomery square, z :== (x^2 / 2^{64k}) (congruent mod m)
63// Inputs x[k], m[k]; output z[k]
64extern void bignum_amontsqr (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *m);
65
66// Convert 4-digit (256-bit) bignum to/from big-endian form
67// Input x[4]; output z[4]
68extern void bignum_bigendian_4 (uint64_t z[static 4], uint64_t x[static 4]);
69
70// Convert 6-digit (384-bit) bignum to/from big-endian form
71// Input x[6]; output z[6]
72extern void bignum_bigendian_6 (uint64_t z[static 6], uint64_t x[static 6]);
73
74// Select bitfield starting at bit n with length l <= 64
75// Inputs x[k], n, l; output function return
76extern uint64_t bignum_bitfield (uint64_t k, uint64_t *x, uint64_t n, uint64_t l);
77
78// Return size of bignum in bits
79// Input x[k]; output function return
80extern uint64_t bignum_bitsize (uint64_t k, uint64_t *x);
81
82// Divide by a single (nonzero) word, z := x / m and return x mod m
83// Inputs x[n], m; outputs function return (remainder) and z[k]
84extern uint64_t bignum_cdiv (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t m);
85
86// Divide by a single word, z := x / m when known to be exact
87// Inputs x[n], m; output z[k]
88extern void bignum_cdiv_exact (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t m);
89
90// Count leading zero digits (64-bit words)
91// Input x[k]; output function return
92extern uint64_t bignum_cld (uint64_t k, uint64_t *x);
93
94// Count leading zero bits
95// Input x[k]; output function return
96extern uint64_t bignum_clz (uint64_t k, uint64_t *x);
97
98// Multiply-add with single-word multiplier, z := z + c * y
99// Inputs c, y[n]; outputs function return (carry-out) and z[k]
100extern uint64_t bignum_cmadd (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y);
101
102// Negated multiply-add with single-word multiplier, z := z - c * y
103// Inputs c, y[n]; outputs function return (negative carry-out) and z[k]
104extern uint64_t bignum_cmnegadd (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y);
105
106// Find modulus of bignum w.r.t. single nonzero word m, returning x mod m
107// Input x[k], m; output function return
108extern uint64_t bignum_cmod (uint64_t k, uint64_t *x, uint64_t m);
109
110// Multiply by a single word, z := c * y
111// Inputs c, y[n]; outputs function return (carry-out) and z[k]
112extern uint64_t bignum_cmul (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y);
113
114// Multiply by a single word modulo p_25519, z := (c * x) mod p_25519, assuming x reduced
115// Inputs c, x[4]; output z[4]
116extern void bignum_cmul_p25519 (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
117extern void bignum_cmul_p25519_alt (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
118
119// Multiply by a single word modulo p_256, z := (c * x) mod p_256, assuming x reduced
120// Inputs c, x[4]; output z[4]
121extern void bignum_cmul_p256 (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
122extern void bignum_cmul_p256_alt (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
123
124// Multiply by a single word modulo p_256k1, z := (c * x) mod p_256k1, assuming x reduced
125// Inputs c, x[4]; output z[4]
126extern void bignum_cmul_p256k1 (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
127extern void bignum_cmul_p256k1_alt (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
128
129// Multiply by a single word modulo p_384, z := (c * x) mod p_384, assuming x reduced
130// Inputs c, x[6]; output z[6]
131extern void bignum_cmul_p384 (uint64_t z[static 6], uint64_t c, uint64_t x[static 6]);
132extern void bignum_cmul_p384_alt (uint64_t z[static 6], uint64_t c, uint64_t x[static 6]);
133
134// Multiply by a single word modulo p_521, z := (c * x) mod p_521, assuming x reduced
135// Inputs c, x[9]; output z[9]
136extern void bignum_cmul_p521 (uint64_t z[static 9], uint64_t c, uint64_t x[static 9]);
137extern void bignum_cmul_p521_alt (uint64_t z[static 9], uint64_t c, uint64_t x[static 9]);
138
139// Test bignums for coprimality, gcd(x,y) = 1
140// Inputs x[m], y[n]; output function return; temporary buffer t[>=2*max(m,n)]
141extern uint64_t bignum_coprime (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y, uint64_t *t);
142
143// Copy bignum with zero-extension or truncation, z := x
144// Input x[n]; output z[k]
145extern void bignum_copy (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x);
146
147// Count trailing zero digits (64-bit words)
148// Input x[k]; output function return
149extern uint64_t bignum_ctd (uint64_t k, uint64_t *x);
150
151// Count trailing zero bits
152// Input x[k]; output function return
153extern uint64_t bignum_ctz (uint64_t k, uint64_t *x);
154
155// Convert from almost-Montgomery form, z := (x / 2^256) mod p_256
156// Input x[4]; output z[4]
157extern void bignum_deamont_p256 (uint64_t z[static 4], uint64_t x[static 4]);
158extern void bignum_deamont_p256_alt (uint64_t z[static 4], uint64_t x[static 4]);
159
160// Convert from almost-Montgomery form, z := (x / 2^256) mod p_256k1
161// Input x[4]; output z[4]
162extern void bignum_deamont_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
163
164// Convert from almost-Montgomery form, z := (x / 2^384) mod p_384
165// Input x[6]; output z[6]
166extern void bignum_deamont_p384 (uint64_t z[static 6], uint64_t x[static 6]);
167extern void bignum_deamont_p384_alt (uint64_t z[static 6], uint64_t x[static 6]);
168
169// Convert from almost-Montgomery form z := (x / 2^576) mod p_521
170// Input x[9]; output z[9]
171extern void bignum_deamont_p521 (uint64_t z[static 9], uint64_t x[static 9]);
172
173// Convert from (almost-)Montgomery form z := (x / 2^{64k}) mod m
174// Inputs x[k], m[k]; output z[k]
175extern void bignum_demont (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *m);
176
177// Convert from Montgomery form z := (x / 2^256) mod p_256, assuming x reduced
178// Input x[4]; output z[4]
179extern void bignum_demont_p256 (uint64_t z[static 4], uint64_t x[static 4]);
180extern void bignum_demont_p256_alt (uint64_t z[static 4], uint64_t x[static 4]);
181
182// Convert from Montgomery form z := (x / 2^256) mod p_256k1, assuming x reduced
183// Input x[4]; output z[4]
184extern void bignum_demont_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
185
186// Convert from Montgomery form z := (x / 2^384) mod p_384, assuming x reduced
187// Input x[6]; output z[6]
188extern void bignum_demont_p384 (uint64_t z[static 6], uint64_t x[static 6]);
189extern void bignum_demont_p384_alt (uint64_t z[static 6], uint64_t x[static 6]);
190
191// Convert from Montgomery form z := (x / 2^576) mod p_521, assuming x reduced
192// Input x[9]; output z[9]
193extern void bignum_demont_p521 (uint64_t z[static 9], uint64_t x[static 9]);
194
195// Select digit x[n]
196// Inputs x[k], n; output function return
197extern uint64_t bignum_digit (uint64_t k, uint64_t *x, uint64_t n);
198
199// Return size of bignum in digits (64-bit word)
200// Input x[k]; output function return
201extern uint64_t bignum_digitsize (uint64_t k, uint64_t *x);
202
203// Divide bignum by 10: z' := z div 10, returning remainder z mod 10
204// Inputs z[k]; outputs function return (remainder) and z[k]
205extern uint64_t bignum_divmod10 (uint64_t k, uint64_t *z);
206
207// Double modulo p_25519, z := (2 * x) mod p_25519, assuming x reduced
208// Input x[4]; output z[4]
209extern void bignum_double_p25519 (uint64_t z[static 4], uint64_t x[static 4]);
210
211// Double modulo p_256, z := (2 * x) mod p_256, assuming x reduced
212// Input x[4]; output z[4]
213extern void bignum_double_p256 (uint64_t z[static 4], uint64_t x[static 4]);
214
215// Double modulo p_256k1, z := (2 * x) mod p_256k1, assuming x reduced
216// Input x[4]; output z[4]
217extern void bignum_double_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
218
219// Double modulo p_384, z := (2 * x) mod p_384, assuming x reduced
220// Input x[6]; output z[6]
221extern void bignum_double_p384 (uint64_t z[static 6], uint64_t x[static 6]);
222
223// Double modulo p_521, z := (2 * x) mod p_521, assuming x reduced
224// Input x[9]; output z[9]
225extern void bignum_double_p521 (uint64_t z[static 9], uint64_t x[static 9]);
226
227// Extended Montgomery reduce, returning results in input-output buffer
228// Inputs z[2*k], m[k], w; outputs function return (extra result bit) and z[2*k]
229extern uint64_t bignum_emontredc (uint64_t k, uint64_t *z, uint64_t *m, uint64_t w);
230
231// Extended Montgomery reduce in 8-digit blocks, results in input-output buffer
232// Inputs z[2*k], m[k], w; outputs function return (extra result bit) and z[2*k]
233extern uint64_t bignum_emontredc_8n (uint64_t k, uint64_t *z, uint64_t *m, uint64_t w);
234
235// Test bignums for equality, x = y
236// Inputs x[m], y[n]; output function return
237extern uint64_t bignum_eq (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
238
239// Test bignum for even-ness
240// Input x[k]; output function return
241extern uint64_t bignum_even (uint64_t k, uint64_t *x);
242
243// Convert 4-digit (256-bit) bignum from big-endian bytes
244// Input x[32] (bytes); output z[4]
245extern void bignum_frombebytes_4 (uint64_t z[static 4], uint8_t x[static 32]);
246
247// Convert 6-digit (384-bit) bignum from big-endian bytes
248// Input x[48] (bytes); output z[6]
249extern void bignum_frombebytes_6 (uint64_t z[static 6], uint8_t x[static 48]);
250
251// Convert 4-digit (256-bit) bignum from little-endian bytes
252// Input x[32] (bytes); output z[4]
253extern void bignum_fromlebytes_4 (uint64_t z[static 4], uint8_t x[static 32]);
254
255// Convert 6-digit (384-bit) bignum from little-endian bytes
256// Input x[48] (bytes); output z[6]
257extern void bignum_fromlebytes_6 (uint64_t z[static 6], uint8_t x[static 48]);
258
259// Convert little-endian bytes to 9-digit 528-bit bignum
260// Input x[66] (bytes); output z[9]
261extern void bignum_fromlebytes_p521 (uint64_t z[static 9],uint8_t x[static 66]);
262
263// Compare bignums, x >= y
264// Inputs x[m], y[n]; output function return
265extern uint64_t bignum_ge (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
266
267// Compare bignums, x > y
268// Inputs x[m], y[n]; output function return
269extern uint64_t bignum_gt (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
270
271// Halve modulo p_256, z := (x / 2) mod p_256, assuming x reduced
272// Input x[4]; output z[4]
273extern void bignum_half_p256 (uint64_t z[static 4], uint64_t x[static 4]);
274
275// Halve modulo p_256k1, z := (x / 2) mod p_256k1, assuming x reduced
276// Input x[4]; output z[4]
277extern void bignum_half_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
278
279// Halve modulo p_384, z := (x / 2) mod p_384, assuming x reduced
280// Input x[6]; output z[6]
281extern void bignum_half_p384 (uint64_t z[static 6], uint64_t x[static 6]);
282
283// Halve modulo p_521, z := (x / 2) mod p_521, assuming x reduced
284// Input x[9]; output z[9]
285extern void bignum_half_p521 (uint64_t z[static 9], uint64_t x[static 9]);
286
287// Test bignum for zero-ness, x = 0
288// Input x[k]; output function return
289extern uint64_t bignum_iszero (uint64_t k, uint64_t *x);
290
291// Multiply z := x * y
292// Inputs x[16], y[16]; output z[32]; temporary buffer t[>=32]
293extern void bignum_kmul_16_32 (uint64_t z[static 32], uint64_t x[static 16], uint64_t y[static 16], uint64_t t[static 32]);
294
295// Multiply z := x * y
296// Inputs x[32], y[32]; output z[64]; temporary buffer t[>=96]
297extern void bignum_kmul_32_64 (uint64_t z[static 64], uint64_t x[static 32], uint64_t y[static 32], uint64_t t[static 96]);
298
299// Square, z := x^2
300// Input x[16]; output z[32]; temporary buffer t[>=24]
301extern void bignum_ksqr_16_32 (uint64_t z[static 32], uint64_t x[static 16], uint64_t t[static 24]);
302
303// Square, z := x^2
304// Input x[32]; output z[64]; temporary buffer t[>=72]
305extern void bignum_ksqr_32_64 (uint64_t z[static 64], uint64_t x[static 32], uint64_t t[static 72]);
306
307// Compare bignums, x <= y
308// Inputs x[m], y[n]; output function return
309extern uint64_t bignum_le (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
310
311// Convert 4-digit (256-bit) bignum to/from little-endian form
312// Input x[4]; output z[4]
313extern void bignum_littleendian_4 (uint64_t z[static 4], uint64_t x[static 4]);
314
315// Convert 6-digit (384-bit) bignum to/from little-endian form
316// Input x[6]; output z[6]
317extern void bignum_littleendian_6 (uint64_t z[static 6], uint64_t x[static 6]);
318
319// Compare bignums, x < y
320// Inputs x[m], y[n]; output function return
321extern uint64_t bignum_lt (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
322
323// Multiply-add, z := z + x * y
324// Inputs x[m], y[n]; outputs function return (carry-out) and z[k]
325extern uint64_t bignum_madd (uint64_t k, uint64_t *z, uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
326
327// Reduce modulo group order, z := x mod n_256
328// Input x[k]; output z[4]
329extern void bignum_mod_n256 (uint64_t z[static 4], uint64_t k, uint64_t *x);
330extern void bignum_mod_n256_alt (uint64_t z[static 4], uint64_t k, uint64_t *x);
331
332// Reduce modulo group order, z := x mod n_256
333// Input x[4]; output z[4]
334extern void bignum_mod_n256_4 (uint64_t z[static 4], uint64_t x[static 4]);
335
336// Reduce modulo group order, z := x mod n_256k1
337// Input x[4]; output z[4]
338extern void bignum_mod_n256k1_4 (uint64_t z[static 4], uint64_t x[static 4]);
339
340// Reduce modulo group order, z := x mod n_384
341// Input x[k]; output z[6]
342extern void bignum_mod_n384 (uint64_t z[static 6], uint64_t k, uint64_t *x);
343extern void bignum_mod_n384_alt (uint64_t z[static 6], uint64_t k, uint64_t *x);
344
345// Reduce modulo group order, z := x mod n_384
346// Input x[6]; output z[6]
347extern void bignum_mod_n384_6 (uint64_t z[static 6], uint64_t x[static 6]);
348
349// Reduce modulo group order, z := x mod n_521
350// Input x[9]; output z[9]
351extern void bignum_mod_n521_9 (uint64_t z[static 9], uint64_t x[static 9]);
352extern void bignum_mod_n521_9_alt (uint64_t z[static 9], uint64_t x[static 9]);
353
354// Reduce modulo field characteristic, z := x mod p_25519
355// Input x[4]; output z[4]
356extern void bignum_mod_p25519_4 (uint64_t z[static 4], uint64_t x[static 4]);
357
358// Reduce modulo field characteristic, z := x mod p_256
359// Input x[k]; output z[4]
360extern void bignum_mod_p256 (uint64_t z[static 4], uint64_t k, uint64_t *x);
361extern void bignum_mod_p256_alt (uint64_t z[static 4], uint64_t k, uint64_t *x);
362
363// Reduce modulo field characteristic, z := x mod p_256
364// Input x[4]; output z[4]
365extern void bignum_mod_p256_4 (uint64_t z[static 4], uint64_t x[static 4]);
366
367// Reduce modulo field characteristic, z := x mod p_256k1
368// Input x[4]; output z[4]
369extern void bignum_mod_p256k1_4 (uint64_t z[static 4], uint64_t x[static 4]);
370
371// Reduce modulo field characteristic, z := x mod p_384
372// Input x[k]; output z[6]
373extern void bignum_mod_p384 (uint64_t z[static 6], uint64_t k, uint64_t *x);
374extern void bignum_mod_p384_alt (uint64_t z[static 6], uint64_t k, uint64_t *x);
375
376// Reduce modulo field characteristic, z := x mod p_384
377// Input x[6]; output z[6]
378extern void bignum_mod_p384_6 (uint64_t z[static 6], uint64_t x[static 6]);
379
380// Reduce modulo field characteristic, z := x mod p_521
381// Input x[9]; output z[9]
382extern void bignum_mod_p521_9 (uint64_t z[static 9], uint64_t x[static 9]);
383
384// Add modulo m, z := (x + y) mod m, assuming x and y reduced
385// Inputs x[k], y[k], m[k]; output z[k]
386extern void bignum_modadd (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y, uint64_t *m);
387
388// Double modulo m, z := (2 * x) mod m, assuming x reduced
389// Inputs x[k], m[k]; output z[k]
390extern void bignum_moddouble (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *m);
391
392// Compute "modification" constant z := 2^{64k} mod m
393// Input m[k]; output z[k]; temporary buffer t[>=k]
394extern void bignum_modifier (uint64_t k, uint64_t *z, uint64_t *m, uint64_t *t);
395
396// Invert modulo m, z = (1/a) mod b, assuming b is an odd number > 1, a coprime to b
397// Inputs a[k], b[k]; output z[k]; temporary buffer t[>=3*k]
398extern void bignum_modinv (uint64_t k, uint64_t *z, uint64_t *a, uint64_t *b, uint64_t *t);
399
400// Optionally negate modulo m, z := (-x) mod m (if p nonzero) or z := x (if p zero), assuming x reduced
401// Inputs p, x[k], m[k]; output z[k]
402extern void bignum_modoptneg (uint64_t k, uint64_t *z, uint64_t p, uint64_t *x, uint64_t *m);
403
404// Subtract modulo m, z := (x - y) mod m, assuming x and y reduced
405// Inputs x[k], y[k], m[k]; output z[k]
406extern void bignum_modsub (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y, uint64_t *m);
407
408// Compute "montification" constant z := 2^{128k} mod m
409// Input m[k]; output z[k]; temporary buffer t[>=k]
410extern void bignum_montifier (uint64_t k, uint64_t *z, uint64_t *m, uint64_t *t);
411
412// Montgomery multiply, z := (x * y / 2^{64k}) mod m
413// Inputs x[k], y[k], m[k]; output z[k]
414extern void bignum_montmul (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y, uint64_t *m);
415
416// Montgomery multiply, z := (x * y / 2^256) mod p_256
417// Inputs x[4], y[4]; output z[4]
418extern void bignum_montmul_p256 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
419extern void bignum_montmul_p256_alt (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
420
421// Montgomery multiply, z := (x * y / 2^256) mod p_256k1
422// Inputs x[4], y[4]; output z[4]
423extern void bignum_montmul_p256k1 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
424extern void bignum_montmul_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
425
426// Montgomery multiply, z := (x * y / 2^384) mod p_384
427// Inputs x[6], y[6]; output z[6]
428extern void bignum_montmul_p384 (uint64_t z[static 6], uint64_t x[static 6], uint64_t y[static 6]);
429extern void bignum_montmul_p384_alt (uint64_t z[static 6], uint64_t x[static 6], uint64_t y[static 6]);
430
431// Montgomery multiply, z := (x * y / 2^576) mod p_521
432// Inputs x[9], y[9]; output z[9]
433extern void bignum_montmul_p521 (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
434extern void bignum_montmul_p521_alt (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
435
436// Montgomery reduce, z := (x' / 2^{64p}) MOD m
437// Inputs x[n], m[k], p; output z[k]
438extern void bignum_montredc (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t *m, uint64_t p);
439
440// Montgomery square, z := (x^2 / 2^{64k}) mod m
441// Inputs x[k], m[k]; output z[k]
442extern void bignum_montsqr (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *m);
443
444// Montgomery square, z := (x^2 / 2^256) mod p_256
445// Input x[4]; output z[4]
446extern void bignum_montsqr_p256 (uint64_t z[static 4], uint64_t x[static 4]);
447extern void bignum_montsqr_p256_alt (uint64_t z[static 4], uint64_t x[static 4]);
448
449// Montgomery square, z := (x^2 / 2^256) mod p_256k1
450// Input x[4]; output z[4]
451extern void bignum_montsqr_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
452extern void bignum_montsqr_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4]);
453
454// Montgomery square, z := (x^2 / 2^384) mod p_384
455// Input x[6]; output z[6]
456extern void bignum_montsqr_p384 (uint64_t z[static 6], uint64_t x[static 6]);
457extern void bignum_montsqr_p384_alt (uint64_t z[static 6], uint64_t x[static 6]);
458
459// Montgomery square, z := (x^2 / 2^576) mod p_521
460// Input x[9]; output z[9]
461extern void bignum_montsqr_p521 (uint64_t z[static 9], uint64_t x[static 9]);
462extern void bignum_montsqr_p521_alt (uint64_t z[static 9], uint64_t x[static 9]);
463
464// Multiply z := x * y
465// Inputs x[m], y[n]; output z[k]
466extern void bignum_mul (uint64_t k, uint64_t *z, uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
467
468// Multiply z := x * y
469// Inputs x[4], y[4]; output z[8]
470extern void bignum_mul_4_8 (uint64_t z[static 8], uint64_t x[static 4], uint64_t y[static 4]);
471extern void bignum_mul_4_8_alt (uint64_t z[static 8], uint64_t x[static 4], uint64_t y[static 4]);
472
473// Multiply z := x * y
474// Inputs x[6], y[6]; output z[12]
475extern void bignum_mul_6_12 (uint64_t z[static 12], uint64_t x[static 6], uint64_t y[static 6]);
476extern void bignum_mul_6_12_alt (uint64_t z[static 12], uint64_t x[static 6], uint64_t y[static 6]);
477
478// Multiply z := x * y
479// Inputs x[8], y[8]; output z[16]
480extern void bignum_mul_8_16 (uint64_t z[static 16], uint64_t x[static 8], uint64_t y[static 8]);
481extern void bignum_mul_8_16_alt (uint64_t z[static 16], uint64_t x[static 8], uint64_t y[static 8]);
482
483// Multiply modulo p_25519, z := (x * y) mod p_25519
484// Inputs x[4], y[4]; output z[4]
485extern void bignum_mul_p25519 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
486extern void bignum_mul_p25519_alt (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
487
488// Multiply modulo p_256k1, z := (x * y) mod p_256k1
489// Inputs x[4], y[4]; output z[4]
490extern void bignum_mul_p256k1 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
491extern void bignum_mul_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
492
493// Multiply modulo p_521, z := (x * y) mod p_521, assuming x and y reduced
494// Inputs x[9], y[9]; output z[9]
495extern void bignum_mul_p521 (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
496extern void bignum_mul_p521_alt (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
497
498// Multiply bignum by 10 and add word: z := 10 * z + d
499// Inputs z[k], d; outputs function return (carry) and z[k]
500extern uint64_t bignum_muladd10 (uint64_t k, uint64_t *z, uint64_t d);
501
502// Multiplex/select z := x (if p nonzero) or z := y (if p zero)
503// Inputs p, x[k], y[k]; output z[k]
504extern void bignum_mux (uint64_t p, uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y);
505
506// 256-bit multiplex/select z := x (if p nonzero) or z := y (if p zero)
507// Inputs p, x[4], y[4]; output z[4]
508extern void bignum_mux_4 (uint64_t p, uint64_t z[static 4],uint64_t x[static 4], uint64_t y[static 4]);
509
510// 384-bit multiplex/select z := x (if p nonzero) or z := y (if p zero)
511// Inputs p, x[6], y[6]; output z[6]
512extern void bignum_mux_6 (uint64_t p, uint64_t z[static 6],uint64_t x[static 6], uint64_t y[static 6]);
513
514// Select element from 16-element table, z := xs[k*i]
515// Inputs xs[16*k], i; output z[k]
516extern void bignum_mux16 (uint64_t k, uint64_t *z, uint64_t *xs, uint64_t i);
517
518// Negate modulo p_25519, z := (-x) mod p_25519, assuming x reduced
519// Input x[4]; output z[4]
520extern void bignum_neg_p25519 (uint64_t z[static 4], uint64_t x[static 4]);
521
522// Negate modulo p_256, z := (-x) mod p_256, assuming x reduced
523// Input x[4]; output z[4]
524extern void bignum_neg_p256 (uint64_t z[static 4], uint64_t x[static 4]);
525
526// Negate modulo p_256k1, z := (-x) mod p_256k1, assuming x reduced
527// Input x[4]; output z[4]
528extern void bignum_neg_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
529
530// Negate modulo p_384, z := (-x) mod p_384, assuming x reduced
531// Input x[6]; output z[6]
532extern void bignum_neg_p384 (uint64_t z[static 6], uint64_t x[static 6]);
533
534// Negate modulo p_521, z := (-x) mod p_521, assuming x reduced
535// Input x[9]; output z[9]
536extern void bignum_neg_p521 (uint64_t z[static 9], uint64_t x[static 9]);
537
538// Negated modular inverse, z := (-1/x) mod 2^{64k}
539// Input x[k]; output z[k]
540extern void bignum_negmodinv (uint64_t k, uint64_t *z, uint64_t *x);
541
542// Test bignum for nonzero-ness x =/= 0
543// Input x[k]; output function return
544extern uint64_t bignum_nonzero (uint64_t k, uint64_t *x);
545
546// Test 256-bit bignum for nonzero-ness x =/= 0
547// Input x[4]; output function return
548extern uint64_t bignum_nonzero_4(uint64_t x[static 4]);
549
550// Test 384-bit bignum for nonzero-ness x =/= 0
551// Input x[6]; output function return
552extern uint64_t bignum_nonzero_6(uint64_t x[static 6]);
553
554// Normalize bignum in-place by shifting left till top bit is 1
555// Input z[k]; outputs function return (bits shifted left) and z[k]
556extern uint64_t bignum_normalize (uint64_t k, uint64_t *z);
557
558// Test bignum for odd-ness
559// Input x[k]; output function return
560extern uint64_t bignum_odd (uint64_t k, uint64_t *x);
561
562// Convert single digit to bignum, z := n
563// Input n; output z[k]
564extern void bignum_of_word (uint64_t k, uint64_t *z, uint64_t n);
565
566// Optionally add, z := x + y (if p nonzero) or z := x (if p zero)
567// Inputs x[k], p, y[k]; outputs function return (carry-out) and z[k]
568extern uint64_t bignum_optadd (uint64_t k, uint64_t *z, uint64_t *x, uint64_t p, uint64_t *y);
569
570// Optionally negate, z := -x (if p nonzero) or z := x (if p zero)
571// Inputs p, x[k]; outputs function return (nonzero input) and z[k]
572extern uint64_t bignum_optneg (uint64_t k, uint64_t *z, uint64_t p, uint64_t *x);
573
574// Optionally negate modulo p_25519, z := (-x) mod p_25519 (if p nonzero) or z := x (if p zero), assuming x reduced
575// Inputs p, x[4]; output z[4]
576extern void bignum_optneg_p25519 (uint64_t z[static 4], uint64_t p, uint64_t x[static 4]);
577
578// Optionally negate modulo p_256, z := (-x) mod p_256 (if p nonzero) or z := x (if p zero), assuming x reduced
579// Inputs p, x[4]; output z[4]
580extern void bignum_optneg_p256 (uint64_t z[static 4], uint64_t p, uint64_t x[static 4]);
581
582// Optionally negate modulo p_256k1, z := (-x) mod p_256k1 (if p nonzero) or z := x (if p zero), assuming x reduced
583// Inputs p, x[4]; output z[4]
584extern void bignum_optneg_p256k1 (uint64_t z[static 4], uint64_t p, uint64_t x[static 4]);
585
586// Optionally negate modulo p_384, z := (-x) mod p_384 (if p nonzero) or z := x (if p zero), assuming x reduced
587// Inputs p, x[6]; output z[6]
588extern void bignum_optneg_p384 (uint64_t z[static 6], uint64_t p, uint64_t x[static 6]);
589
590// Optionally negate modulo p_521, z := (-x) mod p_521 (if p nonzero) or z := x (if p zero), assuming x reduced
591// Inputs p, x[9]; output z[9]
592extern void bignum_optneg_p521 (uint64_t z[static 9], uint64_t p, uint64_t x[static 9]);
593
594// Optionally subtract, z := x - y (if p nonzero) or z := x (if p zero)
595// Inputs x[k], p, y[k]; outputs function return (carry-out) and z[k]
596extern uint64_t bignum_optsub (uint64_t k, uint64_t *z, uint64_t *x, uint64_t p, uint64_t *y);
597
598// Optionally subtract or add, z := x + sgn(p) * y interpreting p as signed
599// Inputs x[k], p, y[k]; outputs function return (carry-out) and z[k]
600extern uint64_t bignum_optsubadd (uint64_t k, uint64_t *z, uint64_t *x, uint64_t p, uint64_t *y);
601
602// Return bignum of power of 2, z := 2^n
603// Input n; output z[k]
604extern void bignum_pow2 (uint64_t k, uint64_t *z, uint64_t n);
605
606// Shift bignum left by c < 64 bits z := x * 2^c
607// Inputs x[n], c; outputs function return (carry-out) and z[k]
608extern uint64_t bignum_shl_small (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t c);
609
610// Shift bignum right by c < 64 bits z := floor(x / 2^c)
611// Inputs x[n], c; outputs function return (bits shifted out) and z[k]
612extern uint64_t bignum_shr_small (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t c);
613
614// Square, z := x^2
615// Input x[n]; output z[k]
616extern void bignum_sqr (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x);
617
618// Square, z := x^2
619// Input x[4]; output z[8]
620extern void bignum_sqr_4_8 (uint64_t z[static 8], uint64_t x[static 4]);
621extern void bignum_sqr_4_8_alt (uint64_t z[static 8], uint64_t x[static 4]);
622
623// Square, z := x^2
624// Input x[6]; output z[12]
625extern void bignum_sqr_6_12 (uint64_t z[static 12], uint64_t x[static 6]);
626extern void bignum_sqr_6_12_alt (uint64_t z[static 12], uint64_t x[static 6]);
627
628// Square, z := x^2
629// Input x[8]; output z[16]
630extern void bignum_sqr_8_16 (uint64_t z[static 16], uint64_t x[static 8]);
631extern void bignum_sqr_8_16_alt (uint64_t z[static 16], uint64_t x[static 8]);
632
633// Square modulo p_25519, z := (x^2) mod p_25519
634// Input x[4]; output z[4]
635extern void bignum_sqr_p25519 (uint64_t z[static 4], uint64_t x[static 4]);
636extern void bignum_sqr_p25519_alt (uint64_t z[static 4], uint64_t x[static 4]);
637
638// Square modulo p_256k1, z := (x^2) mod p_256k1
639// Input x[4]; output z[4]
640extern void bignum_sqr_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
641extern void bignum_sqr_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4]);
642
643// Square modulo p_521, z := (x^2) mod p_521, assuming x reduced
644// Input x[9]; output z[9]
645extern void bignum_sqr_p521 (uint64_t z[static 9], uint64_t x[static 9]);
646extern void bignum_sqr_p521_alt (uint64_t z[static 9], uint64_t x[static 9]);
647
648// Subtract, z := x - y
649// Inputs x[m], y[n]; outputs function return (carry-out) and z[p]
650extern uint64_t bignum_sub (uint64_t p, uint64_t *z, uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
651
652// Subtract modulo p_25519, z := (x - y) mod p_25519, assuming x and y reduced
653// Inputs x[4], y[4]; output z[4]
654extern void bignum_sub_p25519 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
655
656// Subtract modulo p_256, z := (x - y) mod p_256, assuming x and y reduced
657// Inputs x[4], y[4]; output z[4]
658extern void bignum_sub_p256 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
659
660// Subtract modulo p_256k1, z := (x - y) mod p_256k1, assuming x and y reduced
661// Inputs x[4], y[4]; output z[4]
662extern void bignum_sub_p256k1 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
663
664// Subtract modulo p_384, z := (x - y) mod p_384, assuming x and y reduced
665// Inputs x[6], y[6]; output z[6]
666extern void bignum_sub_p384 (uint64_t z[static 6], uint64_t x[static 6], uint64_t y[static 6]);
667
668// Subtract modulo p_521, z := (x - y) mod p_521, assuming x and y reduced
669// Inputs x[9], y[9]; output z[9]
670extern void bignum_sub_p521 (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
671
672// Convert 4-digit (256-bit) bignum to big-endian bytes
673// Input x[4]; output z[32] (bytes)
674extern void bignum_tobebytes_4 (uint8_t z[static 32], uint64_t x[static 4]);
675
676// Convert 6-digit (384-bit) bignum to big-endian bytes
677// Input x[6]; output z[48] (bytes)
678extern void bignum_tobebytes_6 (uint8_t z[static 48], uint64_t x[static 6]);
679
680// Convert 4-digit (256-bit) bignum to little-endian bytes
681// Input x[4]; output z[32] (bytes)
682extern void bignum_tolebytes_4 (uint8_t z[static 32], uint64_t x[static 4]);
683
684// Convert 6-digit (384-bit) bignum to little-endian bytes
685// Input x[6]; output z[48] (bytes)
686extern void bignum_tolebytes_6 (uint8_t z[static 48], uint64_t x[static 6]);
687
688// Convert 9-digit 528-bit bignum to little-endian bytes
689// Input x[6]; output z[66] (bytes)
690extern void bignum_tolebytes_p521 (uint8_t z[static 66], uint64_t x[static 9]);
691
692// Convert to Montgomery form z := (2^256 * x) mod p_256
693// Input x[4]; output z[4]
694extern void bignum_tomont_p256 (uint64_t z[static 4], uint64_t x[static 4]);
695extern void bignum_tomont_p256_alt (uint64_t z[static 4], uint64_t x[static 4]);
696
697// Convert to Montgomery form z := (2^256 * x) mod p_256k1
698// Input x[4]; output z[4]
699extern void bignum_tomont_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
700extern void bignum_tomont_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4]);
701
702// Convert to Montgomery form z := (2^384 * x) mod p_384
703// Input x[6]; output z[6]
704extern void bignum_tomont_p384 (uint64_t z[static 6], uint64_t x[static 6]);
705extern void bignum_tomont_p384_alt (uint64_t z[static 6], uint64_t x[static 6]);
706
707// Convert to Montgomery form z := (2^576 * x) mod p_521
708// Input x[9]; output z[9]
709extern void bignum_tomont_p521 (uint64_t z[static 9], uint64_t x[static 9]);
710
711// Triple modulo p_256, z := (3 * x) mod p_256
712// Input x[4]; output z[4]
713extern void bignum_triple_p256 (uint64_t z[static 4], uint64_t x[static 4]);
714extern void bignum_triple_p256_alt (uint64_t z[static 4], uint64_t x[static 4]);
715
716// Triple modulo p_256k1, z := (3 * x) mod p_256k1
717// Input x[4]; output z[4]
718extern void bignum_triple_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
719extern void bignum_triple_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4]);
720
721// Triple modulo p_384, z := (3 * x) mod p_384
722// Input x[6]; output z[6]
723extern void bignum_triple_p384 (uint64_t z[static 6], uint64_t x[static 6]);
724extern void bignum_triple_p384_alt (uint64_t z[static 6], uint64_t x[static 6]);
725
726// Triple modulo p_521, z := (3 * x) mod p_521, assuming x reduced
727// Input x[9]; output z[9]
728extern void bignum_triple_p521 (uint64_t z[static 9], uint64_t x[static 9]);
729extern void bignum_triple_p521_alt (uint64_t z[static 9], uint64_t x[static 9]);
730
731// Montgomery ladder step for curve25519
732// Inputs point[8], pp[16], b; output rr[16]
733extern void curve25519_ladderstep(uint64_t rr[16],uint64_t point[8],uint64_t pp[16],uint64_t b);
734extern void curve25519_ladderstep_alt(uint64_t rr[16],uint64_t point[8],uint64_t pp[16],uint64_t b);
735
736// Projective scalar multiplication, x coordinate only, for curve25519
737// Inputs scalar[4], point[4]; output res[8]
738extern void curve25519_pxscalarmul(uint64_t res[static 8],uint64_t scalar[static 4],uint64_t point[static 4]);
739extern void curve25519_pxscalarmul_alt(uint64_t res[static 8],uint64_t scalar[static 4],uint64_t point[static 4]);
740
741// x25519 function for curve25519
742// Inputs scalar[4], point[4]; output res[4]
743extern void curve25519_x25519(uint64_t res[static 4],uint64_t scalar[static 4],uint64_t point[static 4]);
744extern void curve25519_x25519_alt(uint64_t res[static 4],uint64_t scalar[static 4],uint64_t point[static 4]);
745
746// x25519 function for curve25519 on base element 9
747// Input scalar[4]; output res[4]
748extern void curve25519_x25519base(uint64_t res[static 4],uint64_t scalar[static 4]);
749extern void curve25519_x25519base_alt(uint64_t res[static 4],uint64_t scalar[static 4]);
750
751// Extended projective addition for edwards25519
752// Inputs p1[16], p2[16]; output p3[16]
753extern void edwards25519_epadd(uint64_t p3[static 16],uint64_t p1[static 16],uint64_t p2[static 16]);
754extern void edwards25519_epadd_alt(uint64_t p3[static 16],uint64_t p1[static 16],uint64_t p2[static 16]);
755
756// Extended projective doubling for edwards25519
757// Inputs p1[12]; output p3[16]
758extern void edwards25519_epdouble(uint64_t p3[static 16],uint64_t p1[static 12]);
759extern void edwards25519_epdouble_alt(uint64_t p3[static 16],uint64_t p1[static 12]);
760
761// Projective doubling for edwards25519
762// Inputs p1[12]; output p3[12]
763extern void edwards25519_pdouble(uint64_t p3[static 12],uint64_t p1[static 12]);
764extern void edwards25519_pdouble_alt(uint64_t p3[static 12],uint64_t p1[static 12]);
765
766// Extended projective + precomputed mixed addition for edwards25519
767// Inputs p1[16], p2[12]; output p3[16]
768extern void edwards25519_pepadd(uint64_t p3[static 16],uint64_t p1[static 16],uint64_t p2[static 12]);
769extern void edwards25519_pepadd_alt(uint64_t p3[static 16],uint64_t p1[static 16],uint64_t p2[static 12]);
770
771// Point addition on NIST curve P-256 in Montgomery-Jacobian coordinates
772// Inputs p1[12], p2[12]; output p3[12]
773extern void p256_montjadd(uint64_t p3[static 12],uint64_t p1[static 12],uint64_t p2[static 12]);
774
775// Point doubling on NIST curve P-256 in Montgomery-Jacobian coordinates
776// Inputs p1[12]; output p3[12]
777extern void p256_montjdouble(uint64_t p3[static 12],uint64_t p1[static 12]);
778
779// Point mixed addition on NIST curve P-256 in Montgomery-Jacobian coordinates
780// Inputs p1[12], p2[8]; output p3[12]
781extern void p256_montjmixadd(uint64_t p3[static 12],uint64_t p1[static 12],uint64_t p2[static 8]);
782
783// Point addition on NIST curve P-384 in Montgomery-Jacobian coordinates
784// Inputs p1[18], p2[18]; output p3[18]
785extern void p384_montjadd(uint64_t p3[static 18],uint64_t p1[static 18],uint64_t p2[static 18]);
786
787// Point doubling on NIST curve P-384 in Montgomery-Jacobian coordinates
788// Inputs p1[18]; output p3[18]
789extern void p384_montjdouble(uint64_t p3[static 18],uint64_t p1[static 18]);
790
791// Point mixed addition on NIST curve P-384 in Montgomery-Jacobian coordinates
792// Inputs p1[18], p2[12]; output p3[18]
793extern void p384_montjmixadd(uint64_t p3[static 18],uint64_t p1[static 18],uint64_t p2[static 12]);
794
795// Point addition on NIST curve P-521 in Jacobian coordinates
796// Inputs p1[27], p2[27]; output p3[27]
797extern void p521_jadd(uint64_t p3[static 27],uint64_t p1[static 27],uint64_t p2[static 27]);
798
799// Point doubling on NIST curve P-521 in Jacobian coordinates
800// Input p1[27]; output p3[27]
801extern void p521_jdouble(uint64_t p3[static 27],uint64_t p1[static 27]);
802
803// Point mixed addition on NIST curve P-521 in Jacobian coordinates
804// Inputs p1[27], p2[18]; output p3[27]
805extern void p521_jmixadd(uint64_t p3[static 27],uint64_t p1[static 27],uint64_t p2[static 18]);
806
807// Point addition on SECG curve secp256k1 in Jacobian coordinates
808// Inputs p1[12], p2[12]; output p3[12]
809extern void secp256k1_jadd(uint64_t p3[static 12],uint64_t p1[static 12],uint64_t p2[static 12]);
810
811// Point doubling on SECG curve secp256k1 in Jacobian coordinates
812// Input p1[12]; output p3[12]
813extern void secp256k1_jdouble(uint64_t p3[static 12],uint64_t p1[static 12]);
814
815// Point mixed addition on SECG curve secp256k1 in Jacobian coordinates
816// Inputs p1[12], p2[8]; output p3[12]
817extern void secp256k1_jmixadd(uint64_t p3[static 12],uint64_t p1[static 12],uint64_t p2[static 8]);
818
819// Reverse the bytes in a single word
820// Input a; output function return
821extern uint64_t word_bytereverse (uint64_t a);
822
823// Count leading zero bits in a single word
824// Input a; output function return
825extern uint64_t word_clz (uint64_t a);
826
827// Count trailing zero bits in a single word
828// Input a; output function return
829extern uint64_t word_ctz (uint64_t a);
830
831// Return maximum of two unsigned 64-bit words
832// Inputs a, b; output function return
833extern uint64_t word_max (uint64_t a, uint64_t b);
834
835// Return minimum of two unsigned 64-bit words
836// Inputs a, b; output function return
837extern uint64_t word_min (uint64_t a, uint64_t b);
838
839// Single-word negated modular inverse (-1/a) mod 2^64
840// Input a; output function return
841extern uint64_t word_negmodinv (uint64_t a);
842
843// Single-word reciprocal, 2^64 + ret = ceil(2^128/a) - 1 if MSB of "a" is set
844// Input a; output function return
845extern uint64_t word_recip (uint64_t a);
diff --git a/src/lib/libcrypto/bn/s2n_bignum_internal.h b/src/lib/libcrypto/bn/s2n_bignum_internal.h
new file mode 100644
index 0000000000..ac675836f3
--- /dev/null
+++ b/src/lib/libcrypto/bn/s2n_bignum_internal.h
@@ -0,0 +1,17 @@
1
2#ifdef __APPLE__
3# define S2N_BN_SYMBOL(NAME) _##NAME
4#else
5# define S2N_BN_SYMBOL(name) name
6#endif
7
8#define S2N_BN_SYM_VISIBILITY_DIRECTIVE(name) .globl S2N_BN_SYMBOL(name)
9#ifdef S2N_BN_HIDE_SYMBOLS
10# ifdef __APPLE__
11# define S2N_BN_SYM_PRIVACY_DIRECTIVE(name) .private_extern S2N_BN_SYMBOL(name)
12# else
13# define S2N_BN_SYM_PRIVACY_DIRECTIVE(name) .hidden S2N_BN_SYMBOL(name)
14# endif
15#else
16# define S2N_BN_SYM_PRIVACY_DIRECTIVE(name) /* NO-OP: S2N_BN_SYM_PRIVACY_DIRECTIVE */
17#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-24 12:53:51 +0000