geFromBytesVartime_ static method

Decodes a 32-byte compressed Ed25519 point into the extended coordinates of `h`. Returns 0 on success and -1 if the encoding is rejected (non-canonical y, no square root for x, or x = 0 with the sign bit set). The suffix "Vartime" signals that execution time depends on the input, so this is intended for public data only.

int geFromBytesVartime_(
  GroupElementP3 h,
  List<int> s
)

Implementation

/// Decodes the 32-byte little-endian compressed point [s] into the extended
/// coordinates (X, Y, Z, T) of [h].
///
/// Appears to be a port of ref10's `fe_frombytes.c` combined with
/// `ge_frombytes_vartime` (the structure and the comments below match that
/// reference).
///
/// Returns 0 on success, -1 when the encoding is rejected. Three cases are
/// rejected:
///   * y is not canonical (the 255-bit value, sign bit cleared, is >= 2^255-19);
///   * no x satisfies the curve equation for this y (neither v*x^2 == u nor
///     v*x^2 == -u holds);
///   * x == 0 while the sign bit of [s] is set.
///
/// Security notes for callers:
///   * "Vartime": the branches below depend on the input bytes, so the running
///     time is data-dependent. Use only on public inputs (e.g. public keys,
///     points received over the wire), never on secret-derived data.
///   * This routine does NOT check that the decoded point has prime order /
///     lies in the prime-order subgroup; nothing here detects small-order or
///     mixed-order (torsion) points. Callers that need that property must
///     check it separately after decoding.
///   * The canonical-y check means each valid point has exactly one accepted
///     encoding, which matters wherever the bytes of a point are used as an
///     identity (key images, identifiers, hashing).
static int geFromBytesVartime_(GroupElementP3 h, List<int> s) {
  // NOTE(review): presumably asserts that s holds at least 32 entries; the
  // loads below read indices 0..31 and the sign read uses s[31]. Whether it
  // also enforces that each entry is a byte (0..255) is not visible here —
  // confirm, because the comparison with feIsnegative at the end assumes
  // `s[31] >> 7` yields exactly 0 or 1.
  s.asMin32("geFromBytesVartime");
  FieldElement u = FieldElement();
  FieldElement v = FieldElement();
  FieldElement vxx = FieldElement();
  FieldElement check = FieldElement();

  /* From fe_frombytes.c */

  // Unpack the 255-bit y coordinate into ten limbs alternating 26/25 bits
  // (the shifts line up each 3- or 4-byte group with its limb boundary).
  BigInt h0 = _load4(s, 0);
  BigInt h1 = _load3(s, 4) << 6;
  BigInt h2 = _load3(s, 7) << 5;
  BigInt h3 = _load3(s, 10) << 3;
  BigInt h4 = _load3(s, 13) << 2;
  BigInt h5 = _load4(s, 16);
  BigInt h6 = _load3(s, 20) << 7;
  BigInt h7 = _load3(s, 23) << 5;
  BigInt h8 = _load3(s, 26) << 4;
  // 8388607 == 0x7FFFFF: clears bit 23 of the 3 bytes at 29..31, i.e. bit 7
  // of s[31] — the sign bit of x. It is not part of y and is read separately
  // below when the sign of x is fixed up.
  BigInt h9 = (_load3(s, 29) & BigInt.from(8388607)) << 2;
  BigInt carry0;
  BigInt carry1;
  BigInt carry2;
  BigInt carry3;
  BigInt carry4;
  BigInt carry5;
  BigInt carry6;
  BigInt carry7;
  BigInt carry8;
  BigInt carry9;

  /* Validate the number to be canonical */
  // With limbs h1..h9 all at their maximum and h0 >= 2^32 - 19, the packed
  // value is >= 2^255 - 19 (the field prime), i.e. y in [p, 2^255). Those
  // encodings are non-canonical (they alias y - p) and are rejected so that
  // every point has exactly one accepted byte representation.
  if (h9 == 33554428.toBig &&
      h8 == 268435440.toBig &&
      h7 == 536870880.toBig &&
      h6 == 2147483520.toBig &&
      h5 == 4294967295.toBig &&
      h4 == 67108860.toBig &&
      h3 == 134217720.toBig &&
      h2 == 536870880.toBig &&
      h1 == 1073741760.toBig &&
      h0 >= 4294967277.toBig) {
    return -1;
  }

  // Carry chain: normalise each limb into its signed 26-/25-bit range. The
  // rounding constants (_bitMaskFor24 / _bitMaskFor25, presumably 2^24 and
  // 2^25) make the arithmetic shift round to nearest rather than toward
  // negative infinity. Odd limbs (25-bit) first, then even limbs (26-bit).
  // The carry out of the top limb is folded back in as 19 * carry because
  // 2^255 ≡ 19 (mod 2^255 - 19).
  carry9 = (h9 + _bitMaskFor24) >> 25;
  h0 += carry9 * BigInt.from(19);
  h9 -= carry9 << 25;
  carry1 = (h1 + _bitMaskFor24) >> 25;
  h2 += carry1;
  h1 -= carry1 << 25;
  carry3 = (h3 + _bitMaskFor24) >> 25;
  h4 += carry3;
  h3 -= carry3 << 25;
  carry5 = (h5 + _bitMaskFor24) >> 25;
  h6 += carry5;
  h5 -= carry5 << 25;
  carry7 = (h7 + _bitMaskFor24) >> 25;
  h8 += carry7;
  h7 -= carry7 << 25;

  carry0 = (h0 + _bitMaskFor25) >> 26;
  h1 += carry0;
  h0 -= carry0 << 26;
  carry2 = (h2 + _bitMaskFor25) >> 26;
  h3 += carry2;
  h2 -= carry2 << 26;
  carry4 = (h4 + _bitMaskFor25) >> 26;
  h5 += carry4;
  h4 -= carry4 << 26;
  carry6 = (h6 + _bitMaskFor25) >> 26;
  h7 += carry6;
  h6 -= carry6 << 26;
  carry8 = (h8 + _bitMaskFor25) >> 26;
  h9 += carry8;
  h8 -= carry8 << 26;

  // After the carry chain every limb fits a signed 32-bit value; `toInt32`
  // presumably narrows the BigInt to the int limb representation used by
  // FieldElement — confirm it does not silently truncate anything larger.
  h.y.h[0] = h0.toInt32;
  h.y.h[1] = h1.toInt32;
  h.y.h[2] = h2.toInt32;
  h.y.h[3] = h3.toInt32;
  h.y.h[4] = h4.toInt32;
  h.y.h[5] = h5.toInt32;
  h.y.h[6] = h6.toInt32;
  h.y.h[7] = h7.toInt32;
  h.y.h[8] = h8.toInt32;
  h.y.h[9] = h9.toInt32;

  /* End fe_frombytes.c */

  // Recover x from y via the twisted Edwards equation
  //   -x^2 + y^2 = 1 + d x^2 y^2   =>   x^2 = (y^2 - 1) / (d y^2 + 1) = u / v.
  fe1(h.z);
  feSq(u, h.y);
  feMul(v, u, CryptoOpsConst.d);
  feSub(u, u, h.z); /* u = y^2-1 */
  feAdd(v, v, h.z); /* v = dy^2+1 */

  // Candidate square root of u/v without an explicit inversion.
  feDivpowm1(h.x, u, v); /* x = uv^3(uv^7)^((q-5)/8) */

  // Verify the candidate: need v*x^2 == u. If instead v*x^2 == -u, multiply
  // x by sqrt(-1) to fix it up. If neither holds, u/v is not a square and no
  // point with this y exists on the curve — reject.
  feSq(vxx, h.x);
  feMul(vxx, vxx, v);
  feSub(check, vxx, u); /* vx^2-u */
  if (feIsnonzero(check) != 0) {
    feAdd(check, vxx, u); /* vx^2+u */
    if (feIsnonzero(check) != 0) {
      return -1;
    }
    feMul(h.x, h.x, CryptoOpsConst.feSqrtm1);
  }

  // Pick the root whose sign matches bit 7 of s[31]. Both sides of the
  // comparison are expected to be 0 or 1 (see the note on asMin32 above).
  if (feIsnegative(h.x) != (s[31] >> 7)) {
    /* If x = 0, the sign must be positive */
    // x == 0 has no "negative" root; an encoding that sets the sign bit for
    // it is a second, non-canonical encoding of the same point and is
    // rejected for the same reason as the non-canonical y above.
    if (feIsnonzero(h.x) == 0) {
      return -1;
    }
    feNeg(h.x, h.x);
  }

  // Extended coordinates: T = X*Y with Z = 1 (set by fe1 above).
  feMul(h.t, h.x, h.y);
  return 0;
}