geFromBytesVartime_ static method
Implementation
/// Decodes a 32-byte compressed Edwards point [s] into the extended
/// coordinates (`x`, `y`, `z`, `t`) of [h].
///
/// Port of `ge_frombytes_vartime` from the reference C `crypto-ops.c`; the
/// first half is the limb decoding from `fe_frombytes.c` (see the inline
/// markers below).
///
/// Returns `0` on success, or `-1` when the encoding is rejected:
///   * the encoded `y` is not canonical (not reduced modulo 2^255 - 19),
///   * no `x` satisfies the curve equation for this `y` (point not on curve),
///   * `x == 0` but the sign bit of the encoding is set.
/// On a `-1` return, [h] may have been partially written and must not be used.
///
/// `Vartime`: the early returns and the data-dependent branches make both the
/// control flow and the running time depend on the bytes of [s]. That is
/// acceptable for public point encodings (the use the reference code is
/// written for); do not feed this routine secret data.
///
/// [h] is the output group element; its `x`, `y`, `z` and `t` field elements
/// are overwritten. [s] is the encoding; `asMin32` presumably enforces that at
/// least 32 elements are present (TODO confirm), and the routine reads indices
/// 0..31. Elements are assumed to be bytes in 0..255 — a negative value at
/// `s[31]` would make the sign comparison below misbehave (TODO confirm the
/// caller guarantees this).
static int geFromBytesVartime_(GroupElementP3 h, List<int> s) {
s.asMin32("geFromBytesVartime");
FieldElement u = FieldElement();
FieldElement v = FieldElement();
FieldElement vxx = FieldElement();
FieldElement check = FieldElement();
/* From fe_frombytes.c */
// Unpack the 255-bit little-endian y coordinate into ten limbs
// (alternating 26/25-bit radix), exactly as the reference fe_frombytes does.
// The byte strides (4,3,3,3,3,4,3,3,3,3) and pre-shifts place each 3- or
// 4-byte group at its limb's bit offset.
BigInt h0 = _load4(s, 0);
BigInt h1 = _load3(s, 4) << 6;
BigInt h2 = _load3(s, 7) << 5;
BigInt h3 = _load3(s, 10) << 3;
BigInt h4 = _load3(s, 13) << 2;
BigInt h5 = _load4(s, 16);
BigInt h6 = _load3(s, 20) << 7;
BigInt h7 = _load3(s, 23) << 5;
BigInt h8 = _load3(s, 26) << 4;
// 8388607 == 2^23 - 1: masks off bit 255 of the encoding (bit 7 of s[31]),
// which is the sign bit of x rather than part of y. It is read back below.
BigInt h9 = (_load3(s, 29) & BigInt.from(8388607)) << 2;
BigInt carry0;
BigInt carry1;
BigInt carry2;
BigInt carry3;
BigInt carry4;
BigInt carry5;
BigInt carry6;
BigInt carry7;
BigInt carry8;
BigInt carry9;
/* Validate the number to be canonical */
// The constants are the limb-wise image of p = 2^255 - 19: every limb h1..h9
// at its masked maximum and h0 >= 2^32 - 19 (4294967277). Matching means
// the encoded y is >= p, i.e. a non-reduced (non-canonical) representation,
// which is rejected so that each point has a single accepted encoding.
if (h9 == 33554428.toBig &&
h8 == 268435440.toBig &&
h7 == 536870880.toBig &&
h6 == 2147483520.toBig &&
h5 == 4294967295.toBig &&
h4 == 67108860.toBig &&
h3 == 134217720.toBig &&
h2 == 536870880.toBig &&
h1 == 1073741760.toBig &&
h0 >= 4294967277.toBig) {
return -1;
}
// Carry chain: bring each limb into its signed 25-/26-bit range. The carry
// out of h9 wraps into h0 multiplied by 19 because 2^255 == 19 (mod p).
// _bitMaskFor24 / _bitMaskFor25 are presumably 1 << 24 and 1 << 25, the
// rounding offsets used by the reference code — TODO confirm their values.
carry9 = (h9 + _bitMaskFor24) >> 25;
h0 += carry9 * BigInt.from(19);
h9 -= carry9 << 25;
carry1 = (h1 + _bitMaskFor24) >> 25;
h2 += carry1;
h1 -= carry1 << 25;
carry3 = (h3 + _bitMaskFor24) >> 25;
h4 += carry3;
h3 -= carry3 << 25;
carry5 = (h5 + _bitMaskFor24) >> 25;
h6 += carry5;
h5 -= carry5 << 25;
carry7 = (h7 + _bitMaskFor24) >> 25;
h8 += carry7;
h7 -= carry7 << 25;
carry0 = (h0 + _bitMaskFor25) >> 26;
h1 += carry0;
h0 -= carry0 << 26;
carry2 = (h2 + _bitMaskFor25) >> 26;
h3 += carry2;
h2 -= carry2 << 26;
carry4 = (h4 + _bitMaskFor25) >> 26;
h5 += carry4;
h4 -= carry4 << 26;
carry6 = (h6 + _bitMaskFor25) >> 26;
h7 += carry6;
h6 -= carry6 << 26;
carry8 = (h8 + _bitMaskFor25) >> 26;
h9 += carry8;
h8 -= carry8 << 26;
// Store the reduced limbs as y. `toInt32` presumably narrows the BigInt to
// the int limb type; after the carry chain every limb fits in 26 bits.
h.y.h[0] = h0.toInt32;
h.y.h[1] = h1.toInt32;
h.y.h[2] = h2.toInt32;
h.y.h[3] = h3.toInt32;
h.y.h[4] = h4.toInt32;
h.y.h[5] = h5.toInt32;
h.y.h[6] = h6.toInt32;
h.y.h[7] = h7.toInt32;
h.y.h[8] = h8.toInt32;
h.y.h[9] = h9.toInt32;
/* End fe_frombytes.c */
// Recover x from the curve equation -x^2 + y^2 = 1 + d x^2 y^2, i.e.
// x^2 = (y^2 - 1) / (d y^2 + 1) = u / v.
fe1(h.z);
feSq(u, h.y);
feMul(v, u, CryptoOpsConst.d);
feSub(u, u, h.z); /* u = y^2-1 */
feAdd(v, v, h.z); /* v = dy^2+1 */
feDivpowm1(h.x, u, v); /* x = uv^3(uv^7)^((q-5)/8) */
// Verify the candidate: v*x^2 must equal u, or -u (then x is off by a
// factor of sqrt(-1)). Anything else means no square root exists and the
// encoding is not a point on the curve.
feSq(vxx, h.x);
feMul(vxx, vxx, v);
feSub(check, vxx, u); /* vx^2-u */
if (feIsnonzero(check) != 0) {
feAdd(check, vxx, u); /* vx^2+u */
if (feIsnonzero(check) != 0) {
return -1;
}
feMul(h.x, h.x, CryptoOpsConst.feSqrtm1);
}
// Select the root whose sign matches bit 255 of the encoding (the bit masked
// off when loading h9 above).
if (feIsnegative(h.x) != (s[31] >> 7)) {
/* If x = 0, the sign must be positive */
// x == 0 has only one valid encoding; a set sign bit here is rejected rather
// than silently accepted as a second encoding of the same point.
if (feIsnonzero(h.x) == 0) {
return -1;
}
feNeg(h.x, h.x);
}
// Extended coordinates: t = x * y (z was set to 1 above).
feMul(h.t, h.x, h.y);
return 0;
}