p256-cm4 0.4.0

P256-Cortex-M4 re-written in rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383

#![allow(non_snake_case)]

use core::arch::naked_asm;

mod sqrmod;
pub(crate) use sqrmod::P256_sqrmod;

mod add_sub;
pub(crate) use add_sub::{P256_add_mod_n, P256_addmod, P256_submod};

pub(crate) mod jacobian;
pub use jacobian::P256_double_j;

pub(crate) mod montgomery;
pub use montgomery::{Montgomery, P256_from_montgomery, P256_to_montgomery};

mod sqrt;
pub(crate) use sqrt::P256_modinv_sqrt;

mod matrix;
pub use matrix::{P256_divsteps2_31, P256_matrix_mul_fg_9, P256_matrix_mul_mod_n};

mod mulmod;
pub(crate) use mulmod::{P256_mul_mod_n, P256_mulmod};

mod verify;
pub use verify::P256_verify_last_step;

mod util;
pub use util::{
    P256_check_range_n, P256_check_range_p, P256_negate_mod_n_if, P256_negate_mod_p_if,
    add_sub_helper, mul288x288,
};

mod reduce;
pub(crate) use reduce::{
    P256_reduce_mod_n_32bytes, P256_reduce_mod_n_64bytes, P256_reduce_mod_n_once,
};

/// The order of the P256 curve.
///
/// Code that relies on this static being fewer than 4096 bytes away
/// must be in the same `.p256-cortex-m4` section.
#[unsafe(link_section = ".p256-cortex-m4")]
pub(crate) static P256_ORDER: [u32; 9] = [
    0xFC632551, 0xF3B9CAC2, 0xA7179E84, 0xBCE6FAAD, 0xFFFFFFFF, 0xFFFFFFFF, 0, 0xFFFFFFFF, 0,
];

/// Code that relies on this static being fewer than 4096 bytes away
/// must be in the same `.p256-cortex-m4` section.
#[unsafe(link_section = ".p256-cortex-m4")]
pub(crate) static P256_B: [u32; 8] = [
    0x29c4bddf, 0xd89cdf62, 0x78843090, 0xacf005cd, 0xf7212ed6, 0xe5a220ab, 0x04874834, 0xdc30061d,
];

/// Code that relies on this static being fewer than 4096 bytes away
/// must be in the same `.p256-cortex-m4` section.
#[unsafe(link_section = ".p256-cortex-m4")]
pub(crate) static P256_PRIME: [u32; 8] =
    [0xffffffff, 0xffffffff, 0xffffffff, 0, 0, 0, 1, 0xffffffff];

/// Check if a point `xy` is on the `p256` curve.
///
/// # Inputs
/// `r1` shall contain `x`, a valid [`*const Montgomery`](`Montgomery`).
///
/// `r2` shall contain `y`, a valid [`*const Montgomery`](`Montgomery`).
///
/// # Return
/// On return, `r0` will contain `1` if `xy` is on the `p256` curve. Otherwise, `r0` will contain `0`.
///
/// All other registers are clobbered.
///
/// # Safety
/// The caller must ensure that the ABI for this function is upheld. It is impossible to do so from
/// normal rust code, so it must only be called from other inline assembly.
// TODO: make this `extern "custom"` once that is stabilized (https://github.com/rust-lang/rust/issues/140829)
#[unsafe(no_mangle)]
#[unsafe(link_section = ".p256-cortex-m4")]
#[unsafe(naked)]
pub unsafe extern "C" fn P256_point_is_on_curve(
    x: *const Montgomery,
    y: *const Montgomery,
) -> bool {
    naked_asm!(
        "
            push {{r0, r4-r11, lr}}
            // frame push {{r0, r4-r11, lr}}
            // frame address sp, 40

            // We verify y^2 - x(x^2 - 3) = b

            // y^2
            ldm r1, {{r0-r7}}
            bl {P256_sqrmod}
            push {{r0-r7}}
            // frame address sp, 72

            // x^2
            ldr r0, [sp,#32]
            ldm r0, {{r0-r7}}
            bl {P256_sqrmod}
            push {{r0-r7}}
            // frame address sp, 104

            // x^2 - 3
            mov r1, sp
            adr r2, 1f
            bl {P256_submod}
            stm sp, {{r0-r7}}

            // x(x^2 - 3)
            ldr r1, [sp,#64]
            mov r2, sp
            bl {P256_mulmod}
            stm sp, {{r0-r7}}

            // y^2 - x(x^2 - 3)
            add r1, sp, #32
            mov r2, sp
            bl {P256_submod}

            // compare with b
            adr r8, {P256_B}
            ldm r8!, {{r9-r12}}
            eors r0, r9
            ittt eq
            eorseq r1, r10
            eorseq r2, r11
            eorseq r3, r12
            ldm r8, {{r9-r12}}
            itttt eq
            eorseq r4, r9
            eorseq r5, r10
            eorseq r6, r11
            eorseq r7, r12
            mov r0, #0
            it eq
            moveq r0, #1

            add sp, #68
            //frame address sp,36

            pop {{r4-r11,pc}}

            .align 2
        1: // three_mont, the Montgomery representation of the number `3`.
            .word 0x3
            .word 0x0
            .word 0x0
            .word 0xfffffffd
            .word 0xffffffff
            .word 0xffffffff
            .word 0xfffffffc
            .word 0x2
        ",
        P256_mulmod = sym P256_mulmod,
        P256_submod = sym P256_submod,
        P256_sqrmod = sym P256_sqrmod,
        P256_B = sym P256_B,
    )
}

/// For inputs `A*R mod p` and `N`, computes the result of performing `A^2*R mod p` `N` times.
///
/// > **Note**: this function simply calls [`P256_sqrmod`] `N` times in an efficient manner.
///
/// # Inputs
/// Registers `r0` through `r7` shall contain `A*R mod p`.
///
/// Register `r8` shall contain `N`, the amount of times to perform the squaring operation.
///
/// # Return
/// On return the result of the operation will be contained in registers `r0` through `r7`.
///
/// All other registers are clobbered.
///
/// # Safety
/// The caller must ensure that the ABI for this function is upheld. It is impossible to do so from
/// normal rust code, so it must only be called from other inline assembly.
// TODO: make this `extern "custom"` once that is stabilized (https://github.com/rust-lang/rust/issues/140829)
#[unsafe(naked)]
#[unsafe(no_mangle)]
pub unsafe extern "C" fn P256_sqrmod_many() {
    naked_asm!(
        "
            push {{r8, lr}}
            // frame push {{r8, lr}}
        0:
            bl {P256_sqrmod}

            ldr r8, [sp, #0]
            subs r8, r8, #1
            str r8, [sp, #0]
            bne 0b

            pop {{r8, pc}}
        ",
        P256_sqrmod = sym P256_sqrmod,
    )
}

/// If the inputs are `A*R mod p` and `B*R mod p`, calculate the result
/// of performing the operation `A^2*R mod p` `N` times, and multiplying that value by `B*R mod p`.
///
/// # Inputs
/// `r0` through `r7` shall contain `A*R mod p`.
///
/// `r8` shall contain `N`.
///
/// `r9` shall contain a valid `*const [u32; 8]`, whose dereference is `B*R mod p`.
///
/// # Return
/// `r0` through `r7` will contain the result of the computation.
///
/// All other registers are clobbered.
///
/// # Safety
/// The caller must ensure that the ABI for this function is upheld. It is impossible to do so from
/// normal rust code, so it must only be called from other inline assembly.
// TODO: make this `extern "custom"` once that is stabilized (https://github.com/rust-lang/rust/issues/140829)
#[unsafe(naked)]
#[unsafe(no_mangle)]
pub unsafe extern "C" fn P256_sqrmod_many_and_mulmod() {
    naked_asm!(
        "
            push {{r9, lr}}
            // frame push {{r9, lr}}
            bl {P256_sqrmod_many}
            push {{r0-r7}}
            // frame address sp, 40
            mov r1, sp
            ldr r2, [sp,#32]
            bl {P256_mulmod}
            add sp, #36
            // frame address sp, 4
            pop {{pc}}
        ",
        P256_sqrmod_many = sym P256_sqrmod_many,
        P256_mulmod = sym P256_mulmod,
    )
}

#[unsafe(no_mangle)]
#[unsafe(link_section = ".p256-cortex-m4")]
#[unsafe(naked)]
pub unsafe extern "C" fn P256_decompress_point(
    y: *const Montgomery,
    x: *const Montgomery,
    parity: u32,
) -> bool {
    naked_asm!(
        "
            push {{r0, r2, r4-r11, lr}}
            // frame push {{r0, r2, r4-r11, lr}}
            // frame address sp,44
            sub sp, #32
            // frame address sp, 76

            mov r0,sp
            bl {P256_to_montgomery}
            ldm sp, {{r0-r7}}

            bl {P256_sqrmod}
            push {{r0-r7}}

            mov r1, sp
            adr r2, {P256_B}
            bl {P256_submod}
            stm sp, {{r0-r7}}
            // frame address sp, 108

            add r1, sp, #32
            mov r2, sp
            bl {P256_mulmod}
            stm sp, {{r0-r7}}

            mov r1, sp
            adr r2, {P256_B}
            bl {P256_addmod}
            stm sp, {{r0-r7}}

            mov r8, #1
            bl {P256_modinv_sqrt}
            add r8, sp, #32
            stm r8, {{r0-r7}}

            bl {P256_sqrmod}

            pop {{r8-r11}}
            // frame address sp, 92
            eors r8, r0
            ittt eq
            eorseq r9, r1
            eorseq r10, r2
            eorseq r11, r3
            pop {{r8-r11}}
            // frame address sp, 76
            itttt eq
            eorseq r8, r4
            eorseq r9, r5
            eorseq r10, r6
            eorseq r11, r7
            it ne
            movne r0, #0
            bne 0f

            mov r0, sp
            mov r1, sp
            bl {P256_from_montgomery}

            ldr r3, [sp]
            ldrd r0, r1, [sp, #32]
            and r2, r3, #1
            eors r2, r1
            mov r1, sp
            adr r3, {P256_PRIME}
            bl {P256_negate_mod_m_if}
            movs r0, #1
        0:
            add sp, #32 + 8
            // frame address sp, 36
            pop {{r4-r11, pc}}
        ",
        P256_to_montgomery = sym P256_to_montgomery,
        P256_from_montgomery = sym P256_from_montgomery,
        P256_sqrmod = sym P256_sqrmod,
        P256_mulmod = sym P256_mulmod,
        P256_submod = sym P256_submod,
        P256_addmod = sym P256_addmod,
        P256_negate_mod_m_if = sym P256_negate_mod_m_if,
        P256_modinv_sqrt = sym P256_modinv_sqrt,
        P256_B = sym P256_B,
        P256_PRIME = sym P256_PRIME,
    )
}

/// Given inputs `a`, `should_negate` and `m`:
/// 1. If `should_negate == 1`, compute `m - a`.
/// 2. Else, copy `a`.
///
/// # Inputs
/// `r0` shall contain a valid `*mut [u32; 8]`.
///
/// `r1` shall contain `a`, a valid `*const [u32; 8]`, where `1 <= a <= m - 1`.
///
/// `r2` shall contain `should_negate`, a `u32` that is either 1 or 0.
///
/// `r3` shall contain `m`, a valid `*const [u32; 8]`.
///
/// # Return
/// On return, the dereference of the input value of `r0` shall contain the result of the computation.
///
/// > **Note**: `r0` will be overriden during the execution of this function (it is callee-saved).
#[unsafe(no_mangle)]
#[unsafe(naked)]
pub unsafe extern "C" fn P256_negate_mod_m_if() {
    naked_asm!(
        "
                push {r4-r8, lr}
                // frame push {r4-r8,lr}
                rsb r8, r2, #1
                movs r6, #8
                subs r7, r7 // set r7=0 and C=1
            0:
                ldm r1!, {r4, r12}
                ldm r3!, {r5, lr}
                sbcs r5, r5, r4
                umull r4, r7, r8, r4
                umaal r4, r7, r2, r5
                sbcs lr, lr, r12
                umull r12, r7, r8, r12
                umaal r12, r7, r2, lr
                stm r0!, {r4,r12}
                sub r6, #2
                cbz r6, 1f
                b 0b
            1:
                pop {r4-r8, pc}
        ",
        options(raw)
    )
}