Source file src/crypto/internal/nistec/p256.go

     1  // Copyright 2022 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // Code generated by generate.go. DO NOT EDIT.
     6  
     7  //go:build (!amd64 && !arm64 && !ppc64le && !s390x) || purego
     8  
     9  package nistec
    10  
    11  import (
    12  	"crypto/internal/nistec/fiat"
    13  	"crypto/subtle"
    14  	"errors"
    15  	"sync"
    16  )
    17  
    18  // p256ElementLength is the length of an element of the base or scalar field,
    19  // which have the same bytes length for all NIST P curves.
    20  const p256ElementLength = 32
    21  
    22  // P256Point is a P256 point. The zero value is NOT valid.
    23  type P256Point struct {
    24  	// The point is represented in projective coordinates (X:Y:Z),
    25  	// where x = X/Z and y = Y/Z.
    26  	x, y, z *fiat.P256Element
    27  }
    28  
    29  // NewP256Point returns a new P256Point representing the point at infinity point.
    30  func NewP256Point() *P256Point {
    31  	return &P256Point{
    32  		x: new(fiat.P256Element),
    33  		y: new(fiat.P256Element).One(),
    34  		z: new(fiat.P256Element),
    35  	}
    36  }
    37  
    38  // SetGenerator sets p to the canonical generator and returns p.
    39  func (p *P256Point) SetGenerator() *P256Point {
    40  	p.x.SetBytes([]byte{0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc, 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x3, 0x7d, 0x81, 0x2d, 0xeb, 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96})
    41  	p.y.SetBytes([]byte{0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0xf, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5})
    42  	p.z.One()
    43  	return p
    44  }
    45  
    46  // Set sets p = q and returns p.
    47  func (p *P256Point) Set(q *P256Point) *P256Point {
    48  	p.x.Set(q.x)
    49  	p.y.Set(q.y)
    50  	p.z.Set(q.z)
    51  	return p
    52  }
    53  
    54  // SetBytes sets p to the compressed, uncompressed, or infinity value encoded in
    55  // b, as specified in SEC 1, Version 2.0, Section 2.3.4. If the point is not on
    56  // the curve, it returns nil and an error, and the receiver is unchanged.
    57  // Otherwise, it returns p.
    58  func (p *P256Point) SetBytes(b []byte) (*P256Point, error) {
    59  	switch {
    60  	// Point at infinity.
    61  	case len(b) == 1 && b[0] == 0:
    62  		return p.Set(NewP256Point()), nil
    63  
    64  	// Uncompressed form.
    65  	case len(b) == 1+2*p256ElementLength && b[0] == 4:
    66  		x, err := new(fiat.P256Element).SetBytes(b[1 : 1+p256ElementLength])
    67  		if err != nil {
    68  			return nil, err
    69  		}
    70  		y, err := new(fiat.P256Element).SetBytes(b[1+p256ElementLength:])
    71  		if err != nil {
    72  			return nil, err
    73  		}
    74  		if err := p256CheckOnCurve(x, y); err != nil {
    75  			return nil, err
    76  		}
    77  		p.x.Set(x)
    78  		p.y.Set(y)
    79  		p.z.One()
    80  		return p, nil
    81  
    82  	// Compressed form.
    83  	case len(b) == 1+p256ElementLength && (b[0] == 2 || b[0] == 3):
    84  		x, err := new(fiat.P256Element).SetBytes(b[1:])
    85  		if err != nil {
    86  			return nil, err
    87  		}
    88  
    89  		// y² = x³ - 3x + b
    90  		y := p256Polynomial(new(fiat.P256Element), x)
    91  		if !p256Sqrt(y, y) {
    92  			return nil, errors.New("invalid P256 compressed point encoding")
    93  		}
    94  
    95  		// Select the positive or negative root, as indicated by the least
    96  		// significant bit, based on the encoding type byte.
    97  		otherRoot := new(fiat.P256Element)
    98  		otherRoot.Sub(otherRoot, y)
    99  		cond := y.Bytes()[p256ElementLength-1]&1 ^ b[0]&1
   100  		y.Select(otherRoot, y, int(cond))
   101  
   102  		p.x.Set(x)
   103  		p.y.Set(y)
   104  		p.z.One()
   105  		return p, nil
   106  
   107  	default:
   108  		return nil, errors.New("invalid P256 point encoding")
   109  	}
   110  }
   111  
   112  var _p256B *fiat.P256Element
   113  var _p256BOnce sync.Once
   114  
   115  func p256B() *fiat.P256Element {
   116  	_p256BOnce.Do(func() {
   117  		_p256B, _ = new(fiat.P256Element).SetBytes([]byte{0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7, 0xb3, 0xeb, 0xbd, 0x55, 0x76, 0x98, 0x86, 0xbc, 0x65, 0x1d, 0x6, 0xb0, 0xcc, 0x53, 0xb0, 0xf6, 0x3b, 0xce, 0x3c, 0x3e, 0x27, 0xd2, 0x60, 0x4b})
   118  	})
   119  	return _p256B
   120  }
   121  
   122  // p256Polynomial sets y2 to x³ - 3x + b, and returns y2.
   123  func p256Polynomial(y2, x *fiat.P256Element) *fiat.P256Element {
   124  	y2.Square(x)
   125  	y2.Mul(y2, x)
   126  
   127  	threeX := new(fiat.P256Element).Add(x, x)
   128  	threeX.Add(threeX, x)
   129  	y2.Sub(y2, threeX)
   130  
   131  	return y2.Add(y2, p256B())
   132  }
   133  
   134  func p256CheckOnCurve(x, y *fiat.P256Element) error {
   135  	// y² = x³ - 3x + b
   136  	rhs := p256Polynomial(new(fiat.P256Element), x)
   137  	lhs := new(fiat.P256Element).Square(y)
   138  	if rhs.Equal(lhs) != 1 {
   139  		return errors.New("P256 point not on curve")
   140  	}
   141  	return nil
   142  }
   143  
   144  // Bytes returns the uncompressed or infinity encoding of p, as specified in
   145  // SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the point at
   146  // infinity is shorter than all other encodings.
   147  func (p *P256Point) Bytes() []byte {
   148  	// This function is outlined to make the allocations inline in the caller
   149  	// rather than happen on the heap.
   150  	var out [1 + 2*p256ElementLength]byte
   151  	return p.bytes(&out)
   152  }
   153  
   154  func (p *P256Point) bytes(out *[1 + 2*p256ElementLength]byte) []byte {
   155  	if p.z.IsZero() == 1 {
   156  		return append(out[:0], 0)
   157  	}
   158  
   159  	zinv := new(fiat.P256Element).Invert(p.z)
   160  	x := new(fiat.P256Element).Mul(p.x, zinv)
   161  	y := new(fiat.P256Element).Mul(p.y, zinv)
   162  
   163  	buf := append(out[:0], 4)
   164  	buf = append(buf, x.Bytes()...)
   165  	buf = append(buf, y.Bytes()...)
   166  	return buf
   167  }
   168  
   169  // BytesX returns the encoding of the x-coordinate of p, as specified in SEC 1,
   170  // Version 2.0, Section 2.3.5, or an error if p is the point at infinity.
   171  func (p *P256Point) BytesX() ([]byte, error) {
   172  	// This function is outlined to make the allocations inline in the caller
   173  	// rather than happen on the heap.
   174  	var out [p256ElementLength]byte
   175  	return p.bytesX(&out)
   176  }
   177  
   178  func (p *P256Point) bytesX(out *[p256ElementLength]byte) ([]byte, error) {
   179  	if p.z.IsZero() == 1 {
   180  		return nil, errors.New("P256 point is the point at infinity")
   181  	}
   182  
   183  	zinv := new(fiat.P256Element).Invert(p.z)
   184  	x := new(fiat.P256Element).Mul(p.x, zinv)
   185  
   186  	return append(out[:0], x.Bytes()...), nil
   187  }
   188  
   189  // BytesCompressed returns the compressed or infinity encoding of p, as
   190  // specified in SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the
   191  // point at infinity is shorter than all other encodings.
   192  func (p *P256Point) BytesCompressed() []byte {
   193  	// This function is outlined to make the allocations inline in the caller
   194  	// rather than happen on the heap.
   195  	var out [1 + p256ElementLength]byte
   196  	return p.bytesCompressed(&out)
   197  }
   198  
   199  func (p *P256Point) bytesCompressed(out *[1 + p256ElementLength]byte) []byte {
   200  	if p.z.IsZero() == 1 {
   201  		return append(out[:0], 0)
   202  	}
   203  
   204  	zinv := new(fiat.P256Element).Invert(p.z)
   205  	x := new(fiat.P256Element).Mul(p.x, zinv)
   206  	y := new(fiat.P256Element).Mul(p.y, zinv)
   207  
   208  	// Encode the sign of the y coordinate (indicated by the least significant
   209  	// bit) as the encoding type (2 or 3).
   210  	buf := append(out[:0], 2)
   211  	buf[0] |= y.Bytes()[p256ElementLength-1] & 1
   212  	buf = append(buf, x.Bytes()...)
   213  	return buf
   214  }
   215  
   216  // Add sets q = p1 + p2, and returns q. The points may overlap.
   217  func (q *P256Point) Add(p1, p2 *P256Point) *P256Point {
   218  	// Complete addition formula for a = -3 from "Complete addition formulas for
   219  	// prime order elliptic curves" (https://eprint.iacr.org/2015/1060), §A.2.
   220  
   221  	t0 := new(fiat.P256Element).Mul(p1.x, p2.x)  // t0 := X1 * X2
   222  	t1 := new(fiat.P256Element).Mul(p1.y, p2.y)  // t1 := Y1 * Y2
   223  	t2 := new(fiat.P256Element).Mul(p1.z, p2.z)  // t2 := Z1 * Z2
   224  	t3 := new(fiat.P256Element).Add(p1.x, p1.y)  // t3 := X1 + Y1
   225  	t4 := new(fiat.P256Element).Add(p2.x, p2.y)  // t4 := X2 + Y2
   226  	t3.Mul(t3, t4)                               // t3 := t3 * t4
   227  	t4.Add(t0, t1)                               // t4 := t0 + t1
   228  	t3.Sub(t3, t4)                               // t3 := t3 - t4
   229  	t4.Add(p1.y, p1.z)                           // t4 := Y1 + Z1
   230  	x3 := new(fiat.P256Element).Add(p2.y, p2.z)  // X3 := Y2 + Z2
   231  	t4.Mul(t4, x3)                               // t4 := t4 * X3
   232  	x3.Add(t1, t2)                               // X3 := t1 + t2
   233  	t4.Sub(t4, x3)                               // t4 := t4 - X3
   234  	x3.Add(p1.x, p1.z)                           // X3 := X1 + Z1
   235  	y3 := new(fiat.P256Element).Add(p2.x, p2.z)  // Y3 := X2 + Z2
   236  	x3.Mul(x3, y3)                               // X3 := X3 * Y3
   237  	y3.Add(t0, t2)                               // Y3 := t0 + t2
   238  	y3.Sub(x3, y3)                               // Y3 := X3 - Y3
   239  	z3 := new(fiat.P256Element).Mul(p256B(), t2) // Z3 := b * t2
   240  	x3.Sub(y3, z3)                               // X3 := Y3 - Z3
   241  	z3.Add(x3, x3)                               // Z3 := X3 + X3
   242  	x3.Add(x3, z3)                               // X3 := X3 + Z3
   243  	z3.Sub(t1, x3)                               // Z3 := t1 - X3
   244  	x3.Add(t1, x3)                               // X3 := t1 + X3
   245  	y3.Mul(p256B(), y3)                          // Y3 := b * Y3
   246  	t1.Add(t2, t2)                               // t1 := t2 + t2
   247  	t2.Add(t1, t2)                               // t2 := t1 + t2
   248  	y3.Sub(y3, t2)                               // Y3 := Y3 - t2
   249  	y3.Sub(y3, t0)                               // Y3 := Y3 - t0
   250  	t1.Add(y3, y3)                               // t1 := Y3 + Y3
   251  	y3.Add(t1, y3)                               // Y3 := t1 + Y3
   252  	t1.Add(t0, t0)                               // t1 := t0 + t0
   253  	t0.Add(t1, t0)                               // t0 := t1 + t0
   254  	t0.Sub(t0, t2)                               // t0 := t0 - t2
   255  	t1.Mul(t4, y3)                               // t1 := t4 * Y3
   256  	t2.Mul(t0, y3)                               // t2 := t0 * Y3
   257  	y3.Mul(x3, z3)                               // Y3 := X3 * Z3
   258  	y3.Add(y3, t2)                               // Y3 := Y3 + t2
   259  	x3.Mul(t3, x3)                               // X3 := t3 * X3
   260  	x3.Sub(x3, t1)                               // X3 := X3 - t1
   261  	z3.Mul(t4, z3)                               // Z3 := t4 * Z3
   262  	t1.Mul(t3, t0)                               // t1 := t3 * t0
   263  	z3.Add(z3, t1)                               // Z3 := Z3 + t1
   264  
   265  	q.x.Set(x3)
   266  	q.y.Set(y3)
   267  	q.z.Set(z3)
   268  	return q
   269  }
   270  
   271  // Double sets q = p + p, and returns q. The points may overlap.
   272  func (q *P256Point) Double(p *P256Point) *P256Point {
   273  	// Complete addition formula for a = -3 from "Complete addition formulas for
   274  	// prime order elliptic curves" (https://eprint.iacr.org/2015/1060), §A.2.
   275  
   276  	t0 := new(fiat.P256Element).Square(p.x)      // t0 := X ^ 2
   277  	t1 := new(fiat.P256Element).Square(p.y)      // t1 := Y ^ 2
   278  	t2 := new(fiat.P256Element).Square(p.z)      // t2 := Z ^ 2
   279  	t3 := new(fiat.P256Element).Mul(p.x, p.y)    // t3 := X * Y
   280  	t3.Add(t3, t3)                               // t3 := t3 + t3
   281  	z3 := new(fiat.P256Element).Mul(p.x, p.z)    // Z3 := X * Z
   282  	z3.Add(z3, z3)                               // Z3 := Z3 + Z3
   283  	y3 := new(fiat.P256Element).Mul(p256B(), t2) // Y3 := b * t2
   284  	y3.Sub(y3, z3)                               // Y3 := Y3 - Z3
   285  	x3 := new(fiat.P256Element).Add(y3, y3)      // X3 := Y3 + Y3
   286  	y3.Add(x3, y3)                               // Y3 := X3 + Y3
   287  	x3.Sub(t1, y3)                               // X3 := t1 - Y3
   288  	y3.Add(t1, y3)                               // Y3 := t1 + Y3
   289  	y3.Mul(x3, y3)                               // Y3 := X3 * Y3
   290  	x3.Mul(x3, t3)                               // X3 := X3 * t3
   291  	t3.Add(t2, t2)                               // t3 := t2 + t2
   292  	t2.Add(t2, t3)                               // t2 := t2 + t3
   293  	z3.Mul(p256B(), z3)                          // Z3 := b * Z3
   294  	z3.Sub(z3, t2)                               // Z3 := Z3 - t2
   295  	z3.Sub(z3, t0)                               // Z3 := Z3 - t0
   296  	t3.Add(z3, z3)                               // t3 := Z3 + Z3
   297  	z3.Add(z3, t3)                               // Z3 := Z3 + t3
   298  	t3.Add(t0, t0)                               // t3 := t0 + t0
   299  	t0.Add(t3, t0)                               // t0 := t3 + t0
   300  	t0.Sub(t0, t2)                               // t0 := t0 - t2
   301  	t0.Mul(t0, z3)                               // t0 := t0 * Z3
   302  	y3.Add(y3, t0)                               // Y3 := Y3 + t0
   303  	t0.Mul(p.y, p.z)                             // t0 := Y * Z
   304  	t0.Add(t0, t0)                               // t0 := t0 + t0
   305  	z3.Mul(t0, z3)                               // Z3 := t0 * Z3
   306  	x3.Sub(x3, z3)                               // X3 := X3 - Z3
   307  	z3.Mul(t0, t1)                               // Z3 := t0 * t1
   308  	z3.Add(z3, z3)                               // Z3 := Z3 + Z3
   309  	z3.Add(z3, z3)                               // Z3 := Z3 + Z3
   310  
   311  	q.x.Set(x3)
   312  	q.y.Set(y3)
   313  	q.z.Set(z3)
   314  	return q
   315  }
   316  
   317  // Select sets q to p1 if cond == 1, and to p2 if cond == 0.
   318  func (q *P256Point) Select(p1, p2 *P256Point, cond int) *P256Point {
   319  	q.x.Select(p1.x, p2.x, cond)
   320  	q.y.Select(p1.y, p2.y, cond)
   321  	q.z.Select(p1.z, p2.z, cond)
   322  	return q
   323  }
   324  
   325  // A p256Table holds the first 15 multiples of a point at offset -1, so [1]P
   326  // is at table[0], [15]P is at table[14], and [0]P is implicitly the identity
   327  // point.
   328  type p256Table [15]*P256Point
   329  
   330  // Select selects the n-th multiple of the table base point into p. It works in
   331  // constant time by iterating over every entry of the table. n must be in [0, 15].
   332  func (table *p256Table) Select(p *P256Point, n uint8) {
   333  	if n >= 16 {
   334  		panic("nistec: internal error: p256Table called with out-of-bounds value")
   335  	}
   336  	p.Set(NewP256Point())
   337  	for i := uint8(1); i < 16; i++ {
   338  		cond := subtle.ConstantTimeByteEq(i, n)
   339  		p.Select(table[i-1], p, cond)
   340  	}
   341  }
   342  
   343  // ScalarMult sets p = scalar * q, and returns p.
   344  func (p *P256Point) ScalarMult(q *P256Point, scalar []byte) (*P256Point, error) {
   345  	// Compute a p256Table for the base point q. The explicit NewP256Point
   346  	// calls get inlined, letting the allocations live on the stack.
   347  	var table = p256Table{NewP256Point(), NewP256Point(), NewP256Point(),
   348  		NewP256Point(), NewP256Point(), NewP256Point(), NewP256Point(),
   349  		NewP256Point(), NewP256Point(), NewP256Point(), NewP256Point(),
   350  		NewP256Point(), NewP256Point(), NewP256Point(), NewP256Point()}
   351  	table[0].Set(q)
   352  	for i := 1; i < 15; i += 2 {
   353  		table[i].Double(table[i/2])
   354  		table[i+1].Add(table[i], q)
   355  	}
   356  
   357  	// Instead of doing the classic double-and-add chain, we do it with a
   358  	// four-bit window: we double four times, and then add [0-15]P.
   359  	t := NewP256Point()
   360  	p.Set(NewP256Point())
   361  	for i, byte := range scalar {
   362  		// No need to double on the first iteration, as p is the identity at
   363  		// this point, and [N]∞ = ∞.
   364  		if i != 0 {
   365  			p.Double(p)
   366  			p.Double(p)
   367  			p.Double(p)
   368  			p.Double(p)
   369  		}
   370  
   371  		windowValue := byte >> 4
   372  		table.Select(t, windowValue)
   373  		p.Add(p, t)
   374  
   375  		p.Double(p)
   376  		p.Double(p)
   377  		p.Double(p)
   378  		p.Double(p)
   379  
   380  		windowValue = byte & 0b1111
   381  		table.Select(t, windowValue)
   382  		p.Add(p, t)
   383  	}
   384  
   385  	return p, nil
   386  }
   387  
   388  var p256GeneratorTable *[p256ElementLength * 2]p256Table
   389  var p256GeneratorTableOnce sync.Once
   390  
   391  // generatorTable returns a sequence of p256Tables. The first table contains
   392  // multiples of G. Each successive table is the previous table doubled four
   393  // times.
   394  func (p *P256Point) generatorTable() *[p256ElementLength * 2]p256Table {
   395  	p256GeneratorTableOnce.Do(func() {
   396  		p256GeneratorTable = new([p256ElementLength * 2]p256Table)
   397  		base := NewP256Point().SetGenerator()
   398  		for i := 0; i < p256ElementLength*2; i++ {
   399  			p256GeneratorTable[i][0] = NewP256Point().Set(base)
   400  			for j := 1; j < 15; j++ {
   401  				p256GeneratorTable[i][j] = NewP256Point().Add(p256GeneratorTable[i][j-1], base)
   402  			}
   403  			base.Double(base)
   404  			base.Double(base)
   405  			base.Double(base)
   406  			base.Double(base)
   407  		}
   408  	})
   409  	return p256GeneratorTable
   410  }
   411  
   412  // ScalarBaseMult sets p = scalar * B, where B is the canonical generator, and
   413  // returns p.
   414  func (p *P256Point) ScalarBaseMult(scalar []byte) (*P256Point, error) {
   415  	if len(scalar) != p256ElementLength {
   416  		return nil, errors.New("invalid scalar length")
   417  	}
   418  	tables := p.generatorTable()
   419  
   420  	// This is also a scalar multiplication with a four-bit window like in
   421  	// ScalarMult, but in this case the doublings are precomputed. The value
   422  	// [windowValue]G added at iteration k would normally get doubled
   423  	// (totIterations-k)×4 times, but with a larger precomputation we can
   424  	// instead add [2^((totIterations-k)×4)][windowValue]G and avoid the
   425  	// doublings between iterations.
   426  	t := NewP256Point()
   427  	p.Set(NewP256Point())
   428  	tableIndex := len(tables) - 1
   429  	for _, byte := range scalar {
   430  		windowValue := byte >> 4
   431  		tables[tableIndex].Select(t, windowValue)
   432  		p.Add(p, t)
   433  		tableIndex--
   434  
   435  		windowValue = byte & 0b1111
   436  		tables[tableIndex].Select(t, windowValue)
   437  		p.Add(p, t)
   438  		tableIndex--
   439  	}
   440  
   441  	return p, nil
   442  }
   443  
   444  // p256Sqrt sets e to a square root of x. If x is not a square, p256Sqrt returns
   445  // false and e is unchanged. e and x can overlap.
   446  func p256Sqrt(e, x *fiat.P256Element) (isSquare bool) {
   447  	candidate := new(fiat.P256Element)
   448  	p256SqrtCandidate(candidate, x)
   449  	square := new(fiat.P256Element).Square(candidate)
   450  	if square.Equal(x) != 1 {
   451  		return false
   452  	}
   453  	e.Set(candidate)
   454  	return true
   455  }
   456  
   457  // p256SqrtCandidate sets z to a square root candidate for x. z and x must not overlap.
   458  func p256SqrtCandidate(z, x *fiat.P256Element) {
   459  	// Since p = 3 mod 4, exponentiation by (p + 1) / 4 yields a square root candidate.
   460  	//
   461  	// The sequence of 7 multiplications and 253 squarings is derived from the
   462  	// following addition chain generated with github.com/mmcloughlin/addchain v0.4.0.
   463  	//
   464  	//	_10       = 2*1
   465  	//	_11       = 1 + _10
   466  	//	_1100     = _11 << 2
   467  	//	_1111     = _11 + _1100
   468  	//	_11110000 = _1111 << 4
   469  	//	_11111111 = _1111 + _11110000
   470  	//	x16       = _11111111 << 8 + _11111111
   471  	//	x32       = x16 << 16 + x16
   472  	//	return      ((x32 << 32 + 1) << 96 + 1) << 94
   473  	//
   474  	var t0 = new(fiat.P256Element)
   475  
   476  	z.Square(x)
   477  	z.Mul(x, z)
   478  	t0.Square(z)
   479  	for s := 1; s < 2; s++ {
   480  		t0.Square(t0)
   481  	}
   482  	z.Mul(z, t0)
   483  	t0.Square(z)
   484  	for s := 1; s < 4; s++ {
   485  		t0.Square(t0)
   486  	}
   487  	z.Mul(z, t0)
   488  	t0.Square(z)
   489  	for s := 1; s < 8; s++ {
   490  		t0.Square(t0)
   491  	}
   492  	z.Mul(z, t0)
   493  	t0.Square(z)
   494  	for s := 1; s < 16; s++ {
   495  		t0.Square(t0)
   496  	}
   497  	z.Mul(z, t0)
   498  	for s := 0; s < 32; s++ {
   499  		z.Square(z)
   500  	}
   501  	z.Mul(x, z)
   502  	for s := 0; s < 96; s++ {
   503  		z.Square(z)
   504  	}
   505  	z.Mul(x, z)
   506  	for s := 0; s < 94; s++ {
   507  		z.Square(z)
   508  	}
   509  }
   510  

View as plain text