 1package goldilocks
 2
 3import (
 4	"crypto/subtle"
 5
 6	mlsb "github.com/cloudflare/circl/math/mlsbset"
 7)
 8
// Parameters of the MLSB-set recoding used for fixed-base multiplication.
// ScalarBaseMult hands (fxT, fxV, fxW) to mlsb.New; presumably t is the
// scalar bit length, v the number of tables and w the window width, as in
// the mlsbset package — confirm against its documentation.
const (
	fxT = 448
	fxV = 2
	fxW = 3

	// fx2w1 is 2^(w-1); it is not referenced within this excerpt.
	fx2w1 = 1 << (fxW - 1)
)
16
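// ScalarBaseMult returns kG where G is the generator point.
//
// The MLSB-set recoding used by the fixed-base table only accepts an odd
// scalar, so k is normalized before it is encoded: a zero scalar is swapped
// for order (presumably the odd, prime group order, so order·G is still the
// identity — confirm) and an even scalar is swapped for −k, with the sign
// undone on the output point. Both swaps are selected through
// subtle.ConstantTime* calls, so the choice is not exposed through a branch
// on k. The normalization is applied to a private copy; the caller's k is
// never modified.
//
// Panics if mlsb.New rejects the fixed parameters, if it returns an
// extended set (groupMLSB supplies no extended element), or if encoding
// the scalar fails — all of these are programming errors, not input errors.
func (e twistCurve) ScalarBaseMult(k *Scalar) *twistPoint {
	m, err := mlsb.New(fxT, fxV, fxW)
	if err != nil {
		panic(err)
	}
	if m.IsExtended() {
		panic("not extended")
	}

	// Work on a copy so the scalar handed in by the caller is left intact.
	kk := *k

	// isZero is 1 iff kk == 0, computed without a data-dependent branch.
	var zero Scalar
	isZero := subtle.ConstantTimeCompare(kk[:], zero[:])
	subtle.ConstantTimeCopy(isZero, kk[:], order[:])

	// Parity is read from the low bit; an even scalar is replaced by its
	// negation (odd when the order is odd) and the result is negated back.
	minusK := kk
	isEven := 1 - int(kk[0]&0x1)
	minusK.Neg()
	subtle.ConstantTimeCopy(isEven, kk[:], minusK[:])

	c, err := m.Encode(kk[:])
	if err != nil {
		panic(err)
	}

	gP := c.Exp(groupMLSB{})
	P := gP.(*twistPoint)
	// Undo the sign flip applied to even scalars (no-op when isEven == 0).
	P.cneg(uint(isEven))
	return P
}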
47
// groupMLSB is the stateless adapter that exposes twistPoint and
// preTwistPointAffine to the mlsb exponentiation (see the c.Exp call in
// ScalarBaseMult) through mlsb's EltG / EltP element interfaces.
type groupMLSB struct{}
49
// ExtendedEltP always returns nil: this group provides no extended
// precomputation element, which is why ScalarBaseMult refuses an
// extended mlsb set.
func (groupMLSB) ExtendedEltP() mlsb.EltP {
	var none mlsb.EltP
	return none
}
// Sqr doubles the accumulator x in place; x must hold a *twistPoint.
func (groupMLSB) Sqr(x mlsb.EltG) {
	acc := x.(*twistPoint)
	acc.Double()
}
// Mul adds the precomputed affine element y into the accumulator x in
// place via mixAddZ1; x must hold a *twistPoint and y a
// *preTwistPointAffine.
func (groupMLSB) Mul(x mlsb.EltG, y mlsb.EltP) {
	acc := x.(*twistPoint)
	pre := y.(*preTwistPointAffine)
	acc.mixAddZ1(pre)
}
// Identity returns the twisted curve's identity point as the accumulator
// starting value.
func (groupMLSB) Identity() mlsb.EltG {
	var curve twistCurve
	return curve.Identity()
}
// NewEltP allocates a fresh, zero-valued precomputed affine element for
// Lookup to fill.
func (groupMLSB) NewEltP() mlsb.EltP {
	return new(preTwistPointAffine)
}
// Lookup loads entry u of the v-th fixed-base table into a (which must
// hold a *preTwistPointAffine) and conditionally negates it according to
// the sign of s.
//
// Every entry of the table is visited and the wanted one is selected with
// subtle.ConstantTimeEq plus a conditional move, so which entry matched
// is not exposed through control flow or the memory access pattern.
// s >> 31 is an arithmetic shift of an int32: it yields -1 for a negative
// s and 0 otherwise. NOTE(review): cneg therefore receives -1 rather than 1
// here, whereas twistPoint.cneg in ScalarBaseMult gets a 0/1 value —
// confirm preTwistPointAffine.cneg accepts that encoding.
func (groupMLSB) Lookup(a mlsb.EltP, v uint, s, u int32) {
	table := &tabFixMult[v]
	out := a.(*preTwistPointAffine)
	for idx := range table {
		sel := subtle.ConstantTimeEq(int32(idx), u)
		out.cmov(&table[idx], uint(sel))
	}
	out.cneg(int(s >> 31))
}
62}