From 42b6b426ce6366bbe18c3631713e8b90216e6ac9 Mon Sep 17 00:00:00 2001
From: Peter Dettman
Date: Wed, 17 May 2017 21:27:32 +0700
Subject: [PATCH] Alternative cmov implementation
---
src/field_10x26_impl.h | 41 +++++++++++++++++------------------------
src/field_5x52_impl.h | 32 +++++++++++++++++--------------
2 files changed, 34 insertions(+), 39 deletions(-)
diff --git a/src/field_10x26_impl.h b/src/field_10x26_impl.h
index 234c13a644..5eedaaf337 100644
--- a/src/field_10x26_impl.h
+++ b/src/field_10x26_impl.h
@@ -11,6 +11,21 @@
 #include "num.h"
 #include "field.h"
 
+static SECP256K1_INLINE void secp256k1_fe_cmov_limbs(uint32_t *r, const uint32_t *a, int len, int flag) {
+ int i;
+ uint32_t diff, rest, r_i;
+ static const uint32_t half = 0x55555555UL;
+ VERIFY_CHECK(flag == 0 || flag == 1);
+ rest = half << flag;
+ for (i=0; in;
@@ -1092,19 +1107,7 @@ static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a) {
 }
 
 static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag) {
- uint32_t mask0, mask1;
- mask0 = flag + ~((uint32_t)0);
- mask1 = ~mask0;
- r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
- r->n[1] = (r->n[1] & mask0) | (a->n[1] & mask1);
- r->n[2] = (r->n[2] & mask0) | (a->n[2] & mask1);
- r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1);
- r->n[4] = (r->n[4] & mask0) | (a->n[4] & mask1);
- r->n[5] = (r->n[5] & mask0) | (a->n[5] & mask1);
- r->n[6] = (r->n[6] & mask0) | (a->n[6] & mask1);
- r->n[7] = (r->n[7] & mask0) | (a->n[7] & mask1);
- r->n[8] = (r->n[8] & mask0) | (a->n[8] & mask1);
- r->n[9] = (r->n[9] & mask0) | (a->n[9] & mask1);
+ secp256k1_fe_cmov_limbs(r->n, a->n, 10, flag);
 #ifdef VERIFY
 if (a->magnitude > r->magnitude) {
 r->magnitude = a->magnitude;
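Review bot: The new secp256k1_fe_cmov_limbs carries no comment stating its contract, and its only guard is `VERIFY_CHECK(flag == 0 || flag == 1)`, which in this project is compiled out of non-VERIFY builds, so a release caller passing any other value gets `rest = half << flag` with a bit pattern that is neither 0x55555555 nor 0xAAAAAAAA and a silently wrong move rather than a failure. The removed mask0/mask1 form made the intent self-evident (r = flag ? a : r, with no flag-dependent branch); the shifted-half construction does not, and the commit message gives no rationale, so the function should open with something like `/* Constant-time conditional move: r[i] = flag ? a[i] : r[i] for i < len. */` followed by a line stating that flag MUST be exactly 0 or 1 and that the 0x55..55 pattern is used instead of a 0/~0 mask presumably to keep the compiler from emitting a branch, which should be confirmed by inspecting the generated code on the supported toolchains. The loop body from the `i<len` condition onward and the function's closing are not visible in this chunk (the hunk text is truncated), so the per-limb operation itself could not be reviewed here. The same points apply to the identical uint64_t twin added at the top of src/field_5x52_impl.h.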
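Review bot: The limb count in the new call is the bare literal `10`, which can drift from the struct definition it mirrors; since the unrolled indices 0..9 indicate `n` is a fixed-size array member, the count can be derived from the type: `secp256k1_fe_cmov_limbs(r->n, a->n, (int)(sizeof(r->n) / sizeof(r->n[0])), flag);` (or a named constant shared by all callers). The cast is only needed because `len` is declared `int`; declaring it `size_t` would be the more idiomatic choice. The same literal-count pattern appears in the storage_cmov hunk below (`8`) and in the two corresponding hunks of src/field_5x52_impl.h (`5` and `4`). The `#ifdef VERIFY` magnitude handling at the end of the hunk is unchanged context, and secp256k1_fe_cmov continues past the hunk.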
@@ -1114,17 +1117,7 @@ static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_
 }
 
 static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag) {
- uint32_t mask0, mask1;
- mask0 = flag + ~((uint32_t)0);
- mask1 = ~mask0;
- r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
- r->n[1] = (r->n[1] & mask0) | (a->n[1] & mask1);
- r->n[2] = (r->n[2] & mask0) | (a->n[2] & mask1);
- r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1);
- r->n[4] = (r->n[4] & mask0) | (a->n[4] & mask1);
- r->n[5] = (r->n[5] & mask0) | (a->n[5] & mask1);
- r->n[6] = (r->n[6] & mask0) | (a->n[6] & mask1);
- r->n[7] = (r->n[7] & mask0) | (a->n[7] & mask1);
+ secp256k1_fe_cmov_limbs(r->n, a->n, 8, flag);
 }
 
 static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a) {
diff --git a/src/field_5x52_impl.h b/src/field_5x52_impl.h
index 8e8b286baf..97e3265b6b 100644
--- a/src/field_5x52_impl.h
+++ b/src/field_5x52_impl.h
@@ -29,6 +29,21 @@
 * output.
 */
 
+static SECP256K1_INLINE void secp256k1_fe_cmov_limbs(uint64_t *r, const uint64_t *a, int len, int flag) {
+ int i;
+ uint64_t diff, rest, r_i;
+ static const uint64_t half = 0x5555555555555555ULL;
+ VERIFY_CHECK(flag == 0 || flag == 1);
+ rest = half << flag;
+ for (i=0; in;
@@ -445,14 +460,7 @@ static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a) {
 }
 
 static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag) {
- uint64_t mask0, mask1;
- mask0 = flag + ~((uint64_t)0);
- mask1 = ~mask0;
- r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
- r->n[1] = (r->n[1] & mask0) | (a->n[1] & mask1);
- r->n[2] = (r->n[2] & mask0) | (a->n[2] & mask1);
- r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1);
- r->n[4] = (r->n[4] & mask0) | (a->n[4] & mask1);
+ secp256k1_fe_cmov_limbs(r->n, a->n, 5, flag);
 #ifdef VERIFY
 if (a->magnitude > r->magnitude) {
 r->magnitude = a->magnitude;
@@ -462,13 +470,7 @@ static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_
 }
 
 static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag) {
- uint64_t mask0, mask1;
- mask0 = flag + ~((uint64_t)0);
- mask1 = ~mask0;
- r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
- r->n[1] = (r->n[1] & mask0) | (a->n[1] & mask1);
- r->n[2] = (r->n[2] & mask0) | (a->n[2] & mask1);
- r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1);
+ secp256k1_fe_cmov_limbs(r->n, a->n, 4, flag);
 }
 
 static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a) {