Constify the ladder

2026-01-20 14:25:16 +00:00 · 2020-08-15 11:48:34 +02:00 · 2020-08-15 11:48:34 +02:00 · 5ab69633b7
commit 5ab69633b7
parent d86cde5752
2 changed files with 16 additions and 23 deletions
--- a/lib/std/crypto/25519/curve25519.zig
+++ b/lib/std/crypto/25519/curve25519.zig
@ -43,28 +43,21 @@ pub const Curve25519 = struct {
        var swap: u8 = 0;
        var pos: usize = bits - 1;
        while (true) : (pos -= 1) {
-            const b = (s[pos >> 3] >> @truncate(u3, pos)) & 1;
-            swap ^= b;
+            const bit = (s[pos >> 3] >> @truncate(u3, pos)) & 1;
+            swap ^= bit;
            Fe.cSwap2(&x2, &x3, &z2, &z3, swap);
-            swap = b;
-            var tmp0 = x3.sub(z3);
-            var tmp1 = x2.sub(z2);
-            x2 = x2.add(z2);
-            z2 = x3.add(z3);
-            z3 = tmp0.mul(x2);
-            z2 = z2.mul(tmp1);
-            tmp0 = tmp1.sq();
-            tmp1 = x2.sq();
-            x3 = z3.add(z2);
-            z2 = z3.sub(z2);
-            x2 = tmp1.mul(tmp0);
-            tmp1 = tmp1.sub(tmp0);
-            z2 = z2.sq();
-            z3 = tmp1.mul32(121666);
-            x3 = x3.sq();
-            tmp0 = tmp0.add(z3);
-            z3 = x1.mul(z2);
-            z2 = tmp1.mul(tmp0);
+            swap = bit;
+            const a = x2.add(z2);
+            const b = x2.sub(z2);
+            const aa = a.sq();
+            const bb = b.sq();
+            x2 = aa.mul(bb);
+            const e = aa.sub(bb);
+            const da = x3.sub(z3).mul(a);
+            const cb = x3.add(z3).mul(b);
+            x3 = da.add(cb).sq();
+            z3 = x1.mul(da.sub(cb).sq());
+            z2 = e.mul(bb.add(e.mul32(121666)));
            if (pos == 0) break;
        }
        Fe.cSwap2(&x2, &x3, &z2, &z3, swap);
--- a/lib/std/crypto/25519/edwards25519.zig
+++ b/lib/std/crypto/25519/edwards25519.zig
@ -130,8 +130,8 @@ pub const Edwards25519 = struct {
        var pos: usize = 252;
        while (true) : (pos -= 4) {
            q = q.dbl().dbl().dbl().dbl();
-            const b = (s[pos >> 3] >> @truncate(u3, pos)) & 0xf;
-            q = q.add(pcSelect(pc, b));
+            const bit = (s[pos >> 3] >> @truncate(u3, pos)) & 0xf;
+            q = q.add(pcSelect(pc, bit));
            if (pos == 0) break;
        }
        try q.rejectIdentity();