sm2ec/fiat: regenerate to include more functions and scalar/order related

internal/sm2ec/fiat/generate.go

@@ -30,6 +30,13 @@ var curves = []struct {
 		FiatType: "[4]uint64",
 		BytesLen: 32,
 	},
+	{
+		Element:  "SM2P256OrderElement",
+		Prime:    "2^256 - 2^224 - 188730267045675049073202170516080344797",
+		Prefix:   "sm2p256scalar",
+		FiatType: "[4]uint64",
+		BytesLen: 32,
+	},	
 }
 
 func main() {
@@ -70,7 +77,7 @@ func main() {
 			"--doc-prepend-header", "Code generated by Fiat Cryptography. DO NOT EDIT.",
 			"--package-name", "fiat", "--no-prefix-fiat", c.Prefix, "64", c.Prime,
 			"mul", "square", "add", "sub", "one", "from_montgomery", "to_montgomery",
-			"selectznz", "to_bytes", "from_bytes")
+			"selectznz", "to_bytes", "from_bytes", "nonzero", "opp", "msat", "divstep", "divstep_precomp")
 		cmd.Stderr = os.Stderr
 		out, err := cmd.Output()
 		if err != nil {

internal/sm2ec/fiat/sm2p256_fiat64.go

@@ -1,12 +1,12 @@
 // Code generated by Fiat Cryptography. DO NOT EDIT.
 //
-// Autogenerated: word_by_word_montgomery --lang Go --no-wide-int --cmovznz-by-mul --relax-primitive-carry-to-bitwidth 32,64 --internal-static --public-function-case camelCase --public-type-case camelCase --private-function-case camelCase --private-type-case camelCase --doc-text-before-function-name '' --doc-newline-before-package-declaration --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --package-name fiat --no-prefix-fiat sm2p256 64 '2^256 - 2^224 - 2^96 + 2^64 - 1' mul square add sub one from_montgomery to_montgomery selectznz to_bytes from_bytes
+// Autogenerated: word_by_word_montgomery --lang Go --no-wide-int --cmovznz-by-mul --relax-primitive-carry-to-bitwidth 32,64 --internal-static --public-function-case camelCase --public-type-case camelCase --private-function-case camelCase --private-type-case camelCase --doc-text-before-function-name '' --doc-newline-before-package-declaration --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --package-name fiat --no-prefix-fiat sm2p256 64 '2^256 - 2^224 - 2^96 + 2^64 - 1' mul square add sub one from_montgomery to_montgomery selectznz to_bytes from_bytes nonzero opp msat divstep divstep_precomp
 //
 // curve description: sm2p256
 //
 // machine_wordsize = 64 (from "64")
 //
-// requested operations: mul, square, add, sub, one, from_montgomery, to_montgomery, selectznz, to_bytes, from_bytes
+// requested operations: mul, square, add, sub, one, from_montgomery, to_montgomery, selectznz, to_bytes, from_bytes, nonzero, opp, msat, divstep, divstep_precomp
 //
 // m = 0xfffffffeffffffffffffffffffffffffffffffff00000000ffffffffffffffff (from "2^256 - 2^224 - 2^96 + 2^64 - 1")
 //
@@ -41,7 +41,7 @@ package fiat
 import "math/bits"
 
 type sm2p256Uint1 uint64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927
-type sm2p256Int1 int64   // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927
+type sm2p256Int1 int64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927
 
 // The type sm2p256MontgomeryDomainFieldElement is a field element in the Montgomery domain.
 //
@@ -1315,7 +1315,7 @@ func sm2p256ToMontgomery(out1 *sm2p256MontgomeryDomainFieldElement, arg1 *sm2p25
 // sm2p256Selectznz is a multi-limb conditional select.
 //
 // Postconditions:
-//   eval out1 = (if arg1 = 0 then eval arg2 else eval arg3)
+//   out1 = (if arg1 = 0 then arg2 else arg3)
 //
 // Input Bounds:
 //   arg1: [0x0 ~> 0x1]
@@ -1522,3 +1522,334 @@ func sm2p256FromBytes(out1 *[4]uint64, arg1 *[32]uint8) {
 	out1[2] = x53
 	out1[3] = x60
 }
+
+// sm2p256Nonzero outputs a single non-zero word if the input is non-zero and zero otherwise.
+//
+// Preconditions:
+//   0 ≤ eval arg1 < m
+// Postconditions:
+//   out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0
+//
+// Input Bounds:
+//   arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+// Output Bounds:
+//   out1: [0x0 ~> 0xffffffffffffffff]
+func sm2p256Nonzero(out1 *uint64, arg1 *[4]uint64) {
+	x1 := (arg1[0] | (arg1[1] | (arg1[2] | arg1[3])))
+	*out1 = x1
+}
+
+// sm2p256Opp negates a field element in the Montgomery domain.
+//
+// Preconditions:
+//   0 ≤ eval arg1 < m
+// Postconditions:
+//   eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m
+//   0 ≤ eval out1 < m
+//
+func sm2p256Opp(out1 *sm2p256MontgomeryDomainFieldElement, arg1 *sm2p256MontgomeryDomainFieldElement) {
+	var x1 uint64
+	var x2 uint64
+	x1, x2 = bits.Sub64(uint64(0x0), arg1[0], uint64(0x0))
+	var x3 uint64
+	var x4 uint64
+	x3, x4 = bits.Sub64(uint64(0x0), arg1[1], uint64(sm2p256Uint1(x2)))
+	var x5 uint64
+	var x6 uint64
+	x5, x6 = bits.Sub64(uint64(0x0), arg1[2], uint64(sm2p256Uint1(x4)))
+	var x7 uint64
+	var x8 uint64
+	x7, x8 = bits.Sub64(uint64(0x0), arg1[3], uint64(sm2p256Uint1(x6)))
+	var x9 uint64
+	sm2p256CmovznzU64(&x9, sm2p256Uint1(x8), uint64(0x0), 0xffffffffffffffff)
+	var x10 uint64
+	var x11 uint64
+	x10, x11 = bits.Add64(x1, x9, uint64(0x0))
+	var x12 uint64
+	var x13 uint64
+	x12, x13 = bits.Add64(x3, (x9 & 0xffffffff00000000), uint64(sm2p256Uint1(x11)))
+	var x14 uint64
+	var x15 uint64
+	x14, x15 = bits.Add64(x5, x9, uint64(sm2p256Uint1(x13)))
+	var x16 uint64
+	x16, _ = bits.Add64(x7, (x9 & 0xfffffffeffffffff), uint64(sm2p256Uint1(x15)))
+	out1[0] = x10
+	out1[1] = x12
+	out1[2] = x14
+	out1[3] = x16
+}
+
+// sm2p256Msat returns the saturated representation of the prime modulus.
+//
+// Postconditions:
+//   twos_complement_eval out1 = m
+//   0 ≤ eval out1 < m
+//
+// Output Bounds:
+//   out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+func sm2p256Msat(out1 *[5]uint64) {
+	out1[0] = 0xffffffffffffffff
+	out1[1] = 0xffffffff00000000
+	out1[2] = 0xffffffffffffffff
+	out1[3] = 0xfffffffeffffffff
+	out1[4] = uint64(0x0)
+}
+
+// sm2p256Divstep computes a divstep.
+//
+// Preconditions:
+//   0 ≤ eval arg4 < m
+//   0 ≤ eval arg5 < m
+// Postconditions:
+//   out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1)
+//   twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2)
+//   twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋)
+//   eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m)
+//   eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m)
+//   0 ≤ eval out5 < m
+//   0 ≤ eval out5 < m
+//   0 ≤ eval out2 < m
+//   0 ≤ eval out3 < m
+//
+// Input Bounds:
+//   arg1: [0x0 ~> 0xffffffffffffffff]
+//   arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+//   arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+//   arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+//   arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+// Output Bounds:
+//   out1: [0x0 ~> 0xffffffffffffffff]
+//   out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+//   out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+//   out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+//   out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+func sm2p256Divstep(out1 *uint64, out2 *[5]uint64, out3 *[5]uint64, out4 *[4]uint64, out5 *[4]uint64, arg1 uint64, arg2 *[5]uint64, arg3 *[5]uint64, arg4 *[4]uint64, arg5 *[4]uint64) {
+	var x1 uint64
+	x1, _ = bits.Add64((^arg1), uint64(0x1), uint64(0x0))
+	x3 := (sm2p256Uint1((x1 >> 63)) & (sm2p256Uint1(arg3[0]) & 0x1))
+	var x4 uint64
+	x4, _ = bits.Add64((^arg1), uint64(0x1), uint64(0x0))
+	var x6 uint64
+	sm2p256CmovznzU64(&x6, x3, arg1, x4)
+	var x7 uint64
+	sm2p256CmovznzU64(&x7, x3, arg2[0], arg3[0])
+	var x8 uint64
+	sm2p256CmovznzU64(&x8, x3, arg2[1], arg3[1])
+	var x9 uint64
+	sm2p256CmovznzU64(&x9, x3, arg2[2], arg3[2])
+	var x10 uint64
+	sm2p256CmovznzU64(&x10, x3, arg2[3], arg3[3])
+	var x11 uint64
+	sm2p256CmovznzU64(&x11, x3, arg2[4], arg3[4])
+	var x12 uint64
+	var x13 uint64
+	x12, x13 = bits.Add64(uint64(0x1), (^arg2[0]), uint64(0x0))
+	var x14 uint64
+	var x15 uint64
+	x14, x15 = bits.Add64(uint64(0x0), (^arg2[1]), uint64(sm2p256Uint1(x13)))
+	var x16 uint64
+	var x17 uint64
+	x16, x17 = bits.Add64(uint64(0x0), (^arg2[2]), uint64(sm2p256Uint1(x15)))
+	var x18 uint64
+	var x19 uint64
+	x18, x19 = bits.Add64(uint64(0x0), (^arg2[3]), uint64(sm2p256Uint1(x17)))
+	var x20 uint64
+	x20, _ = bits.Add64(uint64(0x0), (^arg2[4]), uint64(sm2p256Uint1(x19)))
+	var x22 uint64
+	sm2p256CmovznzU64(&x22, x3, arg3[0], x12)
+	var x23 uint64
+	sm2p256CmovznzU64(&x23, x3, arg3[1], x14)
+	var x24 uint64
+	sm2p256CmovznzU64(&x24, x3, arg3[2], x16)
+	var x25 uint64
+	sm2p256CmovznzU64(&x25, x3, arg3[3], x18)
+	var x26 uint64
+	sm2p256CmovznzU64(&x26, x3, arg3[4], x20)
+	var x27 uint64
+	sm2p256CmovznzU64(&x27, x3, arg4[0], arg5[0])
+	var x28 uint64
+	sm2p256CmovznzU64(&x28, x3, arg4[1], arg5[1])
+	var x29 uint64
+	sm2p256CmovznzU64(&x29, x3, arg4[2], arg5[2])
+	var x30 uint64
+	sm2p256CmovznzU64(&x30, x3, arg4[3], arg5[3])
+	var x31 uint64
+	var x32 uint64
+	x31, x32 = bits.Add64(x27, x27, uint64(0x0))
+	var x33 uint64
+	var x34 uint64
+	x33, x34 = bits.Add64(x28, x28, uint64(sm2p256Uint1(x32)))
+	var x35 uint64
+	var x36 uint64
+	x35, x36 = bits.Add64(x29, x29, uint64(sm2p256Uint1(x34)))
+	var x37 uint64
+	var x38 uint64
+	x37, x38 = bits.Add64(x30, x30, uint64(sm2p256Uint1(x36)))
+	var x39 uint64
+	var x40 uint64
+	x39, x40 = bits.Sub64(x31, 0xffffffffffffffff, uint64(0x0))
+	var x41 uint64
+	var x42 uint64
+	x41, x42 = bits.Sub64(x33, 0xffffffff00000000, uint64(sm2p256Uint1(x40)))
+	var x43 uint64
+	var x44 uint64
+	x43, x44 = bits.Sub64(x35, 0xffffffffffffffff, uint64(sm2p256Uint1(x42)))
+	var x45 uint64
+	var x46 uint64
+	x45, x46 = bits.Sub64(x37, 0xfffffffeffffffff, uint64(sm2p256Uint1(x44)))
+	var x48 uint64
+	_, x48 = bits.Sub64(uint64(sm2p256Uint1(x38)), uint64(0x0), uint64(sm2p256Uint1(x46)))
+	x49 := arg4[3]
+	x50 := arg4[2]
+	x51 := arg4[1]
+	x52 := arg4[0]
+	var x53 uint64
+	var x54 uint64
+	x53, x54 = bits.Sub64(uint64(0x0), x52, uint64(0x0))
+	var x55 uint64
+	var x56 uint64
+	x55, x56 = bits.Sub64(uint64(0x0), x51, uint64(sm2p256Uint1(x54)))
+	var x57 uint64
+	var x58 uint64
+	x57, x58 = bits.Sub64(uint64(0x0), x50, uint64(sm2p256Uint1(x56)))
+	var x59 uint64
+	var x60 uint64
+	x59, x60 = bits.Sub64(uint64(0x0), x49, uint64(sm2p256Uint1(x58)))
+	var x61 uint64
+	sm2p256CmovznzU64(&x61, sm2p256Uint1(x60), uint64(0x0), 0xffffffffffffffff)
+	var x62 uint64
+	var x63 uint64
+	x62, x63 = bits.Add64(x53, x61, uint64(0x0))
+	var x64 uint64
+	var x65 uint64
+	x64, x65 = bits.Add64(x55, (x61 & 0xffffffff00000000), uint64(sm2p256Uint1(x63)))
+	var x66 uint64
+	var x67 uint64
+	x66, x67 = bits.Add64(x57, x61, uint64(sm2p256Uint1(x65)))
+	var x68 uint64
+	x68, _ = bits.Add64(x59, (x61 & 0xfffffffeffffffff), uint64(sm2p256Uint1(x67)))
+	var x70 uint64
+	sm2p256CmovznzU64(&x70, x3, arg5[0], x62)
+	var x71 uint64
+	sm2p256CmovznzU64(&x71, x3, arg5[1], x64)
+	var x72 uint64
+	sm2p256CmovznzU64(&x72, x3, arg5[2], x66)
+	var x73 uint64
+	sm2p256CmovznzU64(&x73, x3, arg5[3], x68)
+	x74 := (sm2p256Uint1(x22) & 0x1)
+	var x75 uint64
+	sm2p256CmovznzU64(&x75, x74, uint64(0x0), x7)
+	var x76 uint64
+	sm2p256CmovznzU64(&x76, x74, uint64(0x0), x8)
+	var x77 uint64
+	sm2p256CmovznzU64(&x77, x74, uint64(0x0), x9)
+	var x78 uint64
+	sm2p256CmovznzU64(&x78, x74, uint64(0x0), x10)
+	var x79 uint64
+	sm2p256CmovznzU64(&x79, x74, uint64(0x0), x11)
+	var x80 uint64
+	var x81 uint64
+	x80, x81 = bits.Add64(x22, x75, uint64(0x0))
+	var x82 uint64
+	var x83 uint64
+	x82, x83 = bits.Add64(x23, x76, uint64(sm2p256Uint1(x81)))
+	var x84 uint64
+	var x85 uint64
+	x84, x85 = bits.Add64(x24, x77, uint64(sm2p256Uint1(x83)))
+	var x86 uint64
+	var x87 uint64
+	x86, x87 = bits.Add64(x25, x78, uint64(sm2p256Uint1(x85)))
+	var x88 uint64
+	x88, _ = bits.Add64(x26, x79, uint64(sm2p256Uint1(x87)))
+	var x90 uint64
+	sm2p256CmovznzU64(&x90, x74, uint64(0x0), x27)
+	var x91 uint64
+	sm2p256CmovznzU64(&x91, x74, uint64(0x0), x28)
+	var x92 uint64
+	sm2p256CmovznzU64(&x92, x74, uint64(0x0), x29)
+	var x93 uint64
+	sm2p256CmovznzU64(&x93, x74, uint64(0x0), x30)
+	var x94 uint64
+	var x95 uint64
+	x94, x95 = bits.Add64(x70, x90, uint64(0x0))
+	var x96 uint64
+	var x97 uint64
+	x96, x97 = bits.Add64(x71, x91, uint64(sm2p256Uint1(x95)))
+	var x98 uint64
+	var x99 uint64
+	x98, x99 = bits.Add64(x72, x92, uint64(sm2p256Uint1(x97)))
+	var x100 uint64
+	var x101 uint64
+	x100, x101 = bits.Add64(x73, x93, uint64(sm2p256Uint1(x99)))
+	var x102 uint64
+	var x103 uint64
+	x102, x103 = bits.Sub64(x94, 0xffffffffffffffff, uint64(0x0))
+	var x104 uint64
+	var x105 uint64
+	x104, x105 = bits.Sub64(x96, 0xffffffff00000000, uint64(sm2p256Uint1(x103)))
+	var x106 uint64
+	var x107 uint64
+	x106, x107 = bits.Sub64(x98, 0xffffffffffffffff, uint64(sm2p256Uint1(x105)))
+	var x108 uint64
+	var x109 uint64
+	x108, x109 = bits.Sub64(x100, 0xfffffffeffffffff, uint64(sm2p256Uint1(x107)))
+	var x111 uint64
+	_, x111 = bits.Sub64(uint64(sm2p256Uint1(x101)), uint64(0x0), uint64(sm2p256Uint1(x109)))
+	var x112 uint64
+	x112, _ = bits.Add64(x6, uint64(0x1), uint64(0x0))
+	x114 := ((x80 >> 1) | ((x82 << 63) & 0xffffffffffffffff))
+	x115 := ((x82 >> 1) | ((x84 << 63) & 0xffffffffffffffff))
+	x116 := ((x84 >> 1) | ((x86 << 63) & 0xffffffffffffffff))
+	x117 := ((x86 >> 1) | ((x88 << 63) & 0xffffffffffffffff))
+	x118 := ((x88 & 0x8000000000000000) | (x88 >> 1))
+	var x119 uint64
+	sm2p256CmovznzU64(&x119, sm2p256Uint1(x48), x39, x31)
+	var x120 uint64
+	sm2p256CmovznzU64(&x120, sm2p256Uint1(x48), x41, x33)
+	var x121 uint64
+	sm2p256CmovznzU64(&x121, sm2p256Uint1(x48), x43, x35)
+	var x122 uint64
+	sm2p256CmovznzU64(&x122, sm2p256Uint1(x48), x45, x37)
+	var x123 uint64
+	sm2p256CmovznzU64(&x123, sm2p256Uint1(x111), x102, x94)
+	var x124 uint64
+	sm2p256CmovznzU64(&x124, sm2p256Uint1(x111), x104, x96)
+	var x125 uint64
+	sm2p256CmovznzU64(&x125, sm2p256Uint1(x111), x106, x98)
+	var x126 uint64
+	sm2p256CmovznzU64(&x126, sm2p256Uint1(x111), x108, x100)
+	*out1 = x112
+	out2[0] = x7
+	out2[1] = x8
+	out2[2] = x9
+	out2[3] = x10
+	out2[4] = x11
+	out3[0] = x114
+	out3[1] = x115
+	out3[2] = x116
+	out3[3] = x117
+	out3[4] = x118
+	out4[0] = x119
+	out4[1] = x120
+	out4[2] = x121
+	out4[3] = x122
+	out5[0] = x123
+	out5[1] = x124
+	out5[2] = x125
+	out5[3] = x126
+}
+
+// sm2p256DivstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form).
+//
+// Postconditions:
+//   eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋)
+//   0 ≤ eval out1 < m
+//
+// Output Bounds:
+//   out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
+func sm2p256DivstepPrecomp(out1 *[4]uint64) {
+	out1[0] = 0x500000028ffffffe
+	out1[1] = 0xe80000009ffffffe
+	out1[2] = 0xd00000018ffffffe
+	out1[3] = 0x280000011ffffffd
+}

internal/sm2ec/fiat/sm2p256scalar.go

@@ -0,0 +1,133 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Code generated by generate.go. DO NOT EDIT.
+
+package fiat
+
+import (
+	"crypto/subtle"
+	"errors"
+)
+
+// SM2P256OrderElement is an integer modulo 2^256 - 2^224 - 188730267045675049073202170516080344797.
+//
+// The zero value is a valid zero element.
+type SM2P256OrderElement struct {
+	// Values are represented internally always in the Montgomery domain, and
+	// converted in Bytes and SetBytes.
+	x sm2p256scalarMontgomeryDomainFieldElement
+}
+
+const sm2p256scalarElementLen = 32
+
+type sm2p256scalarUntypedFieldElement = [4]uint64
+
+// One sets e = 1, and returns e.
+func (e *SM2P256OrderElement) One() *SM2P256OrderElement {
+	sm2p256scalarSetOne(&e.x)
+	return e
+}
+
+// Equal returns 1 if e == t, and zero otherwise.
+func (e *SM2P256OrderElement) Equal(t *SM2P256OrderElement) int {
+	eBytes := e.Bytes()
+	tBytes := t.Bytes()
+	return subtle.ConstantTimeCompare(eBytes, tBytes)
+}
+
+// IsZero returns 1 if e == 0, and zero otherwise.
+func (e *SM2P256OrderElement) IsZero() int {
+	zero := make([]byte, sm2p256scalarElementLen)
+	eBytes := e.Bytes()
+	return subtle.ConstantTimeCompare(eBytes, zero)
+}
+
+// Set sets e = t, and returns e.
+func (e *SM2P256OrderElement) Set(t *SM2P256OrderElement) *SM2P256OrderElement {
+	e.x = t.x
+	return e
+}
+
+// Bytes returns the 32-byte big-endian encoding of e.
+func (e *SM2P256OrderElement) Bytes() []byte {
+	// This function is outlined to make the allocations inline in the caller
+	// rather than happen on the heap.
+	var out [sm2p256scalarElementLen]byte
+	return e.bytes(&out)
+}
+
+func (e *SM2P256OrderElement) bytes(out *[sm2p256scalarElementLen]byte) []byte {
+	var tmp sm2p256scalarNonMontgomeryDomainFieldElement
+	sm2p256scalarFromMontgomery(&tmp, &e.x)
+	sm2p256scalarToBytes(out, (*sm2p256scalarUntypedFieldElement)(&tmp))
+	sm2p256scalarInvertEndianness(out[:])
+	return out[:]
+}
+
+// SetBytes sets e = v, where v is a big-endian 32-byte encoding, and returns e.
+// If v is not 32 bytes or it encodes a value higher than 2^256 - 2^224 - 188730267045675049073202170516080344797,
+// SetBytes returns nil and an error, and e is unchanged.
+func (e *SM2P256OrderElement) SetBytes(v []byte) (*SM2P256OrderElement, error) {
+	if len(v) != sm2p256scalarElementLen {
+		return nil, errors.New("invalid SM2P256OrderElement encoding")
+	}
+	/*
+	// Check for non-canonical encodings (p + k, 2p + k, etc.) by comparing to
+	// the encoding of -1 mod p, so p - 1, the highest canonical encoding.
+	var minusOneEncoding = new(SM2P256OrderElement).Sub(
+		new(SM2P256OrderElement), new(SM2P256OrderElement).One()).Bytes()
+	for i := range v {
+		if v[i] < minusOneEncoding[i] {
+			break
+		}
+		if v[i] > minusOneEncoding[i] {
+			return nil, errors.New("invalid SM2P256OrderElement encoding")
+		}
+	}*/
+	var in [sm2p256scalarElementLen]byte
+	copy(in[:], v)
+	sm2p256scalarInvertEndianness(in[:])
+	var tmp sm2p256scalarNonMontgomeryDomainFieldElement
+	sm2p256scalarFromBytes((*sm2p256scalarUntypedFieldElement)(&tmp), &in)
+	sm2p256scalarToMontgomery(&e.x, &tmp)
+	return e, nil
+}
+
+// Add sets e = t1 + t2, and returns e.
+func (e *SM2P256OrderElement) Add(t1, t2 *SM2P256OrderElement) *SM2P256OrderElement {
+	sm2p256scalarAdd(&e.x, &t1.x, &t2.x)
+	return e
+}
+
+// Sub sets e = t1 - t2, and returns e.
+func (e *SM2P256OrderElement) Sub(t1, t2 *SM2P256OrderElement) *SM2P256OrderElement {
+	sm2p256scalarSub(&e.x, &t1.x, &t2.x)
+	return e
+}
+
+// Mul sets e = t1 * t2, and returns e.
+func (e *SM2P256OrderElement) Mul(t1, t2 *SM2P256OrderElement) *SM2P256OrderElement {
+	sm2p256scalarMul(&e.x, &t1.x, &t2.x)
+	return e
+}
+
+// Square sets e = t * t, and returns e.
+func (e *SM2P256OrderElement) Square(t *SM2P256OrderElement) *SM2P256OrderElement {
+	sm2p256scalarSquare(&e.x, &t.x)
+	return e
+}
+
+// Select sets v to a if cond == 1, and to b if cond == 0.
+func (v *SM2P256OrderElement) Select(a, b *SM2P256OrderElement, cond int) *SM2P256OrderElement {
+	sm2p256scalarSelectznz((*sm2p256scalarUntypedFieldElement)(&v.x), sm2p256scalarUint1(cond),
+		(*sm2p256scalarUntypedFieldElement)(&b.x), (*sm2p256scalarUntypedFieldElement)(&a.x))
+	return v
+}
+
+func sm2p256scalarInvertEndianness(v []byte) {
+	for i := 0; i < len(v)/2; i++ {
+		v[i], v[len(v)-1-i] = v[len(v)-1-i], v[i]
+	}
+}

internal/sm2ec/fiat/sm2p256scalar_invert.go

@@ -0,0 +1,201 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+// Code generated by addchain. DO NOT EDIT.
+package fiat
+
+// Invert sets e = 1/x, and returns e.
+//
+// If x == 0, Invert returns e = 0.
+func (e *SM2P256OrderElement) Invert(x *SM2P256OrderElement) *SM2P256OrderElement {
+	// Inversion is implemented as exponentiation with exponent p − 2.
+	// The sequence of 41 multiplications and 253 squarings is derived from the
+	// following addition chain generated with github.com/mmcloughlin/addchain v0.4.0.
+	//
+	//	_10      = 2*1
+	//	_11      = 1 + _10
+	//	_100     = 1 + _11
+	//	_101     = 1 + _100
+	//	_111     = _10 + _101
+	//	_1001    = _10 + _111
+	//	_1101    = _100 + _1001
+	//	_1111    = _10 + _1101
+	//	_11110   = 2*_1111
+	//	_11111   = 1 + _11110
+	//	_111110  = 2*_11111
+	//	_111111  = 1 + _111110
+	//	_1111110 = 2*_111111
+	//	i20      = _1111110 << 6 + _1111110
+	//	x18      = i20 << 5 + _111111
+	//	x31      = x18 << 13 + i20 + 1
+	//	i42      = 2*x31
+	//	i44      = i42 << 2
+	//	i140     = ((i44 << 32 + i44) << 29 + i42) << 33
+	//	i150     = ((i44 + i140 + _111) << 4 + _111) << 3
+	//	i170     = ((1 + i150) << 11 + _1111) << 6 + _11111
+	//	i183     = ((i170 << 5 + _1101) << 3 + _11) << 3
+	//	i198     = ((1 + i183) << 7 + _111) << 5 + _11
+	//	i219     = ((i198 << 9 + _101) << 5 + _101) << 5
+	//	i231     = ((_1101 + i219) << 5 + _1001) << 4 + _1101
+	//	i244     = ((i231 << 2 + _11) << 7 + _111111) << 2
+	//	i262     = ((1 + i244) << 10 + _1001) << 5 + _111
+	//	i277     = ((i262 << 5 + _111) << 4 + _101) << 4
+	//	return     ((_101 + i277) << 9 + _1001) << 5 + 1
+	//
+	var z = new(SM2P256OrderElement).Set(e)
+	var t0 = new(SM2P256OrderElement)
+	var t1 = new(SM2P256OrderElement)
+	var t2 = new(SM2P256OrderElement)
+	var t3 = new(SM2P256OrderElement)
+	var t4 = new(SM2P256OrderElement)
+	var t5 = new(SM2P256OrderElement)
+	var t6 = new(SM2P256OrderElement)
+	var t7 = new(SM2P256OrderElement)
+	var t8 = new(SM2P256OrderElement)
+	var t9 = new(SM2P256OrderElement)
+
+	t2.Square(x)
+	t3.Mul(x, t2)
+	t4.Mul(x, t3)
+	t0.Mul(x, t4)
+	t1.Mul(t2, t0)
+	z.Mul(t2, t1)
+	t4.Mul(t4, z)
+	t6.Mul(t2, t4)
+	t2.Square(t6)
+	t5.Mul(x, t2)
+	t2.Square(t5)
+	t2.Mul(x, t2)
+	t7.Square(t2)
+	t8.Square(t7)
+	for s := 1; s < 6; s++ {
+		t8.Square(t8)
+	}
+	t7.Mul(t7, t8)
+	t8.Square(t7)
+	for s := 1; s < 5; s++ {
+		t8.Square(t8)
+	}
+	t8.Mul(t2, t8)
+	for s := 0; s < 13; s++ {
+		t8.Square(t8)
+	}
+	t7.Mul(t7, t8)
+	t7.Mul(x, t7)
+	t8.Square(t7)
+	t7.Square(t8)
+	for s := 1; s < 2; s++ {
+		t7.Square(t7)
+	}
+	t9.Square(t7)
+	for s := 1; s < 32; s++ {
+		t9.Square(t9)
+	}
+	t9.Mul(t7, t9)
+	for s := 0; s < 29; s++ {
+		t9.Square(t9)
+	}
+	t8.Mul(t8, t9)
+	for s := 0; s < 33; s++ {
+		t8.Square(t8)
+	}
+	t7.Mul(t7, t8)
+	t7.Mul(t1, t7)
+	for s := 0; s < 4; s++ {
+		t7.Square(t7)
+	}
+	t7.Mul(t1, t7)
+	for s := 0; s < 3; s++ {
+		t7.Square(t7)
+	}
+	t7.Mul(x, t7)
+	for s := 0; s < 11; s++ {
+		t7.Square(t7)
+	}
+	t6.Mul(t6, t7)
+	for s := 0; s < 6; s++ {
+		t6.Square(t6)
+	}
+	t5.Mul(t5, t6)
+	for s := 0; s < 5; s++ {
+		t5.Square(t5)
+	}
+	t5.Mul(t4, t5)
+	for s := 0; s < 3; s++ {
+		t5.Square(t5)
+	}
+	t5.Mul(t3, t5)
+	for s := 0; s < 3; s++ {
+		t5.Square(t5)
+	}
+	t5.Mul(x, t5)
+	for s := 0; s < 7; s++ {
+		t5.Square(t5)
+	}
+	t5.Mul(t1, t5)
+	for s := 0; s < 5; s++ {
+		t5.Square(t5)
+	}
+	t5.Mul(t3, t5)
+	for s := 0; s < 9; s++ {
+		t5.Square(t5)
+	}
+	t5.Mul(t0, t5)
+	for s := 0; s < 5; s++ {
+		t5.Square(t5)
+	}
+	t5.Mul(t0, t5)
+	for s := 0; s < 5; s++ {
+		t5.Square(t5)
+	}
+	t5.Mul(t4, t5)
+	for s := 0; s < 5; s++ {
+		t5.Square(t5)
+	}
+	t5.Mul(z, t5)
+	for s := 0; s < 4; s++ {
+		t5.Square(t5)
+	}
+	t4.Mul(t4, t5)
+	for s := 0; s < 2; s++ {
+		t4.Square(t4)
+	}
+	t3.Mul(t3, t4)
+	for s := 0; s < 7; s++ {
+		t3.Square(t3)
+	}
+	t2.Mul(t2, t3)
+	for s := 0; s < 2; s++ {
+		t2.Square(t2)
+	}
+	t2.Mul(x, t2)
+	for s := 0; s < 10; s++ {
+		t2.Square(t2)
+	}
+	t2.Mul(z, t2)
+	for s := 0; s < 5; s++ {
+		t2.Square(t2)
+	}
+	t2.Mul(t1, t2)
+	for s := 0; s < 5; s++ {
+		t2.Square(t2)
+	}
+	t1.Mul(t1, t2)
+	for s := 0; s < 4; s++ {
+		t1.Square(t1)
+	}
+	t1.Mul(t0, t1)
+	for s := 0; s < 4; s++ {
+		t1.Square(t1)
+	}
+	t0.Mul(t0, t1)
+	for s := 0; s < 9; s++ {
+		t0.Square(t0)
+	}
+	z.Mul(z, t0)
+	for s := 0; s < 5; s++ {
+		z.Square(z)
+	}
+	z.Mul(x, z)
+	return e.Set(z)
+}

internal/sm2ec/sm2p256_ord.go

@@ -20,87 +20,12 @@ func P256OrdInverse(k []byte) ([]byte, error) {
 		return nil, errors.New("invalid scalar length")
 	}
 	x := new(fiat.SM2P256OrderElement)
-	_1 := new(fiat.SM2P256OrderElement)
+	_, err := x.SetBytes(k)
-	_, err := _1.SetBytes(k)
 	if err != nil {
 		return nil, err
 	}
-
+	xinv := new(fiat.SM2P256OrderElement).Invert(x)
-	_11 := new(fiat.SM2P256OrderElement)
+	return xinv.Bytes(), nil
-	_101 := new(fiat.SM2P256OrderElement)
-	_111 := new(fiat.SM2P256OrderElement)
-	_1111 := new(fiat.SM2P256OrderElement)
-	_10101 := new(fiat.SM2P256OrderElement)
-	_101111 := new(fiat.SM2P256OrderElement)
-	t := new(fiat.SM2P256OrderElement)
-	m := new(fiat.SM2P256OrderElement)
-
-	m.Square(_1)
-	_11.Mul(m, _1)
-	_101.Mul(m, _11)
-	_111.Mul(m, _101)
-	x.Square(_101)
-	_1111.Mul(_101, x)
-
-	t.Square(x)
-	_10101.Mul(t, _1)
-	x.Square(_10101)
-	_101111.Mul(x, _101)
-	x.Mul(_10101, x)
-	t.Square(x)
-	t.Square(t)
-
-	m.Mul(t, m)
-	t.Mul(t, _11)
-	x.Square(t)
-	for i := 1; i < 8; i++ {
-		x.Square(x)
-	}
-	m.Mul(x, m)
-	x.Mul(x, t)
-
-	t.Square(x)
-	for i := 1; i < 16; i++ {
-		t.Square(t)
-	}
-	m.Mul(t, m)
-	t.Mul(t, x)
-
-	x.Square(m)
-	for i := 1; i < 32; i++ {
-		x.Square(x)
-	}
-	x.Mul(x, t)
-	for i := 0; i < 32; i++ {
-		x.Square(x)
-	}
-	x.Mul(x, t)
-	for i := 0; i < 32; i++ {
-		x.Square(x)
-	}
-	x.Mul(x, t)
-
-	sqrs := []uint8{
-		4, 3, 11, 5, 3, 5, 1,
-		3, 7, 5, 9, 7, 5, 5,
-		4, 5, 2, 2, 7, 3, 5,
-		5, 6, 2, 6, 3, 5,
-	}
-	muls := []*fiat.SM2P256OrderElement{
-		_111, _1, _1111, _1111, _101, _10101, _1,
-		_1, _111, _11, _101, _10101, _10101, _111,
-		_111, _1111, _11, _1, _1, _1, _111,
-		_111, _10101, _1, _1, _1, _1}
-
-	for i, s := range sqrs {
-		for j := 0; j < int(s); j++ {
-			x.Square(x)
-		}
-		x.Mul(x, muls[i])
-	}
-
-	return x.Bytes(), nil
-
 }
 
 // P256OrdMul multiplication modulo org(G).