in FourQ_32bit/crypto_util.c [46:133]
ECCRYPTO_STATUS decode(const unsigned char* Pencoded, point_t P)
{ // Decode point P
// SECURITY NOTE: this function does not run in constant time.
velm_t r, t, t0, t1, t2, t3, t4;
v2elm_t u, v, one = {0};
digit_t sign_dec;
vpoint_extproj_t R;
vpoint_t VP;
unsigned int i, sign;
one[0] = 1;
memmove((unsigned char*)P->y, Pencoded, 32); // Decoding y-coordinate and sign
sign = (unsigned int)(Pencoded[31] >> 7);
P->y[1][NWORDS_FIELD-1] &= mask7fff;
from_std_to_ext(P->y, VP->y);
v2sqr1271(VP->y, u);
v2mul1271(u, (digit_t*)&PARAMETER_d, v);
v2sub1271(u, one, u);
v2add1271(v, one, v);
vsqr1271(&v[0], t0); // t0 = v0^2
vsqr1271(&v[VWORDS_FIELD], t1); // t1 = v1^2
vadd1271(t0, t1, t0); // t0 = t0+t1
vmul1271(&u[0], &v[0], t1); // t1 = u0*v0
vmul1271(&u[VWORDS_FIELD], &v[VWORDS_FIELD], t2); // t2 = u1*v1
vadd1271(t1, t2, t1); // t1 = t1+t2
vmul1271(&u[VWORDS_FIELD], &v[0], t2); // t2 = u1*v0
vmul1271(&u[0], &v[VWORDS_FIELD], t3); // t3 = u0*v1
vsub1271(t2, t3, t2); // t2 = t2-t3
vsqr1271(t1, t3); // t3 = t1^2
vsqr1271(t2, t4); // t4 = t2^2
vadd1271(t3, t4, t3); // t3 = t3+t4
for (i = 0; i < 125; i++) { // t3 = t3^(2^125)
vsqr1271(t3, t3);
}
vadd1271(t1, t3, t); // t = t1+t3
vmod1271(t, t);
if (is_zero_ct(t, VWORDS_FIELD) == true) {
vsub1271(t1, t3, t); // t = t1-t3
}
vadd1271(t, t, t); // t = 2*t
vsqr1271(t0, t3); // t3 = t0^2
vmul1271(t0, t3, t3); // t3 = t3*t0
vmul1271(t, t3, t3); // t3 = t3*t
vexp1251(t3, r); // r = t3^(2^125-1)
vmul1271(t0, r, t3); // t3 = t0*r
vmul1271(t, t3, &VP->x[0]); // x0 = t*t3
vsqr1271(&VP->x[0], t1);
vmul1271(t0, t1, t1); // t1 = t0*x0^2
vdiv1271(&VP->x[0]); // x0 = x0/2
vmul1271(t2, t3, &VP->x[VWORDS_FIELD]); // x1 = t3*t2
vsub1271(t, t1, t);
vmod1271(t, t);
if (is_zero_ct(t, VWORDS_FIELD) == false) { // If t != t1 then swap x0 and x1
memmove((unsigned char*)t0, (unsigned char*)&VP->x[0], 20);
memmove((unsigned char*)&VP->x[0], (unsigned char*)&VP->x[VWORDS_FIELD], 20);
memmove((unsigned char*)&VP->x[VWORDS_FIELD], (unsigned char*)t0, 20);
}
v2mod1271(VP->x, VP->x);
if (is_zero_ct(VP->x, VWORDS_FIELD) == true) {
sign_dec = VP->x[2*VWORDS_FIELD-1] >> 22;
} else {
sign_dec = VP->x[VWORDS_FIELD-1] >> 22;
}
if (sign != (unsigned int)sign_dec) { // If sign of x-coordinate decoded != input sign bit, then negate x-coordinate
v2neg1271(VP->x);
}
v2mod1271(VP->x, R->x);
v2mod1271(VP->y, R->y);
if (ecc_point_validate(R) == false) {
vneg1271(&R->x[VWORDS_FIELD]);
if (ecc_point_validate(R) == false) { // Final point validation
return ECCRYPTO_ERROR;
}
}
v2mod1271(R->x, R->x);
from_ext_to_std(R->x, P->x);
from_ext_to_std(R->y, P->y);
return ECCRYPTO_SUCCESS;
}