我正在尝试实现 D.J. Bernstein 的 Poly1305 算法。在阅读他的 C 实现中的 poly1305_init 函数时,我无法弄清楚他在下面这部分代码中,为了在保证性能的同时避免计时攻击而采用的算术策略是什么:
/*
 * Excerpt of poly1305_init (the rest of the body is elided by "......").
 * The visible lines load the first 16 key bytes as the multiplier r, apply
 * the Poly1305 clamp, and store the result as five 26-bit limbs in
 * st->r[0..4].
 *
 * Limb i holds bits 26*i .. 26*i+25 of r. Each load starts at byte 3*i
 * (bit 24*i) and is shifted right by 2*i bits, so bit 24*i + 2*i = 26*i of r
 * lands at bit 0 of the limb.
 *
 * Only loads, shifts and ANDs with fixed constants appear in these lines:
 * no branch and no array index depends on the key bytes.
 *
 * NOTE(review): assumes U8TO32 is an unaligned little-endian 32-bit load;
 * the helper is not shown here -- confirm.
 * NOTE(review): presumably 26-bit limbs are used so that a limb product
 * (at most 52 bits) and a sum of five such products fit a 64-bit
 * accumulator without intermediate carries; the multiply code is elided
 * here -- verify against the full source.
 */
void poly1305_init(poly1305_context *ctx, const unsigned char key[32]) {
/*
 * NOTE(review): this cast is only sound if the internal state is no larger
 * than poly1305_context and its alignment requirement is met; a
 * compile-time size assertion would make that explicit.
 */
poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx;
/*
 * r &= 0xffffffc0ffffffc0ffffffc0fffffff
 * Read as a 128-bit value with an implied leading zero nibble:
 * 0x0ffffffc 0ffffffc 0ffffffc 0fffffff. The clamp clears bits 28-33,
 * 60-65, 92-97 and 124-127 of r. Each mask below combines "keep 26 bits"
 * (0x3ffffff) with the clamp bits that fall inside that limb.
 */
/* limb 0 = bits 0-25; no clamp bit falls in this range */
st->r[0] = (U8TO32(&key[ 0]) ) & 0x3ffffff;
/* limb 1 = bits 26-51; mask zeroes limb bits 2-7, i.e. bits 28-33 of r */
st->r[1] = (U8TO32(&key[ 3]) >> 2) & 0x3ffff03;
/* limb 2 = bits 52-77; mask zeroes limb bits 8-13, i.e. bits 60-65 of r */
st->r[2] = (U8TO32(&key[ 6]) >> 4) & 0x3ffc0ff;
/* limb 3 = bits 78-103; mask zeroes limb bits 14-19, i.e. bits 92-97 of r */
st->r[3] = (U8TO32(&key[ 9]) >> 6) & 0x3f03fff;
/* limb 4 = bits 104-123; the 20-bit mask also drops clamped bits 124-127 */
st->r[4] = (U8TO32(&key[12]) >> 8) & 0x00fffff;
......
......
}
/*
 * Internal Poly1305 state. poly1305_init obtains a pointer to it by casting
 * the caller's poly1305_context, so this layout must fit inside that
 * context's storage.
 *
 * NOTE(review): r is derived from the secret key, so the context should be
 * zeroized once the MAC is finished; the finish routine is not shown in
 * this excerpt -- confirm it does so.
 */
struct poly1305_state_internal_t {
    /* Multiplier r as five limbs; poly1305_init masks each to at most 26 bits. */
    unsigned long r[5];
    /* NOTE(review): presumably the running accumulator limbs -- not used in the visible code. */
    unsigned long h[5];
    /* NOTE(review): presumably the second key half (key[16..31]) -- set in elided code, confirm. */
    unsigned long pad[4];
    /* NOTE(review): presumably the count of bytes pending in buffer -- confirm. */
    size_t leftover;
    /* Staging storage of poly1305_block_size bytes. */
    unsigned char buffer[poly1305_block_size];
    /* NOTE(review): presumably a flag marking the final block -- confirm. */
    unsigned char final;
};

typedef struct poly1305_state_internal_t poly1305_state_internal_t;
/*
 * Caller-visible Poly1305 context: opaque storage that poly1305_init
 * reinterprets as poly1305_state_internal_t through a pointer cast.
 *
 * NOTE(review): that cast requires sizeof(poly1305_state_internal_t) to be
 * no larger than sizeof(poly1305_context); the internal struct uses
 * unsigned long, whose width differs between ABIs, so the bound is worth
 * checking at compile time.
 */
struct poly1305_context {
    /* NOTE(review): presumably present only to give the storage size_t alignment. */
    size_t aligner;
    /* Raw bytes backing the internal state. */
    unsigned char opaque[136];
};

typedef struct poly1305_context poly1305_context;
这个文件中其余的代码我都看懂了。谁能帮我理解他在这里使用的逻辑?