/* ecc-256.c

   Compile time constant (but machine dependent) tables.

   Copyright (C) 2013, 2014 Niels Möller

   This file is part of GNU Nettle.

   GNU Nettle is free software: you can redistribute it and/or
   modify it under the terms of either:

     * the GNU Lesser General Public License as published by the Free
       Software Foundation; either version 3 of the License, or (at your
       option) any later version.

   or

     * the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your
       option) any later version.

   or both in parallel, as here.

   GNU Nettle is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received copies of the GNU General Public License and
   the GNU Lesser General Public License along with this program.  If
   not, see http://www.gnu.org/licenses/.
*/

/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */

#if HAVE_CONFIG_H
# include "config.h"
#endif

#include <assert.h>

#include "ecc.h"
#include "ecc-internal.h"

/* Select the reduction strategy for the field modulus p.  A native
   (assembly) ecc_256_redc always wins; without one, REDC is used only
   when the generic REDC tables exist, i.e. ECC_REDC_SIZE != 0.  The
   value feeds the nettle_secp_256r1 initializer below, both as a
   standalone entry and in the choice between ecc_256_redc and
   ecc_256_modp. */
#if HAVE_NATIVE_ecc_256_redc
# define USE_REDC 1
#else
# define USE_REDC (ECC_REDC_SIZE != 0)
#endif

#include "ecc-256.h"

/* Bind ecc_256_redc to whatever this build provides: the native
   (assembly) routine, the generic ecc_pp1_redc when ECC_REDC_SIZE > 0,
   or NULL when ECC_REDC_SIZE == 0.  In the NULL case USE_REDC (defined
   above) is also 0, so the ?: in the nettle_secp_256r1 initializer
   never selects the NULL pointer; keep the two conditions in step if
   either changes.
   NOTE(review): the native prototype takes a struct ecc_curve *, while
   ecc_256_modp below takes a struct ecc_modulo *; the two appear in one
   ?: expression in the initializer, so confirm the native build
   compiles cleanly with the intended pointer type. */
#if HAVE_NATIVE_ecc_256_redc
# define ecc_256_redc nettle_ecc_256_redc
void
ecc_256_redc (const struct ecc_curve *ecc, mp_limb_t *rp);
#else /* !HAVE_NATIVE_ecc_256_redc */
# if ECC_REDC_SIZE > 0 
#   define ecc_256_redc ecc_pp1_redc
# elif ECC_REDC_SIZE == 0
#   define ecc_256_redc NULL
# else
#  error Configuration error
# endif
#endif /* !HAVE_NATIVE_ecc_256_redc */

#if ECC_BMODP_SIZE < ECC_LIMB_SIZE
#define ecc_256_modp ecc_mod
#define ecc_256_modq ecc_mod
#elif GMP_NUMB_BITS == 64

/* Reduce the 2*p->size-limb number at rp modulo the secp256r1 prime p,
   leaving the result in the low limbs of rp.  This is the 64-bit-limb
   variant (GMP_NUMB_BITS == 64): the final stores to rp[2] and rp[3]
   and the rp + n - 4 offsets assume p->size == 4.  Each loop iteration
   folds the current top limb u1 into the limbs below it.  Arithmetic on
   the value being reduced is written without data-dependent branches
   (comparisons become 0/1 values or -(mp_limb_t)cond masks, and
   conditional limb operations go through cnd_sub_n/cnd_add_n) —
   presumably so the running time does not depend on the secret input;
   that property is not verified here.  rp must hold at least
   2*p->size limbs. */
static void
ecc_256_modp (const struct ecc_modulo *p, mp_limb_t *rp)
{
  mp_limb_t u1, u0;
  mp_size_t n;

  n = 2*p->size;
  /* u1 is the current top limb, u0 the limb below it; after the
     decrement, n indexes the top limb. */
  u1 = rp[--n];
  u0 = rp[n-1];

  /* This is not particularly fast, but should work well with assembly implementation. */
  for (; n >= p->size; n--)
    {
      mp_limb_t q2, q1, q0, t, cy;

      /* <q2, q1, q0> = v * u1 + <u1,u0>, with v = 2^32 - 1:

	   +---+---+
	   | u1| u0|
	   +---+---+
	       |-u1|
	     +-+-+-+
	     | u1|
       +---+-+-+-+-+
       | q2| q1| q0|
       +---+---+---+
      */
      q1 = u1 - (u1 > u0);
      q0 = u0 - u1;
      t = u1 << 32;
      q0 += t;
      t = (u1 >> 32) + (q0 < t) + 1;
      q1 += t;
      q2 = q1 < t;

      /* Compute candidate remainder */
      u1 = u0 + (q1 << 32) - q1;
      /* t is an all-ones mask when the estimate overshoots; it
	 decrements <q2, q1> (with borrow) and adjusts u1 without a
	 data-dependent branch. */
      t = -(mp_limb_t) (u1 > q0);
      u1 -= t & 0xffffffff;
      q1 += t;
      q2 += t + (q1 < t);

      /* Invariant check only: compiled out when NDEBUG is defined, so
	 it is not a runtime guard. */
      assert (q2 < 2);

      /* We multiply by two low limbs of p, 2^96 - 1, so we could use
	 shifts rather than mul. */
      t = mpn_submul_1 (rp + n - 4, p->m, 2, q1);
      t += cnd_sub_n (q2, rp + n - 3, p->m, 1);
      t += (-q2) & 0xffffffff;

      /* Propagate the accumulated borrow t through the next limb and
	 into u1. */
      u0 = rp[n-2];
      cy = (u0 < t);
      u0 -= t;
      /* t becomes 1 exactly when u1 underflows; in that case add p back:
	 the three low limbs through the masked helper, and what appears
	 to be the top-limb contribution, taken mod 2^64, as the
	 0xffffffff subtraction. */
      t = (u1 < cy);
      u1 -= cy;
      u1 += cnd_add_n (t, rp + n - 4, p->m, 3);
      u1 -= (-t) & 0xffffffff;
    }
  rp[2] = u0;
  rp[3] = u1;
}

/* Reduce the 2*q->size-limb number at rp modulo the secp256r1 group
   order q, leaving the result in the low limbs of rp.  Same structure
   as ecc_256_modp above (64-bit limbs, q->size == 4 assumed by the
   rp + n - 4 offsets and the final rp[2]/rp[3] stores), but q's low
   limbs are not a shift-friendly pattern, so the candidate remainder
   is formed with mpn_submul_1 against q->m and an explicit q->m[1]
   term.  As above, the computation avoids data-dependent branches
   (0/1 comparisons, -(mp_limb_t)cond masks, cnd_sub_n/cnd_add_n),
   presumably for input-independent timing; not verified here.
   rp must hold at least 2*q->size limbs. */
static void
ecc_256_modq (const struct ecc_modulo *q, mp_limb_t *rp)
{
  mp_limb_t u2, u1, u0;
  mp_size_t n;

  n = 2*q->size;
  /* u2 is the current top limb, u1 the one below it; u0 is read per
     iteration. */
  u2 = rp[--n];
  u1 = rp[n-1];

  /* This is not particularly fast, but should work well with assembly implementation. */
  for (; n >= q->size; n--)
    {
      mp_limb_t q2, q1, q0, t, c1, c0;

      /* u0 is not modified again in this iteration. */
      u0 = rp[n-2];
      
      /* <q2, q1, q0> = v * u2 + <u2,u1>, same method as above.

	   +---+---+
	   | u2| u1|
	   +---+---+
	       |-u2|
	     +-+-+-+
	     | u2|
       +---+-+-+-+-+
       | q2| q1| q0|
       +---+---+---+
      */
      q1 = u2 - (u2 > u1);
      q0 = u1 - u2;
      t = u2 << 32;
      q0 += t;
      t = (u2 >> 32) + (q0 < t) + 1;
      q1 += t;
      q2 = q1 < t;

      /* Compute candidate remainder, <u1, u0> - <q2, q1> * (2^128 - 2^96 + 2^64 - 1)
         <u1, u0> + 2^64 q2 + (2^96 - 2^64 + 1) q1 (mod 2^128)

	   +---+---+
	   | u1| u0|
	   +---+---+
	   | q2| q1|
	   +---+---+
	   |-q1|
	 +-+-+-+
	 | q1|
       --+-+-+-+---+
           | u2| u1|
	   +---+---+
      */	 
      u2 = u1 + q2 - q1;
      u1 = u0 + q1;
      u2 += (u1 < q1);
      u2 += (q1 << 32);

      /* All-ones mask when the estimate overshoots: decrements <q2, q1>
	 with borrow and adjusts <u2, u1> correspondingly, branch-free. */
      t = -(mp_limb_t) (u2 >= q0);
      q1 += t;
      q2 += t + (q1 < t);
      u1 += t;
      u2 += (t << 32) + (u1 < t);

      /* Invariant check only: compiled out when NDEBUG is defined. */
      assert (q2 < 2);

      /* Subtract <q2, q1> times the two low limbs of q from the limbs
	 below; c0 collects the borrow out of that subtraction. */
      c0 = cnd_sub_n (q2, rp + n - 3, q->m, 1);
      c0 += (-q2) & q->m[1];
      t = mpn_submul_1 (rp + n - 4, q->m, 2, q1);
      c0 += t;
      c1 = c0 < t;
      
      /* Construct underflow condition. */
      c1 += (u1 < c0);
      /* t is all ones exactly when <u2, u1> underflows. */
      t = - (mp_limb_t) (u2 < c1);

      u1 -= c0;
      u2 -= c1;

      /* Conditional add of q's two high limbs (masked by t); the
	 comment in the original source said "p".
	 NOTE(review): the carry term tests u0, the limb read at the top
	 of the iteration and not modified since, rather than the u1
	 just updated on the line above; confirm against the reference
	 arithmetic and the test suite that this is intended. */
      u1 += t;
      u2 += (t<<32) + (u0 < t);

      /* Conditional add of q's two low limbs, carry into <u2, u1>. */
      t = cnd_add_n (t, rp + n - 4, q->m, 2);
      u1 += t;
      u2 += (u1 < t);
    }
  rp[2] = u1;
  rp[3] = u2;
}
      
#else
#error Unsupported parameters
#endif

/* Curve parameters and operation table for secp256r1 (NIST P-256).
   This is a positional initializer of struct ecc_curve, so the entry
   order must match the struct declared in ecc-internal.h (not visible
   here); review both when either changes.  The first sub-aggregate
   describes the field modulus p (ecc_p, ecc_Bmodp, ecc_256_modp), the
   second the group order q (ecc_q, ecc_Bmodq, ecc_256_modq); the
   remaining entries are scratch sizes, point-operation function
   pointers and precomputed tables, all defined elsewhere. */
const struct ecc_curve nettle_secp_256r1 =
{
  {
    256,
    ECC_LIMB_SIZE,    
    ECC_BMODP_SIZE,
    ECC_REDC_SIZE,
    ecc_p,
    ecc_Bmodp,
    ecc_Bmodp_shifted,
    ecc_redc_ppm1,
    ecc_256_modp,
    /* REDC is used only when USE_REDC (defined above) is nonzero, which
       also guarantees ecc_256_redc is not the NULL fallback. */
    USE_REDC ? ecc_256_redc : ecc_256_modp,
  },
  {
    256,
    ECC_LIMB_SIZE,    
    ECC_BMODQ_SIZE,
    /* No REDC variant for the group order: size 0 and a NULL table,
       and both reduction entries use ecc_256_modq. */
    0,
    ecc_q,
    ecc_Bmodq,
    ecc_Bmodq_shifted,
    NULL,
    ecc_256_modq,
    ecc_256_modq,
  },

  USE_REDC,
  ECC_PIPPENGER_K,
  ECC_PIPPENGER_C,

  ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
  ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
  ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
  ECC_J_TO_A_ITCH (ECC_LIMB_SIZE),

  ecc_add_jjj,
  ecc_mul_a,
  ecc_mul_g,
  ecc_j_to_a,

  ecc_b,
  ecc_g,
  NULL,
  ecc_pp1h,
  ecc_unit,
  ecc_qp1h,
  ecc_table
};