ecc_eh_to_a interface change, optionally reduce x mod q.

d5ca2c64 · Niels Möller · 91784d65 · d5ca2c64 · d5ca2c64 · d5ca2c64
Commit d5ca2c64 authored Aug 28, 2014 by Niels Möller
--- a/ChangeLog
+++ b/ChangeLog
 2014-08-28  Niels Möller  <nisse@lysator.liu.se>

+	* ecc-eh-to-a.c (ecc_eh_to_a): Analogous change as for ecc_j_to_a.
+	The modulo q case (op == 2) is hardcoded for curve25519.
+
 	* ecc-j-to-a.c (ecc_j_to_a): For curves using redc, always convert
 	back from redc form. When producing x coordiante only optionally
 	reduce it modulo q. Completely changes the meaning of the "flags"

--- a/curve25519-mul-g.c
+++ b/curve25519-mul-g.c
@@ -64,7 +64,7 @@ curve25519_mul_g (uint8_t *r, const uint8_t *n)
  mpn_set_base256_le (x, ecc_size, t, CURVE25519_SIZE);

  ecc_mul_g_eh (&nettle_curve25519, p, x, scratch_out);
-  ecc_eh_to_a (&nettle_curve25519, 2, x, p, scratch_out);
+  ecc_eh_to_a (&nettle_curve25519, 1, x, p, scratch_out);

  mpn_get_base256_le (r, CURVE25519_SIZE, x, ecc_size);
  gmp_free_limbs (scratch, itch);

--- a/curve25519-mul.c
+++ b/curve25519-mul.c
@@ -82,7 +82,7 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)
  mpn_set_base256_le (s, ecc->size, t, CURVE25519_SIZE);
  
  ecc_mul_a_eh (ecc, x, s, x, scratch_out);
-  ecc_eh_to_a (ecc, 2, s, x, scratch_out);
+  ecc_eh_to_a (ecc, 1, s, x, scratch_out);
  mpn_get_base256_le (q, CURVE25519_SIZE, s, ecc->size);

  gmp_free_limbs (scratch, itch);

--- a/ecc-eh-to-a.c
+++ b/ecc-eh-to-a.c
@@ -33,6 +33,8 @@
 # include "config.h"
 #endif

+#include <assert.h>
+
 #include "ecc.h"
 #include "ecc-internal.h"

@@ -47,7 +49,7 @@ ecc_eh_to_a_itch (const struct ecc_curve *ecc)
   coordinates on the corresponding Montgomery curve. */
 void
 ecc_eh_to_a (const struct ecc_curve *ecc,
-	     int flags,
+	     int op,
 	     mp_limb_t *r, const mp_limb_t *p,
 	     mp_limb_t *scratch)
 {
@@ -88,10 +90,24 @@ ecc_eh_to_a (const struct ecc_curve *ecc,
  cy = mpn_sub_n (xp, tp, ecc->p, ecc->size);
  cnd_copy (cy, xp, tp, ecc->size);

-  if (flags & 2)
-    /* Skip y coordinate */
-    return;
-  
+  if (op)
+    {
+      /* Skip y coordinate */
+      if (op > 1)
+	{
+	  /* Reduce modulo q. FIXME: Hardcoded for curve25519,
+	     duplicates end of ecc_25519_modq. */
+	  mp_limb_t cy;
+	  unsigned shift;
+	  assert (ecc->bit_size == 255);
+	  shift = 252 - GMP_NUMB_BITS * (ecc->size - 1);
+	  cy = mpn_submul_1 (xp, ecc->q, ecc->size,
+			     xp[ecc->size-1] >> shift);
+	  assert (cy < 2);
+	  cnd_add_n (cy, xp, ecc->q, ecc->size);
+	}
+      return;
+    }
  ecc_modp_add (ecc, sp, wp, vp); /* FIXME: Redundant. Also the (W +
 				     V) Z^-1 multiplication is
 				     redundant. */

--- a/ecc.h
+++ b/ecc.h
@@ -206,7 +206,7 @@ mp_size_t
 ecc_eh_to_a_itch (const struct ecc_curve *ecc);
 void
 ecc_eh_to_a (const struct ecc_curve *ecc,
-	     int flags,
+	     int op,
 	     mp_limb_t *r, const mp_limb_t *p,
 	     mp_limb_t *scratch);