/* ecc-256.c

   Compile time constant (but machine dependent) tables.

   Copyright (C) 2013, 2014 Niels Möller

   This file is part of GNU Nettle.

   GNU Nettle is free software: you can redistribute it and/or
   modify it under the terms of either:

     * the GNU Lesser General Public License as published by the Free
       Software Foundation; either version 3 of the License, or (at your
       option) any later version.

   or

     * the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your
       option) any later version.

   or both in parallel, as here.

   GNU Nettle is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received copies of the GNU General Public License and
   the GNU Lesser General Public License along with this program.  If
   not, see http://www.gnu.org/licenses/.
*/

/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */

#if HAVE_CONFIG_H
# include "config.h"
#endif

#include <assert.h>

#include "ecc.h"
#include "ecc-internal.h"

/* USE_REDC decides which field reduction nettle_secp_256r1 (below)
   dispatches to: ecc_256_redc when nonzero, ecc_256_modp otherwise.
   A native (assembly) ecc_256_redc forces it on; otherwise it follows
   whether the configured ECC_REDC_SIZE is nonzero. */
#if HAVE_NATIVE_ecc_256_redc
# define USE_REDC 1
#else
# define USE_REDC (ECC_REDC_SIZE != 0)
#endif

#include "ecc-256.h"

/* Bind ecc_256_redc: to the native implementation when there is one,
   else to ecc_pp1_redc when ECC_REDC_SIZE > 0, else to NULL (in which
   case USE_REDC above is 0 as well, so the NULL is never called through
   the curve struct).  A negative ECC_REDC_SIZE is a configuration
   error. */
#if HAVE_NATIVE_ecc_256_redc
# define ecc_256_redc nettle_ecc_256_redc
void
ecc_256_redc (const struct ecc_curve *ecc, mp_limb_t *rp);
#else /* !HAVE_NATIVE_ecc_256_redc */
# if ECC_REDC_SIZE > 0 
#   define ecc_256_redc ecc_pp1_redc
# elif ECC_REDC_SIZE == 0
#   define ecc_256_redc NULL
# else
#  error Configuration error
# endif
#endif /* !HAVE_NATIVE_ecc_256_redc */

/* Select the reduction routines.  When ECC_BMODP_SIZE (presumably the
   limb count of B mod p) is below ECC_LIMB_SIZE the generic routines
   are used.  Otherwise the hand-written variants below are used, and
   they are only written for 64-bit limbs; any other limb size hits the
   #error that closes this #if after ecc_256_modq. */
#if ECC_BMODP_SIZE < ECC_LIMB_SIZE
#define ecc_256_modp ecc_generic_modp
#define ecc_256_modq ecc_generic_modq
#elif GMP_NUMB_BITS == 64

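/* Reduce the 2*ecc->p.size limb number in rp modulo the curve prime p,
   leaving the result in rp[0..3] (whether it is fully reduced below p
   is not established here).  64-bit limb (GMP_NUMB_BITS == 64) variant,
   written against the shape of secp256r1's
   p = 2^256 - 2^224 + 2^192 + 2^96 - 1: the two low limbs are 2^96 - 1,
   limb 2 is zero, and the top limb is 2^64 - 2^32 + 1.

   rp:  2*ecc->p.size limbs in, overwritten; rp[0..3] holds the result.
   ecc: supplies p.size and the limbs p.m of the modulus.

   Each iteration removes the top limb (position n) using the quotient
   <q2, q1>, q2 < 2 (asserted).  The limbs at positions n-1 and n-2 are
   carried in the registers u1 and u0, so rp[n-1] and rp[n-2] are stale
   while the loop runs; only rp[n-3] and below are updated in memory. */
static void
ecc_256_modp (const struct ecc_curve *ecc, mp_limb_t *rp)
{
  mp_limb_t u1, u0;
  mp_size_t n;

  n = 2*ecc->p.size;
  u1 = rp[--n];
  u0 = rp[n-1];

  /* This is not particularly fast, but should work well with assembly implementation. */
  for (; n >= ecc->p.size; n--)
    {
      mp_limb_t q2, q1, q0, t, cy;

      /* <q2, q1, q0> = v * u1 + <u1,u0>, with v = 2^32 - 1:

	   +---+---+
	   | u1| u0|
	   +---+---+
	       |-u1|
	     +-+-+-+
	     | u1|
       +---+-+-+-+-+
       | q2| q1| q0|
       +---+---+---+
      */
      q1 = u1 - (u1 > u0);
      q0 = u0 - u1;
      t = u1 << 32;
      q0 += t;
      t = (u1 >> 32) + (q0 < t) + 1;
      q1 += t;
      q2 = q1 < t;

      /* Compute candidate remainder: the new limb at position n-1 is
	 u0 - q1 * (2^64 - 2^32 + 1) mod 2^64.  If it exceeds q0, the
	 quotient is treated as one too large: decrement <q2, q1> and
	 add the top limb of p back (as a subtraction of 2^32 - 1). */
      u1 = u0 + (q1 << 32) - q1;
      t = -(mp_limb_t) (u1 > q0);
      u1 -= t & 0xffffffff;
      q1 += t;
      q2 += t + (q1 < t);

      assert (q2 < 2);

      /* Subtract <q2, q1> times the two low limbs of p, 2^96 - 1, from
	 memory (shifts would do instead of mul): q1 * p.m[0..1] at
	 positions n-4 and n-3, q2 * p.m[0] at n-3, and q2 * p.m[1] at
	 n-2.  t collects everything owed at position n-2. */
      t = mpn_submul_1 (rp + n - 4, ecc->p.m, 2, q1);
      t += cnd_sub_n (q2, rp + n - 3, ecc->p.m, 1);
      t += (-q2) & 0xffffffff;

      /* Load the limb at position n-2 (not touched by the updates
	 above) and propagate the borrow through it into u1.  t becomes
	 the underflow flag: 1 if the remainder went negative. */
      u0 = rp[n-2];
      cy = (u0 < t);
      u0 -= t;
      t = (u1 < cy);
      u1 -= cy;

      /* Conditional add of p on underflow.  Only the two low limbs of
	 p are added through memory.  Limb 2 of p is zero, so position
	 n-2 receives just the carry out of that add, and position n-2
	 is the register u0 (rp[n-2] is a stale copy): the carry has to
	 be propagated into u0 and then u1 by hand.  Adding it through
	 rp[n-2] instead would drop it from the live value and compute
	 the carry into u1 from stale data.  The top limb of p,
	 2^64 - 2^32 + 1, is added to u1 as a subtraction of 2^32 - 1
	 mod 2^64. */
      cy = cnd_add_n (t, rp + n - 4, ecc->p.m, 2);
      u0 += cy;
      u1 += (u0 < cy);
      u1 -= (-t) & 0xffffffff;
    }
  rp[2] = u0;
  rp[3] = u1;
}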

/* Reduce the 2*ecc->q.size limb number in rp modulo the group order q,
   leaving the result in rp[0..3] (whether it is fully reduced below q
   is not established here).  64-bit limb variant, mirroring
   ecc_256_modp above: one limb is removed per iteration, and the two
   limbs below the removed one are carried in the registers u2 and u1
   (positions n-1 and n-2), so their memory copies are stale inside the
   loop.  Only the two low limbs of q are applied through memory; the
   top two limbs, <q.m[3], q.m[2]> = 2^128 - 2^96 + 2^64 - 1 as stated
   in the comment below, are folded into the registers.

   rp:  2*ecc->q.size limbs in, overwritten; rp[0..3] holds the result.
   ecc: supplies q.size and the limbs q.m of the order. */
static void
ecc_256_modq (const struct ecc_curve *ecc, mp_limb_t *rp)
{
  mp_limb_t u2, u1, u0;
  mp_size_t n;

  n = 2*ecc->q.size;
  u2 = rp[--n];
  u1 = rp[n-1];

  /* This is not particularly fast, but should work well with assembly implementation. */
  for (; n >= ecc->q.size; n--)
    {
      mp_limb_t q2, q1, q0, t, c1, c0;

      /* Third live limb, at position n-2.  This iteration's memory
	 updates stop at position n-3, so the load is fresh. */
      u0 = rp[n-2];
      
      /* <q2, q1, q0> = v * u2 + <u2,u1>, same method as above.

	   +---+---+
	   | u2| u1|
	   +---+---+
	       |-u2|
	     +-+-+-+
	     | u2|
       +---+-+-+-+-+
       | q2| q1| q0|
       +---+---+---+
      */
      q1 = u2 - (u2 > u1);
      q0 = u1 - u2;
      t = u2 << 32;
      q0 += t;
      t = (u2 >> 32) + (q0 < t) + 1;
      q1 += t;
      q2 = q1 < t;

      /* Compute candidate remainder, <u1, u0> - <q2, q1> * (2^128 - 2^96 + 2^64 - 1)
         <u1, u0> + 2^64 q2 + (2^96 - 2^64 + 1) q1 (mod 2^128)

	   +---+---+
	   | u1| u0|
	   +---+---+
	   | q2| q1|
	   +---+---+
	   |-q1|
	 +-+-+-+
	 | q1|
       --+-+-+-+---+
           | u2| u1|
	   +---+---+
      */
      u2 = u1 + q2 - q1;
      u1 = u0 + q1;
      u2 += (u1 < q1);
      u2 += (q1 << 32);

      /* If the candidate is not below q0, treat the quotient as one
	 too large: decrement <q2, q1> (t is an all-ones mask) and add
	 the top two limbs of q back into <u2, u1>. */
      t = -(mp_limb_t) (u2 >= q0);
      q1 += t;
      q2 += t + (q1 < t);
      u1 += t;
      u2 += (t << 32) + (u1 < t);

      assert (q2 < 2);

      /* Subtract <q2, q1> times the two low limbs of q from memory:
	 q2 * q.m[0] at position n-3, q2 * q.m[1] at n-2, and
	 q1 * q.m[0..1] at n-4 and n-3.  <c1, c0> collects everything
	 owed at position n-2. */
      c0 = cnd_sub_n (q2, rp + n - 3, ecc->q.m, 1);
      c0 += (-q2) & ecc->q.m[1];
      t = mpn_submul_1 (rp + n - 4, ecc->q.m, 2, q1);
      c0 += t;
      c1 = c0 < t;
      
      /* Construct underflow condition: t is all ones if the remainder
	 goes negative, zero otherwise. */
      c1 += (u1 < c0);
      t = - (mp_limb_t) (u2 < c1);

      u1 -= c0;
      u2 -= c1;

      /* Conditional add of q on underflow: q.m[2] = 2^64 - 1 into u1
	 and q.m[3] = 2^64 - 2^32 into u2, plus the carry between them.
	 NOTE(review): the carry out of `u1 += t` is (u1 < t) on the
	 updated u1 -- the form used a few lines above and for the
	 cnd_add_n carry below -- but here it is taken from u0, which
	 has not changed since it was loaded at the top of the
	 iteration.  The two differ only when u1 was zero before the
	 add or u0 is all ones (not both), so a mismatch would be very
	 rare; confirm which is intended. */
      u1 += t;
      u2 += (t<<32) + (u0 < t);

      /* Add the two low limbs of q back in memory and propagate the
	 carry.  NOTE(review): t is passed here as an all-ones mask,
	 whereas ecc_256_modp passes cnd_add_n a 0/1 flag; cnd_add_n is
	 not defined in this file, so confirm both call sites match
	 what it accepts. */
      t = cnd_add_n (t, rp + n - 4, ecc->q.m, 2);
      u1 += t;
      u2 += (u1 < t);
    }
  rp[2] = u1;
  rp[3] = u2;
}
      
#else /* ECC_BMODP_SIZE >= ECC_LIMB_SIZE, but GMP_NUMB_BITS != 64: no
	 hand-written reduction for this limb size. */
#error Unsupported parameters
#endif

/* The secp256r1 curve description: its moduli and the function table the
   generic ECC code dispatches through.  This is a positional initializer;
   the member order is that of struct ecc_curve, declared in a header not
   shown here, so the comments below say what each entry appears to be
   from its use in this file rather than from the struct definition. */
const struct ecc_curve nettle_secp_256r1 =
{
  /* Presumably ecc->p, the field prime: ecc_256_modp above reads
     p.size and p.m from it. */
  {
    256,
    ECC_LIMB_SIZE,    
    ECC_BMODP_SIZE,
    ECC_REDC_SIZE,
    ecc_p,
    ecc_Bmodp,
    ecc_Bmodp_shifted,
    ecc_redc_ppm1,
  },
  /* Presumably ecc->q, the group order: ecc_256_modq above reads
     q.size and q.m from it.  No redc data for q (size 0, NULL). */
  {
    256,
    ECC_LIMB_SIZE,    
    ECC_BMODQ_SIZE,
    0,
    ecc_q,
    ecc_Bmodq,
    ecc_Bmodq_shifted,
    NULL,
  },

  USE_REDC,
  ECC_PIPPENGER_K,
  ECC_PIPPENGER_C,

  /* Scratch ("itch") sizes, per the macro names, for the four
     operations listed further down. */
  ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
  ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
  ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
  ECC_J_TO_A_ITCH (ECC_LIMB_SIZE),

  /* Reductions: mod p, redc (NULL when ECC_REDC_SIZE == 0 and no native
     version exists), the field reduction actually used (chosen by
     USE_REDC, which is 0 whenever ecc_256_redc is NULL), and mod q. */
  ecc_256_modp,
  ecc_256_redc,
  USE_REDC ? ecc_256_redc : ecc_256_modp,
  ecc_256_modq,

  ecc_add_jjj,
  ecc_mul_a,
  ecc_mul_g,
  ecc_j_to_a,

  ecc_b,
  ecc_g,
  NULL,
  ecc_pp1h,
  ecc_unit,
  ecc_qp1h,
  ecc_table
};