ecc_eh_to_a interface change, optionally reduce x mod q.

ChangeLog

 2014-08-28  Niels Möller  <nisse@lysator.liu.se>
 
+	* ecc-eh-to-a.c (ecc_eh_to_a): Analogous change as for ecc_j_to_a.
+	The modulo q case (op == 2) is hardcoded for curve25519.
+
 	* ecc-j-to-a.c (ecc_j_to_a): For curves using redc, always convert
 	back from redc form. When producing x coordiante only optionally
 	reduce it modulo q. Completely changes the meaning of the "flags"

curve25519-mul-g.c

@@ -64,7 +64,7 @@ curve25519_mul_g (uint8_t *r, const uint8_t *n)
   mpn_set_base256_le (x, ecc_size, t, CURVE25519_SIZE);
 
   ecc_mul_g_eh (&nettle_curve25519, p, x, scratch_out);
-  ecc_eh_to_a (&nettle_curve25519, 2, x, p, scratch_out);
+  ecc_eh_to_a (&nettle_curve25519, 1, x, p, scratch_out);
 
   mpn_get_base256_le (r, CURVE25519_SIZE, x, ecc_size);
   gmp_free_limbs (scratch, itch);

curve25519-mul.c

@@ -82,7 +82,7 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)
   mpn_set_base256_le (s, ecc->size, t, CURVE25519_SIZE);
   
   ecc_mul_a_eh (ecc, x, s, x, scratch_out);
-  ecc_eh_to_a (ecc, 2, s, x, scratch_out);
+  ecc_eh_to_a (ecc, 1, s, x, scratch_out);
   mpn_get_base256_le (q, CURVE25519_SIZE, s, ecc->size);
 
   gmp_free_limbs (scratch, itch);

ecc-eh-to-a.c

@@ -33,6 +33,8 @@
 # include "config.h"
 #endif
 
+#include <assert.h>
+
 #include "ecc.h"
 #include "ecc-internal.h"
 
@@ -47,7 +49,7 @@ ecc_eh_to_a_itch (const struct ecc_curve *ecc)
    coordinates on the corresponding Montgomery curve. */
 void
 ecc_eh_to_a (const struct ecc_curve *ecc,
-	     int flags,
+	     int op,
 	     mp_limb_t *r, const mp_limb_t *p,
 	     mp_limb_t *scratch)
 {
@@ -88,10 +90,24 @@ ecc_eh_to_a (const struct ecc_curve *ecc,
   cy = mpn_sub_n (xp, tp, ecc->p, ecc->size);
   cnd_copy (cy, xp, tp, ecc->size);
 
-  if (flags & 2)
+  if (op)
+    {
       /* Skip y coordinate */
+      if (op > 1)
+	{
+	  /* Reduce modulo q. FIXME: Hardcoded for curve25519,
+	     duplicates end of ecc_25519_modq. */
+	  mp_limb_t cy;
+	  unsigned shift;
+	  assert (ecc->bit_size == 255);
+	  shift = 252 - GMP_NUMB_BITS * (ecc->size - 1);
+	  cy = mpn_submul_1 (xp, ecc->q, ecc->size,
+			     xp[ecc->size-1] >> shift);
+	  assert (cy < 2);
+	  cnd_add_n (cy, xp, ecc->q, ecc->size);
+	}
       return;
-  
+    }
   ecc_modp_add (ecc, sp, wp, vp); /* FIXME: Redundant. Also the (W +
 				     V) Z^-1 multiplication is
 				     redundant. */

ecc.h

@@ -206,7 +206,7 @@ mp_size_t
 ecc_eh_to_a_itch (const struct ecc_curve *ecc);
 void
 ecc_eh_to_a (const struct ecc_curve *ecc,
-	     int flags,
+	     int op,
 	     mp_limb_t *r, const mp_limb_t *p,
 	     mp_limb_t *scratch);