/* ecc-256.c

   Compile-time constant (but machine-dependent) tables.

   Copyright (C) 2013, 2014 Niels Möller

   This file is part of GNU Nettle.

   GNU Nettle is free software: you can redistribute it and/or
   modify it under the terms of either:

     * the GNU Lesser General Public License as published by the Free
       Software Foundation; either version 3 of the License, or (at your
       option) any later version.

   or

     * the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your
       option) any later version.

   or both in parallel, as here.

   GNU Nettle is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received copies of the GNU General Public License and
   the GNU Lesser General Public License along with this program.  If
   not, see http://www.gnu.org/licenses/.
*/

/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */

#if HAVE_CONFIG_H
# include "config.h"
#endif

#include <assert.h>

#include "ecc.h"
#include "ecc-internal.h"

/* USE_REDC decides what the "reduce" slot of the prime modulus points
   at in _nettle_secp_256r1 below: always the REDC routine when a native
   (assembly) ecc_256_redc is available, otherwise only when the
   generated tables provide REDC data (ECC_REDC_SIZE != 0). */
#if HAVE_NATIVE_ecc_256_redc
# define USE_REDC 1
#else
# define USE_REDC (ECC_REDC_SIZE != 0)
#endif

#include "ecc-256.h"

/* Resolve ecc_256_redc, the REDC-style reduction for p.  Three
   outcomes:
     - HAVE_NATIVE_ecc_256_redc: the assembly routine, declared here
       under its exported nettle_ name;
     - otherwise ECC_REDC_SIZE > 0: the generic ecc_pp1_redc;
     - otherwise ECC_REDC_SIZE == 0: NULL.  USE_REDC is then 0 as well,
       and the curve definition below selects ecc_256_modp instead, so
       the NULL is never dereferenced by this file.
   Any other ECC_REDC_SIZE value is rejected at compile time. */
#if HAVE_NATIVE_ecc_256_redc
# define ecc_256_redc nettle_ecc_256_redc
void
ecc_256_redc (const struct ecc_modulo *p, mp_limb_t *rp);
#else /* !HAVE_NATIVE_ecc_256_redc */
# if ECC_REDC_SIZE > 0 
#   define ecc_256_redc ecc_pp1_redc
# elif ECC_REDC_SIZE == 0
#   define ecc_256_redc NULL
# else
#  error Configuration error
# endif
#endif /* !HAVE_NATIVE_ecc_256_redc */
/* Choice of the plain reduction routines for p and q.  When the
   generated constant ECC_BMODP_SIZE is smaller than the limb count the
   generic ecc_mod handles both moduli; otherwise the hand-written
   64-bit routines that follow are used.  Any other combination
   reaches the #else / #error that closes this conditional further
   down. */
#if ECC_BMODP_SIZE < ECC_LIMB_SIZE
#define ecc_256_modp ecc_mod
#define ecc_256_modq ecc_mod
#elif GMP_NUMB_BITS == 64

/* Reduce the 2*size-limb value at rp modulo the P-256 prime p, leaving
   a size-limb result in rp[0..3].  Specific to p and to 64-bit limbs:
   the shift counts and 0xffffffff masks below encode limbs of p (its
   two low limbs are 2^96 - 1 and its top limb 2^64 - 2^32 + 1, cf. the
   diagrams); only the two low limbs are read from p->m.

   One limb is eliminated per iteration, from the top down: the two top
   limbs <u1,u0> are divided by the top limb of p using a shift-based
   estimate of the quotient <q2,q1>, <q2,q1> times the low limbs of p
   is subtracted from the limbs below, and an underflow is undone by
   adding p back.

   Apart from the assert, the loop body has no data-dependent branch:
   each condition becomes a 0 / all-ones mask (the -(mp_limb_t)(cond)
   idiom) and is applied through cnd_sub_n / cnd_add_n, as one wants
   when reducing secret-dependent values.  Whether cnd_*_n and
   mpn_submul_1 are themselves constant time is not visible here.

   NOTE(review): the result is reduced to size limbs; nothing here
   shows it is canonical (< p), so callers should check the ecc_mod
   contract before assuming that. */
static void
ecc_256_modp (const struct ecc_modulo *p, mp_limb_t *rp)
{
  mp_limb_t u1, u0;
  mp_size_t n;

  /* n indexes the limb being eliminated; <u1,u0> hold the two top
     limbs in registers. */
  n = 2*p->size;
  u1 = rp[--n];
  u0 = rp[n-1];

  /* This is not particularly fast, but should work well with assembly implementation. */
  for (; n >= p->size; n--)
    {
      mp_limb_t q2, q1, q0, t, cy;

      /* Quotient estimate.  With v = 2^64 - p3 = 2^32 - 1, p3 being the
	 top limb of p, form <q2, q1, q0> = v * u1 + <u1,u0>; the high
	 part <q2,q1> approximates <u1,u0> / p3.  v * u1 is built as
	 (u1 << 32) - u1, so no multiplication is needed:

	   +---+---+
	   | u1| u0|
	   +---+---+
	       |-u1|
	     +-+-+-+
	     | u1|
       +---+-+-+-+-+
       | q2| q1| q0|
       +---+---+---+

	 The trailing "+ 1" biases the estimate upwards; the comparison
	 with q0 further down then corrects an overshoot by one
	 (presumably the only case that can arise; the bound is not
	 argued here).
      */
      q1 = u1 - (u1 > u0);
      q0 = u0 - u1;
      t = u1 << 32;
      q0 += t;
      t = (u1 >> 32) + (q0 < t) + 1;
      q1 += t;
      q2 = q1 < t;

      /* Compute candidate remainder: its top limb is u0 - q1 * p3
	 (mod 2^64) = u0 + (q1 << 32) - q1.  If it lies above q0 the
	 estimate was one too large: decrement <q2,q1> and add p3 back
	 (mod 2^64 that is subtracting 2^32 - 1), all through the mask
	 t, without branching. */
      u1 = u0 + (q1 << 32) - q1;
      t = -(mp_limb_t) (u1 > q0);
      u1 -= t & 0xffffffff;
      q1 += t;
      q2 += t + (q1 < t);

      /* Invariant of the estimate: the quotient fits in 65 bits.
	 NOTE(review): assert is compiled out under NDEBUG, so a
	 violation would then yield a silently wrong result rather than
	 an abort; with asserts enabled it is a crash on whatever input
	 triggers it.  Worth confirming it holds for every 8-limb input,
	 since callers may reduce attacker-chosen values. */
      assert (q2 < 2);

      /*
	 n-1 n-2 n-3 n-4
        +---+---+---+---+
        | u1| u0| u low |
        +---+---+---+---+
          - | q1(2^96-1)|
            +-------+---+
            |q2(2^.)|
            +-------+

	 We multiply by two low limbs of p, 2^96 - 1, so we could use
	 shifts rather than mul.

	 q1 times <m[1],m[0]> is removed from limbs n-4, n-3 by
	 mpn_submul_1 (borrow in t).  q2 carries weight 2^64 more, so
	 it contributes m[0] at limb n-3 (cnd_sub_n) and
	 m[1] = 0xffffffff at limb n-2, which is folded into the borrow.
	 p's third limb is 0, so nothing else reaches limb n-2.
      */
      t = mpn_submul_1 (rp + n - 4, p->m, 2, q1);
      t += cnd_sub_n (q2, rp + n - 3, p->m, 1);
      t += (-q2) & 0xffffffff;

      /* Propagate the borrow through <u1, u0>; afterwards t == 1
	 exactly when the whole subtraction underflowed. */
      u0 = rp[n-2];
      cy = (u0 < t);
      u0 -= t;
      t = (u1 < cy);
      u1 -= cy;

      /* Undo an underflow by adding p (masked by t): the two low limbs
	 via cnd_add_n, carry into u0 and u1, and p's top limb
	 2^64 - 2^32 + 1 into u1 (mod 2^64: subtract 2^32 - 1).  The
	 carry out of u1 is not tracked; it is the counterpart of the
	 underflow being undone. */
      cy = cnd_add_n (t, rp + n - 4, p->m, 2);
      u0 += cy;
      u1 += (u0 < cy);
      u1 -= (-t) & 0xffffffff;
    }
  /* The loop leaves the two top limbs of the reduced value in
     registers; store them. */
  rp[2] = u0;
  rp[3] = u1;
}

/* Reduce the 2*size-limb value at rp modulo the P-256 group order q,
   leaving a size-limb result in rp[0..3].  64-bit limbs only.

   Same scheme as ecc_256_modp, but q's two top limbs,
   2^128 - 2^96 + 2^64 - 1 (limb-wise <2^64 - 2^32, 2^64 - 1>), act as
   the divisor: each iteration takes the three top limbs <u2,u1,u0>,
   estimates the 65-bit quotient <q2,q1> with the same shift trick as
   above, forms a two-limb candidate remainder <u2,u1>, and subtracts
   <q2,q1> times the two low limbs of q -- read from q->m rather than
   hard-coded -- from the limbs below.  An underflow is undone by
   adding q back.

   As in ecc_256_modp, the loop body has no data-dependent branch
   other than the assert: conditions become 0 / all-ones masks applied
   through cnd_sub_n / cnd_add_n.  Whether those helpers and
   mpn_submul_1 are constant time is not visible here.

   NOTE(review): the result is reduced to size limbs; nothing here
   shows it is canonical (< q). */
static void
ecc_256_modq (const struct ecc_modulo *q, mp_limb_t *rp)
{
  mp_limb_t u2, u1, u0;
  mp_size_t n;

  /* n indexes the limb being eliminated; <u2,u1> hold the two top
     limbs in registers. */
  n = 2*q->size;
  u2 = rp[--n];
  u1 = rp[n-1];

  /* This is not particularly fast, but should work well with assembly implementation. */
  for (; n >= q->size; n--)
    {
      mp_limb_t q2, q1, q0, t, c1, c0;

      /* Third limb from the top; consumed by the candidate remainder
	 below. */
      u0 = rp[n-2];
      
      /* <q2, q1, q0> = v * u2 + <u2,u1>, same method as above (v = 2^32 - 1;
	 the "+ 1" again biases the estimate upwards).

	   +---+---+
	   | u2| u1|
	   +---+---+
	       |-u2|
	     +-+-+-+
	     | u2|
       +---+-+-+-+-+
       | q2| q1| q0|
       +---+---+---+
      */
      q1 = u2 - (u2 > u1);
      q0 = u1 - u2;
      t = u2 << 32;
      q0 += t;
      t = (u2 >> 32) + (q0 < t) + 1;
      q1 += t;
      q2 = q1 < t;

      /* Compute candidate remainder, <u1, u0> - <q2, q1> * (2^128 - 2^96 + 2^64 - 1)
         <u1, u0> + 2^64 q2 + (2^96 - 2^64 + 1) q1 (mod 2^128)

	   +---+---+
	   | u1| u0|
	   +---+---+
	   | q2| q1|
	   +---+---+
	   |-q1|
	 +-+-+-+
	 | q1|
       --+-+-+-+---+
           | u2| u1|
	   +---+---+

	 (u1 < q1) is the carry out of the low limb.
      */	 
      u2 = u1 + q2 - q1;
      u1 = u0 + q1;
      u2 += (u1 < q1);
      u2 += (q1 << 32);

      /* If the candidate's top limb is not below q0 the estimate
	 overshot by one: decrement <q2,q1> and add the divisor
	 <2^64 - 2^32, 2^64 - 1> back, which for t all-ones is
	 <t << 32, t> plus the carry (u1 < t).  All masked, no branch. */
      t = -(mp_limb_t) (u2 >= q0);
      q1 += t;
      q2 += t + (q1 < t);
      u1 += t;
      u2 += (t << 32) + (u1 < t);

      /* Invariant of the estimate: the quotient fits in 65 bits.
	 NOTE(review): compiled out under NDEBUG (silent wrong result
	 instead of abort); with asserts on it is a crash on whatever
	 input triggers it -- confirm it holds for every 8-limb input. */
      assert (q2 < 2);

      /* Remove <q2,q1> * <m[1],m[0]> from limbs n-4..n-2.  q2 (weight
	 2^64 above q1) contributes m[0] at limb n-3 via cnd_sub_n and
	 m[1] at limb n-2, folded into the borrow c0; q1 goes through
	 mpn_submul_1 on limbs n-4, n-3.  c1 catches the overflow of
	 adding up the borrow contributions. */
      c0 = cnd_sub_n (q2, rp + n - 3, q->m, 1);
      c0 += (-q2) & q->m[1];
      t = mpn_submul_1 (rp + n - 4, q->m, 2, q1);
      c0 += t;
      c1 = c0 < t;
      
      /* Construct underflow condition: t is all-ones exactly when
	 subtracting <c1,c0> from <u2,u1> underflows. */
      c1 += (u1 < c0);
      t = - (mp_limb_t) (u2 < c1);

      u1 -= c0;
      u2 -= c1;

      /* Conditional add of q (masked by t): first its two top limbs,
	 2^64 - 1 into u1 and 2^64 - 2^32 into u2 (that is t and
	 t << 32) with carry, then the two low limbs via cnd_add_n with
	 its carry propagated into u1/u2.  The carry out of u2 is not
	 tracked; it is the counterpart of the underflow being undone. */
      u1 += t;
      u2 += (t<<32) + (u1 < t);

      t = cnd_add_n (t, rp + n - 4, q->m, 2);
      u1 += t;
      u2 += (u1 < t);
    }
  /* The loop leaves the two top limbs of the reduced value in
     registers; store them. */
  rp[2] = u1;
  rp[3] = u2;
}
      
#else
#error Unsupported parameters
#endif

/* Curve definition for NIST P-256 / secp256r1, exported through
   nettle_get_secp_256r1 below.  Positional initializer: the two inner
   aggregates describe the prime modulus p and the group order q
   (struct ecc_modulo), followed by the curve-wide fields.  The field
   layout lives in ecc-internal.h (not visible here); the per-field
   comments say what each value appears to be from its name, and a
   reordering of same-typed fields in that struct would not be caught
   by the compiler, so keep this in step with it.  The reduction
   routines used here are chosen by the preprocessor logic above. */
const struct ecc_curve _nettle_secp_256r1 =
{
  /* Prime modulus p. */
  {
    256,                                /* bit size */
    ECC_LIMB_SIZE,                      /* size in limbs */
    ECC_BMODP_SIZE,                     /* size of the B mod p data */
    ECC_REDC_SIZE,                      /* REDC data size (0 disables, see USE_REDC) */
    ECC_MOD_INV_ITCH (ECC_LIMB_SIZE),   /* scratch size for ecc_mod_inv, by name */
    0,                                  /* scratch for the unset slot below */

    ecc_p,                              /* p itself */
    ecc_Bmodp,                          /* tables, presumably from ecc-256.h */
    ecc_Bmodp_shifted,
    ecc_redc_ppm1,
    ecc_pp1h,                           /* presumably (p+1)/2, from the name */

    ecc_256_modp,                       /* plain reduction */
    USE_REDC ? ecc_256_redc : ecc_256_modp, /* reduction of products: REDC when enabled */
    ecc_mod_inv,                        /* modular inversion */
    NULL,                               /* slot not provided for this curve */
  },
  /* Group order q.  No REDC data: size 0 and a NULL table, and both
     reduction slots use ecc_256_modq. */
  {
    256,
    ECC_LIMB_SIZE,    
    ECC_BMODQ_SIZE,
    0,
    ECC_MOD_INV_ITCH (ECC_LIMB_SIZE),
    0,

    ecc_q,
    ecc_Bmodq,
    ecc_Bmodq_shifted,
    NULL,
    ecc_qp1h,                           /* presumably (q+1)/2, from the name */

    ecc_256_modq,
    ecc_256_modq,
    ecc_mod_inv,
    NULL,
  },

  USE_REDC,                             /* whether p's second reduction slot is REDC */
  ECC_PIPPENGER_K,                      /* fixed-base table parameters, by name */
  ECC_PIPPENGER_C,

  /* Scratch sizes, paired with the operations listed right after. */
  ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
  ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
  ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
  ECC_J_TO_A_ITCH (ECC_LIMB_SIZE),

  ecc_add_jjj,                          /* point addition, by name Jacobian inputs */
  ecc_mul_a,                            /* scalar times arbitrary point */
  ecc_mul_g,                            /* scalar times generator */
  ecc_j_to_a,                           /* Jacobian to affine */

  ecc_b,                                /* curve constant b */
  ecc_g,                                /* generator */
  NULL,                                 /* slot unused by this curve */
  ecc_unit,
  ecc_table                             /* precomputed table, presumably for ecc_mul_g */
};

/* Public accessor for the P-256 curve definition.  Returns a pointer
   to the file's constant _nettle_secp_256r1 so callers need not name
   the underscore-prefixed symbol themselves. */
const struct ecc_curve *nettle_get_secp_256r1(void)
{
  const struct ecc_curve *curve = &_nettle_secp_256r1;
  return curve;
}