/* ecc-384.c

   Compile time constant (but machine dependent) tables.

   Copyright (C) 2013, 2014 Niels Möller

   This file is part of GNU Nettle.

   GNU Nettle is free software: you can redistribute it and/or
   modify it under the terms of either:

     * the GNU Lesser General Public License as published by the Free
       Software Foundation; either version 3 of the License, or (at your
       option) any later version.

   or

     * the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your
       option) any later version.

   or both in parallel, as here.

   GNU Nettle is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received copies of the GNU General Public License and
   the GNU Lesser General Public License along with this program.  If
   not, see http://www.gnu.org/licenses/.
*/

/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */

#if HAVE_CONFIG_H
# include "config.h"
#endif

#include <assert.h>

#include "ecc.h"
#include "ecc-internal.h"

#define USE_REDC 0

#include "ecc-384.h"

#if HAVE_NATIVE_ecc_384_modp
#define ecc_384_modp nettle_ecc_384_modp
void
ecc_384_modp (const struct ecc_modulo *m, mp_limb_t *rp);
#elif GMP_NUMB_BITS == 32

/* Use that 2^{384} = 2^{128} + 2^{96} - 2^{32} + 1, and eliminate 256
   bits at a time.

   We can get carry == 2 in the first iteration, and I think *only* in
   the first iteration. */

/* p is 12 limbs, and B^12 - p = B^4 + B^3 - B + 1. We can eliminate
   almost 8 at a time. Do only 7, to avoid additional carry
   propagation, followed by 5. */
/* 32-bit limb variant.  Reduce the 24-limb product in rp[0..23]
   modulo p, leaving a 12-limb value congruent to the input in
   rp[0..11].  The result is < B^12 (the final carry is folded in and
   asserted to be zero); whether it is also < p is not established
   here.

   p:  modulus descriptor.  Only p->B is read, by the closing
       cnd_add_n that folds a carry out of limb 12 (an extra B^12)
       back in -- so p->B presumably holds B^12 - p = B^4 + B^3 - B + 1
       (see the comment above); confirm against ecc-internal.h.
   rp: in/out, must hold 24 limbs on entry.  rp[16] is reused as
       scratch between the two passes.

   Both passes apply B^12 == B^4 + B^3 - B + 1 (mod p) to the top
   limbs H: relative to the limb where H*B^12 sits, H is added at
   offsets +4, +3 and +0 and subtracted at offset +1.  Carries and
   borrows are propagated by sec_add_1/sec_sub_1 and the last one by
   cnd_add_n, so no branch in this function depends on the limb
   values (their contracts are in ecc-internal.h, not shown here).
   The asserts are debug invariants only and vanish under NDEBUG. */
static void
ecc_384_modp (const struct ecc_modulo *p, mp_limb_t *rp)
{
  mp_limb_t cy, bw;

  /* Reduce from 24 to 17 limbs. */
  /* H = rp[16..23] sits at B^16 = B^4 * B^12, so the four terms land
     at limbs 4 (+1), 5 (-B), 7 (+B^3) and 8 (+B^4). */
  cy = mpn_add_n (rp + 4, rp + 4, rp + 16, 8);
  /* Carry through rp[12..14]; cy becomes the carry into limb 15. */
  cy = sec_add_1 (rp + 12, rp + 12, 3, cy);

  bw = mpn_sub_n (rp + 5, rp + 5, rp + 16, 8);
  /* Borrow through rp[13..15]; bw becomes the borrow at limb 16. */
  bw = sec_sub_1 (rp + 13, rp + 13, 3, bw);

  /* Both carries are into limb 15; push them through rp[15]. */
  cy += mpn_add_n (rp + 7, rp + 7, rp + 16, 8);
  cy = sec_add_1 (rp + 15, rp + 15, 1, cy);

  /* Carry out of limb 15 joins the earlier one into limb 16. */
  cy += mpn_add_n (rp + 8, rp + 8, rp + 16, 8);
  assert (bw <= cy);
  cy -= bw;

  /* Net carry becomes the new top limb (see header comment on 2). */
  assert (cy <= 2);  
  rp[16] = cy;

  /* Reduce from 17 to 12 limbs */
  /* T = rp[12..16] sits at B^12, so the terms land at limbs 0, 1, 3
     and 4. */
  cy = mpn_add_n (rp, rp, rp + 12, 5);
  /* Carry through rp[5..7]; cy is then the carry into limb 8. */
  cy = sec_add_1 (rp + 5, rp + 5, 3, cy);
  
  bw = mpn_sub_n (rp + 1, rp + 1, rp + 12, 5);
  /* Borrow through rp[6..11]; bw is then the borrow at limb 12. */
  bw = sec_sub_1 (rp + 6, rp + 6, 6, bw);
  
  /* Both carries into limb 8; push through rp[8]. */
  cy += mpn_add_n (rp + 3, rp + 3, rp + 12, 5);
  cy = sec_add_1 (rp + 8, rp + 8, 1, cy);

  /* Carries into limb 9; push through rp[9..11], out at limb 12. */
  cy += mpn_add_n (rp + 4, rp + 4, rp + 12, 5);
  cy = sec_add_1 (rp + 9, rp + 9, 3, cy);

  assert (cy >= bw);
  cy -= bw;
  assert (cy <= 1);
  /* A single leftover B^12 is folded in by conditionally adding p->B
     (no data-dependent branch); it must not carry out again. */
  cy = cnd_add_n (cy, rp, p->B, ECC_LIMB_SIZE);
  assert (cy == 0);
}
#elif GMP_NUMB_BITS == 64
/* p is 6 limbs, and B^6 - p = B^2 + 2^32 (B - 1) + 1. Eliminate 3
   (almost 4) limbs at a time. */
/* 64-bit limb variant.  Reduce the 12-limb product in rp[0..11]
   modulo p, leaving a 6-limb value congruent to the input in
   rp[0..5].  The result is < B^6 (the final carry is folded in and
   asserted to be zero); whether it is also < p is not established
   here.

   p:  modulus descriptor.  Only p->B is read, by the closing
       cnd_add_n that folds a carry out of limb 6 back in -- so p->B
       presumably holds B^6 - p; confirm against ecc-internal.h.
   rp: in/out, must hold 12 limbs on entry.  rp[8] is reused as
       scratch between the two passes.

   Both passes apply B^6 == B^2 + 2^32 (B - 1) + 1 (mod p) to the top
   limbs H: relative to the limb where H*B^6 sits, H is added at
   offsets +2 and +0, and the middle term is materialised in tp as
   (H*B - H) << 32 and added at offset +0.  Carries are propagated by
   sec_add_1 and the last one by cnd_add_n, so no branch in this
   function depends on the limb values (contracts in ecc-internal.h,
   not shown here).  The asserts are debug invariants only and vanish
   under NDEBUG. */
static void
ecc_384_modp (const struct ecc_modulo *p, mp_limb_t *rp)
{
  mp_limb_t tp[6];
  mp_limb_t cy;

  /* Reduce from 12 to 9 limbs */
  /* tp[0..4] = H*B - H for H = rp[8..11]; tp[0] = 0 is the low limb
     of H*B, and the borrow out is taken from rp[11] directly. */
  tp[0] = 0; /* FIXME: Could use mpn_sub_nc */
  mpn_copyi (tp + 1, rp + 8, 3);
  tp[4] = rp[11] - mpn_sub_n (tp, tp, rp + 8, 4);
  /* tp[0..5] = (H*B - H) << 32, i.e. the 2^32 (B - 1) H term. */
  tp[5] = mpn_lshift (tp, tp, 5, 32);

  /* H*B^6 sits at limb 2: + H at limb 2, carry through rp[6..7],
     so cy is the carry into limb 8. */
  cy = mpn_add_n (rp + 2, rp + 2, rp + 8, 4);
  cy = sec_add_1 (rp + 6, rp + 6, 2, cy);

  /* + tp at limb 2 and + H at limb 4 (the B^2 term); both carry
     out at limb 8.  rp[8..11] are only read here, not yet overwritten. */
  cy += mpn_add_n (rp + 2, rp + 2, tp, 6);
  cy += mpn_add_n (rp + 4, rp + 4, rp + 8, 4);

  /* Net carry becomes the new top limb. */
  assert (cy <= 2);
  rp[8] = cy;

  /* Reduce from 9 to 6 limbs */
  /* Same construction for H = rp[6..8]: tp[0..3] = H*B - H, then
     tp[0..4] = that << 32. */
  tp[0] = 0;
  mpn_copyi (tp + 1, rp + 6, 2);
  tp[3] = rp[8] - mpn_sub_n (tp, tp, rp + 6, 3);
  tp[4] = mpn_lshift (tp, tp, 4, 32);

  /* H*B^6 sits at limb 0: + H at 0 (carry through rp[3..4]),
     + tp at 0, + H at 2; every carry lands at limb 5. */
  cy = mpn_add_n (rp, rp, rp + 6, 3);
  cy = sec_add_1 (rp + 3, rp + 3, 2, cy);
  cy += mpn_add_n (rp, rp, tp, 5);
  cy += mpn_add_n (rp + 2, rp + 2, rp + 6, 3);

  /* Push the accumulated carry through rp[5]; at most one B^6 is left. */
  cy = sec_add_1 (rp + 5, rp + 5, 1, cy);
  assert (cy <= 1);

  /* Fold the leftover B^6 in by conditionally adding p->B (no
     data-dependent branch); it must not carry out again. */
  cy = cnd_add_n (cy, rp, p->B, ECC_LIMB_SIZE);
  assert (cy == 0);  
}
#else
#define ecc_384_modp ecc_mod
#endif
  
/* Curve descriptor for secp384r1.

   NOTE(review): this is a positional initializer for struct ecc_curve
   (declared in ecc-internal.h, not visible in this file).  The order
   below must match the field order there exactly, and inserting a
   field in the struct silently shifts every later entry; designated
   initializers would tie each value to its field.

   The two nested aggregates are struct ecc_modulo descriptors -- the
   first for the field prime p (ecc_p, ecc_Bmodp, ...), the second for
   the group order q (ecc_q, ecc_Bmodq, ...).  Their field names are
   not visible here, so the comments describe each entry only as far
   as this file shows its role. */
const struct ecc_curve _nettle_secp_384r1 =
{
  {
    /* Modulus p: 384 bits in ECC_LIMB_SIZE limbs.  The next entries
       are sizes (B-mod-p table, redc constant, scratch for
       ecc_mod_inv); the trailing 0 appears to pair with the NULL
       function slot at the end of this aggregate -- confirm. */
    384,
    ECC_LIMB_SIZE,    
    ECC_BMODP_SIZE,
    ECC_REDC_SIZE,
    ECC_MOD_INV_ITCH (ECC_LIMB_SIZE),
    0,

    /* Constant tables, presumably from ecc-384.h (included above):
       p, B^size mod p (plain and shifted), the redc constant and,
       by its name, (p+1)/2. */
    ecc_p,
    ecc_Bmodp,
    ecc_Bmodp_shifted,
    ecc_redc_ppm1,
    ecc_pp1h,

    /* Entry points.  ecc_384_modp (native, limb-size specific, or the
       generic ecc_mod fallback, selected by the #if above) is
       installed in two slots -- presumably "mod" and "reduce" --
       followed by inversion; the last slot is left unset. */
    ecc_384_modp,
    ecc_384_modp,
    ecc_mod_inv,
    NULL,
  },
  {
    /* Group order q: same layout as the p descriptor.  No redc
       constant is provided for q (size 0 here, NULL table below). */
    384,
    ECC_LIMB_SIZE,    
    ECC_BMODQ_SIZE,
    0,
    ECC_MOD_INV_ITCH (ECC_LIMB_SIZE),
    0,

    ecc_q,
    ecc_Bmodq,
    ecc_Bmodq_shifted,
    NULL,
    ecc_qp1h,

    /* Arithmetic mod q uses only the generic routines. */
    ecc_mod,
    ecc_mod,
    ecc_mod_inv,
    NULL,
  },

  /* USE_REDC is defined as 0 above: redc is not used for this curve.
     The Pippenger parameters are constants presumably from ecc-384.h. */
  USE_REDC,
  ECC_PIPPENGER_K,
  ECC_PIPPENGER_C,

  /* Scratch ("itch", by naming convention) sizes, in limbs, for the
     four point operations installed right below. */
  ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
  ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
  ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
  ECC_J_TO_A_ITCH (ECC_LIMB_SIZE),

  /* Generic (curve-independent) point arithmetic. */
  ecc_add_jjj,
  ecc_mul_a,
  ecc_mul_g,
  ecc_j_to_a,

  /* Curve constants: by name the coefficient b and the generator g;
     one unset slot; then the unit and the precomputed table. */
  ecc_b,
  ecc_g,
  NULL,
  ecc_unit,
  ecc_table
};

/* Public accessor for the secp384r1 descriptor defined above.

   Returns a pointer to a file-scope constant object: it stays valid
   for the lifetime of the program, is read-only, and must not be
   freed by the caller. */
const struct ecc_curve *
nettle_get_secp_384r1 (void)
{
  const struct ecc_curve *curve = &_nettle_secp_384r1;

  return curve;
}