Merge branch 'curve448' into master

ChangeLog

+2019-11-21  Niels Möller  <nisse@lysator.liu.se>
+
+	* Merge curve448 preparations, from September 2017.
+
+2017-09-23  Niels Möller  <nisse@lysator.liu.se>
+
+	* eccdata.c: Reorganize curve25519 precomputation to work directly
+	with the twisted Edwards curve, with new point addition based on a
+	patch from Daiki Ueno.
+	* ecc-25519.c (_nettle_curve25519): Update for removed Montgomery
+	curve constant.
+
+	* ecc-internal.h (struct ecc_curve): Delete unused pointer
+	edwards_root. Update all instances.
+	* eccdata.c (output_curve): Don't output it.
+
+	* testsuite/ecc-add-test.c (test_main): Reduce test duplication.
+	Use ecc->add_hhh_itch.
+	* testsuite/ecc-dup-test.c (test_main): Reduce test duplication.
+	Use ecc->dup_itch.
+
+2017-09-23  Daiki Ueno  <dueno@redhat.com>
+
+	* ecc-eh-to-a.c (ecc_eh_to_a): Use ecc->q.bit_size, instead of
+	hard-coded value for curve25519.
+	* eddsa-sign.c (_eddsa_sign): Likewise.
+
+	* ecc-internal.h (ecc_dup_func): New typedef.
+	(struct ecc_curve): New constants add_hh_itch and dup_itch, new
+	function pointers add_hh and dup.
+	* ecc-192.c, ecc-224.c, ecc-256.c, ecc-384.c, ecc-521.c,
+	ecc-25519.c: Update accordingly.
+	* ecc-mul-g-eh.c (ecc_mul_g_eh): Use new function pointers.
+	* ecc-mul-a-eh.c (ecc_mul_a_eh, table_init, ecc_mul_a_eh):
+	Likewise.
+	* testsuite/ecc-dup-test.c (test_main): Likewise.
+	* testsuite/ecc-add-test.c (test_main): Likewise.
+
 2019-10-01  Niels Möller  <nisse@lysator.liu.se>
 
 	* testsuite/testutils.c (test_cipher_cfb8): Reset destination area

ecc-192.c

@@ -155,19 +155,22 @@ const struct ecc_curve _nettle_secp_192r1 =
   ECC_PIPPENGER_K,
   ECC_PIPPENGER_C,
 
+  ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),
   ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
+  ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
   ECC_J_TO_A_ITCH (ECC_LIMB_SIZE),
 
+  ecc_add_jja,
   ecc_add_jjj,
+  ecc_dup_jj,
   ecc_mul_a,
   ecc_mul_g,
   ecc_j_to_a,
 
   ecc_b,
   ecc_g,
-  NULL,
   ecc_unit,
   ecc_table
 };

ecc-224.c

@@ -107,19 +107,22 @@ const struct ecc_curve _nettle_secp_224r1 =
   ECC_PIPPENGER_K,
   ECC_PIPPENGER_C,
 
+  ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),
   ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
+  ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
   ECC_J_TO_A_ITCH (ECC_LIMB_SIZE),
 
+  ecc_add_jja,
   ecc_add_jjj,
+  ecc_dup_jj,
   ecc_mul_a,
   ecc_mul_g,
   ecc_j_to_a,
 
   ecc_b,
   ecc_g,
-  NULL,
   ecc_unit,
   ecc_table
 };

ecc-25519.c

@@ -335,19 +335,22 @@ const struct ecc_curve _nettle_curve25519 =
   ECC_PIPPENGER_K,
   ECC_PIPPENGER_C,
 
+  ECC_ADD_EH_ITCH (ECC_LIMB_SIZE),
   ECC_ADD_EHH_ITCH (ECC_LIMB_SIZE),
+  ECC_DUP_EH_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_A_EH_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_G_EH_ITCH (ECC_LIMB_SIZE),
   ECC_EH_TO_A_ITCH (ECC_LIMB_SIZE, ECC_25519_INV_ITCH),
 
+  ecc_add_eh,
   ecc_add_ehh,
+  ecc_dup_eh,
   ecc_mul_a_eh,
   ecc_mul_g_eh,
   ecc_eh_to_a,
 
-  ecc_d, /* Use the Edwards curve constant. */
+  ecc_b, /* Edwards curve constant. */
   ecc_g,
-  ecc_edwards,
   ecc_unit,
   ecc_table
 };

ecc-256.c

@@ -284,19 +284,22 @@ const struct ecc_curve _nettle_secp_256r1 =
   ECC_PIPPENGER_K,
   ECC_PIPPENGER_C,
 
+  ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),
   ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
+  ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
   ECC_J_TO_A_ITCH (ECC_LIMB_SIZE),
 
+  ecc_add_jja,
   ecc_add_jjj,
+  ecc_dup_jj,
   ecc_mul_a,
   ecc_mul_g,
   ecc_j_to_a,
 
   ecc_b,
   ecc_g,
-  NULL,
   ecc_unit,
   ecc_table
 };

ecc-384.c

@@ -192,19 +192,22 @@ const struct ecc_curve _nettle_secp_384r1 =
   ECC_PIPPENGER_K,
   ECC_PIPPENGER_C,
 
+  ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),
   ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
+  ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
   ECC_J_TO_A_ITCH (ECC_LIMB_SIZE),
 
+  ecc_add_jja,
   ecc_add_jjj,
+  ecc_dup_jj,
   ecc_mul_a,
   ecc_mul_g,
   ecc_j_to_a,
 
   ecc_b,
   ecc_g,
-  NULL,
   ecc_unit,
   ecc_table
 };

ecc-521.c

@@ -120,19 +120,22 @@ const struct ecc_curve _nettle_secp_521r1 =
   ECC_PIPPENGER_K,
   ECC_PIPPENGER_C,
 
+  ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),
   ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
+  ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
   ECC_J_TO_A_ITCH (ECC_LIMB_SIZE),
 
+  ecc_add_jja,
   ecc_add_jjj,
+  ecc_dup_jj,
   ecc_mul_a,
   ecc_mul_g,
   ecc_j_to_a,
 
   ecc_b,
   ecc_g,
-  NULL,
   ecc_unit,
   ecc_table
 };

ecc-eh-to-a.c

@@ -68,12 +68,13 @@ ecc_eh_to_a (const struct ecc_curve *ecc,
       /* Skip y coordinate */
       if (op > 1)
 	{
-	  /* Reduce modulo q. FIXME: Hardcoded for curve25519,
-	     duplicates end of ecc_25519_modq. FIXME: Is this needed
-	     at all? Full reduction mod p is maybe sufficient. */
+	  /* Reduce modulo q. Hardcoded for curve25519, duplicates end
+	     of ecc_25519_modq. FIXME: Is this needed at all? op > 0
+	     is only used by ecdsa code, and ecdsa on Edwards curves
+	     makes little sense and is is only used by tests. */
 	  unsigned shift;
 	  assert (ecc->p.bit_size == 255);
-	  shift = 252 - GMP_NUMB_BITS * (ecc->p.size - 1);
+	  shift = ecc->q.bit_size - 1 - GMP_NUMB_BITS * (ecc->p.size - 1);
 	  cy = mpn_submul_1 (r, ecc->q.m, ecc->p.size,
 			     r[ecc->p.size-1] >> shift);
 	  assert (cy < 2);

ecc-internal.h

@@ -118,6 +118,10 @@ typedef void ecc_add_func (const struct ecc_curve *ecc,
 			   const mp_limb_t *p, const mp_limb_t *q,
 			   mp_limb_t *scratch);
 
+typedef void ecc_dup_func (const struct ecc_curve *ecc,
+			   mp_limb_t *r, const mp_limb_t *p,
+			   mp_limb_t *scratch);
+
 typedef void ecc_mul_g_func (const struct ecc_curve *ecc, mp_limb_t *r,
 			     const mp_limb_t *np, mp_limb_t *scratch);
 
@@ -174,12 +178,16 @@ struct ecc_curve
   unsigned short pippenger_k;
   unsigned short pippenger_c;
 
+  unsigned short add_hh_itch;
   unsigned short add_hhh_itch;
+  unsigned short dup_itch;
   unsigned short mul_itch;
   unsigned short mul_g_itch;
   unsigned short h_to_a_itch;
 
+  ecc_add_func *add_hh;
   ecc_add_func *add_hhh;
+  ecc_dup_func *dup;
   ecc_mul_func *mul;
   ecc_mul_g_func *mul_g;
   ecc_h_to_a_func *h_to_a;
@@ -189,9 +197,6 @@ struct ecc_curve
   /* Generator, x coordinate followed by y (affine coordinates).
      Currently used only by the test suite. */
   const mp_limb_t *g;
-  /* If non-NULL, the constant needed for transformation to the
-     equivalent Edwards curve. */
-  const mp_limb_t *edwards_root;
 
   /* For redc, same as B mod p, otherwise 1. */
   const mp_limb_t *unit;
@@ -281,18 +286,16 @@ ecc_a_to_j (const struct ecc_curve *ecc,
 
 /* Converts a point P in jacobian coordinates into a point R in affine
    coordinates. If op == 1, produce x coordinate only. If op == 2,
-   produce the x coordinate only, and also reduce it modulo q. FIXME:
-   For the public interface, have separate functions for the three
-   cases, and use this flag argument only for the internal ecc->h_to_a
-   function. */
+   produce the x coordinate only, and also reduce it modulo q. */
 void
 ecc_j_to_a (const struct ecc_curve *ecc,
 	    int op,
 	    mp_limb_t *r, const mp_limb_t *p,
 	    mp_limb_t *scratch);
 
-/* Converts a point P on an Edwards curve to affine coordinates on
-   the corresponding Montgomery curve. */
+/* Converts a point P in homogeneous coordinates on an Edwards curve
+   to affine coordinates. Meaning of op is the same as for
+   ecc_j_to_a. */
 void
 ecc_eh_to_a (const struct ecc_curve *ecc,
 	     int op,

ecc-mul-a-eh.c

@@ -75,8 +75,8 @@ ecc_mul_a_eh (const struct ecc_curve *ecc,
 	{
 	  int digit;
 
-	  ecc_dup_eh (ecc, r, r, scratch_out);
-	  ecc_add_ehh (ecc, tp, r, pe, scratch_out);
+	  ecc->dup (ecc, r, r, scratch_out);
+	  ecc->add_hhh (ecc, tp, r, pe, scratch_out);
 
 	  digit = (w & bit) > 0;
 	  /* If we had a one-bit, use the sum. */
@@ -107,8 +107,8 @@ table_init (const struct ecc_curve *ecc,
 
   for (j = 2; j < size; j += 2)
     {
-      ecc_dup_eh (ecc, TABLE(j), TABLE(j/2), scratch);
-      ecc_add_ehh (ecc, TABLE(j+1), TABLE(j), TABLE(1), scratch);
+      ecc->dup (ecc, TABLE(j), TABLE(j/2), scratch);
+      ecc->add_hhh (ecc, TABLE(j+1), TABLE(j), TABLE(1), scratch);
     }
 }
 
@@ -163,11 +163,11 @@ ecc_mul_a_eh (const struct ecc_curve *ecc,
 	  bits |= w >> shift;
 	}
       for (j = 0; j < ECC_MUL_A_EH_WBITS; j++)
-	ecc_dup_eh (ecc, r, r, scratch_out);
+	ecc->dup (ecc, r, r, scratch_out);
 
       bits &= TABLE_MASK;
       sec_tabselect (tp, 3*ecc->p.size, table, TABLE_SIZE, bits);
-      ecc_add_ehh (ecc, r, tp, r, scratch_out);
+      ecc->add_hhh (ecc, r, tp, r, scratch_out);
     }
 #undef table
 #undef tp

ecc-mul-g-eh.c

@@ -64,7 +64,7 @@ ecc_mul_g_eh (const struct ecc_curve *ecc, mp_limb_t *r,
 
   for (i = k; i-- > 0; )
     {
-      ecc_dup_eh (ecc, r, r, scratch);
+      ecc->dup (ecc, r, r, scratch);
       for (j = 0; j * c < bit_rows; j++)
 	{
 	  unsigned bits;
@@ -93,7 +93,7 @@ ecc_mul_g_eh (const struct ecc_curve *ecc, mp_limb_t *r,
 			  + (2*ecc->p.size * (mp_size_t) j << c)),
 			 1<<c, bits);
 
-	  ecc_add_eh (ecc, r, r, tp, scratch_out);
+	  ecc->add_hh (ecc, r, r, tp, scratch_out);
 	}
     }
 #undef tp

eddsa-sign.c

@@ -93,7 +93,7 @@ _eddsa_sign (const struct ecc_curve *ecc,
     unsigned shift;
     mp_limb_t cy;
     assert (ecc->p.bit_size == 255);
-    shift = 252 - GMP_NUMB_BITS * (ecc->p.size - 1);
+    shift = ecc->q.bit_size - 1 - GMP_NUMB_BITS * (ecc->p.size - 1);
     cy = mpn_submul_1 (sp, ecc->q.m, ecc->p.size,
 		       sp[ecc->p.size-1] >> shift);
     assert (cy < 2);

testsuite/ecc-add-test.c

 #include "testutils.h"
+#include <assert.h>
 
 void
 test_main (void)
@@ -12,74 +13,68 @@ test_main (void)
       mp_limb_t *g2 = xalloc_limbs (ecc_size_j (ecc));
       mp_limb_t *g3 = xalloc_limbs (ecc_size_j (ecc));
       mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc));
-      mp_limb_t *scratch = xalloc_limbs (ECC_ADD_JJJ_ITCH(ecc->p.size));
+      mp_limb_t *scratch = xalloc_limbs (ecc->add_hhh_itch);
+
+      ASSERT (ecc->dup_itch <= ecc->add_hhh_itch);
+
+      ecc_a_to_j (ecc, g, ecc->g);
 
       if (ecc->p.bit_size == 255)
 	{
 	  mp_limb_t *z = xalloc_limbs (ecc_size_j (ecc));
+
+	  ASSERT (ecc->add_hh == ecc_add_eh);
+	  ASSERT (ecc->add_hhh == ecc_add_ehh);
+	  ASSERT (ecc->add_hh_itch <= ecc->add_hhh_itch);
+
 	  /* Zero point has x = 0, y = 1, z = 1 */
 	  mpn_zero (z, 3*ecc->p.size);
 	  z[ecc->p.size] = z[2*ecc->p.size] = 1;
-	  
-	  ecc_a_to_j (ecc, g, ecc->g);
 
-	  ecc_add_ehh (ecc, p, z, z, scratch);
+	  ecc->add_hhh (ecc, p, z, z, scratch);
 	  test_ecc_mul_h (i, 0, p);
 
-	  ecc_add_eh (ecc, p, z, z, scratch);
+	  ecc->add_hh (ecc, p, z, z, scratch);
 	  test_ecc_mul_h (i, 0, p);
 
-	  ecc_add_ehh (ecc, p, g, p, scratch);
+	  ecc->add_hhh (ecc, p, g, p, scratch);
 	  test_ecc_mul_h (i, 1, p);
 
-	  ecc_add_eh (ecc, p, z, g, scratch);
+	  ecc->add_hh (ecc, p, z, g, scratch);
 	  test_ecc_mul_h (i, 1, p);
 
-	  ecc_add_ehh (ecc, g2, g, p, scratch);
+	  ecc->add_hhh (ecc, g2, g, p, scratch);
 	  test_ecc_mul_h (i, 2, g2);
 
-	  ecc_add_eh (ecc, g2, g, g, scratch);
+	  ecc->add_hh (ecc, g2, g, g, scratch);
 	  test_ecc_mul_h (i, 2, g2);
 
-	  ecc_add_ehh (ecc, g3, g, g2, scratch);
-	  test_ecc_mul_h (i, 3, g3);
-
-	  ecc_add_eh (ecc, g3, g2, g, scratch);
-	  test_ecc_mul_h (i, 3, g3);
-
-	  ecc_add_ehh (ecc, p, g, g3, scratch);
-	  test_ecc_mul_h (i, 4, p);
-
-	  ecc_add_eh (ecc, p, g3, g, scratch);
-	  test_ecc_mul_h (i, 4, p);
-
-	  ecc_add_ehh (ecc, p, g2, g2, scratch);
-	  test_ecc_mul_h (i, 4, p);
-
 	  free (z);
 	}
       else
 	{
-	  ecc_a_to_j (ecc, g, ecc->g);
+	  ASSERT (ecc->add_hhh == ecc_add_jjj);
+	  ASSERT (ecc->dup == ecc_dup_jj);
+	}
 
-	  ecc_dup_jj (ecc, g2, g, scratch);
-	  test_ecc_mul_h (i, 2, g2);
+      ecc->dup (ecc, g2, g, scratch);
+      test_ecc_mul_h (i, 2, g2);
 
-	  ecc_add_jjj (ecc, g3, g, g2, scratch);
-	  test_ecc_mul_h (i, 3, g3);
+      ecc->add_hhh (ecc, g3, g, g2, scratch);
+      test_ecc_mul_h (i, 3, g3);
 
-	  ecc_add_jjj (ecc, g3, g2, g, scratch);
-	  test_ecc_mul_h (i, 3, g3);
+      ecc->add_hhh (ecc, g3, g2, g, scratch);
+      test_ecc_mul_h (i, 3, g3);
 
-	  ecc_add_jjj (ecc, p, g, g3, scratch);
-	  test_ecc_mul_h (i, 4, p);
+      ecc->add_hhh (ecc, p, g, g3, scratch);
+      test_ecc_mul_h (i, 4, p);
 
-	  ecc_add_jjj (ecc, p, g3, g, scratch);
-	  test_ecc_mul_h (i, 4, p);
+      ecc->add_hhh (ecc, p, g3, g, scratch);
+      test_ecc_mul_h (i, 4, p);
+
+      ecc->dup (ecc, p, g2, scratch);
+      test_ecc_mul_h (i, 4, p);
 
-	  ecc_dup_jj (ecc, p, g2, scratch);
-	  test_ecc_mul_h (i, 4, p);
-	}
       free (g);
       free (g2);
       free (g3);

testsuite/ecc-dup-test.c

@@ -10,37 +10,34 @@ test_main (void)
       const struct ecc_curve *ecc = ecc_curves[i];
       mp_limb_t *g = xalloc_limbs (ecc_size_j (ecc));
       mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc));
-      mp_limb_t *scratch = xalloc_limbs (ECC_DUP_EH_ITCH(ecc->p.size));;
+      mp_limb_t *scratch = xalloc_limbs (ecc->dup_itch);
+
+      ecc_a_to_j (ecc, g, ecc->g);
 
       if (ecc->p.bit_size == 255)
 	{
 	  mp_limb_t *z = xalloc_limbs (ecc_size_j (ecc));
+
+	  ASSERT (ecc->dup == ecc_dup_eh);
+
 	  /* Zero point has x = 0, y = 1, z = 1 */
 	  mpn_zero (z, 3*ecc->p.size);
 	  z[ecc->p.size] = z[2*ecc->p.size] = 1;
 	  
-	  ecc_a_to_j (ecc, g, ecc->g);
-
-	  ecc_dup_eh (ecc, p, z, scratch);
+	  ecc->dup (ecc, p, z, scratch);
 	  test_ecc_mul_h (i, 0, p);
 
-	  ecc_dup_eh (ecc, p, g, scratch);
-	  test_ecc_mul_h (i, 2, p);
-
-	  ecc_dup_eh (ecc, p, p, scratch);
-	  test_ecc_mul_h (i, 4, p);
 	  free (z);
 	}
       else
-	{
-	  ecc_a_to_j (ecc, g, ecc->g);
+	ASSERT (ecc->dup == ecc_dup_jj);
 
-	  ecc_dup_jj (ecc, p, g, scratch);
-	  test_ecc_mul_h (i, 2, p);
+      ecc->dup (ecc, p, g, scratch);
+      test_ecc_mul_h (i, 2, p);
+
+      ecc->dup (ecc, p, p, scratch);
+      test_ecc_mul_h (i, 4, p);
 
-	  ecc_dup_jj (ecc, p, p, scratch);
-	  test_ecc_mul_h (i, 4, p);
-	}
       free (p);
       free (g);
       free (scratch);