Commit 889a582f authored by Niels Möller's avatar Niels Möller

Merge branch 'curve448' into master

parents 85fd4910 5fffda51
2019-11-21 Niels Möller <nisse@lysator.liu.se>
* Merge curve448 preparations, from September 2017.
2017-09-23 Niels Möller <nisse@lysator.liu.se>
* eccdata.c: Reorganize curve25519 precomputation to work directly
with the twisted Edwards curve, with new point addition based on a
patch from Daiki Ueno.
* ecc-25519.c (_nettle_curve25519): Update for removed Montgomery
curve constant.
* ecc-internal.h (struct ecc_curve): Delete unused pointer
edwards_root. Update all instances.
* eccdata.c (output_curve): Don't output it.
* testsuite/ecc-add-test.c (test_main): Reduce test duplication.
Use ecc->add_hhh_itch.
* testsuite/ecc-dup-test.c (test_main): Reduce test duplication.
Use ecc->dup_itch.
2017-09-23 Daiki Ueno <dueno@redhat.com>
* ecc-eh-to-a.c (ecc_eh_to_a): Use ecc->q.bit_size, instead of
hard-coded value for curve25519.
* eddsa-sign.c (_eddsa_sign): Likewise.
* ecc-internal.h (ecc_dup_func): New typedef.
(struct ecc_curve): New constants add_hh_itch and dup_itch, new
function pointers add_hh and dup.
* ecc-192.c, ecc-224.c, ecc-256.c, ecc-384.c, ecc-521.c,
ecc-25519.c: Update accordingly.
* ecc-mul-g-eh.c (ecc_mul_g_eh): Use new function pointers.
* ecc-mul-a-eh.c (ecc_mul_a_eh, table_init, ecc_mul_a_eh):
Likewise.
* testsuite/ecc-dup-test.c (test_main): Likewise.
* testsuite/ecc-add-test.c (test_main): Likewise.
2019-10-01 Niels Möller <nisse@lysator.liu.se>
* testsuite/testutils.c (test_cipher_cfb8): Reset destination area
......
......@@ -155,19 +155,22 @@ const struct ecc_curve _nettle_secp_192r1 =
ECC_PIPPENGER_K,
ECC_PIPPENGER_C,
ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),
ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE),
ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
ECC_J_TO_A_ITCH (ECC_LIMB_SIZE),
ecc_add_jja,
ecc_add_jjj,
ecc_dup_jj,
ecc_mul_a,
ecc_mul_g,
ecc_j_to_a,
ecc_b,
ecc_g,
NULL,
ecc_unit,
ecc_table
};
......
......@@ -107,19 +107,22 @@ const struct ecc_curve _nettle_secp_224r1 =
ECC_PIPPENGER_K,
ECC_PIPPENGER_C,
ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),
ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE),
ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
ECC_J_TO_A_ITCH (ECC_LIMB_SIZE),
ecc_add_jja,
ecc_add_jjj,
ecc_dup_jj,
ecc_mul_a,
ecc_mul_g,
ecc_j_to_a,
ecc_b,
ecc_g,
NULL,
ecc_unit,
ecc_table
};
......
......@@ -335,19 +335,22 @@ const struct ecc_curve _nettle_curve25519 =
ECC_PIPPENGER_K,
ECC_PIPPENGER_C,
ECC_ADD_EH_ITCH (ECC_LIMB_SIZE),
ECC_ADD_EHH_ITCH (ECC_LIMB_SIZE),
ECC_DUP_EH_ITCH (ECC_LIMB_SIZE),
ECC_MUL_A_EH_ITCH (ECC_LIMB_SIZE),
ECC_MUL_G_EH_ITCH (ECC_LIMB_SIZE),
ECC_EH_TO_A_ITCH (ECC_LIMB_SIZE, ECC_25519_INV_ITCH),
ecc_add_eh,
ecc_add_ehh,
ecc_dup_eh,
ecc_mul_a_eh,
ecc_mul_g_eh,
ecc_eh_to_a,
ecc_d, /* Use the Edwards curve constant. */
ecc_b, /* Edwards curve constant. */
ecc_g,
ecc_edwards,
ecc_unit,
ecc_table
};
......@@ -284,19 +284,22 @@ const struct ecc_curve _nettle_secp_256r1 =
ECC_PIPPENGER_K,
ECC_PIPPENGER_C,
ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),
ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE),
ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
ECC_J_TO_A_ITCH (ECC_LIMB_SIZE),
ecc_add_jja,
ecc_add_jjj,
ecc_dup_jj,
ecc_mul_a,
ecc_mul_g,
ecc_j_to_a,
ecc_b,
ecc_g,
NULL,
ecc_unit,
ecc_table
};
......
......@@ -192,19 +192,22 @@ const struct ecc_curve _nettle_secp_384r1 =
ECC_PIPPENGER_K,
ECC_PIPPENGER_C,
ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),
ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE),
ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
ECC_J_TO_A_ITCH (ECC_LIMB_SIZE),
ecc_add_jja,
ecc_add_jjj,
ecc_dup_jj,
ecc_mul_a,
ecc_mul_g,
ecc_j_to_a,
ecc_b,
ecc_g,
NULL,
ecc_unit,
ecc_table
};
......
......@@ -120,19 +120,22 @@ const struct ecc_curve _nettle_secp_521r1 =
ECC_PIPPENGER_K,
ECC_PIPPENGER_C,
ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),
ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE),
ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
ECC_J_TO_A_ITCH (ECC_LIMB_SIZE),
ecc_add_jja,
ecc_add_jjj,
ecc_dup_jj,
ecc_mul_a,
ecc_mul_g,
ecc_j_to_a,
ecc_b,
ecc_g,
NULL,
ecc_unit,
ecc_table
};
......
......@@ -68,12 +68,13 @@ ecc_eh_to_a (const struct ecc_curve *ecc,
/* Skip y coordinate */
if (op > 1)
{
/* Reduce modulo q. FIXME: Hardcoded for curve25519,
duplicates end of ecc_25519_modq. FIXME: Is this needed
at all? Full reduction mod p is maybe sufficient. */
/* Reduce modulo q. Hardcoded for curve25519, duplicates end
of ecc_25519_modq. FIXME: Is this needed at all? op > 0
is only used by ecdsa code, and ecdsa on Edwards curves
makes little sense and is is only used by tests. */
unsigned shift;
assert (ecc->p.bit_size == 255);
shift = 252 - GMP_NUMB_BITS * (ecc->p.size - 1);
shift = ecc->q.bit_size - 1 - GMP_NUMB_BITS * (ecc->p.size - 1);
cy = mpn_submul_1 (r, ecc->q.m, ecc->p.size,
r[ecc->p.size-1] >> shift);
assert (cy < 2);
......
......@@ -118,6 +118,10 @@ typedef void ecc_add_func (const struct ecc_curve *ecc,
const mp_limb_t *p, const mp_limb_t *q,
mp_limb_t *scratch);
typedef void ecc_dup_func (const struct ecc_curve *ecc,
mp_limb_t *r, const mp_limb_t *p,
mp_limb_t *scratch);
typedef void ecc_mul_g_func (const struct ecc_curve *ecc, mp_limb_t *r,
const mp_limb_t *np, mp_limb_t *scratch);
......@@ -174,12 +178,16 @@ struct ecc_curve
unsigned short pippenger_k;
unsigned short pippenger_c;
unsigned short add_hh_itch;
unsigned short add_hhh_itch;
unsigned short dup_itch;
unsigned short mul_itch;
unsigned short mul_g_itch;
unsigned short h_to_a_itch;
ecc_add_func *add_hh;
ecc_add_func *add_hhh;
ecc_dup_func *dup;
ecc_mul_func *mul;
ecc_mul_g_func *mul_g;
ecc_h_to_a_func *h_to_a;
......@@ -189,9 +197,6 @@ struct ecc_curve
/* Generator, x coordinate followed by y (affine coordinates).
Currently used only by the test suite. */
const mp_limb_t *g;
/* If non-NULL, the constant needed for transformation to the
equivalent Edwards curve. */
const mp_limb_t *edwards_root;
/* For redc, same as B mod p, otherwise 1. */
const mp_limb_t *unit;
......@@ -281,18 +286,16 @@ ecc_a_to_j (const struct ecc_curve *ecc,
/* Converts a point P in jacobian coordinates into a point R in affine
coordinates. If op == 1, produce x coordinate only. If op == 2,
produce the x coordinate only, and also reduce it modulo q. FIXME:
For the public interface, have separate functions for the three
cases, and use this flag argument only for the internal ecc->h_to_a
function. */
produce the x coordinate only, and also reduce it modulo q. */
void
ecc_j_to_a (const struct ecc_curve *ecc,
int op,
mp_limb_t *r, const mp_limb_t *p,
mp_limb_t *scratch);
/* Converts a point P on an Edwards curve to affine coordinates on
the corresponding Montgomery curve. */
/* Converts a point P in homogeneous coordinates on an Edwards curve
to affine coordinates. Meaning of op is the same as for
ecc_j_to_a. */
void
ecc_eh_to_a (const struct ecc_curve *ecc,
int op,
......
......@@ -75,8 +75,8 @@ ecc_mul_a_eh (const struct ecc_curve *ecc,
{
int digit;
ecc_dup_eh (ecc, r, r, scratch_out);
ecc_add_ehh (ecc, tp, r, pe, scratch_out);
ecc->dup (ecc, r, r, scratch_out);
ecc->add_hhh (ecc, tp, r, pe, scratch_out);
digit = (w & bit) > 0;
/* If we had a one-bit, use the sum. */
......@@ -107,8 +107,8 @@ table_init (const struct ecc_curve *ecc,
for (j = 2; j < size; j += 2)
{
ecc_dup_eh (ecc, TABLE(j), TABLE(j/2), scratch);
ecc_add_ehh (ecc, TABLE(j+1), TABLE(j), TABLE(1), scratch);
ecc->dup (ecc, TABLE(j), TABLE(j/2), scratch);
ecc->add_hhh (ecc, TABLE(j+1), TABLE(j), TABLE(1), scratch);
}
}
......@@ -163,11 +163,11 @@ ecc_mul_a_eh (const struct ecc_curve *ecc,
bits |= w >> shift;
}
for (j = 0; j < ECC_MUL_A_EH_WBITS; j++)
ecc_dup_eh (ecc, r, r, scratch_out);
ecc->dup (ecc, r, r, scratch_out);
bits &= TABLE_MASK;
sec_tabselect (tp, 3*ecc->p.size, table, TABLE_SIZE, bits);
ecc_add_ehh (ecc, r, tp, r, scratch_out);
ecc->add_hhh (ecc, r, tp, r, scratch_out);
}
#undef table
#undef tp
......
......@@ -64,7 +64,7 @@ ecc_mul_g_eh (const struct ecc_curve *ecc, mp_limb_t *r,
for (i = k; i-- > 0; )
{
ecc_dup_eh (ecc, r, r, scratch);
ecc->dup (ecc, r, r, scratch);
for (j = 0; j * c < bit_rows; j++)
{
unsigned bits;
......@@ -93,7 +93,7 @@ ecc_mul_g_eh (const struct ecc_curve *ecc, mp_limb_t *r,
+ (2*ecc->p.size * (mp_size_t) j << c)),
1<<c, bits);
ecc_add_eh (ecc, r, r, tp, scratch_out);
ecc->add_hh (ecc, r, r, tp, scratch_out);
}
}
#undef tp
......
This diff is collapsed.
......@@ -93,7 +93,7 @@ _eddsa_sign (const struct ecc_curve *ecc,
unsigned shift;
mp_limb_t cy;
assert (ecc->p.bit_size == 255);
shift = 252 - GMP_NUMB_BITS * (ecc->p.size - 1);
shift = ecc->q.bit_size - 1 - GMP_NUMB_BITS * (ecc->p.size - 1);
cy = mpn_submul_1 (sp, ecc->q.m, ecc->p.size,
sp[ecc->p.size-1] >> shift);
assert (cy < 2);
......
#include "testutils.h"
#include <assert.h>
void
test_main (void)
......@@ -12,74 +13,68 @@ test_main (void)
mp_limb_t *g2 = xalloc_limbs (ecc_size_j (ecc));
mp_limb_t *g3 = xalloc_limbs (ecc_size_j (ecc));
mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc));
mp_limb_t *scratch = xalloc_limbs (ECC_ADD_JJJ_ITCH(ecc->p.size));
mp_limb_t *scratch = xalloc_limbs (ecc->add_hhh_itch);
ASSERT (ecc->dup_itch <= ecc->add_hhh_itch);
ecc_a_to_j (ecc, g, ecc->g);
if (ecc->p.bit_size == 255)
{
mp_limb_t *z = xalloc_limbs (ecc_size_j (ecc));
ASSERT (ecc->add_hh == ecc_add_eh);
ASSERT (ecc->add_hhh == ecc_add_ehh);
ASSERT (ecc->add_hh_itch <= ecc->add_hhh_itch);
/* Zero point has x = 0, y = 1, z = 1 */
mpn_zero (z, 3*ecc->p.size);
z[ecc->p.size] = z[2*ecc->p.size] = 1;
ecc_a_to_j (ecc, g, ecc->g);
ecc_add_ehh (ecc, p, z, z, scratch);
ecc->add_hhh (ecc, p, z, z, scratch);
test_ecc_mul_h (i, 0, p);
ecc_add_eh (ecc, p, z, z, scratch);
ecc->add_hh (ecc, p, z, z, scratch);
test_ecc_mul_h (i, 0, p);
ecc_add_ehh (ecc, p, g, p, scratch);
ecc->add_hhh (ecc, p, g, p, scratch);
test_ecc_mul_h (i, 1, p);
ecc_add_eh (ecc, p, z, g, scratch);
ecc->add_hh (ecc, p, z, g, scratch);
test_ecc_mul_h (i, 1, p);
ecc_add_ehh (ecc, g2, g, p, scratch);
ecc->add_hhh (ecc, g2, g, p, scratch);
test_ecc_mul_h (i, 2, g2);
ecc_add_eh (ecc, g2, g, g, scratch);
ecc->add_hh (ecc, g2, g, g, scratch);
test_ecc_mul_h (i, 2, g2);
ecc_add_ehh (ecc, g3, g, g2, scratch);
test_ecc_mul_h (i, 3, g3);
ecc_add_eh (ecc, g3, g2, g, scratch);
test_ecc_mul_h (i, 3, g3);
ecc_add_ehh (ecc, p, g, g3, scratch);
test_ecc_mul_h (i, 4, p);
ecc_add_eh (ecc, p, g3, g, scratch);
test_ecc_mul_h (i, 4, p);
ecc_add_ehh (ecc, p, g2, g2, scratch);
test_ecc_mul_h (i, 4, p);
free (z);
}
else
{
ecc_a_to_j (ecc, g, ecc->g);
ASSERT (ecc->add_hhh == ecc_add_jjj);
ASSERT (ecc->dup == ecc_dup_jj);
}
ecc_dup_jj (ecc, g2, g, scratch);
ecc->dup (ecc, g2, g, scratch);
test_ecc_mul_h (i, 2, g2);
ecc_add_jjj (ecc, g3, g, g2, scratch);
ecc->add_hhh (ecc, g3, g, g2, scratch);
test_ecc_mul_h (i, 3, g3);
ecc_add_jjj (ecc, g3, g2, g, scratch);
ecc->add_hhh (ecc, g3, g2, g, scratch);
test_ecc_mul_h (i, 3, g3);
ecc_add_jjj (ecc, p, g, g3, scratch);
ecc->add_hhh (ecc, p, g, g3, scratch);
test_ecc_mul_h (i, 4, p);
ecc_add_jjj (ecc, p, g3, g, scratch);
ecc->add_hhh (ecc, p, g3, g, scratch);
test_ecc_mul_h (i, 4, p);
ecc_dup_jj (ecc, p, g2, scratch);
ecc->dup (ecc, p, g2, scratch);
test_ecc_mul_h (i, 4, p);
}
free (g);
free (g2);
free (g3);
......
......@@ -10,37 +10,34 @@ test_main (void)
const struct ecc_curve *ecc = ecc_curves[i];
mp_limb_t *g = xalloc_limbs (ecc_size_j (ecc));
mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc));
mp_limb_t *scratch = xalloc_limbs (ECC_DUP_EH_ITCH(ecc->p.size));;
mp_limb_t *scratch = xalloc_limbs (ecc->dup_itch);
ecc_a_to_j (ecc, g, ecc->g);
if (ecc->p.bit_size == 255)
{
mp_limb_t *z = xalloc_limbs (ecc_size_j (ecc));
ASSERT (ecc->dup == ecc_dup_eh);
/* Zero point has x = 0, y = 1, z = 1 */
mpn_zero (z, 3*ecc->p.size);
z[ecc->p.size] = z[2*ecc->p.size] = 1;
ecc_a_to_j (ecc, g, ecc->g);
ecc_dup_eh (ecc, p, z, scratch);
ecc->dup (ecc, p, z, scratch);
test_ecc_mul_h (i, 0, p);
ecc_dup_eh (ecc, p, g, scratch);
test_ecc_mul_h (i, 2, p);
ecc_dup_eh (ecc, p, p, scratch);
test_ecc_mul_h (i, 4, p);
free (z);
}
else
{
ecc_a_to_j (ecc, g, ecc->g);
ASSERT (ecc->dup == ecc_dup_jj);
ecc_dup_jj (ecc, p, g, scratch);
ecc->dup (ecc, p, g, scratch);
test_ecc_mul_h (i, 2, p);
ecc_dup_jj (ecc, p, p, scratch);
ecc->dup (ecc, p, p, scratch);
test_ecc_mul_h (i, 4, p);
}
free (p);
free (g);
free (scratch);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment