Commit a78c9459 authored by Niels Möller's avatar Niels Möller

Introduced struct ecc_modulo.

parent 2b552abd
2014-09-22 Niels Möller <nisse@lysator.liu.se>
* ecc-internal.h (struct ecc_modulo): New struct, collecting
constants needed for modulo arithmetic.
(struct ecc_curve): Use struct ecc_modulo for p and q arithmetic.
Updated all ecc-related files.
2014-09-17 Niels Möller <nisse@lysator.liu.se>
* gmp-glue.c (mpn_get_base256_le): Fixed missing update of rn
......
......@@ -46,11 +46,11 @@ void
curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p,
mp_limb_t *scratch)
{
#define vp (p + ecc->size)
#define wp (p + 2*ecc->size)
#define vp (p + ecc->p.size)
#define wp (p + 2*ecc->p.size)
#define t0 scratch
#define t1 (scratch + ecc->size)
#define t2 (scratch + 2*ecc->size)
#define t1 (scratch + ecc->p.size)
#define t2 (scratch + 2*ecc->p.size)
const struct ecc_curve *ecc = &nettle_curve25519;
mp_limb_t cy;
......@@ -71,8 +71,8 @@ curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p,
ecc_modp_add (ecc, t0, wp, vp);
ecc_modp_mul (ecc, t2, t0, t1);
cy = mpn_sub_n (xp, t2, ecc->p, ecc->size);
cnd_copy (cy, xp, t2, ecc->size);
cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);
cnd_copy (cy, xp, t2, ecc->p.size);
#undef vp
#undef wp
#undef t0
......
......@@ -49,23 +49,23 @@ curve25519_mul_g (uint8_t *r, const uint8_t *n)
mp_limb_t *scratch;
mp_size_t itch;
#define p scratch
#define x (scratch + 3*ecc->size)
#define scratch_out (scratch + 4*ecc->size)
#define ng scratch
#define x (scratch + 3*ecc->p.size)
#define scratch_out (scratch + 4*ecc->p.size)
memcpy (t, n, sizeof(t));
t[0] &= ~7;
t[CURVE25519_SIZE-1] = (t[CURVE25519_SIZE-1] & 0x3f) | 0x40;
itch = 4*ecc->size + ecc->mul_g_itch;
itch = 4*ecc->p.size + ecc->mul_g_itch;
scratch = gmp_alloc_limbs (itch);
mpn_set_base256_le (x, ecc->size, t, CURVE25519_SIZE);
mpn_set_base256_le (x, ecc->p.size, t, CURVE25519_SIZE);
ecc_mul_g_eh (ecc, p, x, scratch_out);
curve25519_eh_to_x (x, p, scratch_out);
ecc_mul_g_eh (ecc, ng, x, scratch_out);
curve25519_eh_to_x (x, ng, scratch_out);
mpn_get_base256_le (r, CURVE25519_SIZE, x, ecc->size);
mpn_get_base256_le (r, CURVE25519_SIZE, x, ecc->p.size);
gmp_free_limbs (scratch, itch);
#undef p
#undef x
......
......@@ -54,30 +54,30 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)
overlap C, D, and CB overlap A, D. And possibly reusing some of
x2, z2, x3, z3. */
#define x1 scratch
#define x2 (scratch + ecc->size)
#define z2 (scratch + 2*ecc->size)
#define x3 (scratch + 3*ecc->size)
#define z3 (scratch + 4*ecc->size)
#define A (scratch + 5*ecc->size)
#define B (scratch + 6*ecc->size)
#define C (scratch + 7*ecc->size)
#define D (scratch + 8*ecc->size)
#define AA (scratch + 9*ecc->size)
#define BB (scratch +10*ecc->size)
#define E (scratch + 10*ecc->size) /* Overlap BB */
#define DA (scratch + 9*ecc->size) /* Overlap AA */
#define CB (scratch + 10*ecc->size) /* Overlap BB */
itch = ecc->size * 12;
#define x2 (scratch + ecc->p.size)
#define z2 (scratch + 2*ecc->p.size)
#define x3 (scratch + 3*ecc->p.size)
#define z3 (scratch + 4*ecc->p.size)
#define A (scratch + 5*ecc->p.size)
#define B (scratch + 6*ecc->p.size)
#define C (scratch + 7*ecc->p.size)
#define D (scratch + 8*ecc->p.size)
#define AA (scratch + 9*ecc->p.size)
#define BB (scratch +10*ecc->p.size)
#define E (scratch + 10*ecc->p.size) /* Overlap BB */
#define DA (scratch + 9*ecc->p.size) /* Overlap AA */
#define CB (scratch + 10*ecc->p.size) /* Overlap BB */
itch = ecc->p.size * 12;
scratch = gmp_alloc_limbs (itch);
mpn_set_base256_le (x1, ecc->size, p, CURVE25519_SIZE);
mpn_set_base256_le (x1, ecc->p.size, p, CURVE25519_SIZE);
/* Initialize, x2 = x1, z2 = 1 */
mpn_copyi (x2, x1, ecc->size);
mpn_copyi (x2, x1, ecc->p.size);
z2[0] = 1;
mpn_zero (z2+1, ecc->size - 1);
mpn_zero (z2+1, ecc->p.size - 1);
/* Get x3, z3 from doubling. Since bit 254 is forced to 1. */
ecc_modp_add (ecc, A, x2, z2);
......@@ -93,7 +93,7 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)
{
int bit = (n[i/8] >> (i & 7)) & 1;
cnd_swap (bit, x2, x3, 2*ecc->size);
cnd_swap (bit, x2, x3, 2*ecc->p.size);
/* Formulas from draft-turner-thecurve25519function-00-Mont. We
compute new coordinates in memory-address order, since mul
......@@ -118,7 +118,7 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)
ecc_modp_sqr (ecc, DA, C);
ecc_modp_mul (ecc, z3, DA, x1);
cnd_swap (bit, x2, x3, 2*ecc->size);
cnd_swap (bit, x2, x3, 2*ecc->p.size);
}
/* Do the 3 low zero bits, just duplicating x2 */
for ( ; i >= 0; i--)
......@@ -134,9 +134,9 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)
}
ecc_modp_inv (ecc, x3, z2, z3);
ecc_modp_mul (ecc, z3, x2, x3);
cy = mpn_sub_n (x2, z3, ecc->p, ecc->size);
cnd_copy (cy, x2, z3, ecc->size);
mpn_get_base256_le (q, CURVE25519_SIZE, x2, ecc->size);
cy = mpn_sub_n (x2, z3, ecc->p.m, ecc->p.size);
cnd_copy (cy, x2, z3, ecc->p.size);
mpn_get_base256_le (q, CURVE25519_SIZE, x2, ecc->p.size);
gmp_free_limbs (scratch, itch);
return 1;
......
......@@ -112,13 +112,28 @@ ecc_192_modp (const struct ecc_curve *ecc UNUSED, mp_limb_t *rp)
const struct ecc_curve nettle_secp_192r1 =
{
192,
ECC_LIMB_SIZE,
ECC_BMODP_SIZE,
192,
ECC_BMODQ_SIZE,
{
192,
ECC_LIMB_SIZE,
ECC_BMODP_SIZE,
ECC_REDC_SIZE,
ecc_p,
ecc_Bmodp,
ecc_Bmodp_shifted,
ecc_redc_ppm1,
},
{
192,
ECC_LIMB_SIZE,
ECC_BMODQ_SIZE,
0,
ecc_q,
ecc_Bmodq,
ecc_Bmodq_shifted,
NULL,
},
USE_REDC,
ECC_REDC_SIZE,
ECC_PIPPENGER_K,
ECC_PIPPENGER_C,
......@@ -137,18 +152,11 @@ const struct ecc_curve nettle_secp_192r1 =
ecc_mul_g,
ecc_j_to_a,
ecc_p,
ecc_b,
ecc_q,
ecc_g,
NULL,
ecc_Bmodp,
ecc_Bmodp_shifted,
ecc_pp1h,
ecc_redc_ppm1,
ecc_unit,
ecc_Bmodq,
ecc_Bmodq_shifted,
ecc_qp1h,
ecc_table
};
......
......@@ -64,13 +64,28 @@ ecc_224_modp (const struct ecc_curve *ecc, mp_limb_t *rp);
const struct ecc_curve nettle_secp_224r1 =
{
224,
ECC_LIMB_SIZE,
ECC_BMODP_SIZE,
224,
ECC_BMODQ_SIZE,
{
224,
ECC_LIMB_SIZE,
ECC_BMODP_SIZE,
-ECC_REDC_SIZE,
ecc_p,
ecc_Bmodp,
ecc_Bmodp_shifted,
ecc_redc_ppm1,
},
{
224,
ECC_LIMB_SIZE,
ECC_BMODQ_SIZE,
0,
ecc_q,
ecc_Bmodq,
ecc_Bmodq_shifted,
NULL,
},
USE_REDC,
ECC_REDC_SIZE,
ECC_PIPPENGER_K,
ECC_PIPPENGER_C,
......@@ -89,18 +104,11 @@ const struct ecc_curve nettle_secp_224r1 =
ecc_mul_g,
ecc_j_to_a,
ecc_p,
ecc_b,
ecc_q,
ecc_g,
NULL,
ecc_Bmodp,
ecc_Bmodp_shifted,
ecc_pp1h,
ecc_redc_ppm1,
ecc_unit,
ecc_Bmodq,
ecc_Bmodq_shifted,
ecc_qp1h,
ecc_table
};
......@@ -87,17 +87,17 @@ ecc_25519_modq (const struct ecc_curve *ecc, mp_limb_t *rp)
for (n = ECC_LIMB_SIZE; n-- > 0;)
{
cy = mpn_submul_1 (rp + n,
ecc->Bmodq_shifted, ECC_LIMB_SIZE,
ecc->q.B_shifted, ECC_LIMB_SIZE,
rp[n + ECC_LIMB_SIZE]);
/* Top limb of mBmodq_shifted is zero, so we get cy == 0 or 1 */
assert (cy < 2);
cnd_add_n (cy, rp+n, ecc->q, ECC_LIMB_SIZE);
cnd_add_n (cy, rp+n, ecc->q.m, ECC_LIMB_SIZE);
}
cy = mpn_submul_1 (rp, ecc->q, ECC_LIMB_SIZE,
cy = mpn_submul_1 (rp, ecc->q.m, ECC_LIMB_SIZE,
rp[ECC_LIMB_SIZE-1] >> (GMP_NUMB_BITS - QHIGH_BITS));
assert (cy < 2);
cnd_add_n (cy, rp, ecc->q, ECC_LIMB_SIZE);
cnd_add_n (cy, rp, ecc->q.m, ECC_LIMB_SIZE);
}
/* Needs 2*ecc->size limbs at rp, and 2*ecc->size additional limbs of
......@@ -200,8 +200,8 @@ ecc_25519_sqrt(mp_limb_t *rp, const mp_limb_t *ap)
ecc_modp_mul (ecc, xp, t0, ap); /* a^{(p+3)/8 */
ecc_modp_mul (ecc, bp, t0, xp); /* a^{(p-1)/4} */
/* Check if b == 1 (mod p) */
if (mpn_cmp (bp, ecc->p, ECC_LIMB_SIZE) >= 0)
mpn_sub_n (bp, bp, ecc->p, ECC_LIMB_SIZE);
if (mpn_cmp (bp, ecc->p.m, ECC_LIMB_SIZE) >= 0)
mpn_sub_n (bp, bp, ecc->p.m, ECC_LIMB_SIZE);
if (mpn_cmp (bp, ecc->unit, ECC_LIMB_SIZE) == 0)
{
mpn_copyi (rp, xp, ECC_LIMB_SIZE);
......@@ -210,7 +210,7 @@ ecc_25519_sqrt(mp_limb_t *rp, const mp_limb_t *ap)
else
{
mpn_add_1 (bp, bp, ECC_LIMB_SIZE, 1);
if (mpn_cmp (bp, ecc->p, ECC_LIMB_SIZE) == 0)
if (mpn_cmp (bp, ecc->p.m, ECC_LIMB_SIZE) == 0)
{
ecc_modp_mul (&nettle_curve25519, bp, xp, ecc_sqrt_z);
mpn_copyi (rp, bp, ECC_LIMB_SIZE);
......@@ -232,13 +232,28 @@ ecc_25519_sqrt(mp_limb_t *rp, const mp_limb_t *ap)
const struct ecc_curve nettle_curve25519 =
{
255,
ECC_LIMB_SIZE,
ECC_BMODP_SIZE,
253,
ECC_BMODQ_SIZE,
{
255,
ECC_LIMB_SIZE,
ECC_BMODP_SIZE,
0,
ecc_p,
ecc_Bmodp,
ecc_Bmodp_shifted,
NULL,
},
{
253,
ECC_LIMB_SIZE,
ECC_BMODQ_SIZE,
0,
ecc_q,
ecc_Bmodq,
ecc_mBmodq_shifted, /* Use q - 2^{252} instead. */
NULL,
},
0, /* No redc */
0,
ECC_PIPPENGER_K,
ECC_PIPPENGER_C,
......@@ -257,18 +272,11 @@ const struct ecc_curve nettle_curve25519 =
ecc_mul_g_eh,
ecc_eh_to_a,
ecc_p,
ecc_d, /* Use the Edwards curve constant. */
ecc_q,
ecc_g,
ecc_edwards,
ecc_Bmodp,
ecc_Bmodp_shifted,
ecc_pp1h,
ecc_redc_ppm1,
ecc_unit,
ecc_Bmodq,
ecc_mBmodq_shifted, /* Use q - 2^{252} instead. */
ecc_qp1h,
ecc_table
};
......@@ -75,12 +75,12 @@ ecc_256_modp (const struct ecc_curve *ecc, mp_limb_t *rp)
mp_limb_t u1, u0;
mp_size_t n;
n = 2*ecc->size;
n = 2*ecc->p.size;
u1 = rp[--n];
u0 = rp[n-1];
/* This is not particularly fast, but should work well with assembly implementation. */
for (; n >= ecc->size; n--)
for (; n >= ecc->p.size; n--)
{
mp_limb_t q2, q1, q0, t, cy;
......@@ -115,8 +115,8 @@ ecc_256_modp (const struct ecc_curve *ecc, mp_limb_t *rp)
/* We multiply by two low limbs of p, 2^96 - 1, so we could use
shifts rather than mul. */
t = mpn_submul_1 (rp + n - 4, ecc->p, 2, q1);
t += cnd_sub_n (q2, rp + n - 3, ecc->p, 1);
t = mpn_submul_1 (rp + n - 4, ecc->p.m, 2, q1);
t += cnd_sub_n (q2, rp + n - 3, ecc->p.m, 1);
t += (-q2) & 0xffffffff;
u0 = rp[n-2];
......@@ -124,7 +124,7 @@ ecc_256_modp (const struct ecc_curve *ecc, mp_limb_t *rp)
u0 -= t;
t = (u1 < cy);
u1 -= cy;
u1 += cnd_add_n (t, rp + n - 4, ecc->p, 3);
u1 += cnd_add_n (t, rp + n - 4, ecc->p.m, 3);
u1 -= (-t) & 0xffffffff;
}
rp[2] = u0;
......@@ -137,12 +137,12 @@ ecc_256_modq (const struct ecc_curve *ecc, mp_limb_t *rp)
mp_limb_t u2, u1, u0;
mp_size_t n;
n = 2*ecc->size;
n = 2*ecc->q.size;
u2 = rp[--n];
u1 = rp[n-1];
/* This is not particularly fast, but should work well with assembly implementation. */
for (; n >= ecc->size; n--)
for (; n >= ecc->q.size; n--)
{
mp_limb_t q2, q1, q0, t, c1, c0;
......@@ -196,9 +196,9 @@ ecc_256_modq (const struct ecc_curve *ecc, mp_limb_t *rp)
assert (q2 < 2);
c0 = cnd_sub_n (q2, rp + n - 3, ecc->q, 1);
c0 += (-q2) & ecc->q[1];
t = mpn_submul_1 (rp + n - 4, ecc->q, 2, q1);
c0 = cnd_sub_n (q2, rp + n - 3, ecc->q.m, 1);
c0 += (-q2) & ecc->q.m[1];
t = mpn_submul_1 (rp + n - 4, ecc->q.m, 2, q1);
c0 += t;
c1 = c0 < t;
......@@ -213,7 +213,7 @@ ecc_256_modq (const struct ecc_curve *ecc, mp_limb_t *rp)
u1 += t;
u2 += (t<<32) + (u0 < t);
t = cnd_add_n (t, rp + n - 4, ecc->q, 2);
t = cnd_add_n (t, rp + n - 4, ecc->q.m, 2);
u1 += t;
u2 += (u1 < t);
}
......@@ -227,13 +227,28 @@ ecc_256_modq (const struct ecc_curve *ecc, mp_limb_t *rp)
const struct ecc_curve nettle_secp_256r1 =
{
256,
ECC_LIMB_SIZE,
ECC_BMODP_SIZE,
256,
ECC_BMODQ_SIZE,
{
256,
ECC_LIMB_SIZE,
ECC_BMODP_SIZE,
ECC_REDC_SIZE,
ecc_p,
ecc_Bmodp,
ecc_Bmodp_shifted,
ecc_redc_ppm1,
},
{
256,
ECC_LIMB_SIZE,
ECC_BMODQ_SIZE,
0,
ecc_q,
ecc_Bmodq,
ecc_Bmodq_shifted,
NULL,
},
USE_REDC,
ECC_REDC_SIZE,
ECC_PIPPENGER_K,
ECC_PIPPENGER_C,
......@@ -252,18 +267,11 @@ const struct ecc_curve nettle_secp_256r1 =
ecc_mul_g,
ecc_j_to_a,
ecc_p,
ecc_b,
ecc_q,
ecc_g,
NULL,
ecc_Bmodp,
ecc_Bmodp_shifted,
ecc_pp1h,
ecc_redc_ppm1,
ecc_unit,
ecc_Bmodq,
ecc_Bmodq_shifted,
ecc_qp1h,
ecc_table
};
......@@ -140,7 +140,7 @@ ecc_384_modp (const struct ecc_curve *ecc, mp_limb_t *rp)
cy = sec_add_1 (rp + 5, rp + 5, 1, cy);
assert (cy <= 1);
cy = cnd_add_n (cy, rp, ecc->Bmodp, ECC_LIMB_SIZE);
cy = cnd_add_n (cy, rp, ecc->p.B, ECC_LIMB_SIZE);
assert (cy == 0);
}
#else
......@@ -149,13 +149,28 @@ ecc_384_modp (const struct ecc_curve *ecc, mp_limb_t *rp)
const struct ecc_curve nettle_secp_384r1 =
{
384,
ECC_LIMB_SIZE,
ECC_BMODP_SIZE,
384,
ECC_BMODQ_SIZE,
{
384,
ECC_LIMB_SIZE,
ECC_BMODP_SIZE,
ECC_REDC_SIZE,
ecc_p,
ecc_Bmodp,
ecc_Bmodp_shifted,
ecc_redc_ppm1,
},
{
384,
ECC_LIMB_SIZE,
ECC_BMODQ_SIZE,
0,
ecc_q,
ecc_Bmodq,
ecc_Bmodq_shifted,
NULL,
},
USE_REDC,
ECC_REDC_SIZE,
ECC_PIPPENGER_K,
ECC_PIPPENGER_C,
......@@ -174,18 +189,11 @@ const struct ecc_curve nettle_secp_384r1 =
ecc_mul_g,
ecc_j_to_a,
ecc_p,
ecc_b,
ecc_q,
ecc_g,
NULL,
ecc_Bmodp,
ecc_Bmodp_shifted,
ecc_pp1h,
ecc_redc_ppm1,
ecc_unit,
ecc_Bmodq,
ecc_Bmodq_shifted,
ecc_qp1h,
ecc_table
};
......@@ -77,13 +77,28 @@ ecc_521_modp (const struct ecc_curve *ecc UNUSED, mp_limb_t *rp)
const struct ecc_curve nettle_secp_521r1 =
{
521,
ECC_LIMB_SIZE,
ECC_BMODP_SIZE,
521,
ECC_BMODQ_SIZE,
{
521,
ECC_LIMB_SIZE,
ECC_BMODP_SIZE,
ECC_REDC_SIZE,
ecc_p,
ecc_Bmodp,
ecc_Bmodp_shifted,
ecc_redc_ppm1,
},
{
521,
ECC_LIMB_SIZE,
ECC_BMODQ_SIZE,
0,
ecc_q,
ecc_Bmodq,
ecc_Bmodq_shifted,
NULL,
},
USE_REDC,
ECC_REDC_SIZE,
ECC_PIPPENGER_K,
ECC_PIPPENGER_C,
......@@ -102,18 +117,11 @@ const struct ecc_curve nettle_secp_521r1 =
ecc_mul_g,
ecc_j_to_a,
ecc_p,
ecc_b,
ecc_q,
ecc_g,
NULL,
ecc_Bmodp,
ecc_Bmodp_shifted,
ecc_pp1h,
ecc_redc_ppm1,
ecc_unit,
ecc_Bmodq,
ecc_Bmodq_shifted,
ecc_qp1h,
ecc_table
};
......
......@@ -44,16 +44,16 @@ ecc_a_to_j (const struct ecc_curve *ecc,
{
if (ecc->use_redc)
{
mpn_copyd (r + ecc->size, p, 2*ecc->size);
mpn_copyd (r + ecc->p.size, p, 2*ecc->p.size);
mpn_zero (r, ecc->size);
mpn_zero (r, ecc->p.size);
ecc->modp (ecc, r);
mpn_zero (r + ecc->size, ecc->size);
ecc->modp (ecc, r + ecc->size);
mpn_zero (r + ecc->p.size, ecc->p.size);
ecc->modp (ecc, r + ecc->p.size);
}
else if (r != p)
mpn_copyi (r, p, 2*ecc->size);
mpn_copyi (r, p, 2*ecc->p.size);
mpn_copyi (r + 2*ecc->size, ecc->unit, ecc->size);
mpn_copyi (r + 2*ecc->p.size, ecc->unit, ecc->p.size);
}
......@@ -39,7 +39,7 @@
mp_size_t
ecc_add_eh_itch (const struct ecc_curve *ecc)
{
return ECC_ADD_EH_ITCH (ecc->size);
return ECC_ADD_EH_ITCH (ecc->p.size);
}
/* Add two points on an Edwards curve, with result and first point in
......@@ -50,15 +50,15 @@ ecc_add_eh (const struct ecc_curve *ecc,
mp_limb_t *scratch)
{
#define x1 p
#define y1 (p + ecc->size)
#define z1 (p + 2*ecc->size)
#define y1 (p + ecc->p.size)
#define z1 (p + 2*ecc->p.size)
#define x2 q
#define y2 (q + ecc->size)
#define y2 (q + ecc->p.size)
#define x3 r
#define y3 (r + ecc->size)
#define z3 (r + 2*ecc->size)
#define y3 (r + ecc->p.size)
#define z3 (r + 2*ecc->p.size)
/* Formulas (from djb,
http://www.hyperelliptic.org/EFD/g1p/auto-edwards-projective.html#doubling-dbl-2007-bl):
......@@ -77,10 +77,10 @@ ecc_add_eh (const struct ecc_curve *ecc,
z3 = F*G mul
*/
#define C (scratch)
#define D (scratch + 1*ecc->size)
#define T (scratch + 2*ecc->size)
#define E (scratch + 3*ecc->size)
#define B (scratch + 4*ecc->size)
#define D (scratch + 1*ecc->p.size)
#define T (scratch + 2*ecc->p.size)
#define E (scratch + 3*ecc->p.size)
#define B (scratch + 4*ecc->p.size)
#define F D
#define G E
......@@ -109,5 +109,5 @@ ecc_add_eh (const struct ecc_curve *ecc,
/* z3 */
ecc_modp_mul (ecc, B, F, G);
mpn_copyi (z3, B, ecc->size);
mpn_copyi (z3, B, ecc->p.size);
}
......@@ -39,7 +39,7 @@
mp_size_t
ecc_add_ehh_itch (const struct ecc_curve *ecc)
{
return ECC_ADD_EHH_ITCH (ecc->size);
return ECC_ADD_EHH_ITCH (ecc->p.size);
}
/* Add two points on an Edwards curve, in homogeneous coordinates */
......@@ -49,16 +49,16 @@ ecc_add_ehh (const struct ecc_curve *ecc,
mp_limb_t *scratch)
{
#define x1 p
#define y1 (p + ecc->size)
#define z1 (p + 2*ecc->size)
#define y1 (p + ecc->p.size)
#define z1 (p + 2*ecc->p.size)
#define x2 q
#define y2 (q + ecc->size)
#define z2 (q + 2*ecc->size)
#define y2 (q + ecc->p.size)
#define z2 (q + 2*ecc->p.size)
#define x3 r
#define y3 (r + ecc->size)
#define z3 (r + 2*ecc->size)
#define y3 (r + ecc->p.size)
#define z3 (r + 2*ecc->p.size)