Commit a78c9459 authored by Niels Möller's avatar Niels Möller

Introduced struct ecc_modulo.

parent 2b552abd
2014-09-22 Niels Möller <nisse@lysator.liu.se>
* ecc-internal.h (struct ecc_modulo): New struct, collecting
constants needed for modulo arithmetic.
(struct ecc_curve): Use struct ecc_modulo for p and q arithmetic.
Updated all ecc-related files.
2014-09-17 Niels Möller <nisse@lysator.liu.se> 2014-09-17 Niels Möller <nisse@lysator.liu.se>
* gmp-glue.c (mpn_get_base256_le): Fixed missing update of rn * gmp-glue.c (mpn_get_base256_le): Fixed missing update of rn
......
...@@ -46,11 +46,11 @@ void ...@@ -46,11 +46,11 @@ void
curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p,
mp_limb_t *scratch) mp_limb_t *scratch)
{ {
#define vp (p + ecc->size) #define vp (p + ecc->p.size)
#define wp (p + 2*ecc->size) #define wp (p + 2*ecc->p.size)
#define t0 scratch #define t0 scratch
#define t1 (scratch + ecc->size) #define t1 (scratch + ecc->p.size)
#define t2 (scratch + 2*ecc->size) #define t2 (scratch + 2*ecc->p.size)
const struct ecc_curve *ecc = &nettle_curve25519; const struct ecc_curve *ecc = &nettle_curve25519;
mp_limb_t cy; mp_limb_t cy;
...@@ -71,8 +71,8 @@ curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, ...@@ -71,8 +71,8 @@ curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p,
ecc_modp_add (ecc, t0, wp, vp); ecc_modp_add (ecc, t0, wp, vp);
ecc_modp_mul (ecc, t2, t0, t1); ecc_modp_mul (ecc, t2, t0, t1);
cy = mpn_sub_n (xp, t2, ecc->p, ecc->size); cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);
cnd_copy (cy, xp, t2, ecc->size); cnd_copy (cy, xp, t2, ecc->p.size);
#undef vp #undef vp
#undef wp #undef wp
#undef t0 #undef t0
......
...@@ -49,23 +49,23 @@ curve25519_mul_g (uint8_t *r, const uint8_t *n) ...@@ -49,23 +49,23 @@ curve25519_mul_g (uint8_t *r, const uint8_t *n)
mp_limb_t *scratch; mp_limb_t *scratch;
mp_size_t itch; mp_size_t itch;
#define p scratch #define ng scratch
#define x (scratch + 3*ecc->size) #define x (scratch + 3*ecc->p.size)
#define scratch_out (scratch + 4*ecc->size) #define scratch_out (scratch + 4*ecc->p.size)
memcpy (t, n, sizeof(t)); memcpy (t, n, sizeof(t));
t[0] &= ~7; t[0] &= ~7;
t[CURVE25519_SIZE-1] = (t[CURVE25519_SIZE-1] & 0x3f) | 0x40; t[CURVE25519_SIZE-1] = (t[CURVE25519_SIZE-1] & 0x3f) | 0x40;
itch = 4*ecc->size + ecc->mul_g_itch; itch = 4*ecc->p.size + ecc->mul_g_itch;
scratch = gmp_alloc_limbs (itch); scratch = gmp_alloc_limbs (itch);
mpn_set_base256_le (x, ecc->size, t, CURVE25519_SIZE); mpn_set_base256_le (x, ecc->p.size, t, CURVE25519_SIZE);
ecc_mul_g_eh (ecc, p, x, scratch_out); ecc_mul_g_eh (ecc, ng, x, scratch_out);
curve25519_eh_to_x (x, p, scratch_out); curve25519_eh_to_x (x, ng, scratch_out);
mpn_get_base256_le (r, CURVE25519_SIZE, x, ecc->size); mpn_get_base256_le (r, CURVE25519_SIZE, x, ecc->p.size);
gmp_free_limbs (scratch, itch); gmp_free_limbs (scratch, itch);
#undef p #undef p
#undef x #undef x
......
...@@ -54,30 +54,30 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p) ...@@ -54,30 +54,30 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)
overlap C, D, and CB overlap A, D. And possibly reusing some of overlap C, D, and CB overlap A, D. And possibly reusing some of
x2, z2, x3, z3. */ x2, z2, x3, z3. */
#define x1 scratch #define x1 scratch
#define x2 (scratch + ecc->size) #define x2 (scratch + ecc->p.size)
#define z2 (scratch + 2*ecc->size) #define z2 (scratch + 2*ecc->p.size)
#define x3 (scratch + 3*ecc->size) #define x3 (scratch + 3*ecc->p.size)
#define z3 (scratch + 4*ecc->size) #define z3 (scratch + 4*ecc->p.size)
#define A (scratch + 5*ecc->size) #define A (scratch + 5*ecc->p.size)
#define B (scratch + 6*ecc->size) #define B (scratch + 6*ecc->p.size)
#define C (scratch + 7*ecc->size) #define C (scratch + 7*ecc->p.size)
#define D (scratch + 8*ecc->size) #define D (scratch + 8*ecc->p.size)
#define AA (scratch + 9*ecc->size) #define AA (scratch + 9*ecc->p.size)
#define BB (scratch +10*ecc->size) #define BB (scratch +10*ecc->p.size)
#define E (scratch + 10*ecc->size) /* Overlap BB */ #define E (scratch + 10*ecc->p.size) /* Overlap BB */
#define DA (scratch + 9*ecc->size) /* Overlap AA */ #define DA (scratch + 9*ecc->p.size) /* Overlap AA */
#define CB (scratch + 10*ecc->size) /* Overlap BB */ #define CB (scratch + 10*ecc->p.size) /* Overlap BB */
itch = ecc->size * 12; itch = ecc->p.size * 12;
scratch = gmp_alloc_limbs (itch); scratch = gmp_alloc_limbs (itch);
mpn_set_base256_le (x1, ecc->size, p, CURVE25519_SIZE); mpn_set_base256_le (x1, ecc->p.size, p, CURVE25519_SIZE);
/* Initialize, x2 = x1, z2 = 1 */ /* Initialize, x2 = x1, z2 = 1 */
mpn_copyi (x2, x1, ecc->size); mpn_copyi (x2, x1, ecc->p.size);
z2[0] = 1; z2[0] = 1;
mpn_zero (z2+1, ecc->size - 1); mpn_zero (z2+1, ecc->p.size - 1);
/* Get x3, z3 from doubling. Since bit 254 is forced to 1. */ /* Get x3, z3 from doubling. Since bit 254 is forced to 1. */
ecc_modp_add (ecc, A, x2, z2); ecc_modp_add (ecc, A, x2, z2);
...@@ -93,7 +93,7 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p) ...@@ -93,7 +93,7 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)
{ {
int bit = (n[i/8] >> (i & 7)) & 1; int bit = (n[i/8] >> (i & 7)) & 1;
cnd_swap (bit, x2, x3, 2*ecc->size); cnd_swap (bit, x2, x3, 2*ecc->p.size);
/* Formulas from draft-turner-thecurve25519function-00-Mont. We /* Formulas from draft-turner-thecurve25519function-00-Mont. We
compute new coordinates in memory-address order, since mul compute new coordinates in memory-address order, since mul
...@@ -118,7 +118,7 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p) ...@@ -118,7 +118,7 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)
ecc_modp_sqr (ecc, DA, C); ecc_modp_sqr (ecc, DA, C);
ecc_modp_mul (ecc, z3, DA, x1); ecc_modp_mul (ecc, z3, DA, x1);
cnd_swap (bit, x2, x3, 2*ecc->size); cnd_swap (bit, x2, x3, 2*ecc->p.size);
} }
/* Do the 3 low zero bits, just duplicating x2 */ /* Do the 3 low zero bits, just duplicating x2 */
for ( ; i >= 0; i--) for ( ; i >= 0; i--)
...@@ -134,9 +134,9 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p) ...@@ -134,9 +134,9 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)
} }
ecc_modp_inv (ecc, x3, z2, z3); ecc_modp_inv (ecc, x3, z2, z3);
ecc_modp_mul (ecc, z3, x2, x3); ecc_modp_mul (ecc, z3, x2, x3);
cy = mpn_sub_n (x2, z3, ecc->p, ecc->size); cy = mpn_sub_n (x2, z3, ecc->p.m, ecc->p.size);
cnd_copy (cy, x2, z3, ecc->size); cnd_copy (cy, x2, z3, ecc->p.size);
mpn_get_base256_le (q, CURVE25519_SIZE, x2, ecc->size); mpn_get_base256_le (q, CURVE25519_SIZE, x2, ecc->p.size);
gmp_free_limbs (scratch, itch); gmp_free_limbs (scratch, itch);
return 1; return 1;
......
...@@ -112,13 +112,28 @@ ecc_192_modp (const struct ecc_curve *ecc UNUSED, mp_limb_t *rp) ...@@ -112,13 +112,28 @@ ecc_192_modp (const struct ecc_curve *ecc UNUSED, mp_limb_t *rp)
const struct ecc_curve nettle_secp_192r1 = const struct ecc_curve nettle_secp_192r1 =
{ {
192, {
ECC_LIMB_SIZE, 192,
ECC_BMODP_SIZE, ECC_LIMB_SIZE,
192, ECC_BMODP_SIZE,
ECC_BMODQ_SIZE, ECC_REDC_SIZE,
ecc_p,
ecc_Bmodp,
ecc_Bmodp_shifted,
ecc_redc_ppm1,
},
{
192,
ECC_LIMB_SIZE,
ECC_BMODQ_SIZE,
0,
ecc_q,
ecc_Bmodq,
ecc_Bmodq_shifted,
NULL,
},
USE_REDC, USE_REDC,
ECC_REDC_SIZE,
ECC_PIPPENGER_K, ECC_PIPPENGER_K,
ECC_PIPPENGER_C, ECC_PIPPENGER_C,
...@@ -137,18 +152,11 @@ const struct ecc_curve nettle_secp_192r1 = ...@@ -137,18 +152,11 @@ const struct ecc_curve nettle_secp_192r1 =
ecc_mul_g, ecc_mul_g,
ecc_j_to_a, ecc_j_to_a,
ecc_p,
ecc_b, ecc_b,
ecc_q,
ecc_g, ecc_g,
NULL, NULL,
ecc_Bmodp,
ecc_Bmodp_shifted,
ecc_pp1h, ecc_pp1h,
ecc_redc_ppm1,
ecc_unit, ecc_unit,
ecc_Bmodq,
ecc_Bmodq_shifted,
ecc_qp1h, ecc_qp1h,
ecc_table ecc_table
}; };
......
...@@ -64,13 +64,28 @@ ecc_224_modp (const struct ecc_curve *ecc, mp_limb_t *rp); ...@@ -64,13 +64,28 @@ ecc_224_modp (const struct ecc_curve *ecc, mp_limb_t *rp);
const struct ecc_curve nettle_secp_224r1 = const struct ecc_curve nettle_secp_224r1 =
{ {
224, {
ECC_LIMB_SIZE, 224,
ECC_BMODP_SIZE, ECC_LIMB_SIZE,
224, ECC_BMODP_SIZE,
ECC_BMODQ_SIZE, -ECC_REDC_SIZE,
ecc_p,
ecc_Bmodp,
ecc_Bmodp_shifted,
ecc_redc_ppm1,
},
{
224,
ECC_LIMB_SIZE,
ECC_BMODQ_SIZE,
0,
ecc_q,
ecc_Bmodq,
ecc_Bmodq_shifted,
NULL,
},
USE_REDC, USE_REDC,
ECC_REDC_SIZE,
ECC_PIPPENGER_K, ECC_PIPPENGER_K,
ECC_PIPPENGER_C, ECC_PIPPENGER_C,
...@@ -89,18 +104,11 @@ const struct ecc_curve nettle_secp_224r1 = ...@@ -89,18 +104,11 @@ const struct ecc_curve nettle_secp_224r1 =
ecc_mul_g, ecc_mul_g,
ecc_j_to_a, ecc_j_to_a,
ecc_p,
ecc_b, ecc_b,
ecc_q,
ecc_g, ecc_g,
NULL, NULL,
ecc_Bmodp,
ecc_Bmodp_shifted,
ecc_pp1h, ecc_pp1h,
ecc_redc_ppm1,
ecc_unit, ecc_unit,
ecc_Bmodq,
ecc_Bmodq_shifted,
ecc_qp1h, ecc_qp1h,
ecc_table ecc_table
}; };
...@@ -87,17 +87,17 @@ ecc_25519_modq (const struct ecc_curve *ecc, mp_limb_t *rp) ...@@ -87,17 +87,17 @@ ecc_25519_modq (const struct ecc_curve *ecc, mp_limb_t *rp)
for (n = ECC_LIMB_SIZE; n-- > 0;) for (n = ECC_LIMB_SIZE; n-- > 0;)
{ {
cy = mpn_submul_1 (rp + n, cy = mpn_submul_1 (rp + n,
ecc->Bmodq_shifted, ECC_LIMB_SIZE, ecc->q.B_shifted, ECC_LIMB_SIZE,
rp[n + ECC_LIMB_SIZE]); rp[n + ECC_LIMB_SIZE]);
/* Top limb of mBmodq_shifted is zero, so we get cy == 0 or 1 */ /* Top limb of mBmodq_shifted is zero, so we get cy == 0 or 1 */
assert (cy < 2); assert (cy < 2);
cnd_add_n (cy, rp+n, ecc->q, ECC_LIMB_SIZE); cnd_add_n (cy, rp+n, ecc->q.m, ECC_LIMB_SIZE);
} }
cy = mpn_submul_1 (rp, ecc->q, ECC_LIMB_SIZE, cy = mpn_submul_1 (rp, ecc->q.m, ECC_LIMB_SIZE,
rp[ECC_LIMB_SIZE-1] >> (GMP_NUMB_BITS - QHIGH_BITS)); rp[ECC_LIMB_SIZE-1] >> (GMP_NUMB_BITS - QHIGH_BITS));
assert (cy < 2); assert (cy < 2);
cnd_add_n (cy, rp, ecc->q, ECC_LIMB_SIZE); cnd_add_n (cy, rp, ecc->q.m, ECC_LIMB_SIZE);
} }
/* Needs 2*ecc->size limbs at rp, and 2*ecc->size additional limbs of /* Needs 2*ecc->size limbs at rp, and 2*ecc->size additional limbs of
...@@ -200,8 +200,8 @@ ecc_25519_sqrt(mp_limb_t *rp, const mp_limb_t *ap) ...@@ -200,8 +200,8 @@ ecc_25519_sqrt(mp_limb_t *rp, const mp_limb_t *ap)
ecc_modp_mul (ecc, xp, t0, ap); /* a^{(p+3)/8 */ ecc_modp_mul (ecc, xp, t0, ap); /* a^{(p+3)/8 */
ecc_modp_mul (ecc, bp, t0, xp); /* a^{(p-1)/4} */ ecc_modp_mul (ecc, bp, t0, xp); /* a^{(p-1)/4} */
/* Check if b == 1 (mod p) */ /* Check if b == 1 (mod p) */
if (mpn_cmp (bp, ecc->p, ECC_LIMB_SIZE) >= 0) if (mpn_cmp (bp, ecc->p.m, ECC_LIMB_SIZE) >= 0)
mpn_sub_n (bp, bp, ecc->p, ECC_LIMB_SIZE); mpn_sub_n (bp, bp, ecc->p.m, ECC_LIMB_SIZE);
if (mpn_cmp (bp, ecc->unit, ECC_LIMB_SIZE) == 0) if (mpn_cmp (bp, ecc->unit, ECC_LIMB_SIZE) == 0)
{ {
mpn_copyi (rp, xp, ECC_LIMB_SIZE); mpn_copyi (rp, xp, ECC_LIMB_SIZE);
...@@ -210,7 +210,7 @@ ecc_25519_sqrt(mp_limb_t *rp, const mp_limb_t *ap) ...@@ -210,7 +210,7 @@ ecc_25519_sqrt(mp_limb_t *rp, const mp_limb_t *ap)
else else
{ {
mpn_add_1 (bp, bp, ECC_LIMB_SIZE, 1); mpn_add_1 (bp, bp, ECC_LIMB_SIZE, 1);
if (mpn_cmp (bp, ecc->p, ECC_LIMB_SIZE) == 0) if (mpn_cmp (bp, ecc->p.m, ECC_LIMB_SIZE) == 0)
{ {
ecc_modp_mul (&nettle_curve25519, bp, xp, ecc_sqrt_z); ecc_modp_mul (&nettle_curve25519, bp, xp, ecc_sqrt_z);
mpn_copyi (rp, bp, ECC_LIMB_SIZE); mpn_copyi (rp, bp, ECC_LIMB_SIZE);
...@@ -232,13 +232,28 @@ ecc_25519_sqrt(mp_limb_t *rp, const mp_limb_t *ap) ...@@ -232,13 +232,28 @@ ecc_25519_sqrt(mp_limb_t *rp, const mp_limb_t *ap)
const struct ecc_curve nettle_curve25519 = const struct ecc_curve nettle_curve25519 =
{ {
255, {
ECC_LIMB_SIZE, 255,
ECC_BMODP_SIZE, ECC_LIMB_SIZE,
253, ECC_BMODP_SIZE,
ECC_BMODQ_SIZE, 0,
ecc_p,
ecc_Bmodp,
ecc_Bmodp_shifted,
NULL,
},
{
253,
ECC_LIMB_SIZE,
ECC_BMODQ_SIZE,
0,
ecc_q,
ecc_Bmodq,
ecc_mBmodq_shifted, /* Use q - 2^{252} instead. */
NULL,
},
0, /* No redc */ 0, /* No redc */
0,
ECC_PIPPENGER_K, ECC_PIPPENGER_K,
ECC_PIPPENGER_C, ECC_PIPPENGER_C,
...@@ -257,18 +272,11 @@ const struct ecc_curve nettle_curve25519 = ...@@ -257,18 +272,11 @@ const struct ecc_curve nettle_curve25519 =
ecc_mul_g_eh, ecc_mul_g_eh,
ecc_eh_to_a, ecc_eh_to_a,
ecc_p,
ecc_d, /* Use the Edwards curve constant. */ ecc_d, /* Use the Edwards curve constant. */
ecc_q,
ecc_g, ecc_g,
ecc_edwards, ecc_edwards,
ecc_Bmodp,
ecc_Bmodp_shifted,
ecc_pp1h, ecc_pp1h,
ecc_redc_ppm1,
ecc_unit, ecc_unit,
ecc_Bmodq,
ecc_mBmodq_shifted, /* Use q - 2^{252} instead. */
ecc_qp1h, ecc_qp1h,
ecc_table ecc_table
}; };
...@@ -75,12 +75,12 @@ ecc_256_modp (const struct ecc_curve *ecc, mp_limb_t *rp) ...@@ -75,12 +75,12 @@ ecc_256_modp (const struct ecc_curve *ecc, mp_limb_t *rp)
mp_limb_t u1, u0; mp_limb_t u1, u0;
mp_size_t n; mp_size_t n;
n = 2*ecc->size; n = 2*ecc->p.size;
u1 = rp[--n]; u1 = rp[--n];
u0 = rp[n-1]; u0 = rp[n-1];
/* This is not particularly fast, but should work well with assembly implementation. */ /* This is not particularly fast, but should work well with assembly implementation. */
for (; n >= ecc->size; n--) for (; n >= ecc->p.size; n--)
{ {
mp_limb_t q2, q1, q0, t, cy; mp_limb_t q2, q1, q0, t, cy;
...@@ -115,8 +115,8 @@ ecc_256_modp (const struct ecc_curve *ecc, mp_limb_t *rp) ...@@ -115,8 +115,8 @@ ecc_256_modp (const struct ecc_curve *ecc, mp_limb_t *rp)
/* We multiply by two low limbs of p, 2^96 - 1, so we could use /* We multiply by two low limbs of p, 2^96 - 1, so we could use
shifts rather than mul. */ shifts rather than mul. */
t = mpn_submul_1 (rp + n - 4, ecc->p, 2, q1); t = mpn_submul_1 (rp + n - 4, ecc->p.m, 2, q1);
t += cnd_sub_n (q2, rp + n - 3, ecc->p, 1); t += cnd_sub_n (q2, rp + n - 3, ecc->p.m, 1);
t += (-q2) & 0xffffffff; t += (-q2) & 0xffffffff;
u0 = rp[n-2]; u0 = rp[n-2];
...@@ -124,7 +124,7 @@ ecc_256_modp (const struct ecc_curve *ecc, mp_limb_t *rp) ...@@ -124,7 +124,7 @@ ecc_256_modp (const struct ecc_curve *ecc, mp_limb_t *rp)
u0 -= t; u0 -= t;
t = (u1 < cy); t = (u1 < cy);
u1 -= cy; u1 -= cy;
u1 += cnd_add_n (t, rp + n - 4, ecc->p, 3); u1 += cnd_add_n (t, rp + n - 4, ecc->p.m, 3);
u1 -= (-t) & 0xffffffff; u1 -= (-t) & 0xffffffff;
} }
rp[2] = u0; rp[2] = u0;
...@@ -137,12 +137,12 @@ ecc_256_modq (const struct ecc_curve *ecc, mp_limb_t *rp) ...@@ -137,12 +137,12 @@ ecc_256_modq (const struct ecc_curve *ecc, mp_limb_t *rp)
mp_limb_t u2, u1, u0; mp_limb_t u2, u1, u0;
mp_size_t n; mp_size_t n;
n = 2*ecc->size; n = 2*ecc->q.size;
u2 = rp[--n]; u2 = rp[--n];
u1 = rp[n-1]; u1 = rp[n-1];
/* This is not particularly fast, but should work well with assembly implementation. */ /* This is not particularly fast, but should work well with assembly implementation. */
for (; n >= ecc->size; n--) for (; n >= ecc->q.size; n--)
{ {
mp_limb_t q2, q1, q0, t, c1, c0; mp_limb_t q2, q1, q0, t, c1, c0;
...@@ -196,9 +196,9 @@ ecc_256_modq (const struct ecc_curve *ecc, mp_limb_t *rp) ...@@ -196,9 +196,9 @@ ecc_256_modq (const struct ecc_curve *ecc, mp_limb_t *rp)
assert (q2 < 2); assert (q2 < 2);
c0 = cnd_sub_n (q2, rp + n - 3, ecc->q, 1); c0 = cnd_sub_n (q2, rp + n - 3, ecc->q.m, 1);
c0 += (-q2) & ecc->q[1]; c0 += (-q2) & ecc->q.m[1];
t = mpn_submul_1 (rp + n - 4, ecc->q, 2, q1); t = mpn_submul_1 (rp + n - 4, ecc->q.m, 2, q1);
c0 += t; c0 += t;
c1 = c0 < t; c1 = c0 < t;
...@@ -213,7 +213,7 @@ ecc_256_modq (const struct ecc_curve *ecc, mp_limb_t *rp) ...@@ -213,7 +213,7 @@ ecc_256_modq (const struct ecc_curve *ecc, mp_limb_t *rp)
u1 += t; u1 += t;
u2 += (t<<32) + (u0 < t); u2 += (t<<32) + (u0 < t);
t = cnd_add_n (t, rp + n - 4, ecc->q, 2); t = cnd_add_n (t, rp + n - 4, ecc->q.m, 2);
u1 += t; u1 += t;
u2 += (u1 < t); u2 += (u1 < t);
} }
...@@ -227,13 +227,28 @@ ecc_256_modq (const struct ecc_curve *ecc, mp_limb_t *rp) ...@@ -227,13 +227,28 @@ ecc_256_modq (const struct ecc_curve *ecc, mp_limb_t *rp)
const struct ecc_curve nettle_secp_256r1 = const struct ecc_curve nettle_secp_256r1 =
{ {
256, {
ECC_LIMB_SIZE, 256,
ECC_BMODP_SIZE, ECC_LIMB_SIZE,
256, ECC_BMODP_SIZE,
ECC_BMODQ_SIZE, ECC_REDC_SIZE,
ecc_p,
ecc_Bmodp,
ecc_Bmodp_shifted,
ecc_redc_ppm1,
},
{
256,
ECC_LIMB_SIZE,
ECC_BMODQ_SIZE,
0,
ecc_q,
ecc_Bmodq,
ecc_Bmodq_shifted,
NULL,
},
USE_REDC, USE_REDC,
ECC_REDC_SIZE,
ECC_PIPPENGER_K, ECC_PIPPENGER_K,
ECC_PIPPENGER_C, ECC_PIPPENGER_C,
...@@ -252,18 +267,11 @@ const struct ecc_curve nettle_secp_256r1 = ...@@ -252,18 +267,11 @@ const struct ecc_curve nettle_secp_256r1 =
ecc_mul_g, ecc_mul_g,
ecc_j_to_a, ecc_j_to_a,
ecc_p,
ecc_b, ecc_b,
ecc_q,
ecc_g, ecc_g,
NULL, NULL,
ecc_Bmodp,
ecc_Bmodp_shifted,
ecc_pp1h, ecc_pp1h,
ecc_redc_ppm1,
ecc_unit, ecc_unit,
ecc_Bmodq,
ecc_Bmodq_shifted,
ecc_qp1h, ecc_qp1h,
ecc_table ecc_table
}; };
...@@ -140,7 +140,7 @@ ecc_384_modp (const struct ecc_curve *ecc, mp_limb_t *rp) ...@@ -140,7 +140,7 @@ ecc_384_modp (const struct ecc_curve *ecc, mp_limb_t *rp)
cy = sec_add_1 (rp + 5, rp + 5, 1, cy); cy = sec_add_1 (rp + 5, rp + 5, 1, cy);
assert (cy <= 1); assert (cy <= 1);
cy = cnd_add_n (cy, rp, ecc->Bmodp, ECC_LIMB_SIZE); cy = cnd_add_n (cy, rp, ecc->p.B, ECC_LIMB_SIZE);
assert (cy == 0); assert (cy == 0);
} }
#else #else
...@@ -149,13 +149,28 @@ ecc_384_modp (const struct ecc_curve *ecc, mp_limb_t *rp) ...@@ -149,13 +149,28 @@ ecc_384_modp (const struct ecc_curve *ecc, mp_limb_t *rp)
const struct ecc_curve nettle_secp_384r1 = const struct ecc_curve nettle_secp_384r1 =
{ {
384, {
ECC_LIMB_SIZE, 384,
ECC_BMODP_SIZE,