From d5ca2c640aed5084dc2dc49c8c281edab7e6c182 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Thu, 28 Aug 2014 11:50:37 +0200
Subject: [PATCH] ecc_eh_to_a interface change, optionally reduce x mod q.

---
 ChangeLog          |  3 +++
 curve25519-mul-g.c |  2 +-
 curve25519-mul.c   |  2 +-
 ecc-eh-to-a.c      | 26 +++++++++++++++++++++-----
 ecc.h              |  2 +-
 5 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index be68acc1..b8e8a40d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 2014-08-28  Niels Möller  <nisse@lysator.liu.se>
 
+	* ecc-eh-to-a.c (ecc_eh_to_a): Analogous change as for ecc_j_to_a.
+	The modulo q case (op == 2) is hardcoded for curve25519.
+
 	* ecc-j-to-a.c (ecc_j_to_a): For curves using redc, always convert
 	back from redc form. When producing x coordiante only optionally
 	reduce it modulo q. Completely changes the meaning of the "flags"
diff --git a/curve25519-mul-g.c b/curve25519-mul-g.c
index f98bee3d..a695dad0 100644
--- a/curve25519-mul-g.c
+++ b/curve25519-mul-g.c
@@ -64,7 +64,7 @@ curve25519_mul_g (uint8_t *r, const uint8_t *n)
   mpn_set_base256_le (x, ecc_size, t, CURVE25519_SIZE);
 
   ecc_mul_g_eh (&nettle_curve25519, p, x, scratch_out);
-  ecc_eh_to_a (&nettle_curve25519, 2, x, p, scratch_out);
+  ecc_eh_to_a (&nettle_curve25519, 1, x, p, scratch_out);
 
   mpn_get_base256_le (r, CURVE25519_SIZE, x, ecc_size);
   gmp_free_limbs (scratch, itch);
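Review bot: The second argument changes from `2` to `1` here and in the matching call in curve25519-mul.c, and nothing at either call site says why; under the new `op` semantics introduced in ecc-eh-to-a.c, `1` keeps the previous behaviour (x coordinate only, no reduction modulo q), whereas `2` would now run the curve25519 mod-q path and change the output. A one-line comment at each call would pin that down, e.g. `/* op 1: x coordinate only, not reduced mod q */` above the `ecc_eh_to_a` call. The enclosing function curve25519_mul_g starts before this hunk.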
diff --git a/curve25519-mul.c b/curve25519-mul.c
index ddc50eb5..e94e26b4 100644
--- a/curve25519-mul.c
+++ b/curve25519-mul.c
@@ -82,7 +82,7 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)
   mpn_set_base256_le (s, ecc->size, t, CURVE25519_SIZE);
   
   ecc_mul_a_eh (ecc, x, s, x, scratch_out);
-  ecc_eh_to_a (ecc, 2, s, x, scratch_out);
+  ecc_eh_to_a (ecc, 1, s, x, scratch_out);
   mpn_get_base256_le (q, CURVE25519_SIZE, s, ecc->size);
 
   gmp_free_limbs (scratch, itch);
diff --git a/ecc-eh-to-a.c b/ecc-eh-to-a.c
index fd953bf3..80a450d9 100644
--- a/ecc-eh-to-a.c
+++ b/ecc-eh-to-a.c
@@ -33,6 +33,8 @@
 # include "config.h"
 #endif
 
+#include <assert.h>
+
 #include "ecc.h"
 #include "ecc-internal.h"
 
@@ -47,7 +49,7 @@ ecc_eh_to_a_itch (const struct ecc_curve *ecc)
    coordinates on the corresponding Montgomery curve. */
 void
 ecc_eh_to_a (const struct ecc_curve *ecc,
-	     int flags,
+	     int op,
 	     mp_limb_t *r, const mp_limb_t *p,
 	     mp_limb_t *scratch)
 {
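Review bot: The renamed parameter `op` is not documented at this definition nor at the declaration in the ecc.h hunk, and callers pass bare integer literals; from the body further down, `0` produces both coordinates, a non-zero value skips y, and a value greater than 1 additionally reduces x modulo q along a curve25519-specific path. The comment preceding this definition begins outside the hunk, so it may already describe the old `flags`, but it would need updating in any case; I would add, above the prototype in ecc.h and mirrored here, `/* op: 0 = x and y, 1 = x only (reduced mod p), 2 = x only reduced mod q (currently curve25519 only) */`. The function body continues past this hunk.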
@@ -88,10 +90,24 @@ ecc_eh_to_a (const struct ecc_curve *ecc,
   cy = mpn_sub_n (xp, tp, ecc->p, ecc->size);
   cnd_copy (cy, xp, tp, ecc->size);
 
-  if (flags & 2)
-    /* Skip y coordinate */
-    return;
-  
+  if (op)
+    {
+      /* Skip y coordinate */
+      if (op > 1)
+	{
+	  /* Reduce modulo q. FIXME: Hardcoded for curve25519,
+	     duplicates end of ecc_25519_modq. */
+	  mp_limb_t cy;
+	  unsigned shift;
+	  assert (ecc->bit_size == 255);
+	  shift = 252 - GMP_NUMB_BITS * (ecc->size - 1);
+	  cy = mpn_submul_1 (xp, ecc->q, ecc->size,
+			     xp[ecc->size-1] >> shift);
+	  assert (cy < 2);
+	  cnd_add_n (cy, xp, ecc->q, ecc->size);
+	}
+      return;
+    }
   ecc_modp_add (ecc, sp, wp, vp); /* FIXME: Redundant. Also the (W +
 				     V) Z^-1 multiplication is
 				     redundant. */
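Review bot: The `mp_limb_t cy;` declared inside the `op > 1` block shadows the function-scope `cy` that is assigned just above (`cy = mpn_sub_n (xp, tp, ecc->p, ecc->size);`), which -Wshadow will flag and which makes the two borrows easy to confuse when reading; renaming the inner one (e.g. `mp_limb_t cq;` and using `cq` in the `mpn_submul_1`, `assert` and `cnd_add_n` lines) avoids that. Separately, `assert (ecc->bit_size == 255)` is the only guard on the hardcoded `252 - GMP_NUMB_BITS * (ecc->size - 1)` shift; with NDEBUG defined, an `op > 1` call for any other curve would compute a shift from the wrong constant and return a silently wrong, unreduced or mis-reduced x, so the curve25519-only restriction should at least be stated in the parameter documentation until the FIXME is resolved. The enclosing function ecc_eh_to_a starts and ends outside this hunk.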
diff --git a/ecc.h b/ecc.h
index 2d8fc49f..0d07ee5d 100644
--- a/ecc.h
+++ b/ecc.h
@@ -206,7 +206,7 @@ mp_size_t
 ecc_eh_to_a_itch (const struct ecc_curve *ecc);
 void
 ecc_eh_to_a (const struct ecc_curve *ecc,
-	     int flags,
+	     int op,
 	     mp_limb_t *r, const mp_limb_t *p,
 	     mp_limb_t *scratch);
 
-- 
GitLab