From 6d7612dad5b7f7f3fd6fa834ba2f13f1a7a2f237 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Sun, 8 Nov 2020 22:39:25 +0100
Subject: [PATCH] Updated itch macros for ecc point multiplication and
 signatures

---
 ChangeLog          |  8 ++++++++
 ecc-ecdsa-sign.c   |  2 +-
 ecc-gostdsa-sign.c |  2 +-
 ecc-internal.h     | 16 ++++++++--------
 ecc-mul-a-eh.c     |  2 +-
 ecc-mul-g.c        |  2 +-
 eddsa-pubkey.c     |  4 ++--
 eddsa-sign.c       |  4 ++--
 8 files changed, 24 insertions(+), 16 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3998f5d7..9dfd044c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
 2020-11-08  Niels Möller  <nisse@lysator.liu.se>
 
+	* eddsa-sign.c (_eddsa_sign_itch): Update, since now point
+	multiplication needs less scratch than point compression.
+	* eddsa-pubkey.c (_eddsa_public_key_itch): Likewise.
+
+	* ecc-internal.h: Update *_ITCH macros for point multiplication
+	and signatures. They need slightly less scratch after optimization
+	of the point addition functions.
+
 	* ecc-mul-m.c (ecc_mul_m): Reduce scratch need.
 	(ecc_mul_m): Optimize swapping, with only a single mpn_cnd_swap
 	per iteration.
diff --git a/ecc-ecdsa-sign.c b/ecc-ecdsa-sign.c
index e79a636a..10e1de22 100644
--- a/ecc-ecdsa-sign.c
+++ b/ecc-ecdsa-sign.c
@@ -47,7 +47,7 @@ mp_size_t
 ecc_ecdsa_sign_itch (const struct ecc_curve *ecc)
 {
   /* Needs 3*ecc->p.size + scratch for ecc->mul_g. Currently same for
-     ecc_mul_g and ecc_mul_g_eh. */
+     ecc_mul_g. */
   return ECC_ECDSA_SIGN_ITCH (ecc->p.size);
 }
 
diff --git a/ecc-gostdsa-sign.c b/ecc-gostdsa-sign.c
index 351ce93e..c924122c 100644
--- a/ecc-gostdsa-sign.c
+++ b/ecc-gostdsa-sign.c
@@ -46,7 +46,7 @@ mp_size_t
 ecc_gostdsa_sign_itch (const struct ecc_curve *ecc)
 {
   /* Needs 3*ecc->p.size + scratch for ecc->mul_g. Currently same for
-     ecc_mul_g and ecc_mul_g_eh. */
+     ecc_mul_g. */
   return ECC_GOSTDSA_SIGN_ITCH (ecc->p.size);
 }
 
diff --git a/ecc-internal.h b/ecc-internal.h
index 39166f85..b4dfad2e 100644
--- a/ecc-internal.h
+++ b/ecc-internal.h
@@ -453,23 +453,23 @@ curve448_eh_to_x (mp_limb_t *xp, const mp_limb_t *p,
 #define ECC_ADD_EHH_ITCH(size) (4*(size))
 #define ECC_ADD_TH_ITCH(size) (4*(size))
 #define ECC_ADD_THH_ITCH(size) (4*(size))
-#define ECC_MUL_G_ITCH(size) (9*(size))
-#define ECC_MUL_G_EH_ITCH(size) (9*(size))
+#define ECC_MUL_G_ITCH(size) (8*(size))
+#define ECC_MUL_G_EH_ITCH(size) (7*(size))
 #if ECC_MUL_A_WBITS == 0
-#define ECC_MUL_A_ITCH(size) (12*(size))
+#define ECC_MUL_A_ITCH(size) (11*(size))
 #else
 #define ECC_MUL_A_ITCH(size) \
-  (((3 << ECC_MUL_A_WBITS) + 11) * (size))
+  (((3 << ECC_MUL_A_WBITS) + 8) * (size))
 #endif
 #if ECC_MUL_A_EH_WBITS == 0
-#define ECC_MUL_A_EH_ITCH(size) (12*(size))
+#define ECC_MUL_A_EH_ITCH(size) (10*(size))
 #else
 #define ECC_MUL_A_EH_ITCH(size) \
-  (((3 << ECC_MUL_A_EH_WBITS) + 10) * (size))
+  (((3 << ECC_MUL_A_EH_WBITS) + 7) * (size))
 #endif
 #define ECC_MUL_M_ITCH(size) (8*(size))
-#define ECC_ECDSA_SIGN_ITCH(size) (12*(size))
-#define ECC_GOSTDSA_SIGN_ITCH(size) (12*(size))
+#define ECC_ECDSA_SIGN_ITCH(size) (11*(size))
+#define ECC_GOSTDSA_SIGN_ITCH(size) (11*(size))
 #define ECC_MOD_RANDOM_ITCH(size) (size)
 #define ECC_HASH_ITCH(size) (1+(size))
 
diff --git a/ecc-mul-a-eh.c b/ecc-mul-a-eh.c
index b0aa2697..1eb3efcc 100644
--- a/ecc-mul-a-eh.c
+++ b/ecc-mul-a-eh.c
@@ -39,7 +39,7 @@
 #include "ecc-internal.h"
 
 /* Binary algorithm needs 6*ecc->p.size + scratch for ecc_add_ehh,
-   total 12 ecc->p.size
+   total 10 ecc->p.size
 
    Window algorithm needs (3<<w) * ecc->p.size for the table,
    3*ecc->p.size for a temporary point, and scratch for
diff --git a/ecc-mul-g.c b/ecc-mul-g.c
index c4a1b5bb..dcc7c3ea 100644
--- a/ecc-mul-g.c
+++ b/ecc-mul-g.c
@@ -45,7 +45,7 @@ ecc_mul_g (const struct ecc_curve *ecc, mp_limb_t *r,
 	   const mp_limb_t *np, mp_limb_t *scratch)
 {
   /* Scratch need determined by the ecc_add_jja call. Current total is
-     9 * ecc->p.size, at most 648 bytes. */
+     8 * ecc->p.size, at most 576 bytes. */
 #define tp scratch
 #define scratch_out (scratch + 3*ecc->p.size)
 
diff --git a/eddsa-pubkey.c b/eddsa-pubkey.c
index 72726e56..646d1954 100644
--- a/eddsa-pubkey.c
+++ b/eddsa-pubkey.c
@@ -43,8 +43,8 @@
 mp_size_t
 _eddsa_public_key_itch (const struct ecc_curve *ecc)
 {
-  assert (_eddsa_compress_itch (ecc) <= ecc->mul_g_itch);
-  return 3*ecc->p.size + ecc->mul_g_itch;
+  assert (ecc->mul_g_itch <= _eddsa_compress_itch (ecc));
+  return 3*ecc->p.size + _eddsa_compress_itch (ecc);
 }
 
 void
diff --git a/eddsa-sign.c b/eddsa-sign.c
index c1a23cd7..f5dda6f0 100644
--- a/eddsa-sign.c
+++ b/eddsa-sign.c
@@ -45,8 +45,8 @@
 mp_size_t
 _eddsa_sign_itch (const struct ecc_curve *ecc)
 {
-  assert (_eddsa_compress_itch (ecc) <= ecc->mul_g_itch);
-  return 5*ecc->p.size + ecc->mul_g_itch;
+  assert (ecc->mul_g_itch <= _eddsa_compress_itch (ecc));
+  return 5*ecc->p.size + _eddsa_compress_itch (ecc);
 }
 
 void
-- 
GitLab