| blob | 6f3ec3c25055eb7d79af28a06ba43f2b54b8dc05 |
1 /* $OpenBSD: ecp_nistp256.c,v 1.18 2017/05/02 03:59:44 deraadt Exp $ */
2 /*
3 * Written by Adam Langley (Google) for the OpenSSL project
4 */
5 /*
6 * Copyright (c) 2011 Google Inc.
7 *
8 * Permission to use, copy, modify, and distribute this software for any
9 * purpose with or without fee is hereby granted, provided that the above
10 * copyright notice and this permission notice appear in all copies.
11 *
12 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
13 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
14 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
15 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
16 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 */
21 /*
22 * A 64-bit implementation of the NIST P-256 elliptic curve point multiplication
23 *
24 * OpenSSL integration was taken from Emilia Kasper's work in ecp_nistp224.c.
25 * Otherwise based on Emilia's P224 work, which was inspired by my curve25519
26 * work which got its smarts from Daniel J. Bernstein's work on the same.
27 */
29 #include <stdint.h>
30 #include <string.h>
32 #include <openssl/opensslconf.h>
34 #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
36 #include <openssl/err.h>
39 #if defined(__GNUC__) && (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 1))
40 /* even with gcc, the typedef won't work for 32-bit platforms */
43 #else
45 #endif
52 /* The underlying field.
53 *
54 * P256 operates over GF(2^256-2^224+2^192+2^96-1). We can serialise an element
55 * of this field into 32 bytes. We call this an felem_bytearray. */
59 /* These are the parameters of P256, taken from FIPS 186-3, page 86. These
60 * values are big-endian. */
82 };
84 /* The representation of field elements.
85 * ------------------------------------
86 *
87 * We represent field elements with either four 128-bit values, eight 128-bit
88 * values, or four 64-bit values. The field element represented is:
89 * v[0]*2^0 + v[1]*2^64 + v[2]*2^128 + v[3]*2^192 (mod p)
90 * or:
91 * v[0]*2^0 + v[1]*2^64 + v[2]*2^128 + ... + v[8]*2^512 (mod p)
92 *
93 * 128-bit values are called 'limbs'. Since the limbs are spaced only 64 bits
94 * apart, but are 128-bits wide, the most significant bits of each limb overlap
95 * with the least significant bits of the next.
96 *
97 * A field element with four limbs is an 'felem'. One with eight limbs is a
98 * 'longfelem'
99 *
100 * A field element with four, 64-bit values is called a 'smallfelem'. Small
101 * values are used as intermediate values before multiplication.
102 */
104 #define NLIMBS 4
111 /* This is the value of the prime as four 64-bit words, little-endian. */
116 /* bin32_to_felem takes a little-endian byte array and converts it into felem
117 * form. This assumes that the CPU is little-endian. */
118 static void
120 {
125 }
127 /* smallfelem_to_bin32 takes a smallfelem and serialises into a little endian,
128 * 32 byte array. This assumes that the CPU is little-endian. */
129 static void
131 {
136 }
138 /* To preserve endianness when using BN_bn2bin and BN_bin2bn */
139 static void
141 {
145 }
147 /* BN_to_felem converts an OpenSSL BIGNUM into an felem */
148 static int
150 {
151 felem_bytearray b_in;
152 felem_bytearray b_out;
155 /* BN_bn2bin eats leading zeroes */
161 }
165 }
170 }
172 /* felem_to_BN converts an felem into an OpenSSL BIGNUM */
175 {
180 }
183 /* Field operations
184 * ---------------- */
186 static void
188 {
193 }
195 static void
197 {
202 }
204 static void
206 {
211 }
213 /* felem_sum sets out = out + in. */
214 static void
216 {
221 }
223 /* felem_small_sum sets out = out + in. */
224 static void
226 {
231 }
233 /* felem_scalar sets out = out * scalar */
234 static void
236 {
241 }
243 /* longfelem_scalar sets out = out * scalar */
244 static void
246 {
255 }
257 #define two105m41m9 (((limb)1) << 105) - (((limb)1) << 41) - (((limb)1) << 9)
258 #define two105 (((limb)1) << 105)
259 #define two105m41p9 (((limb)1) << 105) - (((limb)1) << 41) + (((limb)1) << 9)
261 /* zero105 is 0 mod p */
264 /* smallfelem_neg sets |out| to |-small|
265 * On exit:
266 * out[i] < out[i] + 2^105
267 */
268 static void
270 {
271 /* In order to prevent underflow, we subtract from 0 mod p. */
276 }
278 /* felem_diff subtracts |in| from |out|
279 * On entry:
280 * in[i] < 2^104
281 * On exit:
282 * out[i] < out[i] + 2^105
283 */
284 static void
286 {
287 /* In order to prevent underflow, we add 0 mod p before subtracting. */
297 }
299 #define two107m43m11 (((limb)1) << 107) - (((limb)1) << 43) - (((limb)1) << 11)
300 #define two107 (((limb)1) << 107)
301 #define two107m43p11 (((limb)1) << 107) - (((limb)1) << 43) + (((limb)1) << 11)
303 /* zero107 is 0 mod p */
306 /* An alternative felem_diff for larger inputs |in|
307 * felem_diff_zero107 subtracts |in| from |out|
308 * On entry:
309 * in[i] < 2^106
310 * On exit:
311 * out[i] < out[i] + 2^107
312 */
313 static void
315 {
316 /* In order to prevent underflow, we add 0 mod p before subtracting. */
326 }
328 /* longfelem_diff subtracts |in| from |out|
329 * On entry:
330 * in[i] < 7*2^67
331 * On exit:
332 * out[i] < out[i] + 2^70 + 2^40
333 */
334 static void
336 {
340 static const limb two70m40m38p6 = (((limb) 1) << 70) - (((limb) 1) << 40) - (((limb) 1) << 38) + (((limb) 1) << 6);
343 /* add 0 mod p to avoid underflow */
353 /* in[i] < 7*2^67 < 2^70 - 2^40 - 2^38 + 2^6 */
362 }
364 #define two64m0 (((limb)1) << 64) - 1
365 #define two110p32m0 (((limb)1) << 110) + (((limb)1) << 32) - 1
366 #define two64m46 (((limb)1) << 64) - (((limb)1) << 46)
367 #define two64m32 (((limb)1) << 64) - (((limb)1) << 32)
369 /* zero110 is 0 mod p */
372 /* felem_shrink converts an felem into a smallfelem. The result isn't quite
373 * minimal as the value may be greater than p.
374 *
375 * On entry:
376 * in[i] < 2^109
377 * On exit:
378 * out[i] < 2^64
379 */
380 static void
382 {
383 felem tmp;
388 /* Carry 2->3 */
390 /* tmp[3] < 2^110 */
395 /* tmp[0] < 2**110, tmp[1] < 2^111, tmp[2] < 2**65 */
397 /*
398 * We perform two partial reductions where we eliminate the high-word
399 * of tmp[3]. We don't update the other words till the end.
400 */
405 /* tmp[3] < 2^79 */
413 /* tmp[3] < 2^64 + 2^47 */
415 /*
416 * This adjusts the other two words to complete the two partial
417 * reductions.
418 */
422 /*
423 * In order to make space in tmp[3] for the carry from 2 -> 3, we
424 * conditionally subtract kPrime if tmp[3] is large enough.
425 */
427 /* As tmp[3] < 2^65, high is either 1 or 0 */
430 /*
431 * high is: all ones if the high word of tmp[3] is 1 all zeros if
432 * the high word of tmp[3] if 0
433 */
436 /*
437 * mask is: all ones if the MSB of low is 1 all zeros if the MSB
438 * of low if 0
439 */
442 /* if low was greater than kPrime3Test then the MSB is zero */
445 /*
446 * low is: all ones if low was > kPrime3Test all zeros if low was
447 * <= kPrime3Test
448 */
452 /* kPrime[2] is zero, so omitted */
454 /* tmp[3] < 2**64 - 2**32 + 1 */
462 /* tmp[i] < 2^64 */
468 }
470 /* smallfelem_expand converts a smallfelem to an felem */
471 static void
473 {
478 }
480 /* smallfelem_square sets |out| = |small|^2
481 * On entry:
482 * small[i] < 2^64
483 * On exit:
484 * out[i] < 7 * 2^64 < 2^67
485 */
486 static void
488 {
489 limb a;
557 }
559 /* felem_square sets |out| = |in|^2
560 * On entry:
561 * in[i] < 2^109
562 * On exit:
563 * out[i] < 7 * 2^64 < 2^67
564 */
565 static void
567 {
571 }
573 /* smallfelem_mul sets |out| = |small1| * |small2|
574 * On entry:
575 * small1[i] < 2^64
576 * small2[i] < 2^64
577 * On exit:
578 * out[i] < 7 * 2^64 < 2^67
579 */
580 static void
582 {
583 limb a;
687 }
689 /* felem_mul sets |out| = |in1| * |in2|
690 * On entry:
691 * in1[i] < 2^109
692 * in2[i] < 2^109
693 * On exit:
694 * out[i] < 7 * 2^64 < 2^67
695 */
696 static void
698 {
703 }
705 /* felem_small_mul sets |out| = |small1| * |in2|
706 * On entry:
707 * small1[i] < 2^64
708 * in2[i] < 2^109
709 * On exit:
710 * out[i] < 7 * 2^64 < 2^67
711 */
712 static void
714 {
715 smallfelem small2;
718 }
720 #define two100m36m4 (((limb)1) << 100) - (((limb)1) << 36) - (((limb)1) << 4)
721 #define two100 (((limb)1) << 100)
722 #define two100m36p4 (((limb)1) << 100) - (((limb)1) << 36) + (((limb)1) << 4)
723 /* zero100 is 0 mod p */
726 /* Internal function for the different flavours of felem_reduce.
727 * felem_reduce_ reduces the higher coefficients in[4]-in[7].
728 * On entry:
729 * out[0] >= in[6] + 2^32*in[6] + in[7] + 2^32*in[7]
730 * out[1] >= in[7] + 2^32*in[4]
731 * out[2] >= in[5] + 2^32*in[5]
732 * out[3] >= in[4] + 2^32*in[5] + 2^32*in[6]
733 * On exit:
734 * out[0] <= out[0] + in[4] + 2^32*in[5]
735 * out[1] <= out[1] + in[5] + 2^33*in[6]
736 * out[2] <= out[2] + in[7] + 2*in[6] + 2^33*in[7]
737 * out[3] <= out[3] + 2^32*in[4] + 3*in[7]
738 */
739 static void
741 {
742 int128_t c;
743 /* combine common terms from below */
752 /* the remaining terms */
753 /* 256: [(0,1),(96,-1),(192,-1),(224,1)] */
757 /* 320: [(32,1),(64,1),(128,-1),(160,-1),(224,-1)] */
760 /* 384: [(0,-1),(32,-1),(96,2),(128,2),(224,-1)] */
767 /* 448: [(0,-1),(32,-1),(64,-1),(128,1),(160,2),(192,3)] */
772 }
774 /* felem_reduce converts a longfelem into an felem.
775 * To be called directly after felem_square or felem_mul.
776 * On entry:
777 * in[0] < 2^64, in[1] < 3*2^64, in[2] < 5*2^64, in[3] < 7*2^64
778 * in[4] < 7*2^64, in[5] < 5*2^64, in[6] < 3*2^64, in[7] < 2*64
779 * On exit:
780 * out[i] < 2^101
781 */
782 static void
784 {
792 /*
793 * out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0
794 * out[1] > 2^100 - 2^64 - 7*2^96 > 0 out[2] > 2^100 - 2^36 + 2^4 -
795 * 5*2^64 - 5*2^96 > 0 out[3] > 2^100 - 2^36 + 2^4 - 7*2^64 - 5*2^96
796 * - 3*2^96 > 0
797 *
798 * out[0] < 2^100 + 2^64 + 7*2^64 + 5*2^96 < 2^101 out[1] < 2^100 +
799 * 3*2^64 + 5*2^64 + 3*2^97 < 2^101 out[2] < 2^100 + 5*2^64 + 2^64 +
800 * 3*2^65 + 2^97 < 2^101 out[3] < 2^100 + 7*2^64 + 7*2^96 + 3*2^64 <
801 * 2^101
802 */
803 }
805 /* felem_reduce_zero105 converts a larger longfelem into an felem.
806 * On entry:
807 * in[0] < 2^71
808 * On exit:
809 * out[i] < 2^106
810 */
811 static void
813 {
821 /*
822 * out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0
823 * out[1] > 2^105 - 2^71 - 2^103 > 0 out[2] > 2^105 - 2^41 + 2^9 -
824 * 2^71 - 2^103 > 0 out[3] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 -
825 * 2^103 > 0
826 *
827 * out[0] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106 out[1] < 2^105 + 2^71 +
828 * 2^71 + 2^103 < 2^106 out[2] < 2^105 + 2^71 + 2^71 + 2^71 + 2^103 <
829 * 2^106 out[3] < 2^105 + 2^71 + 2^103 + 2^71 < 2^106
830 */
831 }
833 /* subtract_u64 sets *result = *result - v and *carry to one if the subtraction
834 * underflowed. */
835 static void
837 {
842 }
844 /* felem_contract converts |in| to its unique, minimal representation.
845 * On entry:
846 * in[i] < 2^109
847 */
848 static void
850 {
855 /* small is minimal except that the value might be > p */
857 all_equal_so_far--;
858 /*
859 * We are doing a constant time test if out >= kPrime. We need to
860 * compare each u64, from most-significant to least significant. For
861 * each one, if all words so far have been equal (m is all ones) then
862 * a non-equal result is the answer. Otherwise we continue.
863 */
865 u64 equal;
867 /*
868 * if out[i] > kPrime[i] then a will underflow and the high
869 * 64-bits will all be set.
870 */
873 /*
874 * if kPrime[i] == out[i] then |equal| will be all zeros and
875 * the decrement will make it all ones.
876 */
878 equal--;
888 }
890 /*
891 * if all_equal_so_far is still all ones then the two values are
892 * equal and so out >= kPrime is true.
893 */
896 /* if out >= kPrime then we subtract kPrime. */
910 }
912 static void
914 {
915 longfelem longtmp;
916 felem tmp;
921 }
923 static void
925 {
926 longfelem longtmp;
927 felem tmp;
932 }
934 /* felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
935 * otherwise.
936 * On entry:
937 * small[i] < 2^64
938 */
939 static limb
941 {
942 limb result;
943 u64 is_p;
946 is_zero--;
959 is_p--;
973 }
975 static int
977 {
979 }
981 /* felem_inv calculates |out| = |in|^{-1}
982 *
983 * Based on Fermat's Little Theorem:
984 * a^p = a (mod p)
985 * a^{p-1} = 1 (mod p)
986 * a^{p-2} = a^{-1} (mod p)
987 */
988 static void
990 {
992 /* each e_I will hold |in|^{2^I - 1} */
994 longfelem tmp;
1081 }
1083 static void
1085 {
1086 felem tmp;
1091 }
1093 /* Group operations
1094 * ----------------
1095 *
1096 * Building on top of the field operations we have the operations on the
1097 * elliptic curve group itself. Points on the curve are represented in Jacobian
1098 * coordinates */
1100 /* point_double calculates 2*(x_in, y_in, z_in)
1101 *
1102 * The method is taken from:
1103 * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
1104 *
1105 * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed.
1106 * while x_out == y_in is not (maybe this works, but it's not tested). */
1107 static void
1110 {
1116 /* ftmp[i] < 2^106 */
1118 /* ftmp2[i] < 2^106 */
1120 /* delta = z^2 */
1123 /* delta[i] < 2^101 */
1125 /* gamma = y^2 */
1128 /* gamma[i] < 2^101 */
1131 /* beta = x*gamma */
1134 /* beta[i] < 2^101 */
1136 /* alpha = 3*(x-delta)*(x+delta) */
1138 /* ftmp[i] < 2^105 + 2^106 < 2^107 */
1140 /* ftmp2[i] < 2^105 + 2^106 < 2^107 */
1142 /* ftmp2[i] < 3 * 2^107 < 2^109 */
1145 /* alpha[i] < 2^101 */
1148 /* x' = alpha^2 - 8*beta */
1153 /* ftmp[i] < 8 * 2^101 = 2^104 */
1155 /* x_out[i] < 2^105 + 2^101 < 2^106 */
1157 /* z' = (y + z)^2 - gamma - delta */
1159 /* delta[i] < 2^101 + 2^101 = 2^102 */
1162 /* ftmp[i] < 2^106 + 2^106 = 2^107 */
1166 /* z_out[i] < 2^105 + 2^101 < 2^106 */
1168 /* y' = alpha*(4*beta - x') - 8*gamma^2 */
1170 /* beta[i] < 4 * 2^101 = 2^103 */
1172 /* beta[i] < 2^107 + 2^103 < 2^108 */
1174 /* tmp[i] < 7 * 2^64 < 2^67 */
1176 /* tmp2[i] < 7 * 2^64 */
1178 /* tmp2[i] < 8 * 7 * 2^64 = 7 * 2^67 */
1180 /* tmp[i] < 2^67 + 2^70 + 2^40 < 2^71 */
1182 /* y_out[i] < 2^106 */
1183 }
1185 /* point_double_small is the same as point_double, except that it operates on
1186 * smallfelems */
1187 static void
1190 {
1202 }
1204 /* copy_conditional copies in to out iff mask is all ones. */
1205 static void
1207 {
1212 }
1213 }
1215 /* copy_small_conditional copies in to out iff mask is all ones. */
1216 static void
1218 {
1223 }
1224 }
1226 /* point_add calcuates (x1, y1, z1) + (x2, y2, z2)
1227 *
1228 * The method is taken from:
1229 * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
1230 * adapted for mixed addition (z2 = 1, or z2 = 0 for the point at infinity).
1231 *
1232 * This function includes a branch for checking whether the two input points
1233 * are equal, (while not equal to the point at infinity). This case never
1234 * happens during single point multiplication, so there is no timing leak for
1235 * ECDH or ECDSA signing. */
1236 static void
1240 {
1251 /* ftmp = z1z1 = z1**2 */
1254 /* ftmp[i] < 2^101 */
1258 /* ftmp2 = z2z2 = z2**2 */
1261 /* ftmp2[i] < 2^101 */
1266 /* u1 = ftmp3 = x1*z2z2 */
1269 /* ftmp3[i] < 2^101 */
1271 /* ftmp5 = z1 + z2 */
1274 /* ftmp5[i] < 2^107 */
1276 /* ftmp5 = (z1 + z2)**2 - (z1z1 + z2z2) = 2z1z2 */
1279 /* ftmp2 = z2z2 + z1z1 */
1281 /* ftmp2[i] < 2^101 + 2^101 = 2^102 */
1283 /* ftmp5[i] < 2^105 + 2^101 < 2^106 */
1285 /* ftmp2 = z2 * z2z2 */
1289 /* s1 = ftmp2 = y1 * z2**3 */
1292 /* ftmp6[i] < 2^101 */
1294 /* We'll assume z2 = 1 (special case z2 = 0 is handled later) */
1296 /* u1 = ftmp3 = x1*z2z2 */
1298 /* ftmp3[i] < 2^106 */
1300 /* ftmp5 = 2z1z2 */
1303 /* ftmp5[i] < 2*2^106 = 2^107 */
1305 /* s1 = ftmp2 = y1 * z2**3 */
1307 /* ftmp6[i] < 2^106 */
1308 }
1310 /* u2 = x2*z1z1 */
1314 /* h = ftmp4 = u2 - u1 */
1316 /* ftmp4[i] < 2^107 + 2^101 < 2^108 */
1321 /* z_out = ftmp5 * h */
1324 /* z_out[i] < 2^101 */
1326 /* ftmp = z1 * z1z1 */
1330 /* s2 = tmp = y2 * z1**3 */
1334 /* r = ftmp5 = (s2 - s1)*2 */
1336 /* ftmp5[i] < 2^107 + 2^107 = 2^108 */
1338 /* ftmp5[i] < 2^109 */
1345 }
1346 /* I = ftmp = (2h)**2 */
1349 /* ftmp[i] < 2*2^108 = 2^109 */
1353 /* J = ftmp2 = h * I */
1357 /* V = ftmp4 = U1 * I */
1361 /* x_out = r**2 - J - 2V */
1367 /* ftmp4[i] < 2*2^101 + 2^101 < 2^103 */
1369 /* x_out[i] < 2^105 + 2^101 */
1371 /* y_out = r(V-x_out) - 2 * s1 * J */
1373 /* ftmp3[i] < 2^107 + 2^101 < 2^108 */
1377 /* tmp2[i] < 2*2^67 = 2^68 */
1379 /* tmp[i] < 2^67 + 2^70 + 2^40 < 2^71 */
1381 /* y_out[i] < 2^106 */
1392 }
1394 /* point_add_small is the same as point_add, except that it operates on
1395 * smallfelems */
1396 static void
1400 {
1410 }
1412 /* Base point pre computation
1413 * --------------------------
1414 *
1415 * Two different sorts of precomputed tables are used in the following code.
1416 * Each contain various points on the curve, where each point is three field
1417 * elements (x, y, z).
1418 *
1419 * For the base point table, z is usually 1 (0 for the point at infinity).
1420 * This table has 2 * 16 elements, starting with the following:
1421 * index | bits | point
1422 * ------+---------+------------------------------
1423 * 0 | 0 0 0 0 | 0G
1424 * 1 | 0 0 0 1 | 1G
1425 * 2 | 0 0 1 0 | 2^64G
1426 * 3 | 0 0 1 1 | (2^64 + 1)G
1427 * 4 | 0 1 0 0 | 2^128G
1428 * 5 | 0 1 0 1 | (2^128 + 1)G
1429 * 6 | 0 1 1 0 | (2^128 + 2^64)G
1430 * 7 | 0 1 1 1 | (2^128 + 2^64 + 1)G
1431 * 8 | 1 0 0 0 | 2^192G
1432 * 9 | 1 0 0 1 | (2^192 + 1)G
1433 * 10 | 1 0 1 0 | (2^192 + 2^64)G
1434 * 11 | 1 0 1 1 | (2^192 + 2^64 + 1)G
1435 * 12 | 1 1 0 0 | (2^192 + 2^128)G
1436 * 13 | 1 1 0 1 | (2^192 + 2^128 + 1)G
1437 * 14 | 1 1 1 0 | (2^192 + 2^128 + 2^64)G
1438 * 15 | 1 1 1 1 | (2^192 + 2^128 + 2^64 + 1)G
1439 * followed by a copy of this with each element multiplied by 2^32.
1440 *
1441 * The reason for this is so that we can clock bits into four different
1442 * locations when doing simple scalar multiplies against the base point,
1443 * and then another four locations using the second 16 elements.
1444 *
1445 * Tables for other points have table[i] = iG for i in 0 .. 16. */
1447 /* gmul is the table of precomputed base points */
1546 /* select_point selects the |idx|th point from a precomputation table and
1547 * copies it to out. */
1548 static void
1549 select_point(const u64 idx, unsigned int size, const smallfelem pre_comp[16][3], smallfelem out[3])
1550 {
1562 mask--;
1565 }
1566 }
1568 /* get_bit returns the |i|th bit in |in| */
1569 static char
1571 {
1575 }
1577 /* Interleaved point multiplication using precomputed point multiples:
1578 * The small point multiples 0*P, 1*P, ..., 17*P are in pre_comp[],
1579 * the scalars in scalars[]. If g_scalar is non-NULL, we also add this multiple
1580 * of the generator, using certain (large) precomputed multiples in g_pre_comp.
1581 * Output point (X, Y, Z) is stored in x_out, y_out, z_out */
1582 static void
1586 {
1591 u64 bits;
1594 /* set nq to the point at infinity */
1597 /*
1598 * Loop over all scalars msb-to-lsb, interleaving additions of
1599 * multiples of the generator (two in each of the last 32 rounds) and
1600 * additions of other points multiples (every 5th round).
1601 */
1603 * round */
1605 /* double */
1609 /* add multiples of the generator */
1611 /* first, look 32 bits upwards */
1616 /* select the point to add, in constant time */
1628 }
1630 /* second, look at the current position */
1635 /* select the point to add, in constant time */
1640 }
1641 /* do other additions every 5 doublings */
1643 /* loop over all scalars */
1653 /*
1654 * select the point to add or subtract, in
1655 * constant time
1656 */
1659 * negative point */
1672 }
1673 }
1674 }
1675 }
1679 }
1681 /* Precomputation for the group generator. */
1689 {
1701 ec_GFp_simple_group_check_discriminant,
1708 ec_GFp_simple_set_Jprojective_coordinates_GFp,
1710 ec_GFp_simple_get_Jprojective_coordinates_GFp,
1712 ec_GFp_simple_point_set_affine_coordinates,
1714 ec_GFp_nistp256_point_get_affine_coordinates,
1728 };
1731 }
1733 /******************************************************************************/
1734 /* FUNCTIONS TO MANAGE PRECOMPUTATION
1735 */
1739 {
1745 }
1749 }
1753 {
1756 /* no need to actually copy, these objects never change! */
1760 }
1762 static void
1764 {
1776 }
1778 static void
1780 {
1792 }
1794 /******************************************************************************/
1795 /* OPENSSL EC_METHOD FUNCTIONS
1796 */
1798 int
1800 {
1805 }
1807 int
1810 {
1830 }
1833 err:
1837 }
1839 /* Takes the Jacobian coordinates (X, Y, Z) of a point and returns
1840 * (X', Y') = (X/Z^2, Y/Z^3) */
1841 int
1844 {
1847 longfelem tmp;
1852 }
1866 }
1867 }
1877 }
1878 }
1880 }
1882 static void
1883 make_points_affine(size_t num, smallfelem points[ /* num */ ][3], smallfelem tmp_smallfelems[ /* num+1 */ ])
1884 {
1885 /*
1886 * Runs in constant time, unless an input is the point at infinity
1887 * (which normally shouldn't happen).
1888 */
1890 num,
1891 points,
1893 tmp_smallfelems,
1901 }
1903 /* Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL values
1904 * Result is stored in r (r can equal one of the inputs). */
1905 int
1909 {
1915 felem_bytearray g_secret;
1919 felem_bytearray tmp;
1944 nistp256_pre_comp_clear_free);
1946 /* we have precomputation, try to use it */
1948 else
1949 /* try to use the standard precomputation */
1954 /* get the generator from precomputation */
1960 }
1965 /* precomputation matches generator */
1967 else
1968 /*
1969 * we don't have valid precomputation: treat the
1970 * generator as a random point
1971 */
1972 num_points++;
1973 }
1976 /*
1977 * unless we precompute multiples for just one or two
1978 * points, converting those into affine form is time
1979 * well spent
1980 */
1982 }
1986 /* XXX should do more int overflow checking */
1989 }
1993 }
1994 /*
1995 * we treat NULL scalars as 0, and NULL points as points at
1996 * infinity, i.e., they contribute nothing to the linear
1997 * combination
1998 */
2001 /*
2002 * we didn't have a valid precomputation, so
2003 * we pick the generator
2004 */
2005 {
2009 /* the i^th point */
2010 {
2013 }
2015 /* reduce scalar to 0 <= scalar < 2^256 */
2017 /*
2018 * this is an unusual input, and we
2019 * don't guarantee constant-timeness
2020 */
2024 }
2029 /* precompute multiples */
2047 }
2048 }
2049 }
2050 }
2053 }
2054 /* the scalar for the generator */
2057 /* reduce scalar to 0 <= scalar < 2^256 */
2059 /*
2060 * this is an unusual input, and we don't guarantee
2061 * constant-timeness
2062 */
2066 }
2071 /* do the multiplication with generator precomputation */
2074 g_secret,
2076 g_pre_comp);
2078 /* do the multiplication without generator precomputation */
2082 /* reduce the output to its unique minimal representation */
2090 }
2093 err:
2101 }
2103 int
2105 {
2115 /* throw away old precomputation */
2125 /* get the generator */
2137 /* if the generator is the standard one, use built-in precomputation */
2142 }
2150 /*
2151 * compute 2^64*G, 2^128*G, 2^192*G for the first table, 2^32*G,
2152 * 2^96*G, 2^160*G, 2^224*G for the second one
2153 */
2162 }
2172 }
2173 }
2175 /* g_pre_comp[i][0] is the point at infinity */
2177 /* the remaining multiples */
2178 /* 2^64*G + 2^128*G resp. 2^96*G + 2^160*G */
2183 /* 2^64*G + 2^192*G resp. 2^96*G + 2^224*G */
2188 /* 2^128*G + 2^192*G resp. 2^160*G + 2^224*G */
2193 /*
2194 * 2^64*G + 2^128*G + 2^192*G resp. 2^96*G + 2^160*G +
2195 * 2^224*G
2196 */
2202 /* odd multiples: add G resp. 2^32*G */
2204 pre->g_pre_comp[i][2 * j + 1][0], pre->g_pre_comp[i][2 * j + 1][1], pre->g_pre_comp[i][2 * j + 1][2],
2207 }
2208 }
2216 err:
2222 }
2224 int
2226 {
2231 else
2233 }
2234 #endif