mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-03-01 19:28:10 +08:00
Code Issues Packages Projects Releases Wiki Activity

Remove some vestiges of the old decaf template approach

Browse Source 
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
This commit is contained in:
Matt Caswell 2017-11-16 16:58:20 +00:00
parent e777257746
commit 88ba7e71e0
2 changed files with 89 additions and 102 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
crypto/ec/curve448/decaf.c
View File

@ -19,13 +19,6 @@
#include "ed448.h"
#include "curve448_lcl.h"
/* Template stuff */
#define SCALAR_BITS DECAF_448_SCALAR_BITS
#define SCALAR_SER_BYTES DECAF_448_SCALAR_BYTES
#define SCALAR_LIMBS DECAF_448_SCALAR_LIMBS
#define scalar_t curve448_scalar_t
#define point_t curve448_point_t
#define precomputed_s curve448_precomputed_s
#define COFACTOR 4
/* Comb config: number of combs, n, t, s. */
@ -37,7 +30,7 @@
#define DECAF_WNAF_VAR_TABLE_BITS 3
static const int EDWARDS_D = -39081;
static const scalar_t precomputed_scalarmul_adjustment = {{{
static const curve448_scalar_t precomputed_scalarmul_adjustment = {{{
SC_LIMB(0xc873d6d54a7bb0cf), SC_LIMB(0xe933d8d723a70aad), SC_LIMB(0xbb124b65129c96fd), SC_LIMB(0x00000008335dc163)
}}};
@ -63,11 +56,11 @@ typedef struct { gf a, b, c; } niels_s, niels_t[1];
typedef struct { niels_t n; gf z; } VECTOR_ALIGNED pniels_s, pniels_t[1];
/* Precomputed base */
struct precomputed_s { niels_t table [COMBS_N<<(COMBS_T-1)]; };
struct curve448_precomputed_s { niels_t table [COMBS_N<<(COMBS_T-1)]; };
extern const gf curve448_precomputed_base_as_fe[];
const precomputed_s *curve448_precomputed_base =
(const precomputed_s *) &curve448_precomputed_base_as_fe;
const curve448_precomputed_s *curve448_precomputed_base =
(const curve448_precomputed_s *) &curve448_precomputed_base_as_fe;
/** Inverse. */
static void
@ -83,12 +76,12 @@ gf_invert(gf y, const gf x, int assert_nonzero) {
}
/** identity = (0,1) */
const point_t curve448_point_identity = {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}};
const curve448_point_t curve448_point_identity = {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}};
static DECAF_NOINLINE void
point_double_internal (
point_t p,
const point_t q,
curve448_point_t p,
const curve448_point_t q,
int before_double
) {
gf a, b, c, d;
@ -109,7 +102,7 @@ point_double_internal (
if (!before_double) gf_mul ( p->t, b, d );
}
void curve448_point_double(point_t p, const point_t q) {
void curve448_point_double(curve448_point_t p, const curve448_point_t q) {
point_double_internal(p,q,0);
}
@ -125,7 +118,7 @@ cond_neg_niels (
static DECAF_NOINLINE void pt_to_pniels (
pniels_t b,
const point_t a
const curve448_point_t a
) {
gf_sub ( b->n->a, a->y, a->x );
gf_add ( b->n->b, a->x, a->y );
@ -134,7 +127,7 @@ static DECAF_NOINLINE void pt_to_pniels (
}
static DECAF_NOINLINE void pniels_to_pt (
point_t e,
curve448_point_t e,
const pniels_t d
) {
gf eu;
@ -148,7 +141,7 @@ static DECAF_NOINLINE void pniels_to_pt (
static DECAF_NOINLINE void
niels_to_pt (
point_t e,
curve448_point_t e,
const niels_t n
) {
gf_add ( e->y, n->b, n->a );
@ -159,7 +152,7 @@ niels_to_pt (
static DECAF_NOINLINE void
add_niels_to_pt (
point_t d,
curve448_point_t d,
const niels_t e,
int before_double
) {
@ -181,7 +174,7 @@ add_niels_to_pt (
static DECAF_NOINLINE void
sub_niels_from_pt (
point_t d,
curve448_point_t d,
const niels_t e,
int before_double
) {
@ -203,7 +196,7 @@ sub_niels_from_pt (
static void
add_pniels_to_pt (
point_t p,
curve448_point_t p,
const pniels_t pn,
int before_double
) {
@ -215,7 +208,7 @@ add_pniels_to_pt (
static void
sub_pniels_from_pt (
point_t p,
curve448_point_t p,
const pniels_t pn,
int before_double
) {
@ -225,7 +218,7 @@ sub_pniels_from_pt (
sub_niels_from_pt( p, pn->n, before_double );
}
decaf_bool_t curve448_point_eq ( const point_t p, const point_t q ) {
decaf_bool_t curve448_point_eq ( const curve448_point_t p, const curve448_point_t q ) {
/* equality mod 2-torsion compares x/y */
gf a, b;
gf_mul ( a, p->y, q->x );
@ -236,7 +229,7 @@ decaf_bool_t curve448_point_eq ( const point_t p, const point_t q ) {
}
decaf_bool_t curve448_point_valid (
const point_t p
const curve448_point_t p
) {
gf a,b,c;
gf_mul(a,p->x,p->y);
@ -265,15 +258,15 @@ constant_time_lookup_niels (
}
void curve448_precomputed_scalarmul (
point_t out,
const precomputed_s *table,
const scalar_t scalar
curve448_point_t out,
const curve448_precomputed_s *table,
const curve448_scalar_t scalar
) {
int i;
unsigned j,k;
const unsigned int n = COMBS_N, t = COMBS_T, s = COMBS_S;
scalar_t scalar1x;
curve448_scalar_t scalar1x;
curve448_scalar_add(scalar1x, scalar, precomputed_scalarmul_adjustment);
curve448_scalar_halve(scalar1x,scalar1x);
@ -287,7 +280,7 @@ void curve448_precomputed_scalarmul (
for (k=0; k<t; k++) {
unsigned int bit = i + s*(k + j*t);
if (bit < SCALAR_BITS) {
if (bit < DECAF_448_SCALAR_BITS) {
tab |= (scalar1x->limb[bit/WBITS] >> (bit%WBITS) & 1) << k;
}
}
@ -313,12 +306,12 @@ void curve448_precomputed_scalarmul (
void curve448_point_mul_by_ratio_and_encode_like_eddsa (
uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES],
const point_t p
const curve448_point_t p
) {
/* The point is now on the twisted curve. Move it to untwisted. */
gf x, y, z, t;
point_t q;
curve448_point_t q;
curve448_point_copy(q,p);
{
@ -359,7 +352,7 @@ void curve448_point_mul_by_ratio_and_encode_like_eddsa (
decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio (
point_t p,
curve448_point_t p,
const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]
) {
uint8_t enc2[DECAF_EDDSA_448_PUBLIC_BYTES];
@ -515,9 +508,9 @@ void decaf_ed448_convert_public_key_to_x448 (
void curve448_point_mul_by_ratio_and_encode_like_x448 (
uint8_t out[X_PUBLIC_BYTES],
const point_t p
const curve448_point_t p
) {
point_t q;
curve448_point_t q;
curve448_point_copy(q,p);
gf_invert(q->t,q->x,0); /* 1/x */
gf_mul(q->z,q->t,q->y); /* y/x */
@ -538,14 +531,14 @@ void decaf_x448_derive_public_key (
scalar2[X_PRIVATE_BYTES-1] &= ~(-1u<<((X_PRIVATE_BITS+7)%8));
scalar2[X_PRIVATE_BYTES-1] |= 1<<((X_PRIVATE_BITS+7)%8);
scalar_t the_scalar;
curve448_scalar_t the_scalar;
curve448_scalar_decode_long(the_scalar,scalar2,sizeof(scalar2));
/* Compensate for the encoding ratio */
for (unsigned i=1; i<DECAF_X448_ENCODE_RATIO; i<<=1) {
curve448_scalar_halve(the_scalar,the_scalar);
}
point_t p;
curve448_point_t p;
curve448_precomputed_scalarmul(p,curve448_precomputed_base,the_scalar);
curve448_point_mul_by_ratio_and_encode_like_x448(out,p);
curve448_point_destroy(p);
@ -561,10 +554,10 @@ struct smvt_control {
static int recode_wnaf (
struct smvt_control *control, /* [nbits/(table_bits+1) + 3] */
const scalar_t scalar,
const curve448_scalar_t scalar,
unsigned int table_bits
) {
unsigned int table_size = SCALAR_BITS/(table_bits+1) + 3;
unsigned int table_size = DECAF_448_SCALAR_BITS/(table_bits+1) + 3;
int position = table_size - 1; /* at the end */
/* place the end marker */
@ -582,8 +575,8 @@ static int recode_wnaf (
unsigned int w;
const unsigned int B_OVER_16 = sizeof(scalar->limb[0]) / 2;
for (w = 1; w<(SCALAR_BITS-1)/16+3; w++) {
if (w < (SCALAR_BITS-1)/16+1) {
for (w = 1; w<(DECAF_448_SCALAR_BITS-1)/16+3; w++) {
if (w < (DECAF_448_SCALAR_BITS-1)/16+1) {
/* Refill the 16 high bits of current */
current += (uint32_t)((scalar->limb[w/B_OVER_16]>>(16*(w%B_OVER_16)))<<16);
}
@ -614,10 +607,10 @@ static int recode_wnaf (
static void
prepare_wnaf_table(
pniels_t *output,
const point_t working,
const curve448_point_t working,
unsigned int tbits
) {
point_t tmp;
curve448_point_t tmp;
int i;
pt_to_pniels(output[0], working);
@ -643,15 +636,15 @@ extern const gf curve448_precomputed_wnaf_as_fe[];
static const niels_t *curve448_wnaf_base = (const niels_t *)curve448_precomputed_wnaf_as_fe;
void curve448_base_double_scalarmul_non_secret (
point_t combo,
const scalar_t scalar1,
const point_t base2,
const scalar_t scalar2
curve448_point_t combo,
const curve448_scalar_t scalar1,
const curve448_point_t base2,
const curve448_scalar_t scalar2
) {
const int table_bits_var = DECAF_WNAF_VAR_TABLE_BITS,
table_bits_pre = DECAF_WNAF_FIXED_TABLE_BITS;
struct smvt_control control_var[SCALAR_BITS/(table_bits_var+1)+3];
struct smvt_control control_pre[SCALAR_BITS/(table_bits_pre+1)+3];
struct smvt_control control_var[DECAF_448_SCALAR_BITS/(table_bits_var+1)+3];
struct smvt_control control_pre[DECAF_448_SCALAR_BITS/(table_bits_pre+1)+3];
int ncb_pre = recode_wnaf(control_pre, scalar1, table_bits_pre);
int ncb_var = recode_wnaf(control_var, scalar2, table_bits_var);
@ -714,9 +707,9 @@ void curve448_base_double_scalarmul_non_secret (
}
void curve448_point_destroy (
point_t point
curve448_point_t point
) {
OPENSSL_cleanse(point, sizeof(point_t));
OPENSSL_cleanse(point, sizeof(curve448_point_t));
}
int X448(uint8_t out_shared_key[56], const uint8_t private_key[56],

98
crypto/ec/curve448/scalar.c
View File

@ -17,14 +17,8 @@
#include "constant_time.h"
#include "point_448.h"
/* Template stuff */
#define SCALAR_BITS DECAF_448_SCALAR_BITS
#define SCALAR_SER_BYTES DECAF_448_SCALAR_BYTES
#define SCALAR_LIMBS DECAF_448_SCALAR_LIMBS
#define scalar_t curve448_scalar_t
static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)0x3bd440fae918bc5ull;
static const scalar_t sc_p = {{{
static const curve448_scalar_t sc_p = {{{
SC_LIMB(0x2378c292ab5844f3), SC_LIMB(0x216cc2728dc58f55), SC_LIMB(0xc44edb49aed63690), SC_LIMB(0xffffffff7cca23e9), SC_LIMB(0xffffffffffffffff), SC_LIMB(0xffffffffffffffff), SC_LIMB(0x3fffffffffffffff)
}}}, sc_r2 = {{{
SC_LIMB(0xe3539257049b9b60), SC_LIMB(0x7af32c4bc1b195d9), SC_LIMB(0x0d66de2388ea1859), SC_LIMB(0xae17cf725ee4d838), SC_LIMB(0x1a9cc14ba3c47c44), SC_LIMB(0x2052bcb7e4d070af), SC_LIMB(0x3402a939f823b729)
@ -33,21 +27,21 @@ static const scalar_t sc_p = {{{
#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */
const scalar_t curve448_scalar_one = {{{1}}}, curve448_scalar_zero = {{{0}}};
const curve448_scalar_t curve448_scalar_one = {{{1}}}, curve448_scalar_zero = {{{0}}};
/** {extra,accum} - sub +? p
* Must have extra <= 1
*/
static DECAF_NOINLINE void sc_subx(
scalar_t out,
const decaf_word_t accum[SCALAR_LIMBS],
const scalar_t sub,
const scalar_t p,
curve448_scalar_t out,
const decaf_word_t accum[DECAF_448_SCALAR_LIMBS],
const curve448_scalar_t sub,
const curve448_scalar_t p,
decaf_word_t extra
) {
decaf_dsword_t chain = 0;
unsigned int i;
for (i=0; i<SCALAR_LIMBS; i++) {
for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
chain = (chain + accum[i]) - sub->limb[i];
out->limb[i] = chain;
chain >>= WBITS;
@ -55,7 +49,7 @@ static DECAF_NOINLINE void sc_subx(
decaf_word_t borrow = chain+extra; /* = 0 or -1 */
chain = 0;
for (i=0; i<SCALAR_LIMBS; i++) {
for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
chain = (chain + out->limb[i]) + (p->limb[i] & borrow);
out->limb[i] = chain;
chain >>= WBITS;
@ -63,20 +57,20 @@ static DECAF_NOINLINE void sc_subx(
}
static DECAF_NOINLINE void sc_montmul (
scalar_t out,
const scalar_t a,
const scalar_t b
curve448_scalar_t out,
const curve448_scalar_t a,
const curve448_scalar_t b
) {
unsigned int i,j;
decaf_word_t accum[SCALAR_LIMBS+1] = {0};
decaf_word_t accum[DECAF_448_SCALAR_LIMBS+1] = {0};
decaf_word_t hi_carry = 0;
for (i=0; i<SCALAR_LIMBS; i++) {
for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
decaf_word_t mand = a->limb[i];
const decaf_word_t *mier = b->limb;
decaf_dword_t chain = 0;
for (j=0; j<SCALAR_LIMBS; j++) {
for (j=0; j<DECAF_448_SCALAR_LIMBS; j++) {
chain += ((decaf_dword_t)mand)*mier[j] + accum[j];
accum[j] = chain;
chain >>= WBITS;
@ -86,7 +80,7 @@ static DECAF_NOINLINE void sc_montmul (
mand = accum[0] * MONTGOMERY_FACTOR;
chain = 0;
mier = sc_p->limb;
for (j=0; j<SCALAR_LIMBS; j++) {
for (j=0; j<DECAF_448_SCALAR_LIMBS; j++) {
chain += (decaf_dword_t)mand*mier[j] + accum[j];
if (j) accum[j-1] = chain;
chain >>= WBITS;
@ -101,30 +95,30 @@ static DECAF_NOINLINE void sc_montmul (
}
void curve448_scalar_mul (
scalar_t out,
const scalar_t a,
const scalar_t b
curve448_scalar_t out,
const curve448_scalar_t a,
const curve448_scalar_t b
) {
sc_montmul(out,a,b);
sc_montmul(out,out,sc_r2);
}
void curve448_scalar_sub (
scalar_t out,
const scalar_t a,
const scalar_t b
curve448_scalar_t out,
const curve448_scalar_t a,
const curve448_scalar_t b
) {
sc_subx(out, a->limb, b, sc_p, 0);
}
void curve448_scalar_add (
scalar_t out,
const scalar_t a,
const scalar_t b
curve448_scalar_t out,
const curve448_scalar_t a,
const curve448_scalar_t b
) {
decaf_dword_t chain = 0;
unsigned int i;
for (i=0; i<SCALAR_LIMBS; i++) {
for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
chain = (chain + a->limb[i]) + b->limb[i];
out->limb[i] = chain;
chain >>= WBITS;
@ -133,12 +127,12 @@ void curve448_scalar_add (
}
static DECAF_INLINE void scalar_decode_short (
scalar_t s,
curve448_scalar_t s,
const unsigned char *ser,
unsigned int nbytes
) {
unsigned int i,j,k=0;
for (i=0; i<SCALAR_LIMBS; i++) {
for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
decaf_word_t out = 0;
for (j=0; j<sizeof(decaf_word_t) && k<nbytes; j++,k++) {
out |= ((decaf_word_t)ser[k])<<(8*j);
@ -148,13 +142,13 @@ static DECAF_INLINE void scalar_decode_short (
}
decaf_error_t curve448_scalar_decode(
scalar_t s,
const unsigned char ser[SCALAR_SER_BYTES]
curve448_scalar_t s,
const unsigned char ser[DECAF_448_SCALAR_BYTES]
) {
unsigned int i;
scalar_decode_short(s, ser, SCALAR_SER_BYTES);
scalar_decode_short(s, ser, DECAF_448_SCALAR_BYTES);
decaf_dsword_t accum = 0;
for (i=0; i<SCALAR_LIMBS; i++) {
for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS;
}
/* Here accum == 0 or -1 */
@ -165,13 +159,13 @@ decaf_error_t curve448_scalar_decode(
}
void curve448_scalar_destroy (
scalar_t scalar
curve448_scalar_t scalar
) {
OPENSSL_cleanse(scalar, sizeof(scalar_t));
OPENSSL_cleanse(scalar, sizeof(curve448_scalar_t));
}
void curve448_scalar_decode_long(
scalar_t s,
curve448_scalar_t s,
const unsigned char *ser,
size_t ser_len
) {
@ -181,14 +175,14 @@ void curve448_scalar_decode_long(
}
size_t i;
scalar_t t1, t2;
curve448_scalar_t t1, t2;
i = ser_len - (ser_len%SCALAR_SER_BYTES);
if (i==ser_len) i -= SCALAR_SER_BYTES;
i = ser_len - (ser_len%DECAF_448_SCALAR_BYTES);
if (i==ser_len) i -= DECAF_448_SCALAR_BYTES;
scalar_decode_short(t1, &ser[i], ser_len-i);
if (ser_len == sizeof(scalar_t)) {
if (ser_len == sizeof(curve448_scalar_t)) {
assert(i==0);
/* ham-handed reduce */
curve448_scalar_mul(s,t1,curve448_scalar_one);
@ -197,7 +191,7 @@ void curve448_scalar_decode_long(
}
while (i) {
i -= SCALAR_SER_BYTES;
i -= DECAF_448_SCALAR_BYTES;
sc_montmul(t1,t1,sc_r2);
ignore_result( curve448_scalar_decode(t2, ser+i) );
curve448_scalar_add(t1, t1, t2);
@ -209,11 +203,11 @@ void curve448_scalar_decode_long(
}
void curve448_scalar_encode(
unsigned char ser[SCALAR_SER_BYTES],
const scalar_t s
unsigned char ser[DECAF_448_SCALAR_BYTES],
const curve448_scalar_t s
) {
unsigned int i,j,k=0;
for (i=0; i<SCALAR_LIMBS; i++) {
for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
for (j=0; j<sizeof(decaf_word_t); j++,k++) {
ser[k] = s->limb[i] >> (8*j);
}
@ -221,18 +215,18 @@ void curve448_scalar_encode(
}
void curve448_scalar_halve (
scalar_t out,
const scalar_t a
curve448_scalar_t out,
const curve448_scalar_t a
) {
decaf_word_t mask = -(a->limb[0] & 1);
decaf_dword_t chain = 0;
unsigned int i;
for (i=0; i<SCALAR_LIMBS; i++) {
for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
chain = (chain + a->limb[i]) + (sc_p->limb[i] & mask);
out->limb[i] = chain;
chain >>= DECAF_WORD_BITS;
}
for (i=0; i<SCALAR_LIMBS-1; i++) {
for (i=0; i<DECAF_448_SCALAR_LIMBS-1; i++) {
out->limb[i] = out->limb[i]>>1 | out->limb[i+1]<<(WBITS-1);
}
out->limb[i] = out->limb[i]>>1 | chain<<(WBITS-1);