]>
Commit | Line | Data |
---|---|---|
35b73a1f | 1 | /* |
1212818e | 2 | * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. |
aa8f3d76 | 3 | * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved |
65e81670 | 4 | * |
4f22f405 RS |
5 | * Licensed under the OpenSSL license (the "License"). You may not use |
6 | * this file except in compliance with the License. You can obtain a copy | |
7 | * in the file LICENSE in the source distribution or at | |
8 | * https://www.openssl.org/source/license.html | |
65e81670 | 9 | */ |
4f22f405 | 10 | |
5c6bf031 | 11 | #include <openssl/err.h> |
b5acbf91 | 12 | #include "ec_local.h" |
0657bf9c | 13 | |
0f113f3e MC |
14 | EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, |
15 | const BIGNUM *b, BN_CTX *ctx) | |
16 | { | |
17 | const EC_METHOD *meth; | |
18 | EC_GROUP *ret; | |
5c6bf031 | 19 | |
62f29eb1 | 20 | #if defined(OPENSSL_BN_ASM_MONT) |
0f113f3e MC |
21 | /* |
22 | * This might appear controversial, but the fact is that generic | |
23 | * prime method was observed to deliver better performance even | |
24 | * for NIST primes on a range of platforms, e.g.: 60%-15% | |
25 | * improvement on IA-64, ~25% on ARM, 30%-90% on P4, 20%-25% | |
26 | * in 32-bit build and 35%--12% in 64-bit build on Core2... | |
27 | * Coefficients are relative to optimized bn_nist.c for most | |
28 | * intensive ECDSA verify and ECDH operations for 192- and 521- | |
29 | * bit keys respectively. Choice of these boundary values is | |
30 | * arguable, because the dependency of improvement coefficient | |
31 | * from key length is not a "monotone" curve. For example while | |
32 | * 571-bit result is 23% on ARM, 384-bit one is -1%. But it's | |
33 | * generally faster, sometimes "respectfully" faster, sometimes | |
34 | * "tolerably" slower... What effectively happens is that loop | |
35 | * with bn_mul_add_words is put against bn_mul_mont, and the | |
36 | * latter "wins" on short vectors. Correct solution should be | |
37 | * implementing dedicated NxN multiplication subroutines for | |
38 | * small N. But till it materializes, let's stick to generic | |
39 | * prime method... | |
40 | * <appro> | |
41 | */ | |
42 | meth = EC_GFp_mont_method(); | |
fdf6dac8 | 43 | #else |
0f113f3e MC |
44 | if (BN_nist_mod_func(p)) |
45 | meth = EC_GFp_nist_method(); | |
46 | else | |
47 | meth = EC_GFp_mont_method(); | |
fdf6dac8 | 48 | #endif |
0657bf9c | 49 | |
0f113f3e MC |
50 | ret = EC_GROUP_new(meth); |
51 | if (ret == NULL) | |
52 | return NULL; | |
0657bf9c | 53 | |
9cc570d4 | 54 | if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) { |
0f113f3e MC |
55 | EC_GROUP_clear_free(ret); |
56 | return NULL; | |
57 | } | |
58 | ||
59 | return ret; | |
60 | } | |
7793f30e | 61 | |
b3310161 | 62 | #ifndef OPENSSL_NO_EC2M |
0f113f3e MC |
63 | EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, |
64 | const BIGNUM *b, BN_CTX *ctx) | |
65 | { | |
66 | const EC_METHOD *meth; | |
67 | EC_GROUP *ret; | |
68 | ||
69 | meth = EC_GF2m_simple_method(); | |
70 | ||
71 | ret = EC_GROUP_new(meth); | |
72 | if (ret == NULL) | |
73 | return NULL; | |
7793f30e | 74 | |
9cc570d4 | 75 | if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) { |
0f113f3e MC |
76 | EC_GROUP_clear_free(ret); |
77 | return NULL; | |
78 | } | |
7793f30e | 79 | |
0f113f3e MC |
80 | return ret; |
81 | } | |
b3310161 | 82 | #endif |