[thirdparty/openssl.git] / crypto / ec / ec_cvt.c

/*
 * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/err.h>
#include "crypto/bn.h"
#include "ec_lcl.h"

EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a,
                                 const BIGNUM *b, BN_CTX *ctx)
{
    const EC_METHOD *meth;
    EC_GROUP *ret;

#if defined(OPENSSL_BN_ASM_MONT)
    /*
     * This might appear controversial, but the fact is that generic
     * prime method was observed to deliver better performance even
     * for NIST primes on a range of platforms, e.g.: 60%-15%
     * improvement on IA-64, ~25% on ARM, 30%-90% on P4, 20%-25%
     * in 32-bit build and 35%--12% in 64-bit build on Core2...
     * Coefficients are relative to optimized bn_nist.c for most
     * intensive ECDSA verify and ECDH operations for 192- and 521-
     * bit keys respectively. Choice of these boundary values is
     * arguable, because the dependency of improvement coefficient
     * from key length is not a "monotone" curve. For example while
     * 571-bit result is 23% on ARM, 384-bit one is -1%. But it's
     * generally faster, sometimes "respectfully" faster, sometimes
     * "tolerably" slower... What effectively happens is that loop
     * with bn_mul_add_words is put against bn_mul_mont, and the
     * latter "wins" on short vectors. Correct solution should be
     * implementing dedicated NxN multiplication subroutines for
     * small N. But till it materializes, let's stick to generic
     * prime method...
     *                                              <appro>
     */
    meth = EC_GFp_mont_method();
#else
    if (BN_nist_mod_func(p))
        meth = EC_GFp_nist_method();
    else
        meth = EC_GFp_mont_method();
#endif

    ret = EC_GROUP_new_ex(bn_get_lib_ctx(ctx), meth);
    if (ret == NULL)
        return NULL;

    if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
        EC_GROUP_clear_free(ret);
        return NULL;
    }

    return ret;
}

#ifndef OPENSSL_NO_EC2M
EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a,
                                  const BIGNUM *b, BN_CTX *ctx)
{
    const EC_METHOD *meth;
    EC_GROUP *ret;

    meth = EC_GF2m_simple_method();

    ret = EC_GROUP_new_ex(bn_get_lib_ctx(ctx), meth);
    if (ret == NULL)
        return NULL;

    if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
        EC_GROUP_clear_free(ret);
        return NULL;
    }

    return ret;
}
#endif
Commit	Line	Data
35b73a1f	1	/*
1212818e	2	* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
aa8f3d76	3	* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
65e81670	4	*
a7f182b7	5	* Licensed under the Apache License 2.0 (the "License"). You may not use
4f22f405 RS	6	* this file except in compliance with the License. You can obtain a copy
	7	* in the file LICENSE in the source distribution or at
	8	* https://www.openssl.org/source/license.html
65e81670	9	*/
4f22f405	10
5c6bf031	11	#include <openssl/err.h>
25f2138b	12	#include "crypto/bn.h"
65e81670	13	#include "ec_lcl.h"
0657bf9c	14
0f113f3e MC	15	EC_GROUP EC_GROUP_new_curve_GFp(const BIGNUM p, const BIGNUM *a,
	16	const BIGNUM b, BN_CTX ctx)
	17	{
	18	const EC_METHOD *meth;
	19	EC_GROUP *ret;
5c6bf031	20
62f29eb1	21	#if defined(OPENSSL_BN_ASM_MONT)
0f113f3e MC	22	/*
	23	* This might appear controversial, but the fact is that generic
	24	* prime method was observed to deliver better performance even
	25	* for NIST primes on a range of platforms, e.g.: 60%-15%
	26	* improvement on IA-64, ~25% on ARM, 30%-90% on P4, 20%-25%
	27	* in 32-bit build and 35%--12% in 64-bit build on Core2...
	28	* Coefficients are relative to optimized bn_nist.c for most
	29	* intensive ECDSA verify and ECDH operations for 192- and 521-
	30	* bit keys respectively. Choice of these boundary values is
	31	* arguable, because the dependency of improvement coefficient
	32	* from key length is not a "monotone" curve. For example while
	33	* 571-bit result is 23% on ARM, 384-bit one is -1%. But it's
	34	* generally faster, sometimes "respectfully" faster, sometimes
	35	* "tolerably" slower... What effectively happens is that loop
	36	* with bn_mul_add_words is put against bn_mul_mont, and the
	37	* latter "wins" on short vectors. Correct solution should be
	38	* implementing dedicated NxN multiplication subroutines for
	39	* small N. But till it materializes, let's stick to generic
	40	* prime method...
	41	* <appro>
	42	*/
	43	meth = EC_GFp_mont_method();
fdf6dac8	44	#else
0f113f3e MC	45	if (BN_nist_mod_func(p))
	46	meth = EC_GFp_nist_method();
	47	else
	48	meth = EC_GFp_mont_method();
fdf6dac8	49	#endif
0657bf9c	50
a9612d6c	51	ret = EC_GROUP_new_ex(bn_get_lib_ctx(ctx), meth);
0f113f3e MC	52	if (ret == NULL)
0f113f3e MC	53	return NULL;
0657bf9c	54
9cc570d4	55	if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
0f113f3e MC	56	EC_GROUP_clear_free(ret);
	57	return NULL;
	58	}
	59
	60	return ret;
	61	}
7793f30e	62
b3310161	63	#ifndef OPENSSL_NO_EC2M
0f113f3e MC	64	EC_GROUP EC_GROUP_new_curve_GF2m(const BIGNUM p, const BIGNUM *a,
	65	const BIGNUM b, BN_CTX ctx)
	66	{
	67	const EC_METHOD *meth;
	68	EC_GROUP *ret;
	69
	70	meth = EC_GF2m_simple_method();
	71
a9612d6c	72	ret = EC_GROUP_new_ex(bn_get_lib_ctx(ctx), meth);
0f113f3e MC	73	if (ret == NULL)
0f113f3e MC	74	return NULL;
7793f30e	75
9cc570d4	76	if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
0f113f3e MC	77	EC_GROUP_clear_free(ret);
	78	return NULL;
	79	}
7793f30e	80
0f113f3e MC	81	return ret;
0f113f3e MC	82	}
b3310161	83	#endif