+2020-10-28 Niels Möller <nisse@lysator.liu.se>
+
+ * gmp-glue.h (cnd_add_n, cnd_sub_n, cnd_swap): Deleted, use
+ corresponding functions mpn_cnd_add_n, mpn_cnd_sub_n,
+ mpn_cnd_swap, available from GMP version 6.1.0. Update all
+ callers, in particular, mpn_cnd_add_n and mpn_cnd_sub_n has one
+ more argument than the old functions.
+
+ * gmp-glue.c (mpn_cnd_add_n, mpn_cnd_sub_n, mpn_cnd_swap)
+ [NETTLE_USE_MINI_GMP]: Fallback definitions or mini-gmp builds.
+
2020-10-14 Niels Möller <nisse@lysator.liu.se>
* ecc-mod-arith.c (ecc_mod_pow_2k, ecc_mod_pow_2k_mul): Moved
rp[n + ECC_LIMB_SIZE]);
/* Top limb of mBmodq_shifted is zero, so we get cy == 0 or 1 */
assert (cy < 2);
- cnd_add_n (cy, rp+n, q->m, ECC_LIMB_SIZE);
+ mpn_cnd_add_n (cy, rp+n, rp+n, q->m, ECC_LIMB_SIZE);
}
cy = mpn_submul_1 (rp, q->m, ECC_LIMB_SIZE,
rp[ECC_LIMB_SIZE-1] >> (GMP_NUMB_BITS - QHIGH_BITS));
assert (cy < 2);
- cnd_add_n (cy, rp, q->m, ECC_LIMB_SIZE);
+ mpn_cnd_add_n (cy, rp, rp, q->m, ECC_LIMB_SIZE);
}
/* Computes a^{(p-5)/8} = a^{2^{252}-3} mod m. Needs 5 * n scratch
+ sec_add_1 (xp, xp, ECC_LIMB_SIZE - 1, 19 * (hi >> (GMP_NUMB_BITS - PHIGH_BITS)));
#endif
cy = mpn_sub_n (xp, xp, p->m, ECC_LIMB_SIZE);
- cnd_add_n (cy, xp, p->m, ECC_LIMB_SIZE);
+ mpn_cnd_add_n (cy, xp, xp, p->m, ECC_LIMB_SIZE);
for (i = 0, w = 0; i < ECC_LIMB_SIZE; i++)
w |= xp[i];
tp[4] = c4 + (c7 >> 32) + (tp[3] < c3);
tp[5] = tp[6] = 0;
c7 = mpn_add_n (rp, rp, tp, 7);
- c7 = cnd_add_n (c7, rp, m->B, 7);
+ c7 = mpn_cnd_add_n (c7, rp, rp, m->B, 7);
assert (c7 == 0);
}
#else
mp_limb_t w;
mp_size_t i;
cy = mpn_sub_n (xp, xp, p->m, ECC_LIMB_SIZE);
- cnd_add_n (cy, xp, p->m, ECC_LIMB_SIZE);
+ mpn_cnd_add_n (cy, xp, xp, p->m, ECC_LIMB_SIZE);
for (i = 0, w = 0; i < ECC_LIMB_SIZE; i++)
w |= xp[i];
{
mp_limb_t cy;
cy = mpn_add_n (rp, ap, bp, m->size);
- cy = cnd_add_n (cy, rp, m->B, m->size);
- cy = cnd_add_n (cy, rp, m->B, m->size);
+ cy = mpn_cnd_add_n (cy, rp, rp, m->B, m->size);
+ cy = mpn_cnd_add_n (cy, rp, rp, m->B, m->size);
assert (cy == 0);
}
{
mp_limb_t cy;
cy = mpn_sub_n (rp, ap, bp, m->size);
- cy = cnd_sub_n (cy, rp, m->B, m->size);
- cy = cnd_sub_n (cy, rp, m->B, m->size);
+ cy = mpn_cnd_sub_n (cy, rp, rp, m->B, m->size);
+ cy = mpn_cnd_sub_n (cy, rp, rp, m->B, m->size);
assert (cy == 0);
}
hi = mpn_mul_1 (rp, ap, m->size, b);
hi = mpn_addmul_1 (rp, m->B, m->size, hi);
assert (hi <= 1);
- hi = cnd_add_n (hi, rp, m->B, m->size);
+ hi = mpn_cnd_add_n (hi, rp, rp, m->B, m->size);
/* Sufficient if b < B^size / p */
assert (hi == 0);
}
hi = mpn_addmul_1 (rp, ap, m->size, b);
hi = mpn_addmul_1 (rp, m->B, m->size, hi);
assert (hi <= 1);
- hi = cnd_add_n (hi, rp, m->B, m->size);
+ hi = mpn_cnd_add_n (hi, rp, rp, m->B, m->size);
/* Sufficient roughly if b < B^size / p */
assert (hi == 0);
}
hi = mpn_submul_1 (rp, ap, m->size, b);
hi = mpn_submul_1 (rp, m->B, m->size, hi);
assert (hi <= 1);
- hi = cnd_sub_n (hi, rp, m->B, m->size);
+ hi = mpn_cnd_sub_n (hi, rp, rp, m->B, m->size);
/* Sufficient roughly if b < B^size / p */
assert (hi == 0);
}
assert (bp[0] & 1);
odd = ap[0] & 1;
- swap = cnd_sub_n (odd, ap, bp, n);
- cnd_add_n (swap, bp, ap, n);
+ swap = mpn_cnd_sub_n (odd, ap, ap, bp, n);
+ mpn_cnd_add_n (swap, bp, bp, ap, n);
cnd_neg (swap, ap, ap, n);
- cnd_swap (swap, up, vp, n);
- cy = cnd_sub_n (odd, up, vp, n);
- cy -= cnd_add_n (cy, up, m->m, n);
+ mpn_cnd_swap (swap, up, vp, n);
+ cy = mpn_cnd_sub_n (odd, up, up, vp, n);
+ cy -= mpn_cnd_add_n (cy, up, up, m->m, n);
assert (cy == 0);
cy = mpn_rshift (ap, ap, n, 1);
assert (cy == 0);
cy = mpn_rshift (up, up, n, 1);
- cy = cnd_add_n (cy, up, m->mp1h, n);
+ cy = mpn_cnd_add_n (cy, up, up, m->mp1h, n);
assert (cy == 0);
}
assert ( (ap[0] | ap[n-1]) == 0);
rp[rn+i] = mpn_addmul_1 (rp + rn - mn + i, m->B, bn, rp[rn+i]);
hi = mpn_add_n (rp + rn - sn, rp + rn - sn, rp + rn, sn);
- hi = cnd_add_n (hi, rp + rn - mn, m->B, mn);
+ hi = mpn_cnd_add_n (hi, rp + rn - mn, rp + rn - mn, m->B, mn);
assert (hi == 0);
}
}
}
else
{
- hi = cnd_add_n (hi, rp, m->B_shifted, mn);
+ hi = mpn_cnd_add_n (hi, rp, rp, m->B_shifted, mn);
assert (hi == 0);
}
}
{
int bit = (n[i/8] >> (i & 7)) & 1;
- cnd_swap (bit, x2, x3, 2*m->size);
+ mpn_cnd_swap (bit, x2, x3, 2*m->size);
/* Formulas from RFC 7748. We compute new coordinates in
memory-address order, since mul and sqr clobbers higher
ecc_mod_sqr (m, DA, C);
ecc_mod_mul (m, z3, DA, px);
- /* FIXME: Could be combined with the loop's initial cnd_swap. */
- cnd_swap (bit, x2, x3, 2*m->size);
+ /* FIXME: Could be combined with the loop's initial mpn_cnd_swap. */
+ mpn_cnd_swap (bit, x2, x3, 2*m->size);
}
/* Do the low zero bits, just duplicating x2 */
for (i = 0; i < bit_low; i++)
rp[i] = mpn_submul_1 (rp + i + k,
m->redc_mpm1, m->size - k, rp[i]);
hi = mpn_sub_n (rp, rp + m->size, rp, m->size);
- cy = cnd_add_n (hi, rp, m->m, m->size);
+ cy = mpn_cnd_add_n (hi, rp, rp, m->m, m->size);
assert (cy == hi);
if (shift > 0)
}
else
{
- cy = cnd_sub_n (hi, rp, m->m, m->size);
+ cy = mpn_cnd_sub_n (hi, rp, rp, m->m, m->size);
assert (cy == hi);
}
}
cy = sec_add_1 (rp + 5, rp + 5, 1, cy);
assert (cy <= 1);
- cy = cnd_add_n (cy, rp, ecc_Bmodp, 6);
+ cy = mpn_cnd_add_n (cy, rp, rp, ecc_Bmodp, 6);
assert (cy == 0);
}
#elif GMP_NUMB_BITS == 64
cy += mpn_add_n (rp + 1, rp + 1, rp + 3, 2);
assert (cy <= 1);
- cy = cnd_add_n (cy, rp, ecc_Bmodp, 3);
+ cy = mpn_cnd_add_n (cy, rp, rp, ecc_Bmodp, 3);
assert (cy == 0);
}
shifts rather than mul.
*/
t = mpn_submul_1 (rp + n - 4, p->m, 2, q1);
- t += cnd_sub_n (q2, rp + n - 3, p->m, 1);
+ t += mpn_cnd_sub_n (q2, rp + n - 3, rp + n - 3, p->m, 1);
t += (-q2) & 0xffffffff;
u0 = rp[n-2];
t = (u1 < cy);
u1 -= cy;
- cy = cnd_add_n (t, rp + n - 4, p->m, 2);
+ cy = mpn_cnd_add_n (t, rp + n - 4, rp + n - 4, p->m, 2);
u0 += cy;
u1 += (u0 < cy);
u1 -= (-t) & 0xffffffff;
assert (q2 < 2);
- c0 = cnd_sub_n (q2, rp + n - 3, q->m, 1);
+ c0 = mpn_cnd_sub_n (q2, rp + n - 3, rp + n - 3, q->m, 1);
c0 += (-q2) & q->m[1];
t = mpn_submul_1 (rp + n - 4, q->m, 2, q1);
c0 += t;
u1 += t;
u2 += (t<<32) + (u1 < t);
- t = cnd_add_n (t, rp + n - 4, q->m, 2);
+ t = mpn_cnd_add_n (t, rp + n - 4, rp + n - 4, q->m, 2);
u1 += t;
u2 += (u1 < t);
}
assert (cy >= bw);
cy -= bw;
assert (cy <= 1);
- cy = cnd_add_n (cy, rp, p->B, ECC_LIMB_SIZE);
+ cy = mpn_cnd_add_n (cy, rp, rp, p->B, ECC_LIMB_SIZE);
assert (cy == 0);
}
#elif GMP_NUMB_BITS == 64
cy = sec_add_1 (rp + 5, rp + 5, 1, cy);
assert (cy <= 1);
- cy = cnd_add_n (cy, rp, p->B, ECC_LIMB_SIZE);
+ cy = mpn_cnd_add_n (cy, rp, rp, p->B, ECC_LIMB_SIZE);
assert (cy == 0);
}
#else
hi = mpn_addmul_1 (rp + m->size, m->B, m->size, hi);
assert (hi <= 1);
- hi = cnd_add_n (hi, rp + m->size, m->B, m->size);
+ hi = mpn_cnd_add_n (hi, rp + m->size, rp + m->size, m->B, m->size);
assert (hi == 0);
}
m->mod (m, rp);
cy = mpn_submul_1 (sp, ecc->q.m, ecc->p.size, q);
assert (cy < 2);
- cy -= cnd_add_n (cy, sp, ecc->q.m, ecc->p.size);
+ cy -= mpn_cnd_add_n (cy, sp, sp, ecc->q.m, ecc->p.size);
assert (cy == 0);
mpn_get_base256_le (signature + nbytes, nbytes, sp, ecc->q.size);
#include "gmp-glue.h"
+#if NETTLE_USE_MINI_GMP
+mp_limb_t
+mpn_cnd_add_n (mp_limb_t cnd, mp_limb_t *rp,
+ const mp_limb_t *ap, const mp_limb_t *bp, mp_size_t n)
+{
+ mp_limb_t cy, mask;
+ mp_size_t i;
+
+ mask = -(mp_limb_t) (cnd != 0);
+
+ for (i = 0, cy = 0; i < n; i++)
+ {
+ mp_limb_t rl = ap[i] + cy;
+ mp_limb_t bl = bp[i] & mask;
+ cy = (rl < cy);
+ rl += bl;
+ cy += (rl < bl);
+ rp[i] = rl;
+ }
+ return cy;
+}
+
+mp_limb_t
+mpn_cnd_sub_n (mp_limb_t cnd, mp_limb_t *rp,
+ const mp_limb_t *ap, const mp_limb_t *bp, mp_size_t n)
+{
+ mp_limb_t cy, mask;
+ mp_size_t i;
+
+ mask = -(mp_limb_t) (cnd != 0);
+
+ for (i = 0, cy = 0; i < n; i++)
+ {
+ mp_limb_t al = ap[i];
+ mp_limb_t bl = bp[i] & mask;
+ mp_limb_t sl;
+ sl = al - cy;
+ cy = (al < cy) + (sl < bl);
+ sl -= bl;
+ rp[i] = sl;
+ }
+ return cy;
+}
+
void
-cnd_swap (mp_limb_t cnd, mp_limb_t *ap, mp_limb_t *bp, mp_size_t n)
+mpn_cnd_swap (mp_limb_t cnd, volatile mp_limb_t *ap, volatile mp_limb_t *bp, mp_size_t n)
{
- mp_limb_t mask = - (mp_limb_t) (cnd != 0);
+ volatile mp_limb_t mask = - (mp_limb_t) (cnd != 0);
mp_size_t i;
for (i = 0; i < n; i++)
{
}
}
+#endif /* NETTLE_USE_MINI_GMP */
+
/* Additional convenience functions. */
int
#include "bignum.h"
-#define cnd_swap _nettle_cnd_swap
#define mpz_limbs_cmp _nettle_mpz_limbs_cmp
#define mpz_limbs_read_n _nettle_mpz_limbs_read_n
#define mpz_limbs_copy _nettle_mpz_limbs_copy
} while (0)
#define TMP_GMP_FREE(name) (gmp_free(name, tmp_##name##_size))
+#if NETTLE_USE_MINI_GMP
+mp_limb_t
+mpn_cnd_add_n (mp_limb_t cnd, mp_limb_t *rp,
+ const mp_limb_t *ap, const mp_limb_t *bp, mp_size_t n);
-/* Use only in-place operations, so we can fall back to addmul_1/submul_1 */
-#ifdef mpn_cnd_add_n
-# define cnd_add_n(cnd, rp, ap, n) mpn_cnd_add_n ((cnd), (rp), (rp), (ap), (n))
-# define cnd_sub_n(cnd, rp, ap, n) mpn_cnd_sub_n ((cnd), (rp), (rp), (ap), (n))
-#else
-# define cnd_add_n(cnd, rp, ap, n) mpn_addmul_1 ((rp), (ap), (n), (cnd) != 0)
-# define cnd_sub_n(cnd, rp, ap, n) mpn_submul_1 ((rp), (ap), (n), (cnd) != 0)
+mp_limb_t
+mpn_cnd_sub_n (mp_limb_t cnd, mp_limb_t *rp,
+ const mp_limb_t *ap, const mp_limb_t *bp, mp_size_t n);
+
+void
+mpn_cnd_swap (mp_limb_t cnd, volatile mp_limb_t *ap, volatile mp_limb_t *bp, mp_size_t n);
#endif
#define NETTLE_OCTET_SIZE_TO_LIMB_SIZE(n) \
(((n) * 8 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
-void
-cnd_swap (mp_limb_t cnd, mp_limb_t *ap, mp_limb_t *bp, mp_size_t n);
-
/* Convenience functions */
int
mpz_limbs_cmp (mpz_srcptr a, const mp_limb_t *bp, mp_size_t bn);
sec_mod_mul (scratch_out, r_mod_q, qn, mpz_limbs_read (key->c), cn, pp, pn,
scratch_out + cn + qn);
cy = mpn_sub_n (r_mod_p, r_mod_p, scratch_out, pn);
- cnd_add_n (cy, r_mod_p, pp, pn);
+ mpn_cnd_add_n (cy, r_mod_p, r_mod_p, pp, pn);
/* Finally, compute x = r_mod_q + q r_mod_p' */
sec_mul (scratch_out, qp, qn, r_mod_p, pn, scratch_out + pn + qn);
projects / thirdparty / nettle.git / commitdiff
