New function ecc_mod_pow_127m1, used for ecc_secp224r1_inv.

diff --git a/ChangeLog b/ChangeLog
index b6f8f3882e6d2e74f1c16dfb63047c99cbe20c12..4cc12d7a94951b5da28ede3ad96bc5e41e5990cb 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -14,6 +14,8 @@
        (test_sqrt_ratio): Renamed function (was test_modulo).
        (test_main): Test sqrt function, for curves that define it.
 
+       * ecc-secp224r1.c (ecc_mod_pow_127m1): New function.
+
 2021-11-07  Niels Möller  <nisse@lysator.liu.se>
 
        * ecc-internal.h (struct ecc_modulo): Renamed sqrt_itch to

diff --git a/ecc-secp224r1.c b/ecc-secp224r1.c
index 767eccf7e87f2f746fb1f4f8ec5bc01c35fea762..269c30a4869e1b7e56e652d739994bf901b93267 100644 (file)
--- a/ecc-secp224r1.c
+++ b/ecc-secp224r1.c
@@ -61,20 +61,13 @@ ecc_secp224r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp);
 # error Configuration error
 #endif
 
-#define ECC_SECP224R1_INV_ITCH (4*ECC_LIMB_SIZE)
-
+/* Computes a^{2^{127} - 1} mod m. Also produces the intermediate value a^{2^{96} - 1}.
+   Needs 3*ECC_LIMB_SIZE scratch. */
 static void
-ecc_secp224r1_inv (const struct ecc_modulo *p,
-                  mp_limb_t *rp, const mp_limb_t *ap,
-                  mp_limb_t *scratch)
+ecc_mod_pow_127m1 (const struct ecc_modulo *m,
+                  mp_limb_t *rp, mp_limb_t *a96m1, const mp_limb_t *ap, mp_limb_t *scratch)
 {
-#define a7 scratch
-#define t0 (scratch + 1*ECC_LIMB_SIZE)
-#define a31m1 t0
-#define a96m1 a7
-#define tp (scratch + 2*ECC_LIMB_SIZE)
-
-  /* Addition chain for p - 2 = 2^{224} - 2^{96} - 1
+  /* Addition chain for 2^127 - 1:
 
        7           = 1 + 2 (2+1)                       2 S + 2 M
        2^{31} - 1  = 1 + 2 (2^{15} + 1)(1 + 2 (2^7 + 1) (1 + 2 (2^3+1) * 7))
@@ -84,31 +77,62 @@ ecc_secp224r1_inv (const struct ecc_modulo *p,
        2^{96} - 1  = 2^{31}(2^{65} - 1) + 2^{31} - 1  31 S +   M
        2^{127} - 1 = 2^{31}(2^{96} - 1) + 2^{31} - 1  31 S +   M
 
-       2^{224} - 2^{96} - 1                           97 S +   M
+     This addition chain needs 126 squarings and 12 multiplies.
+  */
+#define a7 a96m1
+#define t0 scratch
+#define a31m1 t0
+#define tp (scratch + ECC_LIMB_SIZE)
+
+  ecc_mod_sqr        (m, rp, ap, tp);          /* a^2 */
+  ecc_mod_mul        (m, rp, rp, ap, tp);      /* a^3 */
+  ecc_mod_sqr        (m, rp, rp, tp);          /* a^6 */
+  ecc_mod_mul        (m, a7, rp, ap, tp);      /* a^{2^3-1} a7 */
+
+  ecc_mod_pow_2kp1   (m, rp, a7, 3, tp);       /* a^{2^6 - 1} */
+  ecc_mod_sqr        (m, rp, rp, tp);          /* a^{2^7 - 2} */
+  ecc_mod_mul        (m, rp, rp, ap, tp);      /* a^{2^7 - 1} */
+  ecc_mod_pow_2kp1   (m, t0, rp, 7, tp);       /* a^{2^14 - 1} */
+  ecc_mod_sqr        (m, rp, t0, tp);          /* a^{2^15 - 2} */
+  ecc_mod_mul        (m, rp, rp, ap, tp);      /* a^{2^15 - 1} */
+  ecc_mod_pow_2kp1   (m, t0, rp, 15, tp);      /* a^{2^30 - 1} */
+  ecc_mod_sqr        (m, rp, t0, tp);          /* a^{2^31 - 2} */
+  ecc_mod_mul        (m, a31m1, rp, ap, tp);   /* a^{2^31 - 1} a7, a31m1 */
+
+  ecc_mod_pow_2k_mul (m, rp, a31m1, 3, a7, tp); /* a^{2^34 - 1} a31m1 */
+  ecc_mod_pow_2k_mul (m, rp, rp, 31, a31m1, tp); /* a^{2^65 - 1} a31m1 */
+  ecc_mod_pow_2k_mul (m, a96m1, rp, 31, a31m1, tp); /* a^{2^96 - 1} a31m1, a96m1 */
+  ecc_mod_pow_2k_mul (m, rp, a96m1, 31, a31m1, tp); /* a^{2^{127} - 1} a96m1 */
+#undef a7
+#undef t0
+#undef a31m1
+#undef tp
+}
+
+#define ECC_SECP224R1_INV_ITCH (4*ECC_LIMB_SIZE)
+
+static void
+ecc_secp224r1_inv (const struct ecc_modulo *p,
+                  mp_limb_t *rp, const mp_limb_t *ap,
+                  mp_limb_t *scratch)
+{
+#define a96m1 scratch
+#define tp (scratch + ECC_LIMB_SIZE)
+
+  /* Compute a^{p - 2}, with
+
+       p-2 = 2^{224} - 2^{96} - 1
                    = 2^{97}(2^{127} - 1) + 2^{96} - 1
 
-       This addition chain needs 223 squarings and 13 multiplies.
+     This addition chain needs 97 squarings and one multiply in
+     addition to ecc_mod_pow_127m1, for a total of 223 squarings and
+     13 multiplies.
   */
-  ecc_mod_sqr (p, rp, ap, tp);         /* a^2 */
-  ecc_mod_mul (p, rp, rp, ap, tp);     /* a^3 */
-  ecc_mod_sqr (p, rp, rp, tp);         /* a^6 */
-  ecc_mod_mul (p, a7, rp, ap, tp);     /* a^{2^3-1} a7 */
-
-  ecc_mod_pow_2kp1 (p, rp, a7, 3, tp); /* a^{2^6 - 1} */
-  ecc_mod_sqr (p, rp, rp, tp);         /* a^{2^7 - 2} */
-  ecc_mod_mul (p, rp, rp, ap, tp);             /* a^{2^7 - 1} */
-  ecc_mod_pow_2kp1 (p, t0, rp, 7, tp); /* a^{2^14 - 1} */
-  ecc_mod_sqr (p, rp, t0, tp);         /* a^{2^15 - 2} */
-  ecc_mod_mul (p, rp, rp, ap, tp);             /* a^{2^15 - 1} */
-  ecc_mod_pow_2kp1 (p, t0, rp, 15, tp);        /* a^{2^30 - 1} */
-  ecc_mod_sqr (p, rp, t0, tp);         /* a^{2^31 - 2} */
-  ecc_mod_mul (p, a31m1, rp, ap, tp);  /* a^{2^31 - 1} a7, a31m1 */
-
-  ecc_mod_pow_2k_mul (p, rp, a31m1, 3, a7, tp); /* a^{2^34 - 1} a31m1 */
-  ecc_mod_pow_2k_mul (p, rp, rp, 31, a31m1, tp); /* a^{2^65 - 1} a31m1 */
-  ecc_mod_pow_2k_mul (p, a96m1, rp, 31, a31m1, tp); /* a^{2^96 - 1} a31m1, a96m1 */
-  ecc_mod_pow_2k_mul (p, rp, a96m1, 31, a31m1, tp); /* a^{2^{127} - 1} a96m1 */
+  ecc_mod_pow_127m1 (p, rp, a96m1, ap, tp);
   ecc_mod_pow_2k_mul (p, rp, rp, 97, a96m1, tp); /* a^{2^{224} - 2^{96} - 1 */
+
+#undef a96m1
+#undef tp
 }