Reduce scratch need for ecc_add_eh

diff --git a/ChangeLog b/ChangeLog
index 01cc3f74784b578e53739f81db9330b9aeae5a64..4e6716db2243e9df44edab4e5480aa25aba5dc85 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2020-11-03  Niels Möller  <nisse@lysator.liu.se>
+
+       * ecc-add-eh.c (ecc_add_eh): Reduce scratch need.
+       * ecc-internal.h (ECC_ADD_EH_ITCH): Now 4*size.
+
 2020-11-02  Niels Möller  <nisse@lysator.liu.se>
 
        * ecc-curve25519.c (ecc_mod_pow_252m3): Reduce scratch need.

diff --git a/ecc-add-eh.c b/ecc-add-eh.c
index 20adcf382d63f9ede5780647c8cf224182c499ee..d5bde042a1c1451ab8b63c5b8342c9701a732477 100644 (file)
--- a/ecc-add-eh.c
+++ b/ecc-add-eh.c
@@ -70,38 +70,38 @@ ecc_add_eh (const struct ecc_curve *ecc,
      y3 = z1*G*(D-C)   2 mul           F, G
      z3 = F*G          mul
   */
-#define C (scratch)
-#define D (scratch + 1*ecc->p.size)
-#define T (scratch + 2*ecc->p.size)
-#define E (scratch + 3*ecc->p.size)
-#define B (scratch + 4*ecc->p.size)
-#define F D
+#define T scratch
+#define E (scratch + 1*ecc->p.size)
 #define G E
+#define C (scratch + 2*ecc->p.size)
+#define D (scratch + 3*ecc->p.size)
+#define B D
 
-  ecc_mod_mul (&ecc->p, C, x1, x2, C);
-  ecc_mod_mul (&ecc->p, D, y1, y2, D);
+  /* Use T as scratch, clobber E */
+  ecc_mod_mul (&ecc->p, C, x1, x2, T); /* C */
+  ecc_mod_mul (&ecc->p, D, y1, y2, T); /* C, D */
   ecc_mod_add (&ecc->p, x3, x1, y1);
   ecc_mod_add (&ecc->p, y3, x2, y2);
-  ecc_mod_mul (&ecc->p, T, x3, y3, T);
+  ecc_mod_mul (&ecc->p, T, x3, y3, T); /* C, D, T */
   ecc_mod_sub (&ecc->p, T, T, C);
   ecc_mod_sub (&ecc->p, T, T, D);
-  ecc_mod_mul (&ecc->p, x3, C, D, x3);
-  ecc_mod_mul (&ecc->p, E, x3, ecc->b, E);
+  /* Can now use x3 as scratch, without breaking in-place operation. */
+  ecc_mod_mul (&ecc->p, T, T, z1, x3);
 
-  ecc_mod_sub (&ecc->p, C, D, C);
-  ecc_mod_sqr (&ecc->p, B, z1, B);
-  ecc_mod_sub (&ecc->p, F, B, E);
-  ecc_mod_add (&ecc->p, G, B, E);
+  ecc_mod_mul (&ecc->p, E, C, D, x3);  /* C, D, T, E */
+  ecc_mod_mul (&ecc->p, E, E, ecc->b, x3);
 
-  /* x3 */
-  ecc_mod_mul (&ecc->p, B, F, T, B);
-  ecc_mod_mul (&ecc->p, x3, B, z1, x3);
+  ecc_mod_sub (&ecc->p, C, D, C);      /* C, T, E */
+  ecc_mod_mul (&ecc->p, C, C, z1, x3);
 
-  /* y3 */
-  ecc_mod_mul (&ecc->p, B, G, z1, B);
-  ecc_mod_mul (&ecc->p, y3, B, C, y3); /* Clobbers z1 in case r == p. */
+  ecc_mod_sqr (&ecc->p, B, z1, x3);    /* C, T, E, B */
+  ecc_mod_sub (&ecc->p, x3, B, E);
+  ecc_mod_add (&ecc->p, G, B, E);      /* C, T, G */
 
-  /* z3 */
-  ecc_mod_mul (&ecc->p, B, F, G, B);
-  mpn_copyi (z3, B, ecc->p.size);
+  /* Can now use y3 as scratch, without breaking in-place operation. */
+  ecc_mod_mul (&ecc->p, y3, C, G, y3); /* T G */
+
+  /* Can use C--D as scratch */
+  ecc_mod_mul (&ecc->p, z3, x3, G, C); /* T */
+  ecc_mod_mul (&ecc->p, x3, x3, T, C);
 }

diff --git a/ecc-internal.h b/ecc-internal.h
index 52bea1c9ecb62e7df130e5077ee11acc65392189..abe25f6491de5be2ca7be8ebec94b7a6ed59c910 100644 (file)
--- a/ecc-internal.h
+++ b/ecc-internal.h
@@ -449,7 +449,7 @@ curve448_eh_to_x (mp_limb_t *xp, const mp_limb_t *p,
 #define ECC_DUP_TH_ITCH(size) (5*(size))
 #define ECC_ADD_JJA_ITCH(size) (6*(size))
 #define ECC_ADD_JJJ_ITCH(size) (8*(size))
-#define ECC_ADD_EH_ITCH(size) (6*(size))
+#define ECC_ADD_EH_ITCH(size) (4*(size))
 #define ECC_ADD_EHH_ITCH(size) (7*(size))
 #define ECC_ADD_TH_ITCH(size) (6*(size))
 #define ECC_ADD_THH_ITCH(size) (7*(size))