2014-08-28 Niels Möller <nisse@lysator.liu.se>
+ * ecc-j-to-a.c (ecc_j_to_a): For curves using redc, always convert
+ back from redc form. When producing x coordiante only optionally
+ reduce it modulo q. Completely changes the meaning of the "flags"
+ argument, and renames it to "op". Update all users of this
+ function or ecc->h_to_a.
+
+ * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Use new ecc_j_to_a modulo q
+ feature.
+ * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Likewise.
+
* testsuite/symbols-test: Regexp fixes, to better filter out
get_pc_thunk functions.
*/
ecc_mul_g (ecc, P, kp, P + 3*ecc->size);
- /* x coordinate only */
- ecc_j_to_a (ecc, 3, rp, P, P + 3*ecc->size);
-
- /* We need to reduce x coordinate mod ecc->q. It should already
- be < 2*ecc->q, so one subtraction should suffice. */
- cy = mpn_sub_n (scratch, rp, ecc->q, ecc->size);
- cnd_copy (cy == 0, rp, scratch, ecc->size);
+ /* x coordinate only, modulo q */
+ ecc_j_to_a (ecc, 2, rp, P, P + 3*ecc->size);
/* Invert k, uses 5 * ecc->size including scratch */
mpn_copyi (hp, kp, ecc->size);
/* Total storage: 6*ecc->size + ECC_ADD_JJJ_ITCH (ecc->size) */
ecc_add_jjj (ecc, P1, P1, P2, u1);
}
- ecc_j_to_a (ecc, 3, P2, P1, u1);
-
- if (mpn_cmp (P2, ecc->q, ecc->size) >= 0)
- mpn_sub_n (P2, P2, ecc->q, ecc->size);
+ /* x coordinate only, modulo q */
+ ecc_j_to_a (ecc, 2, P2, P1, u1);
return (mpn_cmp (rp, P2, ecc->size) == 0);
#undef P2
void
ecc_j_to_a (const struct ecc_curve *ecc,
- int flags,
+ int op,
mp_limb_t *r, const mp_limb_t *p,
mp_limb_t *scratch)
{
ecc_modp_inv (ecc, izp, up, up + ecc->size);
- if (flags & 1)
- {
- /* Divide this common factor by B */
- mpn_copyi (izBp, izp, ecc->size);
- mpn_zero (izBp + ecc->size, ecc->size);
- ecc->redc (ecc, izBp);
+ /* Divide this common factor by B */
+ mpn_copyi (izBp, izp, ecc->size);
+ mpn_zero (izBp + ecc->size, ecc->size);
+ ecc->redc (ecc, izBp);
- ecc_modp_mul (ecc, iz2p, izp, izBp);
- }
- else
- ecc_modp_sqr (ecc, iz2p, izp);
+ ecc_modp_mul (ecc, iz2p, izp, izBp);
}
else
{
cy = mpn_sub_n (r, iz3p, ecc->p, ecc->size);
cnd_copy (cy, r, iz3p, ecc->size);
- if (flags & 2)
- /* Skip y coordinate */
- return;
-
+ if (op)
+ {
+ /* Skip y coordinate */
+ if (op > 1)
+ {
+ /* Also reduce the x coordinate mod ecc->q. It should
+ already be < 2*ecc->q, so one subtraction should
+ suffice. */
+ cy = mpn_sub_n (scratch, r, ecc->q, ecc->size);
+ cnd_copy (cy == 0, r, scratch, ecc->size);
+ }
+ return;
+ }
ecc_modp_mul (ecc, iz3p, iz2p, izp);
ecc_modp_mul (ecc, tp, iz3p, p + ecc->size);
/* And a similar subtraction. */
TMP_ALLOC (scratch, itch);
ecc->mul_g (ecc, scratch, n->p, scratch + 3*size);
- ecc->h_to_a (ecc, 1, r->p, scratch, scratch + 3*size);
+ ecc->h_to_a (ecc, 0, r->p, scratch, scratch + 3*size);
}
assert (p->ecc == ecc);
ecc->mul (ecc, scratch, n->p, p->p, scratch + 3*size);
- ecc->h_to_a (ecc, 1, r->p, scratch, scratch + 3*size);
+ ecc->h_to_a (ecc, 0, r->p, scratch, scratch + 3*size);
gmp_free_limbs (scratch, itch);
}
\f
/* Low-level interface */
-/* Points on a curve are represented as arrays of mp_limb_t. For some
- curves, point coordinates are represented in montgomery form. We
- use either affine coordinates x,y, or Jacobian coordinates X, Y, Z,
- where x = X/Z^2 and y = X/Z^2.
-
+/* Points on a curve are represented as arrays of mp_limb_t, with
+ curve-specific representation. For the secp curves, we use Jacobian
+ coordinates (possibly in Montgomery for for mod multiplication).
+ For curve25519 we use homogeneous coordiantes on an equivalent
+ Edwards curve. The suffix "_h" denotes this internal
+ representation.
+
Since we use additive notation for the groups, the infinity point
on the curve is denoted 0. The infinity point can be represented
with x = y = 0 in affine coordinates, and Z = 0 in Jacobian
mp_limb_t *r, const mp_limb_t *p);
/* Converts a point P in jacobian coordinates into a point R in affine
- coordinates. If FLAGS has bit 0 set, and the curve uses montgomery
- coordinates, also undo the montgomery conversion. If flags has bit
- 1 set, produce x coordinate only. */
+ coordinates. If op == 1, produce x coordinate only. If op == 2,
+ produce the x coordiante only, and in also it modulo q. FIXME: For
+ the public interface, have separate for the three cases, and use
+ this flag argument only for the internal ecc->h_to_a function. */
mp_size_t
ecc_j_to_a_itch (const struct ecc_curve *ecc);
void
ecc_j_to_a (const struct ecc_curve *ecc,
- int flags,
+ int op,
mp_limb_t *r, const mp_limb_t *p,
mp_limb_t *scratch);
ecc_modq_random (key->ecc, key->p, random_ctx, random, p);
ecc_mul_g (pub->ecc, p, key->p, p + 3*pub->ecc->size);
- ecc_j_to_a (pub->ecc, 1, pub->p, p, p + 3*pub->ecc->size);
+ ecc_j_to_a (pub->ecc, 0, pub->p, p, p + 3*pub->ecc->size);
}
n[0] = 1;
ecc_mul_a (ecc, p, n, ecc->g, scratch);
- ecc_j_to_a (ecc, 1, p, p, scratch);
+ ecc_j_to_a (ecc, 0, p, p, scratch);
if (mpn_cmp (p, ecc->g, 2*size != 0))
die ("curve %d: ecc_mul_a with n = 1 failed.\n", ecc->bit_size);
/* (order - 1) * g = - g */
mpn_sub_1 (n, ecc->q, size, 1);
ecc_mul_a (ecc, p, n, ecc->g, scratch);
- ecc_j_to_a (ecc, 1, p, p, scratch);
+ ecc_j_to_a (ecc, 0, p, p, scratch);
mpn_sub_n (p + size, ecc->p, p + size, size);
if (mpn_cmp (p, ecc->g, 2*size) != 0)
{
n[size - 1] %= ecc->q[size - 1];
ecc_mul_a (ecc, p, n, ecc->g, scratch);
- ecc_j_to_a (ecc, 1, p, p, scratch);
+ ecc_j_to_a (ecc, 0, p, p, scratch);
ecc_mul_g (ecc, q, n, scratch);
- ecc_j_to_a (ecc, 1, q, q, scratch);
+ ecc_j_to_a (ecc, 0, q, q, scratch);
if (mpn_cmp (p, q, 2*size))
{
n[0] = 1;
ecc_mul_g (ecc, p, n, scratch);
- ecc_j_to_a (ecc, 1, p, p, scratch);
+ ecc_j_to_a (ecc, 0, p, p, scratch);
if (mpn_cmp (p, ecc->g, 2*size != 0))
{
/* (order - 1) * g = - g */
mpn_sub_1 (n, ecc->q, size, 1);
ecc_mul_g (ecc, p, n, scratch);
- ecc_j_to_a (ecc, 1, p, p, scratch);
+ ecc_j_to_a (ecc, 0, p, p, scratch);
mpn_sub_n (p + size, ecc->p, p + size, size);
if (mpn_cmp (p, ecc->g, 2*size) != 0)
{
const struct ecc_curve *ecc = ecc_curves[curve];
mp_limb_t *np = xalloc_limbs (ecc_size_a (ecc));
mp_limb_t *scratch = xalloc_limbs (ecc_j_to_a_itch(ecc));
- ecc_j_to_a (ecc, 1, np, p, scratch);
+ ecc_j_to_a (ecc, 0, np, p, scratch);
test_ecc_mul_a (curve, n, np);
projects / thirdparty / nettle.git / commitdiff
