ecc_eh_to_a interface change, optionally reduce x mod q.

diff --git a/ChangeLog b/ChangeLog
index be68acc18c8fd2969a63cbd8d37a3a473b42b1f7..b8e8a40dc1897c6bbd5c10c8fd50fd4ac9167774 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 2014-08-28  Niels Möller  <nisse@lysator.liu.se>
 
+       * ecc-eh-to-a.c (ecc_eh_to_a): Analogous change as for ecc_j_to_a.
+       The modulo q case (op == 2) is hardcoded for curve25519.
+
        * ecc-j-to-a.c (ecc_j_to_a): For curves using redc, always convert
        back from redc form. When producing x coordiante only optionally
        reduce it modulo q. Completely changes the meaning of the "flags"

diff --git a/curve25519-mul-g.c b/curve25519-mul-g.c
index f98bee3d4198c755f33d12612ec109160b6b8558..a695dad0d332568db2e0f284c2c8eb74707c2a2c 100644 (file)
--- a/curve25519-mul-g.c
+++ b/curve25519-mul-g.c
@@ -64,7 +64,7 @@ curve25519_mul_g (uint8_t *r, const uint8_t *n)
   mpn_set_base256_le (x, ecc_size, t, CURVE25519_SIZE);
 
   ecc_mul_g_eh (&nettle_curve25519, p, x, scratch_out);
-  ecc_eh_to_a (&nettle_curve25519, 2, x, p, scratch_out);
+  ecc_eh_to_a (&nettle_curve25519, 1, x, p, scratch_out);
 
   mpn_get_base256_le (r, CURVE25519_SIZE, x, ecc_size);
   gmp_free_limbs (scratch, itch);

diff --git a/curve25519-mul.c b/curve25519-mul.c
index ddc50eb5e5922e84639821bf9fbd34ab6f4652e5..e94e26b41602c107154da0c7df5ee9970bd0d741 100644 (file)
--- a/curve25519-mul.c
+++ b/curve25519-mul.c
@@ -82,7 +82,7 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)
   mpn_set_base256_le (s, ecc->size, t, CURVE25519_SIZE);
   
   ecc_mul_a_eh (ecc, x, s, x, scratch_out);
-  ecc_eh_to_a (ecc, 2, s, x, scratch_out);
+  ecc_eh_to_a (ecc, 1, s, x, scratch_out);
   mpn_get_base256_le (q, CURVE25519_SIZE, s, ecc->size);
 
   gmp_free_limbs (scratch, itch);

diff --git a/ecc-eh-to-a.c b/ecc-eh-to-a.c
index fd953bf34d16fdc21aa4266adbb4f9ab74dc0869..80a450d96a7ead5aecb6f0f9ba8173ba0fd8d9da 100644 (file)
--- a/ecc-eh-to-a.c
+++ b/ecc-eh-to-a.c
@@ -33,6 +33,8 @@
 # include "config.h"
 #endif
 
+#include <assert.h>
+
 #include "ecc.h"
 #include "ecc-internal.h"
 
@@ -47,7 +49,7 @@ ecc_eh_to_a_itch (const struct ecc_curve *ecc)
    coordinates on the corresponding Montgomery curve. */
 void
 ecc_eh_to_a (const struct ecc_curve *ecc,
-            int flags,
+            int op,
             mp_limb_t *r, const mp_limb_t *p,
             mp_limb_t *scratch)
 {
@@ -88,10 +90,24 @@ ecc_eh_to_a (const struct ecc_curve *ecc,
   cy = mpn_sub_n (xp, tp, ecc->p, ecc->size);
   cnd_copy (cy, xp, tp, ecc->size);
 
-  if (flags & 2)
-    /* Skip y coordinate */
-    return;
-  
+  if (op)
+    {
+      /* Skip y coordinate */
+      if (op > 1)
+       {
+         /* Reduce modulo q. FIXME: Hardcoded for curve25519,
+            duplicates end of ecc_25519_modq. */
+         mp_limb_t cy;
+         unsigned shift;
+         assert (ecc->bit_size == 255);
+         shift = 252 - GMP_NUMB_BITS * (ecc->size - 1);
+         cy = mpn_submul_1 (xp, ecc->q, ecc->size,
+                            xp[ecc->size-1] >> shift);
+         assert (cy < 2);
+         cnd_add_n (cy, xp, ecc->q, ecc->size);
+       }
+      return;
+    }
   ecc_modp_add (ecc, sp, wp, vp); /* FIXME: Redundant. Also the (W +
                                     V) Z^-1 multiplication is
                                     redundant. */

diff --git a/ecc.h b/ecc.h
index 2d8fc49f66c834e7884eb39775fcd4fdcbaf2033..0d07ee5d62fc2f070a146abf46f77fa59d29e24c 100644 (file)
--- a/ecc.h
+++ b/ecc.h
@@ -206,7 +206,7 @@ mp_size_t
 ecc_eh_to_a_itch (const struct ecc_curve *ecc);
 void
 ecc_eh_to_a (const struct ecc_curve *ecc,
-            int flags,
+            int op,
             mp_limb_t *r, const mp_limb_t *p,
             mp_limb_t *scratch);