+2014-09-02 Niels Möller <nisse@lysator.liu.se>
+
+ * curve25519-eh-to-x.c (curve25519_eh_to_x): New file, new
+ function. The curve25519 transform currently done by ecc_eh_to_a,
+ but which should eventually be eliminted from that function.
+ * Makefile.in (hogweed_SOURCES): Added curve25519-eh-to-x.c.
+ * ecc-internal.h (curve25519_eh_to_x): Declare it.
+ * curve25519-mul.c (curve25519_mul): Use it.
+ * curve25519-mul-g.c (curve25519_mul_g): Likewise.
+
2014-08-29 Niels Möller <nisse@lysator.liu.se>
* testsuite/testutils.c (test_ecc_mul_j): Renamed, to ...
--- /dev/null
+/* curve25519-x.c
+
+ Copyright (C) 2014 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <string.h>
+
+#include "curve25519.h"
+
+#include "ecc.h"
+#include "ecc-internal.h"
+
+/* Transform a point on the twisted Edwards curve to the curve25519
+ Montgomery curve, and return the x coordinate. */
+void
+curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p,
+ mp_limb_t *scratch)
+{
+#define vp (p + ecc->size)
+#define wp (p + 2*ecc->size)
+#define t0 scratch
+#define t1 (scratch + ecc->size)
+#define t2 (scratch + 2*ecc->size)
+
+ const struct ecc_curve *ecc = &nettle_curve25519;
+ mp_limb_t cy;
+
+ /* If u = U/W and v = V/W are the coordiantes of the point on the
+ Edwards curve we get the curve25519 x coordinate as
+
+ x = (1+v) / (1-v) = (W + V) / (W - V)
+ */
+ /* NOTE: For the infinity point, this subtraction gives zero (mod
+ p), which isn't invertible. For curve25519, the desired output is
+ x = 0, and we should be fine, since ecc_modp_inv returns 0
+ in this case. */
+ ecc_modp_sub (ecc, t0, wp, vp);
+ /* Needs 3*size scratch, for a total of 5*size */
+ ecc_modp_inv (ecc, t1, t0, t2);
+
+ ecc_modp_add (ecc, t0, wp, vp);
+ ecc_modp_mul (ecc, t2, t0, t1);
+
+ cy = mpn_sub_n (xp, t2, ecc->p, ecc->size);
+ cnd_copy (cy, xp, t2, ecc->size);
+#undef vp
+#undef wp
+#undef t0
+#undef t1
+#undef t2
+}
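Review bot: The file header comment names this file `curve25519-x.c`, while the ChangeLog and Makefile entries add it as `curve25519-eh-to-x.c`; the first line should read `/* curve25519-eh-to-x.c`. The neutral-point behaviour also deserves to be part of the function's stated contract rather than a NOTE resting on `ecc_modp_inv` returning 0 for a zero input, which is a property of a function not visible in this change; if it does not hold, the neutral point (V == W) yields an undefined x instead of 0, so a testsuite case feeding that point through this function is worth adding. Since the function reports no error, a caller that needs contributory behaviour has to detect an all-zero result itself, and I would extend the header comment to `/* ... The result is fully reduced mod p; for the neutral point (V == W) the result is x = 0 and no error is reported. */`.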
mpn_set_base256_le (x, ecc_size, t, CURVE25519_SIZE);
ecc_mul_g_eh (&nettle_curve25519, p, x, scratch_out);
- ecc_eh_to_a (&nettle_curve25519, 1, x, p, scratch_out);
+ curve25519_eh_to_x (x, p, scratch_out);
mpn_get_base256_le (r, CURVE25519_SIZE, x, ecc_size);
gmp_free_limbs (scratch, itch);
mpn_set_base256_le (s, ecc->size, t, CURVE25519_SIZE);
ecc_mul_a_eh (ecc, x, s, x, scratch_out);
- ecc_eh_to_a (ecc, 1, s, x, scratch_out);
+ curve25519_eh_to_x (s, x, scratch_out);
mpn_get_base256_le (q, CURVE25519_SIZE, s, ecc->size);
gmp_free_limbs (scratch, itch);
#define sec_tabselect _nettle_sec_tabselect
#define sec_modinv _nettle_sec_modinv
#define ecc_25519_sqrt _nettle_ecc_25519_sqrt
+#define curve25519_eh_to_x _nettle_curve25519_eh_to_x
#define ECC_MAX_SIZE ((521 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
int
ecc_25519_sqrt(mp_limb_t *rp, const mp_limb_t *ap);
+void
+curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p,
+ mp_limb_t *scratch);
+
/* Current scratch needs: */
#define ECC_MODINV_ITCH(size) (3*(size))
#define ECC_J_TO_A_ITCH(size) (5*(size))
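Review bot: The new prototype states no scratch requirement, while the definition in curve25519-eh-to-x.c needs 5*size limbs (t0, t1, plus ECC_MODINV_ITCH = 3*size for `ecc_modp_inv` starting at offset 2*size), and nothing in this change shows that `scratch_out` at the two call sites is at least that large. The neighbouring helpers carry ITCH macros, so add `#define CURVE25519_EH_TO_X_ITCH(size) (5*(size))` beside `ECC_MODINV_ITCH` and size the callers' scratch against it; an undersized buffer here would be an out-of-bounds access on memory holding secret intermediates. A comment on the prototype, `/* Needs CURVE25519_EH_TO_X_ITCH(ecc->size) limbs of scratch. */`, would make the requirement visible at the declaration.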