From: Niels Möller Date: Mon, 8 Nov 2021 19:03:11 +0000 (+0100) Subject: New function ecc_mod_pow_127m1, used for ecc_secp224r1_inv. X-Git-Tag: nettle_3.8_release_20220602~77 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4be1725f756b79b05b8f5b4a8d73a2680599982d;p=thirdparty%2Fnettle.git New function ecc_mod_pow_127m1, used for ecc_secp224r1_inv. --- diff --git a/ChangeLog b/ChangeLog index b6f8f388..4cc12d7a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,8 @@ (test_sqrt_ratio): Renamed function (was test_modulo). (test_main): Test sqrt function, for curves that define it. + * ecc-secp224r1.c (ecc_mod_pow_127m1): New function. + 2021-11-07 Niels Möller * ecc-internal.h (struct ecc_modulo): Renamed sqrt_itch to diff --git a/ecc-secp224r1.c b/ecc-secp224r1.c index 767eccf7..269c30a4 100644 --- a/ecc-secp224r1.c +++ b/ecc-secp224r1.c @@ -61,20 +61,13 @@ ecc_secp224r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); # error Configuration error #endif -#define ECC_SECP224R1_INV_ITCH (4*ECC_LIMB_SIZE) - +/* Computes a^{2^{127} - 1} mod m. Also produces the intermediate value a^{2^{96} - 1}. + Needs 3*ECC_LIMB_SIZE scratch. */ static void -ecc_secp224r1_inv (const struct ecc_modulo *p, - mp_limb_t *rp, const mp_limb_t *ap, - mp_limb_t *scratch) +ecc_mod_pow_127m1 (const struct ecc_modulo *m, + mp_limb_t *rp, mp_limb_t *a96m1, const mp_limb_t *ap, mp_limb_t *scratch) { -#define a7 scratch -#define t0 (scratch + 1*ECC_LIMB_SIZE) -#define a31m1 t0 -#define a96m1 a7 -#define tp (scratch + 2*ECC_LIMB_SIZE) - - /* Addition chain for p - 2 = 2^{224} - 2^{96} - 1 + /* Addition chain for 2^127 - 1: 7 = 1 + 2 (2+1) 2 S + 2 M 2^{31} - 1 = 1 + 2 (2^{15} + 1)(1 + 2 (2^7 + 1) (1 + 2 (2^3+1) * 7)) @@ -84,31 +77,62 @@ ecc_secp224r1_inv (const struct ecc_modulo *p, 2^{96} - 1 = 2^{31}(2^{65} - 1) + 2^{31} - 1 31 S + M 2^{127} - 1 = 2^{31}(2^{96} - 1) + 2^{31} - 1 31 S + M - 2^{224} - 2^{96} - 1 97 S + M + This addition chain needs 126 squarings and 12 multiplies. + */ +#define a7 a96m1 +#define t0 scratch +#define a31m1 t0 +#define tp (scratch + ECC_LIMB_SIZE) + + ecc_mod_sqr (m, rp, ap, tp); /* a^2 */ + ecc_mod_mul (m, rp, rp, ap, tp); /* a^3 */ + ecc_mod_sqr (m, rp, rp, tp); /* a^6 */ + ecc_mod_mul (m, a7, rp, ap, tp); /* a^{2^3-1} a7 */ + + ecc_mod_pow_2kp1 (m, rp, a7, 3, tp); /* a^{2^6 - 1} */ + ecc_mod_sqr (m, rp, rp, tp); /* a^{2^7 - 2} */ + ecc_mod_mul (m, rp, rp, ap, tp); /* a^{2^7 - 1} */ + ecc_mod_pow_2kp1 (m, t0, rp, 7, tp); /* a^{2^14 - 1} */ + ecc_mod_sqr (m, rp, t0, tp); /* a^{2^15 - 2} */ + ecc_mod_mul (m, rp, rp, ap, tp); /* a^{2^15 - 1} */ + ecc_mod_pow_2kp1 (m, t0, rp, 15, tp); /* a^{2^30 - 1} */ + ecc_mod_sqr (m, rp, t0, tp); /* a^{2^31 - 2} */ + ecc_mod_mul (m, a31m1, rp, ap, tp); /* a^{2^31 - 1} a7, a31m1 */ + + ecc_mod_pow_2k_mul (m, rp, a31m1, 3, a7, tp); /* a^{2^34 - 1} a31m1 */ + ecc_mod_pow_2k_mul (m, rp, rp, 31, a31m1, tp); /* a^{2^65 - 1} a31m1 */ + ecc_mod_pow_2k_mul (m, a96m1, rp, 31, a31m1, tp); /* a^{2^96 - 1} a31m1, a96m1 */ + ecc_mod_pow_2k_mul (m, rp, a96m1, 31, a31m1, tp); /* a^{2^{127} - 1} a96m1 */ +#undef a7 +#undef t0 +#undef a31m1 +#undef tp +} + +#define ECC_SECP224R1_INV_ITCH (4*ECC_LIMB_SIZE) + +static void +ecc_secp224r1_inv (const struct ecc_modulo *p, + mp_limb_t *rp, const mp_limb_t *ap, + mp_limb_t *scratch) +{ +#define a96m1 scratch +#define tp (scratch + ECC_LIMB_SIZE) + + /* Compute a^{p - 2}, with + + p-2 = 2^{224} - 2^{96} - 1 = 2^{97}(2^{127} - 1) + 2^{96} - 1 - This addition chain needs 223 squarings and 13 multiplies. + This addition chain needs 97 squarings and one multiply in + addition to ecc_mod_pow_127m1, for a total of 223 squarings and + 13 multiplies. */ - ecc_mod_sqr (p, rp, ap, tp); /* a^2 */ - ecc_mod_mul (p, rp, rp, ap, tp); /* a^3 */ - ecc_mod_sqr (p, rp, rp, tp); /* a^6 */ - ecc_mod_mul (p, a7, rp, ap, tp); /* a^{2^3-1} a7 */ - - ecc_mod_pow_2kp1 (p, rp, a7, 3, tp); /* a^{2^6 - 1} */ - ecc_mod_sqr (p, rp, rp, tp); /* a^{2^7 - 2} */ - ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^7 - 1} */ - ecc_mod_pow_2kp1 (p, t0, rp, 7, tp); /* a^{2^14 - 1} */ - ecc_mod_sqr (p, rp, t0, tp); /* a^{2^15 - 2} */ - ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^15 - 1} */ - ecc_mod_pow_2kp1 (p, t0, rp, 15, tp); /* a^{2^30 - 1} */ - ecc_mod_sqr (p, rp, t0, tp); /* a^{2^31 - 2} */ - ecc_mod_mul (p, a31m1, rp, ap, tp); /* a^{2^31 - 1} a7, a31m1 */ - - ecc_mod_pow_2k_mul (p, rp, a31m1, 3, a7, tp); /* a^{2^34 - 1} a31m1 */ - ecc_mod_pow_2k_mul (p, rp, rp, 31, a31m1, tp); /* a^{2^65 - 1} a31m1 */ - ecc_mod_pow_2k_mul (p, a96m1, rp, 31, a31m1, tp); /* a^{2^96 - 1} a31m1, a96m1 */ - ecc_mod_pow_2k_mul (p, rp, a96m1, 31, a31m1, tp); /* a^{2^{127} - 1} a96m1 */ + ecc_mod_pow_127m1 (p, rp, a96m1, ap, tp); ecc_mod_pow_2k_mul (p, rp, rp, 97, a96m1, tp); /* a^{2^{224} - 2^{96} - 1 */ + +#undef a96m1 +#undef tp }