From: Niels Möller Date: Mon, 2 Nov 2020 20:13:45 +0000 (+0100) Subject: Reduce scratch need for ecc_curve25519_inv X-Git-Tag: nettle_3.7rc1~52^2~20 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f4fec7f37891f2b34a8d89caa818b886f07053b5;p=thirdparty%2Fnettle.git Reduce scratch need for ecc_curve25519_inv --- diff --git a/ChangeLog b/ChangeLog index cf5b4ce2..4eebab5b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2020-11-02 Niels Möller + + * ecc-curve25519.c (ecc_mod_pow_252m3): Reduce scratch need. + (ecc_curve25519_inv): Likewise. + 2020-11-01 Niels Möller * ecc-mod-arith.c (ecc_mod_mul, ecc_mod_sqr): Separate argument diff --git a/ecc-curve25519.c b/ecc-curve25519.c index 88a955bc..409e2968 100644 --- a/ecc-curve25519.c +++ b/ecc-curve25519.c @@ -100,7 +100,7 @@ ecc_curve25519_modq (const struct ecc_modulo *q, mp_limb_t *rp, mp_limb_t *xp) mpn_cnd_add_n (cy, rp, xp, q->m, ECC_LIMB_SIZE); } -/* Computes a^{(p-5)/8} = a^{2^{252}-3} mod m. Needs 5 * n scratch +/* Computes a^{(p-5)/8} = a^{2^{252}-3} mod m. Needs 4 * n scratch space. */ static void ecc_mod_pow_252m3 (const struct ecc_modulo *m, @@ -108,7 +108,7 @@ ecc_mod_pow_252m3 (const struct ecc_modulo *m, { #define a7 scratch #define t0 (scratch + ECC_LIMB_SIZE) -#define t1 (scratch + 3*ECC_LIMB_SIZE) +#define tp (scratch + 2*ECC_LIMB_SIZE) /* a^{2^252 - 3} = a^{(p-5)/8}, using the addition chain 2^252 - 3 @@ -125,53 +125,50 @@ ecc_mod_pow_252m3 (const struct ecc_modulo *m, = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^7+1)(1+2(2^3+1)*7))) */ - ecc_mod_pow_2kp1 (m, t0, ap, 1, t1); /* a^3 */ - ecc_mod_sqr (m, rp, t0, rp); /* a^6 */ - ecc_mod_mul (m, a7, rp, ap, a7); /* a^7 */ - ecc_mod_pow_2kp1 (m, rp, a7, 3, t0); /* a^63 = a^{2^6-1} */ - ecc_mod_sqr (m, t0, rp, t0); /* a^{2^7-2} */ - ecc_mod_mul (m, rp, t0, ap, rp); /* a^{2^7-1} */ - ecc_mod_pow_2kp1 (m, t0, rp, 7, t1); /* a^{2^14-1}*/ - ecc_mod_pow_2kp1 (m, rp, t0, 14, t1); /* a^{2^28-1} */ - ecc_mod_sqr (m, t0, rp, t0); /* a^{2^29-2} */ - ecc_mod_sqr (m, t1, t0, t1); /* a^{2^30-4} */ - ecc_mod_sqr (m, t0, t1, t0); /* a^{2^31-8} */ - ecc_mod_mul (m, rp, t0, a7, rp); /* a^{2^31-1} */ - ecc_mod_pow_2kp1 (m, t0, rp, 31, t1); /* a^{2^62-1} */ - ecc_mod_pow_2kp1 (m, rp, t0, 62, t1); /* a^{2^124-1}*/ - ecc_mod_sqr (m, t0, rp, t0); /* a^{2^125-2} */ - ecc_mod_mul (m, rp, t0, ap, rp); /* a^{2^125-1} */ - ecc_mod_pow_2kp1 (m, t0, rp, 125, t1);/* a^{2^250-1} */ - ecc_mod_sqr (m, rp, t0, rp); /* a^{2^251-2} */ - ecc_mod_sqr (m, t0, rp, t0); /* a^{2^252-4} */ - ecc_mod_mul (m, rp, t0, ap, rp); /* a^{2^252-3} */ -#undef t0 -#undef t1 + ecc_mod_pow_2kp1 (m, a7, ap, 1, tp); /* a^3 */ + ecc_mod_sqr (m, a7, a7, tp); /* a^6 */ + ecc_mod_mul (m, a7, a7, ap, tp); /* a^7 */ + ecc_mod_pow_2kp1 (m, rp, a7, 3, tp); /* a^63 = a^{2^6-1} */ + ecc_mod_sqr (m, rp, rp, tp); /* a^{2^7-2} */ + ecc_mod_mul (m, rp, rp, ap, tp); /* a^{2^7-1} */ + ecc_mod_pow_2kp1 (m, t0, rp, 7, tp); /* a^{2^14-1}*/ + ecc_mod_pow_2kp1 (m, rp, t0, 14, tp); /* a^{2^28-1} */ + ecc_mod_sqr (m, rp, rp, tp); /* a^{2^29-2} */ + ecc_mod_sqr (m, rp, rp, tp); /* a^{2^30-4} */ + ecc_mod_sqr (m, rp, rp, tp); /* a^{2^31-8} */ + ecc_mod_mul (m, rp, rp, a7, tp); /* a^{2^31-1} */ + ecc_mod_pow_2kp1 (m, t0, rp, 31, tp); /* a^{2^62-1} */ + ecc_mod_pow_2kp1 (m, rp, t0, 62, tp); /* a^{2^124-1}*/ + ecc_mod_sqr (m, rp, rp, tp); /* a^{2^125-2} */ + ecc_mod_mul (m, rp, rp, ap, tp); /* a^{2^125-1} */ + ecc_mod_pow_2kp1 (m, t0, rp, 125, tp);/* a^{2^250-1} */ + ecc_mod_sqr (m, rp, t0, tp); /* a^{2^251-2} */ + ecc_mod_sqr (m, rp, rp, tp); /* a^{2^252-4} */ + ecc_mod_mul (m, rp, rp, ap, tp); /* a^{2^252-3} */ #undef a7 +#undef t0 +#undef tp } -/* Needs 5*ECC_LIMB_SIZE scratch space. */ -#define ECC_25519_INV_ITCH (5*ECC_LIMB_SIZE) +/* Scratch as for ecc_mod_pow_252m3 above. */ +#define ECC_25519_INV_ITCH (4*ECC_LIMB_SIZE) -static void ecc_curve25519_inv (const struct ecc_modulo *p, - mp_limb_t *rp, const mp_limb_t *ap, - mp_limb_t *scratch) +static void +ecc_curve25519_inv (const struct ecc_modulo *p, + mp_limb_t *rp, const mp_limb_t *ap, + mp_limb_t *scratch) { -#define t0 scratch - /* Addition chain p - 2 = 2^{255} - 21 = 1 + 2 (1 + 4 (2^{252}-3)) */ - ecc_mod_pow_252m3 (p, rp, ap, t0); - ecc_mod_sqr (p, t0, rp, t0); - ecc_mod_sqr (p, rp, t0, rp); - ecc_mod_mul (p, t0, ap, rp, t0); - ecc_mod_sqr (p, rp, t0, rp); - ecc_mod_mul (p, t0, ap, rp, t0); - mpn_copyi (rp, t0, ECC_LIMB_SIZE); /* FIXME: Eliminate copy? */ -#undef t0 + ecc_mod_pow_252m3 (p, rp, ap, scratch); + ecc_mod_sqr (p, rp, rp, scratch); + ecc_mod_sqr (p, rp, rp, scratch); + ecc_mod_mul (p, rp, ap, rp, scratch); + ecc_mod_sqr (p, rp, rp, scratch); + ecc_mod_mul (p, rp, ap, rp, scratch); } /* First, do a canonical reduction, then check if zero */