[git] GCRYPT - branch, master, updated. libgcrypt-1.8.1-10-g1d5f726
by NIIBE Yutaka
cvs at cvs.gnupg.org
Tue Aug 29 03:14:54 CEST 2017
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".
The branch, master has been updated
via 1d5f726668b9cc32d6bb601f2329987058146c6c (commit)
via fab712d654b2ccd24696ed90bc239860a128ad5b (commit)
via 1ac3d3637dd80013b78e03b9b9f582091710d908 (commit)
via e9be23c4ad9f42c9d3198c706f912b7e27f574bc (commit)
via 449459a2770d3aecb1f36502bf1903e0cbd2873e (commit)
via 9ed0fb37bd637d1a2e9498c24097cfeadec682ec (commit)
via d4cd381defe5b37dda19bbda0986bdd38065bd31 (commit)
from 52af575ae4d6961edf459d5ba7f7a8057ed4cb80 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 1d5f726668b9cc32d6bb601f2329987058146c6c
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Wed Aug 23 13:03:07 2017 +0900
ecc: Fix ec_mulm_25519.
* mpi/ec.c (ec_mulm_25519): Improve reduction to 25519.
Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
diff --git a/mpi/ec.c b/mpi/ec.c
index ffdf3d1..88e2fab 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -455,13 +455,10 @@ ec_mulm_25519 (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, mpi_ec_t ctx)
m[LIMB_SIZE_25519] += cy;
memset (m, 0, wsize * BYTES_PER_MPI_LIMB);
- m[0] = m[LIMB_SIZE_25519] * 2 * 19;
- cy = _gcry_mpih_add_n (wp, wp, m, wsize);
-
msb = (wp[LIMB_SIZE_25519-1] >> (255 % BITS_PER_MPI_LIMB));
- m[0] = (cy * 2 + msb) * 19;
- _gcry_mpih_add_n (wp, wp, m, wsize);
+ m[0] = (m[LIMB_SIZE_25519] * 2 + msb) * 19;
wp[LIMB_SIZE_25519-1] &= ~(1UL << (255 % BITS_PER_MPI_LIMB));
+ _gcry_mpih_add_n (wp, wp, m, wsize);
m[0] = 0;
cy = _gcry_mpih_sub_n (wp, wp, ctx->p->d, wsize);
commit fab712d654b2ccd24696ed90bc239860a128ad5b
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Wed Aug 23 12:46:20 2017 +0900
ecc: Use 25519 method also for ed25519.
* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Don't use mpi_add
since it resizes to have more limbs.
* mpi/ec.c (point_resize): Fix for Edwards curve.
(ec_p_init): Support Edwards curve.
(_gcry_mpi_ec_get_affine): Use the methods.
(dup_point_edwards, add_points_edwards, sub_points_edwards): Ditto.
(_gcry_mpi_ec_mul_point): Resize MPIs of point to fixed size.
(_gcry_mpi_ec_curve_point): Use the methods.
Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
diff --git a/cipher/Makefile.am b/cipher/Makefile.am
index 95c4510..ee99262 100644
--- a/cipher/Makefile.am
+++ b/cipher/Makefile.am
@@ -21,7 +21,7 @@
# Need to include ../src in addition to top_srcdir because gcrypt.h is
# a built header.
-AM_CPPFLAGS = -I../src -I$(top_srcdir)/src
+AM_CPPFLAGS = -I../src -I$(top_srcdir)/src -I../mpi -I$(top_srcdir)/mpi
AM_CFLAGS = $(GPG_ERROR_CFLAGS)
AM_CCASFLAGS = $(NOEXECSTACK_FLAGS)
diff --git a/cipher/ecc-curves.c b/cipher/ecc-curves.c
index 3488ed3..86d0b4e 100644
--- a/cipher/ecc-curves.c
+++ b/cipher/ecc-curves.c
@@ -26,6 +26,7 @@
#include "g10lib.h"
#include "mpi.h"
+#include "mpi-internal.h"
#include "cipher.h"
#include "context.h"
#include "ec-context.h"
@@ -563,13 +564,25 @@ _gcry_ecc_fill_in_curve (unsigned int nbits, const char *name,
{
curve->a = scanval (domain_parms[idx].a);
if (curve->a->sign)
- mpi_add (curve->a, curve->p, curve->a);
+ {
+ mpi_resize (curve->a, curve->p->nlimbs);
+ _gcry_mpih_sub_n (curve->a->d, curve->p->d,
+ curve->a->d, curve->p->nlimbs);
+ curve->a->nlimbs = curve->p->nlimbs;
+ curve->a->sign = 0;
+ }
}
if (!curve->b)
{
curve->b = scanval (domain_parms[idx].b);
if (curve->b->sign)
- mpi_add (curve->b, curve->p, curve->b);
+ {
+ mpi_resize (curve->b, curve->p->nlimbs);
+ _gcry_mpih_sub_n (curve->b->d, curve->p->d,
+ curve->b->d, curve->p->nlimbs);
+ curve->b->nlimbs = curve->p->nlimbs;
+ curve->b->sign = 0;
+ }
}
if (!curve->n)
curve->n = scanval (domain_parms[idx].n);
diff --git a/mpi/ec.c b/mpi/ec.c
index a47e223..ffdf3d1 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -156,28 +156,17 @@ _gcry_mpi_point_copy (gcry_mpi_point_t point)
static void
point_resize (mpi_point_t p, mpi_ec_t ctx)
{
- size_t nlimbs;
+ size_t nlimbs = ctx->p->nlimbs;
- if (ctx->model == MPI_EC_MONTGOMERY)
- {
- nlimbs = ctx->p->nlimbs;
+ mpi_resize (p->x, nlimbs);
+ p->x->nlimbs = nlimbs;
+ mpi_resize (p->z, nlimbs);
+ p->z->nlimbs = nlimbs;
- mpi_resize (p->x, nlimbs);
- mpi_resize (p->z, nlimbs);
- p->x->nlimbs = nlimbs;
- p->z->nlimbs = nlimbs;
- }
- else
+ if (ctx->model != MPI_EC_MONTGOMERY)
{
- /*
- * For now, we allocate enough limbs for our EC computation of ec_*.
- * Once we will improve ec_* to be constant size (and constant
- * time), NLIMBS can be ctx->p->nlimbs.
- */
- nlimbs = 2*ctx->p->nlimbs+1;
- mpi_resize (p->x, nlimbs);
mpi_resize (p->y, nlimbs);
- mpi_resize (p->z, nlimbs);
+ p->y->nlimbs = nlimbs;
}
}
@@ -657,6 +646,13 @@ ec_p_init (mpi_ec_t ctx, enum gcry_mpi_ec_models model,
mpi_resize (ctx->a, ctx->p->nlimbs);
ctx->a->nlimbs = ctx->p->nlimbs;
+
+ mpi_resize (ctx->b, ctx->p->nlimbs);
+ ctx->b->nlimbs = ctx->p->nlimbs;
+
+ for (i=0; i< DIM(ctx->t.scratch); i++)
+ ctx->t.scratch[i]->nlimbs = ctx->p->nlimbs;
+
break;
}
@@ -909,10 +905,21 @@ _gcry_mpi_ec_get_affine (gcry_mpi_t x, gcry_mpi_t y, mpi_point_t point,
z = mpi_new (0);
ec_invm (z, point->z, ctx);
+ mpi_resize (z, ctx->p->nlimbs);
+ z->nlimbs = ctx->p->nlimbs;
+
if (x)
- ec_mulm (x, point->x, z, ctx);
+ {
+ mpi_resize (x, ctx->p->nlimbs);
+ x->nlimbs = ctx->p->nlimbs;
+ ctx->mulm (x, point->x, z, ctx);
+ }
if (y)
- ec_mulm (y, point->y, z, ctx);
+ {
+ mpi_resize (y, ctx->p->nlimbs);
+ y->nlimbs = ctx->p->nlimbs;
+ ctx->mulm (y, point->y, z, ctx);
+ }
_gcry_mpi_release (z);
}
@@ -1041,41 +1048,41 @@ dup_point_edwards (mpi_point_t result, mpi_point_t point, mpi_ec_t ctx)
/* Compute: (X_3 : Y_3 : Z_3) = 2( X_1 : Y_1 : Z_1 ) */
/* B = (X_1 + Y_1)^2 */
- ec_addm (B, X1, Y1, ctx);
- ec_pow2 (B, B, ctx);
+ ctx->addm (B, X1, Y1, ctx);
+ ctx->pow2 (B, B, ctx);
/* C = X_1^2 */
/* D = Y_1^2 */
- ec_pow2 (C, X1, ctx);
- ec_pow2 (D, Y1, ctx);
+ ctx->pow2 (C, X1, ctx);
+ ctx->pow2 (D, Y1, ctx);
/* E = aC */
if (ctx->dialect == ECC_DIALECT_ED25519)
- mpi_sub (E, ctx->p, C);
+ ctx->subm (E, ctx->p, C, ctx);
else
- ec_mulm (E, ctx->a, C, ctx);
+ ctx->mulm (E, ctx->a, C, ctx);
/* F = E + D */
- ec_addm (F, E, D, ctx);
+ ctx->addm (F, E, D, ctx);
/* H = Z_1^2 */
- ec_pow2 (H, Z1, ctx);
+ ctx->pow2 (H, Z1, ctx);
/* J = F - 2H */
- ec_mul2 (J, H, ctx);
- ec_subm (J, F, J, ctx);
+ ctx->mul2 (J, H, ctx);
+ ctx->subm (J, F, J, ctx);
/* X_3 = (B - C - D) · J */
- ec_subm (X3, B, C, ctx);
- ec_subm (X3, X3, D, ctx);
- ec_mulm (X3, X3, J, ctx);
+ ctx->subm (X3, B, C, ctx);
+ ctx->subm (X3, X3, D, ctx);
+ ctx->mulm (X3, X3, J, ctx);
/* Y_3 = F · (E - D) */
- ec_subm (Y3, E, D, ctx);
- ec_mulm (Y3, Y3, F, ctx);
+ ctx->subm (Y3, E, D, ctx);
+ ctx->mulm (Y3, Y3, F, ctx);
/* Z_3 = F · J */
- ec_mulm (Z3, F, J, ctx);
+ ctx->mulm (Z3, F, J, ctx);
#undef X1
#undef Y1
@@ -1293,54 +1300,56 @@ add_points_edwards (mpi_point_t result,
#define G (ctx->t.scratch[6])
#define tmp (ctx->t.scratch[7])
+ point_resize (result, ctx);
+
/* Compute: (X_3 : Y_3 : Z_3) = (X_1 : Y_1 : Z_1) + (X_2 : Y_2 : Z_3) */
/* A = Z1 · Z2 */
- ec_mulm (A, Z1, Z2, ctx);
+ ctx->mulm (A, Z1, Z2, ctx);
/* B = A^2 */
- ec_pow2 (B, A, ctx);
+ ctx->pow2 (B, A, ctx);
/* C = X1 · X2 */
- ec_mulm (C, X1, X2, ctx);
+ ctx->mulm (C, X1, X2, ctx);
/* D = Y1 · Y2 */
- ec_mulm (D, Y1, Y2, ctx);
+ ctx->mulm (D, Y1, Y2, ctx);
/* E = d · C · D */
- ec_mulm (E, ctx->b, C, ctx);
- ec_mulm (E, E, D, ctx);
+ ctx->mulm (E, ctx->b, C, ctx);
+ ctx->mulm (E, E, D, ctx);
/* F = B - E */
- ec_subm (F, B, E, ctx);
+ ctx->subm (F, B, E, ctx);
/* G = B + E */
- ec_addm (G, B, E, ctx);
+ ctx->addm (G, B, E, ctx);
/* X_3 = A · F · ((X_1 + Y_1) · (X_2 + Y_2) - C - D) */
- ec_addm (tmp, X1, Y1, ctx);
- ec_addm (X3, X2, Y2, ctx);
- ec_mulm (X3, X3, tmp, ctx);
- ec_subm (X3, X3, C, ctx);
- ec_subm (X3, X3, D, ctx);
- ec_mulm (X3, X3, F, ctx);
- ec_mulm (X3, X3, A, ctx);
+ ctx->addm (tmp, X1, Y1, ctx);
+ ctx->addm (X3, X2, Y2, ctx);
+ ctx->mulm (X3, X3, tmp, ctx);
+ ctx->subm (X3, X3, C, ctx);
+ ctx->subm (X3, X3, D, ctx);
+ ctx->mulm (X3, X3, F, ctx);
+ ctx->mulm (X3, X3, A, ctx);
/* Y_3 = A · G · (D - aC) */
if (ctx->dialect == ECC_DIALECT_ED25519)
{
- ec_addm (Y3, D, C, ctx);
+ ctx->addm (Y3, D, C, ctx);
}
else
{
- ec_mulm (Y3, ctx->a, C, ctx);
- ec_subm (Y3, D, Y3, ctx);
+ ctx->mulm (Y3, ctx->a, C, ctx);
+ ctx->subm (Y3, D, Y3, ctx);
}
- ec_mulm (Y3, Y3, G, ctx);
- ec_mulm (Y3, Y3, A, ctx);
+ ctx->mulm (Y3, Y3, G, ctx);
+ ctx->mulm (Y3, Y3, A, ctx);
/* Z_3 = F · G */
- ec_mulm (Z3, F, G, ctx);
+ ctx->mulm (Z3, F, G, ctx);
#undef X1
@@ -1451,7 +1460,7 @@ sub_points_edwards (mpi_point_t result,
{
mpi_point_t p2i = _gcry_mpi_point_new (0);
point_set (p2i, p2);
- mpi_sub (p2i->x, ctx->p, p2i->x);
+ ctx->subm (p2i->x, ctx->p, p2i->x, ctx);
add_points_edwards (result, p1, p2i, ctx);
_gcry_mpi_point_release (p2i);
}
@@ -1515,6 +1524,7 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
mpi_set_ui (result->x, 0);
mpi_set_ui (result->y, 1);
mpi_set_ui (result->z, 1);
+ point_resize (point, ctx);
}
if (mpi_is_secure (scalar))
@@ -1536,6 +1546,12 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
}
else
{
+ if (ctx->model == MPI_EC_EDWARDS)
+ {
+ point_resize (result, ctx);
+ point_resize (point, ctx);
+ }
+
for (j=nbits-1; j >= 0; j--)
{
_gcry_mpi_ec_dup_point (result, result, ctx);
@@ -1778,19 +1794,21 @@ _gcry_mpi_ec_curve_point (gcry_mpi_point_t point, mpi_ec_t ctx)
if (_gcry_mpi_ec_get_affine (x, y, point, ctx))
goto leave;
+ mpi_resize (w, ctx->p->nlimbs);
+ w->nlimbs = ctx->p->nlimbs;
+
/* a · x^2 + y^2 - 1 - b · x^2 · y^2 == 0 */
- ec_pow2 (x, x, ctx);
- ec_pow2 (y, y, ctx);
+ ctx->pow2 (x, x, ctx);
+ ctx->pow2 (y, y, ctx);
if (ctx->dialect == ECC_DIALECT_ED25519)
- mpi_sub (w, ctx->p, x);
+ ctx->subm (w, ctx->p, x, ctx);
else
- ec_mulm (w, ctx->a, x, ctx);
- ec_addm (w, w, y, ctx);
- ec_subm (w, w, mpi_const (MPI_C_ONE), ctx);
- ec_mulm (x, x, y, ctx);
- ec_mulm (x, x, ctx->b, ctx);
- ec_subm (w, w, x, ctx);
- if (!mpi_cmp_ui (w, 0))
+ ctx->mulm (w, ctx->a, x, ctx);
+ ctx->addm (w, w, y, ctx);
+ ctx->mulm (x, x, y, ctx);
+ ctx->mulm (x, x, ctx->b, ctx);
+ ctx->subm (w, w, x, ctx);
+ if (!mpi_cmp_ui (w, 1))
res = 1;
}
break;
commit 1ac3d3637dd80013b78e03b9b9f582091710d908
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Wed Aug 23 12:43:38 2017 +0900
ecc: Clean up curve specific method support.
* src/ec-context.h (struct mpi_ec_ctx_s): Remove MOD method.
* mpi/ec.c (ec_mod_25519): Remove.
(ec_p_init): Follow the removal of the MOD method.
Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
diff --git a/mpi/ec.c b/mpi/ec.c
index 06536be..a47e223 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -380,12 +380,6 @@ mpih_set_cond (mpi_ptr_t wp, mpi_ptr_t up, mpi_size_t usize, unsigned long set)
/* Routines for 2^255 - 19. */
-static void
-ec_mod_25519 (gcry_mpi_t w, mpi_ec_t ec)
-{
- _gcry_mpi_mod (w, w, ec->p);
-}
-
#define LIMB_SIZE_25519 ((256+BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB)
static void
@@ -502,7 +496,6 @@ struct field_table {
const char *p;
/* computation routines for the field. */
- void (* mod) (gcry_mpi_t w, mpi_ec_t ctx);
void (* addm) (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, mpi_ec_t ctx);
void (* subm) (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, mpi_ec_t ctx);
void (* mulm) (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, mpi_ec_t ctx);
@@ -513,14 +506,13 @@ struct field_table {
static const struct field_table field_table[] = {
{
"0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED",
- ec_mod_25519,
ec_addm_25519,
ec_subm_25519,
ec_mulm_25519,
ec_mul2_25519,
ec_pow2_25519
},
- { NULL, NULL, NULL, NULL, NULL, NULL, NULL },
+ { NULL, NULL, NULL, NULL, NULL, NULL },
};
/* Force recomputation of all helper variables. */
@@ -639,7 +631,6 @@ ec_p_init (mpi_ec_t ctx, enum gcry_mpi_ec_models model,
ctx->t.scratch[i] = mpi_alloc_like (ctx->p);
}
- ctx->mod = ec_mod;
ctx->addm = ec_addm;
ctx->subm = ec_subm;
ctx->mulm = ec_mulm;
@@ -657,7 +648,6 @@ ec_p_init (mpi_ec_t ctx, enum gcry_mpi_ec_models model,
if (!mpi_cmp (p, f_p))
{
- ctx->mod = field_table[i].mod;
ctx->addm = field_table[i].addm;
ctx->subm = field_table[i].subm;
ctx->mulm = field_table[i].mulm;
diff --git a/src/ec-context.h b/src/ec-context.h
index 18b26a5..e48ef6f 100644
--- a/src/ec-context.h
+++ b/src/ec-context.h
@@ -68,7 +68,6 @@ struct mpi_ec_ctx_s
} t;
/* Curve specific computation routines for the field. */
- void (* mod) (gcry_mpi_t w, mpi_ec_t ec);
void (* addm) (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, mpi_ec_t ctx);
void (* subm) (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, mpi_ec_t ec);
void (* mulm) (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, mpi_ec_t ctx);
commit e9be23c4ad9f42c9d3198c706f912b7e27f574bc
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Wed Aug 23 11:11:17 2017 +0900
ecc: Relax condition for 25519 computations.
* mpi/ec.c (ec_addm_25519, ec_subm_25519, ec_mulm_25519): Check number
of limbs, allocated more is OK.
Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
diff --git a/mpi/ec.c b/mpi/ec.c
index b0eed97..06536be 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -396,7 +396,7 @@ ec_addm_25519 (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, mpi_ec_t ctx)
mpi_limb_t n[LIMB_SIZE_25519];
mpi_limb_t borrow;
- if (w->alloced != wsize || u->alloced != wsize || v->alloced != wsize)
+ if (w->nlimbs != wsize || u->nlimbs != wsize || v->nlimbs != wsize)
log_bug ("addm_25519: different sizes\n");
memset (n, 0, sizeof n);
@@ -419,7 +419,7 @@ ec_subm_25519 (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, mpi_ec_t ctx)
mpi_limb_t n[LIMB_SIZE_25519];
mpi_limb_t borrow;
- if (w->alloced != wsize || u->alloced != wsize || v->alloced != wsize)
+ if (w->nlimbs != wsize || u->nlimbs != wsize || v->nlimbs != wsize)
log_bug ("subm_25519: different sizes\n");
memset (n, 0, sizeof n);
@@ -444,7 +444,7 @@ ec_mulm_25519 (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, mpi_ec_t ctx)
int msb;
(void)ctx;
- if (w->alloced != wsize || u->alloced != wsize || v->alloced != wsize)
+ if (w->nlimbs != wsize || u->nlimbs != wsize || v->nlimbs != wsize)
log_bug ("mulm_25519: different sizes\n");
up = u->d;
commit 449459a2770d3aecb1f36502bf1903e0cbd2873e
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Wed Aug 23 10:22:21 2017 +0900
ecc: Fix ec_mulm_25519.
* mpi/ec.c (ec_mulm_25519): Fix the cases of 0 to 18.
Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
diff --git a/mpi/ec.c b/mpi/ec.c
index d51be20..b0eed97 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -479,6 +479,11 @@ ec_mulm_25519 (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, mpi_ec_t ctx)
m[0] = (cy * 2 + msb) * 19;
_gcry_mpih_add_n (wp, wp, m, wsize);
wp[LIMB_SIZE_25519-1] &= ~(1UL << (255 % BITS_PER_MPI_LIMB));
+
+ m[0] = 0;
+ cy = _gcry_mpih_sub_n (wp, wp, ctx->p->d, wsize);
+ mpih_set_cond (m, ctx->p->d, wsize, (cy != 0UL));
+ _gcry_mpih_add_n (wp, wp, m, wsize);
}
static void
commit 9ed0fb37bd637d1a2e9498c24097cfeadec682ec
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Wed Aug 23 08:48:53 2017 +0900
ecc: field specific routines for 25519.
* mpi/ec.c (point_resize): Improve for X25519.
(mpih_set_cond): New.
(ec_mod_25519, ec_addm_25519, ec_subm_25519, ec_mulm_25519)
(ec_mul2_25519, ec_pow2_25519): New.
(ec_p_init): Fill by FIELD_TABLE.
Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
diff --git a/mpi/ec.c b/mpi/ec.c
index 74ee11d..d51be20 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -156,17 +156,29 @@ _gcry_mpi_point_copy (gcry_mpi_point_t point)
static void
point_resize (mpi_point_t p, mpi_ec_t ctx)
{
- /*
- * For now, we allocate enough limbs for our EC computation of ec_*.
- * Once we will improve ec_* to be constant size (and constant
- * time), NLIMBS can be ctx->p->nlimbs.
- */
- size_t nlimbs = 2*ctx->p->nlimbs+1;
-
- mpi_resize (p->x, nlimbs);
- if (ctx->model != MPI_EC_MONTGOMERY)
- mpi_resize (p->y, nlimbs);
- mpi_resize (p->z, nlimbs);
+ size_t nlimbs;
+
+ if (ctx->model == MPI_EC_MONTGOMERY)
+ {
+ nlimbs = ctx->p->nlimbs;
+
+ mpi_resize (p->x, nlimbs);
+ mpi_resize (p->z, nlimbs);
+ p->x->nlimbs = nlimbs;
+ p->z->nlimbs = nlimbs;
+ }
+ else
+ {
+ /*
+ * For now, we allocate enough limbs for our EC computation of ec_*.
+ * Once we will improve ec_* to be constant size (and constant
+ * time), NLIMBS can be ctx->p->nlimbs.
+ */
+ nlimbs = 2*ctx->p->nlimbs+1;
+ mpi_resize (p->x, nlimbs);
+ mpi_resize (p->y, nlimbs);
+ mpi_resize (p->z, nlimbs);
+ }
}
@@ -351,8 +363,161 @@ ec_invm (gcry_mpi_t x, gcry_mpi_t a, mpi_ec_t ctx)
log_mpidump (" p", ctx->p);
}
}
+
+static void
+mpih_set_cond (mpi_ptr_t wp, mpi_ptr_t up, mpi_size_t usize, unsigned long set)
+{
+ mpi_size_t i;
+ mpi_limb_t mask = ((mpi_limb_t)0) - set;
+ mpi_limb_t x;
+
+ for (i = 0; i < usize; i++)
+ {
+ x = mask & (wp[i] ^ up[i]);
+ wp[i] = wp[i] ^ x;
+ }
+}
+
+/* Routines for 2^255 - 19. */
+
+static void
+ec_mod_25519 (gcry_mpi_t w, mpi_ec_t ec)
+{
+ _gcry_mpi_mod (w, w, ec->p);
+}
+
+#define LIMB_SIZE_25519 ((256+BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB)
+
+static void
+ec_addm_25519 (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, mpi_ec_t ctx)
+{
+ mpi_ptr_t wp, up, vp;
+ mpi_size_t wsize = LIMB_SIZE_25519;
+ mpi_limb_t n[LIMB_SIZE_25519];
+ mpi_limb_t borrow;
+
+ if (w->alloced != wsize || u->alloced != wsize || v->alloced != wsize)
+ log_bug ("addm_25519: different sizes\n");
+
+ memset (n, 0, sizeof n);
+ up = u->d;
+ vp = v->d;
+ wp = w->d;
+
+ _gcry_mpih_add_n (wp, up, vp, wsize);
+ borrow = _gcry_mpih_sub_n (wp, wp, ctx->p->d, wsize);
+ mpih_set_cond (n, ctx->p->d, wsize, (borrow != 0UL));
+ _gcry_mpih_add_n (wp, wp, n, wsize);
+ wp[LIMB_SIZE_25519-1] &= ~(1UL << (255 % BITS_PER_MPI_LIMB));
+}
+
+static void
+ec_subm_25519 (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, mpi_ec_t ctx)
+{
+ mpi_ptr_t wp, up, vp;
+ mpi_size_t wsize = LIMB_SIZE_25519;
+ mpi_limb_t n[LIMB_SIZE_25519];
+ mpi_limb_t borrow;
+
+ if (w->alloced != wsize || u->alloced != wsize || v->alloced != wsize)
+ log_bug ("subm_25519: different sizes\n");
+
+ memset (n, 0, sizeof n);
+ up = u->d;
+ vp = v->d;
+ wp = w->d;
+
+ borrow = _gcry_mpih_sub_n (wp, up, vp, wsize);
+ mpih_set_cond (n, ctx->p->d, wsize, (borrow != 0UL));
+ _gcry_mpih_add_n (wp, wp, n, wsize);
+ wp[LIMB_SIZE_25519-1] &= ~(1UL << (255 % BITS_PER_MPI_LIMB));
+}
+static void
+ec_mulm_25519 (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, mpi_ec_t ctx)
+{
+ mpi_ptr_t wp, up, vp;
+ mpi_size_t wsize = LIMB_SIZE_25519;
+ mpi_limb_t n[LIMB_SIZE_25519*2];
+ mpi_limb_t m[LIMB_SIZE_25519+1];
+ mpi_limb_t cy;
+ int msb;
+
+ (void)ctx;
+ if (w->alloced != wsize || u->alloced != wsize || v->alloced != wsize)
+ log_bug ("mulm_25519: different sizes\n");
+
+ up = u->d;
+ vp = v->d;
+ wp = w->d;
+
+ _gcry_mpih_mul_n (n, up, vp, wsize);
+ memcpy (wp, n, wsize * BYTES_PER_MPI_LIMB);
+ wp[LIMB_SIZE_25519-1] &= ~(1UL << (255 % BITS_PER_MPI_LIMB));
+
+ memcpy (m, n+LIMB_SIZE_25519-1, (wsize+1) * BYTES_PER_MPI_LIMB);
+ _gcry_mpih_rshift (m, m, LIMB_SIZE_25519+1, (255 % BITS_PER_MPI_LIMB));
+
+ memcpy (n, m, wsize * BYTES_PER_MPI_LIMB);
+ cy = _gcry_mpih_lshift (m, m, LIMB_SIZE_25519, 4);
+ m[LIMB_SIZE_25519] = cy;
+ cy = _gcry_mpih_add_n (m, m, n, wsize);
+ m[LIMB_SIZE_25519] += cy;
+ cy = _gcry_mpih_add_n (m, m, n, wsize);
+ m[LIMB_SIZE_25519] += cy;
+ cy = _gcry_mpih_add_n (m, m, n, wsize);
+ m[LIMB_SIZE_25519] += cy;
+
+ cy = _gcry_mpih_add_n (wp, wp, m, wsize);
+ m[LIMB_SIZE_25519] += cy;
+
+ memset (m, 0, wsize * BYTES_PER_MPI_LIMB);
+ m[0] = m[LIMB_SIZE_25519] * 2 * 19;
+ cy = _gcry_mpih_add_n (wp, wp, m, wsize);
+
+ msb = (wp[LIMB_SIZE_25519-1] >> (255 % BITS_PER_MPI_LIMB));
+ m[0] = (cy * 2 + msb) * 19;
+ _gcry_mpih_add_n (wp, wp, m, wsize);
+ wp[LIMB_SIZE_25519-1] &= ~(1UL << (255 % BITS_PER_MPI_LIMB));
+}
+static void
+ec_mul2_25519 (gcry_mpi_t w, gcry_mpi_t u, mpi_ec_t ctx)
+{
+ ec_addm_25519 (w, u, u, ctx);
+}
+
+static void
+ec_pow2_25519 (gcry_mpi_t w, const gcry_mpi_t b, mpi_ec_t ctx)
+{
+ ec_mulm_25519 (w, b, b, ctx);
+}
+
+struct field_table {
+ const char *p;
+
+ /* computation routines for the field. */
+ void (* mod) (gcry_mpi_t w, mpi_ec_t ctx);
+ void (* addm) (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, mpi_ec_t ctx);
+ void (* subm) (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, mpi_ec_t ctx);
+ void (* mulm) (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, mpi_ec_t ctx);
+ void (* mul2) (gcry_mpi_t w, gcry_mpi_t u, mpi_ec_t ctx);
+ void (* pow2) (gcry_mpi_t w, const gcry_mpi_t b, mpi_ec_t ctx);
+};
+
+static const struct field_table field_table[] = {
+ {
+ "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED",
+ ec_mod_25519,
+ ec_addm_25519,
+ ec_subm_25519,
+ ec_mulm_25519,
+ ec_mul2_25519,
+ ec_pow2_25519
+ },
+ { NULL, NULL, NULL, NULL, NULL, NULL, NULL },
+};
+
/* Force recomputation of all helper variables. */
void
_gcry_mpi_ec_get_reset (mpi_ec_t ec)
@@ -473,8 +638,35 @@ ec_p_init (mpi_ec_t ctx, enum gcry_mpi_ec_models model,
ctx->addm = ec_addm;
ctx->subm = ec_subm;
ctx->mulm = ec_mulm;
- ctx->pow2 = ec_pow2;
ctx->mul2 = ec_mul2;
+ ctx->pow2 = ec_pow2;
+
+ for (i=0; field_table[i].p; i++)
+ {
+ gcry_mpi_t f_p;
+ gpg_err_code_t rc;
+
+ rc = _gcry_mpi_scan (&f_p, GCRYMPI_FMT_HEX, field_table[i].p, 0, NULL);
+ if (rc)
+ log_fatal ("scanning ECC parameter failed: %s\n", gpg_strerror (rc));
+
+ if (!mpi_cmp (p, f_p))
+ {
+ ctx->mod = field_table[i].mod;
+ ctx->addm = field_table[i].addm;
+ ctx->subm = field_table[i].subm;
+ ctx->mulm = field_table[i].mulm;
+ ctx->mul2 = field_table[i].mul2;
+ ctx->pow2 = field_table[i].pow2;
+ _gcry_mpi_release (f_p);
+
+ mpi_resize (ctx->a, ctx->p->nlimbs);
+ ctx->a->nlimbs = ctx->p->nlimbs;
+ break;
+ }
+
+ _gcry_mpi_release (f_p);
+ }
/* Prepare for fast reduction. */
/* FIXME: need a test for NIST values. However it does not gain us
@@ -1365,6 +1557,7 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
mpi_point_struct p1_, p2_;
mpi_point_t q1, q2, prd, sum;
unsigned long sw;
+ mpi_size_t rsize;
/* Compute scalar point multiplication with Montgomery Ladder.
Note that we don't use Y-coordinate in the points at all.
@@ -1385,6 +1578,9 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
point_resize (&p1_, ctx);
point_resize (&p2_, ctx);
+ mpi_resize (point->x, ctx->p->nlimbs);
+ point->x->nlimbs = ctx->p->nlimbs;
+
q1 = &p1;
q2 = &p2;
prd = &p1_;
@@ -1406,7 +1602,9 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
sw = (nbits & 1);
point_swap_cond (&p1, &p1_, sw, ctx);
- if (p1.z->nlimbs == 0)
+ rsize = p1.z->nlimbs;
+ MPN_NORMALIZE (p1.z->d, rsize);
+ if (rsize == 0)
{
mpi_set_ui (result->x, 1);
mpi_set_ui (result->z, 0);
commit d4cd381defe5b37dda19bbda0986bdd38065bd31
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Mon Aug 21 14:32:08 2017 +0900
ecc: Add field specific computation methods.
* src/ec-context.h (struct mpi_ec_ctx_s): Add methods.
* mpi/ec.c (ec_p_init): Initialize the default methods.
(montgomery_ladder): Use the methods.
Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
diff --git a/mpi/ec.c b/mpi/ec.c
index 4c16603..74ee11d 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -469,6 +469,13 @@ ec_p_init (mpi_ec_t ctx, enum gcry_mpi_ec_models model,
ctx->t.scratch[i] = mpi_alloc_like (ctx->p);
}
+ ctx->mod = ec_mod;
+ ctx->addm = ec_addm;
+ ctx->subm = ec_subm;
+ ctx->mulm = ec_mulm;
+ ctx->pow2 = ec_pow2;
+ ctx->mul2 = ec_mul2;
+
/* Prepare for fast reduction. */
/* FIXME: need a test for NIST values. However it does not gain us
any real advantage, for 384 bits it is actually slower than using
@@ -1177,24 +1184,24 @@ montgomery_ladder (mpi_point_t prd, mpi_point_t sum,
mpi_point_t p1, mpi_point_t p2, gcry_mpi_t dif_x,
mpi_ec_t ctx)
{
- ec_addm (sum->x, p2->x, p2->z, ctx);
- ec_subm (p2->z, p2->x, p2->z, ctx);
- ec_addm (prd->x, p1->x, p1->z, ctx);
- ec_subm (p1->z, p1->x, p1->z, ctx);
- ec_mulm (p2->x, p1->z, sum->x, ctx);
- ec_mulm (p2->z, prd->x, p2->z, ctx);
- ec_pow2 (p1->x, prd->x, ctx);
- ec_pow2 (p1->z, p1->z, ctx);
- ec_addm (sum->x, p2->x, p2->z, ctx);
- ec_subm (p2->z, p2->x, p2->z, ctx);
- ec_mulm (prd->x, p1->x, p1->z, ctx);
- ec_subm (p1->z, p1->x, p1->z, ctx);
- ec_pow2 (sum->x, sum->x, ctx);
- ec_pow2 (sum->z, p2->z, ctx);
- ec_mulm (prd->z, p1->z, ctx->a, ctx); /* CTX->A: (a-2)/4 */
- ec_mulm (sum->z, sum->z, dif_x, ctx);
- ec_addm (prd->z, p1->x, prd->z, ctx);
- ec_mulm (prd->z, prd->z, p1->z, ctx);
+ ctx->addm (sum->x, p2->x, p2->z, ctx);
+ ctx->subm (p2->z, p2->x, p2->z, ctx);
+ ctx->addm (prd->x, p1->x, p1->z, ctx);
+ ctx->subm (p1->z, p1->x, p1->z, ctx);
+ ctx->mulm (p2->x, p1->z, sum->x, ctx);
+ ctx->mulm (p2->z, prd->x, p2->z, ctx);
+ ctx->pow2 (p1->x, prd->x, ctx);
+ ctx->pow2 (p1->z, p1->z, ctx);
+ ctx->addm (sum->x, p2->x, p2->z, ctx);
+ ctx->subm (p2->z, p2->x, p2->z, ctx);
+ ctx->mulm (prd->x, p1->x, p1->z, ctx);
+ ctx->subm (p1->z, p1->x, p1->z, ctx);
+ ctx->pow2 (sum->x, sum->x, ctx);
+ ctx->pow2 (sum->z, p2->z, ctx);
+ ctx->mulm (prd->z, p1->z, ctx->a, ctx); /* CTX->A: (a-2)/4 */
+ ctx->mulm (sum->z, sum->z, dif_x, ctx);
+ ctx->addm (prd->z, p1->x, prd->z, ctx);
+ ctx->mulm (prd->z, prd->z, p1->z, ctx);
}
diff --git a/src/ec-context.h b/src/ec-context.h
index d74fb69..18b26a5 100644
--- a/src/ec-context.h
+++ b/src/ec-context.h
@@ -66,6 +66,14 @@ struct mpi_ec_ctx_s
/* gcry_mpi_t s[10]; */
/* gcry_mpi_t c; */
} t;
+
+ /* Curve specific computation routines for the field. */
+ void (* mod) (gcry_mpi_t w, mpi_ec_t ec);
+ void (* addm) (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, mpi_ec_t ctx);
+ void (* subm) (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, mpi_ec_t ec);
+ void (* mulm) (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, mpi_ec_t ctx);
+ void (* pow2) (gcry_mpi_t w, const gcry_mpi_t b, mpi_ec_t ctx);
+ void (* mul2) (gcry_mpi_t w, gcry_mpi_t u, mpi_ec_t ctx);
};
-----------------------------------------------------------------------
Summary of changes:
cipher/Makefile.am | 2 +-
cipher/ecc-curves.c | 17 ++-
mpi/ec.c | 369 +++++++++++++++++++++++++++++++++++++++++-----------
src/ec-context.h | 7 +
4 files changed, 315 insertions(+), 80 deletions(-)
hooks/post-receive
--
The GNU crypto library
http://git.gnupg.org
_______________________________________________
Gnupg-commits mailing list
Gnupg-commits at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-commits
More information about the Gcrypt-devel
mailing list