Remove some vestiges of the old decaf template approach (88ba7e71) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

crypto/ec/curve448/decaf.c

+43 −50

Original line number	Diff line number	Diff line
		@@ -19,13 +19,6 @@
		#include "ed448.h"
		#include "curve448_lcl.h"

		/* Template stuff */
		#define SCALAR_BITS DECAF_448_SCALAR_BITS
		#define SCALAR_SER_BYTES DECAF_448_SCALAR_BYTES
		#define SCALAR_LIMBS DECAF_448_SCALAR_LIMBS
		#define scalar_t curve448_scalar_t
		#define point_t curve448_point_t
		#define precomputed_s curve448_precomputed_s
		#define COFACTOR 4

		/* Comb config: number of combs, n, t, s. */
		@@ -37,7 +30,7 @@
		#define DECAF_WNAF_VAR_TABLE_BITS 3

		static const int EDWARDS_D = -39081;
		static const scalar_t precomputed_scalarmul_adjustment = {{{
		static const curve448_scalar_t precomputed_scalarmul_adjustment = {{{
		SC_LIMB(0xc873d6d54a7bb0cf), SC_LIMB(0xe933d8d723a70aad), SC_LIMB(0xbb124b65129c96fd), SC_LIMB(0x00000008335dc163)
		}}};

		@@ -63,11 +56,11 @@ typedef struct { gf a, b, c; } niels_s, niels_t[1];
		typedef struct { niels_t n; gf z; } VECTOR_ALIGNED pniels_s, pniels_t[1];

		/* Precomputed base */
		struct precomputed_s { niels_t table [COMBS_N<<(COMBS_T-1)]; };
		struct curve448_precomputed_s { niels_t table [COMBS_N<<(COMBS_T-1)]; };

		extern const gf curve448_precomputed_base_as_fe[];
		const precomputed_s *curve448_precomputed_base =
		(const precomputed_s *) &curve448_precomputed_base_as_fe;
		const curve448_precomputed_s *curve448_precomputed_base =
		(const curve448_precomputed_s *) &curve448_precomputed_base_as_fe;

		/** Inverse. */
		static void
		@@ -83,12 +76,12 @@ gf_invert(gf y, const gf x, int assert_nonzero) {
		}

		/** identity = (0,1) */
		const point_t curve448_point_identity = {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}};
		const curve448_point_t curve448_point_identity = {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}};

		static DECAF_NOINLINE void
		point_double_internal (
		point_t p,
		const point_t q,
		curve448_point_t p,
		const curve448_point_t q,
		int before_double
		) {
		gf a, b, c, d;
		@@ -109,7 +102,7 @@ point_double_internal (
		if (!before_double) gf_mul ( p->t, b, d );
		}

		void curve448_point_double(point_t p, const point_t q) {
		void curve448_point_double(curve448_point_t p, const curve448_point_t q) {
		point_double_internal(p,q,0);
		}

		@@ -125,7 +118,7 @@ cond_neg_niels (

		static DECAF_NOINLINE void pt_to_pniels (
		pniels_t b,
		const point_t a
		const curve448_point_t a
		) {
		gf_sub ( b->n->a, a->y, a->x );
		gf_add ( b->n->b, a->x, a->y );
		@@ -134,7 +127,7 @@ static DECAF_NOINLINE void pt_to_pniels (
		}

		static DECAF_NOINLINE void pniels_to_pt (
		point_t e,
		curve448_point_t e,
		const pniels_t d
		) {
		gf eu;
		@@ -148,7 +141,7 @@ static DECAF_NOINLINE void pniels_to_pt (

		static DECAF_NOINLINE void
		niels_to_pt (
		point_t e,
		curve448_point_t e,
		const niels_t n
		) {
		gf_add ( e->y, n->b, n->a );
		@@ -159,7 +152,7 @@ niels_to_pt (

		static DECAF_NOINLINE void
		add_niels_to_pt (
		point_t d,
		curve448_point_t d,
		const niels_t e,
		int before_double
		) {
		@@ -181,7 +174,7 @@ add_niels_to_pt (

		static DECAF_NOINLINE void
		sub_niels_from_pt (
		point_t d,
		curve448_point_t d,
		const niels_t e,
		int before_double
		) {
		@@ -203,7 +196,7 @@ sub_niels_from_pt (

		static void
		add_pniels_to_pt (
		point_t p,
		curve448_point_t p,
		const pniels_t pn,
		int before_double
		) {
		@@ -215,7 +208,7 @@ add_pniels_to_pt (

		static void
		sub_pniels_from_pt (
		point_t p,
		curve448_point_t p,
		const pniels_t pn,
		int before_double
		) {
		@@ -225,7 +218,7 @@ sub_pniels_from_pt (
		sub_niels_from_pt( p, pn->n, before_double );
		}

		decaf_bool_t curve448_point_eq ( const point_t p, const point_t q ) {
		decaf_bool_t curve448_point_eq ( const curve448_point_t p, const curve448_point_t q ) {
		/* equality mod 2-torsion compares x/y */
		gf a, b;
		gf_mul ( a, p->y, q->x );
		@@ -236,7 +229,7 @@ decaf_bool_t curve448_point_eq ( const point_t p, const point_t q ) {
		}

		decaf_bool_t curve448_point_valid (
		const point_t p
		const curve448_point_t p
		) {
		gf a,b,c;
		gf_mul(a,p->x,p->y);
		@@ -265,15 +258,15 @@ constant_time_lookup_niels (
		}

		void curve448_precomputed_scalarmul (
		point_t out,
		const precomputed_s *table,
		const scalar_t scalar
		curve448_point_t out,
		const curve448_precomputed_s *table,
		const curve448_scalar_t scalar
		) {
		int i;
		unsigned j,k;
		const unsigned int n = COMBS_N, t = COMBS_T, s = COMBS_S;

		scalar_t scalar1x;
		curve448_scalar_t scalar1x;
		curve448_scalar_add(scalar1x, scalar, precomputed_scalarmul_adjustment);
		curve448_scalar_halve(scalar1x,scalar1x);

		@@ -287,7 +280,7 @@ void curve448_precomputed_scalarmul (

		for (k=0; k<t; k++) {
		unsigned int bit = i + s(k + jt);
		if (bit < SCALAR_BITS) {
		if (bit < DECAF_448_SCALAR_BITS) {
		tab \|= (scalar1x->limb[bit/WBITS] >> (bit%WBITS) & 1) << k;
		}
		}
		@@ -313,12 +306,12 @@ void curve448_precomputed_scalarmul (

		void curve448_point_mul_by_ratio_and_encode_like_eddsa (
		uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES],
		const point_t p
		const curve448_point_t p
		) {

		/* The point is now on the twisted curve. Move it to untwisted. */
		gf x, y, z, t;
		point_t q;
		curve448_point_t q;
		curve448_point_copy(q,p);

		{
		@@ -359,7 +352,7 @@ void curve448_point_mul_by_ratio_and_encode_like_eddsa (


		decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio (
		point_t p,
		curve448_point_t p,
		const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]
		) {
		uint8_t enc2[DECAF_EDDSA_448_PUBLIC_BYTES];
		@@ -515,9 +508,9 @@ void decaf_ed448_convert_public_key_to_x448 (

		void curve448_point_mul_by_ratio_and_encode_like_x448 (
		uint8_t out[X_PUBLIC_BYTES],
		const point_t p
		const curve448_point_t p
		) {
		point_t q;
		curve448_point_t q;
		curve448_point_copy(q,p);
		gf_invert(q->t,q->x,0); /* 1/x */
		gf_mul(q->z,q->t,q->y); /* y/x */
		@@ -538,14 +531,14 @@ void decaf_x448_derive_public_key (
		scalar2[X_PRIVATE_BYTES-1] &= ~(-1u<<((X_PRIVATE_BITS+7)%8));
		scalar2[X_PRIVATE_BYTES-1] \|= 1<<((X_PRIVATE_BITS+7)%8);

		scalar_t the_scalar;
		curve448_scalar_t the_scalar;
		curve448_scalar_decode_long(the_scalar,scalar2,sizeof(scalar2));

		/* Compensate for the encoding ratio */
		for (unsigned i=1; i<DECAF_X448_ENCODE_RATIO; i<<=1) {
		curve448_scalar_halve(the_scalar,the_scalar);
		}
		point_t p;
		curve448_point_t p;
		curve448_precomputed_scalarmul(p,curve448_precomputed_base,the_scalar);
		curve448_point_mul_by_ratio_and_encode_like_x448(out,p);
		curve448_point_destroy(p);
		@@ -561,10 +554,10 @@ struct smvt_control {

		static int recode_wnaf (
		struct smvt_control control, / [nbits/(table_bits+1) + 3] */
		const scalar_t scalar,
		const curve448_scalar_t scalar,
		unsigned int table_bits
		) {
		unsigned int table_size = SCALAR_BITS/(table_bits+1) + 3;
		unsigned int table_size = DECAF_448_SCALAR_BITS/(table_bits+1) + 3;
		int position = table_size - 1; /* at the end */

		/* place the end marker */
		@@ -582,8 +575,8 @@ static int recode_wnaf (

		unsigned int w;
		const unsigned int B_OVER_16 = sizeof(scalar->limb[0]) / 2;
		for (w = 1; w<(SCALAR_BITS-1)/16+3; w++) {
		if (w < (SCALAR_BITS-1)/16+1) {
		for (w = 1; w<(DECAF_448_SCALAR_BITS-1)/16+3; w++) {
		if (w < (DECAF_448_SCALAR_BITS-1)/16+1) {
		/* Refill the 16 high bits of current */
		current += (uint32_t)((scalar->limb[w/B_OVER_16]>>(16*(w%B_OVER_16)))<<16);
		}
		@@ -614,10 +607,10 @@ static int recode_wnaf (
		static void
		prepare_wnaf_table(
		pniels_t *output,
		const point_t working,
		const curve448_point_t working,
		unsigned int tbits
		) {
		point_t tmp;
		curve448_point_t tmp;
		int i;
		pt_to_pniels(output[0], working);

		@@ -643,15 +636,15 @@ extern const gf curve448_precomputed_wnaf_as_fe[];
		static const niels_t curve448_wnaf_base = (const niels_t )curve448_precomputed_wnaf_as_fe;

		void curve448_base_double_scalarmul_non_secret (
		point_t combo,
		const scalar_t scalar1,
		const point_t base2,
		const scalar_t scalar2
		curve448_point_t combo,
		const curve448_scalar_t scalar1,
		const curve448_point_t base2,
		const curve448_scalar_t scalar2
		) {
		const int table_bits_var = DECAF_WNAF_VAR_TABLE_BITS,
		table_bits_pre = DECAF_WNAF_FIXED_TABLE_BITS;
		struct smvt_control control_var[SCALAR_BITS/(table_bits_var+1)+3];
		struct smvt_control control_pre[SCALAR_BITS/(table_bits_pre+1)+3];
		struct smvt_control control_var[DECAF_448_SCALAR_BITS/(table_bits_var+1)+3];
		struct smvt_control control_pre[DECAF_448_SCALAR_BITS/(table_bits_pre+1)+3];

		int ncb_pre = recode_wnaf(control_pre, scalar1, table_bits_pre);
		int ncb_var = recode_wnaf(control_var, scalar2, table_bits_var);
		@@ -714,9 +707,9 @@ void curve448_base_double_scalarmul_non_secret (
		}

		void curve448_point_destroy (
		point_t point
		curve448_point_t point
		) {
		OPENSSL_cleanse(point, sizeof(point_t));
		OPENSSL_cleanse(point, sizeof(curve448_point_t));
		}

		int X448(uint8_t out_shared_key[56], const uint8_t private_key[56],

crypto/ec/curve448/scalar.c

+46 −52

Original line number	Diff line number	Diff line
		@@ -17,14 +17,8 @@
		#include "constant_time.h"
		#include "point_448.h"

		/* Template stuff */
		#define SCALAR_BITS DECAF_448_SCALAR_BITS
		#define SCALAR_SER_BYTES DECAF_448_SCALAR_BYTES
		#define SCALAR_LIMBS DECAF_448_SCALAR_LIMBS
		#define scalar_t curve448_scalar_t

		static const decaf_word_t MONTGOMERY_FACTOR = (decaf_word_t)0x3bd440fae918bc5ull;
		static const scalar_t sc_p = {{{
		static const curve448_scalar_t sc_p = {{{
		SC_LIMB(0x2378c292ab5844f3), SC_LIMB(0x216cc2728dc58f55), SC_LIMB(0xc44edb49aed63690), SC_LIMB(0xffffffff7cca23e9), SC_LIMB(0xffffffffffffffff), SC_LIMB(0xffffffffffffffff), SC_LIMB(0x3fffffffffffffff)
		}}}, sc_r2 = {{{
		SC_LIMB(0xe3539257049b9b60), SC_LIMB(0x7af32c4bc1b195d9), SC_LIMB(0x0d66de2388ea1859), SC_LIMB(0xae17cf725ee4d838), SC_LIMB(0x1a9cc14ba3c47c44), SC_LIMB(0x2052bcb7e4d070af), SC_LIMB(0x3402a939f823b729)
		@@ -33,21 +27,21 @@ static const scalar_t sc_p = {{{

		#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */

		const scalar_t curve448_scalar_one = {{{1}}}, curve448_scalar_zero = {{{0}}};
		const curve448_scalar_t curve448_scalar_one = {{{1}}}, curve448_scalar_zero = {{{0}}};

		/** {extra,accum} - sub +? p
		* Must have extra <= 1
		*/
		static DECAF_NOINLINE void sc_subx(
		scalar_t out,
		const decaf_word_t accum[SCALAR_LIMBS],
		const scalar_t sub,
		const scalar_t p,
		curve448_scalar_t out,
		const decaf_word_t accum[DECAF_448_SCALAR_LIMBS],
		const curve448_scalar_t sub,
		const curve448_scalar_t p,
		decaf_word_t extra
		) {
		decaf_dsword_t chain = 0;
		unsigned int i;
		for (i=0; i<SCALAR_LIMBS; i++) {
		for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
		chain = (chain + accum[i]) - sub->limb[i];
		out->limb[i] = chain;
		chain >>= WBITS;
		@@ -55,7 +49,7 @@ static DECAF_NOINLINE void sc_subx(
		decaf_word_t borrow = chain+extra; /* = 0 or -1 */

		chain = 0;
		for (i=0; i<SCALAR_LIMBS; i++) {
		for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
		chain = (chain + out->limb[i]) + (p->limb[i] & borrow);
		out->limb[i] = chain;
		chain >>= WBITS;
		@@ -63,20 +57,20 @@ static DECAF_NOINLINE void sc_subx(
		}

		static DECAF_NOINLINE void sc_montmul (
		scalar_t out,
		const scalar_t a,
		const scalar_t b
		curve448_scalar_t out,
		const curve448_scalar_t a,
		const curve448_scalar_t b
		) {
		unsigned int i,j;
		decaf_word_t accum[SCALAR_LIMBS+1] = {0};
		decaf_word_t accum[DECAF_448_SCALAR_LIMBS+1] = {0};
		decaf_word_t hi_carry = 0;

		for (i=0; i<SCALAR_LIMBS; i++) {
		for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
		decaf_word_t mand = a->limb[i];
		const decaf_word_t *mier = b->limb;

		decaf_dword_t chain = 0;
		for (j=0; j<SCALAR_LIMBS; j++) {
		for (j=0; j<DECAF_448_SCALAR_LIMBS; j++) {
		chain += ((decaf_dword_t)mand)*mier[j] + accum[j];
		accum[j] = chain;
		chain >>= WBITS;
		@@ -86,7 +80,7 @@ static DECAF_NOINLINE void sc_montmul (
		mand = accum[0] * MONTGOMERY_FACTOR;
		chain = 0;
		mier = sc_p->limb;
		for (j=0; j<SCALAR_LIMBS; j++) {
		for (j=0; j<DECAF_448_SCALAR_LIMBS; j++) {
		chain += (decaf_dword_t)mand*mier[j] + accum[j];
		if (j) accum[j-1] = chain;
		chain >>= WBITS;
		@@ -101,30 +95,30 @@ static DECAF_NOINLINE void sc_montmul (
		}

		void curve448_scalar_mul (
		scalar_t out,
		const scalar_t a,
		const scalar_t b
		curve448_scalar_t out,
		const curve448_scalar_t a,
		const curve448_scalar_t b
		) {
		sc_montmul(out,a,b);
		sc_montmul(out,out,sc_r2);
		}

		void curve448_scalar_sub (
		scalar_t out,
		const scalar_t a,
		const scalar_t b
		curve448_scalar_t out,
		const curve448_scalar_t a,
		const curve448_scalar_t b
		) {
		sc_subx(out, a->limb, b, sc_p, 0);
		}

		void curve448_scalar_add (
		scalar_t out,
		const scalar_t a,
		const scalar_t b
		curve448_scalar_t out,
		const curve448_scalar_t a,
		const curve448_scalar_t b
		) {
		decaf_dword_t chain = 0;
		unsigned int i;
		for (i=0; i<SCALAR_LIMBS; i++) {
		for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
		chain = (chain + a->limb[i]) + b->limb[i];
		out->limb[i] = chain;
		chain >>= WBITS;
		@@ -133,12 +127,12 @@ void curve448_scalar_add (
		}

		static DECAF_INLINE void scalar_decode_short (
		scalar_t s,
		curve448_scalar_t s,
		const unsigned char *ser,
		unsigned int nbytes
		) {
		unsigned int i,j,k=0;
		for (i=0; i<SCALAR_LIMBS; i++) {
		for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
		decaf_word_t out = 0;
		for (j=0; j<sizeof(decaf_word_t) && k<nbytes; j++,k++) {
		out \|= ((decaf_word_t)ser[k])<<(8*j);
		@@ -148,13 +142,13 @@ static DECAF_INLINE void scalar_decode_short (
		}

		decaf_error_t curve448_scalar_decode(
		scalar_t s,
		const unsigned char ser[SCALAR_SER_BYTES]
		curve448_scalar_t s,
		const unsigned char ser[DECAF_448_SCALAR_BYTES]
		) {
		unsigned int i;
		scalar_decode_short(s, ser, SCALAR_SER_BYTES);
		scalar_decode_short(s, ser, DECAF_448_SCALAR_BYTES);
		decaf_dsword_t accum = 0;
		for (i=0; i<SCALAR_LIMBS; i++) {
		for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
		accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS;
		}
		/* Here accum == 0 or -1 */
		@@ -165,13 +159,13 @@ decaf_error_t curve448_scalar_decode(
		}

		void curve448_scalar_destroy (
		scalar_t scalar
		curve448_scalar_t scalar
		) {
		OPENSSL_cleanse(scalar, sizeof(scalar_t));
		OPENSSL_cleanse(scalar, sizeof(curve448_scalar_t));
		}

		void curve448_scalar_decode_long(
		scalar_t s,
		curve448_scalar_t s,
		const unsigned char *ser,
		size_t ser_len
		) {
		@@ -181,14 +175,14 @@ void curve448_scalar_decode_long(
		}

		size_t i;
		scalar_t t1, t2;
		curve448_scalar_t t1, t2;

		i = ser_len - (ser_len%SCALAR_SER_BYTES);
		if (i==ser_len) i -= SCALAR_SER_BYTES;
		i = ser_len - (ser_len%DECAF_448_SCALAR_BYTES);
		if (i==ser_len) i -= DECAF_448_SCALAR_BYTES;

		scalar_decode_short(t1, &ser[i], ser_len-i);

		if (ser_len == sizeof(scalar_t)) {
		if (ser_len == sizeof(curve448_scalar_t)) {
		assert(i==0);
		/* ham-handed reduce */
		curve448_scalar_mul(s,t1,curve448_scalar_one);
		@@ -197,7 +191,7 @@ void curve448_scalar_decode_long(
		}

		while (i) {
		i -= SCALAR_SER_BYTES;
		i -= DECAF_448_SCALAR_BYTES;
		sc_montmul(t1,t1,sc_r2);
		ignore_result( curve448_scalar_decode(t2, ser+i) );
		curve448_scalar_add(t1, t1, t2);
		@@ -209,11 +203,11 @@ void curve448_scalar_decode_long(
		}

		void curve448_scalar_encode(
		unsigned char ser[SCALAR_SER_BYTES],
		const scalar_t s
		unsigned char ser[DECAF_448_SCALAR_BYTES],
		const curve448_scalar_t s
		) {
		unsigned int i,j,k=0;
		for (i=0; i<SCALAR_LIMBS; i++) {
		for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
		for (j=0; j<sizeof(decaf_word_t); j++,k++) {
		ser[k] = s->limb[i] >> (8*j);
		}
		@@ -221,18 +215,18 @@ void curve448_scalar_encode(
		}

		void curve448_scalar_halve (
		scalar_t out,
		const scalar_t a
		curve448_scalar_t out,
		const curve448_scalar_t a
		) {
		decaf_word_t mask = -(a->limb[0] & 1);
		decaf_dword_t chain = 0;
		unsigned int i;
		for (i=0; i<SCALAR_LIMBS; i++) {
		for (i=0; i<DECAF_448_SCALAR_LIMBS; i++) {
		chain = (chain + a->limb[i]) + (sc_p->limb[i] & mask);
		out->limb[i] = chain;
		chain >>= DECAF_WORD_BITS;
		}
		for (i=0; i<SCALAR_LIMBS-1; i++) {
		for (i=0; i<DECAF_448_SCALAR_LIMBS-1; i++) {
		out->limb[i] = out->limb[i]>>1 \| out->limb[i+1]<<(WBITS-1);
		}
		out->limb[i] = out->limb[i]>>1 \| chain<<(WBITS-1);