p256-x86_64.c
Go to the documentation of this file.
1 /*
2  * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright (c) 2014, Intel Corporation. All Rights Reserved.
4  *
5  * Licensed under the OpenSSL license (the "License"). You may not use
6  * this file except in compliance with the License. You can obtain a copy
7  * in the file LICENSE in the source distribution or at
8  * https://www.openssl.org/source/license.html
9  *
10  * Originally written by Shay Gueron (1, 2), and Vlad Krasnov (1)
11  * (1) Intel Corporation, Israel Development Center, Haifa, Israel
12  * (2) University of Haifa, Israel
13  *
14  * Reference:
15  * S.Gueron and V.Krasnov, "Fast Prime Field Elliptic Curve Cryptography with
16  * 256 Bit Primes"
17  */
18 
19 #include <openssl/ec.h>
20 
21 #include <assert.h>
22 #include <stdint.h>
23 #include <string.h>
24 
25 #include <openssl/bn.h>
26 #include <openssl/cpu.h>
27 #include <openssl/crypto.h>
28 #include <openssl/err.h>
29 
30 #include "../bn/internal.h"
31 #include "../delocate.h"
32 #include "../../internal.h"
33 #include "internal.h"
34 #include "p256-x86_64.h"
35 
36 
37 #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \
38  !defined(OPENSSL_SMALL)
39 
40 typedef P256_POINT_AFFINE PRECOMP256_ROW[64];
41 
42 // One converted into the Montgomery domain
43 static const BN_ULONG ONE[P256_LIMBS] = {
44  TOBN(0x00000000, 0x00000001), TOBN(0xffffffff, 0x00000000),
45  TOBN(0xffffffff, 0xffffffff), TOBN(0x00000000, 0xfffffffe),
46 };
47 
48 // Precomputed tables for the default generator
49 #include "p256-x86_64-table.h"
50 
51 // Recode window to a signed digit, see |ec_GFp_nistp_recode_scalar_bits| in
52 // util.c for details
53 static crypto_word_t booth_recode_w5(crypto_word_t in) {
54  crypto_word_t s, d;
55 
56  s = ~((in >> 5) - 1);
57  d = (1 << 6) - in - 1;
58  d = (d & s) | (in & ~s);
59  d = (d >> 1) + (d & 1);
60 
61  return (d << 1) + (s & 1);
62 }
63 
64 static crypto_word_t booth_recode_w7(crypto_word_t in) {
65  crypto_word_t s, d;
66 
67  s = ~((in >> 7) - 1);
68  d = (1 << 8) - in - 1;
69  d = (d & s) | (in & ~s);
70  d = (d >> 1) + (d & 1);
71 
72  return (d << 1) + (s & 1);
73 }
74 
75 // copy_conditional copies |src| to |dst| if |move| is one and leaves it as-is
76 // if |move| is zero.
77 //
78 // WARNING: this breaks the usual convention of constant-time functions
79 // returning masks.
80 static void copy_conditional(BN_ULONG dst[P256_LIMBS],
81  const BN_ULONG src[P256_LIMBS], BN_ULONG move) {
82  BN_ULONG mask1 = ((BN_ULONG)0) - move;
83  BN_ULONG mask2 = ~mask1;
84 
85  dst[0] = (src[0] & mask1) ^ (dst[0] & mask2);
86  dst[1] = (src[1] & mask1) ^ (dst[1] & mask2);
87  dst[2] = (src[2] & mask1) ^ (dst[2] & mask2);
88  dst[3] = (src[3] & mask1) ^ (dst[3] & mask2);
89  if (P256_LIMBS == 8) {
90  dst[4] = (src[4] & mask1) ^ (dst[4] & mask2);
91  dst[5] = (src[5] & mask1) ^ (dst[5] & mask2);
92  dst[6] = (src[6] & mask1) ^ (dst[6] & mask2);
93  dst[7] = (src[7] & mask1) ^ (dst[7] & mask2);
94  }
95 }
96 
97 // is_not_zero returns one iff in != 0 and zero otherwise.
98 //
99 // WARNING: this breaks the usual convention of constant-time functions
100 // returning masks.
101 //
102 // (define-fun is_not_zero ((in (_ BitVec 64))) (_ BitVec 64)
103 // (bvlshr (bvor in (bvsub #x0000000000000000 in)) #x000000000000003f)
104 // )
105 //
106 // (declare-fun x () (_ BitVec 64))
107 //
108 // (assert (and (= x #x0000000000000000) (= (is_not_zero x) #x0000000000000001)))
109 // (check-sat)
110 //
111 // (assert (and (not (= x #x0000000000000000)) (= (is_not_zero x) #x0000000000000000)))
112 // (check-sat)
113 //
114 static BN_ULONG is_not_zero(BN_ULONG in) {
115  in |= (0 - in);
116  in >>= BN_BITS2 - 1;
117  return in;
118 }
119 
120 // ecp_nistz256_mod_inverse_sqr_mont sets |r| to (|in| * 2^-256)^-2 * 2^256 mod
121 // p. That is, |r| is the modular inverse square of |in| for input and output in
122 // the Montgomery domain.
123 static void ecp_nistz256_mod_inverse_sqr_mont(BN_ULONG r[P256_LIMBS],
124  const BN_ULONG in[P256_LIMBS]) {
125  // This implements the addition chain described in
126  // https://briansmith.org/ecc-inversion-addition-chains-01#p256_field_inversion
127  BN_ULONG x2[P256_LIMBS], x3[P256_LIMBS], x6[P256_LIMBS], x12[P256_LIMBS],
128  x15[P256_LIMBS], x30[P256_LIMBS], x32[P256_LIMBS];
129  ecp_nistz256_sqr_mont(x2, in); // 2^2 - 2^1
130  ecp_nistz256_mul_mont(x2, x2, in); // 2^2 - 2^0
131 
132  ecp_nistz256_sqr_mont(x3, x2); // 2^3 - 2^1
133  ecp_nistz256_mul_mont(x3, x3, in); // 2^3 - 2^0
134 
135  ecp_nistz256_sqr_mont(x6, x3);
136  for (int i = 1; i < 3; i++) {
137  ecp_nistz256_sqr_mont(x6, x6);
138  } // 2^6 - 2^3
139  ecp_nistz256_mul_mont(x6, x6, x3); // 2^6 - 2^0
140 
141  ecp_nistz256_sqr_mont(x12, x6);
142  for (int i = 1; i < 6; i++) {
143  ecp_nistz256_sqr_mont(x12, x12);
144  } // 2^12 - 2^6
145  ecp_nistz256_mul_mont(x12, x12, x6); // 2^12 - 2^0
146 
147  ecp_nistz256_sqr_mont(x15, x12);
148  for (int i = 1; i < 3; i++) {
149  ecp_nistz256_sqr_mont(x15, x15);
150  } // 2^15 - 2^3
151  ecp_nistz256_mul_mont(x15, x15, x3); // 2^15 - 2^0
152 
153  ecp_nistz256_sqr_mont(x30, x15);
154  for (int i = 1; i < 15; i++) {
155  ecp_nistz256_sqr_mont(x30, x30);
156  } // 2^30 - 2^15
157  ecp_nistz256_mul_mont(x30, x30, x15); // 2^30 - 2^0
158 
159  ecp_nistz256_sqr_mont(x32, x30);
160  ecp_nistz256_sqr_mont(x32, x32); // 2^32 - 2^2
161  ecp_nistz256_mul_mont(x32, x32, x2); // 2^32 - 2^0
162 
163  BN_ULONG ret[P256_LIMBS];
164  ecp_nistz256_sqr_mont(ret, x32);
165  for (int i = 1; i < 31 + 1; i++) {
166  ecp_nistz256_sqr_mont(ret, ret);
167  } // 2^64 - 2^32
168  ecp_nistz256_mul_mont(ret, ret, in); // 2^64 - 2^32 + 2^0
169 
170  for (int i = 0; i < 96 + 32; i++) {
171  ecp_nistz256_sqr_mont(ret, ret);
172  } // 2^192 - 2^160 + 2^128
173  ecp_nistz256_mul_mont(ret, ret, x32); // 2^192 - 2^160 + 2^128 + 2^32 - 2^0
174 
175  for (int i = 0; i < 32; i++) {
176  ecp_nistz256_sqr_mont(ret, ret);
177  } // 2^224 - 2^192 + 2^160 + 2^64 - 2^32
178  ecp_nistz256_mul_mont(ret, ret, x32); // 2^224 - 2^192 + 2^160 + 2^64 - 2^0
179 
180  for (int i = 0; i < 30; i++) {
181  ecp_nistz256_sqr_mont(ret, ret);
182  } // 2^254 - 2^222 + 2^190 + 2^94 - 2^30
183  ecp_nistz256_mul_mont(ret, ret, x30); // 2^254 - 2^222 + 2^190 + 2^94 - 2^0
184 
185  ecp_nistz256_sqr_mont(ret, ret);
186  ecp_nistz256_sqr_mont(r, ret); // 2^256 - 2^224 + 2^192 + 2^96 - 2^2
187 }
188 
189 // r = p * p_scalar
190 static void ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r,
191  const EC_RAW_POINT *p,
192  const EC_SCALAR *p_scalar) {
193  assert(p != NULL);
194  assert(p_scalar != NULL);
195  assert(group->field.width == P256_LIMBS);
196 
197  static const size_t kWindowSize = 5;
198  static const crypto_word_t kMask = (1 << (5 /* kWindowSize */ + 1)) - 1;
199 
200  // A |P256_POINT| is (3 * 32) = 96 bytes, and the 64-byte alignment should
201  // add no more than 63 bytes of overhead. Thus, |table| should require
202  // ~1599 ((96 * 16) + 63) bytes of stack space.
203  alignas(64) P256_POINT table[16];
204  uint8_t p_str[33];
205  OPENSSL_memcpy(p_str, p_scalar->bytes, 32);
206  p_str[32] = 0;
207 
208  // table[0] is implicitly (0,0,0) (the point at infinity), therefore it is
209  // not stored. All other values are actually stored with an offset of -1 in
210  // table.
211  P256_POINT *row = table;
212  assert(group->field.width == P256_LIMBS);
213  OPENSSL_memcpy(row[1 - 1].X, p->X.words, P256_LIMBS * sizeof(BN_ULONG));
214  OPENSSL_memcpy(row[1 - 1].Y, p->Y.words, P256_LIMBS * sizeof(BN_ULONG));
215  OPENSSL_memcpy(row[1 - 1].Z, p->Z.words, P256_LIMBS * sizeof(BN_ULONG));
216 
217  ecp_nistz256_point_double(&row[2 - 1], &row[1 - 1]);
218  ecp_nistz256_point_add(&row[3 - 1], &row[2 - 1], &row[1 - 1]);
219  ecp_nistz256_point_double(&row[4 - 1], &row[2 - 1]);
220  ecp_nistz256_point_double(&row[6 - 1], &row[3 - 1]);
221  ecp_nistz256_point_double(&row[8 - 1], &row[4 - 1]);
222  ecp_nistz256_point_double(&row[12 - 1], &row[6 - 1]);
223  ecp_nistz256_point_add(&row[5 - 1], &row[4 - 1], &row[1 - 1]);
224  ecp_nistz256_point_add(&row[7 - 1], &row[6 - 1], &row[1 - 1]);
225  ecp_nistz256_point_add(&row[9 - 1], &row[8 - 1], &row[1 - 1]);
226  ecp_nistz256_point_add(&row[13 - 1], &row[12 - 1], &row[1 - 1]);
227  ecp_nistz256_point_double(&row[14 - 1], &row[7 - 1]);
228  ecp_nistz256_point_double(&row[10 - 1], &row[5 - 1]);
229  ecp_nistz256_point_add(&row[15 - 1], &row[14 - 1], &row[1 - 1]);
230  ecp_nistz256_point_add(&row[11 - 1], &row[10 - 1], &row[1 - 1]);
231  ecp_nistz256_point_double(&row[16 - 1], &row[8 - 1]);
232 
233  BN_ULONG tmp[P256_LIMBS];
234  alignas(32) P256_POINT h;
235  size_t index = 255;
236  crypto_word_t wvalue = p_str[(index - 1) / 8];
237  wvalue = (wvalue >> ((index - 1) % 8)) & kMask;
238 
239  ecp_nistz256_select_w5(r, table, booth_recode_w5(wvalue) >> 1);
240 
241  while (index >= 5) {
242  if (index != 255) {
243  size_t off = (index - 1) / 8;
244 
245  wvalue = (crypto_word_t)p_str[off] | (crypto_word_t)p_str[off + 1] << 8;
246  wvalue = (wvalue >> ((index - 1) % 8)) & kMask;
247 
248  wvalue = booth_recode_w5(wvalue);
249 
250  ecp_nistz256_select_w5(&h, table, wvalue >> 1);
251 
252  ecp_nistz256_neg(tmp, h.Y);
253  copy_conditional(h.Y, tmp, (wvalue & 1));
254 
255  ecp_nistz256_point_add(r, r, &h);
256  }
257 
258  index -= kWindowSize;
259 
260  ecp_nistz256_point_double(r, r);
261  ecp_nistz256_point_double(r, r);
262  ecp_nistz256_point_double(r, r);
263  ecp_nistz256_point_double(r, r);
264  ecp_nistz256_point_double(r, r);
265  }
266 
267  // Final window
268  wvalue = p_str[0];
269  wvalue = (wvalue << 1) & kMask;
270 
271  wvalue = booth_recode_w5(wvalue);
272 
273  ecp_nistz256_select_w5(&h, table, wvalue >> 1);
274 
275  ecp_nistz256_neg(tmp, h.Y);
276  copy_conditional(h.Y, tmp, wvalue & 1);
277 
278  ecp_nistz256_point_add(r, r, &h);
279 }
280 
281 typedef union {
282  P256_POINT p;
283  P256_POINT_AFFINE a;
284 } p256_point_union_t;
285 
286 static crypto_word_t calc_first_wvalue(size_t *index, const uint8_t p_str[33]) {
287  static const size_t kWindowSize = 7;
288  static const crypto_word_t kMask = (1 << (7 /* kWindowSize */ + 1)) - 1;
289  *index = kWindowSize;
290 
291  crypto_word_t wvalue = (p_str[0] << 1) & kMask;
292  return booth_recode_w7(wvalue);
293 }
294 
295 static crypto_word_t calc_wvalue(size_t *index, const uint8_t p_str[33]) {
296  static const size_t kWindowSize = 7;
297  static const crypto_word_t kMask = (1 << (7 /* kWindowSize */ + 1)) - 1;
298 
299  const size_t off = (*index - 1) / 8;
300  crypto_word_t wvalue =
301  (crypto_word_t)p_str[off] | (crypto_word_t)p_str[off + 1] << 8;
302  wvalue = (wvalue >> ((*index - 1) % 8)) & kMask;
303  *index += kWindowSize;
304 
305  return booth_recode_w7(wvalue);
306 }
307 
308 static void ecp_nistz256_point_mul(const EC_GROUP *group, EC_RAW_POINT *r,
309  const EC_RAW_POINT *p,
310  const EC_SCALAR *scalar) {
311  alignas(32) P256_POINT out;
312  ecp_nistz256_windowed_mul(group, &out, p, scalar);
313 
314  assert(group->field.width == P256_LIMBS);
315  OPENSSL_memcpy(r->X.words, out.X, P256_LIMBS * sizeof(BN_ULONG));
316  OPENSSL_memcpy(r->Y.words, out.Y, P256_LIMBS * sizeof(BN_ULONG));
317  OPENSSL_memcpy(r->Z.words, out.Z, P256_LIMBS * sizeof(BN_ULONG));
318 }
319 
320 static void ecp_nistz256_point_mul_base(const EC_GROUP *group, EC_RAW_POINT *r,
321  const EC_SCALAR *scalar) {
322  alignas(32) p256_point_union_t t, p;
323 
324  uint8_t p_str[33];
325  OPENSSL_memcpy(p_str, scalar->bytes, 32);
326  p_str[32] = 0;
327 
328  // First window
329  size_t index = 0;
330  crypto_word_t wvalue = calc_first_wvalue(&index, p_str);
331 
332  ecp_nistz256_select_w7(&p.a, ecp_nistz256_precomputed[0], wvalue >> 1);
333  ecp_nistz256_neg(p.p.Z, p.p.Y);
334  copy_conditional(p.p.Y, p.p.Z, wvalue & 1);
335 
336  // Convert |p| from affine to Jacobian coordinates. We set Z to zero if |p|
337  // is infinity and |ONE| otherwise. |p| was computed from the table, so it
338  // is infinity iff |wvalue >> 1| is zero.
339  OPENSSL_memset(p.p.Z, 0, sizeof(p.p.Z));
340  copy_conditional(p.p.Z, ONE, is_not_zero(wvalue >> 1));
341 
342  for (int i = 1; i < 37; i++) {
343  wvalue = calc_wvalue(&index, p_str);
344 
345  ecp_nistz256_select_w7(&t.a, ecp_nistz256_precomputed[i], wvalue >> 1);
346 
347  ecp_nistz256_neg(t.p.Z, t.a.Y);
348  copy_conditional(t.a.Y, t.p.Z, wvalue & 1);
349 
350  // Note |ecp_nistz256_point_add_affine| does not work if |p.p| and |t.a|
351  // are the same non-infinity point.
352  ecp_nistz256_point_add_affine(&p.p, &p.p, &t.a);
353  }
354 
355  assert(group->field.width == P256_LIMBS);
356  OPENSSL_memcpy(r->X.words, p.p.X, P256_LIMBS * sizeof(BN_ULONG));
357  OPENSSL_memcpy(r->Y.words, p.p.Y, P256_LIMBS * sizeof(BN_ULONG));
358  OPENSSL_memcpy(r->Z.words, p.p.Z, P256_LIMBS * sizeof(BN_ULONG));
359 }
360 
361 static void ecp_nistz256_points_mul_public(const EC_GROUP *group,
362  EC_RAW_POINT *r,
363  const EC_SCALAR *g_scalar,
364  const EC_RAW_POINT *p_,
365  const EC_SCALAR *p_scalar) {
366  assert(p_ != NULL && p_scalar != NULL && g_scalar != NULL);
367 
368  alignas(32) p256_point_union_t t, p;
369  uint8_t p_str[33];
370  OPENSSL_memcpy(p_str, g_scalar->bytes, 32);
371  p_str[32] = 0;
372 
373  // First window
374  size_t index = 0;
375  size_t wvalue = calc_first_wvalue(&index, p_str);
376 
377  // Convert |p| from affine to Jacobian coordinates. We set Z to zero if |p|
378  // is infinity and |ONE| otherwise. |p| was computed from the table, so it
379  // is infinity iff |wvalue >> 1| is zero.
380  if ((wvalue >> 1) != 0) {
381  OPENSSL_memcpy(&p.a, &ecp_nistz256_precomputed[0][(wvalue >> 1) - 1],
382  sizeof(p.a));
383  OPENSSL_memcpy(&p.p.Z, ONE, sizeof(p.p.Z));
384  } else {
385  OPENSSL_memset(&p.a, 0, sizeof(p.a));
386  OPENSSL_memset(p.p.Z, 0, sizeof(p.p.Z));
387  }
388 
389  if ((wvalue & 1) == 1) {
390  ecp_nistz256_neg(p.p.Y, p.p.Y);
391  }
392 
393  for (int i = 1; i < 37; i++) {
394  wvalue = calc_wvalue(&index, p_str);
395 
396  if ((wvalue >> 1) == 0) {
397  continue;
398  }
399 
400  OPENSSL_memcpy(&t.a, &ecp_nistz256_precomputed[i][(wvalue >> 1) - 1],
401  sizeof(p.a));
402 
403  if ((wvalue & 1) == 1) {
404  ecp_nistz256_neg(t.a.Y, t.a.Y);
405  }
406 
407  // Note |ecp_nistz256_point_add_affine| does not work if |p.p| and |t.a|
408  // are the same non-infinity point, so it is important that we compute the
409  // |g_scalar| term before the |p_scalar| term.
410  ecp_nistz256_point_add_affine(&p.p, &p.p, &t.a);
411  }
412 
413  ecp_nistz256_windowed_mul(group, &t.p, p_, p_scalar);
414  ecp_nistz256_point_add(&p.p, &p.p, &t.p);
415 
416  assert(group->field.width == P256_LIMBS);
417  OPENSSL_memcpy(r->X.words, p.p.X, P256_LIMBS * sizeof(BN_ULONG));
418  OPENSSL_memcpy(r->Y.words, p.p.Y, P256_LIMBS * sizeof(BN_ULONG));
419  OPENSSL_memcpy(r->Z.words, p.p.Z, P256_LIMBS * sizeof(BN_ULONG));
420 }
421 
422 static int ecp_nistz256_get_affine(const EC_GROUP *group,
423  const EC_RAW_POINT *point, EC_FELEM *x,
424  EC_FELEM *y) {
425  if (ec_GFp_simple_is_at_infinity(group, point)) {
426  OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
427  return 0;
428  }
429 
430  BN_ULONG z_inv2[P256_LIMBS];
431  assert(group->field.width == P256_LIMBS);
432  ecp_nistz256_mod_inverse_sqr_mont(z_inv2, point->Z.words);
433 
434  if (x != NULL) {
435  ecp_nistz256_mul_mont(x->words, z_inv2, point->X.words);
436  }
437 
438  if (y != NULL) {
439  ecp_nistz256_sqr_mont(z_inv2, z_inv2); // z^-4
440  ecp_nistz256_mul_mont(y->words, point->Y.words, point->Z.words); // y * z
441  ecp_nistz256_mul_mont(y->words, y->words, z_inv2); // y * z^-3
442  }
443 
444  return 1;
445 }
446 
447 static void ecp_nistz256_add(const EC_GROUP *group, EC_RAW_POINT *r,
448  const EC_RAW_POINT *a_, const EC_RAW_POINT *b_) {
449  P256_POINT a, b;
450  OPENSSL_memcpy(a.X, a_->X.words, P256_LIMBS * sizeof(BN_ULONG));
451  OPENSSL_memcpy(a.Y, a_->Y.words, P256_LIMBS * sizeof(BN_ULONG));
452  OPENSSL_memcpy(a.Z, a_->Z.words, P256_LIMBS * sizeof(BN_ULONG));
453  OPENSSL_memcpy(b.X, b_->X.words, P256_LIMBS * sizeof(BN_ULONG));
454  OPENSSL_memcpy(b.Y, b_->Y.words, P256_LIMBS * sizeof(BN_ULONG));
455  OPENSSL_memcpy(b.Z, b_->Z.words, P256_LIMBS * sizeof(BN_ULONG));
456  ecp_nistz256_point_add(&a, &a, &b);
457  OPENSSL_memcpy(r->X.words, a.X, P256_LIMBS * sizeof(BN_ULONG));
458  OPENSSL_memcpy(r->Y.words, a.Y, P256_LIMBS * sizeof(BN_ULONG));
459  OPENSSL_memcpy(r->Z.words, a.Z, P256_LIMBS * sizeof(BN_ULONG));
460 }
461 
462 static void ecp_nistz256_dbl(const EC_GROUP *group, EC_RAW_POINT *r,
463  const EC_RAW_POINT *a_) {
464  P256_POINT a;
465  OPENSSL_memcpy(a.X, a_->X.words, P256_LIMBS * sizeof(BN_ULONG));
466  OPENSSL_memcpy(a.Y, a_->Y.words, P256_LIMBS * sizeof(BN_ULONG));
467  OPENSSL_memcpy(a.Z, a_->Z.words, P256_LIMBS * sizeof(BN_ULONG));
468  ecp_nistz256_point_double(&a, &a);
469  OPENSSL_memcpy(r->X.words, a.X, P256_LIMBS * sizeof(BN_ULONG));
470  OPENSSL_memcpy(r->Y.words, a.Y, P256_LIMBS * sizeof(BN_ULONG));
471  OPENSSL_memcpy(r->Z.words, a.Z, P256_LIMBS * sizeof(BN_ULONG));
472 }
473 
474 static void ecp_nistz256_inv0_mod_ord(const EC_GROUP *group, EC_SCALAR *out,
475  const EC_SCALAR *in) {
476  // table[i] stores a power of |in| corresponding to the matching enum value.
477  enum {
478  // The following indices specify the power in binary.
479  i_1 = 0,
480  i_10,
481  i_11,
482  i_101,
483  i_111,
484  i_1010,
485  i_1111,
486  i_10101,
487  i_101010,
488  i_101111,
489  // The following indices specify 2^N-1, or N ones in a row.
490  i_x6,
491  i_x8,
492  i_x16,
493  i_x32
494  };
495  BN_ULONG table[15][P256_LIMBS];
496 
497  // https://briansmith.org/ecc-inversion-addition-chains-01#p256_scalar_inversion
498  //
499  // Even though this code path spares 12 squarings, 4.5%, and 13
500  // multiplications, 25%, the overall sign operation is not that much faster,
501  // not more that 2%. Most of the performance of this function comes from the
502  // scalar operations.
503 
504  // Pre-calculate powers.
505  OPENSSL_memcpy(table[i_1], in->words, P256_LIMBS * sizeof(BN_ULONG));
506 
507  ecp_nistz256_ord_sqr_mont(table[i_10], table[i_1], 1);
508 
509  ecp_nistz256_ord_mul_mont(table[i_11], table[i_1], table[i_10]);
510 
511  ecp_nistz256_ord_mul_mont(table[i_101], table[i_11], table[i_10]);
512 
513  ecp_nistz256_ord_mul_mont(table[i_111], table[i_101], table[i_10]);
514 
515  ecp_nistz256_ord_sqr_mont(table[i_1010], table[i_101], 1);
516 
517  ecp_nistz256_ord_mul_mont(table[i_1111], table[i_1010], table[i_101]);
518 
519  ecp_nistz256_ord_sqr_mont(table[i_10101], table[i_1010], 1);
520  ecp_nistz256_ord_mul_mont(table[i_10101], table[i_10101], table[i_1]);
521 
522  ecp_nistz256_ord_sqr_mont(table[i_101010], table[i_10101], 1);
523 
524  ecp_nistz256_ord_mul_mont(table[i_101111], table[i_101010], table[i_101]);
525 
526  ecp_nistz256_ord_mul_mont(table[i_x6], table[i_101010], table[i_10101]);
527 
528  ecp_nistz256_ord_sqr_mont(table[i_x8], table[i_x6], 2);
529  ecp_nistz256_ord_mul_mont(table[i_x8], table[i_x8], table[i_11]);
530 
531  ecp_nistz256_ord_sqr_mont(table[i_x16], table[i_x8], 8);
532  ecp_nistz256_ord_mul_mont(table[i_x16], table[i_x16], table[i_x8]);
533 
534  ecp_nistz256_ord_sqr_mont(table[i_x32], table[i_x16], 16);
535  ecp_nistz256_ord_mul_mont(table[i_x32], table[i_x32], table[i_x16]);
536 
537  // Compute |in| raised to the order-2.
538  ecp_nistz256_ord_sqr_mont(out->words, table[i_x32], 64);
539  ecp_nistz256_ord_mul_mont(out->words, out->words, table[i_x32]);
540  static const struct {
541  uint8_t p, i;
542  } kChain[27] = {{32, i_x32}, {6, i_101111}, {5, i_111}, {4, i_11},
543  {5, i_1111}, {5, i_10101}, {4, i_101}, {3, i_101},
544  {3, i_101}, {5, i_111}, {9, i_101111}, {6, i_1111},
545  {2, i_1}, {5, i_1}, {6, i_1111}, {5, i_111},
546  {4, i_111}, {5, i_111}, {5, i_101}, {3, i_11},
547  {10, i_101111}, {2, i_11}, {5, i_11}, {5, i_11},
548  {3, i_1}, {7, i_10101}, {6, i_1111}};
549  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kChain); i++) {
550  ecp_nistz256_ord_sqr_mont(out->words, out->words, kChain[i].p);
551  ecp_nistz256_ord_mul_mont(out->words, out->words, table[kChain[i].i]);
552  }
553 }
554 
555 static int ecp_nistz256_scalar_to_montgomery_inv_vartime(const EC_GROUP *group,
556  EC_SCALAR *out,
557  const EC_SCALAR *in) {
558  if ((OPENSSL_ia32cap_get()[1] & (1 << 28)) == 0) {
559  // No AVX support; fallback to generic code.
560  return ec_simple_scalar_to_montgomery_inv_vartime(group, out, in);
561  }
562 
563  assert(group->order.width == P256_LIMBS);
564  if (!beeu_mod_inverse_vartime(out->words, in->words, group->order.d)) {
565  return 0;
566  }
567 
568  // The result should be returned in the Montgomery domain.
569  ec_scalar_to_montgomery(group, out, out);
570  return 1;
571 }
572 
573 static int ecp_nistz256_cmp_x_coordinate(const EC_GROUP *group,
574  const EC_RAW_POINT *p,
575  const EC_SCALAR *r) {
576  if (ec_GFp_simple_is_at_infinity(group, p)) {
577  return 0;
578  }
579 
580  assert(group->order.width == P256_LIMBS);
581  assert(group->field.width == P256_LIMBS);
582 
583  // We wish to compare X/Z^2 with r. This is equivalent to comparing X with
584  // r*Z^2. Note that X and Z are represented in Montgomery form, while r is
585  // not.
586  BN_ULONG r_Z2[P256_LIMBS], Z2_mont[P256_LIMBS], X[P256_LIMBS];
587  ecp_nistz256_mul_mont(Z2_mont, p->Z.words, p->Z.words);
588  ecp_nistz256_mul_mont(r_Z2, r->words, Z2_mont);
589  ecp_nistz256_from_mont(X, p->X.words);
590 
591  if (OPENSSL_memcmp(r_Z2, X, sizeof(r_Z2)) == 0) {
592  return 1;
593  }
594 
595  // During signing the x coefficient is reduced modulo the group order.
596  // Therefore there is a small possibility, less than 1/2^128, that group_order
597  // < p.x < P. in that case we need not only to compare against |r| but also to
598  // compare against r+group_order.
599  if (bn_less_than_words(r->words, group->field_minus_order.words,
600  P256_LIMBS)) {
601  // We can ignore the carry because: r + group_order < p < 2^256.
602  bn_add_words(r_Z2, r->words, group->order.d, P256_LIMBS);
603  ecp_nistz256_mul_mont(r_Z2, r_Z2, Z2_mont);
604  if (OPENSSL_memcmp(r_Z2, X, sizeof(r_Z2)) == 0) {
605  return 1;
606  }
607  }
608 
609  return 0;
610 }
611 
612 DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistz256_method) {
613  out->group_init = ec_GFp_mont_group_init;
614  out->group_finish = ec_GFp_mont_group_finish;
615  out->group_set_curve = ec_GFp_mont_group_set_curve;
616  out->point_get_affine_coordinates = ecp_nistz256_get_affine;
617  out->add = ecp_nistz256_add;
618  out->dbl = ecp_nistz256_dbl;
619  out->mul = ecp_nistz256_point_mul;
620  out->mul_base = ecp_nistz256_point_mul_base;
621  out->mul_public = ecp_nistz256_points_mul_public;
622  out->felem_mul = ec_GFp_mont_felem_mul;
623  out->felem_sqr = ec_GFp_mont_felem_sqr;
624  out->felem_to_bytes = ec_GFp_mont_felem_to_bytes;
625  out->felem_from_bytes = ec_GFp_mont_felem_from_bytes;
626  out->scalar_inv0_montgomery = ecp_nistz256_inv0_mod_ord;
627  out->scalar_to_montgomery_inv_vartime =
628  ecp_nistz256_scalar_to_montgomery_inv_vartime;
629  out->cmp_x_coordinate = ecp_nistz256_cmp_x_coordinate;
630 }
631 
632 #endif /* !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \
633  !defined(OPENSSL_SMALL) */
EC_SCALAR::bytes
uint8_t bytes[EC_MAX_BYTES]
Definition: third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h:105
bn.h
dst
static const char dst[]
Definition: test-fs-copyfile.c:37
gen_build_yaml.out
dictionary out
Definition: src/benchmark/gen_build_yaml.py:24
ec_method_st
Definition: third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h:463
OPENSSL_memcmp
static int OPENSSL_memcmp(const void *s1, const void *s2, size_t n)
Definition: third_party/boringssl-with-bazel/src/crypto/internal.h:811
X
#define X(c)
ec_GFp_simple_is_at_infinity
#define ec_GFp_simple_is_at_infinity
Definition: boringssl_prefix_symbols.h:3082
ec_GFp_mont_group_set_curve
#define ec_GFp_mont_group_set_curve
Definition: boringssl_prefix_symbols.h:3066
ecp_nistz256_point_double
#define ecp_nistz256_point_double
Definition: boringssl_prefix_symbols.h:3151
scalar
Definition: spake25519.c:317
y
const double y
Definition: bloaty/third_party/googletest/googlemock/test/gmock-matchers_test.cc:3611
OPENSSL_PUT_ERROR
#define OPENSSL_PUT_ERROR(library, reason)
Definition: err.h:423
p_
std::unique_ptr< unsigned char[]> p_
Definition: abseil-cpp/absl/container/internal/layout_test.cc:1627
string.h
OPENSSL_ARRAY_SIZE
#define OPENSSL_ARRAY_SIZE(array)
Definition: third_party/boringssl-with-bazel/src/crypto/internal.h:179
absl::FormatConversionChar::s
@ s
a
int a
Definition: abseil-cpp/absl/container/internal/hash_policy_traits_test.cc:88
xds_manager.p
p
Definition: xds_manager.py:60
uint8_t
unsigned char uint8_t
Definition: stdint-msvc2008.h:78
ec_GFp_mont_felem_from_bytes
#define ec_GFp_mont_felem_from_bytes
Definition: boringssl_prefix_symbols.h:3060
OPENSSL_memset
static void * OPENSSL_memset(void *dst, int c, size_t n)
Definition: third_party/boringssl-with-bazel/src/crypto/internal.h:835
EC_RAW_POINT
Definition: third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h:260
bn_add_words
#define bn_add_words
Definition: boringssl_prefix_symbols.h:2851
ec_GFp_mont_group_finish
#define ec_GFp_mont_group_finish
Definition: boringssl_prefix_symbols.h:3064
in
const char * in
Definition: third_party/abseil-cpp/absl/strings/internal/str_format/parser_test.cc:391
absl::move
constexpr absl::remove_reference_t< T > && move(T &&t) noexcept
Definition: abseil-cpp/absl/utility/utility.h:221
ec_scalar_to_montgomery
#define ec_scalar_to_montgomery
Definition: boringssl_prefix_symbols.h:3138
EC_GFp_nistz256_method
const EC_METHOD * EC_GFp_nistz256_method(void)
ec_GFp_mont_felem_mul
#define ec_GFp_mont_felem_mul
Definition: boringssl_prefix_symbols.h:3061
ecp_nistz256_neg
#define ecp_nistz256_neg
Definition: boringssl_prefix_symbols.h:3146
ecp_nistz256_point_add_affine
#define ecp_nistz256_point_add_affine
Definition: boringssl_prefix_symbols.h:3150
OPENSSL_memcpy
static void * OPENSSL_memcpy(void *dst, const void *src, size_t n)
Definition: third_party/boringssl-with-bazel/src/crypto/internal.h:819
err.h
crypto.h
ecp_nistz256_select_w5
#define ecp_nistz256_select_w5
Definition: boringssl_prefix_symbols.h:3152
ecp_nistz256_ord_sqr_mont
#define ecp_nistz256_ord_sqr_mont
Definition: boringssl_prefix_symbols.h:3148
ec_GFp_mont_felem_to_bytes
#define ec_GFp_mont_felem_to_bytes
Definition: boringssl_prefix_symbols.h:3063
x
int x
Definition: bloaty/third_party/googletest/googlemock/test/gmock-matchers_test.cc:3610
ecp_nistz256_sqr_mont
#define ecp_nistz256_sqr_mont
Definition: boringssl_prefix_symbols.h:3154
p256-x86_64-table.h
a_
arena< N > & a_
Definition: cxa_demangle.cpp:4778
ec_GFp_mont_felem_sqr
#define ec_GFp_mont_felem_sqr
Definition: boringssl_prefix_symbols.h:3062
b
uint64_t b
Definition: abseil-cpp/absl/container/internal/layout_test.cc:53
EC_FELEM
Definition: third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h:195
ecp_nistz256_precomputed
static const PRECOMP256_ROW ecp_nistz256_precomputed[37]
Definition: p256-x86_64-table.h:25
d
static const fe d
Definition: curve25519_tables.h:19
stdint.h
ecp_nistz256_point_add
#define ecp_nistz256_point_add
Definition: boringssl_prefix_symbols.h:3149
point
Definition: bloaty/third_party/zlib/examples/zran.c:67
ecp_nistz256_mul_mont
#define ecp_nistz256_mul_mont
Definition: boringssl_prefix_symbols.h:3145
upload.group
group
Definition: bloaty/third_party/googletest/googlemock/scripts/upload.py:397
bn_less_than_words
#define bn_less_than_words
Definition: boringssl_prefix_symbols.h:2865
p256-x86_64.h
absl::str_format_internal::LengthMod::t
@ t
index
int index
Definition: bloaty/third_party/protobuf/php/ext/google/protobuf/protobuf.h:1184
internal.h
ret
UniquePtr< SSL_SESSION > ret
Definition: ssl_x509.cc:1029
ec_group_st
Definition: third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h:573
fix_build_deps.r
r
Definition: fix_build_deps.py:491
ec_simple_scalar_to_montgomery_inv_vartime
#define ec_simple_scalar_to_montgomery_inv_vartime
Definition: boringssl_prefix_symbols.h:3142
ecp_nistz256_select_w7
#define ecp_nistz256_select_w7
Definition: boringssl_prefix_symbols.h:3153
beeu_mod_inverse_vartime
#define beeu_mod_inverse_vartime
Definition: boringssl_prefix_symbols.h:2844
ecp_nistz256_ord_mul_mont
#define ecp_nistz256_ord_mul_mont
Definition: boringssl_prefix_symbols.h:3147
ec_GFp_mont_group_init
#define ec_GFp_mont_group_init
Definition: boringssl_prefix_symbols.h:3065
scalar::bytes
uint8_t bytes[32]
Definition: spake25519.c:318
cpu.h
b_
const char * b_
Definition: bloaty/third_party/protobuf/src/google/protobuf/stubs/common_unittest.cc:194
table
uint8_t table[256]
Definition: hpack_parser.cc:456
EC_SCALAR
Definition: third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h:103
EC_R_POINT_AT_INFINITY
#define EC_R_POINT_AT_INFINITY
Definition: ec.h:426
autogen_x86imm.tmp
tmp
Definition: autogen_x86imm.py:12
DEFINE_METHOD_FUNCTION
#define DEFINE_METHOD_FUNCTION(type, name)
Definition: delocate.h:84
ec.h
absl::str_format_internal::LengthMod::h
@ h
i
uint64_t i
Definition: abseil-cpp/absl/container/btree_benchmark.cc:230

grpc
Author(s):
autogenerated on Fri May 16 2025 02:59:38