The Tor Browser / annotate

security/nss/lib/freebl/ecl/ec2_163.c@b8a032363ba2 (annotated)

security/nss/lib/freebl/ecl/ec2_163.c

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0 2 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 4
michael@0 5 #include "ec2.h"
michael@0 6 #include "mp_gf2m.h"
michael@0 7 #include "mp_gf2m-priv.h"
michael@0 8 #include "mpi.h"
michael@0 9 #include "mpi-priv.h"
michael@0 10 #include <stdlib.h>
michael@0 11
michael@0 12 /* Fast reduction for polynomials over a 163-bit curve. Assumes reduction
michael@0 13 * polynomial with terms {163, 7, 6, 3, 0}. */
michael@0 14 mp_err
michael@0 15 ec_GF2m_163_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
michael@0 16 {
michael@0 17 mp_err res = MP_OKAY;
michael@0 18 mp_digit *u, z;
michael@0 19
michael@0 20 if (a != r) {
michael@0 21 MP_CHECKOK(mp_copy(a, r));
michael@0 22 }
michael@0 23 #ifdef ECL_SIXTY_FOUR_BIT
michael@0 24 if (MP_USED(r) < 6) {
michael@0 25 MP_CHECKOK(s_mp_pad(r, 6));
michael@0 26 }
michael@0 27 u = MP_DIGITS(r);
michael@0 28 MP_USED(r) = 6;
michael@0 29
michael@0 30 /* u[5] only has 6 significant bits */
michael@0 31 z = u[5];
michael@0 32 u[2] ^= (z << 36) ^ (z << 35) ^ (z << 32) ^ (z << 29);
michael@0 33 z = u[4];
michael@0 34 u[2] ^= (z >> 28) ^ (z >> 29) ^ (z >> 32) ^ (z >> 35);
michael@0 35 u[1] ^= (z << 36) ^ (z << 35) ^ (z << 32) ^ (z << 29);
michael@0 36 z = u[3];
michael@0 37 u[1] ^= (z >> 28) ^ (z >> 29) ^ (z >> 32) ^ (z >> 35);
michael@0 38 u[0] ^= (z << 36) ^ (z << 35) ^ (z << 32) ^ (z << 29);
michael@0 39 z = u[2] >> 35; /* z only has 29 significant bits */
michael@0 40 u[0] ^= (z << 7) ^ (z << 6) ^ (z << 3) ^ z;
michael@0 41 /* clear bits above 163 */
michael@0 42 u[5] = u[4] = u[3] = 0;
michael@0 43 u[2] ^= z << 35;
michael@0 44 #else
michael@0 45 if (MP_USED(r) < 11) {
michael@0 46 MP_CHECKOK(s_mp_pad(r, 11));
michael@0 47 }
michael@0 48 u = MP_DIGITS(r);
michael@0 49 MP_USED(r) = 11;
michael@0 50
michael@0 51 /* u[11] only has 6 significant bits */
michael@0 52 z = u[10];
michael@0 53 u[5] ^= (z << 4) ^ (z << 3) ^ z ^ (z >> 3);
michael@0 54 u[4] ^= (z << 29);
michael@0 55 z = u[9];
michael@0 56 u[5] ^= (z >> 28) ^ (z >> 29);
michael@0 57 u[4] ^= (z << 4) ^ (z << 3) ^ z ^ (z >> 3);
michael@0 58 u[3] ^= (z << 29);
michael@0 59 z = u[8];
michael@0 60 u[4] ^= (z >> 28) ^ (z >> 29);
michael@0 61 u[3] ^= (z << 4) ^ (z << 3) ^ z ^ (z >> 3);
michael@0 62 u[2] ^= (z << 29);
michael@0 63 z = u[7];
michael@0 64 u[3] ^= (z >> 28) ^ (z >> 29);
michael@0 65 u[2] ^= (z << 4) ^ (z << 3) ^ z ^ (z >> 3);
michael@0 66 u[1] ^= (z << 29);
michael@0 67 z = u[6];
michael@0 68 u[2] ^= (z >> 28) ^ (z >> 29);
michael@0 69 u[1] ^= (z << 4) ^ (z << 3) ^ z ^ (z >> 3);
michael@0 70 u[0] ^= (z << 29);
michael@0 71 z = u[5] >> 3; /* z only has 29 significant bits */
michael@0 72 u[1] ^= (z >> 25) ^ (z >> 26);
michael@0 73 u[0] ^= (z << 7) ^ (z << 6) ^ (z << 3) ^ z;
michael@0 74 /* clear bits above 163 */
michael@0 75 u[11] = u[10] = u[9] = u[8] = u[7] = u[6] = 0;
michael@0 76 u[5] ^= z << 3;
michael@0 77 #endif
michael@0 78 s_mp_clamp(r);
michael@0 79
michael@0 80 CLEANUP:
michael@0 81 return res;
michael@0 82 }
michael@0 83
michael@0 84 /* Fast squaring for polynomials over a 163-bit curve. Assumes reduction
michael@0 85 * polynomial with terms {163, 7, 6, 3, 0}. */
michael@0 86 mp_err
michael@0 87 ec_GF2m_163_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
michael@0 88 {
michael@0 89 mp_err res = MP_OKAY;
michael@0 90 mp_digit *u, *v;
michael@0 91
michael@0 92 v = MP_DIGITS(a);
michael@0 93
michael@0 94 #ifdef ECL_SIXTY_FOUR_BIT
michael@0 95 if (MP_USED(a) < 3) {
michael@0 96 return mp_bsqrmod(a, meth->irr_arr, r);
michael@0 97 }
michael@0 98 if (MP_USED(r) < 6) {
michael@0 99 MP_CHECKOK(s_mp_pad(r, 6));
michael@0 100 }
michael@0 101 MP_USED(r) = 6;
michael@0 102 #else
michael@0 103 if (MP_USED(a) < 6) {
michael@0 104 return mp_bsqrmod(a, meth->irr_arr, r);
michael@0 105 }
michael@0 106 if (MP_USED(r) < 12) {
michael@0 107 MP_CHECKOK(s_mp_pad(r, 12));
michael@0 108 }
michael@0 109 MP_USED(r) = 12;
michael@0 110 #endif
michael@0 111 u = MP_DIGITS(r);
michael@0 112
michael@0 113 #ifdef ECL_THIRTY_TWO_BIT
michael@0 114 u[11] = gf2m_SQR1(v[5]);
michael@0 115 u[10] = gf2m_SQR0(v[5]);
michael@0 116 u[9] = gf2m_SQR1(v[4]);
michael@0 117 u[8] = gf2m_SQR0(v[4]);
michael@0 118 u[7] = gf2m_SQR1(v[3]);
michael@0 119 u[6] = gf2m_SQR0(v[3]);
michael@0 120 #endif
michael@0 121 u[5] = gf2m_SQR1(v[2]);
michael@0 122 u[4] = gf2m_SQR0(v[2]);
michael@0 123 u[3] = gf2m_SQR1(v[1]);
michael@0 124 u[2] = gf2m_SQR0(v[1]);
michael@0 125 u[1] = gf2m_SQR1(v[0]);
michael@0 126 u[0] = gf2m_SQR0(v[0]);
michael@0 127 return ec_GF2m_163_mod(r, r, meth);
michael@0 128
michael@0 129 CLEANUP:
michael@0 130 return res;
michael@0 131 }
michael@0 132
michael@0 133 /* Fast multiplication for polynomials over a 163-bit curve. Assumes
michael@0 134 * reduction polynomial with terms {163, 7, 6, 3, 0}. */
michael@0 135 mp_err
michael@0 136 ec_GF2m_163_mul(const mp_int *a, const mp_int *b, mp_int *r,
michael@0 137 const GFMethod *meth)
michael@0 138 {
michael@0 139 mp_err res = MP_OKAY;
michael@0 140 mp_digit a2 = 0, a1 = 0, a0, b2 = 0, b1 = 0, b0;
michael@0 141
michael@0 142 #ifdef ECL_THIRTY_TWO_BIT
michael@0 143 mp_digit a5 = 0, a4 = 0, a3 = 0, b5 = 0, b4 = 0, b3 = 0;
michael@0 144 mp_digit rm[6];
michael@0 145 #endif
michael@0 146
michael@0 147 if (a == b) {
michael@0 148 return ec_GF2m_163_sqr(a, r, meth);
michael@0 149 } else {
michael@0 150 switch (MP_USED(a)) {
michael@0 151 #ifdef ECL_THIRTY_TWO_BIT
michael@0 152 case 6:
michael@0 153 a5 = MP_DIGIT(a, 5);
michael@0 154 case 5:
michael@0 155 a4 = MP_DIGIT(a, 4);
michael@0 156 case 4:
michael@0 157 a3 = MP_DIGIT(a, 3);
michael@0 158 #endif
michael@0 159 case 3:
michael@0 160 a2 = MP_DIGIT(a, 2);
michael@0 161 case 2:
michael@0 162 a1 = MP_DIGIT(a, 1);
michael@0 163 default:
michael@0 164 a0 = MP_DIGIT(a, 0);
michael@0 165 }
michael@0 166 switch (MP_USED(b)) {
michael@0 167 #ifdef ECL_THIRTY_TWO_BIT
michael@0 168 case 6:
michael@0 169 b5 = MP_DIGIT(b, 5);
michael@0 170 case 5:
michael@0 171 b4 = MP_DIGIT(b, 4);
michael@0 172 case 4:
michael@0 173 b3 = MP_DIGIT(b, 3);
michael@0 174 #endif
michael@0 175 case 3:
michael@0 176 b2 = MP_DIGIT(b, 2);
michael@0 177 case 2:
michael@0 178 b1 = MP_DIGIT(b, 1);
michael@0 179 default:
michael@0 180 b0 = MP_DIGIT(b, 0);
michael@0 181 }
michael@0 182 #ifdef ECL_SIXTY_FOUR_BIT
michael@0 183 MP_CHECKOK(s_mp_pad(r, 6));
michael@0 184 s_bmul_3x3(MP_DIGITS(r), a2, a1, a0, b2, b1, b0);
michael@0 185 MP_USED(r) = 6;
michael@0 186 s_mp_clamp(r);
michael@0 187 #else
michael@0 188 MP_CHECKOK(s_mp_pad(r, 12));
michael@0 189 s_bmul_3x3(MP_DIGITS(r) + 6, a5, a4, a3, b5, b4, b3);
michael@0 190 s_bmul_3x3(MP_DIGITS(r), a2, a1, a0, b2, b1, b0);
michael@0 191 s_bmul_3x3(rm, a5 ^ a2, a4 ^ a1, a3 ^ a0, b5 ^ b2, b4 ^ b1,
michael@0 192 b3 ^ b0);
michael@0 193 rm[5] ^= MP_DIGIT(r, 5) ^ MP_DIGIT(r, 11);
michael@0 194 rm[4] ^= MP_DIGIT(r, 4) ^ MP_DIGIT(r, 10);
michael@0 195 rm[3] ^= MP_DIGIT(r, 3) ^ MP_DIGIT(r, 9);
michael@0 196 rm[2] ^= MP_DIGIT(r, 2) ^ MP_DIGIT(r, 8);
michael@0 197 rm[1] ^= MP_DIGIT(r, 1) ^ MP_DIGIT(r, 7);
michael@0 198 rm[0] ^= MP_DIGIT(r, 0) ^ MP_DIGIT(r, 6);
michael@0 199 MP_DIGIT(r, 8) ^= rm[5];
michael@0 200 MP_DIGIT(r, 7) ^= rm[4];
michael@0 201 MP_DIGIT(r, 6) ^= rm[3];
michael@0 202 MP_DIGIT(r, 5) ^= rm[2];
michael@0 203 MP_DIGIT(r, 4) ^= rm[1];
michael@0 204 MP_DIGIT(r, 3) ^= rm[0];
michael@0 205 MP_USED(r) = 12;
michael@0 206 s_mp_clamp(r);
michael@0 207 #endif
michael@0 208 return ec_GF2m_163_mod(r, r, meth);
michael@0 209 }
michael@0 210
michael@0 211 CLEANUP:
michael@0 212 return res;
michael@0 213 }
michael@0 214
michael@0 215 /* Wire in fast field arithmetic for 163-bit curves. */
michael@0 216 mp_err
michael@0 217 ec_group_set_gf2m163(ECGroup *group, ECCurveName name)
michael@0 218 {
michael@0 219 group->meth->field_mod = &ec_GF2m_163_mod;
michael@0 220 group->meth->field_mul = &ec_GF2m_163_mul;
michael@0 221 group->meth->field_sqr = &ec_GF2m_163_sqr;
michael@0 222 return MP_OKAY;
michael@0 223 }

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial