The Tor Browser / annotate

security/nss/lib/freebl/ecl/ec2_233.c@b8a032363ba2 (annotated)

security/nss/lib/freebl/ecl/ec2_233.c

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0 2 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 4
michael@0 5 #include "ec2.h"
michael@0 6 #include "mp_gf2m.h"
michael@0 7 #include "mp_gf2m-priv.h"
michael@0 8 #include "mpi.h"
michael@0 9 #include "mpi-priv.h"
michael@0 10 #include <stdlib.h>
michael@0 11
michael@0 12 /* Fast reduction for polynomials over a 233-bit curve. Assumes reduction
michael@0 13 * polynomial with terms {233, 74, 0}. */
michael@0 14 mp_err
michael@0 15 ec_GF2m_233_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
michael@0 16 {
michael@0 17 mp_err res = MP_OKAY;
michael@0 18 mp_digit *u, z;
michael@0 19
michael@0 20 if (a != r) {
michael@0 21 MP_CHECKOK(mp_copy(a, r));
michael@0 22 }
michael@0 23 #ifdef ECL_SIXTY_FOUR_BIT
michael@0 24 if (MP_USED(r) < 8) {
michael@0 25 MP_CHECKOK(s_mp_pad(r, 8));
michael@0 26 }
michael@0 27 u = MP_DIGITS(r);
michael@0 28 MP_USED(r) = 8;
michael@0 29
michael@0 30 /* u[7] only has 18 significant bits */
michael@0 31 z = u[7];
michael@0 32 u[4] ^= (z << 33) ^ (z >> 41);
michael@0 33 u[3] ^= (z << 23);
michael@0 34 z = u[6];
michael@0 35 u[4] ^= (z >> 31);
michael@0 36 u[3] ^= (z << 33) ^ (z >> 41);
michael@0 37 u[2] ^= (z << 23);
michael@0 38 z = u[5];
michael@0 39 u[3] ^= (z >> 31);
michael@0 40 u[2] ^= (z << 33) ^ (z >> 41);
michael@0 41 u[1] ^= (z << 23);
michael@0 42 z = u[4];
michael@0 43 u[2] ^= (z >> 31);
michael@0 44 u[1] ^= (z << 33) ^ (z >> 41);
michael@0 45 u[0] ^= (z << 23);
michael@0 46 z = u[3] >> 41; /* z only has 23 significant bits */
michael@0 47 u[1] ^= (z << 10);
michael@0 48 u[0] ^= z;
michael@0 49 /* clear bits above 233 */
michael@0 50 u[7] = u[6] = u[5] = u[4] = 0;
michael@0 51 u[3] ^= z << 41;
michael@0 52 #else
michael@0 53 if (MP_USED(r) < 15) {
michael@0 54 MP_CHECKOK(s_mp_pad(r, 15));
michael@0 55 }
michael@0 56 u = MP_DIGITS(r);
michael@0 57 MP_USED(r) = 15;
michael@0 58
michael@0 59 /* u[14] only has 18 significant bits */
michael@0 60 z = u[14];
michael@0 61 u[9] ^= (z << 1);
michael@0 62 u[7] ^= (z >> 9);
michael@0 63 u[6] ^= (z << 23);
michael@0 64 z = u[13];
michael@0 65 u[9] ^= (z >> 31);
michael@0 66 u[8] ^= (z << 1);
michael@0 67 u[6] ^= (z >> 9);
michael@0 68 u[5] ^= (z << 23);
michael@0 69 z = u[12];
michael@0 70 u[8] ^= (z >> 31);
michael@0 71 u[7] ^= (z << 1);
michael@0 72 u[5] ^= (z >> 9);
michael@0 73 u[4] ^= (z << 23);
michael@0 74 z = u[11];
michael@0 75 u[7] ^= (z >> 31);
michael@0 76 u[6] ^= (z << 1);
michael@0 77 u[4] ^= (z >> 9);
michael@0 78 u[3] ^= (z << 23);
michael@0 79 z = u[10];
michael@0 80 u[6] ^= (z >> 31);
michael@0 81 u[5] ^= (z << 1);
michael@0 82 u[3] ^= (z >> 9);
michael@0 83 u[2] ^= (z << 23);
michael@0 84 z = u[9];
michael@0 85 u[5] ^= (z >> 31);
michael@0 86 u[4] ^= (z << 1);
michael@0 87 u[2] ^= (z >> 9);
michael@0 88 u[1] ^= (z << 23);
michael@0 89 z = u[8];
michael@0 90 u[4] ^= (z >> 31);
michael@0 91 u[3] ^= (z << 1);
michael@0 92 u[1] ^= (z >> 9);
michael@0 93 u[0] ^= (z << 23);
michael@0 94 z = u[7] >> 9; /* z only has 23 significant bits */
michael@0 95 u[3] ^= (z >> 22);
michael@0 96 u[2] ^= (z << 10);
michael@0 97 u[0] ^= z;
michael@0 98 /* clear bits above 233 */
michael@0 99 u[14] = u[13] = u[12] = u[11] = u[10] = u[9] = u[8] = 0;
michael@0 100 u[7] ^= z << 9;
michael@0 101 #endif
michael@0 102 s_mp_clamp(r);
michael@0 103
michael@0 104 CLEANUP:
michael@0 105 return res;
michael@0 106 }
michael@0 107
michael@0 108 /* Fast squaring for polynomials over a 233-bit curve. Assumes reduction
michael@0 109 * polynomial with terms {233, 74, 0}. */
michael@0 110 mp_err
michael@0 111 ec_GF2m_233_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
michael@0 112 {
michael@0 113 mp_err res = MP_OKAY;
michael@0 114 mp_digit *u, *v;
michael@0 115
michael@0 116 v = MP_DIGITS(a);
michael@0 117
michael@0 118 #ifdef ECL_SIXTY_FOUR_BIT
michael@0 119 if (MP_USED(a) < 4) {
michael@0 120 return mp_bsqrmod(a, meth->irr_arr, r);
michael@0 121 }
michael@0 122 if (MP_USED(r) < 8) {
michael@0 123 MP_CHECKOK(s_mp_pad(r, 8));
michael@0 124 }
michael@0 125 MP_USED(r) = 8;
michael@0 126 #else
michael@0 127 if (MP_USED(a) < 8) {
michael@0 128 return mp_bsqrmod(a, meth->irr_arr, r);
michael@0 129 }
michael@0 130 if (MP_USED(r) < 15) {
michael@0 131 MP_CHECKOK(s_mp_pad(r, 15));
michael@0 132 }
michael@0 133 MP_USED(r) = 15;
michael@0 134 #endif
michael@0 135 u = MP_DIGITS(r);
michael@0 136
michael@0 137 #ifdef ECL_THIRTY_TWO_BIT
michael@0 138 u[14] = gf2m_SQR0(v[7]);
michael@0 139 u[13] = gf2m_SQR1(v[6]);
michael@0 140 u[12] = gf2m_SQR0(v[6]);
michael@0 141 u[11] = gf2m_SQR1(v[5]);
michael@0 142 u[10] = gf2m_SQR0(v[5]);
michael@0 143 u[9] = gf2m_SQR1(v[4]);
michael@0 144 u[8] = gf2m_SQR0(v[4]);
michael@0 145 #endif
michael@0 146 u[7] = gf2m_SQR1(v[3]);
michael@0 147 u[6] = gf2m_SQR0(v[3]);
michael@0 148 u[5] = gf2m_SQR1(v[2]);
michael@0 149 u[4] = gf2m_SQR0(v[2]);
michael@0 150 u[3] = gf2m_SQR1(v[1]);
michael@0 151 u[2] = gf2m_SQR0(v[1]);
michael@0 152 u[1] = gf2m_SQR1(v[0]);
michael@0 153 u[0] = gf2m_SQR0(v[0]);
michael@0 154 return ec_GF2m_233_mod(r, r, meth);
michael@0 155
michael@0 156 CLEANUP:
michael@0 157 return res;
michael@0 158 }
michael@0 159
michael@0 160 /* Fast multiplication for polynomials over a 233-bit curve. Assumes
michael@0 161 * reduction polynomial with terms {233, 74, 0}. */
michael@0 162 mp_err
michael@0 163 ec_GF2m_233_mul(const mp_int *a, const mp_int *b, mp_int *r,
michael@0 164 const GFMethod *meth)
michael@0 165 {
michael@0 166 mp_err res = MP_OKAY;
michael@0 167 mp_digit a3 = 0, a2 = 0, a1 = 0, a0, b3 = 0, b2 = 0, b1 = 0, b0;
michael@0 168
michael@0 169 #ifdef ECL_THIRTY_TWO_BIT
michael@0 170 mp_digit a7 = 0, a6 = 0, a5 = 0, a4 = 0, b7 = 0, b6 = 0, b5 = 0, b4 =
michael@0 171 0;
michael@0 172 mp_digit rm[8];
michael@0 173 #endif
michael@0 174
michael@0 175 if (a == b) {
michael@0 176 return ec_GF2m_233_sqr(a, r, meth);
michael@0 177 } else {
michael@0 178 switch (MP_USED(a)) {
michael@0 179 #ifdef ECL_THIRTY_TWO_BIT
michael@0 180 case 8:
michael@0 181 a7 = MP_DIGIT(a, 7);
michael@0 182 case 7:
michael@0 183 a6 = MP_DIGIT(a, 6);
michael@0 184 case 6:
michael@0 185 a5 = MP_DIGIT(a, 5);
michael@0 186 case 5:
michael@0 187 a4 = MP_DIGIT(a, 4);
michael@0 188 #endif
michael@0 189 case 4:
michael@0 190 a3 = MP_DIGIT(a, 3);
michael@0 191 case 3:
michael@0 192 a2 = MP_DIGIT(a, 2);
michael@0 193 case 2:
michael@0 194 a1 = MP_DIGIT(a, 1);
michael@0 195 default:
michael@0 196 a0 = MP_DIGIT(a, 0);
michael@0 197 }
michael@0 198 switch (MP_USED(b)) {
michael@0 199 #ifdef ECL_THIRTY_TWO_BIT
michael@0 200 case 8:
michael@0 201 b7 = MP_DIGIT(b, 7);
michael@0 202 case 7:
michael@0 203 b6 = MP_DIGIT(b, 6);
michael@0 204 case 6:
michael@0 205 b5 = MP_DIGIT(b, 5);
michael@0 206 case 5:
michael@0 207 b4 = MP_DIGIT(b, 4);
michael@0 208 #endif
michael@0 209 case 4:
michael@0 210 b3 = MP_DIGIT(b, 3);
michael@0 211 case 3:
michael@0 212 b2 = MP_DIGIT(b, 2);
michael@0 213 case 2:
michael@0 214 b1 = MP_DIGIT(b, 1);
michael@0 215 default:
michael@0 216 b0 = MP_DIGIT(b, 0);
michael@0 217 }
michael@0 218 #ifdef ECL_SIXTY_FOUR_BIT
michael@0 219 MP_CHECKOK(s_mp_pad(r, 8));
michael@0 220 s_bmul_4x4(MP_DIGITS(r), a3, a2, a1, a0, b3, b2, b1, b0);
michael@0 221 MP_USED(r) = 8;
michael@0 222 s_mp_clamp(r);
michael@0 223 #else
michael@0 224 MP_CHECKOK(s_mp_pad(r, 16));
michael@0 225 s_bmul_4x4(MP_DIGITS(r) + 8, a7, a6, a5, a4, b7, b6, b5, b4);
michael@0 226 s_bmul_4x4(MP_DIGITS(r), a3, a2, a1, a0, b3, b2, b1, b0);
michael@0 227 s_bmul_4x4(rm, a7 ^ a3, a6 ^ a2, a5 ^ a1, a4 ^ a0, b7 ^ b3,
michael@0 228 b6 ^ b2, b5 ^ b1, b4 ^ b0);
michael@0 229 rm[7] ^= MP_DIGIT(r, 7) ^ MP_DIGIT(r, 15);
michael@0 230 rm[6] ^= MP_DIGIT(r, 6) ^ MP_DIGIT(r, 14);
michael@0 231 rm[5] ^= MP_DIGIT(r, 5) ^ MP_DIGIT(r, 13);
michael@0 232 rm[4] ^= MP_DIGIT(r, 4) ^ MP_DIGIT(r, 12);
michael@0 233 rm[3] ^= MP_DIGIT(r, 3) ^ MP_DIGIT(r, 11);
michael@0 234 rm[2] ^= MP_DIGIT(r, 2) ^ MP_DIGIT(r, 10);
michael@0 235 rm[1] ^= MP_DIGIT(r, 1) ^ MP_DIGIT(r, 9);
michael@0 236 rm[0] ^= MP_DIGIT(r, 0) ^ MP_DIGIT(r, 8);
michael@0 237 MP_DIGIT(r, 11) ^= rm[7];
michael@0 238 MP_DIGIT(r, 10) ^= rm[6];
michael@0 239 MP_DIGIT(r, 9) ^= rm[5];
michael@0 240 MP_DIGIT(r, 8) ^= rm[4];
michael@0 241 MP_DIGIT(r, 7) ^= rm[3];
michael@0 242 MP_DIGIT(r, 6) ^= rm[2];
michael@0 243 MP_DIGIT(r, 5) ^= rm[1];
michael@0 244 MP_DIGIT(r, 4) ^= rm[0];
michael@0 245 MP_USED(r) = 16;
michael@0 246 s_mp_clamp(r);
michael@0 247 #endif
michael@0 248 return ec_GF2m_233_mod(r, r, meth);
michael@0 249 }
michael@0 250
michael@0 251 CLEANUP:
michael@0 252 return res;
michael@0 253 }
michael@0 254
michael@0 255 /* Wire in fast field arithmetic for 233-bit curves. */
michael@0 256 mp_err
michael@0 257 ec_group_set_gf2m233(ECGroup *group, ECCurveName name)
michael@0 258 {
michael@0 259 group->meth->field_mod = &ec_GF2m_233_mod;
michael@0 260 group->meth->field_mul = &ec_GF2m_233_mul;
michael@0 261 group->meth->field_sqr = &ec_GF2m_233_sqr;
michael@0 262 return MP_OKAY;
michael@0 263 }

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial