release/src/router/nettle/ecc-mul-g.c

   1 /* ecc-mul-g.c */
   2
   3 /* nettle, low-level cryptographics library
   4  *
   5  * Copyright (C) 2013 Niels Möller
   6  *
   7  * The nettle library is free software; you can redistribute it and/or modify
   8  * it under the terms of the GNU Lesser General Public License as published by
   9  * the Free Software Foundation; either version 2.1 of the License, or (at your
  10  * option) any later version.
  11  *
  12  * The nettle library is distributed in the hope that it will be useful, but
  13  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  14  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
  15  * License for more details.
  16  *
  17  * You should have received a copy of the GNU Lesser General Public License
  18  * along with the nettle library; see the file COPYING.LIB.  If not, write to
  19  * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
  20  * MA 02111-1301, USA.
  21  */
  22
  23 /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */
  24
  25 #if HAVE_CONFIG_H
  26 # include "config.h"
  27 #endif
  28
  29 #include <assert.h>
  30
  31 #include "ecc.h"
  32 #include "ecc-internal.h"
  33
  34 mp_size_t
  35 ecc_mul_g_itch (const struct ecc_curve *ecc)
  36 {
  37   /* Needs 3*ecc->size + scratch for ecc_add_jja. */
  38   return ECC_MUL_G_ITCH (ecc->size);
  39 }
  40
  41 void
  42 ecc_mul_g (const struct ecc_curve *ecc, mp_limb_t *r,
  43            const mp_limb_t *np, mp_limb_t *scratch)
  44 {
  45   /* Scratch need determined by the ecc_add_jja call. Current total is
  46      9 * ecc->size, at most 648 bytes. */
  47 #define tp scratch
  48 #define scratch_out (scratch + 3*ecc->size)
  49
  50   unsigned k, c;
  51   unsigned i, j;
  52   unsigned bit_rows;
  53
  54   int is_zero;
  55
  56   k = ecc->pippenger_k;
  57   c = ecc->pippenger_c;
  58
  59   bit_rows = (ecc->bit_size + k - 1) / k;
  60
  61   mpn_zero (r, 3*ecc->size);
  62
  63   for (i = k, is_zero = 1; i-- > 0; )
  64     {
  65       ecc_dup_jj (ecc, r, r, scratch);
  66       for (j = 0; j * c < bit_rows; j++)
  67         {
  68           unsigned bits;
  69           /* Avoid the mp_bitcnt_t type for compatibility with older GMP
  70              versions. */
  71           unsigned bit_index;
  72
  73           /* Extract c bits from n, stride k, starting at i + kcj,
  74              ending at i + k (cj + c - 1)*/
  75           for (bits = 0, bit_index = i + k*(c*j+c); bit_index > i + k*c*j; )
  76             {
  77               mp_size_t limb_index;
  78               unsigned shift;
  79
  80               bit_index -= k;
  81
  82               limb_index = bit_index / GMP_NUMB_BITS;
  83               if (limb_index >= ecc->size)
  84                 continue;
  85
  86               shift = bit_index % GMP_NUMB_BITS;
  87               bits = (bits << 1) | ((np[limb_index] >> shift) & 1);
  88             }
  89           sec_tabselect (tp, 2*ecc->size,
  90                          (ecc->pippenger_table
  91                           + (2*ecc->size * (mp_size_t) j << c)),
  92                          1<<c, bits);
  93           cnd_copy (is_zero, r, tp, 2*ecc->size);
  94           cnd_copy (is_zero, r + 2*ecc->size, ecc->unit, ecc->size);
  95
  96           ecc_add_jja (ecc, tp, r, tp, scratch_out);
  97           /* Use the sum when valid. ecc_add_jja produced garbage if
  98              is_zero != 0 or bits == 0, . */
  99           cnd_copy (bits & (is_zero - 1), r, tp, 3*ecc->size);
 100           is_zero &= (bits == 0);
 101         }
 102     }
 103 #undef tp
 104 #undef scratch_out
 105 }