Revert changes to mod_p521 flow

It is not necessary to save the middle limb upfront as overwriting it is the desired result: in the first step we are reducing modulo 2^{512+biL}. Arguably, the original flow is more intuitive and easier to see the idea behind it. Signed-off-by: Janos Follath <janos.follath@arm.com> Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-03-28 08:37:25 +00:00 · 2023-02-07 15:24:57 +00:00 · 2023-02-07 15:24:57 +00:00 · 13c3aa13af
commit 13c3aa13af
parent b50aeb8f05
1 changed files with 5 additions and 8 deletions
--- a/library/ecp_curves.c
+++ b/library/ecp_curves.c
@ -5222,12 +5222,6 @@ int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n)
        return 0;
    }

-    /* Save and clear the A1 content of the shared limb to prevent it
-       from overwrite. */
-    mbedtls_mpi_uint remainder[P521_WIDTH] = { 0 };
-    remainder[0] = N_p[P521_WIDTH - 1] >> 9;
-    N_p[P521_WIDTH - 1] &= P521_MASK;
-
    if (N_n > P521_WIDTH) {
        /* Helper references for top part of N */
        mbedtls_mpi_uint *NT_p = N_p + P521_WIDTH;
@ -5236,14 +5230,17 @@ int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n)
        /* Split N as A0 + 2^(512 + biL) A1 and compute A0 + 2^(biL - 9) * A1.
         * This can be done in place. */
        mbedtls_mpi_uint shift = ((mbedtls_mpi_uint) 1u) << (biL - 9);
-        carry = mbedtls_mpi_core_mla(N_p, P521_WIDTH - 1, NT_p, NT_n, shift);
+        carry = mbedtls_mpi_core_mla(N_p, P521_WIDTH, NT_p, NT_n, shift);

        /* Clear top part */
        memset(NT_p, 0, sizeof(mbedtls_mpi_uint) * NT_n);
    }

+    mbedtls_mpi_uint remainder[P521_WIDTH] = { 0 };
+    remainder[0] = carry << (biL - 9);
+    remainder[0] += (N_p[P521_WIDTH - 1] >> 9);
+    N_p[P521_WIDTH - 1] &= P521_MASK;
    (void) mbedtls_mpi_core_add(N_p, N_p, remainder, P521_WIDTH);
-    N_p[P521_WIDTH - 1] += carry;

    return 0;
 }