From 2fad7ae02a6e2dcc75f5c8f83e2fc3d2acd60442 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 14 Mar 2017 13:13:13 +0100 Subject: [PATCH] Start actually splitting computation Temporary state is quite inefficient: pre-computed table is recomputed every single time. This is WIP obviously. --- library/ecp.c | 68 ++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 59 insertions(+), 9 deletions(-) diff --git a/library/ecp.c b/library/ecp.c index d402e5c104..3505b20416 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -104,10 +104,14 @@ void mbedtls_ecp_set_max_ops( unsigned max_ops ) * Restart context type for interrupted operations */ struct mbedtls_ecp_restart { - unsigned char fake_it; /* for tests: should we fake early return? */ + unsigned ops_done; /* number of operations done this time */ mbedtls_mpi m; /* saved argument: scalar */ mbedtls_ecp_point P; /* saved argument: point */ mbedtls_ecp_point R; /* current intermediate result */ + enum { + ecp_rs_init = 0, + ecp_rs_final_norm, + } state; }; /* @@ -129,7 +133,37 @@ static void ecp_restart_free( mbedtls_ecp_restart_ctx *ctx ) mbedtls_mpi_free( &ctx->m ); mbedtls_ecp_point_free( &ctx->P ); mbedtls_ecp_point_free( &ctx->R ); + + memset( ctx, 0, sizeof( mbedtls_ecp_restart_ctx ) ); } + +/* + * Operation counts + */ +#define ECP_OPS_DBL 8 /* see ecp_double_jac() */ +#define ECP_OPS_ADD 11 /* see ecp_add_mixed() */ +#define ECP_OPS_INV 120 /* empirical equivalent */ + +/* + * Check if we can do the next step + */ +static int ecp_check_budget( const mbedtls_ecp_group *grp, unsigned ops ) +{ + if( grp->rs != NULL ) + { + /* avoid infinite loops: always allow first step */ + if( grp->rs->ops_done != 0 && grp->rs->ops_done + ops > ecp_max_ops ) + return( MBEDTLS_ERR_ECP_IN_PROGRESS ); + + grp->rs->ops_done += ops; + } + + return( 0 ); +} + +#define ECP_BUDGET( ops ) MBEDTLS_MPI_CHK( ecp_check_budget( grp, ops ) ); +#else +#define ECP_BUDGET( ops ) #endif /* MBEDTLS_ECP_EARLY_RETURN */ #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \ @@ -1465,12 +1499,26 @@ static int ecp_mul_comb_after_precomp( const mbedtls_ecp_group *grp, RR = &grp->rs->R; #endif - MBEDTLS_MPI_CHK( ecp_comb_recode_scalar( grp, m, k, d, w, &parity_trick ) ); +#if defined(MBEDTLS_ECP_EARLY_RETURN) + if( grp->rs == NULL || grp->rs->state < ecp_rs_final_norm ) +#endif + { + MBEDTLS_MPI_CHK( ecp_comb_recode_scalar( grp, m, k, d, w, + &parity_trick ) ); + MBEDTLS_MPI_CHK( ecp_mul_comb_core( grp, RR, T, pre_len, k, d, + f_rng, p_rng ) ); + MBEDTLS_MPI_CHK( ecp_safe_invert_jac( grp, RR, parity_trick ) ); - MBEDTLS_MPI_CHK( ecp_mul_comb_core( grp, RR, T, pre_len, k, d, f_rng, p_rng ) ); +#if defined(MBEDTLS_ECP_EARLY_RETURN) + if( grp->rs != NULL ) + grp->rs->state++; +#endif - MBEDTLS_MPI_CHK( ecp_safe_invert_jac( grp, RR, parity_trick ) ); + /* XXX: temporary: should have counted some ops */ + ECP_BUDGET( 42 ); + } + ECP_BUDGET( ECP_OPS_INV ); MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, RR ) ); #if defined(MBEDTLS_ECP_EARLY_RETURN) @@ -1555,12 +1603,10 @@ static int ecp_mul_comb( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &grp->rs->m, m ) ); MBEDTLS_MPI_CHK( mbedtls_ecp_copy( &grp->rs->P, P ) ); } -#endif - /* XXX: temporary */ -#if defined(MBEDTLS_ECP_EARLY_RETURN) - if( grp->rs && ++grp->rs->fake_it != 0 ) - return( MBEDTLS_ERR_ECP_IN_PROGRESS ); + /* new start for ops counts */ + if( grp->rs != NULL ) + grp->rs->ops_done = 0; #endif /* Is P the base point ? */ @@ -1614,6 +1660,10 @@ cleanup: mbedtls_free( T ); } + /* don't free R while in progress in case R == P */ +#if defined(MBEDTLS_ECP_EARLY_RETURN) + if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS ) +#endif if( ret != 0 ) mbedtls_ecp_point_free( R );