Add a second round of carry reduction for P192 fast reduction

The first round of carry reduction can generate a carry so a second round is needed. Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-04-10 15:45:34 +00:00 · 2023-03-28 15:03:20 +02:00 · 2023-03-28 15:03:20 +02:00 · 514806bbe9
commit 514806bbe9
parent da018175de
1 changed files with 12 additions and 2 deletions
--- a/library/ecp_curves.c
+++ b/library/ecp_curves.c
@ -4897,7 +4897,7 @@ static inline void carry64(mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry)
 #define A(i)        Np + (i) * WIDTH
 #define ADD(i)      add64(p, A(i), &c)
 #define NEXT        p += WIDTH; carry64(p, &c)
-#define LAST        p += WIDTH; *p = c; while (++p < end) *p = 0
+#define LAST        p += WIDTH; do *p = 0; while (++p < end)
 #define RESET       last_carry[0] = c; c = 0; p = Np
 #define ADD_LAST    add64(p, last_carry, &c)

@ -4934,13 +4934,23 @@ int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn)

    RESET;

+    /* Use the reduction for the carry as well:
+     * 2^192 * last_carry = 2^64 * last_carry + last_carry mod P192
+     * It can generate a carry. */
+    ADD_LAST; NEXT;                 // A0 += last_carry
+    ADD_LAST; NEXT;                 // A1 += last_carry
+                                    // A2 += carry
+
+    RESET;
+
    /* Use the reduction for the carry as well:
     * 2^192 * last_carry = 2^64 * last_carry + last_carry mod P192
     */
    ADD_LAST; NEXT;                 // A0 += last_carry
    ADD_LAST; NEXT;                 // A1 += last_carry
+                                    // A2 += carry

-    LAST;                           // A2 += carry
+    LAST;

    return 0;
 }