mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-02-27 06:41:08 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Introduce macro wrappers for ECC modular arithmetic

Browse Source 
This improves readibility and prepares for further changes
like the introduction of a single double-width temporary for
ECP arithmetic.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
This commit is contained in:
Hanno Becker 2022-01-04 04:55:11 +00:00
parent 76f897d699
commit ce29ae84dd
1 changed files with 146 additions and 109 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

255
library/ecp.c
View File

@ -1093,9 +1093,11 @@ cleanup:
* Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_sub_mpi
* N->s < 0 is a very fast test, which fails only if N is 0
*/
#define MOD_SUB( N ) \
while( (N).s < 0 && mbedtls_mpi_cmp_int( &(N), 0 ) != 0 ) \
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &(N), &(N), &grp->P ) )
#define MOD_SUB( N ) \
do { \
while( (N)->s < 0 && mbedtls_mpi_cmp_int( (N), 0 ) != 0 ) \
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( (N), (N), &grp->P ) ); \
} while( 0 )
#if ( defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED) && \
!( defined(MBEDTLS_ECP_NO_FALLBACK) && \
@ -1111,7 +1113,7 @@ static inline int mbedtls_mpi_sub_mod( const mbedtls_ecp_group *grp,
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( X, A, B ) );
MOD_SUB( *X );
MOD_SUB( X );
cleanup:
return( ret );
}
@ -1122,9 +1124,9 @@ cleanup:
* We known P, N and the result are positive, so sub_abs is correct, and
* a bit faster.
*/
#define MOD_ADD( N ) \
while( mbedtls_mpi_cmp_mpi( &(N), &grp->P ) >= 0 ) \
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &(N), &(N), &grp->P ) )
#define MOD_ADD( N ) \
while( mbedtls_mpi_cmp_mpi( (N), &grp->P ) >= 0 ) \
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( (N), (N), &grp->P ) )
static inline int mbedtls_mpi_add_mod( const mbedtls_ecp_group *grp,
mbedtls_mpi *X,
@ -1133,7 +1135,7 @@ static inline int mbedtls_mpi_add_mod( const mbedtls_ecp_group *grp,
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( X, A, B ) );
MOD_ADD( *X );
MOD_ADD( X );
cleanup:
return( ret );
}
@ -1146,11 +1148,27 @@ static inline int mbedtls_mpi_mul_int_mod( const mbedtls_ecp_group *grp,
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( X, A, c ) );
MOD_ADD( *X );
MOD_ADD( X );
cleanup:
return( ret );
}
static inline int mbedtls_mpi_sub_int_mod( const mbedtls_ecp_group *grp,
mbedtls_mpi *X,
const mbedtls_mpi *A,
mbedtls_mpi_uint c )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( X, A, c ) );
MOD_SUB( X );
cleanup:
return( ret );
}
#define MPI_ECP_SUB_INT( X, A, c ) \
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int_mod( grp, X, A, c ) )
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED) && \
!( defined(MBEDTLS_ECP_NO_FALLBACK) && \
defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) && \
@ -1161,12 +1179,33 @@ static inline int mbedtls_mpi_shift_l_mod( const mbedtls_ecp_group *grp,
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( X, count ) );
MOD_ADD( *X );
MOD_ADD( X );
cleanup:
return( ret );
}
#endif /* All functions referencing mbedtls_mpi_shift_l_mod() are alt-implemented without fallback */
#define MPI_ECP_ADD( X, A, B ) \
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mod( grp, X, A, B ) )
#define MPI_ECP_SUB( X, A, B ) \
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mod( grp, X, A, B ) )
#define MPI_ECP_MUL( X, A, B ) \
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, X, A, B ) )
#define MPI_ECP_MUL_INT( X, A, c ) \
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int_mod( grp, X, A, c ) )
#define MPI_ECP_INV( dst, src ) \
MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( (dst), (src), &grp->P ) )
#define MPI_ECP_MOV( X, A ) \
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, A ) )
#define MPI_ECP_SHIFT_L( X, count ) \
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l_mod( grp, X, count ) )
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
/*
* For curves in short Weierstrass form, we do all the internal operations in
@ -1197,16 +1236,11 @@ static int ecp_normalize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *p
mbedtls_mpi T;
mbedtls_mpi_init( &T );
/* T <- 1 / Z */
MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &T, &pt->Z, &grp->P ) );
/* Y' <- Y*T = Y / Z */
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &pt->Y, &pt->Y, &T ) );
/* T <- T^2 = 1 / Z^2 */
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &T, &T, &T ) );
/* X <- X * T = X / Z^2 */
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &pt->X, &pt->X, &T ) );
/* Y'' <- Y' * T = Y / Z^3 */
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &pt->Y, &pt->Y, &T ) );
MPI_ECP_INV( &T, &pt->Z ); /* T <- 1 / Z */
MPI_ECP_MUL( &pt->Y, &pt->Y, &T ); /* Y' <- Y*T = Y / Z */
MPI_ECP_MUL( &T, &T, &T ); /* T <- T^2 = 1 / Z^2 */
MPI_ECP_MUL( &pt->X, &pt->X, &T ); /* X <- X * T = X / Z^2 */
MPI_ECP_MUL( &pt->Y, &pt->Y, &T ); /* Y'' <- Y' * T = Y / Z^3 */
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Z, 1 ) );
@ -1258,16 +1292,16 @@ static int ecp_normalize_jac_many( const mbedtls_ecp_group *grp,
/*
* c[i] = Z_0 * ... * Z_i
*/
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &c[0], &T[0]->Z ) );
MPI_ECP_MOV( &c[0], &T[0]->Z );
for( i = 1; i < T_size; i++ )
{
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &c[i], &c[i-1], &T[i]->Z ) );
MPI_ECP_MUL( &c[i], &c[i-1], &T[i]->Z );
}
/*
* u = 1 / (Z_0 * ... * Z_n) mod P
*/
MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &u, &c[T_size-1], &grp->P ) );
MPI_ECP_INV( &u, &c[T_size-1] );
for( i = T_size - 1; ; i-- )
{
@ -1275,22 +1309,23 @@ static int ecp_normalize_jac_many( const mbedtls_ecp_group *grp,
* Zi = 1 / Z_i mod p
* u = 1 / (Z_0 * ... * Z_i) mod P
*/
if( i == 0 ) {
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Zi, &u ) );
if( i == 0 )
{
MPI_ECP_MOV( &Zi, &u );
}
else
{
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &Zi, &u, &c[i-1] ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &u, &u, &T[i]->Z ) );
MPI_ECP_MUL( &Zi, &u, &c[i-1] );
MPI_ECP_MUL( &u, &u, &T[i]->Z );
}
/*
* proceed as in normalize()
*/
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &ZZi, &Zi, &Zi ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &T[i]->X, &T[i]->X, &ZZi ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &T[i]->Y, &T[i]->Y, &ZZi ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &T[i]->Y, &T[i]->Y, &Zi ) );
MPI_ECP_MUL( &ZZi, &Zi, &Zi );
MPI_ECP_MUL( &T[i]->X, &T[i]->X, &ZZi );
MPI_ECP_MUL( &T[i]->Y, &T[i]->Y, &ZZi );
MPI_ECP_MUL( &T[i]->Y, &T[i]->Y, &Zi );
/*
* Post-precessing: reclaim some memory by shrinking coordinates
@ -1380,52 +1415,52 @@ static int ecp_double_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
if( grp->A.p == NULL )
{
/* M = 3(X + Z^2)(X - Z^2) */
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &S, &P->Z, &P->Z ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mod( grp, &T, &P->X, &S ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mod( grp, &U, &P->X, &S ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &S, &T, &U ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int_mod( grp, &M, &S, 3 ) );
MPI_ECP_MUL( &S, &P->Z, &P->Z );
MPI_ECP_ADD( &T, &P->X, &S );
MPI_ECP_SUB( &U, &P->X, &S );
MPI_ECP_MUL( &S, &T, &U );
MPI_ECP_MUL_INT( &M, &S, 3 );
}
else
{
/* M = 3.X^2 */
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod ( grp, &S, &P->X, &P->X ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int_mod( grp, &M, &S, 3 ) );
MPI_ECP_MUL( &S, &P->X, &P->X );
MPI_ECP_MUL_INT( &M, &S, 3 );
/* Optimize away for "koblitz" curves with A = 0 */
if( mbedtls_mpi_cmp_int( &grp->A, 0 ) != 0 )
{
/* M += A.Z^4 */
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &S, &P->Z, &P->Z ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &T, &S, &S ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &S, &T, &grp->A ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mod( grp, &M, &M, &S ) );
MPI_ECP_MUL( &S, &P->Z, &P->Z );
MPI_ECP_MUL( &T, &S, &S );
MPI_ECP_MUL( &S, &T, &grp->A );
MPI_ECP_ADD( &M, &M, &S );
}
}
/* S = 4.X.Y^2 */
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &T, &P->Y, &P->Y ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l_mod( grp, &T, 1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &S, &P->X, &T ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l_mod( grp, &S, 1 ) );
MPI_ECP_MUL( &T, &P->Y, &P->Y );
MPI_ECP_SHIFT_L( &T, 1 );
MPI_ECP_MUL( &S, &P->X, &T );
MPI_ECP_SHIFT_L( &S, 1 );
/* U = 8.Y^4 */
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &U, &T, &T ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l_mod( grp, &U, 1 ) );
MPI_ECP_MUL( &U, &T, &T );
MPI_ECP_SHIFT_L( &U, 1 );
/* T = M^2 - 2.S */
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &T, &M, &M ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mod( grp, &T, &T, &S ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mod( grp, &T, &T, &S ) );
MPI_ECP_MUL( &T, &M, &M );
MPI_ECP_SUB( &T, &T, &S );
MPI_ECP_SUB( &T, &T, &S );
/* S = M(S - T) - U */
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mod( grp, &S, &S, &T ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &S, &S, &M ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mod( grp, &S, &S, &U ) );
MPI_ECP_SUB( &S, &S, &T );
MPI_ECP_MUL( &S, &S, &M );
MPI_ECP_SUB( &S, &S, &U );
/* U = 2.Y.Z */
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &U, &P->Y, &P->Z ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l_mod( grp, &U, 1 ) );
MPI_ECP_MUL( &U, &P->Y, &P->Z );
MPI_ECP_SHIFT_L( &U, 1 );
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->X, &T ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->Y, &S ) );
@ -1494,12 +1529,12 @@ static int ecp_add_mixed( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 ); mbedtls_mpi_init( &T3 ); mbedtls_mpi_init( &T4 );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &T1, &P->Z, &P->Z ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &T2, &T1, &P->Z ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &T1, &T1, &Q->X ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &T2, &T2, &Q->Y ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mod( grp, &T1, &T1, &P->X ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mod( grp, &T2, &T2, &P->Y ) );
MPI_ECP_MUL( &T1, &P->Z, &P->Z );
MPI_ECP_MUL( &T2, &T1, &P->Z );
MPI_ECP_MUL( &T1, &T1, &Q->X );
MPI_ECP_MUL( &T2, &T2, &Q->Y );
MPI_ECP_SUB( &T1, &T1, &P->X );
MPI_ECP_SUB( &T2, &T2, &P->Y );
/* Special cases (2) and (3) */
if( mbedtls_mpi_cmp_int( &T1, 0 ) == 0 )
@ -1516,19 +1551,21 @@ static int ecp_add_mixed( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
}
}
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, Z, &P->Z, &T1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &T3, &T1, &T1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &T4, &T3, &T1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &T3, &T3, &P->X ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &T1, &T3 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l_mod( grp, &T1, 1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, X, &T2, &T2 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mod( grp, X, X, &T1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mod( grp, X, X, &T4 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mod( grp, &T3, &T3, X ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &T3, &T3, &T2 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &T4, &T4, &P->Y ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mod( grp, Y, &T3, &T4 ) );
MPI_ECP_MUL( Z, &P->Z, &T1 );
MPI_ECP_MUL( &T3, &T1, &T1 );
MPI_ECP_MUL( &T4, &T3, &T1 );
MPI_ECP_MUL( &T3, &T3, &P->X );
MPI_ECP_MOV( &T1, &T3 );
MPI_ECP_SHIFT_L( &T1, 1 );
MPI_ECP_MUL( X, &T2, &T2 );
MPI_ECP_SUB( X, X, &T1 );
MPI_ECP_SUB( X, X, &T4 );
MPI_ECP_SUB( &T3, &T3, X );
MPI_ECP_MUL( &T3, &T3, &T2 );
MPI_ECP_MUL( &T4, &T4, &P->Y );
MPI_ECP_SUB( Y, &T3, &T4 );
cleanup:
@ -1565,15 +1602,15 @@ static int ecp_randomize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *p
MBEDTLS_MPI_CHK( mbedtls_mpi_random( &l, 2, &grp->P, f_rng, p_rng ) );
/* Z = l * Z */
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &pt->Z, &pt->Z, &l ) );
MPI_ECP_MUL( &pt->Z, &pt->Z, &l );
/* X = l^2 * X */
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &ll, &l, &l ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &pt->X, &pt->X, &ll ) );
MPI_ECP_MUL( &ll, &l, &l );
MPI_ECP_MUL( &pt->X, &pt->X, &ll );
/* Y = l^3 * Y */
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &ll, &ll, &l ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &pt->Y, &pt->Y, &ll ) );
MPI_ECP_MUL( &ll, &ll, &l );
MPI_ECP_MUL( &pt->Y, &pt->Y, &ll );
cleanup:
mbedtls_mpi_free( &l ); mbedtls_mpi_free( &ll );
@ -2263,8 +2300,8 @@ static int ecp_normalize_mxz( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P
return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
#else
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &P->Z, &P->Z, &grp->P ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &P->X, &P->X, &P->Z ) );
MPI_ECP_INV( &P->Z, &P->Z );
MPI_ECP_MUL( &P->X, &P->X, &P->Z );
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &P->Z, 1 ) );
cleanup:
@ -2298,8 +2335,8 @@ static int ecp_randomize_mxz( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P
/* Generate l such that 1 < l < p */
MBEDTLS_MPI_CHK( mbedtls_mpi_random( &l, 2, &grp->P, f_rng, p_rng ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &P->X, &P->X, &l ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &P->Z, &P->Z, &l ) );
MPI_ECP_MUL( &P->X, &P->X, &l );
MPI_ECP_MUL( &P->Z, &P->Z, &l );
cleanup:
mbedtls_mpi_free( &l );
@ -2345,24 +2382,24 @@ static int ecp_double_add_mxz( const mbedtls_ecp_group *grp,
mbedtls_mpi_init( &BB ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &C );
mbedtls_mpi_init( &D ); mbedtls_mpi_init( &DA ); mbedtls_mpi_init( &CB );
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mod( grp, &A, &P->X, &P->Z ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &AA, &A, &A ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mod( grp, &B, &P->X, &P->Z ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &BB, &B, &B ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mod( grp, &E, &AA, &BB ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mod( grp, &C, &Q->X, &Q->Z ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mod( grp, &D, &Q->X, &Q->Z ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &DA, &D, &A ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &CB, &C, &B ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mod( grp, &S->X, &DA, &CB ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &S->X, &S->X, &S->X ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mod( grp, &S->Z, &DA, &CB ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &S->Z, &S->Z, &S->Z ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &S->Z, d, &S->Z ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &R->X, &AA, &BB ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &R->Z, &grp->A, &E ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mod( grp, &R->Z, &BB, &R->Z ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &R->Z, &E, &R->Z ) );
MPI_ECP_ADD( &A, &P->X, &P->Z );
MPI_ECP_MUL( &AA, &A, &A );
MPI_ECP_SUB( &B, &P->X, &P->Z );
MPI_ECP_MUL( &BB, &B, &B );
MPI_ECP_SUB( &E, &AA, &BB );
MPI_ECP_ADD( &C, &Q->X, &Q->Z );
MPI_ECP_SUB( &D, &Q->X, &Q->Z );
MPI_ECP_MUL( &DA, &D, &A );
MPI_ECP_MUL( &CB, &C, &B );
MPI_ECP_ADD( &S->X, &DA, &CB );
MPI_ECP_MUL( &S->X, &S->X, &S->X );
MPI_ECP_SUB( &S->Z, &DA, &CB );
MPI_ECP_MUL( &S->Z, &S->Z, &S->Z );
MPI_ECP_MUL( &S->Z, d, &S->Z );
MPI_ECP_MUL( &R->X, &AA, &BB );
MPI_ECP_MUL( &R->Z, &grp->A, &E );
MPI_ECP_ADD( &R->Z, &BB, &R->Z );
MPI_ECP_MUL( &R->Z, &E, &R->Z );
cleanup:
mbedtls_mpi_free( &A ); mbedtls_mpi_free( &AA ); mbedtls_mpi_free( &B );
@ -2402,7 +2439,7 @@ static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
mbedtls_mpi_free( &R->Y );
/* RP.X might be sligtly larger than P, so reduce it */
MOD_ADD( RP.X );
MOD_ADD( &RP.X );
/* Randomize coordinates of the starting point */
MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, &RP, f_rng, p_rng ) );
@ -2571,21 +2608,21 @@ static int ecp_check_pubkey_sw( const mbedtls_ecp_group *grp, const mbedtls_ecp_
* YY = Y^2
* RHS = X (X^2 + A) + B = X^3 + A X + B
*/
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &YY, &pt->Y, &pt->Y ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &RHS, &pt->X, &pt->X ) );
MPI_ECP_MUL( &YY, &pt->Y, &pt->Y );
MPI_ECP_MUL( &RHS, &pt->X, &pt->X );
/* Special case for A = -3 */
if( grp->A.p == NULL )
{
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &RHS, &RHS, 3 ) ); MOD_SUB( RHS );
MPI_ECP_SUB_INT( &RHS, &RHS, 3 );
}
else
{
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mod( grp, &RHS, &RHS, &grp->A ) );
MPI_ECP_ADD( &RHS, &RHS, &grp->A );
}
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &RHS, &RHS, &pt->X ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mod( grp, &RHS, &RHS, &grp->B ) );
MPI_ECP_MUL( &RHS, &RHS, &pt->X );
MPI_ECP_ADD( &RHS, &RHS, &grp->B );
if( mbedtls_mpi_cmp_mpi( &YY, &RHS ) != 0 )
ret = MBEDTLS_ERR_ECP_INVALID_KEY;