summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/ec/ec2_mult.c
diff options
context:
space:
mode:
authormiod <>2014-04-13 15:16:40 +0000
committermiod <>2014-04-13 15:16:40 +0000
commitdbf195d7fd4efbe4ee578f1dc5c72e7f3deadf18 (patch)
tree0de23bccc2c4fc24d466d6a4291987efc8e44770 /src/lib/libcrypto/ec/ec2_mult.c
parent210506dd94a697493eb809fb31df7283912ded73 (diff)
parent52628ee3f51f011b463aaedb1a28aa0524b43cb3 (diff)
downloadopenbsd-dbf195d7fd4efbe4ee578f1dc5c72e7f3deadf18.tar.gz
openbsd-dbf195d7fd4efbe4ee578f1dc5c72e7f3deadf18.tar.bz2
openbsd-dbf195d7fd4efbe4ee578f1dc5c72e7f3deadf18.zip
This commit was generated by cvs2git to track changes on a CVS vendor
branch.
Diffstat (limited to 'src/lib/libcrypto/ec/ec2_mult.c')
-rw-r--r--src/lib/libcrypto/ec/ec2_mult.c27
1 files changed, 16 insertions, 11 deletions
diff --git a/src/lib/libcrypto/ec/ec2_mult.c b/src/lib/libcrypto/ec/ec2_mult.c
index 26f4a783fc..1c575dc47a 100644
--- a/src/lib/libcrypto/ec/ec2_mult.c
+++ b/src/lib/libcrypto/ec/ec2_mult.c
@@ -208,11 +208,15 @@ static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIG
208 return ret; 208 return ret;
209 } 209 }
210 210
211
211/* Computes scalar*point and stores the result in r. 212/* Computes scalar*point and stores the result in r.
212 * point can not equal r. 213 * point can not equal r.
213 * Uses algorithm 2P of 214 * Uses a modified algorithm 2P of
214 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over 215 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
215 * GF(2^m) without precomputation" (CHES '99, LNCS 1717). 216 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
217 *
218 * To protect against side-channel attack the function uses constant time swap,
219 * avoiding conditional branches.
216 */ 220 */
217static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, 221static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
218 const EC_POINT *point, BN_CTX *ctx) 222 const EC_POINT *point, BN_CTX *ctx)
@@ -246,6 +250,11 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
246 x2 = &r->X; 250 x2 = &r->X;
247 z2 = &r->Y; 251 z2 = &r->Y;
248 252
253 bn_wexpand(x1, group->field.top);
254 bn_wexpand(z1, group->field.top);
255 bn_wexpand(x2, group->field.top);
256 bn_wexpand(z2, group->field.top);
257
249 if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */ 258 if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */
250 if (!BN_one(z1)) goto err; /* z1 = 1 */ 259 if (!BN_one(z1)) goto err; /* z1 = 1 */
251 if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */ 260 if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */
@@ -270,16 +279,12 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
270 word = scalar->d[i]; 279 word = scalar->d[i];
271 while (mask) 280 while (mask)
272 { 281 {
273 if (word & mask) 282 BN_consttime_swap(word & mask, x1, x2, group->field.top);
274 { 283 BN_consttime_swap(word & mask, z1, z2, group->field.top);
275 if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err; 284 if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
276 if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err; 285 if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
277 } 286 BN_consttime_swap(word & mask, x1, x2, group->field.top);
278 else 287 BN_consttime_swap(word & mask, z1, z2, group->field.top);
279 {
280 if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
281 if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
282 }
283 mask >>= 1; 288 mask >>= 1;
284 } 289 }
285 mask = BN_TBIT; 290 mask = BN_TBIT;
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-24 14:42:08 +0000