Re: [PATCH 4/8] ecc: Add add_hh and dup members to ecc_curve

2017-09-23 Thread Niels Möller
Daiki Ueno  writes:

> From: Daiki Ueno 
>
> This makes it possible to share the same code for curve25519 and
> curve448 primitives, which use different underlying formulas for
> addition and doubling.

Applied now, with some additional test cleanups. Result on branch
curve448.

/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.


Re: [PATCH 4/8] ecc: Add add_hh and dup members to ecc_curve

2017-09-19 Thread Niels Möller
ni...@lysator.liu.se (Niels Möller) writes:

> I think it would be nice if the new function pointers could be used to
> reduce duplication in this test as well as ecc-dup-test.c.

See the patch below (generated with -b, to ignore the indentation
change).

To be applied on top of your patch, does it look ok?

Regards,
/Niels

diff --git a/testsuite/ecc-add-test.c b/testsuite/ecc-add-test.c
index 8e88a76..05a0562 100644
--- a/testsuite/ecc-add-test.c
+++ b/testsuite/ecc-add-test.c
@@ -15,18 +15,19 @@ test_main (void)
   mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc));
   mp_limb_t *scratch = xalloc_limbs (ECC_ADD_JJJ_ITCH(ecc->p.size));
 
+  ecc_a_to_j (ecc, g, ecc->g);
+
   if (ecc->p.bit_size == 255)
{
  mp_limb_t *z = xalloc_limbs (ecc_size_j (ecc));
+
+ ASSERT (ecc->add_hh == ecc_add_eh);
+ ASSERT (ecc->add_hhh == ecc_add_ehh);
+
  /* Zero point has x = 0, y = 1, z = 1 */
  mpn_zero (z, 3*ecc->p.size);
  z[ecc->p.size] = z[2*ecc->p.size] = 1;
 
- assert (ecc->add_hh == ecc_add_eh);
- assert (ecc->add_hhh == ecc_add_ehh);
-
- ecc_a_to_j (ecc, g, ecc->g);
-
  ecc->add_hhh (ecc, p, z, z, scratch);
  test_ecc_mul_h (i, 0, p);
 
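Review bot: `scratch` two lines above the first added line is still sized with the fixed `ECC_ADD_JJJ_ITCH (ecc->p.size)`, while the shared path this hunk sets up dispatches through `ecc->add_hh`, `ecc->add_hhh` and, further down in test_main, `ecc->dup`, which the asserts show are different formulas on curve25519 than on the other curves. Unless ECC_ADD_JJJ_ITCH is known to be at least as large as the Edwards variants, curve25519 can run ecc_add_eh/ecc_add_ehh/ecc_dup_eh with too little scratch; since the curve struct now carries its own requirements, allocate the maximum of `ecc->add_hh_itch`, `ecc->add_hhh_itch` and `ecc->dup_itch` instead of the macro. test_main's body starts before this hunk and continues past it.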
@@ -45,29 +46,13 @@ test_main (void)
  ecc->add_hh (ecc, g2, g, g, scratch);
  test_ecc_mul_h (i, 2, g2);
 
- ecc->add_hhh (ecc, g3, g, g2, scratch);
- test_ecc_mul_h (i, 3, g3);
-
- ecc->add_hh (ecc, g3, g2, g, scratch);
- test_ecc_mul_h (i, 3, g3);
-
- ecc->add_hhh (ecc, p, g, g3, scratch);
- test_ecc_mul_h (i, 4, p);
-
- ecc->add_hh (ecc, p, g3, g, scratch);
- test_ecc_mul_h (i, 4, p);
-
- ecc->add_hhh (ecc, p, g2, g2, scratch);
- test_ecc_mul_h (i, 4, p);
-
  free (z);
}
   else 
{
- assert (ecc->add_hhh == ecc_add_jjj);
- assert (ecc->dup == ecc_dup_jj);
-
- ecc_a_to_j (ecc, g, ecc->g);
+ ASSERT (ecc->add_hhh == ecc_add_jjj);
+ ASSERT (ecc->dup == ecc_dup_jj);
+   }
 
   ecc->dup (ecc, g2, g, scratch);
   test_ecc_mul_h (i, 2, g2);
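Review bot: The Edwards-only branch loses `ecc->add_hhh (ecc, p, g2, g2, scratch)` with its `test_ecc_mul_h (i, 4, p)` check, and this is the one removed case that presumably cannot move into the shared section after the hunk: adding a point to itself through the generic add is the complete-formula property that distinguishes the Edwards code from the Jacobian `ecc_add_jjj` asserted in the else branch. Unless the shared section (outside this hunk) re-adds it, keep those two lines in the 255-bit branch next to the `ecc->add_hh (ecc, g2, g, g, scratch)` call, which already exercises the same property for add_hh. test_main continues past the hunk.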
@@ -86,7 +71,7 @@ test_main (void)
 
   ecc->dup (ecc, p, g2, scratch);
   test_ecc_mul_h (i, 4, p);
-   }
+
   free (g);
   free (g2);
   free (g3);
diff --git a/testsuite/ecc-dup-test.c b/testsuite/ecc-dup-test.c
index f987b16..784b8cc 100644
--- a/testsuite/ecc-dup-test.c
+++ b/testsuite/ecc-dup-test.c
@@ -12,35 +12,32 @@ test_main (void)
   mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc));
   mp_limb_t *scratch = xalloc_limbs (ECC_DUP_EH_ITCH(ecc->p.size));;
 
+  ecc_a_to_j (ecc, g, ecc->g);
+
   if (ecc->p.bit_size == 255)
{
  mp_limb_t *z = xalloc_limbs (ecc_size_j (ecc));
+
+ ASSERT (ecc->dup == ecc_dup_eh);
+
  /* Zero point has x = 0, y = 1, z = 1 */
  mpn_zero (z, 3*ecc->p.size);
  z[ecc->p.size] = z[2*ecc->p.size] = 1;
 
- ecc_a_to_j (ecc, g, ecc->g);
-
  ecc->dup (ecc, p, z, scratch);
  test_ecc_mul_h (i, 0, p);
 
- ecc->dup (ecc, p, g, scratch);
- test_ecc_mul_h (i, 2, p);
-
- ecc->dup (ecc, p, p, scratch);
- test_ecc_mul_h (i, 4, p);
  free (z);
}
   else
-   {
- ecc_a_to_j (ecc, g, ecc->g);
+   ASSERT (ecc->dup == ecc_dup_jj);
 
   ecc->dup (ecc, p, g, scratch);
   test_ecc_mul_h (i, 2, p);
 
   ecc->dup (ecc, p, p, scratch);
   test_ecc_mul_h (i, 4, p);
-   }
+
   free (p);
   free (g);
   free (scratch);
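Review bot: `scratch` is allocated with `ECC_DUP_EH_ITCH(ecc->p.size)` at the top of the hunk, but the new `ASSERT (ecc->dup == ecc_dup_jj)` in the else branch shows that `ecc->dup` is a different formula for the non-255-bit curves, so the buffer is sized for one implementation and used by the other; with the curve now carrying its own requirement this should be `mp_limb_t *scratch = xalloc_limbs (ecc->dup_itch);`, which also drops the stray `;;` on that line. Separately, the else body is now a single unbraced statement followed directly by the shared code, which reads as if `ecc->dup (ecc, p, g, scratch)` were still part of the else; wrap it in braces like the if branch to keep the two branches visually parallel. test_main continues past the hunk.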


-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.


Re: [PATCH 4/8] ecc: Add add_hh and dup members to ecc_curve

2017-09-18 Thread Niels Möller
Daiki Ueno  writes:

> This makes it possible to share the same code for curve25519 and
> curve448 primitives, which use different underlying formulas for
> addition and doubling.

Makes sense. I've tried to verify, using examples/ecc-benchmark, that
the extra indirection causes no performance degradation for
curve25519.

> --- a/testsuite/ecc-add-test.c
> +++ b/testsuite/ecc-add-test.c
> @@ -1,4 +1,5 @@
>  #include "testutils.h"
> +#include 
>  
>  void
>  test_main (void)
> @@ -20,64 +21,70 @@ test_main (void)
> /* Zero point has x = 0, y = 1, z = 1 */
> mpn_zero (z, 3*ecc->p.size);
> z[ecc->p.size] = z[2*ecc->p.size] = 1;
> -   
> +
> +   assert (ecc->add_hh == ecc_add_eh);
> +   assert (ecc->add_hhh == ecc_add_ehh);
> +
> ecc_a_to_j (ecc, g, ecc->g);
>  
> -   ecc_add_ehh (ecc, p, z, z, scratch);
> +   ecc->add_hhh (ecc, p, z, z, scratch);
> test_ecc_mul_h (i, 0, p);

I think it would be nice if the new function pointers could be used to
reduce duplication in this test as well as ecc-dup-test.c. Edwards
curves (curve25519, and then later curve448) should have a few
additional tests (since they use "complete" formulas), involving the
zero point, and add of one point to itself. But the rest of the tests
could be the same for the other curves.

Would you like to give it a try, or should I?

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.


[PATCH 4/8] ecc: Add add_hh and dup members to ecc_curve

2017-08-05 Thread Daiki Ueno
From: Daiki Ueno 

This makes it possible to share the same code for curve25519 and
curve448 primitives, which use different underlying formulas for
addition and doubling.

Signed-off-by: Daiki Ueno 
---
 ecc-192.c|  4 
 ecc-224.c|  4 
 ecc-25519.c  |  4 
 ecc-256.c|  4 
 ecc-384.c|  4 
 ecc-521.c|  4 
 ecc-internal.h   |  8 
 ecc-mul-a-eh.c   | 12 ++--
 ecc-mul-g-eh.c   |  4 ++--
 testsuite/ecc-add-test.c | 43 +--
 testsuite/ecc-dup-test.c | 10 +-
 11 files changed, 70 insertions(+), 31 deletions(-)

diff --git a/ecc-192.c b/ecc-192.c
index 5c52b043..1fbbcded 100644
--- a/ecc-192.c
+++ b/ecc-192.c
@@ -155,12 +155,16 @@ const struct ecc_curve nettle_secp_192r1 =
   ECC_PIPPENGER_K,
   ECC_PIPPENGER_C,
 
+  ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),
   ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
+  ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
   ECC_J_TO_A_ITCH (ECC_LIMB_SIZE),
 
+  ecc_add_jja,
   ecc_add_jjj,
+  ecc_dup_jj,
   ecc_mul_a,
   ecc_mul_g,
   ecc_j_to_a,
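Review bot: The two new entries are positional initializers inserted into the middle of `struct ecc_curve`, and because `add_hh_itch`, `add_hhh_itch`, `dup_itch` and `mul_itch` are all `unsigned short`, swapping `ECC_ADD_JJA_ITCH` and `ECC_ADD_JJJ_ITCH` (or `ECC_DUP_JJ_ITCH` and `ECC_MUL_A_ITCH`) in any one of the six curve files compiles silently and undersizes a scratch buffer only at run time. Designated initializers, `.add_hh_itch = ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),` and `.add_hh = ecc_add_jja,`, bind each value to its field by name and tolerate further insertions; the same applies to the ecc-224.c, ecc-25519.c, ecc-256.c, ecc-384.c and ecc-521.c hunks. The initializer of nettle_secp_192r1 starts before this hunk and continues past it, so the conversion would have to cover the whole aggregate rather than only the added lines.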
diff --git a/ecc-224.c b/ecc-224.c
index cdb42197..b1ff0578 100644
--- a/ecc-224.c
+++ b/ecc-224.c
@@ -107,12 +107,16 @@ const struct ecc_curve nettle_secp_224r1 =
   ECC_PIPPENGER_K,
   ECC_PIPPENGER_C,
 
+  ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),
   ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
+  ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
   ECC_J_TO_A_ITCH (ECC_LIMB_SIZE),
 
+  ecc_add_jja,
   ecc_add_jjj,
+  ecc_dup_jj,
   ecc_mul_a,
   ecc_mul_g,
   ecc_j_to_a,
diff --git a/ecc-25519.c b/ecc-25519.c
index 92de49be..16073ecf 100644
--- a/ecc-25519.c
+++ b/ecc-25519.c
@@ -335,12 +335,16 @@ const struct ecc_curve _nettle_curve25519 =
   ECC_PIPPENGER_K,
   ECC_PIPPENGER_C,
 
+  ECC_ADD_EH_ITCH (ECC_LIMB_SIZE),
   ECC_ADD_EHH_ITCH (ECC_LIMB_SIZE),
+  ECC_DUP_EH_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_A_EH_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_G_EH_ITCH (ECC_LIMB_SIZE),
   ECC_EH_TO_A_ITCH (ECC_LIMB_SIZE, ECC_25519_INV_ITCH),
 
+  ecc_add_eh,
   ecc_add_ehh,
+  ecc_dup_eh,
   ecc_mul_a_eh,
   ecc_mul_g_eh,
   ecc_eh_to_a,
diff --git a/ecc-256.c b/ecc-256.c
index e757985c..d0870657 100644
--- a/ecc-256.c
+++ b/ecc-256.c
@@ -284,12 +284,16 @@ const struct ecc_curve nettle_secp_256r1 =
   ECC_PIPPENGER_K,
   ECC_PIPPENGER_C,
 
+  ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),
   ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
+  ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
   ECC_J_TO_A_ITCH (ECC_LIMB_SIZE),
 
+  ecc_add_jja,
   ecc_add_jjj,
+  ecc_dup_jj,
   ecc_mul_a,
   ecc_mul_g,
   ecc_j_to_a,
diff --git a/ecc-384.c b/ecc-384.c
index a393c61f..006c4568 100644
--- a/ecc-384.c
+++ b/ecc-384.c
@@ -192,12 +192,16 @@ const struct ecc_curve nettle_secp_384r1 =
   ECC_PIPPENGER_K,
   ECC_PIPPENGER_C,
 
+  ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),
   ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
+  ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
   ECC_J_TO_A_ITCH (ECC_LIMB_SIZE),
 
+  ecc_add_jja,
   ecc_add_jjj,
+  ecc_dup_jj,
   ecc_mul_a,
   ecc_mul_g,
   ecc_j_to_a,
diff --git a/ecc-521.c b/ecc-521.c
index 1a08f209..9d32b54e 100644
--- a/ecc-521.c
+++ b/ecc-521.c
@@ -120,12 +120,16 @@ const struct ecc_curve nettle_secp_521r1 =
   ECC_PIPPENGER_K,
   ECC_PIPPENGER_C,
 
+  ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),
   ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
+  ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
   ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
   ECC_J_TO_A_ITCH (ECC_LIMB_SIZE),
 
+  ecc_add_jja,
   ecc_add_jjj,
+  ecc_dup_jj,
   ecc_mul_a,
   ecc_mul_g,
   ecc_j_to_a,
diff --git a/ecc-internal.h b/ecc-internal.h
index ce1e34fb..643277c0 100644
--- a/ecc-internal.h
+++ b/ecc-internal.h
@@ -112,6 +112,10 @@ typedef void ecc_add_func (const struct ecc_curve *ecc,
   const mp_limb_t *p, const mp_limb_t *q,
   mp_limb_t *scratch);
 
+typedef void ecc_dup_func (const struct ecc_curve *ecc,
+  mp_limb_t *r, const mp_limb_t *p,
+  mp_limb_t *scratch);
+
 typedef void ecc_mul_g_func (const struct ecc_curve *ecc, mp_limb_t *r,
 const mp_limb_t *np, mp_limb_t *scratch);
 
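Review bot: The new `ecc_dup_func` typedef has no comment stating its contract, although the tests in this series call it as `ecc->dup (ecc, p, p, scratch)`, so `r` aliasing `p` is relied upon, and its scratch requirement lives in a separate `dup_itch` field added in the next hunk; neither is visible at the declaration. I would add `/* r = 2p. r may alias p. scratch must hold at least dup_itch limbs (see struct ecc_curve). */` above the typedef, and in the struct hunk below a one-line comment on `add_hh_itch` and `dup_itch` saying they are the scratch sizes for `add_hh` and `dup` respectively, mirroring how `add_hhh_itch` pairs with `add_hhh`. The typedef is complete within this hunk.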
@@ -168,12 +172,16 @@ struct ecc_curve
   unsigned short pippenger_k;
   unsigned short pippenger_c;
 
+  unsigned short add_hh_itch;
   unsigned short add_hhh_itch;
+  unsigned short dup_itch;
   unsigned short mul_itch;
   unsigned short mul_g_itch;
   unsigned short h_to_a_itch;
 
+  ecc_add_func *add_hh;
   ecc_add_func *add_hhh;
+  ecc_dup_func *dup;
   ecc_mul_func *mul;
   ecc_mul_g_func *mul_g;
   ecc_h_to_a_func *h_to_a;
diff --git a/ecc-mul-a-eh.c b/ecc-mul-a-eh.c
index cf743236..e9b22cd4 100644
--- a/ecc-mul-a-eh.c
+++