Simplify ec_GFp_simple_points_make_affine.
Replace the tree-like structure by a linear approach, with fewer special
cases to handle value 0.
(Imported from upstream's d5213519c0ed87c71136084e7e843a4125ecc024.)
Change-Id: Icdd4815066bdbab0d2c0020db6a8cacc49b3d82a
Reviewed-on: https://boringssl-review.googlesource.com/1400
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/ec/simple.c b/crypto/ec/simple.c
index c62deb0..2c85746 100644
--- a/crypto/ec/simple.c
+++ b/crypto/ec/simple.c
@@ -1195,159 +1195,135 @@
int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num,
EC_POINT *points[], BN_CTX *ctx) {
BN_CTX *new_ctx = NULL;
- BIGNUM *tmp0, *tmp1;
- size_t pow2 = 0;
- BIGNUM **heap = NULL;
+ BIGNUM *tmp, *tmp_Z;
+ BIGNUM **prod_Z = NULL;
size_t i;
int ret = 0;
- if (num == 0)
+ if (num == 0) {
return 1;
+ }
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
+ if (ctx == NULL) {
return 0;
+ }
}
BN_CTX_start(ctx);
- tmp0 = BN_CTX_get(ctx);
- tmp1 = BN_CTX_get(ctx);
- if (tmp0 == NULL || tmp1 == NULL)
+ tmp = BN_CTX_get(ctx);
+ tmp_Z = BN_CTX_get(ctx);
+ if (tmp == NULL || tmp_Z == NULL) {
goto err;
+ }
- /* Before converting the individual points, compute inverses of all Z values.
- * Modular inversion is rather slow, but luckily we can do with a single
- * explicit inversion, plus about 3 multiplications per input value.
- */
-
- pow2 = 1;
- while (num > pow2)
- pow2 <<= 1;
- /* Now pow2 is the smallest power of 2 satifsying pow2 >= num.
- * We need twice that. */
- pow2 <<= 1;
-
- heap = OPENSSL_malloc(pow2 * sizeof heap[0]);
- if (heap == NULL)
+ prod_Z = OPENSSL_malloc(num * sizeof(prod_Z[0]));
+ if (prod_Z == NULL) {
goto err;
-
- /* TODO(bmoeller): There is no reason to use this tree structure.
- * We should instead proceed sequentially, exactly as in
- * ec_GFp_nistp_points_make_affine_internal, which makes everything
- * much simpler. */
-
- /* The array is used as a binary tree, exactly as in heapsort:
- *
- * heap[1]
- * heap[2] heap[3]
- * heap[4] heap[5] heap[6] heap[7]
- * heap[8]heap[9] heap[10]heap[11] heap[12]heap[13] heap[14] heap[15]
- *
- * We put the Z's in the last line;
- * then we set each other node to the product of its two child-nodes (where
- * empty or 0 entries are treated as ones);
- * then we invert heap[1];
- * then we invert each other node by replacing it by the product of its
- * parent (after inversion) and its sibling (before inversion).
- */
- heap[0] = NULL;
- for (i = pow2 / 2 - 1; i > 0; i--)
- heap[i] = NULL;
- for (i = 0; i < num; i++)
- heap[pow2 / 2 + i] = &points[i]->Z;
- for (i = pow2 / 2 + num; i < pow2; i++)
- heap[i] = NULL;
-
- /* set each node to the product of its children */
- for (i = pow2 / 2 - 1; i > 0; i--) {
- heap[i] = BN_new();
- if (heap[i] == NULL)
- goto err;
-
- if (heap[2 * i] != NULL) {
- if ((heap[2 * i + 1] == NULL) || BN_is_zero(heap[2 * i + 1])) {
- if (!BN_copy(heap[i], heap[2 * i]))
- goto err;
- } else {
- if (BN_is_zero(heap[2 * i])) {
- if (!BN_copy(heap[i], heap[2 * i + 1]))
- goto err;
- } else {
- if (!group->meth->field_mul(group, heap[i], heap[2 * i],
- heap[2 * i + 1], ctx))
- goto err;
- }
- }
- }
}
-
- /* invert heap[1] */
- if (!BN_is_zero(heap[1])) {
- if (!BN_mod_inverse(heap[1], heap[1], &group->field, ctx)) {
- OPENSSL_PUT_ERROR(EC, ec_GFp_simple_points_make_affine, ERR_R_BN_LIB);
- goto err;
- }
- }
- if (group->meth->field_encode != 0) {
- /* in the Montgomery case, we just turned R*H (representing H)
- * into 1/(R*H), but we need R*(1/H) (representing 1/H);
- * i.e. we have need to multiply by the Montgomery factor twice */
- if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) {
- goto err;
- }
- if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) {
+ memset(prod_Z, 0, num * sizeof(prod_Z[0]));
+ for (i = 0; i < num; i++) {
+ prod_Z[i] = BN_new();
+ if (prod_Z[i] == NULL) {
goto err;
}
}
- /* set other heap[i]'s to their inverses */
- for (i = 2; i < pow2 / 2 + num; i += 2) {
- /* i is even */
- if ((heap[i + 1] != NULL) && !BN_is_zero(heap[i + 1])) {
- if (!BN_is_zero(heap[i])) {
- if (!group->meth->field_mul(group, tmp0, heap[i / 2], heap[i + 1], ctx))
- goto err;
- if (!group->meth->field_mul(group, tmp1, heap[i / 2], heap[i], ctx))
- goto err;
- if (!BN_copy(heap[i], tmp0))
- goto err;
- if (!BN_copy(heap[i + 1], tmp1))
- goto err;
- } else {
- if (!BN_copy(heap[i + 1], heap[i / 2]))
- goto err;
+ /* Set each prod_Z[i] to the product of points[0]->Z .. points[i]->Z,
+ * skipping any zero-valued inputs (pretend that they're 1). */
+
+ if (!BN_is_zero(&points[0]->Z)) {
+ if (!BN_copy(prod_Z[0], &points[0]->Z)) {
+ goto err;
+ }
+ } else {
+ if (group->meth->field_set_to_one != 0) {
+ if (!group->meth->field_set_to_one(group, prod_Z[0], ctx)) {
+ goto err;
}
} else {
- if (!BN_copy(heap[i], heap[i / 2]))
+ if (!BN_one(prod_Z[0])) {
goto err;
+ }
}
}
- /* we have replaced all non-zero Z's by their inverses, now fix up all the
- * points */
+ for (i = 1; i < num; i++) {
+ if (!BN_is_zero(&points[i]->Z)) {
+ if (!group->meth->field_mul(group, prod_Z[i], prod_Z[i - 1],
+ &points[i]->Z, ctx)) {
+ goto err;
+ }
+ } else {
+ if (!BN_copy(prod_Z[i], prod_Z[i - 1])) {
+ goto err;
+ }
+ }
+ }
+
+ /* Now use a single explicit inversion to replace every
+ * non-zero points[i]->Z by its inverse. */
+
+ if (!BN_mod_inverse(tmp, prod_Z[num - 1], &group->field, ctx)) {
+ OPENSSL_PUT_ERROR(EC, ec_GFp_simple_points_make_affine, ERR_R_BN_LIB);
+ goto err;
+ }
+
+ if (group->meth->field_encode != NULL) {
+ /* In the Montgomery case, we just turned R*H (representing H)
+ * into 1/(R*H), but we need R*(1/H) (representing 1/H);
+ * i.e. we need to multiply by the Montgomery factor twice. */
+ if (!group->meth->field_encode(group, tmp, tmp, ctx) ||
+ !group->meth->field_encode(group, tmp, tmp, ctx)) {
+ goto err;
+ }
+ }
+
+ for (i = num - 1; i > 0; --i) {
+ /* Loop invariant: tmp is the product of the inverses of
+ * points[0]->Z .. points[i]->Z (zero-valued inputs skipped). */
+ if (BN_is_zero(&points[i]->Z)) {
+ continue;
+ }
+
+ /* Set tmp_Z to the inverse of points[i]->Z (as product
+ * of Z inverses 0 .. i, Z values 0 .. i - 1). */
+ if (!group->meth->field_mul(group, tmp_Z, prod_Z[i - 1], tmp, ctx) ||
+ /* Update tmp to satisfy the loop invariant for i - 1. */
+ !group->meth->field_mul(group, tmp, tmp, &points[i]->Z, ctx) ||
+ /* Replace points[i]->Z by its inverse. */
+ !BN_copy(&points[i]->Z, tmp_Z)) {
+ goto err;
+ }
+ }
+
+ /* Replace points[0]->Z by its inverse. */
+ if (!BN_is_zero(&points[0]->Z) && !BN_copy(&points[0]->Z, tmp)) {
+ goto err;
+ }
+
+ /* Finally, fix up the X and Y coordinates for all points. */
for (i = 0; i < num; i++) {
EC_POINT *p = points[i];
if (!BN_is_zero(&p->Z)) {
- /* turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1) */
+ /* turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1). */
+ if (!group->meth->field_sqr(group, tmp, &p->Z, ctx) ||
+ !group->meth->field_mul(group, &p->X, &p->X, tmp, ctx) ||
+ !group->meth->field_mul(group, tmp, tmp, &p->Z, ctx) ||
+ !group->meth->field_mul(group, &p->Y, &p->Y, tmp, ctx)) {
+ goto err;
+ }
- if (!group->meth->field_sqr(group, tmp1, &p->Z, ctx))
- goto err;
- if (!group->meth->field_mul(group, &p->X, &p->X, tmp1, ctx))
- goto err;
-
- if (!group->meth->field_mul(group, tmp1, tmp1, &p->Z, ctx))
- goto err;
- if (!group->meth->field_mul(group, &p->Y, &p->Y, tmp1, ctx))
- goto err;
-
- if (group->meth->field_set_to_one != 0) {
- if (!group->meth->field_set_to_one(group, &p->Z, ctx))
+ if (group->meth->field_set_to_one != NULL) {
+ if (!group->meth->field_set_to_one(group, &p->Z, ctx)) {
goto err;
+ }
} else {
- if (!BN_one(&p->Z))
+ if (!BN_one(&p->Z)) {
goto err;
+ }
}
p->Z_is_one = 1;
}
@@ -1357,16 +1333,18 @@
err:
BN_CTX_end(ctx);
- if (new_ctx != NULL)
+ if (new_ctx != NULL) {
BN_CTX_free(new_ctx);
- if (heap != NULL) {
- /* heap[pow2/2] .. heap[pow2-1] have not been allocated locally! */
- for (i = pow2 / 2 - 1; i > 0; i--) {
- if (heap[i] != NULL)
- BN_clear_free(heap[i]);
- }
- OPENSSL_free(heap);
}
+ if (prod_Z != NULL) {
+ for (i = 0; i < num; i++) {
+ if (prod_Z[i] != NULL) {
+ BN_clear_free(prod_Z[i]);
+ }
+ }
+ OPENSSL_free(prod_Z);
+ }
+
return ret;
}
