Add additional constants to make_curve25519_tables.py.
These are also constants that depend on the field representation.
Change-Id: I22333c099352ad64eb27fe15ffdc38c6ae7c07ff
Reviewed-on: https://boringssl-review.googlesource.com/24746
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/third_party/fiat/curve25519.c b/third_party/fiat/curve25519.c
index ee5a161..be887bd 100644
--- a/third_party/fiat/curve25519.c
+++ b/third_party/fiat/curve25519.c
@@ -911,11 +911,7 @@
s[31] ^= fe_isnegative(&x) << 7;
}
-static const fe d = {{56195235, 13857412, 51736253, 6949390, 114729,
- 24766616, 60832955, 30306712, 48412415, 21499315}};
-
-static const fe sqrtm1 = {{34513072, 25610706, 9377949, 3500415, 12389472,
- 33281959, 41962654, 31548777, 326685, 11406482}};
+#include "./curve25519_tables.h"
int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t *s) {
fe u;
@@ -996,9 +992,6 @@
fe_copy(&r->Z, &p->Z);
}
-static const fe d2 = {{45281625, 27714825, 36363642, 13898781, 229458,
- 15978800, 54557047, 27058993, 29715967, 9444199}};
-
// r = p
void x25519_ge_p3_to_cached(ge_cached *r, const ge_p3 *p) {
fe_add(&r->YplusX, &p->Y, &p->X);
@@ -1193,8 +1186,6 @@
}
}
-#include "./curve25519_tables.h"
-
#if defined(OPENSSL_SMALL)
void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]) {
diff --git a/third_party/fiat/curve25519_tables.h b/third_party/fiat/curve25519_tables.h
index a05702d..a36c7ff 100644
--- a/third_party/fiat/curve25519_tables.h
+++ b/third_party/fiat/curve25519_tables.h
@@ -24,6 +24,15 @@
// ./make_curve25519_tables.py > curve25519_tables.h
+static const fe d = {{56195235, 13857412, 51736253, 6949390, 114729, 24766616,
+ 60832955, 30306712, 48412415, 21499315}};
+
+static const fe sqrtm1 = {{34513072, 25610706, 9377949, 3500415, 12389472,
+ 33281959, 41962654, 31548777, 326685, 11406482}};
+
+static const fe d2 = {{45281625, 27714825, 36363642, 13898781, 229458, 15978800,
+ 54557047, 27058993, 29715967, 9444199}};
+
#if defined(OPENSSL_SMALL)
// This block of code replaces the standard base-point table with a much smaller
diff --git a/third_party/fiat/make_curve25519_tables.py b/third_party/fiat/make_curve25519_tables.py
index 3318dbf..11c349b 100755
--- a/third_party/fiat/make_curve25519_tables.py
+++ b/third_party/fiat/make_curve25519_tables.py
@@ -31,6 +31,9 @@
def modp_inv(x):
return pow(x, p-2, p)
+# Square root of -1
+modp_sqrt_m1 = pow(2, (p-1) // 4, p)
+
# Compute corresponding x-coordinate, with low bit corresponding to
# sign, or return None on failure
def recover_x(y, sign):
@@ -107,6 +110,8 @@
return ret
def main():
+ d2 = (2 * d) % p
+
small_precomp = bytearray()
for i in range(1, 16):
s = (i&1) | ((i&2) << (64-1)) | ((i&4) << (128-2)) | ((i&8) << (192-3))
@@ -154,6 +159,21 @@
// ./make_curve25519_tables.py > curve25519_tables.h
+static const fe d = {{
+""")
+ buf.write(", ".join(map(str, to_base_25_5(d))))
+ buf.write("""}};
+
+static const fe sqrtm1 = {{
+""")
+ buf.write(", ".join(map(str, to_base_25_5(modp_sqrt_m1))))
+ buf.write("""}};
+
+static const fe d2 = {{
+""")
+ buf.write(", ".join(map(str, to_base_25_5(d2))))
+ buf.write("""}};
+
#if defined(OPENSSL_SMALL)
// This block of code replaces the standard base-point table with a much smaller
