commit 4111dd2fc215e49ff3b01e735da087ee72779758
author David Benjamin <davidben@google.com> Sat Jan 20 09:11:50 2018 -0500
committer Adam Langley <agl@google.com> Tue Jan 23 21:06:42 2018 +0000
tree a788a0d0799c6c195e0960f89265fc02e808e194
parent 186df3a655fcd290f7d74b5415091149cc164289

Don't compute a per-scalar window size in wNAF code.

Simplify things slightly. The probability of the scalar being small
enough to go down a window size is astronomically small. (2^-186 for
P-256 and 2^-84 for P-384.)

Change-Id: Ie879f0b06bcfd1e6e6e3bf3f54e0d7d6567525a4
Reviewed-on: https://boringssl-review.googlesource.com/25144
Reviewed-by: Adam Langley <agl@google.com>

crypto/fipsmodule/ec/wnaf.c

diff --git a/crypto/fipsmodule/ec/wnaf.c b/crypto/fipsmodule/ec/wnaf.c
index e3b6437..d0a79f7 100644
--- a/crypto/fipsmodule/ec/wnaf.c
+++ b/crypto/fipsmodule/ec/wnaf.c
@@ -242,7 +242,6 @@
   int k;
   int r_is_inverted = 0;
   int r_is_at_infinity = 1;
-  size_t *wsize = NULL;      // individual window sizes
   int8_t **wNAF = NULL;  // individual wNAFs
   size_t *wNAF_len = NULL;
   size_t max_len = 0;
@@ -298,7 +297,6 @@
   }
 
 
-  wsize = OPENSSL_malloc(total_num * sizeof(wsize[0]));
   wNAF_len = OPENSSL_malloc(total_num * sizeof(wNAF_len[0]));
   wNAF = OPENSSL_malloc(total_num * sizeof(wNAF[0]));
   val_sub = OPENSSL_malloc(total_num * sizeof(val_sub[0]));
@@ -308,22 +306,15 @@
     OPENSSL_memset(wNAF, 0, total_num * sizeof(wNAF[0]));
   }
 
-  if (!wsize || !wNAF_len || !wNAF || !val_sub) {
+  if (!wNAF_len || !wNAF || !val_sub) {
     OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE);
     goto err;
   }
 
-  // num_val will be the total number of temporarily precomputed points
-  num_val = 0;
-
+  size_t wsize = window_bits_for_scalar_size(BN_num_bits(&group->order));
   for (i = 0; i < total_num; i++) {
-    size_t bits;
-
-    bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(g_scalar);
-    wsize[i] = window_bits_for_scalar_size(bits);
-    num_val += (size_t)1 << (wsize[i] - 1);
     wNAF[i] =
-        compute_wNAF((i < num ? scalars[i] : g_scalar), wsize[i], &wNAF_len[i]);
+        compute_wNAF((i < num ? scalars[i] : g_scalar), wsize, &wNAF_len[i]);
     if (wNAF[i] == NULL) {
       goto err;
     }
@@ -332,6 +323,8 @@
     }
   }
 
+  // num_val is the total number of temporarily precomputed points
+  num_val = total_num * ((size_t)1 << (wsize - 1));
   // All points we precompute now go into a single array 'val'. 'val_sub[i]' is
   // a pointer to the subarray for the i-th point.
   val = OPENSSL_malloc(num_val * sizeof(val[0]));
@@ -345,7 +338,7 @@
   v = val;
   for (i = 0; i < total_num; i++) {
     val_sub[i] = v;
-    for (j = 0; j < ((size_t)1 << (wsize[i] - 1)); j++) {
+    for (j = 0; j < ((size_t)1 << (wsize - 1)); j++) {
       *v = EC_POINT_new(group);
       if (*v == NULL) {
         goto err;
@@ -376,11 +369,11 @@
       goto err;
     }
 
-    if (wsize[i] > 1) {
+    if (wsize > 1) {
       if (!EC_POINT_dbl(group, tmp, val_sub[i][0], ctx)) {
         goto err;
       }
-      for (j = 1; j < ((size_t)1 << (wsize[i] - 1)); j++) {
+      for (j = 1; j < ((size_t)1 << (wsize - 1)); j++) {
         if (!EC_POINT_add(group, val_sub[i][j], val_sub[i][j - 1], tmp, ctx)) {
           goto err;
         }
@@ -453,7 +446,6 @@
   }
   BN_CTX_free(new_ctx);
   EC_POINT_free(tmp);
-  OPENSSL_free(wsize);
   OPENSSL_free(wNAF_len);
   if (wNAF != NULL) {
     for (i = 0; i < total_num; i++) {