Move ecp_nistz256_from_mont out of the header
It used to be hand-written in assembly, so we tested it explicitly. But
it's now a thin wrapper over mul_mont. Remove the ABI tests (no longer
necessary) and convert the FromMont test vectors to MulMont.
Change-Id: I94696ac7d1f548072702a717183dec8001a47ecb
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/70807
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/crypto/fipsmodule/ec/p256-nistz.c.inc b/crypto/fipsmodule/ec/p256-nistz.c.inc
index 7d3e2fb..d0d6a069 100644
--- a/crypto/fipsmodule/ec/p256-nistz.c.inc
+++ b/crypto/fipsmodule/ec/p256-nistz.c.inc
@@ -39,7 +39,7 @@
typedef P256_POINT_AFFINE PRECOMP256_ROW[64];
// One converted into the Montgomery domain
-static const BN_ULONG ONE[P256_LIMBS] = {
+static const BN_ULONG ONE_MONT[P256_LIMBS] = {
TOBN(0x00000000, 0x00000001), TOBN(0xffffffff, 0x00000000),
TOBN(0xffffffff, 0xffffffff), TOBN(0x00000000, 0xfffffffe),
};
@@ -116,6 +116,14 @@
return in;
}
+// ecp_nistz256_from_mont sets |res| to |in|, converted from Montgomery domain
+// by multiplying with 1.
+static void ecp_nistz256_from_mont(BN_ULONG res[P256_LIMBS],
+ const BN_ULONG in[P256_LIMBS]) {
+ static const BN_ULONG ONE[P256_LIMBS] = {1};
+ ecp_nistz256_mul_mont(res, in, ONE);
+}
+
// ecp_nistz256_mod_inverse_sqr_mont sets |r| to (|in| * 2^-256)^-2 * 2^256 mod
// p. That is, |r| is the modular inverse square of |in| for input and output in
// the Montgomery domain.
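Review bot: The comment on the new file-local `ecp_nistz256_from_mont` does not say whether |res| may alias |in|, although the `TestFromMont` removed later in this commit called it in place (`ecp_nistz256_from_mont(ret, ret /* a */)`). The wrapper only forwards to `ecp_nistz256_mul_mont`, so the in-place guarantee is presumably inherited from it; I would state that in the comment, e.g. `// |res| and |in| may alias.`. Whether the converted MulMont vectors still exercise the aliased-output case depends on `TestMulMont`, which is not visible in this diff, so confirm that coverage was not lost with the dedicated test. The function also loses `inline` in the move, so a build configuration of this `.c.inc` with no caller could warn about an unused static function; the callers are outside the hunk, so check that as well.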
@@ -328,12 +336,12 @@
copy_conditional(t.Y, p.Z, wvalue & 1);
// Convert |t| from affine to Jacobian coordinates. We set Z to zero if |t|
- // is infinity and |ONE| otherwise. |t| was computed from the table, so it
- // is infinity iff |wvalue >> 1| is zero.
+ // is infinity and |ONE_MONT| otherwise. |t| was computed from the table, so
+ // it is infinity iff |wvalue >> 1| is zero.
OPENSSL_memcpy(p.X, t.X, sizeof(p.X));
OPENSSL_memcpy(p.Y, t.Y, sizeof(p.Y));
OPENSSL_memset(p.Z, 0, sizeof(p.Z));
- copy_conditional(p.Z, ONE, is_not_zero(wvalue >> 1));
+ copy_conditional(p.Z, ONE_MONT, is_not_zero(wvalue >> 1));
for (int i = 1; i < 37; i++) {
wvalue = calc_wvalue(&index, p_str);
@@ -372,14 +380,14 @@
size_t wvalue = calc_first_wvalue(&index, p_str);
// Convert |p| from affine to Jacobian coordinates. We set Z to zero if |p|
- // is infinity and |ONE| otherwise. |p| was computed from the table, so it
- // is infinity iff |wvalue >> 1| is zero.
+ // is infinity and |ONE_MONT| otherwise. |p| was computed from the table, so
+ // it is infinity iff |wvalue >> 1| is zero.
if ((wvalue >> 1) != 0) {
OPENSSL_memcpy(p.X, &ecp_nistz256_precomputed[0][(wvalue >> 1) - 1].X,
sizeof(p.X));
OPENSSL_memcpy(p.Y, &ecp_nistz256_precomputed[0][(wvalue >> 1) - 1].Y,
sizeof(p.Y));
- OPENSSL_memcpy(p.Z, ONE, sizeof(p.Z));
+ OPENSSL_memcpy(p.Z, ONE_MONT, sizeof(p.Z));
} else {
OPENSSL_memset(p.X, 0, sizeof(p.X));
OPENSSL_memset(p.Y, 0, sizeof(p.Y));
diff --git a/crypto/fipsmodule/ec/p256-nistz.h b/crypto/fipsmodule/ec/p256-nistz.h
index 3f5ea02..99aae95 100644
--- a/crypto/fipsmodule/ec/p256-nistz.h
+++ b/crypto/fipsmodule/ec/p256-nistz.h
@@ -56,14 +56,6 @@
void ecp_nistz256_sqr_mont(BN_ULONG res[P256_LIMBS],
const BN_ULONG a[P256_LIMBS]);
-// ecp_nistz256_from_mont sets |res| to |in|, converted from Montgomery domain
-// by multiplying with 1.
-static inline void ecp_nistz256_from_mont(BN_ULONG res[P256_LIMBS],
- const BN_ULONG in[P256_LIMBS]) {
- static const BN_ULONG ONE[P256_LIMBS] = { 1 };
- ecp_nistz256_mul_mont(res, in, ONE);
-}
-
// P-256 scalar operations.
//
diff --git a/crypto/fipsmodule/ec/p256-nistz_test.cc b/crypto/fipsmodule/ec/p256-nistz_test.cc
index 263db50..781d1f8 100644
--- a/crypto/fipsmodule/ec/p256-nistz_test.cc
+++ b/crypto/fipsmodule/ec/p256-nistz_test.cc
@@ -362,20 +362,6 @@
}
}
-static void TestFromMont(FileTest *t) {
- BN_ULONG a[P256_LIMBS], result[P256_LIMBS];
- ASSERT_TRUE(GetFieldElement(t, a, "A"));
- ASSERT_TRUE(GetFieldElement(t, result, "Result"));
-
- BN_ULONG ret[P256_LIMBS];
- ecp_nistz256_from_mont(ret, a);
- EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
-
- OPENSSL_memcpy(ret, a, sizeof(ret));
- ecp_nistz256_from_mont(ret, ret /* a */);
- EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
-}
-
static void TestPointAdd(FileTest *t) {
P256_POINT a, b;
P256_POINT_AFFINE result;
@@ -493,8 +479,6 @@
TestNegate(t);
} else if (t->GetParameter() == "MulMont") {
TestMulMont(t);
- } else if (t->GetParameter() == "FromMont") {
- TestFromMont(t);
} else if (t->GetParameter() == "PointAdd") {
TestPointAdd(t);
} else if (t->GetParameter() == "OrdMulMont") {
@@ -514,7 +498,6 @@
CHECK_ABI(ecp_nistz256_neg, b, a);
CHECK_ABI(ecp_nistz256_mul_mont, c, a, b);
CHECK_ABI(ecp_nistz256_sqr_mont, c, a);
- CHECK_ABI(ecp_nistz256_from_mont, c, a);
CHECK_ABI(ecp_nistz256_ord_mul_mont, c, a, b);
// Check a few different loop counts.
diff --git a/crypto/fipsmodule/ec/p256-nistz_tests.txt b/crypto/fipsmodule/ec/p256-nistz_tests.txt
index 8bc301e..099564f 100644
--- a/crypto/fipsmodule/ec/p256-nistz_tests.txt
+++ b/crypto/fipsmodule/ec/p256-nistz_tests.txt
@@ -1138,49 +1138,54 @@
B = 71c328ce472ae74b5028b21f9d1997e0f7dbcee979a8f9fdecfa5d37d359c835
Result = c3472fafd01fc3ed93a91ab65411cb852bd5839603a02ca6cdfbadcb9ac474a0
-
-# Montgomery conversion tests.
-#
-# The following tests satisfy A * 2^-256 = Result (mod P).
-
-Test = FromMont
+Test = MulMont
A = 0585a3dada9bb283fd8db4fc46c106d28f95b8cf159a405891196dbb9ce0b5cf
+B = 0000000000000000000000000000000000000000000000000000000000000001
Result = d198d054d25a069c40cdeeb968a5562a67c3ef659297169e4be872f234897dc0
-Test = FromMont
+Test = MulMont
A = 9ff49a4a3f810fd34ca6f37fb1b3c40e61bc0492227e91e41cbe06bd58ba65b8
+B = 0000000000000000000000000000000000000000000000000000000000000001
Result = 326a061b2047d9ba4eddaba9b1fe253d5b2a24e268e3f8810767bef8cda07643
-Test = FromMont
+Test = MulMont
A = 05a69f8f646494be65affbd44d0536ca098d6f3640e80b5e48764ab78928cf58
+B = 0000000000000000000000000000000000000000000000000000000000000001
Result = 5a6f9c7025d4063480c400fe6f271cf3a3d2c43f9e1ceac21a88208c28329731
-Test = FromMont
+Test = MulMont
A = 256481a9e52d692719330a6f1208d9eca4ddd919aee06e234cbbde77d245501b
+B = 0000000000000000000000000000000000000000000000000000000000000001
Result = fe9fc86a2ff61a0c981d5e86c5472248e071e9639521c5be43947bfffc7d5858
-Test = FromMont
+Test = MulMont
A = 2062ef333cadefc36ced52a2ea7e4215b1fca29283baa1e3be76e321f1b213f0
+B = 0000000000000000000000000000000000000000000000000000000000000001
Result = 961ce39c3bf1d699b4b61ded8a5beae6eb6185d21f1df435b079b1f6a79dc738
-Test = FromMont
+Test = MulMont
A = 97241c3651a8f9d2fc02730f15c3e09e48d2e645cfe927385cb81d3f454414fb
+B = 0000000000000000000000000000000000000000000000000000000000000001
Result = 2114225803efe7b6c7fbb290cb946da4e78697aad5624c2d3fe9fb568460b93c
-Test = FromMont
+Test = MulMont
A = 1aae0ad2c8ac988e11beda32ca7257f4d4de41f4b74452fa46f0a3bafb39262a
+B = 0000000000000000000000000000000000000000000000000000000000000001
Result = 77c884131c34a2c3acce8a69dc5cf55987b7999c70586a9ef3c0dfb634900296
-Test = FromMont
+Test = MulMont
A = 034de033e2d38cf8bec8a994414b64a2fce7c83c5d81efc3d21448225071e85d
+B = 0000000000000000000000000000000000000000000000000000000000000001
Result = 984fecbde84f393133fb602777b4395c56449d2cbbd7d8ae428b2ee6f82a2956
-Test = FromMont
+Test = MulMont
A = d2b296c2004b2761b6781311c924cbf5ff56dcc0900ed5cd24f5dd2e07f32633
+B = 0000000000000000000000000000000000000000000000000000000000000001
Result = ddcff6e031b859a814ce8f37b71c10cd5fb642af54af72deabb95adcb99307b1
-Test = FromMont
+Test = MulMont
A = 8f525e6af50a62fc176dec75bdf48f70ba8ab97323ba78c643ef07f6457ba070
+B = 0000000000000000000000000000000000000000000000000000000000000001
Result = 8fa95d57aae2fff79045654501478f7a394b27b8b54113a25ac74662606f767c