Move ecp_nistz256_from_mont out of the header

It used to be hand-written in assembly, so we tested it explicitly. But it's now a thin wrapper over mul_mont. Remove the ABI tests (no longer necessary) and convert the FromMont test vectors to MulMont.

Change-Id: I94696ac7d1f548072702a717183dec8001a47ecb
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/70807
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/crypto/fipsmodule/ec/p256-nistz.c.inc b/crypto/fipsmodule/ec/p256-nistz.c.inc
index 7d3e2fb..d0d6a069 100644
--- a/crypto/fipsmodule/ec/p256-nistz.c.inc
+++ b/crypto/fipsmodule/ec/p256-nistz.c.inc
@@ -39,7 +39,7 @@
 typedef P256_POINT_AFFINE PRECOMP256_ROW[64];
 // One converted into the Montgomery domain
-static const BN_ULONG ONE[P256_LIMBS] = {
+static const BN_ULONG ONE_MONT[P256_LIMBS] = {
 TOBN(0x00000000, 0x00000001), TOBN(0xffffffff, 0x00000000),
 TOBN(0xffffffff, 0xffffffff), TOBN(0x00000000, 0xfffffffe),
 };
@@ -116,6 +116,14 @@
 return in;
 }
+// ecp_nistz256_from_mont sets |res| to |in|, converted from Montgomery domain
+// by multiplying with 1.
+static void ecp_nistz256_from_mont(BN_ULONG res[P256_LIMBS],
+ const BN_ULONG in[P256_LIMBS]) {
+ static const BN_ULONG ONE[P256_LIMBS] = {1};
+ ecp_nistz256_mul_mont(res, in, ONE);
+}
+
 // ecp_nistz256_mod_inverse_sqr_mont sets |r| to (|in| * 2^-256)^-2 * 2^256 mod
 // p. That is, |r| is the modular inverse square of |in| for input and output in
 // the Montgomery domain.
@@ -328,12 +336,12 @@
 copy_conditional(t.Y, p.Z, wvalue & 1);
 // Convert |t| from affine to Jacobian coordinates. We set Z to zero if |t|
- // is infinity and |ONE| otherwise. |t| was computed from the table, so it
- // is infinity iff |wvalue >> 1| is zero.
+ // is infinity and |ONE_MONT| otherwise. |t| was computed from the table, so
+ // it is infinity iff |wvalue >> 1| is zero.
 OPENSSL_memcpy(p.X, t.X, sizeof(p.X));
 OPENSSL_memcpy(p.Y, t.Y, sizeof(p.Y));
 OPENSSL_memset(p.Z, 0, sizeof(p.Z));
- copy_conditional(p.Z, ONE, is_not_zero(wvalue >> 1));
+ copy_conditional(p.Z, ONE_MONT, is_not_zero(wvalue >> 1));
 for (int i = 1; i < 37; i++) {
 wvalue = calc_wvalue(&index, p_str);
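Review bot: In the new static ecp_nistz256_from_mont, the local `ONE` is the plain integer 1 while the file-level constant renamed in the same change is `ONE_MONT` (1 in Montgomery form), and the comment `// by multiplying with 1.` does not say which of the two is meant, which is an easy trap for the next person touching this file. Suggest making the comment explicit, e.g. `// Multiplying by the integer 1 (not ONE_MONT, its Montgomery form) yields |in| * 2^-256 mod p, i.e. |in| taken out of the Montgomery domain.` The 2^-256 factor is the same relation the mod_inverse_sqr_mont comment below and the former FromMont vectors (`A * 2^-256 = Result (mod P)`) describe. The caller(s) of this helper are outside the hunk.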
@@ -372,14 +380,14 @@
 size_t wvalue = calc_first_wvalue(&index, p_str);
 // Convert |p| from affine to Jacobian coordinates. We set Z to zero if |p|
- // is infinity and |ONE| otherwise. |p| was computed from the table, so it
- // is infinity iff |wvalue >> 1| is zero.
+ // is infinity and |ONE_MONT| otherwise. |p| was computed from the table, so
+ // it is infinity iff |wvalue >> 1| is zero.
 if ((wvalue >> 1) != 0) {
 OPENSSL_memcpy(p.X, &ecp_nistz256_precomputed[0][(wvalue >> 1) - 1].X,
 sizeof(p.X));
 OPENSSL_memcpy(p.Y, &ecp_nistz256_precomputed[0][(wvalue >> 1) - 1].Y,
 sizeof(p.Y));
- OPENSSL_memcpy(p.Z, ONE, sizeof(p.Z));
+ OPENSSL_memcpy(p.Z, ONE_MONT, sizeof(p.Z));
 } else {
 OPENSSL_memset(p.X, 0, sizeof(p.X));
 OPENSSL_memset(p.Y, 0, sizeof(p.Y));
diff --git a/crypto/fipsmodule/ec/p256-nistz.h b/crypto/fipsmodule/ec/p256-nistz.h
index 3f5ea02..99aae95 100644
--- a/crypto/fipsmodule/ec/p256-nistz.h
+++ b/crypto/fipsmodule/ec/p256-nistz.h
@@ -56,14 +56,6 @@
 void ecp_nistz256_sqr_mont(BN_ULONG res[P256_LIMBS],
 const BN_ULONG a[P256_LIMBS]);
-// ecp_nistz256_from_mont sets |res| to |in|, converted from Montgomery domain
-// by multiplying with 1.
-static inline void ecp_nistz256_from_mont(BN_ULONG res[P256_LIMBS],
- const BN_ULONG in[P256_LIMBS]) {
- static const BN_ULONG ONE[P256_LIMBS] = { 1 };
- ecp_nistz256_mul_mont(res, in, ONE);
-}
-
 // P-256 scalar operations.
 //
diff --git a/crypto/fipsmodule/ec/p256-nistz_test.cc b/crypto/fipsmodule/ec/p256-nistz_test.cc
index 263db50..781d1f8 100644
--- a/crypto/fipsmodule/ec/p256-nistz_test.cc
+++ b/crypto/fipsmodule/ec/p256-nistz_test.cc
@@ -362,20 +362,6 @@
 }
 }
-static void TestFromMont(FileTest *t) {
- BN_ULONG a[P256_LIMBS], result[P256_LIMBS];
- ASSERT_TRUE(GetFieldElement(t, a, "A"));
- ASSERT_TRUE(GetFieldElement(t, result, "Result"));
-
- BN_ULONG ret[P256_LIMBS];
- ecp_nistz256_from_mont(ret, a);
- EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
-
- OPENSSL_memcpy(ret, a, sizeof(ret));
- ecp_nistz256_from_mont(ret, ret /* a */);
- EXPECT_FIELD_ELEMENTS_EQUAL(result, ret);
-}
-
 static void TestPointAdd(FileTest *t) {
 P256_POINT a, b;
 P256_POINT_AFFINE result;
@@ -493,8 +479,6 @@
 TestNegate(t);
 } else if (t->GetParameter() == "MulMont") {
 TestMulMont(t);
- } else if (t->GetParameter() == "FromMont") {
- TestFromMont(t);
 } else if (t->GetParameter() == "PointAdd") {
 TestPointAdd(t);
 } else if (t->GetParameter() == "OrdMulMont") {
@@ -514,7 +498,6 @@
 CHECK_ABI(ecp_nistz256_neg, b, a);
 CHECK_ABI(ecp_nistz256_mul_mont, c, a, b);
 CHECK_ABI(ecp_nistz256_sqr_mont, c, a);
- CHECK_ABI(ecp_nistz256_from_mont, c, a);
 CHECK_ABI(ecp_nistz256_ord_mul_mont, c, a, b);
 // Check a few different loop counts.
diff --git a/crypto/fipsmodule/ec/p256-nistz_tests.txt b/crypto/fipsmodule/ec/p256-nistz_tests.txt
index 8bc301e..099564f 100644
--- a/crypto/fipsmodule/ec/p256-nistz_tests.txt
+++ b/crypto/fipsmodule/ec/p256-nistz_tests.txt
@@ -1138,49 +1138,54 @@
 B = 71c328ce472ae74b5028b21f9d1997e0f7dbcee979a8f9fdecfa5d37d359c835
 Result = c3472fafd01fc3ed93a91ab65411cb852bd5839603a02ca6cdfbadcb9ac474a0
-
-# Montgomery conversion tests.
-#
-# The following tests satisfy A * 2^-256 = Result (mod P).
-
-Test = FromMont
+Test = MulMont
 A = 0585a3dada9bb283fd8db4fc46c106d28f95b8cf159a405891196dbb9ce0b5cf
+B = 0000000000000000000000000000000000000000000000000000000000000001
 Result = d198d054d25a069c40cdeeb968a5562a67c3ef659297169e4be872f234897dc0
-Test = FromMont
+Test = MulMont
 A = 9ff49a4a3f810fd34ca6f37fb1b3c40e61bc0492227e91e41cbe06bd58ba65b8
+B = 0000000000000000000000000000000000000000000000000000000000000001
 Result = 326a061b2047d9ba4eddaba9b1fe253d5b2a24e268e3f8810767bef8cda07643
-Test = FromMont
+Test = MulMont
 A = 05a69f8f646494be65affbd44d0536ca098d6f3640e80b5e48764ab78928cf58
+B = 0000000000000000000000000000000000000000000000000000000000000001
 Result = 5a6f9c7025d4063480c400fe6f271cf3a3d2c43f9e1ceac21a88208c28329731
-Test = FromMont
+Test = MulMont
 A = 256481a9e52d692719330a6f1208d9eca4ddd919aee06e234cbbde77d245501b
+B = 0000000000000000000000000000000000000000000000000000000000000001
 Result = fe9fc86a2ff61a0c981d5e86c5472248e071e9639521c5be43947bfffc7d5858
-Test = FromMont
+Test = MulMont
 A = 2062ef333cadefc36ced52a2ea7e4215b1fca29283baa1e3be76e321f1b213f0
+B = 0000000000000000000000000000000000000000000000000000000000000001
 Result = 961ce39c3bf1d699b4b61ded8a5beae6eb6185d21f1df435b079b1f6a79dc738
-Test = FromMont
+Test = MulMont
 A = 97241c3651a8f9d2fc02730f15c3e09e48d2e645cfe927385cb81d3f454414fb
+B = 0000000000000000000000000000000000000000000000000000000000000001
 Result = 2114225803efe7b6c7fbb290cb946da4e78697aad5624c2d3fe9fb568460b93c
-Test = FromMont
+Test = MulMont
 A = 1aae0ad2c8ac988e11beda32ca7257f4d4de41f4b74452fa46f0a3bafb39262a
+B = 0000000000000000000000000000000000000000000000000000000000000001
 Result = 77c884131c34a2c3acce8a69dc5cf55987b7999c70586a9ef3c0dfb634900296
-Test = FromMont
+Test = MulMont
 A = 034de033e2d38cf8bec8a994414b64a2fce7c83c5d81efc3d21448225071e85d
+B = 0000000000000000000000000000000000000000000000000000000000000001
 Result = 984fecbde84f393133fb602777b4395c56449d2cbbd7d8ae428b2ee6f82a2956
-Test = FromMont
+Test = MulMont
 A = d2b296c2004b2761b6781311c924cbf5ff56dcc0900ed5cd24f5dd2e07f32633
+B = 0000000000000000000000000000000000000000000000000000000000000001
 Result = ddcff6e031b859a814ce8f37b71c10cd5fb642af54af72deabb95adcb99307b1
-Test = FromMont
+Test = MulMont
 A = 8f525e6af50a62fc176dec75bdf48f70ba8ab97323ba78c643ef07f6457ba070
+B = 0000000000000000000000000000000000000000000000000000000000000001
 Result = 8fa95d57aae2fff79045654501478f7a394b27b8b54113a25ac74662606f767c
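Review bot: The converted vectors drop the only statement of what they check (`# The following tests satisfy A * 2^-256 = Result (mod P).`), so a reader of the MulMont section can no longer tell these B = 1 entries apart from ordinary multiplication vectors or see that they pin the Montgomery-conversion relation the new from_mont wrapper relies on. Keep a one-line comment ahead of them, e.g. `# Montgomery conversion tests, expressed as MulMont with B = 1: A * 2^-256 = Result (mod P).` Separately, the deleted TestFromMont also ran the conversion in place (`ecp_nistz256_from_mont(ret, ret /* a */)`), and that coverage survives only if TestMulMont (outside this diff) exercises aliased operands as well; worth confirming, since the wrapper presumably hands aliased pointers straight to the mul_mont implementation.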