Use the output buffer as a temporary buffer to store clamped private scalars

This might help avoid leaving a copy of the scalar on the stack.

Also use the same parameter names in donna as in the other implementations.
Maybe not the best possible names, but at least, things are consistent.
Frank Denis 2017-10-24 17:41:32 +02:00
parent e254a654dc
commit 58fa4172a5
4 changed files with 75 additions and 74 deletions


@ -501,29 +501,27 @@ crecip(felem out, const felem z)
/* 2^255 - 21 */ fmul(out, t0, a); /* 2^255 - 21 */ fmul(out, t0, a);
} }
static const unsigned char basepoint[32] = { 9 };
static int static int
crypto_scalarmult_curve25519_donna_c64(unsigned char *mypublic, crypto_scalarmult_curve25519_donna_c64(unsigned char *q,
const unsigned char *secret, const unsigned char *n,
const unsigned char *basepoint) const unsigned char *p)
{ {
limb bp[5], x[5], z[5], zmone[5]; limb bp[5], x[5], z[5], zmone[5];
uint8_t e[32]; unsigned char *t = q;
int i; int i;
for (i = 0; i < 32; ++i) { for (i = 0; i < 32; ++i) {
e[i] = secret[i]; t[i] = n[i];
} }
e[0] &= 248; t[0] &= 248;
e[31] &= 127; t[31] &= 127;
e[31] |= 64; t[31] |= 64;
fexpand(bp, basepoint); fexpand(bp, p);
cmult(x, z, e, bp); cmult(x, z, t, bp);
crecip(zmone, z); crecip(zmone, z);
fmul(z, x, zmone); fmul(z, x, zmone);
fcontract(mypublic, z); fcontract(q, z);
return 0; return 0;
} }
@ -532,6 +530,8 @@ static int
crypto_scalarmult_curve25519_donna_c64_base(unsigned char *q, crypto_scalarmult_curve25519_donna_c64_base(unsigned char *q,
const unsigned char *n) const unsigned char *n)
{ {
static const unsigned char basepoint[32] = { 9 };
return crypto_scalarmult_curve25519_donna_c64(q, n, basepoint); return crypto_scalarmult_curve25519_donna_c64(q, n, basepoint);
} }
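Review bot: The copy loop `t[i] = n[i]` now writes the clamped scalar into `q` before `fexpand(bp, p)` reads the point, so a caller that passes the same buffer as `q` and `p` — which the old stack copy `e` tolerated — silently gets a scalar multiple of a clobbered point. Moving `fexpand(bp, p);` above the loop consumes `p` before `q` is touched and keeps the stack-free copy; otherwise the header should state that `q` must not overlap `p`. The ref10 and sandy2x sections have the same ordering with `fe_frombytes(x1, p)` after their copy loops, and the ed25519 section reads `p` outside its hunk so I can't tell there. `q == n` stays safe because the loop copies each byte onto itself in place.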


@ -177,7 +177,7 @@ crypto_scalarmult_curve25519_ref10(unsigned char *q,
const unsigned char *n, const unsigned char *n,
const unsigned char *p) const unsigned char *p)
{ {
unsigned char e[32]; unsigned char *t = q;
unsigned int i; unsigned int i;
fe x1; fe x1;
fe x2; fe x2;
@ -190,12 +190,12 @@ crypto_scalarmult_curve25519_ref10(unsigned char *q,
unsigned int swap; unsigned int swap;
unsigned int b; unsigned int b;
for (i = 0; i < 32; ++i) { for (i = 0; i < 32; i++) {
e[i] = n[i]; t[i] = n[i];
} }
e[0] &= 248; t[0] &= 248;
e[31] &= 127; t[31] &= 127;
e[31] |= 64; t[31] |= 64;
fe_frombytes(x1, p); fe_frombytes(x1, p);
fe_1(x2); fe_1(x2);
fe_0(z2); fe_0(z2);
@ -204,7 +204,7 @@ crypto_scalarmult_curve25519_ref10(unsigned char *q,
swap = 0; swap = 0;
for (pos = 254; pos >= 0; --pos) { for (pos = 254; pos >= 0; --pos) {
b = e[pos / 8] >> (pos & 7); b = t[pos / 8] >> (pos & 7);
b &= 1; b &= 1;
swap ^= b; swap ^= b;
fe_cswap(x2, x3, swap); fe_cswap(x2, x3, swap);
@ -255,18 +255,18 @@ static int
crypto_scalarmult_curve25519_ref10_base(unsigned char *q, crypto_scalarmult_curve25519_ref10_base(unsigned char *q,
const unsigned char *n) const unsigned char *n)
{ {
unsigned char e[32]; unsigned char *t = q;
ge_p3 A; ge_p3 A;
fe pk; fe pk;
unsigned int i; unsigned int i;
for (i = 0; i < 32; ++i) { for (i = 0; i < 32; i++) {
e[i] = n[i]; t[i] = n[i];
} }
e[0] &= 248; t[0] &= 248;
e[31] &= 127; t[31] &= 127;
e[31] |= 64; t[31] |= 64;
ge_scalarmult_base(&A, e); ge_scalarmult_base(&A, t);
edwards_to_montgomery(pk, A.Y, A.Z); edwards_to_montgomery(pk, A.Y, A.Z);
fe_tobytes(q, pk); fe_tobytes(q, pk);


@ -25,22 +25,22 @@ static int
crypto_scalarmult_curve25519_sandy2x(unsigned char *q, const unsigned char *n, crypto_scalarmult_curve25519_sandy2x(unsigned char *q, const unsigned char *n,
const unsigned char *p) const unsigned char *p)
{ {
unsigned char e[32]; unsigned char *t = q;
unsigned int i;
fe var[3]; fe var[3];
fe51 x_51; fe51 x_51;
fe51 z_51; fe51 z_51;
unsigned int i;
for (i = 0;i < 32;++i) e[i] = n[i]; for (i = 0; i < 32; i++) {
e[0] &= 248; t[i] = n[i];
e[31] &= 127; }
e[31] |= 64; t[0] &= 248;
t[31] &= 127;
t[31] |= 64;
fe_frombytes(x1, p); fe_frombytes(x1, p);
ladder(var, e); ladder(var, t);
z_51.v[0] = (z2[1] << 26) + z2[0]; z_51.v[0] = (z2[1] << 26) + z2[0];
z_51.v[1] = (z2[3] << 26) + z2[2]; z_51.v[1] = (z2[3] << 26) + z2[2];
@ -71,20 +71,20 @@ static int
crypto_scalarmult_curve25519_sandy2x_base(unsigned char *q, crypto_scalarmult_curve25519_sandy2x_base(unsigned char *q,
const unsigned char *n) const unsigned char *n)
{ {
unsigned char e[32]; unsigned char *t = q;
unsigned int i;
fe var[3]; fe var[3];
fe51 x_51; fe51 x_51;
fe51 z_51; fe51 z_51;
unsigned int i;
for (i = 0;i < 32;++i) e[i] = n[i]; for (i = 0;i < 32; i++) {
e[0] &= 248; t[i] = n[i];
e[31] &= 127; }
e[31] |= 64; t[0] &= 248;
t[31] &= 127;
t[31] |= 64;
ladder_base(var, e); ladder_base(var, t);
z_51.v[0] = (z2[1] << 26) + z2[0]; z_51.v[0] = (z2[1] << 26) + z2[0];
z_51.v[1] = (z2[3] << 26) + z2[2]; z_51.v[1] = (z2[3] << 26) + z2[2];
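Review bot: The copy loop in `crypto_scalarmult_curve25519_sandy2x_base` keeps the old `for (i = 0;i < 32; i++) {` spacing while its sibling in `crypto_scalarmult_curve25519_sandy2x` was reformatted to `for (i = 0; i < 32; i++) {`; since the commit is about making the implementations consistent, the base variant should get the same form. Both functions continue past their hunks, so the point where the result overwrites the clamped scalar held in `t` is outside the view.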


@ -3,6 +3,7 @@
#include "crypto_scalarmult_ed25519.h" #include "crypto_scalarmult_ed25519.h"
#include "private/curve25519_ref10.h" #include "private/curve25519_ref10.h"
#include "utils.h"
static int static int
_crypto_scalarmult_ed25519_is_inf(const unsigned char s[32]) _crypto_scalarmult_ed25519_is_inf(const unsigned char s[32])
@ -31,7 +32,7 @@ int
crypto_scalarmult_ed25519(unsigned char *q, const unsigned char *n, crypto_scalarmult_ed25519(unsigned char *q, const unsigned char *n,
const unsigned char *p) const unsigned char *p)
{ {
unsigned char t[32]; unsigned char *t = q;
ge_p3 Q; ge_p3 Q;
ge_p3 P; ge_p3 P;
unsigned int i; unsigned int i;
@ -59,7 +60,7 @@ int
crypto_scalarmult_ed25519_base(unsigned char *q, crypto_scalarmult_ed25519_base(unsigned char *q,
const unsigned char *n) const unsigned char *n)
{ {
unsigned char t[32]; unsigned char *t = q;
ge_p3 Q; ge_p3 Q;
unsigned int i; unsigned int i;
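Review bot: With `t` pointing at `q`, the caller's output buffer holds the clamped private scalar (the copy-and-clamp loop is visible in the other three sections; here it is outside the hunk) until the public result is written over it, and the `_crypto_scalarmult_ed25519_is_inf` helper at the top of the section suggests `crypto_scalarmult_ed25519` has a failing return path; if that return happens after the clamp and before the write-back, the caller is left with a clamped copy of the secret in `q`. The bodies of both functions run past their hunks, so I can't see whether the new `#include "utils.h"` brings in a `sodium_memzero` of `q` on that path — worth confirming and noting at the declaration: `unsigned char *t = q; /* q holds the clamped scalar until the result overwrites it; zero it on every early return */`.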