Use the output buffer as a temporary buffer to store clamped private scalars
This might help avoid leaving a copy of the scalar on the stack. Also use the same parameters names in donna as other implementations. Maybe not the best possible names, but at least, things are consistent.
This commit is contained in:
parent
e254a654dc
commit
58fa4172a5
@ -501,29 +501,27 @@ crecip(felem out, const felem z)
|
|||||||
/* 2^255 - 21 */ fmul(out, t0, a);
|
/* 2^255 - 21 */ fmul(out, t0, a);
|
||||||
}
|
}
|
||||||
|
|
||||||
static const unsigned char basepoint[32] = { 9 };
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
crypto_scalarmult_curve25519_donna_c64(unsigned char *mypublic,
|
crypto_scalarmult_curve25519_donna_c64(unsigned char *q,
|
||||||
const unsigned char *secret,
|
const unsigned char *n,
|
||||||
const unsigned char *basepoint)
|
const unsigned char *p)
|
||||||
{
|
{
|
||||||
limb bp[5], x[5], z[5], zmone[5];
|
limb bp[5], x[5], z[5], zmone[5];
|
||||||
uint8_t e[32];
|
unsigned char *t = q;
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
for (i = 0; i < 32; ++i) {
|
for (i = 0; i < 32; ++i) {
|
||||||
e[i] = secret[i];
|
t[i] = n[i];
|
||||||
}
|
}
|
||||||
e[0] &= 248;
|
t[0] &= 248;
|
||||||
e[31] &= 127;
|
t[31] &= 127;
|
||||||
e[31] |= 64;
|
t[31] |= 64;
|
||||||
|
|
||||||
fexpand(bp, basepoint);
|
fexpand(bp, p);
|
||||||
cmult(x, z, e, bp);
|
cmult(x, z, t, bp);
|
||||||
crecip(zmone, z);
|
crecip(zmone, z);
|
||||||
fmul(z, x, zmone);
|
fmul(z, x, zmone);
|
||||||
fcontract(mypublic, z);
|
fcontract(q, z);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -532,6 +530,8 @@ static int
|
|||||||
crypto_scalarmult_curve25519_donna_c64_base(unsigned char *q,
|
crypto_scalarmult_curve25519_donna_c64_base(unsigned char *q,
|
||||||
const unsigned char *n)
|
const unsigned char *n)
|
||||||
{
|
{
|
||||||
|
static const unsigned char basepoint[32] = { 9 };
|
||||||
|
|
||||||
return crypto_scalarmult_curve25519_donna_c64(q, n, basepoint);
|
return crypto_scalarmult_curve25519_donna_c64(q, n, basepoint);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -177,7 +177,7 @@ crypto_scalarmult_curve25519_ref10(unsigned char *q,
|
|||||||
const unsigned char *n,
|
const unsigned char *n,
|
||||||
const unsigned char *p)
|
const unsigned char *p)
|
||||||
{
|
{
|
||||||
unsigned char e[32];
|
unsigned char *t = q;
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
fe x1;
|
fe x1;
|
||||||
fe x2;
|
fe x2;
|
||||||
@ -190,12 +190,12 @@ crypto_scalarmult_curve25519_ref10(unsigned char *q,
|
|||||||
unsigned int swap;
|
unsigned int swap;
|
||||||
unsigned int b;
|
unsigned int b;
|
||||||
|
|
||||||
for (i = 0; i < 32; ++i) {
|
for (i = 0; i < 32; i++) {
|
||||||
e[i] = n[i];
|
t[i] = n[i];
|
||||||
}
|
}
|
||||||
e[0] &= 248;
|
t[0] &= 248;
|
||||||
e[31] &= 127;
|
t[31] &= 127;
|
||||||
e[31] |= 64;
|
t[31] |= 64;
|
||||||
fe_frombytes(x1, p);
|
fe_frombytes(x1, p);
|
||||||
fe_1(x2);
|
fe_1(x2);
|
||||||
fe_0(z2);
|
fe_0(z2);
|
||||||
@ -204,7 +204,7 @@ crypto_scalarmult_curve25519_ref10(unsigned char *q,
|
|||||||
|
|
||||||
swap = 0;
|
swap = 0;
|
||||||
for (pos = 254; pos >= 0; --pos) {
|
for (pos = 254; pos >= 0; --pos) {
|
||||||
b = e[pos / 8] >> (pos & 7);
|
b = t[pos / 8] >> (pos & 7);
|
||||||
b &= 1;
|
b &= 1;
|
||||||
swap ^= b;
|
swap ^= b;
|
||||||
fe_cswap(x2, x3, swap);
|
fe_cswap(x2, x3, swap);
|
||||||
@ -255,18 +255,18 @@ static int
|
|||||||
crypto_scalarmult_curve25519_ref10_base(unsigned char *q,
|
crypto_scalarmult_curve25519_ref10_base(unsigned char *q,
|
||||||
const unsigned char *n)
|
const unsigned char *n)
|
||||||
{
|
{
|
||||||
unsigned char e[32];
|
unsigned char *t = q;
|
||||||
ge_p3 A;
|
ge_p3 A;
|
||||||
fe pk;
|
fe pk;
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0; i < 32; ++i) {
|
for (i = 0; i < 32; i++) {
|
||||||
e[i] = n[i];
|
t[i] = n[i];
|
||||||
}
|
}
|
||||||
e[0] &= 248;
|
t[0] &= 248;
|
||||||
e[31] &= 127;
|
t[31] &= 127;
|
||||||
e[31] |= 64;
|
t[31] |= 64;
|
||||||
ge_scalarmult_base(&A, e);
|
ge_scalarmult_base(&A, t);
|
||||||
edwards_to_montgomery(pk, A.Y, A.Z);
|
edwards_to_montgomery(pk, A.Y, A.Z);
|
||||||
fe_tobytes(q, pk);
|
fe_tobytes(q, pk);
|
||||||
|
|
||||||
|
@ -25,22 +25,22 @@ static int
|
|||||||
crypto_scalarmult_curve25519_sandy2x(unsigned char *q, const unsigned char *n,
|
crypto_scalarmult_curve25519_sandy2x(unsigned char *q, const unsigned char *n,
|
||||||
const unsigned char *p)
|
const unsigned char *p)
|
||||||
{
|
{
|
||||||
unsigned char e[32];
|
unsigned char *t = q;
|
||||||
unsigned int i;
|
|
||||||
|
|
||||||
fe var[3];
|
fe var[3];
|
||||||
|
|
||||||
fe51 x_51;
|
fe51 x_51;
|
||||||
fe51 z_51;
|
fe51 z_51;
|
||||||
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0;i < 32;++i) e[i] = n[i];
|
for (i = 0; i < 32; i++) {
|
||||||
e[0] &= 248;
|
t[i] = n[i];
|
||||||
e[31] &= 127;
|
}
|
||||||
e[31] |= 64;
|
t[0] &= 248;
|
||||||
|
t[31] &= 127;
|
||||||
|
t[31] |= 64;
|
||||||
|
|
||||||
fe_frombytes(x1, p);
|
fe_frombytes(x1, p);
|
||||||
|
|
||||||
ladder(var, e);
|
ladder(var, t);
|
||||||
|
|
||||||
z_51.v[0] = (z2[1] << 26) + z2[0];
|
z_51.v[0] = (z2[1] << 26) + z2[0];
|
||||||
z_51.v[1] = (z2[3] << 26) + z2[2];
|
z_51.v[1] = (z2[3] << 26) + z2[2];
|
||||||
@ -71,20 +71,20 @@ static int
|
|||||||
crypto_scalarmult_curve25519_sandy2x_base(unsigned char *q,
|
crypto_scalarmult_curve25519_sandy2x_base(unsigned char *q,
|
||||||
const unsigned char *n)
|
const unsigned char *n)
|
||||||
{
|
{
|
||||||
unsigned char e[32];
|
unsigned char *t = q;
|
||||||
unsigned int i;
|
|
||||||
|
|
||||||
fe var[3];
|
fe var[3];
|
||||||
|
|
||||||
fe51 x_51;
|
fe51 x_51;
|
||||||
fe51 z_51;
|
fe51 z_51;
|
||||||
|
unsigned int i;
|
||||||
|
|
||||||
for (i = 0;i < 32;++i) e[i] = n[i];
|
for (i = 0;i < 32; i++) {
|
||||||
e[0] &= 248;
|
t[i] = n[i];
|
||||||
e[31] &= 127;
|
}
|
||||||
e[31] |= 64;
|
t[0] &= 248;
|
||||||
|
t[31] &= 127;
|
||||||
|
t[31] |= 64;
|
||||||
|
|
||||||
ladder_base(var, e);
|
ladder_base(var, t);
|
||||||
|
|
||||||
z_51.v[0] = (z2[1] << 26) + z2[0];
|
z_51.v[0] = (z2[1] << 26) + z2[0];
|
||||||
z_51.v[1] = (z2[3] << 26) + z2[2];
|
z_51.v[1] = (z2[3] << 26) + z2[2];
|
||||||
|
@ -3,6 +3,7 @@
|
|||||||
|
|
||||||
#include "crypto_scalarmult_ed25519.h"
|
#include "crypto_scalarmult_ed25519.h"
|
||||||
#include "private/curve25519_ref10.h"
|
#include "private/curve25519_ref10.h"
|
||||||
|
#include "utils.h"
|
||||||
|
|
||||||
static int
|
static int
|
||||||
_crypto_scalarmult_ed25519_is_inf(const unsigned char s[32])
|
_crypto_scalarmult_ed25519_is_inf(const unsigned char s[32])
|
||||||
@ -31,7 +32,7 @@ int
|
|||||||
crypto_scalarmult_ed25519(unsigned char *q, const unsigned char *n,
|
crypto_scalarmult_ed25519(unsigned char *q, const unsigned char *n,
|
||||||
const unsigned char *p)
|
const unsigned char *p)
|
||||||
{
|
{
|
||||||
unsigned char t[32];
|
unsigned char *t = q;
|
||||||
ge_p3 Q;
|
ge_p3 Q;
|
||||||
ge_p3 P;
|
ge_p3 P;
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
@ -59,7 +60,7 @@ int
|
|||||||
crypto_scalarmult_ed25519_base(unsigned char *q,
|
crypto_scalarmult_ed25519_base(unsigned char *q,
|
||||||
const unsigned char *n)
|
const unsigned char *n)
|
||||||
{
|
{
|
||||||
unsigned char t[32];
|
unsigned char *t = q;
|
||||||
ge_p3 Q;
|
ge_p3 Q;
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user