Add additional constants to make_curve25519_tables.py.

These are also constants that depend on the field representation. Change-Id: I22333c099352ad64eb27fe15ffdc38c6ae7c07ff Reviewed-on: https://boringssl-review.googlesource.com/24746 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2018-01-09 16:06:34 +01:00 · 2018-01-09 16:06:34 +01:00 · 0c1eafc6fe
commit 0c1eafc6fe
parent 522ad7e8fc
3 changed files with 30 additions and 10 deletions
--- a/third_party/fiat/curve25519.c
+++ b/third_party/fiat/curve25519.c
@ -911,11 +911,7 @@ static void ge_p3_tobytes(uint8_t s[32], const ge_p3 *h) {
  s[31] ^= fe_isnegative(&x) << 7;
 }

-static const fe d = {{56195235, 13857412, 51736253, 6949390,   114729,
-                     24766616,  60832955, 30306712,  48412415, 21499315}};
-
-static const fe sqrtm1 = {{34513072, 25610706,  9377949,  3500415, 12389472,
-                          33281959,   41962654, 31548777, 326685,  11406482}};
+#include "./curve25519_tables.h"

 int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t *s) {
  fe u;
@ -996,9 +992,6 @@ static void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p) {
  fe_copy(&r->Z, &p->Z);
 }

-static const fe d2 = {{45281625, 27714825,  36363642, 13898781, 229458,
-                      15978800,  54557047, 27058993,  29715967, 9444199}};
-
 // r = p
 void x25519_ge_p3_to_cached(ge_cached *r, const ge_p3 *p) {
  fe_add(&r->YplusX, &p->Y, &p->X);
@ -1193,8 +1186,6 @@ void x25519_ge_scalarmult_small_precomp(
  }
 }

-#include "./curve25519_tables.h"
-
 #if defined(OPENSSL_SMALL)

 void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]) {
--- a/third_party/fiat/curve25519_tables.h
+++ b/third_party/fiat/curve25519_tables.h
@ -24,6 +24,15 @@
 //    ./make_curve25519_tables.py > curve25519_tables.h


+static const fe d = {{56195235, 13857412, 51736253, 6949390, 114729, 24766616,
+                      60832955, 30306712, 48412415, 21499315}};
+
+static const fe sqrtm1 = {{34513072, 25610706, 9377949, 3500415, 12389472,
+                           33281959, 41962654, 31548777, 326685, 11406482}};
+
+static const fe d2 = {{45281625, 27714825, 36363642, 13898781, 229458, 15978800,
+                       54557047, 27058993, 29715967, 9444199}};
+
 #if defined(OPENSSL_SMALL)

 // This block of code replaces the standard base-point table with a much smaller
--- a/third_party/fiat/make_curve25519_tables.py
+++ b/third_party/fiat/make_curve25519_tables.py
@ -31,6 +31,9 @@ p = 2**255 - 19
 def modp_inv(x):
    return pow(x, p-2, p)

+# Square root of -1
+modp_sqrt_m1 = pow(2, (p-1) // 4, p)
+
 # Compute corresponding x-coordinate, with low bit corresponding to
 # sign, or return None on failure
 def recover_x(y, sign):
@ -107,6 +110,8 @@ def to_base_25_5(x):
    return ret

 def main():
+    d2 = (2 * d) % p
+
    small_precomp = bytearray()
    for i in range(1, 16):
        s = (i&1) | ((i&2) << (64-1)) | ((i&4) << (128-2)) | ((i&8) << (192-3))
@ -154,6 +159,21 @@ def main():
 //    ./make_curve25519_tables.py > curve25519_tables.h


+static const fe d = {{
+""")
+    buf.write(", ".join(map(str, to_base_25_5(d))))
+    buf.write("""}};
+
+static const fe sqrtm1 = {{
+""")
+    buf.write(", ".join(map(str, to_base_25_5(modp_sqrt_m1))))
+    buf.write("""}};
+
+static const fe d2 = {{
+""")
+    buf.write(", ".join(map(str, to_base_25_5(d2))))
+    buf.write("""}};
+
 #if defined(OPENSSL_SMALL)

 // This block of code replaces the standard base-point table with a much smaller