Remove field_minus_order from EC_GROUP.

One less value to initialize statically. Instead, just check if r + order < p. It's one additional comparison, but those have negligible cost here. Bug: 20 Change-Id: Iabc9c1894b58aeba45282e3360e38fe843eb7139 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60927 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
2023-02-12 10:33:19 -05:00 · 2023-02-12 10:33:19 -05:00 · 5eab868eaa
commit 5eab868eaa
parent 49bfec5f82
5 changed files with 14 additions and 32 deletions
--- a/crypto/fipsmodule/ec/ec.c
+++ b/crypto/fipsmodule/ec/ec.c
@ -311,17 +311,6 @@ static int ec_group_set_generator(EC_GROUP *group, const EC_AFFINE *generator,
  }

  group->field_greater_than_order = BN_cmp(&group->field, order) > 0;
-  if (group->field_greater_than_order) {
-    BIGNUM tmp;
-    BN_init(&tmp);
-    int ok =
-        BN_sub(&tmp, &group->field, order) &&
-        bn_copy_words(group->field_minus_order.words, group->field.width, &tmp);
-    BN_free(&tmp);
-    if (!ok) {
-      return 0;
-    }
-  }

  group->generator = EC_POINT_new(group);
  if (group->generator == NULL) {
--- a/crypto/fipsmodule/ec/ec_montgomery.c
+++ b/crypto/fipsmodule/ec/ec_montgomery.c
@ -485,10 +485,11 @@ static int ec_GFp_mont_cmp_x_coordinate(const EC_GROUP *group,
  // Therefore there is a small possibility, less than 1/2^128, that group_order
  // < p.x < P. in that case we need not only to compare against |r| but also to
  // compare against r+group_order.
-  if (bn_less_than_words(r->words, group->field_minus_order.words,
-                         group->field.width)) {
-    // We can ignore the carry because: r + group_order < p < 2^256.
-    bn_add_words(r_Z2.words, r->words, group->order->N.d, group->field.width);
+  BN_ULONG carry =
+      bn_add_words(r_Z2.words, r->words, group->order->N.d, group->field.width);
+  if (carry == 0 &&
+      bn_less_than_words(r_Z2.words, group->field.d, group->field.width)) {
+    // r + group_order < p, so compare (r + group_order) * Z^2 against X.
    ec_GFp_mont_felem_mul(group, &r_Z2, &r_Z2, &Z2_mont);
    if (ec_felem_equal(group, &r_Z2, &X)) {
      return 1;
--- a/crypto/fipsmodule/ec/internal.h
+++ b/crypto/fipsmodule/ec/internal.h
@ -421,7 +421,7 @@ void ec_precomp_select(const EC_GROUP *group, EC_PRECOMP *out, BN_ULONG mask,

 // ec_cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group
 // order, with |r|. It returns one if the values match and zero if |p| is the
-// point at infinity of the values do not match.
+// point at infinity of the values do not match. |p| is treated as public.
 int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p,
                        const EC_SCALAR *r);

@ -615,13 +615,6 @@ struct ec_group_st {
  // otherwise.
  int field_greater_than_order;

-  // field_minus_order, if |field_greater_than_order| is true, is |field| minus
-  // |order| represented as an |EC_FELEM|. Otherwise, it is zero.
-  //
-  // Note: unlike |EC_FELEM|s used as intermediate values internal to the
-  // |EC_METHOD|, this value is not encoded in Montgomery form.
-  EC_FELEM field_minus_order;
-
  CRYPTO_refcount_t references;

  BN_MONT_CTX *mont;  // Montgomery structure.
--- a/crypto/fipsmodule/ec/p256-nistz.c
+++ b/crypto/fipsmodule/ec/p256-nistz.c
@ -599,10 +599,9 @@ static int ecp_nistz256_cmp_x_coordinate(const EC_GROUP *group,
  // Therefore there is a small possibility, less than 1/2^128, that group_order
  // < p.x < P. in that case we need not only to compare against |r| but also to
  // compare against r+group_order.
-  if (bn_less_than_words(r->words, group->field_minus_order.words,
-                         P256_LIMBS)) {
-    // We can ignore the carry because: r + group_order < p < 2^256.
-    bn_add_words(r_Z2, r->words, group->order->N.d, P256_LIMBS);
+  BN_ULONG carry = bn_add_words(r_Z2, r->words, group->order->N.d, P256_LIMBS);
+  if (carry == 0 && bn_less_than_words(r_Z2, group->field.d, P256_LIMBS)) {
+    // r + group_order < p, so compare (r + group_order) * Z^2 against X.
    ecp_nistz256_mul_mont(r_Z2, r_Z2, Z2_mont);
    if (OPENSSL_memcmp(r_Z2, X, sizeof(r_Z2)) == 0) {
      return 1;
--- a/crypto/fipsmodule/ec/p256.c
+++ b/crypto/fipsmodule/ec/p256.c
@ -711,11 +711,11 @@ static int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group,
  // < p.x < P. in that case we need not only to compare against |r| but also to
  // compare against r+group_order.
  assert(group->field.width == group->order->N.width);
-  if (bn_less_than_words(r->words, group->field_minus_order.words,
-                         group->field.width)) {
-    // We can ignore the carry because: r + group_order < p < 2^256.
-    EC_FELEM tmp;
-    bn_add_words(tmp.words, r->words, group->order->N.d, group->order->N.width);
+  EC_FELEM tmp;
+  BN_ULONG carry =
+      bn_add_words(tmp.words, r->words, group->order->N.d, group->field.width);
+  if (carry == 0 &&
+      bn_less_than_words(tmp.words, group->field.d, group->field.width)) {
    fiat_p256_from_generic(r_Z2, &tmp);
    fiat_p256_mul(r_Z2, r_Z2, Z2_mont);
    if (OPENSSL_memcmp(&r_Z2, &X, sizeof(r_Z2)) == 0) {