fixup! core/crypto: Start work on the NIST curves

Author: Yawning

core/crypto/_weierstrass/p256_test.odin

@@ -93,12 +93,13 @@ test_p256_g_y :: proc(t: ^testing.T) {
 
 @(test)
 test_p256_scalarmul :: proc(t: ^testing.T) {
-	p, q, r: Point_p256r1
+	g, p, q, r: Point_p256r1
 	sc: Scalar_p256r1
 	b: [1]byte
 	tmp: [32]byte
 
-	pt_generator(&p)
+	pt_generator(&g)
+	pt_identity(&p)
 	pt_identity(&q)
 	pt_identity(&r)
 
@@ -110,13 +111,16 @@ test_p256_scalarmul :: proc(t: ^testing.T) {
 		s := string(hex.encode(tmp[:], context.temp_allocator))
 
 		if i != 0 {
-			pt_add(&q, &q, &p)
+			pt_add(&p, &p, &g)
 		}
-		pt_scalar_mul(&r, &p, &sc)
+		pt_scalar_mul(&q, &g, &sc)
+		pt_scalar_mul_generator(&r, &sc)
+		pt_rescale(&p, &p)
 		pt_rescale(&q, &q)
 		pt_rescale(&r, &r)
 
-		testing.expectf(t, pt_equal(&q, &r) == 1, "sc: %s, %v %v", s, q, r)
+		testing.expectf(t, pt_equal(&p, &q) == 1, "sc: %s, %v %v", s, q, r)
+		testing.expectf(t, pt_equal(&p, &r) == 1, "sc: %s, %v %v", s, q, r)
 	}
 }
 

core/crypto/_weierstrass/point.odin

@@ -255,7 +255,7 @@ pt_add :: proc "contextless" (p, a, b: ^$T) {
 }
 
 @(private)
-pt_add_mixed :: proc "contextless" (p, a, b: ^$T) {
+pt_add_mixed :: proc "contextless" (p, a: ^$T, x2, y2: ^$U) {
 	// Algorithm 5 from "Complete addition formulas for prime
 	// order elliptic curves" by Renes, Costello, and Batina.
 	//
@@ -266,7 +266,7 @@ pt_add_mixed :: proc "contextless" (p, a, b: ^$T) {
 	// The operation costs are `11M + 2mb + 23a` saving
 	// `1M + 6a` over `pt_add`.
 
-	when T == Point_p256r1 {
+	when T == Point_p256r1 && U == Field_Element_p256r1 {
 		t0, t1, t2, t3, t4, b_fe: Field_Element_p256r1
 		x3, y3, z3: Field_Element_p256r1
 		defer fe_clear_vec([]^Field_Element_p256r1{&t0, &t1, &t2, &t3, &t4, &x3, &y3, &z3})
@@ -275,7 +275,6 @@ pt_add_mixed :: proc "contextless" (p, a, b: ^$T) {
 	}
 
 	x1, y1, z1 := &a._x, &a._y, &a._z
-	x2, y2 := &b._x, &b._y
 
 	fe_b(&b_fe)
 
@@ -533,15 +532,17 @@ is_on_curve :: proc "contextless" (x, y: ^$T) -> bool {
 @(private)
 set_yy_candidate :: proc "contextless" (maybe_yy, x: ^$T) {
 	// RHS: x^3 + ax + b
-	a_x, b_fe: T
+	rhs, tmp: T
 
-	fe_square(maybe_yy, x)
-	fe_mul(maybe_yy, maybe_yy, x)
+	fe_square(&tmp, x)
+	fe_mul(&rhs, &tmp, x)
 
-	fe_a(&a_x)
-	fe_mul(&a_x, &a_x, x)
-	fe_add(maybe_yy, maybe_yy, &a_x)
+	fe_a(&tmp)
+	fe_mul(&tmp, &tmp, x)
+	fe_add(&rhs, &rhs, &tmp)
 
-	fe_b(&b_fe)
-	fe_add(maybe_yy, maybe_yy, &b_fe)
+	fe_b(&tmp)
+	fe_add(maybe_yy, &rhs, &tmp)
+
+	fe_clear(&rhs)
 }

core/crypto/_weierstrass/scalar_mul.odin

@@ -2,7 +2,6 @@ package _weierstrass
 
 import "core:math/bits"
 import "core:mem"
-import "core:slice"
 
 pt_scalar_mul :: proc "contextless" (
 	p, a: ^$T,
@@ -11,15 +10,15 @@ pt_scalar_mul :: proc "contextless" (
 ) {
 	when T == Point_p256r1 && S == Scalar_p256r1 {
 		p_tbl: Multiply_Table_p256r1 = ---
-		q, tmp: Point_p256r1
+		q, tmp: Point_p256r1 = ---, ---
 		SC_SZ :: SC_SIZE_P256R1
 	} else {
 		#panic("weierstrass: invalid curve")
 	}
 
 	mul_tbl_set(&p_tbl, a, unsafe_is_vartime)
 
-	b: [SC_SZ]byte
+	b: [SC_SZ]byte = ---
 	sc_bytes(b[:], sc)
 
 	pt_identity(&q)
@@ -32,16 +31,13 @@ pt_scalar_mul :: proc "contextless" (
 			pt_double(&q, &q)
 			pt_double(&q, &q)
 		}
-
-		mul_tbl_lookup(&tmp, &p_tbl, u64(hi), unsafe_is_vartime)
-		pt_add(&q, &q, &tmp)
+		mul_tbl_lookup_add(&q, &tmp, &p_tbl, u64(hi), unsafe_is_vartime)
 
 		pt_double(&q, &q)
 		pt_double(&q, &q)
 		pt_double(&q, &q)
 		pt_double(&q, &q)
-		mul_tbl_lookup(&tmp, &p_tbl, u64(lo), unsafe_is_vartime)
-		pt_add(&q, &q, &tmp)
+		mul_tbl_lookup_add(&q, &tmp, &p_tbl, u64(lo), unsafe_is_vartime)
 	}
 
 	pt_set(p, &q)
@@ -53,6 +49,50 @@ pt_scalar_mul :: proc "contextless" (
 	}
 }
 
+pt_scalar_mul_generator :: proc "contextless" (
+	p: ^$T,
+	sc: ^$S,
+	unsafe_is_vartime: bool = false,
+) {
+	when T == Point_p256r1 && S == Scalar_p256r1 {
+		p_tbl := &Gen_Multiply_Table_p256r1
+		tmp: Point_p256r1 = ---
+		SC_SZ :: SC_SIZE_P256R1
+	} else {
+		#panic("weierstrass: invalid curve")
+	}
+
+	b: [SC_SZ]byte
+	sc_bytes(b[:], sc)
+
+	// Note: The point doublings can be eliminated entirely
+	// at the cost of having 64 Gen_Multiply_Table's, but
+	// that's a considerable amount of data.
+	pt_identity(p)
+	for limb_byte, i in b {
+		hi, lo := (limb_byte >> 4) & 0x0f, limb_byte & 0x0f
+
+		if i != 0 {
+			pt_double(p, p)
+			pt_double(p, p)
+			pt_double(p, p)
+			pt_double(p, p)
+		}
+		mul_affine_tbl_lookup_add(p, &tmp, p_tbl, u64(hi), unsafe_is_vartime)
+
+		pt_double(p, p)
+		pt_double(p, p)
+		pt_double(p, p)
+		pt_double(p, p)
+		mul_affine_tbl_lookup_add(p, &tmp, p_tbl, u64(lo), unsafe_is_vartime)
+	}
+
+	if !unsafe_is_vartime {
+		mem.zero_explicit(&b, size_of(b))
+		pt_clear(&tmp)
+	}
+}
+
 @(private = "file")
 Multiply_Table_p256r1 :: [15]Point_p256r1
 
@@ -81,26 +121,131 @@ mul_tbl_set :: proc "contextless"(
 }
 
 @(private = "file")
-mul_tbl_lookup :: proc "contextless" (
-	point: ^$T,
+mul_tbl_lookup_add :: proc "contextless" (
+	point, tmp: ^$T,
 	tbl: ^$U,
 	idx: u64,
 	unsafe_is_vartime: bool,
  ) {
 	if unsafe_is_vartime {
 		switch idx {
 		case 0:
-			pt_identity(point)
 		case:
-			pt_set(point, &tbl[idx - 1])
+			pt_add(point, point, &tbl[idx - 1])
 		}
 		return
 	}
 
-	pt_identity(point)
+	pt_identity(tmp)
 	for i in u64(1)..<16 {
 		_, ctrl := bits.sub_u64(0, (i ~ idx), 0)
-		pt_cond_select(point, point, &tbl[i - 1], int(~ctrl) & 1)
+		pt_cond_select(tmp, tmp, &tbl[i - 1], int(~ctrl) & 1)
+	}
+
+	pt_add(point, point, tmp)
+}
+
+@(private = "file")
+Affine_Point_p256r1 :: struct {
+	_x: Field_Element_p256r1,
+	_y: Field_Element_p256r1,
+}
+
+@(private = "file")
+mul_affine_tbl_lookup_add :: proc "contextless" (
+	point, tmp: ^$T,
+	tbl: ^$U,
+	idx: u64,
+	unsafe_is_vartime: bool,
+) {
+	if unsafe_is_vartime {
+		switch idx {
+		case 0:
+		case:
+			pt_add_mixed(point, point, &tbl[idx - 1]._x, &tbl[idx - 1]._y)
+		}
+		return
 	}
+
+	pt_identity(tmp)
+	for i in u64(1)..<16 {
+		_, borrow := bits.sub_u64(0, (i ~ idx), 0)
+		ctrl := int(~borrow & 1)
+		fe_cond_select(&tmp._x, &tmp._x, &tbl[i - 1]._x, ctrl)
+		fe_cond_select(&tmp._y, &tmp._y, &tbl[i - 1]._y, ctrl)
+	}
+
+	// The mixed addition formula assumes that the addend is not
+	// the neutral element.  Do the addition regardless, and then
+	// conditionally select the right result.
+	pt_add_mixed(tmp, point, &tmp._x, &tmp._y)
+
+	_, borrow := bits.sub_u64(0, idx, 0)
+	pt_cond_select(point, point, tmp, int(borrow) & 1)
 }
 
+@(private = "file")
+Gen_Multiply_Table_p256r1 := [15]Affine_Point_p256r1 {
+	{
+		{8784043285714375740, 8483257759279461889, 8789745728267363600, 1770019616739251654},
+		{15992936863339206154, 10037038012062884956, 15197544864945402661, 9615747158586711429},
+	},
+	{
+		{9583737883674400333, 12279877754802111101, 8296198976379850969, 17778859909846088251},
+		{3401986641240187301, 1525831644595056632, 1849003687033449918, 8702493044913179195},
+	},
+	{
+		{18423170064697770279, 12693387071620743675, 7398701556189346968, 2779682216903406718},
+		{12703629940499916779, 6358598532389273114, 8683512038509439374, 15415938252666293255},
+	},
+	{
+		{8408419572923862476, 5066733120953500019, 926242532005776114, 6301489109130024811},
+		{3285079390283344806, 1685054835664548935, 7740622190510199342, 9561507292862134371},
+	},
+	{
+		{13698695174800826869, 10442832251048252285, 10672604962207744524, 14485711676978308040},
+		{16947216143812808464, 8342189264337602603, 3837253281927274344, 8331789856935110934},
+	},
+	{
+		{4627808394696681034, 6174000022702321214, 15351247319787348909, 1371147458593240691},
+		{10651965436787680331, 2998319090323362997, 17592419471314886417, 11874181791118522207},
+	},
+	{
+		{524165018444839759, 3157588572894920951, 17599692088379947784, 1421537803477597699},
+		{2902517390503550285, 7440776657136679901, 17263207614729765269, 16928425260420958311},
+	},
+	{
+		{2878166099891431311, 5056053391262430293, 10345032411278802027, 13214556496570163981},
+		{17698482058276194679, 2441850938900527637, 1314061001345252336, 6263402014353842038},
+
+	},
+	{
+		{8487436533858443496, 12386798851261442113, 3224748875345095424, 16166568617729909099},
+		{2213369110503306004, 6246347469485852131, 3129440554298978074, 605269941184323483},
+	},
+	{
+		{3177531230451277512, 11022989490494865721, 8321856985295555401, 14727273563873821327},
+		{876865438755954294, 14139765236890058248, 6880705719513638354, 8678887646434118325},
+
+	},
+	{
+		{16896703203004244996, 11377226897030111200, 2302364246994590389, 4499255394192625779},
+		{1906858144627445384, 2670515414718439880, 868537809054295101, 7535366755622172814},
+	},
+	{
+		{339769604981749608, 12384581172556225075, 2596838235904096350, 5684069910326796630},
+		{913125548148611907, 1661497269948077623, 2892028918424825190, 9220412792897768138},
+	},
+	{
+		{14754959387565938441, 1023838193204581133, 13599978343236540433, 8323909593307920217},
+		{3852032956982813055, 7526785533690696419, 8993798556223495105, 18140648187477079959},
+	},
+	{
+		{11692087196810962506, 1328079167955601379, 1664008958165329504, 18063501818261063470},
+		{2861243404839114859, 13702578580056324034, 16781565866279299035, 1524194541633674171},
+	},
+	{
+		{8267721299596412251, 273633183929630283, 17164190306640434032, 16332882679719778825},
+		{4663567915067622493, 15521151801790569253, 7273215397645141911, 2324445691280731636},
+	},
+}