/src/nettle/ecc-add-thh.c
| 1 |  | /* ecc-add-thh.c | 
| 2 |  |  | 
| 3 |  |    Copyright (C) 2014 Niels Möller | 
| 4 |  |  | 
| 5 |  |    This file is part of GNU Nettle. | 
| 6 |  |  | 
| 7 |  |    GNU Nettle is free software: you can redistribute it and/or | 
| 8 |  |    modify it under the terms of either: | 
| 9 |  |  | 
| 10 |  |      * the GNU Lesser General Public License as published by the Free | 
| 11 |  |        Software Foundation; either version 3 of the License, or (at your | 
| 12 |  |        option) any later version. | 
| 13 |  |  | 
| 14 |  |    or | 
| 15 |  |  | 
| 16 |  |      * the GNU General Public License as published by the Free | 
| 17 |  |        Software Foundation; either version 2 of the License, or (at your | 
| 18 |  |        option) any later version. | 
| 19 |  |  | 
| 20 |  |    or both in parallel, as here. | 
| 21 |  |  | 
| 22 |  |    GNU Nettle is distributed in the hope that it will be useful, | 
| 23 |  |    but WITHOUT ANY WARRANTY; without even the implied warranty of | 
| 24 |  |    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU | 
| 25 |  |    General Public License for more details. | 
| 26 |  |  | 
| 27 |  |    You should have received copies of the GNU General Public License and | 
| 28 |  |    the GNU Lesser General Public License along with this program.  If | 
| 29 |  |    not, see http://www.gnu.org/licenses/. | 
| 30 |  | */ | 
| 31 |  |  | 
| 32 |  | #if HAVE_CONFIG_H | 
| 33 |  | # include "config.h" | 
| 34 |  | #endif | 
| 35 |  |  | 
| 36 |  | #include "ecc.h" | 
| 37 |  | #include "ecc-internal.h" | 
| 38 |  |  | 
/* Add two points on an Edwards curve, in homogeneous coordinates.

   ecc:      the curve.  ecc->p is the field modulus, ecc->p.size the
             limb count of one coordinate, and ecc->b the curve constant
             (with the sign convention noted in the formula table below).
   r:        output point, 3 * ecc->p.size limbs laid out as x3, y3, z3.
   p, q:     input points, each 3 * ecc->p.size limbs laid out as x, y, z.
   scratch:  working storage.  This function addresses four areas T, E,
             C, D at offsets 0 .. 3 * ecc->p.size, and also hands parts of
             it (and of r) to ecc_mod_mul as that function's own scratch
             argument, so at least 4 * ecc->p.size limbs are needed --
             NOTE(review): the exact requirement depends on
             ecc_mod_mul's scratch need; confirm against the itch
             definition for this function in ecc-internal.h.

   In-place use: the "can now use x3/y3 as scratch" comments below rely
   on r aliasing p, not q.  x3 is written from x1, y1 before x2, y2 are
   read, so with r == q the read of x2 would see the already-clobbered
   value -- NOTE(review): verify that callers only pass r == p or a
   distinct r.

   The coordinate and temporary macros are not #undef'd at the end of
   the function, so nothing later in this translation unit may reuse
   these names.  */
void
ecc_add_thh (const struct ecc_curve *ecc,
       mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q,
       mp_limb_t *scratch)
{
  /* Coordinate views: each point is three consecutive field elements
     of ecc->p.size limbs.  */
#define x1 p
#define y1 (p + ecc->p.size)
#define z1 (p + 2*ecc->p.size)

#define x2 q
#define y2 (q + ecc->p.size)
#define z2 (q + 2*ecc->p.size)

#define x3 r
#define y3 (r + ecc->p.size)
#define z3 (r + 2*ecc->p.size)

  /* Formulas (from djb,
     http://www.hyperelliptic.org/EFD/g1p/auto-twisted-projective.html#addition-add-2008-bbjlp):

     Computation  Operation Live variables

     C = x1*x2    mul   C
     D = y1*y2    mul   C, D
     T = (x1+y1)(x2+y2) - C - D, mul  C, D, T
     E = b*C*D    2 mul   C, E, T (Replace C <-- D + C, as computed
                                   below with ecc_mod_add)
     A = z1*z2    mul   A, C, E, T
     B = A^2    sqr   A, B, C, E, T
     F = B - E        A, B, C, E, F, T
     G = B + E          A, C, F, G, T
     x3 = A*F*T   2 mul   A, C, G
     y3 = A*G*(D+C) 2 mul   F, G
     z3 = F*G   mul

     11M + S

     We have different sign for E, hence swapping F and G, because our
     ecc->b corresponds to -b above.  Concretely: the value stored in
     x3 at the end (B + E) plays the role of djb's F, and the value
     stored in F (B - E) plays the role of djb's G.
  */
  /* Temporaries are carved out of scratch.  F shares its storage with
     E and B shares its storage with D; the live-variable comments on
     each line are what make that sharing safe.  */
#define T scratch
#define E (scratch + 1*ecc->p.size)
#define F E
#define C (scratch + 2*ecc->p.size)
#define D (scratch + 3*ecc->p.size)
#define B D

  /* Use T as scratch, clobber E (E is not live yet).  */
  ecc_mod_mul (&ecc->p, C, x1, x2, T);  /* C = x1*x2 */
  ecc_mod_mul (&ecc->p, D, y1, y2, T);  /* D = y1*y2;  live: C, D */
  /* From here on x1 and y1 are dead, so r == p is safe; x2 and y2 are
     still read on the next line, which is why r == q is not.  */
  ecc_mod_add (&ecc->p, x3, x1, y1);
  ecc_mod_add (&ecc->p, y3, x2, y2);
  ecc_mod_mul (&ecc->p, T, x3, y3, T);  /* T = (x1+y1)(x2+y2);  live: C, D, T */

  /* Can now use x3 as scratch, without breaking in-place operation. */
  ecc_mod_mul (&ecc->p, E, C, D, x3);  /* E = C*D;  live: C, D, T, E */
  ecc_mod_mul (&ecc->p, E, E, ecc->b, x3);  /* E = b*C*D (our sign of b) */
  ecc_mod_add (&ecc->p, C, D, C);  /* C = D + C;  D dead;  live: C, T, E */
  ecc_mod_sub (&ecc->p, T, T, C);  /* T = (x1+y1)(x2+y2) - C - D */

  /* B aliases D, which is dead now; use it to hold A = z1*z2 first.
     z1, z2 are read here and z3 is not written until the end, so this
     is in-place safe.  */
  ecc_mod_mul (&ecc->p, B, z1, z2, x3);  /* A = z1*z2 */
  ecc_mod_mul (&ecc->p, T, T, B, x3);  /* T = A*T */
  ecc_mod_mul (&ecc->p, C, C, B, x3);  /* C = A*(D+C) */
  ecc_mod_sqr (&ecc->p, B, B, x3);  /* B = A^2 */

  /* x3 = B + E (djb's G, our F);  F = B - E (djb's F, our G), written
     over E in place.  */
  ecc_mod_add (&ecc->p, x3, B, E);
  ecc_mod_sub (&ecc->p, F, B, E);  /* live: C, T, F, x3 */

  /* Can now use y3 as scratch, without breaking in-place operation. */
  ecc_mod_mul (&ecc->p, y3, C, F, y3);  /* y3 = A*(D+C)*(B-E);  live: T, F, x3 */

  /* Can use C--D as scratch */
  ecc_mod_mul (&ecc->p, z3, x3, F, C);  /* z3 = (B+E)*(B-E);  live: T, x3 */
  ecc_mod_mul (&ecc->p, x3, x3, T, C);  /* x3 = (B+E)*A*T */
}