/src/nettle/ecc-secp384r1.c

Source (jump to first uncovered line)
/* ecc-secp384r1.c

   Compile time constant (but machine dependent) tables.

   Copyright (C) 2013, 2014 Niels Möller

   This file is part of GNU Nettle.

   GNU Nettle is free software: you can redistribute it and/or
   modify it under the terms of either:

     * the GNU Lesser General Public License as published by the Free
       Software Foundation; either version 3 of the License, or (at your
       option) any later version.

   or

     * the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your
       option) any later version.

   or both in parallel, as here.

   GNU Nettle is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received copies of the GNU General Public License and
   the GNU Lesser General Public License along with this program.  If
   not, see http://www.gnu.org/licenses/.
*/

/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */

#if HAVE_CONFIG_H
# include "config.h"
#endif

#include <assert.h>

#include "ecc-internal.h"

#define USE_REDC 0

#include "ecc-secp384r1.h"

#if HAVE_NATIVE_ecc_secp384r1_modp
#define ecc_secp384r1_modp _nettle_ecc_secp384r1_modp
void
ecc_secp384r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp);
#elif GMP_NUMB_BITS == 32

/* Use that 2^{384} = 2^{128} + 2^{96} - 2^{32} + 1, and eliminate 256
   bits at a time.

   We can get carry == 2 in the first iteration, and I think *only* in
   the first iteration. */

/* p is 12 limbs, and B^12 - p = B^4 + B^3 - B + 1. We can eliminate
   almost 8 at a time. Do only 7, to avoid additional carry
   propagation, followed by 5. */
static void
ecc_secp384r1_modp (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp)
{
  mp_limb_t cy, bw;

  /* Reduce from 24 to 17 limbs. */
  cy = mpn_add_n (xp + 4, xp + 4, xp + 16, 8);
  cy = sec_add_1 (xp + 12, xp + 12, 3, cy);

  bw = mpn_sub_n (xp + 5, xp + 5, xp + 16, 8);
  bw = sec_sub_1 (xp + 13, xp + 13, 3, bw);

  cy += mpn_add_n (xp + 7, xp + 7, xp + 16, 8);
  cy = sec_add_1 (xp + 15, xp + 15, 1, cy);

  cy += mpn_add_n (xp + 8, xp + 8, xp + 16, 8);
  assert (bw <= cy);
  cy -= bw;

  assert (cy <= 2);  
  xp[16] = cy;

  /* Reduce from 17 to 12 limbs */
  cy = mpn_add_n (xp, xp, xp + 12, 5);
  cy = sec_add_1 (xp + 5, xp + 5, 3, cy);
  
  bw = mpn_sub_n (xp + 1, xp + 1, xp + 12, 5);
  bw = sec_sub_1 (xp + 6, xp + 6, 6, bw);
  
  cy += mpn_add_n (xp + 3, xp + 3, xp + 12, 5);
  cy = sec_add_1 (xp + 8, xp + 8, 1, cy);

  cy += mpn_add_n (xp + 4, xp + 4, xp + 12, 5);
  cy = sec_add_1 (xp + 9, xp + 9, 3, cy);

  assert (cy >= bw);
  cy -= bw;
  assert (cy <= 1);
  cy = mpn_cnd_add_n (cy, rp, xp, p->B, ECC_LIMB_SIZE);
  assert (cy == 0);
}
#elif GMP_NUMB_BITS == 64
/* p is 6 limbs, and B^6 - p = B^2 + 2^32 (B - 1) + 1. Eliminate 3
   (almost 4) limbs at a time. */
static void
ecc_secp384r1_modp (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp)
{
  mp_limb_t tp[6];
  mp_limb_t cy;

  /* Reduce from 12 to 9 limbs */
  tp[0] = 0; /* FIXME: Could use mpn_sub_nc */
  mpn_copyi (tp + 1, xp + 8, 3);
  tp[4] = xp[11] - mpn_sub_n (tp, tp, xp + 8, 4);
  tp[5] = mpn_lshift (tp, tp, 5, 32);

  cy = mpn_add_n (xp + 2, xp + 2, xp + 8, 4);
  cy = sec_add_1 (xp + 6, xp + 6, 2, cy);

  cy += mpn_add_n (xp + 2, xp + 2, tp, 6);
  cy += mpn_add_n (xp + 4, xp + 4, xp + 8, 4);

  assert_maybe (cy <= 2);
  xp[8] = cy;

  /* Reduce from 9 to 6 limbs */
  tp[0] = 0;
  mpn_copyi (tp + 1, xp + 6, 2);
  tp[3] = xp[8] - mpn_sub_n (tp, tp, xp + 6, 3);
  tp[4] = mpn_lshift (tp, tp, 4, 32);

  cy = mpn_add_n (xp, xp, xp + 6, 3);
  cy = sec_add_1 (xp + 3, xp + 3, 2, cy);
  cy += mpn_add_n (xp, xp, tp, 5);
  cy += mpn_add_n (xp + 2, xp + 2, xp + 6, 3);

  cy = sec_add_1 (xp + 5, xp + 5, 1, cy);
  assert_maybe (cy <= 1);

  cy = mpn_cnd_add_n (cy, xp, xp, p->B, ECC_LIMB_SIZE);
  assert_maybe (cy == 0);
  mpn_copyi (rp, xp, ECC_LIMB_SIZE);
}
#else
#define ecc_secp384r1_modp ecc_mod
#endif

/* Computes a^{2^{288} -2^{32} - 1} mod m. Also produces the
   intermediate value a^{2^{30} - 1}. Needs 5*ECC_LIMB_SIZE
   scratch. */
static void
ecc_mod_pow_288m32m1 (const struct ecc_modulo *m,
          mp_limb_t *rp, mp_limb_t *a30m1,
          const mp_limb_t *ap, mp_limb_t *scratch)
{
  /*
    Addition chain for 2^{288} - 2^{32} - 1:

    2^2 - 1 = 1 + 2
    2^4 - 1 = (2^2 + 1) * (2^2 - 1)
    2^5 - 1 = 1 + 2(2^4 - 1)
    2^{10} - 1 = (2^5 + 1) (2^5 - 1)
    2^{15} - 1 = 2^5 (2^{10} - 1) + (2^5-1)
    2^{30} - 1 = (2^{15} + 1) (2^{15} - 1)
    2^{32} - 4 = 2^2 (2^{30} - 1)
    2^{32} - 1 = (2^{32} - 4) + 3
    2^{60} - 1 = 2^{28}(2^{32} - 4) + (2^{30} - 1)
    2^{120} - 1 = (2^{60} + 1) (2^{60} - 1)
    2^{240} - 1 = (2^{120} + 1)(2^{120} - 1)
    2^{255} - 1 = 2^{15} (2^{240} - 1) + 2^{15} - 1
    2^{288} - 2^{32} - 1 = 2^{33} (2^{255} - 1) + 2^{32} - 1

    Total 287 squarings, and 12 multiplies.

    The specific sqr/mul schedule is from Routine 3.2.12 of
    "Mathematical routines for the NIST prime elliptic curves", April
    5, 2010, author unknown.
  */

#define t0 scratch
#define a3 (scratch + ECC_LIMB_SIZE)
#define a5m1 a30m1
#define a15m1 (scratch + 2*ECC_LIMB_SIZE)
#define a32m1 a3
#define tp (scratch + 3*ECC_LIMB_SIZE)

  ecc_mod_sqr        (m, t0, ap, tp);      /* a^2 */
  ecc_mod_mul        (m, a3, t0, ap, tp);    /* a^3 */
  ecc_mod_pow_2kp1   (m, rp, a3, 2, tp);    /* a^(2^4 - 1) */
  ecc_mod_sqr        (m, t0, rp, tp);      /* a^(2^5 - 2) */
  ecc_mod_mul        (m, a5m1, t0, ap, tp);    /* a^(2^5 - 1) */
  ecc_mod_pow_2kp1   (m, t0, a5m1, 5, tp);    /* a^(2^10 - 1) */
  ecc_mod_pow_2k_mul (m, a15m1, t0, 5, a5m1, tp);  /* a^(2^15 - 1) a5m1*/
  ecc_mod_pow_2kp1   (m, a30m1, a15m1, 15, tp);   /* a^(2^30 - 1) */
  ecc_mod_pow_2k     (m, t0, a30m1, 2, tp);    /* a^(2^32 - 4) */
  ecc_mod_mul        (m, a32m1, t0, a3, tp);    /* a^(2^32 - 1) a3 */
  ecc_mod_pow_2k_mul (m, rp, t0, 28, a30m1, tp);  /* a^(2^60 - 1) a32m4 */
  ecc_mod_pow_2kp1   (m, t0, rp, 60, tp);   /* a^(2^120 - 1) */
  ecc_mod_pow_2kp1   (m, rp, t0, 120, tp);    /* a^(2^240 - 1) */
  ecc_mod_pow_2k_mul (m, t0, rp, 15, a15m1, tp);  /* a^(2^255 - 1) a15m1 */
  ecc_mod_pow_2k_mul (m, rp, t0, 33, a32m1, tp);  /* a^(2^288 - 2^32 - 1) a32m1 */

#undef t0
#undef a3
#undef a5m1
#undef a15m1
#undef a32m1
#undef tp
}

#define ECC_SECP384R1_INV_ITCH (6*ECC_LIMB_SIZE)

static void
ecc_secp384r1_inv (const struct ecc_modulo *p,
       mp_limb_t *rp, const mp_limb_t *ap,
       mp_limb_t *scratch)
{
  /*
    Addition chain for

    p - 2 = 2^{384} - 2^{128} - 2^{96} + 2^{32} - 3

    Start with

      a^{2^{288} - 2^{32} - 1}

    and then use

      2^{382} - 2^{126} - 2^{94} + 2^{30} - 1
         = 2^{94} (2^{288} - 2^{32} - 1) + 2^{30} - 1

      2^{384} - 2^{128} - 2^{96} + 2^{32} - 3
         = 2^2 (2^{382} - 2^{126} - 2^{94} + 2^{30} - 1) + 1

    This addition chain needs 96 additional squarings and 2
    multiplies, for a total of 383 squarings and 14 multiplies.
  */

#define a30m1 scratch
#define tp (scratch + ECC_LIMB_SIZE)

  ecc_mod_pow_288m32m1 (p, rp, a30m1, ap, tp);
  ecc_mod_pow_2k_mul (p, rp, rp, 94, a30m1, tp); /* a^{2^{382} - 2^{126} - 2^{94} + 2^{30} - 1 */
  ecc_mod_pow_2k_mul (p, rp, rp, 2, ap, tp);

#undef a30m1
#undef tp
}

/* To guarantee that inputs to ecc_mod_zero_p are in the required range. */
#if ECC_LIMB_SIZE * GMP_NUMB_BITS != 384
#error Unsupported limb size
#endif

#define ECC_SECP384R1_SQRT_ITCH (6*ECC_LIMB_SIZE)

static int
ecc_secp384r1_sqrt (const struct ecc_modulo *m,
        mp_limb_t *rp,
        const mp_limb_t *cp,
        mp_limb_t *scratch)
{
  /* This computes the square root modulo p384 using the identity:

     sqrt(c) = c^(2^382 − 2^126 - 2^94 + 2^30)  (mod P-384)

     which can be seen as a special case of Tonelli-Shanks with e=1.

     Starting with

       a^{2^{288} - 2^{32} - 1}

     and then use

       2^352 - 2^96 - 2^64 + 1
         = 2^64 (2^{288} - 2^{32} - 1) + 1
       2^382 − 2^126 - 2^94 + 2^30
         = 2^30 (2^352 - 2^96 - 2^64 + 1)

     An additional 94 squarings and 2 multiplies, for a total of for a
     total of 381 squarings and 14 multiplies.
  */

#define t0 scratch
#define tp (scratch + ECC_LIMB_SIZE)

  ecc_mod_pow_288m32m1 (m, rp, t0, cp, tp);
  ecc_mod_pow_2k_mul (m, t0, rp, 64, cp, tp);    /* c^(2^352 - 2^96 - 2^64 + 1) */
  ecc_mod_pow_2k     (m, rp, t0, 30, tp);    /* c^(2^382 - 2^126 - 2^94 + 2^30) */

  ecc_mod_sqr (m, t0, rp, tp);
  ecc_mod_sub (m, t0, t0, cp);

  return ecc_mod_zero_p (m, t0);

#undef t0
#undef tp
}


const struct ecc_curve _nettle_secp_384r1 =
{
  {
    384,
    ECC_LIMB_SIZE,    
    ECC_BMODP_SIZE,
    ECC_REDC_SIZE,
    ECC_SECP384R1_INV_ITCH,
    ECC_SECP384R1_SQRT_ITCH,
    0,

    ecc_p,
    ecc_Bmodp,
    ecc_Bmodp_shifted,
    ecc_Bm2p,
    ecc_redc_ppm1,
    ecc_pp1h,

    ecc_secp384r1_modp,
    ecc_secp384r1_modp,
    ecc_secp384r1_inv,
    ecc_secp384r1_sqrt,
    NULL,
  },
  {
    384,
    ECC_LIMB_SIZE,    
    ECC_BMODQ_SIZE,
    0,
    ECC_MOD_INV_ITCH (ECC_LIMB_SIZE),
    0,
    0,

    ecc_q,
    ecc_Bmodq,
    ecc_Bmodq_shifted,
    ecc_Bm2q,
    NULL,
    ecc_qp1h,

    ecc_mod,
    ecc_mod,
    ecc_mod_inv,
    NULL,
    NULL,
  },

  USE_REDC,
  ECC_PIPPENGER_K,
  ECC_PIPPENGER_C,

  ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),
  ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
  ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE),
  ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
  ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
  ECC_J_TO_A_ITCH(ECC_LIMB_SIZE, ECC_SECP384R1_INV_ITCH),

  ecc_add_jja,
  ecc_add_jjj,
  ecc_dup_jj,
  ecc_mul_a,
  ecc_mul_g,
  ecc_j_to_a,

  ecc_b,
  ecc_unit,
  ecc_table
};

const struct ecc_curve *nettle_get_secp_384r1(void)
{
  return &_nettle_secp_384r1;
}

Coverage Report

Created: 2025-03-06 07:58

Line	Count	Source (jump to first uncovered line)
1		/* ecc-secp384r1.c
2
3		Compile time constant (but machine dependent) tables.
4
5		Copyright (C) 2013, 2014 Niels Möller
6
7		This file is part of GNU Nettle.
8
9		GNU Nettle is free software: you can redistribute it and/or
10		modify it under the terms of either:
11
12		* the GNU Lesser General Public License as published by the Free
13		Software Foundation; either version 3 of the License, or (at your
14		option) any later version.
15
16		or
17
18		* the GNU General Public License as published by the Free
19		Software Foundation; either version 2 of the License, or (at your
20		option) any later version.
21
22		or both in parallel, as here.
23
24		GNU Nettle is distributed in the hope that it will be useful,
25		but WITHOUT ANY WARRANTY; without even the implied warranty of
26		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
27		General Public License for more details.
28
29		You should have received copies of the GNU General Public License and
30		the GNU Lesser General Public License along with this program. If
31		not, see http://www.gnu.org/licenses/.
32		*/
33
34		/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */
35
36		#if HAVE_CONFIG_H
37		# include "config.h"
38		#endif
39
40		#include <assert.h>
41
42		#include "ecc-internal.h"
43
44		#define USE_REDC 0
45
46		#include "ecc-secp384r1.h"
47
48		#if HAVE_NATIVE_ecc_secp384r1_modp
49		#define ecc_secp384r1_modp _nettle_ecc_secp384r1_modp
50		void
51		ecc_secp384r1_modp (const struct ecc_modulo m, mp_limb_t rp, mp_limb_t *xp);
52		#elif GMP_NUMB_BITS == 32
53
54		/* Use that 2^{384} = 2^{128} + 2^{96} - 2^{32} + 1, and eliminate 256
55		bits at a time.
56
57		We can get carry == 2 in the first iteration, and I think only in
58		the first iteration. */
59
60		/* p is 12 limbs, and B^12 - p = B^4 + B^3 - B + 1. We can eliminate
61		almost 8 at a time. Do only 7, to avoid additional carry
62		propagation, followed by 5. */
63		static void
64		ecc_secp384r1_modp (const struct ecc_modulo p, mp_limb_t rp, mp_limb_t *xp)
65		{
66		mp_limb_t cy, bw;
67
68		/* Reduce from 24 to 17 limbs. */
69		cy = mpn_add_n (xp + 4, xp + 4, xp + 16, 8);
70		cy = sec_add_1 (xp + 12, xp + 12, 3, cy);
71
72		bw = mpn_sub_n (xp + 5, xp + 5, xp + 16, 8);
73		bw = sec_sub_1 (xp + 13, xp + 13, 3, bw);
74
75		cy += mpn_add_n (xp + 7, xp + 7, xp + 16, 8);
76		cy = sec_add_1 (xp + 15, xp + 15, 1, cy);
77
78		cy += mpn_add_n (xp + 8, xp + 8, xp + 16, 8);
79		assert (bw <= cy);
80		cy -= bw;
81
82		assert (cy <= 2);
83		xp[16] = cy;
84
85		/* Reduce from 17 to 12 limbs */
86		cy = mpn_add_n (xp, xp, xp + 12, 5);
87		cy = sec_add_1 (xp + 5, xp + 5, 3, cy);
88
89		bw = mpn_sub_n (xp + 1, xp + 1, xp + 12, 5);
90		bw = sec_sub_1 (xp + 6, xp + 6, 6, bw);
91
92		cy += mpn_add_n (xp + 3, xp + 3, xp + 12, 5);
93		cy = sec_add_1 (xp + 8, xp + 8, 1, cy);
94
95		cy += mpn_add_n (xp + 4, xp + 4, xp + 12, 5);
96		cy = sec_add_1 (xp + 9, xp + 9, 3, cy);
97
98		assert (cy >= bw);
99		cy -= bw;
100		assert (cy <= 1);
101		cy = mpn_cnd_add_n (cy, rp, xp, p->B, ECC_LIMB_SIZE);
102		assert (cy == 0);
103		}
104		#elif GMP_NUMB_BITS == 64
105		/* p is 6 limbs, and B^6 - p = B^2 + 2^32 (B - 1) + 1. Eliminate 3
106		(almost 4) limbs at a time. */
107		static void
108		ecc_secp384r1_modp (const struct ecc_modulo p, mp_limb_t rp, mp_limb_t *xp)
109	0	{
110	0	mp_limb_t tp[6];
111	0	mp_limb_t cy;
112
113		/* Reduce from 12 to 9 limbs */
114	0	tp[0] = 0; /* FIXME: Could use mpn_sub_nc */
115	0	mpn_copyi (tp + 1, xp + 8, 3);
116	0	tp[4] = xp[11] - mpn_sub_n (tp, tp, xp + 8, 4);
117	0	tp[5] = mpn_lshift (tp, tp, 5, 32);
118
119	0	cy = mpn_add_n (xp + 2, xp + 2, xp + 8, 4);
120	0	cy = sec_add_1 (xp + 6, xp + 6, 2, cy);
121
122	0	cy += mpn_add_n (xp + 2, xp + 2, tp, 6);
123	0	cy += mpn_add_n (xp + 4, xp + 4, xp + 8, 4);
124
125	0	assert_maybe (cy <= 2);
126	0	xp[8] = cy;
127
128		/* Reduce from 9 to 6 limbs */
129	0	tp[0] = 0;
130	0	mpn_copyi (tp + 1, xp + 6, 2);
131	0	tp[3] = xp[8] - mpn_sub_n (tp, tp, xp + 6, 3);
132	0	tp[4] = mpn_lshift (tp, tp, 4, 32);
133
134	0	cy = mpn_add_n (xp, xp, xp + 6, 3);
135	0	cy = sec_add_1 (xp + 3, xp + 3, 2, cy);
136	0	cy += mpn_add_n (xp, xp, tp, 5);
137	0	cy += mpn_add_n (xp + 2, xp + 2, xp + 6, 3);
138
139	0	cy = sec_add_1 (xp + 5, xp + 5, 1, cy);
140	0	assert_maybe (cy <= 1);
141
142	0	cy = mpn_cnd_add_n (cy, xp, xp, p->B, ECC_LIMB_SIZE);
143	0	assert_maybe (cy == 0);
144	0	mpn_copyi (rp, xp, ECC_LIMB_SIZE);
145	0	}
146		#else
147		#define ecc_secp384r1_modp ecc_mod
148		#endif
149
150		/* Computes a^{2^{288} -2^{32} - 1} mod m. Also produces the
151		intermediate value a^{2^{30} - 1}. Needs 5*ECC_LIMB_SIZE
152		scratch. */
153		static void
154		ecc_mod_pow_288m32m1 (const struct ecc_modulo *m,
155		mp_limb_t rp, mp_limb_t a30m1,
156		const mp_limb_t ap, mp_limb_t scratch)
157	0	{
158		/*
159		Addition chain for 2^{288} - 2^{32} - 1:
160
161		2^2 - 1 = 1 + 2
162		2^4 - 1 = (2^2 + 1) * (2^2 - 1)
163		2^5 - 1 = 1 + 2(2^4 - 1)
164		2^{10} - 1 = (2^5 + 1) (2^5 - 1)
165		2^{15} - 1 = 2^5 (2^{10} - 1) + (2^5-1)
166		2^{30} - 1 = (2^{15} + 1) (2^{15} - 1)
167		2^{32} - 4 = 2^2 (2^{30} - 1)
168		2^{32} - 1 = (2^{32} - 4) + 3
169		2^{60} - 1 = 2^{28}(2^{32} - 4) + (2^{30} - 1)
170		2^{120} - 1 = (2^{60} + 1) (2^{60} - 1)
171		2^{240} - 1 = (2^{120} + 1)(2^{120} - 1)
172		2^{255} - 1 = 2^{15} (2^{240} - 1) + 2^{15} - 1
173		2^{288} - 2^{32} - 1 = 2^{33} (2^{255} - 1) + 2^{32} - 1
174
175		Total 287 squarings, and 12 multiplies.
176
177		The specific sqr/mul schedule is from Routine 3.2.12 of
178		"Mathematical routines for the NIST prime elliptic curves", April
179		5, 2010, author unknown.
180		*/
181
182	0	#define t0 scratch
183	0	#define a3 (scratch + ECC_LIMB_SIZE)
184	0	#define a5m1 a30m1
185	0	#define a15m1 (scratch + 2*ECC_LIMB_SIZE)
186	0	#define a32m1 a3
187	0	#define tp (scratch + 3*ECC_LIMB_SIZE)
188
189	0	ecc_mod_sqr (m, t0, ap, tp); /* a^2 */
190	0	ecc_mod_mul (m, a3, t0, ap, tp); /* a^3 */
191	0	ecc_mod_pow_2kp1 (m, rp, a3, 2, tp); /* a^(2^4 - 1) */
192	0	ecc_mod_sqr (m, t0, rp, tp); /* a^(2^5 - 2) */
193	0	ecc_mod_mul (m, a5m1, t0, ap, tp); /* a^(2^5 - 1) */
194	0	ecc_mod_pow_2kp1 (m, t0, a5m1, 5, tp); /* a^(2^10 - 1) */
195	0	ecc_mod_pow_2k_mul (m, a15m1, t0, 5, a5m1, tp); /* a^(2^15 - 1) a5m1*/
196	0	ecc_mod_pow_2kp1 (m, a30m1, a15m1, 15, tp); /* a^(2^30 - 1) */
197	0	ecc_mod_pow_2k (m, t0, a30m1, 2, tp); /* a^(2^32 - 4) */
198	0	ecc_mod_mul (m, a32m1, t0, a3, tp); /* a^(2^32 - 1) a3 */
199	0	ecc_mod_pow_2k_mul (m, rp, t0, 28, a30m1, tp); /* a^(2^60 - 1) a32m4 */
200	0	ecc_mod_pow_2kp1 (m, t0, rp, 60, tp); /* a^(2^120 - 1) */
201	0	ecc_mod_pow_2kp1 (m, rp, t0, 120, tp); /* a^(2^240 - 1) */
202	0	ecc_mod_pow_2k_mul (m, t0, rp, 15, a15m1, tp); /* a^(2^255 - 1) a15m1 */
203	0	ecc_mod_pow_2k_mul (m, rp, t0, 33, a32m1, tp); /* a^(2^288 - 2^32 - 1) a32m1 */
204
205	0	#undef t0
206	0	#undef a3
207	0	#undef a5m1
208	0	#undef a15m1
209	0	#undef a32m1
210	0	#undef tp
211	0	}
212
213		#define ECC_SECP384R1_INV_ITCH (6*ECC_LIMB_SIZE)
214
215		static void
216		ecc_secp384r1_inv (const struct ecc_modulo *p,
217		mp_limb_t rp, const mp_limb_t ap,
218		mp_limb_t *scratch)
219	0	{
220		/*
221		Addition chain for
222
223		p - 2 = 2^{384} - 2^{128} - 2^{96} + 2^{32} - 3
224
225		Start with
226
227		a^{2^{288} - 2^{32} - 1}
228
229		and then use
230
231		2^{382} - 2^{126} - 2^{94} + 2^{30} - 1
232		= 2^{94} (2^{288} - 2^{32} - 1) + 2^{30} - 1
233
234		2^{384} - 2^{128} - 2^{96} + 2^{32} - 3
235		= 2^2 (2^{382} - 2^{126} - 2^{94} + 2^{30} - 1) + 1
236
237		This addition chain needs 96 additional squarings and 2
238		multiplies, for a total of 383 squarings and 14 multiplies.
239		*/
240
241	0	#define a30m1 scratch
242	0	#define tp (scratch + ECC_LIMB_SIZE)
243
244	0	ecc_mod_pow_288m32m1 (p, rp, a30m1, ap, tp);
245	0	ecc_mod_pow_2k_mul (p, rp, rp, 94, a30m1, tp); /* a^{2^{382} - 2^{126} - 2^{94} + 2^{30} - 1 */
246	0	ecc_mod_pow_2k_mul (p, rp, rp, 2, ap, tp);
247
248	0	#undef a30m1
249	0	#undef tp
250	0	}
251
252		/* To guarantee that inputs to ecc_mod_zero_p are in the required range. */
253		#if ECC_LIMB_SIZE * GMP_NUMB_BITS != 384
254		#error Unsupported limb size
255		#endif
256
257		#define ECC_SECP384R1_SQRT_ITCH (6*ECC_LIMB_SIZE)
258
259		static int
260		ecc_secp384r1_sqrt (const struct ecc_modulo *m,
261		mp_limb_t *rp,
262		const mp_limb_t *cp,
263		mp_limb_t *scratch)
264	0	{
265		/* This computes the square root modulo p384 using the identity:
266
267		sqrt(c) = c^(2^382 − 2^126 - 2^94 + 2^30) (mod P-384)
268
269		which can be seen as a special case of Tonelli-Shanks with e=1.
270
271		Starting with
272
273		a^{2^{288} - 2^{32} - 1}
274
275		and then use
276
277		2^352 - 2^96 - 2^64 + 1
278		= 2^64 (2^{288} - 2^{32} - 1) + 1
279		2^382 − 2^126 - 2^94 + 2^30
280		= 2^30 (2^352 - 2^96 - 2^64 + 1)
281
282		An additional 94 squarings and 2 multiplies, for a total of for a
283		total of 381 squarings and 14 multiplies.
284		*/
285
286	0	#define t0 scratch
287	0	#define tp (scratch + ECC_LIMB_SIZE)
288
289	0	ecc_mod_pow_288m32m1 (m, rp, t0, cp, tp);
290	0	ecc_mod_pow_2k_mul (m, t0, rp, 64, cp, tp); /* c^(2^352 - 2^96 - 2^64 + 1) */
291	0	ecc_mod_pow_2k (m, rp, t0, 30, tp); /* c^(2^382 - 2^126 - 2^94 + 2^30) */
292
293	0	ecc_mod_sqr (m, t0, rp, tp);
294	0	ecc_mod_sub (m, t0, t0, cp);
295
296	0	return ecc_mod_zero_p (m, t0);
297
298	0	#undef t0
299	0	#undef tp
300	0	}
301
302
303		const struct ecc_curve _nettle_secp_384r1 =
304		{
305		{
306		384,
307		ECC_LIMB_SIZE,
308		ECC_BMODP_SIZE,
309		ECC_REDC_SIZE,
310		ECC_SECP384R1_INV_ITCH,
311		ECC_SECP384R1_SQRT_ITCH,
312		0,
313
314		ecc_p,
315		ecc_Bmodp,
316		ecc_Bmodp_shifted,
317		ecc_Bm2p,
318		ecc_redc_ppm1,
319		ecc_pp1h,
320
321		ecc_secp384r1_modp,
322		ecc_secp384r1_modp,
323		ecc_secp384r1_inv,
324		ecc_secp384r1_sqrt,
325		NULL,
326		},
327		{
328		384,
329		ECC_LIMB_SIZE,
330		ECC_BMODQ_SIZE,
331		0,
332		ECC_MOD_INV_ITCH (ECC_LIMB_SIZE),
333		0,
334		0,
335
336		ecc_q,
337		ecc_Bmodq,
338		ecc_Bmodq_shifted,
339		ecc_Bm2q,
340		NULL,
341		ecc_qp1h,
342
343		ecc_mod,
344		ecc_mod,
345		ecc_mod_inv,
346		NULL,
347		NULL,
348		},
349
350		USE_REDC,
351		ECC_PIPPENGER_K,
352		ECC_PIPPENGER_C,
353
354		ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),
355		ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
356		ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE),
357		ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
358		ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
359		ECC_J_TO_A_ITCH(ECC_LIMB_SIZE, ECC_SECP384R1_INV_ITCH),
360
361		ecc_add_jja,
362		ecc_add_jjj,
363		ecc_dup_jj,
364		ecc_mul_a,
365		ecc_mul_g,
366		ecc_j_to_a,
367
368		ecc_b,
369		ecc_unit,
370		ecc_table
371		};
372
373		const struct ecc_curve *nettle_get_secp_384r1(void)
374	0	{
375	0	return &_nettle_secp_384r1;
376	0	}