3 /* Generate compile time constant (but machine dependent) tables. */
5 /* nettle, low-level cryptographics library
7 * Copyright (C) 2013 Niels Möller
9 * The nettle library is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU Lesser General Public License as published by
11 * the Free Software Foundation; either version 2.1 of the License, or (at your
12 * option) any later version.
14 * The nettle library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
17 * License for more details.
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with the nettle library; see the file COPYING.LIB. If not, write to
21 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
25 /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */
34 /* Affine coordinates, for simplicity. Infinity point represented as x
42 /* Represents an elliptic curve of the form
44 y^2 = x^3 - 3x + b (mod p)
60 /* Table for pippenger's algorithm.
63 i 2^c + j_0 + j_1 2 + j_2 2^2 + ... + j_{c-1} 2^{c-1}
67 2^{ikc} ( j_0 + j_1 2^k + j_2 2^{2k} + ... + j_{c-1} 2^{(c-1)k}) g
70 struct ecc_point *table;
72 /* If non-NULL, holds 2g, 3g, 4g */
73 struct ecc_point *ref;
77 ecc_init (struct ecc_point *p)
84 ecc_clear (struct ecc_point *p)
91 ecc_zero_p (const struct ecc_point *p)
93 return mpz_sgn (p->x) == 0 && mpz_sgn (p->y) == 0;
97 ecc_equal_p (const struct ecc_point *p, const struct ecc_point *q)
99 return mpz_cmp (p->x, q->x) == 0 && mpz_cmp (p->y, q->y) == 0;
103 ecc_set_zero (struct ecc_point *r)
105 mpz_set_ui (r->x, 0);
106 mpz_set_ui (r->y, 0);
110 ecc_set (struct ecc_point *r, const struct ecc_point *p)
112 mpz_set (r->x, p->x);
113 mpz_set (r->y, p->y);
117 ecc_dup (const struct ecc_curve *ecc,
118 struct ecc_point *r, const struct ecc_point *p)
133 mpz_mul_ui (m, p->y, 2);
134 mpz_invert (m, m, ecc->p);
136 /* t = 3 (x^2 - 1) * m */
137 mpz_mul (t, p->x, p->x);
138 mpz_mod (t, t, ecc->p);
139 mpz_sub_ui (t, t, 1);
140 mpz_mul_ui (t, t, 3);
145 /* mpz_submul_ui (x, p->x, 2); not available in mini-gmp */
146 mpz_mul_ui (m, p->x, 2);
148 mpz_mod (x, x, ecc->p);
150 /* y' = (x - x') * t - y */
151 mpz_sub (y, p->x, x);
153 mpz_sub (y, y, p->y);
154 mpz_mod (y, y, ecc->p);
167 ecc_add (const struct ecc_curve *ecc,
168 struct ecc_point *r, const struct ecc_point *p, const struct ecc_point *q)
173 else if (ecc_zero_p (q))
176 else if (mpz_cmp (p->x, q->x) == 0)
178 if (mpz_cmp (p->y, q->y) == 0)
191 /* t = (q_y - p_y) / (q_x - p_x) */
192 mpz_sub (t, q->x, p->x);
193 mpz_invert (t, t, ecc->p);
194 mpz_sub (s, q->y, p->y);
196 mpz_mod (t, t, ecc->p);
198 /* x' = t^2 - p_x - q_x */
200 mpz_sub (x, x, p->x);
201 mpz_sub (x, x, q->x);
202 mpz_mod (x, x, ecc->p);
204 /* y' = (x - x') * t - y */
205 mpz_sub (y, p->x, x);
207 mpz_sub (y, y, p->y);
208 mpz_mod (y, y, ecc->p);
221 ecc_mul_binary (const struct ecc_curve *ecc,
222 struct ecc_point *r, const mpz_t n, const struct ecc_point *p)
224 /* Avoid the mp_bitcnt_t type for compatibility with older GMP
229 assert (mpz_sgn (n) > 0);
233 /* Index of highest one bit */
234 for (k = mpz_sizeinbase (n, 2) - 1; k-- > 0; )
237 if (mpz_tstbit (n, k))
238 ecc_add (ecc, r, r, p);
242 static struct ecc_point *
245 struct ecc_point *p = malloc (n * sizeof(*p));
250 fprintf (stderr, "Virtual memory exhausted.\n");
253 for (i = 0; i < n; i++)
260 ecc_set_str (struct ecc_point *p,
261 const char *x, const char *y)
263 mpz_set_str (p->x, x, 16);
264 mpz_set_str (p->y, y, 16);
268 ecc_curve_init_str (struct ecc_curve *ecc,
269 const char *p, const char *b, const char *q,
270 const char *gx, const char *gy)
272 mpz_init_set_str (ecc->p, p, 16);
273 mpz_init_set_str (ecc->b, b, 16);
274 mpz_init_set_str (ecc->q, q, 16);
276 ecc_set_str (&ecc->g, gx, gy);
278 ecc->pippenger_k = 0;
279 ecc->pippenger_c = 0;
286 ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size)
291 ecc_curve_init_str (ecc,
292 /* p = 2^{192} - 2^{64} - 1 */
293 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
296 "64210519e59c80e70fa7e9ab72243049"
299 "ffffffffffffffffffffffff99def836"
302 "188da80eb03090f67cbf20eb43a18800"
305 "07192b95ffc8da78631011ed6b24cdd5"
307 ecc->ref = ecc_alloc (3);
308 ecc_set_str (&ecc->ref[0], /* 2 g */
309 "dafebf5828783f2ad35534631588a3f629a70fb16982a888",
310 "dd6bda0d993da0fa46b27bbc141b868f59331afa5c7e93ab");
312 ecc_set_str (&ecc->ref[1], /* 3 g */
313 "76e32a2557599e6edcd283201fb2b9aadfd0d359cbb263da",
314 "782c37e372ba4520aa62e0fed121d49ef3b543660cfd05fd");
316 ecc_set_str (&ecc->ref[2], /* 4 g */
317 "35433907297cc378b0015703374729d7a4fe46647084e4ba",
318 "a2649984f2135c301ea3acb0776cd4f125389b311db3be32");
322 ecc_curve_init_str (ecc,
323 /* p = 2^{224} - 2^{96} + 1 */
324 "ffffffffffffffffffffffffffffffff"
325 "000000000000000000000001",
327 "b4050a850c04b3abf54132565044b0b7"
328 "d7bfd8ba270b39432355ffb4",
330 "ffffffffffffffffffffffffffff16a2"
331 "e0b8f03e13dd29455c5c2a3d",
333 "b70e0cbd6bb4bf7f321390b94a03c1d3"
334 "56c21122343280d6115c1d21",
336 "bd376388b5f723fb4c22dfe6cd4375a0"
337 "5a07476444d5819985007e34");
339 ecc->ref = ecc_alloc (3);
340 ecc_set_str (&ecc->ref[0], /* 2 g */
341 "706a46dc76dcb76798e60e6d89474788d16dc18032d268fd1a704fa6",
342 "1c2b76a7bc25e7702a704fa986892849fca629487acf3709d2e4e8bb");
344 ecc_set_str (&ecc->ref[1], /* 3 g */
345 "df1b1d66a551d0d31eff822558b9d2cc75c2180279fe0d08fd896d04",
346 "a3f7f03cadd0be444c0aa56830130ddf77d317344e1af3591981a925");
348 ecc_set_str (&ecc->ref[2], /* 4 g */
349 "ae99feebb5d26945b54892092a8aee02912930fa41cd114e40447301",
350 "482580a0ec5bc47e88bc8c378632cd196cb3fa058a7114eb03054c9");
354 ecc_curve_init_str (ecc,
355 /* p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1 */
356 "FFFFFFFF000000010000000000000000"
357 "00000000FFFFFFFFFFFFFFFFFFFFFFFF",
359 "5AC635D8AA3A93E7B3EBBD55769886BC"
360 "651D06B0CC53B0F63BCE3C3E27D2604B",
362 "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
363 "BCE6FAADA7179E84F3B9CAC2FC632551",
365 "6B17D1F2E12C4247F8BCE6E563A440F2"
366 "77037D812DEB33A0F4A13945D898C296",
368 "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16"
369 "2BCE33576B315ECECBB6406837BF51F5");
371 ecc->ref = ecc_alloc (3);
372 ecc_set_str (&ecc->ref[0], /* 2 g */
373 "7cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978",
374 "7775510db8ed040293d9ac69f7430dbba7dade63ce982299e04b79d227873d1");
376 ecc_set_str (&ecc->ref[1], /* 3 g */
377 "5ecbe4d1a6330a44c8f7ef951d4bf165e6c6b721efada985fb41661bc6e7fd6c",
378 "8734640c4998ff7e374b06ce1a64a2ecd82ab036384fb83d9a79b127a27d5032");
380 ecc_set_str (&ecc->ref[2], /* 4 g */
381 "e2534a3532d08fbba02dde659ee62bd0031fe2db785596ef509302446b030852",
382 "e0f1575a4c633cc719dfee5fda862d764efc96c3f30ee0055c42c23f184ed8c6");
386 ecc_curve_init_str (ecc,
387 /* p = 2^{384} - 2^{128} - 2^{96} + 2^{32} - 1 */
388 "ffffffffffffffffffffffffffffffff"
389 "fffffffffffffffffffffffffffffffe"
390 "ffffffff0000000000000000ffffffff",
392 "b3312fa7e23ee7e4988e056be3f82d19"
393 "181d9c6efe8141120314088f5013875a"
394 "c656398d8a2ed19d2a85c8edd3ec2aef",
396 "ffffffffffffffffffffffffffffffff"
397 "ffffffffffffffffc7634d81f4372ddf"
398 "581a0db248b0a77aecec196accc52973",
400 "aa87ca22be8b05378eb1c71ef320ad74"
401 "6e1d3b628ba79b9859f741e082542a38"
402 "5502f25dbf55296c3a545e3872760ab7",
404 "3617de4a96262c6f5d9e98bf9292dc29"
405 "f8f41dbd289a147ce9da3113b5f0b8c0"
406 "0a60b1ce1d7e819d7a431d7c90ea0e5f");
408 ecc->ref = ecc_alloc (3);
409 ecc_set_str (&ecc->ref[0], /* 2 g */
410 "8d999057ba3d2d969260045c55b97f089025959a6f434d651d207d19fb96e9e4fe0e86ebe0e64f85b96a9c75295df61",
411 "8e80f1fa5b1b3cedb7bfe8dffd6dba74b275d875bc6cc43e904e505f256ab4255ffd43e94d39e22d61501e700a940e80");
413 ecc_set_str (&ecc->ref[1], /* 3 g */
414 "77a41d4606ffa1464793c7e5fdc7d98cb9d3910202dcd06bea4f240d3566da6b408bbae5026580d02d7e5c70500c831",
415 "c995f7ca0b0c42837d0bbe9602a9fc998520b41c85115aa5f7684c0edc111eacc24abd6be4b5d298b65f28600a2f1df1");
417 ecc_set_str (&ecc->ref[2], /* 4 g */
418 "138251cd52ac9298c1c8aad977321deb97e709bd0b4ca0aca55dc8ad51dcfc9d1589a1597e3a5120e1efd631c63e1835",
419 "cacae29869a62e1631e8a28181ab56616dc45d918abc09f3ab0e63cf792aa4dced7387be37bba569549f1c02b270ed67");
423 ecc_curve_init_str (ecc,
424 "1ff" /* p = 2^{521} - 1 */
425 "ffffffffffffffffffffffffffffffff"
426 "ffffffffffffffffffffffffffffffff"
427 "ffffffffffffffffffffffffffffffff"
428 "ffffffffffffffffffffffffffffffff",
431 "953eb9618e1c9a1f929a21a0b68540ee"
432 "a2da725b99b315f3b8b489918ef109e1"
433 "56193951ec7e937b1652c0bd3bb1bf07"
434 "3573df883d2c34f1ef451fd46b503f00",
437 "ffffffffffffffffffffffffffffffff"
438 "fffffffffffffffffffffffffffffffa"
439 "51868783bf2f966b7fcc0148f709a5d0"
440 "3bb5c9b8899c47aebb6fb71e91386409",
443 "858e06b70404e9cd9e3ecb662395b442"
444 "9c648139053fb521f828af606b4d3dba"
445 "a14b5e77efe75928fe1dc127a2ffa8de"
446 "3348b3c1856a429bf97e7e31c2e5bd66",
449 "39296a789a3bc0045c8a5fb42c7d1bd9"
450 "98f54449579b446817afbd17273e662c"
451 "97ee72995ef42640c550b9013fad0761"
452 "353c7086a272c24088be94769fd16650");
454 ecc->ref = ecc_alloc (3);
455 ecc_set_str (&ecc->ref[0], /* 2 g */
456 "433c219024277e7e682fcb288148c282747403279b1ccc06352c6e5505d769be97b3b204da6ef55507aa104a3a35c5af41cf2fa364d60fd967f43e3933ba6d783d",
457 "f4bb8cc7f86db26700a7f3eceeeed3f0b5c6b5107c4da97740ab21a29906c42dbbb3e377de9f251f6b93937fa99a3248f4eafcbe95edc0f4f71be356d661f41b02");
459 ecc_set_str (&ecc->ref[1], /* 3 g */
460 "1a73d352443de29195dd91d6a64b5959479b52a6e5b123d9ab9e5ad7a112d7a8dd1ad3f164a3a4832051da6bd16b59fe21baeb490862c32ea05a5919d2ede37ad7d",
461 "13e9b03b97dfa62ddd9979f86c6cab814f2f1557fa82a9d0317d2f8ab1fa355ceec2e2dd4cf8dc575b02d5aced1dec3c70cf105c9bc93a590425f588ca1ee86c0e5");
463 ecc_set_str (&ecc->ref[2], /* 4 g */
464 "35b5df64ae2ac204c354b483487c9070cdc61c891c5ff39afc06c5d55541d3ceac8659e24afe3d0750e8b88e9f078af066a1d5025b08e5a5e2fbc87412871902f3",
465 "82096f84261279d2b673e0178eb0b4abb65521aef6e6e32e1b5ae63fe2f19907f279f283e54ba385405224f750a95b85eebb7faef04699d1d9e21f47fc346e4d0d");
469 fprintf (stderr, "No known curve for size %d\n", bit_size);
472 ecc->bit_size = bit_size;
476 ecc_pippenger_precompute (struct ecc_curve *ecc, unsigned k, unsigned c)
478 unsigned p = (ecc->bit_size + k-1) / k;
479 unsigned M = (p + c-1)/c;
482 ecc->pippenger_k = k;
483 ecc->pippenger_c = c;
484 ecc->table_size = M << c;
485 ecc->table = ecc_alloc (ecc->table_size);
487 /* Compute the first 2^c entries */
488 ecc_set_zero (&ecc->table[0]);
489 ecc_set (&ecc->table[1], &ecc->g);
491 for (j = 2; j < (1U<<c); j <<= 1)
493 /* T[j] = 2^k T[j/2] */
494 ecc_dup (ecc, &ecc->table[j], &ecc->table[j/2]);
495 for (i = 1; i < k; i++)
496 ecc_dup (ecc, &ecc->table[j], &ecc->table[j]);
498 for (i = 1; i < j; i++)
499 ecc_add (ecc, &ecc->table[j + i], &ecc->table[j], &ecc->table[i]);
501 for (j = 1<<c; j < ecc->table_size; j++)
503 /* T[j] = 2^{kc} T[j-2^c] */
504 ecc_dup (ecc, &ecc->table[j], &ecc->table[j - (1<<c)]);
505 for (i = 1; i < k*c; i++)
506 ecc_dup (ecc, &ecc->table[j], &ecc->table[j]);
511 ecc_mul_pippenger (const struct ecc_curve *ecc,
512 struct ecc_point *r, const mpz_t n_input)
521 mpz_mod (n, n_input, ecc->q);
524 k = ecc->pippenger_k;
525 c = ecc->pippenger_c;
527 bit_rows = (ecc->bit_size + k - 1) / k;
529 for (i = k; i-- > 0; )
532 for (j = 0; j * c < bit_rows; j++)
537 /* Extract c bits of the exponent, stride k, starting at i + kcj, ending at
539 for (bits = 0, bit_index = i + k*(c*j+c); bit_index > i + k*c*j; )
542 bits = (bits << 1) | mpz_tstbit (n, bit_index);
545 ecc_add (ecc, r, r, &ecc->table[(j << c) | bits]);
551 #define ASSERT_EQUAL(p, q) do { \
552 if (!ecc_equal_p (p, q)) \
554 fprintf (stderr, "%s:%d: ASSERT_EQUAL (%s, %s) failed.\n", \
555 __FILE__, __LINE__, #p, #q); \
556 fprintf (stderr, "p = ("); \
557 mpz_out_str (stderr, 16, (p)->x); \
558 fprintf (stderr, ",\n "); \
559 mpz_out_str (stderr, 16, (p)->y); \
560 fprintf (stderr, ")\nq = ("); \
561 mpz_out_str (stderr, 16, (q)->x); \
562 fprintf (stderr, ",\n "); \
563 mpz_out_str (stderr, 16, (q)->y); \
564 fprintf (stderr, ")\n"); \
569 #define ASSERT_ZERO(p) do { \
570 if (!ecc_zero_p (p)) \
572 fprintf (stderr, "%s:%d: ASSERT_ZERO (%s) failed.\n", \
573 __FILE__, __LINE__, #p); \
574 fprintf (stderr, "p = ("); \
575 mpz_out_str (stderr, 16, (p)->x); \
576 fprintf (stderr, ",\n "); \
577 mpz_out_str (stderr, 16, (p)->y); \
578 fprintf (stderr, ")\n"); \
584 ecc_curve_check (const struct ecc_curve *ecc)
586 struct ecc_point p, q;
593 ecc_dup (ecc, &p, &ecc->g);
595 ASSERT_EQUAL (&p, &ecc->ref[0]);
598 fprintf (stderr, "g2 = ");
599 mpz_out_str (stderr, 16, p.x);
600 fprintf (stderr, "\n ");
601 mpz_out_str (stderr, 16, p.y);
602 fprintf (stderr, "\n");
604 ecc_add (ecc, &q, &p, &ecc->g);
606 ASSERT_EQUAL (&q, &ecc->ref[1]);
609 fprintf (stderr, "g3 = ");
610 mpz_out_str (stderr, 16, q.x);
611 fprintf (stderr, "\n ");
612 mpz_out_str (stderr, 16, q.y);
613 fprintf (stderr, "\n");
616 ecc_add (ecc, &q, &q, &ecc->g);
618 ASSERT_EQUAL (&q, &ecc->ref[2]);
621 fprintf (stderr, "g4 = ");
622 mpz_out_str (stderr, 16, q.x);
623 fprintf (stderr, "\n ");
624 mpz_out_str (stderr, 16, q.y);
625 fprintf (stderr, "\n");
628 ecc_dup (ecc, &q, &p);
630 ASSERT_EQUAL (&q, &ecc->ref[2]);
633 fprintf (stderr, "g4 = ");
634 mpz_out_str (stderr, 16, q.x);
635 fprintf (stderr, "\n ");
636 mpz_out_str (stderr, 16, q.y);
637 fprintf (stderr, "\n");
640 ecc_mul_binary (ecc, &p, ecc->q, &ecc->g);
643 ecc_mul_pippenger (ecc, &q, ecc->q);
652 output_digits (const mpz_t x,
653 unsigned size, unsigned bits_per_limb)
665 mpz_setbit (mask, bits_per_limb);
666 mpz_sub_ui (mask, mask, 1);
668 suffix = bits_per_limb > 32 ? "ULL" : "UL";
672 for (i = 0; i < size; i++)
677 mpz_and (limb, mask, t);
679 mpz_out_str (stdout, 16, limb);
680 printf ("%s,", suffix);
681 mpz_tdiv_q_2exp (t, t, bits_per_limb);
690 output_bignum (const char *name, const mpz_t x,
691 unsigned size, unsigned bits_per_limb)
693 printf ("static const mp_limb_t %s[%d] = {", name, size);
694 output_digits (x, size, bits_per_limb);
699 output_point (const char *name, const struct ecc_point *p,
700 unsigned size, unsigned bits_per_limb)
703 printf("static const mp_limb_t %s[%u] = {", name, 2*size);
705 output_digits (p->x, size, bits_per_limb);
706 output_digits (p->y, size, bits_per_limb);
713 output_point_redc (const char *name, const struct ecc_curve *ecc,
714 const struct ecc_point *p,
715 unsigned size, unsigned bits_per_limb)
721 printf("static const mp_limb_t %s[%u] = {", name, 2*size);
723 mpz_mul_2exp (t, p->x, size * bits_per_limb);
724 mpz_mod (t, t, ecc->p);
726 output_digits (t, size, bits_per_limb);
728 mpz_mul_2exp (t, p->y, size * bits_per_limb);
729 mpz_mod (t, t, ecc->p);
731 output_digits (t, size, bits_per_limb);
740 output_modulo (const char *name, const mpz_t x,
741 unsigned size, unsigned bits_per_limb)
748 mpz_setbit (mod, bits_per_limb * size);
749 mpz_mod (mod, mod, x);
751 bits = mpz_sizeinbase (mod, 2);
752 assert (bits <= size * bits_per_limb - 32);
754 output_bignum (name, mod, size, bits_per_limb);
761 output_curve (const struct ecc_curve *ecc, unsigned bits_per_limb)
763 unsigned limb_size = (ecc->bit_size + bits_per_limb - 1)/bits_per_limb;
771 printf ("/* For NULL. */\n#include <stddef.h>\n");
773 printf ("#define ECC_LIMB_SIZE %u\n", limb_size);
774 printf ("#define ECC_PIPPENGER_K %u\n", ecc->pippenger_k);
775 printf ("#define ECC_PIPPENGER_C %u\n", ecc->pippenger_c);
777 output_bignum ("ecc_p", ecc->p, limb_size, bits_per_limb);
778 output_bignum ("ecc_b", ecc->b, limb_size, bits_per_limb);
779 output_bignum ("ecc_q", ecc->q, limb_size, bits_per_limb);
780 output_point ("ecc_g", &ecc->g, limb_size, bits_per_limb);
781 output_point_redc ("ecc_redc_g", ecc, &ecc->g, limb_size, bits_per_limb);
783 bits = output_modulo ("ecc_Bmodp", ecc->p, limb_size, bits_per_limb);
784 printf ("#define ECC_BMODP_SIZE %u\n",
785 (bits + bits_per_limb - 1) / bits_per_limb);
786 bits = output_modulo ("ecc_Bmodq", ecc->q, limb_size, bits_per_limb);
787 printf ("#define ECC_BMODQ_SIZE %u\n",
788 (bits + bits_per_limb - 1) / bits_per_limb);
790 if (ecc->bit_size < limb_size * bits_per_limb)
795 mpz_setbit (t, ecc->bit_size);
796 mpz_sub (t, t, ecc->p);
797 output_bignum ("ecc_Bmodp_shifted", t, limb_size, bits_per_limb);
799 shift = limb_size * bits_per_limb - ecc->bit_size;
802 /* Check condition for reducing hi limbs. If s is the
803 normalization shift and n is the bit size (so that s + n
804 = limb_size * bite_per_limb), then we need
806 (2^n - 1) + (2^s - 1) (2^n - p) < 2p
812 To a allow a carry limb to be added in at the same time,
813 substitute s+1 for s.
815 /* FIXME: For ecdsa verify, we actually need the stricter
817 mpz_mul_2exp (t, t, shift + 1);
818 if (mpz_cmp (t, ecc->p) > 0)
820 fprintf (stderr, "Reduction condition failed for %u-bit curve.\n",
826 mpz_setbit (t, ecc->bit_size);
827 mpz_sub (t, t, ecc->q);
828 output_bignum ("ecc_Bmodq_shifted", t, limb_size, bits_per_limb);
832 printf ("#define ecc_Bmodp_shifted ecc_Bmodp\n");
833 printf ("#define ecc_Bmodq_shifted ecc_Bmodq\n");
836 mpz_add_ui (t, ecc->p, 1);
837 mpz_fdiv_q_2exp (t, t, 1);
838 output_bignum ("ecc_pp1h", t, limb_size, bits_per_limb);
840 mpz_add_ui (t, ecc->q, 1);
841 mpz_fdiv_q_2exp (t, t, 1);
842 output_bignum ("ecc_qp1h", t, limb_size, bits_per_limb);
844 /* Trailing zeros in p+1 correspond to trailing ones in p. */
845 redc_limbs = mpz_scan0 (ecc->p, 0) / bits_per_limb;
848 mpz_add_ui (t, ecc->p, 1);
849 mpz_fdiv_q_2exp (t, t, redc_limbs * bits_per_limb);
850 output_bignum ("ecc_redc_ppm1", t, limb_size - redc_limbs, bits_per_limb);
854 /* Trailing zeros in p-1 correspond to zeros just above the low
856 redc_limbs = mpz_scan1 (ecc->p, 1) / bits_per_limb;
859 printf ("#define ecc_redc_ppm1 (ecc_p + %d)\n",
861 redc_limbs = -redc_limbs;
864 printf ("#define ecc_redc_ppm1 NULL\n");
866 printf ("#define ECC_REDC_SIZE %d\n", redc_limbs);
868 printf ("#if USE_REDC\n");
869 printf ("#define ecc_unit ecc_Bmodp\n");
871 printf ("static const mp_limb_t ecc_table[%lu] = {",
872 (unsigned long) (2*ecc->table_size * limb_size));
873 for (i = 0; i < ecc->table_size; i++)
874 output_point_redc (NULL, ecc, &ecc->table[i], limb_size, bits_per_limb);
880 mpz_init_set_ui (t, 1);
881 output_bignum ("ecc_unit", t, limb_size, bits_per_limb);
883 printf ("static const mp_limb_t ecc_table[%lu] = {",
884 (unsigned long) (2*ecc->table_size * limb_size));
885 for (i = 0; i < ecc->table_size; i++)
886 output_point (NULL, &ecc->table[i], limb_size, bits_per_limb);
895 main (int argc, char **argv)
897 struct ecc_curve ecc;
901 fprintf (stderr, "Usage: %s CURVE-BITS K C [BITS-PER-LIMB]\n", argv[0]);
905 ecc_curve_init (&ecc, atoi(argv[1]));
907 ecc_pippenger_precompute (&ecc, atoi(argv[2]), atoi(argv[3]));
909 fprintf (stderr, "Table size: %lu entries\n",
910 (unsigned long) ecc.table_size);
912 ecc_curve_check (&ecc);
915 output_curve (&ecc, atoi(argv[4]));
projects / platform / upstream / nettle.git / blob