3 /* nettle, low-level cryptographics library
5 * Copyright (C) 2013 Niels Möller
7 * The nettle library is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU Lesser General Public License as published by
9 * the Free Software Foundation; either version 2.1 of the License, or (at your
10 * option) any later version.
12 * The nettle library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
15 * License for more details.
17 * You should have received a copy of the GNU Lesser General Public License
18 * along with the nettle library; see the file COPYING.LIB. If not, write to
19 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
23 /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */
30 #include "ecc-internal.h"
33 ecc_add_jjj_itch (const struct ecc_curve *ecc)
35 /* Needs 8 * ecc->size */
36 return ECC_ADD_JJJ_ITCH (ecc->size);
40 ecc_add_jjj (const struct ecc_curve *ecc,
41 mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q,
44 /* Formulas, from djb,
45 http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl:
47 Computation Operation Live variables
50 Z2Z2 = Z2^2 sqr Z1Z1, Z2Z2
51 U1 = X1*Z2Z2 mul Z1Z1, Z2Z2, U1
52 U2 = X2*Z1Z1 mul Z1Z1, Z2Z2, U1, U2
53 H = U2-U1 Z1Z1, Z2Z2, U1, H
54 Z3 = ((Z1+Z2)^2-Z1Z1-Z2Z2)*H sqr, mul Z1Z1, Z2Z2, U1, H
55 S1 = Y1*Z2*Z2Z2 mul, mul Z1Z1, U1, H, S1
56 S2 = Y2*Z1*Z1Z1 mul, mul U1, H, S1, S2
57 W = 2*(S2-S1) (djb: r) U1, H, S1, W
58 I = (2*H)^2 sqr U1, H, S1, W, I
59 J = H*I mul U1, S1, W, J, V
60 V = U1*I mul S1, W, J, V
61 X3 = W^2-J-2*V sqr S1, W, J, V
62 Y3 = W*(V-X3)-2*S1*J mul, mul
64 mp_limb_t *z1z1 = scratch;
65 mp_limb_t *z2z2 = scratch + ecc->size;
66 mp_limb_t *u1 = scratch + 2*ecc->size;
67 mp_limb_t *u2 = scratch + 3*ecc->size;
68 mp_limb_t *s1 = scratch; /* overlap z1z1 */
69 mp_limb_t *s2 = scratch + ecc->size; /* overlap z2z2 */
70 mp_limb_t *i = scratch + 4*ecc->size;
71 mp_limb_t *j = scratch + 5*ecc->size;
72 mp_limb_t *v = scratch + 6*ecc->size;
74 /* z1^2, z2^2, u1 = x1 x2^2, u2 = x2 z1^2 - u1 */
75 ecc_modp_sqr (ecc, z1z1, p + 2*ecc->size);
76 ecc_modp_sqr (ecc, z2z2, q + 2*ecc->size);
77 ecc_modp_mul (ecc, u1, p, z2z2);
78 ecc_modp_mul (ecc, u2, q, z1z1);
79 ecc_modp_sub (ecc, u2, u2, u1); /* Store h in u2 */
81 /* z3, use i, j, v as scratch, result at i. */
82 ecc_modp_add (ecc, i, p + 2*ecc->size, q + 2*ecc->size);
83 ecc_modp_sqr (ecc, v, i);
84 ecc_modp_sub (ecc, v, v, z1z1);
85 ecc_modp_sub (ecc, v, v, z2z2);
86 ecc_modp_mul (ecc, i, v, u2);
87 /* Delayed write, to support in-place operation. */
89 /* s1 = y1 z2^3, s2 = y2 z1^3, scratch at j and v */
90 ecc_modp_mul (ecc, j, z1z1, p + 2*ecc->size); /* z1^3 */
91 ecc_modp_mul (ecc, v, z2z2, q + 2*ecc->size); /* z2^3 */
92 ecc_modp_mul (ecc, s1, p + ecc->size, v);
93 ecc_modp_mul (ecc, v, j, q + ecc->size);
94 ecc_modp_sub (ecc, s2, v, s1);
95 ecc_modp_mul_1 (ecc, s2, s2, 2);
98 mpn_copyi (r + 2*ecc->size, i, ecc->size);
101 ecc_modp_sqr (ecc, i, u2);
102 ecc_modp_mul_1 (ecc, i, i, 4);
103 ecc_modp_mul (ecc, j, u2, i);
104 ecc_modp_mul (ecc, v, u1, i);
106 /* now, u1, u2 and i are free for reuse .*/
107 /* x3, use u1, u2 as scratch */
108 ecc_modp_sqr (ecc, u1, s2);
109 ecc_modp_sub (ecc, r, u1, j);
110 ecc_modp_submul_1 (ecc, r, v, 2);
113 ecc_modp_mul (ecc, u1, s1, j); /* Frees j */
114 ecc_modp_sub (ecc, u2, v, r); /* Frees v */
115 ecc_modp_mul (ecc, i, s2, u2);
116 ecc_modp_submul_1 (ecc, i, u1, 2);
117 mpn_copyi (r + ecc->size, i, ecc->size);
projects / external / nettle.git / blob