2 * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
5 * Licensed under the OpenSSL license (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
12 #include <openssl/err.h>
14 #include "internal/cryptlib.h"
15 #include "internal/bn_int.h"
17 #include "internal/refcount.h"
20 * This file implements the wNAF-based interleaving multi-exponentiation method
22 * http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#multiexp
23 * You might now find it here:
24 * http://link.springer.com/chapter/10.1007%2F3-540-45537-X_13
25 * http://www.bmoeller.de/pdf/TI-01-08.multiexp.pdf
26 * For multiplication with precomputation, we use wNAF splitting, formerly at:
27 * http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#fastexp
30 /* structure for precomputed multiples of the generator */
31 struct ec_pre_comp_st {
32 const EC_GROUP *group; /* parent EC_GROUP object */
33 size_t blocksize; /* block size for wNAF splitting */
34 size_t numblocks; /* max. number of blocks for which we have
36 size_t w; /* window size */
37 EC_POINT **points; /* array with pre-calculated multiples of
38 * generator: 'num' pointers to EC_POINT
39 * objects followed by a NULL */
40 size_t num; /* numblocks * 2^(w-1) */
41 CRYPTO_REF_COUNT references;
45 static EC_PRE_COMP *ec_pre_comp_new(const EC_GROUP *group)
47 EC_PRE_COMP *ret = NULL;
52 ret = OPENSSL_zalloc(sizeof(*ret));
54 ECerr(EC_F_EC_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE);
59 ret->blocksize = 8; /* default */
60 ret->w = 4; /* default */
63 ret->lock = CRYPTO_THREAD_lock_new();
64 if (ret->lock == NULL) {
65 ECerr(EC_F_EC_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE);
72 EC_PRE_COMP *EC_ec_pre_comp_dup(EC_PRE_COMP *pre)
76 CRYPTO_UP_REF(&pre->references, &i, pre->lock);
80 void EC_ec_pre_comp_free(EC_PRE_COMP *pre)
87 CRYPTO_DOWN_REF(&pre->references, &i, pre->lock);
88 REF_PRINT_COUNT("EC_ec", pre);
91 REF_ASSERT_ISNT(i < 0);
93 if (pre->points != NULL) {
96 for (pts = pre->points; *pts != NULL; pts++)
98 OPENSSL_free(pre->points);
100 CRYPTO_THREAD_lock_free(pre->lock);
104 #define EC_POINT_BN_set_flags(P, flags) do { \
105 BN_set_flags((P)->X, (flags)); \
106 BN_set_flags((P)->Y, (flags)); \
107 BN_set_flags((P)->Z, (flags)); \
111 * This functions computes a single point multiplication over the EC group,
112 * using, at a high level, a Montgomery ladder with conditional swaps, with
113 * various timing attack defenses.
115 * It performs either a fixed point multiplication
116 * (scalar * generator)
117 * when point is NULL, or a variable point multiplication
119 * when point is not NULL.
121 * `scalar` cannot be NULL and should be in the range [0,n) otherwise all
122 * constant time bets are off (where n is the cardinality of the EC group).
124 * NB: This says nothing about the constant-timeness of the ladder step
125 * implementation (i.e., the default implementation is based on EC_POINT_add and
126 * EC_POINT_dbl, which of course are not constant time themselves) or the
127 * underlying multiprecision arithmetic.
129 * The product is stored in `r`.
131 * Returns 1 on success, 0 otherwise.
134 int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
135 const BIGNUM *scalar, const EC_POINT *point,
138 int i, cardinality_bits, group_top, kbit, pbit, Z_is_one;
142 BIGNUM *lambda = NULL;
143 BIGNUM *cardinality = NULL;
144 BN_CTX *new_ctx = NULL;
147 /* early exit if the input point is the point at infinity */
148 if (point != NULL && EC_POINT_is_at_infinity(group, point))
149 return EC_POINT_set_to_infinity(group, r);
151 if (ctx == NULL && (ctx = new_ctx = BN_CTX_secure_new()) == NULL)
156 if (((p = EC_POINT_new(group)) == NULL)
157 || ((s = EC_POINT_new(group)) == NULL)) {
158 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_MALLOC_FAILURE);
163 if (!EC_POINT_copy(p, group->generator)) {
164 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_EC_LIB);
168 if (!EC_POINT_copy(p, point)) {
169 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_EC_LIB);
174 EC_POINT_BN_set_flags(p, BN_FLG_CONSTTIME);
175 EC_POINT_BN_set_flags(r, BN_FLG_CONSTTIME);
176 EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME);
178 cardinality = BN_CTX_get(ctx);
179 lambda = BN_CTX_get(ctx);
182 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_MALLOC_FAILURE);
186 if (!BN_mul(cardinality, group->order, group->cofactor, ctx)) {
187 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB);
192 * Group cardinalities are often on a word boundary.
193 * So when we pad the scalar, some timing diff might
194 * pop if it needs to be expanded due to carries.
195 * So expand ahead of time.
197 cardinality_bits = BN_num_bits(cardinality);
198 group_top = bn_get_top(cardinality);
199 if ((bn_wexpand(k, group_top + 1) == NULL)
200 || (bn_wexpand(lambda, group_top + 1) == NULL)) {
201 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB);
205 if (!BN_copy(k, scalar)) {
206 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB);
210 BN_set_flags(k, BN_FLG_CONSTTIME);
212 if ((BN_num_bits(k) > cardinality_bits) || (BN_is_negative(k))) {
214 * this is an unusual input, and we don't guarantee
217 if (!BN_nnmod(k, k, cardinality, ctx)) {
218 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB);
223 if (!BN_add(lambda, k, cardinality)) {
224 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB);
227 BN_set_flags(lambda, BN_FLG_CONSTTIME);
228 if (!BN_add(k, lambda, cardinality)) {
229 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB);
233 * lambda := scalar + cardinality
234 * k := scalar + 2*cardinality
236 kbit = BN_is_bit_set(lambda, cardinality_bits);
237 BN_consttime_swap(kbit, k, lambda, group_top + 1);
239 group_top = bn_get_top(group->field);
240 if ((bn_wexpand(s->X, group_top) == NULL)
241 || (bn_wexpand(s->Y, group_top) == NULL)
242 || (bn_wexpand(s->Z, group_top) == NULL)
243 || (bn_wexpand(r->X, group_top) == NULL)
244 || (bn_wexpand(r->Y, group_top) == NULL)
245 || (bn_wexpand(r->Z, group_top) == NULL)
246 || (bn_wexpand(p->X, group_top) == NULL)
247 || (bn_wexpand(p->Y, group_top) == NULL)
248 || (bn_wexpand(p->Z, group_top) == NULL)) {
249 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB);
254 * Apply coordinate blinding for EC_POINT.
256 * The underlying EC_METHOD can optionally implement this function:
257 * ec_point_blind_coordinates() returns 0 in case of errors or 1 on
258 * success or if coordinate blinding is not implemented for this
261 if (!ec_point_blind_coordinates(group, p, ctx)) {
262 ECerr(EC_F_EC_SCALAR_MUL_LADDER, EC_R_POINT_COORDINATES_BLIND_FAILURE);
266 /* Initialize the Montgomery ladder */
267 if (!ec_point_ladder_pre(group, r, s, p, ctx)) {
268 ECerr(EC_F_EC_SCALAR_MUL_LADDER, EC_R_LADDER_PRE_FAILURE);
272 /* top bit is a 1, in a fixed pos */
275 #define EC_POINT_CSWAP(c, a, b, w, t) do { \
276 BN_consttime_swap(c, (a)->X, (b)->X, w); \
277 BN_consttime_swap(c, (a)->Y, (b)->Y, w); \
278 BN_consttime_swap(c, (a)->Z, (b)->Z, w); \
279 t = ((a)->Z_is_one ^ (b)->Z_is_one) & (c); \
280 (a)->Z_is_one ^= (t); \
281 (b)->Z_is_one ^= (t); \
285 * The ladder step, with branches, is
287 * k[i] == 0: S = add(R, S), R = dbl(R)
288 * k[i] == 1: R = add(S, R), S = dbl(S)
290 * Swapping R, S conditionally on k[i] leaves you with state
292 * k[i] == 0: T, U = R, S
293 * k[i] == 1: T, U = S, R
295 * Then perform the ECC ops.
300 * Which leaves you with state
302 * k[i] == 0: U = add(R, S), T = dbl(R)
303 * k[i] == 1: U = add(S, R), T = dbl(S)
305 * Swapping T, U conditionally on k[i] leaves you with state
307 * k[i] == 0: R, S = T, U
308 * k[i] == 1: R, S = U, T
310 * Which leaves you with state
312 * k[i] == 0: S = add(R, S), R = dbl(R)
313 * k[i] == 1: R = add(S, R), S = dbl(S)
315 * So we get the same logic, but instead of a branch it's a
316 * conditional swap, followed by ECC ops, then another conditional swap.
318 * Optimization: The end of iteration i and start of i-1 looks like
325 * CSWAP(k[i-1], R, S)
327 * CSWAP(k[i-1], R, S)
330 * So instead of two contiguous swaps, you can merge the condition
331 * bits and do a single swap.
333 * k[i] k[i-1] Outcome
339 * This is XOR. pbit tracks the previous bit of k.
342 for (i = cardinality_bits - 1; i >= 0; i--) {
343 kbit = BN_is_bit_set(k, i) ^ pbit;
344 EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one);
346 /* Perform a single step of the Montgomery ladder */
347 if (!ec_point_ladder_step(group, r, s, p, ctx)) {
348 ECerr(EC_F_EC_SCALAR_MUL_LADDER, EC_R_LADDER_STEP_FAILURE);
352 * pbit logic merges this cswap with that of the
357 /* one final cswap to move the right value into r */
358 EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one);
359 #undef EC_POINT_CSWAP
361 /* Finalize ladder (and recover full point coordinates) */
362 if (!ec_point_ladder_post(group, r, s, p, ctx)) {
363 ECerr(EC_F_EC_SCALAR_MUL_LADDER, EC_R_LADDER_POST_FAILURE);
373 BN_CTX_free(new_ctx);
378 #undef EC_POINT_BN_set_flags
381 * TODO: table should be optimised for the wNAF-based implementation,
382 * sometimes smaller windows will give better performance (thus the
383 * boundaries should be increased)
385 #define EC_window_bits_for_scalar_size(b) \
396 * \sum scalars[i]*points[i],
399 * in the addition if scalar != NULL
401 int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
402 size_t num, const EC_POINT *points[], const BIGNUM *scalars[],
405 BN_CTX *new_ctx = NULL;
406 const EC_POINT *generator = NULL;
407 EC_POINT *tmp = NULL;
409 size_t blocksize = 0, numblocks = 0; /* for wNAF splitting */
410 size_t pre_points_per_block = 0;
413 int r_is_inverted = 0;
414 int r_is_at_infinity = 1;
415 size_t *wsize = NULL; /* individual window sizes */
416 signed char **wNAF = NULL; /* individual wNAFs */
417 size_t *wNAF_len = NULL;
420 EC_POINT **val = NULL; /* precomputation */
422 EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' or
423 * 'pre_comp->points' */
424 const EC_PRE_COMP *pre_comp = NULL;
425 int num_scalar = 0; /* flag: will be set to 1 if 'scalar' must be
426 * treated like other scalars, i.e.
427 * precomputation is not available */
430 if (!ec_point_is_compat(r, group)) {
431 ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS);
435 if ((scalar == NULL) && (num == 0)) {
436 return EC_POINT_set_to_infinity(group, r);
439 if (!BN_is_zero(group->order) && !BN_is_zero(group->cofactor)) {
441 * Handle the common cases where the scalar is secret, enforcing a
442 * scalar multiplication implementation based on a Montgomery ladder,
443 * with various timing attack defenses.
445 if ((scalar != NULL) && (num == 0)) {
447 * In this case we want to compute scalar * GeneratorPoint: this
448 * codepath is reached most prominently by (ephemeral) key
449 * generation of EC cryptosystems (i.e. ECDSA keygen and sign setup,
450 * ECDH keygen/first half), where the scalar is always secret. This
451 * is why we ignore if BN_FLG_CONSTTIME is actually set and we
452 * always call the ladder version.
454 return ec_scalar_mul_ladder(group, r, scalar, NULL, ctx);
456 if ((scalar == NULL) && (num == 1)) {
458 * In this case we want to compute scalar * VariablePoint: this
459 * codepath is reached most prominently by the second half of ECDH,
460 * where the secret scalar is multiplied by the peer's public point.
461 * To protect the secret scalar, we ignore if BN_FLG_CONSTTIME is
462 * actually set and we always call the ladder version.
464 return ec_scalar_mul_ladder(group, r, scalars[0], points[0], ctx);
468 for (i = 0; i < num; i++) {
469 if (!ec_point_is_compat(points[i], group)) {
470 ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS);
476 ctx = new_ctx = BN_CTX_new();
481 if (scalar != NULL) {
482 generator = EC_GROUP_get0_generator(group);
483 if (generator == NULL) {
484 ECerr(EC_F_EC_WNAF_MUL, EC_R_UNDEFINED_GENERATOR);
488 /* look if we can use precomputed multiples of generator */
490 pre_comp = group->pre_comp.ec;
491 if (pre_comp && pre_comp->numblocks
492 && (EC_POINT_cmp(group, generator, pre_comp->points[0], ctx) ==
494 blocksize = pre_comp->blocksize;
497 * determine maximum number of blocks that wNAF splitting may
498 * yield (NB: maximum wNAF length is bit length plus one)
500 numblocks = (BN_num_bits(scalar) / blocksize) + 1;
503 * we cannot use more blocks than we have precomputation for
505 if (numblocks > pre_comp->numblocks)
506 numblocks = pre_comp->numblocks;
508 pre_points_per_block = (size_t)1 << (pre_comp->w - 1);
510 /* check that pre_comp looks sane */
511 if (pre_comp->num != (pre_comp->numblocks * pre_points_per_block)) {
512 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
516 /* can't use precomputation */
519 num_scalar = 1; /* treat 'scalar' like 'num'-th element of
524 totalnum = num + numblocks;
526 wsize = OPENSSL_malloc(totalnum * sizeof(wsize[0]));
527 wNAF_len = OPENSSL_malloc(totalnum * sizeof(wNAF_len[0]));
528 /* include space for pivot */
529 wNAF = OPENSSL_malloc((totalnum + 1) * sizeof(wNAF[0]));
530 val_sub = OPENSSL_malloc(totalnum * sizeof(val_sub[0]));
532 /* Ensure wNAF is initialised in case we end up going to err */
534 wNAF[0] = NULL; /* preliminary pivot */
536 if (wsize == NULL || wNAF_len == NULL || wNAF == NULL || val_sub == NULL) {
537 ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE);
542 * num_val will be the total number of temporarily precomputed points
546 for (i = 0; i < num + num_scalar; i++) {
549 bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(scalar);
550 wsize[i] = EC_window_bits_for_scalar_size(bits);
551 num_val += (size_t)1 << (wsize[i] - 1);
552 wNAF[i + 1] = NULL; /* make sure we always have a pivot */
554 bn_compute_wNAF((i < num ? scalars[i] : scalar), wsize[i],
558 if (wNAF_len[i] > max_len)
559 max_len = wNAF_len[i];
563 /* we go here iff scalar != NULL */
565 if (pre_comp == NULL) {
566 if (num_scalar != 1) {
567 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
570 /* we have already generated a wNAF for 'scalar' */
572 signed char *tmp_wNAF = NULL;
575 if (num_scalar != 0) {
576 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
581 * use the window size for which we have precomputation
583 wsize[num] = pre_comp->w;
584 tmp_wNAF = bn_compute_wNAF(scalar, wsize[num], &tmp_len);
588 if (tmp_len <= max_len) {
590 * One of the other wNAFs is at least as long as the wNAF
591 * belonging to the generator, so wNAF splitting will not buy
596 totalnum = num + 1; /* don't use wNAF splitting */
597 wNAF[num] = tmp_wNAF;
598 wNAF[num + 1] = NULL;
599 wNAF_len[num] = tmp_len;
601 * pre_comp->points starts with the points that we need here:
603 val_sub[num] = pre_comp->points;
606 * don't include tmp_wNAF directly into wNAF array - use wNAF
607 * splitting and include the blocks
611 EC_POINT **tmp_points;
613 if (tmp_len < numblocks * blocksize) {
615 * possibly we can do with fewer blocks than estimated
617 numblocks = (tmp_len + blocksize - 1) / blocksize;
618 if (numblocks > pre_comp->numblocks) {
619 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
620 OPENSSL_free(tmp_wNAF);
623 totalnum = num + numblocks;
626 /* split wNAF in 'numblocks' parts */
628 tmp_points = pre_comp->points;
630 for (i = num; i < totalnum; i++) {
631 if (i < totalnum - 1) {
632 wNAF_len[i] = blocksize;
633 if (tmp_len < blocksize) {
634 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
635 OPENSSL_free(tmp_wNAF);
638 tmp_len -= blocksize;
641 * last block gets whatever is left (this could be
642 * more or less than 'blocksize'!)
644 wNAF_len[i] = tmp_len;
647 wNAF[i] = OPENSSL_malloc(wNAF_len[i]);
648 if (wNAF[i] == NULL) {
649 ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE);
650 OPENSSL_free(tmp_wNAF);
653 memcpy(wNAF[i], pp, wNAF_len[i]);
654 if (wNAF_len[i] > max_len)
655 max_len = wNAF_len[i];
657 if (*tmp_points == NULL) {
658 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
659 OPENSSL_free(tmp_wNAF);
662 val_sub[i] = tmp_points;
663 tmp_points += pre_points_per_block;
666 OPENSSL_free(tmp_wNAF);
672 * All points we precompute now go into a single array 'val'.
673 * 'val_sub[i]' is a pointer to the subarray for the i-th point, or to a
674 * subarray of 'pre_comp->points' if we already have precomputation.
676 val = OPENSSL_malloc((num_val + 1) * sizeof(val[0]));
678 ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE);
681 val[num_val] = NULL; /* pivot element */
683 /* allocate points for precomputation */
685 for (i = 0; i < num + num_scalar; i++) {
687 for (j = 0; j < ((size_t)1 << (wsize[i] - 1)); j++) {
688 *v = EC_POINT_new(group);
694 if (!(v == val + num_val)) {
695 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
699 if ((tmp = EC_POINT_new(group)) == NULL)
703 * prepare precomputed values:
704 * val_sub[i][0] := points[i]
705 * val_sub[i][1] := 3 * points[i]
706 * val_sub[i][2] := 5 * points[i]
709 for (i = 0; i < num + num_scalar; i++) {
711 if (!EC_POINT_copy(val_sub[i][0], points[i]))
714 if (!EC_POINT_copy(val_sub[i][0], generator))
719 if (!EC_POINT_dbl(group, tmp, val_sub[i][0], ctx))
721 for (j = 1; j < ((size_t)1 << (wsize[i] - 1)); j++) {
723 (group, val_sub[i][j], val_sub[i][j - 1], tmp, ctx))
729 if (!EC_POINTs_make_affine(group, num_val, val, ctx))
732 r_is_at_infinity = 1;
734 for (k = max_len - 1; k >= 0; k--) {
735 if (!r_is_at_infinity) {
736 if (!EC_POINT_dbl(group, r, r, ctx))
740 for (i = 0; i < totalnum; i++) {
741 if (wNAF_len[i] > (size_t)k) {
742 int digit = wNAF[i][k];
751 if (is_neg != r_is_inverted) {
752 if (!r_is_at_infinity) {
753 if (!EC_POINT_invert(group, r, ctx))
756 r_is_inverted = !r_is_inverted;
761 if (r_is_at_infinity) {
762 if (!EC_POINT_copy(r, val_sub[i][digit >> 1]))
764 r_is_at_infinity = 0;
767 (group, r, r, val_sub[i][digit >> 1], ctx))
775 if (r_is_at_infinity) {
776 if (!EC_POINT_set_to_infinity(group, r))
780 if (!EC_POINT_invert(group, r, ctx))
787 BN_CTX_free(new_ctx);
790 OPENSSL_free(wNAF_len);
794 for (w = wNAF; *w != NULL; w++)
800 for (v = val; *v != NULL; v++)
801 EC_POINT_clear_free(*v);
805 OPENSSL_free(val_sub);
810 * ec_wNAF_precompute_mult()
811 * creates an EC_PRE_COMP object with preprecomputed multiples of the generator
812 * for use with wNAF splitting as implemented in ec_wNAF_mul().
814 * 'pre_comp->points' is an array of multiples of the generator
815 * of the following form:
816 * points[0] = generator;
817 * points[1] = 3 * generator;
819 * points[2^(w-1)-1] = (2^(w-1)-1) * generator;
820 * points[2^(w-1)] = 2^blocksize * generator;
821 * points[2^(w-1)+1] = 3 * 2^blocksize * generator;
823 * points[2^(w-1)*(numblocks-1)-1] = (2^(w-1)) * 2^(blocksize*(numblocks-2)) * generator
824 * points[2^(w-1)*(numblocks-1)] = 2^(blocksize*(numblocks-1)) * generator
826 * points[2^(w-1)*numblocks-1] = (2^(w-1)) * 2^(blocksize*(numblocks-1)) * generator
827 * points[2^(w-1)*numblocks] = NULL
829 int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
831 const EC_POINT *generator;
832 EC_POINT *tmp_point = NULL, *base = NULL, **var;
833 BN_CTX *new_ctx = NULL;
835 size_t i, bits, w, pre_points_per_block, blocksize, numblocks, num;
836 EC_POINT **points = NULL;
837 EC_PRE_COMP *pre_comp;
840 /* if there is an old EC_PRE_COMP object, throw it away */
841 EC_pre_comp_free(group);
842 if ((pre_comp = ec_pre_comp_new(group)) == NULL)
845 generator = EC_GROUP_get0_generator(group);
846 if (generator == NULL) {
847 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, EC_R_UNDEFINED_GENERATOR);
852 ctx = new_ctx = BN_CTX_new();
859 order = EC_GROUP_get0_order(group);
862 if (BN_is_zero(order)) {
863 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, EC_R_UNKNOWN_ORDER);
867 bits = BN_num_bits(order);
869 * The following parameters mean we precompute (approximately) one point
870 * per bit. TBD: The combination 8, 4 is perfect for 160 bits; for other
871 * bit lengths, other parameter combinations might provide better
876 if (EC_window_bits_for_scalar_size(bits) > w) {
877 /* let's not make the window too small ... */
878 w = EC_window_bits_for_scalar_size(bits);
881 numblocks = (bits + blocksize - 1) / blocksize; /* max. number of blocks
885 pre_points_per_block = (size_t)1 << (w - 1);
886 num = pre_points_per_block * numblocks; /* number of points to compute
889 points = OPENSSL_malloc(sizeof(*points) * (num + 1));
890 if (points == NULL) {
891 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE);
896 var[num] = NULL; /* pivot */
897 for (i = 0; i < num; i++) {
898 if ((var[i] = EC_POINT_new(group)) == NULL) {
899 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE);
904 if ((tmp_point = EC_POINT_new(group)) == NULL
905 || (base = EC_POINT_new(group)) == NULL) {
906 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE);
910 if (!EC_POINT_copy(base, generator))
913 /* do the precomputation */
914 for (i = 0; i < numblocks; i++) {
917 if (!EC_POINT_dbl(group, tmp_point, base, ctx))
920 if (!EC_POINT_copy(*var++, base))
923 for (j = 1; j < pre_points_per_block; j++, var++) {
925 * calculate odd multiples of the current base point
927 if (!EC_POINT_add(group, *var, tmp_point, *(var - 1), ctx))
931 if (i < numblocks - 1) {
933 * get the next base (multiply current one by 2^blocksize)
937 if (blocksize <= 2) {
938 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_INTERNAL_ERROR);
942 if (!EC_POINT_dbl(group, base, tmp_point, ctx))
944 for (k = 2; k < blocksize; k++) {
945 if (!EC_POINT_dbl(group, base, base, ctx))
951 if (!EC_POINTs_make_affine(group, num, points, ctx))
954 pre_comp->group = group;
955 pre_comp->blocksize = blocksize;
956 pre_comp->numblocks = numblocks;
958 pre_comp->points = points;
961 SETPRECOMP(group, ec, pre_comp);
968 BN_CTX_free(new_ctx);
969 EC_ec_pre_comp_free(pre_comp);
973 for (p = points; *p != NULL; p++)
975 OPENSSL_free(points);
977 EC_POINT_free(tmp_point);
982 int ec_wNAF_have_precompute_mult(const EC_GROUP *group)
984 return HAVEPRECOMP(group, ec);
projects / oweals / openssl.git / blob