From 32535011664d6f1634d78e2783d829db130751df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Olivier=20Ch=C3=A9ron?=
Date: Tue, 21 Nov 2017 19:25:41 +0100
Subject: [PATCH] Time-constant P256.scalarAdd and P256.scalarSub
---
Crypto/PubKey/ECC/P256.hs | 29 ++++++++---------------------
cbits/p256/p256.c | 20 ++++++++++++++++++++
2 files changed, 28 insertions(+), 21 deletions(-)
diff --git a/Crypto/PubKey/ECC/P256.hs b/Crypto/PubKey/ECC/P256.hs
index 9259f8e..0a3d704 100644
--- a/Crypto/PubKey/ECC/P256.hs
+++ b/Crypto/PubKey/ECC/P256.hs
@@ -222,34 +222,21 @@ scalarIsZero s = unsafeDoIO $ withScalar s $ \d -> do
 result <- ccryptonite_p256_is_zero d
 return $ result /= 0
-scalarNeedReducing :: Ptr P256Scalar -> IO Bool
-scalarNeedReducing d = do
- c <- ccryptonite_p256_cmp d ccryptonite_SECP256r1_n
- return (c >= 0)
-
 -- | Perform addition between two scalars
 --
 -- > a + b
 scalarAdd :: Scalar -> Scalar -> Scalar
 scalarAdd a b =
- withNewScalarFreeze $ \d -> withScalar a $ \pa -> withScalar b $ \pb -> do
- carry <- ccryptonite_p256_add pa pb d
- when (carry /= 0) $ void $ ccryptonite_p256_sub d ccryptonite_SECP256r1_n d
- needReducing <- scalarNeedReducing d
- when needReducing $ do
- ccryptonite_p256_mod ccryptonite_SECP256r1_n d d
+ withNewScalarFreeze $ \d -> withScalar a $ \pa -> withScalar b $ \pb ->
+ ccryptonite_p256e_modadd ccryptonite_SECP256r1_n pa pb d
 -- | Perform subtraction between two scalars
 --
 -- > a - b
 scalarSub :: Scalar -> Scalar -> Scalar
 scalarSub a b =
- withNewScalarFreeze $ \d -> withScalar a $ \pa -> withScalar b $ \pb -> do
- borrow <- ccryptonite_p256_sub pa pb d
- when (borrow /= 0) $ void $ ccryptonite_p256_add d ccryptonite_SECP256r1_n d
- --needReducing <- scalarNeedReducing d
- --when needReducing $ do
- -- ccryptonite_p256_mod ccryptonite_SECP256r1_n d d
+ withNewScalarFreeze $ \d -> withScalar a $ \pa -> withScalar b $ \pb ->
+ ccryptonite_p256e_modsub ccryptonite_SECP256r1_n pa pb d
 -- | Give the inverse of the scalar
 --
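Review bot: The Haddock on `scalarAdd` and `scalarSub` still says only "Perform addition/subtraction between two scalars", although the property the new bodies exist to provide — a result reduced modulo the curve order with no data-dependent branch on the carry/borrow or on the `ccryptonite_p256_cmp` result that the removed `scalarNeedReducing` path introduced — is stated nowhere callers can see it. I would add, under both headers, `-- Result is reduced modulo the curve order n and computed in constant time (see cryptonite_p256e_modadd/modsub).` The combinators `when` and `void` appear in this hunk only on removed lines, so if nothing else in the module uses them the corresponding `Control.Monad` import may now produce an unused-import warning; the import block is not visible here. Both function bodies are fully contained in the hunk.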
@@ -352,12 +339,12 @@ foreign import ccall "cryptonite_p256_is_zero"
 ccryptonite_p256_is_zero :: Ptr P256Scalar -> IO CInt
 foreign import ccall "cryptonite_p256_clear"
 ccryptonite_p256_clear :: Ptr P256Scalar -> IO ()
-foreign import ccall "cryptonite_p256_add"
- ccryptonite_p256_add :: Ptr P256Scalar -> Ptr P256Scalar -> Ptr P256Scalar -> IO CInt
+foreign import ccall "cryptonite_p256e_modadd"
+ ccryptonite_p256e_modadd :: Ptr P256Scalar -> Ptr P256Scalar -> Ptr P256Scalar -> Ptr P256Scalar -> IO ()
 foreign import ccall "cryptonite_p256_add_d"
 ccryptonite_p256_add_d :: Ptr P256Scalar -> P256Digit -> Ptr P256Scalar -> IO CInt
-foreign import ccall "cryptonite_p256_sub"
- ccryptonite_p256_sub :: Ptr P256Scalar -> Ptr P256Scalar -> Ptr P256Scalar -> IO CInt
+foreign import ccall "cryptonite_p256e_modsub"
+ ccryptonite_p256e_modsub :: Ptr P256Scalar -> Ptr P256Scalar -> Ptr P256Scalar -> Ptr P256Scalar -> IO ()
 foreign import ccall "cryptonite_p256_cmp"
 ccryptonite_p256_cmp :: Ptr P256Scalar -> Ptr P256Scalar -> IO CInt
 foreign import ccall "cryptonite_p256_mod"
diff --git a/cbits/p256/p256.c b/cbits/p256/p256.c
index 4f6a573..ec69f64 100644
--- a/cbits/p256/p256.c
+++ b/cbits/p256/p256.c
@@ -386,3 +386,23 @@ void cryptonite_p256_to_bin(const cryptonite_p256_int* src, uint8_t dst[P256_NBY
 p += 4;
 }
 }
+
+/*
+ "p256e" functions are not part of the original source
+*/
+
+// c = a + b mod MOD
+void cryptonite_p256e_modadd(const cryptonite_p256_int* MOD, const cryptonite_p256_int* a, const cryptonite_p256_int* b, cryptonite_p256_int* c) {
+ int carry = cryptonite_p256_add(a, b, c);
+ // same as cryptonite_p256_mod, but with top = carry
+ addM(MOD, 0, P256_DIGITS(c), subM(MOD, carry, P256_DIGITS(c), -1));
+}
+
+// c = a - b mod MOD
+void cryptonite_p256e_modsub(const cryptonite_p256_int* MOD, const cryptonite_p256_int* a, const cryptonite_p256_int* b, cryptonite_p256_int* c) {
+ int borrow = cryptonite_p256_sub(a, b, c);
+ // use borrow as mask in order to make difference positive when necessary
+ addM(MOD, 0, P256_DIGITS(c), borrow);
+}
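Review bot: Both new helpers rely on preconditions that the one-line comments `// c = a + b mod MOD` and `// c = a - b mod MOD` do not state: `cryptonite_p256e_modadd` performs a single masked subtraction of `MOD` via `subM`/`addM`, so the result is fully reduced only when `a` and `b` are themselves below `MOD`, and `cryptonite_p256e_modsub` feeds the return value of `cryptonite_p256_sub` straight into `addM` as the mask, which is only correct if that function reports a borrow as an all-ones value (-1) rather than 1 — its return convention is not visible in this hunk. I would pin both in the header comment of each function, e.g. `// requires a, b < MOD; relies on cryptonite_p256_sub returning 0 or -1 (all-ones mask) on borrow`. Since the Haskell side now routes every scalar addition and subtraction through these two functions, the comment should also say that they are intended to be constant time (masking through addM/subM only, no branch on carry or borrow), so that a later "simplification" into an `if` does not silently reintroduce a timing side channel. Both function definitions are complete within the hunk.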