Add additional constants to make_curve25519_tables.py.

These are also constants that depend on the field representation. Change-Id: I22333c099352ad64eb27fe15ffdc38c6ae7c07ff Reviewed-on: https://boringssl-review.googlesource.com/24746 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
vor 6 Jahren · 0c1eafc6fe
--- a/third_party/fiat/curve25519.c
+++ b/third_party/fiat/curve25519.c
@@ -911,11 +911,7 @@ static void ge_p3_tobytes(uint8_t s[32], const ge_p3 *h) {
  s[31] ^= fe_isnegative(&x) << 7;
 }

 static const fe d = {{56195235, 13857412, 51736253, 6949390,   114729,
                     24766616,  60832955, 30306712,  48412415, 21499315}};

 static const fe sqrtm1 = {{34513072, 25610706,  9377949,  3500415, 12389472,
                          33281959,   41962654, 31548777, 326685,  11406482}};
 #include "./curve25519_tables.h"

 int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t *s) {
  fe u;
@@ -996,9 +992,6 @@ static void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p) {
  fe_copy(&r->Z, &p->Z);
 }

 static const fe d2 = {{45281625, 27714825,  36363642, 13898781, 229458,
                      15978800,  54557047, 27058993,  29715967, 9444199}};

 // r = p
 void x25519_ge_p3_to_cached(ge_cached *r, const ge_p3 *p) {
  fe_add(&r->YplusX, &p->Y, &p->X);
@@ -1193,8 +1186,6 @@ void x25519_ge_scalarmult_small_precomp(
  }
 }

 #include "./curve25519_tables.h"

 #if defined(OPENSSL_SMALL)

 void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]) {
--- a/third_party/fiat/curve25519_tables.h
+++ b/third_party/fiat/curve25519_tables.h
@@ -24,6 +24,15 @@
 //    ./make_curve25519_tables.py > curve25519_tables.h


 static const fe d = {{56195235, 13857412, 51736253, 6949390, 114729, 24766616,
                      60832955, 30306712, 48412415, 21499315}};

 static const fe sqrtm1 = {{34513072, 25610706, 9377949, 3500415, 12389472,
                           33281959, 41962654, 31548777, 326685, 11406482}};

 static const fe d2 = {{45281625, 27714825, 36363642, 13898781, 229458, 15978800,
                       54557047, 27058993, 29715967, 9444199}};

 #if defined(OPENSSL_SMALL)

 // This block of code replaces the standard base-point table with a much smaller
--- a/third_party/fiat/make_curve25519_tables.py
+++ b/third_party/fiat/make_curve25519_tables.py
@@ -31,6 +31,9 @@ p = 2**255 - 19
 def modp_inv(x):
    return pow(x, p-2, p)

 # Square root of -1
 modp_sqrt_m1 = pow(2, (p-1) // 4, p)

 # Compute corresponding x-coordinate, with low bit corresponding to
 # sign, or return None on failure
 def recover_x(y, sign):
@@ -107,6 +110,8 @@ def to_base_25_5(x):
    return ret

 def main():
    d2 = (2 * d) % p

    small_precomp = bytearray()
    for i in range(1, 16):
        s = (i&1) | ((i&2) << (64-1)) | ((i&4) << (128-2)) | ((i&8) << (192-3))
@@ -154,6 +159,21 @@ def main():
 //    ./make_curve25519_tables.py > curve25519_tables.h


 static const fe d = {{
 """)
    buf.write(", ".join(map(str, to_base_25_5(d))))
    buf.write("""}};

 static const fe sqrtm1 = {{
 """)
    buf.write(", ".join(map(str, to_base_25_5(modp_sqrt_m1))))
    buf.write("""}};

 static const fe d2 = {{
 """)
    buf.write(", ".join(map(str, to_base_25_5(d2))))
    buf.write("""}};

 #if defined(OPENSSL_SMALL)

 // This block of code replaces the standard base-point table with a much smaller