From a63893791280d441c713293491da97c79c0950fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Niels=20M=C3=B6ller?= Date: Thu, 11 Mar 2021 19:37:41 +0100 Subject: [PATCH] New functions ecc_mod_mul_canonical and ecc_mod_sqr_canonical. * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): New functions. * ecc-internal.h: Declare and document new functions. * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical. * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical. * ecc-eh-to-a.c (ecc_eh_to_a): Likewise. * ecc-j-to-a.c (ecc_j_to_a): Likewise. * ecc-mul-m.c (ecc_mul_m): Likewise. (cherry picked from commit 2bf497ba4d6acc6f352bca015837fad33008565c) --- ChangeLog | 11 +++++++++++ curve25519-eh-to-x.c | 6 +----- curve448-eh-to-x.c | 5 +---- ecc-eh-to-a.c | 12 ++---------- ecc-internal.h | 15 +++++++++++++++ ecc-j-to-a.c | 15 +++------------ ecc-mod-arith.c | 24 ++++++++++++++++++++++++ ecc-mul-m.c | 6 ++---- 8 files changed, 59 insertions(+), 35 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index fd138d82..5cc5c188 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,14 @@ #+2021-03-11 Niels Möller #+ #+ * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): #+ New functions. #+ * ecc-internal.h: Declare and document new functions. #+ * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical. #+ * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical. #+ * ecc-eh-to-a.c (ecc_eh_to_a): Likewise. #+ * ecc-j-to-a.c (ecc_j_to_a): Likewise. #+ * ecc-mul-m.c (ecc_mul_m): Likewise. #+ # 2021-02-17 Niels Möller # # * Released Nettle-3.7.1. --- a/curve25519-eh-to-x.c +++ b/curve25519-eh-to-x.c @@ -53,7 +53,6 @@ curve25519_eh_to_x (mp_limb_t *xp, const #define t2 (scratch + 2*ecc->p.size) const struct ecc_curve *ecc = &_nettle_curve25519; - mp_limb_t cy; /* If u = U/W and v = V/W are the coordiantes of the point on the Edwards curve we get the curve25519 x coordinate as 
@@ -69,10 +68,7 @@ curve25519_eh_to_x (mp_limb_t *xp, const ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size); ecc_mod_add (&ecc->p, t0, wp, vp); - ecc_mod_mul (&ecc->p, t2, t0, t1); - - cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size); - cnd_copy (cy, xp, t2, ecc->p.size); + ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, t2); #undef vp #undef wp #undef t0 --- a/curve448-eh-to-x.c +++ b/curve448-eh-to-x.c @@ -52,7 +52,6 @@ curve448_eh_to_x (mp_limb_t *xp, const m #define t2 (scratch + 2*ecc->p.size) const struct ecc_curve *ecc = &_nettle_curve448; - mp_limb_t cy; /* If u = U/W and v = V/W are the coordinates of the point on edwards448 we get the curve448 x coordinate as @@ -62,10 +61,8 @@ curve448_eh_to_x (mp_limb_t *xp, const m /* Needs a total of 9*size storage. */ ecc->p.invert (&ecc->p, t0, p, t1 + ecc->p.size); ecc_mod_mul (&ecc->p, t1, t0, vp); - ecc_mod_mul (&ecc->p, t2, t1, t1); + ecc_mod_mul_canonical (&ecc->p, xp, t1, t1, t2); - cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size); - cnd_copy (cy, xp, t2, ecc->p.size); #undef vp #undef t0 #undef t1 --- a/ecc-eh-to-a.c +++ b/ecc-eh-to-a.c @@ -54,18 +54,11 @@ ecc_eh_to_a (const struct ecc_curve *ecc #define yp (p + ecc->p.size) #define zp (p + 2*ecc->p.size) - mp_limb_t cy; - assert(op == 0); /* Needs 2*size + scratch for the invert call. */ ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size); - ecc_mod_mul (&ecc->p, tp, xp, izp); - cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, r, tp, ecc->p.size); - - ecc_mod_mul (&ecc->p, tp, yp, izp); - cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); + ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp); + ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp); } --- a/ecc-internal.h +++ b/ecc-internal.h 
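Review bot: The new line `ecc_mod_mul_canonical (&ecc->p, xp, t1, t1, t2);` in curve448_eh_to_x squares t1 through the multiply variant, while the commit message and ChangeLog say this function now uses ecc_mod_sqr_canonical, and nothing in the patch calls ecc_mod_sqr_canonical at all. Either the call should be `ecc_mod_sqr_canonical (&ecc->p, xp, t1, t2);` (mpn_sqr on one operand instead of mpn_mul_n on two identical ones, matching the squaring the removed `ecc_mod_mul (&ecc->p, t2, t1, t1)` performed) or the ChangeLog entry should be corrected; as written the new squaring helper is dead code. The `Needs a total of 9*size storage` comment still appears to hold, since the product now lands at t2 + size, i.e. scratch + 3*size through scratch + 5*size, but the call site should say that the scratch argument must provide 3*size limbs.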
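Review bot: The two new ecc_eh_to_a calls pass `tp` as the scratch argument, and ecc_mod_mul_canonical writes its 2*size-limb product at tp + m->size, so tp now has to cover 3*size limbs, presumably one size more than the replaced `ecc_mod_mul (&ecc->p, tp, ...)` calls needed; the surviving comment `/* Needs 2*size + scratch for the invert call. */` no longer describes the whole requirement. I would check ECC_EH_TO_A_ITCH (not visible here) against this and extend the comment, e.g. `/* Needs 2*size + scratch for the invert call; the canonical multiplies below use 3*size limbs from tp. */`. The definitions of izp and tp are outside this hunk, so the layout is inferred from the calls.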
@@ -49,6 +49,8 @@ #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1 #define ecc_mod_mul _nettle_ecc_mod_mul #define ecc_mod_sqr _nettle_ecc_mod_sqr +#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical +#define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical #define ecc_mod_random _nettle_ecc_mod_random #define ecc_mod _nettle_ecc_mod #define ecc_mod_inv _nettle_ecc_mod_inv @@ -256,6 +258,19 @@ void ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap); +/* These mul and sqr functions produce a canonical result, 0 <= R < M. + Requirements on input and output areas are similar to the above + functions, except that it is *not* allowed to pass rp = rp + + m->size. + */ +void +ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp); + +void +ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t *tp); + /* mod q operations. */ void ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp, --- a/ecc-j-to-a.c +++ b/ecc-j-to-a.c @@ -51,8 +51,6 @@ ecc_j_to_a (const struct ecc_curve *ecc, #define izBp (scratch + 3*ecc->p.size) #define tp scratch - mp_limb_t cy; - if (ecc->use_redc) { /* Set v = (r_z / B^2)^-1, @@ -86,17 +84,13 @@ ecc_j_to_a (const struct ecc_curve *ecc, ecc_mod_sqr (&ecc->p, iz2p, izp); } - ecc_mod_mul (&ecc->p, iz3p, iz2p, p); - /* ecc_mod (and ecc_mod_mul) may return a value up to 2p - 1, so - do a conditional subtraction. */ - cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size); - cnd_copy (cy, r, iz3p, ecc->p.size); - + ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p); if (op) { /* Skip y coordinate */ if (op > 1) { + mp_limb_t cy; /* Also reduce the x coordinate mod ecc->q. It should already be < 2*ecc->q, so one subtraction should suffice. */ 
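Review bot: The restriction in the new header comment, `it is *not* allowed to pass rp = rp + m->size`, is a typo that makes the constraint meaningless; judging from the implementation in ecc-mod-arith.c, the region rp must not alias is the reduced product at tp + m->size, because the final `cnd_copy (cy, rp, tp + m->size, m->size)` would then copy a buffer that mpn_sub_n has already overwritten and return the subtracted value even when the borrow says the original should be kept. It should read `rp = tp + m->size`. The comment also never states how much scratch tp must provide; the product occupies 2*size limbs starting at tp + size, so say so explicitly, e.g. `tp must provide 3*m->size limbs; the low m->size limbs are not written by the multiply, so ap or bp may equal tp.` The last clause is what the ecc_j_to_a call in this patch relies on, but whether m->reduce writes below its argument is not visible here, so confirm before promising it.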
@@ -106,10 +100,7 @@ ecc_j_to_a (const struct ecc_curve *ecc, return; } ecc_mod_mul (&ecc->p, iz3p, iz2p, izp); - ecc_mod_mul (&ecc->p, tp, iz3p, p + ecc->p.size); - /* And a similar subtraction. */ - cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); + ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, iz3p); #undef izp #undef up --- a/ecc-mod-arith.c +++ b/ecc-mod-arith.c @@ -119,6 +119,30 @@ ecc_mod_mul (const struct ecc_modulo *m, } void +ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp) +{ + mp_limb_t cy; + mpn_mul_n (tp + m->size, ap, bp, m->size); + m->reduce (m, tp + m->size); + + cy = mpn_sub_n (rp, tp + m->size, m->m, m->size); + cnd_copy (cy, rp, tp + m->size, m->size); +} + +void +ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t *tp) +{ + mp_limb_t cy; + mpn_sqr (tp + m->size, ap, m->size); + m->reduce (m, tp + m->size); + + cy = mpn_sub_n (rp, tp + m->size, m->m, m->size); + cnd_copy (cy, rp, tp + m->size, m->size); +} + +void ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap) {
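Review bot: The added call `ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, iz3p);` passes iz3p both as the multiplicand ap and as the scratch tp. That is only safe because the helper places the product at tp + m->size and leaves the low size limbs of tp untouched, which the header comment does not promise; a one-line comment here would keep a later change to the helper from silently breaking this, e.g. `/* iz3p is both input and scratch: the product goes to iz3p + size, so the input limbs survive. */`. The other half of the assumption, that reduce does not write below its argument, is not visible in this patch and deserves a check. ecc_j_to_a continues outside this hunk.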
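Review bot: The conditional subtraction at the end of both new functions only produces a canonical result if `m->reduce` leaves a value below 2*M, and the patch deletes the one place that recorded that fact (the `ecc_mod (and ecc_mod_mul) may return a value up to 2p - 1` comment in ecc_j_to_a) without carrying it over. Put the invariant on the helper itself, e.g. `/* reduce leaves 0 <= T < 2M, so one branch-free conditional subtraction canonicalizes. */` above the mpn_sub_n. The mpn_sub_n plus cnd_copy tail is duplicated verbatim between ecc_mod_mul_canonical and ecc_mod_sqr_canonical; a small `static` helper taking (m, rp, tp + m->size) would keep the two in step, though that is a style point. The functions also require 3*m->size limbs at tp, which neither the code nor the declaration states.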