git.openssl.org Git - openssl.git/commit

author	Billy Brumley <bbrumley@gmail.com>
	Thu, 19 Jul 2018 08:16:07 +0000 (11:16 +0300)
committer	Andy Polyakov <appro@openssl.org>
	Thu, 26 Jul 2018 17:41:16 +0000 (19:41 +0200)
commit	9d91530d2d7da1447b7be8631b269599023430e7
tree	cf21727c4f3a8e8bac4f53388dd3eeb555e9d2f4	tree \| snapshot
parent	793f19e47c69558e39c702da75c27e0509baf379	commit \| diff

EC GFp ladder

This commit leverages the Montgomery ladder scaffold introduced in #6690
(alongside a specialized Lopez-Dahab ladder for binary curves) to
provide a specialized differential addition-and-double implementation to
speedup prime curves, while keeping all the features of
`ec_scalar_mul_ladder` against SCA attacks.

The arithmetic in ladder_pre, ladder_step and ladder_post is auto
generated with tooling, from the following formulae:

- `ladder_pre`: Formula 3 for doubling from Izu-Takagi "A fast parallel
  elliptic curve multiplication resistant against side channel attacks",
  as described at
  https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2
- `ladder_step`: differential addition-and-doubling Eq. (8) and (10)
  from Izu-Takagi "A fast parallel elliptic curve multiplication
  resistant against side channel attacks", as described at
  https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-3
- `ladder_post`: y-coordinate recovery using Eq. (8) from Brier-Joye
  "Weierstrass Elliptic Curves and Side-Channel Attacks", modified to
  work in projective coordinates.

Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6772)

CHANGES		diff \| blob \| history
crypto/ec/ec_lcl.h		diff \| blob \| history
crypto/ec/ecp_mont.c		diff \| blob \| history
crypto/ec/ecp_nist.c		diff \| blob \| history
crypto/ec/ecp_smpl.c		diff \| blob \| history