EC P-256: Have non-nistz256 ECDSA verification use WNAF-based multipl…

…ication.
briansmith · Oct 23, 2023 · faf67e2 · faf67e2
1 parent e0763a1
commit faf67e2
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 15 deletions.
diff --git a/src/ec/suite_b/ops.rs b/src/ec/suite_b/ops.rs
@@ -358,20 +358,6 @@ pub struct PrivateScalarOps {
     pub oneRR_mod_n: Scalar<RR>, // 1 * R**2 (mod n). TOOD: Use One<RR>.
 }
 
-// XXX: Inefficient and unnecessarily depends on `PrivateKeyOps`. TODO: implement interleaved wNAF
-// multiplication.
-#[cfg(not(any(target_arch = "aarch64", target_arch = "x86_64")))]
-fn twin_mul_inefficient(
-    ops: &PrivateKeyOps,
-    g_scalar: &Scalar,
-    p_scalar: &Scalar,
-    p_xy: &(Elem<R>, Elem<R>),
-) -> Point {
-    let scaled_g = ops.point_mul_base(g_scalar);
-    let scaled_p = ops.point_mul(p_scalar, p_xy);
-    ops.common.point_sum(&scaled_g, &scaled_p)
-}
-
 // This assumes n < q < 2*n.
 pub fn elem_reduced_to_scalar(ops: &CommonOps, elem: &Elem<Unencoded>) -> Scalar<Unencoded> {
     let num_limbs = ops.num_limbs;
@@ -948,6 +934,17 @@ mod tests {
         );
     }
 
+    #[test]
+    fn p256_point_mul_p_test() {
+        point_mul_tests(
+            &p256::PRIVATE_KEY_OPS,
+            test_file!("ops/p256_point_mul_tests.txt"),
+            |p_scalar, p| {
+                let g_scalar = Scalar::zero();
+                points_mul_vartime(&p256::COMMON_OPS, &g_scalar, &p256::GENERATOR, p_scalar, p)
+            },
+        );
+    }
     #[test]
     fn p384_point_mul_test() {
         point_mul_tests(

diff --git a/src/ec/suite_b/ops/p256.rs b/src/ec/suite_b/ops/p256.rs
@@ -34,6 +34,12 @@ pub static COMMON_OPS: CommonOps = CommonOps {
     point_add_jacobian_impl: p256_point_add,
 };
 
+#[cfg(any(test, not(any(target_arch = "aarch64", target_arch = "x86_64"))))]
+pub(super) static GENERATOR: (Elem<R>, Elem<R>) = (
+    Elem::from_hex("18905f76a53755c679fb732b7762251075ba95fc5fedb60179e730d418a9143c"),
+    Elem::from_hex("8571ff1825885d85d2e88688dd21f3258b4ab8e4ba19e45cddf25357ce95560a"),
+);
+
 pub static PRIVATE_KEY_OPS: PrivateKeyOps = PrivateKeyOps {
     common: &COMMON_OPS,
     elem_inv_squared: p256_elem_inv_squared,
@@ -120,7 +126,8 @@ pub static PUBLIC_SCALAR_OPS: PublicScalarOps = PublicScalarOps {
 
     #[cfg(not(any(target_arch = "aarch64", target_arch = "x86_64")))]
     twin_mul: |g_scalar, p_scalar, p_xy| {
-        twin_mul_inefficient(&PRIVATE_KEY_OPS, g_scalar, p_scalar, p_xy)
+        // TODO: Make use of precomputed multiples of `g` that already exist.
+        vartime::points_mul_vartime(&COMMON_OPS, g_scalar, &GENERATOR, p_scalar, p_xy)
     },
 
     q_minus_n: Elem::from_hex("4319055358e8617b0c46353d039cdaae"),