P-256 ECDSA verification: Use optimized nistz256 verification.

Import the optimized nistz256 verification from BoringSSL.
briansmith · Oct 17, 2023 · a44ea32 · a44ea32
1 parent 4ca32f7
commit a44ea32
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 18 deletions.
diff --git a/build.rs b/build.rs
@@ -958,6 +958,7 @@ fn prefix_all_symbols(pp: char, prefix_prefix: &str, prefix: &str) -> String {
  "p256_point_double",
  "p256_point_mul",
  "p256_point_mul_base",
+ "p256_points_mul_public",
  "p256_scalar_mul_mont",
  "p256_scalar_sqr_rep_mont",
  "p256_sqr_mont",

diff --git a/crypto/fipsmodule/ec/p256-nistz.c b/crypto/fipsmodule/ec/p256-nistz.c
@@ -284,18 +284,14 @@ void p256_point_mul_base(P256_POINT *r, const Limb scalar[P256_LIMBS]) {
  limbs_copy(r->Z, p.Z, P256_LIMBS);
 }
 
-#if 0
-
-static void ecp_nistz256_points_mul_public(const EC_GROUP *group,
- EC_JACOBIAN *r,
- const EC_SCALAR *g_scalar,
- const EC_JACOBIAN *p_,
- const EC_SCALAR *p_scalar) {
- assert(p_ != NULL && p_scalar != NULL && g_scalar != NULL);
-
+void p256_points_mul_public(P256_POINT *r,
+ const Limb g_scalar[P256_LIMBS],
+ const Limb p_scalar[P256_LIMBS],
+ const Limb p_x[P256_LIMBS],
+ const Limb p_y[P256_LIMBS]) {
  alignas(32) P256_POINT p;
  uint8_t p_str[33];
- OPENSSL_memcpy(p_str, g_scalar->words, 32);
+ OPENSSL_memcpy(p_str, g_scalar, 32);
  p_str[32] = 0;
 
  // First window
@@ -341,15 +337,12 @@ static void ecp_nistz256_points_mul_public(const EC_GROUP *group,
  }
 
  alignas(32) P256_POINT tmp;
- ecp_nistz256_windowed_mul(group, &tmp, p_, p_scalar);
+ ecp_nistz256_windowed_mul(&tmp, p_scalar, p_x, p_y);
  ecp_nistz256_point_add(&p, &p, &tmp);
 
- assert(group->field.N.width == P256_LIMBS);
- OPENSSL_memcpy(r->X.words, p.X, P256_LIMBS * sizeof(BN_ULONG));
- OPENSSL_memcpy(r->Y.words, p.Y, P256_LIMBS * sizeof(BN_ULONG));
- OPENSSL_memcpy(r->Z.words, p.Z, P256_LIMBS * sizeof(BN_ULONG));
+ OPENSSL_memcpy(r->X, p.X, P256_LIMBS * sizeof(BN_ULONG));
+ OPENSSL_memcpy(r->Y, p.Y, P256_LIMBS * sizeof(BN_ULONG));
+ OPENSSL_memcpy(r->Z, p.Z, P256_LIMBS * sizeof(BN_ULONG));
 }
 
-#endif
-
 #endif /* defined(OPENSSL_USE_NISTZ256) */
diff --git a/src/ec/suite_b/ops/p256.rs b/src/ec/suite_b/ops/p256.rs
@@ -114,13 +114,36 @@ pub static SCALAR_OPS: ScalarOps = ScalarOps {
 pub static PUBLIC_SCALAR_OPS: PublicScalarOps = PublicScalarOps {
  scalar_ops: &SCALAR_OPS,
  public_key_ops: &PUBLIC_KEY_OPS,
+
+ #[cfg(any(target_arch = "aarch64", target_arch = "x86_64"))]
+ twin_mul: twin_mul_nistz256,
+
+ #[cfg(not(any(target_arch = "aarch64", target_arch = "x86_64")))]
  twin_mul: |g_scalar, p_scalar, p_xy| {
  super::twin_mul_inefficient(&PRIVATE_KEY_OPS, g_scalar, p_scalar, p_xy)
  },
 
  q_minus_n: Elem::from_hex("4319055358e8617b0c46353d039cdaae"),
 };
 
+#[cfg(any(target_arch = "aarch64", target_arch = "x86_64"))]
+fn twin_mul_nistz256(g_scalar: &Scalar, p_scalar: &Scalar, (p_x, p_y): &(Elem<R>, Elem<R>)) -> Point {
+ prefixed_extern! {
+ fn p256_points_mul_public(r: *mut Limb, // [3][COMMON_OPS.num_limbs]
+ g_scalar: *const Limb, // [COMMON_OPS.num_limbs]
+ p_scalar: *const Limb, // [COMMON_OPS.num_limbs]
+ p_x: *const Limb, // [COMMON_OPS.num_limbs]
+ p_y: *const Limb, // [COMMON_OPS.num_limbs]
+ );
+ }
+ let mut r = Point::new_at_infinity();
+ unsafe {
+ p256_points_mul_public(r.xyz.as_mut_ptr(), g_scalar.limbs.as_ptr(),
+ p_scalar.limbs.as_ptr(), p_x.limbs.as_ptr(), p_y.limbs.as_ptr());
+ }
+ r
+}
+
 pub static PRIVATE_SCALAR_OPS: PrivateScalarOps = PrivateScalarOps {
  scalar_ops: &SCALAR_OPS,
 
@@ -273,7 +296,6 @@ prefixed_extern! {
  p_x: *const Limb, // [COMMON_OPS.num_limbs]
  p_y: *const Limb, // [COMMON_OPS.num_limbs]
  );
-
  fn p256_scalar_mul_mont(
  r: *mut Limb, // [COMMON_OPS.num_limbs]
  a: *const Limb, // [COMMON_OPS.num_limbs]