From: Loup Vaillant Date: Fri, 3 Aug 2018 16:47:15 +0000 (+0200) Subject: Full pre-computed table for EdDSA signatures X-Git-Url: https://git.codecow.com/?a=commitdiff_plain;h=21c7b7ad3d4ba4af6ab83a4c8d1cc1eb8ed0a669;p=Monocypher.git Full pre-computed table for EdDSA signatures The main gain for now comes from reducing the amount of constant time lookup. We could reduce the table's size even further, *or* save a few multiplications. I'm currently a little suspicious of the way I generated the table. If it passes the tests, it shouldn't have any error, but it still requires some checking.
---
diff --git a/src/monocypher.c b/src/monocypher.c
index 504513c..0f552ce 100644
--- a/src/monocypher.c
+++ b/src/monocypher.c
@@ -1541,7 +1541,12 @@ static void ge_precompute(ge_cached lut[8], const ge *P1)
 }
 }
-static const fe base_comb [8] = {
+static const fe base_comb [32] = {
+ {0x0000000, 0x0000000, 0x0000000, 0x0000000, 0x0000000,
+ 0x0000000, 0x0000000, 0x0000000, 0x0000000, 0x0000000},
+ {0x0000001, 0x0000000, 0x0000000, 0x0000000, 0x0000000,
+ 0x0000000, 0x0000000, 0x0000000, 0x0000000, 0x0000000},
+
 {0x325d51a, 0x18b5823, 0x0f6592a, 0x104a92d, 0x1a4b31d, 0x1d6dc5c, 0x27118fe, 0x07fd814, 0x13cd6e5, 0x085a4db},
 {0x2666658, 0x1999999, 0x0cccccc, 0x1333333, 0x1999999,
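Review bot: The table's index layout is now a silent invariant that several places depend on: pair 0 is (0, 1), standing in for the removed `ge_zero(comb + 0)`, pair 1 is the base point B, and pair i is what ge_scalarmult_base reads as `base_comb[i*2]`, `base_comb[i*2+1]`; nothing at the declaration says so, and ge_double_scalarmult_vartime (hunk @@ -1568) now hard-codes `base_comb[2], base_comb[3]` for B. A comment above `static const fe base_comb [32] = {` would pin it, e.g. `// base_comb[2*i], base_comb[2*i+1]: affine x and y of comb point i. i == 0 is the neutral element (0, 1), i == 1 is the base point B.` If the generator really reproduces what the removed ge_add construction computed, the comment can also say that point i combines the four generator points selected by the bits of i, but that clause should be checked against the generator before it is written down. In hunk @@ -1568 a short trailing `// pair 1 of base_comb is the base point B` on the changed ge_from_xy line would make the 2/3 indices readable without this note.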
@@ -1552,15 +1557,70 @@ static const fe base_comb [8] = {
 {0x2e45313, 0x1be95e0, 0x160d1e3, 0x045d481, 0x15042d8, 0x01b7c4f, 0x1ed7693, 0x004bbad, 0x02ea4ed, 0x00c96ed},
+ {0x1ccfba2, 0x00199d8, 0x318834e, 0x197f9d3, 0x0b37588,
+ 0x11950ab, 0x2cdf91d, 0x1ffb70f, 0x279c294, 0x03aea46},
+ {0x2515e46, 0x16fc77f, 0x2b37cbc, 0x1c3386c, 0x16ad747,
+ 0x12c93a1, 0x3876f61, 0x1e5b0b2, 0x3eabea7, 0x060c11c},
+
 {0x0b7e824, 0x011eb98, 0x07cbf90, 0x04e1739, 0x2639a17, 0x14e29a0, 0x29cc270, 0x06592a5, 0x3f3c45f, 0x1309ebf},
 {0x3f5a66b, 0x0af4452, 0x093cb77, 0x0f28d26, 0x24342f8, 0x0c29c3a, 0x08f5b13, 0x10fb2be, 0x26526dc, 0x17cb267},
+ {0x00c969a, 0x0bf4a5a, 0x39cdf7c, 0x0418f65, 0x2c39bb0,
+ 0x0c36053, 0x1e0df46, 0x091f156, 0x152b88e, 0x1b99395},
+ {0x3afd09b, 0x14a991e, 0x24204a6, 0x0c4f62a, 0x0d8e445,
+ 0x1b85145, 0x2fe499c, 0x117cd53, 0x0fa4cb5, 0x0e0f144},
+
+ {0x3abca05, 0x0c398d0, 0x0c8317e, 0x09cdfc5, 0x14e01c1,
+ 0x18f5e86, 0x006e1f1, 0x0897903, 0x1dd81f3, 0x1b7caf0},
+ {0x3be3a34, 0x0fdb677, 0x034313e, 0x0ecfca7, 0x3a57531,
+ 0x19249a1, 0x0a98777, 0x0eb1130, 0x3137a68, 0x1818b77},
+
+ {0xff9d5a63, 0xff71a307, 0xfe1d4a50, 0xff0b504c, 0x1cfcccc,
+ 0xff071f21, 0x0cdbe3e, 0x0781b09, 0xfef7225f, 0x0c7b676},
+ {0x0363667, 0x0649015, 0x1023cce, 0x09d6889, 0x1ee14ca,
+ 0xff3bb73e, 0xff8e09a5, 0x065d601, 0xffdfdaa9, 0x0f51ca4},
+
 {0x3dad28d, 0x0b59131, 0x3a4db6f, 0x10dc0eb, 0x1ea777b, 0x07e177d, 0x2821b8e, 0x1cf85b1, 0x1e38185, 0x06f1ebc},
 {0x0314833, 0x0bd9640, 0x0e1f95e, 0x09318d9, 0x07409f8, 0x15dc049, 0x377c3bc, 0x1e5ef4b, 0x1855661, 0x1876427},
+
+ {0x3b06838, 0x13f28c1, 0x3e210b9, 0x12b2a63, 0x3ebeacd,
+ 0x16f53a5, 0x3263a6d, 0x04068ca, 0x297ad5e, 0x00b1870},
+ {0x0f259bc, 0x018dd41, 0x005f098, 0x1b338e3, 0x2198ff5,
+ 0x0bffaf3, 0x016e96e, 0x077b232, 0x26e5a93, 0x10b6831},
+
+ {0xfef4ca3a, 0x0bb309a, 0x0cae292, 0x06e8318, 0xffac1855,
+ 0xff4f586a, 0xffc5e2bc, 0xffb1de19, 0xff3a064f, 0xffc598f3},
+ {0xfeda2dd9, 0x03f8343, 0xff0c84ee, 0xffb7d140, 0xfe94c180,
+ 0x0da6c0e, 0x02f3179, 0x0da68ef, 0xffd1c006, 0xff747d5c},
+
+ {0x0f46f3f, 0x1bf7613, 0x39924e1, 0x005e15a, 0x08f9e93,
+ 0x19f0229, 0x3f4eb18, 0x01e92da, 0x0e0b5ee, 0x0f3b84c},
+ {0x1f2ed09, 0x0e45d8f, 0x1d2f498, 0x0843ea5, 0x063d977,
+ 0x11d1f47, 0x1e7f933, 0x0f2340c, 0x0593f82, 0x0fc8dd5},
+
+ {0x3adf1d1, 0x0d93748, 0x20832d2, 0x1afbbfb, 0x28a26a7,
+ 0x18db034, 0x28cd70d, 0x06b0922, 0x15876d2, 0x1da053c},
+ {0x2b523fb, 0x12b33fa, 0x049d1aa, 0x07f597a, 0x1a36d8c,
+ 0x1cfa837, 0x27ad5c5, 0x152cdd4, 0x3ed6b22, 0x036f67a},
+
+ {0xffa942c7, 0x0a0c074, 0xfec8e2f1, 0x01e3624, 0x02e5412,
+ 0x0c911fc, 0xff065c31, 0xff3b308f, 0xffcfa37c, 0xffb709f4},
+ {0x0b33e6b, 0xffe32ec1, 0xfe378912, 0xffce613d, 0x0648ae0,
+ 0xff092e83, 0xfe6cb95b, 0x029a38b, 0xff10beaa, 0xffc8231c},
+
+ {0x27a8746, 0x095a01b, 0x3b81141, 0x0b3588e, 0x37d1f77,
+ 0x0d8d910, 0x3d83e75, 0x1c00071, 0x048fc12, 0x0c34ea1},
+ {0x1a28906, 0x12b4d3e, 0x1b0a07b, 0x0153a8f, 0x1779e72,
+ 0x00c9352, 0x0adcd19, 0x119555c, 0x3a6d02b, 0x0eac750},
+
+ {0x1be5ff0, 0x0c4036d, 0x186470d, 0x1ec03b5, 0x1c6532a,
+ 0x1c9f27a, 0x3ef151a, 0x1092853, 0x3cab011, 0x191f3be},
+ {0x23d583f, 0x0f6d664, 0x1cb1b62, 0x1bf0053, 0x0212a46,
+ 0x02ed620, 0x1e4a29e, 0x0ef22f1, 0x1990c7e, 0x09460ea},
 };
 // Variable time! P, sP, and sB must not be secret!
@@ -1568,7 +1628,7 @@ static void ge_double_scalarmult_vartime(ge *sum, const ge *P,
 u8 p[32], u8 b[32])
 {
 ge B;
- ge_from_xy(&B, base_comb[0], base_comb[1]);
+ ge_from_xy(&B, base_comb[2], base_comb[3]);
 // cached points for addition
 ge_cached cP[8];
 ge_precompute(cP, P);
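Review bot: Several of the new entries carry limbs such as `0xff9d5a63`, `0xfef7225f` and `0xfe94c180` that lie far outside the 26/25-bit range every other limb in the table stays in; they read like negative limbs printed as 32-bit two's complement. If `fe` is an array of signed 32-bit limbs, as the rest of the table suggests, each of those literals has type `unsigned int`, its conversion to the signed limb is implementation-defined (modular wrap on the usual targets, but not guaranteed), and the unreduced values then go through ge_from_xy and ge_cache with inputs outside whatever bounds the field arithmetic assumes, so a passing test run on one compiler says little about another. The commit message itself calls the generation suspicious; the generator should emit fully reduced, non-negative limbs, and a test that rebuilds each entry with the removed ge_add construction (`comb+i = comb+i-2 + ccomb+2` and so on) and compares it limb by limb with the table would turn "if it passes the tests" into a checked property. The hunk ends at `};`, so the whole initializer is visible here.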
@@ -1588,16 +1648,12 @@ static void ge_scalarmult_base(ge *p, const u8 scalar[32])
 {
 // Expand the comb into a proper look up table
- ge comb [16];
 ge_cached ccomb[16];
- ge_zero (comb + 0); ge_cache(ccomb+0, comb+0);
- ge_from_xy(comb + 1, base_comb[0], base_comb[1]); ge_cache(ccomb+1, comb+1);
- ge_from_xy(comb + 2, base_comb[2], base_comb[3]); ge_cache(ccomb+2, comb+2);
- ge_from_xy(comb + 4, base_comb[4], base_comb[5]); ge_cache(ccomb+4, comb+4);
- ge_from_xy(comb + 8, base_comb[6], base_comb[7]); ge_cache(ccomb+8, comb+8);
- FOR (i, 3, 4) {ge_add(comb+i,comb+i-2,ccomb+2); ge_cache(ccomb+i,comb+i);}
- FOR (i, 5, 8) {ge_add(comb+i,comb+i-4,ccomb+4); ge_cache(ccomb+i,comb+i);}
- FOR (i, 9, 16) {ge_add(comb+i,comb+i-8,ccomb+8); ge_cache(ccomb+i,comb+i);}
+ FOR (i, 0, 16) {
+ ge tmp;
+ ge_from_xy(&tmp, base_comb[i*2], base_comb[i*2+1]);
+ ge_cache(&ccomb[i], &tmp);
+ }
 // Double and add ladder
 ge_cached tmp;
@@ -1614,7 +1670,6 @@ static void ge_scalarmult_base(ge *p, const u8 scalar[32])
 i32 select = (1 & (((i ^ nibble) - 1) >> 8)) - 1;
 fe_ccopy(tmp.Ym, ccomb[i].Ym, select);
 fe_ccopy(tmp.Yp, ccomb[i].Yp, select);
- fe_ccopy(tmp.Z , ccomb[i].Z , select);
 fe_ccopy(tmp.T2, ccomb[i].T2, select);
 }
 ge_add(p, p, &tmp);
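Review bot: The loop temporary `ge tmp` in the new expansion loop and the ladder accumulator `ge_cached tmp;` declared right after it share one name inside a single function, and they are different types, which makes the select loop further down easy to misread. Renaming the loop-scoped one, `ge point;` / `ge_from_xy(&point, base_comb[i*2], base_comb[i*2+1]);` / `ge_cache(&ccomb[i], &point);`, leaves the ladder's `tmp` unique. The rest of ge_scalarmult_base lies outside this hunk.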
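Review bot: With `fe_ccopy(tmp.Z , ccomb[i].Z , select);` removed, nothing in the select loop writes `tmp.Z` any more, yet `ge_add(p, p, &tmp);` still consumes the whole cached point; `ge_cached tmp;` in the previous hunk has no initializer and no hunk of this commit adds an assignment to `tmp.Z`, so unless one of the unchanged lines between the two hunks (not visible here) sets it, ge_add reads an indeterminate value, which is undefined behaviour and would make the signature depend on stack contents. The removal presumably relies on every `ccomb[i].Z` being one because the entries come from ge_from_xy — that ge_cache preserves Z == 1 is inferred, not shown here — and if so the value should be fixed once before the ladder, `ge_cached tmp;` followed by `fe_1(tmp.Z);`, with a comment `// all comb points are affine (Z == 1): Z is set once and never selected` so the next reader does not re-add the copy. The ladder loop that contains this hunk starts outside it.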