Revert "add more precomputation to ecdsa signing"

This reverts commit 06dd166.
trezor · Jul 2, 2014 · 3747ba4 · 3747ba4
1 parent 3308cc6
commit 3747ba4
Show file tree

Hide file tree

Showing 4 changed files with 74 additions and 611 deletions.
diff --git a/bignum.c b/bignum.c
@@ -303,20 +303,14 @@ void bn_inverse(bignum256 *x, const bignum256 *prime)
 void bn_inverse(bignum256 *x, const bignum256 *prime)
 {
 	int i, j, k, len1, len2, mask;
-	uint8_t buf[32];
-	uint32_t u[8], v[8], s[9], r[10], temp32;
-	uint64_t temp, temp2;
+	uint32_t u[9], v[9], s[10], r[10], temp, temp2;
 	bn_fast_mod(x, prime);
 	bn_mod(x, prime);
-	bn_write_be(prime, buf);
-	for (i = 0; i < 8; i++) {
-		u[i] = read_be(buf + 28 - i * 4);
-	}
-	bn_write_be(x, buf);
-	for (i = 0; i < 8; i++) {
-		v[i] = read_be(buf + 28 - i * 4);
+	for (i = 0; i < 9; i++) {
+		u[i] = prime->val[i];
+		v[i] = x->val[i];
 	}
-	len1 = 8;
+	len1 = 9;
 	s[0] = 1;
 	r[0] = 0;
 	len2 = 1;
@@ -333,13 +327,13 @@ void bn_inverse(bignum256 *x, const bignum256 *prime)
 			if (i == 0) break;
 			mask = (1 << i) - 1;
 			for (j = 0; j + 1 < len1; j++) {
-				u[j] = (u[j] >> i) | ((u[j + 1] & mask) << (32 - i));
+				u[j] = (u[j] >> i) | ((u[j + 1] & mask) << (30 - i));
 			}
 			u[j] = (u[j] >> i);
-			mask = (1 << (32 - i)) - 1;
-			s[len2] = s[len2 - 1] >> (32 - i);
+			mask = (1 << (30 - i)) - 1;
+			s[len2] = s[len2 - 1] >> (30 - i);
 			for (j = len2 - 1; j > 0; j--) {
-				s[j] = (s[j - 1] >> (32 - i)) | ((s[j] & mask) << i);
+				s[j] = (s[j - 1] >> (30 - i)) | ((s[j] & mask) << i);
 			}
 			s[0] = (s[0] & mask) << i;
 			if (s[len2]) {
@@ -355,13 +349,13 @@ void bn_inverse(bignum256 *x, const bignum256 *prime)
 			if (i == 0) break;
 			mask = (1 << i) - 1;
 			for (j = 0; j + 1 < len1; j++) {
-				v[j] = (v[j] >> i) | ((v[j + 1] & mask) << (32 - i));
+				v[j] = (v[j] >> i) | ((v[j + 1] & mask) << (30 - i));
 			}
 			v[j] = (v[j] >> i);
-			mask = (1 << (32 - i)) - 1;
-			r[len2] = r[len2 - 1] >> (32 - i);
+			mask = (1 << (30 - i)) - 1;
+			r[len2] = r[len2 - 1] >> (30 - i);
 			for (j = len2 - 1; j > 0; j--) {
-				r[j] = (r[j - 1] >> (32 - i)) | ((r[j] & mask) << i);
+				r[j] = (r[j - 1] >> (30 - i)) | ((r[j] & mask) << i);
 			}
 			r[0] = (r[0] & mask) << i;
 			if (r[len2]) {
@@ -374,51 +368,47 @@ void bn_inverse(bignum256 *x, const bignum256 *prime)
 		i = len1 - 1;
 		while (i > 0 && u[i] == v[i]) i--;
 		if (u[i] > v[i]) {
-			temp = 0x100000000ull + u[0] - v[0];
-			u[0] = (temp >> 1) & 0x7FFFFFFF;
-			temp >>= 32;
+			temp = 0x40000000u + u[0] - v[0];
+			u[0] = (temp >> 1) & 0x1FFFFFFF;
+			temp >>= 30;
 			for (i = 1; i < len1; i++) {
-				temp += 0xFFFFFFFFull + u[i] - v[i];
-				u[i - 1] += (temp & 1) << 31;
-				u[i] = (temp >> 1) & 0x7FFFFFFF;
-				temp >>= 32;
+				temp += 0x3FFFFFFFu + u[i] - v[i];
+				u[i - 1] += (temp & 1) << 29;
+				u[i] = (temp >> 1) & 0x1FFFFFFF;
+				temp >>= 30;
 			}
 			temp = temp2 = 0;
 			for (i = 0; i < len2; i++) {
-				temp += s[i];
-				temp += r[i];
-				temp2 += s[i];
-				temp2 += s[i];
-				r[i] = temp;
-				s[i] = temp2;
-				temp >>= 32;
-				temp2 >>= 32;
+				temp += s[i] + r[i];
+				temp2 += s[i] << 1;
+				r[i] = temp & 0x3FFFFFFF;
+				s[i] = temp2 & 0x3FFFFFFF;
+				temp >>= 30;
+				temp2 >>= 30;
 			}
 			if (temp != 0 || temp2 != 0) {
 				r[len2] = temp;
 				s[len2] = temp2;
 				len2++;
 			}
 		} else {
-			temp = 0x100000000ull + v[0] - u[0];
-			v[0] = (temp >> 1) & 0x7FFFFFFF;
-			temp >>= 32;
+			temp = 0x40000000u + v[0] - u[0];
+			v[0] = (temp >> 1) & 0x1FFFFFFF;
+			temp >>= 30;
 			for (i = 1; i < len1; i++) {
-				temp += 0xFFFFFFFFull + v[i] - u[i];
-				v[i - 1] += (temp & 1) << 31;
-				v[i] = (temp >> 1) & 0x7FFFFFFF;
-				temp >>= 32;
+				temp += 0x3FFFFFFFu + v[i] - u[i];
+				v[i - 1] += (temp & 1) << 29;
+				v[i] = (temp >> 1) & 0x1FFFFFFF;
+				temp >>= 30;
 			}
 			temp = temp2 = 0;
 			for (i = 0; i < len2; i++) {
-				temp += s[i];
-				temp += r[i];
-				temp2 += r[i];
-				temp2 += r[i];
-				s[i] = temp;
-				r[i] = temp2;
-				temp >>= 32;
-				temp2 >>= 32;
+				temp += s[i] + r[i];
+				temp2 += r[i] << 1;
+				s[i] = temp & 0x3FFFFFFF;
+				r[i] = temp2 & 0x3FFFFFFF;
+				temp >>= 30;
+				temp2 >>= 30;
 			}
 			if (temp != 0 || temp2 != 0) {
 				s[len2] = temp;
@@ -429,33 +419,21 @@ void bn_inverse(bignum256 *x, const bignum256 *prime)
 		if (u[len1 - 1] == 0 && v[len1 - 1] == 0) len1--;
 		k++;
 	}
-
-	j = r[0] >> 30;
-	r[0] = r[0] & 0x3FFFFFFFu;
-	for (i = 1; i < len2; i++) {
-		uint32_t q = r[i] >> (30 - 2 * i);
-		r[i] = ((r[i] << (2 * i)) & 0x3FFFFFFFu) + j;
-		j=q;
-	}
-	r[i] = j;
-	i++;
-	for (; i < 9; i++) r[i] = 0;
-
 	i = 8;
 	while (i > 0 && r[i] == prime->val[i]) i--;
 	if (r[i] >= prime->val[i]) {
-		temp32 = 1;
+		temp = 1;
 		for (i = 0; i < 9; i++) {
-			temp32 += 0x3FFFFFFF + r[i] - prime->val[i];
-			r[i] = temp32 & 0x3FFFFFFF;
-			temp32 >>= 30;
+			temp += 0x3FFFFFFF + r[i] - prime->val[i];
+			r[i] = temp & 0x3FFFFFFF;
+			temp >>= 30;
 		}
 	}
-	temp32 = 1;
+	temp = 1;
 	for (i = 0; i < 9; i++) {
-		temp32 += 0x3FFFFFFF + prime->val[i] - r[i];
-		r[i] = temp32 & 0x3FFFFFFF;
-		temp32 >>= 30;
+		temp += 0x3FFFFFFF + prime->val[i] - r[i];
+		r[i] = temp & 0x3FFFFFFF;
+		temp >>= 30;
 	}
 	int done = 0;
 #if USE_PRECOMPUTED_IV
@@ -471,14 +449,14 @@ void bn_inverse(bignum256 *x, const bignum256 *prime)
 	if (!done) {
 		for (j = 0; j < k; j++) {
 			if (r[0] & 1) {
-				temp32 = r[0] + prime->val[0];
-				r[0] = (temp32 >> 1) & 0x1FFFFFFF;
-				temp32 >>= 30;
+				temp = r[0] + prime->val[0];
+				r[0] = (temp >> 1) & 0x1FFFFFFF;
+				temp >>= 30;
 				for (i = 1; i < 9; i++) {
-					temp32 += r[i] + prime->val[i];
-					r[i - 1] += (temp32 & 1) << 29;
-					r[i] = (temp32 >> 1) & 0x1FFFFFFF;
-					temp32 >>= 30;
+					temp += r[i] + prime->val[i];
+					r[i - 1] += (temp & 1) << 29;
+					r[i] = (temp >> 1) & 0x1FFFFFFF;
+					temp >>= 30;
 				}
 			} else {
 				for (i = 0; i < 8; i++) {

diff --git a/ecdsa.c b/ecdsa.c
@@ -123,39 +123,38 @@ void point_multiply(const bignum256 *k, const curve_point *p, curve_point *res)
 // res = k * G
 void scalar_multiply(const bignum256 *k, curve_point *res)
 {
-	int i;
+	int i, j;
 	// result is zero
 	int is_zero = 1;
+#if USE_PRECOMPUTED_CP
+	int exp = 0;
+#else
 	curve_point curr;
 	// initial res
 	memcpy(&curr, &G256k1, sizeof(curve_point));
-	for (i = 0; i < 256; i++) {
-		if (k->val[i / 30] & (1u << (i % 30))) {
-			if (is_zero) {
+#endif
+	for (i = 0; i < 9; i++) {
+		for (j = 0; j < 30; j++) {
+			if (i == 8 && (k->val[i] >> j) == 0) break;
+			if (k->val[i] & (1u << j)) {
+				if (is_zero) {
 #if USE_PRECOMPUTED_CP
-				if (i < 255 && (k->val[(i + 1) / 30] & (1u << ((i + 1) % 30)))) {
-					memcpy(res, secp256k1_cp2 + i, sizeof(curve_point));
-					i++;
-				} else {
-					memcpy(res, secp256k1_cp + i, sizeof(curve_point));
-				}
+					memcpy(res, secp256k1_cp + exp, sizeof(curve_point));
 #else
-				memcpy(res, &curr, sizeof(curve_point));
+					memcpy(res, &curr, sizeof(curve_point));
 #endif
-				is_zero = 0;
-			} else {
-#if USE_PRECOMPUTED_CP
-				if (i < 255 && (k->val[(i + 1) / 30] & (1u << ((i + 1) % 30)))) {
-					point_add(secp256k1_cp2 + i, res);
-					i++;
+					is_zero = 0;
 				} else {
-					point_add(secp256k1_cp + i, res);
-				}
+#if USE_PRECOMPUTED_CP
+					point_add(secp256k1_cp + exp, res);
 #else
-				point_add(&curr, res);
+					point_add(&curr, res);
 #endif
+				}
 			}
-#if ! USE_PRECOMPUTED_CP
+#if USE_PRECOMPUTED_CP
+			exp++;
+#else
 			point_double(&curr);
 #endif
 		}