authorNiels Möller <nisse@lysator.liu.se>2020-11-14 17:32:12 +0100
committerNiels Möller <nisse@lysator.liu.se>2020-11-14 17:32:12 +0100
commit65a8194f37f8b11041d8f8b3394d757758609681 (patch)
treec0dba67681458b67e1c10125490e0e1e08f68f02
parentd78731551475fa01aadd1721824ddb190ca13c43 (diff)
Update invert calls for curve25519_eh_to_x and curve448_eh_to_x
-rw-r--r--ChangeLog3
-rw-r--r--curve25519-eh-to-x.c16
-rw-r--r--curve448-eh-to-x.c22
3 files changed, 22 insertions, 19 deletions
diff --git a/ChangeLog b/ChangeLog
index 5d774a5f..3bb77d84 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,9 @@
* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
* ecc-j-to-a.c (ecc_j_to_a): Likewise.
* ecc-gostdsa-verify.c (ecc_gostdsa_verify): Likewise.
+ * curve25519-eh-to-x.c (curve25519_eh_to_x): Likewise.
+ * curve448-eh-to-x.c (curve448_eh_to_x): Update invert call, and
+ reduce scratch need from 9*size to 5*size.
* ecc-internal.h (ECC_MOD_INV_ITCH, ECC_J_TO_A_ITCH)
(ECC_EH_TO_A_ITCH): Update accordingly, but no change in total
scratch need.
diff --git a/curve25519-eh-to-x.c b/curve25519-eh-to-x.c
index 08ad3d91..f0f1920d 100644
--- a/curve25519-eh-to-x.c
+++ b/curve25519-eh-to-x.c
@@ -50,12 +50,12 @@ curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p,
#define wp (p + 2*ecc->p.size)
#define t0 scratch
#define t1 (scratch + ecc->p.size)
-#define t2 (scratch + 2*ecc->p.size)
+#define tp (scratch + 2*ecc->p.size)
const struct ecc_curve *ecc = &_nettle_curve25519;
mp_limb_t cy;
- /* If u = U/W and v = V/W are the coordiantes of the point on the
+ /* If u = U/W and v = V/W are the coordinates of the point on the
Edwards curve we get the curve25519 x coordinate as
x = (1+v) / (1-v) = (W + V) / (W - V)
@@ -65,17 +65,17 @@ curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p,
x = 0, and we should be fine, since ecc_mod_inv for ecc->p returns 0
in this case. */
ecc_mod_sub (&ecc->p, t0, wp, vp);
- /* Needs a total of 5*size storage. */
- ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size);
+ /* Needs a total of 6*size storage. */
+ ecc->p.invert (&ecc->p, t1, t0, tp);
ecc_mod_add (&ecc->p, t0, wp, vp);
- ecc_mod_mul (&ecc->p, t2, t0, t1, t2);
+ ecc_mod_mul (&ecc->p, t0, t0, t1, tp);
- cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);
- cnd_copy (cy, xp, t2, ecc->p.size);
+ cy = mpn_sub_n (xp, t0, ecc->p.m, ecc->p.size);
+ cnd_copy (cy, xp, t0, ecc->p.size);
#undef vp
#undef wp
#undef t0
#undef t1
-#undef t2
+#undef tp
}
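Review bot: The scratch requirement of curve25519_eh_to_x grows from 5*size to 6*size according to the updated comment, but nothing visible in this commit shows callers' scratch allocations growing with it, and the ChangeLog entry for this file only says "Likewise". With `tp` at `scratch + 2*ecc->p.size`, the comment implies `invert` may use up to 4*size limbs starting at `tp`, so an under-sized caller buffer would be written out of bounds. The callers are outside this diff, so each should be confirmed to pass at least 6*size limbs, and the layout could be spelled out as `/* Needs 6*size: t0, t1, and 4*size at tp for invert. */`. The function body starts before this hunk.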
diff --git a/curve448-eh-to-x.c b/curve448-eh-to-x.c
index 6e3367ee..8f3f8c45 100644
--- a/curve448-eh-to-x.c
+++ b/curve448-eh-to-x.c
@@ -46,10 +46,10 @@
void
curve448_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, mp_limb_t *scratch)
{
+#define up p
#define vp (p + ecc->p.size)
#define t0 scratch
-#define t1 (scratch + ecc->p.size)
-#define t2 (scratch + 2*ecc->p.size)
+#define tp (scratch + ecc->p.size)
const struct ecc_curve *ecc = &_nettle_curve448;
mp_limb_t cy;
@@ -59,15 +59,15 @@ curve448_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, mp_limb_t *scratch)
x = v^2 / u^2 = (V/W)^2 / (U/W)^2 = (V/U)^2
*/
- /* Needs a total of 9*size storage. */
- ecc->p.invert (&ecc->p, t0, p, t1 + ecc->p.size);
- ecc_mod_mul (&ecc->p, t1, t0, vp, t1);
- ecc_mod_mul (&ecc->p, t2, t1, t1, t2);
-
- cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);
- cnd_copy (cy, xp, t2, ecc->p.size);
+ /* Needs a total of 5*size storage. */
+ ecc->p.invert (&ecc->p, t0, up, tp);
+ ecc_mod_mul (&ecc->p, t0, t0, vp, tp);
+ ecc_mod_sqr (&ecc->p, t0, t0, tp);
+
+ cy = mpn_sub_n (xp, t0, ecc->p.m, ecc->p.size);
+ cnd_copy (cy, xp, t0, ecc->p.size);
+#undef up
#undef vp
#undef t0
-#undef t1
-#undef t2
+#undef tp
}
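Review bot: The U = 0 case is not documented at `ecc->p.invert (&ecc->p, t0, up, tp)`, at least in the part of the comment visible in this hunk. The curve25519 counterpart explains that a zero denominator gives x = 0 because the inversion returns 0, and this commit switches both files to the updated invert call. Once it is confirmed that the new invert keeps that behaviour, a matching comment would help here, e.g. `/* If U = 0, invert is expected to return 0, giving x = 0. */`. The comment block begins before this hunk, so the case may already be covered above.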