author | Billy Brumley <bbrumley@gmail.com> | 2020-03-28 20:35:43 +0200
---|---|---
committer | Nicola Tuveri <nic.tuv@gmail.com> | 2020-04-01 18:50:20 +0300
commit | a4a93bbfb0e679eaa249f77c7c4e7e823ca870ef |
tree | dc1cdbca101c0ba69519ca94ea33ca5f0090456a /crypto/ec/ec_mult.c |
parent | 09736245b174a37abb87fb7ceb55462d940ff2bb |
download | openssl-new-a4a93bbfb0e679eaa249f77c7c4e7e823ca870ef.tar.gz |
[crypto/ec] Ladder tweaks
- Convert to affine coords on ladder entry. This lets us use more efficient
ladder step formulae.
- Convert to affine coords on ladder exit. This prevents the current code
awkwardness where conversion happens twice during serialization: first to
fetch the buffer size, then again to fetch the coords.
- Instead of projectively blinding the input point, blind both accumulators
independently.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/11435)
Diffstat (limited to 'crypto/ec/ec_mult.c')
-rw-r--r-- | crypto/ec/ec_mult.c | 15
1 file changed, 4 insertions, 11 deletions
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index 17aacf877b..2d3fc50acf 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -266,17 +266,10 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r, goto err; } - /*- - * Apply coordinate blinding for EC_POINT. - * - * The underlying EC_METHOD can optionally implement this function: - * ec_point_blind_coordinates() returns 0 in case of errors or 1 on - * success or if coordinate blinding is not implemented for this - * group. - */ - if (!ec_point_blind_coordinates(group, p, ctx)) { - ECerr(EC_F_EC_SCALAR_MUL_LADDER, EC_R_POINT_COORDINATES_BLIND_FAILURE); - goto err; + /* ensure input point is in affine coords for ladder step efficiency */ + if (!p->Z_is_one && !EC_POINT_make_affine(group, p, ctx)) { + ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_EC_LIB); + goto err; } /* Initialize the Montgomery ladder */ |
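Review bot: this hunk removes the only ec_point_blind_coordinates() call in ec_scalar_mul_ladder() and puts nothing in its place within this function, and the diffstat shows it is the whole change to crypto/ec/ec_mult.c, so a reader of this file alone would conclude the coordinate-blinding countermeasure was simply dropped rather than moved to the two accumulators as the commit message states. Suggest extending the new comment `/* ensure input point is in affine coords for ladder step efficiency */` with one line that says where the accumulator blinding now happens (the ladder pre-step the message refers to), so the dependency between this affine conversion and the blinding elsewhere is documented at the point where the old call used to be. The switch from EC_R_POINT_COORDINATES_BLIND_FAILURE to ERR_R_EC_LIB is fine, since EC_POINT_make_affine() reports its own reason code; the `!p->Z_is_one` short-circuit is also fine as long as every EC_METHOD that reaches this ladder keeps Z_is_one meaningful, which is worth a word in the same comment.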