author | Tim Hudson <tjh@openssl.org> | 2014-12-28 12:48:40 +1000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2014-12-30 22:10:26 +0000 |
commit | 1d97c8435171a7af575f73c526d79e1ef0ee5960 (patch) | |
tree | 99405d276f1713c41130162ac64f6b01c95a0751 /crypto/ec | |
parent | aa8a9266f91ce05068c5bf7eab44263c99d366f3 (diff) |
mark all block comments that need format preserving so that
indent will not alter them when reformatting comments
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'crypto/ec')
-rw-r--r-- | crypto/ec/ec.h | 2 | ||||
-rw-r--r-- | crypto/ec/ec2_mult.c | 9 | ||||
-rw-r--r-- | crypto/ec/ec2_smpl.c | 6 | ||||
-rw-r--r-- | crypto/ec/ec_lcl.h | 3 | ||||
-rw-r--r-- | crypto/ec/ec_mult.c | 6 | ||||
-rw-r--r-- | crypto/ec/ecp_nistp224.c | 33 | ||||
-rw-r--r-- | crypto/ec/ecp_nistp256.c | 75 | ||||
-rw-r--r-- | crypto/ec/ecp_nistp521.c | 78 | ||||
-rw-r--r-- | crypto/ec/ecp_nistputil.c | 2 | ||||
-rw-r--r-- | crypto/ec/ecp_smpl.c | 12 |
10 files changed, 150 insertions, 76 deletions
diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h
index f448aacc0e..477e476d08 100644
--- a/crypto/ec/ec.h
+++ b/crypto/ec/ec.h
@@ -118,7 +118,7 @@ typedef enum { typedef struct ec_method_st EC_METHOD; typedef struct ec_group_st - /* + /*- EC_METHOD *meth; -- field definition -- curve coefficients
diff --git a/crypto/ec/ec2_mult.c b/crypto/ec/ec2_mult.c
index cc3ec83932..c261b816b5 100644
--- a/crypto/ec/ec2_mult.c
+++ b/crypto/ec/ec2_mult.c
@@ -143,7 +143,8 @@ static int gf2m_Madd(const EC_GROUP *group, const BIGNUM *x, BIGNUM *x1, BIGNUM return ret; } -/* Compute the x, y affine coordinates from the point (x1, z1) (x2, z2) +/*- + * Compute the x, y affine coordinates from the point (x1, z1) (x2, z2) * using Montgomery point multiplication algorithm Mxy() in appendix of * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
@@ -212,7 +213,8 @@ static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIG } -/* Computes scalar*point and stores the result in r. +/*- + * Computes scalar*point and stores the result in r. * point can not equal r. * Uses a modified algorithm 2P of * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
@@ -318,7 +320,8 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, } -/* Computes the sum +/*- + * Computes the sum * scalar*group->generator + scalars[0]*points[0] + ... + scalars[num-1]*points[num-1] * gracefully ignoring NULL scalar values. */
diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c
index 0bf87e6af9..716036079a 100644
--- a/crypto/ec/ec2_smpl.c
+++ b/crypto/ec/ec2_smpl.c
@@ -586,7 +586,8 @@ int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_ lh = BN_CTX_get(ctx); if (lh == NULL) goto err; - /* We have a curve defined by a Weierstrass equation + /*- + * We have a curve defined by a Weierstrass equation * y^2 + x*y = x^3 + a*x^2 + b. * <=> x^3 + a*x^2 + x*y + b + y^2 = 0 * <=> ((x + a) * x + y ) * x + b + y^2 = 0
@@ -606,7 +607,8 @@ int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_ } -/* Indicates whether two points are equal. +/*- + * Indicates whether two points are equal. * Return values: * -1 error * 0 equal (in affine coordinates)
diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h
index abd73eeee8..b7982d91de 100644
--- a/crypto/ec/ec_lcl.h
+++ b/crypto/ec/ec_lcl.h
@@ -117,7 +117,8 @@ struct ec_method_st { void (*point_clear_finish)(EC_POINT *); int (*point_copy)(EC_POINT *, const EC_POINT *); - /* used by EC_POINT_set_to_infinity, + /*- + * used by EC_POINT_set_to_infinity, * EC_POINT_set_Jprojective_coordinates_GFp, * EC_POINT_get_Jprojective_coordinates_GFp, * EC_POINT_set_affine_coordinates_GFp, ..._GF2m,
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index 3b5be30ff4..eb83c62dcd 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -482,7 +482,8 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, if (!(tmp = EC_POINT_new(group))) goto err; - /* prepare precomputed values: + /*- + * prepare precomputed values: * val_sub[i][0] := points[i] * val_sub[i][1] := 3 * points[i] * val_sub[i][2] := 5 * points[i]
@@ -607,7 +608,8 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, } -/* ec_wNAF_precompute_mult() +/*- + * ec_wNAF_precompute_mult() * creates an EC_PRE_COMP object with preprecomputed multiples of the generator * for use with wNAF splitting as implemented in ec_wNAF_mul(). *
diff --git a/crypto/ec/ecp_nistp224.c b/crypto/ec/ecp_nistp224.c
index bf8021c6cf..4c76827db8 100644
--- a/crypto/ec/ecp_nistp224.c
+++ b/crypto/ec/ecp_nistp224.c
@@ -46,7 +46,8 @@ typedef int64_t s64; /******************************************************************************/ -/* INTERNAL REPRESENTATION OF FIELD ELEMENTS +/*- + * INTERNAL REPRESENTATION OF FIELD ELEMENTS * * Field elements are represented as a_0 + 2^56*a_1 + 2^112*a_2 + 2^168*a_3 * using 64-bit coefficients called 'limbs',
@@ -94,7 +95,8 @@ static const felem_bytearray nistp224_curve_params[5] = { 0x44,0xd5,0x81,0x99,0x85,0x00,0x7e,0x34} }; -/* Precomputed multiples of the standard generator +/*- + * Precomputed multiples of the standard generator * Points are given in coordinates (X, Y, Z) where Z normally is 1 * (0 for the point at infinity). * For each field element, slice a_0 is word 0, etc.
@@ -573,9 +575,11 @@ static void felem_reduce(felem out, const widefelem in) /* output[3] <= 2^56 + 2^16 */ out[2] = output[2] & 0x00ffffffffffffff; - /* out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, + /*- + * out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, * out[3] <= 2^56 + 2^16 (due to final carry), - * so out < 2*p */ + * so out < 2*p + */ out[3] = output[3]; }
@@ -752,13 +756,15 @@ copy_conditional(felem out, const felem in, limb icopy) * */ -/* Double an elliptic curve point: +/*- + * Double an elliptic curve point: * (X', Y', Z') = 2 * (X, Y, Z), where * X' = (3 * (X - Z^2) * (X + Z^2))^2 - 8 * X * Y^2 * Y' = 3 * (X - Z^2) * (X + Z^2) * (4 * X * Y^2 - X') - 8 * Y^2 * Z' = (Y + Z)^2 - Y^2 - Z^2 = 2 * Y * Z * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed, - * while x_out == y_in is not (maybe this works, but it's not tested). */ + * while x_out == y_in is not (maybe this works, but it's not tested). + */ static void point_double(felem x_out, felem y_out, felem z_out, const felem x_in, const felem y_in, const felem z_in)
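Review bot: The doubling formula in the comment rewritten by the `@@ -752,13 +756,15 @@` hunk of crypto/ec/ecp_nistp224.c ends its Y' line with `- 8 * Y^2`, which does not look consistent with Jacobian doubling, where that last term is the square of Y^2. Since the block is being touched anyway, the line could read ` * Y' = 3 * (X - Z^2) * (X + Z^2) * (4 * X * Y^2 - X') - 8 * Y^4`; please confirm against the body of point_double, which lies outside the hunk. Reviewers check the limb arithmetic against these formulas, so a wrong exponent is worth correcting before `/*-` freezes the block against reformatting.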
@@ -830,7 +836,8 @@ point_double(felem x_out, felem y_out, felem z_out, felem_reduce(y_out, tmp); } -/* Add two elliptic curve points: +/*- + * Add two elliptic curve points: * (X_1, Y_1, Z_1) + (X_2, Y_2, Z_2) = (X_3, Y_3, Z_3), where * X_3 = (Z_1^3 * Y_2 - Z_2^3 * Y_1)^2 - (Z_1^2 * X_2 - Z_2^2 * X_1)^3 - * 2 * Z_2^2 * X_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^2
@@ -968,8 +975,10 @@ static void point_add(felem x3, felem y3, felem z3, felem_scalar(ftmp5, 2); /* ftmp5[i] < 2 * 2^57 = 2^58 */ - /* x_out = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 - - 2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2 */ + /*- + * x_out = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 - + * 2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2 + */ felem_diff_128_64(tmp2, ftmp5); /* tmp2[i] < 2^117 + 2^64 + 8 < 2^118 */ felem_reduce(x_out, tmp2);
@@ -982,8 +991,10 @@ static void point_add(felem x3, felem y3, felem z3, felem_mul(tmp2, ftmp3, ftmp2); /* tmp2[i] < 4 * 2^57 * 2^59 = 2^118 */ - /* y_out = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out) - - z2^3*y1*(z1^2*x2 - z2^2*x1)^3 */ + /*- + * y_out = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out) - + * z2^3*y1*(z1^2*x2 - z2^2*x1)^3 + */ widefelem_diff(tmp2, tmp); /* tmp2[i] < 2^118 + 2^120 < 2^121 */ felem_reduce(y_out, tmp2);
diff --git a/crypto/ec/ecp_nistp256.c b/crypto/ec/ecp_nistp256.c
index 2f9bb57fdc..cd87161093 100644
--- a/crypto/ec/ecp_nistp256.c
+++ b/crypto/ec/ecp_nistp256.c
@@ -79,7 +79,8 @@ static const felem_bytearray nistp256_curve_params[5] = { 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5} }; -/* The representation of field elements. +/*- + * The representation of field elements. * ------------------------------------ * * We represent field elements with either four 128-bit values, eight 128-bit
@@ -248,7 +249,8 @@ static void longfelem_scalar(longfelem out, const u64 scalar) /* zero105 is 0 mod p */ static const felem zero105 = { two105m41m9, two105, two105m41p9, two105m41p9 }; -/* smallfelem_neg sets |out| to |-small| +/*- + * smallfelem_neg sets |out| to |-small| * On exit: * out[i] < out[i] + 2^105 */
@@ -261,7 +263,8 @@ static void smallfelem_neg(felem out, const smallfelem small) out[3] = zero105[3] - small[3]; } -/* felem_diff subtracts |in| from |out| +/*- + * felem_diff subtracts |in| from |out| * On entry: * in[i] < 2^104 * On exit:
@@ -288,7 +291,8 @@ static void felem_diff(felem out, const felem in) /* zero107 is 0 mod p */ static const felem zero107 = { two107m43m11, two107, two107m43p11, two107m43p11 }; -/* An alternative felem_diff for larger inputs |in| +/*- + * An alternative felem_diff for larger inputs |in| * felem_diff_zero107 subtracts |in| from |out| * On entry: * in[i] < 2^106
@@ -309,7 +313,8 @@ static void felem_diff_zero107(felem out, const felem in) out[3] -= in[3]; } -/* longfelem_diff subtracts |in| from |out| +/*- + * longfelem_diff subtracts |in| from |out| * On entry: * in[i] < 7*2^67 * On exit:
@@ -352,7 +357,8 @@ static void longfelem_diff(longfelem out, const longfelem in) /* zero110 is 0 mod p */ static const felem zero110 = { two64m0, two110p32m0, two64m46, two64m32 }; -/* felem_shrink converts an felem into a smallfelem. The result isn't quite +/*- + * felem_shrink converts an felem into a smallfelem. The result isn't quite * minimal as the value may be greater than p. * * On entry:
@@ -404,12 +410,14 @@ static void felem_shrink(smallfelem out, const felem in) /* As tmp[3] < 2^65, high is either 1 or 0 */ high <<= 63; high >>= 63; - /* high is: + /*- + * high is: * all ones if the high word of tmp[3] is 1 * all zeros if the high word of tmp[3] if 0 */ low = tmp[3]; mask = low >> 63; - /* mask is: + /*- + * mask is: * all ones if the MSB of low is 1 * all zeros if the MSB of low if 0 */ low &= bottom63bits;
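Review bot: The exit bound in the smallfelem_neg comment (`@@ -248,7 +249,8 @@` hunk of crypto/ec/ecp_nistp256.c) reads `out[i] < out[i] + 2^105`, which compares out[i] with itself and therefore constrains nothing. The visible body line `out[3] = zero105[3] - small[3]` suggests the intended bound is on the order of 2^105, so something like ` * out[i] <= 2^105` would be checkable; the exact constant should be confirmed against the zero105 limb definitions, which are outside this hunk. The overflow reasoning for the 128-bit limbs rests on these entry and exit bounds, so the statement itself deserves a fix while the block is being marked as format-preserved.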
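Review bot: In felem_shrink (`@@ -404,12 +410,14 @@` hunk of crypto/ec/ecp_nistp256.c) the two converted comments keep their closing `*/` on the last text line and still read `all zeros if the high word of tmp[3] if 0` and `all zeros if the MSB of low if 0`. Other hunks in this commit (for example felem_reduce in ecp_nistp224.c) move the terminator onto its own line, so for consistency these should end with ` * all zeros if the MSB of low is 0` followed by ` */`, with `if 0` corrected to `is 0` in both. The `@@ -417,7 +425,8 @@` hunk of the same function has the same trailing `*/` layout. felem_shrink's body continues outside both hunks.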
@@ -417,7 +425,8 @@ static void felem_shrink(smallfelem out, const felem in) /* if low was greater than kPrime3Test then the MSB is zero */ low = ~low; low >>= 63; - /* low is: + /*- + * low is: * all ones if low was > kPrime3Test * all zeros if low was <= kPrime3Test */ mask = (mask & low) | high;
@@ -447,7 +456,8 @@ static void smallfelem_expand(felem out, const smallfelem in) out[3] = in[3]; } -/* smallfelem_square sets |out| = |small|^2 +/*- + * smallfelem_square sets |out| = |small|^2 * On entry: * small[i] < 2^64 * On exit:
@@ -525,7 +535,8 @@ static void smallfelem_square(longfelem out, const smallfelem small) out[7] = high; } -/* felem_square sets |out| = |in|^2 +/*- + * felem_square sets |out| = |in|^2 * On entry: * in[i] < 2^109 * On exit:
@@ -538,7 +549,8 @@ static void felem_square(longfelem out, const felem in) smallfelem_square(out, small); } -/* smallfelem_mul sets |out| = |small1| * |small2| +/*- + * smallfelem_mul sets |out| = |small1| * |small2| * On entry: * small1[i] < 2^64 * small2[i] < 2^64
@@ -653,7 +665,8 @@ static void smallfelem_mul(longfelem out, const smallfelem small1, const smallfe out[7] = high; } -/* felem_mul sets |out| = |in1| * |in2| +/*- + * felem_mul sets |out| = |in1| * |in2| * On entry: * in1[i] < 2^109 * in2[i] < 2^109
@@ -668,7 +681,8 @@ static void felem_mul(longfelem out, const felem in1, const felem in2) smallfelem_mul(out, small1, small2); } -/* felem_small_mul sets |out| = |small1| * |in2| +/*- + * felem_small_mul sets |out| = |small1| * |in2| * On entry: * small1[i] < 2^64 * in2[i] < 2^109
@@ -688,7 +702,8 @@ static void felem_small_mul(longfelem out, const smallfelem small1, const felem /* zero100 is 0 mod p */ static const felem zero100 = { two100m36m4, two100, two100m36p4, two100m36p4 }; -/* Internal function for the different flavours of felem_reduce. +/*- + * Internal function for the different flavours of felem_reduce. * felem_reduce_ reduces the higher coefficients in[4]-in[7]. * On entry: * out[0] >= in[6] + 2^32*in[6] + in[7] + 2^32*in[7]
@@ -735,7 +750,8 @@ static void felem_reduce_(felem out, const longfelem in) out[3] += (in[7] * 3); } -/* felem_reduce converts a longfelem into an felem. +/*- + * felem_reduce converts a longfelem into an felem. * To be called directly after felem_square or felem_mul. * On entry: * in[0] < 2^64, in[1] < 3*2^64, in[2] < 5*2^64, in[3] < 7*2^64
@@ -752,7 +768,8 @@ static void felem_reduce(felem out, const longfelem in) felem_reduce_(out, in); - /* out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0 + /*- + * out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0 * out[1] > 2^100 - 2^64 - 7*2^96 > 0 * out[2] > 2^100 - 2^36 + 2^4 - 5*2^64 - 5*2^96 > 0 * out[3] > 2^100 - 2^36 + 2^4 - 7*2^64 - 5*2^96 - 3*2^96 > 0
@@ -764,7 +781,8 @@ static void felem_reduce(felem out, const longfelem in) */ } -/* felem_reduce_zero105 converts a larger longfelem into an felem. +/*- + * felem_reduce_zero105 converts a larger longfelem into an felem. * On entry: * in[0] < 2^71 * On exit:
@@ -779,7 +797,8 @@ static void felem_reduce_zero105(felem out, const longfelem in) felem_reduce_(out, in); - /* out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0 + /*- + * out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0 * out[1] > 2^105 - 2^71 - 2^103 > 0 * out[2] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 > 0 * out[3] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 - 2^103 > 0
@@ -881,7 +900,8 @@ static void smallfelem_mul_contract(smallfelem out, const smallfelem in1, const felem_contract(out, tmp); } -/* felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0 +/*- + * felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0 * otherwise. * On entry: * small[i] < 2^64
@@ -926,7 +946,8 @@ static int smallfelem_is_zero_int(const smallfelem small) return (int) (smallfelem_is_zero(small) & ((limb)1)); } -/* felem_inv calculates |out| = |in|^{-1} +/*- + * felem_inv calculates |out| = |in|^{-1} * * Based on Fermat's Little Theorem: * a^p = a (mod p)
@@ -1005,14 +1026,16 @@ static void smallfelem_inv_contract(smallfelem out, const smallfelem in) felem_contract(out, tmp); } -/* Group operations +/*- + * Group operations * ---------------- * * Building on top of the field operations we have the operations on the * elliptic curve group itself. Points on the curve are represented in Jacobian * coordinates */ -/* point_double calculates 2*(x_in, y_in, z_in) +/*- + * point_double calculates 2*(x_in, y_in, z_in) * * The method is taken from: * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
@@ -1140,7 +1163,8 @@ copy_small_conditional(felem out, const smallfelem in, limb mask) } } -/* point_add calcuates (x1, y1, z1) + (x2, y2, z2) +/*- + * point_add calcuates (x1, y1, z1) + (x2, y2, z2) * * The method is taken from: * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
@@ -1329,7 +1353,8 @@ static void point_add_small(smallfelem x3, smallfelem y3, smallfelem z3, felem_shrink(z3, felem_z3); } -/* Base point pre computation +/*- + * Base point pre computation * -------------------------- * * Two different sorts of precomputed tables are used in the following code.
diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c
index 178b655f7f..7ff3a0b1be 100644
--- a/crypto/ec/ecp_nistp521.c
+++ b/crypto/ec/ecp_nistp521.c
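Review bot: The comment converted in the `@@ -881,7 +900,8 @@` hunk of crypto/ec/ecp_nistp256.c opens with `felem_is_zero returns a limb ...` but states its precondition on `small[i]`, and the next hunk's context shows `smallfelem_is_zero(small)` being called, so it appears to document smallfelem_is_zero under the wrong name; the function itself starts outside the hunk. The same kind of mismatch is in the `@@ -360,7 +364,8 @@` hunk of crypto/ec/ecp_nistp521.c, where a comment beginning `felem_diff_128_64 subtracts |in| from |out|` with entry bound `in[i] < 2^126` precedes what the following hunk header names as felem_diff128. Suggested first lines are ` * smallfelem_is_zero returns a limb with all bits set if |small| == 0 (mod p) and 0` and ` * felem_diff128 subtracts |in| from |out|`, so that each bound is attached to the function it actually describes.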
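Review bot: `calcuates` in the point_add comment (`@@ -1140,7 +1163,8 @@` hunk of crypto/ec/ecp_nistp256.c) is a typo that this commit rewrites without correcting; the line should read ` * point_add calculates (x1, y1, z1) + (x2, y2, z2)`. The same spelling appears in the point_double and point_add comments of crypto/ec/ecp_nistp521.c (`@@ -930,14 +942,16 @@` and `@@ -1042,7 +1066,8 @@` hunks), while the nistp256 point_double comment already spells it correctly.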
@@ -109,7 +109,8 @@ static const felem_bytearray nistp521_curve_params[5] = 0x66, 0x50} }; -/* The representation of field elements. +/*- + * The representation of field elements. * ------------------------------------ * * We represent field elements with nine values. These values are either 64 or
@@ -291,7 +292,8 @@ static void felem_scalar128(largefelem out, limb scalar) out[8] *= scalar; } -/* felem_neg sets |out| to |-in| +/*- + * felem_neg sets |out| to |-in| * On entry: * in[i] < 2^59 + 2^14 * On exit:
@@ -314,7 +316,8 @@ static void felem_neg(felem out, const felem in) out[8] = two62m2 - in[8]; } -/* felem_diff64 subtracts |in| from |out| +/*- + * felem_diff64 subtracts |in| from |out| * On entry: * in[i] < 2^59 + 2^14 * On exit:
@@ -337,7 +340,8 @@ static void felem_diff64(felem out, const felem in) out[8] += two62m2 - in[8]; } -/* felem_diff_128_64 subtracts |in| from |out| +/*- + * felem_diff_128_64 subtracts |in| from |out| * On entry: * in[i] < 2^62 + 2^17 * On exit:
@@ -360,7 +364,8 @@ static void felem_diff_128_64(largefelem out, const felem in) out[8] += two63m5 - in[8]; } -/* felem_diff_128_64 subtracts |in| from |out| +/*- + * felem_diff_128_64 subtracts |in| from |out| * On entry: * in[i] < 2^126 * On exit:
@@ -383,7 +388,8 @@ static void felem_diff128(largefelem out, const largefelem in) out[8] += (two127m69 - in[8]); } -/* felem_square sets |out| = |in|^2 +/*- + * felem_square sets |out| = |in|^2 * On entry: * in[i] < 2^62 * On exit:
@@ -395,7 +401,8 @@ static void felem_square(largefelem out, const felem in) felem_scalar(inx2, in, 2); felem_scalar(inx4, in, 4); - /* We have many cases were we want to do + /*- + * We have many cases were we want to do * in[x] * in[y] + * in[y] * in[x] * This is obviously just
@@ -474,7 +481,8 @@ static void felem_square(largefelem out, const felem in) out[7] += ((uint128_t) in[8]) * inx2[8]; } -/* felem_mul sets |out| = |in1| * |in2| +/*- + * felem_mul sets |out| = |in1| * |in2| * On entry: * in1[i] < 2^64 * in2[i] < 2^63
@@ -589,7 +597,8 @@ static void felem_mul(largefelem out, const felem in1, const felem in2) static const limb bottom52bits = 0xfffffffffffff; -/* felem_reduce converts a largefelem to an felem. +/*- + * felem_reduce converts a largefelem to an felem. * On entry: * in[i] < 2^128 * On exit:
@@ -677,7 +686,8 @@ static void felem_mul_reduce(felem out, const felem in1, const felem in2) felem_reduce(out, tmp); } -/* felem_inv calculates |out| = |in|^{-1} +/*- + * felem_inv calculates |out| = |in|^{-1} * * Based on Fermat's Little Theorem: * a^p = a (mod p)
@@ -769,7 +779,8 @@ static const felem kPrime = 0x03ffffffffffffff, 0x03ffffffffffffff, 0x01ffffffffffffff }; -/* felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0 +/*- + * felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0 * otherwise. * On entry: * in[i] < 2^59 + 2^14
@@ -834,7 +845,8 @@ static int felem_is_zero_int(const felem in) return (int) (felem_is_zero(in) & ((limb)1)); } -/* felem_contract converts |in| to its unique, minimal representation. +/*- + * felem_contract converts |in| to its unique, minimal representation. * On entry: * in[i] < 2^59 + 2^14 */
@@ -930,14 +942,16 @@ static void felem_contract(felem out, const felem in) sign = -(out[7] >> 63); out[7] += (two58 & sign); out[8] -= (1 & sign); } -/* Group operations +/*- + * Group operations * ---------------- * * Building on top of the field operations we have the operations on the * elliptic curve group itself. Points on the curve are represented in Jacobian * coordinates */ -/* point_double calcuates 2*(x_in, y_in, z_in) +/*- + * point_double calcuates 2*(x_in, y_in, z_in) * * The method is taken from: * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
@@ -974,11 +988,13 @@ point_double(felem x_out, felem y_out, felem z_out, felem_scalar64(ftmp2, 3); /* ftmp2[i] < 3*2^60 + 3*2^15 */ felem_mul(tmp, ftmp, ftmp2); - /* tmp[i] < 17(3*2^121 + 3*2^76) + /*- + * tmp[i] < 17(3*2^121 + 3*2^76) * = 61*2^121 + 61*2^76 * < 64*2^121 + 64*2^76 * = 2^127 + 2^82 - * < 2^128 */ + * < 2^128 + */ felem_reduce(alpha, tmp); /* x' = alpha^2 - 8*beta */
@@ -1011,22 +1027,30 @@ point_double(felem x_out, felem y_out, felem z_out, felem_diff64(beta, x_out); /* beta[i] < 2^61 + 2^60 + 2^16 */ felem_mul(tmp, alpha, beta); - /* tmp[i] < 17*((2^59 + 2^14)(2^61 + 2^60 + 2^16)) + /*- + * tmp[i] < 17*((2^59 + 2^14)(2^61 + 2^60 + 2^16)) * = 17*(2^120 + 2^75 + 2^119 + 2^74 + 2^75 + 2^30) * = 17*(2^120 + 2^119 + 2^76 + 2^74 + 2^30) - * < 2^128 */ + * < 2^128 + */ felem_square(tmp2, gamma); - /* tmp2[i] < 17*(2^59 + 2^14)^2 - * = 17*(2^118 + 2^74 + 2^28) */ + /*- + * tmp2[i] < 17*(2^59 + 2^14)^2 + * = 17*(2^118 + 2^74 + 2^28) + */ felem_scalar128(tmp2, 8); - /* tmp2[i] < 8*17*(2^118 + 2^74 + 2^28) + /*- + * tmp2[i] < 8*17*(2^118 + 2^74 + 2^28) * = 2^125 + 2^121 + 2^81 + 2^77 + 2^35 + 2^31 - * < 2^126 */ + * < 2^126 + */ felem_diff128(tmp, tmp2); - /* tmp[i] < 2^127 - 2^69 + 17(2^120 + 2^119 + 2^76 + 2^74 + 2^30) + /*- + * tmp[i] < 2^127 - 2^69 + 17(2^120 + 2^119 + 2^76 + 2^74 + 2^30) * = 2^127 + 2^124 + 2^122 + 2^120 + 2^118 + 2^80 + 2^78 + 2^76 + * 2^74 + 2^69 + 2^34 + 2^30 - * < 2^128 */ + * < 2^128 + */ felem_reduce(y_out, tmp); }
@@ -1042,7 +1066,8 @@ copy_conditional(felem out, const felem in, limb mask) } } -/* point_add calcuates (x1, y1, z1) + (x2, y2, z2) +/*- + * point_add calcuates (x1, y1, z1) + (x2, y2, z2) * * The method is taken from * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
@@ -1205,7 +1230,8 @@ static void point_add(felem x3, felem y3, felem z3, felem_assign(z3, z_out); } -/* Base point pre computation +/*- + * Base point pre computation * -------------------------- * * Two different sorts of precomputed tables are used in the following code.
diff --git a/crypto/ec/ecp_nistputil.c b/crypto/ec/ecp_nistputil.c
index c8140c807f..4ab42d814c 100644
--- a/crypto/ec/ecp_nistputil.c
+++ b/crypto/ec/ecp_nistputil.c
@@ -107,7 +107,7 @@ void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array, } } -/* +/*- * This function looks at 5+1 scalar bits (5 current, 1 adjacent less * significant bit), and recodes them into a signed digit for use in fast point * multiplication: the use of signed rather than unsigned digits means that
diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c
index c2192b3051..bd9f7dfda7 100644
--- a/crypto/ec/ecp_smpl.c
+++ b/crypto/ec/ecp_smpl.c
@@ -320,9 +320,11 @@ int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx) if (!BN_copy(b, group->b)) goto err; } - /* check the discriminant: + /*- + * check the discriminant: * y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p) - * 0 =< a, b < p */ + * 0 =< a, b < p + */ if (BN_is_zero(a)) { if (BN_is_zero(b)) goto err;
@@ -975,7 +977,8 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_C Z6 = BN_CTX_get(ctx); if (Z6 == NULL) goto err; - /* We have a curve defined by a Weierstrass equation + /*- + * We have a curve defined by a Weierstrass equation * y^2 = x^3 + a*x + b. * The point to consider is given in Jacobian projective coordinates * where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
@@ -1081,7 +1084,8 @@ int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT * Zb23 = BN_CTX_get(ctx); if (Zb23 == NULL) goto end; - /* We have to decide whether + /*- + * We have to decide whether * (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3), * or equivalently, whether * (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3). |