crypto/ec/ec_mult.c

181  * Determine the modified width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'.
184  *     scalar = \sum_j r[j]*2^j
189 static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len)
198     if (BN_is_zero(scalar)) {
218     if (BN_is_negative(scalar)) {
222     if (scalar->d == NULL || scalar->top == 0) {
227     len = BN_num_bits(scalar);
231                                   * BN_num_bits(scalar) + 1) */
236     window_val = scalar->d[0] & mask;
288         window_val += bit * BN_is_bit_set(scalar, j + w);
325  * It performs either a fixed scalar point multiplication
326  *          (scalar * generator)
327  * when point is NULL, or a generic scalar point multiplication
328  *          (scalar * point)
331  * scalar should be in the range [0,n) otherwise all constant time bets are off.
341                             const BIGNUM *scalar, const EC_POINT *point,
379      * So when we pad the scalar, some timing diff might
389     if (!BN_copy(k, scalar))
409      * lambda := scalar + cardinality
410      * k := scalar + 2*cardinality
549  *      scalar*generator
550  * in the addition if scalar != NULL
552 int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
576     int num_scalar = 0;         /* flag: will be set to 1 if 'scalar' must be
586     if ((scalar == NULL) && (num == 0)) {
592          * Handle the common cases where the scalar is secret, enforcing a constant
593          * time scalar multiplication algorithm.
595         if ((scalar != NULL) && (num == 0)) {
597              * In this case we want to compute scalar * GeneratorPoint: this
600              * keygen/first half), where the scalar is always secret. This is why
604             return ec_mul_consttime(group, r, scalar, NULL, ctx);
606         if ((scalar == NULL) && (num == 1)) {
608              * In this case we want to compute scalar * GenericPoint: this codepath
610              * secret scalar is multiplied by the peer's public point. To protect
611              * the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and
631     if (scalar != NULL) {
653             numblocks = (BN_num_bits(scalar) / blocksize) + 1;
672             num_scalar = 1;     /* treat 'scalar' like 'num'-th element of
702         bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(scalar);
707             compute_wNAF((i < num ? scalars[i] : scalar), wsize[i],
716         /* we go here iff scalar != NULL */
723             /* we have already generated a wNAF for 'scalar' */
737             tmp_wNAF = compute_wNAF(scalar, wsize[num], &tmp_len);