[ec] Rewrite scalar_mult_base in C

For performance. This implies the need to get generator points from C as
well. The pre-computed tables are stored in static memory, and computed
lazily.

Author: Firobe

ec/mirage_crypto_ec.ml

@@ -62,6 +62,7 @@ module type Dsa = sig
   module K_gen (H : Mirage_crypto.Hash.S) : sig
     val generate : key:priv -> Cstruct.t -> Cstruct.t
   end
+  val force_precomputation : unit -> unit
 end
 
 module type Dh_dsa = sig
@@ -108,6 +109,8 @@ module type Foreign = sig
 
   val double_c : out_point -> point -> unit
   val add_c : out_point -> point -> point -> unit
+  val scalar_mult_base_c : out_point -> string -> unit
+  val force_precomputation_c : unit -> unit
 end
 
 module type Field_element = sig
@@ -125,6 +128,7 @@ module type Field_element = sig
   val to_octets : field_element -> string
   val double_point : point -> point
   val add_point : point -> point -> point
+  val scalar_mult_base_point : scalar -> point
 end
 
 module Make_field_element (P : Parameters) (F : Foreign) : Field_element = struct
@@ -213,6 +217,11 @@ module Make_field_element (P : Parameters) (F : Foreign) : Field_element = struc
     let tmp = out_point () in
     F.add_c tmp a b;
     out_p_to_p tmp
+
+  let scalar_mult_base_point (Scalar d) =
+    let tmp = out_point () in
+    F.scalar_mult_base_c tmp d;
+    out_p_to_p tmp
 end
 
 module type Point = sig
@@ -226,6 +235,8 @@ module type Point = sig
   val x_of_finite_point : point -> string
   val params_g : point
   val select : bool -> then_:point -> else_:point -> point
+  val scalar_mult_base : scalar -> point
+  val force_precomputation : unit -> unit
 end
 
 module Make_point (P : Parameters) (F : Foreign) : Point = struct
@@ -406,6 +417,9 @@ module Make_point (P : Parameters) (F : Foreign) : Point = struct
         of_octets buf
       | 0x00 | 0x04 -> Error `Invalid_length
       | _ -> Error `Invalid_format
+
+  let scalar_mult_base = Fe.scalar_mult_base_point
+  let force_precomputation = F.force_precomputation_c
 end
 
 module type Scalar = sig
@@ -414,8 +428,8 @@ module type Scalar = sig
   val of_octets : string -> (scalar, error) result
   val to_octets : scalar -> string
   val scalar_mult : scalar -> point -> point
-
   val scalar_mult_base : scalar -> point
+  val force_precomputation : unit -> unit
 end
 
 module Make_scalar (Param : Parameters) (P : Point) : Scalar = struct
@@ -435,62 +449,6 @@ module Make_scalar (Param : Parameters) (P : Point) : Scalar = struct
 
   let to_octets (Scalar buf) = rev_string buf
 
-  (* Use a sliding window optimization method for scalar multiplication
-     Hard-coded window size = 4
-     Implementation inspired from Go's crypto library
-        https://github.com/golang/go/blob/a5cd894318677359f6d07ee74f9004d28b4d164c/src/crypto/internal/nistec/p256.go#L317
-  *)
-  module Precomputed = struct
-    (* Pre-compute multiples of the generator point *)
-    let pre_compute_multiples () =
-      let len = Param.fe_length * 2 in
-      let one_table _ = Array.init 15 (fun _ -> P.at_infinity ()) in
-      let table = Array.init len one_table in
-      let base = ref P.params_g in
-      for i = 0 to len - 1 do
-        table.(i).(0) <- !base;
-        for j = 1 to 14 do
-          table.(i).(j) <- P.add !base table.(i).(j - 1)
-        done;
-        base := P.double !base;
-        base := P.double !base;
-        base := P.double !base;
-        base := P.double !base
-      done;
-      table
-
-    (* Select the n-th element of the table
-       without leaking information about [n] *)
-    let table_select table n =
-      let p = ref (P.at_infinity ()) in
-      for i = 1 to 15 do
-        let cond = not (Eqaf.bool_of_int (n - i)) in
-        p := P.select cond ~then_:table.(i - 1) ~else_:!p
-      done;
-      !p
-
-    (* Returns [kG] by decomposing [k] in binary form, and adding
-       [2^0G * k_0 + 2^1G * k_1 + ...] in constant time using
-       pre-computed values of 2^iG *)
-    let scalar_mult_base (Scalar k) tables =
-      let p = ref (P.at_infinity ()) in
-      let index = ref 0 in (* Index increases since k is big-endian *)
-      for i = 0 to String.length k - 1 do
-          let byte = String.get_uint8 k i in
-          let winValue = byte land 0b1111 in
-          p := P.add !p (table_select tables.(!index) winValue);
-          incr index;
-          let winValue = byte lsr 4 in
-          p := P.add !p (table_select tables.(!index) winValue);
-          incr index
-      done;
-      !p
-
-    let scalar_mult_base =
-      let tables = pre_compute_multiples () in
-      fun d -> scalar_mult_base d tables
-  end
-
   (* Branchless Montgomery ladder method *)
   let scalar_mult (Scalar s) p =
     let r0 = ref (P.at_infinity ()) in
@@ -506,7 +464,9 @@ module Make_scalar (Param : Parameters) (P : Point) : Scalar = struct
     !r0
 
   (* Specialization of [scalar_mult d p] when [p] is the generator *)
-  let scalar_mult_base = Precomputed.scalar_mult_base
+  let scalar_mult_base = P.scalar_mult_base
+
+  let force_precomputation = P.force_precomputation
 end
 
 module Make_dh (Param : Parameters) (P : Point) (S : Scalar) : Dh = struct
@@ -818,6 +778,8 @@ module Make_dsa (Param : Parameters) (F : Fn) (P : Point) (S : Scalar) (H : Mira
 
   let verify ~key (r, s) digest =
     verify_octets ~key (Cstruct.to_string r, Cstruct.to_string s) (Cstruct.to_string digest)
+
+  let force_precomputation = S.force_precomputation
 end
 
 module P224 : Dh_dsa = struct
@@ -849,6 +811,8 @@ module P224 : Dh_dsa = struct
     external select_c : out_field_element -> bool -> field_element -> field_element -> unit = "mc_p224_select" [@@noalloc]
     external double_c : out_point -> point -> unit = "mc_p224_point_double" [@@noalloc]
     external add_c : out_point -> point -> point -> unit = "mc_p224_point_add" [@@noalloc]
+    external scalar_mult_base_c : out_point -> string -> unit = "mc_p224_scalar_mult_base" [@@noalloc]
+    external force_precomputation_c : unit -> unit = "mc_p224_force_precomputation" [@@noalloc]
   end
 
   module Foreign_n = struct
@@ -898,6 +862,8 @@ module P256 : Dh_dsa  = struct
     external select_c : out_field_element -> bool -> field_element -> field_element -> unit = "mc_p256_select" [@@noalloc]
     external double_c : out_point -> point -> unit = "mc_p256_point_double" [@@noalloc]
     external add_c : out_point -> point -> point -> unit = "mc_p256_point_add" [@@noalloc]
+    external scalar_mult_base_c : out_point -> string -> unit = "mc_p256_scalar_mult_base" [@@noalloc]
+    external force_precomputation_c : unit -> unit = "mc_p256_force_precomputation" [@@noalloc]
   end
 
   module Foreign_n = struct
@@ -948,6 +914,8 @@ module P384 : Dh_dsa = struct
     external select_c : out_field_element -> bool -> field_element -> field_element -> unit = "mc_p384_select" [@@noalloc]
     external double_c : out_point -> point -> unit = "mc_p384_point_double" [@@noalloc]
     external add_c : out_point -> point -> point -> unit = "mc_p384_point_add" [@@noalloc]
+    external scalar_mult_base_c : out_point -> string -> unit = "mc_p384_scalar_mult_base" [@@noalloc]
+    external force_precomputation_c : unit -> unit = "mc_p384_force_precomputation" [@@noalloc]
   end
 
   module Foreign_n = struct
@@ -999,6 +967,8 @@ module P521 : Dh_dsa = struct
     external select_c : out_field_element -> bool -> field_element -> field_element -> unit = "mc_p521_select" [@@noalloc]
     external double_c : out_point -> point -> unit = "mc_p521_point_double" [@@noalloc]
     external add_c : out_point -> point -> point -> unit = "mc_p521_point_add" [@@noalloc]
+    external scalar_mult_base_c : out_point -> string -> unit = "mc_p521_scalar_mult_base" [@@noalloc]
+    external force_precomputation_c : unit -> unit = "mc_p521_force_precomputation" [@@noalloc]
   end
 
   module Foreign_n = struct

ec/mirage_crypto_ec.mli

@@ -129,6 +129,8 @@ module type Dsa = sig
     (** [generate ~key digest] deterministically takes the given private key
         and message digest to a [k] suitable for seeding the signing process. *)
   end
+
+  val force_precomputation : unit -> unit
 end
 
 (** Elliptic curve with Diffie-Hellman and DSA. *)

ec/native/p224_stubs.c

@@ -15,6 +15,12 @@
 #define LEN_PRIME 224
 #define CURVE_DESCRIPTION fiat_p224
 
+#define FE_LENGTH 28
+
+// Generator point, see https://neuromancer.sk/std/nist/P-224
+static uint8_t gb_x[FE_LENGTH] = {0xb7, 0xe, 0xc, 0xbd, 0x6b, 0xb4, 0xbf, 0x7f, 0x32, 0x13, 0x90, 0xb9, 0x4a, 0x3, 0xc1, 0xd3, 0x56, 0xc2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xd6, 0x11, 0x5c, 0x1d, 0x21};
+static uint8_t gb_y[FE_LENGTH] = {0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6, 0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x7, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99, 0x85, 0x0, 0x7e, 0x34};
+
 #include "inversion_template.h"
 #include "point_operations.h"
 
@@ -139,3 +145,20 @@ CAMLprim value mc_p224_select(value out, value bit, value t, value f)
 	);
 	CAMLreturn(Val_unit);
 }
+
+CAMLprim value mc_p224_scalar_mult_base(value out, value s)
+{
+    CAMLparam2(out, s);
+    scalar_mult_base(
+		(WORD *) Bytes_val(Field(out, 0)),
+		(WORD *) Bytes_val(Field(out, 1)),
+		(WORD *) Bytes_val(Field(out, 2)),
+        (uint8_t *) String_val(s),
+        caml_string_length(s)
+    );
+    CAMLreturn(Val_unit);
+}
+
+CAMLprim void mc_p224_force_precomputation(void) {
+    compute_generator_table();
+}

ec/native/p256_stubs.c

@@ -15,6 +15,12 @@
 #define LEN_PRIME 256
 #define CURVE_DESCRIPTION fiat_p256
 
+#define FE_LENGTH 32
+
+// Generator point, see https://neuromancer.sk/std/nist/P-256
+static uint8_t gb_x[FE_LENGTH] = {0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc, 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x3, 0x7d, 0x81, 0x2d, 0xeb, 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96};
+static uint8_t gb_y[FE_LENGTH] = {0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0xf, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5};
+
 #include "inversion_template.h"
 #include "point_operations.h"
 
@@ -139,3 +145,21 @@ CAMLprim value mc_p256_select(value out, value bit, value t, value f)
 	);
 	CAMLreturn(Val_unit);
 }
+
+
+CAMLprim value mc_p256_scalar_mult_base(value out, value s)
+{
+    CAMLparam2(out, s);
+    scalar_mult_base(
+		(WORD *) Bytes_val(Field(out, 0)),
+		(WORD *) Bytes_val(Field(out, 1)),
+		(WORD *) Bytes_val(Field(out, 2)),
+        (uint8_t *) String_val(s),
+        caml_string_length(s)
+    );
+    CAMLreturn(Val_unit);
+}
+
+CAMLprim void mc_p256_force_precomputation(void) {
+    compute_generator_table();
+}

ec/native/p384_stubs.c

@@ -15,6 +15,12 @@
 #define LEN_PRIME 384
 #define CURVE_DESCRIPTION fiat_p384
 
+#define FE_LENGTH 48
+
+// Generator point, see https://neuromancer.sk/std/nist/P-384
+static uint8_t gb_x[FE_LENGTH] = {0xaa, 0x87, 0xca, 0x22, 0xbe, 0x8b, 0x5, 0x37, 0x8e, 0xb1, 0xc7, 0x1e, 0xf3, 0x20, 0xad, 0x74, 0x6e, 0x1d, 0x3b, 0x62, 0x8b, 0xa7, 0x9b, 0x98, 0x59, 0xf7, 0x41, 0xe0, 0x82, 0x54, 0x2a, 0x38, 0x55, 0x2, 0xf2, 0x5d, 0xbf, 0x55, 0x29, 0x6c, 0x3a, 0x54, 0x5e, 0x38, 0x72, 0x76, 0xa, 0xb7};
+static uint8_t gb_y[FE_LENGTH] = {0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf, 0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c, 0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0xa, 0x60, 0xb1, 0xce, 0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0xe, 0x5f};
+
 #include "inversion_template.h"
 #include "point_operations.h"
 
@@ -139,3 +145,20 @@ CAMLprim value mc_p384_select(value out, value bit, value t, value f)
 	);
 	CAMLreturn(Val_unit);
 }
+
+CAMLprim value mc_p384_scalar_mult_base(value out, value s)
+{
+    CAMLparam2(out, s);
+    scalar_mult_base(
+		(WORD *) Bytes_val(Field(out, 0)),
+		(WORD *) Bytes_val(Field(out, 1)),
+		(WORD *) Bytes_val(Field(out, 2)),
+        (uint8_t *) String_val(s),
+        caml_string_length(s)
+    );
+    CAMLreturn(Val_unit);
+}
+
+CAMLprim void mc_p384_force_precomputation(void) {
+    compute_generator_table();
+}

ec/native/p521_stubs.c

@@ -15,6 +15,12 @@
 #define LEN_PRIME 521
 #define CURVE_DESCRIPTION fiat_p521
 
+#define FE_LENGTH 66
+
+// Generator point, see https://neuromancer.sk/std/nist/P-521
+static uint8_t gb_x[FE_LENGTH] = {0x0, 0xc6, 0x85, 0x8e, 0x6, 0xb7, 0x4, 0x4, 0xe9, 0xcd, 0x9e, 0x3e, 0xcb, 0x66, 0x23, 0x95, 0xb4, 0x42, 0x9c, 0x64, 0x81, 0x39, 0x5, 0x3f, 0xb5, 0x21, 0xf8, 0x28, 0xaf, 0x60, 0x6b, 0x4d, 0x3d, 0xba, 0xa1, 0x4b, 0x5e, 0x77, 0xef, 0xe7, 0x59, 0x28, 0xfe, 0x1d, 0xc1, 0x27, 0xa2, 0xff, 0xa8, 0xde, 0x33, 0x48, 0xb3, 0xc1, 0x85, 0x6a, 0x42, 0x9b, 0xf9, 0x7e, 0x7e, 0x31, 0xc2, 0xe5, 0xbd, 0x66};
+static uint8_t gb_y[FE_LENGTH] = {0x1, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x4, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x1, 0x3f, 0xad, 0x7, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50};
+
 #include "inversion_template.h"
 #include "point_operations.h"
 
@@ -139,3 +145,20 @@ CAMLprim value mc_p521_select(value out, value bit, value t, value f)
 	);
 	CAMLreturn(Val_unit);
 }
+
+CAMLprim value mc_p521_scalar_mult_base(value out, value s)
+{
+    CAMLparam2(out, s);
+    scalar_mult_base(
+		(WORD *) Bytes_val(Field(out, 0)),
+		(WORD *) Bytes_val(Field(out, 1)),
+		(WORD *) Bytes_val(Field(out, 2)),
+        (uint8_t *) String_val(s),
+        caml_string_length(s)
+    );
+    CAMLreturn(Val_unit);
+}
+
+CAMLprim void mc_p521_force_precomputation(void) {
+    compute_generator_table();
+}