[crypto] Support direct reduction only for Montgomery constant R^2 mod N

The only remaining use case for direct reduction (outside of the unit tests) is in calculating the constant R^2 mod N used during Montgomery multiplication. The current implementation of direct reduction requires a writable copy of the modulus (to allow for shifting), and both the modulus and the result buffer must be padded to be large enough to hold (R^2 - N), which is twice the size of the actual values involved. For the special case of reducing R^2 mod N (or any power of two mod N), we can run the same algorithm without needing either a writable copy of the modulus or a padded result buffer. The working state required is only two bits larger than the result buffer, and these additional bits may be held in local variables instead. Rewrite bigint_reduce() to handle only this use case, and remove the no longer necessary uses of double-sized big integers. Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-21 18:30:56 +03:00 · 2025-02-13 13:35:45 +00:00
parent 5056e8ad93
commit 8e6b914c53
4 changed files with 247 additions and 259 deletions
--- a/src/tests/bigint_test.c
+++ b/src/tests/bigint_test.c
@@ -185,14 +185,14 @@ void bigint_multiply_sample ( const bigint_element_t *multiplicand0,
 	bigint_multiply ( multiplicand, multiplier, result );
 }

-void bigint_reduce_sample ( bigint_element_t *modulus0,
-			    bigint_element_t *value0, unsigned int size ) {
+void bigint_reduce_sample ( const bigint_element_t *modulus0,
+			    bigint_element_t *result0, unsigned int size ) {
+	const bigint_t ( size ) __attribute__ (( may_alias ))
+		*modulus = ( ( const void * ) modulus0 );
 	bigint_t ( size ) __attribute__ (( may_alias ))
-		*modulus = ( ( void * ) modulus0 );
-	bigint_t ( size ) __attribute__ (( may_alias ))
-		*value = ( ( void * ) value0 );
+		*result = ( ( void * ) result0 );

-	bigint_reduce ( modulus, value );
+	bigint_reduce ( modulus, result );
 }

 void bigint_mod_invert_sample ( const bigint_element_t *invertend0,
@@ -553,42 +553,35 @@ void bigint_mod_exp_sample ( const bigint_element_t *base0,
 	} while ( 0 )

 /**
- * Report result of big integer modular direct reduction test
+ * Report result of big integer modular direct reduction of R^2 test
 *
 * @v modulus		Big integer modulus
- * @v value		Big integer to be reduced
 * @v expected		Big integer expected result
 */
-#define bigint_reduce_ok( modulus, value, expected ) do {		\
+#define bigint_reduce_ok( modulus, expected ) do {			\
 	static const uint8_t modulus_raw[] = modulus;			\
-	static const uint8_t value_raw[] = value;			\
 	static const uint8_t expected_raw[] = expected;			\
 	uint8_t result_raw[ sizeof ( expected_raw ) ];			\
 	unsigned int size =						\
 		bigint_required_size ( sizeof ( modulus_raw ) );	\
 	bigint_t ( size ) modulus_temp;					\
-	bigint_t ( size ) value_temp;					\
+	bigint_t ( size ) result_temp;					\
 	{} /* Fix emacs alignment */					\
 									\
 	assert ( bigint_size ( &modulus_temp ) ==			\
-		 bigint_size ( &value_temp ) );				\
+		 bigint_size ( &result_temp ) );			\
+	assert ( sizeof ( result_temp ) == sizeof ( result_raw ) );	\
 	bigint_init ( &modulus_temp, modulus_raw,			\
 		      sizeof ( modulus_raw ) );				\
-	bigint_init ( &value_temp, value_raw, sizeof ( value_raw ) );	\
-	DBG ( "Modular reduce:\n" );					\
+	DBG ( "Modular reduce R^2:\n" );				\
 	DBG_HDA ( 0, &modulus_temp, sizeof ( modulus_temp ) );		\
-	DBG_HDA ( 0, &value_temp, sizeof ( value_temp ) );		\
-	bigint_reduce ( &modulus_temp, &value_temp );			\
-	DBG_HDA ( 0, &value_temp, sizeof ( value_temp ) );		\
-	bigint_done ( &value_temp, result_raw, sizeof ( result_raw ) );	\
+	bigint_reduce ( &modulus_temp, &result_temp );			\
+	DBG_HDA ( 0, &result_temp, sizeof ( result_temp ) );		\
+	bigint_done ( &result_temp, result_raw,				\
+		      sizeof ( result_raw ) );				\
 									\
 	ok ( memcmp ( result_raw, expected_raw,				\
 		      sizeof ( result_raw ) ) == 0 );			\
-									\
-	bigint_init ( &value_temp, modulus_raw,				\
-		      sizeof ( modulus_raw ) );				\
-	ok ( memcmp ( &modulus_temp, &value_temp,			\
-		      sizeof ( modulus_temp ) ) == 0 );			\
 	} while ( 0 )

 /**
@@ -1801,39 +1794,46 @@ static void bigint_test_exec ( void ) {
 				      0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 				      0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 				      0x00, 0x00, 0x00, 0x01 ) );
-	bigint_reduce_ok ( BIGINT ( 0xaf ),
-			   BIGINT ( 0x00 ),
-			   BIGINT ( 0x00 ) );
-	bigint_reduce_ok ( BIGINT ( 0xab ),
-			   BIGINT ( 0xab ),
-			   BIGINT ( 0x00 ) );
-	bigint_reduce_ok ( BIGINT ( 0xcc, 0x9d, 0xa0, 0x79, 0x96, 0x6a, 0x46,
-				    0xd5, 0xb4, 0x30, 0xd2, 0x2b, 0xbf ),
-			   BIGINT ( 0x1d, 0x97, 0x63, 0xc9, 0x97, 0xcd, 0x43,
-				    0xcb, 0x8e, 0x71, 0xac, 0x41, 0xdd ),
-			   BIGINT ( 0x1d, 0x97, 0x63, 0xc9, 0x97, 0xcd, 0x43,
-				    0xcb, 0x8e, 0x71, 0xac, 0x41, 0xdd ) );
-	bigint_reduce_ok ( BIGINT ( 0x21, 0xfa, 0x4f, 0xce, 0x0f, 0x0f, 0x4d,
-				    0x43, 0xaa, 0xad, 0x21, 0x30, 0xe5 ),
-			   BIGINT ( 0x21, 0xfa, 0x4f, 0xce, 0x0f, 0x0f, 0x4d,
-				    0x43, 0xaa, 0xad, 0x21, 0x30, 0xe5 ),
-			   BIGINT ( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-				    0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ) );
 	bigint_reduce_ok ( BIGINT ( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-				    0x00, 0x00, 0x00, 0xf3, 0x65, 0x35, 0x41,
-				    0x66, 0x65 ),
-			   BIGINT ( 0xf9, 0x78, 0x96, 0x39, 0xee, 0x98, 0x42,
-				    0x6a, 0xb8, 0x74, 0x0b, 0xe8, 0x5c, 0x76,
-				    0x34, 0xaf ),
+				    0x00 ),
 			   BIGINT ( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-				    0x00, 0x00, 0x00, 0xb3, 0x07, 0xe8, 0xb7,
-				    0x01, 0xf6 ) );
-	bigint_reduce_ok ( BIGINT ( 0x47, 0xaa, 0x88, 0x00, 0xd0, 0x30, 0x62,
-				    0xfb, 0x5d, 0x55 ),
-			   BIGINT ( 0xfe, 0x30, 0xe1, 0xc6, 0x65, 0x97, 0x48,
-				    0x2e, 0x94, 0xd4 ),
-			   BIGINT ( 0x27, 0x31, 0x49, 0xc3, 0xf5, 0x06, 0x1f,
-				    0x3c, 0x7c, 0xd5 ) );
+				    0x00 ) );
+	bigint_reduce_ok ( BIGINT ( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+				    0x01 ),
+			   BIGINT ( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+				    0x00 ) );
+	bigint_reduce_ok ( BIGINT ( 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
+				    0x00 ),
+			   BIGINT ( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+				    0x00 ) );
+	bigint_reduce_ok ( BIGINT ( 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+				    0x00 ),
+			   BIGINT ( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+				    0x00 ) );
+	bigint_reduce_ok ( BIGINT ( 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+				    0xff ),
+			   BIGINT ( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+				    0x01 ) );
+	bigint_reduce_ok ( BIGINT ( 0x39, 0x18, 0x47, 0xc9, 0xa2, 0x1d, 0x4b,
+				    0xa6 ),
+			   BIGINT ( 0x30, 0x9d, 0xcc, 0xac, 0xd6, 0xf9, 0x2f,
+				    0xa0 ) );
+	bigint_reduce_ok ( BIGINT ( 0x81, 0x96, 0xdb, 0x36, 0xa6, 0xb7, 0x41,
+				    0x45, 0x92, 0x37, 0x7d, 0x48, 0x1b, 0x2f,
+				    0x3c, 0xa6 ),
+			   BIGINT ( 0x4a, 0x68, 0x25, 0xf7, 0x2b, 0x72, 0x91,
+				    0x6e, 0x09, 0x83, 0xca, 0xf1, 0x45, 0x79,
+				    0x84, 0x18 ) );
+	bigint_reduce_ok ( BIGINT ( 0x84, 0x2d, 0xe4, 0x1c, 0xc3, 0x11, 0x4f,
+				    0xa0, 0x90, 0x4b, 0xa9, 0xa1, 0xdf, 0xed,
+				    0x4b, 0xe0, 0xb7, 0xfc, 0x5e, 0xd1, 0x91,
+				    0x59, 0x4d, 0xc2, 0xae, 0x2f, 0x46, 0x9e,
+				    0x32, 0x6e, 0xf4, 0x67 ),
+			   BIGINT ( 0x46, 0xdd, 0x36, 0x6c, 0x0b, 0xac, 0x3a,
+				    0x8f, 0x9a, 0x25, 0x90, 0xb2, 0x39, 0xe9,
+				    0xa4, 0x65, 0xc1, 0xd4, 0xc1, 0x99, 0x61,
+				    0x95, 0x47, 0xab, 0x4f, 0xd7, 0xad, 0xd4,
+				    0x3e, 0xe9, 0x9c, 0xfc ) );
 	bigint_mod_invert_ok ( BIGINT ( 0x01 ), BIGINT ( 0x01 ) );
 	bigint_mod_invert_ok ( BIGINT ( 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 					0xff, 0xff ),