From: Thomas Pornin
Date: Sun, 15 Jan 2017 02:32:13 +0000 (+0100)
Subject: New basic implementation of Curve25519 (generic i15 code, experimental).
X-Git-Tag: v0.4~20
X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=commitdiff_plain;h=2f9c953af45299f8546df8984d5262e767a7d943
New basic implementation of Curve25519 (generic i15 code, experimental).
---
diff --git a/Makefile b/Makefile
index 4c627f5..ac5f241 100644
--- a/Makefile
+++ b/Makefile
@@ -47,7 +47,7 @@ TESTX509 = testx509 TESTMATH = testmath OBJCODEC = $(BUILD)/ccopy.o $(BUILD)/dec16be.o $(BUILD)/dec16le.o $(BUILD)/dec32be.o $(BUILD)/dec32le.o $(BUILD)/dec64be.o $(BUILD)/dec64le.o $(BUILD)/enc16be.o $(BUILD)/enc16le.o $(BUILD)/enc32be.o $(BUILD)/enc32le.o $(BUILD)/enc64be.o $(BUILD)/enc64le.o $(BUILD)/pemdec.o -OBJEC = $(BUILD)/ec_p256_i15.o $(BUILD)/ec_prime_i15.o $(BUILD)/ec_prime_i31.o $(BUILD)/ec_secp256r1.o $(BUILD)/ec_secp384r1.o $(BUILD)/ec_secp521r1.o $(BUILD)/ecdsa_atr.o $(BUILD)/ecdsa_i15_bits.o $(BUILD)/ecdsa_i15_sign_asn1.o $(BUILD)/ecdsa_i15_sign_raw.o $(BUILD)/ecdsa_i15_vrfy_asn1.o $(BUILD)/ecdsa_i15_vrfy_raw.o $(BUILD)/ecdsa_i31_bits.o $(BUILD)/ecdsa_i31_sign_asn1.o $(BUILD)/ecdsa_i31_sign_raw.o $(BUILD)/ecdsa_i31_vrfy_asn1.o $(BUILD)/ecdsa_i31_vrfy_raw.o $(BUILD)/ecdsa_rta.o +OBJEC = $(BUILD)/ec_c25519_i15.o $(BUILD)/ec_curve25519.o $(BUILD)/ec_p256_m15.o $(BUILD)/ec_prime_i15.o $(BUILD)/ec_prime_i31.o $(BUILD)/ec_secp256r1.o $(BUILD)/ec_secp384r1.o $(BUILD)/ec_secp521r1.o $(BUILD)/ecdsa_atr.o $(BUILD)/ecdsa_i15_bits.o $(BUILD)/ecdsa_i15_sign_asn1.o $(BUILD)/ecdsa_i15_sign_raw.o $(BUILD)/ecdsa_i15_vrfy_asn1.o $(BUILD)/ecdsa_i15_vrfy_raw.o $(BUILD)/ecdsa_i31_bits.o $(BUILD)/ecdsa_i31_sign_asn1.o $(BUILD)/ecdsa_i31_sign_raw.o $(BUILD)/ecdsa_i31_vrfy_asn1.o $(BUILD)/ecdsa_i31_vrfy_raw.o $(BUILD)/ecdsa_rta.o # $(BUILD)/ec_prime_i31_secp256r1.o $(BUILD)/ec_prime_i31_secp384r1.o $(BUILD)/ec_prime_i31_secp521r1.o OBJHASH = $(BUILD)/dig_oid.o $(BUILD)/dig_size.o $(BUILD)/ghash_ctmul.o $(BUILD)/ghash_ctmul32.o $(BUILD)/ghash_ctmul64.o $(BUILD)/md5.o $(BUILD)/md5sha1.o $(BUILD)/multihash.o $(BUILD)/sha1.o $(BUILD)/sha2big.o $(BUILD)/sha2small.o OBJINT15 = $(BUILD)/i15_core.o $(BUILD)/i15_ext1.o $(BUILD)/i15_ext2.o 
@@ -162,8 +162,14 @@ $(BUILD)/ec_g_secp384r1.o: src/ec/ec_g_secp384r1.c $(HEADERS)
 $(BUILD)/ec_g_secp521r1.o: src/ec/ec_g_secp521r1.c $(HEADERS)
 $(CC) $(CFLAGS) -c -o $(BUILD)/ec_g_secp521r1.o src/ec/ec_g_secp521r1.c
-$(BUILD)/ec_p256_i15.o: src/ec/ec_p256_i15.c $(HEADERS)
- $(CC) $(CFLAGS) -c -o $(BUILD)/ec_p256_i15.o src/ec/ec_p256_i15.c
+$(BUILD)/ec_c25519_i15.o: src/ec/ec_c25519_i15.c $(HEADERS)
+ $(CC) $(CFLAGS) -c -o $(BUILD)/ec_c25519_i15.o src/ec/ec_c25519_i15.c
+
+$(BUILD)/ec_curve25519.o: src/ec/ec_curve25519.c $(HEADERS)
+ $(CC) $(CFLAGS) -c -o $(BUILD)/ec_curve25519.o src/ec/ec_curve25519.c
+
+$(BUILD)/ec_p256_m15.o: src/ec/ec_p256_m15.c $(HEADERS)
+ $(CC) $(CFLAGS) -c -o $(BUILD)/ec_p256_m15.o src/ec/ec_p256_m15.c
 $(BUILD)/ec_prime_i15.o: src/ec/ec_prime_i15.c $(HEADERS)
 $(CC) $(CFLAGS) -c -o $(BUILD)/ec_prime_i15.o src/ec/ec_prime_i15.c
diff --git a/inc/bearssl_ec.h b/inc/bearssl_ec.h
index 908d532..2c84bad 100644
--- a/inc/bearssl_ec.h
+++ b/inc/bearssl_ec.h
@@ -218,6 +218,12 @@
 /** \brief Identifier for named curve brainpoolP512r1. */
 #define BR_EC_brainpoolP512r1 28
+/** \brief Identifier for named curve Curve25519. */
+#define BR_EC_curve25519 29
+
+/** \brief Identifier for named curve Curve448. */
+#define BR_EC_curve448 30
+
+/**
 * \brief Structure for an EC public key.
 */
@@ -411,7 +417,16 @@ extern const br_ec_impl br_ec_prime_i15;
 * reduction thanks to the field modulus special format. Only 32-bit
 * multiplications are used (with 32-bit results, not 64-bit).
 */
-extern const br_ec_impl br_ec_p256_i15;
+extern const br_ec_impl br_ec_p256_m15;
+
+/**
+ * \brief EC implementation "i15" (generic code) for Curve25519.
+ *
+ * This implementation uses the generic code for modular integers (with
+ * 15-bit words) to support Curve25519. The `muladd()` method is not
+ * implemented.
+ */
+extern const br_ec_impl br_ec_c25519_i15;
 /**
 * \brief Convert a signature from "raw" to "asn1".
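Review bot: The new doc comment on `br_ec_c25519_i15` in the second bearssl_ec.h hunk says nothing about the encoding its methods expect, although src/ec/ec_c25519_i15.c in this same commit accepts only a 32-byte point, treats it as a little-endian u coordinate (it byteswaps the buffer before handing it to the generic big-endian decoder) and has `muladd()` always return 0. A caller reading only this header has no way to know the point is not in the generic encoding, so I would extend the comment with ` * Points are the 32-byte little-endian u coordinate of RFC 7748; mul()` and ` * rejects any other length, and muladd() always returns 0.` Renaming the public `br_ec_p256_i15` to `br_ec_p256_m15` without leaving a compatibility alias also breaks existing callers of this header at compile time; that may be acceptable for an experimental tree, but the commit message does not mention it.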
diff --git a/src/ec/ec_c25519_i15.c b/src/ec/ec_c25519_i15.c
new file mode 100644
index 0000000..79560ae
--- /dev/null
+++ b/src/ec/ec_c25519_i15.c
@@ -0,0 +1,303 @@
+/*
+ * Copyright (c) 2017 Thomas Pornin
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include "inner.h"
+
+/*
+ * Parameters for the field:
+ * - field modulus p = 2^255-19
+ * - R^2 mod p (R = 2^(15k) for the smallest k such that R >= p)
+ */
+
+static const uint16_t C255_P[] = {
+ 0x0110,
+ 0x7FED, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF,
+ 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF, 0x7FFF,
+ 0x7FFF
+};
+
+#define P0I 0x4A1B
+
+static const uint16_t C255_R2[] = {
+ 0x0110,
+ 0x0169, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+ 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+ 0x0000
+};
+
+static const uint16_t C255_A24[] = {
+ 0x0110,
+ 0x45D3, 0x0046, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+ 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+ 0x0000
+};
+
+static const unsigned char GEN[] = {
+ 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+static const unsigned char ORDER[] = {
+ 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x14, 0xDE, 0xF9, 0xDE, 0xA2, 0xF7, 0x9C, 0xD6,
+ 0x58, 0x12, 0x63, 0x1A, 0x5C, 0xF5, 0xD3, 0xED
+};
+
+static const unsigned char *
+api_generator(int curve, size_t *len)
+{
+ (void)curve;
+ *len = 32;
+ return GEN;
+}
+
+static const unsigned char *
+api_order(int curve, size_t *len)
+{
+ (void)curve;
+ *len = 32;
+ return ORDER;
+}
+
+static void
+cswap(uint16_t *a, uint16_t *b, uint32_t ctl)
+{
+ int i;
+
+ ctl = -ctl;
+ for (i = 0; i < 18; i ++) {
+ uint32_t aw, bw, tw;
+
+ aw = a[i];
+ bw = b[i];
+ tw = ctl & (aw ^ bw);
+ a[i] = aw ^ tw;
+ b[i] = bw ^ tw;
+ }
+}
+
+static void
+c255_add(uint16_t *d, const uint16_t *a, const uint16_t *b)
+{
+ uint32_t ctl;
+ uint16_t t[18];
+
+ memcpy(t, a, sizeof t);
+ ctl = br_i15_add(t, b, 1);
+ ctl |= NOT(br_i15_sub(t, C255_P, 0));
+ br_i15_sub(t, C255_P, ctl);
+ memcpy(d, t, sizeof t);
+}
+
+static void
+c255_sub(uint16_t *d, const uint16_t *a, const uint16_t *b)
+{
+ uint16_t t[18];
+
+ memcpy(t, a, sizeof t);
+ br_i15_add(t, C255_P, br_i15_sub(t, b, 1));
+ memcpy(d, t, sizeof t);
+}
+
+static void
+c255_mul(uint16_t *d, const uint16_t *a, const uint16_t *b)
+{
+ uint16_t t[18];
+
+ br_i15_montymul(t, a, b, C255_P, P0I);
+ memcpy(d, t, sizeof t);
+}
+
+static void
+byteswap(unsigned char *G)
+{
+ int i;
+
+ for (i = 0; i < 16; i ++) {
+ unsigned char t;
+
+ t = G[i];
+ G[i] = G[31 - i];
+ G[31 - i] = t;
+ }
+}
+
+static uint32_t
+api_mul(unsigned char *G, size_t Glen,
+ const unsigned char *kb, size_t kblen, int curve)
+{
+ uint16_t x1[18], x2[18], x3[18], z2[18], z3[18];
+ uint16_t a[18], aa[18], b[18], bb[18];
+ uint16_t c[18], d[18], e[18], da[18], cb[18];
+ unsigned char k[32];
+ uint32_t swap;
+ int i;
+
+ (void)curve;
+
+ /*
+ * Points are encoded over exactly 32 bytes. Multipliers must fit
+ * in 32 bytes as well.
+ * RFC 7748 mandates that the high bit of the last point byte must
+ * be ignored/cleared.
+ */
+ if (Glen != 32 || kblen > 32) {
+ return 0;
+ }
+ G[31] &= 0x7F;
+
+ /*
+ * Byteswap the point encoding, because it uses little-endian, and
+ * the generic decoding routine uses big-endian.
+ */
+ byteswap(G);
+
+ /*
+ * Initialise variables x1, x2, z2, x3 and z3. We set all of them
+ * into Montgomery representation.
+ */
+ br_i15_decode_reduce(a, G, 32, C255_P);
+ br_i15_montymul(x1, a, C255_R2, C255_P, P0I);
+ memcpy(x3, x1, sizeof x1);
+ br_i15_zero(z2, C255_P[0]);
+ memcpy(x2, z2, sizeof z2);
+ x2[1] = 19;
+ memcpy(z3, x2, sizeof x2);
+
+ memcpy(k, kb, kblen);
+ memset(k + kblen, 0, (sizeof k) - kblen);
+ k[0] &= 0xF8;
+ k[31] &= 0x7F;
+ k[31] |= 0x40;
+
+ swap = 0;
+ for (i = 254; i >= 0; i --) {
+ uint32_t kt;
+
+ kt = (k[i >> 3] >> (i & 7)) & 1;
+ swap ^= kt;
+ cswap(x2, x3, swap);
+ cswap(z2, z3, swap);
+ swap = kt;
+
+ c255_add(a, x2, z2);
+ c255_mul(aa, a, a);
+ c255_sub(b, x2, z2);
+ c255_mul(bb, b, b);
+ c255_sub(e, aa, bb);
+ c255_add(c, x3, z3);
+ c255_sub(d, x3, z3);
+ c255_mul(da, d, a);
+ c255_mul(cb, c, b);
+ c255_add(x3, da, cb);
+ c255_mul(x3, x3, x3);
+ c255_sub(z3, da, cb);
+ c255_mul(z3, z3, z3);
+ c255_mul(z3, z3, x1);
+ c255_mul(x2, aa, bb);
+ c255_mul(z2, C255_A24, e);
+ c255_add(z2, z2, aa);
+ c255_mul(z2, e, z2);
+ }
+ cswap(x2, x3, swap);
+ cswap(z2, z3, swap);
+
+ /*
+ * Inverse z2 with a modular exponentiation. This is a simple
+ * square-and-multiply algorithm; we mutualise most non-squarings
+ * since the exponent contains almost only ones.
+ */
+ memcpy(a, z2, sizeof z2);
+ for (i = 0; i < 15; i ++) {
+ c255_mul(a, a, a);
+ c255_mul(a, a, z2);
+ }
+ memcpy(b, a, sizeof a);
+ for (i = 0; i < 14; i ++) {
+ int j;
+
+ for (j = 0; j < 16; j ++) {
+ c255_mul(b, b, b);
+ }
+ c255_mul(b, b, a);
+ }
+ for (i = 14; i >= 0; i --) {
+ c255_mul(b, b, b);
+ if ((0xFFEB >> i) & 1) {
+ c255_mul(b, z2, b);
+ }
+ }
+ c255_mul(x2, x2, b);
+ br_i15_from_monty(x2, C255_P, P0I);
+ br_i15_encode(G, 32, x2);
+ byteswap(G);
+ return 1;
+}
+
+static size_t
+api_mulgen(unsigned char *R,
+ const unsigned char *x, size_t xlen, int curve)
+{
+ const unsigned char *G;
+ size_t Glen;
+
+ G = api_generator(curve, &Glen);
+ memcpy(R, G, Glen);
+ api_mul(R, Glen, x, xlen, curve);
+ return Glen;
+}
+
+static uint32_t
+api_muladd(unsigned char *A, const unsigned char *B, size_t len,
+ const unsigned char *x, size_t xlen,
+ const unsigned char *y, size_t ylen, int curve)
+{
+ /*
+ * We don't implement this method, since it is used for ECDSA
+ * only, and there is no ECDSA over Curve25519 (which instead
+ * uses EdDSA).
+ */
+ (void)A;
+ (void)B;
+ (void)len;
+ (void)x;
+ (void)xlen;
+ (void)y;
+ (void)ylen;
+ (void)curve;
+ return 0;
+}
+
+/* see bearssl_ec.h */
+const br_ec_impl br_ec_c25519_i15 = {
+ (uint32_t)0x20000000,
+ &api_generator,
+ &api_order,
+ &api_mul,
+ &api_mulgen,
+ &api_muladd
+};
diff --git a/src/ec/ec_curve25519.c b/src/ec/ec_curve25519.c
new file mode 100644
index 0000000..de1a8f8
--- /dev/null
+++ b/src/ec/ec_curve25519.c
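Review bot: `api_mul` returns 1 unconditionally once the result has been encoded, so an all-zero output (what a low-order input point produces) is reported as success; RFC 7748 section 6.1 recommends rejecting such a result for key agreement, and the `mul()` return value is the natural place to do so. I would fold the encoded bytes into a `uint32_t r` declared alongside the other locals and return `NEQ(r, 0)` instead of `1`, as below. `api_mulgen` also discards `api_mul`'s result, so for `xlen > 32` it returns `Glen` with `R` still holding the unmodified generator; it should at least propagate the failure (`if (!api_mul(R, Glen, x, xlen, curve)) { return 0; }`), assuming a zero length is an acceptable error signal for `mulgen()` callers, which the part of the header in view does not say. Finally, the multiplier is consumed little-endian (`k[0] &= 0xF8`, bit i read from `k[i >> 3]`) and zero-padded at `k + kblen`, which is the RFC 7748 byte order; if the generic `br_ec_impl` contract treats the multiplier as a big-endian integer, as the byteswap of `G` suggests the point contract does, a multiplier shorter than 32 bytes or one prepared for another implementation is interpreted differently here, so the byte order should be documented or converted the way `G` is.
```c
	/* … unchanged: Montgomery ladder, inversion of z2, encoding of x2 … */
	byteswap(G);
	/*
	 * Reject an all-zero result (low-order input point), as
	 * recommended by RFC 7748 section 6.1; the fold is constant-time.
	 */
	r = 0;
	for (i = 0; i < 32; i ++) {
		r |= G[i];
	}
	return NEQ(r, 0);
```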
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2017 Thomas Pornin
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SO FTWARE.
+ */
+
+#include "inner.h"
+
+static const unsigned char GEN[] = {
+ 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+static const unsigned char ORDER[] = {
+ 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x14, 0xDE, 0xF9, 0xDE, 0xA2, 0xF7, 0x9C, 0xD6,
+ 0x58, 0x12, 0x63, 0x1A, 0x5C, 0xF5, 0xD3, 0xED
+};
+
+/* see inner.h */
+const br_ec_curve_def br_curve25519 = {
+ BR_EC_curve25519,
+ ORDER, sizeof ORDER,
+ GEN, sizeof GEN
+};
diff --git a/src/ec/ec_p256_i15.c b/src/ec/ec_p256_m15.c
similarity index 99%
rename from src/ec/ec_p256_i15.c
rename to src/ec/ec_p256_m15.c
index 68ab73a..99c7224 100644
--- a/src/ec/ec_p256_i15.c
+++ b/src/ec/ec_p256_m15.c
@@ -2075,7 +2075,7 @@ api_muladd(unsigned char *A, const unsigned char *B, size_t len,
 }
 /* see bearssl_ec.h */
-const br_ec_impl br_ec_p256_i15 = {
+const br_ec_impl br_ec_p256_m15 = {
 (uint32_t)0x00800000,
 &api_generator,
 &api_order,
diff --git a/src/inner.h b/src/inner.h
index fd764bc..9123a42 100644
--- a/src/inner.h
+++ b/src/inner.h
@@ -1456,6 +1456,8 @@ extern const br_ec_curve_def br_secp256r1;
 extern const br_ec_curve_def br_secp384r1;
 extern const br_ec_curve_def br_secp521r1;
+extern const br_ec_curve_def br_curve25519;
+
 #if 0 /* obsolete */
 /*
diff --git a/src/int/i15_core.c b/src/int/i15_core.c
index 5ae3b31..a33469a 100644
--- a/src/int/i15_core.c
+++ b/src/int/i15_core.c
@@ -263,7 +263,8 @@ br_i15_montymul(uint16_t *d, const uint16_t *x, const uint16_t *y,
 uint32_t f, xu, r, zh;
 xu = x[u + 1];
- f = MUL15(d[1] + MUL15(x[u + 1], y[1]), m0i) & 0x7FFF;
+ f = MUL15((d[1] + MUL15(x[u + 1], y[1])) & 0x7FFF, m0i)
+ & 0x7FFF;
 r = 0;
 for (v = 0; v < len4; v += 4) {
@@ -297,7 +298,7 @@ br_i15_montymul(uint16_t *d, const uint16_t *x, const uint16_t *y,
 zh = dh + r;
 d[len] = zh & 0x7FFF;
- dh = zh >> 31;
+ dh = zh >> 15;
 }
 /*
diff --git a/test/test_crypto.c b/test/test_crypto.c
index 69b6f7d..ddba9ac 100644
--- a/test/test_crypto.c
+++ b/test/test_crypto.c
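Review bot: The `& 0x7FFF` that the first i15_core.c hunk inserts inside the `MUL15()` argument looks redundant to a reader, because only the low 15 bits of `f` are kept by the outer mask anyway; it matters only if `MUL15()` requires 15-bit operands (the macro is not in view, but the name suggests so), and `d[1] + MUL15(x[u + 1], y[1])` can exceed 15 bits. A one-line comment above the statement would spare the next reader the same analysis: `/* Both MUL15() operands must fit in 15 bits; mask the sum first. */`. The `dh = zh >> 15` correction in the second hunk fixes the carry out of the top word, but neither fix comes with a direct test of `br_i15_montymul`; the only coverage this commit adds is indirect, through the new Curve25519 KAT in test/test_crypto.c. `br_i15_montymul` begins and ends outside both hunks.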
@@ -4912,12 +4912,60 @@ test_EC_prime_i31(void)
 }
 static void
-test_EC_p256_i15(void)
+test_EC_p256_m15(void)
 {
- test_EC_KAT("EC_p256_i15", &br_ec_p256_i15,
+ test_EC_KAT("EC_p256_m15", &br_ec_p256_m15,
 (uint32_t)1 << BR_EC_secp256r1);
 }
+const struct {
+ const char *scalar;
+ const char *u_in;
+ const char *u_out;
+} C25519_KAT[] = {
+ { "A546E36BF0527C9D3B16154B82465EDD62144C0AC1FC5A18506A2244BA449AC4",
+ "E6DB6867583030DB3594C1A424B15F7C726624EC26B3353B10A903A6D0AB1C4C",
+ "C3DA55379DE9C6908E94EA4DF28D084F32ECCF03491C71F754B4075577A28552" },
+ { "4B66E9D4D1B4673C5AD22691957D6AF5C11B6421E0EA01D42CA4169E7918BA0D",
+ "E5210F12786811D3F4B7959D0538AE2C31DBE7106FC03C3EFC4CD549C715A493",
+ "95CBDE9476E8907D7AADE45CB4B873F88B595A68799FA152E6F8F7647AAC7957" },
+ { 0, 0, 0 }
+};
+
+static void
+test_EC_c25519(const char *name, const br_ec_impl *iec)
+{
+ size_t v;
+
+ printf("Test %s: ", name);
+ fflush(stdout);
+ for (v = 0; C25519_KAT[v].scalar; v ++) {
+ unsigned char bu[32], bk[32], br[32];
+
+ hextobin(bk, C25519_KAT[v].scalar);
+ hextobin(bu, C25519_KAT[v].u_in);
+ hextobin(br, C25519_KAT[v].u_out);
+ if (!iec->mul(bu, sizeof bu, bk, sizeof bk, BR_EC_curve25519)) {
+ fprintf(stderr, "Curve25519 multiplication failed\n");
+ exit(EXIT_FAILURE);
+ }
+ if (memcmp(bu, br, sizeof bu) != 0) {
+ fprintf(stderr, "Curve25519 failed KAT\n");
+ exit(EXIT_FAILURE);
+ }
+ printf(".");
+ fflush(stdout);
+ }
+ printf(" done.\n");
+ fflush(stdout);
+}
+
+static void
+test_EC_c25519_i15(void)
+{
+ test_EC_c25519("EC_c25519_i15", &br_ec_c25519_i15);
+}
+
 static const unsigned char EC_P256_PUB_POINT[] = {
 0x04, 0x60, 0xFE, 0xD4, 0xBA, 0x25, 0x5A, 0x9D,
 0x31, 0xC9, 0x61, 0xEB, 0x74, 0xC6, 0x35, 0x6D,
@@ -5462,8 +5510,9 @@ static const struct {
 STU(GHASH_ctmul64),
 STU(EC_prime_i15),
 STU(EC_prime_i31),
- STU(EC_p256_i15),
+ STU(EC_p256_m15),
 /* STU(EC_prime_i32), */
+ STU(EC_c25519_i15),
 STU(ECDSA_i15),
 STU(ECDSA_i31),
 { 0, 0 }
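Review bot: `C25519_KAT` in the first hunk is defined at file scope without `static`, unlike the neighbouring `EC_P256_PUB_POINT` table, so it is exported from the object and could clash with any other definition of that name linked into the test binary; it should read `static const struct {`. The test also exercises only `mul()` with two full-length RFC 7748 vectors: `mulgen()` is never called, and neither the `Glen != 32` / `kblen > 32` rejection paths nor a multiplier shorter than 32 bytes are covered, even though `mulgen()` ignores the `mul()` result in this commit. A `mulgen()` call cross-checked against `mul()` on the base point, plus one call with a 33-byte multiplier expected to return 0, would pin both behaviours.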
diff --git a/test/test_speed.c b/test/test_speed.c
index 47fed91..48f5fe3 100644
--- a/test/test_speed.c
+++ b/test/test_speed.c
@@ -685,10 +685,10 @@ test_speed_ec_inner(const char *name,
 }
 static void
-test_speed_ec_p256_i15(void)
+test_speed_ec_p256_m15(void)
 {
- test_speed_ec_inner("EC i15/spec P-256",
- &br_ec_p256_i15, &br_secp256r1);
+ test_speed_ec_inner("EC m15 P-256",
+ &br_ec_p256_m15, &br_secp256r1);
 }
 static void
@@ -707,6 +707,13 @@ test_speed_ec_prime_i31(void)
 test_speed_ec_inner("EC i31 P-521", &br_ec_prime_i31, &br_secp521r1);
 }
+static void
+test_speed_ec_c25519_i15(void)
+{
+ test_speed_ec_inner("EC i15 C25519",
+ &br_ec_c25519_i15, &br_curve25519);
+}
+
 static void
 test_speed_ecdsa_inner(const char *name,
 const br_ec_impl *impl, const br_ec_curve_def *cd,
@@ -793,10 +800,10 @@ test_speed_ecdsa_inner(const char *name,
 }
 static void
-test_speed_ecdsa_p256_i15(void)
+test_speed_ecdsa_p256_m15(void)
 {
- test_speed_ecdsa_inner("ECDSA i15 P-256 (spec)",
- &br_ec_p256_i15, &br_secp256r1,
+ test_speed_ecdsa_inner("ECDSA m15 P-256",
+ &br_ec_p256_m15, &br_secp256r1,
 &br_ecdsa_i15_sign_asn1, &br_ecdsa_i15_vrfy_asn1);
 }
@@ -1245,10 +1252,11 @@ static const struct {
 STU(rsa_i15),
 STU(rsa_i31),
 STU(rsa_i32),
- STU(ec_p256_i15),
+ STU(ec_p256_m15),
 STU(ec_prime_i15),
 STU(ec_prime_i31),
- STU(ecdsa_p256_i15),
+ STU(ec_c25519_i15),
+ STU(ecdsa_p256_m15),
 STU(ecdsa_i15),
 STU(ecdsa_i31),