crypto/ec/ec_cvt.c - third_party/openssl - Git at Google

 /*
  * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
  * in the file LICENSE in the source distribution or at
  * https://www.openssl.org/source/license.html
  */

 /*
  * ECDSA low level APIs are deprecated for public use, but still ok for
  * internal use.
  */
 #include "internal/deprecated.h"

 #include <openssl/err.h>
 #include "crypto/bn.h"
 #include "ec_local.h"

 EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a,
                                  const BIGNUM *b, BN_CTX *ctx)
 {
     const EC_METHOD *meth;
     EC_GROUP *ret;

 #if defined(OPENSSL_BN_ASM_MONT)
     /*
      * This might appear controversial, but the fact is that generic
      * prime method was observed to deliver better performance even
      * for NIST primes on a range of platforms, e.g.: 60%-15%
      * improvement on IA-64, ~25% on ARM, 30%-90% on P4, 20%-25%
      * in 32-bit build and 35%--12% in 64-bit build on Core2...
      * Coefficients are relative to optimized bn_nist.c for most
      * intensive ECDSA verify and ECDH operations for 192- and 521-
      * bit keys respectively. Choice of these boundary values is
      * arguable, because the dependency of improvement coefficient
      * from key length is not a "monotone" curve. For example while
      * 571-bit result is 23% on ARM, 384-bit one is -1%. But it's
      * generally faster, sometimes "respectfully" faster, sometimes
      * "tolerably" slower... What effectively happens is that loop
      * with bn_mul_add_words is put against bn_mul_mont, and the
      * latter "wins" on short vectors. Correct solution should be
      * implementing dedicated NxN multiplication subroutines for
      * small N. But till it materializes, let's stick to generic
      * prime method...
      *                                              <appro>
      */
     meth = EC_GFp_mont_method();
 #else
     if (BN_nist_mod_func(p))
         meth = EC_GFp_nist_method();
     else
         meth = EC_GFp_mont_method();
 #endif

     ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth);
     if (ret == NULL)
         return NULL;

     if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
         EC_GROUP_free(ret);
         return NULL;
     }

     return ret;
 }

 #ifndef OPENSSL_NO_EC2M
 EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a,
                                   const BIGNUM *b, BN_CTX *ctx)
 {
     const EC_METHOD *meth;
     EC_GROUP *ret;

     meth = EC_GF2m_simple_method();

     ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth);
     if (ret == NULL)
         return NULL;

     if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
         EC_GROUP_free(ret);
         return NULL;
     }

     return ret;
 }
 #endif
	/*
	* Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
	* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
	*
	* Licensed under the Apache License 2.0 (the "License"). You may not use
	* this file except in compliance with the License. You can obtain a copy
	* in the file LICENSE in the source distribution or at
	* https://www.openssl.org/source/license.html
	*/

	/*
	* ECDSA low level APIs are deprecated for public use, but still ok for
	* internal use.
	*/
	#include "internal/deprecated.h"

	#include <openssl/err.h>
	#include "crypto/bn.h"
	#include "ec_local.h"

	EC_GROUP EC_GROUP_new_curve_GFp(const BIGNUM p, const BIGNUM *a,
	const BIGNUM b, BN_CTX ctx)
	{
	const EC_METHOD *meth;
	EC_GROUP *ret;

	#if defined(OPENSSL_BN_ASM_MONT)
	/*
	* This might appear controversial, but the fact is that generic
	* prime method was observed to deliver better performance even
	* for NIST primes on a range of platforms, e.g.: 60%-15%
	* improvement on IA-64, ~25% on ARM, 30%-90% on P4, 20%-25%
	* in 32-bit build and 35%--12% in 64-bit build on Core2...
	* Coefficients are relative to optimized bn_nist.c for most
	* intensive ECDSA verify and ECDH operations for 192- and 521-
	* bit keys respectively. Choice of these boundary values is
	* arguable, because the dependency of improvement coefficient
	* from key length is not a "monotone" curve. For example while
	* 571-bit result is 23% on ARM, 384-bit one is -1%. But it's
	* generally faster, sometimes "respectfully" faster, sometimes
	* "tolerably" slower... What effectively happens is that loop
	* with bn_mul_add_words is put against bn_mul_mont, and the
	* latter "wins" on short vectors. Correct solution should be
	* implementing dedicated NxN multiplication subroutines for
	* small N. But till it materializes, let's stick to generic
	* prime method...
	* <appro>
	*/
	meth = EC_GFp_mont_method();
	#else
	if (BN_nist_mod_func(p))
	meth = EC_GFp_nist_method();
	else
	meth = EC_GFp_mont_method();
	#endif

	ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth);
	if (ret == NULL)
	return NULL;

	if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
	EC_GROUP_free(ret);
	return NULL;
	}

	return ret;
	}

	#ifndef OPENSSL_NO_EC2M
	EC_GROUP EC_GROUP_new_curve_GF2m(const BIGNUM p, const BIGNUM *a,
	const BIGNUM b, BN_CTX ctx)
	{
	const EC_METHOD *meth;
	EC_GROUP *ret;

	meth = EC_GF2m_simple_method();

	ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth);
	if (ret == NULL)
	return NULL;

	if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
	EC_GROUP_free(ret);
	return NULL;
	}

	return ret;
	}
	#endif