grpc 1.24.0 → 1.25.0.pre1

data/third_party/boringssl/crypto/fipsmodule/ec/oct.c

@@ -74,22 +74,18 @@
 
 
 static size_t ec_GFp_simple_point2oct(const EC_GROUP *group,
-                                      const EC_POINT *point,
+                                      const EC_RAW_POINT *point,
                                       point_conversion_form_t form,
-                                      uint8_t *buf, size_t len, BN_CTX *ctx) {
-  size_t ret = 0;
-  BN_CTX *new_ctx = NULL;
-  int used_ctx = 0;
-
-  if ((form != POINT_CONVERSION_COMPRESSED) &&
-      (form != POINT_CONVERSION_UNCOMPRESSED)) {
+                                      uint8_t *buf, size_t len) {
+  if (form != POINT_CONVERSION_COMPRESSED &&
+      form != POINT_CONVERSION_UNCOMPRESSED) {
     OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FORM);
-    goto err;
+    return 0;
   }
 
-  if (EC_POINT_is_at_infinity(group, point)) {
+  if (ec_GFp_simple_is_at_infinity(group, point)) {
     OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
-    goto err;
+    return 0;
   }
 
   const size_t field_len = BN_num_bytes(&group->field);
@@ -103,64 +99,31 @@ static size_t ec_GFp_simple_point2oct(const EC_GROUP *group,
   if (buf != NULL) {
     if (len < output_len) {
       OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL);
-      goto err;
-    }
-
-    if (ctx == NULL) {
-      ctx = new_ctx = BN_CTX_new();
-      if (ctx == NULL) {
-        goto err;
-      }
+      return 0;
     }
 
-    BN_CTX_start(ctx);
-    used_ctx = 1;
-    BIGNUM *x = BN_CTX_get(ctx);
-    BIGNUM *y = BN_CTX_get(ctx);
-    if (y == NULL) {
-      goto err;
+    uint8_t y_buf[EC_MAX_BYTES];
+    size_t field_len_out;
+    if (!ec_point_get_affine_coordinate_bytes(
+            group, buf + 1 /* x */,
+            form == POINT_CONVERSION_COMPRESSED ? y_buf : buf + 1 + field_len,
+            &field_len_out, field_len, point)) {
+      return 0;
     }
 
-    if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) {
-      goto err;
+    if (field_len_out != field_len) {
+      OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
+      return 0;
     }
 
-    if ((form == POINT_CONVERSION_COMPRESSED) &&
-        BN_is_odd(y)) {
-      buf[0] = form + 1;
+    if (form == POINT_CONVERSION_COMPRESSED) {
+      buf[0] = form + (y_buf[field_len - 1] & 1);
     } else {
       buf[0] = form;
     }
-    size_t i = 1;
-
-    if (!BN_bn2bin_padded(buf + i, field_len, x)) {
-      OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
-      goto err;
-    }
-    i += field_len;
-
-    if (form == POINT_CONVERSION_UNCOMPRESSED) {
-      if (!BN_bn2bin_padded(buf + i, field_len, y)) {
-        OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
-        goto err;
-      }
-      i += field_len;
-    }
-
-    if (i != output_len) {
-      OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
-      goto err;
-    }
   }
 
-  ret = output_len;
-
-err:
-  if (used_ctx) {
-    BN_CTX_end(ctx);
-  }
-  BN_CTX_free(new_ctx);
-  return ret;
+  return output_len;
 }
 
 static int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
@@ -263,7 +226,7 @@ size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point,
     OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);
     return 0;
   }
-  return ec_GFp_simple_point2oct(group, point, form, buf, len, ctx);
+  return ec_GFp_simple_point2oct(group, &point->raw, form, buf, len);
 }
 
 int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group,

data/third_party/boringssl/crypto/fipsmodule/ec/p224-64.c

@@ -203,40 +203,65 @@ static void p224_felem_to_bin28(uint8_t out[28], const p224_felem in) {
   }
 }
 
-// To preserve endianness when using BN_bn2bin and BN_bin2bn
-static void p224_flip_endian(uint8_t *out, const uint8_t *in, size_t len) {
-  for (size_t i = 0; i < len; ++i) {
-    out[i] = in[len - 1 - i];
-  }
+static void p224_generic_to_felem(p224_felem out, const EC_FELEM *in) {
+  p224_bin28_to_felem(out, in->bytes);
 }
 
-// From OpenSSL BIGNUM to internal representation
-static int p224_BN_to_felem(p224_felem out, const BIGNUM *bn) {
-  // BN_bn2bin eats leading zeroes
-  p224_felem_bytearray b_out;
-  OPENSSL_memset(b_out, 0, sizeof(b_out));
-  size_t num_bytes = BN_num_bytes(bn);
-  if (num_bytes > sizeof(b_out) ||
-      BN_is_negative(bn)) {
-    OPENSSL_PUT_ERROR(EC, EC_R_BIGNUM_OUT_OF_RANGE);
-    return 0;
-  }
+// Requires 0 <= in < 2*p (always call p224_felem_reduce first)
+static void p224_felem_to_generic(EC_FELEM *out, const p224_felem in) {
+  // Reduce to unique minimal representation.
+  static const int64_t two56 = ((p224_limb)1) << 56;
+  // 0 <= in < 2*p, p = 2^224 - 2^96 + 1
+  // if in > p , reduce in = in - 2^224 + 2^96 - 1
+  int64_t tmp[4], a;
+  tmp[0] = in[0];
+  tmp[1] = in[1];
+  tmp[2] = in[2];
+  tmp[3] = in[3];
+  // Case 1: a = 1 iff in >= 2^224
+  a = (in[3] >> 56);
+  tmp[0] -= a;
+  tmp[1] += a << 40;
+  tmp[3] &= 0x00ffffffffffffff;
+  // Case 2: a = 0 iff p <= in < 2^224, i.e., the high 128 bits are all 1 and
+  // the lower part is non-zero
+  a = ((in[3] & in[2] & (in[1] | 0x000000ffffffffff)) + 1) |
+      (((int64_t)(in[0] + (in[1] & 0x000000ffffffffff)) - 1) >> 63);
+  a &= 0x00ffffffffffffff;
+  // turn a into an all-one mask (if a = 0) or an all-zero mask
+  a = (a - 1) >> 63;
+  // subtract 2^224 - 2^96 + 1 if a is all-one
+  tmp[3] &= a ^ 0xffffffffffffffff;
+  tmp[2] &= a ^ 0xffffffffffffffff;
+  tmp[1] &= (a ^ 0xffffffffffffffff) | 0x000000ffffffffff;
+  tmp[0] -= 1 & a;
 
-  p224_felem_bytearray b_in;
-  num_bytes = BN_bn2bin(bn, b_in);
-  p224_flip_endian(b_out, b_in, num_bytes);
-  p224_bin28_to_felem(out, b_out);
-  return 1;
-}
+  // eliminate negative coefficients: if tmp[0] is negative, tmp[1] must
+  // be non-zero, so we only need one step
+  a = tmp[0] >> 63;
+  tmp[0] += two56 & a;
+  tmp[1] -= 1 & a;
 
-// From internal representation to OpenSSL BIGNUM
-static BIGNUM *p224_felem_to_BN(BIGNUM *out, const p224_felem in) {
-  p224_felem_bytearray b_in, b_out;
-  p224_felem_to_bin28(b_in, in);
-  p224_flip_endian(b_out, b_in, sizeof(b_out));
-  return BN_bin2bn(b_out, sizeof(b_out), out);
+  // carry 1 -> 2 -> 3
+  tmp[2] += tmp[1] >> 56;
+  tmp[1] &= 0x00ffffffffffffff;
+
+  tmp[3] += tmp[2] >> 56;
+  tmp[2] &= 0x00ffffffffffffff;
+
+  // Now 0 <= tmp < p
+  p224_felem tmp2;
+  tmp2[0] = tmp[0];
+  tmp2[1] = tmp[1];
+  tmp2[2] = tmp[2];
+  tmp2[3] = tmp[3];
+
+  p224_felem_to_bin28(out->bytes, tmp2);
+  // 224 is not a multiple of 64, so zero the remaining bytes.
+  OPENSSL_memset(out->bytes + 28, 0, 32 - 28);
 }
 
+
 // Field operations, using the internal representation of field elements.
 // NB! These operations are specific to our point multiplication and cannot be
 // expected to be correct in general - e.g., multiplication with a large scalar
@@ -447,55 +472,6 @@ static void p224_felem_reduce(p224_felem out, const p224_widefelem in) {
   out[3] = output[3];
 }
 
-// Reduce to unique minimal representation.
-// Requires 0 <= in < 2*p (always call p224_felem_reduce first)
-static void p224_felem_contract(p224_felem out, const p224_felem in) {
-  static const int64_t two56 = ((p224_limb)1) << 56;
-  // 0 <= in < 2*p, p = 2^224 - 2^96 + 1
-  // if in > p , reduce in = in - 2^224 + 2^96 - 1
-  int64_t tmp[4], a;
-  tmp[0] = in[0];
-  tmp[1] = in[1];
-  tmp[2] = in[2];
-  tmp[3] = in[3];
-  // Case 1: a = 1 iff in >= 2^224
-  a = (in[3] >> 56);
-  tmp[0] -= a;
-  tmp[1] += a << 40;
-  tmp[3] &= 0x00ffffffffffffff;
-  // Case 2: a = 0 iff p <= in < 2^224, i.e., the high 128 bits are all 1 and
-  // the lower part is non-zero
-  a = ((in[3] & in[2] & (in[1] | 0x000000ffffffffff)) + 1) |
-      (((int64_t)(in[0] + (in[1] & 0x000000ffffffffff)) - 1) >> 63);
-  a &= 0x00ffffffffffffff;
-  // turn a into an all-one mask (if a = 0) or an all-zero mask
-  a = (a - 1) >> 63;
-  // subtract 2^224 - 2^96 + 1 if a is all-one
-  tmp[3] &= a ^ 0xffffffffffffffff;
-  tmp[2] &= a ^ 0xffffffffffffffff;
-  tmp[1] &= (a ^ 0xffffffffffffffff) | 0x000000ffffffffff;
-  tmp[0] -= 1 & a;
-
-  // eliminate negative coefficients: if tmp[0] is negative, tmp[1] must
-  // be non-zero, so we only need one step
-  a = tmp[0] >> 63;
-  tmp[0] += two56 & a;
-  tmp[1] -= 1 & a;
-
-  // carry 1 -> 2 -> 3
-  tmp[2] += tmp[1] >> 56;
-  tmp[1] &= 0x00ffffffffffffff;
-
-  tmp[3] += tmp[2] >> 56;
-  tmp[2] &= 0x00ffffffffffffff;
-
-  // Now 0 <= out < p
-  out[0] = tmp[0];
-  out[1] = tmp[1];
-  out[2] = tmp[2];
-  out[3] = tmp[3];
-}
-
 // Get negative value: out = -in
 // Requires in[i] < 2^63,
 // ensures out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, out[3] <= 2^56 + 2^16
@@ -782,7 +758,9 @@ static void p224_point_add(p224_felem x3, p224_felem y3, p224_felem z3,
   z1_is_zero = p224_felem_is_zero(z1);
   z2_is_zero = p224_felem_is_zero(z2);
   // In affine coordinates, (X_1, Y_1) == (X_2, Y_2)
-  if (x_equal && y_equal && !z1_is_zero && !z2_is_zero) {
+  p224_limb is_nontrivial_double =
+      x_equal & y_equal & (1 - z1_is_zero) & (1 - z2_is_zero);
+  if (is_nontrivial_double) {
     p224_point_double(x3, y3, z3, x1, y1, z1);
     return;
   }
@@ -895,196 +873,295 @@ static char p224_get_bit(const p224_felem_bytearray in, size_t i) {
   return (in[i >> 3] >> (i & 7)) & 1;
 }
 
-// Interleaved point multiplication using precomputed point multiples:
-// The small point multiples 0*P, 1*P, ..., 16*P are in p_pre_comp, the scalars
-// in p_scalar, if non-NULL. If g_scalar is non-NULL, we also add this multiple
-// of the generator, using certain (large) precomputed multiples in
-// g_p224_pre_comp. Output point (X, Y, Z) is stored in x_out, y_out, z_out
-static void p224_batch_mul(p224_felem x_out, p224_felem y_out, p224_felem z_out,
-                           const uint8_t *p_scalar, const uint8_t *g_scalar,
-                           const p224_felem p_pre_comp[17][3]) {
-  p224_felem nq[3], tmp[4];
-  uint64_t bits;
-  uint8_t sign, digit;
+// Takes the Jacobian coordinates (X, Y, Z) of a point and returns
+// (X', Y') = (X/Z^2, Y/Z^3)
+static int ec_GFp_nistp224_point_get_affine_coordinates(
+    const EC_GROUP *group, const EC_RAW_POINT *point, EC_FELEM *x,
+    EC_FELEM *y) {
+  if (ec_GFp_simple_is_at_infinity(group, point)) {
+    OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
+    return 0;
+  }
 
-  // set nq to the point at infinity
-  OPENSSL_memset(nq, 0, 3 * sizeof(p224_felem));
+  p224_felem z1, z2;
+  p224_widefelem tmp;
+  p224_generic_to_felem(z1, &point->Z);
+  p224_felem_inv(z2, z1);
+  p224_felem_square(tmp, z2);
+  p224_felem_reduce(z1, tmp);
 
-  // Loop over both scalars msb-to-lsb, interleaving additions of multiples of
-  // the generator (two in each of the last 28 rounds) and additions of p (every
-  // 5th round).
-  int skip = 1;  // save two point operations in the first round
-  size_t i = p_scalar != NULL ? 220 : 27;
-  for (;;) {
-    // double
-    if (!skip) {
-      p224_point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
+  if (x != NULL) {
+    p224_felem x_in, x_out;
+    p224_generic_to_felem(x_in, &point->X);
+    p224_felem_mul(tmp, x_in, z1);
+    p224_felem_reduce(x_out, tmp);
+    p224_felem_to_generic(x, x_out);
+  }
+
+  if (y != NULL) {
+    p224_felem y_in, y_out;
+    p224_generic_to_felem(y_in, &point->Y);
+    p224_felem_mul(tmp, z1, z2);
+    p224_felem_reduce(z1, tmp);
+    p224_felem_mul(tmp, y_in, z1);
+    p224_felem_reduce(y_out, tmp);
+    p224_felem_to_generic(y, y_out);
+  }
+
+  return 1;
+}
+
+static void ec_GFp_nistp224_add(const EC_GROUP *group, EC_RAW_POINT *r,
+                                const EC_RAW_POINT *a, const EC_RAW_POINT *b) {
+  p224_felem x1, y1, z1, x2, y2, z2;
+  p224_generic_to_felem(x1, &a->X);
+  p224_generic_to_felem(y1, &a->Y);
+  p224_generic_to_felem(z1, &a->Z);
+  p224_generic_to_felem(x2, &b->X);
+  p224_generic_to_felem(y2, &b->Y);
+  p224_generic_to_felem(z2, &b->Z);
+  p224_point_add(x1, y1, z1, x1, y1, z1, 0 /* both Jacobian */, x2, y2, z2);
+  // The outputs are already reduced, but still need to be contracted.
+  p224_felem_to_generic(&r->X, x1);
+  p224_felem_to_generic(&r->Y, y1);
+  p224_felem_to_generic(&r->Z, z1);
+}
+
+static void ec_GFp_nistp224_dbl(const EC_GROUP *group, EC_RAW_POINT *r,
+                                const EC_RAW_POINT *a) {
+  p224_felem x, y, z;
+  p224_generic_to_felem(x, &a->X);
+  p224_generic_to_felem(y, &a->Y);
+  p224_generic_to_felem(z, &a->Z);
+  p224_point_double(x, y, z, x, y, z);
+  // The outputs are already reduced, but still need to be contracted.
+  p224_felem_to_generic(&r->X, x);
+  p224_felem_to_generic(&r->Y, y);
+  p224_felem_to_generic(&r->Z, z);
+}
+
+static void ec_GFp_nistp224_make_precomp(p224_felem out[17][3],
+                                         const EC_RAW_POINT *p) {
+  OPENSSL_memset(out[0], 0, sizeof(p224_felem) * 3);
+
+  p224_generic_to_felem(out[1][0], &p->X);
+  p224_generic_to_felem(out[1][1], &p->Y);
+  p224_generic_to_felem(out[1][2], &p->Z);
+
+  for (size_t j = 2; j <= 16; ++j) {
+    if (j & 1) {
+      p224_point_add(out[j][0], out[j][1], out[j][2], out[1][0], out[1][1],
+                     out[1][2], 0, out[j - 1][0], out[j - 1][1], out[j - 1][2]);
+    } else {
+      p224_point_double(out[j][0], out[j][1], out[j][2], out[j / 2][0],
+                        out[j / 2][1], out[j / 2][2]);
     }
+  }
+}
 
-    // add multiples of the generator
-    if (g_scalar != NULL && i <= 27) {
-      // first, look 28 bits upwards
-      bits = p224_get_bit(g_scalar, i + 196) << 3;
-      bits |= p224_get_bit(g_scalar, i + 140) << 2;
-      bits |= p224_get_bit(g_scalar, i + 84) << 1;
-      bits |= p224_get_bit(g_scalar, i + 28);
-      // select the point to add, in constant time
-      p224_select_point(bits, 16, g_p224_pre_comp[1], tmp);
+static void ec_GFp_nistp224_point_mul(const EC_GROUP *group, EC_RAW_POINT *r,
+                                      const EC_RAW_POINT *p,
+                                      const EC_SCALAR *scalar) {
+  p224_felem p_pre_comp[17][3];
+  ec_GFp_nistp224_make_precomp(p_pre_comp, p);
 
-      if (!skip) {
-        p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */,
-                  tmp[0], tmp[1], tmp[2]);
-      } else {
-        OPENSSL_memcpy(nq, tmp, 3 * sizeof(p224_felem));
-        skip = 0;
-      }
+  // Set nq to the point at infinity.
+  p224_felem nq[3], tmp[4];
+  OPENSSL_memset(nq, 0, 3 * sizeof(p224_felem));
 
-      // second, look at the current position
-      bits = p224_get_bit(g_scalar, i + 168) << 3;
-      bits |= p224_get_bit(g_scalar, i + 112) << 2;
-      bits |= p224_get_bit(g_scalar, i + 56) << 1;
-      bits |= p224_get_bit(g_scalar, i);
-      // select the point to add, in constant time
-      p224_select_point(bits, 16, g_p224_pre_comp[0], tmp);
-      p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */,
-                     tmp[0], tmp[1], tmp[2]);
+  int skip = 1;  // Save two point operations in the first round.
+  for (size_t i = 220; i < 221; i--) {
+    if (!skip) {
+      p224_point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
     }
 
-    // do other additions every 5 doublings
-    if (p_scalar != NULL && i % 5 == 0) {
-      bits = p224_get_bit(p_scalar, i + 4) << 5;
-      bits |= p224_get_bit(p_scalar, i + 3) << 4;
-      bits |= p224_get_bit(p_scalar, i + 2) << 3;
-      bits |= p224_get_bit(p_scalar, i + 1) << 2;
-      bits |= p224_get_bit(p_scalar, i) << 1;
-      bits |= p224_get_bit(p_scalar, i - 1);
+    // Add every 5 doublings.
+    if (i % 5 == 0) {
+      uint64_t bits = p224_get_bit(scalar->bytes, i + 4) << 5;
+      bits |= p224_get_bit(scalar->bytes, i + 3) << 4;
+      bits |= p224_get_bit(scalar->bytes, i + 2) << 3;
+      bits |= p224_get_bit(scalar->bytes, i + 1) << 2;
+      bits |= p224_get_bit(scalar->bytes, i) << 1;
+      bits |= p224_get_bit(scalar->bytes, i - 1);
+      uint8_t sign, digit;
       ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
 
-      // select the point to add or subtract
-      p224_select_point(digit, 17, p_pre_comp, tmp);
+      // Select the point to add or subtract.
+      p224_select_point(digit, 17, (const p224_felem(*)[3])p_pre_comp, tmp);
       p224_felem_neg(tmp[3], tmp[1]);  // (X, -Y, Z) is the negative point
       p224_copy_conditional(tmp[1], tmp[3], sign);
 
       if (!skip) {
         p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 0 /* mixed */,
-                  tmp[0], tmp[1], tmp[2]);
+                       tmp[0], tmp[1], tmp[2]);
       } else {
         OPENSSL_memcpy(nq, tmp, 3 * sizeof(p224_felem));
         skip = 0;
       }
     }
-
-    if (i == 0) {
-      break;
-    }
-    --i;
   }
-  p224_felem_assign(x_out, nq[0]);
-  p224_felem_assign(y_out, nq[1]);
-  p224_felem_assign(z_out, nq[2]);
-}
 
-// Takes the Jacobian coordinates (X, Y, Z) of a point and returns
-// (X', Y') = (X/Z^2, Y/Z^3)
-static int ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group,
-                                                        const EC_POINT *point,
-                                                        BIGNUM *x, BIGNUM *y,
-                                                        BN_CTX *ctx) {
-  p224_felem z1, z2, x_in, y_in, x_out, y_out;
-  p224_widefelem tmp;
+  // Reduce the output to its unique minimal representation.
+  p224_felem_to_generic(&r->X, nq[0]);
+  p224_felem_to_generic(&r->Y, nq[1]);
+  p224_felem_to_generic(&r->Z, nq[2]);
+}
 
-  if (EC_POINT_is_at_infinity(group, point)) {
-    OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
-    return 0;
-  }
+static void ec_GFp_nistp224_point_mul_base(const EC_GROUP *group,
+                                           EC_RAW_POINT *r,
+                                           const EC_SCALAR *scalar) {
+  // Set nq to the point at infinity.
+  p224_felem nq[3], tmp[3];
+  OPENSSL_memset(nq, 0, 3 * sizeof(p224_felem));
 
-  if (!p224_BN_to_felem(x_in, &point->X) ||
-      !p224_BN_to_felem(y_in, &point->Y) ||
-      !p224_BN_to_felem(z1, &point->Z)) {
-    return 0;
-  }
+  int skip = 1;  // Save two point operations in the first round.
+  for (size_t i = 27; i < 28; i--) {
+    // double
+    if (!skip) {
+      p224_point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
+    }
 
-  p224_felem_inv(z2, z1);
-  p224_felem_square(tmp, z2);
-  p224_felem_reduce(z1, tmp);
+    // First, look 28 bits upwards.
+    uint64_t bits = p224_get_bit(scalar->bytes, i + 196) << 3;
+    bits |= p224_get_bit(scalar->bytes, i + 140) << 2;
+    bits |= p224_get_bit(scalar->bytes, i + 84) << 1;
+    bits |= p224_get_bit(scalar->bytes, i + 28);
+    // Select the point to add, in constant time.
+    p224_select_point(bits, 16, g_p224_pre_comp[1], tmp);
 
-  if (x != NULL) {
-    p224_felem_mul(tmp, x_in, z1);
-    p224_felem_reduce(x_in, tmp);
-    p224_felem_contract(x_out, x_in);
-    if (!p224_felem_to_BN(x, x_out)) {
-      OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
-      return 0;
+    if (!skip) {
+      p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */,
+                     tmp[0], tmp[1], tmp[2]);
+    } else {
+      OPENSSL_memcpy(nq, tmp, 3 * sizeof(p224_felem));
+      skip = 0;
     }
-  }
 
-  if (y != NULL) {
-    p224_felem_mul(tmp, z1, z2);
-    p224_felem_reduce(z1, tmp);
-    p224_felem_mul(tmp, y_in, z1);
-    p224_felem_reduce(y_in, tmp);
-    p224_felem_contract(y_out, y_in);
-    if (!p224_felem_to_BN(y, y_out)) {
-      OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
-      return 0;
-    }
+    // Second, look at the current position/
+    bits = p224_get_bit(scalar->bytes, i + 168) << 3;
+    bits |= p224_get_bit(scalar->bytes, i + 112) << 2;
+    bits |= p224_get_bit(scalar->bytes, i + 56) << 1;
+    bits |= p224_get_bit(scalar->bytes, i);
+    // Select the point to add, in constant time.
+    p224_select_point(bits, 16, g_p224_pre_comp[0], tmp);
+    p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */,
+                   tmp[0], tmp[1], tmp[2]);
   }
 
-  return 1;
+  // Reduce the output to its unique minimal representation.
+  p224_felem_to_generic(&r->X, nq[0]);
+  p224_felem_to_generic(&r->Y, nq[1]);
+  p224_felem_to_generic(&r->Z, nq[2]);
 }
 
-static int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
-                                      const EC_SCALAR *g_scalar,
-                                      const EC_POINT *p,
-                                      const EC_SCALAR *p_scalar, BN_CTX *ctx) {
+static void ec_GFp_nistp224_point_mul_public(const EC_GROUP *group,
+                                             EC_RAW_POINT *r,
+                                             const EC_SCALAR *g_scalar,
+                                             const EC_RAW_POINT *p,
+                                             const EC_SCALAR *p_scalar) {
+  // TODO(davidben): If P-224 ECDSA verify performance ever matters, using
+  // |ec_compute_wNAF| for |p_scalar| would likely be an easy improvement.
   p224_felem p_pre_comp[17][3];
-  p224_felem x_in, y_in, z_in, x_out, y_out, z_out;
-
-  if (p != NULL && p_scalar != NULL) {
-    // We treat NULL scalars as 0, and NULL points as points at infinity, i.e.,
-    // they contribute nothing to the linear combination.
-    OPENSSL_memset(&p_pre_comp, 0, sizeof(p_pre_comp));
-    // precompute multiples
-    if (!p224_BN_to_felem(x_out, &p->X) ||
-        !p224_BN_to_felem(y_out, &p->Y) ||
-        !p224_BN_to_felem(z_out, &p->Z)) {
-      return 0;
+  ec_GFp_nistp224_make_precomp(p_pre_comp, p);
+
+  // Set nq to the point at infinity.
+  p224_felem nq[3], tmp[3];
+  OPENSSL_memset(nq, 0, 3 * sizeof(p224_felem));
+
+  // Loop over both scalars msb-to-lsb, interleaving additions of multiples of
+  // the generator (two in each of the last 28 rounds) and additions of p (every
+  // 5th round).
+  int skip = 1;  // Save two point operations in the first round.
+  for (size_t i = 220; i < 221; i--) {
+    if (!skip) {
+      p224_point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
     }
 
-    p224_felem_assign(p_pre_comp[1][0], x_out);
-    p224_felem_assign(p_pre_comp[1][1], y_out);
-    p224_felem_assign(p_pre_comp[1][2], z_out);
+    // Add multiples of the generator.
+    if (i <= 27) {
+      // First, look 28 bits upwards.
+      uint64_t bits = p224_get_bit(g_scalar->bytes, i + 196) << 3;
+      bits |= p224_get_bit(g_scalar->bytes, i + 140) << 2;
+      bits |= p224_get_bit(g_scalar->bytes, i + 84) << 1;
+      bits |= p224_get_bit(g_scalar->bytes, i + 28);
 
-    for (size_t j = 2; j <= 16; ++j) {
-      if (j & 1) {
-        p224_point_add(p_pre_comp[j][0], p_pre_comp[j][1], p_pre_comp[j][2],
-                  p_pre_comp[1][0], p_pre_comp[1][1], p_pre_comp[1][2],
-                  0, p_pre_comp[j - 1][0], p_pre_comp[j - 1][1],
-                  p_pre_comp[j - 1][2]);
+      p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */,
+                     g_p224_pre_comp[1][bits][0], g_p224_pre_comp[1][bits][1],
+                     g_p224_pre_comp[1][bits][2]);
+      assert(!skip);
+
+      // Second, look at the current position.
+      bits = p224_get_bit(g_scalar->bytes, i + 168) << 3;
+      bits |= p224_get_bit(g_scalar->bytes, i + 112) << 2;
+      bits |= p224_get_bit(g_scalar->bytes, i + 56) << 1;
+      bits |= p224_get_bit(g_scalar->bytes, i);
+      p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */,
+                     g_p224_pre_comp[0][bits][0], g_p224_pre_comp[0][bits][1],
+                     g_p224_pre_comp[0][bits][2]);
+    }
+
+    // Incorporate |p_scalar| every 5 doublings.
+    if (i % 5 == 0) {
+      uint64_t bits = p224_get_bit(p_scalar->bytes, i + 4) << 5;
+      bits |= p224_get_bit(p_scalar->bytes, i + 3) << 4;
+      bits |= p224_get_bit(p_scalar->bytes, i + 2) << 3;
+      bits |= p224_get_bit(p_scalar->bytes, i + 1) << 2;
+      bits |= p224_get_bit(p_scalar->bytes, i) << 1;
+      bits |= p224_get_bit(p_scalar->bytes, i - 1);
+      uint8_t sign, digit;
+      ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
+
+      // Select the point to add or subtract.
+      OPENSSL_memcpy(tmp, p_pre_comp[digit], 3 * sizeof(p224_felem));
+      if (sign) {
+        p224_felem_neg(tmp[1], tmp[1]);  // (X, -Y, Z) is the negative point
+      }
+
+      if (!skip) {
+        p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 0 /* mixed */,
+                       tmp[0], tmp[1], tmp[2]);
       } else {
-        p224_point_double(p_pre_comp[j][0], p_pre_comp[j][1],
-                     p_pre_comp[j][2], p_pre_comp[j / 2][0],
-                     p_pre_comp[j / 2][1], p_pre_comp[j / 2][2]);
+        OPENSSL_memcpy(nq, tmp, 3 * sizeof(p224_felem));
+        skip = 0;
       }
     }
   }
 
-  p224_batch_mul(x_out, y_out, z_out,
-                 (p != NULL && p_scalar != NULL) ? p_scalar->bytes : NULL,
-                 g_scalar != NULL ? g_scalar->bytes : NULL,
-                 (const p224_felem(*)[3])p_pre_comp);
-
-  // reduce the output to its unique minimal representation
-  p224_felem_contract(x_in, x_out);
-  p224_felem_contract(y_in, y_out);
-  p224_felem_contract(z_in, z_out);
-  if (!p224_felem_to_BN(&r->X, x_in) ||
-      !p224_felem_to_BN(&r->Y, y_in) ||
-      !p224_felem_to_BN(&r->Z, z_in)) {
-    OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
-    return 0;
-  }
-  return 1;
+  // Reduce the output to its unique minimal representation.
+  p224_felem_to_generic(&r->X, nq[0]);
+  p224_felem_to_generic(&r->Y, nq[1]);
+  p224_felem_to_generic(&r->Z, nq[2]);
+}
+
+static void ec_GFp_nistp224_felem_mul(const EC_GROUP *group, EC_FELEM *r,
+                                      const EC_FELEM *a, const EC_FELEM *b) {
+  p224_felem felem1, felem2;
+  p224_widefelem wide;
+  p224_generic_to_felem(felem1, a);
+  p224_generic_to_felem(felem2, b);
+  p224_felem_mul(wide, felem1, felem2);
+  p224_felem_reduce(felem1, wide);
+  p224_felem_to_generic(r, felem1);
+}
+
+static void ec_GFp_nistp224_felem_sqr(const EC_GROUP *group, EC_FELEM *r,
+                                      const EC_FELEM *a) {
+  p224_felem felem;
+  p224_generic_to_felem(felem, a);
+  p224_widefelem wide;
+  p224_felem_square(wide, felem);
+  p224_felem_reduce(felem, wide);
+  p224_felem_to_generic(r, felem);
+}
+
+static int ec_GFp_nistp224_bignum_to_felem(const EC_GROUP *group, EC_FELEM *out,
+                                           const BIGNUM *in) {
+  return bn_copy_words(out->words, group->field.width, in);
+}
+
+static int ec_GFp_nistp224_felem_to_bignum(const EC_GROUP *group, BIGNUM *out,
+                                           const EC_FELEM *in) {
+  return bn_set_words(out, in->words, group->field.width);
 }
 
 DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp224_method) {
@@ -1093,12 +1170,18 @@ DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp224_method) {
   out->group_set_curve = ec_GFp_simple_group_set_curve;
   out->point_get_affine_coordinates =
       ec_GFp_nistp224_point_get_affine_coordinates;
-  out->mul = ec_GFp_nistp224_points_mul;
-  out->mul_public = ec_GFp_nistp224_points_mul;
-  out->field_mul = ec_GFp_simple_field_mul;
-  out->field_sqr = ec_GFp_simple_field_sqr;
-  out->field_encode = NULL;
-  out->field_decode = NULL;
-};
+  out->add = ec_GFp_nistp224_add;
+  out->dbl = ec_GFp_nistp224_dbl;
+  out->mul = ec_GFp_nistp224_point_mul;
+  out->mul_base = ec_GFp_nistp224_point_mul_base;
+  out->mul_public = ec_GFp_nistp224_point_mul_public;
+  out->felem_mul = ec_GFp_nistp224_felem_mul;
+  out->felem_sqr = ec_GFp_nistp224_felem_sqr;
+  out->bignum_to_felem = ec_GFp_nistp224_bignum_to_felem;
+  out->felem_to_bignum = ec_GFp_nistp224_felem_to_bignum;
+  out->scalar_inv_montgomery = ec_simple_scalar_inv_montgomery;
+  out->scalar_inv_montgomery_vartime = ec_GFp_simple_mont_inv_mod_ord_vartime;
+  out->cmp_x_coordinate = ec_GFp_simple_cmp_x_coordinate;
+}
 
 #endif  // BORINGSSL_HAS_UINT128 && !SMALL