grpc 1.24.0 → 1.25.0.pre1

data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64.h

@@ -23,6 +23,8 @@
 
 #include <openssl/bn.h>
 
+#include "../bn/internal.h"
+
 #if defined(__cplusplus)
 extern "C" {
 #endif
@@ -61,6 +63,40 @@ static inline void ecp_nistz256_from_mont(BN_ULONG res[P256_LIMBS],
   ecp_nistz256_mul_mont(res, in, ONE);
 }
 
+// ecp_nistz256_to_mont sets |res| to |in|, converted to Montgomery domain
+// by multiplying with RR = 2^512 mod P precomputed for NIST P256 curve.
+static inline void ecp_nistz256_to_mont(BN_ULONG res[P256_LIMBS],
+                                        const BN_ULONG in[P256_LIMBS]) {
+  static const BN_ULONG RR[P256_LIMBS] = {
+      TOBN(0x00000000, 0x00000003), TOBN(0xfffffffb, 0xffffffff),
+      TOBN(0xffffffff, 0xfffffffe), TOBN(0x00000004, 0xfffffffd)};
+  ecp_nistz256_mul_mont(res, in, RR);
+}
+
+
+// P-256 scalar operations.
+//
+// The following functions compute modulo N, where N is the order of P-256. They
+// take fully-reduced inputs and give fully-reduced outputs.
+
+// ecp_nistz256_ord_mul_mont sets |res| to |a| * |b| where inputs and outputs
+// are in Montgomery form. That is, |res| is |a| * |b| * 2^-256 mod N.
+void ecp_nistz256_ord_mul_mont(BN_ULONG res[P256_LIMBS],
+                               const BN_ULONG a[P256_LIMBS],
+                               const BN_ULONG b[P256_LIMBS]);
+
+// ecp_nistz256_ord_sqr_mont sets |res| to |a|^(2*|rep|) where inputs and
+// outputs are in Montgomery form. That is, |res| is
+// (|a| * 2^-256)^(2*|rep|) * 2^256 mod N.
+void ecp_nistz256_ord_sqr_mont(BN_ULONG res[P256_LIMBS],
+                               const BN_ULONG a[P256_LIMBS], BN_ULONG rep);
+
+// beeu_mod_inverse_vartime sets out = a^-1 mod p using a Euclidean algorithm.
+// Assumption: 0 < a < p < 2^(256) and p is odd.
+int beeu_mod_inverse_vartime(BN_ULONG out[P256_LIMBS],
+                             const BN_ULONG a[P256_LIMBS],
+                             const BN_ULONG p[P256_LIMBS]);
+
 
 // P-256 point operations.
 //

data/third_party/boringssl/crypto/fipsmodule/ec/scalar.c

@@ -0,0 +1,96 @@
+/* Copyright (c) 2018, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/ec.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+
+#include "internal.h"
+#include "../bn/internal.h"
+#include "../../internal.h"
+
+
+int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
+                        const BIGNUM *in) {
+  if (!bn_copy_words(out->words, group->order.width, in) ||
+      !bn_less_than_words(out->words, group->order.d, group->order.width)) {
+    OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR);
+    return 0;
+  }
+  return 1;
+}
+
+int ec_scalar_equal_vartime(const EC_GROUP *group, const EC_SCALAR *a,
+                            const EC_SCALAR *b) {
+  return OPENSSL_memcmp(a->words, b->words,
+                        group->order.width * sizeof(BN_ULONG)) == 0;
+}
+
+int ec_scalar_is_zero(const EC_GROUP *group, const EC_SCALAR *a) {
+  BN_ULONG mask = 0;
+  for (int i = 0; i < group->order.width; i++) {
+    mask |= a->words[i];
+  }
+  return mask == 0;
+}
+
+int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out,
+                             const uint8_t additional_data[32]) {
+  return bn_rand_range_words(out->words, 1, group->order.d, group->order.width,
+                             additional_data);
+}
+
+void ec_scalar_add(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a,
+                   const EC_SCALAR *b) {
+  const BIGNUM *order = &group->order;
+  BN_ULONG tmp[EC_MAX_WORDS];
+  bn_mod_add_words(r->words, a->words, b->words, order->d, tmp, order->width);
+  OPENSSL_cleanse(tmp, sizeof(tmp));
+}
+
+void ec_scalar_to_montgomery(const EC_GROUP *group, EC_SCALAR *r,
+                             const EC_SCALAR *a) {
+  const BIGNUM *order = &group->order;
+  bn_to_montgomery_small(r->words, a->words, order->width, group->order_mont);
+}
+
+void ec_scalar_from_montgomery(const EC_GROUP *group, EC_SCALAR *r,
+                               const EC_SCALAR *a) {
+  const BIGNUM *order = &group->order;
+  bn_from_montgomery_small(r->words, a->words, order->width, group->order_mont);
+}
+
+void ec_scalar_mul_montgomery(const EC_GROUP *group, EC_SCALAR *r,
+                              const EC_SCALAR *a, const EC_SCALAR *b) {
+  const BIGNUM *order = &group->order;
+  bn_mod_mul_montgomery_small(r->words, a->words, b->words, order->width,
+                              group->order_mont);
+}
+
+void ec_simple_scalar_inv_montgomery(const EC_GROUP *group, EC_SCALAR *r,
+                                     const EC_SCALAR *a) {
+  const BIGNUM *order = &group->order;
+  bn_mod_inverse_prime_mont_small(r->words, a->words, order->width,
+                                  group->order_mont);
+}
+
+void ec_scalar_inv_montgomery(const EC_GROUP *group, EC_SCALAR *r,
+                              const EC_SCALAR *a) {
+  group->meth->scalar_inv_montgomery(group, r, a);
+}
+
+int ec_scalar_inv_montgomery_vartime(const EC_GROUP *group, EC_SCALAR *r,
+                                     const EC_SCALAR *a) {
+  return group->meth->scalar_inv_montgomery_vartime(group, r, a);
+}

data/third_party/boringssl/crypto/fipsmodule/ec/simple.c

@@ -90,18 +90,12 @@
 
 int ec_GFp_simple_group_init(EC_GROUP *group) {
   BN_init(&group->field);
-  BN_init(&group->a);
-  BN_init(&group->b);
-  BN_init(&group->one);
   group->a_is_minus3 = 0;
   return 1;
 }
 
 void ec_GFp_simple_group_finish(EC_GROUP *group) {
   BN_free(&group->field);
-  BN_free(&group->a);
-  BN_free(&group->b);
-  BN_free(&group->one);
 }
 
 int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
@@ -109,7 +103,6 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
                                   BN_CTX *ctx) {
   int ret = 0;
   BN_CTX *new_ctx = NULL;
-  BIGNUM *tmp_a;
 
   // p must be a prime > 3
   if (BN_num_bits(p) <= 2 || !BN_is_odd(p)) {
@@ -125,8 +118,8 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
   }
 
   BN_CTX_start(ctx);
-  tmp_a = BN_CTX_get(ctx);
-  if (tmp_a == NULL) {
+  BIGNUM *tmp = BN_CTX_get(ctx);
+  if (tmp == NULL) {
     goto err;
   }
 
@@ -139,37 +132,24 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
   bn_set_minimal_width(&group->field);
 
   // group->a
-  if (!BN_nnmod(tmp_a, a, &group->field, ctx)) {
-    goto err;
-  }
-  if (group->meth->field_encode) {
-    if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) {
-      goto err;
-    }
-  } else if (!BN_copy(&group->a, tmp_a)) {
+  if (!BN_nnmod(tmp, a, &group->field, ctx) ||
+      !ec_bignum_to_felem(group, &group->a, tmp)) {
     goto err;
   }
 
-  // group->b
-  if (!BN_nnmod(&group->b, b, &group->field, ctx)) {
-    goto err;
-  }
-  if (group->meth->field_encode &&
-      !group->meth->field_encode(group, &group->b, &group->b, ctx)) {
+  // group->a_is_minus3
+  if (!BN_add_word(tmp, 3)) {
     goto err;
   }
+  group->a_is_minus3 = (0 == BN_cmp(tmp, &group->field));
 
-  // group->a_is_minus3
-  if (!BN_add_word(tmp_a, 3)) {
+  // group->b
+  if (!BN_nnmod(tmp, b, &group->field, ctx) ||
+      !ec_bignum_to_felem(group, &group->b, tmp)) {
     goto err;
   }
-  group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
 
-  if (group->meth->field_encode != NULL) {
-    if (!group->meth->field_encode(group, &group->one, BN_value_one(), ctx)) {
-      goto err;
-    }
-  } else if (!BN_copy(&group->one, BN_value_one())) {
+  if (!ec_bignum_to_felem(group, &group->one, BN_value_one())) {
     goto err;
   }
 
@@ -182,489 +162,67 @@ err:
 }
 
 int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
-                                  BIGNUM *b, BN_CTX *ctx) {
-  int ret = 0;
-  BN_CTX *new_ctx = NULL;
-
-  if (p != NULL && !BN_copy(p, &group->field)) {
+                                  BIGNUM *b) {
+  if ((p != NULL && !BN_copy(p, &group->field)) ||
+      (a != NULL && !ec_felem_to_bignum(group, a, &group->a)) ||
+      (b != NULL && !ec_felem_to_bignum(group, b, &group->b))) {
     return 0;
   }
-
-  if (a != NULL || b != NULL) {
-    if (group->meth->field_decode) {
-      if (ctx == NULL) {
-        ctx = new_ctx = BN_CTX_new();
-        if (ctx == NULL) {
-          return 0;
-        }
-      }
-      if (a != NULL && !group->meth->field_decode(group, a, &group->a, ctx)) {
-        goto err;
-      }
-      if (b != NULL && !group->meth->field_decode(group, b, &group->b, ctx)) {
-        goto err;
-      }
-    } else {
-      if (a != NULL && !BN_copy(a, &group->a)) {
-        goto err;
-      }
-      if (b != NULL && !BN_copy(b, &group->b)) {
-        goto err;
-      }
-    }
-  }
-
-  ret = 1;
-
-err:
-  BN_CTX_free(new_ctx);
-  return ret;
-}
-
-unsigned ec_GFp_simple_group_get_degree(const EC_GROUP *group) {
-  return BN_num_bits(&group->field);
-}
-
-int ec_GFp_simple_point_init(EC_POINT *point) {
-  BN_init(&point->X);
-  BN_init(&point->Y);
-  BN_init(&point->Z);
-
   return 1;
 }
 
-void ec_GFp_simple_point_finish(EC_POINT *point) {
-  BN_free(&point->X);
-  BN_free(&point->Y);
-  BN_free(&point->Z);
-}
-
-int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src) {
-  if (!BN_copy(&dest->X, &src->X) ||
-      !BN_copy(&dest->Y, &src->Y) ||
-      !BN_copy(&dest->Z, &src->Z)) {
-    return 0;
-  }
-
-  return 1;
+void ec_GFp_simple_point_init(EC_RAW_POINT *point) {
+  OPENSSL_memset(&point->X, 0, sizeof(EC_FELEM));
+  OPENSSL_memset(&point->Y, 0, sizeof(EC_FELEM));
+  OPENSSL_memset(&point->Z, 0, sizeof(EC_FELEM));
 }
 
-int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group,
-                                        EC_POINT *point) {
-  BN_zero(&point->Z);
-  return 1;
+void ec_GFp_simple_point_copy(EC_RAW_POINT *dest, const EC_RAW_POINT *src) {
+  OPENSSL_memcpy(&dest->X, &src->X, sizeof(EC_FELEM));
+  OPENSSL_memcpy(&dest->Y, &src->Y, sizeof(EC_FELEM));
+  OPENSSL_memcpy(&dest->Z, &src->Z, sizeof(EC_FELEM));
 }
 
-static int set_Jprojective_coordinate_GFp(const EC_GROUP *group, BIGNUM *out,
-                                          const BIGNUM *in, BN_CTX *ctx) {
-  if (in == NULL) {
-    return 1;
-  }
-  if (BN_is_negative(in) ||
-      BN_cmp(in, &group->field) >= 0) {
-    OPENSSL_PUT_ERROR(EC, EC_R_COORDINATES_OUT_OF_RANGE);
-    return 0;
-  }
-  if (group->meth->field_encode) {
-    return group->meth->field_encode(group, out, in, ctx);
-  }
-  return BN_copy(out, in) != NULL;
+void ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group,
+                                         EC_RAW_POINT *point) {
+  // Although it is strictly only necessary to zero Z, we zero the entire point
+  // in case |point| was stack-allocated and yet to be initialized.
+  ec_GFp_simple_point_init(point);
 }
 
 int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group,
-                                               EC_POINT *point, const BIGNUM *x,
-                                               const BIGNUM *y, BN_CTX *ctx) {
+                                               EC_RAW_POINT *point,
+                                               const BIGNUM *x,
+                                               const BIGNUM *y) {
   if (x == NULL || y == NULL) {
     OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
     return 0;
   }
 
-  BN_CTX *new_ctx = NULL;
-  int ret = 0;
-
-  if (ctx == NULL) {
-    ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL) {
-      return 0;
-    }
-  }
-
-  if (!set_Jprojective_coordinate_GFp(group, &point->X, x, ctx) ||
-      !set_Jprojective_coordinate_GFp(group, &point->Y, y, ctx) ||
-      !BN_copy(&point->Z, &group->one)) {
-    goto err;
-  }
-
-  ret = 1;
-
-err:
-  BN_CTX_free(new_ctx);
-  return ret;
-}
-
-int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
-                      const EC_POINT *b, BN_CTX *ctx) {
-  int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,
-                   BN_CTX *);
-  int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
-  const BIGNUM *p;
-  BN_CTX *new_ctx = NULL;
-  BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
-  int ret = 0;
-
-  if (a == b) {
-    return EC_POINT_dbl(group, r, a, ctx);
-  }
-  if (EC_POINT_is_at_infinity(group, a)) {
-    return EC_POINT_copy(r, b);
-  }
-  if (EC_POINT_is_at_infinity(group, b)) {
-    return EC_POINT_copy(r, a);
-  }
-
-  field_mul = group->meth->field_mul;
-  field_sqr = group->meth->field_sqr;
-  p = &group->field;
-
-  if (ctx == NULL) {
-    ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL) {
-      return 0;
-    }
-  }
-
-  BN_CTX_start(ctx);
-  n0 = BN_CTX_get(ctx);
-  n1 = BN_CTX_get(ctx);
-  n2 = BN_CTX_get(ctx);
-  n3 = BN_CTX_get(ctx);
-  n4 = BN_CTX_get(ctx);
-  n5 = BN_CTX_get(ctx);
-  n6 = BN_CTX_get(ctx);
-  if (n6 == NULL) {
-    goto end;
-  }
-
-  // Note that in this function we must not read components of 'a' or 'b'
-  // once we have written the corresponding components of 'r'.
-  // ('r' might be one of 'a' or 'b'.)
-
-  // n1, n2
-  int b_Z_is_one = BN_cmp(&b->Z, &group->one) == 0;
-
-  if (b_Z_is_one) {
-    if (!BN_copy(n1, &a->X) || !BN_copy(n2, &a->Y)) {
-      goto end;
-    }
-    // n1 = X_a
-    // n2 = Y_a
-  } else {
-    if (!field_sqr(group, n0, &b->Z, ctx) ||
-        !field_mul(group, n1, &a->X, n0, ctx)) {
-      goto end;
-    }
-    // n1 = X_a * Z_b^2
-
-    if (!field_mul(group, n0, n0, &b->Z, ctx) ||
-        !field_mul(group, n2, &a->Y, n0, ctx)) {
-      goto end;
-    }
-    // n2 = Y_a * Z_b^3
-  }
-
-  // n3, n4
-  int a_Z_is_one = BN_cmp(&a->Z, &group->one) == 0;
-  if (a_Z_is_one) {
-    if (!BN_copy(n3, &b->X) || !BN_copy(n4, &b->Y)) {
-      goto end;
-    }
-    // n3 = X_b
-    // n4 = Y_b
-  } else {
-    if (!field_sqr(group, n0, &a->Z, ctx) ||
-        !field_mul(group, n3, &b->X, n0, ctx)) {
-      goto end;
-    }
-    // n3 = X_b * Z_a^2
-
-    if (!field_mul(group, n0, n0, &a->Z, ctx) ||
-        !field_mul(group, n4, &b->Y, n0, ctx)) {
-      goto end;
-    }
-    // n4 = Y_b * Z_a^3
-  }
-
-  // n5, n6
-  if (!bn_mod_sub_consttime(n5, n1, n3, p, ctx) ||
-      !bn_mod_sub_consttime(n6, n2, n4, p, ctx)) {
-    goto end;
-  }
-  // n5 = n1 - n3
-  // n6 = n2 - n4
-
-  if (BN_is_zero(n5)) {
-    if (BN_is_zero(n6)) {
-      // a is the same point as b
-      BN_CTX_end(ctx);
-      ret = EC_POINT_dbl(group, r, a, ctx);
-      ctx = NULL;
-      goto end;
-    } else {
-      // a is the inverse of b
-      BN_zero(&r->Z);
-      ret = 1;
-      goto end;
-    }
-  }
-
-  // 'n7', 'n8'
-  if (!bn_mod_add_consttime(n1, n1, n3, p, ctx) ||
-      !bn_mod_add_consttime(n2, n2, n4, p, ctx)) {
-    goto end;
-  }
-  // 'n7' = n1 + n3
-  // 'n8' = n2 + n4
-
-  // Z_r
-  if (a_Z_is_one && b_Z_is_one) {
-    if (!BN_copy(&r->Z, n5)) {
-      goto end;
-    }
-  } else {
-    if (a_Z_is_one) {
-      if (!BN_copy(n0, &b->Z)) {
-        goto end;
-      }
-    } else if (b_Z_is_one) {
-      if (!BN_copy(n0, &a->Z)) {
-        goto end;
-      }
-    } else if (!field_mul(group, n0, &a->Z, &b->Z, ctx)) {
-      goto end;
-    }
-    if (!field_mul(group, &r->Z, n0, n5, ctx)) {
-      goto end;
-    }
-  }
-
-  // Z_r = Z_a * Z_b * n5
-
-  // X_r
-  if (!field_sqr(group, n0, n6, ctx) ||
-      !field_sqr(group, n4, n5, ctx) ||
-      !field_mul(group, n3, n1, n4, ctx) ||
-      !bn_mod_sub_consttime(&r->X, n0, n3, p, ctx)) {
-    goto end;
-  }
-  // X_r = n6^2 - n5^2 * 'n7'
-
-  // 'n9'
-  if (!bn_mod_lshift1_consttime(n0, &r->X, p, ctx) ||
-      !bn_mod_sub_consttime(n0, n3, n0, p, ctx)) {
-    goto end;
-  }
-  // n9 = n5^2 * 'n7' - 2 * X_r
-
-  // Y_r
-  if (!field_mul(group, n0, n0, n6, ctx) ||
-      !field_mul(group, n5, n4, n5, ctx)) {
-    goto end;  // now n5 is n5^3
-  }
-  if (!field_mul(group, n1, n2, n5, ctx) ||
-      !bn_mod_sub_consttime(n0, n0, n1, p, ctx)) {
-    goto end;
-  }
-  if (BN_is_odd(n0) && !BN_add(n0, n0, p)) {
-    goto end;
-  }
-  // now  0 <= n0 < 2*p,  and n0 is even
-  if (!BN_rshift1(&r->Y, n0)) {
-    goto end;
-  }
-  // Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2
-
-  ret = 1;
-
-end:
-  if (ctx) {
-    // otherwise we already called BN_CTX_end
-    BN_CTX_end(ctx);
-  }
-  BN_CTX_free(new_ctx);
-  return ret;
-}
-
-int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
-                      BN_CTX *ctx) {
-  int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,
-                   BN_CTX *);
-  int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
-  const BIGNUM *p;
-  BN_CTX *new_ctx = NULL;
-  BIGNUM *n0, *n1, *n2, *n3;
-  int ret = 0;
-
-  if (EC_POINT_is_at_infinity(group, a)) {
-    BN_zero(&r->Z);
-    return 1;
-  }
-
-  field_mul = group->meth->field_mul;
-  field_sqr = group->meth->field_sqr;
-  p = &group->field;
-
-  if (ctx == NULL) {
-    ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL) {
-      return 0;
-    }
-  }
-
-  BN_CTX_start(ctx);
-  n0 = BN_CTX_get(ctx);
-  n1 = BN_CTX_get(ctx);
-  n2 = BN_CTX_get(ctx);
-  n3 = BN_CTX_get(ctx);
-  if (n3 == NULL) {
-    goto err;
-  }
-
-  // Note that in this function we must not read components of 'a'
-  // once we have written the corresponding components of 'r'.
-  // ('r' might the same as 'a'.)
-
-  // n1
-  if (BN_cmp(&a->Z, &group->one) == 0) {
-    if (!field_sqr(group, n0, &a->X, ctx) ||
-        !bn_mod_lshift1_consttime(n1, n0, p, ctx) ||
-        !bn_mod_add_consttime(n0, n0, n1, p, ctx) ||
-        !bn_mod_add_consttime(n1, n0, &group->a, p, ctx)) {
-      goto err;
-    }
-    // n1 = 3 * X_a^2 + a_curve
-  } else if (group->a_is_minus3) {
-    if (!field_sqr(group, n1, &a->Z, ctx) ||
-        !bn_mod_add_consttime(n0, &a->X, n1, p, ctx) ||
-        !bn_mod_sub_consttime(n2, &a->X, n1, p, ctx) ||
-        !field_mul(group, n1, n0, n2, ctx) ||
-        !bn_mod_lshift1_consttime(n0, n1, p, ctx) ||
-        !bn_mod_add_consttime(n1, n0, n1, p, ctx)) {
-      goto err;
-    }
-    // n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
-    //    = 3 * X_a^2 - 3 * Z_a^4
-  } else {
-    if (!field_sqr(group, n0, &a->X, ctx) ||
-        !bn_mod_lshift1_consttime(n1, n0, p, ctx) ||
-        !bn_mod_add_consttime(n0, n0, n1, p, ctx) ||
-        !field_sqr(group, n1, &a->Z, ctx) ||
-        !field_sqr(group, n1, n1, ctx) ||
-        !field_mul(group, n1, n1, &group->a, ctx) ||
-        !bn_mod_add_consttime(n1, n1, n0, p, ctx)) {
-      goto err;
-    }
-    // n1 = 3 * X_a^2 + a_curve * Z_a^4
-  }
-
-  // Z_r
-  if (BN_cmp(&a->Z, &group->one) == 0) {
-    if (!BN_copy(n0, &a->Y)) {
-      goto err;
-    }
-  } else if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) {
-    goto err;
-  }
-  if (!bn_mod_lshift1_consttime(&r->Z, n0, p, ctx)) {
-    goto err;
-  }
-  // Z_r = 2 * Y_a * Z_a
-
-  // n2
-  if (!field_sqr(group, n3, &a->Y, ctx) ||
-      !field_mul(group, n2, &a->X, n3, ctx) ||
-      !bn_mod_lshift_consttime(n2, n2, 2, p, ctx)) {
-    goto err;
-  }
-  // n2 = 4 * X_a * Y_a^2
-
-  // X_r
-  if (!bn_mod_lshift1_consttime(n0, n2, p, ctx) ||
-      !field_sqr(group, &r->X, n1, ctx) ||
-      !bn_mod_sub_consttime(&r->X, &r->X, n0, p, ctx)) {
-    goto err;
-  }
-  // X_r = n1^2 - 2 * n2
-
-  // n3
-  if (!field_sqr(group, n0, n3, ctx) ||
-      !bn_mod_lshift_consttime(n3, n0, 3, p, ctx)) {
-    goto err;
-  }
-  // n3 = 8 * Y_a^4
-
-  // Y_r
-  if (!bn_mod_sub_consttime(n0, n2, &r->X, p, ctx) ||
-      !field_mul(group, n0, n1, n0, ctx) ||
-      !bn_mod_sub_consttime(&r->Y, n0, n3, p, ctx)) {
-    goto err;
+  if (!ec_bignum_to_felem(group, &point->X, x) ||
+      !ec_bignum_to_felem(group, &point->Y, y)) {
+    return 0;
   }
-  // Y_r = n1 * (n2 - X_r) - n3
+  OPENSSL_memcpy(&point->Z, &group->one, sizeof(EC_FELEM));
 
-  ret = 1;
-
-err:
-  BN_CTX_end(ctx);
-  BN_CTX_free(new_ctx);
-  return ret;
+  return 1;
 }
 
-int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) {
-  if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y)) {
-    // point is its own inverse
-    return 1;
-  }
-
-  return BN_usub(&point->Y, &group->field, &point->Y);
+void ec_GFp_simple_invert(const EC_GROUP *group, EC_RAW_POINT *point) {
+  ec_felem_neg(group, &point->Y, &point->Y);
 }
 
-int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) {
-  return BN_is_zero(&point->Z);
+int ec_GFp_simple_is_at_infinity(const EC_GROUP *group,
+                                 const EC_RAW_POINT *point) {
+  return ec_felem_non_zero_mask(group, &point->Z) == 0;
 }
 
-int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
-                              BN_CTX *ctx) {
-  int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,
-                   BN_CTX *);
-  int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
-  const BIGNUM *p;
-  BN_CTX *new_ctx = NULL;
-  BIGNUM *rh, *tmp, *Z4, *Z6;
-  int ret = 0;
-
-  if (EC_POINT_is_at_infinity(group, point)) {
+int ec_GFp_simple_is_on_curve(const EC_GROUP *group,
+                              const EC_RAW_POINT *point) {
+  if (ec_GFp_simple_is_at_infinity(group, point)) {
     return 1;
   }
 
-  field_mul = group->meth->field_mul;
-  field_sqr = group->meth->field_sqr;
-  p = &group->field;
-
-  if (ctx == NULL) {
-    ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL) {
-      return 0;
-    }
-  }
-
-  BN_CTX_start(ctx);
-  rh = BN_CTX_get(ctx);
-  tmp = BN_CTX_get(ctx);
-  Z4 = BN_CTX_get(ctx);
-  Z6 = BN_CTX_get(ctx);
-  if (Z6 == NULL) {
-    goto err;
-  }
-
   // We have a curve defined by a Weierstrass equation
   //      y^2 = x^3 + a*x + b.
   // The point to consider is given in Jacobian projective coordinates
@@ -674,79 +232,53 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
   //      Y^2 = X^3 + a*X*Z^4 + b*Z^6.
   // To test this, we add up the right-hand side in 'rh'.
 
+  void (*const felem_mul)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a,
+                          const EC_FELEM *b) = group->meth->felem_mul;
+  void (*const felem_sqr)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a) =
+      group->meth->felem_sqr;
+
   // rh := X^2
-  if (!field_sqr(group, rh, &point->X, ctx)) {
-    goto err;
-  }
+  EC_FELEM rh;
+  felem_sqr(group, &rh, &point->X);
 
-  if (BN_cmp(&point->Z, &group->one) != 0) {
-    if (!field_sqr(group, tmp, &point->Z, ctx) ||
-        !field_sqr(group, Z4, tmp, ctx) ||
-        !field_mul(group, Z6, Z4, tmp, ctx)) {
-      goto err;
-    }
+  EC_FELEM tmp, Z4, Z6;
+  if (!ec_felem_equal(group, &point->Z, &group->one)) {
+    felem_sqr(group, &tmp, &point->Z);
+    felem_sqr(group, &Z4, &tmp);
+    felem_mul(group, &Z6, &Z4, &tmp);
 
     // rh := (rh + a*Z^4)*X
     if (group->a_is_minus3) {
-      if (!bn_mod_lshift1_consttime(tmp, Z4, p, ctx) ||
-          !bn_mod_add_consttime(tmp, tmp, Z4, p, ctx) ||
-          !bn_mod_sub_consttime(rh, rh, tmp, p, ctx) ||
-          !field_mul(group, rh, rh, &point->X, ctx)) {
-        goto err;
-      }
+      ec_felem_add(group, &tmp, &Z4, &Z4);
+      ec_felem_add(group, &tmp, &tmp, &Z4);
+      ec_felem_sub(group, &rh, &rh, &tmp);
+      felem_mul(group, &rh, &rh, &point->X);
     } else {
-      if (!field_mul(group, tmp, Z4, &group->a, ctx) ||
-          !bn_mod_add_consttime(rh, rh, tmp, p, ctx) ||
-          !field_mul(group, rh, rh, &point->X, ctx)) {
-        goto err;
-      }
+      felem_mul(group, &tmp, &Z4, &group->a);
+      ec_felem_add(group, &rh, &rh, &tmp);
+      felem_mul(group, &rh, &rh, &point->X);
     }
 
     // rh := rh + b*Z^6
-    if (!field_mul(group, tmp, &group->b, Z6, ctx) ||
-        !bn_mod_add_consttime(rh, rh, tmp, p, ctx)) {
-      goto err;
-    }
+    felem_mul(group, &tmp, &group->b, &Z6);
+    ec_felem_add(group, &rh, &rh, &tmp);
   } else {
     // rh := (rh + a)*X
-    if (!bn_mod_add_consttime(rh, rh, &group->a, p, ctx) ||
-        !field_mul(group, rh, rh, &point->X, ctx)) {
-      goto err;
-    }
+    ec_felem_add(group, &rh, &rh, &group->a);
+    felem_mul(group, &rh, &rh, &point->X);
     // rh := rh + b
-    if (!bn_mod_add_consttime(rh, rh, &group->b, p, ctx)) {
-      goto err;
-    }
+    ec_felem_add(group, &rh, &rh, &group->b);
   }
 
   // 'lh' := Y^2
-  if (!field_sqr(group, tmp, &point->Y, ctx)) {
-    goto err;
-  }
-
-  ret = (0 == BN_ucmp(tmp, rh));
-
-err:
-  BN_CTX_end(ctx);
-  BN_CTX_free(new_ctx);
-  return ret;
+  felem_sqr(group, &tmp, &point->Y);
+  return ec_felem_equal(group, &tmp, &rh);
 }
 
-int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
-                      const EC_POINT *b, BN_CTX *ctx) {
-  // return values:
-  //  -1   error
-  //   0   equal (in affine coordinates)
-  //   1   not equal
-
-  int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,
-                   BN_CTX *);
-  int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
-  BN_CTX *new_ctx = NULL;
-  BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
-  const BIGNUM *tmp1_, *tmp2_;
-  int ret = -1;
-
+int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_RAW_POINT *a,
+                      const EC_RAW_POINT *b) {
+  // Note this function returns zero if |a| and |b| are equal and 1 if they are
+  // not equal.
   if (ec_GFp_simple_is_at_infinity(group, a)) {
     return ec_GFp_simple_is_at_infinity(group, b) ? 0 : 1;
   }
@@ -755,292 +287,94 @@ int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
     return 1;
   }
 
-  int a_Z_is_one = BN_cmp(&a->Z, &group->one) == 0;
-  int b_Z_is_one = BN_cmp(&b->Z, &group->one) == 0;
+  int a_Z_is_one = ec_felem_equal(group, &a->Z, &group->one);
+  int b_Z_is_one = ec_felem_equal(group, &b->Z, &group->one);
 
   if (a_Z_is_one && b_Z_is_one) {
-    return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
+    return !ec_felem_equal(group, &a->X, &b->X) ||
+           !ec_felem_equal(group, &a->Y, &b->Y);
   }
 
-  field_mul = group->meth->field_mul;
-  field_sqr = group->meth->field_sqr;
-
-  if (ctx == NULL) {
-    ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL) {
-      return -1;
-    }
-  }
-
-  BN_CTX_start(ctx);
-  tmp1 = BN_CTX_get(ctx);
-  tmp2 = BN_CTX_get(ctx);
-  Za23 = BN_CTX_get(ctx);
-  Zb23 = BN_CTX_get(ctx);
-  if (Zb23 == NULL) {
-    goto end;
-  }
+  void (*const felem_mul)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a,
+                          const EC_FELEM *b) = group->meth->felem_mul;
+  void (*const felem_sqr)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a) =
+      group->meth->felem_sqr;
 
   // We have to decide whether
   //     (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
   // or equivalently, whether
   //     (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
 
+  EC_FELEM tmp1, tmp2, Za23, Zb23;
+  const EC_FELEM *tmp1_, *tmp2_;
   if (!b_Z_is_one) {
-    if (!field_sqr(group, Zb23, &b->Z, ctx) ||
-        !field_mul(group, tmp1, &a->X, Zb23, ctx)) {
-      goto end;
-    }
-    tmp1_ = tmp1;
+    felem_sqr(group, &Zb23, &b->Z);
+    felem_mul(group, &tmp1, &a->X, &Zb23);
+    tmp1_ = &tmp1;
   } else {
     tmp1_ = &a->X;
   }
   if (!a_Z_is_one) {
-    if (!field_sqr(group, Za23, &a->Z, ctx) ||
-        !field_mul(group, tmp2, &b->X, Za23, ctx)) {
-      goto end;
-    }
-    tmp2_ = tmp2;
+    felem_sqr(group, &Za23, &a->Z);
+    felem_mul(group, &tmp2, &b->X, &Za23);
+    tmp2_ = &tmp2;
   } else {
     tmp2_ = &b->X;
   }
 
-  // compare  X_a*Z_b^2  with  X_b*Z_a^2
-  if (BN_cmp(tmp1_, tmp2_) != 0) {
-    ret = 1;  // points differ
-    goto end;
+  // Compare  X_a*Z_b^2  with  X_b*Z_a^2.
+  if (!ec_felem_equal(group, tmp1_, tmp2_)) {
+    return 1;  // The points differ.
   }
 
-
   if (!b_Z_is_one) {
-    if (!field_mul(group, Zb23, Zb23, &b->Z, ctx) ||
-        !field_mul(group, tmp1, &a->Y, Zb23, ctx)) {
-      goto end;
-    }
-    // tmp1_ = tmp1
+    felem_mul(group, &Zb23, &Zb23, &b->Z);
+    felem_mul(group, &tmp1, &a->Y, &Zb23);
+    // tmp1_ = &tmp1
   } else {
     tmp1_ = &a->Y;
   }
   if (!a_Z_is_one) {
-    if (!field_mul(group, Za23, Za23, &a->Z, ctx) ||
-        !field_mul(group, tmp2, &b->Y, Za23, ctx)) {
-      goto end;
-    }
-    // tmp2_ = tmp2
+    felem_mul(group, &Za23, &Za23, &a->Z);
+    felem_mul(group, &tmp2, &b->Y, &Za23);
+    // tmp2_ = &tmp2
   } else {
     tmp2_ = &b->Y;
   }
 
-  // compare  Y_a*Z_b^3  with  Y_b*Z_a^3
-  if (BN_cmp(tmp1_, tmp2_) != 0) {
-    ret = 1;  // points differ
-    goto end;
+  // Compare  Y_a*Z_b^3  with  Y_b*Z_a^3.
+  if (!ec_felem_equal(group, tmp1_, tmp2_)) {
+    return 1;  // The points differ.
   }
 
-  // points are equal
-  ret = 0;
-
-end:
-  BN_CTX_end(ctx);
-  BN_CTX_free(new_ctx);
-  return ret;
+  // The points are equal.
+  return 0;
 }
 
-int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point,
-                              BN_CTX *ctx) {
-  BN_CTX *new_ctx = NULL;
-  BIGNUM *x, *y;
-  int ret = 0;
-
-  if (BN_cmp(&point->Z, &group->one) == 0 ||
-      EC_POINT_is_at_infinity(group, point)) {
-    return 1;
-  }
-
-  if (ctx == NULL) {
-    ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL) {
-      return 0;
-    }
-  }
-
-  BN_CTX_start(ctx);
-  x = BN_CTX_get(ctx);
-  y = BN_CTX_get(ctx);
-  if (y == NULL) {
-    goto err;
-  }
-
-  if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx) ||
-      !EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) {
-    goto err;
-  }
-  if (BN_cmp(&point->Z, &group->one) != 0) {
-    OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
-    goto err;
-  }
-
-  ret = 1;
-
-err:
-  BN_CTX_end(ctx);
-  BN_CTX_free(new_ctx);
-  return ret;
+int ec_GFp_simple_mont_inv_mod_ord_vartime(const EC_GROUP *group,
+                                           EC_SCALAR *out,
+                                           const EC_SCALAR *in) {
+  // This implementation (in fact) runs in constant time,
+  // even though for this interface it is not mandatory.
+
+  // out = in^-1 in the Montgomery domain. This is
+  // |ec_scalar_to_montgomery| followed by |ec_scalar_inv_montgomery|, but
+  // |ec_scalar_inv_montgomery| followed by |ec_scalar_from_montgomery| is
+  // equivalent and slightly more efficient.
+  ec_scalar_inv_montgomery(group, out, in);
+  ec_scalar_from_montgomery(group, out, out);
+  return 1;
 }
 
-int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num,
-                                     EC_POINT *points[], BN_CTX *ctx) {
-  BN_CTX *new_ctx = NULL;
-  BIGNUM *tmp, *tmp_Z;
-  BIGNUM **prod_Z = NULL;
-  int ret = 0;
-
-  if (num == 0) {
-    return 1;
-  }
-
-  if (ctx == NULL) {
-    ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL) {
-      return 0;
-    }
-  }
-
-  BN_CTX_start(ctx);
-  tmp = BN_CTX_get(ctx);
-  tmp_Z = BN_CTX_get(ctx);
-  if (tmp == NULL || tmp_Z == NULL) {
-    goto err;
-  }
-
-  prod_Z = OPENSSL_malloc(num * sizeof(prod_Z[0]));
-  if (prod_Z == NULL) {
-    goto err;
-  }
-  OPENSSL_memset(prod_Z, 0, num * sizeof(prod_Z[0]));
-  for (size_t i = 0; i < num; i++) {
-    prod_Z[i] = BN_new();
-    if (prod_Z[i] == NULL) {
-      goto err;
-    }
-  }
-
-  // Set each prod_Z[i] to the product of points[0]->Z .. points[i]->Z,
-  // skipping any zero-valued inputs (pretend that they're 1).
-
-  if (!BN_is_zero(&points[0]->Z)) {
-    if (!BN_copy(prod_Z[0], &points[0]->Z)) {
-      goto err;
-    }
-  } else {
-    if (BN_copy(prod_Z[0], &group->one) == NULL) {
-      goto err;
-    }
-  }
-
-  for (size_t i = 1; i < num; i++) {
-    if (!BN_is_zero(&points[i]->Z)) {
-      if (!group->meth->field_mul(group, prod_Z[i], prod_Z[i - 1],
-                                  &points[i]->Z, ctx)) {
-        goto err;
-      }
-    } else {
-      if (!BN_copy(prod_Z[i], prod_Z[i - 1])) {
-        goto err;
-      }
-    }
-  }
-
-  // Now use a single explicit inversion to replace every non-zero points[i]->Z
-  // by its inverse. We use |BN_mod_inverse_odd| instead of doing a constant-
-  // time inversion using Fermat's Little Theorem because this function is
-  // usually only used for converting multiples of a public key point to
-  // affine, and a public key point isn't secret. If we were to use Fermat's
-  // Little Theorem then the cost of the inversion would usually be so high
-  // that converting the multiples to affine would be counterproductive.
-  int no_inverse;
-  if (!BN_mod_inverse_odd(tmp, &no_inverse, prod_Z[num - 1], &group->field,
-                          ctx)) {
-    OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
-    goto err;
-  }
-
-  if (group->meth->field_encode != NULL) {
-    // In the Montgomery case, we just turned R*H (representing H)
-    // into 1/(R*H), but we need R*(1/H) (representing 1/H);
-    // i.e. we need to multiply by the Montgomery factor twice.
-    if (!group->meth->field_encode(group, tmp, tmp, ctx) ||
-        !group->meth->field_encode(group, tmp, tmp, ctx)) {
-      goto err;
-    }
-  }
-
-  for (size_t i = num - 1; i > 0; --i) {
-    // Loop invariant: tmp is the product of the inverses of
-    // points[0]->Z .. points[i]->Z (zero-valued inputs skipped).
-    if (BN_is_zero(&points[i]->Z)) {
-      continue;
-    }
-
-    // Set tmp_Z to the inverse of points[i]->Z (as product
-    // of Z inverses 0 .. i, Z values 0 .. i - 1).
-    if (!group->meth->field_mul(group, tmp_Z, prod_Z[i - 1], tmp, ctx) ||
-        // Update tmp to satisfy the loop invariant for i - 1.
-        !group->meth->field_mul(group, tmp, tmp, &points[i]->Z, ctx) ||
-        // Replace points[i]->Z by its inverse.
-        !BN_copy(&points[i]->Z, tmp_Z)) {
-      goto err;
-    }
-  }
-
-  // Replace points[0]->Z by its inverse.
-  if (!BN_is_zero(&points[0]->Z) && !BN_copy(&points[0]->Z, tmp)) {
-    goto err;
-  }
-
-  // Finally, fix up the X and Y coordinates for all points.
-  for (size_t i = 0; i < num; i++) {
-    EC_POINT *p = points[i];
-
-    if (!BN_is_zero(&p->Z)) {
-      // turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1).
-      if (!group->meth->field_sqr(group, tmp, &p->Z, ctx) ||
-          !group->meth->field_mul(group, &p->X, &p->X, tmp, ctx) ||
-          !group->meth->field_mul(group, tmp, tmp, &p->Z, ctx) ||
-          !group->meth->field_mul(group, &p->Y, &p->Y, tmp, ctx)) {
-        goto err;
-      }
-
-      if (BN_copy(&p->Z, &group->one) == NULL) {
-        goto err;
-      }
-    }
-  }
-
-  ret = 1;
-
-err:
-  BN_CTX_end(ctx);
-  BN_CTX_free(new_ctx);
-  if (prod_Z != NULL) {
-    for (size_t i = 0; i < num; i++) {
-      if (prod_Z[i] == NULL) {
-        break;
-      }
-      BN_clear_free(prod_Z[i]);
-    }
-    OPENSSL_free(prod_Z);
+int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p,
+                                   const EC_SCALAR *r) {
+  if (ec_GFp_simple_is_at_infinity(group, p)) {
+    // |ec_get_x_coordinate_as_scalar| will check this internally, but this way
+    // we do not push to the error queue.
+    return 0;
   }
 
-  return ret;
-}
-
-int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
-                            const BIGNUM *b, BN_CTX *ctx) {
-  return BN_mod_mul(r, a, b, &group->field, ctx);
-}
-
-int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
-                            BN_CTX *ctx) {
-  return BN_mod_sqr(r, a, &group->field, ctx);
+  EC_SCALAR x;
+  return ec_get_x_coordinate_as_scalar(group, &x, p) &&
+         ec_scalar_equal_vartime(group, &x, r);
 }