grpc 1.28.0 → 1.31.0.pre2

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-x86_64.c

@@ -50,8 +50,8 @@ static const BN_ULONG ONE[P256_LIMBS] = {
 
 // Recode window to a signed digit, see |ec_GFp_nistp_recode_scalar_bits| in
 // util.c for details
-static unsigned booth_recode_w5(unsigned in) {
-  unsigned s, d;
+static crypto_word_t booth_recode_w5(crypto_word_t in) {
+  crypto_word_t s, d;
 
   s = ~((in >> 5) - 1);
   d = (1 << 6) - in - 1;
@@ -61,8 +61,8 @@ static unsigned booth_recode_w5(unsigned in) {
   return (d << 1) + (s & 1);
 }
 
-static unsigned booth_recode_w7(unsigned in) {
-  unsigned s, d;
+static crypto_word_t booth_recode_w7(crypto_word_t in) {
+  crypto_word_t s, d;
 
   s = ~((in >> 7) - 1);
   d = (1 << 8) - in - 1;
@@ -117,86 +117,73 @@ static BN_ULONG is_not_zero(BN_ULONG in) {
   return in;
 }
 
-// ecp_nistz256_mod_inverse_mont sets |r| to (|in| * 2^-256)^-1 * 2^256 mod p.
-// That is, |r| is the modular inverse of |in| for input and output in the
-// Montgomery domain.
-static void ecp_nistz256_mod_inverse_mont(BN_ULONG r[P256_LIMBS],
-                                          const BN_ULONG in[P256_LIMBS]) {
-  /* The poly is ffffffff 00000001 00000000 00000000 00000000 ffffffff ffffffff
-     ffffffff
-     We use FLT and used poly-2 as exponent */
-  BN_ULONG p2[P256_LIMBS];
-  BN_ULONG p4[P256_LIMBS];
-  BN_ULONG p8[P256_LIMBS];
-  BN_ULONG p16[P256_LIMBS];
-  BN_ULONG p32[P256_LIMBS];
-  BN_ULONG res[P256_LIMBS];
-  int i;
-
-  ecp_nistz256_sqr_mont(res, in);
-  ecp_nistz256_mul_mont(p2, res, in);  // 3*p
-
-  ecp_nistz256_sqr_mont(res, p2);
-  ecp_nistz256_sqr_mont(res, res);
-  ecp_nistz256_mul_mont(p4, res, p2);  // f*p
-
-  ecp_nistz256_sqr_mont(res, p4);
-  ecp_nistz256_sqr_mont(res, res);
-  ecp_nistz256_sqr_mont(res, res);
-  ecp_nistz256_sqr_mont(res, res);
-  ecp_nistz256_mul_mont(p8, res, p4);  // ff*p
-
-  ecp_nistz256_sqr_mont(res, p8);
-  for (i = 0; i < 7; i++) {
-    ecp_nistz256_sqr_mont(res, res);
-  }
-  ecp_nistz256_mul_mont(p16, res, p8);  // ffff*p
-
-  ecp_nistz256_sqr_mont(res, p16);
-  for (i = 0; i < 15; i++) {
-    ecp_nistz256_sqr_mont(res, res);
-  }
-  ecp_nistz256_mul_mont(p32, res, p16);  // ffffffff*p
-
-  ecp_nistz256_sqr_mont(res, p32);
-  for (i = 0; i < 31; i++) {
-    ecp_nistz256_sqr_mont(res, res);
-  }
-  ecp_nistz256_mul_mont(res, res, in);
-
-  for (i = 0; i < 32 * 4; i++) {
-    ecp_nistz256_sqr_mont(res, res);
-  }
-  ecp_nistz256_mul_mont(res, res, p32);
-
-  for (i = 0; i < 32; i++) {
-    ecp_nistz256_sqr_mont(res, res);
-  }
-  ecp_nistz256_mul_mont(res, res, p32);
-
-  for (i = 0; i < 16; i++) {
-    ecp_nistz256_sqr_mont(res, res);
-  }
-  ecp_nistz256_mul_mont(res, res, p16);
-
-  for (i = 0; i < 8; i++) {
-    ecp_nistz256_sqr_mont(res, res);
-  }
-  ecp_nistz256_mul_mont(res, res, p8);
-
-  ecp_nistz256_sqr_mont(res, res);
-  ecp_nistz256_sqr_mont(res, res);
-  ecp_nistz256_sqr_mont(res, res);
-  ecp_nistz256_sqr_mont(res, res);
-  ecp_nistz256_mul_mont(res, res, p4);
-
-  ecp_nistz256_sqr_mont(res, res);
-  ecp_nistz256_sqr_mont(res, res);
-  ecp_nistz256_mul_mont(res, res, p2);
-
-  ecp_nistz256_sqr_mont(res, res);
-  ecp_nistz256_sqr_mont(res, res);
-  ecp_nistz256_mul_mont(r, res, in);
+// ecp_nistz256_mod_inverse_sqr_mont sets |r| to (|in| * 2^-256)^-2 * 2^256 mod
+// p. That is, |r| is the modular inverse square of |in| for input and output in
+// the Montgomery domain.
+static void ecp_nistz256_mod_inverse_sqr_mont(BN_ULONG r[P256_LIMBS],
+                                              const BN_ULONG in[P256_LIMBS]) {
+  // This implements the addition chain described in
+  // https://briansmith.org/ecc-inversion-addition-chains-01#p256_field_inversion
+  BN_ULONG x2[P256_LIMBS], x3[P256_LIMBS], x6[P256_LIMBS], x12[P256_LIMBS],
+      x15[P256_LIMBS], x30[P256_LIMBS], x32[P256_LIMBS];
+  ecp_nistz256_sqr_mont(x2, in);      // 2^2 - 2^1
+  ecp_nistz256_mul_mont(x2, x2, in);  // 2^2 - 2^0
+
+  ecp_nistz256_sqr_mont(x3, x2);      // 2^3 - 2^1
+  ecp_nistz256_mul_mont(x3, x3, in);  // 2^3 - 2^0
+
+  ecp_nistz256_sqr_mont(x6, x3);
+  for (int i = 1; i < 3; i++) {
+    ecp_nistz256_sqr_mont(x6, x6);
+  }                                   // 2^6 - 2^3
+  ecp_nistz256_mul_mont(x6, x6, x3);  // 2^6 - 2^0
+
+  ecp_nistz256_sqr_mont(x12, x6);
+  for (int i = 1; i < 6; i++) {
+    ecp_nistz256_sqr_mont(x12, x12);
+  }                                     // 2^12 - 2^6
+  ecp_nistz256_mul_mont(x12, x12, x6);  // 2^12 - 2^0
+
+  ecp_nistz256_sqr_mont(x15, x12);
+  for (int i = 1; i < 3; i++) {
+    ecp_nistz256_sqr_mont(x15, x15);
+  }                                     // 2^15 - 2^3
+  ecp_nistz256_mul_mont(x15, x15, x3);  // 2^15 - 2^0
+
+  ecp_nistz256_sqr_mont(x30, x15);
+  for (int i = 1; i < 15; i++) {
+    ecp_nistz256_sqr_mont(x30, x30);
+  }                                      // 2^30 - 2^15
+  ecp_nistz256_mul_mont(x30, x30, x15);  // 2^30 - 2^0
+
+  ecp_nistz256_sqr_mont(x32, x30);
+  ecp_nistz256_sqr_mont(x32, x32);      // 2^32 - 2^2
+  ecp_nistz256_mul_mont(x32, x32, x2);  // 2^32 - 2^0
+
+  BN_ULONG ret[P256_LIMBS];
+  ecp_nistz256_sqr_mont(ret, x32);
+  for (int i = 1; i < 31 + 1; i++) {
+    ecp_nistz256_sqr_mont(ret, ret);
+  }                                     // 2^64 - 2^32
+  ecp_nistz256_mul_mont(ret, ret, in);  // 2^64 - 2^32 + 2^0
+
+  for (int i = 0; i < 96 + 32; i++) {
+    ecp_nistz256_sqr_mont(ret, ret);
+  }                                      // 2^192 - 2^160 + 2^128
+  ecp_nistz256_mul_mont(ret, ret, x32);  // 2^192 - 2^160 + 2^128 + 2^32 - 2^0
+
+  for (int i = 0; i < 32; i++) {
+    ecp_nistz256_sqr_mont(ret, ret);
+  }                                      // 2^224 - 2^192 + 2^160 + 2^64 - 2^32
+  ecp_nistz256_mul_mont(ret, ret, x32);  // 2^224 - 2^192 + 2^160 + 2^64 - 2^0
+
+  for (int i = 0; i < 30; i++) {
+    ecp_nistz256_sqr_mont(ret, ret);
+  }                                      // 2^254 - 2^222 + 2^190 + 2^94 - 2^30
+  ecp_nistz256_mul_mont(ret, ret, x30);  // 2^254 - 2^222 + 2^190 + 2^94 - 2^0
+
+  ecp_nistz256_sqr_mont(ret, ret);
+  ecp_nistz256_sqr_mont(r, ret);  // 2^256 - 2^224 + 2^192 + 2^96 - 2^2
 }
 
 // r = p * p_scalar
@@ -207,8 +194,8 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r,
   assert(p_scalar != NULL);
   assert(group->field.width == P256_LIMBS);
 
-  static const unsigned kWindowSize = 5;
-  static const unsigned kMask = (1 << (5 /* kWindowSize */ + 1)) - 1;
+  static const size_t kWindowSize = 5;
+  static const crypto_word_t kMask = (1 << (5 /* kWindowSize */ + 1)) - 1;
 
   // A |P256_POINT| is (3 * 32) = 96 bytes, and the 64-byte alignment should
   // add no more than 63 bytes of overhead. Thus, |table| should require
@@ -245,17 +232,17 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r,
 
   BN_ULONG tmp[P256_LIMBS];
   alignas(32) P256_POINT h;
-  unsigned index = 255;
-  unsigned wvalue = p_str[(index - 1) / 8];
+  size_t index = 255;
+  crypto_word_t wvalue = p_str[(index - 1) / 8];
   wvalue = (wvalue >> ((index - 1) % 8)) & kMask;
 
   ecp_nistz256_select_w5(r, table, booth_recode_w5(wvalue) >> 1);
 
   while (index >= 5) {
     if (index != 255) {
-      unsigned off = (index - 1) / 8;
+      size_t off = (index - 1) / 8;
 
-      wvalue = p_str[off] | p_str[off + 1] << 8;
+      wvalue = (crypto_word_t)p_str[off] | (crypto_word_t)p_str[off + 1] << 8;
       wvalue = (wvalue >> ((index - 1) % 8)) & kMask;
 
       wvalue = booth_recode_w5(wvalue);
@@ -296,21 +283,22 @@ typedef union {
   P256_POINT_AFFINE a;
 } p256_point_union_t;
 
-static unsigned calc_first_wvalue(unsigned *index, const uint8_t p_str[33]) {
-  static const unsigned kWindowSize = 7;
-  static const unsigned kMask = (1 << (7 /* kWindowSize */ + 1)) - 1;
+static crypto_word_t calc_first_wvalue(size_t *index, const uint8_t p_str[33]) {
+  static const size_t kWindowSize = 7;
+  static const crypto_word_t kMask = (1 << (7 /* kWindowSize */ + 1)) - 1;
   *index = kWindowSize;
 
-  unsigned wvalue = (p_str[0] << 1) & kMask;
+  crypto_word_t wvalue = (p_str[0] << 1) & kMask;
   return booth_recode_w7(wvalue);
 }
 
-static unsigned calc_wvalue(unsigned *index, const uint8_t p_str[33]) {
-  static const unsigned kWindowSize = 7;
-  static const unsigned kMask = (1 << (7 /* kWindowSize */ + 1)) - 1;
+static crypto_word_t calc_wvalue(size_t *index, const uint8_t p_str[33]) {
+  static const size_t kWindowSize = 7;
+  static const crypto_word_t kMask = (1 << (7 /* kWindowSize */ + 1)) - 1;
 
-  const unsigned off = (*index - 1) / 8;
-  unsigned wvalue = p_str[off] | p_str[off + 1] << 8;
+  const size_t off = (*index - 1) / 8;
+  crypto_word_t wvalue =
+      (crypto_word_t)p_str[off] | (crypto_word_t)p_str[off + 1] << 8;
   wvalue = (wvalue >> ((*index - 1) % 8)) & kMask;
   *index += kWindowSize;
 
@@ -338,8 +326,8 @@ static void ecp_nistz256_point_mul_base(const EC_GROUP *group, EC_RAW_POINT *r,
   p_str[32] = 0;
 
   // First window
-  unsigned index = 0;
-  unsigned wvalue = calc_first_wvalue(&index, p_str);
+  size_t index = 0;
+  crypto_word_t wvalue = calc_first_wvalue(&index, p_str);
 
   ecp_nistz256_select_w7(&p.a, ecp_nistz256_precomputed[0], wvalue >> 1);
   ecp_nistz256_neg(p.p.Z, p.p.Y);
@@ -383,8 +371,8 @@ static void ecp_nistz256_points_mul_public(const EC_GROUP *group,
   p_str[32] = 0;
 
   // First window
-  unsigned index = 0;
-  unsigned wvalue = calc_first_wvalue(&index, p_str);
+  size_t index = 0;
+  size_t wvalue = calc_first_wvalue(&index, p_str);
 
   // Convert |p| from affine to Jacobian coordinates. We set Z to zero if |p|
   // is infinity and |ONE| otherwise. |p| was computed from the table, so it
@@ -440,24 +428,17 @@ static int ecp_nistz256_get_affine(const EC_GROUP *group,
   }
 
   BN_ULONG z_inv2[P256_LIMBS];
-  BN_ULONG z_inv3[P256_LIMBS];
   assert(group->field.width == P256_LIMBS);
-  ecp_nistz256_mod_inverse_mont(z_inv3, point->Z.words);
-  ecp_nistz256_sqr_mont(z_inv2, z_inv3);
-
-  // Instead of using |ecp_nistz256_from_mont| to convert the |x| coordinate
-  // and then calling |ecp_nistz256_from_mont| again to convert the |y|
-  // coordinate below, convert the common factor |z_inv2| once now, saving one
-  // reduction.
-  ecp_nistz256_from_mont(z_inv2, z_inv2);
+  ecp_nistz256_mod_inverse_sqr_mont(z_inv2, point->Z.words);
 
   if (x != NULL) {
     ecp_nistz256_mul_mont(x->words, z_inv2, point->X.words);
   }
 
   if (y != NULL) {
-    ecp_nistz256_mul_mont(z_inv3, z_inv3, z_inv2);
-    ecp_nistz256_mul_mont(y->words, z_inv3, point->Y.words);
+    ecp_nistz256_sqr_mont(z_inv2, z_inv2);                            // z^-4
+    ecp_nistz256_mul_mont(y->words, point->Y.words, point->Z.words);  // y * z
+    ecp_nistz256_mul_mont(y->words, y->words, z_inv2);  // y * z^-3
   }
 
   return 1;
@@ -490,8 +471,8 @@ static void ecp_nistz256_dbl(const EC_GROUP *group, EC_RAW_POINT *r,
   OPENSSL_memcpy(r->Z.words, a.Z, P256_LIMBS * sizeof(BN_ULONG));
 }
 
-static void ecp_nistz256_inv_mod_ord(const EC_GROUP *group, EC_SCALAR *out,
-                                     const EC_SCALAR *in) {
+static void ecp_nistz256_inv0_mod_ord(const EC_GROUP *group, EC_SCALAR *out,
+                                      const EC_SCALAR *in) {
   // table[i] stores a power of |in| corresponding to the matching enum value.
   enum {
     // The following indices specify the power in binary.
@@ -571,12 +552,12 @@ static void ecp_nistz256_inv_mod_ord(const EC_GROUP *group, EC_SCALAR *out,
   }
 }
 
-static int ecp_nistz256_mont_inv_mod_ord_vartime(const EC_GROUP *group,
+static int ecp_nistz256_scalar_to_montgomery_inv_vartime(const EC_GROUP *group,
                                                  EC_SCALAR *out,
                                                  const EC_SCALAR *in) {
   if ((OPENSSL_ia32cap_get()[1] & (1 << 28)) == 0) {
     // No AVX support; fallback to generic code.
-    return ec_GFp_simple_mont_inv_mod_ord_vartime(group, out, in);
+    return ec_simple_scalar_to_montgomery_inv_vartime(group, out, in);
   }
 
   assert(group->order.width == P256_LIMBS);
@@ -640,10 +621,11 @@ DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistz256_method) {
   out->mul_public = ecp_nistz256_points_mul_public;
   out->felem_mul = ec_GFp_mont_felem_mul;
   out->felem_sqr = ec_GFp_mont_felem_sqr;
-  out->bignum_to_felem = ec_GFp_mont_bignum_to_felem;
-  out->felem_to_bignum = ec_GFp_mont_felem_to_bignum;
-  out->scalar_inv_montgomery = ecp_nistz256_inv_mod_ord;
-  out->scalar_inv_montgomery_vartime = ecp_nistz256_mont_inv_mod_ord_vartime;
+  out->felem_to_bytes = ec_GFp_mont_felem_to_bytes;
+  out->felem_from_bytes = ec_GFp_mont_felem_from_bytes;
+  out->scalar_inv0_montgomery = ecp_nistz256_inv0_mod_ord;
+  out->scalar_to_montgomery_inv_vartime =
+      ecp_nistz256_scalar_to_montgomery_inv_vartime;
   out->cmp_x_coordinate = ecp_nistz256_cmp_x_coordinate;
 }
 

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c

@@ -0,0 +1,740 @@
+/* Copyright (c) 2020, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+// An implementation of the NIST P-256 elliptic curve point multiplication.
+// 256-bit Montgomery form for 64 and 32-bit. Field operations are generated by
+// Fiat, which lives in //third_party/fiat.
+
+#include <openssl/base.h>
+
+#include <openssl/bn.h>
+#include <openssl/ec.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+#include <openssl/type_check.h>
+
+#include <assert.h>
+#include <string.h>
+
+#include "../../internal.h"
+#include "../delocate.h"
+#include "./internal.h"
+
+
+// MSVC does not implement uint128_t, and crashes with intrinsics
+#if defined(BORINGSSL_HAS_UINT128)
+#define BORINGSSL_NISTP256_64BIT 1
+#include "../../../third_party/fiat/p256_64.h"
+#else
+#include "../../../third_party/fiat/p256_32.h"
+#endif
+
+
+// utility functions, handwritten
+
+#if defined(BORINGSSL_NISTP256_64BIT)
+#define FIAT_P256_NLIMBS 4
+typedef uint64_t fiat_p256_limb_t;
+typedef uint64_t fiat_p256_felem[FIAT_P256_NLIMBS];
+static const fiat_p256_felem fiat_p256_one = {0x1, 0xffffffff00000000,
+                                              0xffffffffffffffff, 0xfffffffe};
+#else  // 64BIT; else 32BIT
+#define FIAT_P256_NLIMBS 8
+typedef uint32_t fiat_p256_limb_t;
+typedef uint32_t fiat_p256_felem[FIAT_P256_NLIMBS];
+static const fiat_p256_felem fiat_p256_one = {
+    0x1, 0x0, 0x0, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0x0};
+#endif  // 64BIT
+
+
+static fiat_p256_limb_t fiat_p256_nz(
+    const fiat_p256_limb_t in1[FIAT_P256_NLIMBS]) {
+  fiat_p256_limb_t ret;
+  fiat_p256_nonzero(&ret, in1);
+  return ret;
+}
+
+static void fiat_p256_copy(fiat_p256_limb_t out[FIAT_P256_NLIMBS],
+                           const fiat_p256_limb_t in1[FIAT_P256_NLIMBS]) {
+  for (size_t i = 0; i < FIAT_P256_NLIMBS; i++) {
+    out[i] = in1[i];
+  }
+}
+
+static void fiat_p256_cmovznz(fiat_p256_limb_t out[FIAT_P256_NLIMBS],
+                              fiat_p256_limb_t t,
+                              const fiat_p256_limb_t z[FIAT_P256_NLIMBS],
+                              const fiat_p256_limb_t nz[FIAT_P256_NLIMBS]) {
+  fiat_p256_selectznz(out, !!t, z, nz);
+}
+
+static void fiat_p256_from_generic(fiat_p256_felem out, const EC_FELEM *in) {
+  fiat_p256_from_bytes(out, in->bytes);
+}
+
+static void fiat_p256_to_generic(EC_FELEM *out, const fiat_p256_felem in) {
+  // This works because 256 is a multiple of 64, so there are no excess bytes to
+  // zero when rounding up to |BN_ULONG|s.
+  OPENSSL_STATIC_ASSERT(
+      256 / 8 == sizeof(BN_ULONG) * ((256 + BN_BITS2 - 1) / BN_BITS2),
+      "fiat_p256_to_bytes leaves bytes uninitialized");
+  fiat_p256_to_bytes(out->bytes, in);
+}
+
+// fiat_p256_inv_square calculates |out| = |in|^{-2}
+//
+// Based on Fermat's Little Theorem:
+//   a^p = a (mod p)
+//   a^{p-1} = 1 (mod p)
+//   a^{p-3} = a^{-2} (mod p)
+static void fiat_p256_inv_square(fiat_p256_felem out,
+                                 const fiat_p256_felem in) {
+  // This implements the addition chain described in
+  // https://briansmith.org/ecc-inversion-addition-chains-01#p256_field_inversion
+  fiat_p256_felem x2, x3, x6, x12, x15, x30, x32;
+  fiat_p256_square(x2, in);   // 2^2 - 2^1
+  fiat_p256_mul(x2, x2, in);  // 2^2 - 2^0
+
+  fiat_p256_square(x3, x2);   // 2^3 - 2^1
+  fiat_p256_mul(x3, x3, in);  // 2^3 - 2^0
+
+  fiat_p256_square(x6, x3);
+  for (int i = 1; i < 3; i++) {
+    fiat_p256_square(x6, x6);
+  }                           // 2^6 - 2^3
+  fiat_p256_mul(x6, x6, x3);  // 2^6 - 2^0
+
+  fiat_p256_square(x12, x6);
+  for (int i = 1; i < 6; i++) {
+    fiat_p256_square(x12, x12);
+  }                             // 2^12 - 2^6
+  fiat_p256_mul(x12, x12, x6);  // 2^12 - 2^0
+
+  fiat_p256_square(x15, x12);
+  for (int i = 1; i < 3; i++) {
+    fiat_p256_square(x15, x15);
+  }                             // 2^15 - 2^3
+  fiat_p256_mul(x15, x15, x3);  // 2^15 - 2^0
+
+  fiat_p256_square(x30, x15);
+  for (int i = 1; i < 15; i++) {
+    fiat_p256_square(x30, x30);
+  }                              // 2^30 - 2^15
+  fiat_p256_mul(x30, x30, x15);  // 2^30 - 2^0
+
+  fiat_p256_square(x32, x30);
+  fiat_p256_square(x32, x32);   // 2^32 - 2^2
+  fiat_p256_mul(x32, x32, x2);  // 2^32 - 2^0
+
+  fiat_p256_felem ret;
+  fiat_p256_square(ret, x32);
+  for (int i = 1; i < 31 + 1; i++) {
+    fiat_p256_square(ret, ret);
+  }                             // 2^64 - 2^32
+  fiat_p256_mul(ret, ret, in);  // 2^64 - 2^32 + 2^0
+
+  for (int i = 0; i < 96 + 32; i++) {
+    fiat_p256_square(ret, ret);
+  }                              // 2^192 - 2^160 + 2^128
+  fiat_p256_mul(ret, ret, x32);  // 2^192 - 2^160 + 2^128 + 2^32 - 2^0
+
+  for (int i = 0; i < 32; i++) {
+    fiat_p256_square(ret, ret);
+  }                              // 2^224 - 2^192 + 2^160 + 2^64 - 2^32
+  fiat_p256_mul(ret, ret, x32);  // 2^224 - 2^192 + 2^160 + 2^64 - 2^0
+
+  for (int i = 0; i < 30; i++) {
+    fiat_p256_square(ret, ret);
+  }                              // 2^254 - 2^222 + 2^190 + 2^94 - 2^30
+  fiat_p256_mul(ret, ret, x30);  // 2^254 - 2^222 + 2^190 + 2^94 - 2^0
+
+  fiat_p256_square(ret, ret);
+  fiat_p256_square(out, ret);  // 2^256 - 2^224 + 2^192 + 2^96 - 2^2
+}
+
+// Group operations
+// ----------------
+//
+// Building on top of the field operations we have the operations on the
+// elliptic curve group itself. Points on the curve are represented in Jacobian
+// coordinates.
+//
+// Both operations were transcribed to Coq and proven to correspond to naive
+// implementations using Affine coordinates, for all suitable fields.  In the
+// Coq proofs, issues of constant-time execution and memory layout (aliasing)
+// conventions were not considered. Specification of affine coordinates:
+// <https://github.com/mit-plv/fiat-crypto/blob/79f8b5f39ed609339f0233098dee1a3c4e6b3080/src/Spec/WeierstrassCurve.v#L28>
+// As a sanity check, a proof that these points form a commutative group:
+// <https://github.com/mit-plv/fiat-crypto/blob/79f8b5f39ed609339f0233098dee1a3c4e6b3080/src/Curves/Weierstrass/AffineProofs.v#L33>
+
+// fiat_p256_point_double calculates 2*(x_in, y_in, z_in)
+//
+// The method is taken from:
+//   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
+//
+// Coq transcription and correctness proof:
+// <https://github.com/mit-plv/fiat-crypto/blob/79f8b5f39ed609339f0233098dee1a3c4e6b3080/src/Curves/Weierstrass/Jacobian.v#L93>
+// <https://github.com/mit-plv/fiat-crypto/blob/79f8b5f39ed609339f0233098dee1a3c4e6b3080/src/Curves/Weierstrass/Jacobian.v#L201>
+//
+// Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed.
+// while x_out == y_in is not (maybe this works, but it's not tested).
+static void fiat_p256_point_double(fiat_p256_felem x_out, fiat_p256_felem y_out,
+                                   fiat_p256_felem z_out,
+                                   const fiat_p256_felem x_in,
+                                   const fiat_p256_felem y_in,
+                                   const fiat_p256_felem z_in) {
+  fiat_p256_felem delta, gamma, beta, ftmp, ftmp2, tmptmp, alpha, fourbeta;
+  // delta = z^2
+  fiat_p256_square(delta, z_in);
+  // gamma = y^2
+  fiat_p256_square(gamma, y_in);
+  // beta = x*gamma
+  fiat_p256_mul(beta, x_in, gamma);
+
+  // alpha = 3*(x-delta)*(x+delta)
+  fiat_p256_sub(ftmp, x_in, delta);
+  fiat_p256_add(ftmp2, x_in, delta);
+
+  fiat_p256_add(tmptmp, ftmp2, ftmp2);
+  fiat_p256_add(ftmp2, ftmp2, tmptmp);
+  fiat_p256_mul(alpha, ftmp, ftmp2);
+
+  // x' = alpha^2 - 8*beta
+  fiat_p256_square(x_out, alpha);
+  fiat_p256_add(fourbeta, beta, beta);
+  fiat_p256_add(fourbeta, fourbeta, fourbeta);
+  fiat_p256_add(tmptmp, fourbeta, fourbeta);
+  fiat_p256_sub(x_out, x_out, tmptmp);
+
+  // z' = (y + z)^2 - gamma - delta
+  fiat_p256_add(delta, gamma, delta);
+  fiat_p256_add(ftmp, y_in, z_in);
+  fiat_p256_square(z_out, ftmp);
+  fiat_p256_sub(z_out, z_out, delta);
+
+  // y' = alpha*(4*beta - x') - 8*gamma^2
+  fiat_p256_sub(y_out, fourbeta, x_out);
+  fiat_p256_add(gamma, gamma, gamma);
+  fiat_p256_square(gamma, gamma);
+  fiat_p256_mul(y_out, alpha, y_out);
+  fiat_p256_add(gamma, gamma, gamma);
+  fiat_p256_sub(y_out, y_out, gamma);
+}
+
+// fiat_p256_point_add calculates (x1, y1, z1) + (x2, y2, z2)
+//
+// The method is taken from:
+//   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
+// adapted for mixed addition (z2 = 1, or z2 = 0 for the point at infinity).
+//
+// Coq transcription and correctness proof:
+// <https://github.com/mit-plv/fiat-crypto/blob/79f8b5f39ed609339f0233098dee1a3c4e6b3080/src/Curves/Weierstrass/Jacobian.v#L135>
+// <https://github.com/mit-plv/fiat-crypto/blob/79f8b5f39ed609339f0233098dee1a3c4e6b3080/src/Curves/Weierstrass/Jacobian.v#L205>
+//
+// This function includes a branch for checking whether the two input points
+// are equal, (while not equal to the point at infinity). This case never
+// happens during single point multiplication, so there is no timing leak for
+// ECDH or ECDSA signing.
+static void fiat_p256_point_add(fiat_p256_felem x3, fiat_p256_felem y3,
+                                fiat_p256_felem z3, const fiat_p256_felem x1,
+                                const fiat_p256_felem y1,
+                                const fiat_p256_felem z1, const int mixed,
+                                const fiat_p256_felem x2,
+                                const fiat_p256_felem y2,
+                                const fiat_p256_felem z2) {
+  fiat_p256_felem x_out, y_out, z_out;
+  fiat_p256_limb_t z1nz = fiat_p256_nz(z1);
+  fiat_p256_limb_t z2nz = fiat_p256_nz(z2);
+
+  // z1z1 = z1z1 = z1**2
+  fiat_p256_felem z1z1;
+  fiat_p256_square(z1z1, z1);
+
+  fiat_p256_felem u1, s1, two_z1z2;
+  if (!mixed) {
+    // z2z2 = z2**2
+    fiat_p256_felem z2z2;
+    fiat_p256_square(z2z2, z2);
+
+    // u1 = x1*z2z2
+    fiat_p256_mul(u1, x1, z2z2);
+
+    // two_z1z2 = (z1 + z2)**2 - (z1z1 + z2z2) = 2z1z2
+    fiat_p256_add(two_z1z2, z1, z2);
+    fiat_p256_square(two_z1z2, two_z1z2);
+    fiat_p256_sub(two_z1z2, two_z1z2, z1z1);
+    fiat_p256_sub(two_z1z2, two_z1z2, z2z2);
+
+    // s1 = y1 * z2**3
+    fiat_p256_mul(s1, z2, z2z2);
+    fiat_p256_mul(s1, s1, y1);
+  } else {
+    // We'll assume z2 = 1 (special case z2 = 0 is handled later).
+
+    // u1 = x1*z2z2
+    fiat_p256_copy(u1, x1);
+    // two_z1z2 = 2z1z2
+    fiat_p256_add(two_z1z2, z1, z1);
+    // s1 = y1 * z2**3
+    fiat_p256_copy(s1, y1);
+  }
+
+  // u2 = x2*z1z1
+  fiat_p256_felem u2;
+  fiat_p256_mul(u2, x2, z1z1);
+
+  // h = u2 - u1
+  fiat_p256_felem h;
+  fiat_p256_sub(h, u2, u1);
+
+  fiat_p256_limb_t xneq = fiat_p256_nz(h);
+
+  // z_out = two_z1z2 * h
+  fiat_p256_mul(z_out, h, two_z1z2);
+
+  // z1z1z1 = z1 * z1z1
+  fiat_p256_felem z1z1z1;
+  fiat_p256_mul(z1z1z1, z1, z1z1);
+
+  // s2 = y2 * z1**3
+  fiat_p256_felem s2;
+  fiat_p256_mul(s2, y2, z1z1z1);
+
+  // r = (s2 - s1)*2
+  fiat_p256_felem r;
+  fiat_p256_sub(r, s2, s1);
+  fiat_p256_add(r, r, r);
+
+  fiat_p256_limb_t yneq = fiat_p256_nz(r);
+
+  fiat_p256_limb_t is_nontrivial_double = constant_time_is_zero_w(xneq | yneq) &
+                                          ~constant_time_is_zero_w(z1nz) &
+                                          ~constant_time_is_zero_w(z2nz);
+  if (is_nontrivial_double) {
+    fiat_p256_point_double(x3, y3, z3, x1, y1, z1);
+    return;
+  }
+
+  // I = (2h)**2
+  fiat_p256_felem i;
+  fiat_p256_add(i, h, h);
+  fiat_p256_square(i, i);
+
+  // J = h * I
+  fiat_p256_felem j;
+  fiat_p256_mul(j, h, i);
+
+  // V = U1 * I
+  fiat_p256_felem v;
+  fiat_p256_mul(v, u1, i);
+
+  // x_out = r**2 - J - 2V
+  fiat_p256_square(x_out, r);
+  fiat_p256_sub(x_out, x_out, j);
+  fiat_p256_sub(x_out, x_out, v);
+  fiat_p256_sub(x_out, x_out, v);
+
+  // y_out = r(V-x_out) - 2 * s1 * J
+  fiat_p256_sub(y_out, v, x_out);
+  fiat_p256_mul(y_out, y_out, r);
+  fiat_p256_felem s1j;
+  fiat_p256_mul(s1j, s1, j);
+  fiat_p256_sub(y_out, y_out, s1j);
+  fiat_p256_sub(y_out, y_out, s1j);
+
+  fiat_p256_cmovznz(x_out, z1nz, x2, x_out);
+  fiat_p256_cmovznz(x3, z2nz, x1, x_out);
+  fiat_p256_cmovznz(y_out, z1nz, y2, y_out);
+  fiat_p256_cmovznz(y3, z2nz, y1, y_out);
+  fiat_p256_cmovznz(z_out, z1nz, z2, z_out);
+  fiat_p256_cmovznz(z3, z2nz, z1, z_out);
+}
+
+#include "./p256_table.h"
+
+// fiat_p256_select_point_affine selects the |idx-1|th point from a
+// precomputation table and copies it to out. If |idx| is zero, the output is
+// the point at infinity.
+static void fiat_p256_select_point_affine(
+    const fiat_p256_limb_t idx, size_t size,
+    const fiat_p256_felem pre_comp[/*size*/][2], fiat_p256_felem out[3]) {
+  OPENSSL_memset(out, 0, sizeof(fiat_p256_felem) * 3);
+  for (size_t i = 0; i < size; i++) {
+    fiat_p256_limb_t mismatch = i ^ (idx - 1);
+    fiat_p256_cmovznz(out[0], mismatch, pre_comp[i][0], out[0]);
+    fiat_p256_cmovznz(out[1], mismatch, pre_comp[i][1], out[1]);
+  }
+  fiat_p256_cmovznz(out[2], idx, out[2], fiat_p256_one);
+}
+
+// fiat_p256_select_point selects the |idx|th point from a precomputation table
+// and copies it to out.
+static void fiat_p256_select_point(const fiat_p256_limb_t idx, size_t size,
+                                   const fiat_p256_felem pre_comp[/*size*/][3],
+                                   fiat_p256_felem out[3]) {
+  OPENSSL_memset(out, 0, sizeof(fiat_p256_felem) * 3);
+  for (size_t i = 0; i < size; i++) {
+    fiat_p256_limb_t mismatch = i ^ idx;
+    fiat_p256_cmovznz(out[0], mismatch, pre_comp[i][0], out[0]);
+    fiat_p256_cmovznz(out[1], mismatch, pre_comp[i][1], out[1]);
+    fiat_p256_cmovznz(out[2], mismatch, pre_comp[i][2], out[2]);
+  }
+}
+
+// fiat_p256_get_bit returns the |i|th bit in |in|
+static crypto_word_t fiat_p256_get_bit(const uint8_t *in, int i) {
+  if (i < 0 || i >= 256) {
+    return 0;
+  }
+  return (in[i >> 3] >> (i & 7)) & 1;
+}
+
+// OPENSSL EC_METHOD FUNCTIONS
+
+// Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') =
+// (X/Z^2, Y/Z^3).
+static int ec_GFp_nistp256_point_get_affine_coordinates(
+    const EC_GROUP *group, const EC_RAW_POINT *point, EC_FELEM *x_out,
+    EC_FELEM *y_out) {
+  if (ec_GFp_simple_is_at_infinity(group, point)) {
+    OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
+    return 0;
+  }
+
+  fiat_p256_felem z1, z2;
+  fiat_p256_from_generic(z1, &point->Z);
+  fiat_p256_inv_square(z2, z1);
+
+  if (x_out != NULL) {
+    fiat_p256_felem x;
+    fiat_p256_from_generic(x, &point->X);
+    fiat_p256_mul(x, x, z2);
+    fiat_p256_to_generic(x_out, x);
+  }
+
+  if (y_out != NULL) {
+    fiat_p256_felem y;
+    fiat_p256_from_generic(y, &point->Y);
+    fiat_p256_square(z2, z2);  // z^-4
+    fiat_p256_mul(y, y, z1);   // y * z
+    fiat_p256_mul(y, y, z2);   // y * z^-3
+    fiat_p256_to_generic(y_out, y);
+  }
+
+  return 1;
+}
+
+static void ec_GFp_nistp256_add(const EC_GROUP *group, EC_RAW_POINT *r,
+                                const EC_RAW_POINT *a, const EC_RAW_POINT *b) {
+  fiat_p256_felem x1, y1, z1, x2, y2, z2;
+  fiat_p256_from_generic(x1, &a->X);
+  fiat_p256_from_generic(y1, &a->Y);
+  fiat_p256_from_generic(z1, &a->Z);
+  fiat_p256_from_generic(x2, &b->X);
+  fiat_p256_from_generic(y2, &b->Y);
+  fiat_p256_from_generic(z2, &b->Z);
+  fiat_p256_point_add(x1, y1, z1, x1, y1, z1, 0 /* both Jacobian */, x2, y2,
+                      z2);
+  fiat_p256_to_generic(&r->X, x1);
+  fiat_p256_to_generic(&r->Y, y1);
+  fiat_p256_to_generic(&r->Z, z1);
+}
+
+static void ec_GFp_nistp256_dbl(const EC_GROUP *group, EC_RAW_POINT *r,
+                                const EC_RAW_POINT *a) {
+  fiat_p256_felem x, y, z;
+  fiat_p256_from_generic(x, &a->X);
+  fiat_p256_from_generic(y, &a->Y);
+  fiat_p256_from_generic(z, &a->Z);
+  fiat_p256_point_double(x, y, z, x, y, z);
+  fiat_p256_to_generic(&r->X, x);
+  fiat_p256_to_generic(&r->Y, y);
+  fiat_p256_to_generic(&r->Z, z);
+}
+
+static void ec_GFp_nistp256_point_mul(const EC_GROUP *group, EC_RAW_POINT *r,
+                                      const EC_RAW_POINT *p,
+                                      const EC_SCALAR *scalar) {
+  fiat_p256_felem p_pre_comp[17][3];
+  OPENSSL_memset(&p_pre_comp, 0, sizeof(p_pre_comp));
+  // Precompute multiples.
+  fiat_p256_from_generic(p_pre_comp[1][0], &p->X);
+  fiat_p256_from_generic(p_pre_comp[1][1], &p->Y);
+  fiat_p256_from_generic(p_pre_comp[1][2], &p->Z);
+  for (size_t j = 2; j <= 16; ++j) {
+    if (j & 1) {
+      fiat_p256_point_add(p_pre_comp[j][0], p_pre_comp[j][1], p_pre_comp[j][2],
+                          p_pre_comp[1][0], p_pre_comp[1][1], p_pre_comp[1][2],
+                          0, p_pre_comp[j - 1][0], p_pre_comp[j - 1][1],
+                          p_pre_comp[j - 1][2]);
+    } else {
+      fiat_p256_point_double(p_pre_comp[j][0], p_pre_comp[j][1],
+                             p_pre_comp[j][2], p_pre_comp[j / 2][0],
+                             p_pre_comp[j / 2][1], p_pre_comp[j / 2][2]);
+    }
+  }
+
+  // Set nq to the point at infinity.
+  fiat_p256_felem nq[3] = {{0}, {0}, {0}}, ftmp, tmp[3];
+
+  // Loop over |scalar| msb-to-lsb, incorporating |p_pre_comp| every 5th round.
+  int skip = 1;  // Save two point operations in the first round.
+  for (size_t i = 255; i < 256; i--) {
+    // double
+    if (!skip) {
+      fiat_p256_point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
+    }
+
+    // do other additions every 5 doublings
+    if (i % 5 == 0) {
+      crypto_word_t bits = fiat_p256_get_bit(scalar->bytes, i + 4) << 5;
+      bits |= fiat_p256_get_bit(scalar->bytes, i + 3) << 4;
+      bits |= fiat_p256_get_bit(scalar->bytes, i + 2) << 3;
+      bits |= fiat_p256_get_bit(scalar->bytes, i + 1) << 2;
+      bits |= fiat_p256_get_bit(scalar->bytes, i) << 1;
+      bits |= fiat_p256_get_bit(scalar->bytes, i - 1);
+      crypto_word_t sign, digit;
+      ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
+
+      // select the point to add or subtract, in constant time.
+      fiat_p256_select_point((fiat_p256_limb_t)digit, 17,
+                             (const fiat_p256_felem(*)[3])p_pre_comp, tmp);
+      fiat_p256_opp(ftmp, tmp[1]);  // (X, -Y, Z) is the negative point.
+      fiat_p256_cmovznz(tmp[1], (fiat_p256_limb_t)sign, tmp[1], ftmp);
+
+      if (!skip) {
+        fiat_p256_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2],
+                            0 /* mixed */, tmp[0], tmp[1], tmp[2]);
+      } else {
+        fiat_p256_copy(nq[0], tmp[0]);
+        fiat_p256_copy(nq[1], tmp[1]);
+        fiat_p256_copy(nq[2], tmp[2]);
+        skip = 0;
+      }
+    }
+  }
+
+  fiat_p256_to_generic(&r->X, nq[0]);
+  fiat_p256_to_generic(&r->Y, nq[1]);
+  fiat_p256_to_generic(&r->Z, nq[2]);
+}
+
+static void ec_GFp_nistp256_point_mul_base(const EC_GROUP *group,
+                                           EC_RAW_POINT *r,
+                                           const EC_SCALAR *scalar) {
+  // Set nq to the point at infinity.
+  fiat_p256_felem nq[3] = {{0}, {0}, {0}}, tmp[3];
+
+  int skip = 1;  // Save two point operations in the first round.
+  for (size_t i = 31; i < 32; i--) {
+    if (!skip) {
+      fiat_p256_point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
+    }
+
+    // First, look 32 bits upwards.
+    crypto_word_t bits = fiat_p256_get_bit(scalar->bytes, i + 224) << 3;
+    bits |= fiat_p256_get_bit(scalar->bytes, i + 160) << 2;
+    bits |= fiat_p256_get_bit(scalar->bytes, i + 96) << 1;
+    bits |= fiat_p256_get_bit(scalar->bytes, i + 32);
+    // Select the point to add, in constant time.
+    fiat_p256_select_point_affine((fiat_p256_limb_t)bits, 15,
+                                  fiat_p256_g_pre_comp[1], tmp);
+
+    if (!skip) {
+      fiat_p256_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2],
+                          1 /* mixed */, tmp[0], tmp[1], tmp[2]);
+    } else {
+      fiat_p256_copy(nq[0], tmp[0]);
+      fiat_p256_copy(nq[1], tmp[1]);
+      fiat_p256_copy(nq[2], tmp[2]);
+      skip = 0;
+    }
+
+    // Second, look at the current position.
+    bits = fiat_p256_get_bit(scalar->bytes, i + 192) << 3;
+    bits |= fiat_p256_get_bit(scalar->bytes, i + 128) << 2;
+    bits |= fiat_p256_get_bit(scalar->bytes, i + 64) << 1;
+    bits |= fiat_p256_get_bit(scalar->bytes, i);
+    // Select the point to add, in constant time.
+    fiat_p256_select_point_affine((fiat_p256_limb_t)bits, 15,
+                                  fiat_p256_g_pre_comp[0], tmp);
+    fiat_p256_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */,
+                        tmp[0], tmp[1], tmp[2]);
+  }
+
+  fiat_p256_to_generic(&r->X, nq[0]);
+  fiat_p256_to_generic(&r->Y, nq[1]);
+  fiat_p256_to_generic(&r->Z, nq[2]);
+}
+
+static void ec_GFp_nistp256_point_mul_public(const EC_GROUP *group,
+                                             EC_RAW_POINT *r,
+                                             const EC_SCALAR *g_scalar,
+                                             const EC_RAW_POINT *p,
+                                             const EC_SCALAR *p_scalar) {
+#define P256_WSIZE_PUBLIC 4
+  // Precompute multiples of |p|. p_pre_comp[i] is (2*i+1) * |p|.
+  fiat_p256_felem p_pre_comp[1 << (P256_WSIZE_PUBLIC - 1)][3];
+  fiat_p256_from_generic(p_pre_comp[0][0], &p->X);
+  fiat_p256_from_generic(p_pre_comp[0][1], &p->Y);
+  fiat_p256_from_generic(p_pre_comp[0][2], &p->Z);
+  fiat_p256_felem p2[3];
+  fiat_p256_point_double(p2[0], p2[1], p2[2], p_pre_comp[0][0],
+                         p_pre_comp[0][1], p_pre_comp[0][2]);
+  for (size_t i = 1; i < OPENSSL_ARRAY_SIZE(p_pre_comp); i++) {
+    fiat_p256_point_add(p_pre_comp[i][0], p_pre_comp[i][1], p_pre_comp[i][2],
+                        p_pre_comp[i - 1][0], p_pre_comp[i - 1][1],
+                        p_pre_comp[i - 1][2], 0 /* not mixed */, p2[0], p2[1],
+                        p2[2]);
+  }
+
+  // Set up the coefficients for |p_scalar|.
+  int8_t p_wNAF[257];
+  ec_compute_wNAF(group, p_wNAF, p_scalar, 256, P256_WSIZE_PUBLIC);
+
+  // Set |ret| to the point at infinity.
+  int skip = 1;  // Save some point operations.
+  fiat_p256_felem ret[3] = {{0}, {0}, {0}};
+  for (int i = 256; i >= 0; i--) {
+    if (!skip) {
+      fiat_p256_point_double(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2]);
+    }
+
+    // For the |g_scalar|, we use the precomputed table without the
+    // constant-time lookup.
+    if (i <= 31) {
+      // First, look 32 bits upwards.
+      crypto_word_t bits = fiat_p256_get_bit(g_scalar->bytes, i + 224) << 3;
+      bits |= fiat_p256_get_bit(g_scalar->bytes, i + 160) << 2;
+      bits |= fiat_p256_get_bit(g_scalar->bytes, i + 96) << 1;
+      bits |= fiat_p256_get_bit(g_scalar->bytes, i + 32);
+      if (bits != 0) {
+        size_t index = (size_t)(bits - 1);
+        fiat_p256_point_add(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2],
+                            1 /* mixed */, fiat_p256_g_pre_comp[1][index][0],
+                            fiat_p256_g_pre_comp[1][index][1],
+                            fiat_p256_one);
+        skip = 0;
+      }
+
+      // Second, look at the current position.
+      bits = fiat_p256_get_bit(g_scalar->bytes, i + 192) << 3;
+      bits |= fiat_p256_get_bit(g_scalar->bytes, i + 128) << 2;
+      bits |= fiat_p256_get_bit(g_scalar->bytes, i + 64) << 1;
+      bits |= fiat_p256_get_bit(g_scalar->bytes, i);
+      if (bits != 0) {
+        size_t index = (size_t)(bits - 1);
+        fiat_p256_point_add(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2],
+                            1 /* mixed */, fiat_p256_g_pre_comp[0][index][0],
+                            fiat_p256_g_pre_comp[0][index][1],
+                            fiat_p256_one);
+        skip = 0;
+      }
+    }
+
+    int digit = p_wNAF[i];
+    if (digit != 0) {
+      assert(digit & 1);
+      size_t idx = (size_t)(digit < 0 ? (-digit) >> 1 : digit >> 1);
+      fiat_p256_felem *y = &p_pre_comp[idx][1], tmp;
+      if (digit < 0) {
+        fiat_p256_opp(tmp, p_pre_comp[idx][1]);
+        y = &tmp;
+      }
+      if (!skip) {
+        fiat_p256_point_add(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2],
+                            0 /* not mixed */, p_pre_comp[idx][0], *y,
+                            p_pre_comp[idx][2]);
+      } else {
+        fiat_p256_copy(ret[0], p_pre_comp[idx][0]);
+        fiat_p256_copy(ret[1], *y);
+        fiat_p256_copy(ret[2], p_pre_comp[idx][2]);
+        skip = 0;
+      }
+    }
+  }
+
+  fiat_p256_to_generic(&r->X, ret[0]);
+  fiat_p256_to_generic(&r->Y, ret[1]);
+  fiat_p256_to_generic(&r->Z, ret[2]);
+}
+
+static int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group,
+                                            const EC_RAW_POINT *p,
+                                            const EC_SCALAR *r) {
+  if (ec_GFp_simple_is_at_infinity(group, p)) {
+    return 0;
+  }
+
+  // We wish to compare X/Z^2 with r. This is equivalent to comparing X with
+  // r*Z^2. Note that X and Z are represented in Montgomery form, while r is
+  // not.
+  fiat_p256_felem Z2_mont;
+  fiat_p256_from_generic(Z2_mont, &p->Z);
+  fiat_p256_mul(Z2_mont, Z2_mont, Z2_mont);
+
+  fiat_p256_felem r_Z2;
+  fiat_p256_from_bytes(r_Z2, r->bytes);  // r < order < p, so this is valid.
+  fiat_p256_mul(r_Z2, r_Z2, Z2_mont);
+
+  fiat_p256_felem X;
+  fiat_p256_from_generic(X, &p->X);
+  fiat_p256_from_montgomery(X, X);
+
+  if (OPENSSL_memcmp(&r_Z2, &X, sizeof(r_Z2)) == 0) {
+    return 1;
+  }
+
+  // During signing the x coefficient is reduced modulo the group order.
+  // Therefore there is a small possibility, less than 1/2^128, that group_order
+  // < p.x < P. in that case we need not only to compare against |r| but also to
+  // compare against r+group_order.
+  assert(group->field.width == group->order.width);
+  if (bn_less_than_words(r->words, group->field_minus_order.words,
+                         group->field.width)) {
+    // We can ignore the carry because: r + group_order < p < 2^256.
+    EC_FELEM tmp;
+    bn_add_words(tmp.words, r->words, group->order.d, group->order.width);
+    fiat_p256_from_generic(r_Z2, &tmp);
+    fiat_p256_mul(r_Z2, r_Z2, Z2_mont);
+    if (OPENSSL_memcmp(&r_Z2, &X, sizeof(r_Z2)) == 0) {
+      return 1;
+    }
+  }
+
+  return 0;
+}
+
+DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp256_method) {
+  out->group_init = ec_GFp_mont_group_init;
+  out->group_finish = ec_GFp_mont_group_finish;
+  out->group_set_curve = ec_GFp_mont_group_set_curve;
+  out->point_get_affine_coordinates =
+      ec_GFp_nistp256_point_get_affine_coordinates;
+  out->add = ec_GFp_nistp256_add;
+  out->dbl = ec_GFp_nistp256_dbl;
+  out->mul = ec_GFp_nistp256_point_mul;
+  out->mul_base = ec_GFp_nistp256_point_mul_base;
+  out->mul_public = ec_GFp_nistp256_point_mul_public;
+  out->felem_mul = ec_GFp_mont_felem_mul;
+  out->felem_sqr = ec_GFp_mont_felem_sqr;
+  out->felem_to_bytes = ec_GFp_mont_felem_to_bytes;
+  out->felem_from_bytes = ec_GFp_mont_felem_from_bytes;
+  out->scalar_inv0_montgomery = ec_simple_scalar_inv0_montgomery;
+  out->scalar_to_montgomery_inv_vartime =
+      ec_simple_scalar_to_montgomery_inv_vartime;
+  out->cmp_x_coordinate = ec_GFp_nistp256_cmp_x_coordinate;
+}
+
+#undef BORINGSSL_NISTP256_64BIT