Add another option to reduce EC memory usage

Also document speed/memory trade-offs better.
2013-12-30 18:41:16 +01:00 · 2013-12-30 18:41:16 +01:00 · 9e4191c3e7
commit 9e4191c3e7
parent 70896a023e
3 changed files with 31 additions and 3 deletions
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@ -1874,6 +1874,7 @@
 //
 #define POLARSSL_ECP_MAX_BITS             521 /**< Maximum bit size of groups */
 #define POLARSSL_ECP_WINDOW_SIZE            6 /**< Maximum window size used */
+#define POLARSSL_ECP_FIXED_POINT_OPTIM      1 /**< Enable fixed-point speed-up */

 // Entropy options
 //
--- a/include/polarssl/ecp.h
+++ b/include/polarssl/ecp.h
@ -178,11 +178,33 @@ ecp_keypair;
 * Minimum value: 2. Maximum value: 7.
 *
 * Result is an array of at most ( 1 << ( POLARSSL_ECP_WINDOW_SIZE - 1 ) )
- * points used for point multiplication.
+ * points used for point multiplication. This value is directly tied to EC
+ * peak memory usage, so decreasing it by one should roughly cut memory usage
+ * by two (if large curves are in use).
 *
- * Reduction in size may reduce speed for big curves.
+ * Reduction in size may reduce speed, but larger curves are impacted first.
+ * Sample performances (in ECDHE handshakes/s, with FIXED_POINT_OPTIM = 1):
+ *      w-size:     6       5       4       3       2
+ *      521       145     141     135     120      97
+ *      384       214     209     198     177     146
+ *      256       320     320     303     262     226
+ *      224       475     475     453     398     342
+ *      192       640     640     633     587     476
 */
 #define POLARSSL_ECP_WINDOW_SIZE    6   /**< Maximum window size used */
+
+/*
+ * Trade memory for speed on fixed-point multiplication.
+ *
+ * This speeds up repeated multiplication of the generator (that is, the
+ * multiplication in ECDSA signatures, and half of the multiplications in
+ * ECDSA verification and ECDHE) by a factor roughly 3 to 4.
+ *
+ * The cost is increasing EC peak memory usage by a factor roughly 2.
+ *
+ * Change this value to 0 to reduce peak memory usage.
+ */
+#define POLARSSL_ECP_FIXED_POINT_OPTIM  1   /**< Enable fixed-point speed-up */
 #endif

 /*
--- a/library/ecp.c
+++ b/library/ecp.c
@ -1315,12 +1315,17 @@ static int ecp_mul_comb( ecp_group *grp, ecp_point *R,

    /*
     * If P == G, pre-compute a bit more, since this may be re-used later.
-     * Just adding one ups the cost of the first mul by at most 3%.
+     * Just adding one avoids upping the cost of the first mul too much,
+     * and the memory cost too.
     */
+#if POLARSSL_ECP_FIXED_POINT_OPTIM == 1
    p_eq_g = ( mpi_cmp_mpi( &P->Y, &grp->G.Y ) == 0 &&
               mpi_cmp_mpi( &P->X, &grp->G.X ) == 0 );
    if( p_eq_g )
        w++;
+#else
+    p_eq_g = 0;
+#endif

    /*
     * Make sure w is within bounds.