Skip to content

ECDSA remove branching from the FSM #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
peter-drotos merged 1 commit into from
Mar 11, 2026
Merged

ECDSA remove branching from the FSM #9

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 24 additions & 31 deletions src/ecdsa.ml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,7 @@ module Config = struct
let gpq_y = Z.of_string "0x388f7b0f632de8140fe337e62a37f3566500a99934c2231b6cb9fd7584b8e672"
let gpq_z = Z.one

(* Point at infinity *)
(* Point at infinity (z = 0) *)
let infinity_x = Z.zero
let infinity_y = Z.one
let infinity_z = Z.zero
Expand Down Expand Up @@ -229,6 +229,10 @@ let create scope (i : _ I.t) =
let reg_file = Array.init Config.num_regs ~f:(fun _ -> Variable.reg spec ~width) in

(* Hardcoded point constants *)
let const_infx = of_z ~width Config.infinity_x in
let const_infy = of_z ~width Config.infinity_y in
let const_infz = of_z ~width Config.infinity_z in

let const_gx = of_z ~width Config.generator_x in
let const_gy = of_z ~width Config.generator_y in
let const_gz = of_z ~width Config.generator_z in
Expand Down Expand Up @@ -263,9 +267,6 @@ let create scope (i : _ I.t) =
let current_bit_u1 = bit_select_dynamic u1_reg.value bit_pos.value in
let current_bit_u2 = bit_select_dynamic u2_reg.value bit_pos.value in

(* Check if P is point at infinity (z1 = 0) *)
let p_is_infinity = reg_file.(Config.z1).value ==:. 0 in

(* Unified instruction decode over full program *)
let pc_decode field w =
mux pc.value
Expand Down Expand Up @@ -346,9 +347,9 @@ let create scope (i : _ I.t) =
bit_pos <-- ones bit_cnt_width;
doubling <-- vdd;
last_step <-- gnd;
reg_file.(Config.x1) <-- of_z ~width Config.infinity_x;
reg_file.(Config.y1) <-- of_z ~width Config.infinity_y;
reg_file.(Config.z1) <-- of_z ~width Config.infinity_z;
reg_file.(Config.x1) <-- const_infx;
reg_file.(Config.y1) <-- const_infy;
reg_file.(Config.z1) <-- const_infz;

sm.set_next Loop;
];
Expand All @@ -365,17 +366,13 @@ let create scope (i : _ I.t) =
(* In Doubling phase, next will be Adding *)
doubling <-- gnd;

(* only calculate if P != infinity, can be skipped otherwise *)
if_ (~:p_is_infinity) [
(* Initialize and start point_add program *)
reg_file.(Config.x2) <-- reg_file.(Config.x1).value;
reg_file.(Config.y2) <-- reg_file.(Config.y1).value;
reg_file.(Config.z2) <-- reg_file.(Config.z1).value;
pc <--. point_add_start;
sm.set_next Run_point_add;
] [
sm.set_next Loop;
];
(* could skip the doubling if P is infinity, but do it anyway for side-channel resistance *)
(* Initialize and start point_add program *)
reg_file.(Config.x2) <-- reg_file.(Config.x1).value;
reg_file.(Config.y2) <-- reg_file.(Config.y1).value;
reg_file.(Config.z2) <-- reg_file.(Config.z1).value;
pc <--. point_add_start;
sm.set_next Run_point_add;
]
@@ [
(* In Adding phase, next will be Doubling *)
Expand All @@ -384,19 +381,15 @@ let create scope (i : _ I.t) =
last_step <-- (bit_pos.value ==:. 0);
bit_pos <-- bit_pos.value -:. 1;

(* add only needed if either of the current u1 or u2 bits is set, skip otherwise *)
if_ (current_bit_u1 ||: current_bit_u2) [
(* Initialize and start point_add program *)
(* Shamir's trick: adding G, Q or precomputed G+Q *)
(* Reminder: R = u1*G + u2*Q *)
reg_file.(Config.x2) <-- mux2 ~:current_bit_u2 const_gx (mux2 ~:current_bit_u1 const_qx const_gpqx);
reg_file.(Config.y2) <-- mux2 ~:current_bit_u2 const_gy (mux2 ~:current_bit_u1 const_qy const_gpqy);
reg_file.(Config.z2) <-- mux2 ~:current_bit_u2 const_gz (mux2 ~:current_bit_u1 const_qz const_gpqz);
pc <--. point_add_start;
sm.set_next Run_point_add;
] [
sm.set_next Loop;
];
(* could skip the add if both bits are zero, but do it anyway for side-channel resistance *)
(* Initialize and start point_add program *)
(* Shamir's trick: adding G, Q or precomputed G+Q *)
(* Reminder: R = u1*G + u2*Q *)
reg_file.(Config.x2) <-- mux2 ~:current_bit_u2 (mux2 ~:current_bit_u1 const_infx const_gx) (mux2 ~:current_bit_u1 const_qx const_gpqx);
reg_file.(Config.y2) <-- mux2 ~:current_bit_u2 (mux2 ~:current_bit_u1 const_infy const_gy) (mux2 ~:current_bit_u1 const_qy const_gpqy);
reg_file.(Config.z2) <-- mux2 ~:current_bit_u2 (mux2 ~:current_bit_u1 const_infz const_gz) (mux2 ~:current_bit_u1 const_qz const_gpqz);
pc <--. point_add_start;
sm.set_next Run_point_add;
];
];

Expand Down