EC2M Lopez-Dahab ladder implementation

This commit uses the new ladder scaffold to implement a specialized
ladder step based on differential addition-and-doubling in mixed
Lopez-Dahab projective coordinates, modified to independently blind the
operands.

The arithmetic in `ladder_pre`, `ladder_step` and `ladder_post` is
auto generated with tooling:
- see, e.g., "Guide to ECC" Alg 3.40 for reference about the
  `ladder_pre` implementation;
- see https://www.hyperelliptic.org/EFD/g12o/auto-code/shortw/xz/ladder/mladd-2003-s.op3
  for the differential addition-and-doubling formulas implemented in
  `ladder_step`;
- see, e.g., "Fast Multiplication on Elliptic Curves over GF(2**m)
  without Precomputation" (Lopez and Dahab, CHES 1999) Appendix Alg Mxy
  for the `ladder_post` implementation to recover the `(x,y)` result in
  affine coordinates.

Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6690)

1 files changed, 4 insertions, 0 deletions

diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c
index 6e701e2..6c1d9b7 100644
--- a/crypto/ec/ec_err.c
+++ b/crypto/ec/ec_err.c
@@ -70,6 +70,10 @@ static const ERR_STRING_DATA EC_str_functs[] = {
      "ec_GF2m_simple_group_check_discriminant"},
     {ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE, 0),
      "ec_GF2m_simple_group_set_curve"},
+    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_LADDER_POST, 0),
+     "ec_GF2m_simple_ladder_post"},
+    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_LADDER_PRE, 0),
+     "ec_GF2m_simple_ladder_pre"},
     {ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_OCT2POINT, 0),
      "ec_GF2m_simple_oct2point"},
     {ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_POINT2OCT, 0),