From 7548fbf9adb02f746269058069884addca5032dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Vejpustek?= Date: Sun, 1 Sep 2024 20:52:30 +0200 Subject: [PATCH] refactor(crypto): do not use precomputed table for ed25519 --- crypto/ed25519-donna/ed25519-donna-basepoint-table.c | 3 +++ crypto/ed25519-donna/ed25519-donna-basepoint-table.h | 4 ++++ crypto/ed25519-donna/ed25519-donna-impl-base.c | 5 +++++ 3 files changed, 12 insertions(+) diff --git a/crypto/ed25519-donna/ed25519-donna-basepoint-table.c b/crypto/ed25519-donna/ed25519-donna-basepoint-table.c index cd5d187281..d4c998610e 100644 --- a/crypto/ed25519-donna/ed25519-donna-basepoint-table.c +++ b/crypto/ed25519-donna/ed25519-donna-basepoint-table.c @@ -1,5 +1,7 @@ #include "ed25519-donna.h" +#include "options.h" +#if !OPTIMIZE_SIZE_ED25519 /* multiples of the base point in packed {ysubx, xaddy, t2d} form */ const uint8_t ALIGN(16) ge25519_niels_base_multiples[256][96] = { {0x3e,0x91,0x40,0xd7,0x05,0x39,0x10,0x9d,0xb3,0xbe,0x40,0xd1,0x05,0x9f,0x39,0xfd,0x09,0x8a,0x8f,0x68,0x34,0x84,0xc1,0xa5,0x67,0x12,0xf8,0x98,0x92,0x2f,0xfd,0x44,0x85,0x3b,0x8c,0xf5,0xc6,0x93,0xbc,0x2f,0x19,0x0e,0x8c,0xfb,0xc6,0x2d,0x93,0xcf,0xc2,0x42,0x3d,0x64,0x98,0x48,0x0b,0x27,0x65,0xba,0xd4,0x33,0x3a,0x9d,0xcf,0x07,0x59,0xbb,0x6f,0x4b,0x67,0x15,0xbd,0xdb,0xea,0xa5,0xa2,0xee,0x00,0x3f,0xe1,0x41,0xfa,0xc6,0x57,0xc9,0x1c,0x9d,0xd4,0xcd,0xca,0xec,0x16,0xaf,0x1f,0xbe,0x0e,0x4f}, 
@@ -259,3 +261,4 @@ const uint8_t ALIGN(16) ge25519_niels_base_multiples[256][96] = {
 {0x33,0x3e,0xed,0x2e,0xb3,0x07,0x13,0x46,0xe7,0x81,0x55,0xa4,0x33,0x2f,0x04,0xae,0x66,0x03,0x5f,0x19,0xd3,0x49,0x44,0xc9,0x58,0x48,0x31,0x6c,0x8a,0x5d,0x7d,0x0b,0xb9,0xb0,0x10,0x5e,0xaa,0xaf,0x6a,0x2a,0xa9,0x1a,0x04,0xef,0x70,0xa3,0xf0,0x78,0x1f,0xd6,0x3a,0xaa,0x77,0xfb,0x3e,0x77,0xe1,0xd9,0x4b,0xa7,0xa2,0xa5,0xec,0x44,0x43,0xd5,0x95,0x7b,0x32,0x48,0xd4,0x25,0x1d,0x0f,0x34,0xa3,0x00,0x83,0xd3,0x70,0x2b,0xc5,0xe1,0x60,0x1c,0x53,0x1c,0xde,0xe4,0xe9,0x7d,0x2c,0x51,0x24,0x22,0x27},
 {0x2e,0x34,0xc5,0x49,0xaf,0x92,0xbc,0x1a,0xd0,0xfa,0xe6,0xb2,0x11,0xd8,0xee,0xff,0x29,0x4e,0xc8,0xfc,0x8d,0x8c,0xa2,0xef,0x43,0xc5,0x4c,0xa4,0x18,0xdf,0xb5,0x11,0xfc,0x75,0xa9,0x42,0x8a,0xbb,0x7b,0xbf,0x58,0xa3,0xad,0x96,0x77,0x39,0x5c,0x8c,0x48,0xaa,0xed,0xcd,0x6f,0xc7,0x7f,0xe2,0xa6,0x20,0xbc,0xf6,0xd7,0x5f,0x73,0x19,0x66,0x42,0xc8,0x42,0xd0,0x90,0xab,0xe3,0x7e,0x54,0x19,0x7f,0x0f,0x8e,0x84,0xeb,0xb9,0x97,0xa4,0x65,0xd0,0xa1,0x03,0x25,0x5f,0x89,0xdf,0x91,0x11,0x91,0xef,0x0f}
 };
+#endif
diff --git a/crypto/ed25519-donna/ed25519-donna-basepoint-table.h b/crypto/ed25519-donna/ed25519-donna-basepoint-table.h
index 9c0cdfc0cf..bb2485d111 100644
--- a/crypto/ed25519-donna/ed25519-donna-basepoint-table.h
+++ b/crypto/ed25519-donna/ed25519-donna-basepoint-table.h
@@ -1,2 +1,6 @@
+#include "options.h"
+
+#if !OPTIMIZE_SIZE_ED25519
 /* multiples of the base point in packed {ysubx, xaddy, t2d} form */
 extern const uint8_t ALIGN(16) ge25519_niels_base_multiples[256][96];
+#endif
diff --git a/crypto/ed25519-donna/ed25519-donna-impl-base.c b/crypto/ed25519-donna/ed25519-donna-impl-base.c
index 4598c3923f..f186677cc8 100644
--- a/crypto/ed25519-donna/ed25519-donna-impl-base.c
+++ b/crypto/ed25519-donna/ed25519-donna-impl-base.c
@@ -1,6 +1,7 @@ #include #include "ed25519-donna.h" #include "memzero.h" +#include "options.h" /* sqrt(x) is such an integer y that 0 <= y <= p - 1, y % 2 = 0, and y^2 = x (mod p). */ /* d = -121665 / 121666 */ @@ -726,5 +727,9 @@ int ge25519_unpack_vartime(ge25519 *r, const unsigned char *s){ } void ge25519_scalarmult_base_wrapper(ge25519 *r, const bignum256modm s){ +#if OPTIMIZE_SIZE_ED25519 + ge25519_scalarmult(r, &ge25519_basepoint, s); +#else ge25519_scalarmult_base_niels(r, ge25519_niels_base_multiples, s); +#endif }
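Review bot: In `ge25519_scalarmult_base_wrapper`, the `OPTIMIZE_SIZE_ED25519` branch swaps the fixed-base table routine for the general `ge25519_scalarmult`, which changes the algorithm on a path that presumably carries secret scalars (key generation and signing), so it is more than a refactor. Neither function body is visible in this hunk, so the patch does not show that the new branch is constant-time with respect to `s`; that should be confirmed and recorded above the `#if`, for example `/* s may be secret: both branches must be constant-time in s */`. Because the two builds now reach the same point through different code, the known-answer tests should run with the option both on and off. The `#if` here, and the `#if !OPTIMIZE_SIZE_ED25519` guards in the table `.c` and `.h` hunks, treat an undefined macro as 0, so they rely on `options.h` (not shown) always defining it.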