Make WINDOW_G configurable

This makes WINDOW_G a configurable value in the range of [2..24].
The upper limit of 24 is a defensive choice. The code is probably
correct for values up to 33 but those larger values yield in huge
tables (>= 256MiB), which are i) unlikely to be really benefitial
in practice and ii) increasingly difficult to test.

Author: real-or-random

configure.ac

@@ -151,6 +151,16 @@ AC_ARG_WITH([scalar], [AS_HELP_STRING([--with-scalar=64bit|32bit|auto],
 AC_ARG_WITH([asm], [AS_HELP_STRING([--with-asm=x86_64|arm|no|auto]
 [Specify assembly optimizations to use. Default is auto (experimental: arm)])],[req_asm=$withval], [req_asm=auto])
 
+# Default is window size 16 (or window size 15 with endomorphism) which needs 1.375 MiB. */
+AC_ARG_WITH([ecmult-window], [AS_HELP_STRING([--with-ecmult-window=SIZE],
+[window size for ecmult precomputation for verification, specified as integer in range [2..24],]
+[or in range [3..25] if endomorphisms optimization is used [default=16].]
+[Larger values result in better performance at the cost of an exponentially larger precomputed table.]
+[The table will need to store 2^(SIZE-2) * 64 bytes of data but can be larger in memory due]
+[to platform-specific padding and alignment.]
+)],
+[set_ecmult_window=$withval], [set_ecmult_window=16])
+
 AC_CHECK_TYPES([__int128])
 
 if test x"$enable_coverage" = x"yes"; then
@@ -387,6 +397,18 @@ case $set_scalar in
   ;;
 esac
 
+#set ecmult window size
+if test x"$use_endomorphism" = x"yes"; then
+  if test "$set_ecmult_window" -lt 3 -o "$set_ecmult_window" -gt 25 ; then
+    AC_MSG_ERROR([[Window size for ecmult precomputation must be in range [3..25] if endomorphism optimization is enabled.]])
+  fi
+else
+  if test "$set_ecmult_window" -lt 2 -o "$set_ecmult_window" -gt 24 ; then
+    AC_MSG_ERROR([[Window size for ecmult precomputation must be in range [2..24] if endomorphism optimization is disabled.]])
+  fi
+fi
+AC_DEFINE_UNQUOTED(ECMULT_WINDOW_SIZE, $set_ecmult_window, [Set window size for ecmult precomputation])
+
 if test x"$use_tests" = x"yes"; then
   SECP_OPENSSL_CHECK
   if test x"$has_openssl_ec" = x"yes"; then
@@ -516,6 +538,7 @@ echo "  asm                 = $set_asm"
 echo "  bignum              = $set_bignum"
 echo "  field               = $set_field"
 echo "  scalar              = $set_scalar"
+echo "  ecmult window size  = $set_ecmult_window"
 echo
 echo "  CC                  = $CC"
 echo "  CFLAGS              = $CFLAGS"

src/ecmult_impl.h

@@ -30,16 +30,24 @@
 #  endif
 #else
 /* optimal for 128-bit and 256-bit exponents. */
-#define WINDOW_A 5
-/** larger numbers may result in slightly better performance, at the cost of
-    exponentially larger precomputed tables. */
-#ifdef USE_ENDOMORPHISM
-/** Two tables for window size 15: 1.375 MiB. */
-#define WINDOW_G 15
-#else
-/** One table for window size 16: 1.375 MiB. */
-#define WINDOW_G 16
+#  define WINDOW_A 5
+#  ifdef USE_ENDOMORPHISM
+#    define WINDOW_G ((ECMULT_WINDOW_SIZE)-1)
+#  else
+#    define WINDOW_G (ECMULT_WINDOW_SIZE)
+#  endif
 #endif
+
+/* Noone will ever need more than a window size of 24.
+ * (The code probably works with window sizes up to 33 but
+ * it is not tested for it. For WINDOW_G >= 34, the
+ * expansion of ECMULT_TABLE_SIZE(WINDOW_G) will overflow. */
+#if WINDOW_G < 2 || WINDOW_G > 24
+#  ifdef USE_ENDOMORPHISM
+#    error Set ECMULT_WINDOW_SIZE to an integer in range [3..25] if endomorphism optimization is enabled.
+#  else
+#    error Set ECMULT_WINDOW_SIZE to an integer in range [2..24] if endomorphism optimization is disabled.
+#  endif
 #endif
 
 #ifdef USE_ENDOMORPHISM