summary refs log tree commit diff
diff options
context:
space:
mode:
authorPeter Dettman <peter.dettman@bouncycastle.org>2014-03-03 21:11:12 +0700
committerPeter Dettman <peter.dettman@bouncycastle.org>2014-03-03 21:11:12 +0700
commit2341ac87e251e4c23c6cebdba277b518d18fdd11 (patch)
tree42616bd14605c77b50df9195eabb3099ccf8651a
parentShare single temp variable across calls in Sqrt() (diff)
downloadBouncyCastle.NET-ed25519-2341ac87e251e4c23c6cebdba277b518d18fdd11.tar.xz
Refactoring in the Nat* classes and some new method variations
Improved reduction in some fields
-rw-r--r--crypto/src/math/ec/Nat.cs352
-rw-r--r--crypto/src/math/ec/custom/sec/Curve25519Field.cs7
-rw-r--r--crypto/src/math/ec/custom/sec/Nat192.cs75
-rw-r--r--crypto/src/math/ec/custom/sec/Nat224.cs85
-rw-r--r--crypto/src/math/ec/custom/sec/Nat256.cs148
-rw-r--r--crypto/src/math/ec/custom/sec/Nat384.cs4
-rw-r--r--crypto/src/math/ec/custom/sec/Nat512.cs4
-rw-r--r--crypto/src/math/ec/custom/sec/SecP192K1Field.cs2
-rw-r--r--crypto/src/math/ec/custom/sec/SecP192R1Field.cs12
-rw-r--r--crypto/src/math/ec/custom/sec/SecP224K1Field.cs2
-rw-r--r--crypto/src/math/ec/custom/sec/SecP224R1Field.cs17
-rw-r--r--crypto/src/math/ec/custom/sec/SecP256K1Field.cs27
-rw-r--r--crypto/src/math/ec/custom/sec/SecP256R1Field.cs16
-rw-r--r--crypto/src/math/ec/custom/sec/SecP384R1Field.cs53
-rw-r--r--crypto/src/math/ec/custom/sec/SecP521R1Field.cs17
15 files changed, 634 insertions, 187 deletions
diff --git a/crypto/src/math/ec/Nat.cs b/crypto/src/math/ec/Nat.cs
index 9d2290ba7..8dbd6780d 100644
--- a/crypto/src/math/ec/Nat.cs
+++ b/crypto/src/math/ec/Nat.cs
@@ -7,6 +7,8 @@ namespace Org.BouncyCastle.Math.EC
 {
     internal abstract class Nat
     {
+        private const ulong M = 0xFFFFFFFFUL;
+
         public static uint Add(int len, uint[] x, uint[] y, uint[] z)
         {
             ulong c = 0;
@@ -43,18 +45,28 @@ namespace Org.BouncyCastle.Math.EC
             return (uint)c;
         }
 
-        // TODO Re-write to allow full range for x?
-        public static uint AddDWord(int len, ulong x, uint[] z, int zOff)
+        public static uint AddDWordAt(int len, ulong x, uint[] z, int zPos)
         {
-            Debug.Assert(zOff <= (len - 2));
-            ulong c = x;
-            c += (ulong)z[zOff + 0];
-            z[zOff + 0] = (uint)c;
+            Debug.Assert(zPos <= (len - 2));
+            ulong c = (ulong)z[zPos + 0] + (x & M);
+            z[zPos + 0] = (uint)c;
             c >>= 32;
-            c += (ulong)z[zOff + 1];
-            z[zOff + 1] = (uint)c;
+            c += (ulong)z[zPos + 1] + (x >> 32);
+            z[zPos + 1] = (uint)c;
             c >>= 32;
-            return c == 0 ? 0 : Inc(len, z, zOff + 2);
+            return c == 0 ? 0 : IncAt(len, z, zPos + 2);
+        }
+
+        public static uint AddTo(int len, uint[] x, uint[] z)
+        {
+            ulong c = 0;
+            for (int i = 0; i < len; ++i)
+            {
+                c += (ulong)x[i] + z[i];
+                z[i] = (uint)c;
+                c >>= 32;
+            }
+            return (uint)c;
         }
 
         public static uint AddTo(int len, uint[] x, int xOff, uint[] z, int zOff)
@@ -69,23 +81,22 @@ namespace Org.BouncyCastle.Math.EC
             return (uint)c;
         }
 
-        public static uint AddWord(int len, uint x, uint[] z, int zOff)
+        public static uint AddWordAt(int len, uint x, uint[] z, int zPos)
         {
-            Debug.Assert(zOff < len);
-            ulong c = (ulong)x + z[zOff + 0];
-            z[zOff + 0] = (uint)c;
+            Debug.Assert(zPos <= (len - 1));
+            ulong c = (ulong)x + z[zPos];
+            z[zPos] = (uint)c;
             c >>= 32;
-            return c == 0 ? 0 : Inc(len, z, 1);
+            return c == 0 ? 0 : IncAt(len, z, zPos + 1);
         }
 
-        public static uint AddWordExt(int len, uint x, uint[] zz, int zzOff)
+        public static uint AddWordAt(int len, uint x, uint[] z, int zOff, int zPos)
         {
-            int extLen = len << 1;
-            Debug.Assert(zzOff < extLen);
-            ulong c = (ulong)x + zz[zzOff];
-            zz[zzOff] = (uint)c;
+            Debug.Assert(zPos <= (len - 1));
+            ulong c = (ulong)x + z[zOff + zPos];
+            z[zOff + zPos] = (uint)c;
             c >>= 32;
-            return c == 0 ? 0 : Inc(extLen, zz, zzOff + 1);
+            return c == 0 ? 0 : IncAt(len, z, zOff, zPos + 1);
         }
 
         public static void Copy(int len, uint[] x, uint[] z)
@@ -105,10 +116,9 @@ namespace Org.BouncyCastle.Math.EC
             return new uint[len];
         }
 
-        public static int Dec(int len, uint[] z, int zOff)
+        public static int Dec(int len, uint[] z)
         {
-            Debug.Assert(zOff <= len);
-            for (int i = zOff; i < len; ++i)
+            for (int i = 0; i < len; ++i)
             {
                 if (--z[i] != uint.MaxValue)
                 {
@@ -118,6 +128,48 @@ namespace Org.BouncyCastle.Math.EC
             return -1;
         }
 
+        public static int Dec(int len, uint[] x, uint[] z)
+        {
+            int i = 0;
+            while (i < len)
+            {
+                uint c = x[i] - 1;
+                z[i++] = c;
+                if (c != uint.MaxValue)
+                {
+                    Array.Copy(x, i, z, i, len - i);
+                    return 0;
+                }
+            }
+            return -1;
+        }
+
+        public static int DecAt(int len, uint[] z, int zPos)
+        {
+            Debug.Assert(zPos <= len);
+            for (int i = zPos; i < len; ++i)
+            {
+                if (--z[i] != uint.MaxValue)
+                {
+                    return 0;
+                }
+            }
+            return -1;
+        }
+
+        public static int DecAt(int len, uint[] z, int zOff, int zPos)
+        {
+            Debug.Assert(zPos <= len);
+            for (int i = zPos; i < len; ++i)
+            {
+                if (--z[zOff + i] != uint.MaxValue)
+                {
+                    return 0;
+                }
+            }
+            return -1;
+        }
+
         public static bool Eq(int len, uint[] x, uint[] y)
         {
             for (int i = len - 1; i >= 0; --i)
@@ -174,10 +226,9 @@ namespace Org.BouncyCastle.Math.EC
             return true;
         }
 
-        public static uint Inc(int len, uint[] z, int zOff)
+        public static uint Inc(int len, uint[] z)
         {
-            Debug.Assert(zOff <= len);
-            for (int i = zOff; i < len; ++i)
+            for (int i = 0; i < len; ++i)
             {
                 if (++z[i] != uint.MinValue)
                 {
@@ -187,6 +238,48 @@ namespace Org.BouncyCastle.Math.EC
             return 1;
         }
 
+        public static uint Inc(int len, uint[] x, uint[] z)
+        {
+            int i = 0;
+            while (i < len)
+            {
+                uint c = x[i] + 1;
+                z[i++] = c;
+                if (c != 0)
+                {
+                    Array.Copy(x, i, z, i, len - i);
+                    return 0;
+                }
+            }
+            return 1;
+        }
+
+        public static uint IncAt(int len, uint[] z, int zPos)
+        {
+            Debug.Assert(zPos <= len);
+            for (int i = zPos; i < len; ++i)
+            {
+                if (++z[i] != uint.MinValue)
+                {
+                    return 0;
+                }
+            }
+            return 1;
+        }
+
+        public static uint IncAt(int len, uint[] z, int zOff, int zPos)
+        {
+            Debug.Assert(zPos <= len);
+            for (int i = zPos; i < len; ++i)
+            {
+                if (++z[zOff + i] != uint.MinValue)
+                {
+                    return 0;
+                }
+            }
+            return 1;
+        }
+
         public static bool IsOne(int len, uint[] x)
         {
             if (x[0] != 1)
@@ -231,11 +324,11 @@ namespace Org.BouncyCastle.Math.EC
 
         public static void Mul(int len, uint[] x, int xOff, uint[] y, int yOff, uint[] zz, int zzOff)
         {
-            zz[len] = (uint)MulWord(len, x[xOff + 0], y, yOff, zz, zzOff);
+            zz[zzOff + len] = (uint)MulWord(len, x[xOff], y, yOff, zz, zzOff);
 
             for (int i = 1; i < len; ++i)
             {
-                zz[i + len] = (uint)MulWordAddTo(len, x[xOff + i], y, yOff, zz, zzOff + i);
+                zz[zzOff + i + len] = (uint)MulWordAddTo(len, x[xOff + i], y, yOff, zz, zzOff + i);
             }
         }
 
@@ -295,20 +388,20 @@ namespace Org.BouncyCastle.Math.EC
             return (uint)c;
         }
 
-        public static uint MulWordDwordAdd(int len, uint x, ulong y, uint[] z, int zOff)
+        public static uint MulWordDwordAddAt(int len, uint x, ulong y, uint[] z, int zPos)
         {
-            Debug.Assert(zOff <= (len - 3));
+            Debug.Assert(zPos <= (len - 3));
             ulong c = 0, xVal = (ulong)x;
-            c += xVal * (uint)y + z[zOff + 0];
-            z[zOff + 0] = (uint)c;
+            c += xVal * (uint)y + z[zPos + 0];
+            z[zPos + 0] = (uint)c;
             c >>= 32;
-            c += xVal * (y >> 32) + z[zOff + 1];
-            z[zOff + 1] = (uint)c;
+            c += xVal * (y >> 32) + z[zPos + 1];
+            z[zPos + 1] = (uint)c;
             c >>= 32;
-            c += (ulong)z[zOff + 2];
-            z[zOff + 2] = (uint)c;
+            c += (ulong)z[zPos + 2];
+            z[zPos + 2] = (uint)c;
             c >>= 32;
-            return c == 0 ? 0 : Inc(len, z, zOff + 3);
+            return c == 0 ? 0 : IncAt(len, z, zPos + 3);
         }
 
         public static uint ShiftDownBit(int len, uint[] z, uint c)
@@ -323,6 +416,18 @@ namespace Org.BouncyCastle.Math.EC
             return c << 31;
         }
 
+        public static uint ShiftDownBit(int len, uint[] z, int zOff, uint c)
+        {
+            int i = len;
+            while (--i >= 0)
+            {
+                uint next = z[zOff + i];
+                z[zOff + i] = (next >> 1) | (c << 31);
+                c = next;
+            }
+            return c << 31;
+        }
+
         public static uint ShiftDownBit(int len, uint[] x, uint c, uint[] z)
         {
             int i = len;
@@ -335,27 +440,65 @@ namespace Org.BouncyCastle.Math.EC
             return c << 31;
         }
 
-        public static uint ShiftDownBits(int len, uint[] x, int bits, uint c)
+        public static uint ShiftDownBit(int len, uint[] x, int xOff, uint c, uint[] z, int zOff)
+        {
+            int i = len;
+            while (--i >= 0)
+            {
+                uint next = x[xOff + i];
+                z[zOff + i] = (next >> 1) | (c << 31);
+                c = next;
+            }
+            return c << 31;
+        }
+
+        public static uint ShiftDownBits(int len, uint[] z, int bits, uint c)
+        {
+            Debug.Assert(bits > 0 && bits < 32);
+            int i = len;
+            while (--i >= 0)
+            {
+                uint next = z[i];
+                z[i] = (next >> bits) | (c << -bits);
+                c = next;
+            }
+            return c << -bits;
+        }
+
+        public static uint ShiftDownBits(int len, uint[] z, int zOff, int bits, uint c)
+        {
+            Debug.Assert(bits > 0 && bits < 32);
+            int i = len;
+            while (--i >= 0)
+            {
+                uint next = z[zOff + i];
+                z[zOff + i] = (next >> bits) | (c << -bits);
+                c = next;
+            }
+            return c << -bits;
+        }
+
+        public static uint ShiftDownBits(int len, uint[] x, int bits, uint c, uint[] z)
         {
             Debug.Assert(bits > 0 && bits < 32);
             int i = len;
             while (--i >= 0)
             {
                 uint next = x[i];
-                x[i] = (next >> bits) | (c << -bits);
+                z[i] = (next >> bits) | (c << -bits);
                 c = next;
             }
             return c << -bits;
         }
 
-        public static uint ShiftDownBits(int len, uint[] x, int xOff, int bits, uint c, uint[] z)
+        public static uint ShiftDownBits(int len, uint[] x, int xOff, int bits, uint c, uint[] z, int zOff)
         {
             Debug.Assert(bits > 0 && bits < 32);
             int i = len;
             while (--i >= 0)
             {
                 uint next = x[xOff + i];
-                z[i] = (next >> bits) | (c << -bits);
+                z[zOff + i] = (next >> bits) | (c << -bits);
                 c = next;
             }
             return c << -bits;
@@ -406,12 +549,12 @@ namespace Org.BouncyCastle.Math.EC
             return c >> 31;
         }
 
-        public static uint ShiftUpBit(int len, uint[] x, int xOff, uint c, uint[] z)
+        public static uint ShiftUpBit(int len, uint[] x, int xOff, uint c, uint[] z, int zOff)
         {
             for (int i = 0; i < len; ++i)
             {
                 uint next = x[xOff + i];
-                z[i] = (next << 1) | (c >> 31);
+                z[zOff + i] = (next << 1) | (c >> 31);
                 c = next;
             }
             return c >> 31;
@@ -429,6 +572,18 @@ namespace Org.BouncyCastle.Math.EC
             return c >> -bits;
         }
 
+        public static uint ShiftUpBits(int len, uint[] z, int zOff, int bits, uint c)
+        {
+            Debug.Assert(bits > 0 && bits < 32);
+            for (int i = 0; i < len; ++i)
+            {
+                uint next = z[zOff + i];
+                z[zOff + i] = (next << bits) | (c >> -bits);
+                c = next;
+            }
+            return c >> -bits;
+        }
+
         public static uint ShiftUpBits(int len, uint[] x, int bits, uint c, uint[] z)
         {
             Debug.Assert(bits > 0 && bits < 32);
@@ -441,6 +596,18 @@ namespace Org.BouncyCastle.Math.EC
             return c >> -bits;
         }
 
+        public static uint ShiftUpBits(int len, uint[] x, int xOff, int bits, uint c, uint[] z, int zOff)
+        {
+            Debug.Assert(bits > 0 && bits < 32);
+            for (int i = 0; i < len; ++i)
+            {
+                uint next = x[xOff + i];
+                z[zOff + i] = (next << bits) | (c >> -bits);
+                c = next;
+            }
+            return c >> -bits;
+        }
+
         public static void Square(int len, uint[] x, uint[] zz)
         {
             int extLen = len << 1;
@@ -459,12 +626,36 @@ namespace Org.BouncyCastle.Math.EC
             for (int i = 1; i < len; ++i)
             {
                 c = SquareWordAdd(x, i, zz);
-                AddWordExt(len, c, zz, i << 1);
+                AddWordAt(extLen, c, zz, i << 1);
             }
 
             ShiftUpBit(extLen, zz, x[0] << 31);
         }
 
+        public static void Square(int len, uint[] x, int xOff, uint[] zz, int zzOff)
+        {
+            int extLen = len << 1;
+            uint c = 0;
+            int j = len, k = extLen;
+            do
+            {
+                ulong xVal = (ulong)x[xOff + --j];
+                ulong p = xVal * xVal;
+                zz[zzOff + --k] = (c << 31) | (uint)(p >> 33);
+                zz[zzOff + --k] = (uint)(p >> 1);
+                c = (uint)p;
+            }
+            while (j > 0);
+
+            for (int i = 1; i < len; ++i)
+            {
+                c = SquareWordAdd(x, xOff, i, zz, zzOff);
+                AddWordAt(extLen, c, zz, zzOff, i << 1);
+            }
+
+            ShiftUpBit(extLen, zz, zzOff, x[xOff] << 31);
+        }
+
         public static uint SquareWordAdd(uint[] x, int xPos, uint[] z)
         {
             ulong c = 0, xVal = (ulong)x[xPos];
@@ -479,6 +670,21 @@ namespace Org.BouncyCastle.Math.EC
             return (uint)c;
         }
 
+        public static uint SquareWordAdd(uint[] x, int xOff, int xPos, uint[] z, int zOff)
+        {
+            ulong c = 0, xVal = (ulong)x[xOff + xPos];
+            int i = 0;
+            do
+            {
+                c += xVal * (x[xOff + i] & M) + (z[xPos + zOff] & M);
+                z[xPos + zOff] = (uint)c;
+                c >>= 32;
+                ++zOff;
+            }
+            while (++i < xPos);
+            return (uint)c;
+        }
+
         public static int Sub(int len, uint[] x, uint[] y, uint[] z)
         {
             long c = 0;
@@ -491,6 +697,18 @@ namespace Org.BouncyCastle.Math.EC
             return (int)c;
         }
 
+        public static int Sub(int len, uint[] x, int xOff, uint[] y, int yOff, uint[] z, int zOff)
+        {
+            long c = 0;
+            for (int i = 0; i < len; ++i)
+            {
+                c += (long)x[xOff + i] - y[yOff + i];
+                z[zOff + i] = (uint)c;
+                c >>= 32;
+            }
+            return (int)c;
+        }
+
         public static int SubBothFrom(int len, uint[] x, uint[] y, uint[] z)
         {
             long c = 0;
@@ -515,18 +733,28 @@ namespace Org.BouncyCastle.Math.EC
             return (int)c;
         }
 
-        // TODO Re-write to allow full range for x?
-        public static int SubDWord(int len, ulong x, uint[] z)
+        public static int SubDWordAt(int len, ulong x, uint[] z, int zPos)
         {
-            Debug.Assert(len >= 2);
-            long c = -(long)x;
-            c += (long)z[0];
-            z[0] = (uint)c;
+            Debug.Assert(zPos <= (len - 2));
+            long c = (long)z[zPos + 0] - (long)(x & M);
+            z[zPos + 0] = (uint)c;
             c >>= 32;
-            c += (long)z[1];
-            z[1] = (uint)c;
+            c += (long)z[zPos + 1] - (long)(x >> 32);
+            z[zPos + 1] = (uint)c;
             c >>= 32;
-            return c == 0 ? 0 : Dec(len, z, 2);
+            return c == 0 ? 0 : DecAt(len, z, zPos + 2);
+        }
+
+        public static int SubFrom(int len, uint[] x, uint[] z)
+        {
+            long c = 0;
+            for (int i = 0; i < len; ++i)
+            {
+                c += (long)z[i] - x[i];
+                z[i] = (uint)c;
+                c >>= 32;
+            }
+            return (int)c;
         }
 
         public static int SubFrom(int len, uint[] x, int xOff, uint[] z, int zOff)
@@ -541,6 +769,24 @@ namespace Org.BouncyCastle.Math.EC
             return (int)c;
         }
 
+        public static int SubWordAt(int len, uint x, uint[] z, int zPos)
+        {
+            Debug.Assert(zPos <= (len - 1));
+            long c = (long)z[zPos] - x;
+            z[zPos] = (uint)c;
+            c >>= 32;
+            return c == 0 ? 0 : DecAt(len, z, zPos + 1);
+        }
+
+        public static int SubWordAt(int len, uint x, uint[] z, int zOff, int zPos)
+        {
+            Debug.Assert(zPos <= (len - 1));
+            long c = (long)z[zOff + zPos] - x;
+            z[zOff + zPos] = (uint)c;
+            c >>= 32;
+            return c == 0 ? 0 : DecAt(len, z, zOff, zPos + 1);
+        }
+
         public static BigInteger ToBigInteger(int len, uint[] x)
         {
             byte[] bs = new byte[len << 2];
diff --git a/crypto/src/math/ec/custom/sec/Curve25519Field.cs b/crypto/src/math/ec/custom/sec/Curve25519Field.cs
index be9878911..a11659a60 100644
--- a/crypto/src/math/ec/custom/sec/Curve25519Field.cs
+++ b/crypto/src/math/ec/custom/sec/Curve25519Field.cs
@@ -47,10 +47,9 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
         public static uint[] FromBigInteger(BigInteger x)
         {
             uint[] z = Nat256.FromBigInteger(x);
-            if (Nat256.Gte(z, P))
+            while (Nat256.Gte(z, P))
             {
-                Nat256.AddWord(PInv, z, 0);
-                z[7] &= P7;
+                Nat256.SubFrom(P, z);
             }
             return z;
         }
@@ -92,7 +91,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             Debug.Assert(xx[15] >> 30 == 0);
 
             uint xx07 = xx[7];
-            Nat.ShiftUpBit(8, xx, 8, xx07, z);
+            Nat.ShiftUpBit(8, xx, 8, xx07, z, 0);
             uint c = Nat256.MulByWordAddTo(PInv, xx, z) << 1;
             uint z07 = z[7];
             z[7] = z07 & P7;
diff --git a/crypto/src/math/ec/custom/sec/Nat192.cs b/crypto/src/math/ec/custom/sec/Nat192.cs
index 7b7937aff..c7c09bbfc 100644
--- a/crypto/src/math/ec/custom/sec/Nat192.cs
+++ b/crypto/src/math/ec/custom/sec/Nat192.cs
@@ -83,6 +83,30 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             return (uint)c;
         }
 
+        public static uint AddTo(uint[] x, uint[] z)
+        {
+            ulong c = 0;
+            c += (ulong)x[0] + z[0];
+            z[0] = (uint)c;
+            c >>= 32;
+            c += (ulong)x[1] + z[1];
+            z[1] = (uint)c;
+            c >>= 32;
+            c += (ulong)x[2] + z[2];
+            z[2] = (uint)c;
+            c >>= 32;
+            c += (ulong)x[3] + z[3];
+            z[3] = (uint)c;
+            c >>= 32;
+            c += (ulong)x[4] + z[4];
+            z[4] = (uint)c;
+            c >>= 32;
+            c += (ulong)x[5] + z[5];
+            z[5] = (uint)c;
+            c >>= 32;
+            return (uint)c;
+        }
+
         public static uint AddTo(uint[] x, int xOff, uint[] z, int zOff, uint cIn)
         {
             ulong c = cIn;
@@ -1051,27 +1075,50 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             return (int)c;
         }
 
-        public static int SubFromExt(uint[] x, int xOff, uint[] zz, int zzOff)
+        public static int SubFrom(uint[] x, uint[] z)
         {
-            Debug.Assert(zzOff <= 6);
             long c = 0;
-            c += (long)zz[zzOff + 0] - x[xOff + 0];
-            zz[zzOff + 0] = (uint)c;
+            c += (long)z[0] - x[0];
+            z[0] = (uint)c;
             c >>= 32;
-            c += (long)zz[zzOff + 1] - x[xOff + 1];
-            zz[zzOff + 1] = (uint)c;
+            c += (long)z[1] - x[1];
+            z[1] = (uint)c;
             c >>= 32;
-            c += (long)zz[zzOff + 2] - x[xOff + 2];
-            zz[zzOff + 2] = (uint)c;
+            c += (long)z[2] - x[2];
+            z[2] = (uint)c;
             c >>= 32;
-            c += (long)zz[zzOff + 3] - x[xOff + 3];
-            zz[zzOff + 3] = (uint)c;
+            c += (long)z[3] - x[3];
+            z[3] = (uint)c;
             c >>= 32;
-            c += (long)zz[zzOff + 4] - x[xOff + 4];
-            zz[zzOff + 4] = (uint)c;
+            c += (long)z[4] - x[4];
+            z[4] = (uint)c;
             c >>= 32;
-            c += (long)zz[zzOff + 5] - x[xOff + 5];
-            zz[zzOff + 5] = (uint)c;
+            c += (long)z[5] - x[5];
+            z[5] = (uint)c;
+            c >>= 32;
+            return (int)c;
+        }
+
+        public static int SubFrom(uint[] x, int xOff, uint[] z, int zOff)
+        {
+            long c = 0;
+            c += (long)z[zOff + 0] - x[xOff + 0];
+            z[zOff + 0] = (uint)c;
+            c >>= 32;
+            c += (long)z[zOff + 1] - x[xOff + 1];
+            z[zOff + 1] = (uint)c;
+            c >>= 32;
+            c += (long)z[zOff + 2] - x[xOff + 2];
+            z[zOff + 2] = (uint)c;
+            c >>= 32;
+            c += (long)z[zOff + 3] - x[xOff + 3];
+            z[zOff + 3] = (uint)c;
+            c >>= 32;
+            c += (long)z[zOff + 4] - x[xOff + 4];
+            z[zOff + 4] = (uint)c;
+            c >>= 32;
+            c += (long)z[zOff + 5] - x[xOff + 5];
+            z[zOff + 5] = (uint)c;
             c >>= 32;
             return (int)c;
         }
diff --git a/crypto/src/math/ec/custom/sec/Nat224.cs b/crypto/src/math/ec/custom/sec/Nat224.cs
index abc55b3e7..9ea85cba2 100644
--- a/crypto/src/math/ec/custom/sec/Nat224.cs
+++ b/crypto/src/math/ec/custom/sec/Nat224.cs
@@ -143,6 +143,33 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             return (uint)c;
         }
 
+        public static uint AddTo(uint[] x, uint[] z)
+        {
+            ulong c = 0;
+            c += (ulong)x[0] + z[0];
+            z[0] = (uint)c;
+            c >>= 32;
+            c += (ulong)x[1] + z[1];
+            z[1] = (uint)c;
+            c >>= 32;
+            c += (ulong)x[2] + z[2];
+            z[2] = (uint)c;
+            c >>= 32;
+            c += (ulong)x[3] + z[3];
+            z[3] = (uint)c;
+            c >>= 32;
+            c += (ulong)x[4] + z[4];
+            z[4] = (uint)c;
+            c >>= 32;
+            c += (ulong)x[5] + z[5];
+            z[5] = (uint)c;
+            c >>= 32;
+            c += (ulong)x[6] + z[6];
+            z[6] = (uint)c;
+            c >>= 32;
+            return (uint)c;
+        }
+
         public static uint AddTo(uint[] x, int xOff, uint[] z, int zOff, uint cIn)
         {
             ulong c = cIn;
@@ -1247,30 +1274,56 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             return (int)c;
         }
 
-        public static int SubFromExt(uint[] x, int xOff, uint[] zz, int zzOff)
+        public static int SubFrom(uint[] x, uint[] z)
         {
-            Debug.Assert(zzOff <= 7);
             long c = 0;
-            c += (long)zz[zzOff + 0] - x[xOff + 0];
-            zz[zzOff + 0] = (uint)c;
+            c += (long)z[0] - x[0];
+            z[0] = (uint)c;
+            c >>= 32;
+            c += (long)z[1] - x[1];
+            z[1] = (uint)c;
             c >>= 32;
-            c += (long)zz[zzOff + 1] - x[xOff + 1];
-            zz[zzOff + 1] = (uint)c;
+            c += (long)z[2] - x[2];
+            z[2] = (uint)c;
+            c >>= 32;
+            c += (long)z[3] - x[3];
+            z[3] = (uint)c;
             c >>= 32;
-            c += (long)zz[zzOff + 2] - x[xOff + 2];
-            zz[zzOff + 2] = (uint)c;
+            c += (long)z[4] - x[4];
+            z[4] = (uint)c;
             c >>= 32;
-            c += (long)zz[zzOff + 3] - x[xOff + 3];
-            zz[zzOff + 3] = (uint)c;
+            c += (long)z[5] - x[5];
+            z[5] = (uint)c;
             c >>= 32;
-            c += (long)zz[zzOff + 4] - x[xOff + 4];
-            zz[zzOff + 4] = (uint)c;
+            c += (long)z[6] - x[6];
+            z[6] = (uint)c;
             c >>= 32;
-            c += (long)zz[zzOff + 5] - x[xOff + 5];
-            zz[zzOff + 5] = (uint)c;
+            return (int)c;
+        }
+
+        public static int SubFrom(uint[] x, int xOff, uint[] z, int zOff)
+        {
+            long c = 0;
+            c += (long)z[zOff + 0] - x[xOff + 0];
+            z[zOff + 0] = (uint)c;
             c >>= 32;
-            c += (long)zz[zzOff + 6] - x[xOff + 6];
-            zz[zzOff + 6] = (uint)c;
+            c += (long)z[zOff + 1] - x[xOff + 1];
+            z[zOff + 1] = (uint)c;
+            c >>= 32;
+            c += (long)z[zOff + 2] - x[xOff + 2];
+            z[zOff + 2] = (uint)c;
+            c >>= 32;
+            c += (long)z[zOff + 3] - x[xOff + 3];
+            z[zOff + 3] = (uint)c;
+            c >>= 32;
+            c += (long)z[zOff + 4] - x[xOff + 4];
+            z[zOff + 4] = (uint)c;
+            c >>= 32;
+            c += (long)z[zOff + 5] - x[xOff + 5];
+            z[zOff + 5] = (uint)c;
+            c >>= 32;
+            c += (long)z[zOff + 6] - x[xOff + 6];
+            z[zOff + 6] = (uint)c;
             c >>= 32;
             return (int)c;
         }
diff --git a/crypto/src/math/ec/custom/sec/Nat256.cs b/crypto/src/math/ec/custom/sec/Nat256.cs
index beb9ab5ed..335c181fa 100644
--- a/crypto/src/math/ec/custom/sec/Nat256.cs
+++ b/crypto/src/math/ec/custom/sec/Nat256.cs
@@ -69,6 +69,17 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             return (uint)c;
         }
 
+        public static uint Add33To(uint x, uint[] z)
+        {
+            ulong c = (ulong)z[0] + x;
+            z[0] = (uint)c;
+            c >>= 32;
+            c += (ulong)z[1] + 1;
+            z[1] = (uint)c;
+            c >>= 32;
+            return c == 0 ? 0 : Inc(z, 2);
+        }
+
         public static uint AddBothTo(uint[] x, uint[] y, uint[] z)
         {
             ulong c = 0;
@@ -129,18 +140,16 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             return (uint)c;
         }
 
-        // TODO Re-write to allow full range for x?
-        public static uint AddDWord(ulong x, uint[] z, int zOff)
+        public static uint AddDWordAt(ulong x, uint[] z, int zPos)
         {
-            Debug.Assert(zOff <= 6);
-            ulong c = x;
-            c += (ulong)z[zOff + 0];
-            z[zOff + 0] = (uint)c;
+            Debug.Assert(zPos <= 6);
+            ulong c = (ulong)z[zPos + 0] + (x & M);
+            z[zPos + 0] = (uint)c;
             c >>= 32;
-            c += (ulong)z[zOff + 1];
-            z[zOff + 1] = (uint)c;
+            c += (ulong)z[zPos + 1] + (x >> 32);
+            z[zPos + 1] = (uint)c;
             c >>= 32;
-            return c == 0 ? 0 : Inc(z, zOff + 2);
+            return c == 0 ? 0 : Inc(z, zPos + 2);
         }
 
         public static uint AddExt(uint[] xx, uint[] yy, uint[] zz)
@@ -155,6 +164,36 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             return (uint)c;
         }
 
+        public static uint AddTo(uint[] x, uint[] z)
+        {
+            ulong c = 0;
+            c += (ulong)x[ 0] + z[ 0];
+            z[ 0] = (uint)c;
+            c >>= 32;
+            c += (ulong)x[ 1] + z[ 1];
+            z[ 1] = (uint)c;
+            c >>= 32;
+            c += (ulong)x[ 2] + z[ 2];
+            z[ 2] = (uint)c;
+            c >>= 32;
+            c += (ulong)x[ 3] + z[ 3];
+            z[ 3] = (uint)c;
+            c >>= 32;
+            c += (ulong)x[ 4] + z[ 4];
+            z[ 4] = (uint)c;
+            c >>= 32;
+            c += (ulong)x[ 5] + z[ 5];
+            z[ 5] = (uint)c;
+            c >>= 32;
+            c += (ulong)x[ 6] + z[ 6];
+            z[ 6] = (uint)c;
+            c >>= 32;
+            c += (ulong)x[ 7] + z[ 7];
+            z[ 7] = (uint)c;
+            c >>= 32;
+            return (uint)c;
+        }
+
         public static uint AddTo(uint[] x, int xOff, uint[] z, int zOff, uint cIn)
         {
             ulong c = cIn;
@@ -1298,6 +1337,17 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             return (int)c;
         }
 
+        public static int Sub33From(uint x, uint[] z)
+        {
+            long c = (long)z[0] - x;
+            z[0] = (uint)c;
+            c >>= 32;
+            c += (long)z[1] - 1;
+            z[1] = (uint)c;
+            c >>= 32;
+            return c == 0 ? 0 : Dec(z, 2);
+        }
+
         public static int SubBothFrom(uint[] x, uint[] y, uint[] z)
         {
             long c = 0;
@@ -1328,17 +1378,16 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             return (int)c;
         }
 
-        // TODO Re-write to allow full range for x?
-        public static int SubDWord(ulong x, uint[] z)
+        public static int SubDWordAt(ulong x, uint[] z, int zPos)
         {
-            long c = -(long)x;
-            c += (long)z[0];
-            z[0] = (uint)c;
+            Debug.Assert(zPos <= 6);
+            long c = (long)z[zPos + 0] - (long)(x & M);
+            z[zPos + 0] = (uint)c;
             c >>= 32;
-            c += (long)z[1];
-            z[1] = (uint)c;
+            c += (long)z[zPos + 1] - (long)(x >> 32);
+            z[zPos + 1] = (uint)c;
             c >>= 32;
-            return c == 0 ? 0 : Dec(z, 2);
+            return c == 0 ? 0 : Dec(z, zPos + 2);
         }
 
         public static int SubExt(uint[] xx, uint[] yy, uint[] zz)
@@ -1353,33 +1402,62 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             return (int)c;
         }
 
-        public static int SubFromExt(uint[] x, int xOff, uint[] zz, int zzOff)
+        public static int SubFrom(uint[] x, uint[] z)
         {
-            Debug.Assert(zzOff <= 8);
             long c = 0;
-            c += (long)zz[zzOff + 0] - x[xOff + 0];
-            zz[zzOff + 0] = (uint)c;
+            c += (long)z[0] - x[0];
+            z[0] = (uint)c;
+            c >>= 32;
+            c += (long)z[1] - x[1];
+            z[1] = (uint)c;
             c >>= 32;
-            c += (long)zz[zzOff + 1] - x[xOff + 1];
-            zz[zzOff + 1] = (uint)c;
+            c += (long)z[2] - x[2];
+            z[2] = (uint)c;
             c >>= 32;
-            c += (long)zz[zzOff + 2] - x[xOff + 2];
-            zz[zzOff + 2] = (uint)c;
+            c += (long)z[3] - x[3];
+            z[3] = (uint)c;
             c >>= 32;
-            c += (long)zz[zzOff + 3] - x[xOff + 3];
-            zz[zzOff + 3] = (uint)c;
+            c += (long)z[4] - x[4];
+            z[4] = (uint)c;
             c >>= 32;
-            c += (long)zz[zzOff + 4] - x[xOff + 4];
-            zz[zzOff + 4] = (uint)c;
+            c += (long)z[5] - x[5];
+            z[5] = (uint)c;
             c >>= 32;
-            c += (long)zz[zzOff + 5] - x[xOff + 5];
-            zz[zzOff + 5] = (uint)c;
+            c += (long)z[6] - x[6];
+            z[6] = (uint)c;
             c >>= 32;
-            c += (long)zz[zzOff + 6] - x[xOff + 6];
-            zz[zzOff + 6] = (uint)c;
+            c += (long)z[7] - x[7];
+            z[7] = (uint)c;
             c >>= 32;
-            c += (long)zz[zzOff + 7] - x[xOff + 7];
-            zz[zzOff + 7] = (uint)c;
+            return (int)c;
+        }
+
+        public static int SubFrom(uint[] x, int xOff, uint[] z, int zOff)
+        {
+            long c = 0;
+            c += (long)z[zOff + 0] - x[xOff + 0];
+            z[zOff + 0] = (uint)c;
+            c >>= 32;
+            c += (long)z[zOff + 1] - x[xOff + 1];
+            z[zOff + 1] = (uint)c;
+            c >>= 32;
+            c += (long)z[zOff + 2] - x[xOff + 2];
+            z[zOff + 2] = (uint)c;
+            c >>= 32;
+            c += (long)z[zOff + 3] - x[xOff + 3];
+            z[zOff + 3] = (uint)c;
+            c >>= 32;
+            c += (long)z[zOff + 4] - x[xOff + 4];
+            z[zOff + 4] = (uint)c;
+            c >>= 32;
+            c += (long)z[zOff + 5] - x[xOff + 5];
+            z[zOff + 5] = (uint)c;
+            c >>= 32;
+            c += (long)z[zOff + 6] - x[xOff + 6];
+            z[zOff + 6] = (uint)c;
+            c >>= 32;
+            c += (long)z[zOff + 7] - x[xOff + 7];
+            z[zOff + 7] = (uint)c;
             c >>= 32;
             return (int)c;
         }
diff --git a/crypto/src/math/ec/custom/sec/Nat384.cs b/crypto/src/math/ec/custom/sec/Nat384.cs
index 273ee2d65..dd93e68b6 100644
--- a/crypto/src/math/ec/custom/sec/Nat384.cs
+++ b/crypto/src/math/ec/custom/sec/Nat384.cs
@@ -21,7 +21,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             Nat192.Mul(dx, dy, tt);
 
             c18 += neg ? Nat.AddTo(12, tt, 0, zz, 6) : (uint)Nat.SubFrom(12, tt, 0, zz, 6);
-            Nat.AddWordExt(12, c18, zz, 18);
+            Nat.AddWordAt(24, c18, zz, 18);
         }
 
         public static void Square(uint[] x, uint[] zz)
@@ -40,7 +40,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             Nat192.Square(dx, m);
 
             c18 += (uint)Nat.SubFrom(12, m, 0, zz, 6);
-            Nat.AddWordExt(12, c18, zz, 18);
+            Nat.AddWordAt(24, c18, zz, 18);
         }
     }
 }
diff --git a/crypto/src/math/ec/custom/sec/Nat512.cs b/crypto/src/math/ec/custom/sec/Nat512.cs
index 7f1475306..46e10f995 100644
--- a/crypto/src/math/ec/custom/sec/Nat512.cs
+++ b/crypto/src/math/ec/custom/sec/Nat512.cs
@@ -21,7 +21,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             Nat256.Mul(dx, dy, tt);
 
             c24 += neg ? Nat.AddTo(16, tt, 0, zz, 8) : (uint)Nat.SubFrom(16, tt, 0, zz, 8);
-            Nat.AddWordExt(16, c24, zz, 24); 
+            Nat.AddWordAt(32, c24, zz, 24); 
         }
 
         public static void Square(uint[] x, uint[] zz)
@@ -40,7 +40,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             Nat256.Square(dx, m);
 
             c24 += (uint)Nat.SubFrom(16, m, 0, zz, 8);
-            Nat.AddWordExt(16, c24, zz, 24); 
+            Nat.AddWordAt(32, c24, zz, 24); 
         }
     }
 }
diff --git a/crypto/src/math/ec/custom/sec/SecP192K1Field.cs b/crypto/src/math/ec/custom/sec/SecP192K1Field.cs
index bdcf0319e..9b3d12536 100644
--- a/crypto/src/math/ec/custom/sec/SecP192K1Field.cs
+++ b/crypto/src/math/ec/custom/sec/SecP192K1Field.cs
@@ -47,7 +47,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint[] z = Nat192.FromBigInteger(x);
             if (z[5] == P5 && Nat192.Gte(z, P))
             {
-                Nat192.AddDWord(PInv, z, 0);
+                Nat192.SubFrom(P, z);
             }
             return z;
         }
diff --git a/crypto/src/math/ec/custom/sec/SecP192R1Field.cs b/crypto/src/math/ec/custom/sec/SecP192R1Field.cs
index c338911e3..b4c33d4e7 100644
--- a/crypto/src/math/ec/custom/sec/SecP192R1Field.cs
+++ b/crypto/src/math/ec/custom/sec/SecP192R1Field.cs
@@ -17,7 +17,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint c = Nat192.Add(x, y, z);
             if (c != 0 || (z[5] == P5 && Nat192.Gte(z, P)))
             {
-                Nat192.Sub(z, P, z);
+                Nat192.SubFrom(P, z);
             }
         }
 
@@ -36,7 +36,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint c = Nat192.Inc(z, 0);
             if (c != 0 || (z[5] == P5 && Nat192.Gte(z, P)))
             {
-                Nat192.Sub(z, P, z);
+                Nat192.SubFrom(P, z);
             }
         }
 
@@ -45,7 +45,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint[] z = Nat192.FromBigInteger(x);
             if (z[5] == P5 && Nat192.Gte(z, P))
             {
-                Nat192.Sub(z, P, z);
+                Nat192.SubFrom(P, z);
             }
             return z;
         }
@@ -126,7 +126,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             if ((x != 0 && (Nat192.AddWord(x, z, 0) + Nat192.AddWord(x, z, 2) != 0))
                 || (z[5] == P5 && Nat192.Gte(z, P)))
             {
-                Nat192.Sub(z, P, z);
+                Nat192.SubFrom(P, z);
             }
         }
 
@@ -157,7 +157,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             int c = Nat192.Sub(x, y, z);
             if (c != 0)
             {
-                Nat192.Add(z, P, z);
+                Nat192.AddTo(P, z);
             }
         }
 
@@ -175,7 +175,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint c = Nat192.ShiftUpBit(x, 0, z);
             if (c != 0 || (z[5] == P5 && Nat192.Gte(z, P)))
             {
-                Nat192.Sub(z, P, z);
+                Nat192.SubFrom(P, z);
             }
         }
     }
diff --git a/crypto/src/math/ec/custom/sec/SecP224K1Field.cs b/crypto/src/math/ec/custom/sec/SecP224K1Field.cs
index dd754e80e..13fb4e557 100644
--- a/crypto/src/math/ec/custom/sec/SecP224K1Field.cs
+++ b/crypto/src/math/ec/custom/sec/SecP224K1Field.cs
@@ -48,7 +48,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint[] z = Nat224.FromBigInteger(x);
             if (z[6] == P6 && Nat224.Gte(z, P))
             {
-                Nat224.AddDWord(PInv, z, 0);
+                Nat224.SubFrom(P, z);
             }
             return z;
         }
diff --git a/crypto/src/math/ec/custom/sec/SecP224R1Field.cs b/crypto/src/math/ec/custom/sec/SecP224R1Field.cs
index bd6656b27..ee5407beb 100644
--- a/crypto/src/math/ec/custom/sec/SecP224R1Field.cs
+++ b/crypto/src/math/ec/custom/sec/SecP224R1Field.cs
@@ -17,7 +17,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint c = Nat224.Add(x, y, z);
             if (c != 0 || (z[6] == P6 && Nat224.Gte(z, P)))
             {
-                Nat224.Sub(z, P, z);
+                Nat224.SubFrom(P, z);
             }
         }
 
@@ -36,7 +36,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint c = Nat224.Inc(z, 0);
             if (c != 0 || (z[6] == P6 && Nat224.Gte(z, P)))
             {
-                Nat224.Sub(z, P, z);
+                Nat224.SubFrom(P, z);
             }
         }
 
@@ -45,7 +45,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint[] z = Nat224.FromBigInteger(x);
             if (z[6] == P6 && Nat224.Gte(z, P))
             {
-                Nat224.Sub(z, P, z);
+                Nat224.SubFrom(P, z);
             }
             return z;
         }
@@ -121,10 +121,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             }
             else
             {
-                while (c < 0)
-                {
-                    c += (int)Nat224.Add(z, P, z);
-                }
+                Nat224.AddTo(P, z);
             }
         }
 
@@ -133,7 +130,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             if ((x != 0 && (Nat224.SubWord(x, z, 0) + Nat224.AddWord(x, z, 3) != 0))
                 || (z[6] == P6 && Nat224.Gte(z, P)))
             {
-                Nat224.Sub(z, P, z);
+                Nat224.SubFrom(P, z);
             }
         }
 
@@ -164,7 +161,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             int c = Nat224.Sub(x, y, z);
             if (c != 0)
             {
-                Nat224.Add(z, P, z);
+                Nat224.AddTo(P, z);
             }
         }
 
@@ -182,7 +179,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint c = Nat224.ShiftUpBit(x, 0, z);
             if (c != 0 || (z[6] == P6 && Nat224.Gte(z, P)))
             {
-                Nat224.Sub(z, P, z);
+                Nat224.SubFrom(P, z);
             }
         }
     }
diff --git a/crypto/src/math/ec/custom/sec/SecP256K1Field.cs b/crypto/src/math/ec/custom/sec/SecP256K1Field.cs
index 13938da54..91144c017 100644
--- a/crypto/src/math/ec/custom/sec/SecP256K1Field.cs
+++ b/crypto/src/math/ec/custom/sec/SecP256K1Field.cs
@@ -11,9 +11,10 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
         internal static readonly uint[] PExt = new uint[]{ 0x000E90A1, 0x000007A2, 0x00000001, 0x00000000, 0x00000000,
             0x00000000, 0x00000000, 0x00000000, 0xFFFFF85E, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
             0xFFFFFFFF, 0xFFFFFFFF };
+        private static readonly uint[] PExtInv = new uint[]{ 0xFFF16F5F, 0xFFFFF85D, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF,
+            0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x000007A1, 0x00000002 };
         private const uint P7 = 0xFFFFFFFF;
         private const uint PExt15 = 0xFFFFFFFF;
-        private const ulong PInv = 0x00000001000003D1UL;
         private const uint PInv33 = 0x3D1;
 
         public static void Add(uint[] x, uint[] y, uint[] z)
@@ -21,7 +22,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint c = Nat256.Add(x, y, z);
             if (c != 0 || (z[7] == P7 && Nat256.Gte(z, P)))
             {
-                Nat256.AddDWord(PInv, z, 0);
+                Nat256.Add33To(PInv33, z);
             }
         }
 
@@ -30,7 +31,10 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint c = Nat256.AddExt(xx, yy, zz);
             if (c != 0 || (zz[15] == PExt15 && Nat256.GteExt(zz, PExt)))
             {
-                Nat256.SubExt(zz, PExt, zz);
+                if (Nat.AddTo(PExtInv.Length, PExtInv, zz) != 0)
+                {
+                    Nat256.IncExt(zz, PExtInv.Length);
+                }
             }
         }
 
@@ -40,7 +44,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint c = Nat256.Inc(z, 0);
             if (c != 0 || (z[7] == P7 && Nat256.Gte(z, P)))
             {
-                Nat256.AddDWord(PInv, z, 0);
+                Nat256.Add33To(PInv33, z);
             }
         }
 
@@ -49,7 +53,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint[] z = Nat256.FromBigInteger(x);
             if (z[7] == P7 && Nat256.Gte(z, P))
             {
-                Nat256.AddDWord(PInv, z, 0);
+                Nat256.SubFrom(P, z);
             }
             return z;
         }
@@ -95,7 +99,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
 
             if (c != 0 || (z[7] == P7 && Nat256.Gte(z, P)))
             {
-                Nat256.AddDWord(PInv, z, 0);
+                Nat256.Add33To(PInv33, z);
             }
         }
 
@@ -104,7 +108,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             if ((x != 0 && Nat256.Mul33WordAdd(PInv33, x, z, 0) != 0)
                 || (z[7] == P7 && Nat256.Gte(z, P)))
             {
-                Nat256.AddDWord(PInv, z, 0);
+                Nat256.Add33To(PInv33, z);
             }
         }
 
@@ -135,7 +139,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             int c = Nat256.Sub(x, y, z);
             if (c != 0)
             {
-                Nat256.SubDWord(PInv, z);
+                Nat256.Sub33From(PInv33, z);
             }
         }
 
@@ -144,7 +148,10 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             int c = Nat256.SubExt(xx, yy, zz);
             if (c != 0)
             {
-                Nat256.AddExt(zz, PExt, zz);
+                if (Nat.SubFrom(PExtInv.Length, PExtInv, zz) != 0)
+                {
+                    Nat256.DecExt(zz, PExtInv.Length);
+                }
             }
         }
 
@@ -153,7 +160,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint c = Nat256.ShiftUpBit(x, 0, z);
             if (c != 0 || (z[7] == P7 && Nat256.Gte(z, P)))
             {
-                Nat256.AddDWord(PInv, z, 0);
+                Nat256.Add33To(PInv33, z);
             }
         }
     }
diff --git a/crypto/src/math/ec/custom/sec/SecP256R1Field.cs b/crypto/src/math/ec/custom/sec/SecP256R1Field.cs
index 4d98b5508..253f7b489 100644
--- a/crypto/src/math/ec/custom/sec/SecP256R1Field.cs
+++ b/crypto/src/math/ec/custom/sec/SecP256R1Field.cs
@@ -20,7 +20,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint c = Nat256.Add(x, y, z);
             if (c != 0 || (z[7] == P7 && Nat256.Gte(z, P)))
             {
-                Nat256.Sub(z, P, z);
+                Nat256.SubFrom(P, z);
             }
         }
 
@@ -39,7 +39,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint c = Nat256.Inc(z, 0);
             if (c != 0 || (z[7] == P7 && Nat256.Gte(z, P)))
             {
-                Nat256.Sub(z, P, z);
+                Nat256.SubFrom(P, z);
             }
         }
 
@@ -48,7 +48,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint[] z = Nat256.FromBigInteger(x);
             if (z[7] == P7 && Nat256.Gte(z, P))
             {
-                Nat256.Sub(z, P, z);
+                Nat256.SubFrom(P, z);
             }
             return z;
         }
@@ -133,11 +133,11 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             {
                 while (c < -1)
                 {
-                    c += (int)Nat256.Add(z, _2P, z) + 1;
+                    c += (int)Nat256.AddTo(_2P, z) + 1;
                 }
                 while (c < 0)
                 {
-                    c += (int)Nat256.Add(z, P, z);
+                    c += (int)Nat256.AddTo(P, z);
                 }
             }
         }
@@ -180,7 +180,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
 
             if (cc != 0 || (z[7] == P7 && Nat256.Gte(z, P)))
             {
-                Nat256.Sub(z, P, z);
+                Nat256.SubFrom(P, z);
             }
         }
 
@@ -211,7 +211,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             int c = Nat256.Sub(x, y, z);
             if (c != 0)
             {
-                Nat256.Add(z, P, z);
+                Nat256.AddTo(P, z);
             }
         }
 
@@ -229,7 +229,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint c = Nat256.ShiftUpBit(x, 0, z);
             if (c != 0 || (z[7] == P7 && Nat256.Gte(z, P)))
             {
-                Nat256.Sub(z, P, z);
+                Nat256.SubFrom(P, z);
             }
         }
     }
diff --git a/crypto/src/math/ec/custom/sec/SecP384R1Field.cs b/crypto/src/math/ec/custom/sec/SecP384R1Field.cs
index 91c5dd81d..f41c0b8dd 100644
--- a/crypto/src/math/ec/custom/sec/SecP384R1Field.cs
+++ b/crypto/src/math/ec/custom/sec/SecP384R1Field.cs
@@ -11,6 +11,10 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
         internal static readonly uint[] PExt = new uint[]{ 0x00000001, 0xFFFFFFFE, 0x00000000, 0x00000002, 0x00000000, 0xFFFFFFFE,
             0x00000000, 0x00000002, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0xFFFFFFFE, 0x00000001, 0x00000000,
             0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF };
+        private static readonly uint[] PInv = new uint[]{ 0x00000001, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0x00000001 };
+        private static readonly uint[] PExtInv = new uint[]{ 0xFFFFFFFF, 0x00000001, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF, 0x00000001,
+            0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000001, 0xFFFFFFFE, 0xFFFFFFFF,
+            0x00000001, 0x00000002 };
         private const uint P11 = 0xFFFFFFFF;
         private const uint PExt23 = 0xFFFFFFFF;
 
@@ -19,7 +23,10 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint c = Nat.Add(12, x, y, z);
             if (c != 0 || (z[11] == P11 && Nat.Gte(12, z, P)))
             {
-                Nat.Sub(12, z, P, z);
+                if (Nat.AddTo(PInv.Length, PInv, z) != 0)
+                {
+                    Nat.IncAt(12, z, PInv.Length);
+                }
             }
         }
 
@@ -28,17 +35,22 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint c = Nat.Add(24, xx, yy, zz);
             if (c != 0 || (zz[23] == PExt23 && Nat.Gte(24, zz, PExt)))
             {
-                Nat.Sub(24, zz, PExt, zz);
+                if (Nat.AddTo(PExtInv.Length, PExtInv, zz) != 0)
+                {
+                    Nat.IncAt(24, zz, PExtInv.Length);
+                }
             }
         }
 
         public static void AddOne(uint[] x, uint[] z)
         {
-            Nat.Copy(12, x, z);
-            uint c = Nat.Inc(12, z, 0);
+            uint c = Nat.Inc(12, x, z);
             if (c != 0 || (z[11] == P11 && Nat.Gte(12, z, P)))
             {
-                Nat.Sub(12, z, P, z);
+                if (Nat.AddTo(PInv.Length, PInv, z) != 0)
+                {
+                    Nat.IncAt(12, z, PInv.Length);
+                }
             }
         }
 
@@ -47,7 +59,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint[] z = Nat.FromBigInteger(384, x);
             if (z[11] == P11 && Nat.Gte(12, z, P))
             {
-                Nat.Sub(12, z, P, z);
+                Nat.SubFrom(12, P, z);
             }
             return z;
         }
@@ -133,12 +145,9 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             {
                 Reduce32((uint)c, z);
             }
-            else
+            else if (Nat.SubFrom(PInv.Length, PInv, z) != 0)
             {
-                while (c < 0)
-                {
-                    c += (int)Nat256.Add(z, P, z);
-                }
+                Nat.DecAt(12, z, PInv.Length);
             }
         }
 
@@ -169,10 +178,13 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
                 Debug.Assert(cc == 0 || cc == 1);
             }
 
-            if ((cc != 0 && Nat.Inc(12, z, 5) != 0)
+            if ((cc != 0 && Nat.IncAt(12, z, 5) != 0)
                 || (z[11] == P11 && Nat.Gte(12, z, P)))
             {
-                Nat.Sub(12, z, P, z);
+                if (Nat.AddTo(PInv.Length, PInv, z) != 0)
+                {
+                    Nat.IncAt(12, z, PInv.Length);
+                }
             }
         }
 
@@ -203,7 +215,10 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             int c = Nat.Sub(12, x, y, z);
             if (c != 0)
             {
-                Nat.Add(12, z, P, z);
+                if (Nat.SubFrom(PInv.Length, PInv, z) != 0)
+                {
+                    Nat.DecAt(12, z, PInv.Length);
+                }
             }
         }
 
@@ -212,7 +227,10 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             int c = Nat.Sub(24, xx, yy, zz);
             if (c != 0)
             {
-                Nat.Add(24, zz, PExt, zz);
+                if (Nat.SubFrom(PExtInv.Length, PExtInv, zz) != 0)
+                {
+                    Nat.DecAt(24, zz, PExtInv.Length);
+                }
             }
         }
 
@@ -221,7 +239,10 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint c = Nat.ShiftUpBit(12, x, 0, z);
             if (c != 0 || (z[11] == P11 && Nat.Gte(12, z, P)))
             {
-                Nat.Sub(12, z, P, z);
+                if (Nat.AddTo(PInv.Length, PInv, z) != 0)
+                {
+                    Nat.IncAt(12, z, PInv.Length);
+                }
             }
         }
     }
diff --git a/crypto/src/math/ec/custom/sec/SecP521R1Field.cs b/crypto/src/math/ec/custom/sec/SecP521R1Field.cs
index 7b2c7bada..3896e09d1 100644
--- a/crypto/src/math/ec/custom/sec/SecP521R1Field.cs
+++ b/crypto/src/math/ec/custom/sec/SecP521R1Field.cs
@@ -15,7 +15,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             uint c = Nat.Add(16, x, y, z) + x[16] + y[16];
             if (c > P16 || (c == P16 && Nat.Eq(16, z, P)))
             {
-                c += Nat.Inc(16, z, 0);
+                c += Nat.Inc(16, z);
                 c &= P16;
             }
             z[16] = c;
@@ -23,11 +23,10 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
 
         public static void AddOne(uint[] x, uint[] z)
         {
-            Nat.Copy(16, x, z);
-            uint c = Nat.Inc(16, z, 0) + x[16];
+            uint c = Nat.Inc(16, x, z) + x[16];
             if (c > P16 || (c == P16 && Nat.Eq(16, z, P)))
             {
-                c += Nat.Inc(16, z, 0);
+                c += Nat.Inc(16, z);
                 c &= P16;
             }
             z[16] = c;
@@ -73,12 +72,12 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
         {
             Debug.Assert(xx[32] >> 18 == 0);
             uint xx32 = xx[32];
-            uint c = Nat.ShiftDownBits(16, xx, 16, 9, xx32, z) >> 23;
+            uint c = Nat.ShiftDownBits(16, xx, 16, 9, xx32, z, 0) >> 23;
             c += xx32 >> 9;
             c += Nat.Add(16, z, xx, z);
             if (c > P16 || (c == P16 && Nat.Eq(16, z, P)))
             {
-                c += Nat.Inc(16, z, 0);
+                c += Nat.Inc(16, z);
                 c &= P16;
             }
             z[16] = c;
@@ -87,10 +86,10 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
         public static void Reduce23(uint[] z)
         {
             uint z16 = z[16];
-            uint c = Nat.AddWord(16, z16 >> 9, z, 0) + (z16 & P16);
+            uint c = Nat.AddWordAt(16, z16 >> 9, z, 0) + (z16 & P16);
             if (c > P16 || (c == P16 && Nat.Eq(16, z, P)))
             {
-                c += Nat.Inc(16, z, 0);
+                c += Nat.Inc(16, z);
                 c &= P16;
             }
             z[16] = c;
@@ -122,7 +121,7 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
             int c = Nat.Sub(16, x, y, z) + (int)(x[16] - y[16]);
             if (c < 0)
             {
-                c += Nat.Dec(16, z, 0);
+                c += Nat.Dec(16, z);
                 c &= P16;
             }
             z[16] = (uint)c;