1 /* $OpenBSD: ecp_smpl.c,v 1.29 2018/11/15 05:53:31 tb Exp $ */
2 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
3 * for the OpenSSL project.
4 * Includes code written by Bodo Moeller for the OpenSSL project.
6 /* ====================================================================
7 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * openssl-core@openssl.org.
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
35 * 6. Redistributions of any form whatsoever must retain the following
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
59 /* ====================================================================
60 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
61 * Portions of this software developed by SUN MICROSYSTEMS, INC.,
62 * and contributed to the OpenSSL project.
65 #include <openssl/err.h>
71 EC_GFp_simple_method(void)
73 static const EC_METHOD ret = {
74 .flags = EC_FLAGS_DEFAULT_OCT,
75 .field_type = NID_X9_62_prime_field,
76 .group_init = ec_GFp_simple_group_init,
77 .group_finish = ec_GFp_simple_group_finish,
78 .group_clear_finish = ec_GFp_simple_group_clear_finish,
79 .group_copy = ec_GFp_simple_group_copy,
80 .group_set_curve = ec_GFp_simple_group_set_curve,
81 .group_get_curve = ec_GFp_simple_group_get_curve,
82 .group_get_degree = ec_GFp_simple_group_get_degree,
83 .group_check_discriminant =
84 ec_GFp_simple_group_check_discriminant,
85 .point_init = ec_GFp_simple_point_init,
86 .point_finish = ec_GFp_simple_point_finish,
87 .point_clear_finish = ec_GFp_simple_point_clear_finish,
88 .point_copy = ec_GFp_simple_point_copy,
89 .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity,
90 .point_set_Jprojective_coordinates_GFp =
91 ec_GFp_simple_set_Jprojective_coordinates_GFp,
92 .point_get_Jprojective_coordinates_GFp =
93 ec_GFp_simple_get_Jprojective_coordinates_GFp,
94 .point_set_affine_coordinates =
95 ec_GFp_simple_point_set_affine_coordinates,
96 .point_get_affine_coordinates =
97 ec_GFp_simple_point_get_affine_coordinates,
98 .add = ec_GFp_simple_add,
99 .dbl = ec_GFp_simple_dbl,
100 .invert = ec_GFp_simple_invert,
101 .is_at_infinity = ec_GFp_simple_is_at_infinity,
102 .is_on_curve = ec_GFp_simple_is_on_curve,
103 .point_cmp = ec_GFp_simple_cmp,
104 .make_affine = ec_GFp_simple_make_affine,
105 .points_make_affine = ec_GFp_simple_points_make_affine,
106 .mul_generator_ct = ec_GFp_simple_mul_generator_ct,
107 .mul_single_ct = ec_GFp_simple_mul_single_ct,
108 .mul_double_nonct = ec_GFp_simple_mul_double_nonct,
109 .field_mul = ec_GFp_simple_field_mul,
110 .field_sqr = ec_GFp_simple_field_sqr,
111 .blind_coordinates = ec_GFp_simple_blind_coordinates,
118 /* Most method functions in this file are designed to work with
119 * non-trivial representations of field elements if necessary
120 * (see ecp_mont.c): while standard modular addition and subtraction
121 * are used, the field_mul and field_sqr methods will be used for
122 * multiplication, and field_encode and field_decode (if defined)
123 * will be used for converting between representations.
125 * Functions ec_GFp_simple_points_make_affine() and
126 * ec_GFp_simple_point_get_affine_coordinates() specifically assume
127 * that if a non-trivial representation is used, it is a Montgomery
128 * representation (i.e. 'encoding' means multiplying by some factor R).
133 ec_GFp_simple_group_init(EC_GROUP * group)
135 BN_init(&group->field);
138 group->a_is_minus3 = 0;
144 ec_GFp_simple_group_finish(EC_GROUP * group)
146 BN_free(&group->field);
153 ec_GFp_simple_group_clear_finish(EC_GROUP * group)
155 BN_clear_free(&group->field);
156 BN_clear_free(&group->a);
157 BN_clear_free(&group->b);
162 ec_GFp_simple_group_copy(EC_GROUP * dest, const EC_GROUP * src)
164 if (!BN_copy(&dest->field, &src->field))
166 if (!BN_copy(&dest->a, &src->a))
168 if (!BN_copy(&dest->b, &src->b))
171 dest->a_is_minus3 = src->a_is_minus3;
178 ec_GFp_simple_group_set_curve(EC_GROUP * group,
179 const BIGNUM * p, const BIGNUM * a, const BIGNUM * b, BN_CTX * ctx)
182 BN_CTX *new_ctx = NULL;
185 /* p must be a prime > 3 */
186 if (BN_num_bits(p) <= 2 || !BN_is_odd(p)) {
187 ECerror(EC_R_INVALID_FIELD);
191 ctx = new_ctx = BN_CTX_new();
196 if ((tmp_a = BN_CTX_get(ctx)) == NULL)
200 if (!BN_copy(&group->field, p))
202 BN_set_negative(&group->field, 0);
205 if (!BN_nnmod(tmp_a, a, p, ctx))
207 if (group->meth->field_encode) {
208 if (!group->meth->field_encode(group, &group->a, tmp_a, ctx))
210 } else if (!BN_copy(&group->a, tmp_a))
214 if (!BN_nnmod(&group->b, b, p, ctx))
216 if (group->meth->field_encode)
217 if (!group->meth->field_encode(group, &group->b, &group->b, ctx))
220 /* group->a_is_minus3 */
221 if (!BN_add_word(tmp_a, 3))
223 group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
229 BN_CTX_free(new_ctx);
235 ec_GFp_simple_group_get_curve(const EC_GROUP * group, BIGNUM * p, BIGNUM * a, BIGNUM * b, BN_CTX * ctx)
238 BN_CTX *new_ctx = NULL;
241 if (!BN_copy(p, &group->field))
244 if (a != NULL || b != NULL) {
245 if (group->meth->field_decode) {
247 ctx = new_ctx = BN_CTX_new();
252 if (!group->meth->field_decode(group, a, &group->a, ctx))
256 if (!group->meth->field_decode(group, b, &group->b, ctx))
261 if (!BN_copy(a, &group->a))
265 if (!BN_copy(b, &group->b))
273 BN_CTX_free(new_ctx);
279 ec_GFp_simple_group_get_degree(const EC_GROUP * group)
281 return BN_num_bits(&group->field);
286 ec_GFp_simple_group_check_discriminant(const EC_GROUP * group, BN_CTX * ctx)
289 BIGNUM *a, *b, *order, *tmp_1, *tmp_2;
290 const BIGNUM *p = &group->field;
291 BN_CTX *new_ctx = NULL;
294 ctx = new_ctx = BN_CTX_new();
296 ECerror(ERR_R_MALLOC_FAILURE);
301 if ((a = BN_CTX_get(ctx)) == NULL)
303 if ((b = BN_CTX_get(ctx)) == NULL)
305 if ((tmp_1 = BN_CTX_get(ctx)) == NULL)
307 if ((tmp_2 = BN_CTX_get(ctx)) == NULL)
309 if ((order = BN_CTX_get(ctx)) == NULL)
312 if (group->meth->field_decode) {
313 if (!group->meth->field_decode(group, a, &group->a, ctx))
315 if (!group->meth->field_decode(group, b, &group->b, ctx))
318 if (!BN_copy(a, &group->a))
320 if (!BN_copy(b, &group->b))
325 * check the discriminant: y^2 = x^3 + a*x + b is an elliptic curve
326 * <=> 4*a^3 + 27*b^2 != 0 (mod p) 0 =< a, b < p
331 } else if (!BN_is_zero(b)) {
332 if (!BN_mod_sqr(tmp_1, a, p, ctx))
334 if (!BN_mod_mul(tmp_2, tmp_1, a, p, ctx))
336 if (!BN_lshift(tmp_1, tmp_2, 2))
340 if (!BN_mod_sqr(tmp_2, b, p, ctx))
342 if (!BN_mul_word(tmp_2, 27))
346 if (!BN_mod_add(a, tmp_1, tmp_2, p, ctx))
356 BN_CTX_free(new_ctx);
362 ec_GFp_simple_point_init(EC_POINT * point)
374 ec_GFp_simple_point_finish(EC_POINT * point)
383 ec_GFp_simple_point_clear_finish(EC_POINT * point)
385 BN_clear_free(&point->X);
386 BN_clear_free(&point->Y);
387 BN_clear_free(&point->Z);
393 ec_GFp_simple_point_copy(EC_POINT * dest, const EC_POINT * src)
395 if (!BN_copy(&dest->X, &src->X))
397 if (!BN_copy(&dest->Y, &src->Y))
399 if (!BN_copy(&dest->Z, &src->Z))
401 dest->Z_is_one = src->Z_is_one;
408 ec_GFp_simple_point_set_to_infinity(const EC_GROUP * group, EC_POINT * point)
417 ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP * group, EC_POINT * point,
418 const BIGNUM * x, const BIGNUM * y, const BIGNUM * z, BN_CTX * ctx)
420 BN_CTX *new_ctx = NULL;
424 ctx = new_ctx = BN_CTX_new();
429 if (!BN_nnmod(&point->X, x, &group->field, ctx))
431 if (group->meth->field_encode) {
432 if (!group->meth->field_encode(group, &point->X, &point->X, ctx))
437 if (!BN_nnmod(&point->Y, y, &group->field, ctx))
439 if (group->meth->field_encode) {
440 if (!group->meth->field_encode(group, &point->Y, &point->Y, ctx))
447 if (!BN_nnmod(&point->Z, z, &group->field, ctx))
449 Z_is_one = BN_is_one(&point->Z);
450 if (group->meth->field_encode) {
451 if (Z_is_one && (group->meth->field_set_to_one != 0)) {
452 if (!group->meth->field_set_to_one(group, &point->Z, ctx))
455 if (!group->meth->field_encode(group, &point->Z, &point->Z, ctx))
459 point->Z_is_one = Z_is_one;
464 BN_CTX_free(new_ctx);
470 ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP * group, const EC_POINT * point,
471 BIGNUM * x, BIGNUM * y, BIGNUM * z, BN_CTX * ctx)
473 BN_CTX *new_ctx = NULL;
476 if (group->meth->field_decode != 0) {
478 ctx = new_ctx = BN_CTX_new();
483 if (!group->meth->field_decode(group, x, &point->X, ctx))
487 if (!group->meth->field_decode(group, y, &point->Y, ctx))
491 if (!group->meth->field_decode(group, z, &point->Z, ctx))
496 if (!BN_copy(x, &point->X))
500 if (!BN_copy(y, &point->Y))
504 if (!BN_copy(z, &point->Z))
512 BN_CTX_free(new_ctx);
518 ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP * group, EC_POINT * point,
519 const BIGNUM * x, const BIGNUM * y, BN_CTX * ctx)
521 if (x == NULL || y == NULL) {
522 /* unlike for projective coordinates, we do not tolerate this */
523 ECerror(ERR_R_PASSED_NULL_PARAMETER);
526 return EC_POINT_set_Jprojective_coordinates_GFp(group, point, x, y, BN_value_one(), ctx);
531 ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP * group, const EC_POINT * point,
532 BIGNUM * x, BIGNUM * y, BN_CTX * ctx)
534 BN_CTX *new_ctx = NULL;
535 BIGNUM *Z, *Z_1, *Z_2, *Z_3;
539 if (EC_POINT_is_at_infinity(group, point) > 0) {
540 ECerror(EC_R_POINT_AT_INFINITY);
544 ctx = new_ctx = BN_CTX_new();
549 if ((Z = BN_CTX_get(ctx)) == NULL)
551 if ((Z_1 = BN_CTX_get(ctx)) == NULL)
553 if ((Z_2 = BN_CTX_get(ctx)) == NULL)
555 if ((Z_3 = BN_CTX_get(ctx)) == NULL)
558 /* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */
560 if (group->meth->field_decode) {
561 if (!group->meth->field_decode(group, Z, &point->Z, ctx))
569 if (group->meth->field_decode) {
571 if (!group->meth->field_decode(group, x, &point->X, ctx))
575 if (!group->meth->field_decode(group, y, &point->Y, ctx))
580 if (!BN_copy(x, &point->X))
584 if (!BN_copy(y, &point->Y))
589 if (!BN_mod_inverse_ct(Z_1, Z_, &group->field, ctx)) {
590 ECerror(ERR_R_BN_LIB);
593 if (group->meth->field_encode == 0) {
594 /* field_sqr works on standard representation */
595 if (!group->meth->field_sqr(group, Z_2, Z_1, ctx))
598 if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx))
604 * in the Montgomery case, field_mul will cancel out
605 * Montgomery factor in X:
607 if (!group->meth->field_mul(group, x, &point->X, Z_2, ctx))
611 if (group->meth->field_encode == 0) {
612 /* field_mul works on standard representation */
613 if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx))
616 if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx))
621 * in the Montgomery case, field_mul will cancel out
622 * Montgomery factor in Y:
624 if (!group->meth->field_mul(group, y, &point->Y, Z_3, ctx))
633 BN_CTX_free(new_ctx);
638 ec_GFp_simple_add(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, const EC_POINT * b, BN_CTX * ctx)
640 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
641 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
643 BN_CTX *new_ctx = NULL;
644 BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
648 return EC_POINT_dbl(group, r, a, ctx);
649 if (EC_POINT_is_at_infinity(group, a) > 0)
650 return EC_POINT_copy(r, b);
651 if (EC_POINT_is_at_infinity(group, b) > 0)
652 return EC_POINT_copy(r, a);
654 field_mul = group->meth->field_mul;
655 field_sqr = group->meth->field_sqr;
659 ctx = new_ctx = BN_CTX_new();
664 if ((n0 = BN_CTX_get(ctx)) == NULL)
666 if ((n1 = BN_CTX_get(ctx)) == NULL)
668 if ((n2 = BN_CTX_get(ctx)) == NULL)
670 if ((n3 = BN_CTX_get(ctx)) == NULL)
672 if ((n4 = BN_CTX_get(ctx)) == NULL)
674 if ((n5 = BN_CTX_get(ctx)) == NULL)
676 if ((n6 = BN_CTX_get(ctx)) == NULL)
680 * Note that in this function we must not read components of 'a' or
681 * 'b' once we have written the corresponding components of 'r'. ('r'
682 * might be one of 'a' or 'b'.)
687 if (!BN_copy(n1, &a->X))
689 if (!BN_copy(n2, &a->Y))
694 if (!field_sqr(group, n0, &b->Z, ctx))
696 if (!field_mul(group, n1, &a->X, n0, ctx))
698 /* n1 = X_a * Z_b^2 */
700 if (!field_mul(group, n0, n0, &b->Z, ctx))
702 if (!field_mul(group, n2, &a->Y, n0, ctx))
704 /* n2 = Y_a * Z_b^3 */
709 if (!BN_copy(n3, &b->X))
711 if (!BN_copy(n4, &b->Y))
716 if (!field_sqr(group, n0, &a->Z, ctx))
718 if (!field_mul(group, n3, &b->X, n0, ctx))
720 /* n3 = X_b * Z_a^2 */
722 if (!field_mul(group, n0, n0, &a->Z, ctx))
724 if (!field_mul(group, n4, &b->Y, n0, ctx))
726 /* n4 = Y_b * Z_a^3 */
730 if (!BN_mod_sub_quick(n5, n1, n3, p))
732 if (!BN_mod_sub_quick(n6, n2, n4, p))
737 if (BN_is_zero(n5)) {
738 if (BN_is_zero(n6)) {
739 /* a is the same point as b */
741 ret = EC_POINT_dbl(group, r, a, ctx);
745 /* a is the inverse of b */
753 if (!BN_mod_add_quick(n1, n1, n3, p))
755 if (!BN_mod_add_quick(n2, n2, n4, p))
761 if (a->Z_is_one && b->Z_is_one) {
762 if (!BN_copy(&r->Z, n5))
766 if (!BN_copy(n0, &b->Z))
768 } else if (b->Z_is_one) {
769 if (!BN_copy(n0, &a->Z))
772 if (!field_mul(group, n0, &a->Z, &b->Z, ctx))
775 if (!field_mul(group, &r->Z, n0, n5, ctx))
779 /* Z_r = Z_a * Z_b * n5 */
782 if (!field_sqr(group, n0, n6, ctx))
784 if (!field_sqr(group, n4, n5, ctx))
786 if (!field_mul(group, n3, n1, n4, ctx))
788 if (!BN_mod_sub_quick(&r->X, n0, n3, p))
790 /* X_r = n6^2 - n5^2 * 'n7' */
793 if (!BN_mod_lshift1_quick(n0, &r->X, p))
795 if (!BN_mod_sub_quick(n0, n3, n0, p))
797 /* n9 = n5^2 * 'n7' - 2 * X_r */
800 if (!field_mul(group, n0, n0, n6, ctx))
802 if (!field_mul(group, n5, n4, n5, ctx))
803 goto end; /* now n5 is n5^3 */
804 if (!field_mul(group, n1, n2, n5, ctx))
806 if (!BN_mod_sub_quick(n0, n0, n1, p))
809 if (!BN_add(n0, n0, p))
811 /* now 0 <= n0 < 2*p, and n0 is even */
812 if (!BN_rshift1(&r->Y, n0))
814 /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
819 if (ctx) /* otherwise we already called BN_CTX_end */
821 BN_CTX_free(new_ctx);
827 ec_GFp_simple_dbl(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, BN_CTX * ctx)
829 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
830 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
832 BN_CTX *new_ctx = NULL;
833 BIGNUM *n0, *n1, *n2, *n3;
836 if (EC_POINT_is_at_infinity(group, a) > 0) {
841 field_mul = group->meth->field_mul;
842 field_sqr = group->meth->field_sqr;
846 ctx = new_ctx = BN_CTX_new();
851 if ((n0 = BN_CTX_get(ctx)) == NULL)
853 if ((n1 = BN_CTX_get(ctx)) == NULL)
855 if ((n2 = BN_CTX_get(ctx)) == NULL)
857 if ((n3 = BN_CTX_get(ctx)) == NULL)
861 * Note that in this function we must not read components of 'a' once
862 * we have written the corresponding components of 'r'. ('r' might
868 if (!field_sqr(group, n0, &a->X, ctx))
870 if (!BN_mod_lshift1_quick(n1, n0, p))
872 if (!BN_mod_add_quick(n0, n0, n1, p))
874 if (!BN_mod_add_quick(n1, n0, &group->a, p))
876 /* n1 = 3 * X_a^2 + a_curve */
877 } else if (group->a_is_minus3) {
878 if (!field_sqr(group, n1, &a->Z, ctx))
880 if (!BN_mod_add_quick(n0, &a->X, n1, p))
882 if (!BN_mod_sub_quick(n2, &a->X, n1, p))
884 if (!field_mul(group, n1, n0, n2, ctx))
886 if (!BN_mod_lshift1_quick(n0, n1, p))
888 if (!BN_mod_add_quick(n1, n0, n1, p))
891 * n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2) = 3 * X_a^2 - 3 *
895 if (!field_sqr(group, n0, &a->X, ctx))
897 if (!BN_mod_lshift1_quick(n1, n0, p))
899 if (!BN_mod_add_quick(n0, n0, n1, p))
901 if (!field_sqr(group, n1, &a->Z, ctx))
903 if (!field_sqr(group, n1, n1, ctx))
905 if (!field_mul(group, n1, n1, &group->a, ctx))
907 if (!BN_mod_add_quick(n1, n1, n0, p))
909 /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
914 if (!BN_copy(n0, &a->Y))
917 if (!field_mul(group, n0, &a->Y, &a->Z, ctx))
920 if (!BN_mod_lshift1_quick(&r->Z, n0, p))
923 /* Z_r = 2 * Y_a * Z_a */
926 if (!field_sqr(group, n3, &a->Y, ctx))
928 if (!field_mul(group, n2, &a->X, n3, ctx))
930 if (!BN_mod_lshift_quick(n2, n2, 2, p))
932 /* n2 = 4 * X_a * Y_a^2 */
935 if (!BN_mod_lshift1_quick(n0, n2, p))
937 if (!field_sqr(group, &r->X, n1, ctx))
939 if (!BN_mod_sub_quick(&r->X, &r->X, n0, p))
941 /* X_r = n1^2 - 2 * n2 */
944 if (!field_sqr(group, n0, n3, ctx))
946 if (!BN_mod_lshift_quick(n3, n0, 3, p))
951 if (!BN_mod_sub_quick(n0, n2, &r->X, p))
953 if (!field_mul(group, n0, n1, n0, ctx))
955 if (!BN_mod_sub_quick(&r->Y, n0, n3, p))
957 /* Y_r = n1 * (n2 - X_r) - n3 */
963 BN_CTX_free(new_ctx);
969 ec_GFp_simple_invert(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx)
971 if (EC_POINT_is_at_infinity(group, point) > 0 || BN_is_zero(&point->Y))
972 /* point is its own inverse */
975 return BN_usub(&point->Y, &group->field, &point->Y);
980 ec_GFp_simple_is_at_infinity(const EC_GROUP * group, const EC_POINT * point)
982 return BN_is_zero(&point->Z);
987 ec_GFp_simple_is_on_curve(const EC_GROUP * group, const EC_POINT * point, BN_CTX * ctx)
989 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
990 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
992 BN_CTX *new_ctx = NULL;
993 BIGNUM *rh, *tmp, *Z4, *Z6;
996 if (EC_POINT_is_at_infinity(group, point) > 0)
999 field_mul = group->meth->field_mul;
1000 field_sqr = group->meth->field_sqr;
1004 ctx = new_ctx = BN_CTX_new();
1009 if ((rh = BN_CTX_get(ctx)) == NULL)
1011 if ((tmp = BN_CTX_get(ctx)) == NULL)
1013 if ((Z4 = BN_CTX_get(ctx)) == NULL)
1015 if ((Z6 = BN_CTX_get(ctx)) == NULL)
1019 * We have a curve defined by a Weierstrass equation y^2 = x^3 + a*x
1020 * + b. The point to consider is given in Jacobian projective
1021 * coordinates where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
1022 * Substituting this and multiplying by Z^6 transforms the above
1023 * equation into Y^2 = X^3 + a*X*Z^4 + b*Z^6. To test this, we add up
1024 * the right-hand side in 'rh'.
1028 if (!field_sqr(group, rh, &point->X, ctx))
1031 if (!point->Z_is_one) {
1032 if (!field_sqr(group, tmp, &point->Z, ctx))
1034 if (!field_sqr(group, Z4, tmp, ctx))
1036 if (!field_mul(group, Z6, Z4, tmp, ctx))
1039 /* rh := (rh + a*Z^4)*X */
1040 if (group->a_is_minus3) {
1041 if (!BN_mod_lshift1_quick(tmp, Z4, p))
1043 if (!BN_mod_add_quick(tmp, tmp, Z4, p))
1045 if (!BN_mod_sub_quick(rh, rh, tmp, p))
1047 if (!field_mul(group, rh, rh, &point->X, ctx))
1050 if (!field_mul(group, tmp, Z4, &group->a, ctx))
1052 if (!BN_mod_add_quick(rh, rh, tmp, p))
1054 if (!field_mul(group, rh, rh, &point->X, ctx))
1058 /* rh := rh + b*Z^6 */
1059 if (!field_mul(group, tmp, &group->b, Z6, ctx))
1061 if (!BN_mod_add_quick(rh, rh, tmp, p))
1064 /* point->Z_is_one */
1066 /* rh := (rh + a)*X */
1067 if (!BN_mod_add_quick(rh, rh, &group->a, p))
1069 if (!field_mul(group, rh, rh, &point->X, ctx))
1072 if (!BN_mod_add_quick(rh, rh, &group->b, p))
1077 if (!field_sqr(group, tmp, &point->Y, ctx))
1080 ret = (0 == BN_ucmp(tmp, rh));
1084 BN_CTX_free(new_ctx);
1090 ec_GFp_simple_cmp(const EC_GROUP * group, const EC_POINT * a, const EC_POINT * b, BN_CTX * ctx)
1093 * return values: -1 error 0 equal (in affine coordinates) 1
1097 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
1098 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1099 BN_CTX *new_ctx = NULL;
1100 BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
1101 const BIGNUM *tmp1_, *tmp2_;
1104 if (EC_POINT_is_at_infinity(group, a) > 0) {
1105 return EC_POINT_is_at_infinity(group, b) > 0 ? 0 : 1;
1107 if (EC_POINT_is_at_infinity(group, b) > 0)
1110 if (a->Z_is_one && b->Z_is_one) {
1111 return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
1113 field_mul = group->meth->field_mul;
1114 field_sqr = group->meth->field_sqr;
1117 ctx = new_ctx = BN_CTX_new();
1122 if ((tmp1 = BN_CTX_get(ctx)) == NULL)
1124 if ((tmp2 = BN_CTX_get(ctx)) == NULL)
1126 if ((Za23 = BN_CTX_get(ctx)) == NULL)
1128 if ((Zb23 = BN_CTX_get(ctx)) == NULL)
1132 * We have to decide whether (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2,
1133 * Y_b/Z_b^3), or equivalently, whether (X_a*Z_b^2, Y_a*Z_b^3) =
1134 * (X_b*Z_a^2, Y_b*Z_a^3).
1138 if (!field_sqr(group, Zb23, &b->Z, ctx))
1140 if (!field_mul(group, tmp1, &a->X, Zb23, ctx))
1146 if (!field_sqr(group, Za23, &a->Z, ctx))
1148 if (!field_mul(group, tmp2, &b->X, Za23, ctx))
1154 /* compare X_a*Z_b^2 with X_b*Z_a^2 */
1155 if (BN_cmp(tmp1_, tmp2_) != 0) {
1156 ret = 1; /* points differ */
1160 if (!field_mul(group, Zb23, Zb23, &b->Z, ctx))
1162 if (!field_mul(group, tmp1, &a->Y, Zb23, ctx))
1168 if (!field_mul(group, Za23, Za23, &a->Z, ctx))
1170 if (!field_mul(group, tmp2, &b->Y, Za23, ctx))
1176 /* compare Y_a*Z_b^3 with Y_b*Z_a^3 */
1177 if (BN_cmp(tmp1_, tmp2_) != 0) {
1178 ret = 1; /* points differ */
1181 /* points are equal */
1186 BN_CTX_free(new_ctx);
1192 ec_GFp_simple_make_affine(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx)
1194 BN_CTX *new_ctx = NULL;
1198 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point) > 0)
1202 ctx = new_ctx = BN_CTX_new();
1207 if ((x = BN_CTX_get(ctx)) == NULL)
1209 if ((y = BN_CTX_get(ctx)) == NULL)
1212 if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx))
1214 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
1216 if (!point->Z_is_one) {
1217 ECerror(ERR_R_INTERNAL_ERROR);
1224 BN_CTX_free(new_ctx);
1230 ec_GFp_simple_points_make_affine(const EC_GROUP * group, size_t num, EC_POINT * points[], BN_CTX * ctx)
1232 BN_CTX *new_ctx = NULL;
1233 BIGNUM *tmp0, *tmp1;
1235 BIGNUM **heap = NULL;
1243 ctx = new_ctx = BN_CTX_new();
1248 if ((tmp0 = BN_CTX_get(ctx)) == NULL)
1250 if ((tmp1 = BN_CTX_get(ctx)) == NULL)
1254 * Before converting the individual points, compute inverses of all Z
1255 * values. Modular inversion is rather slow, but luckily we can do
1256 * with a single explicit inversion, plus about 3 multiplications per
1264 * Now pow2 is the smallest power of 2 satifsying pow2 >= num. We
1269 heap = reallocarray(NULL, pow2, sizeof heap[0]);
1274 * The array is used as a binary tree, exactly as in heapsort:
1276 * heap[1] heap[2] heap[3] heap[4] heap[5]
1277 * heap[6] heap[7] heap[8]heap[9] heap[10]heap[11]
1278 * heap[12]heap[13] heap[14] heap[15]
1280 * We put the Z's in the last line; then we set each other node to the
1281 * product of its two child-nodes (where empty or 0 entries are
1282 * treated as ones); then we invert heap[1]; then we invert each
1283 * other node by replacing it by the product of its parent (after
1284 * inversion) and its sibling (before inversion).
1287 for (i = pow2 / 2 - 1; i > 0; i--)
1289 for (i = 0; i < num; i++)
1290 heap[pow2 / 2 + i] = &points[i]->Z;
1291 for (i = pow2 / 2 + num; i < pow2; i++)
1294 /* set each node to the product of its children */
1295 for (i = pow2 / 2 - 1; i > 0; i--) {
1297 if (heap[i] == NULL)
1300 if (heap[2 * i] != NULL) {
1301 if ((heap[2 * i + 1] == NULL) || BN_is_zero(heap[2 * i + 1])) {
1302 if (!BN_copy(heap[i], heap[2 * i]))
1305 if (BN_is_zero(heap[2 * i])) {
1306 if (!BN_copy(heap[i], heap[2 * i + 1]))
1309 if (!group->meth->field_mul(group, heap[i],
1310 heap[2 * i], heap[2 * i + 1], ctx))
1317 /* invert heap[1] */
1318 if (!BN_is_zero(heap[1])) {
1319 if (!BN_mod_inverse_ct(heap[1], heap[1], &group->field, ctx)) {
1320 ECerror(ERR_R_BN_LIB);
1324 if (group->meth->field_encode != 0) {
1326 * in the Montgomery case, we just turned R*H (representing
1327 * H) into 1/(R*H), but we need R*(1/H) (representing
1328 * 1/H); i.e. we have need to multiply by the Montgomery
1331 if (!group->meth->field_encode(group, heap[1], heap[1], ctx))
1333 if (!group->meth->field_encode(group, heap[1], heap[1], ctx))
1336 /* set other heap[i]'s to their inverses */
1337 for (i = 2; i < pow2 / 2 + num; i += 2) {
1339 if ((heap[i + 1] != NULL) && !BN_is_zero(heap[i + 1])) {
1340 if (!group->meth->field_mul(group, tmp0, heap[i / 2], heap[i + 1], ctx))
1342 if (!group->meth->field_mul(group, tmp1, heap[i / 2], heap[i], ctx))
1344 if (!BN_copy(heap[i], tmp0))
1346 if (!BN_copy(heap[i + 1], tmp1))
1349 if (!BN_copy(heap[i], heap[i / 2]))
1355 * we have replaced all non-zero Z's by their inverses, now fix up
1358 for (i = 0; i < num; i++) {
1359 EC_POINT *p = points[i];
1361 if (!BN_is_zero(&p->Z)) {
1362 /* turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1) */
1364 if (!group->meth->field_sqr(group, tmp1, &p->Z, ctx))
1366 if (!group->meth->field_mul(group, &p->X, &p->X, tmp1, ctx))
1369 if (!group->meth->field_mul(group, tmp1, tmp1, &p->Z, ctx))
1371 if (!group->meth->field_mul(group, &p->Y, &p->Y, tmp1, ctx))
1374 if (group->meth->field_set_to_one != 0) {
1375 if (!group->meth->field_set_to_one(group, &p->Z, ctx))
1389 BN_CTX_free(new_ctx);
1392 * heap[pow2/2] .. heap[pow2-1] have not been allocated
1395 for (i = pow2 / 2 - 1; i > 0; i--) {
1396 BN_clear_free(heap[i]);
1405 ec_GFp_simple_field_mul(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, const BIGNUM * b, BN_CTX * ctx)
1407 return BN_mod_mul(r, a, b, &group->field, ctx);
1411 ec_GFp_simple_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, BN_CTX * ctx)
1413 return BN_mod_sqr(r, a, &group->field, ctx);
1417 * Apply randomization of EC point projective coordinates:
1419 * (X, Y, Z) = (lambda^2 * X, lambda^3 * Y, lambda * Z)
1421 * where lambda is in the interval [1, group->field).
1424 ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx)
1426 BIGNUM *lambda = NULL;
1431 if ((lambda = BN_CTX_get(ctx)) == NULL)
1433 if ((tmp = BN_CTX_get(ctx)) == NULL)
1436 /* Generate lambda in [1, group->field - 1] */
1437 if (!bn_rand_interval(lambda, BN_value_one(), &group->field))
1440 if (group->meth->field_encode != NULL &&
1441 !group->meth->field_encode(group, lambda, lambda, ctx))
1444 /* Z = lambda * Z */
1445 if (!group->meth->field_mul(group, &p->Z, lambda, &p->Z, ctx))
1448 /* tmp = lambda^2 */
1449 if (!group->meth->field_sqr(group, tmp, lambda, ctx))
1452 /* X = lambda^2 * X */
1453 if (!group->meth->field_mul(group, &p->X, tmp, &p->X, ctx))
1456 /* tmp = lambda^3 */
1457 if (!group->meth->field_mul(group, tmp, tmp, lambda, ctx))
1460 /* Y = lambda^3 * Y */
1461 if (!group->meth->field_mul(group, &p->Y, tmp, &p->Y, ctx))
1464 /* Disable optimized arithmetics after replacing Z by lambda * Z. */
1475 #define EC_POINT_BN_set_flags(P, flags) do { \
1476 BN_set_flags(&(P)->X, (flags)); \
1477 BN_set_flags(&(P)->Y, (flags)); \
1478 BN_set_flags(&(P)->Z, (flags)); \
1481 #define EC_POINT_CSWAP(c, a, b, w, t) do { \
1482 if (!BN_swap_ct(c, &(a)->X, &(b)->X, w) || \
1483 !BN_swap_ct(c, &(a)->Y, &(b)->Y, w) || \
1484 !BN_swap_ct(c, &(a)->Z, &(b)->Z, w)) \
1486 t = ((a)->Z_is_one ^ (b)->Z_is_one) & (c); \
1487 (a)->Z_is_one ^= (t); \
1488 (b)->Z_is_one ^= (t); \
1492 * This function computes (in constant time) a point multiplication over the
1495 * At a high level, it is Montgomery ladder with conditional swaps.
1497 * It performs either a fixed point multiplication
1498 * (scalar * generator)
1499 * when point is NULL, or a variable point multiplication
1501 * when point is not NULL.
1503 * scalar should be in the range [0,n) otherwise all constant time bets are off.
1505 * NB: This says nothing about EC_POINT_add and EC_POINT_dbl,
1506 * which of course are not constant time themselves.
1508 * The product is stored in r.
1510 * Returns 1 on success, 0 otherwise.
1513 ec_GFp_simple_mul_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
1514 const EC_POINT *point, BN_CTX *ctx)
1516 int i, cardinality_bits, group_top, kbit, pbit, Z_is_one;
1519 BIGNUM *lambda = NULL;
1520 BIGNUM *cardinality = NULL;
1521 BN_CTX *new_ctx = NULL;
1524 if (ctx == NULL && (ctx = new_ctx = BN_CTX_new()) == NULL)
1529 if ((s = EC_POINT_new(group)) == NULL)
1532 if (point == NULL) {
1533 if (!EC_POINT_copy(s, group->generator))
1536 if (!EC_POINT_copy(s, point))
1540 EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME);
1542 if ((cardinality = BN_CTX_get(ctx)) == NULL)
1544 if ((lambda = BN_CTX_get(ctx)) == NULL)
1546 if ((k = BN_CTX_get(ctx)) == NULL)
1548 if (!BN_mul(cardinality, &group->order, &group->cofactor, ctx))
1552 * Group cardinalities are often on a word boundary.
1553 * So when we pad the scalar, some timing diff might
1554 * pop if it needs to be expanded due to carries.
1555 * So expand ahead of time.
1557 cardinality_bits = BN_num_bits(cardinality);
1558 group_top = cardinality->top;
1559 if ((bn_wexpand(k, group_top + 2) == NULL) ||
1560 (bn_wexpand(lambda, group_top + 2) == NULL))
1563 if (!BN_copy(k, scalar))
1566 BN_set_flags(k, BN_FLG_CONSTTIME);
1568 if (BN_num_bits(k) > cardinality_bits || BN_is_negative(k)) {
1570 * This is an unusual input, and we don't guarantee
1573 if (!BN_nnmod(k, k, cardinality, ctx))
1577 if (!BN_add(lambda, k, cardinality))
1579 BN_set_flags(lambda, BN_FLG_CONSTTIME);
1580 if (!BN_add(k, lambda, cardinality))
1583 * lambda := scalar + cardinality
1584 * k := scalar + 2*cardinality
1586 kbit = BN_is_bit_set(lambda, cardinality_bits);
1587 if (!BN_swap_ct(kbit, k, lambda, group_top + 2))
1590 group_top = group->field.top;
1591 if ((bn_wexpand(&s->X, group_top) == NULL) ||
1592 (bn_wexpand(&s->Y, group_top) == NULL) ||
1593 (bn_wexpand(&s->Z, group_top) == NULL) ||
1594 (bn_wexpand(&r->X, group_top) == NULL) ||
1595 (bn_wexpand(&r->Y, group_top) == NULL) ||
1596 (bn_wexpand(&r->Z, group_top) == NULL))
1600 * Apply coordinate blinding for EC_POINT if the underlying EC_METHOD
1603 if (!ec_point_blind_coordinates(group, s, ctx))
1606 /* top bit is a 1, in a fixed pos */
1607 if (!EC_POINT_copy(r, s))
1610 EC_POINT_BN_set_flags(r, BN_FLG_CONSTTIME);
1612 if (!EC_POINT_dbl(group, s, s, ctx))
1618 * The ladder step, with branches, is
1620 * k[i] == 0: S = add(R, S), R = dbl(R)
1621 * k[i] == 1: R = add(S, R), S = dbl(S)
1623 * Swapping R, S conditionally on k[i] leaves you with state
1625 * k[i] == 0: T, U = R, S
1626 * k[i] == 1: T, U = S, R
1628 * Then perform the ECC ops.
1633 * Which leaves you with state
1635 * k[i] == 0: U = add(R, S), T = dbl(R)
1636 * k[i] == 1: U = add(S, R), T = dbl(S)
1638 * Swapping T, U conditionally on k[i] leaves you with state
1640 * k[i] == 0: R, S = T, U
1641 * k[i] == 1: R, S = U, T
1643 * Which leaves you with state
1645 * k[i] == 0: S = add(R, S), R = dbl(R)
1646 * k[i] == 1: R = add(S, R), S = dbl(S)
1648 * So we get the same logic, but instead of a branch it's a
1649 * conditional swap, followed by ECC ops, then another conditional swap.
1651 * Optimization: The end of iteration i and start of i-1 looks like
1658 * CSWAP(k[i-1], R, S)
1660 * CSWAP(k[i-1], R, S)
1663 * So instead of two contiguous swaps, you can merge the condition
1664 * bits and do a single swap.
1666 * k[i] k[i-1] Outcome
1672 * This is XOR. pbit tracks the previous bit of k.
1675 for (i = cardinality_bits - 1; i >= 0; i--) {
1676 kbit = BN_is_bit_set(k, i) ^ pbit;
1677 EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one);
1678 if (!EC_POINT_add(group, s, r, s, ctx))
1680 if (!EC_POINT_dbl(group, r, r, ctx))
1683 * pbit logic merges this cswap with that of the
1688 /* one final cswap to move the right value into r */
1689 EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one);
1697 BN_CTX_free(new_ctx);
1702 #undef EC_POINT_BN_set_flags
1703 #undef EC_POINT_CSWAP
1706 ec_GFp_simple_mul_generator_ct(const EC_GROUP *group, EC_POINT *r,
1707 const BIGNUM *scalar, BN_CTX *ctx)
1709 return ec_GFp_simple_mul_ct(group, r, scalar, NULL, ctx);
1713 ec_GFp_simple_mul_single_ct(const EC_GROUP *group, EC_POINT *r,
1714 const BIGNUM *scalar, const EC_POINT *point, BN_CTX *ctx)
1716 return ec_GFp_simple_mul_ct(group, r, scalar, point, ctx);
1720 ec_GFp_simple_mul_double_nonct(const EC_GROUP *group, EC_POINT *r,
1721 const BIGNUM *g_scalar, const BIGNUM *p_scalar, const EC_POINT *point,
1724 return ec_wNAF_mul(group, r, g_scalar, 1, &point, &p_scalar, ctx);
projects / dragonfly.git / blob