1 /* crypto/ec/ecp_smpl.c */
2 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
3 * for the OpenSSL project.
4 * Includes code written by Bodo Moeller for the OpenSSL project.
6 /* ====================================================================
7 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * openssl-core@openssl.org.
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
35 * 6. Redistributions of any form whatsoever must retain the following
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
59 /* ====================================================================
60 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
61 * Portions of this software developed by SUN MICROSYSTEMS, INC.,
62 * and contributed to the OpenSSL project.
65 #include <openssl/err.h>
66 #include <openssl/symhacks.h>
69 #include <openssl/fips.h>
74 const EC_METHOD *EC_GFp_simple_method(void)
77 return fips_ec_gfp_simple_method();
79 static const EC_METHOD ret = {
81 NID_X9_62_prime_field,
82 ec_GFp_simple_group_init,
83 ec_GFp_simple_group_finish,
84 ec_GFp_simple_group_clear_finish,
85 ec_GFp_simple_group_copy,
86 ec_GFp_simple_group_set_curve,
87 ec_GFp_simple_group_get_curve,
88 ec_GFp_simple_group_get_degree,
89 ec_GFp_simple_group_check_discriminant,
90 ec_GFp_simple_point_init,
91 ec_GFp_simple_point_finish,
92 ec_GFp_simple_point_clear_finish,
93 ec_GFp_simple_point_copy,
94 ec_GFp_simple_point_set_to_infinity,
95 ec_GFp_simple_set_Jprojective_coordinates_GFp,
96 ec_GFp_simple_get_Jprojective_coordinates_GFp,
97 ec_GFp_simple_point_set_affine_coordinates,
98 ec_GFp_simple_point_get_affine_coordinates,
102 ec_GFp_simple_invert,
103 ec_GFp_simple_is_at_infinity,
104 ec_GFp_simple_is_on_curve,
106 ec_GFp_simple_make_affine,
107 ec_GFp_simple_points_make_affine,
109 0 /* precompute_mult */,
110 0 /* have_precompute_mult */,
111 ec_GFp_simple_field_mul,
112 ec_GFp_simple_field_sqr,
114 0 /* field_encode */,
115 0 /* field_decode */,
116 0 /* field_set_to_one */ };
123 /* Most method functions in this file are designed to work with
124 * non-trivial representations of field elements if necessary
125 * (see ecp_mont.c): while standard modular addition and subtraction
126 * are used, the field_mul and field_sqr methods will be used for
127 * multiplication, and field_encode and field_decode (if defined)
128 * will be used for converting between representations.
130 * Functions ec_GFp_simple_points_make_affine() and
131 * ec_GFp_simple_point_get_affine_coordinates() specifically assume
132 * that if a non-trivial representation is used, it is a Montgomery
133 * representation (i.e. 'encoding' means multiplying by some factor R).
137 int ec_GFp_simple_group_init(EC_GROUP *group)
139 BN_init(&group->field);
142 group->a_is_minus3 = 0;
147 void ec_GFp_simple_group_finish(EC_GROUP *group)
149 BN_free(&group->field);
155 void ec_GFp_simple_group_clear_finish(EC_GROUP *group)
157 BN_clear_free(&group->field);
158 BN_clear_free(&group->a);
159 BN_clear_free(&group->b);
163 int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
165 if (!BN_copy(&dest->field, &src->field)) return 0;
166 if (!BN_copy(&dest->a, &src->a)) return 0;
167 if (!BN_copy(&dest->b, &src->b)) return 0;
169 dest->a_is_minus3 = src->a_is_minus3;
175 int ec_GFp_simple_group_set_curve(EC_GROUP *group,
176 const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
179 BN_CTX *new_ctx = NULL;
182 /* p must be a prime > 3 */
183 if (BN_num_bits(p) <= 2 || !BN_is_odd(p))
185 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_INVALID_FIELD);
191 ctx = new_ctx = BN_CTX_new();
197 tmp_a = BN_CTX_get(ctx);
198 if (tmp_a == NULL) goto err;
201 if (!BN_copy(&group->field, p)) goto err;
202 BN_set_negative(&group->field, 0);
205 if (!BN_nnmod(tmp_a, a, p, ctx)) goto err;
206 if (group->meth->field_encode)
207 { if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) goto err; }
209 if (!BN_copy(&group->a, tmp_a)) goto err;
212 if (!BN_nnmod(&group->b, b, p, ctx)) goto err;
213 if (group->meth->field_encode)
214 if (!group->meth->field_encode(group, &group->b, &group->b, ctx)) goto err;
216 /* group->a_is_minus3 */
217 if (!BN_add_word(tmp_a, 3)) goto err;
218 group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
225 BN_CTX_free(new_ctx);
230 int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
233 BN_CTX *new_ctx = NULL;
237 if (!BN_copy(p, &group->field)) return 0;
240 if (a != NULL || b != NULL)
242 if (group->meth->field_decode)
246 ctx = new_ctx = BN_CTX_new();
252 if (!group->meth->field_decode(group, a, &group->a, ctx)) goto err;
256 if (!group->meth->field_decode(group, b, &group->b, ctx)) goto err;
263 if (!BN_copy(a, &group->a)) goto err;
267 if (!BN_copy(b, &group->b)) goto err;
276 BN_CTX_free(new_ctx);
281 int ec_GFp_simple_group_get_degree(const EC_GROUP *group)
283 return BN_num_bits(&group->field);
287 int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
290 BIGNUM *a,*b,*order,*tmp_1,*tmp_2;
291 const BIGNUM *p = &group->field;
292 BN_CTX *new_ctx = NULL;
296 ctx = new_ctx = BN_CTX_new();
299 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT, ERR_R_MALLOC_FAILURE);
306 tmp_1 = BN_CTX_get(ctx);
307 tmp_2 = BN_CTX_get(ctx);
308 order = BN_CTX_get(ctx);
309 if (order == NULL) goto err;
311 if (group->meth->field_decode)
313 if (!group->meth->field_decode(group, a, &group->a, ctx)) goto err;
314 if (!group->meth->field_decode(group, b, &group->b, ctx)) goto err;
318 if (!BN_copy(a, &group->a)) goto err;
319 if (!BN_copy(b, &group->b)) goto err;
322 /* check the discriminant:
323 * y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p)
327 if (BN_is_zero(b)) goto err;
329 else if (!BN_is_zero(b))
331 if (!BN_mod_sqr(tmp_1, a, p, ctx)) goto err;
332 if (!BN_mod_mul(tmp_2, tmp_1, a, p, ctx)) goto err;
333 if (!BN_lshift(tmp_1, tmp_2, 2)) goto err;
336 if (!BN_mod_sqr(tmp_2, b, p, ctx)) goto err;
337 if (!BN_mul_word(tmp_2, 27)) goto err;
340 if (!BN_mod_add(a, tmp_1, tmp_2, p, ctx)) goto err;
341 if (BN_is_zero(a)) goto err;
349 BN_CTX_free(new_ctx);
354 int ec_GFp_simple_point_init(EC_POINT *point)
365 void ec_GFp_simple_point_finish(EC_POINT *point)
373 void ec_GFp_simple_point_clear_finish(EC_POINT *point)
375 BN_clear_free(&point->X);
376 BN_clear_free(&point->Y);
377 BN_clear_free(&point->Z);
382 int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
384 if (!BN_copy(&dest->X, &src->X)) return 0;
385 if (!BN_copy(&dest->Y, &src->Y)) return 0;
386 if (!BN_copy(&dest->Z, &src->Z)) return 0;
387 dest->Z_is_one = src->Z_is_one;
393 int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
401 int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
402 const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx)
404 BN_CTX *new_ctx = NULL;
409 ctx = new_ctx = BN_CTX_new();
416 if (!BN_nnmod(&point->X, x, &group->field, ctx)) goto err;
417 if (group->meth->field_encode)
419 if (!group->meth->field_encode(group, &point->X, &point->X, ctx)) goto err;
425 if (!BN_nnmod(&point->Y, y, &group->field, ctx)) goto err;
426 if (group->meth->field_encode)
428 if (!group->meth->field_encode(group, &point->Y, &point->Y, ctx)) goto err;
436 if (!BN_nnmod(&point->Z, z, &group->field, ctx)) goto err;
437 Z_is_one = BN_is_one(&point->Z);
438 if (group->meth->field_encode)
440 if (Z_is_one && (group->meth->field_set_to_one != 0))
442 if (!group->meth->field_set_to_one(group, &point->Z, ctx)) goto err;
446 if (!group->meth->field_encode(group, &point->Z, &point->Z, ctx)) goto err;
449 point->Z_is_one = Z_is_one;
456 BN_CTX_free(new_ctx);
461 int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
462 BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx)
464 BN_CTX *new_ctx = NULL;
467 if (group->meth->field_decode != 0)
471 ctx = new_ctx = BN_CTX_new();
478 if (!group->meth->field_decode(group, x, &point->X, ctx)) goto err;
482 if (!group->meth->field_decode(group, y, &point->Y, ctx)) goto err;
486 if (!group->meth->field_decode(group, z, &point->Z, ctx)) goto err;
493 if (!BN_copy(x, &point->X)) goto err;
497 if (!BN_copy(y, &point->Y)) goto err;
501 if (!BN_copy(z, &point->Z)) goto err;
509 BN_CTX_free(new_ctx);
514 int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point,
515 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
517 if (x == NULL || y == NULL)
519 /* unlike for projective coordinates, we do not tolerate this */
520 ECerr(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES, ERR_R_PASSED_NULL_PARAMETER);
524 return EC_POINT_set_Jprojective_coordinates_GFp(group, point, x, y, BN_value_one(), ctx);
528 int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point,
529 BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
531 BN_CTX *new_ctx = NULL;
532 BIGNUM *Z, *Z_1, *Z_2, *Z_3;
536 if (EC_POINT_is_at_infinity(group, point))
538 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES, EC_R_POINT_AT_INFINITY);
544 ctx = new_ctx = BN_CTX_new();
551 Z_1 = BN_CTX_get(ctx);
552 Z_2 = BN_CTX_get(ctx);
553 Z_3 = BN_CTX_get(ctx);
554 if (Z_3 == NULL) goto err;
556 /* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */
558 if (group->meth->field_decode)
560 if (!group->meth->field_decode(group, Z, &point->Z, ctx)) goto err;
570 if (group->meth->field_decode)
574 if (!group->meth->field_decode(group, x, &point->X, ctx)) goto err;
578 if (!group->meth->field_decode(group, y, &point->Y, ctx)) goto err;
585 if (!BN_copy(x, &point->X)) goto err;
589 if (!BN_copy(y, &point->Y)) goto err;
595 if (!BN_mod_inverse(Z_1, Z_, &group->field, ctx))
597 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES, ERR_R_BN_LIB);
601 if (group->meth->field_encode == 0)
603 /* field_sqr works on standard representation */
604 if (!group->meth->field_sqr(group, Z_2, Z_1, ctx)) goto err;
608 if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx)) goto err;
613 /* in the Montgomery case, field_mul will cancel out Montgomery factor in X: */
614 if (!group->meth->field_mul(group, x, &point->X, Z_2, ctx)) goto err;
619 if (group->meth->field_encode == 0)
621 /* field_mul works on standard representation */
622 if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx)) goto err;
626 if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx)) goto err;
629 /* in the Montgomery case, field_mul will cancel out Montgomery factor in Y: */
630 if (!group->meth->field_mul(group, y, &point->Y, Z_3, ctx)) goto err;
639 BN_CTX_free(new_ctx);
643 int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
645 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
646 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
648 BN_CTX *new_ctx = NULL;
649 BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
653 return EC_POINT_dbl(group, r, a, ctx);
654 if (EC_POINT_is_at_infinity(group, a))
655 return EC_POINT_copy(r, b);
656 if (EC_POINT_is_at_infinity(group, b))
657 return EC_POINT_copy(r, a);
659 field_mul = group->meth->field_mul;
660 field_sqr = group->meth->field_sqr;
665 ctx = new_ctx = BN_CTX_new();
671 n0 = BN_CTX_get(ctx);
672 n1 = BN_CTX_get(ctx);
673 n2 = BN_CTX_get(ctx);
674 n3 = BN_CTX_get(ctx);
675 n4 = BN_CTX_get(ctx);
676 n5 = BN_CTX_get(ctx);
677 n6 = BN_CTX_get(ctx);
678 if (n6 == NULL) goto end;
680 /* Note that in this function we must not read components of 'a' or 'b'
681 * once we have written the corresponding components of 'r'.
682 * ('r' might be one of 'a' or 'b'.)
688 if (!BN_copy(n1, &a->X)) goto end;
689 if (!BN_copy(n2, &a->Y)) goto end;
695 if (!field_sqr(group, n0, &b->Z, ctx)) goto end;
696 if (!field_mul(group, n1, &a->X, n0, ctx)) goto end;
697 /* n1 = X_a * Z_b^2 */
699 if (!field_mul(group, n0, n0, &b->Z, ctx)) goto end;
700 if (!field_mul(group, n2, &a->Y, n0, ctx)) goto end;
701 /* n2 = Y_a * Z_b^3 */
707 if (!BN_copy(n3, &b->X)) goto end;
708 if (!BN_copy(n4, &b->Y)) goto end;
714 if (!field_sqr(group, n0, &a->Z, ctx)) goto end;
715 if (!field_mul(group, n3, &b->X, n0, ctx)) goto end;
716 /* n3 = X_b * Z_a^2 */
718 if (!field_mul(group, n0, n0, &a->Z, ctx)) goto end;
719 if (!field_mul(group, n4, &b->Y, n0, ctx)) goto end;
720 /* n4 = Y_b * Z_a^3 */
724 if (!BN_mod_sub_quick(n5, n1, n3, p)) goto end;
725 if (!BN_mod_sub_quick(n6, n2, n4, p)) goto end;
733 /* a is the same point as b */
735 ret = EC_POINT_dbl(group, r, a, ctx);
741 /* a is the inverse of b */
750 if (!BN_mod_add_quick(n1, n1, n3, p)) goto end;
751 if (!BN_mod_add_quick(n2, n2, n4, p)) goto end;
756 if (a->Z_is_one && b->Z_is_one)
758 if (!BN_copy(&r->Z, n5)) goto end;
763 { if (!BN_copy(n0, &b->Z)) goto end; }
764 else if (b->Z_is_one)
765 { if (!BN_copy(n0, &a->Z)) goto end; }
767 { if (!field_mul(group, n0, &a->Z, &b->Z, ctx)) goto end; }
768 if (!field_mul(group, &r->Z, n0, n5, ctx)) goto end;
771 /* Z_r = Z_a * Z_b * n5 */
774 if (!field_sqr(group, n0, n6, ctx)) goto end;
775 if (!field_sqr(group, n4, n5, ctx)) goto end;
776 if (!field_mul(group, n3, n1, n4, ctx)) goto end;
777 if (!BN_mod_sub_quick(&r->X, n0, n3, p)) goto end;
778 /* X_r = n6^2 - n5^2 * 'n7' */
781 if (!BN_mod_lshift1_quick(n0, &r->X, p)) goto end;
782 if (!BN_mod_sub_quick(n0, n3, n0, p)) goto end;
783 /* n9 = n5^2 * 'n7' - 2 * X_r */
786 if (!field_mul(group, n0, n0, n6, ctx)) goto end;
787 if (!field_mul(group, n5, n4, n5, ctx)) goto end; /* now n5 is n5^3 */
788 if (!field_mul(group, n1, n2, n5, ctx)) goto end;
789 if (!BN_mod_sub_quick(n0, n0, n1, p)) goto end;
791 if (!BN_add(n0, n0, p)) goto end;
792 /* now 0 <= n0 < 2*p, and n0 is even */
793 if (!BN_rshift1(&r->Y, n0)) goto end;
794 /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
799 if (ctx) /* otherwise we already called BN_CTX_end */
802 BN_CTX_free(new_ctx);
807 int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
809 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
810 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
812 BN_CTX *new_ctx = NULL;
813 BIGNUM *n0, *n1, *n2, *n3;
816 if (EC_POINT_is_at_infinity(group, a))
823 field_mul = group->meth->field_mul;
824 field_sqr = group->meth->field_sqr;
829 ctx = new_ctx = BN_CTX_new();
835 n0 = BN_CTX_get(ctx);
836 n1 = BN_CTX_get(ctx);
837 n2 = BN_CTX_get(ctx);
838 n3 = BN_CTX_get(ctx);
839 if (n3 == NULL) goto err;
841 /* Note that in this function we must not read components of 'a'
842 * once we have written the corresponding components of 'r'.
843 * ('r' might the same as 'a'.)
849 if (!field_sqr(group, n0, &a->X, ctx)) goto err;
850 if (!BN_mod_lshift1_quick(n1, n0, p)) goto err;
851 if (!BN_mod_add_quick(n0, n0, n1, p)) goto err;
852 if (!BN_mod_add_quick(n1, n0, &group->a, p)) goto err;
853 /* n1 = 3 * X_a^2 + a_curve */
855 else if (group->a_is_minus3)
857 if (!field_sqr(group, n1, &a->Z, ctx)) goto err;
858 if (!BN_mod_add_quick(n0, &a->X, n1, p)) goto err;
859 if (!BN_mod_sub_quick(n2, &a->X, n1, p)) goto err;
860 if (!field_mul(group, n1, n0, n2, ctx)) goto err;
861 if (!BN_mod_lshift1_quick(n0, n1, p)) goto err;
862 if (!BN_mod_add_quick(n1, n0, n1, p)) goto err;
863 /* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
864 * = 3 * X_a^2 - 3 * Z_a^4 */
868 if (!field_sqr(group, n0, &a->X, ctx)) goto err;
869 if (!BN_mod_lshift1_quick(n1, n0, p)) goto err;
870 if (!BN_mod_add_quick(n0, n0, n1, p)) goto err;
871 if (!field_sqr(group, n1, &a->Z, ctx)) goto err;
872 if (!field_sqr(group, n1, n1, ctx)) goto err;
873 if (!field_mul(group, n1, n1, &group->a, ctx)) goto err;
874 if (!BN_mod_add_quick(n1, n1, n0, p)) goto err;
875 /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
881 if (!BN_copy(n0, &a->Y)) goto err;
885 if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) goto err;
887 if (!BN_mod_lshift1_quick(&r->Z, n0, p)) goto err;
889 /* Z_r = 2 * Y_a * Z_a */
892 if (!field_sqr(group, n3, &a->Y, ctx)) goto err;
893 if (!field_mul(group, n2, &a->X, n3, ctx)) goto err;
894 if (!BN_mod_lshift_quick(n2, n2, 2, p)) goto err;
895 /* n2 = 4 * X_a * Y_a^2 */
898 if (!BN_mod_lshift1_quick(n0, n2, p)) goto err;
899 if (!field_sqr(group, &r->X, n1, ctx)) goto err;
900 if (!BN_mod_sub_quick(&r->X, &r->X, n0, p)) goto err;
901 /* X_r = n1^2 - 2 * n2 */
904 if (!field_sqr(group, n0, n3, ctx)) goto err;
905 if (!BN_mod_lshift_quick(n3, n0, 3, p)) goto err;
909 if (!BN_mod_sub_quick(n0, n2, &r->X, p)) goto err;
910 if (!field_mul(group, n0, n1, n0, ctx)) goto err;
911 if (!BN_mod_sub_quick(&r->Y, n0, n3, p)) goto err;
912 /* Y_r = n1 * (n2 - X_r) - n3 */
919 BN_CTX_free(new_ctx);
924 int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
926 if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y))
927 /* point is its own inverse */
930 return BN_usub(&point->Y, &group->field, &point->Y);
934 int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
936 return BN_is_zero(&point->Z);
940 int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
942 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
943 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
945 BN_CTX *new_ctx = NULL;
946 BIGNUM *rh, *tmp, *Z4, *Z6;
949 if (EC_POINT_is_at_infinity(group, point))
952 field_mul = group->meth->field_mul;
953 field_sqr = group->meth->field_sqr;
958 ctx = new_ctx = BN_CTX_new();
964 rh = BN_CTX_get(ctx);
965 tmp = BN_CTX_get(ctx);
966 Z4 = BN_CTX_get(ctx);
967 Z6 = BN_CTX_get(ctx);
968 if (Z6 == NULL) goto err;
970 /* We have a curve defined by a Weierstrass equation
971 * y^2 = x^3 + a*x + b.
972 * The point to consider is given in Jacobian projective coordinates
973 * where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
974 * Substituting this and multiplying by Z^6 transforms the above equation into
975 * Y^2 = X^3 + a*X*Z^4 + b*Z^6.
976 * To test this, we add up the right-hand side in 'rh'.
980 if (!field_sqr(group, rh, &point->X, ctx)) goto err;
982 if (!point->Z_is_one)
984 if (!field_sqr(group, tmp, &point->Z, ctx)) goto err;
985 if (!field_sqr(group, Z4, tmp, ctx)) goto err;
986 if (!field_mul(group, Z6, Z4, tmp, ctx)) goto err;
988 /* rh := (rh + a*Z^4)*X */
989 if (group->a_is_minus3)
991 if (!BN_mod_lshift1_quick(tmp, Z4, p)) goto err;
992 if (!BN_mod_add_quick(tmp, tmp, Z4, p)) goto err;
993 if (!BN_mod_sub_quick(rh, rh, tmp, p)) goto err;
994 if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
998 if (!field_mul(group, tmp, Z4, &group->a, ctx)) goto err;
999 if (!BN_mod_add_quick(rh, rh, tmp, p)) goto err;
1000 if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
1003 /* rh := rh + b*Z^6 */
1004 if (!field_mul(group, tmp, &group->b, Z6, ctx)) goto err;
1005 if (!BN_mod_add_quick(rh, rh, tmp, p)) goto err;
1009 /* point->Z_is_one */
1011 /* rh := (rh + a)*X */
1012 if (!BN_mod_add_quick(rh, rh, &group->a, p)) goto err;
1013 if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
1015 if (!BN_mod_add_quick(rh, rh, &group->b, p)) goto err;
1019 if (!field_sqr(group, tmp, &point->Y, ctx)) goto err;
1021 ret = (0 == BN_ucmp(tmp, rh));
1025 if (new_ctx != NULL)
1026 BN_CTX_free(new_ctx);
1031 int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
1035 * 0 equal (in affine coordinates)
1039 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
1040 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1041 BN_CTX *new_ctx = NULL;
1042 BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
1043 const BIGNUM *tmp1_, *tmp2_;
1046 if (EC_POINT_is_at_infinity(group, a))
1048 return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
1051 if (EC_POINT_is_at_infinity(group, b))
1054 if (a->Z_is_one && b->Z_is_one)
1056 return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
1059 field_mul = group->meth->field_mul;
1060 field_sqr = group->meth->field_sqr;
1064 ctx = new_ctx = BN_CTX_new();
1070 tmp1 = BN_CTX_get(ctx);
1071 tmp2 = BN_CTX_get(ctx);
1072 Za23 = BN_CTX_get(ctx);
1073 Zb23 = BN_CTX_get(ctx);
1074 if (Zb23 == NULL) goto end;
1076 /* We have to decide whether
1077 * (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
1078 * or equivalently, whether
1079 * (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
1084 if (!field_sqr(group, Zb23, &b->Z, ctx)) goto end;
1085 if (!field_mul(group, tmp1, &a->X, Zb23, ctx)) goto end;
1092 if (!field_sqr(group, Za23, &a->Z, ctx)) goto end;
1093 if (!field_mul(group, tmp2, &b->X, Za23, ctx)) goto end;
1099 /* compare X_a*Z_b^2 with X_b*Z_a^2 */
1100 if (BN_cmp(tmp1_, tmp2_) != 0)
1102 ret = 1; /* points differ */
1109 if (!field_mul(group, Zb23, Zb23, &b->Z, ctx)) goto end;
1110 if (!field_mul(group, tmp1, &a->Y, Zb23, ctx)) goto end;
1117 if (!field_mul(group, Za23, Za23, &a->Z, ctx)) goto end;
1118 if (!field_mul(group, tmp2, &b->Y, Za23, ctx)) goto end;
1124 /* compare Y_a*Z_b^3 with Y_b*Z_a^3 */
1125 if (BN_cmp(tmp1_, tmp2_) != 0)
1127 ret = 1; /* points differ */
1131 /* points are equal */
1136 if (new_ctx != NULL)
1137 BN_CTX_free(new_ctx);
1142 int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
1144 BN_CTX *new_ctx = NULL;
1148 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
1153 ctx = new_ctx = BN_CTX_new();
1159 x = BN_CTX_get(ctx);
1160 y = BN_CTX_get(ctx);
1161 if (y == NULL) goto err;
1163 if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
1164 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
1165 if (!point->Z_is_one)
1167 ECerr(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE, ERR_R_INTERNAL_ERROR);
1175 if (new_ctx != NULL)
1176 BN_CTX_free(new_ctx);
1181 int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx)
1183 BN_CTX *new_ctx = NULL;
1184 BIGNUM *tmp0, *tmp1;
1186 BIGNUM **heap = NULL;
1195 ctx = new_ctx = BN_CTX_new();
1201 tmp0 = BN_CTX_get(ctx);
1202 tmp1 = BN_CTX_get(ctx);
1203 if (tmp0 == NULL || tmp1 == NULL) goto err;
1205 /* Before converting the individual points, compute inverses of all Z values.
1206 * Modular inversion is rather slow, but luckily we can do with a single
1207 * explicit inversion, plus about 3 multiplications per input value.
1213 /* Now pow2 is the smallest power of 2 satifsying pow2 >= num.
1214 * We need twice that. */
1217 heap = OPENSSL_malloc(pow2 * sizeof heap[0]);
1218 if (heap == NULL) goto err;
1220 /* The array is used as a binary tree, exactly as in heapsort:
1224 * heap[4] heap[5] heap[6] heap[7]
1225 * heap[8]heap[9] heap[10]heap[11] heap[12]heap[13] heap[14] heap[15]
1227 * We put the Z's in the last line;
1228 * then we set each other node to the product of its two child-nodes (where
1229 * empty or 0 entries are treated as ones);
1230 * then we invert heap[1];
1231 * then we invert each other node by replacing it by the product of its
1232 * parent (after inversion) and its sibling (before inversion).
1235 for (i = pow2/2 - 1; i > 0; i--)
1237 for (i = 0; i < num; i++)
1238 heap[pow2/2 + i] = &points[i]->Z;
1239 for (i = pow2/2 + num; i < pow2; i++)
1242 /* set each node to the product of its children */
1243 for (i = pow2/2 - 1; i > 0; i--)
1246 if (heap[i] == NULL) goto err;
1248 if (heap[2*i] != NULL)
1250 if ((heap[2*i + 1] == NULL) || BN_is_zero(heap[2*i + 1]))
1252 if (!BN_copy(heap[i], heap[2*i])) goto err;
1256 if (BN_is_zero(heap[2*i]))
1258 if (!BN_copy(heap[i], heap[2*i + 1])) goto err;
1262 if (!group->meth->field_mul(group, heap[i],
1263 heap[2*i], heap[2*i + 1], ctx)) goto err;
1269 /* invert heap[1] */
1270 if (!BN_is_zero(heap[1]))
1272 if (!BN_mod_inverse(heap[1], heap[1], &group->field, ctx))
1274 ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);
1278 if (group->meth->field_encode != 0)
1280 /* in the Montgomery case, we just turned R*H (representing H)
1281 * into 1/(R*H), but we need R*(1/H) (representing 1/H);
1282 * i.e. we have need to multiply by the Montgomery factor twice */
1283 if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err;
1284 if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err;
1287 /* set other heap[i]'s to their inverses */
1288 for (i = 2; i < pow2/2 + num; i += 2)
1291 if ((heap[i + 1] != NULL) && !BN_is_zero(heap[i + 1]))
1293 if (!group->meth->field_mul(group, tmp0, heap[i/2], heap[i + 1], ctx)) goto err;
1294 if (!group->meth->field_mul(group, tmp1, heap[i/2], heap[i], ctx)) goto err;
1295 if (!BN_copy(heap[i], tmp0)) goto err;
1296 if (!BN_copy(heap[i + 1], tmp1)) goto err;
1300 if (!BN_copy(heap[i], heap[i/2])) goto err;
1304 /* we have replaced all non-zero Z's by their inverses, now fix up all the points */
1305 for (i = 0; i < num; i++)
1307 EC_POINT *p = points[i];
1309 if (!BN_is_zero(&p->Z))
1311 /* turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1) */
1313 if (!group->meth->field_sqr(group, tmp1, &p->Z, ctx)) goto err;
1314 if (!group->meth->field_mul(group, &p->X, &p->X, tmp1, ctx)) goto err;
1316 if (!group->meth->field_mul(group, tmp1, tmp1, &p->Z, ctx)) goto err;
1317 if (!group->meth->field_mul(group, &p->Y, &p->Y, tmp1, ctx)) goto err;
1319 if (group->meth->field_set_to_one != 0)
1321 if (!group->meth->field_set_to_one(group, &p->Z, ctx)) goto err;
1325 if (!BN_one(&p->Z)) goto err;
1335 if (new_ctx != NULL)
1336 BN_CTX_free(new_ctx);
1339 /* heap[pow2/2] .. heap[pow2-1] have not been allocated locally! */
1340 for (i = pow2/2 - 1; i > 0; i--)
1342 if (heap[i] != NULL)
1343 BN_clear_free(heap[i]);
1351 int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
1353 return BN_mod_mul(r, a, b, &group->field, ctx);
1357 int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
1359 return BN_mod_sqr(r, a, &group->field, ctx);
tuxillo's projects / dragonfly.git / blob