1 /* crypto/ec/ecp_smpl.c */
2 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
3 * for the OpenSSL project.
4 * Includes code written by Bodo Moeller for the OpenSSL project.
6 /* ====================================================================
7 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * openssl-core@openssl.org.
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
35 * 6. Redistributions of any form whatsoever must retain the following
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
59 /* ====================================================================
60 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
61 * Portions of this software developed by SUN MICROSYSTEMS, INC.,
62 * and contributed to the OpenSSL project.
67 #include <openssl/err.h>
68 #include <openssl/symhacks.h>
72 const EC_METHOD *EC_GFp_simple_method(void)
74 static const EC_METHOD ret = {
76 NID_X9_62_prime_field,
77 ec_GFp_simple_group_init,
78 ec_GFp_simple_group_finish,
79 ec_GFp_simple_group_clear_finish,
80 ec_GFp_simple_group_copy,
81 ec_GFp_simple_group_set_curve,
82 ec_GFp_simple_group_get_curve,
83 ec_GFp_simple_group_get_degree,
84 ec_GFp_simple_group_check_discriminant,
85 ec_GFp_simple_point_init,
86 ec_GFp_simple_point_finish,
87 ec_GFp_simple_point_clear_finish,
88 ec_GFp_simple_point_copy,
89 ec_GFp_simple_point_set_to_infinity,
90 ec_GFp_simple_set_Jprojective_coordinates_GFp,
91 ec_GFp_simple_get_Jprojective_coordinates_GFp,
92 ec_GFp_simple_point_set_affine_coordinates,
93 ec_GFp_simple_point_get_affine_coordinates,
98 ec_GFp_simple_is_at_infinity,
99 ec_GFp_simple_is_on_curve,
101 ec_GFp_simple_make_affine,
102 ec_GFp_simple_points_make_affine,
104 0 /* precompute_mult */,
105 0 /* have_precompute_mult */,
106 ec_GFp_simple_field_mul,
107 ec_GFp_simple_field_sqr,
109 0 /* field_encode */,
110 0 /* field_decode */,
111 0 /* field_set_to_one */ };
118 * Most method functions in this file are designed to work with
119 * non-trivial representations of field elements if necessary
120 * (see ecp_mont.c): while standard modular addition and subtraction
121 * are used, the field_mul and field_sqr methods will be used for
122 * multiplication, and field_encode and field_decode (if defined)
123 * will be used for converting between representations.
125 * Functions ec_GFp_simple_points_make_affine() and
126 * ec_GFp_simple_point_get_affine_coordinates() specifically assume
127 * that if a non-trivial representation is used, it is a Montgomery
128 * representation (i.e. 'encoding' means multiplying by some factor R).
132 int ec_GFp_simple_group_init(EC_GROUP *group)
134 group->field = BN_new();
137 if(!group->field || !group->a || !group->b)
139 if(!group->field) BN_free(group->field);
140 if(!group->a) BN_free(group->a);
141 if(!group->b) BN_free(group->b);
144 group->a_is_minus3 = 0;
149 void ec_GFp_simple_group_finish(EC_GROUP *group)
151 BN_free(group->field);
157 void ec_GFp_simple_group_clear_finish(EC_GROUP *group)
159 BN_clear_free(group->field);
160 BN_clear_free(group->a);
161 BN_clear_free(group->b);
165 int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
167 if (!BN_copy(dest->field, src->field)) return 0;
168 if (!BN_copy(dest->a, src->a)) return 0;
169 if (!BN_copy(dest->b, src->b)) return 0;
171 dest->a_is_minus3 = src->a_is_minus3;
177 int ec_GFp_simple_group_set_curve(EC_GROUP *group,
178 const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
181 BN_CTX *new_ctx = NULL;
184 /* p must be a prime > 3 */
185 if (BN_num_bits(p) <= 2 || !BN_is_odd(p))
187 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_INVALID_FIELD);
193 ctx = new_ctx = BN_CTX_new();
199 tmp_a = BN_CTX_get(ctx);
200 if (tmp_a == NULL) goto err;
203 if (!BN_copy(group->field, p)) goto err;
204 BN_set_negative(group->field, 0);
207 if (!BN_nnmod(tmp_a, a, p, ctx)) goto err;
208 if (group->meth->field_encode)
209 { if (!group->meth->field_encode(group, group->a, tmp_a, ctx)) goto err; }
211 if (!BN_copy(group->a, tmp_a)) goto err;
214 if (!BN_nnmod(group->b, b, p, ctx)) goto err;
215 if (group->meth->field_encode)
216 if (!group->meth->field_encode(group, group->b, group->b, ctx)) goto err;
218 /* group->a_is_minus3 */
219 if (!BN_add_word(tmp_a, 3)) goto err;
220 group->a_is_minus3 = (0 == BN_cmp(tmp_a, group->field));
227 BN_CTX_free(new_ctx);
232 int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
235 BN_CTX *new_ctx = NULL;
239 if (!BN_copy(p, group->field)) return 0;
242 if (a != NULL || b != NULL)
244 if (group->meth->field_decode)
248 ctx = new_ctx = BN_CTX_new();
254 if (!group->meth->field_decode(group, a, group->a, ctx)) goto err;
258 if (!group->meth->field_decode(group, b, group->b, ctx)) goto err;
265 if (!BN_copy(a, group->a)) goto err;
269 if (!BN_copy(b, group->b)) goto err;
278 BN_CTX_free(new_ctx);
283 int ec_GFp_simple_group_get_degree(const EC_GROUP *group)
285 return BN_num_bits(group->field);
289 int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
292 BIGNUM *a,*b,*order,*tmp_1,*tmp_2;
293 const BIGNUM *p = group->field;
294 BN_CTX *new_ctx = NULL;
298 ctx = new_ctx = BN_CTX_new();
301 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT, ERR_R_MALLOC_FAILURE);
308 tmp_1 = BN_CTX_get(ctx);
309 tmp_2 = BN_CTX_get(ctx);
310 order = BN_CTX_get(ctx);
311 if (order == NULL) goto err;
313 if (group->meth->field_decode)
315 if (!group->meth->field_decode(group, a, group->a, ctx)) goto err;
316 if (!group->meth->field_decode(group, b, group->b, ctx)) goto err;
320 if (!BN_copy(a, group->a)) goto err;
321 if (!BN_copy(b, group->b)) goto err;
325 * check the discriminant:
326 * y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p)
331 if (BN_is_zero(b)) goto err;
333 else if (!BN_is_zero(b))
335 if (!BN_mod_sqr(tmp_1, a, p, ctx)) goto err;
336 if (!BN_mod_mul(tmp_2, tmp_1, a, p, ctx)) goto err;
337 if (!BN_lshift(tmp_1, tmp_2, 2)) goto err;
340 if (!BN_mod_sqr(tmp_2, b, p, ctx)) goto err;
341 if (!BN_mul_word(tmp_2, 27)) goto err;
344 if (!BN_mod_add(a, tmp_1, tmp_2, p, ctx)) goto err;
345 if (BN_is_zero(a)) goto err;
353 BN_CTX_free(new_ctx);
358 int ec_GFp_simple_point_init(EC_POINT *point)
365 if(!point->X || !point->Y || !point->Z)
367 if(point->X) BN_free(point->X);
368 if(point->Y) BN_free(point->Y);
369 if(point->Z) BN_free(point->Z);
376 void ec_GFp_simple_point_finish(EC_POINT *point)
384 void ec_GFp_simple_point_clear_finish(EC_POINT *point)
386 BN_clear_free(point->X);
387 BN_clear_free(point->Y);
388 BN_clear_free(point->Z);
393 int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
395 if (!BN_copy(dest->X, src->X)) return 0;
396 if (!BN_copy(dest->Y, src->Y)) return 0;
397 if (!BN_copy(dest->Z, src->Z)) return 0;
398 dest->Z_is_one = src->Z_is_one;
404 int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
412 int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
413 const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx)
415 BN_CTX *new_ctx = NULL;
420 ctx = new_ctx = BN_CTX_new();
427 if (!BN_nnmod(point->X, x, group->field, ctx)) goto err;
428 if (group->meth->field_encode)
430 if (!group->meth->field_encode(group, point->X, point->X, ctx)) goto err;
436 if (!BN_nnmod(point->Y, y, group->field, ctx)) goto err;
437 if (group->meth->field_encode)
439 if (!group->meth->field_encode(group, point->Y, point->Y, ctx)) goto err;
447 if (!BN_nnmod(point->Z, z, group->field, ctx)) goto err;
448 Z_is_one = BN_is_one(point->Z);
449 if (group->meth->field_encode)
451 if (Z_is_one && (group->meth->field_set_to_one != 0))
453 if (!group->meth->field_set_to_one(group, point->Z, ctx)) goto err;
457 if (!group->meth->field_encode(group, point->Z, point->Z, ctx)) goto err;
460 point->Z_is_one = Z_is_one;
467 BN_CTX_free(new_ctx);
472 int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
473 BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx)
475 BN_CTX *new_ctx = NULL;
478 if (group->meth->field_decode != 0)
482 ctx = new_ctx = BN_CTX_new();
489 if (!group->meth->field_decode(group, x, point->X, ctx)) goto err;
493 if (!group->meth->field_decode(group, y, point->Y, ctx)) goto err;
497 if (!group->meth->field_decode(group, z, point->Z, ctx)) goto err;
504 if (!BN_copy(x, point->X)) goto err;
508 if (!BN_copy(y, point->Y)) goto err;
512 if (!BN_copy(z, point->Z)) goto err;
520 BN_CTX_free(new_ctx);
525 int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point,
526 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
528 if (x == NULL || y == NULL)
530 /* unlike for projective coordinates, we do not tolerate this */
531 ECerr(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES, ERR_R_PASSED_NULL_PARAMETER);
535 return EC_POINT_set_Jprojective_coordinates_GFp(group, point, x, y, BN_value_one(), ctx);
539 int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point,
540 BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
542 BN_CTX *new_ctx = NULL;
543 BIGNUM *Z, *Z_1, *Z_2, *Z_3;
547 if (EC_POINT_is_at_infinity(group, point))
549 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES, EC_R_POINT_AT_INFINITY);
555 ctx = new_ctx = BN_CTX_new();
562 Z_1 = BN_CTX_get(ctx);
563 Z_2 = BN_CTX_get(ctx);
564 Z_3 = BN_CTX_get(ctx);
565 if (Z_3 == NULL) goto err;
567 /* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */
569 if (group->meth->field_decode)
571 if (!group->meth->field_decode(group, Z, point->Z, ctx)) goto err;
581 if (group->meth->field_decode)
585 if (!group->meth->field_decode(group, x, point->X, ctx)) goto err;
589 if (!group->meth->field_decode(group, y, point->Y, ctx)) goto err;
596 if (!BN_copy(x, point->X)) goto err;
600 if (!BN_copy(y, point->Y)) goto err;
606 if (!BN_mod_inverse(Z_1, Z_, group->field, ctx))
608 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES, ERR_R_BN_LIB);
612 if (group->meth->field_encode == 0)
614 /* field_sqr works on standard representation */
615 if (!group->meth->field_sqr(group, Z_2, Z_1, ctx)) goto err;
619 if (!BN_mod_sqr(Z_2, Z_1, group->field, ctx)) goto err;
624 /* in the Montgomery case, field_mul will cancel out Montgomery factor in X: */
625 if (!group->meth->field_mul(group, x, point->X, Z_2, ctx)) goto err;
630 if (group->meth->field_encode == 0)
632 /* field_mul works on standard representation */
633 if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx)) goto err;
637 if (!BN_mod_mul(Z_3, Z_2, Z_1, group->field, ctx)) goto err;
640 /* in the Montgomery case, field_mul will cancel out Montgomery factor in Y: */
641 if (!group->meth->field_mul(group, y, point->Y, Z_3, ctx)) goto err;
650 BN_CTX_free(new_ctx);
654 int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
656 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
657 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
659 BN_CTX *new_ctx = NULL;
660 BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
664 return EC_POINT_dbl(group, r, a, ctx);
665 if (EC_POINT_is_at_infinity(group, a))
666 return EC_POINT_copy(r, b);
667 if (EC_POINT_is_at_infinity(group, b))
668 return EC_POINT_copy(r, a);
670 field_mul = group->meth->field_mul;
671 field_sqr = group->meth->field_sqr;
676 ctx = new_ctx = BN_CTX_new();
682 n0 = BN_CTX_get(ctx);
683 n1 = BN_CTX_get(ctx);
684 n2 = BN_CTX_get(ctx);
685 n3 = BN_CTX_get(ctx);
686 n4 = BN_CTX_get(ctx);
687 n5 = BN_CTX_get(ctx);
688 n6 = BN_CTX_get(ctx);
689 if (n6 == NULL) goto end;
691 /* Note that in this function we must not read components of 'a' or 'b'
692 * once we have written the corresponding components of 'r'.
693 * ('r' might be one of 'a' or 'b'.)
699 if (!BN_copy(n1, a->X)) goto end;
700 if (!BN_copy(n2, a->Y)) goto end;
706 if (!field_sqr(group, n0, b->Z, ctx)) goto end;
707 if (!field_mul(group, n1, a->X, n0, ctx)) goto end;
708 /* n1 = X_a * Z_b^2 */
710 if (!field_mul(group, n0, n0, b->Z, ctx)) goto end;
711 if (!field_mul(group, n2, a->Y, n0, ctx)) goto end;
712 /* n2 = Y_a * Z_b^3 */
718 if (!BN_copy(n3, b->X)) goto end;
719 if (!BN_copy(n4, b->Y)) goto end;
725 if (!field_sqr(group, n0, a->Z, ctx)) goto end;
726 if (!field_mul(group, n3, b->X, n0, ctx)) goto end;
727 /* n3 = X_b * Z_a^2 */
729 if (!field_mul(group, n0, n0, a->Z, ctx)) goto end;
730 if (!field_mul(group, n4, b->Y, n0, ctx)) goto end;
731 /* n4 = Y_b * Z_a^3 */
735 if (!BN_mod_sub_quick(n5, n1, n3, p)) goto end;
736 if (!BN_mod_sub_quick(n6, n2, n4, p)) goto end;
744 /* a is the same point as b */
746 ret = EC_POINT_dbl(group, r, a, ctx);
752 /* a is the inverse of b */
761 if (!BN_mod_add_quick(n1, n1, n3, p)) goto end;
762 if (!BN_mod_add_quick(n2, n2, n4, p)) goto end;
767 if (a->Z_is_one && b->Z_is_one)
769 if (!BN_copy(r->Z, n5)) goto end;
774 { if (!BN_copy(n0, b->Z)) goto end; }
775 else if (b->Z_is_one)
776 { if (!BN_copy(n0, a->Z)) goto end; }
778 { if (!field_mul(group, n0, a->Z, b->Z, ctx)) goto end; }
779 if (!field_mul(group, r->Z, n0, n5, ctx)) goto end;
782 /* Z_r = Z_a * Z_b * n5 */
785 if (!field_sqr(group, n0, n6, ctx)) goto end;
786 if (!field_sqr(group, n4, n5, ctx)) goto end;
787 if (!field_mul(group, n3, n1, n4, ctx)) goto end;
788 if (!BN_mod_sub_quick(r->X, n0, n3, p)) goto end;
789 /* X_r = n6^2 - n5^2 * 'n7' */
792 if (!BN_mod_lshift1_quick(n0, r->X, p)) goto end;
793 if (!BN_mod_sub_quick(n0, n3, n0, p)) goto end;
794 /* n9 = n5^2 * 'n7' - 2 * X_r */
797 if (!field_mul(group, n0, n0, n6, ctx)) goto end;
798 if (!field_mul(group, n5, n4, n5, ctx)) goto end; /* now n5 is n5^3 */
799 if (!field_mul(group, n1, n2, n5, ctx)) goto end;
800 if (!BN_mod_sub_quick(n0, n0, n1, p)) goto end;
802 if (!BN_add(n0, n0, p)) goto end;
803 /* now 0 <= n0 < 2*p, and n0 is even */
804 if (!BN_rshift1(r->Y, n0)) goto end;
805 /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
810 if (ctx) /* otherwise we already called BN_CTX_end */
813 BN_CTX_free(new_ctx);
818 int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
820 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
821 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
823 BN_CTX *new_ctx = NULL;
824 BIGNUM *n0, *n1, *n2, *n3;
827 if (EC_POINT_is_at_infinity(group, a))
834 field_mul = group->meth->field_mul;
835 field_sqr = group->meth->field_sqr;
840 ctx = new_ctx = BN_CTX_new();
846 n0 = BN_CTX_get(ctx);
847 n1 = BN_CTX_get(ctx);
848 n2 = BN_CTX_get(ctx);
849 n3 = BN_CTX_get(ctx);
850 if (n3 == NULL) goto err;
852 /* Note that in this function we must not read components of 'a'
853 * once we have written the corresponding components of 'r'.
854 * ('r' might the same as 'a'.)
860 if (!field_sqr(group, n0, a->X, ctx)) goto err;
861 if (!BN_mod_lshift1_quick(n1, n0, p)) goto err;
862 if (!BN_mod_add_quick(n0, n0, n1, p)) goto err;
863 if (!BN_mod_add_quick(n1, n0, group->a, p)) goto err;
864 /* n1 = 3 * X_a^2 + a_curve */
866 else if (group->a_is_minus3)
868 if (!field_sqr(group, n1, a->Z, ctx)) goto err;
869 if (!BN_mod_add_quick(n0, a->X, n1, p)) goto err;
870 if (!BN_mod_sub_quick(n2, a->X, n1, p)) goto err;
871 if (!field_mul(group, n1, n0, n2, ctx)) goto err;
872 if (!BN_mod_lshift1_quick(n0, n1, p)) goto err;
873 if (!BN_mod_add_quick(n1, n0, n1, p)) goto err;
874 /* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
875 * = 3 * X_a^2 - 3 * Z_a^4 */
879 if (!field_sqr(group, n0, a->X, ctx)) goto err;
880 if (!BN_mod_lshift1_quick(n1, n0, p)) goto err;
881 if (!BN_mod_add_quick(n0, n0, n1, p)) goto err;
882 if (!field_sqr(group, n1, a->Z, ctx)) goto err;
883 if (!field_sqr(group, n1, n1, ctx)) goto err;
884 if (!field_mul(group, n1, n1, group->a, ctx)) goto err;
885 if (!BN_mod_add_quick(n1, n1, n0, p)) goto err;
886 /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
892 if (!BN_copy(n0, a->Y)) goto err;
896 if (!field_mul(group, n0, a->Y, a->Z, ctx)) goto err;
898 if (!BN_mod_lshift1_quick(r->Z, n0, p)) goto err;
900 /* Z_r = 2 * Y_a * Z_a */
903 if (!field_sqr(group, n3, a->Y, ctx)) goto err;
904 if (!field_mul(group, n2, a->X, n3, ctx)) goto err;
905 if (!BN_mod_lshift_quick(n2, n2, 2, p)) goto err;
906 /* n2 = 4 * X_a * Y_a^2 */
909 if (!BN_mod_lshift1_quick(n0, n2, p)) goto err;
910 if (!field_sqr(group, r->X, n1, ctx)) goto err;
911 if (!BN_mod_sub_quick(r->X, r->X, n0, p)) goto err;
912 /* X_r = n1^2 - 2 * n2 */
915 if (!field_sqr(group, n0, n3, ctx)) goto err;
916 if (!BN_mod_lshift_quick(n3, n0, 3, p)) goto err;
920 if (!BN_mod_sub_quick(n0, n2, r->X, p)) goto err;
921 if (!field_mul(group, n0, n1, n0, ctx)) goto err;
922 if (!BN_mod_sub_quick(r->Y, n0, n3, p)) goto err;
923 /* Y_r = n1 * (n2 - X_r) - n3 */
930 BN_CTX_free(new_ctx);
935 int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
937 if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(point->Y))
938 /* point is its own inverse */
941 return BN_usub(point->Y, group->field, point->Y);
945 int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
947 return BN_is_zero(point->Z);
951 int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
953 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
954 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
956 BN_CTX *new_ctx = NULL;
957 BIGNUM *rh, *tmp, *Z4, *Z6;
960 if (EC_POINT_is_at_infinity(group, point))
963 field_mul = group->meth->field_mul;
964 field_sqr = group->meth->field_sqr;
969 ctx = new_ctx = BN_CTX_new();
975 rh = BN_CTX_get(ctx);
976 tmp = BN_CTX_get(ctx);
977 Z4 = BN_CTX_get(ctx);
978 Z6 = BN_CTX_get(ctx);
979 if (Z6 == NULL) goto err;
982 * We have a curve defined by a Weierstrass equation
983 * y^2 = x^3 + a*x + b.
984 * The point to consider is given in Jacobian projective coordinates
985 * where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
986 * Substituting this and multiplying by Z^6 transforms the above equation into
987 * Y^2 = X^3 + a*X*Z^4 + b*Z^6.
988 * To test this, we add up the right-hand side in 'rh'.
992 if (!field_sqr(group, rh, point->X, ctx)) goto err;
994 if (!point->Z_is_one)
996 if (!field_sqr(group, tmp, point->Z, ctx)) goto err;
997 if (!field_sqr(group, Z4, tmp, ctx)) goto err;
998 if (!field_mul(group, Z6, Z4, tmp, ctx)) goto err;
1000 /* rh := (rh + a*Z^4)*X */
1001 if (group->a_is_minus3)
1003 if (!BN_mod_lshift1_quick(tmp, Z4, p)) goto err;
1004 if (!BN_mod_add_quick(tmp, tmp, Z4, p)) goto err;
1005 if (!BN_mod_sub_quick(rh, rh, tmp, p)) goto err;
1006 if (!field_mul(group, rh, rh, point->X, ctx)) goto err;
1010 if (!field_mul(group, tmp, Z4, group->a, ctx)) goto err;
1011 if (!BN_mod_add_quick(rh, rh, tmp, p)) goto err;
1012 if (!field_mul(group, rh, rh, point->X, ctx)) goto err;
1015 /* rh := rh + b*Z^6 */
1016 if (!field_mul(group, tmp, group->b, Z6, ctx)) goto err;
1017 if (!BN_mod_add_quick(rh, rh, tmp, p)) goto err;
1021 /* point->Z_is_one */
1023 /* rh := (rh + a)*X */
1024 if (!BN_mod_add_quick(rh, rh, group->a, p)) goto err;
1025 if (!field_mul(group, rh, rh, point->X, ctx)) goto err;
1027 if (!BN_mod_add_quick(rh, rh, group->b, p)) goto err;
1031 if (!field_sqr(group, tmp, point->Y, ctx)) goto err;
1033 ret = (0 == BN_ucmp(tmp, rh));
1037 if (new_ctx != NULL)
1038 BN_CTX_free(new_ctx);
1043 int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
1047 * 0 equal (in affine coordinates)
1051 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
1052 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1053 BN_CTX *new_ctx = NULL;
1054 BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
1055 const BIGNUM *tmp1_, *tmp2_;
1058 if (EC_POINT_is_at_infinity(group, a))
1060 return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
1063 if (EC_POINT_is_at_infinity(group, b))
1066 if (a->Z_is_one && b->Z_is_one)
1068 return ((BN_cmp(a->X, b->X) == 0) && BN_cmp(a->Y, b->Y) == 0) ? 0 : 1;
1071 field_mul = group->meth->field_mul;
1072 field_sqr = group->meth->field_sqr;
1076 ctx = new_ctx = BN_CTX_new();
1082 tmp1 = BN_CTX_get(ctx);
1083 tmp2 = BN_CTX_get(ctx);
1084 Za23 = BN_CTX_get(ctx);
1085 Zb23 = BN_CTX_get(ctx);
1086 if (Zb23 == NULL) goto end;
1089 * We have to decide whether
1090 * (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
1091 * or equivalently, whether
1092 * (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
1097 if (!field_sqr(group, Zb23, b->Z, ctx)) goto end;
1098 if (!field_mul(group, tmp1, a->X, Zb23, ctx)) goto end;
1105 if (!field_sqr(group, Za23, a->Z, ctx)) goto end;
1106 if (!field_mul(group, tmp2, b->X, Za23, ctx)) goto end;
1112 /* compare X_a*Z_b^2 with X_b*Z_a^2 */
1113 if (BN_cmp(tmp1_, tmp2_) != 0)
1115 ret = 1; /* points differ */
1122 if (!field_mul(group, Zb23, Zb23, b->Z, ctx)) goto end;
1123 if (!field_mul(group, tmp1, a->Y, Zb23, ctx)) goto end;
1130 if (!field_mul(group, Za23, Za23, a->Z, ctx)) goto end;
1131 if (!field_mul(group, tmp2, b->Y, Za23, ctx)) goto end;
1137 /* compare Y_a*Z_b^3 with Y_b*Z_a^3 */
1138 if (BN_cmp(tmp1_, tmp2_) != 0)
1140 ret = 1; /* points differ */
1144 /* points are equal */
1149 if (new_ctx != NULL)
1150 BN_CTX_free(new_ctx);
1155 int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
1157 BN_CTX *new_ctx = NULL;
1161 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
1166 ctx = new_ctx = BN_CTX_new();
1172 x = BN_CTX_get(ctx);
1173 y = BN_CTX_get(ctx);
1174 if (y == NULL) goto err;
1176 if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
1177 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
1178 if (!point->Z_is_one)
1180 ECerr(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE, ERR_R_INTERNAL_ERROR);
1188 if (new_ctx != NULL)
1189 BN_CTX_free(new_ctx);
1194 int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx)
1196 BN_CTX *new_ctx = NULL;
1197 BIGNUM *tmp, *tmp_Z;
1198 BIGNUM **prod_Z = NULL;
1207 ctx = new_ctx = BN_CTX_new();
1213 tmp = BN_CTX_get(ctx);
1214 tmp_Z = BN_CTX_get(ctx);
1215 if (tmp == NULL || tmp_Z == NULL) goto err;
1217 prod_Z = OPENSSL_malloc(num * sizeof prod_Z[0]);
1218 if (prod_Z == NULL) goto err;
1219 for (i = 0; i < num; i++)
1221 prod_Z[i] = BN_new();
1222 if (prod_Z[i] == NULL) goto err;
1225 /* Set each prod_Z[i] to the product of points[0]->Z .. points[i]->Z,
1226 * skipping any zero-valued inputs (pretend that they're 1). */
1228 if (!BN_is_zero(points[0]->Z))
1230 if (!BN_copy(prod_Z[0], points[0]->Z)) goto err;
1234 if (group->meth->field_set_to_one != 0)
1236 if (!group->meth->field_set_to_one(group, prod_Z[0], ctx)) goto err;
1240 if (!BN_one(prod_Z[0])) goto err;
1244 for (i = 1; i < num; i++)
1246 if (!BN_is_zero(points[i]->Z))
1248 if (!group->meth->field_mul(group, prod_Z[i], prod_Z[i - 1], points[i]->Z, ctx)) goto err;
1252 if (!BN_copy(prod_Z[i], prod_Z[i - 1])) goto err;
1256 /* Now use a single explicit inversion to replace every
1257 * non-zero points[i]->Z by its inverse. */
1259 if (!BN_mod_inverse(tmp, prod_Z[num - 1], group->field, ctx))
1261 ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);
1264 if (group->meth->field_encode != 0)
1266 /* In the Montgomery case, we just turned R*H (representing H)
1267 * into 1/(R*H), but we need R*(1/H) (representing 1/H);
1268 * i.e. we need to multiply by the Montgomery factor twice. */
1269 if (!group->meth->field_encode(group, tmp, tmp, ctx)) goto err;
1270 if (!group->meth->field_encode(group, tmp, tmp, ctx)) goto err;
1273 for (i = num - 1; i > 0; --i)
1275 /* Loop invariant: tmp is the product of the inverses of
1276 * points[0]->Z .. points[i]->Z (zero-valued inputs skipped). */
1277 if (!BN_is_zero(points[i]->Z))
1279 /* Set tmp_Z to the inverse of points[i]->Z (as product
1280 * of Z inverses 0 .. i, Z values 0 .. i - 1). */
1281 if (!group->meth->field_mul(group, tmp_Z, prod_Z[i - 1], tmp, ctx)) goto err;
1282 /* Update tmp to satisfy the loop invariant for i - 1. */
1283 if (!group->meth->field_mul(group, tmp, tmp, points[i]->Z, ctx)) goto err;
1284 /* Replace points[i]->Z by its inverse. */
1285 if (!BN_copy(points[i]->Z, tmp_Z)) goto err;
1289 if (!BN_is_zero(points[0]->Z))
1291 /* Replace points[0]->Z by its inverse. */
1292 if (!BN_copy(points[0]->Z, tmp)) goto err;
1295 /* Finally, fix up the X and Y coordinates for all points. */
1297 for (i = 0; i < num; i++)
1299 EC_POINT *p = points[i];
1301 if (!BN_is_zero(p->Z))
1303 /* turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1) */
1305 if (!group->meth->field_sqr(group, tmp, p->Z, ctx)) goto err;
1306 if (!group->meth->field_mul(group, p->X, p->X, tmp, ctx)) goto err;
1308 if (!group->meth->field_mul(group, tmp, tmp, p->Z, ctx)) goto err;
1309 if (!group->meth->field_mul(group, p->Y, p->Y, tmp, ctx)) goto err;
1311 if (group->meth->field_set_to_one != 0)
1313 if (!group->meth->field_set_to_one(group, p->Z, ctx)) goto err;
1317 if (!BN_one(p->Z)) goto err;
1327 if (new_ctx != NULL)
1328 BN_CTX_free(new_ctx);
1331 for (i = 0; i < num; i++)
1333 if (prod_Z[i] == NULL) break;
1334 BN_clear_free(prod_Z[i]);
1336 OPENSSL_free(prod_Z);
1342 int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
1344 return BN_mod_mul(r, a, b, group->field, ctx);
1348 int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
1350 return BN_mod_sqr(r, a, group->field, ctx);
projects / openssl.git / blob