1 /* crypto/ec/ecp_smpl.c */
2 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
3 * for the OpenSSL project. */
4 /* ====================================================================
5 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
19 * 3. All advertising materials mentioning features or use of this
20 * software must display the following acknowledgment:
21 * "This product includes software developed by the OpenSSL Project
22 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25 * endorse or promote products derived from this software without
26 * prior written permission. For written permission, please contact
27 * openssl-core@openssl.org.
29 * 5. Products derived from this software may not be called "OpenSSL"
30 * nor may "OpenSSL" appear in their names without prior written
31 * permission of the OpenSSL Project.
33 * 6. Redistributions of any form whatsoever must retain the following
35 * "This product includes software developed by the OpenSSL Project
36 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49 * OF THE POSSIBILITY OF SUCH DAMAGE.
50 * ====================================================================
52 * This product includes cryptographic software written by Eric Young
53 * (eay@cryptsoft.com). This product includes software written by Tim
54 * Hudson (tjh@cryptsoft.com).
58 #include <openssl/err.h>
63 const EC_METHOD *EC_GFp_simple_method(void)
65 static const EC_METHOD ret = {
66 ec_GFp_simple_group_init,
67 ec_GFp_simple_group_finish,
68 ec_GFp_simple_group_clear_finish,
69 ec_GFp_simple_group_copy,
70 ec_GFp_simple_group_set_curve_GFp,
71 ec_GFp_simple_group_get_curve_GFp,
72 ec_GFp_simple_group_set_generator,
73 ec_GFp_simple_group_get0_generator,
74 ec_GFp_simple_group_get_order,
75 ec_GFp_simple_group_get_cofactor,
76 ec_GFp_simple_point_init,
77 ec_GFp_simple_point_finish,
78 ec_GFp_simple_point_clear_finish,
79 ec_GFp_simple_point_copy,
80 ec_GFp_simple_point_set_to_infinity,
81 ec_GFp_simple_set_Jprojective_coordinates_GFp,
82 ec_GFp_simple_get_Jprojective_coordinates_GFp,
83 ec_GFp_simple_point_set_affine_coordinates_GFp,
84 ec_GFp_simple_point_get_affine_coordinates_GFp,
85 ec_GFp_simple_set_compressed_coordinates_GFp,
86 ec_GFp_simple_point2oct,
87 ec_GFp_simple_oct2point,
91 ec_GFp_simple_is_at_infinity,
92 ec_GFp_simple_is_on_curve,
94 ec_GFp_simple_make_affine,
95 ec_GFp_simple_field_mul,
96 ec_GFp_simple_field_sqr,
98 0 /* field_decode */ };
104 int ec_GFp_simple_group_init(EC_GROUP *group)
106 BN_init(&group->field);
109 group->a_is_minus3 = 0;
110 group->generator = NULL;
111 BN_init(&group->order);
112 BN_init(&group->cofactor);
117 void ec_GFp_simple_group_finish(EC_GROUP *group)
119 BN_free(&group->field);
122 if (group->generator != NULL)
123 EC_POINT_free(group->generator);
124 BN_free(&group->order);
125 BN_free(&group->cofactor);
129 void ec_GFp_simple_group_clear_finish(EC_GROUP *group)
131 BN_clear_free(&group->field);
132 BN_clear_free(&group->a);
133 BN_clear_free(&group->b);
134 if (group->generator != NULL)
136 EC_POINT_clear_free(group->generator);
137 group->generator = NULL;
139 BN_clear_free(&group->order);
140 BN_clear_free(&group->cofactor);
144 int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
146 if (!BN_copy(&dest->field, &src->field)) return 0;
147 if (!BN_copy(&dest->a, &src->a)) return 0;
148 if (!BN_copy(&dest->b, &src->b)) return 0;
150 dest->a_is_minus3 = src->a_is_minus3;
152 if (src->generator != NULL)
154 if (dest->generator == NULL)
156 dest->generator = EC_POINT_new(dest);
157 if (dest->generator == NULL) return 0;
159 if (!EC_POINT_copy(dest->generator, src->generator)) return 0;
163 /* src->generator == NULL */
164 if (dest->generator != NULL)
166 EC_POINT_clear_free(dest->generator);
167 dest->generator = NULL;
171 if (!BN_copy(&dest->order, &src->order)) return 0;
172 if (!BN_copy(&dest->cofactor, &src->cofactor)) return 0;
178 int ec_GFp_simple_group_set_curve_GFp(EC_GROUP *group,
179 const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
182 BN_CTX *new_ctx = NULL;
185 /* p must be a prime > 3 */
186 if (BN_num_bits(p) <= 2 || !BN_is_odd(p))
188 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP, EC_R_INVALID_FIELD);
194 ctx = new_ctx = BN_CTX_new();
200 tmp_a = BN_CTX_get(ctx);
201 if (tmp_a == NULL) goto err;
204 if (!BN_copy(&group->field, p)) goto err;
205 group->field.neg = 0;
208 if (!BN_nnmod(tmp_a, a, p, ctx)) goto err;
209 if (group->meth->field_encode)
210 { if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) goto err; }
212 if (!BN_copy(&group->a, tmp_a)) goto err;
215 if (!BN_nnmod(&group->b, b, p, ctx)) goto err;
216 if (group->meth->field_encode)
217 if (!group->meth->field_encode(group, &group->b, &group->b, ctx)) goto err;
219 /* group->a_is_minus3 */
220 if (!BN_add_word(tmp_a, 3)) goto err;
221 group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
228 BN_CTX_free(new_ctx);
233 int ec_GFp_simple_group_get_curve_GFp(EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
236 BN_CTX *new_ctx = NULL;
240 if (!BN_copy(p, &group->field)) return 0;
243 if (a != NULL || b != NULL)
245 if (group->meth->field_decode)
249 ctx = new_ctx = BN_CTX_new();
255 if (!group->meth->field_decode(group, a, &group->a, ctx)) goto err;
259 if (!group->meth->field_decode(group, b, &group->b, ctx)) goto err;
266 if (!BN_copy(a, &group->a)) goto err;
270 if (!BN_copy(b, &group->b)) goto err;
279 BN_CTX_free(new_ctx);
285 int ec_GFp_simple_group_set_generator(EC_GROUP *group, const EC_POINT *generator,
286 const BIGNUM *order, const BIGNUM *cofactor)
290 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR, ERR_R_PASSED_NULL_PARAMETER);
294 if (group->generator == NULL)
296 group->generator = EC_POINT_new(group);
297 if (group->generator == NULL) return 0;
299 if (!EC_POINT_copy(group->generator, generator)) return 0;
302 { if (!BN_copy(&group->order, order)) return 0; }
304 { if (!BN_zero(&group->order)) return 0; }
306 if (cofactor != NULL)
307 { if (!BN_copy(&group->cofactor, cofactor)) return 0; }
309 { if (!BN_zero(&group->cofactor)) return 0; }
315 EC_POINT *ec_GFp_simple_group_get0_generator(EC_GROUP *group)
317 return group->generator;
321 int ec_GFp_simple_group_get_order(EC_GROUP *group, BIGNUM *order, BN_CTX *ctx)
323 if (!BN_copy(order, &group->order))
326 return !BN_is_zero(&group->order);
330 int ec_GFp_simple_group_get_cofactor(EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx)
332 if (!BN_copy(cofactor, &group->cofactor))
335 return !BN_is_zero(&group->cofactor);
339 int ec_GFp_simple_point_init(EC_POINT *point)
350 void ec_GFp_simple_point_finish(EC_POINT *point)
358 void ec_GFp_simple_point_clear_finish(EC_POINT *point)
360 BN_clear_free(&point->X);
361 BN_clear_free(&point->Y);
362 BN_clear_free(&point->Z);
367 int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
369 if (!BN_copy(&dest->X, &src->X)) return 0;
370 if (!BN_copy(&dest->Y, &src->Y)) return 0;
371 if (!BN_copy(&dest->Z, &src->Z)) return 0;
372 dest->Z_is_one = src->Z_is_one;
378 int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
381 return (BN_zero(&point->Z));
385 int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
386 const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx)
388 BN_CTX *new_ctx = NULL;
393 ctx = new_ctx = BN_CTX_new();
400 if (!BN_nnmod(&point->X, x, &group->field, ctx)) goto err;
401 if (group->meth->field_encode)
403 if (!group->meth->field_encode(group, &point->X, &point->X, ctx)) goto err;
409 if (!BN_nnmod(&point->Y, y, &group->field, ctx)) goto err;
410 if (group->meth->field_encode)
412 if (!group->meth->field_encode(group, &point->Y, &point->Y, ctx)) goto err;
420 if (!BN_nnmod(&point->Z, z, &group->field, ctx)) goto err;
421 Z_is_one = BN_is_one(&point->Z);
422 if (group->meth->field_encode)
424 if (!group->meth->field_encode(group, &point->Z, &point->Z, ctx)) goto err;
426 point->Z_is_one = Z_is_one;
433 BN_CTX_free(new_ctx);
438 int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
439 BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx)
441 BN_CTX *new_ctx = NULL;
444 if (group->meth->field_decode != 0)
448 ctx = new_ctx = BN_CTX_new();
455 if (!group->meth->field_decode(group, x, &point->X, ctx)) goto err;
459 if (!group->meth->field_decode(group, y, &point->Y, ctx)) goto err;
463 if (!group->meth->field_decode(group, z, &point->Z, ctx)) goto err;
470 if (!BN_copy(x, &point->X)) goto err;
474 if (!BN_copy(y, &point->Y)) goto err;
478 if (!BN_copy(z, &point->Z)) goto err;
486 BN_CTX_free(new_ctx);
491 int ec_GFp_simple_point_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
492 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
494 if (x == NULL || y == NULL)
496 /* unlike for projective coordinates, we do not tolerate this */
497 ECerr(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP, ERR_R_PASSED_NULL_PARAMETER);
501 return EC_POINT_set_Jprojective_coordinates_GFp(group, point, x, y, BN_value_one(), ctx);
505 int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
506 BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
508 BN_CTX *new_ctx = NULL;
509 BIGNUM *X, *Y, *Z, *Z_1, *Z_2, *Z_3;
510 const BIGNUM *X_, *Y_, *Z_;
513 if (EC_POINT_is_at_infinity(group, point))
515 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP, EC_R_POINT_AT_INFINITY);
521 ctx = new_ctx = BN_CTX_new();
530 Z_1 = BN_CTX_get(ctx);
531 Z_2 = BN_CTX_get(ctx);
532 Z_3 = BN_CTX_get(ctx);
533 if (Z_3 == NULL) goto err;
535 /* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */
537 if (group->meth->field_decode)
539 if (!group->meth->field_decode(group, X, &point->X, ctx)) goto err;
540 if (!group->meth->field_decode(group, Y, &point->Y, ctx)) goto err;
541 if (!group->meth->field_decode(group, Z, &point->Z, ctx)) goto err;
542 X_ = X; Y_ = Y; Z_ = Z;
555 if (!BN_copy(x, X_)) goto err;
559 if (!BN_copy(y, Y_)) goto err;
564 if (!BN_mod_inverse(Z_1, Z_, &group->field, ctx))
566 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP, ERR_R_BN_LIB);
569 if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx)) goto err;
573 if (!BN_mod_mul(x, X_, Z_2, &group->field, ctx)) goto err;
578 if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx)) goto err;
579 if (!BN_mod_mul(y, Y_, Z_3, &group->field, ctx)) goto err;
588 BN_CTX_free(new_ctx);
593 int ec_GFp_simple_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
594 const BIGNUM *x, int y_bit, BN_CTX *ctx)
596 BN_CTX *new_ctx = NULL;
597 BIGNUM *tmp1, *tmp2, *y;
602 ctx = new_ctx = BN_CTX_new();
607 y_bit = (y_bit != 0);
610 tmp1 = BN_CTX_get(ctx);
611 tmp2 = BN_CTX_get(ctx);
613 if (y == NULL) goto err;
615 /* Recover y. We have a Weierstrass equation
616 * y^2 = x^3 + a*x + b,
617 * so y is one of the square roots of x^3 + a*x + b.
621 if (!BN_mod_sqr(tmp2, x, &group->field, ctx)) goto err;
622 if (!BN_mod_mul(tmp1, tmp2, x, &group->field, ctx)) goto err;
624 /* tmp1 := tmp1 + a*x */
625 if (group->a_is_minus3)
627 if (!BN_mod_lshift1_quick(tmp2, x, &group->field)) goto err;
628 if (!BN_mod_add_quick(tmp2, tmp2, x, &group->field)) goto err;
629 if (!BN_mod_sub_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
633 if (!BN_mod_mul(tmp2, &group->a, x, &group->field, ctx)) goto err;
634 if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
637 /* tmp1 := tmp1 + b */
638 if (!BN_mod_add_quick(tmp1, tmp1, &group->b, &group->field)) goto err;
640 if (!BN_mod_sqrt(y, tmp1, &group->field, ctx))
642 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, ERR_R_BN_LIB);
645 /* If tmp1 is not a square (i.e. there is no point on the curve with
646 * our x), then y now is a nonsense value too */
648 if (y_bit != BN_is_odd(y))
654 kron = BN_kronecker(x, &group->field, ctx);
655 if (kron == -2) goto err;
658 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSION_BIT);
660 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSED_POINT);
663 if (!BN_usub(y, &group->field, y)) goto err;
665 if (y_bit != BN_is_odd(y))
667 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, ERR_R_INTERNAL_ERROR);
671 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
678 BN_CTX_free(new_ctx);
683 size_t ec_GFp_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form,
684 unsigned char *buf, size_t len, BN_CTX *ctx)
687 BN_CTX *new_ctx = NULL;
690 size_t field_len, i, skip;
692 if ((form != POINT_CONVERSION_COMPRESSED)
693 && (form != POINT_CONVERSION_UNCOMPRESSED)
694 && (form != POINT_CONVERSION_HYBRID))
696 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_INVALID_FORM);
700 if (EC_POINT_is_at_infinity(group, point))
702 /* encodes to a single 0 octet */
707 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
716 /* ret := required output buffer length */
717 field_len = BN_num_bytes(&group->field);
718 ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
720 /* if 'buf' is NULL, just return required length */
725 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
731 ctx = new_ctx = BN_CTX_new();
740 if (y == NULL) goto err;
742 if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
744 if ((form == POINT_CONVERSION_COMPRESSED || form == POINT_CONVERSION_HYBRID) && BN_is_odd(y))
751 skip = field_len - BN_num_bytes(x);
752 if (skip > field_len)
754 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
762 skip = BN_bn2bin(x, buf + i);
764 if (i != 1 + field_len)
766 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
770 if (form == POINT_CONVERSION_UNCOMPRESSED || form == POINT_CONVERSION_HYBRID)
772 skip = field_len - BN_num_bytes(y);
773 if (skip > field_len)
775 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
783 skip = BN_bn2bin(y, buf + i);
789 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
797 BN_CTX_free(new_ctx);
804 BN_CTX_free(new_ctx);
809 int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
810 const unsigned char *buf, size_t len, BN_CTX *ctx)
812 point_conversion_form_t form;
814 BN_CTX *new_ctx = NULL;
816 size_t field_len, enc_len;
821 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_BUFFER_TOO_SMALL);
827 if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED)
828 && (form != POINT_CONVERSION_UNCOMPRESSED)
829 && (form != POINT_CONVERSION_HYBRID))
831 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
834 if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit)
836 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
844 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
848 return EC_POINT_set_to_infinity(group, point);
851 field_len = BN_num_bytes(&group->field);
852 enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
856 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
862 ctx = new_ctx = BN_CTX_new();
870 if (y == NULL) goto err;
872 if (!BN_bin2bn(buf + 1, field_len, x)) goto err;
873 if (BN_ucmp(x, &group->field) >= 0)
875 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
879 if (form == POINT_CONVERSION_COMPRESSED)
881 if (!EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx)) goto err;
885 if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) goto err;
886 if (BN_ucmp(y, &group->field) >= 0)
888 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
891 if (form == POINT_CONVERSION_HYBRID)
893 if (y_bit != BN_is_odd(y))
895 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
900 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
903 if (!EC_POINT_is_on_curve(group, point, ctx)) /* test required by X9.62 */
905 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
914 BN_CTX_free(new_ctx);
919 int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
921 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
922 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
924 BN_CTX *new_ctx = NULL;
925 BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
929 return EC_POINT_dbl(group, r, a, ctx);
930 if (EC_POINT_is_at_infinity(group, a))
931 return EC_POINT_copy(r, b);
932 if (EC_POINT_is_at_infinity(group, b))
933 return EC_POINT_copy(r, a);
935 field_mul = group->meth->field_mul;
936 field_sqr = group->meth->field_sqr;
941 ctx = new_ctx = BN_CTX_new();
947 n0 = BN_CTX_get(ctx);
948 n1 = BN_CTX_get(ctx);
949 n2 = BN_CTX_get(ctx);
950 n3 = BN_CTX_get(ctx);
951 n4 = BN_CTX_get(ctx);
952 n5 = BN_CTX_get(ctx);
953 n6 = BN_CTX_get(ctx);
954 if (n6 == NULL) goto end;
956 /* Note that in this function we must not read components of 'a' or 'b'
957 * once we have written the corresponding components of 'r'.
958 * ('r' might be one of 'a' or 'b'.)
964 if (!BN_copy(n1, &a->X)) goto end;
965 if (!BN_copy(n2, &a->Y)) goto end;
971 if (!field_sqr(group, n0, &b->Z, ctx)) goto end;
972 if (!field_mul(group, n1, &a->X, n0, ctx)) goto end;
973 /* n1 = X_a * Z_b^2 */
975 if (!field_mul(group, n0, n0, &b->Z, ctx)) goto end;
976 if (!field_mul(group, n2, &a->Y, n0, ctx)) goto end;
977 /* n2 = Y_a * Z_b^3 */
983 if (!BN_copy(n3, &b->X)) goto end;
984 if (!BN_copy(n4, &b->Y)) goto end;
990 if (!field_sqr(group, n0, &a->Z, ctx)) goto end;
991 if (!field_mul(group, n3, &b->X, n0, ctx)) goto end;
992 /* n3 = X_b * Z_a^2 */
994 if (!field_mul(group, n0, n0, &a->Z, ctx)) goto end;
995 if (!field_mul(group, n4, &b->Y, n0, ctx)) goto end;
996 /* n4 = Y_b * Z_a^3 */
1000 if (!BN_mod_sub_quick(n5, n1, n3, p)) goto end;
1001 if (!BN_mod_sub_quick(n6, n2, n4, p)) goto end;
1009 /* a is the same point as b */
1011 ret = EC_POINT_dbl(group, r, a, ctx);
1017 /* a is the inverse of b */
1018 if (!BN_zero(&r->Z)) goto end;
1026 if (!BN_mod_add_quick(n1, n1, n3, p)) goto end;
1027 if (!BN_mod_add_quick(n2, n2, n4, p)) goto end;
1028 /* 'n7' = n1 + n3 */
1029 /* 'n8' = n2 + n4 */
1032 if (a->Z_is_one && b->Z_is_one)
1034 if (!BN_copy(&r->Z, n5)) goto end;
1039 { if (!BN_copy(n0, &b->Z)) goto end; }
1040 else if (b->Z_is_one)
1041 { if (!BN_copy(n0, &a->Z)) goto end; }
1043 { if (!field_mul(group, n0, &a->Z, &b->Z, ctx)) goto end; }
1044 if (!field_mul(group, &r->Z, n0, n5, ctx)) goto end;
1047 /* Z_r = Z_a * Z_b * n5 */
1050 if (!field_sqr(group, n0, n6, ctx)) goto end;
1051 if (!field_sqr(group, n4, n5, ctx)) goto end;
1052 if (!field_mul(group, n3, n1, n4, ctx)) goto end;
1053 if (!BN_mod_sub_quick(&r->X, n0, n3, p)) goto end;
1054 /* X_r = n6^2 - n5^2 * 'n7' */
1057 if (!BN_mod_lshift1_quick(n0, &r->X, p)) goto end;
1058 if (!BN_mod_sub_quick(n0, n3, n0, p)) goto end;
1059 /* n9 = n5^2 * 'n7' - 2 * X_r */
1062 if (!field_mul(group, n0, n0, n6, ctx)) goto end;
1063 if (!field_mul(group, n5, n4, n5, ctx)) goto end; /* now n5 is n5^3 */
1064 if (!field_mul(group, n1, n2, n5, ctx)) goto end;
1065 if (!BN_mod_sub_quick(n0, n0, n1, p)) goto end;
1067 if (!BN_add(n0, n0, p)) goto end;
1068 /* now 0 <= n0 < 2*p, and n0 is even */
1069 if (!BN_rshift1(&r->Y, n0)) goto end;
1070 /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
1075 if (ctx) /* otherwise we already called BN_CTX_end */
1077 if (new_ctx != NULL)
1078 BN_CTX_free(new_ctx);
1083 int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
1085 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
1086 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1088 BN_CTX *new_ctx = NULL;
1089 BIGNUM *n0, *n1, *n2, *n3;
1092 if (EC_POINT_is_at_infinity(group, a))
1094 if (!BN_zero(&r->Z)) return 0;
1099 field_mul = group->meth->field_mul;
1100 field_sqr = group->meth->field_sqr;
1105 ctx = new_ctx = BN_CTX_new();
1111 n0 = BN_CTX_get(ctx);
1112 n1 = BN_CTX_get(ctx);
1113 n2 = BN_CTX_get(ctx);
1114 n3 = BN_CTX_get(ctx);
1115 if (n3 == NULL) goto err;
1117 /* Note that in this function we must not read components of 'a'
1118 * once we have written the corresponding components of 'r'.
1119 * ('r' might the same as 'a'.)
1125 if (!field_sqr(group, n0, &a->X, ctx)) goto err;
1126 if (!BN_mod_lshift1_quick(n1, n0, p)) goto err;
1127 if (!BN_mod_add_quick(n0, n0, n1, p)) goto err;
1128 if (!BN_mod_add_quick(n1, n0, &group->a, p)) goto err;
1129 /* n1 = 3 * X_a^2 + a_curve */
1131 else if (group->a_is_minus3)
1133 if (!field_sqr(group, n1, &a->Z, ctx)) goto err;
1134 if (!BN_mod_add_quick(n0, &a->X, n1, p)) goto err;
1135 if (!BN_mod_sub_quick(n2, &a->X, n1, p)) goto err;
1136 if (!field_mul(group, n1, n0, n2, ctx)) goto err;
1137 if (!BN_mod_lshift1_quick(n0, n1, p)) goto err;
1138 if (!BN_mod_add_quick(n1, n0, n1, p)) goto err;
1139 /* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
1140 * = 3 * X_a^2 - 3 * Z_a^4 */
1144 if (!field_sqr(group, n0, &a->X, ctx)) goto err;
1145 if (!BN_mod_lshift1_quick(n1, n0, p)) goto err;
1146 if (!BN_mod_add_quick(n0, n0, n1, p)) goto err;
1147 if (!field_sqr(group, n1, &a->Z, ctx)) goto err;
1148 if (!field_sqr(group, n1, n1, ctx)) goto err;
1149 if (!field_mul(group, n1, n1, &group->a, ctx)) goto err;
1150 if (!BN_mod_add_quick(n1, n1, n0, p)) goto err;
1151 /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
1157 if (!BN_copy(n0, &a->Y)) goto err;
1161 if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) goto err;
1163 if (!BN_mod_lshift1_quick(&r->Z, n0, p)) goto err;
1165 /* Z_r = 2 * Y_a * Z_a */
1168 if (!field_sqr(group, n3, &a->Y, ctx)) goto err;
1169 if (!field_mul(group, n2, &a->X, n3, ctx)) goto err;
1170 if (!BN_mod_lshift_quick(n2, n2, 2, p)) goto err;
1171 /* n2 = 4 * X_a * Y_a^2 */
1174 if (!BN_mod_lshift1_quick(n0, n2, p)) goto err;
1175 if (!field_sqr(group, &r->X, n1, ctx)) goto err;
1176 if (!BN_mod_sub_quick(&r->X, &r->X, n0, p)) goto err;
1177 /* X_r = n1^2 - 2 * n2 */
1180 if (!field_sqr(group, n0, n3, ctx)) goto err;
1181 if (!BN_mod_lshift_quick(n3, n0, 3, p)) goto err;
1182 /* n3 = 8 * Y_a^4 */
1185 if (!BN_mod_sub_quick(n0, n2, &r->X, p)) goto err;
1186 if (!field_mul(group, n0, n1, n0, ctx)) goto err;
1187 if (!BN_mod_sub_quick(&r->Y, n0, n3, p)) goto err;
1188 /* Y_r = n1 * (n2 - X_r) - n3 */
1194 if (new_ctx != NULL)
1195 BN_CTX_free(new_ctx);
1200 int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
1202 if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y))
1203 /* point is its own inverse */
1206 return BN_usub(&point->Y, &group->field, &point->Y);
1210 int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
1212 return BN_is_zero(&point->Z);
1216 int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
1218 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
1219 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1221 BN_CTX *new_ctx = NULL;
1222 BIGNUM *rh, *tmp1, *tmp2, *Z4, *Z6;
1225 if (EC_POINT_is_at_infinity(group, point))
1228 field_mul = group->meth->field_mul;
1229 field_sqr = group->meth->field_sqr;
1234 ctx = new_ctx = BN_CTX_new();
1240 rh = BN_CTX_get(ctx);
1241 tmp1 = BN_CTX_get(ctx);
1242 tmp2 = BN_CTX_get(ctx);
1243 Z4 = BN_CTX_get(ctx);
1244 Z6 = BN_CTX_get(ctx);
1245 if (Z6 == NULL) goto err;
1247 /* We have a curve defined by a Weierstrass equation
1248 * y^2 = x^3 + a*x + b.
1249 * The point to consider is given in Jacobian projective coordinates
1250 * where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
1251 * Substituting this and multiplying by Z^6 transforms the above equation into
1252 * Y^2 = X^3 + a*X*Z^4 + b*Z^6.
1253 * To test this, we add up the right-hand side in 'rh'.
1257 if (!field_sqr(group, rh, &point->X, ctx)) goto err;
1258 if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
1260 if (!point->Z_is_one)
1262 if (!field_sqr(group, tmp1, &point->Z, ctx)) goto err;
1263 if (!field_sqr(group, Z4, tmp1, ctx)) goto err;
1264 if (!field_mul(group, Z6, Z4, tmp1, ctx)) goto err;
1266 /* rh := rh + a*X*Z^4 */
1267 if (!field_mul(group, tmp1, &point->X, Z4, ctx)) goto err;
1268 if (group->a_is_minus3)
1270 if (!BN_mod_lshift1_quick(tmp2, tmp1, p)) goto err;
1271 if (!BN_mod_add_quick(tmp2, tmp2, tmp1, p)) goto err;
1272 if (!BN_mod_sub_quick(rh, rh, tmp2, p)) goto err;
1276 if (!field_mul(group, tmp2, tmp1, &group->a, ctx)) goto err;
1277 if (!BN_mod_add_quick(rh, rh, tmp2, p)) goto err;
1280 /* rh := rh + b*Z^6 */
1281 if (!field_mul(group, tmp1, &group->b, Z6, ctx)) goto err;
1282 if (!BN_mod_add_quick(rh, rh, tmp1, p)) goto err;
1286 /* point->Z_is_one */
1288 /* rh := rh + a*X */
1289 if (group->a_is_minus3)
1291 if (!BN_mod_lshift1_quick(tmp2, &point->X, p)) goto err;
1292 if (!BN_mod_add_quick(tmp2, tmp2, &point->X, p)) goto err;
1293 if (!BN_mod_sub_quick(rh, rh, tmp2, p)) goto err;
1297 if (!field_mul(group, tmp2, &point->X, &group->a, ctx)) goto err;
1298 if (!BN_mod_add_quick(rh, rh, tmp2, p)) goto err;
1302 if (!BN_mod_add_quick(rh, rh, &group->b, p)) goto err;
1306 if (!field_sqr(group, tmp1, &point->Y, ctx)) goto err;
1308 ret = (0 == BN_cmp(tmp1, rh));
1312 if (new_ctx != NULL)
1313 BN_CTX_free(new_ctx);
1318 int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
1322 * 0 equal (in affine coordinates)
1326 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
1327 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1328 BN_CTX *new_ctx = NULL;
1329 BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
1330 const BIGNUM *tmp1_, *tmp2_;
1333 if (EC_POINT_is_at_infinity(group, a))
1335 return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
1338 if (a->Z_is_one && b->Z_is_one)
1340 return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
1343 field_mul = group->meth->field_mul;
1344 field_sqr = group->meth->field_sqr;
1348 ctx = new_ctx = BN_CTX_new();
1354 tmp1 = BN_CTX_get(ctx);
1355 tmp2 = BN_CTX_get(ctx);
1356 Za23 = BN_CTX_get(ctx);
1357 Zb23 = BN_CTX_get(ctx);
1358 if (Zb23 == NULL) goto end;
1360 /* We have to decide whether
1361 * (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
1362 * or equivalently, whether
1363 * (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
1368 if (!field_sqr(group, Zb23, &b->Z, ctx)) goto end;
1369 if (!field_mul(group, tmp1, &a->X, Zb23, ctx)) goto end;
1376 if (!field_sqr(group, Za23, &a->Z, ctx)) goto end;
1377 if (!field_mul(group, tmp2, &b->X, Za23, ctx)) goto end;
1383 /* compare X_a*Z_b^2 with X_b*Z_a^2 */
1384 if (BN_cmp(tmp1_, tmp2_) != 0)
1386 ret = 1; /* points differ */
1393 if (!field_mul(group, Zb23, Zb23, &b->Z, ctx)) goto end;
1394 if (!field_mul(group, tmp1, &a->Y, Zb23, ctx)) goto end;
1398 if (!field_mul(group, Za23, Za23, &a->Z, ctx)) goto end;
1399 if (!field_mul(group, tmp2, &b->Y, Za23, ctx)) goto end;
1401 /* tmp1_ and tmp2_ are still ok */
1403 /* compare Y_a*Z_b^3 with Y_b*Z_a^3 */
1404 if (BN_cmp(tmp1_, tmp2_) != 0)
1406 ret = 1; /* points differ */
1410 /* points are equal */
1415 if (new_ctx != NULL)
1416 BN_CTX_free(new_ctx);
1421 int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
1423 BN_CTX *new_ctx = NULL;
1427 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
1432 ctx = new_ctx = BN_CTX_new();
1438 x = BN_CTX_get(ctx);
1439 y = BN_CTX_get(ctx);
1440 if (y == NULL) goto err;
1442 if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
1443 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
1444 if (!point->Z_is_one)
1446 ECerr(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE, ERR_R_INTERNAL_ERROR);
1454 if (new_ctx != NULL)
1455 BN_CTX_free(new_ctx);
1460 int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
1462 return BN_mod_mul(r, a, b, &group->field, ctx);
1466 int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
1468 return BN_mod_sqr(r, a, &group->field, ctx);
projects / openssl.git / blob