1 /* ====================================================================
2 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
4 * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
5 * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
6 * to the OpenSSL project.
8 * The ECC Code is licensed pursuant to the OpenSSL open source
9 * license provided below.
11 * In addition, Sun covenants to all licensees who provide a reciprocal
12 * covenant with respect to their own patents if any, not to sue under
13 * current and future patent claims necessarily infringed by the making,
14 * using, practicing, selling, offering for sale and/or otherwise
15 * disposing of the ECC Code as delivered hereunder (or portions thereof),
16 * provided that such covenant shall not apply:
17 * 1) for code that a licensee deletes from the ECC Code;
18 * 2) separates from the ECC Code; or
19 * 3) for infringements caused by:
20 * i) the modification of the ECC Code or
21 * ii) the combination of the ECC Code with other software or
22 * devices where such combination causes the infringement.
24 * The software is originally written by Sheueling Chang Shantz and
25 * Douglas Stebila of Sun Microsystems Laboratories.
30 * NOTE: This file is licensed pursuant to the OpenSSL license below and may
31 * be modified; but after modifications, the above covenant may no longer
32 * apply! In such cases, the corresponding paragraph ["In addition, Sun
33 * covenants ... causes the infringement."] and this note can be edited out;
34 * but please keep the Sun copyright notice and attribution.
37 /* ====================================================================
38 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
40 * Redistribution and use in source and binary forms, with or without
41 * modification, are permitted provided that the following conditions
44 * 1. Redistributions of source code must retain the above copyright
45 * notice, this list of conditions and the following disclaimer.
47 * 2. Redistributions in binary form must reproduce the above copyright
48 * notice, this list of conditions and the following disclaimer in
49 * the documentation and/or other materials provided with the
52 * 3. All advertising materials mentioning features or use of this
53 * software must display the following acknowledgment:
54 * "This product includes software developed by the OpenSSL Project
55 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
57 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
58 * endorse or promote products derived from this software without
59 * prior written permission. For written permission, please contact
60 * openssl-core@openssl.org.
62 * 5. Products derived from this software may not be called "OpenSSL"
63 * nor may "OpenSSL" appear in their names without prior written
64 * permission of the OpenSSL Project.
66 * 6. Redistributions of any form whatsoever must retain the following
68 * "This product includes software developed by the OpenSSL Project
69 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
71 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
72 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
73 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
74 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
75 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
76 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
77 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
78 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
79 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
80 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
81 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
82 * OF THE POSSIBILITY OF SUCH DAMAGE.
83 * ====================================================================
85 * This product includes cryptographic software written by Eric Young
86 * (eay@cryptsoft.com). This product includes software written by Tim
87 * Hudson (tjh@cryptsoft.com).
94 #include "internal/cryptlib.h"
97 #ifndef OPENSSL_NO_EC2M
100 * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
103 # define MAX_ITERATIONS 50
105 static const BN_ULONG SQR_tb[16] = { 0, 1, 4, 5, 16, 17, 20, 21,
106 64, 65, 68, 69, 80, 81, 84, 85
109 /* Platform-specific macros to accelerate squaring. */
110 # if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
112 SQR_tb[(w) >> 60 & 0xF] << 56 | SQR_tb[(w) >> 56 & 0xF] << 48 | \
113 SQR_tb[(w) >> 52 & 0xF] << 40 | SQR_tb[(w) >> 48 & 0xF] << 32 | \
114 SQR_tb[(w) >> 44 & 0xF] << 24 | SQR_tb[(w) >> 40 & 0xF] << 16 | \
115 SQR_tb[(w) >> 36 & 0xF] << 8 | SQR_tb[(w) >> 32 & 0xF]
117 SQR_tb[(w) >> 28 & 0xF] << 56 | SQR_tb[(w) >> 24 & 0xF] << 48 | \
118 SQR_tb[(w) >> 20 & 0xF] << 40 | SQR_tb[(w) >> 16 & 0xF] << 32 | \
119 SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \
120 SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
122 # ifdef THIRTY_TWO_BIT
124 SQR_tb[(w) >> 28 & 0xF] << 24 | SQR_tb[(w) >> 24 & 0xF] << 16 | \
125 SQR_tb[(w) >> 20 & 0xF] << 8 | SQR_tb[(w) >> 16 & 0xF]
127 SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \
128 SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
131 # if !defined(OPENSSL_BN_ASM_GF2m)
133 * Product of two polynomials a, b each with degree < BN_BITS2 - 1, result is
134 * a polynomial r with degree < 2 * BN_BITS - 1 The caller MUST ensure that
135 * the variables have the right amount of space allocated.
137 # ifdef THIRTY_TWO_BIT
138 static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a,
141 register BN_ULONG h, l, s;
142 BN_ULONG tab[8], top2b = a >> 30;
143 register BN_ULONG a1, a2, a4;
145 a1 = a & (0x3FFFFFFF);
156 tab[7] = a1 ^ a2 ^ a4;
160 s = tab[b >> 3 & 0x7];
163 s = tab[b >> 6 & 0x7];
166 s = tab[b >> 9 & 0x7];
169 s = tab[b >> 12 & 0x7];
172 s = tab[b >> 15 & 0x7];
175 s = tab[b >> 18 & 0x7];
178 s = tab[b >> 21 & 0x7];
181 s = tab[b >> 24 & 0x7];
184 s = tab[b >> 27 & 0x7];
191 /* compensate for the top two bits of a */
206 # if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
207 static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a,
210 register BN_ULONG h, l, s;
211 BN_ULONG tab[16], top3b = a >> 61;
212 register BN_ULONG a1, a2, a4, a8;
214 a1 = a & (0x1FFFFFFFFFFFFFFFULL);
226 tab[7] = a1 ^ a2 ^ a4;
230 tab[11] = a1 ^ a2 ^ a8;
232 tab[13] = a1 ^ a4 ^ a8;
233 tab[14] = a2 ^ a4 ^ a8;
234 tab[15] = a1 ^ a2 ^ a4 ^ a8;
238 s = tab[b >> 4 & 0xF];
241 s = tab[b >> 8 & 0xF];
244 s = tab[b >> 12 & 0xF];
247 s = tab[b >> 16 & 0xF];
250 s = tab[b >> 20 & 0xF];
253 s = tab[b >> 24 & 0xF];
256 s = tab[b >> 28 & 0xF];
259 s = tab[b >> 32 & 0xF];
262 s = tab[b >> 36 & 0xF];
265 s = tab[b >> 40 & 0xF];
268 s = tab[b >> 44 & 0xF];
271 s = tab[b >> 48 & 0xF];
274 s = tab[b >> 52 & 0xF];
277 s = tab[b >> 56 & 0xF];
284 /* compensate for the top three bits of a */
305 * Product of two polynomials a, b each with degree < 2 * BN_BITS2 - 1,
306 * result is a polynomial r with degree < 4 * BN_BITS2 - 1 The caller MUST
307 * ensure that the variables have the right amount of space allocated.
309 static void bn_GF2m_mul_2x2(BN_ULONG *r, const BN_ULONG a1, const BN_ULONG a0,
310 const BN_ULONG b1, const BN_ULONG b0)
313 /* r[3] = h1, r[2] = h0; r[1] = l1; r[0] = l0 */
314 bn_GF2m_mul_1x1(r + 3, r + 2, a1, b1);
315 bn_GF2m_mul_1x1(r + 1, r, a0, b0);
316 bn_GF2m_mul_1x1(&m1, &m0, a0 ^ a1, b0 ^ b1);
317 /* Correction on m1 ^= l1 ^ h1; m0 ^= l0 ^ h0; */
318 r[2] ^= m1 ^ r[1] ^ r[3]; /* h0 ^= m1 ^ l1 ^ h1; */
319 r[1] = r[3] ^ r[2] ^ r[0] ^ m1 ^ m0; /* l1 ^= l0 ^ h0 ^ m0; */
322 void bn_GF2m_mul_2x2(BN_ULONG *r, BN_ULONG a1, BN_ULONG a0, BN_ULONG b1,
327 * Add polynomials a and b and store result in r; r could be a or b, a and b
328 * could be equal; r is the bitwise XOR of a and b.
330 int BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
333 const BIGNUM *at, *bt;
338 if (a->top < b->top) {
346 if (bn_wexpand(r, at->top) == NULL)
349 for (i = 0; i < bt->top; i++) {
350 r->d[i] = at->d[i] ^ bt->d[i];
352 for (; i < at->top; i++) {
363 * Some functions allow for representation of the irreducible polynomials
364 * as an int[], say p. The irreducible f(t) is then of the form:
365 * t^p[0] + t^p[1] + ... + t^p[k]
366 * where m = p[0] > p[1] > ... > p[k] = 0.
369 /* Performs modular reduction of a and store result in r. r could be a. */
370 int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const int p[])
379 /* reduction mod 1 => return 0 */
385 * Since the algorithm does reduction in the r value, if a != r, copy the
386 * contents of a into r so we can do reduction in r.
389 if (!bn_wexpand(r, a->top))
391 for (j = 0; j < a->top; j++) {
398 /* start reduction */
399 dN = p[0] / BN_BITS2;
400 for (j = r->top - 1; j > dN;) {
408 for (k = 1; p[k] != 0; k++) {
409 /* reducing component t^p[k] */
414 z[j - n] ^= (zz >> d0);
416 z[j - n - 1] ^= (zz << d1);
419 /* reducing component t^0 */
421 d0 = p[0] % BN_BITS2;
423 z[j - n] ^= (zz >> d0);
425 z[j - n - 1] ^= (zz << d1);
428 /* final round of reduction */
431 d0 = p[0] % BN_BITS2;
437 /* clear up the top d1 bits */
439 z[dN] = (z[dN] << d1) >> d1;
442 z[0] ^= zz; /* reduction t^0 component */
444 for (k = 1; p[k] != 0; k++) {
447 /* reducing component t^p[k] */
449 d0 = p[k] % BN_BITS2;
452 if (d0 && (tmp_ulong = zz >> d1))
453 z[n + 1] ^= tmp_ulong;
463 * Performs modular reduction of a by p and store result in r. r could be a.
464 * This function calls down to the BN_GF2m_mod_arr implementation; this wrapper
465 * function is only provided for convenience; for best performance, use the
466 * BN_GF2m_mod_arr function.
468 int BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p)
474 ret = BN_GF2m_poly2arr(p, arr, OSSL_NELEM(arr));
475 if (!ret || ret > (int)OSSL_NELEM(arr)) {
476 BNerr(BN_F_BN_GF2M_MOD, BN_R_INVALID_LENGTH);
479 ret = BN_GF2m_mod_arr(r, a, arr);
485 * Compute the product of two polynomials a and b, reduce modulo p, and store
486 * the result in r. r could be a or b; a could be b.
488 int BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
489 const int p[], BN_CTX *ctx)
491 int zlen, i, j, k, ret = 0;
493 BN_ULONG x1, x0, y1, y0, zz[4];
499 return BN_GF2m_mod_sqr_arr(r, a, p, ctx);
503 if ((s = BN_CTX_get(ctx)) == NULL)
506 zlen = a->top + b->top + 4;
507 if (!bn_wexpand(s, zlen))
511 for (i = 0; i < zlen; i++)
514 for (j = 0; j < b->top; j += 2) {
516 y1 = ((j + 1) == b->top) ? 0 : b->d[j + 1];
517 for (i = 0; i < a->top; i += 2) {
519 x1 = ((i + 1) == a->top) ? 0 : a->d[i + 1];
520 bn_GF2m_mul_2x2(zz, x1, x0, y1, y0);
521 for (k = 0; k < 4; k++)
522 s->d[i + j + k] ^= zz[k];
527 if (BN_GF2m_mod_arr(r, s, p))
537 * Compute the product of two polynomials a and b, reduce modulo p, and store
538 * the result in r. r could be a or b; a could equal b. This function calls
539 * down to the BN_GF2m_mod_mul_arr implementation; this wrapper function is
540 * only provided for convenience; for best performance, use the
541 * BN_GF2m_mod_mul_arr function.
543 int BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
544 const BIGNUM *p, BN_CTX *ctx)
547 const int max = BN_num_bits(p) + 1;
552 if ((arr = OPENSSL_malloc(sizeof(*arr) * max)) == NULL)
554 ret = BN_GF2m_poly2arr(p, arr, max);
555 if (!ret || ret > max) {
556 BNerr(BN_F_BN_GF2M_MOD_MUL, BN_R_INVALID_LENGTH);
559 ret = BN_GF2m_mod_mul_arr(r, a, b, arr, ctx);
566 /* Square a, reduce the result mod p, and store it in a. r could be a. */
567 int BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const int p[],
575 if ((s = BN_CTX_get(ctx)) == NULL)
577 if (!bn_wexpand(s, 2 * a->top))
580 for (i = a->top - 1; i >= 0; i--) {
581 s->d[2 * i + 1] = SQR1(a->d[i]);
582 s->d[2 * i] = SQR0(a->d[i]);
587 if (!BN_GF2m_mod_arr(r, s, p))
597 * Square a, reduce the result mod p, and store it in a. r could be a. This
598 * function calls down to the BN_GF2m_mod_sqr_arr implementation; this
599 * wrapper function is only provided for convenience; for best performance,
600 * use the BN_GF2m_mod_sqr_arr function.
602 int BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
605 const int max = BN_num_bits(p) + 1;
610 if ((arr = OPENSSL_malloc(sizeof(*arr) * max)) == NULL)
612 ret = BN_GF2m_poly2arr(p, arr, max);
613 if (!ret || ret > max) {
614 BNerr(BN_F_BN_GF2M_MOD_SQR, BN_R_INVALID_LENGTH);
617 ret = BN_GF2m_mod_sqr_arr(r, a, arr, ctx);
625 * Invert a, reduce modulo p, and store the result in r. r could be a. Uses
626 * Modified Almost Inverse Algorithm (Algorithm 10) from Hankerson, D.,
627 * Hernandez, J.L., and Menezes, A. "Software Implementation of Elliptic
628 * Curve Cryptography Over Binary Fields".
630 int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
632 BIGNUM *b, *c = NULL, *u = NULL, *v = NULL, *tmp;
640 if ((b = BN_CTX_get(ctx)) == NULL)
642 if ((c = BN_CTX_get(ctx)) == NULL)
644 if ((u = BN_CTX_get(ctx)) == NULL)
646 if ((v = BN_CTX_get(ctx)) == NULL)
649 if (!BN_GF2m_mod(u, a, p))
661 while (!BN_is_odd(u)) {
664 if (!BN_rshift1(u, u))
667 if (!BN_GF2m_add(b, b, p))
670 if (!BN_rshift1(b, b))
674 if (BN_abs_is_word(u, 1))
677 if (BN_num_bits(u) < BN_num_bits(v)) {
686 if (!BN_GF2m_add(u, u, v))
688 if (!BN_GF2m_add(b, b, c))
694 int ubits = BN_num_bits(u);
695 int vbits = BN_num_bits(v); /* v is copy of p */
697 BN_ULONG *udp, *bdp, *vdp, *cdp;
699 if (!bn_wexpand(u, top))
702 for (i = u->top; i < top; i++)
705 if (!bn_wexpand(b, top))
709 for (i = 1; i < top; i++)
712 if (!bn_wexpand(c, top))
715 for (i = 0; i < top; i++)
718 vdp = v->d; /* It pays off to "cache" *->d pointers,
719 * because it allows optimizer to be more
720 * aggressive. But we don't have to "cache"
721 * p->d, because *p is declared 'const'... */
723 while (ubits && !(udp[0] & 1)) {
724 BN_ULONG u0, u1, b0, b1, mask;
728 mask = (BN_ULONG)0 - (b0 & 1);
729 b0 ^= p->d[0] & mask;
730 for (i = 0; i < top - 1; i++) {
732 udp[i] = ((u0 >> 1) | (u1 << (BN_BITS2 - 1))) & BN_MASK2;
734 b1 = bdp[i + 1] ^ (p->d[i + 1] & mask);
735 bdp[i] = ((b0 >> 1) | (b1 << (BN_BITS2 - 1))) & BN_MASK2;
743 if (ubits <= BN_BITS2) {
744 if (udp[0] == 0) /* poly was reducible */
765 for (i = 0; i < top; i++) {
769 if (ubits == vbits) {
771 int utop = (ubits - 1) / BN_BITS2;
773 while ((ul = udp[utop]) == 0 && utop)
775 ubits = utop * BN_BITS2 + BN_num_bits_word(ul);
788 # ifdef BN_DEBUG /* BN_CTX_end would complain about the
799 * Invert xx, reduce modulo p, and store the result in r. r could be xx.
800 * This function calls down to the BN_GF2m_mod_inv implementation; this
801 * wrapper function is only provided for convenience; for best performance,
802 * use the BN_GF2m_mod_inv function.
804 int BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *xx, const int p[],
812 if ((field = BN_CTX_get(ctx)) == NULL)
814 if (!BN_GF2m_arr2poly(p, field))
817 ret = BN_GF2m_mod_inv(r, xx, field, ctx);
825 # ifndef OPENSSL_SUN_GF2M_DIV
827 * Divide y by x, reduce modulo p, and store the result in r. r could be x
828 * or y, x could equal y.
830 int BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *y, const BIGNUM *x,
831 const BIGNUM *p, BN_CTX *ctx)
841 xinv = BN_CTX_get(ctx);
845 if (!BN_GF2m_mod_inv(xinv, x, p, ctx))
847 if (!BN_GF2m_mod_mul(r, y, xinv, p, ctx))
858 * Divide y by x, reduce modulo p, and store the result in r. r could be x
859 * or y, x could equal y. Uses algorithm Modular_Division_GF(2^m) from
860 * Chang-Shantz, S. "From Euclid's GCD to Montgomery Multiplication to the
863 int BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *y, const BIGNUM *x,
864 const BIGNUM *p, BN_CTX *ctx)
866 BIGNUM *a, *b, *u, *v;
882 /* reduce x and y mod p */
883 if (!BN_GF2m_mod(u, y, p))
885 if (!BN_GF2m_mod(a, x, p))
890 while (!BN_is_odd(a)) {
891 if (!BN_rshift1(a, a))
894 if (!BN_GF2m_add(u, u, p))
896 if (!BN_rshift1(u, u))
901 if (BN_GF2m_cmp(b, a) > 0) {
902 if (!BN_GF2m_add(b, b, a))
904 if (!BN_GF2m_add(v, v, u))
907 if (!BN_rshift1(b, b))
910 if (!BN_GF2m_add(v, v, p))
912 if (!BN_rshift1(v, v))
914 } while (!BN_is_odd(b));
915 } else if (BN_abs_is_word(a, 1))
918 if (!BN_GF2m_add(a, a, b))
920 if (!BN_GF2m_add(u, u, v))
923 if (!BN_rshift1(a, a))
926 if (!BN_GF2m_add(u, u, p))
928 if (!BN_rshift1(u, u))
930 } while (!BN_is_odd(a));
946 * Divide yy by xx, reduce modulo p, and store the result in r. r could be xx
947 * * or yy, xx could equal yy. This function calls down to the
948 * BN_GF2m_mod_div implementation; this wrapper function is only provided for
949 * convenience; for best performance, use the BN_GF2m_mod_div function.
951 int BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *yy, const BIGNUM *xx,
952 const int p[], BN_CTX *ctx)
961 if ((field = BN_CTX_get(ctx)) == NULL)
963 if (!BN_GF2m_arr2poly(p, field))
966 ret = BN_GF2m_mod_div(r, yy, xx, field, ctx);
975 * Compute the bth power of a, reduce modulo p, and store the result in r. r
976 * could be a. Uses simple square-and-multiply algorithm A.5.1 from IEEE
979 int BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
980 const int p[], BN_CTX *ctx)
991 if (BN_abs_is_word(b, 1))
992 return (BN_copy(r, a) != NULL);
995 if ((u = BN_CTX_get(ctx)) == NULL)
998 if (!BN_GF2m_mod_arr(u, a, p))
1001 n = BN_num_bits(b) - 1;
1002 for (i = n - 1; i >= 0; i--) {
1003 if (!BN_GF2m_mod_sqr_arr(u, u, p, ctx))
1005 if (BN_is_bit_set(b, i)) {
1006 if (!BN_GF2m_mod_mul_arr(u, u, a, p, ctx))
1020 * Compute the bth power of a, reduce modulo p, and store the result in r. r
1021 * could be a. This function calls down to the BN_GF2m_mod_exp_arr
1022 * implementation; this wrapper function is only provided for convenience;
1023 * for best performance, use the BN_GF2m_mod_exp_arr function.
1025 int BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
1026 const BIGNUM *p, BN_CTX *ctx)
1029 const int max = BN_num_bits(p) + 1;
1034 if ((arr = OPENSSL_malloc(sizeof(*arr) * max)) == NULL)
1036 ret = BN_GF2m_poly2arr(p, arr, max);
1037 if (!ret || ret > max) {
1038 BNerr(BN_F_BN_GF2M_MOD_EXP, BN_R_INVALID_LENGTH);
1041 ret = BN_GF2m_mod_exp_arr(r, a, b, arr, ctx);
1049 * Compute the square root of a, reduce modulo p, and store the result in r.
1050 * r could be a. Uses exponentiation as in algorithm A.4.1 from IEEE P1363.
1052 int BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a, const int p[],
1061 /* reduction mod 1 => return 0 */
1067 if ((u = BN_CTX_get(ctx)) == NULL)
1070 if (!BN_set_bit(u, p[0] - 1))
1072 ret = BN_GF2m_mod_exp_arr(r, a, u, p, ctx);
1081 * Compute the square root of a, reduce modulo p, and store the result in r.
1082 * r could be a. This function calls down to the BN_GF2m_mod_sqrt_arr
1083 * implementation; this wrapper function is only provided for convenience;
1084 * for best performance, use the BN_GF2m_mod_sqrt_arr function.
1086 int BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
1089 const int max = BN_num_bits(p) + 1;
1093 if ((arr = OPENSSL_malloc(sizeof(*arr) * max)) == NULL)
1095 ret = BN_GF2m_poly2arr(p, arr, max);
1096 if (!ret || ret > max) {
1097 BNerr(BN_F_BN_GF2M_MOD_SQRT, BN_R_INVALID_LENGTH);
1100 ret = BN_GF2m_mod_sqrt_arr(r, a, arr, ctx);
1108 * Find r such that r^2 + r = a mod p. r could be a. If no r exists returns
1109 * 0. Uses algorithms A.4.7 and A.4.6 from IEEE P1363.
1111 int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a_, const int p[],
1114 int ret = 0, count = 0, j;
1115 BIGNUM *a, *z, *rho, *w, *w2, *tmp;
1120 /* reduction mod 1 => return 0 */
1126 a = BN_CTX_get(ctx);
1127 z = BN_CTX_get(ctx);
1128 w = BN_CTX_get(ctx);
1132 if (!BN_GF2m_mod_arr(a, a_, p))
1135 if (BN_is_zero(a)) {
1141 if (p[0] & 0x1) { /* m is odd */
1142 /* compute half-trace of a */
1145 for (j = 1; j <= (p[0] - 1) / 2; j++) {
1146 if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx))
1148 if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx))
1150 if (!BN_GF2m_add(z, z, a))
1154 } else { /* m is even */
1156 rho = BN_CTX_get(ctx);
1157 w2 = BN_CTX_get(ctx);
1158 tmp = BN_CTX_get(ctx);
1162 if (!BN_rand(rho, p[0], 0, 0))
1164 if (!BN_GF2m_mod_arr(rho, rho, p))
1167 if (!BN_copy(w, rho))
1169 for (j = 1; j <= p[0] - 1; j++) {
1170 if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx))
1172 if (!BN_GF2m_mod_sqr_arr(w2, w, p, ctx))
1174 if (!BN_GF2m_mod_mul_arr(tmp, w2, a, p, ctx))
1176 if (!BN_GF2m_add(z, z, tmp))
1178 if (!BN_GF2m_add(w, w2, rho))
1182 } while (BN_is_zero(w) && (count < MAX_ITERATIONS));
1183 if (BN_is_zero(w)) {
1184 BNerr(BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR, BN_R_TOO_MANY_ITERATIONS);
1189 if (!BN_GF2m_mod_sqr_arr(w, z, p, ctx))
1191 if (!BN_GF2m_add(w, z, w))
1193 if (BN_GF2m_cmp(w, a)) {
1194 BNerr(BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR, BN_R_NO_SOLUTION);
1210 * Find r such that r^2 + r = a mod p. r could be a. If no r exists returns
1211 * 0. This function calls down to the BN_GF2m_mod_solve_quad_arr
1212 * implementation; this wrapper function is only provided for convenience;
1213 * for best performance, use the BN_GF2m_mod_solve_quad_arr function.
1215 int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
1219 const int max = BN_num_bits(p) + 1;
1223 if ((arr = OPENSSL_malloc(sizeof(*arr) * max)) == NULL)
1225 ret = BN_GF2m_poly2arr(p, arr, max);
1226 if (!ret || ret > max) {
1227 BNerr(BN_F_BN_GF2M_MOD_SOLVE_QUAD, BN_R_INVALID_LENGTH);
1230 ret = BN_GF2m_mod_solve_quad_arr(r, a, arr, ctx);
1238 * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
1239 * x^i) into an array of integers corresponding to the bits with non-zero
1240 * coefficient. Array is terminated with -1. Up to max elements of the array
1241 * will be filled. Return value is total number of array elements that would
1242 * be filled if array was large enough.
1244 int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
1252 for (i = a->top - 1; i >= 0; i--) {
1254 /* skip word if a->d[i] == 0 */
1257 for (j = BN_BITS2 - 1; j >= 0; j--) {
1258 if (a->d[i] & mask) {
1260 p[k] = BN_BITS2 * i + j;
1276 * Convert the coefficient array representation of a polynomial to a
1277 * bit-string. The array must be terminated by -1.
1279 int BN_GF2m_arr2poly(const int p[], BIGNUM *a)
1285 for (i = 0; p[i] != -1; i++) {
1286 if (BN_set_bit(a, p[i]) == 0)
projects / openssl.git / blob