2 * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 /* ====================================================================
11 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
13 * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
14 * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
15 * to the OpenSSL project.
17 * The ECC Code is licensed pursuant to the OpenSSL open source
18 * license provided below.
24 #include "internal/cryptlib.h"
27 #ifndef OPENSSL_NO_EC2M
30 * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
33 # define MAX_ITERATIONS 50
35 static const BN_ULONG SQR_tb[16] = { 0, 1, 4, 5, 16, 17, 20, 21,
36 64, 65, 68, 69, 80, 81, 84, 85
39 /* Platform-specific macros to accelerate squaring. */
40 # if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
42 SQR_tb[(w) >> 60 & 0xF] << 56 | SQR_tb[(w) >> 56 & 0xF] << 48 | \
43 SQR_tb[(w) >> 52 & 0xF] << 40 | SQR_tb[(w) >> 48 & 0xF] << 32 | \
44 SQR_tb[(w) >> 44 & 0xF] << 24 | SQR_tb[(w) >> 40 & 0xF] << 16 | \
45 SQR_tb[(w) >> 36 & 0xF] << 8 | SQR_tb[(w) >> 32 & 0xF]
47 SQR_tb[(w) >> 28 & 0xF] << 56 | SQR_tb[(w) >> 24 & 0xF] << 48 | \
48 SQR_tb[(w) >> 20 & 0xF] << 40 | SQR_tb[(w) >> 16 & 0xF] << 32 | \
49 SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \
50 SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
52 # ifdef THIRTY_TWO_BIT
54 SQR_tb[(w) >> 28 & 0xF] << 24 | SQR_tb[(w) >> 24 & 0xF] << 16 | \
55 SQR_tb[(w) >> 20 & 0xF] << 8 | SQR_tb[(w) >> 16 & 0xF]
57 SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \
58 SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
61 # if !defined(OPENSSL_BN_ASM_GF2m)
63 * Product of two polynomials a, b each with degree < BN_BITS2 - 1, result is
64 * a polynomial r with degree < 2 * BN_BITS - 1 The caller MUST ensure that
65 * the variables have the right amount of space allocated.
67 # ifdef THIRTY_TWO_BIT
68 static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a,
71 register BN_ULONG h, l, s;
72 BN_ULONG tab[8], top2b = a >> 30;
73 register BN_ULONG a1, a2, a4;
75 a1 = a & (0x3FFFFFFF);
86 tab[7] = a1 ^ a2 ^ a4;
90 s = tab[b >> 3 & 0x7];
93 s = tab[b >> 6 & 0x7];
96 s = tab[b >> 9 & 0x7];
99 s = tab[b >> 12 & 0x7];
102 s = tab[b >> 15 & 0x7];
105 s = tab[b >> 18 & 0x7];
108 s = tab[b >> 21 & 0x7];
111 s = tab[b >> 24 & 0x7];
114 s = tab[b >> 27 & 0x7];
121 /* compensate for the top two bits of a */
136 # if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
137 static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a,
140 register BN_ULONG h, l, s;
141 BN_ULONG tab[16], top3b = a >> 61;
142 register BN_ULONG a1, a2, a4, a8;
144 a1 = a & (0x1FFFFFFFFFFFFFFFULL);
156 tab[7] = a1 ^ a2 ^ a4;
160 tab[11] = a1 ^ a2 ^ a8;
162 tab[13] = a1 ^ a4 ^ a8;
163 tab[14] = a2 ^ a4 ^ a8;
164 tab[15] = a1 ^ a2 ^ a4 ^ a8;
168 s = tab[b >> 4 & 0xF];
171 s = tab[b >> 8 & 0xF];
174 s = tab[b >> 12 & 0xF];
177 s = tab[b >> 16 & 0xF];
180 s = tab[b >> 20 & 0xF];
183 s = tab[b >> 24 & 0xF];
186 s = tab[b >> 28 & 0xF];
189 s = tab[b >> 32 & 0xF];
192 s = tab[b >> 36 & 0xF];
195 s = tab[b >> 40 & 0xF];
198 s = tab[b >> 44 & 0xF];
201 s = tab[b >> 48 & 0xF];
204 s = tab[b >> 52 & 0xF];
207 s = tab[b >> 56 & 0xF];
214 /* compensate for the top three bits of a */
235 * Product of two polynomials a, b each with degree < 2 * BN_BITS2 - 1,
236 * result is a polynomial r with degree < 4 * BN_BITS2 - 1 The caller MUST
237 * ensure that the variables have the right amount of space allocated.
239 static void bn_GF2m_mul_2x2(BN_ULONG *r, const BN_ULONG a1, const BN_ULONG a0,
240 const BN_ULONG b1, const BN_ULONG b0)
243 /* r[3] = h1, r[2] = h0; r[1] = l1; r[0] = l0 */
244 bn_GF2m_mul_1x1(r + 3, r + 2, a1, b1);
245 bn_GF2m_mul_1x1(r + 1, r, a0, b0);
246 bn_GF2m_mul_1x1(&m1, &m0, a0 ^ a1, b0 ^ b1);
247 /* Correction on m1 ^= l1 ^ h1; m0 ^= l0 ^ h0; */
248 r[2] ^= m1 ^ r[1] ^ r[3]; /* h0 ^= m1 ^ l1 ^ h1; */
249 r[1] = r[3] ^ r[2] ^ r[0] ^ m1 ^ m0; /* l1 ^= l0 ^ h0 ^ m0; */
252 void bn_GF2m_mul_2x2(BN_ULONG *r, BN_ULONG a1, BN_ULONG a0, BN_ULONG b1,
257 * Add polynomials a and b and store result in r; r could be a or b, a and b
258 * could be equal; r is the bitwise XOR of a and b.
260 int BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
263 const BIGNUM *at, *bt;
268 if (a->top < b->top) {
276 if (bn_wexpand(r, at->top) == NULL)
279 for (i = 0; i < bt->top; i++) {
280 r->d[i] = at->d[i] ^ bt->d[i];
282 for (; i < at->top; i++) {
293 * Some functions allow for representation of the irreducible polynomials
294 * as an int[], say p. The irreducible f(t) is then of the form:
295 * t^p[0] + t^p[1] + ... + t^p[k]
296 * where m = p[0] > p[1] > ... > p[k] = 0.
299 /* Performs modular reduction of a and store result in r. r could be a. */
300 int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const int p[])
309 /* reduction mod 1 => return 0 */
315 * Since the algorithm does reduction in the r value, if a != r, copy the
316 * contents of a into r so we can do reduction in r.
319 if (!bn_wexpand(r, a->top))
321 for (j = 0; j < a->top; j++) {
328 /* start reduction */
329 dN = p[0] / BN_BITS2;
330 for (j = r->top - 1; j > dN;) {
338 for (k = 1; p[k] != 0; k++) {
339 /* reducing component t^p[k] */
344 z[j - n] ^= (zz >> d0);
346 z[j - n - 1] ^= (zz << d1);
349 /* reducing component t^0 */
351 d0 = p[0] % BN_BITS2;
353 z[j - n] ^= (zz >> d0);
355 z[j - n - 1] ^= (zz << d1);
358 /* final round of reduction */
361 d0 = p[0] % BN_BITS2;
367 /* clear up the top d1 bits */
369 z[dN] = (z[dN] << d1) >> d1;
372 z[0] ^= zz; /* reduction t^0 component */
374 for (k = 1; p[k] != 0; k++) {
377 /* reducing component t^p[k] */
379 d0 = p[k] % BN_BITS2;
382 if (d0 && (tmp_ulong = zz >> d1))
383 z[n + 1] ^= tmp_ulong;
393 * Performs modular reduction of a by p and store result in r. r could be a.
394 * This function calls down to the BN_GF2m_mod_arr implementation; this wrapper
395 * function is only provided for convenience; for best performance, use the
396 * BN_GF2m_mod_arr function.
398 int BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p)
404 ret = BN_GF2m_poly2arr(p, arr, OSSL_NELEM(arr));
405 if (!ret || ret > (int)OSSL_NELEM(arr)) {
406 BNerr(BN_F_BN_GF2M_MOD, BN_R_INVALID_LENGTH);
409 ret = BN_GF2m_mod_arr(r, a, arr);
415 * Compute the product of two polynomials a and b, reduce modulo p, and store
416 * the result in r. r could be a or b; a could be b.
418 int BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
419 const int p[], BN_CTX *ctx)
421 int zlen, i, j, k, ret = 0;
423 BN_ULONG x1, x0, y1, y0, zz[4];
429 return BN_GF2m_mod_sqr_arr(r, a, p, ctx);
433 if ((s = BN_CTX_get(ctx)) == NULL)
436 zlen = a->top + b->top + 4;
437 if (!bn_wexpand(s, zlen))
441 for (i = 0; i < zlen; i++)
444 for (j = 0; j < b->top; j += 2) {
446 y1 = ((j + 1) == b->top) ? 0 : b->d[j + 1];
447 for (i = 0; i < a->top; i += 2) {
449 x1 = ((i + 1) == a->top) ? 0 : a->d[i + 1];
450 bn_GF2m_mul_2x2(zz, x1, x0, y1, y0);
451 for (k = 0; k < 4; k++)
452 s->d[i + j + k] ^= zz[k];
457 if (BN_GF2m_mod_arr(r, s, p))
467 * Compute the product of two polynomials a and b, reduce modulo p, and store
468 * the result in r. r could be a or b; a could equal b. This function calls
469 * down to the BN_GF2m_mod_mul_arr implementation; this wrapper function is
470 * only provided for convenience; for best performance, use the
471 * BN_GF2m_mod_mul_arr function.
473 int BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
474 const BIGNUM *p, BN_CTX *ctx)
477 const int max = BN_num_bits(p) + 1;
482 if ((arr = OPENSSL_malloc(sizeof(*arr) * max)) == NULL)
484 ret = BN_GF2m_poly2arr(p, arr, max);
485 if (!ret || ret > max) {
486 BNerr(BN_F_BN_GF2M_MOD_MUL, BN_R_INVALID_LENGTH);
489 ret = BN_GF2m_mod_mul_arr(r, a, b, arr, ctx);
496 /* Square a, reduce the result mod p, and store it in a. r could be a. */
497 int BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const int p[],
505 if ((s = BN_CTX_get(ctx)) == NULL)
507 if (!bn_wexpand(s, 2 * a->top))
510 for (i = a->top - 1; i >= 0; i--) {
511 s->d[2 * i + 1] = SQR1(a->d[i]);
512 s->d[2 * i] = SQR0(a->d[i]);
517 if (!BN_GF2m_mod_arr(r, s, p))
527 * Square a, reduce the result mod p, and store it in a. r could be a. This
528 * function calls down to the BN_GF2m_mod_sqr_arr implementation; this
529 * wrapper function is only provided for convenience; for best performance,
530 * use the BN_GF2m_mod_sqr_arr function.
532 int BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
535 const int max = BN_num_bits(p) + 1;
540 if ((arr = OPENSSL_malloc(sizeof(*arr) * max)) == NULL)
542 ret = BN_GF2m_poly2arr(p, arr, max);
543 if (!ret || ret > max) {
544 BNerr(BN_F_BN_GF2M_MOD_SQR, BN_R_INVALID_LENGTH);
547 ret = BN_GF2m_mod_sqr_arr(r, a, arr, ctx);
555 * Invert a, reduce modulo p, and store the result in r. r could be a. Uses
556 * Modified Almost Inverse Algorithm (Algorithm 10) from Hankerson, D.,
557 * Hernandez, J.L., and Menezes, A. "Software Implementation of Elliptic
558 * Curve Cryptography Over Binary Fields".
560 int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
562 BIGNUM *b, *c = NULL, *u = NULL, *v = NULL, *tmp;
570 if ((b = BN_CTX_get(ctx)) == NULL)
572 if ((c = BN_CTX_get(ctx)) == NULL)
574 if ((u = BN_CTX_get(ctx)) == NULL)
576 if ((v = BN_CTX_get(ctx)) == NULL)
579 if (!BN_GF2m_mod(u, a, p))
591 while (!BN_is_odd(u)) {
594 if (!BN_rshift1(u, u))
597 if (!BN_GF2m_add(b, b, p))
600 if (!BN_rshift1(b, b))
604 if (BN_abs_is_word(u, 1))
607 if (BN_num_bits(u) < BN_num_bits(v)) {
616 if (!BN_GF2m_add(u, u, v))
618 if (!BN_GF2m_add(b, b, c))
624 int ubits = BN_num_bits(u);
625 int vbits = BN_num_bits(v); /* v is copy of p */
627 BN_ULONG *udp, *bdp, *vdp, *cdp;
629 if (!bn_wexpand(u, top))
632 for (i = u->top; i < top; i++)
635 if (!bn_wexpand(b, top))
639 for (i = 1; i < top; i++)
642 if (!bn_wexpand(c, top))
645 for (i = 0; i < top; i++)
648 vdp = v->d; /* It pays off to "cache" *->d pointers,
649 * because it allows optimizer to be more
650 * aggressive. But we don't have to "cache"
651 * p->d, because *p is declared 'const'... */
653 while (ubits && !(udp[0] & 1)) {
654 BN_ULONG u0, u1, b0, b1, mask;
658 mask = (BN_ULONG)0 - (b0 & 1);
659 b0 ^= p->d[0] & mask;
660 for (i = 0; i < top - 1; i++) {
662 udp[i] = ((u0 >> 1) | (u1 << (BN_BITS2 - 1))) & BN_MASK2;
664 b1 = bdp[i + 1] ^ (p->d[i + 1] & mask);
665 bdp[i] = ((b0 >> 1) | (b1 << (BN_BITS2 - 1))) & BN_MASK2;
673 if (ubits <= BN_BITS2) {
674 if (udp[0] == 0) /* poly was reducible */
695 for (i = 0; i < top; i++) {
699 if (ubits == vbits) {
701 int utop = (ubits - 1) / BN_BITS2;
703 while ((ul = udp[utop]) == 0 && utop)
705 ubits = utop * BN_BITS2 + BN_num_bits_word(ul);
718 # ifdef BN_DEBUG /* BN_CTX_end would complain about the
729 * Invert xx, reduce modulo p, and store the result in r. r could be xx.
730 * This function calls down to the BN_GF2m_mod_inv implementation; this
731 * wrapper function is only provided for convenience; for best performance,
732 * use the BN_GF2m_mod_inv function.
734 int BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *xx, const int p[],
742 if ((field = BN_CTX_get(ctx)) == NULL)
744 if (!BN_GF2m_arr2poly(p, field))
747 ret = BN_GF2m_mod_inv(r, xx, field, ctx);
755 # ifndef OPENSSL_SUN_GF2M_DIV
757 * Divide y by x, reduce modulo p, and store the result in r. r could be x
758 * or y, x could equal y.
760 int BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *y, const BIGNUM *x,
761 const BIGNUM *p, BN_CTX *ctx)
771 xinv = BN_CTX_get(ctx);
775 if (!BN_GF2m_mod_inv(xinv, x, p, ctx))
777 if (!BN_GF2m_mod_mul(r, y, xinv, p, ctx))
788 * Divide y by x, reduce modulo p, and store the result in r. r could be x
789 * or y, x could equal y. Uses algorithm Modular_Division_GF(2^m) from
790 * Chang-Shantz, S. "From Euclid's GCD to Montgomery Multiplication to the
793 int BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *y, const BIGNUM *x,
794 const BIGNUM *p, BN_CTX *ctx)
796 BIGNUM *a, *b, *u, *v;
812 /* reduce x and y mod p */
813 if (!BN_GF2m_mod(u, y, p))
815 if (!BN_GF2m_mod(a, x, p))
820 while (!BN_is_odd(a)) {
821 if (!BN_rshift1(a, a))
824 if (!BN_GF2m_add(u, u, p))
826 if (!BN_rshift1(u, u))
831 if (BN_GF2m_cmp(b, a) > 0) {
832 if (!BN_GF2m_add(b, b, a))
834 if (!BN_GF2m_add(v, v, u))
837 if (!BN_rshift1(b, b))
840 if (!BN_GF2m_add(v, v, p))
842 if (!BN_rshift1(v, v))
844 } while (!BN_is_odd(b));
845 } else if (BN_abs_is_word(a, 1))
848 if (!BN_GF2m_add(a, a, b))
850 if (!BN_GF2m_add(u, u, v))
853 if (!BN_rshift1(a, a))
856 if (!BN_GF2m_add(u, u, p))
858 if (!BN_rshift1(u, u))
860 } while (!BN_is_odd(a));
876 * Divide yy by xx, reduce modulo p, and store the result in r. r could be xx
877 * * or yy, xx could equal yy. This function calls down to the
878 * BN_GF2m_mod_div implementation; this wrapper function is only provided for
879 * convenience; for best performance, use the BN_GF2m_mod_div function.
881 int BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *yy, const BIGNUM *xx,
882 const int p[], BN_CTX *ctx)
891 if ((field = BN_CTX_get(ctx)) == NULL)
893 if (!BN_GF2m_arr2poly(p, field))
896 ret = BN_GF2m_mod_div(r, yy, xx, field, ctx);
905 * Compute the bth power of a, reduce modulo p, and store the result in r. r
906 * could be a. Uses simple square-and-multiply algorithm A.5.1 from IEEE
909 int BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
910 const int p[], BN_CTX *ctx)
921 if (BN_abs_is_word(b, 1))
922 return (BN_copy(r, a) != NULL);
925 if ((u = BN_CTX_get(ctx)) == NULL)
928 if (!BN_GF2m_mod_arr(u, a, p))
931 n = BN_num_bits(b) - 1;
932 for (i = n - 1; i >= 0; i--) {
933 if (!BN_GF2m_mod_sqr_arr(u, u, p, ctx))
935 if (BN_is_bit_set(b, i)) {
936 if (!BN_GF2m_mod_mul_arr(u, u, a, p, ctx))
950 * Compute the bth power of a, reduce modulo p, and store the result in r. r
951 * could be a. This function calls down to the BN_GF2m_mod_exp_arr
952 * implementation; this wrapper function is only provided for convenience;
953 * for best performance, use the BN_GF2m_mod_exp_arr function.
955 int BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
956 const BIGNUM *p, BN_CTX *ctx)
959 const int max = BN_num_bits(p) + 1;
964 if ((arr = OPENSSL_malloc(sizeof(*arr) * max)) == NULL)
966 ret = BN_GF2m_poly2arr(p, arr, max);
967 if (!ret || ret > max) {
968 BNerr(BN_F_BN_GF2M_MOD_EXP, BN_R_INVALID_LENGTH);
971 ret = BN_GF2m_mod_exp_arr(r, a, b, arr, ctx);
979 * Compute the square root of a, reduce modulo p, and store the result in r.
980 * r could be a. Uses exponentiation as in algorithm A.4.1 from IEEE P1363.
982 int BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a, const int p[],
991 /* reduction mod 1 => return 0 */
997 if ((u = BN_CTX_get(ctx)) == NULL)
1000 if (!BN_set_bit(u, p[0] - 1))
1002 ret = BN_GF2m_mod_exp_arr(r, a, u, p, ctx);
1011 * Compute the square root of a, reduce modulo p, and store the result in r.
1012 * r could be a. This function calls down to the BN_GF2m_mod_sqrt_arr
1013 * implementation; this wrapper function is only provided for convenience;
1014 * for best performance, use the BN_GF2m_mod_sqrt_arr function.
1016 int BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
1019 const int max = BN_num_bits(p) + 1;
1023 if ((arr = OPENSSL_malloc(sizeof(*arr) * max)) == NULL)
1025 ret = BN_GF2m_poly2arr(p, arr, max);
1026 if (!ret || ret > max) {
1027 BNerr(BN_F_BN_GF2M_MOD_SQRT, BN_R_INVALID_LENGTH);
1030 ret = BN_GF2m_mod_sqrt_arr(r, a, arr, ctx);
1038 * Find r such that r^2 + r = a mod p. r could be a. If no r exists returns
1039 * 0. Uses algorithms A.4.7 and A.4.6 from IEEE P1363.
1041 int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a_, const int p[],
1044 int ret = 0, count = 0, j;
1045 BIGNUM *a, *z, *rho, *w, *w2, *tmp;
1050 /* reduction mod 1 => return 0 */
1056 a = BN_CTX_get(ctx);
1057 z = BN_CTX_get(ctx);
1058 w = BN_CTX_get(ctx);
1062 if (!BN_GF2m_mod_arr(a, a_, p))
1065 if (BN_is_zero(a)) {
1071 if (p[0] & 0x1) { /* m is odd */
1072 /* compute half-trace of a */
1075 for (j = 1; j <= (p[0] - 1) / 2; j++) {
1076 if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx))
1078 if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx))
1080 if (!BN_GF2m_add(z, z, a))
1084 } else { /* m is even */
1086 rho = BN_CTX_get(ctx);
1087 w2 = BN_CTX_get(ctx);
1088 tmp = BN_CTX_get(ctx);
1092 if (!BN_rand(rho, p[0], BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
1094 if (!BN_GF2m_mod_arr(rho, rho, p))
1097 if (!BN_copy(w, rho))
1099 for (j = 1; j <= p[0] - 1; j++) {
1100 if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx))
1102 if (!BN_GF2m_mod_sqr_arr(w2, w, p, ctx))
1104 if (!BN_GF2m_mod_mul_arr(tmp, w2, a, p, ctx))
1106 if (!BN_GF2m_add(z, z, tmp))
1108 if (!BN_GF2m_add(w, w2, rho))
1112 } while (BN_is_zero(w) && (count < MAX_ITERATIONS));
1113 if (BN_is_zero(w)) {
1114 BNerr(BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR, BN_R_TOO_MANY_ITERATIONS);
1119 if (!BN_GF2m_mod_sqr_arr(w, z, p, ctx))
1121 if (!BN_GF2m_add(w, z, w))
1123 if (BN_GF2m_cmp(w, a)) {
1124 BNerr(BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR, BN_R_NO_SOLUTION);
1140 * Find r such that r^2 + r = a mod p. r could be a. If no r exists returns
1141 * 0. This function calls down to the BN_GF2m_mod_solve_quad_arr
1142 * implementation; this wrapper function is only provided for convenience;
1143 * for best performance, use the BN_GF2m_mod_solve_quad_arr function.
1145 int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
1149 const int max = BN_num_bits(p) + 1;
1153 if ((arr = OPENSSL_malloc(sizeof(*arr) * max)) == NULL)
1155 ret = BN_GF2m_poly2arr(p, arr, max);
1156 if (!ret || ret > max) {
1157 BNerr(BN_F_BN_GF2M_MOD_SOLVE_QUAD, BN_R_INVALID_LENGTH);
1160 ret = BN_GF2m_mod_solve_quad_arr(r, a, arr, ctx);
1168 * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
1169 * x^i) into an array of integers corresponding to the bits with non-zero
1170 * coefficient. Array is terminated with -1. Up to max elements of the array
1171 * will be filled. Return value is total number of array elements that would
1172 * be filled if array was large enough.
1174 int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
1182 for (i = a->top - 1; i >= 0; i--) {
1184 /* skip word if a->d[i] == 0 */
1187 for (j = BN_BITS2 - 1; j >= 0; j--) {
1188 if (a->d[i] & mask) {
1190 p[k] = BN_BITS2 * i + j;
1206 * Convert the coefficient array representation of a polynomial to a
1207 * bit-string. The array must be terminated by -1.
1209 int BN_GF2m_arr2poly(const int p[], BIGNUM *a)
1215 for (i = 0; p[i] != -1; i++) {
1216 if (BN_set_bit(a, p[i]) == 0)
projects / openssl.git / blob