2 * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
11 #include <openssl/err.h>
13 #include "crypto/bn.h"
16 #ifndef OPENSSL_NO_EC2M
19 * Initialize a GF(2^m)-based EC_GROUP structure. Note that all other members
20 * are handled by EC_GROUP_new.
22 int ec_GF2m_simple_group_init(EC_GROUP *group)
24 group->field = BN_new();
28 if (group->field == NULL || group->a == NULL || group->b == NULL) {
29 BN_free(group->field);
38 * Free a GF(2^m)-based EC_GROUP structure. Note that all other members are
39 * handled by EC_GROUP_free.
41 void ec_GF2m_simple_group_finish(EC_GROUP *group)
43 BN_free(group->field);
49 * Clear and free a GF(2^m)-based EC_GROUP structure. Note that all other
50 * members are handled by EC_GROUP_clear_free.
52 void ec_GF2m_simple_group_clear_finish(EC_GROUP *group)
54 BN_clear_free(group->field);
55 BN_clear_free(group->a);
56 BN_clear_free(group->b);
66 * Copy a GF(2^m)-based EC_GROUP structure. Note that all other members are
67 * handled by EC_GROUP_copy.
69 int ec_GF2m_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
71 if (!BN_copy(dest->field, src->field))
73 if (!BN_copy(dest->a, src->a))
75 if (!BN_copy(dest->b, src->b))
77 dest->poly[0] = src->poly[0];
78 dest->poly[1] = src->poly[1];
79 dest->poly[2] = src->poly[2];
80 dest->poly[3] = src->poly[3];
81 dest->poly[4] = src->poly[4];
82 dest->poly[5] = src->poly[5];
83 if (bn_wexpand(dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) ==
86 if (bn_wexpand(dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) ==
89 bn_set_all_zero(dest->a);
90 bn_set_all_zero(dest->b);
94 /* Set the curve parameters of an EC_GROUP structure. */
95 int ec_GF2m_simple_group_set_curve(EC_GROUP *group,
96 const BIGNUM *p, const BIGNUM *a,
97 const BIGNUM *b, BN_CTX *ctx)
102 if (!BN_copy(group->field, p))
104 i = BN_GF2m_poly2arr(group->field, group->poly, 6) - 1;
105 if ((i != 5) && (i != 3)) {
106 ECerr(EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
111 if (!BN_GF2m_mod_arr(group->a, a, group->poly))
113 if (bn_wexpand(group->a, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2)
116 bn_set_all_zero(group->a);
119 if (!BN_GF2m_mod_arr(group->b, b, group->poly))
121 if (bn_wexpand(group->b, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2)
124 bn_set_all_zero(group->b);
132 * Get the curve parameters of an EC_GROUP structure. If p, a, or b are NULL
133 * then there values will not be set but the method will return with success.
135 int ec_GF2m_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p,
136 BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
141 if (!BN_copy(p, group->field))
146 if (!BN_copy(a, group->a))
151 if (!BN_copy(b, group->b))
162 * Gets the degree of the field. For a curve over GF(2^m) this is the value
165 int ec_GF2m_simple_group_get_degree(const EC_GROUP *group)
167 return BN_num_bits(group->field) - 1;
171 * Checks the discriminant of the curve. y^2 + x*y = x^3 + a*x^2 + b is an
172 * elliptic curve <=> b != 0 (mod p)
174 int ec_GF2m_simple_group_check_discriminant(const EC_GROUP *group,
180 BN_CTX *new_ctx = NULL;
183 ctx = new_ctx = BN_CTX_new();
185 ECerr(EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT,
186 ERR_R_MALLOC_FAILURE);
196 if (!BN_GF2m_mod_arr(b, group->b, group->poly))
200 * check the discriminant: y^2 + x*y = x^3 + a*x^2 + b is an elliptic
201 * curve <=> b != 0 (mod p)
211 BN_CTX_free(new_ctx);
216 /* Initializes an EC_POINT. */
217 int ec_GF2m_simple_point_init(EC_POINT *point)
223 if (point->X == NULL || point->Y == NULL || point->Z == NULL) {
232 /* Frees an EC_POINT. */
233 void ec_GF2m_simple_point_finish(EC_POINT *point)
240 /* Clears and frees an EC_POINT. */
241 void ec_GF2m_simple_point_clear_finish(EC_POINT *point)
243 BN_clear_free(point->X);
244 BN_clear_free(point->Y);
245 BN_clear_free(point->Z);
250 * Copy the contents of one EC_POINT into another. Assumes dest is
253 int ec_GF2m_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
255 if (!BN_copy(dest->X, src->X))
257 if (!BN_copy(dest->Y, src->Y))
259 if (!BN_copy(dest->Z, src->Z))
261 dest->Z_is_one = src->Z_is_one;
262 dest->curve_name = src->curve_name;
268 * Set an EC_POINT to the point at infinity. A point at infinity is
269 * represented by having Z=0.
271 int ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *group,
280 * Set the coordinates of an EC_POINT using affine coordinates. Note that
281 * the simple implementation only uses affine coordinates.
283 int ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *group,
286 const BIGNUM *y, BN_CTX *ctx)
289 if (x == NULL || y == NULL) {
290 ECerr(EC_F_EC_GF2M_SIMPLE_POINT_SET_AFFINE_COORDINATES,
291 ERR_R_PASSED_NULL_PARAMETER);
295 if (!BN_copy(point->X, x))
297 BN_set_negative(point->X, 0);
298 if (!BN_copy(point->Y, y))
300 BN_set_negative(point->Y, 0);
301 if (!BN_copy(point->Z, BN_value_one()))
303 BN_set_negative(point->Z, 0);
312 * Gets the affine coordinates of an EC_POINT. Note that the simple
313 * implementation only uses affine coordinates.
315 int ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *group,
316 const EC_POINT *point,
317 BIGNUM *x, BIGNUM *y,
322 if (EC_POINT_is_at_infinity(group, point)) {
323 ECerr(EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES,
324 EC_R_POINT_AT_INFINITY);
328 if (BN_cmp(point->Z, BN_value_one())) {
329 ECerr(EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES,
330 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
334 if (!BN_copy(x, point->X))
336 BN_set_negative(x, 0);
339 if (!BN_copy(y, point->Y))
341 BN_set_negative(y, 0);
350 * Computes a + b and stores the result in r. r could be a or b, a could be
351 * b. Uses algorithm A.10.2 of IEEE P1363.
353 int ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
354 const EC_POINT *b, BN_CTX *ctx)
356 BIGNUM *x0, *y0, *x1, *y1, *x2, *y2, *s, *t;
359 BN_CTX *new_ctx = NULL;
362 if (EC_POINT_is_at_infinity(group, a)) {
363 if (!EC_POINT_copy(r, b))
368 if (EC_POINT_is_at_infinity(group, b)) {
369 if (!EC_POINT_copy(r, a))
376 ctx = new_ctx = BN_CTX_new();
383 x0 = BN_CTX_get(ctx);
384 y0 = BN_CTX_get(ctx);
385 x1 = BN_CTX_get(ctx);
386 y1 = BN_CTX_get(ctx);
387 x2 = BN_CTX_get(ctx);
388 y2 = BN_CTX_get(ctx);
395 if (!BN_copy(x0, a->X))
397 if (!BN_copy(y0, a->Y))
400 if (!EC_POINT_get_affine_coordinates(group, a, x0, y0, ctx))
404 if (!BN_copy(x1, b->X))
406 if (!BN_copy(y1, b->Y))
409 if (!EC_POINT_get_affine_coordinates(group, b, x1, y1, ctx))
413 if (BN_GF2m_cmp(x0, x1)) {
414 if (!BN_GF2m_add(t, x0, x1))
416 if (!BN_GF2m_add(s, y0, y1))
418 if (!group->meth->field_div(group, s, s, t, ctx))
420 if (!group->meth->field_sqr(group, x2, s, ctx))
422 if (!BN_GF2m_add(x2, x2, group->a))
424 if (!BN_GF2m_add(x2, x2, s))
426 if (!BN_GF2m_add(x2, x2, t))
429 if (BN_GF2m_cmp(y0, y1) || BN_is_zero(x1)) {
430 if (!EC_POINT_set_to_infinity(group, r))
435 if (!group->meth->field_div(group, s, y1, x1, ctx))
437 if (!BN_GF2m_add(s, s, x1))
440 if (!group->meth->field_sqr(group, x2, s, ctx))
442 if (!BN_GF2m_add(x2, x2, s))
444 if (!BN_GF2m_add(x2, x2, group->a))
448 if (!BN_GF2m_add(y2, x1, x2))
450 if (!group->meth->field_mul(group, y2, y2, s, ctx))
452 if (!BN_GF2m_add(y2, y2, x2))
454 if (!BN_GF2m_add(y2, y2, y1))
457 if (!EC_POINT_set_affine_coordinates(group, r, x2, y2, ctx))
465 BN_CTX_free(new_ctx);
471 * Computes 2 * a and stores the result in r. r could be a. Uses algorithm
472 * A.10.2 of IEEE P1363.
474 int ec_GF2m_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
477 return ec_GF2m_simple_add(group, r, a, a, ctx);
480 int ec_GF2m_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
482 if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(point->Y))
483 /* point is its own inverse */
486 if (!EC_POINT_make_affine(group, point, ctx))
488 return BN_GF2m_add(point->Y, point->X, point->Y);
491 /* Indicates whether the given point is the point at infinity. */
492 int ec_GF2m_simple_is_at_infinity(const EC_GROUP *group,
493 const EC_POINT *point)
495 return BN_is_zero(point->Z);
499 * Determines whether the given EC_POINT is an actual point on the curve defined
500 * in the EC_GROUP. A point is valid if it satisfies the Weierstrass equation:
501 * y^2 + x*y = x^3 + a*x^2 + b.
503 int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
508 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
509 const BIGNUM *, BN_CTX *);
510 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
512 BN_CTX *new_ctx = NULL;
515 if (EC_POINT_is_at_infinity(group, point))
518 field_mul = group->meth->field_mul;
519 field_sqr = group->meth->field_sqr;
521 /* only support affine coordinates */
522 if (!point->Z_is_one)
527 ctx = new_ctx = BN_CTX_new();
534 y2 = BN_CTX_get(ctx);
535 lh = BN_CTX_get(ctx);
540 * We have a curve defined by a Weierstrass equation
541 * y^2 + x*y = x^3 + a*x^2 + b.
542 * <=> x^3 + a*x^2 + x*y + b + y^2 = 0
543 * <=> ((x + a) * x + y ) * x + b + y^2 = 0
545 if (!BN_GF2m_add(lh, point->X, group->a))
547 if (!field_mul(group, lh, lh, point->X, ctx))
549 if (!BN_GF2m_add(lh, lh, point->Y))
551 if (!field_mul(group, lh, lh, point->X, ctx))
553 if (!BN_GF2m_add(lh, lh, group->b))
555 if (!field_sqr(group, y2, point->Y, ctx))
557 if (!BN_GF2m_add(lh, lh, y2))
559 ret = BN_is_zero(lh);
564 BN_CTX_free(new_ctx);
570 * Indicates whether two points are equal.
573 * 0 equal (in affine coordinates)
576 int ec_GF2m_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
577 const EC_POINT *b, BN_CTX *ctx)
579 BIGNUM *aX, *aY, *bX, *bY;
582 BN_CTX *new_ctx = NULL;
585 if (EC_POINT_is_at_infinity(group, a)) {
586 return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
589 if (EC_POINT_is_at_infinity(group, b))
592 if (a->Z_is_one && b->Z_is_one) {
593 return ((BN_cmp(a->X, b->X) == 0) && BN_cmp(a->Y, b->Y) == 0) ? 0 : 1;
598 ctx = new_ctx = BN_CTX_new();
605 aX = BN_CTX_get(ctx);
606 aY = BN_CTX_get(ctx);
607 bX = BN_CTX_get(ctx);
608 bY = BN_CTX_get(ctx);
612 if (!EC_POINT_get_affine_coordinates(group, a, aX, aY, ctx))
614 if (!EC_POINT_get_affine_coordinates(group, b, bX, bY, ctx))
616 ret = ((BN_cmp(aX, bX) == 0) && BN_cmp(aY, bY) == 0) ? 0 : 1;
621 BN_CTX_free(new_ctx);
626 /* Forces the given EC_POINT to internally use affine coordinates. */
627 int ec_GF2m_simple_make_affine(const EC_GROUP *group, EC_POINT *point,
633 BN_CTX *new_ctx = NULL;
636 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
641 ctx = new_ctx = BN_CTX_new();
653 if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx))
655 if (!BN_copy(point->X, x))
657 if (!BN_copy(point->Y, y))
659 if (!BN_one(point->Z))
668 BN_CTX_free(new_ctx);
674 * Forces each of the EC_POINTs in the given array to use affine coordinates.
676 int ec_GF2m_simple_points_make_affine(const EC_GROUP *group, size_t num,
677 EC_POINT *points[], BN_CTX *ctx)
681 for (i = 0; i < num; i++) {
682 if (!group->meth->make_affine(group, points[i], ctx))
689 /* Wrapper to simple binary polynomial field multiplication implementation. */
690 int ec_GF2m_simple_field_mul(const EC_GROUP *group, BIGNUM *r,
691 const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
693 return BN_GF2m_mod_mul_arr(r, a, b, group->poly, ctx);
696 /* Wrapper to simple binary polynomial field squaring implementation. */
697 int ec_GF2m_simple_field_sqr(const EC_GROUP *group, BIGNUM *r,
698 const BIGNUM *a, BN_CTX *ctx)
700 return BN_GF2m_mod_sqr_arr(r, a, group->poly, ctx);
703 /* Wrapper to simple binary polynomial field division implementation. */
704 int ec_GF2m_simple_field_div(const EC_GROUP *group, BIGNUM *r,
705 const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
707 return BN_GF2m_mod_div(r, a, b, group->field, ctx);
711 * Lopez-Dahab ladder, pre step.
712 * See e.g. "Guide to ECC" Alg 3.40.
713 * Modified to blind s and r independently.
717 int ec_GF2m_simple_ladder_pre(const EC_GROUP *group,
718 EC_POINT *r, EC_POINT *s,
719 EC_POINT *p, BN_CTX *ctx)
721 /* if p is not affine, something is wrong */
722 if (p->Z_is_one == 0)
725 /* s blinding: make sure lambda (s->Z here) is not zero */
727 if (!BN_priv_rand_ex(s->Z, BN_num_bits(group->field) - 1,
728 BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, ctx)) {
729 ECerr(EC_F_EC_GF2M_SIMPLE_LADDER_PRE, ERR_R_BN_LIB);
732 } while (BN_is_zero(s->Z));
734 /* if field_encode defined convert between representations */
735 if ((group->meth->field_encode != NULL
736 && !group->meth->field_encode(group, s->Z, s->Z, ctx))
737 || !group->meth->field_mul(group, s->X, p->X, s->Z, ctx))
740 /* r blinding: make sure lambda (r->Y here for storage) is not zero */
742 if (!BN_priv_rand_ex(r->Y, BN_num_bits(group->field) - 1,
743 BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, ctx)) {
744 ECerr(EC_F_EC_GF2M_SIMPLE_LADDER_PRE, ERR_R_BN_LIB);
747 } while (BN_is_zero(r->Y));
749 if ((group->meth->field_encode != NULL
750 && !group->meth->field_encode(group, r->Y, r->Y, ctx))
751 || !group->meth->field_sqr(group, r->Z, p->X, ctx)
752 || !group->meth->field_sqr(group, r->X, r->Z, ctx)
753 || !BN_GF2m_add(r->X, r->X, group->b)
754 || !group->meth->field_mul(group, r->Z, r->Z, r->Y, ctx)
755 || !group->meth->field_mul(group, r->X, r->X, r->Y, ctx))
765 * Ladder step: differential addition-and-doubling, mixed Lopez-Dahab coords.
766 * http://www.hyperelliptic.org/EFD/g12o/auto-code/shortw/xz/ladder/mladd-2003-s.op3
767 * s := r + s, r := 2r
770 int ec_GF2m_simple_ladder_step(const EC_GROUP *group,
771 EC_POINT *r, EC_POINT *s,
772 EC_POINT *p, BN_CTX *ctx)
774 if (!group->meth->field_mul(group, r->Y, r->Z, s->X, ctx)
775 || !group->meth->field_mul(group, s->X, r->X, s->Z, ctx)
776 || !group->meth->field_sqr(group, s->Y, r->Z, ctx)
777 || !group->meth->field_sqr(group, r->Z, r->X, ctx)
778 || !BN_GF2m_add(s->Z, r->Y, s->X)
779 || !group->meth->field_sqr(group, s->Z, s->Z, ctx)
780 || !group->meth->field_mul(group, s->X, r->Y, s->X, ctx)
781 || !group->meth->field_mul(group, r->Y, s->Z, p->X, ctx)
782 || !BN_GF2m_add(s->X, s->X, r->Y)
783 || !group->meth->field_sqr(group, r->Y, r->Z, ctx)
784 || !group->meth->field_mul(group, r->Z, r->Z, s->Y, ctx)
785 || !group->meth->field_sqr(group, s->Y, s->Y, ctx)
786 || !group->meth->field_mul(group, s->Y, s->Y, group->b, ctx)
787 || !BN_GF2m_add(r->X, r->Y, s->Y))
794 * Recover affine (x,y) result from Lopez-Dahab r and s, affine p.
795 * See e.g. "Fast Multiplication on Elliptic Curves over GF(2**m)
796 * without Precomputation" (Lopez and Dahab, CHES 1999),
800 int ec_GF2m_simple_ladder_post(const EC_GROUP *group,
801 EC_POINT *r, EC_POINT *s,
802 EC_POINT *p, BN_CTX *ctx)
805 BIGNUM *t0, *t1, *t2 = NULL;
807 if (BN_is_zero(r->Z))
808 return EC_POINT_set_to_infinity(group, r);
810 if (BN_is_zero(s->Z)) {
811 if (!EC_POINT_copy(r, p)
812 || !EC_POINT_invert(group, r, ctx)) {
813 ECerr(EC_F_EC_GF2M_SIMPLE_LADDER_POST, ERR_R_EC_LIB);
820 t0 = BN_CTX_get(ctx);
821 t1 = BN_CTX_get(ctx);
822 t2 = BN_CTX_get(ctx);
824 ECerr(EC_F_EC_GF2M_SIMPLE_LADDER_POST, ERR_R_MALLOC_FAILURE);
828 if (!group->meth->field_mul(group, t0, r->Z, s->Z, ctx)
829 || !group->meth->field_mul(group, t1, p->X, r->Z, ctx)
830 || !BN_GF2m_add(t1, r->X, t1)
831 || !group->meth->field_mul(group, t2, p->X, s->Z, ctx)
832 || !group->meth->field_mul(group, r->Z, r->X, t2, ctx)
833 || !BN_GF2m_add(t2, t2, s->X)
834 || !group->meth->field_mul(group, t1, t1, t2, ctx)
835 || !group->meth->field_sqr(group, t2, p->X, ctx)
836 || !BN_GF2m_add(t2, p->Y, t2)
837 || !group->meth->field_mul(group, t2, t2, t0, ctx)
838 || !BN_GF2m_add(t1, t2, t1)
839 || !group->meth->field_mul(group, t2, p->X, t0, ctx)
840 || !group->meth->field_inv(group, t2, t2, ctx)
841 || !group->meth->field_mul(group, t1, t1, t2, ctx)
842 || !group->meth->field_mul(group, r->X, r->Z, t2, ctx)
843 || !BN_GF2m_add(t2, p->X, r->X)
844 || !group->meth->field_mul(group, t2, t2, t1, ctx)
845 || !BN_GF2m_add(r->Y, p->Y, t2)
851 /* GF(2^m) field elements should always have BIGNUM::neg = 0 */
852 BN_set_negative(r->X, 0);
853 BN_set_negative(r->Y, 0);
863 int ec_GF2m_simple_points_mul(const EC_GROUP *group, EC_POINT *r,
864 const BIGNUM *scalar, size_t num,
865 const EC_POINT *points[],
866 const BIGNUM *scalars[],
873 * We limit use of the ladder only to the following cases:
875 * Fixed point mul: scalar != NULL && num == 0;
876 * - r := scalars[0] * points[0]
877 * Variable point mul: scalar == NULL && num == 1;
878 * - r := scalar * G + scalars[0] * points[0]
879 * used, e.g., in ECDSA verification: scalar != NULL && num == 1
881 * In any other case (num > 1) we use the default wNAF implementation.
883 * We also let the default implementation handle degenerate cases like group
884 * order or cofactor set to 0.
886 if (num > 1 || BN_is_zero(group->order) || BN_is_zero(group->cofactor))
887 return ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
889 if (scalar != NULL && num == 0)
890 /* Fixed point multiplication */
891 return ec_scalar_mul_ladder(group, r, scalar, NULL, ctx);
893 if (scalar == NULL && num == 1)
894 /* Variable point multiplication */
895 return ec_scalar_mul_ladder(group, r, scalars[0], points[0], ctx);
898 * Double point multiplication:
899 * r := scalar * G + scalars[0] * points[0]
902 if ((t = EC_POINT_new(group)) == NULL) {
903 ECerr(EC_F_EC_GF2M_SIMPLE_POINTS_MUL, ERR_R_MALLOC_FAILURE);
907 if (!ec_scalar_mul_ladder(group, t, scalar, NULL, ctx)
908 || !ec_scalar_mul_ladder(group, r, scalars[0], points[0], ctx)
909 || !EC_POINT_add(group, r, t, r, ctx))
920 * Computes the multiplicative inverse of a in GF(2^m), storing the result in r.
921 * If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
922 * SCA hardening is with blinding: BN_GF2m_mod_inv does that.
924 static int ec_GF2m_simple_field_inv(const EC_GROUP *group, BIGNUM *r,
925 const BIGNUM *a, BN_CTX *ctx)
929 if (!(ret = BN_GF2m_mod_inv(r, a, group->field, ctx)))
930 ECerr(EC_F_EC_GF2M_SIMPLE_FIELD_INV, EC_R_CANNOT_INVERT);
934 const EC_METHOD *EC_GF2m_simple_method(void)
936 static const EC_METHOD ret = {
937 EC_FLAGS_DEFAULT_OCT,
938 NID_X9_62_characteristic_two_field,
939 ec_GF2m_simple_group_init,
940 ec_GF2m_simple_group_finish,
941 ec_GF2m_simple_group_clear_finish,
942 ec_GF2m_simple_group_copy,
943 ec_GF2m_simple_group_set_curve,
944 ec_GF2m_simple_group_get_curve,
945 ec_GF2m_simple_group_get_degree,
946 ec_group_simple_order_bits,
947 ec_GF2m_simple_group_check_discriminant,
948 ec_GF2m_simple_point_init,
949 ec_GF2m_simple_point_finish,
950 ec_GF2m_simple_point_clear_finish,
951 ec_GF2m_simple_point_copy,
952 ec_GF2m_simple_point_set_to_infinity,
953 0, /* set_Jprojective_coordinates_GFp */
954 0, /* get_Jprojective_coordinates_GFp */
955 ec_GF2m_simple_point_set_affine_coordinates,
956 ec_GF2m_simple_point_get_affine_coordinates,
957 0, /* point_set_compressed_coordinates */
962 ec_GF2m_simple_invert,
963 ec_GF2m_simple_is_at_infinity,
964 ec_GF2m_simple_is_on_curve,
966 ec_GF2m_simple_make_affine,
967 ec_GF2m_simple_points_make_affine,
968 ec_GF2m_simple_points_mul,
969 0, /* precompute_mult */
970 0, /* have_precompute_mult */
971 ec_GF2m_simple_field_mul,
972 ec_GF2m_simple_field_sqr,
973 ec_GF2m_simple_field_div,
974 ec_GF2m_simple_field_inv,
975 0, /* field_encode */
976 0, /* field_decode */
977 0, /* field_set_to_one */
978 ec_key_simple_priv2oct,
979 ec_key_simple_oct2priv,
981 ec_key_simple_generate_key,
982 ec_key_simple_check_key,
983 ec_key_simple_generate_public_key,
986 ecdh_simple_compute_key,
987 ecdsa_simple_sign_setup,
988 ecdsa_simple_sign_sig,
989 ecdsa_simple_verify_sig,
990 0, /* field_inverse_mod_ord */
991 0, /* blind_coordinates */
992 ec_GF2m_simple_ladder_pre,
993 ec_GF2m_simple_ladder_step,
994 ec_GF2m_simple_ladder_post
projects / openssl.git / blob