1 /* crypto/ec/ecp_smpl.c */
2 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
3 * for the OpenSSL project.
4 * Includes code written by Bodo Moeller for the OpenSSL project.
6 /* ====================================================================
7 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * openssl-core@openssl.org.
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
35 * 6. Redistributions of any form whatsoever must retain the following
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
59 /* ====================================================================
60 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
61 * Portions of this software developed by SUN MICROSYSTEMS, INC.,
62 * and contributed to the OpenSSL project.
65 #include <openssl/err.h>
66 #include <openssl/symhacks.h>
70 const EC_METHOD *EC_GFp_simple_method(void)
72 static const EC_METHOD ret = {
73 NID_X9_62_prime_field,
74 ec_GFp_simple_group_init,
75 ec_GFp_simple_group_finish,
76 ec_GFp_simple_group_clear_finish,
77 ec_GFp_simple_group_copy,
78 ec_GFp_simple_group_set_curve,
79 ec_GFp_simple_group_get_curve,
80 ec_GFp_simple_group_get_degree,
81 ec_GFp_simple_group_check_discriminant,
82 ec_GFp_simple_point_init,
83 ec_GFp_simple_point_finish,
84 ec_GFp_simple_point_clear_finish,
85 ec_GFp_simple_point_copy,
86 ec_GFp_simple_point_set_to_infinity,
87 ec_GFp_simple_set_Jprojective_coordinates_GFp,
88 ec_GFp_simple_get_Jprojective_coordinates_GFp,
89 ec_GFp_simple_point_set_affine_coordinates,
90 ec_GFp_simple_point_get_affine_coordinates,
91 ec_GFp_simple_set_compressed_coordinates,
92 ec_GFp_simple_point2oct,
93 ec_GFp_simple_oct2point,
98 0 /* precompute_mult */,
99 ec_GFp_simple_is_at_infinity,
100 ec_GFp_simple_is_on_curve,
102 ec_GFp_simple_make_affine,
103 ec_GFp_simple_points_make_affine,
104 ec_GFp_simple_field_mul,
105 ec_GFp_simple_field_sqr,
107 0 /* field_encode */,
108 0 /* field_decode */,
109 0 /* field_set_to_one */ };
115 int ec_GFp_simple_group_init(EC_GROUP *group)
117 BN_init(&group->field);
120 group->a_is_minus3 = 0;
125 void ec_GFp_simple_group_finish(EC_GROUP *group)
127 BN_free(&group->field);
133 void ec_GFp_simple_group_clear_finish(EC_GROUP *group)
135 BN_clear_free(&group->field);
136 BN_clear_free(&group->a);
137 BN_clear_free(&group->b);
141 int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
143 if (!BN_copy(&dest->field, &src->field)) return 0;
144 if (!BN_copy(&dest->a, &src->a)) return 0;
145 if (!BN_copy(&dest->b, &src->b)) return 0;
147 dest->a_is_minus3 = src->a_is_minus3;
153 int ec_GFp_simple_group_set_curve(EC_GROUP *group,
154 const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
157 BN_CTX *new_ctx = NULL;
160 /* p must be a prime > 3 */
161 if (BN_num_bits(p) <= 2 || !BN_is_odd(p))
163 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_INVALID_FIELD);
169 ctx = new_ctx = BN_CTX_new();
175 tmp_a = BN_CTX_get(ctx);
176 if (tmp_a == NULL) goto err;
179 if (!BN_copy(&group->field, p)) goto err;
180 group->field.neg = 0;
183 if (!BN_nnmod(tmp_a, a, p, ctx)) goto err;
184 if (group->meth->field_encode)
185 { if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) goto err; }
187 if (!BN_copy(&group->a, tmp_a)) goto err;
190 if (!BN_nnmod(&group->b, b, p, ctx)) goto err;
191 if (group->meth->field_encode)
192 if (!group->meth->field_encode(group, &group->b, &group->b, ctx)) goto err;
194 /* group->a_is_minus3 */
195 if (!BN_add_word(tmp_a, 3)) goto err;
196 group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
203 BN_CTX_free(new_ctx);
208 int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
211 BN_CTX *new_ctx = NULL;
215 if (!BN_copy(p, &group->field)) return 0;
218 if (a != NULL || b != NULL)
220 if (group->meth->field_decode)
224 ctx = new_ctx = BN_CTX_new();
230 if (!group->meth->field_decode(group, a, &group->a, ctx)) goto err;
234 if (!group->meth->field_decode(group, b, &group->b, ctx)) goto err;
241 if (!BN_copy(a, &group->a)) goto err;
245 if (!BN_copy(b, &group->b)) goto err;
254 BN_CTX_free(new_ctx);
259 int ec_GFp_simple_group_get_degree(const EC_GROUP *group)
261 return BN_num_bits(&group->field);
265 int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
268 BIGNUM *a,*b,*order,*tmp_1,*tmp_2;
269 const BIGNUM *p = &group->field;
270 BN_CTX *new_ctx = NULL;
274 ctx = new_ctx = BN_CTX_new();
277 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT, ERR_R_MALLOC_FAILURE);
284 tmp_1 = BN_CTX_get(ctx);
285 tmp_2 = BN_CTX_get(ctx);
286 order = BN_CTX_get(ctx);
287 if (order == NULL) goto err;
289 if (group->meth->field_decode)
291 if (!group->meth->field_decode(group, a, &group->a, ctx)) goto err;
292 if (!group->meth->field_decode(group, b, &group->b, ctx)) goto err;
296 if (!BN_copy(a, &group->a)) goto err;
297 if (!BN_copy(b, &group->b)) goto err;
300 /* check the discriminant:
301 * y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p)
305 if (BN_is_zero(b)) goto err;
307 else if (!BN_is_zero(b))
309 if (!BN_mod_sqr(tmp_1, a, p, ctx)) goto err;
310 if (!BN_mod_mul(tmp_2, tmp_1, a, p, ctx)) goto err;
311 if (!BN_lshift(tmp_1, tmp_2, 2)) goto err;
314 if (!BN_mod_sqr(tmp_2, b, p, ctx)) goto err;
315 if (!BN_mul_word(tmp_2, 27)) goto err;
318 if (!BN_mod_add(a, tmp_1, tmp_2, p, ctx)) goto err;
319 if (BN_is_zero(a)) goto err;
326 BN_CTX_free(new_ctx);
331 int ec_GFp_simple_point_init(EC_POINT *point)
342 void ec_GFp_simple_point_finish(EC_POINT *point)
350 void ec_GFp_simple_point_clear_finish(EC_POINT *point)
352 BN_clear_free(&point->X);
353 BN_clear_free(&point->Y);
354 BN_clear_free(&point->Z);
359 int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
361 if (!BN_copy(&dest->X, &src->X)) return 0;
362 if (!BN_copy(&dest->Y, &src->Y)) return 0;
363 if (!BN_copy(&dest->Z, &src->Z)) return 0;
364 dest->Z_is_one = src->Z_is_one;
370 int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
373 return (BN_zero(&point->Z));
377 int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
378 const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx)
380 BN_CTX *new_ctx = NULL;
385 ctx = new_ctx = BN_CTX_new();
392 if (!BN_nnmod(&point->X, x, &group->field, ctx)) goto err;
393 if (group->meth->field_encode)
395 if (!group->meth->field_encode(group, &point->X, &point->X, ctx)) goto err;
401 if (!BN_nnmod(&point->Y, y, &group->field, ctx)) goto err;
402 if (group->meth->field_encode)
404 if (!group->meth->field_encode(group, &point->Y, &point->Y, ctx)) goto err;
412 if (!BN_nnmod(&point->Z, z, &group->field, ctx)) goto err;
413 Z_is_one = BN_is_one(&point->Z);
414 if (group->meth->field_encode)
416 if (Z_is_one && (group->meth->field_set_to_one != 0))
418 if (!group->meth->field_set_to_one(group, &point->Z, ctx)) goto err;
422 if (!group->meth->field_encode(group, &point->Z, &point->Z, ctx)) goto err;
425 point->Z_is_one = Z_is_one;
432 BN_CTX_free(new_ctx);
437 int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
438 BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx)
440 BN_CTX *new_ctx = NULL;
443 if (group->meth->field_decode != 0)
447 ctx = new_ctx = BN_CTX_new();
454 if (!group->meth->field_decode(group, x, &point->X, ctx)) goto err;
458 if (!group->meth->field_decode(group, y, &point->Y, ctx)) goto err;
462 if (!group->meth->field_decode(group, z, &point->Z, ctx)) goto err;
469 if (!BN_copy(x, &point->X)) goto err;
473 if (!BN_copy(y, &point->Y)) goto err;
477 if (!BN_copy(z, &point->Z)) goto err;
485 BN_CTX_free(new_ctx);
490 int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point,
491 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
493 if (x == NULL || y == NULL)
495 /* unlike for projective coordinates, we do not tolerate this */
496 ECerr(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES, ERR_R_PASSED_NULL_PARAMETER);
500 return EC_POINT_set_Jprojective_coordinates_GFp(group, point, x, y, BN_value_one(), ctx);
504 int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point,
505 BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
507 BN_CTX *new_ctx = NULL;
508 BIGNUM *X, *Y, *Z, *Z_1, *Z_2, *Z_3;
509 const BIGNUM *X_, *Y_, *Z_;
512 if (EC_POINT_is_at_infinity(group, point))
514 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES, EC_R_POINT_AT_INFINITY);
520 ctx = new_ctx = BN_CTX_new();
529 Z_1 = BN_CTX_get(ctx);
530 Z_2 = BN_CTX_get(ctx);
531 Z_3 = BN_CTX_get(ctx);
532 if (Z_3 == NULL) goto err;
534 /* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */
536 if (group->meth->field_decode)
538 if (!group->meth->field_decode(group, X, &point->X, ctx)) goto err;
539 if (!group->meth->field_decode(group, Y, &point->Y, ctx)) goto err;
540 if (!group->meth->field_decode(group, Z, &point->Z, ctx)) goto err;
541 X_ = X; Y_ = Y; Z_ = Z;
554 if (!BN_copy(x, X_)) goto err;
558 if (!BN_copy(y, Y_)) goto err;
563 if (!BN_mod_inverse(Z_1, Z_, &group->field, ctx))
565 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES, ERR_R_BN_LIB);
569 if (group->meth->field_encode == 0)
571 /* field_sqr works on standard representation */
572 if (!group->meth->field_sqr(group, Z_2, Z_1, ctx)) goto err;
576 if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx)) goto err;
581 if (group->meth->field_encode == 0)
583 /* field_mul works on standard representation */
584 if (!group->meth->field_mul(group, x, X_, Z_2, ctx)) goto err;
588 if (!BN_mod_mul(x, X_, Z_2, &group->field, ctx)) goto err;
594 if (group->meth->field_encode == 0)
596 /* field_mul works on standard representation */
597 if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx)) goto err;
598 if (!group->meth->field_mul(group, y, Y_, Z_3, ctx)) goto err;
603 if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx)) goto err;
604 if (!BN_mod_mul(y, Y_, Z_3, &group->field, ctx)) goto err;
614 BN_CTX_free(new_ctx);
619 int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point,
620 const BIGNUM *x_, int y_bit, BN_CTX *ctx)
622 BN_CTX *new_ctx = NULL;
623 BIGNUM *tmp1, *tmp2, *x, *y;
628 ctx = new_ctx = BN_CTX_new();
633 y_bit = (y_bit != 0);
636 tmp1 = BN_CTX_get(ctx);
637 tmp2 = BN_CTX_get(ctx);
640 if (y == NULL) goto err;
642 /* Recover y. We have a Weierstrass equation
643 * y^2 = x^3 + a*x + b,
644 * so y is one of the square roots of x^3 + a*x + b.
648 if (!BN_nnmod(x, x_, &group->field,ctx)) goto err;
649 if (group->meth->field_decode == 0)
651 /* field_{sqr,mul} work on standard representation */
652 if (!group->meth->field_sqr(group, tmp2, x_, ctx)) goto err;
653 if (!group->meth->field_mul(group, tmp1, tmp2, x_, ctx)) goto err;
657 if (!BN_mod_sqr(tmp2, x_, &group->field, ctx)) goto err;
658 if (!BN_mod_mul(tmp1, tmp2, x_, &group->field, ctx)) goto err;
661 /* tmp1 := tmp1 + a*x */
662 if (group->a_is_minus3)
664 if (!BN_mod_lshift1_quick(tmp2, x, &group->field)) goto err;
665 if (!BN_mod_add_quick(tmp2, tmp2, x, &group->field)) goto err;
666 if (!BN_mod_sub_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
670 if (group->meth->field_decode)
672 if (!group->meth->field_decode(group, tmp2, &group->a, ctx)) goto err;
673 if (!BN_mod_mul(tmp2, tmp2, x, &group->field, ctx)) goto err;
677 /* field_mul works on standard representation */
678 if (!group->meth->field_mul(group, tmp2, &group->a, x, ctx)) goto err;
681 if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
684 /* tmp1 := tmp1 + b */
685 if (group->meth->field_decode)
687 if (!group->meth->field_decode(group, tmp2, &group->b, ctx)) goto err;
688 if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
692 if (!BN_mod_add_quick(tmp1, tmp1, &group->b, &group->field)) goto err;
695 if (!BN_mod_sqrt(y, tmp1, &group->field, ctx))
697 unsigned long err = ERR_peek_error();
699 if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE)
701 (void)ERR_get_error();
702 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSED_POINT);
705 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_BN_LIB);
708 /* If tmp1 is not a square (i.e. there is no point on the curve with
709 * our x), then y now is a nonsense value too */
711 if (y_bit != BN_is_odd(y))
717 kron = BN_kronecker(x, &group->field, ctx);
718 if (kron == -2) goto err;
721 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSION_BIT);
723 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSED_POINT);
726 if (!BN_usub(y, &group->field, y)) goto err;
728 if (y_bit != BN_is_odd(y))
730 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_INTERNAL_ERROR);
734 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
741 BN_CTX_free(new_ctx);
746 size_t ec_GFp_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form,
747 unsigned char *buf, size_t len, BN_CTX *ctx)
750 BN_CTX *new_ctx = NULL;
753 size_t field_len, i, skip;
755 if ((form != POINT_CONVERSION_COMPRESSED)
756 && (form != POINT_CONVERSION_UNCOMPRESSED)
757 && (form != POINT_CONVERSION_HYBRID))
759 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_INVALID_FORM);
763 if (EC_POINT_is_at_infinity(group, point))
765 /* encodes to a single 0 octet */
770 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
779 /* ret := required output buffer length */
780 field_len = BN_num_bytes(&group->field);
781 ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
783 /* if 'buf' is NULL, just return required length */
788 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
794 ctx = new_ctx = BN_CTX_new();
803 if (y == NULL) goto err;
805 if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
807 if ((form == POINT_CONVERSION_COMPRESSED || form == POINT_CONVERSION_HYBRID) && BN_is_odd(y))
814 skip = field_len - BN_num_bytes(x);
815 if (skip > field_len)
817 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
825 skip = BN_bn2bin(x, buf + i);
827 if (i != 1 + field_len)
829 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
833 if (form == POINT_CONVERSION_UNCOMPRESSED || form == POINT_CONVERSION_HYBRID)
835 skip = field_len - BN_num_bytes(y);
836 if (skip > field_len)
838 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
846 skip = BN_bn2bin(y, buf + i);
852 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
860 BN_CTX_free(new_ctx);
867 BN_CTX_free(new_ctx);
872 int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
873 const unsigned char *buf, size_t len, BN_CTX *ctx)
875 point_conversion_form_t form;
877 BN_CTX *new_ctx = NULL;
879 size_t field_len, enc_len;
884 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_BUFFER_TOO_SMALL);
890 if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED)
891 && (form != POINT_CONVERSION_UNCOMPRESSED)
892 && (form != POINT_CONVERSION_HYBRID))
894 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
897 if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit)
899 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
907 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
911 return EC_POINT_set_to_infinity(group, point);
914 field_len = BN_num_bytes(&group->field);
915 enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
919 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
925 ctx = new_ctx = BN_CTX_new();
933 if (y == NULL) goto err;
935 if (!BN_bin2bn(buf + 1, field_len, x)) goto err;
936 if (BN_ucmp(x, &group->field) >= 0)
938 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
942 if (form == POINT_CONVERSION_COMPRESSED)
944 if (!EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx)) goto err;
948 if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) goto err;
949 if (BN_ucmp(y, &group->field) >= 0)
951 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
954 if (form == POINT_CONVERSION_HYBRID)
956 if (y_bit != BN_is_odd(y))
958 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
963 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
966 if (!EC_POINT_is_on_curve(group, point, ctx)) /* test required by X9.62 */
968 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
977 BN_CTX_free(new_ctx);
982 int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
984 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
985 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
987 BN_CTX *new_ctx = NULL;
988 BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
992 return EC_POINT_dbl(group, r, a, ctx);
993 if (EC_POINT_is_at_infinity(group, a))
994 return EC_POINT_copy(r, b);
995 if (EC_POINT_is_at_infinity(group, b))
996 return EC_POINT_copy(r, a);
998 field_mul = group->meth->field_mul;
999 field_sqr = group->meth->field_sqr;
1004 ctx = new_ctx = BN_CTX_new();
1010 n0 = BN_CTX_get(ctx);
1011 n1 = BN_CTX_get(ctx);
1012 n2 = BN_CTX_get(ctx);
1013 n3 = BN_CTX_get(ctx);
1014 n4 = BN_CTX_get(ctx);
1015 n5 = BN_CTX_get(ctx);
1016 n6 = BN_CTX_get(ctx);
1017 if (n6 == NULL) goto end;
1019 /* Note that in this function we must not read components of 'a' or 'b'
1020 * once we have written the corresponding components of 'r'.
1021 * ('r' might be one of 'a' or 'b'.)
1027 if (!BN_copy(n1, &a->X)) goto end;
1028 if (!BN_copy(n2, &a->Y)) goto end;
1034 if (!field_sqr(group, n0, &b->Z, ctx)) goto end;
1035 if (!field_mul(group, n1, &a->X, n0, ctx)) goto end;
1036 /* n1 = X_a * Z_b^2 */
1038 if (!field_mul(group, n0, n0, &b->Z, ctx)) goto end;
1039 if (!field_mul(group, n2, &a->Y, n0, ctx)) goto end;
1040 /* n2 = Y_a * Z_b^3 */
1046 if (!BN_copy(n3, &b->X)) goto end;
1047 if (!BN_copy(n4, &b->Y)) goto end;
1053 if (!field_sqr(group, n0, &a->Z, ctx)) goto end;
1054 if (!field_mul(group, n3, &b->X, n0, ctx)) goto end;
1055 /* n3 = X_b * Z_a^2 */
1057 if (!field_mul(group, n0, n0, &a->Z, ctx)) goto end;
1058 if (!field_mul(group, n4, &b->Y, n0, ctx)) goto end;
1059 /* n4 = Y_b * Z_a^3 */
1063 if (!BN_mod_sub_quick(n5, n1, n3, p)) goto end;
1064 if (!BN_mod_sub_quick(n6, n2, n4, p)) goto end;
1072 /* a is the same point as b */
1074 ret = EC_POINT_dbl(group, r, a, ctx);
1080 /* a is the inverse of b */
1081 if (!BN_zero(&r->Z)) goto end;
1089 if (!BN_mod_add_quick(n1, n1, n3, p)) goto end;
1090 if (!BN_mod_add_quick(n2, n2, n4, p)) goto end;
1091 /* 'n7' = n1 + n3 */
1092 /* 'n8' = n2 + n4 */
1095 if (a->Z_is_one && b->Z_is_one)
1097 if (!BN_copy(&r->Z, n5)) goto end;
1102 { if (!BN_copy(n0, &b->Z)) goto end; }
1103 else if (b->Z_is_one)
1104 { if (!BN_copy(n0, &a->Z)) goto end; }
1106 { if (!field_mul(group, n0, &a->Z, &b->Z, ctx)) goto end; }
1107 if (!field_mul(group, &r->Z, n0, n5, ctx)) goto end;
1110 /* Z_r = Z_a * Z_b * n5 */
1113 if (!field_sqr(group, n0, n6, ctx)) goto end;
1114 if (!field_sqr(group, n4, n5, ctx)) goto end;
1115 if (!field_mul(group, n3, n1, n4, ctx)) goto end;
1116 if (!BN_mod_sub_quick(&r->X, n0, n3, p)) goto end;
1117 /* X_r = n6^2 - n5^2 * 'n7' */
1120 if (!BN_mod_lshift1_quick(n0, &r->X, p)) goto end;
1121 if (!BN_mod_sub_quick(n0, n3, n0, p)) goto end;
1122 /* n9 = n5^2 * 'n7' - 2 * X_r */
1125 if (!field_mul(group, n0, n0, n6, ctx)) goto end;
1126 if (!field_mul(group, n5, n4, n5, ctx)) goto end; /* now n5 is n5^3 */
1127 if (!field_mul(group, n1, n2, n5, ctx)) goto end;
1128 if (!BN_mod_sub_quick(n0, n0, n1, p)) goto end;
1130 if (!BN_add(n0, n0, p)) goto end;
1131 /* now 0 <= n0 < 2*p, and n0 is even */
1132 if (!BN_rshift1(&r->Y, n0)) goto end;
1133 /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
1138 if (ctx) /* otherwise we already called BN_CTX_end */
1140 if (new_ctx != NULL)
1141 BN_CTX_free(new_ctx);
1146 int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
1148 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
1149 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1151 BN_CTX *new_ctx = NULL;
1152 BIGNUM *n0, *n1, *n2, *n3;
1155 if (EC_POINT_is_at_infinity(group, a))
1157 if (!BN_zero(&r->Z)) return 0;
1162 field_mul = group->meth->field_mul;
1163 field_sqr = group->meth->field_sqr;
1168 ctx = new_ctx = BN_CTX_new();
1174 n0 = BN_CTX_get(ctx);
1175 n1 = BN_CTX_get(ctx);
1176 n2 = BN_CTX_get(ctx);
1177 n3 = BN_CTX_get(ctx);
1178 if (n3 == NULL) goto err;
1180 /* Note that in this function we must not read components of 'a'
1181 * once we have written the corresponding components of 'r'.
1182 * ('r' might the same as 'a'.)
1188 if (!field_sqr(group, n0, &a->X, ctx)) goto err;
1189 if (!BN_mod_lshift1_quick(n1, n0, p)) goto err;
1190 if (!BN_mod_add_quick(n0, n0, n1, p)) goto err;
1191 if (!BN_mod_add_quick(n1, n0, &group->a, p)) goto err;
1192 /* n1 = 3 * X_a^2 + a_curve */
1194 else if (group->a_is_minus3)
1196 if (!field_sqr(group, n1, &a->Z, ctx)) goto err;
1197 if (!BN_mod_add_quick(n0, &a->X, n1, p)) goto err;
1198 if (!BN_mod_sub_quick(n2, &a->X, n1, p)) goto err;
1199 if (!field_mul(group, n1, n0, n2, ctx)) goto err;
1200 if (!BN_mod_lshift1_quick(n0, n1, p)) goto err;
1201 if (!BN_mod_add_quick(n1, n0, n1, p)) goto err;
1202 /* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
1203 * = 3 * X_a^2 - 3 * Z_a^4 */
1207 if (!field_sqr(group, n0, &a->X, ctx)) goto err;
1208 if (!BN_mod_lshift1_quick(n1, n0, p)) goto err;
1209 if (!BN_mod_add_quick(n0, n0, n1, p)) goto err;
1210 if (!field_sqr(group, n1, &a->Z, ctx)) goto err;
1211 if (!field_sqr(group, n1, n1, ctx)) goto err;
1212 if (!field_mul(group, n1, n1, &group->a, ctx)) goto err;
1213 if (!BN_mod_add_quick(n1, n1, n0, p)) goto err;
1214 /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
1220 if (!BN_copy(n0, &a->Y)) goto err;
1224 if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) goto err;
1226 if (!BN_mod_lshift1_quick(&r->Z, n0, p)) goto err;
1228 /* Z_r = 2 * Y_a * Z_a */
1231 if (!field_sqr(group, n3, &a->Y, ctx)) goto err;
1232 if (!field_mul(group, n2, &a->X, n3, ctx)) goto err;
1233 if (!BN_mod_lshift_quick(n2, n2, 2, p)) goto err;
1234 /* n2 = 4 * X_a * Y_a^2 */
1237 if (!BN_mod_lshift1_quick(n0, n2, p)) goto err;
1238 if (!field_sqr(group, &r->X, n1, ctx)) goto err;
1239 if (!BN_mod_sub_quick(&r->X, &r->X, n0, p)) goto err;
1240 /* X_r = n1^2 - 2 * n2 */
1243 if (!field_sqr(group, n0, n3, ctx)) goto err;
1244 if (!BN_mod_lshift_quick(n3, n0, 3, p)) goto err;
1245 /* n3 = 8 * Y_a^4 */
1248 if (!BN_mod_sub_quick(n0, n2, &r->X, p)) goto err;
1249 if (!field_mul(group, n0, n1, n0, ctx)) goto err;
1250 if (!BN_mod_sub_quick(&r->Y, n0, n3, p)) goto err;
1251 /* Y_r = n1 * (n2 - X_r) - n3 */
1257 if (new_ctx != NULL)
1258 BN_CTX_free(new_ctx);
1263 int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
1265 if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y))
1266 /* point is its own inverse */
1269 return BN_usub(&point->Y, &group->field, &point->Y);
1273 int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
1275 return BN_is_zero(&point->Z);
1279 int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
1281 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
1282 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1284 BN_CTX *new_ctx = NULL;
1285 BIGNUM *rh, *tmp1, *tmp2, *Z4, *Z6;
1288 if (EC_POINT_is_at_infinity(group, point))
1291 field_mul = group->meth->field_mul;
1292 field_sqr = group->meth->field_sqr;
1297 ctx = new_ctx = BN_CTX_new();
1303 rh = BN_CTX_get(ctx);
1304 tmp1 = BN_CTX_get(ctx);
1305 tmp2 = BN_CTX_get(ctx);
1306 Z4 = BN_CTX_get(ctx);
1307 Z6 = BN_CTX_get(ctx);
1308 if (Z6 == NULL) goto err;
1310 /* We have a curve defined by a Weierstrass equation
1311 * y^2 = x^3 + a*x + b.
1312 * The point to consider is given in Jacobian projective coordinates
1313 * where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
1314 * Substituting this and multiplying by Z^6 transforms the above equation into
1315 * Y^2 = X^3 + a*X*Z^4 + b*Z^6.
1316 * To test this, we add up the right-hand side in 'rh'.
1320 if (!field_sqr(group, rh, &point->X, ctx)) goto err;
1321 if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
1323 if (!point->Z_is_one)
1325 if (!field_sqr(group, tmp1, &point->Z, ctx)) goto err;
1326 if (!field_sqr(group, Z4, tmp1, ctx)) goto err;
1327 if (!field_mul(group, Z6, Z4, tmp1, ctx)) goto err;
1329 /* rh := rh + a*X*Z^4 */
1330 if (!field_mul(group, tmp1, &point->X, Z4, ctx)) goto err;
1331 if (group->a_is_minus3)
1333 if (!BN_mod_lshift1_quick(tmp2, tmp1, p)) goto err;
1334 if (!BN_mod_add_quick(tmp2, tmp2, tmp1, p)) goto err;
1335 if (!BN_mod_sub_quick(rh, rh, tmp2, p)) goto err;
1339 if (!field_mul(group, tmp2, tmp1, &group->a, ctx)) goto err;
1340 if (!BN_mod_add_quick(rh, rh, tmp2, p)) goto err;
1343 /* rh := rh + b*Z^6 */
1344 if (!field_mul(group, tmp1, &group->b, Z6, ctx)) goto err;
1345 if (!BN_mod_add_quick(rh, rh, tmp1, p)) goto err;
1349 /* point->Z_is_one */
1351 /* rh := rh + a*X */
1352 if (group->a_is_minus3)
1354 if (!BN_mod_lshift1_quick(tmp2, &point->X, p)) goto err;
1355 if (!BN_mod_add_quick(tmp2, tmp2, &point->X, p)) goto err;
1356 if (!BN_mod_sub_quick(rh, rh, tmp2, p)) goto err;
1360 if (!field_mul(group, tmp2, &point->X, &group->a, ctx)) goto err;
1361 if (!BN_mod_add_quick(rh, rh, tmp2, p)) goto err;
1365 if (!BN_mod_add_quick(rh, rh, &group->b, p)) goto err;
1369 if (!field_sqr(group, tmp1, &point->Y, ctx)) goto err;
1371 ret = (0 == BN_cmp(tmp1, rh));
1375 if (new_ctx != NULL)
1376 BN_CTX_free(new_ctx);
1381 int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
1385 * 0 equal (in affine coordinates)
1389 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
1390 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1391 BN_CTX *new_ctx = NULL;
1392 BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
1393 const BIGNUM *tmp1_, *tmp2_;
1396 if (EC_POINT_is_at_infinity(group, a))
1398 return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
1401 if (a->Z_is_one && b->Z_is_one)
1403 return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
1406 field_mul = group->meth->field_mul;
1407 field_sqr = group->meth->field_sqr;
1411 ctx = new_ctx = BN_CTX_new();
1417 tmp1 = BN_CTX_get(ctx);
1418 tmp2 = BN_CTX_get(ctx);
1419 Za23 = BN_CTX_get(ctx);
1420 Zb23 = BN_CTX_get(ctx);
1421 if (Zb23 == NULL) goto end;
1423 /* We have to decide whether
1424 * (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
1425 * or equivalently, whether
1426 * (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
1431 if (!field_sqr(group, Zb23, &b->Z, ctx)) goto end;
1432 if (!field_mul(group, tmp1, &a->X, Zb23, ctx)) goto end;
1439 if (!field_sqr(group, Za23, &a->Z, ctx)) goto end;
1440 if (!field_mul(group, tmp2, &b->X, Za23, ctx)) goto end;
1446 /* compare X_a*Z_b^2 with X_b*Z_a^2 */
1447 if (BN_cmp(tmp1_, tmp2_) != 0)
1449 ret = 1; /* points differ */
1456 if (!field_mul(group, Zb23, Zb23, &b->Z, ctx)) goto end;
1457 if (!field_mul(group, tmp1, &a->Y, Zb23, ctx)) goto end;
1464 if (!field_mul(group, Za23, Za23, &a->Z, ctx)) goto end;
1465 if (!field_mul(group, tmp2, &b->Y, Za23, ctx)) goto end;
1471 /* compare Y_a*Z_b^3 with Y_b*Z_a^3 */
1472 if (BN_cmp(tmp1_, tmp2_) != 0)
1474 ret = 1; /* points differ */
1478 /* points are equal */
1483 if (new_ctx != NULL)
1484 BN_CTX_free(new_ctx);
1489 int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
1491 BN_CTX *new_ctx = NULL;
1495 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
1500 ctx = new_ctx = BN_CTX_new();
1506 x = BN_CTX_get(ctx);
1507 y = BN_CTX_get(ctx);
1508 if (y == NULL) goto err;
1510 if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
1511 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
1512 if (!point->Z_is_one)
1514 ECerr(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE, ERR_R_INTERNAL_ERROR);
1522 if (new_ctx != NULL)
1523 BN_CTX_free(new_ctx);
1528 int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx)
1530 BN_CTX *new_ctx = NULL;
1531 BIGNUM *tmp0, *tmp1;
1533 BIGNUM **heap = NULL;
1542 ctx = new_ctx = BN_CTX_new();
1548 tmp0 = BN_CTX_get(ctx);
1549 tmp1 = BN_CTX_get(ctx);
1550 if (tmp0 == NULL || tmp1 == NULL) goto err;
1552 /* Before converting the individual points, compute inverses of all Z values.
1553 * Modular inversion is rather slow, but luckily we can do with a single
1554 * explicit inversion, plus about 3 multiplications per input value.
1560 /* Now pow2 is the smallest power of 2 satifsying pow2 >= num.
1561 * We need twice that. */
1564 heap = OPENSSL_malloc(pow2 * sizeof heap[0]);
1565 if (heap == NULL) goto err;
1567 /* The array is used as a binary tree, exactly as in heapsort:
1571 * heap[4] heap[5] heap[6] heap[7]
1572 * heap[8]heap[9] heap[10]heap[11] heap[12]heap[13] heap[14] heap[15]
1574 * We put the Z's in the last line;
1575 * then we set each other node to the product of its two child-nodes (where
1576 * empty or 0 entries are treated as ones);
1577 * then we invert heap[1];
1578 * then we invert each other node by replacing it by the product of its
1579 * parent (after inversion) and its sibling (before inversion).
1582 for (i = pow2/2 - 1; i > 0; i--)
1584 for (i = 0; i < num; i++)
1585 heap[pow2/2 + i] = &points[i]->Z;
1586 for (i = pow2/2 + num; i < pow2; i++)
1589 /* set each node to the product of its children */
1590 for (i = pow2/2 - 1; i > 0; i--)
1593 if (heap[i] == NULL) goto err;
1595 if (heap[2*i] != NULL)
1597 if ((heap[2*i + 1] == NULL) || BN_is_zero(heap[2*i + 1]))
1599 if (!BN_copy(heap[i], heap[2*i])) goto err;
1603 if (BN_is_zero(heap[2*i]))
1605 if (!BN_copy(heap[i], heap[2*i + 1])) goto err;
1609 if (!group->meth->field_mul(group, heap[i],
1610 heap[2*i], heap[2*i + 1], ctx)) goto err;
1616 /* invert heap[1] */
1617 if (!BN_is_zero(heap[1]))
1619 if (!BN_mod_inverse(heap[1], heap[1], &group->field, ctx))
1621 ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);
1625 if (group->meth->field_encode != 0)
1627 /* in the Montgomery case, we just turned R*H (representing H)
1628 * into 1/(R*H), but we need R*(1/H) (representing 1/H);
1629 * i.e. we have need to multiply by the Montgomery factor twice */
1630 if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err;
1631 if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err;
1634 /* set other heap[i]'s to their inverses */
1635 for (i = 2; i < pow2/2 + num; i += 2)
1638 if ((heap[i + 1] != NULL) && !BN_is_zero(heap[i + 1]))
1640 if (!group->meth->field_mul(group, tmp0, heap[i/2], heap[i + 1], ctx)) goto err;
1641 if (!group->meth->field_mul(group, tmp1, heap[i/2], heap[i], ctx)) goto err;
1642 if (!BN_copy(heap[i], tmp0)) goto err;
1643 if (!BN_copy(heap[i + 1], tmp1)) goto err;
1647 if (!BN_copy(heap[i], heap[i/2])) goto err;
1651 /* we have replaced all non-zero Z's by their inverses, now fix up all the points */
1652 for (i = 0; i < num; i++)
1654 EC_POINT *p = points[i];
1656 if (!BN_is_zero(&p->Z))
1658 /* turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1) */
1660 if (!group->meth->field_sqr(group, tmp1, &p->Z, ctx)) goto err;
1661 if (!group->meth->field_mul(group, &p->X, &p->X, tmp1, ctx)) goto err;
1663 if (!group->meth->field_mul(group, tmp1, tmp1, &p->Z, ctx)) goto err;
1664 if (!group->meth->field_mul(group, &p->Y, &p->Y, tmp1, ctx)) goto err;
1666 if (group->meth->field_set_to_one != 0)
1668 if (!group->meth->field_set_to_one(group, &p->Z, ctx)) goto err;
1672 if (!BN_one(&p->Z)) goto err;
1682 if (new_ctx != NULL)
1683 BN_CTX_free(new_ctx);
1686 /* heap[pow2/2] .. heap[pow2-1] have not been allocated locally! */
1687 for (i = pow2/2 - 1; i > 0; i--)
1689 if (heap[i] != NULL)
1690 BN_clear_free(heap[i]);
1698 int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
1700 return BN_mod_mul(r, a, b, &group->field, ctx);
1704 int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
1706 return BN_mod_sqr(r, a, &group->field, ctx);
projects / openssl.git / blob