2 * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 /* ====================================================================
11 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
13 * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
14 * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
15 * to the OpenSSL project.
17 * The ECC Code is licensed pursuant to the OpenSSL open source
18 * license provided below.
20 * The software is originally written by Sheueling Chang Shantz and
21 * Douglas Stebila of Sun Microsystems Laboratories.
25 #include <openssl/err.h>
27 #include "internal/bn_int.h"
30 #ifndef OPENSSL_NO_EC2M
32 const EC_METHOD *EC_GF2m_simple_method(void)
34 static const EC_METHOD ret = {
36 NID_X9_62_characteristic_two_field,
37 ec_GF2m_simple_group_init,
38 ec_GF2m_simple_group_finish,
39 ec_GF2m_simple_group_clear_finish,
40 ec_GF2m_simple_group_copy,
41 ec_GF2m_simple_group_set_curve,
42 ec_GF2m_simple_group_get_curve,
43 ec_GF2m_simple_group_get_degree,
44 ec_group_simple_order_bits,
45 ec_GF2m_simple_group_check_discriminant,
46 ec_GF2m_simple_point_init,
47 ec_GF2m_simple_point_finish,
48 ec_GF2m_simple_point_clear_finish,
49 ec_GF2m_simple_point_copy,
50 ec_GF2m_simple_point_set_to_infinity,
51 0 /* set_Jprojective_coordinates_GFp */ ,
52 0 /* get_Jprojective_coordinates_GFp */ ,
53 ec_GF2m_simple_point_set_affine_coordinates,
54 ec_GF2m_simple_point_get_affine_coordinates,
58 ec_GF2m_simple_invert,
59 ec_GF2m_simple_is_at_infinity,
60 ec_GF2m_simple_is_on_curve,
62 ec_GF2m_simple_make_affine,
63 ec_GF2m_simple_points_make_affine,
66 * the following three method functions are defined in ec2_mult.c
69 ec_GF2m_precompute_mult,
70 ec_GF2m_have_precompute_mult,
72 ec_GF2m_simple_field_mul,
73 ec_GF2m_simple_field_sqr,
74 ec_GF2m_simple_field_div,
75 0 /* field_encode */ ,
76 0 /* field_decode */ ,
77 0, /* field_set_to_one */
78 ec_key_simple_priv2oct,
79 ec_key_simple_oct2priv,
81 ec_key_simple_generate_key,
82 ec_key_simple_check_key,
83 ec_key_simple_generate_public_key,
86 ecdh_simple_compute_key,
87 0 /* blind_coordinates */
94 * Initialize a GF(2^m)-based EC_GROUP structure. Note that all other members
95 * are handled by EC_GROUP_new.
97 int ec_GF2m_simple_group_init(EC_GROUP *group)
99 group->field = BN_new();
103 if (group->field == NULL || group->a == NULL || group->b == NULL) {
104 BN_free(group->field);
113 * Free a GF(2^m)-based EC_GROUP structure. Note that all other members are
114 * handled by EC_GROUP_free.
116 void ec_GF2m_simple_group_finish(EC_GROUP *group)
118 BN_free(group->field);
124 * Clear and free a GF(2^m)-based EC_GROUP structure. Note that all other
125 * members are handled by EC_GROUP_clear_free.
127 void ec_GF2m_simple_group_clear_finish(EC_GROUP *group)
129 BN_clear_free(group->field);
130 BN_clear_free(group->a);
131 BN_clear_free(group->b);
141 * Copy a GF(2^m)-based EC_GROUP structure. Note that all other members are
142 * handled by EC_GROUP_copy.
144 int ec_GF2m_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
146 if (!BN_copy(dest->field, src->field))
148 if (!BN_copy(dest->a, src->a))
150 if (!BN_copy(dest->b, src->b))
152 dest->poly[0] = src->poly[0];
153 dest->poly[1] = src->poly[1];
154 dest->poly[2] = src->poly[2];
155 dest->poly[3] = src->poly[3];
156 dest->poly[4] = src->poly[4];
157 dest->poly[5] = src->poly[5];
158 if (bn_wexpand(dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) ==
161 if (bn_wexpand(dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) ==
164 bn_set_all_zero(dest->a);
165 bn_set_all_zero(dest->b);
169 /* Set the curve parameters of an EC_GROUP structure. */
170 int ec_GF2m_simple_group_set_curve(EC_GROUP *group,
171 const BIGNUM *p, const BIGNUM *a,
172 const BIGNUM *b, BN_CTX *ctx)
177 if (!BN_copy(group->field, p))
179 i = BN_GF2m_poly2arr(group->field, group->poly, 6) - 1;
180 if ((i != 5) && (i != 3)) {
181 ECerr(EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
186 if (!BN_GF2m_mod_arr(group->a, a, group->poly))
188 if (bn_wexpand(group->a, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2)
191 bn_set_all_zero(group->a);
194 if (!BN_GF2m_mod_arr(group->b, b, group->poly))
196 if (bn_wexpand(group->b, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2)
199 bn_set_all_zero(group->b);
207 * Get the curve parameters of an EC_GROUP structure. If p, a, or b are NULL
208 * then there values will not be set but the method will return with success.
210 int ec_GF2m_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p,
211 BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
216 if (!BN_copy(p, group->field))
221 if (!BN_copy(a, group->a))
226 if (!BN_copy(b, group->b))
237 * Gets the degree of the field. For a curve over GF(2^m) this is the value
240 int ec_GF2m_simple_group_get_degree(const EC_GROUP *group)
242 return BN_num_bits(group->field) - 1;
246 * Checks the discriminant of the curve. y^2 + x*y = x^3 + a*x^2 + b is an
247 * elliptic curve <=> b != 0 (mod p)
249 int ec_GF2m_simple_group_check_discriminant(const EC_GROUP *group,
254 BN_CTX *new_ctx = NULL;
257 ctx = new_ctx = BN_CTX_new();
259 ECerr(EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT,
260 ERR_R_MALLOC_FAILURE);
269 if (!BN_GF2m_mod_arr(b, group->b, group->poly))
273 * check the discriminant: y^2 + x*y = x^3 + a*x^2 + b is an elliptic
274 * curve <=> b != 0 (mod p)
284 BN_CTX_free(new_ctx);
288 /* Initializes an EC_POINT. */
289 int ec_GF2m_simple_point_init(EC_POINT *point)
295 if (point->X == NULL || point->Y == NULL || point->Z == NULL) {
304 /* Frees an EC_POINT. */
305 void ec_GF2m_simple_point_finish(EC_POINT *point)
312 /* Clears and frees an EC_POINT. */
313 void ec_GF2m_simple_point_clear_finish(EC_POINT *point)
315 BN_clear_free(point->X);
316 BN_clear_free(point->Y);
317 BN_clear_free(point->Z);
322 * Copy the contents of one EC_POINT into another. Assumes dest is
325 int ec_GF2m_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
327 if (!BN_copy(dest->X, src->X))
329 if (!BN_copy(dest->Y, src->Y))
331 if (!BN_copy(dest->Z, src->Z))
333 dest->Z_is_one = src->Z_is_one;
334 dest->curve_name = src->curve_name;
340 * Set an EC_POINT to the point at infinity. A point at infinity is
341 * represented by having Z=0.
343 int ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *group,
352 * Set the coordinates of an EC_POINT using affine coordinates. Note that
353 * the simple implementation only uses affine coordinates.
355 int ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *group,
358 const BIGNUM *y, BN_CTX *ctx)
361 if (x == NULL || y == NULL) {
362 ECerr(EC_F_EC_GF2M_SIMPLE_POINT_SET_AFFINE_COORDINATES,
363 ERR_R_PASSED_NULL_PARAMETER);
367 if (!BN_copy(point->X, x))
369 BN_set_negative(point->X, 0);
370 if (!BN_copy(point->Y, y))
372 BN_set_negative(point->Y, 0);
373 if (!BN_copy(point->Z, BN_value_one()))
375 BN_set_negative(point->Z, 0);
384 * Gets the affine coordinates of an EC_POINT. Note that the simple
385 * implementation only uses affine coordinates.
387 int ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *group,
388 const EC_POINT *point,
389 BIGNUM *x, BIGNUM *y,
394 if (EC_POINT_is_at_infinity(group, point)) {
395 ECerr(EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES,
396 EC_R_POINT_AT_INFINITY);
400 if (BN_cmp(point->Z, BN_value_one())) {
401 ECerr(EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES,
402 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
406 if (!BN_copy(x, point->X))
408 BN_set_negative(x, 0);
411 if (!BN_copy(y, point->Y))
413 BN_set_negative(y, 0);
422 * Computes a + b and stores the result in r. r could be a or b, a could be
423 * b. Uses algorithm A.10.2 of IEEE P1363.
425 int ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
426 const EC_POINT *b, BN_CTX *ctx)
428 BN_CTX *new_ctx = NULL;
429 BIGNUM *x0, *y0, *x1, *y1, *x2, *y2, *s, *t;
432 if (EC_POINT_is_at_infinity(group, a)) {
433 if (!EC_POINT_copy(r, b))
438 if (EC_POINT_is_at_infinity(group, b)) {
439 if (!EC_POINT_copy(r, a))
445 ctx = new_ctx = BN_CTX_new();
451 x0 = BN_CTX_get(ctx);
452 y0 = BN_CTX_get(ctx);
453 x1 = BN_CTX_get(ctx);
454 y1 = BN_CTX_get(ctx);
455 x2 = BN_CTX_get(ctx);
456 y2 = BN_CTX_get(ctx);
463 if (!BN_copy(x0, a->X))
465 if (!BN_copy(y0, a->Y))
468 if (!EC_POINT_get_affine_coordinates_GF2m(group, a, x0, y0, ctx))
472 if (!BN_copy(x1, b->X))
474 if (!BN_copy(y1, b->Y))
477 if (!EC_POINT_get_affine_coordinates_GF2m(group, b, x1, y1, ctx))
481 if (BN_GF2m_cmp(x0, x1)) {
482 if (!BN_GF2m_add(t, x0, x1))
484 if (!BN_GF2m_add(s, y0, y1))
486 if (!group->meth->field_div(group, s, s, t, ctx))
488 if (!group->meth->field_sqr(group, x2, s, ctx))
490 if (!BN_GF2m_add(x2, x2, group->a))
492 if (!BN_GF2m_add(x2, x2, s))
494 if (!BN_GF2m_add(x2, x2, t))
497 if (BN_GF2m_cmp(y0, y1) || BN_is_zero(x1)) {
498 if (!EC_POINT_set_to_infinity(group, r))
503 if (!group->meth->field_div(group, s, y1, x1, ctx))
505 if (!BN_GF2m_add(s, s, x1))
508 if (!group->meth->field_sqr(group, x2, s, ctx))
510 if (!BN_GF2m_add(x2, x2, s))
512 if (!BN_GF2m_add(x2, x2, group->a))
516 if (!BN_GF2m_add(y2, x1, x2))
518 if (!group->meth->field_mul(group, y2, y2, s, ctx))
520 if (!BN_GF2m_add(y2, y2, x2))
522 if (!BN_GF2m_add(y2, y2, y1))
525 if (!EC_POINT_set_affine_coordinates_GF2m(group, r, x2, y2, ctx))
532 BN_CTX_free(new_ctx);
537 * Computes 2 * a and stores the result in r. r could be a. Uses algorithm
538 * A.10.2 of IEEE P1363.
540 int ec_GF2m_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
543 return ec_GF2m_simple_add(group, r, a, a, ctx);
546 int ec_GF2m_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
548 if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(point->Y))
549 /* point is its own inverse */
552 if (!EC_POINT_make_affine(group, point, ctx))
554 return BN_GF2m_add(point->Y, point->X, point->Y);
557 /* Indicates whether the given point is the point at infinity. */
558 int ec_GF2m_simple_is_at_infinity(const EC_GROUP *group,
559 const EC_POINT *point)
561 return BN_is_zero(point->Z);
565 * Determines whether the given EC_POINT is an actual point on the curve defined
566 * in the EC_GROUP. A point is valid if it satisfies the Weierstrass equation:
567 * y^2 + x*y = x^3 + a*x^2 + b.
569 int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
573 BN_CTX *new_ctx = NULL;
575 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
576 const BIGNUM *, BN_CTX *);
577 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
579 if (EC_POINT_is_at_infinity(group, point))
582 field_mul = group->meth->field_mul;
583 field_sqr = group->meth->field_sqr;
585 /* only support affine coordinates */
586 if (!point->Z_is_one)
590 ctx = new_ctx = BN_CTX_new();
596 y2 = BN_CTX_get(ctx);
597 lh = BN_CTX_get(ctx);
602 * We have a curve defined by a Weierstrass equation
603 * y^2 + x*y = x^3 + a*x^2 + b.
604 * <=> x^3 + a*x^2 + x*y + b + y^2 = 0
605 * <=> ((x + a) * x + y ) * x + b + y^2 = 0
607 if (!BN_GF2m_add(lh, point->X, group->a))
609 if (!field_mul(group, lh, lh, point->X, ctx))
611 if (!BN_GF2m_add(lh, lh, point->Y))
613 if (!field_mul(group, lh, lh, point->X, ctx))
615 if (!BN_GF2m_add(lh, lh, group->b))
617 if (!field_sqr(group, y2, point->Y, ctx))
619 if (!BN_GF2m_add(lh, lh, y2))
621 ret = BN_is_zero(lh);
625 BN_CTX_free(new_ctx);
630 * Indicates whether two points are equal.
633 * 0 equal (in affine coordinates)
636 int ec_GF2m_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
637 const EC_POINT *b, BN_CTX *ctx)
639 BIGNUM *aX, *aY, *bX, *bY;
640 BN_CTX *new_ctx = NULL;
643 if (EC_POINT_is_at_infinity(group, a)) {
644 return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
647 if (EC_POINT_is_at_infinity(group, b))
650 if (a->Z_is_one && b->Z_is_one) {
651 return ((BN_cmp(a->X, b->X) == 0) && BN_cmp(a->Y, b->Y) == 0) ? 0 : 1;
655 ctx = new_ctx = BN_CTX_new();
661 aX = BN_CTX_get(ctx);
662 aY = BN_CTX_get(ctx);
663 bX = BN_CTX_get(ctx);
664 bY = BN_CTX_get(ctx);
668 if (!EC_POINT_get_affine_coordinates_GF2m(group, a, aX, aY, ctx))
670 if (!EC_POINT_get_affine_coordinates_GF2m(group, b, bX, bY, ctx))
672 ret = ((BN_cmp(aX, bX) == 0) && BN_cmp(aY, bY) == 0) ? 0 : 1;
677 BN_CTX_free(new_ctx);
681 /* Forces the given EC_POINT to internally use affine coordinates. */
682 int ec_GF2m_simple_make_affine(const EC_GROUP *group, EC_POINT *point,
685 BN_CTX *new_ctx = NULL;
689 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
693 ctx = new_ctx = BN_CTX_new();
704 if (!EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx))
706 if (!BN_copy(point->X, x))
708 if (!BN_copy(point->Y, y))
710 if (!BN_one(point->Z))
719 BN_CTX_free(new_ctx);
724 * Forces each of the EC_POINTs in the given array to use affine coordinates.
726 int ec_GF2m_simple_points_make_affine(const EC_GROUP *group, size_t num,
727 EC_POINT *points[], BN_CTX *ctx)
731 for (i = 0; i < num; i++) {
732 if (!group->meth->make_affine(group, points[i], ctx))
739 /* Wrapper to simple binary polynomial field multiplication implementation. */
740 int ec_GF2m_simple_field_mul(const EC_GROUP *group, BIGNUM *r,
741 const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
743 return BN_GF2m_mod_mul_arr(r, a, b, group->poly, ctx);
746 /* Wrapper to simple binary polynomial field squaring implementation. */
747 int ec_GF2m_simple_field_sqr(const EC_GROUP *group, BIGNUM *r,
748 const BIGNUM *a, BN_CTX *ctx)
750 return BN_GF2m_mod_sqr_arr(r, a, group->poly, ctx);
753 /* Wrapper to simple binary polynomial field division implementation. */
754 int ec_GF2m_simple_field_div(const EC_GROUP *group, BIGNUM *r,
755 const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
757 return BN_GF2m_mod_div(r, a, b, group->field, ctx);
projects / openssl.git / blob