1 /* crypto/ec/ec2_smpl.c */
2 /* ====================================================================
3 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
5 * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
6 * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
7 * to the OpenSSL project.
9 * The ECC Code is licensed pursuant to the OpenSSL open source
10 * license provided below.
12 * The software is originally written by Sheueling Chang Shantz and
13 * Douglas Stebila of Sun Microsystems Laboratories.
16 /* ====================================================================
17 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
19 * Redistribution and use in source and binary forms, with or without
20 * modification, are permitted provided that the following conditions
23 * 1. Redistributions of source code must retain the above copyright
24 * notice, this list of conditions and the following disclaimer.
26 * 2. Redistributions in binary form must reproduce the above copyright
27 * notice, this list of conditions and the following disclaimer in
28 * the documentation and/or other materials provided with the
31 * 3. All advertising materials mentioning features or use of this
32 * software must display the following acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
36 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
37 * endorse or promote products derived from this software without
38 * prior written permission. For written permission, please contact
39 * openssl-core@openssl.org.
41 * 5. Products derived from this software may not be called "OpenSSL"
42 * nor may "OpenSSL" appear in their names without prior written
43 * permission of the OpenSSL Project.
45 * 6. Redistributions of any form whatsoever must retain the following
47 * "This product includes software developed by the OpenSSL Project
48 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
50 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
51 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
52 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
53 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
54 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
55 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
56 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
57 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
58 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
59 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
60 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
61 * OF THE POSSIBILITY OF SUCH DAMAGE.
62 * ====================================================================
64 * This product includes cryptographic software written by Eric Young
65 * (eay@cryptsoft.com). This product includes software written by Tim
66 * Hudson (tjh@cryptsoft.com).
70 #include <openssl/err.h>
72 #include "internal/bn_int.h"
75 #ifndef OPENSSL_NO_EC2M
77 const EC_METHOD *EC_GF2m_simple_method(void)
79 static const EC_METHOD ret = {
81 NID_X9_62_characteristic_two_field,
82 ec_GF2m_simple_group_init,
83 ec_GF2m_simple_group_finish,
84 ec_GF2m_simple_group_clear_finish,
85 ec_GF2m_simple_group_copy,
86 ec_GF2m_simple_group_set_curve,
87 ec_GF2m_simple_group_get_curve,
88 ec_GF2m_simple_group_get_degree,
89 ec_GF2m_simple_group_check_discriminant,
90 ec_GF2m_simple_point_init,
91 ec_GF2m_simple_point_finish,
92 ec_GF2m_simple_point_clear_finish,
93 ec_GF2m_simple_point_copy,
94 ec_GF2m_simple_point_set_to_infinity,
95 0 /* set_Jprojective_coordinates_GFp */ ,
96 0 /* get_Jprojective_coordinates_GFp */ ,
97 ec_GF2m_simple_point_set_affine_coordinates,
98 ec_GF2m_simple_point_get_affine_coordinates,
102 ec_GF2m_simple_invert,
103 ec_GF2m_simple_is_at_infinity,
104 ec_GF2m_simple_is_on_curve,
106 ec_GF2m_simple_make_affine,
107 ec_GF2m_simple_points_make_affine,
110 * the following three method functions are defined in ec2_mult.c
113 ec_GF2m_precompute_mult,
114 ec_GF2m_have_precompute_mult,
116 ec_GF2m_simple_field_mul,
117 ec_GF2m_simple_field_sqr,
118 ec_GF2m_simple_field_div,
119 0 /* field_encode */ ,
120 0 /* field_decode */ ,
121 0 /* field_set_to_one */
128 * Initialize a GF(2^m)-based EC_GROUP structure. Note that all other members
129 * are handled by EC_GROUP_new.
131 int ec_GF2m_simple_group_init(EC_GROUP *group)
133 group->field = BN_new();
137 if (group->field == NULL || group->a == NULL || group->b == NULL) {
138 BN_free(group->field);
147 * Free a GF(2^m)-based EC_GROUP structure. Note that all other members are
148 * handled by EC_GROUP_free.
150 void ec_GF2m_simple_group_finish(EC_GROUP *group)
152 BN_free(group->field);
158 * Clear and free a GF(2^m)-based EC_GROUP structure. Note that all other
159 * members are handled by EC_GROUP_clear_free.
161 void ec_GF2m_simple_group_clear_finish(EC_GROUP *group)
163 BN_clear_free(group->field);
164 BN_clear_free(group->a);
165 BN_clear_free(group->b);
175 * Copy a GF(2^m)-based EC_GROUP structure. Note that all other members are
176 * handled by EC_GROUP_copy.
178 int ec_GF2m_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
180 if (!BN_copy(dest->field, src->field))
182 if (!BN_copy(dest->a, src->a))
184 if (!BN_copy(dest->b, src->b))
186 dest->poly[0] = src->poly[0];
187 dest->poly[1] = src->poly[1];
188 dest->poly[2] = src->poly[2];
189 dest->poly[3] = src->poly[3];
190 dest->poly[4] = src->poly[4];
191 dest->poly[5] = src->poly[5];
192 if (bn_wexpand(dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) ==
195 if (bn_wexpand(dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) ==
198 bn_set_all_zero(dest->a);
199 bn_set_all_zero(dest->b);
203 /* Set the curve parameters of an EC_GROUP structure. */
204 int ec_GF2m_simple_group_set_curve(EC_GROUP *group,
205 const BIGNUM *p, const BIGNUM *a,
206 const BIGNUM *b, BN_CTX *ctx)
211 if (!BN_copy(group->field, p))
213 i = BN_GF2m_poly2arr(group->field, group->poly, 6) - 1;
214 if ((i != 5) && (i != 3)) {
215 ECerr(EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
220 if (!BN_GF2m_mod_arr(group->a, a, group->poly))
222 if (bn_wexpand(group->a, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2)
225 bn_set_all_zero(group->a);
228 if (!BN_GF2m_mod_arr(group->b, b, group->poly))
230 if (bn_wexpand(group->b, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2)
233 bn_set_all_zero(group->b);
241 * Get the curve parameters of an EC_GROUP structure. If p, a, or b are NULL
242 * then there values will not be set but the method will return with success.
244 int ec_GF2m_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p,
245 BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
250 if (!BN_copy(p, group->field))
255 if (!BN_copy(a, group->a))
260 if (!BN_copy(b, group->b))
271 * Gets the degree of the field. For a curve over GF(2^m) this is the value
274 int ec_GF2m_simple_group_get_degree(const EC_GROUP *group)
276 return BN_num_bits(group->field) - 1;
280 * Checks the discriminant of the curve. y^2 + x*y = x^3 + a*x^2 + b is an
281 * elliptic curve <=> b != 0 (mod p)
283 int ec_GF2m_simple_group_check_discriminant(const EC_GROUP *group,
288 BN_CTX *new_ctx = NULL;
291 ctx = new_ctx = BN_CTX_new();
293 ECerr(EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT,
294 ERR_R_MALLOC_FAILURE);
303 if (!BN_GF2m_mod_arr(b, group->b, group->poly))
307 * check the discriminant: y^2 + x*y = x^3 + a*x^2 + b is an elliptic
308 * curve <=> b != 0 (mod p)
318 BN_CTX_free(new_ctx);
322 /* Initializes an EC_POINT. */
323 int ec_GF2m_simple_point_init(EC_POINT *point)
329 if (point->X == NULL || point->Y == NULL || point->Z == NULL) {
338 /* Frees an EC_POINT. */
339 void ec_GF2m_simple_point_finish(EC_POINT *point)
346 /* Clears and frees an EC_POINT. */
347 void ec_GF2m_simple_point_clear_finish(EC_POINT *point)
349 BN_clear_free(point->X);
350 BN_clear_free(point->Y);
351 BN_clear_free(point->Z);
356 * Copy the contents of one EC_POINT into another. Assumes dest is
359 int ec_GF2m_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
361 if (!BN_copy(dest->X, src->X))
363 if (!BN_copy(dest->Y, src->Y))
365 if (!BN_copy(dest->Z, src->Z))
367 dest->Z_is_one = src->Z_is_one;
373 * Set an EC_POINT to the point at infinity. A point at infinity is
374 * represented by having Z=0.
376 int ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *group,
385 * Set the coordinates of an EC_POINT using affine coordinates. Note that
386 * the simple implementation only uses affine coordinates.
388 int ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *group,
391 const BIGNUM *y, BN_CTX *ctx)
394 if (x == NULL || y == NULL) {
395 ECerr(EC_F_EC_GF2M_SIMPLE_POINT_SET_AFFINE_COORDINATES,
396 ERR_R_PASSED_NULL_PARAMETER);
400 if (!BN_copy(point->X, x))
402 BN_set_negative(point->X, 0);
403 if (!BN_copy(point->Y, y))
405 BN_set_negative(point->Y, 0);
406 if (!BN_copy(point->Z, BN_value_one()))
408 BN_set_negative(point->Z, 0);
417 * Gets the affine coordinates of an EC_POINT. Note that the simple
418 * implementation only uses affine coordinates.
420 int ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *group,
421 const EC_POINT *point,
422 BIGNUM *x, BIGNUM *y,
427 if (EC_POINT_is_at_infinity(group, point)) {
428 ECerr(EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES,
429 EC_R_POINT_AT_INFINITY);
433 if (BN_cmp(point->Z, BN_value_one())) {
434 ECerr(EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES,
435 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
439 if (!BN_copy(x, point->X))
441 BN_set_negative(x, 0);
444 if (!BN_copy(y, point->Y))
446 BN_set_negative(y, 0);
455 * Computes a + b and stores the result in r. r could be a or b, a could be
456 * b. Uses algorithm A.10.2 of IEEE P1363.
458 int ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
459 const EC_POINT *b, BN_CTX *ctx)
461 BN_CTX *new_ctx = NULL;
462 BIGNUM *x0, *y0, *x1, *y1, *x2, *y2, *s, *t;
465 if (EC_POINT_is_at_infinity(group, a)) {
466 if (!EC_POINT_copy(r, b))
471 if (EC_POINT_is_at_infinity(group, b)) {
472 if (!EC_POINT_copy(r, a))
478 ctx = new_ctx = BN_CTX_new();
484 x0 = BN_CTX_get(ctx);
485 y0 = BN_CTX_get(ctx);
486 x1 = BN_CTX_get(ctx);
487 y1 = BN_CTX_get(ctx);
488 x2 = BN_CTX_get(ctx);
489 y2 = BN_CTX_get(ctx);
496 if (!BN_copy(x0, a->X))
498 if (!BN_copy(y0, a->Y))
501 if (!EC_POINT_get_affine_coordinates_GF2m(group, a, x0, y0, ctx))
505 if (!BN_copy(x1, b->X))
507 if (!BN_copy(y1, b->Y))
510 if (!EC_POINT_get_affine_coordinates_GF2m(group, b, x1, y1, ctx))
514 if (BN_GF2m_cmp(x0, x1)) {
515 if (!BN_GF2m_add(t, x0, x1))
517 if (!BN_GF2m_add(s, y0, y1))
519 if (!group->meth->field_div(group, s, s, t, ctx))
521 if (!group->meth->field_sqr(group, x2, s, ctx))
523 if (!BN_GF2m_add(x2, x2, group->a))
525 if (!BN_GF2m_add(x2, x2, s))
527 if (!BN_GF2m_add(x2, x2, t))
530 if (BN_GF2m_cmp(y0, y1) || BN_is_zero(x1)) {
531 if (!EC_POINT_set_to_infinity(group, r))
536 if (!group->meth->field_div(group, s, y1, x1, ctx))
538 if (!BN_GF2m_add(s, s, x1))
541 if (!group->meth->field_sqr(group, x2, s, ctx))
543 if (!BN_GF2m_add(x2, x2, s))
545 if (!BN_GF2m_add(x2, x2, group->a))
549 if (!BN_GF2m_add(y2, x1, x2))
551 if (!group->meth->field_mul(group, y2, y2, s, ctx))
553 if (!BN_GF2m_add(y2, y2, x2))
555 if (!BN_GF2m_add(y2, y2, y1))
558 if (!EC_POINT_set_affine_coordinates_GF2m(group, r, x2, y2, ctx))
565 BN_CTX_free(new_ctx);
570 * Computes 2 * a and stores the result in r. r could be a. Uses algorithm
571 * A.10.2 of IEEE P1363.
573 int ec_GF2m_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
576 return ec_GF2m_simple_add(group, r, a, a, ctx);
579 int ec_GF2m_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
581 if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(point->Y))
582 /* point is its own inverse */
585 if (!EC_POINT_make_affine(group, point, ctx))
587 return BN_GF2m_add(point->Y, point->X, point->Y);
590 /* Indicates whether the given point is the point at infinity. */
591 int ec_GF2m_simple_is_at_infinity(const EC_GROUP *group,
592 const EC_POINT *point)
594 return BN_is_zero(point->Z);
598 * Determines whether the given EC_POINT is an actual point on the curve defined
599 * in the EC_GROUP. A point is valid if it satisfies the Weierstrass equation:
600 * y^2 + x*y = x^3 + a*x^2 + b.
602 int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
606 BN_CTX *new_ctx = NULL;
608 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
609 const BIGNUM *, BN_CTX *);
610 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
612 if (EC_POINT_is_at_infinity(group, point))
615 field_mul = group->meth->field_mul;
616 field_sqr = group->meth->field_sqr;
618 /* only support affine coordinates */
619 if (!point->Z_is_one)
623 ctx = new_ctx = BN_CTX_new();
629 y2 = BN_CTX_get(ctx);
630 lh = BN_CTX_get(ctx);
635 * We have a curve defined by a Weierstrass equation
636 * y^2 + x*y = x^3 + a*x^2 + b.
637 * <=> x^3 + a*x^2 + x*y + b + y^2 = 0
638 * <=> ((x + a) * x + y ) * x + b + y^2 = 0
640 if (!BN_GF2m_add(lh, point->X, group->a))
642 if (!field_mul(group, lh, lh, point->X, ctx))
644 if (!BN_GF2m_add(lh, lh, point->Y))
646 if (!field_mul(group, lh, lh, point->X, ctx))
648 if (!BN_GF2m_add(lh, lh, group->b))
650 if (!field_sqr(group, y2, point->Y, ctx))
652 if (!BN_GF2m_add(lh, lh, y2))
654 ret = BN_is_zero(lh);
658 BN_CTX_free(new_ctx);
663 * Indicates whether two points are equal.
666 * 0 equal (in affine coordinates)
669 int ec_GF2m_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
670 const EC_POINT *b, BN_CTX *ctx)
672 BIGNUM *aX, *aY, *bX, *bY;
673 BN_CTX *new_ctx = NULL;
676 if (EC_POINT_is_at_infinity(group, a)) {
677 return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
680 if (EC_POINT_is_at_infinity(group, b))
683 if (a->Z_is_one && b->Z_is_one) {
684 return ((BN_cmp(a->X, b->X) == 0) && BN_cmp(a->Y, b->Y) == 0) ? 0 : 1;
688 ctx = new_ctx = BN_CTX_new();
694 aX = BN_CTX_get(ctx);
695 aY = BN_CTX_get(ctx);
696 bX = BN_CTX_get(ctx);
697 bY = BN_CTX_get(ctx);
701 if (!EC_POINT_get_affine_coordinates_GF2m(group, a, aX, aY, ctx))
703 if (!EC_POINT_get_affine_coordinates_GF2m(group, b, bX, bY, ctx))
705 ret = ((BN_cmp(aX, bX) == 0) && BN_cmp(aY, bY) == 0) ? 0 : 1;
710 BN_CTX_free(new_ctx);
714 /* Forces the given EC_POINT to internally use affine coordinates. */
715 int ec_GF2m_simple_make_affine(const EC_GROUP *group, EC_POINT *point,
718 BN_CTX *new_ctx = NULL;
722 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
726 ctx = new_ctx = BN_CTX_new();
737 if (!EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx))
739 if (!BN_copy(point->X, x))
741 if (!BN_copy(point->Y, y))
743 if (!BN_one(point->Z))
752 BN_CTX_free(new_ctx);
757 * Forces each of the EC_POINTs in the given array to use affine coordinates.
759 int ec_GF2m_simple_points_make_affine(const EC_GROUP *group, size_t num,
760 EC_POINT *points[], BN_CTX *ctx)
764 for (i = 0; i < num; i++) {
765 if (!group->meth->make_affine(group, points[i], ctx))
772 /* Wrapper to simple binary polynomial field multiplication implementation. */
773 int ec_GF2m_simple_field_mul(const EC_GROUP *group, BIGNUM *r,
774 const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
776 return BN_GF2m_mod_mul_arr(r, a, b, group->poly, ctx);
779 /* Wrapper to simple binary polynomial field squaring implementation. */
780 int ec_GF2m_simple_field_sqr(const EC_GROUP *group, BIGNUM *r,
781 const BIGNUM *a, BN_CTX *ctx)
783 return BN_GF2m_mod_sqr_arr(r, a, group->poly, ctx);
786 /* Wrapper to simple binary polynomial field division implementation. */
787 int ec_GF2m_simple_field_div(const EC_GROUP *group, BIGNUM *r,
788 const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
790 return BN_GF2m_mod_div(r, a, b, group->field, ctx);
projects / openssl.git / blob