1 /* crypto/ec/ec_mult.c */
2 /* ====================================================================
3 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
31 * 6. Redistributions of any form whatsoever must retain the following
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
56 #include <openssl/err.h>
61 /* TODO: width-m NAFs */
63 /* TODO: optional Lim-Lee precomputation for the generator */
66 /* this is just BN_window_bits_for_exponent_size from bn_lcl.h for now;
67 * the table should be updated for EC */ /* TODO */
68 #define EC_window_bits_for_scalar_size(b) \
75 * \sum scalars[i]*points[i]
78 * is included in the addition if scalar != NULL
80 int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
81 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
83 BN_CTX *new_ctx = NULL;
84 EC_POINT *generator = NULL;
89 int r_is_at_infinity = 1;
91 size_t *wsize = NULL; /* individual window sizes */
92 unsigned long *wbits = NULL; /* individual window contents */
93 int *wpos = NULL; /* position of bottom bit of current individual windows
94 * (wpos[i] is valid if wbits[i] != 0) */
96 EC_POINT **val = NULL; /* precomputation */
98 EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' */
103 generator = EC_GROUP_get0_generator(group);
104 if (generator == NULL)
106 ECerr(EC_F_EC_POINTS_MUL, EC_R_UNDEFINED_GENERATOR);
111 for (i = 0; i < num; i++)
113 if (group->meth != points[i]->meth)
115 ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
120 totalnum = num + (scalar != NULL);
122 wsize = OPENSSL_malloc(totalnum * sizeof wsize[0]);
123 wbits = OPENSSL_malloc(totalnum * sizeof wbits[0]);
124 wpos = OPENSSL_malloc(totalnum * sizeof wpos[0]);
125 if (wsize == NULL || wbits == NULL || wpos == NULL) goto err;
127 /* num_val := total number of points to precompute */
129 for (i = 0; i < totalnum; i++)
133 bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(scalar);
134 wsize[i] = EC_window_bits_for_scalar_size(bits);
135 num_val += 1 << (wsize[i] - 1);
142 /* all precomputed points go into a single array 'val',
143 * 'val_sub[i]' is a pointer to the subarray for the i-th point */
144 val = OPENSSL_malloc((num_val + 1) * sizeof val[0]);
145 if (val == NULL) goto err;
146 val[num_val] = NULL; /* pivot element */
148 val_sub = OPENSSL_malloc(totalnum * sizeof val_sub[0]);
149 if (val_sub == NULL) goto err;
151 /* allocate points for precomputation */
153 for (i = 0; i < totalnum; i++)
156 for (j = 0; j < (1 << (wsize[i] - 1)); j++)
158 *v = EC_POINT_new(group);
159 if (*v == NULL) goto err;
163 if (!(v == val + num_val))
165 ECerr(EC_F_EC_POINTS_MUL, ERR_R_INTERNAL_ERROR);
171 ctx = new_ctx = BN_CTX_new();
176 tmp = EC_POINT_new(group);
177 if (tmp == NULL) goto err;
179 /* prepare precomputed values:
180 * val_sub[i][0] := points[i]
181 * val_sub[i][1] := 3 * points[i]
182 * val_sub[i][2] := 5 * points[i]
185 for (i = 0; i < totalnum; i++)
189 if (!EC_POINT_copy(val_sub[i][0], points[i])) goto err;
192 if (!EC_POINT_invert(group, val_sub[i][0], ctx)) goto err;
197 if (!EC_POINT_copy(val_sub[i][0], generator)) goto err;
200 if (!EC_POINT_invert(group, val_sub[i][0], ctx)) goto err;
206 if (!EC_POINT_dbl(group, tmp, val_sub[i][0], ctx)) goto err;
207 for (j = 1; j < (1 << (wsize[i] - 1)); j++)
209 if (!EC_POINT_add(group, val_sub[i][j], val_sub[i][j - 1], tmp, ctx)) goto err;
214 #if 1 /* optional, maybe we should only do this if total_num > 1 */
215 if (!EC_POINTs_make_affine(group, num_val, val, ctx)) goto err;
218 r_is_at_infinity = 1;
220 for (k = max_bits - 1; k >= 0; k--)
222 if (!r_is_at_infinity)
224 if (!EC_POINT_dbl(group, r, r, ctx)) goto err;
227 for (i = 0; i < totalnum; i++)
233 s = i < num ? scalars[i] : scalar;
235 if (BN_is_bit_set(s, k))
237 /* look at bits k - wsize[i] + 1 .. k for this window */
238 t = k - wsize[i] + 1;
239 while (!BN_is_bit_set(s, t)) /* BN_is_bit_set is false for t < 0 */
243 for (t = k - 1; t >= wpos[i]; t--)
246 if (BN_is_bit_set(s, t))
249 /* now wbits[i] is the odd bit pattern at bits wpos[i] .. k */
253 if ((wbits[i] != 0) && (wpos[i] == k))
255 if (r_is_at_infinity)
257 if (!EC_POINT_copy(r, val_sub[i][wbits[i] >> 1])) goto err;
258 r_is_at_infinity = 0;
262 if (!EC_POINT_add(group, r, r, val_sub[i][wbits[i] >> 1], ctx)) goto err;
269 if (r_is_at_infinity)
270 if (!EC_POINT_set_to_infinity(group, r)) goto err;
276 BN_CTX_free(new_ctx);
287 for (v = val; *v != NULL; v++)
288 EC_POINT_clear_free(*v);
294 OPENSSL_free(val_sub);
300 int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx)
302 const EC_POINT *points[1];
303 const BIGNUM *scalars[1];
306 scalars[0] = p_scalar;
308 return EC_POINTs_mul(group, r, g_scalar, (point != NULL && p_scalar != NULL), points, scalars, ctx);
312 int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
314 const EC_POINT *generator;
315 BN_CTX *new_ctx = NULL;
319 generator = EC_GROUP_get0_generator(group);
320 if (generator == NULL)
322 ECerr(EC_F_EC_GROUP_PRECOMPUTE_MULT, EC_R_UNDEFINED_GENERATOR);
328 ctx = new_ctx = BN_CTX_new();
334 order = BN_CTX_get(ctx);
335 if (order == NULL) goto err;
337 if (!EC_GROUP_get_order(group, order, ctx)) return 0;
338 if (BN_is_zero(order))
340 ECerr(EC_F_EC_GROUP_PRECOMPUTE_MULT, EC_R_UNKNOWN_ORDER);
351 BN_CTX_free(new_ctx);
projects / openssl.git / blob