5 * Elliptic Curve Arithmetic Functions
7 * Copyright (C) Lenka Fibikova 2000
17 #include <openssl/bn.h>
19 #include "../bn/bn_modfs.h" /* XXX */
20 #include "../bn/bn_mont2.h" /* XXX */
28 ret=(EC_POINT *)malloc(sizeof(EC_POINT));
29 if (ret == NULL) return NULL;
35 if (ret->X == NULL || ret->Y == NULL || ret->Z == NULL)
37 if (ret->X != NULL) BN_free(ret->X);
38 if (ret->Y != NULL) BN_free(ret->Y);
39 if (ret->Z != NULL) BN_free(ret->Z);
47 void ECP_clear_free(EC_POINT *P)
49 if (P == NULL) return;
52 if (P->X != NULL) BN_clear_free(P->X);
53 if (P->Y != NULL) BN_clear_free(P->Y);
54 if (P->Z != NULL) BN_clear_free(P->Z);
59 void ECP_clear_free_precompute(ECP_PRECOMPUTE *prec)
64 if (prec == NULL) return;
68 max <<= (prec->r - 1);
70 for (i = 0; i < max; i++)
72 if (prec->Pi[i] != NULL) ECP_clear_free(prec->Pi[i]);
79 int ECP_is_on_ec(EC_POINT *P, EC *E, BN_CTX *ctx)
81 BIGNUM *n0, *n1, *n2, *p;
86 assert(P->X != NULL && P->Y != NULL && P->Z != NULL);
89 assert(E->A != NULL && E->B != NULL && E->p != NULL);
93 assert(!P->is_in_mont);
95 if (ECP_is_infty(P)) return 1;
100 n2 = BN_CTX_get(ctx);
106 Pnorm = (ECP_is_norm(P));
110 if (!BN_mod_mul(n0, P->Z, P->Z, p, ctx)) goto err;
111 if (!BN_mod_mul(n1, n0, n0, p, ctx)) goto err;
112 if (!BN_mod_mul(n2, n0, n1, p, ctx)) goto err;
115 if (!BN_mod_mul(n0, P->X, P->X, p, ctx)) goto err;
116 if (!BN_mod_mul(n0, n0, P->X, p, ctx)) goto err;
120 if (!BN_mod_mul(n1, P->X, E->A, p, ctx)) goto err;
124 if (!BN_mod_mul(n1, n1, P->X, p, ctx)) goto err;
125 if (!BN_mod_mul(n1, n1, E->A, p, ctx)) goto err;
127 if (!BN_mod_add(n0, n0, n1, p, ctx)) goto err;
131 if (!BN_mod_add(n0, n0, E->B, p, ctx)) goto err;
135 if (!BN_mod_mul(n2, n2, E->B, p, ctx)) goto err;
136 if (!BN_mod_add(n0, n0, n2, p, ctx)) goto err;
139 if (!BN_mod_mul(n1, P->Y, P->Y, p, ctx)) goto err;
152 EC_POINT *ECP_generate(BIGNUM *x, BIGNUM *z,EC *E, BN_CTX *ctx)
153 /* x == NULL || z = 0 -> point of infinity */
154 /* z == NULL || z = 1 -> normalized */
157 EC_POINT *ret = NULL;
158 int Pnorm, Pinfty, X0, A0;
161 assert(E->A != NULL && E->B != NULL && E->p != NULL && E->h != NULL);
165 Pinfty = (x == NULL);
169 Pnorm = BN_is_one(z);
170 Pinfty = (Pinfty || BN_is_zero(z));
175 if ((ret = ECP_new()) == NULL) return NULL;
176 if (!BN_zero(ret->Z))
185 A0 = BN_is_zero(E->A);
187 if ((ret = ECP_new()) == NULL) return NULL;
192 n0 = BN_CTX_get(ctx);
193 n1 = BN_CTX_get(ctx);
194 if (n1 == NULL) goto err;
196 if (!BN_zero(n0)) goto err;
197 if (!BN_zero(n1)) goto err;
201 if (!BN_mod_sqr(n0, x, E->p, ctx)) goto err;
202 if (!BN_mod_mul(n0, n0, x, E->p, ctx)) goto err; /* x^3 */
207 if (!BN_mod_mul(n1, E->A, x, E->p, ctx)) goto err; /* Ax */
208 if (!BN_mod_add(n0, n0, n1, E->p, ctx)) goto err; /* x^3 + Ax */
211 if (!BN_is_zero(E->B))
212 if (!BN_mod_add(n0, n0, E->B, E->p, ctx)) goto err; /* x^3 + Ax +B */
214 if (!BN_mod_sqrt(ret->Y, n0, E->p, ctx)) goto err;
215 if (BN_copy(ret->X, x) == NULL) goto err;
219 if (!BN_one(ret->Z)) goto err;
223 if (BN_copy(ret->Z, z) == NULL) goto err;
224 if (!BN_mod_sqr(n0, z, E->p, ctx)) goto err;
225 if (!BN_mod_mul(ret->X, ret->X, n0, E->p, ctx)) goto err;
226 if (!BN_mod_mul(n0, n0, z, E->p, ctx)) goto err;
227 if (!BN_mod_mul(ret->Y, ret->Y, n0, E->p, ctx)) goto err;
231 if (!ECP_is_on_ec(ret, E, ctx)) goto err;
238 if (ret != NULL) ECP_clear_free(ret);
244 int ECP_ecp2bin(EC_POINT *P, unsigned char *to, int form)
245 /* form = 1 ... compressed
252 assert (P->X != NULL && P->Y != NULL && P->Z != NULL);
253 assert (!P->is_in_mont);
254 assert (ECP_is_norm(P) || ECP_is_infty(P));
256 assert (form > 0 && form < 4);
258 if (BN_is_zero(P->Z))
264 bx = BN_num_bytes(P->X);
265 if (form == 1 ) bytes = bx + 1;
268 by = BN_num_bytes(P->Y);
269 bytes = (bx > by ? bx : by);
270 bytes = bytes * 2 + 1;
272 memset(to, 0, bytes);
276 case 1: to[0] = 2; break;
277 case 2: to[0] = 4; break;
278 case 3: to[0] = 6; break;
280 if (form != 2) to[0] += BN_is_bit_set(P->Y, 0);
283 if ((BN_bn2bin(P->X, to + 1)) != bx) return 0;
286 if ((BN_bn2bin(P->Y, to + bx + 1)) != by) return 0;
293 int ECP_bin2ecp(unsigned char *from, int len, EC_POINT *P, EC *E, BN_CTX *ctx)
300 assert (E->A != NULL && E->B != NULL && E->p != NULL);
301 assert (!E->is_in_mont);
303 assert (ctx != NULL);
304 assert (from != NULL);
306 assert (P->X != NULL && P->Y != NULL && P->Z != NULL);
308 if (len == 1 && from[0] != 0) return 0;
310 if (len == 0 || len == 1)
312 if (!BN_zero(P->Z)) return 0;
321 if ((x = BN_new()) == NULL) return 0;
322 if (BN_bin2bn(from + 1, len - 1, x) == NULL) return 0;
324 pp = ECP_generate(x, NULL, E, ctx);
326 if (pp == NULL) return 0;
331 if (BN_is_bit_set(P->Y, 0) != y)
332 if (!BN_sub(P->Y, E->p, P->Y)) return 0;
339 if (BN_bin2bn(from + 1, y, P->X) == NULL) return 0;
340 if (BN_bin2bn(from + y + 1, y, P->Y) == NULL) return 0;
341 if (!BN_set_word(P->Z, 1)) return 0;
349 if (!ECP_is_on_ec(P, E, ctx)) return 0;
354 int ECP_normalize(EC_POINT *P, EC *E, BN_CTX *ctx)
359 assert (P->X != NULL && P->Y != NULL && P->Z != NULL);
362 assert (E->A != NULL && E->B != NULL && E->p != NULL);
364 assert (ctx != NULL);
366 if (ECP_is_norm(P)) return 1;
367 if (ECP_is_infty(P)) return 0;
369 if ((zm = BN_mod_inverse(P->Z, P->Z, E->p, ctx)) == NULL) return 0;
371 assert(!P->is_in_mont);
376 if (z == NULL) goto err;
378 if (!BN_mod_mul(z, zm, zm, E->p, ctx)) goto err;
379 if (!BN_mod_mul(P->X, P->X, z, E->p, ctx)) goto err;
381 if (!BN_mod_mul(z, z, zm, E->p, ctx)) goto err;
382 if (!BN_mod_mul(P->Y, P->Y, z, E->p, ctx)) goto err;
384 if (!BN_one(P->Z)) goto err;
386 if (zm != NULL) BN_clear_free(zm);
392 if (zm != NULL) BN_clear_free(zm);
398 int ECP_copy(EC_POINT *R, EC_POINT *P)
401 assert(P->X != NULL && P->Y != NULL && P->Z != NULL);
404 assert(R->X != NULL && R->Y != NULL && R->Z != NULL);
406 if (BN_copy(R->X, P->X) == NULL) return 0;
407 if (BN_copy(R->Y, P->Y) == NULL) return 0;
408 if (BN_copy(R->Z, P->Z) == NULL) return 0;
409 R->is_in_mont = P->is_in_mont;
415 EC_POINT *ECP_dup(EC_POINT *P)
420 if (ret == NULL) return NULL;
422 if (!ECP_copy(ret, P))
432 EC_POINT *ECP_minus(EC_POINT *P, BIGNUM *p) /* mont || non-mont */
437 assert(P->X != NULL && P->Y != NULL && P->Z != NULL);
441 assert(BN_cmp(P->Y, p) < 0);
444 if (ret == NULL) return NULL;
446 if (BN_is_zero(ret->Y)) return ret;
448 if (!BN_sub(ret->Y, p, ret->Y))
459 int ECP_cmp(EC_POINT *P, EC_POINT *Q, BIGNUM *p, BN_CTX *ctx)
467 BIGNUM *n0, *n1, *n2, *n3, *n4;
471 assert(P->X != NULL && P->Y != NULL && P->Z != NULL);
474 assert(Q->X != NULL && Q->Y != NULL && Q->Z != NULL);
479 assert(!P->is_in_mont);
480 assert(!Q->is_in_mont);
482 if (ECP_is_infty(P) && ECP_is_infty(Q)) return 0;
483 if (ECP_is_infty(P) || ECP_is_infty(Q)) return 1;
486 Pnorm = (ECP_is_norm(P));
487 Qnorm = (ECP_is_norm(Q));
490 n0 = BN_CTX_get(ctx);
491 n1 = BN_CTX_get(ctx);
492 n2 = BN_CTX_get(ctx);
493 n3 = BN_CTX_get(ctx);
494 n4 = BN_CTX_get(ctx);
495 if (n4 == NULL) goto err;
499 if (BN_copy(n1, P->X) == NULL) goto err; /* L1 = x_p */
500 if (BN_copy(n2, P->Y) == NULL) goto err; /* L2 = y_p */
504 if (!BN_sqr(n0, Q->Z, ctx)) goto err;
505 if (!BN_mod_mul(n1, P->X, n0, p, ctx)) goto err; /* L1 = x_p * z_q^2 */
507 if (!BN_mod_mul(n0, n0, Q->Z, p, ctx)) goto err;
508 if (!BN_mod_mul(n2, P->Y, n0, p, ctx)) goto err; /* L2 = y_p * z_q^3 */
513 if (BN_copy(n3, Q->X) == NULL) goto err; /* L3 = x_q */
514 if (BN_copy(n4, Q->Y) == NULL) goto err; /* L4 = y_q */
518 if (!BN_sqr(n0, P->Z, ctx)) goto err;
519 if (!BN_mod_mul(n3, Q->X, n0, p, ctx)) goto err; /* L3 = x_q * z_p^2 */
521 if (!BN_mod_mul(n0, n0, P->Z, p, ctx)) goto err;
522 if (!BN_mod_mul(n4, Q->Y, n0, p, ctx)) goto err; /* L4 = y_q * z_p^3 */
525 if (!BN_mod_sub(n0, n1, n3, p, ctx)) goto err; /* L5 = L1 - L3 */
533 if (!BN_mod_sub(n0, n2, n4, p, ctx)) goto err; /* L6 = L2 - L4 */
550 int ECP_double(EC_POINT *R, EC_POINT *P, EC *E, BN_CTX *ctx)
553 BIGNUM *n0, *n1, *n2, *n3, *p;
557 assert(P->X != NULL && P->Y != NULL && P->Z != NULL);
560 assert(R->X != NULL && R->Y != NULL && R->Z != NULL);
563 assert(E->A != NULL && E->B != NULL && E->p != NULL && E->h != NULL);
567 assert(!P->is_in_mont);
571 if (!BN_zero(R->Z)) return 0;
575 Pnorm = (ECP_is_norm(P));
576 A0 = (BN_is_zero(E->A));
579 n0 = BN_CTX_get(ctx);
580 n1 = BN_CTX_get(ctx);
581 n2 = BN_CTX_get(ctx);
582 n3 = BN_CTX_get(ctx);
583 if (n3 == NULL) goto err;
590 if (!BN_mod_sqr(n1, P->X, p, ctx)) goto err;
591 if (!BN_mul_word(n1, 3)) goto err;
592 if (!A0) /* if A = 0: L1 = 3 * x^2 + a * z^4 = 3 * x ^2 */
593 if (!BN_mod_add(n1, n1, E->A, p, ctx)) goto err; /* L1 = 3 * x^2 + a * z^4 = 3 * x^2 + a */
597 if (!BN_mod_sqr(n0, P->Z, p, ctx)) goto err;
598 if (!BN_mod_mul(n0, n0, n0, p, ctx)) goto err;
599 if (!BN_mod_mul(n0, n0, E->A, p, ctx)) goto err;
600 if (!BN_mod_sqr(n1, P->X, p, ctx)) goto err;
601 if (!BN_mul_word(n1, 3)) goto err;
602 if (!BN_mod_add(n1, n1, n0, p, ctx)) goto err; /* L1 = 3 * x^2 + a * z^4 */
608 if (BN_copy(n0, P->Y) == NULL) goto err;
612 if (!BN_mod_mul(n0, P->Y, P->Z, p, ctx)) goto err;
614 if (!BN_lshift1(n0, n0)) goto err;
615 if (!BN_smod(R->Z, n0, p, ctx)) goto err; /* Z = 2 * y * z */
618 if (!BN_mod_sqr(n3, P->Y, p, ctx)) goto err;
619 if (!BN_mod_mul(n2, P->X, n3, p, ctx)) goto err;
620 if (!BN_lshift(n2, n2, 2)) goto err;
621 if (!BN_smod(n2, n2, p, ctx)) goto err; /* L2 = 4 * x * y^2 */
624 if (!BN_lshift1(n0, n2)) goto err;
625 if (!BN_mod_sqr(R->X, n1, p, ctx)) goto err;
626 if (!BN_mod_sub(R->X, R->X, n0, p, ctx)) goto err; /* X = L1^2 - 2 * L2 */
629 if (!BN_mod_sqr(n0, n3, p, ctx)) goto err;
630 if (!BN_lshift(n3, n0, 3)) goto err;
631 if (!BN_smod(n3, n3, p, ctx)) goto err; /* L3 = 8 * y^4 */
634 if (!BN_mod_sub(n0, n2, R->X, p, ctx)) goto err;
635 if (!BN_mod_mul(n0, n1, n0, p, ctx)) goto err;
636 if (!BN_mod_sub(R->Y, n0, n3, p, ctx)) goto err; /* Y = L1 * (L2 - X) - L3 */
640 if (!ECP_is_on_ec(R, E, ctx)) return 0;
652 int ECP_add(EC_POINT *R, EC_POINT *P, EC_POINT *Q, EC *E, BN_CTX *ctx)
653 /* R <- P + Q (on E) */
655 BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6, *p;
659 assert(P->X != NULL && P->Y != NULL && P->Z != NULL);
662 assert(Q->X != NULL && Q->Y != NULL && Q->Z != NULL);
665 assert(R->X != NULL && R->Y != NULL && R->Z != NULL);
668 assert(E->A != NULL && E->B != NULL && E->p != NULL && E->h != NULL);
669 assert(!BN_is_zero(E->h));;
673 assert(!P->is_in_mont);
674 assert(!Q->is_in_mont);
676 if (P == Q) return ECP_double(R, P, E, ctx);
678 if (ECP_is_infty(P)) return ECP_copy(R, Q);
679 if (ECP_is_infty(Q)) return ECP_copy(R, P);
681 Pnorm = (ECP_is_norm(P));
682 Qnorm = (ECP_is_norm(Q));
685 n0 = BN_CTX_get(ctx);
686 n1 = BN_CTX_get(ctx);
687 n2 = BN_CTX_get(ctx);
688 n3 = BN_CTX_get(ctx);
689 n4 = BN_CTX_get(ctx);
690 n5 = BN_CTX_get(ctx);
691 n6 = BN_CTX_get(ctx);
692 if (n6 == NULL) goto err;
699 if (BN_copy(n1, P->X) == NULL) goto err; /* L1 = x_p */
700 if (BN_copy(n2, P->Y) == NULL) goto err; /* L2 = y_p */
704 if (!BN_sqr(n0, Q->Z, ctx)) goto err;
705 if (!BN_mod_mul(n1, P->X, n0, p, ctx)) goto err; /* L1 = x_p * z_q^2 */
707 if (!BN_mod_mul(n0, n0, Q->Z, p, ctx)) goto err;
708 if (!BN_mod_mul(n2, P->Y, n0, p, ctx)) goto err; /* L2 = y_p * z_q^3 */
714 if (BN_copy(n3, Q->X) == NULL) goto err; /* L3 = x_q */
715 if (BN_copy(n4, Q->Y) == NULL) goto err; /* L4 = y_q */
719 if (!BN_sqr(n0, P->Z, ctx)) goto err;
720 if (!BN_mod_mul(n3, Q->X, n0, p, ctx)) goto err; /* L3 = x_q * z_p^2 */
722 if (!BN_mod_mul(n0, n0, P->Z, p, ctx)) goto err;
723 if (!BN_mod_mul(n4, Q->Y, n0, p, ctx)) goto err; /* L4 = y_q * z_p^3 */
727 if (!BN_mod_sub(n5, n1, n3, p, ctx)) goto err; /* L5 = L1 - L3 */
728 if (!BN_mod_sub(n6, n2, n4, p, ctx)) goto err; /* L6 = L2 - L4 */
733 if (BN_is_zero(n6)) /* P = Q => P + Q = 2P */
736 return ECP_double(R, P, E, ctx);
738 else /* P = -Q => P + Q = \infty */
741 if (!BN_zero(R->Z)) return 0;
747 if (!BN_mod_add(n1, n1, n3, p, ctx)) goto err; /* L7 = L1 + L3 */
748 if (!BN_mod_add(n2, n2, n4, p, ctx)) goto err; /* L8 = L2 + L4 */
753 if (BN_copy(n0, Q->Z) == NULL) goto err;
757 if (!BN_mod_mul(n0, P->Z, Q->Z, p, ctx)) goto err;
759 if (!BN_mod_mul(R->Z, n0, n5, p, ctx)) goto err; /* Z = z_p * z_q * L_5 */
762 if (!BN_mod_sqr(n0, n6, p, ctx)) goto err;
763 if (!BN_mod_sqr(n4, n5, p, ctx)) goto err;
764 if (!BN_mod_mul(n3, n1, n4, p, ctx)) goto err;
765 if (!BN_mod_sub(R->X, n0, n3, p, ctx)) goto err; /* X = L6^2 - L5^2 * L7 */
768 if (!BN_lshift1(n0, R->X)) goto err;
769 if (!BN_mod_sub(n0, n3, n0, p, ctx)) goto err; /* L9 = L5^2 * L7 - 2X */
772 if (!BN_mod_mul(n0, n0, n6, p, ctx)) goto err;
773 if (!BN_mod_mul(n5, n4, n5, p, ctx)) goto err;
774 if (!BN_mod_mul(n1, n2, n5, p, ctx)) goto err;
775 if (!BN_mod_sub(n0, n0, n1, p, ctx)) goto err;
776 if (!BN_mod_mul(R->Y, n0, E->h, p, ctx)) goto err; /* Y = (L6 * L9 - L8 * L5^3) / 2 */
781 if (!ECP_is_on_ec(R, E, ctx)) return 0;
793 ECP_PRECOMPUTE *ECP_precompute(int r, EC_POINT *P, EC *E, BN_CTX *ctx)
800 assert(!P->is_in_mont);
801 assert(!E->is_in_mont);
803 ret=(ECP_PRECOMPUTE *)malloc(sizeof(ECP_PRECOMPUTE));
804 if (ret == NULL) return NULL;
811 ret->Pi=(EC_POINT **)malloc(sizeof(EC_POINT *) * max);
812 if (ret->Pi == NULL) goto err;
816 if ((P2 = ECP_new()) == NULL) goto err;
817 if (!ECP_double(P2, P, E, ctx)) goto err;
820 if((ret->Pi[0] = ECP_dup(P)) == NULL) goto err;
823 /* P_i = P_(i-1) + P2 */
824 for (i = 1; i < max; i++)
826 if ((ret->Pi[i] = ECP_new()) == NULL) goto err;
828 if (!ECP_add(ret->Pi[i], P2, ret->Pi[i - 1], E, ctx)) goto err;
838 ECP_clear_free_precompute(ret);
843 int ECP_multiply(EC_POINT *R, BIGNUM *k, ECP_PRECOMPUTE *prec, EC *E, BN_CTX *ctx)
850 assert(R->X != NULL && R->Y != NULL && R->Z != NULL);
853 assert(E->A != NULL && E->B != NULL && E->p != NULL && E->h != NULL);
859 assert(prec != NULL);
861 assert(!E->is_in_mont);
865 if (!BN_zero(R->Z)) return 0;
876 if (!BN_zero(R->Z)) return 0;
881 if (!BN_is_bit_set(k, j))
883 if (!ECP_double(R, R, E, ctx)) return 0;
889 if (nextw < -1) nextw = -1;
891 while(!BN_is_bit_set(k, t))
894 if (!ECP_double(R, R, E, ctx)) return 0;
904 if (BN_is_bit_set(k, j)) h++;
905 if (!ECP_double(R, R, E, ctx)) return 0;
907 if (!ECP_double(R, R, E, ctx)) return 0;
911 if (!ECP_add(R, R, prec->Pi[h], E, ctx)) return 0;
913 for (; j > nextw; j--)
915 if (!ECP_double(R, R, E, ctx)) return 0;
929 int ECP_to_montgomery(EC_POINT *P, BN_MONTGOMERY *mont, BN_CTX *ctx)
932 assert(P->X != NULL && P->Y != NULL && P->Z != NULL);
934 assert(mont != NULL);
935 assert(mont->p != NULL);
939 if (P->is_in_mont) return 1;
941 if (!BN_lshift(P->X, P->X, mont->R_num_bits)) return 0;
942 if (!BN_mod(P->X, P->X, mont->p, ctx)) return 0;
944 if (!BN_lshift(P->Y, P->Y, mont->R_num_bits)) return 0;
945 if (!BN_mod(P->Y, P->Y, mont->p, ctx)) return 0;
947 if (!BN_lshift(P->Z, P->Z, mont->R_num_bits)) return 0;
948 if (!BN_mod(P->Z, P->Z, mont->p, ctx)) return 0;
955 int ECP_from_montgomery(EC_POINT *P, BN_MONTGOMERY *mont, BN_CTX *ctx)
959 assert(P->X != NULL && P->Y != NULL && P->Z != NULL);
961 assert(mont != NULL);
962 assert(mont->p != NULL);
966 if (!P->is_in_mont) return 1;
968 if (!BN_mont_red(P->X, mont, ctx)) return 0;
969 if (!BN_mont_red(P->Y, mont, ctx)) return 0;
970 if (!BN_mont_red(P->Z, mont, ctx)) return 0;
977 int ECP_mont_cmp(EC_POINT *P, EC_POINT *Q, BN_MONTGOMERY *mont, BN_CTX *ctx)
985 BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *p;
988 assert(P->X != NULL && P->Y != NULL && P->Z != NULL);
991 assert(Q->X != NULL && Q->Y != NULL && Q->Z != NULL);
993 assert(mont != NULL);
994 assert(mont->p != NULL);
999 if (!ECP_to_montgomery(P, mont, ctx)) return 0;
1002 if (!ECP_to_montgomery(Q, mont, ctx)) return 0;
1005 if (ECP_is_infty(P) && ECP_is_infty(Q)) return 0;
1006 if (ECP_is_infty(P) || ECP_is_infty(Q)) return 1;
1010 n0 = BN_CTX_get(ctx);
1011 n1 = BN_CTX_get(ctx);
1012 n2 = BN_CTX_get(ctx);
1013 n3 = BN_CTX_get(ctx);
1014 n4 = BN_CTX_get(ctx);
1015 n5 = BN_CTX_get(ctx);
1016 if (n5 == 0) goto err;
1022 if (!BN_mont_mod_mul(n5, Q->Z, Q->Z, mont, ctx)) goto err;
1023 if (!BN_mont_mod_mul(n1, P->X, n5, mont, ctx)) goto err; /* L1 = x_p * z_q^2 */
1025 if (!BN_mont_mod_mul(n0, n5, Q->Z, mont, ctx)) goto err;
1026 if (!BN_mont_mod_mul(n2, P->Y, n0, mont, ctx)) goto err; /* L2 = y_p * z_q^3 */
1028 if (!BN_mont_mod_mul(n5, P->Z, P->Z, mont, ctx)) goto err;
1029 if (!BN_mont_mod_mul(n3, Q->X, n5, mont, ctx)) goto err; /* L3 = x_q * z_p^2 */
1031 if (!BN_mont_mod_mul(n0, n5, P->Z, mont, ctx)) goto err;
1032 if (!BN_mont_mod_mul(n4, Q->Y, n0, mont, ctx)) goto err; /* L4 = y_q * z_p^3 */
1035 if (!BN_mod_sub_quick(n0, n1, n3, p)) goto err; /* L5 = L1 - L3 */
1037 if (!BN_is_zero(n0))
1043 if (!BN_mod_sub_quick(n0, n2, n4, p)) goto err; /* L6 = L2 - L4 */
1045 if (!BN_is_zero(n0))
1060 int ECP_mont_double(EC_POINT *R, EC_POINT *P, EC *E, BN_MONTGOMERY *mont, BN_CTX *ctx)
1061 /* R <- 2P (on E) */
1063 BIGNUM *n0, *n1, *n2, *n3, *p;
1066 assert(P->X != NULL && P->Y != NULL && P->Z != NULL);
1069 assert(R->X != NULL && R->Y != NULL && R->Z != NULL);
1072 assert(E->A != NULL && E->B != NULL && E->p != NULL && E->h != NULL);
1074 assert(ctx != NULL);
1077 if (!ECP_to_montgomery(P, mont, ctx)) return 0;
1080 if (!EC_to_montgomery(E, mont, ctx)) return 0;
1084 if (ECP_is_infty(P))
1086 if (!BN_zero(R->Z)) return 0;
1092 n0 = BN_CTX_get(ctx);
1093 n1 = BN_CTX_get(ctx);
1094 n2 = BN_CTX_get(ctx);
1095 n3 = BN_CTX_get(ctx);
1096 if (n3 == 0) goto err;
1101 if (!BN_mont_mod_mul(n0, P->Z, P->Z, mont, ctx)) goto err;
1102 if (!BN_mont_mod_mul(n2, n0, n0, mont, ctx)) goto err;
1103 if (!BN_mont_mod_mul(n0, n2, E->A, mont, ctx)) goto err;
1104 if (!BN_mont_mod_mul(n1, P->X, P->X, mont, ctx)) goto err;
1105 if (!BN_mod_lshift1_quick(n2, n1, p)) goto err;
1106 if (!BN_mod_add_quick(n1, n1, n2, p)) goto err;
1107 if (!BN_mod_add_quick(n1, n1, n0, p)) goto err; /* L1 = 3 * x^2 + a * z^4 */
1110 if (!BN_mont_mod_mul(n0, P->Y, P->Z, mont, ctx)) goto err;
1111 if (!BN_mod_lshift1_quick(R->Z, n0, p)) goto err; /* Z = 2 * y * z */
1114 if (!BN_mont_mod_mul(n3, P->Y, P->Y, mont, ctx)) goto err;
1115 if (!BN_mont_mod_mul(n2, P->X, n3, mont, ctx)) goto err;
1116 if (!BN_mod_lshift_quick(n2, n2, 2, p)) goto err; /* L2 = 4 * x * y^2 */
1119 if (!BN_mod_lshift1_quick(n0, n2, p)) goto err;
1120 if (!BN_mont_mod_mul(R->X, n1, n1, mont, ctx)) goto err;
1121 if (!BN_mod_sub_quick(R->X, R->X, n0, p)) goto err; /* X = L1^2 - 2 * L2 */
1124 if (!BN_mont_mod_mul(n0, n3, n3, mont, ctx)) goto err;
1125 if (!BN_mod_lshift_quick(n3, n0, 3, p)) goto err; /* L3 = 8 * y^4 */
1129 if (!BN_mod_sub_quick(n2, n2, R->X, p)) goto err;
1130 if (!BN_mont_mod_mul(n0, n1, n2, mont, ctx)) goto err;
1131 if (!BN_mod_sub_quick(R->Y, n0, n3, p)) goto err; /* Y = L1 * (L2 - X) - L3 */
1142 int ECP_mont_add(EC_POINT *R, EC_POINT *P, EC_POINT *Q, EC *E, BN_MONTGOMERY *mont, BN_CTX *ctx)
1143 /* R <- P + Q (on E) */
1145 BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6, *p;
1148 assert(P->X != NULL && P->Y != NULL && P->Z != NULL);
1151 assert(Q->X != NULL && Q->Y != NULL && Q->Z != NULL);
1154 assert(R->X != NULL && R->Y != NULL && R->Z != NULL);
1157 assert(E->A != NULL && E->B != NULL && E->p != NULL && E->h != NULL);
1158 assert(!BN_is_zero(E->h));;
1160 assert(ctx != NULL);
1163 if (!ECP_to_montgomery(Q, mont, ctx)) return 0;
1166 if (!ECP_to_montgomery(P, mont, ctx)) return 0;
1169 if (!EC_to_montgomery(E, mont, ctx)) return 0;
1171 if (P == Q) return ECP_mont_double(R, P, E, mont, ctx);
1173 if (ECP_is_infty(P)) return ECP_copy(R, Q);
1174 if (ECP_is_infty(Q)) return ECP_copy(R, P);
1178 n0 = BN_CTX_get(ctx);
1179 n1 = BN_CTX_get(ctx);
1180 n2 = BN_CTX_get(ctx);
1181 n3 = BN_CTX_get(ctx);
1182 n4 = BN_CTX_get(ctx);
1183 n5 = BN_CTX_get(ctx);
1184 n6 = BN_CTX_get(ctx);
1185 if (n6 == NULL) goto err;
1193 if (!BN_mont_mod_mul(n6, Q->Z, Q->Z, mont, ctx)) goto err;
1194 if (!BN_mont_mod_mul(n1, P->X, n6, mont, ctx)) goto err; /* L1 = x_p * z_q^2 */
1196 if (!BN_mont_mod_mul(n0, n6, Q->Z, mont, ctx)) goto err;
1197 if (!BN_mont_mod_mul(n2, P->Y, n0, mont, ctx)) goto err; /* L2 = y_p * z_q^3 */
1201 if (!BN_mont_mod_mul(n6, P->Z, P->Z, mont, ctx)) goto err;
1202 if (!BN_mont_mod_mul(n3, Q->X, n6, mont, ctx)) goto err; /* L3 = x_q * z_p^2 */
1204 if (!BN_mont_mod_mul(n0, n6, P->Z, mont, ctx)) goto err;
1205 if (!BN_mont_mod_mul(n4, Q->Y, n0, mont, ctx)) goto err; /* L4 = y_q * z_p^3 */
1209 if (!BN_mod_sub_quick(n5, n1, n3, p)) goto err; /* L5 = L1 - L3 */
1210 if (!BN_mod_sub_quick(n6, n2, n4, p)) goto err; /*L6 = L2 - L4 */
1216 if (BN_is_zero(n6)) /* P = Q => P + Q = 2P */
1219 return ECP_mont_double(R, P, E, mont, ctx);
1221 else /* P = -Q => P + Q = \infty */
1224 if (!BN_zero(R->Z)) return 0;
1230 if (!BN_mod_add_quick(n1, n1, n3, p)) goto err; /* L7 = L1 + L3 */
1231 if (!BN_mod_add_quick(n2, n2, n4, p)) goto err; /* L8 = L2 + L4 */
1235 if (!BN_mont_mod_mul(n0, P->Z, Q->Z, mont, ctx)) goto err;
1236 if (!BN_mont_mod_mul(R->Z, n0, n5, mont, ctx)) goto err; /* Z = z_p * z_q * L_5 */
1240 if (!BN_mont_mod_mul(n0, n6, n6, mont, ctx)) goto err;
1241 if (!BN_mont_mod_mul(n4, n5, n5, mont, ctx)) goto err;
1242 if (!BN_mont_mod_mul(n3, n1, n4, mont, ctx)) goto err;
1243 if (!BN_mod_sub_quick(R->X, n0, n3, p)) goto err; /* X = L6^2 - L5^2 * L7 */
1247 if (!BN_mod_lshift1_quick(n0, R->X, p)) goto err;
1248 if (!BN_mod_sub_quick(n3, n3, n0, p)) goto err; /* L9 = L5^2 * L7 - 2X */
1252 if (!BN_mont_mod_mul(n0, n3, n6, mont, ctx)) goto err;
1253 if (!BN_mont_mod_mul(n6, n4, n5, mont, ctx)) goto err;
1254 if (!BN_mont_mod_mul(n1, n2, n6, mont, ctx)) goto err;
1255 if (!BN_mod_sub_quick(n0, n0, n1, p)) goto err;
1256 if (!BN_mont_mod_mul(R->Y, n0, E->h, mont, ctx)) goto err; /* Y = (L6 * L9 - L8 * L5^3) / 2 */
1268 ECP_PRECOMPUTE *ECP_mont_precompute(int r, EC_POINT *P, EC *E, BN_MONTGOMERY *mont, BN_CTX *ctx)
1270 ECP_PRECOMPUTE *ret;
1275 assert(r < sizeof(unsigned int) * 8 - 1);
1277 assert(mont != NULL);
1278 assert(mont->p != NULL);
1281 if (!ECP_to_montgomery(P, mont, ctx)) return 0;
1284 if (!EC_to_montgomery(E, mont, ctx)) return 0;
1286 ret=(ECP_PRECOMPUTE *)malloc(sizeof(ECP_PRECOMPUTE));
1287 if (ret == NULL) return NULL;
1294 ret->Pi=(EC_POINT **)malloc(sizeof(EC_POINT *) * max);
1295 if (ret->Pi == NULL) goto err;
1299 if ((P2 = ECP_new()) == NULL) goto err;
1300 if (!ECP_mont_double(P2, P, E, mont, ctx)) goto err;
1303 if((ret->Pi[0] = ECP_dup(P)) == NULL) goto err;
1306 /* P_i = P_(i-1) + P2 */
1307 for (i = 1; i < max; i++)
1309 if ((ret->Pi[i] = ECP_new()) == NULL) goto err;
1310 if (!ECP_mont_add(ret->Pi[i], P2, ret->Pi[i - 1], E, mont, ctx)) goto err;
1320 ECP_clear_free_precompute(ret);
1325 int ECP_mont_multiply(EC_POINT *R, BIGNUM *k, ECP_PRECOMPUTE *prec, EC *E, BN_MONTGOMERY *mont, BN_CTX *ctx)
1326 /* R = [k]P P = prec->Pi[0]*/
1332 assert(R->X != NULL && R->Y != NULL && R->Z != NULL);
1335 assert(E->A != NULL && E->B != NULL && E->p != NULL && E->h != NULL);
1340 assert(ctx != NULL);
1341 assert(prec != NULL);
1343 assert(mont != NULL);
1344 assert(mont->p != NULL);
1347 if (!EC_to_montgomery(E, mont, ctx)) return 0;
1352 if (!BN_zero(R->Z)) return 0;
1362 if (!BN_zero(R->Z)) return 0;
1367 if (!BN_is_bit_set(k, j))
1369 if (!ECP_mont_double(R, R, E, mont, ctx)) return 0;
1375 if (nextw < -1) nextw = -1;
1377 while(!BN_is_bit_set(k, t))
1380 if (!ECP_mont_double(R, R, E, mont, ctx)) return 0;
1390 if (BN_is_bit_set(k, j)) h++;
1391 if (!ECP_mont_double(R, R, E, mont, ctx)) return 0;
1393 if (!ECP_mont_double(R, R, E, mont, ctx)) return 0;
1397 if (!ECP_mont_add(R, R, prec->Pi[h], E, mont, ctx)) return 0;
1399 for (; j > nextw; j--)
1401 if (!ECP_mont_double(R, R, E, mont, ctx)) return 0;
1411 int ECP_mont_multiply2(EC_POINT *R, BIGNUM *k, EC_POINT *P, EC *E, BN_MONTGOMERY *mont, BN_CTX *ctx)
1419 assert(R->X != NULL && R->Y != NULL && R->Z != NULL);
1422 assert(P->X != NULL && P->Y != NULL && P->Z != NULL);
1425 assert(E->A != NULL && E->B != NULL && E->p != NULL && E->h != NULL);
1430 assert(ctx != NULL);
1432 assert(mont != NULL);
1433 assert(mont->p != NULL);
1436 if (!EC_to_montgomery(E, mont, ctx)) return 0;
1439 if (!ECP_to_montgomery(P, mont, ctx)) return 0;
1444 if (!BN_zero(R->Z)) return 0;
1449 if ((h = BN_dup(k)) == NULL) return 0;
1451 if (!BN_lshift1(h, h)) goto err;
1452 if (!BN_add(h, h, k)) goto err;
1454 if (!ECP_copy(R, P)) goto err;
1455 if ((mP = ECP_mont_minus(P, mont)) == NULL) goto err;
1457 for(j = BN_num_bits(h) - 2; j > 0; j--)
1459 if (!ECP_mont_double(R, R, E, mont, ctx)) goto err;
1460 kj = BN_is_bit_set(k, j);
1461 hj = BN_is_bit_set(h, j);
1462 if (hj == 1 && kj == 0)
1463 if (!ECP_mont_add(R, R, P, E, mont, ctx)) goto err;
1464 if (hj == 0 && kj == 1)
1465 if (!ECP_mont_add(R, R, mP, E, mont, ctx)) goto err;
1468 if (h != NULL) BN_free(h);
1469 if (mP != NULL) ECP_clear_free(mP);
1473 if (h != NULL) BN_free(h);
1474 if (mP != NULL) ECP_clear_free(mP);
1478 #endif /* MONTGOMERY */
projects / openssl.git / blob