2 * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 /* ====================================================================
11 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
12 * Portions of this software developed by SUN MICROSYSTEMS, INC.,
13 * and contributed to the OpenSSL project.
16 #include <openssl/err.h>
17 #include <openssl/symhacks.h>
21 const EC_METHOD *EC_GFp_simple_method(void)
23 static const EC_METHOD ret = {
25 NID_X9_62_prime_field,
26 ec_GFp_simple_group_init,
27 ec_GFp_simple_group_finish,
28 ec_GFp_simple_group_clear_finish,
29 ec_GFp_simple_group_copy,
30 ec_GFp_simple_group_set_curve,
31 ec_GFp_simple_group_get_curve,
32 ec_GFp_simple_group_get_degree,
33 ec_group_simple_order_bits,
34 ec_GFp_simple_group_check_discriminant,
35 ec_GFp_simple_point_init,
36 ec_GFp_simple_point_finish,
37 ec_GFp_simple_point_clear_finish,
38 ec_GFp_simple_point_copy,
39 ec_GFp_simple_point_set_to_infinity,
40 ec_GFp_simple_set_Jprojective_coordinates_GFp,
41 ec_GFp_simple_get_Jprojective_coordinates_GFp,
42 ec_GFp_simple_point_set_affine_coordinates,
43 ec_GFp_simple_point_get_affine_coordinates,
48 ec_GFp_simple_is_at_infinity,
49 ec_GFp_simple_is_on_curve,
51 ec_GFp_simple_make_affine,
52 ec_GFp_simple_points_make_affine,
54 0 /* precompute_mult */ ,
55 0 /* have_precompute_mult */ ,
56 ec_GFp_simple_field_mul,
57 ec_GFp_simple_field_sqr,
59 0 /* field_encode */ ,
60 0 /* field_decode */ ,
61 0, /* field_set_to_one */
62 ec_key_simple_priv2oct,
63 ec_key_simple_oct2priv,
65 ec_key_simple_generate_key,
66 ec_key_simple_check_key,
67 ec_key_simple_generate_public_key,
70 ecdh_simple_compute_key,
71 ec_GFp_simple_blind_coordinates
78 * Most method functions in this file are designed to work with
79 * non-trivial representations of field elements if necessary
80 * (see ecp_mont.c): while standard modular addition and subtraction
81 * are used, the field_mul and field_sqr methods will be used for
82 * multiplication, and field_encode and field_decode (if defined)
83 * will be used for converting between representations.
85 * Functions ec_GFp_simple_points_make_affine() and
86 * ec_GFp_simple_point_get_affine_coordinates() specifically assume
87 * that if a non-trivial representation is used, it is a Montgomery
88 * representation (i.e. 'encoding' means multiplying by some factor R).
91 int ec_GFp_simple_group_init(EC_GROUP *group)
93 group->field = BN_new();
96 if (group->field == NULL || group->a == NULL || group->b == NULL) {
97 BN_free(group->field);
102 group->a_is_minus3 = 0;
106 void ec_GFp_simple_group_finish(EC_GROUP *group)
108 BN_free(group->field);
113 void ec_GFp_simple_group_clear_finish(EC_GROUP *group)
115 BN_clear_free(group->field);
116 BN_clear_free(group->a);
117 BN_clear_free(group->b);
120 int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
122 if (!BN_copy(dest->field, src->field))
124 if (!BN_copy(dest->a, src->a))
126 if (!BN_copy(dest->b, src->b))
129 dest->a_is_minus3 = src->a_is_minus3;
134 int ec_GFp_simple_group_set_curve(EC_GROUP *group,
135 const BIGNUM *p, const BIGNUM *a,
136 const BIGNUM *b, BN_CTX *ctx)
139 BN_CTX *new_ctx = NULL;
142 /* p must be a prime > 3 */
143 if (BN_num_bits(p) <= 2 || !BN_is_odd(p)) {
144 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_INVALID_FIELD);
149 ctx = new_ctx = BN_CTX_new();
155 tmp_a = BN_CTX_get(ctx);
160 if (!BN_copy(group->field, p))
162 BN_set_negative(group->field, 0);
165 if (!BN_nnmod(tmp_a, a, p, ctx))
167 if (group->meth->field_encode) {
168 if (!group->meth->field_encode(group, group->a, tmp_a, ctx))
170 } else if (!BN_copy(group->a, tmp_a))
174 if (!BN_nnmod(group->b, b, p, ctx))
176 if (group->meth->field_encode)
177 if (!group->meth->field_encode(group, group->b, group->b, ctx))
180 /* group->a_is_minus3 */
181 if (!BN_add_word(tmp_a, 3))
183 group->a_is_minus3 = (0 == BN_cmp(tmp_a, group->field));
189 BN_CTX_free(new_ctx);
193 int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
194 BIGNUM *b, BN_CTX *ctx)
197 BN_CTX *new_ctx = NULL;
200 if (!BN_copy(p, group->field))
204 if (a != NULL || b != NULL) {
205 if (group->meth->field_decode) {
207 ctx = new_ctx = BN_CTX_new();
212 if (!group->meth->field_decode(group, a, group->a, ctx))
216 if (!group->meth->field_decode(group, b, group->b, ctx))
221 if (!BN_copy(a, group->a))
225 if (!BN_copy(b, group->b))
234 BN_CTX_free(new_ctx);
238 int ec_GFp_simple_group_get_degree(const EC_GROUP *group)
240 return BN_num_bits(group->field);
243 int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
246 BIGNUM *a, *b, *order, *tmp_1, *tmp_2;
247 const BIGNUM *p = group->field;
248 BN_CTX *new_ctx = NULL;
251 ctx = new_ctx = BN_CTX_new();
253 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT,
254 ERR_R_MALLOC_FAILURE);
261 tmp_1 = BN_CTX_get(ctx);
262 tmp_2 = BN_CTX_get(ctx);
263 order = BN_CTX_get(ctx);
267 if (group->meth->field_decode) {
268 if (!group->meth->field_decode(group, a, group->a, ctx))
270 if (!group->meth->field_decode(group, b, group->b, ctx))
273 if (!BN_copy(a, group->a))
275 if (!BN_copy(b, group->b))
280 * check the discriminant:
281 * y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p)
287 } else if (!BN_is_zero(b)) {
288 if (!BN_mod_sqr(tmp_1, a, p, ctx))
290 if (!BN_mod_mul(tmp_2, tmp_1, a, p, ctx))
292 if (!BN_lshift(tmp_1, tmp_2, 2))
296 if (!BN_mod_sqr(tmp_2, b, p, ctx))
298 if (!BN_mul_word(tmp_2, 27))
302 if (!BN_mod_add(a, tmp_1, tmp_2, p, ctx))
312 BN_CTX_free(new_ctx);
316 int ec_GFp_simple_point_init(EC_POINT *point)
323 if (point->X == NULL || point->Y == NULL || point->Z == NULL) {
332 void ec_GFp_simple_point_finish(EC_POINT *point)
339 void ec_GFp_simple_point_clear_finish(EC_POINT *point)
341 BN_clear_free(point->X);
342 BN_clear_free(point->Y);
343 BN_clear_free(point->Z);
347 int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
349 if (!BN_copy(dest->X, src->X))
351 if (!BN_copy(dest->Y, src->Y))
353 if (!BN_copy(dest->Z, src->Z))
355 dest->Z_is_one = src->Z_is_one;
356 dest->curve_name = src->curve_name;
361 int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group,
369 int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *group,
376 BN_CTX *new_ctx = NULL;
380 ctx = new_ctx = BN_CTX_new();
386 if (!BN_nnmod(point->X, x, group->field, ctx))
388 if (group->meth->field_encode) {
389 if (!group->meth->field_encode(group, point->X, point->X, ctx))
395 if (!BN_nnmod(point->Y, y, group->field, ctx))
397 if (group->meth->field_encode) {
398 if (!group->meth->field_encode(group, point->Y, point->Y, ctx))
406 if (!BN_nnmod(point->Z, z, group->field, ctx))
408 Z_is_one = BN_is_one(point->Z);
409 if (group->meth->field_encode) {
410 if (Z_is_one && (group->meth->field_set_to_one != 0)) {
411 if (!group->meth->field_set_to_one(group, point->Z, ctx))
415 meth->field_encode(group, point->Z, point->Z, ctx))
419 point->Z_is_one = Z_is_one;
425 BN_CTX_free(new_ctx);
429 int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group,
430 const EC_POINT *point,
431 BIGNUM *x, BIGNUM *y,
432 BIGNUM *z, BN_CTX *ctx)
434 BN_CTX *new_ctx = NULL;
437 if (group->meth->field_decode != 0) {
439 ctx = new_ctx = BN_CTX_new();
445 if (!group->meth->field_decode(group, x, point->X, ctx))
449 if (!group->meth->field_decode(group, y, point->Y, ctx))
453 if (!group->meth->field_decode(group, z, point->Z, ctx))
458 if (!BN_copy(x, point->X))
462 if (!BN_copy(y, point->Y))
466 if (!BN_copy(z, point->Z))
474 BN_CTX_free(new_ctx);
478 int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group,
481 const BIGNUM *y, BN_CTX *ctx)
483 if (x == NULL || y == NULL) {
485 * unlike for projective coordinates, we do not tolerate this
487 ECerr(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES,
488 ERR_R_PASSED_NULL_PARAMETER);
492 return EC_POINT_set_Jprojective_coordinates_GFp(group, point, x, y,
493 BN_value_one(), ctx);
496 int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group,
497 const EC_POINT *point,
498 BIGNUM *x, BIGNUM *y,
501 BN_CTX *new_ctx = NULL;
502 BIGNUM *Z, *Z_1, *Z_2, *Z_3;
506 if (EC_POINT_is_at_infinity(group, point)) {
507 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES,
508 EC_R_POINT_AT_INFINITY);
513 ctx = new_ctx = BN_CTX_new();
520 Z_1 = BN_CTX_get(ctx);
521 Z_2 = BN_CTX_get(ctx);
522 Z_3 = BN_CTX_get(ctx);
526 /* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */
528 if (group->meth->field_decode) {
529 if (!group->meth->field_decode(group, Z, point->Z, ctx))
537 if (group->meth->field_decode) {
539 if (!group->meth->field_decode(group, x, point->X, ctx))
543 if (!group->meth->field_decode(group, y, point->Y, ctx))
548 if (!BN_copy(x, point->X))
552 if (!BN_copy(y, point->Y))
557 if (!BN_mod_inverse(Z_1, Z_, group->field, ctx)) {
558 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES,
563 if (group->meth->field_encode == 0) {
564 /* field_sqr works on standard representation */
565 if (!group->meth->field_sqr(group, Z_2, Z_1, ctx))
568 if (!BN_mod_sqr(Z_2, Z_1, group->field, ctx))
574 * in the Montgomery case, field_mul will cancel out Montgomery
577 if (!group->meth->field_mul(group, x, point->X, Z_2, ctx))
582 if (group->meth->field_encode == 0) {
584 * field_mul works on standard representation
586 if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx))
589 if (!BN_mod_mul(Z_3, Z_2, Z_1, group->field, ctx))
594 * in the Montgomery case, field_mul will cancel out Montgomery
597 if (!group->meth->field_mul(group, y, point->Y, Z_3, ctx))
606 BN_CTX_free(new_ctx);
610 int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
611 const EC_POINT *b, BN_CTX *ctx)
613 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
614 const BIGNUM *, BN_CTX *);
615 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
617 BN_CTX *new_ctx = NULL;
618 BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
622 return EC_POINT_dbl(group, r, a, ctx);
623 if (EC_POINT_is_at_infinity(group, a))
624 return EC_POINT_copy(r, b);
625 if (EC_POINT_is_at_infinity(group, b))
626 return EC_POINT_copy(r, a);
628 field_mul = group->meth->field_mul;
629 field_sqr = group->meth->field_sqr;
633 ctx = new_ctx = BN_CTX_new();
639 n0 = BN_CTX_get(ctx);
640 n1 = BN_CTX_get(ctx);
641 n2 = BN_CTX_get(ctx);
642 n3 = BN_CTX_get(ctx);
643 n4 = BN_CTX_get(ctx);
644 n5 = BN_CTX_get(ctx);
645 n6 = BN_CTX_get(ctx);
650 * Note that in this function we must not read components of 'a' or 'b'
651 * once we have written the corresponding components of 'r'. ('r' might
652 * be one of 'a' or 'b'.)
657 if (!BN_copy(n1, a->X))
659 if (!BN_copy(n2, a->Y))
664 if (!field_sqr(group, n0, b->Z, ctx))
666 if (!field_mul(group, n1, a->X, n0, ctx))
668 /* n1 = X_a * Z_b^2 */
670 if (!field_mul(group, n0, n0, b->Z, ctx))
672 if (!field_mul(group, n2, a->Y, n0, ctx))
674 /* n2 = Y_a * Z_b^3 */
679 if (!BN_copy(n3, b->X))
681 if (!BN_copy(n4, b->Y))
686 if (!field_sqr(group, n0, a->Z, ctx))
688 if (!field_mul(group, n3, b->X, n0, ctx))
690 /* n3 = X_b * Z_a^2 */
692 if (!field_mul(group, n0, n0, a->Z, ctx))
694 if (!field_mul(group, n4, b->Y, n0, ctx))
696 /* n4 = Y_b * Z_a^3 */
700 if (!BN_mod_sub_quick(n5, n1, n3, p))
702 if (!BN_mod_sub_quick(n6, n2, n4, p))
707 if (BN_is_zero(n5)) {
708 if (BN_is_zero(n6)) {
709 /* a is the same point as b */
711 ret = EC_POINT_dbl(group, r, a, ctx);
715 /* a is the inverse of b */
724 if (!BN_mod_add_quick(n1, n1, n3, p))
726 if (!BN_mod_add_quick(n2, n2, n4, p))
732 if (a->Z_is_one && b->Z_is_one) {
733 if (!BN_copy(r->Z, n5))
737 if (!BN_copy(n0, b->Z))
739 } else if (b->Z_is_one) {
740 if (!BN_copy(n0, a->Z))
743 if (!field_mul(group, n0, a->Z, b->Z, ctx))
746 if (!field_mul(group, r->Z, n0, n5, ctx))
750 /* Z_r = Z_a * Z_b * n5 */
753 if (!field_sqr(group, n0, n6, ctx))
755 if (!field_sqr(group, n4, n5, ctx))
757 if (!field_mul(group, n3, n1, n4, ctx))
759 if (!BN_mod_sub_quick(r->X, n0, n3, p))
761 /* X_r = n6^2 - n5^2 * 'n7' */
764 if (!BN_mod_lshift1_quick(n0, r->X, p))
766 if (!BN_mod_sub_quick(n0, n3, n0, p))
768 /* n9 = n5^2 * 'n7' - 2 * X_r */
771 if (!field_mul(group, n0, n0, n6, ctx))
773 if (!field_mul(group, n5, n4, n5, ctx))
774 goto end; /* now n5 is n5^3 */
775 if (!field_mul(group, n1, n2, n5, ctx))
777 if (!BN_mod_sub_quick(n0, n0, n1, p))
780 if (!BN_add(n0, n0, p))
782 /* now 0 <= n0 < 2*p, and n0 is even */
783 if (!BN_rshift1(r->Y, n0))
785 /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
790 if (ctx) /* otherwise we already called BN_CTX_end */
792 BN_CTX_free(new_ctx);
796 int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
799 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
800 const BIGNUM *, BN_CTX *);
801 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
803 BN_CTX *new_ctx = NULL;
804 BIGNUM *n0, *n1, *n2, *n3;
807 if (EC_POINT_is_at_infinity(group, a)) {
813 field_mul = group->meth->field_mul;
814 field_sqr = group->meth->field_sqr;
818 ctx = new_ctx = BN_CTX_new();
824 n0 = BN_CTX_get(ctx);
825 n1 = BN_CTX_get(ctx);
826 n2 = BN_CTX_get(ctx);
827 n3 = BN_CTX_get(ctx);
832 * Note that in this function we must not read components of 'a' once we
833 * have written the corresponding components of 'r'. ('r' might the same
839 if (!field_sqr(group, n0, a->X, ctx))
841 if (!BN_mod_lshift1_quick(n1, n0, p))
843 if (!BN_mod_add_quick(n0, n0, n1, p))
845 if (!BN_mod_add_quick(n1, n0, group->a, p))
847 /* n1 = 3 * X_a^2 + a_curve */
848 } else if (group->a_is_minus3) {
849 if (!field_sqr(group, n1, a->Z, ctx))
851 if (!BN_mod_add_quick(n0, a->X, n1, p))
853 if (!BN_mod_sub_quick(n2, a->X, n1, p))
855 if (!field_mul(group, n1, n0, n2, ctx))
857 if (!BN_mod_lshift1_quick(n0, n1, p))
859 if (!BN_mod_add_quick(n1, n0, n1, p))
862 * n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
863 * = 3 * X_a^2 - 3 * Z_a^4
866 if (!field_sqr(group, n0, a->X, ctx))
868 if (!BN_mod_lshift1_quick(n1, n0, p))
870 if (!BN_mod_add_quick(n0, n0, n1, p))
872 if (!field_sqr(group, n1, a->Z, ctx))
874 if (!field_sqr(group, n1, n1, ctx))
876 if (!field_mul(group, n1, n1, group->a, ctx))
878 if (!BN_mod_add_quick(n1, n1, n0, p))
880 /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
885 if (!BN_copy(n0, a->Y))
888 if (!field_mul(group, n0, a->Y, a->Z, ctx))
891 if (!BN_mod_lshift1_quick(r->Z, n0, p))
894 /* Z_r = 2 * Y_a * Z_a */
897 if (!field_sqr(group, n3, a->Y, ctx))
899 if (!field_mul(group, n2, a->X, n3, ctx))
901 if (!BN_mod_lshift_quick(n2, n2, 2, p))
903 /* n2 = 4 * X_a * Y_a^2 */
906 if (!BN_mod_lshift1_quick(n0, n2, p))
908 if (!field_sqr(group, r->X, n1, ctx))
910 if (!BN_mod_sub_quick(r->X, r->X, n0, p))
912 /* X_r = n1^2 - 2 * n2 */
915 if (!field_sqr(group, n0, n3, ctx))
917 if (!BN_mod_lshift_quick(n3, n0, 3, p))
922 if (!BN_mod_sub_quick(n0, n2, r->X, p))
924 if (!field_mul(group, n0, n1, n0, ctx))
926 if (!BN_mod_sub_quick(r->Y, n0, n3, p))
928 /* Y_r = n1 * (n2 - X_r) - n3 */
934 BN_CTX_free(new_ctx);
938 int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
940 if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(point->Y))
941 /* point is its own inverse */
944 return BN_usub(point->Y, group->field, point->Y);
947 int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
949 return BN_is_zero(point->Z);
952 int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
955 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
956 const BIGNUM *, BN_CTX *);
957 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
959 BN_CTX *new_ctx = NULL;
960 BIGNUM *rh, *tmp, *Z4, *Z6;
963 if (EC_POINT_is_at_infinity(group, point))
966 field_mul = group->meth->field_mul;
967 field_sqr = group->meth->field_sqr;
971 ctx = new_ctx = BN_CTX_new();
977 rh = BN_CTX_get(ctx);
978 tmp = BN_CTX_get(ctx);
979 Z4 = BN_CTX_get(ctx);
980 Z6 = BN_CTX_get(ctx);
985 * We have a curve defined by a Weierstrass equation
986 * y^2 = x^3 + a*x + b.
987 * The point to consider is given in Jacobian projective coordinates
988 * where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
989 * Substituting this and multiplying by Z^6 transforms the above equation into
990 * Y^2 = X^3 + a*X*Z^4 + b*Z^6.
991 * To test this, we add up the right-hand side in 'rh'.
995 if (!field_sqr(group, rh, point->X, ctx))
998 if (!point->Z_is_one) {
999 if (!field_sqr(group, tmp, point->Z, ctx))
1001 if (!field_sqr(group, Z4, tmp, ctx))
1003 if (!field_mul(group, Z6, Z4, tmp, ctx))
1006 /* rh := (rh + a*Z^4)*X */
1007 if (group->a_is_minus3) {
1008 if (!BN_mod_lshift1_quick(tmp, Z4, p))
1010 if (!BN_mod_add_quick(tmp, tmp, Z4, p))
1012 if (!BN_mod_sub_quick(rh, rh, tmp, p))
1014 if (!field_mul(group, rh, rh, point->X, ctx))
1017 if (!field_mul(group, tmp, Z4, group->a, ctx))
1019 if (!BN_mod_add_quick(rh, rh, tmp, p))
1021 if (!field_mul(group, rh, rh, point->X, ctx))
1025 /* rh := rh + b*Z^6 */
1026 if (!field_mul(group, tmp, group->b, Z6, ctx))
1028 if (!BN_mod_add_quick(rh, rh, tmp, p))
1031 /* point->Z_is_one */
1033 /* rh := (rh + a)*X */
1034 if (!BN_mod_add_quick(rh, rh, group->a, p))
1036 if (!field_mul(group, rh, rh, point->X, ctx))
1039 if (!BN_mod_add_quick(rh, rh, group->b, p))
1044 if (!field_sqr(group, tmp, point->Y, ctx))
1047 ret = (0 == BN_ucmp(tmp, rh));
1051 BN_CTX_free(new_ctx);
1055 int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
1056 const EC_POINT *b, BN_CTX *ctx)
1061 * 0 equal (in affine coordinates)
1065 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
1066 const BIGNUM *, BN_CTX *);
1067 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1068 BN_CTX *new_ctx = NULL;
1069 BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
1070 const BIGNUM *tmp1_, *tmp2_;
1073 if (EC_POINT_is_at_infinity(group, a)) {
1074 return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
1077 if (EC_POINT_is_at_infinity(group, b))
1080 if (a->Z_is_one && b->Z_is_one) {
1081 return ((BN_cmp(a->X, b->X) == 0) && BN_cmp(a->Y, b->Y) == 0) ? 0 : 1;
1084 field_mul = group->meth->field_mul;
1085 field_sqr = group->meth->field_sqr;
1088 ctx = new_ctx = BN_CTX_new();
1094 tmp1 = BN_CTX_get(ctx);
1095 tmp2 = BN_CTX_get(ctx);
1096 Za23 = BN_CTX_get(ctx);
1097 Zb23 = BN_CTX_get(ctx);
1102 * We have to decide whether
1103 * (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
1104 * or equivalently, whether
1105 * (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
1109 if (!field_sqr(group, Zb23, b->Z, ctx))
1111 if (!field_mul(group, tmp1, a->X, Zb23, ctx))
1117 if (!field_sqr(group, Za23, a->Z, ctx))
1119 if (!field_mul(group, tmp2, b->X, Za23, ctx))
1125 /* compare X_a*Z_b^2 with X_b*Z_a^2 */
1126 if (BN_cmp(tmp1_, tmp2_) != 0) {
1127 ret = 1; /* points differ */
1132 if (!field_mul(group, Zb23, Zb23, b->Z, ctx))
1134 if (!field_mul(group, tmp1, a->Y, Zb23, ctx))
1140 if (!field_mul(group, Za23, Za23, a->Z, ctx))
1142 if (!field_mul(group, tmp2, b->Y, Za23, ctx))
1148 /* compare Y_a*Z_b^3 with Y_b*Z_a^3 */
1149 if (BN_cmp(tmp1_, tmp2_) != 0) {
1150 ret = 1; /* points differ */
1154 /* points are equal */
1159 BN_CTX_free(new_ctx);
1163 int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point,
1166 BN_CTX *new_ctx = NULL;
1170 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
1174 ctx = new_ctx = BN_CTX_new();
1180 x = BN_CTX_get(ctx);
1181 y = BN_CTX_get(ctx);
1185 if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx))
1187 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
1189 if (!point->Z_is_one) {
1190 ECerr(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE, ERR_R_INTERNAL_ERROR);
1198 BN_CTX_free(new_ctx);
1202 int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num,
1203 EC_POINT *points[], BN_CTX *ctx)
1205 BN_CTX *new_ctx = NULL;
1206 BIGNUM *tmp, *tmp_Z;
1207 BIGNUM **prod_Z = NULL;
1215 ctx = new_ctx = BN_CTX_new();
1221 tmp = BN_CTX_get(ctx);
1222 tmp_Z = BN_CTX_get(ctx);
1223 if (tmp == NULL || tmp_Z == NULL)
1226 prod_Z = OPENSSL_malloc(num * sizeof(prod_Z[0]));
1229 for (i = 0; i < num; i++) {
1230 prod_Z[i] = BN_new();
1231 if (prod_Z[i] == NULL)
1236 * Set each prod_Z[i] to the product of points[0]->Z .. points[i]->Z,
1237 * skipping any zero-valued inputs (pretend that they're 1).
1240 if (!BN_is_zero(points[0]->Z)) {
1241 if (!BN_copy(prod_Z[0], points[0]->Z))
1244 if (group->meth->field_set_to_one != 0) {
1245 if (!group->meth->field_set_to_one(group, prod_Z[0], ctx))
1248 if (!BN_one(prod_Z[0]))
1253 for (i = 1; i < num; i++) {
1254 if (!BN_is_zero(points[i]->Z)) {
1256 meth->field_mul(group, prod_Z[i], prod_Z[i - 1], points[i]->Z,
1260 if (!BN_copy(prod_Z[i], prod_Z[i - 1]))
1266 * Now use a single explicit inversion to replace every non-zero
1267 * points[i]->Z by its inverse.
1270 if (!BN_mod_inverse(tmp, prod_Z[num - 1], group->field, ctx)) {
1271 ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);
1274 if (group->meth->field_encode != 0) {
1276 * In the Montgomery case, we just turned R*H (representing H) into
1277 * 1/(R*H), but we need R*(1/H) (representing 1/H); i.e. we need to
1278 * multiply by the Montgomery factor twice.
1280 if (!group->meth->field_encode(group, tmp, tmp, ctx))
1282 if (!group->meth->field_encode(group, tmp, tmp, ctx))
1286 for (i = num - 1; i > 0; --i) {
1288 * Loop invariant: tmp is the product of the inverses of points[0]->Z
1289 * .. points[i]->Z (zero-valued inputs skipped).
1291 if (!BN_is_zero(points[i]->Z)) {
1293 * Set tmp_Z to the inverse of points[i]->Z (as product of Z
1294 * inverses 0 .. i, Z values 0 .. i - 1).
1297 meth->field_mul(group, tmp_Z, prod_Z[i - 1], tmp, ctx))
1300 * Update tmp to satisfy the loop invariant for i - 1.
1302 if (!group->meth->field_mul(group, tmp, tmp, points[i]->Z, ctx))
1304 /* Replace points[i]->Z by its inverse. */
1305 if (!BN_copy(points[i]->Z, tmp_Z))
1310 if (!BN_is_zero(points[0]->Z)) {
1311 /* Replace points[0]->Z by its inverse. */
1312 if (!BN_copy(points[0]->Z, tmp))
1316 /* Finally, fix up the X and Y coordinates for all points. */
1318 for (i = 0; i < num; i++) {
1319 EC_POINT *p = points[i];
1321 if (!BN_is_zero(p->Z)) {
1322 /* turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1) */
1324 if (!group->meth->field_sqr(group, tmp, p->Z, ctx))
1326 if (!group->meth->field_mul(group, p->X, p->X, tmp, ctx))
1329 if (!group->meth->field_mul(group, tmp, tmp, p->Z, ctx))
1331 if (!group->meth->field_mul(group, p->Y, p->Y, tmp, ctx))
1334 if (group->meth->field_set_to_one != 0) {
1335 if (!group->meth->field_set_to_one(group, p->Z, ctx))
1349 BN_CTX_free(new_ctx);
1350 if (prod_Z != NULL) {
1351 for (i = 0; i < num; i++) {
1352 if (prod_Z[i] == NULL)
1354 BN_clear_free(prod_Z[i]);
1356 OPENSSL_free(prod_Z);
1361 int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
1362 const BIGNUM *b, BN_CTX *ctx)
1364 return BN_mod_mul(r, a, b, group->field, ctx);
1367 int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
1370 return BN_mod_sqr(r, a, group->field, ctx);
1374 * Apply randomization of EC point projective coordinates:
1376 * (X, Y ,Z ) = (lambda^2*X, lambda^3*Y, lambda*Z)
1377 * lambda = [1,group->field)
1380 int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,
1384 BIGNUM *lambda = NULL;
1385 BIGNUM *temp = NULL;
1388 lambda = BN_CTX_get(ctx);
1389 temp = BN_CTX_get(ctx);
1391 ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_MALLOC_FAILURE);
1395 /* make sure lambda is not zero */
1397 if (!BN_rand_range(lambda, group->field)) {
1398 ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_BN_LIB);
1401 } while (BN_is_zero(lambda));
1403 /* if field_encode defined convert between representations */
1404 if (group->meth->field_encode != NULL
1405 && !group->meth->field_encode(group, lambda, lambda, ctx))
1407 if (!group->meth->field_mul(group, p->Z, p->Z, lambda, ctx))
1409 if (!group->meth->field_sqr(group, temp, lambda, ctx))
1411 if (!group->meth->field_mul(group, p->X, p->X, temp, ctx))
1413 if (!group->meth->field_mul(group, temp, temp, lambda, ctx))
1415 if (!group->meth->field_mul(group, p->Y, p->Y, temp, ctx))
projects / openssl.git / blob