2 * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
12 * ECDSA low level APIs are deprecated for public use, but still ok for
15 #include "internal/deprecated.h"
17 #include <openssl/err.h>
18 #include <openssl/symhacks.h>
22 const EC_METHOD *EC_GFp_simple_method(void)
24 static const EC_METHOD ret = {
26 NID_X9_62_prime_field,
27 ec_GFp_simple_group_init,
28 ec_GFp_simple_group_finish,
29 ec_GFp_simple_group_clear_finish,
30 ec_GFp_simple_group_copy,
31 ec_GFp_simple_group_set_curve,
32 ec_GFp_simple_group_get_curve,
33 ec_GFp_simple_group_get_degree,
34 ec_group_simple_order_bits,
35 ec_GFp_simple_group_check_discriminant,
36 ec_GFp_simple_point_init,
37 ec_GFp_simple_point_finish,
38 ec_GFp_simple_point_clear_finish,
39 ec_GFp_simple_point_copy,
40 ec_GFp_simple_point_set_to_infinity,
41 ec_GFp_simple_point_set_affine_coordinates,
42 ec_GFp_simple_point_get_affine_coordinates,
47 ec_GFp_simple_is_at_infinity,
48 ec_GFp_simple_is_on_curve,
50 ec_GFp_simple_make_affine,
51 ec_GFp_simple_points_make_affine,
53 0 /* precompute_mult */ ,
54 0 /* have_precompute_mult */ ,
55 ec_GFp_simple_field_mul,
56 ec_GFp_simple_field_sqr,
58 ec_GFp_simple_field_inv,
59 0 /* field_encode */ ,
60 0 /* field_decode */ ,
61 0, /* field_set_to_one */
62 ec_key_simple_priv2oct,
63 ec_key_simple_oct2priv,
65 ec_key_simple_generate_key,
66 ec_key_simple_check_key,
67 ec_key_simple_generate_public_key,
70 ecdh_simple_compute_key,
71 ecdsa_simple_sign_setup,
72 ecdsa_simple_sign_sig,
73 ecdsa_simple_verify_sig,
74 0, /* field_inverse_mod_ord */
75 ec_GFp_simple_blind_coordinates,
76 ec_GFp_simple_ladder_pre,
77 ec_GFp_simple_ladder_step,
78 ec_GFp_simple_ladder_post
85 * Most method functions in this file are designed to work with
86 * non-trivial representations of field elements if necessary
87 * (see ecp_mont.c): while standard modular addition and subtraction
88 * are used, the field_mul and field_sqr methods will be used for
89 * multiplication, and field_encode and field_decode (if defined)
90 * will be used for converting between representations.
92 * Functions ec_GFp_simple_points_make_affine() and
93 * ec_GFp_simple_point_get_affine_coordinates() specifically assume
94 * that if a non-trivial representation is used, it is a Montgomery
95 * representation (i.e. 'encoding' means multiplying by some factor R).
98 int ec_GFp_simple_group_init(EC_GROUP *group)
100 group->field = BN_new();
103 if (group->field == NULL || group->a == NULL || group->b == NULL) {
104 BN_free(group->field);
109 group->a_is_minus3 = 0;
113 void ec_GFp_simple_group_finish(EC_GROUP *group)
115 BN_free(group->field);
120 void ec_GFp_simple_group_clear_finish(EC_GROUP *group)
122 BN_clear_free(group->field);
123 BN_clear_free(group->a);
124 BN_clear_free(group->b);
127 int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
129 if (!BN_copy(dest->field, src->field))
131 if (!BN_copy(dest->a, src->a))
133 if (!BN_copy(dest->b, src->b))
136 dest->a_is_minus3 = src->a_is_minus3;
141 int ec_GFp_simple_group_set_curve(EC_GROUP *group,
142 const BIGNUM *p, const BIGNUM *a,
143 const BIGNUM *b, BN_CTX *ctx)
146 BN_CTX *new_ctx = NULL;
149 /* p must be a prime > 3 */
150 if (BN_num_bits(p) <= 2 || !BN_is_odd(p)) {
151 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_INVALID_FIELD);
156 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
162 tmp_a = BN_CTX_get(ctx);
167 if (!BN_copy(group->field, p))
169 BN_set_negative(group->field, 0);
172 if (!BN_nnmod(tmp_a, a, p, ctx))
174 if (group->meth->field_encode) {
175 if (!group->meth->field_encode(group, group->a, tmp_a, ctx))
177 } else if (!BN_copy(group->a, tmp_a))
181 if (!BN_nnmod(group->b, b, p, ctx))
183 if (group->meth->field_encode)
184 if (!group->meth->field_encode(group, group->b, group->b, ctx))
187 /* group->a_is_minus3 */
188 if (!BN_add_word(tmp_a, 3))
190 group->a_is_minus3 = (0 == BN_cmp(tmp_a, group->field));
196 BN_CTX_free(new_ctx);
200 int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
201 BIGNUM *b, BN_CTX *ctx)
204 BN_CTX *new_ctx = NULL;
207 if (!BN_copy(p, group->field))
211 if (a != NULL || b != NULL) {
212 if (group->meth->field_decode) {
214 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
219 if (!group->meth->field_decode(group, a, group->a, ctx))
223 if (!group->meth->field_decode(group, b, group->b, ctx))
228 if (!BN_copy(a, group->a))
232 if (!BN_copy(b, group->b))
241 BN_CTX_free(new_ctx);
245 int ec_GFp_simple_group_get_degree(const EC_GROUP *group)
247 return BN_num_bits(group->field);
250 int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
253 BIGNUM *a, *b, *order, *tmp_1, *tmp_2;
254 const BIGNUM *p = group->field;
255 BN_CTX *new_ctx = NULL;
258 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
260 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT,
261 ERR_R_MALLOC_FAILURE);
268 tmp_1 = BN_CTX_get(ctx);
269 tmp_2 = BN_CTX_get(ctx);
270 order = BN_CTX_get(ctx);
274 if (group->meth->field_decode) {
275 if (!group->meth->field_decode(group, a, group->a, ctx))
277 if (!group->meth->field_decode(group, b, group->b, ctx))
280 if (!BN_copy(a, group->a))
282 if (!BN_copy(b, group->b))
287 * check the discriminant:
288 * y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p)
294 } else if (!BN_is_zero(b)) {
295 if (!BN_mod_sqr(tmp_1, a, p, ctx))
297 if (!BN_mod_mul(tmp_2, tmp_1, a, p, ctx))
299 if (!BN_lshift(tmp_1, tmp_2, 2))
303 if (!BN_mod_sqr(tmp_2, b, p, ctx))
305 if (!BN_mul_word(tmp_2, 27))
309 if (!BN_mod_add(a, tmp_1, tmp_2, p, ctx))
318 BN_CTX_free(new_ctx);
322 int ec_GFp_simple_point_init(EC_POINT *point)
329 if (point->X == NULL || point->Y == NULL || point->Z == NULL) {
338 void ec_GFp_simple_point_finish(EC_POINT *point)
345 void ec_GFp_simple_point_clear_finish(EC_POINT *point)
347 BN_clear_free(point->X);
348 BN_clear_free(point->Y);
349 BN_clear_free(point->Z);
353 int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
355 if (!BN_copy(dest->X, src->X))
357 if (!BN_copy(dest->Y, src->Y))
359 if (!BN_copy(dest->Z, src->Z))
361 dest->Z_is_one = src->Z_is_one;
362 dest->curve_name = src->curve_name;
367 int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group,
375 int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *group,
382 BN_CTX *new_ctx = NULL;
386 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
392 if (!BN_nnmod(point->X, x, group->field, ctx))
394 if (group->meth->field_encode) {
395 if (!group->meth->field_encode(group, point->X, point->X, ctx))
401 if (!BN_nnmod(point->Y, y, group->field, ctx))
403 if (group->meth->field_encode) {
404 if (!group->meth->field_encode(group, point->Y, point->Y, ctx))
412 if (!BN_nnmod(point->Z, z, group->field, ctx))
414 Z_is_one = BN_is_one(point->Z);
415 if (group->meth->field_encode) {
416 if (Z_is_one && (group->meth->field_set_to_one != 0)) {
417 if (!group->meth->field_set_to_one(group, point->Z, ctx))
421 meth->field_encode(group, point->Z, point->Z, ctx))
425 point->Z_is_one = Z_is_one;
431 BN_CTX_free(new_ctx);
435 int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group,
436 const EC_POINT *point,
437 BIGNUM *x, BIGNUM *y,
438 BIGNUM *z, BN_CTX *ctx)
440 BN_CTX *new_ctx = NULL;
443 if (group->meth->field_decode != 0) {
445 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
451 if (!group->meth->field_decode(group, x, point->X, ctx))
455 if (!group->meth->field_decode(group, y, point->Y, ctx))
459 if (!group->meth->field_decode(group, z, point->Z, ctx))
464 if (!BN_copy(x, point->X))
468 if (!BN_copy(y, point->Y))
472 if (!BN_copy(z, point->Z))
480 BN_CTX_free(new_ctx);
484 int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group,
487 const BIGNUM *y, BN_CTX *ctx)
489 if (x == NULL || y == NULL) {
491 * unlike for projective coordinates, we do not tolerate this
493 ECerr(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES,
494 ERR_R_PASSED_NULL_PARAMETER);
498 return EC_POINT_set_Jprojective_coordinates_GFp(group, point, x, y,
499 BN_value_one(), ctx);
502 int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group,
503 const EC_POINT *point,
504 BIGNUM *x, BIGNUM *y,
507 BN_CTX *new_ctx = NULL;
508 BIGNUM *Z, *Z_1, *Z_2, *Z_3;
512 if (EC_POINT_is_at_infinity(group, point)) {
513 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES,
514 EC_R_POINT_AT_INFINITY);
519 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
526 Z_1 = BN_CTX_get(ctx);
527 Z_2 = BN_CTX_get(ctx);
528 Z_3 = BN_CTX_get(ctx);
532 /* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */
534 if (group->meth->field_decode) {
535 if (!group->meth->field_decode(group, Z, point->Z, ctx))
543 if (group->meth->field_decode) {
545 if (!group->meth->field_decode(group, x, point->X, ctx))
549 if (!group->meth->field_decode(group, y, point->Y, ctx))
554 if (!BN_copy(x, point->X))
558 if (!BN_copy(y, point->Y))
563 if (!group->meth->field_inv(group, Z_1, Z_, ctx)) {
564 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES,
569 if (group->meth->field_encode == 0) {
570 /* field_sqr works on standard representation */
571 if (!group->meth->field_sqr(group, Z_2, Z_1, ctx))
574 if (!BN_mod_sqr(Z_2, Z_1, group->field, ctx))
580 * in the Montgomery case, field_mul will cancel out Montgomery
583 if (!group->meth->field_mul(group, x, point->X, Z_2, ctx))
588 if (group->meth->field_encode == 0) {
590 * field_mul works on standard representation
592 if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx))
595 if (!BN_mod_mul(Z_3, Z_2, Z_1, group->field, ctx))
600 * in the Montgomery case, field_mul will cancel out Montgomery
603 if (!group->meth->field_mul(group, y, point->Y, Z_3, ctx))
612 BN_CTX_free(new_ctx);
616 int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
617 const EC_POINT *b, BN_CTX *ctx)
619 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
620 const BIGNUM *, BN_CTX *);
621 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
623 BN_CTX *new_ctx = NULL;
624 BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
628 return EC_POINT_dbl(group, r, a, ctx);
629 if (EC_POINT_is_at_infinity(group, a))
630 return EC_POINT_copy(r, b);
631 if (EC_POINT_is_at_infinity(group, b))
632 return EC_POINT_copy(r, a);
634 field_mul = group->meth->field_mul;
635 field_sqr = group->meth->field_sqr;
639 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
645 n0 = BN_CTX_get(ctx);
646 n1 = BN_CTX_get(ctx);
647 n2 = BN_CTX_get(ctx);
648 n3 = BN_CTX_get(ctx);
649 n4 = BN_CTX_get(ctx);
650 n5 = BN_CTX_get(ctx);
651 n6 = BN_CTX_get(ctx);
656 * Note that in this function we must not read components of 'a' or 'b'
657 * once we have written the corresponding components of 'r'. ('r' might
658 * be one of 'a' or 'b'.)
663 if (!BN_copy(n1, a->X))
665 if (!BN_copy(n2, a->Y))
670 if (!field_sqr(group, n0, b->Z, ctx))
672 if (!field_mul(group, n1, a->X, n0, ctx))
674 /* n1 = X_a * Z_b^2 */
676 if (!field_mul(group, n0, n0, b->Z, ctx))
678 if (!field_mul(group, n2, a->Y, n0, ctx))
680 /* n2 = Y_a * Z_b^3 */
685 if (!BN_copy(n3, b->X))
687 if (!BN_copy(n4, b->Y))
692 if (!field_sqr(group, n0, a->Z, ctx))
694 if (!field_mul(group, n3, b->X, n0, ctx))
696 /* n3 = X_b * Z_a^2 */
698 if (!field_mul(group, n0, n0, a->Z, ctx))
700 if (!field_mul(group, n4, b->Y, n0, ctx))
702 /* n4 = Y_b * Z_a^3 */
706 if (!BN_mod_sub_quick(n5, n1, n3, p))
708 if (!BN_mod_sub_quick(n6, n2, n4, p))
713 if (BN_is_zero(n5)) {
714 if (BN_is_zero(n6)) {
715 /* a is the same point as b */
717 ret = EC_POINT_dbl(group, r, a, ctx);
721 /* a is the inverse of b */
730 if (!BN_mod_add_quick(n1, n1, n3, p))
732 if (!BN_mod_add_quick(n2, n2, n4, p))
738 if (a->Z_is_one && b->Z_is_one) {
739 if (!BN_copy(r->Z, n5))
743 if (!BN_copy(n0, b->Z))
745 } else if (b->Z_is_one) {
746 if (!BN_copy(n0, a->Z))
749 if (!field_mul(group, n0, a->Z, b->Z, ctx))
752 if (!field_mul(group, r->Z, n0, n5, ctx))
756 /* Z_r = Z_a * Z_b * n5 */
759 if (!field_sqr(group, n0, n6, ctx))
761 if (!field_sqr(group, n4, n5, ctx))
763 if (!field_mul(group, n3, n1, n4, ctx))
765 if (!BN_mod_sub_quick(r->X, n0, n3, p))
767 /* X_r = n6^2 - n5^2 * 'n7' */
770 if (!BN_mod_lshift1_quick(n0, r->X, p))
772 if (!BN_mod_sub_quick(n0, n3, n0, p))
774 /* n9 = n5^2 * 'n7' - 2 * X_r */
777 if (!field_mul(group, n0, n0, n6, ctx))
779 if (!field_mul(group, n5, n4, n5, ctx))
780 goto end; /* now n5 is n5^3 */
781 if (!field_mul(group, n1, n2, n5, ctx))
783 if (!BN_mod_sub_quick(n0, n0, n1, p))
786 if (!BN_add(n0, n0, p))
788 /* now 0 <= n0 < 2*p, and n0 is even */
789 if (!BN_rshift1(r->Y, n0))
791 /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
797 BN_CTX_free(new_ctx);
801 int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
804 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
805 const BIGNUM *, BN_CTX *);
806 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
808 BN_CTX *new_ctx = NULL;
809 BIGNUM *n0, *n1, *n2, *n3;
812 if (EC_POINT_is_at_infinity(group, a)) {
818 field_mul = group->meth->field_mul;
819 field_sqr = group->meth->field_sqr;
823 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
829 n0 = BN_CTX_get(ctx);
830 n1 = BN_CTX_get(ctx);
831 n2 = BN_CTX_get(ctx);
832 n3 = BN_CTX_get(ctx);
837 * Note that in this function we must not read components of 'a' once we
838 * have written the corresponding components of 'r'. ('r' might the same
844 if (!field_sqr(group, n0, a->X, ctx))
846 if (!BN_mod_lshift1_quick(n1, n0, p))
848 if (!BN_mod_add_quick(n0, n0, n1, p))
850 if (!BN_mod_add_quick(n1, n0, group->a, p))
852 /* n1 = 3 * X_a^2 + a_curve */
853 } else if (group->a_is_minus3) {
854 if (!field_sqr(group, n1, a->Z, ctx))
856 if (!BN_mod_add_quick(n0, a->X, n1, p))
858 if (!BN_mod_sub_quick(n2, a->X, n1, p))
860 if (!field_mul(group, n1, n0, n2, ctx))
862 if (!BN_mod_lshift1_quick(n0, n1, p))
864 if (!BN_mod_add_quick(n1, n0, n1, p))
867 * n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
868 * = 3 * X_a^2 - 3 * Z_a^4
871 if (!field_sqr(group, n0, a->X, ctx))
873 if (!BN_mod_lshift1_quick(n1, n0, p))
875 if (!BN_mod_add_quick(n0, n0, n1, p))
877 if (!field_sqr(group, n1, a->Z, ctx))
879 if (!field_sqr(group, n1, n1, ctx))
881 if (!field_mul(group, n1, n1, group->a, ctx))
883 if (!BN_mod_add_quick(n1, n1, n0, p))
885 /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
890 if (!BN_copy(n0, a->Y))
893 if (!field_mul(group, n0, a->Y, a->Z, ctx))
896 if (!BN_mod_lshift1_quick(r->Z, n0, p))
899 /* Z_r = 2 * Y_a * Z_a */
902 if (!field_sqr(group, n3, a->Y, ctx))
904 if (!field_mul(group, n2, a->X, n3, ctx))
906 if (!BN_mod_lshift_quick(n2, n2, 2, p))
908 /* n2 = 4 * X_a * Y_a^2 */
911 if (!BN_mod_lshift1_quick(n0, n2, p))
913 if (!field_sqr(group, r->X, n1, ctx))
915 if (!BN_mod_sub_quick(r->X, r->X, n0, p))
917 /* X_r = n1^2 - 2 * n2 */
920 if (!field_sqr(group, n0, n3, ctx))
922 if (!BN_mod_lshift_quick(n3, n0, 3, p))
927 if (!BN_mod_sub_quick(n0, n2, r->X, p))
929 if (!field_mul(group, n0, n1, n0, ctx))
931 if (!BN_mod_sub_quick(r->Y, n0, n3, p))
933 /* Y_r = n1 * (n2 - X_r) - n3 */
939 BN_CTX_free(new_ctx);
943 int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
945 if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(point->Y))
946 /* point is its own inverse */
949 return BN_usub(point->Y, group->field, point->Y);
952 int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
954 return BN_is_zero(point->Z);
957 int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
960 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
961 const BIGNUM *, BN_CTX *);
962 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
964 BN_CTX *new_ctx = NULL;
965 BIGNUM *rh, *tmp, *Z4, *Z6;
968 if (EC_POINT_is_at_infinity(group, point))
971 field_mul = group->meth->field_mul;
972 field_sqr = group->meth->field_sqr;
976 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
982 rh = BN_CTX_get(ctx);
983 tmp = BN_CTX_get(ctx);
984 Z4 = BN_CTX_get(ctx);
985 Z6 = BN_CTX_get(ctx);
990 * We have a curve defined by a Weierstrass equation
991 * y^2 = x^3 + a*x + b.
992 * The point to consider is given in Jacobian projective coordinates
993 * where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
994 * Substituting this and multiplying by Z^6 transforms the above equation into
995 * Y^2 = X^3 + a*X*Z^4 + b*Z^6.
996 * To test this, we add up the right-hand side in 'rh'.
1000 if (!field_sqr(group, rh, point->X, ctx))
1003 if (!point->Z_is_one) {
1004 if (!field_sqr(group, tmp, point->Z, ctx))
1006 if (!field_sqr(group, Z4, tmp, ctx))
1008 if (!field_mul(group, Z6, Z4, tmp, ctx))
1011 /* rh := (rh + a*Z^4)*X */
1012 if (group->a_is_minus3) {
1013 if (!BN_mod_lshift1_quick(tmp, Z4, p))
1015 if (!BN_mod_add_quick(tmp, tmp, Z4, p))
1017 if (!BN_mod_sub_quick(rh, rh, tmp, p))
1019 if (!field_mul(group, rh, rh, point->X, ctx))
1022 if (!field_mul(group, tmp, Z4, group->a, ctx))
1024 if (!BN_mod_add_quick(rh, rh, tmp, p))
1026 if (!field_mul(group, rh, rh, point->X, ctx))
1030 /* rh := rh + b*Z^6 */
1031 if (!field_mul(group, tmp, group->b, Z6, ctx))
1033 if (!BN_mod_add_quick(rh, rh, tmp, p))
1036 /* point->Z_is_one */
1038 /* rh := (rh + a)*X */
1039 if (!BN_mod_add_quick(rh, rh, group->a, p))
1041 if (!field_mul(group, rh, rh, point->X, ctx))
1044 if (!BN_mod_add_quick(rh, rh, group->b, p))
1049 if (!field_sqr(group, tmp, point->Y, ctx))
1052 ret = (0 == BN_ucmp(tmp, rh));
1056 BN_CTX_free(new_ctx);
1060 int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
1061 const EC_POINT *b, BN_CTX *ctx)
1066 * 0 equal (in affine coordinates)
1070 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
1071 const BIGNUM *, BN_CTX *);
1072 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1073 BN_CTX *new_ctx = NULL;
1074 BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
1075 const BIGNUM *tmp1_, *tmp2_;
1078 if (EC_POINT_is_at_infinity(group, a)) {
1079 return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
1082 if (EC_POINT_is_at_infinity(group, b))
1085 if (a->Z_is_one && b->Z_is_one) {
1086 return ((BN_cmp(a->X, b->X) == 0) && BN_cmp(a->Y, b->Y) == 0) ? 0 : 1;
1089 field_mul = group->meth->field_mul;
1090 field_sqr = group->meth->field_sqr;
1093 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
1099 tmp1 = BN_CTX_get(ctx);
1100 tmp2 = BN_CTX_get(ctx);
1101 Za23 = BN_CTX_get(ctx);
1102 Zb23 = BN_CTX_get(ctx);
1107 * We have to decide whether
1108 * (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
1109 * or equivalently, whether
1110 * (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
1114 if (!field_sqr(group, Zb23, b->Z, ctx))
1116 if (!field_mul(group, tmp1, a->X, Zb23, ctx))
1122 if (!field_sqr(group, Za23, a->Z, ctx))
1124 if (!field_mul(group, tmp2, b->X, Za23, ctx))
1130 /* compare X_a*Z_b^2 with X_b*Z_a^2 */
1131 if (BN_cmp(tmp1_, tmp2_) != 0) {
1132 ret = 1; /* points differ */
1137 if (!field_mul(group, Zb23, Zb23, b->Z, ctx))
1139 if (!field_mul(group, tmp1, a->Y, Zb23, ctx))
1145 if (!field_mul(group, Za23, Za23, a->Z, ctx))
1147 if (!field_mul(group, tmp2, b->Y, Za23, ctx))
1153 /* compare Y_a*Z_b^3 with Y_b*Z_a^3 */
1154 if (BN_cmp(tmp1_, tmp2_) != 0) {
1155 ret = 1; /* points differ */
1159 /* points are equal */
1164 BN_CTX_free(new_ctx);
1168 int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point,
1171 BN_CTX *new_ctx = NULL;
1175 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
1179 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
1185 x = BN_CTX_get(ctx);
1186 y = BN_CTX_get(ctx);
1190 if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx))
1192 if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx))
1194 if (!point->Z_is_one) {
1195 ECerr(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE, ERR_R_INTERNAL_ERROR);
1203 BN_CTX_free(new_ctx);
1207 int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num,
1208 EC_POINT *points[], BN_CTX *ctx)
1210 BN_CTX *new_ctx = NULL;
1211 BIGNUM *tmp, *tmp_Z;
1212 BIGNUM **prod_Z = NULL;
1220 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
1226 tmp = BN_CTX_get(ctx);
1227 tmp_Z = BN_CTX_get(ctx);
1231 prod_Z = OPENSSL_malloc(num * sizeof(prod_Z[0]));
1234 for (i = 0; i < num; i++) {
1235 prod_Z[i] = BN_new();
1236 if (prod_Z[i] == NULL)
1241 * Set each prod_Z[i] to the product of points[0]->Z .. points[i]->Z,
1242 * skipping any zero-valued inputs (pretend that they're 1).
1245 if (!BN_is_zero(points[0]->Z)) {
1246 if (!BN_copy(prod_Z[0], points[0]->Z))
1249 if (group->meth->field_set_to_one != 0) {
1250 if (!group->meth->field_set_to_one(group, prod_Z[0], ctx))
1253 if (!BN_one(prod_Z[0]))
1258 for (i = 1; i < num; i++) {
1259 if (!BN_is_zero(points[i]->Z)) {
1261 meth->field_mul(group, prod_Z[i], prod_Z[i - 1], points[i]->Z,
1265 if (!BN_copy(prod_Z[i], prod_Z[i - 1]))
1271 * Now use a single explicit inversion to replace every non-zero
1272 * points[i]->Z by its inverse.
1275 if (!group->meth->field_inv(group, tmp, prod_Z[num - 1], ctx)) {
1276 ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);
1279 if (group->meth->field_encode != 0) {
1281 * In the Montgomery case, we just turned R*H (representing H) into
1282 * 1/(R*H), but we need R*(1/H) (representing 1/H); i.e. we need to
1283 * multiply by the Montgomery factor twice.
1285 if (!group->meth->field_encode(group, tmp, tmp, ctx))
1287 if (!group->meth->field_encode(group, tmp, tmp, ctx))
1291 for (i = num - 1; i > 0; --i) {
1293 * Loop invariant: tmp is the product of the inverses of points[0]->Z
1294 * .. points[i]->Z (zero-valued inputs skipped).
1296 if (!BN_is_zero(points[i]->Z)) {
1298 * Set tmp_Z to the inverse of points[i]->Z (as product of Z
1299 * inverses 0 .. i, Z values 0 .. i - 1).
1302 meth->field_mul(group, tmp_Z, prod_Z[i - 1], tmp, ctx))
1305 * Update tmp to satisfy the loop invariant for i - 1.
1307 if (!group->meth->field_mul(group, tmp, tmp, points[i]->Z, ctx))
1309 /* Replace points[i]->Z by its inverse. */
1310 if (!BN_copy(points[i]->Z, tmp_Z))
1315 if (!BN_is_zero(points[0]->Z)) {
1316 /* Replace points[0]->Z by its inverse. */
1317 if (!BN_copy(points[0]->Z, tmp))
1321 /* Finally, fix up the X and Y coordinates for all points. */
1323 for (i = 0; i < num; i++) {
1324 EC_POINT *p = points[i];
1326 if (!BN_is_zero(p->Z)) {
1327 /* turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1) */
1329 if (!group->meth->field_sqr(group, tmp, p->Z, ctx))
1331 if (!group->meth->field_mul(group, p->X, p->X, tmp, ctx))
1334 if (!group->meth->field_mul(group, tmp, tmp, p->Z, ctx))
1336 if (!group->meth->field_mul(group, p->Y, p->Y, tmp, ctx))
1339 if (group->meth->field_set_to_one != 0) {
1340 if (!group->meth->field_set_to_one(group, p->Z, ctx))
1354 BN_CTX_free(new_ctx);
1355 if (prod_Z != NULL) {
1356 for (i = 0; i < num; i++) {
1357 if (prod_Z[i] == NULL)
1359 BN_clear_free(prod_Z[i]);
1361 OPENSSL_free(prod_Z);
1366 int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
1367 const BIGNUM *b, BN_CTX *ctx)
1369 return BN_mod_mul(r, a, b, group->field, ctx);
1372 int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
1375 return BN_mod_sqr(r, a, group->field, ctx);
1379 * Computes the multiplicative inverse of a in GF(p), storing the result in r.
1380 * If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
1381 * Since we don't have a Mont structure here, SCA hardening is with blinding.
1382 * NB: "a" must be in _decoded_ form. (i.e. field_decode must precede.)
1384 int ec_GFp_simple_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
1388 BN_CTX *new_ctx = NULL;
1392 && (ctx = new_ctx = BN_CTX_secure_new_ex(group->libctx)) == NULL)
1396 if ((e = BN_CTX_get(ctx)) == NULL)
1400 if (!BN_priv_rand_range_ex(e, group->field, ctx))
1402 } while (BN_is_zero(e));
1405 if (!group->meth->field_mul(group, r, a, e, ctx))
1407 /* r := 1/(a * e) */
1408 if (!BN_mod_inverse(r, r, group->field, ctx)) {
1409 ECerr(EC_F_EC_GFP_SIMPLE_FIELD_INV, EC_R_CANNOT_INVERT);
1412 /* r := e/(a * e) = 1/a */
1413 if (!group->meth->field_mul(group, r, r, e, ctx))
1420 BN_CTX_free(new_ctx);
1425 * Apply randomization of EC point projective coordinates:
1427 * (X, Y ,Z ) = (lambda^2*X, lambda^3*Y, lambda*Z)
1428 * lambda = [1,group->field)
1431 int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,
1435 BIGNUM *lambda = NULL;
1436 BIGNUM *temp = NULL;
1439 lambda = BN_CTX_get(ctx);
1440 temp = BN_CTX_get(ctx);
1442 ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_MALLOC_FAILURE);
1447 * Make sure lambda is not zero.
1448 * If the RNG fails, we cannot blind but nevertheless want
1449 * code to continue smoothly and not clobber the error stack.
1453 ret = BN_priv_rand_range_ex(lambda, group->field, ctx);
1459 } while (BN_is_zero(lambda));
1461 /* if field_encode defined convert between representations */
1462 if ((group->meth->field_encode != NULL
1463 && !group->meth->field_encode(group, lambda, lambda, ctx))
1464 || !group->meth->field_mul(group, p->Z, p->Z, lambda, ctx)
1465 || !group->meth->field_sqr(group, temp, lambda, ctx)
1466 || !group->meth->field_mul(group, p->X, p->X, temp, ctx)
1467 || !group->meth->field_mul(group, temp, temp, lambda, ctx)
1468 || !group->meth->field_mul(group, p->Y, p->Y, temp, ctx))
1481 * - p: affine coordinates
1484 * - s := p, r := 2p: blinded projective (homogeneous) coordinates
1486 * For doubling we use Formula 3 from Izu-Takagi "A fast parallel elliptic curve
1487 * multiplication resistant against side channel attacks" appendix, described at
1488 * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2
1489 * simplified for Z1=1.
1491 * Blinding uses the equivalence relation (\lambda X, \lambda Y, \lambda Z)
1492 * for any non-zero \lambda that holds for projective (homogeneous) coords.
1494 int ec_GFp_simple_ladder_pre(const EC_GROUP *group,
1495 EC_POINT *r, EC_POINT *s,
1496 EC_POINT *p, BN_CTX *ctx)
1498 BIGNUM *t1, *t2, *t3, *t4, *t5 = NULL;
1506 if (!p->Z_is_one /* r := 2p */
1507 || !group->meth->field_sqr(group, t3, p->X, ctx)
1508 || !BN_mod_sub_quick(t4, t3, group->a, group->field)
1509 || !group->meth->field_sqr(group, t4, t4, ctx)
1510 || !group->meth->field_mul(group, t5, p->X, group->b, ctx)
1511 || !BN_mod_lshift_quick(t5, t5, 3, group->field)
1512 /* r->X coord output */
1513 || !BN_mod_sub_quick(r->X, t4, t5, group->field)
1514 || !BN_mod_add_quick(t1, t3, group->a, group->field)
1515 || !group->meth->field_mul(group, t2, p->X, t1, ctx)
1516 || !BN_mod_add_quick(t2, group->b, t2, group->field)
1517 /* r->Z coord output */
1518 || !BN_mod_lshift_quick(r->Z, t2, 2, group->field))
1521 /* make sure lambda (r->Y here for storage) is not zero */
1523 if (!BN_priv_rand_range_ex(r->Y, group->field, ctx))
1525 } while (BN_is_zero(r->Y));
1527 /* make sure lambda (s->Z here for storage) is not zero */
1529 if (!BN_priv_rand_range_ex(s->Z, group->field, ctx))
1531 } while (BN_is_zero(s->Z));
1533 /* if field_encode defined convert between representations */
1534 if (group->meth->field_encode != NULL
1535 && (!group->meth->field_encode(group, r->Y, r->Y, ctx)
1536 || !group->meth->field_encode(group, s->Z, s->Z, ctx)))
1539 /* blind r and s independently */
1540 if (!group->meth->field_mul(group, r->Z, r->Z, r->Y, ctx)
1541 || !group->meth->field_mul(group, r->X, r->X, r->Y, ctx)
1542 || !group->meth->field_mul(group, s->X, p->X, s->Z, ctx)) /* s := p */
1553 * - s, r: projective (homogeneous) coordinates
1554 * - p: affine coordinates
1557 * - s := r + s, r := 2r: projective (homogeneous) coordinates
1559 * Differential addition-and-doubling using Eq. (9) and (10) from Izu-Takagi
1560 * "A fast parallel elliptic curve multiplication resistant against side channel
1561 * attacks", as described at
1562 * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-mladd-2002-it-4
1564 int ec_GFp_simple_ladder_step(const EC_GROUP *group,
1565 EC_POINT *r, EC_POINT *s,
1566 EC_POINT *p, BN_CTX *ctx)
1569 BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6 = NULL;
1572 t0 = BN_CTX_get(ctx);
1573 t1 = BN_CTX_get(ctx);
1574 t2 = BN_CTX_get(ctx);
1575 t3 = BN_CTX_get(ctx);
1576 t4 = BN_CTX_get(ctx);
1577 t5 = BN_CTX_get(ctx);
1578 t6 = BN_CTX_get(ctx);
1581 || !group->meth->field_mul(group, t6, r->X, s->X, ctx)
1582 || !group->meth->field_mul(group, t0, r->Z, s->Z, ctx)
1583 || !group->meth->field_mul(group, t4, r->X, s->Z, ctx)
1584 || !group->meth->field_mul(group, t3, r->Z, s->X, ctx)
1585 || !group->meth->field_mul(group, t5, group->a, t0, ctx)
1586 || !BN_mod_add_quick(t5, t6, t5, group->field)
1587 || !BN_mod_add_quick(t6, t3, t4, group->field)
1588 || !group->meth->field_mul(group, t5, t6, t5, ctx)
1589 || !group->meth->field_sqr(group, t0, t0, ctx)
1590 || !BN_mod_lshift_quick(t2, group->b, 2, group->field)
1591 || !group->meth->field_mul(group, t0, t2, t0, ctx)
1592 || !BN_mod_lshift1_quick(t5, t5, group->field)
1593 || !BN_mod_sub_quick(t3, t4, t3, group->field)
1594 /* s->Z coord output */
1595 || !group->meth->field_sqr(group, s->Z, t3, ctx)
1596 || !group->meth->field_mul(group, t4, s->Z, p->X, ctx)
1597 || !BN_mod_add_quick(t0, t0, t5, group->field)
1598 /* s->X coord output */
1599 || !BN_mod_sub_quick(s->X, t0, t4, group->field)
1600 || !group->meth->field_sqr(group, t4, r->X, ctx)
1601 || !group->meth->field_sqr(group, t5, r->Z, ctx)
1602 || !group->meth->field_mul(group, t6, t5, group->a, ctx)
1603 || !BN_mod_add_quick(t1, r->X, r->Z, group->field)
1604 || !group->meth->field_sqr(group, t1, t1, ctx)
1605 || !BN_mod_sub_quick(t1, t1, t4, group->field)
1606 || !BN_mod_sub_quick(t1, t1, t5, group->field)
1607 || !BN_mod_sub_quick(t3, t4, t6, group->field)
1608 || !group->meth->field_sqr(group, t3, t3, ctx)
1609 || !group->meth->field_mul(group, t0, t5, t1, ctx)
1610 || !group->meth->field_mul(group, t0, t2, t0, ctx)
1611 /* r->X coord output */
1612 || !BN_mod_sub_quick(r->X, t3, t0, group->field)
1613 || !BN_mod_add_quick(t3, t4, t6, group->field)
1614 || !group->meth->field_sqr(group, t4, t5, ctx)
1615 || !group->meth->field_mul(group, t4, t4, t2, ctx)
1616 || !group->meth->field_mul(group, t1, t1, t3, ctx)
1617 || !BN_mod_lshift1_quick(t1, t1, group->field)
1618 /* r->Z coord output */
1619 || !BN_mod_add_quick(r->Z, t4, t1, group->field))
1631 * - s, r: projective (homogeneous) coordinates
1632 * - p: affine coordinates
1635 * - r := (x,y): affine coordinates
1637 * Recovers the y-coordinate of r using Eq. (8) from Brier-Joye, "Weierstrass
1638 * Elliptic Curves and Side-Channel Attacks", modified to work in mixed
1639 * projective coords, i.e. p is affine and (r,s) in projective (homogeneous)
1640 * coords, and return r in affine coordinates.
1642 * X4 = two*Y1*X2*Z3*Z2;
1643 * Y4 = two*b*Z3*SQR(Z2) + Z3*(a*Z2+X1*X2)*(X1*Z2+X2) - X3*SQR(X1*Z2-X2);
1644 * Z4 = two*Y1*Z3*SQR(Z2);
1647 * - Z2==0 implies r is at infinity (handled by the BN_is_zero(r->Z) branch);
1648 * - Z3==0 implies s is at infinity (handled by the BN_is_zero(s->Z) branch);
1649 * - Y1==0 implies p has order 2, so either r or s are infinity and handled by
1650 * one of the BN_is_zero(...) branches.
1652 int ec_GFp_simple_ladder_post(const EC_GROUP *group,
1653 EC_POINT *r, EC_POINT *s,
1654 EC_POINT *p, BN_CTX *ctx)
1657 BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6 = NULL;
1659 if (BN_is_zero(r->Z))
1660 return EC_POINT_set_to_infinity(group, r);
1662 if (BN_is_zero(s->Z)) {
1663 if (!EC_POINT_copy(r, p)
1664 || !EC_POINT_invert(group, r, ctx))
1670 t0 = BN_CTX_get(ctx);
1671 t1 = BN_CTX_get(ctx);
1672 t2 = BN_CTX_get(ctx);
1673 t3 = BN_CTX_get(ctx);
1674 t4 = BN_CTX_get(ctx);
1675 t5 = BN_CTX_get(ctx);
1676 t6 = BN_CTX_get(ctx);
1679 || !BN_mod_lshift1_quick(t4, p->Y, group->field)
1680 || !group->meth->field_mul(group, t6, r->X, t4, ctx)
1681 || !group->meth->field_mul(group, t6, s->Z, t6, ctx)
1682 || !group->meth->field_mul(group, t5, r->Z, t6, ctx)
1683 || !BN_mod_lshift1_quick(t1, group->b, group->field)
1684 || !group->meth->field_mul(group, t1, s->Z, t1, ctx)
1685 || !group->meth->field_sqr(group, t3, r->Z, ctx)
1686 || !group->meth->field_mul(group, t2, t3, t1, ctx)
1687 || !group->meth->field_mul(group, t6, r->Z, group->a, ctx)
1688 || !group->meth->field_mul(group, t1, p->X, r->X, ctx)
1689 || !BN_mod_add_quick(t1, t1, t6, group->field)
1690 || !group->meth->field_mul(group, t1, s->Z, t1, ctx)
1691 || !group->meth->field_mul(group, t0, p->X, r->Z, ctx)
1692 || !BN_mod_add_quick(t6, r->X, t0, group->field)
1693 || !group->meth->field_mul(group, t6, t6, t1, ctx)
1694 || !BN_mod_add_quick(t6, t6, t2, group->field)
1695 || !BN_mod_sub_quick(t0, t0, r->X, group->field)
1696 || !group->meth->field_sqr(group, t0, t0, ctx)
1697 || !group->meth->field_mul(group, t0, t0, s->X, ctx)
1698 || !BN_mod_sub_quick(t0, t6, t0, group->field)
1699 || !group->meth->field_mul(group, t1, s->Z, t4, ctx)
1700 || !group->meth->field_mul(group, t1, t3, t1, ctx)
1701 || (group->meth->field_decode != NULL
1702 && !group->meth->field_decode(group, t1, t1, ctx))
1703 || !group->meth->field_inv(group, t1, t1, ctx)
1704 || (group->meth->field_encode != NULL
1705 && !group->meth->field_encode(group, t1, t1, ctx))
1706 || !group->meth->field_mul(group, r->X, t5, t1, ctx)
1707 || !group->meth->field_mul(group, r->Y, t0, t1, ctx))
1710 if (group->meth->field_set_to_one != NULL) {
1711 if (!group->meth->field_set_to_one(group, r->Z, ctx))
projects / openssl.git / blob