2 * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
12 * ECDSA low level APIs are deprecated for public use, but still ok for
15 #include "internal/deprecated.h"
17 #include <openssl/err.h>
18 #include <openssl/symhacks.h>
22 const EC_METHOD *EC_GFp_simple_method(void)
24 static const EC_METHOD ret = {
26 NID_X9_62_prime_field,
27 ec_GFp_simple_group_init,
28 ec_GFp_simple_group_finish,
29 ec_GFp_simple_group_clear_finish,
30 ec_GFp_simple_group_copy,
31 ec_GFp_simple_group_set_curve,
32 ec_GFp_simple_group_get_curve,
33 ec_GFp_simple_group_get_degree,
34 ec_group_simple_order_bits,
35 ec_GFp_simple_group_check_discriminant,
36 ec_GFp_simple_point_init,
37 ec_GFp_simple_point_finish,
38 ec_GFp_simple_point_clear_finish,
39 ec_GFp_simple_point_copy,
40 ec_GFp_simple_point_set_to_infinity,
41 ec_GFp_simple_set_Jprojective_coordinates_GFp,
42 ec_GFp_simple_get_Jprojective_coordinates_GFp,
43 ec_GFp_simple_point_set_affine_coordinates,
44 ec_GFp_simple_point_get_affine_coordinates,
49 ec_GFp_simple_is_at_infinity,
50 ec_GFp_simple_is_on_curve,
52 ec_GFp_simple_make_affine,
53 ec_GFp_simple_points_make_affine,
55 0 /* precompute_mult */ ,
56 0 /* have_precompute_mult */ ,
57 ec_GFp_simple_field_mul,
58 ec_GFp_simple_field_sqr,
60 ec_GFp_simple_field_inv,
61 0 /* field_encode */ ,
62 0 /* field_decode */ ,
63 0, /* field_set_to_one */
64 ec_key_simple_priv2oct,
65 ec_key_simple_oct2priv,
67 ec_key_simple_generate_key,
68 ec_key_simple_check_key,
69 ec_key_simple_generate_public_key,
72 ecdh_simple_compute_key,
73 ecdsa_simple_sign_setup,
74 ecdsa_simple_sign_sig,
75 ecdsa_simple_verify_sig,
76 0, /* field_inverse_mod_ord */
77 ec_GFp_simple_blind_coordinates,
78 ec_GFp_simple_ladder_pre,
79 ec_GFp_simple_ladder_step,
80 ec_GFp_simple_ladder_post
87 * Most method functions in this file are designed to work with
88 * non-trivial representations of field elements if necessary
89 * (see ecp_mont.c): while standard modular addition and subtraction
90 * are used, the field_mul and field_sqr methods will be used for
91 * multiplication, and field_encode and field_decode (if defined)
92 * will be used for converting between representations.
94 * Functions ec_GFp_simple_points_make_affine() and
95 * ec_GFp_simple_point_get_affine_coordinates() specifically assume
96 * that if a non-trivial representation is used, it is a Montgomery
97 * representation (i.e. 'encoding' means multiplying by some factor R).
100 int ec_GFp_simple_group_init(EC_GROUP *group)
102 group->field = BN_new();
105 if (group->field == NULL || group->a == NULL || group->b == NULL) {
106 BN_free(group->field);
111 group->a_is_minus3 = 0;
115 void ec_GFp_simple_group_finish(EC_GROUP *group)
117 BN_free(group->field);
122 void ec_GFp_simple_group_clear_finish(EC_GROUP *group)
124 BN_clear_free(group->field);
125 BN_clear_free(group->a);
126 BN_clear_free(group->b);
129 int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
131 if (!BN_copy(dest->field, src->field))
133 if (!BN_copy(dest->a, src->a))
135 if (!BN_copy(dest->b, src->b))
138 dest->a_is_minus3 = src->a_is_minus3;
143 int ec_GFp_simple_group_set_curve(EC_GROUP *group,
144 const BIGNUM *p, const BIGNUM *a,
145 const BIGNUM *b, BN_CTX *ctx)
148 BN_CTX *new_ctx = NULL;
151 /* p must be a prime > 3 */
152 if (BN_num_bits(p) <= 2 || !BN_is_odd(p)) {
153 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_INVALID_FIELD);
158 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
164 tmp_a = BN_CTX_get(ctx);
169 if (!BN_copy(group->field, p))
171 BN_set_negative(group->field, 0);
174 if (!BN_nnmod(tmp_a, a, p, ctx))
176 if (group->meth->field_encode) {
177 if (!group->meth->field_encode(group, group->a, tmp_a, ctx))
179 } else if (!BN_copy(group->a, tmp_a))
183 if (!BN_nnmod(group->b, b, p, ctx))
185 if (group->meth->field_encode)
186 if (!group->meth->field_encode(group, group->b, group->b, ctx))
189 /* group->a_is_minus3 */
190 if (!BN_add_word(tmp_a, 3))
192 group->a_is_minus3 = (0 == BN_cmp(tmp_a, group->field));
198 BN_CTX_free(new_ctx);
202 int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
203 BIGNUM *b, BN_CTX *ctx)
206 BN_CTX *new_ctx = NULL;
209 if (!BN_copy(p, group->field))
213 if (a != NULL || b != NULL) {
214 if (group->meth->field_decode) {
216 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
221 if (!group->meth->field_decode(group, a, group->a, ctx))
225 if (!group->meth->field_decode(group, b, group->b, ctx))
230 if (!BN_copy(a, group->a))
234 if (!BN_copy(b, group->b))
243 BN_CTX_free(new_ctx);
247 int ec_GFp_simple_group_get_degree(const EC_GROUP *group)
249 return BN_num_bits(group->field);
252 int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
255 BIGNUM *a, *b, *order, *tmp_1, *tmp_2;
256 const BIGNUM *p = group->field;
257 BN_CTX *new_ctx = NULL;
260 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
262 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT,
263 ERR_R_MALLOC_FAILURE);
270 tmp_1 = BN_CTX_get(ctx);
271 tmp_2 = BN_CTX_get(ctx);
272 order = BN_CTX_get(ctx);
276 if (group->meth->field_decode) {
277 if (!group->meth->field_decode(group, a, group->a, ctx))
279 if (!group->meth->field_decode(group, b, group->b, ctx))
282 if (!BN_copy(a, group->a))
284 if (!BN_copy(b, group->b))
289 * check the discriminant:
290 * y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p)
296 } else if (!BN_is_zero(b)) {
297 if (!BN_mod_sqr(tmp_1, a, p, ctx))
299 if (!BN_mod_mul(tmp_2, tmp_1, a, p, ctx))
301 if (!BN_lshift(tmp_1, tmp_2, 2))
305 if (!BN_mod_sqr(tmp_2, b, p, ctx))
307 if (!BN_mul_word(tmp_2, 27))
311 if (!BN_mod_add(a, tmp_1, tmp_2, p, ctx))
320 BN_CTX_free(new_ctx);
324 int ec_GFp_simple_point_init(EC_POINT *point)
331 if (point->X == NULL || point->Y == NULL || point->Z == NULL) {
340 void ec_GFp_simple_point_finish(EC_POINT *point)
347 void ec_GFp_simple_point_clear_finish(EC_POINT *point)
349 BN_clear_free(point->X);
350 BN_clear_free(point->Y);
351 BN_clear_free(point->Z);
355 int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
357 if (!BN_copy(dest->X, src->X))
359 if (!BN_copy(dest->Y, src->Y))
361 if (!BN_copy(dest->Z, src->Z))
363 dest->Z_is_one = src->Z_is_one;
364 dest->curve_name = src->curve_name;
369 int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group,
377 int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *group,
384 BN_CTX *new_ctx = NULL;
388 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
394 if (!BN_nnmod(point->X, x, group->field, ctx))
396 if (group->meth->field_encode) {
397 if (!group->meth->field_encode(group, point->X, point->X, ctx))
403 if (!BN_nnmod(point->Y, y, group->field, ctx))
405 if (group->meth->field_encode) {
406 if (!group->meth->field_encode(group, point->Y, point->Y, ctx))
414 if (!BN_nnmod(point->Z, z, group->field, ctx))
416 Z_is_one = BN_is_one(point->Z);
417 if (group->meth->field_encode) {
418 if (Z_is_one && (group->meth->field_set_to_one != 0)) {
419 if (!group->meth->field_set_to_one(group, point->Z, ctx))
423 meth->field_encode(group, point->Z, point->Z, ctx))
427 point->Z_is_one = Z_is_one;
433 BN_CTX_free(new_ctx);
437 int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group,
438 const EC_POINT *point,
439 BIGNUM *x, BIGNUM *y,
440 BIGNUM *z, BN_CTX *ctx)
442 BN_CTX *new_ctx = NULL;
445 if (group->meth->field_decode != 0) {
447 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
453 if (!group->meth->field_decode(group, x, point->X, ctx))
457 if (!group->meth->field_decode(group, y, point->Y, ctx))
461 if (!group->meth->field_decode(group, z, point->Z, ctx))
466 if (!BN_copy(x, point->X))
470 if (!BN_copy(y, point->Y))
474 if (!BN_copy(z, point->Z))
482 BN_CTX_free(new_ctx);
486 int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group,
489 const BIGNUM *y, BN_CTX *ctx)
491 if (x == NULL || y == NULL) {
493 * unlike for projective coordinates, we do not tolerate this
495 ECerr(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES,
496 ERR_R_PASSED_NULL_PARAMETER);
500 return EC_POINT_set_Jprojective_coordinates_GFp(group, point, x, y,
501 BN_value_one(), ctx);
504 int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group,
505 const EC_POINT *point,
506 BIGNUM *x, BIGNUM *y,
509 BN_CTX *new_ctx = NULL;
510 BIGNUM *Z, *Z_1, *Z_2, *Z_3;
514 if (EC_POINT_is_at_infinity(group, point)) {
515 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES,
516 EC_R_POINT_AT_INFINITY);
521 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
528 Z_1 = BN_CTX_get(ctx);
529 Z_2 = BN_CTX_get(ctx);
530 Z_3 = BN_CTX_get(ctx);
534 /* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */
536 if (group->meth->field_decode) {
537 if (!group->meth->field_decode(group, Z, point->Z, ctx))
545 if (group->meth->field_decode) {
547 if (!group->meth->field_decode(group, x, point->X, ctx))
551 if (!group->meth->field_decode(group, y, point->Y, ctx))
556 if (!BN_copy(x, point->X))
560 if (!BN_copy(y, point->Y))
565 if (!group->meth->field_inv(group, Z_1, Z_, ctx)) {
566 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES,
571 if (group->meth->field_encode == 0) {
572 /* field_sqr works on standard representation */
573 if (!group->meth->field_sqr(group, Z_2, Z_1, ctx))
576 if (!BN_mod_sqr(Z_2, Z_1, group->field, ctx))
582 * in the Montgomery case, field_mul will cancel out Montgomery
585 if (!group->meth->field_mul(group, x, point->X, Z_2, ctx))
590 if (group->meth->field_encode == 0) {
592 * field_mul works on standard representation
594 if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx))
597 if (!BN_mod_mul(Z_3, Z_2, Z_1, group->field, ctx))
602 * in the Montgomery case, field_mul will cancel out Montgomery
605 if (!group->meth->field_mul(group, y, point->Y, Z_3, ctx))
614 BN_CTX_free(new_ctx);
618 int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
619 const EC_POINT *b, BN_CTX *ctx)
621 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
622 const BIGNUM *, BN_CTX *);
623 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
625 BN_CTX *new_ctx = NULL;
626 BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
630 return EC_POINT_dbl(group, r, a, ctx);
631 if (EC_POINT_is_at_infinity(group, a))
632 return EC_POINT_copy(r, b);
633 if (EC_POINT_is_at_infinity(group, b))
634 return EC_POINT_copy(r, a);
636 field_mul = group->meth->field_mul;
637 field_sqr = group->meth->field_sqr;
641 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
647 n0 = BN_CTX_get(ctx);
648 n1 = BN_CTX_get(ctx);
649 n2 = BN_CTX_get(ctx);
650 n3 = BN_CTX_get(ctx);
651 n4 = BN_CTX_get(ctx);
652 n5 = BN_CTX_get(ctx);
653 n6 = BN_CTX_get(ctx);
658 * Note that in this function we must not read components of 'a' or 'b'
659 * once we have written the corresponding components of 'r'. ('r' might
660 * be one of 'a' or 'b'.)
665 if (!BN_copy(n1, a->X))
667 if (!BN_copy(n2, a->Y))
672 if (!field_sqr(group, n0, b->Z, ctx))
674 if (!field_mul(group, n1, a->X, n0, ctx))
676 /* n1 = X_a * Z_b^2 */
678 if (!field_mul(group, n0, n0, b->Z, ctx))
680 if (!field_mul(group, n2, a->Y, n0, ctx))
682 /* n2 = Y_a * Z_b^3 */
687 if (!BN_copy(n3, b->X))
689 if (!BN_copy(n4, b->Y))
694 if (!field_sqr(group, n0, a->Z, ctx))
696 if (!field_mul(group, n3, b->X, n0, ctx))
698 /* n3 = X_b * Z_a^2 */
700 if (!field_mul(group, n0, n0, a->Z, ctx))
702 if (!field_mul(group, n4, b->Y, n0, ctx))
704 /* n4 = Y_b * Z_a^3 */
708 if (!BN_mod_sub_quick(n5, n1, n3, p))
710 if (!BN_mod_sub_quick(n6, n2, n4, p))
715 if (BN_is_zero(n5)) {
716 if (BN_is_zero(n6)) {
717 /* a is the same point as b */
719 ret = EC_POINT_dbl(group, r, a, ctx);
723 /* a is the inverse of b */
732 if (!BN_mod_add_quick(n1, n1, n3, p))
734 if (!BN_mod_add_quick(n2, n2, n4, p))
740 if (a->Z_is_one && b->Z_is_one) {
741 if (!BN_copy(r->Z, n5))
745 if (!BN_copy(n0, b->Z))
747 } else if (b->Z_is_one) {
748 if (!BN_copy(n0, a->Z))
751 if (!field_mul(group, n0, a->Z, b->Z, ctx))
754 if (!field_mul(group, r->Z, n0, n5, ctx))
758 /* Z_r = Z_a * Z_b * n5 */
761 if (!field_sqr(group, n0, n6, ctx))
763 if (!field_sqr(group, n4, n5, ctx))
765 if (!field_mul(group, n3, n1, n4, ctx))
767 if (!BN_mod_sub_quick(r->X, n0, n3, p))
769 /* X_r = n6^2 - n5^2 * 'n7' */
772 if (!BN_mod_lshift1_quick(n0, r->X, p))
774 if (!BN_mod_sub_quick(n0, n3, n0, p))
776 /* n9 = n5^2 * 'n7' - 2 * X_r */
779 if (!field_mul(group, n0, n0, n6, ctx))
781 if (!field_mul(group, n5, n4, n5, ctx))
782 goto end; /* now n5 is n5^3 */
783 if (!field_mul(group, n1, n2, n5, ctx))
785 if (!BN_mod_sub_quick(n0, n0, n1, p))
788 if (!BN_add(n0, n0, p))
790 /* now 0 <= n0 < 2*p, and n0 is even */
791 if (!BN_rshift1(r->Y, n0))
793 /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
799 BN_CTX_free(new_ctx);
803 int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
806 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
807 const BIGNUM *, BN_CTX *);
808 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
810 BN_CTX *new_ctx = NULL;
811 BIGNUM *n0, *n1, *n2, *n3;
814 if (EC_POINT_is_at_infinity(group, a)) {
820 field_mul = group->meth->field_mul;
821 field_sqr = group->meth->field_sqr;
825 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
831 n0 = BN_CTX_get(ctx);
832 n1 = BN_CTX_get(ctx);
833 n2 = BN_CTX_get(ctx);
834 n3 = BN_CTX_get(ctx);
839 * Note that in this function we must not read components of 'a' once we
840 * have written the corresponding components of 'r'. ('r' might the same
846 if (!field_sqr(group, n0, a->X, ctx))
848 if (!BN_mod_lshift1_quick(n1, n0, p))
850 if (!BN_mod_add_quick(n0, n0, n1, p))
852 if (!BN_mod_add_quick(n1, n0, group->a, p))
854 /* n1 = 3 * X_a^2 + a_curve */
855 } else if (group->a_is_minus3) {
856 if (!field_sqr(group, n1, a->Z, ctx))
858 if (!BN_mod_add_quick(n0, a->X, n1, p))
860 if (!BN_mod_sub_quick(n2, a->X, n1, p))
862 if (!field_mul(group, n1, n0, n2, ctx))
864 if (!BN_mod_lshift1_quick(n0, n1, p))
866 if (!BN_mod_add_quick(n1, n0, n1, p))
869 * n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
870 * = 3 * X_a^2 - 3 * Z_a^4
873 if (!field_sqr(group, n0, a->X, ctx))
875 if (!BN_mod_lshift1_quick(n1, n0, p))
877 if (!BN_mod_add_quick(n0, n0, n1, p))
879 if (!field_sqr(group, n1, a->Z, ctx))
881 if (!field_sqr(group, n1, n1, ctx))
883 if (!field_mul(group, n1, n1, group->a, ctx))
885 if (!BN_mod_add_quick(n1, n1, n0, p))
887 /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
892 if (!BN_copy(n0, a->Y))
895 if (!field_mul(group, n0, a->Y, a->Z, ctx))
898 if (!BN_mod_lshift1_quick(r->Z, n0, p))
901 /* Z_r = 2 * Y_a * Z_a */
904 if (!field_sqr(group, n3, a->Y, ctx))
906 if (!field_mul(group, n2, a->X, n3, ctx))
908 if (!BN_mod_lshift_quick(n2, n2, 2, p))
910 /* n2 = 4 * X_a * Y_a^2 */
913 if (!BN_mod_lshift1_quick(n0, n2, p))
915 if (!field_sqr(group, r->X, n1, ctx))
917 if (!BN_mod_sub_quick(r->X, r->X, n0, p))
919 /* X_r = n1^2 - 2 * n2 */
922 if (!field_sqr(group, n0, n3, ctx))
924 if (!BN_mod_lshift_quick(n3, n0, 3, p))
929 if (!BN_mod_sub_quick(n0, n2, r->X, p))
931 if (!field_mul(group, n0, n1, n0, ctx))
933 if (!BN_mod_sub_quick(r->Y, n0, n3, p))
935 /* Y_r = n1 * (n2 - X_r) - n3 */
941 BN_CTX_free(new_ctx);
945 int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
947 if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(point->Y))
948 /* point is its own inverse */
951 return BN_usub(point->Y, group->field, point->Y);
954 int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
956 return BN_is_zero(point->Z);
959 int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
962 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
963 const BIGNUM *, BN_CTX *);
964 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
966 BN_CTX *new_ctx = NULL;
967 BIGNUM *rh, *tmp, *Z4, *Z6;
970 if (EC_POINT_is_at_infinity(group, point))
973 field_mul = group->meth->field_mul;
974 field_sqr = group->meth->field_sqr;
978 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
984 rh = BN_CTX_get(ctx);
985 tmp = BN_CTX_get(ctx);
986 Z4 = BN_CTX_get(ctx);
987 Z6 = BN_CTX_get(ctx);
992 * We have a curve defined by a Weierstrass equation
993 * y^2 = x^3 + a*x + b.
994 * The point to consider is given in Jacobian projective coordinates
995 * where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
996 * Substituting this and multiplying by Z^6 transforms the above equation into
997 * Y^2 = X^3 + a*X*Z^4 + b*Z^6.
998 * To test this, we add up the right-hand side in 'rh'.
1002 if (!field_sqr(group, rh, point->X, ctx))
1005 if (!point->Z_is_one) {
1006 if (!field_sqr(group, tmp, point->Z, ctx))
1008 if (!field_sqr(group, Z4, tmp, ctx))
1010 if (!field_mul(group, Z6, Z4, tmp, ctx))
1013 /* rh := (rh + a*Z^4)*X */
1014 if (group->a_is_minus3) {
1015 if (!BN_mod_lshift1_quick(tmp, Z4, p))
1017 if (!BN_mod_add_quick(tmp, tmp, Z4, p))
1019 if (!BN_mod_sub_quick(rh, rh, tmp, p))
1021 if (!field_mul(group, rh, rh, point->X, ctx))
1024 if (!field_mul(group, tmp, Z4, group->a, ctx))
1026 if (!BN_mod_add_quick(rh, rh, tmp, p))
1028 if (!field_mul(group, rh, rh, point->X, ctx))
1032 /* rh := rh + b*Z^6 */
1033 if (!field_mul(group, tmp, group->b, Z6, ctx))
1035 if (!BN_mod_add_quick(rh, rh, tmp, p))
1038 /* point->Z_is_one */
1040 /* rh := (rh + a)*X */
1041 if (!BN_mod_add_quick(rh, rh, group->a, p))
1043 if (!field_mul(group, rh, rh, point->X, ctx))
1046 if (!BN_mod_add_quick(rh, rh, group->b, p))
1051 if (!field_sqr(group, tmp, point->Y, ctx))
1054 ret = (0 == BN_ucmp(tmp, rh));
1058 BN_CTX_free(new_ctx);
1062 int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
1063 const EC_POINT *b, BN_CTX *ctx)
1068 * 0 equal (in affine coordinates)
1072 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
1073 const BIGNUM *, BN_CTX *);
1074 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1075 BN_CTX *new_ctx = NULL;
1076 BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
1077 const BIGNUM *tmp1_, *tmp2_;
1080 if (EC_POINT_is_at_infinity(group, a)) {
1081 return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
1084 if (EC_POINT_is_at_infinity(group, b))
1087 if (a->Z_is_one && b->Z_is_one) {
1088 return ((BN_cmp(a->X, b->X) == 0) && BN_cmp(a->Y, b->Y) == 0) ? 0 : 1;
1091 field_mul = group->meth->field_mul;
1092 field_sqr = group->meth->field_sqr;
1095 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
1101 tmp1 = BN_CTX_get(ctx);
1102 tmp2 = BN_CTX_get(ctx);
1103 Za23 = BN_CTX_get(ctx);
1104 Zb23 = BN_CTX_get(ctx);
1109 * We have to decide whether
1110 * (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
1111 * or equivalently, whether
1112 * (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
1116 if (!field_sqr(group, Zb23, b->Z, ctx))
1118 if (!field_mul(group, tmp1, a->X, Zb23, ctx))
1124 if (!field_sqr(group, Za23, a->Z, ctx))
1126 if (!field_mul(group, tmp2, b->X, Za23, ctx))
1132 /* compare X_a*Z_b^2 with X_b*Z_a^2 */
1133 if (BN_cmp(tmp1_, tmp2_) != 0) {
1134 ret = 1; /* points differ */
1139 if (!field_mul(group, Zb23, Zb23, b->Z, ctx))
1141 if (!field_mul(group, tmp1, a->Y, Zb23, ctx))
1147 if (!field_mul(group, Za23, Za23, a->Z, ctx))
1149 if (!field_mul(group, tmp2, b->Y, Za23, ctx))
1155 /* compare Y_a*Z_b^3 with Y_b*Z_a^3 */
1156 if (BN_cmp(tmp1_, tmp2_) != 0) {
1157 ret = 1; /* points differ */
1161 /* points are equal */
1166 BN_CTX_free(new_ctx);
1170 int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point,
1173 BN_CTX *new_ctx = NULL;
1177 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
1181 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
1187 x = BN_CTX_get(ctx);
1188 y = BN_CTX_get(ctx);
1192 if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx))
1194 if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx))
1196 if (!point->Z_is_one) {
1197 ECerr(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE, ERR_R_INTERNAL_ERROR);
1205 BN_CTX_free(new_ctx);
1209 int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num,
1210 EC_POINT *points[], BN_CTX *ctx)
1212 BN_CTX *new_ctx = NULL;
1213 BIGNUM *tmp, *tmp_Z;
1214 BIGNUM **prod_Z = NULL;
1222 ctx = new_ctx = BN_CTX_new_ex(group->libctx);
1228 tmp = BN_CTX_get(ctx);
1229 tmp_Z = BN_CTX_get(ctx);
1233 prod_Z = OPENSSL_malloc(num * sizeof(prod_Z[0]));
1236 for (i = 0; i < num; i++) {
1237 prod_Z[i] = BN_new();
1238 if (prod_Z[i] == NULL)
1243 * Set each prod_Z[i] to the product of points[0]->Z .. points[i]->Z,
1244 * skipping any zero-valued inputs (pretend that they're 1).
1247 if (!BN_is_zero(points[0]->Z)) {
1248 if (!BN_copy(prod_Z[0], points[0]->Z))
1251 if (group->meth->field_set_to_one != 0) {
1252 if (!group->meth->field_set_to_one(group, prod_Z[0], ctx))
1255 if (!BN_one(prod_Z[0]))
1260 for (i = 1; i < num; i++) {
1261 if (!BN_is_zero(points[i]->Z)) {
1263 meth->field_mul(group, prod_Z[i], prod_Z[i - 1], points[i]->Z,
1267 if (!BN_copy(prod_Z[i], prod_Z[i - 1]))
1273 * Now use a single explicit inversion to replace every non-zero
1274 * points[i]->Z by its inverse.
1277 if (!group->meth->field_inv(group, tmp, prod_Z[num - 1], ctx)) {
1278 ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);
1281 if (group->meth->field_encode != 0) {
1283 * In the Montgomery case, we just turned R*H (representing H) into
1284 * 1/(R*H), but we need R*(1/H) (representing 1/H); i.e. we need to
1285 * multiply by the Montgomery factor twice.
1287 if (!group->meth->field_encode(group, tmp, tmp, ctx))
1289 if (!group->meth->field_encode(group, tmp, tmp, ctx))
1293 for (i = num - 1; i > 0; --i) {
1295 * Loop invariant: tmp is the product of the inverses of points[0]->Z
1296 * .. points[i]->Z (zero-valued inputs skipped).
1298 if (!BN_is_zero(points[i]->Z)) {
1300 * Set tmp_Z to the inverse of points[i]->Z (as product of Z
1301 * inverses 0 .. i, Z values 0 .. i - 1).
1304 meth->field_mul(group, tmp_Z, prod_Z[i - 1], tmp, ctx))
1307 * Update tmp to satisfy the loop invariant for i - 1.
1309 if (!group->meth->field_mul(group, tmp, tmp, points[i]->Z, ctx))
1311 /* Replace points[i]->Z by its inverse. */
1312 if (!BN_copy(points[i]->Z, tmp_Z))
1317 if (!BN_is_zero(points[0]->Z)) {
1318 /* Replace points[0]->Z by its inverse. */
1319 if (!BN_copy(points[0]->Z, tmp))
1323 /* Finally, fix up the X and Y coordinates for all points. */
1325 for (i = 0; i < num; i++) {
1326 EC_POINT *p = points[i];
1328 if (!BN_is_zero(p->Z)) {
1329 /* turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1) */
1331 if (!group->meth->field_sqr(group, tmp, p->Z, ctx))
1333 if (!group->meth->field_mul(group, p->X, p->X, tmp, ctx))
1336 if (!group->meth->field_mul(group, tmp, tmp, p->Z, ctx))
1338 if (!group->meth->field_mul(group, p->Y, p->Y, tmp, ctx))
1341 if (group->meth->field_set_to_one != 0) {
1342 if (!group->meth->field_set_to_one(group, p->Z, ctx))
1356 BN_CTX_free(new_ctx);
1357 if (prod_Z != NULL) {
1358 for (i = 0; i < num; i++) {
1359 if (prod_Z[i] == NULL)
1361 BN_clear_free(prod_Z[i]);
1363 OPENSSL_free(prod_Z);
1368 int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
1369 const BIGNUM *b, BN_CTX *ctx)
1371 return BN_mod_mul(r, a, b, group->field, ctx);
1374 int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
1377 return BN_mod_sqr(r, a, group->field, ctx);
1381 * Computes the multiplicative inverse of a in GF(p), storing the result in r.
1382 * If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
1383 * Since we don't have a Mont structure here, SCA hardening is with blinding.
1384 * NB: "a" must be in _decoded_ form. (i.e. field_decode must precede.)
1386 int ec_GFp_simple_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
1390 BN_CTX *new_ctx = NULL;
1394 && (ctx = new_ctx = BN_CTX_secure_new_ex(group->libctx)) == NULL)
1398 if ((e = BN_CTX_get(ctx)) == NULL)
1402 if (!BN_priv_rand_range_ex(e, group->field, ctx))
1404 } while (BN_is_zero(e));
1407 if (!group->meth->field_mul(group, r, a, e, ctx))
1409 /* r := 1/(a * e) */
1410 if (!BN_mod_inverse(r, r, group->field, ctx)) {
1411 ECerr(EC_F_EC_GFP_SIMPLE_FIELD_INV, EC_R_CANNOT_INVERT);
1414 /* r := e/(a * e) = 1/a */
1415 if (!group->meth->field_mul(group, r, r, e, ctx))
1422 BN_CTX_free(new_ctx);
1427 * Apply randomization of EC point projective coordinates:
1429 * (X, Y ,Z ) = (lambda^2*X, lambda^3*Y, lambda*Z)
1430 * lambda = [1,group->field)
1433 int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,
1437 BIGNUM *lambda = NULL;
1438 BIGNUM *temp = NULL;
1441 lambda = BN_CTX_get(ctx);
1442 temp = BN_CTX_get(ctx);
1444 ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_MALLOC_FAILURE);
1449 * Make sure lambda is not zero.
1450 * If the RNG fails, we cannot blind but nevertheless want
1451 * code to continue smoothly and not clobber the error stack.
1455 ret = BN_priv_rand_range_ex(lambda, group->field, ctx);
1461 } while (BN_is_zero(lambda));
1463 /* if field_encode defined convert between representations */
1464 if ((group->meth->field_encode != NULL
1465 && !group->meth->field_encode(group, lambda, lambda, ctx))
1466 || !group->meth->field_mul(group, p->Z, p->Z, lambda, ctx)
1467 || !group->meth->field_sqr(group, temp, lambda, ctx)
1468 || !group->meth->field_mul(group, p->X, p->X, temp, ctx)
1469 || !group->meth->field_mul(group, temp, temp, lambda, ctx)
1470 || !group->meth->field_mul(group, p->Y, p->Y, temp, ctx))
1483 * - p: affine coordinates
1486 * - s := p, r := 2p: blinded projective (homogeneous) coordinates
1488 * For doubling we use Formula 3 from Izu-Takagi "A fast parallel elliptic curve
1489 * multiplication resistant against side channel attacks" appendix, described at
1490 * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2
1491 * simplified for Z1=1.
1493 * Blinding uses the equivalence relation (\lambda X, \lambda Y, \lambda Z)
1494 * for any non-zero \lambda that holds for projective (homogeneous) coords.
1496 int ec_GFp_simple_ladder_pre(const EC_GROUP *group,
1497 EC_POINT *r, EC_POINT *s,
1498 EC_POINT *p, BN_CTX *ctx)
1500 BIGNUM *t1, *t2, *t3, *t4, *t5 = NULL;
1508 if (!p->Z_is_one /* r := 2p */
1509 || !group->meth->field_sqr(group, t3, p->X, ctx)
1510 || !BN_mod_sub_quick(t4, t3, group->a, group->field)
1511 || !group->meth->field_sqr(group, t4, t4, ctx)
1512 || !group->meth->field_mul(group, t5, p->X, group->b, ctx)
1513 || !BN_mod_lshift_quick(t5, t5, 3, group->field)
1514 /* r->X coord output */
1515 || !BN_mod_sub_quick(r->X, t4, t5, group->field)
1516 || !BN_mod_add_quick(t1, t3, group->a, group->field)
1517 || !group->meth->field_mul(group, t2, p->X, t1, ctx)
1518 || !BN_mod_add_quick(t2, group->b, t2, group->field)
1519 /* r->Z coord output */
1520 || !BN_mod_lshift_quick(r->Z, t2, 2, group->field))
1523 /* make sure lambda (r->Y here for storage) is not zero */
1525 if (!BN_priv_rand_range_ex(r->Y, group->field, ctx))
1527 } while (BN_is_zero(r->Y));
1529 /* make sure lambda (s->Z here for storage) is not zero */
1531 if (!BN_priv_rand_range_ex(s->Z, group->field, ctx))
1533 } while (BN_is_zero(s->Z));
1535 /* if field_encode defined convert between representations */
1536 if (group->meth->field_encode != NULL
1537 && (!group->meth->field_encode(group, r->Y, r->Y, ctx)
1538 || !group->meth->field_encode(group, s->Z, s->Z, ctx)))
1541 /* blind r and s independently */
1542 if (!group->meth->field_mul(group, r->Z, r->Z, r->Y, ctx)
1543 || !group->meth->field_mul(group, r->X, r->X, r->Y, ctx)
1544 || !group->meth->field_mul(group, s->X, p->X, s->Z, ctx)) /* s := p */
1555 * - s, r: projective (homogeneous) coordinates
1556 * - p: affine coordinates
1559 * - s := r + s, r := 2r: projective (homogeneous) coordinates
1561 * Differential addition-and-doubling using Eq. (9) and (10) from Izu-Takagi
1562 * "A fast parallel elliptic curve multiplication resistant against side channel
1563 * attacks", as described at
1564 * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-mladd-2002-it-4
1566 int ec_GFp_simple_ladder_step(const EC_GROUP *group,
1567 EC_POINT *r, EC_POINT *s,
1568 EC_POINT *p, BN_CTX *ctx)
1571 BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6 = NULL;
1574 t0 = BN_CTX_get(ctx);
1575 t1 = BN_CTX_get(ctx);
1576 t2 = BN_CTX_get(ctx);
1577 t3 = BN_CTX_get(ctx);
1578 t4 = BN_CTX_get(ctx);
1579 t5 = BN_CTX_get(ctx);
1580 t6 = BN_CTX_get(ctx);
1583 || !group->meth->field_mul(group, t6, r->X, s->X, ctx)
1584 || !group->meth->field_mul(group, t0, r->Z, s->Z, ctx)
1585 || !group->meth->field_mul(group, t4, r->X, s->Z, ctx)
1586 || !group->meth->field_mul(group, t3, r->Z, s->X, ctx)
1587 || !group->meth->field_mul(group, t5, group->a, t0, ctx)
1588 || !BN_mod_add_quick(t5, t6, t5, group->field)
1589 || !BN_mod_add_quick(t6, t3, t4, group->field)
1590 || !group->meth->field_mul(group, t5, t6, t5, ctx)
1591 || !group->meth->field_sqr(group, t0, t0, ctx)
1592 || !BN_mod_lshift_quick(t2, group->b, 2, group->field)
1593 || !group->meth->field_mul(group, t0, t2, t0, ctx)
1594 || !BN_mod_lshift1_quick(t5, t5, group->field)
1595 || !BN_mod_sub_quick(t3, t4, t3, group->field)
1596 /* s->Z coord output */
1597 || !group->meth->field_sqr(group, s->Z, t3, ctx)
1598 || !group->meth->field_mul(group, t4, s->Z, p->X, ctx)
1599 || !BN_mod_add_quick(t0, t0, t5, group->field)
1600 /* s->X coord output */
1601 || !BN_mod_sub_quick(s->X, t0, t4, group->field)
1602 || !group->meth->field_sqr(group, t4, r->X, ctx)
1603 || !group->meth->field_sqr(group, t5, r->Z, ctx)
1604 || !group->meth->field_mul(group, t6, t5, group->a, ctx)
1605 || !BN_mod_add_quick(t1, r->X, r->Z, group->field)
1606 || !group->meth->field_sqr(group, t1, t1, ctx)
1607 || !BN_mod_sub_quick(t1, t1, t4, group->field)
1608 || !BN_mod_sub_quick(t1, t1, t5, group->field)
1609 || !BN_mod_sub_quick(t3, t4, t6, group->field)
1610 || !group->meth->field_sqr(group, t3, t3, ctx)
1611 || !group->meth->field_mul(group, t0, t5, t1, ctx)
1612 || !group->meth->field_mul(group, t0, t2, t0, ctx)
1613 /* r->X coord output */
1614 || !BN_mod_sub_quick(r->X, t3, t0, group->field)
1615 || !BN_mod_add_quick(t3, t4, t6, group->field)
1616 || !group->meth->field_sqr(group, t4, t5, ctx)
1617 || !group->meth->field_mul(group, t4, t4, t2, ctx)
1618 || !group->meth->field_mul(group, t1, t1, t3, ctx)
1619 || !BN_mod_lshift1_quick(t1, t1, group->field)
1620 /* r->Z coord output */
1621 || !BN_mod_add_quick(r->Z, t4, t1, group->field))
1633 * - s, r: projective (homogeneous) coordinates
1634 * - p: affine coordinates
1637 * - r := (x,y): affine coordinates
1639 * Recovers the y-coordinate of r using Eq. (8) from Brier-Joye, "Weierstrass
1640 * Elliptic Curves and Side-Channel Attacks", modified to work in mixed
1641 * projective coords, i.e. p is affine and (r,s) in projective (homogeneous)
1642 * coords, and return r in affine coordinates.
1644 * X4 = two*Y1*X2*Z3*Z2;
1645 * Y4 = two*b*Z3*SQR(Z2) + Z3*(a*Z2+X1*X2)*(X1*Z2+X2) - X3*SQR(X1*Z2-X2);
1646 * Z4 = two*Y1*Z3*SQR(Z2);
1649 * - Z2==0 implies r is at infinity (handled by the BN_is_zero(r->Z) branch);
1650 * - Z3==0 implies s is at infinity (handled by the BN_is_zero(s->Z) branch);
1651 * - Y1==0 implies p has order 2, so either r or s are infinity and handled by
1652 * one of the BN_is_zero(...) branches.
1654 int ec_GFp_simple_ladder_post(const EC_GROUP *group,
1655 EC_POINT *r, EC_POINT *s,
1656 EC_POINT *p, BN_CTX *ctx)
1659 BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6 = NULL;
1661 if (BN_is_zero(r->Z))
1662 return EC_POINT_set_to_infinity(group, r);
1664 if (BN_is_zero(s->Z)) {
1665 if (!EC_POINT_copy(r, p)
1666 || !EC_POINT_invert(group, r, ctx))
1672 t0 = BN_CTX_get(ctx);
1673 t1 = BN_CTX_get(ctx);
1674 t2 = BN_CTX_get(ctx);
1675 t3 = BN_CTX_get(ctx);
1676 t4 = BN_CTX_get(ctx);
1677 t5 = BN_CTX_get(ctx);
1678 t6 = BN_CTX_get(ctx);
1681 || !BN_mod_lshift1_quick(t4, p->Y, group->field)
1682 || !group->meth->field_mul(group, t6, r->X, t4, ctx)
1683 || !group->meth->field_mul(group, t6, s->Z, t6, ctx)
1684 || !group->meth->field_mul(group, t5, r->Z, t6, ctx)
1685 || !BN_mod_lshift1_quick(t1, group->b, group->field)
1686 || !group->meth->field_mul(group, t1, s->Z, t1, ctx)
1687 || !group->meth->field_sqr(group, t3, r->Z, ctx)
1688 || !group->meth->field_mul(group, t2, t3, t1, ctx)
1689 || !group->meth->field_mul(group, t6, r->Z, group->a, ctx)
1690 || !group->meth->field_mul(group, t1, p->X, r->X, ctx)
1691 || !BN_mod_add_quick(t1, t1, t6, group->field)
1692 || !group->meth->field_mul(group, t1, s->Z, t1, ctx)
1693 || !group->meth->field_mul(group, t0, p->X, r->Z, ctx)
1694 || !BN_mod_add_quick(t6, r->X, t0, group->field)
1695 || !group->meth->field_mul(group, t6, t6, t1, ctx)
1696 || !BN_mod_add_quick(t6, t6, t2, group->field)
1697 || !BN_mod_sub_quick(t0, t0, r->X, group->field)
1698 || !group->meth->field_sqr(group, t0, t0, ctx)
1699 || !group->meth->field_mul(group, t0, t0, s->X, ctx)
1700 || !BN_mod_sub_quick(t0, t6, t0, group->field)
1701 || !group->meth->field_mul(group, t1, s->Z, t4, ctx)
1702 || !group->meth->field_mul(group, t1, t3, t1, ctx)
1703 || (group->meth->field_decode != NULL
1704 && !group->meth->field_decode(group, t1, t1, ctx))
1705 || !group->meth->field_inv(group, t1, t1, ctx)
1706 || (group->meth->field_encode != NULL
1707 && !group->meth->field_encode(group, t1, t1, ctx))
1708 || !group->meth->field_mul(group, r->X, t5, t1, ctx)
1709 || !group->meth->field_mul(group, r->Y, t0, t1, ctx))
1712 if (group->meth->field_set_to_one != NULL) {
1713 if (!group->meth->field_set_to_one(group, r->Z, ctx))
projects / openssl.git / blob