- BN_CTX_end(ctx);
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
- return ret;
- }
-
-
-int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx)
- {
- BN_CTX *new_ctx = NULL;
- BIGNUM *tmp, *tmp_Z;
- BIGNUM **prod_Z = NULL;
- size_t i;
- int ret = 0;
-
- if (num == 0)
- return 1;
-
- if (ctx == NULL)
- {
- ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
- return 0;
- }
-
- BN_CTX_start(ctx);
- tmp = BN_CTX_get(ctx);
- tmp_Z = BN_CTX_get(ctx);
- if (tmp == NULL || tmp_Z == NULL) goto err;
-
- prod_Z = OPENSSL_malloc(num * sizeof prod_Z[0]);
- if (prod_Z == NULL) goto err;
- for (i = 0; i < num; i++)
- {
- prod_Z[i] = BN_new();
- if (prod_Z[i] == NULL) goto err;
- }
-
- /* Set each prod_Z[i] to the product of points[0]->Z .. points[i]->Z,
- * skipping any zero-valued inputs (pretend that they're 1). */
-
- if (!BN_is_zero(&points[0]->Z))
- {
- if (!BN_copy(prod_Z[0], &points[0]->Z)) goto err;
- }
- else
- {
- if (group->meth->field_set_to_one != 0)
- {
- if (!group->meth->field_set_to_one(group, prod_Z[0], ctx)) goto err;
- }
- else
- {
- if (!BN_one(prod_Z[0])) goto err;
- }
- }
-
- for (i = 1; i < num; i++)
- {
- if (!BN_is_zero(&points[i]->Z))
- {
- if (!group->meth->field_mul(group, prod_Z[i], prod_Z[i - 1], &points[i]->Z, ctx)) goto err;
- }
- else
- {
- if (!BN_copy(prod_Z[i], prod_Z[i - 1])) goto err;
- }
- }
-
- /* Now use a single explicit inversion to replace every
- * non-zero points[i]->Z by its inverse. */
-
- if (!BN_mod_inverse(tmp, prod_Z[num - 1], &group->field, ctx))
- {
- ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);
- goto err;
- }
- if (group->meth->field_encode != 0)
- {
- /* In the Montgomery case, we just turned R*H (representing H)
- * into 1/(R*H), but we need R*(1/H) (representing 1/H);
- * i.e. we need to multiply by the Montgomery factor twice. */
- if (!group->meth->field_encode(group, tmp, tmp, ctx)) goto err;
- if (!group->meth->field_encode(group, tmp, tmp, ctx)) goto err;
- }
-
- for (i = num - 1; i > 0; --i)
- {
- /* Loop invariant: tmp is the product of the inverses of
- * points[0]->Z .. points[i]->Z (zero-valued inputs skipped). */
- if (!BN_is_zero(&points[i]->Z))
- {
- /* Set tmp_Z to the inverse of points[i]->Z (as product
- * of Z inverses 0 .. i, Z values 0 .. i - 1). */
- if (!group->meth->field_mul(group, tmp_Z, prod_Z[i - 1], tmp, ctx)) goto err;
- /* Update tmp to satisfy the loop invariant for i - 1. */
- if (!group->meth->field_mul(group, tmp, tmp, &points[i]->Z, ctx)) goto err;
- /* Replace points[i]->Z by its inverse. */
- if (!BN_copy(&points[i]->Z, tmp_Z)) goto err;
- }
- }
-
- if (!BN_is_zero(&points[0]->Z))
- {
- /* Replace points[0]->Z by its inverse. */
- if (!BN_copy(&points[0]->Z, tmp)) goto err;
- }
-
- /* Finally, fix up the X and Y coordinates for all points. */
-
- for (i = 0; i < num; i++)
- {
- EC_POINT *p = points[i];
-
- if (!BN_is_zero(&p->Z))
- {
- /* turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1) */
-
- if (!group->meth->field_sqr(group, tmp, &p->Z, ctx)) goto err;
- if (!group->meth->field_mul(group, &p->X, &p->X, tmp, ctx)) goto err;
-
- if (!group->meth->field_mul(group, tmp, tmp, &p->Z, ctx)) goto err;
- if (!group->meth->field_mul(group, &p->Y, &p->Y, tmp, ctx)) goto err;
-
- if (group->meth->field_set_to_one != 0)
- {
- if (!group->meth->field_set_to_one(group, &p->Z, ctx)) goto err;
- }
- else
- {
- if (!BN_one(&p->Z)) goto err;
- }
- p->Z_is_one = 1;
- }
- }
-
- ret = 1;
+ BN_CTX_end(ctx);
+ BN_CTX_free(new_ctx);
+ if (prod_Z != NULL) {
+ for (i = 0; i < num; i++) {
+ if (prod_Z[i] == NULL)
+ break;
+ BN_clear_free(prod_Z[i]);
+ }
+ OPENSSL_free(prod_Z);
+ }
+ return ret;
+}
+
+int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
+ const BIGNUM *b, BN_CTX *ctx)
+{
+ return BN_mod_mul(r, a, b, group->field, ctx);
+}
+
+int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
+ BN_CTX *ctx)
+{
+ return BN_mod_sqr(r, a, group->field, ctx);
+}
+
+/*-
+ * Computes the multiplicative inverse of a in GF(p), storing the result in r.
+ * If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
+ * Since we don't have a Mont structure here, SCA hardening is with blinding.
+ * NB: "a" must be in _decoded_ form. (i.e. field_decode must precede.)
+ */
+int ec_GFp_simple_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
+ BN_CTX *ctx)
+{
+ BIGNUM *e = NULL;
+ BN_CTX *new_ctx = NULL;
+ int ret = 0;
+
+ if (ctx == NULL
+ && (ctx = new_ctx = BN_CTX_secure_new_ex(group->libctx)) == NULL)
+ return 0;
+
+ BN_CTX_start(ctx);
+ if ((e = BN_CTX_get(ctx)) == NULL)
+ goto err;
+
+ do {
+ if (!BN_priv_rand_range_ex(e, group->field, ctx))
+ goto err;
+ } while (BN_is_zero(e));
+
+ /* r := a * e */
+ if (!group->meth->field_mul(group, r, a, e, ctx))
+ goto err;
+ /* r := 1/(a * e) */
+ if (!BN_mod_inverse(r, r, group->field, ctx)) {
+ ECerr(EC_F_EC_GFP_SIMPLE_FIELD_INV, EC_R_CANNOT_INVERT);
+ goto err;
+ }
+ /* r := e/(a * e) = 1/a */
+ if (!group->meth->field_mul(group, r, r, e, ctx))
+ goto err;
+
+ ret = 1;
+
+ err:
+ BN_CTX_end(ctx);
+ BN_CTX_free(new_ctx);
+ return ret;
+}
+
+/*-
+ * Apply randomization of EC point projective coordinates:
+ *
+ * (X, Y ,Z ) = (lambda^2*X, lambda^3*Y, lambda*Z)
+ * lambda = [1,group->field)
+ *
+ */
+int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,
+ BN_CTX *ctx)
+{
+ int ret = 0;
+ BIGNUM *lambda = NULL;
+ BIGNUM *temp = NULL;
+
+ BN_CTX_start(ctx);
+ lambda = BN_CTX_get(ctx);
+ temp = BN_CTX_get(ctx);
+ if (temp == NULL) {
+ ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_MALLOC_FAILURE);
+ goto end;
+ }
+
+ /*-
+ * Make sure lambda is not zero.
+ * If the RNG fails, we cannot blind but nevertheless want
+ * code to continue smoothly and not clobber the error stack.
+ */
+ do {
+ ERR_set_mark();
+ ret = BN_priv_rand_range_ex(lambda, group->field, ctx);
+ ERR_pop_to_mark();
+ if (ret == 0) {
+ ret = 1;
+ goto end;
+ }
+ } while (BN_is_zero(lambda));
+
+ /* if field_encode defined convert between representations */
+ if ((group->meth->field_encode != NULL
+ && !group->meth->field_encode(group, lambda, lambda, ctx))
+ || !group->meth->field_mul(group, p->Z, p->Z, lambda, ctx)
+ || !group->meth->field_sqr(group, temp, lambda, ctx)
+ || !group->meth->field_mul(group, p->X, p->X, temp, ctx)
+ || !group->meth->field_mul(group, temp, temp, lambda, ctx)
+ || !group->meth->field_mul(group, p->Y, p->Y, temp, ctx))
+ goto end;
+
+ p->Z_is_one = 0;
+ ret = 1;
+
+ end:
+ BN_CTX_end(ctx);
+ return ret;
+}
+
+/*-
+ * Input:
+ * - p: affine coordinates
+ *
+ * Output:
+ * - s := p, r := 2p: blinded projective (homogeneous) coordinates
+ *
+ * For doubling we use Formula 3 from Izu-Takagi "A fast parallel elliptic curve
+ * multiplication resistant against side channel attacks" appendix, described at
+ * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2
+ * simplified for Z1=1.
+ *
+ * Blinding uses the equivalence relation (\lambda X, \lambda Y, \lambda Z)
+ * for any non-zero \lambda that holds for projective (homogeneous) coords.
+ */
+int ec_GFp_simple_ladder_pre(const EC_GROUP *group,
+ EC_POINT *r, EC_POINT *s,
+ EC_POINT *p, BN_CTX *ctx)
+{
+ BIGNUM *t1, *t2, *t3, *t4, *t5 = NULL;
+
+ t1 = s->Z;
+ t2 = r->Z;
+ t3 = s->X;
+ t4 = r->X;
+ t5 = s->Y;
+
+ if (!p->Z_is_one /* r := 2p */
+ || !group->meth->field_sqr(group, t3, p->X, ctx)
+ || !BN_mod_sub_quick(t4, t3, group->a, group->field)
+ || !group->meth->field_sqr(group, t4, t4, ctx)
+ || !group->meth->field_mul(group, t5, p->X, group->b, ctx)
+ || !BN_mod_lshift_quick(t5, t5, 3, group->field)
+ /* r->X coord output */
+ || !BN_mod_sub_quick(r->X, t4, t5, group->field)
+ || !BN_mod_add_quick(t1, t3, group->a, group->field)
+ || !group->meth->field_mul(group, t2, p->X, t1, ctx)
+ || !BN_mod_add_quick(t2, group->b, t2, group->field)
+ /* r->Z coord output */
+ || !BN_mod_lshift_quick(r->Z, t2, 2, group->field))
+ return 0;
+
+ /* make sure lambda (r->Y here for storage) is not zero */
+ do {
+ if (!BN_priv_rand_range_ex(r->Y, group->field, ctx))
+ return 0;
+ } while (BN_is_zero(r->Y));
+
+ /* make sure lambda (s->Z here for storage) is not zero */
+ do {
+ if (!BN_priv_rand_range_ex(s->Z, group->field, ctx))
+ return 0;
+ } while (BN_is_zero(s->Z));
+
+ /* if field_encode defined convert between representations */
+ if (group->meth->field_encode != NULL
+ && (!group->meth->field_encode(group, r->Y, r->Y, ctx)
+ || !group->meth->field_encode(group, s->Z, s->Z, ctx)))
+ return 0;
+
+ /* blind r and s independently */
+ if (!group->meth->field_mul(group, r->Z, r->Z, r->Y, ctx)
+ || !group->meth->field_mul(group, r->X, r->X, r->Y, ctx)
+ || !group->meth->field_mul(group, s->X, p->X, s->Z, ctx)) /* s := p */
+ return 0;
+
+ r->Z_is_one = 0;
+ s->Z_is_one = 0;
+
+ return 1;
+}
+
+/*-
+ * Input:
+ * - s, r: projective (homogeneous) coordinates
+ * - p: affine coordinates
+ *
+ * Output:
+ * - s := r + s, r := 2r: projective (homogeneous) coordinates
+ *
+ * Differential addition-and-doubling using Eq. (9) and (10) from Izu-Takagi
+ * "A fast parallel elliptic curve multiplication resistant against side channel
+ * attacks", as described at
+ * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-mladd-2002-it-4
+ */
+int ec_GFp_simple_ladder_step(const EC_GROUP *group,
+ EC_POINT *r, EC_POINT *s,
+ EC_POINT *p, BN_CTX *ctx)
+{
+ int ret = 0;
+ BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6 = NULL;
+
+ BN_CTX_start(ctx);
+ t0 = BN_CTX_get(ctx);
+ t1 = BN_CTX_get(ctx);
+ t2 = BN_CTX_get(ctx);
+ t3 = BN_CTX_get(ctx);
+ t4 = BN_CTX_get(ctx);
+ t5 = BN_CTX_get(ctx);
+ t6 = BN_CTX_get(ctx);
+
+ if (t6 == NULL
+ || !group->meth->field_mul(group, t6, r->X, s->X, ctx)
+ || !group->meth->field_mul(group, t0, r->Z, s->Z, ctx)
+ || !group->meth->field_mul(group, t4, r->X, s->Z, ctx)
+ || !group->meth->field_mul(group, t3, r->Z, s->X, ctx)
+ || !group->meth->field_mul(group, t5, group->a, t0, ctx)
+ || !BN_mod_add_quick(t5, t6, t5, group->field)
+ || !BN_mod_add_quick(t6, t3, t4, group->field)
+ || !group->meth->field_mul(group, t5, t6, t5, ctx)
+ || !group->meth->field_sqr(group, t0, t0, ctx)
+ || !BN_mod_lshift_quick(t2, group->b, 2, group->field)
+ || !group->meth->field_mul(group, t0, t2, t0, ctx)
+ || !BN_mod_lshift1_quick(t5, t5, group->field)
+ || !BN_mod_sub_quick(t3, t4, t3, group->field)
+ /* s->Z coord output */
+ || !group->meth->field_sqr(group, s->Z, t3, ctx)
+ || !group->meth->field_mul(group, t4, s->Z, p->X, ctx)
+ || !BN_mod_add_quick(t0, t0, t5, group->field)
+ /* s->X coord output */
+ || !BN_mod_sub_quick(s->X, t0, t4, group->field)
+ || !group->meth->field_sqr(group, t4, r->X, ctx)
+ || !group->meth->field_sqr(group, t5, r->Z, ctx)
+ || !group->meth->field_mul(group, t6, t5, group->a, ctx)
+ || !BN_mod_add_quick(t1, r->X, r->Z, group->field)
+ || !group->meth->field_sqr(group, t1, t1, ctx)
+ || !BN_mod_sub_quick(t1, t1, t4, group->field)
+ || !BN_mod_sub_quick(t1, t1, t5, group->field)
+ || !BN_mod_sub_quick(t3, t4, t6, group->field)
+ || !group->meth->field_sqr(group, t3, t3, ctx)
+ || !group->meth->field_mul(group, t0, t5, t1, ctx)
+ || !group->meth->field_mul(group, t0, t2, t0, ctx)
+ /* r->X coord output */
+ || !BN_mod_sub_quick(r->X, t3, t0, group->field)
+ || !BN_mod_add_quick(t3, t4, t6, group->field)
+ || !group->meth->field_sqr(group, t4, t5, ctx)
+ || !group->meth->field_mul(group, t4, t4, t2, ctx)
+ || !group->meth->field_mul(group, t1, t1, t3, ctx)
+ || !BN_mod_lshift1_quick(t1, t1, group->field)
+ /* r->Z coord output */
+ || !BN_mod_add_quick(r->Z, t4, t1, group->field))
+ goto err;
+
+ ret = 1;
+
+ err:
+ BN_CTX_end(ctx);
+ return ret;
+}
+
+/*-
+ * Input:
+ * - s, r: projective (homogeneous) coordinates
+ * - p: affine coordinates
+ *
+ * Output:
+ * - r := (x,y): affine coordinates
+ *
+ * Recovers the y-coordinate of r using Eq. (8) from Brier-Joye, "Weierstrass
+ * Elliptic Curves and Side-Channel Attacks", modified to work in mixed
+ * projective coords, i.e. p is affine and (r,s) in projective (homogeneous)
+ * coords, and return r in affine coordinates.
+ *
+ * X4 = two*Y1*X2*Z3*Z2;
+ * Y4 = two*b*Z3*SQR(Z2) + Z3*(a*Z2+X1*X2)*(X1*Z2+X2) - X3*SQR(X1*Z2-X2);
+ * Z4 = two*Y1*Z3*SQR(Z2);
+ *
+ * Z4 != 0 because:
+ * - Z2==0 implies r is at infinity (handled by the BN_is_zero(r->Z) branch);
+ * - Z3==0 implies s is at infinity (handled by the BN_is_zero(s->Z) branch);
+ * - Y1==0 implies p has order 2, so either r or s are infinity and handled by
+ * one of the BN_is_zero(...) branches.
+ */
+int ec_GFp_simple_ladder_post(const EC_GROUP *group,
+ EC_POINT *r, EC_POINT *s,
+ EC_POINT *p, BN_CTX *ctx)
+{
+ int ret = 0;
+ BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6 = NULL;
+
+ if (BN_is_zero(r->Z))
+ return EC_POINT_set_to_infinity(group, r);
+
+ if (BN_is_zero(s->Z)) {
+ if (!EC_POINT_copy(r, p)
+ || !EC_POINT_invert(group, r, ctx))
+ return 0;
+ return 1;
+ }
+
+ BN_CTX_start(ctx);
+ t0 = BN_CTX_get(ctx);
+ t1 = BN_CTX_get(ctx);
+ t2 = BN_CTX_get(ctx);
+ t3 = BN_CTX_get(ctx);
+ t4 = BN_CTX_get(ctx);
+ t5 = BN_CTX_get(ctx);
+ t6 = BN_CTX_get(ctx);
+
+ if (t6 == NULL
+ || !BN_mod_lshift1_quick(t4, p->Y, group->field)
+ || !group->meth->field_mul(group, t6, r->X, t4, ctx)
+ || !group->meth->field_mul(group, t6, s->Z, t6, ctx)
+ || !group->meth->field_mul(group, t5, r->Z, t6, ctx)
+ || !BN_mod_lshift1_quick(t1, group->b, group->field)
+ || !group->meth->field_mul(group, t1, s->Z, t1, ctx)
+ || !group->meth->field_sqr(group, t3, r->Z, ctx)
+ || !group->meth->field_mul(group, t2, t3, t1, ctx)
+ || !group->meth->field_mul(group, t6, r->Z, group->a, ctx)
+ || !group->meth->field_mul(group, t1, p->X, r->X, ctx)
+ || !BN_mod_add_quick(t1, t1, t6, group->field)
+ || !group->meth->field_mul(group, t1, s->Z, t1, ctx)
+ || !group->meth->field_mul(group, t0, p->X, r->Z, ctx)
+ || !BN_mod_add_quick(t6, r->X, t0, group->field)
+ || !group->meth->field_mul(group, t6, t6, t1, ctx)
+ || !BN_mod_add_quick(t6, t6, t2, group->field)
+ || !BN_mod_sub_quick(t0, t0, r->X, group->field)
+ || !group->meth->field_sqr(group, t0, t0, ctx)
+ || !group->meth->field_mul(group, t0, t0, s->X, ctx)
+ || !BN_mod_sub_quick(t0, t6, t0, group->field)
+ || !group->meth->field_mul(group, t1, s->Z, t4, ctx)
+ || !group->meth->field_mul(group, t1, t3, t1, ctx)
+ || (group->meth->field_decode != NULL
+ && !group->meth->field_decode(group, t1, t1, ctx))
+ || !group->meth->field_inv(group, t1, t1, ctx)
+ || (group->meth->field_encode != NULL
+ && !group->meth->field_encode(group, t1, t1, ctx))
+ || !group->meth->field_mul(group, r->X, t5, t1, ctx)
+ || !group->meth->field_mul(group, r->Y, t0, t1, ctx))
+ goto err;
+
+ if (group->meth->field_set_to_one != NULL) {
+ if (!group->meth->field_set_to_one(group, r->Z, ctx))
+ goto err;
+ } else {
+ if (!BN_one(r->Z))
+ goto err;
+ }
+
+ r->Z_is_one = 1;
+ ret = 1;