1 /* crypto/ec/ecp_smpl.c */
3 * Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
4 * for the OpenSSL project. Includes code written by Bodo Moeller for the
7 /* ====================================================================
8 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in
19 * the documentation and/or other materials provided with the
22 * 3. All advertising materials mentioning features or use of this
23 * software must display the following acknowledgment:
24 * "This product includes software developed by the OpenSSL Project
25 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
27 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
28 * endorse or promote products derived from this software without
29 * prior written permission. For written permission, please contact
30 * openssl-core@openssl.org.
32 * 5. Products derived from this software may not be called "OpenSSL"
33 * nor may "OpenSSL" appear in their names without prior written
34 * permission of the OpenSSL Project.
36 * 6. Redistributions of any form whatsoever must retain the following
38 * "This product includes software developed by the OpenSSL Project
39 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
41 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
42 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
44 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
45 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
46 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
47 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
48 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
49 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
50 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
51 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
52 * OF THE POSSIBILITY OF SUCH DAMAGE.
53 * ====================================================================
55 * This product includes cryptographic software written by Eric Young
56 * (eay@cryptsoft.com). This product includes software written by Tim
57 * Hudson (tjh@cryptsoft.com).
60 /* ====================================================================
61 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
62 * Portions of this software developed by SUN MICROSYSTEMS, INC.,
63 * and contributed to the OpenSSL project.
66 #include <openssl/err.h>
67 #include <openssl/symhacks.h>
71 const EC_METHOD *EC_GFp_simple_method(void)
73 static const EC_METHOD ret = {
74 NID_X9_62_prime_field,
75 ec_GFp_simple_group_init,
76 ec_GFp_simple_group_finish,
77 ec_GFp_simple_group_clear_finish,
78 ec_GFp_simple_group_copy,
79 ec_GFp_simple_group_set_curve,
80 ec_GFp_simple_group_get_curve,
81 ec_GFp_simple_group_get_degree,
82 ec_GFp_simple_group_check_discriminant,
83 ec_GFp_simple_point_init,
84 ec_GFp_simple_point_finish,
85 ec_GFp_simple_point_clear_finish,
86 ec_GFp_simple_point_copy,
87 ec_GFp_simple_point_set_to_infinity,
88 ec_GFp_simple_set_Jprojective_coordinates_GFp,
89 ec_GFp_simple_get_Jprojective_coordinates_GFp,
90 ec_GFp_simple_point_set_affine_coordinates,
91 ec_GFp_simple_point_get_affine_coordinates,
92 ec_GFp_simple_set_compressed_coordinates,
93 ec_GFp_simple_point2oct,
94 ec_GFp_simple_oct2point,
98 ec_GFp_simple_is_at_infinity,
99 ec_GFp_simple_is_on_curve,
101 ec_GFp_simple_make_affine,
102 ec_GFp_simple_points_make_affine,
104 0 /* precompute_mult */ ,
105 0 /* have_precompute_mult */ ,
106 ec_GFp_simple_field_mul,
107 ec_GFp_simple_field_sqr,
109 0 /* field_encode */ ,
110 0 /* field_decode */ ,
111 0 /* field_set_to_one */
118 * Most method functions in this file are designed to work with
119 * non-trivial representations of field elements if necessary
120 * (see ecp_mont.c): while standard modular addition and subtraction
121 * are used, the field_mul and field_sqr methods will be used for
122 * multiplication, and field_encode and field_decode (if defined)
123 * will be used for converting between representations.
125 * Functions ec_GFp_simple_points_make_affine() and
126 * ec_GFp_simple_point_get_affine_coordinates() specifically assume
127 * that if a non-trivial representation is used, it is a Montgomery
128 * representation (i.e. 'encoding' means multiplying by some factor R).
131 int ec_GFp_simple_group_init(EC_GROUP *group)
133 BN_init(&group->field);
136 group->a_is_minus3 = 0;
140 void ec_GFp_simple_group_finish(EC_GROUP *group)
142 BN_free(&group->field);
147 void ec_GFp_simple_group_clear_finish(EC_GROUP *group)
149 BN_clear_free(&group->field);
150 BN_clear_free(&group->a);
151 BN_clear_free(&group->b);
154 int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
156 if (!BN_copy(&dest->field, &src->field))
158 if (!BN_copy(&dest->a, &src->a))
160 if (!BN_copy(&dest->b, &src->b))
163 dest->a_is_minus3 = src->a_is_minus3;
168 int ec_GFp_simple_group_set_curve(EC_GROUP *group,
169 const BIGNUM *p, const BIGNUM *a,
170 const BIGNUM *b, BN_CTX *ctx)
173 BN_CTX *new_ctx = NULL;
176 /* p must be a prime > 3 */
177 if (BN_num_bits(p) <= 2 || !BN_is_odd(p)) {
178 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_INVALID_FIELD);
183 ctx = new_ctx = BN_CTX_new();
189 tmp_a = BN_CTX_get(ctx);
194 if (!BN_copy(&group->field, p))
196 BN_set_negative(&group->field, 0);
199 if (!BN_nnmod(tmp_a, a, p, ctx))
201 if (group->meth->field_encode) {
202 if (!group->meth->field_encode(group, &group->a, tmp_a, ctx))
204 } else if (!BN_copy(&group->a, tmp_a))
208 if (!BN_nnmod(&group->b, b, p, ctx))
210 if (group->meth->field_encode)
211 if (!group->meth->field_encode(group, &group->b, &group->b, ctx))
214 /* group->a_is_minus3 */
215 if (!BN_add_word(tmp_a, 3))
217 group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
224 BN_CTX_free(new_ctx);
228 int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
229 BIGNUM *b, BN_CTX *ctx)
232 BN_CTX *new_ctx = NULL;
235 if (!BN_copy(p, &group->field))
239 if (a != NULL || b != NULL) {
240 if (group->meth->field_decode) {
242 ctx = new_ctx = BN_CTX_new();
247 if (!group->meth->field_decode(group, a, &group->a, ctx))
251 if (!group->meth->field_decode(group, b, &group->b, ctx))
256 if (!BN_copy(a, &group->a))
260 if (!BN_copy(b, &group->b))
270 BN_CTX_free(new_ctx);
274 int ec_GFp_simple_group_get_degree(const EC_GROUP *group)
276 return BN_num_bits(&group->field);
279 int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
282 BIGNUM *a, *b, *order, *tmp_1, *tmp_2;
283 const BIGNUM *p = &group->field;
284 BN_CTX *new_ctx = NULL;
287 ctx = new_ctx = BN_CTX_new();
289 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT,
290 ERR_R_MALLOC_FAILURE);
297 tmp_1 = BN_CTX_get(ctx);
298 tmp_2 = BN_CTX_get(ctx);
299 order = BN_CTX_get(ctx);
303 if (group->meth->field_decode) {
304 if (!group->meth->field_decode(group, a, &group->a, ctx))
306 if (!group->meth->field_decode(group, b, &group->b, ctx))
309 if (!BN_copy(a, &group->a))
311 if (!BN_copy(b, &group->b))
316 * check the discriminant:
317 * y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p)
323 } else if (!BN_is_zero(b)) {
324 if (!BN_mod_sqr(tmp_1, a, p, ctx))
326 if (!BN_mod_mul(tmp_2, tmp_1, a, p, ctx))
328 if (!BN_lshift(tmp_1, tmp_2, 2))
332 if (!BN_mod_sqr(tmp_2, b, p, ctx))
334 if (!BN_mul_word(tmp_2, 27))
338 if (!BN_mod_add(a, tmp_1, tmp_2, p, ctx))
349 BN_CTX_free(new_ctx);
353 int ec_GFp_simple_point_init(EC_POINT *point)
363 void ec_GFp_simple_point_finish(EC_POINT *point)
370 void ec_GFp_simple_point_clear_finish(EC_POINT *point)
372 BN_clear_free(&point->X);
373 BN_clear_free(&point->Y);
374 BN_clear_free(&point->Z);
378 int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
380 if (!BN_copy(&dest->X, &src->X))
382 if (!BN_copy(&dest->Y, &src->Y))
384 if (!BN_copy(&dest->Z, &src->Z))
386 dest->Z_is_one = src->Z_is_one;
391 int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group,
399 int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *group,
406 BN_CTX *new_ctx = NULL;
410 ctx = new_ctx = BN_CTX_new();
416 if (!BN_nnmod(&point->X, x, &group->field, ctx))
418 if (group->meth->field_encode) {
419 if (!group->meth->field_encode(group, &point->X, &point->X, ctx))
425 if (!BN_nnmod(&point->Y, y, &group->field, ctx))
427 if (group->meth->field_encode) {
428 if (!group->meth->field_encode(group, &point->Y, &point->Y, ctx))
436 if (!BN_nnmod(&point->Z, z, &group->field, ctx))
438 Z_is_one = BN_is_one(&point->Z);
439 if (group->meth->field_encode) {
440 if (Z_is_one && (group->meth->field_set_to_one != 0)) {
441 if (!group->meth->field_set_to_one(group, &point->Z, ctx))
445 meth->field_encode(group, &point->Z, &point->Z, ctx))
449 point->Z_is_one = Z_is_one;
456 BN_CTX_free(new_ctx);
460 int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group,
461 const EC_POINT *point,
462 BIGNUM *x, BIGNUM *y,
463 BIGNUM *z, BN_CTX *ctx)
465 BN_CTX *new_ctx = NULL;
468 if (group->meth->field_decode != 0) {
470 ctx = new_ctx = BN_CTX_new();
476 if (!group->meth->field_decode(group, x, &point->X, ctx))
480 if (!group->meth->field_decode(group, y, &point->Y, ctx))
484 if (!group->meth->field_decode(group, z, &point->Z, ctx))
489 if (!BN_copy(x, &point->X))
493 if (!BN_copy(y, &point->Y))
497 if (!BN_copy(z, &point->Z))
506 BN_CTX_free(new_ctx);
510 int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group,
513 const BIGNUM *y, BN_CTX *ctx)
515 if (x == NULL || y == NULL) {
517 * unlike for projective coordinates, we do not tolerate this
519 ECerr(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES,
520 ERR_R_PASSED_NULL_PARAMETER);
524 return EC_POINT_set_Jprojective_coordinates_GFp(group, point, x, y,
525 BN_value_one(), ctx);
528 int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group,
529 const EC_POINT *point,
530 BIGNUM *x, BIGNUM *y,
533 BN_CTX *new_ctx = NULL;
534 BIGNUM *Z, *Z_1, *Z_2, *Z_3;
538 if (EC_POINT_is_at_infinity(group, point)) {
539 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES,
540 EC_R_POINT_AT_INFINITY);
545 ctx = new_ctx = BN_CTX_new();
552 Z_1 = BN_CTX_get(ctx);
553 Z_2 = BN_CTX_get(ctx);
554 Z_3 = BN_CTX_get(ctx);
558 /* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */
560 if (group->meth->field_decode) {
561 if (!group->meth->field_decode(group, Z, &point->Z, ctx))
569 if (group->meth->field_decode) {
571 if (!group->meth->field_decode(group, x, &point->X, ctx))
575 if (!group->meth->field_decode(group, y, &point->Y, ctx))
580 if (!BN_copy(x, &point->X))
584 if (!BN_copy(y, &point->Y))
589 if (!BN_mod_inverse(Z_1, Z_, &group->field, ctx)) {
590 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES,
595 if (group->meth->field_encode == 0) {
596 /* field_sqr works on standard representation */
597 if (!group->meth->field_sqr(group, Z_2, Z_1, ctx))
600 if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx))
606 * in the Montgomery case, field_mul will cancel out Montgomery
609 if (!group->meth->field_mul(group, x, &point->X, Z_2, ctx))
614 if (group->meth->field_encode == 0) {
616 * field_mul works on standard representation
618 if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx))
621 if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx))
626 * in the Montgomery case, field_mul will cancel out Montgomery
629 if (!group->meth->field_mul(group, y, &point->Y, Z_3, ctx))
639 BN_CTX_free(new_ctx);
643 int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group,
645 const BIGNUM *x_, int y_bit,
648 BN_CTX *new_ctx = NULL;
649 BIGNUM *tmp1, *tmp2, *x, *y;
652 /* clear error queue */
656 ctx = new_ctx = BN_CTX_new();
661 y_bit = (y_bit != 0);
664 tmp1 = BN_CTX_get(ctx);
665 tmp2 = BN_CTX_get(ctx);
672 * Recover y. We have a Weierstrass equation
673 * y^2 = x^3 + a*x + b,
674 * so y is one of the square roots of x^3 + a*x + b.
678 if (!BN_nnmod(x, x_, &group->field, ctx))
680 if (group->meth->field_decode == 0) {
681 /* field_{sqr,mul} work on standard representation */
682 if (!group->meth->field_sqr(group, tmp2, x_, ctx))
684 if (!group->meth->field_mul(group, tmp1, tmp2, x_, ctx))
687 if (!BN_mod_sqr(tmp2, x_, &group->field, ctx))
689 if (!BN_mod_mul(tmp1, tmp2, x_, &group->field, ctx))
693 /* tmp1 := tmp1 + a*x */
694 if (group->a_is_minus3) {
695 if (!BN_mod_lshift1_quick(tmp2, x, &group->field))
697 if (!BN_mod_add_quick(tmp2, tmp2, x, &group->field))
699 if (!BN_mod_sub_quick(tmp1, tmp1, tmp2, &group->field))
702 if (group->meth->field_decode) {
703 if (!group->meth->field_decode(group, tmp2, &group->a, ctx))
705 if (!BN_mod_mul(tmp2, tmp2, x, &group->field, ctx))
708 /* field_mul works on standard representation */
709 if (!group->meth->field_mul(group, tmp2, &group->a, x, ctx))
713 if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field))
717 /* tmp1 := tmp1 + b */
718 if (group->meth->field_decode) {
719 if (!group->meth->field_decode(group, tmp2, &group->b, ctx))
721 if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field))
724 if (!BN_mod_add_quick(tmp1, tmp1, &group->b, &group->field))
728 if (!BN_mod_sqrt(y, tmp1, &group->field, ctx)) {
729 unsigned long err = ERR_peek_last_error();
731 if (ERR_GET_LIB(err) == ERR_LIB_BN
732 && ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE) {
734 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES,
735 EC_R_INVALID_COMPRESSED_POINT);
737 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES,
742 if (y_bit != BN_is_odd(y)) {
746 kron = BN_kronecker(x, &group->field, ctx);
751 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES,
752 EC_R_INVALID_COMPRESSION_BIT);
755 * BN_mod_sqrt() should have cought this error (not a square)
757 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES,
758 EC_R_INVALID_COMPRESSED_POINT);
761 if (!BN_usub(y, &group->field, y))
764 if (y_bit != BN_is_odd(y)) {
765 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES,
766 ERR_R_INTERNAL_ERROR);
770 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
778 BN_CTX_free(new_ctx);
782 size_t ec_GFp_simple_point2oct(const EC_GROUP *group, const EC_POINT *point,
783 point_conversion_form_t form,
784 unsigned char *buf, size_t len, BN_CTX *ctx)
787 BN_CTX *new_ctx = NULL;
790 size_t field_len, i, skip;
792 if ((form != POINT_CONVERSION_COMPRESSED)
793 && (form != POINT_CONVERSION_UNCOMPRESSED)
794 && (form != POINT_CONVERSION_HYBRID)) {
795 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_INVALID_FORM);
799 if (EC_POINT_is_at_infinity(group, point)) {
800 /* encodes to a single 0 octet */
803 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
811 /* ret := required output buffer length */
812 field_len = BN_num_bytes(&group->field);
815 POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2 * field_len;
817 /* if 'buf' is NULL, just return required length */
820 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
825 ctx = new_ctx = BN_CTX_new();
837 if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx))
840 if ((form == POINT_CONVERSION_COMPRESSED
841 || form == POINT_CONVERSION_HYBRID) && BN_is_odd(y))
848 skip = field_len - BN_num_bytes(x);
849 if (skip > field_len) {
850 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
857 skip = BN_bn2bin(x, buf + i);
859 if (i != 1 + field_len) {
860 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
864 if (form == POINT_CONVERSION_UNCOMPRESSED
865 || form == POINT_CONVERSION_HYBRID) {
866 skip = field_len - BN_num_bytes(y);
867 if (skip > field_len) {
868 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
875 skip = BN_bn2bin(y, buf + i);
880 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
888 BN_CTX_free(new_ctx);
895 BN_CTX_free(new_ctx);
899 int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
900 const unsigned char *buf, size_t len, BN_CTX *ctx)
902 point_conversion_form_t form;
904 BN_CTX *new_ctx = NULL;
906 size_t field_len, enc_len;
910 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_BUFFER_TOO_SMALL);
916 if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED)
917 && (form != POINT_CONVERSION_UNCOMPRESSED)
918 && (form != POINT_CONVERSION_HYBRID)) {
919 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
922 if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit) {
923 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
929 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
933 return EC_POINT_set_to_infinity(group, point);
936 field_len = BN_num_bytes(&group->field);
939 POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2 * field_len;
941 if (len != enc_len) {
942 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
947 ctx = new_ctx = BN_CTX_new();
958 if (!BN_bin2bn(buf + 1, field_len, x))
960 if (BN_ucmp(x, &group->field) >= 0) {
961 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
965 if (form == POINT_CONVERSION_COMPRESSED) {
966 if (!EC_POINT_set_compressed_coordinates_GFp
967 (group, point, x, y_bit, ctx))
970 if (!BN_bin2bn(buf + 1 + field_len, field_len, y))
972 if (BN_ucmp(y, &group->field) >= 0) {
973 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
976 if (form == POINT_CONVERSION_HYBRID) {
977 if (y_bit != BN_is_odd(y)) {
978 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
983 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
987 /* test required by X9.62 */
988 if (EC_POINT_is_on_curve(group, point, ctx) <= 0) {
989 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
998 BN_CTX_free(new_ctx);
1002 int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
1003 const EC_POINT *b, BN_CTX *ctx)
1005 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
1006 const BIGNUM *, BN_CTX *);
1007 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1009 BN_CTX *new_ctx = NULL;
1010 BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
1014 return EC_POINT_dbl(group, r, a, ctx);
1015 if (EC_POINT_is_at_infinity(group, a))
1016 return EC_POINT_copy(r, b);
1017 if (EC_POINT_is_at_infinity(group, b))
1018 return EC_POINT_copy(r, a);
1020 field_mul = group->meth->field_mul;
1021 field_sqr = group->meth->field_sqr;
1025 ctx = new_ctx = BN_CTX_new();
1031 n0 = BN_CTX_get(ctx);
1032 n1 = BN_CTX_get(ctx);
1033 n2 = BN_CTX_get(ctx);
1034 n3 = BN_CTX_get(ctx);
1035 n4 = BN_CTX_get(ctx);
1036 n5 = BN_CTX_get(ctx);
1037 n6 = BN_CTX_get(ctx);
1042 * Note that in this function we must not read components of 'a' or 'b'
1043 * once we have written the corresponding components of 'r'. ('r' might
1044 * be one of 'a' or 'b'.)
1049 if (!BN_copy(n1, &a->X))
1051 if (!BN_copy(n2, &a->Y))
1056 if (!field_sqr(group, n0, &b->Z, ctx))
1058 if (!field_mul(group, n1, &a->X, n0, ctx))
1060 /* n1 = X_a * Z_b^2 */
1062 if (!field_mul(group, n0, n0, &b->Z, ctx))
1064 if (!field_mul(group, n2, &a->Y, n0, ctx))
1066 /* n2 = Y_a * Z_b^3 */
1071 if (!BN_copy(n3, &b->X))
1073 if (!BN_copy(n4, &b->Y))
1078 if (!field_sqr(group, n0, &a->Z, ctx))
1080 if (!field_mul(group, n3, &b->X, n0, ctx))
1082 /* n3 = X_b * Z_a^2 */
1084 if (!field_mul(group, n0, n0, &a->Z, ctx))
1086 if (!field_mul(group, n4, &b->Y, n0, ctx))
1088 /* n4 = Y_b * Z_a^3 */
1092 if (!BN_mod_sub_quick(n5, n1, n3, p))
1094 if (!BN_mod_sub_quick(n6, n2, n4, p))
1099 if (BN_is_zero(n5)) {
1100 if (BN_is_zero(n6)) {
1101 /* a is the same point as b */
1103 ret = EC_POINT_dbl(group, r, a, ctx);
1107 /* a is the inverse of b */
1116 if (!BN_mod_add_quick(n1, n1, n3, p))
1118 if (!BN_mod_add_quick(n2, n2, n4, p))
1120 /* 'n7' = n1 + n3 */
1121 /* 'n8' = n2 + n4 */
1124 if (a->Z_is_one && b->Z_is_one) {
1125 if (!BN_copy(&r->Z, n5))
1129 if (!BN_copy(n0, &b->Z))
1131 } else if (b->Z_is_one) {
1132 if (!BN_copy(n0, &a->Z))
1135 if (!field_mul(group, n0, &a->Z, &b->Z, ctx))
1138 if (!field_mul(group, &r->Z, n0, n5, ctx))
1142 /* Z_r = Z_a * Z_b * n5 */
1145 if (!field_sqr(group, n0, n6, ctx))
1147 if (!field_sqr(group, n4, n5, ctx))
1149 if (!field_mul(group, n3, n1, n4, ctx))
1151 if (!BN_mod_sub_quick(&r->X, n0, n3, p))
1153 /* X_r = n6^2 - n5^2 * 'n7' */
1156 if (!BN_mod_lshift1_quick(n0, &r->X, p))
1158 if (!BN_mod_sub_quick(n0, n3, n0, p))
1160 /* n9 = n5^2 * 'n7' - 2 * X_r */
1163 if (!field_mul(group, n0, n0, n6, ctx))
1165 if (!field_mul(group, n5, n4, n5, ctx))
1166 goto end; /* now n5 is n5^3 */
1167 if (!field_mul(group, n1, n2, n5, ctx))
1169 if (!BN_mod_sub_quick(n0, n0, n1, p))
1172 if (!BN_add(n0, n0, p))
1174 /* now 0 <= n0 < 2*p, and n0 is even */
1175 if (!BN_rshift1(&r->Y, n0))
1177 /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
1182 if (ctx) /* otherwise we already called BN_CTX_end */
1184 if (new_ctx != NULL)
1185 BN_CTX_free(new_ctx);
1189 int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
1192 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
1193 const BIGNUM *, BN_CTX *);
1194 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1196 BN_CTX *new_ctx = NULL;
1197 BIGNUM *n0, *n1, *n2, *n3;
1200 if (EC_POINT_is_at_infinity(group, a)) {
1206 field_mul = group->meth->field_mul;
1207 field_sqr = group->meth->field_sqr;
1211 ctx = new_ctx = BN_CTX_new();
1217 n0 = BN_CTX_get(ctx);
1218 n1 = BN_CTX_get(ctx);
1219 n2 = BN_CTX_get(ctx);
1220 n3 = BN_CTX_get(ctx);
1225 * Note that in this function we must not read components of 'a' once we
1226 * have written the corresponding components of 'r'. ('r' might the same
1232 if (!field_sqr(group, n0, &a->X, ctx))
1234 if (!BN_mod_lshift1_quick(n1, n0, p))
1236 if (!BN_mod_add_quick(n0, n0, n1, p))
1238 if (!BN_mod_add_quick(n1, n0, &group->a, p))
1240 /* n1 = 3 * X_a^2 + a_curve */
1241 } else if (group->a_is_minus3) {
1242 if (!field_sqr(group, n1, &a->Z, ctx))
1244 if (!BN_mod_add_quick(n0, &a->X, n1, p))
1246 if (!BN_mod_sub_quick(n2, &a->X, n1, p))
1248 if (!field_mul(group, n1, n0, n2, ctx))
1250 if (!BN_mod_lshift1_quick(n0, n1, p))
1252 if (!BN_mod_add_quick(n1, n0, n1, p))
1255 * n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
1256 * = 3 * X_a^2 - 3 * Z_a^4
1259 if (!field_sqr(group, n0, &a->X, ctx))
1261 if (!BN_mod_lshift1_quick(n1, n0, p))
1263 if (!BN_mod_add_quick(n0, n0, n1, p))
1265 if (!field_sqr(group, n1, &a->Z, ctx))
1267 if (!field_sqr(group, n1, n1, ctx))
1269 if (!field_mul(group, n1, n1, &group->a, ctx))
1271 if (!BN_mod_add_quick(n1, n1, n0, p))
1273 /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
1278 if (!BN_copy(n0, &a->Y))
1281 if (!field_mul(group, n0, &a->Y, &a->Z, ctx))
1284 if (!BN_mod_lshift1_quick(&r->Z, n0, p))
1287 /* Z_r = 2 * Y_a * Z_a */
1290 if (!field_sqr(group, n3, &a->Y, ctx))
1292 if (!field_mul(group, n2, &a->X, n3, ctx))
1294 if (!BN_mod_lshift_quick(n2, n2, 2, p))
1296 /* n2 = 4 * X_a * Y_a^2 */
1299 if (!BN_mod_lshift1_quick(n0, n2, p))
1301 if (!field_sqr(group, &r->X, n1, ctx))
1303 if (!BN_mod_sub_quick(&r->X, &r->X, n0, p))
1305 /* X_r = n1^2 - 2 * n2 */
1308 if (!field_sqr(group, n0, n3, ctx))
1310 if (!BN_mod_lshift_quick(n3, n0, 3, p))
1312 /* n3 = 8 * Y_a^4 */
1315 if (!BN_mod_sub_quick(n0, n2, &r->X, p))
1317 if (!field_mul(group, n0, n1, n0, ctx))
1319 if (!BN_mod_sub_quick(&r->Y, n0, n3, p))
1321 /* Y_r = n1 * (n2 - X_r) - n3 */
1327 if (new_ctx != NULL)
1328 BN_CTX_free(new_ctx);
1332 int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
1334 if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y))
1335 /* point is its own inverse */
1338 return BN_usub(&point->Y, &group->field, &point->Y);
1341 int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
1343 return BN_is_zero(&point->Z);
1346 int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
1349 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
1350 const BIGNUM *, BN_CTX *);
1351 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1353 BN_CTX *new_ctx = NULL;
1354 BIGNUM *rh, *tmp, *Z4, *Z6;
1357 if (EC_POINT_is_at_infinity(group, point))
1360 field_mul = group->meth->field_mul;
1361 field_sqr = group->meth->field_sqr;
1365 ctx = new_ctx = BN_CTX_new();
1371 rh = BN_CTX_get(ctx);
1372 tmp = BN_CTX_get(ctx);
1373 Z4 = BN_CTX_get(ctx);
1374 Z6 = BN_CTX_get(ctx);
1379 * We have a curve defined by a Weierstrass equation
1380 * y^2 = x^3 + a*x + b.
1381 * The point to consider is given in Jacobian projective coordinates
1382 * where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
1383 * Substituting this and multiplying by Z^6 transforms the above equation into
1384 * Y^2 = X^3 + a*X*Z^4 + b*Z^6.
1385 * To test this, we add up the right-hand side in 'rh'.
1389 if (!field_sqr(group, rh, &point->X, ctx))
1392 if (!point->Z_is_one) {
1393 if (!field_sqr(group, tmp, &point->Z, ctx))
1395 if (!field_sqr(group, Z4, tmp, ctx))
1397 if (!field_mul(group, Z6, Z4, tmp, ctx))
1400 /* rh := (rh + a*Z^4)*X */
1401 if (group->a_is_minus3) {
1402 if (!BN_mod_lshift1_quick(tmp, Z4, p))
1404 if (!BN_mod_add_quick(tmp, tmp, Z4, p))
1406 if (!BN_mod_sub_quick(rh, rh, tmp, p))
1408 if (!field_mul(group, rh, rh, &point->X, ctx))
1411 if (!field_mul(group, tmp, Z4, &group->a, ctx))
1413 if (!BN_mod_add_quick(rh, rh, tmp, p))
1415 if (!field_mul(group, rh, rh, &point->X, ctx))
1419 /* rh := rh + b*Z^6 */
1420 if (!field_mul(group, tmp, &group->b, Z6, ctx))
1422 if (!BN_mod_add_quick(rh, rh, tmp, p))
1425 /* point->Z_is_one */
1427 /* rh := (rh + a)*X */
1428 if (!BN_mod_add_quick(rh, rh, &group->a, p))
1430 if (!field_mul(group, rh, rh, &point->X, ctx))
1433 if (!BN_mod_add_quick(rh, rh, &group->b, p))
1438 if (!field_sqr(group, tmp, &point->Y, ctx))
1441 ret = (0 == BN_ucmp(tmp, rh));
1445 if (new_ctx != NULL)
1446 BN_CTX_free(new_ctx);
1450 int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
1451 const EC_POINT *b, BN_CTX *ctx)
1456 * 0 equal (in affine coordinates)
1460 int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
1461 const BIGNUM *, BN_CTX *);
1462 int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
1463 BN_CTX *new_ctx = NULL;
1464 BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
1465 const BIGNUM *tmp1_, *tmp2_;
1468 if (EC_POINT_is_at_infinity(group, a)) {
1469 return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
1472 if (EC_POINT_is_at_infinity(group, b))
1475 if (a->Z_is_one && b->Z_is_one) {
1476 return ((BN_cmp(&a->X, &b->X) == 0)
1477 && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
1480 field_mul = group->meth->field_mul;
1481 field_sqr = group->meth->field_sqr;
1484 ctx = new_ctx = BN_CTX_new();
1490 tmp1 = BN_CTX_get(ctx);
1491 tmp2 = BN_CTX_get(ctx);
1492 Za23 = BN_CTX_get(ctx);
1493 Zb23 = BN_CTX_get(ctx);
1498 * We have to decide whether
1499 * (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
1500 * or equivalently, whether
1501 * (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
1505 if (!field_sqr(group, Zb23, &b->Z, ctx))
1507 if (!field_mul(group, tmp1, &a->X, Zb23, ctx))
1513 if (!field_sqr(group, Za23, &a->Z, ctx))
1515 if (!field_mul(group, tmp2, &b->X, Za23, ctx))
1521 /* compare X_a*Z_b^2 with X_b*Z_a^2 */
1522 if (BN_cmp(tmp1_, tmp2_) != 0) {
1523 ret = 1; /* points differ */
1528 if (!field_mul(group, Zb23, Zb23, &b->Z, ctx))
1530 if (!field_mul(group, tmp1, &a->Y, Zb23, ctx))
1536 if (!field_mul(group, Za23, Za23, &a->Z, ctx))
1538 if (!field_mul(group, tmp2, &b->Y, Za23, ctx))
1544 /* compare Y_a*Z_b^3 with Y_b*Z_a^3 */
1545 if (BN_cmp(tmp1_, tmp2_) != 0) {
1546 ret = 1; /* points differ */
1550 /* points are equal */
1555 if (new_ctx != NULL)
1556 BN_CTX_free(new_ctx);
1560 int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point,
1563 BN_CTX *new_ctx = NULL;
1567 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
1571 ctx = new_ctx = BN_CTX_new();
1577 x = BN_CTX_get(ctx);
1578 y = BN_CTX_get(ctx);
1582 if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx))
1584 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
1586 if (!point->Z_is_one) {
1587 ECerr(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE, ERR_R_INTERNAL_ERROR);
1595 if (new_ctx != NULL)
1596 BN_CTX_free(new_ctx);
1600 int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num,
1601 EC_POINT *points[], BN_CTX *ctx)
1603 BN_CTX *new_ctx = NULL;
1604 BIGNUM *tmp, *tmp_Z;
1605 BIGNUM **prod_Z = NULL;
1613 ctx = new_ctx = BN_CTX_new();
1619 tmp = BN_CTX_get(ctx);
1620 tmp_Z = BN_CTX_get(ctx);
1621 if (tmp == NULL || tmp_Z == NULL)
1624 prod_Z = OPENSSL_malloc(num * sizeof prod_Z[0]);
1627 for (i = 0; i < num; i++) {
1628 prod_Z[i] = BN_new();
1629 if (prod_Z[i] == NULL)
1634 * Set each prod_Z[i] to the product of points[0]->Z .. points[i]->Z,
1635 * skipping any zero-valued inputs (pretend that they're 1).
1638 if (!BN_is_zero(&points[0]->Z)) {
1639 if (!BN_copy(prod_Z[0], &points[0]->Z))
1642 if (group->meth->field_set_to_one != 0) {
1643 if (!group->meth->field_set_to_one(group, prod_Z[0], ctx))
1646 if (!BN_one(prod_Z[0]))
1651 for (i = 1; i < num; i++) {
1652 if (!BN_is_zero(&points[i]->Z)) {
1653 if (!group->meth->field_mul(group, prod_Z[i], prod_Z[i - 1],
1654 &points[i]->Z, ctx))
1657 if (!BN_copy(prod_Z[i], prod_Z[i - 1]))
1663 * Now use a single explicit inversion to replace every non-zero
1664 * points[i]->Z by its inverse.
1667 if (!BN_mod_inverse(tmp, prod_Z[num - 1], &group->field, ctx)) {
1668 ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);
1671 if (group->meth->field_encode != 0) {
1673 * In the Montgomery case, we just turned R*H (representing H) into
1674 * 1/(R*H), but we need R*(1/H) (representing 1/H); i.e. we need to
1675 * multiply by the Montgomery factor twice.
1677 if (!group->meth->field_encode(group, tmp, tmp, ctx))
1679 if (!group->meth->field_encode(group, tmp, tmp, ctx))
1683 for (i = num - 1; i > 0; --i) {
1685 * Loop invariant: tmp is the product of the inverses of points[0]->Z
1686 * .. points[i]->Z (zero-valued inputs skipped).
1688 if (!BN_is_zero(&points[i]->Z)) {
1690 * Set tmp_Z to the inverse of points[i]->Z (as product of Z
1691 * inverses 0 .. i, Z values 0 .. i - 1).
1694 meth->field_mul(group, tmp_Z, prod_Z[i - 1], tmp, ctx))
1697 * Update tmp to satisfy the loop invariant for i - 1.
1699 if (!group->meth->field_mul(group, tmp, tmp, &points[i]->Z, ctx))
1701 /* Replace points[i]->Z by its inverse. */
1702 if (!BN_copy(&points[i]->Z, tmp_Z))
1707 if (!BN_is_zero(&points[0]->Z)) {
1708 /* Replace points[0]->Z by its inverse. */
1709 if (!BN_copy(&points[0]->Z, tmp))
1713 /* Finally, fix up the X and Y coordinates for all points. */
1715 for (i = 0; i < num; i++) {
1716 EC_POINT *p = points[i];
1718 if (!BN_is_zero(&p->Z)) {
1719 /* turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1) */
1721 if (!group->meth->field_sqr(group, tmp, &p->Z, ctx))
1723 if (!group->meth->field_mul(group, &p->X, &p->X, tmp, ctx))
1726 if (!group->meth->field_mul(group, tmp, tmp, &p->Z, ctx))
1728 if (!group->meth->field_mul(group, &p->Y, &p->Y, tmp, ctx))
1731 if (group->meth->field_set_to_one != 0) {
1732 if (!group->meth->field_set_to_one(group, &p->Z, ctx))
1746 if (new_ctx != NULL)
1747 BN_CTX_free(new_ctx);
1748 if (prod_Z != NULL) {
1749 for (i = 0; i < num; i++) {
1750 if (prod_Z[i] == NULL)
1752 BN_clear_free(prod_Z[i]);
1754 OPENSSL_free(prod_Z);
1759 int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
1760 const BIGNUM *b, BN_CTX *ctx)
1762 return BN_mod_mul(r, a, b, &group->field, ctx);
1765 int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
1768 return BN_mod_sqr(r, a, &group->field, ctx);
projects / FreeBSD / releng / 9.3.git / blob