d58bb7e55a
The implementation of EC is introduced from libgcrypt as the basic algorithm of elliptic curve, which can be more perfectly integrated with MPI implementation. Some other algorithms will be developed based on mpi ecc, such as SM2. Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Tested-by: Xufeng Zhang <yunbo.xufeng@linux.alibaba.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
1510 lines
36 KiB
C
1510 lines
36 KiB
C
/* ec.c - Elliptic Curve functions
|
|
* Copyright (C) 2007 Free Software Foundation, Inc.
|
|
* Copyright (C) 2013 g10 Code GmbH
|
|
*
|
|
* This file is part of Libgcrypt.
|
|
*
|
|
* Libgcrypt is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU Lesser General Public License as
|
|
* published by the Free Software Foundation; either version 2.1 of
|
|
* the License, or (at your option) any later version.
|
|
*
|
|
* Libgcrypt is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "mpi-internal.h"
|
|
#include "longlong.h"
|
|
|
|
#define point_init(a) mpi_point_init((a))
|
|
#define point_free(a) mpi_point_free_parts((a))
|
|
|
|
#define log_error(fmt, ...) pr_err(fmt, ##__VA_ARGS__)
|
|
#define log_fatal(fmt, ...) pr_err(fmt, ##__VA_ARGS__)
|
|
|
|
#define DIM(v) (sizeof(v)/sizeof((v)[0]))
|
|
|
|
|
|
/* Create a new point option. NBITS gives the size in bits of one
|
|
* coordinate; it is only used to pre-allocate some resources and
|
|
* might also be passed as 0 to use a default value.
|
|
*/
|
|
MPI_POINT mpi_point_new(unsigned int nbits)
|
|
{
|
|
MPI_POINT p;
|
|
|
|
(void)nbits; /* Currently not used. */
|
|
|
|
p = kmalloc(sizeof(*p), GFP_KERNEL);
|
|
if (p)
|
|
mpi_point_init(p);
|
|
return p;
|
|
}
|
|
EXPORT_SYMBOL_GPL(mpi_point_new);
|
|
|
|
/* Release the point object P. P may be NULL. */
|
|
void mpi_point_release(MPI_POINT p)
|
|
{
|
|
if (p) {
|
|
mpi_point_free_parts(p);
|
|
kfree(p);
|
|
}
|
|
}
|
|
EXPORT_SYMBOL_GPL(mpi_point_release);
|
|
|
|
/* Initialize the fields of a point object. gcry_mpi_point_free_parts
|
|
* may be used to release the fields.
|
|
*/
|
|
void mpi_point_init(MPI_POINT p)
|
|
{
|
|
p->x = mpi_new(0);
|
|
p->y = mpi_new(0);
|
|
p->z = mpi_new(0);
|
|
}
|
|
EXPORT_SYMBOL_GPL(mpi_point_init);
|
|
|
|
/* Release the parts of a point object. */
|
|
void mpi_point_free_parts(MPI_POINT p)
|
|
{
|
|
mpi_free(p->x); p->x = NULL;
|
|
mpi_free(p->y); p->y = NULL;
|
|
mpi_free(p->z); p->z = NULL;
|
|
}
|
|
EXPORT_SYMBOL_GPL(mpi_point_free_parts);
|
|
|
|
/* Set the value from S into D. */
|
|
static void point_set(MPI_POINT d, MPI_POINT s)
|
|
{
|
|
mpi_set(d->x, s->x);
|
|
mpi_set(d->y, s->y);
|
|
mpi_set(d->z, s->z);
|
|
}
|
|
|
|
static void point_resize(MPI_POINT p, struct mpi_ec_ctx *ctx)
|
|
{
|
|
size_t nlimbs = ctx->p->nlimbs;
|
|
|
|
mpi_resize(p->x, nlimbs);
|
|
p->x->nlimbs = nlimbs;
|
|
mpi_resize(p->z, nlimbs);
|
|
p->z->nlimbs = nlimbs;
|
|
|
|
if (ctx->model != MPI_EC_MONTGOMERY) {
|
|
mpi_resize(p->y, nlimbs);
|
|
p->y->nlimbs = nlimbs;
|
|
}
|
|
}
|
|
|
|
static void point_swap_cond(MPI_POINT d, MPI_POINT s, unsigned long swap,
|
|
struct mpi_ec_ctx *ctx)
|
|
{
|
|
mpi_swap_cond(d->x, s->x, swap);
|
|
if (ctx->model != MPI_EC_MONTGOMERY)
|
|
mpi_swap_cond(d->y, s->y, swap);
|
|
mpi_swap_cond(d->z, s->z, swap);
|
|
}
|
|
|
|
|
|
/* W = W mod P. */
|
|
static void ec_mod(MPI w, struct mpi_ec_ctx *ec)
|
|
{
|
|
if (ec->t.p_barrett)
|
|
mpi_mod_barrett(w, w, ec->t.p_barrett);
|
|
else
|
|
mpi_mod(w, w, ec->p);
|
|
}
|
|
|
|
static void ec_addm(MPI w, MPI u, MPI v, struct mpi_ec_ctx *ctx)
|
|
{
|
|
mpi_add(w, u, v);
|
|
ec_mod(w, ctx);
|
|
}
|
|
|
|
static void ec_subm(MPI w, MPI u, MPI v, struct mpi_ec_ctx *ec)
|
|
{
|
|
mpi_sub(w, u, v);
|
|
while (w->sign)
|
|
mpi_add(w, w, ec->p);
|
|
/*ec_mod(w, ec);*/
|
|
}
|
|
|
|
static void ec_mulm(MPI w, MPI u, MPI v, struct mpi_ec_ctx *ctx)
|
|
{
|
|
mpi_mul(w, u, v);
|
|
ec_mod(w, ctx);
|
|
}
|
|
|
|
/* W = 2 * U mod P. */
|
|
static void ec_mul2(MPI w, MPI u, struct mpi_ec_ctx *ctx)
|
|
{
|
|
mpi_lshift(w, u, 1);
|
|
ec_mod(w, ctx);
|
|
}
|
|
|
|
static void ec_powm(MPI w, const MPI b, const MPI e,
|
|
struct mpi_ec_ctx *ctx)
|
|
{
|
|
mpi_powm(w, b, e, ctx->p);
|
|
/* mpi_abs(w); */
|
|
}
|
|
|
|
/* Shortcut for
|
|
* ec_powm(B, B, mpi_const(MPI_C_TWO), ctx);
|
|
* for easier optimization.
|
|
*/
|
|
static void ec_pow2(MPI w, const MPI b, struct mpi_ec_ctx *ctx)
|
|
{
|
|
/* Using mpi_mul is slightly faster (at least on amd64). */
|
|
/* mpi_powm(w, b, mpi_const(MPI_C_TWO), ctx->p); */
|
|
ec_mulm(w, b, b, ctx);
|
|
}
|
|
|
|
/* Shortcut for
|
|
* ec_powm(B, B, mpi_const(MPI_C_THREE), ctx);
|
|
* for easier optimization.
|
|
*/
|
|
static void ec_pow3(MPI w, const MPI b, struct mpi_ec_ctx *ctx)
|
|
{
|
|
mpi_powm(w, b, mpi_const(MPI_C_THREE), ctx->p);
|
|
}
|
|
|
|
static void ec_invm(MPI x, MPI a, struct mpi_ec_ctx *ctx)
|
|
{
|
|
if (!mpi_invm(x, a, ctx->p))
|
|
log_error("ec_invm: inverse does not exist:\n");
|
|
}
|
|
|
|
static void mpih_set_cond(mpi_ptr_t wp, mpi_ptr_t up,
|
|
mpi_size_t usize, unsigned long set)
|
|
{
|
|
mpi_size_t i;
|
|
mpi_limb_t mask = ((mpi_limb_t)0) - set;
|
|
mpi_limb_t x;
|
|
|
|
for (i = 0; i < usize; i++) {
|
|
x = mask & (wp[i] ^ up[i]);
|
|
wp[i] = wp[i] ^ x;
|
|
}
|
|
}
|
|
|
|
/* Routines for 2^255 - 19. */
|
|
|
|
#define LIMB_SIZE_25519 ((256+BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB)
|
|
|
|
static void ec_addm_25519(MPI w, MPI u, MPI v, struct mpi_ec_ctx *ctx)
|
|
{
|
|
mpi_ptr_t wp, up, vp;
|
|
mpi_size_t wsize = LIMB_SIZE_25519;
|
|
mpi_limb_t n[LIMB_SIZE_25519];
|
|
mpi_limb_t borrow;
|
|
|
|
if (w->nlimbs != wsize || u->nlimbs != wsize || v->nlimbs != wsize)
|
|
log_bug("addm_25519: different sizes\n");
|
|
|
|
memset(n, 0, sizeof(n));
|
|
up = u->d;
|
|
vp = v->d;
|
|
wp = w->d;
|
|
|
|
mpihelp_add_n(wp, up, vp, wsize);
|
|
borrow = mpihelp_sub_n(wp, wp, ctx->p->d, wsize);
|
|
mpih_set_cond(n, ctx->p->d, wsize, (borrow != 0UL));
|
|
mpihelp_add_n(wp, wp, n, wsize);
|
|
wp[LIMB_SIZE_25519-1] &= ~((mpi_limb_t)1 << (255 % BITS_PER_MPI_LIMB));
|
|
}
|
|
|
|
static void ec_subm_25519(MPI w, MPI u, MPI v, struct mpi_ec_ctx *ctx)
|
|
{
|
|
mpi_ptr_t wp, up, vp;
|
|
mpi_size_t wsize = LIMB_SIZE_25519;
|
|
mpi_limb_t n[LIMB_SIZE_25519];
|
|
mpi_limb_t borrow;
|
|
|
|
if (w->nlimbs != wsize || u->nlimbs != wsize || v->nlimbs != wsize)
|
|
log_bug("subm_25519: different sizes\n");
|
|
|
|
memset(n, 0, sizeof(n));
|
|
up = u->d;
|
|
vp = v->d;
|
|
wp = w->d;
|
|
|
|
borrow = mpihelp_sub_n(wp, up, vp, wsize);
|
|
mpih_set_cond(n, ctx->p->d, wsize, (borrow != 0UL));
|
|
mpihelp_add_n(wp, wp, n, wsize);
|
|
wp[LIMB_SIZE_25519-1] &= ~((mpi_limb_t)1 << (255 % BITS_PER_MPI_LIMB));
|
|
}
|
|
|
|
static void ec_mulm_25519(MPI w, MPI u, MPI v, struct mpi_ec_ctx *ctx)
|
|
{
|
|
mpi_ptr_t wp, up, vp;
|
|
mpi_size_t wsize = LIMB_SIZE_25519;
|
|
mpi_limb_t n[LIMB_SIZE_25519*2];
|
|
mpi_limb_t m[LIMB_SIZE_25519+1];
|
|
mpi_limb_t cy;
|
|
int msb;
|
|
|
|
(void)ctx;
|
|
if (w->nlimbs != wsize || u->nlimbs != wsize || v->nlimbs != wsize)
|
|
log_bug("mulm_25519: different sizes\n");
|
|
|
|
up = u->d;
|
|
vp = v->d;
|
|
wp = w->d;
|
|
|
|
mpihelp_mul_n(n, up, vp, wsize);
|
|
memcpy(wp, n, wsize * BYTES_PER_MPI_LIMB);
|
|
wp[LIMB_SIZE_25519-1] &= ~((mpi_limb_t)1 << (255 % BITS_PER_MPI_LIMB));
|
|
|
|
memcpy(m, n+LIMB_SIZE_25519-1, (wsize+1) * BYTES_PER_MPI_LIMB);
|
|
mpihelp_rshift(m, m, LIMB_SIZE_25519+1, (255 % BITS_PER_MPI_LIMB));
|
|
|
|
memcpy(n, m, wsize * BYTES_PER_MPI_LIMB);
|
|
cy = mpihelp_lshift(m, m, LIMB_SIZE_25519, 4);
|
|
m[LIMB_SIZE_25519] = cy;
|
|
cy = mpihelp_add_n(m, m, n, wsize);
|
|
m[LIMB_SIZE_25519] += cy;
|
|
cy = mpihelp_add_n(m, m, n, wsize);
|
|
m[LIMB_SIZE_25519] += cy;
|
|
cy = mpihelp_add_n(m, m, n, wsize);
|
|
m[LIMB_SIZE_25519] += cy;
|
|
|
|
cy = mpihelp_add_n(wp, wp, m, wsize);
|
|
m[LIMB_SIZE_25519] += cy;
|
|
|
|
memset(m, 0, wsize * BYTES_PER_MPI_LIMB);
|
|
msb = (wp[LIMB_SIZE_25519-1] >> (255 % BITS_PER_MPI_LIMB));
|
|
m[0] = (m[LIMB_SIZE_25519] * 2 + msb) * 19;
|
|
wp[LIMB_SIZE_25519-1] &= ~((mpi_limb_t)1 << (255 % BITS_PER_MPI_LIMB));
|
|
mpihelp_add_n(wp, wp, m, wsize);
|
|
|
|
m[0] = 0;
|
|
cy = mpihelp_sub_n(wp, wp, ctx->p->d, wsize);
|
|
mpih_set_cond(m, ctx->p->d, wsize, (cy != 0UL));
|
|
mpihelp_add_n(wp, wp, m, wsize);
|
|
}
|
|
|
|
static void ec_mul2_25519(MPI w, MPI u, struct mpi_ec_ctx *ctx)
|
|
{
|
|
ec_addm_25519(w, u, u, ctx);
|
|
}
|
|
|
|
static void ec_pow2_25519(MPI w, const MPI b, struct mpi_ec_ctx *ctx)
|
|
{
|
|
ec_mulm_25519(w, b, b, ctx);
|
|
}
|
|
|
|
/* Routines for 2^448 - 2^224 - 1. */
|
|
|
|
#define LIMB_SIZE_448 ((448+BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB)
|
|
#define LIMB_SIZE_HALF_448 ((LIMB_SIZE_448+1)/2)
|
|
|
|
static void ec_addm_448(MPI w, MPI u, MPI v, struct mpi_ec_ctx *ctx)
|
|
{
|
|
mpi_ptr_t wp, up, vp;
|
|
mpi_size_t wsize = LIMB_SIZE_448;
|
|
mpi_limb_t n[LIMB_SIZE_448];
|
|
mpi_limb_t cy;
|
|
|
|
if (w->nlimbs != wsize || u->nlimbs != wsize || v->nlimbs != wsize)
|
|
log_bug("addm_448: different sizes\n");
|
|
|
|
memset(n, 0, sizeof(n));
|
|
up = u->d;
|
|
vp = v->d;
|
|
wp = w->d;
|
|
|
|
cy = mpihelp_add_n(wp, up, vp, wsize);
|
|
mpih_set_cond(n, ctx->p->d, wsize, (cy != 0UL));
|
|
mpihelp_sub_n(wp, wp, n, wsize);
|
|
}
|
|
|
|
static void ec_subm_448(MPI w, MPI u, MPI v, struct mpi_ec_ctx *ctx)
|
|
{
|
|
mpi_ptr_t wp, up, vp;
|
|
mpi_size_t wsize = LIMB_SIZE_448;
|
|
mpi_limb_t n[LIMB_SIZE_448];
|
|
mpi_limb_t borrow;
|
|
|
|
if (w->nlimbs != wsize || u->nlimbs != wsize || v->nlimbs != wsize)
|
|
log_bug("subm_448: different sizes\n");
|
|
|
|
memset(n, 0, sizeof(n));
|
|
up = u->d;
|
|
vp = v->d;
|
|
wp = w->d;
|
|
|
|
borrow = mpihelp_sub_n(wp, up, vp, wsize);
|
|
mpih_set_cond(n, ctx->p->d, wsize, (borrow != 0UL));
|
|
mpihelp_add_n(wp, wp, n, wsize);
|
|
}
|
|
|
|
static void ec_mulm_448(MPI w, MPI u, MPI v, struct mpi_ec_ctx *ctx)
|
|
{
|
|
mpi_ptr_t wp, up, vp;
|
|
mpi_size_t wsize = LIMB_SIZE_448;
|
|
mpi_limb_t n[LIMB_SIZE_448*2];
|
|
mpi_limb_t a2[LIMB_SIZE_HALF_448];
|
|
mpi_limb_t a3[LIMB_SIZE_HALF_448];
|
|
mpi_limb_t b0[LIMB_SIZE_HALF_448];
|
|
mpi_limb_t b1[LIMB_SIZE_HALF_448];
|
|
mpi_limb_t cy;
|
|
int i;
|
|
#if (LIMB_SIZE_HALF_448 > LIMB_SIZE_448/2)
|
|
mpi_limb_t b1_rest, a3_rest;
|
|
#endif
|
|
|
|
if (w->nlimbs != wsize || u->nlimbs != wsize || v->nlimbs != wsize)
|
|
log_bug("mulm_448: different sizes\n");
|
|
|
|
up = u->d;
|
|
vp = v->d;
|
|
wp = w->d;
|
|
|
|
mpihelp_mul_n(n, up, vp, wsize);
|
|
|
|
for (i = 0; i < (wsize + 1) / 2; i++) {
|
|
b0[i] = n[i];
|
|
b1[i] = n[i+wsize/2];
|
|
a2[i] = n[i+wsize];
|
|
a3[i] = n[i+wsize+wsize/2];
|
|
}
|
|
|
|
#if (LIMB_SIZE_HALF_448 > LIMB_SIZE_448/2)
|
|
b0[LIMB_SIZE_HALF_448-1] &= ((mpi_limb_t)1UL << 32)-1;
|
|
a2[LIMB_SIZE_HALF_448-1] &= ((mpi_limb_t)1UL << 32)-1;
|
|
|
|
b1_rest = 0;
|
|
a3_rest = 0;
|
|
|
|
for (i = (wsize + 1) / 2 - 1; i >= 0; i--) {
|
|
mpi_limb_t b1v, a3v;
|
|
b1v = b1[i];
|
|
a3v = a3[i];
|
|
b1[i] = (b1_rest << 32) | (b1v >> 32);
|
|
a3[i] = (a3_rest << 32) | (a3v >> 32);
|
|
b1_rest = b1v & (((mpi_limb_t)1UL << 32)-1);
|
|
a3_rest = a3v & (((mpi_limb_t)1UL << 32)-1);
|
|
}
|
|
#endif
|
|
|
|
cy = mpihelp_add_n(b0, b0, a2, LIMB_SIZE_HALF_448);
|
|
cy += mpihelp_add_n(b0, b0, a3, LIMB_SIZE_HALF_448);
|
|
for (i = 0; i < (wsize + 1) / 2; i++)
|
|
wp[i] = b0[i];
|
|
#if (LIMB_SIZE_HALF_448 > LIMB_SIZE_448/2)
|
|
wp[LIMB_SIZE_HALF_448-1] &= (((mpi_limb_t)1UL << 32)-1);
|
|
#endif
|
|
|
|
#if (LIMB_SIZE_HALF_448 > LIMB_SIZE_448/2)
|
|
cy = b0[LIMB_SIZE_HALF_448-1] >> 32;
|
|
#endif
|
|
|
|
cy = mpihelp_add_1(b1, b1, LIMB_SIZE_HALF_448, cy);
|
|
cy += mpihelp_add_n(b1, b1, a2, LIMB_SIZE_HALF_448);
|
|
cy += mpihelp_add_n(b1, b1, a3, LIMB_SIZE_HALF_448);
|
|
cy += mpihelp_add_n(b1, b1, a3, LIMB_SIZE_HALF_448);
|
|
#if (LIMB_SIZE_HALF_448 > LIMB_SIZE_448/2)
|
|
b1_rest = 0;
|
|
for (i = (wsize + 1) / 2 - 1; i >= 0; i--) {
|
|
mpi_limb_t b1v = b1[i];
|
|
b1[i] = (b1_rest << 32) | (b1v >> 32);
|
|
b1_rest = b1v & (((mpi_limb_t)1UL << 32)-1);
|
|
}
|
|
wp[LIMB_SIZE_HALF_448-1] |= (b1_rest << 32);
|
|
#endif
|
|
for (i = 0; i < wsize / 2; i++)
|
|
wp[i+(wsize + 1) / 2] = b1[i];
|
|
|
|
#if (LIMB_SIZE_HALF_448 > LIMB_SIZE_448/2)
|
|
cy = b1[LIMB_SIZE_HALF_448-1];
|
|
#endif
|
|
|
|
memset(n, 0, wsize * BYTES_PER_MPI_LIMB);
|
|
|
|
#if (LIMB_SIZE_HALF_448 > LIMB_SIZE_448/2)
|
|
n[LIMB_SIZE_HALF_448-1] = cy << 32;
|
|
#else
|
|
n[LIMB_SIZE_HALF_448] = cy;
|
|
#endif
|
|
n[0] = cy;
|
|
mpihelp_add_n(wp, wp, n, wsize);
|
|
|
|
memset(n, 0, wsize * BYTES_PER_MPI_LIMB);
|
|
cy = mpihelp_sub_n(wp, wp, ctx->p->d, wsize);
|
|
mpih_set_cond(n, ctx->p->d, wsize, (cy != 0UL));
|
|
mpihelp_add_n(wp, wp, n, wsize);
|
|
}
|
|
|
|
static void ec_mul2_448(MPI w, MPI u, struct mpi_ec_ctx *ctx)
|
|
{
|
|
ec_addm_448(w, u, u, ctx);
|
|
}
|
|
|
|
static void ec_pow2_448(MPI w, const MPI b, struct mpi_ec_ctx *ctx)
|
|
{
|
|
ec_mulm_448(w, b, b, ctx);
|
|
}
|
|
|
|
struct field_table {
|
|
const char *p;
|
|
|
|
/* computation routines for the field. */
|
|
void (*addm)(MPI w, MPI u, MPI v, struct mpi_ec_ctx *ctx);
|
|
void (*subm)(MPI w, MPI u, MPI v, struct mpi_ec_ctx *ctx);
|
|
void (*mulm)(MPI w, MPI u, MPI v, struct mpi_ec_ctx *ctx);
|
|
void (*mul2)(MPI w, MPI u, struct mpi_ec_ctx *ctx);
|
|
void (*pow2)(MPI w, const MPI b, struct mpi_ec_ctx *ctx);
|
|
};
|
|
|
|
static const struct field_table field_table[] = {
|
|
{
|
|
"0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED",
|
|
ec_addm_25519,
|
|
ec_subm_25519,
|
|
ec_mulm_25519,
|
|
ec_mul2_25519,
|
|
ec_pow2_25519
|
|
},
|
|
{
|
|
"0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
|
|
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
|
|
ec_addm_448,
|
|
ec_subm_448,
|
|
ec_mulm_448,
|
|
ec_mul2_448,
|
|
ec_pow2_448
|
|
},
|
|
{ NULL, NULL, NULL, NULL, NULL, NULL },
|
|
};
|
|
|
|
/* Force recomputation of all helper variables. */
|
|
static void mpi_ec_get_reset(struct mpi_ec_ctx *ec)
|
|
{
|
|
ec->t.valid.a_is_pminus3 = 0;
|
|
ec->t.valid.two_inv_p = 0;
|
|
}
|
|
|
|
/* Accessor for helper variable. */
|
|
static int ec_get_a_is_pminus3(struct mpi_ec_ctx *ec)
|
|
{
|
|
MPI tmp;
|
|
|
|
if (!ec->t.valid.a_is_pminus3) {
|
|
ec->t.valid.a_is_pminus3 = 1;
|
|
tmp = mpi_alloc_like(ec->p);
|
|
mpi_sub_ui(tmp, ec->p, 3);
|
|
ec->t.a_is_pminus3 = !mpi_cmp(ec->a, tmp);
|
|
mpi_free(tmp);
|
|
}
|
|
|
|
return ec->t.a_is_pminus3;
|
|
}
|
|
|
|
/* Accessor for helper variable. */
|
|
static MPI ec_get_two_inv_p(struct mpi_ec_ctx *ec)
|
|
{
|
|
if (!ec->t.valid.two_inv_p) {
|
|
ec->t.valid.two_inv_p = 1;
|
|
if (!ec->t.two_inv_p)
|
|
ec->t.two_inv_p = mpi_alloc(0);
|
|
ec_invm(ec->t.two_inv_p, mpi_const(MPI_C_TWO), ec);
|
|
}
|
|
return ec->t.two_inv_p;
|
|
}
|
|
|
|
static const char *const curve25519_bad_points[] = {
|
|
"0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed",
|
|
"0x0000000000000000000000000000000000000000000000000000000000000000",
|
|
"0x0000000000000000000000000000000000000000000000000000000000000001",
|
|
"0x00b8495f16056286fdb1329ceb8d09da6ac49ff1fae35616aeb8413b7c7aebe0",
|
|
"0x57119fd0dd4e22d8868e1c58c45c44045bef839c55b1d0b1248c50a3bc959c5f",
|
|
"0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec",
|
|
"0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffee",
|
|
NULL
|
|
};
|
|
|
|
static const char *const curve448_bad_points[] = {
|
|
"0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffe"
|
|
"ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
|
|
"0x00000000000000000000000000000000000000000000000000000000"
|
|
"00000000000000000000000000000000000000000000000000000000",
|
|
"0x00000000000000000000000000000000000000000000000000000000"
|
|
"00000000000000000000000000000000000000000000000000000001",
|
|
"0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffe"
|
|
"fffffffffffffffffffffffffffffffffffffffffffffffffffffffe",
|
|
"0xffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
|
|
"00000000000000000000000000000000000000000000000000000000",
|
|
NULL
|
|
};
|
|
|
|
static const char *const *bad_points_table[] = {
|
|
curve25519_bad_points,
|
|
curve448_bad_points,
|
|
};
|
|
|
|
static void mpi_ec_coefficient_normalize(MPI a, MPI p)
|
|
{
|
|
if (a->sign) {
|
|
mpi_resize(a, p->nlimbs);
|
|
mpihelp_sub_n(a->d, p->d, a->d, p->nlimbs);
|
|
a->nlimbs = p->nlimbs;
|
|
a->sign = 0;
|
|
}
|
|
}
|
|
|
|
/* This function initialized a context for elliptic curve based on the
|
|
* field GF(p). P is the prime specifying this field, A is the first
|
|
* coefficient. CTX is expected to be zeroized.
|
|
*/
|
|
void mpi_ec_init(struct mpi_ec_ctx *ctx, enum gcry_mpi_ec_models model,
|
|
enum ecc_dialects dialect,
|
|
int flags, MPI p, MPI a, MPI b)
|
|
{
|
|
int i;
|
|
static int use_barrett = -1 /* TODO: 1 or -1 */;
|
|
|
|
mpi_ec_coefficient_normalize(a, p);
|
|
mpi_ec_coefficient_normalize(b, p);
|
|
|
|
/* Fixme: Do we want to check some constraints? e.g. a < p */
|
|
|
|
ctx->model = model;
|
|
ctx->dialect = dialect;
|
|
ctx->flags = flags;
|
|
if (dialect == ECC_DIALECT_ED25519)
|
|
ctx->nbits = 256;
|
|
else
|
|
ctx->nbits = mpi_get_nbits(p);
|
|
ctx->p = mpi_copy(p);
|
|
ctx->a = mpi_copy(a);
|
|
ctx->b = mpi_copy(b);
|
|
|
|
ctx->t.p_barrett = use_barrett > 0 ? mpi_barrett_init(ctx->p, 0) : NULL;
|
|
|
|
mpi_ec_get_reset(ctx);
|
|
|
|
if (model == MPI_EC_MONTGOMERY) {
|
|
for (i = 0; i < DIM(bad_points_table); i++) {
|
|
MPI p_candidate = mpi_scanval(bad_points_table[i][0]);
|
|
int match_p = !mpi_cmp(ctx->p, p_candidate);
|
|
int j;
|
|
|
|
mpi_free(p_candidate);
|
|
if (!match_p)
|
|
continue;
|
|
|
|
for (j = 0; i < DIM(ctx->t.scratch) && bad_points_table[i][j]; j++)
|
|
ctx->t.scratch[j] = mpi_scanval(bad_points_table[i][j]);
|
|
}
|
|
} else {
|
|
/* Allocate scratch variables. */
|
|
for (i = 0; i < DIM(ctx->t.scratch); i++)
|
|
ctx->t.scratch[i] = mpi_alloc_like(ctx->p);
|
|
}
|
|
|
|
ctx->addm = ec_addm;
|
|
ctx->subm = ec_subm;
|
|
ctx->mulm = ec_mulm;
|
|
ctx->mul2 = ec_mul2;
|
|
ctx->pow2 = ec_pow2;
|
|
|
|
for (i = 0; field_table[i].p; i++) {
|
|
MPI f_p;
|
|
|
|
f_p = mpi_scanval(field_table[i].p);
|
|
if (!f_p)
|
|
break;
|
|
|
|
if (!mpi_cmp(p, f_p)) {
|
|
ctx->addm = field_table[i].addm;
|
|
ctx->subm = field_table[i].subm;
|
|
ctx->mulm = field_table[i].mulm;
|
|
ctx->mul2 = field_table[i].mul2;
|
|
ctx->pow2 = field_table[i].pow2;
|
|
mpi_free(f_p);
|
|
|
|
mpi_resize(ctx->a, ctx->p->nlimbs);
|
|
ctx->a->nlimbs = ctx->p->nlimbs;
|
|
|
|
mpi_resize(ctx->b, ctx->p->nlimbs);
|
|
ctx->b->nlimbs = ctx->p->nlimbs;
|
|
|
|
for (i = 0; i < DIM(ctx->t.scratch) && ctx->t.scratch[i]; i++)
|
|
ctx->t.scratch[i]->nlimbs = ctx->p->nlimbs;
|
|
|
|
break;
|
|
}
|
|
|
|
mpi_free(f_p);
|
|
}
|
|
}
|
|
EXPORT_SYMBOL_GPL(mpi_ec_init);
|
|
|
|
void mpi_ec_deinit(struct mpi_ec_ctx *ctx)
|
|
{
|
|
int i;
|
|
|
|
mpi_barrett_free(ctx->t.p_barrett);
|
|
|
|
/* Domain parameter. */
|
|
mpi_free(ctx->p);
|
|
mpi_free(ctx->a);
|
|
mpi_free(ctx->b);
|
|
mpi_point_release(ctx->G);
|
|
mpi_free(ctx->n);
|
|
|
|
/* The key. */
|
|
mpi_point_release(ctx->Q);
|
|
mpi_free(ctx->d);
|
|
|
|
/* Private data of ec.c. */
|
|
mpi_free(ctx->t.two_inv_p);
|
|
|
|
for (i = 0; i < DIM(ctx->t.scratch); i++)
|
|
mpi_free(ctx->t.scratch[i]);
|
|
}
|
|
EXPORT_SYMBOL_GPL(mpi_ec_deinit);
|
|
|
|
/* Compute the affine coordinates from the projective coordinates in
|
|
* POINT. Set them into X and Y. If one coordinate is not required,
|
|
* X or Y may be passed as NULL. CTX is the usual context. Returns: 0
|
|
* on success or !0 if POINT is at infinity.
|
|
*/
|
|
int mpi_ec_get_affine(MPI x, MPI y, MPI_POINT point, struct mpi_ec_ctx *ctx)
|
|
{
|
|
if (!mpi_cmp_ui(point->z, 0))
|
|
return -1;
|
|
|
|
switch (ctx->model) {
|
|
case MPI_EC_WEIERSTRASS: /* Using Jacobian coordinates. */
|
|
{
|
|
MPI z1, z2, z3;
|
|
|
|
z1 = mpi_new(0);
|
|
z2 = mpi_new(0);
|
|
ec_invm(z1, point->z, ctx); /* z1 = z^(-1) mod p */
|
|
ec_mulm(z2, z1, z1, ctx); /* z2 = z^(-2) mod p */
|
|
|
|
if (x)
|
|
ec_mulm(x, point->x, z2, ctx);
|
|
|
|
if (y) {
|
|
z3 = mpi_new(0);
|
|
ec_mulm(z3, z2, z1, ctx); /* z3 = z^(-3) mod p */
|
|
ec_mulm(y, point->y, z3, ctx);
|
|
mpi_free(z3);
|
|
}
|
|
|
|
mpi_free(z2);
|
|
mpi_free(z1);
|
|
}
|
|
return 0;
|
|
|
|
case MPI_EC_MONTGOMERY:
|
|
{
|
|
if (x)
|
|
mpi_set(x, point->x);
|
|
|
|
if (y) {
|
|
log_fatal("%s: Getting Y-coordinate on %s is not supported\n",
|
|
"mpi_ec_get_affine", "Montgomery");
|
|
return -1;
|
|
}
|
|
}
|
|
return 0;
|
|
|
|
case MPI_EC_EDWARDS:
|
|
{
|
|
MPI z;
|
|
|
|
z = mpi_new(0);
|
|
ec_invm(z, point->z, ctx);
|
|
|
|
mpi_resize(z, ctx->p->nlimbs);
|
|
z->nlimbs = ctx->p->nlimbs;
|
|
|
|
if (x) {
|
|
mpi_resize(x, ctx->p->nlimbs);
|
|
x->nlimbs = ctx->p->nlimbs;
|
|
ctx->mulm(x, point->x, z, ctx);
|
|
}
|
|
if (y) {
|
|
mpi_resize(y, ctx->p->nlimbs);
|
|
y->nlimbs = ctx->p->nlimbs;
|
|
ctx->mulm(y, point->y, z, ctx);
|
|
}
|
|
|
|
mpi_free(z);
|
|
}
|
|
return 0;
|
|
|
|
default:
|
|
return -1;
|
|
}
|
|
}
|
|
EXPORT_SYMBOL_GPL(mpi_ec_get_affine);
|
|
|
|
/* RESULT = 2 * POINT (Weierstrass version). */
|
|
static void dup_point_weierstrass(MPI_POINT result,
|
|
MPI_POINT point, struct mpi_ec_ctx *ctx)
|
|
{
|
|
#define x3 (result->x)
|
|
#define y3 (result->y)
|
|
#define z3 (result->z)
|
|
#define t1 (ctx->t.scratch[0])
|
|
#define t2 (ctx->t.scratch[1])
|
|
#define t3 (ctx->t.scratch[2])
|
|
#define l1 (ctx->t.scratch[3])
|
|
#define l2 (ctx->t.scratch[4])
|
|
#define l3 (ctx->t.scratch[5])
|
|
|
|
if (!mpi_cmp_ui(point->y, 0) || !mpi_cmp_ui(point->z, 0)) {
|
|
/* P_y == 0 || P_z == 0 => [1:1:0] */
|
|
mpi_set_ui(x3, 1);
|
|
mpi_set_ui(y3, 1);
|
|
mpi_set_ui(z3, 0);
|
|
} else {
|
|
if (ec_get_a_is_pminus3(ctx)) {
|
|
/* Use the faster case. */
|
|
/* L1 = 3(X - Z^2)(X + Z^2) */
|
|
/* T1: used for Z^2. */
|
|
/* T2: used for the right term. */
|
|
ec_pow2(t1, point->z, ctx);
|
|
ec_subm(l1, point->x, t1, ctx);
|
|
ec_mulm(l1, l1, mpi_const(MPI_C_THREE), ctx);
|
|
ec_addm(t2, point->x, t1, ctx);
|
|
ec_mulm(l1, l1, t2, ctx);
|
|
} else {
|
|
/* Standard case. */
|
|
/* L1 = 3X^2 + aZ^4 */
|
|
/* T1: used for aZ^4. */
|
|
ec_pow2(l1, point->x, ctx);
|
|
ec_mulm(l1, l1, mpi_const(MPI_C_THREE), ctx);
|
|
ec_powm(t1, point->z, mpi_const(MPI_C_FOUR), ctx);
|
|
ec_mulm(t1, t1, ctx->a, ctx);
|
|
ec_addm(l1, l1, t1, ctx);
|
|
}
|
|
/* Z3 = 2YZ */
|
|
ec_mulm(z3, point->y, point->z, ctx);
|
|
ec_mul2(z3, z3, ctx);
|
|
|
|
/* L2 = 4XY^2 */
|
|
/* T2: used for Y2; required later. */
|
|
ec_pow2(t2, point->y, ctx);
|
|
ec_mulm(l2, t2, point->x, ctx);
|
|
ec_mulm(l2, l2, mpi_const(MPI_C_FOUR), ctx);
|
|
|
|
/* X3 = L1^2 - 2L2 */
|
|
/* T1: used for L2^2. */
|
|
ec_pow2(x3, l1, ctx);
|
|
ec_mul2(t1, l2, ctx);
|
|
ec_subm(x3, x3, t1, ctx);
|
|
|
|
/* L3 = 8Y^4 */
|
|
/* T2: taken from above. */
|
|
ec_pow2(t2, t2, ctx);
|
|
ec_mulm(l3, t2, mpi_const(MPI_C_EIGHT), ctx);
|
|
|
|
/* Y3 = L1(L2 - X3) - L3 */
|
|
ec_subm(y3, l2, x3, ctx);
|
|
ec_mulm(y3, y3, l1, ctx);
|
|
ec_subm(y3, y3, l3, ctx);
|
|
}
|
|
|
|
#undef x3
|
|
#undef y3
|
|
#undef z3
|
|
#undef t1
|
|
#undef t2
|
|
#undef t3
|
|
#undef l1
|
|
#undef l2
|
|
#undef l3
|
|
}
|
|
|
|
/* RESULT = 2 * POINT (Montgomery version). */
|
|
static void dup_point_montgomery(MPI_POINT result,
|
|
MPI_POINT point, struct mpi_ec_ctx *ctx)
|
|
{
|
|
(void)result;
|
|
(void)point;
|
|
(void)ctx;
|
|
log_fatal("%s: %s not yet supported\n",
|
|
"mpi_ec_dup_point", "Montgomery");
|
|
}
|
|
|
|
/* RESULT = 2 * POINT (Twisted Edwards version). */
|
|
static void dup_point_edwards(MPI_POINT result,
|
|
MPI_POINT point, struct mpi_ec_ctx *ctx)
|
|
{
|
|
#define X1 (point->x)
|
|
#define Y1 (point->y)
|
|
#define Z1 (point->z)
|
|
#define X3 (result->x)
|
|
#define Y3 (result->y)
|
|
#define Z3 (result->z)
|
|
#define B (ctx->t.scratch[0])
|
|
#define C (ctx->t.scratch[1])
|
|
#define D (ctx->t.scratch[2])
|
|
#define E (ctx->t.scratch[3])
|
|
#define F (ctx->t.scratch[4])
|
|
#define H (ctx->t.scratch[5])
|
|
#define J (ctx->t.scratch[6])
|
|
|
|
/* Compute: (X_3 : Y_3 : Z_3) = 2( X_1 : Y_1 : Z_1 ) */
|
|
|
|
/* B = (X_1 + Y_1)^2 */
|
|
ctx->addm(B, X1, Y1, ctx);
|
|
ctx->pow2(B, B, ctx);
|
|
|
|
/* C = X_1^2 */
|
|
/* D = Y_1^2 */
|
|
ctx->pow2(C, X1, ctx);
|
|
ctx->pow2(D, Y1, ctx);
|
|
|
|
/* E = aC */
|
|
if (ctx->dialect == ECC_DIALECT_ED25519)
|
|
ctx->subm(E, ctx->p, C, ctx);
|
|
else
|
|
ctx->mulm(E, ctx->a, C, ctx);
|
|
|
|
/* F = E + D */
|
|
ctx->addm(F, E, D, ctx);
|
|
|
|
/* H = Z_1^2 */
|
|
ctx->pow2(H, Z1, ctx);
|
|
|
|
/* J = F - 2H */
|
|
ctx->mul2(J, H, ctx);
|
|
ctx->subm(J, F, J, ctx);
|
|
|
|
/* X_3 = (B - C - D) · J */
|
|
ctx->subm(X3, B, C, ctx);
|
|
ctx->subm(X3, X3, D, ctx);
|
|
ctx->mulm(X3, X3, J, ctx);
|
|
|
|
/* Y_3 = F · (E - D) */
|
|
ctx->subm(Y3, E, D, ctx);
|
|
ctx->mulm(Y3, Y3, F, ctx);
|
|
|
|
/* Z_3 = F · J */
|
|
ctx->mulm(Z3, F, J, ctx);
|
|
|
|
#undef X1
|
|
#undef Y1
|
|
#undef Z1
|
|
#undef X3
|
|
#undef Y3
|
|
#undef Z3
|
|
#undef B
|
|
#undef C
|
|
#undef D
|
|
#undef E
|
|
#undef F
|
|
#undef H
|
|
#undef J
|
|
}
|
|
|
|
/* RESULT = 2 * POINT */
|
|
static void
|
|
mpi_ec_dup_point(MPI_POINT result, MPI_POINT point, struct mpi_ec_ctx *ctx)
|
|
{
|
|
switch (ctx->model) {
|
|
case MPI_EC_WEIERSTRASS:
|
|
dup_point_weierstrass(result, point, ctx);
|
|
break;
|
|
case MPI_EC_MONTGOMERY:
|
|
dup_point_montgomery(result, point, ctx);
|
|
break;
|
|
case MPI_EC_EDWARDS:
|
|
dup_point_edwards(result, point, ctx);
|
|
break;
|
|
}
|
|
}
|
|
|
|
/* RESULT = P1 + P2 (Weierstrass version).*/
|
|
static void add_points_weierstrass(MPI_POINT result,
|
|
MPI_POINT p1, MPI_POINT p2,
|
|
struct mpi_ec_ctx *ctx)
|
|
{
|
|
#define x1 (p1->x)
|
|
#define y1 (p1->y)
|
|
#define z1 (p1->z)
|
|
#define x2 (p2->x)
|
|
#define y2 (p2->y)
|
|
#define z2 (p2->z)
|
|
#define x3 (result->x)
|
|
#define y3 (result->y)
|
|
#define z3 (result->z)
|
|
#define l1 (ctx->t.scratch[0])
|
|
#define l2 (ctx->t.scratch[1])
|
|
#define l3 (ctx->t.scratch[2])
|
|
#define l4 (ctx->t.scratch[3])
|
|
#define l5 (ctx->t.scratch[4])
|
|
#define l6 (ctx->t.scratch[5])
|
|
#define l7 (ctx->t.scratch[6])
|
|
#define l8 (ctx->t.scratch[7])
|
|
#define l9 (ctx->t.scratch[8])
|
|
#define t1 (ctx->t.scratch[9])
|
|
#define t2 (ctx->t.scratch[10])
|
|
|
|
if ((!mpi_cmp(x1, x2)) && (!mpi_cmp(y1, y2)) && (!mpi_cmp(z1, z2))) {
|
|
/* Same point; need to call the duplicate function. */
|
|
mpi_ec_dup_point(result, p1, ctx);
|
|
} else if (!mpi_cmp_ui(z1, 0)) {
|
|
/* P1 is at infinity. */
|
|
mpi_set(x3, p2->x);
|
|
mpi_set(y3, p2->y);
|
|
mpi_set(z3, p2->z);
|
|
} else if (!mpi_cmp_ui(z2, 0)) {
|
|
/* P2 is at infinity. */
|
|
mpi_set(x3, p1->x);
|
|
mpi_set(y3, p1->y);
|
|
mpi_set(z3, p1->z);
|
|
} else {
|
|
int z1_is_one = !mpi_cmp_ui(z1, 1);
|
|
int z2_is_one = !mpi_cmp_ui(z2, 1);
|
|
|
|
/* l1 = x1 z2^2 */
|
|
/* l2 = x2 z1^2 */
|
|
if (z2_is_one)
|
|
mpi_set(l1, x1);
|
|
else {
|
|
ec_pow2(l1, z2, ctx);
|
|
ec_mulm(l1, l1, x1, ctx);
|
|
}
|
|
if (z1_is_one)
|
|
mpi_set(l2, x2);
|
|
else {
|
|
ec_pow2(l2, z1, ctx);
|
|
ec_mulm(l2, l2, x2, ctx);
|
|
}
|
|
/* l3 = l1 - l2 */
|
|
ec_subm(l3, l1, l2, ctx);
|
|
/* l4 = y1 z2^3 */
|
|
ec_powm(l4, z2, mpi_const(MPI_C_THREE), ctx);
|
|
ec_mulm(l4, l4, y1, ctx);
|
|
/* l5 = y2 z1^3 */
|
|
ec_powm(l5, z1, mpi_const(MPI_C_THREE), ctx);
|
|
ec_mulm(l5, l5, y2, ctx);
|
|
/* l6 = l4 - l5 */
|
|
ec_subm(l6, l4, l5, ctx);
|
|
|
|
if (!mpi_cmp_ui(l3, 0)) {
|
|
if (!mpi_cmp_ui(l6, 0)) {
|
|
/* P1 and P2 are the same - use duplicate function. */
|
|
mpi_ec_dup_point(result, p1, ctx);
|
|
} else {
|
|
/* P1 is the inverse of P2. */
|
|
mpi_set_ui(x3, 1);
|
|
mpi_set_ui(y3, 1);
|
|
mpi_set_ui(z3, 0);
|
|
}
|
|
} else {
|
|
/* l7 = l1 + l2 */
|
|
ec_addm(l7, l1, l2, ctx);
|
|
/* l8 = l4 + l5 */
|
|
ec_addm(l8, l4, l5, ctx);
|
|
/* z3 = z1 z2 l3 */
|
|
ec_mulm(z3, z1, z2, ctx);
|
|
ec_mulm(z3, z3, l3, ctx);
|
|
/* x3 = l6^2 - l7 l3^2 */
|
|
ec_pow2(t1, l6, ctx);
|
|
ec_pow2(t2, l3, ctx);
|
|
ec_mulm(t2, t2, l7, ctx);
|
|
ec_subm(x3, t1, t2, ctx);
|
|
/* l9 = l7 l3^2 - 2 x3 */
|
|
ec_mul2(t1, x3, ctx);
|
|
ec_subm(l9, t2, t1, ctx);
|
|
/* y3 = (l9 l6 - l8 l3^3)/2 */
|
|
ec_mulm(l9, l9, l6, ctx);
|
|
ec_powm(t1, l3, mpi_const(MPI_C_THREE), ctx); /* fixme: Use saved value*/
|
|
ec_mulm(t1, t1, l8, ctx);
|
|
ec_subm(y3, l9, t1, ctx);
|
|
ec_mulm(y3, y3, ec_get_two_inv_p(ctx), ctx);
|
|
}
|
|
}
|
|
|
|
#undef x1
|
|
#undef y1
|
|
#undef z1
|
|
#undef x2
|
|
#undef y2
|
|
#undef z2
|
|
#undef x3
|
|
#undef y3
|
|
#undef z3
|
|
#undef l1
|
|
#undef l2
|
|
#undef l3
|
|
#undef l4
|
|
#undef l5
|
|
#undef l6
|
|
#undef l7
|
|
#undef l8
|
|
#undef l9
|
|
#undef t1
|
|
#undef t2
|
|
}
|
|
|
|
/* RESULT = P1 + P2 (Montgomery version).*/
|
|
static void add_points_montgomery(MPI_POINT result,
|
|
MPI_POINT p1, MPI_POINT p2,
|
|
struct mpi_ec_ctx *ctx)
|
|
{
|
|
(void)result;
|
|
(void)p1;
|
|
(void)p2;
|
|
(void)ctx;
|
|
log_fatal("%s: %s not yet supported\n",
|
|
"mpi_ec_add_points", "Montgomery");
|
|
}
|
|
|
|
/* RESULT = P1 + P2 (Twisted Edwards version).*/
|
|
static void add_points_edwards(MPI_POINT result,
|
|
MPI_POINT p1, MPI_POINT p2,
|
|
struct mpi_ec_ctx *ctx)
|
|
{
|
|
#define X1 (p1->x)
|
|
#define Y1 (p1->y)
|
|
#define Z1 (p1->z)
|
|
#define X2 (p2->x)
|
|
#define Y2 (p2->y)
|
|
#define Z2 (p2->z)
|
|
#define X3 (result->x)
|
|
#define Y3 (result->y)
|
|
#define Z3 (result->z)
|
|
#define A (ctx->t.scratch[0])
|
|
#define B (ctx->t.scratch[1])
|
|
#define C (ctx->t.scratch[2])
|
|
#define D (ctx->t.scratch[3])
|
|
#define E (ctx->t.scratch[4])
|
|
#define F (ctx->t.scratch[5])
|
|
#define G (ctx->t.scratch[6])
|
|
#define tmp (ctx->t.scratch[7])
|
|
|
|
point_resize(result, ctx);
|
|
|
|
/* Compute: (X_3 : Y_3 : Z_3) = (X_1 : Y_1 : Z_1) + (X_2 : Y_2 : Z_3) */
|
|
|
|
/* A = Z1 · Z2 */
|
|
ctx->mulm(A, Z1, Z2, ctx);
|
|
|
|
/* B = A^2 */
|
|
ctx->pow2(B, A, ctx);
|
|
|
|
/* C = X1 · X2 */
|
|
ctx->mulm(C, X1, X2, ctx);
|
|
|
|
/* D = Y1 · Y2 */
|
|
ctx->mulm(D, Y1, Y2, ctx);
|
|
|
|
/* E = d · C · D */
|
|
ctx->mulm(E, ctx->b, C, ctx);
|
|
ctx->mulm(E, E, D, ctx);
|
|
|
|
/* F = B - E */
|
|
ctx->subm(F, B, E, ctx);
|
|
|
|
/* G = B + E */
|
|
ctx->addm(G, B, E, ctx);
|
|
|
|
/* X_3 = A · F · ((X_1 + Y_1) · (X_2 + Y_2) - C - D) */
|
|
ctx->addm(tmp, X1, Y1, ctx);
|
|
ctx->addm(X3, X2, Y2, ctx);
|
|
ctx->mulm(X3, X3, tmp, ctx);
|
|
ctx->subm(X3, X3, C, ctx);
|
|
ctx->subm(X3, X3, D, ctx);
|
|
ctx->mulm(X3, X3, F, ctx);
|
|
ctx->mulm(X3, X3, A, ctx);
|
|
|
|
/* Y_3 = A · G · (D - aC) */
|
|
if (ctx->dialect == ECC_DIALECT_ED25519) {
|
|
ctx->addm(Y3, D, C, ctx);
|
|
} else {
|
|
ctx->mulm(Y3, ctx->a, C, ctx);
|
|
ctx->subm(Y3, D, Y3, ctx);
|
|
}
|
|
ctx->mulm(Y3, Y3, G, ctx);
|
|
ctx->mulm(Y3, Y3, A, ctx);
|
|
|
|
/* Z_3 = F · G */
|
|
ctx->mulm(Z3, F, G, ctx);
|
|
|
|
|
|
#undef X1
|
|
#undef Y1
|
|
#undef Z1
|
|
#undef X2
|
|
#undef Y2
|
|
#undef Z2
|
|
#undef X3
|
|
#undef Y3
|
|
#undef Z3
|
|
#undef A
|
|
#undef B
|
|
#undef C
|
|
#undef D
|
|
#undef E
|
|
#undef F
|
|
#undef G
|
|
#undef tmp
|
|
}
|
|
|
|
/* Compute a step of Montgomery Ladder (only use X and Z in the point).
|
|
* Inputs: P1, P2, and x-coordinate of DIF = P1 - P1.
|
|
* Outputs: PRD = 2 * P1 and SUM = P1 + P2.
|
|
*/
|
|
static void montgomery_ladder(MPI_POINT prd, MPI_POINT sum,
|
|
MPI_POINT p1, MPI_POINT p2, MPI dif_x,
|
|
struct mpi_ec_ctx *ctx)
|
|
{
|
|
ctx->addm(sum->x, p2->x, p2->z, ctx);
|
|
ctx->subm(p2->z, p2->x, p2->z, ctx);
|
|
ctx->addm(prd->x, p1->x, p1->z, ctx);
|
|
ctx->subm(p1->z, p1->x, p1->z, ctx);
|
|
ctx->mulm(p2->x, p1->z, sum->x, ctx);
|
|
ctx->mulm(p2->z, prd->x, p2->z, ctx);
|
|
ctx->pow2(p1->x, prd->x, ctx);
|
|
ctx->pow2(p1->z, p1->z, ctx);
|
|
ctx->addm(sum->x, p2->x, p2->z, ctx);
|
|
ctx->subm(p2->z, p2->x, p2->z, ctx);
|
|
ctx->mulm(prd->x, p1->x, p1->z, ctx);
|
|
ctx->subm(p1->z, p1->x, p1->z, ctx);
|
|
ctx->pow2(sum->x, sum->x, ctx);
|
|
ctx->pow2(sum->z, p2->z, ctx);
|
|
ctx->mulm(prd->z, p1->z, ctx->a, ctx); /* CTX->A: (a-2)/4 */
|
|
ctx->mulm(sum->z, sum->z, dif_x, ctx);
|
|
ctx->addm(prd->z, p1->x, prd->z, ctx);
|
|
ctx->mulm(prd->z, prd->z, p1->z, ctx);
|
|
}
|
|
|
|
/* RESULT = P1 + P2 */
|
|
void mpi_ec_add_points(MPI_POINT result,
|
|
MPI_POINT p1, MPI_POINT p2,
|
|
struct mpi_ec_ctx *ctx)
|
|
{
|
|
switch (ctx->model) {
|
|
case MPI_EC_WEIERSTRASS:
|
|
add_points_weierstrass(result, p1, p2, ctx);
|
|
break;
|
|
case MPI_EC_MONTGOMERY:
|
|
add_points_montgomery(result, p1, p2, ctx);
|
|
break;
|
|
case MPI_EC_EDWARDS:
|
|
add_points_edwards(result, p1, p2, ctx);
|
|
break;
|
|
}
|
|
}
|
|
EXPORT_SYMBOL_GPL(mpi_ec_add_points);
|
|
|
|
/* Scalar point multiplication - the main function for ECC. If takes
|
|
* an integer SCALAR and a POINT as well as the usual context CTX.
|
|
* RESULT will be set to the resulting point.
|
|
*/
|
|
void mpi_ec_mul_point(MPI_POINT result,
|
|
MPI scalar, MPI_POINT point,
|
|
struct mpi_ec_ctx *ctx)
|
|
{
|
|
MPI x1, y1, z1, k, h, yy;
|
|
unsigned int i, loops;
|
|
struct gcry_mpi_point p1, p2, p1inv;
|
|
|
|
if (ctx->model == MPI_EC_EDWARDS) {
|
|
/* Simple left to right binary method. Algorithm 3.27 from
|
|
* {author={Hankerson, Darrel and Menezes, Alfred J. and Vanstone, Scott},
|
|
* title = {Guide to Elliptic Curve Cryptography},
|
|
* year = {2003}, isbn = {038795273X},
|
|
* url = {http://www.cacr.math.uwaterloo.ca/ecc/},
|
|
* publisher = {Springer-Verlag New York, Inc.}}
|
|
*/
|
|
unsigned int nbits;
|
|
int j;
|
|
|
|
if (mpi_cmp(scalar, ctx->p) >= 0)
|
|
nbits = mpi_get_nbits(scalar);
|
|
else
|
|
nbits = mpi_get_nbits(ctx->p);
|
|
|
|
mpi_set_ui(result->x, 0);
|
|
mpi_set_ui(result->y, 1);
|
|
mpi_set_ui(result->z, 1);
|
|
point_resize(point, ctx);
|
|
|
|
point_resize(result, ctx);
|
|
point_resize(point, ctx);
|
|
|
|
for (j = nbits-1; j >= 0; j--) {
|
|
mpi_ec_dup_point(result, result, ctx);
|
|
if (mpi_test_bit(scalar, j))
|
|
mpi_ec_add_points(result, result, point, ctx);
|
|
}
|
|
return;
|
|
} else if (ctx->model == MPI_EC_MONTGOMERY) {
|
|
unsigned int nbits;
|
|
int j;
|
|
struct gcry_mpi_point p1_, p2_;
|
|
MPI_POINT q1, q2, prd, sum;
|
|
unsigned long sw;
|
|
mpi_size_t rsize;
|
|
int scalar_copied = 0;
|
|
|
|
/* Compute scalar point multiplication with Montgomery Ladder.
|
|
* Note that we don't use Y-coordinate in the points at all.
|
|
* RESULT->Y will be filled by zero.
|
|
*/
|
|
|
|
nbits = mpi_get_nbits(scalar);
|
|
point_init(&p1);
|
|
point_init(&p2);
|
|
point_init(&p1_);
|
|
point_init(&p2_);
|
|
mpi_set_ui(p1.x, 1);
|
|
mpi_free(p2.x);
|
|
p2.x = mpi_copy(point->x);
|
|
mpi_set_ui(p2.z, 1);
|
|
|
|
point_resize(&p1, ctx);
|
|
point_resize(&p2, ctx);
|
|
point_resize(&p1_, ctx);
|
|
point_resize(&p2_, ctx);
|
|
|
|
mpi_resize(point->x, ctx->p->nlimbs);
|
|
point->x->nlimbs = ctx->p->nlimbs;
|
|
|
|
q1 = &p1;
|
|
q2 = &p2;
|
|
prd = &p1_;
|
|
sum = &p2_;
|
|
|
|
for (j = nbits-1; j >= 0; j--) {
|
|
MPI_POINT t;
|
|
|
|
sw = mpi_test_bit(scalar, j);
|
|
point_swap_cond(q1, q2, sw, ctx);
|
|
montgomery_ladder(prd, sum, q1, q2, point->x, ctx);
|
|
point_swap_cond(prd, sum, sw, ctx);
|
|
t = q1; q1 = prd; prd = t;
|
|
t = q2; q2 = sum; sum = t;
|
|
}
|
|
|
|
mpi_clear(result->y);
|
|
sw = (nbits & 1);
|
|
point_swap_cond(&p1, &p1_, sw, ctx);
|
|
|
|
rsize = p1.z->nlimbs;
|
|
MPN_NORMALIZE(p1.z->d, rsize);
|
|
if (rsize == 0) {
|
|
mpi_set_ui(result->x, 1);
|
|
mpi_set_ui(result->z, 0);
|
|
} else {
|
|
z1 = mpi_new(0);
|
|
ec_invm(z1, p1.z, ctx);
|
|
ec_mulm(result->x, p1.x, z1, ctx);
|
|
mpi_set_ui(result->z, 1);
|
|
mpi_free(z1);
|
|
}
|
|
|
|
point_free(&p1);
|
|
point_free(&p2);
|
|
point_free(&p1_);
|
|
point_free(&p2_);
|
|
if (scalar_copied)
|
|
mpi_free(scalar);
|
|
return;
|
|
}
|
|
|
|
x1 = mpi_alloc_like(ctx->p);
|
|
y1 = mpi_alloc_like(ctx->p);
|
|
h = mpi_alloc_like(ctx->p);
|
|
k = mpi_copy(scalar);
|
|
yy = mpi_copy(point->y);
|
|
|
|
if (mpi_has_sign(k)) {
|
|
k->sign = 0;
|
|
ec_invm(yy, yy, ctx);
|
|
}
|
|
|
|
if (!mpi_cmp_ui(point->z, 1)) {
|
|
mpi_set(x1, point->x);
|
|
mpi_set(y1, yy);
|
|
} else {
|
|
MPI z2, z3;
|
|
|
|
z2 = mpi_alloc_like(ctx->p);
|
|
z3 = mpi_alloc_like(ctx->p);
|
|
ec_mulm(z2, point->z, point->z, ctx);
|
|
ec_mulm(z3, point->z, z2, ctx);
|
|
ec_invm(z2, z2, ctx);
|
|
ec_mulm(x1, point->x, z2, ctx);
|
|
ec_invm(z3, z3, ctx);
|
|
ec_mulm(y1, yy, z3, ctx);
|
|
mpi_free(z2);
|
|
mpi_free(z3);
|
|
}
|
|
z1 = mpi_copy(mpi_const(MPI_C_ONE));
|
|
|
|
mpi_mul(h, k, mpi_const(MPI_C_THREE)); /* h = 3k */
|
|
loops = mpi_get_nbits(h);
|
|
if (loops < 2) {
|
|
/* If SCALAR is zero, the above mpi_mul sets H to zero and thus
|
|
* LOOPs will be zero. To avoid an underflow of I in the main
|
|
* loop we set LOOP to 2 and the result to (0,0,0).
|
|
*/
|
|
loops = 2;
|
|
mpi_clear(result->x);
|
|
mpi_clear(result->y);
|
|
mpi_clear(result->z);
|
|
} else {
|
|
mpi_set(result->x, point->x);
|
|
mpi_set(result->y, yy);
|
|
mpi_set(result->z, point->z);
|
|
}
|
|
mpi_free(yy); yy = NULL;
|
|
|
|
p1.x = x1; x1 = NULL;
|
|
p1.y = y1; y1 = NULL;
|
|
p1.z = z1; z1 = NULL;
|
|
point_init(&p2);
|
|
point_init(&p1inv);
|
|
|
|
/* Invert point: y = p - y mod p */
|
|
point_set(&p1inv, &p1);
|
|
ec_subm(p1inv.y, ctx->p, p1inv.y, ctx);
|
|
|
|
for (i = loops-2; i > 0; i--) {
|
|
mpi_ec_dup_point(result, result, ctx);
|
|
if (mpi_test_bit(h, i) == 1 && mpi_test_bit(k, i) == 0) {
|
|
point_set(&p2, result);
|
|
mpi_ec_add_points(result, &p2, &p1, ctx);
|
|
}
|
|
if (mpi_test_bit(h, i) == 0 && mpi_test_bit(k, i) == 1) {
|
|
point_set(&p2, result);
|
|
mpi_ec_add_points(result, &p2, &p1inv, ctx);
|
|
}
|
|
}
|
|
|
|
point_free(&p1);
|
|
point_free(&p2);
|
|
point_free(&p1inv);
|
|
mpi_free(h);
|
|
mpi_free(k);
|
|
}
|
|
EXPORT_SYMBOL_GPL(mpi_ec_mul_point);
|
|
|
|
/* Return true if POINT is on the curve described by CTX. */
|
|
int mpi_ec_curve_point(MPI_POINT point, struct mpi_ec_ctx *ctx)
|
|
{
|
|
int res = 0;
|
|
MPI x, y, w;
|
|
|
|
x = mpi_new(0);
|
|
y = mpi_new(0);
|
|
w = mpi_new(0);
|
|
|
|
/* Check that the point is in range. This needs to be done here and
|
|
* not after conversion to affine coordinates.
|
|
*/
|
|
if (mpi_cmpabs(point->x, ctx->p) >= 0)
|
|
goto leave;
|
|
if (mpi_cmpabs(point->y, ctx->p) >= 0)
|
|
goto leave;
|
|
if (mpi_cmpabs(point->z, ctx->p) >= 0)
|
|
goto leave;
|
|
|
|
switch (ctx->model) {
|
|
case MPI_EC_WEIERSTRASS:
|
|
{
|
|
MPI xxx;
|
|
|
|
if (mpi_ec_get_affine(x, y, point, ctx))
|
|
goto leave;
|
|
|
|
xxx = mpi_new(0);
|
|
|
|
/* y^2 == x^3 + a·x + b */
|
|
ec_pow2(y, y, ctx);
|
|
|
|
ec_pow3(xxx, x, ctx);
|
|
ec_mulm(w, ctx->a, x, ctx);
|
|
ec_addm(w, w, ctx->b, ctx);
|
|
ec_addm(w, w, xxx, ctx);
|
|
|
|
if (!mpi_cmp(y, w))
|
|
res = 1;
|
|
|
|
mpi_free(xxx);
|
|
}
|
|
break;
|
|
|
|
case MPI_EC_MONTGOMERY:
|
|
{
|
|
#define xx y
|
|
/* With Montgomery curve, only X-coordinate is valid. */
|
|
if (mpi_ec_get_affine(x, NULL, point, ctx))
|
|
goto leave;
|
|
|
|
/* The equation is: b * y^2 == x^3 + a · x^2 + x */
|
|
/* We check if right hand is quadratic residue or not by
|
|
* Euler's criterion.
|
|
*/
|
|
/* CTX->A has (a-2)/4 and CTX->B has b^-1 */
|
|
ec_mulm(w, ctx->a, mpi_const(MPI_C_FOUR), ctx);
|
|
ec_addm(w, w, mpi_const(MPI_C_TWO), ctx);
|
|
ec_mulm(w, w, x, ctx);
|
|
ec_pow2(xx, x, ctx);
|
|
ec_addm(w, w, xx, ctx);
|
|
ec_addm(w, w, mpi_const(MPI_C_ONE), ctx);
|
|
ec_mulm(w, w, x, ctx);
|
|
ec_mulm(w, w, ctx->b, ctx);
|
|
#undef xx
|
|
/* Compute Euler's criterion: w^(p-1)/2 */
|
|
#define p_minus1 y
|
|
ec_subm(p_minus1, ctx->p, mpi_const(MPI_C_ONE), ctx);
|
|
mpi_rshift(p_minus1, p_minus1, 1);
|
|
ec_powm(w, w, p_minus1, ctx);
|
|
|
|
res = !mpi_cmp_ui(w, 1);
|
|
#undef p_minus1
|
|
}
|
|
break;
|
|
|
|
case MPI_EC_EDWARDS:
|
|
{
|
|
if (mpi_ec_get_affine(x, y, point, ctx))
|
|
goto leave;
|
|
|
|
mpi_resize(w, ctx->p->nlimbs);
|
|
w->nlimbs = ctx->p->nlimbs;
|
|
|
|
/* a · x^2 + y^2 - 1 - b · x^2 · y^2 == 0 */
|
|
ctx->pow2(x, x, ctx);
|
|
ctx->pow2(y, y, ctx);
|
|
if (ctx->dialect == ECC_DIALECT_ED25519)
|
|
ctx->subm(w, ctx->p, x, ctx);
|
|
else
|
|
ctx->mulm(w, ctx->a, x, ctx);
|
|
ctx->addm(w, w, y, ctx);
|
|
ctx->mulm(x, x, y, ctx);
|
|
ctx->mulm(x, x, ctx->b, ctx);
|
|
ctx->subm(w, w, x, ctx);
|
|
if (!mpi_cmp_ui(w, 1))
|
|
res = 1;
|
|
}
|
|
break;
|
|
}
|
|
|
|
leave:
|
|
mpi_free(w);
|
|
mpi_free(x);
|
|
mpi_free(y);
|
|
|
|
return res;
|
|
}
|
|
EXPORT_SYMBOL_GPL(mpi_ec_curve_point);
|