| blob | b5ff56c2527762b78f322db5f4d1cb3dd0bb3ced |
1 /* crypto/ec/ecp_nistp224.c */
2 /*
3 * Written by Emilia Kasper (Google) for the OpenSSL project.
4 */
5 /* Copyright 2011 Google Inc.
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 *
9 * you may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS,
16 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 */
21 /*
22 * A 64-bit implementation of the NIST P-224 elliptic curve point multiplication
23 *
24 * Inspired by Daniel J. Bernstein's public domain nistp224 implementation
25 * and Adam Langley's public domain 64-bit C implementation of curve25519
26 */
28 #include <openssl/opensslconf.h>
29 #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
31 #ifndef OPENSSL_SYS_VMS
32 #include <stdint.h>
33 #else
34 #include <inttypes.h>
35 #endif
37 #include <string.h>
38 #include <openssl/err.h>
41 #if defined(__GNUC__) && (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 1))
42 /* even with gcc, the typedef won't work for 32-bit platforms */
44 #else
46 #endif
53 /******************************************************************************/
54 /* INTERNAL REPRESENTATION OF FIELD ELEMENTS
55 *
56 * Field elements are represented as a_0 + 2^56*a_1 + 2^112*a_2 + 2^168*a_3
57 * using 64-bit coefficients called 'limbs',
58 * and sometimes (for multiplication results) as
59 * b_0 + 2^56*b_1 + 2^112*b_2 + 2^168*b_3 + 2^224*b_4 + 2^280*b_5 + 2^336*b_6
60 * using 128-bit coefficients called 'widelimbs'.
61 * A 4-limb representation is an 'felem';
62 * a 7-widelimb representation is a 'widefelem'.
63 * Even within felems, bits of adjacent limbs overlap, and we don't always
64 * reduce the representations: we ensure that inputs to each felem
65 * multiplication satisfy a_i < 2^60, so outputs satisfy b_i < 4*2^60*2^60,
66 * and fit into a 128-bit word without overflow. The coefficients are then
67 * again partially reduced to obtain an felem satisfying a_i < 2^57.
68 * We only reduce to the unique minimal representation at the end of the
69 * computation.
70 */
78 /* Field element represented as a byte arrary.
79 * 28*8 = 224 bits is also the group order size for the elliptic curve,
80 * and we also use this type for scalars for point multiplication.
81 */
100 };
102 /* Precomputed multiples of the standard generator
103 * Points are given in coordinates (X, Y, Z) where Z normally is 1
104 * (0 for the point at infinity).
105 * For each field element, slice a_0 is word 0, etc.
106 *
107 * The table has 2 * 16 elements, starting with the following:
108 * index | bits | point
109 * ------+---------+------------------------------
110 * 0 | 0 0 0 0 | 0G
111 * 1 | 0 0 0 1 | 1G
112 * 2 | 0 0 1 0 | 2^56G
113 * 3 | 0 0 1 1 | (2^56 + 1)G
114 * 4 | 0 1 0 0 | 2^112G
115 * 5 | 0 1 0 1 | (2^112 + 1)G
116 * 6 | 0 1 1 0 | (2^112 + 2^56)G
117 * 7 | 0 1 1 1 | (2^112 + 2^56 + 1)G
118 * 8 | 1 0 0 0 | 2^168G
119 * 9 | 1 0 0 1 | (2^168 + 1)G
120 * 10 | 1 0 1 0 | (2^168 + 2^56)G
121 * 11 | 1 0 1 1 | (2^168 + 2^56 + 1)G
122 * 12 | 1 1 0 0 | (2^168 + 2^112)G
123 * 13 | 1 1 0 1 | (2^168 + 2^112 + 1)G
124 * 14 | 1 1 1 0 | (2^168 + 2^112 + 2^56)G
125 * 15 | 1 1 1 1 | (2^168 + 2^112 + 2^56 + 1)G
126 * followed by a copy of this with each element multiplied by 2^28.
127 *
128 * The reason for this is so that we can clock bits into four different
129 * locations when doing simple scalar multiplies against the base point,
130 * and then another four locations using the second 16 elements.
131 */
230 /* Precomputation for the group generator. */
237 {
239 EC_FLAGS_DEFAULT_OCT,
240 NID_X9_62_prime_field,
241 ec_GFp_nistp224_group_init,
242 ec_GFp_simple_group_finish,
243 ec_GFp_simple_group_clear_finish,
244 ec_GFp_nist_group_copy,
245 ec_GFp_nistp224_group_set_curve,
246 ec_GFp_simple_group_get_curve,
247 ec_GFp_simple_group_get_degree,
248 ec_GFp_simple_group_check_discriminant,
249 ec_GFp_simple_point_init,
250 ec_GFp_simple_point_finish,
251 ec_GFp_simple_point_clear_finish,
252 ec_GFp_simple_point_copy,
253 ec_GFp_simple_point_set_to_infinity,
254 ec_GFp_simple_set_Jprojective_coordinates_GFp,
255 ec_GFp_simple_get_Jprojective_coordinates_GFp,
256 ec_GFp_simple_point_set_affine_coordinates,
257 ec_GFp_nistp224_point_get_affine_coordinates,
261 ec_GFp_simple_add,
262 ec_GFp_simple_dbl,
263 ec_GFp_simple_invert,
264 ec_GFp_simple_is_at_infinity,
265 ec_GFp_simple_is_on_curve,
266 ec_GFp_simple_cmp,
267 ec_GFp_simple_make_affine,
268 ec_GFp_simple_points_make_affine,
269 ec_GFp_nistp224_points_mul,
270 ec_GFp_nistp224_precompute_mult,
271 ec_GFp_nistp224_have_precompute_mult,
272 ec_GFp_nist_field_mul,
273 ec_GFp_nist_field_sqr,
280 }
282 /* Helper functions to convert field elements to/from internal representation */
284 {
289 }
292 {
295 {
300 }
301 }
303 /* To preserve endianness when using BN_bn2bin and BN_bin2bn */
305 {
309 }
311 /* From OpenSSL BIGNUM to internal representation */
313 {
314 felem_bytearray b_in;
315 felem_bytearray b_out;
318 /* BN_bn2bin eats leading zeroes */
322 {
325 }
327 {
330 }
335 }
337 /* From internal representation to OpenSSL BIGNUM */
339 {
344 }
346 /******************************************************************************/
347 /* FIELD OPERATIONS
348 *
349 * Field operations, using the internal representation of field elements.
350 * NB! These operations are specific to our point multiplication and cannot be
351 * expected to be correct in general - e.g., multiplication with a large scalar
352 * will cause an overflow.
353 *
354 */
357 {
362 }
365 {
370 }
372 /* Sum two field elements: out += in */
374 {
379 }
381 /* Get negative value: out = -in */
382 /* Assumes in[i] < 2^57 */
384 {
390 /* Set to 0 mod 2^224-2^96+1 to ensure out > in */
395 }
397 /* Subtract field elements: out -= in */
398 /* Assumes in[i] < 2^57 */
400 {
406 /* Add 0 mod 2^224-2^96+1 to ensure out > in */
416 }
418 /* Subtract in unreduced 128-bit mode: out -= in */
419 /* Assumes in[i] < 2^119 */
421 {
428 /* Add 0 mod 2^224-2^96+1 to ensure out > in */
444 }
446 /* Subtract in mixed mode: out128 -= in64 */
447 /* in[i] < 2^63 */
449 {
457 /* Add 0 mod 2^224-2^96+1 to ensure out > in */
467 }
469 /* Multiply a field element by a scalar: out = out * scalar
470 * The scalars we actually use are small, so results fit without overflow */
472 {
477 }
479 /* Multiply an unreduced field element by a scalar: out = out * scalar
480 * The scalars we actually use are small, so results fit without overflow */
482 {
490 }
492 /* Square a field element: out = in^2 */
494 {
505 }
507 /* Multiply two field elements: out = in1 * in2 */
509 {
520 }
522 /* Reduce seven 128-bit coefficients to four 64-bit coefficients.
523 * Requires in[i] < 2^126,
524 * ensures out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, out[3] <= 2^56 + 2^16 */
526 {
535 /* Add 0 mod 2^224-2^96+1 to ensure all differences are positive */
542 /* Eliminate in[4], in[5], in[6] */
555 /* Carry 2 -> 3 -> 4 */
562 /* Now output[2] < 2^56, output[3] < 2^56, output[4] < 2^72 */
564 /* Eliminate output[4] */
566 /* output[2] < 2^56 + 2^56 = 2^57 */
570 /* Carry 0 -> 1 -> 2 -> 3 */
575 /* output[2] < 2^57 + 2^72 */
578 /* output[3] <= 2^56 + 2^16 */
581 /* out[0] < 2^56, out[1] < 2^56, out[2] < 2^56,
582 * out[3] <= 2^56 + 2^16 (due to final carry),
583 * so out < 2*p */
585 }
588 {
589 widefelem tmp;
592 }
595 {
596 widefelem tmp;
599 }
601 /* Reduce to unique minimal representation.
602 * Requires 0 <= in < 2*p (always call felem_reduce first) */
604 {
606 /* 0 <= in < 2*p, p = 2^224 - 2^96 + 1 */
607 /* if in > p , reduce in = in - 2^224 + 2^96 - 1 */
613 /* Case 1: a = 1 iff in >= 2^224 */
618 /* Case 2: a = 0 iff p <= in < 2^224, i.e.,
619 * the high 128 bits are all 1 and the lower part is non-zero */
623 /* turn a into an all-one mask (if a = 0) or an all-zero mask */
625 /* subtract 2^224 - 2^96 + 1 if a is all-one*/
631 /* eliminate negative coefficients: if tmp[0] is negative, tmp[1] must
632 * be non-zero, so we only need one step */
637 /* carry 1 -> 2 -> 3 */
644 /* Now 0 <= out < p */
649 }
651 /* Zero-check: returns 1 if input is 0, and 0 otherwise.
652 * We know that field elements are reduced to in < 2^225,
653 * so we only need to check three cases: 0, 2^224 - 2^96 + 1,
654 * and 2^225 - 2^97 + 2 */
656 {
668 }
671 {
673 }
675 /* Invert a field element */
676 /* Computation chain copied from djb's code */
678 {
680 widefelem tmp;
693 {
695 }
699 {
701 }
705 {
707 }
711 {
713 }
717 {
719 }
722 {
724 }
729 {
731 }
733 }
735 /* Copy in constant time:
736 * if icopy == 1, copy in to out,
737 * if icopy == 0, copy out to itself. */
738 static void
740 {
742 /* icopy is a (64-bit) 0 or 1, so copy is either all-zero or all-one */
745 {
748 }
749 }
751 /******************************************************************************/
752 /* ELLIPTIC CURVE POINT OPERATIONS
753 *
754 * Points are represented in Jacobian projective coordinates:
755 * (X, Y, Z) corresponds to the affine point (X/Z^2, Y/Z^3),
756 * or to the point at infinity if Z == 0.
757 *
758 */
760 /* Double an elliptic curve point:
761 * (X', Y', Z') = 2 * (X, Y, Z), where
762 * X' = (3 * (X - Z^2) * (X + Z^2))^2 - 8 * X * Y^2
763 * Y' = 3 * (X - Z^2) * (X + Z^2) * (4 * X * Y^2 - X') - 8 * Y^2
764 * Z' = (Y + Z)^2 - Y^2 - Z^2 = 2 * Y * Z
765 * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed,
766 * while x_out == y_in is not (maybe this works, but it's not tested). */
767 static void
770 {
777 /* delta = z^2 */
781 /* gamma = y^2 */
785 /* beta = x*gamma */
789 /* alpha = 3*(x-delta)*(x+delta) */
791 /* ftmp[i] < 2^57 + 2^58 + 2 < 2^59 */
793 /* ftmp2[i] < 2^57 + 2^57 = 2^58 */
795 /* ftmp2[i] < 3 * 2^58 < 2^60 */
797 /* tmp[i] < 2^60 * 2^59 * 4 = 2^121 */
800 /* x' = alpha^2 - 8*beta */
802 /* tmp[i] < 4 * 2^57 * 2^57 = 2^116 */
805 /* ftmp[i] < 8 * 2^57 = 2^60 */
807 /* tmp[i] < 2^116 + 2^64 + 8 < 2^117 */
810 /* z' = (y + z)^2 - gamma - delta */
812 /* delta[i] < 2^57 + 2^57 = 2^58 */
815 /* ftmp[i] < 2^57 + 2^57 = 2^58 */
817 /* tmp[i] < 4 * 2^58 * 2^58 = 2^118 */
819 /* tmp[i] < 2^118 + 2^64 + 8 < 2^119 */
822 /* y' = alpha*(4*beta - x') - 8*gamma^2 */
824 /* beta[i] < 4 * 2^57 = 2^59 */
826 /* beta[i] < 2^59 + 2^58 + 2 < 2^60 */
828 /* tmp[i] < 4 * 2^57 * 2^60 = 2^119 */
830 /* tmp2[i] < 4 * 2^57 * 2^57 = 2^116 */
832 /* tmp2[i] < 8 * 2^116 = 2^119 */
834 /* tmp[i] < 2^119 + 2^120 < 2^121 */
836 }
838 /* Add two elliptic curve points:
839 * (X_1, Y_1, Z_1) + (X_2, Y_2, Z_2) = (X_3, Y_3, Z_3), where
840 * X_3 = (Z_1^3 * Y_2 - Z_2^3 * Y_1)^2 - (Z_1^2 * X_2 - Z_2^2 * X_1)^3 -
841 * 2 * Z_2^2 * X_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^2
842 * Y_3 = (Z_1^3 * Y_2 - Z_2^3 * Y_1) * (Z_2^2 * X_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^2 - X_3) -
843 * Z_2^3 * Y_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^3
844 * Z_3 = (Z_1^2 * X_2 - Z_2^2 * X_1) * (Z_1 * Z_2)
845 *
846 * This runs faster if 'mixed' is set, which requires Z_2 = 1 or Z_2 = 0.
847 */
849 /* This function is not entirely constant-time:
850 * it includes a branch for checking whether the two input points are equal,
851 * (while not equal to the point at infinity).
852 * This case never happens during single point multiplication,
853 * so there is no timing leak for ECDH or ECDSA signing. */
857 {
863 {
864 /* ftmp2 = z2^2 */
868 /* ftmp4 = z2^3 */
872 /* ftmp4 = z2^3*y1 */
876 /* ftmp2 = z2^2*x1 */
879 }
880 else
881 {
882 /* We'll assume z2 = 1 (special case z2 = 0 is handled later) */
884 /* ftmp4 = z2^3*y1 */
887 /* ftmp2 = z2^2*x1 */
889 }
891 /* ftmp = z1^2 */
895 /* ftmp3 = z1^3 */
899 /* tmp = z1^3*y2 */
901 /* tmp[i] < 4 * 2^57 * 2^57 = 2^116 */
903 /* ftmp3 = z1^3*y2 - z2^3*y1 */
905 /* tmp[i] < 2^116 + 2^64 + 8 < 2^117 */
908 /* tmp = z1^2*x2 */
910 /* tmp[i] < 4 * 2^57 * 2^57 = 2^116 */
912 /* ftmp = z1^2*x2 - z2^2*x1 */
914 /* tmp[i] < 2^116 + 2^64 + 8 < 2^117 */
917 /* the formulae are incorrect if the points are equal
918 * so we check for this and do doubling if this happens */
923 /* In affine coordinates, (X_1, Y_1) == (X_2, Y_2) */
925 {
928 }
930 /* ftmp5 = z1*z2 */
932 {
935 }
936 else
937 {
938 /* special case z2 = 0 is handled later */
940 }
942 /* z_out = (z1^2*x2 - z2^2*x1)*(z1*z2) */
946 /* ftmp = (z1^2*x2 - z2^2*x1)^2 */
951 /* ftmp5 = (z1^2*x2 - z2^2*x1)^3 */
955 /* ftmp2 = z2^2*x1*(z1^2*x2 - z2^2*x1)^2 */
959 /* tmp = z2^3*y1*(z1^2*x2 - z2^2*x1)^3 */
961 /* tmp[i] < 4 * 2^57 * 2^57 = 2^116 */
963 /* tmp2 = (z1^3*y2 - z2^3*y1)^2 */
965 /* tmp2[i] < 4 * 2^57 * 2^57 < 2^116 */
967 /* tmp2 = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 */
969 /* tmp2[i] < 2^116 + 2^64 + 8 < 2^117 */
971 /* ftmp5 = 2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2 */
974 /* ftmp5[i] < 2 * 2^57 = 2^58 */
976 /* x_out = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 -
977 2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2 */
979 /* tmp2[i] < 2^117 + 2^64 + 8 < 2^118 */
982 /* ftmp2 = z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out */
984 /* ftmp2[i] < 2^57 + 2^58 + 2 < 2^59 */
986 /* tmp2 = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out) */
988 /* tmp2[i] < 4 * 2^57 * 2^59 = 2^118 */
990 /* y_out = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out) -
991 z2^3*y1*(z1^2*x2 - z2^2*x1)^3 */
993 /* tmp2[i] < 2^118 + 2^120 < 2^121 */
996 /* the result (x_out, y_out, z_out) is incorrect if one of the inputs is
997 * the point at infinity, so we need to check for this separately */
999 /* if point 1 is at infinity, copy point 2 to output, and vice versa */
1009 }
1011 /* select_point selects the |idx|th point from a precomputation table and
1012 * copies it to out. */
1013 static void select_point(const u64 idx, unsigned int size, const felem pre_comp[/*size*/][3], felem out[3])
1014 {
1020 {
1027 mask--;
1030 }
1031 }
1033 /* get_bit returns the |i|th bit in |in| */
1035 {
1039 }
1041 /* Interleaved point multiplication using precomputed point multiples:
1042 * The small point multiples 0*P, 1*P, ..., 16*P are in pre_comp[],
1043 * the scalars in scalars[]. If g_scalar is non-NULL, we also add this multiple
1044 * of the generator, using certain (large) precomputed multiples in g_pre_comp.
1045 * Output point (X, Y, Z) is stored in x_out, y_out, z_out */
1049 {
1054 u64 bits;
1057 /* set nq to the point at infinity */
1060 /* Loop over all scalars msb-to-lsb, interleaving additions
1061 * of multiples of the generator (two in each of the last 28 rounds)
1062 * and additions of other points multiples (every 5th round).
1063 */
1066 {
1067 /* double */
1071 /* add multiples of the generator */
1073 {
1074 /* first, look 28 bits upwards */
1079 /* select the point to add, in constant time */
1083 {
1087 }
1088 else
1089 {
1092 }
1094 /* second, look at the current position */
1099 /* select the point to add, in constant time */
1104 }
1106 /* do other additions every 5 doublings */
1108 {
1109 /* loop over all scalars */
1111 {
1120 /* select the point to add or subtract */
1126 {
1130 }
1131 else
1132 {
1135 }
1136 }
1137 }
1138 }
1142 }
1144 /******************************************************************************/
1145 /* FUNCTIONS TO MANAGE PRECOMPUTATION
1146 */
1149 {
1153 {
1156 }
1160 }
1163 {
1166 /* no need to actually copy, these objects never change! */
1170 }
1173 {
1185 }
1188 {
1201 }
1203 /******************************************************************************/
1204 /* OPENSSL EC_METHOD FUNCTIONS
1205 */
1208 {
1213 }
1217 {
1233 {
1235 EC_R_WRONG_CURVE_PARAMETERS);
1237 }
1240 err:
1245 }
1247 /* Takes the Jacobian coordinates (X, Y, Z) of a point and returns
1248 * (X', Y') = (X/Z^2, Y/Z^3) */
1251 {
1253 widefelem tmp;
1256 {
1258 EC_R_POINT_AT_INFINITY);
1260 }
1268 {
1271 ERR_R_BN_LIB);
1273 }
1274 }
1279 {
1282 ERR_R_BN_LIB);
1284 }
1285 }
1287 }
1289 static void make_points_affine(size_t num, felem points[/*num*/][3], felem tmp_felems[/*num+1*/])
1290 {
1291 /* Runs in constant time, unless an input is the point at infinity
1292 * (which normally shouldn't happen). */
1294 num,
1295 points,
1297 tmp_felems,
1305 }
1307 /* Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL values
1308 * Result is stored in r (r can equal one of the inputs). */
1312 {
1319 felem_bytearray g_secret;
1323 felem_bytearray tmp;
1344 {
1347 nistp224_pre_comp_clear_free);
1349 /* we have precomputation, try to use it */
1351 else
1352 /* try to use the standard precomputation */
1357 /* get the generator from precomputation */
1361 {
1364 }
1369 /* precomputation matches generator */
1371 else
1372 /* we don't have valid precomputation:
1373 * treat the generator as a random point */
1375 }
1378 {
1380 {
1381 /* unless we precompute multiples for just one or two points,
1382 * converting those into affine form is time well spent */
1384 }
1390 {
1393 }
1395 /* we treat NULL scalars as 0, and NULL points as points at infinity,
1396 * i.e., they contribute nothing to the linear combination */
1400 {
1402 /* the generator */
1403 {
1406 }
1407 else
1408 /* the i^th point */
1409 {
1412 }
1414 {
1415 /* reduce scalar to 0 <= scalar < 2^224 */
1417 {
1418 /* this is an unusual input, and we don't guarantee
1419 * constant-timeness */
1421 {
1424 }
1426 }
1427 else
1430 /* precompute multiples */
1438 {
1440 {
1445 }
1446 else
1447 {
1451 }
1452 }
1453 }
1454 }
1457 }
1459 /* the scalar for the generator */
1461 {
1463 /* reduce scalar to 0 <= scalar < 2^224 */
1465 {
1466 /* this is an unusual input, and we don't guarantee
1467 * constant-timeness */
1469 {
1472 }
1474 }
1475 else
1478 /* do the multiplication with generator precomputation*/
1481 g_secret,
1483 g_pre_comp);
1484 }
1485 else
1486 /* do the multiplication without generator precomputation */
1490 /* reduce the output to its unique minimal representation */
1496 {
1499 }
1502 err:
1515 }
1518 {
1527 /* throw away old precomputation */
1536 /* get the generator */
1547 /* if the generator is the standard one, use built-in precomputation */
1549 {
1553 }
1558 /* compute 2^56*G, 2^112*G, 2^168*G for the first table,
1559 * 2^28*G, 2^84*G, 2^140*G, 2^196*G for the second one
1560 */
1562 {
1567 {
1571 }
1578 {
1582 }
1583 }
1585 {
1586 /* g_pre_comp[i][0] is the point at infinity */
1588 /* the remaining multiples */
1589 /* 2^56*G + 2^112*G resp. 2^84*G + 2^140*G */
1596 /* 2^56*G + 2^168*G resp. 2^84*G + 2^196*G */
1603 /* 2^112*G + 2^168*G resp. 2^140*G + 2^196*G */
1610 /* 2^56*G + 2^112*G + 2^168*G resp. 2^84*G + 2^140*G + 2^196*G */
1618 {
1619 /* odd multiples: add G resp. 2^28*G */
1626 }
1627 }
1635 err:
1644 }
1647 {
1652 else
1654 }
1656 #else
1658 #endif