|
1 /* ********************************************************************* |
|
2 * |
|
3 * Sun elects to have this file available under and governed by the |
|
4 * Mozilla Public License Version 1.1 ("MPL") (see |
|
5 * http://www.mozilla.org/MPL/ for full license text). For the avoidance |
|
6 * of doubt and subject to the following, Sun also elects to allow |
|
7 * licensees to use this file under the MPL, the GNU General Public |
|
8 * License version 2 only or the Lesser General Public License version |
|
9 * 2.1 only. Any references to the "GNU General Public License version 2 |
|
10 * or later" or "GPL" in the following shall be construed to mean the |
|
11 * GNU General Public License version 2 only. Any references to the "GNU |
|
12 * Lesser General Public License version 2.1 or later" or "LGPL" in the |
|
13 * following shall be construed to mean the GNU Lesser General Public |
|
14 * License version 2.1 only. However, the following notice accompanied |
|
15 * the original version of this file: |
|
16 * |
|
17 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
|
18 * |
|
19 * The contents of this file are subject to the Mozilla Public License Version |
|
20 * 1.1 (the "License"); you may not use this file except in compliance with |
|
21 * the License. You may obtain a copy of the License at |
|
22 * http://www.mozilla.org/MPL/ |
|
23 * |
|
24 * Software distributed under the License is distributed on an "AS IS" basis, |
|
25 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License |
|
26 * for the specific language governing rights and limitations under the |
|
27 * License. |
|
28 * |
|
29 * The Original Code is the elliptic curve math library for binary polynomial field curves. |
|
30 * |
|
31 * The Initial Developer of the Original Code is |
|
32 * Sun Microsystems, Inc. |
|
33 * Portions created by the Initial Developer are Copyright (C) 2003 |
|
34 * the Initial Developer. All Rights Reserved. |
|
35 * |
|
36 * Contributor(s): |
|
37 * Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories |
|
38 * |
|
39 * Alternatively, the contents of this file may be used under the terms of |
|
40 * either the GNU General Public License Version 2 or later (the "GPL"), or |
|
41 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), |
|
42 * in which case the provisions of the GPL or the LGPL are applicable instead |
|
43 * of those above. If you wish to allow use of your version of this file only |
|
44 * under the terms of either the GPL or the LGPL, and not to allow others to |
|
45 * use your version of this file under the terms of the MPL, indicate your |
|
46 * decision by deleting the provisions above and replace them with the notice |
|
47 * and other provisions required by the GPL or the LGPL. If you do not delete |
|
48 * the provisions above, a recipient may use your version of this file under |
|
49 * the terms of any one of the MPL, the GPL or the LGPL. |
|
50 * |
|
51 *********************************************************************** */ |
|
52 /* |
|
53 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. |
|
54 * Use is subject to license terms. |
|
55 */ |
|
56 |
|
57 #pragma ident "%Z%%M% %I% %E% SMI" |
|
58 |
|
59 #include "ec2.h" |
|
60 #include "mplogic.h" |
|
61 #include "mp_gf2m.h" |
|
62 #ifndef _KERNEL |
|
63 #include <stdlib.h> |
|
64 #endif |
|
65 |
|
66 /* Checks if point P(px, py) is at infinity. Uses affine coordinates. */ |
|
67 mp_err |
|
68 ec_GF2m_pt_is_inf_aff(const mp_int *px, const mp_int *py) |
|
69 { |
|
70 |
|
71 if ((mp_cmp_z(px) == 0) && (mp_cmp_z(py) == 0)) { |
|
72 return MP_YES; |
|
73 } else { |
|
74 return MP_NO; |
|
75 } |
|
76 |
|
77 } |
|
78 |
|
79 /* Sets P(px, py) to be the point at infinity. Uses affine coordinates. */ |
|
80 mp_err |
|
81 ec_GF2m_pt_set_inf_aff(mp_int *px, mp_int *py) |
|
82 { |
|
83 mp_zero(px); |
|
84 mp_zero(py); |
|
85 return MP_OKAY; |
|
86 } |
|
87 |
|
88 /* Computes R = P + Q based on IEEE P1363 A.10.2. Elliptic curve points P, |
|
89 * Q, and R can all be identical. Uses affine coordinates. */ |
|
90 mp_err |
|
91 ec_GF2m_pt_add_aff(const mp_int *px, const mp_int *py, const mp_int *qx, |
|
92 const mp_int *qy, mp_int *rx, mp_int *ry, |
|
93 const ECGroup *group) |
|
94 { |
|
95 mp_err res = MP_OKAY; |
|
96 mp_int lambda, tempx, tempy; |
|
97 |
|
98 MP_DIGITS(&lambda) = 0; |
|
99 MP_DIGITS(&tempx) = 0; |
|
100 MP_DIGITS(&tempy) = 0; |
|
101 MP_CHECKOK(mp_init(&lambda, FLAG(px))); |
|
102 MP_CHECKOK(mp_init(&tempx, FLAG(px))); |
|
103 MP_CHECKOK(mp_init(&tempy, FLAG(px))); |
|
104 /* if P = inf, then R = Q */ |
|
105 if (ec_GF2m_pt_is_inf_aff(px, py) == 0) { |
|
106 MP_CHECKOK(mp_copy(qx, rx)); |
|
107 MP_CHECKOK(mp_copy(qy, ry)); |
|
108 res = MP_OKAY; |
|
109 goto CLEANUP; |
|
110 } |
|
111 /* if Q = inf, then R = P */ |
|
112 if (ec_GF2m_pt_is_inf_aff(qx, qy) == 0) { |
|
113 MP_CHECKOK(mp_copy(px, rx)); |
|
114 MP_CHECKOK(mp_copy(py, ry)); |
|
115 res = MP_OKAY; |
|
116 goto CLEANUP; |
|
117 } |
|
118 /* if px != qx, then lambda = (py+qy) / (px+qx), tempx = a + lambda^2 |
|
119 * + lambda + px + qx */ |
|
120 if (mp_cmp(px, qx) != 0) { |
|
121 MP_CHECKOK(group->meth->field_add(py, qy, &tempy, group->meth)); |
|
122 MP_CHECKOK(group->meth->field_add(px, qx, &tempx, group->meth)); |
|
123 MP_CHECKOK(group->meth-> |
|
124 field_div(&tempy, &tempx, &lambda, group->meth)); |
|
125 MP_CHECKOK(group->meth->field_sqr(&lambda, &tempx, group->meth)); |
|
126 MP_CHECKOK(group->meth-> |
|
127 field_add(&tempx, &lambda, &tempx, group->meth)); |
|
128 MP_CHECKOK(group->meth-> |
|
129 field_add(&tempx, &group->curvea, &tempx, group->meth)); |
|
130 MP_CHECKOK(group->meth-> |
|
131 field_add(&tempx, px, &tempx, group->meth)); |
|
132 MP_CHECKOK(group->meth-> |
|
133 field_add(&tempx, qx, &tempx, group->meth)); |
|
134 } else { |
|
135 /* if py != qy or qx = 0, then R = inf */ |
|
136 if (((mp_cmp(py, qy) != 0)) || (mp_cmp_z(qx) == 0)) { |
|
137 mp_zero(rx); |
|
138 mp_zero(ry); |
|
139 res = MP_OKAY; |
|
140 goto CLEANUP; |
|
141 } |
|
142 /* lambda = qx + qy / qx */ |
|
143 MP_CHECKOK(group->meth->field_div(qy, qx, &lambda, group->meth)); |
|
144 MP_CHECKOK(group->meth-> |
|
145 field_add(&lambda, qx, &lambda, group->meth)); |
|
146 /* tempx = a + lambda^2 + lambda */ |
|
147 MP_CHECKOK(group->meth->field_sqr(&lambda, &tempx, group->meth)); |
|
148 MP_CHECKOK(group->meth-> |
|
149 field_add(&tempx, &lambda, &tempx, group->meth)); |
|
150 MP_CHECKOK(group->meth-> |
|
151 field_add(&tempx, &group->curvea, &tempx, group->meth)); |
|
152 } |
|
153 /* ry = (qx + tempx) * lambda + tempx + qy */ |
|
154 MP_CHECKOK(group->meth->field_add(qx, &tempx, &tempy, group->meth)); |
|
155 MP_CHECKOK(group->meth-> |
|
156 field_mul(&tempy, &lambda, &tempy, group->meth)); |
|
157 MP_CHECKOK(group->meth-> |
|
158 field_add(&tempy, &tempx, &tempy, group->meth)); |
|
159 MP_CHECKOK(group->meth->field_add(&tempy, qy, ry, group->meth)); |
|
160 /* rx = tempx */ |
|
161 MP_CHECKOK(mp_copy(&tempx, rx)); |
|
162 |
|
163 CLEANUP: |
|
164 mp_clear(&lambda); |
|
165 mp_clear(&tempx); |
|
166 mp_clear(&tempy); |
|
167 return res; |
|
168 } |
|
169 |
|
170 /* Computes R = P - Q. Elliptic curve points P, Q, and R can all be |
|
171 * identical. Uses affine coordinates. */ |
|
172 mp_err |
|
173 ec_GF2m_pt_sub_aff(const mp_int *px, const mp_int *py, const mp_int *qx, |
|
174 const mp_int *qy, mp_int *rx, mp_int *ry, |
|
175 const ECGroup *group) |
|
176 { |
|
177 mp_err res = MP_OKAY; |
|
178 mp_int nqy; |
|
179 |
|
180 MP_DIGITS(&nqy) = 0; |
|
181 MP_CHECKOK(mp_init(&nqy, FLAG(px))); |
|
182 /* nqy = qx+qy */ |
|
183 MP_CHECKOK(group->meth->field_add(qx, qy, &nqy, group->meth)); |
|
184 MP_CHECKOK(group->point_add(px, py, qx, &nqy, rx, ry, group)); |
|
185 CLEANUP: |
|
186 mp_clear(&nqy); |
|
187 return res; |
|
188 } |
|
189 |
|
190 /* Computes R = 2P. Elliptic curve points P and R can be identical. Uses |
|
191 * affine coordinates. */ |
|
192 mp_err |
|
193 ec_GF2m_pt_dbl_aff(const mp_int *px, const mp_int *py, mp_int *rx, |
|
194 mp_int *ry, const ECGroup *group) |
|
195 { |
|
196 return group->point_add(px, py, px, py, rx, ry, group); |
|
197 } |
|
198 |
|
199 /* by default, this routine is unused and thus doesn't need to be compiled */ |
|
200 #ifdef ECL_ENABLE_GF2M_PT_MUL_AFF |
|
201 /* Computes R = nP based on IEEE P1363 A.10.3. Elliptic curve points P and |
|
202 * R can be identical. Uses affine coordinates. */ |
|
203 mp_err |
|
204 ec_GF2m_pt_mul_aff(const mp_int *n, const mp_int *px, const mp_int *py, |
|
205 mp_int *rx, mp_int *ry, const ECGroup *group) |
|
206 { |
|
207 mp_err res = MP_OKAY; |
|
208 mp_int k, k3, qx, qy, sx, sy; |
|
209 int b1, b3, i, l; |
|
210 |
|
211 MP_DIGITS(&k) = 0; |
|
212 MP_DIGITS(&k3) = 0; |
|
213 MP_DIGITS(&qx) = 0; |
|
214 MP_DIGITS(&qy) = 0; |
|
215 MP_DIGITS(&sx) = 0; |
|
216 MP_DIGITS(&sy) = 0; |
|
217 MP_CHECKOK(mp_init(&k)); |
|
218 MP_CHECKOK(mp_init(&k3)); |
|
219 MP_CHECKOK(mp_init(&qx)); |
|
220 MP_CHECKOK(mp_init(&qy)); |
|
221 MP_CHECKOK(mp_init(&sx)); |
|
222 MP_CHECKOK(mp_init(&sy)); |
|
223 |
|
224 /* if n = 0 then r = inf */ |
|
225 if (mp_cmp_z(n) == 0) { |
|
226 mp_zero(rx); |
|
227 mp_zero(ry); |
|
228 res = MP_OKAY; |
|
229 goto CLEANUP; |
|
230 } |
|
231 /* Q = P, k = n */ |
|
232 MP_CHECKOK(mp_copy(px, &qx)); |
|
233 MP_CHECKOK(mp_copy(py, &qy)); |
|
234 MP_CHECKOK(mp_copy(n, &k)); |
|
235 /* if n < 0 then Q = -Q, k = -k */ |
|
236 if (mp_cmp_z(n) < 0) { |
|
237 MP_CHECKOK(group->meth->field_add(&qx, &qy, &qy, group->meth)); |
|
238 MP_CHECKOK(mp_neg(&k, &k)); |
|
239 } |
|
240 #ifdef ECL_DEBUG /* basic double and add method */ |
|
241 l = mpl_significant_bits(&k) - 1; |
|
242 MP_CHECKOK(mp_copy(&qx, &sx)); |
|
243 MP_CHECKOK(mp_copy(&qy, &sy)); |
|
244 for (i = l - 1; i >= 0; i--) { |
|
245 /* S = 2S */ |
|
246 MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group)); |
|
247 /* if k_i = 1, then S = S + Q */ |
|
248 if (mpl_get_bit(&k, i) != 0) { |
|
249 MP_CHECKOK(group-> |
|
250 point_add(&sx, &sy, &qx, &qy, &sx, &sy, group)); |
|
251 } |
|
252 } |
|
253 #else /* double and add/subtract method from |
|
254 * standard */ |
|
255 /* k3 = 3 * k */ |
|
256 MP_CHECKOK(mp_set_int(&k3, 3)); |
|
257 MP_CHECKOK(mp_mul(&k, &k3, &k3)); |
|
258 /* S = Q */ |
|
259 MP_CHECKOK(mp_copy(&qx, &sx)); |
|
260 MP_CHECKOK(mp_copy(&qy, &sy)); |
|
261 /* l = index of high order bit in binary representation of 3*k */ |
|
262 l = mpl_significant_bits(&k3) - 1; |
|
263 /* for i = l-1 downto 1 */ |
|
264 for (i = l - 1; i >= 1; i--) { |
|
265 /* S = 2S */ |
|
266 MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group)); |
|
267 b3 = MP_GET_BIT(&k3, i); |
|
268 b1 = MP_GET_BIT(&k, i); |
|
269 /* if k3_i = 1 and k_i = 0, then S = S + Q */ |
|
270 if ((b3 == 1) && (b1 == 0)) { |
|
271 MP_CHECKOK(group-> |
|
272 point_add(&sx, &sy, &qx, &qy, &sx, &sy, group)); |
|
273 /* if k3_i = 0 and k_i = 1, then S = S - Q */ |
|
274 } else if ((b3 == 0) && (b1 == 1)) { |
|
275 MP_CHECKOK(group-> |
|
276 point_sub(&sx, &sy, &qx, &qy, &sx, &sy, group)); |
|
277 } |
|
278 } |
|
279 #endif |
|
280 /* output S */ |
|
281 MP_CHECKOK(mp_copy(&sx, rx)); |
|
282 MP_CHECKOK(mp_copy(&sy, ry)); |
|
283 |
|
284 CLEANUP: |
|
285 mp_clear(&k); |
|
286 mp_clear(&k3); |
|
287 mp_clear(&qx); |
|
288 mp_clear(&qy); |
|
289 mp_clear(&sx); |
|
290 mp_clear(&sy); |
|
291 return res; |
|
292 } |
|
293 #endif |
|
294 |
|
295 /* Validates a point on a GF2m curve. */ |
|
296 mp_err |
|
297 ec_GF2m_validate_point(const mp_int *px, const mp_int *py, const ECGroup *group) |
|
298 { |
|
299 mp_err res = MP_NO; |
|
300 mp_int accl, accr, tmp, pxt, pyt; |
|
301 |
|
302 MP_DIGITS(&accl) = 0; |
|
303 MP_DIGITS(&accr) = 0; |
|
304 MP_DIGITS(&tmp) = 0; |
|
305 MP_DIGITS(&pxt) = 0; |
|
306 MP_DIGITS(&pyt) = 0; |
|
307 MP_CHECKOK(mp_init(&accl, FLAG(px))); |
|
308 MP_CHECKOK(mp_init(&accr, FLAG(px))); |
|
309 MP_CHECKOK(mp_init(&tmp, FLAG(px))); |
|
310 MP_CHECKOK(mp_init(&pxt, FLAG(px))); |
|
311 MP_CHECKOK(mp_init(&pyt, FLAG(px))); |
|
312 |
|
313 /* 1: Verify that publicValue is not the point at infinity */ |
|
314 if (ec_GF2m_pt_is_inf_aff(px, py) == MP_YES) { |
|
315 res = MP_NO; |
|
316 goto CLEANUP; |
|
317 } |
|
318 /* 2: Verify that the coordinates of publicValue are elements |
|
319 * of the field. |
|
320 */ |
|
321 if ((MP_SIGN(px) == MP_NEG) || (mp_cmp(px, &group->meth->irr) >= 0) || |
|
322 (MP_SIGN(py) == MP_NEG) || (mp_cmp(py, &group->meth->irr) >= 0)) { |
|
323 res = MP_NO; |
|
324 goto CLEANUP; |
|
325 } |
|
326 /* 3: Verify that publicValue is on the curve. */ |
|
327 if (group->meth->field_enc) { |
|
328 group->meth->field_enc(px, &pxt, group->meth); |
|
329 group->meth->field_enc(py, &pyt, group->meth); |
|
330 } else { |
|
331 mp_copy(px, &pxt); |
|
332 mp_copy(py, &pyt); |
|
333 } |
|
334 /* left-hand side: y^2 + x*y */ |
|
335 MP_CHECKOK( group->meth->field_sqr(&pyt, &accl, group->meth) ); |
|
336 MP_CHECKOK( group->meth->field_mul(&pxt, &pyt, &tmp, group->meth) ); |
|
337 MP_CHECKOK( group->meth->field_add(&accl, &tmp, &accl, group->meth) ); |
|
338 /* right-hand side: x^3 + a*x^2 + b */ |
|
339 MP_CHECKOK( group->meth->field_sqr(&pxt, &tmp, group->meth) ); |
|
340 MP_CHECKOK( group->meth->field_mul(&pxt, &tmp, &accr, group->meth) ); |
|
341 MP_CHECKOK( group->meth->field_mul(&group->curvea, &tmp, &tmp, group->meth) ); |
|
342 MP_CHECKOK( group->meth->field_add(&tmp, &accr, &accr, group->meth) ); |
|
343 MP_CHECKOK( group->meth->field_add(&accr, &group->curveb, &accr, group->meth) ); |
|
344 /* check LHS - RHS == 0 */ |
|
345 MP_CHECKOK( group->meth->field_add(&accl, &accr, &accr, group->meth) ); |
|
346 if (mp_cmp_z(&accr) != 0) { |
|
347 res = MP_NO; |
|
348 goto CLEANUP; |
|
349 } |
|
350 /* 4: Verify that the order of the curve times the publicValue |
|
351 * is the point at infinity. |
|
352 */ |
|
353 MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt) ); |
|
354 if (ec_GF2m_pt_is_inf_aff(&pxt, &pyt) != MP_YES) { |
|
355 res = MP_NO; |
|
356 goto CLEANUP; |
|
357 } |
|
358 |
|
359 res = MP_YES; |
|
360 |
|
361 CLEANUP: |
|
362 mp_clear(&accl); |
|
363 mp_clear(&accr); |
|
364 mp_clear(&tmp); |
|
365 mp_clear(&pxt); |
|
366 mp_clear(&pyt); |
|
367 return res; |
|
368 } |