2 * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
5 * Licensed under the OpenSSL license (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
11 #include <openssl/err.h>
13 #include "internal/bn_int.h"
16 #ifndef OPENSSL_NO_EC2M
19 * Compute the x-coordinate x/z for the point 2*(x/z) in Montgomery projective
21 * Uses algorithm Mdouble in appendix of
22 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
23 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
24 * modified to not require precomputation of c=b^{2^{m-1}}.
26 static int gf2m_Mdouble(const EC_GROUP *group, BIGNUM *x, BIGNUM *z,
32 /* Since Mdouble is static we can guarantee that ctx != NULL. */
38 if (!group->meth->field_sqr(group, x, x, ctx))
40 if (!group->meth->field_sqr(group, t1, z, ctx))
42 if (!group->meth->field_mul(group, z, x, t1, ctx))
44 if (!group->meth->field_sqr(group, x, x, ctx))
46 if (!group->meth->field_sqr(group, t1, t1, ctx))
48 if (!group->meth->field_mul(group, t1, group->b, t1, ctx))
50 if (!BN_GF2m_add(x, x, t1))
61 * Compute the x-coordinate x1/z1 for the point (x1/z1)+(x2/x2) in Montgomery
62 * projective coordinates.
63 * Uses algorithm Madd in appendix of
64 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
65 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
67 static int gf2m_Madd(const EC_GROUP *group, const BIGNUM *x, BIGNUM *x1,
68 BIGNUM *z1, const BIGNUM *x2, const BIGNUM *z2,
74 /* Since Madd is static we can guarantee that ctx != NULL. */
83 if (!group->meth->field_mul(group, x1, x1, z2, ctx))
85 if (!group->meth->field_mul(group, z1, z1, x2, ctx))
87 if (!group->meth->field_mul(group, t2, x1, z1, ctx))
89 if (!BN_GF2m_add(z1, z1, x1))
91 if (!group->meth->field_sqr(group, z1, z1, ctx))
93 if (!group->meth->field_mul(group, x1, z1, t1, ctx))
95 if (!BN_GF2m_add(x1, x1, t2))
106 * Compute the x, y affine coordinates from the point (x1, z1) (x2, z2)
107 * using Montgomery point multiplication algorithm Mxy() in appendix of
108 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
109 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
112 * 1 if return value should be the point at infinity
115 static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y,
116 BIGNUM *x1, BIGNUM *z1, BIGNUM *x2, BIGNUM *z2,
119 BIGNUM *t3, *t4, *t5;
122 if (BN_is_zero(z1)) {
128 if (BN_is_zero(z2)) {
131 if (!BN_GF2m_add(z2, x, y))
136 /* Since Mxy is static we can guarantee that ctx != NULL. */
138 t3 = BN_CTX_get(ctx);
139 t4 = BN_CTX_get(ctx);
140 t5 = BN_CTX_get(ctx);
147 if (!group->meth->field_mul(group, t3, z1, z2, ctx))
150 if (!group->meth->field_mul(group, z1, z1, x, ctx))
152 if (!BN_GF2m_add(z1, z1, x1))
154 if (!group->meth->field_mul(group, z2, z2, x, ctx))
156 if (!group->meth->field_mul(group, x1, z2, x1, ctx))
158 if (!BN_GF2m_add(z2, z2, x2))
161 if (!group->meth->field_mul(group, z2, z2, z1, ctx))
163 if (!group->meth->field_sqr(group, t4, x, ctx))
165 if (!BN_GF2m_add(t4, t4, y))
167 if (!group->meth->field_mul(group, t4, t4, t3, ctx))
169 if (!BN_GF2m_add(t4, t4, z2))
172 if (!group->meth->field_mul(group, t3, t3, x, ctx))
174 if (!group->meth->field_div(group, t3, t5, t3, ctx))
176 if (!group->meth->field_mul(group, t4, t3, t4, ctx))
178 if (!group->meth->field_mul(group, x2, x1, t3, ctx))
180 if (!BN_GF2m_add(z2, x2, x))
183 if (!group->meth->field_mul(group, z2, z2, t4, ctx))
185 if (!BN_GF2m_add(z2, z2, y))
196 * Computes scalar*point and stores the result in r.
197 * point can not equal r.
198 * Uses a modified algorithm 2P of
199 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
200 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
202 * To protect against side-channel attack the function uses constant time swap,
203 * avoiding conditional branches.
205 static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group,
207 const BIGNUM *scalar,
208 const EC_POINT *point,
211 BIGNUM *x1, *x2, *z1, *z2;
212 int ret = 0, i, group_top;
216 ECerr(EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY, EC_R_INVALID_ARGUMENT);
220 /* if result should be point at infinity */
221 if ((scalar == NULL) || BN_is_zero(scalar) || (point == NULL) ||
222 EC_POINT_is_at_infinity(group, point)) {
223 return EC_POINT_set_to_infinity(group, r);
226 /* only support affine coordinates */
227 if (!point->Z_is_one)
231 * Since point_multiply is static we can guarantee that ctx != NULL.
234 x1 = BN_CTX_get(ctx);
235 z1 = BN_CTX_get(ctx);
242 group_top = bn_get_top(group->field);
243 if (bn_wexpand(x1, group_top) == NULL
244 || bn_wexpand(z1, group_top) == NULL
245 || bn_wexpand(x2, group_top) == NULL
246 || bn_wexpand(z2, group_top) == NULL)
249 if (!BN_GF2m_mod_arr(x1, point->X, group->poly))
250 goto err; /* x1 = x */
252 goto err; /* z1 = 1 */
253 if (!group->meth->field_sqr(group, z2, x1, ctx))
254 goto err; /* z2 = x1^2 = x^2 */
255 if (!group->meth->field_sqr(group, x2, z2, ctx))
257 if (!BN_GF2m_add(x2, x2, group->b))
258 goto err; /* x2 = x^4 + b */
260 /* find top most bit and go one past it */
261 i = bn_get_top(scalar) - 1;
263 word = bn_get_words(scalar)[i];
264 while (!(word & mask))
267 /* if top most bit was at word break, go to next word */
273 for (; i >= 0; i--) {
274 word = bn_get_words(scalar)[i];
276 BN_consttime_swap(word & mask, x1, x2, group_top);
277 BN_consttime_swap(word & mask, z1, z2, group_top);
278 if (!gf2m_Madd(group, point->X, x2, z2, x1, z1, ctx))
280 if (!gf2m_Mdouble(group, x1, z1, ctx))
282 BN_consttime_swap(word & mask, x1, x2, group_top);
283 BN_consttime_swap(word & mask, z1, z2, group_top);
289 /* convert out of "projective" coordinates */
290 i = gf2m_Mxy(group, point->X, point->Y, x1, z1, x2, z2, ctx);
294 if (!EC_POINT_set_to_infinity(group, r))
302 /* GF(2^m) field elements should always have BIGNUM::neg = 0 */
303 BN_set_negative(r->X, 0);
304 BN_set_negative(r->Y, 0);
315 * scalar*group->generator + scalars[0]*points[0] + ... + scalars[num-1]*points[num-1]
316 * gracefully ignoring NULL scalar values.
318 int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r,
319 const BIGNUM *scalar, size_t num,
320 const EC_POINT *points[], const BIGNUM *scalars[],
323 BN_CTX *new_ctx = NULL;
327 EC_POINT *acc = NULL;
330 ctx = new_ctx = BN_CTX_new();
336 * This implementation is more efficient than the wNAF implementation for
337 * 2 or fewer points. Use the ec_wNAF_mul implementation for 3 or more
338 * points, or if we can perform a fast multiplication based on
341 if ((scalar && (num > 1)) || (num > 2)
342 || (num == 0 && EC_GROUP_have_precompute_mult(group))) {
343 ret = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
347 if ((p = EC_POINT_new(group)) == NULL)
349 if ((acc = EC_POINT_new(group)) == NULL)
352 if (!EC_POINT_set_to_infinity(group, acc))
356 if (!ec_GF2m_montgomery_point_multiply
357 (group, p, scalar, group->generator, ctx))
359 if (BN_is_negative(scalar))
360 if (!group->meth->invert(group, p, ctx))
362 if (!group->meth->add(group, acc, acc, p, ctx))
366 for (i = 0; i < num; i++) {
367 if (!ec_GF2m_montgomery_point_multiply
368 (group, p, scalars[i], points[i], ctx))
370 if (BN_is_negative(scalars[i]))
371 if (!group->meth->invert(group, p, ctx))
373 if (!group->meth->add(group, acc, acc, p, ctx))
377 if (!EC_POINT_copy(r, acc))
385 BN_CTX_free(new_ctx);
390 * Precomputation for point multiplication: fall back to wNAF methods because
391 * ec_GF2m_simple_mul() uses ec_wNAF_mul() if appropriate
394 int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
396 return ec_wNAF_precompute_mult(group, ctx);
399 int ec_GF2m_have_precompute_mult(const EC_GROUP *group)
401 return ec_wNAF_have_precompute_mult(group);