1 /* crypto/ec/ecp_smpl.c */
2 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
3 * for the OpenSSL project. */
4 /* ====================================================================
5 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
19 * 3. All advertising materials mentioning features or use of this
20 * software must display the following acknowledgment:
21 * "This product includes software developed by the OpenSSL Project
22 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25 * endorse or promote products derived from this software without
26 * prior written permission. For written permission, please contact
27 * openssl-core@openssl.org.
29 * 5. Products derived from this software may not be called "OpenSSL"
30 * nor may "OpenSSL" appear in their names without prior written
31 * permission of the OpenSSL Project.
33 * 6. Redistributions of any form whatsoever must retain the following
35 * "This product includes software developed by the OpenSSL Project
36 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49 * OF THE POSSIBILITY OF SUCH DAMAGE.
50 * ====================================================================
52 * This product includes cryptographic software written by Eric Young
53 * (eay@cryptsoft.com). This product includes software written by Tim
54 * Hudson (tjh@cryptsoft.com).
58 #include <openssl/err.h>
63 const EC_METHOD *EC_GFp_simple_method(void)
65 static const EC_METHOD ret = {
66 ec_GFp_simple_group_init,
67 ec_GFp_simple_group_set_curve_GFp,
68 ec_GFp_simple_group_finish,
69 ec_GFp_simple_group_clear_finish,
70 ec_GFp_simple_group_copy,
71 ec_GFp_simple_group_set_generator,
72 /* TODO: 'set' and 'get' functions for EC_GROUPs */
73 ec_GFp_simple_point_init,
74 ec_GFp_simple_point_finish,
75 ec_GFp_simple_point_clear_finish,
76 ec_GFp_simple_point_copy,
77 ec_GFp_simple_point_set_to_infinity,
78 ec_GFp_simple_point_set_affine_coordinates_GFp,
79 ec_GFp_simple_point_get_affine_coordinates_GFp,
80 /* TODO: other 'set' and 'get' functions for EC_POINTs */
81 ec_GFp_simple_point2oct,
82 ec_GFp_simple_oct2point,
85 ec_GFp_simple_is_at_infinity,
86 ec_GFp_simple_is_on_curve,
87 ec_GFp_simple_make_affine,
88 ec_GFp_simple_field_mul,
89 ec_GFp_simple_field_sqr,
91 0 /* field_decode */ };
97 int ec_GFp_simple_group_init(EC_GROUP *group)
99 BN_init(&group->field);
102 group->a_is_minus3 = 0;
103 group->generator = NULL;
104 BN_init(&group->order);
105 BN_init(&group->cofactor);
110 int ec_GFp_simple_group_set_curve_GFp(EC_GROUP *group,
111 const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
114 BN_CTX *new_ctx = NULL;
119 ctx = new_ctx = BN_CTX_new();
125 tmp_a = BN_CTX_get(ctx);
126 if (tmp_a == NULL) goto err;
129 if (!BN_copy(&group->field, p)) goto err;
130 group->field.neg = 0;
133 if (!BN_nnmod(tmp_a, a, p, ctx)) goto err;
134 if (group->meth->field_encode)
135 { if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) goto err; }
137 if (!BN_copy(&group->a, tmp_a)) goto err;
140 if (!BN_nnmod(&group->b, b, p, ctx)) goto err;
141 if (group->meth->field_encode)
142 if (!group->meth->field_encode(group, &group->b, &group->b, ctx)) goto err;
144 /* group->a_is_minus3 */
145 if (!BN_add_word(tmp_a, 3)) goto err;
146 group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
153 BN_CTX_free(new_ctx);
158 void ec_GFp_simple_group_finish(EC_GROUP *group)
160 BN_free(&group->field);
163 if (group->generator != NULL)
164 EC_POINT_free(group->generator);
165 BN_free(&group->order);
166 BN_free(&group->cofactor);
170 void ec_GFp_simple_group_clear_finish(EC_GROUP *group)
172 BN_clear_free(&group->field);
173 BN_clear_free(&group->a);
174 BN_clear_free(&group->b);
175 if (group->generator != NULL)
177 EC_POINT_clear_free(group->generator);
178 group->generator = NULL;
180 BN_clear_free(&group->order);
181 BN_clear_free(&group->cofactor);
185 int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
187 if (!BN_copy(&dest->field, &src->field)) return 0;
188 if (!BN_copy(&dest->a, &src->a)) return 0;
189 if (!BN_copy(&dest->b, &src->b)) return 0;
191 dest->a_is_minus3 = src->a_is_minus3;
193 if (src->generator != NULL)
195 if (dest->generator == NULL)
197 dest->generator = EC_POINT_new(dest);
198 if (dest->generator == NULL) return 0;
200 if (!EC_POINT_copy(dest->generator, src->generator)) return 0;
204 /* src->generator == NULL */
205 if (dest->generator != NULL)
207 EC_POINT_clear_free(dest->generator);
208 dest->generator = NULL;
212 if (!BN_copy(&dest->order, &src->order)) return 0;
213 if (!BN_copy(&dest->cofactor, &src->cofactor)) return 0;
219 int ec_GFp_simple_group_set_generator(EC_GROUP *group, const EC_POINT *generator,
220 const BIGNUM *order, const BIGNUM *cofactor)
224 ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR, ERR_R_PASSED_NULL_PARAMETER);
228 if (group->generator == NULL)
230 group->generator = EC_POINT_new(group);
231 if (group->generator == NULL) return 0;
233 if (!EC_POINT_copy(group->generator, generator)) return 0;
236 { if (!BN_copy(&group->order, order)) return 0; }
238 { if (!BN_zero(&group->order)) return 0; }
240 if (cofactor != NULL)
241 { if (!BN_copy(&group->cofactor, cofactor)) return 0; }
243 { if (!BN_zero(&group->cofactor)) return 0; }
249 /* TODO: 'set' and 'get' functions for EC_GROUPs */
252 int ec_GFp_simple_point_init(EC_POINT *point)
263 void ec_GFp_simple_point_finish(EC_POINT *point)
271 void ec_GFp_simple_point_clear_finish(EC_POINT *point)
273 BN_clear_free(&point->X);
274 BN_clear_free(&point->Y);
275 BN_clear_free(&point->Z);
280 int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
282 if (!BN_copy(&dest->X, &src->X)) return 0;
283 if (!BN_copy(&dest->Y, &src->Y)) return 0;
284 if (!BN_copy(&dest->Z, &src->Z)) return 0;
285 dest->Z_is_one = src->Z_is_one;
291 int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
294 return (BN_zero(&point->Z));
298 int ec_GFp_simple_point_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
299 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
301 BN_CTX *new_ctx = NULL;
304 if (!BN_copy(&point->X, x)) goto err;
305 if (!BN_copy(&point->Y, y)) goto err;
306 if (!BN_one(&point->Z)) goto err;
308 if (group->meth->field_encode)
312 ctx = new_ctx = BN_CTX_new();
317 if (!group->meth->field_encode(group, &point->X, &point->X, ctx)) goto err;
318 if (!group->meth->field_encode(group, &point->Y, &point->Y, ctx)) goto err;
319 if (!group->meth->field_encode(group, &point->Z, &point->Z, ctx)) goto err;
326 BN_CTX_free(new_ctx);
331 int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
332 BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
334 BN_CTX *new_ctx = NULL;
335 BIGNUM *X, *Y, *Z, *Z_1, *Z_2, *Z_3;
336 const BIGNUM *X_, *Y_, *Z_;
339 if (EC_POINT_is_at_infinity(group, point))
341 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP, EC_R_POINT_AT_INFINITY);
347 ctx = new_ctx = BN_CTX_new();
356 Z_1 = BN_CTX_get(ctx);
357 Z_2 = BN_CTX_get(ctx);
358 Z_3 = BN_CTX_get(ctx);
359 if (Z_3 == NULL) goto err;
361 /* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */
363 if (group->meth->field_decode)
365 if (!group->meth->field_decode(group, X, &point->X, ctx)) goto err;
366 if (!group->meth->field_decode(group, Y, &point->Y, ctx)) goto err;
367 if (!group->meth->field_decode(group, Z, &point->Z, ctx)) goto err;
368 X_ = X; Y_ = Y; Z_ = Z;
379 if (!BN_copy(x, X_)) goto err;
380 if (!BN_copy(y, Y_)) goto err;
384 if (!BN_mod_inverse(Z_1, Z_, &group->field, ctx))
386 ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP, ERR_R_BN_LIB);
389 if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx)) goto err;
390 if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx)) goto err;
392 if (!BN_mod_mul(x, X_, Z_2, &group->field, ctx)) goto err;
393 if (!BN_mod_mul(y, Y_, Z_3, &group->field, ctx)) goto err;
401 BN_CTX_free(new_ctx);
406 /* TODO: other 'set' and 'get' functions for EC_POINTs */
409 size_t ec_GFp_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form,
410 unsigned char *buf, size_t len, BN_CTX *ctx)
413 BN_CTX *new_ctx = NULL;
416 size_t field_len, i, skip;
418 if ((form != POINT_CONVERSION_COMPRESSED)
419 && (form != POINT_CONVERSION_UNCOMPRESSED)
420 && (form != POINT_CONVERSION_HYBRID))
422 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_INVALID_FORM);
426 if (EC_POINT_is_at_infinity(group, point))
428 /* encodes to a single 0 octet */
433 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
442 /* ret := required output buffer length */
443 field_len = BN_num_bytes(&group->field);
444 ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
446 /* if 'buf' is NULL, just return required length */
451 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
457 ctx = new_ctx = BN_CTX_new();
466 if (y == NULL) goto err;
468 if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
470 if ((form == POINT_CONVERSION_COMPRESSED || form == POINT_CONVERSION_HYBRID) && BN_is_bit_set(y, 0))
477 skip = field_len - BN_num_bytes(x);
478 if (skip > field_len)
480 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
488 skip = BN_bn2bin(x, buf + i);
490 if (i != 1 + field_len)
492 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
496 if (form == POINT_CONVERSION_UNCOMPRESSED || form == POINT_CONVERSION_HYBRID)
498 skip = field_len - BN_num_bytes(y);
499 if (skip > field_len)
501 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
509 skip = BN_bn2bin(y, buf + i);
515 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
523 BN_CTX_free(new_ctx);
530 BN_CTX_free(new_ctx);
535 int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
536 const unsigned char *buf, size_t len, BN_CTX *ctx)
538 point_conversion_form_t form;
540 BN_CTX *new_ctx = NULL;
542 size_t field_len, enc_len;
547 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_BUFFER_TOO_SMALL);
553 if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED)
554 && (form != POINT_CONVERSION_UNCOMPRESSED)
555 && (form != POINT_CONVERSION_HYBRID))
557 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
560 if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit)
562 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
570 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
574 return EC_POINT_set_to_infinity(group, point);
577 field_len = BN_num_bytes(&group->field);
578 enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
582 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
588 ctx = new_ctx = BN_CTX_new();
596 if (y == NULL) goto err;
598 if (!BN_bin2bn(buf + 1, field_len, x)) goto err;
599 if (BN_ucmp(x, &group->field) >= 0)
601 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
605 if (form != POINT_CONVERSION_COMPRESSED)
607 if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) goto err;
608 if (BN_ucmp(y, &group->field) >= 0)
610 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
613 if (form == POINT_CONVERSION_HYBRID)
615 if (y_bit != BN_is_bit_set(y, 0))
617 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
623 if (form == POINT_CONVERSION_COMPRESSED)
625 /* Recover y. We have a Weierstrass equation
626 * y^2 = x^3 + a*x + b,
627 * so y is one of the square roots of x^3 + a*x + b.
632 tmp1 = BN_CTX_get(ctx);
633 tmp2 = BN_CTX_get(ctx);
634 if (tmp2 == NULL) goto err;
637 if (!BN_mod_sqr(tmp2, x, &group->field, ctx)) goto err;
638 if (!BN_mod_mul(tmp1, tmp2, x, &group->field, ctx)) goto err;
640 /* tmp1 := tmp1 + a*x */
641 if (group->a_is_minus3)
643 if (!BN_mod_lshift1_quick(tmp2, x, &group->field)) goto err;
644 if (!BN_mod_add_quick(tmp2, tmp2, x, &group->field)) goto err;
645 if (!BN_mod_sub_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
649 if (!BN_mod_mul(tmp2, &group->a, x, &group->field, ctx)) goto err;
650 if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
653 /* tmp1 := tmp1 + b */
654 if (!BN_mod_add_quick(tmp1, tmp1, &group->b, &group->field)) goto err;
656 if (!BN_mod_sqrt(y, tmp1, &group->field, ctx))
658 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, ERR_R_BN_LIB);
662 if (y_bit != BN_is_bit_set(y, 0))
664 if (!BN_usub(y, &group->field, y)) goto err;
666 if (y_bit != BN_is_bit_set(y, 0))
668 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, ERR_R_INTERNAL_ERROR);
673 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
675 if (!EC_POINT_is_on_curve(group, point, ctx)) /* test required by X9.62 */
677 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
686 BN_CTX_free(new_ctx);
691 int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
693 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
694 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
696 BN_CTX *new_ctx = NULL;
697 BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
701 return EC_POINT_dbl(group, r, a, ctx);
702 if (EC_POINT_is_at_infinity(group, a))
703 return EC_POINT_copy(r, b);
704 if (EC_POINT_is_at_infinity(group, b))
705 return EC_POINT_copy(r, a);
707 field_mul = group->meth->field_mul;
708 field_sqr = group->meth->field_sqr;
713 ctx = new_ctx = BN_CTX_new();
719 n0 = BN_CTX_get(ctx);
720 n1 = BN_CTX_get(ctx);
721 n2 = BN_CTX_get(ctx);
722 n3 = BN_CTX_get(ctx);
723 n4 = BN_CTX_get(ctx);
724 n5 = BN_CTX_get(ctx);
725 n6 = BN_CTX_get(ctx);
726 if (n6 == NULL) goto end;
731 if (!BN_copy(n1, &a->X)) goto end;
732 if (!BN_copy(n2, &a->Y)) goto end;
738 if (!field_sqr(group, n0, &b->Z, ctx)) goto end;
739 if (!field_mul(group, n1, &a->X, n0, ctx)) goto end;
740 /* n1 = X_a * Z_b^2 */
742 if (!field_mul(group, n0, n0, &b->Z, ctx)) goto end;
743 if (!field_mul(group, n2, &a->Y, n0, ctx)) goto end;
744 /* n2 = Y_a * Z_b^3 */
750 if (!BN_copy(n3, &b->X)) goto end;
751 if (!BN_copy(n4, &b->Y)) goto end;
757 if (!field_sqr(group, n0, &a->Z, ctx)) goto end;
758 if (!field_mul(group, n3, &b->X, n0, ctx)) goto end;
759 /* n3 = X_b * Z_a^2 */
761 if (!field_mul(group, n0, n0, &a->Z, ctx)) goto end;
762 if (!field_mul(group, n4, &b->Y, n0, ctx)) goto end;
763 /* n4 = Y_b * Z_a^3 */
767 if (!BN_mod_sub_quick(n5, n1, n3, p)) goto end;
768 if (!BN_mod_sub_quick(n6, n2, n4, p)) goto end;
776 /* a is the same point as b */
778 ret = EC_POINT_dbl(group, r, a, ctx);
784 /* a is the inverse of b */
785 if (!BN_zero(&r->Z)) goto end;
793 if (!BN_mod_add_quick(n1, n1, n3, p)) goto end;
794 if (!BN_mod_add_quick(n2, n2, n4, p)) goto end;
799 if (a->Z_is_one && b->Z_is_one)
801 if (!BN_copy(&r->Z, n5)) goto end;
806 { if (!BN_copy(n0, &b->Z)) goto end; }
807 else if (b->Z_is_one)
808 { if (!BN_copy(n0, &a->Z)) goto end; }
810 { if (!field_mul(group, n0, &a->Z, &b->Z, ctx)) goto end; }
811 if (!field_mul(group, &r->Z, n0, n5, ctx)) goto end;
814 /* Z_r = Z_a * Z_b * n5 */
817 if (!field_sqr(group, n0, n6, ctx)) goto end;
818 if (!field_sqr(group, n4, n5, ctx)) goto end;
819 if (!field_mul(group, n3, n1, n4, ctx)) goto end;
820 if (!BN_mod_sub_quick(&r->X, n0, n3, p)) goto end;
821 /* X_r = n6^2 - n5^2 * 'n7' */
824 if (!BN_mod_lshift1_quick(n0, &r->X, p)) goto end;
825 if (!BN_mod_sub_quick(n0, n3, n0, p)) goto end;
826 /* n9 = n5^2 * 'n7' - 2 * X_r */
829 if (!field_mul(group, n0, n0, n6, ctx)) goto end;
830 if (!field_mul(group, n5, n4, n5, ctx)) goto end; /* now n5 is n5^3 */
831 if (!field_mul(group, n1, n2, n5, ctx)) goto end;
832 if (!BN_mod_sub_quick(n0, n0, n1, p)) goto end;
834 if (!BN_add(n0, n0, p)) goto end;
835 /* now 0 <= n0 < 2*p, and n0 is even */
836 if (!BN_rshift1(&r->Y, n0)) goto end;
837 /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
842 if (ctx) /* otherwise we already called BN_CTX_end */
845 BN_CTX_free(new_ctx);
850 int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
852 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
853 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
855 BN_CTX *new_ctx = NULL;
856 BIGNUM *n0, *n1, *n2, *n3;
859 if (EC_POINT_is_at_infinity(group, a))
861 if (!BN_zero(&r->Z)) return 0;
866 field_mul = group->meth->field_mul;
867 field_sqr = group->meth->field_sqr;
872 ctx = new_ctx = BN_CTX_new();
878 n0 = BN_CTX_get(ctx);
879 n1 = BN_CTX_get(ctx);
880 n2 = BN_CTX_get(ctx);
881 n3 = BN_CTX_get(ctx);
882 if (n3 == NULL) goto err;
887 if (!field_sqr(group, n0, &a->X, ctx)) goto err;
888 if (!BN_mod_lshift1_quick(n1, n0, p)) goto err;
889 if (!BN_mod_add_quick(n0, n0, n1, p)) goto err;
890 if (!BN_mod_add_quick(n1, n0, &group->a, p)) goto err;
891 /* n1 = 3 * X_a^2 + a_curve */
893 else if (group->a_is_minus3)
895 if (!field_sqr(group, n1, &a->Z, ctx)) goto err;
896 if (!BN_mod_add_quick(n0, &a->X, n1, p)) goto err;
897 if (!BN_mod_sub_quick(n2, &a->X, n1, p)) goto err;
898 if (!field_mul(group, n1, n0, n2, ctx)) goto err;
899 if (!BN_mod_lshift1_quick(n0, n1, p)) goto err;
900 if (!BN_mod_add_quick(n1, n0, n1, p)) goto err;
901 /* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
902 * = 3 * X_a^2 - 3 * Z_a^4 */
906 if (!field_sqr(group, n0, &a->X, ctx)) goto err;
907 if (!BN_mod_lshift1_quick(n1, n0, p)) goto err;
908 if (!BN_mod_add_quick(n0, n0, n1, p)) goto err;
909 if (!field_sqr(group, n1, &a->Z, ctx)) goto err;
910 if (!field_sqr(group, n1, n1, ctx)) goto err;
911 if (!field_mul(group, n1, n1, &group->a, ctx)) goto err;
912 if (!BN_mod_add_quick(n1, n1, n0, p)) goto err;
913 /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
919 if (!BN_copy(n0, &a->Y)) goto err;
923 if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) goto err;
925 if (!BN_mod_lshift1_quick(&r->Z, n0, p)) goto err;
927 /* Z_r = 2 * Y_a * Z_a */
930 if (!field_sqr(group, n3, &a->Y, ctx)) goto err;
931 if (!field_mul(group, n2, &a->X, n3, ctx)) goto err;
932 if (!BN_mod_lshift_quick(n2, n2, 2, p)) goto err;
933 /* n2 = 4 * X_a * Y_a^2 */
936 if (!BN_mod_lshift1_quick(n0, n2, p)) goto err;
937 if (!field_sqr(group, &r->X, n1, ctx)) goto err;
938 if (!BN_mod_sub_quick(&r->X, &r->X, n0, p)) goto err;
939 /* X_r = n1^2 - 2 * n2 */
942 if (!field_sqr(group, n0, n3, ctx)) goto err;
943 if (!BN_mod_lshift_quick(n3, n0, 3, p)) goto err;
947 if (!BN_mod_sub_quick(n0, n2, &r->X, p)) goto err;
948 if (!field_mul(group, n0, n1, n0, ctx)) goto err;
949 if (!BN_mod_sub_quick(&r->Y, n0, n3, p)) goto err;
950 /* Y_r = n1 * (n2 - X_r) - n3 */
957 BN_CTX_free(new_ctx);
962 int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
964 return BN_is_zero(&point->Z);
968 int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
970 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
971 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
973 BN_CTX *new_ctx = NULL;
974 BIGNUM *rh, *tmp1, *tmp2, *Z4, *Z6;
977 if (EC_POINT_is_at_infinity(group, point))
980 field_mul = group->meth->field_mul;
981 field_sqr = group->meth->field_sqr;
986 ctx = new_ctx = BN_CTX_new();
992 rh = BN_CTX_get(ctx);
993 tmp1 = BN_CTX_get(ctx);
994 tmp2 = BN_CTX_get(ctx);
995 Z4 = BN_CTX_get(ctx);
996 Z6 = BN_CTX_get(ctx);
997 if (Z6 == NULL) goto err;
999 /* We have a curve defined by a Weierstrass equation
1000 * y^2 = x^3 + a*x + b.
1001 * The point to consider is given in Jacobian projective coordinates
1002 * where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
1003 * Substituting this and multiplying by Z^6 transforms the above equation into
1004 * Y^2 = X^3 + a*X*Z^4 + b*Z^6.
1005 * To test this, we add up the right-hand side in 'rh'.
1009 if (!field_sqr(group, rh, &point->X, ctx)) goto err;
1010 if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
1012 if (!point->Z_is_one)
1014 if (!field_sqr(group, tmp1, &point->Z, ctx)) goto err;
1015 if (!field_sqr(group, Z4, tmp1, ctx)) goto err;
1016 if (!field_mul(group, Z6, Z4, tmp1, ctx)) goto err;
1018 /* rh := rh + a*X*Z^4 */
1019 if (!field_mul(group, tmp1, &point->X, Z4, ctx)) goto err;
1020 if (&group->a_is_minus3)
1022 if (!BN_mod_lshift1_quick(tmp2, tmp1, p)) goto err;
1023 if (!BN_mod_add_quick(tmp2, tmp2, tmp1, p)) goto err;
1024 if (!BN_mod_sub_quick(rh, rh, tmp2, p)) goto err;
1028 if (!field_mul(group, tmp2, tmp1, &group->a, ctx)) goto err;
1029 if (!BN_mod_add_quick(rh, rh, tmp2, p)) goto err;
1032 /* rh := rh + b*Z^6 */
1033 if (!field_mul(group, tmp1, &group->b, Z6, ctx)) goto err;
1034 if (!BN_mod_add_quick(rh, rh, tmp1, p)) goto err;
1038 /* point->Z_is_one */
1040 /* rh := rh + a*X */
1041 if (&group->a_is_minus3)
1043 if (!BN_mod_lshift1_quick(tmp2, &point->X, p)) goto err;
1044 if (!BN_mod_add_quick(tmp2, tmp2, &point->X, p)) goto err;
1045 if (!BN_mod_sub_quick(rh, rh, tmp2, p)) goto err;
1049 if (!field_mul(group, tmp2, &point->X, &group->a, ctx)) goto err;
1050 if (!BN_mod_add_quick(rh, rh, tmp2, p)) goto err;
1054 if (!BN_mod_add_quick(rh, rh, &group->b, p)) goto err;
1058 if (!field_sqr(group, tmp1, &point->Y, ctx)) goto err;
1060 ret = (0 == BN_cmp(tmp1, rh));
1064 if (new_ctx != NULL)
1065 BN_CTX_free(new_ctx);
1070 int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
1072 BN_CTX *new_ctx = NULL;
1076 if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
1081 ctx = new_ctx = BN_CTX_new();
1087 x = BN_CTX_get(ctx);
1088 y = BN_CTX_get(ctx);
1089 if (y == NULL) goto err;
1091 if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
1092 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
1093 if (!point->Z_is_one)
1095 ECerr(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE, ERR_R_INTERNAL_ERROR);
1103 if (new_ctx != NULL)
1104 BN_CTX_free(new_ctx);
1109 int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
1111 return BN_mod_mul(r, a, b, &group->field, ctx);
1115 int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
1117 return BN_mod_sqr(r, a, &group->field, ctx);
projects / oweals / openssl.git / blob