| blob | 643e9a69a68674c42edd250533d506226746c658 |
1 /* $OpenBSD: ecp_nistp224.c,v 1.22 2018/07/15 16:27:39 tb Exp $ */
2 /*
3 * Written by Emilia Kasper (Google) for the OpenSSL project.
4 */
5 /*
6 * Copyright (c) 2011 Google Inc.
7 *
8 * Permission to use, copy, modify, and distribute this software for any
9 * purpose with or without fee is hereby granted, provided that the above
10 * copyright notice and this permission notice appear in all copies.
11 *
12 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
13 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
14 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
15 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
16 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 */
21 /*
22 * A 64-bit implementation of the NIST P-224 elliptic curve point multiplication
23 *
24 * Inspired by Daniel J. Bernstein's public domain nistp224 implementation
25 * and Adam Langley's public domain 64-bit C implementation of curve25519
26 */
28 #include <stdint.h>
29 #include <string.h>
31 #include <openssl/opensslconf.h>
33 #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
35 #include <openssl/err.h>
38 #if defined(__GNUC__) && (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 1))
39 /* even with gcc, the typedef won't work for 32-bit platforms */
41 #else
43 #endif
50 /******************************************************************************/
51 /* INTERNAL REPRESENTATION OF FIELD ELEMENTS
52 *
53 * Field elements are represented as a_0 + 2^56*a_1 + 2^112*a_2 + 2^168*a_3
54 * using 64-bit coefficients called 'limbs',
55 * and sometimes (for multiplication results) as
56 * b_0 + 2^56*b_1 + 2^112*b_2 + 2^168*b_3 + 2^224*b_4 + 2^280*b_5 + 2^336*b_6
57 * using 128-bit coefficients called 'widelimbs'.
58 * A 4-limb representation is an 'felem';
59 * a 7-widelimb representation is a 'widefelem'.
60 * Even within felems, bits of adjacent limbs overlap, and we don't always
61 * reduce the representations: we ensure that inputs to each felem
62 * multiplication satisfy a_i < 2^60, so outputs satisfy b_i < 4*2^60*2^60,
63 * and fit into a 128-bit word without overflow. The coefficients are then
64 * again partially reduced to obtain an felem satisfying a_i < 2^57.
65 * We only reduce to the unique minimal representation at the end of the
66 * computation.
67 */
75 /* Field element represented as a byte arrary.
76 * 28*8 = 224 bits is also the group order size for the elliptic curve,
77 * and we also use this type for scalars for point multiplication.
78 */
97 };
99 /* Precomputed multiples of the standard generator
100 * Points are given in coordinates (X, Y, Z) where Z normally is 1
101 * (0 for the point at infinity).
102 * For each field element, slice a_0 is word 0, etc.
103 *
104 * The table has 2 * 16 elements, starting with the following:
105 * index | bits | point
106 * ------+---------+------------------------------
107 * 0 | 0 0 0 0 | 0G
108 * 1 | 0 0 0 1 | 1G
109 * 2 | 0 0 1 0 | 2^56G
110 * 3 | 0 0 1 1 | (2^56 + 1)G
111 * 4 | 0 1 0 0 | 2^112G
112 * 5 | 0 1 0 1 | (2^112 + 1)G
113 * 6 | 0 1 1 0 | (2^112 + 2^56)G
114 * 7 | 0 1 1 1 | (2^112 + 2^56 + 1)G
115 * 8 | 1 0 0 0 | 2^168G
116 * 9 | 1 0 0 1 | (2^168 + 1)G
117 * 10 | 1 0 1 0 | (2^168 + 2^56)G
118 * 11 | 1 0 1 1 | (2^168 + 2^56 + 1)G
119 * 12 | 1 1 0 0 | (2^168 + 2^112)G
120 * 13 | 1 1 0 1 | (2^168 + 2^112 + 1)G
121 * 14 | 1 1 1 0 | (2^168 + 2^112 + 2^56)G
122 * 15 | 1 1 1 1 | (2^168 + 2^112 + 2^56 + 1)G
123 * followed by a copy of this with each element multiplied by 2^28.
124 *
125 * The reason for this is so that we can clock bits into four different
126 * locations when doing simple scalar multiplies against the base point,
127 * and then another four locations using the second 16 elements.
128 */
227 /* Precomputation for the group generator. */
235 {
247 ec_GFp_simple_group_check_discriminant,
254 ec_GFp_simple_set_Jprojective_coordinates_GFp,
256 ec_GFp_simple_get_Jprojective_coordinates_GFp,
258 ec_GFp_simple_point_set_affine_coordinates,
260 ec_GFp_nistp224_point_get_affine_coordinates,
274 };
277 }
279 /* Helper functions to convert field elements to/from internal representation */
280 static void
282 {
287 }
289 static void
291 {
298 }
299 }
301 /* To preserve endianness when using BN_bn2bin and BN_bin2bn */
302 static void
304 {
308 }
310 /* From OpenSSL BIGNUM to internal representation */
311 static int
313 {
314 felem_bytearray b_in;
315 felem_bytearray b_out;
318 /* BN_bn2bin eats leading zeroes */
324 }
328 }
333 }
335 /* From internal representation to OpenSSL BIGNUM */
338 {
343 }
345 /******************************************************************************/
346 /* FIELD OPERATIONS
347 *
348 * Field operations, using the internal representation of field elements.
349 * NB! These operations are specific to our point multiplication and cannot be
350 * expected to be correct in general - e.g., multiplication with a large scalar
351 * will cause an overflow.
352 *
353 */
355 static void
357 {
362 }
364 static void
366 {
371 }
373 /* Sum two field elements: out += in */
374 static void
376 {
381 }
383 /* Get negative value: out = -in */
384 /* Assumes in[i] < 2^57 */
385 static void
387 {
393 /* Set to 0 mod 2^224-2^96+1 to ensure out > in */
398 }
400 /* Subtract field elements: out -= in */
401 /* Assumes in[i] < 2^57 */
402 static void
404 {
410 /* Add 0 mod 2^224-2^96+1 to ensure out > in */
420 }
422 /* Subtract in unreduced 128-bit mode: out -= in */
423 /* Assumes in[i] < 2^119 */
424 static void
426 {
433 /* Add 0 mod 2^224-2^96+1 to ensure out > in */
449 }
451 /* Subtract in mixed mode: out128 -= in64 */
452 /* in[i] < 2^63 */
453 static void
455 {
463 /* Add 0 mod 2^224-2^96+1 to ensure out > in */
473 }
475 /* Multiply a field element by a scalar: out = out * scalar
476 * The scalars we actually use are small, so results fit without overflow */
477 static void
479 {
484 }
486 /* Multiply an unreduced field element by a scalar: out = out * scalar
487 * The scalars we actually use are small, so results fit without overflow */
488 static void
490 {
498 }
500 /* Square a field element: out = in^2 */
501 static void
503 {
516 }
518 /* Multiply two field elements: out = in1 * in2 */
519 static void
521 {
532 }
534 /* Reduce seven 128-bit coefficients to four 64-bit coefficients.
535 * Requires in[i] < 2^126,
536 * ensures out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, out[3] <= 2^56 + 2^16 */
537 static void
539 {
548 /* Add 0 mod 2^224-2^96+1 to ensure all differences are positive */
555 /* Eliminate in[4], in[5], in[6] */
568 /* Carry 2 -> 3 -> 4 */
575 /* Now output[2] < 2^56, output[3] < 2^56, output[4] < 2^72 */
577 /* Eliminate output[4] */
579 /* output[2] < 2^56 + 2^56 = 2^57 */
583 /* Carry 0 -> 1 -> 2 -> 3 */
588 /* output[2] < 2^57 + 2^72 */
591 /* output[3] <= 2^56 + 2^16 */
594 /*
595 * out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, out[3] <= 2^56 + 2^16
596 * (due to final carry), so out < 2*p
597 */
599 }
601 static void
603 {
604 widefelem tmp;
607 }
609 static void
611 {
612 widefelem tmp;
615 }
617 /* Reduce to unique minimal representation.
618 * Requires 0 <= in < 2*p (always call felem_reduce first) */
619 static void
621 {
623 /* 0 <= in < 2*p, p = 2^224 - 2^96 + 1 */
624 /* if in > p , reduce in = in - 2^224 + 2^96 - 1 */
630 /* Case 1: a = 1 iff in >= 2^224 */
635 /*
636 * Case 2: a = 0 iff p <= in < 2^224, i.e., the high 128 bits are all
637 * 1 and the lower part is non-zero
638 */
642 /* turn a into an all-one mask (if a = 0) or an all-zero mask */
644 /* subtract 2^224 - 2^96 + 1 if a is all-one */
650 /*
651 * eliminate negative coefficients: if tmp[0] is negative, tmp[1]
652 * must be non-zero, so we only need one step
653 */
658 /* carry 1 -> 2 -> 3 */
665 /* Now 0 <= out < p */
670 }
672 /* Zero-check: returns 1 if input is 0, and 0 otherwise.
673 * We know that field elements are reduced to in < 2^225,
674 * so we only need to check three cases: 0, 2^224 - 2^96 + 1,
675 * and 2^225 - 2^97 + 2 */
676 static limb
678 {
690 }
692 static limb
694 {
696 }
698 /* Invert a field element */
699 /* Computation chain copied from djb's code */
700 static void
702 {
704 widefelem tmp;
728 }
736 }
744 }
752 }
760 }
766 }
776 }
779 }
781 /* Copy in constant time:
782 * if icopy == 1, copy in to out,
783 * if icopy == 0, copy out to itself. */
784 static void
786 {
788 /* icopy is a (64-bit) 0 or 1, so copy is either all-zero or all-one */
793 }
794 }
796 /******************************************************************************/
797 /* ELLIPTIC CURVE POINT OPERATIONS
798 *
799 * Points are represented in Jacobian projective coordinates:
800 * (X, Y, Z) corresponds to the affine point (X/Z^2, Y/Z^3),
801 * or to the point at infinity if Z == 0.
802 *
803 */
805 /* Double an elliptic curve point:
806 * (X', Y', Z') = 2 * (X, Y, Z), where
807 * X' = (3 * (X - Z^2) * (X + Z^2))^2 - 8 * X * Y^2
808 * Y' = 3 * (X - Z^2) * (X + Z^2) * (4 * X * Y^2 - X') - 8 * Y^2
809 * Z' = (Y + Z)^2 - Y^2 - Z^2 = 2 * Y * Z
810 * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed,
811 * while x_out == y_in is not (maybe this works, but it's not tested). */
812 static void
815 {
822 /* delta = z^2 */
826 /* gamma = y^2 */
830 /* beta = x*gamma */
834 /* alpha = 3*(x-delta)*(x+delta) */
836 /* ftmp[i] < 2^57 + 2^58 + 2 < 2^59 */
838 /* ftmp2[i] < 2^57 + 2^57 = 2^58 */
840 /* ftmp2[i] < 3 * 2^58 < 2^60 */
842 /* tmp[i] < 2^60 * 2^59 * 4 = 2^121 */
845 /* x' = alpha^2 - 8*beta */
847 /* tmp[i] < 4 * 2^57 * 2^57 = 2^116 */
850 /* ftmp[i] < 8 * 2^57 = 2^60 */
852 /* tmp[i] < 2^116 + 2^64 + 8 < 2^117 */
855 /* z' = (y + z)^2 - gamma - delta */
857 /* delta[i] < 2^57 + 2^57 = 2^58 */
860 /* ftmp[i] < 2^57 + 2^57 = 2^58 */
862 /* tmp[i] < 4 * 2^58 * 2^58 = 2^118 */
864 /* tmp[i] < 2^118 + 2^64 + 8 < 2^119 */
867 /* y' = alpha*(4*beta - x') - 8*gamma^2 */
869 /* beta[i] < 4 * 2^57 = 2^59 */
871 /* beta[i] < 2^59 + 2^58 + 2 < 2^60 */
873 /* tmp[i] < 4 * 2^57 * 2^60 = 2^119 */
875 /* tmp2[i] < 4 * 2^57 * 2^57 = 2^116 */
877 /* tmp2[i] < 8 * 2^116 = 2^119 */
879 /* tmp[i] < 2^119 + 2^120 < 2^121 */
881 }
883 /* Add two elliptic curve points:
884 * (X_1, Y_1, Z_1) + (X_2, Y_2, Z_2) = (X_3, Y_3, Z_3), where
885 * X_3 = (Z_1^3 * Y_2 - Z_2^3 * Y_1)^2 - (Z_1^2 * X_2 - Z_2^2 * X_1)^3 -
886 * 2 * Z_2^2 * X_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^2
887 * Y_3 = (Z_1^3 * Y_2 - Z_2^3 * Y_1) * (Z_2^2 * X_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^2 - X_3) -
888 * Z_2^3 * Y_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^3
889 * Z_3 = (Z_1^2 * X_2 - Z_2^2 * X_1) * (Z_1 * Z_2)
890 *
891 * This runs faster if 'mixed' is set, which requires Z_2 = 1 or Z_2 = 0.
892 */
894 /* This function is not entirely constant-time:
895 * it includes a branch for checking whether the two input points are equal,
896 * (while not equal to the point at infinity).
897 * This case never happens during single point multiplication,
898 * so there is no timing leak for ECDH or ECDSA signing. */
899 static void
903 {
909 /* ftmp2 = z2^2 */
913 /* ftmp4 = z2^3 */
917 /* ftmp4 = z2^3*y1 */
921 /* ftmp2 = z2^2*x1 */
925 /* We'll assume z2 = 1 (special case z2 = 0 is handled later) */
927 /* ftmp4 = z2^3*y1 */
930 /* ftmp2 = z2^2*x1 */
932 }
934 /* ftmp = z1^2 */
938 /* ftmp3 = z1^3 */
942 /* tmp = z1^3*y2 */
944 /* tmp[i] < 4 * 2^57 * 2^57 = 2^116 */
946 /* ftmp3 = z1^3*y2 - z2^3*y1 */
948 /* tmp[i] < 2^116 + 2^64 + 8 < 2^117 */
951 /* tmp = z1^2*x2 */
953 /* tmp[i] < 4 * 2^57 * 2^57 = 2^116 */
955 /* ftmp = z1^2*x2 - z2^2*x1 */
957 /* tmp[i] < 2^116 + 2^64 + 8 < 2^117 */
960 /*
961 * the formulae are incorrect if the points are equal so we check for
962 * this and do doubling if this happens
963 */
968 /* In affine coordinates, (X_1, Y_1) == (X_2, Y_2) */
972 }
973 /* ftmp5 = z1*z2 */
978 /* special case z2 = 0 is handled later */
980 }
982 /* z_out = (z1^2*x2 - z2^2*x1)*(z1*z2) */
986 /* ftmp = (z1^2*x2 - z2^2*x1)^2 */
991 /* ftmp5 = (z1^2*x2 - z2^2*x1)^3 */
995 /* ftmp2 = z2^2*x1*(z1^2*x2 - z2^2*x1)^2 */
999 /* tmp = z2^3*y1*(z1^2*x2 - z2^2*x1)^3 */
1001 /* tmp[i] < 4 * 2^57 * 2^57 = 2^116 */
1003 /* tmp2 = (z1^3*y2 - z2^3*y1)^2 */
1005 /* tmp2[i] < 4 * 2^57 * 2^57 < 2^116 */
1007 /* tmp2 = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 */
1009 /* tmp2[i] < 2^116 + 2^64 + 8 < 2^117 */
1011 /* ftmp5 = 2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2 */
1014 /* ftmp5[i] < 2 * 2^57 = 2^58 */
1016 /*
1017 * x_out = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 -
1018 * 2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2
1019 */
1021 /* tmp2[i] < 2^117 + 2^64 + 8 < 2^118 */
1024 /* ftmp2 = z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out */
1026 /* ftmp2[i] < 2^57 + 2^58 + 2 < 2^59 */
1028 /* tmp2 = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out) */
1030 /* tmp2[i] < 4 * 2^57 * 2^59 = 2^118 */
1032 /*
1033 * y_out = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 -
1034 * x_out) - z2^3*y1*(z1^2*x2 - z2^2*x1)^3
1035 */
1037 /* tmp2[i] < 2^118 + 2^120 < 2^121 */
1040 /*
1041 * the result (x_out, y_out, z_out) is incorrect if one of the inputs
1042 * is the point at infinity, so we need to check for this separately
1043 */
1045 /* if point 1 is at infinity, copy point 2 to output, and vice versa */
1055 }
1057 /* select_point selects the |idx|th point from a precomputation table and
1058 * copies it to out. */
1059 static void
1060 select_point(const u64 idx, unsigned int size, const felem pre_comp[ /* size */ ][3], felem out[3])
1061 {
1073 mask--;
1076 }
1077 }
1079 /* get_bit returns the |i|th bit in |in| */
1080 static char
1082 {
1086 }
1088 /* Interleaved point multiplication using precomputed point multiples:
1089 * The small point multiples 0*P, 1*P, ..., 16*P are in pre_comp[],
1090 * the scalars in scalars[]. If g_scalar is non-NULL, we also add this multiple
1091 * of the generator, using certain (large) precomputed multiples in g_pre_comp.
1092 * Output point (X, Y, Z) is stored in x_out, y_out, z_out */
1093 static void
1097 {
1102 u64 bits;
1105 /* set nq to the point at infinity */
1108 /*
1109 * Loop over all scalars msb-to-lsb, interleaving additions of
1110 * multiples of the generator (two in each of the last 28 rounds) and
1111 * additions of other points multiples (every 5th round).
1112 */
1114 * round */
1116 /* double */
1120 /* add multiples of the generator */
1122 /* first, look 28 bits upwards */
1127 /* select the point to add, in constant time */
1137 }
1139 /* second, look at the current position */
1144 /* select the point to add, in constant time */
1149 }
1150 /* do other additions every 5 doublings */
1152 /* loop over all scalars */
1162 /* select the point to add or subtract */
1165 * negative point */
1175 }
1176 }
1177 }
1178 }
1182 }
1184 /******************************************************************************/
1185 /* FUNCTIONS TO MANAGE PRECOMPUTATION
1186 */
1190 {
1196 }
1200 }
1204 {
1207 /* no need to actually copy, these objects never change! */
1211 }
1213 static void
1215 {
1227 }
1229 static void
1231 {
1243 }
1245 /******************************************************************************/
1246 /* OPENSSL EC_METHOD FUNCTIONS
1247 */
1249 int
1251 {
1256 }
1258 int
1261 {
1281 }
1284 err:
1288 }
1290 /* Takes the Jacobian coordinates (X, Y, Z) of a point and returns
1291 * (X', Y') = (X/Z^2, Y/Z^3) */
1292 int
1295 {
1297 widefelem tmp;
1302 }
1316 }
1317 }
1327 }
1328 }
1330 }
1332 static void
1334 {
1335 /*
1336 * Runs in constant time, unless an input is the point at infinity
1337 * (which normally shouldn't happen).
1338 */
1340 num,
1341 points,
1343 tmp_felems,
1351 }
1353 /* Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL values
1354 * Result is stored in r (r can equal one of the inputs). */
1355 int
1359 {
1366 felem_bytearray g_secret;
1370 felem_bytearray tmp;
1394 nistp224_pre_comp_clear_free);
1396 /* we have precomputation, try to use it */
1398 else
1399 /* try to use the standard precomputation */
1404 /* get the generator from precomputation */
1410 }
1415 /* precomputation matches generator */
1417 else
1418 /*
1419 * we don't have valid precomputation: treat the
1420 * generator as a random point
1421 */
1423 }
1426 /*
1427 * unless we precompute multiples for just one or two
1428 * points, converting those into affine form is time
1429 * well spent
1430 */
1432 }
1436 /* XXX should do more int overflow checking */
1439 }
1443 }
1444 /*
1445 * we treat NULL scalars as 0, and NULL points as points at
1446 * infinity, i.e., they contribute nothing to the linear
1447 * combination
1448 */
1451 /* the generator */
1452 {
1456 /* the i^th point */
1457 {
1460 }
1462 /* reduce scalar to 0 <= scalar < 2^224 */
1464 /*
1465 * this is an unusual input, and we
1466 * don't guarantee constant-timeness
1467 */
1471 }
1476 /* precompute multiples */
1494 }
1495 }
1496 }
1497 }
1500 }
1501 /* the scalar for the generator */
1504 /* reduce scalar to 0 <= scalar < 2^224 */
1506 /*
1507 * this is an unusual input, and we don't guarantee
1508 * constant-timeness
1509 */
1513 }
1518 /* do the multiplication with generator precomputation */
1521 g_secret,
1523 g_pre_comp);
1525 /* do the multiplication without generator precomputation */
1529 /* reduce the output to its unique minimal representation */
1537 }
1540 err:
1548 }
1550 int
1552 {
1561 /* throw away old precomputation */
1571 /* get the generator */
1583 /* if the generator is the standard one, use built-in precomputation */
1588 }
1593 /*
1594 * compute 2^56*G, 2^112*G, 2^168*G for the first table, 2^28*G,
1595 * 2^84*G, 2^140*G, 2^196*G for the second one
1596 */
1605 }
1615 }
1616 }
1618 /* g_pre_comp[i][0] is the point at infinity */
1620 /* the remaining multiples */
1621 /* 2^56*G + 2^112*G resp. 2^84*G + 2^140*G */
1628 /* 2^56*G + 2^168*G resp. 2^84*G + 2^196*G */
1635 /* 2^112*G + 2^168*G resp. 2^140*G + 2^196*G */
1642 /*
1643 * 2^56*G + 2^112*G + 2^168*G resp. 2^84*G + 2^140*G +
1644 * 2^196*G
1645 */
1653 /* odd multiples: add G resp. 2^28*G */
1660 }
1661 }
1669 err:
1675 }
1677 int
1679 {
1684 else
1686 }
1688 #endif