ec/impl/ec2_193.c

4272N/A/*
4272N/A * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
4272N/A * Use is subject to license terms.
4272N/A *
4272N/A * This library is free software; you can redistribute it and/or
4272N/A * modify it under the terms of the GNU Lesser General Public
4272N/A * License as published by the Free Software Foundation; either
4272N/A * version 2.1 of the License, or (at your option) any later version.
1674N/A *
4272N/A * This library is distributed in the hope that it will be useful,
4272N/A * but WITHOUT ANY WARRANTY; without even the implied warranty of
4272N/A * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
4272N/A * Lesser General Public License for more details.
1674N/A *
4272N/A * You should have received a copy of the GNU Lesser General Public License
4272N/A * along with this library; if not, write to the Free Software Foundation,
4272N/A * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
1674N/A *
4272N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
4272N/A * or visit www.oracle.com if you need additional information or have any
4272N/A * questions.
4272N/A */
4272N/A
4272N/A/* *********************************************************************
1674N/A *
1674N/A * The Original Code is the elliptic curve math library for binary polynomial field curves.
1674N/A *
1674N/A * The Initial Developer of the Original Code is
1674N/A * Sun Microsystems, Inc.
1674N/A * Portions created by the Initial Developer are Copyright (C) 2003
1674N/A * the Initial Developer. All Rights Reserved.
1674N/A *
1674N/A * Contributor(s):
1674N/A *   Sheueling Chang-Shantz <sheueling.chang@sun.com>,
1674N/A *   Stephen Fung <fungstep@hotmail.com>, and
1674N/A *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
1674N/A *
1674N/A *********************************************************************** */
1674N/A
1674N/A#include "ec2.h"
1674N/A#include "mp_gf2m.h"
1674N/A#include "mp_gf2m-priv.h"
1674N/A#include "mpi.h"
1674N/A#include "mpi-priv.h"
1674N/A#ifndef _KERNEL
1674N/A#include <stdlib.h>
1674N/A#endif
1674N/A
1674N/A/* Fast reduction for polynomials over a 193-bit curve. Assumes reduction
1674N/A * polynomial with terms {193, 15, 0}. */
1674N/Amp_err
1674N/Aec_GF2m_193_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
1674N/A{
1674N/A        mp_err res = MP_OKAY;
1674N/A        mp_digit *u, z;
1674N/A
1674N/A        if (a != r) {
1674N/A                MP_CHECKOK(mp_copy(a, r));
1674N/A        }
1674N/A#ifdef ECL_SIXTY_FOUR_BIT
1674N/A        if (MP_USED(r) < 7) {
1674N/A                MP_CHECKOK(s_mp_pad(r, 7));
1674N/A        }
1674N/A        u = MP_DIGITS(r);
1674N/A        MP_USED(r) = 7;
1674N/A
1674N/A        /* u[6] only has 2 significant bits */
1674N/A        z = u[6];
1674N/A        u[3] ^= (z << 14) ^ (z >> 1);
1674N/A        u[2] ^= (z << 63);
1674N/A        z = u[5];
1674N/A        u[3] ^= (z >> 50);
1674N/A        u[2] ^= (z << 14) ^ (z >> 1);
1674N/A        u[1] ^= (z << 63);
1674N/A        z = u[4];
1674N/A        u[2] ^= (z >> 50);
1674N/A        u[1] ^= (z << 14) ^ (z >> 1);
1674N/A        u[0] ^= (z << 63);
1674N/A        z = u[3] >> 1;                          /* z only has 63 significant bits */
1674N/A        u[1] ^= (z >> 49);
1674N/A        u[0] ^= (z << 15) ^ z;
1674N/A        /* clear bits above 193 */
1674N/A        u[6] = u[5] = u[4] = 0;
1674N/A        u[3] ^= z << 1;
1674N/A#else
1674N/A        if (MP_USED(r) < 13) {
1674N/A                MP_CHECKOK(s_mp_pad(r, 13));
1674N/A        }
1674N/A        u = MP_DIGITS(r);
1674N/A        MP_USED(r) = 13;
1674N/A
1674N/A        /* u[12] only has 2 significant bits */
1674N/A        z = u[12];
1674N/A        u[6] ^= (z << 14) ^ (z >> 1);
1674N/A        u[5] ^= (z << 31);
1674N/A        z = u[11];
1674N/A        u[6] ^= (z >> 18);
1674N/A        u[5] ^= (z << 14) ^ (z >> 1);
1674N/A        u[4] ^= (z << 31);
1674N/A        z = u[10];
1674N/A        u[5] ^= (z >> 18);
1674N/A        u[4] ^= (z << 14) ^ (z >> 1);
1674N/A        u[3] ^= (z << 31);
1674N/A        z = u[9];
1674N/A        u[4] ^= (z >> 18);
1674N/A        u[3] ^= (z << 14) ^ (z >> 1);
1674N/A        u[2] ^= (z << 31);
1674N/A        z = u[8];
1674N/A        u[3] ^= (z >> 18);
1674N/A        u[2] ^= (z << 14) ^ (z >> 1);
1674N/A        u[1] ^= (z << 31);
1674N/A        z = u[7];
1674N/A        u[2] ^= (z >> 18);
1674N/A        u[1] ^= (z << 14) ^ (z >> 1);
1674N/A        u[0] ^= (z << 31);
1674N/A        z = u[6] >> 1;                          /* z only has 31 significant bits */
1674N/A        u[1] ^= (z >> 17);
1674N/A        u[0] ^= (z << 15) ^ z;
1674N/A        /* clear bits above 193 */
1674N/A        u[12] = u[11] = u[10] = u[9] = u[8] = u[7] = 0;
1674N/A        u[6] ^= z << 1;
1674N/A#endif
1674N/A        s_mp_clamp(r);
1674N/A
1674N/A  CLEANUP:
1674N/A        return res;
1674N/A}
1674N/A
1674N/A/* Fast squaring for polynomials over a 193-bit curve. Assumes reduction
1674N/A * polynomial with terms {193, 15, 0}. */
1674N/Amp_err
1674N/Aec_GF2m_193_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
1674N/A{
1674N/A        mp_err res = MP_OKAY;
1674N/A        mp_digit *u, *v;
1674N/A
1674N/A        v = MP_DIGITS(a);
1674N/A
1674N/A#ifdef ECL_SIXTY_FOUR_BIT
1674N/A        if (MP_USED(a) < 4) {
1674N/A                return mp_bsqrmod(a, meth->irr_arr, r);
1674N/A        }
1674N/A        if (MP_USED(r) < 7) {
1674N/A                MP_CHECKOK(s_mp_pad(r, 7));
1674N/A        }
1674N/A        MP_USED(r) = 7;
1674N/A#else
1674N/A        if (MP_USED(a) < 7) {
1674N/A                return mp_bsqrmod(a, meth->irr_arr, r);
1674N/A        }
1674N/A        if (MP_USED(r) < 13) {
1674N/A                MP_CHECKOK(s_mp_pad(r, 13));
1674N/A        }
1674N/A        MP_USED(r) = 13;
1674N/A#endif
1674N/A        u = MP_DIGITS(r);
1674N/A
1674N/A#ifdef ECL_THIRTY_TWO_BIT
1674N/A        u[12] = gf2m_SQR0(v[6]);
1674N/A        u[11] = gf2m_SQR1(v[5]);
1674N/A        u[10] = gf2m_SQR0(v[5]);
1674N/A        u[9] = gf2m_SQR1(v[4]);
1674N/A        u[8] = gf2m_SQR0(v[4]);
1674N/A        u[7] = gf2m_SQR1(v[3]);
1674N/A#endif
1674N/A        u[6] = gf2m_SQR0(v[3]);
1674N/A        u[5] = gf2m_SQR1(v[2]);
1674N/A        u[4] = gf2m_SQR0(v[2]);
1674N/A        u[3] = gf2m_SQR1(v[1]);
1674N/A        u[2] = gf2m_SQR0(v[1]);
1674N/A        u[1] = gf2m_SQR1(v[0]);
1674N/A        u[0] = gf2m_SQR0(v[0]);
1674N/A        return ec_GF2m_193_mod(r, r, meth);
1674N/A
1674N/A  CLEANUP:
1674N/A        return res;
1674N/A}
1674N/A
1674N/A/* Fast multiplication for polynomials over a 193-bit curve. Assumes
1674N/A * reduction polynomial with terms {193, 15, 0}. */
1674N/Amp_err
1674N/Aec_GF2m_193_mul(const mp_int *a, const mp_int *b, mp_int *r,
1674N/A                                const GFMethod *meth)
1674N/A{
1674N/A        mp_err res = MP_OKAY;
1674N/A        mp_digit a3 = 0, a2 = 0, a1 = 0, a0, b3 = 0, b2 = 0, b1 = 0, b0;
1674N/A
1674N/A#ifdef ECL_THIRTY_TWO_BIT
1674N/A        mp_digit a6 = 0, a5 = 0, a4 = 0, b6 = 0, b5 = 0, b4 = 0;
1674N/A        mp_digit rm[8];
1674N/A#endif
1674N/A
1674N/A        if (a == b) {
1674N/A                return ec_GF2m_193_sqr(a, r, meth);
1674N/A        } else {
1674N/A                switch (MP_USED(a)) {
1674N/A#ifdef ECL_THIRTY_TWO_BIT
1674N/A                case 7:
1674N/A                        a6 = MP_DIGIT(a, 6);
1674N/A                case 6:
1674N/A                        a5 = MP_DIGIT(a, 5);
1674N/A                case 5:
1674N/A                        a4 = MP_DIGIT(a, 4);
1674N/A#endif
1674N/A                case 4:
1674N/A                        a3 = MP_DIGIT(a, 3);
1674N/A                case 3:
1674N/A                        a2 = MP_DIGIT(a, 2);
1674N/A                case 2:
1674N/A                        a1 = MP_DIGIT(a, 1);
1674N/A                default:
1674N/A                        a0 = MP_DIGIT(a, 0);
1674N/A                }
1674N/A                switch (MP_USED(b)) {
1674N/A#ifdef ECL_THIRTY_TWO_BIT
1674N/A                case 7:
1674N/A                        b6 = MP_DIGIT(b, 6);
1674N/A                case 6:
1674N/A                        b5 = MP_DIGIT(b, 5);
1674N/A                case 5:
1674N/A                        b4 = MP_DIGIT(b, 4);
1674N/A#endif
1674N/A                case 4:
1674N/A                        b3 = MP_DIGIT(b, 3);
1674N/A                case 3:
1674N/A                        b2 = MP_DIGIT(b, 2);
1674N/A                case 2:
1674N/A                        b1 = MP_DIGIT(b, 1);
1674N/A                default:
1674N/A                        b0 = MP_DIGIT(b, 0);
1674N/A                }
1674N/A#ifdef ECL_SIXTY_FOUR_BIT
1674N/A                MP_CHECKOK(s_mp_pad(r, 8));
1674N/A                s_bmul_4x4(MP_DIGITS(r), a3, a2, a1, a0, b3, b2, b1, b0);
1674N/A                MP_USED(r) = 8;
1674N/A                s_mp_clamp(r);
1674N/A#else
1674N/A                MP_CHECKOK(s_mp_pad(r, 14));
1674N/A                s_bmul_3x3(MP_DIGITS(r) + 8, a6, a5, a4, b6, b5, b4);
1674N/A                s_bmul_4x4(MP_DIGITS(r), a3, a2, a1, a0, b3, b2, b1, b0);
1674N/A                s_bmul_4x4(rm, a3, a6 ^ a2, a5 ^ a1, a4 ^ a0, b3, b6 ^ b2, b5 ^ b1,
1674N/A                                   b4 ^ b0);
1674N/A                rm[7] ^= MP_DIGIT(r, 7);
1674N/A                rm[6] ^= MP_DIGIT(r, 6);
1674N/A                rm[5] ^= MP_DIGIT(r, 5) ^ MP_DIGIT(r, 13);
1674N/A                rm[4] ^= MP_DIGIT(r, 4) ^ MP_DIGIT(r, 12);
1674N/A                rm[3] ^= MP_DIGIT(r, 3) ^ MP_DIGIT(r, 11);
1674N/A                rm[2] ^= MP_DIGIT(r, 2) ^ MP_DIGIT(r, 10);
1674N/A                rm[1] ^= MP_DIGIT(r, 1) ^ MP_DIGIT(r, 9);
1674N/A                rm[0] ^= MP_DIGIT(r, 0) ^ MP_DIGIT(r, 8);
1674N/A                MP_DIGIT(r, 11) ^= rm[7];
1674N/A                MP_DIGIT(r, 10) ^= rm[6];
1674N/A                MP_DIGIT(r, 9) ^= rm[5];
1674N/A                MP_DIGIT(r, 8) ^= rm[4];
1674N/A                MP_DIGIT(r, 7) ^= rm[3];
1674N/A                MP_DIGIT(r, 6) ^= rm[2];
1674N/A                MP_DIGIT(r, 5) ^= rm[1];
1674N/A                MP_DIGIT(r, 4) ^= rm[0];
1674N/A                MP_USED(r) = 14;
1674N/A                s_mp_clamp(r);
1674N/A#endif
1674N/A                return ec_GF2m_193_mod(r, r, meth);
1674N/A        }
1674N/A
1674N/A  CLEANUP:
1674N/A        return res;
1674N/A}
1674N/A
1674N/A/* Wire in fast field arithmetic for 193-bit curves. */
1674N/Amp_err
1674N/Aec_group_set_gf2m193(ECGroup *group, ECCurveName name)
1674N/A{
1674N/A        group->meth->field_mod = &ec_GF2m_193_mod;
1674N/A        group->meth->field_mul = &ec_GF2m_193_mul;
1674N/A        group->meth->field_sqr = &ec_GF2m_193_sqr;
1674N/A        return MP_OKAY;
1674N/A}