ec/impl/ecp_jm.c

4272N/A/*
4272N/A * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
4272N/A * Use is subject to license terms.
4272N/A *
4272N/A * This library is free software; you can redistribute it and/or
4272N/A * modify it under the terms of the GNU Lesser General Public
4272N/A * License as published by the Free Software Foundation; either
4272N/A * version 2.1 of the License, or (at your option) any later version.
1674N/A *
4272N/A * This library is distributed in the hope that it will be useful,
4272N/A * but WITHOUT ANY WARRANTY; without even the implied warranty of
4272N/A * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
4272N/A * Lesser General Public License for more details.
1674N/A *
4272N/A * You should have received a copy of the GNU Lesser General Public License
4272N/A * along with this library; if not, write to the Free Software Foundation,
4272N/A * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
1674N/A *
4272N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
4272N/A * or visit www.oracle.com if you need additional information or have any
4272N/A * questions.
4272N/A */
4272N/A
4272N/A/* *********************************************************************
1674N/A *
1674N/A * The Original Code is the elliptic curve math library for prime field curves.
1674N/A *
1674N/A * The Initial Developer of the Original Code is
1674N/A * Sun Microsystems, Inc.
1674N/A * Portions created by the Initial Developer are Copyright (C) 2003
1674N/A * the Initial Developer. All Rights Reserved.
1674N/A *
1674N/A * Contributor(s):
1674N/A *   Stephen Fung <fungstep@hotmail.com>, Sun Microsystems Laboratories
1674N/A *
1674N/A *********************************************************************** */
1674N/A
1674N/A#include "ecp.h"
1674N/A#include "ecl-priv.h"
1674N/A#include "mplogic.h"
1674N/A#ifndef _KERNEL
1674N/A#include <stdlib.h>
1674N/A#endif
1674N/A
1674N/A#define MAX_SCRATCH 6
1674N/A
1674N/A/* Computes R = 2P.  Elliptic curve points P and R can be identical.  Uses
1674N/A * Modified Jacobian coordinates.
1674N/A *
1674N/A * Assumes input is already field-encoded using field_enc, and returns
1674N/A * output that is still field-encoded.
1674N/A *
1674N/A */
1674N/Amp_err
1674N/Aec_GFp_pt_dbl_jm(const mp_int *px, const mp_int *py, const mp_int *pz,
1674N/A                                 const mp_int *paz4, mp_int *rx, mp_int *ry, mp_int *rz,
1674N/A                                 mp_int *raz4, mp_int scratch[], const ECGroup *group)
1674N/A{
1674N/A        mp_err res = MP_OKAY;
1674N/A        mp_int *t0, *t1, *M, *S;
1674N/A
1674N/A        t0 = &scratch[0];
1674N/A        t1 = &scratch[1];
1674N/A        M = &scratch[2];
1674N/A        S = &scratch[3];
1674N/A
1674N/A#if MAX_SCRATCH < 4
1674N/A#error "Scratch array defined too small "
1674N/A#endif
1674N/A
1674N/A        /* Check for point at infinity */
1674N/A        if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES) {
1674N/A                /* Set r = pt at infinity by setting rz = 0 */
1674N/A
1674N/A                MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, rz));
1674N/A                goto CLEANUP;
1674N/A        }
1674N/A
1674N/A        /* M = 3 (px^2) + a*(pz^4) */
1674N/A        MP_CHECKOK(group->meth->field_sqr(px, t0, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_add(t0, t0, M, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_add(t0, M, t0, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_add(t0, paz4, M, group->meth));
1674N/A
1674N/A        /* rz = 2 * py * pz */
1674N/A        MP_CHECKOK(group->meth->field_mul(py, pz, S, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_add(S, S, rz, group->meth));
1674N/A
1674N/A        /* t0 = 2y^2 , t1 = 8y^4 */
1674N/A        MP_CHECKOK(group->meth->field_sqr(py, t0, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_add(t0, t0, t0, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_sqr(t0, t1, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_add(t1, t1, t1, group->meth));
1674N/A
1674N/A        /* S = 4 * px * py^2 = 2 * px * t0 */
1674N/A        MP_CHECKOK(group->meth->field_mul(px, t0, S, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_add(S, S, S, group->meth));
1674N/A
1674N/A
1674N/A        /* rx = M^2 - 2S */
1674N/A        MP_CHECKOK(group->meth->field_sqr(M, rx, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_sub(rx, S, rx, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_sub(rx, S, rx, group->meth));
1674N/A
1674N/A        /* ry = M * (S - rx) - t1 */
1674N/A        MP_CHECKOK(group->meth->field_sub(S, rx, S, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_mul(S, M, ry, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_sub(ry, t1, ry, group->meth));
1674N/A
1674N/A        /* ra*z^4 = 2*t1*(apz4) */
1674N/A        MP_CHECKOK(group->meth->field_mul(paz4, t1, raz4, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_add(raz4, raz4, raz4, group->meth));
1674N/A
1674N/A
1674N/A  CLEANUP:
1674N/A        return res;
1674N/A}
1674N/A
1674N/A/* Computes R = P + Q where R is (rx, ry, rz), P is (px, py, pz) and Q is
1674N/A * (qx, qy, 1).  Elliptic curve points P, Q, and R can all be identical.
1674N/A * Uses mixed Modified_Jacobian-affine coordinates. Assumes input is
1674N/A * already field-encoded using field_enc, and returns output that is still
1674N/A * field-encoded. */
1674N/Amp_err
1674N/Aec_GFp_pt_add_jm_aff(const mp_int *px, const mp_int *py, const mp_int *pz,
1674N/A                                         const mp_int *paz4, const mp_int *qx,
1674N/A                                         const mp_int *qy, mp_int *rx, mp_int *ry, mp_int *rz,
1674N/A                                         mp_int *raz4, mp_int scratch[], const ECGroup *group)
1674N/A{
1674N/A        mp_err res = MP_OKAY;
1674N/A        mp_int *A, *B, *C, *D, *C2, *C3;
1674N/A
1674N/A        A = &scratch[0];
1674N/A        B = &scratch[1];
1674N/A        C = &scratch[2];
1674N/A        D = &scratch[3];
1674N/A        C2 = &scratch[4];
1674N/A        C3 = &scratch[5];
1674N/A
1674N/A#if MAX_SCRATCH < 6
1674N/A#error "Scratch array defined too small "
1674N/A#endif
1674N/A
1674N/A        /* If either P or Q is the point at infinity, then return the other
1674N/A         * point */
1674N/A        if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES) {
1674N/A                MP_CHECKOK(ec_GFp_pt_aff2jac(qx, qy, rx, ry, rz, group));
1674N/A                MP_CHECKOK(group->meth->field_sqr(rz, raz4, group->meth));
1674N/A                MP_CHECKOK(group->meth->field_sqr(raz4, raz4, group->meth));
1674N/A                MP_CHECKOK(group->meth->
1674N/A                                   field_mul(raz4, &group->curvea, raz4, group->meth));
1674N/A                goto CLEANUP;
1674N/A        }
1674N/A        if (ec_GFp_pt_is_inf_aff(qx, qy) == MP_YES) {
1674N/A                MP_CHECKOK(mp_copy(px, rx));
1674N/A                MP_CHECKOK(mp_copy(py, ry));
1674N/A                MP_CHECKOK(mp_copy(pz, rz));
1674N/A                MP_CHECKOK(mp_copy(paz4, raz4));
1674N/A                goto CLEANUP;
1674N/A        }
1674N/A
1674N/A        /* A = qx * pz^2, B = qy * pz^3 */
1674N/A        MP_CHECKOK(group->meth->field_sqr(pz, A, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_mul(A, pz, B, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_mul(A, qx, A, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_mul(B, qy, B, group->meth));
1674N/A
1674N/A        /* C = A - px, D = B - py */
1674N/A        MP_CHECKOK(group->meth->field_sub(A, px, C, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_sub(B, py, D, group->meth));
1674N/A
1674N/A        /* C2 = C^2, C3 = C^3 */
1674N/A        MP_CHECKOK(group->meth->field_sqr(C, C2, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_mul(C, C2, C3, group->meth));
1674N/A
1674N/A        /* rz = pz * C */
1674N/A        MP_CHECKOK(group->meth->field_mul(pz, C, rz, group->meth));
1674N/A
1674N/A        /* C = px * C^2 */
1674N/A        MP_CHECKOK(group->meth->field_mul(px, C2, C, group->meth));
1674N/A        /* A = D^2 */
1674N/A        MP_CHECKOK(group->meth->field_sqr(D, A, group->meth));
1674N/A
1674N/A        /* rx = D^2 - (C^3 + 2 * (px * C^2)) */
1674N/A        MP_CHECKOK(group->meth->field_add(C, C, rx, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_add(C3, rx, rx, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_sub(A, rx, rx, group->meth));
1674N/A
1674N/A        /* C3 = py * C^3 */
1674N/A        MP_CHECKOK(group->meth->field_mul(py, C3, C3, group->meth));
1674N/A
1674N/A        /* ry = D * (px * C^2 - rx) - py * C^3 */
1674N/A        MP_CHECKOK(group->meth->field_sub(C, rx, ry, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_mul(D, ry, ry, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_sub(ry, C3, ry, group->meth));
1674N/A
1674N/A        /* raz4 = a * rz^4 */
1674N/A        MP_CHECKOK(group->meth->field_sqr(rz, raz4, group->meth));
1674N/A        MP_CHECKOK(group->meth->field_sqr(raz4, raz4, group->meth));
1674N/A        MP_CHECKOK(group->meth->
1674N/A                           field_mul(raz4, &group->curvea, raz4, group->meth));
1674N/ACLEANUP:
1674N/A        return res;
1674N/A}
1674N/A
1674N/A/* Computes R = nP where R is (rx, ry) and P is the base point. Elliptic
1674N/A * curve points P and R can be identical. Uses mixed Modified-Jacobian
1674N/A * co-ordinates for doubling and Chudnovsky Jacobian coordinates for
1674N/A * additions. Assumes input is already field-encoded using field_enc, and
1674N/A * returns output that is still field-encoded. Uses 5-bit window NAF
1674N/A * method (algorithm 11) for scalar-point multiplication from Brown,
1674N/A * Hankerson, Lopez, Menezes. Software Implementation of the NIST Elliptic
1674N/A * Curves Over Prime Fields. */
1674N/Amp_err
1674N/Aec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py,
1674N/A                                          mp_int *rx, mp_int *ry, const ECGroup *group)
1674N/A{
1674N/A        mp_err res = MP_OKAY;
1674N/A        mp_int precomp[16][2], rz, tpx, tpy;
1674N/A        mp_int raz4;
1674N/A        mp_int scratch[MAX_SCRATCH];
1674N/A        signed char *naf = NULL;
1674N/A        int i, orderBitSize;
1674N/A
1674N/A        MP_DIGITS(&rz) = 0;
1674N/A        MP_DIGITS(&raz4) = 0;
1674N/A        MP_DIGITS(&tpx) = 0;
1674N/A        MP_DIGITS(&tpy) = 0;
1674N/A        for (i = 0; i < 16; i++) {
1674N/A                MP_DIGITS(&precomp[i][0]) = 0;
1674N/A                MP_DIGITS(&precomp[i][1]) = 0;
1674N/A        }
1674N/A        for (i = 0; i < MAX_SCRATCH; i++) {
1674N/A                MP_DIGITS(&scratch[i]) = 0;
1674N/A        }
1674N/A
1674N/A        ARGCHK(group != NULL, MP_BADARG);
1674N/A        ARGCHK((n != NULL) && (px != NULL) && (py != NULL), MP_BADARG);
1674N/A
1674N/A        /* initialize precomputation table */
1674N/A        MP_CHECKOK(mp_init(&tpx, FLAG(n)));
1674N/A        MP_CHECKOK(mp_init(&tpy, FLAG(n)));;
1674N/A        MP_CHECKOK(mp_init(&rz, FLAG(n)));
1674N/A        MP_CHECKOK(mp_init(&raz4, FLAG(n)));
1674N/A
1674N/A        for (i = 0; i < 16; i++) {
1674N/A                MP_CHECKOK(mp_init(&precomp[i][0], FLAG(n)));
1674N/A                MP_CHECKOK(mp_init(&precomp[i][1], FLAG(n)));
1674N/A        }
1674N/A        for (i = 0; i < MAX_SCRATCH; i++) {
1674N/A                MP_CHECKOK(mp_init(&scratch[i], FLAG(n)));
1674N/A        }
1674N/A
1674N/A        /* Set out[8] = P */
1674N/A        MP_CHECKOK(mp_copy(px, &precomp[8][0]));
1674N/A        MP_CHECKOK(mp_copy(py, &precomp[8][1]));
1674N/A
1674N/A        /* Set (tpx, tpy) = 2P */
1674N/A        MP_CHECKOK(group->
1674N/A                           point_dbl(&precomp[8][0], &precomp[8][1], &tpx, &tpy,
1674N/A                                                 group));
1674N/A
1674N/A        /* Set 3P, 5P, ..., 15P */
1674N/A        for (i = 8; i < 15; i++) {
1674N/A                MP_CHECKOK(group->
1674N/A                                   point_add(&precomp[i][0], &precomp[i][1], &tpx, &tpy,
1674N/A                                                         &precomp[i + 1][0], &precomp[i + 1][1],
1674N/A                                                         group));
1674N/A        }
1674N/A
1674N/A        /* Set -15P, -13P, ..., -P */
1674N/A        for (i = 0; i < 8; i++) {
1674N/A                MP_CHECKOK(mp_copy(&precomp[15 - i][0], &precomp[i][0]));
1674N/A                MP_CHECKOK(group->meth->
1674N/A                                   field_neg(&precomp[15 - i][1], &precomp[i][1],
1674N/A                                                         group->meth));
1674N/A        }
1674N/A
1674N/A        /* R = inf */
1674N/A        MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, &rz));
1674N/A
1674N/A        orderBitSize = mpl_significant_bits(&group->order);
1674N/A
1674N/A        /* Allocate memory for NAF */
1674N/A#ifdef _KERNEL
1674N/A        naf = (signed char *) kmem_alloc((orderBitSize + 1), FLAG(n));
1674N/A#else
1674N/A        naf = (signed char *) malloc(sizeof(signed char) * (orderBitSize + 1));
1674N/A        if (naf == NULL) {
1674N/A                res = MP_MEM;
1674N/A                goto CLEANUP;
1674N/A        }
1674N/A#endif
1674N/A
1674N/A        /* Compute 5NAF */
1674N/A        ec_compute_wNAF(naf, orderBitSize, n, 5);
1674N/A
1674N/A        /* wNAF method */
1674N/A        for (i = orderBitSize; i >= 0; i--) {
1674N/A                /* R = 2R */
1674N/A                ec_GFp_pt_dbl_jm(rx, ry, &rz, &raz4, rx, ry, &rz,
1674N/A                                             &raz4, scratch, group);
1674N/A                if (naf[i] != 0) {
1674N/A                        ec_GFp_pt_add_jm_aff(rx, ry, &rz, &raz4,
1674N/A                                                                 &precomp[(naf[i] + 15) / 2][0],
1674N/A                                                                 &precomp[(naf[i] + 15) / 2][1], rx, ry,
1674N/A                                                                 &rz, &raz4, scratch, group);
1674N/A                }
1674N/A        }
1674N/A
1674N/A        /* convert result S to affine coordinates */
1674N/A        MP_CHECKOK(ec_GFp_pt_jac2aff(rx, ry, &rz, rx, ry, group));
1674N/A
1674N/A  CLEANUP:
1674N/A        for (i = 0; i < MAX_SCRATCH; i++) {
1674N/A                mp_clear(&scratch[i]);
1674N/A        }
1674N/A        for (i = 0; i < 16; i++) {
1674N/A                mp_clear(&precomp[i][0]);
1674N/A                mp_clear(&precomp[i][1]);
1674N/A        }
1674N/A        mp_clear(&tpx);
1674N/A        mp_clear(&tpy);
1674N/A        mp_clear(&rz);
1674N/A        mp_clear(&raz4);
1674N/A#ifdef _KERNEL
1674N/A        kmem_free(naf, (orderBitSize + 1));
1674N/A#else
1674N/A        free(naf);
1674N/A#endif
1674N/A        return res;
1674N/A}