ec/impl/ecp_mont.c

4272N/A/*
4272N/A * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
4272N/A * Use is subject to license terms.
4272N/A *
4272N/A * This library is free software; you can redistribute it and/or
4272N/A * modify it under the terms of the GNU Lesser General Public
4272N/A * License as published by the Free Software Foundation; either
4272N/A * version 2.1 of the License, or (at your option) any later version.
1674N/A *
4272N/A * This library is distributed in the hope that it will be useful,
4272N/A * but WITHOUT ANY WARRANTY; without even the implied warranty of
4272N/A * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
4272N/A * Lesser General Public License for more details.
1674N/A *
4272N/A * You should have received a copy of the GNU Lesser General Public License
4272N/A * along with this library; if not, write to the Free Software Foundation,
4272N/A * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
1674N/A *
4272N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
4272N/A * or visit www.oracle.com if you need additional information or have any
4272N/A * questions.
4272N/A */
4272N/A
4272N/A/* *********************************************************************
1674N/A *
1674N/A * The Original Code is the elliptic curve math library.
1674N/A *
1674N/A * The Initial Developer of the Original Code is
1674N/A * Sun Microsystems, Inc.
1674N/A * Portions created by the Initial Developer are Copyright (C) 2003
1674N/A * the Initial Developer. All Rights Reserved.
1674N/A *
1674N/A * Contributor(s):
1674N/A *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
1674N/A *
1674N/A *********************************************************************** */
1674N/A
1674N/A/* Uses Montgomery reduction for field arithmetic.  See mpi/mpmontg.c for
1674N/A * code implementation. */
1674N/A
1674N/A#include "mpi.h"
1674N/A#include "mplogic.h"
1674N/A#include "mpi-priv.h"
1674N/A#include "ecl-priv.h"
1674N/A#include "ecp.h"
1674N/A#ifndef _KERNEL
1674N/A#include <stdlib.h>
1674N/A#include <stdio.h>
1674N/A#endif
1674N/A
1674N/A/* Construct a generic GFMethod for arithmetic over prime fields with
1674N/A * irreducible irr. */
1674N/AGFMethod *
1674N/AGFMethod_consGFp_mont(const mp_int *irr)
1674N/A{
1674N/A        mp_err res = MP_OKAY;
1674N/A        int i;
1674N/A        GFMethod *meth = NULL;
1674N/A        mp_mont_modulus *mmm;
1674N/A
1674N/A        meth = GFMethod_consGFp(irr);
1674N/A        if (meth == NULL)
1674N/A                return NULL;
1674N/A
1674N/A#ifdef _KERNEL
1674N/A        mmm = (mp_mont_modulus *) kmem_alloc(sizeof(mp_mont_modulus),
1674N/A            FLAG(irr));
1674N/A#else
1674N/A        mmm = (mp_mont_modulus *) malloc(sizeof(mp_mont_modulus));
1674N/A#endif
1674N/A        if (mmm == NULL) {
1674N/A                res = MP_MEM;
1674N/A                goto CLEANUP;
1674N/A        }
1674N/A
1674N/A        meth->field_mul = &ec_GFp_mul_mont;
1674N/A        meth->field_sqr = &ec_GFp_sqr_mont;
1674N/A        meth->field_div = &ec_GFp_div_mont;
1674N/A        meth->field_enc = &ec_GFp_enc_mont;
1674N/A        meth->field_dec = &ec_GFp_dec_mont;
1674N/A        meth->extra1 = mmm;
1674N/A        meth->extra2 = NULL;
1674N/A        meth->extra_free = &ec_GFp_extra_free_mont;
1674N/A
1674N/A        mmm->N = meth->irr;
1674N/A        i = mpl_significant_bits(&meth->irr);
1674N/A        i += MP_DIGIT_BIT - 1;
1674N/A        mmm->b = i - i % MP_DIGIT_BIT;
1674N/A        mmm->n0prime = 0 - s_mp_invmod_radix(MP_DIGIT(&meth->irr, 0));
1674N/A
1674N/A  CLEANUP:
1674N/A        if (res != MP_OKAY) {
1674N/A                GFMethod_free(meth);
1674N/A                return NULL;
1674N/A        }
1674N/A        return meth;
1674N/A}
1674N/A
1674N/A/* Wrapper functions for generic prime field arithmetic. */
1674N/A
1674N/A/* Field multiplication using Montgomery reduction. */
1674N/Amp_err
1674N/Aec_GFp_mul_mont(const mp_int *a, const mp_int *b, mp_int *r,
1674N/A                                const GFMethod *meth)
1674N/A{
1674N/A        mp_err res = MP_OKAY;
1674N/A
1674N/A#ifdef MP_MONT_USE_MP_MUL
1674N/A        /* if MP_MONT_USE_MP_MUL is defined, then the function s_mp_mul_mont
1674N/A         * is not implemented and we have to use mp_mul and s_mp_redc directly
1674N/A         */
1674N/A        MP_CHECKOK(mp_mul(a, b, r));
1674N/A        MP_CHECKOK(s_mp_redc(r, (mp_mont_modulus *) meth->extra1));
1674N/A#else
1674N/A        mp_int s;
1674N/A
1674N/A        MP_DIGITS(&s) = 0;
1674N/A        /* s_mp_mul_mont doesn't allow source and destination to be the same */
1674N/A        if ((a == r) || (b == r)) {
1674N/A                MP_CHECKOK(mp_init(&s, FLAG(a)));
1674N/A                MP_CHECKOK(s_mp_mul_mont
1674N/A                                   (a, b, &s, (mp_mont_modulus *) meth->extra1));
1674N/A                MP_CHECKOK(mp_copy(&s, r));
1674N/A                mp_clear(&s);
1674N/A        } else {
1674N/A                return s_mp_mul_mont(a, b, r, (mp_mont_modulus *) meth->extra1);
1674N/A        }
1674N/A#endif
1674N/A  CLEANUP:
1674N/A        return res;
1674N/A}
1674N/A
1674N/A/* Field squaring using Montgomery reduction. */
1674N/Amp_err
1674N/Aec_GFp_sqr_mont(const mp_int *a, mp_int *r, const GFMethod *meth)
1674N/A{
1674N/A        return ec_GFp_mul_mont(a, a, r, meth);
1674N/A}
1674N/A
1674N/A/* Field division using Montgomery reduction. */
1674N/Amp_err
1674N/Aec_GFp_div_mont(const mp_int *a, const mp_int *b, mp_int *r,
1674N/A                                const GFMethod *meth)
1674N/A{
1674N/A        mp_err res = MP_OKAY;
1674N/A
1674N/A        /* if A=aZ represents a encoded in montgomery coordinates with Z and #
1674N/A         * and \ respectively represent multiplication and division in
1674N/A         * montgomery coordinates, then A\B = (a/b)Z = (A/B)Z and Binv =
1674N/A         * (1/b)Z = (1/B)(Z^2) where B # Binv = Z */
1674N/A        MP_CHECKOK(ec_GFp_div(a, b, r, meth));
1674N/A        MP_CHECKOK(ec_GFp_enc_mont(r, r, meth));
1674N/A        if (a == NULL) {
1674N/A                MP_CHECKOK(ec_GFp_enc_mont(r, r, meth));
1674N/A        }
1674N/A  CLEANUP:
1674N/A        return res;
1674N/A}
1674N/A
1674N/A/* Encode a field element in Montgomery form. See s_mp_to_mont in
1674N/A * mpi/mpmontg.c */
1674N/Amp_err
1674N/Aec_GFp_enc_mont(const mp_int *a, mp_int *r, const GFMethod *meth)
1674N/A{
1674N/A        mp_mont_modulus *mmm;
1674N/A        mp_err res = MP_OKAY;
1674N/A
1674N/A        mmm = (mp_mont_modulus *) meth->extra1;
1674N/A        MP_CHECKOK(mpl_lsh(a, r, mmm->b));
1674N/A        MP_CHECKOK(mp_mod(r, &mmm->N, r));
1674N/A  CLEANUP:
1674N/A        return res;
1674N/A}
1674N/A
1674N/A/* Decode a field element from Montgomery form. */
1674N/Amp_err
1674N/Aec_GFp_dec_mont(const mp_int *a, mp_int *r, const GFMethod *meth)
1674N/A{
1674N/A        mp_err res = MP_OKAY;
1674N/A
1674N/A        if (a != r) {
1674N/A                MP_CHECKOK(mp_copy(a, r));
1674N/A        }
1674N/A        MP_CHECKOK(s_mp_redc(r, (mp_mont_modulus *) meth->extra1));
1674N/A  CLEANUP:
1674N/A        return res;
1674N/A}
1674N/A
1674N/A/* Free the memory allocated to the extra fields of Montgomery GFMethod
1674N/A * object. */
1674N/Avoid
1674N/Aec_GFp_extra_free_mont(GFMethod *meth)
1674N/A{
1674N/A        if (meth->extra1 != NULL) {
1674N/A#ifdef _KERNEL
1674N/A                kmem_free(meth->extra1, sizeof(mp_mont_modulus));
1674N/A#else
1674N/A                free(meth->extra1);
1674N/A#endif
1674N/A                meth->extra1 = NULL;
1674N/A        }
1674N/A}