1 /* Originally written by Bodo Moeller for the OpenSSL project. 2 * ==================================================================== 3 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in 14 * the documentation and/or other materials provided with the 15 * distribution. 16 * 17 * 3. All advertising materials mentioning features or use of this 18 * software must display the following acknowledgment: 19 * "This product includes software developed by the OpenSSL Project 20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 21 * 22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 23 * endorse or promote products derived from this software without 24 * prior written permission. For written permission, please contact 25 * [email protected]. 26 * 27 * 5. Products derived from this software may not be called "OpenSSL" 28 * nor may "OpenSSL" appear in their names without prior written 29 * permission of the OpenSSL Project. 30 * 31 * 6. Redistributions of any form whatsoever must retain the following 32 * acknowledgment: 33 * "This product includes software developed by the OpenSSL Project 34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 35 * 36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 47 * OF THE POSSIBILITY OF SUCH DAMAGE. 48 * ==================================================================== 49 * 50 * This product includes cryptographic software written by Eric Young 51 * ([email protected]). This product includes software written by Tim 52 * Hudson ([email protected]). 53 * 54 */ 55 /* ==================================================================== 56 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 57 * 58 * Portions of the attached software ("Contribution") are developed by 59 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 60 * 61 * The Contribution is licensed pursuant to the OpenSSL open source 62 * license provided above. 63 * 64 * The elliptic curve binary polynomial software is originally written by 65 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems 66 * Laboratories. */ 67 68 #ifndef OPENSSL_HEADER_EC_INTERNAL_H 69 #define OPENSSL_HEADER_EC_INTERNAL_H 70 71 #include <openssl/base.h> 72 73 #include <assert.h> 74 75 #include <openssl/bn.h> 76 #include <openssl/ec.h> 77 #include <openssl/ex_data.h> 78 79 #include "../bn/internal.h" 80 81 #if defined(__cplusplus) 82 extern "C" { 83 #endif 84 85 86 // EC internals. 87 88 89 // Cap the size of all field elements and scalars, including custom curves, to 90 // 66 bytes, large enough to fit secp521r1 and brainpoolP512r1, which appear to 91 // be the largest fields anyone plausibly uses. 92 #define EC_MAX_BYTES 66 93 #define EC_MAX_WORDS ((EC_MAX_BYTES + BN_BYTES - 1) / BN_BYTES) 94 #define EC_MAX_COMPRESSED (EC_MAX_BYTES + 1) 95 #define EC_MAX_UNCOMPRESSED (2 * EC_MAX_BYTES + 1) 96 97 static_assert(EC_MAX_WORDS <= BN_SMALL_MAX_WORDS, 98 "bn_*_small functions not usable"); 99 100 101 // Scalars. 102 103 // An EC_SCALAR is an integer fully reduced modulo the order. Only the first 104 // |order->width| words are used. An |EC_SCALAR| is specific to an |EC_GROUP| 105 // and must not be mixed between groups. 106 typedef struct { 107 BN_ULONG words[EC_MAX_WORDS]; 108 } EC_SCALAR; 109 110 // ec_bignum_to_scalar converts |in| to an |EC_SCALAR| and writes it to 111 // |*out|. It returns one on success and zero if |in| is out of range. 112 OPENSSL_EXPORT int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out, 113 const BIGNUM *in); 114 115 // ec_scalar_to_bytes serializes |in| as a big-endian bytestring to |out| and 116 // sets |*out_len| to the number of bytes written. The number of bytes written 117 // is |BN_num_bytes(&group->order)|, which is at most |EC_MAX_BYTES|. 118 OPENSSL_EXPORT void ec_scalar_to_bytes(const EC_GROUP *group, uint8_t *out, 119 size_t *out_len, const EC_SCALAR *in); 120 121 // ec_scalar_from_bytes deserializes |in| and stores the resulting scalar over 122 // group |group| to |out|. It returns one on success and zero if |in| is 123 // invalid. 124 OPENSSL_EXPORT int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out, 125 const uint8_t *in, size_t len); 126 127 // ec_scalar_reduce sets |out| to |words|, reduced modulo the group order. 128 // |words| must be less than order^2. |num| must be at most twice the width of 129 // group order. This function treats |words| as secret. 130 void ec_scalar_reduce(const EC_GROUP *group, EC_SCALAR *out, 131 const BN_ULONG *words, size_t num); 132 133 // ec_random_nonzero_scalar sets |out| to a uniformly selected random value from 134 // 1 to |group->order| - 1. It returns one on success and zero on error. 135 int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out, 136 const uint8_t additional_data[32]); 137 138 // ec_scalar_equal_vartime returns one if |a| and |b| are equal and zero 139 // otherwise. Both values are treated as public. 140 int ec_scalar_equal_vartime(const EC_GROUP *group, const EC_SCALAR *a, 141 const EC_SCALAR *b); 142 143 // ec_scalar_is_zero returns one if |a| is zero and zero otherwise. 144 int ec_scalar_is_zero(const EC_GROUP *group, const EC_SCALAR *a); 145 146 // ec_scalar_add sets |r| to |a| + |b|. 147 void ec_scalar_add(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a, 148 const EC_SCALAR *b); 149 150 // ec_scalar_sub sets |r| to |a| - |b|. 151 void ec_scalar_sub(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a, 152 const EC_SCALAR *b); 153 154 // ec_scalar_neg sets |r| to -|a|. 155 void ec_scalar_neg(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a); 156 157 // ec_scalar_to_montgomery sets |r| to |a| in Montgomery form. 158 void ec_scalar_to_montgomery(const EC_GROUP *group, EC_SCALAR *r, 159 const EC_SCALAR *a); 160 161 // ec_scalar_to_montgomery sets |r| to |a| converted from Montgomery form. 162 void ec_scalar_from_montgomery(const EC_GROUP *group, EC_SCALAR *r, 163 const EC_SCALAR *a); 164 165 // ec_scalar_mul_montgomery sets |r| to |a| * |b| where inputs and outputs are 166 // in Montgomery form. 167 void ec_scalar_mul_montgomery(const EC_GROUP *group, EC_SCALAR *r, 168 const EC_SCALAR *a, const EC_SCALAR *b); 169 170 // ec_scalar_inv0_montgomery sets |r| to |a|^-1 where inputs and outputs are in 171 // Montgomery form. If |a| is zero, |r| is set to zero. 172 void ec_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r, 173 const EC_SCALAR *a); 174 175 // ec_scalar_to_montgomery_inv_vartime sets |r| to |a|^-1 R. That is, it takes 176 // in |a| not in Montgomery form and computes the inverse in Montgomery form. It 177 // returns one on success and zero if |a| has no inverse. This function assumes 178 // |a| is public and may leak information about it via timing. 179 // 180 // Note this is not the same operation as |ec_scalar_inv0_montgomery|. 181 int ec_scalar_to_montgomery_inv_vartime(const EC_GROUP *group, EC_SCALAR *r, 182 const EC_SCALAR *a); 183 184 // ec_scalar_select, in constant time, sets |out| to |a| if |mask| is all ones 185 // and |b| if |mask| is all zeros. 186 void ec_scalar_select(const EC_GROUP *group, EC_SCALAR *out, BN_ULONG mask, 187 const EC_SCALAR *a, const EC_SCALAR *b); 188 189 190 // Field elements. 191 192 // An EC_FELEM represents a field element. Only the first |field->width| words 193 // are used. An |EC_FELEM| is specific to an |EC_GROUP| and must not be mixed 194 // between groups. Additionally, the representation (whether or not elements are 195 // represented in Montgomery-form) may vary between |EC_METHOD|s. 196 typedef struct { 197 BN_ULONG words[EC_MAX_WORDS]; 198 } EC_FELEM; 199 200 // ec_felem_one returns one in |group|'s field. 201 const EC_FELEM *ec_felem_one(const EC_GROUP *group); 202 203 // ec_bignum_to_felem converts |in| to an |EC_FELEM|. It returns one on success 204 // and zero if |in| is out of range. 205 int ec_bignum_to_felem(const EC_GROUP *group, EC_FELEM *out, const BIGNUM *in); 206 207 // ec_felem_to_bignum converts |in| to a |BIGNUM|. It returns one on success and 208 // zero on allocation failure. 209 int ec_felem_to_bignum(const EC_GROUP *group, BIGNUM *out, const EC_FELEM *in); 210 211 // ec_felem_to_bytes serializes |in| as a big-endian bytestring to |out| and 212 // sets |*out_len| to the number of bytes written. The number of bytes written 213 // is |BN_num_bytes(&group->order)|, which is at most |EC_MAX_BYTES|. 214 void ec_felem_to_bytes(const EC_GROUP *group, uint8_t *out, size_t *out_len, 215 const EC_FELEM *in); 216 217 // ec_felem_from_bytes deserializes |in| and stores the resulting field element 218 // to |out|. It returns one on success and zero if |in| is invalid. 219 int ec_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out, const uint8_t *in, 220 size_t len); 221 222 // ec_felem_neg sets |out| to -|a|. 223 void ec_felem_neg(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a); 224 225 // ec_felem_add sets |out| to |a| + |b|. 226 void ec_felem_add(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a, 227 const EC_FELEM *b); 228 229 // ec_felem_add sets |out| to |a| - |b|. 230 void ec_felem_sub(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a, 231 const EC_FELEM *b); 232 233 // ec_felem_non_zero_mask returns all ones if |a| is non-zero and all zeros 234 // otherwise. 235 BN_ULONG ec_felem_non_zero_mask(const EC_GROUP *group, const EC_FELEM *a); 236 237 // ec_felem_select, in constant time, sets |out| to |a| if |mask| is all ones 238 // and |b| if |mask| is all zeros. 239 void ec_felem_select(const EC_GROUP *group, EC_FELEM *out, BN_ULONG mask, 240 const EC_FELEM *a, const EC_FELEM *b); 241 242 // ec_felem_equal returns one if |a| and |b| are equal and zero otherwise. 243 int ec_felem_equal(const EC_GROUP *group, const EC_FELEM *a, const EC_FELEM *b); 244 245 246 // Points. 247 // 248 // Points may represented in affine coordinates as |EC_AFFINE| or Jacobian 249 // coordinates as |EC_JACOBIAN|. Affine coordinates directly represent a 250 // point on the curve, but point addition over affine coordinates requires 251 // costly field inversions, so arithmetic is done in Jacobian coordinates. 252 // Converting from affine to Jacobian is cheap, while converting from Jacobian 253 // to affine costs a field inversion. (Jacobian coordinates amortize the field 254 // inversions needed in a sequence of point operations.) 255 256 // An EC_JACOBIAN represents an elliptic curve point in Jacobian coordinates. 257 // Unlike |EC_POINT|, it is a plain struct which can be stack-allocated and 258 // needs no cleanup. It is specific to an |EC_GROUP| and must not be mixed 259 // between groups. 260 typedef struct { 261 // X, Y, and Z are Jacobian projective coordinates. They represent 262 // (X/Z^2, Y/Z^3) if Z != 0 and the point at infinity otherwise. 263 EC_FELEM X, Y, Z; 264 } EC_JACOBIAN; 265 266 // An EC_AFFINE represents an elliptic curve point in affine coordinates. 267 // coordinates. Note the point at infinity cannot be represented in affine 268 // coordinates. 269 typedef struct { 270 EC_FELEM X, Y; 271 } EC_AFFINE; 272 273 // ec_affine_to_jacobian converts |p| to Jacobian form and writes the result to 274 // |*out|. This operation is very cheap and only costs a few copies. 275 void ec_affine_to_jacobian(const EC_GROUP *group, EC_JACOBIAN *out, 276 const EC_AFFINE *p); 277 278 // ec_jacobian_to_affine converts |p| to affine form and writes the result to 279 // |*out|. It returns one on success and zero if |p| was the point at infinity. 280 // This operation performs a field inversion and should only be done once per 281 // point. 282 // 283 // If only extracting the x-coordinate, use |ec_get_x_coordinate_*| which is 284 // slightly faster. 285 OPENSSL_EXPORT int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out, 286 const EC_JACOBIAN *p); 287 288 // ec_jacobian_to_affine_batch converts |num| points in |in| from Jacobian 289 // coordinates to affine coordinates and writes the results to |out|. It returns 290 // one on success and zero if any of the input points were infinity. 291 // 292 // This function is not implemented for all curves. Add implementations as 293 // needed. 294 int ec_jacobian_to_affine_batch(const EC_GROUP *group, EC_AFFINE *out, 295 const EC_JACOBIAN *in, size_t num); 296 297 // ec_point_set_affine_coordinates sets |out|'s to a point with affine 298 // coordinates |x| and |y|. It returns one if the point is on the curve and 299 // zero otherwise. If the point is not on the curve, the value of |out| is 300 // undefined. 301 int ec_point_set_affine_coordinates(const EC_GROUP *group, EC_AFFINE *out, 302 const EC_FELEM *x, const EC_FELEM *y); 303 304 // ec_point_mul_no_self_test does the same as |EC_POINT_mul|, but doesn't try to 305 // run the self-test first. This is for use in the self tests themselves, to 306 // prevent an infinite loop. 307 int ec_point_mul_no_self_test(const EC_GROUP *group, EC_POINT *r, 308 const BIGNUM *g_scalar, const EC_POINT *p, 309 const BIGNUM *p_scalar, BN_CTX *ctx); 310 311 // ec_point_mul_scalar sets |r| to |p| * |scalar|. Both inputs are considered 312 // secret. 313 int ec_point_mul_scalar(const EC_GROUP *group, EC_JACOBIAN *r, 314 const EC_JACOBIAN *p, const EC_SCALAR *scalar); 315 316 // ec_point_mul_scalar_base sets |r| to generator * |scalar|. |scalar| is 317 // treated as secret. 318 int ec_point_mul_scalar_base(const EC_GROUP *group, EC_JACOBIAN *r, 319 const EC_SCALAR *scalar); 320 321 // ec_point_mul_scalar_batch sets |r| to |p0| * |scalar0| + |p1| * |scalar1| + 322 // |p2| * |scalar2|. |p2| may be NULL to skip that term. 323 // 324 // The inputs are treated as secret, however, this function leaks information 325 // about whether intermediate computations add a point to itself. Callers must 326 // ensure that discrete logs between |p0|, |p1|, and |p2| are uniformly 327 // distributed and independent of the scalars, which should be uniformly 328 // selected and not under the attackers control. This ensures the doubling case 329 // will occur with negligible probability. 330 // 331 // This function is not implemented for all curves. Add implementations as 332 // needed. 333 // 334 // TODO(davidben): This function does not use base point tables. For now, it is 335 // only used with the generic |EC_GFp_mont_method| implementation which has 336 // none. If generalizing to tuned curves, this may be useful. However, we still 337 // must double up to the least efficient input, so precomputed tables can only 338 // save table setup and allow a wider window size. 339 int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_JACOBIAN *r, 340 const EC_JACOBIAN *p0, const EC_SCALAR *scalar0, 341 const EC_JACOBIAN *p1, const EC_SCALAR *scalar1, 342 const EC_JACOBIAN *p2, const EC_SCALAR *scalar2); 343 344 #define EC_MONT_PRECOMP_COMB_SIZE 5 345 346 // An |EC_PRECOMP| stores precomputed information about a point, to optimize 347 // repeated multiplications involving it. It is a union so different 348 // |EC_METHOD|s can store different information in it. 349 typedef union { 350 EC_AFFINE comb[(1 << EC_MONT_PRECOMP_COMB_SIZE) - 1]; 351 } EC_PRECOMP; 352 353 // ec_init_precomp precomputes multiples of |p| and writes the result to |out|. 354 // It returns one on success and zero on error. The resulting table may be used 355 // with |ec_point_mul_scalar_precomp|. This function will fail if |p| is the 356 // point at infinity. 357 // 358 // This function is not implemented for all curves. Add implementations as 359 // needed. 360 int ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out, 361 const EC_JACOBIAN *p); 362 363 // ec_point_mul_scalar_precomp sets |r| to |p0| * |scalar0| + |p1| * |scalar1| + 364 // |p2| * |scalar2|. |p1| or |p2| may be NULL to skip the corresponding term. 365 // The points are represented as |EC_PRECOMP| and must be initialized with 366 // |ec_init_precomp|. This function runs faster than |ec_point_mul_scalar_batch| 367 // but requires setup work per input point, so it is only appropriate for points 368 // which are used frequently. 369 // 370 // The inputs are treated as secret, however, this function leaks information 371 // about whether intermediate computations add a point to itself. Callers must 372 // ensure that discrete logs between |p0|, |p1|, and |p2| are uniformly 373 // distributed and independent of the scalars, which should be uniformly 374 // selected and not under the attackers control. This ensures the doubling case 375 // will occur with negligible probability. 376 // 377 // This function is not implemented for all curves. Add implementations as 378 // needed. 379 // 380 // TODO(davidben): This function does not use base point tables. For now, it is 381 // only used with the generic |EC_GFp_mont_method| implementation which has 382 // none. If generalizing to tuned curves, we should add a parameter for the base 383 // point and arrange for the generic implementation to have base point tables 384 // available. 385 int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_JACOBIAN *r, 386 const EC_PRECOMP *p0, const EC_SCALAR *scalar0, 387 const EC_PRECOMP *p1, const EC_SCALAR *scalar1, 388 const EC_PRECOMP *p2, const EC_SCALAR *scalar2); 389 390 // ec_point_mul_scalar_public sets |r| to 391 // generator * |g_scalar| + |p| * |p_scalar|. It assumes that the inputs are 392 // public so there is no concern about leaking their values through timing. 393 OPENSSL_EXPORT int ec_point_mul_scalar_public(const EC_GROUP *group, 394 EC_JACOBIAN *r, 395 const EC_SCALAR *g_scalar, 396 const EC_JACOBIAN *p, 397 const EC_SCALAR *p_scalar); 398 399 // ec_point_mul_scalar_public_batch sets |r| to the sum of generator * 400 // |g_scalar| and |points[i]| * |scalars[i]| where |points| and |scalars| have 401 // |num| elements. It assumes that the inputs are public so there is no concern 402 // about leaking their values through timing. |g_scalar| may be NULL to skip 403 // that term. 404 // 405 // This function is not implemented for all curves. Add implementations as 406 // needed. 407 int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_JACOBIAN *r, 408 const EC_SCALAR *g_scalar, 409 const EC_JACOBIAN *points, 410 const EC_SCALAR *scalars, size_t num); 411 412 // ec_point_select, in constant time, sets |out| to |a| if |mask| is all ones 413 // and |b| if |mask| is all zeros. 414 void ec_point_select(const EC_GROUP *group, EC_JACOBIAN *out, BN_ULONG mask, 415 const EC_JACOBIAN *a, const EC_JACOBIAN *b); 416 417 // ec_affine_select behaves like |ec_point_select| but acts on affine points. 418 void ec_affine_select(const EC_GROUP *group, EC_AFFINE *out, BN_ULONG mask, 419 const EC_AFFINE *a, const EC_AFFINE *b); 420 421 // ec_precomp_select behaves like |ec_point_select| but acts on |EC_PRECOMP|. 422 void ec_precomp_select(const EC_GROUP *group, EC_PRECOMP *out, BN_ULONG mask, 423 const EC_PRECOMP *a, const EC_PRECOMP *b); 424 425 // ec_cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group 426 // order, with |r|. It returns one if the values match and zero if |p| is the 427 // point at infinity of the values do not match. |p| is treated as public. 428 int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p, 429 const EC_SCALAR *r); 430 431 // ec_get_x_coordinate_as_scalar sets |*out| to |p|'s x-coordinate, modulo 432 // |group->order|. It returns one on success and zero if |p| is the point at 433 // infinity. 434 int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out, 435 const EC_JACOBIAN *p); 436 437 // ec_get_x_coordinate_as_bytes writes |p|'s affine x-coordinate to |out|, which 438 // must have at must |max_out| bytes. It sets |*out_len| to the number of bytes 439 // written. The value is written big-endian and zero-padded to the size of the 440 // field. This function returns one on success and zero on failure. 441 int ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out, 442 size_t *out_len, size_t max_out, 443 const EC_JACOBIAN *p); 444 445 // ec_point_byte_len returns the number of bytes in the byte representation of 446 // a non-infinity point in |group|, encoded according to |form|, or zero if 447 // |form| is invalid. 448 size_t ec_point_byte_len(const EC_GROUP *group, point_conversion_form_t form); 449 450 // ec_point_to_bytes encodes |point| according to |form| and writes the result 451 // |buf|. It returns the size of the output on success or zero on error. At most 452 // |max_out| bytes will be written. The buffer should be at least 453 // |ec_point_byte_len| long to guarantee success. 454 size_t ec_point_to_bytes(const EC_GROUP *group, const EC_AFFINE *point, 455 point_conversion_form_t form, uint8_t *buf, 456 size_t max_out); 457 458 // ec_point_from_uncompressed parses |in| as a point in uncompressed form and 459 // sets the result to |out|. It returns one on success and zero if the input was 460 // invalid. 461 int ec_point_from_uncompressed(const EC_GROUP *group, EC_AFFINE *out, 462 const uint8_t *in, size_t len); 463 464 // ec_set_to_safe_point sets |out| to an arbitrary point on |group|, either the 465 // generator or the point at infinity. This is used to guard against callers of 466 // external APIs not checking the return value. 467 void ec_set_to_safe_point(const EC_GROUP *group, EC_JACOBIAN *out); 468 469 // ec_affine_jacobian_equal returns one if |a| and |b| represent the same point 470 // and zero otherwise. It treats both inputs as secret. 471 int ec_affine_jacobian_equal(const EC_GROUP *group, const EC_AFFINE *a, 472 const EC_JACOBIAN *b); 473 474 475 // Implementation details. 476 477 struct ec_method_st { 478 // point_get_affine_coordinates sets |*x| and |*y| to the affine coordinates 479 // of |p|. Either |x| or |y| may be NULL to omit it. It returns one on success 480 // and zero if |p| is the point at infinity. It leaks whether |p| was the 481 // point at infinity, but otherwise treats |p| as secret. 482 int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_JACOBIAN *p, 483 EC_FELEM *x, EC_FELEM *y); 484 485 // jacobian_to_affine_batch implements |ec_jacobian_to_affine_batch|. 486 int (*jacobian_to_affine_batch)(const EC_GROUP *group, EC_AFFINE *out, 487 const EC_JACOBIAN *in, size_t num); 488 489 // add sets |r| to |a| + |b|. 490 void (*add)(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *a, 491 const EC_JACOBIAN *b); 492 // dbl sets |r| to |a| + |a|. 493 void (*dbl)(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *a); 494 495 // mul sets |r| to |scalar|*|p|. 496 void (*mul)(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *p, 497 const EC_SCALAR *scalar); 498 // mul_base sets |r| to |scalar|*generator. 499 void (*mul_base)(const EC_GROUP *group, EC_JACOBIAN *r, 500 const EC_SCALAR *scalar); 501 // mul_batch implements |ec_mul_scalar_batch|. 502 void (*mul_batch)(const EC_GROUP *group, EC_JACOBIAN *r, 503 const EC_JACOBIAN *p0, const EC_SCALAR *scalar0, 504 const EC_JACOBIAN *p1, const EC_SCALAR *scalar1, 505 const EC_JACOBIAN *p2, const EC_SCALAR *scalar2); 506 // mul_public sets |r| to |g_scalar|*generator + |p_scalar|*|p|. It assumes 507 // that the inputs are public so there is no concern about leaking their 508 // values through timing. 509 // 510 // This function may be omitted if |mul_public_batch| is provided. 511 void (*mul_public)(const EC_GROUP *group, EC_JACOBIAN *r, 512 const EC_SCALAR *g_scalar, const EC_JACOBIAN *p, 513 const EC_SCALAR *p_scalar); 514 // mul_public_batch implements |ec_point_mul_scalar_public_batch|. 515 int (*mul_public_batch)(const EC_GROUP *group, EC_JACOBIAN *r, 516 const EC_SCALAR *g_scalar, const EC_JACOBIAN *points, 517 const EC_SCALAR *scalars, size_t num); 518 519 // init_precomp implements |ec_init_precomp|. 520 int (*init_precomp)(const EC_GROUP *group, EC_PRECOMP *out, 521 const EC_JACOBIAN *p); 522 // mul_precomp implements |ec_point_mul_scalar_precomp|. 523 void (*mul_precomp)(const EC_GROUP *group, EC_JACOBIAN *r, 524 const EC_PRECOMP *p0, const EC_SCALAR *scalar0, 525 const EC_PRECOMP *p1, const EC_SCALAR *scalar1, 526 const EC_PRECOMP *p2, const EC_SCALAR *scalar2); 527 528 // felem_mul and felem_sqr implement multiplication and squaring, 529 // respectively, so that the generic |EC_POINT_add| and |EC_POINT_dbl| 530 // implementations can work both with |EC_GFp_mont_method| and the tuned 531 // operations. 532 // 533 // TODO(davidben): This constrains |EC_FELEM|'s internal representation, adds 534 // many indirect calls in the middle of the generic code, and a bunch of 535 // conversions. If p224-64.c were easily convertable to Montgomery form, we 536 // could say |EC_FELEM| is always in Montgomery form. If we routed the rest of 537 // simple.c to |EC_METHOD|, we could give |EC_POINT| an |EC_METHOD|-specific 538 // representation and say |EC_FELEM| is purely a |EC_GFp_mont_method| type. 539 void (*felem_mul)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a, 540 const EC_FELEM *b); 541 void (*felem_sqr)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a); 542 543 void (*felem_to_bytes)(const EC_GROUP *group, uint8_t *out, size_t *out_len, 544 const EC_FELEM *in); 545 int (*felem_from_bytes)(const EC_GROUP *group, EC_FELEM *out, 546 const uint8_t *in, size_t len); 547 548 // felem_reduce sets |out| to |words|, reduced modulo the field size, p. 549 // |words| must be less than p^2. |num| must be at most twice the width of p. 550 // This function treats |words| as secret. 551 // 552 // This function is only used in hash-to-curve and may be omitted in curves 553 // that do not support it. 554 void (*felem_reduce)(const EC_GROUP *group, EC_FELEM *out, 555 const BN_ULONG *words, size_t num); 556 557 // felem_exp sets |out| to |a|^|exp|. It treats |a| is secret but |exp| as 558 // public. 559 // 560 // This function is used in hash-to-curve and may be NULL in curves not used 561 // with hash-to-curve. 562 // 563 // TODO(https://crbug.com/boringssl/567): hash-to-curve uses this as part of 564 // computing a square root, which is what compressed coordinates ultimately 565 // needs to avoid |BIGNUM|. Can we unify this a bit? By generalizing to 566 // arbitrary exponentiation, we also miss an opportunity to use a specialized 567 // addition chain. 568 void (*felem_exp)(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a, 569 const BN_ULONG *exp, size_t num_exp); 570 571 // scalar_inv0_montgomery implements |ec_scalar_inv0_montgomery|. 572 void (*scalar_inv0_montgomery)(const EC_GROUP *group, EC_SCALAR *out, 573 const EC_SCALAR *in); 574 575 // scalar_to_montgomery_inv_vartime implements 576 // |ec_scalar_to_montgomery_inv_vartime|. 577 int (*scalar_to_montgomery_inv_vartime)(const EC_GROUP *group, EC_SCALAR *out, 578 const EC_SCALAR *in); 579 580 // cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group 581 // order, with |r|. It returns one if the values match and zero if |p| is the 582 // point at infinity of the values do not match. 583 int (*cmp_x_coordinate)(const EC_GROUP *group, const EC_JACOBIAN *p, 584 const EC_SCALAR *r); 585 } /* EC_METHOD */; 586 587 const EC_METHOD *EC_GFp_mont_method(void); 588 589 struct ec_point_st { 590 // group is an owning reference to |group|, unless this is 591 // |group->generator|. 592 EC_GROUP *group; 593 // raw is the group-specific point data. Functions that take |EC_POINT| 594 // typically check consistency with |EC_GROUP| while functions that take 595 // |EC_JACOBIAN| do not. Thus accesses to this field should be externally 596 // checked for consistency. 597 EC_JACOBIAN raw; 598 } /* EC_POINT */; 599 600 struct ec_group_st { 601 const EC_METHOD *meth; 602 603 // Unlike all other |EC_POINT|s, |generator| does not own |generator->group| 604 // to avoid a reference cycle. Additionally, Z is guaranteed to be one, so X 605 // and Y are suitable for use as an |EC_AFFINE|. Before |has_order| is set, Z 606 // is one, but X and Y are uninitialized. 607 EC_POINT generator; 608 609 BN_MONT_CTX order; 610 BN_MONT_CTX field; 611 612 EC_FELEM a, b; // Curve coefficients. 613 614 // comment is a human-readable string describing the curve. 615 const char *comment; 616 617 int curve_name; // optional NID for named curve 618 uint8_t oid[9]; 619 uint8_t oid_len; 620 621 // a_is_minus3 is one if |a| is -3 mod |field| and zero otherwise. Point 622 // arithmetic is optimized for -3. 623 int a_is_minus3; 624 625 // has_order is one if |generator| and |order| have been initialized. 626 int has_order; 627 628 // field_greater_than_order is one if |field| is greate than |order| and zero 629 // otherwise. 630 int field_greater_than_order; 631 632 CRYPTO_refcount_t references; 633 } /* EC_GROUP */; 634 635 EC_GROUP *ec_group_new(const EC_METHOD *meth, const BIGNUM *p, const BIGNUM *a, 636 const BIGNUM *b, BN_CTX *ctx); 637 638 void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r, 639 const EC_JACOBIAN *p, const EC_SCALAR *scalar); 640 void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_JACOBIAN *r, 641 const EC_SCALAR *scalar); 642 void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_JACOBIAN *r, 643 const EC_JACOBIAN *p0, const EC_SCALAR *scalar0, 644 const EC_JACOBIAN *p1, const EC_SCALAR *scalar1, 645 const EC_JACOBIAN *p2, const EC_SCALAR *scalar2); 646 int ec_GFp_mont_init_precomp(const EC_GROUP *group, EC_PRECOMP *out, 647 const EC_JACOBIAN *p); 648 void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_JACOBIAN *r, 649 const EC_PRECOMP *p0, const EC_SCALAR *scalar0, 650 const EC_PRECOMP *p1, const EC_SCALAR *scalar1, 651 const EC_PRECOMP *p2, const EC_SCALAR *scalar2); 652 void ec_GFp_mont_felem_reduce(const EC_GROUP *group, EC_FELEM *out, 653 const BN_ULONG *words, size_t num); 654 void ec_GFp_mont_felem_exp(const EC_GROUP *group, EC_FELEM *out, 655 const EC_FELEM *a, const BN_ULONG *exp, 656 size_t num_exp); 657 658 // ec_compute_wNAF writes the modified width-(w+1) Non-Adjacent Form (wNAF) of 659 // |scalar| to |out|. |out| must have room for |bits| + 1 elements, each of 660 // which will be either zero or odd with an absolute value less than 2^w 661 // satisfying 662 // scalar = \sum_j out[j]*2^j 663 // where at most one of any w+1 consecutive digits is non-zero 664 // with the exception that the most significant digit may be only 665 // w-1 zeros away from that next non-zero digit. 666 void ec_compute_wNAF(const EC_GROUP *group, int8_t *out, 667 const EC_SCALAR *scalar, size_t bits, int w); 668 669 int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r, 670 const EC_SCALAR *g_scalar, 671 const EC_JACOBIAN *points, 672 const EC_SCALAR *scalars, size_t num); 673 674 // method functions in simple.c 675 int ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, 676 const BIGNUM *b, BN_CTX *); 677 int ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, 678 BIGNUM *b); 679 void ec_GFp_simple_point_init(EC_JACOBIAN *); 680 void ec_GFp_simple_point_copy(EC_JACOBIAN *, const EC_JACOBIAN *); 681 void ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_JACOBIAN *); 682 void ec_GFp_mont_add(const EC_GROUP *, EC_JACOBIAN *r, const EC_JACOBIAN *a, 683 const EC_JACOBIAN *b); 684 void ec_GFp_mont_dbl(const EC_GROUP *, EC_JACOBIAN *r, const EC_JACOBIAN *a); 685 void ec_GFp_simple_invert(const EC_GROUP *, EC_JACOBIAN *); 686 int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_JACOBIAN *); 687 int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_JACOBIAN *); 688 int ec_GFp_simple_points_equal(const EC_GROUP *, const EC_JACOBIAN *a, 689 const EC_JACOBIAN *b); 690 void ec_simple_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r, 691 const EC_SCALAR *a); 692 693 int ec_simple_scalar_to_montgomery_inv_vartime(const EC_GROUP *group, 694 EC_SCALAR *r, 695 const EC_SCALAR *a); 696 697 int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p, 698 const EC_SCALAR *r); 699 700 void ec_GFp_simple_felem_to_bytes(const EC_GROUP *group, uint8_t *out, 701 size_t *out_len, const EC_FELEM *in); 702 int ec_GFp_simple_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out, 703 const uint8_t *in, size_t len); 704 705 // method functions in montgomery.c 706 void ec_GFp_mont_felem_mul(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a, 707 const EC_FELEM *b); 708 void ec_GFp_mont_felem_sqr(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a); 709 710 void ec_GFp_mont_felem_to_bytes(const EC_GROUP *group, uint8_t *out, 711 size_t *out_len, const EC_FELEM *in); 712 int ec_GFp_mont_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out, 713 const uint8_t *in, size_t len); 714 715 void ec_GFp_nistp_recode_scalar_bits(crypto_word_t *sign, crypto_word_t *digit, 716 crypto_word_t in); 717 718 const EC_METHOD *EC_GFp_nistp224_method(void); 719 const EC_METHOD *EC_GFp_nistp256_method(void); 720 721 // EC_GFp_nistz256_method is a GFp method using montgomery multiplication, with 722 // x86-64 optimized P256. See http://eprint.iacr.org/2013/816. 723 const EC_METHOD *EC_GFp_nistz256_method(void); 724 725 // An EC_WRAPPED_SCALAR is an |EC_SCALAR| with a parallel |BIGNUM| 726 // representation. It exists to support the |EC_KEY_get0_private_key| API. 727 typedef struct { 728 BIGNUM bignum; 729 EC_SCALAR scalar; 730 } EC_WRAPPED_SCALAR; 731 732 struct ec_key_st { 733 EC_GROUP *group; 734 735 // Ideally |pub_key| would be an |EC_AFFINE| so serializing it does not pay an 736 // inversion each time, but the |EC_KEY_get0_public_key| API implies public 737 // keys are stored in an |EC_POINT|-compatible form. 738 EC_POINT *pub_key; 739 EC_WRAPPED_SCALAR *priv_key; 740 741 unsigned int enc_flag; 742 point_conversion_form_t conv_form; 743 744 CRYPTO_refcount_t references; 745 746 ECDSA_METHOD *ecdsa_meth; 747 748 CRYPTO_EX_DATA ex_data; 749 } /* EC_KEY */; 750 751 752 #if defined(__cplusplus) 753 } // extern C 754 #endif 755 756 #endif // OPENSSL_HEADER_EC_INTERNAL_H 757