/src/botan/src/lib/pubkey/ec_group/curve_gfp.cpp
1 | | /* |
2 | | * Elliptic curves over GF(p) Montgomery Representation |
3 | | * (C) 2014,2015,2018 Jack Lloyd |
4 | | * 2016 Matthias Gierlings |
5 | | * |
6 | | * Botan is released under the Simplified BSD License (see license.txt) |
7 | | */ |
8 | | |
9 | | #include <botan/curve_gfp.h> |
10 | | |
11 | | #include <botan/numthry.h> |
12 | | #include <botan/reducer.h> |
13 | | #include <botan/internal/curve_nistp.h> |
14 | | #include <botan/internal/monty.h> |
15 | | #include <botan/internal/mp_core.h> |
16 | | |
17 | | namespace Botan { |
18 | | |
19 | | namespace { |
20 | | |
/**
 * Generic curve arithmetic over an arbitrary prime p, using a Montgomery
 * representation: a field element x is stored as x*R mod p, where
 * R = 2^(BOTAN_MP_WORD_BITS * p_words).
 *
 * The reduction constant m_p_dash is derived from the low word of p via
 * monty_inverse, so p must be odd. No explicit oddness check is made in this
 * class -- presumably monty_inverse rejects even inputs; confirm against its
 * definition before relying on that.
 */
class CurveGFp_Montgomery final : public CurveGFp_Repr {
   public:
      /**
       * @param p the field prime (must be odd, see class comment)
       * @param a curve coefficient a, in plain (non-Montgomery) form
       * @param b curve coefficient b, in plain (non-Montgomery) form
       */
      CurveGFp_Montgomery(const BigInt& p, const BigInt& a, const BigInt& b) :
            m_p(p),
            m_a(a),
            m_b(b),
            m_p_words(m_p.sig_words()),
            m_p_dash(monty_inverse(m_p.word_at(0))),
            m_a_is_zero(m_a.is_zero()),
            m_a_is_minus_3(m_a + 3 == m_p) {
         Modular_Reducer mod_p(m_p);

         // R = 2^(word bits * p_words), taken mod p
         m_r.set_bit(m_p_words * BOTAN_MP_WORD_BITS);
         m_r = mod_p.reduce(m_r);

         // R^2 is used to enter Montgomery form, R^3 by invert_element
         m_r2 = mod_p.square(m_r);
         m_r3 = mod_p.multiply(m_r, m_r2);

         // Coefficients in Montgomery form (a*R, b*R)
         m_a_r = mod_p.multiply(m_r, m_a);
         m_b_r = mod_p.multiply(m_r, m_b);
      }

      bool a_is_zero() const override { return m_a_is_zero; }

      bool a_is_minus_3() const override { return m_a_is_minus_3; }

      // Plain-form parameters
      const BigInt& get_a() const override { return m_a; }

      const BigInt& get_b() const override { return m_b; }

      const BigInt& get_p() const override { return m_p; }

      // Montgomery-form parameters; "1" in this representation is R mod p
      const BigInt& get_a_rep() const override { return m_a_r; }

      const BigInt& get_b_rep() const override { return m_b_r; }

      const BigInt& get_1_rep() const override { return m_r; }

      bool is_one(const BigInt& x) const override { return x == m_r; }

      size_t get_p_words() const override { return m_p_words; }

      // Workspace large enough for a double-width product
      size_t get_ws_size() const override { return 2 * m_p_words; }

      BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const override;

      void to_curve_rep(BigInt& x, secure_vector<word>& ws) const override;

      void from_curve_rep(BigInt& x, secure_vector<word>& ws) const override;

      void curve_mul_words(
         BigInt& z, const word x_words[], size_t x_size, const BigInt& y, secure_vector<word>& ws) const override;

      void curve_sqr_words(BigInt& z, const word x_words[], size_t x_size, secure_vector<word>& ws) const override;

   private:
      BigInt m_p;
      BigInt m_a, m_b;
      BigInt m_a_r, m_b_r;  // a*R and b*R mod p
      size_t m_p_words;     // cache of m_p.sig_words()

      // Montgomery parameters: R, R^2 and R^3 mod p, and -p^-1 mod 2^w
      BigInt m_r, m_r2, m_r3;
      word m_p_dash;

      bool m_a_is_zero;
      bool m_a_is_minus_3;
};
85 | | |
/*
* Inverse in Montgomery form. The input is x*R; inverse_mod of that is
* x^-1 * R^-1, and one Montgomery multiply (which divides by R) with R^3
* turns it into x^-1 * R, the representation of the inverse.
*/
BigInt CurveGFp_Montgomery::invert_element(const BigInt& x, secure_vector<word>& ws) const {
   // Should we use Montgomery inverse instead?
   // NOTE(review): the timing behaviour here is that of inverse_mod -- confirm
   // it is constant-time for this modulus before using it on secret values.
   const BigInt plain_inv = inverse_mod(x, m_p);
   BigInt result;
   curve_mul(result, plain_inv, m_r3, ws);
   return result;
}
93 | | |
/*
* Convert x into Montgomery form in place: x * R^2 * R^-1 = x * R (mod p).
* A copy is needed because curve_mul writes its output before reading is done.
*/
void CurveGFp_Montgomery::to_curve_rep(BigInt& x, secure_vector<word>& ws) const {
   const BigInt plain(x);
   curve_mul(x, plain, m_r2, ws);
}
98 | | |
/*
* Convert z out of Montgomery form in place: a single Montgomery reduction
* of z*R yields z * R * R^-1 = z (mod p).
*/
void CurveGFp_Montgomery::from_curve_rep(BigInt& z, secure_vector<word>& ws) const {
   const size_t ws_needed = get_ws_size();
   if(ws.size() < ws_needed) {
      ws.resize(ws_needed);
   }

   // bigint_monty_redc works in place on a double-width (2*p_words) buffer
   const size_t redc_words = 2 * m_p_words;
   if(z.size() < redc_words) {
      z.grow_to(redc_words);
   }

   bigint_monty_redc(z.mutable_data(), m_p.data(), m_p_words, m_p_dash, ws.data(), ws.size());
}
111 | | |
/*
* Montgomery multiplication: z = x * y * R^-1 (mod p). The full product is
* formed into a double-width buffer and then reduced in place.
*
* @param z output, grown to at least 2*p_words
* @param x_w first operand limbs (x_size words available)
* @param y second operand, expected to have at most p_words significant words
* @param ws scratch space, grown as needed
*/
void CurveGFp_Montgomery::curve_mul_words(
   BigInt& z, const word x_w[], size_t x_size, const BigInt& y, secure_vector<word>& ws) const {
   BOTAN_DEBUG_ASSERT(y.sig_words() <= m_p_words);

   const size_t ws_needed = get_ws_size();
   if(ws.size() < ws_needed) {
      ws.resize(ws_needed);
   }

   const size_t product_words = 2 * m_p_words;
   if(z.size() < product_words) {
      z.grow_to(product_words);
   }

   // The limb counts actually multiplied are capped at p_words; the full
   // buffer sizes are passed alongside.
   const size_t x_sw = std::min(m_p_words, x_size);
   const size_t y_sw = std::min(m_p_words, y.size());
   bigint_mul(z.mutable_data(), z.size(), x_w, x_size, x_sw, y.data(), y.size(), y_sw, ws.data(), ws.size());

   bigint_monty_redc(z.mutable_data(), m_p.data(), m_p_words, m_p_dash, ws.data(), ws.size());
}
138 | | |
/*
* Montgomery squaring: z = x^2 * R^-1 (mod p). Same buffer handling as
* curve_mul_words, using the dedicated squaring routine.
*/
void CurveGFp_Montgomery::curve_sqr_words(BigInt& z, const word x[], size_t x_size, secure_vector<word>& ws) const {
   const size_t ws_needed = get_ws_size();
   if(ws.size() < ws_needed) {
      ws.resize(ws_needed);
   }

   const size_t product_words = 2 * m_p_words;
   if(z.size() < product_words) {
      z.grow_to(product_words);
   }

   // Only the first p_words limbs of x are squared
   const size_t x_sw = std::min(m_p_words, x_size);
   bigint_sqr(z.mutable_data(), z.size(), x, x_size, x_sw, ws.data(), ws.size());

   bigint_monty_redc(z.mutable_data(), m_p.data(), m_p_words, m_p_dash, ws.data(), ws.size());
}
153 | | |
/**
 * Shared implementation for the NIST curves whose prime admits a fast
 * Solinas-style reduction. Field elements are kept in plain form (no
 * Montgomery representation); each subclass supplies its reduction mod p
 * through redc_mod_p().
 */
class CurveGFp_NIST : public CurveGFp_Repr {
   public:
      /**
       * @param p_bits bit length of the field prime, used to size limb buffers
       * @param a curve coefficient a
       * @param b curve coefficient b
       */
      CurveGFp_NIST(size_t p_bits, const BigInt& a, const BigInt& b) :
            m_1(1), m_a(a), m_b(b), m_p_words((p_bits + BOTAN_MP_WORD_BITS - 1) / BOTAN_MP_WORD_BITS) {
         // All Solinas prime curves are assumed a == -3. This is not verified
         // against the value of a passed in; a_is_minus_3() reports true regardless.
      }

      bool a_is_zero() const override { return false; }

      bool a_is_minus_3() const override { return true; }

      const BigInt& get_a() const override { return m_a; }

      const BigInt& get_b() const override { return m_b; }

      const BigInt& get_1_rep() const override { return m_1; }

      size_t get_p_words() const override { return m_p_words; }

      // Workspace large enough for a double-width product
      size_t get_ws_size() const override { return 2 * m_p_words; }

      // Plain form: the "representation" of a coefficient is the coefficient itself
      const BigInt& get_a_rep() const override { return m_a; }

      const BigInt& get_b_rep() const override { return m_b; }

      bool is_one(const BigInt& x) const override { return x == 1; }

      // Entering or leaving the curve representation is just a reduction mod p
      void to_curve_rep(BigInt& x, secure_vector<word>& ws) const override { redc_mod_p(x, ws); }

      void from_curve_rep(BigInt& x, secure_vector<word>& ws) const override { redc_mod_p(x, ws); }

      /// Reduce z mod p in place using the curve-specific fast reduction
      virtual void redc_mod_p(BigInt& z, secure_vector<word>& ws) const = 0;

      BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const override;

      void curve_mul_words(
         BigInt& z, const word x_words[], size_t x_size, const BigInt& y, secure_vector<word>& ws) const override;

      // In-place x = x*y: the product lands in tmp, which is then swapped into x
      void curve_mul_tmp(BigInt& x, const BigInt& y, BigInt& tmp, secure_vector<word>& ws) const {
         curve_mul(tmp, x, y, ws);
         x.swap(tmp);
      }

      // In-place x = x^2, same scratch/swap scheme as curve_mul_tmp
      void curve_sqr_tmp(BigInt& x, BigInt& tmp, secure_vector<word>& ws) const {
         curve_sqr(tmp, x, ws);
         x.swap(tmp);
      }

      void curve_sqr_words(BigInt& z, const word x_words[], size_t x_size, secure_vector<word>& ws) const override;

   private:
      // Curve parameters
      BigInt m_1;  // the constant 1, returned by get_1_rep()
      BigInt m_a, m_b;
      size_t m_p_words;  // limbs needed for p_bits bits
};
210 | | |
/*
* Generic inversion for the NIST curves without a dedicated addition chain
* (P-192 and P-224 in this file). Elements are in plain form, so a plain
* modular inverse is the answer; no workspace is needed.
*/
BigInt CurveGFp_NIST::invert_element(const BigInt& x, secure_vector<word>& ws) const {
   BOTAN_UNUSED(ws);
   // NOTE(review): timing behaviour is that of inverse_mod -- confirm it is
   // constant-time before using this path on secret values.
   const BigInt& p = get_p();
   return inverse_mod(x, p);
}
215 | | |
/*
* z = x * y (mod p): the double-width product is formed into z and then
* reduced in place with the curve-specific redc_mod_p.
*
* @param z output, grown to at least 2*p_words
* @param x_w first operand limbs (x_size words available)
* @param y second operand, expected to have at most p_words significant words
* @param ws scratch space, grown as needed
*/
void CurveGFp_NIST::curve_mul_words(
   BigInt& z, const word x_w[], size_t x_size, const BigInt& y, secure_vector<word>& ws) const {
   BOTAN_DEBUG_ASSERT(y.sig_words() <= m_p_words);

   const size_t ws_needed = get_ws_size();
   if(ws.size() < ws_needed) {
      ws.resize(ws_needed);
   }

   const size_t product_words = 2 * m_p_words;
   if(z.size() < product_words) {
      z.grow_to(product_words);
   }

   // The limb counts actually multiplied are capped at p_words
   const size_t x_sw = std::min(m_p_words, x_size);
   const size_t y_sw = std::min(m_p_words, y.size());
   bigint_mul(z.mutable_data(), z.size(), x_w, x_size, x_sw, y.data(), y.size(), y_sw, ws.data(), ws.size());

   this->redc_mod_p(z, ws);
}
242 | | |
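/*
* z = x^2 (mod p): the double-width square is formed into z and then reduced
* in place with the curve-specific redc_mod_p.
*
* The output size passed to bigint_sqr is z.size(), matching curve_mul_words
* in this class and the Montgomery variant. Passing only 2*p_words, as before,
* left any limbs of z above that index untouched when the caller supplied a
* larger z, so stale data could survive into the reduction step.
*
* @param z output, grown to at least 2*p_words
* @param x operand limbs (x_size words available)
* @param ws scratch space, grown as needed
*/
void CurveGFp_NIST::curve_sqr_words(BigInt& z, const word x[], size_t x_size, secure_vector<word>& ws) const {
   const size_t ws_needed = get_ws_size();
   if(ws.size() < ws_needed) {
      ws.resize(ws_needed);
   }

   const size_t product_words = 2 * m_p_words;
   if(z.size() < product_words) {
      z.grow_to(product_words);
   }

   // Only the first p_words limbs of x are squared; the whole of z is the output buffer
   const size_t x_sw = std::min(m_p_words, x_size);
   bigint_sqr(z.mutable_data(), z.size(), x, x_size, x_sw, ws.data(), ws.size());

   this->redc_mod_p(z, ws);
}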
257 | | |
/**
 * The NIST P-192 curve: plain-form arithmetic with the P-192 specific
 * reduction. Inversion uses the generic CurveGFp_NIST::invert_element.
 */
class CurveGFp_P192 final : public CurveGFp_NIST {
   public:
      CurveGFp_P192(const BigInt& a, const BigInt& b) : CurveGFp_NIST(192, a, b) {}

      const BigInt& get_p() const override {
         return prime_p192();
      }

   private:
      // Fast reduction specialised for the P-192 prime
      void redc_mod_p(BigInt& x, secure_vector<word>& ws) const override {
         redc_p192(x, ws);
      }
};
270 | | |
/**
 * The NIST P-224 curve: plain-form arithmetic with the P-224 specific
 * reduction. Inversion uses the generic CurveGFp_NIST::invert_element.
 */
class CurveGFp_P224 final : public CurveGFp_NIST {
   public:
      CurveGFp_P224(const BigInt& a, const BigInt& b) : CurveGFp_NIST(224, a, b) {}

      const BigInt& get_p() const override {
         return prime_p224();
      }

   private:
      // Fast reduction specialised for the P-224 prime
      void redc_mod_p(BigInt& x, secure_vector<word>& ws) const override {
         redc_p224(x, ws);
      }
};
283 | | |
/**
 * The NIST P-256 curve: plain-form arithmetic with the P-256 specific
 * reduction and a dedicated fixed addition chain for inversion.
 */
class CurveGFp_P256 final : public CurveGFp_NIST {
   public:
      CurveGFp_P256(const BigInt& a, const BigInt& b) : CurveGFp_NIST(256, a, b) {}

      const BigInt& get_p() const override {
         return prime_p256();
      }

   private:
      // Fast reduction specialised for the P-256 prime
      void redc_mod_p(BigInt& x, secure_vector<word>& ws) const override {
         redc_p256(x, ws);
      }

      BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const override;
};
298 | | |
/*
* Inversion for P-256 via Fermat's little theorem: computes x^(p-2) mod p
* with p - 2 = 2^256 - 2^224 + 2^192 + 2^96 - 3, using a fixed addition
* chain. Powers of the form x^(2^k - 1) are built first and then shifted in.
* The sequence of operations does not depend on the value of x.
*/
BigInt CurveGFp_P256::invert_element(const BigInt& x, secure_vector<word>& ws) const {
   BigInt tmp;

   // Square v in place n times
   auto sqr_n = [&](BigInt& v, size_t n) {
      for(size_t i = 0; i != n; ++i) {
         curve_sqr_tmp(v, tmp, ws);
      }
   };

   BigInt r;
   BigInt p2, p4, p8, p16, p32;

   // p2 = x^(2^2 - 1)
   curve_sqr(r, x, ws);
   curve_mul(p2, r, x, ws);

   // p4 = x^(2^4 - 1)
   curve_sqr(r, p2, ws);
   sqr_n(r, 1);
   curve_mul(p4, r, p2, ws);

   // p8 = x^(2^8 - 1)
   curve_sqr(r, p4, ws);
   sqr_n(r, 3);
   curve_mul(p8, r, p4, ws);

   // p16 = x^(2^16 - 1)
   curve_sqr(r, p8, ws);
   sqr_n(r, 7);
   curve_mul(p16, r, p8, ws);

   // p32 = x^(2^32 - 1)
   curve_sqr(r, p16, ws);
   sqr_n(r, 15);
   curve_mul(p32, r, p16, ws);

   // r = x^(2^64 - 2^32 + 1)
   curve_sqr(r, p32, ws);
   sqr_n(r, 31);
   curve_mul_tmp(r, x, tmp, ws);

   // Shift in the remaining bits of p - 2 from the precomputed powers
   sqr_n(r, 32 * 4);
   curve_mul_tmp(r, p32, tmp, ws);

   sqr_n(r, 32);
   curve_mul_tmp(r, p32, tmp, ws);

   sqr_n(r, 16);
   curve_mul_tmp(r, p16, tmp, ws);

   sqr_n(r, 8);
   curve_mul_tmp(r, p8, tmp, ws);

   sqr_n(r, 4);
   curve_mul_tmp(r, p4, tmp, ws);

   sqr_n(r, 2);
   curve_mul_tmp(r, p2, tmp, ws);

   sqr_n(r, 2);
   curve_mul_tmp(r, x, tmp, ws);

   return r;
}
370 | | |
/**
 * The NIST P-384 curve: plain-form arithmetic with the P-384 specific
 * reduction and a dedicated fixed addition chain for inversion.
 */
class CurveGFp_P384 final : public CurveGFp_NIST {
   public:
      CurveGFp_P384(const BigInt& a, const BigInt& b) : CurveGFp_NIST(384, a, b) {}

      const BigInt& get_p() const override {
         return prime_p384();
      }

   private:
      // Fast reduction specialised for the P-384 prime
      void redc_mod_p(BigInt& x, secure_vector<word>& ws) const override {
         redc_p384(x, ws);
      }

      BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const override;
};
385 | | |
/*
* Inversion for P-384 via Fermat's little theorem: computes x^(p-2) mod p
* with p - 2 = 2^384 - 2^128 - 2^96 + 2^32 - 3, using the fixed addition
* chain from https://briansmith.org/ecc-inversion-addition-chains-01.
* The sequence of operations does not depend on the value of x.
*/
BigInt CurveGFp_P384::invert_element(const BigInt& x, secure_vector<word>& ws) const {
   BigInt tmp;

   // Square v in place n times
   auto sqr_n = [&](BigInt& v, size_t n) {
      for(size_t i = 0; i != n; ++i) {
         curve_sqr_tmp(v, tmp, ws);
      }
   };

   BigInt r(x);
   BigInt x2, x3, x15, x30, rl;

   // x2 = x^(2^2 - 1)
   sqr_n(r, 1);
   curve_mul_tmp(r, x, tmp, ws);
   x2 = r;

   // x3 = x^(2^3 - 1)
   sqr_n(r, 1);
   curve_mul_tmp(r, x, tmp, ws);
   x3 = r;

   // r = x^(2^6 - 1)
   sqr_n(r, 3);
   curve_mul_tmp(r, x3, tmp, ws);

   // r = x^(2^12 - 1)
   rl = r;
   sqr_n(r, 6);
   curve_mul_tmp(r, rl, tmp, ws);

   // x15 = x^(2^15 - 1)
   sqr_n(r, 3);
   curve_mul_tmp(r, x3, tmp, ws);
   x15 = r;

   // x30 = x^(2^30 - 1)
   sqr_n(r, 15);
   curve_mul_tmp(r, x15, tmp, ws);
   x30 = r;

   // r = x^(2^60 - 1)
   sqr_n(r, 30);
   curve_mul_tmp(r, x30, tmp, ws);

   // r = x^(2^120 - 1)
   rl = r;
   sqr_n(r, 60);
   curve_mul_tmp(r, rl, tmp, ws);

   // r = x^(2^240 - 1)
   rl = r;
   sqr_n(r, 120);
   curve_mul_tmp(r, rl, tmp, ws);

   // r = x^(2^255 - 1)
   sqr_n(r, 15);
   curve_mul_tmp(r, x15, tmp, ws);

   // Remaining bits of p - 2, shifted in from x30, x2 and x
   sqr_n(r, 31);
   curve_mul_tmp(r, x30, tmp, ws);

   sqr_n(r, 2);
   curve_mul_tmp(r, x2, tmp, ws);

   sqr_n(r, 94);
   curve_mul_tmp(r, x30, tmp, ws);

   sqr_n(r, 2);
   curve_mul_tmp(r, x, tmp, ws);

   return r;
}
469 | | |
/**
 * The NIST P-521 curve: plain-form arithmetic with the P-521 specific
 * reduction and a dedicated fixed addition chain for inversion.
 */
class CurveGFp_P521 final : public CurveGFp_NIST {
   public:
      CurveGFp_P521(const BigInt& a, const BigInt& b) : CurveGFp_NIST(521, a, b) {}

      const BigInt& get_p() const override {
         return prime_p521();
      }

   private:
      // Fast reduction specialised for the P-521 prime
      void redc_mod_p(BigInt& x, secure_vector<word>& ws) const override {
         redc_p521(x, ws);
      }

      BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const override;
};
484 | | |
/*
* Inversion for P-521 via Fermat's little theorem: computes x^(p-2) mod p
* with p = 2^521 - 1, so the exponent is 2^521 - 3. The addition chain is
* from https://eprint.iacr.org/2014/852.pdf: it builds x^(2^k - 1) for
* k = 2, 3, 6, 7, 8, 16, 32, 64, 128, 256, 512 and then appends the low bits.
* The sequence of operations does not depend on the value of x.
*/
BigInt CurveGFp_P521::invert_element(const BigInt& x, secure_vector<word>& ws) const {
   BigInt tmp;

   // Square v in place n times
   auto sqr_n = [&](BigInt& v, size_t n) {
      for(size_t i = 0; i != n; ++i) {
         curve_sqr_tmp(v, tmp, ws);
      }
   };

   // For v = x^(2^k - 1): v = v^(2^k) * v = x^(2^(2k) - 1), using saved as scratch
   auto double_chain = [&](BigInt& v, BigInt& saved, size_t k) {
      saved = v;
      sqr_n(v, k);
      curve_mul_tmp(v, saved, tmp, ws);
   };

   BigInt r;
   BigInt rl;
   BigInt a7;

   // r = x^(2^2 - 1)
   curve_sqr(r, x, ws);
   curve_mul_tmp(r, x, tmp, ws);

   // r = x^(2^3 - 1)
   sqr_n(r, 1);
   curve_mul_tmp(r, x, tmp, ws);

   // r = x^(2^6 - 1)
   double_chain(r, rl, 3);

   // r = x^(2^7 - 1); kept as a7 for the tail of the chain
   sqr_n(r, 1);
   curve_mul_tmp(r, x, tmp, ws);
   a7 = r;

   // r = x^(2^8 - 1)
   sqr_n(r, 1);
   curve_mul_tmp(r, x, tmp, ws);

   // r = x^(2^16 - 1) ... x^(2^512 - 1)
   double_chain(r, rl, 8);
   double_chain(r, rl, 16);
   double_chain(r, rl, 32);
   double_chain(r, rl, 64);
   double_chain(r, rl, 128);
   double_chain(r, rl, 256);

   // r = x^(2^519 - 1)
   sqr_n(r, 7);
   curve_mul_tmp(r, a7, tmp, ws);

   // r = x^(2^521 - 3)
   sqr_n(r, 2);
   curve_mul_tmp(r, x, tmp, ws);

   return r;
}
561 | | |
562 | | } // namespace |
563 | | |
/*
* Select the field representation for a curve over GF(p). The five NIST
* primes get their dedicated fast reduction; any other prime falls back to
* the generic Montgomery representation (Montgomery reduction needs an odd
* modulus).
*
* @param p the field prime
* @param a curve coefficient a, plain form
* @param b curve coefficient b, plain form
* @return a shared representation object for the curve
*/
std::shared_ptr<CurveGFp_Repr> CurveGFp::choose_repr(const BigInt& p, const BigInt& a, const BigInt& b) {
   if(p == prime_p192()) {
      return std::make_shared<CurveGFp_P192>(a, b);
   } else if(p == prime_p224()) {
      return std::make_shared<CurveGFp_P224>(a, b);
   } else if(p == prime_p256()) {
      return std::make_shared<CurveGFp_P256>(a, b);
   } else if(p == prime_p384()) {
      return std::make_shared<CurveGFp_P384>(a, b);
   } else if(p == prime_p521()) {
      return std::make_shared<CurveGFp_P521>(a, b);
   }

   // Generic fallback; a and b are converted to Montgomery form by the constructor
   return std::make_shared<CurveGFp_Montgomery>(p, a, b);
}
583 | | |
584 | | } // namespace Botan |