/src/botan/src/lib/pubkey/ec_group/curve_gfp.cpp

Source (jump to first uncovered line)
/*
* Elliptic curves over GF(p) Montgomery Representation
* (C) 2014,2015,2018 Jack Lloyd
*     2016 Matthias Gierlings
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/curve_gfp.h>
#include <botan/curve_nistp.h>
#include <botan/numthry.h>
#include <botan/reducer.h>
#include <botan/internal/mp_core.h>
#include <botan/internal/mp_asmi.h>

namespace Botan {

namespace {

class CurveGFp_Montgomery final : public CurveGFp_Repr
   {
   public:
      CurveGFp_Montgomery(const BigInt& p, const BigInt& a, const BigInt& b) :
         m_p(p), m_a(a), m_b(b),
         m_p_words(m_p.sig_words()),
         m_p_dash(monty_inverse(m_p.word_at(0)))
         {
         Modular_Reducer mod_p(m_p);

         m_r.set_bit(m_p_words * BOTAN_MP_WORD_BITS);
         m_r = mod_p.reduce(m_r);

         m_r2  = mod_p.square(m_r);
         m_r3  = mod_p.multiply(m_r, m_r2);
         m_a_r = mod_p.multiply(m_r, m_a);
         m_b_r = mod_p.multiply(m_r, m_b);

         m_a_is_zero = m_a.is_zero();
         m_a_is_minus_3 = (m_a + 3 == m_p);
         }

      bool a_is_zero() const override { return m_a_is_zero; }
      bool a_is_minus_3() const override { return m_a_is_minus_3; }

      const BigInt& get_a() const override { return m_a; }

      const BigInt& get_b() const override { return m_b; }

      const BigInt& get_p() const override { return m_p; }

      const BigInt& get_a_rep() const override { return m_a_r; }

      const BigInt& get_b_rep() const override { return m_b_r; }

      const BigInt& get_1_rep() const override { return m_r; }

      bool is_one(const BigInt& x) const override { return x == m_r; }

      size_t get_p_words() const override { return m_p_words; }

      size_t get_ws_size() const override { return 2*m_p_words + 4; }

      BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const override;

      void to_curve_rep(BigInt& x, secure_vector<word>& ws) const override;

      void from_curve_rep(BigInt& x, secure_vector<word>& ws) const override;

      void curve_mul_words(BigInt& z,
                           const word x_words[],
                           const size_t x_size,
                           const BigInt& y,
                           secure_vector<word>& ws) const override;

      void curve_sqr_words(BigInt& z,
                           const word x_words[],
                           size_t x_size,
                           secure_vector<word>& ws) const override;

   private:
      BigInt m_p;
      BigInt m_a, m_b;
      BigInt m_a_r, m_b_r;
      size_t m_p_words; // cache of m_p.sig_words()

      // Montgomery parameters
      BigInt m_r, m_r2, m_r3;
      word m_p_dash;

      bool m_a_is_zero;
      bool m_a_is_minus_3;
   };

BigInt CurveGFp_Montgomery::invert_element(const BigInt& x, secure_vector<word>& ws) const
   {
   // Should we use Montgomery inverse instead?
   const BigInt inv = inverse_mod(x, m_p);
   BigInt res;
   curve_mul(res, inv, m_r3, ws);
   return res;
   }

void CurveGFp_Montgomery::to_curve_rep(BigInt& x, secure_vector<word>& ws) const
   {
   const BigInt tx = x;
   curve_mul(x, tx, m_r2, ws);
   }

void CurveGFp_Montgomery::from_curve_rep(BigInt& z, secure_vector<word>& ws) const
   {
   if(ws.size() < get_ws_size())
      ws.resize(get_ws_size());

   const size_t output_size = 2*m_p_words + 2;
   if(z.size() < output_size)
      z.grow_to(output_size);

   bigint_monty_redc(z.mutable_data(),
                     m_p.data(), m_p_words, m_p_dash,
                     ws.data(), ws.size());
   }

void CurveGFp_Montgomery::curve_mul_words(BigInt& z,
                                          const word x_w[],
                                          size_t x_size,
                                          const BigInt& y,
                                          secure_vector<word>& ws) const
   {
   BOTAN_DEBUG_ASSERT(y.sig_words() <= m_p_words);

   if(ws.size() < get_ws_size())
      ws.resize(get_ws_size());

   const size_t output_size = 2*m_p_words + 2;
   if(z.size() < output_size)
      z.grow_to(output_size);

   bigint_mul(z.mutable_data(), z.size(),
              x_w, x_size, std::min(m_p_words, x_size),
              y.data(), y.size(), std::min(m_p_words, y.size()),
              ws.data(), ws.size());

   bigint_monty_redc(z.mutable_data(),
                     m_p.data(), m_p_words, m_p_dash,
                     ws.data(), ws.size());
   }

void CurveGFp_Montgomery::curve_sqr_words(BigInt& z,
                                          const word x[],
                                          size_t x_size,
                                          secure_vector<word>& ws) const
   {
   if(ws.size() < get_ws_size())
      ws.resize(get_ws_size());

   const size_t output_size = 2*m_p_words + 2;
   if(z.size() < output_size)
      z.grow_to(output_size);

   bigint_sqr(z.mutable_data(), z.size(),
              x, x_size, std::min(m_p_words, x_size),
              ws.data(), ws.size());

   bigint_monty_redc(z.mutable_data(),
                     m_p.data(), m_p_words, m_p_dash,
                     ws.data(), ws.size());
   }

class CurveGFp_NIST : public CurveGFp_Repr
   {
   public:
      CurveGFp_NIST(size_t p_bits, const BigInt& a, const BigInt& b) :
         m_1(1), m_a(a), m_b(b), m_p_words((p_bits + BOTAN_MP_WORD_BITS - 1) / BOTAN_MP_WORD_BITS)
         {
         // All Solinas prime curves are assumed a == -3
         }

      bool a_is_zero() const override { return false; }
      bool a_is_minus_3() const override { return true; }

      const BigInt& get_a() const override { return m_a; }

      const BigInt& get_b() const override { return m_b; }

      const BigInt& get_1_rep() const override { return m_1; }

      size_t get_p_words() const override { return m_p_words; }

      size_t get_ws_size() const override { return 2*m_p_words + 4; }

      const BigInt& get_a_rep() const override { return m_a; }

      const BigInt& get_b_rep() const override { return m_b; }

      bool is_one(const BigInt& x) const override { return x == 1; }

      void to_curve_rep(BigInt& x, secure_vector<word>& ws) const override
         { redc_mod_p(x, ws); }

      void from_curve_rep(BigInt& x, secure_vector<word>& ws) const override
         { redc_mod_p(x, ws); }

      virtual void redc_mod_p(BigInt& z, secure_vector<word>& ws) const = 0;

      BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const override;

      void curve_mul_words(BigInt& z,
                           const word x_words[],
                           const size_t x_size,
                           const BigInt& y,
                           secure_vector<word>& ws) const override;

      void curve_mul_tmp(BigInt& x, const BigInt& y, BigInt& tmp, secure_vector<word>& ws) const
         {
         curve_mul(tmp, x, y, ws);
         x.swap(tmp);
         }

      void curve_sqr_tmp(BigInt& x, BigInt& tmp, secure_vector<word>& ws) const
         {
         curve_sqr(tmp, x, ws);
         x.swap(tmp);
         }

      void curve_sqr_words(BigInt& z,
                           const word x_words[],
                           size_t x_size,
                           secure_vector<word>& ws) const override;
   private:
      // Curve parameters
      BigInt m_1;
      BigInt m_a, m_b;
      size_t m_p_words; // cache of m_p.sig_words()
   };

BigInt CurveGFp_NIST::invert_element(const BigInt& x, secure_vector<word>& ws) const
   {
   BOTAN_UNUSED(ws);
   return inverse_mod(x, get_p());
   }

void CurveGFp_NIST::curve_mul_words(BigInt& z,
                                    const word x_w[],
                                    size_t x_size,
                                    const BigInt& y,
                                    secure_vector<word>& ws) const
   {
   BOTAN_DEBUG_ASSERT(y.sig_words() <= m_p_words);

   if(ws.size() < get_ws_size())
      ws.resize(get_ws_size());

   const size_t output_size = 2*m_p_words + 2;
   if(z.size() < output_size)
      z.grow_to(output_size);

   bigint_mul(z.mutable_data(), z.size(),
              x_w, x_size, std::min(m_p_words, x_size),
              y.data(), y.size(), std::min(m_p_words, y.size()),
              ws.data(), ws.size());

   this->redc_mod_p(z, ws);
   }

void CurveGFp_NIST::curve_sqr_words(BigInt& z, const word x[], size_t x_size,
                                    secure_vector<word>& ws) const
   {
   if(ws.size() < get_ws_size())
      ws.resize(get_ws_size());

   const size_t output_size = 2*m_p_words + 2;
   if(z.size() < output_size)
      z.grow_to(output_size);

   bigint_sqr(z.mutable_data(), output_size,
              x, x_size, std::min(m_p_words, x_size),
              ws.data(), ws.size());

   this->redc_mod_p(z, ws);
   }

/**
* The NIST P-192 curve
*/
class CurveGFp_P192 final : public CurveGFp_NIST
   {
   public:
      CurveGFp_P192(const BigInt& a, const BigInt& b) : CurveGFp_NIST(192, a, b) {}
      const BigInt& get_p() const override { return prime_p192(); }
   private:
      void redc_mod_p(BigInt& x, secure_vector<word>& ws) const override { redc_p192(x, ws); }
   };

/**
* The NIST P-224 curve
*/
class CurveGFp_P224 final : public CurveGFp_NIST
   {
   public:
      CurveGFp_P224(const BigInt& a, const BigInt& b) : CurveGFp_NIST(224, a, b) {}
      const BigInt& get_p() const override { return prime_p224(); }
   private:
      void redc_mod_p(BigInt& x, secure_vector<word>& ws) const override { redc_p224(x, ws); }
   };

/**
* The NIST P-256 curve
*/
class CurveGFp_P256 final : public CurveGFp_NIST
   {
   public:
      CurveGFp_P256(const BigInt& a, const BigInt& b) : CurveGFp_NIST(256, a, b) {}
      const BigInt& get_p() const override { return prime_p256(); }
   private:
      void redc_mod_p(BigInt& x, secure_vector<word>& ws) const override { redc_p256(x, ws); }
      BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const override;
   };

BigInt CurveGFp_P256::invert_element(const BigInt& x, secure_vector<word>& ws) const
   {
   BigInt r, p2, p4, p8, p16, p32, tmp;

   curve_sqr(r, x, ws);

   curve_mul(p2, r, x, ws);
   curve_sqr(r, p2, ws);
   curve_sqr_tmp(r, tmp, ws);

   curve_mul(p4, r, p2, ws);

   curve_sqr(r, p4, ws);
   for(size_t i = 0; i != 3; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul(p8, r, p4, ws);

   curve_sqr(r, p8, ws);
   for(size_t i = 0; i != 7; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul(p16, r, p8, ws);

   curve_sqr(r, p16, ws);
   for(size_t i = 0; i != 15; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul(p32, r, p16, ws);

   curve_sqr(r, p32, ws);
   for(size_t i = 0; i != 31; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, x, tmp, ws);

   for(size_t i = 0; i != 32*4; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, p32, tmp, ws);

   for(size_t i = 0; i != 32; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, p32, tmp, ws);

   for(size_t i = 0; i != 16; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, p16, tmp, ws);
   for(size_t i = 0; i != 8; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, p8, tmp, ws);

   for(size_t i = 0; i != 4; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, p4, tmp, ws);

   for(size_t i = 0; i != 2; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, p2, tmp, ws);

   for(size_t i = 0; i != 2; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, x, tmp, ws);

   return r;
   }

/**
* The NIST P-384 curve
*/
class CurveGFp_P384 final : public CurveGFp_NIST
   {
   public:
      CurveGFp_P384(const BigInt& a, const BigInt& b) : CurveGFp_NIST(384, a, b) {}
      const BigInt& get_p() const override { return prime_p384(); }
   private:
      void redc_mod_p(BigInt& x, secure_vector<word>& ws) const override { redc_p384(x, ws); }
      BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const override;
   };

BigInt CurveGFp_P384::invert_element(const BigInt& x, secure_vector<word>& ws) const
   {
   // From https://briansmith.org/ecc-inversion-addition-chains-01

   BigInt r, x2, x3, x15, x30, tmp, rl;

   r = x;
   curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, x, tmp, ws);
   x2 = r;

   curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, x, tmp, ws);

   x3 = r;

   for(size_t i = 0; i != 3; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, x3, tmp, ws);

   rl = r;
   for(size_t i = 0; i != 6; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, rl, tmp, ws);

   for(size_t i = 0; i != 3; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, x3, tmp, ws);

   x15 = r;
   for(size_t i = 0; i != 15; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, x15, tmp, ws);

   x30 = r;
   for(size_t i = 0; i != 30; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, x30, tmp, ws);

   rl = r;
   for(size_t i = 0; i != 60; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, rl, tmp, ws);

   rl = r;
   for(size_t i = 0; i != 120; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, rl, tmp, ws);

   for(size_t i = 0; i != 15; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, x15, tmp, ws);

   for(size_t i = 0; i != 31; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, x30, tmp, ws);

   for(size_t i = 0; i != 2; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, x2, tmp, ws);

   for(size_t i = 0; i != 94; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, x30, tmp, ws);

   for(size_t i = 0; i != 2; ++i)
      curve_sqr_tmp(r, tmp, ws);

   curve_mul_tmp(r, x, tmp, ws);

   return r;
   }

/**
* The NIST P-521 curve
*/
class CurveGFp_P521 final : public CurveGFp_NIST
   {
   public:
      CurveGFp_P521(const BigInt& a, const BigInt& b) : CurveGFp_NIST(521, a, b) {}
      const BigInt& get_p() const override { return prime_p521(); }
   private:
      void redc_mod_p(BigInt& x, secure_vector<word>& ws) const override { redc_p521(x, ws); }
      BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const override;
   };

BigInt CurveGFp_P521::invert_element(const BigInt& x, secure_vector<word>& ws) const
   {
   // Addition chain from https://eprint.iacr.org/2014/852.pdf section

   BigInt r;
   BigInt rl;
   BigInt a7;
   BigInt tmp;

   curve_sqr(r, x, ws);
   curve_mul_tmp(r, x, tmp, ws);

   curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, x, tmp, ws);

   rl = r;

   for(size_t i = 0; i != 3; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, rl, tmp, ws);

   curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, x, tmp, ws);
   a7 = r; // need this value later

   curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, x, tmp, ws);

   rl = r;
   for(size_t i = 0; i != 8; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, rl, tmp, ws);

   rl = r;
   for(size_t i = 0; i != 16; ++i)
      curve_sqr_tmp(r, tmp, ws);
   curve_mul_tmp(r, rl, tmp, ws);

    rl = r;
    for(size_t i = 0; i != 32; ++i)
        curve_sqr_tmp(r, tmp, ws);
    curve_mul_tmp(r, rl, tmp, ws);

    rl = r;
    for(size_t i = 0; i != 64; ++i)
        curve_sqr_tmp(r, tmp, ws);
    curve_mul_tmp(r, rl, tmp, ws);

    rl = r;
    for(size_t i = 0; i != 128; ++i)
        curve_sqr_tmp(r, tmp, ws);
    curve_mul_tmp(r, rl, tmp, ws);

    rl = r;
    for(size_t i = 0; i != 256; ++i)
        curve_sqr_tmp(r, tmp, ws);
    curve_mul_tmp(r, rl, tmp, ws);

    for(size_t i = 0; i != 7; ++i)
        curve_sqr_tmp(r, tmp, ws);
    curve_mul_tmp(r, a7, tmp, ws);

    for(size_t i = 0; i != 2; ++i)
       curve_sqr_tmp(r, tmp, ws);
    curve_mul_tmp(r, x, tmp, ws);

    return r;
   }

}

std::shared_ptr<CurveGFp_Repr>
CurveGFp::choose_repr(const BigInt& p, const BigInt& a, const BigInt& b)
   {
   if(p == prime_p192())
      return std::shared_ptr<CurveGFp_Repr>(new CurveGFp_P192(a, b));
   if(p == prime_p224())
      return std::shared_ptr<CurveGFp_Repr>(new CurveGFp_P224(a, b));
   if(p == prime_p256())
      return std::shared_ptr<CurveGFp_Repr>(new CurveGFp_P256(a, b));
   if(p == prime_p384())
      return std::shared_ptr<CurveGFp_Repr>(new CurveGFp_P384(a, b));
   if(p == prime_p521())
      return std::shared_ptr<CurveGFp_Repr>(new CurveGFp_P521(a, b));

   return std::shared_ptr<CurveGFp_Repr>(new CurveGFp_Montgomery(p, a, b));
   }

}

Coverage Report

Created: 2020-02-14 15:38

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Elliptic curves over GF(p) Montgomery Representation
3		* (C) 2014,2015,2018 Jack Lloyd
4		* 2016 Matthias Gierlings
5		*
6		* Botan is released under the Simplified BSD License (see license.txt)
7		*/
8
9		#include <botan/curve_gfp.h>
10		#include <botan/curve_nistp.h>
11		#include <botan/numthry.h>
12		#include <botan/reducer.h>
13		#include <botan/internal/mp_core.h>
14		#include <botan/internal/mp_asmi.h>
15
16		namespace Botan {
17
18		namespace {
19
20		class CurveGFp_Montgomery final : public CurveGFp_Repr
21		{
22		public:
23		CurveGFp_Montgomery(const BigInt& p, const BigInt& a, const BigInt& b) :
24		m_p(p), m_a(a), m_b(b),
25		m_p_words(m_p.sig_words()),
26		m_p_dash(monty_inverse(m_p.word_at(0)))
27	620	{
28	620	Modular_Reducer mod_p(m_p);
29	620
30	620	m_r.set_bit(m_p_words * BOTAN_MP_WORD_BITS);
31	620	m_r = mod_p.reduce(m_r);
32	620
33	620	m_r2 = mod_p.square(m_r);
34	620	m_r3 = mod_p.multiply(m_r, m_r2);
35	620	m_a_r = mod_p.multiply(m_r, m_a);
36	620	m_b_r = mod_p.multiply(m_r, m_b);
37	620
38	620	m_a_is_zero = m_a.is_zero();
39	620	m_a_is_minus_3 = (m_a + 3 == m_p);
40	620	}
41
42	2.11M	bool a_is_zero() const override { return m_a_is_zero; }
43	1.99M	bool a_is_minus_3() const override { return m_a_is_minus_3; }
44
45	5.19k	const BigInt& get_a() const override { return m_a; }
46
47	5.19k	const BigInt& get_b() const override { return m_b; }
48
49	3.68M	const BigInt& get_p() const override { return m_p; }
50
51	1.92M	const BigInt& get_a_rep() const override { return m_a_r; }
52
53	11.2k	const BigInt& get_b_rep() const override { return m_b_r; }
54
55	47.7k	const BigInt& get_1_rep() const override { return m_r; }
56
57	34.4k	bool is_one(const BigInt& x) const override { return x == m_r; }
58
59	401k	size_t get_p_words() const override { return m_p_words; }
60
61	48.2M	size_t get_ws_size() const override { return 2*m_p_words + 4; }
62
63		BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const override;
64
65		void to_curve_rep(BigInt& x, secure_vector<word>& ws) const override;
66
67		void from_curve_rep(BigInt& x, secure_vector<word>& ws) const override;
68
69		void curve_mul_words(BigInt& z,
70		const word x_words[],
71		const size_t x_size,
72		const BigInt& y,
73		secure_vector<word>& ws) const override;
74
75		void curve_sqr_words(BigInt& z,
76		const word x_words[],
77		size_t x_size,
78		secure_vector<word>& ws) const override;
79
80		private:
81		BigInt m_p;
82		BigInt m_a, m_b;
83		BigInt m_a_r, m_b_r;
84		size_t m_p_words; // cache of m_p.sig_words()
85
86		// Montgomery parameters
87		BigInt m_r, m_r2, m_r3;
88		word m_p_dash;
89
90		bool m_a_is_zero;
91		bool m_a_is_minus_3;
92		};
93
94		BigInt CurveGFp_Montgomery::invert_element(const BigInt& x, secure_vector<word>& ws) const
95	34.9k	{
96	34.9k	// Should we use Montgomery inverse instead?
97	34.9k	const BigInt inv = inverse_mod(x, m_p);
98	34.9k	BigInt res;
99	34.9k	curve_mul(res, inv, m_r3, ws);
100	34.9k	return res;
101	34.9k	}
102
103		void CurveGFp_Montgomery::to_curve_rep(BigInt& x, secure_vector<word>& ws) const
104	7.57k	{
105	7.57k	const BigInt tx = x;
106	7.57k	curve_mul(x, tx, m_r2, ws);
107	7.57k	}
108
109		void CurveGFp_Montgomery::from_curve_rep(BigInt& z, secure_vector<word>& ws) const
110	54.0k	{
111	54.0k	if(ws.size() < get_ws_size())
112	254	ws.resize(get_ws_size());
113	54.0k
114	54.0k	const size_t output_size = 2*m_p_words + 2;
115	54.0k	if(z.size() < output_size)
116	10.9k	z.grow_to(output_size);
117	54.0k
118	54.0k	bigint_monty_redc(z.mutable_data(),
119	54.0k	m_p.data(), m_p_words, m_p_dash,
120	54.0k	ws.data(), ws.size());
121	54.0k	}
122
123		void CurveGFp_Montgomery::curve_mul_words(BigInt& z,
124		const word x_w[],
125		size_t x_size,
126		const BigInt& y,
127		secure_vector<word>& ws) const
128	26.3M	{
129	26.3M	BOTAN_DEBUG_ASSERT(y.sig_words() <= m_p_words);
130	26.3M
131	26.3M	if(ws.size() < get_ws_size())
132	0	ws.resize(get_ws_size());
133	26.3M
134	26.3M	const size_t output_size = 2*m_p_words + 2;
135	26.3M	if(z.size() < output_size)
136	1.73M	z.grow_to(output_size);
137	26.3M
138	26.3M	bigint_mul(z.mutable_data(), z.size(),
139	26.3M	x_w, x_size, std::min(m_p_words, x_size),
140	26.3M	y.data(), y.size(), std::min(m_p_words, y.size()),
141	26.3M	ws.data(), ws.size());
142	26.3M
143	26.3M	bigint_monty_redc(z.mutable_data(),
144	26.3M	m_p.data(), m_p_words, m_p_dash,
145	26.3M	ws.data(), ws.size());
146	26.3M	}
147
148		void CurveGFp_Montgomery::curve_sqr_words(BigInt& z,
149		const word x[],
150		size_t x_size,
151		secure_vector<word>& ws) const
152	18.1M	{
153	18.1M	if(ws.size() < get_ws_size())
154	51.9k	ws.resize(get_ws_size());
155	18.1M
156	18.1M	const size_t output_size = 2*m_p_words + 2;
157	18.1M	if(z.size() < output_size)
158	168k	z.grow_to(output_size);
159	18.1M
160	18.1M	bigint_sqr(z.mutable_data(), z.size(),
161	18.1M	x, x_size, std::min(m_p_words, x_size),
162	18.1M	ws.data(), ws.size());
163	18.1M
164	18.1M	bigint_monty_redc(z.mutable_data(),
165	18.1M	m_p.data(), m_p_words, m_p_dash,
166	18.1M	ws.data(), ws.size());
167	18.1M	}
168
169		class CurveGFp_NIST : public CurveGFp_Repr
170		{
171		public:
172		CurveGFp_NIST(size_t p_bits, const BigInt& a, const BigInt& b) :
173		m_1(1), m_a(a), m_b(b), m_p_words((p_bits + BOTAN_MP_WORD_BITS - 1) / BOTAN_MP_WORD_BITS)
174	665	{
175	665	// All Solinas prime curves are assumed a == -3
176	665	}
177
178	9.13M	bool a_is_zero() const override { return false; }
179	9.13M	bool a_is_minus_3() const override { return true; }
180
181	19.1k	const BigInt& get_a() const override { return m_a; }
182
183	19.1k	const BigInt& get_b() const override { return m_b; }
184
185	113k	const BigInt& get_1_rep() const override { return m_1; }
186
187	1.06M	size_t get_p_words() const override { return m_p_words; }
188
189	221M	size_t get_ws_size() const override { return 2*m_p_words + 4; }
190
191	33.0k	const BigInt& get_a_rep() const override { return m_a; }
192
193	45.2k	const BigInt& get_b_rep() const override { return m_b; }
194
195	112k	bool is_one(const BigInt& x) const override { return x == 1; }
196
197		void to_curve_rep(BigInt& x, secure_vector<word>& ws) const override
198	29.0k	{ redc_mod_p(x, ws); }
199
200		void from_curve_rep(BigInt& x, secure_vector<word>& ws) const override
201	190k	{ redc_mod_p(x, ws); }
202
203		virtual void redc_mod_p(BigInt& z, secure_vector<word>& ws) const = 0;
204
205		BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const override;
206
207		void curve_mul_words(BigInt& z,
208		const word x_words[],
209		const size_t x_size,
210		const BigInt& y,
211		secure_vector<word>& ws) const override;
212
213		void curve_mul_tmp(BigInt& x, const BigInt& y, BigInt& tmp, secure_vector<word>& ws) const
214	1.34M	{
215	1.34M	curve_mul(tmp, x, y, ws);
216	1.34M	x.swap(tmp);
217	1.34M	}
218
219		void curve_sqr_tmp(BigInt& x, BigInt& tmp, secure_vector<word>& ws) const
220	45.6M	{
221	45.6M	curve_sqr(tmp, x, ws);
222	45.6M	x.swap(tmp);
223	45.6M	}
224
225		void curve_sqr_words(BigInt& z,
226		const word x_words[],
227		size_t x_size,
228		secure_vector<word>& ws) const override;
229		private:
230		// Curve parameters
231		BigInt m_1;
232		BigInt m_a, m_b;
233		size_t m_p_words; // cache of m_p.sig_words()
234		};
235
236		BigInt CurveGFp_NIST::invert_element(const BigInt& x, secure_vector<word>& ws) const
237	407	{
238	407	BOTAN_UNUSED(ws);
239	407	return inverse_mod(x, get_p());
240	407	}
241
242		void CurveGFp_NIST::curve_mul_words(BigInt& z,
243		const word x_w[],
244		size_t x_size,
245		const BigInt& y,
246		secure_vector<word>& ws) const
247	101M	{
248	101M	BOTAN_DEBUG_ASSERT(y.sig_words() <= m_p_words);
249	101M
250	101M	if(ws.size() < get_ws_size())
251	0	ws.resize(get_ws_size());
252	101M
253	101M	const size_t output_size = 2*m_p_words + 2;
254	101M	if(z.size() < output_size)
255	28.6M	z.grow_to(output_size);
256	101M
257	101M	bigint_mul(z.mutable_data(), z.size(),
258	101M	x_w, x_size, std::min(m_p_words, x_size),
259	101M	y.data(), y.size(), std::min(m_p_words, y.size()),
260	101M	ws.data(), ws.size());
261	101M
262	101M	this->redc_mod_p(z, ws);
263	101M	}
264
265		void CurveGFp_NIST::curve_sqr_words(BigInt& z, const word x[], size_t x_size,
266		secure_vector<word>& ws) const
267	104M	{
268	104M	if(ws.size() < get_ws_size())
269	185k	ws.resize(get_ws_size());
270	104M
271	104M	const size_t output_size = 2*m_p_words + 2;
272	104M	if(z.size() < output_size)
273	41.5M	z.grow_to(output_size);
274	104M
275	104M	bigint_sqr(z.mutable_data(), output_size,
276	104M	x, x_size, std::min(m_p_words, x_size),
277	104M	ws.data(), ws.size());
278	104M
279	104M	this->redc_mod_p(z, ws);
280	104M	}
281
282		/**
283		* The NIST P-192 curve
284		*/
285		class CurveGFp_P192 final : public CurveGFp_NIST
286		{
287		public:
288	25	CurveGFp_P192(const BigInt& a, const BigInt& b) : CurveGFp_NIST(192, a, b) {}
289	23.3k	const BigInt& get_p() const override { return prime_p192(); }
290		private:
291	375k	void redc_mod_p(BigInt& x, secure_vector<word>& ws) const override { redc_p192(x, ws); }
292		};
293
294		/**
295		* The NIST P-224 curve
296		*/
297		class CurveGFp_P224 final : public CurveGFp_NIST
298		{
299		public:
300	261	CurveGFp_P224(const BigInt& a, const BigInt& b) : CurveGFp_NIST(224, a, b) {}
301	290k	const BigInt& get_p() const override { return prime_p224(); }
302		private:
303	4.83M	void redc_mod_p(BigInt& x, secure_vector<word>& ws) const override { redc_p224(x, ws); }
304		};
305
306		/**
307		* The NIST P-256 curve
308		*/
309		class CurveGFp_P256 final : public CurveGFp_NIST
310		{
311		public:
312	18	CurveGFp_P256(const BigInt& a, const BigInt& b) : CurveGFp_NIST(256, a, b) {}
313	2.90M	const BigInt& get_p() const override { return prime_p256(); }
314		private:
315	38.1M	void redc_mod_p(BigInt& x, secure_vector<word>& ws) const override { redc_p256(x, ws); }
316		BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const override;
317		};
318
319		BigInt CurveGFp_P256::invert_element(const BigInt& x, secure_vector<word>& ws) const
320	32.3k	{
321	32.3k	BigInt r, p2, p4, p8, p16, p32, tmp;
322	32.3k
323	32.3k	curve_sqr(r, x, ws);
324	32.3k
325	32.3k	curve_mul(p2, r, x, ws);
326	32.3k	curve_sqr(r, p2, ws);
327	32.3k	curve_sqr_tmp(r, tmp, ws);
328	32.3k
329	32.3k	curve_mul(p4, r, p2, ws);
330	32.3k
331	32.3k	curve_sqr(r, p4, ws);
332	129k	for(size_t i = 0; i != 3; ++i)
333	96.9k	curve_sqr_tmp(r, tmp, ws);
334	32.3k	curve_mul(p8, r, p4, ws);
335	32.3k
336	32.3k	curve_sqr(r, p8, ws);
337	258k	for(size_t i = 0; i != 7; ++i)
338	226k	curve_sqr_tmp(r, tmp, ws);
339	32.3k	curve_mul(p16, r, p8, ws);
340	32.3k
341	32.3k	curve_sqr(r, p16, ws);
342	517k	for(size_t i = 0; i != 15; ++i)
343	484k	curve_sqr_tmp(r, tmp, ws);
344	32.3k	curve_mul(p32, r, p16, ws);
345	32.3k
346	32.3k	curve_sqr(r, p32, ws);
347	1.03M	for(size_t i = 0; i != 31; ++i)
348	1.00M	curve_sqr_tmp(r, tmp, ws);
349	32.3k	curve_mul_tmp(r, x, tmp, ws);
350	32.3k
351	4.17M	for(size_t i = 0; i != 32*4; ++i)
352	4.13M	curve_sqr_tmp(r, tmp, ws);
353	32.3k	curve_mul_tmp(r, p32, tmp, ws);
354	32.3k
355	1.06M	for(size_t i = 0; i != 32; ++i)
356	1.03M	curve_sqr_tmp(r, tmp, ws);
357	32.3k	curve_mul_tmp(r, p32, tmp, ws);
358	32.3k
359	549k	for(size_t i = 0; i != 16; ++i)
360	517k	curve_sqr_tmp(r, tmp, ws);
361	32.3k	curve_mul_tmp(r, p16, tmp, ws);
362	290k	for(size_t i = 0; i != 8; ++i)
363	258k	curve_sqr_tmp(r, tmp, ws);
364	32.3k	curve_mul_tmp(r, p8, tmp, ws);
365	32.3k
366	161k	for(size_t i = 0; i != 4; ++i)
367	129k	curve_sqr_tmp(r, tmp, ws);
368	32.3k	curve_mul_tmp(r, p4, tmp, ws);
369	32.3k
370	96.9k	for(size_t i = 0; i != 2; ++i)
371	64.6k	curve_sqr_tmp(r, tmp, ws);
372	32.3k	curve_mul_tmp(r, p2, tmp, ws);
373	32.3k
374	96.9k	for(size_t i = 0; i != 2; ++i)
375	64.6k	curve_sqr_tmp(r, tmp, ws);
376	32.3k	curve_mul_tmp(r, x, tmp, ws);
377	32.3k
378	32.3k	return r;
379	32.3k	}
380
381		/**
382		* The NIST P-384 curve
383		*/
384		class CurveGFp_P384 final : public CurveGFp_NIST
385		{
386		public:
387	88	CurveGFp_P384(const BigInt& a, const BigInt& b) : CurveGFp_NIST(384, a, b) {}
388	3.83M	const BigInt& get_p() const override { return prime_p384(); }
389		private:
390	52.3M	void redc_mod_p(BigInt& x, secure_vector<word>& ws) const override { redc_p384(x, ws); }
391		BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const override;
392		};
393
394		BigInt CurveGFp_P384::invert_element(const BigInt& x, secure_vector<word>& ws) const
395	32.3k	{
396	32.3k	// From https://briansmith.org/ecc-inversion-addition-chains-01
397	32.3k
398	32.3k	BigInt r, x2, x3, x15, x30, tmp, rl;
399	32.3k
400	32.3k	r = x;
401	32.3k	curve_sqr_tmp(r, tmp, ws);
402	32.3k	curve_mul_tmp(r, x, tmp, ws);
403	32.3k	x2 = r;
404	32.3k
405	32.3k	curve_sqr_tmp(r, tmp, ws);
406	32.3k	curve_mul_tmp(r, x, tmp, ws);
407	32.3k
408	32.3k	x3 = r;
409	32.3k
410	129k	for(size_t i = 0; i != 3; ++i)
411	97.0k	curve_sqr_tmp(r, tmp, ws);
412	32.3k	curve_mul_tmp(r, x3, tmp, ws);
413	32.3k
414	32.3k	rl = r;
415	226k	for(size_t i = 0; i != 6; ++i)
416	194k	curve_sqr_tmp(r, tmp, ws);
417	32.3k	curve_mul_tmp(r, rl, tmp, ws);
418	32.3k
419	129k	for(size_t i = 0; i != 3; ++i)
420	97.0k	curve_sqr_tmp(r, tmp, ws);
421	32.3k	curve_mul_tmp(r, x3, tmp, ws);
422	32.3k
423	32.3k	x15 = r;
424	517k	for(size_t i = 0; i != 15; ++i)
425	485k	curve_sqr_tmp(r, tmp, ws);
426	32.3k	curve_mul_tmp(r, x15, tmp, ws);
427	32.3k
428	32.3k	x30 = r;
429	1.00M	for(size_t i = 0; i != 30; ++i)
430	970k	curve_sqr_tmp(r, tmp, ws);
431	32.3k	curve_mul_tmp(r, x30, tmp, ws);
432	32.3k
433	32.3k	rl = r;
434	1.97M	for(size_t i = 0; i != 60; ++i)
435	1.94M	curve_sqr_tmp(r, tmp, ws);
436	32.3k	curve_mul_tmp(r, rl, tmp, ws);
437	32.3k
438	32.3k	rl = r;
439	3.91M	for(size_t i = 0; i != 120; ++i)
440	3.88M	curve_sqr_tmp(r, tmp, ws);
441	32.3k	curve_mul_tmp(r, rl, tmp, ws);
442	32.3k
443	517k	for(size_t i = 0; i != 15; ++i)
444	485k	curve_sqr_tmp(r, tmp, ws);
445	32.3k	curve_mul_tmp(r, x15, tmp, ws);
446	32.3k
447	1.03M	for(size_t i = 0; i != 31; ++i)
448	1.00M	curve_sqr_tmp(r, tmp, ws);
449	32.3k	curve_mul_tmp(r, x30, tmp, ws);
450	32.3k
451	97.0k	for(size_t i = 0; i != 2; ++i)
452	64.7k	curve_sqr_tmp(r, tmp, ws);
453	32.3k	curve_mul_tmp(r, x2, tmp, ws);
454	32.3k
455	3.07M	for(size_t i = 0; i != 94; ++i)
456	3.04M	curve_sqr_tmp(r, tmp, ws);
457	32.3k	curve_mul_tmp(r, x30, tmp, ws);
458	32.3k
459	97.0k	for(size_t i = 0; i != 2; ++i)
460	64.7k	curve_sqr_tmp(r, tmp, ws);
461	32.3k
462	32.3k	curve_mul_tmp(r, x, tmp, ws);
463	32.3k
464	32.3k	return r;
465	32.3k	}
466
467		/**
468		* The NIST P-521 curve
469		*/
470		class CurveGFp_P521 final : public CurveGFp_NIST
471		{
472		public:
473	273	CurveGFp_P521(const BigInt& a, const BigInt& b) : CurveGFp_NIST(521, a, b) {}
474	8.04M	const BigInt& get_p() const override { return prime_p521(); }
475		private:
476	110M	void redc_mod_p(BigInt& x, secure_vector<word>& ws) const override { redc_p521(x, ws); }
477		BigInt invert_element(const BigInt& x, secure_vector<word>& ws) const override;
478		};
479
480		BigInt CurveGFp_P521::invert_element(const BigInt& x, secure_vector<word>& ws) const
481	48.5k	{
482	48.5k	// Addition chain from https://eprint.iacr.org/2014/852.pdf section
483	48.5k
484	48.5k	BigInt r;
485	48.5k	BigInt rl;
486	48.5k	BigInt a7;
487	48.5k	BigInt tmp;
488	48.5k
489	48.5k	curve_sqr(r, x, ws);
490	48.5k	curve_mul_tmp(r, x, tmp, ws);
491	48.5k
492	48.5k	curve_sqr_tmp(r, tmp, ws);
493	48.5k	curve_mul_tmp(r, x, tmp, ws);
494	48.5k
495	48.5k	rl = r;
496	48.5k
497	194k	for(size_t i = 0; i != 3; ++i)
498	145k	curve_sqr_tmp(r, tmp, ws);
499	48.5k	curve_mul_tmp(r, rl, tmp, ws);
500	48.5k
501	48.5k	curve_sqr_tmp(r, tmp, ws);
502	48.5k	curve_mul_tmp(r, x, tmp, ws);
503	48.5k	a7 = r; // need this value later
504	48.5k
505	48.5k	curve_sqr_tmp(r, tmp, ws);
506	48.5k	curve_mul_tmp(r, x, tmp, ws);
507	48.5k
508	48.5k	rl = r;
509	437k	for(size_t i = 0; i != 8; ++i)
510	388k	curve_sqr_tmp(r, tmp, ws);
511	48.5k	curve_mul_tmp(r, rl, tmp, ws);
512	48.5k
513	48.5k	rl = r;
514	825k	for(size_t i = 0; i != 16; ++i)
515	777k	curve_sqr_tmp(r, tmp, ws);
516	48.5k	curve_mul_tmp(r, rl, tmp, ws);
517	48.5k
518	48.5k	rl = r;
519	1.60M	for(size_t i = 0; i != 32; ++i)
520	1.55M	curve_sqr_tmp(r, tmp, ws);
521	48.5k	curve_mul_tmp(r, rl, tmp, ws);
522	48.5k
523	48.5k	rl = r;
524	3.15M	for(size_t i = 0; i != 64; ++i)
525	3.10M	curve_sqr_tmp(r, tmp, ws);
526	48.5k	curve_mul_tmp(r, rl, tmp, ws);
527	48.5k
528	48.5k	rl = r;
529	6.26M	for(size_t i = 0; i != 128; ++i)
530	6.21M	curve_sqr_tmp(r, tmp, ws);
531	48.5k	curve_mul_tmp(r, rl, tmp, ws);
532	48.5k
533	48.5k	rl = r;
534	12.4M	for(size_t i = 0; i != 256; ++i)
535	12.4M	curve_sqr_tmp(r, tmp, ws);
536	48.5k	curve_mul_tmp(r, rl, tmp, ws);
537	48.5k
538	388k	for(size_t i = 0; i != 7; ++i)
539	340k	curve_sqr_tmp(r, tmp, ws);
540	48.5k	curve_mul_tmp(r, a7, tmp, ws);
541	48.5k
542	145k	for(size_t i = 0; i != 2; ++i)
543	97.1k	curve_sqr_tmp(r, tmp, ws);
544	48.5k	curve_mul_tmp(r, x, tmp, ws);
545	48.5k
546	48.5k	return r;
547	48.5k	}
548
549		}
550
551		std::shared_ptr<CurveGFp_Repr>
552		CurveGFp::choose_repr(const BigInt& p, const BigInt& a, const BigInt& b)
553	1.28k	{
554	1.28k	if(p == prime_p192())
555	25	return std::shared_ptr<CurveGFp_Repr>(new CurveGFp_P192(a, b));
556	1.26k	if(p == prime_p224())
557	261	return std::shared_ptr<CurveGFp_Repr>(new CurveGFp_P224(a, b));
558	999	if(p == prime_p256())
559	18	return std::shared_ptr<CurveGFp_Repr>(new CurveGFp_P256(a, b));
560	981	if(p == prime_p384())
561	88	return std::shared_ptr<CurveGFp_Repr>(new CurveGFp_P384(a, b));
562	893	if(p == prime_p521())
563	273	return std::shared_ptr<CurveGFp_Repr>(new CurveGFp_P521(a, b));
564	620
565	620	return std::shared_ptr<CurveGFp_Repr>(new CurveGFp_Montgomery(p, a, b));
566	620	}
567
568		}