/src/nss/lib/freebl/ecl/ecp_aff.c

Source (jump to first uncovered line)
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "ecp.h"
#include "mplogic.h"
#include <stdlib.h>

/* Checks if point P(px, py) is at infinity.  Uses affine coordinates. */
mp_err
ec_GFp_pt_is_inf_aff(const mp_int *px, const mp_int *py)
{

    if ((mp_cmp_z(px) == 0) && (mp_cmp_z(py) == 0)) {
        return MP_YES;
    } else {
        return MP_NO;
    }
}

/* Sets P(px, py) to be the point at infinity.  Uses affine coordinates. */
mp_err
ec_GFp_pt_set_inf_aff(mp_int *px, mp_int *py)
{
    mp_zero(px);
    mp_zero(py);
    return MP_OKAY;
}

/* Computes R = P + Q based on IEEE P1363 A.10.1. Elliptic curve points P,
 * Q, and R can all be identical. Uses affine coordinates. Assumes input
 * is already field-encoded using field_enc, and returns output that is
 * still field-encoded. */
mp_err
ec_GFp_pt_add_aff(const mp_int *px, const mp_int *py, const mp_int *qx,
                  const mp_int *qy, mp_int *rx, mp_int *ry,
                  const ECGroup *group)
{
    mp_err res = MP_OKAY;
    mp_int lambda, temp, tempx, tempy;

    MP_DIGITS(&lambda) = 0;
    MP_DIGITS(&temp) = 0;
    MP_DIGITS(&tempx) = 0;
    MP_DIGITS(&tempy) = 0;
    MP_CHECKOK(mp_init(&lambda));
    MP_CHECKOK(mp_init(&temp));
    MP_CHECKOK(mp_init(&tempx));
    MP_CHECKOK(mp_init(&tempy));
    /* if P = inf, then R = Q */
    if (ec_GFp_pt_is_inf_aff(px, py) == 0) {
        MP_CHECKOK(mp_copy(qx, rx));
        MP_CHECKOK(mp_copy(qy, ry));
        res = MP_OKAY;
        goto CLEANUP;
    }
    /* if Q = inf, then R = P */
    if (ec_GFp_pt_is_inf_aff(qx, qy) == 0) {
        MP_CHECKOK(mp_copy(px, rx));
        MP_CHECKOK(mp_copy(py, ry));
        res = MP_OKAY;
        goto CLEANUP;
    }
    /* if px != qx, then lambda = (py-qy) / (px-qx) */
    if (mp_cmp(px, qx) != 0) {
        MP_CHECKOK(group->meth->field_sub(py, qy, &tempy, group->meth));
        MP_CHECKOK(group->meth->field_sub(px, qx, &tempx, group->meth));
        MP_CHECKOK(group->meth->field_div(&tempy, &tempx, &lambda, group->meth));
    } else {
        /* if py != qy or qy = 0, then R = inf */
        if (((mp_cmp(py, qy) != 0)) || (mp_cmp_z(qy) == 0)) {
            mp_zero(rx);
            mp_zero(ry);
            res = MP_OKAY;
            goto CLEANUP;
        }
        /* lambda = (3qx^2+a) / (2qy) */
        MP_CHECKOK(group->meth->field_sqr(qx, &tempx, group->meth));
        MP_CHECKOK(mp_set_int(&temp, 3));
        if (group->meth->field_enc) {
            MP_CHECKOK(group->meth->field_enc(&temp, &temp, group->meth));
        }
        MP_CHECKOK(group->meth->field_mul(&tempx, &temp, &tempx, group->meth));
        MP_CHECKOK(group->meth->field_add(&tempx, &group->curvea, &tempx, group->meth));
        MP_CHECKOK(mp_set_int(&temp, 2));
        if (group->meth->field_enc) {
            MP_CHECKOK(group->meth->field_enc(&temp, &temp, group->meth));
        }
        MP_CHECKOK(group->meth->field_mul(qy, &temp, &tempy, group->meth));
        MP_CHECKOK(group->meth->field_div(&tempx, &tempy, &lambda, group->meth));
    }
    /* rx = lambda^2 - px - qx */
    MP_CHECKOK(group->meth->field_sqr(&lambda, &tempx, group->meth));
    MP_CHECKOK(group->meth->field_sub(&tempx, px, &tempx, group->meth));
    MP_CHECKOK(group->meth->field_sub(&tempx, qx, &tempx, group->meth));
    /* ry = (x1-x2) * lambda - y1 */
    MP_CHECKOK(group->meth->field_sub(qx, &tempx, &tempy, group->meth));
    MP_CHECKOK(group->meth->field_mul(&tempy, &lambda, &tempy, group->meth));
    MP_CHECKOK(group->meth->field_sub(&tempy, qy, &tempy, group->meth));
    MP_CHECKOK(mp_copy(&tempx, rx));
    MP_CHECKOK(mp_copy(&tempy, ry));

CLEANUP:
    mp_clear(&lambda);
    mp_clear(&temp);
    mp_clear(&tempx);
    mp_clear(&tempy);
    return res;
}

/* Computes R = P - Q. Elliptic curve points P, Q, and R can all be
 * identical. Uses affine coordinates. Assumes input is already
 * field-encoded using field_enc, and returns output that is still
 * field-encoded. */
mp_err
ec_GFp_pt_sub_aff(const mp_int *px, const mp_int *py, const mp_int *qx,
                  const mp_int *qy, mp_int *rx, mp_int *ry,
                  const ECGroup *group)
{
    mp_err res = MP_OKAY;
    mp_int nqy;

    MP_DIGITS(&nqy) = 0;
    MP_CHECKOK(mp_init(&nqy));
    /* nqy = -qy */
    MP_CHECKOK(group->meth->field_neg(qy, &nqy, group->meth));
    res = group->point_add(px, py, qx, &nqy, rx, ry, group);
CLEANUP:
    mp_clear(&nqy);
    return res;
}

/* Computes R = 2P. Elliptic curve points P and R can be identical. Uses
 * affine coordinates. Assumes input is already field-encoded using
 * field_enc, and returns output that is still field-encoded. */
mp_err
ec_GFp_pt_dbl_aff(const mp_int *px, const mp_int *py, mp_int *rx,
                  mp_int *ry, const ECGroup *group)
{
    return ec_GFp_pt_add_aff(px, py, px, py, rx, ry, group);
}

/* by default, this routine is unused and thus doesn't need to be compiled */
#ifdef ECL_ENABLE_GFP_PT_MUL_AFF
/* Computes R = nP based on IEEE P1363 A.10.3. Elliptic curve points P and
 * R can be identical. Uses affine coordinates. Assumes input is already
 * field-encoded using field_enc, and returns output that is still
 * field-encoded. */
mp_err
ec_GFp_pt_mul_aff(const mp_int *n, const mp_int *px, const mp_int *py,
                  mp_int *rx, mp_int *ry, const ECGroup *group)
{
    mp_err res = MP_OKAY;
    mp_int k, k3, qx, qy, sx, sy;
    int b1, b3, i, l;

    MP_DIGITS(&k) = 0;
    MP_DIGITS(&k3) = 0;
    MP_DIGITS(&qx) = 0;
    MP_DIGITS(&qy) = 0;
    MP_DIGITS(&sx) = 0;
    MP_DIGITS(&sy) = 0;
    MP_CHECKOK(mp_init(&k));
    MP_CHECKOK(mp_init(&k3));
    MP_CHECKOK(mp_init(&qx));
    MP_CHECKOK(mp_init(&qy));
    MP_CHECKOK(mp_init(&sx));
    MP_CHECKOK(mp_init(&sy));

    /* if n = 0 then r = inf */
    if (mp_cmp_z(n) == 0) {
        mp_zero(rx);
        mp_zero(ry);
        res = MP_OKAY;
        goto CLEANUP;
    }
    /* Q = P, k = n */
    MP_CHECKOK(mp_copy(px, &qx));
    MP_CHECKOK(mp_copy(py, &qy));
    MP_CHECKOK(mp_copy(n, &k));
    /* if n < 0 then Q = -Q, k = -k */
    if (mp_cmp_z(n) < 0) {
        MP_CHECKOK(group->meth->field_neg(&qy, &qy, group->meth));
        MP_CHECKOK(mp_neg(&k, &k));
    }
#ifdef ECL_DEBUG /* basic double and add method */
    l = mpl_significant_bits(&k) - 1;
    MP_CHECKOK(mp_copy(&qx, &sx));
    MP_CHECKOK(mp_copy(&qy, &sy));
    for (i = l - 1; i >= 0; i--) {
        /* S = 2S */
        MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group));
        /* if k_i = 1, then S = S + Q */
        if (mpl_get_bit(&k, i) != 0) {
            MP_CHECKOK(group->point_add(&sx, &sy, &qx, &qy, &sx, &sy, group));
        }
    }
#else /* double and add/subtract method from \
       * standard */
    /* k3 = 3 * k */
    MP_CHECKOK(mp_set_int(&k3, 3));
    MP_CHECKOK(mp_mul(&k, &k3, &k3));
    /* S = Q */
    MP_CHECKOK(mp_copy(&qx, &sx));
    MP_CHECKOK(mp_copy(&qy, &sy));
    /* l = index of high order bit in binary representation of 3*k */
    l = mpl_significant_bits(&k3) - 1;
    /* for i = l-1 downto 1 */
    for (i = l - 1; i >= 1; i--) {
        /* S = 2S */
        MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group));
        b3 = MP_GET_BIT(&k3, i);
        b1 = MP_GET_BIT(&k, i);
        /* if k3_i = 1 and k_i = 0, then S = S + Q */
        if ((b3 == 1) && (b1 == 0)) {
            MP_CHECKOK(group->point_add(&sx, &sy, &qx, &qy, &sx, &sy, group));
            /* if k3_i = 0 and k_i = 1, then S = S - Q */
        } else if ((b3 == 0) && (b1 == 1)) {
            MP_CHECKOK(group->point_sub(&sx, &sy, &qx, &qy, &sx, &sy, group));
        }
    }
#endif
    /* output S */
    MP_CHECKOK(mp_copy(&sx, rx));
    MP_CHECKOK(mp_copy(&sy, ry));

CLEANUP:
    mp_clear(&k);
    mp_clear(&k3);
    mp_clear(&qx);
    mp_clear(&qy);
    mp_clear(&sx);
    mp_clear(&sy);
    return res;
}
#endif

/* Validates a point on a GFp curve. */
mp_err
ec_GFp_validate_point(const mp_int *px, const mp_int *py, const ECGroup *group)
{
    mp_err res = MP_NO;
    mp_int accl, accr, tmp, pxt, pyt;

    MP_DIGITS(&accl) = 0;
    MP_DIGITS(&accr) = 0;
    MP_DIGITS(&tmp) = 0;
    MP_DIGITS(&pxt) = 0;
    MP_DIGITS(&pyt) = 0;
    MP_CHECKOK(mp_init(&accl));
    MP_CHECKOK(mp_init(&accr));
    MP_CHECKOK(mp_init(&tmp));
    MP_CHECKOK(mp_init(&pxt));
    MP_CHECKOK(mp_init(&pyt));

    /* 1: Verify that publicValue is not the point at infinity */
    if (ec_GFp_pt_is_inf_aff(px, py) == MP_YES) {
        res = MP_NO;
        goto CLEANUP;
    }
    /* 2: Verify that the coordinates of publicValue are elements
     *    of the field.
     */
    if ((MP_SIGN(px) == MP_NEG) || (mp_cmp(px, &group->meth->irr) >= 0) ||
        (MP_SIGN(py) == MP_NEG) || (mp_cmp(py, &group->meth->irr) >= 0)) {
        res = MP_NO;
        goto CLEANUP;
    }
    /* 3: Verify that publicValue is on the curve. */
    if (group->meth->field_enc) {
        group->meth->field_enc(px, &pxt, group->meth);
        group->meth->field_enc(py, &pyt, group->meth);
    } else {
        MP_CHECKOK(mp_copy(px, &pxt));
        MP_CHECKOK(mp_copy(py, &pyt));
    }
    /* left-hand side: y^2  */
    MP_CHECKOK(group->meth->field_sqr(&pyt, &accl, group->meth));
    /* right-hand side: x^3 + a*x + b = (x^2 + a)*x + b by Horner's rule */
    MP_CHECKOK(group->meth->field_sqr(&pxt, &tmp, group->meth));
    MP_CHECKOK(group->meth->field_add(&tmp, &group->curvea, &tmp, group->meth));
    MP_CHECKOK(group->meth->field_mul(&tmp, &pxt, &accr, group->meth));
    MP_CHECKOK(group->meth->field_add(&accr, &group->curveb, &accr, group->meth));
    /* check LHS - RHS == 0 */
    MP_CHECKOK(group->meth->field_sub(&accl, &accr, &accr, group->meth));
    if (mp_cmp_z(&accr) != 0) {
        res = MP_NO;
        goto CLEANUP;
    }
    /* 4: Verify that the order of the curve times the publicValue
     *    is the point at infinity.
     */
    MP_CHECKOK(ECPoint_mul(group, &group->order, px, py, &pxt, &pyt));
    if (ec_GFp_pt_is_inf_aff(&pxt, &pyt) != MP_YES) {
        res = MP_NO;
        goto CLEANUP;
    }

    res = MP_YES;

CLEANUP:
    mp_clear(&accl);
    mp_clear(&accr);
    mp_clear(&tmp);
    mp_clear(&pxt);
    mp_clear(&pyt);
    return res;
}

Coverage Report

Created: 2024-02-25 06:31

Line	Count	Source (jump to first uncovered line)
1		/* This Source Code Form is subject to the terms of the Mozilla Public
2		* License, v. 2.0. If a copy of the MPL was not distributed with this
3		* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5		#include "ecp.h"
6		#include "mplogic.h"
7		#include <stdlib.h>
8
9		/* Checks if point P(px, py) is at infinity. Uses affine coordinates. */
10		mp_err
11		ec_GFp_pt_is_inf_aff(const mp_int px, const mp_int py)
12	33.6k	{
13
14	33.6k	if ((mp_cmp_z(px) == 0) && (mp_cmp_z(py) == 0)) {
15	14.2k	return MP_YES;
16	19.4k	} else {
17	19.4k	return MP_NO;
18	19.4k	}
19	33.6k	}
20
21		/* Sets P(px, py) to be the point at infinity. Uses affine coordinates. */
22		mp_err
23		ec_GFp_pt_set_inf_aff(mp_int px, mp_int py)
24	0	{
25	0	mp_zero(px);
26	0	mp_zero(py);
27	0	return MP_OKAY;
28	0	}
29
30		/* Computes R = P + Q based on IEEE P1363 A.10.1. Elliptic curve points P,
31		* Q, and R can all be identical. Uses affine coordinates. Assumes input
32		* is already field-encoded using field_enc, and returns output that is
33		* still field-encoded. */
34		mp_err
35		ec_GFp_pt_add_aff(const mp_int px, const mp_int py, const mp_int *qx,
36		const mp_int qy, mp_int rx, mp_int *ry,
37		const ECGroup *group)
38	0	{
39	0	mp_err res = MP_OKAY;
40	0	mp_int lambda, temp, tempx, tempy;
41
42	0	MP_DIGITS(&lambda) = 0;
43	0	MP_DIGITS(&temp) = 0;
44	0	MP_DIGITS(&tempx) = 0;
45	0	MP_DIGITS(&tempy) = 0;
46	0	MP_CHECKOK(mp_init(&lambda));
47	0	MP_CHECKOK(mp_init(&temp));
48	0	MP_CHECKOK(mp_init(&tempx));
49	0	MP_CHECKOK(mp_init(&tempy));
50		/* if P = inf, then R = Q */
51	0	if (ec_GFp_pt_is_inf_aff(px, py) == 0) {
52	0	MP_CHECKOK(mp_copy(qx, rx));
53	0	MP_CHECKOK(mp_copy(qy, ry));
54	0	res = MP_OKAY;
55	0	goto CLEANUP;
56	0	}
57		/* if Q = inf, then R = P */
58	0	if (ec_GFp_pt_is_inf_aff(qx, qy) == 0) {
59	0	MP_CHECKOK(mp_copy(px, rx));
60	0	MP_CHECKOK(mp_copy(py, ry));
61	0	res = MP_OKAY;
62	0	goto CLEANUP;
63	0	}
64		/* if px != qx, then lambda = (py-qy) / (px-qx) */
65	0	if (mp_cmp(px, qx) != 0) {
66	0	MP_CHECKOK(group->meth->field_sub(py, qy, &tempy, group->meth));
67	0	MP_CHECKOK(group->meth->field_sub(px, qx, &tempx, group->meth));
68	0	MP_CHECKOK(group->meth->field_div(&tempy, &tempx, &lambda, group->meth));
69	0	} else {
70		/* if py != qy or qy = 0, then R = inf */
71	0	if (((mp_cmp(py, qy) != 0)) \|\| (mp_cmp_z(qy) == 0)) {
72	0	mp_zero(rx);
73	0	mp_zero(ry);
74	0	res = MP_OKAY;
75	0	goto CLEANUP;
76	0	}
77		/* lambda = (3qx^2+a) / (2qy) */
78	0	MP_CHECKOK(group->meth->field_sqr(qx, &tempx, group->meth));
79	0	MP_CHECKOK(mp_set_int(&temp, 3));
80	0	if (group->meth->field_enc) {
81	0	MP_CHECKOK(group->meth->field_enc(&temp, &temp, group->meth));
82	0	}
83	0	MP_CHECKOK(group->meth->field_mul(&tempx, &temp, &tempx, group->meth));
84	0	MP_CHECKOK(group->meth->field_add(&tempx, &group->curvea, &tempx, group->meth));
85	0	MP_CHECKOK(mp_set_int(&temp, 2));
86	0	if (group->meth->field_enc) {
87	0	MP_CHECKOK(group->meth->field_enc(&temp, &temp, group->meth));
88	0	}
89	0	MP_CHECKOK(group->meth->field_mul(qy, &temp, &tempy, group->meth));
90	0	MP_CHECKOK(group->meth->field_div(&tempx, &tempy, &lambda, group->meth));
91	0	}
92		/* rx = lambda^2 - px - qx */
93	0	MP_CHECKOK(group->meth->field_sqr(&lambda, &tempx, group->meth));
94	0	MP_CHECKOK(group->meth->field_sub(&tempx, px, &tempx, group->meth));
95	0	MP_CHECKOK(group->meth->field_sub(&tempx, qx, &tempx, group->meth));
96		/* ry = (x1-x2) * lambda - y1 */
97	0	MP_CHECKOK(group->meth->field_sub(qx, &tempx, &tempy, group->meth));
98	0	MP_CHECKOK(group->meth->field_mul(&tempy, &lambda, &tempy, group->meth));
99	0	MP_CHECKOK(group->meth->field_sub(&tempy, qy, &tempy, group->meth));
100	0	MP_CHECKOK(mp_copy(&tempx, rx));
101	0	MP_CHECKOK(mp_copy(&tempy, ry));
102
103	0	CLEANUP:
104	0	mp_clear(&lambda);
105	0	mp_clear(&temp);
106	0	mp_clear(&tempx);
107	0	mp_clear(&tempy);
108	0	return res;
109	0	}
110
111		/* Computes R = P - Q. Elliptic curve points P, Q, and R can all be
112		* identical. Uses affine coordinates. Assumes input is already
113		* field-encoded using field_enc, and returns output that is still
114		* field-encoded. */
115		mp_err
116		ec_GFp_pt_sub_aff(const mp_int px, const mp_int py, const mp_int *qx,
117		const mp_int qy, mp_int rx, mp_int *ry,
118		const ECGroup *group)
119	0	{
120	0	mp_err res = MP_OKAY;
121	0	mp_int nqy;
122
123	0	MP_DIGITS(&nqy) = 0;
124	0	MP_CHECKOK(mp_init(&nqy));
125		/* nqy = -qy */
126	0	MP_CHECKOK(group->meth->field_neg(qy, &nqy, group->meth));
127	0	res = group->point_add(px, py, qx, &nqy, rx, ry, group);
128	0	CLEANUP:
129	0	mp_clear(&nqy);
130	0	return res;
131	0	}
132
133		/* Computes R = 2P. Elliptic curve points P and R can be identical. Uses
134		* affine coordinates. Assumes input is already field-encoded using
135		* field_enc, and returns output that is still field-encoded. */
136		mp_err
137		ec_GFp_pt_dbl_aff(const mp_int px, const mp_int py, mp_int *rx,
138		mp_int ry, const ECGroup group)
139	0	{
140	0	return ec_GFp_pt_add_aff(px, py, px, py, rx, ry, group);
141	0	}
142
143		/* by default, this routine is unused and thus doesn't need to be compiled */
144		#ifdef ECL_ENABLE_GFP_PT_MUL_AFF
145		/* Computes R = nP based on IEEE P1363 A.10.3. Elliptic curve points P and
146		* R can be identical. Uses affine coordinates. Assumes input is already
147		* field-encoded using field_enc, and returns output that is still
148		* field-encoded. */
149		mp_err
150		ec_GFp_pt_mul_aff(const mp_int n, const mp_int px, const mp_int *py,
151		mp_int rx, mp_int ry, const ECGroup *group)
152		{
153		mp_err res = MP_OKAY;
154		mp_int k, k3, qx, qy, sx, sy;
155		int b1, b3, i, l;
156
157		MP_DIGITS(&k) = 0;
158		MP_DIGITS(&k3) = 0;
159		MP_DIGITS(&qx) = 0;
160		MP_DIGITS(&qy) = 0;
161		MP_DIGITS(&sx) = 0;
162		MP_DIGITS(&sy) = 0;
163		MP_CHECKOK(mp_init(&k));
164		MP_CHECKOK(mp_init(&k3));
165		MP_CHECKOK(mp_init(&qx));
166		MP_CHECKOK(mp_init(&qy));
167		MP_CHECKOK(mp_init(&sx));
168		MP_CHECKOK(mp_init(&sy));
169
170		/* if n = 0 then r = inf */
171		if (mp_cmp_z(n) == 0) {
172		mp_zero(rx);
173		mp_zero(ry);
174		res = MP_OKAY;
175		goto CLEANUP;
176		}
177		/* Q = P, k = n */
178		MP_CHECKOK(mp_copy(px, &qx));
179		MP_CHECKOK(mp_copy(py, &qy));
180		MP_CHECKOK(mp_copy(n, &k));
181		/* if n < 0 then Q = -Q, k = -k */
182		if (mp_cmp_z(n) < 0) {
183		MP_CHECKOK(group->meth->field_neg(&qy, &qy, group->meth));
184		MP_CHECKOK(mp_neg(&k, &k));
185		}
186		#ifdef ECL_DEBUG /* basic double and add method */
187		l = mpl_significant_bits(&k) - 1;
188		MP_CHECKOK(mp_copy(&qx, &sx));
189		MP_CHECKOK(mp_copy(&qy, &sy));
190		for (i = l - 1; i >= 0; i--) {
191		/* S = 2S */
192		MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group));
193		/* if k_i = 1, then S = S + Q */
194		if (mpl_get_bit(&k, i) != 0) {
195		MP_CHECKOK(group->point_add(&sx, &sy, &qx, &qy, &sx, &sy, group));
196		}
197		}
198		#else /* double and add/subtract method from \
199		* standard */
200		/* k3 = 3 * k */
201		MP_CHECKOK(mp_set_int(&k3, 3));
202		MP_CHECKOK(mp_mul(&k, &k3, &k3));
203		/* S = Q */
204		MP_CHECKOK(mp_copy(&qx, &sx));
205		MP_CHECKOK(mp_copy(&qy, &sy));
206		/* l = index of high order bit in binary representation of 3k /
207		l = mpl_significant_bits(&k3) - 1;
208		/* for i = l-1 downto 1 */
209		for (i = l - 1; i >= 1; i--) {
210		/* S = 2S */
211		MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group));
212		b3 = MP_GET_BIT(&k3, i);
213		b1 = MP_GET_BIT(&k, i);
214		/* if k3_i = 1 and k_i = 0, then S = S + Q */
215		if ((b3 == 1) && (b1 == 0)) {
216		MP_CHECKOK(group->point_add(&sx, &sy, &qx, &qy, &sx, &sy, group));
217		/* if k3_i = 0 and k_i = 1, then S = S - Q */
218		} else if ((b3 == 0) && (b1 == 1)) {
219		MP_CHECKOK(group->point_sub(&sx, &sy, &qx, &qy, &sx, &sy, group));
220		}
221		}
222		#endif
223		/* output S */
224		MP_CHECKOK(mp_copy(&sx, rx));
225		MP_CHECKOK(mp_copy(&sy, ry));
226
227		CLEANUP:
228		mp_clear(&k);
229		mp_clear(&k3);
230		mp_clear(&qx);
231		mp_clear(&qy);
232		mp_clear(&sx);
233		mp_clear(&sy);
234		return res;
235		}
236		#endif
237
238		/* Validates a point on a GFp curve. */
239		mp_err
240		ec_GFp_validate_point(const mp_int px, const mp_int py, const ECGroup *group)
241	19.4k	{
242	19.4k	mp_err res = MP_NO;
243	19.4k	mp_int accl, accr, tmp, pxt, pyt;
244
245	19.4k	MP_DIGITS(&accl) = 0;
246	19.4k	MP_DIGITS(&accr) = 0;
247	19.4k	MP_DIGITS(&tmp) = 0;
248	19.4k	MP_DIGITS(&pxt) = 0;
249	19.4k	MP_DIGITS(&pyt) = 0;
250	19.4k	MP_CHECKOK(mp_init(&accl));
251	19.4k	MP_CHECKOK(mp_init(&accr));
252	19.4k	MP_CHECKOK(mp_init(&tmp));
253	19.4k	MP_CHECKOK(mp_init(&pxt));
254	19.4k	MP_CHECKOK(mp_init(&pyt));
255
256		/* 1: Verify that publicValue is not the point at infinity */
257	19.4k	if (ec_GFp_pt_is_inf_aff(px, py) == MP_YES) {
258	6	res = MP_NO;
259	6	goto CLEANUP;
260	6	}
261		/* 2: Verify that the coordinates of publicValue are elements
262		* of the field.
263		*/
264	19.4k	if ((MP_SIGN(px) == MP_NEG) \|\| (mp_cmp(px, &group->meth->irr) >= 0) \|\|
265	19.4k	(MP_SIGN(py) == MP_NEG) \|\| (mp_cmp(py, &group->meth->irr) >= 0)) {
266	6	res = MP_NO;
267	6	goto CLEANUP;
268	6	}
269		/* 3: Verify that publicValue is on the curve. */
270	19.4k	if (group->meth->field_enc) {
271	0	group->meth->field_enc(px, &pxt, group->meth);
272	0	group->meth->field_enc(py, &pyt, group->meth);
273	19.4k	} else {
274	19.4k	MP_CHECKOK(mp_copy(px, &pxt));
275	19.4k	MP_CHECKOK(mp_copy(py, &pyt));
276	19.4k	}
277		/* left-hand side: y^2 */
278	19.4k	MP_CHECKOK(group->meth->field_sqr(&pyt, &accl, group->meth));
279		/* right-hand side: x^3 + ax + b = (x^2 + a)x + b by Horner's rule */
280	19.4k	MP_CHECKOK(group->meth->field_sqr(&pxt, &tmp, group->meth));
281	19.4k	MP_CHECKOK(group->meth->field_add(&tmp, &group->curvea, &tmp, group->meth));
282	19.4k	MP_CHECKOK(group->meth->field_mul(&tmp, &pxt, &accr, group->meth));
283	19.4k	MP_CHECKOK(group->meth->field_add(&accr, &group->curveb, &accr, group->meth));
284		/* check LHS - RHS == 0 */
285	19.4k	MP_CHECKOK(group->meth->field_sub(&accl, &accr, &accr, group->meth));
286	19.4k	if (mp_cmp_z(&accr) != 0) {
287	5.15k	res = MP_NO;
288	5.15k	goto CLEANUP;
289	5.15k	}
290		/* 4: Verify that the order of the curve times the publicValue
291		* is the point at infinity.
292		*/
293	14.2k	MP_CHECKOK(ECPoint_mul(group, &group->order, px, py, &pxt, &pyt));
294	14.2k	if (ec_GFp_pt_is_inf_aff(&pxt, &pyt) != MP_YES) {
295	0	res = MP_NO;
296	0	goto CLEANUP;
297	0	}
298
299	14.2k	res = MP_YES;
300
301	19.4k	CLEANUP:
302	19.4k	mp_clear(&accl);
303	19.4k	mp_clear(&accr);
304	19.4k	mp_clear(&tmp);
305	19.4k	mp_clear(&pxt);
306	19.4k	mp_clear(&pyt);
307	19.4k	return res;
308	14.2k	}