/src/openssl30/crypto/ec/ecp_nistz256.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * Copyright (c) 2014, Intel Corporation. All Rights Reserved. |
4 | | * Copyright (c) 2015, CloudFlare, Inc. |
5 | | * |
6 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
7 | | * this file except in compliance with the License. You can obtain a copy |
8 | | * in the file LICENSE in the source distribution or at |
9 | | * https://www.openssl.org/source/license.html |
10 | | * |
11 | | * Originally written by Shay Gueron (1, 2), and Vlad Krasnov (1, 3) |
12 | | * (1) Intel Corporation, Israel Development Center, Haifa, Israel |
13 | | * (2) University of Haifa, Israel |
14 | | * (3) CloudFlare, Inc. |
15 | | * |
16 | | * Reference: |
17 | | * S.Gueron and V.Krasnov, "Fast Prime Field Elliptic Curve Cryptography with |
18 | | * 256 Bit Primes" |
19 | | */ |
20 | | |
21 | | /* |
22 | | * ECDSA low level APIs are deprecated for public use, but still ok for |
23 | | * internal use. |
24 | | */ |
25 | | #include "internal/deprecated.h" |
26 | | |
27 | | #include <string.h> |
28 | | |
29 | | #include "internal/cryptlib.h" |
30 | | #include "crypto/bn.h" |
31 | | #include "ec_local.h" |
32 | | #include "internal/refcount.h" |
33 | | |
34 | | #if BN_BITS2 != 64 |
35 | | # define TOBN(hi,lo) lo,hi |
36 | | #else |
37 | 17.5k | # define TOBN(hi,lo) ((BN_ULONG)hi<<32|lo) |
38 | | #endif |
39 | | |
40 | | #if defined(__GNUC__) |
41 | 4.76k | # define ALIGN32 __attribute((aligned(32))) |
42 | | #elif defined(_MSC_VER) |
43 | | # define ALIGN32 __declspec(align(32)) |
44 | | #else |
45 | | # define ALIGN32 |
46 | | #endif |
47 | | |
48 | 1.18k | #define ALIGNPTR(p,N) ((unsigned char *)p+N-(size_t)p%N) |
49 | 389k | #define P256_LIMBS (256/BN_BITS2) |
50 | | |
51 | | typedef unsigned short u16; |
52 | | |
53 | | typedef struct { |
54 | | BN_ULONG X[P256_LIMBS]; |
55 | | BN_ULONG Y[P256_LIMBS]; |
56 | | BN_ULONG Z[P256_LIMBS]; |
57 | | } P256_POINT; |
58 | | |
59 | | typedef struct { |
60 | | BN_ULONG X[P256_LIMBS]; |
61 | | BN_ULONG Y[P256_LIMBS]; |
62 | | } P256_POINT_AFFINE; |
63 | | |
64 | | typedef P256_POINT_AFFINE PRECOMP256_ROW[64]; |
65 | | |
66 | | /* structure for precomputed multiples of the generator */ |
67 | | struct nistz256_pre_comp_st { |
68 | | const EC_GROUP *group; /* Parent EC_GROUP object */ |
69 | | size_t w; /* Window size */ |
70 | | /* |
71 | | * Constant time access to the X and Y coordinates of the pre-computed, |
72 | | * generator multiplies, in the Montgomery domain. Pre-calculated |
73 | | * multiplies are stored in affine form. |
74 | | */ |
75 | | PRECOMP256_ROW *precomp; |
76 | | void *precomp_storage; |
77 | | CRYPTO_REF_COUNT references; |
78 | | CRYPTO_RWLOCK *lock; |
79 | | }; |
80 | | |
81 | | /* Functions implemented in assembly */ |
82 | | /* |
83 | | * Most of below mentioned functions *preserve* the property of inputs |
84 | | * being fully reduced, i.e. being in [0, modulus) range. Simply put if |
85 | | * inputs are fully reduced, then output is too. Note that reverse is |
86 | | * not true, in sense that given partially reduced inputs output can be |
87 | | * either, not unlikely reduced. And "most" in first sentence refers to |
88 | | * the fact that given the calculations flow one can tolerate that |
89 | | * addition, 1st function below, produces partially reduced result *if* |
90 | | * multiplications by 2 and 3, which customarily use addition, fully |
91 | | * reduce it. This effectively gives two options: a) addition produces |
92 | | * fully reduced result [as long as inputs are, just like remaining |
93 | | * functions]; b) addition is allowed to produce partially reduced |
94 | | * result, but multiplications by 2 and 3 perform additional reduction |
95 | | * step. Choice between the two can be platform-specific, but it was a) |
96 | | * in all cases so far... |
97 | | */ |
98 | | /* Modular add: res = a+b mod P */ |
99 | | void ecp_nistz256_add(BN_ULONG res[P256_LIMBS], |
100 | | const BN_ULONG a[P256_LIMBS], |
101 | | const BN_ULONG b[P256_LIMBS]); |
102 | | /* Modular mul by 2: res = 2*a mod P */ |
103 | | void ecp_nistz256_mul_by_2(BN_ULONG res[P256_LIMBS], |
104 | | const BN_ULONG a[P256_LIMBS]); |
105 | | /* Modular mul by 3: res = 3*a mod P */ |
106 | | void ecp_nistz256_mul_by_3(BN_ULONG res[P256_LIMBS], |
107 | | const BN_ULONG a[P256_LIMBS]); |
108 | | |
109 | | /* Modular div by 2: res = a/2 mod P */ |
110 | | void ecp_nistz256_div_by_2(BN_ULONG res[P256_LIMBS], |
111 | | const BN_ULONG a[P256_LIMBS]); |
112 | | /* Modular sub: res = a-b mod P */ |
113 | | void ecp_nistz256_sub(BN_ULONG res[P256_LIMBS], |
114 | | const BN_ULONG a[P256_LIMBS], |
115 | | const BN_ULONG b[P256_LIMBS]); |
116 | | /* Modular neg: res = -a mod P */ |
117 | | void ecp_nistz256_neg(BN_ULONG res[P256_LIMBS], const BN_ULONG a[P256_LIMBS]); |
118 | | /* Montgomery mul: res = a*b*2^-256 mod P */ |
119 | | void ecp_nistz256_mul_mont(BN_ULONG res[P256_LIMBS], |
120 | | const BN_ULONG a[P256_LIMBS], |
121 | | const BN_ULONG b[P256_LIMBS]); |
122 | | /* Montgomery sqr: res = a*a*2^-256 mod P */ |
123 | | void ecp_nistz256_sqr_mont(BN_ULONG res[P256_LIMBS], |
124 | | const BN_ULONG a[P256_LIMBS]); |
125 | | /* Convert a number from Montgomery domain, by multiplying with 1 */ |
126 | | void ecp_nistz256_from_mont(BN_ULONG res[P256_LIMBS], |
127 | | const BN_ULONG in[P256_LIMBS]); |
128 | | /* Convert a number to Montgomery domain, by multiplying with 2^512 mod P*/ |
129 | | void ecp_nistz256_to_mont(BN_ULONG res[P256_LIMBS], |
130 | | const BN_ULONG in[P256_LIMBS]); |
131 | | /* Functions that perform constant time access to the precomputed tables */ |
132 | | void ecp_nistz256_scatter_w5(P256_POINT *val, |
133 | | const P256_POINT *in_t, int idx); |
134 | | void ecp_nistz256_gather_w5(P256_POINT *val, |
135 | | const P256_POINT *in_t, int idx); |
136 | | void ecp_nistz256_scatter_w7(P256_POINT_AFFINE *val, |
137 | | const P256_POINT_AFFINE *in_t, int idx); |
138 | | void ecp_nistz256_gather_w7(P256_POINT_AFFINE *val, |
139 | | const P256_POINT_AFFINE *in_t, int idx); |
140 | | |
141 | | /* One converted into the Montgomery domain */ |
142 | | static const BN_ULONG ONE[P256_LIMBS] = { |
143 | | TOBN(0x00000000, 0x00000001), TOBN(0xffffffff, 0x00000000), |
144 | | TOBN(0xffffffff, 0xffffffff), TOBN(0x00000000, 0xfffffffe) |
145 | | }; |
146 | | |
147 | | static NISTZ256_PRE_COMP *ecp_nistz256_pre_comp_new(const EC_GROUP *group); |
148 | | |
149 | | /* Precomputed tables for the default generator */ |
150 | | extern const PRECOMP256_ROW ecp_nistz256_precomputed[37]; |
151 | | |
152 | | /* Recode window to a signed digit, see ecp_nistputil.c for details */ |
153 | | static unsigned int _booth_recode_w5(unsigned int in) |
154 | 61.3k | { |
155 | 61.3k | unsigned int s, d; |
156 | | |
157 | 61.3k | s = ~((in >> 5) - 1); |
158 | 61.3k | d = (1 << 6) - in - 1; |
159 | 61.3k | d = (d & s) | (in & ~s); |
160 | 61.3k | d = (d >> 1) + (d & 1); |
161 | | |
162 | 61.3k | return (d << 1) + (s & 1); |
163 | 61.3k | } |
164 | | |
165 | | static unsigned int _booth_recode_w7(unsigned int in) |
166 | 135k | { |
167 | 135k | unsigned int s, d; |
168 | | |
169 | 135k | s = ~((in >> 7) - 1); |
170 | 135k | d = (1 << 8) - in - 1; |
171 | 135k | d = (d & s) | (in & ~s); |
172 | 135k | d = (d >> 1) + (d & 1); |
173 | | |
174 | 135k | return (d << 1) + (s & 1); |
175 | 135k | } |
176 | | |
177 | | static void copy_conditional(BN_ULONG dst[P256_LIMBS], |
178 | | const BN_ULONG src[P256_LIMBS], BN_ULONG move) |
179 | 195k | { |
180 | 195k | BN_ULONG mask1 = 0-move; |
181 | 195k | BN_ULONG mask2 = ~mask1; |
182 | | |
183 | 195k | dst[0] = (src[0] & mask1) ^ (dst[0] & mask2); |
184 | 195k | dst[1] = (src[1] & mask1) ^ (dst[1] & mask2); |
185 | 195k | dst[2] = (src[2] & mask1) ^ (dst[2] & mask2); |
186 | 195k | dst[3] = (src[3] & mask1) ^ (dst[3] & mask2); |
187 | 195k | if (P256_LIMBS == 8) { |
188 | 0 | dst[4] = (src[4] & mask1) ^ (dst[4] & mask2); |
189 | 0 | dst[5] = (src[5] & mask1) ^ (dst[5] & mask2); |
190 | 0 | dst[6] = (src[6] & mask1) ^ (dst[6] & mask2); |
191 | 0 | dst[7] = (src[7] & mask1) ^ (dst[7] & mask2); |
192 | 0 | } |
193 | 195k | } |
194 | | |
195 | | static BN_ULONG is_zero(BN_ULONG in) |
196 | 18.9k | { |
197 | 18.9k | in |= (0 - in); |
198 | 18.9k | in = ~in; |
199 | 18.9k | in >>= BN_BITS2 - 1; |
200 | 18.9k | return in; |
201 | 18.9k | } |
202 | | |
203 | | static BN_ULONG is_equal(const BN_ULONG a[P256_LIMBS], |
204 | | const BN_ULONG b[P256_LIMBS]) |
205 | 7.33k | { |
206 | 7.33k | BN_ULONG res; |
207 | | |
208 | 7.33k | res = a[0] ^ b[0]; |
209 | 7.33k | res |= a[1] ^ b[1]; |
210 | 7.33k | res |= a[2] ^ b[2]; |
211 | 7.33k | res |= a[3] ^ b[3]; |
212 | 7.33k | if (P256_LIMBS == 8) { |
213 | 0 | res |= a[4] ^ b[4]; |
214 | 0 | res |= a[5] ^ b[5]; |
215 | 0 | res |= a[6] ^ b[6]; |
216 | 0 | res |= a[7] ^ b[7]; |
217 | 0 | } |
218 | | |
219 | 7.33k | return is_zero(res); |
220 | 7.33k | } |
221 | | |
222 | | static BN_ULONG is_one(const BIGNUM *z) |
223 | 8.43k | { |
224 | 8.43k | BN_ULONG res = 0; |
225 | 8.43k | BN_ULONG *a = bn_get_words(z); |
226 | | |
227 | 8.43k | if (bn_get_top(z) == (P256_LIMBS - P256_LIMBS / 8)) { |
228 | 7.95k | res = a[0] ^ ONE[0]; |
229 | 7.95k | res |= a[1] ^ ONE[1]; |
230 | 7.95k | res |= a[2] ^ ONE[2]; |
231 | 7.95k | res |= a[3] ^ ONE[3]; |
232 | 7.95k | if (P256_LIMBS == 8) { |
233 | 0 | res |= a[4] ^ ONE[4]; |
234 | 0 | res |= a[5] ^ ONE[5]; |
235 | 0 | res |= a[6] ^ ONE[6]; |
236 | | /* |
237 | | * no check for a[7] (being zero) on 32-bit platforms, |
238 | | * because value of "one" takes only 7 limbs. |
239 | | */ |
240 | 0 | } |
241 | 7.95k | res = is_zero(res); |
242 | 7.95k | } |
243 | | |
244 | 8.43k | return res; |
245 | 8.43k | } |
246 | | |
247 | | /* |
248 | | * For reference, this macro is used only when new ecp_nistz256 assembly |
249 | | * module is being developed. For example, configure with |
250 | | * -DECP_NISTZ256_REFERENCE_IMPLEMENTATION and implement only functions |
251 | | * performing simplest arithmetic operations on 256-bit vectors. Then |
252 | | * work on implementation of higher-level functions performing point |
253 | | * operations. Then remove ECP_NISTZ256_REFERENCE_IMPLEMENTATION |
254 | | * and never define it again. (The correct macro denoting presence of |
255 | | * ecp_nistz256 module is ECP_NISTZ256_ASM.) |
256 | | */ |
257 | | #ifndef ECP_NISTZ256_REFERENCE_IMPLEMENTATION |
258 | | void ecp_nistz256_point_double(P256_POINT *r, const P256_POINT *a); |
259 | | void ecp_nistz256_point_add(P256_POINT *r, |
260 | | const P256_POINT *a, const P256_POINT *b); |
261 | | void ecp_nistz256_point_add_affine(P256_POINT *r, |
262 | | const P256_POINT *a, |
263 | | const P256_POINT_AFFINE *b); |
264 | | #else |
265 | | /* Point double: r = 2*a */ |
266 | | static void ecp_nistz256_point_double(P256_POINT *r, const P256_POINT *a) |
267 | | { |
268 | | BN_ULONG S[P256_LIMBS]; |
269 | | BN_ULONG M[P256_LIMBS]; |
270 | | BN_ULONG Zsqr[P256_LIMBS]; |
271 | | BN_ULONG tmp0[P256_LIMBS]; |
272 | | |
273 | | const BN_ULONG *in_x = a->X; |
274 | | const BN_ULONG *in_y = a->Y; |
275 | | const BN_ULONG *in_z = a->Z; |
276 | | |
277 | | BN_ULONG *res_x = r->X; |
278 | | BN_ULONG *res_y = r->Y; |
279 | | BN_ULONG *res_z = r->Z; |
280 | | |
281 | | ecp_nistz256_mul_by_2(S, in_y); |
282 | | |
283 | | ecp_nistz256_sqr_mont(Zsqr, in_z); |
284 | | |
285 | | ecp_nistz256_sqr_mont(S, S); |
286 | | |
287 | | ecp_nistz256_mul_mont(res_z, in_z, in_y); |
288 | | ecp_nistz256_mul_by_2(res_z, res_z); |
289 | | |
290 | | ecp_nistz256_add(M, in_x, Zsqr); |
291 | | ecp_nistz256_sub(Zsqr, in_x, Zsqr); |
292 | | |
293 | | ecp_nistz256_sqr_mont(res_y, S); |
294 | | ecp_nistz256_div_by_2(res_y, res_y); |
295 | | |
296 | | ecp_nistz256_mul_mont(M, M, Zsqr); |
297 | | ecp_nistz256_mul_by_3(M, M); |
298 | | |
299 | | ecp_nistz256_mul_mont(S, S, in_x); |
300 | | ecp_nistz256_mul_by_2(tmp0, S); |
301 | | |
302 | | ecp_nistz256_sqr_mont(res_x, M); |
303 | | |
304 | | ecp_nistz256_sub(res_x, res_x, tmp0); |
305 | | ecp_nistz256_sub(S, S, res_x); |
306 | | |
307 | | ecp_nistz256_mul_mont(S, S, M); |
308 | | ecp_nistz256_sub(res_y, S, res_y); |
309 | | } |
310 | | |
311 | | /* Point addition: r = a+b */ |
312 | | static void ecp_nistz256_point_add(P256_POINT *r, |
313 | | const P256_POINT *a, const P256_POINT *b) |
314 | | { |
315 | | BN_ULONG U2[P256_LIMBS], S2[P256_LIMBS]; |
316 | | BN_ULONG U1[P256_LIMBS], S1[P256_LIMBS]; |
317 | | BN_ULONG Z1sqr[P256_LIMBS]; |
318 | | BN_ULONG Z2sqr[P256_LIMBS]; |
319 | | BN_ULONG H[P256_LIMBS], R[P256_LIMBS]; |
320 | | BN_ULONG Hsqr[P256_LIMBS]; |
321 | | BN_ULONG Rsqr[P256_LIMBS]; |
322 | | BN_ULONG Hcub[P256_LIMBS]; |
323 | | |
324 | | BN_ULONG res_x[P256_LIMBS]; |
325 | | BN_ULONG res_y[P256_LIMBS]; |
326 | | BN_ULONG res_z[P256_LIMBS]; |
327 | | |
328 | | BN_ULONG in1infty, in2infty; |
329 | | |
330 | | const BN_ULONG *in1_x = a->X; |
331 | | const BN_ULONG *in1_y = a->Y; |
332 | | const BN_ULONG *in1_z = a->Z; |
333 | | |
334 | | const BN_ULONG *in2_x = b->X; |
335 | | const BN_ULONG *in2_y = b->Y; |
336 | | const BN_ULONG *in2_z = b->Z; |
337 | | |
338 | | /* |
339 | | * Infinity in encoded as (,,0) |
340 | | */ |
341 | | in1infty = (in1_z[0] | in1_z[1] | in1_z[2] | in1_z[3]); |
342 | | if (P256_LIMBS == 8) |
343 | | in1infty |= (in1_z[4] | in1_z[5] | in1_z[6] | in1_z[7]); |
344 | | |
345 | | in2infty = (in2_z[0] | in2_z[1] | in2_z[2] | in2_z[3]); |
346 | | if (P256_LIMBS == 8) |
347 | | in2infty |= (in2_z[4] | in2_z[5] | in2_z[6] | in2_z[7]); |
348 | | |
349 | | in1infty = is_zero(in1infty); |
350 | | in2infty = is_zero(in2infty); |
351 | | |
352 | | ecp_nistz256_sqr_mont(Z2sqr, in2_z); /* Z2^2 */ |
353 | | ecp_nistz256_sqr_mont(Z1sqr, in1_z); /* Z1^2 */ |
354 | | |
355 | | ecp_nistz256_mul_mont(S1, Z2sqr, in2_z); /* S1 = Z2^3 */ |
356 | | ecp_nistz256_mul_mont(S2, Z1sqr, in1_z); /* S2 = Z1^3 */ |
357 | | |
358 | | ecp_nistz256_mul_mont(S1, S1, in1_y); /* S1 = Y1*Z2^3 */ |
359 | | ecp_nistz256_mul_mont(S2, S2, in2_y); /* S2 = Y2*Z1^3 */ |
360 | | ecp_nistz256_sub(R, S2, S1); /* R = S2 - S1 */ |
361 | | |
362 | | ecp_nistz256_mul_mont(U1, in1_x, Z2sqr); /* U1 = X1*Z2^2 */ |
363 | | ecp_nistz256_mul_mont(U2, in2_x, Z1sqr); /* U2 = X2*Z1^2 */ |
364 | | ecp_nistz256_sub(H, U2, U1); /* H = U2 - U1 */ |
365 | | |
366 | | /* |
367 | | * The formulae are incorrect if the points are equal so we check for |
368 | | * this and do doubling if this happens. |
369 | | * |
370 | | * Points here are in Jacobian projective coordinates (Xi, Yi, Zi) |
371 | | * that are bound to the affine coordinates (xi, yi) by the following |
372 | | * equations: |
373 | | * - xi = Xi / (Zi)^2 |
374 | | * - y1 = Yi / (Zi)^3 |
375 | | * |
376 | | * For the sake of optimization, the algorithm operates over |
377 | | * intermediate variables U1, U2 and S1, S2 that are derived from |
378 | | * the projective coordinates: |
379 | | * - U1 = X1 * (Z2)^2 ; U2 = X2 * (Z1)^2 |
380 | | * - S1 = Y1 * (Z2)^3 ; S2 = Y2 * (Z1)^3 |
381 | | * |
382 | | * It is easy to prove that is_equal(U1, U2) implies that the affine |
383 | | * x-coordinates are equal, or either point is at infinity. |
384 | | * Likewise is_equal(S1, S2) implies that the affine y-coordinates are |
385 | | * equal, or either point is at infinity. |
386 | | * |
387 | | * The special case of either point being the point at infinity (Z1 or Z2 |
388 | | * is zero), is handled separately later on in this function, so we avoid |
389 | | * jumping to point_double here in those special cases. |
390 | | * |
391 | | * When both points are inverse of each other, we know that the affine |
392 | | * x-coordinates are equal, and the y-coordinates have different sign. |
393 | | * Therefore since U1 = U2, we know H = 0, and therefore Z3 = H*Z1*Z2 |
394 | | * will equal 0, thus the result is infinity, if we simply let this |
395 | | * function continue normally. |
396 | | * |
397 | | * We use bitwise operations to avoid potential side-channels introduced by |
398 | | * the short-circuiting behaviour of boolean operators. |
399 | | */ |
400 | | if (is_equal(U1, U2) & ~in1infty & ~in2infty & is_equal(S1, S2)) { |
401 | | /* |
402 | | * This is obviously not constant-time but it should never happen during |
403 | | * single point multiplication, so there is no timing leak for ECDH or |
404 | | * ECDSA signing. |
405 | | */ |
406 | | ecp_nistz256_point_double(r, a); |
407 | | return; |
408 | | } |
409 | | |
410 | | ecp_nistz256_sqr_mont(Rsqr, R); /* R^2 */ |
411 | | ecp_nistz256_mul_mont(res_z, H, in1_z); /* Z3 = H*Z1*Z2 */ |
412 | | ecp_nistz256_sqr_mont(Hsqr, H); /* H^2 */ |
413 | | ecp_nistz256_mul_mont(res_z, res_z, in2_z); /* Z3 = H*Z1*Z2 */ |
414 | | ecp_nistz256_mul_mont(Hcub, Hsqr, H); /* H^3 */ |
415 | | |
416 | | ecp_nistz256_mul_mont(U2, U1, Hsqr); /* U1*H^2 */ |
417 | | ecp_nistz256_mul_by_2(Hsqr, U2); /* 2*U1*H^2 */ |
418 | | |
419 | | ecp_nistz256_sub(res_x, Rsqr, Hsqr); |
420 | | ecp_nistz256_sub(res_x, res_x, Hcub); |
421 | | |
422 | | ecp_nistz256_sub(res_y, U2, res_x); |
423 | | |
424 | | ecp_nistz256_mul_mont(S2, S1, Hcub); |
425 | | ecp_nistz256_mul_mont(res_y, R, res_y); |
426 | | ecp_nistz256_sub(res_y, res_y, S2); |
427 | | |
428 | | copy_conditional(res_x, in2_x, in1infty); |
429 | | copy_conditional(res_y, in2_y, in1infty); |
430 | | copy_conditional(res_z, in2_z, in1infty); |
431 | | |
432 | | copy_conditional(res_x, in1_x, in2infty); |
433 | | copy_conditional(res_y, in1_y, in2infty); |
434 | | copy_conditional(res_z, in1_z, in2infty); |
435 | | |
436 | | memcpy(r->X, res_x, sizeof(res_x)); |
437 | | memcpy(r->Y, res_y, sizeof(res_y)); |
438 | | memcpy(r->Z, res_z, sizeof(res_z)); |
439 | | } |
440 | | |
441 | | /* Point addition when b is known to be affine: r = a+b */ |
442 | | static void ecp_nistz256_point_add_affine(P256_POINT *r, |
443 | | const P256_POINT *a, |
444 | | const P256_POINT_AFFINE *b) |
445 | | { |
446 | | BN_ULONG U2[P256_LIMBS], S2[P256_LIMBS]; |
447 | | BN_ULONG Z1sqr[P256_LIMBS]; |
448 | | BN_ULONG H[P256_LIMBS], R[P256_LIMBS]; |
449 | | BN_ULONG Hsqr[P256_LIMBS]; |
450 | | BN_ULONG Rsqr[P256_LIMBS]; |
451 | | BN_ULONG Hcub[P256_LIMBS]; |
452 | | |
453 | | BN_ULONG res_x[P256_LIMBS]; |
454 | | BN_ULONG res_y[P256_LIMBS]; |
455 | | BN_ULONG res_z[P256_LIMBS]; |
456 | | |
457 | | BN_ULONG in1infty, in2infty; |
458 | | |
459 | | const BN_ULONG *in1_x = a->X; |
460 | | const BN_ULONG *in1_y = a->Y; |
461 | | const BN_ULONG *in1_z = a->Z; |
462 | | |
463 | | const BN_ULONG *in2_x = b->X; |
464 | | const BN_ULONG *in2_y = b->Y; |
465 | | |
466 | | /* |
467 | | * Infinity in encoded as (,,0) |
468 | | */ |
469 | | in1infty = (in1_z[0] | in1_z[1] | in1_z[2] | in1_z[3]); |
470 | | if (P256_LIMBS == 8) |
471 | | in1infty |= (in1_z[4] | in1_z[5] | in1_z[6] | in1_z[7]); |
472 | | |
473 | | /* |
474 | | * In affine representation we encode infinity as (0,0), which is |
475 | | * not on the curve, so it is OK |
476 | | */ |
477 | | in2infty = (in2_x[0] | in2_x[1] | in2_x[2] | in2_x[3] | |
478 | | in2_y[0] | in2_y[1] | in2_y[2] | in2_y[3]); |
479 | | if (P256_LIMBS == 8) |
480 | | in2infty |= (in2_x[4] | in2_x[5] | in2_x[6] | in2_x[7] | |
481 | | in2_y[4] | in2_y[5] | in2_y[6] | in2_y[7]); |
482 | | |
483 | | in1infty = is_zero(in1infty); |
484 | | in2infty = is_zero(in2infty); |
485 | | |
486 | | ecp_nistz256_sqr_mont(Z1sqr, in1_z); /* Z1^2 */ |
487 | | |
488 | | ecp_nistz256_mul_mont(U2, in2_x, Z1sqr); /* U2 = X2*Z1^2 */ |
489 | | ecp_nistz256_sub(H, U2, in1_x); /* H = U2 - U1 */ |
490 | | |
491 | | ecp_nistz256_mul_mont(S2, Z1sqr, in1_z); /* S2 = Z1^3 */ |
492 | | |
493 | | ecp_nistz256_mul_mont(res_z, H, in1_z); /* Z3 = H*Z1*Z2 */ |
494 | | |
495 | | ecp_nistz256_mul_mont(S2, S2, in2_y); /* S2 = Y2*Z1^3 */ |
496 | | ecp_nistz256_sub(R, S2, in1_y); /* R = S2 - S1 */ |
497 | | |
498 | | ecp_nistz256_sqr_mont(Hsqr, H); /* H^2 */ |
499 | | ecp_nistz256_sqr_mont(Rsqr, R); /* R^2 */ |
500 | | ecp_nistz256_mul_mont(Hcub, Hsqr, H); /* H^3 */ |
501 | | |
502 | | ecp_nistz256_mul_mont(U2, in1_x, Hsqr); /* U1*H^2 */ |
503 | | ecp_nistz256_mul_by_2(Hsqr, U2); /* 2*U1*H^2 */ |
504 | | |
505 | | ecp_nistz256_sub(res_x, Rsqr, Hsqr); |
506 | | ecp_nistz256_sub(res_x, res_x, Hcub); |
507 | | ecp_nistz256_sub(H, U2, res_x); |
508 | | |
509 | | ecp_nistz256_mul_mont(S2, in1_y, Hcub); |
510 | | ecp_nistz256_mul_mont(H, H, R); |
511 | | ecp_nistz256_sub(res_y, H, S2); |
512 | | |
513 | | copy_conditional(res_x, in2_x, in1infty); |
514 | | copy_conditional(res_x, in1_x, in2infty); |
515 | | |
516 | | copy_conditional(res_y, in2_y, in1infty); |
517 | | copy_conditional(res_y, in1_y, in2infty); |
518 | | |
519 | | copy_conditional(res_z, ONE, in1infty); |
520 | | copy_conditional(res_z, in1_z, in2infty); |
521 | | |
522 | | memcpy(r->X, res_x, sizeof(res_x)); |
523 | | memcpy(r->Y, res_y, sizeof(res_y)); |
524 | | memcpy(r->Z, res_z, sizeof(res_z)); |
525 | | } |
526 | | #endif |
527 | | |
528 | | /* r = in^-1 mod p */ |
529 | | static void ecp_nistz256_mod_inverse(BN_ULONG r[P256_LIMBS], |
530 | | const BN_ULONG in[P256_LIMBS]) |
531 | 25.1k | { |
532 | | /* |
533 | | * The poly is ffffffff 00000001 00000000 00000000 00000000 ffffffff |
534 | | * ffffffff ffffffff We use FLT and used poly-2 as exponent |
535 | | */ |
536 | 25.1k | BN_ULONG p2[P256_LIMBS]; |
537 | 25.1k | BN_ULONG p4[P256_LIMBS]; |
538 | 25.1k | BN_ULONG p8[P256_LIMBS]; |
539 | 25.1k | BN_ULONG p16[P256_LIMBS]; |
540 | 25.1k | BN_ULONG p32[P256_LIMBS]; |
541 | 25.1k | BN_ULONG res[P256_LIMBS]; |
542 | 25.1k | int i; |
543 | | |
544 | 25.1k | ecp_nistz256_sqr_mont(res, in); |
545 | 25.1k | ecp_nistz256_mul_mont(p2, res, in); /* 3*p */ |
546 | | |
547 | 25.1k | ecp_nistz256_sqr_mont(res, p2); |
548 | 25.1k | ecp_nistz256_sqr_mont(res, res); |
549 | 25.1k | ecp_nistz256_mul_mont(p4, res, p2); /* f*p */ |
550 | | |
551 | 25.1k | ecp_nistz256_sqr_mont(res, p4); |
552 | 25.1k | ecp_nistz256_sqr_mont(res, res); |
553 | 25.1k | ecp_nistz256_sqr_mont(res, res); |
554 | 25.1k | ecp_nistz256_sqr_mont(res, res); |
555 | 25.1k | ecp_nistz256_mul_mont(p8, res, p4); /* ff*p */ |
556 | | |
557 | 25.1k | ecp_nistz256_sqr_mont(res, p8); |
558 | 201k | for (i = 0; i < 7; i++) |
559 | 175k | ecp_nistz256_sqr_mont(res, res); |
560 | 25.1k | ecp_nistz256_mul_mont(p16, res, p8); /* ffff*p */ |
561 | | |
562 | 25.1k | ecp_nistz256_sqr_mont(res, p16); |
563 | 402k | for (i = 0; i < 15; i++) |
564 | 377k | ecp_nistz256_sqr_mont(res, res); |
565 | 25.1k | ecp_nistz256_mul_mont(p32, res, p16); /* ffffffff*p */ |
566 | | |
567 | 25.1k | ecp_nistz256_sqr_mont(res, p32); |
568 | 804k | for (i = 0; i < 31; i++) |
569 | 779k | ecp_nistz256_sqr_mont(res, res); |
570 | 25.1k | ecp_nistz256_mul_mont(res, res, in); |
571 | | |
572 | 3.24M | for (i = 0; i < 32 * 4; i++) |
573 | 3.21M | ecp_nistz256_sqr_mont(res, res); |
574 | 25.1k | ecp_nistz256_mul_mont(res, res, p32); |
575 | | |
576 | 829k | for (i = 0; i < 32; i++) |
577 | 804k | ecp_nistz256_sqr_mont(res, res); |
578 | 25.1k | ecp_nistz256_mul_mont(res, res, p32); |
579 | | |
580 | 427k | for (i = 0; i < 16; i++) |
581 | 402k | ecp_nistz256_sqr_mont(res, res); |
582 | 25.1k | ecp_nistz256_mul_mont(res, res, p16); |
583 | | |
584 | 226k | for (i = 0; i < 8; i++) |
585 | 201k | ecp_nistz256_sqr_mont(res, res); |
586 | 25.1k | ecp_nistz256_mul_mont(res, res, p8); |
587 | | |
588 | 25.1k | ecp_nistz256_sqr_mont(res, res); |
589 | 25.1k | ecp_nistz256_sqr_mont(res, res); |
590 | 25.1k | ecp_nistz256_sqr_mont(res, res); |
591 | 25.1k | ecp_nistz256_sqr_mont(res, res); |
592 | 25.1k | ecp_nistz256_mul_mont(res, res, p4); |
593 | | |
594 | 25.1k | ecp_nistz256_sqr_mont(res, res); |
595 | 25.1k | ecp_nistz256_sqr_mont(res, res); |
596 | 25.1k | ecp_nistz256_mul_mont(res, res, p2); |
597 | | |
598 | 25.1k | ecp_nistz256_sqr_mont(res, res); |
599 | 25.1k | ecp_nistz256_sqr_mont(res, res); |
600 | 25.1k | ecp_nistz256_mul_mont(res, res, in); |
601 | | |
602 | 25.1k | memcpy(r, res, sizeof(res)); |
603 | 25.1k | } |
604 | | |
605 | | /* |
606 | | * ecp_nistz256_bignum_to_field_elem copies the contents of |in| to |out| and |
607 | | * returns one if it fits. Otherwise it returns zero. |
608 | | */ |
609 | | __owur static int ecp_nistz256_bignum_to_field_elem(BN_ULONG out[P256_LIMBS], |
610 | | const BIGNUM *in) |
611 | 81.1k | { |
612 | 81.1k | return bn_copy_words(out, in, P256_LIMBS); |
613 | 81.1k | } |
614 | | |
615 | | /* r = sum(scalar[i]*point[i]) */ |
616 | | __owur static int ecp_nistz256_windowed_mul(const EC_GROUP *group, |
617 | | P256_POINT *r, |
618 | | const BIGNUM **scalar, |
619 | | const EC_POINT **point, |
620 | | size_t num, BN_CTX *ctx) |
621 | 1.18k | { |
622 | 1.18k | size_t i; |
623 | 1.18k | int j, ret = 0; |
624 | 1.18k | unsigned int idx; |
625 | 1.18k | unsigned char (*p_str)[33] = NULL; |
626 | 1.18k | const unsigned int window_size = 5; |
627 | 1.18k | const unsigned int mask = (1 << (window_size + 1)) - 1; |
628 | 1.18k | unsigned int wvalue; |
629 | 1.18k | P256_POINT *temp; /* place for 5 temporary points */ |
630 | 1.18k | const BIGNUM **scalars = NULL; |
631 | 1.18k | P256_POINT (*table)[16] = NULL; |
632 | 1.18k | void *table_storage = NULL; |
633 | | |
634 | 1.18k | if ((num * 16 + 6) > OPENSSL_MALLOC_MAX_NELEMS(P256_POINT) |
635 | 1.18k | || (table_storage = |
636 | 1.18k | OPENSSL_malloc((num * 16 + 5) * sizeof(P256_POINT) + 64)) == NULL |
637 | 1.18k | || (p_str = |
638 | 1.18k | OPENSSL_malloc(num * 33 * sizeof(unsigned char))) == NULL |
639 | 1.18k | || (scalars = OPENSSL_malloc(num * sizeof(BIGNUM *))) == NULL) { |
640 | 0 | ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); |
641 | 0 | goto err; |
642 | 0 | } |
643 | | |
644 | 1.18k | table = (void *)ALIGNPTR(table_storage, 64); |
645 | 1.18k | temp = (P256_POINT *)(table + num); |
646 | | |
647 | 2.36k | for (i = 0; i < num; i++) { |
648 | 1.18k | P256_POINT *row = table[i]; |
649 | | |
650 | | /* This is an unusual input, we don't guarantee constant-timeness. */ |
651 | 1.18k | if ((BN_num_bits(scalar[i]) > 256) || BN_is_negative(scalar[i])) { |
652 | 0 | BIGNUM *mod; |
653 | |
|
654 | 0 | if ((mod = BN_CTX_get(ctx)) == NULL) |
655 | 0 | goto err; |
656 | 0 | if (!BN_nnmod(mod, scalar[i], group->order, ctx)) { |
657 | 0 | ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); |
658 | 0 | goto err; |
659 | 0 | } |
660 | 0 | scalars[i] = mod; |
661 | 0 | } else |
662 | 1.18k | scalars[i] = scalar[i]; |
663 | | |
664 | 5.87k | for (j = 0; j < bn_get_top(scalars[i]) * BN_BYTES; j += BN_BYTES) { |
665 | 4.69k | BN_ULONG d = bn_get_words(scalars[i])[j / BN_BYTES]; |
666 | | |
667 | 4.69k | p_str[i][j + 0] = (unsigned char)d; |
668 | 4.69k | p_str[i][j + 1] = (unsigned char)(d >> 8); |
669 | 4.69k | p_str[i][j + 2] = (unsigned char)(d >> 16); |
670 | 4.69k | p_str[i][j + 3] = (unsigned char)(d >>= 24); |
671 | 4.69k | if (BN_BYTES == 8) { |
672 | 4.69k | d >>= 8; |
673 | 4.69k | p_str[i][j + 4] = (unsigned char)d; |
674 | 4.69k | p_str[i][j + 5] = (unsigned char)(d >> 8); |
675 | 4.69k | p_str[i][j + 6] = (unsigned char)(d >> 16); |
676 | 4.69k | p_str[i][j + 7] = (unsigned char)(d >> 24); |
677 | 4.69k | } |
678 | 4.69k | } |
679 | 2.52k | for (; j < 33; j++) |
680 | 1.34k | p_str[i][j] = 0; |
681 | | |
682 | 1.18k | if (!ecp_nistz256_bignum_to_field_elem(temp[0].X, point[i]->X) |
683 | 1.18k | || !ecp_nistz256_bignum_to_field_elem(temp[0].Y, point[i]->Y) |
684 | 1.18k | || !ecp_nistz256_bignum_to_field_elem(temp[0].Z, point[i]->Z)) { |
685 | 0 | ERR_raise(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE); |
686 | 0 | goto err; |
687 | 0 | } |
688 | | |
689 | | /* |
690 | | * row[0] is implicitly (0,0,0) (the point at infinity), therefore it |
691 | | * is not stored. All other values are actually stored with an offset |
692 | | * of -1 in table. |
693 | | */ |
694 | | |
695 | 1.18k | ecp_nistz256_scatter_w5 (row, &temp[0], 1); |
696 | 1.18k | ecp_nistz256_point_double(&temp[1], &temp[0]); /*1+1=2 */ |
697 | 1.18k | ecp_nistz256_scatter_w5 (row, &temp[1], 2); |
698 | 1.18k | ecp_nistz256_point_add (&temp[2], &temp[1], &temp[0]); /*2+1=3 */ |
699 | 1.18k | ecp_nistz256_scatter_w5 (row, &temp[2], 3); |
700 | 1.18k | ecp_nistz256_point_double(&temp[1], &temp[1]); /*2*2=4 */ |
701 | 1.18k | ecp_nistz256_scatter_w5 (row, &temp[1], 4); |
702 | 1.18k | ecp_nistz256_point_double(&temp[2], &temp[2]); /*2*3=6 */ |
703 | 1.18k | ecp_nistz256_scatter_w5 (row, &temp[2], 6); |
704 | 1.18k | ecp_nistz256_point_add (&temp[3], &temp[1], &temp[0]); /*4+1=5 */ |
705 | 1.18k | ecp_nistz256_scatter_w5 (row, &temp[3], 5); |
706 | 1.18k | ecp_nistz256_point_add (&temp[4], &temp[2], &temp[0]); /*6+1=7 */ |
707 | 1.18k | ecp_nistz256_scatter_w5 (row, &temp[4], 7); |
708 | 1.18k | ecp_nistz256_point_double(&temp[1], &temp[1]); /*2*4=8 */ |
709 | 1.18k | ecp_nistz256_scatter_w5 (row, &temp[1], 8); |
710 | 1.18k | ecp_nistz256_point_double(&temp[2], &temp[2]); /*2*6=12 */ |
711 | 1.18k | ecp_nistz256_scatter_w5 (row, &temp[2], 12); |
712 | 1.18k | ecp_nistz256_point_double(&temp[3], &temp[3]); /*2*5=10 */ |
713 | 1.18k | ecp_nistz256_scatter_w5 (row, &temp[3], 10); |
714 | 1.18k | ecp_nistz256_point_double(&temp[4], &temp[4]); /*2*7=14 */ |
715 | 1.18k | ecp_nistz256_scatter_w5 (row, &temp[4], 14); |
716 | 1.18k | ecp_nistz256_point_add (&temp[2], &temp[2], &temp[0]); /*12+1=13*/ |
717 | 1.18k | ecp_nistz256_scatter_w5 (row, &temp[2], 13); |
718 | 1.18k | ecp_nistz256_point_add (&temp[3], &temp[3], &temp[0]); /*10+1=11*/ |
719 | 1.18k | ecp_nistz256_scatter_w5 (row, &temp[3], 11); |
720 | 1.18k | ecp_nistz256_point_add (&temp[4], &temp[4], &temp[0]); /*14+1=15*/ |
721 | 1.18k | ecp_nistz256_scatter_w5 (row, &temp[4], 15); |
722 | 1.18k | ecp_nistz256_point_add (&temp[2], &temp[1], &temp[0]); /*8+1=9 */ |
723 | 1.18k | ecp_nistz256_scatter_w5 (row, &temp[2], 9); |
724 | 1.18k | ecp_nistz256_point_double(&temp[1], &temp[1]); /*2*8=16 */ |
725 | 1.18k | ecp_nistz256_scatter_w5 (row, &temp[1], 16); |
726 | 1.18k | } |
727 | | |
728 | 1.18k | idx = 255; |
729 | | |
730 | 1.18k | wvalue = p_str[0][(idx - 1) / 8]; |
731 | 1.18k | wvalue = (wvalue >> ((idx - 1) % 8)) & mask; |
732 | | |
733 | | /* |
734 | | * We gather to temp[0], because we know it's position relative |
735 | | * to table |
736 | | */ |
737 | 1.18k | ecp_nistz256_gather_w5(&temp[0], table[0], _booth_recode_w5(wvalue) >> 1); |
738 | 1.18k | memcpy(r, &temp[0], sizeof(temp[0])); |
739 | | |
740 | 61.3k | while (idx >= 5) { |
741 | 119k | for (i = (idx == 255 ? 1 : 0); i < num; i++) { |
742 | 59.0k | unsigned int off = (idx - 1) / 8; |
743 | | |
744 | 59.0k | wvalue = p_str[i][off] | p_str[i][off + 1] << 8; |
745 | 59.0k | wvalue = (wvalue >> ((idx - 1) % 8)) & mask; |
746 | | |
747 | 59.0k | wvalue = _booth_recode_w5(wvalue); |
748 | | |
749 | 59.0k | ecp_nistz256_gather_w5(&temp[0], table[i], wvalue >> 1); |
750 | | |
751 | 59.0k | ecp_nistz256_neg(temp[1].Y, temp[0].Y); |
752 | 59.0k | copy_conditional(temp[0].Y, temp[1].Y, (wvalue & 1)); |
753 | | |
754 | 59.0k | ecp_nistz256_point_add(r, r, &temp[0]); |
755 | 59.0k | } |
756 | | |
757 | 60.1k | idx -= window_size; |
758 | | |
759 | 60.1k | ecp_nistz256_point_double(r, r); |
760 | 60.1k | ecp_nistz256_point_double(r, r); |
761 | 60.1k | ecp_nistz256_point_double(r, r); |
762 | 60.1k | ecp_nistz256_point_double(r, r); |
763 | 60.1k | ecp_nistz256_point_double(r, r); |
764 | 60.1k | } |
765 | | |
766 | | /* Final window */ |
767 | 2.36k | for (i = 0; i < num; i++) { |
768 | 1.18k | wvalue = p_str[i][0]; |
769 | 1.18k | wvalue = (wvalue << 1) & mask; |
770 | | |
771 | 1.18k | wvalue = _booth_recode_w5(wvalue); |
772 | | |
773 | 1.18k | ecp_nistz256_gather_w5(&temp[0], table[i], wvalue >> 1); |
774 | | |
775 | 1.18k | ecp_nistz256_neg(temp[1].Y, temp[0].Y); |
776 | 1.18k | copy_conditional(temp[0].Y, temp[1].Y, wvalue & 1); |
777 | | |
778 | 1.18k | ecp_nistz256_point_add(r, r, &temp[0]); |
779 | 1.18k | } |
780 | | |
781 | 1.18k | ret = 1; |
782 | 1.18k | err: |
783 | 1.18k | OPENSSL_free(table_storage); |
784 | 1.18k | OPENSSL_free(p_str); |
785 | 1.18k | OPENSSL_free(scalars); |
786 | 1.18k | return ret; |
787 | 1.18k | } |
788 | | |
789 | | /* Coordinates of G, for which we have precomputed tables */ |
790 | | static const BN_ULONG def_xG[P256_LIMBS] = { |
791 | | TOBN(0x79e730d4, 0x18a9143c), TOBN(0x75ba95fc, 0x5fedb601), |
792 | | TOBN(0x79fb732b, 0x77622510), TOBN(0x18905f76, 0xa53755c6) |
793 | | }; |
794 | | |
795 | | static const BN_ULONG def_yG[P256_LIMBS] = { |
796 | | TOBN(0xddf25357, 0xce95560a), TOBN(0x8b4ab8e4, 0xba19e45c), |
797 | | TOBN(0xd2e88688, 0xdd21f325), TOBN(0x8571ff18, 0x25885d85) |
798 | | }; |
799 | | |
800 | | /* |
801 | | * ecp_nistz256_is_affine_G returns one if |generator| is the standard, P-256 |
802 | | * generator. |
803 | | */ |
804 | | static int ecp_nistz256_is_affine_G(const EC_POINT *generator) |
805 | 3.66k | { |
806 | 3.66k | return (bn_get_top(generator->X) == P256_LIMBS) && |
807 | 3.66k | (bn_get_top(generator->Y) == P256_LIMBS) && |
808 | 3.66k | is_equal(bn_get_words(generator->X), def_xG) && |
809 | 3.66k | is_equal(bn_get_words(generator->Y), def_yG) && |
810 | 3.66k | is_one(generator->Z); |
811 | 3.66k | } |
812 | | |
813 | | __owur static int ecp_nistz256_mult_precompute(EC_GROUP *group, BN_CTX *ctx) |
814 | 0 | { |
815 | | /* |
816 | | * We precompute a table for a Booth encoded exponent (wNAF) based |
817 | | * computation. Each table holds 64 values for safe access, with an |
818 | | * implicit value of infinity at index zero. We use window of size 7, and |
819 | | * therefore require ceil(256/7) = 37 tables. |
820 | | */ |
821 | 0 | const BIGNUM *order; |
822 | 0 | EC_POINT *P = NULL, *T = NULL; |
823 | 0 | const EC_POINT *generator; |
824 | 0 | NISTZ256_PRE_COMP *pre_comp; |
825 | 0 | BN_CTX *new_ctx = NULL; |
826 | 0 | int i, j, k, ret = 0; |
827 | 0 | size_t w; |
828 | |
|
829 | 0 | PRECOMP256_ROW *preComputedTable = NULL; |
830 | 0 | unsigned char *precomp_storage = NULL; |
831 | | |
832 | | /* if there is an old NISTZ256_PRE_COMP object, throw it away */ |
833 | 0 | EC_pre_comp_free(group); |
834 | 0 | generator = EC_GROUP_get0_generator(group); |
835 | 0 | if (generator == NULL) { |
836 | 0 | ERR_raise(ERR_LIB_EC, EC_R_UNDEFINED_GENERATOR); |
837 | 0 | return 0; |
838 | 0 | } |
839 | | |
840 | 0 | if (ecp_nistz256_is_affine_G(generator)) { |
841 | | /* |
842 | | * No need to calculate tables for the standard generator because we |
843 | | * have them statically. |
844 | | */ |
845 | 0 | return 1; |
846 | 0 | } |
847 | | |
848 | 0 | if ((pre_comp = ecp_nistz256_pre_comp_new(group)) == NULL) |
849 | 0 | return 0; |
850 | | |
851 | 0 | if (ctx == NULL) { |
852 | 0 | ctx = new_ctx = BN_CTX_new_ex(group->libctx); |
853 | 0 | if (ctx == NULL) |
854 | 0 | goto err; |
855 | 0 | } |
856 | | |
857 | 0 | BN_CTX_start(ctx); |
858 | |
|
859 | 0 | order = EC_GROUP_get0_order(group); |
860 | 0 | if (order == NULL) |
861 | 0 | goto err; |
862 | | |
863 | 0 | if (BN_is_zero(order)) { |
864 | 0 | ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_ORDER); |
865 | 0 | goto err; |
866 | 0 | } |
867 | | |
868 | 0 | w = 7; |
869 | |
|
870 | 0 | if ((precomp_storage = |
871 | 0 | OPENSSL_malloc(37 * 64 * sizeof(P256_POINT_AFFINE) + 64)) == NULL) { |
872 | 0 | ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); |
873 | 0 | goto err; |
874 | 0 | } |
875 | | |
876 | 0 | preComputedTable = (void *)ALIGNPTR(precomp_storage, 64); |
877 | |
|
878 | 0 | P = EC_POINT_new(group); |
879 | 0 | T = EC_POINT_new(group); |
880 | 0 | if (P == NULL || T == NULL) |
881 | 0 | goto err; |
882 | | |
883 | | /* |
884 | | * The zero entry is implicitly infinity, and we skip it, storing other |
885 | | * values with -1 offset. |
886 | | */ |
887 | 0 | if (!EC_POINT_copy(T, generator)) |
888 | 0 | goto err; |
889 | | |
890 | 0 | for (k = 0; k < 64; k++) { |
891 | 0 | if (!EC_POINT_copy(P, T)) |
892 | 0 | goto err; |
893 | 0 | for (j = 0; j < 37; j++) { |
894 | 0 | P256_POINT_AFFINE temp; |
895 | | /* |
896 | | * It would be faster to use EC_POINTs_make_affine and |
897 | | * make multiple points affine at the same time. |
898 | | */ |
899 | 0 | if (group->meth->make_affine == NULL |
900 | 0 | || !group->meth->make_affine(group, P, ctx)) |
901 | 0 | goto err; |
902 | 0 | if (!ecp_nistz256_bignum_to_field_elem(temp.X, P->X) || |
903 | 0 | !ecp_nistz256_bignum_to_field_elem(temp.Y, P->Y)) { |
904 | 0 | ERR_raise(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE); |
905 | 0 | goto err; |
906 | 0 | } |
907 | 0 | ecp_nistz256_scatter_w7(preComputedTable[j], &temp, k); |
908 | 0 | for (i = 0; i < 7; i++) { |
909 | 0 | if (!EC_POINT_dbl(group, P, P, ctx)) |
910 | 0 | goto err; |
911 | 0 | } |
912 | 0 | } |
913 | 0 | if (!EC_POINT_add(group, T, T, generator, ctx)) |
914 | 0 | goto err; |
915 | 0 | } |
916 | | |
917 | 0 | pre_comp->group = group; |
918 | 0 | pre_comp->w = w; |
919 | 0 | pre_comp->precomp = preComputedTable; |
920 | 0 | pre_comp->precomp_storage = precomp_storage; |
921 | 0 | precomp_storage = NULL; |
922 | 0 | SETPRECOMP(group, nistz256, pre_comp); |
923 | 0 | pre_comp = NULL; |
924 | 0 | ret = 1; |
925 | |
|
926 | 0 | err: |
927 | 0 | BN_CTX_end(ctx); |
928 | 0 | BN_CTX_free(new_ctx); |
929 | |
|
930 | 0 | EC_nistz256_pre_comp_free(pre_comp); |
931 | 0 | OPENSSL_free(precomp_storage); |
932 | 0 | EC_POINT_free(P); |
933 | 0 | EC_POINT_free(T); |
934 | 0 | return ret; |
935 | 0 | } |
936 | | |
937 | | __owur static int ecp_nistz256_set_from_affine(EC_POINT *out, const EC_GROUP *group, |
938 | | const P256_POINT_AFFINE *in, |
939 | | BN_CTX *ctx) |
940 | 0 | { |
941 | 0 | int ret = 0; |
942 | |
|
943 | 0 | if ((ret = bn_set_words(out->X, in->X, P256_LIMBS)) |
944 | 0 | && (ret = bn_set_words(out->Y, in->Y, P256_LIMBS)) |
945 | 0 | && (ret = bn_set_words(out->Z, ONE, P256_LIMBS))) |
946 | 0 | out->Z_is_one = 1; |
947 | |
|
948 | 0 | return ret; |
949 | 0 | } |
950 | | |
951 | | /* r = scalar*G + sum(scalars[i]*points[i]) */ |
952 | | __owur static int ecp_nistz256_points_mul(const EC_GROUP *group, |
953 | | EC_POINT *r, |
954 | | const BIGNUM *scalar, |
955 | | size_t num, |
956 | | const EC_POINT *points[], |
957 | | const BIGNUM *scalars[], BN_CTX *ctx) |
958 | 4.76k | { |
959 | 4.76k | int i = 0, ret = 0, no_precomp_for_generator = 0, p_is_infinity = 0; |
960 | 4.76k | unsigned char p_str[33] = { 0 }; |
961 | 4.76k | const PRECOMP256_ROW *preComputedTable = NULL; |
962 | 4.76k | const NISTZ256_PRE_COMP *pre_comp = NULL; |
963 | 4.76k | const EC_POINT *generator = NULL; |
964 | 4.76k | const BIGNUM **new_scalars = NULL; |
965 | 4.76k | const EC_POINT **new_points = NULL; |
966 | 4.76k | unsigned int idx = 0; |
967 | 4.76k | const unsigned int window_size = 7; |
968 | 4.76k | const unsigned int mask = (1 << (window_size + 1)) - 1; |
969 | 4.76k | unsigned int wvalue; |
970 | 4.76k | ALIGN32 union { |
971 | 4.76k | P256_POINT p; |
972 | 4.76k | P256_POINT_AFFINE a; |
973 | 4.76k | } t, p; |
974 | 4.76k | BIGNUM *tmp_scalar; |
975 | | |
976 | 4.76k | if ((num + 1) == 0 || (num + 1) > OPENSSL_MALLOC_MAX_NELEMS(void *)) { |
977 | 0 | ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); |
978 | 0 | return 0; |
979 | 0 | } |
980 | | |
981 | 4.76k | memset(&p, 0, sizeof(p)); |
982 | 4.76k | BN_CTX_start(ctx); |
983 | | |
984 | 4.76k | if (scalar) { |
985 | 3.66k | generator = EC_GROUP_get0_generator(group); |
986 | 3.66k | if (generator == NULL) { |
987 | 0 | ERR_raise(ERR_LIB_EC, EC_R_UNDEFINED_GENERATOR); |
988 | 0 | goto err; |
989 | 0 | } |
990 | | |
991 | | /* look if we can use precomputed multiples of generator */ |
992 | 3.66k | pre_comp = group->pre_comp.nistz256; |
993 | | |
994 | 3.66k | if (pre_comp) { |
995 | | /* |
996 | | * If there is a precomputed table for the generator, check that |
997 | | * it was generated with the same generator. |
998 | | */ |
999 | 0 | EC_POINT *pre_comp_generator = EC_POINT_new(group); |
1000 | 0 | if (pre_comp_generator == NULL) |
1001 | 0 | goto err; |
1002 | | |
1003 | 0 | ecp_nistz256_gather_w7(&p.a, pre_comp->precomp[0], 1); |
1004 | 0 | if (!ecp_nistz256_set_from_affine(pre_comp_generator, |
1005 | 0 | group, &p.a, ctx)) { |
1006 | 0 | EC_POINT_free(pre_comp_generator); |
1007 | 0 | goto err; |
1008 | 0 | } |
1009 | | |
1010 | 0 | if (0 == EC_POINT_cmp(group, generator, pre_comp_generator, ctx)) |
1011 | 0 | preComputedTable = (const PRECOMP256_ROW *)pre_comp->precomp; |
1012 | |
|
1013 | 0 | EC_POINT_free(pre_comp_generator); |
1014 | 0 | } |
1015 | | |
1016 | 3.66k | if (preComputedTable == NULL && ecp_nistz256_is_affine_G(generator)) { |
1017 | | /* |
1018 | | * If there is no precomputed data, but the generator is the |
1019 | | * default, a hardcoded table of precomputed data is used. This |
1020 | | * is because applications, such as Apache, do not use |
1021 | | * EC_KEY_precompute_mult. |
1022 | | */ |
1023 | 3.66k | preComputedTable = ecp_nistz256_precomputed; |
1024 | 3.66k | } |
1025 | | |
1026 | 3.66k | if (preComputedTable) { |
1027 | 3.66k | BN_ULONG infty; |
1028 | | |
1029 | 3.66k | if ((BN_num_bits(scalar) > 256) |
1030 | 3.66k | || BN_is_negative(scalar)) { |
1031 | 9 | if ((tmp_scalar = BN_CTX_get(ctx)) == NULL) |
1032 | 0 | goto err; |
1033 | | |
1034 | 9 | if (!BN_nnmod(tmp_scalar, scalar, group->order, ctx)) { |
1035 | 0 | ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); |
1036 | 0 | goto err; |
1037 | 0 | } |
1038 | 9 | scalar = tmp_scalar; |
1039 | 9 | } |
1040 | | |
1041 | 18.2k | for (i = 0; i < bn_get_top(scalar) * BN_BYTES; i += BN_BYTES) { |
1042 | 14.5k | BN_ULONG d = bn_get_words(scalar)[i / BN_BYTES]; |
1043 | | |
1044 | 14.5k | p_str[i + 0] = (unsigned char)d; |
1045 | 14.5k | p_str[i + 1] = (unsigned char)(d >> 8); |
1046 | 14.5k | p_str[i + 2] = (unsigned char)(d >> 16); |
1047 | 14.5k | p_str[i + 3] = (unsigned char)(d >>= 24); |
1048 | 14.5k | if (BN_BYTES == 8) { |
1049 | 14.5k | d >>= 8; |
1050 | 14.5k | p_str[i + 4] = (unsigned char)d; |
1051 | 14.5k | p_str[i + 5] = (unsigned char)(d >> 8); |
1052 | 14.5k | p_str[i + 6] = (unsigned char)(d >> 16); |
1053 | 14.5k | p_str[i + 7] = (unsigned char)(d >> 24); |
1054 | 14.5k | } |
1055 | 14.5k | } |
1056 | | |
1057 | 8.14k | for (; i < 33; i++) |
1058 | 4.48k | p_str[i] = 0; |
1059 | | |
1060 | | /* First window */ |
1061 | 3.66k | wvalue = (p_str[0] << 1) & mask; |
1062 | 3.66k | idx += window_size; |
1063 | | |
1064 | 3.66k | wvalue = _booth_recode_w7(wvalue); |
1065 | | |
1066 | 3.66k | ecp_nistz256_gather_w7(&p.a, preComputedTable[0], |
1067 | 3.66k | wvalue >> 1); |
1068 | | |
1069 | 3.66k | ecp_nistz256_neg(p.p.Z, p.p.Y); |
1070 | 3.66k | copy_conditional(p.p.Y, p.p.Z, wvalue & 1); |
1071 | | |
1072 | | /* |
1073 | | * Since affine infinity is encoded as (0,0) and |
1074 | | * Jacobian is (,,0), we need to harmonize them |
1075 | | * by assigning "one" or zero to Z. |
1076 | | */ |
1077 | 3.66k | infty = (p.p.X[0] | p.p.X[1] | p.p.X[2] | p.p.X[3] | |
1078 | 3.66k | p.p.Y[0] | p.p.Y[1] | p.p.Y[2] | p.p.Y[3]); |
1079 | 3.66k | if (P256_LIMBS == 8) |
1080 | 0 | infty |= (p.p.X[4] | p.p.X[5] | p.p.X[6] | p.p.X[7] | |
1081 | 0 | p.p.Y[4] | p.p.Y[5] | p.p.Y[6] | p.p.Y[7]); |
1082 | | |
1083 | 3.66k | infty = 0 - is_zero(infty); |
1084 | 3.66k | infty = ~infty; |
1085 | | |
1086 | 3.66k | p.p.Z[0] = ONE[0] & infty; |
1087 | 3.66k | p.p.Z[1] = ONE[1] & infty; |
1088 | 3.66k | p.p.Z[2] = ONE[2] & infty; |
1089 | 3.66k | p.p.Z[3] = ONE[3] & infty; |
1090 | 3.66k | if (P256_LIMBS == 8) { |
1091 | 0 | p.p.Z[4] = ONE[4] & infty; |
1092 | 0 | p.p.Z[5] = ONE[5] & infty; |
1093 | 0 | p.p.Z[6] = ONE[6] & infty; |
1094 | 0 | p.p.Z[7] = ONE[7] & infty; |
1095 | 0 | } |
1096 | | |
1097 | 135k | for (i = 1; i < 37; i++) { |
1098 | 131k | unsigned int off = (idx - 1) / 8; |
1099 | 131k | wvalue = p_str[off] | p_str[off + 1] << 8; |
1100 | 131k | wvalue = (wvalue >> ((idx - 1) % 8)) & mask; |
1101 | 131k | idx += window_size; |
1102 | | |
1103 | 131k | wvalue = _booth_recode_w7(wvalue); |
1104 | | |
1105 | 131k | ecp_nistz256_gather_w7(&t.a, |
1106 | 131k | preComputedTable[i], wvalue >> 1); |
1107 | | |
1108 | 131k | ecp_nistz256_neg(t.p.Z, t.a.Y); |
1109 | 131k | copy_conditional(t.a.Y, t.p.Z, wvalue & 1); |
1110 | | |
1111 | 131k | ecp_nistz256_point_add_affine(&p.p, &p.p, &t.a); |
1112 | 131k | } |
1113 | 3.66k | } else { |
1114 | 0 | p_is_infinity = 1; |
1115 | 0 | no_precomp_for_generator = 1; |
1116 | 0 | } |
1117 | 3.66k | } else |
1118 | 1.10k | p_is_infinity = 1; |
1119 | | |
1120 | 4.76k | if (no_precomp_for_generator) { |
1121 | | /* |
1122 | | * Without a precomputed table for the generator, it has to be |
1123 | | * handled like a normal point. |
1124 | | */ |
1125 | 0 | new_scalars = OPENSSL_malloc((num + 1) * sizeof(BIGNUM *)); |
1126 | 0 | if (new_scalars == NULL) { |
1127 | 0 | ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); |
1128 | 0 | goto err; |
1129 | 0 | } |
1130 | | |
1131 | 0 | new_points = OPENSSL_malloc((num + 1) * sizeof(EC_POINT *)); |
1132 | 0 | if (new_points == NULL) { |
1133 | 0 | ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); |
1134 | 0 | goto err; |
1135 | 0 | } |
1136 | | |
1137 | 0 | memcpy(new_scalars, scalars, num * sizeof(BIGNUM *)); |
1138 | 0 | new_scalars[num] = scalar; |
1139 | 0 | memcpy(new_points, points, num * sizeof(EC_POINT *)); |
1140 | 0 | new_points[num] = generator; |
1141 | |
|
1142 | 0 | scalars = new_scalars; |
1143 | 0 | points = new_points; |
1144 | 0 | num++; |
1145 | 0 | } |
1146 | | |
1147 | 4.76k | if (num) { |
1148 | 1.18k | P256_POINT *out = &t.p; |
1149 | 1.18k | if (p_is_infinity) |
1150 | 1.10k | out = &p.p; |
1151 | | |
1152 | 1.18k | if (!ecp_nistz256_windowed_mul(group, out, scalars, points, num, ctx)) |
1153 | 0 | goto err; |
1154 | | |
1155 | 1.18k | if (!p_is_infinity) |
1156 | 78 | ecp_nistz256_point_add(&p.p, &p.p, out); |
1157 | 1.18k | } |
1158 | | |
1159 | | /* Not constant-time, but we're only operating on the public output. */ |
1160 | 4.76k | if (!bn_set_words(r->X, p.p.X, P256_LIMBS) || |
1161 | 4.76k | !bn_set_words(r->Y, p.p.Y, P256_LIMBS) || |
1162 | 4.76k | !bn_set_words(r->Z, p.p.Z, P256_LIMBS)) { |
1163 | 0 | goto err; |
1164 | 0 | } |
1165 | 4.76k | r->Z_is_one = is_one(r->Z) & 1; |
1166 | | |
1167 | 4.76k | ret = 1; |
1168 | | |
1169 | 4.76k | err: |
1170 | 4.76k | BN_CTX_end(ctx); |
1171 | 4.76k | OPENSSL_free(new_points); |
1172 | 4.76k | OPENSSL_free(new_scalars); |
1173 | 4.76k | return ret; |
1174 | 4.76k | } |
1175 | | |
1176 | | __owur static int ecp_nistz256_get_affine(const EC_GROUP *group, |
1177 | | const EC_POINT *point, |
1178 | | BIGNUM *x, BIGNUM *y, BN_CTX *ctx) |
1179 | 25.1k | { |
1180 | 25.1k | BN_ULONG z_inv2[P256_LIMBS]; |
1181 | 25.1k | BN_ULONG z_inv3[P256_LIMBS]; |
1182 | 25.1k | BN_ULONG x_aff[P256_LIMBS]; |
1183 | 25.1k | BN_ULONG y_aff[P256_LIMBS]; |
1184 | 25.1k | BN_ULONG point_x[P256_LIMBS], point_y[P256_LIMBS], point_z[P256_LIMBS]; |
1185 | 25.1k | BN_ULONG x_ret[P256_LIMBS], y_ret[P256_LIMBS]; |
1186 | | |
1187 | 25.1k | if (EC_POINT_is_at_infinity(group, point)) { |
1188 | 0 | ERR_raise(ERR_LIB_EC, EC_R_POINT_AT_INFINITY); |
1189 | 0 | return 0; |
1190 | 0 | } |
1191 | | |
1192 | 25.1k | if (!ecp_nistz256_bignum_to_field_elem(point_x, point->X) || |
1193 | 25.1k | !ecp_nistz256_bignum_to_field_elem(point_y, point->Y) || |
1194 | 25.1k | !ecp_nistz256_bignum_to_field_elem(point_z, point->Z)) { |
1195 | 0 | ERR_raise(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE); |
1196 | 0 | return 0; |
1197 | 0 | } |
1198 | | |
1199 | 25.1k | ecp_nistz256_mod_inverse(z_inv3, point_z); |
1200 | 25.1k | ecp_nistz256_sqr_mont(z_inv2, z_inv3); |
1201 | 25.1k | ecp_nistz256_mul_mont(x_aff, z_inv2, point_x); |
1202 | | |
1203 | 25.1k | if (x != NULL) { |
1204 | 25.1k | ecp_nistz256_from_mont(x_ret, x_aff); |
1205 | 25.1k | if (!bn_set_words(x, x_ret, P256_LIMBS)) |
1206 | 0 | return 0; |
1207 | 25.1k | } |
1208 | | |
1209 | 25.1k | if (y != NULL) { |
1210 | 22.3k | ecp_nistz256_mul_mont(z_inv3, z_inv3, z_inv2); |
1211 | 22.3k | ecp_nistz256_mul_mont(y_aff, z_inv3, point_y); |
1212 | 22.3k | ecp_nistz256_from_mont(y_ret, y_aff); |
1213 | 22.3k | if (!bn_set_words(y, y_ret, P256_LIMBS)) |
1214 | 0 | return 0; |
1215 | 22.3k | } |
1216 | | |
1217 | 25.1k | return 1; |
1218 | 25.1k | } |
1219 | | |
1220 | | static NISTZ256_PRE_COMP *ecp_nistz256_pre_comp_new(const EC_GROUP *group) |
1221 | 0 | { |
1222 | 0 | NISTZ256_PRE_COMP *ret = NULL; |
1223 | |
|
1224 | 0 | if (!group) |
1225 | 0 | return NULL; |
1226 | | |
1227 | 0 | ret = OPENSSL_zalloc(sizeof(*ret)); |
1228 | |
|
1229 | 0 | if (ret == NULL) { |
1230 | 0 | ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); |
1231 | 0 | return ret; |
1232 | 0 | } |
1233 | | |
1234 | 0 | ret->group = group; |
1235 | 0 | ret->w = 6; /* default */ |
1236 | 0 | ret->references = 1; |
1237 | |
|
1238 | 0 | ret->lock = CRYPTO_THREAD_lock_new(); |
1239 | 0 | if (ret->lock == NULL) { |
1240 | 0 | ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); |
1241 | 0 | OPENSSL_free(ret); |
1242 | 0 | return NULL; |
1243 | 0 | } |
1244 | 0 | return ret; |
1245 | 0 | } |
1246 | | |
1247 | | NISTZ256_PRE_COMP *EC_nistz256_pre_comp_dup(NISTZ256_PRE_COMP *p) |
1248 | 0 | { |
1249 | 0 | int i; |
1250 | 0 | if (p != NULL) |
1251 | 0 | CRYPTO_UP_REF(&p->references, &i, p->lock); |
1252 | 0 | return p; |
1253 | 0 | } |
1254 | | |
1255 | | void EC_nistz256_pre_comp_free(NISTZ256_PRE_COMP *pre) |
1256 | 0 | { |
1257 | 0 | int i; |
1258 | |
|
1259 | 0 | if (pre == NULL) |
1260 | 0 | return; |
1261 | | |
1262 | 0 | CRYPTO_DOWN_REF(&pre->references, &i, pre->lock); |
1263 | 0 | REF_PRINT_COUNT("EC_nistz256", pre); |
1264 | 0 | if (i > 0) |
1265 | 0 | return; |
1266 | 0 | REF_ASSERT_ISNT(i < 0); |
1267 | |
|
1268 | 0 | OPENSSL_free(pre->precomp_storage); |
1269 | 0 | CRYPTO_THREAD_lock_free(pre->lock); |
1270 | 0 | OPENSSL_free(pre); |
1271 | 0 | } |
1272 | | |
1273 | | |
1274 | | static int ecp_nistz256_window_have_precompute_mult(const EC_GROUP *group) |
1275 | 0 | { |
1276 | | /* There is a hard-coded table for the default generator. */ |
1277 | 0 | const EC_POINT *generator = EC_GROUP_get0_generator(group); |
1278 | |
|
1279 | 0 | if (generator != NULL && ecp_nistz256_is_affine_G(generator)) { |
1280 | | /* There is a hard-coded table for the default generator. */ |
1281 | 0 | return 1; |
1282 | 0 | } |
1283 | | |
1284 | 0 | return HAVEPRECOMP(group, nistz256); |
1285 | 0 | } |
1286 | | |
1287 | | #if defined(__x86_64) || defined(__x86_64__) || \ |
1288 | | defined(_M_AMD64) || defined(_M_X64) || \ |
1289 | | defined(__powerpc64__) || defined(_ARCH_PP64) || \ |
1290 | | defined(__aarch64__) |
1291 | | /* |
1292 | | * Montgomery mul modulo Order(P): res = a*b*2^-256 mod Order(P) |
1293 | | */ |
1294 | | void ecp_nistz256_ord_mul_mont(BN_ULONG res[P256_LIMBS], |
1295 | | const BN_ULONG a[P256_LIMBS], |
1296 | | const BN_ULONG b[P256_LIMBS]); |
1297 | | void ecp_nistz256_ord_sqr_mont(BN_ULONG res[P256_LIMBS], |
1298 | | const BN_ULONG a[P256_LIMBS], |
1299 | | BN_ULONG rep); |
1300 | | |
1301 | | static int ecp_nistz256_inv_mod_ord(const EC_GROUP *group, BIGNUM *r, |
1302 | | const BIGNUM *x, BN_CTX *ctx) |
1303 | 2.18k | { |
1304 | | /* RR = 2^512 mod ord(p256) */ |
1305 | 2.18k | static const BN_ULONG RR[P256_LIMBS] = { |
1306 | 2.18k | TOBN(0x83244c95,0xbe79eea2), TOBN(0x4699799c,0x49bd6fa6), |
1307 | 2.18k | TOBN(0x2845b239,0x2b6bec59), TOBN(0x66e12d94,0xf3d95620) |
1308 | 2.18k | }; |
1309 | | /* The constant 1 (unlike ONE that is one in Montgomery representation) */ |
1310 | 2.18k | static const BN_ULONG one[P256_LIMBS] = { |
1311 | 2.18k | TOBN(0,1), TOBN(0,0), TOBN(0,0), TOBN(0,0) |
1312 | 2.18k | }; |
1313 | | /* |
1314 | | * We don't use entry 0 in the table, so we omit it and address |
1315 | | * with -1 offset. |
1316 | | */ |
1317 | 2.18k | BN_ULONG table[15][P256_LIMBS]; |
1318 | 2.18k | BN_ULONG out[P256_LIMBS], t[P256_LIMBS]; |
1319 | 2.18k | int i, ret = 0; |
1320 | 2.18k | enum { |
1321 | 2.18k | i_1 = 0, i_10, i_11, i_101, i_111, i_1010, i_1111, |
1322 | 2.18k | i_10101, i_101010, i_101111, i_x6, i_x8, i_x16, i_x32 |
1323 | 2.18k | }; |
1324 | | |
1325 | | /* |
1326 | | * Catch allocation failure early. |
1327 | | */ |
1328 | 2.18k | if (bn_wexpand(r, P256_LIMBS) == NULL) { |
1329 | 0 | ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); |
1330 | 0 | goto err; |
1331 | 0 | } |
1332 | | |
1333 | 2.18k | if ((BN_num_bits(x) > 256) || BN_is_negative(x)) { |
1334 | 0 | BIGNUM *tmp; |
1335 | |
|
1336 | 0 | if ((tmp = BN_CTX_get(ctx)) == NULL |
1337 | 0 | || !BN_nnmod(tmp, x, group->order, ctx)) { |
1338 | 0 | ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); |
1339 | 0 | goto err; |
1340 | 0 | } |
1341 | 0 | x = tmp; |
1342 | 0 | } |
1343 | | |
1344 | 2.18k | if (!ecp_nistz256_bignum_to_field_elem(t, x)) { |
1345 | 0 | ERR_raise(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE); |
1346 | 0 | goto err; |
1347 | 0 | } |
1348 | | |
1349 | 2.18k | ecp_nistz256_ord_mul_mont(table[0], t, RR); |
1350 | | #if 0 |
1351 | | /* |
1352 | | * Original sparse-then-fixed-window algorithm, retained for reference. |
1353 | | */ |
1354 | | for (i = 2; i < 16; i += 2) { |
1355 | | ecp_nistz256_ord_sqr_mont(table[i-1], table[i/2-1], 1); |
1356 | | ecp_nistz256_ord_mul_mont(table[i], table[i-1], table[0]); |
1357 | | } |
1358 | | |
1359 | | /* |
1360 | | * The top 128bit of the exponent are highly redudndant, so we |
1361 | | * perform an optimized flow |
1362 | | */ |
1363 | | ecp_nistz256_ord_sqr_mont(t, table[15-1], 4); /* f0 */ |
1364 | | ecp_nistz256_ord_mul_mont(t, t, table[15-1]); /* ff */ |
1365 | | |
1366 | | ecp_nistz256_ord_sqr_mont(out, t, 8); /* ff00 */ |
1367 | | ecp_nistz256_ord_mul_mont(out, out, t); /* ffff */ |
1368 | | |
1369 | | ecp_nistz256_ord_sqr_mont(t, out, 16); /* ffff0000 */ |
1370 | | ecp_nistz256_ord_mul_mont(t, t, out); /* ffffffff */ |
1371 | | |
1372 | | ecp_nistz256_ord_sqr_mont(out, t, 64); /* ffffffff0000000000000000 */ |
1373 | | ecp_nistz256_ord_mul_mont(out, out, t); /* ffffffff00000000ffffffff */ |
1374 | | |
1375 | | ecp_nistz256_ord_sqr_mont(out, out, 32); /* ffffffff00000000ffffffff00000000 */ |
1376 | | ecp_nistz256_ord_mul_mont(out, out, t); /* ffffffff00000000ffffffffffffffff */ |
1377 | | |
1378 | | /* |
1379 | | * The bottom 128 bit of the exponent are processed with fixed 4-bit window |
1380 | | */ |
1381 | | for(i = 0; i < 32; i++) { |
1382 | | /* expLo - the low 128 bits of the exponent we use (ord(p256) - 2), |
1383 | | * split into nibbles */ |
1384 | | static const unsigned char expLo[32] = { |
1385 | | 0xb,0xc,0xe,0x6,0xf,0xa,0xa,0xd,0xa,0x7,0x1,0x7,0x9,0xe,0x8,0x4, |
1386 | | 0xf,0x3,0xb,0x9,0xc,0xa,0xc,0x2,0xf,0xc,0x6,0x3,0x2,0x5,0x4,0xf |
1387 | | }; |
1388 | | |
1389 | | ecp_nistz256_ord_sqr_mont(out, out, 4); |
1390 | | /* The exponent is public, no need in constant-time access */ |
1391 | | ecp_nistz256_ord_mul_mont(out, out, table[expLo[i]-1]); |
1392 | | } |
1393 | | #else |
1394 | | /* |
1395 | | * https://briansmith.org/ecc-inversion-addition-chains-01#p256_scalar_inversion |
1396 | | * |
1397 | | * Even though this code path spares 12 squarings, 4.5%, and 13 |
1398 | | * multiplications, 25%, on grand scale sign operation is not that |
1399 | | * much faster, not more that 2%... |
1400 | | */ |
1401 | | |
1402 | | /* pre-calculate powers */ |
1403 | 2.18k | ecp_nistz256_ord_sqr_mont(table[i_10], table[i_1], 1); |
1404 | | |
1405 | 2.18k | ecp_nistz256_ord_mul_mont(table[i_11], table[i_1], table[i_10]); |
1406 | | |
1407 | 2.18k | ecp_nistz256_ord_mul_mont(table[i_101], table[i_11], table[i_10]); |
1408 | | |
1409 | 2.18k | ecp_nistz256_ord_mul_mont(table[i_111], table[i_101], table[i_10]); |
1410 | | |
1411 | 2.18k | ecp_nistz256_ord_sqr_mont(table[i_1010], table[i_101], 1); |
1412 | | |
1413 | 2.18k | ecp_nistz256_ord_mul_mont(table[i_1111], table[i_1010], table[i_101]); |
1414 | | |
1415 | 2.18k | ecp_nistz256_ord_sqr_mont(table[i_10101], table[i_1010], 1); |
1416 | 2.18k | ecp_nistz256_ord_mul_mont(table[i_10101], table[i_10101], table[i_1]); |
1417 | | |
1418 | 2.18k | ecp_nistz256_ord_sqr_mont(table[i_101010], table[i_10101], 1); |
1419 | | |
1420 | 2.18k | ecp_nistz256_ord_mul_mont(table[i_101111], table[i_101010], table[i_101]); |
1421 | | |
1422 | 2.18k | ecp_nistz256_ord_mul_mont(table[i_x6], table[i_101010], table[i_10101]); |
1423 | | |
1424 | 2.18k | ecp_nistz256_ord_sqr_mont(table[i_x8], table[i_x6], 2); |
1425 | 2.18k | ecp_nistz256_ord_mul_mont(table[i_x8], table[i_x8], table[i_11]); |
1426 | | |
1427 | 2.18k | ecp_nistz256_ord_sqr_mont(table[i_x16], table[i_x8], 8); |
1428 | 2.18k | ecp_nistz256_ord_mul_mont(table[i_x16], table[i_x16], table[i_x8]); |
1429 | | |
1430 | 2.18k | ecp_nistz256_ord_sqr_mont(table[i_x32], table[i_x16], 16); |
1431 | 2.18k | ecp_nistz256_ord_mul_mont(table[i_x32], table[i_x32], table[i_x16]); |
1432 | | |
1433 | | /* calculations */ |
1434 | 2.18k | ecp_nistz256_ord_sqr_mont(out, table[i_x32], 64); |
1435 | 2.18k | ecp_nistz256_ord_mul_mont(out, out, table[i_x32]); |
1436 | | |
1437 | 61.2k | for (i = 0; i < 27; i++) { |
1438 | 59.1k | static const struct { unsigned char p, i; } chain[27] = { |
1439 | 59.1k | { 32, i_x32 }, { 6, i_101111 }, { 5, i_111 }, |
1440 | 59.1k | { 4, i_11 }, { 5, i_1111 }, { 5, i_10101 }, |
1441 | 59.1k | { 4, i_101 }, { 3, i_101 }, { 3, i_101 }, |
1442 | 59.1k | { 5, i_111 }, { 9, i_101111 }, { 6, i_1111 }, |
1443 | 59.1k | { 2, i_1 }, { 5, i_1 }, { 6, i_1111 }, |
1444 | 59.1k | { 5, i_111 }, { 4, i_111 }, { 5, i_111 }, |
1445 | 59.1k | { 5, i_101 }, { 3, i_11 }, { 10, i_101111 }, |
1446 | 59.1k | { 2, i_11 }, { 5, i_11 }, { 5, i_11 }, |
1447 | 59.1k | { 3, i_1 }, { 7, i_10101 }, { 6, i_1111 } |
1448 | 59.1k | }; |
1449 | | |
1450 | 59.1k | ecp_nistz256_ord_sqr_mont(out, out, chain[i].p); |
1451 | 59.1k | ecp_nistz256_ord_mul_mont(out, out, table[chain[i].i]); |
1452 | 59.1k | } |
1453 | 2.18k | #endif |
1454 | 2.18k | ecp_nistz256_ord_mul_mont(out, out, one); |
1455 | | |
1456 | | /* |
1457 | | * Can't fail, but check return code to be consistent anyway. |
1458 | | */ |
1459 | 2.18k | if (!bn_set_words(r, out, P256_LIMBS)) |
1460 | 0 | goto err; |
1461 | | |
1462 | 2.18k | ret = 1; |
1463 | 2.18k | err: |
1464 | 2.18k | return ret; |
1465 | 2.18k | } |
1466 | | #else |
1467 | | # define ecp_nistz256_inv_mod_ord NULL |
1468 | | #endif |
1469 | | |
1470 | | const EC_METHOD *EC_GFp_nistz256_method(void) |
1471 | 57.6k | { |
1472 | 57.6k | static const EC_METHOD ret = { |
1473 | 57.6k | EC_FLAGS_DEFAULT_OCT, |
1474 | 57.6k | NID_X9_62_prime_field, |
1475 | 57.6k | ossl_ec_GFp_mont_group_init, |
1476 | 57.6k | ossl_ec_GFp_mont_group_finish, |
1477 | 57.6k | ossl_ec_GFp_mont_group_clear_finish, |
1478 | 57.6k | ossl_ec_GFp_mont_group_copy, |
1479 | 57.6k | ossl_ec_GFp_mont_group_set_curve, |
1480 | 57.6k | ossl_ec_GFp_simple_group_get_curve, |
1481 | 57.6k | ossl_ec_GFp_simple_group_get_degree, |
1482 | 57.6k | ossl_ec_group_simple_order_bits, |
1483 | 57.6k | ossl_ec_GFp_simple_group_check_discriminant, |
1484 | 57.6k | ossl_ec_GFp_simple_point_init, |
1485 | 57.6k | ossl_ec_GFp_simple_point_finish, |
1486 | 57.6k | ossl_ec_GFp_simple_point_clear_finish, |
1487 | 57.6k | ossl_ec_GFp_simple_point_copy, |
1488 | 57.6k | ossl_ec_GFp_simple_point_set_to_infinity, |
1489 | 57.6k | ossl_ec_GFp_simple_point_set_affine_coordinates, |
1490 | 57.6k | ecp_nistz256_get_affine, |
1491 | 57.6k | 0, 0, 0, |
1492 | 57.6k | ossl_ec_GFp_simple_add, |
1493 | 57.6k | ossl_ec_GFp_simple_dbl, |
1494 | 57.6k | ossl_ec_GFp_simple_invert, |
1495 | 57.6k | ossl_ec_GFp_simple_is_at_infinity, |
1496 | 57.6k | ossl_ec_GFp_simple_is_on_curve, |
1497 | 57.6k | ossl_ec_GFp_simple_cmp, |
1498 | 57.6k | ossl_ec_GFp_simple_make_affine, |
1499 | 57.6k | ossl_ec_GFp_simple_points_make_affine, |
1500 | 57.6k | ecp_nistz256_points_mul, /* mul */ |
1501 | 57.6k | ecp_nistz256_mult_precompute, /* precompute_mult */ |
1502 | 57.6k | ecp_nistz256_window_have_precompute_mult, /* have_precompute_mult */ |
1503 | 57.6k | ossl_ec_GFp_mont_field_mul, |
1504 | 57.6k | ossl_ec_GFp_mont_field_sqr, |
1505 | 57.6k | 0, /* field_div */ |
1506 | 57.6k | ossl_ec_GFp_mont_field_inv, |
1507 | 57.6k | ossl_ec_GFp_mont_field_encode, |
1508 | 57.6k | ossl_ec_GFp_mont_field_decode, |
1509 | 57.6k | ossl_ec_GFp_mont_field_set_to_one, |
1510 | 57.6k | ossl_ec_key_simple_priv2oct, |
1511 | 57.6k | ossl_ec_key_simple_oct2priv, |
1512 | 57.6k | 0, /* set private */ |
1513 | 57.6k | ossl_ec_key_simple_generate_key, |
1514 | 57.6k | ossl_ec_key_simple_check_key, |
1515 | 57.6k | ossl_ec_key_simple_generate_public_key, |
1516 | 57.6k | 0, /* keycopy */ |
1517 | 57.6k | 0, /* keyfinish */ |
1518 | 57.6k | ossl_ecdh_simple_compute_key, |
1519 | 57.6k | ossl_ecdsa_simple_sign_setup, |
1520 | 57.6k | ossl_ecdsa_simple_sign_sig, |
1521 | 57.6k | ossl_ecdsa_simple_verify_sig, |
1522 | 57.6k | ecp_nistz256_inv_mod_ord, /* can be #define-d NULL */ |
1523 | 57.6k | 0, /* blind_coordinates */ |
1524 | 57.6k | 0, /* ladder_pre */ |
1525 | 57.6k | 0, /* ladder_step */ |
1526 | 57.6k | 0 /* ladder_post */ |
1527 | 57.6k | }; |
1528 | | |
1529 | 57.6k | return &ret; |
1530 | 57.6k | } |