TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 52a422f6a10519d2999ece44ede0d09da8793e0c / . / library / ecp.c
blob: 13bdaa4848af78cba8c4c9113d600f9c4d0b95e4 [file] [log] [blame]
Manuel Pégourié-Gonnard39d2adb2012-10-31 09:26:55 +0100[diff] [blame]1/*
2 * Elliptic curves over GF(p)
3 *
4 * Copyright (C) 2012, Brainspark B.V.
5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
26/*
27 * References:
28 *
Manuel Pégourié-Gonnard883f3132012-11-02 09:40:25 +0100[diff] [blame]29 * SEC1 http://www.secg.org/index.php?action=secg,docs_secg
Manuel Pégourié-Gonnard39d2adb2012-10-31 09:26:55 +0100[diff] [blame]30 * Guide to Elliptic Curve Cryptography - Hankerson, Menezes, Vanstone
31 */
32
33#include "polarssl/config.h"
34
35#if defined(POLARSSL_ECP_C)
36
37#include "polarssl/ecp.h"
38
Manuel Pégourié-Gonnard1e8c8ec2012-10-31 19:24:21 +0100[diff] [blame]39/*
Manuel Pégourié-Gonnardb505c272012-11-05 17:27:54 +0100[diff] [blame]40 * Initialize (the components of) a point
Manuel Pégourié-Gonnardae180d02012-11-02 18:14:40 +0100[diff] [blame]41 */
42void ecp_point_init( ecp_point *pt )
43{
44 if( pt == NULL )
45 return;
46
47 pt->is_zero = 1;
Manuel Pégourié-Gonnardb505c272012-11-05 17:27:54 +0100[diff] [blame]48 mpi_init( &pt->X );
49 mpi_init( &pt->Y );
50}
51
52/*
53 * Initialize (the components of) a group
54 */
55void ecp_group_init( ecp_group *grp )
56{
57 if( grp == NULL )
58 return;
59
60 mpi_init( &grp->P );
61 mpi_init( &grp->B );
62 ecp_point_init( &grp->G );
63 mpi_init( &grp->N );
Manuel Pégourié-Gonnardae180d02012-11-02 18:14:40 +0100[diff] [blame]64}
65
66/*
Manuel Pégourié-Gonnard1e8c8ec2012-10-31 19:24:21 +0100[diff] [blame]67 * Unallocate (the components of) a point
68 */
69void ecp_point_free( ecp_point *pt )
70{
71 if( pt == NULL )
72 return;
73
Manuel Pégourié-Gonnard5179e462012-10-31 19:37:54 +0100[diff] [blame]74 pt->is_zero = 1;
Manuel Pégourié-Gonnard1e8c8ec2012-10-31 19:24:21 +0100[diff] [blame]75 mpi_free( &( pt->X ) );
76 mpi_free( &( pt->Y ) );
77}
78
79/*
80 * Unallocate (the components of) a group
81 */
82void ecp_group_free( ecp_group *grp )
83{
84 if( grp == NULL )
85 return;
86
Manuel Pégourié-Gonnard883f3132012-11-02 09:40:25 +0100[diff] [blame]87 mpi_free( &grp->P );
88 mpi_free( &grp->B );
89 ecp_point_free( &grp->G );
90 mpi_free( &grp->N );
Manuel Pégourié-Gonnard1e8c8ec2012-10-31 19:24:21 +0100[diff] [blame]91}
Manuel Pégourié-Gonnard39d2adb2012-10-31 09:26:55 +0100[diff] [blame]92
Manuel Pégourié-Gonnard883f3132012-11-02 09:40:25 +0100[diff] [blame]93/*
Manuel Pégourié-Gonnardae180d02012-11-02 18:14:40 +0100[diff] [blame]94 * Set point to zero
95 */
96void ecp_set_zero( ecp_point *pt )
97{
98 pt->is_zero = 1;
Manuel Pégourié-Gonnardb505c272012-11-05 17:27:54 +0100[diff] [blame]99 mpi_free( &pt->X );
100 mpi_free( &pt->Y );
Manuel Pégourié-Gonnardae180d02012-11-02 18:14:40 +0100[diff] [blame]101}
102
103/*
Manuel Pégourié-Gonnard883f3132012-11-02 09:40:25 +0100[diff] [blame]104 * Copy the contents of Q into P
105 */
106int ecp_copy( ecp_point *P, const ecp_point *Q )
107{
Manuel Pégourié-Gonnardae180d02012-11-02 18:14:40 +0100[diff] [blame]108 int ret = 0;
Manuel Pégourié-Gonnard883f3132012-11-02 09:40:25 +0100[diff] [blame]109
Manuel Pégourié-Gonnardb505c272012-11-05 17:27:54 +0100[diff] [blame]110 if( Q->is_zero ) {
111 ecp_set_zero( P );
112 return( ret );
113 }
114
Manuel Pégourié-Gonnard883f3132012-11-02 09:40:25 +0100[diff] [blame]115 P->is_zero = Q->is_zero;
116 MPI_CHK( mpi_copy( &P->X, &Q->X ) );
117 MPI_CHK( mpi_copy( &P->Y, &Q->Y ) );
118
119cleanup:
120 return( ret );
121}
Manuel Pégourié-Gonnard5179e462012-10-31 19:37:54 +0100[diff] [blame]122
Manuel Pégourié-Gonnardae180d02012-11-02 18:14:40 +0100[diff] [blame]123/*
Manuel Pégourié-Gonnard847395a2012-11-05 13:13:44 +0100[diff] [blame]124 * Import a non-zero point from ASCII strings
125 */
126int ecp_point_read_string( ecp_point *P, int radix,
127 const char *x, const char *y )
128{
129 int ret = 0;
130
131 P->is_zero = 0;
132 MPI_CHK( mpi_read_string( &P->X, radix, x ) );
133 MPI_CHK( mpi_read_string( &P->Y, radix, y ) );
134
135cleanup:
136 return( ret );
137}
138
139/*
140 * Import an ECP group from ASCII strings
141 */
142int ecp_group_read_string( ecp_group *grp, int radix,
143 const char *p, const char *b,
144 const char *gx, const char *gy, const char *n)
145{
146 int ret = 0;
147
148 MPI_CHK( mpi_read_string( &grp->P, radix, p ) );
149 MPI_CHK( mpi_read_string( &grp->B, radix, b ) );
150 MPI_CHK( ecp_point_read_string( &grp->G, radix, gx, gy ) );
151 MPI_CHK( mpi_read_string( &grp->N, radix, n ) );
152
153cleanup:
154 return( ret );
155}
156
Manuel Pégourié-Gonnarda5402fe2012-11-07 20:24:05 +0100[diff] [blame]157/*
158 * Set a group using well-known domain parameters
159 */
160int ecp_use_known_dp( ecp_group *grp, size_t index )
161{
162 switch( index )
163 {
164 case POLARSSL_ECP_DP_SECP192R1:
165 return( ecp_group_read_string( grp, 16,
166 POLARSSL_ECP_SECP192R1_P,
167 POLARSSL_ECP_SECP192R1_B,
168 POLARSSL_ECP_SECP192R1_GX,
169 POLARSSL_ECP_SECP192R1_GY,
170 POLARSSL_ECP_SECP192R1_N )
171 );
172 case POLARSSL_ECP_DP_SECP224R1:
173 return( ecp_group_read_string( grp, 16,
174 POLARSSL_ECP_SECP224R1_P,
175 POLARSSL_ECP_SECP224R1_B,
176 POLARSSL_ECP_SECP224R1_GX,
177 POLARSSL_ECP_SECP224R1_GY,
178 POLARSSL_ECP_SECP224R1_N )
179 );
180 case POLARSSL_ECP_DP_SECP256R1:
181 return( ecp_group_read_string( grp, 16,
182 POLARSSL_ECP_SECP256R1_P,
183 POLARSSL_ECP_SECP256R1_B,
184 POLARSSL_ECP_SECP256R1_GX,
185 POLARSSL_ECP_SECP256R1_GY,
186 POLARSSL_ECP_SECP256R1_N )
187 );
188 case POLARSSL_ECP_DP_SECP384R1:
189 return( ecp_group_read_string( grp, 16,
190 POLARSSL_ECP_SECP384R1_P,
191 POLARSSL_ECP_SECP384R1_B,
192 POLARSSL_ECP_SECP384R1_GX,
193 POLARSSL_ECP_SECP384R1_GY,
194 POLARSSL_ECP_SECP384R1_N )
195 );
196 case POLARSSL_ECP_DP_SECP521R1:
197 return( ecp_group_read_string( grp, 16,
198 POLARSSL_ECP_SECP521R1_P,
199 POLARSSL_ECP_SECP521R1_B,
200 POLARSSL_ECP_SECP521R1_GX,
201 POLARSSL_ECP_SECP521R1_GY,
202 POLARSSL_ECP_SECP521R1_N )
203 );
204 }
205
206 return( POLARSSL_ERR_ECP_GENERIC );
207}
Manuel Pégourié-Gonnardab38b702012-11-05 17:34:55 +0100[diff] [blame]208
Manuel Pégourié-Gonnard847395a2012-11-05 13:13:44 +0100[diff] [blame]209/*
Manuel Pégourié-Gonnardae180d02012-11-02 18:14:40 +0100[diff] [blame]210 * Addition: R = P + Q, generic case (P != Q, P != 0, Q != 0, R != 0)
211 * Cf SEC1 v2 p. 7, item 4
212 */
213static int ecp_add_generic( const ecp_group *grp, ecp_point *R,
214 const ecp_point *P, const ecp_point *Q )
215{
216 int ret = 0;
Manuel Pégourié-Gonnardab38b702012-11-05 17:34:55 +0100[diff] [blame]217 mpi DX, DY, K, L, LL, X, Y;
Manuel Pégourié-Gonnardae180d02012-11-02 18:14:40 +0100[diff] [blame]218
219 mpi_init( &DX ); mpi_init( &DY ); mpi_init( &K ); mpi_init( &L );
Manuel Pégourié-Gonnardab38b702012-11-05 17:34:55 +0100[diff] [blame]220 mpi_init( &LL ); mpi_init( &X ); mpi_init( &Y );
Manuel Pégourié-Gonnardae180d02012-11-02 18:14:40 +0100[diff] [blame]221
222 /*
223 * L = (Q.Y - P.Y) / (Q.X - P.X) mod p
224 */
225 MPI_CHK( mpi_sub_mpi( &DY, &Q->Y, &P->Y ) );
226 MPI_CHK( mpi_sub_mpi( &DX, &Q->X, &P->X ) );
227 MPI_CHK( mpi_inv_mod( &K, &DX, &grp->P ) );
228 MPI_CHK( mpi_mul_mpi( &K, &K, &DY ) );
229 MPI_CHK( mpi_mod_mpi( &L, &K, &grp->P ) );
230
231 /*
232 * LL = L^2 mod p
Manuel Pégourié-Gonnardae180d02012-11-02 18:14:40 +0100[diff] [blame]233 */
234 MPI_CHK( mpi_mul_mpi( &LL, &L, &L ) );
235 MPI_CHK( mpi_mod_mpi( &LL, &LL, &grp->P ) );
Manuel Pégourié-Gonnardae180d02012-11-02 18:14:40 +0100[diff] [blame]236
237 /*
Manuel Pégourié-Gonnardab38b702012-11-05 17:34:55 +0100[diff] [blame]238 * X = L^2 - P.X - Q.X
Manuel Pégourié-Gonnardae180d02012-11-02 18:14:40 +0100[diff] [blame]239 */
Manuel Pégourié-Gonnardab38b702012-11-05 17:34:55 +0100[diff] [blame]240 MPI_CHK( mpi_sub_mpi( &X, &LL, &P->X ) );
241 MPI_CHK( mpi_sub_mpi( &X, &X, &Q->X ) );
242
243 /*
244 * Y = L * (P.X - X) - P.Y
245 */
246 MPI_CHK( mpi_sub_mpi( &Y, &P->X, &X) );
Manuel Pégourié-Gonnardae180d02012-11-02 18:14:40 +0100[diff] [blame]247 MPI_CHK( mpi_mul_mpi( &Y, &Y, &L ) );
248 MPI_CHK( mpi_sub_mpi( &Y, &Y, &P->Y ) );
249
250 /*
251 * R = (X mod p, Y mod p)
252 */
253 R->is_zero = 0;
254 MPI_CHK( mpi_mod_mpi( &R->X, &X, &grp->P ) );
255 MPI_CHK( mpi_mod_mpi( &R->Y, &Y, &grp->P ) );
256
257cleanup:
258
259 mpi_free( &DX ); mpi_free( &DY ); mpi_free( &K ); mpi_free( &L );
Manuel Pégourié-Gonnardab38b702012-11-05 17:34:55 +0100[diff] [blame]260 mpi_free( &LL ); mpi_free( &X ); mpi_free( &Y );
Manuel Pégourié-Gonnardae180d02012-11-02 18:14:40 +0100[diff] [blame]261
262 return( ret );
263}
264
265/*
266 * Doubling: R = 2 * P, generic case (P != 0, R != 0)
Manuel Pégourié-Gonnardde532ee2012-11-06 16:10:47 +0100[diff] [blame]267 * Cf SEC1 v2 p. 7, item 5
Manuel Pégourié-Gonnardae180d02012-11-02 18:14:40 +0100[diff] [blame]268 */
269static int ecp_double_generic( const ecp_group *grp, ecp_point *R,
270 const ecp_point *P )
271{
272 int ret = 0;
Manuel Pégourié-Gonnardde532ee2012-11-06 16:10:47 +0100[diff] [blame]273 mpi LN, LD, K, L, LL, X, Y;
Manuel Pégourié-Gonnardae180d02012-11-02 18:14:40 +0100[diff] [blame]274
Manuel Pégourié-Gonnardde532ee2012-11-06 16:10:47 +0100[diff] [blame]275 mpi_init( &LN ); mpi_init( &LD ); mpi_init( &K ); mpi_init( &L );
276 mpi_init( &LL ); mpi_init( &X ); mpi_init( &Y );
277
278 /*
279 * L = 3 (P.X - 1) (P.X + 1) / (2 P.Y) mod p
280 */
281 MPI_CHK( mpi_copy( &LD, &P->Y ) );
282 MPI_CHK( mpi_shift_l( &LD, 1 ) );
283 MPI_CHK( mpi_inv_mod( &K, &LD, &grp->P ) );
284 MPI_CHK( mpi_mul_int( &K, &K, 3 ) );
285 MPI_CHK( mpi_sub_int( &LN, &P->X, 1 ) );
286 MPI_CHK( mpi_mul_mpi( &K, &K, &LN ) );
287 MPI_CHK( mpi_add_int( &LN, &P->X, 1 ) );
288 MPI_CHK( mpi_mul_mpi( &K, &K, &LN ) );
289 MPI_CHK( mpi_mod_mpi( &L, &K, &grp->P ) );
290
291 /*
292 * LL = L^2 mod p
293 */
294 MPI_CHK( mpi_mul_mpi( &LL, &L, &L ) );
295 MPI_CHK( mpi_mod_mpi( &LL, &LL, &grp->P ) );
296
297 /*
298 * X = L^2 - 2 * P.X
299 */
300 MPI_CHK( mpi_sub_mpi( &X, &LL, &P->X ) );
301 MPI_CHK( mpi_sub_mpi( &X, &X, &P->X ) );
302
303 /*
304 * Y = L * (P.X - X) - P.Y
305 */
306 MPI_CHK( mpi_sub_mpi( &Y, &P->X, &X) );
307 MPI_CHK( mpi_mul_mpi( &Y, &Y, &L ) );
308 MPI_CHK( mpi_sub_mpi( &Y, &Y, &P->Y ) );
309
310 /*
311 * R = (X mod p, Y mod p)
312 */
313 R->is_zero = 0;
314 MPI_CHK( mpi_mod_mpi( &R->X, &X, &grp->P ) );
315 MPI_CHK( mpi_mod_mpi( &R->Y, &Y, &grp->P ) );
316
317cleanup:
318
Manuel Pégourié-Gonnardb4ab8a82012-11-06 18:13:32 +0100[diff] [blame]319 mpi_free( &LN ); mpi_free( &LD ); mpi_free( &K ); mpi_free( &L );
320 mpi_free( &LL ); mpi_free( &X ); mpi_free( &Y );
Manuel Pégourié-Gonnardae180d02012-11-02 18:14:40 +0100[diff] [blame]321
322 return( ret );
323}
324
325/*
326 * Addition: R = P + Q, cf p. 7 of SEC1 v2
327 */
328int ecp_add( const ecp_group *grp, ecp_point *R,
329 const ecp_point *P, const ecp_point *Q )
330{
331 int ret = 0;
332
333 if( P->is_zero )
334 {
335 ret = ecp_copy( R, Q );
336 }
337 else if( Q->is_zero )
338 {
339 ret = ecp_copy( R, P );
340 }
341 else if( mpi_cmp_mpi( &P->X, &Q->X ) != 0 )
342 {
343 ret = ecp_add_generic( grp, R, P, Q );
344 }
345 else if( mpi_cmp_int( &P->Y, 0 ) == 0 ||
346 mpi_cmp_mpi( &P->Y, &Q->Y ) != 0 )
347 {
348 ecp_set_zero( R );
349 }
350 else
351 {
352 /*
353 * P == Q
354 */
355 ret = ecp_double_generic( grp, R, P );
356 }
357
358 return ret;
359}
360
Manuel Pégourié-Gonnardefaa31e2012-11-06 21:34:35 +0100[diff] [blame]361/*
362 * Integer multiplication: R = m * P
363 * Using Montgomery's Ladder to avoid leaking information about m
364 */
365int ecp_mul( const ecp_group *grp, ecp_point *R,
366 const mpi *m, const ecp_point *P )
367{
368 int ret = 0;
369 size_t pos;
370 ecp_point A, B;
371
372 ecp_point_init( &A ); ecp_point_init( &B );
373
374 /*
375 * The general method works only for m >= 2
376 */
377 if( mpi_cmp_int( m, 0 ) == 0 ) {
378 ecp_set_zero( R );
379 goto cleanup;
380 }
381
382 if( mpi_cmp_int( m, 1 ) == 0 ) {
383 MPI_CHK( ecp_copy( R, P ) );
384 goto cleanup;
385 }
386
387 MPI_CHK( ecp_copy( &A, P ) );
388 MPI_CHK( ecp_add( grp, &B, P, P ) );
389
390 for( pos = mpi_msb( m ) - 2; ; pos-- )
391 {
392 if( mpi_get_bit( m, pos ) == 0 )
393 {
394 MPI_CHK( ecp_add( grp, &B, &A, &B ) );
395 MPI_CHK( ecp_add( grp, &A, &A, &A ) ) ;
396 }
397 else
398 {
399 MPI_CHK( ecp_add( grp, &A, &A, &B ) );
400 MPI_CHK( ecp_add( grp, &B, &B, &B ) ) ;
401 }
402
403 if( pos == 0 )
404 break;
405 }
406
407 MPI_CHK( ecp_copy( R, &A ) );
408
409cleanup:
410
411 ecp_point_free( &A ); ecp_point_free( &B );
412
413 return( ret );
414}
415
416
Manuel Pégourié-Gonnard39d2adb2012-10-31 09:26:55 +0100[diff] [blame]417#if defined(POLARSSL_SELF_TEST)
418
Manuel Pégourié-Gonnardb505c272012-11-05 17:27:54 +0100[diff] [blame]419/*
Manuel Pégourié-Gonnard39d2adb2012-10-31 09:26:55 +0100[diff] [blame]420 * Checkup routine
421 */
422int ecp_self_test( int verbose )
423{
Manuel Pégourié-Gonnard4b8c3f22012-11-07 21:39:45 +0100[diff] [blame]424 return( verbose++ );
Manuel Pégourié-Gonnard39d2adb2012-10-31 09:26:55 +0100[diff] [blame]425}
426
427#endif
428
429#endif