31 typedef int (*hash_to_group_func_t)(const EC_GROUP *group, EC_RAW_POINT *out,
33 typedef int (*hash_to_scalar_func_t)(const EC_GROUP *group, EC_SCALAR *out,
37   const EC_GROUP *group;  member
52   method->group = EC_GROUP_new_by_curve_name(curve_nid);  in voprf_init_method()
53   if (method->group == NULL) {  in voprf_init_method()
63 static int cbb_add_point(CBB *out, const EC_GROUP *group,  in cbb_add_point()  argument
66       ec_point_to_bytes(group, point, POINT_CONVERSION_UNCOMPRESSED, NULL, 0);  in cbb_add_point()
73          ec_point_to_bytes(group, point, POINT_CONVERSION_UNCOMPRESSED, p,  in cbb_add_point()
78 static int cbs_get_point(CBS *cbs, const EC_GROUP *group, EC_AFFINE *out) {  in cbs_get_point()  argument
80   size_t plen = 1 + 2 * BN_num_bytes(&group->field);  in cbs_get_point()
82       !ec_point_from_uncompressed(group, out, CBS_data(&child),  in cbs_get_point()
89 static int scalar_to_cbb(CBB *out, const EC_GROUP *group,  in scalar_to_cbb()  argument
92   size_t scalar_len = BN_num_bytes(&group->order);  in scalar_to_cbb()
97   ec_scalar_to_bytes(group, buf, &scalar_len, scalar);  in scalar_to_cbb()
101 static int scalar_from_cbs(CBS *cbs, const EC_GROUP *group, EC_SCALAR *out) {  in scalar_from_cbs()  argument
102   size_t scalar_len = BN_num_bytes(&group->order);  in scalar_from_cbs()
109   ec_scalar_from_bytes(group, out, CBS_data(&tmp), CBS_len(&tmp));  in scalar_from_cbs()
115   const EC_GROUP *group = method->group;  in voprf_generate_key()  local
119   if (!ec_random_nonzero_scalar(group, &priv, kDefaultAdditionalData) ||  in voprf_generate_key()
120       !ec_point_mul_scalar_base(group, &pub, &priv) ||  in voprf_generate_key()
121       !ec_jacobian_to_affine(group, &pub_affine, &pub)) {  in voprf_generate_key()
126   if (!scalar_to_cbb(out_private, group, &priv) ||  in voprf_generate_key()
127       !cbb_add_point(out_public, group, &pub_affine)) {  in voprf_generate_key()
138   const EC_GROUP *group = method->group;  in voprf_client_key_from_bytes()  local
139   if (!ec_point_from_uncompressed(group, &key->pubs, in, len)) {  in voprf_client_key_from_bytes()
150   const EC_GROUP *group = method->group;  in voprf_issuer_key_from_bytes()  local
151   if (!ec_scalar_from_bytes(group, &key->xs, in, len)) {  in voprf_issuer_key_from_bytes()
158   if (!ec_point_mul_scalar_base(group, &pub, &key->xs) ||  in voprf_issuer_key_from_bytes()
159       !ec_jacobian_to_affine(group, &key->pubs, &pub)) {  in voprf_issuer_key_from_bytes()
168   const EC_GROUP *group = method->group;  in STACK_OF()  local
191     if (!ec_random_nonzero_scalar(group, &r,  in STACK_OF()
198     ec_scalar_inv0_montgomery(group, &pretoken->r, &r);  in STACK_OF()
200     ec_scalar_from_montgomery(group, &r, &r);  in STACK_OF()
201     ec_scalar_from_montgomery(group, &pretoken->r, &pretoken->r);  in STACK_OF()
205     if (!method->hash_to_group(group, &P, pretoken->t) ||  in STACK_OF()
206         !ec_point_mul_scalar(group, &Tp, &P, &r) ||  in STACK_OF()
207         !ec_jacobian_to_affine(group, &pretoken->Tp, &Tp)) {  in STACK_OF()
211     if (!cbb_add_point(cbb, group, &pretoken->Tp)) {  in STACK_OF()
236       !cbb_add_point(&cbb, method->group, X) ||  in hash_to_scalar_dleq()
237       !cbb_add_point(&cbb, method->group, T) ||  in hash_to_scalar_dleq()
238       !cbb_add_point(&cbb, method->group, W) ||  in hash_to_scalar_dleq()
239       !cbb_add_point(&cbb, method->group, K0) ||  in hash_to_scalar_dleq()
240       !cbb_add_point(&cbb, method->group, K1) ||  in hash_to_scalar_dleq()
242       !method->hash_to_scalar(method->group, out, buf, len)) {  in hash_to_scalar_dleq()
274       !method->hash_to_scalar(method->group, out, buf, len)) {  in hash_to_scalar_batch()
290   const EC_GROUP *group = method->group;  in dleq_generate()  local
304       !ec_random_nonzero_scalar(group, &r, kDefaultAdditionalData) ||  in dleq_generate()
306       !ec_point_mul_scalar_base(group, &jacobians[idx_k0], &r) ||  in dleq_generate()
307       !ec_point_mul_scalar(group, &jacobians[idx_k1], T, &r))  {  in dleq_generate()
314   if (!ec_jacobian_to_affine_batch(group, affines, jacobians, num_idx)) {  in dleq_generate()
328   ec_scalar_to_montgomery(group, &c_mont, &c);  in dleq_generate()
332   ec_scalar_mul_montgomery(group, &u, &priv->xs, &c_mont);  in dleq_generate()
333   ec_scalar_add(group, &u, &r, &u);  in dleq_generate()
336   if (!scalar_to_cbb(cbb, group, &c) ||  in dleq_generate()
337       !scalar_to_cbb(cbb, group, &u)) {  in dleq_generate()
345 static int mul_public_2(const EC_GROUP *group, EC_RAW_POINT *out,  in mul_public_2()  argument
350   return ec_point_mul_scalar_public_batch(group, out, /*g_scalar=*/NULL, points,  in mul_public_2()
357   const EC_GROUP *group = method->group;  in dleq_verify()  local
371   if (!scalar_from_cbs(cbs, group, &c) ||  in dleq_verify()
372       !scalar_from_cbs(cbs, group, &u)) {  in dleq_verify()
379   ec_affine_to_jacobian(group, &pubs, &pub->pubs);  in dleq_verify()
381   ec_scalar_neg(group, &minus_c, &c);  in dleq_verify()
382   if (!ec_point_mul_scalar_public(group, &jacobians[idx_k0], &u, &pubs,  in dleq_verify()
384       !mul_public_2(group, &jacobians[idx_k1], T, &u, W, &minus_c)) {  in dleq_verify()
392   if (!ec_jacobian_to_affine_batch(group, affines, jacobians, num_idx)) {  in dleq_verify()
405   if (!ec_scalar_equal_vartime(group, &c, &calculated)) {  in dleq_verify()
416   const EC_GROUP *group = method->group;  in voprf_sign()  local
438       !cbb_add_point(&batch_cbb, method->group, &key->pubs)) {  in voprf_sign()
446     if (!cbs_get_point(cbs, group, &BT_affine)) {  in voprf_sign()
450     ec_affine_to_jacobian(group, &BT, &BT_affine);  in voprf_sign()
451     if (!ec_point_mul_scalar(group, &Z, &BT, &key->xs) ||  in voprf_sign()
452         !ec_jacobian_to_affine(group, &Z_affine, &Z) ||  in voprf_sign()
453         !cbb_add_point(cbb, group, &Z_affine)) {  in voprf_sign()
457     if (!cbb_add_point(&batch_cbb, group, &BT_affine) ||  in voprf_sign()
458         !cbb_add_point(&batch_cbb, group, &Z_affine)) {  in voprf_sign()
480   if (!ec_point_mul_scalar_public_batch(group, &BT_batch,  in voprf_sign()
483       !ec_point_mul_scalar_public_batch(group, &Z_batch,  in voprf_sign()
497   size_t point_len = 1 + 2 * BN_num_bytes(&group->field);  in voprf_sign()
517   const EC_GROUP *group = method->group;  in STACK_OF()  local
544       !cbb_add_point(&batch_cbb, method->group, &key->pubs)) {  in STACK_OF()
554     if (!cbs_get_point(cbs, group, &Z_affine)) {  in STACK_OF()
559     ec_affine_to_jacobian(group, &BTs[i], &pretoken->Tp);  in STACK_OF()
560     ec_affine_to_jacobian(group, &Zs[i], &Z_affine);  in STACK_OF()
562     if (!cbb_add_point(&batch_cbb, group, &pretoken->Tp) ||  in STACK_OF()
563         !cbb_add_point(&batch_cbb, group, &Z_affine)) {  in STACK_OF()
572     if (!ec_point_mul_scalar(group, &N, &Zs[i], &pretoken->r) ||  in STACK_OF()
573         !ec_jacobian_to_affine(group, &N_affine, &N)) {  in STACK_OF()
580     size_t point_len = 1 + 2 * BN_num_bytes(&group->field);  in STACK_OF()
584         !cbb_add_point(&token_cbb, group, &N_affine) ||  in STACK_OF()
611   if (!ec_point_mul_scalar_public_batch(group, &BT_batch,  in STACK_OF()
613       !ec_point_mul_scalar_public_batch(group, &Z_batch,  in STACK_OF()
643   const EC_GROUP *group = method->group;  in voprf_read()  local
648       !cbs_get_point(&cbs, group, &Ws) ||  in voprf_read()
656   if (!method->hash_to_group(group, &T, out_nonce)) {  in voprf_read()
661   if (!ec_point_mul_scalar(group, &Ws_calculated, &T, &key->xs) ||  in voprf_read()
662       !ec_affine_jacobian_equal(group, &Ws, &Ws_calculated)) {  in voprf_read()
673 static int voprf_exp2_hash_to_group(const EC_GROUP *group, EC_RAW_POINT *out,  in voprf_exp2_hash_to_group()  argument
677       group, out, kHashTLabel, sizeof(kHashTLabel), t, TRUST_TOKEN_NONCE_SIZE);  in voprf_exp2_hash_to_group()
680 static int voprf_exp2_hash_to_scalar(const EC_GROUP *group, EC_SCALAR *out,  in voprf_exp2_hash_to_scalar()  argument
684       group, out, kHashCLabel, sizeof(kHashCLabel), buf, len);  in voprf_exp2_hash_to_scalar()