1 /* Originally written by Bodo Moeller for the OpenSSL project. 2 * ==================================================================== 3 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in 14 * the documentation and/or other materials provided with the 15 * distribution. 16 * 17 * 3. All advertising materials mentioning features or use of this 18 * software must display the following acknowledgment: 19 * "This product includes software developed by the OpenSSL Project 20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 21 * 22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 23 * endorse or promote products derived from this software without 24 * prior written permission. For written permission, please contact 25 * openssl-core@openssl.org. 26 * 27 * 5. Products derived from this software may not be called "OpenSSL" 28 * nor may "OpenSSL" appear in their names without prior written 29 * permission of the OpenSSL Project. 30 * 31 * 6. Redistributions of any form whatsoever must retain the following 32 * acknowledgment: 33 * "This product includes software developed by the OpenSSL Project 34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 35 * 36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 47 * OF THE POSSIBILITY OF SUCH DAMAGE. 48 * ==================================================================== 49 * 50 * This product includes cryptographic software written by Eric Young 51 * (eay@cryptsoft.com). This product includes software written by Tim 52 * Hudson (tjh@cryptsoft.com). 53 * 54 */ 55 /* ==================================================================== 56 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 57 * 58 * Portions of the attached software ("Contribution") are developed by 59 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 60 * 61 * The Contribution is licensed pursuant to the OpenSSL open source 62 * license provided above. 63 * 64 * The elliptic curve binary polynomial software is originally written by 65 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems 66 * Laboratories. */ 67 68 #ifndef OPENSSL_HEADER_EC_INTERNAL_H 69 #define OPENSSL_HEADER_EC_INTERNAL_H 70 71 #include <openssl/base.h> 72 73 #include <assert.h> 74 75 #include <openssl/bn.h> 76 #include <openssl/ec.h> 77 #include <openssl/ex_data.h> 78 79 #include "../bn/internal.h" 80 81 #if defined(__cplusplus) 82 extern "C" { 83 #endif 84 85 86 // EC internals. 87 88 89 // Cap the size of all field elements and scalars, including custom curves, to 90 // 66 bytes, large enough to fit secp521r1 and brainpoolP512r1, which appear to 91 // be the largest fields anyone plausibly uses. 92 #define EC_MAX_BYTES 66 93 #define EC_MAX_WORDS ((EC_MAX_BYTES + BN_BYTES - 1) / BN_BYTES) 94 #define EC_MAX_COMPRESSED (EC_MAX_BYTES + 1) 95 #define EC_MAX_UNCOMPRESSED (2 * EC_MAX_BYTES + 1) 96 97 static_assert(EC_MAX_WORDS <= BN_SMALL_MAX_WORDS, 98 "bn_*_small functions not usable"); 99 100 101 // Scalars. 102 103 // An EC_SCALAR is an integer fully reduced modulo the order. Only the first 104 // |order->width| words are used. An |EC_SCALAR| is specific to an |EC_GROUP| 105 // and must not be mixed between groups. 106 typedef struct { 107 BN_ULONG words[EC_MAX_WORDS]; 108 } EC_SCALAR; 109 110 // ec_bignum_to_scalar converts |in| to an |EC_SCALAR| and writes it to 111 // |*out|. It returns one on success and zero if |in| is out of range. 112 OPENSSL_EXPORT int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out, 113 const BIGNUM *in); 114 115 // ec_scalar_to_bytes serializes |in| as a big-endian bytestring to |out| and 116 // sets |*out_len| to the number of bytes written. The number of bytes written 117 // is |BN_num_bytes(&group->order)|, which is at most |EC_MAX_BYTES|. 118 OPENSSL_EXPORT void ec_scalar_to_bytes(const EC_GROUP *group, uint8_t *out, 119 size_t *out_len, const EC_SCALAR *in); 120 121 // ec_scalar_from_bytes deserializes |in| and stores the resulting scalar over 122 // group |group| to |out|. It returns one on success and zero if |in| is 123 // invalid. 124 OPENSSL_EXPORT int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out, 125 const uint8_t *in, size_t len); 126 127 // ec_scalar_reduce sets |out| to |words|, reduced modulo the group order. 128 // |words| must be less than order^2. |num| must be at most twice the width of 129 // group order. This function treats |words| as secret. 130 void ec_scalar_reduce(const EC_GROUP *group, EC_SCALAR *out, 131 const BN_ULONG *words, size_t num); 132 133 // ec_random_nonzero_scalar sets |out| to a uniformly selected random value from 134 // 1 to |group->order| - 1. It returns one on success and zero on error. 135 int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out, 136 const uint8_t additional_data[32]); 137 138 // ec_scalar_equal_vartime returns one if |a| and |b| are equal and zero 139 // otherwise. Both values are treated as public. 140 int ec_scalar_equal_vartime(const EC_GROUP *group, const EC_SCALAR *a, 141 const EC_SCALAR *b); 142 143 // ec_scalar_is_zero returns one if |a| is zero and zero otherwise. 144 int ec_scalar_is_zero(const EC_GROUP *group, const EC_SCALAR *a); 145 146 // ec_scalar_add sets |r| to |a| + |b|. 147 void ec_scalar_add(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a, 148 const EC_SCALAR *b); 149 150 // ec_scalar_sub sets |r| to |a| - |b|. 151 void ec_scalar_sub(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a, 152 const EC_SCALAR *b); 153 154 // ec_scalar_neg sets |r| to -|a|. 155 void ec_scalar_neg(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a); 156 157 // ec_scalar_to_montgomery sets |r| to |a| in Montgomery form. 158 void ec_scalar_to_montgomery(const EC_GROUP *group, EC_SCALAR *r, 159 const EC_SCALAR *a); 160 161 // ec_scalar_to_montgomery sets |r| to |a| converted from Montgomery form. 162 void ec_scalar_from_montgomery(const EC_GROUP *group, EC_SCALAR *r, 163 const EC_SCALAR *a); 164 165 // ec_scalar_mul_montgomery sets |r| to |a| * |b| where inputs and outputs are 166 // in Montgomery form. 167 void ec_scalar_mul_montgomery(const EC_GROUP *group, EC_SCALAR *r, 168 const EC_SCALAR *a, const EC_SCALAR *b); 169 170 // ec_scalar_inv0_montgomery sets |r| to |a|^-1 where inputs and outputs are in 171 // Montgomery form. If |a| is zero, |r| is set to zero. 172 void ec_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r, 173 const EC_SCALAR *a); 174 175 // ec_scalar_to_montgomery_inv_vartime sets |r| to |a|^-1 R. That is, it takes 176 // in |a| not in Montgomery form and computes the inverse in Montgomery form. It 177 // returns one on success and zero if |a| has no inverse. This function assumes 178 // |a| is public and may leak information about it via timing. 179 // 180 // Note this is not the same operation as |ec_scalar_inv0_montgomery|. 181 int ec_scalar_to_montgomery_inv_vartime(const EC_GROUP *group, EC_SCALAR *r, 182 const EC_SCALAR *a); 183 184 // ec_scalar_select, in constant time, sets |out| to |a| if |mask| is all ones 185 // and |b| if |mask| is all zeros. 186 void ec_scalar_select(const EC_GROUP *group, EC_SCALAR *out, BN_ULONG mask, 187 const EC_SCALAR *a, const EC_SCALAR *b); 188 189 190 // Field elements. 191 192 // An EC_FELEM represents a field element. Only the first |field->width| words 193 // are used. An |EC_FELEM| is specific to an |EC_GROUP| and must not be mixed 194 // between groups. Additionally, the representation (whether or not elements are 195 // represented in Montgomery-form) may vary between |EC_METHOD|s. 196 typedef struct { 197 BN_ULONG words[EC_MAX_WORDS]; 198 } EC_FELEM; 199 200 // ec_bignum_to_felem converts |in| to an |EC_FELEM|. It returns one on success 201 // and zero if |in| is out of range. 202 int ec_bignum_to_felem(const EC_GROUP *group, EC_FELEM *out, const BIGNUM *in); 203 204 // ec_felem_to_bignum converts |in| to a |BIGNUM|. It returns one on success and 205 // zero on allocation failure. 206 int ec_felem_to_bignum(const EC_GROUP *group, BIGNUM *out, const EC_FELEM *in); 207 208 // ec_felem_to_bytes serializes |in| as a big-endian bytestring to |out| and 209 // sets |*out_len| to the number of bytes written. The number of bytes written 210 // is |BN_num_bytes(&group->order)|, which is at most |EC_MAX_BYTES|. 211 void ec_felem_to_bytes(const EC_GROUP *group, uint8_t *out, size_t *out_len, 212 const EC_FELEM *in); 213 214 // ec_felem_from_bytes deserializes |in| and stores the resulting field element 215 // to |out|. It returns one on success and zero if |in| is invalid. 216 int ec_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out, const uint8_t *in, 217 size_t len); 218 219 // ec_felem_neg sets |out| to -|a|. 220 void ec_felem_neg(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a); 221 222 // ec_felem_add sets |out| to |a| + |b|. 223 void ec_felem_add(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a, 224 const EC_FELEM *b); 225 226 // ec_felem_add sets |out| to |a| - |b|. 227 void ec_felem_sub(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a, 228 const EC_FELEM *b); 229 230 // ec_felem_non_zero_mask returns all ones if |a| is non-zero and all zeros 231 // otherwise. 232 BN_ULONG ec_felem_non_zero_mask(const EC_GROUP *group, const EC_FELEM *a); 233 234 // ec_felem_select, in constant time, sets |out| to |a| if |mask| is all ones 235 // and |b| if |mask| is all zeros. 236 void ec_felem_select(const EC_GROUP *group, EC_FELEM *out, BN_ULONG mask, 237 const EC_FELEM *a, const EC_FELEM *b); 238 239 // ec_felem_equal returns one if |a| and |b| are equal and zero otherwise. 240 int ec_felem_equal(const EC_GROUP *group, const EC_FELEM *a, const EC_FELEM *b); 241 242 243 // Points. 244 // 245 // Points may represented in affine coordinates as |EC_AFFINE| or Jacobian 246 // coordinates as |EC_RAW_POINT|. Affine coordinates directly represent a 247 // point on the curve, but point addition over affine coordinates requires 248 // costly field inversions, so arithmetic is done in Jacobian coordinates. 249 // Converting from affine to Jacobian is cheap, while converting from Jacobian 250 // to affine costs a field inversion. (Jacobian coordinates amortize the field 251 // inversions needed in a sequence of point operations.) 252 // 253 // TODO(davidben): Rename |EC_RAW_POINT| to |EC_JACOBIAN|. 254 255 // An EC_RAW_POINT represents an elliptic curve point in Jacobian coordinates. 256 // Unlike |EC_POINT|, it is a plain struct which can be stack-allocated and 257 // needs no cleanup. It is specific to an |EC_GROUP| and must not be mixed 258 // between groups. 259 typedef struct { 260 // X, Y, and Z are Jacobian projective coordinates. They represent 261 // (X/Z^2, Y/Z^3) if Z != 0 and the point at infinity otherwise. 262 EC_FELEM X, Y, Z; 263 } EC_RAW_POINT; 264 265 // An EC_AFFINE represents an elliptic curve point in affine coordinates. 266 // coordinates. Note the point at infinity cannot be represented in affine 267 // coordinates. 268 typedef struct { 269 EC_FELEM X, Y; 270 } EC_AFFINE; 271 272 // ec_affine_to_jacobian converts |p| to Jacobian form and writes the result to 273 // |*out|. This operation is very cheap and only costs a few copies. 274 void ec_affine_to_jacobian(const EC_GROUP *group, EC_RAW_POINT *out, 275 const EC_AFFINE *p); 276 277 // ec_jacobian_to_affine converts |p| to affine form and writes the result to 278 // |*out|. It returns one on success and zero if |p| was the point at infinity. 279 // This operation performs a field inversion and should only be done once per 280 // point. 281 // 282 // If only extracting the x-coordinate, use |ec_get_x_coordinate_*| which is 283 // slightly faster. 284 OPENSSL_EXPORT int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out, 285 const EC_RAW_POINT *p); 286 287 // ec_jacobian_to_affine_batch converts |num| points in |in| from Jacobian 288 // coordinates to affine coordinates and writes the results to |out|. It returns 289 // one on success and zero if any of the input points were infinity. 290 // 291 // This function is not implemented for all curves. Add implementations as 292 // needed. 293 int ec_jacobian_to_affine_batch(const EC_GROUP *group, EC_AFFINE *out, 294 const EC_RAW_POINT *in, size_t num); 295 296 // ec_point_set_affine_coordinates sets |out|'s to a point with affine 297 // coordinates |x| and |y|. It returns one if the point is on the curve and 298 // zero otherwise. If the point is not on the curve, the value of |out| is 299 // undefined. 300 int ec_point_set_affine_coordinates(const EC_GROUP *group, EC_AFFINE *out, 301 const EC_FELEM *x, const EC_FELEM *y); 302 303 // ec_point_mul_no_self_test does the same as |EC_POINT_mul|, but doesn't try to 304 // run the self-test first. This is for use in the self tests themselves, to 305 // prevent an infinite loop. 306 int ec_point_mul_no_self_test(const EC_GROUP *group, EC_POINT *r, 307 const BIGNUM *g_scalar, const EC_POINT *p, 308 const BIGNUM *p_scalar, BN_CTX *ctx); 309 310 // ec_point_mul_scalar sets |r| to |p| * |scalar|. Both inputs are considered 311 // secret. 312 int ec_point_mul_scalar(const EC_GROUP *group, EC_RAW_POINT *r, 313 const EC_RAW_POINT *p, const EC_SCALAR *scalar); 314 315 // ec_point_mul_scalar_base sets |r| to generator * |scalar|. |scalar| is 316 // treated as secret. 317 int ec_point_mul_scalar_base(const EC_GROUP *group, EC_RAW_POINT *r, 318 const EC_SCALAR *scalar); 319 320 // ec_point_mul_scalar_batch sets |r| to |p0| * |scalar0| + |p1| * |scalar1| + 321 // |p2| * |scalar2|. |p2| may be NULL to skip that term. 322 // 323 // The inputs are treated as secret, however, this function leaks information 324 // about whether intermediate computations add a point to itself. Callers must 325 // ensure that discrete logs between |p0|, |p1|, and |p2| are uniformly 326 // distributed and independent of the scalars, which should be uniformly 327 // selected and not under the attackers control. This ensures the doubling case 328 // will occur with negligible probability. 329 // 330 // This function is not implemented for all curves. Add implementations as 331 // needed. 332 // 333 // TODO(davidben): This function does not use base point tables. For now, it is 334 // only used with the generic |EC_GFp_mont_method| implementation which has 335 // none. If generalizing to tuned curves, this may be useful. However, we still 336 // must double up to the least efficient input, so precomputed tables can only 337 // save table setup and allow a wider window size. 338 int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_RAW_POINT *r, 339 const EC_RAW_POINT *p0, const EC_SCALAR *scalar0, 340 const EC_RAW_POINT *p1, const EC_SCALAR *scalar1, 341 const EC_RAW_POINT *p2, const EC_SCALAR *scalar2); 342 343 #define EC_MONT_PRECOMP_COMB_SIZE 5 344 345 // An |EC_PRECOMP| stores precomputed information about a point, to optimize 346 // repeated multiplications involving it. It is a union so different 347 // |EC_METHOD|s can store different information in it. 348 typedef union { 349 EC_AFFINE comb[(1 << EC_MONT_PRECOMP_COMB_SIZE) - 1]; 350 } EC_PRECOMP; 351 352 // ec_init_precomp precomputes multiples of |p| and writes the result to |out|. 353 // It returns one on success and zero on error. The resulting table may be used 354 // with |ec_point_mul_scalar_precomp|. This function will fail if |p| is the 355 // point at infinity. 356 // 357 // This function is not implemented for all curves. Add implementations as 358 // needed. 359 int ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out, 360 const EC_RAW_POINT *p); 361 362 // ec_point_mul_scalar_precomp sets |r| to |p0| * |scalar0| + |p1| * |scalar1| + 363 // |p2| * |scalar2|. |p1| or |p2| may be NULL to skip the corresponding term. 364 // The points are represented as |EC_PRECOMP| and must be initialized with 365 // |ec_init_precomp|. This function runs faster than |ec_point_mul_scalar_batch| 366 // but requires setup work per input point, so it is only appropriate for points 367 // which are used frequently. 368 // 369 // The inputs are treated as secret, however, this function leaks information 370 // about whether intermediate computations add a point to itself. Callers must 371 // ensure that discrete logs between |p0|, |p1|, and |p2| are uniformly 372 // distributed and independent of the scalars, which should be uniformly 373 // selected and not under the attackers control. This ensures the doubling case 374 // will occur with negligible probability. 375 // 376 // This function is not implemented for all curves. Add implementations as 377 // needed. 378 // 379 // TODO(davidben): This function does not use base point tables. For now, it is 380 // only used with the generic |EC_GFp_mont_method| implementation which has 381 // none. If generalizing to tuned curves, we should add a parameter for the base 382 // point and arrange for the generic implementation to have base point tables 383 // available. 384 int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_RAW_POINT *r, 385 const EC_PRECOMP *p0, const EC_SCALAR *scalar0, 386 const EC_PRECOMP *p1, const EC_SCALAR *scalar1, 387 const EC_PRECOMP *p2, const EC_SCALAR *scalar2); 388 389 // ec_point_mul_scalar_public sets |r| to 390 // generator * |g_scalar| + |p| * |p_scalar|. It assumes that the inputs are 391 // public so there is no concern about leaking their values through timing. 392 OPENSSL_EXPORT int ec_point_mul_scalar_public(const EC_GROUP *group, 393 EC_RAW_POINT *r, 394 const EC_SCALAR *g_scalar, 395 const EC_RAW_POINT *p, 396 const EC_SCALAR *p_scalar); 397 398 // ec_point_mul_scalar_public_batch sets |r| to the sum of generator * 399 // |g_scalar| and |points[i]| * |scalars[i]| where |points| and |scalars| have 400 // |num| elements. It assumes that the inputs are public so there is no concern 401 // about leaking their values through timing. |g_scalar| may be NULL to skip 402 // that term. 403 // 404 // This function is not implemented for all curves. Add implementations as 405 // needed. 406 int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_RAW_POINT *r, 407 const EC_SCALAR *g_scalar, 408 const EC_RAW_POINT *points, 409 const EC_SCALAR *scalars, size_t num); 410 411 // ec_point_select, in constant time, sets |out| to |a| if |mask| is all ones 412 // and |b| if |mask| is all zeros. 413 void ec_point_select(const EC_GROUP *group, EC_RAW_POINT *out, BN_ULONG mask, 414 const EC_RAW_POINT *a, const EC_RAW_POINT *b); 415 416 // ec_affine_select behaves like |ec_point_select| but acts on affine points. 417 void ec_affine_select(const EC_GROUP *group, EC_AFFINE *out, BN_ULONG mask, 418 const EC_AFFINE *a, const EC_AFFINE *b); 419 420 // ec_precomp_select behaves like |ec_point_select| but acts on |EC_PRECOMP|. 421 void ec_precomp_select(const EC_GROUP *group, EC_PRECOMP *out, BN_ULONG mask, 422 const EC_PRECOMP *a, const EC_PRECOMP *b); 423 424 // ec_cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group 425 // order, with |r|. It returns one if the values match and zero if |p| is the 426 // point at infinity of the values do not match. 427 int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p, 428 const EC_SCALAR *r); 429 430 // ec_get_x_coordinate_as_scalar sets |*out| to |p|'s x-coordinate, modulo 431 // |group->order|. It returns one on success and zero if |p| is the point at 432 // infinity. 433 int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out, 434 const EC_RAW_POINT *p); 435 436 // ec_get_x_coordinate_as_bytes writes |p|'s affine x-coordinate to |out|, which 437 // must have at must |max_out| bytes. It sets |*out_len| to the number of bytes 438 // written. The value is written big-endian and zero-padded to the size of the 439 // field. This function returns one on success and zero on failure. 440 int ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out, 441 size_t *out_len, size_t max_out, 442 const EC_RAW_POINT *p); 443 444 // ec_point_byte_len returns the number of bytes in the byte representation of 445 // a non-infinity point in |group|, encoded according to |form|, or zero if 446 // |form| is invalid. 447 size_t ec_point_byte_len(const EC_GROUP *group, point_conversion_form_t form); 448 449 // ec_point_to_bytes encodes |point| according to |form| and writes the result 450 // |buf|. It returns the size of the output on success or zero on error. At most 451 // |max_out| bytes will be written. The buffer should be at least 452 // |ec_point_byte_len| long to guarantee success. 453 size_t ec_point_to_bytes(const EC_GROUP *group, const EC_AFFINE *point, 454 point_conversion_form_t form, uint8_t *buf, 455 size_t max_out); 456 457 // ec_point_from_uncompressed parses |in| as a point in uncompressed form and 458 // sets the result to |out|. It returns one on success and zero if the input was 459 // invalid. 460 int ec_point_from_uncompressed(const EC_GROUP *group, EC_AFFINE *out, 461 const uint8_t *in, size_t len); 462 463 // ec_set_to_safe_point sets |out| to an arbitrary point on |group|, either the 464 // generator or the point at infinity. This is used to guard against callers of 465 // external APIs not checking the return value. 466 void ec_set_to_safe_point(const EC_GROUP *group, EC_RAW_POINT *out); 467 468 // ec_affine_jacobian_equal returns one if |a| and |b| represent the same point 469 // and zero otherwise. It treats both inputs as secret. 470 int ec_affine_jacobian_equal(const EC_GROUP *group, const EC_AFFINE *a, 471 const EC_RAW_POINT *b); 472 473 474 // Implementation details. 475 476 struct ec_method_st { 477 int (*group_init)(EC_GROUP *); 478 void (*group_finish)(EC_GROUP *); 479 int (*group_set_curve)(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, 480 const BIGNUM *b, BN_CTX *); 481 482 // point_get_affine_coordinates sets |*x| and |*y| to the affine coordinates 483 // of |p|. Either |x| or |y| may be NULL to omit it. It returns one on success 484 // and zero if |p| is the point at infinity. 485 int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_RAW_POINT *p, 486 EC_FELEM *x, EC_FELEM *y); 487 488 // jacobian_to_affine_batch implements |ec_jacobian_to_affine_batch|. 489 int (*jacobian_to_affine_batch)(const EC_GROUP *group, EC_AFFINE *out, 490 const EC_RAW_POINT *in, size_t num); 491 492 // add sets |r| to |a| + |b|. 493 void (*add)(const EC_GROUP *group, EC_RAW_POINT *r, const EC_RAW_POINT *a, 494 const EC_RAW_POINT *b); 495 // dbl sets |r| to |a| + |a|. 496 void (*dbl)(const EC_GROUP *group, EC_RAW_POINT *r, const EC_RAW_POINT *a); 497 498 // mul sets |r| to |scalar|*|p|. 499 void (*mul)(const EC_GROUP *group, EC_RAW_POINT *r, const EC_RAW_POINT *p, 500 const EC_SCALAR *scalar); 501 // mul_base sets |r| to |scalar|*generator. 502 void (*mul_base)(const EC_GROUP *group, EC_RAW_POINT *r, 503 const EC_SCALAR *scalar); 504 // mul_batch implements |ec_mul_scalar_batch|. 505 void (*mul_batch)(const EC_GROUP *group, EC_RAW_POINT *r, 506 const EC_RAW_POINT *p0, const EC_SCALAR *scalar0, 507 const EC_RAW_POINT *p1, const EC_SCALAR *scalar1, 508 const EC_RAW_POINT *p2, const EC_SCALAR *scalar2); 509 // mul_public sets |r| to |g_scalar|*generator + |p_scalar|*|p|. It assumes 510 // that the inputs are public so there is no concern about leaking their 511 // values through timing. 512 // 513 // This function may be omitted if |mul_public_batch| is provided. 514 void (*mul_public)(const EC_GROUP *group, EC_RAW_POINT *r, 515 const EC_SCALAR *g_scalar, const EC_RAW_POINT *p, 516 const EC_SCALAR *p_scalar); 517 // mul_public_batch implements |ec_point_mul_scalar_public_batch|. 518 int (*mul_public_batch)(const EC_GROUP *group, EC_RAW_POINT *r, 519 const EC_SCALAR *g_scalar, const EC_RAW_POINT *points, 520 const EC_SCALAR *scalars, size_t num); 521 522 // init_precomp implements |ec_init_precomp|. 523 int (*init_precomp)(const EC_GROUP *group, EC_PRECOMP *out, 524 const EC_RAW_POINT *p); 525 // mul_precomp implements |ec_point_mul_scalar_precomp|. 526 void (*mul_precomp)(const EC_GROUP *group, EC_RAW_POINT *r, 527 const EC_PRECOMP *p0, const EC_SCALAR *scalar0, 528 const EC_PRECOMP *p1, const EC_SCALAR *scalar1, 529 const EC_PRECOMP *p2, const EC_SCALAR *scalar2); 530 531 // felem_mul and felem_sqr implement multiplication and squaring, 532 // respectively, so that the generic |EC_POINT_add| and |EC_POINT_dbl| 533 // implementations can work both with |EC_GFp_mont_method| and the tuned 534 // operations. 535 // 536 // TODO(davidben): This constrains |EC_FELEM|'s internal representation, adds 537 // many indirect calls in the middle of the generic code, and a bunch of 538 // conversions. If p224-64.c were easily convertable to Montgomery form, we 539 // could say |EC_FELEM| is always in Montgomery form. If we routed the rest of 540 // simple.c to |EC_METHOD|, we could give |EC_POINT| an |EC_METHOD|-specific 541 // representation and say |EC_FELEM| is purely a |EC_GFp_mont_method| type. 542 void (*felem_mul)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a, 543 const EC_FELEM *b); 544 void (*felem_sqr)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a); 545 546 void (*felem_to_bytes)(const EC_GROUP *group, uint8_t *out, size_t *out_len, 547 const EC_FELEM *in); 548 int (*felem_from_bytes)(const EC_GROUP *group, EC_FELEM *out, 549 const uint8_t *in, size_t len); 550 551 // felem_reduce sets |out| to |words|, reduced modulo the field size, p. 552 // |words| must be less than p^2. |num| must be at most twice the width of p. 553 // This function treats |words| as secret. 554 // 555 // This function is only used in hash-to-curve and may be omitted in curves 556 // that do not support it. 557 void (*felem_reduce)(const EC_GROUP *group, EC_FELEM *out, 558 const BN_ULONG *words, size_t num); 559 560 // felem_exp sets |out| to |a|^|exp|. It treats |a| is secret but |exp| as 561 // public. 562 // 563 // This function is used in hash-to-curve and may be NULL in curves not used 564 // with hash-to-curve. 565 // 566 // TODO(https://crbug.com/boringssl/567): hash-to-curve uses this as part of 567 // computing a square root, which is what compressed coordinates ultimately 568 // needs to avoid |BIGNUM|. Can we unify this a bit? By generalizing to 569 // arbitrary exponentiation, we also miss an opportunity to use a specialized 570 // addition chain. 571 void (*felem_exp)(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a, 572 const BN_ULONG *exp, size_t num_exp); 573 574 // scalar_inv0_montgomery implements |ec_scalar_inv0_montgomery|. 575 void (*scalar_inv0_montgomery)(const EC_GROUP *group, EC_SCALAR *out, 576 const EC_SCALAR *in); 577 578 // scalar_to_montgomery_inv_vartime implements 579 // |ec_scalar_to_montgomery_inv_vartime|. 580 int (*scalar_to_montgomery_inv_vartime)(const EC_GROUP *group, EC_SCALAR *out, 581 const EC_SCALAR *in); 582 583 // cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group 584 // order, with |r|. It returns one if the values match and zero if |p| is the 585 // point at infinity of the values do not match. 586 int (*cmp_x_coordinate)(const EC_GROUP *group, const EC_RAW_POINT *p, 587 const EC_SCALAR *r); 588 } /* EC_METHOD */; 589 590 const EC_METHOD *EC_GFp_mont_method(void); 591 592 struct ec_group_st { 593 const EC_METHOD *meth; 594 595 // Unlike all other |EC_POINT|s, |generator| does not own |generator->group| 596 // to avoid a reference cycle. Additionally, Z is guaranteed to be one, so X 597 // and Y are suitable for use as an |EC_AFFINE|. 598 EC_POINT *generator; 599 BIGNUM order; 600 601 int curve_name; // optional NID for named curve 602 603 BN_MONT_CTX *order_mont; // data for ECDSA inverse 604 605 // The following members are handled by the method functions, 606 // even if they appear generic 607 608 BIGNUM field; // For curves over GF(p), this is the modulus. 609 610 EC_FELEM a, b; // Curve coefficients. 611 612 // a_is_minus3 is one if |a| is -3 mod |field| and zero otherwise. Point 613 // arithmetic is optimized for -3. 614 int a_is_minus3; 615 616 // field_greater_than_order is one if |field| is greate than |order| and zero 617 // otherwise. 618 int field_greater_than_order; 619 620 // field_minus_order, if |field_greater_than_order| is true, is |field| minus 621 // |order| represented as an |EC_FELEM|. Otherwise, it is zero. 622 // 623 // Note: unlike |EC_FELEM|s used as intermediate values internal to the 624 // |EC_METHOD|, this value is not encoded in Montgomery form. 625 EC_FELEM field_minus_order; 626 627 CRYPTO_refcount_t references; 628 629 BN_MONT_CTX *mont; // Montgomery structure. 630 631 EC_FELEM one; // The value one. 632 } /* EC_GROUP */; 633 634 struct ec_point_st { 635 // group is an owning reference to |group|, unless this is 636 // |group->generator|. 637 EC_GROUP *group; 638 // raw is the group-specific point data. Functions that take |EC_POINT| 639 // typically check consistency with |EC_GROUP| while functions that take 640 // |EC_RAW_POINT| do not. Thus accesses to this field should be externally 641 // checked for consistency. 642 EC_RAW_POINT raw; 643 } /* EC_POINT */; 644 645 EC_GROUP *ec_group_new(const EC_METHOD *meth); 646 647 void ec_GFp_mont_mul(const EC_GROUP *group, EC_RAW_POINT *r, 648 const EC_RAW_POINT *p, const EC_SCALAR *scalar); 649 void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_RAW_POINT *r, 650 const EC_SCALAR *scalar); 651 void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_RAW_POINT *r, 652 const EC_RAW_POINT *p0, const EC_SCALAR *scalar0, 653 const EC_RAW_POINT *p1, const EC_SCALAR *scalar1, 654 const EC_RAW_POINT *p2, const EC_SCALAR *scalar2); 655 int ec_GFp_mont_init_precomp(const EC_GROUP *group, EC_PRECOMP *out, 656 const EC_RAW_POINT *p); 657 void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_RAW_POINT *r, 658 const EC_PRECOMP *p0, const EC_SCALAR *scalar0, 659 const EC_PRECOMP *p1, const EC_SCALAR *scalar1, 660 const EC_PRECOMP *p2, const EC_SCALAR *scalar2); 661 void ec_GFp_mont_felem_reduce(const EC_GROUP *group, EC_FELEM *out, 662 const BN_ULONG *words, size_t num); 663 void ec_GFp_mont_felem_exp(const EC_GROUP *group, EC_FELEM *out, 664 const EC_FELEM *a, const BN_ULONG *exp, 665 size_t num_exp); 666 667 // ec_compute_wNAF writes the modified width-(w+1) Non-Adjacent Form (wNAF) of 668 // |scalar| to |out|. |out| must have room for |bits| + 1 elements, each of 669 // which will be either zero or odd with an absolute value less than 2^w 670 // satisfying 671 // scalar = \sum_j out[j]*2^j 672 // where at most one of any w+1 consecutive digits is non-zero 673 // with the exception that the most significant digit may be only 674 // w-1 zeros away from that next non-zero digit. 675 void ec_compute_wNAF(const EC_GROUP *group, int8_t *out, 676 const EC_SCALAR *scalar, size_t bits, int w); 677 678 int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_RAW_POINT *r, 679 const EC_SCALAR *g_scalar, 680 const EC_RAW_POINT *points, 681 const EC_SCALAR *scalars, size_t num); 682 683 // method functions in simple.c 684 int ec_GFp_simple_group_init(EC_GROUP *); 685 void ec_GFp_simple_group_finish(EC_GROUP *); 686 int ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, 687 const BIGNUM *b, BN_CTX *); 688 int ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, 689 BIGNUM *b); 690 void ec_GFp_simple_point_init(EC_RAW_POINT *); 691 void ec_GFp_simple_point_copy(EC_RAW_POINT *, const EC_RAW_POINT *); 692 void ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_RAW_POINT *); 693 void ec_GFp_mont_add(const EC_GROUP *, EC_RAW_POINT *r, const EC_RAW_POINT *a, 694 const EC_RAW_POINT *b); 695 void ec_GFp_mont_dbl(const EC_GROUP *, EC_RAW_POINT *r, const EC_RAW_POINT *a); 696 void ec_GFp_simple_invert(const EC_GROUP *, EC_RAW_POINT *); 697 int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_RAW_POINT *); 698 int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_RAW_POINT *); 699 int ec_GFp_simple_points_equal(const EC_GROUP *, const EC_RAW_POINT *a, 700 const EC_RAW_POINT *b); 701 void ec_simple_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r, 702 const EC_SCALAR *a); 703 704 int ec_simple_scalar_to_montgomery_inv_vartime(const EC_GROUP *group, 705 EC_SCALAR *r, 706 const EC_SCALAR *a); 707 708 int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p, 709 const EC_SCALAR *r); 710 711 void ec_GFp_simple_felem_to_bytes(const EC_GROUP *group, uint8_t *out, 712 size_t *out_len, const EC_FELEM *in); 713 int ec_GFp_simple_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out, 714 const uint8_t *in, size_t len); 715 716 // method functions in montgomery.c 717 int ec_GFp_mont_group_init(EC_GROUP *); 718 int ec_GFp_mont_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, 719 const BIGNUM *b, BN_CTX *); 720 void ec_GFp_mont_group_finish(EC_GROUP *); 721 void ec_GFp_mont_felem_mul(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a, 722 const EC_FELEM *b); 723 void ec_GFp_mont_felem_sqr(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a); 724 725 void ec_GFp_mont_felem_to_bytes(const EC_GROUP *group, uint8_t *out, 726 size_t *out_len, const EC_FELEM *in); 727 int ec_GFp_mont_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out, 728 const uint8_t *in, size_t len); 729 730 void ec_GFp_nistp_recode_scalar_bits(crypto_word_t *sign, crypto_word_t *digit, 731 crypto_word_t in); 732 733 const EC_METHOD *EC_GFp_nistp224_method(void); 734 const EC_METHOD *EC_GFp_nistp256_method(void); 735 736 // EC_GFp_nistz256_method is a GFp method using montgomery multiplication, with 737 // x86-64 optimized P256. See http://eprint.iacr.org/2013/816. 738 const EC_METHOD *EC_GFp_nistz256_method(void); 739 740 // An EC_WRAPPED_SCALAR is an |EC_SCALAR| with a parallel |BIGNUM| 741 // representation. It exists to support the |EC_KEY_get0_private_key| API. 742 typedef struct { 743 BIGNUM bignum; 744 EC_SCALAR scalar; 745 } EC_WRAPPED_SCALAR; 746 747 struct ec_key_st { 748 EC_GROUP *group; 749 750 // Ideally |pub_key| would be an |EC_AFFINE| so serializing it does not pay an 751 // inversion each time, but the |EC_KEY_get0_public_key| API implies public 752 // keys are stored in an |EC_POINT|-compatible form. 753 EC_POINT *pub_key; 754 EC_WRAPPED_SCALAR *priv_key; 755 756 unsigned int enc_flag; 757 point_conversion_form_t conv_form; 758 759 CRYPTO_refcount_t references; 760 761 ECDSA_METHOD *ecdsa_meth; 762 763 CRYPTO_EX_DATA ex_data; 764 } /* EC_KEY */; 765 766 struct built_in_curve { 767 int nid; 768 const uint8_t *oid; 769 uint8_t oid_len; 770 // comment is a human-readable string describing the curve. 771 const char *comment; 772 // param_len is the number of bytes needed to store a field element. 773 uint8_t param_len; 774 // params points to an array of 6*|param_len| bytes which hold the field 775 // elements of the following (in big-endian order): prime, a, b, generator x, 776 // generator y, order. 777 const uint8_t *params; 778 const EC_METHOD *method; 779 }; 780 781 #define OPENSSL_NUM_BUILT_IN_CURVES 4 782 783 struct built_in_curves { 784 struct built_in_curve curves[OPENSSL_NUM_BUILT_IN_CURVES]; 785 }; 786 787 // OPENSSL_built_in_curves returns a pointer to static information about 788 // standard curves. The array is terminated with an entry where |nid| is 789 // |NID_undef|. 790 const struct built_in_curves *OPENSSL_built_in_curves(void); 791 792 #if defined(__cplusplus) 793 } // extern C 794 #endif 795 796 #endif // OPENSSL_HEADER_EC_INTERNAL_H 797