1 /* 2 * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved. 4 * 5 * Licensed under the OpenSSL license (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11 #ifndef OPENSSL_HEADER_EC_INTERNAL_H 12 #define OPENSSL_HEADER_EC_INTERNAL_H 13 14 #include <openssl/base.h> 15 16 #include <assert.h> 17 18 #include <openssl/bn.h> 19 #include <openssl/ec.h> 20 #include <openssl/ex_data.h> 21 22 #include "../bn/internal.h" 23 24 #if defined(__cplusplus) 25 extern "C" { 26 #endif 27 28 29 // EC internals. 30 31 32 // Cap the size of all field elements and scalars, including custom curves, to 33 // 66 bytes, large enough to fit secp521r1 and brainpoolP512r1, which appear to 34 // be the largest fields anyone plausibly uses. 35 #define EC_MAX_BYTES 66 36 #define EC_MAX_WORDS ((EC_MAX_BYTES + BN_BYTES - 1) / BN_BYTES) 37 #define EC_MAX_COMPRESSED (EC_MAX_BYTES + 1) 38 #define EC_MAX_UNCOMPRESSED (2 * EC_MAX_BYTES + 1) 39 40 static_assert(EC_MAX_WORDS <= BN_SMALL_MAX_WORDS, 41 "bn_*_small functions not usable"); 42 43 44 // Scalars. 45 46 // An EC_SCALAR is an integer fully reduced modulo the order. Only the first 47 // |order->width| words are used. An |EC_SCALAR| is specific to an |EC_GROUP| 48 // and must not be mixed between groups. 49 typedef struct { 50 BN_ULONG words[EC_MAX_WORDS]; 51 } EC_SCALAR; 52 53 // ec_bignum_to_scalar converts |in| to an |EC_SCALAR| and writes it to 54 // |*out|. It returns one on success and zero if |in| is out of range. 55 OPENSSL_EXPORT int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out, 56 const BIGNUM *in); 57 58 // ec_scalar_to_bytes serializes |in| as a big-endian bytestring to |out| and 59 // sets |*out_len| to the number of bytes written. The number of bytes written 60 // is |BN_num_bytes(&group->order)|, which is at most |EC_MAX_BYTES|. 61 OPENSSL_EXPORT void ec_scalar_to_bytes(const EC_GROUP *group, uint8_t *out, 62 size_t *out_len, const EC_SCALAR *in); 63 64 // ec_scalar_from_bytes deserializes |in| and stores the resulting scalar over 65 // group |group| to |out|. It returns one on success and zero if |in| is 66 // invalid. 67 OPENSSL_EXPORT int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out, 68 const uint8_t *in, size_t len); 69 70 // ec_scalar_reduce sets |out| to |words|, reduced modulo the group order. 71 // |words| must be less than order^2. |num| must be at most twice the width of 72 // group order. This function treats |words| as secret. 73 void ec_scalar_reduce(const EC_GROUP *group, EC_SCALAR *out, 74 const BN_ULONG *words, size_t num); 75 76 // ec_random_nonzero_scalar sets |out| to a uniformly selected random value from 77 // zero to |group->order| - 1. It returns one on success and zero on error. 78 int ec_random_scalar(const EC_GROUP *group, EC_SCALAR *out, 79 const uint8_t additional_data[32]); 80 81 // ec_random_nonzero_scalar sets |out| to a uniformly selected random value from 82 // 1 to |group->order| - 1. It returns one on success and zero on error. 83 int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out, 84 const uint8_t additional_data[32]); 85 86 // ec_scalar_equal_vartime returns one if |a| and |b| are equal and zero 87 // otherwise. Both values are treated as public. 88 int ec_scalar_equal_vartime(const EC_GROUP *group, const EC_SCALAR *a, 89 const EC_SCALAR *b); 90 91 // ec_scalar_is_zero returns one if |a| is zero and zero otherwise. 92 int ec_scalar_is_zero(const EC_GROUP *group, const EC_SCALAR *a); 93 94 // ec_scalar_add sets |r| to |a| + |b|. 95 void ec_scalar_add(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a, 96 const EC_SCALAR *b); 97 98 // ec_scalar_sub sets |r| to |a| - |b|. 99 void ec_scalar_sub(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a, 100 const EC_SCALAR *b); 101 102 // ec_scalar_neg sets |r| to -|a|. 103 void ec_scalar_neg(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a); 104 105 // ec_scalar_to_montgomery sets |r| to |a| in Montgomery form. 106 void ec_scalar_to_montgomery(const EC_GROUP *group, EC_SCALAR *r, 107 const EC_SCALAR *a); 108 109 // ec_scalar_to_montgomery sets |r| to |a| converted from Montgomery form. 110 void ec_scalar_from_montgomery(const EC_GROUP *group, EC_SCALAR *r, 111 const EC_SCALAR *a); 112 113 // ec_scalar_mul_montgomery sets |r| to |a| * |b| where inputs and outputs are 114 // in Montgomery form. 115 void ec_scalar_mul_montgomery(const EC_GROUP *group, EC_SCALAR *r, 116 const EC_SCALAR *a, const EC_SCALAR *b); 117 118 // ec_scalar_inv0_montgomery sets |r| to |a|^-1 where inputs and outputs are in 119 // Montgomery form. If |a| is zero, |r| is set to zero. 120 void ec_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r, 121 const EC_SCALAR *a); 122 123 // ec_scalar_to_montgomery_inv_vartime sets |r| to |a|^-1 R. That is, it takes 124 // in |a| not in Montgomery form and computes the inverse in Montgomery form. It 125 // returns one on success and zero if |a| has no inverse. This function assumes 126 // |a| is public and may leak information about it via timing. 127 // 128 // Note this is not the same operation as |ec_scalar_inv0_montgomery|. 129 int ec_scalar_to_montgomery_inv_vartime(const EC_GROUP *group, EC_SCALAR *r, 130 const EC_SCALAR *a); 131 132 // ec_scalar_select, in constant time, sets |out| to |a| if |mask| is all ones 133 // and |b| if |mask| is all zeros. 134 void ec_scalar_select(const EC_GROUP *group, EC_SCALAR *out, BN_ULONG mask, 135 const EC_SCALAR *a, const EC_SCALAR *b); 136 137 138 // Field elements. 139 140 // An EC_FELEM represents a field element. Only the first |field->width| words 141 // are used. An |EC_FELEM| is specific to an |EC_GROUP| and must not be mixed 142 // between groups. Additionally, the representation (whether or not elements are 143 // represented in Montgomery-form) may vary between |EC_METHOD|s. 144 typedef struct { 145 BN_ULONG words[EC_MAX_WORDS]; 146 } EC_FELEM; 147 148 // ec_felem_one returns one in |group|'s field. 149 const EC_FELEM *ec_felem_one(const EC_GROUP *group); 150 151 // ec_bignum_to_felem converts |in| to an |EC_FELEM|. It returns one on success 152 // and zero if |in| is out of range. 153 int ec_bignum_to_felem(const EC_GROUP *group, EC_FELEM *out, const BIGNUM *in); 154 155 // ec_felem_to_bignum converts |in| to a |BIGNUM|. It returns one on success and 156 // zero on allocation failure. 157 int ec_felem_to_bignum(const EC_GROUP *group, BIGNUM *out, const EC_FELEM *in); 158 159 // ec_felem_to_bytes serializes |in| as a big-endian bytestring to |out| and 160 // sets |*out_len| to the number of bytes written. The number of bytes written 161 // is |BN_num_bytes(&group->order)|, which is at most |EC_MAX_BYTES|. 162 void ec_felem_to_bytes(const EC_GROUP *group, uint8_t *out, size_t *out_len, 163 const EC_FELEM *in); 164 165 // ec_felem_from_bytes deserializes |in| and stores the resulting field element 166 // to |out|. It returns one on success and zero if |in| is invalid. 167 int ec_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out, const uint8_t *in, 168 size_t len); 169 170 // ec_felem_neg sets |out| to -|a|. 171 void ec_felem_neg(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a); 172 173 // ec_felem_add sets |out| to |a| + |b|. 174 void ec_felem_add(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a, 175 const EC_FELEM *b); 176 177 // ec_felem_add sets |out| to |a| - |b|. 178 void ec_felem_sub(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a, 179 const EC_FELEM *b); 180 181 // ec_felem_non_zero_mask returns all ones if |a| is non-zero and all zeros 182 // otherwise. 183 BN_ULONG ec_felem_non_zero_mask(const EC_GROUP *group, const EC_FELEM *a); 184 185 // ec_felem_select, in constant time, sets |out| to |a| if |mask| is all ones 186 // and |b| if |mask| is all zeros. 187 void ec_felem_select(const EC_GROUP *group, EC_FELEM *out, BN_ULONG mask, 188 const EC_FELEM *a, const EC_FELEM *b); 189 190 // ec_felem_equal returns one if |a| and |b| are equal and zero otherwise. 191 int ec_felem_equal(const EC_GROUP *group, const EC_FELEM *a, const EC_FELEM *b); 192 193 194 // Points. 195 // 196 // Points may represented in affine coordinates as |EC_AFFINE| or Jacobian 197 // coordinates as |EC_JACOBIAN|. Affine coordinates directly represent a 198 // point on the curve, but point addition over affine coordinates requires 199 // costly field inversions, so arithmetic is done in Jacobian coordinates. 200 // Converting from affine to Jacobian is cheap, while converting from Jacobian 201 // to affine costs a field inversion. (Jacobian coordinates amortize the field 202 // inversions needed in a sequence of point operations.) 203 204 // An EC_JACOBIAN represents an elliptic curve point in Jacobian coordinates. 205 // Unlike |EC_POINT|, it is a plain struct which can be stack-allocated and 206 // needs no cleanup. It is specific to an |EC_GROUP| and must not be mixed 207 // between groups. 208 typedef struct { 209 // X, Y, and Z are Jacobian projective coordinates. They represent 210 // (X/Z^2, Y/Z^3) if Z != 0 and the point at infinity otherwise. 211 EC_FELEM X, Y, Z; 212 } EC_JACOBIAN; 213 214 // An EC_AFFINE represents an elliptic curve point in affine coordinates. 215 // coordinates. Note the point at infinity cannot be represented in affine 216 // coordinates. 217 typedef struct { 218 EC_FELEM X, Y; 219 } EC_AFFINE; 220 221 // ec_affine_to_jacobian converts |p| to Jacobian form and writes the result to 222 // |*out|. This operation is very cheap and only costs a few copies. 223 void ec_affine_to_jacobian(const EC_GROUP *group, EC_JACOBIAN *out, 224 const EC_AFFINE *p); 225 226 // ec_jacobian_to_affine converts |p| to affine form and writes the result to 227 // |*out|. It returns one on success and zero if |p| was the point at infinity. 228 // This operation performs a field inversion and should only be done once per 229 // point. 230 // 231 // If only extracting the x-coordinate, use |ec_get_x_coordinate_*| which is 232 // slightly faster. 233 OPENSSL_EXPORT int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out, 234 const EC_JACOBIAN *p); 235 236 // ec_jacobian_to_affine_batch converts |num| points in |in| from Jacobian 237 // coordinates to affine coordinates and writes the results to |out|. It returns 238 // one on success and zero if any of the input points were infinity. 239 // 240 // This function is not implemented for all curves. Add implementations as 241 // needed. 242 int ec_jacobian_to_affine_batch(const EC_GROUP *group, EC_AFFINE *out, 243 const EC_JACOBIAN *in, size_t num); 244 245 // ec_point_set_affine_coordinates sets |out|'s to a point with affine 246 // coordinates |x| and |y|. It returns one if the point is on the curve and 247 // zero otherwise. If the point is not on the curve, the value of |out| is 248 // undefined. 249 int ec_point_set_affine_coordinates(const EC_GROUP *group, EC_AFFINE *out, 250 const EC_FELEM *x, const EC_FELEM *y); 251 252 // ec_point_mul_no_self_test does the same as |EC_POINT_mul|, but doesn't try to 253 // run the self-test first. This is for use in the self tests themselves, to 254 // prevent an infinite loop. 255 int ec_point_mul_no_self_test(const EC_GROUP *group, EC_POINT *r, 256 const BIGNUM *g_scalar, const EC_POINT *p, 257 const BIGNUM *p_scalar, BN_CTX *ctx); 258 259 // ec_point_mul_scalar sets |r| to |p| * |scalar|. Both inputs are considered 260 // secret. 261 int ec_point_mul_scalar(const EC_GROUP *group, EC_JACOBIAN *r, 262 const EC_JACOBIAN *p, const EC_SCALAR *scalar); 263 264 // ec_point_mul_scalar_base sets |r| to generator * |scalar|. |scalar| is 265 // treated as secret. 266 int ec_point_mul_scalar_base(const EC_GROUP *group, EC_JACOBIAN *r, 267 const EC_SCALAR *scalar); 268 269 // ec_point_mul_scalar_batch sets |r| to |p0| * |scalar0| + |p1| * |scalar1| + 270 // |p2| * |scalar2|. |p2| may be NULL to skip that term. 271 // 272 // The inputs are treated as secret, however, this function leaks information 273 // about whether intermediate computations add a point to itself. Callers must 274 // ensure that discrete logs between |p0|, |p1|, and |p2| are uniformly 275 // distributed and independent of the scalars, which should be uniformly 276 // selected and not under the attackers control. This ensures the doubling case 277 // will occur with negligible probability. 278 // 279 // This function is not implemented for all curves. Add implementations as 280 // needed. 281 // 282 // TODO(davidben): This function does not use base point tables. For now, it is 283 // only used with the generic |EC_GFp_mont_method| implementation which has 284 // none. If generalizing to tuned curves, this may be useful. However, we still 285 // must double up to the least efficient input, so precomputed tables can only 286 // save table setup and allow a wider window size. 287 int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_JACOBIAN *r, 288 const EC_JACOBIAN *p0, const EC_SCALAR *scalar0, 289 const EC_JACOBIAN *p1, const EC_SCALAR *scalar1, 290 const EC_JACOBIAN *p2, const EC_SCALAR *scalar2); 291 292 #define EC_MONT_PRECOMP_COMB_SIZE 5 293 294 // An |EC_PRECOMP| stores precomputed information about a point, to optimize 295 // repeated multiplications involving it. It is a union so different 296 // |EC_METHOD|s can store different information in it. 297 typedef union { 298 EC_AFFINE comb[(1 << EC_MONT_PRECOMP_COMB_SIZE) - 1]; 299 } EC_PRECOMP; 300 301 // ec_init_precomp precomputes multiples of |p| and writes the result to |out|. 302 // It returns one on success and zero on error. The resulting table may be used 303 // with |ec_point_mul_scalar_precomp|. This function will fail if |p| is the 304 // point at infinity. 305 // 306 // This function is not implemented for all curves. Add implementations as 307 // needed. 308 int ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out, 309 const EC_JACOBIAN *p); 310 311 // ec_point_mul_scalar_precomp sets |r| to |p0| * |scalar0| + |p1| * |scalar1| + 312 // |p2| * |scalar2|. |p1| or |p2| may be NULL to skip the corresponding term. 313 // The points are represented as |EC_PRECOMP| and must be initialized with 314 // |ec_init_precomp|. This function runs faster than |ec_point_mul_scalar_batch| 315 // but requires setup work per input point, so it is only appropriate for points 316 // which are used frequently. 317 // 318 // The inputs are treated as secret, however, this function leaks information 319 // about whether intermediate computations add a point to itself. Callers must 320 // ensure that discrete logs between |p0|, |p1|, and |p2| are uniformly 321 // distributed and independent of the scalars, which should be uniformly 322 // selected and not under the attackers control. This ensures the doubling case 323 // will occur with negligible probability. 324 // 325 // This function is not implemented for all curves. Add implementations as 326 // needed. 327 // 328 // TODO(davidben): This function does not use base point tables. For now, it is 329 // only used with the generic |EC_GFp_mont_method| implementation which has 330 // none. If generalizing to tuned curves, we should add a parameter for the base 331 // point and arrange for the generic implementation to have base point tables 332 // available. 333 int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_JACOBIAN *r, 334 const EC_PRECOMP *p0, const EC_SCALAR *scalar0, 335 const EC_PRECOMP *p1, const EC_SCALAR *scalar1, 336 const EC_PRECOMP *p2, const EC_SCALAR *scalar2); 337 338 // ec_point_mul_scalar_public sets |r| to 339 // generator * |g_scalar| + |p| * |p_scalar|. It assumes that the inputs are 340 // public so there is no concern about leaking their values through timing. 341 OPENSSL_EXPORT int ec_point_mul_scalar_public(const EC_GROUP *group, 342 EC_JACOBIAN *r, 343 const EC_SCALAR *g_scalar, 344 const EC_JACOBIAN *p, 345 const EC_SCALAR *p_scalar); 346 347 // ec_point_mul_scalar_public_batch sets |r| to the sum of generator * 348 // |g_scalar| and |points[i]| * |scalars[i]| where |points| and |scalars| have 349 // |num| elements. It assumes that the inputs are public so there is no concern 350 // about leaking their values through timing. |g_scalar| may be NULL to skip 351 // that term. 352 // 353 // This function is not implemented for all curves. Add implementations as 354 // needed. 355 int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_JACOBIAN *r, 356 const EC_SCALAR *g_scalar, 357 const EC_JACOBIAN *points, 358 const EC_SCALAR *scalars, size_t num); 359 360 // ec_point_select, in constant time, sets |out| to |a| if |mask| is all ones 361 // and |b| if |mask| is all zeros. 362 void ec_point_select(const EC_GROUP *group, EC_JACOBIAN *out, BN_ULONG mask, 363 const EC_JACOBIAN *a, const EC_JACOBIAN *b); 364 365 // ec_affine_select behaves like |ec_point_select| but acts on affine points. 366 void ec_affine_select(const EC_GROUP *group, EC_AFFINE *out, BN_ULONG mask, 367 const EC_AFFINE *a, const EC_AFFINE *b); 368 369 // ec_precomp_select behaves like |ec_point_select| but acts on |EC_PRECOMP|. 370 void ec_precomp_select(const EC_GROUP *group, EC_PRECOMP *out, BN_ULONG mask, 371 const EC_PRECOMP *a, const EC_PRECOMP *b); 372 373 // ec_cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group 374 // order, with |r|. It returns one if the values match and zero if |p| is the 375 // point at infinity of the values do not match. |p| is treated as public. 376 int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p, 377 const EC_SCALAR *r); 378 379 // ec_get_x_coordinate_as_scalar sets |*out| to |p|'s x-coordinate, modulo 380 // |group->order|. It returns one on success and zero if |p| is the point at 381 // infinity. 382 int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out, 383 const EC_JACOBIAN *p); 384 385 // ec_get_x_coordinate_as_bytes writes |p|'s affine x-coordinate to |out|, which 386 // must have at must |max_out| bytes. It sets |*out_len| to the number of bytes 387 // written. The value is written big-endian and zero-padded to the size of the 388 // field. This function returns one on success and zero on failure. 389 int ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out, 390 size_t *out_len, size_t max_out, 391 const EC_JACOBIAN *p); 392 393 // ec_point_byte_len returns the number of bytes in the byte representation of 394 // a non-infinity point in |group|, encoded according to |form|, or zero if 395 // |form| is invalid. 396 size_t ec_point_byte_len(const EC_GROUP *group, point_conversion_form_t form); 397 398 // ec_point_to_bytes encodes |point| according to |form| and writes the result 399 // |buf|. It returns the size of the output on success or zero on error. At most 400 // |max_out| bytes will be written. The buffer should be at least 401 // |ec_point_byte_len| long to guarantee success. 402 size_t ec_point_to_bytes(const EC_GROUP *group, const EC_AFFINE *point, 403 point_conversion_form_t form, uint8_t *buf, 404 size_t max_out); 405 406 // ec_point_from_uncompressed parses |in| as a point in uncompressed form and 407 // sets the result to |out|. It returns one on success and zero if the input was 408 // invalid. 409 int ec_point_from_uncompressed(const EC_GROUP *group, EC_AFFINE *out, 410 const uint8_t *in, size_t len); 411 412 // ec_set_to_safe_point sets |out| to an arbitrary point on |group|, either the 413 // generator or the point at infinity. This is used to guard against callers of 414 // external APIs not checking the return value. 415 void ec_set_to_safe_point(const EC_GROUP *group, EC_JACOBIAN *out); 416 417 // ec_affine_jacobian_equal returns one if |a| and |b| represent the same point 418 // and zero otherwise. It treats both inputs as secret. 419 int ec_affine_jacobian_equal(const EC_GROUP *group, const EC_AFFINE *a, 420 const EC_JACOBIAN *b); 421 422 423 // Implementation details. 424 425 struct ec_method_st { 426 // point_get_affine_coordinates sets |*x| and |*y| to the affine coordinates 427 // of |p|. Either |x| or |y| may be NULL to omit it. It returns one on success 428 // and zero if |p| is the point at infinity. It leaks whether |p| was the 429 // point at infinity, but otherwise treats |p| as secret. 430 int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_JACOBIAN *p, 431 EC_FELEM *x, EC_FELEM *y); 432 433 // jacobian_to_affine_batch implements |ec_jacobian_to_affine_batch|. 434 int (*jacobian_to_affine_batch)(const EC_GROUP *group, EC_AFFINE *out, 435 const EC_JACOBIAN *in, size_t num); 436 437 // add sets |r| to |a| + |b|. 438 void (*add)(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *a, 439 const EC_JACOBIAN *b); 440 // dbl sets |r| to |a| + |a|. 441 void (*dbl)(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *a); 442 443 // mul sets |r| to |scalar|*|p|. 444 void (*mul)(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *p, 445 const EC_SCALAR *scalar); 446 // mul_base sets |r| to |scalar|*generator. 447 void (*mul_base)(const EC_GROUP *group, EC_JACOBIAN *r, 448 const EC_SCALAR *scalar); 449 // mul_batch implements |ec_mul_scalar_batch|. 450 void (*mul_batch)(const EC_GROUP *group, EC_JACOBIAN *r, 451 const EC_JACOBIAN *p0, const EC_SCALAR *scalar0, 452 const EC_JACOBIAN *p1, const EC_SCALAR *scalar1, 453 const EC_JACOBIAN *p2, const EC_SCALAR *scalar2); 454 // mul_public sets |r| to |g_scalar|*generator + |p_scalar|*|p|. It assumes 455 // that the inputs are public so there is no concern about leaking their 456 // values through timing. 457 // 458 // This function may be omitted if |mul_public_batch| is provided. 459 void (*mul_public)(const EC_GROUP *group, EC_JACOBIAN *r, 460 const EC_SCALAR *g_scalar, const EC_JACOBIAN *p, 461 const EC_SCALAR *p_scalar); 462 // mul_public_batch implements |ec_point_mul_scalar_public_batch|. 463 int (*mul_public_batch)(const EC_GROUP *group, EC_JACOBIAN *r, 464 const EC_SCALAR *g_scalar, const EC_JACOBIAN *points, 465 const EC_SCALAR *scalars, size_t num); 466 467 // init_precomp implements |ec_init_precomp|. 468 int (*init_precomp)(const EC_GROUP *group, EC_PRECOMP *out, 469 const EC_JACOBIAN *p); 470 // mul_precomp implements |ec_point_mul_scalar_precomp|. 471 void (*mul_precomp)(const EC_GROUP *group, EC_JACOBIAN *r, 472 const EC_PRECOMP *p0, const EC_SCALAR *scalar0, 473 const EC_PRECOMP *p1, const EC_SCALAR *scalar1, 474 const EC_PRECOMP *p2, const EC_SCALAR *scalar2); 475 476 // felem_mul and felem_sqr implement multiplication and squaring, 477 // respectively, so that the generic |EC_POINT_add| and |EC_POINT_dbl| 478 // implementations can work both with |EC_GFp_mont_method| and the tuned 479 // operations. 480 // 481 // TODO(davidben): This constrains |EC_FELEM|'s internal representation, adds 482 // many indirect calls in the middle of the generic code, and a bunch of 483 // conversions. If p224-64.c were easily convertable to Montgomery form, we 484 // could say |EC_FELEM| is always in Montgomery form. If we routed the rest of 485 // simple.c to |EC_METHOD|, we could give |EC_POINT| an |EC_METHOD|-specific 486 // representation and say |EC_FELEM| is purely a |EC_GFp_mont_method| type. 487 void (*felem_mul)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a, 488 const EC_FELEM *b); 489 void (*felem_sqr)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a); 490 491 void (*felem_to_bytes)(const EC_GROUP *group, uint8_t *out, size_t *out_len, 492 const EC_FELEM *in); 493 int (*felem_from_bytes)(const EC_GROUP *group, EC_FELEM *out, 494 const uint8_t *in, size_t len); 495 496 // felem_reduce sets |out| to |words|, reduced modulo the field size, p. 497 // |words| must be less than p^2. |num| must be at most twice the width of p. 498 // This function treats |words| as secret. 499 // 500 // This function is only used in hash-to-curve and may be omitted in curves 501 // that do not support it. 502 void (*felem_reduce)(const EC_GROUP *group, EC_FELEM *out, 503 const BN_ULONG *words, size_t num); 504 505 // felem_exp sets |out| to |a|^|exp|. It treats |a| is secret but |exp| as 506 // public. 507 // 508 // This function is used in hash-to-curve and may be NULL in curves not used 509 // with hash-to-curve. 510 // 511 // TODO(https://crbug.com/boringssl/567): hash-to-curve uses this as part of 512 // computing a square root, which is what compressed coordinates ultimately 513 // needs to avoid |BIGNUM|. Can we unify this a bit? By generalizing to 514 // arbitrary exponentiation, we also miss an opportunity to use a specialized 515 // addition chain. 516 void (*felem_exp)(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a, 517 const BN_ULONG *exp, size_t num_exp); 518 519 // scalar_inv0_montgomery implements |ec_scalar_inv0_montgomery|. 520 void (*scalar_inv0_montgomery)(const EC_GROUP *group, EC_SCALAR *out, 521 const EC_SCALAR *in); 522 523 // scalar_to_montgomery_inv_vartime implements 524 // |ec_scalar_to_montgomery_inv_vartime|. 525 int (*scalar_to_montgomery_inv_vartime)(const EC_GROUP *group, EC_SCALAR *out, 526 const EC_SCALAR *in); 527 528 // cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group 529 // order, with |r|. It returns one if the values match and zero if |p| is the 530 // point at infinity of the values do not match. 531 int (*cmp_x_coordinate)(const EC_GROUP *group, const EC_JACOBIAN *p, 532 const EC_SCALAR *r); 533 } /* EC_METHOD */; 534 535 const EC_METHOD *EC_GFp_mont_method(void); 536 537 struct ec_point_st { 538 // group is an owning reference to |group|, unless this is 539 // |group->generator|. 540 EC_GROUP *group; 541 // raw is the group-specific point data. Functions that take |EC_POINT| 542 // typically check consistency with |EC_GROUP| while functions that take 543 // |EC_JACOBIAN| do not. Thus accesses to this field should be externally 544 // checked for consistency. 545 EC_JACOBIAN raw; 546 } /* EC_POINT */; 547 548 struct ec_group_st { 549 const EC_METHOD *meth; 550 551 // Unlike all other |EC_POINT|s, |generator| does not own |generator->group| 552 // to avoid a reference cycle. Additionally, Z is guaranteed to be one, so X 553 // and Y are suitable for use as an |EC_AFFINE|. Before |has_order| is set, Z 554 // is one, but X and Y are uninitialized. 555 EC_POINT generator; 556 557 BN_MONT_CTX order; 558 BN_MONT_CTX field; 559 560 EC_FELEM a, b; // Curve coefficients. 561 562 // comment is a human-readable string describing the curve. 563 const char *comment; 564 565 int curve_name; // optional NID for named curve 566 uint8_t oid[9]; 567 uint8_t oid_len; 568 569 // a_is_minus3 is one if |a| is -3 mod |field| and zero otherwise. Point 570 // arithmetic is optimized for -3. 571 int a_is_minus3; 572 573 // has_order is one if |generator| and |order| have been initialized. 574 int has_order; 575 576 // field_greater_than_order is one if |field| is greate than |order| and zero 577 // otherwise. 578 int field_greater_than_order; 579 580 CRYPTO_refcount_t references; 581 } /* EC_GROUP */; 582 583 EC_GROUP *ec_group_new(const EC_METHOD *meth, const BIGNUM *p, const BIGNUM *a, 584 const BIGNUM *b, BN_CTX *ctx); 585 586 void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r, 587 const EC_JACOBIAN *p, const EC_SCALAR *scalar); 588 void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_JACOBIAN *r, 589 const EC_SCALAR *scalar); 590 void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_JACOBIAN *r, 591 const EC_JACOBIAN *p0, const EC_SCALAR *scalar0, 592 const EC_JACOBIAN *p1, const EC_SCALAR *scalar1, 593 const EC_JACOBIAN *p2, const EC_SCALAR *scalar2); 594 int ec_GFp_mont_init_precomp(const EC_GROUP *group, EC_PRECOMP *out, 595 const EC_JACOBIAN *p); 596 void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_JACOBIAN *r, 597 const EC_PRECOMP *p0, const EC_SCALAR *scalar0, 598 const EC_PRECOMP *p1, const EC_SCALAR *scalar1, 599 const EC_PRECOMP *p2, const EC_SCALAR *scalar2); 600 void ec_GFp_mont_felem_reduce(const EC_GROUP *group, EC_FELEM *out, 601 const BN_ULONG *words, size_t num); 602 void ec_GFp_mont_felem_exp(const EC_GROUP *group, EC_FELEM *out, 603 const EC_FELEM *a, const BN_ULONG *exp, 604 size_t num_exp); 605 606 // ec_compute_wNAF writes the modified width-(w+1) Non-Adjacent Form (wNAF) of 607 // |scalar| to |out|. |out| must have room for |bits| + 1 elements, each of 608 // which will be either zero or odd with an absolute value less than 2^w 609 // satisfying 610 // scalar = \sum_j out[j]*2^j 611 // where at most one of any w+1 consecutive digits is non-zero 612 // with the exception that the most significant digit may be only 613 // w-1 zeros away from that next non-zero digit. 614 void ec_compute_wNAF(const EC_GROUP *group, int8_t *out, 615 const EC_SCALAR *scalar, size_t bits, int w); 616 617 int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r, 618 const EC_SCALAR *g_scalar, 619 const EC_JACOBIAN *points, 620 const EC_SCALAR *scalars, size_t num); 621 622 // method functions in simple.c 623 int ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, 624 const BIGNUM *b, BN_CTX *); 625 int ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, 626 BIGNUM *b); 627 void ec_GFp_simple_point_init(EC_JACOBIAN *); 628 void ec_GFp_simple_point_copy(EC_JACOBIAN *, const EC_JACOBIAN *); 629 void ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_JACOBIAN *); 630 void ec_GFp_mont_add(const EC_GROUP *, EC_JACOBIAN *r, const EC_JACOBIAN *a, 631 const EC_JACOBIAN *b); 632 void ec_GFp_mont_dbl(const EC_GROUP *, EC_JACOBIAN *r, const EC_JACOBIAN *a); 633 void ec_GFp_simple_invert(const EC_GROUP *, EC_JACOBIAN *); 634 int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_JACOBIAN *); 635 int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_JACOBIAN *); 636 int ec_GFp_simple_points_equal(const EC_GROUP *, const EC_JACOBIAN *a, 637 const EC_JACOBIAN *b); 638 void ec_simple_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r, 639 const EC_SCALAR *a); 640 641 int ec_simple_scalar_to_montgomery_inv_vartime(const EC_GROUP *group, 642 EC_SCALAR *r, 643 const EC_SCALAR *a); 644 645 int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p, 646 const EC_SCALAR *r); 647 648 void ec_GFp_simple_felem_to_bytes(const EC_GROUP *group, uint8_t *out, 649 size_t *out_len, const EC_FELEM *in); 650 int ec_GFp_simple_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out, 651 const uint8_t *in, size_t len); 652 653 // method functions in montgomery.c 654 void ec_GFp_mont_felem_mul(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a, 655 const EC_FELEM *b); 656 void ec_GFp_mont_felem_sqr(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a); 657 658 void ec_GFp_mont_felem_to_bytes(const EC_GROUP *group, uint8_t *out, 659 size_t *out_len, const EC_FELEM *in); 660 int ec_GFp_mont_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out, 661 const uint8_t *in, size_t len); 662 663 void ec_GFp_nistp_recode_scalar_bits(crypto_word_t *sign, crypto_word_t *digit, 664 crypto_word_t in); 665 666 const EC_METHOD *EC_GFp_nistp224_method(void); 667 const EC_METHOD *EC_GFp_nistp256_method(void); 668 669 // EC_GFp_nistz256_method is a GFp method using montgomery multiplication, with 670 // x86-64 optimized P256. See http://eprint.iacr.org/2013/816. 671 const EC_METHOD *EC_GFp_nistz256_method(void); 672 673 // An EC_WRAPPED_SCALAR is an |EC_SCALAR| with a parallel |BIGNUM| 674 // representation. It exists to support the |EC_KEY_get0_private_key| API. 675 typedef struct { 676 BIGNUM bignum; 677 EC_SCALAR scalar; 678 } EC_WRAPPED_SCALAR; 679 680 struct ec_key_st { 681 EC_GROUP *group; 682 683 // Ideally |pub_key| would be an |EC_AFFINE| so serializing it does not pay an 684 // inversion each time, but the |EC_KEY_get0_public_key| API implies public 685 // keys are stored in an |EC_POINT|-compatible form. 686 EC_POINT *pub_key; 687 EC_WRAPPED_SCALAR *priv_key; 688 689 unsigned int enc_flag; 690 point_conversion_form_t conv_form; 691 692 CRYPTO_refcount_t references; 693 694 ECDSA_METHOD *ecdsa_meth; 695 696 CRYPTO_EX_DATA ex_data; 697 } /* EC_KEY */; 698 699 700 #if defined(__cplusplus) 701 } // extern C 702 #endif 703 704 #endif // OPENSSL_HEADER_EC_INTERNAL_H 705