Dmitry Baryshkov authored Jan 07, 2020 and Niels Möller committed Jan 10, 2020

Rename curve functions to use curve names instead of just bits.
Otherwise function names can easily become confusing after adding other
curves.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Dmitry Baryshkov authored Jan 07, 2020 and Niels Möller committed Jan 10, 2020

There is no need to keep optimized ECC functions in public namespace
(nettle_*), move them to internal namespace (_nettle_*).

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Dmitry Baryshkov authored Jan 07, 2020 and Niels Möller committed Jan 10, 2020

In preparation to adding GOST curves support, rename source files and
use curve name as eccdata parameter.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Nikos Mavrogiannopoulos authored Jan 03, 2020 and Niels Möller committed Jan 06, 2020

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Nikos Mavrogiannopoulos authored Jan 03, 2020 and Niels Möller committed Jan 06, 2020

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* eddsa-internal.h (struct ecc_eddsa): New struct for eddsa
parameters.
* ed25519-sha512.c (_nettle_ed25519_sha512): New parameter struct.
* eddsa-expand.c (_eddsa_expand_key): Replace input
struct nettle_hash with struct ecc_eddsa, and generalize for
ed448. Update all callers.
* eddsa-sign.c (_eddsa_sign): Likewise.
* eddsa-verify.c (_eddsa_verify): Likewise.
* eddsa-compress.c (_eddsa_compress): Store sign bit in most
significant bit of last byte, as specified by RFC 8032.
* eddsa-decompress.c (_eddsa_decompress): Corresponding update.
Also generalize to support ed448, and make validity checks
stricter.
* testsuite/eddsa-sign-test.c (test_ed25519_sign): New function.
(test_main): Use it.
* testsuite/eddsa-verify-test.c (test_ed25519): New function.
(test_main): Use it.

* bignum.h: Drop unreleted include of nettle-meta.h.
* pss.h: Include nettle-meta.h explicitly.
* eddsa-internal.h: Likewise.

* shake256.c (sha3_256_shake): New file and function.
* Makefile.in (nettle_SOURCES): Add shake256.c.
* testsuite/testutils.c (test_hash): Allow arbitrary digest size,
if hash->digest_size == 0.
* testsuite/shake.awk: New script to extract test vectors.
* testsuite/Makefile.in (TS_NETTLE_SOURCES): Add shake256-test.c.
(DISTFILES): Add shake.awk.

* ecc-mul-a-eh.c (ecc_mul_a_eh) [ECC_MUL_A_EH_WBITS == 0]: Use
add_hh rather than add_hhh.
(table_init) [[ECC_MUL_A_EH_WBITS > 0]: Likewise.
* ecc-internal.h (ECC_MUL_A_EH_ITCH) [ECC_MUL_A_EH_WBITS == 0]:
Reduced from 13*n to 12*n.

* eddsa-verify.c (_eddsa_verify): Use function pointer rather than
calling ecc_add_eh directly. Preparation for eddsa over curve448.

* curve25519-mul.c (curve25519_mul): Use ecc_mul_m.
* curve448-mul.c (curve448_mul): Likewise.

* ecc-mul-m.c (ecc_mul_m): New file and function. Implements
multipliction for curves in Montgomery representation, as used for
curve25519 and curve448. Extracted from curve25519_mul.
* ecc-internal.h (ecc_mul_m): Declare.
(ECC_MUL_M_ITCH): New macro.
* Makefile.in (hogweed_SOURCES): Add ecc-mul-m.c.

We now have h_to_a_itch <= mul_itch, mul_g_itch. Add asserts at a few
places relying on this.
(ECC_ECDSA_KEYGEN_ITCH, ECC_MAX): Delete macros.
(ECC_ECDSA_SIGN_ITCH): Revert previous change.

* ecc-448.c (ecc_mod_pow_446m224m1): Reduce scratch space from 9*n
to 6*n.
(ECC_448_INV_ITCH, ECC_448_SQRT_ITCH): Reduce accordingly.
* curve448-mul.c (curve448_mul): Reduce allocation from 14*n to 12*n.

* x86_64/ecc-curve448-modp.asm (nettle_ecc_curve448_modp): New
assembly function.
* ecc-448.c (ecc_448_modp) [HAVE_NATIVE_ecc_curve448_modp]: Use
native nettle_ecc_curve448_modp if available.
* configure.ac (asm_hogweed_optional_list): Add ecc-curve448-modp.asm.
(HAVE_NATIVE_ecc_curve448_modp): New config.h define.

* ecc-eh-to-a.c (ecc_eh_to_a): Require op == 0, delete code only
used for non-standard ecdsa over curve25519.
* testsuite/ecdsa-sign-test.c (test_main): Delete test of ecdsa
over curve25519.
* testsuite/ecdsa-verify-test.c (test_main): Likewise.
* testsuite/ecdsa-keygen-test.c (test_main): Exclude curve25519
from test.

* configure.ac: Use AC_TRY_LINK rather than AC_TRY_COMPILE to
check for __builtin_bswap64. Since calling an non-existing
function typically results in a warning only at compile time, but
fails at link time. Patch contributed by by George Koehler.

* testsuite/testutils.c (test_cipher_cfb8): Add cast of size_t to
unsigned long for argument to fprintf.

* ecc-448.c (ecc_448_modp) [GMP_NUMB_BITS == 64]: New function.

Daiki Ueno authored Nov 30, 2019 and Niels Möller committed Nov 30, 2019

This patch adds the necessary primitives for "curve448", defined in
RFC 7748.  Those primitives are namely: addition, doubling, scalar
multiplication of the generator or an arbitrary point, inversion, and
square root.

Current gost support in gnutls depends on nettle internals.