ecc-internal.h 8.63 KB
Newer Older
1 2
/* ecc-internal.h

3
   Copyright (C) 2013, 2014 Niels Möller
4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30

   This file is part of GNU Nettle.

   GNU Nettle is free software: you can redistribute it and/or
   modify it under the terms of either:

     * the GNU Lesser General Public License as published by the Free
       Software Foundation; either version 3 of the License, or (at your
       option) any later version.

   or

     * the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your
       option) any later version.

   or both in parallel, as here.

   GNU Nettle is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received copies of the GNU General Public License and
   the GNU Lesser General Public License along with this program.  If
   not, see http://www.gnu.org/licenses/.
*/
Niels Möller's avatar
Niels Möller committed
31

32
/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */
Niels Möller's avatar
Niels Möller committed
33 34 35 36

#ifndef NETTLE_ECC_INTERNAL_H_INCLUDED
#define NETTLE_ECC_INTERNAL_H_INCLUDED

37
#include "nettle-types.h"
38
#include "bignum.h"
Niels Möller's avatar
Niels Möller committed
39
#include "ecc-curve.h"
40
#include "gmp-glue.h"
Niels Möller's avatar
Niels Möller committed
41 42

/* Name mangling */
43 44
#define ecc_pp1_redc _nettle_ecc_pp1_redc
#define ecc_pm1_redc _nettle_ecc_pm1_redc
45 46 47 48 49 50 51
#define ecc_mod_add _nettle_ecc_mod_add
#define ecc_mod_sub _nettle_ecc_mod_sub
#define ecc_mod_mul_1 _nettle_ecc_mod_mul_1
#define ecc_mod_addmul_1 _nettle_ecc_mod_addmul_1
#define ecc_mod_submul_1 _nettle_ecc_mod_submul_1
#define ecc_mod_mul _nettle_ecc_mod_mul
#define ecc_mod_sqr _nettle_ecc_mod_sqr
52 53
#define ecc_modq_random _nettle_ecc_modq_random
#define ecc_mod _nettle_ecc_mod
54
#define ecc_mod_inv _nettle_ecc_mod_inv
55
#define ecc_hash _nettle_ecc_hash
Niels Möller's avatar
Niels Möller committed
56 57 58 59 60
#define cnd_copy _nettle_cnd_copy
#define sec_add_1 _nettle_sec_add_1
#define sec_sub_1 _nettle_sec_sub_1
#define sec_tabselect _nettle_sec_tabselect
#define sec_modinv _nettle_sec_modinv
61
#define ecc_25519_sqrt _nettle_ecc_25519_sqrt
62
#define curve25519_eh_to_x _nettle_curve25519_eh_to_x
Niels Möller's avatar
Niels Möller committed
63

64 65
#define ECC_MAX_SIZE ((521 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)

Niels Möller's avatar
Niels Möller committed
66 67
/* Window size for ecc_mul_a. Using 4 bits seems like a good choice,
   for both Intel x86_64 and ARM Cortex A9. For the larger curves, of
68
   384 and 521 bits, we could improve speed by a few percent if we go
Niels Möller's avatar
Niels Möller committed
69 70 71
   up to 5 bits, but I don't think that's worth doubling the
   storage. */
#define ECC_MUL_A_WBITS 4
72 73
/* And for ecc_mul_a_eh */
#define ECC_MUL_A_EH_WBITS 4
74

75
struct ecc_modulo;
Niels Möller's avatar
Niels Möller committed
76 77 78

/* Reduces from 2*ecc->size to ecc->size. */
/* Required to return a result < 2q. This property is inherited by
79
   mod_mul and mod_sqr. */
80
typedef void ecc_mod_func (const struct ecc_modulo *m, mp_limb_t *rp);
Niels Möller's avatar
Niels Möller committed
81

82 83 84 85
typedef void ecc_mod_inv_func (const struct ecc_modulo *m,
			       mp_limb_t *vp, mp_limb_t *ap,
			       mp_limb_t *scratch);

86 87 88 89 90
typedef void ecc_add_func (const struct ecc_curve *ecc,
			   mp_limb_t *r,
			   const mp_limb_t *p, const mp_limb_t *q,
			   mp_limb_t *scratch);

91 92 93 94 95 96 97 98 99 100 101 102 103
typedef void ecc_mul_g_func (const struct ecc_curve *ecc, mp_limb_t *r,
			     const mp_limb_t *np, mp_limb_t *scratch);

typedef void ecc_mul_func (const struct ecc_curve *ecc,
			   mp_limb_t *r,
			   const mp_limb_t *np, const mp_limb_t *p,
			   mp_limb_t *scratch);

typedef void ecc_h_to_a_func (const struct ecc_curve *ecc,
			      int flags,
			      mp_limb_t *r, const mp_limb_t *p,
			      mp_limb_t *scratch);

104 105 106 107 108 109 110 111 112 113 114 115 116 117 118
struct ecc_modulo
{
  unsigned short bit_size;
  unsigned short size;
  unsigned short B_size;
  unsigned short redc_size;

  const mp_limb_t *m;
  /* B^size mod m. Expected to have at least 32 leading zeros
     (equality for secp_256r1). */
  const mp_limb_t *B;
  /* 2^{bit_size} - p, same value as above, but shifted. */
  const mp_limb_t *B_shifted;
  /* m +/- 1, for redc, excluding redc_size low limbs. */
  const mp_limb_t *redc_mpm1;
119 120
  /* (m+1)/2 */
  const mp_limb_t *mp1h;
121 122 123

  ecc_mod_func *mod;
  ecc_mod_func *reduce;
124
  ecc_mod_inv_func *invert;
125 126
};

Niels Möller's avatar
Niels Möller committed
127 128 129 130 131 132
/* Represents an elliptic curve of the form

     y^2 = x^3 - 3x + b (mod p)
*/
struct ecc_curve
{
Niels Möller's avatar
Niels Möller committed
133 134 135 136 137 138 139
  /* The prime p. */
  struct ecc_modulo p;
  /* Group order. FIXME: Currently, many fucntions rely on q.size ==
     p.size. This has to change for radix-51 implementation of
     curve25519 mod p arithmetic. */
  struct ecc_modulo q;

Niels Möller's avatar
Niels Möller committed
140 141 142 143
  unsigned short use_redc;
  unsigned short pippenger_k;
  unsigned short pippenger_c;

144
  unsigned short add_hhh_itch;
145 146 147 148
  unsigned short mul_itch;
  unsigned short mul_g_itch;
  unsigned short h_to_a_itch;

149
  ecc_add_func *add_hhh;
150 151 152 153
  ecc_mul_func *mul;
  ecc_mul_g_func *mul_g;
  ecc_h_to_a_func *h_to_a;

Niels Möller's avatar
Niels Möller committed
154
  /* Curve constant */
Niels Möller's avatar
Niels Möller committed
155
  const mp_limb_t *b;
156
  /* Generator, x coordinate followed by y (affine coordinates).
Niels Möller's avatar
Niels Möller committed
157
     Currently used only by the test suite. */
Niels Möller's avatar
Niels Möller committed
158
  const mp_limb_t *g;
159 160 161
  /* If non-NULL, the constant needed for transformation to the
     equivalent Edwards curve. */
  const mp_limb_t *edwards_root;
Niels Möller's avatar
Niels Möller committed
162

163
  /* For redc, same as B mod p, otherwise 1. */
Niels Möller's avatar
Niels Möller committed
164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179
  const mp_limb_t *unit;

  /* Tables for multiplying by the generator, size determined by k and
     c. The first 2^c entries are defined by

       T[  j_0 +   j_1 2 +     ... + j_{c-1} 2^{c-1} ]
         = j_0 g + j_1 2^k g + ... + j_{c-1} 2^{k(c-1)} g

     The following entries differ by powers of 2^{kc},

       T[i] = 2^{kc} T[i-2^c]
  */  
  const mp_limb_t *pippenger_table;
};

/* In-place reduction. */
180
ecc_mod_func ecc_mod;
181 182
ecc_mod_func ecc_pp1_redc;
ecc_mod_func ecc_pm1_redc;
Niels Möller's avatar
Niels Möller committed
183

184 185
ecc_mod_inv_func ecc_mod_inv;

Niels Möller's avatar
Niels Möller committed
186
void
187 188
ecc_mod_add (const struct ecc_modulo *m, mp_limb_t *rp,
	     const mp_limb_t *ap, const mp_limb_t *bp);
Niels Möller's avatar
Niels Möller committed
189
void
190 191
ecc_mod_sub (const struct ecc_modulo *m, mp_limb_t *rp,
	     const mp_limb_t *ap, const mp_limb_t *bp);
Niels Möller's avatar
Niels Möller committed
192 193

void
194 195
ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp,
	       const mp_limb_t *ap, const mp_limb_t b);
Niels Möller's avatar
Niels Möller committed
196 197

void
198 199
ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp,
		  const mp_limb_t *ap, mp_limb_t b);
Niels Möller's avatar
Niels Möller committed
200
void
201 202
ecc_mod_submul_1 (const struct ecc_modulo *m, mp_limb_t *rp,
		  const mp_limb_t *ap, mp_limb_t b);
Niels Möller's avatar
Niels Möller committed
203 204 205

/* NOTE: mul and sqr needs 2*ecc->size limbs at rp */
void
206 207
ecc_mod_mul (const struct ecc_modulo *m, mp_limb_t *rp,
	     const mp_limb_t *ap, const mp_limb_t *bp);
Niels Möller's avatar
Niels Möller committed
208 209

void
210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231
ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp,
	     const mp_limb_t *ap);

#define ecc_modp_add(ecc, r, a, b) \
  ecc_mod_add (&(ecc)->p, (r), (a), (b))
#define ecc_modp_sub(ecc, r, a, b) \
  ecc_mod_sub (&(ecc)->p, (r), (a), (b))
#define ecc_modp_mul_1(ecc, r, a, b) \
  ecc_mod_mul_1 (&(ecc)->p, (r), (a), (b))
#define ecc_modp_addmul_1(ecc, r, a, b) \
  ecc_mod_addmul_1 (&(ecc)->p, (r), (a), (b))
#define ecc_modp_submul_1(ecc, r, a, b) \
  ecc_mod_submul_1 (&(ecc)->p, (r), (a), (b))
#define ecc_modp_mul(ecc, r, a, b) \
  ecc_mod_mul (&(ecc)->p, (r), (a), (b))
#define ecc_modp_sqr(ecc, r, a) \
  ecc_mod_sqr (&(ecc)->p, (r), (a))

#define ecc_modq_add(ecc, r, a, b) \
  ecc_mod_add (&(ecc)->q, (r), (a), (b))
#define ecc_modq_mul(ecc, r, a, b) \
  ecc_mod_mul (&(ecc)->q, (r), (a), (b))
Niels Möller's avatar
Niels Möller committed
232 233

/* mod q operations. */
234 235 236 237 238 239 240
void
ecc_modq_random (const struct ecc_curve *ecc, mp_limb_t *xp,
		 void *ctx, nettle_random_func *random, mp_limb_t *scratch);

void
ecc_hash (const struct ecc_curve *ecc,
	  mp_limb_t *hp,
Niels Möller's avatar
Niels Möller committed
241
	  size_t length, const uint8_t *digest);
242

Niels Möller's avatar
Niels Möller committed
243 244 245 246 247 248 249 250 251 252 253 254 255 256 257
void
cnd_copy (int cnd, mp_limb_t *rp, const mp_limb_t *ap, mp_size_t n);

mp_limb_t
sec_add_1 (mp_limb_t *rp, mp_limb_t *ap, mp_size_t n, mp_limb_t b);

mp_limb_t
sec_sub_1 (mp_limb_t *rp, mp_limb_t *ap, mp_size_t n, mp_limb_t b);

void
sec_tabselect (mp_limb_t *rp, mp_size_t rn,
	       const mp_limb_t *table, unsigned tn,
	       unsigned k);


258 259 260
int
ecc_25519_sqrt(mp_limb_t *rp, const mp_limb_t *ap);

261 262 263 264
void
curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p,
		    mp_limb_t *scratch);

Niels Möller's avatar
Niels Möller committed
265 266 267
/* Current scratch needs: */
#define ECC_MODINV_ITCH(size) (3*(size))
#define ECC_J_TO_A_ITCH(size) (5*(size))
268
#define ECC_EH_TO_A_ITCH(size) (4*(size))
Niels Möller's avatar
Niels Möller committed
269
#define ECC_DUP_JJ_ITCH(size) (5*(size))
270
#define ECC_DUP_EH_ITCH(size) (5*(size))
Niels Möller's avatar
Niels Möller committed
271 272
#define ECC_ADD_JJA_ITCH(size) (6*(size))
#define ECC_ADD_JJJ_ITCH(size) (8*(size))
273
#define ECC_ADD_EH_ITCH(size) (6*(size))
274
#define ECC_ADD_EHH_ITCH(size) (7*(size))
Niels Möller's avatar
Niels Möller committed
275
#define ECC_MUL_G_ITCH(size) (9*(size))
276
#define ECC_MUL_G_EH_ITCH(size) (9*(size))
Niels Möller's avatar
Niels Möller committed
277 278 279 280 281 282
#if ECC_MUL_A_WBITS == 0
#define ECC_MUL_A_ITCH(size) (12*(size))
#else
#define ECC_MUL_A_ITCH(size) \
  (((3 << ECC_MUL_A_WBITS) + 11) * (size))
#endif
283 284 285 286 287 288
#if ECC_MUL_A_EH_WBITS == 0
#define ECC_MUL_A_EH_ITCH(size) (13*(size))
#else
#define ECC_MUL_A_EH_ITCH(size) \
  (((3 << ECC_MUL_A_EH_WBITS) + 10) * (size))
#endif
289 290 291
#define ECC_ECDSA_SIGN_ITCH(size) (12*(size))
#define ECC_MODQ_RANDOM_ITCH(size) (size)
#define ECC_HASH_ITCH(size) (1+(size))
Niels Möller's avatar
Niels Möller committed
292 293

#endif /* NETTLE_ECC_INTERNAL_H_INCLUDED */