ecc-internal.h 14 KB
Newer Older
1 2
/* ecc-internal.h

3
   Copyright (C) 2013, 2014 Niels Möller
4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30

   This file is part of GNU Nettle.

   GNU Nettle is free software: you can redistribute it and/or
   modify it under the terms of either:

     * the GNU Lesser General Public License as published by the Free
       Software Foundation; either version 3 of the License, or (at your
       option) any later version.

   or

     * the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your
       option) any later version.

   or both in parallel, as here.

   GNU Nettle is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received copies of the GNU General Public License and
   the GNU Lesser General Public License along with this program.  If
   not, see http://www.gnu.org/licenses/.
*/
Niels Möller's avatar
Niels Möller committed
31

32
/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */
Niels Möller's avatar
Niels Möller committed
33 34 35 36

#ifndef NETTLE_ECC_INTERNAL_H_INCLUDED
#define NETTLE_ECC_INTERNAL_H_INCLUDED

37
#include "nettle-types.h"
38
#include "bignum.h"
Niels Möller's avatar
Niels Möller committed
39
#include "ecc-curve.h"
40
#include "gmp-glue.h"
Niels Möller's avatar
Niels Möller committed
41 42

/* Name mangling */
43 44
#define ecc_pp1_redc _nettle_ecc_pp1_redc
#define ecc_pm1_redc _nettle_ecc_pm1_redc
45 46 47 48 49 50 51
#define ecc_mod_add _nettle_ecc_mod_add
#define ecc_mod_sub _nettle_ecc_mod_sub
#define ecc_mod_mul_1 _nettle_ecc_mod_mul_1
#define ecc_mod_addmul_1 _nettle_ecc_mod_addmul_1
#define ecc_mod_submul_1 _nettle_ecc_mod_submul_1
#define ecc_mod_mul _nettle_ecc_mod_mul
#define ecc_mod_sqr _nettle_ecc_mod_sqr
52
#define ecc_mod_random _nettle_ecc_mod_random
53
#define ecc_mod _nettle_ecc_mod
54
#define ecc_mod_inv _nettle_ecc_mod_inv
55
#define ecc_hash _nettle_ecc_hash
56 57 58 59 60 61 62 63 64
#define ecc_a_to_j _nettle_ecc_a_to_j
#define ecc_j_to_a _nettle_ecc_j_to_a
#define ecc_eh_to_a _nettle_ecc_eh_to_a
#define ecc_dup_jj _nettle_ecc_dup_jj
#define ecc_add_jja _nettle_ecc_add_jja
#define ecc_add_jjj _nettle_ecc_add_jjj
#define ecc_dup_eh _nettle_ecc_dup_eh
#define ecc_add_eh _nettle_ecc_add_eh
#define ecc_add_ehh _nettle_ecc_add_ehh
65 66 67
#define ecc_dup_th _nettle_ecc_dup_th
#define ecc_add_th _nettle_ecc_add_th
#define ecc_add_thh _nettle_ecc_add_thh
68 69 70 71
#define ecc_mul_g _nettle_ecc_mul_g
#define ecc_mul_a _nettle_ecc_mul_a
#define ecc_mul_g_eh _nettle_ecc_mul_g_eh
#define ecc_mul_a_eh _nettle_ecc_mul_a_eh
Niels Möller's avatar
Niels Möller committed
72
#define ecc_mul_m _nettle_ecc_mul_m
Niels Möller's avatar
Niels Möller committed
73 74 75 76 77
#define cnd_copy _nettle_cnd_copy
#define sec_add_1 _nettle_sec_add_1
#define sec_sub_1 _nettle_sec_sub_1
#define sec_tabselect _nettle_sec_tabselect
#define sec_modinv _nettle_sec_modinv
78
#define curve25519_eh_to_x _nettle_curve25519_eh_to_x
Daiki Ueno's avatar
Daiki Ueno committed
79
#define curve448_eh_to_x _nettle_curve448_eh_to_x
Niels Möller's avatar
Niels Möller committed
80

81 82 83 84 85 86
extern const struct ecc_curve _nettle_secp_192r1;
extern const struct ecc_curve _nettle_secp_224r1;
extern const struct ecc_curve _nettle_secp_256r1;
extern const struct ecc_curve _nettle_secp_384r1;
extern const struct ecc_curve _nettle_secp_521r1;

87 88 89 90 91
/* Keep this structure internal for now. It's misnamed (since it's
   really implementing the equivalent twisted Edwards curve, with
   different coordinates). And we're not quite ready to provide
   general ecc operations over an arbitrary type of curve. */
extern const struct ecc_curve _nettle_curve25519;
Daiki Ueno's avatar
Daiki Ueno committed
92
extern const struct ecc_curve _nettle_curve448;
93

94 95
#define ECC_MAX_SIZE ((521 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)

Niels Möller's avatar
Niels Möller committed
96 97
/* Window size for ecc_mul_a. Using 4 bits seems like a good choice,
   for both Intel x86_64 and ARM Cortex A9. For the larger curves, of
98
   384 and 521 bits, we could improve speed by a few percent if we go
Niels Möller's avatar
Niels Möller committed
99 100 101
   up to 5 bits, but I don't think that's worth doubling the
   storage. */
#define ECC_MUL_A_WBITS 4
102 103
/* And for ecc_mul_a_eh */
#define ECC_MUL_A_EH_WBITS 4
104

105
struct ecc_modulo;
Niels Möller's avatar
Niels Möller committed
106 107 108

/* Reduces from 2*ecc->size to ecc->size. */
/* Required to return a result < 2q. This property is inherited by
109
   mod_mul and mod_sqr. */
110
typedef void ecc_mod_func (const struct ecc_modulo *m, mp_limb_t *rp);
Niels Möller's avatar
Niels Möller committed
111

112
typedef void ecc_mod_inv_func (const struct ecc_modulo *m,
113
			       mp_limb_t *vp, const mp_limb_t *ap,
114 115
			       mp_limb_t *scratch);

116 117 118 119 120 121
/* Computes the square root of (u/v) (mod p) */
typedef int ecc_mod_sqrt_func (const struct ecc_modulo *m,
			       mp_limb_t *rp,
			       const mp_limb_t *up, const mp_limb_t *vp,
			       mp_limb_t *scratch);

122 123 124 125 126
typedef void ecc_add_func (const struct ecc_curve *ecc,
			   mp_limb_t *r,
			   const mp_limb_t *p, const mp_limb_t *q,
			   mp_limb_t *scratch);

127 128 129 130
typedef void ecc_dup_func (const struct ecc_curve *ecc,
			   mp_limb_t *r, const mp_limb_t *p,
			   mp_limb_t *scratch);

131 132 133 134 135 136 137 138 139 140 141 142 143
typedef void ecc_mul_g_func (const struct ecc_curve *ecc, mp_limb_t *r,
			     const mp_limb_t *np, mp_limb_t *scratch);

typedef void ecc_mul_func (const struct ecc_curve *ecc,
			   mp_limb_t *r,
			   const mp_limb_t *np, const mp_limb_t *p,
			   mp_limb_t *scratch);

typedef void ecc_h_to_a_func (const struct ecc_curve *ecc,
			      int flags,
			      mp_limb_t *r, const mp_limb_t *p,
			      mp_limb_t *scratch);

144 145 146 147 148 149
struct ecc_modulo
{
  unsigned short bit_size;
  unsigned short size;
  unsigned short B_size;
  unsigned short redc_size;
150
  unsigned short invert_itch;
151
  unsigned short sqrt_itch;
152 153 154 155 156 157 158 159 160

  const mp_limb_t *m;
  /* B^size mod m. Expected to have at least 32 leading zeros
     (equality for secp_256r1). */
  const mp_limb_t *B;
  /* 2^{bit_size} - p, same value as above, but shifted. */
  const mp_limb_t *B_shifted;
  /* m +/- 1, for redc, excluding redc_size low limbs. */
  const mp_limb_t *redc_mpm1;
161 162
  /* (m+1)/2 */
  const mp_limb_t *mp1h;
163 164 165

  ecc_mod_func *mod;
  ecc_mod_func *reduce;
166
  ecc_mod_inv_func *invert;
167
  ecc_mod_sqrt_func *sqrt;
168 169
};

Niels Möller's avatar
Niels Möller committed
170 171 172 173 174 175
/* Represents an elliptic curve of the form

     y^2 = x^3 - 3x + b (mod p)
*/
struct ecc_curve
{
Niels Möller's avatar
Niels Möller committed
176 177 178 179 180 181 182
  /* The prime p. */
  struct ecc_modulo p;
  /* Group order. FIXME: Currently, many fucntions rely on q.size ==
     p.size. This has to change for radix-51 implementation of
     curve25519 mod p arithmetic. */
  struct ecc_modulo q;

Niels Möller's avatar
Niels Möller committed
183 184 185 186
  unsigned short use_redc;
  unsigned short pippenger_k;
  unsigned short pippenger_c;

187
  unsigned short add_hh_itch;
188
  unsigned short add_hhh_itch;
189
  unsigned short dup_itch;
190 191 192 193
  unsigned short mul_itch;
  unsigned short mul_g_itch;
  unsigned short h_to_a_itch;

194
  ecc_add_func *add_hh;
195
  ecc_add_func *add_hhh;
196
  ecc_dup_func *dup;
197 198 199 200
  ecc_mul_func *mul;
  ecc_mul_g_func *mul_g;
  ecc_h_to_a_func *h_to_a;

Niels Möller's avatar
Niels Möller committed
201
  /* Curve constant */
Niels Möller's avatar
Niels Möller committed
202
  const mp_limb_t *b;
203
  /* Generator, x coordinate followed by y (affine coordinates).
Niels Möller's avatar
Niels Möller committed
204
     Currently used only by the test suite. */
Niels Möller's avatar
Niels Möller committed
205 206
  const mp_limb_t *g;

207
  /* For redc, same as B mod p, otherwise 1. */
Niels Möller's avatar
Niels Möller committed
208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223
  const mp_limb_t *unit;

  /* Tables for multiplying by the generator, size determined by k and
     c. The first 2^c entries are defined by

       T[  j_0 +   j_1 2 +     ... + j_{c-1} 2^{c-1} ]
         = j_0 g + j_1 2^k g + ... + j_{c-1} 2^{k(c-1)} g

     The following entries differ by powers of 2^{kc},

       T[i] = 2^{kc} T[i-2^c]
  */  
  const mp_limb_t *pippenger_table;
};

/* In-place reduction. */
224
ecc_mod_func ecc_mod;
225 226
ecc_mod_func ecc_pp1_redc;
ecc_mod_func ecc_pm1_redc;
Niels Möller's avatar
Niels Möller committed
227

228 229
ecc_mod_inv_func ecc_mod_inv;

Niels Möller's avatar
Niels Möller committed
230
void
231 232
ecc_mod_add (const struct ecc_modulo *m, mp_limb_t *rp,
	     const mp_limb_t *ap, const mp_limb_t *bp);
Niels Möller's avatar
Niels Möller committed
233
void
234 235
ecc_mod_sub (const struct ecc_modulo *m, mp_limb_t *rp,
	     const mp_limb_t *ap, const mp_limb_t *bp);
Niels Möller's avatar
Niels Möller committed
236 237

void
238 239
ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp,
	       const mp_limb_t *ap, const mp_limb_t b);
Niels Möller's avatar
Niels Möller committed
240 241

void
242 243
ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp,
		  const mp_limb_t *ap, mp_limb_t b);
Niels Möller's avatar
Niels Möller committed
244
void
245 246
ecc_mod_submul_1 (const struct ecc_modulo *m, mp_limb_t *rp,
		  const mp_limb_t *ap, mp_limb_t b);
Niels Möller's avatar
Niels Möller committed
247

Niels Möller's avatar
Niels Möller committed
248
/* The mul and sqr functions need 2*m->size limbs at rp */
Niels Möller's avatar
Niels Möller committed
249
void
250 251
ecc_mod_mul (const struct ecc_modulo *m, mp_limb_t *rp,
	     const mp_limb_t *ap, const mp_limb_t *bp);
Niels Möller's avatar
Niels Möller committed
252 253

void
254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275
ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp,
	     const mp_limb_t *ap);

#define ecc_modp_add(ecc, r, a, b) \
  ecc_mod_add (&(ecc)->p, (r), (a), (b))
#define ecc_modp_sub(ecc, r, a, b) \
  ecc_mod_sub (&(ecc)->p, (r), (a), (b))
#define ecc_modp_mul_1(ecc, r, a, b) \
  ecc_mod_mul_1 (&(ecc)->p, (r), (a), (b))
#define ecc_modp_addmul_1(ecc, r, a, b) \
  ecc_mod_addmul_1 (&(ecc)->p, (r), (a), (b))
#define ecc_modp_submul_1(ecc, r, a, b) \
  ecc_mod_submul_1 (&(ecc)->p, (r), (a), (b))
#define ecc_modp_mul(ecc, r, a, b) \
  ecc_mod_mul (&(ecc)->p, (r), (a), (b))
#define ecc_modp_sqr(ecc, r, a) \
  ecc_mod_sqr (&(ecc)->p, (r), (a))

#define ecc_modq_add(ecc, r, a, b) \
  ecc_mod_add (&(ecc)->q, (r), (a), (b))
#define ecc_modq_mul(ecc, r, a, b) \
  ecc_mod_mul (&(ecc)->q, (r), (a), (b))
Niels Möller's avatar
Niels Möller committed
276 277

/* mod q operations. */
278
void
279 280
ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp,
		void *ctx, nettle_random_func *random, mp_limb_t *scratch);
281 282

void
283
ecc_hash (const struct ecc_modulo *m,
284
	  mp_limb_t *hp,
Niels Möller's avatar
Niels Möller committed
285
	  size_t length, const uint8_t *digest);
286

287 288 289 290 291 292 293 294
/* Converts a point P in affine coordinates into a point R in jacobian
   coordinates. */
void
ecc_a_to_j (const struct ecc_curve *ecc,
	    mp_limb_t *r, const mp_limb_t *p);

/* Converts a point P in jacobian coordinates into a point R in affine
   coordinates. If op == 1, produce x coordinate only. If op == 2,
Niels Möller's avatar
Niels Möller committed
295
   produce the x coordinate only, and also reduce it modulo q. */
296 297 298 299 300 301
void
ecc_j_to_a (const struct ecc_curve *ecc,
	    int op,
	    mp_limb_t *r, const mp_limb_t *p,
	    mp_limb_t *scratch);

Niels Möller's avatar
Niels Möller committed
302 303 304
/* Converts a point P in homogeneous coordinates on an Edwards curve
   to affine coordinates. Meaning of op is the same as for
   ecc_j_to_a. */
305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337
void
ecc_eh_to_a (const struct ecc_curve *ecc,
	     int op,
	     mp_limb_t *r, const mp_limb_t *p,
	     mp_limb_t *scratch);

/* Group operations */

/* Point doubling, with jacobian input and output. Corner cases:
   Correctly sets R = 0 (r_Z = 0) if p = 0 or 2p = 0. */
void
ecc_dup_jj (const struct ecc_curve *ecc,
	    mp_limb_t *r, const mp_limb_t *p,
	    mp_limb_t *scratch);

/* Point addition, with jacobian output, one jacobian input and one
   affine input. Corner cases: Fails for the cases

     P = Q != 0                       Duplication of non-zero point
     P = 0, Q != 0 or P != 0, Q = 0   One input zero
   
     Correctly gives R = 0 if P = Q = 0 or P = -Q. */
void
ecc_add_jja (const struct ecc_curve *ecc,
	     mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q,
	     mp_limb_t *scratch);

/* Point addition with Jacobian input and output. */
void
ecc_add_jjj (const struct ecc_curve *ecc,
	     mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q,
	     mp_limb_t *scratch);

Daiki Ueno's avatar
Daiki Ueno committed
338
/* Point doubling on a twisted Edwards curve, with homogeneous
339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354
   cooordinates. */
void
ecc_dup_eh (const struct ecc_curve *ecc,
	    mp_limb_t *r, const mp_limb_t *p,
	    mp_limb_t *scratch);

void
ecc_add_eh (const struct ecc_curve *ecc,
	    mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q,
	    mp_limb_t *scratch);

void
ecc_add_ehh (const struct ecc_curve *ecc,
	     mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q,
	     mp_limb_t *scratch);

Daiki Ueno's avatar
Daiki Ueno committed
355
void
356 357 358
ecc_dup_th (const struct ecc_curve *ecc,
	    mp_limb_t *r, const mp_limb_t *p,
	    mp_limb_t *scratch);
Daiki Ueno's avatar
Daiki Ueno committed
359 360

void
361 362 363
ecc_add_th (const struct ecc_curve *ecc,
	    mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q,
	    mp_limb_t *scratch);
Daiki Ueno's avatar
Daiki Ueno committed
364 365

void
366 367 368
ecc_add_thh (const struct ecc_curve *ecc,
	     mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q,
	     mp_limb_t *scratch);
Daiki Ueno's avatar
Daiki Ueno committed
369

370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396
/* Computes N * the group generator. N is an array of ecc_size()
   limbs. It must be in the range 0 < N < group order, then R != 0,
   and the algorithm can work without any intermediate values getting
   to zero. */ 
void
ecc_mul_g (const struct ecc_curve *ecc, mp_limb_t *r,
	   const mp_limb_t *np, mp_limb_t *scratch);

/* Computes N * P. The scalar N is the same as for ecc_mul_g. P is a
   non-zero point on the curve, in affine coordinates. Output R is a
   non-zero point, in Jacobian coordinates. */
void
ecc_mul_a (const struct ecc_curve *ecc,
	   mp_limb_t *r,
	   const mp_limb_t *np, const mp_limb_t *p,
	   mp_limb_t *scratch);

void
ecc_mul_g_eh (const struct ecc_curve *ecc, mp_limb_t *r,
	      const mp_limb_t *np, mp_limb_t *scratch);

void
ecc_mul_a_eh (const struct ecc_curve *ecc,
	      mp_limb_t *r,
	      const mp_limb_t *np, const mp_limb_t *p,
	      mp_limb_t *scratch);

Niels Möller's avatar
Niels Möller committed
397 398 399 400 401 402 403
void
ecc_mul_m (const struct ecc_modulo *m,
	   mp_limb_t a24,
	   unsigned bit_low, unsigned bit_high,
	   mp_limb_t *qx, const uint8_t *n, const mp_limb_t *px,
	   mp_limb_t *scratch);

Niels Möller's avatar
Niels Möller committed
404 405 406 407 408 409 410 411 412 413 414 415 416 417
void
cnd_copy (int cnd, mp_limb_t *rp, const mp_limb_t *ap, mp_size_t n);

mp_limb_t
sec_add_1 (mp_limb_t *rp, mp_limb_t *ap, mp_size_t n, mp_limb_t b);

mp_limb_t
sec_sub_1 (mp_limb_t *rp, mp_limb_t *ap, mp_size_t n, mp_limb_t b);

void
sec_tabselect (mp_limb_t *rp, mp_size_t rn,
	       const mp_limb_t *table, unsigned tn,
	       unsigned k);

418 419 420 421
void
curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p,
		    mp_limb_t *scratch);

Daiki Ueno's avatar
Daiki Ueno committed
422 423 424 425
void
curve448_eh_to_x (mp_limb_t *xp, const mp_limb_t *p,
		  mp_limb_t *scratch);

Niels Möller's avatar
Niels Möller committed
426
/* Current scratch needs: */
427
#define ECC_MOD_INV_ITCH(size) (2*(size))
Niels Möller's avatar
Niels Möller committed
428
#define ECC_J_TO_A_ITCH(size) (5*(size))
429
#define ECC_EH_TO_A_ITCH(size, inv) (2*(size)+(inv))
Niels Möller's avatar
Niels Möller committed
430
#define ECC_DUP_JJ_ITCH(size) (5*(size))
431
#define ECC_DUP_EH_ITCH(size) (5*(size))
432
#define ECC_DUP_TH_ITCH(size) (5*(size))
Niels Möller's avatar
Niels Möller committed
433 434
#define ECC_ADD_JJA_ITCH(size) (6*(size))
#define ECC_ADD_JJJ_ITCH(size) (8*(size))
435
#define ECC_ADD_EH_ITCH(size) (6*(size))
436
#define ECC_ADD_EHH_ITCH(size) (7*(size))
437 438
#define ECC_ADD_TH_ITCH(size) (6*(size))
#define ECC_ADD_THH_ITCH(size) (7*(size))
Niels Möller's avatar
Niels Möller committed
439
#define ECC_MUL_G_ITCH(size) (9*(size))
440
#define ECC_MUL_G_EH_ITCH(size) (9*(size))
Niels Möller's avatar
Niels Möller committed
441 442 443 444 445 446
#if ECC_MUL_A_WBITS == 0
#define ECC_MUL_A_ITCH(size) (12*(size))
#else
#define ECC_MUL_A_ITCH(size) \
  (((3 << ECC_MUL_A_WBITS) + 11) * (size))
#endif
447
#if ECC_MUL_A_EH_WBITS == 0
448
#define ECC_MUL_A_EH_ITCH(size) (12*(size))
449 450 451 452
#else
#define ECC_MUL_A_EH_ITCH(size) \
  (((3 << ECC_MUL_A_EH_WBITS) + 10) * (size))
#endif
Niels Möller's avatar
Niels Möller committed
453
#define ECC_MUL_M_ITCH(size) (11*(size))
Niels Möller's avatar
Niels Möller committed
454
#define ECC_ECDSA_SIGN_ITCH(size) (12*(size))
455
#define ECC_MOD_RANDOM_ITCH(size) (size)
456
#define ECC_HASH_ITCH(size) (1+(size))
Niels Möller's avatar
Niels Möller committed
457 458

#endif /* NETTLE_ECC_INTERNAL_H_INCLUDED */