ecc-internal.h 8.74 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
/* ecc-internal.h

   Copyright (C) 2013 Niels Möller

   This file is part of GNU Nettle.

   GNU Nettle is free software: you can redistribute it and/or
   modify it under the terms of either:

     * the GNU Lesser General Public License as published by the Free
       Software Foundation; either version 3 of the License, or (at your
       option) any later version.

   or

     * the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your
       option) any later version.

   or both in parallel, as here.

   GNU Nettle is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received copies of the GNU General Public License and
   the GNU Lesser General Public License along with this program.  If
   not, see http://www.gnu.org/licenses/.
*/
Niels Möller's avatar
Niels Möller committed
31

32
/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */
Niels Möller's avatar
Niels Möller committed
33
34
35
36

#ifndef NETTLE_ECC_INTERNAL_H_INCLUDED
#define NETTLE_ECC_INTERNAL_H_INCLUDED

37
#include "nettle-types.h"
38
#include "bignum.h"
Niels Möller's avatar
Niels Möller committed
39
#include "ecc-curve.h"
40
#include "gmp-glue.h"
Niels Möller's avatar
Niels Möller committed
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56

/* Name mangling */
#define ecc_generic_modp _nettle_ecc_generic_modp
#define ecc_generic_redc _nettle_ecc_generic_redc
#define ecc_generic_modq _nettle_ecc_generic_modq
#define ecc_modp_add _nettle_ecc_modp_add
#define ecc_modp_sub _nettle_ecc_modp_sub
#define ecc_modp_mul_1 _nettle_ecc_modp_mul_1
#define ecc_modp_addmul_1 _nettle_ecc_modp_addmul_1
#define ecc_modp_submul_1 _nettle_ecc_modp_submul_1
#define ecc_modp_mul _nettle_ecc_modp_mul
#define ecc_modp_sqr _nettle_ecc_modp_sqr
#define ecc_modp_inv _nettle_ecc_modp_inv
#define ecc_modq_mul _nettle_ecc_modq_mul
#define ecc_modq_add _nettle_ecc_modq_add
#define ecc_modq_inv _nettle_ecc_modq_inv
57
58
59
#define ecc_modq_random _nettle_ecc_modq_random
#define ecc_mod _nettle_ecc_mod
#define ecc_hash _nettle_ecc_hash
Niels Möller's avatar
Niels Möller committed
60
61
62
63
64
#define cnd_copy _nettle_cnd_copy
#define sec_add_1 _nettle_sec_add_1
#define sec_sub_1 _nettle_sec_sub_1
#define sec_tabselect _nettle_sec_tabselect
#define sec_modinv _nettle_sec_modinv
65
#define ecc_25519_sqrt _nettle_ecc_25519_sqrt
Niels Möller's avatar
Niels Möller committed
66

67
68
#define ECC_MAX_SIZE ((521 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)

Niels Möller's avatar
Niels Möller committed
69
70
/* Window size for ecc_mul_a. Using 4 bits seems like a good choice,
   for both Intel x86_64 and ARM Cortex A9. For the larger curves, of
71
   384 and 521 bits, we could improve speed by a few percent if we go
Niels Möller's avatar
Niels Möller committed
72
73
74
   up to 5 bits, but I don't think that's worth doubling the
   storage. */
#define ECC_MUL_A_WBITS 4
75
76
/* And for ecc_mul_a_eh */
#define ECC_MUL_A_EH_WBITS 4
77

Niels Möller's avatar
Niels Möller committed
78
79
80
81
82
83

/* Reduces from 2*ecc->size to ecc->size. */
/* Required to return a result < 2q. This property is inherited by
   modp_mul and modp_add. */
typedef void ecc_mod_func (const struct ecc_curve *ecc, mp_limb_t *rp);

84
85
86
87
88
89
90
91
92
93
94
95
96
typedef void ecc_mul_g_func (const struct ecc_curve *ecc, mp_limb_t *r,
			     const mp_limb_t *np, mp_limb_t *scratch);

typedef void ecc_mul_func (const struct ecc_curve *ecc,
			   mp_limb_t *r,
			   const mp_limb_t *np, const mp_limb_t *p,
			   mp_limb_t *scratch);

typedef void ecc_h_to_a_func (const struct ecc_curve *ecc,
			      int flags,
			      mp_limb_t *r, const mp_limb_t *p,
			      mp_limb_t *scratch);

Niels Möller's avatar
Niels Möller committed
97
98
99
100
101
102
103
104
105
106
107
108
/* Represents an elliptic curve of the form

     y^2 = x^3 - 3x + b (mod p)
*/
struct ecc_curve
{
  unsigned short bit_size;
  /* Limb size of elements in the base field, size of a point is
     2*size in affine coordinates and 3*size in jacobian
     coordinates. */
  unsigned short size;
  unsigned short Bmodp_size;
109
  unsigned short q_bit_size;
Niels Möller's avatar
Niels Möller committed
110
111
112
113
114
115
116
117
  unsigned short Bmodq_size;
  unsigned short use_redc;
  /* +k if p+1 has k low zero limbs, -k if p-1 has k low zero
     limbs. */
  short redc_size;
  unsigned short pippenger_k;
  unsigned short pippenger_c;

118
119
120
121
  unsigned short mul_itch;
  unsigned short mul_g_itch;
  unsigned short h_to_a_itch;

122
123
124
125
  ecc_mod_func *modp;
  ecc_mod_func *redc;
  ecc_mod_func *reduce;
  ecc_mod_func *modq;
126
127
128
129
130

  ecc_mul_func *mul;
  ecc_mul_g_func *mul_g;
  ecc_h_to_a_func *h_to_a;

Niels Möller's avatar
Niels Möller committed
131
132
133
134
135
  /* The prime p. */
  const mp_limb_t *p;
  const mp_limb_t *b;
  /* Group order. */
  const mp_limb_t *q;
136
137
  /* Generator, x coordinate followed by y (affine coordinates).
   Currently used only by the test suite. */
Niels Möller's avatar
Niels Möller committed
138
  const mp_limb_t *g;
139
140
141
  /* If non-NULL, the constant needed for transformation to the
     equivalent Edwards curve. */
  const mp_limb_t *edwards_root;
Niels Möller's avatar
Niels Möller committed
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223

  /* B^size mod p. Expected to have at least 32 leading zeros
     (equality for secp_256r1). */
  const mp_limb_t *Bmodp;
  /* 2^{bit_size} - p, same value as above, but shifted. */
  const mp_limb_t *Bmodp_shifted;
  /* (p+1)/2 */
  const mp_limb_t *pp1h;
  /* p +/- 1, for redc, excluding |redc_size| low limbs. */
  const mp_limb_t *redc_ppm1;
  /* For redc, same as Bmodp, otherwise 1. */
  const mp_limb_t *unit;

  /* Similarly, B^size mod q */
  const mp_limb_t *Bmodq;
  /* 2^{bit_size} - q, same value as above, but shifted. */
  const mp_limb_t *Bmodq_shifted;
  /* (q+1)/2 */
  const mp_limb_t *qp1h;
  
  /* Tables for multiplying by the generator, size determined by k and
     c. The first 2^c entries are defined by

       T[  j_0 +   j_1 2 +     ... + j_{c-1} 2^{c-1} ]
         = j_0 g + j_1 2^k g + ... + j_{c-1} 2^{k(c-1)} g

     The following entries differ by powers of 2^{kc},

       T[i] = 2^{kc} T[i-2^c]
  */  
  const mp_limb_t *pippenger_table;
};

/* In-place reduction. */
ecc_mod_func ecc_generic_modp;
ecc_mod_func ecc_generic_redc;
ecc_mod_func ecc_generic_modq;


void
ecc_modp_add (const struct ecc_curve *ecc, mp_limb_t *rp,
	      const mp_limb_t *ap, const mp_limb_t *bp);
void
ecc_modp_sub (const struct ecc_curve *ecc, mp_limb_t *rp,
	      const mp_limb_t *ap, const mp_limb_t *bp);

void
ecc_modp_mul_1 (const struct ecc_curve *ecc, mp_limb_t *rp,
		const mp_limb_t *ap, const mp_limb_t b);

void
ecc_modp_addmul_1 (const struct ecc_curve *ecc, mp_limb_t *rp,
		   const mp_limb_t *ap, mp_limb_t b);
void
ecc_modp_submul_1 (const struct ecc_curve *ecc, mp_limb_t *rp,
		   const mp_limb_t *ap, mp_limb_t b);

/* NOTE: mul and sqr needs 2*ecc->size limbs at rp */
void
ecc_modp_mul (const struct ecc_curve *ecc, mp_limb_t *rp,
	      const mp_limb_t *ap, const mp_limb_t *bp);

void
ecc_modp_sqr (const struct ecc_curve *ecc, mp_limb_t *rp,
	      const mp_limb_t *ap);

void
ecc_modp_inv (const struct ecc_curve *ecc, mp_limb_t *rp, mp_limb_t *ap,
	      mp_limb_t *scratch);

/* mod q operations. */
void
ecc_modq_mul (const struct ecc_curve *ecc, mp_limb_t *rp,
	      const mp_limb_t *ap, const mp_limb_t *bp);
void
ecc_modq_add (const struct ecc_curve *ecc, mp_limb_t *rp,
	      const mp_limb_t *ap, const mp_limb_t *bp);

void
ecc_modq_inv (const struct ecc_curve *ecc, mp_limb_t *rp, mp_limb_t *ap,
	      mp_limb_t *scratch);

224
225
226
227
void
ecc_modq_random (const struct ecc_curve *ecc, mp_limb_t *xp,
		 void *ctx, nettle_random_func *random, mp_limb_t *scratch);

Niels Möller's avatar
Niels Möller committed
228
229
230
231
232
void
ecc_mod (mp_limb_t *rp, mp_size_t rn, mp_size_t mn,
	 const mp_limb_t *bp, mp_size_t bn,
	 const mp_limb_t *b_shifted, unsigned shift);

233
234
235
void
ecc_hash (const struct ecc_curve *ecc,
	  mp_limb_t *hp,
Niels Möller's avatar
Niels Möller committed
236
	  size_t length, const uint8_t *digest);
237

Niels Möller's avatar
Niels Möller committed
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
void
cnd_copy (int cnd, mp_limb_t *rp, const mp_limb_t *ap, mp_size_t n);

mp_limb_t
sec_add_1 (mp_limb_t *rp, mp_limb_t *ap, mp_size_t n, mp_limb_t b);

mp_limb_t
sec_sub_1 (mp_limb_t *rp, mp_limb_t *ap, mp_size_t n, mp_limb_t b);

void
sec_tabselect (mp_limb_t *rp, mp_size_t rn,
	       const mp_limb_t *table, unsigned tn,
	       unsigned k);

void
sec_modinv (mp_limb_t *vp, mp_limb_t *ap, mp_size_t n,
	    const mp_limb_t *mp, const mp_limb_t *mp1h, mp_size_t bit_size,
	    mp_limb_t *scratch);

257
258
259
int
ecc_25519_sqrt(mp_limb_t *rp, const mp_limb_t *ap);

Niels Möller's avatar
Niels Möller committed
260
261
262
/* Current scratch needs: */
#define ECC_MODINV_ITCH(size) (3*(size))
#define ECC_J_TO_A_ITCH(size) (5*(size))
263
#define ECC_EH_TO_A_ITCH(size) (5*(size))
264
#define ECC_A_TO_EH_ITCH(size) (2*(size))
Niels Möller's avatar
Niels Möller committed
265
#define ECC_DUP_JJ_ITCH(size) (5*(size))
266
#define ECC_DUP_EH_ITCH(size) (5*(size))
Niels Möller's avatar
Niels Möller committed
267
268
#define ECC_ADD_JJA_ITCH(size) (6*(size))
#define ECC_ADD_JJJ_ITCH(size) (8*(size))
269
#define ECC_ADD_EH_ITCH(size) (6*(size))
270
#define ECC_ADD_EHH_ITCH(size) (7*(size))
Niels Möller's avatar
Niels Möller committed
271
#define ECC_MUL_G_ITCH(size) (9*(size))
272
#define ECC_MUL_G_EH_ITCH(size) (9*(size))
Niels Möller's avatar
Niels Möller committed
273
274
275
276
277
278
#if ECC_MUL_A_WBITS == 0
#define ECC_MUL_A_ITCH(size) (12*(size))
#else
#define ECC_MUL_A_ITCH(size) \
  (((3 << ECC_MUL_A_WBITS) + 11) * (size))
#endif
279
280
281
282
283
284
#if ECC_MUL_A_EH_WBITS == 0
#define ECC_MUL_A_EH_ITCH(size) (13*(size))
#else
#define ECC_MUL_A_EH_ITCH(size) \
  (((3 << ECC_MUL_A_EH_WBITS) + 10) * (size))
#endif
285
286
#define ECC_ECDSA_SIGN_ITCH(size) (12*(size))
#define ECC_ECDSA_VERIFY_ITCH(size) \
Niels Möller's avatar
Niels Möller committed
287
  (6*(size) + ECC_MUL_A_ITCH ((size)))
288
289
#define ECC_MODQ_RANDOM_ITCH(size) (size)
#define ECC_HASH_ITCH(size) (1+(size))
Niels Möller's avatar
Niels Möller committed
290
291

#endif /* NETTLE_ECC_INTERNAL_H_INCLUDED */