From cf4675dc7b7dcad802a47475af63ed30e07a54f6 Mon Sep 17 00:00:00 2001
From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date: Thu, 16 Jan 2020 01:36:09 +0300
Subject: [PATCH] Add support for GOST GC512A curve

Add support for GC512A curve ("TLS Supported Groups" registry,
draft-smyshlyaev-tls12-gost-suites) also known as
tc26-gost-3410-12-512-paramSetA (RFC 7836).

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
---
 .gitignore               |   1 +
 Makefile.in              |  14 ++++-
 ecc-curve.h              |   1 +
 ecc-gost-gc512a.c        | 128 +++++++++++++++++++++++++++++++++++++++
 ecc-internal.h           |   1 +
 eccdata.c                |  38 ++++++++++++
 examples/ecc-benchmark.c |   1 +
 testsuite/testutils.c    |  18 +++++-
 8 files changed, 198 insertions(+), 4 deletions(-)
 create mode 100644 ecc-gost-gc512a.c

diff --git a/.gitignore b/.gitignore
index 4454ade5..2e64c187 100644
--- a/.gitignore
+++ b/.gitignore
@@ -46,6 +46,7 @@ core
 /ecc-curve25519.h
 /ecc-curve448.h
 /ecc-gc256b.h
+/ecc-gc512a.h
 /ecc-secp192r1.h
 /ecc-secp224r1.h
 /ecc-secp256r1.h
diff --git a/Makefile.in b/Makefile.in
index 807f422d..eb1c6c33 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -176,7 +176,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
 		  ecc-mod.c ecc-mod-inv.c \
 		  ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \
 		  ecc-curve25519.c ecc-curve448.c \
-		  ecc-gost-gc256b.c \
+		  ecc-gost-gc256b.c ecc-gost-gc512a.c \
 		  ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \
 		  ecc-secp384r1.c ecc-secp521r1.c \
 		  ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \
@@ -385,6 +385,15 @@ ecc-curve448.h: eccdata.stamp
 ecc-gost-gc256b.h: eccdata.stamp
 	./eccdata$(EXEEXT_FOR_BUILD) gost_gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@
 
+# Some reasonable choices for 512:
+# k = 22, c =  6, S = 256, T = 110 ( 88 A + 22 D) 32 KB
+# k = 29, c =  6, S = 192, T = 116 ( 87 A + 29 D) 24 KB
+# k = 21, c =  5, S = 160, T = 126 (105 A + 21 D) 20 KB
+# k = 43, c =  6, S = 128, T = 129 ( 86 A + 43 D) 16 KB
+# k = 35, c =  5, S =  96, T = 140 (105 A + 35 D) 12 KB
+ecc-gost-gc512a.h: eccdata.stamp
+	./eccdata$(EXEEXT_FOR_BUILD) gost_gc512a 43 6 $(NUMB_BITS) > $@T && mv $@T $@
+
 eccdata.stamp: eccdata.c
 	$(MAKE) eccdata$(EXEEXT_FOR_BUILD)
 	echo stamp > eccdata.stamp
@@ -392,6 +401,7 @@ eccdata.stamp: eccdata.c
 ecc-curve25519.$(OBJEXT): ecc-curve25519.h
 ecc-curve448.$(OBJEXT): ecc-curve448.h
 ecc-gost-gc256b.$(OBJEXT): ecc-gost-gc256b.h
+ecc-gost-gc512a.$(OBJEXT): ecc-gost-gc512a.h
 ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h
 ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h
 ecc-secp256r1.$(OBJEXT): ecc-secp256r1.h
@@ -645,7 +655,7 @@ distcheck: dist
 clean-here:
 	-rm -f $(TARGETS) *.$(OBJEXT) *.$(OBJEXT).d *.s *.so *.dll *.a \
 		ecc-curve25519.h ecc-curve448.h \
-		ecc-gost-gc256b.h \
+		ecc-gost-gc256b.h ecc-gost-gc512a.h \
 		ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \
 		ecc-secp384r1.h ecc-secp521r1.h \
 		aesdata$(EXEEXT_FOR_BUILD) \
diff --git a/ecc-curve.h b/ecc-curve.h
index da07b023..8f050404 100644
--- a/ecc-curve.h
+++ b/ecc-curve.h
@@ -44,6 +44,7 @@ extern "C" {
 struct ecc_curve;
 
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256b(void);
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc512a(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_256r1(void);
diff --git a/ecc-gost-gc512a.c b/ecc-gost-gc512a.c
new file mode 100644
index 00000000..4baec1f5
--- /dev/null
+++ b/ecc-gost-gc512a.c
@@ -0,0 +1,128 @@
+/* ecc-gost-gc512a.c
+
+   Copyright (C) 2016-2020 Dmitry Eremin-Solenikov
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+
+#include "ecc.h"
+#include "ecc-internal.h"
+
+#define USE_REDC 0
+
+#include "ecc-gost-gc512a.h"
+
+static void
+ecc_gc512a_modp (const struct ecc_modulo *m, mp_limb_t *rp)
+{
+  mp_size_t mn = m->size;
+  mp_limb_t hi;
+
+  hi = mpn_addmul_1(rp, rp + mn, mn, 0x239);
+  hi = sec_add_1 (rp, rp, mn, hi * 0x239);
+  hi = sec_add_1 (rp, rp, mn, hi * 0x239);
+  assert(hi == 0);
+}
+
+#define ecc_gc512a_modp ecc_gc512a_modp
+#define ecc_gc512a_modq ecc_mod
+
+const struct ecc_curve _nettle_gost_gc512a =
+{
+  {
+    512,
+    ECC_LIMB_SIZE,
+    ECC_BMODP_SIZE,
+    ECC_REDC_SIZE,
+    ECC_MOD_INV_ITCH (ECC_LIMB_SIZE),
+    0,
+
+    ecc_p,
+    ecc_Bmodp,
+    ecc_Bmodp_shifted,
+    ecc_redc_ppm1,
+
+    ecc_pp1h,
+    ecc_gc512a_modp,
+    ecc_gc512a_modp,
+    ecc_mod_inv,
+    NULL,
+  },
+  {
+    512,
+    ECC_LIMB_SIZE,
+    ECC_BMODQ_SIZE,
+    0,
+    ECC_MOD_INV_ITCH (ECC_LIMB_SIZE),
+    0,
+
+    ecc_q,
+    ecc_Bmodq,
+    ecc_Bmodq_shifted,
+    NULL,
+    ecc_qp1h,
+
+    ecc_gc512a_modq,
+    ecc_gc512a_modq,
+    ecc_mod_inv,
+    NULL,
+  },
+
+  USE_REDC,
+  ECC_PIPPENGER_K,
+  ECC_PIPPENGER_C,
+
+  ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),
+  ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
+  ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE),
+  ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
+  ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
+  ECC_J_TO_A_ITCH (ECC_LIMB_SIZE),
+
+  ecc_add_jja,
+  ecc_add_jjj,
+  ecc_dup_jj,
+  ecc_mul_a,
+  ecc_mul_g,
+  ecc_j_to_a,
+
+  ecc_b,
+  ecc_g,
+  ecc_unit,
+  ecc_table
+};
+
+const struct ecc_curve *nettle_get_gost_gc512a(void)
+{
+  return &_nettle_gost_gc512a;
+}
diff --git a/ecc-internal.h b/ecc-internal.h
index 53305bc0..cef13665 100644
--- a/ecc-internal.h
+++ b/ecc-internal.h
@@ -93,6 +93,7 @@ extern const struct ecc_curve _nettle_curve448;
 
 /* GOST curves, visible with underscore prefix for now */
 extern const struct ecc_curve _nettle_gost_gc256b;
+extern const struct ecc_curve _nettle_gost_gc512a;
 
 #define ECC_MAX_SIZE ((521 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
 
diff --git a/eccdata.c b/eccdata.c
index fd27d56a..06b6937a 100644
--- a/eccdata.c
+++ b/eccdata.c
@@ -705,6 +705,44 @@ ecc_curve_init (struct ecc_curve *ecc, const char *curve)
 		   "f7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e4b7",
 		   "83ccf17ba6706d73625cc3534c7a2b9d6ec1ee6a9a7e07c10d84b388de59f741");
 
+    }
+  else if (!strcmp (curve, "gost_gc512a"))
+    {
+      ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS,
+			  "ffffffffffffffffffffffffffffffff"
+			  "ffffffffffffffffffffffffffffffff"
+			  "ffffffffffffffffffffffffffffffff"
+			  "fffffffffffffffffffffffffffffdc7",
+			  "e8c2505dedfc86ddc1bd0b2b6667f1da"
+			  "34b82574761cb0e879bd081cfd0b6265"
+			  "ee3cb090f30d27614cb4574010da90dd"
+			  "862ef9d4ebee4761503190785a71c760",
+			  "ffffffffffffffffffffffffffffffff"
+			  "ffffffffffffffffffffffffffffffff"
+			  "27e69532f48d89116ff22b8d4e056060"
+			  "9b4b38abfad2b85dcacdb1411f10b275",
+			  "00000000000000000000000000000000"
+			  "00000000000000000000000000000000"
+			  "00000000000000000000000000000000"
+			  "00000000000000000000000000000003",
+			  "7503cfe87a836ae3a61b8816e25450e6"
+			  "ce5e1c93acf1abc1778064fdcbefa921"
+			  "df1626be4fd036e93d75e6a50e3a41e9"
+			  "8028fe5fc235f5b889a589cb5215f2a4");
+
+      ecc->ref = ecc_alloc (3);
+      ecc_set_str (&ecc->ref[0], /* 2 g */
+		   "3b89dcfc622996ab97a5869dbff15cf51db00954f43a58a5e5f6b0470a132b2f4434bbcd405d2a9516151d2a6a04f2e4375bf48de1fdb21fb982afd9d2ea137c",
+		   "c813c4e2e2e0a8a391774c7903da7a6f14686e98e183e670ee6fb784809a3e92ca209dc631d85b1c7534ed3b37fddf64d854d7e01f91f18bb3fd307591afc051");
+
+      ecc_set_str (&ecc->ref[1], /* 3 g */
+		   "a1ff1ab2712a267eb53935ddb5a567f84db156cc096168a1174291d5f488fba543d2840b4d2dd35d764b2f57b308907aec55cfba10544e8416e134687ccb87c3",
+		   "3cb5c4417ec4637f30374f189bb5b984c41e3a48d7f84fbfa3819e3f333f7eb311d3af7e67c4c16eeacfac2fe94c6dd4c6366f711a4fb6c7125cd7ec518d90d6");
+
+      ecc_set_str (&ecc->ref[2], /* 4 g */
+		   "b7bfb80956c8670031ba191929f64e301d681634236d47a60e571a4bedc0ef257452ef78b5b98dbb3d9f3129d9349433ce2a3a35cb519c91e2d633d7b373ae16",
+		   "3bee95e29eecc5d5ad2beba941abcbf9f1cad478df0fecf614f63aeebef77850da7efdb93de8f3df80bc25eac09239c14175f5c29704ce9a3e383f1b3ec0e929");
+
     }
   else if (!strcmp (curve, "curve448"))
     {
diff --git a/examples/ecc-benchmark.c b/examples/ecc-benchmark.c
index 42035ca0..a529cf16 100644
--- a/examples/ecc-benchmark.c
+++ b/examples/ecc-benchmark.c
@@ -315,6 +315,7 @@ const struct ecc_curve * const curves[] = {
   &_nettle_curve448,
   &_nettle_secp_521r1,
   &_nettle_gost_gc256b,
+  &_nettle_gost_gc512a,
 };
 
 #define numberof(x)  (sizeof (x) / sizeof ((x)[0]))
diff --git a/testsuite/testutils.c b/testsuite/testutils.c
index 086bcbc8..61d52d92 100644
--- a/testsuite/testutils.c
+++ b/testsuite/testutils.c
@@ -1678,6 +1678,7 @@ const struct ecc_curve * const ecc_curves[] = {
   &_nettle_curve25519,
   &_nettle_curve448,
   &_nettle_gost_gc256b,
+  &_nettle_gost_gc512a,
   NULL
 };
 
@@ -1729,7 +1730,7 @@ void
 test_ecc_mul_a (unsigned curve, unsigned n, const mp_limb_t *p)
 {
   /* For each curve, the points 2 g, 3 g and 4 g */
-  static const struct ecc_ref_point ref[8][3] = {
+  static const struct ecc_ref_point ref[9][3] = {
     { { "dafebf5828783f2ad35534631588a3f629a70fb16982a888",
 	"dd6bda0d993da0fa46b27bbc141b868f59331afa5c7e93ab" },
       { "76e32a2557599e6edcd283201fb2b9aadfd0d359cbb263da",
@@ -1804,9 +1805,22 @@ test_ecc_mul_a (unsigned curve, unsigned n, const mp_limb_t *p)
 	"76bcd1ca9a23b041d4d9baf507a6cd821267a94c838768e8486117796b788a51" },
       { "f7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e4b7",
 	"83ccf17ba6706d73625cc3534c7a2b9d6ec1ee6a9a7e07c10d84b388de59f741" },
+    },
+    { { "3b89dcfc622996ab97a5869dbff15cf51db00954f43a58a5e5f6b0470a132b2f"
+	"4434bbcd405d2a9516151d2a6a04f2e4375bf48de1fdb21fb982afd9d2ea137c",
+	"c813c4e2e2e0a8a391774c7903da7a6f14686e98e183e670ee6fb784809a3e92"
+	"ca209dc631d85b1c7534ed3b37fddf64d854d7e01f91f18bb3fd307591afc051" },
+      { "a1ff1ab2712a267eb53935ddb5a567f84db156cc096168a1174291d5f488fba5"
+	"43d2840b4d2dd35d764b2f57b308907aec55cfba10544e8416e134687ccb87c3",
+	"3cb5c4417ec4637f30374f189bb5b984c41e3a48d7f84fbfa3819e3f333f7eb3"
+	"11d3af7e67c4c16eeacfac2fe94c6dd4c6366f711a4fb6c7125cd7ec518d90d6" },
+      { "b7bfb80956c8670031ba191929f64e301d681634236d47a60e571a4bedc0ef25"
+	"7452ef78b5b98dbb3d9f3129d9349433ce2a3a35cb519c91e2d633d7b373ae16",
+	"3bee95e29eecc5d5ad2beba941abcbf9f1cad478df0fecf614f63aeebef77850"
+	"da7efdb93de8f3df80bc25eac09239c14175f5c29704ce9a3e383f1b3ec0e929" },
     }
   };
-  assert (curve < 8);
+  assert (curve < 9);
   assert (n <= 4);
   if (n == 0)
     {
-- 
2.24.1