From e741c9385af4eaecd4329199803163adeb3ce350 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> Date: Mon, 18 Aug 2014 22:22:31 +0200 Subject: [PATCH] Implemented curve25519_mul. --- ChangeLog | 4 +++ Makefile.in | 2 +- curve25519-mul.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++ curve25519.h | 4 +++ 4 files changed, 99 insertions(+), 1 deletion(-) create mode 100644 curve25519-mul.c diff --git a/ChangeLog b/ChangeLog index b488d7e5..241b93d5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,9 @@ 2014-08-18 Niels Möller <nisse@lysator.liu.se> + * curve25519-mul.c (curve25519_mul): New file and function. + * curve25519.h (curve25519_mul): Declare it. + * Makefile.in (hogweed_SOURCES): Added curve25519-mul.c. + * curve25519-mul-g.c (curve25519_mul_g): Renamed file and function, updated callers. * curve25519-base.c (curve25519_base): ... old names. diff --git a/Makefile.in b/Makefile.in index 87400e67..c3f29e31 100644 --- a/Makefile.in +++ b/Makefile.in @@ -174,7 +174,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-point.c ecc-scalar.c ecc-point-mul.c ecc-point-mul-g.c \ ecc-ecdsa-sign.c ecdsa-sign.c \ ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \ - curve25519-mul-g.c \ + curve25519-mul-g.c curve25519-mul.c \ $(OPT_HOGWEED_SOURCES) HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \ diff --git a/curve25519-mul.c b/curve25519-mul.c new file mode 100644 index 00000000..ddc50eb5 --- /dev/null +++ b/curve25519-mul.c 
@@ -0,0 +1,90 @@ +/* curve25519-mul.c + + Copyright (C) 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <string.h> + +#include "curve25519.h" + +#include "ecc.h" +#include "ecc-internal.h" + +/* Intended to be compatible with NaCl's crypto_scalarmult. NOTE: Not + side-channel silent, due to the sqrt. 
*/ +int +curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p) +{ + uint8_t t[CURVE25519_SIZE]; + mp_size_t itch; + mp_limb_t *scratch; + const struct ecc_curve *ecc = &nettle_curve25519; + +#define x scratch +#define y (scratch + ecc->size) +#define s (scratch + 3*ecc->size) +#define scratch_out (scratch + 4*ecc->size) + + itch = 5*ecc->size + ECC_MUL_A_EH_ITCH (ecc->size); + scratch = gmp_alloc_limbs (itch); + + mpn_set_base256_le (x, ecc->size, p, CURVE25519_SIZE); + + /* First compute y coordinate, from + + y^2 = x^3 + b x^2 + x = (x^2 + bx + 1) x + */ + ecc_modp_sqr (&nettle_curve25519, y, x); + ecc_modp_addmul_1 (&nettle_curve25519, y, x, 0x76d06ULL); + ecc_modp_add (ecc, s, y, ecc->unit); + ecc_modp_mul (ecc, y, s, x); + + /* FIXME: Pass s as scratch space to ecc_25519_sqrt */ + if (!ecc_25519_sqrt (y, y)) + /* y-coordinate doesn't belong to base field F_p. FIXME: Implement + case of y in F_{p^2}? */ + return 0; + + memcpy (t, n, sizeof(t)); + t[0] &= ~7; + t[CURVE25519_SIZE-1] = (t[CURVE25519_SIZE-1] & 0x3f) | 0x40; + + mpn_set_base256_le (s, ecc->size, t, CURVE25519_SIZE); + + ecc_mul_a_eh (ecc, x, s, x, scratch_out); + ecc_eh_to_a (ecc, 2, s, x, scratch_out); + mpn_get_base256_le (q, CURVE25519_SIZE, s, ecc->size); + + gmp_free_limbs (scratch, itch); + return 1; +} diff --git a/curve25519.h b/curve25519.h index 03cb151d..bcf579d7 100644 --- a/curve25519.h +++ b/curve25519.h @@ -40,10 +40,14 @@ extern "C" { /* Name mangling */ #define curve25519_mul_g nettle_curve25519_mul_g +#define curve25519_mul nettle_curve25519_mul #define CURVE25519_SIZE 32 void curve25519_mul_g (uint8_t *q, const uint8_t *n); +int +curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p); + #endif /* NETTLE_CURVE25519_H */ -- GitLab
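Review bot: The early `return 0;` after the failed `ecc_25519_sqrt (y, y)` call skips `gmp_free_limbs (scratch, itch)`, so every call whose x-coordinate has no square root in F_p leaks the scratch allocation, and since `p` is a peer-supplied public value that path is reachable from outside. The smallest fix is to release before leaving, `if (!ecc_25519_sqrt (y, y)) { gmp_free_limbs (scratch, itch); return 0; }`, or to route both exits through one cleanup label. The clamped secret scalar also stays behind in the stack buffer `t` and in the `s` limbs of `scratch` after return; clearing `t` before exit (a plain `memset` right before return may be optimized away, so use a volatile-safe clear) and wiping `scratch` before `gmp_free_limbs` would shorten how long the secret lingers in memory. `x` is loaded from all 256 bits of `p` with no masking of bit 255 and no reduction mod p; whether `ecc_modp_sqr` and `ecc_modp_addmul_1` tolerate an unreduced input is not visible in this hunk, so that is worth confirming against their contracts.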
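Review bot: The new public declaration of `curve25519_mul` has no comment on its return value, while the neighbouring `curve25519_mul_g` is `void`, so a header reader cannot tell that 0 means the input was rejected and `q` is left unwritten. A comment above the prototype such as `/* Computes q = n * p. Returns 1 on success, 0 if the x-coordinate p has no y-coordinate in F_p; q is then left unchanged. */` would make the contract visible to callers. The implementation's own note that the function is not side-channel silent because of the square root belongs in the public header too, since that is where users of the API will look.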