/* * Copyright 2013 The Android Open Source Project * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * Neither the name of Google Inc. nor the names of its contributors may * be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO * EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ // This is an implementation of the P256 elliptic curve group. It's written to // be portable and still constant-time. // // WARNING: Implementing these functions in a constant-time manner is far from // obvious. Be careful when touching this code. // // See http://www.imperialviolet.org/2010/12/04/ecc.html ([1]) for background. #include "p256/p256_gf.h" /* Field element operations: */ /* felem_inv calculates |out| = |in|^{-1} * * Based on Fermat's Little Theorem: * a^p = a (mod p) * a^{p-1} = 1 (mod p) * a^{p-2} = a^{-1} (mod p) */ static void felem_inv(felem out, const felem in) { felem ftmp, ftmp2; /* each e_I will hold |in|^{2^I - 1} */ felem e2, e4, e8, e16, e32, e64; unsigned i; felem_square(ftmp, in); /* 2^1 */ felem_mul(ftmp, in, ftmp); /* 2^2 - 2^0 */ felem_assign(e2, ftmp); felem_square(ftmp, ftmp); /* 2^3 - 2^1 */ felem_square(ftmp, ftmp); /* 2^4 - 2^2 */ felem_mul(ftmp, ftmp, e2); /* 2^4 - 2^0 */ felem_assign(e4, ftmp); felem_square(ftmp, ftmp); /* 2^5 - 2^1 */ felem_square(ftmp, ftmp); /* 2^6 - 2^2 */ felem_square(ftmp, ftmp); /* 2^7 - 2^3 */ felem_square(ftmp, ftmp); /* 2^8 - 2^4 */ felem_mul(ftmp, ftmp, e4); /* 2^8 - 2^0 */ felem_assign(e8, ftmp); for (i = 0; i < 8; i++) { felem_square(ftmp, ftmp); } /* 2^16 - 2^8 */ felem_mul(ftmp, ftmp, e8); /* 2^16 - 2^0 */ felem_assign(e16, ftmp); for (i = 0; i < 16; i++) { felem_square(ftmp, ftmp); } /* 2^32 - 2^16 */ felem_mul(ftmp, ftmp, e16); /* 2^32 - 2^0 */ felem_assign(e32, ftmp); for (i = 0; i < 32; i++) { felem_square(ftmp, ftmp); } /* 2^64 - 2^32 */ felem_assign(e64, ftmp); felem_mul(ftmp, ftmp, in); /* 2^64 - 2^32 + 2^0 */ for (i = 0; i < 192; i++) { felem_square(ftmp, ftmp); } /* 2^256 - 2^224 + 2^192 */ felem_mul(ftmp2, e64, e32); /* 2^64 - 2^0 */ for (i = 0; i < 16; i++) { felem_square(ftmp2, ftmp2); } /* 2^80 - 2^16 */ felem_mul(ftmp2, ftmp2, e16); /* 2^80 - 2^0 */ for (i = 0; i < 8; i++) { felem_square(ftmp2, ftmp2); } /* 2^88 - 2^8 */ felem_mul(ftmp2, ftmp2, e8); /* 2^88 - 2^0 */ for (i = 0; i < 4; i++) { felem_square(ftmp2, ftmp2); } /* 2^92 - 2^4 */ felem_mul(ftmp2, ftmp2, e4); /* 2^92 - 2^0 */ felem_square(ftmp2, ftmp2); /* 2^93 - 2^1 */ felem_square(ftmp2, ftmp2); /* 2^94 - 2^2 */ felem_mul(ftmp2, ftmp2, e2); /* 2^94 - 2^0 */ felem_square(ftmp2, ftmp2); /* 2^95 - 2^1 */ felem_square(ftmp2, ftmp2); /* 2^96 - 2^2 */ felem_mul(ftmp2, ftmp2, in); /* 2^96 - 3 */ felem_mul(out, ftmp2, ftmp); /* 2^256 - 2^224 + 2^192 + 2^96 - 3 */ } /* Group operations: * * Elements of the elliptic curve group are represented in Jacobian * coordinates: (x, y, z). An affine point (x', y') is x'=x/z**2, y'=y/z**3 in * Jacobian form. */ /* point_double sets {x_out,y_out,z_out} = 2*{x,y,z}. * * See http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l */ static void point_double(felem x_out, felem y_out, felem z_out, const felem x, const felem y, const felem z) { felem delta, gamma, alpha, beta, tmp, tmp2; felem_square(delta, z); felem_square(gamma, y); felem_mul(beta, x, gamma); felem_sum(tmp, x, delta); felem_diff(tmp2, x, delta); felem_mul(alpha, tmp, tmp2); felem_scalar_3(alpha); felem_sum(tmp, y, z); felem_square(tmp, tmp); felem_diff(tmp, tmp, gamma); felem_diff(z_out, tmp, delta); felem_scalar_4(beta); felem_square(x_out, alpha); felem_diff(x_out, x_out, beta); felem_diff(x_out, x_out, beta); felem_diff(tmp, beta, x_out); felem_mul(tmp, alpha, tmp); felem_square(tmp2, gamma); felem_scalar_8(tmp2); felem_diff(y_out, tmp, tmp2); } /* point_add_mixed sets {x_out,y_out,z_out} = {x1,y1,z1} + {x2,y2,1}. * (i.e. the second point is affine.) * * See http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-add-2007-bl * * Note that this function does not handle P+P, infinity+P nor P+infinity * correctly. */ static void point_add_mixed(felem x_out, felem y_out, felem z_out, const felem x1, const felem y1, const felem z1, const felem x2, const felem y2) { felem z1z1, z1z1z1, s2, u2, h, i, j, r, rr, v, tmp; felem_square(z1z1, z1); felem_sum(tmp, z1, z1); felem_mul(u2, x2, z1z1); felem_mul(z1z1z1, z1, z1z1); felem_mul(s2, y2, z1z1z1); felem_diff(h, u2, x1); felem_sum(i, h, h); felem_square(i, i); felem_mul(j, h, i); felem_diff(r, s2, y1); felem_sum(r, r, r); felem_mul(v, x1, i); felem_mul(z_out, tmp, h); felem_square(rr, r); felem_diff(x_out, rr, j); felem_diff(x_out, x_out, v); felem_diff(x_out, x_out, v); felem_diff(tmp, v, x_out); felem_mul(y_out, tmp, r); felem_mul(tmp, y1, j); felem_diff(y_out, y_out, tmp); felem_diff(y_out, y_out, tmp); } /* point_add sets {x_out,y_out,z_out} = {x1,y1,z1} + {x2,y2,z2}. * * See http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-add-2007-bl * * Note that this function does not handle P+P, infinity+P nor P+infinity * correctly. */ static void point_add(felem x_out, felem y_out, felem z_out, const felem x1, const felem y1, const felem z1, const felem x2, const felem y2, const felem z2) { felem z1z1, z1z1z1, z2z2, z2z2z2, s1, s2, u1, u2, h, i, j, r, rr, v, tmp; felem_square(z1z1, z1); felem_square(z2z2, z2); felem_mul(u1, x1, z2z2); felem_sum(tmp, z1, z2); felem_square(tmp, tmp); felem_diff(tmp, tmp, z1z1); felem_diff(tmp, tmp, z2z2); felem_mul(z2z2z2, z2, z2z2); felem_mul(s1, y1, z2z2z2); felem_mul(u2, x2, z1z1); felem_mul(z1z1z1, z1, z1z1); felem_mul(s2, y2, z1z1z1); felem_diff(h, u2, u1); felem_sum(i, h, h); felem_square(i, i); felem_mul(j, h, i); felem_diff(r, s2, s1); felem_sum(r, r, r); felem_mul(v, u1, i); felem_mul(z_out, tmp, h); felem_square(rr, r); felem_diff(x_out, rr, j); felem_diff(x_out, x_out, v); felem_diff(x_out, x_out, v); felem_diff(tmp, v, x_out); felem_mul(y_out, tmp, r); felem_mul(tmp, s1, j); felem_diff(y_out, y_out, tmp); felem_diff(y_out, y_out, tmp); } /* point_add_or_double_vartime sets {x_out,y_out,z_out} = {x1,y1,z1} + * {x2,y2,z2}. * * See http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-add-2007-bl * * This function handles the case where {x1,y1,z1}={x2,y2,z2}. */ static void point_add_or_double_vartime( felem x_out, felem y_out, felem z_out, const felem x1, const felem y1, const felem z1, const felem x2, const felem y2, const felem z2) { felem z1z1, z1z1z1, z2z2, z2z2z2, s1, s2, u1, u2, h, i, j, r, rr, v, tmp; char x_equal, y_equal; felem_square(z1z1, z1); felem_square(z2z2, z2); felem_mul(u1, x1, z2z2); felem_sum(tmp, z1, z2); felem_square(tmp, tmp); felem_diff(tmp, tmp, z1z1); felem_diff(tmp, tmp, z2z2); felem_mul(z2z2z2, z2, z2z2); felem_mul(s1, y1, z2z2z2); felem_mul(u2, x2, z1z1); felem_mul(z1z1z1, z1, z1z1); felem_mul(s2, y2, z1z1z1); felem_diff(h, u2, u1); x_equal = felem_is_zero_vartime(h); felem_sum(i, h, h); felem_square(i, i); felem_mul(j, h, i); felem_diff(r, s2, s1); y_equal = felem_is_zero_vartime(r); if (x_equal && y_equal) { point_double(x_out, y_out, z_out, x1, y1, z1); return; } felem_sum(r, r, r); felem_mul(v, u1, i); felem_mul(z_out, tmp, h); felem_square(rr, r); felem_diff(x_out, rr, j); felem_diff(x_out, x_out, v); felem_diff(x_out, x_out, v); felem_diff(tmp, v, x_out); felem_mul(y_out, tmp, r); felem_mul(tmp, s1, j); felem_diff(y_out, y_out, tmp); felem_diff(y_out, y_out, tmp); } /* copy_conditional sets out=in if mask = -1 in constant time. * * On entry: mask is either 0 or -1. */ static void copy_conditional(felem out, const felem in, limb mask) { int i; for (i = 0; i < NLIMBS; i++) { const limb tmp = mask & (in[i] ^ out[i]); out[i] ^= tmp; } } /* select_affine_point sets {out_x,out_y} to the index'th entry of table. * On entry: index < 16, table[0] must be zero. */ static void select_affine_point(felem out_x, felem out_y, const limb* table, limb index) { limb i, j; memset(out_x, 0, sizeof(felem)); memset(out_y, 0, sizeof(felem)); for (i = 1; i < 16; i++) { limb mask = i ^ index; mask |= mask >> 2; mask |= mask >> 1; mask &= 1; mask--; for (j = 0; j < NLIMBS; j++, table++) { out_x[j] |= *table & mask; } for (j = 0; j < NLIMBS; j++, table++) { out_y[j] |= *table & mask; } } } /* select_jacobian_point sets {out_x,out_y,out_z} to the index'th entry of * table. On entry: index < 16, table[0] must be zero. */ static void select_jacobian_point(felem out_x, felem out_y, felem out_z, const limb* table, limb index) { limb i, j; memset(out_x, 0, sizeof(felem)); memset(out_y, 0, sizeof(felem)); memset(out_z, 0, sizeof(felem)); /* The implicit value at index 0 is all zero. We don't need to perform that * iteration of the loop because we already set out_* to zero. */ table += 3 * NLIMBS; // Hit all entries to obscure cache profiling. for (i = 1; i < 16; i++) { limb mask = i ^ index; mask |= mask >> 2; mask |= mask >> 1; mask &= 1; mask--; for (j = 0; j < NLIMBS; j++, table++) { out_x[j] |= *table & mask; } for (j = 0; j < NLIMBS; j++, table++) { out_y[j] |= *table & mask; } for (j = 0; j < NLIMBS; j++, table++) { out_z[j] |= *table & mask; } } } /* scalar_base_mult sets {nx,ny,nz} = scalar*G where scalar is a little-endian * number. Note that the value of scalar must be less than the order of the * group. */ static void scalar_base_mult(felem nx, felem ny, felem nz, const cryptonite_p256_int* scalar) { int i, j; limb n_is_infinity_mask = -1, p_is_noninfinite_mask, mask; u32 table_offset; felem px, py; felem tx, ty, tz; memset(nx, 0, sizeof(felem)); memset(ny, 0, sizeof(felem)); memset(nz, 0, sizeof(felem)); /* The loop adds bits at positions 0, 64, 128 and 192, followed by * positions 32,96,160 and 224 and does this 32 times. */ for (i = 0; i < 32; i++) { if (i) { point_double(nx, ny, nz, nx, ny, nz); } table_offset = 0; for (j = 0; j <= 32; j += 32) { char bit0 = cryptonite_p256_get_bit(scalar, 31 - i + j); char bit1 = cryptonite_p256_get_bit(scalar, 95 - i + j); char bit2 = cryptonite_p256_get_bit(scalar, 159 - i + j); char bit3 = cryptonite_p256_get_bit(scalar, 223 - i + j); limb index = bit0 | (bit1 << 1) | (bit2 << 2) | (bit3 << 3); select_affine_point(px, py, kPrecomputed + table_offset, index); table_offset += 30 * NLIMBS; /* Since scalar is less than the order of the group, we know that * {nx,ny,nz} != {px,py,1}, unless both are zero, which we handle * below. */ point_add_mixed(tx, ty, tz, nx, ny, nz, px, py); /* The result of point_add_mixed is incorrect if {nx,ny,nz} is zero * (a.k.a. the point at infinity). We handle that situation by * copying the point from the table. */ copy_conditional(nx, px, n_is_infinity_mask); copy_conditional(ny, py, n_is_infinity_mask); copy_conditional(nz, kOne, n_is_infinity_mask); /* Equally, the result is also wrong if the point from the table is * zero, which happens when the index is zero. We handle that by * only copying from {tx,ty,tz} to {nx,ny,nz} if index != 0. */ p_is_noninfinite_mask = NON_ZERO_TO_ALL_ONES(index); mask = p_is_noninfinite_mask & ~n_is_infinity_mask; copy_conditional(nx, tx, mask); copy_conditional(ny, ty, mask); copy_conditional(nz, tz, mask); /* If p was not zero, then n is now non-zero. */ n_is_infinity_mask &= ~p_is_noninfinite_mask; } } } /* point_to_affine converts a Jacobian point to an affine point. If the input * is the point at infinity then it returns (0, 0) in constant time. */ static void point_to_affine(felem x_out, felem y_out, const felem nx, const felem ny, const felem nz) { felem z_inv, z_inv_sq; felem_inv(z_inv, nz); felem_square(z_inv_sq, z_inv); felem_mul(x_out, nx, z_inv_sq); felem_mul(z_inv, z_inv, z_inv_sq); felem_mul(y_out, ny, z_inv); } /* scalar_base_mult sets {nx,ny,nz} = scalar*{x,y}. */ static void scalar_mult(felem nx, felem ny, felem nz, const felem x, const felem y, const cryptonite_p256_int* scalar) { int i; felem px, py, pz, tx, ty, tz; felem precomp[16][3]; limb n_is_infinity_mask, index, p_is_noninfinite_mask, mask; /* We precompute 0,1,2,... times {x,y}. */ memset(precomp, 0, sizeof(felem) * 3); memcpy(&precomp[1][0], x, sizeof(felem)); memcpy(&precomp[1][1], y, sizeof(felem)); memcpy(&precomp[1][2], kOne, sizeof(felem)); for (i = 2; i < 16; i += 2) { point_double(precomp[i][0], precomp[i][1], precomp[i][2], precomp[i / 2][0], precomp[i / 2][1], precomp[i / 2][2]); point_add_mixed(precomp[i + 1][0], precomp[i + 1][1], precomp[i + 1][2], precomp[i][0], precomp[i][1], precomp[i][2], x, y); } memset(nx, 0, sizeof(felem)); memset(ny, 0, sizeof(felem)); memset(nz, 0, sizeof(felem)); n_is_infinity_mask = -1; /* We add in a window of four bits each iteration and do this 64 times. */ for (i = 0; i < 256; i += 4) { if (i) { point_double(nx, ny, nz, nx, ny, nz); point_double(nx, ny, nz, nx, ny, nz); point_double(nx, ny, nz, nx, ny, nz); point_double(nx, ny, nz, nx, ny, nz); } index = (cryptonite_p256_get_bit(scalar, 255 - i - 0) << 3) | (cryptonite_p256_get_bit(scalar, 255 - i - 1) << 2) | (cryptonite_p256_get_bit(scalar, 255 - i - 2) << 1) | cryptonite_p256_get_bit(scalar, 255 - i - 3); /* See the comments in scalar_base_mult about handling infinities. */ select_jacobian_point(px, py, pz, precomp[0][0], index); point_add(tx, ty, tz, nx, ny, nz, px, py, pz); copy_conditional(nx, px, n_is_infinity_mask); copy_conditional(ny, py, n_is_infinity_mask); copy_conditional(nz, pz, n_is_infinity_mask); p_is_noninfinite_mask = NON_ZERO_TO_ALL_ONES(index); mask = p_is_noninfinite_mask & ~n_is_infinity_mask; copy_conditional(nx, tx, mask); copy_conditional(ny, ty, mask); copy_conditional(nz, tz, mask); n_is_infinity_mask &= ~p_is_noninfinite_mask; } } /* cryptonite_p256_base_point_mul sets {out_x,out_y} = nG, where n is < the * order of the group. */ void cryptonite_p256_base_point_mul(const cryptonite_p256_int* n, cryptonite_p256_int* out_x, cryptonite_p256_int* out_y) { felem x, y, z; scalar_base_mult(x, y, z, n); { felem x_affine, y_affine; point_to_affine(x_affine, y_affine, x, y, z); from_montgomery(out_x, x_affine); from_montgomery(out_y, y_affine); } } /* cryptonite_p256_points_mul_vartime sets {out_x,out_y} = n1*G + n2*{in_x,in_y}, where * n1 and n2 are < the order of the group. * * As indicated by the name, this function operates in variable time. This * is safe because it's used for signature validation which doesn't deal * with secrets. */ void cryptonite_p256_points_mul_vartime( const cryptonite_p256_int* n1, const cryptonite_p256_int* n2, const cryptonite_p256_int* in_x, const cryptonite_p256_int* in_y, cryptonite_p256_int* out_x, cryptonite_p256_int* out_y) { felem x1, y1, z1, x2, y2, z2, px, py; /* If both scalars are zero, then the result is the point at infinity. */ if (cryptonite_p256_is_zero(n1) != 0 && cryptonite_p256_is_zero(n2) != 0) { cryptonite_p256_clear(out_x); cryptonite_p256_clear(out_y); return; } to_montgomery(px, in_x); to_montgomery(py, in_y); scalar_base_mult(x1, y1, z1, n1); scalar_mult(x2, y2, z2, px, py, n2); if (cryptonite_p256_is_zero(n2) != 0) { /* If n2 == 0, then {x2,y2,z2} is zero and the result is just * {x1,y1,z1}. */ } else if (cryptonite_p256_is_zero(n1) != 0) { /* If n1 == 0, then {x1,y1,z1} is zero and the result is just * {x2,y2,z2}. */ memcpy(x1, x2, sizeof(x2)); memcpy(y1, y2, sizeof(y2)); memcpy(z1, z2, sizeof(z2)); } else { /* This function handles the case where {x1,y1,z1} == {x2,y2,z2}. */ point_add_or_double_vartime(x1, y1, z1, x1, y1, z1, x2, y2, z2); } point_to_affine(px, py, x1, y1, z1); from_montgomery(out_x, px); from_montgomery(out_y, py); } /* this function is not part of the original source add 2 points together. so far untested. probably vartime, as it use point_add_or_double_vartime */ void cryptonite_p256e_point_add( const cryptonite_p256_int *in_x1, const cryptonite_p256_int *in_y1, const cryptonite_p256_int *in_x2, const cryptonite_p256_int *in_y2, cryptonite_p256_int *out_x, cryptonite_p256_int *out_y) { felem x, y, z, px1, py1, px2, py2; to_montgomery(px1, in_x1); to_montgomery(py1, in_y1); to_montgomery(px2, in_x2); to_montgomery(py2, in_y2); point_add_or_double_vartime(x, y, z, px1, py1, kOne, px2, py2, kOne); point_to_affine(px1, py1, x, y, z); from_montgomery(out_x, px1); from_montgomery(out_y, py1); } /* this function is not part of the original source negate a point, i.e. (out_x, out_y) = (in_x, -in_y) */ void cryptonite_p256e_point_negate( const cryptonite_p256_int *in_x, const cryptonite_p256_int *in_y, cryptonite_p256_int *out_x, cryptonite_p256_int *out_y) { memcpy(out_x, in_x, P256_NBYTES); cryptonite_p256_sub(&cryptonite_SECP256r1_p, in_y, out_y); } /* this function is not part of the original source cryptonite_p256e_point_mul sets {out_x,out_y} = n*{in_x,in_y}, where n is < the order of the group. */ void cryptonite_p256e_point_mul(const cryptonite_p256_int* n, const cryptonite_p256_int* in_x, const cryptonite_p256_int* in_y, cryptonite_p256_int* out_x, cryptonite_p256_int* out_y) { felem x, y, z, px, py; to_montgomery(px, in_x); to_montgomery(py, in_y); scalar_mult(x, y, z, px, py, n); point_to_affine(px, py, x, y, z); from_montgomery(out_x, px); from_montgomery(out_y, py); }