1 /* Originally written by Bodo Moeller for the OpenSSL project.
2 * ====================================================================
3 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
31 * 6. Redistributions of any form whatsoever must retain the following
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
55 /* ====================================================================
56 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
58 * Portions of the attached software ("Contribution") are developed by
59 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
61 * The Contribution is licensed pursuant to the OpenSSL open source
62 * license provided above.
64 * The elliptic curve binary polynomial software is originally written by
65 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems
68 #include <openssl/ec.h>
72 #include <openssl/bn.h>
73 #include <openssl/err.h>
74 #include <openssl/mem.h>
77 #include "../../internal.h"
80 // Most method functions in this file are designed to work with non-trivial
81 // representations of field elements if necessary (see ecp_mont.c): while
82 // standard modular addition and subtraction are used, the field_mul and
83 // field_sqr methods will be used for multiplication, and field_encode and
84 // field_decode (if defined) will be used for converting between
87 // Functions here specifically assume that if a non-trivial representation is
88 // used, it is a Montgomery representation (i.e. 'encoding' means multiplying
91 int ec_GFp_simple_group_init(EC_GROUP *group) {
92 BN_init(&group->field);
96 group->a_is_minus3 = 0;
100 void ec_GFp_simple_group_finish(EC_GROUP *group) {
101 BN_free(&group->field);
104 BN_free(&group->one);
107 int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
108 const BIGNUM *a, const BIGNUM *b,
111 BN_CTX *new_ctx = NULL;
114 // p must be a prime > 3
115 if (BN_num_bits(p) <= 2 || !BN_is_odd(p)) {
116 OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FIELD);
121 ctx = new_ctx = BN_CTX_new();
128 tmp_a = BN_CTX_get(ctx);
134 if (!BN_copy(&group->field, p)) {
137 BN_set_negative(&group->field, 0);
138 // Store the field in minimal form, so it can be used with |BN_ULONG| arrays.
139 bn_set_minimal_width(&group->field);
142 if (!BN_nnmod(tmp_a, a, &group->field, ctx)) {
145 if (group->meth->field_encode) {
146 if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) {
149 } else if (!BN_copy(&group->a, tmp_a)) {
154 if (!BN_nnmod(&group->b, b, &group->field, ctx)) {
157 if (group->meth->field_encode &&
158 !group->meth->field_encode(group, &group->b, &group->b, ctx)) {
162 // group->a_is_minus3
163 if (!BN_add_word(tmp_a, 3)) {
166 group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
168 if (group->meth->field_encode != NULL) {
169 if (!group->meth->field_encode(group, &group->one, BN_value_one(), ctx)) {
172 } else if (!BN_copy(&group->one, BN_value_one())) {
180 BN_CTX_free(new_ctx);
184 int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
185 BIGNUM *b, BN_CTX *ctx) {
187 BN_CTX *new_ctx = NULL;
189 if (p != NULL && !BN_copy(p, &group->field)) {
193 if (a != NULL || b != NULL) {
194 if (group->meth->field_decode) {
196 ctx = new_ctx = BN_CTX_new();
201 if (a != NULL && !group->meth->field_decode(group, a, &group->a, ctx)) {
204 if (b != NULL && !group->meth->field_decode(group, b, &group->b, ctx)) {
208 if (a != NULL && !BN_copy(a, &group->a)) {
211 if (b != NULL && !BN_copy(b, &group->b)) {
220 BN_CTX_free(new_ctx);
224 unsigned ec_GFp_simple_group_get_degree(const EC_GROUP *group) {
225 return BN_num_bits(&group->field);
228 int ec_GFp_simple_point_init(EC_POINT *point) {
236 void ec_GFp_simple_point_finish(EC_POINT *point) {
242 int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src) {
243 if (!BN_copy(&dest->X, &src->X) ||
244 !BN_copy(&dest->Y, &src->Y) ||
245 !BN_copy(&dest->Z, &src->Z)) {
252 int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group,
258 static int set_Jprojective_coordinate_GFp(const EC_GROUP *group, BIGNUM *out,
259 const BIGNUM *in, BN_CTX *ctx) {
263 if (BN_is_negative(in) ||
264 BN_cmp(in, &group->field) >= 0) {
265 OPENSSL_PUT_ERROR(EC, EC_R_COORDINATES_OUT_OF_RANGE);
268 if (group->meth->field_encode) {
269 return group->meth->field_encode(group, out, in, ctx);
271 return BN_copy(out, in) != NULL;
274 int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group,
275 EC_POINT *point, const BIGNUM *x,
276 const BIGNUM *y, BN_CTX *ctx) {
277 if (x == NULL || y == NULL) {
278 OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
282 BN_CTX *new_ctx = NULL;
286 ctx = new_ctx = BN_CTX_new();
292 if (!set_Jprojective_coordinate_GFp(group, &point->X, x, ctx) ||
293 !set_Jprojective_coordinate_GFp(group, &point->Y, y, ctx) ||
294 !BN_copy(&point->Z, &group->one)) {
301 BN_CTX_free(new_ctx);
305 int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
306 const EC_POINT *b, BN_CTX *ctx) {
307 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,
309 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
311 BN_CTX *new_ctx = NULL;
312 BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
316 return EC_POINT_dbl(group, r, a, ctx);
318 if (EC_POINT_is_at_infinity(group, a)) {
319 return EC_POINT_copy(r, b);
321 if (EC_POINT_is_at_infinity(group, b)) {
322 return EC_POINT_copy(r, a);
325 field_mul = group->meth->field_mul;
326 field_sqr = group->meth->field_sqr;
330 ctx = new_ctx = BN_CTX_new();
337 n0 = BN_CTX_get(ctx);
338 n1 = BN_CTX_get(ctx);
339 n2 = BN_CTX_get(ctx);
340 n3 = BN_CTX_get(ctx);
341 n4 = BN_CTX_get(ctx);
342 n5 = BN_CTX_get(ctx);
343 n6 = BN_CTX_get(ctx);
348 // Note that in this function we must not read components of 'a' or 'b'
349 // once we have written the corresponding components of 'r'.
350 // ('r' might be one of 'a' or 'b'.)
353 int b_Z_is_one = BN_cmp(&b->Z, &group->one) == 0;
356 if (!BN_copy(n1, &a->X) || !BN_copy(n2, &a->Y)) {
362 if (!field_sqr(group, n0, &b->Z, ctx) ||
363 !field_mul(group, n1, &a->X, n0, ctx)) {
368 if (!field_mul(group, n0, n0, &b->Z, ctx) ||
369 !field_mul(group, n2, &a->Y, n0, ctx)) {
376 int a_Z_is_one = BN_cmp(&a->Z, &group->one) == 0;
378 if (!BN_copy(n3, &b->X) || !BN_copy(n4, &b->Y)) {
384 if (!field_sqr(group, n0, &a->Z, ctx) ||
385 !field_mul(group, n3, &b->X, n0, ctx)) {
390 if (!field_mul(group, n0, n0, &a->Z, ctx) ||
391 !field_mul(group, n4, &b->Y, n0, ctx)) {
398 if (!bn_mod_sub_consttime(n5, n1, n3, p, ctx) ||
399 !bn_mod_sub_consttime(n6, n2, n4, p, ctx)) {
405 if (BN_is_zero(n5)) {
406 if (BN_is_zero(n6)) {
407 // a is the same point as b
409 ret = EC_POINT_dbl(group, r, a, ctx);
413 // a is the inverse of b
421 if (!bn_mod_add_consttime(n1, n1, n3, p, ctx) ||
422 !bn_mod_add_consttime(n2, n2, n4, p, ctx)) {
429 if (a_Z_is_one && b_Z_is_one) {
430 if (!BN_copy(&r->Z, n5)) {
435 if (!BN_copy(n0, &b->Z)) {
438 } else if (b_Z_is_one) {
439 if (!BN_copy(n0, &a->Z)) {
442 } else if (!field_mul(group, n0, &a->Z, &b->Z, ctx)) {
445 if (!field_mul(group, &r->Z, n0, n5, ctx)) {
450 // Z_r = Z_a * Z_b * n5
453 if (!field_sqr(group, n0, n6, ctx) ||
454 !field_sqr(group, n4, n5, ctx) ||
455 !field_mul(group, n3, n1, n4, ctx) ||
456 !bn_mod_sub_consttime(&r->X, n0, n3, p, ctx)) {
459 // X_r = n6^2 - n5^2 * 'n7'
462 if (!bn_mod_lshift1_consttime(n0, &r->X, p, ctx) ||
463 !bn_mod_sub_consttime(n0, n3, n0, p, ctx)) {
466 // n9 = n5^2 * 'n7' - 2 * X_r
469 if (!field_mul(group, n0, n0, n6, ctx) ||
470 !field_mul(group, n5, n4, n5, ctx)) {
471 goto end; // now n5 is n5^3
473 if (!field_mul(group, n1, n2, n5, ctx) ||
474 !bn_mod_sub_consttime(n0, n0, n1, p, ctx)) {
477 if (BN_is_odd(n0) && !BN_add(n0, n0, p)) {
480 // now 0 <= n0 < 2*p, and n0 is even
481 if (!BN_rshift1(&r->Y, n0)) {
484 // Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2
490 // otherwise we already called BN_CTX_end
493 BN_CTX_free(new_ctx);
497 int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
499 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,
501 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
503 BN_CTX *new_ctx = NULL;
504 BIGNUM *n0, *n1, *n2, *n3;
507 if (EC_POINT_is_at_infinity(group, a)) {
512 field_mul = group->meth->field_mul;
513 field_sqr = group->meth->field_sqr;
517 ctx = new_ctx = BN_CTX_new();
524 n0 = BN_CTX_get(ctx);
525 n1 = BN_CTX_get(ctx);
526 n2 = BN_CTX_get(ctx);
527 n3 = BN_CTX_get(ctx);
532 // Note that in this function we must not read components of 'a'
533 // once we have written the corresponding components of 'r'.
534 // ('r' might the same as 'a'.)
537 if (BN_cmp(&a->Z, &group->one) == 0) {
538 if (!field_sqr(group, n0, &a->X, ctx) ||
539 !bn_mod_lshift1_consttime(n1, n0, p, ctx) ||
540 !bn_mod_add_consttime(n0, n0, n1, p, ctx) ||
541 !bn_mod_add_consttime(n1, n0, &group->a, p, ctx)) {
544 // n1 = 3 * X_a^2 + a_curve
545 } else if (group->a_is_minus3) {
546 if (!field_sqr(group, n1, &a->Z, ctx) ||
547 !bn_mod_add_consttime(n0, &a->X, n1, p, ctx) ||
548 !bn_mod_sub_consttime(n2, &a->X, n1, p, ctx) ||
549 !field_mul(group, n1, n0, n2, ctx) ||
550 !bn_mod_lshift1_consttime(n0, n1, p, ctx) ||
551 !bn_mod_add_consttime(n1, n0, n1, p, ctx)) {
554 // n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
555 // = 3 * X_a^2 - 3 * Z_a^4
557 if (!field_sqr(group, n0, &a->X, ctx) ||
558 !bn_mod_lshift1_consttime(n1, n0, p, ctx) ||
559 !bn_mod_add_consttime(n0, n0, n1, p, ctx) ||
560 !field_sqr(group, n1, &a->Z, ctx) ||
561 !field_sqr(group, n1, n1, ctx) ||
562 !field_mul(group, n1, n1, &group->a, ctx) ||
563 !bn_mod_add_consttime(n1, n1, n0, p, ctx)) {
566 // n1 = 3 * X_a^2 + a_curve * Z_a^4
570 if (BN_cmp(&a->Z, &group->one) == 0) {
571 if (!BN_copy(n0, &a->Y)) {
574 } else if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) {
577 if (!bn_mod_lshift1_consttime(&r->Z, n0, p, ctx)) {
580 // Z_r = 2 * Y_a * Z_a
583 if (!field_sqr(group, n3, &a->Y, ctx) ||
584 !field_mul(group, n2, &a->X, n3, ctx) ||
585 !bn_mod_lshift_consttime(n2, n2, 2, p, ctx)) {
588 // n2 = 4 * X_a * Y_a^2
591 if (!bn_mod_lshift1_consttime(n0, n2, p, ctx) ||
592 !field_sqr(group, &r->X, n1, ctx) ||
593 !bn_mod_sub_consttime(&r->X, &r->X, n0, p, ctx)) {
596 // X_r = n1^2 - 2 * n2
599 if (!field_sqr(group, n0, n3, ctx) ||
600 !bn_mod_lshift_consttime(n3, n0, 3, p, ctx)) {
606 if (!bn_mod_sub_consttime(n0, n2, &r->X, p, ctx) ||
607 !field_mul(group, n0, n1, n0, ctx) ||
608 !bn_mod_sub_consttime(&r->Y, n0, n3, p, ctx)) {
611 // Y_r = n1 * (n2 - X_r) - n3
617 BN_CTX_free(new_ctx);
621 int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) {
622 if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y)) {
623 // point is its own inverse
627 return BN_usub(&point->Y, &group->field, &point->Y);
630 int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) {
631 return BN_is_zero(&point->Z);
634 int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
636 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,
638 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
640 BN_CTX *new_ctx = NULL;
641 BIGNUM *rh, *tmp, *Z4, *Z6;
644 if (EC_POINT_is_at_infinity(group, point)) {
648 field_mul = group->meth->field_mul;
649 field_sqr = group->meth->field_sqr;
653 ctx = new_ctx = BN_CTX_new();
660 rh = BN_CTX_get(ctx);
661 tmp = BN_CTX_get(ctx);
662 Z4 = BN_CTX_get(ctx);
663 Z6 = BN_CTX_get(ctx);
668 // We have a curve defined by a Weierstrass equation
669 // y^2 = x^3 + a*x + b.
670 // The point to consider is given in Jacobian projective coordinates
671 // where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
672 // Substituting this and multiplying by Z^6 transforms the above equation
674 // Y^2 = X^3 + a*X*Z^4 + b*Z^6.
675 // To test this, we add up the right-hand side in 'rh'.
678 if (!field_sqr(group, rh, &point->X, ctx)) {
682 if (BN_cmp(&point->Z, &group->one) != 0) {
683 if (!field_sqr(group, tmp, &point->Z, ctx) ||
684 !field_sqr(group, Z4, tmp, ctx) ||
685 !field_mul(group, Z6, Z4, tmp, ctx)) {
689 // rh := (rh + a*Z^4)*X
690 if (group->a_is_minus3) {
691 if (!bn_mod_lshift1_consttime(tmp, Z4, p, ctx) ||
692 !bn_mod_add_consttime(tmp, tmp, Z4, p, ctx) ||
693 !bn_mod_sub_consttime(rh, rh, tmp, p, ctx) ||
694 !field_mul(group, rh, rh, &point->X, ctx)) {
698 if (!field_mul(group, tmp, Z4, &group->a, ctx) ||
699 !bn_mod_add_consttime(rh, rh, tmp, p, ctx) ||
700 !field_mul(group, rh, rh, &point->X, ctx)) {
706 if (!field_mul(group, tmp, &group->b, Z6, ctx) ||
707 !bn_mod_add_consttime(rh, rh, tmp, p, ctx)) {
712 if (!bn_mod_add_consttime(rh, rh, &group->a, p, ctx) ||
713 !field_mul(group, rh, rh, &point->X, ctx)) {
717 if (!bn_mod_add_consttime(rh, rh, &group->b, p, ctx)) {
723 if (!field_sqr(group, tmp, &point->Y, ctx)) {
727 ret = (0 == BN_ucmp(tmp, rh));
731 BN_CTX_free(new_ctx);
735 int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
736 const EC_POINT *b, BN_CTX *ctx) {
739 // 0 equal (in affine coordinates)
742 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,
744 int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
745 BN_CTX *new_ctx = NULL;
746 BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
747 const BIGNUM *tmp1_, *tmp2_;
750 if (ec_GFp_simple_is_at_infinity(group, a)) {
751 return ec_GFp_simple_is_at_infinity(group, b) ? 0 : 1;
754 if (ec_GFp_simple_is_at_infinity(group, b)) {
758 int a_Z_is_one = BN_cmp(&a->Z, &group->one) == 0;
759 int b_Z_is_one = BN_cmp(&b->Z, &group->one) == 0;
761 if (a_Z_is_one && b_Z_is_one) {
762 return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
765 field_mul = group->meth->field_mul;
766 field_sqr = group->meth->field_sqr;
769 ctx = new_ctx = BN_CTX_new();
776 tmp1 = BN_CTX_get(ctx);
777 tmp2 = BN_CTX_get(ctx);
778 Za23 = BN_CTX_get(ctx);
779 Zb23 = BN_CTX_get(ctx);
784 // We have to decide whether
785 // (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
786 // or equivalently, whether
787 // (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
790 if (!field_sqr(group, Zb23, &b->Z, ctx) ||
791 !field_mul(group, tmp1, &a->X, Zb23, ctx)) {
799 if (!field_sqr(group, Za23, &a->Z, ctx) ||
800 !field_mul(group, tmp2, &b->X, Za23, ctx)) {
808 // compare X_a*Z_b^2 with X_b*Z_a^2
809 if (BN_cmp(tmp1_, tmp2_) != 0) {
810 ret = 1; // points differ
816 if (!field_mul(group, Zb23, Zb23, &b->Z, ctx) ||
817 !field_mul(group, tmp1, &a->Y, Zb23, ctx)) {
825 if (!field_mul(group, Za23, Za23, &a->Z, ctx) ||
826 !field_mul(group, tmp2, &b->Y, Za23, ctx)) {
834 // compare Y_a*Z_b^3 with Y_b*Z_a^3
835 if (BN_cmp(tmp1_, tmp2_) != 0) {
836 ret = 1; // points differ
845 BN_CTX_free(new_ctx);
849 int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point,
851 BN_CTX *new_ctx = NULL;
855 if (BN_cmp(&point->Z, &group->one) == 0 ||
856 EC_POINT_is_at_infinity(group, point)) {
861 ctx = new_ctx = BN_CTX_new();
874 if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx) ||
875 !EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) {
878 if (BN_cmp(&point->Z, &group->one) != 0) {
879 OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
887 BN_CTX_free(new_ctx);
891 int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num,
892 EC_POINT *points[], BN_CTX *ctx) {
893 BN_CTX *new_ctx = NULL;
895 BIGNUM **prod_Z = NULL;
903 ctx = new_ctx = BN_CTX_new();
910 tmp = BN_CTX_get(ctx);
911 tmp_Z = BN_CTX_get(ctx);
912 if (tmp == NULL || tmp_Z == NULL) {
916 prod_Z = OPENSSL_malloc(num * sizeof(prod_Z[0]));
917 if (prod_Z == NULL) {
920 OPENSSL_memset(prod_Z, 0, num * sizeof(prod_Z[0]));
921 for (size_t i = 0; i < num; i++) {
922 prod_Z[i] = BN_new();
923 if (prod_Z[i] == NULL) {
928 // Set each prod_Z[i] to the product of points[0]->Z .. points[i]->Z,
929 // skipping any zero-valued inputs (pretend that they're 1).
931 if (!BN_is_zero(&points[0]->Z)) {
932 if (!BN_copy(prod_Z[0], &points[0]->Z)) {
936 if (BN_copy(prod_Z[0], &group->one) == NULL) {
941 for (size_t i = 1; i < num; i++) {
942 if (!BN_is_zero(&points[i]->Z)) {
943 if (!group->meth->field_mul(group, prod_Z[i], prod_Z[i - 1],
944 &points[i]->Z, ctx)) {
948 if (!BN_copy(prod_Z[i], prod_Z[i - 1])) {
954 // Now use a single explicit inversion to replace every non-zero points[i]->Z
955 // by its inverse. We use |BN_mod_inverse_odd| instead of doing a constant-
956 // time inversion using Fermat's Little Theorem because this function is
957 // usually only used for converting multiples of a public key point to
958 // affine, and a public key point isn't secret. If we were to use Fermat's
959 // Little Theorem then the cost of the inversion would usually be so high
960 // that converting the multiples to affine would be counterproductive.
962 if (!BN_mod_inverse_odd(tmp, &no_inverse, prod_Z[num - 1], &group->field,
964 OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
968 if (group->meth->field_encode != NULL) {
969 // In the Montgomery case, we just turned R*H (representing H)
970 // into 1/(R*H), but we need R*(1/H) (representing 1/H);
971 // i.e. we need to multiply by the Montgomery factor twice.
972 if (!group->meth->field_encode(group, tmp, tmp, ctx) ||
973 !group->meth->field_encode(group, tmp, tmp, ctx)) {
978 for (size_t i = num - 1; i > 0; --i) {
979 // Loop invariant: tmp is the product of the inverses of
980 // points[0]->Z .. points[i]->Z (zero-valued inputs skipped).
981 if (BN_is_zero(&points[i]->Z)) {
985 // Set tmp_Z to the inverse of points[i]->Z (as product
986 // of Z inverses 0 .. i, Z values 0 .. i - 1).
987 if (!group->meth->field_mul(group, tmp_Z, prod_Z[i - 1], tmp, ctx) ||
988 // Update tmp to satisfy the loop invariant for i - 1.
989 !group->meth->field_mul(group, tmp, tmp, &points[i]->Z, ctx) ||
990 // Replace points[i]->Z by its inverse.
991 !BN_copy(&points[i]->Z, tmp_Z)) {
996 // Replace points[0]->Z by its inverse.
997 if (!BN_is_zero(&points[0]->Z) && !BN_copy(&points[0]->Z, tmp)) {
1001 // Finally, fix up the X and Y coordinates for all points.
1002 for (size_t i = 0; i < num; i++) {
1003 EC_POINT *p = points[i];
1005 if (!BN_is_zero(&p->Z)) {
1006 // turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1).
1007 if (!group->meth->field_sqr(group, tmp, &p->Z, ctx) ||
1008 !group->meth->field_mul(group, &p->X, &p->X, tmp, ctx) ||
1009 !group->meth->field_mul(group, tmp, tmp, &p->Z, ctx) ||
1010 !group->meth->field_mul(group, &p->Y, &p->Y, tmp, ctx)) {
1014 if (BN_copy(&p->Z, &group->one) == NULL) {
1024 BN_CTX_free(new_ctx);
1025 if (prod_Z != NULL) {
1026 for (size_t i = 0; i < num; i++) {
1027 if (prod_Z[i] == NULL) {
1030 BN_clear_free(prod_Z[i]);
1032 OPENSSL_free(prod_Z);
1038 int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
1039 const BIGNUM *b, BN_CTX *ctx) {
1040 return BN_mod_mul(r, a, b, &group->field, ctx);
1043 int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
1045 return BN_mod_sqr(r, a, &group->field, ctx);
git://repos.xcallymotion.com / motion2.git / blob