ECC curves y^2 = x^3 + ax + b

Author: karel-m

demos/tv_gen.c

@@ -637,7 +637,7 @@ void ecc_gen(void)
 {
    FILE         *out;
    unsigned char str[512];
-   void          *k, *order, *modulus;
+   void          *k, *order, *modulus, *a;
    ecc_point    *G, *R;
    int           x;
 
@@ -648,26 +648,29 @@ void ecc_gen(void)
    mp_init(&k);
    mp_init(&order);
    mp_init(&modulus);
+   mp_init(&a);
 
    for (x = 0; ltc_ecc_sets[x].size != 0; x++) {
-        fprintf(out, "ECC-%d\n", ltc_ecc_sets[x].size*8);
+
+        fprintf(out, "%s\n", ltc_ecc_sets[x].name);
         mp_set(k, 1);
 
         mp_read_radix(order,   (char *)ltc_ecc_sets[x].order, 16);
         mp_read_radix(modulus, (char *)ltc_ecc_sets[x].prime, 16);
+        mp_read_radix(a,       (char *)ltc_ecc_sets[x].A,     16);
         mp_read_radix(G->x,    (char *)ltc_ecc_sets[x].Gx,    16);
         mp_read_radix(G->y,    (char *)ltc_ecc_sets[x].Gy,    16);
         mp_set(G->z, 1);
 
         while (mp_cmp(k, order) == LTC_MP_LT) {
-            ltc_mp.ecc_ptmul(k, G, R, modulus, 1);
+            ltc_mp.ecc_ptmul(k, G, R, a, modulus, 1);
             mp_tohex(k,    (char*)str); fprintf(out, "%s, ", (char*)str);
             mp_tohex(R->x, (char*)str); fprintf(out, "%s, ", (char*)str);
             mp_tohex(R->y, (char*)str); fprintf(out, "%s\n", (char*)str);
             mp_mul_d(k, 3, k);
         }
    }
-   mp_clear_multi(k, order, modulus, NULL);
+   mp_clear_multi(k, order, modulus, a, NULL);
    ltc_ecc_del_point(G);
    ltc_ecc_del_point(R);
    fclose(out);

notes/ecc_tv.txt

@@ -487,6 +487,34 @@
 #ifdef LTC_MECC
 /* Supported ECC Key Sizes */
 #ifndef LTC_NO_CURVES
+   #define LTC_ECC_SECP112R1
+   #define LTC_ECC_SECP112R2
+   #define LTC_ECC_SECP128R1
+   #define LTC_ECC_SECP128R2
+   #define LTC_ECC_SECP160R1
+   #define LTC_ECC_SECP160R2
+   #define LTC_ECC_SECP160K1
+   #define LTC_ECC_BRAINPOOLP160R1
+   #define LTC_ECC_SECP192R1
+   #define LTC_ECC_PRIME192V2
+   #define LTC_ECC_PRIME192V3
+   #define LTC_ECC_SECP192K1
+   #define LTC_ECC_BRAINPOOLP192R1
+   #define LTC_ECC_SECP224R1
+   #define LTC_ECC_SECP224K1
+   #define LTC_ECC_BRAINPOOLP224R1
+   #define LTC_ECC_PRIME239V1
+   #define LTC_ECC_PRIME239V2
+   #define LTC_ECC_PRIME239V3
+   #define LTC_ECC_SECP256R1
+   #define LTC_ECC_SECP256K1
+   #define LTC_ECC_BRAINPOOLP256R1
+   #define LTC_ECC_BRAINPOOLP320R1
+   #define LTC_ECC_SECP384R1
+   #define LTC_ECC_BRAINPOOLP384R1
+   #define LTC_ECC_BRAINPOOLP512R1
+   #define LTC_ECC_SECP521R1
+   /* OLD deprecated (but still working) defines */
    #define LTC_ECC112
    #define LTC_ECC128
    #define LTC_ECC160

src/headers/tomcrypt_custom.h

@@ -243,6 +243,14 @@ typedef struct {
    */
    int (*sqr)(void *a, void *b);
 
+   /** Square root (mod prime)
+     @param a    The integer to compute square root mod prime from
+     @param b    The prime
+     @param c    The destination
+     @return CRYPT_OK on success
+   */
+   int (*sqrtmod_prime)(void *a, void *b, void *c);
+
    /** Divide an integer
      @param a    The dividend
      @param b    The divisor
@@ -363,6 +371,7 @@ typedef struct {
        @param k   The integer to multiply the point by
        @param G   The point to multiply
        @param R   The destination for kG
+       @param a   ECC curve parameter a (if NULL we assume a == -3)
        @param modulus  The modulus for the field
        @param map Boolean indicated whether to map back to affine or not
                   (can be ignored if you work in affine only)
@@ -371,32 +380,37 @@ typedef struct {
    int (*ecc_ptmul)(     void *k,
                     ecc_point *G,
                     ecc_point *R,
+                         void *a,
                          void *modulus,
                           int  map);
 
    /** ECC GF(p) point addition
        @param P    The first point
        @param Q    The second point
        @param R    The destination of P + Q
+       @param a    ECC curve parameter a (if NULL we assume a == -3)
        @param modulus  The modulus
        @param mp   The "b" value from montgomery_setup()
        @return CRYPT_OK on success
    */
    int (*ecc_ptadd)(ecc_point *P,
                     ecc_point *Q,
                     ecc_point *R,
+                         void *a,
                          void *modulus,
                          void *mp);
 
    /** ECC GF(p) point double
        @param P    The first point
        @param R    The destination of 2P
+       @param a    ECC curve parameter a (if NULL we assume a == -3)
        @param modulus  The modulus
        @param mp   The "b" value from montgomery_setup()
        @return CRYPT_OK on success
    */
    int (*ecc_ptdbl)(ecc_point *P,
                     ecc_point *R,
+                         void *a,
                          void *modulus,
                          void *mp);
 
@@ -424,6 +438,7 @@ typedef struct {
    int (*ecc_mul2add)(ecc_point *A, void *kA,
                       ecc_point *B, void *kB,
                       ecc_point *C,
+                           void *a,
                            void *modulus);
 
 /* ---- (optional) rsa optimized math (for internal CRT) ---- */
@@ -542,6 +557,7 @@ extern const ltc_math_descriptor gmp_desc;
 #define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
 #define mp_mul_d(a, b, c)            ltc_mp.muli(a, b, c)
 #define mp_sqr(a, b)                 ltc_mp.sqr(a, b)
+#define mp_sqrtmod_prime(a, b, c)    ltc_mp.sqrtmod_prime(a, b, c)
 #define mp_div(a, b, c, d)           ltc_mp.mpdiv(a, b, c, d)
 #define mp_div_2(a, b)               ltc_mp.div_2(a, b)
 #define mp_mod(a, b, c)              ltc_mp.mpdiv(a, b, NULL, c)

src/headers/tomcrypt_math.h

@@ -11,7 +11,8 @@
 
 enum {
    PK_PUBLIC=0,
-   PK_PRIVATE=1
+   PK_PRIVATE=1,
+   PK_PUBLIC_COMPRESSED=2 /* used only when exporting public ECC key */
 };
 
 /* Indicates standard output formats that can be read e.g. by OpenSSL or GnuTLS */
@@ -242,6 +243,9 @@ typedef struct {
    /** The prime that defines the field the curve is in (encoded in hex) */
    char *prime;
 
+   /** The fields A param (hex) */
+   char *A;
+
    /** The fields B param (hex) */
    char *B;
 
@@ -253,6 +257,12 @@ typedef struct {
 
    /** The y co-ordinate of the base point on the curve (hex) */
    char *Gy;
+
+   /** The co-factor */
+   unsigned long cofactor;
+
+   /** The OID stucture */
+   oid_st oid;
 } ltc_ecc_set_type;
 
 /** A point on a ECC curve, stored in Jacbobian format such that (x,y,z) => (x/z^2, y/z^3, 1) when interpretted as affine */
@@ -292,13 +302,19 @@ int  ecc_test(void);
 void ecc_sizes(int *low, int *high);
 int  ecc_get_size(ecc_key *key);
 
+ltc_ecc_set_type* ecc_dp_find_by_oid(unsigned long *oid, unsigned long oidsize);
+ltc_ecc_set_type* ecc_dp_find_by_name(char *curve_name);
+ltc_ecc_set_type* ecc_dp_find_by_params(char *hex_prime, char *hex_A, char *hex_B, char *hex_order, char *hex_Gx, char *hex_Gy, unsigned long cofactor);
+
 int  ecc_make_key(prng_state *prng, int wprng, int keysize, ecc_key *key);
 int  ecc_make_key_ex(prng_state *prng, int wprng, ecc_key *key, const ltc_ecc_set_type *dp);
 void ecc_free(ecc_key *key);
 
 int  ecc_export(unsigned char *out, unsigned long *outlen, int type, ecc_key *key);
 int  ecc_import(const unsigned char *in, unsigned long inlen, ecc_key *key);
 int  ecc_import_ex(const unsigned char *in, unsigned long inlen, ecc_key *key, const ltc_ecc_set_type *dp);
+int  ecc_export_raw(unsigned char *out, unsigned long *outlen, int type, ecc_key *key);
+int  ecc_import_raw(const unsigned char *in, unsigned long inlen, ecc_key *key, ltc_ecc_set_type *dp);
 
 int ecc_ansi_x963_export(ecc_key *key, unsigned char *out, unsigned long *outlen);
 int ecc_ansi_x963_import(const unsigned char *in, unsigned long inlen, ecc_key *key);
@@ -332,23 +348,32 @@ int  ecc_verify_hash(const unsigned char *sig,  unsigned long siglen,
                      const unsigned char *hash, unsigned long hashlen,
                      int *stat, ecc_key *key);
 
+int  ecc_verify_key(ecc_key *key);
+
+#ifdef LTC_SOURCE
+/* INTERNAL ONLY - it should be later moved to src/headers/tomcrypt_internal.h */
+
 /* low level functions */
 ecc_point *ltc_ecc_new_point(void);
 void       ltc_ecc_del_point(ecc_point *p);
 int        ltc_ecc_is_valid_idx(int n);
+int        ltc_ecc_is_point(const ltc_ecc_set_type *dp, void *x, void *y);
+int        ltc_ecc_is_point_at_infinity(ecc_point *p, void *modulus);
+int        ltc_ecc_import_point(const unsigned char *in, unsigned long inlen, void *prime, void *a, void *b, void *x, void *y);
+int        ltc_ecc_export_point(unsigned char *out, unsigned long *outlen, void *x, void *y, unsigned long size, int compressed);
 
 /* point ops (mp == montgomery digit) */
 #if !defined(LTC_MECC_ACCEL) || defined(LTM_DESC) || defined(GMP_DESC)
 /* R = 2P */
-int ltc_ecc_projective_dbl_point(ecc_point *P, ecc_point *R, void *modulus, void *mp);
+int ltc_ecc_projective_dbl_point(ecc_point *P, ecc_point *R, void *a, void *modulus, void *mp);
 
 /* R = P + Q */
-int ltc_ecc_projective_add_point(ecc_point *P, ecc_point *Q, ecc_point *R, void *modulus, void *mp);
+int ltc_ecc_projective_add_point(ecc_point *P, ecc_point *Q, ecc_point *R, void *a, void *modulus, void *mp);
 #endif
 
 #if defined(LTC_MECC_FP)
 /* optimized point multiplication using fixed point cache (HAC algorithm 14.117) */
-int ltc_ecc_fp_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map);
+int ltc_ecc_fp_mulmod(void *k, ecc_point *G, ecc_point *R, void *a, void *modulus, int map);
 
 /* functions for saving/loading/freeing/adding to fixed point cache */
 int ltc_ecc_fp_save_state(unsigned char **out, unsigned long *outlen);
@@ -361,20 +386,23 @@ void ltc_ecc_fp_tablelock(int lock);
 #endif
 
 /* R = kG */
-int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map);
+int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *a, void *modulus, int map);
 
 #ifdef LTC_ECC_SHAMIR
 /* kA*A + kB*B = C */
 int ltc_ecc_mul2add(ecc_point *A, void *kA,
                     ecc_point *B, void *kB,
                     ecc_point *C,
+                         void *a,
                          void *modulus);
 
 #ifdef LTC_MECC_FP
 /* Shamir's trick with optimized point multiplication using fixed point cache */
 int ltc_ecc_fp_mul2add(ecc_point *A, void *kA,
                        ecc_point *B, void *kB,
-                       ecc_point *C, void *modulus);
+                       ecc_point *C,
+                            void *a,
+                            void *modulus);
 #endif
 
 #endif
@@ -383,6 +411,8 @@ int ltc_ecc_fp_mul2add(ecc_point *A, void *kA,
 /* map P to affine from projective */
 int ltc_ecc_map(ecc_point *P, void *modulus, void *mp);
 
+#endif /* LTC_SOURCE */
+
 #endif
 
 #ifdef LTC_MDSA