ECC curves y^2 = x^3 + ax + b

Author: karel-m

.travis.yml

@@ -20,7 +20,7 @@ before_script:
   - curl http://ftp.de.debian.org/debian/pool/main/l/lcov/lcov_1.11.orig.tar.gz | tar xz
   - export PATH=$PATH:`pwd`/lcov-1.11/bin
   - curl -s https://packagecloud.io/install/repositories/libtom/packages/script.deb.sh | sudo bash
-  - sudo apt-get install libtfm-dev=0.13-5
+  - sudo apt-get install libtfm-dev=0.13-5 libtommath-dev=1.0-5
 
 matrix:
   fast_finish: true

demos/timing.c

@@ -947,28 +947,28 @@ static void time_ecc(void)
    unsigned long i, w, x, y, z;
    int           err, stat;
    static unsigned long sizes[] = {
-#ifdef LTC_ECC112
+#ifdef LTC_ECC_SECP112R1
 112/8,
 #endif
-#ifdef LTC_ECC128
+#ifdef LTC_ECC_SECP128R1
 128/8,
 #endif
-#ifdef LTC_ECC160
+#ifdef LTC_ECC_SECP160R1
 160/8,
 #endif
-#ifdef LTC_ECC192
+#ifdef LTC_ECC_SECP192R1
 192/8,
 #endif
-#ifdef LTC_ECC224
+#ifdef LTC_ECC_SECP224R1
 224/8,
 #endif
-#ifdef LTC_ECC256
+#ifdef LTC_ECC_SECP256R1
 256/8,
 #endif
-#ifdef LTC_ECC384
+#ifdef LTC_ECC_SECP384R1
 384/8,
 #endif
-#ifdef LTC_ECC521
+#ifdef LTC_ECC_SECP512R1
 521/8,
 #endif
 100000};

demos/tv_gen.c

@@ -663,7 +663,7 @@ void ecc_gen(void)
 {
    FILE         *out;
    unsigned char str[512];
-   void          *k, *order, *modulus;
+   void          *k, *order, *modulus, *a;
    ecc_point    *G, *R;
    int           x;
 
@@ -674,26 +674,28 @@ void ecc_gen(void)
    mp_init(&k);
    mp_init(&order);
    mp_init(&modulus);
+   mp_init(&a);
 
-   for (x = 0; ltc_ecc_sets[x].size != 0; x++) {
-        fprintf(out, "ECC-%d\n", ltc_ecc_sets[x].size*8);
+   for (x = 0; ltc_ecc_curves[x].prime != NULL; x++) {
+        fprintf(out, "%s\n", ltc_ecc_curves[x].OID);
         mp_set(k, 1);
 
-        mp_read_radix(order,   (char *)ltc_ecc_sets[x].order, 16);
-        mp_read_radix(modulus, (char *)ltc_ecc_sets[x].prime, 16);
-        mp_read_radix(G->x,    (char *)ltc_ecc_sets[x].Gx,    16);
-        mp_read_radix(G->y,    (char *)ltc_ecc_sets[x].Gy,    16);
+        mp_read_radix(order,   (char *)ltc_ecc_curves[x].order, 16);
+        mp_read_radix(modulus, (char *)ltc_ecc_curves[x].prime, 16);
+        mp_read_radix(a,       (char *)ltc_ecc_curves[x].A,     16);
+        mp_read_radix(G->x,    (char *)ltc_ecc_curves[x].Gx,    16);
+        mp_read_radix(G->y,    (char *)ltc_ecc_curves[x].Gy,    16);
         mp_set(G->z, 1);
 
         while (mp_cmp(k, order) == LTC_MP_LT) {
-            ltc_mp.ecc_ptmul(k, G, R, modulus, 1);
+            ltc_mp.ecc_ptmul(k, G, R, a, modulus, 1);
             mp_tohex(k,    (char*)str); fprintf(out, "%s, ", (char*)str);
             mp_tohex(R->x, (char*)str); fprintf(out, "%s, ", (char*)str);
             mp_tohex(R->y, (char*)str); fprintf(out, "%s\n", (char*)str);
             mp_mul_d(k, 3, k);
         }
    }
-   mp_clear_multi(k, order, modulus, NULL);
+   mp_clear_multi(k, order, modulus, a, NULL);
    ltc_ecc_del_point(G);
    ltc_ecc_del_point(R);
    fclose(out);

notes/ecc_tv.txt

@@ -503,14 +503,40 @@
 #ifdef LTC_MECC
 /* Supported ECC Key Sizes */
 #ifndef LTC_NO_CURVES
-   #define LTC_ECC112
-   #define LTC_ECC128
-   #define LTC_ECC160
-   #define LTC_ECC192
-   #define LTC_ECC224
-   #define LTC_ECC256
-   #define LTC_ECC384
-   #define LTC_ECC521
+   #define LTC_ECC_BRAINPOOLP160R1
+   #define LTC_ECC_BRAINPOOLP160T1
+   #define LTC_ECC_BRAINPOOLP192R1
+   #define LTC_ECC_BRAINPOOLP192T1
+   #define LTC_ECC_BRAINPOOLP224R1
+   #define LTC_ECC_BRAINPOOLP224T1
+   #define LTC_ECC_BRAINPOOLP256R1
+   #define LTC_ECC_BRAINPOOLP256T1
+   #define LTC_ECC_BRAINPOOLP320R1
+   #define LTC_ECC_BRAINPOOLP320T1
+   #define LTC_ECC_BRAINPOOLP384R1
+   #define LTC_ECC_BRAINPOOLP384T1
+   #define LTC_ECC_BRAINPOOLP512R1
+   #define LTC_ECC_BRAINPOOLP512T1
+   #define LTC_ECC_PRIME192V2
+   #define LTC_ECC_PRIME192V3
+   #define LTC_ECC_PRIME239V1
+   #define LTC_ECC_PRIME239V2
+   #define LTC_ECC_PRIME239V3
+   #define LTC_ECC_SECP112R1
+   #define LTC_ECC_SECP112R2
+   #define LTC_ECC_SECP128R1
+   #define LTC_ECC_SECP128R2
+   #define LTC_ECC_SECP160K1
+   #define LTC_ECC_SECP160R1
+   #define LTC_ECC_SECP160R2
+   #define LTC_ECC_SECP192K1
+   #define LTC_ECC_SECP192R1
+   #define LTC_ECC_SECP224K1
+   #define LTC_ECC_SECP224R1
+   #define LTC_ECC_SECP256K1
+   #define LTC_ECC_SECP256R1
+   #define LTC_ECC_SECP384R1
+   #define LTC_ECC_SECP521R1
 #endif
 #endif
 
@@ -627,6 +653,40 @@
    #endif
 #endif
 
+/* ECC backwards compatibility */
+#if !defined(LTC_ECC_SECP112R1) && defined(LTC_ECC112)
+#define LTC_ECC_SECP112R1
+#undef LTC_ECC112
+#endif
+#if !defined(LTC_ECC_SECP128R1) && defined(LTC_ECC128)
+#define LTC_ECC_SECP128R1
+#undef LTC_ECC128
+#endif
+#if !defined(LTC_ECC_SECP160R1) && defined(LTC_ECC160)
+#define LTC_ECC_SECP160R1
+#undef LTC_ECC160
+#endif
+#if !defined(LTC_ECC_SECP192R1) && defined(LTC_ECC192)
+#define LTC_ECC_SECP192R1
+#undef LTC_ECC192
+#endif
+#if !defined(LTC_ECC_SECP224R1) && defined(LTC_ECC224)
+#define LTC_ECC_SECP224R1
+#undef LTC_ECC224
+#endif
+#if !defined(LTC_ECC_SECP256R1) && defined(LTC_ECC256)
+#define LTC_ECC_SECP256R1
+#undef LTC_ECC256
+#endif
+#if !defined(LTC_ECC_SECP384R1) && defined(LTC_ECC384)
+#define LTC_ECC_SECP384R1
+#undef LTC_ECC384
+#endif
+#if !defined(LTC_ECC_SECP512R1) && defined(LTC_ECC521)
+#define LTC_ECC_SECP521R1
+#undef LTC_ECC521
+#endif
+
 /* ref:         $Format:%D$ */
 /* git commit:  $Format:%H$ */
 /* commit time: $Format:%ai$ */

src/headers/tomcrypt_custom.h

@@ -246,6 +246,14 @@ typedef struct {
    */
    int (*sqr)(void *a, void *b);
 
+   /** Square root (mod prime)
+     @param a    The integer to compute square root mod prime from
+     @param b    The prime
+     @param c    The destination
+     @return CRYPT_OK on success
+   */
+   int (*sqrtmod_prime)(void *a, void *b, void *c);
+
    /** Divide an integer
      @param a    The dividend
      @param b    The divisor
@@ -366,42 +374,48 @@ typedef struct {
        @param k   The integer to multiply the point by
        @param G   The point to multiply
        @param R   The destination for kG
+       @param a   ECC curve parameter a
        @param modulus  The modulus for the field
        @param map Boolean indicated whether to map back to affine or not
                   (can be ignored if you work in affine only)
        @return CRYPT_OK on success
    */
    int (*ecc_ptmul)(     void *k,
-                    ecc_point *G,
-                    ecc_point *R,
-                         void *modulus,
-                          int  map);
+                    const ecc_point *G,
+                          ecc_point *R,
+                               void *a,
+                               void *modulus,
+                                int  map);
 
    /** ECC GF(p) point addition
        @param P    The first point
        @param Q    The second point
        @param R    The destination of P + Q
+       @param ma   The curve parameter "a" in montgomery form
        @param modulus  The modulus
        @param mp   The "b" value from montgomery_setup()
        @return CRYPT_OK on success
    */
-   int (*ecc_ptadd)(ecc_point *P,
-                    ecc_point *Q,
-                    ecc_point *R,
-                         void *modulus,
-                         void *mp);
+   int (*ecc_ptadd)(const ecc_point *P,
+                    const ecc_point *Q,
+                          ecc_point *R,
+                               void *ma,
+                               void *modulus,
+                               void *mp);
 
    /** ECC GF(p) point double
        @param P    The first point
        @param R    The destination of 2P
+       @param ma   The curve parameter "a" in montgomery form
        @param modulus  The modulus
        @param mp   The "b" value from montgomery_setup()
        @return CRYPT_OK on success
    */
-   int (*ecc_ptdbl)(ecc_point *P,
-                    ecc_point *R,
-                         void *modulus,
-                         void *mp);
+   int (*ecc_ptdbl)(const ecc_point *P,
+                          ecc_point *R,
+                               void *ma,
+                               void *modulus,
+                               void *mp);
 
    /** ECC mapping from projective to affine,
        currently uses (x,y,z) => (x/z^2, y/z^3, 1)
@@ -421,13 +435,15 @@ typedef struct {
        @param B        Second point to multiply
        @param kB       What to multiple B by
        @param C        [out] Destination point (can overlap with A or B)
+       @param ma       The curve parameter "a" in montgomery form
        @param modulus  Modulus for curve
        @return CRYPT_OK on success
    */
-   int (*ecc_mul2add)(ecc_point *A, void *kA,
-                      ecc_point *B, void *kB,
-                      ecc_point *C,
-                           void *modulus);
+   int (*ecc_mul2add)(const ecc_point *A, void *kA,
+                      const ecc_point *B, void *kB,
+                            ecc_point *C,
+                                 void *ma,
+                                 void *modulus);
 
 /* ---- (optional) rsa optimized math (for internal CRT) ---- */
 
@@ -547,6 +563,7 @@ extern const ltc_math_descriptor gmp_desc;
 #define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
 #define mp_mul_d(a, b, c)            ltc_mp.muli(a, b, c)
 #define mp_sqr(a, b)                 ltc_mp.sqr(a, b)
+#define mp_sqrtmod_prime(a, b, c)    ltc_mp.sqrtmod_prime(a, b, c)
 #define mp_div(a, b, c, d)           ltc_mp.mpdiv(a, b, c, d)
 #define mp_div_2(a, b)               ltc_mp.div_2(a, b)
 #define mp_mod(a, b, c)              ltc_mp.mpdiv(a, b, NULL, c)