
ECC enhancements
1 parent ede958b commit eed5bf7


49 files changed

+5148
-556
lines changed

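--- a/demos/test.c
+++ b/demos/test.c
@@ -21,7 +21,7 @@ static const struct {
 LTC_TEST_FN(pkcs_1_eme_test),
 LTC_TEST_FN(rsa_test),
 LTC_TEST_FN(dh_test),
-LTC_TEST_FN(ecc_tests),
+LTC_TEST_FN(ecc_test),
 LTC_TEST_FN(dsa_test),
 LTC_TEST_FN(katja_test),
 };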

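--- a/demos/tv_gen.c
+++ b/demos/tv_gen.c
@@ -747,7 +747,7 @@ void ecc_gen(void)
 {
 FILE *out;
 unsigned char str[512];
-void *k, *order, *modulus;
+void *k, *order, *modulus, *a;
 ecc_point *G, *R;
 int x;
 
@@ -758,26 +758,29 @@ void ecc_gen(void)
 mp_init(&k);
 mp_init(&order);
 mp_init(&modulus);
+mp_init(&a);
 
 for (x = 0; ltc_ecc_sets[x].size != 0; x++) {
-fprintf(out, "ECC-%d\n", ltc_ecc_sets[x].size*8);
+
+fprintf(out, "%s\n", ltc_ecc_sets[x].name);
 mp_set(k, 1);
 
 mp_read_radix(order, (char *)ltc_ecc_sets[x].order, 16);
 mp_read_radix(modulus, (char *)ltc_ecc_sets[x].prime, 16);
+mp_read_radix(a, (char *)ltc_ecc_sets[x].A, 16);
 mp_read_radix(G->x, (char *)ltc_ecc_sets[x].Gx, 16);
 mp_read_radix(G->y, (char *)ltc_ecc_sets[x].Gy, 16);
 mp_set(G->z, 1);
 
 while (mp_cmp(k, order) == LTC_MP_LT) {
-ltc_mp.ecc_ptmul(k, G, R, modulus, 1);
+ltc_mp.ecc_ptmul(k, G, R, a, modulus, 1);
 mp_tohex(k, (char*)str); fprintf(out, "%s, ", (char*)str);
 mp_tohex(R->x, (char*)str); fprintf(out, "%s, ", (char*)str);
 mp_tohex(R->y, (char*)str); fprintf(out, "%s\n", (char*)str);
 mp_mul_d(k, 3, k);
 }
 }
-mp_clear_multi(k, order, modulus, NULL);
+mp_clear_multi(k, order, modulus, a, NULL);
 ltc_ecc_del_point(G);
 ltc_ecc_del_point(R);
 fclose(out);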
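Review bot: The return values of the new `mp_init(&a)` and `mp_read_radix(a, (char *)ltc_ecc_sets[x].A, 16)` calls are ignored, like those around them, so a failed init leaves `a` unusable by the time it reaches `ltc_mp.ecc_ptmul(k, G, R, a, modulus, 1)` and a malformed hex string in the curve table may quietly yield wrong test vectors. For a generator whose output is meant to be authoritative I would fail loudly on the new line at least: `if (mp_read_radix(a, (char *)ltc_ecc_sets[x].A, 16) != CRYPT_OK) { fprintf(stderr, "bad A for %s\n", ltc_ecc_sets[x].name); exit(EXIT_FAILURE); }`. ecc_gen opens in the first hunk, but the code between the two hunks (including whatever assigns `out`) and the function's closing brace lie outside them.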

notes/ecc_tv.txt

Lines changed: 2795 additions & 8 deletions

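--- a/src/headers/tomcrypt_custom.h
+++ b/src/headers/tomcrypt_custom.h
@@ -466,6 +466,34 @@
 #ifdef LTC_MECC
 /* Supported ECC Key Sizes */
 #ifndef LTC_NO_CURVES
+#define LTC_ECC_SECP112R1
+#define LTC_ECC_SECP112R2
+#define LTC_ECC_SECP128R1
+#define LTC_ECC_SECP128R2
+#define LTC_ECC_SECP160R1
+#define LTC_ECC_SECP160R2
+#define LTC_ECC_SECP160K1
+#define LTC_ECC_BRAINPOOLP160R1
+#define LTC_ECC_SECP192R1
+#define LTC_ECC_PRIME192V2
+#define LTC_ECC_PRIME192V3
+#define LTC_ECC_SECP192K1
+#define LTC_ECC_BRAINPOOLP192R1
+#define LTC_ECC_SECP224R1
+#define LTC_ECC_SECP224K1
+#define LTC_ECC_BRAINPOOLP224R1
+#define LTC_ECC_PRIME239V1
+#define LTC_ECC_PRIME239V2
+#define LTC_ECC_PRIME239V3
+#define LTC_ECC_SECP256R1
+#define LTC_ECC_SECP256K1
+#define LTC_ECC_BRAINPOOLP256R1
+#define LTC_ECC_BRAINPOOLP320R1
+#define LTC_ECC_SECP384R1
+#define LTC_ECC_BRAINPOOLP384R1
+#define LTC_ECC_BRAINPOOLP512R1
+#define LTC_ECC_SECP521R1
+/* OLD deprecated (but still working) defines */
 #define LTC_ECC112
 #define LTC_ECC128
 #define LTC_ECC160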
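Review bot: Every curve in the new list, including SECP112R1/R2, SECP128R1/R2 and the 160-bit curves, is switched on by default under `#ifndef LTC_NO_CURVES`, and a 112- or 128-bit prime field gives only about 56-64 bits of security, so any code path that accepts a curve by matching its parameters now accepts these too. Since each curve now has its own define, the place to say so is right here, e.g. `/* 112/128/160-bit curves are well below current security margins; keep them only for legacy interop and consider leaving them undefined in production builds */` above `#define LTC_ECC_SECP112R1`. The retained `LTC_ECC112`/`LTC_ECC128`/... defines are only described as deprecated but still working; a short comment stating which new curve define each one now corresponds to would let integrators migrate without reading the curve table, and the heading `/* Supported ECC Key Sizes */` now sits above named curves rather than sizes and could read `/* Supported ECC curves */`.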

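--- a/src/headers/tomcrypt_math.h
+++ b/src/headers/tomcrypt_math.h
@@ -218,6 +218,14 @@ typedef struct {
 */
 int (*sqr)(void *a, void *b);
 
+/** Square root (mod prime)
+@param a The integer to compute square root mod prime from
+@param b The prime
+@param c The destination
+@return CRYPT_OK on success
+*/
+int (*sqrtmod_prime)(void *a, void *b, void *c);
+
 /** Divide an integer
 @param a The dividend
 @param b The divisor
@@ -338,30 +346,33 @@ typedef struct {
 @param k The integer to multiply the point by
 @param G The point to multiply
 @param R The destination for kG
+@param a ECC curve parameter a (if NULL we assume a == -3)
 @param modulus The modulus for the field
 @param map Boolean indicated whether to map back to affine or not (can be ignored if you work in affine only)
 @return CRYPT_OK on success
 */
-int (*ecc_ptmul)(void *k, ecc_point *G, ecc_point *R, void *modulus, int map);
+int (*ecc_ptmul)(void *k, ecc_point *G, ecc_point *R, void *a, void *modulus, int map);
 
 /** ECC GF(p) point addition
 @param P The first point
 @param Q The second point
 @param R The destination of P + Q
+@param a ECC curve parameter a (if NULL we assume a == -3)
 @param modulus The modulus
 @param mp The "b" value from montgomery_setup()
 @return CRYPT_OK on success
 */
-int (*ecc_ptadd)(ecc_point *P, ecc_point *Q, ecc_point *R, void *modulus, void *mp);
+int (*ecc_ptadd)(ecc_point *P, ecc_point *Q, ecc_point *R, void *a, void *modulus, void *mp);
 
 /** ECC GF(p) point double
 @param P The first point
 @param R The destination of 2P
+@param a ECC curve parameter a (if NULL we assume a == -3)
 @param modulus The modulus
 @param mp The "b" value from montgomery_setup()
 @return CRYPT_OK on success
 */
-int (*ecc_ptdbl)(ecc_point *P, ecc_point *R, void *modulus, void *mp);
+int (*ecc_ptdbl)(ecc_point *P, ecc_point *R, void *a, void *modulus, void *mp);
 
 /** ECC mapping from projective to affine, currently uses (x,y,z) => (x/z^2, y/z^3, 1)
 @param P The point to map
@@ -385,6 +396,7 @@ typedef struct {
 int (*ecc_mul2add)(ecc_point *A, void *kA,
 ecc_point *B, void *kB,
 ecc_point *C,
+void *a,
 void *modulus);
 
 /* ---- (optional) rsa optimized math (for internal CRT) ---- */
@@ -498,6 +510,7 @@ extern const ltc_math_descriptor gmp_desc;
 #define mp_mul(a, b, c) ltc_mp.mul(a, b, c)
 #define mp_mul_d(a, b, c) ltc_mp.muli(a, b, c)
 #define mp_sqr(a, b) ltc_mp.sqr(a, b)
+#define mp_sqrtmod_prime(a, b, c) ltc_mp.sqrtmod_prime(a, b, c)
 #define mp_div(a, b, c, d) ltc_mp.mpdiv(a, b, c, d)
 #define mp_div_2(a, b) ltc_mp.div_2(a, b)
 #define mp_mod(a, b, c) ltc_mp.mpdiv(a, b, NULL, c)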
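Review bot: The new `sqrtmod_prime` member is inserted in the middle of `ltc_math_descriptor`, directly after `sqr`, and the descriptors in this commit are initialised positionally (`&sqr, &sqrtmod_prime, &divide, ...`), so any descriptor not updated in the same change, such as an out-of-tree one, would have every later callback bound one slot off, with `divide` invoked where a square root is expected and no compiler diagnostic to show for it. Appending the member at the end of the struct, or at least calling out the layout break where descriptors are documented, would make that failure loud instead of silent. The `sqrtmod_prime` doc comment should also say what is returned when `a` has no square root mod `b` (the case point decompression has to detect) and that `b` must be an odd prime, e.g. `@return CRYPT_OK on success, an error if no square root exists`; and while `ecc_ptmul`/`ecc_ptadd`/`ecc_ptdbl` now document that a NULL `a` means -3, the `ecc_mul2add` entry gained the parameter without that line.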

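--- a/src/math/fp/ltc_ecc_fp_mulmod.c
+++ b/src/math/fp/ltc_ecc_fp_mulmod.c
@@ -670,7 +670,7 @@ static int add_entry(int idx, ecc_point *g)
 * The algorithm builds patterns in increasing bit order by first making all
 * single bit input patterns, then all two bit input patterns and so on
 */
-static int build_lut(int idx, void *modulus, void *mp, void *mu)
+static int build_lut(int idx, void *a, void *modulus, void *mp, void *mu)
 {
 unsigned x, y, err, bitlen, lut_gap;
 void *tmp;
@@ -709,7 +709,7 @@ static int build_lut(int idx, void *modulus, void *mp, void *mu)
 
 /* now double it bitlen/FP_LUT times */
 for (y = 0; y < lut_gap; y++) {
-if ((err = ltc_mp.ecc_ptdbl(fp_cache[idx].LUT[1<<x], fp_cache[idx].LUT[1<<x], modulus, mp)) != CRYPT_OK) {
+if ((err = ltc_mp.ecc_ptdbl(fp_cache[idx].LUT[1<<x], fp_cache[idx].LUT[1<<x], a, modulus, mp)) != CRYPT_OK) {
 goto ERR;
 }
 }
@@ -722,7 +722,7 @@ static int build_lut(int idx, void *modulus, void *mp, void *mu)
 
 /* perform the add */
 if ((err = ltc_mp.ecc_ptadd(fp_cache[idx].LUT[lut_orders[y].terma], fp_cache[idx].LUT[lut_orders[y].termb],
-fp_cache[idx].LUT[y], modulus, mp)) != CRYPT_OK) {
+fp_cache[idx].LUT[y], a, modulus, mp)) != CRYPT_OK) {
 goto ERR;
 }
 }
@@ -777,7 +777,7 @@ static int build_lut(int idx, void *modulus, void *mp, void *mu)
 }
 
 /* perform a fixed point ECC mulmod */
-static int accel_fp_mul(int idx, void *k, ecc_point *R, void *modulus, void *mp, int map)
+static int accel_fp_mul(int idx, void *k, ecc_point *R, void *a, void *modulus, void *mp, int map)
 {
 unsigned char kb[128];
 int x;
@@ -870,14 +870,14 @@ static int accel_fp_mul(int idx, void *k, ecc_point *R, void *modulus, void *mp,
 
 /* double if not first */
 if (!first) {
-if ((err = ltc_mp.ecc_ptdbl(R, R, modulus, mp)) != CRYPT_OK) {
+if ((err = ltc_mp.ecc_ptdbl(R, R, a, modulus, mp)) != CRYPT_OK) {
 return err;
 }
 }
 
 /* add if not first, otherwise copy */
 if (!first && z) {
-if ((err = ltc_mp.ecc_ptadd(R, fp_cache[idx].LUT[z], R, modulus, mp)) != CRYPT_OK) {
+if ((err = ltc_mp.ecc_ptadd(R, fp_cache[idx].LUT[z], R, a, modulus, mp)) != CRYPT_OK) {
 return err;
 }
 } else if (z) {
@@ -902,7 +902,7 @@ static int accel_fp_mul(int idx, void *k, ecc_point *R, void *modulus, void *mp,
 /* perform a fixed point ECC mulmod */
 static int accel_fp_mul2add(int idx1, int idx2,
 void *kA, void *kB,
-ecc_point *R, void *modulus, void *mp)
+ecc_point *R, void *a, void *modulus, void *mp)
 {
 unsigned char kb[2][128];
 int x;
@@ -1058,20 +1058,20 @@ static int accel_fp_mul2add(int idx1, int idx2,
 
 /* double if not first */
 if (!first) {
-if ((err = ltc_mp.ecc_ptdbl(R, R, modulus, mp)) != CRYPT_OK) {
+if ((err = ltc_mp.ecc_ptdbl(R, R, a, modulus, mp)) != CRYPT_OK) {
 return err;
 }
 }
 
 /* add if not first, otherwise copy */
 if (!first) {
 if (zA) {
-if ((err = ltc_mp.ecc_ptadd(R, fp_cache[idx1].LUT[zA], R, modulus, mp)) != CRYPT_OK) {
+if ((err = ltc_mp.ecc_ptadd(R, fp_cache[idx1].LUT[zA], R, a, modulus, mp)) != CRYPT_OK) {
 return err;
 }
 }
 if (zB) {
-if ((err = ltc_mp.ecc_ptadd(R, fp_cache[idx2].LUT[zB], R, modulus, mp)) != CRYPT_OK) {
+if ((err = ltc_mp.ecc_ptadd(R, fp_cache[idx2].LUT[zB], R, a, modulus, mp)) != CRYPT_OK) {
 return err;
 }
 }
@@ -1084,7 +1084,7 @@ static int accel_fp_mul2add(int idx1, int idx2,
 }
 if (zB && first == 0) {
 if (zB) {
-if ((err = ltc_mp.ecc_ptadd(R, fp_cache[idx2].LUT[zB], R, modulus, mp)) != CRYPT_OK) {
+if ((err = ltc_mp.ecc_ptadd(R, fp_cache[idx2].LUT[zB], R, a, modulus, mp)) != CRYPT_OK) {
 return err;
 }
 }
@@ -1112,7 +1112,9 @@ static int accel_fp_mul2add(int idx1, int idx2,
 */
 int ltc_ecc_fp_mul2add(ecc_point *A, void *kA,
 ecc_point *B, void *kB,
-ecc_point *C, void *modulus)
+ecc_point *C,
+void *a,
+void *modulus)
 {
 int idx1, idx2, err;
 void *mp, *mu;
@@ -1168,7 +1170,7 @@ int ltc_ecc_fp_mul2add(ecc_point *A, void *kA,
 }
 
 /* build the LUT */
-if ((err = build_lut(idx1, modulus, mp, mu)) != CRYPT_OK) {
+if ((err = build_lut(idx1, a, modulus, mp, mu)) != CRYPT_OK) {
 goto LBL_ERR;;
 }
 }
@@ -1189,7 +1191,7 @@ int ltc_ecc_fp_mul2add(ecc_point *A, void *kA,
 }
 
 /* build the LUT */
-if ((err = build_lut(idx2, modulus, mp, mu)) != CRYPT_OK) {
+if ((err = build_lut(idx2, a, modulus, mp, mu)) != CRYPT_OK) {
 goto LBL_ERR;;
 }
 }
@@ -1200,9 +1202,9 @@ int ltc_ecc_fp_mul2add(ecc_point *A, void *kA,
 /* compute mp */
 if ((err = mp_montgomery_setup(modulus, &mp)) != CRYPT_OK) { goto LBL_ERR; }
 }
-err = accel_fp_mul2add(idx1, idx2, kA, kB, C, modulus, mp);
+err = accel_fp_mul2add(idx1, idx2, kA, kB, C, a, modulus, mp);
 } else {
-err = ltc_ecc_mul2add(A, kA, B, kB, C, modulus);
+err = ltc_ecc_mul2add(A, kA, B, kB, C, a, modulus);
 }
 LBL_ERR:
 LTC_MUTEX_UNLOCK(&ltc_ecc_fp_lock);
@@ -1220,11 +1222,12 @@ int ltc_ecc_fp_mul2add(ecc_point *A, void *kA,
 @param k The multiplicand
 @param G Base point to multiply
 @param R [out] Destination of product
+@param a ECC curve parameter a
 @param modulus The modulus for the curve
 @param map [boolean] If non-zero maps the point back to affine co-ordinates, otherwise it's left in jacobian-montgomery form
 @return CRYPT_OK if successful
 */
-int ltc_ecc_fp_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map)
+int ltc_ecc_fp_mulmod(void *k, ecc_point *G, ecc_point *R, void *a, void *modulus, int map)
 {
 int idx, err;
 void *mp, *mu;
@@ -1266,7 +1269,7 @@ int ltc_ecc_fp_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int ma
 }
 
 /* build the LUT */
-if ((err = build_lut(idx, modulus, mp, mu)) != CRYPT_OK) {
+if ((err = build_lut(idx, a, modulus, mp, mu)) != CRYPT_OK) {
 goto LBL_ERR;;
 }
 }
@@ -1276,9 +1279,9 @@ int ltc_ecc_fp_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int ma
 /* compute mp */
 if ((err = mp_montgomery_setup(modulus, &mp)) != CRYPT_OK) { goto LBL_ERR; }
 }
-err = accel_fp_mul(idx, k, R, modulus, mp, map);
+err = accel_fp_mul(idx, k, R, a, modulus, mp, map);
 } else {
-err = ltc_ecc_mulmod(k, G, R, modulus, map);
+err = ltc_ecc_mulmod(k, G, R, a, modulus, map);
 }
 LBL_ERR:
 LTC_MUTEX_UNLOCK(&ltc_ecc_fp_lock);
@@ -1365,7 +1368,7 @@ ltc_ecc_fp_add_point(ecc_point *g, void *modulus, int lock)
 }
 
 /* build the LUT */
-if ((err = build_lut(idx, modulus, mp, mu)) != CRYPT_OK) {
+if ((err = build_lut(idx, a, modulus, mp, mu)) != CRYPT_OK) {
 goto LBL_ERR;
 }
 fp_cache[idx].lru_count = 2;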
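Review bot: In the last hunk `build_lut(idx, a, modulus, mp, mu)` is called from `ltc_ecc_fp_add_point`, whose signature in the hunk header is still `(ecc_point *g, void *modulus, int lock)` with no `a`; unless an `a` is declared in the part of the body above the hunk, this is an undeclared identifier, and if it instead resolves to some file-scope `a` the cached LUT for that point would be built with the wrong curve parameter and every later fixed-point multiplication through it would be silently wrong. The fix is to thread the curve parameter through as the other entry points in this file now do, `ltc_ecc_fp_add_point(ecc_point *g, void *a, void *modulus, int lock)`, and update its prototype and callers to match. The body of that function starts and ends outside the hunk, so whether an `a` exists there cannot be confirmed from this page.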

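--- a/src/math/gmp_desc.c
+++ b/src/math/gmp_desc.c
@@ -288,6 +288,16 @@ static int sqr(void *a, void *b)
 return CRYPT_OK;
 }
 
+/* sqrtmod_prime */
+static int sqrtmod_prime(void *a, void *b, void *c)
+{
+LTC_ARGCHK(a != NULL);
+LTC_ARGCHK(b != NULL);
+LTC_ARGCHK(c != NULL);
+fprintf(stderr, "GMP does not support sqrtmod_prime\n"); /* XXX-FIXME */
+return CRYPT_ERROR;
+}
+
 /* div */
 static int divide(void *a, void *b, void *c, void *d)
 {
@@ -495,6 +505,7 @@ const ltc_math_descriptor gmp_desc = {
 &mul,
 &muli,
 &sqr,
+&sqrtmod_prime,
 &divide,
 &div_2,
 &modi,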
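Review bot: The new `sqrtmod_prime` stub writes to stderr from inside a library (`fprintf(stderr, "GMP does not support sqrtmod_prime\n")`) and then returns the generic `CRYPT_ERROR`, so an application built on the GMP descriptor gets console output it cannot suppress and no error code that distinguishes "unsupported" from any other failure. I would drop the `fprintf`, keep the error return, and put the limitation in the comment instead: `/* not implemented for GMP: a modular square root is needed wherever the library decompresses points; a Tonelli-Shanks built on mpz_powm would fill this in */`. If the error enum has a more specific value for an unsupported operation it should be returned in place of `CRYPT_ERROR`.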

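--- a/src/math/ltm_desc.c
+++ b/src/math/ltm_desc.c
@@ -259,6 +259,15 @@ static int sqr(void *a, void *b)
 return mpi_to_ltc_error(mp_sqr(a, b));
 }
 
+/* sqrtmod_prime */
+static int sqrtmod_prime(void *a, void *b, void *c)
+{
+LTC_ARGCHK(a != NULL);
+LTC_ARGCHK(b != NULL);
+LTC_ARGCHK(c != NULL);
+return mpi_to_ltc_error(mp_sqrtmod_prime(a, b, c));
+}
+
 /* div */
 static int divide(void *a, void *b, void *c, void *d)
 {
@@ -454,6 +463,7 @@ const ltc_math_descriptor ltm_desc = {
 &mul,
 &muli,
 &sqr,
+&sqrtmod_prime,
 &divide,
 &div_2,
 &modi,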
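Review bot: The new wrapper makes the build depend on libtommath exporting `mp_sqrtmod_prime`, which older libtommath releases do not provide, so linking against such a version fails with nothing pointing at this commit as the cause; the header hunk in the same commit also adds a `mp_sqrtmod_prime` macro that expands to `ltc_mp.sqrtmod_prime`, which must be kept out of this file the same way it evidently is for the `mp_sqr` call just above, or the wrapper would call itself through the descriptor. A one-line comment above the function would save the next person that investigation: `/* requires a libtommath release that provides mp_sqrtmod_prime */`. Documenting the minimum libtommath version in the build notes alongside this change would be the supply-chain-friendly complement.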

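--- a/src/math/rand_bn.c
+++ b/src/math/rand_bn.c
@@ -9,7 +9,7 @@
 */
 #include "tomcrypt.h"
 
-#ifdef LTC_MDSA
+#if defined(LTC_MDSA) || defined(LTC_MECC)
 /**
 Generate a random number N with given bitlength (note: MSB can be 0)
 */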
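Review bot: The widened guard now compiles the function below (its definition lies outside the hunk) for ECC builds, but its contract, `Generate a random number N with given bitlength (note: MSB can be 0)`, describes a value in [0, 2^bits) and not a scalar in [1, order-1]; any ECC caller that draws private keys or nonces from it must still reject zero and anything at or above the group order, or reduce and retry, and that is worth stating in the comment, e.g. `NOTE: not uniform modulo a group order; ECC callers must range-check the result against the curve order`. Whatever header declares this function should carry the same `defined(LTC_MDSA) || defined(LTC_MECC)` condition, otherwise an ECC-only build gets a definition without a prototype or the reverse.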
