ECC curves y^2 = x^3 + ax + b

Author: karel-m

.travis.yml

@@ -13,14 +13,13 @@ addons:
 
 install:
     - sudo apt-get update -qq
-    - sudo apt-get install libtommath-dev
 
 before_script:
   - gem install coveralls-lcov
   - curl http://ftp.de.debian.org/debian/pool/main/l/lcov/lcov_1.11.orig.tar.gz | tar xz
   - export PATH=$PATH:`pwd`/lcov-1.11/bin
   - curl -s https://packagecloud.io/install/repositories/libtom/packages/script.deb.sh | sudo bash
-  - sudo apt-get install libtfm-dev=0.13-5
+  - sudo apt-get install libtfm-dev=0.13-5 libtommath-dev=1.0-5
 
 matrix:
   fast_finish: true

demos/tv_gen.c

@@ -642,7 +642,7 @@ void ecc_gen(void)
 {
    FILE         *out;
    unsigned char str[512];
-   void          *k, *order, *modulus;
+   void          *k, *order, *modulus, *a;
    ecc_point    *G, *R;
    int           x;
 
@@ -653,26 +653,29 @@ void ecc_gen(void)
    mp_init(&k);
    mp_init(&order);
    mp_init(&modulus);
+   mp_init(&a);
 
    for (x = 0; ltc_ecc_sets[x].size != 0; x++) {
-        fprintf(out, "ECC-%d\n", ltc_ecc_sets[x].size*8);
+
+        fprintf(out, "%s\n", ltc_ecc_sets[x].name);
         mp_set(k, 1);
 
         mp_read_radix(order,   (char *)ltc_ecc_sets[x].order, 16);
         mp_read_radix(modulus, (char *)ltc_ecc_sets[x].prime, 16);
+        mp_read_radix(a,       (char *)ltc_ecc_sets[x].A,     16);
         mp_read_radix(G->x,    (char *)ltc_ecc_sets[x].Gx,    16);
         mp_read_radix(G->y,    (char *)ltc_ecc_sets[x].Gy,    16);
         mp_set(G->z, 1);
 
         while (mp_cmp(k, order) == LTC_MP_LT) {
-            ltc_mp.ecc_ptmul(k, G, R, modulus, 1);
+            ltc_mp.ecc_ptmul(k, G, R, a, modulus, 1);
             mp_tohex(k,    (char*)str); fprintf(out, "%s, ", (char*)str);
             mp_tohex(R->x, (char*)str); fprintf(out, "%s, ", (char*)str);
             mp_tohex(R->y, (char*)str); fprintf(out, "%s\n", (char*)str);
             mp_mul_d(k, 3, k);
         }
    }
-   mp_clear_multi(k, order, modulus, NULL);
+   mp_clear_multi(k, order, modulus, a, NULL);
    ltc_ecc_del_point(G);
    ltc_ecc_del_point(R);
    fclose(out);

notes/ecc_tv.txt

@@ -461,6 +461,34 @@
 #ifdef LTC_MECC
 /* Supported ECC Key Sizes */
 #ifndef LTC_NO_CURVES
+   #define LTC_ECC_SECP112R1
+   #define LTC_ECC_SECP112R2
+   #define LTC_ECC_SECP128R1
+   #define LTC_ECC_SECP128R2
+   #define LTC_ECC_SECP160R1
+   #define LTC_ECC_SECP160R2
+   #define LTC_ECC_SECP160K1
+   #define LTC_ECC_BRAINPOOLP160R1
+   #define LTC_ECC_SECP192R1
+   #define LTC_ECC_PRIME192V2
+   #define LTC_ECC_PRIME192V3
+   #define LTC_ECC_SECP192K1
+   #define LTC_ECC_BRAINPOOLP192R1
+   #define LTC_ECC_SECP224R1
+   #define LTC_ECC_SECP224K1
+   #define LTC_ECC_BRAINPOOLP224R1
+   #define LTC_ECC_PRIME239V1
+   #define LTC_ECC_PRIME239V2
+   #define LTC_ECC_PRIME239V3
+   #define LTC_ECC_SECP256R1
+   #define LTC_ECC_SECP256K1
+   #define LTC_ECC_BRAINPOOLP256R1
+   #define LTC_ECC_BRAINPOOLP320R1
+   #define LTC_ECC_SECP384R1
+   #define LTC_ECC_BRAINPOOLP384R1
+   #define LTC_ECC_BRAINPOOLP512R1
+   #define LTC_ECC_SECP521R1
+   /* OLD deprecated (but still working) defines */
    #define LTC_ECC112
    #define LTC_ECC128
    #define LTC_ECC160

src/headers/tomcrypt_custom.h

@@ -246,6 +246,14 @@ typedef struct {
    */
    int (*sqr)(void *a, void *b);
 
+   /** Square root (mod prime)
+     @param a    The integer to compute square root mod prime from
+     @param b    The prime
+     @param c    The destination
+     @return CRYPT_OK on success
+   */
+   int (*sqrtmod_prime)(void *a, void *b, void *c);
+
    /** Divide an integer
      @param a    The dividend
      @param b    The divisor
@@ -366,42 +374,48 @@ typedef struct {
        @param k   The integer to multiply the point by
        @param G   The point to multiply
        @param R   The destination for kG
+       @param a   ECC curve parameter a (if NULL we assume a == -3)
        @param modulus  The modulus for the field
        @param map Boolean indicated whether to map back to affine or not
                   (can be ignored if you work in affine only)
        @return CRYPT_OK on success
    */
    int (*ecc_ptmul)(     void *k,
-                    ecc_point *G,
-                    ecc_point *R,
-                         void *modulus,
-                          int  map);
+                    const ecc_point *G,
+                          ecc_point *R,
+                               void *a,
+                               void *modulus,
+                                int  map);
 
    /** ECC GF(p) point addition
        @param P    The first point
        @param Q    The second point
        @param R    The destination of P + Q
+       @param a    ECC curve parameter a (if NULL we assume a == -3)
        @param modulus  The modulus
        @param mp   The "b" value from montgomery_setup()
        @return CRYPT_OK on success
    */
-   int (*ecc_ptadd)(ecc_point *P,
-                    ecc_point *Q,
-                    ecc_point *R,
-                         void *modulus,
-                         void *mp);
+   int (*ecc_ptadd)(const ecc_point *P,
+                    const ecc_point *Q,
+                          ecc_point *R,
+                               void *a,
+                               void *modulus,
+                               void *mp);
 
    /** ECC GF(p) point double
        @param P    The first point
        @param R    The destination of 2P
+       @param a    ECC curve parameter a (if NULL we assume a == -3)
        @param modulus  The modulus
        @param mp   The "b" value from montgomery_setup()
        @return CRYPT_OK on success
    */
-   int (*ecc_ptdbl)(ecc_point *P,
-                    ecc_point *R,
-                         void *modulus,
-                         void *mp);
+   int (*ecc_ptdbl)(const ecc_point *P,
+                          ecc_point *R,
+                               void *a,
+                               void *modulus,
+                               void *mp);
 
    /** ECC mapping from projective to affine,
        currently uses (x,y,z) => (x/z^2, y/z^3, 1)
@@ -424,10 +438,11 @@ typedef struct {
        @param modulus  Modulus for curve
        @return CRYPT_OK on success
    */
-   int (*ecc_mul2add)(ecc_point *A, void *kA,
-                      ecc_point *B, void *kB,
-                      ecc_point *C,
-                           void *modulus);
+   int (*ecc_mul2add)(const ecc_point *A, void *kA,
+                      const ecc_point *B, void *kB,
+                            ecc_point *C,
+                                 void *a,
+                                 void *modulus);
 
 /* ---- (optional) rsa optimized math (for internal CRT) ---- */
 
@@ -547,6 +562,7 @@ extern const ltc_math_descriptor gmp_desc;
 #define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
 #define mp_mul_d(a, b, c)            ltc_mp.muli(a, b, c)
 #define mp_sqr(a, b)                 ltc_mp.sqr(a, b)
+#define mp_sqrtmod_prime(a, b, c)    ltc_mp.sqrtmod_prime(a, b, c)
 #define mp_div(a, b, c, d)           ltc_mp.mpdiv(a, b, c, d)
 #define mp_div_2(a, b)               ltc_mp.div_2(a, b)
 #define mp_mod(a, b, c)              ltc_mp.mpdiv(a, b, NULL, c)

src/headers/tomcrypt_math.h

@@ -11,7 +11,8 @@
 
 enum {
    PK_PUBLIC=0,
-   PK_PRIVATE=1
+   PK_PRIVATE=1,
+   PK_PUBLIC_COMPRESSED=2 /* used only when exporting public ECC key */
 };
 
 /* Indicates standard output formats that can be read e.g. by OpenSSL or GnuTLS */
@@ -248,7 +249,7 @@ int dh_check_pubkey(dh_key *key);
 /* max private key size */
 #define ECC_MAXSIZE  66
 
-/** Structure defines a NIST GF(p) curve */
+/** Structure defines a GF(p) curve */
 typedef struct {
    /** The size of the curve in octets */
    int size;
@@ -259,6 +260,9 @@ typedef struct {
    /** The prime that defines the field the curve is in (encoded in hex) */
    const char *prime;
 
+   /** The fields A param (hex) */
+   const char *A;
+
    /** The fields B param (hex) */
    const char *B;
 
@@ -270,6 +274,12 @@ typedef struct {
 
    /** The y co-ordinate of the base point on the curve (hex) */
    const char *Gy;
+
+   /** The co-factor */
+   unsigned long cofactor;
+
+   /** The OID stucture */
+   oid_st oid;
 } ltc_ecc_set_type;
 
 /** A point on a ECC curve, stored in Jacbobian format such that (x,y,z) => (x/z^2, y/z^3, 1) when interpretted as affine */
@@ -284,18 +294,35 @@ typedef struct {
     void *z;
 } ecc_point;
 
+/** ECC key's domain parameters */
+typedef struct {
+   /** The size of the curve in octets */
+   int size;
+   /** The prime that defines the field the curve is in */
+   void *prime;
+   /** The fields A param */
+   void *A;
+   /** The fields B param */
+   void *B;
+   /** The order of the curve */
+   void *order;
+   /** The base point G on the curve */
+   ecc_point base;
+   /** The co-factor */
+   unsigned long cofactor;
+   /** The OID structure */
+   oid_st oid;
+} ltc_ecc_dp;
+
 /** An ECC key */
 typedef struct {
     /** Type of key, PK_PRIVATE or PK_PUBLIC */
     int type;
 
-    /** Index into the ltc_ecc_sets[] for the parameters of this curve; if -1, then this key is using user supplied curve in dp */
-    int idx;
-
-    /** pointer to domain parameters; either points to NIST curves (identified by idx >= 0) or user supplied curve */
-    const ltc_ecc_set_type *dp;
+    /** Structure with domain parameters */
+    ltc_ecc_dp dp;
 
-    /** The public key */
+    /** Structure with the public key */
     ecc_point pubkey;
 
     /** The private key */
@@ -309,6 +336,12 @@ int  ecc_test(void);
 void ecc_sizes(int *low, int *high);
 int  ecc_get_size(ecc_key *key);
 
+int  ecc_get_set_by_name(const char* name, const ltc_ecc_set_type** dp);
+int  ecc_set_dp(const ltc_ecc_set_type *set, ecc_key *key);
+int  ecc_generate_key(prng_state *prng, int wprng, ecc_key *key);
+int  ecc_set_key(const unsigned char *in, unsigned long inlen, int type, ecc_key *key);
+int  ecc_get_key(unsigned char *out, unsigned long *outlen, int type, ecc_key *key);
+
 int  ecc_make_key(prng_state *prng, int wprng, int keysize, ecc_key *key);
 int  ecc_make_key_ex(prng_state *prng, int wprng, ecc_key *key, const ltc_ecc_set_type *dp);
 void ecc_free(ecc_key *key);
@@ -319,7 +352,7 @@ int  ecc_import_ex(const unsigned char *in, unsigned long inlen, ecc_key *key, c
 
 int ecc_ansi_x963_export(ecc_key *key, unsigned char *out, unsigned long *outlen);
 int ecc_ansi_x963_import(const unsigned char *in, unsigned long inlen, ecc_key *key);
-int ecc_ansi_x963_import_ex(const unsigned char *in, unsigned long inlen, ecc_key *key, ltc_ecc_set_type *dp);
+int ecc_ansi_x963_import_ex(const unsigned char *in, unsigned long inlen, ecc_key *key, const ltc_ecc_set_type *dp);
 
 int  ecc_shared_secret(ecc_key *private_key, ecc_key *public_key,
                        unsigned char *out, unsigned long *outlen);
@@ -349,23 +382,36 @@ int  ecc_verify_hash(const unsigned char *sig,  unsigned long siglen,
                      const unsigned char *hash, unsigned long hashlen,
                      int *stat, ecc_key *key);
 
+
+#ifdef LTC_SOURCE
+/* INTERNAL ONLY - it should be later moved to src/headers/tomcrypt_internal.h */
+
+int ecc_set_dp_bn(void *a, void *b, void *prime, void *order, void *gx, void *gy, unsigned long cofactor, ecc_key *key);
+int ecc_set_dp_oid(unsigned long *oid, unsigned long oidsize, ecc_key *key);
+int ecc_set_dp_copy(ecc_key *srckey, ecc_key *key);
+int ecc_set_dp_size(int size, ecc_key *key);
+
 /* low level functions */
 ecc_point *ltc_ecc_new_point(void);
 void       ltc_ecc_del_point(ecc_point *p);
-int        ltc_ecc_is_valid_idx(int n);
+int        ltc_ecc_is_point(const ltc_ecc_dp *dp, void *x, void *y);
+int        ltc_ecc_is_point_at_infinity(const ecc_point *p, void *modulus);
+int        ltc_ecc_import_point(const unsigned char *in, unsigned long inlen, void *prime, void *a, void *b, void *x, void *y);
+int        ltc_ecc_export_point(unsigned char *out, unsigned long *outlen, void *x, void *y, unsigned long size, int compressed);
+int        ltc_ecc_verify_key(ecc_key *key);
 
 /* point ops (mp == montgomery digit) */
 #if !defined(LTC_MECC_ACCEL) || defined(LTM_DESC) || defined(GMP_DESC)
 /* R = 2P */
-int ltc_ecc_projective_dbl_point(ecc_point *P, ecc_point *R, void *modulus, void *mp);
+int ltc_ecc_projective_dbl_point(const ecc_point *P, ecc_point *R, void *a, void *modulus, void *mp);
 
 /* R = P + Q */
-int ltc_ecc_projective_add_point(ecc_point *P, ecc_point *Q, ecc_point *R, void *modulus, void *mp);
+int ltc_ecc_projective_add_point(const ecc_point *P, const ecc_point *Q, ecc_point *R, void *a, void *modulus, void *mp);
 #endif
 
 #if defined(LTC_MECC_FP)
 /* optimized point multiplication using fixed point cache (HAC algorithm 14.117) */
-int ltc_ecc_fp_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map);
+int ltc_ecc_fp_mulmod(void *k, ecc_point *G, ecc_point *R, void *a, void *modulus, int map);
 
 /* functions for saving/loading/freeing/adding to fixed point cache */
 int ltc_ecc_fp_save_state(unsigned char **out, unsigned long *outlen);
@@ -378,20 +424,23 @@ void ltc_ecc_fp_tablelock(int lock);
 #endif
 
 /* R = kG */
-int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map);
+int ltc_ecc_mulmod(void *k, const ecc_point *G, ecc_point *R, void *a, void *modulus, int map);
 
 #ifdef LTC_ECC_SHAMIR
 /* kA*A + kB*B = C */
-int ltc_ecc_mul2add(ecc_point *A, void *kA,
-                    ecc_point *B, void *kB,
-                    ecc_point *C,
-                         void *modulus);
+int ltc_ecc_mul2add(const ecc_point *A, void *kA,
+                    const ecc_point *B, void *kB,
+                          ecc_point *C,
+                               void *a,
+                               void *modulus);
 
 #ifdef LTC_MECC_FP
 /* Shamir's trick with optimized point multiplication using fixed point cache */
-int ltc_ecc_fp_mul2add(ecc_point *A, void *kA,
-                       ecc_point *B, void *kB,
-                       ecc_point *C, void *modulus);
+int ltc_ecc_fp_mul2add(const ecc_point *A, void *kA,
+                       const ecc_point *B, void *kB,
+                             ecc_point *C,
+                                  void *a,
+                                  void *modulus);
 #endif
 
 #endif
@@ -400,6 +449,8 @@ int ltc_ecc_fp_mul2add(ecc_point *A, void *kA,
 /* map P to affine from projective */
 int ltc_ecc_map(ecc_point *P, void *modulus, void *mp);
 
+#endif /* LTC_SOURCE */
+
 #endif
 
 #ifdef LTC_MDSA