2018-02-01 21:49:18 +00:00
|
|
|
/*
|
|
|
|
* Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
|
|
|
|
* Copyright (c) 2014, Intel Corporation. All Rights Reserved.
|
2016-10-25 01:02:26 +01:00
|
|
|
*
|
2018-02-01 21:49:18 +00:00
|
|
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
|
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
|
|
* in the file LICENSE in the source distribution or at
|
|
|
|
* https://www.openssl.org/source/license.html
|
2016-10-25 01:02:26 +01:00
|
|
|
*
|
2018-02-01 21:49:18 +00:00
|
|
|
* Originally written by Shay Gueron (1, 2), and Vlad Krasnov (1)
|
|
|
|
* (1) Intel Corporation, Israel Development Center, Haifa, Israel
|
|
|
|
* (2) University of Haifa, Israel
|
|
|
|
*
|
|
|
|
* Reference:
|
|
|
|
* S.Gueron and V.Krasnov, "Fast Prime Field Elliptic Curve Cryptography with
|
|
|
|
* 256 Bit Primes"
|
|
|
|
*/
|
2016-10-25 01:02:26 +01:00
|
|
|
|
|
|
|
#ifndef OPENSSL_HEADER_EC_P256_X86_64_H
|
|
|
|
#define OPENSSL_HEADER_EC_P256_X86_64_H
|
|
|
|
|
|
|
|
#include <openssl/base.h>
|
|
|
|
|
|
|
|
#include <openssl/bn.h>
|
|
|
|
|
|
|
|
#if defined(__cplusplus)
|
|
|
|
extern "C" {
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
|
|
#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \
|
|
|
|
!defined(OPENSSL_SMALL)
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// P-256 field operations.
|
|
|
|
//
|
|
|
|
// An element mod P in P-256 is represented as a little-endian array of
|
|
|
|
// |P256_LIMBS| |BN_ULONG|s, spanning the full range of values.
|
|
|
|
//
|
|
|
|
// The following functions take fully-reduced inputs mod P and give
|
|
|
|
// fully-reduced outputs. They may be used in-place.
|
2016-10-25 01:02:26 +01:00
|
|
|
|
|
|
|
#define P256_LIMBS (256 / BN_BITS2)
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// ecp_nistz256_neg sets |res| to -|a| mod P.
|
2016-10-25 01:02:26 +01:00
|
|
|
void ecp_nistz256_neg(BN_ULONG res[P256_LIMBS], const BN_ULONG a[P256_LIMBS]);
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// ecp_nistz256_mul_mont sets |res| to |a| * |b| * 2^-256 mod P.
|
2016-10-25 01:02:26 +01:00
|
|
|
void ecp_nistz256_mul_mont(BN_ULONG res[P256_LIMBS],
|
|
|
|
const BN_ULONG a[P256_LIMBS],
|
|
|
|
const BN_ULONG b[P256_LIMBS]);
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// ecp_nistz256_sqr_mont sets |res| to |a| * |a| * 2^-256 mod P.
|
2016-10-25 01:02:26 +01:00
|
|
|
void ecp_nistz256_sqr_mont(BN_ULONG res[P256_LIMBS],
|
|
|
|
const BN_ULONG a[P256_LIMBS]);
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// ecp_nistz256_from_mont sets |res| to |in|, converted from Montgomery domain
|
|
|
|
// by multiplying with 1.
|
2016-12-22 08:01:40 +00:00
|
|
|
static inline void ecp_nistz256_from_mont(BN_ULONG res[P256_LIMBS],
|
|
|
|
const BN_ULONG in[P256_LIMBS]) {
|
|
|
|
static const BN_ULONG ONE[P256_LIMBS] = { 1 };
|
|
|
|
ecp_nistz256_mul_mont(res, in, ONE);
|
|
|
|
}
|
2016-10-25 01:02:26 +01:00
|
|
|
|
2018-08-24 08:18:09 +01:00
|
|
|
// ecp_nistz256_to_mont sets |res| to |in|, converted to Montgomery domain
|
|
|
|
// by multiplying with RR = 2^512 mod P precomputed for NIST P256 curve.
|
|
|
|
static inline void ecp_nistz256_to_mont(BN_ULONG res[P256_LIMBS],
|
|
|
|
const BN_ULONG in[P256_LIMBS]) {
|
|
|
|
static const BN_ULONG RR[P256_LIMBS] = {
|
|
|
|
TOBN(0x00000000, 0x00000003), TOBN(0xfffffffb, 0xffffffff),
|
|
|
|
TOBN(0xffffffff, 0xfffffffe), TOBN(0x00000004, 0xfffffffd)};
|
|
|
|
ecp_nistz256_mul_mont(res, in, RR);
|
|
|
|
}
|
|
|
|
|
2016-10-25 01:02:26 +01:00
|
|
|
|
2018-04-21 06:20:15 +01:00
|
|
|
// P-256 scalar operations.
|
|
|
|
//
|
|
|
|
// The following functions compute modulo N, where N is the order of P-256. They
|
|
|
|
// take fully-reduced inputs and give fully-reduced outputs.
|
|
|
|
|
|
|
|
// ecp_nistz256_ord_mul_mont sets |res| to |a| * |b| where inputs and outputs
|
|
|
|
// are in Montgomery form. That is, |res| is |a| * |b| * 2^-256 mod N.
|
|
|
|
void ecp_nistz256_ord_mul_mont(BN_ULONG res[P256_LIMBS],
|
|
|
|
const BN_ULONG a[P256_LIMBS],
|
|
|
|
const BN_ULONG b[P256_LIMBS]);
|
|
|
|
|
|
|
|
// ecp_nistz256_ord_sqr_mont sets |res| to |a|^(2*|rep|) where inputs and
|
|
|
|
// outputs are in Montgomery form. That is, |res| is
|
|
|
|
// (|a| * 2^-256)^(2*|rep|) * 2^256 mod N.
|
|
|
|
void ecp_nistz256_ord_sqr_mont(BN_ULONG res[P256_LIMBS],
|
|
|
|
const BN_ULONG a[P256_LIMBS], int rep);
|
|
|
|
|
2018-08-24 08:18:09 +01:00
|
|
|
// beeu_mod_inverse_vartime sets out = a^-1 mod p using a Euclidean algorithm.
|
|
|
|
// Assumption: 0 < a < p < 2^(256) and p is odd.
|
|
|
|
int beeu_mod_inverse_vartime(BN_ULONG out[P256_LIMBS],
|
|
|
|
const BN_ULONG a[P256_LIMBS],
|
|
|
|
const BN_ULONG p[P256_LIMBS]);
|
|
|
|
|
2018-04-21 06:20:15 +01:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// P-256 point operations.
|
|
|
|
//
|
|
|
|
// The following functions may be used in-place. All coordinates are in the
|
|
|
|
// Montgomery domain.
|
2016-10-25 01:02:26 +01:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// A P256_POINT represents a P-256 point in Jacobian coordinates.
|
2016-10-25 01:02:26 +01:00
|
|
|
typedef struct {
|
|
|
|
BN_ULONG X[P256_LIMBS];
|
|
|
|
BN_ULONG Y[P256_LIMBS];
|
|
|
|
BN_ULONG Z[P256_LIMBS];
|
|
|
|
} P256_POINT;
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// A P256_POINT_AFFINE represents a P-256 point in affine coordinates. Infinity
|
|
|
|
// is encoded as (0, 0).
|
2016-10-25 01:02:26 +01:00
|
|
|
typedef struct {
|
|
|
|
BN_ULONG X[P256_LIMBS];
|
|
|
|
BN_ULONG Y[P256_LIMBS];
|
|
|
|
} P256_POINT_AFFINE;
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// ecp_nistz256_select_w5 sets |*val| to |in_t[index-1]| if 1 <= |index| <= 16
|
|
|
|
// and all zeros (the point at infinity) if |index| is 0. This is done in
|
|
|
|
// constant time.
|
2016-10-25 01:02:26 +01:00
|
|
|
void ecp_nistz256_select_w5(P256_POINT *val, const P256_POINT in_t[16],
|
|
|
|
int index);
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// ecp_nistz256_select_w7 sets |*val| to |in_t[index-1]| if 1 <= |index| <= 64
|
|
|
|
// and all zeros (the point at infinity) if |index| is 0. This is done in
|
|
|
|
// constant time.
|
2016-10-25 01:02:26 +01:00
|
|
|
void ecp_nistz256_select_w7(P256_POINT_AFFINE *val,
|
|
|
|
const P256_POINT_AFFINE in_t[64], int index);
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// ecp_nistz256_point_double sets |r| to |a| doubled.
|
2016-10-25 01:02:26 +01:00
|
|
|
void ecp_nistz256_point_double(P256_POINT *r, const P256_POINT *a);
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// ecp_nistz256_point_add adds |a| to |b| and places the result in |r|.
|
2016-10-25 01:02:26 +01:00
|
|
|
void ecp_nistz256_point_add(P256_POINT *r, const P256_POINT *a,
|
|
|
|
const P256_POINT *b);
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// ecp_nistz256_point_add_affine adds |a| to |b| and places the result in
|
|
|
|
// |r|. |a| and |b| must not represent the same point unless they are both
|
|
|
|
// infinity.
|
2016-10-25 01:02:26 +01:00
|
|
|
void ecp_nistz256_point_add_affine(P256_POINT *r, const P256_POINT *a,
|
|
|
|
const P256_POINT_AFFINE *b);
|
|
|
|
|
|
|
|
#endif /* !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \
|
|
|
|
!defined(OPENSSL_SMALL) */
|
|
|
|
|
|
|
|
|
|
|
|
#if defined(__cplusplus)
|
2017-08-18 19:06:02 +01:00
|
|
|
} // extern C++
|
2016-10-25 01:02:26 +01:00
|
|
|
#endif
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
#endif // OPENSSL_HEADER_EC_P256_X86_64_H
|