Diffstat (limited to 'lib/nettle/gost/ecc-internal.h')
-rw-r--r-- | lib/nettle/gost/ecc-internal.h | 298 |
1 files changed, 0 insertions, 298 deletions
diff --git a/lib/nettle/gost/ecc-internal.h b/lib/nettle/gost/ecc-internal.h
deleted file mode 100644
index 2cf6645c23..0000000000
--- a/lib/nettle/gost/ecc-internal.h
+++ /dev/null
@@ -1,298 +0,0 @@ -/* ecc-internal.h - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see https://www.gnu.org/licenses/. -*/ - -/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ - -#ifndef GNUTLS_LIB_NETTLE_GOST_ECC_INTERNAL_H -#define GNUTLS_LIB_NETTLE_GOST_ECC_INTERNAL_H - -#ifdef HAVE_CONFIG_H -# include "config.h" -#endif - -#include <nettle/nettle-types.h> -#include <nettle/bignum.h> -#include <nettle/ecc-curve.h> -#include "gmp-glue.h" - -#define ecc_mod_add _nettle_ecc_mod_add -#define ecc_mod_mul _nettle_ecc_mod_mul -#define ecc_mod_random _nettle_ecc_mod_random -#define ecc_mod _nettle_ecc_mod -#define ecc_mod_inv _nettle_ecc_mod_inv -#define gost_hash _gnutls_gost_hash -#define ecc_j_to_a _nettle_ecc_j_to_a -#define ecc_dup_jj _nettle_ecc_dup_jj -#define ecc_add_jja _nettle_ecc_add_jja -#define ecc_add_jjj _nettle_ecc_add_jjj -#define ecc_mul_g _nettle_ecc_mul_g -#define ecc_mul_a _nettle_ecc_mul_a -#define cnd_copy _nettle_cnd_copy - -/* Window size for ecc_mul_a. Using 4 bits seems like a good choice, - for both Intel x86_64 and ARM Cortex A9. 
For the larger curves, of - 384 and 521 bits, we could improve speed by a few percent if we go - up to 5 bits, but I don't think that's worth doubling the - storage. */ -#define ECC_MUL_A_WBITS 4 - -struct ecc_modulo; - -/* Reduces from 2*ecc->size to ecc->size. */ -/* Required to return a result < 2q. This property is inherited by - mod_mul and mod_sqr. */ -typedef void ecc_mod_func (const struct ecc_modulo *m, mp_limb_t *rp); - -typedef void ecc_mod_inv_func (const struct ecc_modulo *m, - mp_limb_t *vp, const mp_limb_t *ap, - mp_limb_t *scratch); - -/* Computes the square root of (u/v) (mod p) */ -typedef int ecc_mod_sqrt_func (const struct ecc_modulo *m, - mp_limb_t *rp, - const mp_limb_t *up, const mp_limb_t *vp, - mp_limb_t *scratch); - -typedef void ecc_add_func (const struct ecc_curve *ecc, - mp_limb_t *r, - const mp_limb_t *p, const mp_limb_t *q, - mp_limb_t *scratch); - -typedef void ecc_dup_func (const struct ecc_curve *ecc, - mp_limb_t *r, const mp_limb_t *p, - mp_limb_t *scratch); - -typedef void ecc_mul_g_func (const struct ecc_curve *ecc, mp_limb_t *r, - const mp_limb_t *np, mp_limb_t *scratch); - -typedef void ecc_mul_func (const struct ecc_curve *ecc, - mp_limb_t *r, - const mp_limb_t *np, const mp_limb_t *p, - mp_limb_t *scratch); - -typedef void ecc_h_to_a_func (const struct ecc_curve *ecc, - int flags, - mp_limb_t *r, const mp_limb_t *p, - mp_limb_t *scratch); - -struct ecc_modulo -{ - unsigned short bit_size; - unsigned short size; - unsigned short B_size; - unsigned short redc_size; - unsigned short invert_itch; - unsigned short sqrt_itch; - - const mp_limb_t *m; - /* B^size mod m. Expected to have at least 32 leading zeros - (equality for secp_256r1). */ - const mp_limb_t *B; - /* 2^{bit_size} - p, same value as above, but shifted. */ - const mp_limb_t *B_shifted; - /* m +/- 1, for redc, excluding redc_size low limbs. 
*/ - const mp_limb_t *redc_mpm1; - /* (m+1)/2 */ - const mp_limb_t *mp1h; - - ecc_mod_func *mod; - ecc_mod_func *reduce; - ecc_mod_inv_func *invert; - ecc_mod_sqrt_func *sqrt; -}; - -/* Represents an elliptic curve of the form - - y^2 = x^3 - 3x + b (mod p) -*/ -struct ecc_curve -{ - /* The prime p. */ - struct ecc_modulo p; - /* Group order. FIXME: Currently, many functions rely on q.size == - p.size. This has to change for radix-51 implementation of - curve25519 mod p arithmetic. */ - struct ecc_modulo q; - - unsigned short use_redc; - unsigned short pippenger_k; - unsigned short pippenger_c; - -#ifdef HAVE_NETTLE_CURVE448_MUL - unsigned short add_hh_itch; -#endif - unsigned short add_hhh_itch; -#ifdef HAVE_NETTLE_CURVE448_MUL - unsigned short dup_itch; -#endif - unsigned short mul_itch; - unsigned short mul_g_itch; - unsigned short h_to_a_itch; - -#ifdef HAVE_NETTLE_CURVE448_MUL - ecc_add_func *add_hh; -#endif - ecc_add_func *add_hhh; -#ifdef HAVE_NETTLE_CURVE448_MUL - ecc_dup_func *dup; -#endif - ecc_mul_func *mul; - ecc_mul_g_func *mul_g; - ecc_h_to_a_func *h_to_a; - - /* Curve constant */ - const mp_limb_t *b; - /* Generator, x coordinate followed by y (affine coordinates). - Currently used only by the test suite. */ - const mp_limb_t *g; - /* If non-NULL, the constant needed for transformation to the - equivalent Edwards curve. */ -#ifndef HAVE_NETTLE_CURVE448_MUL - const mp_limb_t *edwards_root; -#endif - - /* For redc, same as B mod p, otherwise 1. */ - const mp_limb_t *unit; - - /* Tables for multiplying by the generator, size determined by k and - c. The first 2^c entries are defined by - - T[ j_0 + j_1 2 + ... + j_{c-1} 2^{c-1} ] - = j_0 g + j_1 2^k g + ... + j_{c-1} 2^{k(c-1)} g - - The following entries differ by powers of 2^{kc}, - - T[i] = 2^{kc} T[i-2^c] - */ - const mp_limb_t *pippenger_table; -}; - -/* In-place reduction. 
*/ -ecc_mod_func ecc_mod; - -ecc_mod_inv_func ecc_mod_inv; - -void -ecc_mod_add (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, const mp_limb_t *bp); - -/* NOTE: mul and sqr needs 2*ecc->size limbs at rp */ -void -ecc_mod_mul (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, const mp_limb_t *bp); - -#define ecc_modq_add(ecc, r, a, b) \ - ecc_mod_add (&(ecc)->q, (r), (a), (b)) -#define ecc_modq_mul(ecc, r, a, b) \ - ecc_mod_mul (&(ecc)->q, (r), (a), (b)) - -/* mod q operations. */ -void -ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp, - void *ctx, nettle_random_func *random, mp_limb_t *scratch); - -void -gost_hash (const struct ecc_modulo *m, - mp_limb_t *hp, - size_t length, const uint8_t *digest); - -/* Converts a point P in jacobian coordinates into a point R in affine - coordinates. If op == 1, produce x coordinate only. If op == 2, - produce the x coordinate only, and in also it modulo q. FIXME: For - the public interface, have separate for the three cases, and use - this flag argument only for the internal ecc->h_to_a function. */ -void -ecc_j_to_a (const struct ecc_curve *ecc, - int op, - mp_limb_t *r, const mp_limb_t *p, - mp_limb_t *scratch); - -/* Point doubling, with jacobian input and output. Corner cases: - Correctly sets R = 0 (r_Z = 0) if p = 0 or 2p = 0. */ -void -ecc_dup_jj (const struct ecc_curve *ecc, - mp_limb_t *r, const mp_limb_t *p, - mp_limb_t *scratch); - -/* Point addition, with jacobian output, one jacobian input and one - affine input. Corner cases: Fails for the cases - - P = Q != 0 Duplication of non-zero point - P = 0, Q != 0 or P != 0, Q = 0 One input zero - - Correctly gives R = 0 if P = Q = 0 or P = -Q. */ -void -ecc_add_jja (const struct ecc_curve *ecc, - mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, - mp_limb_t *scratch); - -/* Point addition with Jacobian input and output. 
*/ -void -ecc_add_jjj (const struct ecc_curve *ecc, - mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, - mp_limb_t *scratch); - -/* Computes N * the group generator. N is an array of ecc_size() - limbs. It must be in the range 0 < N < group order, then R != 0, - and the algorithm can work without any intermediate values getting - to zero. */ -void -ecc_mul_g (const struct ecc_curve *ecc, mp_limb_t *r, - const mp_limb_t *np, mp_limb_t *scratch); - -/* Computes N * P. The scalar N is the same as for ecc_mul_g. P is a - non-zero point on the curve, in affine coordinates. Output R is a - non-zero point, in Jacobian coordinates. */ -void -ecc_mul_a (const struct ecc_curve *ecc, - mp_limb_t *r, - const mp_limb_t *np, const mp_limb_t *p, - mp_limb_t *scratch); - -void -cnd_copy (int cnd, mp_limb_t *rp, const mp_limb_t *ap, mp_size_t n); - -/* Current scratch needs: */ -#define ECC_MOD_INV_ITCH(size) (2*(size)) -#define ECC_J_TO_A_ITCH(size) (5*(size)) -#define ECC_DUP_JJ_ITCH(size) (5*(size)) -#define ECC_ADD_JJA_ITCH(size) (6*(size)) -#define ECC_ADD_JJJ_ITCH(size) (8*(size)) -#define ECC_MUL_G_ITCH(size) (9*(size)) -#if ECC_MUL_A_WBITS == 0 -#define ECC_MUL_A_ITCH(size) (12*(size)) -#else -#define ECC_MUL_A_ITCH(size) \ - (((3 << ECC_MUL_A_WBITS) + 11) * (size)) -#endif -#define ECC_GOSTDSA_SIGN_ITCH(size) (12*(size)) - -#endif /* GNUTLS_LIB_NETTLE_GOST_ECC_INTERNAL_H */ |