void eb_curve_set_ordin(fb_t a, fb_t b, eb_t g, bn_t r, bn_t h) {
fb_copy(curve_a, a);
fb_copy(curve_b, b);
detect_opt(&curve_opt_a, curve_a);
detect_opt(&curve_opt_b, curve_b);
curve_is_super = 0;
if (fb_cmp_dig(curve_b, 1) == CMP_EQ) {
curve_is_kbltz = 1;
} else {
curve_is_kbltz = 0;
}
#if defined(EB_KBLTZ) && (EB_MUL == LWNAF || EB_FIX == LWNAF || EB_SIM == INTER || !defined(STRIP))
if (curve_is_kbltz) {
compute_kbltz();
}
#endif
eb_norm(g, g);
eb_copy(&curve_g, g);
bn_copy(&curve_r, r);
bn_copy(&curve_h, h);
#if defined(EB_PRECO)
eb_mul_pre(eb_curve_get_tab(), &curve_g);
#endif
}
void eb_curve_set_ordin(const fb_t a, const fb_t b, const eb_t g, const bn_t r,
const bn_t h) {
ctx_t *ctx = core_get();
fb_copy(ctx->eb_a, a);
fb_copy(ctx->eb_b, b);
detect_opt(&(ctx->eb_opt_a), ctx->eb_a);
detect_opt(&(ctx->eb_opt_b), ctx->eb_b);
ctx->eb_is_super = 0;
if (fb_cmp_dig(ctx->eb_b, 1) == CMP_EQ) {
ctx->eb_is_kbltz = 1;
} else {
ctx->eb_is_kbltz = 0;
}
#if defined(EB_KBLTZ) && (EB_MUL == LWNAF || EB_FIX == LWNAF || EB_SIM == INTER || !defined(STRIP))
if (ctx->eb_is_kbltz) {
compute_kbltz();
}
#endif
eb_norm(&(ctx->eb_g), g);
bn_copy(&(ctx->eb_r), r);
bn_copy(&(ctx->eb_h), h);
#if defined(EB_PRECO)
eb_mul_pre((eb_t *)eb_curve_get_tab(), &(ctx->eb_g));
#endif
}
/**
* Computes c = a ^ b mod m.
*
* @param c - the result.
* @param a - the basis.
* @param b - the exponent.
* @param m - the modulus.
*/
static void bn_exp(bn_t c, const bn_t a, const bn_t b, const bn_t m) {
int i, l;
bn_t t;
bn_null(t);
TRY {
bn_new(t);
l = bn_bits(b);
bn_copy(t, a);
for (i = l - 2; i >= 0; i--) {
bn_sqr(t, t);
bn_mod(t, t, m);
if (bn_get_bit(b, i)) {
bn_mul(t, t, a);
bn_mod(t, t, m);
}
}
bn_copy(c, t);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(t);
}
}
int cp_rsa_gen_basic(rsa_t pub, rsa_t prv, int bits) {
bn_t t, r;
int result = STS_OK;
if (pub == NULL || prv == NULL || bits == 0) {
return STS_ERR;
}
bn_null(t);
bn_null(r);
TRY {
bn_new(t);
bn_new(r);
/* Generate different primes p and q. */
do {
bn_gen_prime(prv->p, bits / 2);
bn_gen_prime(prv->q, bits / 2);
} while (bn_cmp(prv->p, prv->q) == CMP_EQ);
/* Swap p and q so that p is smaller. */
if (bn_cmp(prv->p, prv->q) == CMP_LT) {
bn_copy(t, prv->p);
bn_copy(prv->p, prv->q);
bn_copy(prv->q, t);
}
bn_mul(pub->n, prv->p, prv->q);
bn_copy(prv->n, pub->n);
bn_sub_dig(prv->p, prv->p, 1);
bn_sub_dig(prv->q, prv->q, 1);
bn_mul(t, prv->p, prv->q);
bn_set_2b(pub->e, 16);
bn_add_dig(pub->e, pub->e, 1);
bn_gcd_ext(r, prv->d, NULL, pub->e, t);
if (bn_sign(prv->d) == BN_NEG) {
bn_add(prv->d, prv->d, t);
}
if (bn_cmp_dig(r, 1) == CMP_EQ) {
bn_add_dig(prv->p, prv->p, 1);
bn_add_dig(prv->q, prv->q, 1);
}
}
CATCH_ANY {
result = STS_ERR;
}
FINALLY {
bn_free(t);
bn_free(r);
}
return result;
}
void bn_mxp_monty(bn_t c, const bn_t a, const bn_t b, const bn_t m) {
bn_t tab[2], u;
dig_t mask;
int t;
bn_null(tab[0]);
bn_null(tab[1]);
bn_null(u);
TRY {
bn_new(u);
bn_mod_pre(u, m);
bn_new(tab[0]);
bn_new(tab[1]);
#if BN_MOD == MONTY
bn_set_dig(tab[0], 1);
bn_mod_monty_conv(tab[0], tab[0], m);
bn_mod_monty_conv(tab[1], a, m);
#else
bn_set_dig(tab[0], 1);
bn_copy(tab[1], a);
#endif
for (int i = bn_bits(b) - 1; i >= 0; i--) {
int j = bn_get_bit(b, i);
dv_swap_cond(tab[0]->dp, tab[1]->dp, BN_DIGS, j ^ 1);
mask = -(j ^ 1);
t = (tab[0]->used ^ tab[1]->used) & mask;
tab[0]->used ^= t;
tab[1]->used ^= t;
bn_mul(tab[0], tab[0], tab[1]);
bn_mod(tab[0], tab[0], m, u);
bn_sqr(tab[1], tab[1]);
bn_mod(tab[1], tab[1], m, u);
dv_swap_cond(tab[0]->dp, tab[1]->dp, BN_DIGS, j ^ 1);
mask = -(j ^ 1);
t = (tab[0]->used ^ tab[1]->used) & mask;
tab[0]->used ^= t;
tab[1]->used ^= t;
}
#if BN_MOD == MONTY
bn_mod_monty_back(c, tab[0], m);
#else
bn_copy(c, tab[0]);
#endif
} CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(tab[1]);
bn_free(tab[0]);
bn_free(u);
}
}
void ep_curve_set_endom(const fp_t b, const ep_t g, const bn_t r, const bn_t h,
const fp_t beta, const bn_t l) {
int bits = bn_bits(r);
ctx_t *ctx = core_get();
ctx->ep_is_endom = 1;
ctx->ep_is_super = 0;
fp_zero(ctx->ep_a);
fp_copy(ctx->ep_b, b);
detect_opt(&(ctx->ep_opt_a), ctx->ep_a);
detect_opt(&(ctx->ep_opt_b), ctx->ep_b);
#if EP_MUL == LWNAF || EP_FIX == COMBS || EP_FIX == LWNAF || EP_SIM == INTER || !defined(STRIP)
fp_copy(ctx->beta, beta);
bn_gcd_ext_mid(&(ctx->ep_v1[1]), &(ctx->ep_v1[2]), &(ctx->ep_v2[1]),
&(ctx->ep_v2[2]), l, r);
/* l = v1[1] * v2[2] - v1[2] * v2[1], r = l / 2. */
bn_mul(&(ctx->ep_v1[0]), &(ctx->ep_v1[1]), &(ctx->ep_v2[2]));
bn_mul(&(ctx->ep_v2[0]), &(ctx->ep_v1[2]), &(ctx->ep_v2[1]));
bn_sub(&(ctx->ep_r), &(ctx->ep_v1[0]), &(ctx->ep_v2[0]));
bn_hlv(&(ctx->ep_r), &(ctx->ep_r));
/* v1[0] = round(v2[2] * 2^|n| / l). */
bn_lsh(&(ctx->ep_v1[0]), &(ctx->ep_v2[2]), bits + 1);
if (bn_sign(&(ctx->ep_v1[0])) == BN_POS) {
bn_add(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), &(ctx->ep_r));
} else {
bn_sub(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), &(ctx->ep_r));
}
bn_dbl(&(ctx->ep_r), &(ctx->ep_r));
bn_div(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), &(ctx->ep_r));
if (bn_sign(&ctx->ep_v1[0]) == BN_NEG) {
bn_add_dig(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), 1);
}
/* v2[0] = round(v1[2] * 2^|n| / l). */
bn_lsh(&(ctx->ep_v2[0]), &(ctx->ep_v1[2]), bits + 1);
if (bn_sign(&(ctx->ep_v2[0])) == BN_POS) {
bn_add(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]), &(ctx->ep_r));
} else {
bn_sub(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]), &(ctx->ep_r));
}
bn_div(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]), &(ctx->ep_r));
if (bn_sign(&ctx->ep_v2[0]) == BN_NEG) {
bn_add_dig(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]), 1);
}
bn_neg(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]));
#endif
ep_norm(&(ctx->ep_g), g);
bn_copy(&(ctx->ep_r), r);
bn_copy(&(ctx->ep_h), h);
#if defined(EP_PRECO)
ep_mul_pre((ep_t *)ep_curve_get_tab(), &(ctx->ep_g));
#endif
}
uint32_t eccutils_affine_to_projective(bn_uint_t *ax, bn_uint_t *ay,
bn_uint_t *px, bn_uint_t *py,
bn_uint_t *pz, ecc_curve_t *curve) {
(void)(curve);
//trying to create (X,Y,Z) => (X,Y,1) from (x,y)
bn_copy(ax, px, ax->length);
bn_copy(ay, py, ay->length);
bn_zero(pz);
pz->number[0] = 1;
return 0;
}
void bn_mxp_basic(bn_t c, const bn_t a, const bn_t b, const bn_t m) {
int i, l;
bn_t t, u, r;
if (bn_is_zero(b)) {
bn_set_dig(c, 1);
return;
}
bn_null(t);
bn_null(u);
bn_null(r);
TRY {
bn_new(t);
bn_new(u);
bn_new(r);
bn_mod_pre(u, m);
l = bn_bits(b);
#if BN_MOD == MONTY
bn_mod_monty_conv(t, a, m);
#else
bn_copy(t, a);
#endif
bn_copy(r, t);
for (i = l - 2; i >= 0; i--) {
bn_sqr(r, r);
bn_mod(r, r, m, u);
if (bn_get_bit(b, i)) {
bn_mul(r, r, t);
bn_mod(r, r, m, u);
}
}
#if BN_MOD == MONTY
bn_mod_monty_back(c, r, m);
#else
bn_copy(c, r);
#endif
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(t);
bn_free(u);
bn_free(r);
}
}
void ep2_curve_set(fp2_t a, fp2_t b, ep2_t g, bn_t r, bn_t h) {
ctx_t *ctx = core_get();
ctx->ep2_is_twist = 0;
fp2_copy(ctx->ep2_a, a);
fp2_copy(ctx->ep2_b, b);
ep2_norm(&(ctx->ep2_g), g);
bn_copy(&(ctx->ep2_r), r);
bn_copy(&(ctx->ep2_h), h);
#if defined(EP_PRECO)
ep2_mul_pre((ep2_t *)ep2_curve_get_tab(), &(ctx->ep2_g));
#endif
}
void eb_curve_get_s1(bn_t s1) {
if (core_get()->eb_is_kbltz) {
bn_copy(s1, &(core_get()->eb_s1));
} else {
bn_zero(s1);
}
}
void eb_curve_get_s0(bn_t s0) {
if (core_get()->eb_is_kbltz) {
bn_copy(s0, &(core_get()->eb_s0));
} else {
bn_zero(s0);
}
}
void eb_curve_get_vm(bn_t vm) {
if (core_get()->eb_is_kbltz) {
bn_copy(vm, &(core_get()->eb_vm));
} else {
bn_zero(vm);
}
}
void bn_sqr_comba(bn_t c, const bn_t a) {
int digits;
bn_t t;
bn_null(t);
digits = 2 * a->used;
TRY {
/* We need a temporary variable so that c can be a or b. */
bn_new_size(t, digits);
t->used = digits;
bn_sqrn_low(t->dp, a->dp, a->used);
t->sign = BN_POS;
bn_trim(t);
bn_copy(c, t);
} CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(t);
}
}
void bn_sqr_basic(bn_t c, const bn_t a) {
int i, digits;
bn_t t;
bn_null(t);
digits = 2 * a->used;
TRY {
bn_new_size(t, digits);
bn_zero(t);
t->used = digits;
for (i = 0; i < a->used; i++) {
bn_sqra_low(t->dp + (2 * i), a->dp + i, a->used - i);
}
t->sign = BN_POS;
bn_trim(t);
bn_copy(c, t);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(t);
}
}
void bn_rsh(bn_t c, bn_t a, int bits) {
int digits = 0;
if (bits <= 0) {
bn_copy(c, a);
return;
}
SPLIT(bits, digits, bits, BN_DIG_LOG);
if (digits > 0) {
bn_rshd_low(c->dp, a->dp, a->used, digits);
}
c->used = a->used - digits;
c->sign = a->sign;
if (c->used > 0 && bits > 0) {
if (digits == 0 && c != a) {
bn_rshb_low(c->dp, a->dp + digits, a->used - digits, bits);
} else {
bn_rshb_low(c->dp, c->dp, c->used, bits);
}
}
bn_trim(c);
}
uint32_t test_gen_proj_key(bn_uint_t *d, bn_uint_t *exp_pub_k_x, bn_uint_t *exp_pub_k_y, ecc_curve_t *curve)
{
BN_CREATE_VARIABLE(dtmp, d->length);
void prgn(bn_uint_t *output)
{
bn_copy(d, output, output->length);
}
void eb_curve_get_s1(bn_t s1) {
if (curve_is_kbltz) {
bn_copy(s1, &curve_s1);
} else {
bn_zero(s1);
}
}
void eb_curve_get_s0(bn_t s0) {
if (curve_is_kbltz) {
bn_copy(s0, &curve_s0);
} else {
bn_zero(s0);
}
}
void eb_curve_get_vm(bn_t vm) {
if (curve_is_kbltz) {
bn_copy(vm, &curve_vm);
} else {
bn_zero(vm);
}
}
void ep2_curve_get_ord(bn_t n) {
ctx_t *ctx = core_get();
if (ctx->ep2_is_twist) {
ep_curve_get_ord(n);
} else {
bn_copy(n, &(ctx->ep2_r));
}
}
void bn_neg(bn_t c, const bn_t a) {
if (c->dp != a->dp) {
bn_copy(c, a);
}
if (!bn_is_zero(c)) {
c->sign = a->sign ^ 1;
}
}
void bn_div_rem_dig(bn_t c, dig_t *d, const bn_t a, dig_t b) {
bn_t q;
dig_t r;
bn_null(q);
if (b == 0) {
THROW(ERR_NO_VALID);
}
if (b == 1 || bn_is_zero(a) == 1) {
if (d != NULL) {
*d = 0;
}
if (c != NULL) {
bn_copy(c, a);
}
return;
}
TRY {
bn_new(q);
int size = a->used;
const dig_t *ap = a->dp;
bn_div1_low(q->dp, &r, ap, size, b);
if (c != NULL) {
q->used = a->used;
q->sign = a->sign;
bn_trim(q);
bn_copy(c, q);
}
if (d != NULL) {
*d = r;
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(q);
}
}
int kx_init(kx_t *kx, bn_t *P, bn_t *Q, bn_t *G)
{
kx_init_common(kx);
if (bn_copy(&kx->P, P) != SUCCESS)
goto fail;
if (bn_copy(&kx->Q, Q) != SUCCESS)
goto fail;
if (bn_copy(&kx->G, G) != SUCCESS)
goto fail;
return SUCCESS;
fail:
bn_destroy(&kx->P);
bn_destroy(&kx->Q);
bn_destroy(&kx->G);
return FAILURE;
}
// copy x into e
status_t element_set_int(element_t e, integer_t x)
{
LEAVE_IF(e->isInitialized != TRUE, "uninitialized argument.");
if(e->type == ZR) {
bn_copy(e->bn, x);
return ELEMENT_OK;
}
return ELEMENT_INVALID_TYPES;
}
// only for prime N -- stupid but lazy, see if I care
void bn_inv(u8 *d, u8 *a, u8 *N, u32 n)
{
u8 t[512], s[512];
bn_copy(t, N, n);
bn_zero(s, n);
s[n-1] = 2;
bn_sub_modulus(t, s, n);
bn_exp(d, a, N, n, t, n);
}
void ep2_curve_get_vs(bn_t *v) {
bn_t x, t;
bn_null(x);
bn_null(t);
TRY {
bn_new(x);
bn_new(t);
fp_param_get_var(x);
bn_mul_dig(v[0], x, 3);
bn_add_dig(v[0], v[0], 1);
bn_copy(v[1], x);
bn_copy(v[2], x);
bn_copy(v[3], x);
bn_sqr(x, x);
bn_lsh(t, x, 1);
bn_add(v[0], v[0], t);
bn_add(v[3], v[3], t);
bn_lsh(t, t, 1);
bn_add(v[2], v[2], t);
bn_lsh(t, t, 1);
bn_add(v[1], v[1], t);
fp_param_get_var(t);
bn_mul(x, x, t);
bn_mul_dig(t, x, 6);
bn_add(v[2], v[2], t);
bn_lsh(t, t, 1);
bn_add(v[1], v[1], t);
bn_neg(v[3], v[3]);
} CATCH_ANY {
THROW(ERR_CAUGHT);
} FINALLY {
bn_free(x);
bn_free(t);
}
}
void ep_curve_set_super(const fp_t a, const fp_t b, const ep_t g, const bn_t r,
const bn_t h) {
ctx_t *ctx = core_get();
ctx->ep_is_endom = 0;
ctx->ep_is_super = 1;
fp_copy(ctx->ep_a, a);
fp_copy(ctx->ep_b, b);
detect_opt(&(ctx->ep_opt_a), ctx->ep_a);
detect_opt(&(ctx->ep_opt_b), ctx->ep_b);
ep_norm(&(ctx->ep_g), g);
bn_copy(&(ctx->ep_r), r);
bn_copy(&(ctx->ep_h), h);
#if defined(EP_PRECO)
ep_mul_pre((ep_t *)ep_curve_get_tab(), &(ctx->ep_g));
#endif
}
uint32_t eccutils_projective_to_affine(bn_uint_t *px, bn_uint_t *py,
bn_uint_t *pz, bn_uint_t *ax,
bn_uint_t *ay, ecc_curve_t *curve) {
BN_CREATE_VARIABLE(invz, pz->length);
BN_CREATE_VARIABLE(invztmp, pz->length);
BN_CREATE_VARIABLE(invztmp2, pz->length);
bn_zero(&invz);
invz.number[0] = 1;
if (bn_compare(&invz, pz) == 0) {
bn_copy(px, ax, px->length);
bn_copy(py, ay, py->length);
return 0;
}
bn_field_inverse(pz, curve->p, &invz);
bn_field_mul_barret(&invz, &invz, curve->barret_mi, curve->p, &invztmp); //now we've got z^2
bn_field_mul_barret(&invztmp, px, curve->barret_mi, curve->p, ax); //now we've got affine x
bn_field_mul_barret(&invztmp, &invz, curve->barret_mi, curve->p, &invztmp2); //now we've got z^3
bn_field_mul_barret(&invztmp2, py, curve->barret_mi, curve->p, ay); //now we've got affine y
return 0;
}
void eb_curve_set_super(fb_t a, fb_t b, fb_t c, eb_t g, bn_t r, bn_t h) {
curve_is_kbltz = 0;
curve_is_super = 1;
fb_copy(curve_a, a);
fb_copy(curve_b, b);
fb_copy(curve_c, c);
detect_opt(&curve_opt_a, curve_a);
detect_opt(&curve_opt_b, curve_b);
detect_opt(&curve_opt_c, curve_c);
eb_norm(g, g);
eb_copy(&curve_g, g);
bn_copy(&curve_r, r);
bn_copy(&curve_h, h);
#if defined(EB_PRECO)
eb_mul_pre(eb_curve_get_tab(), &curve_g);
#endif
}
void bn_mon_mul(u8 *d, u8 *a, u8 *b, u8 *N, u32 n)
{
u8 t[512];
u32 i;
bn_zero(t, n);
for (i = n - 1; i < n; i--)
bn_mon_muladd_dig(t, a, b[i], N, n);
bn_copy(d, t, n);
}
