/* return P = P + Q, Q = 2Q */
void ecp_Mont(XZ_POINT *P, XZ_POINT *Q, IN const U_WORD *Base)
{
U_WORD A[K_WORDS], B[K_WORDS], C[K_WORDS], D[K_WORDS], E[K_WORDS];
/* x3 = ((x1-z1)(x2+z2) + (x1+z1)(x2-z2))^2*zb zb=1 */
/* z3 = ((x1-z1)(x2+z2) - (x1+z1)(x2-z2))^2*xb xb=Base */
ecp_SubReduce(A, P->X, P->Z); /* A = x1-z1 */
ecp_AddReduce(B, P->X, P->Z); /* B = x1+z1 */
ecp_SubReduce(C, Q->X, Q->Z); /* C = x2-z2 */
ecp_AddReduce(D, Q->X, Q->Z); /* D = x2+z2 */
ecp_MulReduce(A, A, D); /* A = (x1-z1)(x2+z2) */
ecp_MulReduce(B, B, C); /* B = (x1+z1)(x2-z2) */
ecp_AddReduce(E, A, B); /* E = (x1-z1)(x2+z2) + (x1+z1)(x2-z2) */
ecp_SubReduce(B, A, B); /* B = (x1-z1)(x2+z2) - (x1+z1)(x2-z2) */
ecp_SqrReduce(P->X, E); /* x3 = ((x1-z1)(x2+z2) + (x1+z1)(x2-z2))^2 */
ecp_SqrReduce(A, B); /* A = ((x1-z1)(x2+z2) - (x1+z1)(x2-z2))^2 */
ecp_MulReduce(P->Z, A, Base); /* z3 = ((x1-z1)(x2+z2) - (x1+z1)(x2-z2))^2*Base */
/* x4 = (x2+z2)^2 * (x2-z2)^2 */
/* z4 = ((x2+z2)^2 - (x2-z2)^2)*((x2+z2)^2 + 121665((x2+z2)^2 - (x2-z2)^2)) */
/* C = (x2-z2) */
/* D = (x2+z2) */
ecp_SqrReduce(A, D); /* A = (x2+z2)^2 */
ecp_SqrReduce(B, C); /* B = (x2-z2)^2 */
ecp_MulReduce(Q->X, A, B); /* x4 = (x2+z2)^2 * (x2-z2)^2 */
ecp_SubReduce(B, A, B); /* B = (x2+z2)^2 - (x2-z2)^2 */
ecp_WordMulAddReduce(A, A, 121665, B);
ecp_MulReduce(Q->Z, A, B); /* z4 = B*((x2+z2)^2 + 121665*B) */
}
/* Y = X + X */
void ecp_MontDouble(XZ_POINT *Y, const XZ_POINT *X)
{
U_WORD A[K_WORDS], B[K_WORDS];
/* x2 = (x+z)^2 * (x-z)^2 */
/* z2 = ((x+z)^2 - (x-z)^2)*((x+z)^2 + ((A-2)/4)((x+z)^2 - (x-z)^2)) */
ecp_AddReduce(A, X->X, X->Z); /* A = (x+z) */
ecp_SubReduce(B, X->X, X->Z); /* B = (x-z) */
ecp_SqrReduce(A, A); /* A = (x+z)^2 */
ecp_SqrReduce(B, B); /* B = (x-z)^2 */
ecp_MulReduce(Y->X, A, B); /* x2 = (x+z)^2 * (x-z)^2 */
ecp_SubReduce(B, A, B); /* B = (x+z)^2 - (x-z)^2 */
/* (486662-2)/4 = 121665 */
ecp_WordMulAddReduce(A, A, 121665, B);
ecp_MulReduce(Y->Z, A, B); /* z2 = (B)*((x+z)^2 + ((A-2)/4)(B)) */
}
/*
Reference: http://eprint.iacr.org/2008/522
Cost: 4M + 4S + 7add
Return: P = 2*P
*/
void edp_DoublePoint(Ext_POINT *p)
{
U_WORD a[K_WORDS], b[K_WORDS], c[K_WORDS], d[K_WORDS], e[K_WORDS];
ecp_SqrReduce(a, p->x); /* A = X1^2 */
ecp_SqrReduce(b, p->y); /* B = Y1^2 */
ecp_SqrReduce(c, p->z); /* C = 2*Z1^2 */
ecp_AddReduce(c, c, c);
ecp_SubReduce(d, _w_maxP, a); /* D = -A */
ecp_SubReduce(a, d, b); /* H = D-B */
ecp_AddReduce(d, d, b); /* G = D+B */
ecp_SubReduce(b, d, c); /* F = G-C */
ecp_AddReduce(e, p->x, p->y); /* E = (X1+Y1)^2-A-B = (X1+Y1)^2+H */
ecp_SqrReduce(e, e);
ecp_AddReduce(e, e, a);
ecp_MulReduce(p->x, e, b); /* E*F */
ecp_MulReduce(p->y, a, d); /* H*G */
ecp_MulReduce(p->z, d, b); /* G*F */
ecp_MulReduce(p->t, e, a); /* E*H */
}
int curve25519_SelfTest(int level)
{
int rc = 0;
U64 A[4], B[4], C[4];
U8 a[32], b[32], c[32], d[32];
ecp_AddReduce(A, _w_I, _w_P);
ECP_MOD(A);
if (ecp_Cmp(A, _w_I) != 0)
{
rc++;
printf("assert I+p == I mod p FAILED!!\n");
ecp_PrintHexWords("A_1", A, 4);
}
if (ecp_Cmp(_w_I, _w_P) >= 0)
{
rc++;
printf("assert I < P FAILED!!\n");
}
if (ecp_Cmp(_w_P, _w_I) <= 0)
{
rc++;
printf("assert P > I FAILED!!\n");
}
ecp_MulReduce(B, _w_I, _w_D);
ECP_MOD(B);
if (ecp_Cmp(B, _w_IxD) != 0)
{
rc++;
printf("assert I*D FAILED!!\n");
ecp_PrintHexWords("A_2", B, 4);
}
// assert I*I == p-1
ecp_MulMod(A, _w_I, _w_I);
if (ecp_Cmp(A, _w_Pm1) != 0)
{
rc++;
printf("assert mul(I,I) == p-1 FAILED!!\n");
ecp_PrintHexWords("A_3", A, 4);
}
// assert I**2 == p-1
ecp_SqrReduce(B, _w_I);
ECP_MOD(B);
if (ecp_Cmp(B, _w_Pm1) != 0)
{
rc++;
printf("assert square(I) == p-1 FAILED!!\n");
ecp_PrintHexWords("B_4", B, 4);
}
// assert (-I)*(-I) == p-1
ecp_Sub(B, _w_P, _w_I);
ecp_MulMod(A, B, B);
if (ecp_Cmp(A, _w_Pm1) != 0)
{
rc++;
printf("assert mul(-I,-I) == p-1 FAILED!!\n");
ecp_PrintHexWords("A_5", A, 4);
ecp_PrintHexWords("B_5", B, 4);
}
ecp_SetValue(A, 50153);
ecp_Inverse(B, A);
ecp_MulMod(A, A, B);
if (ecp_Cmp(A, _w_One) != 0)
{
rc++;
printf("invmod FAILED!!\n");
ecp_PrintHexWords("inv_50153", B, 4);
ecp_PrintHexWords("expected_1", A, 4);
}
// assert expmod(d,(p-1)/2,p) == p-1
ecp_ExpMod(A, _w_D, _b_Pm1d2, 32);
if (ecp_Cmp(A, _w_Pm1) != 0)
{
rc++;
printf("assert expmod(d,(p-1)/2,p) == p-1 FAILED!!\n");
ecp_PrintHexWords("A_3", A, 4);
}
ecp_CalculateY(a, ecp_BasePoint);
ecp_BytesToWords(A, a);
if (ecp_Cmp(A, _w_Gy) != 0)
{
rc++;
printf("assert clacY(Base) == Base.y FAILED!!\n");
ecp_PrintHexBytes("Calculated_Base.y", a, 32);
}
ecp_PointMultiply(a, ecp_BasePoint, _b_Om1, 32);
if (memcmp(a, ecp_BasePoint, 32) != 0)
{
rc++;
printf("assert (l-1).Base == Base FAILED!!\n");
ecp_PrintHexBytes("A_5", a, 32);
}
ecp_PointMultiply(a, ecp_BasePoint, _b_O, 32);
ecp_BytesToWords(A, a);
if (!ecp_IsZero(A))
{
rc++;
printf("assert l.Base == 0 FAILED!!\n");
ecp_PrintHexBytes("A_6", a, 32);
}
// Key generation
ecp_PointMultiply(a, ecp_BasePoint, pk1, 32);
ecp_PrintHexBytes("PublicKey1", a, 32);
ecp_PointMultiply(b, ecp_BasePoint, pk2, 32);
ecp_PrintHexBytes("PublicKey2", b, 32);
// ECDH - key exchange
ecp_PointMultiply(c, b, pk1, 32);
ecp_PrintHexBytes("SharedKey1", c, 32);
ecp_PointMultiply(d, a, pk2, 32);
ecp_PrintHexBytes("SharedKey2", d, 32);
if (memcmp(c, d, 32) != 0)
{
rc++;
printf("ECDH key exchange FAILED!!\n");
}
memset(a, 0x44, 32); // our secret key
ecp_PointMultiply(b, ecp_BasePoint, a, 32); // public key
ecp_PointMultiply(c, b, _b_k1, 32);
ecp_PointMultiply(d, c, _b_k2, 32);
if (memcmp(d, b, 32) != 0)
{
rc++;
printf("assert k1.k2.D == D FAILED!!\n");
ecp_PrintHexBytes("D", d, 4);
ecp_PrintHexBytes("C", c, 4);
ecp_PrintHexBytes("A", a, 4);
}
ecp_BytesToWords(A, _b_k1);
ecp_BytesToWords(B, _b_k2);
eco_InvModBPO(C, A);
if (ecp_Cmp(C, B) != 0)
{
rc++;
printf("assert 1/k1 == k2 mod BPO FAILED!!\n");
ecp_PrintHexWords("Calc", C, 4);
ecp_PrintHexWords("Expt", B, 4);
}
eco_MulMod(C, A, B);
if (ecp_Cmp(C, _w_One) != 0)
{
rc++;
printf("assert k1*k2 == 1 mod BPO FAILED!!\n");
ecp_PrintHexWords("Calc", C, 4);
}
return rc;
}
