void
gmersennemod(
int n,
giant g
)
/* g := g (mod 2^n - 1) */
{
int the_sign;
giant scratch3 = borrowGiant(g->capacity);
giant scratch4 = borrowGiant(1);
if ((the_sign = gsign(g)) < 0) absg(g);
while (bitlen(g) > n) {
gtog(g,scratch3);
gshiftright(n,scratch3);
addg(scratch3,g);
gshiftleft(n,scratch3);
subg(scratch3,g);
}
if(isZero(g)) goto out;
int_to_giant(1,scratch3);
gshiftleft(n,scratch3);
int_to_giant(1,scratch4);
subg(scratch4,scratch3);
if(gcompg(g,scratch3) >= 0) subg(scratch3,g);
if (the_sign < 0) {
g->sign = -g->sign;
addg(scratch3,g);
}
out:
returnGiant(scratch3);
returnGiant(scratch4);
}
int binvaux(giant p, giant x)
/* Binary inverse method.
Returns zero if no inverse exists, in which case x becomes
GCD(x,p). */
{
giant scratch7;
giant u0;
giant u1;
giant v0;
giant v1;
int result = 1;
int giantSize;
PROF_START;
if(isone(x)) return(result);
giantSize = 4 * abs(p->sign);
scratch7 = borrowGiant(giantSize);
u0 = borrowGiant(giantSize);
u1 = borrowGiant(giantSize);
v0 = borrowGiant(giantSize);
v1 = borrowGiant(giantSize);
int_to_giant(1, v0); gtog(x, v1);
int_to_giant(0,x); gtog(p, u1);
while(!isZero(v1)) {
gtog(u1, u0); bdivg(v1, u0);
gtog(x, scratch7);
gtog(v0, x);
mulg(u0, v0);
subg(v0,scratch7);
gtog(scratch7, v0);
gtog(u1, scratch7);
gtog(v1, u1);
mulg(u0, v1);
subg(v1,scratch7);
gtog(scratch7, v1);
}
if (!isone(u1)) {
gtog(u1,x);
if(x->sign<0) addg(p, x);
result = 0;
goto done;
}
if (x->sign<0) addg(p, x);
done:
returnGiant(scratch7);
returnGiant(u0);
returnGiant(u1);
returnGiant(v0);
returnGiant(v1);
PROF_END(binvauxTime);
return(result);
}
void make_base_prim(curveParams *cp)
/* Jams cp->basePrime with 2^q-k. Assumes valid maxDigits, q, k. */
{
giant tmp = borrowGiant(cp->maxDigits);
CKASSERT(cp->primeType != FPT_General);
int_to_giant(1, cp->basePrime);
gshiftleft((int)cp->q, cp->basePrime);
int_to_giant(cp->k, tmp);
subg(tmp, cp->basePrime);
returnGiant(tmp);
}
int signature_compare(giant p0x, giant p1x, giant p2x, curveParams *par)
/* Returns non-zero iff p0x cannot be the x-coordinate of the sum of two points whose respective x-coordinates are p1x, p2x. */
{
int ret = 0;
giant t1;
giant t2;
giant t3;
giant t4;
giant t5;
PROF_START;
t1 = borrowGiant(par->maxDigits);
t2 = borrowGiant(par->maxDigits);
t3 = borrowGiant(par->maxDigits);
t4 = borrowGiant(par->maxDigits);
t5 = borrowGiant(par->maxDigits);
if(gcompg(p1x, p2x) == 0) {
int_to_giant(1, t1);
numer_double(p1x, t1, t2, par);
denom_double(p1x, t1, t3, par);
mulg(p0x, t3); subg(t3, t2);
feemod(par, t2);
} else {
numer_plus(p1x, p2x, t1, par);
gshiftleft(1, t1); feemod(par, t1);
int_to_giant(1, t3);
numer_times(p1x, t3, p2x, t3, t2, par);
int_to_giant(1, t4); int_to_giant(1, t5);
denom_times(p1x, t4 , p2x, t5, t3, par);
/* Now we require t3 x0^2 - t1 x0 + t2 == 0. */
mulg(p0x, t3); feemod(par, t3);
subg(t1, t3); mulg(p0x, t3);
feemod(par, t3);
addg(t3, t2);
feemod(par, t2);
}
if(!isZero(t2)) ret = SIGNATURE_INVALID;
returnGiant(t1);
returnGiant(t2);
returnGiant(t3);
returnGiant(t4);
returnGiant(t5);
PROF_END(sigCompTime);
return(ret);
}
/*
* New, 13 Jan 1997.
*/
static void feepowermodg(curveParams *par, giant x, giant n)
/* Power ladder.
x := x^n (mod 2^q-k)
*/
{
int len, pos;
giant t1;
PROF_START;
t1 = borrowGiant(par->maxDigits);
gtog(x, t1);
int_to_giant(1, x);
len = bitlen(n);
pos = 0;
while(1) {
if(bitval(n, pos++)) {
mulg(t1, x);
feemod(par, x);
}
if(pos>=len) break;
gsquare(t1);
feemod(par, t1);
}
returnGiant(t1);
PROF_END(powerModTime);
}
static void
powermodg(
giant x,
giant n,
curveParams *cp
)
/* x becomes x^n (mod basePrime). */
{
int len, pos;
giant scratch2 = borrowGiant(cp->maxDigits);
gtog(x, scratch2);
int_to_giant(1, x);
len = bitlen(n);
pos = 0;
while (1)
{
if (bitval(n, pos++))
{
mulg(scratch2, x);
feemod(cp, x);
}
if (pos>=len)
break;
gsquare(scratch2);
feemod(cp, scratch2);
}
returnGiant(scratch2);
}
static void numer_plus(giant x1, giant x2, giant res, curveParams *par)
/* Numerator algebra.
res = (x1 x2 + a)(x1 + x2) + 2(c x1 x2 + b).
*/
{
giant t1;
giant t2;
PROF_START;
t1 = borrowGiant(par->maxDigits);
t2 = borrowGiant(par->maxDigits);
gtog(x1, t1); mulg(x2, t1); feemod(par, t1);
gtog(x2, t2); addg(x1, t2); feemod(par, t2);
gtog(t1, res);
if(!isZero(par->a))
addg(par->a, res);
mulg(t2, res); feemod(par, res);
if(par->curveType == FCT_Weierstrass) { // i.e., isZero(par->c)
int_to_giant(0, t1);
}
else {
mulg(par->c, t1); feemod(par, t1);
}
if(!isZero(par->b))
addg(par->b, t1);
gshiftleft(1, t1);
addg(t1, res); feemod(par, res);
returnGiant(t1);
returnGiant(t2);
PROF_END(numerPlusTime);
}
/*
* g *= (int n)
*
* FIXME - we can improve this...
*/
void imulg(unsigned n, giant g)
{
giant tmp = borrowGiant(abs(g->sign) + sizeof(int));
int_to_giant(n, tmp);
mulg(tmp, g);
returnGiant(tmp);
}
static void
powFp2(giant a, giant b, giant w2, giant n, curveParams *cp)
/* Perform powering in the field F_p^2:
a + b w := (a + b w)^n (mod p), where parameter w2 is a quadratic
nonresidue (formally equal to w^2).
*/
{
int j;
giant t6;
giant t7;
giant t8;
giant t9;
if(isZero(n)) {
int_to_giant(1,a);
int_to_giant(0,b);
return;
}
t6 = borrowGiant(cp->maxDigits);
t7 = borrowGiant(cp->maxDigits);
t8 = borrowGiant(cp->maxDigits);
t9 = borrowGiant(cp->maxDigits);
gtog(a, t8); gtog(b, t9);
for(j = bitlen(n)-2; j >= 0; j--) {
gtog(b, t6);
mulg(a, b); addg(b,b); feemod(cp, b); /* b := 2 a b. */
gsquare(t6); feemod(cp, t6);
mulg(w2, t6); feemod(cp, t6);
gsquare(a); addg(t6, a); feemod(cp, a);
/* a := a^2 + b^2 w2. */
if(bitval(n, j)) {
gtog(b, t6); mulg(t8, b); feemod(cp, b);
gtog(a, t7); mulg(t9, a); addg(a, b); feemod(cp, b);
mulg(t9, t6); feemod(cp, t6);
mulg(w2, t6); feemod(cp, t6);
mulg(t8, a); addg(t6, a); feemod(cp, a);
}
}
returnGiant(t6);
returnGiant(t7);
returnGiant(t8);
returnGiant(t9);
return;
}
void ellDoubleProj(pointProj pt, curveParams *cp)
/* pt := 2 pt on the curve. */
{
giant x = pt->x, y = pt->y, z = pt->z;
giant t1;
giant t2;
giant t3;
if(isZero(y) || isZero(z)) {
int_to_giant(1,x); int_to_giant(1,y); int_to_giant(0,z);
return;
}
t1 = borrowGiant(cp->maxDigits);
t2 = borrowGiant(cp->maxDigits);
t3 = borrowGiant(cp->maxDigits);
if((cp->a->sign >= 0) || (cp->a->n[0] != 3)) { /* Path prior to Apr2001. */
gtog(z,t1); gsquare(t1); feemod(cp, t1);
gsquare(t1); feemod(cp, t1);
mulg(cp->a, t1); feemod(cp, t1); /* t1 := a z^4. */
gtog(x, t2); gsquare(t2); feemod(cp, t2);
smulg(3, t2); /* t2 := 3x^2. */
addg(t2, t1); feemod(cp, t1); /* t1 := slope m. */
} else { /* New optimization for a = -3 (post Apr 2001). */
gtog(z, t1); gsquare(t1); feemod(cp, t1); /* t1 := z^2. */
gtog(x, t2); subg(t1, t2); /* t2 := x-z^2. */
addg(x, t1); smulg(3, t1); /* t1 := 3(x+z^2). */
mulg(t2, t1); feemod(cp, t1); /* t1 := slope m. */
}
mulg(y, z); addg(z,z); feemod(cp, z); /* z := 2 y z. */
gtog(y, t2); gsquare(t2); feemod(cp, t2); /* t2 := y^2. */
gtog(t2, t3); gsquare(t3); feemod(cp, t3); /* t3 := y^4. */
gshiftleft(3, t3); /* t3 := 8 y^4. */
mulg(x, t2); gshiftleft(2, t2); feemod(cp, t2); /* t2 := 4xy^2. */
gtog(t1, x); gsquare(x); feemod(cp, x);
subg(t2, x); subg(t2, x); feemod(cp, x); /* x done. */
gtog(t1, y); subg(x, t2); mulg(t2, y); subg(t3, y);
feemod(cp, y);
returnGiant(t1);
returnGiant(t2);
returnGiant(t3);
}
void ellMulProj(pointProj pt0, pointProj pt1, giant k, curveParams *cp)
/* General elliptic multiplication;
pt1 := k*pt0 on the curve,
with k an arbitrary integer.
*/
{
giant x = pt0->x, y = pt0->y, z = pt0->z,
xx = pt1->x, yy = pt1->y, zz = pt1->z;
int ksign, hlen, klen, b, hb, kb;
giant t0;
CKASSERT(cp->curveType == FCT_Weierstrass);
if(isZero(k)) {
int_to_giant(1, xx);
int_to_giant(1, yy);
int_to_giant(0, zz);
return;
}
t0 = borrowGiant(cp->maxDigits);
ksign = k->sign;
if(ksign < 0) negg(k);
gtog(x,xx); gtog(y,yy); gtog(z,zz);
gtog(k, t0); addg(t0, t0); addg(k, t0); /* t0 := 3k. */
hlen = bitlen(t0);
klen = bitlen(k);
for(b = hlen-2; b > 0; b--) {
ellDoubleProj(pt1,cp);
hb = bitval(t0, b);
if(b < klen) kb = bitval(k, b); else kb = 0;
if((hb != 0) && (kb == 0))
ellAddProj(pt1, pt0, cp);
else if((hb == 0) && (kb !=0))
ellSubProj(pt1, pt0, cp);
}
if(ksign < 0) {
ellNegProj(pt1, cp);
k->sign = -k->sign;
}
returnGiant(t0);
}
/*
* Specify private data for key created by new_public().
* Generates k->x.
*/
void set_priv_key_giant(key k, giant privGiant)
{
curveParams *cp = k->cp;
/* elliptiy multiply of initial public point times private key */
#if CRYPTKIT_ELL_PROJ_ENABLE
if((k->twist == CURVE_PLUS) && (cp->curveType == FCT_Weierstrass)) {
/* projective */
pointProj pt1 = newPointProj(cp->maxDigits);
CKASSERT((cp->y1Plus != NULL) && (!isZero(cp->y1Plus)));
CKASSERT(k->y != NULL);
/* pt1 := {x1Plus, y1Plus, 1} */
gtog(cp->x1Plus, pt1->x);
gtog(cp->y1Plus, pt1->y);
int_to_giant(1, pt1->z);
/* pt1 := pt1 * privateKey */
ellMulProjSimple(pt1, privGiant, cp);
/* result back to {k->x, k->y} */
gtog(pt1->x, k->x);
gtog(pt1->y, k->y);
freePointProj(pt1); // FIXME - clear the giants
}
else {
#else
{
#endif /* CRYPTKIT_ELL_PROJ_ENABLE */
/* FEE */
if(k->twist == CURVE_PLUS) {
gtog(cp->x1Plus, k->x);
}
else {
gtog(cp->x1Minus, k->x);
}
elliptic_simple(k->x, privGiant, k->cp);
}
}
int key_equal(key one, key two) {
if (keys_inconsistent(one, two)) return 0;
return !gcompg(one->x, two->x);
}
static void make_base(curveParams *par, giant result)
/* Jams result with 2^q-k. */
{
gtog(par->basePrime, result);
}
void normalizeProj(pointProj pt, curveParams *cp)
/* Obtain actual x,y coords via normalization:
{x,y,z} := {x/z^2, y/z^3, 1}.
*/
{ giant x = pt->x, y = pt->y, z = pt->z;
giant t1;
CKASSERT(cp->curveType == FCT_Weierstrass);
if(isZero(z)) {
int_to_giant(1,x); int_to_giant(1,y);
return;
}
t1 = borrowGiant(cp->maxDigits);
binvg_cp(cp, z); // was binvaux(p, z);
gtog(z, t1);
gsquare(z); feemod(cp, z);
mulg(z, x); feemod(cp, x);
mulg(t1, z); mulg(z, y); feemod(cp, y);
int_to_giant(1, z);
returnGiant(t1);
}
/*
* New optimzation of curveOrderJustify using known reciprocal, 11 June 1997.
* g is set to be within [2, curveOrder-2].
*/
static void curveOrderJustifyWithRecip(giant g, giant curveOrder, giant recip)
{
giant tmp;
CKASSERT(!isZero(curveOrder));
modg_via_recip(curveOrder, recip, g); // g now in [0, curveOrder-1]
if(isZero(g)) {
/*
* First degenerate case - (g == 0) : set g := 2
*/
dbgLog(("curveOrderJustify: case 1\n"));
int_to_giant(2, g);
return;
}
if(isone(g)) {
/*
* Second case - (g == 1) : set g := 2
*/
dbgLog(("curveOrderJustify: case 2\n"));
int_to_giant(2, g);
return;
}
tmp = borrowGiant(g->capacity);
gtog(g, tmp);
iaddg(1, tmp);
if(gcompg(tmp, curveOrder) == 0) {
/*
* Third degenerate case - (g == (curveOrder-1)) : set g -= 1
*/
dbgLog(("curveOrderJustify: case 3\n"));
int_to_giant(1, tmp);
subg(tmp, g);
}
returnGiant(tmp);
return;
}
static void bdivg(giant v, giant u)
/* u becomes greatest power of two not exceeding u/v. */
{
int diff = bitlen(u) - bitlen(v);
giant scratch7;
if (diff<0) {
int_to_giant(0,u);
return;
}
scratch7 = borrowGiant(u->capacity);
gtog(v, scratch7);
gshiftleft(diff,scratch7);
if(gcompg(u,scratch7) < 0) diff--;
if(diff<0) {
int_to_giant(0,u);
returnGiant(scratch7);
return;
}
int_to_giant(1,u);
gshiftleft(diff,u);
returnGiant(scratch7);
}
/*
* Elliptic multiply: x := n * {x, 1}
*/
void elliptic_simple(giant x, giant n, curveParams *par) {
giant ztmp = borrowGiant(par->maxDigits);
giant cur_n = borrowGiant(par->maxDigits);
START_ELL_MEASURE(n);
int_to_giant(1, ztmp);
elliptic(x, ztmp, n, par);
binvg_cp(par, ztmp);
mulg(ztmp, x);
feemod(par, x);
END_ELL_MEASURE;
returnGiant(cur_n);
returnGiant(ztmp);
}
static void numer_times(giant x1, giant z1, giant x2, giant z2, giant res,
curveParams *par)
/* Numerator algebra.
res := (x1 x2 - a z1 z2)^2 -
4 b(x1 z2 + x2 z1 + c z1 z2) z1 z2
*/
{
giant t1;
giant t2;
giant t3;
giant t4;
PROF_START;
t1 = borrowGiant(par->maxDigits);
t2 = borrowGiant(par->maxDigits);
t3 = borrowGiant(par->maxDigits);
t4 = borrowGiant(par->maxDigits);
gtog(x1, t1); mulg(x2, t1); feemod(par, t1);
gtog(z1, t2); mulg(z2, t2); feemod(par, t2);
gtog(t1, res);
if(!isZero(par->a)) {
gtog(par->a, t3);
mulg(t2, t3); feemod(par, t3);
subg(t3, res);
}
gsquare(res); feemod(par, res);
if(isZero(par->b))
goto done;
if(par->curveType != FCT_Weierstrass) { // i.e., !isZero(par->c)
gtog(par->c, t3);
mulg(t2, t3); feemod(par, t3);
} else int_to_giant(0, t3);
gtog(z1, t4); mulg(x2, t4); feemod(par, t4);
addg(t4, t3);
gtog(x1, t4); mulg(z2, t4); feemod(par, t4);
addg(t4, t3); mulg(par->b, t3); feemod(par, t3);
mulg(t2, t3); gshiftleft(2, t3); feemod(par, t3);
subg(t3, res);
feemod(par, res);
done:
returnGiant(t1);
returnGiant(t2);
returnGiant(t3);
returnGiant(t4);
PROF_END(numerTimesTime);
}
static void numer_double(giant x, giant z, giant res, curveParams *par)
/* Numerator algebra.
res := (x^2 - a z^2)^2 - 4 b (2 x + c z) z^3.
*/
{
giant t1;
giant t2;
PROF_START;
t1 = borrowGiant(par->maxDigits);
t2 = borrowGiant(par->maxDigits);
gtog(x, t1); gsquare(t1); feemod(par, t1);
gtog(z, res); gsquare(res); feemod(par, res);
gtog(res, t2);
if(!isZero(par->a) ) {
if(!isone(par->a)) { /* Speedup - REC 17 Jan 1997. */
mulg(par->a, res); feemod(par, res);
}
subg(res, t1); feemod(par, t1);
}
gsquare(t1); feemod(par, t1);
/* t1 := (x^2 - a z^2)^2. */
if(isZero(par->b)) { /* Speedup - REC 17 Jan 1997. */
gtog(t1, res);
goto done;
}
if(par->curveType != FCT_Weierstrass) { // i.e., !isZero(par->c)
// Speedup - REC 17 Jan 1997.
gtog(z, res); mulg(par->c, res); feemod(par, res);
} else {
int_to_giant(0, res);
}
addg(x, res); addg(x, res); mulg(par->b, res);
feemod(par, res);
gshiftleft(2, res); mulg(z, res); feemod(par, res);
mulg(t2, res); feemod(par, res);
negg(res); addg(t1, res);
feemod(par, res);
done:
returnGiant(t1);
returnGiant(t2);
PROF_END(numerDoubleTime);
}
/*
* Init an empty feePubKey from a DER-encoded blob, public and private key versions.
*/
feeReturn feePubKeyInitFromDERPubBlob(feePubKey pubKey,
unsigned char *keyBlob,
size_t keyBlobLen)
{
pubKeyInst *pkinst = (pubKeyInst *) pubKey;
feeReturn frtn;
int version;
if(pkinst == NULL) {
return FR_BadPubKey;
}
/* kind of messy, maybe we should clean this up. But new_public() does too
* much - e.g., it allocates the x and y which we really don't want */
memset(pkinst, 0, sizeof(pubKeyInst));
pkinst->plus = (key) fmalloc(sizeof(keystruct));
pkinst->minus = (key) fmalloc(sizeof(keystruct));
if((pkinst->plus == NULL) || (pkinst->minus == NULL)) {
return FR_Memory;
}
memset(pkinst->plus, 0, sizeof(keystruct));
memset(pkinst->minus, 0, sizeof(keystruct));
pkinst->cp = NULL;
pkinst->privGiant = NULL;
pkinst->plus->twist = CURVE_PLUS;
pkinst->minus->twist = CURVE_MINUS;
frtn = feeDERDecodePublicKey(keyBlob,
(unsigned)keyBlobLen,
&version, // currently unused
&pkinst->cp,
&pkinst->plus->x,
&pkinst->minus->x,
&pkinst->plus->y);
if(frtn) {
return frtn;
}
/* minus curve, y is not used */
pkinst->minus->y = newGiant(1);
int_to_giant(0, pkinst->minus->y);
pkinst->plus->cp = pkinst->minus->cp = pkinst->cp;
return FR_Success;
}
void iaddg(int i, giant g) { /* positive g becomes g + (int)i */
int j;
giantDigit carry;
int size = abs(g->sign);
if (isZero(g)) {
int_to_giant(i,g);
}
else {
carry = i;
for(j=0; ((j<size) && (carry != 0)); j++) {
g->n[j] = giantAddDigits(g->n[j], carry, &carry);
}
if(carry) {
++g->sign;
// realloc
if (g->sign > (int)g->capacity) CKRaise("iaddg overflow!");
g->n[size] = carry;
}
}
}
void findPointProj(pointProj pt, giant seed, curveParams *cp)
/* Starting with seed, finds a random (projective) point {x,y,1} on curve.
*/
{
giant x = pt->x, y = pt->y, z = pt->z;
CKASSERT(cp->curveType == FCT_Weierstrass);
feemod(cp, seed);
while(1) {
gtog(seed, x);
gsquare(x); feemod(cp, x); // x := seed^2
addg(cp->a, x); // x := seed^2 + a
mulg(seed,x); // x := seed^3 + a*seed
addg(cp->b, x);
feemod(cp, x); // x := seed^3 + a seed + b.
/* test cubic form for having root. */
if(sqrtmod(x, cp)) break;
iaddg(1, seed);
}
gtog(x, y);
gtog(seed,x);
int_to_giant(1, z);
}
/*
* Create new feeSig object, including a random large integer 'randGiant' for
* possible use in salting a feeHash object, and 'PmX', equal to
* randGiant 'o' P1. Note that this is not called when *verifying* a
* signature, only when signing.
*/
feeSig feeSigNewWithKey(
feePubKey pubKey,
feeRandFcn randFcn, /* optional */
void *randRef)
{
sigInst *sinst = sinstAlloc();
feeRand frand;
unsigned char *randBytes;
unsigned randBytesLen;
curveParams *cp;
if(pubKey == NULL) {
return NULL;
}
cp = feePubKeyCurveParams(pubKey);
if(cp == NULL) {
return NULL;
}
/*
* Generate random m, a little larger than key size, save as randGiant
*/
randBytesLen = (feePubKeyBitsize(pubKey) / 8) + 1;
randBytes = (unsigned char*) fmalloc(randBytesLen);
if(randFcn) {
randFcn(randRef, randBytes, randBytesLen);
}
else {
frand = feeRandAlloc();
feeRandBytes(frand, randBytes, randBytesLen);
feeRandFree(frand);
}
sinst->randGiant = giant_with_data(randBytes, randBytesLen);
memset(randBytes, 0, randBytesLen);
ffree(randBytes);
#if FEE_DEBUG
if(isZero(sinst->randGiant)) {
printf("feeSigNewWithKey: randGiant = 0!\n");
}
#endif // FEE_DEBUG
/*
* Justify randGiant to be in [2, x1OrderPlus]
*/
x1OrderPlusJustify(sinst->randGiant, cp);
/* PmX := randGiant 'o' P1 */
sinst->PmX = newGiant(cp->maxDigits);
#if CRYPTKIT_ELL_PROJ_ENABLE
if(cp->curveType == FCT_Weierstrass) {
pointProjStruct pt0;
sinst->PmY = newGiant(cp->maxDigits);
/* cook up pt0 as P1 */
pt0.x = sinst->PmX;
pt0.y = sinst->PmY;
pt0.z = borrowGiant(cp->maxDigits);
gtog(cp->x1Plus, pt0.x);
gtog(cp->y1Plus, pt0.y);
int_to_giant(1, pt0.z);
/* pt0 := P1 'o' randGiant */
ellMulProjSimple(&pt0, sinst->randGiant, cp);
returnGiant(pt0.z);
}
else {
if(SIG_CURVE == CURVE_PLUS) {
gtog(cp->x1Plus, sinst->PmX);
}
else {
gtog(cp->x1Minus, sinst->PmX);
}
elliptic_simple(sinst->PmX, sinst->randGiant, cp);
}
#else /* CRYPTKIT_ELL_PROJ_ENABLE */
if(SIG_CURVE == CURVE_PLUS) {
gtog(cp->x1Plus, sinst->PmX);
}
else {
gtog(cp->x1Minus, sinst->PmX);
}
elliptic_simple(sinst->PmX, sinst->randGiant, cp);
#endif /* CRYPTKIT_ELL_PROJ_ENABLE */
return sinst;
}
feeReturn feeSigVerify(feeSig sig,
const unsigned char *data,
unsigned dataLen,
feePubKey pubKey)
{
pointProjStruct Q;
giant messageGiant = NULL;
pointProjStruct scratch;
sigInst *sinst = (sigInst*) sig;
feeReturn frtn;
curveParams *cp;
key origKey; // may be plus or minus key
if(sinst->PmX == NULL) {
dbgLog(("sigVerify without parse!\n"));
return FR_IllegalArg;
}
cp = feePubKeyCurveParams(pubKey);
if(cp->curveType != FCT_Weierstrass) {
return feeSigVerifyNoProj(sig, data, dataLen, pubKey);
}
borrowPointProj(&Q, cp->maxDigits);
borrowPointProj(&scratch, cp->maxDigits);
/*
* Q := P1
*/
gtog(cp->x1Plus, Q.x);
gtog(cp->y1Plus, Q.y);
int_to_giant(1, Q.z);
messageGiant = giant_with_data(data, dataLen); // M(ciphertext)
/* Q := u 'o' P1 */
ellMulProjSimple(&Q, sinst->u, cp);
/* scratch := theirPub */
origKey = feePubKeyPlusCurve(pubKey);
gtog(origKey->x, scratch.x);
gtog(origKey->y, scratch.y);
int_to_giant(1, scratch.z);
#if SIG_DEBUG
if(sigDebug) {
printf("verify origKey:\n");
printKey(origKey);
printf("messageGiant: ");
printGiant(messageGiant);
printf("curveParams:\n");
printCurveParams(cp);
}
#endif // SIG_DEBUG
/* scratch := M 'o' theirPub */
ellMulProjSimple(&scratch, messageGiant, cp);
#if SIG_DEBUG
if(sigDebug) {
printf("signature_compare, with\n");
printf("p0 = Q:\n");
printGiant(Q.x);
printf("p1 = Pm:\n");
printGiant(sinst->PmX);
printf("p2 = scratch = R:\n");
printGiant(scratch.x);
}
#endif // SIG_DEBUG
if(signature_compare(Q.x, sinst->PmX, scratch.x, cp)) {
frtn = FR_InvalidSignature;
#if LOG_BAD_SIG
printf("***yup, bad sig***\n");
#endif // LOG_BAD_SIG
}
else {
frtn = FR_Success;
}
freeGiant(messageGiant);
returnPointProj(&Q);
returnPointProj(&scratch);
return frtn;
}
/*
* Completely rewritten in CryptKit-18, 13 Jan 1997, for new IEEE-style
* curveParameters.
*/
void elliptic_add(giant x1, giant x2, giant x3, curveParams *par, int s) {
/* Addition algorithm for x3 = x1 + x2 on the curve, with sign ambiguity s.
From theory, we know that if {x1,1} and {x2,1} are on a curve, then
their elliptic sum (x1,1} + {x2,1} = {x3,1} must have x3 as one of two
values:
x3 = U/2 + s*Sqrt[U^2/4 - V]
where sign s = +-1, and U,V are functions of x1,x2. Tho present function
is called a maximum of twice, to settle which of +- is s. When a call
is made, it is guaranteed already that x1, x2 both lie on the same curve
(+- curve); i.e., which curve (+-) is not connected at all with sign s of
the x3 relation.
*/
giant cur_n;
giant t1;
giant t2;
giant t3;
giant t4;
giant t5;
PROF_START;
cur_n = borrowGiant(par->maxDigits);
t1 = borrowGiant(par->maxDigits);
t2 = borrowGiant(par->maxDigits);
t3 = borrowGiant(par->maxDigits);
t4 = borrowGiant(par->maxDigits);
t5 = borrowGiant(par->maxDigits);
if(gcompg(x1, x2)==0) {
int_to_giant(1, t1);
numer_double(x1, t1, x3, par);
denom_double(x1, t1, t2, par);
binvg_cp(par, t2);
mulg(t2, x3); feemod(par, x3);
goto out;
}
numer_plus(x1, x2, t1, par);
int_to_giant(1, t3);
numer_times(x1, t3, x2, t3, t2, par);
int_to_giant(1, t4); int_to_giant(1, t5);
denom_times(x1, t4, x2, t5, t3, par);
binvg_cp(par, t3);
mulg(t3, t1); feemod(par, t1); /* t1 := U/2. */
mulg(t3, t2); feemod(par, t2); /* t2 := V. */
/* Now x3 will be t1 +- Sqrt[t1^2 - t2]. */
gtog(t1, t4); gsquare(t4); feemod(par, t4);
subg(t2, t4);
make_base(par, cur_n); iaddg(1, cur_n); gshiftright(2, cur_n);
/* cur_n := (p+1)/4. */
feepowermodg(par, t4, cur_n); /* t4 := t2^((p+1)/4) (mod p). */
gtog(t1, x3);
if(s != SIGN_PLUS) negg(t4);
addg(t4, x3);
feemod(par, x3);
out:
returnGiant(cur_n);
returnGiant(t1);
returnGiant(t2);
returnGiant(t3);
returnGiant(t4);
returnGiant(t5);
PROF_END(ellAddTime);
}
static int sqrtmod(giant x, curveParams *cp)
/* If Sqrt[x] (mod p) exists, function returns 1, else 0.
In either case x is modified, but if 1 is returned,
x:= Sqrt[x] (mod p).
*/
{
int rtn;
giant t0 = borrowGiant(cp->maxDigits);
giant t1 = borrowGiant(cp->maxDigits);
giant t2 = borrowGiant(cp->maxDigits);
giant t3 = borrowGiant(cp->maxDigits);
giant t4 = borrowGiant(cp->maxDigits);
giant p = cp->basePrime;
feemod(cp, x); /* Justify the argument. */
gtog(x, t0); /* Store x for eventual validity check on square root. */
if((p->n[0] & 3) == 3) { /* The case p = 3 (mod 4). */
gtog(p, t1);
iaddg(1, t1); gshiftright(2, t1);
powermodg(x, t1, cp);
goto resolve;
}
/* Next, handle case p = 5 (mod 8). */
if((p->n[0] & 7) == 5) {
gtog(p, t1); int_to_giant(1, t2);
subg(t2, t1); gshiftright(2, t1);
gtog(x, t2);
powermodg(t2, t1, cp); /* t2 := x^((p-1)/4) % p. */
iaddg(1, t1);
gshiftright(1, t1); /* t1 := (p+3)/8. */
if(isone(t2)) {
powermodg(x, t1, cp); /* x^((p+3)/8) is root. */
goto resolve;
} else {
int_to_giant(1, t2); subg(t2, t1);
/* t1 := (p-5)/8. */
gshiftleft(2,x);
powermodg(x, t1, cp);
mulg(t0, x); addg(x, x); feemod(cp, x);
/* 2x (4x)^((p-5)/8. */
goto resolve;
}
}
/* Next, handle tougher case: p = 1 (mod 8). */
int_to_giant(2, t1);
while(1) { /* Find appropriate nonresidue. */
gtog(t1, t2);
gsquare(t2); subg(x, t2); feemod(cp, t2);
if(jacobi_symbol(t2, cp) == -1) break;
iaddg(1, t1);
} /* t2 is now w^2 in F_p^2. */
int_to_giant(1, t3);
gtog(p, t4); iaddg(1, t4); gshiftright(1, t4);
powFp2(t1, t3, t2, t4, cp);
gtog(t1, x);
resolve:
gtog(x,t1); gsquare(t1); feemod(cp, t1);
if(gcompg(t0, t1) == 0) {
rtn = 1; /* Success. */
}
else {
rtn = 0; /* no square root */
}
returnGiant(t0);
returnGiant(t1);
returnGiant(t2);
returnGiant(t3);
returnGiant(t4);
return rtn;
}
feeReturn feeECDSASign(
feePubKey pubKey,
feeSigFormat format, // Signature format DER 9.62 / RAW
const unsigned char *data, // data to be signed
unsigned dataLen, // in bytes
feeRandFcn randFcn, // optional
void *randRef, // optional
unsigned char **sigData, // malloc'd and RETURNED
unsigned *sigDataLen) // RETURNED
{
curveParams *cp;
/* giant integers per IEEE P1363 notation */
giant c; // both 1363 'c' and 'i'
// i.e., x-coord of u's pub key
giant d;
giant u; // random private key
giant s; // private key as giant
giant f; // data (message) as giant
feeReturn frtn = FR_Success;
feeRand frand;
unsigned char *randBytes;
unsigned randBytesLen;
unsigned groupBytesLen;
giant privGiant;
#if ECDSA_SIGN_USE_PROJ
pointProjStruct pt; // pt->x = c
giant pty; // pt->y
giant ptz; // pt->z
#endif // ECDSA_SIGN_USE_PROJ
if(pubKey == NULL) {
return FR_BadPubKey;
}
cp = feePubKeyCurveParams(pubKey);
if(cp == NULL) {
return FR_BadPubKey;
}
if(cp->curveType != FCT_Weierstrass) {
return FR_IllegalCurve;
}
CKASSERT(!isZero(cp->x1OrderPlus));
/*
* Private key and message to be signed as giants
*/
privGiant = feePubKeyPrivData(pubKey);
if(privGiant == NULL) {
dbgLog(("Attempt to Sign without private data\n"));
return FR_IllegalArg;
}
s = borrowGiant(cp->maxDigits);
gtog(privGiant, s);
if(dataLen > (cp->maxDigits * GIANT_BYTES_PER_DIGIT)) {
f = borrowGiant(BYTES_TO_GIANT_DIGITS(dataLen));
}
else {
f = borrowGiant(cp->maxDigits);
}
deserializeGiant(data, f, dataLen);
/*
* Certicom SEC1 states that if the digest is larger than the modulus,
* use the left q bits of the digest.
*/
unsigned hashBits = dataLen * 8;
if(hashBits > cp->q) {
gshiftright(hashBits - cp->q, f);
}
sigDbg(("ECDSA sign:\n"));
sigLogGiant(" s : ", s);
sigLogGiant(" f : ", f);
c = borrowGiant(cp->maxDigits);
d = borrowGiant(cp->maxDigits);
u = borrowGiant(cp->maxDigits);
if(randFcn == NULL) {
frand = feeRandAlloc();
}
else {
frand = NULL;
}
/*
* Random size is just larger than base prime
*/
groupBytesLen = ((feePubKeyBitsize(pubKey)+7) / 8);
randBytesLen = groupBytesLen+8; // +8bytes (64bits) to reduce the biais when with reduction mod prime. Per FIPS186-4 - "Using Extra Random Bits"
randBytes = (unsigned char*) fmalloc(randBytesLen);
#if ECDSA_SIGN_USE_PROJ
/* quick temp pointProj */
pty = borrowGiant(cp->maxDigits);
ptz = borrowGiant(cp->maxDigits);
pt.x = c;
pt.y = pty;
pt.z = ptz;
#endif // ECDSA_SIGN_USE_PROJ
while(1) {
/* Repeat this loop until we have a non-zero c and d */
/*
* 1) Obtain random u in [2, x1OrderPlus-2]
*/
SIGPROF_START;
if(randFcn) {
randFcn(randRef, randBytes, randBytesLen);
}
else {
feeRandBytes(frand, randBytes, randBytesLen);
}
deserializeGiant(randBytes, u, randBytesLen);
sigLogGiant(" raw u : ", u);
sigLogGiant(" order : ", cp->x1OrderPlus);
x1OrderPlusJustify(u, cp);
SIGPROF_END(signStep1);
sigLogGiant(" in range u : ", u);
/*
* note 'o' indicates elliptic multiply, * is integer mult.
*
* 2) Compute x coordinate, call it c, of u 'o' G
* 3) Reduce: c := c mod x1OrderPlus;
* 4) If c == 0, goto (1);
*/
SIGPROF_START;
gtog(cp->x1Plus, c);
#if ECDSA_SIGN_USE_PROJ
/* projective coordinates */
gtog(cp->y1Plus, pty);
int_to_giant(1, ptz);
ellMulProjSimple(&pt, u, cp);
#else /* ECDSA_SIGN_USE_PROJ */
/* the FEE way */
elliptic_simple(c, u, cp);
#endif /* ECDSA_SIGN_USE_PROJ */
SIGPROF_END(signStep2);
SIGPROF_START;
x1OrderPlusMod(c, cp);
SIGPROF_END(signStep34);
if(isZero(c)) {
dbgLog(("feeECDSASign: zero modulo (1)\n"));
continue;
}
/*
* 5) Compute u^(-1) mod x1OrderPlus;
*/
SIGPROF_START;
gtog(u, d);
binvg_x1OrderPlus(cp, d);
SIGPROF_END(signStep5);
sigLogGiant(" u^(-1) : ", d);
/*
* 6) Compute signature d as:
* d = [u^(-1) (f + s*c)] (mod x1OrderPlus)
*/
SIGPROF_START;
mulg(c, s); // s *= c
x1OrderPlusMod(s, cp);
addg(f, s); // s := f + (s * c)
x1OrderPlusMod(s, cp);
mulg(s, d); // d := u^(-1) (f + (s * c))
x1OrderPlusMod(d, cp);
SIGPROF_END(signStep67);
/*
* 7) If d = 0, goto (1);
*/
if(isZero(d)) {
dbgLog(("feeECDSASign: zero modulo (2)\n"));
continue;
}
sigLogGiant(" c : ", c);
sigLogGiant(" d : ", d);
break; // normal successful exit
}
/*
* 8) signature is now the integer pair (c, d).
*/
/*
* Cook up raw data representing the signature.
*/
SIGPROF_START;
ECDSA_encode(format,groupBytesLen, c, d, sigData, sigDataLen);
SIGPROF_END(signStep8);
if(frand != NULL) {
feeRandFree(frand);
}
ffree(randBytes);
returnGiant(u);
returnGiant(d);
returnGiant(c);
returnGiant(f);
returnGiant(s);
#if ECDSA_SIGN_USE_PROJ
returnGiant(pty);
returnGiant(ptz);
#endif /* ECDSA_SIGN_USE_PROJ */
return frtn;
}
feeReturn feeECDSAVerify(const unsigned char *sigData,
size_t sigDataLen,
const unsigned char *data,
unsigned dataLen,
feePubKey pubKey,
feeSigFormat format)
{
/* giant integers per IEEE P1363 notation */
giant h; // s^(-1)
giant h1; // f h
giant h2; // c times h
giant littleC; // newGiant from ECDSA_decode
giant littleD; // ditto
giant c; // borrowed, full size
giant d; // ditto
giant cPrime = NULL; // i mod r
pointProj h1G = NULL; // h1 'o' G
pointProj h2W = NULL; // h2 'o' W
key W; // i.e., their public key
unsigned version;
feeReturn frtn;
curveParams *cp = feePubKeyCurveParams(pubKey);
unsigned groupBytesLen = ((feePubKeyBitsize(pubKey)+7) / 8);
int result;
if(cp == NULL) {
return FR_BadPubKey;
}
/*
* First decode the byteRep string.
*/
frtn = ECDSA_decode(
format,
groupBytesLen,
sigData,
sigDataLen,
&littleC,
&littleD,
&version);
if(frtn) {
return frtn;
}
/*
* littleC and littleD have capacity = abs(sign), probably
* not big enough....
*/
c = borrowGiant(cp->maxDigits);
d = borrowGiant(cp->maxDigits);
gtog(littleC, c);
gtog(littleD, d);
freeGiant(littleC);
freeGiant(littleD);
sigDbg(("ECDSA verify:\n"));
/*
* Verify that c and d are within [1,group_order-1]
*/
if((gcompg(cp->cOrderPlus, c) != 1) || (gcompg(cp->cOrderPlus, d) != 1) ||
isZero(c) || isZero(d))
{
returnGiant(c);
returnGiant(d);
return FR_InvalidSignature;
}
/*
* W = signer's public key
*/
W = feePubKeyPlusCurve(pubKey);
/*
* 1) Compute h = d^(-1) (mod x1OrderPlus);
*/
SIGPROF_START;
h = borrowGiant(cp->maxDigits);
gtog(d, h);
binvg_x1OrderPlus(cp, h);
SIGPROF_END(vfyStep1);
/*
* 2) h1 = digest as giant (skips assigning to 'f' in P1363)
*/
if(dataLen > (cp->maxDigits * GIANT_BYTES_PER_DIGIT)) {
h1 = borrowGiant(BYTES_TO_GIANT_DIGITS(dataLen));
}
else {
h1 = borrowGiant(cp->maxDigits);
}
deserializeGiant(data, h1, dataLen);
/*
* Certicom SEC1 states that if the digest is larger than the modulus,
* use the left q bits of the digest.
*/
unsigned hashBits = dataLen * 8;
if(hashBits > cp->q) {
gshiftright(hashBits - cp->q, h1);
}
sigLogGiant(" Wx : ", W->x);
sigLogGiant(" f : ", h1);
sigLogGiant(" c : ", c);
sigLogGiant(" d : ", d);
sigLogGiant(" s^(-1) : ", h);
/*
* 3) Compute h1 = f * h mod x1OrderPlus;
*/
SIGPROF_START;
mulg(h, h1); // h1 := f * h
x1OrderPlusMod(h1, cp);
SIGPROF_END(vfyStep3);
/*
* 4) Compute h2 = c * h (mod x1OrderPlus);
*/
SIGPROF_START;
h2 = borrowGiant(cp->maxDigits);
gtog(c, h2);
mulg(h, h2); // h2 := c * h
x1OrderPlusMod(h2, cp);
SIGPROF_END(vfyStep4);
/*
* 5) Compute h2W = h2 'o' W (W = theirPub)
*/
CKASSERT((W->y != NULL) && !isZero(W->y));
h2W = newPointProj(cp->maxDigits);
gtog(W->x, h2W->x);
gtog(W->y, h2W->y);
int_to_giant(1, h2W->z);
ellMulProjSimple(h2W, h2, cp);
/*
* 6) Compute h1G = h1 'o' G (G = {x1Plus, y1Plus, 1} )
*/
CKASSERT((cp->y1Plus != NULL) && !isZero(cp->y1Plus));
h1G = newPointProj(cp->maxDigits);
gtog(cp->x1Plus, h1G->x);
gtog(cp->y1Plus, h1G->y);
int_to_giant(1, h1G->z);
ellMulProjSimple(h1G, h1, cp);
/*
* 7) h1G := (h1 'o' G) + (h2 'o' W)
*/
ellAddProj(h1G, h2W, cp);
/*
* 8) If elliptic sum is point at infinity, signature is bad; stop.
*/
if(isZero(h1G->z)) {
dbgLog(("feeECDSAVerify: h1 * G = point at infinity\n"));
result = 1;
goto vfyDone;
}
normalizeProj(h1G, cp);
/*
* 9) cPrime = x coordinate of elliptic sum, mod x1OrderPlus
*/
cPrime = borrowGiant(cp->maxDigits);
gtog(h1G->x, cPrime);
x1OrderPlusMod(cPrime, cp);
/*
* 10) Good sig iff cPrime == c
*/
result = gcompg(c, cPrime);
vfyDone:
if(result) {
frtn = FR_InvalidSignature;
#if LOG_BAD_SIG
printf("***yup, bad sig***\n");
#endif // LOG_BAD_SIG
}
else {
frtn = FR_Success;
}
returnGiant(c);
returnGiant(d);
returnGiant(h);
returnGiant(h1);
returnGiant(h2);
if(h1G != NULL) {
freePointProj(h1G);
}
if(h2W != NULL) {
freePointProj(h2W);
}
if(cPrime != NULL) {
returnGiant(cPrime);
}
return frtn;
}
void ellAddProj(pointProj pt0, pointProj pt1, curveParams *cp)
/* pt0 := pt0 + pt1 on the curve. */
{
giant x0 = pt0->x, y0 = pt0->y, z0 = pt0->z,
x1 = pt1->x, y1 = pt1->y, z1 = pt1->z;
giant t1;
giant t2;
giant t3;
giant t4;
giant t5;
giant t6;
giant t7;
if(isZero(z0)) {
gtog(x1,x0); gtog(y1,y0); gtog(z1,z0);
return;
}
if(isZero(z1)) return;
t1 = borrowGiant(cp->maxDigits);
t2 = borrowGiant(cp->maxDigits);
t3 = borrowGiant(cp->maxDigits);
t4 = borrowGiant(cp->maxDigits);
t5 = borrowGiant(cp->maxDigits);
t6 = borrowGiant(cp->maxDigits);
t7 = borrowGiant(cp->maxDigits);
gtog(x0, t1); gtog(y0,t2); gtog(z0, t3);
gtog(x1, t4); gtog(y1, t5);
if(!isone(z1)) {
gtog(z1, t6);
gtog(t6, t7); gsquare(t7); feemod(cp, t7);
mulg(t7, t1); feemod(cp, t1);
mulg(t6, t7); feemod(cp, t7);
mulg(t7, t2); feemod(cp, t2);
}
gtog(t3, t7); gsquare(t7); feemod(cp, t7);
mulg(t7, t4); feemod(cp, t4);
mulg(t3, t7); feemod(cp, t7);
mulg(t7, t5); feemod(cp, t5);
negg(t4); addg(t1, t4); feemod(cp, t4);
negg(t5); addg(t2, t5); feemod(cp, t5);
if(isZero(t4)) {
if(isZero(t5)) {
ellDoubleProj(pt0, cp);
} else {
int_to_giant(1, x0); int_to_giant(1, y0);
int_to_giant(0, z0);
}
goto out;
}
addg(t1, t1); subg(t4, t1); feemod(cp, t1);
addg(t2, t2); subg(t5, t2); feemod(cp, t2);
if(!isone(z1)) {
mulg(t6, t3); feemod(cp, t3);
}
mulg(t4, t3); feemod(cp, t3);
gtog(t4, t7); gsquare(t7); feemod(cp, t7);
mulg(t7, t4); feemod(cp, t4);
mulg(t1, t7); feemod(cp, t7);
gtog(t5, t1); gsquare(t1); feemod(cp, t1);
subg(t7, t1); feemod(cp, t1);
subg(t1, t7); subg(t1, t7); feemod(cp, t7);
mulg(t7, t5); feemod(cp, t5);
mulg(t2, t4); feemod(cp, t4);
gtog(t5, t2); subg(t4,t2); feemod(cp, t2);
if(t2->n[0] & 1) { /* Test if t2 is odd. */
addg(cp->basePrime, t2);
}
gshiftright(1, t2);
gtog(t1, x0); gtog(t2, y0); gtog(t3, z0);
out:
returnGiant(t1);
returnGiant(t2);
returnGiant(t3);
returnGiant(t4);
returnGiant(t5);
returnGiant(t6);
returnGiant(t7);
}
