/* Construct a generic GFMethod for arithmetic over prime fields with * irreducible irr. */ GFMethod * GFMethod_consGFp(const mp_int *irr) { mp_err res = MP_OKAY; GFMethod *meth = NULL; meth = GFMethod_new(); if (meth == NULL) return NULL; MP_CHECKOK(mp_copy(irr, &meth->irr)); meth->irr_arr[0] = mpl_significant_bits(irr); meth->irr_arr[1] = meth->irr_arr[2] = meth->irr_arr[3] = meth->irr_arr[4] = 0; switch (MP_USED(&meth->irr)) { /* maybe we need 1 and 2 words here as well?*/ case 3: meth->field_add = &ec_GFp_add_3; meth->field_sub = &ec_GFp_sub_3; break; case 4: meth->field_add = &ec_GFp_add_4; meth->field_sub = &ec_GFp_sub_4; break; case 5: meth->field_add = &ec_GFp_add_5; meth->field_sub = &ec_GFp_sub_5; break; case 6: meth->field_add = &ec_GFp_add_6; meth->field_sub = &ec_GFp_sub_6; break; default: meth->field_add = &ec_GFp_add; meth->field_sub = &ec_GFp_sub; } meth->field_neg = &ec_GFp_neg; meth->field_mod = &ec_GFp_mod; meth->field_mul = &ec_GFp_mul; meth->field_sqr = &ec_GFp_sqr; meth->field_div = &ec_GFp_div; meth->field_enc = NULL; meth->field_dec = NULL; meth->extra1 = NULL; meth->extra2 = NULL; meth->extra_free = NULL; CLEANUP: if (res != MP_OKAY) { GFMethod_free(meth); return NULL; } return meth; }
/* Tests the time required for a point multiplication */ mp_err testPointMulTime(ECGroup *ecgroup) { mp_err res = MP_OKAY; mp_int rx, ry, n; int size; MP_DIGITS(&rx) = 0; MP_DIGITS(&ry) = 0; MP_DIGITS(&n) = 0; MP_CHECKOK(mp_init(&rx)); MP_CHECKOK(mp_init(&ry)); MP_CHECKOK(mp_init(&n)); /* compute random scalar */ size = mpl_significant_bits(&ecgroup->meth->irr); if (size < MP_OKAY) { res = MP_NO; goto CLEANUP; } MP_CHECKOK(mpp_random_size(&n, (size + ECL_BITS - 1) / ECL_BITS)); MP_CHECKOK(ecgroup->meth->field_mod(&n, &n, ecgroup->meth)); M_TimeOperation(ec_GFp_pt_mul_jac_fp (&n, &ecgroup->genx, &ecgroup->geny, &rx, &ry, ecgroup), 1000); M_TimeOperation(ec_GFp_point_mul_jac_4w_fp (&n, &ecgroup->genx, &ecgroup->geny, &rx, &ry, ecgroup), 1000); M_TimeOperation(ec_GFp_point_mul_wNAF_fp (&n, &ecgroup->genx, &ecgroup->geny, &rx, &ry, ecgroup), 1000); M_TimeOperation(ec_GFp_pt_mul_jac (&n, &ecgroup->genx, &ecgroup->geny, &rx, &ry, ecgroup), 100); CLEANUP: if (res == MP_OKAY) printf(" Test Passed - Point Multiplication Timing\n"); else printf("TEST FAILED - Point Multiplication Timing\n"); mp_clear(&rx); mp_clear(&ry); mp_clear(&n); return res; }
/* Construct a generic GFMethod for arithmetic over prime fields with * irreducible irr. */ GFMethod * GFMethod_consGFp_mont(const mp_int *irr) { mp_err res = MP_OKAY; int i; GFMethod *meth = NULL; mp_mont_modulus *mmm; meth = GFMethod_consGFp(irr); if (meth == NULL) return NULL; mmm = (mp_mont_modulus *) malloc(sizeof(mp_mont_modulus)); if (mmm == NULL) { res = MP_MEM; goto CLEANUP; } meth->field_mul = &ec_GFp_mul_mont; meth->field_sqr = &ec_GFp_sqr_mont; meth->field_div = &ec_GFp_div_mont; meth->field_enc = &ec_GFp_enc_mont; meth->field_dec = &ec_GFp_dec_mont; meth->extra1 = mmm; meth->extra2 = NULL; meth->extra_free = &ec_GFp_extra_free_mont; mmm->N = meth->irr; i = mpl_significant_bits(&meth->irr); i += MP_DIGIT_BIT - 1; mmm->b = i - i % MP_DIGIT_BIT; mmm->n0prime = 0 - s_mp_invmod_radix(MP_DIGIT(&meth->irr, 0)); CLEANUP: if (res != MP_OKAY) { GFMethod_free(meth); return NULL; } return meth; }
/* Tests point multiplication with a random scalar repeatedly, comparing * for consistency within different algorithms. */ mp_err testPointMulRandom(ECGroup *ecgroup) { mp_err res; mp_int rx, ry, rx2, ry2, n; int i, size; EC_group_fp *group = (EC_group_fp *) ecgroup->extra1; MP_DIGITS(&rx) = 0; MP_DIGITS(&ry) = 0; MP_DIGITS(&rx2) = 0; MP_DIGITS(&ry2) = 0; MP_DIGITS(&n) = 0; MP_CHECKOK(mp_init(&rx)); MP_CHECKOK(mp_init(&ry)); MP_CHECKOK(mp_init(&rx2)); MP_CHECKOK(mp_init(&ry2)); MP_CHECKOK(mp_init(&n)); for (i = 0; i < 100; i++) { /* compute random scalar */ size = mpl_significant_bits(&ecgroup->meth->irr); if (size < MP_OKAY) { res = MP_NO; goto CLEANUP; } MP_CHECKOK(mpp_random_size(&n, group->orderBitSize)); MP_CHECKOK(mp_mod(&n, &ecgroup->order, &n)); ec_GFp_pt_mul_jac(&n, &ecgroup->genx, &ecgroup->geny, &rx, &ry, ecgroup); ec_GFp_pt_mul_jac_fp(&n, &ecgroup->genx, &ecgroup->geny, &rx2, &ry2, ecgroup); if ((mp_cmp(&rx, &rx2) != 0) || (mp_cmp(&ry, &ry2) != 0)) { printf (" Error: different results for Point Multiplication - Double & Add.\n"); res = MP_NO; goto CLEANUP; } ec_GFp_point_mul_wNAF_fp(&n, &ecgroup->genx, &ecgroup->geny, &rx, &ry, ecgroup); if ((mp_cmp(&rx, &rx2) != 0) || (mp_cmp(&ry, &ry2) != 0)) { printf (" Error: different results for Point Multiplication - wNAF.\n"); res = MP_NO; goto CLEANUP; } ec_GFp_point_mul_jac_4w_fp(&n, &ecgroup->genx, &ecgroup->geny, &rx, &ry, ecgroup); if ((mp_cmp(&rx, &rx2) != 0) || (mp_cmp(&ry, &ry2) != 0)) { printf (" Error: different results for Point Multiplication - 4 bit window.\n"); res = MP_NO; goto CLEANUP; } } CLEANUP: if (res == MP_OKAY) printf(" Test Passed - Point Random Multiplication\n"); else printf("TEST FAILED - Point Random Multiplication\n"); mp_clear(&rx); mp_clear(&ry); mp_clear(&rx2); mp_clear(&ry2); mp_clear(&n); return res; }
/* Elliptic curve scalar-point multiplication. Computes R(x, y) = k1 * G + * k2 * P(x, y), where G is the generator (base point) of the group of * points on the elliptic curve. Allows k1 = NULL or { k2, P } = NULL. * Uses mixed Jacobian-affine coordinates. Input and output values are * assumed to be NOT field-encoded. Uses algorithm 15 (simultaneous * multiple point multiplication) from Brown, Hankerson, Lopez, Menezes. * Software Implementation of the NIST Elliptic Curves over Prime Fields. */ mp_err ec_GFp_pts_mul_jac(const mp_int *k1, const mp_int *k2, const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry, const ECGroup *group) { mp_err res = MP_OKAY; mp_int precomp[4][4][2]; mp_int rz; const mp_int *a, *b; unsigned int i, j; int ai, bi, d; for (i = 0; i < 4; i++) { for (j = 0; j < 4; j++) { MP_DIGITS(&precomp[i][j][0]) = 0; MP_DIGITS(&precomp[i][j][1]) = 0; } } MP_DIGITS(&rz) = 0; ARGCHK(group != NULL, MP_BADARG); ARGCHK(!((k1 == NULL) && ((k2 == NULL) || (px == NULL) || (py == NULL))), MP_BADARG); /* if some arguments are not defined used ECPoint_mul */ if (k1 == NULL) { return ECPoint_mul(group, k2, px, py, rx, ry); } else if ((k2 == NULL) || (px == NULL) || (py == NULL)) { return ECPoint_mul(group, k1, NULL, NULL, rx, ry); } /* initialize precomputation table */ for (i = 0; i < 4; i++) { for (j = 0; j < 4; j++) { MP_CHECKOK(mp_init(&precomp[i][j][0])); MP_CHECKOK(mp_init(&precomp[i][j][1])); } } /* fill precomputation table */ /* assign {k1, k2} = {a, b} such that len(a) >= len(b) */ if (mpl_significant_bits(k1) < mpl_significant_bits(k2)) { a = k2; b = k1; if (group->meth->field_enc) { MP_CHECKOK(group->meth-> field_enc(px, &precomp[1][0][0], group->meth)); MP_CHECKOK(group->meth-> field_enc(py, &precomp[1][0][1], group->meth)); } else { MP_CHECKOK(mp_copy(px, &precomp[1][0][0])); MP_CHECKOK(mp_copy(py, &precomp[1][0][1])); } MP_CHECKOK(mp_copy(&group->genx, &precomp[0][1][0])); MP_CHECKOK(mp_copy(&group->geny, &precomp[0][1][1])); } else { a = k1; b = k2; MP_CHECKOK(mp_copy(&group->genx, &precomp[1][0][0])); MP_CHECKOK(mp_copy(&group->geny, &precomp[1][0][1])); if (group->meth->field_enc) { MP_CHECKOK(group->meth-> field_enc(px, &precomp[0][1][0], group->meth)); MP_CHECKOK(group->meth-> field_enc(py, &precomp[0][1][1], group->meth)); } else { MP_CHECKOK(mp_copy(px, &precomp[0][1][0])); MP_CHECKOK(mp_copy(py, &precomp[0][1][1])); } } /* precompute [*][0][*] */ mp_zero(&precomp[0][0][0]); mp_zero(&precomp[0][0][1]); MP_CHECKOK(group-> point_dbl(&precomp[1][0][0], &precomp[1][0][1], &precomp[2][0][0], &precomp[2][0][1], group)); MP_CHECKOK(group-> point_add(&precomp[1][0][0], &precomp[1][0][1], &precomp[2][0][0], &precomp[2][0][1], &precomp[3][0][0], &precomp[3][0][1], group)); /* precompute [*][1][*] */ for (i = 1; i < 4; i++) { MP_CHECKOK(group-> point_add(&precomp[0][1][0], &precomp[0][1][1], &precomp[i][0][0], &precomp[i][0][1], &precomp[i][1][0], &precomp[i][1][1], group)); } /* precompute [*][2][*] */ MP_CHECKOK(group-> point_dbl(&precomp[0][1][0], &precomp[0][1][1], &precomp[0][2][0], &precomp[0][2][1], group)); for (i = 1; i < 4; i++) { MP_CHECKOK(group-> point_add(&precomp[0][2][0], &precomp[0][2][1], &precomp[i][0][0], &precomp[i][0][1], &precomp[i][2][0], &precomp[i][2][1], group)); } /* precompute [*][3][*] */ MP_CHECKOK(group-> point_add(&precomp[0][1][0], &precomp[0][1][1], &precomp[0][2][0], &precomp[0][2][1], &precomp[0][3][0], &precomp[0][3][1], group)); for (i = 1; i < 4; i++) { MP_CHECKOK(group-> point_add(&precomp[0][3][0], &precomp[0][3][1], &precomp[i][0][0], &precomp[i][0][1], &precomp[i][3][0], &precomp[i][3][1], group)); } d = (mpl_significant_bits(a) + 1) / 2; /* R = inf */ MP_CHECKOK(mp_init(&rz)); MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, &rz)); for (i = d; i-- > 0;) { ai = MP_GET_BIT(a, 2 * i + 1); ai <<= 1; ai |= MP_GET_BIT(a, 2 * i); bi = MP_GET_BIT(b, 2 * i + 1); bi <<= 1; bi |= MP_GET_BIT(b, 2 * i); /* R = 2^2 * R */ MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group)); MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group)); /* R = R + (ai * A + bi * B) */ MP_CHECKOK(ec_GFp_pt_add_jac_aff (rx, ry, &rz, &precomp[ai][bi][0], &precomp[ai][bi][1], rx, ry, &rz, group)); } MP_CHECKOK(ec_GFp_pt_jac2aff(rx, ry, &rz, rx, ry, group)); if (group->meth->field_dec) { MP_CHECKOK(group->meth->field_dec(rx, rx, group->meth)); MP_CHECKOK(group->meth->field_dec(ry, ry, group->meth)); } CLEANUP: mp_clear(&rz); for (i = 0; i < 4; i++) { for (j = 0; j < 4; j++) { mp_clear(&precomp[i][j][0]); mp_clear(&precomp[i][j][1]); } } return res; }
/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters * a, b and p are the elliptic curve coefficients and the prime that * determines the field GFp. Elliptic curve points P and R can be * identical. Uses mixed Jacobian-affine coordinates. Assumes input is * already field-encoded using field_enc, and returns output that is still * field-encoded. Uses 4-bit window method. */ mp_err ec_GFp_pt_mul_jac(const mp_int *n, const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry, const ECGroup *group) { mp_err res = MP_OKAY; mp_int precomp[16][2], rz; int i, ni, d; MP_DIGITS(&rz) = 0; for (i = 0; i < 16; i++) { MP_DIGITS(&precomp[i][0]) = 0; MP_DIGITS(&precomp[i][1]) = 0; } ARGCHK(group != NULL, MP_BADARG); ARGCHK((n != NULL) && (px != NULL) && (py != NULL), MP_BADARG); /* initialize precomputation table */ for (i = 0; i < 16; i++) { MP_CHECKOK(mp_init(&precomp[i][0])); MP_CHECKOK(mp_init(&precomp[i][1])); } /* fill precomputation table */ mp_zero(&precomp[0][0]); mp_zero(&precomp[0][1]); MP_CHECKOK(mp_copy(px, &precomp[1][0])); MP_CHECKOK(mp_copy(py, &precomp[1][1])); for (i = 2; i < 16; i++) { MP_CHECKOK(group-> point_add(&precomp[1][0], &precomp[1][1], &precomp[i - 1][0], &precomp[i - 1][1], &precomp[i][0], &precomp[i][1], group)); } d = (mpl_significant_bits(n) + 3) / 4; /* R = inf */ MP_CHECKOK(mp_init(&rz)); MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, &rz)); for (i = d - 1; i >= 0; i--) { /* compute window ni */ ni = MP_GET_BIT(n, 4 * i + 3); ni <<= 1; ni |= MP_GET_BIT(n, 4 * i + 2); ni <<= 1; ni |= MP_GET_BIT(n, 4 * i + 1); ni <<= 1; ni |= MP_GET_BIT(n, 4 * i); /* R = 2^4 * R */ MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group)); MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group)); MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group)); MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group)); /* R = R + (ni * P) */ MP_CHECKOK(ec_GFp_pt_add_jac_aff (rx, ry, &rz, &precomp[ni][0], &precomp[ni][1], rx, ry, &rz, group)); } /* convert result S to affine coordinates */ MP_CHECKOK(ec_GFp_pt_jac2aff(rx, ry, &rz, rx, ry, group)); CLEANUP: mp_clear(&rz); for (i = 0; i < 16; i++) { mp_clear(&precomp[i][0]); mp_clear(&precomp[i][1]); } return res; }
/* Construct ECGroup from hex parameters and name, if any. Called by * ECGroup_fromHex and ECGroup_fromName. */ ECGroup * ecgroup_fromNameAndHex(const ECCurveName name, const ECCurveParams * params) { mp_int irr, curvea, curveb, genx, geny, order; int bits; ECGroup *group = NULL; mp_err res = MP_OKAY; /* initialize values */ MP_DIGITS(&irr) = 0; MP_DIGITS(&curvea) = 0; MP_DIGITS(&curveb) = 0; MP_DIGITS(&genx) = 0; MP_DIGITS(&geny) = 0; MP_DIGITS(&order) = 0; MP_CHECKOK(mp_init(&irr)); MP_CHECKOK(mp_init(&curvea)); MP_CHECKOK(mp_init(&curveb)); MP_CHECKOK(mp_init(&genx)); MP_CHECKOK(mp_init(&geny)); MP_CHECKOK(mp_init(&order)); MP_CHECKOK(mp_read_radix(&irr, params->irr, 16)); MP_CHECKOK(mp_read_radix(&curvea, params->curvea, 16)); MP_CHECKOK(mp_read_radix(&curveb, params->curveb, 16)); MP_CHECKOK(mp_read_radix(&genx, params->genx, 16)); MP_CHECKOK(mp_read_radix(&geny, params->geny, 16)); MP_CHECKOK(mp_read_radix(&order, params->order, 16)); /* determine number of bits */ bits = mpl_significant_bits(&irr) - 1; if (bits < MP_OKAY) { res = bits; goto CLEANUP; } /* determine which optimizations (if any) to use */ if (params->field == ECField_GFp) { switch (name) { #ifdef NSS_ECC_MORE_THAN_SUITE_B #ifdef ECL_USE_FP case ECCurve_SECG_PRIME_160R1: group = ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, &order, params->cofactor); if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } MP_CHECKOK(ec_group_set_secp160r1_fp(group)); break; #endif case ECCurve_SECG_PRIME_192R1: #ifdef ECL_USE_FP group = ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, &order, params->cofactor); if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } MP_CHECKOK(ec_group_set_nistp192_fp(group)); #else group = ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, &order, params->cofactor); if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } MP_CHECKOK(ec_group_set_gfp192(group, name)); #endif break; case ECCurve_SECG_PRIME_224R1: #ifdef ECL_USE_FP group = ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, &order, params->cofactor); if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } MP_CHECKOK(ec_group_set_nistp224_fp(group)); #else group = ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, &order, params->cofactor); if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } MP_CHECKOK(ec_group_set_gfp224(group, name)); #endif break; #endif /* NSS_ECC_MORE_THAN_SUITE_B */ case ECCurve_SECG_PRIME_256R1: group = ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, &order, params->cofactor); if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } MP_CHECKOK(ec_group_set_gfp256(group, name)); MP_CHECKOK(ec_group_set_gfp256_32(group, name)); break; case ECCurve_SECG_PRIME_521R1: group = ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, &order, params->cofactor); if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } MP_CHECKOK(ec_group_set_gfp521(group, name)); break; default: /* use generic arithmetic */ group = ECGroup_consGFp_mont(&irr, &curvea, &curveb, &genx, &geny, &order, params->cofactor); if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } } #ifdef NSS_ECC_MORE_THAN_SUITE_B } else if (params->field == ECField_GF2m) { group = ECGroup_consGF2m(&irr, NULL, &curvea, &curveb, &genx, &geny, &order, params->cofactor); if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } if ((name == ECCurve_NIST_K163) || (name == ECCurve_NIST_B163) || (name == ECCurve_SECG_CHAR2_163R1)) { MP_CHECKOK(ec_group_set_gf2m163(group, name)); } else if ((name == ECCurve_SECG_CHAR2_193R1) || (name == ECCurve_SECG_CHAR2_193R2)) { MP_CHECKOK(ec_group_set_gf2m193(group, name)); } else if ((name == ECCurve_NIST_K233) || (name == ECCurve_NIST_B233)) { MP_CHECKOK(ec_group_set_gf2m233(group, name)); } #endif } else { res = MP_UNDEF; goto CLEANUP; } /* set name, if any */ if ((group != NULL) && (params->text != NULL)) { group->text = strdup(params->text); if (group->text == NULL) { res = MP_MEM; } } CLEANUP: mp_clear(&irr); mp_clear(&curvea); mp_clear(&curveb); mp_clear(&genx); mp_clear(&geny); mp_clear(&order); if (res != MP_OKAY) { ECGroup_free(group); return NULL; } return group; }
static SECStatus rsa_build_from_primes(mp_int *p, mp_int *q, mp_int *e, PRBool needPublicExponent, mp_int *d, PRBool needPrivateExponent, RSAPrivateKey *key, unsigned int keySizeInBits) { mp_int n, phi; mp_int psub1, qsub1, tmp; mp_err err = MP_OKAY; SECStatus rv = SECSuccess; MP_DIGITS(&n) = 0; MP_DIGITS(&phi) = 0; MP_DIGITS(&psub1) = 0; MP_DIGITS(&qsub1) = 0; MP_DIGITS(&tmp) = 0; CHECK_MPI_OK( mp_init(&n) ); CHECK_MPI_OK( mp_init(&phi) ); CHECK_MPI_OK( mp_init(&psub1) ); CHECK_MPI_OK( mp_init(&qsub1) ); CHECK_MPI_OK( mp_init(&tmp) ); /* 1. Compute n = p*q */ CHECK_MPI_OK( mp_mul(p, q, &n) ); /* verify that the modulus has the desired number of bits */ if ((unsigned)mpl_significant_bits(&n) != keySizeInBits) { PORT_SetError(SEC_ERROR_NEED_RANDOM); rv = SECFailure; goto cleanup; } /* at least one exponent must be given */ PORT_Assert(!(needPublicExponent && needPrivateExponent)); /* 2. Compute phi = (p-1)*(q-1) */ CHECK_MPI_OK( mp_sub_d(p, 1, &psub1) ); CHECK_MPI_OK( mp_sub_d(q, 1, &qsub1) ); if (needPublicExponent || needPrivateExponent) { CHECK_MPI_OK( mp_mul(&psub1, &qsub1, &phi) ); /* 3. Compute d = e**-1 mod(phi) */ /* or e = d**-1 mod(phi) as necessary */ if (needPublicExponent) { err = mp_invmod(d, &phi, e); } else { err = mp_invmod(e, &phi, d); } } else { err = MP_OKAY; } /* Verify that phi(n) and e have no common divisors */ if (err != MP_OKAY) { if (err == MP_UNDEF) { PORT_SetError(SEC_ERROR_NEED_RANDOM); err = MP_OKAY; /* to keep PORT_SetError from being called again */ rv = SECFailure; } goto cleanup; } /* 4. Compute exponent1 = d mod (p-1) */ CHECK_MPI_OK( mp_mod(d, &psub1, &tmp) ); MPINT_TO_SECITEM(&tmp, &key->exponent1, key->arena); /* 5. Compute exponent2 = d mod (q-1) */ CHECK_MPI_OK( mp_mod(d, &qsub1, &tmp) ); MPINT_TO_SECITEM(&tmp, &key->exponent2, key->arena); /* 6. Compute coefficient = q**-1 mod p */ CHECK_MPI_OK( mp_invmod(q, p, &tmp) ); MPINT_TO_SECITEM(&tmp, &key->coefficient, key->arena); /* copy our calculated results, overwrite what is there */ key->modulus.data = NULL; MPINT_TO_SECITEM(&n, &key->modulus, key->arena); key->privateExponent.data = NULL; MPINT_TO_SECITEM(d, &key->privateExponent, key->arena); key->publicExponent.data = NULL; MPINT_TO_SECITEM(e, &key->publicExponent, key->arena); key->prime1.data = NULL; MPINT_TO_SECITEM(p, &key->prime1, key->arena); key->prime2.data = NULL; MPINT_TO_SECITEM(q, &key->prime2, key->arena); cleanup: mp_clear(&n); mp_clear(&phi); mp_clear(&psub1); mp_clear(&qsub1); mp_clear(&tmp); if (err) { MP_TO_SEC_ERROR(err); rv = SECFailure; } return rv; }
static SECStatus rsa_keygen_from_primes(mp_int *p, mp_int *q, mp_int *e, RSAPrivateKey *key, unsigned int keySizeInBits) { mp_int n, d, phi; mp_int psub1, qsub1, tmp; mp_err err = MP_OKAY; SECStatus rv = SECSuccess; MP_DIGITS(&n) = 0; MP_DIGITS(&d) = 0; MP_DIGITS(&phi) = 0; MP_DIGITS(&psub1) = 0; MP_DIGITS(&qsub1) = 0; MP_DIGITS(&tmp) = 0; CHECK_MPI_OK( mp_init(&n) ); CHECK_MPI_OK( mp_init(&d) ); CHECK_MPI_OK( mp_init(&phi) ); CHECK_MPI_OK( mp_init(&psub1) ); CHECK_MPI_OK( mp_init(&qsub1) ); CHECK_MPI_OK( mp_init(&tmp) ); /* 1. Compute n = p*q */ CHECK_MPI_OK( mp_mul(p, q, &n) ); /* verify that the modulus has the desired number of bits */ if ((unsigned)mpl_significant_bits(&n) != keySizeInBits) { PORT_SetError(SEC_ERROR_NEED_RANDOM); rv = SECFailure; goto cleanup; } /* 2. Compute phi = (p-1)*(q-1) */ CHECK_MPI_OK( mp_sub_d(p, 1, &psub1) ); CHECK_MPI_OK( mp_sub_d(q, 1, &qsub1) ); CHECK_MPI_OK( mp_mul(&psub1, &qsub1, &phi) ); /* 3. Compute d = e**-1 mod(phi) */ err = mp_invmod(e, &phi, &d); /* Verify that phi(n) and e have no common divisors */ if (err != MP_OKAY) { if (err == MP_UNDEF) { PORT_SetError(SEC_ERROR_NEED_RANDOM); err = MP_OKAY; /* to keep PORT_SetError from being called again */ rv = SECFailure; } goto cleanup; } MPINT_TO_SECITEM(&n, &key->modulus, key->arena); MPINT_TO_SECITEM(&d, &key->privateExponent, key->arena); /* 4. Compute exponent1 = d mod (p-1) */ CHECK_MPI_OK( mp_mod(&d, &psub1, &tmp) ); MPINT_TO_SECITEM(&tmp, &key->exponent1, key->arena); /* 5. Compute exponent2 = d mod (q-1) */ CHECK_MPI_OK( mp_mod(&d, &qsub1, &tmp) ); MPINT_TO_SECITEM(&tmp, &key->exponent2, key->arena); /* 6. Compute coefficient = q**-1 mod p */ CHECK_MPI_OK( mp_invmod(q, p, &tmp) ); MPINT_TO_SECITEM(&tmp, &key->coefficient, key->arena); cleanup: mp_clear(&n); mp_clear(&d); mp_clear(&phi); mp_clear(&psub1); mp_clear(&qsub1); mp_clear(&tmp); if (err) { MP_TO_SEC_ERROR(err); rv = SECFailure; } return rv; }
/* ** Checks the signature on the given digest using the key provided. */ SECStatus ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature, const SECItem *digest) { SECStatus rv = SECFailure; #ifndef NSS_DISABLE_ECC mp_int r_, s_; /* tuple (r', s') is received signature) */ mp_int c, u1, u2, v; /* intermediate values used in verification */ mp_int x1; mp_int n; mp_err err = MP_OKAY; ECParams *ecParams = NULL; SECItem pointC = { siBuffer, NULL, 0 }; int slen; /* length in bytes of a half signature (r or s) */ int flen; /* length in bytes of the field size */ unsigned olen; /* length in bytes of the base point order */ unsigned obits; /* length in bits of the base point order */ #if EC_DEBUG char mpstr[256]; printf("ECDSA verification called\n"); #endif /* Initialize MPI integers. */ /* must happen before the first potential call to cleanup */ MP_DIGITS(&r_) = 0; MP_DIGITS(&s_) = 0; MP_DIGITS(&c) = 0; MP_DIGITS(&u1) = 0; MP_DIGITS(&u2) = 0; MP_DIGITS(&x1) = 0; MP_DIGITS(&v) = 0; MP_DIGITS(&n) = 0; /* Check args */ if (!key || !signature || !digest) { PORT_SetError(SEC_ERROR_INVALID_ARGS); goto cleanup; } ecParams = &(key->ecParams); flen = (ecParams->fieldID.size + 7) >> 3; olen = ecParams->order.len; if (signature->len == 0 || signature->len%2 != 0 || signature->len > 2*olen) { PORT_SetError(SEC_ERROR_INPUT_LEN); goto cleanup; } slen = signature->len/2; SECITEM_AllocItem(NULL, &pointC, 2*flen + 1); if (pointC.data == NULL) goto cleanup; CHECK_MPI_OK( mp_init(&r_) ); CHECK_MPI_OK( mp_init(&s_) ); CHECK_MPI_OK( mp_init(&c) ); CHECK_MPI_OK( mp_init(&u1) ); CHECK_MPI_OK( mp_init(&u2) ); CHECK_MPI_OK( mp_init(&x1) ); CHECK_MPI_OK( mp_init(&v) ); CHECK_MPI_OK( mp_init(&n) ); /* ** Convert received signature (r', s') into MPI integers. */ CHECK_MPI_OK( mp_read_unsigned_octets(&r_, signature->data, slen) ); CHECK_MPI_OK( mp_read_unsigned_octets(&s_, signature->data + slen, slen) ); /* ** ANSI X9.62, Section 5.4.2, Steps 1 and 2 ** ** Verify that 0 < r' < n and 0 < s' < n */ SECITEM_TO_MPINT(ecParams->order, &n); if (mp_cmp_z(&r_) <= 0 || mp_cmp_z(&s_) <= 0 || mp_cmp(&r_, &n) >= 0 || mp_cmp(&s_, &n) >= 0) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); goto cleanup; /* will return rv == SECFailure */ } /* ** ANSI X9.62, Section 5.4.2, Step 3 ** ** c = (s')**-1 mod n */ CHECK_MPI_OK( mp_invmod(&s_, &n, &c) ); /* c = (s')**-1 mod n */ /* ** ANSI X9.62, Section 5.4.2, Step 4 ** ** u1 = ((HASH(M')) * c) mod n */ SECITEM_TO_MPINT(*digest, &u1); /* u1 = HASH(M) */ /* In the definition of EC signing, digests are truncated * to the length of n in bits. * (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/ CHECK_MPI_OK( (obits = mpl_significant_bits(&n)) ); if (digest->len*8 > obits) { /* u1 = HASH(M') */ mpl_rsh(&u1,&u1,digest->len*8 - obits); } #if EC_DEBUG mp_todecimal(&r_, mpstr); printf("r_: %s (dec)\n", mpstr); mp_todecimal(&s_, mpstr); printf("s_: %s (dec)\n", mpstr); mp_todecimal(&c, mpstr); printf("c : %s (dec)\n", mpstr); mp_todecimal(&u1, mpstr); printf("digest: %s (dec)\n", mpstr); #endif CHECK_MPI_OK( mp_mulmod(&u1, &c, &n, &u1) ); /* u1 = u1 * c mod n */ /* ** ANSI X9.62, Section 5.4.2, Step 4 ** ** u2 = ((r') * c) mod n */ CHECK_MPI_OK( mp_mulmod(&r_, &c, &n, &u2) ); /* ** ANSI X9.62, Section 5.4.3, Step 1 ** ** Compute u1*G + u2*Q ** Here, A = u1.G B = u2.Q and C = A + B ** If the result, C, is the point at infinity, reject the signature */ if (ec_points_mul(ecParams, &u1, &u2, &key->publicValue, &pointC) != SECSuccess) { rv = SECFailure; goto cleanup; } if (ec_point_at_infinity(&pointC)) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); rv = SECFailure; goto cleanup; } CHECK_MPI_OK( mp_read_unsigned_octets(&x1, pointC.data + 1, flen) ); /* ** ANSI X9.62, Section 5.4.4, Step 2 ** ** v = x1 mod n */ CHECK_MPI_OK( mp_mod(&x1, &n, &v) ); #if EC_DEBUG mp_todecimal(&r_, mpstr); printf("r_: %s (dec)\n", mpstr); mp_todecimal(&v, mpstr); printf("v : %s (dec)\n", mpstr); #endif /* ** ANSI X9.62, Section 5.4.4, Step 3 ** ** Verification: v == r' */ if (mp_cmp(&v, &r_)) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); rv = SECFailure; /* Signature failed to verify. */ } else { rv = SECSuccess; /* Signature verified. */ } #if EC_DEBUG mp_todecimal(&u1, mpstr); printf("u1: %s (dec)\n", mpstr); mp_todecimal(&u2, mpstr); printf("u2: %s (dec)\n", mpstr); mp_tohex(&x1, mpstr); printf("x1: %s\n", mpstr); mp_todecimal(&v, mpstr); printf("v : %s (dec)\n", mpstr); #endif cleanup: mp_clear(&r_); mp_clear(&s_); mp_clear(&c); mp_clear(&u1); mp_clear(&u2); mp_clear(&x1); mp_clear(&v); mp_clear(&n); if (pointC.data) SECITEM_FreeItem(&pointC, PR_FALSE); if (err) { MP_TO_SEC_ERROR(err); rv = SECFailure; } #if EC_DEBUG printf("ECDSA verification %s\n", (rv == SECSuccess) ? "succeeded" : "failed"); #endif #else PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); #endif /* NSS_DISABLE_ECC */ return rv; }
/* Performs basic tests of elliptic curve cryptography over prime fields. * If tests fail, then it prints an error message, aborts, and returns an * error code. Otherwise, returns 0. */ int ectest_curve_GFp(ECGroup *group, int ectestPrint, int ectestTime, int generic) { mp_int one, order_1, gx, gy, rx, ry, n; int size; mp_err res; char s[1000]; /* initialize values */ MP_CHECKOK(mp_init(&one)); MP_CHECKOK(mp_init(&order_1)); MP_CHECKOK(mp_init(&gx)); MP_CHECKOK(mp_init(&gy)); MP_CHECKOK(mp_init(&rx)); MP_CHECKOK(mp_init(&ry)); MP_CHECKOK(mp_init(&n)); MP_CHECKOK(mp_set_int(&one, 1)); MP_CHECKOK(mp_sub(&group->order, &one, &order_1)); /* encode base point */ if (group->meth->field_dec) { MP_CHECKOK(group->meth->field_dec(&group->genx, &gx, group->meth)); MP_CHECKOK(group->meth->field_dec(&group->geny, &gy, group->meth)); } else { MP_CHECKOK(mp_copy(&group->genx, &gx)); MP_CHECKOK(mp_copy(&group->geny, &gy)); } if (ectestPrint) { /* output base point */ printf(" base point P:\n"); MP_CHECKOK(mp_toradix(&gx, s, 16)); printf(" %s\n", s); MP_CHECKOK(mp_toradix(&gy, s, 16)); printf(" %s\n", s); if (group->meth->field_enc) { printf(" base point P (encoded):\n"); MP_CHECKOK(mp_toradix(&group->genx, s, 16)); printf(" %s\n", s); MP_CHECKOK(mp_toradix(&group->geny, s, 16)); printf(" %s\n", s); } } #ifdef ECL_ENABLE_GFP_PT_MUL_AFF /* multiply base point by order - 1 and check for negative of base * point */ MP_CHECKOK(ec_GFp_pt_mul_aff(&order_1, &group->genx, &group->geny, &rx, &ry, group)); if (ectestPrint) { printf(" (order-1)*P (affine):\n"); MP_CHECKOK(mp_toradix(&rx, s, 16)); printf(" %s\n", s); MP_CHECKOK(mp_toradix(&ry, s, 16)); printf(" %s\n", s); } MP_CHECKOK(group->meth->field_neg(&ry, &ry, group->meth)); if ((mp_cmp(&rx, &group->genx) != 0) || (mp_cmp(&ry, &group->geny) != 0)) { printf(" Error: invalid result (expected (- base point)).\n"); res = MP_NO; goto CLEANUP; } #endif #ifdef ECL_ENABLE_GFP_PT_MUL_AFF /* multiply base point by order - 1 and check for negative of base * point */ MP_CHECKOK(ec_GFp_pt_mul_jac(&order_1, &group->genx, &group->geny, &rx, &ry, group)); if (ectestPrint) { printf(" (order-1)*P (jacobian):\n"); MP_CHECKOK(mp_toradix(&rx, s, 16)); printf(" %s\n", s); MP_CHECKOK(mp_toradix(&ry, s, 16)); printf(" %s\n", s); } MP_CHECKOK(group->meth->field_neg(&ry, &ry, group->meth)); if ((mp_cmp(&rx, &group->genx) != 0) || (mp_cmp(&ry, &group->geny) != 0)) { printf(" Error: invalid result (expected (- base point)).\n"); res = MP_NO; goto CLEANUP; } #endif /* multiply base point by order - 1 and check for negative of base * point */ MP_CHECKOK(ECPoint_mul(group, &order_1, NULL, NULL, &rx, &ry)); if (ectestPrint) { printf(" (order-1)*P (ECPoint_mul):\n"); MP_CHECKOK(mp_toradix(&rx, s, 16)); printf(" %s\n", s); MP_CHECKOK(mp_toradix(&ry, s, 16)); printf(" %s\n", s); } MP_CHECKOK(mp_submod(&group->meth->irr, &ry, &group->meth->irr, &ry)); if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) { printf(" Error: invalid result (expected (- base point)).\n"); res = MP_NO; goto CLEANUP; } /* multiply base point by order - 1 and check for negative of base * point */ MP_CHECKOK(ECPoint_mul(group, &order_1, &gx, &gy, &rx, &ry)); if (ectestPrint) { printf(" (order-1)*P (ECPoint_mul):\n"); MP_CHECKOK(mp_toradix(&rx, s, 16)); printf(" %s\n", s); MP_CHECKOK(mp_toradix(&ry, s, 16)); printf(" %s\n", s); } MP_CHECKOK(mp_submod(&group->meth->irr, &ry, &group->meth->irr, &ry)); if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) { printf(" Error: invalid result (expected (- base point)).\n"); res = MP_NO; goto CLEANUP; } #ifdef ECL_ENABLE_GFP_PT_MUL_AFF /* multiply base point by order and check for point at infinity */ MP_CHECKOK(ec_GFp_pt_mul_aff(&group->order, &group->genx, &group->geny, &rx, &ry, group)); if (ectestPrint) { printf(" (order)*P (affine):\n"); MP_CHECKOK(mp_toradix(&rx, s, 16)); printf(" %s\n", s); MP_CHECKOK(mp_toradix(&ry, s, 16)); printf(" %s\n", s); } if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) { printf(" Error: invalid result (expected point at infinity).\n"); res = MP_NO; goto CLEANUP; } #endif #ifdef ECL_ENABLE_GFP_PT_MUL_JAC /* multiply base point by order and check for point at infinity */ MP_CHECKOK(ec_GFp_pt_mul_jac(&group->order, &group->genx, &group->geny, &rx, &ry, group)); if (ectestPrint) { printf(" (order)*P (jacobian):\n"); MP_CHECKOK(mp_toradix(&rx, s, 16)); printf(" %s\n", s); MP_CHECKOK(mp_toradix(&ry, s, 16)); printf(" %s\n", s); } if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) { printf(" Error: invalid result (expected point at infinity).\n"); res = MP_NO; goto CLEANUP; } #endif /* multiply base point by order and check for point at infinity */ MP_CHECKOK(ECPoint_mul(group, &group->order, NULL, NULL, &rx, &ry)); if (ectestPrint) { printf(" (order)*P (ECPoint_mul):\n"); MP_CHECKOK(mp_toradix(&rx, s, 16)); printf(" %s\n", s); MP_CHECKOK(mp_toradix(&ry, s, 16)); printf(" %s\n", s); } if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) { printf(" Error: invalid result (expected point at infinity).\n"); res = MP_NO; goto CLEANUP; } /* multiply base point by order and check for point at infinity */ MP_CHECKOK(ECPoint_mul(group, &group->order, &gx, &gy, &rx, &ry)); if (ectestPrint) { printf(" (order)*P (ECPoint_mul):\n"); MP_CHECKOK(mp_toradix(&rx, s, 16)); printf(" %s\n", s); MP_CHECKOK(mp_toradix(&ry, s, 16)); printf(" %s\n", s); } if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) { printf(" Error: invalid result (expected point at infinity).\n"); res = MP_NO; goto CLEANUP; } /* check that (order-1)P + (order-1)P + P == (order-1)P */ MP_CHECKOK(ECPoints_mul(group, &order_1, &order_1, &gx, &gy, &rx, &ry)); MP_CHECKOK(ECPoints_mul(group, &one, &one, &rx, &ry, &rx, &ry)); if (ectestPrint) { printf(" (order-1)*P + (order-1)*P + P == (order-1)*P (ECPoints_mul):\n"); MP_CHECKOK(mp_toradix(&rx, s, 16)); printf(" %s\n", s); MP_CHECKOK(mp_toradix(&ry, s, 16)); printf(" %s\n", s); } MP_CHECKOK(mp_submod(&group->meth->irr, &ry, &group->meth->irr, &ry)); if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) { printf(" Error: invalid result (expected (- base point)).\n"); res = MP_NO; goto CLEANUP; } /* test validate_point function */ if (ECPoint_validate(group, &gx, &gy) != MP_YES) { printf(" Error: validate point on base point failed.\n"); res = MP_NO; goto CLEANUP; } MP_CHECKOK(mp_add_d(&gy, 1, &ry)); if (ECPoint_validate(group, &gx, &ry) != MP_NO) { printf(" Error: validate point on invalid point passed.\n"); res = MP_NO; goto CLEANUP; } if (ectestTime) { /* compute random scalar */ size = mpl_significant_bits(&group->meth->irr); if (size < MP_OKAY) { goto CLEANUP; } MP_CHECKOK(mpp_random_size(&n, (size + ECL_BITS - 1) / ECL_BITS)); MP_CHECKOK(group->meth->field_mod(&n, &n, group->meth)); /* timed test */ if (generic) { #ifdef ECL_ENABLE_GFP_PT_MUL_AFF M_TimeOperation(MP_CHECKOK(ec_GFp_pt_mul_aff(&n, &group->genx, &group->geny, &rx, &ry, group)), 100); #endif M_TimeOperation(MP_CHECKOK(ECPoint_mul(group, &n, NULL, NULL, &rx, &ry)), 100); M_TimeOperation(MP_CHECKOK(ECPoints_mul(group, &n, &n, &gx, &gy, &rx, &ry)), 100); } else { M_TimeOperation(MP_CHECKOK(ECPoint_mul(group, &n, NULL, NULL, &rx, &ry)), 100); M_TimeOperation(MP_CHECKOK(ECPoint_mul(group, &n, &gx, &gy, &rx, &ry)), 100); M_TimeOperation(MP_CHECKOK(ECPoints_mul(group, &n, &n, &gx, &gy, &rx, &ry)), 100); } } CLEANUP: mp_clear(&one); mp_clear(&order_1); mp_clear(&gx); mp_clear(&gy); mp_clear(&rx); mp_clear(&ry); mp_clear(&n); if (res != MP_OKAY) { printf(" Error: exiting with error value %i\n", res); } return res; }
/* Computes R = nP based on IEEE P1363 A.10.3. Elliptic curve points P and * R can be identical. Uses affine coordinates. Assumes input is already * field-encoded using field_enc, and returns output that is still * field-encoded. */ mp_err ec_GFp_pt_mul_aff(const mp_int *n, const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry, const ECGroup *group) { mp_err res = MP_OKAY; mp_int k, k3, qx, qy, sx, sy; int b1, b3, i, l; MP_DIGITS(&k) = 0; MP_DIGITS(&k3) = 0; MP_DIGITS(&qx) = 0; MP_DIGITS(&qy) = 0; MP_DIGITS(&sx) = 0; MP_DIGITS(&sy) = 0; MP_CHECKOK(mp_init(&k)); MP_CHECKOK(mp_init(&k3)); MP_CHECKOK(mp_init(&qx)); MP_CHECKOK(mp_init(&qy)); MP_CHECKOK(mp_init(&sx)); MP_CHECKOK(mp_init(&sy)); /* if n = 0 then r = inf */ if (mp_cmp_z(n) == 0) { mp_zero(rx); mp_zero(ry); res = MP_OKAY; goto CLEANUP; } /* Q = P, k = n */ MP_CHECKOK(mp_copy(px, &qx)); MP_CHECKOK(mp_copy(py, &qy)); MP_CHECKOK(mp_copy(n, &k)); /* if n < 0 then Q = -Q, k = -k */ if (mp_cmp_z(n) < 0) { MP_CHECKOK(group->meth->field_neg(&qy, &qy, group->meth)); MP_CHECKOK(mp_neg(&k, &k)); } #ifdef ECL_DEBUG /* basic double and add method */ l = mpl_significant_bits(&k) - 1; MP_CHECKOK(mp_copy(&qx, &sx)); MP_CHECKOK(mp_copy(&qy, &sy)); for (i = l - 1; i >= 0; i--) { /* S = 2S */ MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group)); /* if k_i = 1, then S = S + Q */ if (mpl_get_bit(&k, i) != 0) { MP_CHECKOK(group->point_add(&sx, &sy, &qx, &qy, &sx, &sy, group)); } } #else /* double and add/subtract method from \ * standard */ /* k3 = 3 * k */ MP_CHECKOK(mp_set_int(&k3, 3)); MP_CHECKOK(mp_mul(&k, &k3, &k3)); /* S = Q */ MP_CHECKOK(mp_copy(&qx, &sx)); MP_CHECKOK(mp_copy(&qy, &sy)); /* l = index of high order bit in binary representation of 3*k */ l = mpl_significant_bits(&k3) - 1; /* for i = l-1 downto 1 */ for (i = l - 1; i >= 1; i--) { /* S = 2S */ MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group)); b3 = MP_GET_BIT(&k3, i); b1 = MP_GET_BIT(&k, i); /* if k3_i = 1 and k_i = 0, then S = S + Q */ if ((b3 == 1) && (b1 == 0)) { MP_CHECKOK(group->point_add(&sx, &sy, &qx, &qy, &sx, &sy, group)); /* if k3_i = 0 and k_i = 1, then S = S - Q */ } else if ((b3 == 0) && (b1 == 1)) { MP_CHECKOK(group->point_sub(&sx, &sy, &qx, &qy, &sx, &sy, group)); } } #endif /* output S */ MP_CHECKOK(mp_copy(&sx, rx)); MP_CHECKOK(mp_copy(&sy, ry)); CLEANUP: mp_clear(&k); mp_clear(&k3); mp_clear(&qx); mp_clear(&qy); mp_clear(&sx); mp_clear(&sy); return res; }
/* Uses mixed Jacobian-affine coordinates to perform a point * multiplication: R = n * P, n scalar. Uses mixed Jacobian-affine * coordinates (Jacobian coordinates for doubles and affine coordinates * for additions; based on recommendation from Brown et al.). Not very * time efficient but quite space efficient, no precomputation needed. * group contains the elliptic curve coefficients and the prime that * determines the field GFp. Elliptic curve points P and R can be * identical. Performs calculations in floating point number format, since * this is faster than the integer operations on the ULTRASPARC III. * Uses left-to-right binary method (double & add) (algorithm 9) for * scalar-point multiplication from Brown, Hankerson, Lopez, Menezes. * Software Implementation of the NIST Elliptic Curves Over Prime Fields. */ mp_err ec_GFp_pt_mul_jac_fp(const mp_int *n, const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry, const ECGroup *ecgroup) { mp_err res; mp_int sx, sy, sz; ecfp_aff_pt p; ecfp_jac_pt r; EC_group_fp *group = (EC_group_fp *) ecgroup->extra1; int i, l; MP_DIGITS(&sx) = 0; MP_DIGITS(&sy) = 0; MP_DIGITS(&sz) = 0; MP_CHECKOK(mp_init(&sx)); MP_CHECKOK(mp_init(&sy)); MP_CHECKOK(mp_init(&sz)); /* if n = 0 then r = inf */ if (mp_cmp_z(n) == 0) { mp_zero(rx); mp_zero(ry); res = MP_OKAY; goto CLEANUP; /* if n < 0 then out of range error */ } else if (mp_cmp_z(n) < 0) { res = MP_RANGE; goto CLEANUP; } /* Convert from integer to floating point */ ecfp_i2fp(p.x, px, ecgroup); ecfp_i2fp(p.y, py, ecgroup); ecfp_i2fp(group->curvea, &(ecgroup->curvea), ecgroup); /* Init r to point at infinity */ for (i = 0; i < group->numDoubles; i++) { r.z[i] = 0; } /* double and add method */ l = mpl_significant_bits(n) - 1; for (i = l; i >= 0; i--) { /* R = 2R */ group->pt_dbl_jac(&r, &r, group); /* if n_i = 1, then R = R + Q */ if (MP_GET_BIT(n, i) != 0) { group->pt_add_jac_aff(&r, &p, &r, group); } } /* Convert from floating point to integer */ ecfp_fp2i(&sx, r.x, ecgroup); ecfp_fp2i(&sy, r.y, ecgroup); ecfp_fp2i(&sz, r.z, ecgroup); /* convert result R to affine coordinates */ MP_CHECKOK(ec_GFp_pt_jac2aff(&sx, &sy, &sz, rx, ry, ecgroup)); CLEANUP: mp_clear(&sx); mp_clear(&sy); mp_clear(&sz); return res; }
/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters * a, b and p are the elliptic curve coefficients and the prime that * determines the field GFp. Elliptic curve points P and R can be * identical. Uses Jacobian coordinates. Uses 4-bit window method. */ mp_err ec_GFp_point_mul_jac_4w_fp(const mp_int *n, const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry, const ECGroup *ecgroup) { mp_err res = MP_OKAY; ecfp_jac_pt precomp[16], r; ecfp_aff_pt p; EC_group_fp *group; mp_int rz; int i, ni, d; ARGCHK(ecgroup != NULL, MP_BADARG); ARGCHK((n != NULL) && (px != NULL) && (py != NULL), MP_BADARG); group = (EC_group_fp *) ecgroup->extra1; MP_DIGITS(&rz) = 0; MP_CHECKOK(mp_init(&rz)); /* init p, da */ ecfp_i2fp(p.x, px, ecgroup); ecfp_i2fp(p.y, py, ecgroup); ecfp_i2fp(group->curvea, &ecgroup->curvea, ecgroup); /* Do precomputation */ group->precompute_jac(precomp, &p, group); /* Do main body of calculations */ d = (mpl_significant_bits(n) + 3) / 4; /* R = inf */ for (i = 0; i < group->numDoubles; i++) { r.z[i] = 0; } for (i = d - 1; i >= 0; i--) { /* compute window ni */ ni = MP_GET_BIT(n, 4 * i + 3); ni <<= 1; ni |= MP_GET_BIT(n, 4 * i + 2); ni <<= 1; ni |= MP_GET_BIT(n, 4 * i + 1); ni <<= 1; ni |= MP_GET_BIT(n, 4 * i); /* R = 2^4 * R */ group->pt_dbl_jac(&r, &r, group); group->pt_dbl_jac(&r, &r, group); group->pt_dbl_jac(&r, &r, group); group->pt_dbl_jac(&r, &r, group); /* R = R + (ni * P) */ group->pt_add_jac(&r, &precomp[ni], &r, group); } /* Convert back to integer */ ecfp_fp2i(rx, r.x, ecgroup); ecfp_fp2i(ry, r.y, ecgroup); ecfp_fp2i(&rz, r.z, ecgroup); /* convert result S to affine coordinates */ MP_CHECKOK(ec_GFp_pt_jac2aff(rx, ry, &rz, rx, ry, ecgroup)); CLEANUP: mp_clear(&rz); return res; }
mp_err mp_exptmod(const mp_int *inBase, const mp_int *exponent, const mp_int *modulus, mp_int *result) { const mp_int *base; mp_size bits_in_exponent, i, window_bits, odd_ints; mp_err res; int nLen; mp_int montBase, goodBase; mp_mont_modulus mmm; #ifdef MP_USING_CACHE_SAFE_MOD_EXP static unsigned int max_window_bits; #endif /* function for computing n0prime only works if n0 is odd */ if (!mp_isodd(modulus)) return s_mp_exptmod(inBase, exponent, modulus, result); MP_DIGITS(&montBase) = 0; MP_DIGITS(&goodBase) = 0; if (mp_cmp(inBase, modulus) < 0) { base = inBase; } else { MP_CHECKOK( mp_init(&goodBase) ); base = &goodBase; MP_CHECKOK( mp_mod(inBase, modulus, &goodBase) ); } nLen = MP_USED(modulus); MP_CHECKOK( mp_init_size(&montBase, 2 * nLen + 2) ); mmm.N = *modulus; /* a copy of the mp_int struct */ /* compute n0', given n0, n0' = -(n0 ** -1) mod MP_RADIX ** where n0 = least significant mp_digit of N, the modulus. */ mmm.n0prime = 0 - s_mp_invmod_radix( MP_DIGIT(modulus, 0) ); MP_CHECKOK( s_mp_to_mont(base, &mmm, &montBase) ); bits_in_exponent = mpl_significant_bits(exponent); #ifdef MP_USING_CACHE_SAFE_MOD_EXP if (mp_using_cache_safe_exp) { if (bits_in_exponent > 780) window_bits = 6; else if (bits_in_exponent > 256) window_bits = 5; else if (bits_in_exponent > 20) window_bits = 4; /* RSA public key exponents are typically under 20 bits (common values * are: 3, 17, 65537) and a 4-bit window is inefficient */ else window_bits = 1; } else #endif if (bits_in_exponent > 480) window_bits = 6; else if (bits_in_exponent > 160) window_bits = 5; else if (bits_in_exponent > 20) window_bits = 4; /* RSA public key exponents are typically under 20 bits (common values * are: 3, 17, 65537) and a 4-bit window is inefficient */ else window_bits = 1; #ifdef MP_USING_CACHE_SAFE_MOD_EXP /* * clamp the window size based on * the cache line size. */ if (!max_window_bits) { unsigned long cache_size = s_mpi_getProcessorLineSize(); /* processor has no cache, use 'fast' code always */ if (cache_size == 0) { mp_using_cache_safe_exp = 0; } if ((cache_size == 0) || (cache_size >= 64)) { max_window_bits = 6; } else if (cache_size >= 32) { max_window_bits = 5; } else if (cache_size >= 16) { max_window_bits = 4; } else max_window_bits = 1; /* should this be an assert? */ } /* clamp the window size down before we caclulate bits_in_exponent */ if (mp_using_cache_safe_exp) { if (window_bits > max_window_bits) { window_bits = max_window_bits; } } #endif odd_ints = 1 << (window_bits - 1); i = bits_in_exponent % window_bits; if (i != 0) { bits_in_exponent += window_bits - i; } #ifdef MP_USING_MONT_MULF if (mp_using_mont_mulf) { MP_CHECKOK( s_mp_pad(&montBase, nLen) ); res = mp_exptmod_f(&montBase, exponent, modulus, result, &mmm, nLen, bits_in_exponent, window_bits, odd_ints); } else #endif #ifdef MP_USING_CACHE_SAFE_MOD_EXP if (mp_using_cache_safe_exp) { res = mp_exptmod_safe_i(&montBase, exponent, modulus, result, &mmm, nLen, bits_in_exponent, window_bits, 1 << window_bits); } else #endif res = mp_exptmod_i(&montBase, exponent, modulus, result, &mmm, nLen, bits_in_exponent, window_bits, odd_ints); CLEANUP: mp_clear(&montBase); mp_clear(&goodBase); /* Don't mp_clear mmm.N because it is merely a copy of modulus. ** Just zap it. */ memset(&mmm, 0, sizeof mmm); return res; }
/* Computes the ECDSA signature (a concatenation of two values r and s) * on the digest using the given key and the random value kb (used in * computing s). */ SECStatus ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, const SECItem *digest, const unsigned char *kb, const int kblen) { SECStatus rv = SECFailure; #ifndef NSS_DISABLE_ECC mp_int x1; mp_int d, k; /* private key, random integer */ mp_int r, s; /* tuple (r, s) is the signature */ mp_int n; mp_err err = MP_OKAY; ECParams *ecParams = NULL; SECItem kGpoint = { siBuffer, NULL, 0}; int flen = 0; /* length in bytes of the field size */ unsigned olen; /* length in bytes of the base point order */ unsigned obits; /* length in bits of the base point order */ #if EC_DEBUG char mpstr[256]; #endif /* Initialize MPI integers. */ /* must happen before the first potential call to cleanup */ MP_DIGITS(&x1) = 0; MP_DIGITS(&d) = 0; MP_DIGITS(&k) = 0; MP_DIGITS(&r) = 0; MP_DIGITS(&s) = 0; MP_DIGITS(&n) = 0; /* Check args */ if (!key || !signature || !digest || !kb || (kblen < 0)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); goto cleanup; } ecParams = &(key->ecParams); flen = (ecParams->fieldID.size + 7) >> 3; olen = ecParams->order.len; if (signature->data == NULL) { /* a call to get the signature length only */ goto finish; } if (signature->len < 2*olen) { PORT_SetError(SEC_ERROR_OUTPUT_LEN); goto cleanup; } CHECK_MPI_OK( mp_init(&x1) ); CHECK_MPI_OK( mp_init(&d) ); CHECK_MPI_OK( mp_init(&k) ); CHECK_MPI_OK( mp_init(&r) ); CHECK_MPI_OK( mp_init(&s) ); CHECK_MPI_OK( mp_init(&n) ); SECITEM_TO_MPINT( ecParams->order, &n ); SECITEM_TO_MPINT( key->privateValue, &d ); CHECK_MPI_OK( mp_read_unsigned_octets(&k, kb, kblen) ); /* Make sure k is in the interval [1, n-1] */ if ((mp_cmp_z(&k) <= 0) || (mp_cmp(&k, &n) >= 0)) { #if EC_DEBUG printf("k is outside [1, n-1]\n"); mp_tohex(&k, mpstr); printf("k : %s \n", mpstr); mp_tohex(&n, mpstr); printf("n : %s \n", mpstr); #endif PORT_SetError(SEC_ERROR_NEED_RANDOM); goto cleanup; } /* ** We do not want timing information to leak the length of k, ** so we compute k*G using an equivalent scalar of fixed ** bit-length. ** Fix based on patch for ECDSA timing attack in the paper ** by Billy Bob Brumley and Nicola Tuveri at ** http://eprint.iacr.org/2011/232 ** ** How do we convert k to a value of a fixed bit-length? ** k starts off as an integer satisfying 0 <= k < n. Hence, ** n <= k+n < 2n, which means k+n has either the same number ** of bits as n or one more bit than n. If k+n has the same ** number of bits as n, the second addition ensures that the ** final value has exactly one more bit than n. Thus, we ** always end up with a value that exactly one more bit than n. */ CHECK_MPI_OK( mp_add(&k, &n, &k) ); if (mpl_significant_bits(&k) <= mpl_significant_bits(&n)) { CHECK_MPI_OK( mp_add(&k, &n, &k) ); } /* ** ANSI X9.62, Section 5.3.2, Step 2 ** ** Compute kG */ kGpoint.len = 2*flen + 1; kGpoint.data = PORT_Alloc(2*flen + 1); if ((kGpoint.data == NULL) || (ec_points_mul(ecParams, &k, NULL, NULL, &kGpoint) != SECSuccess)) goto cleanup; /* ** ANSI X9.62, Section 5.3.3, Step 1 ** ** Extract the x co-ordinate of kG into x1 */ CHECK_MPI_OK( mp_read_unsigned_octets(&x1, kGpoint.data + 1, (mp_size) flen) ); /* ** ANSI X9.62, Section 5.3.3, Step 2 ** ** r = x1 mod n NOTE: n is the order of the curve */ CHECK_MPI_OK( mp_mod(&x1, &n, &r) ); /* ** ANSI X9.62, Section 5.3.3, Step 3 ** ** verify r != 0 */ if (mp_cmp_z(&r) == 0) { PORT_SetError(SEC_ERROR_NEED_RANDOM); goto cleanup; } /* ** ANSI X9.62, Section 5.3.3, Step 4 ** ** s = (k**-1 * (HASH(M) + d*r)) mod n */ SECITEM_TO_MPINT(*digest, &s); /* s = HASH(M) */ /* In the definition of EC signing, digests are truncated * to the length of n in bits. * (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/ CHECK_MPI_OK( (obits = mpl_significant_bits(&n)) ); if (digest->len*8 > obits) { mpl_rsh(&s,&s,digest->len*8 - obits); } #if EC_DEBUG mp_todecimal(&n, mpstr); printf("n : %s (dec)\n", mpstr); mp_todecimal(&d, mpstr); printf("d : %s (dec)\n", mpstr); mp_tohex(&x1, mpstr); printf("x1: %s\n", mpstr); mp_todecimal(&s, mpstr); printf("digest: %s (decimal)\n", mpstr); mp_todecimal(&r, mpstr); printf("r : %s (dec)\n", mpstr); mp_tohex(&r, mpstr); printf("r : %s\n", mpstr); #endif CHECK_MPI_OK( mp_invmod(&k, &n, &k) ); /* k = k**-1 mod n */ CHECK_MPI_OK( mp_mulmod(&d, &r, &n, &d) ); /* d = d * r mod n */ CHECK_MPI_OK( mp_addmod(&s, &d, &n, &s) ); /* s = s + d mod n */ CHECK_MPI_OK( mp_mulmod(&s, &k, &n, &s) ); /* s = s * k mod n */ #if EC_DEBUG mp_todecimal(&s, mpstr); printf("s : %s (dec)\n", mpstr); mp_tohex(&s, mpstr); printf("s : %s\n", mpstr); #endif /* ** ANSI X9.62, Section 5.3.3, Step 5 ** ** verify s != 0 */ if (mp_cmp_z(&s) == 0) { PORT_SetError(SEC_ERROR_NEED_RANDOM); goto cleanup; } /* ** ** Signature is tuple (r, s) */ CHECK_MPI_OK( mp_to_fixlen_octets(&r, signature->data, olen) ); CHECK_MPI_OK( mp_to_fixlen_octets(&s, signature->data + olen, olen) ); finish: signature->len = 2*olen; rv = SECSuccess; err = MP_OKAY; cleanup: mp_clear(&x1); mp_clear(&d); mp_clear(&k); mp_clear(&r); mp_clear(&s); mp_clear(&n); if (kGpoint.data) { PORT_ZFree(kGpoint.data, 2*flen + 1); } if (err) { MP_TO_SEC_ERROR(err); rv = SECFailure; } #if EC_DEBUG printf("ECDSA signing with seed %s\n", (rv == SECSuccess) ? "succeeded" : "failed"); #endif #else PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); #endif /* NSS_DISABLE_ECC */ return rv; }
mp_err mpp_make_prime(mp_int *start, mp_size nBits, mp_size strong, unsigned long * nTries) { mp_digit np; mp_err res; int i = 0; mp_int trial; mp_int q; mp_size num_tests; unsigned char *sieve; ARGCHK(start != 0, MP_BADARG); ARGCHK(nBits > 16, MP_RANGE); sieve = malloc(SIEVE_SIZE); ARGCHK(sieve != NULL, MP_MEM); MP_DIGITS(&trial) = 0; MP_DIGITS(&q) = 0; MP_CHECKOK( mp_init(&trial) ); MP_CHECKOK( mp_init(&q) ); /* values taken from table 4.4, HandBook of Applied Cryptography */ if (nBits >= 1300) { num_tests = 2; } else if (nBits >= 850) { num_tests = 3; } else if (nBits >= 650) { num_tests = 4; } else if (nBits >= 550) { num_tests = 5; } else if (nBits >= 450) { num_tests = 6; } else if (nBits >= 400) { num_tests = 7; } else if (nBits >= 350) { num_tests = 8; } else if (nBits >= 300) { num_tests = 9; } else if (nBits >= 250) { num_tests = 12; } else if (nBits >= 200) { num_tests = 15; } else if (nBits >= 150) { num_tests = 18; } else if (nBits >= 100) { num_tests = 27; } else num_tests = 50; if (strong) --nBits; MP_CHECKOK( mpl_set_bit(start, nBits - 1, 1) ); MP_CHECKOK( mpl_set_bit(start, 0, 1) ); for (i = mpl_significant_bits(start) - 1; i >= nBits; --i) { MP_CHECKOK( mpl_set_bit(start, i, 0) ); } /* start sieveing with prime value of 3. */ MP_CHECKOK(mpp_sieve(start, prime_tab + 1, prime_tab_size - 1, sieve, SIEVE_SIZE) ); #ifdef DEBUG_SIEVE res = 0; for (i = 0; i < SIEVE_SIZE; ++i) { if (!sieve[i]) ++res; } fprintf(stderr,"sieve found %d potential primes.\n", res); #define FPUTC(x,y) fputc(x,y) #else #define FPUTC(x,y) #endif res = MP_NO; for(i = 0; i < SIEVE_SIZE; ++i) { if (sieve[i]) /* this number is composite */ continue; MP_CHECKOK( mp_add_d(start, 2 * i, &trial) ); FPUTC('.', stderr); /* run a Fermat test */ res = mpp_fermat(&trial, 2); if (res != MP_OKAY) { if (res == MP_NO) continue; /* was composite */ goto CLEANUP; } FPUTC('+', stderr); /* If that passed, run some Miller-Rabin tests */ res = mpp_pprime(&trial, num_tests); if (res != MP_OKAY) { if (res == MP_NO) continue; /* was composite */ goto CLEANUP; } FPUTC('!', stderr); if (!strong) break; /* success !! */ /* At this point, we have strong evidence that our candidate is itself prime. If we want a strong prime, we need now to test q = 2p + 1 for primality... */ MP_CHECKOK( mp_mul_2(&trial, &q) ); MP_CHECKOK( mp_add_d(&q, 1, &q) ); /* Test q for small prime divisors ... */ np = prime_tab_size; res = mpp_divis_primes(&q, &np); if (res == MP_YES) { /* is composite */ mp_clear(&q); continue; } if (res != MP_NO) goto CLEANUP; /* And test with Fermat, as with its parent ... */ res = mpp_fermat(&q, 2); if (res != MP_YES) { mp_clear(&q); if (res == MP_NO) continue; /* was composite */ goto CLEANUP; } /* And test with Miller-Rabin, as with its parent ... */ res = mpp_pprime(&q, num_tests); if (res != MP_YES) { mp_clear(&q); if (res == MP_NO) continue; /* was composite */ goto CLEANUP; } /* If it passed, we've got a winner */ mp_exch(&q, &trial); mp_clear(&q); break; } /* end of loop through sieved values */ if (res == MP_YES) mp_exch(&trial, start); CLEANUP: mp_clear(&trial); mp_clear(&q); if (nTries) *nTries += i; if (sieve != NULL) { memset(sieve, 0, SIEVE_SIZE); free (sieve); } return res; }
/* Computes R = nP where R is (rx, ry) and P is the base point. Elliptic * curve points P and R can be identical. Uses mixed Modified-Jacobian * co-ordinates for doubling and Chudnovsky Jacobian coordinates for * additions. Assumes input is already field-encoded using field_enc, and * returns output that is still field-encoded. Uses 5-bit window NAF * method (algorithm 11) for scalar-point multiplication from Brown, * Hankerson, Lopez, Menezes. Software Implementation of the NIST Elliptic * Curves Over Prime Fields. */ mp_err ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry, const ECGroup *group) { mp_err res = MP_OKAY; mp_int precomp[16][2], rz, tpx, tpy; mp_int raz4; mp_int scratch[MAX_SCRATCH]; signed char *naf = NULL; int i, orderBitSize; MP_DIGITS(&rz) = 0; MP_DIGITS(&raz4) = 0; MP_DIGITS(&tpx) = 0; MP_DIGITS(&tpy) = 0; for (i = 0; i < 16; i++) { MP_DIGITS(&precomp[i][0]) = 0; MP_DIGITS(&precomp[i][1]) = 0; } for (i = 0; i < MAX_SCRATCH; i++) { MP_DIGITS(&scratch[i]) = 0; } ARGCHK(group != NULL, MP_BADARG); ARGCHK((n != NULL) && (px != NULL) && (py != NULL), MP_BADARG); /* initialize precomputation table */ MP_CHECKOK(mp_init(&tpx, FLAG(n))); MP_CHECKOK(mp_init(&tpy, FLAG(n)));; MP_CHECKOK(mp_init(&rz, FLAG(n))); MP_CHECKOK(mp_init(&raz4, FLAG(n))); for (i = 0; i < 16; i++) { MP_CHECKOK(mp_init(&precomp[i][0], FLAG(n))); MP_CHECKOK(mp_init(&precomp[i][1], FLAG(n))); } for (i = 0; i < MAX_SCRATCH; i++) { MP_CHECKOK(mp_init(&scratch[i], FLAG(n))); } /* Set out[8] = P */ MP_CHECKOK(mp_copy(px, &precomp[8][0])); MP_CHECKOK(mp_copy(py, &precomp[8][1])); /* Set (tpx, tpy) = 2P */ MP_CHECKOK(group-> point_dbl(&precomp[8][0], &precomp[8][1], &tpx, &tpy, group)); /* Set 3P, 5P, ..., 15P */ for (i = 8; i < 15; i++) { MP_CHECKOK(group-> point_add(&precomp[i][0], &precomp[i][1], &tpx, &tpy, &precomp[i + 1][0], &precomp[i + 1][1], group)); } /* Set -15P, -13P, ..., -P */ for (i = 0; i < 8; i++) { MP_CHECKOK(mp_copy(&precomp[15 - i][0], &precomp[i][0])); MP_CHECKOK(group->meth-> field_neg(&precomp[15 - i][1], &precomp[i][1], group->meth)); } /* R = inf */ MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, &rz)); orderBitSize = mpl_significant_bits(&group->order); /* Allocate memory for NAF */ #ifdef _KERNEL naf = (signed char *) kmem_alloc((orderBitSize + 1), FLAG(n)); #else naf = (signed char *) malloc(sizeof(signed char) * (orderBitSize + 1)); if (naf == NULL) { res = MP_MEM; goto CLEANUP; } #endif /* Compute 5NAF */ ec_compute_wNAF(naf, orderBitSize, n, 5); /* wNAF method */ for (i = orderBitSize; i >= 0; i--) { /* R = 2R */ ec_GFp_pt_dbl_jm(rx, ry, &rz, &raz4, rx, ry, &rz, &raz4, scratch, group); if (naf[i] != 0) { ec_GFp_pt_add_jm_aff(rx, ry, &rz, &raz4, &precomp[(naf[i] + 15) / 2][0], &precomp[(naf[i] + 15) / 2][1], rx, ry, &rz, &raz4, scratch, group); } } /* convert result S to affine coordinates */ MP_CHECKOK(ec_GFp_pt_jac2aff(rx, ry, &rz, rx, ry, group)); CLEANUP: for (i = 0; i < MAX_SCRATCH; i++) { mp_clear(&scratch[i]); } for (i = 0; i < 16; i++) { mp_clear(&precomp[i][0]); mp_clear(&precomp[i][1]); } mp_clear(&tpx); mp_clear(&tpy); mp_clear(&rz); mp_clear(&raz4); #ifdef _KERNEL kmem_free(naf, (orderBitSize + 1)); #else free(naf); #endif return res; }
/* * Try to find the two primes based on 2 exponents plus either a prime * or a modulus. * * In: e, d and either p or n (depending on the setting of hasModulus). * Out: p,q. * * Step 1, Since d = e**-1 mod phi, we know that d*e == 1 mod phi, or * d*e = 1+k*phi, or d*e-1 = k*phi. since d is less than phi and e is * usually less than d, then k must be an integer between e-1 and 1 * (probably on the order of e). * Step 1a, If we were passed just a prime, we can divide k*phi by that * prime-1 and get k*(q-1). This will reduce the size of our division * through the rest of the loop. * Step 2, Loop through the values k=e-1 to 1 looking for k. k should be on * the order or e, and e is typically small. This may take a while for * a large random e. We are looking for a k that divides kphi * evenly. Once we find a k that divides kphi evenly, we assume it * is the true k. It's possible this k is not the 'true' k but has * swapped factors of p-1 and/or q-1. Because of this, we * tentatively continue Steps 3-6 inside this loop, and may return looking * for another k on failure. * Step 3, Calculate are tentative phi=kphi/k. Note: real phi is (p-1)*(q-1). * Step 4a, if we have a prime, kphi is already k*(q-1), so phi is or tenative * q-1. q = phi+1. If k is correct, q should be the right length and * prime. * Step 4b, It's possible q-1 and k could have swapped factors. We now have a * possible solution that meets our criteria. It may not be the only * solution, however, so we keep looking. If we find more than one, * we will fail since we cannot determine which is the correct * solution, and returning the wrong modulus will compromise both * moduli. If no other solution is found, we return the unique solution. * Step 5a, If we have the modulus (n=pq), then use the following formula to * calculate s=(p+q): , phi = (p-1)(q-1) = pq -p-q +1 = n-s+1. so * s=n-phi+1. * Step 5b, Use n=pq and s=p+q to solve for p and q as follows: * since q=s-p, then n=p*(s-p)= sp - p^2, rearranging p^2-s*p+n = 0. * from the quadratic equation we have p=1/2*(s+sqrt(s*s-4*n)) and * q=1/2*(s-sqrt(s*s-4*n)) if s*s-4*n is a perfect square, we are DONE. * If it is not, continue in our look looking for another k. NOTE: the * code actually distributes the 1/2 and results in the equations: * sqrt = sqrt(s/2*s/2-n), p=s/2+sqrt, q=s/2-sqrt. The algebra saves us * and extra divide by 2 and a multiply by 4. * * This will return p & q. q may be larger than p in the case that p was given * and it was the smaller prime. */ static mp_err rsa_get_primes_from_exponents(mp_int *e, mp_int *d, mp_int *p, mp_int *q, mp_int *n, PRBool hasModulus, unsigned int keySizeInBits) { mp_int kphi; /* k*phi */ mp_int k; /* current guess at 'k' */ mp_int phi; /* (p-1)(q-1) */ mp_int s; /* p+q/2 (s/2 in the algebra) */ mp_int r; /* remainder */ mp_int tmp; /* p-1 if p is given, n+1 is modulus is given */ mp_int sqrt; /* sqrt(s/2*s/2-n) */ mp_err err = MP_OKAY; unsigned int order_k; MP_DIGITS(&kphi) = 0; MP_DIGITS(&phi) = 0; MP_DIGITS(&s) = 0; MP_DIGITS(&k) = 0; MP_DIGITS(&r) = 0; MP_DIGITS(&tmp) = 0; MP_DIGITS(&sqrt) = 0; CHECK_MPI_OK( mp_init(&kphi) ); CHECK_MPI_OK( mp_init(&phi) ); CHECK_MPI_OK( mp_init(&s) ); CHECK_MPI_OK( mp_init(&k) ); CHECK_MPI_OK( mp_init(&r) ); CHECK_MPI_OK( mp_init(&tmp) ); CHECK_MPI_OK( mp_init(&sqrt) ); /* our algorithm looks for a factor k whose maximum size is dependent * on the size of our smallest exponent, which had better be the public * exponent (if it's the private, the key is vulnerable to a brute force * attack). * * since our factor search is linear, we need to limit the maximum * size of the public key. this should not be a problem normally, since * public keys are usually small. * * if we want to handle larger public key sizes, we should have * a version which tries to 'completely' factor k*phi (where completely * means 'factor into primes, or composites with which are products of * large primes). Once we have all the factors, we can sort them out and * try different combinations to form our phi. The risk is if (p-1)/2, * (q-1)/2, and k are all large primes. In any case if the public key * is small (order of 20 some bits), then a linear search for k is * manageable. */ if (mpl_significant_bits(e) > 23) { err=MP_RANGE; goto cleanup; } /* calculate k*phi = e*d - 1 */ CHECK_MPI_OK( mp_mul(e, d, &kphi) ); CHECK_MPI_OK( mp_sub_d(&kphi, 1, &kphi) ); /* kphi is (e*d)-1, which is the same as k*(p-1)(q-1) * d < (p-1)(q-1), therefor k must be less than e-1 * We can narrow down k even more, though. Since p and q are odd and both * have their high bit set, then we know that phi must be on order of * keySizeBits. */ order_k = (unsigned)mpl_significant_bits(&kphi) - keySizeInBits; /* for (k=kinit; order(k) >= order_k; k--) { */ /* k=kinit: k can't be bigger than kphi/2^(keySizeInBits -1) */ CHECK_MPI_OK( mp_2expt(&k,keySizeInBits-1) ); CHECK_MPI_OK( mp_div(&kphi, &k, &k, NULL)); if (mp_cmp(&k,e) >= 0) { /* also can't be bigger then e-1 */ CHECK_MPI_OK( mp_sub_d(e, 1, &k) ); } /* calculate our temp value */ /* This saves recalculating this value when the k guess is wrong, which * is reasonably frequent. */ /* for the modulus case, tmp = n+1 (used to calculate p+q = tmp - phi) */ /* for the prime case, tmp = p-1 (used to calculate q-1= phi/tmp) */ if (hasModulus) { CHECK_MPI_OK( mp_add_d(n, 1, &tmp) ); } else { CHECK_MPI_OK( mp_sub_d(p, 1, &tmp) ); CHECK_MPI_OK(mp_div(&kphi,&tmp,&kphi,&r)); if (mp_cmp_z(&r) != 0) { /* p-1 doesn't divide kphi, some parameter wasn't correct */ err=MP_RANGE; goto cleanup; } mp_zero(q); /* kphi is now k*(q-1) */ } /* rest of the for loop */ for (; (err == MP_OKAY) && (mpl_significant_bits(&k) >= order_k); err = mp_sub_d(&k, 1, &k)) { /* looking for k as a factor of kphi */ CHECK_MPI_OK(mp_div(&kphi,&k,&phi,&r)); if (mp_cmp_z(&r) != 0) { /* not a factor, try the next one */ continue; } /* we have a possible phi, see if it works */ if (!hasModulus) { if ((unsigned)mpl_significant_bits(&phi) != keySizeInBits/2) { /* phi is not the right size */ continue; } /* phi should be divisible by 2, since * q is odd and phi=(q-1). */ if (mpp_divis_d(&phi,2) == MP_NO) { /* phi is not divisible by 4 */ continue; } /* we now have a candidate for the second prime */ CHECK_MPI_OK(mp_add_d(&phi, 1, &tmp)); /* check to make sure it is prime */ err = rsa_is_prime(&tmp); if (err != MP_OKAY) { if (err == MP_NO) { /* No, then we still have the wrong phi */ err = MP_OKAY; continue; } goto cleanup; } /* * It is possible that we have the wrong phi if * k_guess*(q_guess-1) = k*(q-1) (k and q-1 have swapped factors). * since our q_quess is prime, however. We have found a valid * rsa key because: * q is the correct order of magnitude. * phi = (p-1)(q-1) where p and q are both primes. * e*d mod phi = 1. * There is no way to know from the info given if this is the * original key. We never want to return the wrong key because if * two moduli with the same factor is known, then euclid's gcd * algorithm can be used to find that factor. Even though the * caller didn't pass the original modulus, it doesn't mean the * modulus wasn't known or isn't available somewhere. So to be safe * if we can't be sure we have the right q, we don't return any. * * So to make sure we continue looking for other valid q's. If none * are found, then we can safely return this one, otherwise we just * fail */ if (mp_cmp_z(q) != 0) { /* this is the second valid q, don't return either, * just fail */ err = MP_RANGE; break; } /* we only have one q so far, save it and if no others are found, * it's safe to return it */ CHECK_MPI_OK(mp_copy(&tmp, q)); continue; } /* test our tentative phi */ /* phi should be the correct order */ if ((unsigned)mpl_significant_bits(&phi) != keySizeInBits) { /* phi is not the right size */ continue; } /* phi should be divisible by 4, since * p and q are odd and phi=(p-1)(q-1). */ if (mpp_divis_d(&phi,4) == MP_NO) { /* phi is not divisible by 4 */ continue; } /* n was given, calculate s/2=(p+q)/2 */ CHECK_MPI_OK( mp_sub(&tmp, &phi, &s) ); CHECK_MPI_OK( mp_div_2(&s, &s) ); /* calculate sqrt(s/2*s/2-n) */ CHECK_MPI_OK(mp_sqr(&s,&sqrt)); CHECK_MPI_OK(mp_sub(&sqrt,n,&r)); /* r as a tmp */ CHECK_MPI_OK(mp_sqrt(&r,&sqrt)); /* make sure it's a perfect square */ /* r is our original value we took the square root of */ /* q is the square of our tentative square root. They should be equal*/ CHECK_MPI_OK(mp_sqr(&sqrt,q)); /* q as a tmp */ if (mp_cmp(&r,q) != 0) { /* sigh according to the doc, mp_sqrt could return sqrt-1 */ CHECK_MPI_OK(mp_add_d(&sqrt,1,&sqrt)); CHECK_MPI_OK(mp_sqr(&sqrt,q)); if (mp_cmp(&r,q) != 0) { /* s*s-n not a perfect square, this phi isn't valid, find * another.*/ continue; } } /* NOTE: In this case we know we have the one and only answer. * "Why?", you ask. Because: * 1) n is a composite of two large primes (or it wasn't a * valid RSA modulus). * 2) If we know any number such that x^2-n is a perfect square * and x is not (n+1)/2, then we can calculate 2 non-trivial * factors of n. * 3) Since we know that n has only 2 non-trivial prime factors, * we know the two factors we have are the only possible factors. */ /* Now we are home free to calculate p and q */ /* p = s/2 + sqrt, q= s/2 - sqrt */ CHECK_MPI_OK(mp_add(&s,&sqrt,p)); CHECK_MPI_OK(mp_sub(&s,&sqrt,q)); break; } if ((unsigned)mpl_significant_bits(&k) < order_k) { if (hasModulus || (mp_cmp_z(q) == 0)) { /* If we get here, something was wrong with the parameters we * were given */ err = MP_RANGE; } } cleanup: mp_clear(&kphi); mp_clear(&phi); mp_clear(&s); mp_clear(&k); mp_clear(&r); mp_clear(&tmp); mp_clear(&sqrt); return err; }