2002-08-02 14:28:37 +00:00
|
|
|
/*
|
2018-01-09 04:49:01 +00:00
|
|
|
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
|
2017-06-15 14:16:46 +00:00
|
|
|
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
2001-03-05 20:13:37 +00:00
|
|
|
*
|
2018-12-06 12:38:06 +00:00
|
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
2016-05-17 19:38:09 +00:00
|
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
|
|
|
* in the file LICENSE in the source distribution or at
|
|
|
|
|
* https://www.openssl.org/source/license.html
|
2001-03-05 20:13:37 +00:00
|
|
|
*/
|
2016-05-17 19:38:09 +00:00
|
|
|
|
2001-03-05 21:54:39 +00:00
|
|
|
#include <stdlib.h>
|
|
|
|
|
|
2002-06-10 12:18:21 +00:00
|
|
|
#include <openssl/obj_mac.h>
|
2001-03-05 20:31:49 +00:00
|
|
|
#include <openssl/ec.h>
|
2004-05-17 19:14:22 +00:00
|
|
|
#include <openssl/bn.h>
|
2016-08-27 14:01:08 +00:00
|
|
|
#include "internal/refcount.h"
|
2018-06-21 16:08:50 +00:00
|
|
|
#include "internal/ec_int.h"
|
2018-02-28 14:59:44 +00:00
|
|
|
#include "curve448/curve448_lcl.h"
|
2001-03-05 21:54:39 +00:00
|
|
|
|
2004-01-24 16:31:21 +00:00
|
|
|
#if defined(__SUNPRO_C)
|
|
|
|
|
# if __SUNPRO_C >= 0x520
|
2015-01-22 03:40:55 +00:00
|
|
|
# pragma error_messages (off,E_ARRAY_OF_INCOMPLETE_NONAME,E_ARRAY_OF_INCOMPLETE)
|
2004-01-24 16:31:21 +00:00
|
|
|
# endif
|
|
|
|
|
#endif
|
2001-03-05 21:54:39 +00:00
|
|
|
|
2011-02-14 16:52:12 +00:00
|
|
|
/* Use default functions for poin2oct, oct2point and compressed coordinates */
|
2015-01-22 03:40:55 +00:00
|
|
|
#define EC_FLAGS_DEFAULT_OCT 0x1
|
2011-02-14 16:52:12 +00:00
|
|
|
|
2016-02-01 17:57:01 +00:00
|
|
|
/* Use custom formats for EC_GROUP, EC_POINT and EC_KEY */
|
|
|
|
|
#define EC_FLAGS_CUSTOM_CURVE 0x2
|
|
|
|
|
|
2016-02-23 15:02:34 +00:00
|
|
|
/* Curve does not support signing operations */
|
|
|
|
|
#define EC_FLAGS_NO_SIGN 0x4
|
|
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
/*
|
|
|
|
|
* Structure details are not part of the exported interface, so all this may
|
|
|
|
|
* change in future versions.
|
|
|
|
|
*/
|
2001-03-05 21:54:39 +00:00
|
|
|
|
|
|
|
|
struct ec_method_st {
|
2015-01-22 03:40:55 +00:00
|
|
|
/* Various method flags */
|
|
|
|
|
int flags;
|
|
|
|
|
/* used by EC_METHOD_get_field_type: */
|
|
|
|
|
int field_type; /* a NID */
|
|
|
|
|
/*
|
|
|
|
|
* used by EC_GROUP_new, EC_GROUP_free, EC_GROUP_clear_free,
|
|
|
|
|
* EC_GROUP_copy:
|
|
|
|
|
*/
|
|
|
|
|
int (*group_init) (EC_GROUP *);
|
|
|
|
|
void (*group_finish) (EC_GROUP *);
|
|
|
|
|
void (*group_clear_finish) (EC_GROUP *);
|
|
|
|
|
int (*group_copy) (EC_GROUP *, const EC_GROUP *);
|
2018-07-30 15:40:18 +00:00
|
|
|
/* used by EC_GROUP_set_curve, EC_GROUP_get_curve: */
|
2015-01-22 03:40:55 +00:00
|
|
|
int (*group_set_curve) (EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
|
|
|
|
|
const BIGNUM *b, BN_CTX *);
|
|
|
|
|
int (*group_get_curve) (const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b,
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
/* used by EC_GROUP_get_degree: */
|
|
|
|
|
int (*group_get_degree) (const EC_GROUP *);
|
2016-02-01 18:52:41 +00:00
|
|
|
int (*group_order_bits) (const EC_GROUP *);
|
2015-01-22 03:40:55 +00:00
|
|
|
/* used by EC_GROUP_check: */
|
|
|
|
|
int (*group_check_discriminant) (const EC_GROUP *, BN_CTX *);
|
|
|
|
|
/*
|
|
|
|
|
* used by EC_POINT_new, EC_POINT_free, EC_POINT_clear_free,
|
|
|
|
|
* EC_POINT_copy:
|
|
|
|
|
*/
|
|
|
|
|
int (*point_init) (EC_POINT *);
|
|
|
|
|
void (*point_finish) (EC_POINT *);
|
|
|
|
|
void (*point_clear_finish) (EC_POINT *);
|
|
|
|
|
int (*point_copy) (EC_POINT *, const EC_POINT *);
|
2015-01-05 11:30:03 +00:00
|
|
|
/*-
|
|
|
|
|
* used by EC_POINT_set_to_infinity,
|
|
|
|
|
* EC_POINT_set_Jprojective_coordinates_GFp,
|
|
|
|
|
* EC_POINT_get_Jprojective_coordinates_GFp,
|
2018-07-30 15:40:18 +00:00
|
|
|
* EC_POINT_set_affine_coordinates,
|
|
|
|
|
* EC_POINT_get_affine_coordinates,
|
|
|
|
|
* EC_POINT_set_compressed_coordinates:
|
2015-01-05 11:30:03 +00:00
|
|
|
*/
|
2015-01-22 03:40:55 +00:00
|
|
|
int (*point_set_to_infinity) (const EC_GROUP *, EC_POINT *);
|
|
|
|
|
int (*point_set_Jprojective_coordinates_GFp) (const EC_GROUP *,
|
|
|
|
|
EC_POINT *, const BIGNUM *x,
|
|
|
|
|
const BIGNUM *y,
|
|
|
|
|
const BIGNUM *z, BN_CTX *);
|
|
|
|
|
int (*point_get_Jprojective_coordinates_GFp) (const EC_GROUP *,
|
|
|
|
|
const EC_POINT *, BIGNUM *x,
|
|
|
|
|
BIGNUM *y, BIGNUM *z,
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
int (*point_set_affine_coordinates) (const EC_GROUP *, EC_POINT *,
|
|
|
|
|
const BIGNUM *x, const BIGNUM *y,
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
int (*point_get_affine_coordinates) (const EC_GROUP *, const EC_POINT *,
|
|
|
|
|
BIGNUM *x, BIGNUM *y, BN_CTX *);
|
|
|
|
|
int (*point_set_compressed_coordinates) (const EC_GROUP *, EC_POINT *,
|
|
|
|
|
const BIGNUM *x, int y_bit,
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
/* used by EC_POINT_point2oct, EC_POINT_oct2point: */
|
|
|
|
|
size_t (*point2oct) (const EC_GROUP *, const EC_POINT *,
|
|
|
|
|
point_conversion_form_t form, unsigned char *buf,
|
|
|
|
|
size_t len, BN_CTX *);
|
|
|
|
|
int (*oct2point) (const EC_GROUP *, EC_POINT *, const unsigned char *buf,
|
|
|
|
|
size_t len, BN_CTX *);
|
|
|
|
|
/* used by EC_POINT_add, EC_POINT_dbl, ECP_POINT_invert: */
|
|
|
|
|
int (*add) (const EC_GROUP *, EC_POINT *r, const EC_POINT *a,
|
|
|
|
|
const EC_POINT *b, BN_CTX *);
|
|
|
|
|
int (*dbl) (const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);
|
|
|
|
|
int (*invert) (const EC_GROUP *, EC_POINT *, BN_CTX *);
|
|
|
|
|
/*
|
|
|
|
|
* used by EC_POINT_is_at_infinity, EC_POINT_is_on_curve, EC_POINT_cmp:
|
|
|
|
|
*/
|
|
|
|
|
int (*is_at_infinity) (const EC_GROUP *, const EC_POINT *);
|
|
|
|
|
int (*is_on_curve) (const EC_GROUP *, const EC_POINT *, BN_CTX *);
|
|
|
|
|
int (*point_cmp) (const EC_GROUP *, const EC_POINT *a, const EC_POINT *b,
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
/* used by EC_POINT_make_affine, EC_POINTs_make_affine: */
|
|
|
|
|
int (*make_affine) (const EC_GROUP *, EC_POINT *, BN_CTX *);
|
|
|
|
|
int (*points_make_affine) (const EC_GROUP *, size_t num, EC_POINT *[],
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
/*
|
|
|
|
|
* used by EC_POINTs_mul, EC_POINT_mul, EC_POINT_precompute_mult,
|
|
|
|
|
* EC_POINT_have_precompute_mult (default implementations are used if the
|
|
|
|
|
* 'mul' pointer is 0):
|
|
|
|
|
*/
|
2018-04-24 13:00:08 +00:00
|
|
|
/*-
|
|
|
|
|
* mul() calculates the value
|
|
|
|
|
*
|
|
|
|
|
* r := generator * scalar
|
|
|
|
|
* + points[0] * scalars[0]
|
|
|
|
|
* + ...
|
|
|
|
|
* + points[num-1] * scalars[num-1].
|
|
|
|
|
*
|
|
|
|
|
* For a fixed point multiplication (scalar != NULL, num == 0)
|
|
|
|
|
* or a variable point multiplication (scalar == NULL, num == 1),
|
|
|
|
|
* mul() must use a constant time algorithm: in both cases callers
|
|
|
|
|
* should provide an input scalar (either scalar or scalars[0])
|
|
|
|
|
* in the range [0, ec_group_order); for robustness, implementers
|
|
|
|
|
* should handle the case when the scalar has not been reduced, but
|
|
|
|
|
* may treat it as an unusual input, without any constant-timeness
|
|
|
|
|
* guarantee.
|
|
|
|
|
*/
|
2015-01-22 03:40:55 +00:00
|
|
|
int (*mul) (const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
|
|
|
|
|
size_t num, const EC_POINT *points[], const BIGNUM *scalars[],
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
int (*precompute_mult) (EC_GROUP *group, BN_CTX *);
|
|
|
|
|
int (*have_precompute_mult) (const EC_GROUP *group);
|
|
|
|
|
/* internal functions */
|
|
|
|
|
/*
|
|
|
|
|
* 'field_mul', 'field_sqr', and 'field_div' can be used by 'add' and
|
|
|
|
|
* 'dbl' so that the same implementations of point operations can be used
|
|
|
|
|
* with different optimized implementations of expensive field
|
|
|
|
|
* operations:
|
|
|
|
|
*/
|
|
|
|
|
int (*field_mul) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
|
const BIGNUM *b, BN_CTX *);
|
|
|
|
|
int (*field_sqr) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
|
|
|
|
|
int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
|
const BIGNUM *b, BN_CTX *);
|
SCA hardening for mod. field inversion in EC_GROUP
This commit adds a dedicated function in `EC_METHOD` to access a modular
field inversion implementation suitable for the specifics of the
implemented curve, featuring SCA countermeasures.
The new pointer is defined as:
`int (*field_inv)(const EC_GROUP*, BIGNUM *r, const BIGNUM *a, BN_CTX*)`
and computes the multiplicative inverse of `a` in the underlying field,
storing the result in `r`.
Three implementations are included, each including specific SCA
countermeasures:
- `ec_GFp_simple_field_inv()`, featuring SCA hardening through
blinding.
- `ec_GFp_mont_field_inv()`, featuring SCA hardening through Fermat's
Little Theorem (FLT) inversion.
- `ec_GF2m_simple_field_inv()`, that uses `BN_GF2m_mod_inv()` which
already features SCA hardening through blinding.
From a security point of view, this also helps addressing a leakage
previously affecting conversions from projective to affine coordinates.
This commit also adds a new error reason code (i.e.,
`EC_R_CANNOT_INVERT`) to improve consistency between the three
implementations as all of them could fail for the same reason but
through different code paths resulting in inconsistent error stack
states.
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8254)
2019-02-02 08:53:29 +00:00
|
|
|
/*-
|
|
|
|
|
* 'field_inv' computes the multipicative inverse of a in the field,
|
|
|
|
|
* storing the result in r.
|
|
|
|
|
*
|
|
|
|
|
* If 'a' is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error.
|
|
|
|
|
*/
|
|
|
|
|
int (*field_inv) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
|
2015-01-22 03:40:55 +00:00
|
|
|
/* e.g. to Montgomery */
|
|
|
|
|
int (*field_encode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
/* e.g. from Montgomery */
|
|
|
|
|
int (*field_decode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
int (*field_set_to_one) (const EC_GROUP *, BIGNUM *r, BN_CTX *);
|
2016-02-01 17:57:01 +00:00
|
|
|
/* private key operations */
|
|
|
|
|
size_t (*priv2oct)(const EC_KEY *eckey, unsigned char *buf, size_t len);
|
2016-06-19 16:54:50 +00:00
|
|
|
int (*oct2priv)(EC_KEY *eckey, const unsigned char *buf, size_t len);
|
2016-02-01 17:57:01 +00:00
|
|
|
int (*set_private)(EC_KEY *eckey, const BIGNUM *priv_key);
|
|
|
|
|
int (*keygen)(EC_KEY *eckey);
|
|
|
|
|
int (*keycheck)(const EC_KEY *eckey);
|
|
|
|
|
int (*keygenpub)(EC_KEY *eckey);
|
|
|
|
|
int (*keycopy)(EC_KEY *dst, const EC_KEY *src);
|
|
|
|
|
void (*keyfinish)(EC_KEY *eckey);
|
|
|
|
|
/* custom ECDH operation */
|
2016-02-29 14:12:11 +00:00
|
|
|
int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen,
|
|
|
|
|
const EC_POINT *pub_key, const EC_KEY *ecdh);
|
2017-12-30 14:08:31 +00:00
|
|
|
/* Inverse modulo order */
|
2018-05-08 11:00:30 +00:00
|
|
|
int (*field_inverse_mod_ord)(const EC_GROUP *, BIGNUM *r,
|
|
|
|
|
const BIGNUM *x, BN_CTX *);
|
Implement coordinate blinding for EC_POINT
This commit implements coordinate blinding, i.e., it randomizes the
representative of an elliptic curve point in its equivalence class, for
prime curves implemented through EC_GFp_simple_method,
EC_GFp_mont_method, and EC_GFp_nist_method.
This commit is derived from the patch
https://marc.info/?l=openssl-dev&m=131194808413635 by Billy Brumley.
Coordinate blinding is a generally useful side-channel countermeasure
and is (mostly) free. The function itself takes a few field
multiplicationss, but is usually only necessary at the beginning of a
scalar multiplication (as implemented in the patch). When used this way,
it makes the values that variables take (i.e., field elements in an
algorithm state) unpredictable.
For instance, this mitigates chosen EC point side-channel attacks for
settings such as ECDH and EC private key decryption, for the
aforementioned curves.
For EC_METHODs using different coordinate representations this commit
does nothing, but the corresponding coordinate blinding function can be
easily added in the future to extend these changes to such curves.
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6501)
2018-06-16 14:07:40 +00:00
|
|
|
int (*blind_coordinates)(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);
|
EC point multiplication: add `ladder` scaffold
for specialized Montgomery ladder implementations
PR #6009 and #6070 replaced the default EC point multiplication path for
prime and binary curves with a unified Montgomery ladder implementation
with various timing attack defenses (for the common paths when a secret
scalar is feed to the point multiplication).
The newly introduced default implementation directly used
EC_POINT_add/dbl in the main loop.
The scaffolding introduced by this commit allows EC_METHODs to define a
specialized `ladder_step` function to improve performances by taking
advantage of efficient formulas for differential addition-and-doubling
and different coordinate systems.
- `ladder_pre` is executed before the main loop of the ladder: by
default it copies the input point P into S, and doubles it into R.
Specialized implementations could, e.g., use this hook to transition
to different coordinate systems before copying and doubling;
- `ladder_step` is the core of the Montgomery ladder loop: by default it
computes `S := R+S; R := 2R;`, but specific implementations could,
e.g., implement a more efficient formula for differential
addition-and-doubling;
- `ladder_post` is executed after the Montgomery ladder loop: by default
it's a noop, but specialized implementations could, e.g., use this
hook to transition back from the coordinate system used for optimizing
the differential addition-and-doubling or recover the y coordinate of
the result point.
This commit also renames `ec_mul_consttime` to `ec_scalar_mul_ladder`,
as it better corresponds to what this function does: nothing can be
truly said about the constant-timeness of the overall execution of this
function, given that the underlying operations are not necessarily
constant-time themselves.
What this implementation ensures is that the same fixed sequence of
operations is executed for each scalar multiplication (for a given
EC_GROUP), with no dependency on the value of the input scalar.
Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6690)
2018-07-07 21:50:49 +00:00
|
|
|
int (*ladder_pre)(const EC_GROUP *group,
|
|
|
|
|
EC_POINT *r, EC_POINT *s,
|
|
|
|
|
EC_POINT *p, BN_CTX *ctx);
|
|
|
|
|
int (*ladder_step)(const EC_GROUP *group,
|
|
|
|
|
EC_POINT *r, EC_POINT *s,
|
|
|
|
|
EC_POINT *p, BN_CTX *ctx);
|
|
|
|
|
int (*ladder_post)(const EC_GROUP *group,
|
|
|
|
|
EC_POINT *r, EC_POINT *s,
|
|
|
|
|
EC_POINT *p, BN_CTX *ctx);
|
2016-08-29 13:07:38 +00:00
|
|
|
};
|
2001-03-05 21:54:39 +00:00
|
|
|
|
2016-01-05 18:06:03 +00:00
|
|
|
/*
|
|
|
|
|
* Types and functions to manipulate pre-computed values.
|
|
|
|
|
*/
|
|
|
|
|
typedef struct nistp224_pre_comp_st NISTP224_PRE_COMP;
|
|
|
|
|
typedef struct nistp256_pre_comp_st NISTP256_PRE_COMP;
|
2016-01-13 22:19:42 +00:00
|
|
|
typedef struct nistp521_pre_comp_st NISTP521_PRE_COMP;
|
2016-01-05 18:06:03 +00:00
|
|
|
typedef struct nistz256_pre_comp_st NISTZ256_PRE_COMP;
|
|
|
|
|
typedef struct ec_pre_comp_st EC_PRE_COMP;
|
2001-03-05 21:54:39 +00:00
|
|
|
|
|
|
|
|
struct ec_group_st {
|
2015-01-22 03:40:55 +00:00
|
|
|
const EC_METHOD *meth;
|
|
|
|
|
EC_POINT *generator; /* optional */
|
|
|
|
|
BIGNUM *order, *cofactor;
|
|
|
|
|
int curve_name; /* optional NID for named curve */
|
|
|
|
|
int asn1_flag; /* flag to control the asn1 encoding */
|
|
|
|
|
point_conversion_form_t asn1_form;
|
|
|
|
|
unsigned char *seed; /* optional seed for parameters (appears in
|
|
|
|
|
* ASN1) */
|
|
|
|
|
size_t seed_len;
|
|
|
|
|
/*
|
|
|
|
|
* The following members are handled by the method functions, even if
|
|
|
|
|
* they appear generic
|
|
|
|
|
*/
|
|
|
|
|
/*
|
|
|
|
|
* Field specification. For curves over GF(p), this is the modulus; for
|
|
|
|
|
* curves over GF(2^m), this is the irreducible polynomial defining the
|
|
|
|
|
* field.
|
|
|
|
|
*/
|
|
|
|
|
BIGNUM *field;
|
|
|
|
|
/*
|
|
|
|
|
* Field specification for curves over GF(2^m). The irreducible f(t) is
|
|
|
|
|
* then of the form: t^poly[0] + t^poly[1] + ... + t^poly[k] where m =
|
|
|
|
|
* poly[0] > poly[1] > ... > poly[k] = 0. The array is terminated with
|
|
|
|
|
* poly[k+1]=-1. All elliptic curve irreducibles have at most 5 non-zero
|
|
|
|
|
* terms.
|
|
|
|
|
*/
|
|
|
|
|
int poly[6];
|
|
|
|
|
/*
|
|
|
|
|
* Curve coefficients. (Here the assumption is that BIGNUMs can be used
|
|
|
|
|
* or abused for all kinds of fields, not just GF(p).) For characteristic
|
|
|
|
|
* > 3, the curve is defined by a Weierstrass equation of the form y^2 =
|
|
|
|
|
* x^3 + a*x + b. For characteristic 2, the curve is defined by an
|
|
|
|
|
* equation of the form y^2 + x*y = x^3 + a*x^2 + b.
|
|
|
|
|
*/
|
|
|
|
|
BIGNUM *a, *b;
|
|
|
|
|
/* enable optimized point arithmetics for special case */
|
|
|
|
|
int a_is_minus3;
|
|
|
|
|
/* method-specific (e.g., Montgomery structure) */
|
|
|
|
|
void *field_data1;
|
|
|
|
|
/* method-specific */
|
|
|
|
|
void *field_data2;
|
|
|
|
|
/* method-specific */
|
|
|
|
|
int (*field_mod_func) (BIGNUM *, const BIGNUM *, const BIGNUM *,
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
/* data for ECDSA inverse */
|
|
|
|
|
BN_MONT_CTX *mont_data;
|
2016-01-05 18:06:03 +00:00
|
|
|
|
2016-08-29 12:23:25 +00:00
|
|
|
/*
|
|
|
|
|
* Precomputed values for speed. The PCT_xxx names match the
|
|
|
|
|
* pre_comp.xxx union names; see the SETPRECOMP and HAVEPRECOMP
|
|
|
|
|
* macros, below.
|
|
|
|
|
*/
|
2016-01-05 18:06:03 +00:00
|
|
|
enum {
|
2016-08-29 12:23:25 +00:00
|
|
|
PCT_none,
|
|
|
|
|
PCT_nistp224, PCT_nistp256, PCT_nistp521, PCT_nistz256,
|
|
|
|
|
PCT_ec
|
|
|
|
|
} pre_comp_type;
|
2016-01-05 18:06:03 +00:00
|
|
|
union {
|
|
|
|
|
NISTP224_PRE_COMP *nistp224;
|
|
|
|
|
NISTP256_PRE_COMP *nistp256;
|
|
|
|
|
NISTP521_PRE_COMP *nistp521;
|
|
|
|
|
NISTZ256_PRE_COMP *nistz256;
|
|
|
|
|
EC_PRE_COMP *ec;
|
|
|
|
|
} pre_comp;
|
2016-08-29 13:07:38 +00:00
|
|
|
};
|
2001-03-05 21:54:39 +00:00
|
|
|
|
2016-01-05 18:06:03 +00:00
|
|
|
#define SETPRECOMP(g, type, pre) \
|
2016-08-29 12:23:25 +00:00
|
|
|
g->pre_comp_type = PCT_##type, g->pre_comp.type = pre
|
2016-01-05 18:06:03 +00:00
|
|
|
#define HAVEPRECOMP(g, type) \
|
2016-08-29 12:23:25 +00:00
|
|
|
g->pre_comp_type == PCT_##type && g->pre_comp.type != NULL
|
2016-01-05 18:06:03 +00:00
|
|
|
|
2005-05-16 10:11:04 +00:00
|
|
|
struct ec_key_st {
|
2015-10-19 13:38:43 +00:00
|
|
|
const EC_KEY_METHOD *meth;
|
|
|
|
|
ENGINE *engine;
|
2015-01-22 03:40:55 +00:00
|
|
|
int version;
|
|
|
|
|
EC_GROUP *group;
|
|
|
|
|
EC_POINT *pub_key;
|
|
|
|
|
BIGNUM *priv_key;
|
|
|
|
|
unsigned int enc_flag;
|
|
|
|
|
point_conversion_form_t conv_form;
|
2016-08-27 14:01:08 +00:00
|
|
|
CRYPTO_REF_COUNT references;
|
2015-01-22 03:40:55 +00:00
|
|
|
int flags;
|
2016-01-05 18:06:03 +00:00
|
|
|
CRYPTO_EX_DATA ex_data;
|
2016-02-29 16:57:11 +00:00
|
|
|
CRYPTO_RWLOCK *lock;
|
2016-08-29 13:07:38 +00:00
|
|
|
};
|
2005-05-16 10:11:04 +00:00
|
|
|
|
2001-03-05 21:54:39 +00:00
|
|
|
struct ec_point_st {
|
2015-01-22 03:40:55 +00:00
|
|
|
const EC_METHOD *meth;
|
2018-05-21 14:24:56 +00:00
|
|
|
/* NID for the curve if known */
|
|
|
|
|
int curve_name;
|
2015-01-22 03:40:55 +00:00
|
|
|
/*
|
|
|
|
|
* All members except 'meth' are handled by the method functions, even if
|
|
|
|
|
* they appear generic
|
|
|
|
|
*/
|
|
|
|
|
BIGNUM *X;
|
|
|
|
|
BIGNUM *Y;
|
|
|
|
|
BIGNUM *Z; /* Jacobian projective coordinates: * (X, Y,
|
|
|
|
|
* Z) represents (X/Z^2, Y/Z^3) if Z != 0 */
|
|
|
|
|
int Z_is_one; /* enable optimized point arithmetics for
|
|
|
|
|
* special case */
|
2016-08-29 13:07:38 +00:00
|
|
|
};
|
2001-03-07 09:29:45 +00:00
|
|
|
|
2018-05-21 14:24:56 +00:00
|
|
|
static ossl_inline int ec_point_is_compat(const EC_POINT *point,
|
|
|
|
|
const EC_GROUP *group)
|
|
|
|
|
{
|
|
|
|
|
if (group->meth != point->meth
|
|
|
|
|
|| (group->curve_name != 0
|
|
|
|
|
&& point->curve_name != 0
|
|
|
|
|
&& group->curve_name != point->curve_name))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2016-01-05 18:06:03 +00:00
|
|
|
NISTP224_PRE_COMP *EC_nistp224_pre_comp_dup(NISTP224_PRE_COMP *);
|
|
|
|
|
NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *);
|
|
|
|
|
NISTP521_PRE_COMP *EC_nistp521_pre_comp_dup(NISTP521_PRE_COMP *);
|
|
|
|
|
NISTZ256_PRE_COMP *EC_nistz256_pre_comp_dup(NISTZ256_PRE_COMP *);
|
|
|
|
|
NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *);
|
|
|
|
|
EC_PRE_COMP *EC_ec_pre_comp_dup(EC_PRE_COMP *);
|
2016-01-14 02:26:00 +00:00
|
|
|
|
|
|
|
|
void EC_pre_comp_free(EC_GROUP *group);
|
2016-01-05 18:06:03 +00:00
|
|
|
void EC_nistp224_pre_comp_free(NISTP224_PRE_COMP *);
|
|
|
|
|
void EC_nistp256_pre_comp_free(NISTP256_PRE_COMP *);
|
|
|
|
|
void EC_nistp521_pre_comp_free(NISTP521_PRE_COMP *);
|
|
|
|
|
void EC_nistz256_pre_comp_free(NISTZ256_PRE_COMP *);
|
|
|
|
|
void EC_ec_pre_comp_free(EC_PRE_COMP *);
|
|
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
/*
|
|
|
|
|
* method functions in ec_mult.c (ec_lib.c uses these as defaults if
|
|
|
|
|
* group->method->mul is 0)
|
|
|
|
|
*/
|
2002-08-02 13:42:24 +00:00
|
|
|
int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
|
2015-01-22 03:40:55 +00:00
|
|
|
size_t num, const EC_POINT *points[], const BIGNUM *scalars[],
|
|
|
|
|
BN_CTX *);
|
2002-08-02 13:42:24 +00:00
|
|
|
int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *);
|
2003-02-06 19:25:12 +00:00
|
|
|
int ec_wNAF_have_precompute_mult(const EC_GROUP *group);
|
|
|
|
|
|
2001-03-07 09:29:45 +00:00
|
|
|
/* method functions in ecp_smpl.c */
|
|
|
|
|
int ec_GFp_simple_group_init(EC_GROUP *);
|
|
|
|
|
void ec_GFp_simple_group_finish(EC_GROUP *);
|
|
|
|
|
void ec_GFp_simple_group_clear_finish(EC_GROUP *);
|
|
|
|
|
int ec_GFp_simple_group_copy(EC_GROUP *, const EC_GROUP *);
|
2015-01-22 03:40:55 +00:00
|
|
|
int ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p,
|
|
|
|
|
const BIGNUM *a, const BIGNUM *b, BN_CTX *);
|
|
|
|
|
int ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a,
|
|
|
|
|
BIGNUM *b, BN_CTX *);
|
2002-08-02 13:42:24 +00:00
|
|
|
int ec_GFp_simple_group_get_degree(const EC_GROUP *);
|
2002-03-20 10:18:07 +00:00
|
|
|
int ec_GFp_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *);
|
2001-03-07 09:29:45 +00:00
|
|
|
int ec_GFp_simple_point_init(EC_POINT *);
|
|
|
|
|
void ec_GFp_simple_point_finish(EC_POINT *);
|
|
|
|
|
void ec_GFp_simple_point_clear_finish(EC_POINT *);
|
|
|
|
|
int ec_GFp_simple_point_copy(EC_POINT *, const EC_POINT *);
|
2001-03-08 01:23:28 +00:00
|
|
|
int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *);
|
2015-01-22 03:40:55 +00:00
|
|
|
int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *,
|
|
|
|
|
EC_POINT *, const BIGNUM *x,
|
|
|
|
|
const BIGNUM *y,
|
|
|
|
|
const BIGNUM *z, BN_CTX *);
|
|
|
|
|
int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *,
|
|
|
|
|
const EC_POINT *, BIGNUM *x,
|
|
|
|
|
BIGNUM *y, BIGNUM *z,
|
|
|
|
|
BN_CTX *);
|
2002-08-02 14:28:37 +00:00
|
|
|
int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *,
|
2015-01-22 03:40:55 +00:00
|
|
|
const BIGNUM *x,
|
|
|
|
|
const BIGNUM *y, BN_CTX *);
|
|
|
|
|
int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *,
|
|
|
|
|
const EC_POINT *, BIGNUM *x,
|
|
|
|
|
BIGNUM *y, BN_CTX *);
|
2002-08-02 14:28:37 +00:00
|
|
|
int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *,
|
2015-01-22 03:40:55 +00:00
|
|
|
const BIGNUM *x, int y_bit,
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
size_t ec_GFp_simple_point2oct(const EC_GROUP *, const EC_POINT *,
|
|
|
|
|
point_conversion_form_t form,
|
|
|
|
|
unsigned char *buf, size_t len, BN_CTX *);
|
2001-03-07 09:29:45 +00:00
|
|
|
int ec_GFp_simple_oct2point(const EC_GROUP *, EC_POINT *,
|
2015-01-22 03:40:55 +00:00
|
|
|
const unsigned char *buf, size_t len, BN_CTX *);
|
|
|
|
|
int ec_GFp_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,
|
|
|
|
|
const EC_POINT *b, BN_CTX *);
|
|
|
|
|
int ec_GFp_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,
|
|
|
|
|
BN_CTX *);
|
2001-03-08 11:16:33 +00:00
|
|
|
int ec_GFp_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);
|
2001-03-07 09:29:45 +00:00
|
|
|
int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *);
|
|
|
|
|
int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *);
|
2015-01-22 03:40:55 +00:00
|
|
|
int ec_GFp_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b,
|
|
|
|
|
BN_CTX *);
|
2001-03-07 20:56:48 +00:00
|
|
|
int ec_GFp_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
|
2015-01-22 03:40:55 +00:00
|
|
|
int ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num,
|
|
|
|
|
EC_POINT *[], BN_CTX *);
|
|
|
|
|
int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
|
const BIGNUM *b, BN_CTX *);
|
|
|
|
|
int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
|
BN_CTX *);
|
SCA hardening for mod. field inversion in EC_GROUP
This commit adds a dedicated function in `EC_METHOD` to access a modular
field inversion implementation suitable for the specifics of the
implemented curve, featuring SCA countermeasures.
The new pointer is defined as:
`int (*field_inv)(const EC_GROUP*, BIGNUM *r, const BIGNUM *a, BN_CTX*)`
and computes the multiplicative inverse of `a` in the underlying field,
storing the result in `r`.
Three implementations are included, each including specific SCA
countermeasures:
- `ec_GFp_simple_field_inv()`, featuring SCA hardening through
blinding.
- `ec_GFp_mont_field_inv()`, featuring SCA hardening through Fermat's
Little Theorem (FLT) inversion.
- `ec_GF2m_simple_field_inv()`, that uses `BN_GF2m_mod_inv()` which
already features SCA hardening through blinding.
From a security point of view, this also helps addressing a leakage
previously affecting conversions from projective to affine coordinates.
This commit also adds a new error reason code (i.e.,
`EC_R_CANNOT_INVERT`) to improve consistency between the three
implementations as all of them could fail for the same reason but
through different code paths resulting in inconsistent error stack
states.
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8254)
2019-02-02 08:53:29 +00:00
|
|
|
int ec_GFp_simple_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
|
BN_CTX *);
|
Implement coordinate blinding for EC_POINT
This commit implements coordinate blinding, i.e., it randomizes the
representative of an elliptic curve point in its equivalence class, for
prime curves implemented through EC_GFp_simple_method,
EC_GFp_mont_method, and EC_GFp_nist_method.
This commit is derived from the patch
https://marc.info/?l=openssl-dev&m=131194808413635 by Billy Brumley.
Coordinate blinding is a generally useful side-channel countermeasure
and is (mostly) free. The function itself takes a few field
multiplicationss, but is usually only necessary at the beginning of a
scalar multiplication (as implemented in the patch). When used this way,
it makes the values that variables take (i.e., field elements in an
algorithm state) unpredictable.
For instance, this mitigates chosen EC point side-channel attacks for
settings such as ECDH and EC private key decryption, for the
aforementioned curves.
For EC_METHODs using different coordinate representations this commit
does nothing, but the corresponding coordinate blinding function can be
easily added in the future to extend these changes to such curves.
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6501)
2018-06-16 14:07:40 +00:00
|
|
|
int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,
|
2018-07-19 08:16:07 +00:00
|
|
|
BN_CTX *ctx);
|
|
|
|
|
int ec_GFp_simple_ladder_pre(const EC_GROUP *group,
|
|
|
|
|
EC_POINT *r, EC_POINT *s,
|
|
|
|
|
EC_POINT *p, BN_CTX *ctx);
|
|
|
|
|
int ec_GFp_simple_ladder_step(const EC_GROUP *group,
|
|
|
|
|
EC_POINT *r, EC_POINT *s,
|
|
|
|
|
EC_POINT *p, BN_CTX *ctx);
|
|
|
|
|
int ec_GFp_simple_ladder_post(const EC_GROUP *group,
|
|
|
|
|
EC_POINT *r, EC_POINT *s,
|
|
|
|
|
EC_POINT *p, BN_CTX *ctx);
|
2001-03-07 09:29:45 +00:00
|
|
|
|
|
|
|
|
/* method functions in ecp_mont.c */
|
2001-03-07 09:53:41 +00:00
|
|
|
int ec_GFp_mont_group_init(EC_GROUP *);
|
2015-01-22 03:40:55 +00:00
|
|
|
int ec_GFp_mont_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
|
|
|
|
|
const BIGNUM *b, BN_CTX *);
|
2001-03-07 09:48:38 +00:00
|
|
|
void ec_GFp_mont_group_finish(EC_GROUP *);
|
|
|
|
|
void ec_GFp_mont_group_clear_finish(EC_GROUP *);
|
2001-03-07 19:54:35 +00:00
|
|
|
int ec_GFp_mont_group_copy(EC_GROUP *, const EC_GROUP *);
|
2015-01-22 03:40:55 +00:00
|
|
|
int ec_GFp_mont_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
|
const BIGNUM *b, BN_CTX *);
|
|
|
|
|
int ec_GFp_mont_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
|
BN_CTX *);
|
SCA hardening for mod. field inversion in EC_GROUP
This commit adds a dedicated function in `EC_METHOD` to access a modular
field inversion implementation suitable for the specifics of the
implemented curve, featuring SCA countermeasures.
The new pointer is defined as:
`int (*field_inv)(const EC_GROUP*, BIGNUM *r, const BIGNUM *a, BN_CTX*)`
and computes the multiplicative inverse of `a` in the underlying field,
storing the result in `r`.
Three implementations are included, each including specific SCA
countermeasures:
- `ec_GFp_simple_field_inv()`, featuring SCA hardening through
blinding.
- `ec_GFp_mont_field_inv()`, featuring SCA hardening through Fermat's
Little Theorem (FLT) inversion.
- `ec_GF2m_simple_field_inv()`, that uses `BN_GF2m_mod_inv()` which
already features SCA hardening through blinding.
From a security point of view, this also helps addressing a leakage
previously affecting conversions from projective to affine coordinates.
This commit also adds a new error reason code (i.e.,
`EC_R_CANNOT_INVERT`) to improve consistency between the three
implementations as all of them could fail for the same reason but
through different code paths resulting in inconsistent error stack
states.
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8254)
2019-02-02 08:53:29 +00:00
|
|
|
int ec_GFp_mont_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
|
BN_CTX *);
|
2015-01-22 03:40:55 +00:00
|
|
|
int ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
|
BN_CTX *);
|
2001-03-10 23:18:35 +00:00
|
|
|
int ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *);
|
2001-03-07 09:29:45 +00:00
|
|
|
|
|
|
|
|
/* method functions in ecp_nist.c */
|
2003-02-08 19:51:37 +00:00
|
|
|
int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src);
|
2015-01-22 03:40:55 +00:00
|
|
|
int ec_GFp_nist_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
|
|
|
|
|
const BIGNUM *b, BN_CTX *);
|
|
|
|
|
int ec_GFp_nist_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
|
const BIGNUM *b, BN_CTX *);
|
|
|
|
|
int ec_GFp_nist_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
|
BN_CTX *);
|
2002-08-02 13:42:24 +00:00
|
|
|
|
|
|
|
|
/* method functions in ec2_smpl.c */
|
|
|
|
|
int ec_GF2m_simple_group_init(EC_GROUP *);
|
|
|
|
|
void ec_GF2m_simple_group_finish(EC_GROUP *);
|
|
|
|
|
void ec_GF2m_simple_group_clear_finish(EC_GROUP *);
|
|
|
|
|
int ec_GF2m_simple_group_copy(EC_GROUP *, const EC_GROUP *);
|
2015-01-22 03:40:55 +00:00
|
|
|
int ec_GF2m_simple_group_set_curve(EC_GROUP *, const BIGNUM *p,
|
|
|
|
|
const BIGNUM *a, const BIGNUM *b,
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
int ec_GF2m_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a,
|
|
|
|
|
BIGNUM *b, BN_CTX *);
|
2002-08-02 13:42:24 +00:00
|
|
|
int ec_GF2m_simple_group_get_degree(const EC_GROUP *);
|
|
|
|
|
int ec_GF2m_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *);
|
|
|
|
|
int ec_GF2m_simple_point_init(EC_POINT *);
|
|
|
|
|
void ec_GF2m_simple_point_finish(EC_POINT *);
|
|
|
|
|
void ec_GF2m_simple_point_clear_finish(EC_POINT *);
|
|
|
|
|
int ec_GF2m_simple_point_copy(EC_POINT *, const EC_POINT *);
|
|
|
|
|
int ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *);
|
2002-08-02 14:28:37 +00:00
|
|
|
int ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *,
|
2015-01-22 03:40:55 +00:00
|
|
|
const BIGNUM *x,
|
|
|
|
|
const BIGNUM *y, BN_CTX *);
|
|
|
|
|
int ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *,
|
|
|
|
|
const EC_POINT *, BIGNUM *x,
|
|
|
|
|
BIGNUM *y, BN_CTX *);
|
2002-08-02 14:28:37 +00:00
|
|
|
int ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *,
|
2015-01-22 03:40:55 +00:00
|
|
|
const BIGNUM *x, int y_bit,
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
size_t ec_GF2m_simple_point2oct(const EC_GROUP *, const EC_POINT *,
|
|
|
|
|
point_conversion_form_t form,
|
|
|
|
|
unsigned char *buf, size_t len, BN_CTX *);
|
2002-08-02 13:42:24 +00:00
|
|
|
int ec_GF2m_simple_oct2point(const EC_GROUP *, EC_POINT *,
|
2015-01-22 03:40:55 +00:00
|
|
|
const unsigned char *buf, size_t len, BN_CTX *);
|
|
|
|
|
int ec_GF2m_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,
|
|
|
|
|
const EC_POINT *b, BN_CTX *);
|
|
|
|
|
int ec_GF2m_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,
|
|
|
|
|
BN_CTX *);
|
2002-08-02 13:42:24 +00:00
|
|
|
int ec_GF2m_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);
|
|
|
|
|
int ec_GF2m_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *);
|
|
|
|
|
int ec_GF2m_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *);
|
2015-01-22 03:40:55 +00:00
|
|
|
int ec_GF2m_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b,
|
|
|
|
|
BN_CTX *);
|
2002-08-02 13:42:24 +00:00
|
|
|
int ec_GF2m_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
|
2015-01-22 03:40:55 +00:00
|
|
|
int ec_GF2m_simple_points_make_affine(const EC_GROUP *, size_t num,
|
|
|
|
|
EC_POINT *[], BN_CTX *);
|
|
|
|
|
int ec_GF2m_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
|
const BIGNUM *b, BN_CTX *);
|
|
|
|
|
int ec_GF2m_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
int ec_GF2m_simple_field_div(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
|
const BIGNUM *b, BN_CTX *);
|
2002-08-02 13:42:24 +00:00
|
|
|
|
2014-06-03 22:14:40 +00:00
|
|
|
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
2010-08-26 14:29:55 +00:00
|
|
|
/* method functions in ecp_nistp224.c */
|
|
|
|
|
int ec_GFp_nistp224_group_init(EC_GROUP *group);
|
2015-01-22 03:40:55 +00:00
|
|
|
int ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p,
|
|
|
|
|
const BIGNUM *a, const BIGNUM *n,
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
int ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group,
|
|
|
|
|
const EC_POINT *point,
|
|
|
|
|
BIGNUM *x, BIGNUM *y,
|
|
|
|
|
BN_CTX *ctx);
|
|
|
|
|
int ec_GFp_nistp224_mul(const EC_GROUP *group, EC_POINT *r,
|
|
|
|
|
const BIGNUM *scalar, size_t num,
|
|
|
|
|
const EC_POINT *points[], const BIGNUM *scalars[],
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
|
|
|
|
|
const BIGNUM *scalar, size_t num,
|
|
|
|
|
const EC_POINT *points[],
|
|
|
|
|
const BIGNUM *scalars[], BN_CTX *ctx);
|
2010-08-26 14:29:55 +00:00
|
|
|
int ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
|
|
|
|
|
int ec_GFp_nistp224_have_precompute_mult(const EC_GROUP *group);
|
2011-10-18 19:43:16 +00:00
|
|
|
|
|
|
|
|
/* method functions in ecp_nistp256.c */
|
|
|
|
|
int ec_GFp_nistp256_group_init(EC_GROUP *group);
|
2015-01-22 03:40:55 +00:00
|
|
|
int ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p,
|
|
|
|
|
const BIGNUM *a, const BIGNUM *n,
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
int ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group,
|
|
|
|
|
const EC_POINT *point,
|
|
|
|
|
BIGNUM *x, BIGNUM *y,
|
|
|
|
|
BN_CTX *ctx);
|
|
|
|
|
int ec_GFp_nistp256_mul(const EC_GROUP *group, EC_POINT *r,
|
|
|
|
|
const BIGNUM *scalar, size_t num,
|
|
|
|
|
const EC_POINT *points[], const BIGNUM *scalars[],
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
|
|
|
|
|
const BIGNUM *scalar, size_t num,
|
|
|
|
|
const EC_POINT *points[],
|
|
|
|
|
const BIGNUM *scalars[], BN_CTX *ctx);
|
2011-10-18 19:43:16 +00:00
|
|
|
int ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
|
|
|
|
|
int ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group);
|
|
|
|
|
|
|
|
|
|
/* method functions in ecp_nistp521.c */
|
|
|
|
|
int ec_GFp_nistp521_group_init(EC_GROUP *group);
|
2015-01-22 03:40:55 +00:00
|
|
|
int ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p,
|
|
|
|
|
const BIGNUM *a, const BIGNUM *n,
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
int ec_GFp_nistp521_point_get_affine_coordinates(const EC_GROUP *group,
|
|
|
|
|
const EC_POINT *point,
|
|
|
|
|
BIGNUM *x, BIGNUM *y,
|
|
|
|
|
BN_CTX *ctx);
|
|
|
|
|
int ec_GFp_nistp521_mul(const EC_GROUP *group, EC_POINT *r,
|
|
|
|
|
const BIGNUM *scalar, size_t num,
|
|
|
|
|
const EC_POINT *points[], const BIGNUM *scalars[],
|
|
|
|
|
BN_CTX *);
|
|
|
|
|
int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
|
|
|
|
|
const BIGNUM *scalar, size_t num,
|
|
|
|
|
const EC_POINT *points[],
|
|
|
|
|
const BIGNUM *scalars[], BN_CTX *ctx);
|
2011-10-18 19:43:16 +00:00
|
|
|
int ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
|
|
|
|
|
int ec_GFp_nistp521_have_precompute_mult(const EC_GROUP *group);
|
|
|
|
|
|
|
|
|
|
/* utility functions in ecp_nistputil.c */
|
|
|
|
|
void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array,
|
2015-01-22 03:40:55 +00:00
|
|
|
size_t felem_size,
|
|
|
|
|
void *tmp_felems,
|
|
|
|
|
void (*felem_one) (void *out),
|
|
|
|
|
int (*felem_is_zero) (const void
|
|
|
|
|
*in),
|
|
|
|
|
void (*felem_assign) (void *out,
|
|
|
|
|
const void
|
|
|
|
|
*in),
|
|
|
|
|
void (*felem_square) (void *out,
|
|
|
|
|
const void
|
|
|
|
|
*in),
|
|
|
|
|
void (*felem_mul) (void *out,
|
|
|
|
|
const void
|
|
|
|
|
*in1,
|
|
|
|
|
const void
|
|
|
|
|
*in2),
|
|
|
|
|
void (*felem_inv) (void *out,
|
|
|
|
|
const void
|
|
|
|
|
*in),
|
|
|
|
|
void (*felem_contract) (void
|
|
|
|
|
*out,
|
|
|
|
|
const
|
|
|
|
|
void
|
|
|
|
|
*in));
|
|
|
|
|
void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign,
|
|
|
|
|
unsigned char *digit, unsigned char in);
|
2010-08-26 14:29:55 +00:00
|
|
|
#endif
|
2016-02-28 17:47:06 +00:00
|
|
|
int ec_group_simple_order_bits(const EC_GROUP *group);
|
2014-09-11 22:13:20 +00:00
|
|
|
|
|
|
|
|
#ifdef ECP_NISTZ256_ASM
|
|
|
|
|
/** Returns GFp methods using montgomery multiplication, with x86-64 optimized
|
|
|
|
|
* P256. See http://eprint.iacr.org/2013/816.
|
|
|
|
|
* \return EC_METHOD object
|
|
|
|
|
*/
|
|
|
|
|
const EC_METHOD *EC_GFp_nistz256_method(void);
|
|
|
|
|
#endif
|
2015-10-19 13:38:43 +00:00
|
|
|
|
2016-02-28 17:47:06 +00:00
|
|
|
size_t ec_key_simple_priv2oct(const EC_KEY *eckey,
|
|
|
|
|
unsigned char *buf, size_t len);
|
2016-06-19 16:54:50 +00:00
|
|
|
int ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len);
|
2016-02-28 17:47:06 +00:00
|
|
|
int ec_key_simple_generate_key(EC_KEY *eckey);
|
|
|
|
|
int ec_key_simple_generate_public_key(EC_KEY *eckey);
|
|
|
|
|
int ec_key_simple_check_key(const EC_KEY *eckey);
|
|
|
|
|
|
2015-10-19 13:38:43 +00:00
|
|
|
/* EC_METHOD definitions */
|
|
|
|
|
|
|
|
|
|
struct ec_key_method_st {
|
|
|
|
|
const char *name;
|
|
|
|
|
int32_t flags;
|
2015-10-23 18:10:24 +00:00
|
|
|
int (*init)(EC_KEY *key);
|
|
|
|
|
void (*finish)(EC_KEY *key);
|
2015-10-23 18:19:57 +00:00
|
|
|
int (*copy)(EC_KEY *dest, const EC_KEY *src);
|
2015-10-25 13:09:50 +00:00
|
|
|
int (*set_group)(EC_KEY *key, const EC_GROUP *grp);
|
|
|
|
|
int (*set_private)(EC_KEY *key, const BIGNUM *priv_key);
|
|
|
|
|
int (*set_public)(EC_KEY *key, const EC_POINT *pub_key);
|
2015-10-22 13:53:23 +00:00
|
|
|
int (*keygen)(EC_KEY *key);
|
2016-02-29 14:12:11 +00:00
|
|
|
int (*compute_key)(unsigned char **pout, size_t *poutlen,
|
|
|
|
|
const EC_POINT *pub_key, const EC_KEY *ecdh);
|
2015-10-28 16:57:51 +00:00
|
|
|
int (*sign)(int type, const unsigned char *dgst, int dlen, unsigned char
|
|
|
|
|
*sig, unsigned int *siglen, const BIGNUM *kinv,
|
|
|
|
|
const BIGNUM *r, EC_KEY *eckey);
|
2015-10-27 18:29:41 +00:00
|
|
|
int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
|
|
|
|
|
BIGNUM **rp);
|
|
|
|
|
ECDSA_SIG *(*sign_sig)(const unsigned char *dgst, int dgst_len,
|
|
|
|
|
const BIGNUM *in_kinv, const BIGNUM *in_r,
|
|
|
|
|
EC_KEY *eckey);
|
2015-10-28 16:57:51 +00:00
|
|
|
|
|
|
|
|
int (*verify)(int type, const unsigned char *dgst, int dgst_len,
|
|
|
|
|
const unsigned char *sigbuf, int sig_len, EC_KEY *eckey);
|
2015-10-27 18:29:41 +00:00
|
|
|
int (*verify_sig)(const unsigned char *dgst, int dgst_len,
|
|
|
|
|
const ECDSA_SIG *sig, EC_KEY *eckey);
|
2016-08-29 13:07:38 +00:00
|
|
|
};
|
2015-10-19 13:38:43 +00:00
|
|
|
|
|
|
|
|
#define EC_KEY_METHOD_DYNAMIC 1
|
2015-10-22 13:53:23 +00:00
|
|
|
|
|
|
|
|
int ossl_ec_key_gen(EC_KEY *eckey);
|
2016-02-29 14:12:11 +00:00
|
|
|
int ossl_ecdh_compute_key(unsigned char **pout, size_t *poutlen,
|
|
|
|
|
const EC_POINT *pub_key, const EC_KEY *ecdh);
|
|
|
|
|
int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen,
|
|
|
|
|
const EC_POINT *pub_key, const EC_KEY *ecdh);
|
2015-10-27 18:18:18 +00:00
|
|
|
|
|
|
|
|
struct ECDSA_SIG_st {
|
|
|
|
|
BIGNUM *r;
|
|
|
|
|
BIGNUM *s;
|
|
|
|
|
};
|
2015-10-27 18:29:41 +00:00
|
|
|
|
|
|
|
|
int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
|
|
|
|
|
BIGNUM **rp);
|
2015-10-28 16:57:51 +00:00
|
|
|
int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
|
|
|
|
|
unsigned char *sig, unsigned int *siglen,
|
|
|
|
|
const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey);
|
2015-10-27 18:29:41 +00:00
|
|
|
ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
|
|
|
|
|
const BIGNUM *in_kinv, const BIGNUM *in_r,
|
|
|
|
|
EC_KEY *eckey);
|
2015-10-28 16:57:51 +00:00
|
|
|
int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len,
|
|
|
|
|
const unsigned char *sigbuf, int sig_len, EC_KEY *eckey);
|
2015-10-27 18:29:41 +00:00
|
|
|
int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
|
|
|
|
|
const ECDSA_SIG *sig, EC_KEY *eckey);
|
2016-02-02 14:50:10 +00:00
|
|
|
|
2017-04-04 21:56:41 +00:00
|
|
|
int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
|
2017-04-05 15:09:57 +00:00
|
|
|
const uint8_t public_key[32], const uint8_t private_key[32]);
|
2017-04-04 21:56:41 +00:00
|
|
|
int ED25519_verify(const uint8_t *message, size_t message_len,
|
|
|
|
|
const uint8_t signature[64], const uint8_t public_key[32]);
|
2017-04-05 15:09:57 +00:00
|
|
|
void ED25519_public_from_private(uint8_t out_public_key[32],
|
|
|
|
|
const uint8_t private_key[32]);
|
2017-04-04 21:56:41 +00:00
|
|
|
|
2016-02-02 14:50:10 +00:00
|
|
|
int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32],
|
|
|
|
|
const uint8_t peer_public_value[32]);
|
|
|
|
|
void X25519_public_from_private(uint8_t out_public_value[32],
|
|
|
|
|
const uint8_t private_key[32]);
|
2017-12-30 14:08:31 +00:00
|
|
|
|
2018-07-08 07:39:39 +00:00
|
|
|
/*-
|
|
|
|
|
* This functions computes a single point multiplication over the EC group,
|
|
|
|
|
* using, at a high level, a Montgomery ladder with conditional swaps, with
|
|
|
|
|
* various timing attack defenses.
|
|
|
|
|
*
|
|
|
|
|
* It performs either a fixed point multiplication
|
|
|
|
|
* (scalar * generator)
|
|
|
|
|
* when point is NULL, or a variable point multiplication
|
|
|
|
|
* (scalar * point)
|
|
|
|
|
* when point is not NULL.
|
|
|
|
|
*
|
|
|
|
|
* `scalar` cannot be NULL and should be in the range [0,n) otherwise all
|
|
|
|
|
* constant time bets are off (where n is the cardinality of the EC group).
|
|
|
|
|
*
|
|
|
|
|
* This function expects `group->order` and `group->cardinality` to be well
|
|
|
|
|
* defined and non-zero: it fails with an error code otherwise.
|
|
|
|
|
*
|
|
|
|
|
* NB: This says nothing about the constant-timeness of the ladder step
|
|
|
|
|
* implementation (i.e., the default implementation is based on EC_POINT_add and
|
|
|
|
|
* EC_POINT_dbl, which of course are not constant time themselves) or the
|
|
|
|
|
* underlying multiprecision arithmetic.
|
|
|
|
|
*
|
|
|
|
|
* The product is stored in `r`.
|
|
|
|
|
*
|
|
|
|
|
* This is an internal function: callers are in charge of ensuring that the
|
|
|
|
|
* input parameters `group`, `r`, `scalar` and `ctx` are not NULL.
|
|
|
|
|
*
|
|
|
|
|
* Returns 1 on success, 0 otherwise.
|
|
|
|
|
*/
|
|
|
|
|
int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
|
|
|
|
|
const BIGNUM *scalar, const EC_POINT *point,
|
|
|
|
|
BN_CTX *ctx);
|
|
|
|
|
|
Implement coordinate blinding for EC_POINT
This commit implements coordinate blinding, i.e., it randomizes the
representative of an elliptic curve point in its equivalence class, for
prime curves implemented through EC_GFp_simple_method,
EC_GFp_mont_method, and EC_GFp_nist_method.
This commit is derived from the patch
https://marc.info/?l=openssl-dev&m=131194808413635 by Billy Brumley.
Coordinate blinding is a generally useful side-channel countermeasure
and is (mostly) free. The function itself takes a few field
multiplicationss, but is usually only necessary at the beginning of a
scalar multiplication (as implemented in the patch). When used this way,
it makes the values that variables take (i.e., field elements in an
algorithm state) unpredictable.
For instance, this mitigates chosen EC point side-channel attacks for
settings such as ECDH and EC private key decryption, for the
aforementioned curves.
For EC_METHODs using different coordinate representations this commit
does nothing, but the corresponding coordinate blinding function can be
easily added in the future to extend these changes to such curves.
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6501)
2018-06-16 14:07:40 +00:00
|
|
|
int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);
|
EC point multiplication: add `ladder` scaffold
for specialized Montgomery ladder implementations
PR #6009 and #6070 replaced the default EC point multiplication path for
prime and binary curves with a unified Montgomery ladder implementation
with various timing attack defenses (for the common paths when a secret
scalar is feed to the point multiplication).
The newly introduced default implementation directly used
EC_POINT_add/dbl in the main loop.
The scaffolding introduced by this commit allows EC_METHODs to define a
specialized `ladder_step` function to improve performances by taking
advantage of efficient formulas for differential addition-and-doubling
and different coordinate systems.
- `ladder_pre` is executed before the main loop of the ladder: by
default it copies the input point P into S, and doubles it into R.
Specialized implementations could, e.g., use this hook to transition
to different coordinate systems before copying and doubling;
- `ladder_step` is the core of the Montgomery ladder loop: by default it
computes `S := R+S; R := 2R;`, but specific implementations could,
e.g., implement a more efficient formula for differential
addition-and-doubling;
- `ladder_post` is executed after the Montgomery ladder loop: by default
it's a noop, but specialized implementations could, e.g., use this
hook to transition back from the coordinate system used for optimizing
the differential addition-and-doubling or recover the y coordinate of
the result point.
This commit also renames `ec_mul_consttime` to `ec_scalar_mul_ladder`,
as it better corresponds to what this function does: nothing can be
truly said about the constant-timeness of the overall execution of this
function, given that the underlying operations are not necessarily
constant-time themselves.
What this implementation ensures is that the same fixed sequence of
operations is executed for each scalar multiplication (for a given
EC_GROUP), with no dependency on the value of the input scalar.
Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6690)
2018-07-07 21:50:49 +00:00
|
|
|
|
2018-07-19 12:45:06 +00:00
|
|
|
static ossl_inline int ec_point_ladder_pre(const EC_GROUP *group,
|
|
|
|
|
EC_POINT *r, EC_POINT *s,
|
|
|
|
|
EC_POINT *p, BN_CTX *ctx)
|
EC point multiplication: add `ladder` scaffold
for specialized Montgomery ladder implementations
PR #6009 and #6070 replaced the default EC point multiplication path for
prime and binary curves with a unified Montgomery ladder implementation
with various timing attack defenses (for the common paths when a secret
scalar is feed to the point multiplication).
The newly introduced default implementation directly used
EC_POINT_add/dbl in the main loop.
The scaffolding introduced by this commit allows EC_METHODs to define a
specialized `ladder_step` function to improve performances by taking
advantage of efficient formulas for differential addition-and-doubling
and different coordinate systems.
- `ladder_pre` is executed before the main loop of the ladder: by
default it copies the input point P into S, and doubles it into R.
Specialized implementations could, e.g., use this hook to transition
to different coordinate systems before copying and doubling;
- `ladder_step` is the core of the Montgomery ladder loop: by default it
computes `S := R+S; R := 2R;`, but specific implementations could,
e.g., implement a more efficient formula for differential
addition-and-doubling;
- `ladder_post` is executed after the Montgomery ladder loop: by default
it's a noop, but specialized implementations could, e.g., use this
hook to transition back from the coordinate system used for optimizing
the differential addition-and-doubling or recover the y coordinate of
the result point.
This commit also renames `ec_mul_consttime` to `ec_scalar_mul_ladder`,
as it better corresponds to what this function does: nothing can be
truly said about the constant-timeness of the overall execution of this
function, given that the underlying operations are not necessarily
constant-time themselves.
What this implementation ensures is that the same fixed sequence of
operations is executed for each scalar multiplication (for a given
EC_GROUP), with no dependency on the value of the input scalar.
Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6690)
2018-07-07 21:50:49 +00:00
|
|
|
{
|
|
|
|
|
if (group->meth->ladder_pre != NULL)
|
|
|
|
|
return group->meth->ladder_pre(group, r, s, p, ctx);
|
|
|
|
|
|
|
|
|
|
if (!EC_POINT_copy(s, p)
|
|
|
|
|
|| !EC_POINT_dbl(group, r, s, ctx))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-19 12:45:06 +00:00
|
|
|
static ossl_inline int ec_point_ladder_step(const EC_GROUP *group,
|
|
|
|
|
EC_POINT *r, EC_POINT *s,
|
|
|
|
|
EC_POINT *p, BN_CTX *ctx)
|
EC point multiplication: add `ladder` scaffold
for specialized Montgomery ladder implementations
PR #6009 and #6070 replaced the default EC point multiplication path for
prime and binary curves with a unified Montgomery ladder implementation
with various timing attack defenses (for the common paths when a secret
scalar is feed to the point multiplication).
The newly introduced default implementation directly used
EC_POINT_add/dbl in the main loop.
The scaffolding introduced by this commit allows EC_METHODs to define a
specialized `ladder_step` function to improve performances by taking
advantage of efficient formulas for differential addition-and-doubling
and different coordinate systems.
- `ladder_pre` is executed before the main loop of the ladder: by
default it copies the input point P into S, and doubles it into R.
Specialized implementations could, e.g., use this hook to transition
to different coordinate systems before copying and doubling;
- `ladder_step` is the core of the Montgomery ladder loop: by default it
computes `S := R+S; R := 2R;`, but specific implementations could,
e.g., implement a more efficient formula for differential
addition-and-doubling;
- `ladder_post` is executed after the Montgomery ladder loop: by default
it's a noop, but specialized implementations could, e.g., use this
hook to transition back from the coordinate system used for optimizing
the differential addition-and-doubling or recover the y coordinate of
the result point.
This commit also renames `ec_mul_consttime` to `ec_scalar_mul_ladder`,
as it better corresponds to what this function does: nothing can be
truly said about the constant-timeness of the overall execution of this
function, given that the underlying operations are not necessarily
constant-time themselves.
What this implementation ensures is that the same fixed sequence of
operations is executed for each scalar multiplication (for a given
EC_GROUP), with no dependency on the value of the input scalar.
Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6690)
2018-07-07 21:50:49 +00:00
|
|
|
{
|
|
|
|
|
if (group->meth->ladder_step != NULL)
|
|
|
|
|
return group->meth->ladder_step(group, r, s, p, ctx);
|
|
|
|
|
|
|
|
|
|
if (!EC_POINT_add(group, s, r, s, ctx)
|
|
|
|
|
|| !EC_POINT_dbl(group, r, r, ctx))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-19 12:45:06 +00:00
|
|
|
static ossl_inline int ec_point_ladder_post(const EC_GROUP *group,
|
|
|
|
|
EC_POINT *r, EC_POINT *s,
|
|
|
|
|
EC_POINT *p, BN_CTX *ctx)
|
EC point multiplication: add `ladder` scaffold
for specialized Montgomery ladder implementations
PR #6009 and #6070 replaced the default EC point multiplication path for
prime and binary curves with a unified Montgomery ladder implementation
with various timing attack defenses (for the common paths when a secret
scalar is feed to the point multiplication).
The newly introduced default implementation directly used
EC_POINT_add/dbl in the main loop.
The scaffolding introduced by this commit allows EC_METHODs to define a
specialized `ladder_step` function to improve performances by taking
advantage of efficient formulas for differential addition-and-doubling
and different coordinate systems.
- `ladder_pre` is executed before the main loop of the ladder: by
default it copies the input point P into S, and doubles it into R.
Specialized implementations could, e.g., use this hook to transition
to different coordinate systems before copying and doubling;
- `ladder_step` is the core of the Montgomery ladder loop: by default it
computes `S := R+S; R := 2R;`, but specific implementations could,
e.g., implement a more efficient formula for differential
addition-and-doubling;
- `ladder_post` is executed after the Montgomery ladder loop: by default
it's a noop, but specialized implementations could, e.g., use this
hook to transition back from the coordinate system used for optimizing
the differential addition-and-doubling or recover the y coordinate of
the result point.
This commit also renames `ec_mul_consttime` to `ec_scalar_mul_ladder`,
as it better corresponds to what this function does: nothing can be
truly said about the constant-timeness of the overall execution of this
function, given that the underlying operations are not necessarily
constant-time themselves.
What this implementation ensures is that the same fixed sequence of
operations is executed for each scalar multiplication (for a given
EC_GROUP), with no dependency on the value of the input scalar.
Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6690)
2018-07-07 21:50:49 +00:00
|
|
|
{
|
|
|
|
|
if (group->meth->ladder_post != NULL)
|
|
|
|
|
return group->meth->ladder_post(group, r, s, p, ctx);
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|