[apple/security.git] / libsecurity_cryptkit / lib / ellipticProj.c

/* Copyright (c) 1998 Apple Computer, Inc.  All rights reserved.
 *
 * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT
 * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE
 * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE COMPUTER, INC. AND THE
 * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE COMPUTER,
 * INC.  ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL
 * EXPOSE YOU TO LIABILITY.
 ***************************************************************************
 *
 * ellipticProj.c - elliptic projective algebra routines.
 *
 * Revision History
 * ----------------
 * 1 Sep 1998	Doug Mitchell and Richard Crandall at Apple
 *	Created.
 *
 **************************************************************

   PROJECTIVE FORMAT

   Functions are supplied herein for projective format
   of points.  Alternative formats differ in their
   range of applicability, efficiency, and so on.
   Primary advantages of the projective format herein are:
    -- No explicit inversions (until perhaps one such at the end of
       an elliptic multiply operation)
    -- Fairly low operation count (~11 muls for point doubling,
       ~16 muls for point addition)

   The elliptic curve is over F_p, with p > 3 prime, and Weierstrass
   parameterization:

      y^2 = x^3 + a x + b

   The projective-format coordinates are actually stored in
   the form {X, Y, Z}, with true x,y
   coordinates on the curve given by {x,y} = {X/Z^2, Y/Z^3}.
   The function normalizeProj() performs the
   transformation from projective->true.
   (The other direction is trivial, i.e. {x,y} -> {x,y,1} will do.)
   The basic point multiplication function is

      ellMulProj()

   which obtains the result k * P for given point P and integer
   multiplier k.  If true {x,y} are required for a multiple, one
   passes a point P = {X, Y, 1} to ellMulProj(), then afterwards
   calls normalizeProj(),

   Projective format is an answer to the typical sluggishness of
   standard elliptic arithmetic, whose explicit inversion in the
   field is, depending of course on the machinery and programmer,
   costly.  Projective format is thus especially interesting for
   cryptography.

   REFERENCES

   Crandall R and Pomerance C 1998, "Prime numbers: a computational
		perspective," Springer-Verlag, manuscript

   Solinas J 1998, IEEE P1363 Annex A (draft standard)

***********************************************************/

#include "ckconfig.h"
#if CRYPTKIT_ELL_PROJ_ENABLE

#include "ellipticProj.h"
#include "falloc.h"
#include "curveParams.h"
#include "elliptic.h"
#include "feeDebug.h"

/*
 * convert REC-style smulg to generic imulg
 */
#define smulg(s, g) imulg((unsigned)s, g)

pointProj newPointProj(unsigned numDigits)
{
	pointProj pt;

	pt = (pointProj) fmalloc(sizeof(pointProjStruct));
	pt->x = newGiant(numDigits);
	pt->y = newGiant(numDigits);
	pt->z = newGiant(numDigits);
	return(pt);
}

void freePointProj(pointProj pt)
{
	clearGiant(pt->x); freeGiant(pt->x);
	clearGiant(pt->y); freeGiant(pt->y);
	clearGiant(pt->z); freeGiant(pt->z);
	ffree(pt);
}

void ptopProj(pointProj pt1, pointProj pt2)
{
	gtog(pt1->x, pt2->x);
	gtog(pt1->y, pt2->y);
	gtog(pt1->z, pt2->z);
}

/**************************************************************
 *
 *	Elliptic curve operations
 *
 **************************************************************/

/* Begin projective-format functions for

   y^2 = x^3 + a x + b.

   These are useful in elliptic curve cryptography (ECC).
   A point is kept as a triple {X,Y,Z}, with the true (x,y)
   coordinates given by

	{x,y} = {X/Z^2, Y/Z^3}

   The function normalizeProj() performs the inverse conversion to get
   the true (x,y) pair.
 */

void ellDoubleProj(pointProj pt, curveParams *cp)
/* pt := 2 pt on the curve. */
{
	giant x = pt->x, y = pt->y, z = pt->z;
	giant t1;
	giant t2;
	giant t3;

	if(isZero(y) || isZero(z)) {
		int_to_giant(1,x); int_to_giant(1,y); int_to_giant(0,z);
		return;
	}
	t1 = borrowGiant(cp->maxDigits);
	t2 = borrowGiant(cp->maxDigits);
	t3 = borrowGiant(cp->maxDigits);

	if((cp->a->sign >= 0) || (cp->a->n[0] != 3)) { /* Path prior to Apr2001. */
		gtog(z,t1); gsquare(t1); feemod(cp, t1);
		gsquare(t1); feemod(cp, t1);
		mulg(cp->a, t1); feemod(cp, t1);			/* t1 := a z^4. */
		gtog(x, t2); gsquare(t2); feemod(cp, t2);
			smulg(3, t2);                           /* t2 := 3x^2. */
		addg(t2, t1); feemod(cp, t1);	 			/* t1 := slope m. */
	} else { /* New optimization for a = -3 (post Apr 2001). */
		gtog(z, t1); gsquare(t1); feemod(cp, t1);   /* t1 := z^2. */
		gtog(x, t2); subg(t1, t2);                  /* t2 := x-z^2. */
		addg(x, t1); smulg(3, t1);                  /* t1 := 3(x+z^2). */
		mulg(t2, t1); feemod(cp, t1);               /* t1 := slope m. */
	}
	mulg(y, z); addg(z,z); feemod(cp, z);	  	/* z := 2 y z. */
	gtog(y, t2); gsquare(t2); feemod(cp, t2); 	/* t2 := y^2. */
	gtog(t2, t3); gsquare(t3); feemod(cp, t3);	/* t3 := y^4. */
	gshiftleft(3, t3);  				/* t3 := 8 y^4. */
	mulg(x, t2); gshiftleft(2, t2); feemod(cp, t2);	/* t2 := 4xy^2. */
	gtog(t1, x); gsquare(x); feemod(cp, x);
	subg(t2, x); subg(t2, x); feemod(cp, x);	/* x done. */
	gtog(t1, y); subg(x, t2); mulg(t2, y); subg(t3, y);
	feemod(cp, y);
	returnGiant(t1);
	returnGiant(t2);
	returnGiant(t3);
}

void ellAddProj(pointProj pt0, pointProj pt1, curveParams *cp)
/* pt0 := pt0 + pt1 on the curve. */
{
	giant x0 = pt0->x, y0 = pt0->y, z0 = pt0->z,
		  x1 = pt1->x, y1 = pt1->y, z1 = pt1->z;
	giant t1;
	giant t2;
	giant t3;
	giant t4;
	giant t5;
	giant t6;
	giant t7;

	if(isZero(z0)) {
		gtog(x1,x0); gtog(y1,y0); gtog(z1,z0);
		return;
	}
	if(isZero(z1)) return;

	t1 = borrowGiant(cp->maxDigits);
	t2 = borrowGiant(cp->maxDigits);
	t3 = borrowGiant(cp->maxDigits);
	t4 = borrowGiant(cp->maxDigits);
	t5 = borrowGiant(cp->maxDigits);
	t6 = borrowGiant(cp->maxDigits);
	t7 = borrowGiant(cp->maxDigits);

	gtog(x0, t1); gtog(y0,t2); gtog(z0, t3);
	gtog(x1, t4); gtog(y1, t5);
	if(!isone(z1)) {
		gtog(z1, t6);
		gtog(t6, t7); gsquare(t7); feemod(cp, t7);
		mulg(t7, t1); feemod(cp, t1);
		mulg(t6, t7); feemod(cp, t7);
		mulg(t7, t2); feemod(cp, t2);
	}
	gtog(t3, t7); gsquare(t7); feemod(cp, t7);
	mulg(t7, t4); feemod(cp, t4);
	mulg(t3, t7); feemod(cp, t7);
	mulg(t7, t5); feemod(cp, t5);
	negg(t4); addg(t1, t4); feemod(cp, t4);
	negg(t5); addg(t2, t5); feemod(cp, t5);
	if(isZero(t4)) {
		if(isZero(t5)) {
			ellDoubleProj(pt0, cp);
	    	} else {
			int_to_giant(1, x0); int_to_giant(1, y0);
			int_to_giant(0, z0);
		}
		goto out;
	}
	addg(t1, t1); subg(t4, t1); feemod(cp, t1);
	addg(t2, t2); subg(t5, t2); feemod(cp, t2);
	if(!isone(z1)) {
		mulg(t6, t3); feemod(cp, t3);
	}
	mulg(t4, t3); feemod(cp, t3);
	gtog(t4, t7); gsquare(t7); feemod(cp, t7);
	mulg(t7, t4); feemod(cp, t4);
	mulg(t1, t7); feemod(cp, t7);
	gtog(t5, t1); gsquare(t1); feemod(cp, t1);
	subg(t7, t1); feemod(cp, t1);
	subg(t1, t7); subg(t1, t7); feemod(cp, t7);
	mulg(t7, t5); feemod(cp, t5);
	mulg(t2, t4); feemod(cp, t4);
	gtog(t5, t2); subg(t4,t2); feemod(cp, t2);
	if(t2->n[0] & 1) { /* Test if t2 is odd. */
		addg(cp->basePrime, t2);
	}
	gshiftright(1, t2);
	gtog(t1, x0); gtog(t2, y0); gtog(t3, z0);
out:
	returnGiant(t1);
	returnGiant(t2);
	returnGiant(t3);
	returnGiant(t4);
	returnGiant(t5);
	returnGiant(t6);
	returnGiant(t7);
}


void ellNegProj(pointProj pt, curveParams *cp)
/* pt := -pt on the curve. */
{
	negg(pt->y); feemod(cp, pt->y);
}

void ellSubProj(pointProj pt0, pointProj pt1, curveParams *cp)
/* pt0 := pt0 - pt1 on the curve. */
{
	ellNegProj(pt1, cp);
	ellAddProj(pt0, pt1,cp);
	ellNegProj(pt1, cp);
}

/*
 * Simple projective multiply.
 *
 * pt := pt * k, result normalized.
 */
void ellMulProjSimple(pointProj pt0, giant k, curveParams *cp)
{
	pointProjStruct pt1;	// local, giants borrowed

	CKASSERT(isone(pt0->z));
	CKASSERT(cp->curveType == FCT_Weierstrass);

	/* ellMulProj assumes constant pt0, can't pass as src and dst */
	pt1.x = borrowGiant(cp->maxDigits);
	pt1.y = borrowGiant(cp->maxDigits);
	pt1.z = borrowGiant(cp->maxDigits);
	ellMulProj(pt0, &pt1, k, cp);
	normalizeProj(&pt1, cp);
	CKASSERT(isone(pt1.z));

	ptopProj(&pt1, pt0);
	returnGiant(pt1.x);
	returnGiant(pt1.y);
	returnGiant(pt1.z);
}

void ellMulProj(pointProj pt0, pointProj pt1, giant k, curveParams *cp)
/* General elliptic multiplication;
   pt1 := k*pt0 on the curve,
   with k an arbitrary integer.
 */
{
	giant x = pt0->x, y = pt0->y, z = pt0->z,
		  xx = pt1->x, yy = pt1->y, zz = pt1->z;
	int ksign, hlen, klen, b, hb, kb;
    	giant t0;

	CKASSERT(cp->curveType == FCT_Weierstrass);
	if(isZero(k)) {
		int_to_giant(1, xx);
		int_to_giant(1, yy);
		int_to_giant(0, zz);
		return;
	}
	t0 = borrowGiant(cp->maxDigits);
    	ksign = k->sign;
	if(ksign < 0) negg(k);
	gtog(x,xx); gtog(y,yy); gtog(z,zz);
	gtog(k, t0); addg(t0, t0); addg(k, t0); /* t0 := 3k. */
	hlen = bitlen(t0);
	klen = bitlen(k);
	for(b = hlen-2; b > 0; b--) {
		ellDoubleProj(pt1,cp);
		hb = bitval(t0, b);
		if(b < klen) kb = bitval(k, b); else kb = 0;
		if((hb != 0) && (kb == 0))
			ellAddProj(pt1, pt0, cp);
		else if((hb == 0) && (kb !=0))
			ellSubProj(pt1, pt0, cp);
	}
	if(ksign < 0) {
		ellNegProj(pt1, cp);
		k->sign = -k->sign;
	}
	returnGiant(t0);
}

void normalizeProj(pointProj pt, curveParams *cp)
/* Obtain actual x,y coords via normalization:
   {x,y,z} := {x/z^2, y/z^3, 1}.
 */

{	giant x = pt->x, y = pt->y, z = pt->z;
	giant t1;

	CKASSERT(cp->curveType == FCT_Weierstrass);
	if(isZero(z)) {
		int_to_giant(1,x); int_to_giant(1,y);
		return;
	}
	t1 = borrowGiant(cp->maxDigits);
	binvg_cp(cp, z);		// was binvaux(p, z);
		gtog(z, t1);
	gsquare(z); feemod(cp, z);
	mulg(z, x); feemod(cp, x);
	mulg(t1, z); mulg(z, y); feemod(cp, y);
	int_to_giant(1, z);
	returnGiant(t1);
}

static int
jacobi_symbol(giant a, curveParams *cp)
/* Standard Jacobi symbol (a/cp->basePrime).
  basePrime must be odd, positive. */
{
	int t = 1, u;
	giant t5 = borrowGiant(cp->maxDigits);
	giant t6 = borrowGiant(cp->maxDigits);
	giant t7 = borrowGiant(cp->maxDigits);
	int rtn;

	gtog(a, t5); feemod(cp, t5);
	gtog(cp->basePrime, t6);
	while(!isZero(t5)) {
	    u = (t6->n[0]) & 7;
		while((t5->n[0] & 1) == 0) {
			gshiftright(1, t5);
			if((u==3) || (u==5)) t = -t;
		}
		gtog(t5, t7); gtog(t6, t5); gtog(t7, t6);
		u = (t6->n[0]) & 3;
		if(((t5->n[0] & 3) == 3) && ((u & 3) == 3)) t = -t;
		modg(t6, t5);
	}
	if(isone(t6)) {
		rtn = t;
	}
	else {
		rtn = 0;
	}
	returnGiant(t5);
	returnGiant(t6);
	returnGiant(t7);

	return rtn;
}

static void
powFp2(giant a, giant b, giant w2, giant n, curveParams *cp)
/* Perform powering in the field F_p^2:
   a + b w := (a + b w)^n (mod p), where parameter w2 is a quadratic
   nonresidue (formally equal to w^2).
 */
{
	int j;
	giant t6;
	giant t7;
	giant t8;
	giant t9;

	if(isZero(n)) {
		int_to_giant(1,a);
		int_to_giant(0,b);
		return;
	}
    	t6 = borrowGiant(cp->maxDigits);
    	t7 = borrowGiant(cp->maxDigits);
    	t8 = borrowGiant(cp->maxDigits);
    	t9 = borrowGiant(cp->maxDigits);
	gtog(a, t8); gtog(b, t9);
	for(j = bitlen(n)-2; j >= 0; j--) {
		gtog(b, t6);
		mulg(a, b); addg(b,b); feemod(cp, b);  /* b := 2 a b. */
		gsquare(t6); feemod(cp, t6);
		mulg(w2, t6); feemod(cp, t6);
		gsquare(a); addg(t6, a); feemod(cp, a);
						/* a := a^2 + b^2 w2. */
		if(bitval(n, j)) {
			gtog(b, t6); mulg(t8, b); feemod(cp, b);
			gtog(a, t7); mulg(t9, a); addg(a, b); feemod(cp, b);
			mulg(t9, t6); feemod(cp, t6);
			mulg(w2, t6); feemod(cp, t6);
			mulg(t8, a); addg(t6, a); feemod(cp, a);
		}
	}
	returnGiant(t6);
	returnGiant(t7);
	returnGiant(t8);
	returnGiant(t9);
	return;
}

static void
powermodg(
	giant		x,
	giant		n,
	curveParams	*cp
)
/* x becomes x^n (mod basePrime). */
{
	int 		len, pos;
	giant		scratch2 = borrowGiant(cp->maxDigits);

	gtog(x, scratch2);
	int_to_giant(1, x);
	len = bitlen(n);
	pos = 0;
	while (1)
	{
		if (bitval(n, pos++))
		{
			mulg(scratch2, x);
			feemod(cp, x);
		}
		if (pos>=len)
			break;
		gsquare(scratch2);
		feemod(cp, scratch2);
	}
	returnGiant(scratch2);
}

static int sqrtmod(giant x, curveParams *cp)
/* If Sqrt[x] (mod p) exists, function returns 1, else 0.
   In either case x is modified, but if 1 is returned,
   x:= Sqrt[x] (mod p).
 */
{
	int rtn;
	giant t0 = borrowGiant(cp->maxDigits);
	giant t1 = borrowGiant(cp->maxDigits);
	giant t2 = borrowGiant(cp->maxDigits);
	giant t3 = borrowGiant(cp->maxDigits);
	giant t4 = borrowGiant(cp->maxDigits);

	giant p = cp->basePrime;

    	feemod(cp, x);			/* Justify the argument. */
    	gtog(x, t0);  /* Store x for eventual validity check on square root. */
    	if((p->n[0] & 3) == 3) {  /* The case p = 3 (mod 4). */
		gtog(p, t1);
		iaddg(1, t1); gshiftright(2, t1);
		powermodg(x, t1, cp);
		goto resolve;
    	}
	/* Next, handle case p = 5 (mod 8). */
    	if((p->n[0] & 7) == 5) {
		gtog(p, t1); int_to_giant(1, t2);
		subg(t2, t1); gshiftright(2, t1);
		gtog(x, t2);
		powermodg(t2, t1, cp);  /* t2 := x^((p-1)/4) % p. */
		iaddg(1, t1);
		gshiftright(1, t1); /* t1 := (p+3)/8. */
		if(isone(t2)) {
			powermodg(x, t1, cp);  /* x^((p+3)/8) is root. */
			goto resolve;
		} else {
			int_to_giant(1, t2); subg(t2, t1);
				/* t1 := (p-5)/8. */
			gshiftleft(2,x);
			powermodg(x, t1, cp);
			mulg(t0, x); addg(x, x); feemod(cp, x);
				/* 2x (4x)^((p-5)/8. */
			goto resolve;
		}
	}

	/* Next, handle tougher case: p = 1 (mod 8). */
	int_to_giant(2, t1);
	while(1) {  /* Find appropriate nonresidue. */
		gtog(t1, t2);
		gsquare(t2); subg(x, t2); feemod(cp, t2);
		if(jacobi_symbol(t2, cp) == -1) break;
		iaddg(1, t1);
	}  /* t2 is now w^2 in F_p^2. */
   	int_to_giant(1, t3);
   	gtog(p, t4); iaddg(1, t4); gshiftright(1, t4);
	powFp2(t1, t3, t2, t4, cp);
	gtog(t1, x);

resolve:
   	gtog(x,t1); gsquare(t1); feemod(cp, t1);
    	if(gcompg(t0, t1) == 0) {
		rtn = 1; 	/* Success. */
	}
	else {
		rtn = 0;	/* no square root */
	}
	returnGiant(t0);
	returnGiant(t1);
	returnGiant(t2);
	returnGiant(t3);
	returnGiant(t4);
	return rtn;
}


void findPointProj(pointProj pt, giant seed, curveParams *cp)
/* Starting with seed, finds a random (projective) point {x,y,1} on curve.
 */
{
	giant x = pt->x, y = pt->y, z = pt->z;

	CKASSERT(cp->curveType == FCT_Weierstrass);
	feemod(cp, seed);
    	while(1) {
		gtog(seed, x);
		gsquare(x); feemod(cp, x);	// x := seed^2
		addg(cp->a, x);			// x := seed^2 + a
		mulg(seed,x); 			// x := seed^3 + a*seed
		addg(cp->b, x);
		feemod(cp, x);			// x := seed^3 + a seed + b.
		/* test cubic form for having root. */
		if(sqrtmod(x, cp)) break;
		iaddg(1, seed);
	}
	gtog(x, y);
    	gtog(seed,x);
	int_to_giant(1, z);
}

#endif	/* CRYPTKIT_ELL_PROJ_ENABLE */
Commit	Line	Data
b1ab9ed8 A	1	/* Copyright (c) 1998 Apple Computer, Inc. All rights reserved.
	2	*
	3	* NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT
	4	* TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE
	5	* SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE COMPUTER, INC. AND THE
	6	* ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE COMPUTER,
	7	* INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL
	8	* EXPOSE YOU TO LIABILITY.
	9	***************************************************************************
	10	*
	11	* ellipticProj.c - elliptic projective algebra routines.
	12	*
	13	* Revision History
	14	* ----------------
	15	* 1 Sep 1998 Doug Mitchell and Richard Crandall at Apple
	16	* Created.
	17	*
	18	**************************************************************
	19
	20	PROJECTIVE FORMAT
	21
	22	Functions are supplied herein for projective format
	23	of points. Alternative formats differ in their
	24	range of applicability, efficiency, and so on.
	25	Primary advantages of the projective format herein are:
	26	-- No explicit inversions (until perhaps one such at the end of
	27	an elliptic multiply operation)
	28	-- Fairly low operation count (~11 muls for point doubling,
	29	~16 muls for point addition)
	30
	31	The elliptic curve is over F_p, with p > 3 prime, and Weierstrass
	32	parameterization:
	33
	34	y^2 = x^3 + a x + b
	35
	36	The projective-format coordinates are actually stored in
	37	the form {X, Y, Z}, with true x,y
	38	coordinates on the curve given by {x,y} = {X/Z^2, Y/Z^3}.
	39	The function normalizeProj() performs the
	40	transformation from projective->true.
	41	(The other direction is trivial, i.e. {x,y} -> {x,y,1} will do.)
	42	The basic point multiplication function is
	43
	44	ellMulProj()
	45
	46	which obtains the result k * P for given point P and integer
	47	multiplier k. If true {x,y} are required for a multiple, one
	48	passes a point P = {X, Y, 1} to ellMulProj(), then afterwards
	49	calls normalizeProj(),
	50
	51	Projective format is an answer to the typical sluggishness of
	52	standard elliptic arithmetic, whose explicit inversion in the
	53	field is, depending of course on the machinery and programmer,
	54	costly. Projective format is thus especially interesting for
	55	cryptography.
	56
	57	REFERENCES
	58
	59	Crandall R and Pomerance C 1998, "Prime numbers: a computational
	60	perspective," Springer-Verlag, manuscript
	61
	62	Solinas J 1998, IEEE P1363 Annex A (draft standard)
	63
	64	***********************************************************/
65
66	#include "ckconfig.h"
67	#if CRYPTKIT_ELL_PROJ_ENABLE
68
69	#include "ellipticProj.h"
70	#include "falloc.h"
71	#include "curveParams.h"
72	#include "elliptic.h"
73	#include "feeDebug.h"
74
75	/*
76	* convert REC-style smulg to generic imulg
77	*/
78	#define smulg(s, g) imulg((unsigned)s, g)
79
80	pointProj newPointProj(unsigned numDigits)
81	{
82	pointProj pt;
83
84	pt = (pointProj) fmalloc(sizeof(pointProjStruct));
85	pt->x = newGiant(numDigits);
86	pt->y = newGiant(numDigits);
87	pt->z = newGiant(numDigits);
88	return(pt);
89	}
90
91	void freePointProj(pointProj pt)
92	{
93	clearGiant(pt->x); freeGiant(pt->x);
94	clearGiant(pt->y); freeGiant(pt->y);
95	clearGiant(pt->z); freeGiant(pt->z);
96	ffree(pt);
97	}
98
99	void ptopProj(pointProj pt1, pointProj pt2)
100	{
101	gtog(pt1->x, pt2->x);
102	gtog(pt1->y, pt2->y);
103	gtog(pt1->z, pt2->z);
104	}
105
106	/**************************************************************
107	*
108	* Elliptic curve operations
109	*
110	**************************************************************/
111
112	/* Begin projective-format functions for
113
114	y^2 = x^3 + a x + b.
115
116	These are useful in elliptic curve cryptography (ECC).
117	A point is kept as a triple {X,Y,Z}, with the true (x,y)
118	coordinates given by
119
120	{x,y} = {X/Z^2, Y/Z^3}
121
122	The function normalizeProj() performs the inverse conversion to get
123	the true (x,y) pair.
124	*/
125
126	void ellDoubleProj(pointProj pt, curveParams *cp)
127	/* pt := 2 pt on the curve. */
128	{
129	giant x = pt->x, y = pt->y, z = pt->z;
130	giant t1;
131	giant t2;
132	giant t3;
133
134	if(isZero(y) \|\| isZero(z)) {
135	int_to_giant(1,x); int_to_giant(1,y); int_to_giant(0,z);
136	return;
137	}
138	t1 = borrowGiant(cp->maxDigits);
139	t2 = borrowGiant(cp->maxDigits);
140	t3 = borrowGiant(cp->maxDigits);
141
142	if((cp->a->sign >= 0) \|\| (cp->a->n[0] != 3)) { /* Path prior to Apr2001. */
143	gtog(z,t1); gsquare(t1); feemod(cp, t1);
144	gsquare(t1); feemod(cp, t1);
145	mulg(cp->a, t1); feemod(cp, t1); /* t1 := a z^4. */
146	gtog(x, t2); gsquare(t2); feemod(cp, t2);
147	smulg(3, t2); /* t2 := 3x^2. */
148	addg(t2, t1); feemod(cp, t1); /* t1 := slope m. */
149	} else { /* New optimization for a = -3 (post Apr 2001). */
150	gtog(z, t1); gsquare(t1); feemod(cp, t1); /* t1 := z^2. */
151	gtog(x, t2); subg(t1, t2); /* t2 := x-z^2. */
152	addg(x, t1); smulg(3, t1); /* t1 := 3(x+z^2). */
153	mulg(t2, t1); feemod(cp, t1); /* t1 := slope m. */
154	}
155	mulg(y, z); addg(z,z); feemod(cp, z); /* z := 2 y z. */
156	gtog(y, t2); gsquare(t2); feemod(cp, t2); /* t2 := y^2. */
157	gtog(t2, t3); gsquare(t3); feemod(cp, t3); /* t3 := y^4. */
158	gshiftleft(3, t3); /* t3 := 8 y^4. */
159	mulg(x, t2); gshiftleft(2, t2); feemod(cp, t2); /* t2 := 4xy^2. */
160	gtog(t1, x); gsquare(x); feemod(cp, x);
161	subg(t2, x); subg(t2, x); feemod(cp, x); /* x done. */
162	gtog(t1, y); subg(x, t2); mulg(t2, y); subg(t3, y);
163	feemod(cp, y);
164	returnGiant(t1);
165	returnGiant(t2);
166	returnGiant(t3);
167	}
168
169	void ellAddProj(pointProj pt0, pointProj pt1, curveParams *cp)
170	/* pt0 := pt0 + pt1 on the curve. */
171	{
172	giant x0 = pt0->x, y0 = pt0->y, z0 = pt0->z,
173	x1 = pt1->x, y1 = pt1->y, z1 = pt1->z;
174	giant t1;
175	giant t2;
176	giant t3;
177	giant t4;
178	giant t5;
179	giant t6;
180	giant t7;
181
182	if(isZero(z0)) {
183	gtog(x1,x0); gtog(y1,y0); gtog(z1,z0);
184	return;
185	}
186	if(isZero(z1)) return;
187
188	t1 = borrowGiant(cp->maxDigits);
189	t2 = borrowGiant(cp->maxDigits);
190	t3 = borrowGiant(cp->maxDigits);
191	t4 = borrowGiant(cp->maxDigits);
192	t5 = borrowGiant(cp->maxDigits);
193	t6 = borrowGiant(cp->maxDigits);
194	t7 = borrowGiant(cp->maxDigits);
195
196	gtog(x0, t1); gtog(y0,t2); gtog(z0, t3);
197	gtog(x1, t4); gtog(y1, t5);
198	if(!isone(z1)) {
199	gtog(z1, t6);
200	gtog(t6, t7); gsquare(t7); feemod(cp, t7);
201	mulg(t7, t1); feemod(cp, t1);
202	mulg(t6, t7); feemod(cp, t7);
203	mulg(t7, t2); feemod(cp, t2);
204	}
205	gtog(t3, t7); gsquare(t7); feemod(cp, t7);
206	mulg(t7, t4); feemod(cp, t4);
207	mulg(t3, t7); feemod(cp, t7);
208	mulg(t7, t5); feemod(cp, t5);
209	negg(t4); addg(t1, t4); feemod(cp, t4);
210	negg(t5); addg(t2, t5); feemod(cp, t5);
211	if(isZero(t4)) {
212	if(isZero(t5)) {
213	ellDoubleProj(pt0, cp);
214	} else {
215	int_to_giant(1, x0); int_to_giant(1, y0);
216	int_to_giant(0, z0);
217	}
218	goto out;
219	}
220	addg(t1, t1); subg(t4, t1); feemod(cp, t1);
221	addg(t2, t2); subg(t5, t2); feemod(cp, t2);
222	if(!isone(z1)) {
223	mulg(t6, t3); feemod(cp, t3);
224	}
225	mulg(t4, t3); feemod(cp, t3);
226	gtog(t4, t7); gsquare(t7); feemod(cp, t7);
227	mulg(t7, t4); feemod(cp, t4);
228	mulg(t1, t7); feemod(cp, t7);
229	gtog(t5, t1); gsquare(t1); feemod(cp, t1);
230	subg(t7, t1); feemod(cp, t1);
231	subg(t1, t7); subg(t1, t7); feemod(cp, t7);
232	mulg(t7, t5); feemod(cp, t5);
233	mulg(t2, t4); feemod(cp, t4);
234	gtog(t5, t2); subg(t4,t2); feemod(cp, t2);
235	if(t2->n[0] & 1) { /* Test if t2 is odd. */
236	addg(cp->basePrime, t2);
237	}
238	gshiftright(1, t2);
239	gtog(t1, x0); gtog(t2, y0); gtog(t3, z0);
240	out:
241	returnGiant(t1);
242	returnGiant(t2);
243	returnGiant(t3);
244	returnGiant(t4);
245	returnGiant(t5);
246	returnGiant(t6);
247	returnGiant(t7);
248	}
249
250
251	void ellNegProj(pointProj pt, curveParams *cp)
252	/* pt := -pt on the curve. */
253	{
254	negg(pt->y); feemod(cp, pt->y);
255	}
256
257	void ellSubProj(pointProj pt0, pointProj pt1, curveParams *cp)
258	/* pt0 := pt0 - pt1 on the curve. */
259	{
260	ellNegProj(pt1, cp);
261	ellAddProj(pt0, pt1,cp);
262	ellNegProj(pt1, cp);
263	}
264
265	/*
266	* Simple projective multiply.
267	*
268	* pt := pt * k, result normalized.
269	*/
270	void ellMulProjSimple(pointProj pt0, giant k, curveParams *cp)
271	{
272	pointProjStruct pt1; // local, giants borrowed
273
274	CKASSERT(isone(pt0->z));
275	CKASSERT(cp->curveType == FCT_Weierstrass);
276
277	/* ellMulProj assumes constant pt0, can't pass as src and dst */
278	pt1.x = borrowGiant(cp->maxDigits);
279	pt1.y = borrowGiant(cp->maxDigits);
280	pt1.z = borrowGiant(cp->maxDigits);
281	ellMulProj(pt0, &pt1, k, cp);
282	normalizeProj(&pt1, cp);
283	CKASSERT(isone(pt1.z));
284
285	ptopProj(&pt1, pt0);
286	returnGiant(pt1.x);
287	returnGiant(pt1.y);
288	returnGiant(pt1.z);
289	}
290
291	void ellMulProj(pointProj pt0, pointProj pt1, giant k, curveParams *cp)
292	/* General elliptic multiplication;
293	pt1 := k*pt0 on the curve,
294	with k an arbitrary integer.
295	*/
296	{
297	giant x = pt0->x, y = pt0->y, z = pt0->z,
298	xx = pt1->x, yy = pt1->y, zz = pt1->z;
299	int ksign, hlen, klen, b, hb, kb;
300	giant t0;
301
302	CKASSERT(cp->curveType == FCT_Weierstrass);
303	if(isZero(k)) {
304	int_to_giant(1, xx);
305	int_to_giant(1, yy);
306	int_to_giant(0, zz);
307	return;
308	}
309	t0 = borrowGiant(cp->maxDigits);
310	ksign = k->sign;
311	if(ksign < 0) negg(k);
312	gtog(x,xx); gtog(y,yy); gtog(z,zz);
313	gtog(k, t0); addg(t0, t0); addg(k, t0); /* t0 := 3k. */
314	hlen = bitlen(t0);
315	klen = bitlen(k);
316	for(b = hlen-2; b > 0; b--) {
317	ellDoubleProj(pt1,cp);
318	hb = bitval(t0, b);
319	if(b < klen) kb = bitval(k, b); else kb = 0;
320	if((hb != 0) && (kb == 0))
321	ellAddProj(pt1, pt0, cp);
322	else if((hb == 0) && (kb !=0))
323	ellSubProj(pt1, pt0, cp);
324	}
325	if(ksign < 0) {
326	ellNegProj(pt1, cp);
327	k->sign = -k->sign;
328	}
329	returnGiant(t0);
330	}
331
332	void normalizeProj(pointProj pt, curveParams *cp)
333	/* Obtain actual x,y coords via normalization:
334	{x,y,z} := {x/z^2, y/z^3, 1}.
335	*/
336
337	{ giant x = pt->x, y = pt->y, z = pt->z;
338	giant t1;
339
340	CKASSERT(cp->curveType == FCT_Weierstrass);
341	if(isZero(z)) {
342	int_to_giant(1,x); int_to_giant(1,y);
343	return;
344	}
345	t1 = borrowGiant(cp->maxDigits);
346	binvg_cp(cp, z); // was binvaux(p, z);
347	gtog(z, t1);
348	gsquare(z); feemod(cp, z);
349	mulg(z, x); feemod(cp, x);
350	mulg(t1, z); mulg(z, y); feemod(cp, y);
351	int_to_giant(1, z);
352	returnGiant(t1);
353	}
354
355	static int
356	jacobi_symbol(giant a, curveParams *cp)
357	/* Standard Jacobi symbol (a/cp->basePrime).
358	basePrime must be odd, positive. */
359	{
360	int t = 1, u;
361	giant t5 = borrowGiant(cp->maxDigits);
362	giant t6 = borrowGiant(cp->maxDigits);
363	giant t7 = borrowGiant(cp->maxDigits);
364	int rtn;
365
366	gtog(a, t5); feemod(cp, t5);
367	gtog(cp->basePrime, t6);
368	while(!isZero(t5)) {
369	u = (t6->n[0]) & 7;
370	while((t5->n[0] & 1) == 0) {
371	gshiftright(1, t5);
372	if((u==3) \|\| (u==5)) t = -t;
373	}
374	gtog(t5, t7); gtog(t6, t5); gtog(t7, t6);
375	u = (t6->n[0]) & 3;
376	if(((t5->n[0] & 3) == 3) && ((u & 3) == 3)) t = -t;
377	modg(t6, t5);
378	}
379	if(isone(t6)) {
380	rtn = t;
381	}
382	else {
383	rtn = 0;
384	}
385	returnGiant(t5);
386	returnGiant(t6);
387	returnGiant(t7);
388
389	return rtn;
390	}
391
392	static void
393	powFp2(giant a, giant b, giant w2, giant n, curveParams *cp)
394	/* Perform powering in the field F_p^2:
395	a + b w := (a + b w)^n (mod p), where parameter w2 is a quadratic
396	nonresidue (formally equal to w^2).
397	*/
398	{
399	int j;
400	giant t6;
401	giant t7;
402	giant t8;
403	giant t9;
404
405	if(isZero(n)) {
406	int_to_giant(1,a);
407	int_to_giant(0,b);
408	return;
409	}
410	t6 = borrowGiant(cp->maxDigits);
411	t7 = borrowGiant(cp->maxDigits);
412	t8 = borrowGiant(cp->maxDigits);
413	t9 = borrowGiant(cp->maxDigits);
414	gtog(a, t8); gtog(b, t9);
415	for(j = bitlen(n)-2; j >= 0; j--) {
416	gtog(b, t6);
417	mulg(a, b); addg(b,b); feemod(cp, b); /* b := 2 a b. */
418	gsquare(t6); feemod(cp, t6);
419	mulg(w2, t6); feemod(cp, t6);
420	gsquare(a); addg(t6, a); feemod(cp, a);
421	/* a := a^2 + b^2 w2. */
422	if(bitval(n, j)) {
423	gtog(b, t6); mulg(t8, b); feemod(cp, b);
424	gtog(a, t7); mulg(t9, a); addg(a, b); feemod(cp, b);
425	mulg(t9, t6); feemod(cp, t6);
426	mulg(w2, t6); feemod(cp, t6);
427	mulg(t8, a); addg(t6, a); feemod(cp, a);
428	}
429	}
430	returnGiant(t6);
431	returnGiant(t7);
432	returnGiant(t8);
433	returnGiant(t9);
434	return;
435	}
436
437	static void
438	powermodg(
439	giant x,
440	giant n,
441	curveParams *cp
442	)
443	/* x becomes x^n (mod basePrime). */
444	{
445	int len, pos;
446	giant scratch2 = borrowGiant(cp->maxDigits);
447
448	gtog(x, scratch2);
449	int_to_giant(1, x);
450	len = bitlen(n);
451	pos = 0;
452	while (1)
453	{
454	if (bitval(n, pos++))
455	{
456	mulg(scratch2, x);
457	feemod(cp, x);
458	}
459	if (pos>=len)
460	break;
461	gsquare(scratch2);
462	feemod(cp, scratch2);
463	}
464	returnGiant(scratch2);
465	}
466
467	static int sqrtmod(giant x, curveParams *cp)
468	/* If Sqrt[x] (mod p) exists, function returns 1, else 0.
469	In either case x is modified, but if 1 is returned,
470	x:= Sqrt[x] (mod p).
471	*/
472	{
473	int rtn;
474	giant t0 = borrowGiant(cp->maxDigits);
475	giant t1 = borrowGiant(cp->maxDigits);
476	giant t2 = borrowGiant(cp->maxDigits);
477	giant t3 = borrowGiant(cp->maxDigits);
478	giant t4 = borrowGiant(cp->maxDigits);
479
480	giant p = cp->basePrime;
481
482	feemod(cp, x); /* Justify the argument. */
483	gtog(x, t0); /* Store x for eventual validity check on square root. */
484	if((p->n[0] & 3) == 3) { /* The case p = 3 (mod 4). */
485	gtog(p, t1);
486	iaddg(1, t1); gshiftright(2, t1);
487	powermodg(x, t1, cp);
488	goto resolve;
489	}
490	/* Next, handle case p = 5 (mod 8). */
491	if((p->n[0] & 7) == 5) {
492	gtog(p, t1); int_to_giant(1, t2);
493	subg(t2, t1); gshiftright(2, t1);
494	gtog(x, t2);
495	powermodg(t2, t1, cp); /* t2 := x^((p-1)/4) % p. */
496	iaddg(1, t1);
497	gshiftright(1, t1); /* t1 := (p+3)/8. */
498	if(isone(t2)) {
499	powermodg(x, t1, cp); /* x^((p+3)/8) is root. */
500	goto resolve;
501	} else {
502	int_to_giant(1, t2); subg(t2, t1);
503	/* t1 := (p-5)/8. */
504	gshiftleft(2,x);
505	powermodg(x, t1, cp);
506	mulg(t0, x); addg(x, x); feemod(cp, x);
507	/* 2x (4x)^((p-5)/8. */
508	goto resolve;
509	}
510	}
511
512	/* Next, handle tougher case: p = 1 (mod 8). */
513	int_to_giant(2, t1);
514	while(1) { /* Find appropriate nonresidue. */
515	gtog(t1, t2);
516	gsquare(t2); subg(x, t2); feemod(cp, t2);
517	if(jacobi_symbol(t2, cp) == -1) break;
518	iaddg(1, t1);
519	} /* t2 is now w^2 in F_p^2. */
520	int_to_giant(1, t3);
521	gtog(p, t4); iaddg(1, t4); gshiftright(1, t4);
522	powFp2(t1, t3, t2, t4, cp);
523	gtog(t1, x);
524
525	resolve:
526	gtog(x,t1); gsquare(t1); feemod(cp, t1);
527	if(gcompg(t0, t1) == 0) {
528	rtn = 1; /* Success. */
529	}
530	else {
531	rtn = 0; /* no square root */
532	}
533	returnGiant(t0);
534	returnGiant(t1);
535	returnGiant(t2);
536	returnGiant(t3);
537	returnGiant(t4);
538	return rtn;
539	}
540
541
542	void findPointProj(pointProj pt, giant seed, curveParams *cp)
543	/* Starting with seed, finds a random (projective) point {x,y,1} on curve.
544	*/
545	{
546	giant x = pt->x, y = pt->y, z = pt->z;
547
548	CKASSERT(cp->curveType == FCT_Weierstrass);
549	feemod(cp, seed);
550	while(1) {
551	gtog(seed, x);
552	gsquare(x); feemod(cp, x); // x := seed^2
553	addg(cp->a, x); // x := seed^2 + a
554	mulg(seed,x); // x := seed^3 + a*seed
555	addg(cp->b, x);
556	feemod(cp, x); // x := seed^3 + a seed + b.
557	/* test cubic form for having root. */
558	if(sqrtmod(x, cp)) break;
559	iaddg(1, seed);
560	}
561	gtog(x, y);
562	gtog(seed,x);
563	int_to_giant(1, z);
564	}
565
566	#endif /* CRYPTKIT_ELL_PROJ_ENABLE */