]>
git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_cryptkit/lib/engineNSA127.c
1 /* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved.
3 * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT
4 * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE
5 * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE
6 * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE,
7 * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL
8 * EXPOSE YOU TO LIABILITY.
9 ***************************************************************************
11 CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL
14 Security Engine code, to be compiled prior to software
15 distribution. The code performs the
16 elliptic curve algebra fundamental to the patented FEE
19 This Engine is designed to be virtually nonmalleable
20 with respect to key size. This is achieved herein
21 via hard-coding of numerical algorithms with respect to
22 the DEPTH = 4 security level (127 bit Mersenne prime).
24 In meetings between the NSA and NeXT Software, Inc. in
25 1995-1996, the notion of Security Engine emerged as a
26 means by which one could discourage disassembly of
27 FEE compilations, especially when such disassembly
28 has the sinister goal of modifying encryption depth.
30 DO NOT EVEN THINK ABOUT READING THE SOURCE CODE
31 BELOW UNLESS YOU ARE EXPLICITLY AUTHORIZED TO DO SO
32 BY NeXT OR ITS DESIGNEE.
34 c. 1996, NeXT Software, Inc.
38 /* This engine requires no initialization. There is one
39 function to becalled externally, namely elliptic().
64 * Changed to compile with C++.
66 * 'a' argument to elliptic() and ell_even() is now a giant.
68 * Wrapped ENGINEmul() with gmersennemod(127,.) to guarantee no
69 * overflow in the hard-coded mul.
70 * Fixed sign calculation bug in ENGINEmul().
72 * Made conditional on ENGINE_127_BITS.
73 * Made all functions except for elliptic() static.
74 * Renamed some giants function calls via #define.
75 * Deleted use of array of static pseudo-giants.
76 * Cosmetic changes for debuggability.
85 * This file is obsolete as of 8 January 1997.
87 #error Hey! New curveParam-dependent 127-bit elliptic() needed!
88 #warning Using NSA-approved 127-bit security engine...
90 #include "NSGiantIntegers.h"
96 * Size of 127-bit giantstruct n[] array, in shorts.
98 #define SHORTCOUNT (8 * 2)
103 ENGINEmul(giant a
, giant b
) {
104 int a0
,a1
,a2
,a3
,a4
,a5
,a6
,a7
,
105 b0
,b1
,b2
,b3
,b4
,b5
,b6
,b7
;
111 gmersennemod(127, a
);
112 gmersennemod(127, b
);
116 for(j
= abs(asign
); j
< SHORTCOUNT
; j
++) a
->n
[j
] = 0;
117 for(j
= abs(bsign
); j
< SHORTCOUNT
; j
++) b
->n
[j
] = 0;
134 for(j
= 0; j
< SHORTCOUNT
; j
++) b
->n
[j
] = 0;
140 prod
= a0
* mult
+ b
->n
[i
] + car
;
141 b
->n
[i
++] = prod
& DM
;
144 prod
= a1
* mult
+ b
->n
[i
] + car
;
145 b
->n
[i
++] = prod
& DM
;
148 prod
= a2
* mult
+ b
->n
[i
] + car
;
149 b
->n
[i
++] = prod
& DM
;
152 prod
= a3
* mult
+ b
->n
[i
] + car
;
153 b
->n
[i
++] = prod
& DM
;
156 prod
= a4
* mult
+ b
->n
[i
] + car
;
157 b
->n
[i
++] = prod
& DM
;
160 prod
= a5
* mult
+ b
->n
[i
] + car
;
161 b
->n
[i
++] = prod
& DM
;
164 prod
= a6
* mult
+ b
->n
[i
] + car
;
165 b
->n
[i
++] = prod
& DM
;
168 prod
= a7
* mult
+ b
->n
[i
] + car
;
169 b
->n
[i
++] = prod
& DM
;
178 prod
= a0
* mult
+ b
->n
[i
] + car
;
179 b
->n
[i
++] = prod
& DM
;
182 prod
= a1
* mult
+ b
->n
[i
] + car
;
183 b
->n
[i
++] = prod
& DM
;
186 prod
= a2
* mult
+ b
->n
[i
] + car
;
187 b
->n
[i
++] = prod
& DM
;
190 prod
= a3
* mult
+ b
->n
[i
] + car
;
191 b
->n
[i
++] = prod
& DM
;
194 prod
= a4
* mult
+ b
->n
[i
] + car
;
195 b
->n
[i
++] = prod
& DM
;
198 prod
= a5
* mult
+ b
->n
[i
] + car
;
199 b
->n
[i
++] = prod
& DM
;
202 prod
= a6
* mult
+ b
->n
[i
] + car
;
203 b
->n
[i
++] = prod
& DM
;
206 prod
= a7
* mult
+ b
->n
[i
] + car
;
207 b
->n
[i
++] = prod
& DM
;
216 prod
= a0
* mult
+ b
->n
[i
] + car
;
217 b
->n
[i
++] = prod
& DM
;
220 prod
= a1
* mult
+ b
->n
[i
] + car
;
221 b
->n
[i
++] = prod
& DM
;
224 prod
= a2
* mult
+ b
->n
[i
] + car
;
225 b
->n
[i
++] = prod
& DM
;
228 prod
= a3
* mult
+ b
->n
[i
] + car
;
229 b
->n
[i
++] = prod
& DM
;
232 prod
= a4
* mult
+ b
->n
[i
] + car
;
233 b
->n
[i
++] = prod
& DM
;
236 prod
= a5
* mult
+ b
->n
[i
] + car
;
237 b
->n
[i
++] = prod
& DM
;
240 prod
= a6
* mult
+ b
->n
[i
] + car
;
241 b
->n
[i
++] = prod
& DM
;
244 prod
= a7
* mult
+ b
->n
[i
] + car
;
245 b
->n
[i
++] = prod
& DM
;
254 prod
= a0
* mult
+ b
->n
[i
] + car
;
255 b
->n
[i
++] = prod
& DM
;
258 prod
= a1
* mult
+ b
->n
[i
] + car
;
259 b
->n
[i
++] = prod
& DM
;
262 prod
= a2
* mult
+ b
->n
[i
] + car
;
263 b
->n
[i
++] = prod
& DM
;
266 prod
= a3
* mult
+ b
->n
[i
] + car
;
267 b
->n
[i
++] = prod
& DM
;
270 prod
= a4
* mult
+ b
->n
[i
] + car
;
271 b
->n
[i
++] = prod
& DM
;
274 prod
= a5
* mult
+ b
->n
[i
] + car
;
275 b
->n
[i
++] = prod
& DM
;
278 prod
= a6
* mult
+ b
->n
[i
] + car
;
279 b
->n
[i
++] = prod
& DM
;
282 prod
= a7
* mult
+ b
->n
[i
] + car
;
283 b
->n
[i
++] = prod
& DM
;
292 prod
= a0
* mult
+ b
->n
[i
] + car
;
293 b
->n
[i
++] = prod
& DM
;
296 prod
= a1
* mult
+ b
->n
[i
] + car
;
297 b
->n
[i
++] = prod
& DM
;
300 prod
= a2
* mult
+ b
->n
[i
] + car
;
301 b
->n
[i
++] = prod
& DM
;
304 prod
= a3
* mult
+ b
->n
[i
] + car
;
305 b
->n
[i
++] = prod
& DM
;
308 prod
= a4
* mult
+ b
->n
[i
] + car
;
309 b
->n
[i
++] = prod
& DM
;
312 prod
= a5
* mult
+ b
->n
[i
] + car
;
313 b
->n
[i
++] = prod
& DM
;
316 prod
= a6
* mult
+ b
->n
[i
] + car
;
317 b
->n
[i
++] = prod
& DM
;
320 prod
= a7
* mult
+ b
->n
[i
] + car
;
321 b
->n
[i
++] = prod
& DM
;
330 prod
= a0
* mult
+ b
->n
[i
] + car
;
331 b
->n
[i
++] = prod
& DM
;
334 prod
= a1
* mult
+ b
->n
[i
] + car
;
335 b
->n
[i
++] = prod
& DM
;
338 prod
= a2
* mult
+ b
->n
[i
] + car
;
339 b
->n
[i
++] = prod
& DM
;
342 prod
= a3
* mult
+ b
->n
[i
] + car
;
343 b
->n
[i
++] = prod
& DM
;
346 prod
= a4
* mult
+ b
->n
[i
] + car
;
347 b
->n
[i
++] = prod
& DM
;
350 prod
= a5
* mult
+ b
->n
[i
] + car
;
351 b
->n
[i
++] = prod
& DM
;
354 prod
= a6
* mult
+ b
->n
[i
] + car
;
355 b
->n
[i
++] = prod
& DM
;
358 prod
= a7
* mult
+ b
->n
[i
] + car
;
359 b
->n
[i
++] = prod
& DM
;
368 prod
= a0
* mult
+ b
->n
[i
] + car
;
369 b
->n
[i
++] = prod
& DM
;
372 prod
= a1
* mult
+ b
->n
[i
] + car
;
373 b
->n
[i
++] = prod
& DM
;
376 prod
= a2
* mult
+ b
->n
[i
] + car
;
377 b
->n
[i
++] = prod
& DM
;
380 prod
= a3
* mult
+ b
->n
[i
] + car
;
381 b
->n
[i
++] = prod
& DM
;
384 prod
= a4
* mult
+ b
->n
[i
] + car
;
385 b
->n
[i
++] = prod
& DM
;
388 prod
= a5
* mult
+ b
->n
[i
] + car
;
389 b
->n
[i
++] = prod
& DM
;
392 prod
= a6
* mult
+ b
->n
[i
] + car
;
393 b
->n
[i
++] = prod
& DM
;
396 prod
= a7
* mult
+ b
->n
[i
] + car
;
397 b
->n
[i
++] = prod
& DM
;
406 prod
= a0
* mult
+ b
->n
[i
] + car
;
407 b
->n
[i
++] = prod
& DM
;
410 prod
= a1
* mult
+ b
->n
[i
] + car
;
411 b
->n
[i
++] = prod
& DM
;
414 prod
= a2
* mult
+ b
->n
[i
] + car
;
415 b
->n
[i
++] = prod
& DM
;
418 prod
= a3
* mult
+ b
->n
[i
] + car
;
419 b
->n
[i
++] = prod
& DM
;
422 prod
= a4
* mult
+ b
->n
[i
] + car
;
423 b
->n
[i
++] = prod
& DM
;
426 prod
= a5
* mult
+ b
->n
[i
] + car
;
427 b
->n
[i
++] = prod
& DM
;
430 prod
= a6
* mult
+ b
->n
[i
] + car
;
431 b
->n
[i
++] = prod
& DM
;
434 prod
= a7
* mult
+ b
->n
[i
] + car
;
435 b
->n
[i
++] = prod
& DM
;
439 b
->sign
= abs(b
->sign
) + abs(a
->sign
);
440 for(j
= (b
->sign
)-1; j
>= 0; j
--) {
450 ell_even(giant x1
, giant z1
, giant x2
, giant z2
, giant a
, int q
)
454 t1
= borrowGiant(BORROW_SIZE
);
455 t2
= borrowGiant(BORROW_SIZE
);
456 t3
= borrowGiant(BORROW_SIZE
);
458 gtog(x1
, t1
); gsquare(t1
); gmersennemod(q
, t1
);
459 gtog(z1
, t2
); gsquare(t2
); gmersennemod(q
, t2
);
460 gtog(x1
, t3
); ENGINEmul(z1
, t3
);
461 gtog(t1
, x2
); subg(t2
, x2
); gsquare(x2
); gmersennemod(q
, x2
);
464 addg(t1
, z2
); addg(t2
, z2
); ENGINEmul(t3
, z2
);
474 ell_odd(giant x1
, giant z1
, giant x2
, giant z2
, giant
xor, giant zor
, int q
)
478 t1
= borrowGiant(BORROW_SIZE
);
479 t2
= borrowGiant(BORROW_SIZE
);
480 t3
= borrowGiant(BORROW_SIZE
);
482 gtog(x1
, t1
); subg(z1
, t1
);
483 gtog(x2
, t2
); addg(z2
, t2
);
485 gtog(x1
, t1
); addg(z1
, t1
);
486 gtog(x2
, t3
); subg(z2
, t3
);
488 gtog(t2
, x2
); addg(t1
, x2
);
489 gsquare(x2
); gmersennemod(q
, x2
); //?
490 gtog(t2
, z2
); subg(t1
, z2
);
491 gsquare(z2
); gmersennemod(q
, z2
); //?
500 /* Elliptic multiply.
501 For given curve parameter a and given prime p = 2^q-1,
502 the point (xx,zz) becomes k * (xx,zz), in place.
505 elliptic(giant xx
, giant zz
, giant k
, giant a
, int q
)
507 int len
= bitlen(k
), pos
= len
-2;
513 if(scompg(1,k
)) return;
515 ell_even(xx
, zz
, xx
, zz
, a
, q
);
519 zs
= borrowGiant(BORROW_SIZE
);
520 xs
= borrowGiant(BORROW_SIZE
);
521 zorg
= borrowGiant(BORROW_SIZE
);
522 xorg
= borrowGiant(BORROW_SIZE
);
524 gtog(xx
, xorg
); gtog(zz
, zorg
);
525 ell_even(xx
, zz
, xs
, zs
, a
, q
);
527 if(bitval(k
, pos
--)) {
528 ell_odd(xs
, zs
, xx
, zz
, xorg
, zorg
, q
);
529 ell_even(xs
, zs
, xs
, zs
, a
, q
);
531 ell_odd(xx
, zz
, xs
, zs
, xorg
, zorg
, q
);
532 ell_even(xx
, zz
, xx
, zz
, a
, q
);
542 #endif /* ENGINE_127_BITS */
projects / apple / security.git / blob