1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/lib/freebl/ecl/ecl-priv.h Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,249 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +
1.8 +#ifndef __ecl_priv_h_
1.9 +#define __ecl_priv_h_
1.10 +
1.11 +#include "ecl.h"
1.12 +#include "mpi.h"
1.13 +#include "mplogic.h"
1.14 +
1.15 +/* MAX_FIELD_SIZE_DIGITS is the maximum size of field element supported */
1.16 +/* the following needs to go away... */
1.17 +#if defined(MP_USE_LONG_LONG_DIGIT) || defined(MP_USE_LONG_DIGIT)
1.18 +#define ECL_SIXTY_FOUR_BIT
1.19 +#else
1.20 +#define ECL_THIRTY_TWO_BIT
1.21 +#endif
1.22 +
1.23 +#define ECL_CURVE_DIGITS(curve_size_in_bits) \
1.24 + (((curve_size_in_bits)+(sizeof(mp_digit)*8-1))/(sizeof(mp_digit)*8))
1.25 +#define ECL_BITS (sizeof(mp_digit)*8)
1.26 +#define ECL_MAX_FIELD_SIZE_DIGITS (80/sizeof(mp_digit))
1.27 +
1.28 +/* Gets the i'th bit in the binary representation of a. If i >= length(a),
1.29 + * then return 0. (The above behaviour differs from mpl_get_bit, which
1.30 + * causes an error if i >= length(a).) */
1.31 +#define MP_GET_BIT(a, i) \
1.32 + ((i) >= mpl_significant_bits((a))) ? 0 : mpl_get_bit((a), (i))
1.33 +
1.34 +#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
1.35 +#define MP_ADD_CARRY(a1, a2, s, cin, cout) \
1.36 + { mp_word w; \
1.37 + w = ((mp_word)(cin)) + (a1) + (a2); \
1.38 + s = ACCUM(w); \
1.39 + cout = CARRYOUT(w); }
1.40 +
1.41 +#define MP_SUB_BORROW(a1, a2, s, bin, bout) \
1.42 + { mp_word w; \
1.43 + w = ((mp_word)(a1)) - (a2) - (bin); \
1.44 + s = ACCUM(w); \
1.45 + bout = (w >> MP_DIGIT_BIT) & 1; }
1.46 +
1.47 +#else
1.48 +/* NOTE,
1.49 + * cin and cout could be the same variable.
1.50 + * bin and bout could be the same variable.
1.51 + * a1 or a2 and s could be the same variable.
1.52 + * don't trash those outputs until their respective inputs have
1.53 + * been read. */
1.54 +#define MP_ADD_CARRY(a1, a2, s, cin, cout) \
1.55 + { mp_digit tmp,sum; \
1.56 + tmp = (a1); \
1.57 + sum = tmp + (a2); \
1.58 + tmp = (sum < tmp); /* detect overflow */ \
1.59 + s = sum += (cin); \
1.60 + cout = tmp + (sum < (cin)); }
1.61 +
1.62 +#define MP_SUB_BORROW(a1, a2, s, bin, bout) \
1.63 + { mp_digit tmp; \
1.64 + tmp = (a1); \
1.65 + s = tmp - (a2); \
1.66 + tmp = (s > tmp); /* detect borrow */ \
1.67 + if ((bin) && !s--) tmp++; \
1.68 + bout = tmp; }
1.69 +#endif
1.70 +
1.71 +
1.72 +struct GFMethodStr;
1.73 +typedef struct GFMethodStr GFMethod;
1.74 +struct GFMethodStr {
1.75 + /* Indicates whether the structure was constructed from dynamic memory
1.76 + * or statically created. */
1.77 + int constructed;
1.78 + /* Irreducible that defines the field. For prime fields, this is the
1.79 + * prime p. For binary polynomial fields, this is the bitstring
1.80 + * representation of the irreducible polynomial. */
1.81 + mp_int irr;
1.82 + /* For prime fields, the value irr_arr[0] is the number of bits in the
1.83 + * field. For binary polynomial fields, the irreducible polynomial
1.84 + * f(t) is represented as an array of unsigned int[], where f(t) is
1.85 + * of the form: f(t) = t^p[0] + t^p[1] + ... + t^p[4] where m = p[0]
1.86 + * > p[1] > ... > p[4] = 0. */
1.87 + unsigned int irr_arr[5];
1.88 + /* Field arithmetic methods. All methods (except field_enc and
1.89 + * field_dec) are assumed to take field-encoded parameters and return
1.90 + * field-encoded values. All methods (except field_enc and field_dec)
1.91 + * are required to be implemented. */
1.92 + mp_err (*field_add) (const mp_int *a, const mp_int *b, mp_int *r,
1.93 + const GFMethod *meth);
1.94 + mp_err (*field_neg) (const mp_int *a, mp_int *r, const GFMethod *meth);
1.95 + mp_err (*field_sub) (const mp_int *a, const mp_int *b, mp_int *r,
1.96 + const GFMethod *meth);
1.97 + mp_err (*field_mod) (const mp_int *a, mp_int *r, const GFMethod *meth);
1.98 + mp_err (*field_mul) (const mp_int *a, const mp_int *b, mp_int *r,
1.99 + const GFMethod *meth);
1.100 + mp_err (*field_sqr) (const mp_int *a, mp_int *r, const GFMethod *meth);
1.101 + mp_err (*field_div) (const mp_int *a, const mp_int *b, mp_int *r,
1.102 + const GFMethod *meth);
1.103 + mp_err (*field_enc) (const mp_int *a, mp_int *r, const GFMethod *meth);
1.104 + mp_err (*field_dec) (const mp_int *a, mp_int *r, const GFMethod *meth);
1.105 + /* Extra storage for implementation-specific data. Any memory
1.106 + * allocated to these extra fields will be cleared by extra_free. */
1.107 + void *extra1;
1.108 + void *extra2;
1.109 + void (*extra_free) (GFMethod *meth);
1.110 +};
1.111 +
1.112 +/* Construct generic GFMethods. */
1.113 +GFMethod *GFMethod_consGFp(const mp_int *irr);
1.114 +GFMethod *GFMethod_consGFp_mont(const mp_int *irr);
1.115 +GFMethod *GFMethod_consGF2m(const mp_int *irr,
1.116 + const unsigned int irr_arr[5]);
1.117 +/* Free the memory allocated (if any) to a GFMethod object. */
1.118 +void GFMethod_free(GFMethod *meth);
1.119 +
1.120 +struct ECGroupStr {
1.121 + /* Indicates whether the structure was constructed from dynamic memory
1.122 + * or statically created. */
1.123 + int constructed;
1.124 + /* Field definition and arithmetic. */
1.125 + GFMethod *meth;
1.126 + /* Textual representation of curve name, if any. */
1.127 + char *text;
1.128 + /* Curve parameters, field-encoded. */
1.129 + mp_int curvea, curveb;
1.130 + /* x and y coordinates of the base point, field-encoded. */
1.131 + mp_int genx, geny;
1.132 + /* Order and cofactor of the base point. */
1.133 + mp_int order;
1.134 + int cofactor;
1.135 + /* Point arithmetic methods. All methods are assumed to take
1.136 + * field-encoded parameters and return field-encoded values. All
1.137 + * methods (except base_point_mul and points_mul) are required to be
1.138 + * implemented. */
1.139 + mp_err (*point_add) (const mp_int *px, const mp_int *py,
1.140 + const mp_int *qx, const mp_int *qy, mp_int *rx,
1.141 + mp_int *ry, const ECGroup *group);
1.142 + mp_err (*point_sub) (const mp_int *px, const mp_int *py,
1.143 + const mp_int *qx, const mp_int *qy, mp_int *rx,
1.144 + mp_int *ry, const ECGroup *group);
1.145 + mp_err (*point_dbl) (const mp_int *px, const mp_int *py, mp_int *rx,
1.146 + mp_int *ry, const ECGroup *group);
1.147 + mp_err (*point_mul) (const mp_int *n, const mp_int *px,
1.148 + const mp_int *py, mp_int *rx, mp_int *ry,
1.149 + const ECGroup *group);
1.150 + mp_err (*base_point_mul) (const mp_int *n, mp_int *rx, mp_int *ry,
1.151 + const ECGroup *group);
1.152 + mp_err (*points_mul) (const mp_int *k1, const mp_int *k2,
1.153 + const mp_int *px, const mp_int *py, mp_int *rx,
1.154 + mp_int *ry, const ECGroup *group);
1.155 + mp_err (*validate_point) (const mp_int *px, const mp_int *py, const ECGroup *group);
1.156 + /* Extra storage for implementation-specific data. Any memory
1.157 + * allocated to these extra fields will be cleared by extra_free. */
1.158 + void *extra1;
1.159 + void *extra2;
1.160 + void (*extra_free) (ECGroup *group);
1.161 +};
1.162 +
1.163 +/* Wrapper functions for generic prime field arithmetic. */
1.164 +mp_err ec_GFp_add(const mp_int *a, const mp_int *b, mp_int *r,
1.165 + const GFMethod *meth);
1.166 +mp_err ec_GFp_neg(const mp_int *a, mp_int *r, const GFMethod *meth);
1.167 +mp_err ec_GFp_sub(const mp_int *a, const mp_int *b, mp_int *r,
1.168 + const GFMethod *meth);
1.169 +
1.170 +/* fixed length in-line adds. Count is in words */
1.171 +mp_err ec_GFp_add_3(const mp_int *a, const mp_int *b, mp_int *r,
1.172 + const GFMethod *meth);
1.173 +mp_err ec_GFp_add_4(const mp_int *a, const mp_int *b, mp_int *r,
1.174 + const GFMethod *meth);
1.175 +mp_err ec_GFp_add_5(const mp_int *a, const mp_int *b, mp_int *r,
1.176 + const GFMethod *meth);
1.177 +mp_err ec_GFp_add_6(const mp_int *a, const mp_int *b, mp_int *r,
1.178 + const GFMethod *meth);
1.179 +mp_err ec_GFp_sub_3(const mp_int *a, const mp_int *b, mp_int *r,
1.180 + const GFMethod *meth);
1.181 +mp_err ec_GFp_sub_4(const mp_int *a, const mp_int *b, mp_int *r,
1.182 + const GFMethod *meth);
1.183 +mp_err ec_GFp_sub_5(const mp_int *a, const mp_int *b, mp_int *r,
1.184 + const GFMethod *meth);
1.185 +mp_err ec_GFp_sub_6(const mp_int *a, const mp_int *b, mp_int *r,
1.186 + const GFMethod *meth);
1.187 +
1.188 +mp_err ec_GFp_mod(const mp_int *a, mp_int *r, const GFMethod *meth);
1.189 +mp_err ec_GFp_mul(const mp_int *a, const mp_int *b, mp_int *r,
1.190 + const GFMethod *meth);
1.191 +mp_err ec_GFp_sqr(const mp_int *a, mp_int *r, const GFMethod *meth);
1.192 +mp_err ec_GFp_div(const mp_int *a, const mp_int *b, mp_int *r,
1.193 + const GFMethod *meth);
1.194 +/* Wrapper functions for generic binary polynomial field arithmetic. */
1.195 +mp_err ec_GF2m_add(const mp_int *a, const mp_int *b, mp_int *r,
1.196 + const GFMethod *meth);
1.197 +mp_err ec_GF2m_neg(const mp_int *a, mp_int *r, const GFMethod *meth);
1.198 +mp_err ec_GF2m_mod(const mp_int *a, mp_int *r, const GFMethod *meth);
1.199 +mp_err ec_GF2m_mul(const mp_int *a, const mp_int *b, mp_int *r,
1.200 + const GFMethod *meth);
1.201 +mp_err ec_GF2m_sqr(const mp_int *a, mp_int *r, const GFMethod *meth);
1.202 +mp_err ec_GF2m_div(const mp_int *a, const mp_int *b, mp_int *r,
1.203 + const GFMethod *meth);
1.204 +
1.205 +/* Montgomery prime field arithmetic. */
1.206 +mp_err ec_GFp_mul_mont(const mp_int *a, const mp_int *b, mp_int *r,
1.207 + const GFMethod *meth);
1.208 +mp_err ec_GFp_sqr_mont(const mp_int *a, mp_int *r, const GFMethod *meth);
1.209 +mp_err ec_GFp_div_mont(const mp_int *a, const mp_int *b, mp_int *r,
1.210 + const GFMethod *meth);
1.211 +mp_err ec_GFp_enc_mont(const mp_int *a, mp_int *r, const GFMethod *meth);
1.212 +mp_err ec_GFp_dec_mont(const mp_int *a, mp_int *r, const GFMethod *meth);
1.213 +void ec_GFp_extra_free_mont(GFMethod *meth);
1.214 +
1.215 +/* point multiplication */
1.216 +mp_err ec_pts_mul_basic(const mp_int *k1, const mp_int *k2,
1.217 + const mp_int *px, const mp_int *py, mp_int *rx,
1.218 + mp_int *ry, const ECGroup *group);
1.219 +mp_err ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2,
1.220 + const mp_int *px, const mp_int *py, mp_int *rx,
1.221 + mp_int *ry, const ECGroup *group);
1.222 +
1.223 +/* Computes the windowed non-adjacent-form (NAF) of a scalar. Out should
1.224 + * be an array of signed char's to output to, bitsize should be the number
1.225 + * of bits of out, in is the original scalar, and w is the window size.
1.226 + * NAF is discussed in the paper: D. Hankerson, J. Hernandez and A.
1.227 + * Menezes, "Software implementation of elliptic curve cryptography over
1.228 + * binary fields", Proc. CHES 2000. */
1.229 +mp_err ec_compute_wNAF(signed char *out, int bitsize, const mp_int *in,
1.230 + int w);
1.231 +
1.232 +/* Optimized field arithmetic */
1.233 +mp_err ec_group_set_gfp192(ECGroup *group, ECCurveName);
1.234 +mp_err ec_group_set_gfp224(ECGroup *group, ECCurveName);
1.235 +mp_err ec_group_set_gfp256(ECGroup *group, ECCurveName);
1.236 +mp_err ec_group_set_gfp384(ECGroup *group, ECCurveName);
1.237 +mp_err ec_group_set_gfp521(ECGroup *group, ECCurveName);
1.238 +mp_err ec_group_set_gf2m163(ECGroup *group, ECCurveName name);
1.239 +mp_err ec_group_set_gf2m193(ECGroup *group, ECCurveName name);
1.240 +mp_err ec_group_set_gf2m233(ECGroup *group, ECCurveName name);
1.241 +
1.242 +/* Optimized point multiplication */
1.243 +mp_err ec_group_set_gfp256_32(ECGroup *group, ECCurveName name);
1.244 +
1.245 +/* Optimized floating-point arithmetic */
1.246 +#ifdef ECL_USE_FP
1.247 +mp_err ec_group_set_secp160r1_fp(ECGroup *group);
1.248 +mp_err ec_group_set_nistp192_fp(ECGroup *group);
1.249 +mp_err ec_group_set_nistp224_fp(ECGroup *group);
1.250 +#endif
1.251 +
1.252 +#endif /* __ecl_priv_h_ */
