The Tor Browser / file revision

 ***** BEGIN LICENSE BLOCK *****

 Version: MPL 1.1/GPL 2.0/LGPL 2.1

 The contents of this file are subject to the Mozilla Public License Version

 1.1 (the "License"); you may not use this file except in compliance with

 the License. You may obtain a copy of the License at

 http://www.mozilla.org/MPL/

 Software distributed under the License is distributed on an "AS IS" basis,

 WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License

 for the specific language governing rights and limitations under the

 License.

 The Original Code is the elliptic curve math library.

 The Initial Developer of the Original Code is Sun Microsystems, Inc.

 Portions created by Sun Microsystems, Inc. are Copyright (C) 2003

 Sun Microsystems, Inc. All Rights Reserved.

 Contributor(s):

     Stephen Fung <fungstep@hotmail.com> and

     Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories

 Alternatively, the contents of this file may be used under the terms of

 either the GNU General Public License Version 2 or later (the "GPL"), or

 the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),

 in which case the provisions of the GPL or the LGPL are applicable instead

 of those above. If you wish to allow use of your version of this file only

 under the terms of either the GPL or the LGPL, and not to allow others to

 use your version of this file under the terms of the MPL, indicate your

 decision by deleting the provisions above and replace them with the notice

 and other provisions required by the GPL or the LGPL. If you do not delete

 the provisions above, a recipient may use your version of this file under

 the terms of any one of the MPL, the GPL or the LGPL.

 ***** END LICENSE BLOCK *****

 The ECL exposes routines for constructing and converting curve

 parameters for internal use.

 HEADER FILES

 ============

 ecl-exp.h - Exports data structures and curve names. For use by code

 that does not have access to mp_ints.

 ecl-curve.h - Provides hex encodings (in the form of ECCurveParams

 structs) of standardizes elliptic curve domain parameters and mappings

 from ECCurveName to ECCurveParams. For use by code that does not have

 access to mp_ints.

 ecl.h - Interface to constructors for curve parameters and group object,

 and point multiplication operations. Used by higher level algorithms

 (like ECDH and ECDSA) to actually perform elliptic curve cryptography.

 ecl-priv.h - Data structures and functions for internal use within the

 library.

 ec2.h - Internal header file that contains all functions for point

 arithmetic over binary polynomial fields.

 ecp.h - Internal header file that contains all functions for point

 arithmetic over prime fields.

 DATA STRUCTURES AND TYPES

 =========================

 ECCurveName (from ecl-exp.h) - Opaque name for standardized elliptic

 curve domain parameters.

 ECCurveParams (from ecl-exp.h) - Provides hexadecimal encoding

 of elliptic curve domain parameters. Can be generated by a user

 and passed to ECGroup_fromHex or can be generated from a name by

 EC_GetNamedCurveParams. ecl-curve.h contains ECCurveParams structs for

 the standardized curves defined by ECCurveName.

 ECGroup (from ecl.h and ecl-priv.h) - Opaque data structure that

 represents a group of elliptic curve points for a particular set of

 elliptic curve domain parameters. Contains all domain parameters (curve

 a and b, field, base point) as well as pointers to the functions that

 should be used for point arithmetic and the underlying field GFMethod.

 Generated by either ECGroup_fromHex or ECGroup_fromName.

 GFMethod (from ecl-priv.h) - Represents a field underlying a set of

 elliptic curve domain parameters. Contains the irreducible that defines

 the field (either the prime or the binary polynomial) as well as

 pointers to the functions that should be used for field arithmetic.

 ARITHMETIC FUNCTIONS

 ====================

 Higher-level algorithms (like ECDH and ECDSA) should call ECPoint_mul

 or ECPoints_mul (from ecl.h) to do point arithmetic. These functions

 will choose which underlying algorithms to use, based on the ECGroup

 structure.

 Point Multiplication

 --------------------

 ecl_mult.c provides the ECPoints_mul and ECPoint_mul wrappers.

 It also provides two implementations for the pts_mul operation -

 ec_pts_mul_basic (which computes kP, lQ, and then adds kP + lQ) and

 ec_pts_mul_simul_w2 (which does a simultaneous point multiplication

 using a table with window size 2*2).

 ec_naf.c provides an implementation of an algorithm to calculate a

 non-adjacent form of a scalar, minimizing the number of point

 additions that need to be done in a point multiplication.

 Point Arithmetic over Prime Fields

 ----------------------------------

 ecp_aff.c provides point arithmetic using affine coordinates.

 ecp_jac.c provides point arithmetic using Jacobian projective

 coordinates and mixed Jacobian-affine coordinates. (Jacobian projective

 coordinates represent a point (x, y) as (X, Y, Z), where x=X/Z^2,

 y=Y/Z^3).

 ecp_jm.c provides point arithmetic using Modified Jacobian

 coordinates and mixed Modified_Jacobian-affine coordinates.

 (Modified Jacobian coordinates represent a point (x, y)

 as (X, Y, Z, a*Z^4), where x=X/Z^2, y=Y/Z^3, and a is

 the linear coefficient in the curve defining equation).

 ecp_192.c and ecp_224.c provide optimized field arithmetic.

 Point Arithmetic over Binary Polynomial Fields

 ----------------------------------------------

 ec2_aff.c provides point arithmetic using affine coordinates.

 ec2_proj.c provides point arithmetic using projective coordinates.

 (Projective coordinates represent a point (x, y) as (X, Y, Z), where

 x=X/Z, y=Y/Z^2).

 ec2_mont.c provides point multiplication using Montgomery projective

 coordinates.

 ec2_163.c, ec2_193.c, and ec2_233.c provide optimized field arithmetic.

 Field Arithmetic

 ----------------

 ecl_gf.c provides constructors for field objects (GFMethod) with the

 functions GFMethod_cons*. It also provides wrappers around the basic

 field operations.

 Prime Field Arithmetic

 ----------------------

 The mpi library provides the basic prime field arithmetic.

 ecp_mont.c provides wrappers around the Montgomery multiplication

 functions from the mpi library and adds encoding and decoding functions.

 It also provides the function to construct a GFMethod object using

 Montgomery multiplication.

 ecp_192.c and ecp_224.c provide optimized modular reduction for the

 fields defined by nistp192 and nistp224 primes.

 ecl_gf.c provides wrappers around the basic field operations.

 Binary Polynomial Field Arithmetic

 ----------------------------------

 ../mpi/mp_gf2m.c provides basic binary polynomial field arithmetic,

 including addition, multiplication, squaring, mod, and division, as well

 as conversion ob polynomial representations between bitstring and int[].

 ec2_163.c, ec2_193.c, and ec2_233.c provide optimized field mod, mul,

 and sqr operations.

 ecl_gf.c provides wrappers around the basic field operations.

 Field Encoding

 --------------

 By default, field elements are encoded in their basic form. It is

 possible to use an alternative encoding, however. For example, it is

 possible to Montgomery representation of prime field elements and

 take advantage of the fast modular multiplication that Montgomery

 representation provides. The process of converting from basic form to

 Montgomery representation is called field encoding, and the opposite

 process would be field decoding. All internal point operations assume

 that the operands are field encoded as appropriate. By rewiring the

 underlying field arithmetic to perform operations on these encoded

 values, the same overlying point arithmetic operations can be used

 regardless of field representation.

 ALGORITHM WIRING

 ================

 The EC library allows point and field arithmetic algorithms to be

 substituted ("wired-in") on a fine-grained basis. This allows for

 generic algorithms and algorithms that are optimized for a particular

 curve, field, or architecture, to coexist and to be automatically

 selected at runtime.

 Wiring Mechanism

 ----------------

 The ECGroup and GFMethod structure contain pointers to the point and

 field arithmetic functions, respectively, that are to be used in

 operations.

 The selection of algorithms to use is handled in the function

 ecgroup_fromNameAndHex in ecl.c.

 Default Wiring

 --------------

 Curves over prime fields by default use montgomery field arithmetic,

 point multiplication using 5-bit window non-adjacent-form with 

 Modified Jacobian coordinates, and 2*2-bit simultaneous point 

 multiplication using Jacobian coordinates.

 (Wiring in function ECGroup_consGFp_mont in ecl.c.)

 Curves over prime fields that have optimized modular reduction (i.e.,

 secp160r1, nistp192, and nistp224) do not use Montgomery field

 arithmetic. Instead, they use basic field arithmetic with their

 optimized reduction (as in ecp_192.c and ecp_224.c). They

 use the same point multiplication and simultaneous point multiplication

 algorithms as other curves over prime fields.

 Curves over binary polynomial fields by default use generic field

 arithmetic with montgomery point multiplication and basic kP + lQ

 computation (multiply, multiply, and add). (Wiring in function

 ECGroup_cons_GF2m in ecl.c.)

 Curves over binary polynomial fields that have optimized field

 arithmetic (i.e., any 163-, 193, or 233-bit field) use their optimized

 field arithmetic. They use the same point multiplication and

 simultaneous point multiplication algorithms as other curves over binary

 fields.

 Example

 -------

 We provide an example for plugging in an optimized implementation for

 the Koblitz curve nistk163.

 Suppose the file ec2_k163.c contains the optimized implementation. In

 particular it contains a point multiplication function:

 	mp_err ec_GF2m_nistk163_pt_mul(const mp_int *n, const mp_int *px, 

 		const mp_int *py, mp_int *rx, mp_int *ry, const ECGroup *group);

 Since only a pt_mul function is provided, the generic pt_add function

 will be used.

 There are two options for handling the optimized field arithmetic used

 by the ..._pt_mul function. Say the optimized field arithmetic includes

 the following functions:

 	mp_err ec_GF2m_nistk163_add(const mp_int *a, const mp_int *b,

 		mp_int *r, const GFMethod *meth);

 	mp_err ec_GF2m_nistk163_mul(const mp_int *a, const mp_int *b,

 		mp_int *r, const GFMethod *meth);

 	mp_err ec_GF2m_nistk163_sqr(const mp_int *a, const mp_int *b,

 		mp_int *r, const GFMethod *meth);

 	mp_err ec_GF2m_nistk163_div(const mp_int *a, const mp_int *b,

 		mp_int *r, const GFMethod *meth);

 First, the optimized field arithmetic could simply be called directly

 by the ..._pt_mul function. This would be accomplished by changing

 the ecgroup_fromNameAndHex function in ecl.c to include the following

 statements:

 	if (name == ECCurve_NIST_K163) {

 		group = ECGroup_consGF2m(&irr, NULL, &curvea, &curveb, &genx,

 			&geny, &order, params->cofactor);

 		if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }

 		MP_CHECKOK( ec_group_set_nistk163(group) );

 	}

 and including in ec2_k163.c the following function:

 	mp_err ec_group_set_nistk163(ECGroup *group) {

 		group->point_mul = &ec_GF2m_nistk163_pt_mul;

 		return MP_OKAY;

 	}

 As a result, ec_GF2m_pt_add and similar functions would use the

 basic binary polynomial field arithmetic ec_GF2m_add, ec_GF2m_mul,

 ec_GF2m_sqr, and ec_GF2m_div.

 Alternatively, the optimized field arithmetic could be wired into the

 group's GFMethod. This would be accomplished by putting the following

 function in ec2_k163.c:

 	mp_err ec_group_set_nistk163(ECGroup *group) {

 		group->meth->field_add = &ec_GF2m_nistk163_add;

 		group->meth->field_mul = &ec_GF2m_nistk163_mul;

 		group->meth->field_sqr = &ec_GF2m_nistk163_sqr;

 		group->meth->field_div = &ec_GF2m_nistk163_div;

 		group->point_mul = &ec_GF2m_nistk163_pt_mul;

 		return MP_OKAY;

 	}

 For an example of functions that use special field encodings, take a

 look at ecp_mont.c.

 TESTING

 =======

 The ecl/tests directory contains a collection of standalone tests that

 verify the correctness of the elliptic curve library.

 Both ecp_test and ec2_test take the following arguments:

 	--print     Print out results of each point arithmetic test.

 	--time      Benchmark point operations and print results.

 The set of curves over which ecp_test and ec2_test run is coded into the

 program, but can be changed by editing the source files.

 BUILDING

 ========

 The ecl can be built as a standalone library, separate from NSS,

 dependent only on the mpi library. To build the library:

 	> cd ../mpi

 	> make libs

 	> cd ../ecl

 	> make libs

 	> make tests # to build test files

 	> make test  # to run automated tests