2014-09-17 Niels Möller <nisse@lysator.liu.se>
+ * testsuite/ecdh-test.c (test_main): Update curve25519 test to use
+ Edwards coordinates.
+ * testsuite/ecdsa-sign-test.c (test_main): Likewise.
+ * testsuite/ecdsa-verify-test.c (test_main): Likewise.
+
+ * ecc-point.c (ecc_point_set): Use Edwards rather than Montgomery
+ curve.
+
+ * ecc-mul-a-eh.c (ecc_mul_a_eh, table_init): Take an Edwards point
+ as input, not a Montgomery point. Hence, use ecc_a_to_j, not
+ ecc_a_to_eh.
+
+ * ecc-eh-to-a.c (ecc_eh_to_a): Just convert to affine coordinates,
+ don't transform from Edwards to Montgomery form. Also reduces
+ scratch need slightly.
+ * ecc-internal.h (ECC_EH_TO_A_ITCH): Reduced.
+
* ecdsa-keygen.c (ecdsa_generate_keypair): Use struct ecc_curve
function pointers.
mp_size_t
ecc_eh_to_a_itch (const struct ecc_curve *ecc)
{
- /* Needs 2*ecc->size + scratch for ecc_modq_inv */
+ /* Needs ecc->size + scratch for ecc_modq_inv */
return ECC_EH_TO_A_ITCH (ecc->size);
}
/* Convert from homogeneous coordinates on the Edwards curve to affine
- coordinates on the corresponding Montgomery curve. */
+ coordinates. */
void
ecc_eh_to_a (const struct ecc_curve *ecc,
int op,
mp_limb_t *scratch)
{
#define izp scratch
-#define sp (scratch + ecc->size)
-#define tp (scratch + 2*ecc->size)
+#define tp (scratch + ecc->size)
-#define xp r
-#define yp (r + ecc->size)
-#define up p
-#define vp (p + ecc->size)
-#define wp (p + 2*ecc->size)
- /* x = (1+v)/(1-v), y = t x / u (with t = sqrt(b+2))
- In homogeneous coordinates,
-
- X = (W + V) U
- Y = t (W + V) W
- Z = (W - V) U
- */
- /* FIXME: Simplify for common case that only x-coordinate is wanted. */
+#define xp p
+#define yp (p + ecc->size)
+#define zp (p + 2*ecc->size)
mp_limb_t cy;
- /* NOTE: For the infinity point, this subtraction gives zero (mod
- p), which isn't invertible. For curve25519, the desired output is
- x = 0, and we should be fine, since ecc_modp_inv returns 0
- in this case. */
- ecc_modp_sub (ecc, izp, wp, vp);
- ecc_modp_mul (ecc, izp + ecc->size, izp, up);
+ mpn_copyi (tp, zp, ecc->size);
/* Needs 3*size scratch */
- ecc_modp_inv (ecc, izp, izp + ecc->size, izp + 2*ecc->size);
+ ecc_modp_inv (ecc, izp, tp, tp + ecc->size);
- ecc_modp_add (ecc, sp, wp, vp);
- ecc_modp_mul (ecc, tp, sp, up);
- mpn_copyi (sp, tp, ecc->size); /* FIXME: Eliminate copy */
- ecc_modp_mul (ecc, tp, sp, izp);
- cy = mpn_sub_n (xp, tp, ecc->p, ecc->size);
- cnd_copy (cy, xp, tp, ecc->size);
+ ecc_modp_mul (ecc, tp, xp, izp);
+ cy = mpn_sub_n (r, tp, ecc->p, ecc->size);
+ cnd_copy (cy, r, tp, ecc->size);
if (op)
{
if (op > 1)
{
/* Reduce modulo q. FIXME: Hardcoded for curve25519,
- duplicates end of ecc_25519_modq. */
+ duplicates end of ecc_25519_modq. FIXME: Is this needed
+ at all? Full reduction mod p is maybe sufficient. */
mp_limb_t cy;
unsigned shift;
assert (ecc->bit_size == 255);
shift = 252 - GMP_NUMB_BITS * (ecc->size - 1);
- cy = mpn_submul_1 (xp, ecc->q, ecc->size,
- xp[ecc->size-1] >> shift);
+ cy = mpn_submul_1 (r, ecc->q, ecc->size,
+ r[ecc->size-1] >> shift);
assert (cy < 2);
- cnd_add_n (cy, xp, ecc->q, ecc->size);
+ cnd_add_n (cy, r, ecc->q, ecc->size);
}
return;
}
- ecc_modp_add (ecc, sp, wp, vp); /* FIXME: Redundant. Also the (W +
- V) Z^-1 multiplication is
- redundant. */
- ecc_modp_mul (ecc, tp, sp, wp);
- mpn_copyi (sp, tp, ecc->size); /* FIXME: Eliminate copy */
- ecc_modp_mul (ecc, tp, sp, ecc->edwards_root);
- mpn_copyi (sp, tp, ecc->size); /* FIXME: Eliminate copy */
- ecc_modp_mul (ecc, tp, sp, izp);
- cy = mpn_sub_n (yp, tp, ecc->p, ecc->size);
- cnd_copy (cy, yp, tp, ecc->size);
+ ecc_modp_mul (ecc, tp, yp, izp);
+ cy = mpn_sub_n (r + ecc->size, tp, ecc->p, ecc->size);
+ cnd_copy (cy, r + ecc->size, tp, ecc->size);
}
/* Current scratch needs: */
#define ECC_MODINV_ITCH(size) (3*(size))
#define ECC_J_TO_A_ITCH(size) (5*(size))
-#define ECC_EH_TO_A_ITCH(size) (5*(size))
+#define ECC_EH_TO_A_ITCH(size) (4*(size))
#define ECC_A_TO_EH_ITCH(size) (2*(size))
#define ECC_DUP_JJ_ITCH(size) (5*(size))
#define ECC_DUP_EH_ITCH(size) (5*(size))
unsigned i;
- ecc_a_to_eh (ecc, pe, p, pe + 3*ecc->size);
+ ecc_a_to_j (ecc, pe, p);
/* x = 0, y = 1, z = 1 */
mpn_zero (r, 3*ecc->size);
mpn_zero (TABLE(0), 3*ecc->size);
TABLE(0)[ecc->size] = TABLE(0)[2*ecc->size] = 1;
- ecc_a_to_eh (ecc, TABLE(1), p, scratch);
+ ecc_a_to_j (ecc, TABLE(1), p);
for (j = 2; j < size; j += 2)
{
/* ecc-point.c
- Copyright (C) 2013 Niels Möller
+ Copyright (C) 2013, 2014 Niels Möller
This file is part of GNU Nettle.
mpz_init (lhs);
mpz_init (rhs);
+ mpz_mul (lhs, y, y);
+
if (p->ecc->bit_size == 255)
{
- /* curve25519 special case. FIXME: Do in some cleaner way? */
-
- /* Check that y^2 = x^3 + 486662 x^2 + x (mod p)*/
- mpz_mul (lhs, x, x); /* Reuse lhs as a temporary */
- mpz_add_ui (rhs, x, 486662);
- mpz_mul (rhs, rhs, lhs);
- mpz_add (rhs, rhs, x);
+ /* ed25519 special case. FIXME: Do in some cleaner way? */
+ mpz_t x2;
+ mpz_init (x2);
+ mpz_mul (x2, x, x);
+ mpz_mul (rhs, x2, lhs);
+ /* Check that -x^2 + y^2 = 1 - (121665/121666) x^2 y^2
+ or 121666 (1 + x^2 - y^2) = 121665 x^2 y^2 */
+ mpz_sub (lhs, x2, lhs);
+ mpz_add_ui (lhs, lhs, 1);
+ mpz_mul_ui (lhs, lhs, 121666);
+ mpz_mul_ui (rhs, rhs, 121665);
+ mpz_clear (x2);
}
else
{
mpz_add (rhs, rhs, mpz_roinit_n (t, p->ecc->b, size));
}
- mpz_mul (lhs, y, y);
-
res = mpz_congruent_p (lhs, rhs, mpz_roinit_n (t, p->ecc->p, size));
mpz_clear (lhs);
also with curve25519. */
test_dh ("curve25519", &nettle_curve25519,
"238301186166219052901200372289459967515481170332211409964804596991365959539",
- "16689431791973914300519294566135927090340942991104989847654071982531922134636",
- "20308418066388251043787233144732111482161260158474210903552303016733832642783",
+ "14283836751943535877833976277675258994717521964638468784408792140505262281235",
+ "43912344711849354965202408139054167824861850336739416536288592824181793690574",
"3795950278952272509684177709511717492358770264218705926196469999516028451559",
- "33748673775975978547568270043630771161978032265709185964960751948965332685487",
- "45040108202870901856797106334440548809561721639881101469282515918034252408802",
- "12684624775789228333626692483521764247362476074160626230698999100180553618972",
- "22635121008463339848034566659860493350277619617839914078958064757823336329514");
+ "9468726108732441384988851273894214794301501512287024874346147472389705411936",
+ "38072138078045635808869930165213470653418146012939584392304609812494425185763",
+ "10481077163111981870382976851703705086808805457403127024129174358161599078055",
+ "29260211489972704256554624312266763530759418996739976957020673870747051409679");
}
"e62e1706f54037ff 8486e26153b0fa79", /* k */
SHEX("e99df2a098c3c590 ea1e1db6d9547339"
"ae760d5331496119 5d967fd881e3b0f5"), /* h */
- " 62cbc248a549765 3641d1cbedda2733"
- "a7357821dca43727 d8081448d608030d", /* r */
- " 14726f472f44f84 63fe82c2712231cd"
- "937f2aecdcfe9c39 e2ab0d68c390ccf4"); /* s */
+ " 515c3a485f57432 0daf3353a0d08110"
+ "64157c556296de09 4132f74865961b37", /* r */
+ " 9ddd3e2fa87328c 372e28ac7a1c0c65"
+ "697196d643238fd0 c4caa4d1d88a62fe"); /* s */
}
test_ecdsa (&nettle_curve25519,
/* Public key corresponding to the key in ecdsa-sign-test */
- " eb07d9c7931d614 2669124e12273e1f"
- "b9f9555f52bed369 a71cdac173da0ceb", /* x */
- "2e726b0b1ff3abc4 d50798ebc246399e"
- "365777c0900a0d5b 425f819278d4281d", /* y */
+ "59f8f317fd5f4e82 c02f8d4dec665fe1"
+ "230f83b8572638e1 b2ac34a30028e24d", /* x */
+ "1902a72dc1a6525a 811b9c1845978d56"
+ "fd97dce5e278ebdd ec695349d7e41498", /* y */
SHEX("e99df2a098c3c590 ea1e1db6d9547339"
"ae760d5331496119 5d967fd881e3b0f5"), /* h */
- " 62cbc248a549765 3641d1cbedda2733"
- "a7357821dca43727 d8081448d608030d", /* r */
- " 14726f472f44f84 63fe82c2712231cd"
- "937f2aecdcfe9c39 e2ab0d68c390ccf4"); /* s */
+ " 515c3a485f57432 0daf3353a0d08110"
+ "64157c556296de09 4132f74865961b37", /* r */
+ " 9ddd3e2fa87328c 372e28ac7a1c0c65"
+ "697196d643238fd0 c4caa4d1d88a62fe"); /* s */
}
projects / thirdparty / nettle.git / commitdiff
