PolarSSL v1.3.3
ecp_curves.c
Go to the documentation of this file.
1 /*
2  * Elliptic curves over GF(p): curve-specific data and functions
3  *
4  * Copyright (C) 2006-2013, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 #include "polarssl/config.h"
27 
28 #if defined(POLARSSL_ECP_C)
29 
30 #include "polarssl/ecp.h"
31 
32 #if defined(_MSC_VER) && !defined(inline)
33 #define inline _inline
34 #else
35 #if defined(__ARMCC_VERSION) && !defined(inline)
36 #define inline __inline
37 #endif /* __ARMCC_VERSION */
38 #endif /*_MSC_VER */
39 
40 /*
41  * Conversion macros for embedded constants:
42  * build lists of t_uint's from lists of unsigned char's grouped by 8, 4 or 2
43  */
44 #if defined(POLARSSL_HAVE_INT8)
45 
46 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
47  a, b, c, d, e, f, g, h
48 
49 #define BYTES_TO_T_UINT_4( a, b, c, d ) \
50  a, b, c, d
51 
52 #define BYTES_TO_T_UINT_2( a, b ) \
53  a, b
54 
55 #elif defined(POLARSSL_HAVE_INT16)
56 
57 #define BYTES_TO_T_UINT_2( a, b ) \
58  ( (t_uint) a << 0 ) | \
59  ( (t_uint) b << 8 )
60 
61 #define BYTES_TO_T_UINT_4( a, b, c, d ) \
62  BYTES_TO_T_UINT_2( a, b ), \
63  BYTES_TO_T_UINT_2( c, d )
64 
65 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
66  BYTES_TO_T_UINT_2( a, b ), \
67  BYTES_TO_T_UINT_2( c, d ), \
68  BYTES_TO_T_UINT_2( e, f ), \
69  BYTES_TO_T_UINT_2( g, h )
70 
71 #elif defined(POLARSSL_HAVE_INT32)
72 
73 #define BYTES_TO_T_UINT_4( a, b, c, d ) \
74  ( (t_uint) a << 0 ) | \
75  ( (t_uint) b << 8 ) | \
76  ( (t_uint) c << 16 ) | \
77  ( (t_uint) d << 24 )
78 
79 #define BYTES_TO_T_UINT_2( a, b ) \
80  BYTES_TO_T_UINT_4( a, b, 0, 0 )
81 
82 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
83  BYTES_TO_T_UINT_4( a, b, c, d ), \
84  BYTES_TO_T_UINT_4( e, f, g, h )
85 
86 #else /* 64-bits */
87 
88 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
89  ( (t_uint) a << 0 ) | \
90  ( (t_uint) b << 8 ) | \
91  ( (t_uint) c << 16 ) | \
92  ( (t_uint) d << 24 ) | \
93  ( (t_uint) e << 32 ) | \
94  ( (t_uint) f << 40 ) | \
95  ( (t_uint) g << 48 ) | \
96  ( (t_uint) h << 56 )
97 
98 #define BYTES_TO_T_UINT_4( a, b, c, d ) \
99  BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 )
100 
101 #define BYTES_TO_T_UINT_2( a, b ) \
102  BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 )
103 
104 #endif /* bits in t_uint */
105 
106 /*
107  * Note: the constants are in little-endian order
108  * to be directly usable in MPIs
109  */
110 
111 /*
112  * Domain parameters for secp192r1
113  */
114 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
115 static t_uint secp192r1_p[] = {
116  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
117  BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
118  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
119 };
120 static t_uint secp192r1_b[] = {
121  BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ),
122  BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ),
123  BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ),
124 };
125 static t_uint secp192r1_gx[] = {
126  BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ),
127  BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ),
128  BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ),
129 };
130 static t_uint secp192r1_gy[] = {
131  BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ),
132  BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ),
133  BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ),
134 };
135 static t_uint secp192r1_n[] = {
136  BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ),
137  BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ),
138  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
139 };
140 #endif /* POLARSSL_ECP_DP_SECP192R1_ENABLED */
141 
142 /*
143  * Domain parameters for secp224r1
144  */
145 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
146 static t_uint secp224r1_p[] = {
147  BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
148  BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
149  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
150  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
151 };
152 static t_uint secp224r1_b[] = {
153  BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ),
154  BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ),
155  BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ),
156  BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ),
157 };
158 static t_uint secp224r1_gx[] = {
159  BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ),
160  BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ),
161  BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ),
162  BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ),
163 };
164 static t_uint secp224r1_gy[] = {
165  BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ),
166  BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ),
167  BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ),
168  BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ),
169 };
170 static t_uint secp224r1_n[] = {
171  BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ),
172  BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ),
173  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
174  BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
175 };
176 #endif /* POLARSSL_ECP_DP_SECP224R1_ENABLED */
177 
178 /*
179  * Domain parameters for secp256r1
180  */
181 #if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
182 static t_uint secp256r1_p[] = {
183  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
184  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
185  BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
186  BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
187 };
188 static t_uint secp256r1_b[] = {
189  BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ),
190  BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ),
191  BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ),
192  BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ),
193 };
194 static t_uint secp256r1_gx[] = {
195  BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ),
196  BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ),
197  BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ),
198  BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ),
199 };
200 static t_uint secp256r1_gy[] = {
201  BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ),
202  BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ),
203  BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ),
204  BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ),
205 };
206 static t_uint secp256r1_n[] = {
207  BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ),
208  BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ),
209  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
210  BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
211 };
212 #endif /* POLARSSL_ECP_DP_SECP256R1_ENABLED */
213 
214 /*
215  * Domain parameters for secp384r1
216  */
217 #if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
218 static t_uint secp384r1_p[] = {
219  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
220  BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
221  BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
222  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
223  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
224  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
225 };
226 static t_uint secp384r1_b[] = {
227  BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ),
228  BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ),
229  BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ),
230  BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ),
231  BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ),
232  BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ),
233 };
234 static t_uint secp384r1_gx[] = {
235  BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ),
236  BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ),
237  BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ),
238  BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ),
239  BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ),
240  BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ),
241 };
242 static t_uint secp384r1_gy[] = {
243  BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ),
244  BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ),
245  BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ),
246  BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ),
247  BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ),
248  BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ),
249 };
250 static t_uint secp384r1_n[] = {
251  BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ),
252  BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ),
253  BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ),
254  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
255  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
256  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
257 };
258 #endif /* POLARSSL_ECP_DP_SECP384R1_ENABLED */
259 
260 /*
261  * Domain parameters for secp521r1
262  */
263 #if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
264 static t_uint secp521r1_p[] = {
265  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
266  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
267  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
268  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
269  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
270  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
271  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
272  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
273  BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
274 };
275 static t_uint secp521r1_b[] = {
276  BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ),
277  BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ),
278  BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ),
279  BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ),
280  BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ),
281  BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ),
282  BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ),
283  BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ),
284  BYTES_TO_T_UINT_2( 0x51, 0x00 ),
285 };
286 static t_uint secp521r1_gx[] = {
287  BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ),
288  BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ),
289  BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ),
290  BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ),
291  BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ),
292  BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ),
293  BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ),
294  BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ),
295  BYTES_TO_T_UINT_2( 0xC6, 0x00 ),
296 };
297 static t_uint secp521r1_gy[] = {
298  BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ),
299  BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ),
300  BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ),
301  BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ),
302  BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ),
303  BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ),
304  BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ),
305  BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ),
306  BYTES_TO_T_UINT_2( 0x18, 0x01 ),
307 };
308 static t_uint secp521r1_n[] = {
309  BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ),
310  BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ),
311  BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ),
312  BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ),
313  BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
314  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
315  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
316  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
317  BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
318 };
319 #endif /* POLARSSL_ECP_DP_SECP521R1_ENABLED */
320 
321 /*
322  * Domain parameters for brainpoolP256r1 (RFC 5639 3.4)
323  */
324 #if defined(POLARSSL_ECP_DP_BP256R1_ENABLED)
325 static t_uint brainpoolP256r1_p[] = {
326  BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ),
327  BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ),
328  BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
329  BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
330 };
331 static t_uint brainpoolP256r1_a[] = {
332  BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ),
333  BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ),
334  BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ),
335  BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ),
336 };
337 static t_uint brainpoolP256r1_b[] = {
338  BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ),
339  BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ),
340  BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ),
341  BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ),
342 };
343 static t_uint brainpoolP256r1_gx[] = {
344  BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ),
345  BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ),
346  BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ),
347  BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ),
348 };
349 static t_uint brainpoolP256r1_gy[] = {
350  BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ),
351  BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ),
352  BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ),
353  BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ),
354 };
355 static t_uint brainpoolP256r1_n[] = {
356  BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ),
357  BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ),
358  BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
359  BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
360 };
361 #endif /* POLARSSL_ECP_DP_BP256R1_ENABLED */
362 
363 /*
364  * Domain parameters for brainpoolP384r1 (RFC 5639 3.6)
365  */
366 #if defined(POLARSSL_ECP_DP_BP384R1_ENABLED)
367 static t_uint brainpoolP384r1_p[] = {
368  BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ),
369  BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ),
370  BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ),
371  BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
372  BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
373  BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
374 };
375 static t_uint brainpoolP384r1_a[] = {
376  BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
377  BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ),
378  BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ),
379  BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ),
380  BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ),
381  BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ),
382 };
383 static t_uint brainpoolP384r1_b[] = {
384  BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ),
385  BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ),
386  BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ),
387  BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ),
388  BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ),
389  BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
390 };
391 static t_uint brainpoolP384r1_gx[] = {
392  BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ),
393  BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ),
394  BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ),
395  BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ),
396  BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ),
397  BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ),
398 };
399 static t_uint brainpoolP384r1_gy[] = {
400  BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ),
401  BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ),
402  BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ),
403  BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ),
404  BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ),
405  BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ),
406 };
407 static t_uint brainpoolP384r1_n[] = {
408  BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ),
409  BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ),
410  BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ),
411  BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
412  BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
413  BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
414 };
415 #endif /* POLARSSL_ECP_DP_BP384R1_ENABLED */
416 
417 /*
418  * Domain parameters for brainpoolP512r1 (RFC 5639 3.7)
419  */
420 #if defined(POLARSSL_ECP_DP_BP512R1_ENABLED)
421 static t_uint brainpoolP512r1_p[] = {
422  BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ),
423  BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ),
424  BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ),
425  BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ),
426  BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
427  BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
428  BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
429  BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
430 };
431 static t_uint brainpoolP512r1_a[] = {
432  BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ),
433  BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ),
434  BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ),
435  BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ),
436  BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ),
437  BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ),
438  BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ),
439  BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ),
440 };
441 static t_uint brainpoolP512r1_b[] = {
442  BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ),
443  BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ),
444  BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ),
445  BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ),
446  BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ),
447  BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ),
448  BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ),
449  BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ),
450 };
451 static t_uint brainpoolP512r1_gx[] = {
452  BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ),
453  BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ),
454  BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ),
455  BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ),
456  BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ),
457  BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ),
458  BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ),
459  BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ),
460 };
461 static t_uint brainpoolP512r1_gy[] = {
462  BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ),
463  BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ),
464  BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ),
465  BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ),
466  BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ),
467  BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ),
468  BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ),
469  BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ),
470 };
471 static t_uint brainpoolP512r1_n[] = {
472  BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ),
473  BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ),
474  BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ),
475  BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ),
476  BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
477  BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
478  BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
479  BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
480 };
481 #endif /* POLARSSL_ECP_DP_BP512R1_ENABLED */
482 
483 /*
484  * Create an MPI from embedded constants
485  * (assumes len is an exact multiple of sizeof t_uint)
486  */
487 static inline void ecp_mpi_load( mpi *X, const t_uint *p, size_t len )
488 {
489  X->s = 1;
490  X->n = len / sizeof( t_uint );
491  X->p = (t_uint *) p;
492 }
493 
494 /*
495  * Set an MPI to static value 1
496  */
497 static inline void ecp_mpi_set1( mpi *X )
498 {
499  static t_uint one[] = { 1 };
500  X->s = 1;
501  X->n = 1;
502  X->p = one;
503 }
504 
505 /*
506  * Make group available from embedded constants
507  */
508 static int ecp_group_load( ecp_group *grp,
509  const t_uint *p, size_t plen,
510  const t_uint *a, size_t alen,
511  const t_uint *b, size_t blen,
512  const t_uint *gx, size_t gxlen,
513  const t_uint *gy, size_t gylen,
514  const t_uint *n, size_t nlen)
515 {
516  ecp_mpi_load( &grp->P, p, plen );
517  if( a != NULL )
518  ecp_mpi_load( &grp->A, a, alen );
519  ecp_mpi_load( &grp->B, b, blen );
520  ecp_mpi_load( &grp->N, n, nlen );
521 
522  ecp_mpi_load( &grp->G.X, gx, gxlen );
523  ecp_mpi_load( &grp->G.Y, gy, gylen );
524  ecp_mpi_set1( &grp->G.Z );
525 
526  grp->pbits = mpi_msb( &grp->P );
527  grp->nbits = mpi_msb( &grp->N );
528 
529  grp->h = 1;
530 
531  return( 0 );
532 }
533 
534 #if defined(POLARSSL_ECP_NIST_OPTIM)
535 /* Forward declarations */
536 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
537 static int ecp_mod_p192( mpi * );
538 #endif
539 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
540 static int ecp_mod_p224( mpi * );
541 #endif
542 #if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
543 static int ecp_mod_p256( mpi * );
544 #endif
545 #if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
546 static int ecp_mod_p384( mpi * );
547 #endif
548 #if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
549 static int ecp_mod_p521( mpi * );
550 #endif
551 #if defined(POLARSSL_ECP_DP_M255_ENABLED)
552 static int ecp_mod_p255( mpi * );
553 #endif
554 
555 #define NIST_MODP( P ) grp->modp = ecp_mod_ ## P;
556 #else
557 #define NIST_MODP( P )
558 #endif /* POLARSSL_ECP_NIST_OPTIM */
559 
560 #define LOAD_GROUP_A( G ) ecp_group_load( grp, \
561  G ## _p, sizeof( G ## _p ), \
562  G ## _a, sizeof( G ## _a ), \
563  G ## _b, sizeof( G ## _b ), \
564  G ## _gx, sizeof( G ## _gx ), \
565  G ## _gy, sizeof( G ## _gy ), \
566  G ## _n, sizeof( G ## _n ) )
567 
568 #define LOAD_GROUP( G ) ecp_group_load( grp, \
569  G ## _p, sizeof( G ## _p ), \
570  NULL, 0, \
571  G ## _b, sizeof( G ## _b ), \
572  G ## _gx, sizeof( G ## _gx ), \
573  G ## _gy, sizeof( G ## _gy ), \
574  G ## _n, sizeof( G ## _n ) )
575 
576 #if defined(POLARSSL_ECP_DP_M255_ENABLED)
577 /*
578  * Specialized function for creating the Curve25519 group
579  */
580 static int ecp_use_curve25519( ecp_group *grp )
581 {
582  int ret;
583 
584  /* Actually ( A + 2 ) / 4 */
585  MPI_CHK( mpi_read_string( &grp->A, 16, "01DB42" ) );
586 
587  /* P = 2^255 - 19 */
588  MPI_CHK( mpi_lset( &grp->P, 1 ) );
589  MPI_CHK( mpi_shift_l( &grp->P, 255 ) );
590  MPI_CHK( mpi_sub_int( &grp->P, &grp->P, 19 ) );
591  grp->pbits = mpi_msb( &grp->P );
592 
593  /* Y intentionaly not set, since we use x/z coordinates.
594  * This is used as a marker to identify Montgomery curves! */
595  MPI_CHK( mpi_lset( &grp->G.X, 9 ) );
596  MPI_CHK( mpi_lset( &grp->G.Z, 1 ) );
597  mpi_free( &grp->G.Y );
598 
599  /* Actually, the required msb for private keys */
600  grp->nbits = 254;
601 
602 cleanup:
603  if( ret != 0 )
604  ecp_group_free( grp );
605 
606  return( ret );
607 }
608 #endif /* POLARSSL_ECP_DP_M255_ENABLED */
609 
610 /*
611  * Set a group using well-known domain parameters
612  */
614 {
615  ecp_group_free( grp );
616 
617  grp->id = id;
618 
619  switch( id )
620  {
621 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
623  NIST_MODP( p192 );
624  return( LOAD_GROUP( secp192r1 ) );
625 #endif /* POLARSSL_ECP_DP_SECP192R1_ENABLED */
626 
627 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
629  NIST_MODP( p224 );
630  return( LOAD_GROUP( secp224r1 ) );
631 #endif /* POLARSSL_ECP_DP_SECP224R1_ENABLED */
632 
633 #if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
635  NIST_MODP( p256 );
636  return( LOAD_GROUP( secp256r1 ) );
637 #endif /* POLARSSL_ECP_DP_SECP256R1_ENABLED */
638 
639 #if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
641  NIST_MODP( p384 );
642  return( LOAD_GROUP( secp384r1 ) );
643 #endif /* POLARSSL_ECP_DP_SECP384R1_ENABLED */
644 
645 #if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
647  NIST_MODP( p521 );
648  return( LOAD_GROUP( secp521r1 ) );
649 #endif /* POLARSSL_ECP_DP_SECP521R1_ENABLED */
650 
651 #if defined(POLARSSL_ECP_DP_BP256R1_ENABLED)
653  return( LOAD_GROUP_A( brainpoolP256r1 ) );
654 #endif /* POLARSSL_ECP_DP_BP256R1_ENABLED */
655 
656 #if defined(POLARSSL_ECP_DP_BP384R1_ENABLED)
658  return( LOAD_GROUP_A( brainpoolP384r1 ) );
659 #endif /* POLARSSL_ECP_DP_BP384R1_ENABLED */
660 
661 #if defined(POLARSSL_ECP_DP_BP512R1_ENABLED)
663  return( LOAD_GROUP_A( brainpoolP512r1 ) );
664 #endif /* POLARSSL_ECP_DP_BP512R1_ENABLED */
665 
666 #if defined(POLARSSL_ECP_DP_M255_ENABLED)
668  grp->modp = ecp_mod_p255;
669  return( ecp_use_curve25519( grp ) );
670 #endif /* POLARSSL_ECP_DP_M255_ENABLED */
671 
672  default:
673  ecp_group_free( grp );
675  }
676 }
677 
678 #if defined(POLARSSL_ECP_NIST_OPTIM)
679 /*
680  * Fast reduction modulo the primes used by the NIST curves.
681  *
682  * These functions are critical for speed, but not needed for correct
683  * operations. So, we make the choice to heavily rely on the internals of our
684  * bignum library, which creates a tight coupling between these functions and
685  * our MPI implementation. However, the coupling between the ECP module and
686  * MPI remains loose, since these functions can be deactivated at will.
687  */
688 
689 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
690 /*
691  * Compared to the way things are presented in FIPS 186-3 D.2,
692  * we proceed in columns, from right (least significant chunk) to left,
693  * adding chunks to N in place, and keeping a carry for the next chunk.
694  * This avoids moving things around in memory, and uselessly adding zeros,
695  * compared to the more straightforward, line-oriented approach.
696  *
697  * For this prime we need to handle data in chunks of 64 bits.
698  * Since this is always a multiple of our basic t_uint, we can
699  * use a t_uint * to designate such a chunk, and small loops to handle it.
700  */
701 
702 /* Add 64-bit chunks (dst += src) and update carry */
703 static inline void add64( t_uint *dst, t_uint *src, t_uint *carry )
704 {
705  unsigned char i;
706  t_uint c = 0;
707  for( i = 0; i < 8 / sizeof( t_uint ); i++, dst++, src++ )
708  {
709  *dst += c; c = ( *dst < c );
710  *dst += *src; c += ( *dst < *src );
711  }
712  *carry += c;
713 }
714 
715 /* Add carry to a 64-bit chunk and update carry */
716 static inline void carry64( t_uint *dst, t_uint *carry )
717 {
718  unsigned char i;
719  for( i = 0; i < 8 / sizeof( t_uint ); i++, dst++ )
720  {
721  *dst += *carry;
722  *carry = ( *dst < *carry );
723  }
724 }
725 
726 #define WIDTH 8 / sizeof( t_uint )
727 #define A( i ) N->p + i * WIDTH
728 #define ADD( i ) add64( p, A( i ), &c )
729 #define NEXT p += WIDTH; carry64( p, &c )
730 #define LAST p += WIDTH; *p = c; while( ++p < end ) *p = 0
731 
732 /*
733  * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
734  */
735 static int ecp_mod_p192( mpi *N )
736 {
737  int ret;
738  t_uint c = 0;
739  t_uint *p, *end;
740 
741  /* Make sure we have enough blocks so that A(5) is legal */
742  MPI_CHK( mpi_grow( N, 6 * WIDTH ) );
743 
744  p = N->p;
745  end = p + N->n;
746 
747  ADD( 3 ); ADD( 5 ); NEXT; // A0 += A3 + A5
748  ADD( 3 ); ADD( 4 ); ADD( 5 ); NEXT; // A1 += A3 + A4 + A5
749  ADD( 4 ); ADD( 5 ); LAST; // A2 += A4 + A5
750 
751 cleanup:
752  return( ret );
753 }
754 
755 #undef WIDTH
756 #undef A
757 #undef ADD
758 #undef NEXT
759 #undef LAST
760 #endif /* POLARSSL_ECP_DP_SECP192R1_ENABLED */
761 
762 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED) || \
763  defined(POLARSSL_ECP_DP_SECP256R1_ENABLED) || \
764  defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
765 /*
766  * The reader is advised to first understand ecp_mod_p192() since the same
767  * general structure is used here, but with additional complications:
768  * (1) chunks of 32 bits, and (2) subtractions.
769  */
770 
771 /*
772  * For these primes, we need to handle data in chunks of 32 bits.
773  * This makes it more complicated if we use 64 bits limbs in MPI,
774  * which prevents us from using a uniform access method as for p192.
775  *
776  * So, we define a mini abstraction layer to access 32 bit chunks,
777  * load them in 'cur' for work, and store them back from 'cur' when done.
778  *
779  * While at it, also define the size of N in terms of 32-bit chunks.
780  */
781 #define LOAD32 cur = A( i );
782 
783 #if defined(POLARSSL_HAVE_INT8) /* 8 bit */
784 
785 #define MAX32 N->n / 4
786 #define A( j ) (uint32_t)( N->p[4*j+0] ) | \
787  ( N->p[4*j+1] << 8 ) | \
788  ( N->p[4*j+2] << 16 ) | \
789  ( N->p[4*j+3] << 24 )
790 #define STORE32 N->p[4*i+0] = (t_uint)( cur ); \
791  N->p[4*i+1] = (t_uint)( cur >> 8 ); \
792  N->p[4*i+2] = (t_uint)( cur >> 16 ); \
793  N->p[4*i+3] = (t_uint)( cur >> 24 );
794 
795 #elif defined(POLARSSL_HAVE_INT16) /* 16 bit */
796 
797 #define MAX32 N->n / 2
798 #define A( j ) (uint32_t)( N->p[2*j] ) | ( N->p[2*j+1] << 16 )
799 #define STORE32 N->p[2*i+0] = (t_uint)( cur ); \
800  N->p[2*i+1] = (t_uint)( cur >> 16 );
801 
802 #elif defined(POLARSSL_HAVE_INT32) /* 32 bit */
803 
804 #define MAX32 N->n
805 #define A( j ) N->p[j]
806 #define STORE32 N->p[i] = cur;
807 
808 #else /* 64-bit */
809 
810 #define MAX32 N->n * 2
811 #define A( j ) j % 2 ? (uint32_t)( N->p[j/2] >> 32 ) : (uint32_t)( N->p[j/2] )
812 #define STORE32 \
813  if( i % 2 ) { \
814  N->p[i/2] &= 0x00000000FFFFFFFF; \
815  N->p[i/2] |= ((t_uint) cur) << 32; \
816  } else { \
817  N->p[i/2] &= 0xFFFFFFFF00000000; \
818  N->p[i/2] |= (t_uint) cur; \
819  }
820 
821 #endif /* sizeof( t_uint ) */
822 
823 /*
824  * Helpers for addition and subtraction of chunks, with signed carry.
825  */
826 static inline void add32( uint32_t *dst, uint32_t src, signed char *carry )
827 {
828  *dst += src;
829  *carry += ( *dst < src );
830 }
831 
832 static inline void sub32( uint32_t *dst, uint32_t src, signed char *carry )
833 {
834  *carry -= ( *dst < src );
835  *dst -= src;
836 }
837 
838 #define ADD( j ) add32( &cur, A( j ), &c );
839 #define SUB( j ) sub32( &cur, A( j ), &c );
840 
841 /*
842  * Helpers for the main 'loop'
843  * (see fix_negative for the motivation of C)
844  */
845 #define INIT( b ) \
846  int ret; \
847  signed char c = 0, cc; \
848  uint32_t cur; \
849  size_t i = 0, bits = b; \
850  mpi C; \
851  t_uint Cp[ b / 8 / sizeof( t_uint) + 1 ]; \
852  \
853  C.s = 1; \
854  C.n = b / 8 / sizeof( t_uint) + 1; \
855  C.p = Cp; \
856  memset( Cp, 0, C.n * sizeof( t_uint ) ); \
857  \
858  MPI_CHK( mpi_grow( N, b * 2 / 8 / sizeof( t_uint ) ) ); \
859  LOAD32;
860 
861 #define NEXT \
862  STORE32; i++; LOAD32; \
863  cc = c; c = 0; \
864  if( cc < 0 ) \
865  sub32( &cur, -cc, &c ); \
866  else \
867  add32( &cur, cc, &c ); \
868 
869 #define LAST \
870  STORE32; i++; \
871  cur = c > 0 ? c : 0; STORE32; \
872  cur = 0; while( ++i < MAX32 ) { STORE32; } \
873  if( c < 0 ) fix_negative( N, c, &C, bits );
874 
875 /*
876  * If the result is negative, we get it in the form
877  * c * 2^(bits + 32) + N, with c negative and N positive shorter than 'bits'
878  */
879 static inline int fix_negative( mpi *N, signed char c, mpi *C, size_t bits )
880 {
881  int ret;
882 
883  /* C = - c * 2^(bits + 32) */
884 #if !defined(POLARSSL_HAVE_INT64)
885  ((void) bits);
886 #else
887  if( bits == 224 )
888  C->p[ C->n - 1 ] = ((t_uint) -c) << 32;
889  else
890 #endif
891  C->p[ C->n - 1 ] = (t_uint) -c;
892 
893  /* N = - ( C - N ) */
894  MPI_CHK( mpi_sub_abs( N, C, N ) );
895  N->s = -1;
896 
897 cleanup:
898 
899  return( ret );
900 }
901 
902 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
903 /*
904  * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
905  */
906 static int ecp_mod_p224( mpi *N )
907 {
908  INIT( 224 );
909 
910  SUB( 7 ); SUB( 11 ); NEXT; // A0 += -A7 - A11
911  SUB( 8 ); SUB( 12 ); NEXT; // A1 += -A8 - A12
912  SUB( 9 ); SUB( 13 ); NEXT; // A2 += -A9 - A13
913  SUB( 10 ); ADD( 7 ); ADD( 11 ); NEXT; // A3 += -A10 + A7 + A11
914  SUB( 11 ); ADD( 8 ); ADD( 12 ); NEXT; // A4 += -A11 + A8 + A12
915  SUB( 12 ); ADD( 9 ); ADD( 13 ); NEXT; // A5 += -A12 + A9 + A13
916  SUB( 13 ); ADD( 10 ); LAST; // A6 += -A13 + A10
917 
918 cleanup:
919  return( ret );
920 }
921 #endif /* POLARSSL_ECP_DP_SECP224R1_ENABLED */
922 
923 #if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
924 /*
925  * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
926  */
927 static int ecp_mod_p256( mpi *N )
928 {
929  INIT( 256 );
930 
931  ADD( 8 ); ADD( 9 );
932  SUB( 11 ); SUB( 12 ); SUB( 13 ); SUB( 14 ); NEXT; // A0
933 
934  ADD( 9 ); ADD( 10 );
935  SUB( 12 ); SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A1
936 
937  ADD( 10 ); ADD( 11 );
938  SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A2
939 
940  ADD( 11 ); ADD( 11 ); ADD( 12 ); ADD( 12 ); ADD( 13 );
941  SUB( 15 ); SUB( 8 ); SUB( 9 ); NEXT; // A3
942 
943  ADD( 12 ); ADD( 12 ); ADD( 13 ); ADD( 13 ); ADD( 14 );
944  SUB( 9 ); SUB( 10 ); NEXT; // A4
945 
946  ADD( 13 ); ADD( 13 ); ADD( 14 ); ADD( 14 ); ADD( 15 );
947  SUB( 10 ); SUB( 11 ); NEXT; // A5
948 
949  ADD( 14 ); ADD( 14 ); ADD( 15 ); ADD( 15 ); ADD( 14 ); ADD( 13 );
950  SUB( 8 ); SUB( 9 ); NEXT; // A6
951 
952  ADD( 15 ); ADD( 15 ); ADD( 15 ); ADD( 8 );
953  SUB( 10 ); SUB( 11 ); SUB( 12 ); SUB( 13 ); LAST; // A7
954 
955 cleanup:
956  return( ret );
957 }
958 #endif /* POLARSSL_ECP_DP_SECP256R1_ENABLED */
959 
960 #if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
961 /*
962  * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
963  */
964 static int ecp_mod_p384( mpi *N )
965 {
966  INIT( 384 );
967 
968  ADD( 12 ); ADD( 21 ); ADD( 20 );
969  SUB( 23 ); NEXT; // A0
970 
971  ADD( 13 ); ADD( 22 ); ADD( 23 );
972  SUB( 12 ); SUB( 20 ); NEXT; // A2
973 
974  ADD( 14 ); ADD( 23 );
975  SUB( 13 ); SUB( 21 ); NEXT; // A2
976 
977  ADD( 15 ); ADD( 12 ); ADD( 20 ); ADD( 21 );
978  SUB( 14 ); SUB( 22 ); SUB( 23 ); NEXT; // A3
979 
980  ADD( 21 ); ADD( 21 ); ADD( 16 ); ADD( 13 ); ADD( 12 ); ADD( 20 ); ADD( 22 );
981  SUB( 15 ); SUB( 23 ); SUB( 23 ); NEXT; // A4
982 
983  ADD( 22 ); ADD( 22 ); ADD( 17 ); ADD( 14 ); ADD( 13 ); ADD( 21 ); ADD( 23 );
984  SUB( 16 ); NEXT; // A5
985 
986  ADD( 23 ); ADD( 23 ); ADD( 18 ); ADD( 15 ); ADD( 14 ); ADD( 22 );
987  SUB( 17 ); NEXT; // A6
988 
989  ADD( 19 ); ADD( 16 ); ADD( 15 ); ADD( 23 );
990  SUB( 18 ); NEXT; // A7
991 
992  ADD( 20 ); ADD( 17 ); ADD( 16 );
993  SUB( 19 ); NEXT; // A8
994 
995  ADD( 21 ); ADD( 18 ); ADD( 17 );
996  SUB( 20 ); NEXT; // A9
997 
998  ADD( 22 ); ADD( 19 ); ADD( 18 );
999  SUB( 21 ); NEXT; // A10
1000 
1001  ADD( 23 ); ADD( 20 ); ADD( 19 );
1002  SUB( 22 ); LAST; // A11
1003 
1004 cleanup:
1005  return( ret );
1006 }
1007 #endif /* POLARSSL_ECP_DP_SECP384R1_ENABLED */
1008 
1009 #undef A
1010 #undef LOAD32
1011 #undef STORE32
1012 #undef MAX32
1013 #undef INIT
1014 #undef NEXT
1015 #undef LAST
1016 
1017 #endif /* POLARSSL_ECP_DP_SECP224R1_ENABLED ||
1018  POLARSSL_ECP_DP_SECP256R1_ENABLED ||
1019  POLARSSL_ECP_DP_SECP384R1_ENABLED */
1020 
1021 #if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
1022 /*
1023  * Here we have an actual Mersenne prime, so things are more straightforward.
1024  * However, chunks are aligned on a 'weird' boundary (521 bits).
1025  */
1026 
1027 /* Size of p521 in terms of t_uint */
1028 #define P521_WIDTH ( 521 / 8 / sizeof( t_uint ) + 1 )
1029 
1030 /* Bits to keep in the most significant t_uint */
1031 #if defined(POLARSSL_HAVE_INT8)
1032 #define P521_MASK 0x01
1033 #else
1034 #define P521_MASK 0x01FF
1035 #endif
1036 
1037 /*
1038  * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5)
1039  * Write N as A1 + 2^521 A0, return A0 + A1
1040  */
1041 static int ecp_mod_p521( mpi *N )
1042 {
1043  int ret;
1044  size_t i;
1045  mpi M;
1046  t_uint Mp[P521_WIDTH + 1];
1047  /* Worst case for the size of M is when t_uint is 16 bits:
1048  * we need to hold bits 513 to 1056, which is 34 limbs, that is
1049  * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */
1050 
1051  if( N->n < P521_WIDTH )
1052  return( 0 );
1053 
1054  /* M = A1 */
1055  M.s = 1;
1056  M.n = N->n - ( P521_WIDTH - 1 );
1057  if( M.n > P521_WIDTH + 1 )
1058  M.n = P521_WIDTH + 1;
1059  M.p = Mp;
1060  memcpy( Mp, N->p + P521_WIDTH - 1, M.n * sizeof( t_uint ) );
1061  MPI_CHK( mpi_shift_r( &M, 521 % ( 8 * sizeof( t_uint ) ) ) );
1062 
1063  /* N = A0 */
1064  N->p[P521_WIDTH - 1] &= P521_MASK;
1065  for( i = P521_WIDTH; i < N->n; i++ )
1066  N->p[i] = 0;
1067 
1068  /* N = A0 + A1 */
1069  MPI_CHK( mpi_add_abs( N, N, &M ) );
1070 
1071 cleanup:
1072  return( ret );
1073 }
1074 
1075 #undef P521_WIDTH
1076 #undef P521_MASK
1077 #endif /* POLARSSL_ECP_DP_SECP521R1_ENABLED */
1078 
1079 #endif /* POLARSSL_ECP_NIST_OPTIM */
1080 
1081 #if defined(POLARSSL_ECP_DP_M255_ENABLED)
1082 
1083 /* Size of p255 in terms of t_uint */
1084 #define P255_WIDTH ( 255 / 8 / sizeof( t_uint ) + 1 )
1085 
1086 /*
1087  * Fast quasi-reduction modulo p255 = 2^255 - 19
1088  * Write N as A1 + 2^255 A1, return A0 + 19 * A1
1089  */
1090 static int ecp_mod_p255( mpi *N )
1091 {
1092  int ret;
1093  size_t i;
1094  mpi M;
1095  t_uint Mp[P255_WIDTH + 2];
1096 
1097  if( N->n < P255_WIDTH )
1098  return( 0 );
1099 
1100  /* M = A1 */
1101  M.s = 1;
1102  M.n = N->n - ( P255_WIDTH - 1 );
1103  if( M.n > P255_WIDTH + 1 )
1104  M.n = P255_WIDTH + 1;
1105  M.p = Mp;
1106  memset( Mp, 0, sizeof Mp );
1107  memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( t_uint ) );
1108  MPI_CHK( mpi_shift_r( &M, 255 % ( 8 * sizeof( t_uint ) ) ) );
1109  M.n++; /* Make room for multiplication by 19 */
1110 
1111  /* N = A0 */
1112  mpi_set_bit( N, 255, 0 );
1113  for( i = P255_WIDTH; i < N->n; i++ )
1114  N->p[i] = 0;
1115 
1116  /* N = A0 + 19 * A1 */
1117  MPI_CHK( mpi_mul_int( &M, &M, 19 ) );
1118  MPI_CHK( mpi_add_abs( N, N, &M ) );
1119 
1120 cleanup:
1121  return( ret );
1122 }
1123 #endif /* POLARSSL_ECP_DP_M255_ENABLED */
1124 
1125 #endif
size_t pbits
Definition: ecp.h:137
uint32_t t_uint
Definition: bignum.h:155
Elliptic curves over GF(p)
int s
Definition: bignum.h:179
int mpi_sub_abs(mpi *X, const mpi *A, const mpi *B)
Unsigned subtraction: X = |A| - |B|.
mpi P
Definition: ecp.h:132
int(* modp)(mpi *)
Definition: ecp.h:140
ECP group structure.
Definition: ecp.h:129
Configuration options (set of defines)
unsigned int h
Definition: ecp.h:139
int mpi_lset(mpi *X, t_sint z)
Set value from integer.
MPI structure.
Definition: bignum.h:177
#define POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE
Requested curve not available.
Definition: ecp.h:37
mpi X
Definition: ecp.h:102
int mpi_shift_r(mpi *X, size_t count)
Right-shift: X &gt;&gt;= count.
ecp_point G
Definition: ecp.h:135
ecp_group_id id
Definition: ecp.h:131
mpi B
Definition: ecp.h:134
mpi N
Definition: ecp.h:136
void mpi_free(mpi *X)
Unallocate one MPI.
int mpi_mul_int(mpi *X, const mpi *A, t_sint b)
Baseline multiplication: X = A * b Note: despite the functon signature, b is treated as a t_uint...
void ecp_group_free(ecp_group *grp)
Free the components of an ECP group.
int mpi_grow(mpi *X, size_t nblimbs)
Enlarge to the specified number of limbs.
size_t mpi_msb(const mpi *X)
Return the number of bits up to and including the most significant &#39;1&#39; bit&#39;.
int ecp_use_known_dp(ecp_group *grp, ecp_group_id index)
Set a group using well-known domain parameters.
int mpi_add_abs(mpi *X, const mpi *A, const mpi *B)
Unsigned addition: X = |A| + |B|.
int mpi_read_string(mpi *X, int radix, const char *s)
Import from an ASCII string.
t_uint * p
Definition: bignum.h:181
mpi A
Definition: ecp.h:133
ecp_group_id
Domain parameters (curve, subgroup and generator) identifiers.
Definition: ecp.h:56
size_t nbits
Definition: ecp.h:138
mpi Y
Definition: ecp.h:103
size_t n
Definition: bignum.h:180
mpi Z
Definition: ecp.h:104
int mpi_shift_l(mpi *X, size_t count)
Left-shift: X &lt;&lt;= count.
int mpi_set_bit(mpi *X, size_t pos, unsigned char val)
Set a bit of X to a specific value of 0 or 1.
int mpi_sub_int(mpi *X, const mpi *A, t_sint b)
Signed subtraction: X = A - b.
#define MPI_CHK(f)
Definition: bignum.h:61