PolarSSL v1.3.4
ecp_curves.c
Go to the documentation of this file.
1 /*
2  * Elliptic curves over GF(p): curve-specific data and functions
3  *
4  * Copyright (C) 2006-2013, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 #include "polarssl/config.h"
27 
28 #if defined(POLARSSL_ECP_C)
29 
30 #include "polarssl/ecp.h"
31 
32 #if defined(_MSC_VER) && !defined(inline)
33 #define inline _inline
34 #else
35 #if defined(__ARMCC_VERSION) && !defined(inline)
36 #define inline __inline
37 #endif /* __ARMCC_VERSION */
38 #endif /*_MSC_VER */
39 
40 /*
41  * Conversion macros for embedded constants:
42  * build lists of t_uint's from lists of unsigned char's grouped by 8, 4 or 2
43  */
44 #if defined(POLARSSL_HAVE_INT8)
45 
46 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
47  a, b, c, d, e, f, g, h
48 
49 #define BYTES_TO_T_UINT_4( a, b, c, d ) \
50  a, b, c, d
51 
52 #define BYTES_TO_T_UINT_2( a, b ) \
53  a, b
54 
55 #elif defined(POLARSSL_HAVE_INT16)
56 
57 #define BYTES_TO_T_UINT_2( a, b ) \
58  ( (t_uint) a << 0 ) | \
59  ( (t_uint) b << 8 )
60 
61 #define BYTES_TO_T_UINT_4( a, b, c, d ) \
62  BYTES_TO_T_UINT_2( a, b ), \
63  BYTES_TO_T_UINT_2( c, d )
64 
65 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
66  BYTES_TO_T_UINT_2( a, b ), \
67  BYTES_TO_T_UINT_2( c, d ), \
68  BYTES_TO_T_UINT_2( e, f ), \
69  BYTES_TO_T_UINT_2( g, h )
70 
71 #elif defined(POLARSSL_HAVE_INT32)
72 
73 #define BYTES_TO_T_UINT_4( a, b, c, d ) \
74  ( (t_uint) a << 0 ) | \
75  ( (t_uint) b << 8 ) | \
76  ( (t_uint) c << 16 ) | \
77  ( (t_uint) d << 24 )
78 
79 #define BYTES_TO_T_UINT_2( a, b ) \
80  BYTES_TO_T_UINT_4( a, b, 0, 0 )
81 
82 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
83  BYTES_TO_T_UINT_4( a, b, c, d ), \
84  BYTES_TO_T_UINT_4( e, f, g, h )
85 
86 #else /* 64-bits */
87 
88 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
89  ( (t_uint) a << 0 ) | \
90  ( (t_uint) b << 8 ) | \
91  ( (t_uint) c << 16 ) | \
92  ( (t_uint) d << 24 ) | \
93  ( (t_uint) e << 32 ) | \
94  ( (t_uint) f << 40 ) | \
95  ( (t_uint) g << 48 ) | \
96  ( (t_uint) h << 56 )
97 
98 #define BYTES_TO_T_UINT_4( a, b, c, d ) \
99  BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 )
100 
101 #define BYTES_TO_T_UINT_2( a, b ) \
102  BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 )
103 
104 #endif /* bits in t_uint */
105 
106 /*
107  * Note: the constants are in little-endian order
108  * to be directly usable in MPIs
109  */
110 
111 /*
112  * Domain parameters for secp192r1
113  */
114 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
115 static t_uint secp192r1_p[] = {
116  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
117  BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
118  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
119 };
120 static t_uint secp192r1_b[] = {
121  BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ),
122  BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ),
123  BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ),
124 };
125 static t_uint secp192r1_gx[] = {
126  BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ),
127  BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ),
128  BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ),
129 };
130 static t_uint secp192r1_gy[] = {
131  BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ),
132  BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ),
133  BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ),
134 };
135 static t_uint secp192r1_n[] = {
136  BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ),
137  BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ),
138  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
139 };
140 #endif /* POLARSSL_ECP_DP_SECP192R1_ENABLED */
141 
142 /*
143  * Domain parameters for secp224r1
144  */
145 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
146 static t_uint secp224r1_p[] = {
147  BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
148  BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
149  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
150  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
151 };
152 static t_uint secp224r1_b[] = {
153  BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ),
154  BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ),
155  BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ),
156  BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ),
157 };
158 static t_uint secp224r1_gx[] = {
159  BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ),
160  BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ),
161  BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ),
162  BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ),
163 };
164 static t_uint secp224r1_gy[] = {
165  BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ),
166  BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ),
167  BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ),
168  BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ),
169 };
170 static t_uint secp224r1_n[] = {
171  BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ),
172  BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ),
173  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
174  BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
175 };
176 #endif /* POLARSSL_ECP_DP_SECP224R1_ENABLED */
177 
178 /*
179  * Domain parameters for secp256r1
180  */
181 #if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
182 static t_uint secp256r1_p[] = {
183  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
184  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
185  BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
186  BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
187 };
188 static t_uint secp256r1_b[] = {
189  BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ),
190  BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ),
191  BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ),
192  BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ),
193 };
194 static t_uint secp256r1_gx[] = {
195  BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ),
196  BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ),
197  BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ),
198  BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ),
199 };
200 static t_uint secp256r1_gy[] = {
201  BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ),
202  BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ),
203  BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ),
204  BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ),
205 };
206 static t_uint secp256r1_n[] = {
207  BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ),
208  BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ),
209  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
210  BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
211 };
212 #endif /* POLARSSL_ECP_DP_SECP256R1_ENABLED */
213 
214 /*
215  * Domain parameters for secp384r1
216  */
217 #if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
218 static t_uint secp384r1_p[] = {
219  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
220  BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
221  BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
222  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
223  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
224  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
225 };
226 static t_uint secp384r1_b[] = {
227  BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ),
228  BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ),
229  BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ),
230  BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ),
231  BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ),
232  BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ),
233 };
234 static t_uint secp384r1_gx[] = {
235  BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ),
236  BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ),
237  BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ),
238  BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ),
239  BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ),
240  BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ),
241 };
242 static t_uint secp384r1_gy[] = {
243  BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ),
244  BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ),
245  BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ),
246  BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ),
247  BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ),
248  BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ),
249 };
250 static t_uint secp384r1_n[] = {
251  BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ),
252  BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ),
253  BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ),
254  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
255  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
256  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
257 };
258 #endif /* POLARSSL_ECP_DP_SECP384R1_ENABLED */
259 
260 /*
261  * Domain parameters for secp521r1
262  */
263 #if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
264 static t_uint secp521r1_p[] = {
265  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
266  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
267  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
268  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
269  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
270  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
271  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
272  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
273  BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
274 };
275 static t_uint secp521r1_b[] = {
276  BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ),
277  BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ),
278  BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ),
279  BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ),
280  BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ),
281  BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ),
282  BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ),
283  BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ),
284  BYTES_TO_T_UINT_2( 0x51, 0x00 ),
285 };
286 static t_uint secp521r1_gx[] = {
287  BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ),
288  BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ),
289  BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ),
290  BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ),
291  BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ),
292  BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ),
293  BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ),
294  BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ),
295  BYTES_TO_T_UINT_2( 0xC6, 0x00 ),
296 };
297 static t_uint secp521r1_gy[] = {
298  BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ),
299  BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ),
300  BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ),
301  BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ),
302  BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ),
303  BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ),
304  BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ),
305  BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ),
306  BYTES_TO_T_UINT_2( 0x18, 0x01 ),
307 };
308 static t_uint secp521r1_n[] = {
309  BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ),
310  BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ),
311  BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ),
312  BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ),
313  BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
314  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
315  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
316  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
317  BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
318 };
319 #endif /* POLARSSL_ECP_DP_SECP521R1_ENABLED */
320 
321 #if defined(POLARSSL_ECP_DP_SECP192K1_ENABLED)
322 static t_uint secp192k1_p[] = {
323  BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
324  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
325  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
326 };
327 static t_uint secp192k1_a[] = {
328  BYTES_TO_T_UINT_2( 0x00, 0x00 ),
329 };
330 static t_uint secp192k1_b[] = {
331  BYTES_TO_T_UINT_2( 0x03, 0x00 ),
332 };
333 static t_uint secp192k1_gx[] = {
334  BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ),
335  BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ),
336  BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ),
337 };
338 static t_uint secp192k1_gy[] = {
339  BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ),
340  BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ),
341  BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ),
342 };
343 static t_uint secp192k1_n[] = {
344  BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ),
345  BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ),
346  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
347 };
348 #endif /* POLARSSL_ECP_DP_SECP192K1_ENABLED */
349 
350 #if defined(POLARSSL_ECP_DP_SECP224K1_ENABLED)
351 static t_uint secp224k1_p[] = {
352  BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
353  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
354  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
355  BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
356 };
357 static t_uint secp224k1_a[] = {
358  BYTES_TO_T_UINT_2( 0x00, 0x00 ),
359 };
360 static t_uint secp224k1_b[] = {
361  BYTES_TO_T_UINT_2( 0x05, 0x00 ),
362 };
363 static t_uint secp224k1_gx[] = {
364  BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ),
365  BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ),
366  BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ),
367  BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ),
368 };
369 static t_uint secp224k1_gy[] = {
370  BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ),
371  BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ),
372  BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ),
373  BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ),
374 };
375 static t_uint secp224k1_n[] = {
376  BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ),
377  BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ),
378  BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
379  BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ),
380 };
381 #endif /* POLARSSL_ECP_DP_SECP224K1_ENABLED */
382 
383 #if defined(POLARSSL_ECP_DP_SECP256K1_ENABLED)
384 static t_uint secp256k1_p[] = {
385  BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
386  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
387  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
388  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
389 };
390 static t_uint secp256k1_a[] = {
391  BYTES_TO_T_UINT_2( 0x00, 0x00 ),
392 };
393 static t_uint secp256k1_b[] = {
394  BYTES_TO_T_UINT_2( 0x07, 0x00 ),
395 };
396 static t_uint secp256k1_gx[] = {
397  BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ),
398  BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ),
399  BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ),
400  BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ),
401 };
402 static t_uint secp256k1_gy[] = {
403  BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ),
404  BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ),
405  BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ),
406  BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ),
407 };
408 static t_uint secp256k1_n[] = {
409  BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ),
410  BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ),
411  BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
412  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
413 };
414 #endif /* POLARSSL_ECP_DP_SECP256K1_ENABLED */
415 
416 /*
417  * Domain parameters for brainpoolP256r1 (RFC 5639 3.4)
418  */
419 #if defined(POLARSSL_ECP_DP_BP256R1_ENABLED)
420 static t_uint brainpoolP256r1_p[] = {
421  BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ),
422  BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ),
423  BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
424  BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
425 };
426 static t_uint brainpoolP256r1_a[] = {
427  BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ),
428  BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ),
429  BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ),
430  BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ),
431 };
432 static t_uint brainpoolP256r1_b[] = {
433  BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ),
434  BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ),
435  BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ),
436  BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ),
437 };
438 static t_uint brainpoolP256r1_gx[] = {
439  BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ),
440  BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ),
441  BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ),
442  BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ),
443 };
444 static t_uint brainpoolP256r1_gy[] = {
445  BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ),
446  BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ),
447  BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ),
448  BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ),
449 };
450 static t_uint brainpoolP256r1_n[] = {
451  BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ),
452  BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ),
453  BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
454  BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
455 };
456 #endif /* POLARSSL_ECP_DP_BP256R1_ENABLED */
457 
458 /*
459  * Domain parameters for brainpoolP384r1 (RFC 5639 3.6)
460  */
461 #if defined(POLARSSL_ECP_DP_BP384R1_ENABLED)
462 static t_uint brainpoolP384r1_p[] = {
463  BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ),
464  BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ),
465  BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ),
466  BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
467  BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
468  BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
469 };
470 static t_uint brainpoolP384r1_a[] = {
471  BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
472  BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ),
473  BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ),
474  BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ),
475  BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ),
476  BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ),
477 };
478 static t_uint brainpoolP384r1_b[] = {
479  BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ),
480  BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ),
481  BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ),
482  BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ),
483  BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ),
484  BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
485 };
486 static t_uint brainpoolP384r1_gx[] = {
487  BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ),
488  BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ),
489  BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ),
490  BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ),
491  BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ),
492  BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ),
493 };
494 static t_uint brainpoolP384r1_gy[] = {
495  BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ),
496  BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ),
497  BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ),
498  BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ),
499  BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ),
500  BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ),
501 };
502 static t_uint brainpoolP384r1_n[] = {
503  BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ),
504  BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ),
505  BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ),
506  BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
507  BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
508  BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
509 };
510 #endif /* POLARSSL_ECP_DP_BP384R1_ENABLED */
511 
512 /*
513  * Domain parameters for brainpoolP512r1 (RFC 5639 3.7)
514  */
515 #if defined(POLARSSL_ECP_DP_BP512R1_ENABLED)
516 static t_uint brainpoolP512r1_p[] = {
517  BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ),
518  BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ),
519  BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ),
520  BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ),
521  BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
522  BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
523  BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
524  BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
525 };
526 static t_uint brainpoolP512r1_a[] = {
527  BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ),
528  BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ),
529  BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ),
530  BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ),
531  BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ),
532  BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ),
533  BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ),
534  BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ),
535 };
536 static t_uint brainpoolP512r1_b[] = {
537  BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ),
538  BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ),
539  BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ),
540  BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ),
541  BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ),
542  BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ),
543  BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ),
544  BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ),
545 };
546 static t_uint brainpoolP512r1_gx[] = {
547  BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ),
548  BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ),
549  BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ),
550  BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ),
551  BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ),
552  BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ),
553  BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ),
554  BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ),
555 };
556 static t_uint brainpoolP512r1_gy[] = {
557  BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ),
558  BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ),
559  BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ),
560  BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ),
561  BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ),
562  BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ),
563  BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ),
564  BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ),
565 };
566 static t_uint brainpoolP512r1_n[] = {
567  BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ),
568  BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ),
569  BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ),
570  BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ),
571  BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
572  BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
573  BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
574  BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
575 };
576 #endif /* POLARSSL_ECP_DP_BP512R1_ENABLED */
577 
578 /*
579  * Create an MPI from embedded constants
580  * (assumes len is an exact multiple of sizeof t_uint)
581  */
582 static inline void ecp_mpi_load( mpi *X, const t_uint *p, size_t len )
583 {
584  X->s = 1;
585  X->n = len / sizeof( t_uint );
586  X->p = (t_uint *) p;
587 }
588 
589 /*
590  * Set an MPI to static value 1
591  */
592 static inline void ecp_mpi_set1( mpi *X )
593 {
594  static t_uint one[] = { 1 };
595  X->s = 1;
596  X->n = 1;
597  X->p = one;
598 }
599 
600 /*
601  * Make group available from embedded constants
602  */
603 static int ecp_group_load( ecp_group *grp,
604  const t_uint *p, size_t plen,
605  const t_uint *a, size_t alen,
606  const t_uint *b, size_t blen,
607  const t_uint *gx, size_t gxlen,
608  const t_uint *gy, size_t gylen,
609  const t_uint *n, size_t nlen)
610 {
611  ecp_mpi_load( &grp->P, p, plen );
612  if( a != NULL )
613  ecp_mpi_load( &grp->A, a, alen );
614  ecp_mpi_load( &grp->B, b, blen );
615  ecp_mpi_load( &grp->N, n, nlen );
616 
617  ecp_mpi_load( &grp->G.X, gx, gxlen );
618  ecp_mpi_load( &grp->G.Y, gy, gylen );
619  ecp_mpi_set1( &grp->G.Z );
620 
621  grp->pbits = mpi_msb( &grp->P );
622  grp->nbits = mpi_msb( &grp->N );
623 
624  grp->h = 1;
625 
626  return( 0 );
627 }
628 
629 #if defined(POLARSSL_ECP_NIST_OPTIM)
630 /* Forward declarations */
631 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
632 static int ecp_mod_p192( mpi * );
633 #endif
634 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
635 static int ecp_mod_p224( mpi * );
636 #endif
637 #if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
638 static int ecp_mod_p256( mpi * );
639 #endif
640 #if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
641 static int ecp_mod_p384( mpi * );
642 #endif
643 #if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
644 static int ecp_mod_p521( mpi * );
645 #endif
646 
647 #define NIST_MODP( P ) grp->modp = ecp_mod_ ## P;
648 #else
649 #define NIST_MODP( P )
650 #endif /* POLARSSL_ECP_NIST_OPTIM */
651 
652 /* Additional forward declarations */
653 #if defined(POLARSSL_ECP_DP_M255_ENABLED)
654 static int ecp_mod_p255( mpi * );
655 #endif
656 #if defined(POLARSSL_ECP_DP_SECP192K1_ENABLED)
657 static int ecp_mod_p192k1( mpi * );
658 #endif
659 #if defined(POLARSSL_ECP_DP_SECP224K1_ENABLED)
660 static int ecp_mod_p224k1( mpi * );
661 #endif
662 #if defined(POLARSSL_ECP_DP_SECP256K1_ENABLED)
663 static int ecp_mod_p256k1( mpi * );
664 #endif
665 
666 #define LOAD_GROUP_A( G ) ecp_group_load( grp, \
667  G ## _p, sizeof( G ## _p ), \
668  G ## _a, sizeof( G ## _a ), \
669  G ## _b, sizeof( G ## _b ), \
670  G ## _gx, sizeof( G ## _gx ), \
671  G ## _gy, sizeof( G ## _gy ), \
672  G ## _n, sizeof( G ## _n ) )
673 
674 #define LOAD_GROUP( G ) ecp_group_load( grp, \
675  G ## _p, sizeof( G ## _p ), \
676  NULL, 0, \
677  G ## _b, sizeof( G ## _b ), \
678  G ## _gx, sizeof( G ## _gx ), \
679  G ## _gy, sizeof( G ## _gy ), \
680  G ## _n, sizeof( G ## _n ) )
681 
682 #if defined(POLARSSL_ECP_DP_M255_ENABLED)
683 /*
684  * Specialized function for creating the Curve25519 group
685  */
686 static int ecp_use_curve25519( ecp_group *grp )
687 {
688  int ret;
689 
690  /* Actually ( A + 2 ) / 4 */
691  MPI_CHK( mpi_read_string( &grp->A, 16, "01DB42" ) );
692 
693  /* P = 2^255 - 19 */
694  MPI_CHK( mpi_lset( &grp->P, 1 ) );
695  MPI_CHK( mpi_shift_l( &grp->P, 255 ) );
696  MPI_CHK( mpi_sub_int( &grp->P, &grp->P, 19 ) );
697  grp->pbits = mpi_msb( &grp->P );
698 
699  /* Y intentionaly not set, since we use x/z coordinates.
700  * This is used as a marker to identify Montgomery curves! */
701  MPI_CHK( mpi_lset( &grp->G.X, 9 ) );
702  MPI_CHK( mpi_lset( &grp->G.Z, 1 ) );
703  mpi_free( &grp->G.Y );
704 
705  /* Actually, the required msb for private keys */
706  grp->nbits = 254;
707 
708 cleanup:
709  if( ret != 0 )
710  ecp_group_free( grp );
711 
712  return( ret );
713 }
714 #endif /* POLARSSL_ECP_DP_M255_ENABLED */
715 
716 /*
717  * Set a group using well-known domain parameters
718  */
720 {
721  ecp_group_free( grp );
722 
723  grp->id = id;
724 
725  switch( id )
726  {
727 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
729  NIST_MODP( p192 );
730  return( LOAD_GROUP( secp192r1 ) );
731 #endif /* POLARSSL_ECP_DP_SECP192R1_ENABLED */
732 
733 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
735  NIST_MODP( p224 );
736  return( LOAD_GROUP( secp224r1 ) );
737 #endif /* POLARSSL_ECP_DP_SECP224R1_ENABLED */
738 
739 #if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
741  NIST_MODP( p256 );
742  return( LOAD_GROUP( secp256r1 ) );
743 #endif /* POLARSSL_ECP_DP_SECP256R1_ENABLED */
744 
745 #if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
747  NIST_MODP( p384 );
748  return( LOAD_GROUP( secp384r1 ) );
749 #endif /* POLARSSL_ECP_DP_SECP384R1_ENABLED */
750 
751 #if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
753  NIST_MODP( p521 );
754  return( LOAD_GROUP( secp521r1 ) );
755 #endif /* POLARSSL_ECP_DP_SECP521R1_ENABLED */
756 
757 #if defined(POLARSSL_ECP_DP_SECP192K1_ENABLED)
759  grp->modp = ecp_mod_p192k1;
760  return( LOAD_GROUP_A( secp192k1 ) );
761 #endif /* POLARSSL_ECP_DP_SECP192K1_ENABLED */
762 
763 #if defined(POLARSSL_ECP_DP_SECP224K1_ENABLED)
765  grp->modp = ecp_mod_p224k1;
766  return( LOAD_GROUP_A( secp224k1 ) );
767 #endif /* POLARSSL_ECP_DP_SECP224K1_ENABLED */
768 
769 #if defined(POLARSSL_ECP_DP_SECP256K1_ENABLED)
771  grp->modp = ecp_mod_p256k1;
772  return( LOAD_GROUP_A( secp256k1 ) );
773 #endif /* POLARSSL_ECP_DP_SECP256K1_ENABLED */
774 
775 #if defined(POLARSSL_ECP_DP_BP256R1_ENABLED)
777  return( LOAD_GROUP_A( brainpoolP256r1 ) );
778 #endif /* POLARSSL_ECP_DP_BP256R1_ENABLED */
779 
780 #if defined(POLARSSL_ECP_DP_BP384R1_ENABLED)
782  return( LOAD_GROUP_A( brainpoolP384r1 ) );
783 #endif /* POLARSSL_ECP_DP_BP384R1_ENABLED */
784 
785 #if defined(POLARSSL_ECP_DP_BP512R1_ENABLED)
787  return( LOAD_GROUP_A( brainpoolP512r1 ) );
788 #endif /* POLARSSL_ECP_DP_BP512R1_ENABLED */
789 
790 #if defined(POLARSSL_ECP_DP_M255_ENABLED)
792  grp->modp = ecp_mod_p255;
793  return( ecp_use_curve25519( grp ) );
794 #endif /* POLARSSL_ECP_DP_M255_ENABLED */
795 
796  default:
797  ecp_group_free( grp );
799  }
800 }
801 
802 #if defined(POLARSSL_ECP_NIST_OPTIM)
803 /*
804  * Fast reduction modulo the primes used by the NIST curves.
805  *
806  * These functions are critical for speed, but not needed for correct
807  * operations. So, we make the choice to heavily rely on the internals of our
808  * bignum library, which creates a tight coupling between these functions and
809  * our MPI implementation. However, the coupling between the ECP module and
810  * MPI remains loose, since these functions can be deactivated at will.
811  */
812 
813 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
814 /*
815  * Compared to the way things are presented in FIPS 186-3 D.2,
816  * we proceed in columns, from right (least significant chunk) to left,
817  * adding chunks to N in place, and keeping a carry for the next chunk.
818  * This avoids moving things around in memory, and uselessly adding zeros,
819  * compared to the more straightforward, line-oriented approach.
820  *
821  * For this prime we need to handle data in chunks of 64 bits.
822  * Since this is always a multiple of our basic t_uint, we can
823  * use a t_uint * to designate such a chunk, and small loops to handle it.
824  */
825 
826 /* Add 64-bit chunks (dst += src) and update carry */
827 static inline void add64( t_uint *dst, t_uint *src, t_uint *carry )
828 {
829  unsigned char i;
830  t_uint c = 0;
831  for( i = 0; i < 8 / sizeof( t_uint ); i++, dst++, src++ )
832  {
833  *dst += c; c = ( *dst < c );
834  *dst += *src; c += ( *dst < *src );
835  }
836  *carry += c;
837 }
838 
839 /* Add carry to a 64-bit chunk and update carry */
840 static inline void carry64( t_uint *dst, t_uint *carry )
841 {
842  unsigned char i;
843  for( i = 0; i < 8 / sizeof( t_uint ); i++, dst++ )
844  {
845  *dst += *carry;
846  *carry = ( *dst < *carry );
847  }
848 }
849 
850 #define WIDTH 8 / sizeof( t_uint )
851 #define A( i ) N->p + i * WIDTH
852 #define ADD( i ) add64( p, A( i ), &c )
853 #define NEXT p += WIDTH; carry64( p, &c )
854 #define LAST p += WIDTH; *p = c; while( ++p < end ) *p = 0
855 
856 /*
857  * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
858  */
859 static int ecp_mod_p192( mpi *N )
860 {
861  int ret;
862  t_uint c = 0;
863  t_uint *p, *end;
864 
865  /* Make sure we have enough blocks so that A(5) is legal */
866  MPI_CHK( mpi_grow( N, 6 * WIDTH ) );
867 
868  p = N->p;
869  end = p + N->n;
870 
871  ADD( 3 ); ADD( 5 ); NEXT; // A0 += A3 + A5
872  ADD( 3 ); ADD( 4 ); ADD( 5 ); NEXT; // A1 += A3 + A4 + A5
873  ADD( 4 ); ADD( 5 ); LAST; // A2 += A4 + A5
874 
875 cleanup:
876  return( ret );
877 }
878 
879 #undef WIDTH
880 #undef A
881 #undef ADD
882 #undef NEXT
883 #undef LAST
884 #endif /* POLARSSL_ECP_DP_SECP192R1_ENABLED */
885 
886 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED) || \
887  defined(POLARSSL_ECP_DP_SECP256R1_ENABLED) || \
888  defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
889 /*
890  * The reader is advised to first understand ecp_mod_p192() since the same
891  * general structure is used here, but with additional complications:
892  * (1) chunks of 32 bits, and (2) subtractions.
893  */
894 
895 /*
896  * For these primes, we need to handle data in chunks of 32 bits.
897  * This makes it more complicated if we use 64 bits limbs in MPI,
898  * which prevents us from using a uniform access method as for p192.
899  *
900  * So, we define a mini abstraction layer to access 32 bit chunks,
901  * load them in 'cur' for work, and store them back from 'cur' when done.
902  *
903  * While at it, also define the size of N in terms of 32-bit chunks.
904  */
905 #define LOAD32 cur = A( i );
906 
907 #if defined(POLARSSL_HAVE_INT8) /* 8 bit */
908 
909 #define MAX32 N->n / 4
910 #define A( j ) (uint32_t)( N->p[4*j+0] ) | \
911  ( N->p[4*j+1] << 8 ) | \
912  ( N->p[4*j+2] << 16 ) | \
913  ( N->p[4*j+3] << 24 )
914 #define STORE32 N->p[4*i+0] = (t_uint)( cur ); \
915  N->p[4*i+1] = (t_uint)( cur >> 8 ); \
916  N->p[4*i+2] = (t_uint)( cur >> 16 ); \
917  N->p[4*i+3] = (t_uint)( cur >> 24 );
918 
919 #elif defined(POLARSSL_HAVE_INT16) /* 16 bit */
920 
921 #define MAX32 N->n / 2
922 #define A( j ) (uint32_t)( N->p[2*j] ) | ( N->p[2*j+1] << 16 )
923 #define STORE32 N->p[2*i+0] = (t_uint)( cur ); \
924  N->p[2*i+1] = (t_uint)( cur >> 16 );
925 
926 #elif defined(POLARSSL_HAVE_INT32) /* 32 bit */
927 
928 #define MAX32 N->n
929 #define A( j ) N->p[j]
930 #define STORE32 N->p[i] = cur;
931 
932 #else /* 64-bit */
933 
934 #define MAX32 N->n * 2
935 #define A( j ) j % 2 ? (uint32_t)( N->p[j/2] >> 32 ) : (uint32_t)( N->p[j/2] )
936 #define STORE32 \
937  if( i % 2 ) { \
938  N->p[i/2] &= 0x00000000FFFFFFFF; \
939  N->p[i/2] |= ((t_uint) cur) << 32; \
940  } else { \
941  N->p[i/2] &= 0xFFFFFFFF00000000; \
942  N->p[i/2] |= (t_uint) cur; \
943  }
944 
945 #endif /* sizeof( t_uint ) */
946 
947 /*
948  * Helpers for addition and subtraction of chunks, with signed carry.
949  */
950 static inline void add32( uint32_t *dst, uint32_t src, signed char *carry )
951 {
952  *dst += src;
953  *carry += ( *dst < src );
954 }
955 
956 static inline void sub32( uint32_t *dst, uint32_t src, signed char *carry )
957 {
958  *carry -= ( *dst < src );
959  *dst -= src;
960 }
961 
962 #define ADD( j ) add32( &cur, A( j ), &c );
963 #define SUB( j ) sub32( &cur, A( j ), &c );
964 
965 /*
966  * Helpers for the main 'loop'
967  * (see fix_negative for the motivation of C)
968  */
969 #define INIT( b ) \
970  int ret; \
971  signed char c = 0, cc; \
972  uint32_t cur; \
973  size_t i = 0, bits = b; \
974  mpi C; \
975  t_uint Cp[ b / 8 / sizeof( t_uint) + 1 ]; \
976  \
977  C.s = 1; \
978  C.n = b / 8 / sizeof( t_uint) + 1; \
979  C.p = Cp; \
980  memset( Cp, 0, C.n * sizeof( t_uint ) ); \
981  \
982  MPI_CHK( mpi_grow( N, b * 2 / 8 / sizeof( t_uint ) ) ); \
983  LOAD32;
984 
985 #define NEXT \
986  STORE32; i++; LOAD32; \
987  cc = c; c = 0; \
988  if( cc < 0 ) \
989  sub32( &cur, -cc, &c ); \
990  else \
991  add32( &cur, cc, &c ); \
992 
993 #define LAST \
994  STORE32; i++; \
995  cur = c > 0 ? c : 0; STORE32; \
996  cur = 0; while( ++i < MAX32 ) { STORE32; } \
997  if( c < 0 ) fix_negative( N, c, &C, bits );
998 
999 /*
1000  * If the result is negative, we get it in the form
1001  * c * 2^(bits + 32) + N, with c negative and N positive shorter than 'bits'
1002  */
1003 static inline int fix_negative( mpi *N, signed char c, mpi *C, size_t bits )
1004 {
1005  int ret;
1006 
1007  /* C = - c * 2^(bits + 32) */
1008 #if !defined(POLARSSL_HAVE_INT64)
1009  ((void) bits);
1010 #else
1011  if( bits == 224 )
1012  C->p[ C->n - 1 ] = ((t_uint) -c) << 32;
1013  else
1014 #endif
1015  C->p[ C->n - 1 ] = (t_uint) -c;
1016 
1017  /* N = - ( C - N ) */
1018  MPI_CHK( mpi_sub_abs( N, C, N ) );
1019  N->s = -1;
1020 
1021 cleanup:
1022 
1023  return( ret );
1024 }
1025 
1026 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
1027 /*
1028  * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
1029  */
1030 static int ecp_mod_p224( mpi *N )
1031 {
1032  INIT( 224 );
1033 
1034  SUB( 7 ); SUB( 11 ); NEXT; // A0 += -A7 - A11
1035  SUB( 8 ); SUB( 12 ); NEXT; // A1 += -A8 - A12
1036  SUB( 9 ); SUB( 13 ); NEXT; // A2 += -A9 - A13
1037  SUB( 10 ); ADD( 7 ); ADD( 11 ); NEXT; // A3 += -A10 + A7 + A11
1038  SUB( 11 ); ADD( 8 ); ADD( 12 ); NEXT; // A4 += -A11 + A8 + A12
1039  SUB( 12 ); ADD( 9 ); ADD( 13 ); NEXT; // A5 += -A12 + A9 + A13
1040  SUB( 13 ); ADD( 10 ); LAST; // A6 += -A13 + A10
1041 
1042 cleanup:
1043  return( ret );
1044 }
1045 #endif /* POLARSSL_ECP_DP_SECP224R1_ENABLED */
1046 
1047 #if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
1048 /*
1049  * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
1050  */
1051 static int ecp_mod_p256( mpi *N )
1052 {
1053  INIT( 256 );
1054 
1055  ADD( 8 ); ADD( 9 );
1056  SUB( 11 ); SUB( 12 ); SUB( 13 ); SUB( 14 ); NEXT; // A0
1057 
1058  ADD( 9 ); ADD( 10 );
1059  SUB( 12 ); SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A1
1060 
1061  ADD( 10 ); ADD( 11 );
1062  SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A2
1063 
1064  ADD( 11 ); ADD( 11 ); ADD( 12 ); ADD( 12 ); ADD( 13 );
1065  SUB( 15 ); SUB( 8 ); SUB( 9 ); NEXT; // A3
1066 
1067  ADD( 12 ); ADD( 12 ); ADD( 13 ); ADD( 13 ); ADD( 14 );
1068  SUB( 9 ); SUB( 10 ); NEXT; // A4
1069 
1070  ADD( 13 ); ADD( 13 ); ADD( 14 ); ADD( 14 ); ADD( 15 );
1071  SUB( 10 ); SUB( 11 ); NEXT; // A5
1072 
1073  ADD( 14 ); ADD( 14 ); ADD( 15 ); ADD( 15 ); ADD( 14 ); ADD( 13 );
1074  SUB( 8 ); SUB( 9 ); NEXT; // A6
1075 
1076  ADD( 15 ); ADD( 15 ); ADD( 15 ); ADD( 8 );
1077  SUB( 10 ); SUB( 11 ); SUB( 12 ); SUB( 13 ); LAST; // A7
1078 
1079 cleanup:
1080  return( ret );
1081 }
1082 #endif /* POLARSSL_ECP_DP_SECP256R1_ENABLED */
1083 
1084 #if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
1085 /*
1086  * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
1087  */
1088 static int ecp_mod_p384( mpi *N )
1089 {
1090  INIT( 384 );
1091 
1092  ADD( 12 ); ADD( 21 ); ADD( 20 );
1093  SUB( 23 ); NEXT; // A0
1094 
1095  ADD( 13 ); ADD( 22 ); ADD( 23 );
1096  SUB( 12 ); SUB( 20 ); NEXT; // A2
1097 
1098  ADD( 14 ); ADD( 23 );
1099  SUB( 13 ); SUB( 21 ); NEXT; // A2
1100 
1101  ADD( 15 ); ADD( 12 ); ADD( 20 ); ADD( 21 );
1102  SUB( 14 ); SUB( 22 ); SUB( 23 ); NEXT; // A3
1103 
1104  ADD( 21 ); ADD( 21 ); ADD( 16 ); ADD( 13 ); ADD( 12 ); ADD( 20 ); ADD( 22 );
1105  SUB( 15 ); SUB( 23 ); SUB( 23 ); NEXT; // A4
1106 
1107  ADD( 22 ); ADD( 22 ); ADD( 17 ); ADD( 14 ); ADD( 13 ); ADD( 21 ); ADD( 23 );
1108  SUB( 16 ); NEXT; // A5
1109 
1110  ADD( 23 ); ADD( 23 ); ADD( 18 ); ADD( 15 ); ADD( 14 ); ADD( 22 );
1111  SUB( 17 ); NEXT; // A6
1112 
1113  ADD( 19 ); ADD( 16 ); ADD( 15 ); ADD( 23 );
1114  SUB( 18 ); NEXT; // A7
1115 
1116  ADD( 20 ); ADD( 17 ); ADD( 16 );
1117  SUB( 19 ); NEXT; // A8
1118 
1119  ADD( 21 ); ADD( 18 ); ADD( 17 );
1120  SUB( 20 ); NEXT; // A9
1121 
1122  ADD( 22 ); ADD( 19 ); ADD( 18 );
1123  SUB( 21 ); NEXT; // A10
1124 
1125  ADD( 23 ); ADD( 20 ); ADD( 19 );
1126  SUB( 22 ); LAST; // A11
1127 
1128 cleanup:
1129  return( ret );
1130 }
1131 #endif /* POLARSSL_ECP_DP_SECP384R1_ENABLED */
1132 
1133 #undef A
1134 #undef LOAD32
1135 #undef STORE32
1136 #undef MAX32
1137 #undef INIT
1138 #undef NEXT
1139 #undef LAST
1140 
1141 #endif /* POLARSSL_ECP_DP_SECP224R1_ENABLED ||
1142  POLARSSL_ECP_DP_SECP256R1_ENABLED ||
1143  POLARSSL_ECP_DP_SECP384R1_ENABLED */
1144 
1145 #if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
1146 /*
1147  * Here we have an actual Mersenne prime, so things are more straightforward.
1148  * However, chunks are aligned on a 'weird' boundary (521 bits).
1149  */
1150 
1151 /* Size of p521 in terms of t_uint */
1152 #define P521_WIDTH ( 521 / 8 / sizeof( t_uint ) + 1 )
1153 
1154 /* Bits to keep in the most significant t_uint */
1155 #if defined(POLARSSL_HAVE_INT8)
1156 #define P521_MASK 0x01
1157 #else
1158 #define P521_MASK 0x01FF
1159 #endif
1160 
1161 /*
1162  * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5)
1163  * Write N as A1 + 2^521 A0, return A0 + A1
1164  */
1165 static int ecp_mod_p521( mpi *N )
1166 {
1167  int ret;
1168  size_t i;
1169  mpi M;
1170  t_uint Mp[P521_WIDTH + 1];
1171  /* Worst case for the size of M is when t_uint is 16 bits:
1172  * we need to hold bits 513 to 1056, which is 34 limbs, that is
1173  * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */
1174 
1175  if( N->n < P521_WIDTH )
1176  return( 0 );
1177 
1178  /* M = A1 */
1179  M.s = 1;
1180  M.n = N->n - ( P521_WIDTH - 1 );
1181  if( M.n > P521_WIDTH + 1 )
1182  M.n = P521_WIDTH + 1;
1183  M.p = Mp;
1184  memcpy( Mp, N->p + P521_WIDTH - 1, M.n * sizeof( t_uint ) );
1185  MPI_CHK( mpi_shift_r( &M, 521 % ( 8 * sizeof( t_uint ) ) ) );
1186 
1187  /* N = A0 */
1188  N->p[P521_WIDTH - 1] &= P521_MASK;
1189  for( i = P521_WIDTH; i < N->n; i++ )
1190  N->p[i] = 0;
1191 
1192  /* N = A0 + A1 */
1193  MPI_CHK( mpi_add_abs( N, N, &M ) );
1194 
1195 cleanup:
1196  return( ret );
1197 }
1198 
1199 #undef P521_WIDTH
1200 #undef P521_MASK
1201 #endif /* POLARSSL_ECP_DP_SECP521R1_ENABLED */
1202 
1203 #endif /* POLARSSL_ECP_NIST_OPTIM */
1204 
1205 #if defined(POLARSSL_ECP_DP_M255_ENABLED)
1206 
1207 /* Size of p255 in terms of t_uint */
1208 #define P255_WIDTH ( 255 / 8 / sizeof( t_uint ) + 1 )
1209 
1210 /*
1211  * Fast quasi-reduction modulo p255 = 2^255 - 19
1212  * Write N as A0 + 2^255 A1, return A0 + 19 * A1
1213  */
1214 static int ecp_mod_p255( mpi *N )
1215 {
1216  int ret;
1217  size_t i;
1218  mpi M;
1219  t_uint Mp[P255_WIDTH + 2];
1220 
1221  if( N->n < P255_WIDTH )
1222  return( 0 );
1223 
1224  /* M = A1 */
1225  M.s = 1;
1226  M.n = N->n - ( P255_WIDTH - 1 );
1227  if( M.n > P255_WIDTH + 1 )
1228  M.n = P255_WIDTH + 1;
1229  M.p = Mp;
1230  memset( Mp, 0, sizeof Mp );
1231  memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( t_uint ) );
1232  MPI_CHK( mpi_shift_r( &M, 255 % ( 8 * sizeof( t_uint ) ) ) );
1233  M.n++; /* Make room for multiplication by 19 */
1234 
1235  /* N = A0 */
1236  mpi_set_bit( N, 255, 0 );
1237  for( i = P255_WIDTH; i < N->n; i++ )
1238  N->p[i] = 0;
1239 
1240  /* N = A0 + 19 * A1 */
1241  MPI_CHK( mpi_mul_int( &M, &M, 19 ) );
1242  MPI_CHK( mpi_add_abs( N, N, &M ) );
1243 
1244 cleanup:
1245  return( ret );
1246 }
1247 #endif /* POLARSSL_ECP_DP_M255_ENABLED */
1248 
1249 #if defined(POLARSSL_ECP_DP_SECP192K1_ENABLED) || \
1250  defined(POLARSSL_ECP_DP_SECP224K1_ENABLED) || \
1251  defined(POLARSSL_ECP_DP_SECP256K1_ENABLED)
1252 /*
1253  * Fast quasi-reduction modulo P = 2^s - R,
1254  * with R about 33 bits, used by the Koblitz curves.
1255  *
1256  * Write N as A0 + 2^224 A1, return A0 + R * A1.
1257  * Actually do two passes, since R is big.
1258  */
1259 #define P_KOBLITZ_MAX ( 256 / 8 / sizeof( t_uint ) ) // Max limbs in P
1260 #define P_KOBLITZ_R ( 8 / sizeof( t_uint ) ) // Limbs in R
1261 static inline int ecp_mod_koblitz( mpi *N, t_uint *Rp, size_t p_limbs,
1262  size_t adjust, size_t shift, t_uint mask )
1263 {
1264  int ret;
1265  size_t i;
1266  mpi M, R;
1267  t_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R];
1268 
1269  if( N->n < p_limbs )
1270  return( 0 );
1271 
1272  /* Init R */
1273  R.s = 1;
1274  R.p = Rp;
1275  R.n = P_KOBLITZ_R;
1276 
1277  /* Common setup for M */
1278  M.s = 1;
1279  M.p = Mp;
1280 
1281  /* M = A1 */
1282  M.n = N->n - ( p_limbs - adjust );
1283  if( M.n > p_limbs + adjust )
1284  M.n = p_limbs + adjust;
1285  memset( Mp, 0, sizeof Mp );
1286  memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( t_uint ) );
1287  if (shift != 0 )
1288  MPI_CHK( mpi_shift_r( &M, shift ) );
1289  M.n += R.n - adjust; /* Make room for multiplication by R */
1290 
1291  /* N = A0 */
1292  if (mask != 0 )
1293  N->p[p_limbs - 1] &= mask;
1294  for( i = p_limbs; i < N->n; i++ )
1295  N->p[i] = 0;
1296 
1297  /* N = A0 + R * A1 */
1298  MPI_CHK( mpi_mul_mpi( &M, &M, &R ) );
1299  MPI_CHK( mpi_add_abs( N, N, &M ) );
1300 
1301  /* Second pass */
1302 
1303  /* M = A1 */
1304  M.n = N->n - ( p_limbs - adjust );
1305  if( M.n > p_limbs + adjust )
1306  M.n = p_limbs + adjust;
1307  memset( Mp, 0, sizeof Mp );
1308  memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( t_uint ) );
1309  if (shift != 0 )
1310  MPI_CHK( mpi_shift_r( &M, shift ) );
1311  M.n += R.n - adjust; /* Make room for multiplication by R */
1312 
1313  /* N = A0 */
1314  if (mask != 0 )
1315  N->p[p_limbs - 1] &= mask;
1316  for( i = p_limbs; i < N->n; i++ )
1317  N->p[i] = 0;
1318 
1319  /* N = A0 + R * A1 */
1320  MPI_CHK( mpi_mul_mpi( &M, &M, &R ) );
1321  MPI_CHK( mpi_add_abs( N, N, &M ) );
1322 
1323 cleanup:
1324  return( ret );
1325 }
1326 #endif /* POLARSSL_ECP_DP_SECP192K1_ENABLED) ||
1327  POLARSSL_ECP_DP_SECP224K1_ENABLED) ||
1328  POLARSSL_ECP_DP_SECP256K1_ENABLED) */
1329 
1330 #if defined(POLARSSL_ECP_DP_SECP192K1_ENABLED)
1331 /*
1332  * Fast quasi-reduction modulo p192k1 = 2^192 - R,
1333  * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119
1334  */
1335 static int ecp_mod_p192k1( mpi *N )
1336 {
1337  static t_uint Rp[] = {
1338  BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
1339 
1340  return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( t_uint ), 0, 0, 0 ) );
1341 }
1342 #endif /* POLARSSL_ECP_DP_SECP192K1_ENABLED */
1343 
1344 #if defined(POLARSSL_ECP_DP_SECP224K1_ENABLED)
1345 /*
1346  * Fast quasi-reduction modulo p224k1 = 2^224 - R,
1347  * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
1348  */
1349 static int ecp_mod_p224k1( mpi *N )
1350 {
1351  static t_uint Rp[] = {
1352  BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
1353 
1354 #if defined(POLARSSL_HAVE_INT64)
1355  return( ecp_mod_koblitz( N, Rp, 4, 1, 32, 0xFFFFFFFF ) );
1356 #else
1357  return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( t_uint ), 0, 0, 0 ) );
1358 #endif
1359 }
1360 
1361 #endif /* POLARSSL_ECP_DP_SECP224K1_ENABLED */
1362 
1363 #if defined(POLARSSL_ECP_DP_SECP256K1_ENABLED)
1364 /*
1365  * Fast quasi-reduction modulo p256k1 = 2^256 - R,
1366  * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
1367  */
1368 static int ecp_mod_p256k1( mpi *N )
1369 {
1370  static t_uint Rp[] = {
1371  BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
1372  return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( t_uint ), 0, 0, 0 ) );
1373 }
1374 #endif /* POLARSSL_ECP_DP_SECP256K1_ENABLED */
1375 
1376 #endif
size_t pbits
Definition: ecp.h:140
uint32_t t_uint
Definition: bignum.h:155
Elliptic curves over GF(p)
int s
Definition: bignum.h:179
int mpi_sub_abs(mpi *X, const mpi *A, const mpi *B)
Unsigned subtraction: X = |A| - |B|.
mpi P
Definition: ecp.h:135
int(* modp)(mpi *)
Definition: ecp.h:143
ECP group structure.
Definition: ecp.h:132
Configuration options (set of defines)
unsigned int h
Definition: ecp.h:142
int mpi_lset(mpi *X, t_sint z)
Set value from integer.
MPI structure.
Definition: bignum.h:177
#define POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE
Requested curve not available.
Definition: ecp.h:37
mpi X
Definition: ecp.h:105
int mpi_shift_r(mpi *X, size_t count)
Right-shift: X &gt;&gt;= count.
ecp_point G
Definition: ecp.h:138
ecp_group_id id
Definition: ecp.h:134
mpi B
Definition: ecp.h:137
mpi N
Definition: ecp.h:139
void mpi_free(mpi *X)
Unallocate one MPI.
int mpi_mul_int(mpi *X, const mpi *A, t_sint b)
Baseline multiplication: X = A * b Note: despite the functon signature, b is treated as a t_uint...
void ecp_group_free(ecp_group *grp)
Free the components of an ECP group.
int mpi_grow(mpi *X, size_t nblimbs)
Enlarge to the specified number of limbs.
size_t mpi_msb(const mpi *X)
Return the number of bits up to and including the most significant &#39;1&#39; bit&#39;.
int ecp_use_known_dp(ecp_group *grp, ecp_group_id index)
Set a group using well-known domain parameters.
int mpi_add_abs(mpi *X, const mpi *A, const mpi *B)
Unsigned addition: X = |A| + |B|.
int mpi_read_string(mpi *X, int radix, const char *s)
Import from an ASCII string.
t_uint * p
Definition: bignum.h:181
mpi A
Definition: ecp.h:136
ecp_group_id
Domain parameters (curve, subgroup and generator) identifiers.
Definition: ecp.h:56
size_t nbits
Definition: ecp.h:141
mpi Y
Definition: ecp.h:106
size_t n
Definition: bignum.h:180
mpi Z
Definition: ecp.h:107
int mpi_shift_l(mpi *X, size_t count)
Left-shift: X &lt;&lt;= count.
int mpi_mul_mpi(mpi *X, const mpi *A, const mpi *B)
Baseline multiplication: X = A * B.
int mpi_set_bit(mpi *X, size_t pos, unsigned char val)
Set a bit of X to a specific value of 0 or 1.
int mpi_sub_int(mpi *X, const mpi *A, t_sint b)
Signed subtraction: X = A - b.
#define MPI_CHK(f)
Definition: bignum.h:61