nettle-bugs November 2019

nettle-bugs@lists.lysator.liu.se

4 participants
8 discussions

Curve point decompression
by Wim Lewis 10 Nov '21

10 Nov '21

I'm looking at implementing elliptic curve point compression a la SEC1 (admittedly, mostly to reduce the number of "feature not supported" code paths in a library, but it seems like a somewhat useful ability). Nettle/Hogweed already implements it internally for curve25519, but I want to implement it for the "secp" curves as well. Point compression is easy enough, but point decompression requires some curve math, potentially dependent on the specific curve, and some of it is redundant with what's already done in ecc_point_set(). So I was thinking about moving this functionality into Hogweed as a function along the lines of ecc_point_set_compressed(), which would take, instead of a y-coordinate, an int containing the sign/parity of the y-coordinate. So my question for the list and for the maintainers is, is this a reasonable API to add to Hogweed? Is there interest in including it in Hogweed if I were to take the time to turn it into a tidy patch?

3 10

[PATCH 1/6] Start separating GOST 28147-89 from GOST R 34.11-94
by Dmitry Eremin-Solenikov 19 Apr '20

19 Apr '20

Hash function GOST R 34.11-94 (gosthash94) in its compression function uses Russian block cipher (GOST 28147-89, Magma). Start separating block cipher code from hash function code. For now there is no public interface for this cipher, it will be added later. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> --- Makefile.in | 4 +- gost28147.c | 342 +++++++++++++++++++++++++++++++++++++++++++++++++++ gost28147.h | 63 ++++++++++ gosthash94.c | 245 +----------------------------------- 4 files changed, 412 insertions(+), 242 deletions(-) create mode 100644 gost28147.c create mode 100644 gost28147.h diff --git a/Makefile.in b/Makefile.in index 537e97d19bea..795d66edb2c8 100644 --- a/Makefile.in +++ b/Makefile.in @@ -102,7 +102,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ gcm-camellia128.c gcm-camellia128-meta.c \ gcm-camellia256.c gcm-camellia256-meta.c \ cmac.c cmac-aes128.c cmac-aes256.c \ - gosthash94.c gosthash94-meta.c \ + gost28147.c gosthash94.c gosthash94-meta.c \ hmac.c hmac-md5.c hmac-ripemd160.c hmac-sha1.c \ hmac-sha224.c hmac-sha256.c hmac-sha384.c hmac-sha512.c \ knuth-lfib.c hkdf.c \ @@ -195,7 +195,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \ cbc.h ccm.h cfb.h chacha.h chacha-poly1305.h ctr.h \ curve25519.h des.h dsa.h dsa-compat.h eax.h \ ecc-curve.h ecc.h ecdsa.h eddsa.h \ - gcm.h gosthash94.h hmac.h \ + gcm.h gost28147.h gosthash94.h hmac.h \ knuth-lfib.h hkdf.h \ macros.h \ cmac.h \ diff --git a/gost28147.c b/gost28147.c new file mode 100644 index 000000000000..c734c4365fa7 --- /dev/null +++ b/gost28147.c @@ -0,0 +1,342 @@ +/* gost28147.c - GOST 28147-89 cipher implementation + * + * based on Russian standard GOST 28147-89 + * For English description, check RFC 5830. + * S-Boxes are expanded from the tables defined in RFC4357: + * https://tools.ietf.org/html/rfc4357 + * + * Copyright: 2019 Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> + * Copyright: 2009-2012 Aleksey Kravchenko <rhash.admin(a)gmail.com> + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY + * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + */ + +#if HAVE_CONFIG_H +#include "config.h" +#endif + +#include "macros.h" +#include "gost28147.h" + +/* pre-initialized GOST lookup tables based on rotated S-Box */ +const struct gost28147_param gost28147_param_test_3411 = +{ + { + /* 0 */ + 0x00072000, 0x00075000, 0x00074800, 0x00071000, + 0x00076800, 0x00074000, 0x00070000, 0x00077000, + 0x00073000, 0x00075800, 0x00070800, 0x00076000, + 0x00073800, 0x00077800, 0x00072800, 0x00071800, + 0x0005a000, 0x0005d000, 0x0005c800, 0x00059000, + 0x0005e800, 0x0005c000, 0x00058000, 0x0005f000, + 0x0005b000, 0x0005d800, 0x00058800, 0x0005e000, + 0x0005b800, 0x0005f800, 0x0005a800, 0x00059800, + 0x00022000, 0x00025000, 0x00024800, 0x00021000, + 0x00026800, 0x00024000, 0x00020000, 0x00027000, + 0x00023000, 0x00025800, 0x00020800, 0x00026000, + 0x00023800, 0x00027800, 0x00022800, 0x00021800, + 0x00062000, 0x00065000, 0x00064800, 0x00061000, + 0x00066800, 0x00064000, 0x00060000, 0x00067000, + 0x00063000, 0x00065800, 0x00060800, 0x00066000, + 0x00063800, 0x00067800, 0x00062800, 0x00061800, + 0x00032000, 0x00035000, 0x00034800, 0x00031000, + 0x00036800, 0x00034000, 0x00030000, 0x00037000, + 0x00033000, 0x00035800, 0x00030800, 0x00036000, + 0x00033800, 0x00037800, 0x00032800, 0x00031800, + 0x0006a000, 0x0006d000, 0x0006c800, 0x00069000, + 0x0006e800, 0x0006c000, 0x00068000, 0x0006f000, + 0x0006b000, 0x0006d800, 0x00068800, 0x0006e000, + 0x0006b800, 0x0006f800, 0x0006a800, 0x00069800, + 0x0007a000, 0x0007d000, 0x0007c800, 0x00079000, + 0x0007e800, 0x0007c000, 0x00078000, 0x0007f000, + 0x0007b000, 0x0007d800, 0x00078800, 0x0007e000, + 0x0007b800, 0x0007f800, 0x0007a800, 0x00079800, + 0x00052000, 0x00055000, 0x00054800, 0x00051000, + 0x00056800, 0x00054000, 0x00050000, 0x00057000, + 0x00053000, 0x00055800, 0x00050800, 0x00056000, + 0x00053800, 0x00057800, 0x00052800, 0x00051800, + 0x00012000, 0x00015000, 0x00014800, 0x00011000, + 0x00016800, 0x00014000, 0x00010000, 0x00017000, + 0x00013000, 0x00015800, 0x00010800, 0x00016000, + 0x00013800, 0x00017800, 0x00012800, 0x00011800, + 0x0001a000, 0x0001d000, 0x0001c800, 0x00019000, + 0x0001e800, 0x0001c000, 0x00018000, 0x0001f000, + 0x0001b000, 0x0001d800, 0x00018800, 0x0001e000, + 0x0001b800, 0x0001f800, 0x0001a800, 0x00019800, + 0x00042000, 0x00045000, 0x00044800, 0x00041000, + 0x00046800, 0x00044000, 0x00040000, 0x00047000, + 0x00043000, 0x00045800, 0x00040800, 0x00046000, + 0x00043800, 0x00047800, 0x00042800, 0x00041800, + 0x0000a000, 0x0000d000, 0x0000c800, 0x00009000, + 0x0000e800, 0x0000c000, 0x00008000, 0x0000f000, + 0x0000b000, 0x0000d800, 0x00008800, 0x0000e000, + 0x0000b800, 0x0000f800, 0x0000a800, 0x00009800, + 0x00002000, 0x00005000, 0x00004800, 0x00001000, + 0x00006800, 0x00004000, 0x00000000, 0x00007000, + 0x00003000, 0x00005800, 0x00000800, 0x00006000, + 0x00003800, 0x00007800, 0x00002800, 0x00001800, + 0x0003a000, 0x0003d000, 0x0003c800, 0x00039000, + 0x0003e800, 0x0003c000, 0x00038000, 0x0003f000, + 0x0003b000, 0x0003d800, 0x00038800, 0x0003e000, + 0x0003b800, 0x0003f800, 0x0003a800, 0x00039800, + 0x0002a000, 0x0002d000, 0x0002c800, 0x00029000, + 0x0002e800, 0x0002c000, 0x00028000, 0x0002f000, + 0x0002b000, 0x0002d800, 0x00028800, 0x0002e000, + 0x0002b800, 0x0002f800, 0x0002a800, 0x00029800, + 0x0004a000, 0x0004d000, 0x0004c800, 0x00049000, + 0x0004e800, 0x0004c000, 0x00048000, 0x0004f000, + 0x0004b000, 0x0004d800, 0x00048800, 0x0004e000, + 0x0004b800, 0x0004f800, 0x0004a800, 0x00049800, + /* 1 */ + 0x03a80000, 0x03c00000, 0x03880000, 0x03e80000, + 0x03d00000, 0x03980000, 0x03a00000, 0x03900000, + 0x03f00000, 0x03f80000, 0x03e00000, 0x03b80000, + 0x03b00000, 0x03800000, 0x03c80000, 0x03d80000, + 0x06a80000, 0x06c00000, 0x06880000, 0x06e80000, + 0x06d00000, 0x06980000, 0x06a00000, 0x06900000, + 0x06f00000, 0x06f80000, 0x06e00000, 0x06b80000, + 0x06b00000, 0x06800000, 0x06c80000, 0x06d80000, + 0x05280000, 0x05400000, 0x05080000, 0x05680000, + 0x05500000, 0x05180000, 0x05200000, 0x05100000, + 0x05700000, 0x05780000, 0x05600000, 0x05380000, + 0x05300000, 0x05000000, 0x05480000, 0x05580000, + 0x00a80000, 0x00c00000, 0x00880000, 0x00e80000, + 0x00d00000, 0x00980000, 0x00a00000, 0x00900000, + 0x00f00000, 0x00f80000, 0x00e00000, 0x00b80000, + 0x00b00000, 0x00800000, 0x00c80000, 0x00d80000, + 0x00280000, 0x00400000, 0x00080000, 0x00680000, + 0x00500000, 0x00180000, 0x00200000, 0x00100000, + 0x00700000, 0x00780000, 0x00600000, 0x00380000, + 0x00300000, 0x00000000, 0x00480000, 0x00580000, + 0x04280000, 0x04400000, 0x04080000, 0x04680000, + 0x04500000, 0x04180000, 0x04200000, 0x04100000, + 0x04700000, 0x04780000, 0x04600000, 0x04380000, + 0x04300000, 0x04000000, 0x04480000, 0x04580000, + 0x04a80000, 0x04c00000, 0x04880000, 0x04e80000, + 0x04d00000, 0x04980000, 0x04a00000, 0x04900000, + 0x04f00000, 0x04f80000, 0x04e00000, 0x04b80000, + 0x04b00000, 0x04800000, 0x04c80000, 0x04d80000, + 0x07a80000, 0x07c00000, 0x07880000, 0x07e80000, + 0x07d00000, 0x07980000, 0x07a00000, 0x07900000, + 0x07f00000, 0x07f80000, 0x07e00000, 0x07b80000, + 0x07b00000, 0x07800000, 0x07c80000, 0x07d80000, + 0x07280000, 0x07400000, 0x07080000, 0x07680000, + 0x07500000, 0x07180000, 0x07200000, 0x07100000, + 0x07700000, 0x07780000, 0x07600000, 0x07380000, + 0x07300000, 0x07000000, 0x07480000, 0x07580000, + 0x02280000, 0x02400000, 0x02080000, 0x02680000, + 0x02500000, 0x02180000, 0x02200000, 0x02100000, + 0x02700000, 0x02780000, 0x02600000, 0x02380000, + 0x02300000, 0x02000000, 0x02480000, 0x02580000, + 0x03280000, 0x03400000, 0x03080000, 0x03680000, + 0x03500000, 0x03180000, 0x03200000, 0x03100000, + 0x03700000, 0x03780000, 0x03600000, 0x03380000, + 0x03300000, 0x03000000, 0x03480000, 0x03580000, + 0x06280000, 0x06400000, 0x06080000, 0x06680000, + 0x06500000, 0x06180000, 0x06200000, 0x06100000, + 0x06700000, 0x06780000, 0x06600000, 0x06380000, + 0x06300000, 0x06000000, 0x06480000, 0x06580000, + 0x05a80000, 0x05c00000, 0x05880000, 0x05e80000, + 0x05d00000, 0x05980000, 0x05a00000, 0x05900000, + 0x05f00000, 0x05f80000, 0x05e00000, 0x05b80000, + 0x05b00000, 0x05800000, 0x05c80000, 0x05d80000, + 0x01280000, 0x01400000, 0x01080000, 0x01680000, + 0x01500000, 0x01180000, 0x01200000, 0x01100000, + 0x01700000, 0x01780000, 0x01600000, 0x01380000, + 0x01300000, 0x01000000, 0x01480000, 0x01580000, + 0x02a80000, 0x02c00000, 0x02880000, 0x02e80000, + 0x02d00000, 0x02980000, 0x02a00000, 0x02900000, + 0x02f00000, 0x02f80000, 0x02e00000, 0x02b80000, + 0x02b00000, 0x02800000, 0x02c80000, 0x02d80000, + 0x01a80000, 0x01c00000, 0x01880000, 0x01e80000, + 0x01d00000, 0x01980000, 0x01a00000, 0x01900000, + 0x01f00000, 0x01f80000, 0x01e00000, 0x01b80000, + 0x01b00000, 0x01800000, 0x01c80000, 0x01d80000, + /* 2 */ + 0x30000002, 0x60000002, 0x38000002, 0x08000002, + 0x28000002, 0x78000002, 0x68000002, 0x40000002, + 0x20000002, 0x50000002, 0x48000002, 0x70000002, + 0x00000002, 0x18000002, 0x58000002, 0x10000002, + 0xb0000005, 0xe0000005, 0xb8000005, 0x88000005, + 0xa8000005, 0xf8000005, 0xe8000005, 0xc0000005, + 0xa0000005, 0xd0000005, 0xc8000005, 0xf0000005, + 0x80000005, 0x98000005, 0xd8000005, 0x90000005, + 0x30000005, 0x60000005, 0x38000005, 0x08000005, + 0x28000005, 0x78000005, 0x68000005, 0x40000005, + 0x20000005, 0x50000005, 0x48000005, 0x70000005, + 0x00000005, 0x18000005, 0x58000005, 0x10000005, + 0x30000000, 0x60000000, 0x38000000, 0x08000000, + 0x28000000, 0x78000000, 0x68000000, 0x40000000, + 0x20000000, 0x50000000, 0x48000000, 0x70000000, + 0x00000000, 0x18000000, 0x58000000, 0x10000000, + 0xb0000003, 0xe0000003, 0xb8000003, 0x88000003, + 0xa8000003, 0xf8000003, 0xe8000003, 0xc0000003, + 0xa0000003, 0xd0000003, 0xc8000003, 0xf0000003, + 0x80000003, 0x98000003, 0xd8000003, 0x90000003, + 0x30000001, 0x60000001, 0x38000001, 0x08000001, + 0x28000001, 0x78000001, 0x68000001, 0x40000001, + 0x20000001, 0x50000001, 0x48000001, 0x70000001, + 0x00000001, 0x18000001, 0x58000001, 0x10000001, + 0xb0000000, 0xe0000000, 0xb8000000, 0x88000000, + 0xa8000000, 0xf8000000, 0xe8000000, 0xc0000000, + 0xa0000000, 0xd0000000, 0xc8000000, 0xf0000000, + 0x80000000, 0x98000000, 0xd8000000, 0x90000000, + 0xb0000006, 0xe0000006, 0xb8000006, 0x88000006, + 0xa8000006, 0xf8000006, 0xe8000006, 0xc0000006, + 0xa0000006, 0xd0000006, 0xc8000006, 0xf0000006, + 0x80000006, 0x98000006, 0xd8000006, 0x90000006, + 0xb0000001, 0xe0000001, 0xb8000001, 0x88000001, + 0xa8000001, 0xf8000001, 0xe8000001, 0xc0000001, + 0xa0000001, 0xd0000001, 0xc8000001, 0xf0000001, + 0x80000001, 0x98000001, 0xd8000001, 0x90000001, + 0x30000003, 0x60000003, 0x38000003, 0x08000003, + 0x28000003, 0x78000003, 0x68000003, 0x40000003, + 0x20000003, 0x50000003, 0x48000003, 0x70000003, + 0x00000003, 0x18000003, 0x58000003, 0x10000003, + 0x30000004, 0x60000004, 0x38000004, 0x08000004, + 0x28000004, 0x78000004, 0x68000004, 0x40000004, + 0x20000004, 0x50000004, 0x48000004, 0x70000004, + 0x00000004, 0x18000004, 0x58000004, 0x10000004, + 0xb0000002, 0xe0000002, 0xb8000002, 0x88000002, + 0xa8000002, 0xf8000002, 0xe8000002, 0xc0000002, + 0xa0000002, 0xd0000002, 0xc8000002, 0xf0000002, + 0x80000002, 0x98000002, 0xd8000002, 0x90000002, + 0xb0000004, 0xe0000004, 0xb8000004, 0x88000004, + 0xa8000004, 0xf8000004, 0xe8000004, 0xc0000004, + 0xa0000004, 0xd0000004, 0xc8000004, 0xf0000004, + 0x80000004, 0x98000004, 0xd8000004, 0x90000004, + 0x30000006, 0x60000006, 0x38000006, 0x08000006, + 0x28000006, 0x78000006, 0x68000006, 0x40000006, + 0x20000006, 0x50000006, 0x48000006, 0x70000006, + 0x00000006, 0x18000006, 0x58000006, 0x10000006, + 0xb0000007, 0xe0000007, 0xb8000007, 0x88000007, + 0xa8000007, 0xf8000007, 0xe8000007, 0xc0000007, + 0xa0000007, 0xd0000007, 0xc8000007, 0xf0000007, + 0x80000007, 0x98000007, 0xd8000007, 0x90000007, + 0x30000007, 0x60000007, 0x38000007, 0x08000007, + 0x28000007, 0x78000007, 0x68000007, 0x40000007, + 0x20000007, 0x50000007, 0x48000007, 0x70000007, + 0x00000007, 0x18000007, 0x58000007, 0x10000007, + /* 3 */ + 0x000000e8, 0x000000d8, 0x000000a0, 0x00000088, + 0x00000098, 0x000000f8, 0x000000a8, 0x000000c8, + 0x00000080, 0x000000d0, 0x000000f0, 0x000000b8, + 0x000000b0, 0x000000c0, 0x00000090, 0x000000e0, + 0x000007e8, 0x000007d8, 0x000007a0, 0x00000788, + 0x00000798, 0x000007f8, 0x000007a8, 0x000007c8, + 0x00000780, 0x000007d0, 0x000007f0, 0x000007b8, + 0x000007b0, 0x000007c0, 0x00000790, 0x000007e0, + 0x000006e8, 0x000006d8, 0x000006a0, 0x00000688, + 0x00000698, 0x000006f8, 0x000006a8, 0x000006c8, + 0x00000680, 0x000006d0, 0x000006f0, 0x000006b8, + 0x000006b0, 0x000006c0, 0x00000690, 0x000006e0, + 0x00000068, 0x00000058, 0x00000020, 0x00000008, + 0x00000018, 0x00000078, 0x00000028, 0x00000048, + 0x00000000, 0x00000050, 0x00000070, 0x00000038, + 0x00000030, 0x00000040, 0x00000010, 0x00000060, + 0x000002e8, 0x000002d8, 0x000002a0, 0x00000288, + 0x00000298, 0x000002f8, 0x000002a8, 0x000002c8, + 0x00000280, 0x000002d0, 0x000002f0, 0x000002b8, + 0x000002b0, 0x000002c0, 0x00000290, 0x000002e0, + 0x000003e8, 0x000003d8, 0x000003a0, 0x00000388, + 0x00000398, 0x000003f8, 0x000003a8, 0x000003c8, + 0x00000380, 0x000003d0, 0x000003f0, 0x000003b8, + 0x000003b0, 0x000003c0, 0x00000390, 0x000003e0, + 0x00000568, 0x00000558, 0x00000520, 0x00000508, + 0x00000518, 0x00000578, 0x00000528, 0x00000548, + 0x00000500, 0x00000550, 0x00000570, 0x00000538, + 0x00000530, 0x00000540, 0x00000510, 0x00000560, + 0x00000268, 0x00000258, 0x00000220, 0x00000208, + 0x00000218, 0x00000278, 0x00000228, 0x00000248, + 0x00000200, 0x00000250, 0x00000270, 0x00000238, + 0x00000230, 0x00000240, 0x00000210, 0x00000260, + 0x000004e8, 0x000004d8, 0x000004a0, 0x00000488, + 0x00000498, 0x000004f8, 0x000004a8, 0x000004c8, + 0x00000480, 0x000004d0, 0x000004f0, 0x000004b8, + 0x000004b0, 0x000004c0, 0x00000490, 0x000004e0, + 0x00000168, 0x00000158, 0x00000120, 0x00000108, + 0x00000118, 0x00000178, 0x00000128, 0x00000148, + 0x00000100, 0x00000150, 0x00000170, 0x00000138, + 0x00000130, 0x00000140, 0x00000110, 0x00000160, + 0x000001e8, 0x000001d8, 0x000001a0, 0x00000188, + 0x00000198, 0x000001f8, 0x000001a8, 0x000001c8, + 0x00000180, 0x000001d0, 0x000001f0, 0x000001b8, + 0x000001b0, 0x000001c0, 0x00000190, 0x000001e0, + 0x00000768, 0x00000758, 0x00000720, 0x00000708, + 0x00000718, 0x00000778, 0x00000728, 0x00000748, + 0x00000700, 0x00000750, 0x00000770, 0x00000738, + 0x00000730, 0x00000740, 0x00000710, 0x00000760, + 0x00000368, 0x00000358, 0x00000320, 0x00000308, + 0x00000318, 0x00000378, 0x00000328, 0x00000348, + 0x00000300, 0x00000350, 0x00000370, 0x00000338, + 0x00000330, 0x00000340, 0x00000310, 0x00000360, + 0x000005e8, 0x000005d8, 0x000005a0, 0x00000588, + 0x00000598, 0x000005f8, 0x000005a8, 0x000005c8, + 0x00000580, 0x000005d0, 0x000005f0, 0x000005b8, + 0x000005b0, 0x000005c0, 0x00000590, 0x000005e0, + 0x00000468, 0x00000458, 0x00000420, 0x00000408, + 0x00000418, 0x00000478, 0x00000428, 0x00000448, + 0x00000400, 0x00000450, 0x00000470, 0x00000438, + 0x00000430, 0x00000440, 0x00000410, 0x00000460, + 0x00000668, 0x00000658, 0x00000620, 0x00000608, + 0x00000618, 0x00000678, 0x00000628, 0x00000648, + 0x00000600, 0x00000650, 0x00000670, 0x00000638, + 0x00000630, 0x00000640, 0x00000610, 0x00000660, + } +}; + +/* + * A macro that performs a full encryption round of GOST 28147-89. + * Temporary variables tmp assumed and variables r and l for left and right + * blocks. + */ +#define GOST_ENCRYPT_ROUND(key1, key2, sbox) \ + tmp = (key1) + r; \ + l ^= (sbox)[0*256 + (tmp & 0xff)] ^ (sbox)[1*256 + ((tmp >> 8) & 0xff)] ^ \ + (sbox)[2*256 + ((tmp >> 16) & 0xff)] ^ (sbox)[3*256 + (tmp >> 24)]; \ + tmp = (key2) + l; \ + r ^= (sbox)[0*256 + (tmp & 0xff)] ^ (sbox)[1*256 + ((tmp >> 8) & 0xff)] ^ \ + (sbox)[2*256 + ((tmp >> 16) & 0xff)] ^ (sbox)[3*256 + (tmp >> 24)]; + +/* encrypt a block with the given key */ +void gost28147_encrypt_simple (const uint32_t *key, const uint32_t *sbox, + const uint32_t *in, uint32_t *out) +{ + uint32_t l, r, tmp; + + r = in[0], l = in[1]; + GOST_ENCRYPT_ROUND(key[0], key[1], sbox) + GOST_ENCRYPT_ROUND(key[2], key[3], sbox) + GOST_ENCRYPT_ROUND(key[4], key[5], sbox) + GOST_ENCRYPT_ROUND(key[6], key[7], sbox) + GOST_ENCRYPT_ROUND(key[0], key[1], sbox) + GOST_ENCRYPT_ROUND(key[2], key[3], sbox) + GOST_ENCRYPT_ROUND(key[4], key[5], sbox) + GOST_ENCRYPT_ROUND(key[6], key[7], sbox) + GOST_ENCRYPT_ROUND(key[0], key[1], sbox) + GOST_ENCRYPT_ROUND(key[2], key[3], sbox) + GOST_ENCRYPT_ROUND(key[4], key[5], sbox) + GOST_ENCRYPT_ROUND(key[6], key[7], sbox) + GOST_ENCRYPT_ROUND(key[7], key[6], sbox) + GOST_ENCRYPT_ROUND(key[5], key[4], sbox) + GOST_ENCRYPT_ROUND(key[3], key[2], sbox) + GOST_ENCRYPT_ROUND(key[1], key[0], sbox) + *out = l, *(out + 1) = r; +} diff --git a/gost28147.h b/gost28147.h new file mode 100644 index 000000000000..83d8915b9d38 --- /dev/null +++ b/gost28147.h @@ -0,0 +1,63 @@ +/* gost28147.h + + The GOST 28147-89 cipher function, described in RFC 5831. + + Copyright (C) 2019 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_GOST28147_H_INCLUDED +#define NETTLE_GOST28147_H_INCLUDED + +#include "nettle-types.h" + +#ifdef __cplusplus +extern "C" { +#endif + +#define gost28147_param_test_3411 nettle_gost28147_param_test_3411 + +/* Private */ +#define gost28147_encrypt_simple nettle_gost28147_encrypt_simple + +struct gost28147_param +{ + uint32_t sbox[4*256]; +}; + +extern const struct gost28147_param gost28147_param_test_3411; + +/* Internal interface for use by GOST R 34.11-94 */ +void gost28147_encrypt_simple (const uint32_t *key, const uint32_t *sbox, + const uint32_t *in, uint32_t *out); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_GOST28147_H_INCLUDED */ diff --git a/gosthash94.c b/gosthash94.c index e60c9ae5cddf..870235eefa34 100644 --- a/gosthash94.c +++ b/gosthash94.c @@ -1,5 +1,7 @@ -/* gost.c - an implementation of GOST Hash Function +/* gosthash94.c - an implementation of GOST Hash Function + * * based on the Russian Standard GOST R 34.11-94. + * English description in RFC 5831. * See also RFC 4357. * * Copyright: 2009-2012 Aleksey Kravchenko <rhash.admin(a)gmail.com> @@ -38,209 +40,7 @@ #include "macros.h" #include "nettle-write.h" #include "gosthash94.h" - -/* pre-initialized GOST lookup tables based on rotated S-Box */ -static const uint32_t gosthash94_sbox[4][256] = { - { - 0x72000, 0x75000, 0x74800, 0x71000, 0x76800, - 0x74000, 0x70000, 0x77000, 0x73000, 0x75800, - 0x70800, 0x76000, 0x73800, 0x77800, 0x72800, - 0x71800, 0x5A000, 0x5D000, 0x5C800, 0x59000, - 0x5E800, 0x5C000, 0x58000, 0x5F000, 0x5B000, - 0x5D800, 0x58800, 0x5E000, 0x5B800, 0x5F800, - 0x5A800, 0x59800, 0x22000, 0x25000, 0x24800, - 0x21000, 0x26800, 0x24000, 0x20000, 0x27000, - 0x23000, 0x25800, 0x20800, 0x26000, 0x23800, - 0x27800, 0x22800, 0x21800, 0x62000, 0x65000, - 0x64800, 0x61000, 0x66800, 0x64000, 0x60000, - 0x67000, 0x63000, 0x65800, 0x60800, 0x66000, - 0x63800, 0x67800, 0x62800, 0x61800, 0x32000, - 0x35000, 0x34800, 0x31000, 0x36800, 0x34000, - 0x30000, 0x37000, 0x33000, 0x35800, 0x30800, - 0x36000, 0x33800, 0x37800, 0x32800, 0x31800, - 0x6A000, 0x6D000, 0x6C800, 0x69000, 0x6E800, - 0x6C000, 0x68000, 0x6F000, 0x6B000, 0x6D800, - 0x68800, 0x6E000, 0x6B800, 0x6F800, 0x6A800, - 0x69800, 0x7A000, 0x7D000, 0x7C800, 0x79000, - 0x7E800, 0x7C000, 0x78000, 0x7F000, 0x7B000, - 0x7D800, 0x78800, 0x7E000, 0x7B800, 0x7F800, - 0x7A800, 0x79800, 0x52000, 0x55000, 0x54800, - 0x51000, 0x56800, 0x54000, 0x50000, 0x57000, - 0x53000, 0x55800, 0x50800, 0x56000, 0x53800, - 0x57800, 0x52800, 0x51800, 0x12000, 0x15000, - 0x14800, 0x11000, 0x16800, 0x14000, 0x10000, - 0x17000, 0x13000, 0x15800, 0x10800, 0x16000, - 0x13800, 0x17800, 0x12800, 0x11800, 0x1A000, - 0x1D000, 0x1C800, 0x19000, 0x1E800, 0x1C000, - 0x18000, 0x1F000, 0x1B000, 0x1D800, 0x18800, - 0x1E000, 0x1B800, 0x1F800, 0x1A800, 0x19800, - 0x42000, 0x45000, 0x44800, 0x41000, 0x46800, - 0x44000, 0x40000, 0x47000, 0x43000, 0x45800, - 0x40800, 0x46000, 0x43800, 0x47800, 0x42800, - 0x41800, 0xA000, 0xD000, 0xC800, 0x9000, - 0xE800, 0xC000, 0x8000, 0xF000, 0xB000, - 0xD800, 0x8800, 0xE000, 0xB800, 0xF800, - 0xA800, 0x9800, 0x2000, 0x5000, 0x4800, - 0x1000, 0x6800, 0x4000, 0x0, 0x7000, - 0x3000, 0x5800, 0x800, 0x6000, 0x3800, - 0x7800, 0x2800, 0x1800, 0x3A000, 0x3D000, - 0x3C800, 0x39000, 0x3E800, 0x3C000, 0x38000, - 0x3F000, 0x3B000, 0x3D800, 0x38800, 0x3E000, - 0x3B800, 0x3F800, 0x3A800, 0x39800, 0x2A000, - 0x2D000, 0x2C800, 0x29000, 0x2E800, 0x2C000, - 0x28000, 0x2F000, 0x2B000, 0x2D800, 0x28800, - 0x2E000, 0x2B800, 0x2F800, 0x2A800, 0x29800, - 0x4A000, 0x4D000, 0x4C800, 0x49000, 0x4E800, - 0x4C000, 0x48000, 0x4F000, 0x4B000, 0x4D800, - 0x48800, 0x4E000, 0x4B800, 0x4F800, 0x4A800, - 0x49800 - }, { - 0x3A80000, 0x3C00000, 0x3880000, 0x3E80000, 0x3D00000, - 0x3980000, 0x3A00000, 0x3900000, 0x3F00000, 0x3F80000, - 0x3E00000, 0x3B80000, 0x3B00000, 0x3800000, 0x3C80000, - 0x3D80000, 0x6A80000, 0x6C00000, 0x6880000, 0x6E80000, - 0x6D00000, 0x6980000, 0x6A00000, 0x6900000, 0x6F00000, - 0x6F80000, 0x6E00000, 0x6B80000, 0x6B00000, 0x6800000, - 0x6C80000, 0x6D80000, 0x5280000, 0x5400000, 0x5080000, - 0x5680000, 0x5500000, 0x5180000, 0x5200000, 0x5100000, - 0x5700000, 0x5780000, 0x5600000, 0x5380000, 0x5300000, - 0x5000000, 0x5480000, 0x5580000, 0xA80000, 0xC00000, - 0x880000, 0xE80000, 0xD00000, 0x980000, 0xA00000, - 0x900000, 0xF00000, 0xF80000, 0xE00000, 0xB80000, - 0xB00000, 0x800000, 0xC80000, 0xD80000, 0x280000, - 0x400000, 0x80000, 0x680000, 0x500000, 0x180000, - 0x200000, 0x100000, 0x700000, 0x780000, 0x600000, - 0x380000, 0x300000, 0x0, 0x480000, 0x580000, - 0x4280000, 0x4400000, 0x4080000, 0x4680000, 0x4500000, - 0x4180000, 0x4200000, 0x4100000, 0x4700000, 0x4780000, - 0x4600000, 0x4380000, 0x4300000, 0x4000000, 0x4480000, - 0x4580000, 0x4A80000, 0x4C00000, 0x4880000, 0x4E80000, - 0x4D00000, 0x4980000, 0x4A00000, 0x4900000, 0x4F00000, - 0x4F80000, 0x4E00000, 0x4B80000, 0x4B00000, 0x4800000, - 0x4C80000, 0x4D80000, 0x7A80000, 0x7C00000, 0x7880000, - 0x7E80000, 0x7D00000, 0x7980000, 0x7A00000, 0x7900000, - 0x7F00000, 0x7F80000, 0x7E00000, 0x7B80000, 0x7B00000, - 0x7800000, 0x7C80000, 0x7D80000, 0x7280000, 0x7400000, - 0x7080000, 0x7680000, 0x7500000, 0x7180000, 0x7200000, - 0x7100000, 0x7700000, 0x7780000, 0x7600000, 0x7380000, - 0x7300000, 0x7000000, 0x7480000, 0x7580000, 0x2280000, - 0x2400000, 0x2080000, 0x2680000, 0x2500000, 0x2180000, - 0x2200000, 0x2100000, 0x2700000, 0x2780000, 0x2600000, - 0x2380000, 0x2300000, 0x2000000, 0x2480000, 0x2580000, - 0x3280000, 0x3400000, 0x3080000, 0x3680000, 0x3500000, - 0x3180000, 0x3200000, 0x3100000, 0x3700000, 0x3780000, - 0x3600000, 0x3380000, 0x3300000, 0x3000000, 0x3480000, - 0x3580000, 0x6280000, 0x6400000, 0x6080000, 0x6680000, - 0x6500000, 0x6180000, 0x6200000, 0x6100000, 0x6700000, - 0x6780000, 0x6600000, 0x6380000, 0x6300000, 0x6000000, - 0x6480000, 0x6580000, 0x5A80000, 0x5C00000, 0x5880000, - 0x5E80000, 0x5D00000, 0x5980000, 0x5A00000, 0x5900000, - 0x5F00000, 0x5F80000, 0x5E00000, 0x5B80000, 0x5B00000, - 0x5800000, 0x5C80000, 0x5D80000, 0x1280000, 0x1400000, - 0x1080000, 0x1680000, 0x1500000, 0x1180000, 0x1200000, - 0x1100000, 0x1700000, 0x1780000, 0x1600000, 0x1380000, - 0x1300000, 0x1000000, 0x1480000, 0x1580000, 0x2A80000, - 0x2C00000, 0x2880000, 0x2E80000, 0x2D00000, 0x2980000, - 0x2A00000, 0x2900000, 0x2F00000, 0x2F80000, 0x2E00000, - 0x2B80000, 0x2B00000, 0x2800000, 0x2C80000, 0x2D80000, - 0x1A80000, 0x1C00000, 0x1880000, 0x1E80000, 0x1D00000, - 0x1980000, 0x1A00000, 0x1900000, 0x1F00000, 0x1F80000, - 0x1E00000, 0x1B80000, 0x1B00000, 0x1800000, 0x1C80000, - 0x1D80000 - }, { - 0x30000002, 0x60000002, 0x38000002, 0x8000002, - 0x28000002, 0x78000002, 0x68000002, 0x40000002, - 0x20000002, 0x50000002, 0x48000002, 0x70000002, - 0x2, 0x18000002, 0x58000002, 0x10000002, - 0xB0000005, 0xE0000005, 0xB8000005, 0x88000005, - 0xA8000005, 0xF8000005, 0xE8000005, 0xC0000005, - 0xA0000005, 0xD0000005, 0xC8000005, 0xF0000005, - 0x80000005, 0x98000005, 0xD8000005, 0x90000005, - 0x30000005, 0x60000005, 0x38000005, 0x8000005, - 0x28000005, 0x78000005, 0x68000005, 0x40000005, - 0x20000005, 0x50000005, 0x48000005, 0x70000005, - 0x5, 0x18000005, 0x58000005, 0x10000005, - 0x30000000, 0x60000000, 0x38000000, 0x8000000, - 0x28000000, 0x78000000, 0x68000000, 0x40000000, - 0x20000000, 0x50000000, 0x48000000, 0x70000000, - 0x0, 0x18000000, 0x58000000, 0x10000000, - 0xB0000003, 0xE0000003, 0xB8000003, 0x88000003, - 0xA8000003, 0xF8000003, 0xE8000003, 0xC0000003, - 0xA0000003, 0xD0000003, 0xC8000003, 0xF0000003, - 0x80000003, 0x98000003, 0xD8000003, 0x90000003, - 0x30000001, 0x60000001, 0x38000001, 0x8000001, - 0x28000001, 0x78000001, 0x68000001, 0x40000001, - 0x20000001, 0x50000001, 0x48000001, 0x70000001, - 0x1, 0x18000001, 0x58000001, 0x10000001, - 0xB0000000, 0xE0000000, 0xB8000000, 0x88000000, - 0xA8000000, 0xF8000000, 0xE8000000, 0xC0000000, - 0xA0000000, 0xD0000000, 0xC8000000, 0xF0000000, - 0x80000000, 0x98000000, 0xD8000000, 0x90000000, - 0xB0000006, 0xE0000006, 0xB8000006, 0x88000006, - 0xA8000006, 0xF8000006, 0xE8000006, 0xC0000006, - 0xA0000006, 0xD0000006, 0xC8000006, 0xF0000006, - 0x80000006, 0x98000006, 0xD8000006, 0x90000006, - 0xB0000001, 0xE0000001, 0xB8000001, 0x88000001, - 0xA8000001, 0xF8000001, 0xE8000001, 0xC0000001, - 0xA0000001, 0xD0000001, 0xC8000001, 0xF0000001, - 0x80000001, 0x98000001, 0xD8000001, 0x90000001, - 0x30000003, 0x60000003, 0x38000003, 0x8000003, - 0x28000003, 0x78000003, 0x68000003, 0x40000003, - 0x20000003, 0x50000003, 0x48000003, 0x70000003, - 0x3, 0x18000003, 0x58000003, 0x10000003, - 0x30000004, 0x60000004, 0x38000004, 0x8000004, - 0x28000004, 0x78000004, 0x68000004, 0x40000004, - 0x20000004, 0x50000004, 0x48000004, 0x70000004, - 0x4, 0x18000004, 0x58000004, 0x10000004, - 0xB0000002, 0xE0000002, 0xB8000002, 0x88000002, - 0xA8000002, 0xF8000002, 0xE8000002, 0xC0000002, - 0xA0000002, 0xD0000002, 0xC8000002, 0xF0000002, - 0x80000002, 0x98000002, 0xD8000002, 0x90000002, - 0xB0000004, 0xE0000004, 0xB8000004, 0x88000004, - 0xA8000004, 0xF8000004, 0xE8000004, 0xC0000004, - 0xA0000004, 0xD0000004, 0xC8000004, 0xF0000004, - 0x80000004, 0x98000004, 0xD8000004, 0x90000004, - 0x30000006, 0x60000006, 0x38000006, 0x8000006, - 0x28000006, 0x78000006, 0x68000006, 0x40000006, - 0x20000006, 0x50000006, 0x48000006, 0x70000006, - 0x6, 0x18000006, 0x58000006, 0x10000006, - 0xB0000007, 0xE0000007, 0xB8000007, 0x88000007, - 0xA8000007, 0xF8000007, 0xE8000007, 0xC0000007, - 0xA0000007, 0xD0000007, 0xC8000007, 0xF0000007, - 0x80000007, 0x98000007, 0xD8000007, 0x90000007, - 0x30000007, 0x60000007, 0x38000007, 0x8000007, - 0x28000007, 0x78000007, 0x68000007, 0x40000007, - 0x20000007, 0x50000007, 0x48000007, 0x70000007, - 0x7, 0x18000007, 0x58000007, 0x10000007 - }, { - 0xE8, 0xD8, 0xA0, 0x88, 0x98, 0xF8, 0xA8, 0xC8, 0x80, 0xD0, - 0xF0, 0xB8, 0xB0, 0xC0, 0x90, 0xE0, 0x7E8, 0x7D8, 0x7A0, 0x788, - 0x798, 0x7F8, 0x7A8, 0x7C8, 0x780, 0x7D0, 0x7F0, 0x7B8, 0x7B0, 0x7C0, - 0x790, 0x7E0, 0x6E8, 0x6D8, 0x6A0, 0x688, 0x698, 0x6F8, 0x6A8, 0x6C8, - 0x680, 0x6D0, 0x6F0, 0x6B8, 0x6B0, 0x6C0, 0x690, 0x6E0, 0x68, 0x58, - 0x20, 0x8, 0x18, 0x78, 0x28, 0x48, 0x0, 0x50, 0x70, 0x38, - 0x30, 0x40, 0x10, 0x60, 0x2E8, 0x2D8, 0x2A0, 0x288, 0x298, 0x2F8, - 0x2A8, 0x2C8, 0x280, 0x2D0, 0x2F0, 0x2B8, 0x2B0, 0x2C0, 0x290, 0x2E0, - 0x3E8, 0x3D8, 0x3A0, 0x388, 0x398, 0x3F8, 0x3A8, 0x3C8, 0x380, 0x3D0, - 0x3F0, 0x3B8, 0x3B0, 0x3C0, 0x390, 0x3E0, 0x568, 0x558, 0x520, 0x508, - 0x518, 0x578, 0x528, 0x548, 0x500, 0x550, 0x570, 0x538, 0x530, 0x540, - 0x510, 0x560, 0x268, 0x258, 0x220, 0x208, 0x218, 0x278, 0x228, 0x248, - 0x200, 0x250, 0x270, 0x238, 0x230, 0x240, 0x210, 0x260, 0x4E8, 0x4D8, - 0x4A0, 0x488, 0x498, 0x4F8, 0x4A8, 0x4C8, 0x480, 0x4D0, 0x4F0, 0x4B8, - 0x4B0, 0x4C0, 0x490, 0x4E0, 0x168, 0x158, 0x120, 0x108, 0x118, 0x178, - 0x128, 0x148, 0x100, 0x150, 0x170, 0x138, 0x130, 0x140, 0x110, 0x160, - 0x1E8, 0x1D8, 0x1A0, 0x188, 0x198, 0x1F8, 0x1A8, 0x1C8, 0x180, 0x1D0, - 0x1F0, 0x1B8, 0x1B0, 0x1C0, 0x190, 0x1E0, 0x768, 0x758, 0x720, 0x708, - 0x718, 0x778, 0x728, 0x748, 0x700, 0x750, 0x770, 0x738, 0x730, 0x740, - 0x710, 0x760, 0x368, 0x358, 0x320, 0x308, 0x318, 0x378, 0x328, 0x348, - 0x300, 0x350, 0x370, 0x338, 0x330, 0x340, 0x310, 0x360, 0x5E8, 0x5D8, - 0x5A0, 0x588, 0x598, 0x5F8, 0x5A8, 0x5C8, 0x580, 0x5D0, 0x5F0, 0x5B8, - 0x5B0, 0x5C0, 0x590, 0x5E0, 0x468, 0x458, 0x420, 0x408, 0x418, 0x478, - 0x428, 0x448, 0x400, 0x450, 0x470, 0x438, 0x430, 0x440, 0x410, 0x460, - 0x668, 0x658, 0x620, 0x608, 0x618, 0x678, 0x628, 0x648, 0x600, 0x650, - 0x670, 0x638, 0x630, 0x640, 0x610, 0x660 - } -}; +#include "gost28147.h" /** * Initialize algorithm context before calculating hash @@ -254,40 +54,6 @@ gosthash94_init (struct gosthash94_ctx *ctx) memset (ctx, 0, sizeof (struct gosthash94_ctx)); } -/* - * A macro that performs a full encryption round of GOST 28147-89. - * Temporary variables tmp assumed and variables r and l for left and right - * blocks. - */ -#define GOST_ENCRYPT_ROUND(key1, key2, sbox) \ - tmp = (key1) + r; \ - l ^= (sbox)[0][tmp & 0xff] ^ (sbox)[1][(tmp >> 8) & 0xff] ^ \ - (sbox)[2][(tmp >> 16) & 0xff] ^ (sbox)[3][tmp >> 24]; \ - tmp = (key2) + l; \ - r ^= (sbox)[0][tmp & 0xff] ^ (sbox)[1][(tmp >> 8) & 0xff] ^ \ - (sbox)[2][(tmp >> 16) & 0xff] ^ (sbox)[3][tmp >> 24]; - -/* encrypt a block with the given key */ -#define GOST_ENCRYPT(result, i, key, hash, sbox) \ - r = hash[i], l = hash[i + 1]; \ - GOST_ENCRYPT_ROUND(key[0], key[1], sbox) \ - GOST_ENCRYPT_ROUND(key[2], key[3], sbox) \ - GOST_ENCRYPT_ROUND(key[4], key[5], sbox) \ - GOST_ENCRYPT_ROUND(key[6], key[7], sbox) \ - GOST_ENCRYPT_ROUND(key[0], key[1], sbox) \ - GOST_ENCRYPT_ROUND(key[2], key[3], sbox) \ - GOST_ENCRYPT_ROUND(key[4], key[5], sbox) \ - GOST_ENCRYPT_ROUND(key[6], key[7], sbox) \ - GOST_ENCRYPT_ROUND(key[0], key[1], sbox) \ - GOST_ENCRYPT_ROUND(key[2], key[3], sbox) \ - GOST_ENCRYPT_ROUND(key[4], key[5], sbox) \ - GOST_ENCRYPT_ROUND(key[6], key[7], sbox) \ - GOST_ENCRYPT_ROUND(key[7], key[6], sbox) \ - GOST_ENCRYPT_ROUND(key[5], key[4], sbox) \ - GOST_ENCRYPT_ROUND(key[3], key[2], sbox) \ - GOST_ENCRYPT_ROUND(key[1], key[0], sbox) \ - result[i] = l, result[i + 1] = r; - /** * The core transformation. Process a 512-bit block. * @@ -299,7 +65,6 @@ gost_block_compress (struct gosthash94_ctx *ctx, const uint32_t *block) { unsigned i; uint32_t key[8], u[8], v[8], w[8], s[8]; - uint32_t l, r, tmp; /* u := hash, v := <256-bit message block> */ memcpy (u, ctx->hash, sizeof (u)); @@ -341,7 +106,7 @@ gost_block_compress (struct gosthash94_ctx *ctx, const uint32_t *block) ((w[5] & 0xff000000) >> 8) | (w[7] & 0xff000000); /* encryption: s_i := E_{key_i} (h_i) */ - GOST_ENCRYPT (s, i, key, ctx->hash, gosthash94_sbox); + gost28147_encrypt_simple (key, gost28147_param_test_3411.sbox, &ctx->hash[i], &s[i]); if (i == 0) { -- 2.20.1

2 8

[PATCH v2 0/6] Add meta interface for MAC algorithms
by Daiki Ueno 09 Feb '20

09 Feb '20

From: Daiki Ueno <dueno(a)redhat.com> The changes from the previous series are: - remove the global hmac_*_set_key_expanded functions - leave out set_nonce member if the operation is not supported For the latter, I was wondering whether it is better to define a no-op set_nonce, but given the fact that that the caller nevertheless checks nonce_size, I chose to make the field blank. Daiki Ueno (6): nettle-meta: Move struct nettle_mac to nettle-meta.h nettle-meta: Add meta interface for CMAC functions nettle-meta: Add meta interface for HMAC functions nettle-meta: Add meta interface for UMAC functions nettle-meta: Expose all defined MACs through nettle_macs tests: Add test for meta interface for MAC algorithms Makefile.in | 7 +++- cmac-aes128-meta.c | 43 ++++++++++++++++++++ cmac-aes256-meta.c | 43 ++++++++++++++++++++ hmac-md5-meta.c | 47 ++++++++++++++++++++++ hmac-ripemd160-meta.c | 47 ++++++++++++++++++++++ hmac-sha1-meta.c | 47 ++++++++++++++++++++++ hmac-sha224-meta.c | 47 ++++++++++++++++++++++ hmac-sha256-meta.c | 47 ++++++++++++++++++++++ hmac-sha384-meta.c | 47 ++++++++++++++++++++++ hmac-sha512-meta.c | 47 ++++++++++++++++++++++ nettle-meta-macs.c | 61 ++++++++++++++++++++++++++++ nettle-meta.h | 81 ++++++++++++++++++++++++++++++++++++++ testsuite/.gitignore | 1 + testsuite/.test-rules.make | 3 ++ testsuite/Makefile.in | 2 +- testsuite/cmac-test.c | 24 ----------- testsuite/meta-mac-test.c | 43 ++++++++++++++++++++ testsuite/testutils.h | 29 -------------- umac128-meta.c | 47 ++++++++++++++++++++++ umac32-meta.c | 47 ++++++++++++++++++++++ umac64-meta.c | 47 ++++++++++++++++++++++ umac96-meta.c | 47 ++++++++++++++++++++++ 22 files changed, 799 insertions(+), 55 deletions(-) create mode 100644 cmac-aes128-meta.c create mode 100644 cmac-aes256-meta.c create mode 100644 hmac-md5-meta.c create mode 100644 hmac-ripemd160-meta.c create mode 100644 hmac-sha1-meta.c create mode 100644 hmac-sha224-meta.c create mode 100644 hmac-sha256-meta.c create mode 100644 hmac-sha384-meta.c create mode 100644 hmac-sha512-meta.c create mode 100644 nettle-meta-macs.c create mode 100644 testsuite/meta-mac-test.c create mode 100644 umac128-meta.c create mode 100644 umac32-meta.c create mode 100644 umac64-meta.c create mode 100644 umac96-meta.c -- 2.21.0

3 18

[PATCH 0/8] Implement Curve448 ECDH and Ed448
by Daiki Ueno 02 Jan '20

02 Jan '20

Hello, This patch series implements the Curve448 Diffie-Hellman protocol (RFC 7748) and the Ed448 signature scheme (RFC 8032). Although I tried to make it as close as possible to the Curve25519 and Ed25519 implementations, I had to add a few special cases, namely: - for Curve448, eccdata directly calculates points on the Edwards curve instead of the equivalent Montgomery curve - untwisted versions of ecc_add_eh* and ecc_dup_eh are added - the point decoding for Ed448 uses a different formula to recover u and v Also, optimized implementation of modular reduction is currently missing, which is beyond my expertise. I would appreciate any suggestions regarding that. The patches are also available on: https://gitlab.com/dueno/nettle/commits/wip/dueno/ed448 Thanks to Hubert Kario and Nikos Mavrogiannopoulos for initial reviews. Daiki Ueno (8): ecc-mul-test: Fix mpn_cmp calls eccdata: Emit correct ecc_Bmodq_shifted for curve448 eccdata: Redirect ecc_point_out to given stream, instead of stderr ecc: Add add_hh and dup members to ecc_curve ecc-eh-to-a, eddsa-sign: Parameterize hard-coded value Implement curve448 primitives Implement SHAKE128/256 functions Implement Ed448 signature scheme .gitignore | 1 + Makefile.in | 18 +- curve448-eh-to-x.c | 73 + curve448-mul-g.c | 74 + curve448-mul.c | 148 + curve448.h | 58 + ecc-192.c | 5 + ecc-224.c | 5 + ecc-25519.c | 5 + ecc-256.c | 5 + ecc-384.c | 5 + ecc-448.c | 273 ++ ecc-521.c | 5 + ecc-add-eh.c | 74 +- ecc-add-ehh.c | 77 +- ecc-dup-eh.c | 55 +- ecc-eh-to-a.c | 4 +- ecc-internal.h | 57 +- ecc-mul-a-eh.c | 12 +- ecc-mul-g-eh.c | 4 +- ecc-point-mul-g.c | 7 +- ecc-point-mul.c | 2 +- ecc-point.c | 15 + eccdata.c | 183 +- ecdsa-keygen.c | 4 +- ed25519-sha512-sign.c | 15 + ed448-shake256-pubkey.c | 60 + ed448-shake256-sign.c | 92 + ed448-shake256-verify.c | 66 + eddsa-compress.c | 11 +- eddsa-decompress.c | 15 +- eddsa-expand.c | 20 +- eddsa-hash.c | 35 + eddsa-pubkey.c | 2 +- eddsa-sign.c | 18 +- eddsa-verify.c | 16 +- eddsa.h | 24 + examples/ecc-benchmark.c | 1 + nettle-internal.h | 2 +- nettle-meta-hashes.c | 2 + nettle-meta.h | 2 + nettle.texinfo | 152 +- sha3.c | 13 + sha3.h | 56 + shake128-meta.c | 42 + shake128.c | 84 + shake256-meta.c | 42 + shake256.c | 84 + testsuite/.test-rules.make | 12 + testsuite/Makefile.in | 5 +- testsuite/curve448-dh-test.c | 100 + testsuite/ecc-add-test.c | 48 +- testsuite/ecc-dup-test.c | 12 +- testsuite/ecc-mul-a-test.c | 6 +- testsuite/ecc-mul-g-test.c | 6 +- testsuite/ecdh-test.c | 16 +- testsuite/ecdsa-keygen-test.c | 16 + testsuite/ed448-test.c | 240 ++ testsuite/eddsa-compress-test.c | 137 +- testsuite/eddsa-sign-test.c | 66 +- testsuite/eddsa-verify-test.c | 49 +- testsuite/meta-hash-test.c | 2 + testsuite/shake.awk | 14 + testsuite/shake128-test.c | 6183 +++++++++++++++++++++++++++++++++++++++ testsuite/shake256-test.c | 6183 +++++++++++++++++++++++++++++++++++++++ testsuite/testutils.c | 57 +- 66 files changed, 14976 insertions(+), 199 deletions(-) create mode 100644 curve448-eh-to-x.c create mode 100644 curve448-mul-g.c create mode 100644 curve448-mul.c create mode 100644 curve448.h create mode 100644 ecc-448.c create mode 100644 ed448-shake256-pubkey.c create mode 100644 ed448-shake256-sign.c create mode 100644 ed448-shake256-verify.c create mode 100644 shake128-meta.c create mode 100644 shake128.c create mode 100644 shake256-meta.c create mode 100644 shake256.c create mode 100644 testsuite/curve448-dh-test.c create mode 100644 testsuite/ed448-test.c create mode 100755 testsuite/shake.awk create mode 100644 testsuite/shake128-test.c create mode 100644 testsuite/shake256-test.c -- 2.13.3

2 35

[PATCH] ecc: rename source files with curves data
by dbaryshkov＠gmail.com 07 Dec '19

07 Dec '19

From: Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> In preparation to adding GOST curves support, rename source files and use curve name as eccdata parameter. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> --- .gitignore | 12 ++--- Makefile.in | 45 ++++++++-------- ...cc-192-modp.asm => ecc-secp192r1-modp.asm} | 0 ...cc-224-modp.asm => ecc-secp224r1-modp.asm} | 0 ...cc-256-redc.asm => ecc-secp256r1-redc.asm} | 0 ...cc-384-modp.asm => ecc-secp384r1-modp.asm} | 0 ...cc-521-modp.asm => ecc-secp521r1-modp.asm} | 0 configure.ac | 5 +- ecc-25519.c => ecc-curve25519.c | 4 +- ecc-192.c => ecc-secp192r1.c | 4 +- ecc-224.c => ecc-secp224r1.c | 4 +- ecc-256.c => ecc-secp256r1.c | 4 +- ecc-384.c => ecc-secp384r1.c | 4 +- ecc-521.c => ecc-secp521r1.c | 4 +- eccdata.c | 51 +++++++++++-------- ...25519-modp.asm => ecc-curve25519-modp.asm} | 0 ...cc-192-modp.asm => ecc-secp192r1-modp.asm} | 0 ...cc-224-modp.asm => ecc-secp224r1-modp.asm} | 0 ...cc-256-redc.asm => ecc-secp256r1-redc.asm} | 0 ...cc-384-modp.asm => ecc-secp384r1-modp.asm} | 0 ...cc-521-modp.asm => ecc-secp521r1-modp.asm} | 0 21 files changed, 74 insertions(+), 63 deletions(-) rename arm/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (100%) rename arm/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (100%) rename arm/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (100%) rename arm/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (100%) rename arm/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (100%) rename ecc-25519.c => ecc-curve25519.c (99%) rename ecc-192.c => ecc-secp192r1.c (98%) rename ecc-224.c => ecc-secp224r1.c (98%) rename ecc-256.c => ecc-secp256r1.c (99%) rename ecc-384.c => ecc-secp384r1.c (99%) rename ecc-521.c => ecc-secp521r1.c (98%) rename x86_64/{ecc-25519-modp.asm => ecc-curve25519-modp.asm} (100%) rename x86_64/{ecc-192-modp.asm => ecc-secp192r1-modp.asm} (100%) rename x86_64/{ecc-224-modp.asm => ecc-secp224r1-modp.asm} (100%) rename x86_64/{ecc-256-redc.asm => ecc-secp256r1-redc.asm} (100%) rename x86_64/{ecc-384-modp.asm => ecc-secp384r1-modp.asm} (100%) rename x86_64/{ecc-521-modp.asm => ecc-secp521r1-modp.asm} (100%) diff --git a/.gitignore b/.gitignore index b79c53f535ff..be10fbe959cc 100644 --- a/.gitignore +++ b/.gitignore @@ -43,12 +43,12 @@ core /keymap.h /parity.h /rotors.h -/ecc-192.h -/ecc-224.h -/ecc-256.h -/ecc-384.h -/ecc-521.h -/ecc-25519.h +/ecc-curve25519.h +/ecc-secp192r1.h +/ecc-secp224r1.h +/ecc-secp256r1.h +/ecc-secp384r1.h +/ecc-secp521r1.h /version.h /nettle.aux /nettle.cp diff --git a/Makefile.in b/Makefile.in index 9f5b065a706a..89066ec6c3c2 100644 --- a/Makefile.in +++ b/Makefile.in @@ -174,8 +174,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \ gmp-glue.c cnd-copy.c \ ecc-mod.c ecc-mod-inv.c \ ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ - ecc-192.c ecc-224.c ecc-256.c ecc-384.c ecc-521.c \ - ecc-25519.c \ + ecc-curve25519.c ecc-secp192r1.c ecc-secp224r1.c \ + ecc-secp256r1.c ecc-secp384r1.c ecc-secp521r1.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ ecc-dup-jj.c ecc-add-jja.c ecc-add-jjj.c \ ecc-eh-to-a.c \ @@ -345,24 +345,24 @@ des.$(OBJEXT): des.c des.h $(des_headers) # k = 14, c = 7, S = 256, T = 42 ( 28 A + 14 D) 12 KB # k = 11, c = 6, S = 192, T = 44 ( 33 A + 11 D) 9 KB # k = 16, c = 6, S = 128, T = 48 ( 32 A + 16 D) 6 KB -ecc-192.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 192 8 6 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-secp192r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp192r1 8 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 224: # k = 16, c = 7, S = 256, T = 48 ( 32 A + 16 D) ~16 KB # k = 10, c = 6, S = 256, T = 50 ( 40 A + 10 D) ~16 KB # k = 13, c = 6, S = 192, T = 52 ( 39 A + 13 D) ~12 KB # k = 9, c = 5, S = 160, T = 54 ( 45 A + 9 D) ~10 KB -ecc-224.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 224 16 7 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-secp224r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp224r1 16 7 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 256: # k = 9, c = 6, S = 320, T = 54 ( 45 A + 9 D) 20 KB # k = 11, c = 6, S = 256, T = 55 ( 44 A + 11 D) 16 KB # k = 19, c = 7, S = 256, T = 57 ( 38 A + 19 D) 16 KB # k = 15, c = 6, S = 192, T = 60 ( 45 A + 15 D) 12 KB -ecc-256.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 256 11 6 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-secp256r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp256r1 11 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 384: # k = 16, c = 6, S = 256, T = 80 ( 64 A + 16 D) 24 KB @@ -372,31 +372,31 @@ ecc-256.h: eccdata.stamp # k = 13, c = 5, S = 192, T = 91 ( 78 A + 13 D) 18 KB # k = 16, c = 5, S = 160, T = 96 ( 80 A + 16 D) 15 KB # k = 32, c = 6, S = 128, T = 96 ( 64 A + 32 D) 12 KB -ecc-384.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 384 32 6 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-secp384r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp384r1 32 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 521: # k = 29, c = 6, S = 192, T = 116 ( 87 A + 29 D) ~27 KB # k = 21, c = 5, S = 160, T = 126 (105 A + 21 D) ~23 KB # k = 44, c = 6, S = 128, T = 132 ( 88 A + 44 D) ~18 KB # k = 35, c = 5, S = 96, T = 140 (105 A + 35 D) ~14 KB -ecc-521.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 521 44 6 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-secp521r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp521r1 44 6 $(NUMB_BITS) > $@T && mv $@T $@ -# Parameter choices mostly the same as for ecc-256.h. -ecc-25519.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 255 11 6 $(NUMB_BITS) > $@T && mv $@T $@ +# Parameter choices mostly the same as for ecc-secp256r1.h. +ecc-curve25519.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) curve25519 11 6 $(NUMB_BITS) > $@T && mv $@T $@ eccdata.stamp: eccdata.c $(MAKE) eccdata$(EXEEXT_FOR_BUILD) echo stamp > eccdata.stamp -ecc-192.$(OBJEXT): ecc-192.h -ecc-224.$(OBJEXT): ecc-224.h -ecc-256.$(OBJEXT): ecc-256.h -ecc-384.$(OBJEXT): ecc-384.h -ecc-521.$(OBJEXT): ecc-521.h -ecc-25519.$(OBJEXT): ecc-25519.h +ecc-curve25519.$(OBJEXT): ecc-curve25519.h +ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h +ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h +ecc-secp256r1.$(OBJEXT): ecc-secp256r1.h +ecc-secp384r1.$(OBJEXT): ecc-secp384r1.h +ecc-secp521r1.$(OBJEXT): ecc-secp521r1.h .asm.$(OBJEXT): $(srcdir)/asm.m4 machine.m4 config.m4 $(M4) $(srcdir)/asm.m4 machine.m4 config.m4 $< >$*.s @@ -649,7 +649,8 @@ distcheck: dist clean-here: -rm -f $(TARGETS) *.$(OBJEXT) *.s *.so *.dll *.a \ - ecc-192.h ecc-224.h ecc-256.h ecc-384.h ecc-521.h ecc-25519.h \ + ecc-curve25519.h ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \ + ecc-secp384r1.h ecc-secp521r1.h \ aesdata$(EXEEXT_FOR_BUILD) \ desdata$(EXEEXT_FOR_BUILD) \ twofishdata$(EXEEXT_FOR_BUILD) \ diff --git a/arm/ecc-192-modp.asm b/arm/ecc-secp192r1-modp.asm similarity index 100% rename from arm/ecc-192-modp.asm rename to arm/ecc-secp192r1-modp.asm diff --git a/arm/ecc-224-modp.asm b/arm/ecc-secp224r1-modp.asm similarity index 100% rename from arm/ecc-224-modp.asm rename to arm/ecc-secp224r1-modp.asm diff --git a/arm/ecc-256-redc.asm b/arm/ecc-secp256r1-redc.asm similarity index 100% rename from arm/ecc-256-redc.asm rename to arm/ecc-secp256r1-redc.asm diff --git a/arm/ecc-384-modp.asm b/arm/ecc-secp384r1-modp.asm similarity index 100% rename from arm/ecc-384-modp.asm rename to arm/ecc-secp384r1-modp.asm diff --git a/arm/ecc-521-modp.asm b/arm/ecc-secp521r1-modp.asm similarity index 100% rename from arm/ecc-521-modp.asm rename to arm/ecc-secp521r1-modp.asm diff --git a/configure.ac b/configure.ac index 3547cae4ee15..cbc914dbf14b 100644 --- a/configure.ac +++ b/configure.ac @@ -475,8 +475,9 @@ asm_nettle_optional_list="gcm-hash8.asm cpuid.asm \ asm_hogweed_optional_list="" if test "x$enable_public_key" = "xyes" ; then - asm_hogweed_optional_list="ecc-192-modp.asm ecc-224-modp.asm \ - ecc-25519-modp.asm ecc-256-redc.asm ecc-384-modp.asm ecc-521-modp.asm" + asm_hogweed_optional_list="ecc-curve25519-modp.asm \ + ecc-secp192r1-modp.asm ecc-secp224r1-modp.asm \ + ecc-secp256r1-redc.asm ecc-secp384r1-modp.asm ecc-secp521r1-modp.asm" fi OPT_NETTLE_OBJS="" diff --git a/ecc-25519.c b/ecc-curve25519.c similarity index 99% rename from ecc-25519.c rename to ecc-curve25519.c index 105ce0f4fbc1..e6a1b325be66 100644 --- a/ecc-25519.c +++ b/ecc-curve25519.c @@ -1,4 +1,4 @@ -/* ecc-25519.c +/* ecc-curve25519.c Arithmetic and tables for curve25519, @@ -42,7 +42,7 @@ #define USE_REDC 0 -#include "ecc-25519.h" +#include "ecc-curve25519.h" #define PHIGH_BITS (GMP_NUMB_BITS * ECC_LIMB_SIZE - 255) diff --git a/ecc-192.c b/ecc-secp192r1.c similarity index 98% rename from ecc-192.c rename to ecc-secp192r1.c index 4b756ffd7e8f..858a1b7554ce 100644 --- a/ecc-192.c +++ b/ecc-secp192r1.c @@ -1,4 +1,4 @@ -/* ecc-192.c +/* ecc-secp192r1.c Compile time constant (but machine dependent) tables. @@ -46,7 +46,7 @@ #define USE_REDC 0 -#include "ecc-192.h" +#include "ecc-secp192r1.h" #if HAVE_NATIVE_ecc_192_modp diff --git a/ecc-224.c b/ecc-secp224r1.c similarity index 98% rename from ecc-224.c rename to ecc-secp224r1.c index bf90f848c1b2..4d82f54b57fd 100644 --- a/ecc-224.c +++ b/ecc-secp224r1.c @@ -1,4 +1,4 @@ -/* ecc-224.c +/* ecc-secp224r1.c Compile time constant (but machine dependent) tables. @@ -52,7 +52,7 @@ ecc_224_modp (const struct ecc_modulo *m, mp_limb_t *rp); #define ecc_224_modp ecc_mod #endif -#include "ecc-224.h" +#include "ecc-secp224r1.h" #if ECC_REDC_SIZE < 0 # define ecc_224_redc ecc_pm1_redc diff --git a/ecc-256.c b/ecc-secp256r1.c similarity index 99% rename from ecc-256.c rename to ecc-secp256r1.c index 3e6ae4e2a8b6..7b873b5f7724 100644 --- a/ecc-256.c +++ b/ecc-secp256r1.c @@ -1,4 +1,4 @@ -/* ecc-256.c +/* ecc-secp256r1.c Compile time constant (but machine dependent) tables. @@ -48,7 +48,7 @@ # define USE_REDC (ECC_REDC_SIZE != 0) #endif -#include "ecc-256.h" +#include "ecc-secp256r1.h" #if HAVE_NATIVE_ecc_256_redc # define ecc_256_redc nettle_ecc_256_redc diff --git a/ecc-384.c b/ecc-secp384r1.c similarity index 99% rename from ecc-384.c rename to ecc-secp384r1.c index 5bb2a2476eec..248b1cf3ef2b 100644 --- a/ecc-384.c +++ b/ecc-secp384r1.c @@ -1,4 +1,4 @@ -/* ecc-384.c +/* ecc-secp384r1.c Compile time constant (but machine dependent) tables. @@ -44,7 +44,7 @@ #define USE_REDC 0 -#include "ecc-384.h" +#include "ecc-secp384r1.h" #if HAVE_NATIVE_ecc_384_modp #define ecc_384_modp nettle_ecc_384_modp diff --git a/ecc-521.c b/ecc-secp521r1.c similarity index 98% rename from ecc-521.c rename to ecc-secp521r1.c index 8ca0e6d2dd64..cc7473035cff 100644 --- a/ecc-521.c +++ b/ecc-secp521r1.c @@ -1,4 +1,4 @@ -/* ecc-521.c +/* ecc-secp521r1.c Compile time constant (but machine dependent) tables. @@ -42,7 +42,7 @@ #define USE_REDC 0 -#include "ecc-521.h" +#include "ecc-secp521r1.h" #if HAVE_NATIVE_ecc_521_modp #define ecc_521_modp nettle_ecc_521_modp diff --git a/eccdata.c b/eccdata.c index 7cfc33cabc14..243c161a8cb8 100644 --- a/eccdata.c +++ b/eccdata.c @@ -386,11 +386,10 @@ ecc_curve_init_str (struct ecc_curve *ecc, enum ecc_type type, } static void -ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size) +ecc_curve_init (struct ecc_curve *ecc, const char *curve) { - switch (bit_size) + if (!strcmp (curve, "secp192r1")) { - case 192: ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, /* p = 2^{192} - 2^{64} - 1 */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" @@ -420,8 +419,9 @@ ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size) "35433907297cc378b0015703374729d7a4fe46647084e4ba", "a2649984f2135c301ea3acb0776cd4f125389b311db3be32"); - break; - case 224: + } + else if (!strcmp (curve, "secp224r1")) + { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, /* p = 2^{224} - 2^{96} + 1 */ "ffffffffffffffffffffffffffffffff" @@ -452,8 +452,9 @@ ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size) "ae99feebb5d26945b54892092a8aee02912930fa41cd114e40447301", "482580a0ec5bc47e88bc8c378632cd196cb3fa058a7114eb03054c9"); - break; - case 256: + } + else if (!strcmp (curve, "secp256r1")) + { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, /* p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1 */ "FFFFFFFF000000010000000000000000" @@ -484,8 +485,9 @@ ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size) "e2534a3532d08fbba02dde659ee62bd0031fe2db785596ef509302446b030852", "e0f1575a4c633cc719dfee5fda862d764efc96c3f30ee0055c42c23f184ed8c6"); - break; - case 384: + } + else if (!strcmp (curve, "secp384r1")) + { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, /* p = 2^{384} - 2^{128} - 2^{96} + 2^{32} - 1 */ "ffffffffffffffffffffffffffffffff" @@ -521,8 +523,9 @@ ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size) "138251cd52ac9298c1c8aad977321deb97e709bd0b4ca0aca55dc8ad51dcfc9d1589a1597e3a5120e1efd631c63e1835", "cacae29869a62e1631e8a28181ab56616dc45d918abc09f3ab0e63cf792aa4dced7387be37bba569549f1c02b270ed67"); - break; - case 521: + } + else if (!strcmp (curve, "secp521r1")) + { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, "1ff" /* p = 2^{521} - 1 */ "ffffffffffffffffffffffffffffffff" @@ -567,9 +570,15 @@ ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size) "35b5df64ae2ac204c354b483487c9070cdc61c891c5ff39afc06c5d55541d3ceac8659e24afe3d0750e8b88e9f078af066a1d5025b08e5a5e2fbc87412871902f3", "82096f84261279d2b673e0178eb0b4abb65521aef6e6e32e1b5ae63fe2f19907f279f283e54ba385405224f750a95b85eebb7faef04699d1d9e21f47fc346e4d0d"); - break; - case 255: - /* Edwards curve used for eddsa25519 and curve25519, + } + else if (!strcmp (curve, "curve25519")) + { + /* curve25519, y^2 = x^3 + 486662 x^2 + x (mod p), with p = 2^{255} - 19. + + According to http://cr.yp.to/papers.html#newelliptic, this + is birationally equivalent to the Edwards curve + + x^2 + y^2 = 1 + (121665/121666) x^2 y^2 (mod p). -x^2 + y^2 = 1 - (121665/121666) x^2 y^2, with p = 2^{255} - 19. @@ -618,13 +627,13 @@ ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size) "1a739ec193ce1547493aa657c4c9f870", "47d0e827cb1595e1470eb88580d5716c" "4cf22832ea2f0ff0df38ab61ca32112f"); - break; - - default: - fprintf (stderr, "No known curve for size %d\n", bit_size); - exit(EXIT_FAILURE); } - ecc->bit_size = bit_size; + else + { + fprintf (stderr, "No known curve with name %s\n", curve); + exit(EXIT_FAILURE); + } + ecc->bit_size = mpz_sizeinbase (ecc->p, 2); } static void @@ -1184,7 +1193,7 @@ main (int argc, char **argv) return EXIT_FAILURE; } - ecc_curve_init (&ecc, atoi(argv[1])); + ecc_curve_init (&ecc, argv[1]); ecc_pippenger_precompute (&ecc, atoi(argv[2]), atoi(argv[3])); diff --git a/x86_64/ecc-25519-modp.asm b/x86_64/ecc-curve25519-modp.asm similarity index 100% rename from x86_64/ecc-25519-modp.asm rename to x86_64/ecc-curve25519-modp.asm diff --git a/x86_64/ecc-192-modp.asm b/x86_64/ecc-secp192r1-modp.asm similarity index 100% rename from x86_64/ecc-192-modp.asm rename to x86_64/ecc-secp192r1-modp.asm diff --git a/x86_64/ecc-224-modp.asm b/x86_64/ecc-secp224r1-modp.asm similarity index 100% rename from x86_64/ecc-224-modp.asm rename to x86_64/ecc-secp224r1-modp.asm diff --git a/x86_64/ecc-256-redc.asm b/x86_64/ecc-secp256r1-redc.asm similarity index 100% rename from x86_64/ecc-256-redc.asm rename to x86_64/ecc-secp256r1-redc.asm diff --git a/x86_64/ecc-384-modp.asm b/x86_64/ecc-secp384r1-modp.asm similarity index 100% rename from x86_64/ecc-384-modp.asm rename to x86_64/ecc-secp384r1-modp.asm diff --git a/x86_64/ecc-521-modp.asm b/x86_64/ecc-secp521r1-modp.asm similarity index 100% rename from x86_64/ecc-521-modp.asm rename to x86_64/ecc-secp521r1-modp.asm -- 2.24.0

3 3

[RFC] ecc: switch away from affine points representation
by dbaryshkov＠gmail.com 05 Dec '19

05 Dec '19

From: Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> Use jacobian/harmonized representation in ecc_point structure. This is an RFC patch for now, j_to_a/eh_to_a are not modified to produce y coordinate only, more tests are necessary most probably. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov(a)gmail.com> --- ecc-a-to-j.c | 12 +++++++---- ecc-ecdsa-sign.c | 2 +- ecc-ecdsa-verify.c | 4 ++-- ecc-eh-to-a.c | 17 ++++++++------- ecc-internal.h | 20 ++++++++++------- ecc-j-to-a.c | 15 +++++++------ ecc-mul-a-eh.c | 13 +++++------ ecc-mul-a.c | 18 +++++++--------- ecc-point-mul-g.c | 8 +++---- ecc-point-mul.c | 2 +- ecc-point.c | 36 +++++++++++++++++++++++++------ ecdsa-keygen.c | 7 +++--- eddsa-compress.c | 2 +- eddsa-decompress.c | 1 + eddsa-verify.c | 2 +- testsuite/ecc-add-test.c | 5 ++++- testsuite/ecc-dup-test.c | 10 ++++----- testsuite/ecc-mul-a-test.c | 22 ++++++++++++------- testsuite/ecc-mul-g-test.c | 4 ++-- testsuite/ecdsa-keygen-test.c | 38 ++++++++++++++++++++++----------- testsuite/eddsa-compress-test.c | 8 +++++-- testsuite/eddsa-verify-test.c | 2 +- testsuite/testutils.c | 2 +- 23 files changed, 152 insertions(+), 98 deletions(-) diff --git a/ecc-a-to-j.c b/ecc-a-to-j.c index 9fb0d2b80c41..895502e0fe20 100644 --- a/ecc-a-to-j.c +++ b/ecc-a-to-j.c @@ -40,11 +40,12 @@ void ecc_a_to_j (const struct ecc_curve *ecc, - mp_limb_t *r, const mp_limb_t *p) + mp_limb_t *r, const mpz_t x, const mpz_t y) { if (ecc->use_redc) { - mpn_copyd (r + ecc->p.size, p, 2*ecc->p.size); + mpz_limbs_copy (r + ecc->p.size, x, ecc->p.size); + mpz_limbs_copy (r + 2 * ecc->p.size, y, ecc->p.size); mpn_zero (r, ecc->p.size); ecc->p.mod (&ecc->p, r); @@ -52,8 +53,11 @@ ecc_a_to_j (const struct ecc_curve *ecc, mpn_zero (r + ecc->p.size, ecc->p.size); ecc->p.mod (&ecc->p, r + ecc->p.size); } - else if (r != p) - mpn_copyi (r, p, 2*ecc->p.size); + else + { + mpz_limbs_copy (r, x, ecc->p.size); + mpz_limbs_copy (r + ecc->p.size, y, ecc->p.size); + } mpn_copyi (r + 2*ecc->p.size, ecc->unit, ecc->p.size); } diff --git a/ecc-ecdsa-sign.c b/ecc-ecdsa-sign.c index 3b9e9cc1a35d..87239b7cccb6 100644 --- a/ecc-ecdsa-sign.c +++ b/ecc-ecdsa-sign.c @@ -80,7 +80,7 @@ ecc_ecdsa_sign (const struct ecc_curve *ecc, ecc->mul_g (ecc, P, kp, P + 3*ecc->p.size); /* x coordinate only, modulo q */ - ecc->h_to_a (ecc, 2, rp, P, P + 3*ecc->p.size); + ecc->h_to_a (ecc, 2, rp, NULL, P, P + 3*ecc->p.size); /* Invert k, uses 4 * ecc->p.size including scratch */ ecc->q.invert (&ecc->q, kinv, kp, tp); /* NOTE: Also clobbers hp */ diff --git a/ecc-ecdsa-verify.c b/ecc-ecdsa-verify.c index d7f5b684841a..120b12965fd5 100644 --- a/ecc-ecdsa-verify.c +++ b/ecc-ecdsa-verify.c @@ -64,7 +64,7 @@ mp_size_t ecc_ecdsa_verify_itch (const struct ecc_curve *ecc) { /* Largest storage need is for the ecc->mul call. */ - return 5*ecc->p.size + ecc->mul_itch; + return 6*ecc->p.size + ecc->mul_itch; } /* FIXME: Use faster primitives, not requiring side-channel silence. */ @@ -145,7 +145,7 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc, ecc->add_hhh (ecc, P1, P1, P2, P1 + 3*ecc->p.size); } /* x coordinate only, modulo q */ - ecc->h_to_a (ecc, 2, P2, P1, P1 + 3*ecc->p.size); + ecc->h_to_a (ecc, 2, P2, NULL, P1, P1 + 3*ecc->p.size); return (mpn_cmp (rp, P2, ecc->p.size) == 0); #undef P2 diff --git a/ecc-eh-to-a.c b/ecc-eh-to-a.c index 8173b887d59d..851dcb8d592a 100644 --- a/ecc-eh-to-a.c +++ b/ecc-eh-to-a.c @@ -43,7 +43,8 @@ void ecc_eh_to_a (const struct ecc_curve *ecc, int op, - mp_limb_t *r, const mp_limb_t *p, + mp_limb_t *x, mp_limb_t *y, + const mp_limb_t *p, mp_limb_t *scratch) { #define izp scratch @@ -60,8 +61,8 @@ ecc_eh_to_a (const struct ecc_curve *ecc, ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size); ecc_modp_mul (ecc, tp, xp, izp); - cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, r, tp, ecc->p.size); + cy = mpn_sub_n (x, tp, ecc->p.m, ecc->p.size); + cnd_copy (cy, x, tp, ecc->p.size); if (op) { @@ -75,14 +76,14 @@ ecc_eh_to_a (const struct ecc_curve *ecc, unsigned shift; assert (ecc->p.bit_size == 255); shift = ecc->q.bit_size - 1 - GMP_NUMB_BITS * (ecc->p.size - 1); - cy = mpn_submul_1 (r, ecc->q.m, ecc->p.size, - r[ecc->p.size-1] >> shift); + cy = mpn_submul_1 (x, ecc->q.m, ecc->p.size, + x[ecc->p.size-1] >> shift); assert (cy < 2); - cnd_add_n (cy, r, ecc->q.m, ecc->p.size); + cnd_add_n (cy, x, ecc->q.m, ecc->p.size); } return; } ecc_modp_mul (ecc, tp, yp, izp); - cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); + cy = mpn_sub_n (y, tp, ecc->p.m, ecc->p.size); + cnd_copy (cy, y, tp, ecc->p.size); } diff --git a/ecc-internal.h b/ecc-internal.h index 18c1bf7d8cee..5854a3247306 100644 --- a/ecc-internal.h +++ b/ecc-internal.h @@ -132,7 +132,8 @@ typedef void ecc_mul_func (const struct ecc_curve *ecc, typedef void ecc_h_to_a_func (const struct ecc_curve *ecc, int flags, - mp_limb_t *r, const mp_limb_t *p, + mp_limb_t *x, mp_limb_t *y, + const mp_limb_t *p, mp_limb_t *scratch); struct ecc_modulo @@ -278,19 +279,21 @@ ecc_hash (const struct ecc_modulo *m, mp_limb_t *hp, size_t length, const uint8_t *digest); -/* Converts a point P in affine coordinates into a point R in jacobian +/* Converts a point x,y in affine coordinates into a point R in jacobian coordinates. */ void ecc_a_to_j (const struct ecc_curve *ecc, - mp_limb_t *r, const mp_limb_t *p); + mp_limb_t *r, const mpz_t x, const mpz_t y); /* Converts a point P in jacobian coordinates into a point R in affine coordinates. If op == 1, produce x coordinate only. If op == 2, - produce the x coordinate only, and also reduce it modulo q. */ + produce the x coordinate only, and also reduce it modulo q. If op == 3 + produce the y coordinate only. */ void ecc_j_to_a (const struct ecc_curve *ecc, int op, - mp_limb_t *r, const mp_limb_t *p, + mp_limb_t *x, mp_limb_t *y, + const mp_limb_t *p, mp_limb_t *scratch); /* Converts a point P in homogeneous coordinates on an Edwards curve @@ -299,7 +302,8 @@ ecc_j_to_a (const struct ecc_curve *ecc, void ecc_eh_to_a (const struct ecc_curve *ecc, int op, - mp_limb_t *r, const mp_limb_t *p, + mp_limb_t *x, mp_limb_t *y, + const mp_limb_t *p, mp_limb_t *scratch); /* Group operations */ @@ -404,13 +408,13 @@ curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, #define ECC_MUL_G_ITCH(size) (9*(size)) #define ECC_MUL_G_EH_ITCH(size) (9*(size)) #if ECC_MUL_A_WBITS == 0 -#define ECC_MUL_A_ITCH(size) (12*(size)) +#define ECC_MUL_A_ITCH(size) (3*(size) + ECC_ADD_JJJ_ITCH(size)) #else #define ECC_MUL_A_ITCH(size) \ (((3 << ECC_MUL_A_WBITS) + 11) * (size)) #endif #if ECC_MUL_A_EH_WBITS == 0 -#define ECC_MUL_A_EH_ITCH(size) (13*(size)) +#define ECC_MUL_A_EH_ITCH(size) (3*(size) + ECC_ADD_EHH_ITCH(size)) #else #define ECC_MUL_A_EH_ITCH(size) \ (((3 << ECC_MUL_A_EH_WBITS) + 10) * (size)) diff --git a/ecc-j-to-a.c b/ecc-j-to-a.c index eca10f0fac9e..1ce2e43a5b31 100644 --- a/ecc-j-to-a.c +++ b/ecc-j-to-a.c @@ -41,7 +41,8 @@ void ecc_j_to_a (const struct ecc_curve *ecc, int op, - mp_limb_t *r, const mp_limb_t *p, + mp_limb_t *x, mp_limb_t *y, + const mp_limb_t *p, mp_limb_t *scratch) { #define izp scratch @@ -89,8 +90,8 @@ ecc_j_to_a (const struct ecc_curve *ecc, ecc_modp_mul (ecc, iz3p, iz2p, p); /* ecc_modp (and ecc_modp_mul) may return a value up to 2p - 1, so do a conditional subtraction. */ - cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size); - cnd_copy (cy, r, iz3p, ecc->p.size); + cy = mpn_sub_n (x, iz3p, ecc->p.m, ecc->p.size); + cnd_copy (cy, x, iz3p, ecc->p.size); if (op) { @@ -100,16 +101,16 @@ ecc_j_to_a (const struct ecc_curve *ecc, /* Also reduce the x coordinate mod ecc->q. It should already be < 2*ecc->q, so one subtraction should suffice. */ - cy = mpn_sub_n (scratch, r, ecc->q.m, ecc->p.size); - cnd_copy (cy == 0, r, scratch, ecc->p.size); + cy = mpn_sub_n (scratch, x, ecc->q.m, ecc->p.size); + cnd_copy (cy == 0, x, scratch, ecc->p.size); } return; } ecc_modp_mul (ecc, iz3p, iz2p, izp); ecc_modp_mul (ecc, tp, iz3p, p + ecc->p.size); /* And a similar subtraction. */ - cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); + cy = mpn_sub_n (y, tp, ecc->p.m, ecc->p.size); + cnd_copy (cy, y, tp, ecc->p.size); #undef izp #undef up diff --git a/ecc-mul-a-eh.c b/ecc-mul-a-eh.c index e9b22cd4c1e7..73657c87d58e 100644 --- a/ecc-mul-a-eh.c +++ b/ecc-mul-a-eh.c @@ -38,7 +38,7 @@ #include "ecc.h" #include "ecc-internal.h" -/* Binary algorithm needs 6*ecc->p.size + scratch for ecc_add_ehh, +/* Binary algorithm needs 3*ecc->p.size + scratch for ecc_add_ehh, total 13 ecc->p.size Window algorithm needs (3<<w) * ecc->p.size for the table, @@ -52,14 +52,11 @@ ecc_mul_a_eh (const struct ecc_curve *ecc, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch) { -#define pe scratch -#define tp (scratch + 3*ecc->p.size) -#define scratch_out (scratch + 6*ecc->p.size) +#define tp (scratch) +#define scratch_out (scratch + 3*ecc->p.size) unsigned i; - ecc_a_to_j (ecc, pe, p); - /* x = 0, y = 1, z = 1 */ mpn_zero (r, 3*ecc->p.size); r[ecc->p.size] = r[2*ecc->p.size] = 1; @@ -76,7 +73,7 @@ ecc_mul_a_eh (const struct ecc_curve *ecc, int digit; ecc->dup (ecc, r, r, scratch_out); - ecc->add_hhh (ecc, tp, r, pe, scratch_out); + ecc->add_hhh (ecc, tp, r, p, scratch_out); digit = (w & bit) > 0; /* If we had a one-bit, use the sum. */ @@ -103,7 +100,7 @@ table_init (const struct ecc_curve *ecc, mpn_zero (TABLE(0), 3*ecc->p.size); TABLE(0)[ecc->p.size] = TABLE(0)[2*ecc->p.size] = 1; - ecc_a_to_j (ecc, TABLE(1), p); + mpn_copyi (TABLE(1), p, 3*ecc->p.size); for (j = 2; j < size; j += 2) { diff --git a/ecc-mul-a.c b/ecc-mul-a.c index cb9c7d418633..6f0c19bcd004 100644 --- a/ecc-mul-a.c +++ b/ecc-mul-a.c @@ -40,8 +40,8 @@ #include "ecc.h" #include "ecc-internal.h" -/* Binary algorithm needs 6*ecc->p.size + scratch for ecc_add_jja. - Current total is 12 ecc->p.size, at most 864 bytes. +/* Binary algorithm needs 3*ecc->p.size + scratch for ecc_add_jjj. + Current total is 11 ecc->p.size, at most 792 bytes. Window algorithm needs (3<<w) * ecc->p.size for the table, 3*ecc->p.size for a temporary point, and scratch for @@ -55,14 +55,12 @@ ecc_mul_a (const struct ecc_curve *ecc, mp_limb_t *scratch) { #define tp scratch -#define pj (scratch + 3*ecc->p.size) -#define scratch_out (scratch + 6*ecc->p.size) +#define scratch_out (scratch + 3*ecc->p.size) int is_zero; unsigned i; - ecc_a_to_j (ecc, pj, p); mpn_zero (r, 3*ecc->p.size); for (i = ecc->p.size, is_zero = 1; i-- > 0; ) @@ -77,12 +75,12 @@ ecc_mul_a (const struct ecc_curve *ecc, int digit; ecc_dup_jj (ecc, r, r, scratch_out); - ecc_add_jja (ecc, tp, r, pj, scratch_out); + ecc_add_jjj (ecc, tp, r, p, scratch_out); digit = (w & bit) > 0; /* If is_zero is set, r is the zero point, - and ecc_add_jja produced garbage. */ - cnd_copy (is_zero, tp, pj, 3*ecc->p.size); + and ecc_add_jjj produced garbage. */ + cnd_copy (is_zero, tp, p, 3*ecc->p.size); is_zero &= ~digit; /* If we had a one-bit, use the sum. */ cnd_copy (digit, r, tp, 3*ecc->p.size); @@ -106,12 +104,12 @@ table_init (const struct ecc_curve *ecc, unsigned j; mpn_zero (TABLE(0), 3*ecc->p.size); - ecc_a_to_j (ecc, TABLE(1), p); + mpn_copyi (TABLE(1), p, 3*ecc->p.size); for (j = 2; j < size; j += 2) { ecc_dup_jj (ecc, TABLE(j), TABLE(j/2), scratch); - ecc_add_jja (ecc, TABLE(j+1), TABLE(j), TABLE(1), scratch); + ecc_add_jjj (ecc, TABLE(j+1), TABLE(j), TABLE(1), scratch); } } diff --git a/ecc-point-mul-g.c b/ecc-point-mul-g.c index 46fceb81ea45..e38f161bcdff 100644 --- a/ecc-point-mul-g.c +++ b/ecc-point-mul-g.c @@ -44,15 +44,13 @@ void ecc_point_mul_g (struct ecc_point *r, const struct ecc_scalar *n) { - TMP_DECL(scratch, mp_limb_t, 3*ECC_MAX_SIZE + ECC_MUL_G_ITCH (ECC_MAX_SIZE)); + TMP_DECL(scratch, mp_limb_t, ECC_MUL_G_ITCH (ECC_MAX_SIZE)); const struct ecc_curve *ecc = r->ecc; - mp_limb_t size = ecc->p.size; - mp_size_t itch = 3*size + ecc->mul_g_itch; + mp_size_t itch = ecc->mul_g_itch; assert (n->ecc == ecc); TMP_ALLOC (scratch, itch); - ecc->mul_g (ecc, scratch, n->p, scratch + 3*size); - ecc->h_to_a (ecc, 0, r->p, scratch, scratch + 3*size); + ecc->mul_g (ecc, r->p, n->p, scratch); } diff --git a/ecc-point-mul.c b/ecc-point-mul.c index 2be1c5c41d3d..97755ea9b8ec 100644 --- a/ecc-point-mul.c +++ b/ecc-point-mul.c @@ -53,6 +53,6 @@ ecc_point_mul (struct ecc_point *r, const struct ecc_scalar *n, assert (p->ecc == ecc); ecc->mul (ecc, scratch, n->p, p->p, scratch + 3*size); - ecc->h_to_a (ecc, 0, r->p, scratch, scratch + 3*size); + mpn_copyi (r->p, scratch, 3*size); gmp_free_limbs (scratch, itch); } diff --git a/ecc-point.c b/ecc-point.c index 31e3115abbbc..e4feb129927b 100644 --- a/ecc-point.c +++ b/ecc-point.c @@ -42,13 +42,13 @@ void ecc_point_init (struct ecc_point *p, const struct ecc_curve *ecc) { p->ecc = ecc; - p->p = gmp_alloc_limbs (2*ecc->p.size); + p->p = gmp_alloc_limbs (3*ecc->p.size); } void ecc_point_clear (struct ecc_point *p) { - gmp_free_limbs (p->p, 2*p->ecc->p.size); + gmp_free_limbs (p->p, 3*p->ecc->p.size); } int @@ -102,8 +102,7 @@ ecc_point_set (struct ecc_point *p, const mpz_t x, const mpz_t y) if (!res) return 0; - mpz_limbs_copy (p->p, x, size); - mpz_limbs_copy (p->p + size, y, size); + ecc_a_to_j (p->ecc, p->p, x, y); return 1; } @@ -112,8 +111,33 @@ void ecc_point_get (const struct ecc_point *p, mpz_t x, mpz_t y) { mp_size_t size = p->ecc->p.size; + mp_limb_t *xp = NULL, *yp = NULL; + mp_limb_t *scratch = gmp_alloc_limbs(p->ecc->h_to_a_itch); + int op; + + if (x) + { + if (y) + op = 0; + else + op = 1; + } + else + { + if (y) + op = 3; + else + return; + } + if (x) + xp = mpz_limbs_write (x, size); + if (y) + yp = mpz_limbs_write (y, size); + p->ecc->h_to_a (p->ecc, op, xp, yp, p->p, scratch); + gmp_free_limbs (scratch, p->ecc->h_to_a_itch); + if (x) - mpz_set_n (x, p->p, size); + mpz_limbs_finish (x, size); if (y) - mpz_set_n (y, p->p + size, size); + mpz_limbs_finish (y, size); } diff --git a/ecdsa-keygen.c b/ecdsa-keygen.c index fa559a9e3b43..3cf0bd3c485a 100644 --- a/ecdsa-keygen.c +++ b/ecdsa-keygen.c @@ -47,15 +47,14 @@ ecdsa_generate_keypair (struct ecc_point *pub, struct ecc_scalar *key, void *random_ctx, nettle_random_func *random) { - TMP_DECL(p, mp_limb_t, 3*ECC_MAX_SIZE + ECC_MUL_G_ITCH (ECC_MAX_SIZE)); + TMP_DECL(p, mp_limb_t, ECC_MUL_G_ITCH (ECC_MAX_SIZE)); const struct ecc_curve *ecc = pub->ecc; - mp_size_t itch = 3*ecc->p.size + ecc->mul_g_itch; + mp_size_t itch = ecc->mul_g_itch; assert (key->ecc == ecc); TMP_ALLOC (p, itch); ecc_mod_random (&ecc->q, key->p, random_ctx, random, p); - ecc->mul_g (ecc, p, key->p, p + 3*ecc->p.size); - ecc->h_to_a (ecc, 0, pub->p, p, p + 3*ecc->p.size); + ecc->mul_g (ecc, pub->p, key->p, p); } diff --git a/eddsa-compress.c b/eddsa-compress.c index 547ba736dc7b..3fe2a9bdbc34 100644 --- a/eddsa-compress.c +++ b/eddsa-compress.c @@ -53,7 +53,7 @@ _eddsa_compress (const struct ecc_curve *ecc, uint8_t *r, mp_limb_t *p, #define yp (scratch + ecc->p.size) #define scratch_out (scratch + 2*ecc->p.size) - ecc->h_to_a (ecc, 0, xp, p, scratch_out); + ecc->h_to_a (ecc, 0, xp, yp, p, scratch_out); /* Encoding is the y coordinate and an appended "sign" bit, which is the low bit of x. Bit order is not specified explicitly, but for little-endian encoding, it makes most sense to append the bit diff --git a/eddsa-decompress.c b/eddsa-decompress.c index f114b576fffe..0b3119acc890 100644 --- a/eddsa-decompress.c +++ b/eddsa-decompress.c @@ -80,5 +80,6 @@ _eddsa_decompress (const struct ecc_curve *ecc, mp_limb_t *p, sign ^= xp[0] & 1; mpn_sub_n (tp, ecc->p.m, xp, ecc->p.size); cnd_copy (sign, xp, tp, ecc->p.size); + mpn_copyi (p + 2*ecc->p.size, ecc->unit, ecc->p.size); return res; } diff --git a/eddsa-verify.c b/eddsa-verify.c index 7718a1260463..9b596c517fb9 100644 --- a/eddsa-verify.c +++ b/eddsa-verify.c @@ -97,7 +97,7 @@ _eddsa_verify (const struct ecc_curve *ecc, /* Could maybe save some storage by delaying the R and S operations, but it makes sense to check them for validity up front. */ - if (!_eddsa_decompress (ecc, R, signature, R+2*ecc->p.size)) + if (!_eddsa_decompress (ecc, R, signature, R+3*ecc->p.size)) return 0; mpn_set_base256_le (sp, ecc->q.size, signature + nbytes, nbytes); diff --git a/testsuite/ecc-add-test.c b/testsuite/ecc-add-test.c index ad2bd29230ee..144111695a27 100644 --- a/testsuite/ecc-add-test.c +++ b/testsuite/ecc-add-test.c @@ -5,6 +5,7 @@ void test_main (void) { unsigned i; + mpz_t x, y; for (i = 0; ecc_curves[i]; i++) { @@ -17,7 +18,9 @@ test_main (void) ASSERT (ecc->dup_itch <= ecc->add_hhh_itch); - ecc_a_to_j (ecc, g, ecc->g); + ecc_a_to_j (ecc, g, + mpz_roinit_n (x, ecc->g, ecc->p.size), + mpz_roinit_n (y, ecc->g + ecc->p.size, ecc->p.size)); if (ecc->p.bit_size == 255) { diff --git a/testsuite/ecc-dup-test.c b/testsuite/ecc-dup-test.c index 0ae4444a7cb0..eede76f24487 100644 --- a/testsuite/ecc-dup-test.c +++ b/testsuite/ecc-dup-test.c @@ -3,17 +3,15 @@ void test_main (void) { + mpz_t x, y; unsigned i; for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; - mp_limb_t *g = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *scratch = xalloc_limbs (ecc->dup_itch); - ecc_a_to_j (ecc, g, ecc->g); - if (ecc->p.bit_size == 255) { mp_limb_t *z = xalloc_limbs (ecc_size_j (ecc)); @@ -32,14 +30,16 @@ test_main (void) else ASSERT (ecc->dup == ecc_dup_jj); - ecc->dup (ecc, p, g, scratch); + ecc_a_to_j (ecc, p, + mpz_roinit_n (x, ecc->g, ecc->p.size), + mpz_roinit_n (y, ecc->g + ecc->p.size, ecc->p.size)); + ecc->dup (ecc, p, p, scratch); test_ecc_mul_h (i, 2, p); ecc->dup (ecc, p, p, scratch); test_ecc_mul_h (i, 4, p); free (p); - free (g); free (scratch); } } diff --git a/testsuite/ecc-mul-a-test.c b/testsuite/ecc-mul-a-test.c index 245016aafc78..af62e7d5c498 100644 --- a/testsuite/ecc-mul-a-test.c +++ b/testsuite/ecc-mul-a-test.c @@ -14,6 +14,8 @@ test_main (void) { const struct ecc_curve *ecc = ecc_curves[i]; mp_size_t size = ecc_size (ecc); + mpz_t x, y; + mp_limb_t *g = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *q = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *n = xalloc_limbs (size); @@ -22,23 +24,26 @@ test_main (void) mpn_zero (n, size); + ecc_a_to_j (ecc, g, + mpz_roinit_n (x, ecc->g, size), + mpz_roinit_n (y, ecc->g + size, size)); n[0] = 1; - ecc->mul (ecc, p, n, ecc->g, scratch); - ecc->h_to_a (ecc, 0, p, p, scratch); + ecc->mul (ecc, p, n, g, scratch); + ecc->h_to_a (ecc, 0, p, p + size, p, scratch); if (mpn_cmp (p, ecc->g, 2*size) != 0) die ("curve %d: ecc->mul with n = 1 failed.\n", ecc->p.bit_size); for (n[0] = 2; n[0] <= 4; n[0]++) { - ecc->mul (ecc, p, n, ecc->g, scratch); + ecc->mul (ecc, p, n, g, scratch); test_ecc_mul_h (i, n[0], p); } /* (order - 1) * g = - g */ mpn_sub_1 (n, ecc->q.m, size, 1); - ecc->mul (ecc, p, n, ecc->g, scratch); - ecc->h_to_a (ecc, 0, p, p, scratch); + ecc->mul (ecc, p, n, g, scratch); + ecc->h_to_a (ecc, 0, p, p + size, p, scratch); if (ecc->p.bit_size == 255) /* For edwards curves, - (x,y ) == (-x, y). FIXME: Swap x and y, to get identical negation? */ @@ -64,11 +69,11 @@ test_main (void) mpz_limbs_copy (n, r, size); n[size - 1] %= ecc->q.m[size - 1]; - ecc->mul (ecc, p, n, ecc->g, scratch); - ecc->h_to_a (ecc, 0, p, p, scratch); + ecc->mul (ecc, p, n, g, scratch); + ecc->h_to_a (ecc, 0, p, p + size, p, scratch); ecc->mul_g (ecc, q, n, scratch); - ecc->h_to_a (ecc, 0, q, q, scratch); + ecc->h_to_a (ecc, 0, q, q + size, q, scratch); if (mpn_cmp (p, q, 2*size)) { @@ -92,6 +97,7 @@ test_main (void) abort (); } } + free (g); free (n); free (p); free (q); diff --git a/testsuite/ecc-mul-g-test.c b/testsuite/ecc-mul-g-test.c index 272394847f3a..c6b7374e82d8 100644 --- a/testsuite/ecc-mul-g-test.c +++ b/testsuite/ecc-mul-g-test.c @@ -23,7 +23,7 @@ test_main (void) n[0] = 1; ecc->mul_g (ecc, p, n, scratch); - ecc->h_to_a (ecc, 0, p, p, scratch); + ecc->h_to_a (ecc, 0, p, p + size, p, scratch); if (mpn_cmp (p, ecc->g, 2*size) != 0) { @@ -40,7 +40,7 @@ test_main (void) /* (order - 1) * g = - g */ mpn_sub_1 (n, ecc->q.m, size, 1); ecc->mul_g (ecc, p, n, scratch); - ecc->h_to_a (ecc, 0, p, p, scratch); + ecc->h_to_a (ecc, 0, p, p + size, p, scratch); if (ecc->p.bit_size == 255) /* For edwards curves, - (x,y ) == (-x, y). FIXME: Swap x and y, to get identical negation? */ diff --git a/testsuite/ecdsa-keygen-test.c b/testsuite/ecdsa-keygen-test.c index a96c09effeef..21b43623a8a2 100644 --- a/testsuite/ecdsa-keygen-test.c +++ b/testsuite/ecdsa-keygen-test.c @@ -12,17 +12,32 @@ ecc_valid_p (struct ecc_point *pub) size = pub->ecc->p.size; - /* First check range */ - if (mpn_cmp (pub->p, pub->ecc->p.m, size) >= 0 - || mpn_cmp (pub->p + size, pub->ecc->p.m, size) >= 0) - return 0; + mpz_init (x); + mpz_init (y); + + ecc_point_get (pub, x, y); + + if (verbose) + { + fprintf (stderr, "Public key:\nx = "); + mpz_out_str (stderr, 16, x); + fprintf (stderr, "\ny = "); + mpz_out_str (stderr, 16, y); + fprintf (stderr, "\n"); + } + + if (mpz_sgn (x) < 0 || mpz_limbs_cmp (x, pub->ecc->p.m, size) >= 0 + || mpz_sgn (y) < 0 || mpz_limbs_cmp (y, pub->ecc->p.m, size) >= 0) + { + mpz_clear (x); + mpz_clear (y); + + return 0; + } mpz_init (lhs); mpz_init (rhs); - mpz_roinit_n (x, pub->p, size); - mpz_roinit_n (y, pub->p + size, size); - mpz_mul (lhs, y, y); if (pub->ecc->p.bit_size == 255) @@ -53,6 +68,9 @@ ecc_valid_p (struct ecc_point *pub) mpz_clear (lhs); mpz_clear (rhs); + mpz_clear (x); + mpz_clear (y); + return res; } @@ -90,11 +108,7 @@ test_main (void) if (verbose) { - fprintf (stderr, "Public key:\nx = "); - write_mpn (stderr, 16, pub.p, ecc->p.size); - fprintf (stderr, "\ny = "); - write_mpn (stderr, 16, pub.p + ecc->p.size, ecc->p.size); - fprintf (stderr, "\nPrivate key: "); + fprintf (stderr, "Private key: "); write_mpn (stderr, 16, key.p, ecc->p.size); fprintf (stderr, "\n"); } diff --git a/testsuite/eddsa-compress-test.c b/testsuite/eddsa-compress-test.c index f95da870967e..812a085c9040 100644 --- a/testsuite/eddsa-compress-test.c +++ b/testsuite/eddsa-compress-test.c @@ -44,6 +44,7 @@ void test_main (void) mpz_t zp, t; mp_limb_t *s; mp_limb_t *p; + mp_limb_t *p2; mp_limb_t *pa1; mp_limb_t *pa2; mp_limb_t *scratch; @@ -61,6 +62,7 @@ void test_main (void) mpz_init (t); s = xalloc_limbs (size); p = xalloc_limbs (ecc_size_j (ecc)); + p2 = xalloc_limbs (ecc_size_j (ecc)); pa1 = xalloc_limbs (ecc_size_a (ecc)); pa2 = xalloc_limbs (ecc_size_a (ecc)); c = xalloc (clen); @@ -79,8 +81,9 @@ void test_main (void) mpz_limbs_copy (s, t, ecc->q.size); ecc->mul_g (ecc, p, s, scratch); _eddsa_compress (ecc, c, p, scratch); - ecc->h_to_a (ecc, 0, pa1, p, scratch); - _eddsa_decompress (ecc, pa2, c, scratch); + ecc->h_to_a (ecc, 0, pa1, pa1 + size, p, scratch); + _eddsa_decompress (ecc, p2, c, scratch); + ecc->h_to_a (ecc, 0, pa2, pa2 + size, p2, scratch); mpz_roinit_n (x1, pa1, size); mpz_roinit_n (y1, pa1 + size, size); mpz_roinit_n (x2, pa2, size); @@ -105,6 +108,7 @@ void test_main (void) mpz_clear (t); free (s); free (p); + free (p2); free (c); free (pa1); free (pa2); diff --git a/testsuite/eddsa-verify-test.c b/testsuite/eddsa-verify-test.c index 770080591b13..d58095b900ed 100644 --- a/testsuite/eddsa-verify-test.c +++ b/testsuite/eddsa-verify-test.c @@ -41,7 +41,7 @@ test_eddsa (const struct ecc_curve *ecc, const struct tstring *msg, const uint8_t *signature) { - mp_limb_t *A = xalloc_limbs (ecc_size_a (ecc)); + mp_limb_t *A = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *scratch = xalloc_limbs (_eddsa_verify_itch (ecc)); size_t nbytes = 1 + ecc->p.bit_size / 8; uint8_t *cmsg = xalloc (msg->length); diff --git a/testsuite/testutils.c b/testsuite/testutils.c index c9f21bab2346..e999044614a2 100644 --- a/testsuite/testutils.c +++ b/testsuite/testutils.c @@ -1838,7 +1838,7 @@ test_ecc_mul_h (unsigned curve, unsigned n, const mp_limb_t *p) const struct ecc_curve *ecc = ecc_curves[curve]; mp_limb_t *np = xalloc_limbs (ecc_size_a (ecc)); mp_limb_t *scratch = xalloc_limbs (ecc->h_to_a_itch); - ecc->h_to_a (ecc, 0, np, p, scratch); + ecc->h_to_a (ecc, 0, np, np + ecc->p.size, p, scratch); test_ecc_mul_a (curve, n, np); -- 2.24.0

3 6

git clone is unreliable for nettle
by Tim Rühsen 27 Nov '19

27 Nov '19

Hi Niels, since a while (max a few weeks), I see sporadic failures when cloning nettle. E.g. when building nettle on the OSS-Fuzz platform: Step #1: [0m[91mfatal: unable to access 'https://git.lysator.liu.se/nettle/nettle.git/': Couldn't connect to server Step #1: The command '/bin/sh -c git clone --depth=1 https://git.lysator.liu.se/nettle/nettle.git' returned a non-zero code: 128 Is there an access limit for IP address or something like that ? And if yes, do you recommend to set up a mirror ? Regards, Tim

3 3

ECC code rework
by Dmitry Eremin-Solenikov 24 Nov '19

24 Nov '19

Hello colleagues, I have been working on support for two particularly strange GOST curves, which are defined in Weierstrass form, but there exists a birationally equivalent Untwisted Edwards form (so all sign/verify calculations should be done in Edwards form). Major issues came from the fact that I have tried defining generator point in Edwards form (which is more logical). During this rework I thought about switching ecc_point from bearing just x and y coordinates to have per-curve defined coordinates (like projectile or inverted). WDYT? -- With best wishes Dmitry

2 10

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

nettle-bugs November 2019