[PATCH v4 2/4] Add support for GOST GC512A curve

From: Dmitry Eremin-Solenikov dbaryshkov@gmail.com

Add support for GC512A curve ("TLS Supported Groups" registry, draft-smyshlyaev-tls12-gost-suites) also known as tc26-gost-3410-12-512-paramSetA (RFC 7836).

Signed-off-by: Dmitry Eremin-Solenikov dbaryshkov@gmail.com --- .gitignore | 1 + Makefile.in | 14 ++++- ecc-curve.h | 1 + ecc-gost-gc512a.c | 128 +++++++++++++++++++++++++++++++++++++++ ecc-internal.h | 1 + eccdata.c | 38 ++++++++++++ examples/ecc-benchmark.c | 1 + testsuite/testutils.c | 18 +++++- 8 files changed, 198 insertions(+), 4 deletions(-) create mode 100644 ecc-gost-gc512a.c

diff --git a/.gitignore b/.gitignore index 4454ade5a950..2e64c187574f 100644 --- a/.gitignore +++ b/.gitignore @@ -46,6 +46,7 @@ core /ecc-curve25519.h /ecc-curve448.h /ecc-gc256b.h +/ecc-gc512a.h /ecc-secp192r1.h /ecc-secp224r1.h /ecc-secp256r1.h diff --git a/Makefile.in b/Makefile.in index 9c1a925462aa..a08dfe4da481 100644 --- a/Makefile.in +++ b/Makefile.in @@ -176,7 +176,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-mod.c ecc-mod-inv.c \ ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ ecc-curve25519.c ecc-curve448.c \ - ecc-gost-gc256b.c \ + ecc-gost-gc256b.c ecc-gost-gc512a.c \ ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \ ecc-secp384r1.c ecc-secp521r1.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ @@ -405,6 +405,15 @@ ecc-curve448.h: eccdata.stamp ecc-gost-gc256b.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) gost_gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@

+# Some reasonable choices for 512: +# k = 22, c = 6, S = 256, T = 110 ( 88 A + 22 D) 32 KB +# k = 29, c = 6, S = 192, T = 116 ( 87 A + 29 D) 24 KB +# k = 21, c = 5, S = 160, T = 126 (105 A + 21 D) 20 KB +# k = 43, c = 6, S = 128, T = 129 ( 86 A + 43 D) 16 KB +# k = 35, c = 5, S = 96, T = 140 (105 A + 35 D) 12 KB +ecc-gost-gc512a.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) gost_gc512a 43 6 $(NUMB_BITS) > $@T && mv $@T $@ + eccdata.stamp: eccdata.c $(MAKE) eccdata$(EXEEXT_FOR_BUILD) echo stamp > eccdata.stamp @@ -412,6 +421,7 @@ eccdata.stamp: eccdata.c ecc-curve25519.$(OBJEXT): ecc-curve25519.h ecc-curve448.$(OBJEXT): ecc-curve448.h ecc-gost-gc256b.$(OBJEXT): ecc-gost-gc256b.h +ecc-gost-gc512a.$(OBJEXT): ecc-gost-gc512a.h ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h ecc-secp256r1.$(OBJEXT): ecc-secp256r1.h @@ -670,7 +680,7 @@ distcheck: dist clean-here: -rm -f $(TARGETS) *.$(OBJEXT) *.s *.so *.dll *.a \ ecc-curve25519.h ecc-curve448.h \ - ecc-gost-gc256b.h \ + ecc-gost-gc256b.h ecc-gost-gc512a.h \ ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \ ecc-secp384r1.h ecc-secp521r1.h \ aesdata$(EXEEXT_FOR_BUILD) \ diff --git a/ecc-curve.h b/ecc-curve.h index da07b0232d42..8f050404a944 100644 --- a/ecc-curve.h +++ b/ecc-curve.h @@ -44,6 +44,7 @@ extern "C" { struct ecc_curve;

const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256b(void); +const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc512a(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_256r1(void); diff --git a/ecc-gost-gc512a.c b/ecc-gost-gc512a.c new file mode 100644 index 000000000000..4baec1f5945d --- /dev/null +++ b/ecc-gost-gc512a.c @@ -0,0 +1,128 @@ +/* ecc-gost-gc512a.c + + Copyright (C) 2016-2020 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> + +#include "ecc.h" +#include "ecc-internal.h" + +#define USE_REDC 0 + +#include "ecc-gost-gc512a.h" + +static void +ecc_gc512a_modp (const struct ecc_modulo *m, mp_limb_t *rp) +{ + mp_size_t mn = m->size; + mp_limb_t hi; + + hi = mpn_addmul_1(rp, rp + mn, mn, 0x239); + hi = sec_add_1 (rp, rp, mn, hi * 0x239); + hi = sec_add_1 (rp, rp, mn, hi * 0x239); + assert(hi == 0); +} + +#define ecc_gc512a_modp ecc_gc512a_modp +#define ecc_gc512a_modq ecc_mod + +const struct ecc_curve _nettle_gost_gc512a = +{ + { + 512, + ECC_LIMB_SIZE, + ECC_BMODP_SIZE, + ECC_REDC_SIZE, + ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), + 0, + + ecc_p, + ecc_Bmodp, + ecc_Bmodp_shifted, + ecc_redc_ppm1, + + ecc_pp1h, + ecc_gc512a_modp, + ecc_gc512a_modp, + ecc_mod_inv, + NULL, + }, + { + 512, + ECC_LIMB_SIZE, + ECC_BMODQ_SIZE, + 0, + ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), + 0, + + ecc_q, + ecc_Bmodq, + ecc_Bmodq_shifted, + NULL, + ecc_qp1h, + + ecc_gc512a_modq, + ecc_gc512a_modq, + ecc_mod_inv, + NULL, + }, + + USE_REDC, + ECC_PIPPENGER_K, + ECC_PIPPENGER_C, + + ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), + ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), + ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), + ECC_MUL_A_ITCH (ECC_LIMB_SIZE), + ECC_MUL_G_ITCH (ECC_LIMB_SIZE), + ECC_J_TO_A_ITCH (ECC_LIMB_SIZE), + + ecc_add_jja, + ecc_add_jjj, + ecc_dup_jj, + ecc_mul_a, + ecc_mul_g, + ecc_j_to_a, + + ecc_b, + ecc_g, + ecc_unit, + ecc_table +}; + +const struct ecc_curve *nettle_get_gost_gc512a(void) +{ + return &_nettle_gost_gc512a; +} diff --git a/ecc-internal.h b/ecc-internal.h index 53305bc08404..cef1366545e0 100644 --- a/ecc-internal.h +++ b/ecc-internal.h @@ -93,6 +93,7 @@ extern const struct ecc_curve _nettle_curve448;

/* GOST curves, visible with underscore prefix for now */ extern const struct ecc_curve _nettle_gost_gc256b; +extern const struct ecc_curve _nettle_gost_gc512a;

#define ECC_MAX_SIZE ((521 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)

diff --git a/eccdata.c b/eccdata.c index fd27d56aebdf..06b6937aebc5 100644 --- a/eccdata.c +++ b/eccdata.c @@ -705,6 +705,44 @@ ecc_curve_init (struct ecc_curve *ecc, const char *curve) "f7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e4b7", "83ccf17ba6706d73625cc3534c7a2b9d6ec1ee6a9a7e07c10d84b388de59f741");

+ } + else if (!strcmp (curve, "gost_gc512a")) + { + ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, + "ffffffffffffffffffffffffffffffff" + "ffffffffffffffffffffffffffffffff" + "ffffffffffffffffffffffffffffffff" + "fffffffffffffffffffffffffffffdc7", + "e8c2505dedfc86ddc1bd0b2b6667f1da" + "34b82574761cb0e879bd081cfd0b6265" + "ee3cb090f30d27614cb4574010da90dd" + "862ef9d4ebee4761503190785a71c760", + "ffffffffffffffffffffffffffffffff" + "ffffffffffffffffffffffffffffffff" + "27e69532f48d89116ff22b8d4e056060" + "9b4b38abfad2b85dcacdb1411f10b275", + "00000000000000000000000000000000" + "00000000000000000000000000000000" + "00000000000000000000000000000000" + "00000000000000000000000000000003", + "7503cfe87a836ae3a61b8816e25450e6" + "ce5e1c93acf1abc1778064fdcbefa921" + "df1626be4fd036e93d75e6a50e3a41e9" + "8028fe5fc235f5b889a589cb5215f2a4"); + + ecc->ref = ecc_alloc (3); + ecc_set_str (&ecc->ref[0], /* 2 g */ + "3b89dcfc622996ab97a5869dbff15cf51db00954f43a58a5e5f6b0470a132b2f4434bbcd405d2a9516151d2a6a04f2e4375bf48de1fdb21fb982afd9d2ea137c", + "c813c4e2e2e0a8a391774c7903da7a6f14686e98e183e670ee6fb784809a3e92ca209dc631d85b1c7534ed3b37fddf64d854d7e01f91f18bb3fd307591afc051"); + + ecc_set_str (&ecc->ref[1], /* 3 g */ + "a1ff1ab2712a267eb53935ddb5a567f84db156cc096168a1174291d5f488fba543d2840b4d2dd35d764b2f57b308907aec55cfba10544e8416e134687ccb87c3", + "3cb5c4417ec4637f30374f189bb5b984c41e3a48d7f84fbfa3819e3f333f7eb311d3af7e67c4c16eeacfac2fe94c6dd4c6366f711a4fb6c7125cd7ec518d90d6"); + + ecc_set_str (&ecc->ref[2], /* 4 g */ + "b7bfb80956c8670031ba191929f64e301d681634236d47a60e571a4bedc0ef257452ef78b5b98dbb3d9f3129d9349433ce2a3a35cb519c91e2d633d7b373ae16", + "3bee95e29eecc5d5ad2beba941abcbf9f1cad478df0fecf614f63aeebef77850da7efdb93de8f3df80bc25eac09239c14175f5c29704ce9a3e383f1b3ec0e929"); + } else if (!strcmp (curve, "curve448")) { diff --git a/examples/ecc-benchmark.c b/examples/ecc-benchmark.c index 42035ca0fc8d..a529cf16ab3a 100644 --- a/examples/ecc-benchmark.c +++ b/examples/ecc-benchmark.c @@ -315,6 +315,7 @@ const struct ecc_curve * const curves[] = { &_nettle_curve448, &_nettle_secp_521r1, &_nettle_gost_gc256b, + &_nettle_gost_gc512a, };

#define numberof(x) (sizeof (x) / sizeof ((x)[0])) diff --git a/testsuite/testutils.c b/testsuite/testutils.c index 086bcbc860c7..61d52d92fc04 100644 --- a/testsuite/testutils.c +++ b/testsuite/testutils.c @@ -1678,6 +1678,7 @@ const struct ecc_curve * const ecc_curves[] = { &_nettle_curve25519, &_nettle_curve448, &_nettle_gost_gc256b, + &_nettle_gost_gc512a, NULL };

@@ -1729,7 +1730,7 @@ void test_ecc_mul_a (unsigned curve, unsigned n, const mp_limb_t *p) { /* For each curve, the points 2 g, 3 g and 4 g */ - static const struct ecc_ref_point ref[8][3] = { + static const struct ecc_ref_point ref[9][3] = { { { "dafebf5828783f2ad35534631588a3f629a70fb16982a888", "dd6bda0d993da0fa46b27bbc141b868f59331afa5c7e93ab" }, { "76e32a2557599e6edcd283201fb2b9aadfd0d359cbb263da", @@ -1804,9 +1805,22 @@ test_ecc_mul_a (unsigned curve, unsigned n, const mp_limb_t *p) "76bcd1ca9a23b041d4d9baf507a6cd821267a94c838768e8486117796b788a51" }, { "f7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e4b7", "83ccf17ba6706d73625cc3534c7a2b9d6ec1ee6a9a7e07c10d84b388de59f741" }, + }, + { { "3b89dcfc622996ab97a5869dbff15cf51db00954f43a58a5e5f6b0470a132b2f" + "4434bbcd405d2a9516151d2a6a04f2e4375bf48de1fdb21fb982afd9d2ea137c", + "c813c4e2e2e0a8a391774c7903da7a6f14686e98e183e670ee6fb784809a3e92" + "ca209dc631d85b1c7534ed3b37fddf64d854d7e01f91f18bb3fd307591afc051" }, + { "a1ff1ab2712a267eb53935ddb5a567f84db156cc096168a1174291d5f488fba5" + "43d2840b4d2dd35d764b2f57b308907aec55cfba10544e8416e134687ccb87c3", + "3cb5c4417ec4637f30374f189bb5b984c41e3a48d7f84fbfa3819e3f333f7eb3" + "11d3af7e67c4c16eeacfac2fe94c6dd4c6366f711a4fb6c7125cd7ec518d90d6" }, + { "b7bfb80956c8670031ba191929f64e301d681634236d47a60e571a4bedc0ef25" + "7452ef78b5b98dbb3d9f3129d9349433ce2a3a35cb519c91e2d633d7b373ae16", + "3bee95e29eecc5d5ad2beba941abcbf9f1cad478df0fecf614f63aeebef77850" + "da7efdb93de8f3df80bc25eac09239c14175f5c29704ce9a3e383f1b3ec0e929" }, } }; - assert (curve < 8); + assert (curve < 9); assert (n <= 4); if (n == 0) {