From: Dmitry Baryshkov dbaryshkov@gmail.com
GOST curves will require different "fixups" for fast (mul X mod p) operations. Move these operations to ecc_modulo structure and call them via function pointer.
Signed-off-by: Dmitry Baryshkov dbaryshkov@gmail.com --- ecc-add-jja.c | 8 ++++---- ecc-add-jjj.c | 8 ++++---- ecc-curve25519.c | 6 ++++++ ecc-curve448.c | 6 ++++++ ecc-dup-jj.c | 8 ++++---- ecc-gost-gc256b.c | 6 ++++++ ecc-gost-gc512a.c | 6 ++++++ ecc-internal.h | 25 ++++++++++++++++--------- ecc-mod-arith.c | 12 ++++++------ ecc-mul-m.c | 6 +++--- ecc-secp192r1.c | 6 ++++++ ecc-secp224r1.c | 6 ++++++ ecc-secp256r1.c | 6 ++++++ ecc-secp384r1.c | 6 ++++++ ecc-secp521r1.c | 6 ++++++ 15 files changed, 91 insertions(+), 30 deletions(-)
diff --git a/ecc-add-jja.c b/ecc-add-jja.c index 037711d38249..55ad954587da 100644 --- a/ecc-add-jja.c +++ b/ecc-add-jja.c @@ -102,10 +102,10 @@ ecc_add_jja (const struct ecc_curve *ecc, /* w */ ecc_mod_mul (&ecc->p, j, y2, w); ecc_mod_sub (&ecc->p, w, j, y1); - ecc_mod_mul_1 (&ecc->p, w, w, 2); + ecc->p.mul_1 (&ecc->p, w, w, 2);
/* i replaces hh, j */ - ecc_mod_mul_1 (&ecc->p, hh, hh, 4); + ecc->p.mul_1 (&ecc->p, hh, hh, 4); ecc_mod_mul (&ecc->p, j, hh, h);
/* v */ @@ -114,12 +114,12 @@ ecc_add_jja (const struct ecc_curve *ecc, /* x_3, use (h, hh) as sqratch */ ecc_mod_sqr (&ecc->p, h, w); ecc_mod_sub (&ecc->p, r, h, j); - ecc_mod_submul_1 (&ecc->p, r, v, 2); + ecc->p.submul_1 (&ecc->p, r, v, 2);
/* y_3, use (h, hh) as sqratch */ ecc_mod_mul (&ecc->p, h, y1, j); /* frees j */ ecc_mod_sub (&ecc->p, r + ecc->p.size, v, r); ecc_mod_mul (&ecc->p, j, r + ecc->p.size, w); - ecc_mod_submul_1 (&ecc->p, j, h, 2); + ecc->p.submul_1 (&ecc->p, j, h, 2); mpn_copyi (r + ecc->p.size, j, ecc->p.size); } diff --git a/ecc-add-jjj.c b/ecc-add-jjj.c index 54b2246aeb24..cad26193234a 100644 --- a/ecc-add-jjj.c +++ b/ecc-add-jjj.c @@ -94,14 +94,14 @@ ecc_add_jjj (const struct ecc_curve *ecc, ecc_mod_mul (&ecc->p, s1, p + ecc->p.size, v); ecc_mod_mul (&ecc->p, v, j, q + ecc->p.size); ecc_mod_sub (&ecc->p, s2, v, s1); - ecc_mod_mul_1 (&ecc->p, s2, s2, 2); + ecc->p.mul_1 (&ecc->p, s2, s2, 2);
/* Store z3 */ mpn_copyi (r + 2*ecc->p.size, i, ecc->p.size);
/* i, j, v */ ecc_mod_sqr (&ecc->p, i, u2); - ecc_mod_mul_1 (&ecc->p, i, i, 4); + ecc->p.mul_1 (&ecc->p, i, i, 4); ecc_mod_mul (&ecc->p, j, u2, i); ecc_mod_mul (&ecc->p, v, u1, i);
@@ -109,12 +109,12 @@ ecc_add_jjj (const struct ecc_curve *ecc, /* x3, use u1, u2 as scratch */ ecc_mod_sqr (&ecc->p, u1, s2); ecc_mod_sub (&ecc->p, r, u1, j); - ecc_mod_submul_1 (&ecc->p, r, v, 2); + ecc->p.submul_1 (&ecc->p, r, v, 2);
/* y3 */ ecc_mod_mul (&ecc->p, u1, s1, j); /* Frees j */ ecc_mod_sub (&ecc->p, u2, v, r); /* Frees v */ ecc_mod_mul (&ecc->p, i, s2, u2); - ecc_mod_submul_1 (&ecc->p, i, u1, 2); + ecc->p.submul_1 (&ecc->p, i, u1, 2); mpn_copyi (r + ecc->p.size, i, ecc->p.size); } diff --git a/ecc-curve25519.c b/ecc-curve25519.c index f8f2c64af868..04df696f7357 100644 --- a/ecc-curve25519.c +++ b/ecc-curve25519.c @@ -310,6 +310,9 @@ const struct ecc_curve _nettle_curve25519 = ecc_curve25519_modp, ecc_curve25519_inv, ecc_curve25519_sqrt, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 253, @@ -329,6 +332,9 @@ const struct ecc_curve _nettle_curve25519 = ecc_curve25519_modq, ecc_mod_inv, NULL, + + NULL, + NULL, },
0, /* No redc */ diff --git a/ecc-curve448.c b/ecc-curve448.c index 484b7d1e0870..ce7a25d14c4e 100644 --- a/ecc-curve448.c +++ b/ecc-curve448.c @@ -288,6 +288,9 @@ const struct ecc_curve _nettle_curve448 = ecc_curve448_modp, ecc_curve448_inv, ecc_curve448_sqrt, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 446, @@ -307,6 +310,9 @@ const struct ecc_curve _nettle_curve448 = ecc_mod, /* FIXME: Implement optimized reduce function */ ecc_mod_inv, NULL, + + NULL, + NULL, },
0, /* No redc */ diff --git a/ecc-dup-jj.c b/ecc-dup-jj.c index 2247e8fdfd5a..4bbd5163c0e3 100644 --- a/ecc-dup-jj.c +++ b/ecc-dup-jj.c @@ -87,7 +87,7 @@ ecc_dup_jj (const struct ecc_curve *ecc, ecc_mod_add (&ecc->p, sum, xp, delta); ecc_mod_sub (&ecc->p, delta, xp, delta); ecc_mod_mul (&ecc->p, beta, sum, delta); - ecc_mod_mul_1 (&ecc->p, alpha, beta, 3); + ecc->p.mul_1 (&ecc->p, alpha, beta, 3);
/* beta */ ecc_mod_mul (&ecc->p, beta, xp, gamma); @@ -95,16 +95,16 @@ ecc_dup_jj (const struct ecc_curve *ecc, /* Do gamma^2 and 4*beta early, to get them out of the way. We can then use the old area at gamma as scratch. */ ecc_mod_sqr (&ecc->p, g2, gamma); - ecc_mod_mul_1 (&ecc->p, sum, beta, 4); + ecc->p.mul_1 (&ecc->p, sum, beta, 4);
/* x' */ ecc_mod_sqr (&ecc->p, gamma, alpha); /* Overwrites gamma and beta */ - ecc_mod_submul_1 (&ecc->p, gamma, sum, 2); + ecc->p.submul_1 (&ecc->p, gamma, sum, 2); mpn_copyi (r, gamma, ecc->p.size);
/* y' */ ecc_mod_sub (&ecc->p, sum, sum, r); ecc_mod_mul (&ecc->p, gamma, sum, alpha); - ecc_mod_submul_1 (&ecc->p, gamma, g2, 8); + ecc->p.submul_1 (&ecc->p, gamma, g2, 8); mpn_copyi (r + ecc->p.size, gamma, ecc->p.size); } diff --git a/ecc-gost-gc256b.c b/ecc-gost-gc256b.c index a23d46fc8af6..24e1ac6c99a7 100644 --- a/ecc-gost-gc256b.c +++ b/ecc-gost-gc256b.c @@ -77,6 +77,9 @@ const struct ecc_curve _nettle_gost_gc256b = ecc_gost_gc256b_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 256, @@ -96,6 +99,9 @@ const struct ecc_curve _nettle_gost_gc256b = ecc_gost_gc256b_modq, ecc_mod_inv, NULL, + + NULL, + NULL, },
USE_REDC, diff --git a/ecc-gost-gc512a.c b/ecc-gost-gc512a.c index 398762c337d6..5de4eda85d9c 100644 --- a/ecc-gost-gc512a.c +++ b/ecc-gost-gc512a.c @@ -77,6 +77,9 @@ const struct ecc_curve _nettle_gost_gc512a = ecc_gost_gc512a_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 512, @@ -96,6 +99,9 @@ const struct ecc_curve _nettle_gost_gc512a = ecc_gost_gc512a_modq, ecc_mod_inv, NULL, + + NULL, + NULL, },
USE_REDC, diff --git a/ecc-internal.h b/ecc-internal.h index 9e24e0ce4521..e1380bfb2b20 100644 --- a/ecc-internal.h +++ b/ecc-internal.h @@ -44,9 +44,9 @@ #define ecc_pm1_redc _nettle_ecc_pm1_redc #define ecc_mod_add _nettle_ecc_mod_add #define ecc_mod_sub _nettle_ecc_mod_sub -#define ecc_mod_mul_1 _nettle_ecc_mod_mul_1 -#define ecc_mod_addmul_1 _nettle_ecc_mod_addmul_1 -#define ecc_mod_submul_1 _nettle_ecc_mod_submul_1 +#define ecc_mod_mul_1_std _nettle_ecc_mod_mul_1_std +#define ecc_mod_addmul_1_std _nettle_ecc_mod_addmul_1_std +#define ecc_mod_submul_1_std _nettle_ecc_mod_submul_1_std #define ecc_mod_mul _nettle_ecc_mod_mul #define ecc_mod_sqr _nettle_ecc_mod_sqr #define ecc_mod_random _nettle_ecc_mod_random @@ -146,6 +146,10 @@ typedef void ecc_h_to_a_func (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch);
+typedef void ecc_mod_mul_1_func (const struct ecc_modulo *m, + mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b); + struct ecc_modulo { unsigned short bit_size; @@ -170,6 +174,9 @@ struct ecc_modulo ecc_mod_func *reduce; ecc_mod_inv_func *invert; ecc_mod_sqrt_func *sqrt; + + ecc_mod_mul_1_func *mul_1; + ecc_mod_mul_1_func *submul_1; };
/* Represents an elliptic curve of the form @@ -237,15 +244,15 @@ ecc_mod_sub (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp);
void -ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, const mp_limb_t b); +ecc_mod_mul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t b);
void -ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b); +ecc_mod_addmul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b); void -ecc_mod_submul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b); +ecc_mod_submul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b);
/* The mul and sqr functions need 2*m->size limbs at rp */ void diff --git a/ecc-mod-arith.c b/ecc-mod-arith.c index f2e47f6747c1..0399a2cdd7c5 100644 --- a/ecc-mod-arith.c +++ b/ecc-mod-arith.c @@ -65,8 +65,8 @@ ecc_mod_sub (const struct ecc_modulo *m, mp_limb_t *rp, }
void -ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b) +ecc_mod_mul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b) { mp_limb_t hi;
@@ -80,8 +80,8 @@ ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, }
void -ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b) +ecc_mod_addmul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b) { mp_limb_t hi;
@@ -95,8 +95,8 @@ ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp, }
void -ecc_mod_submul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b) +ecc_mod_submul_1_std (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b) { mp_limb_t hi;
diff --git a/ecc-mul-m.c b/ecc-mul-m.c index 68bdd16e8e94..539b9d0677e7 100644 --- a/ecc-mul-m.c +++ b/ecc-mul-m.c @@ -80,7 +80,7 @@ ecc_mul_m (const struct ecc_modulo *m, ecc_mod_sqr (m, BB, B); ecc_mod_mul (m, x3, AA, BB); ecc_mod_sub (m, E, AA, BB); - ecc_mod_addmul_1 (m, AA, E, a24); + ecc_mod_addmul_1_std (m, AA, E, a24); ecc_mod_mul (m, z3, E, AA);
for (i = bit_high; i >= bit_low; i--) @@ -98,7 +98,7 @@ ecc_mul_m (const struct ecc_modulo *m, ecc_mod_sqr (m, BB, B); ecc_mod_mul (m, x2, AA, BB); /* Last use of BB */ ecc_mod_sub (m, E, AA, BB); - ecc_mod_addmul_1 (m, AA, E, a24); + ecc_mod_addmul_1_std (m, AA, E, a24); ecc_mod_add (m, C, x3, z3); ecc_mod_sub (m, D, x3, z3); ecc_mod_mul (m, z2, E, AA); /* Last use of E and AA */ @@ -124,7 +124,7 @@ ecc_mul_m (const struct ecc_modulo *m, ecc_mod_sqr (m, BB, B); ecc_mod_mul (m, x2, AA, BB); ecc_mod_sub (m, E, AA, BB); - ecc_mod_addmul_1 (m, AA, E, a24); + ecc_mod_addmul_1_std (m, AA, E, a24); ecc_mod_mul (m, z2, E, AA); } assert (m->invert_itch <= 7 * m->size); diff --git a/ecc-secp192r1.c b/ecc-secp192r1.c index 046026f3f697..79080495ec7e 100644 --- a/ecc-secp192r1.c +++ b/ecc-secp192r1.c @@ -130,6 +130,9 @@ const struct ecc_curve _nettle_secp_192r1 = ecc_secp192r1_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 192, @@ -149,6 +152,9 @@ const struct ecc_curve _nettle_secp_192r1 = ecc_mod, ecc_mod_inv, NULL, + + NULL, + NULL, },
USE_REDC, diff --git a/ecc-secp224r1.c b/ecc-secp224r1.c index 05d84017a68a..064a9e2f7fd4 100644 --- a/ecc-secp224r1.c +++ b/ecc-secp224r1.c @@ -82,6 +82,9 @@ const struct ecc_curve _nettle_secp_224r1 = USE_REDC ? ecc_secp224r1_redc : ecc_secp224r1_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 224, @@ -101,6 +104,9 @@ const struct ecc_curve _nettle_secp_224r1 = ecc_mod, ecc_mod_inv, NULL, + + NULL, + NULL, },
USE_REDC, diff --git a/ecc-secp256r1.c b/ecc-secp256r1.c index d399642453d5..0a25a086f3fe 100644 --- a/ecc-secp256r1.c +++ b/ecc-secp256r1.c @@ -259,6 +259,9 @@ const struct ecc_curve _nettle_secp_256r1 = USE_REDC ? ecc_secp256r1_redc : ecc_secp256r1_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 256, @@ -278,6 +281,9 @@ const struct ecc_curve _nettle_secp_256r1 = ecc_secp256r1_modq, ecc_mod_inv, NULL, + + NULL, + NULL, },
USE_REDC, diff --git a/ecc-secp384r1.c b/ecc-secp384r1.c index 54bcd1128d39..5a9131f72c98 100644 --- a/ecc-secp384r1.c +++ b/ecc-secp384r1.c @@ -167,6 +167,9 @@ const struct ecc_curve _nettle_secp_384r1 = ecc_secp384r1_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 384, @@ -186,6 +189,9 @@ const struct ecc_curve _nettle_secp_384r1 = ecc_mod, ecc_mod_inv, NULL, + + NULL, + NULL, },
USE_REDC, diff --git a/ecc-secp521r1.c b/ecc-secp521r1.c index 776f7ae03e27..f01a97537eb8 100644 --- a/ecc-secp521r1.c +++ b/ecc-secp521r1.c @@ -95,6 +95,9 @@ const struct ecc_curve _nettle_secp_521r1 = ecc_secp521r1_modp, ecc_mod_inv, NULL, + + ecc_mod_mul_1_std, + ecc_mod_submul_1_std, }, { 521, @@ -114,6 +117,9 @@ const struct ecc_curve _nettle_secp_521r1 = ecc_mod, ecc_mod_inv, NULL, + + NULL, + NULL, },
USE_REDC,
From: Dmitry Baryshkov dbaryshkov@gmail.com
Add support for GC256C curve ("TLS Supported Groups" registry, draft-smyshlyaev-tls12-gost-suites) also known as GostR3410-2001-CryptoPro-B (RFC 4357).
Signed-off-by: Dmitry Baryshkov dbaryshkov@gmail.com --- .gitignore | 1 + Makefile.in | 10 +- ecc-curve.h | 1 + ecc-gost-gc256c.c | 174 ++++++++++++++++++++++++++++++++ ecc-internal.h | 1 + eccdata.c | 32 ++++++ examples/ecc-benchmark.c | 1 + nettle.texinfo | 8 ++ testsuite/gostdsa-sign-test.c | 11 ++ testsuite/gostdsa-verify-test.c | 11 ++ testsuite/testutils.c | 14 ++- 11 files changed, 260 insertions(+), 4 deletions(-) create mode 100644 ecc-gost-gc256c.c
diff --git a/.gitignore b/.gitignore index 48e2b7f464da..a94d279e5d18 100644 --- a/.gitignore +++ b/.gitignore @@ -46,6 +46,7 @@ core /ecc-curve25519.h /ecc-curve448.h /ecc-gost-gc256b.h +/ecc-gost-gc256c.h /ecc-gost-gc512a.h /ecc-secp192r1.h /ecc-secp224r1.h diff --git a/Makefile.in b/Makefile.in index d4fcb81302a2..7330ab893131 100644 --- a/Makefile.in +++ b/Makefile.in @@ -180,7 +180,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-mod.c ecc-mod-inv.c \ ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ ecc-curve25519.c ecc-curve448.c \ - ecc-gost-gc256b.c ecc-gost-gc512a.c \ + ecc-gost-gc256b.c ecc-gost-gc256c.c \ + ecc-gost-gc512a.c \ ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \ ecc-secp384r1.c ecc-secp521r1.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ @@ -391,6 +392,9 @@ ecc-curve448.h: eccdata.stamp ecc-gost-gc256b.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) gost_gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@
+ecc-gost-gc256c.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) gost_gc256c 11 6 $(NUMB_BITS) > $@T && mv $@T $@ + # Some reasonable choices for 512: # k = 22, c = 6, S = 256, T = 110 ( 88 A + 22 D) 32 KB # k = 29, c = 6, S = 192, T = 116 ( 87 A + 29 D) 24 KB @@ -407,6 +411,7 @@ eccdata.stamp: eccdata.c ecc-curve25519.$(OBJEXT): ecc-curve25519.h ecc-curve448.$(OBJEXT): ecc-curve448.h ecc-gost-gc256b.$(OBJEXT): ecc-gost-gc256b.h +ecc-gost-gc256c.$(OBJEXT): ecc-gost-gc256c.h ecc-gost-gc512a.$(OBJEXT): ecc-gost-gc512a.h ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h @@ -661,7 +666,8 @@ distcheck: dist clean-here: -rm -f $(TARGETS) *.$(OBJEXT) *.$(OBJEXT).d *.s *.so *.dll *.a \ ecc-curve25519.h ecc-curve448.h \ - ecc-gost-gc256b.h ecc-gost-gc512a.h \ + ecc-gost-gc256b.h ecc-gost-gc256c.h \ + ecc-gost-gc512a.h \ ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \ ecc-secp384r1.h ecc-secp521r1.h \ aesdata$(EXEEXT_FOR_BUILD) \ diff --git a/ecc-curve.h b/ecc-curve.h index 8f050404a944..30a33d43782b 100644 --- a/ecc-curve.h +++ b/ecc-curve.h @@ -44,6 +44,7 @@ extern "C" { struct ecc_curve;
const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256b(void); +const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256c(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc512a(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void); diff --git a/ecc-gost-gc256c.c b/ecc-gost-gc256c.c new file mode 100644 index 000000000000..258cf75a26bc --- /dev/null +++ b/ecc-gost-gc256c.c @@ -0,0 +1,174 @@ +/* ecc-gost-gc256c.c + + Compile time constant (but machine dependent) tables. + + Copyright (C) 2016, 2019 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> + +#include "ecc.h" +#include "ecc-internal.h" + +#define USE_REDC 0 + +#include "ecc-gost-gc256c.h" + +static void +ecc_gost_gc256c_modp (const struct ecc_modulo *m, mp_limb_t *rp) +{ + mp_size_t mn = m->size; + mp_limb_t hi; + + hi = mpn_submul_1(rp, rp + mn, mn, 0xc99 * 2); + hi = sec_add_1 (rp, rp, mn, hi * 0xc99 * 2); + hi = sec_sub_1 (rp, rp, mn, hi * 0xc99 * 2); + assert(hi <= 1); + hi = cnd_sub_n (hi, rp, m->B, mn); + assert(hi == 0); +} + +static void +ecc_gost_gc256c_modq (const struct ecc_modulo *p, mp_limb_t *rp) +{ + mp_size_t mn = p->size; + mpz_t r, a, m; + mpz_init (r); + mpz_mod (r, mpz_roinit_n (a, rp, 2*mn), mpz_roinit_n (m, p->m, mn)); + mpz_limbs_copy (rp, r, mn); + + mpz_clear (r); +} + +static void +ecc_gost_gc256c_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b) +{ + mp_limb_t hi; + + assert (b <= 0xffffffff); + hi = mpn_mul_1 (rp, ap, m->size, b); + hi = mpn_sub_1 (rp, rp, m->size, hi * 0xc99 * 2); + assert(hi <= 1); + hi = cnd_add_n (hi, rp, m->B, m->size); + assert(hi == 0); +} + +static void +ecc_gost_gc256c_mod_submul_1 (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b) +{ + mp_limb_t hi; + + assert (b <= 0xffffffff); + hi = mpn_submul_1 (rp, ap, m->size, b); + hi = mpn_add_1 (rp, rp, m->size, hi * 0xc99 * 2); + assert(hi <= 1); + hi = cnd_sub_n (hi, rp, m->B, m->size); + assert(hi == 0); +} + +const struct ecc_curve _nettle_gost_gc256c = +{ + { + 256, + ECC_LIMB_SIZE, + ECC_BMODP_SIZE, + ECC_REDC_SIZE, + ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), + 0, + + ecc_p, + ecc_Bmodp, + ecc_Bmodp_shifted, + ecc_redc_ppm1, + + ecc_pp1h, + ecc_gost_gc256c_modp, + ecc_gost_gc256c_modp, + ecc_mod_inv, + NULL, + + ecc_gost_gc256c_mod_mul_1, + ecc_gost_gc256c_mod_submul_1, + }, + { + 256, + ECC_LIMB_SIZE, + ECC_BMODQ_SIZE, + 0, + ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), + 0, + + ecc_q, + ecc_Bmodq, + ecc_Bmodq_shifted, + NULL, + ecc_qp1h, + + ecc_gost_gc256c_modq, + ecc_gost_gc256c_modq, + ecc_mod_inv, + NULL, + + NULL, + NULL, + }, + + USE_REDC, + ECC_PIPPENGER_K, + ECC_PIPPENGER_C, + + ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), + ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), + ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), + ECC_MUL_A_ITCH (ECC_LIMB_SIZE), + ECC_MUL_G_ITCH (ECC_LIMB_SIZE), + ECC_J_TO_A_ITCH (ECC_LIMB_SIZE), + + ecc_add_jja, + ecc_add_jjj, + ecc_dup_jj, + ecc_mul_a, + ecc_mul_g, + ecc_j_to_a, + + ecc_b, + ecc_unit, + ecc_table +}; + +const struct ecc_curve *nettle_get_gost_gc256c(void) +{ + return &_nettle_gost_gc256c; +} diff --git a/ecc-internal.h b/ecc-internal.h index e1380bfb2b20..6b84ba6fb2f4 100644 --- a/ecc-internal.h +++ b/ecc-internal.h @@ -94,6 +94,7 @@ extern const struct ecc_curve _nettle_curve448;
/* GOST curves, visible with underscore prefix for now */ extern const struct ecc_curve _nettle_gost_gc256b; +extern const struct ecc_curve _nettle_gost_gc256c; extern const struct ecc_curve _nettle_gost_gc512a;
#define ECC_MAX_SIZE ((521 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS) diff --git a/eccdata.c b/eccdata.c index 1b4cb0b5083e..182d4982e849 100644 --- a/eccdata.c +++ b/eccdata.c @@ -705,6 +705,38 @@ ecc_curve_init (struct ecc_curve *ecc, const char *curve) "f7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e4b7", "83ccf17ba6706d73625cc3534c7a2b9d6ec1ee6a9a7e07c10d84b388de59f741");
+ } + else if (!strcmp (curve, "gost_gc256c")) + { + ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, + "80000000000000000000000000000000" + "00000000000000000000000000000c99", + + "3e1af419a269a5f866a7d3c25c3df80a" + "e979259373ff2b182f49d4ce7e1bbc8b", + + "80000000000000000000000000000001" + "5f700cfff1a624e5e497161bcc8a198f", + + "00000000000000000000000000000000" + "00000000000000000000000000000001", + + "3fa8124359f96680b83d1c3eb2c070e5" + "c545c9858d03ecfb744bf8d717717efc"); + + ecc->ref = ecc_alloc (3); + ecc_set_str (&ecc->ref[0], /* 2 g */ + "8000000000000000000000000000000000000000000000000000000000000c97", + "4057edbca606997f47c2e3c14d3f8f1a3aba367a72fc13048bb40728e88e8d9d"); + + ecc_set_str (&ecc->ref[1], /* 3 g */ + "1b9a33999d8449c3bbd8cfe49ac6355a2ee0827a6c71687c86cb7b0670efe205", + "1876d998a19da37a120e76cb42f4f5225197279b612f712171a4648fe4a3ff12"); + + ecc_set_str (&ecc->ref[2], /* 4 g */ + "5fa13ecfadd7ae00c2e65d0ac6cac1deda6d60e577afe90915671b08bbb9065e", + "1b3c2859166129ac6dafee570ab9d40d33fdc25c7253c72f4e3fa77223ab016a"); + } else if (!strcmp (curve, "gost_gc512a")) { diff --git a/examples/ecc-benchmark.c b/examples/ecc-benchmark.c index a529cf16ab3a..b774d046ea20 100644 --- a/examples/ecc-benchmark.c +++ b/examples/ecc-benchmark.c @@ -315,6 +315,7 @@ const struct ecc_curve * const curves[] = { &_nettle_curve448, &_nettle_secp_521r1, &_nettle_gost_gc256b, + &_nettle_gost_gc256c, &_nettle_gost_gc512a, };
diff --git a/nettle.texinfo b/nettle.texinfo index 19eb6d3472a2..a576c0417c4a 100644 --- a/nettle.texinfo +++ b/nettle.texinfo @@ -5112,6 +5112,14 @@ Returns curve corresponding to following identifiers: @end itemize @end deftypefun
+@deftypefun {const struct ecc_curve} nettle_get_gost_gc256c(void) +Returns curve corresponding to following identifiers: +@itemize +@item id-GostR3410-2001-CryptoPro-B-ParamSet (@cite{RFC 4357}) +@item id-tc26-gost-3410-12-256-paramSetC +@end itemize +@end deftypefun + @deftypefun {const struct ecc_curve} nettle_get_gost_gc512a(void) Returns curve corresponding to following identifiers: @itemize diff --git a/testsuite/gostdsa-sign-test.c b/testsuite/gostdsa-sign-test.c index 0e2e0420a313..4d25f9521d37 100644 --- a/testsuite/gostdsa-sign-test.c +++ b/testsuite/gostdsa-sign-test.c @@ -70,6 +70,17 @@ test_main (void)
"5E5B9B805B01147A8492C4A162643AC615DC777B9174108F3DC276A41F987AF3"); /* s */
+ test_gostdsa (nettle_get_gost_gc256c(), + "3FCF1D623E5CDD3032A7C6EABB4A923C46E43D640FFEAAF2C3ED39A8FA399924", /* z */ + + "5782C53F110C596F9155D35EBD25A06A89C50391850A8FEFE33B0E270318857C", /* k */ + + SHEX("1C067E20EA6CB183F22EFB0F3C6FD2A4E6A02821CB7A1B17FACD5E1F7AA76F70"), /* h */ + + "4E8F9973B31A134CE0942421573B0529B07EC96B835A07856C16CE8070C62547", /* r */ + + "10CE0EFA72741D5EB24837563AAB9369781D6F487ACF88BBEE3E49EC239F6A90"); /* s */ + test_gostdsa (nettle_get_gost_gc512a(), "3FC01CDCD4EC5F972EB482774C41E66DB7F380528DFE9E67992BA05AEE462435" "757530E641077CE587B976C8EEB48C48FD33FD175F0C7DE6A44E014E6BCB074B", /* z */ diff --git a/testsuite/gostdsa-verify-test.c b/testsuite/gostdsa-verify-test.c index 7279f5f46c5b..66660a2c0ad7 100644 --- a/testsuite/gostdsa-verify-test.c +++ b/testsuite/gostdsa-verify-test.c @@ -93,6 +93,17 @@ test_main (void)
"5E5B9B805B01147A8492C4A162643AC615DC777B9174108F3DC276A41F987AF3"); /* s */
+ test_gostdsa (nettle_get_gost_gc256c(), + "347E354F60B8DA8DE659B432600418C7D0E70F01622477579FAB36A066B9B8FD", /* x */ + + "1DD2E31CF7840A5109DFAB561E15D42BC3CE2E64995FB70F3B86679655A1BAA1", /* y */ + + SHEX("1C067E20EA6CB183F22EFB0F3C6FD2A4E6A02821CB7A1B17FACD5E1F7AA76F70"), /* h */ + + "4E8F9973B31A134CE0942421573B0529B07EC96B835A07856C16CE8070C62547", /* r */ + + "10CE0EFA72741D5EB24837563AAB9369781D6F487ACF88BBEE3E49EC239F6A90"); /* s */ + test_gostdsa (nettle_get_gost_gc512a(), "03A36340A95BB5F93D131961B5B1C1B3213DF7FF3B5A30376407E2A65C441BC6" "D1B34662317083243F007B15A8512B526606D3B172B606DCE86DBD6F82DA3D40", /* x */ diff --git a/testsuite/testutils.c b/testsuite/testutils.c index 187da0efda29..81952055c8d3 100644 --- a/testsuite/testutils.c +++ b/testsuite/testutils.c @@ -1677,6 +1677,7 @@ const struct ecc_curve * const ecc_curves[] = { &_nettle_curve25519, &_nettle_curve448, &_nettle_gost_gc256b, + &_nettle_gost_gc256c, &_nettle_gost_gc512a, NULL }; @@ -1726,7 +1727,7 @@ test_ecc_point (const struct ecc_curve *ecc, }
/* For each curve, the points g, 2 g, 3 g and 4 g */ -static const struct ecc_ref_point ecc_ref[9][4] = { +static const struct ecc_ref_point ecc_ref[10][4] = { { { "188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012", "07192b95ffc8da78631011ed6b24cdd573f977a11e794811" }, { "dafebf5828783f2ad35534631588a3f629a70fb16982a888", @@ -1824,6 +1825,15 @@ static const struct ecc_ref_point ecc_ref[9][4] = { { "f7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e4b7", "83ccf17ba6706d73625cc3534c7a2b9d6ec1ee6a9a7e07c10d84b388de59f741" }, }, + { { "0000000000000000000000000000000000000000000000000000000000000001", + "3fa8124359f96680b83d1c3eb2c070e5c545c9858d03ecfb744bf8d717717efc" }, + { "8000000000000000000000000000000000000000000000000000000000000c97", + "4057edbca606997f47c2e3c14d3f8f1a3aba367a72fc13048bb40728e88e8d9d" }, + { "1b9a33999d8449c3bbd8cfe49ac6355a2ee0827a6c71687c86cb7b0670efe205", + "1876d998a19da37a120e76cb42f4f5225197279b612f712171a4648fe4a3ff12" }, + { "5fa13ecfadd7ae00c2e65d0ac6cac1deda6d60e577afe90915671b08bbb9065e", + "1b3c2859166129ac6dafee570ab9d40d33fdc25c7253c72f4e3fa77223ab016a" }, + }, { { "0000000000000000000000000000000000000000000000000000000000000000" "0000000000000000000000000000000000000000000000000000000000000003", "7503cfe87a836ae3a61b8816e25450e6ce5e1c93acf1abc1778064fdcbefa921" @@ -1852,7 +1862,7 @@ test_ecc_ga (unsigned curve, const mp_limb_t *p) void test_ecc_mul_a (unsigned curve, unsigned n, const mp_limb_t *p) { - assert (curve < 9); + assert (curve < 10); assert (n <= 4); if (n == 0) {
Hello,
вс, 16 февр. 2020 г. в 00:00, dbaryshkov@gmail.com:
From: Dmitry Baryshkov dbaryshkov@gmail.com
GOST curves will require different "fixups" for fast (mul X mod p) operations. Move these operations to ecc_modulo structure and call them via function pointer.
These two patches were postponed till 3.6 release. Any chance to get them reviewed/merged?
nettle-bugs@lists.lysator.liu.se
-
dbaryshkov@gmail.com -
Dmitry Baryshkov