mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-01-18 13:44:20 +08:00
Code Issues Packages Projects Releases Wiki Activity

EC2M Lopez-Dahab ladder implementation

Browse Source 
This commit uses the new ladder scaffold to implement a specialized
ladder step based on differential addition-and-doubling in mixed
Lopez-Dahab projective coordinates, modified to independently blind the
operands.

The arithmetic in `ladder_pre`, `ladder_step` and `ladder_post` is
auto generated with tooling:
- see, e.g., "Guide to ECC" Alg 3.40 for reference about the
  `ladder_pre` implementation;
- see https://www.hyperelliptic.org/EFD/g12o/auto-code/shortw/xz/ladder/mladd-2003-s.op3
  for the differential addition-and-doubling formulas implemented in
  `ladder_step`;
- see, e.g., "Fast Multiplication on Elliptic Curves over GF(2**m)
  without Precomputation" (Lopez and Dahab, CHES 1999) Appendix Alg Mxy
  for the `ladder_post` implementation to recover the `(x,y)` result in
  affine coordinates.

Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6690)
This commit is contained in:
Nicola Tuveri 2018-07-14 00:55:01 +03:00 committed by Matt Caswell
parent 66b0bca887
commit f45846f500
5 changed files with 228 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGES
View File

@ -9,6 +9,12 @@
Changes between 1.1.0h and 1.1.1 [xx XXX xxxx]
*) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
step for binary curves. The new implementation is based on formulas from
differential addition-and-doubling in mixed Lopez-Dahab projective
coordinates, modified to independently blind the operands.
[Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
*) Add a scaffold to optionally enhance the Montgomery ladder implementation
for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
EC_METHODs to implement their own specialized "ladder step", to take

274
crypto/ec/ec2_smpl.c
View File

@ -15,66 +15,6 @@
#ifndef OPENSSL_NO_EC2M
const EC_METHOD *EC_GF2m_simple_method(void)
{
static const EC_METHOD ret = {
EC_FLAGS_DEFAULT_OCT,
NID_X9_62_characteristic_two_field,
ec_GF2m_simple_group_init,
ec_GF2m_simple_group_finish,
ec_GF2m_simple_group_clear_finish,
ec_GF2m_simple_group_copy,
ec_GF2m_simple_group_set_curve,
ec_GF2m_simple_group_get_curve,
ec_GF2m_simple_group_get_degree,
ec_group_simple_order_bits,
ec_GF2m_simple_group_check_discriminant,
ec_GF2m_simple_point_init,
ec_GF2m_simple_point_finish,
ec_GF2m_simple_point_clear_finish,
ec_GF2m_simple_point_copy,
ec_GF2m_simple_point_set_to_infinity,
0 /* set_Jprojective_coordinates_GFp */ ,
0 /* get_Jprojective_coordinates_GFp */ ,
ec_GF2m_simple_point_set_affine_coordinates,
ec_GF2m_simple_point_get_affine_coordinates,
0, 0, 0,
ec_GF2m_simple_add,
ec_GF2m_simple_dbl,
ec_GF2m_simple_invert,
ec_GF2m_simple_is_at_infinity,
ec_GF2m_simple_is_on_curve,
ec_GF2m_simple_cmp,
ec_GF2m_simple_make_affine,
ec_GF2m_simple_points_make_affine,
0 /* mul */,
0 /* precompute_mul */,
0 /* have_precompute_mul */,
ec_GF2m_simple_field_mul,
ec_GF2m_simple_field_sqr,
ec_GF2m_simple_field_div,
0 /* field_encode */ ,
0 /* field_decode */ ,
0, /* field_set_to_one */
ec_key_simple_priv2oct,
ec_key_simple_oct2priv,
0, /* set private */
ec_key_simple_generate_key,
ec_key_simple_check_key,
ec_key_simple_generate_public_key,
0, /* keycopy */
0, /* keyfinish */
ecdh_simple_compute_key,
0, /* field_inverse_mod_ord */
0, /* blind_coordinates */
0, /* ladder_pre */
0, /* ladder_step */
0 /* ladder_post */
};
return &ret;
}
/*
* Initialize a GF(2^m)-based EC_GROUP structure. Note that all other members
* are handled by EC_GROUP_new.
@ -740,4 +680,218 @@ int ec_GF2m_simple_field_div(const EC_GROUP *group, BIGNUM *r,
return BN_GF2m_mod_div(r, a, b, group->field, ctx);
}
/*-
* Lopez-Dahab ladder, pre step.
* See e.g. "Guide to ECC" Alg 3.40.
* Modified to blind s and r independently.
* s:= p, r := 2p
*/
static
int ec_GF2m_simple_ladder_pre(const EC_GROUP *group,
EC_POINT *r, EC_POINT *s,
EC_POINT *p, BN_CTX *ctx)
{
/* if p is not affine, something is wrong */
if (p->Z_is_one == 0)
return 0;
/* s blinding: make sure lambda (s->Z here) is not zero */
do {
if (!BN_priv_rand(s->Z, BN_num_bits(group->field) - 1,
BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) {
ECerr(EC_F_EC_GF2M_SIMPLE_LADDER_PRE, ERR_R_BN_LIB);
return 0;
}
} while (BN_is_zero(s->Z));
/* if field_encode defined convert between representations */
if ((group->meth->field_encode != NULL
&& !group->meth->field_encode(group, s->Z, s->Z, ctx))
|| !group->meth->field_mul(group, s->X, p->X, s->Z, ctx))
return 0;
/* r blinding: make sure lambda (r->Y here for storage) is not zero */
do {
if (!BN_priv_rand(r->Y, BN_num_bits(group->field) - 1,
BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) {
ECerr(EC_F_EC_GF2M_SIMPLE_LADDER_PRE, ERR_R_BN_LIB);
return 0;
}
} while (BN_is_zero(r->Y));
if ((group->meth->field_encode != NULL
&& !group->meth->field_encode(group, r->Y, r->Y, ctx))
|| !group->meth->field_sqr(group, r->Z, p->X, ctx)
|| !group->meth->field_sqr(group, r->X, r->Z, ctx)
|| !BN_GF2m_add(r->X, r->X, group->b)
|| !group->meth->field_mul(group, r->Z, r->Z, r->Y, ctx)
|| !group->meth->field_mul(group, r->X, r->X, r->Y, ctx))
return 0;
s->Z_is_one = 0;
r->Z_is_one = 0;
return 1;
}
/*-
* Ladder step: differential addition-and-doubling, mixed Lopez-Dahab coords.
* http://www.hyperelliptic.org/EFD/g12o/auto-code/shortw/xz/ladder/mladd-2003-s.op3
* s := r + s, r := 2r
*/
static
int ec_GF2m_simple_ladder_step(const EC_GROUP *group,
EC_POINT *r, EC_POINT *s,
EC_POINT *p, BN_CTX *ctx)
{
if (!group->meth->field_mul(group, r->Y, r->Z, s->X, ctx)
|| !group->meth->field_mul(group, s->X, r->X, s->Z, ctx)
|| !group->meth->field_sqr(group, s->Y, r->Z, ctx)
|| !group->meth->field_sqr(group, r->Z, r->X, ctx)
|| !BN_GF2m_add(s->Z, r->Y, s->X)
|| !group->meth->field_sqr(group, s->Z, s->Z, ctx)
|| !group->meth->field_mul(group, s->X, r->Y, s->X, ctx)
|| !group->meth->field_mul(group, r->Y, s->Z, p->X, ctx)
|| !BN_GF2m_add(s->X, s->X, r->Y)
|| !group->meth->field_sqr(group, r->Y, r->Z, ctx)
|| !group->meth->field_mul(group, r->Z, r->Z, s->Y, ctx)
|| !group->meth->field_sqr(group, s->Y, s->Y, ctx)
|| !group->meth->field_mul(group, s->Y, s->Y, group->b, ctx)
|| !BN_GF2m_add(r->X, r->Y, s->Y))
return 0;
return 1;
}
/*-
* Recover affine (x,y) result from Lopez-Dahab r and s, affine p.
* See e.g. "Fast Multiplication on Elliptic Curves over GF(2**m)
* without Precomputation" (Lopez and Dahab, CHES 1999),
* Appendix Alg Mxy.
*/
static
int ec_GF2m_simple_ladder_post(const EC_GROUP *group,
EC_POINT *r, EC_POINT *s,
EC_POINT *p, BN_CTX *ctx)
{
int ret = 0;
BIGNUM *t0, *t1, *t2 = NULL;
if (BN_is_zero(r->Z))
return EC_POINT_set_to_infinity(group, r);
if (BN_is_zero(s->Z)) {
if (!EC_POINT_copy(r, p)
|| !EC_POINT_invert(group, r, ctx)) {
ECerr(EC_F_EC_GF2M_SIMPLE_LADDER_POST, ERR_R_EC_LIB);
return 0;
}
return 1;
}
BN_CTX_start(ctx);
t0 = BN_CTX_get(ctx);
t1 = BN_CTX_get(ctx);
t2 = BN_CTX_get(ctx);
if (t2 == NULL) {
ECerr(EC_F_EC_GF2M_SIMPLE_LADDER_POST, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!group->meth->field_mul(group, t0, r->Z, s->Z, ctx)
|| !group->meth->field_mul(group, t1, p->X, r->Z, ctx)
|| !BN_GF2m_add(t1, r->X, t1)
|| !group->meth->field_mul(group, t2, p->X, s->Z, ctx)
|| !group->meth->field_mul(group, r->Z, r->X, t2, ctx)
|| !BN_GF2m_add(t2, t2, s->X)
|| !group->meth->field_mul(group, t1, t1, t2, ctx)
|| !group->meth->field_sqr(group, t2, p->X, ctx)
|| !BN_GF2m_add(t2, p->Y, t2)
|| !group->meth->field_mul(group, t2, t2, t0, ctx)
|| !BN_GF2m_add(t1, t2, t1)
|| !group->meth->field_mul(group, t2, p->X, t0, ctx)
|| !BN_GF2m_mod_inv(t2, t2, group->field, ctx)
|| !group->meth->field_mul(group, t1, t1, t2, ctx)
|| !group->meth->field_mul(group, r->X, r->Z, t2, ctx)
|| !BN_GF2m_add(t2, p->X, r->X)
|| !group->meth->field_mul(group, t2, t2, t1, ctx)
|| !BN_GF2m_add(r->Y, p->Y, t2)
|| !BN_one(r->Z))
goto err;
r->Z_is_one = 1;
/* GF(2^m) field elements should always have BIGNUM::neg = 0 */
BN_set_negative(r->X, 0);
BN_set_negative(r->Y, 0);
ret = 1;
err:
BN_CTX_end(ctx);
return ret;
}
const EC_METHOD *EC_GF2m_simple_method(void)
{
static const EC_METHOD ret = {
EC_FLAGS_DEFAULT_OCT,
NID_X9_62_characteristic_two_field,
ec_GF2m_simple_group_init,
ec_GF2m_simple_group_finish,
ec_GF2m_simple_group_clear_finish,
ec_GF2m_simple_group_copy,
ec_GF2m_simple_group_set_curve,
ec_GF2m_simple_group_get_curve,
ec_GF2m_simple_group_get_degree,
ec_group_simple_order_bits,
ec_GF2m_simple_group_check_discriminant,
ec_GF2m_simple_point_init,
ec_GF2m_simple_point_finish,
ec_GF2m_simple_point_clear_finish,
ec_GF2m_simple_point_copy,
ec_GF2m_simple_point_set_to_infinity,
0, /* set_Jprojective_coordinates_GFp */
0, /* get_Jprojective_coordinates_GFp */
ec_GF2m_simple_point_set_affine_coordinates,
ec_GF2m_simple_point_get_affine_coordinates,
0, /* point_set_compressed_coordinates */
0, /* point2oct */
0, /* oct2point */
ec_GF2m_simple_add,
ec_GF2m_simple_dbl,
ec_GF2m_simple_invert,
ec_GF2m_simple_is_at_infinity,
ec_GF2m_simple_is_on_curve,
ec_GF2m_simple_cmp,
ec_GF2m_simple_make_affine,
ec_GF2m_simple_points_make_affine,
0, /* mul */
0, /* precompute_mult */
0, /* have_precompute_mult */
ec_GF2m_simple_field_mul,
ec_GF2m_simple_field_sqr,
ec_GF2m_simple_field_div,
0, /* field_encode */
0, /* field_decode */
0, /* field_set_to_one */
ec_key_simple_priv2oct,
ec_key_simple_oct2priv,
0, /* set private */
ec_key_simple_generate_key,
ec_key_simple_check_key,
ec_key_simple_generate_public_key,
0, /* keycopy */
0, /* keyfinish */
ecdh_simple_compute_key,
0, /* field_inverse_mod_ord */
0, /* blind_coordinates */
ec_GF2m_simple_ladder_pre,
ec_GF2m_simple_ladder_step,
ec_GF2m_simple_ladder_post
};
return &ret;
}
#endif

4
crypto/ec/ec_err.c
View File

@ -70,6 +70,10 @@ static const ERR_STRING_DATA EC_str_functs[] = {
"ec_GF2m_simple_group_check_discriminant"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE, 0),
"ec_GF2m_simple_group_set_curve"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_LADDER_POST, 0),
"ec_GF2m_simple_ladder_post"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_LADDER_PRE, 0),
"ec_GF2m_simple_ladder_pre"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_OCT2POINT, 0),
"ec_GF2m_simple_oct2point"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_POINT2OCT, 0),

2
crypto/err/openssl.txt
View File

@ -521,6 +521,8 @@ EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY:208:ec_GF2m_montgomery_point_multiply
EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT:159:\
ec_GF2m_simple_group_check_discriminant
EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE:195:ec_GF2m_simple_group_set_curve
EC_F_EC_GF2M_SIMPLE_LADDER_POST:285:ec_GF2m_simple_ladder_post
EC_F_EC_GF2M_SIMPLE_LADDER_PRE:288:ec_GF2m_simple_ladder_pre
EC_F_EC_GF2M_SIMPLE_OCT2POINT:160:ec_GF2m_simple_oct2point
EC_F_EC_GF2M_SIMPLE_POINT2OCT:161:ec_GF2m_simple_point2oct
EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES:162:\

2
include/openssl/ecerr.h
View File

@ -64,6 +64,8 @@ int ERR_load_EC_strings(void);
# define EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY 208
# define EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT 159
# define EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE 195
# define EC_F_EC_GF2M_SIMPLE_LADDER_POST 285
# define EC_F_EC_GF2M_SIMPLE_LADDER_PRE 288
# define EC_F_EC_GF2M_SIMPLE_OCT2POINT 160
# define EC_F_EC_GF2M_SIMPLE_POINT2OCT 161
# define EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES 162