EC2M Lopez-Dahab ladder implementation

This commit uses the new ladder scaffold to implement a specialized
ladder step based on differential addition-and-doubling in mixed
Lopez-Dahab projective coordinates, modified to independently blind the
operands.

The arithmetic in `ladder_pre`, `ladder_step` and `ladder_post` is
auto generated with tooling:
- see, e.g., "Guide to ECC" Alg 3.40 for reference about the
  `ladder_pre` implementation;
- see https://www.hyperelliptic.org/EFD/g12o/auto-code/shortw/xz/ladder/mladd-2003-s.op3
  for the differential addition-and-doubling formulas implemented in
  `ladder_step`;
- see, e.g., "Fast Multiplication on Elliptic Curves over GF(2**m)
  without Precomputation" (Lopez and Dahab, CHES 1999) Appendix Alg Mxy
  for the `ladder_post` implementation to recover the `(x,y)` result in
  affine coordinates.

Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6690)

CHANGES

@@ -9,6 +9,12 @@
 
  Changes between 1.1.0h and 1.1.1 [xx XXX xxxx]
 
+  *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
+     step for binary curves. The new implementation is based on formulas from
+     differential addition-and-doubling in mixed Lopez-Dahab projective
+     coordinates, modified to independently blind the operands.
+     [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
+
   *) Add a scaffold to optionally enhance the Montgomery ladder implementation
      for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
      EC_METHODs to implement their own specialized "ladder step", to take

crypto/ec/ec2_smpl.c

@@ -15,66 +15,6 @@
 
 #ifndef OPENSSL_NO_EC2M
 
-const EC_METHOD *EC_GF2m_simple_method(void)
-{
-    static const EC_METHOD ret = {
-        EC_FLAGS_DEFAULT_OCT,
-        NID_X9_62_characteristic_two_field,
-        ec_GF2m_simple_group_init,
-        ec_GF2m_simple_group_finish,
-        ec_GF2m_simple_group_clear_finish,
-        ec_GF2m_simple_group_copy,
-        ec_GF2m_simple_group_set_curve,
-        ec_GF2m_simple_group_get_curve,
-        ec_GF2m_simple_group_get_degree,
-        ec_group_simple_order_bits,
-        ec_GF2m_simple_group_check_discriminant,
-        ec_GF2m_simple_point_init,
-        ec_GF2m_simple_point_finish,
-        ec_GF2m_simple_point_clear_finish,
-        ec_GF2m_simple_point_copy,
-        ec_GF2m_simple_point_set_to_infinity,
-        0 /* set_Jprojective_coordinates_GFp */ ,
-        0 /* get_Jprojective_coordinates_GFp */ ,
-        ec_GF2m_simple_point_set_affine_coordinates,
-        ec_GF2m_simple_point_get_affine_coordinates,
-        0, 0, 0,
-        ec_GF2m_simple_add,
-        ec_GF2m_simple_dbl,
-        ec_GF2m_simple_invert,
-        ec_GF2m_simple_is_at_infinity,
-        ec_GF2m_simple_is_on_curve,
-        ec_GF2m_simple_cmp,
-        ec_GF2m_simple_make_affine,
-        ec_GF2m_simple_points_make_affine,
-        0 /* mul */,
-        0 /* precompute_mul */,
-        0 /* have_precompute_mul */,
-        ec_GF2m_simple_field_mul,
-        ec_GF2m_simple_field_sqr,
-        ec_GF2m_simple_field_div,
-        0 /* field_encode */ ,
-        0 /* field_decode */ ,
-        0,                      /* field_set_to_one */
-        ec_key_simple_priv2oct,
-        ec_key_simple_oct2priv,
-        0, /* set private */
-        ec_key_simple_generate_key,
-        ec_key_simple_check_key,
-        ec_key_simple_generate_public_key,
-        0, /* keycopy */
-        0, /* keyfinish */
-        ecdh_simple_compute_key,
-        0, /* field_inverse_mod_ord */
-        0, /* blind_coordinates */
-        0, /* ladder_pre */
-        0, /* ladder_step */
-        0  /* ladder_post */
-    };
-
-    return &ret;
-}
-
 /*
  * Initialize a GF(2^m)-based EC_GROUP structure. Note that all other members
  * are handled by EC_GROUP_new.
@@ -740,4 +680,218 @@ int ec_GF2m_simple_field_div(const EC_GROUP *group, BIGNUM *r,
     return BN_GF2m_mod_div(r, a, b, group->field, ctx);
 }
 
+/*-
+ * Lopez-Dahab ladder, pre step.
+ * See e.g. "Guide to ECC" Alg 3.40.
+ * Modified to blind s and r independently.
+ * s:= p, r := 2p
+ */
+static
+int ec_GF2m_simple_ladder_pre(const EC_GROUP *group,
+                              EC_POINT *r, EC_POINT *s,
+                              EC_POINT *p, BN_CTX *ctx)
+{
+    /* if p is not affine, something is wrong */
+    if (p->Z_is_one == 0)
+        return 0;
+
+    /* s blinding: make sure lambda (s->Z here) is not zero */
+    do {
+        if (!BN_priv_rand(s->Z, BN_num_bits(group->field) - 1,
+                          BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) {
+            ECerr(EC_F_EC_GF2M_SIMPLE_LADDER_PRE, ERR_R_BN_LIB);
+            return 0;
+        }
+    } while (BN_is_zero(s->Z));
+
+    /* if field_encode defined convert between representations */
+    if ((group->meth->field_encode != NULL
+         && !group->meth->field_encode(group, s->Z, s->Z, ctx))
+        || !group->meth->field_mul(group, s->X, p->X, s->Z, ctx))
+        return 0;
+
+    /* r blinding: make sure lambda (r->Y here for storage) is not zero */
+    do {
+        if (!BN_priv_rand(r->Y, BN_num_bits(group->field) - 1,
+                          BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) {
+            ECerr(EC_F_EC_GF2M_SIMPLE_LADDER_PRE, ERR_R_BN_LIB);
+            return 0;
+        }
+    } while (BN_is_zero(r->Y));
+
+    if ((group->meth->field_encode != NULL
+         && !group->meth->field_encode(group, r->Y, r->Y, ctx))
+        || !group->meth->field_sqr(group, r->Z, p->X, ctx)
+        || !group->meth->field_sqr(group, r->X, r->Z, ctx)
+        || !BN_GF2m_add(r->X, r->X, group->b)
+        || !group->meth->field_mul(group, r->Z, r->Z, r->Y, ctx)
+        || !group->meth->field_mul(group, r->X, r->X, r->Y, ctx))
+        return 0;
+
+    s->Z_is_one = 0;
+    r->Z_is_one = 0;
+
+    return 1;
+}
+
+/*-
+ * Ladder step: differential addition-and-doubling, mixed Lopez-Dahab coords.
+ * http://www.hyperelliptic.org/EFD/g12o/auto-code/shortw/xz/ladder/mladd-2003-s.op3
+ * s := r + s, r := 2r
+ */
+static
+int ec_GF2m_simple_ladder_step(const EC_GROUP *group,
+                               EC_POINT *r, EC_POINT *s,
+                               EC_POINT *p, BN_CTX *ctx)
+{
+    if (!group->meth->field_mul(group, r->Y, r->Z, s->X, ctx)
+        || !group->meth->field_mul(group, s->X, r->X, s->Z, ctx)
+        || !group->meth->field_sqr(group, s->Y, r->Z, ctx)
+        || !group->meth->field_sqr(group, r->Z, r->X, ctx)
+        || !BN_GF2m_add(s->Z, r->Y, s->X)
+        || !group->meth->field_sqr(group, s->Z, s->Z, ctx)
+        || !group->meth->field_mul(group, s->X, r->Y, s->X, ctx)
+        || !group->meth->field_mul(group, r->Y, s->Z, p->X, ctx)
+        || !BN_GF2m_add(s->X, s->X, r->Y)
+        || !group->meth->field_sqr(group, r->Y, r->Z, ctx)
+        || !group->meth->field_mul(group, r->Z, r->Z, s->Y, ctx)
+        || !group->meth->field_sqr(group, s->Y, s->Y, ctx)
+        || !group->meth->field_mul(group, s->Y, s->Y, group->b, ctx)
+        || !BN_GF2m_add(r->X, r->Y, s->Y))
+        return 0;
+
+    return 1;
+}
+
+/*-
+ * Recover affine (x,y) result from Lopez-Dahab r and s, affine p.
+ * See e.g. "Fast Multiplication on Elliptic Curves over GF(2**m)
+ * without Precomputation" (Lopez and Dahab, CHES 1999),
+ * Appendix Alg Mxy.
+ */
+static
+int ec_GF2m_simple_ladder_post(const EC_GROUP *group,
+                               EC_POINT *r, EC_POINT *s,
+                               EC_POINT *p, BN_CTX *ctx)
+{
+    int ret = 0;
+    BIGNUM *t0, *t1, *t2 = NULL;
+
+    if (BN_is_zero(r->Z))
+        return EC_POINT_set_to_infinity(group, r);
+
+    if (BN_is_zero(s->Z)) {
+        if (!EC_POINT_copy(r, p)
+            || !EC_POINT_invert(group, r, ctx)) {
+            ECerr(EC_F_EC_GF2M_SIMPLE_LADDER_POST, ERR_R_EC_LIB);
+            return 0;
+        }
+        return 1;
+    }
+
+    BN_CTX_start(ctx);
+    t0 = BN_CTX_get(ctx);
+    t1 = BN_CTX_get(ctx);
+    t2 = BN_CTX_get(ctx);
+    if (t2 == NULL) {
+        ECerr(EC_F_EC_GF2M_SIMPLE_LADDER_POST, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+
+    if (!group->meth->field_mul(group, t0, r->Z, s->Z, ctx)
+        || !group->meth->field_mul(group, t1, p->X, r->Z, ctx)
+        || !BN_GF2m_add(t1, r->X, t1)
+        || !group->meth->field_mul(group, t2, p->X, s->Z, ctx)
+        || !group->meth->field_mul(group, r->Z, r->X, t2, ctx)
+        || !BN_GF2m_add(t2, t2, s->X)
+        || !group->meth->field_mul(group, t1, t1, t2, ctx)
+        || !group->meth->field_sqr(group, t2, p->X, ctx)
+        || !BN_GF2m_add(t2, p->Y, t2)
+        || !group->meth->field_mul(group, t2, t2, t0, ctx)
+        || !BN_GF2m_add(t1, t2, t1)
+        || !group->meth->field_mul(group, t2, p->X, t0, ctx)
+        || !BN_GF2m_mod_inv(t2, t2, group->field, ctx)
+        || !group->meth->field_mul(group, t1, t1, t2, ctx)
+        || !group->meth->field_mul(group, r->X, r->Z, t2, ctx)
+        || !BN_GF2m_add(t2, p->X, r->X)
+        || !group->meth->field_mul(group, t2, t2, t1, ctx)
+        || !BN_GF2m_add(r->Y, p->Y, t2)
+        || !BN_one(r->Z))
+        goto err;
+
+    r->Z_is_one = 1;
+
+    /* GF(2^m) field elements should always have BIGNUM::neg = 0 */
+    BN_set_negative(r->X, 0);
+    BN_set_negative(r->Y, 0);
+
+    ret = 1;
+
+ err:
+    BN_CTX_end(ctx);
+    return ret;
+}
+
+const EC_METHOD *EC_GF2m_simple_method(void)
+{
+    static const EC_METHOD ret = {
+        EC_FLAGS_DEFAULT_OCT,
+        NID_X9_62_characteristic_two_field,
+        ec_GF2m_simple_group_init,
+        ec_GF2m_simple_group_finish,
+        ec_GF2m_simple_group_clear_finish,
+        ec_GF2m_simple_group_copy,
+        ec_GF2m_simple_group_set_curve,
+        ec_GF2m_simple_group_get_curve,
+        ec_GF2m_simple_group_get_degree,
+        ec_group_simple_order_bits,
+        ec_GF2m_simple_group_check_discriminant,
+        ec_GF2m_simple_point_init,
+        ec_GF2m_simple_point_finish,
+        ec_GF2m_simple_point_clear_finish,
+        ec_GF2m_simple_point_copy,
+        ec_GF2m_simple_point_set_to_infinity,
+        0, /* set_Jprojective_coordinates_GFp */
+        0, /* get_Jprojective_coordinates_GFp */
+        ec_GF2m_simple_point_set_affine_coordinates,
+        ec_GF2m_simple_point_get_affine_coordinates,
+        0, /* point_set_compressed_coordinates */
+        0, /* point2oct */
+        0, /* oct2point */
+        ec_GF2m_simple_add,
+        ec_GF2m_simple_dbl,
+        ec_GF2m_simple_invert,
+        ec_GF2m_simple_is_at_infinity,
+        ec_GF2m_simple_is_on_curve,
+        ec_GF2m_simple_cmp,
+        ec_GF2m_simple_make_affine,
+        ec_GF2m_simple_points_make_affine,
+        0, /* mul */
+        0, /* precompute_mult */
+        0, /* have_precompute_mult */
+        ec_GF2m_simple_field_mul,
+        ec_GF2m_simple_field_sqr,
+        ec_GF2m_simple_field_div,
+        0, /* field_encode */
+        0, /* field_decode */
+        0, /* field_set_to_one */
+        ec_key_simple_priv2oct,
+        ec_key_simple_oct2priv,
+        0, /* set private */
+        ec_key_simple_generate_key,
+        ec_key_simple_check_key,
+        ec_key_simple_generate_public_key,
+        0, /* keycopy */
+        0, /* keyfinish */
+        ecdh_simple_compute_key,
+        0, /* field_inverse_mod_ord */
+        0, /* blind_coordinates */
+        ec_GF2m_simple_ladder_pre,
+        ec_GF2m_simple_ladder_step,
+        ec_GF2m_simple_ladder_post
+    };
+
+    return &ret;
+}
+
 #endif

crypto/ec/ec_err.c

@@ -70,6 +70,10 @@ static const ERR_STRING_DATA EC_str_functs[] = {
      "ec_GF2m_simple_group_check_discriminant"},
     {ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE, 0),
      "ec_GF2m_simple_group_set_curve"},
+    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_LADDER_POST, 0),
+     "ec_GF2m_simple_ladder_post"},
+    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_LADDER_PRE, 0),
+     "ec_GF2m_simple_ladder_pre"},
     {ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_OCT2POINT, 0),
      "ec_GF2m_simple_oct2point"},
     {ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_POINT2OCT, 0),

crypto/err/openssl.txt

@@ -521,6 +521,8 @@ EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY:208:ec_GF2m_montgomery_point_multiply
 EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT:159:\
 	ec_GF2m_simple_group_check_discriminant
 EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE:195:ec_GF2m_simple_group_set_curve
+EC_F_EC_GF2M_SIMPLE_LADDER_POST:285:ec_GF2m_simple_ladder_post
+EC_F_EC_GF2M_SIMPLE_LADDER_PRE:288:ec_GF2m_simple_ladder_pre
 EC_F_EC_GF2M_SIMPLE_OCT2POINT:160:ec_GF2m_simple_oct2point
 EC_F_EC_GF2M_SIMPLE_POINT2OCT:161:ec_GF2m_simple_point2oct
 EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES:162:\

include/openssl/ecerr.h

@@ -64,6 +64,8 @@ int ERR_load_EC_strings(void);
 #  define EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY           208
 #  define EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT     159
 #  define EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE              195
+#  define EC_F_EC_GF2M_SIMPLE_LADDER_POST                  285
+#  define EC_F_EC_GF2M_SIMPLE_LADDER_PRE                   288
 #  define EC_F_EC_GF2M_SIMPLE_OCT2POINT                    160
 #  define EC_F_EC_GF2M_SIMPLE_POINT2OCT                    161
 #  define EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES 162