00001
00002
00003 #include "pch.h"
00004 #include "ecp.h"
00005 #include "asn.h"
00006 #include "nbtheory.h"
00007
00008 #include "algebra.cpp"
00009 #include "eprecomp.cpp"
00010
00011 NAMESPACE_BEGIN(CryptoPP)
00012
00013 ANONYMOUS_NAMESPACE_BEGIN
00014 static inline ECP::Point ToMontgomery(const MontgomeryRepresentation &mr, const ECP::Point &P)
00015 {
00016 return P.identity ? P : ECP::Point(mr.ConvertIn(P.x), mr.ConvertIn(P.y));
00017 }
00018
00019 static inline ECP::Point FromMontgomery(const MontgomeryRepresentation &mr, const ECP::Point &P)
00020 {
00021 return P.identity ? P : ECP::Point(mr.ConvertOut(P.x), mr.ConvertOut(P.y));
00022 }
00023 NAMESPACE_END
00024
00025 ECP::ECP(BufferedTransformation &bt)
00026 : m_fieldPtr(new Field(bt)), m_field(*m_fieldPtr)
00027 {
00028 BERSequenceDecoder seq(bt);
00029 m_field.BERDecodeElement(seq, m_a);
00030 m_field.BERDecodeElement(seq, m_b);
00031
00032 if (!seq.EndReached())
00033 BERDecodeOctetString(seq, g_bitBucket);
00034 seq.MessageEnd();
00035 }
00036
00037 void ECP::DEREncode(BufferedTransformation &bt) const
00038 {
00039 m_field.DEREncode(bt);
00040 DERSequenceEncoder seq(bt);
00041 m_field.DEREncodeElement(seq, m_a);
00042 m_field.DEREncodeElement(seq, m_b);
00043 seq.MessageEnd();
00044 }
00045
00046 bool ECP::DecodePoint(ECP::Point &P, const byte *encodedPoint, unsigned int encodedPointLen) const
00047 {
00048 StringStore store(encodedPoint, encodedPointLen);
00049 return DecodePoint(P, store, encodedPointLen);
00050 }
00051
00052 bool ECP::DecodePoint(ECP::Point &P, BufferedTransformation &bt, unsigned int encodedPointLen) const
00053 {
00054 byte type;
00055 if (encodedPointLen < 1 || !bt.Get(type))
00056 return false;
00057
00058 switch (type)
00059 {
00060 case 0:
00061 P.identity = true;
00062 return true;
00063 case 2:
00064 case 3:
00065 {
00066 if (encodedPointLen != EncodedPointSize(true))
00067 return false;
00068
00069 Integer p = FieldSize();
00070
00071 P.identity = false;
00072 P.x.Decode(bt, m_field.MaxElementByteLength());
00073 P.y = ((P.x*P.x+m_a)*P.x+m_b) % p;
00074
00075 if (Jacobi(P.y, p) !=1)
00076 return false;
00077
00078 P.y = ModularSquareRoot(P.y, p);
00079
00080 if ((type & 1) != P.y.GetBit(0))
00081 P.y = p-P.y;
00082
00083 return true;
00084 }
00085 case 4:
00086 {
00087 if (encodedPointLen != EncodedPointSize(false))
00088 return false;
00089
00090 unsigned int len = m_field.MaxElementByteLength();
00091 P.identity = false;
00092 P.x.Decode(bt, len);
00093 P.y.Decode(bt, len);
00094 return true;
00095 }
00096 default:
00097 return false;
00098 }
00099 }
00100
00101 void ECP::EncodePoint(byte *encodedPoint, const Point &P, bool compressed) const
00102 {
00103 if (P.identity)
00104 memset(encodedPoint, 0, EncodedPointSize(compressed));
00105 else if (compressed)
00106 {
00107 encodedPoint[0] = 2 + P.y.GetBit(0);
00108 P.x.Encode(encodedPoint+1, m_field.MaxElementByteLength());
00109 }
00110 else
00111 {
00112 unsigned int len = m_field.MaxElementByteLength();
00113 encodedPoint[0] = 4;
00114 P.x.Encode(encodedPoint+1, len);
00115 P.y.Encode(encodedPoint+1+len, len);
00116 }
00117 }
00118
00119 ECP::Point ECP::BERDecodePoint(BufferedTransformation &bt) const
00120 {
00121 SecByteBlock str;
00122 BERDecodeOctetString(bt, str);
00123 Point P;
00124 if (!DecodePoint(P, str, str.size))
00125 BERDecodeError();
00126 return P;
00127 }
00128
00129 void ECP::DEREncodePoint(BufferedTransformation &bt, const Point &P, bool compressed) const
00130 {
00131 SecByteBlock str(EncodedPointSize(compressed));
00132 EncodePoint(str, P, compressed);
00133 DEREncodeOctetString(bt, str);
00134 }
00135
00136 bool ECP::ValidateParameters(RandomNumberGenerator &rng) const
00137 {
00138 Integer p = FieldSize();
00139 return p.IsOdd() && VerifyPrime(rng, p)
00140 && !m_a.IsNegative() && m_a<p && !m_b.IsNegative() && m_b<p
00141 && ((4*m_a*m_a*m_a+27*m_b*m_b)%p).IsPositive();
00142 }
00143
00144 bool ECP::VerifyPoint(const Point &P) const
00145 {
00146 const FieldElement &x = P.x, &y = P.y;
00147 Integer p = FieldSize();
00148 return P.identity ||
00149 (!x.IsNegative() && x<p && !y.IsNegative() && y<p
00150 && !(((x*x+m_a)*x+m_b-y*y)%p));
00151 }
00152
00153 bool ECP::Equal(const Point &P, const Point &Q) const
00154 {
00155 if (P.identity && Q.identity)
00156 return true;
00157
00158 if (P.identity && !Q.identity)
00159 return false;
00160
00161 if (!P.identity && Q.identity)
00162 return false;
00163
00164 return (m_field.Equal(P.x,Q.x) && m_field.Equal(P.y,Q.y));
00165 }
00166
00167 const ECP::Point& ECP::Inverse(const Point &P) const
00168 {
00169 if (P.identity)
00170 return P;
00171 else
00172 {
00173 m_R.identity = false;
00174 m_R.x = P.x;
00175 m_R.y = m_field.Inverse(P.y);
00176 return m_R;
00177 }
00178 }
00179
00180 const ECP::Point& ECP::Add(const Point &P, const Point &Q) const
00181 {
00182 if (P.identity) return Q;
00183 if (Q.identity) return P;
00184 if (m_field.Equal(P.x, Q.x))
00185 return m_field.Equal(P.y, Q.y) ? Double(P) : Zero();
00186
00187 FieldElement t = m_field.Subtract(Q.y, P.y);
00188 t = m_field.Divide(t, m_field.Subtract(Q.x, P.x));
00189 FieldElement x = m_field.Subtract(m_field.Subtract(m_field.Square(t), P.x), Q.x);
00190 m_R.y = m_field.Subtract(m_field.Multiply(t, m_field.Subtract(P.x, x)), P.y);
00191
00192 m_R.x.swap(x);
00193 m_R.identity = false;
00194 return m_R;
00195 }
00196
00197 const ECP::Point& ECP::Double(const Point &P) const
00198 {
00199 if (P.identity || P.y==m_field.Zero()) return Zero();
00200
00201 FieldElement t = m_field.Square(P.x);
00202 t = m_field.Add(m_field.Add(m_field.Double(t), t), m_a);
00203 t = m_field.Divide(t, m_field.Double(P.y));
00204 FieldElement x = m_field.Subtract(m_field.Subtract(m_field.Square(t), P.x), P.x);
00205 m_R.y = m_field.Subtract(m_field.Multiply(t, m_field.Subtract(P.x, x)), P.y);
00206
00207 m_R.x.swap(x);
00208 m_R.identity = false;
00209 return m_R;
00210 }
00211
00212 template <class T, class Iterator> void ParallelInvert(const AbstractRing<T> &ring, Iterator begin, Iterator end)
00213 {
00214 unsigned int n = end-begin;
00215 if (n == 1)
00216 *begin = ring.MultiplicativeInverse(*begin);
00217 else if (n > 1)
00218 {
00219 std::vector<T> vec((n+1)/2);
00220 unsigned int i;
00221 Iterator it;
00222
00223 for (i=0, it=begin; i<n/2; i++, it+=2)
00224 vec[i] = ring.Multiply(*it, *(it+1));
00225 if (n%2 == 1)
00226 vec[n/2] = *it;
00227
00228 ParallelInvert(ring, vec.begin(), vec.end());
00229
00230 for (i=0, it=begin; i<n/2; i++, it+=2)
00231 {
00232 if (!vec[i])
00233 {
00234 *it = ring.MultiplicativeInverse(*it);
00235 *(it+1) = ring.MultiplicativeInverse(*(it+1));
00236 }
00237 else
00238 {
00239 std::swap(*it, *(it+1));
00240 *it = ring.Multiply(*it, vec[i]);
00241 *(it+1) = ring.Multiply(*(it+1), vec[i]);
00242 }
00243 }
00244 if (n%2 == 1)
00245 *it = vec[n/2];
00246 }
00247 }
00248
00249 struct ProjectivePoint
00250 {
00251 ProjectivePoint() {}
00252 ProjectivePoint(const Integer &x, const Integer &y, const Integer &z)
00253 : x(x), y(y), z(z) {}
00254
00255 Integer x,y,z;
00256 };
00257
00258 class ProjectiveDoubling
00259 {
00260 public:
00261 ProjectiveDoubling(const ModularArithmetic &mr, const Integer &m_a, const Integer &m_b, const ECPPoint &Q)
00262 : mr(mr), firstDoubling(true), negated(false)
00263 {
00264 if (Q.identity)
00265 {
00266 sixteenY4 = P.x = P.y = mr.One();
00267 aZ4 = P.z = mr.Zero();
00268 }
00269 else
00270 {
00271 P.x = Q.x;
00272 P.y = Q.y;
00273 sixteenY4 = P.z = mr.One();
00274 aZ4 = m_a;
00275 }
00276 }
00277
00278 void Double()
00279 {
00280 twoY = mr.Double(P.y);
00281 P.z = mr.Multiply(P.z, twoY);
00282 fourY2 = mr.Square(twoY);
00283 S = mr.Multiply(fourY2, P.x);
00284 aZ4 = mr.Multiply(aZ4, sixteenY4);
00285 M = mr.Square(P.x);
00286 M = mr.Add(mr.Add(mr.Double(M), M), aZ4);
00287 P.x = mr.Square(M);
00288 mr.Reduce(P.x, S);
00289 mr.Reduce(P.x, S);
00290 mr.Reduce(S, P.x);
00291 P.y = mr.Multiply(M, S);
00292 sixteenY4 = mr.Square(fourY2);
00293 mr.Reduce(P.y, mr.Half(sixteenY4));
00294 }
00295
00296 const ModularArithmetic &mr;
00297 ProjectivePoint P;
00298 bool firstDoubling, negated;
00299 Integer sixteenY4, aZ4, twoY, fourY2, S, M;
00300 };
00301
00302 struct ZIterator
00303 {
00304 ZIterator() {}
00305 ZIterator(std::vector<ProjectivePoint>::iterator it) : it(it) {}
00306 Integer& operator*() {return it->z;}
00307 int operator-(ZIterator it2) {return it-it2.it;}
00308 ZIterator operator+(int i) {return ZIterator(it+i);}
00309 ZIterator& operator+=(int i) {it+=i; return *this;}
00310 std::vector<ProjectivePoint>::iterator it;
00311 };
00312
00313 ECP::Point ECP::ScalarMultiply(const Point &P, const Integer &k) const
00314 {
00315 Element result;
00316 if (k.BitCount() <= 5)
00317 AbstractGroup<ECPPoint>::SimultaneousMultiply(&result, P, &k, 1);
00318 else
00319 ECP::SimultaneousMultiply(&result, P, &k, 1);
00320 return result;
00321 }
00322
00323 void ECP::SimultaneousMultiply(ECP::Point *results, const ECP::Point &P, const Integer *expBegin, unsigned int expCount) const
00324 {
00325 if (m_fieldPtr.get())
00326 {
00327 MontgomeryRepresentation mr(m_field.GetModulus());
00328 ECP ecpmr(mr, mr.ConvertIn(m_a), mr.ConvertIn(m_b));
00329 ecpmr.SimultaneousMultiply(results, ToMontgomery(mr, P), expBegin, expCount);
00330 for (unsigned int i=0; i<expCount; i++)
00331 results[i] = FromMontgomery(mr, results[i]);
00332 return;
00333 }
00334
00335 ProjectiveDoubling rd(m_field, m_a, m_b, P);
00336 std::vector<ProjectivePoint> bases;
00337 std::vector<WindowSlider> exponents;
00338 exponents.reserve(expCount);
00339 std::vector<std::vector<unsigned int> > baseIndices(expCount);
00340 std::vector<std::vector<bool> > negateBase(expCount);
00341 std::vector<std::vector<unsigned int> > exponentWindows(expCount);
00342 unsigned int i;
00343
00344 for (i=0; i<expCount; i++)
00345 {
00346 assert(expBegin->NotNegative());
00347 exponents.push_back(WindowSlider(*expBegin++, InversionIsFast(), 5));
00348 exponents[i].FindNextWindow();
00349 }
00350
00351 unsigned int expBitPosition = 0;
00352 bool notDone = true;
00353
00354 while (notDone)
00355 {
00356 notDone = false;
00357 bool baseAdded = false;
00358 for (i=0; i<expCount; i++)
00359 {
00360 if (!exponents[i].finished && expBitPosition == exponents[i].windowBegin)
00361 {
00362 if (!baseAdded)
00363 {
00364 bases.push_back(rd.P);
00365 baseAdded =true;
00366 }
00367
00368 exponentWindows[i].push_back(exponents[i].expWindow);
00369 baseIndices[i].push_back(bases.size()-1);
00370 negateBase[i].push_back(exponents[i].negateNext);
00371
00372 exponents[i].FindNextWindow();
00373 }
00374 notDone = notDone || !exponents[i].finished;
00375 }
00376
00377 if (notDone)
00378 {
00379 rd.Double();
00380 expBitPosition++;
00381 }
00382 }
00383
00384
00385 ParallelInvert(m_field, ZIterator(bases.begin()), ZIterator(bases.end()));
00386 for (i=0; i<bases.size(); i++)
00387 {
00388 if (bases[i].z.NotZero())
00389 {
00390 bases[i].y = m_field.Multiply(bases[i].y, bases[i].z);
00391 bases[i].z = m_field.Square(bases[i].z);
00392 bases[i].x = m_field.Multiply(bases[i].x, bases[i].z);
00393 bases[i].y = m_field.Multiply(bases[i].y, bases[i].z);
00394 }
00395 }
00396
00397 std::vector<BaseAndExponent<Point, word> > finalCascade;
00398 for (i=0; i<expCount; i++)
00399 {
00400 finalCascade.resize(baseIndices[i].size());
00401 for (unsigned int j=0; j<baseIndices[i].size(); j++)
00402 {
00403 ProjectivePoint &base = bases[baseIndices[i][j]];
00404 if (base.z.IsZero())
00405 finalCascade[j].base.identity = true;
00406 else
00407 {
00408 finalCascade[j].base.identity = false;
00409 finalCascade[j].base.x = base.x;
00410 if (negateBase[i][j])
00411 finalCascade[j].base.y = m_field.Inverse(base.y);
00412 else
00413 finalCascade[j].base.y = base.y;
00414 }
00415 finalCascade[j].exponent = exponentWindows[i][j];
00416 }
00417 results[i] = GeneralCascadeMultiplication(*this, finalCascade.begin(), finalCascade.end());
00418 }
00419 }
00420
00421 ECP::Point ECP::CascadeScalarMultiply(const Point &P, const Integer &k1, const Point &Q, const Integer &k2) const
00422 {
00423 if (m_fieldPtr.get())
00424 {
00425 MontgomeryRepresentation mr(m_field.GetModulus());
00426 ECP ecpmr(mr, mr.ConvertIn(m_a), mr.ConvertIn(m_b));
00427 return FromMontgomery(mr, ecpmr.CascadeScalarMultiply(ToMontgomery(mr, P), k1, ToMontgomery(mr, Q), k2));
00428 }
00429 else
00430 return AbstractGroup<Point>::CascadeScalarMultiply(P, k1, Q, k2);
00431 }
00432
00433
00434
00435 EcPrecomputation<ECP>& EcPrecomputation<ECP>::operator=(const EcPrecomputation<ECP> &rhs)
00436 {
00437 m_mr = rhs.m_mr;
00438 m_ec.reset(new ECP(*m_mr, rhs.m_ec->GetA(), rhs.m_ec->GetB()));
00439 m_ep = rhs.m_ep;
00440 m_ep.m_group = m_ec.get();
00441 return *this;
00442 }
00443
00444 void EcPrecomputation<ECP>::SetCurveAndBase(const ECP &ec, const ECP::Point &base)
00445 {
00446 m_mr.reset(new MontgomeryRepresentation(ec.GetField().GetModulus()));
00447 m_ec.reset(new ECP(*m_mr, m_mr->ConvertIn(ec.GetA()), m_mr->ConvertIn(ec.GetB())));
00448 m_ep.SetGroupAndBase(*m_ec, ToMontgomery(*m_mr, base));
00449 }
00450
00451 void EcPrecomputation<ECP>::Precompute(unsigned int maxExpBits, unsigned int storage)
00452 {
00453 m_ep.Precompute(maxExpBits, storage);
00454 }
00455
00456 void EcPrecomputation<ECP>::Load(BufferedTransformation &bt)
00457 {
00458 BERSequenceDecoder seq(bt);
00459 word32 version;
00460 BERDecodeUnsigned<word32>(seq, version, INTEGER, 1, 1);
00461 m_ep.m_exponentBase.BERDecode(seq);
00462 m_ep.m_windowSize = m_ep.m_exponentBase.BitCount() - 1;
00463 m_ep.m_bases.clear();
00464 while (!seq.EndReached())
00465 m_ep.m_bases.push_back(m_ec->BERDecodePoint(seq));
00466 seq.MessageEnd();
00467 }
00468
00469 void EcPrecomputation<ECP>::Save(BufferedTransformation &bt) const
00470 {
00471 DERSequenceEncoder seq(bt);
00472 DEREncodeUnsigned<word32>(seq, 1);
00473 m_ep.m_exponentBase.DEREncode(seq);
00474 for (unsigned i=0; i<m_ep.m_bases.size(); i++)
00475 m_ec->DEREncodePoint(seq, m_ep.m_bases[i]);
00476 seq.MessageEnd();
00477 }
00478
00479 ECP::Point EcPrecomputation<ECP>::Multiply(const Integer &exponent) const
00480 {
00481 return FromMontgomery(*m_mr, m_ep.Exponentiate(exponent));
00482 }
00483
00484 ECP::Point EcPrecomputation<ECP>::CascadeMultiply(const Integer &exponent, const EcPrecomputation<ECP> &pc2, const Integer &exponent2) const
00485 {
00486 return FromMontgomery(*m_mr, m_ep.CascadeExponentiate(exponent, pc2.m_ep, exponent2));
00487 }
00488
00489 NAMESPACE_END
