1 /* 2 * Copyright 2013 The Android Open Source Project 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * * Redistributions of source code must retain the above copyright 7 * notice, this list of conditions and the following disclaimer. 8 * * Redistributions in binary form must reproduce the above copyright 9 * notice, this list of conditions and the following disclaimer in the 10 * documentation and/or other materials provided with the distribution. 11 * * Neither the name of Google Inc. nor the names of its contributors may 12 * be used to endorse or promote products derived from this software 13 * without specific prior written permission. 14 * 15 * THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 17 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO 18 * EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 19 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 20 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; 21 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 22 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 23 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 24 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27 #ifndef SYSTEM_CORE_INCLUDE_MINCRYPT_LITE_P256_H_ 28 #define SYSTEM_CORE_INCLUDE_MINCRYPT_LITE_P256_H_ 29 30 // Collection of routines manipulating 256 bit unsigned integers. 31 // Just enough to implement ecdsa-p256 and related algorithms. 
#include <stdint.h>

#ifdef __cplusplus
extern "C" {
#endif

// Representation: a 256-bit unsigned integer is stored as P256_NDIGITS
// 64-bit digits; a[0] is the least significant digit (see
// cryptonite_p256_get_bit: bit index 0 is least significant).
#define P256_BITSPERDIGIT 64
#define P256_NDIGITS 4
#define P256_NBYTES 32

// n' such that n * n' = -1 mod (2^64)  (Montgomery constant).
// NOTE(review): which modulus "n" refers to is not stated here — presumably
// the curve order cryptonite_SECP256r1_n; confirm against the implementation
// before reusing this constant with any other modulus.
#define P256_MONTGOMERY_FACTOR 0xCCD1C8AAEE00BC4F

// Builds one 64-bit digit from two 32-bit halves. `lo` is truncated to
// 32 bits by the cast; `hi` supplies the upper 32 bits.
#define P256_LITERAL(lo,hi) (((uint32_t) (lo)) + (((uint64_t) (hi)) << 32))

// Status/error type used by higher-level callers; no routine declared in
// this header returns it.
typedef int cryptonite_p256_err;
// One limb of a cryptonite_p256_int (64 bits) and its signed counterpart.
typedef uint64_t cryptonite_p256_digit;
typedef int64_t cryptonite_p256_sdigit;
// Double-width digits for multiply/accumulate. These rely on the
// __uint128_t / __int128_t compiler extension (GCC/Clang on 64-bit targets),
// so this header is not portable to compilers without 128-bit integers.
typedef __uint128_t cryptonite_p256_ddigit;
typedef __int128_t cryptonite_p256_sddigit;

// Defining cryptonite_p256_int as a struct to leverage struct assignment
// (a plain array could not be copied with `=`).
typedef struct {
cryptonite_p256_digit a[P256_NDIGITS];
} cryptonite_p256_int;

// Curve constants for secp256r1 (NIST P-256); defined in the .c file.
extern const cryptonite_p256_int cryptonite_SECP256r1_n; // Curve order n
extern const cryptonite_p256_int cryptonite_SECP256r1_p; // Field prime p
extern const cryptonite_p256_int cryptonite_SECP256r1_b; // Curve coefficient b

// Initialize a cryptonite_p256_int to zero.
void cryptonite_p256_init(cryptonite_p256_int* a);

// Clear a cryptonite_p256_int to zero.
// NOTE(review): if callers rely on this to scrub secret material (private
// scalars, ECDSA nonces) before the storage goes out of scope, confirm that
// the implementation is not something the compiler may elide (a plain
// memset/loop on a dead object can be optimized away).
void cryptonite_p256_clear(cryptonite_p256_int* a);

// Return bit `index` of a (0 or 1). Index 0 is least significant.
// Nothing here specifies behaviour for index outside [0, 256); callers
// must keep it in range.
int cryptonite_p256_get_bit(const cryptonite_p256_int* a, int index);

// b := a % MOD
void cryptonite_p256_mod(
const cryptonite_p256_int* MOD,
const cryptonite_p256_int* a,
cryptonite_p256_int* b);

// c := a * (top_b | b) % MOD
// (top_b | b) denotes b extended by one extra most-significant digit top_b,
// i.e. the second multiplicand may be up to 320 bits wide.
void cryptonite_p256_modmul(
const cryptonite_p256_int* MOD,
const cryptonite_p256_int* a,
const cryptonite_p256_digit top_b,
const cryptonite_p256_int* b,
cryptonite_p256_int* c);

// b := 1 / a % MOD  (modular inverse)
// Intended for MOD == cryptonite_SECP256r1_n (the curve order); behaviour
// for other moduli, or for a == 0 / a not coprime to MOD, is not specified
// here. Presumably the constant-time variant (contrast the _vartime routine
// below) and therefore the one to use when `a` is secret, e.g. the per-
// signature nonce in ECDSA — confirm in the implementation before relying
// on that.
void cryptonite_p256_modinv(
const cryptonite_p256_int* MOD,
const cryptonite_p256_int* a,
cryptonite_p256_int* b);

// b := 1 / a % MOD  (modular inverse, variable time)
// Intended for MOD == cryptonite_SECP256r1_n.
// Faster than cryptonite_p256_modinv(), but its running time depends on
// the value of `a`. Use it ONLY with public inputs (e.g. computing s^-1
// during ECDSA signature verification); never with a private key or nonce,
// since timing would leak information about the secret.
void cryptonite_p256_modinv_vartime(
const cryptonite_p256_int* MOD,
const cryptonite_p256_int* a,
cryptonite_p256_int* b);

// b := a << (n % P256_BITSPERDIGIT)
// Returns the bits shifted out of the most significant digit.
// The shift count is reduced modulo 64: n >= 64 does NOT shift by n, so a
// multi-digit shift has to be done by the caller in steps.
cryptonite_p256_digit cryptonite_p256_shl(const cryptonite_p256_int* a, int n, cryptonite_p256_int* b);

// b := a >> (n % P256_BITSPERDIGIT)
// Same modulo-64 reduction of the shift count as cryptonite_p256_shl.
void cryptonite_p256_shr(const cryptonite_p256_int* a, int n, cryptonite_p256_int* b);

// Predicates; nonzero means true.
int cryptonite_p256_is_zero(const cryptonite_p256_int* a);
int cryptonite_p256_is_odd(const cryptonite_p256_int* a);
int cryptonite_p256_is_even(const cryptonite_p256_int* a);

// Returns -1, 0 or 1 (presumably a < b, a == b, a > b — memcmp-style sign;
// confirm). NOTE(review): nothing here says whether the comparison is
// constant-time; do not use it to compare secret values unless confirmed.
int cryptonite_p256_cmp(const cryptonite_p256_int* a, const cryptonite_p256_int *b);

// c := a - b
// Returns -1 on borrow (i.e. when a < b and the result wrapped), 0 otherwise.
int cryptonite_p256_sub(const cryptonite_p256_int* a, const cryptonite_p256_int* b, cryptonite_p256_int* c);

// c := a + b
// Returns 1 on carry out of the most significant digit, 0 otherwise.
int cryptonite_p256_add(const cryptonite_p256_int* a, const cryptonite_p256_int* b, cryptonite_p256_int* c);

// c := a + (single digit) b
// Returns 1 on carry, 0 otherwise.
int cryptonite_p256_add_d(const cryptonite_p256_int* a, cryptonite_p256_digit b, cryptonite_p256_int* c);

// ec routines. Points are given in affine coordinates {x, y}.

// {out_x,out_y} := nG   (scalar multiple of the generator G)
// Typically n is a private scalar. No _vartime suffix, so presumably
// constant-time in n — confirm before relying on it. What is written for
// the point at infinity (n == 0 or n == curve order) is not specified here.
void cryptonite_p256_base_point_mul(const cryptonite_p256_int *n,
cryptonite_p256_int *out_x,
cryptonite_p256_int *out_y);

// {out_x,out_y} := n{in_x,in_y}   (scalar multiple of an arbitrary point)
// Nothing in this declaration promises that {in_x,in_y} is validated.
// When the point comes from an untrusted source (e.g. a peer's public key
// in ECDH) the caller MUST check it with cryptonite_p256_is_valid_point()
// first: multiplying a secret scalar into an off-curve point can leak the
// scalar (invalid-curve attack).
void cryptonite_p256_point_mul(const cryptonite_p256_int *n,
const cryptonite_p256_int *in_x,
const cryptonite_p256_int *in_y,
cryptonite_p256_int *out_x,
cryptonite_p256_int *out_y);

// {out_x,out_y} := n1G + n2{in_x,in_y}
// Variable-time: intended for ECDSA verification, where n1, n2 and the
// input point are all public. Must not be called with secret scalars.
void cryptonite_p256_points_mul_vartime(
const cryptonite_p256_int *n1, const cryptonite_p256_int *n2,
const cryptonite_p256_int *in_x, const cryptonite_p256_int *in_y,
cryptonite_p256_int *out_x, cryptonite_p256_int *out_y);

// Return whether point {x,y} is on the curve (nonzero = on curve).
// Call this on every externally supplied point before handing it to
// cryptonite_p256_point_mul(). Whether x and y must already be reduced
// mod p is not stated here — values straight from cryptonite_p256_from_bin
// are raw 32-byte integers.
int cryptonite_p256_is_valid_point(const cryptonite_p256_int* x, const cryptonite_p256_int* y);

// Outputs big-endian binary form into exactly P256_NBYTES bytes, most
// significant byte first. Leading zero bytes are written, not skipped,
// so the encoding is fixed-width.
void cryptonite_p256_to_bin(const cryptonite_p256_int* src, uint8_t dst[P256_NBYTES]);

// Reads exactly P256_NBYTES bytes of big-endian binary form; a shorter
// encoding must be left-padded with zero bytes by the caller.
// The value is taken as-is: nothing here says it is reduced modulo p or n,
// so range-check the result (e.g. cryptonite_p256_cmp() against the
// modulus) before using untrusted input as a scalar or a coordinate.
void cryptonite_p256_from_bin(const uint8_t src[P256_NBYTES], cryptonite_p256_int* dst);

// Direct access to the digit array / to digit y (y is not bounds-checked).
#define P256_DIGITS(x) ((x)->a)
#define P256_DIGIT(x,y) ((x)->a[y])

// Static initializers for the values 0 and 1.
#define P256_ZERO {{0}}
#define P256_ONE {{1}}

#ifdef __cplusplus
}
#endif

#endif // SYSTEM_CORE_INCLUDE_MINCRYPT_LITE_P256_H_