1 /* crypto/bn/bn_gf2m.c */
2 /* ====================================================================
3 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
5 * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
6 * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
7 * to the OpenSSL project.
9 * The ECC Code is licensed pursuant to the OpenSSL open source
10 * license provided below.
12 * In addition, Sun covenants to all licensees who provide a reciprocal
13 * covenant with respect to their own patents if any, not to sue under
14 * current and future patent claims necessarily infringed by the making,
15 * using, practicing, selling, offering for sale and/or otherwise
16 * disposing of the ECC Code as delivered hereunder (or portions thereof),
17 * provided that such covenant shall not apply:
18 * 1) for code that a licensee deletes from the ECC Code;
19 * 2) separates from the ECC Code; or
20 * 3) for infringements caused by:
21 * i) the modification of the ECC Code or
22 * ii) the combination of the ECC Code with other software or
23 * devices where such combination causes the infringement.
25 * The software is originally written by Sheueling Chang Shantz and
26 * Douglas Stebila of Sun Microsystems Laboratories.
30 /* NOTE: This file is licensed pursuant to the OpenSSL license below
31 * and may be modified; but after modifications, the above covenant
32 * may no longer apply! In such cases, the corresponding paragraph
33 * ["In addition, Sun covenants ... causes the infringement."] and
34 * this note can be edited out; but please keep the Sun copyright
35 * notice and attribution. */
37 /* ====================================================================
38 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
40 * Redistribution and use in source and binary forms, with or without
41 * modification, are permitted provided that the following conditions
44 * 1. Redistributions of source code must retain the above copyright
45 * notice, this list of conditions and the following disclaimer.
47 * 2. Redistributions in binary form must reproduce the above copyright
48 * notice, this list of conditions and the following disclaimer in
49 * the documentation and/or other materials provided with the
52 * 3. All advertising materials mentioning features or use of this
53 * software must display the following acknowledgment:
54 * "This product includes software developed by the OpenSSL Project
55 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
57 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
58 * endorse or promote products derived from this software without
59 * prior written permission. For written permission, please contact
60 * openssl-core@openssl.org.
62 * 5. Products derived from this software may not be called "OpenSSL"
63 * nor may "OpenSSL" appear in their names without prior written
64 * permission of the OpenSSL Project.
66 * 6. Redistributions of any form whatsoever must retain the following
68 * "This product includes software developed by the OpenSSL Project
69 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
71 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
72 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
73 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
74 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
75 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
76 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
77 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
78 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
79 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
80 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
81 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
82 * OF THE POSSIBILITY OF SUCH DAMAGE.
83 * ====================================================================
85 * This product includes cryptographic software written by Eric Young
86 * (eay@cryptsoft.com). This product includes software written by Tim
87 * Hudson (tjh@cryptsoft.com).
97 /* Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should fail. */
98 #define MAX_ITERATIONS 50
100 static const BN_ULONG SQR_tb[16] =
101 { 0, 1, 4, 5, 16, 17, 20, 21,
102 64, 65, 68, 69, 80, 81, 84, 85 };
103 /* Platform-specific macros to accelerate squaring. */
104 #if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
106 SQR_tb[(w) >> 60 & 0xF] << 56 | SQR_tb[(w) >> 56 & 0xF] << 48 | \
107 SQR_tb[(w) >> 52 & 0xF] << 40 | SQR_tb[(w) >> 48 & 0xF] << 32 | \
108 SQR_tb[(w) >> 44 & 0xF] << 24 | SQR_tb[(w) >> 40 & 0xF] << 16 | \
109 SQR_tb[(w) >> 36 & 0xF] << 8 | SQR_tb[(w) >> 32 & 0xF]
111 SQR_tb[(w) >> 28 & 0xF] << 56 | SQR_tb[(w) >> 24 & 0xF] << 48 | \
112 SQR_tb[(w) >> 20 & 0xF] << 40 | SQR_tb[(w) >> 16 & 0xF] << 32 | \
113 SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \
114 SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
116 #ifdef THIRTY_TWO_BIT
118 SQR_tb[(w) >> 28 & 0xF] << 24 | SQR_tb[(w) >> 24 & 0xF] << 16 | \
119 SQR_tb[(w) >> 20 & 0xF] << 8 | SQR_tb[(w) >> 16 & 0xF]
121 SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \
122 SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
126 SQR_tb[(w) >> 12 & 0xF] << 8 | SQR_tb[(w) >> 8 & 0xF]
128 SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
132 SQR_tb[(w) >> 4 & 0xF]
137 /* Product of two polynomials a, b each with degree < BN_BITS2 - 1,
138 * result is a polynomial r with degree < 2 * BN_BITS - 1
139 * The caller MUST ensure that the variables have the right amount
140 * of space allocated.
143 static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a, const BN_ULONG b)
145 register BN_ULONG h, l, s;
146 BN_ULONG tab[4], top1b = a >> 7;
147 register BN_ULONG a1, a2;
149 a1 = a & (0x7F); a2 = a1 << 1;
151 tab[0] = 0; tab[1] = a1; tab[2] = a2; tab[3] = a1^a2;
153 s = tab[b & 0x3]; l = s;
154 s = tab[b >> 2 & 0x3]; l ^= s << 2; h = s >> 6;
155 s = tab[b >> 4 & 0x3]; l ^= s << 4; h ^= s >> 4;
156 s = tab[b >> 6 ]; l ^= s << 6; h ^= s >> 2;
158 /* compensate for the top bit of a */
160 if (top1b & 01) { l ^= b << 7; h ^= b >> 1; }
166 static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a, const BN_ULONG b)
168 register BN_ULONG h, l, s;
169 BN_ULONG tab[4], top1b = a >> 15;
170 register BN_ULONG a1, a2;
172 a1 = a & (0x7FFF); a2 = a1 << 1;
174 tab[0] = 0; tab[1] = a1; tab[2] = a2; tab[3] = a1^a2;
176 s = tab[b & 0x3]; l = s;
177 s = tab[b >> 2 & 0x3]; l ^= s << 2; h = s >> 14;
178 s = tab[b >> 4 & 0x3]; l ^= s << 4; h ^= s >> 12;
179 s = tab[b >> 6 & 0x3]; l ^= s << 6; h ^= s >> 10;
180 s = tab[b >> 8 & 0x3]; l ^= s << 8; h ^= s >> 8;
181 s = tab[b >>10 & 0x3]; l ^= s << 10; h ^= s >> 6;
182 s = tab[b >>12 & 0x3]; l ^= s << 12; h ^= s >> 4;
183 s = tab[b >>14 ]; l ^= s << 14; h ^= s >> 2;
185 /* compensate for the top bit of a */
187 if (top1b & 01) { l ^= b << 15; h ^= b >> 1; }
192 #ifdef THIRTY_TWO_BIT
193 static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a, const BN_ULONG b)
195 register BN_ULONG h, l, s;
196 BN_ULONG tab[8], top2b = a >> 30;
197 register BN_ULONG a1, a2, a4;
199 a1 = a & (0x3FFFFFFF); a2 = a1 << 1; a4 = a2 << 1;
201 tab[0] = 0; tab[1] = a1; tab[2] = a2; tab[3] = a1^a2;
202 tab[4] = a4; tab[5] = a1^a4; tab[6] = a2^a4; tab[7] = a1^a2^a4;
204 s = tab[b & 0x7]; l = s;
205 s = tab[b >> 3 & 0x7]; l ^= s << 3; h = s >> 29;
206 s = tab[b >> 6 & 0x7]; l ^= s << 6; h ^= s >> 26;
207 s = tab[b >> 9 & 0x7]; l ^= s << 9; h ^= s >> 23;
208 s = tab[b >> 12 & 0x7]; l ^= s << 12; h ^= s >> 20;
209 s = tab[b >> 15 & 0x7]; l ^= s << 15; h ^= s >> 17;
210 s = tab[b >> 18 & 0x7]; l ^= s << 18; h ^= s >> 14;
211 s = tab[b >> 21 & 0x7]; l ^= s << 21; h ^= s >> 11;
212 s = tab[b >> 24 & 0x7]; l ^= s << 24; h ^= s >> 8;
213 s = tab[b >> 27 & 0x7]; l ^= s << 27; h ^= s >> 5;
214 s = tab[b >> 30 ]; l ^= s << 30; h ^= s >> 2;
216 /* compensate for the top two bits of a */
218 if (top2b & 01) { l ^= b << 30; h ^= b >> 2; }
219 if (top2b & 02) { l ^= b << 31; h ^= b >> 1; }
224 #if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
225 static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a, const BN_ULONG b)
227 register BN_ULONG h, l, s;
228 BN_ULONG tab[16], top3b = a >> 61;
229 register BN_ULONG a1, a2, a4, a8;
231 a1 = a & (0x1FFFFFFFFFFFFFFFULL); a2 = a1 << 1; a4 = a2 << 1; a8 = a4 << 1;
233 tab[ 0] = 0; tab[ 1] = a1; tab[ 2] = a2; tab[ 3] = a1^a2;
234 tab[ 4] = a4; tab[ 5] = a1^a4; tab[ 6] = a2^a4; tab[ 7] = a1^a2^a4;
235 tab[ 8] = a8; tab[ 9] = a1^a8; tab[10] = a2^a8; tab[11] = a1^a2^a8;
236 tab[12] = a4^a8; tab[13] = a1^a4^a8; tab[14] = a2^a4^a8; tab[15] = a1^a2^a4^a8;
238 s = tab[b & 0xF]; l = s;
239 s = tab[b >> 4 & 0xF]; l ^= s << 4; h = s >> 60;
240 s = tab[b >> 8 & 0xF]; l ^= s << 8; h ^= s >> 56;
241 s = tab[b >> 12 & 0xF]; l ^= s << 12; h ^= s >> 52;
242 s = tab[b >> 16 & 0xF]; l ^= s << 16; h ^= s >> 48;
243 s = tab[b >> 20 & 0xF]; l ^= s << 20; h ^= s >> 44;
244 s = tab[b >> 24 & 0xF]; l ^= s << 24; h ^= s >> 40;
245 s = tab[b >> 28 & 0xF]; l ^= s << 28; h ^= s >> 36;
246 s = tab[b >> 32 & 0xF]; l ^= s << 32; h ^= s >> 32;
247 s = tab[b >> 36 & 0xF]; l ^= s << 36; h ^= s >> 28;
248 s = tab[b >> 40 & 0xF]; l ^= s << 40; h ^= s >> 24;
249 s = tab[b >> 44 & 0xF]; l ^= s << 44; h ^= s >> 20;
250 s = tab[b >> 48 & 0xF]; l ^= s << 48; h ^= s >> 16;
251 s = tab[b >> 52 & 0xF]; l ^= s << 52; h ^= s >> 12;
252 s = tab[b >> 56 & 0xF]; l ^= s << 56; h ^= s >> 8;
253 s = tab[b >> 60 ]; l ^= s << 60; h ^= s >> 4;
255 /* compensate for the top three bits of a */
257 if (top3b & 01) { l ^= b << 61; h ^= b >> 3; }
258 if (top3b & 02) { l ^= b << 62; h ^= b >> 2; }
259 if (top3b & 04) { l ^= b << 63; h ^= b >> 1; }
265 /* Product of two polynomials a, b each with degree < 2 * BN_BITS2 - 1,
266 * result is a polynomial r with degree < 4 * BN_BITS2 - 1
267 * The caller MUST ensure that the variables have the right amount
268 * of space allocated.
270 static void bn_GF2m_mul_2x2(BN_ULONG *r, const BN_ULONG a1, const BN_ULONG a0, const BN_ULONG b1, const BN_ULONG b0)
273 /* r[3] = h1, r[2] = h0; r[1] = l1; r[0] = l0 */
274 bn_GF2m_mul_1x1(r+3, r+2, a1, b1);
275 bn_GF2m_mul_1x1(r+1, r, a0, b0);
276 bn_GF2m_mul_1x1(&m1, &m0, a0 ^ a1, b0 ^ b1);
277 /* Correction on m1 ^= l1 ^ h1; m0 ^= l0 ^ h0; */
278 r[2] ^= m1 ^ r[1] ^ r[3]; /* h0 ^= m1 ^ l1 ^ h1; */
279 r[1] = r[3] ^ r[2] ^ r[0] ^ m1 ^ m0; /* l1 ^= l0 ^ h0 ^ m0; */
283 /* Add polynomials a and b and store result in r; r could be a or b, a and b
284 * could be equal; r is the bitwise XOR of a and b.
286 EXPORT_C int BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
289 const BIGNUM *at, *bt;
294 if (a->top < b->top) { at = b; bt = a; }
295 else { at = a; bt = b; }
297 bn_wexpand(r, at->top);
299 for (i = 0; i < bt->top; i++)
301 r->d[i] = at->d[i] ^ bt->d[i];
303 for (; i < at->top; i++)
315 /* Some functions allow for representation of the irreducible polynomials
316 * as an int[], say p. The irreducible f(t) is then of the form:
317 * t^p[0] + t^p[1] + ... + t^p[k]
318 * where m = p[0] > p[1] > ... > p[k] = 0.
322 /* Performs modular reduction of a and store result in r. r could be a. */
323 EXPORT_C int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[])
333 /* reduction mod 1 => return 0 */
338 /* Since the algorithm does reduction in the r value, if a != r, copy
339 * the contents of a into r so we can do reduction in r.
343 if (!bn_wexpand(r, a->top)) return 0;
344 for (j = 0; j < a->top; j++)
352 /* start reduction */
353 dN = p[0] / BN_BITS2;
354 for (j = r->top - 1; j > dN;)
357 if (z[j] == 0) { j--; continue; }
360 for (k = 1; p[k] != 0; k++)
362 /* reducing component t^p[k] */
364 d0 = n % BN_BITS2; d1 = BN_BITS2 - d0;
367 if (d0) z[j-n-1] ^= (zz<<d1);
370 /* reducing component t^0 */
372 d0 = p[0] % BN_BITS2;
374 z[j-n] ^= (zz >> d0);
375 if (d0) z[j-n-1] ^= (zz << d1);
378 /* final round of reduction */
382 d0 = p[0] % BN_BITS2;
387 if (d0) z[dN] = (z[dN] << d1) >> d1; /* clear up the top d1 bits */
388 z[0] ^= zz; /* reduction t^0 component */
390 for (k = 1; p[k] != 0; k++)
394 /* reducing component t^p[k]*/
396 d0 = p[k] % BN_BITS2;
399 tmp_ulong = zz >> d1;
411 /* Performs modular reduction of a by p and store result in r. r could be a.
413 * This function calls down to the BN_GF2m_mod_arr implementation; this wrapper
414 * function is only provided for convenience; for best performance, use the
415 * BN_GF2m_mod_arr function.
417 EXPORT_C int BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p)
420 const int max = BN_num_bits(p);
421 unsigned int *arr=NULL;
424 if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL) goto err;
425 ret = BN_GF2m_poly2arr(p, arr, max);
426 if (!ret || ret > max)
428 BNerr(BN_F_BN_GF2M_MOD,BN_R_INVALID_LENGTH);
431 ret = BN_GF2m_mod_arr(r, a, arr);
434 if (arr) OPENSSL_free(arr);
439 /* Compute the product of two polynomials a and b, reduce modulo p, and store
440 * the result in r. r could be a or b; a could be b.
442 EXPORT_C int BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const unsigned int p[], BN_CTX *ctx)
444 int zlen, i, j, k, ret = 0;
446 BN_ULONG x1, x0, y1, y0, zz[4];
453 return BN_GF2m_mod_sqr_arr(r, a, p, ctx);
457 if ((s = BN_CTX_get(ctx)) == NULL) goto err;
459 zlen = a->top + b->top + 4;
460 if (!bn_wexpand(s, zlen)) goto err;
463 for (i = 0; i < zlen; i++) s->d[i] = 0;
465 for (j = 0; j < b->top; j += 2)
468 y1 = ((j+1) == b->top) ? 0 : b->d[j+1];
469 for (i = 0; i < a->top; i += 2)
472 x1 = ((i+1) == a->top) ? 0 : a->d[i+1];
473 bn_GF2m_mul_2x2(zz, x1, x0, y1, y0);
474 for (k = 0; k < 4; k++) s->d[i+j+k] ^= zz[k];
479 if (BN_GF2m_mod_arr(r, s, p))
488 /* Compute the product of two polynomials a and b, reduce modulo p, and store
489 * the result in r. r could be a or b; a could equal b.
491 * This function calls down to the BN_GF2m_mod_mul_arr implementation; this wrapper
492 * function is only provided for convenience; for best performance, use the
493 * BN_GF2m_mod_mul_arr function.
495 EXPORT_C int BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *p, BN_CTX *ctx)
498 const int max = BN_num_bits(p);
499 unsigned int *arr=NULL;
503 if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL) goto err;
504 ret = BN_GF2m_poly2arr(p, arr, max);
505 if (!ret || ret > max)
507 BNerr(BN_F_BN_GF2M_MOD_MUL,BN_R_INVALID_LENGTH);
510 ret = BN_GF2m_mod_mul_arr(r, a, b, arr, ctx);
513 if (arr) OPENSSL_free(arr);
518 /* Square a, reduce the result mod p, and store it in a. r could be a. */
519 EXPORT_C int BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[], BN_CTX *ctx)
526 if ((s = BN_CTX_get(ctx)) == NULL) return 0;
527 if (!bn_wexpand(s, 2 * a->top)) goto err;
529 for (i = a->top - 1; i >= 0; i--)
531 s->d[2*i+1] = SQR1(a->d[i]);
532 s->d[2*i ] = SQR0(a->d[i]);
537 if (!BN_GF2m_mod_arr(r, s, p)) goto err;
545 /* Square a, reduce the result mod p, and store it in a. r could be a.
547 * This function calls down to the BN_GF2m_mod_sqr_arr implementation; this wrapper
548 * function is only provided for convenience; for best performance, use the
549 * BN_GF2m_mod_sqr_arr function.
551 EXPORT_C int BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
554 const int max = BN_num_bits(p);
555 unsigned int *arr=NULL;
559 if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL) goto err;
560 ret = BN_GF2m_poly2arr(p, arr, max);
561 if (!ret || ret > max)
563 BNerr(BN_F_BN_GF2M_MOD_SQR,BN_R_INVALID_LENGTH);
566 ret = BN_GF2m_mod_sqr_arr(r, a, arr, ctx);
569 if (arr) OPENSSL_free(arr);
574 /* Invert a, reduce modulo p, and store the result in r. r could be a.
575 * Uses Modified Almost Inverse Algorithm (Algorithm 10) from
576 * Hankerson, D., Hernandez, J.L., and Menezes, A. "Software Implementation
577 * of Elliptic Curve Cryptography Over Binary Fields".
579 EXPORT_C int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
581 BIGNUM *b, *c, *u, *v, *tmp;
593 if (v == NULL) goto err;
595 if (!BN_one(b)) goto err;
596 if (!BN_GF2m_mod(u, a, p)) goto err;
597 if (!BN_copy(v, p)) goto err;
599 if (BN_is_zero(u)) goto err;
603 while (!BN_is_odd(u))
605 if (!BN_rshift1(u, u)) goto err;
608 if (!BN_GF2m_add(b, b, p)) goto err;
610 if (!BN_rshift1(b, b)) goto err;
613 if (BN_abs_is_word(u, 1)) break;
615 if (BN_num_bits(u) < BN_num_bits(v))
617 tmp = u; u = v; v = tmp;
618 tmp = b; b = c; c = tmp;
621 if (!BN_GF2m_add(u, u, v)) goto err;
622 if (!BN_GF2m_add(b, b, c)) goto err;
626 if (!BN_copy(r, b)) goto err;
635 /* Invert xx, reduce modulo p, and store the result in r. r could be xx.
637 * This function calls down to the BN_GF2m_mod_inv implementation; this wrapper
638 * function is only provided for convenience; for best performance, use the
639 * BN_GF2m_mod_inv function.
641 EXPORT_C int BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *xx, const unsigned int p[], BN_CTX *ctx)
648 if ((field = BN_CTX_get(ctx)) == NULL) goto err;
649 if (!BN_GF2m_arr2poly(p, field)) goto err;
651 ret = BN_GF2m_mod_inv(r, xx, field, ctx);
660 #ifndef OPENSSL_SUN_GF2M_DIV
661 /* Divide y by x, reduce modulo p, and store the result in r. r could be x
662 * or y, x could equal y.
664 EXPORT_C int BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *y, const BIGNUM *x, const BIGNUM *p, BN_CTX *ctx)
674 xinv = BN_CTX_get(ctx);
675 if (xinv == NULL) goto err;
677 if (!BN_GF2m_mod_inv(xinv, x, p, ctx)) goto err;
678 if (!BN_GF2m_mod_mul(r, y, xinv, p, ctx)) goto err;
687 /* Divide y by x, reduce modulo p, and store the result in r. r could be x
688 * or y, x could equal y.
689 * Uses algorithm Modular_Division_GF(2^m) from
690 * Chang-Shantz, S. "From Euclid's GCD to Montgomery Multiplication to
693 EXPORT_C int BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *y, const BIGNUM *x, const BIGNUM *p, BN_CTX *ctx)
695 BIGNUM *a, *b, *u, *v;
708 if (v == NULL) goto err;
710 /* reduce x and y mod p */
711 if (!BN_GF2m_mod(u, y, p)) goto err;
712 if (!BN_GF2m_mod(a, x, p)) goto err;
713 if (!BN_copy(b, p)) goto err;
715 while (!BN_is_odd(a))
717 if (!BN_rshift1(a, a)) goto err;
718 if (BN_is_odd(u)) if (!BN_GF2m_add(u, u, p)) goto err;
719 if (!BN_rshift1(u, u)) goto err;
724 if (BN_GF2m_cmp(b, a) > 0)
726 if (!BN_GF2m_add(b, b, a)) goto err;
727 if (!BN_GF2m_add(v, v, u)) goto err;
730 if (!BN_rshift1(b, b)) goto err;
731 if (BN_is_odd(v)) if (!BN_GF2m_add(v, v, p)) goto err;
732 if (!BN_rshift1(v, v)) goto err;
733 } while (!BN_is_odd(b));
735 else if (BN_abs_is_word(a, 1))
739 if (!BN_GF2m_add(a, a, b)) goto err;
740 if (!BN_GF2m_add(u, u, v)) goto err;
743 if (!BN_rshift1(a, a)) goto err;
744 if (BN_is_odd(u)) if (!BN_GF2m_add(u, u, p)) goto err;
745 if (!BN_rshift1(u, u)) goto err;
746 } while (!BN_is_odd(a));
750 if (!BN_copy(r, u)) goto err;
760 /* Divide yy by xx, reduce modulo p, and store the result in r. r could be xx
761 * or yy, xx could equal yy.
763 * This function calls down to the BN_GF2m_mod_div implementation; this wrapper
764 * function is only provided for convenience; for best performance, use the
765 * BN_GF2m_mod_div function.
767 EXPORT_C int BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *yy, const BIGNUM *xx, const unsigned int p[], BN_CTX *ctx)
776 if ((field = BN_CTX_get(ctx)) == NULL) goto err;
777 if (!BN_GF2m_arr2poly(p, field)) goto err;
779 ret = BN_GF2m_mod_div(r, yy, xx, field, ctx);
788 /* Compute the bth power of a, reduce modulo p, and store
789 * the result in r. r could be a.
790 * Uses simple square-and-multiply algorithm A.5.1 from IEEE P1363.
792 EXPORT_C int BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const unsigned int p[], BN_CTX *ctx)
803 if (BN_abs_is_word(b, 1))
804 return (BN_copy(r, a) != NULL);
807 if ((u = BN_CTX_get(ctx)) == NULL) goto err;
809 if (!BN_GF2m_mod_arr(u, a, p)) goto err;
811 n = BN_num_bits(b) - 1;
812 for (i = n - 1; i >= 0; i--)
814 if (!BN_GF2m_mod_sqr_arr(u, u, p, ctx)) goto err;
815 if (BN_is_bit_set(b, i))
817 if (!BN_GF2m_mod_mul_arr(u, u, a, p, ctx)) goto err;
820 if (!BN_copy(r, u)) goto err;
828 /* Compute the bth power of a, reduce modulo p, and store
829 * the result in r. r could be a.
831 * This function calls down to the BN_GF2m_mod_exp_arr implementation; this wrapper
832 * function is only provided for convenience; for best performance, use the
833 * BN_GF2m_mod_exp_arr function.
835 EXPORT_C int BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *p, BN_CTX *ctx)
838 const int max = BN_num_bits(p);
839 unsigned int *arr=NULL;
843 if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL) goto err;
844 ret = BN_GF2m_poly2arr(p, arr, max);
845 if (!ret || ret > max)
847 BNerr(BN_F_BN_GF2M_MOD_EXP,BN_R_INVALID_LENGTH);
850 ret = BN_GF2m_mod_exp_arr(r, a, b, arr, ctx);
853 if (arr) OPENSSL_free(arr);
857 /* Compute the square root of a, reduce modulo p, and store
858 * the result in r. r could be a.
859 * Uses exponentiation as in algorithm A.4.1 from IEEE P1363.
861 EXPORT_C int BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[], BN_CTX *ctx)
870 /* reduction mod 1 => return 0 */
876 if ((u = BN_CTX_get(ctx)) == NULL) goto err;
878 if (!BN_set_bit(u, p[0] - 1)) goto err;
879 ret = BN_GF2m_mod_exp_arr(r, a, u, p, ctx);
887 /* Compute the square root of a, reduce modulo p, and store
888 * the result in r. r could be a.
890 * This function calls down to the BN_GF2m_mod_sqrt_arr implementation; this wrapper
891 * function is only provided for convenience; for best performance, use the
892 * BN_GF2m_mod_sqrt_arr function.
894 EXPORT_C int BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
897 const int max = BN_num_bits(p);
898 unsigned int *arr=NULL;
901 if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL) goto err;
902 ret = BN_GF2m_poly2arr(p, arr, max);
903 if (!ret || ret > max)
905 BNerr(BN_F_BN_GF2M_MOD_SQRT,BN_R_INVALID_LENGTH);
908 ret = BN_GF2m_mod_sqrt_arr(r, a, arr, ctx);
911 if (arr) OPENSSL_free(arr);
915 /* Find r such that r^2 + r = a mod p. r could be a. If no r exists returns 0.
916 * Uses algorithms A.4.7 and A.4.6 from IEEE P1363.
918 EXPORT_C int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a_, const unsigned int p[], BN_CTX *ctx)
920 int ret = 0, count = 0;
922 BIGNUM *a, *z, *rho, *w, *w2, *tmp;
928 /* reduction mod 1 => return 0 */
937 if (w == NULL) goto err;
939 if (!BN_GF2m_mod_arr(a, a_, p)) goto err;
948 if (p[0] & 0x1) /* m is odd */
950 /* compute half-trace of a */
951 if (!BN_copy(z, a)) goto err;
952 for (j = 1; j <= (p[0] - 1) / 2; j++)
954 if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx)) goto err;
955 if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx)) goto err;
956 if (!BN_GF2m_add(z, z, a)) goto err;
962 rho = BN_CTX_get(ctx);
963 w2 = BN_CTX_get(ctx);
964 tmp = BN_CTX_get(ctx);
965 if (tmp == NULL) goto err;
968 if (!BN_rand(rho, p[0], 0, 0)) goto err;
969 if (!BN_GF2m_mod_arr(rho, rho, p)) goto err;
971 if (!BN_copy(w, rho)) goto err;
972 for (j = 1; j <= p[0] - 1; j++)
974 if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx)) goto err;
975 if (!BN_GF2m_mod_sqr_arr(w2, w, p, ctx)) goto err;
976 if (!BN_GF2m_mod_mul_arr(tmp, w2, a, p, ctx)) goto err;
977 if (!BN_GF2m_add(z, z, tmp)) goto err;
978 if (!BN_GF2m_add(w, w2, rho)) goto err;
981 } while (BN_is_zero(w) && (count < MAX_ITERATIONS));
984 BNerr(BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR,BN_R_TOO_MANY_ITERATIONS);
989 if (!BN_GF2m_mod_sqr_arr(w, z, p, ctx)) goto err;
990 if (!BN_GF2m_add(w, z, w)) goto err;
991 if (BN_GF2m_cmp(w, a))
993 BNerr(BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR, BN_R_NO_SOLUTION);
997 if (!BN_copy(r, z)) goto err;
1007 /* Find r such that r^2 + r = a mod p. r could be a. If no r exists returns 0.
1009 * This function calls down to the BN_GF2m_mod_solve_quad_arr implementation; this wrapper
1010 * function is only provided for convenience; for best performance, use the
1011 * BN_GF2m_mod_solve_quad_arr function.
1013 EXPORT_C int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
1016 const int max = BN_num_bits(p);
1017 unsigned int *arr=NULL;
1020 if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) *
1021 max)) == NULL) goto err;
1022 ret = BN_GF2m_poly2arr(p, arr, max);
1023 if (!ret || ret > max)
1025 BNerr(BN_F_BN_GF2M_MOD_SOLVE_QUAD,BN_R_INVALID_LENGTH);
1028 ret = BN_GF2m_mod_solve_quad_arr(r, a, arr, ctx);
1031 if (arr) OPENSSL_free(arr);
1035 /* Convert the bit-string representation of a polynomial
1036 * ( \sum_{i=0}^n a_i * x^i , where a_0 is *not* zero) into an array
1037 * of integers corresponding to the bits with non-zero coefficient.
1038 * Up to max elements of the array will be filled. Return value is total
1039 * number of coefficients that would be extracted if array was large enough.
1041 EXPORT_C int BN_GF2m_poly2arr(const BIGNUM *a, unsigned int p[], int max)
1046 if (BN_is_zero(a) || !BN_is_bit_set(a, 0))
1047 /* a_0 == 0 => return error (the unsigned int array
1048 * must be terminated by 0)
1052 for (i = a->top - 1; i >= 0; i--)
1055 /* skip word if a->d[i] == 0 */
1058 for (j = BN_BITS2 - 1; j >= 0; j--)
1062 if (k < max) p[k] = BN_BITS2 * i + j;
1072 /* Convert the coefficient array representation of a polynomial to a
1073 * bit-string. The array must be terminated by 0.
1075 EXPORT_C int BN_GF2m_arr2poly(const unsigned int p[], BIGNUM *a)
1081 for (i = 0; p[i] != 0; i++)
1083 if (BN_set_bit(a, p[i]) == 0)