
fe_operations.h

00001 /* fe_operations.h
00002  *
00003  * Copyright (C) 2006-2016 wolfSSL Inc.
00004  *
00005  * This file is part of wolfSSL.
00006  *
00007  * wolfSSL is free software; you can redistribute it and/or modify
00008  * it under the terms of the GNU General Public License as published by
00009  * the Free Software Foundation; either version 2 of the License, or
00010  * (at your option) any later version.
00011  *
00012  * wolfSSL is distributed in the hope that it will be useful,
00013  * but WITHOUT ANY WARRANTY; without even the implied warranty of
00014  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
00015  * GNU General Public License for more details.
00016  *
00017  * You should have received a copy of the GNU General Public License
00018  * along with this program; if not, write to the Free Software
00019  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
00020  */
00021 
00022 
00023 #ifndef WOLF_CRYPT_FE_OPERATIONS_H
00024 #define WOLF_CRYPT_FE_OPERATIONS_H
00025 
00026 #include <wolfssl/wolfcrypt/settings.h>
00027 
00028 #if defined(HAVE_CURVE25519) || defined(HAVE_ED25519)
00029 
00030 #ifndef CURVED25519_SMALL
00031     #include <stdint.h>
00032 #endif
00033 #include <wolfssl/wolfcrypt/types.h>
00034 
00035 /*
00036 fe means field element.
00037 Here the field is \Z/(2^255-19).
00038 An element t, entries t[0]...t[9] (the default, non-CURVED25519_SMALL layout), represents the integer
00039 t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9].
00040 Bounds on each t[i] vary depending on context.
00041 */
00042 
00043 #ifdef CURVED25519_SMALL
00044     #define F25519_SIZE 32        /* element count of the small-build field element array */
00045     typedef byte     fe[32];      /* small build: a field element is an array of 32 `byte` values */
00046 #else
00047     typedef int32_t  fe[10];      /* default build: ten signed 32-bit limbs, t[0]..t[9] */
00048 #endif /* fe is an array typedef: as a function parameter it decays to a pointer, so callees receive no length information */
00049 
00050 WOLFSSL_LOCAL int  curve25519(byte * q, byte * n, byte * p); /* NOTE(review): presumably q = n*p with n the scalar; n and p are not const-qualified, so confirm in the definition that inputs are left unmodified and what the int result means */
00051 WOLFSSL_LOCAL void fe_copy(fe, const fe);           /* parameters are unnamed: the non-const fe is writable, the const fe is read-only */
00052 WOLFSSL_LOCAL void fe_add(fe, const fe, const fe);  /* one writable fe, two read-only operands */
00053 WOLFSSL_LOCAL void fe_neg(fe,const fe);             /* one writable fe, one read-only operand */
00054 WOLFSSL_LOCAL void fe_sub(fe, const fe, const fe);  /* one writable fe, two read-only operands */
00055 WOLFSSL_LOCAL void fe_invert(fe, const fe);         /* one writable fe, one read-only operand; returns void, so no error is reported (behaviour for a zero input is not visible here) */
00056 WOLFSSL_LOCAL void fe_mul(fe,const fe,const fe);    /* one writable fe, two read-only operands */
00057 
00058 /* default to be faster but take more memory */
00059 #ifndef CURVED25519_SMALL
00060 
00061 /* Based On Daniel J Bernstein's curve25519 and ed25519 Public Domain ref10
00062    work. */
00063 
00064 WOLFSSL_LOCAL void fe_0(fe);                 /* takes one writable fe; presumably sets it to 0 - confirm */
00065 WOLFSSL_LOCAL void fe_1(fe);                 /* takes one writable fe; presumably sets it to 1 - confirm */
00066 WOLFSSL_LOCAL int  fe_isnonzero(const fe);   /* read-only fe in, int out; the exact return values are not visible in this header */
00067 WOLFSSL_LOCAL int  fe_isnegative(const fe);  /* read-only fe in, int out; the exact return values are not visible in this header */
00068 WOLFSSL_LOCAL void fe_tobytes(unsigned char *, const fe); /* output pointer carries no length; presumably 32 bytes are written - confirm the buffer size at call sites */
00069 WOLFSSL_LOCAL void fe_sq(fe, const fe);      /* one writable fe, one read-only operand */
00070 WOLFSSL_LOCAL void fe_sq2(fe,const fe);      /* one writable fe, one read-only operand */
00071 WOLFSSL_LOCAL void fe_frombytes(fe,const unsigned char *); /* input pointer carries no length; presumably 32 bytes are read - confirm */
00072 WOLFSSL_LOCAL void fe_cswap(fe,fe,unsigned int); /* both fe arguments are writable; NOTE(review): ref10 expects the flag to be 0 or 1 and swaps without branching on it - confirm this port keeps that property */
00073 WOLFSSL_LOCAL void fe_mul121666(fe,fe);      /* second fe is not const, unlike the other one-operand functions - confirm it is only read */
00074 WOLFSSL_LOCAL void fe_cmov(fe,const fe,unsigned int); /* NOTE(review): ref10 expects the flag to be 0 or 1 and moves without branching on it - confirm this port keeps that property */
00075 WOLFSSL_LOCAL void fe_pow22523(fe,const fe); /* one writable fe, one read-only operand */
00076 
00077 /* 64 type needed for SHA512 */
00078 WOLFSSL_LOCAL uint64_t load_3(const unsigned char *in); /* no length parameter; by name presumably reads 3 bytes from in - confirm */
00079 WOLFSSL_LOCAL uint64_t load_4(const unsigned char *in); /* no length parameter; by name presumably reads 4 bytes from in - confirm */
00080 #endif /* not defined CURVED25519_SMALL */
00081 
00082 /* Use less memory and only 32bit types or less, but is slower
00083    Based on Daniel Beer's public domain work. */
00084 #ifdef CURVED25519_SMALL
00085 static const byte c25519_base_x[F25519_SIZE] = {9}; /* first element 9, remaining elements zero-initialized; static in a header, so every including translation unit gets its own copy */
00086 static const byte f25519_zero[F25519_SIZE]   = {0}; /* all elements zero */
00087 static const byte f25519_one[F25519_SIZE]    = {1}; /* first element 1, remaining elements zero */
00088 static const byte fprime_zero[F25519_SIZE]   = {0}; /* same contents as f25519_zero */
00089 static const byte fprime_one[F25519_SIZE]    = {1}; /* same contents as f25519_one */
00090 
00091 WOLFSSL_LOCAL void fe_load(byte *x, word32 c);      /* writes through x; presumably stores the small integer c as a field element - confirm */
00092 WOLFSSL_LOCAL void fe_normalize(byte *x);           /* operates on x in place (x is the only argument and is writable) */
00093 WOLFSSL_LOCAL void fe_inv__distinct(byte *r, const byte *x); /* NOTE(review): the "__distinct" suffix suggests r must not alias x (fe_mul_c, by contrast, is documented as allowing aliasing) - confirm */
00094 
00095 /* Conditional copy. If condition == 0, then the buffer `zero` is copied to
00096  * dst. If condition == 1, then the buffer `one` is copied to dst. Any other
00097  * value results in undefined behavior, so callers must pass exactly 0 or 1.
00098  */
00099 WOLFSSL_LOCAL void fe_select(byte *dst, const byte *zero, const byte *one,
00100            byte condition); /* no length parameter; buffers are presumably F25519_SIZE bytes - confirm */
00101 
00102 /* Multiply a point by a small constant. The two pointers are not
00103  * required to be distinct.
00104  *
00105  * The constant must be less than 2^24.
00106  */
00107 WOLFSSL_LOCAL void fe_mul_c(byte *r, const byte *a, word32 b); /* the word32 parameter type does not express the < 2^24 bound; callers must guarantee it */
00108 WOLFSSL_LOCAL void fe_mul__distinct(byte *r, const byte *a, const byte *b); /* NOTE(review): the "__distinct" suffix suggests r must not alias a or b, unlike fe_mul_c above - confirm */
00109 
00110 /* Compute one of the square roots of the field element, if the element
00111  * is square. The other square root is -r.
00112  *
00113  * If the input is not square, the returned value is a valid field
00114  * element, but not the correct answer. If you don't already know that
00115  * your element is square, you should square the return value and test.
00116  */
00117 WOLFSSL_LOCAL void fe_sqrt(byte *r, const byte *x); /* returns void: a non-square input is not signalled, so the squaring check described above is the caller's only validation */
00118 
00119 /* Conditional copy. If condition == 0, then the buffer `zero` is copied to
00120  * dst. If condition == 1, then the buffer `one` is copied to dst. Any other
00121  * value results in undefined behavior, so callers must pass exactly 0 or 1.
00122  */
00123 WOLFSSL_LOCAL void fprime_select(byte *dst, const byte *zero, const byte *one,
00124                                  byte condition);
00125 WOLFSSL_LOCAL void fprime_add(byte *r, const byte *a, const byte *modulus); /* r is the only writable argument; presumably r = (r + a) mod modulus - confirm */
00126 WOLFSSL_LOCAL void fprime_sub(byte *r, const byte *a, const byte *modulus); /* r is the only writable argument; presumably r = (r - a) mod modulus - confirm */
00127 WOLFSSL_LOCAL void fprime_mul(byte *r, const byte *a, const byte *b,
00128                               const byte *modulus); /* r is the only writable argument; a, b and modulus are read-only */
00129 WOLFSSL_LOCAL void fprime_copy(byte *x, const byte *a); /* writes through x, reads a; no length parameter (presumably F25519_SIZE bytes - confirm) */
00130 #endif /* CURVED25519_SMALL */
00131 #endif /* HAVE_CURVE25519 or HAVE_ED25519 */
00132 #endif /* WOLF_CRYPT_FE_OPERATIONS_H */
00133 
00134