Fork of wolfSSL by
fe_operations.h
/* fe_operations.h
 *
 * Copyright (C) 2006-2016 wolfSSL Inc.
 *
 * This file is part of wolfSSL.
 *
 * wolfSSL is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfSSL is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */

/*
 * Field-element (fe) arithmetic interface shared by the Curve25519 and
 * Ed25519 code.  Everything below is compiled only when HAVE_CURVE25519 or
 * HAVE_ED25519 is defined, and every prototype carries WOLFSSL_LOCAL.
 * NOTE(review): WOLFSSL_LOCAL is defined outside this header; presumably it
 * marks the symbols as library-internal -- confirm before calling any of
 * these from application code.
 *
 * None of the functions takes a buffer length.  Callers are responsible for
 * passing buffers of the size the selected representation expects
 * (presumably 32 bytes for the byte-string arguments -- confirm against the
 * implementation).
 */

#ifndef WOLF_CRYPT_FE_OPERATIONS_H
#define WOLF_CRYPT_FE_OPERATIONS_H

#include <wolfssl/wolfcrypt/settings.h>

#if defined(HAVE_CURVE25519) || defined(HAVE_ED25519)

/* stdint.h is pulled in only for the int32_t/int64_t/uint64_t builds below;
 * the CURVED25519_SMALL build uses the wolfSSL byte/word32 types instead. */
#ifndef CURVED25519_SMALL
    #include <stdint.h>
#endif
#include <wolfssl/wolfcrypt/types.h>

/*
fe means field element.
Here the field is \Z/(2^255-19).
An element t, entries t[0]...t[9], represents the integer
t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9].
Bounds on each t[i] vary depending on context.

NOTE(review): the ten-entry description above matches only the
int32_t fe[10] typedef.  The int64_t fe[5] (HAVE___UINT128_T) and
byte fe[32] (CURVED25519_SMALL) builds have a different number of entries,
and their layout is not described in this header -- confirm against the
implementation before relying on limb positions or bounds.
*/

/*
 * The representation is chosen at build time, so code that includes this
 * header must not assume a particular element count or limb width.
 * fe is an array typedef: a function parameter declared as `fe` is a
 * pointer, so sizeof on such a parameter yields the pointer size, not the
 * element size.  Keep that in mind when clearing secret temporaries.
 */
#ifdef CURVED25519_SMALL
    #define F25519_SIZE 32
    typedef byte fe[32];
#elif defined(HAVE___UINT128_T)
    typedef int64_t fe[5];
#else
    typedef int32_t fe[10];
#endif

/*
 * Declared unless FREESCALE_LTC_ECC is defined.
 * NOTE(review): presumably computes q = n * p (scalar multiplication) with
 * n the secret scalar -- confirm against the implementation.  None of the
 * three pointers is const-qualified, so the prototype alone does not show
 * which buffers are written; treat n as secret material either way.
 */
#if! defined FREESCALE_LTC_ECC
WOLFSSL_LOCAL int curve25519(byte * q, byte * n, byte * p);
#endif

/* Operations declared for every representation.  By the const qualifiers,
 * the first argument is the destination and the remaining ones are inputs. */
WOLFSSL_LOCAL void fe_copy(fe, const fe);
WOLFSSL_LOCAL void fe_add(fe, const fe, const fe);
WOLFSSL_LOCAL void fe_neg(fe,const fe);
WOLFSSL_LOCAL void fe_sub(fe, const fe, const fe);
WOLFSSL_LOCAL void fe_invert(fe, const fe);
WOLFSSL_LOCAL void fe_mul(fe,const fe,const fe);

/* default to be faster but take more memory */
#ifndef CURVED25519_SMALL

/* Based On Daniel J Bernstein's curve25519 and ed25519 Public Domain ref10
   work. */

WOLFSSL_LOCAL void fe_0(fe);
WOLFSSL_LOCAL void fe_1(fe);
WOLFSSL_LOCAL int fe_isnonzero(const fe);
WOLFSSL_LOCAL int fe_isnegative(const fe);
/* fe_tobytes / fe_frombytes take a raw byte pointer with no length; the
 * caller must supply a buffer of the size the implementation expects
 * (presumably 32 bytes -- confirm). */
WOLFSSL_LOCAL void fe_tobytes(unsigned char *, const fe);
WOLFSSL_LOCAL void fe_sq(fe, const fe);
WOLFSSL_LOCAL void fe_sq2(fe,const fe);
WOLFSSL_LOCAL void fe_frombytes(fe,const unsigned char *);
/* NOTE(review): fe_cswap and fe_cmov take an int flag.  In the ref10 design
 * these are the conditional swap/move applied to secret-dependent flags;
 * presumably branch-free and expecting the flag to be exactly 0 or 1 --
 * confirm in the implementation before passing any other value. */
WOLFSSL_LOCAL void fe_cswap(fe, fe, int);
/* Second argument is not const-qualified in this prototype. */
WOLFSSL_LOCAL void fe_mul121666(fe,fe);
WOLFSSL_LOCAL void fe_cmov(fe,const fe, int);
WOLFSSL_LOCAL void fe_pow22523(fe,const fe);

/* 64 type needed for SHA512 */
/* NOTE(review): presumably read 3 and 4 bytes from `in` into a uint64_t;
 * there is no length argument, so `in` must have at least that many
 * readable bytes -- confirm against the implementation. */
WOLFSSL_LOCAL uint64_t load_3(const unsigned char *in);
WOLFSSL_LOCAL uint64_t load_4(const unsigned char *in);
#endif /* not defined CURVED25519_SMALL */

/* Use less memory and only 32bit types or less, but is slower
   Based on Daniel Beer's public domain work. */
#ifdef CURVED25519_SMALL
/* Constant tables.  Only element 0 is given in each initializer; the
 * remaining F25519_SIZE-1 bytes are zero-initialised.  Because these are
 * static const definitions in a header, every translation unit that
 * includes this file gets its own copy. */
static const byte c25519_base_x[F25519_SIZE] = {9};
static const byte f25519_zero[F25519_SIZE]   = {0};
static const byte f25519_one[F25519_SIZE]    = {1};
static const byte fprime_zero[F25519_SIZE]   = {0};
static const byte fprime_one[F25519_SIZE]    = {1};

WOLFSSL_LOCAL void fe_load(byte *x, word32 c);
WOLFSSL_LOCAL void fe_normalize(byte *x);
/* NOTE(review): the __distinct suffix presumably means the output buffer
 * must not alias the inputs (contrast with the fe_mul_c comment below) --
 * confirm against the implementation. */
WOLFSSL_LOCAL void fe_inv__distinct(byte *r, const byte *x);

/* Conditional copy. If condition == 0, then the buffer `zero` is copied to
 * dst. If condition == 1, then the buffer `one` is copied to dst. Any other
 * value results in undefined behavior, so callers must reduce the condition
 * to exactly 0 or 1 before the call.
 */
WOLFSSL_LOCAL void fe_select(byte *dst, const byte *zero, const byte *one,
                             byte condition);

/* Multiply a point by a small constant. The two pointers are not
 * required to be distinct.
 *
 * The constant must be less than 2^24.  The word32 parameter type does not
 * enforce this bound; it is the caller's responsibility.
 */
WOLFSSL_LOCAL void fe_mul_c(byte *r, const byte *a, word32 b);
WOLFSSL_LOCAL void fe_mul__distinct(byte *r, const byte *a, const byte *b);

/* Compute one of the square roots of the field element, if the element
 * is square. The other square root is -r.
 *
 * If the input is not square, the returned value is a valid field
 * element, but not the correct answer. If you don't already know that
 * your element is square, you should square the return value and test.
 * The function returns void, so that test is the only failure signal.
 */
WOLFSSL_LOCAL void fe_sqrt(byte *r, const byte *x);

/* Conditional copy. If condition == 0, then the buffer `zero` is copied to
 * dst. If condition == 1, then the buffer `one` is copied to dst. Any other
 * value results in undefined behavior, so callers must reduce the condition
 * to exactly 0 or 1 before the call.
 */
WOLFSSL_LOCAL void fprime_select(byte *dst, const byte *zero, const byte *one,
                                 byte condition);
/* Arithmetic modulo a caller-supplied modulus.
 * NOTE(review): fprime_add and fprime_sub have a single const input besides
 * the modulus, so r is presumably both an operand and the result (updated
 * in place) -- confirm against the implementation. */
WOLFSSL_LOCAL void fprime_add(byte *r, const byte *a, const byte *modulus);
WOLFSSL_LOCAL void fprime_sub(byte *r, const byte *a, const byte *modulus);
WOLFSSL_LOCAL void fprime_mul(byte *r, const byte *a, const byte *b,
                              const byte *modulus);
WOLFSSL_LOCAL void fprime_copy(byte *x, const byte *a);
#endif /* CURVED25519_SMALL */
#endif /* HAVE_CURVE25519 or HAVE_ED25519 */
#endif /* WOLF_CRYPT_FE_OPERATIONS_H */
    