EC2M Lopez-Dahab ladder implementation

 Changes between 1.1.0h and 1.1.1 [xx XXX xxxx]

  *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder

     step for binary curves. The new implementation is based on formulas from

     differential addition-and-doubling in mixed Lopez-Dahab projective

     coordinates, modified to independently blind the operands.

     [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]

  *) Add a scaffold to optionally enhance the Montgomery ladder implementation

     for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing

     EC_METHODs to implement their own specialized "ladder step", to take

#ifndef OPENSSL_NO_EC2M

const EC_METHOD *EC_GF2m_simple_method(void)

{

    static const EC_METHOD ret = {

        EC_FLAGS_DEFAULT_OCT,

        NID_X9_62_characteristic_two_field,

        ec_GF2m_simple_group_init,

        ec_GF2m_simple_group_finish,

        ec_GF2m_simple_group_clear_finish,

        ec_GF2m_simple_group_copy,

        ec_GF2m_simple_group_set_curve,

        ec_GF2m_simple_group_get_curve,

        ec_GF2m_simple_group_get_degree,

        ec_group_simple_order_bits,

        ec_GF2m_simple_group_check_discriminant,

        ec_GF2m_simple_point_init,

        ec_GF2m_simple_point_finish,

        ec_GF2m_simple_point_clear_finish,

        ec_GF2m_simple_point_copy,

        ec_GF2m_simple_point_set_to_infinity,

        0 /* set_Jprojective_coordinates_GFp */ ,

        0 /* get_Jprojective_coordinates_GFp */ ,

        ec_GF2m_simple_point_set_affine_coordinates,

        ec_GF2m_simple_point_get_affine_coordinates,

        0, 0, 0,

        ec_GF2m_simple_add,

        ec_GF2m_simple_dbl,

        ec_GF2m_simple_invert,

        ec_GF2m_simple_is_at_infinity,

        ec_GF2m_simple_is_on_curve,

        ec_GF2m_simple_cmp,

        ec_GF2m_simple_make_affine,

        ec_GF2m_simple_points_make_affine,

        0 /* mul */,

        0 /* precompute_mul */,

        0 /* have_precompute_mul */,

        ec_GF2m_simple_field_mul,

        ec_GF2m_simple_field_sqr,

        ec_GF2m_simple_field_div,

        0 /* field_encode */ ,

        0 /* field_decode */ ,

        0,                      /* field_set_to_one */

        ec_key_simple_priv2oct,

        ec_key_simple_oct2priv,

        0, /* set private */

        ec_key_simple_generate_key,

        ec_key_simple_check_key,

        ec_key_simple_generate_public_key,

        0, /* keycopy */

        0, /* keyfinish */

        ecdh_simple_compute_key,

        0, /* field_inverse_mod_ord */

        0, /* blind_coordinates */

        0, /* ladder_pre */

        0, /* ladder_step */

        0  /* ladder_post */

    };

    return &ret;

}

/*

 * Initialize a GF(2^m)-based EC_GROUP structure. Note that all other members

 * are handled by EC_GROUP_new.

    return BN_GF2m_mod_div(r, a, b, group->field, ctx);

}

/*-

 * Lopez-Dahab ladder, pre step.

 * See e.g. "Guide to ECC" Alg 3.40.

 * Modified to blind s and r independently.

 * s:= p, r := 2p

 */

static

int ec_GF2m_simple_ladder_pre(const EC_GROUP *group,

                              EC_POINT *r, EC_POINT *s,

                              EC_POINT *p, BN_CTX *ctx)

{

    /* if p is not affine, something is wrong */

    if (p->Z_is_one == 0)

        return 0;

    /* s blinding: make sure lambda (s->Z here) is not zero */

    do {

        if (!BN_priv_rand(s->Z, BN_num_bits(group->field) - 1,

                          BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) {

            ECerr(EC_F_EC_GF2M_SIMPLE_LADDER_PRE, ERR_R_BN_LIB);

            return 0;

        }

    } while (BN_is_zero(s->Z));

    /* if field_encode defined convert between representations */

    if ((group->meth->field_encode != NULL

         && !group->meth->field_encode(group, s->Z, s->Z, ctx))

        || !group->meth->field_mul(group, s->X, p->X, s->Z, ctx))

        return 0;

    /* r blinding: make sure lambda (r->Y here for storage) is not zero */

    do {

        if (!BN_priv_rand(r->Y, BN_num_bits(group->field) - 1,

                          BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) {

            ECerr(EC_F_EC_GF2M_SIMPLE_LADDER_PRE, ERR_R_BN_LIB);

            return 0;

        }

    } while (BN_is_zero(r->Y));

    if ((group->meth->field_encode != NULL

         && !group->meth->field_encode(group, r->Y, r->Y, ctx))

        || !group->meth->field_sqr(group, r->Z, p->X, ctx)

        || !group->meth->field_sqr(group, r->X, r->Z, ctx)

        || !BN_GF2m_add(r->X, r->X, group->b)

        || !group->meth->field_mul(group, r->Z, r->Z, r->Y, ctx)

        || !group->meth->field_mul(group, r->X, r->X, r->Y, ctx))

        return 0;

    s->Z_is_one = 0;

    r->Z_is_one = 0;

    return 1;

}

/*-

 * Ladder step: differential addition-and-doubling, mixed Lopez-Dahab coords.

 * http://www.hyperelliptic.org/EFD/g12o/auto-code/shortw/xz/ladder/mladd-2003-s.op3

 * s := r + s, r := 2r

 */

static

int ec_GF2m_simple_ladder_step(const EC_GROUP *group,

                               EC_POINT *r, EC_POINT *s,

                               EC_POINT *p, BN_CTX *ctx)

{

    if (!group->meth->field_mul(group, r->Y, r->Z, s->X, ctx)

        || !group->meth->field_mul(group, s->X, r->X, s->Z, ctx)

        || !group->meth->field_sqr(group, s->Y, r->Z, ctx)

        || !group->meth->field_sqr(group, r->Z, r->X, ctx)

        || !BN_GF2m_add(s->Z, r->Y, s->X)

        || !group->meth->field_sqr(group, s->Z, s->Z, ctx)

        || !group->meth->field_mul(group, s->X, r->Y, s->X, ctx)

        || !group->meth->field_mul(group, r->Y, s->Z, p->X, ctx)

        || !BN_GF2m_add(s->X, s->X, r->Y)

        || !group->meth->field_sqr(group, r->Y, r->Z, ctx)

        || !group->meth->field_mul(group, r->Z, r->Z, s->Y, ctx)

        || !group->meth->field_sqr(group, s->Y, s->Y, ctx)

        || !group->meth->field_mul(group, s->Y, s->Y, group->b, ctx)

        || !BN_GF2m_add(r->X, r->Y, s->Y))

        return 0;

    return 1;

}

/*-

 * Recover affine (x,y) result from Lopez-Dahab r and s, affine p.

 * See e.g. "Fast Multiplication on Elliptic Curves over GF(2**m)

 * without Precomputation" (Lopez and Dahab, CHES 1999),

 * Appendix Alg Mxy.

 */

static

int ec_GF2m_simple_ladder_post(const EC_GROUP *group,

                               EC_POINT *r, EC_POINT *s,

                               EC_POINT *p, BN_CTX *ctx)

{

    int ret = 0;

    BIGNUM *t0, *t1, *t2 = NULL;

    if (BN_is_zero(r->Z))

        return EC_POINT_set_to_infinity(group, r);

    if (BN_is_zero(s->Z)) {

        if (!EC_POINT_copy(r, p)

            || !EC_POINT_invert(group, r, ctx)) {

            ECerr(EC_F_EC_GF2M_SIMPLE_LADDER_POST, ERR_R_EC_LIB);

            return 0;

        }

        return 1;

    }

    BN_CTX_start(ctx);

    t0 = BN_CTX_get(ctx);

    t1 = BN_CTX_get(ctx);

    t2 = BN_CTX_get(ctx);

    if (t2 == NULL) {

        ECerr(EC_F_EC_GF2M_SIMPLE_LADDER_POST, ERR_R_MALLOC_FAILURE);

        goto err;

    }

    if (!group->meth->field_mul(group, t0, r->Z, s->Z, ctx)

        || !group->meth->field_mul(group, t1, p->X, r->Z, ctx)

        || !BN_GF2m_add(t1, r->X, t1)

        || !group->meth->field_mul(group, t2, p->X, s->Z, ctx)

        || !group->meth->field_mul(group, r->Z, r->X, t2, ctx)

        || !BN_GF2m_add(t2, t2, s->X)

        || !group->meth->field_mul(group, t1, t1, t2, ctx)

        || !group->meth->field_sqr(group, t2, p->X, ctx)

        || !BN_GF2m_add(t2, p->Y, t2)

        || !group->meth->field_mul(group, t2, t2, t0, ctx)

        || !BN_GF2m_add(t1, t2, t1)

        || !group->meth->field_mul(group, t2, p->X, t0, ctx)

        || !BN_GF2m_mod_inv(t2, t2, group->field, ctx)

        || !group->meth->field_mul(group, t1, t1, t2, ctx)

        || !group->meth->field_mul(group, r->X, r->Z, t2, ctx)

        || !BN_GF2m_add(t2, p->X, r->X)

        || !group->meth->field_mul(group, t2, t2, t1, ctx)

        || !BN_GF2m_add(r->Y, p->Y, t2)

        || !BN_one(r->Z))

        goto err;

    r->Z_is_one = 1;

    /* GF(2^m) field elements should always have BIGNUM::neg = 0 */

    BN_set_negative(r->X, 0);

    BN_set_negative(r->Y, 0);

    ret = 1;

 err:

    BN_CTX_end(ctx);

    return ret;

}

const EC_METHOD *EC_GF2m_simple_method(void)

{

    static const EC_METHOD ret = {

        EC_FLAGS_DEFAULT_OCT,

        NID_X9_62_characteristic_two_field,

        ec_GF2m_simple_group_init,

        ec_GF2m_simple_group_finish,

        ec_GF2m_simple_group_clear_finish,

        ec_GF2m_simple_group_copy,

        ec_GF2m_simple_group_set_curve,

        ec_GF2m_simple_group_get_curve,

        ec_GF2m_simple_group_get_degree,

        ec_group_simple_order_bits,

        ec_GF2m_simple_group_check_discriminant,

        ec_GF2m_simple_point_init,

        ec_GF2m_simple_point_finish,

        ec_GF2m_simple_point_clear_finish,

        ec_GF2m_simple_point_copy,

        ec_GF2m_simple_point_set_to_infinity,

        0, /* set_Jprojective_coordinates_GFp */

        0, /* get_Jprojective_coordinates_GFp */

        ec_GF2m_simple_point_set_affine_coordinates,

        ec_GF2m_simple_point_get_affine_coordinates,

        0, /* point_set_compressed_coordinates */

        0, /* point2oct */

        0, /* oct2point */

        ec_GF2m_simple_add,

        ec_GF2m_simple_dbl,

        ec_GF2m_simple_invert,

        ec_GF2m_simple_is_at_infinity,

        ec_GF2m_simple_is_on_curve,

        ec_GF2m_simple_cmp,

        ec_GF2m_simple_make_affine,

        ec_GF2m_simple_points_make_affine,

        0, /* mul */

        0, /* precompute_mult */

        0, /* have_precompute_mult */

        ec_GF2m_simple_field_mul,

        ec_GF2m_simple_field_sqr,

        ec_GF2m_simple_field_div,

        0, /* field_encode */

        0, /* field_decode */

        0, /* field_set_to_one */

        ec_key_simple_priv2oct,

        ec_key_simple_oct2priv,

        0, /* set private */

        ec_key_simple_generate_key,

        ec_key_simple_check_key,

        ec_key_simple_generate_public_key,

        0, /* keycopy */

        0, /* keyfinish */

        ecdh_simple_compute_key,

        0, /* field_inverse_mod_ord */

        0, /* blind_coordinates */

        ec_GF2m_simple_ladder_pre,

        ec_GF2m_simple_ladder_step,

        ec_GF2m_simple_ladder_post

    };

    return &ret;

}

#endif

     "ec_GF2m_simple_group_check_discriminant"},

    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE, 0),

     "ec_GF2m_simple_group_set_curve"},

    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_LADDER_POST, 0),

     "ec_GF2m_simple_ladder_post"},

    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_LADDER_PRE, 0),

     "ec_GF2m_simple_ladder_pre"},

    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_OCT2POINT, 0),

     "ec_GF2m_simple_oct2point"},

    {ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_POINT2OCT, 0),

EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT:159:\

	ec_GF2m_simple_group_check_discriminant

EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE:195:ec_GF2m_simple_group_set_curve

EC_F_EC_GF2M_SIMPLE_LADDER_POST:285:ec_GF2m_simple_ladder_post

EC_F_EC_GF2M_SIMPLE_LADDER_PRE:288:ec_GF2m_simple_ladder_pre

EC_F_EC_GF2M_SIMPLE_OCT2POINT:160:ec_GF2m_simple_oct2point

EC_F_EC_GF2M_SIMPLE_POINT2OCT:161:ec_GF2m_simple_point2oct

EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES:162:\

#  define EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY           208

#  define EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT     159

#  define EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE              195

#  define EC_F_EC_GF2M_SIMPLE_LADDER_POST                  285

#  define EC_F_EC_GF2M_SIMPLE_LADDER_PRE                   288

#  define EC_F_EC_GF2M_SIMPLE_OCT2POINT                    160

#  define EC_F_EC_GF2M_SIMPLE_POINT2OCT                    161

#  define EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES 162