[PATCH 1/2] Change ecc_mod_*mul_1 to be per-module callbacks
From: Dmitry Baryshkov GOST curves will require different "fixups" for fast (mul X mod p) operations. Move these operations to ecc_modulo structure and call them via function pointer. Signed-off-by: Dmitry Baryshkov --- ecc-add-jja.c | 8 ecc-add-jjj.c | 8 ecc-curve25519.c | 6 ++ ecc-curve448.c| 6 ++ ecc-dup-jj.c | 8 ecc-gost-gc256b.c | 6 ++ ecc-gost-gc512a.c | 6 ++ ecc-internal.h| 25 - ecc-mod-arith.c | 12 ++-- ecc-mul-m.c | 6 +++--- ecc-secp192r1.c | 6 ++ ecc-secp224r1.c | 6 ++ ecc-secp256r1.c | 6 ++ ecc-secp384r1.c | 6 ++ ecc-secp521r1.c | 6 ++ 15 files changed, 91 insertions(+), 30 deletions(-) diff --git a/ecc-add-jja.c b/ecc-add-jja.c index 037711d38249..55ad954587da 100644 --- a/ecc-add-jja.c +++ b/ecc-add-jja.c @@ -102,10 +102,10 @@ ecc_add_jja (const struct ecc_curve *ecc, /* w */ ecc_mod_mul (&ecc->p, j, y2, w); ecc_mod_sub (&ecc->p, w, j, y1); - ecc_mod_mul_1 (&ecc->p, w, w, 2); + ecc->p.mul_1 (&ecc->p, w, w, 2); /* i replaces hh, j */ - ecc_mod_mul_1 (&ecc->p, hh, hh, 4); + ecc->p.mul_1 (&ecc->p, hh, hh, 4); ecc_mod_mul (&ecc->p, j, hh, h); /* v */ @@ -114,12 +114,12 @@ ecc_add_jja (const struct ecc_curve *ecc, /* x_3, use (h, hh) as sqratch */ ecc_mod_sqr (&ecc->p, h, w); ecc_mod_sub (&ecc->p, r, h, j); - ecc_mod_submul_1 (&ecc->p, r, v, 2); + ecc->p.submul_1 (&ecc->p, r, v, 2); /* y_3, use (h, hh) as sqratch */ ecc_mod_mul (&ecc->p, h, y1, j); /* frees j */ ecc_mod_sub (&ecc->p, r + ecc->p.size, v, r); ecc_mod_mul (&ecc->p, j, r + ecc->p.size, w); - ecc_mod_submul_1 (&ecc->p, j, h, 2); + ecc->p.submul_1 (&ecc->p, j, h, 2); mpn_copyi (r + ecc->p.size, j, ecc->p.size); } diff --git a/ecc-add-jjj.c b/ecc-add-jjj.c index 54b2246aeb24..cad26193234a 100644 --- a/ecc-add-jjj.c +++ b/ecc-add-jjj.c 
@@ -94,14 +94,14 @@ ecc_add_jjj (const struct ecc_curve *ecc, ecc_mod_mul (&ecc->p, s1, p + ecc->p.size, v); ecc_mod_mul (&ecc->p, v, j, q + ecc->p.size); ecc_mod_sub (&ecc->p, s2, v, s1); - ecc_mod_mul_1 (&ecc->p, s2, s2, 2); + ecc->p.mul_1 (&ecc->p, s2, s2, 2); /* Store z3 */ mpn_copyi (r + 2*ecc->p.size, i, ecc->p.size); /* i, j, v */ ecc_mod_sqr (&ecc->p, i, u2); - ecc_mod_mul_1 (&ecc->p, i, i, 4); + ecc->p.mul_1 (&ecc->p, i, i, 4); ecc_mod_mul (&ecc->p, j, u2, i); ecc_mod_mul (&ecc->p, v, u1, i); @@ -109,12 +109,12 @@ ecc_add_jjj (const struct ecc_curve *ecc, /* x3, use u1, u2 as scratch */ ecc_mod_sqr (&ecc->p, u1, s2); ecc_mod_sub (&ecc->p, r, u1, j); - ecc_mod_submul_1 (&ecc->p, r, v, 2); + ecc->p.submul_1 (&ecc->p, r, v, 2); /* y3 */ ecc_mod_mul (&ecc->p, u1, s1, j); /* Frees j */ ecc_mod_sub (&ecc->p, u2, v, r); /* Frees v */ ecc_mod_mul (&ecc->p, i, s2, u2); - ecc_mod_submul_1 (&ecc->p, i, u1, 2); + ecc->p.submul_1 (&ecc->p, i, u1, 2); mpn_copyi (r + ecc->p.size, i, ecc->p.size); } diff --git a/ecc-curve25519.c b/ecc-curve25519.c index f8f2c64af868..04df696f7357 100644 --- a/ecc-curve25519.c +++ b/ecc-curve25519.c @@ -310,6 +310,9 @@ const struct ecc_curve _nettle_curve25519 = ecc_curve25519_modp, ecc_curve25519_inv, ecc_curve25519_sqrt, + +ecc_mod_mul_1_std, +ecc_mod_submul_1_std, }, { 253, @@ -329,6 +332,9 @@ const struct ecc_curve _nettle_curve25519 = ecc_curve25519_modq, ecc_mod_inv, NULL, + +NULL, +NULL, }, 0, /* No redc */ diff --git a/ecc-curve448.c b/ecc-curve448.c index 484b7d1e0870..ce7a25d14c4e 100644 --- a/ecc-curve448.c +++ b/ecc-curve448.c @@ -288,6 +288,9 @@ const struct ecc_curve _nettle_curve448 = ecc_curve448_modp, ecc_curve448_inv, ecc_curve448_sqrt, + +ecc_mod_mul_1_std, +ecc_mod_submul_1_std, }, { 446, @@ -307,6 +310,9 @@ const struct ecc_curve _nettle_curve448 = ecc_mod, /* FIXME: Implement optimized reduce function */ ecc_mod_inv, NULL, + +NULL, +NULL, }, 0, /* No redc */ 
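Review bot: The q modulus in ecc-curve25519.c (hunk `@@ -329,6 +332,9 @@`) and in ecc-curve448.c (hunk `@@ -307,6 +310,9 @@`) is initialised with `NULL` for both new slots, so any later call through `ecc->q.mul_1` or `ecc->q.submul_1` is a null function-pointer call that the compiler cannot catch, whereas the p modulus gets `ecc_mod_mul_1_std`/`ecc_mod_submul_1_std`. None of the visible hunks dereference the q slots, so this is presumably deliberate, but the bare `NULL, NULL` initializers hide that assumption; annotating them as `NULL, /* mul_1: unused for q */` and `NULL, /* submul_1: unused for q */` (or installing the _std callbacks for q as well) would make it explicit. The ecc-internal.h hunk that introduces the two fields is in the diffstat but not in this excerpt, so the positional initializer order can only be checked against the p entries here.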
diff --git a/ecc-dup-jj.c b/ecc-dup-jj.c index 2247e8fdfd5a..4bbd5163c0e3 100644 --- a/ecc-dup-jj.c +++ b/ecc-dup-jj.c @@ -87,7 +87,7 @@ ecc_dup_jj (const struct ecc_curve *ecc, ecc_mod_add (&ecc->p, sum, xp, delta); ecc_mod_sub (&ecc->p, delta, xp, delta); ecc_mod_mul (&ecc->p, beta, sum, delta); - ecc_mod_mul_1 (&ecc->p, alpha, beta, 3); + ecc->p.mul_1 (&ecc->p, alpha, beta, 3); /* beta */ ecc_mod_mul (&ecc->p, beta, xp, gamma); @@ -95,16 +95,16 @@ ecc_dup_jj (const struct ecc_curve *ecc, /* Do gamma^2 and 4*beta early, to get them out of the way. We can then use the old area at gamma as scratch. */ ecc_mod_sqr (&ecc->p, g2, gamma); - ecc_mod_mul_1 (&ecc->p, sum, beta, 4); + ecc->p.mul_1 (&ecc->p, sum, beta, 4); /* x' */ ecc_mod_sqr (&ecc->p, gamma, alpha); /* Overwrites gamma and beta */ - ecc_mod_submul_1 (&ecc->p, gamma, sum, 2)
[PATCH 2/2] Add support for GOST GC256C curve
From: Dmitry Baryshkov Add support for GC256C curve ("TLS Supported Groups" registry, draft-smyshlyaev-tls12-gost-suites) also known as GostR3410-2001-CryptoPro-B (RFC 4357). Signed-off-by: Dmitry Baryshkov --- .gitignore | 1 + Makefile.in | 10 +- ecc-curve.h | 1 + ecc-gost-gc256c.c | 174 ecc-internal.h | 1 + eccdata.c | 32 ++ examples/ecc-benchmark.c| 1 + nettle.texinfo | 8 ++ testsuite/gostdsa-sign-test.c | 11 ++ testsuite/gostdsa-verify-test.c | 11 ++ testsuite/testutils.c | 14 ++- 11 files changed, 260 insertions(+), 4 deletions(-) create mode 100644 ecc-gost-gc256c.c diff --git a/.gitignore b/.gitignore index 48e2b7f464da..a94d279e5d18 100644 --- a/.gitignore +++ b/.gitignore @@ -46,6 +46,7 @@ core /ecc-curve25519.h /ecc-curve448.h /ecc-gost-gc256b.h +/ecc-gost-gc256c.h /ecc-gost-gc512a.h /ecc-secp192r1.h /ecc-secp224r1.h diff --git a/Makefile.in b/Makefile.in index d4fcb81302a2..7330ab893131 100644 --- a/Makefile.in +++ b/Makefile.in @@ -180,7 +180,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-mod.c ecc-mod-inv.c \ ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ ecc-curve25519.c ecc-curve448.c \ - ecc-gost-gc256b.c ecc-gost-gc512a.c \ + ecc-gost-gc256b.c ecc-gost-gc256c.c \ + ecc-gost-gc512a.c \ ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \ ecc-secp384r1.c ecc-secp521r1.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ @@ -391,6 +392,9 @@ ecc-curve448.h: eccdata.stamp ecc-gost-gc256b.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) gost_gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@ +ecc-gost-gc256c.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) gost_gc256c 11 6 $(NUMB_BITS) > $@T && mv $@T $@ + # Some reasonable choices for 512: # k = 22, c = 6, S = 256, T = 110 ( 88 A + 22 D) 32 KB # k = 29, c = 6, S = 192, T = 116 ( 87 A + 29 D) 24 KB 
@@ -407,6 +411,7 @@ eccdata.stamp: eccdata.c
 ecc-curve25519.$(OBJEXT): ecc-curve25519.h
 ecc-curve448.$(OBJEXT): ecc-curve448.h
 ecc-gost-gc256b.$(OBJEXT): ecc-gost-gc256b.h
+ecc-gost-gc256c.$(OBJEXT): ecc-gost-gc256c.h
 ecc-gost-gc512a.$(OBJEXT): ecc-gost-gc512a.h
 ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h
 ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h
@@ -661,7 +666,8 @@ distcheck: dist
 clean-here:
 -rm -f $(TARGETS) *.$(OBJEXT) *.$(OBJEXT).d *.s *.so *.dll *.a \
 ecc-curve25519.h ecc-curve448.h \
- ecc-gost-gc256b.h ecc-gost-gc512a.h \
+ ecc-gost-gc256b.h ecc-gost-gc256c.h \
+ ecc-gost-gc512a.h \
 ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \
 ecc-secp384r1.h ecc-secp521r1.h \
 aesdata$(EXEEXT_FOR_BUILD) \
diff --git a/ecc-curve.h b/ecc-curve.h
index 8f050404a944..30a33d43782b 100644
--- a/ecc-curve.h
+++ b/ecc-curve.h
@@ -44,6 +44,7 @@ extern "C" {
 struct ecc_curve;
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256b(void);
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256c(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc512a(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void);
 const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void);
diff --git a/ecc-gost-gc256c.c b/ecc-gost-gc256c.c
new file mode 100644
index ..258cf75a26bc
--- /dev/null
+++ b/ecc-gost-gc256c.c
@@ -0,0 +1,174 @@
+/* ecc-gost-gc256c.c
+
+ Compile time constant (but machine dependent) tables.
+
+ Copyright (C) 2016, 2019 Dmitry Eremin-Solenikov
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+
+#include "ecc.h"
+#include "ecc-internal.h"
+
+#define USE_REDC 0
+
+#include
[PATCH] Implement GOST VKO key derivation algorithm
From: Dmitry Eremin-Solenikov Signed-off-by: Dmitry Eremin-Solenikov --- Makefile.in | 2 +- gostdsa-vko.c| 77 ++ gostdsa.h| 7 +++ testsuite/.gitignore | 1 + testsuite/.test-rules.make | 3 ++ testsuite/Makefile.in| 2 +- testsuite/gostdsa-vko-test.c | 92 7 files changed, 182 insertions(+), 2 deletions(-) create mode 100644 gostdsa-vko.c create mode 100644 testsuite/gostdsa-vko-test.c
diff --git a/Makefile.in b/Makefile.in
index d4fcb81302a2..8f031d7a580d 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -194,7 +194,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
 ecc-ecdsa-sign.c ecdsa-sign.c \
 ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \
 ecc-gostdsa-sign.c gostdsa-sign.c \
- ecc-gostdsa-verify.c gostdsa-verify.c \
+ ecc-gostdsa-verify.c gostdsa-verify.c gostdsa-vko.c \
 curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \
 curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \
 eddsa-compress.c eddsa-decompress.c eddsa-expand.c \
diff --git a/gostdsa-vko.c b/gostdsa-vko.c
new file mode 100644
index ..f78159a736b3
--- /dev/null
+++ b/gostdsa-vko.c
@@ -0,0 +1,77 @@
+/* gostdsa-vko.c
+
+ Copyright (C) 2016 Dmitry Eremin-Solenikov
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+#include
+
+#include "ecc-internal.h"
+#include "gostdsa.h"
+
+int
+gostdsa_vko(const struct ecc_scalar *key,
+ const struct ecc_point *pub,
+ size_t ukm_length, const uint8_t *ukm,
+ size_t out_length, uint8_t *out)
+{
+ const struct ecc_curve *ecc = key->ecc;
+ unsigned bsize = (ecc_bit_size(ecc) + 7) / 8;
+ mp_size_t size = ecc->p.size;
+ mp_size_t itch = 4*size + ecc->mul_itch;
+ mp_limb_t *scratch;
+
+ if (itch < 5*size + ecc->h_to_a_itch)
+ itch = 5*size + ecc->h_to_a_itch;
+
+ if (pub->ecc != ecc)
+ return 0;
+
+ if (out_length < 2 * bsize) {
+ return 0;
+ }
+
+ scratch = gmp_alloc_limbs (itch);
+
+ mpn_set_base256_le (scratch, size, ukm, ukm_length);
+ if (mpn_zero_p (scratch, size))
+mpn_add_1 (scratch, scratch, size, 1);
+ ecc_mod_mul (&ecc->q, scratch + 3*size, key->p, scratch);
+ ecc->mul (ecc, scratch, scratch + 3*size, pub->p, scratch + 4*size);
+ ecc->h_to_a (ecc, 0, scratch + 3*size, scratch, scratch + 5*size);
+ mpn_get_base256_le (out, bsize, scratch + 3*size, size);
+ mpn_get_base256_le (out+bsize, bsize, scratch + 4*size, size);
+ gmp_free_limbs (scratch, itch);
+
+ return 2 * bsize;
+}
diff --git a/gostdsa.h b/gostdsa.h
index c92dfd1e1dd6..6667d0f1d3a8 100644
--- a/gostdsa.h
+++ b/gostdsa.h
@@ -44,6 +44,7 @@ extern "C" {
 /* Name mangling */
 #define gostdsa_sign nettle_gostdsa_sign
 #define gostdsa_verify nettle_gostdsa_verify
+#define gostdsa_vko nettle_gostdsa_vko
 #define ecc_gostdsa_sign nettle_ecc_gostdsa_sign
 #define ecc_gostdsa_sign_itch nettle_ecc_gostdsa_sign_itch
 #define ecc_gostdsa_verify nettle_ecc_gostdsa_verify
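Review bot: `ukm_length` is never validated in gostdsa_vko, although `pub->ecc` and `out_length` are checked and rejected with a 0 return just above it; `mpn_set_base256_le (scratch, size, ukm, ukm_length)` is handed whatever length the caller supplies for a `size`-limb destination, so a ukm longer than the field is presumably truncated silently (depending on how that helper treats bytes beyond `rn` limbs) and the derived key no longer depends on the whole ukm. Adding `if (ukm_length > bsize) return 0;` beside the `out_length` check keeps the argument validation in one place and gives the caller the same failure signal as the other bad-argument cases. The zero-ukm fixup (`mpn_add_1` turning 0 into 1) and the scalar produced by `ecc_mod_mul (&ecc->q, ...)` being fed straight to `ecc->mul` each deserve a one-line comment saying why that is acceptable, since nothing here states whether the result needs to be canonically reduced before the point multiplication. The whole function body is inside this hunk.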
@@ -68,6 +69,12 @@ gostdsa_verify (const struct ecc_point *pub,
 size_t length, const uint8_t *digest,
 const struct dsa_signature *signature);
+int
+gostdsa_vko(const struct ecc_scalar *key,
+ const struct ecc_point *pub,
+ size_t ukm_length, const uint8_t *ukm,
+ size_t out_length, uint8_t *out);
+
 /* Low-level GOSTDSA functions. */
 mp_size_t
 ecc_gostdsa_sign_itch (const struct ecc_curve *ecc);
diff --git a/testsuite/.gitignore b/testsuite/.gitignore
index b8b36c2accc2..a2b3d52312cd 100644
--- a/testsuite/.gitignore
+++ b/testsuite/.gitignore
@@ -46,6 +46,7 @@
 /gostdsa-keygen-test
 /gostdsa-sign-test
 /gostdsa-verify-test
+/gostdsa-vko-test
 /gosthash94-test
 /hkdf-test
 /hmac-test
diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make
index 922a2c7f135
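Review bot: The new `gostdsa_vko` prototype in the `@@ -68,6 +69,12 @@` hunk of gostdsa.h carries no comment, although it becomes public API through the name-mangling define added in the earlier hunk, and the declaration alone does not say what `ukm` is, what `out` receives, or how failure is reported. A short comment above the `int` line should state that `ukm` is read as a little-endian integer, that `out` must hold at least twice the curve's byte size and receives the two coordinates of the derived point (presumably affine x and y, going by the `h_to_a` call in gostdsa-vko.c), and that the return value is the number of bytes written or 0 when the key and public point belong to different curves or `out_length` is too small. Those facts follow from the gostdsa-vko.c body in this series; if the derivation follows a published GOST specification, the comment should cite it as well.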
Re: [PATCH] ecc: remove ecc_modp_foo/ecc_modq_foo macros
dbarysh...@gmail.com writes: > From: Dmitry Baryshkov > > To make ecc functions usage more obvious remove ecc_modp_foo() and > ecc_modq_foo() wrapper macros. Thanks, applied. Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance. ___ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs