API tools faq
paste
Advertisement
FlyFar

libs/TinyECDH/ecdh.cpp

FlyFar
Mar 24th, 2024
683
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ 24.79 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. /*
  2.  
  3.   Crypto using elliptic curves defined over the finite binary field GF(2^m) where m is prime.
  4.  
  5.   The curves used are the anomalous binary curves (ABC-curves) or also called Koblitz curves.
  6.  
  7.   This class of curves was chosen because it yields efficient implementation of operations.
  8.  
  9.  
  10.  
  11.   Curves available - their different NIST/SECG names and eqivalent symmetric security level:
  12.  
  13.       NIST      SEC Group     strength
  14.     ------------------------------------
  15.       K-163     sect163k1      80 bit
  16.       B-163     sect163r2      80 bit
  17.       K-233     sect233k1     112 bit
  18.       B-233     sect233r1     112 bit
  19.       K-283     sect283k1     128 bit
  20.       B-283     sect283r1     128 bit
  21.       K-409     sect409k1     192 bit
  22.       B-409     sect409r1     192 bit
  23.       K-571     sect571k1     256 bit
  24.       B-571     sect571r1     256 bit
  25.  
  26.  
  27.  
  28.   Curve parameters from:
  29.  
  30.     http://www.secg.org/sec2-v2.pdf
  31.     http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
  32.  
  33.  
  34.   Reference:
  35.  
  36.     https://www.ietf.org/rfc/rfc4492.txt
  37. */
  38.  
  39. #include <stdint.h>
  40. #include "ecdh.h"
  41.  
  42.  
  43. /* margin for overhead needed in intermediate calculations */
  44. #define BITVEC_MARGIN     3
  45. #define BITVEC_NBITS      (CURVE_DEGREE + BITVEC_MARGIN)
  46. #define BITVEC_NWORDS     ((BITVEC_NBITS + 31) / 32)
  47. #define BITVEC_NBYTES     (sizeof(uint32_t) * BITVEC_NWORDS)
  48.  
  49.  
  50. /* Disable assertions? */
  51. #ifndef DISABLE_ASSERT
  52.  #define DISABLE_ASSERT 0
  53. #endif
  54.  
  55. #if defined(DISABLE_ASSERT) && (DISABLE_ASSERT == 1)
  56.  #define assert(...)
  57. #else
  58.  #include <assert.h>
  59. #endif
  60.  
  61. /* Default to a (somewhat) constant-time mode?
  62.    NOTE: The library is _not_ capable of operating in constant-time and leaks information via timing.
  63.          Even if all operations are written const-time-style, it requires the hardware is able to multiply in constant time.
  64.          Multiplication on ARM Cortex-M processors takes a variable number of cycles depending on the operands...
  65. */
  66. #ifndef CONST_TIME
  67.   #define CONST_TIME 0
  68. #endif
  69.  
  70. /* Default to using ECC_CDH (cofactor multiplication-variation) ? */
  71. #ifndef ECDH_COFACTOR_VARIANT
  72.   #define ECDH_COFACTOR_VARIANT 0
  73. #endif
  74.  
  75. /******************************************************************************/
  76.  
  77.  
  78. /* the following type will represent bit vectors of length (CURVE_DEGREE+MARGIN) */
  79. typedef uint32_t bitvec_t[BITVEC_NWORDS];
  80. typedef bitvec_t gf2elem_t;           /* this type will represent field elements */
  81. typedef bitvec_t scalar_t;
  82.  
  83.  
  84. /******************************************************************************/
  85.  
  86. /* Here the curve parameters are defined. */
  87.  
  88. #if defined (ECC_CURVE) && (ECC_CURVE != 0)
  89.  #if (ECC_CURVE == NIST_K163)
  90.   #define coeff_a  1
  91.   #define cofactor 2
  92. /* NIST K-163 */
  93. const gf2elem_t polynomial = { 0x000000c9, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000008 };
  94. const gf2elem_t coeff_b    = { 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000 };
  95. const gf2elem_t base_x     = { 0x5c94eee8, 0xde4e6d5e, 0xaa07d793, 0x7bbc11ac, 0xfe13c053, 0x00000002 };
  96. const gf2elem_t base_y     = { 0xccdaa3d9, 0x0536d538, 0x321f2e80, 0x5d38ff58, 0x89070fb0, 0x00000002 };
  97. const scalar_t  base_order = { 0x99f8a5ef, 0xa2e0cc0d, 0x00020108, 0x00000000, 0x00000000, 0x00000004 };
  98.  #endif
  99.  
  100.  #if (ECC_CURVE == NIST_B163)
  101.   #define coeff_a  1
  102.   #define cofactor 2
  103. /* NIST B-163 */
  104. const gf2elem_t polynomial = { 0x000000c9, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000008 };
  105. const gf2elem_t coeff_b    = { 0x4a3205fd, 0x512f7874, 0x1481eb10, 0xb8c953ca, 0x0a601907, 0x00000002 };
  106. const gf2elem_t base_x     = { 0xe8343e36, 0xd4994637, 0xa0991168, 0x86a2d57e, 0xf0eba162, 0x00000003 };
  107. const gf2elem_t base_y     = { 0x797324f1, 0xb11c5c0c, 0xa2cdd545, 0x71a0094f, 0xd51fbc6c, 0x00000000 };
  108. const scalar_t  base_order = { 0xa4234c33, 0x77e70c12, 0x000292fe, 0x00000000, 0x00000000, 0x00000004 };
  109.  #endif
  110.  
  111.  #if (ECC_CURVE == NIST_K233)
  112.   #define coeff_a  0
  113.   #define cofactor 4
  114. /* NIST K-233 */
  115. const gf2elem_t polynomial = { 0x00000001, 0x00000000, 0x00000400, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000200 };
  116. const gf2elem_t coeff_b    = { 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000 };
  117. const gf2elem_t base_x     = { 0xefad6126, 0x0a4c9d6e, 0x19c26bf5, 0x149563a4, 0x29f22ff4, 0x7e731af1, 0x32ba853a, 0x00000172 };
  118. const gf2elem_t base_y     = { 0x56fae6a3, 0x56e0c110, 0xf18aeb9b, 0x27a8cd9b, 0x555a67c4, 0x19b7f70f, 0x537dece8, 0x000001db };
  119. const scalar_t  base_order = { 0xf173abdf, 0x6efb1ad5, 0xb915bcd4, 0x00069d5b, 0x00000000, 0x00000000, 0x00000000, 0x00000080 };
  120.  #endif
  121.  
  122.  #if (ECC_CURVE == NIST_B233)
  123.   #define coeff_a  1
  124.   #define cofactor 2
  125. /* NIST B-233 */
  126. const gf2elem_t polynomial = { 0x00000001, 0x00000000, 0x00000400, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000200 };
  127. const gf2elem_t coeff_b    = { 0x7d8f90ad, 0x81fe115f, 0x20e9ce42, 0x213b333b, 0x0923bb58, 0x332c7f8c, 0x647ede6c, 0x00000066 };
  128. const gf2elem_t base_x     = { 0x71fd558b, 0xf8f8eb73, 0x391f8b36, 0x5fef65bc, 0x39f1bb75, 0x8313bb21, 0xc9dfcbac, 0x000000fa };
  129. const gf2elem_t base_y     = { 0x01f81052, 0x36716f7e, 0xf867a7ca, 0xbf8a0bef, 0xe58528be, 0x03350678, 0x6a08a419, 0x00000100 };
  130. const scalar_t  base_order = { 0x03cfe0d7, 0x22031d26, 0xe72f8a69, 0x0013e974, 0x00000000, 0x00000000, 0x00000000, 0x00000100 };
  131.  #endif
  132.  
  133.  #if (ECC_CURVE == NIST_K283)
  134.   #define coeff_a  0
  135.   #define cofactor 4
  136. /* NIST K-283 */
  137. const gf2elem_t polynomial = { 0x000010a1, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x08000000 };
  138. const gf2elem_t coeff_b    = { 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000 };
  139. const gf2elem_t base_x     = { 0x58492836, 0xb0c2ac24, 0x16876913, 0x23c1567a, 0x53cd265f, 0x62f188e5, 0x3f1a3b81, 0x78ca4488, 0x0503213f };
  140. const gf2elem_t base_y     = { 0x77dd2259, 0x4e341161, 0xe4596236, 0xe8184698, 0xe87e45c0, 0x07e5426f, 0x8d90f95d, 0x0f1c9e31, 0x01ccda38 };
  141. const scalar_t  base_order = { 0x1e163c61, 0x94451e06, 0x265dff7f, 0x2ed07577, 0xffffe9ae, 0xffffffff, 0xffffffff, 0xffffffff, 0x01ffffff };
  142.  #endif
  143.  
  144.  #if (ECC_CURVE == NIST_B283)
  145.   #define coeff_a  1
  146.   #define cofactor 2
  147. /* NIST B-283 */
  148. const gf2elem_t polynomial = { 0x000010a1, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x08000000 };
  149. const gf2elem_t coeff_b    = { 0x3b79a2f5, 0xf6263e31, 0xa581485a, 0x45309fa2, 0xca97fd76, 0x19a0303f, 0xa5a4af8a, 0xc8b8596d, 0x027b680a };
  150. const gf2elem_t base_x     = { 0x86b12053, 0xf8cdbecd, 0x80e2e198, 0x557eac9c, 0x2eed25b8, 0x70b0dfec, 0xe1934f8c, 0x8db7dd90, 0x05f93925 };
  151. const gf2elem_t base_y     = { 0xbe8112f4, 0x13f0df45, 0x826779c8, 0x350eddb0, 0x516ff702, 0xb20d02b4, 0xb98fe6d4, 0xfe24141c, 0x03676854 };
  152. const scalar_t  base_order = { 0xefadb307, 0x5b042a7c, 0x938a9016, 0x399660fc, 0xffffef90, 0xffffffff, 0xffffffff, 0xffffffff, 0x03ffffff };
  153.  #endif
  154.  
  155.  #if (ECC_CURVE == NIST_K409)
  156.   #define coeff_a  0
  157.   #define cofactor 4
  158. /* NIST K-409 */
  159. const gf2elem_t polynomial = { 0x00000001, 0x00000000, 0x00800000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x02000000 };
  160. const gf2elem_t coeff_b    = { 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000 };
  161. const gf2elem_t base_x     = { 0xe9023746, 0xb35540cf, 0xee222eb1, 0xb5aaaa62, 0xc460189e, 0xf9f67cc2, 0x27accfb8, 0xe307c84c, 0x0efd0987, 0x0f718421, 0xad3ab189, 0x658f49c1, 0x0060f05f };
  162. const gf2elem_t base_y     = { 0xd8e0286b, 0x5863ec48, 0xaa9ca27a, 0xe9c55215, 0xda5f6c42, 0xe9ea10e3, 0xe6325165, 0x918ea427, 0x3460782f, 0xbf04299c, 0xacba1dac, 0x0b7c4e42, 0x01e36905 };
  163. const scalar_t  base_order = { 0xe01e5fcf, 0x4b5c83b8, 0xe3e7ca5b, 0x557d5ed3, 0x20400ec4, 0x83b2d4ea, 0xfffffe5f, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x007fffff };
  164.  #endif
  165.  
  166.  #if (ECC_CURVE == NIST_B409)
  167.   #define coeff_a  1
  168.   #define cofactor 2
  169. /* NIST B-409 */
  170. const gf2elem_t polynomial = { 0x00000001, 0x00000000, 0x00800000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x02000000 };
  171. const gf2elem_t coeff_b    = { 0x7b13545f, 0x4f50ae31, 0xd57a55aa, 0x72822f6c, 0xa9a197b2, 0xd6ac27c8, 0x4761fa99, 0xf1f3dd67, 0x7fd6422e, 0x3b7b476b, 0x5c4b9a75, 0xc8ee9feb, 0x0021a5c2 };
  172. const gf2elem_t base_x     = { 0xbb7996a7, 0x60794e54, 0x5603aeab, 0x8a118051, 0xdc255a86, 0x34e59703, 0xb01ffe5b, 0xf1771d4d, 0x441cde4a, 0x64756260, 0x496b0c60, 0xd088ddb3, 0x015d4860 };
  173. const gf2elem_t base_y     = { 0x0273c706, 0x81c364ba, 0xd2181b36, 0xdf4b4f40, 0x38514f1f, 0x5488d08f, 0x0158aa4f, 0xa7bd198d, 0x7636b9c5, 0x24ed106a, 0x2bbfa783, 0xab6be5f3, 0x0061b1cf };
  174. const scalar_t  base_order = { 0xd9a21173, 0x8164cd37, 0x9e052f83, 0x5fa47c3c, 0xf33307be, 0xaad6a612, 0x000001e2, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x01000000 };
  175.  #endif
  176.  
  177.  #if (ECC_CURVE == NIST_K571)
  178.   #define coeff_a  0
  179.   #define cofactor 4
  180. /* NIST K-571 */
  181. const gf2elem_t polynomial = { 0x00000425, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x08000000 };
  182. const gf2elem_t coeff_b    = { 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000 };
  183. const gf2elem_t base_x     = { 0xa01c8972, 0xe2945283, 0x4dca88c7, 0x988b4717, 0x494776fb, 0xbbd1ba39, 0xb4ceb08c, 0x47da304d, 0x93b205e6, 0x43709584, 0x01841ca4, 0x60248048, 0x0012d5d4, 0xac9ca297, 0xf8103fe4, 0x82189631, 0x59923fbc, 0x026eb7a8 };
  184. const gf2elem_t base_y     = { 0x3ef1c7a3, 0x01cd4c14, 0x591984f6, 0x320430c8, 0x7ba7af1b, 0xb620b01a, 0xf772aedc, 0x4fbebbb9, 0xac44aea7, 0x9d4979c0, 0x006d8a2c, 0xffc61efc, 0x9f307a54, 0x4dd58cec, 0x3bca9531, 0x4f4aeade, 0x7f4fbf37, 0x0349dc80 };
  185. const scalar_t  base_order = { 0x637c1001, 0x5cfe778f, 0x1e91deb4, 0xe5d63938, 0xb630d84b, 0x917f4138, 0xb391a8db, 0xf19a63e4, 0x131850e1, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x02000000 };
  186.  #endif
  187.  
  188.  #if (ECC_CURVE == NIST_B571)
  189.   #define coeff_a  1
  190.   #define cofactor 2
  191. /* NIST B-571 */
  192. const gf2elem_t polynomial = { 0x00000425, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x08000000 };
  193. const gf2elem_t coeff_b    = { 0x2955727a, 0x7ffeff7f, 0x39baca0c, 0x520e4de7, 0x78ff12aa, 0x4afd185a, 0x56a66e29, 0x2be7ad67, 0x8efa5933, 0x84ffabbd, 0x4a9a18ad, 0xcd6ba8ce, 0xcb8ceff1, 0x5c6a97ff, 0xb7f3d62f, 0xde297117, 0x2221f295, 0x02f40e7e };
  194. const gf2elem_t base_x     = { 0x8eec2d19, 0xe1e7769c, 0xc850d927, 0x4abfa3b4, 0x8614f139, 0x99ae6003, 0x5b67fb14, 0xcdd711a3, 0xf4c0d293, 0xbde53950, 0xdb7b2abd, 0xa5f40fc8, 0x955fa80a, 0x0a93d1d2, 0x0d3cd775, 0x6c16c0d4, 0x34b85629, 0x0303001d };
  195. const gf2elem_t base_y     = { 0x1b8ac15b, 0x1a4827af, 0x6e23dd3c, 0x16e2f151, 0x0485c19b, 0xb3531d2f, 0x461bb2a8, 0x6291af8f, 0xbab08a57, 0x84423e43, 0x3921e8a6, 0x1980f853, 0x009cbbca, 0x8c6c27a6, 0xb73d69d7, 0x6dccfffe, 0x42da639b, 0x037bf273 };
  196. const scalar_t  base_order = { 0x2fe84e47, 0x8382e9bb, 0x5174d66e, 0x161de93d, 0xc7dd9ca1, 0x6823851e, 0x08059b18, 0xff559873, 0xe661ce18, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x03ffffff };
  197.  #endif
  198. #endif
  199.  
  200.  
  201.  
  202. /*************************************************************************************************/
  203.  
  204. /* Private / static functions: */
  205.  
  206.  
  207. /* some basic bit-manipulation routines that act on bit-vectors follow */
  208. static int bitvec_get_bit(const bitvec_t x, const uint32_t idx)
  209. {
  210.   return ((x[idx / 32U] >> (idx & 31U) & 1U));
  211. }
  212.  
  213. static void bitvec_clr_bit(bitvec_t x, const uint32_t idx)
  214. {
  215.   x[idx / 32U] &= ~(1U << (idx & 31U));
  216. }
  217.  
  218. static void bitvec_copy(bitvec_t x, const bitvec_t y)
  219. {
  220.   int i;
  221.   for (i = 0; i < BITVEC_NWORDS; ++i)
  222.   {
  223.     x[i] = y[i];
  224.   }
  225. }
  226.  
  227. static void bitvec_swap(bitvec_t x, bitvec_t y)
  228. {
  229.   bitvec_t tmp;
  230.   bitvec_copy(tmp, x);
  231.   bitvec_copy(x, y);
  232.   bitvec_copy(y, tmp);
  233. }
  234.  
  235. #if defined(CONST_TIME) && (CONST_TIME == 0)
  236. /* fast version of equality test */
  237. static int bitvec_equal(const bitvec_t x, const bitvec_t y)
  238. {
  239.   int i;
  240.   for (i = 0; i < BITVEC_NWORDS; ++i)
  241.   {
  242.     if (x[i] != y[i])
  243.     {
  244.       return 0;
  245.     }
  246.   }
  247.   return 1;
  248. }
  249. #else
  250. /* constant time version of equality test */
  251. static int bitvec_equal(const bitvec_t x, const bitvec_t y)
  252. {
  253.   int ret = 1;
  254.   int i;
  255.   for (i = 0; i < BITVEC_NWORDS; ++i)
  256.   {
  257.     ret &= (x[i] == y[i]);
  258.   }
  259.   return ret;
  260. }
  261. #endif
  262.  
  263. static void bitvec_set_zero(bitvec_t x)
  264. {
  265.   int i;
  266.   for (i = 0; i < BITVEC_NWORDS; ++i)
  267.   {
  268.     x[i] = 0;
  269.   }
  270. }
  271.  
  272. #if defined(CONST_TIME) && (CONST_TIME == 0)
  273. /* fast implementation */
  274. static int bitvec_is_zero(const bitvec_t x)
  275. {
  276.   uint32_t i = 0;
  277.   while (i < BITVEC_NWORDS)
  278.   {
  279.     if (x[i] != 0)
  280.     {
  281.       break;
  282.     }
  283.     i += 1;
  284.   }
  285.   return (i == BITVEC_NWORDS);
  286. }
  287. #else
  288. /* constant-time implementation */
  289. static int bitvec_is_zero(const bitvec_t x)
  290. {
  291.   int ret = 1;
  292.   int i = 0;
  293.   for (i = 0; i < BITVEC_NWORDS; ++i)
  294.   {
  295.     ret &= (x[i] == 0);
  296.   }
  297.   return ret;
  298. }
  299. #endif
  300.  
  301. /* return the number of the highest one-bit + 1 */
  302. static int bitvec_degree(const bitvec_t x)
  303. {
  304.   int i = BITVEC_NWORDS * 32;
  305.  
  306.   /* Start at the back of the vector (MSB) */
  307.   x += BITVEC_NWORDS;
  308.  
  309.   /* Skip empty / zero words */
  310.   while (    (i > 0)
  311.           && (*(--x)) == 0)
  312.   {
  313.     i -= 32;
  314.   }
  315.   /* Run through rest if count is not multiple of bitsize of DTYPE */
  316.   if (i != 0)
  317.   {
  318.     uint32_t u32mask = ((uint32_t)1 << 31);
  319.     while (((*x) & u32mask) == 0)
  320.     {
  321.       u32mask >>= 1;
  322.       i -= 1;
  323.     }
  324.   }
  325.   return i;
  326. }
  327.  
  328. /* left-shift by 'count' digits */
  329. static void bitvec_lshift(bitvec_t x, const bitvec_t y, int nbits)
  330. {
  331.   int nwords = (nbits / 32);
  332.  
  333.   /* Shift whole words first if nwords > 0 */
  334.   int i,j;
  335.   for (i = 0; i < nwords; ++i)
  336.   {
  337.     /* Zero-initialize from least-significant word until offset reached */
  338.     x[i] = 0;
  339.   }
  340.   j = 0;
  341.   /* Copy to x output */
  342.   while (i < BITVEC_NWORDS)
  343.   {
  344.     x[i] = y[j];
  345.     i += 1;
  346.     j += 1;
  347.   }
  348.  
  349.   /* Shift the rest if count was not multiple of bitsize of DTYPE */
  350.   nbits &= 31;
  351.   if (nbits != 0)
  352.   {
  353.     /* Left shift rest */
  354.     int i;
  355.     for (i = (BITVEC_NWORDS - 1); i > 0; --i)
  356.     {
  357.       x[i]  = (x[i] << nbits) | (x[i - 1] >> (32 - nbits));
  358.     }
  359.     x[0] <<= nbits;
  360.   }
  361. }
  362.  
  363.  
  364. /*************************************************************************************************/
  365. /*
  366.   Code that does arithmetic on bit-vectors in the Galois Field GF(2^CURVE_DEGREE).
  367. */
  368. /*************************************************************************************************/
  369.  
  370.  
  371. static void gf2field_set_one(gf2elem_t x)
  372. {
  373.   /* Set first word to one */
  374.   x[0] = 1;
  375.   /* .. and the rest to zero */
  376.   int i;
  377.   for (i = 1; i < BITVEC_NWORDS; ++i)
  378.   {
  379.     x[i] = 0;
  380.   }
  381. }
  382.  
  383. #if defined(CONST_TIME) && (CONST_TIME == 0)
  384. /* fastest check if x == 1 */
  385. static int gf2field_is_one(const gf2elem_t x)
  386. {
  387.   /* Check if first word == 1 */
  388.   if (x[0] != 1)
  389.   {
  390.     return 0;
  391.   }
  392.   /* ...and if rest of words == 0 */
  393.   int i;
  394.   for (i = 1; i < BITVEC_NWORDS; ++i)
  395.   {
  396.     if (x[i] != 0)
  397.     {
  398.       break;
  399.     }
  400.   }
  401.   return (i == BITVEC_NWORDS);
  402. }
  403. #else
  404. /* constant-time check */
  405. static int gf2field_is_one(const gf2elem_t x)
  406. {
  407.   int ret = 0;
  408.   /* Check if first word == 1 */
  409.   if (x[0] == 1)
  410.   {
  411.     ret = 1;
  412.   }
  413.   /* ...and if rest of words == 0 */
  414.   int i;
  415.   for (i = 1; i < BITVEC_NWORDS; ++i)
  416.   {
  417.     ret &= (x[i] == 0);
  418.   }
  419.   return ret; //(i == BITVEC_NWORDS);
  420. }
  421. #endif
  422.  
  423.  
  424. /* galois field(2^m) addition is modulo 2, so XOR is used instead - 'z := a + b' */
  425. static void gf2field_add(gf2elem_t z, const gf2elem_t x, const gf2elem_t y)
  426. {
  427.   int i;
  428.   for (i = 0; i < BITVEC_NWORDS; ++i)
  429.   {
  430.     z[i] = (x[i] ^ y[i]);
  431.   }
  432. }
  433.  
  434. /* increment element */
  435. static void gf2field_inc(gf2elem_t x)
  436. {
  437.   x[0] ^= 1;
  438. }
  439.  
  440.  
  441. /* field multiplication 'z := (x * y)' */
  442. static void gf2field_mul(gf2elem_t z, const gf2elem_t x, const gf2elem_t y)
  443. {
  444.   int i;
  445.   gf2elem_t tmp;
  446. #if defined(CONST_TIME) && (CONST_TIME == 1)
  447.   gf2elem_t blind;
  448.   bitvec_set_zero(blind);
  449. #endif
  450.   assert(z != y);
  451.  
  452.   bitvec_copy(tmp, x);
  453.  
  454.   /* LSB set? Then start with x */
  455.   if (bitvec_get_bit(y, 0) != 0)
  456.   {
  457.     bitvec_copy(z, x);
  458.   }
  459.   else /* .. or else start with zero */
  460.   {
  461.     bitvec_set_zero(z);
  462.   }
  463.  
  464.   /* Then add 2^i * x for the rest */
  465.   for (i = 1; i < CURVE_DEGREE; ++i)
  466.   {
  467.     /* lshift 1 - doubling the value of tmp */
  468.     bitvec_lshift(tmp, tmp, 1);
  469.  
  470.     /* Modulo reduction polynomial if degree(tmp) > CURVE_DEGREE */
  471.     if (bitvec_get_bit(tmp, CURVE_DEGREE))
  472.     {
  473.       gf2field_add(tmp, tmp, polynomial);
  474.     }
  475. #if defined(CONST_TIME) && (CONST_TIME == 1)
  476.     else /* blinding operation */
  477.     {
  478.       gf2field_add(tmp, tmp, blind);
  479.     }
  480. #endif
  481.  
  482.     /* Add 2^i * tmp if this factor in y is non-zero */
  483.     if (bitvec_get_bit(y, i))
  484.     {
  485.       gf2field_add(z, z, tmp);
  486.     }
  487. #if defined(CONST_TIME) && (CONST_TIME == 1)
  488.     else /* blinding operation */
  489.     {
  490.       gf2field_add(z, z, blind);
  491.     }
  492. #endif
  493.   }
  494. }
  495.  
  496. /* field inversion 'z := 1/x' */
  497. static void gf2field_inv(gf2elem_t z, const gf2elem_t x)
  498. {
  499.   gf2elem_t u, v, g, h;
  500.   int i;
  501.  
  502.   bitvec_copy(u, x);
  503.   bitvec_copy(v, polynomial);
  504.   bitvec_set_zero(g);
  505.   gf2field_set_one(z);
  506.  
  507.   while (!gf2field_is_one(u))
  508.   {
  509.     i = (bitvec_degree(u) - bitvec_degree(v));
  510.  
  511.     if (i < 0)
  512.     {
  513.       bitvec_swap(u, v);
  514.       bitvec_swap(g, z);
  515.       i = -i;
  516.     }
  517. #if defined(CONST_TIME) && (CONST_TIME == 1)
  518.     else
  519.     {
  520.       bitvec_swap(u, v);
  521.       bitvec_swap(v, u);
  522.     }
  523. #endif
  524.     bitvec_lshift(h, v, i);
  525.     gf2field_add(u, u, h);
  526.     bitvec_lshift(h, g, i);
  527.     gf2field_add(z, z, h);
  528.   }
  529. }
  530.  
  531. /*************************************************************************************************/
  532. /*
  533.    The following code takes care of Galois-Field arithmetic.
  534.    Elliptic curve points are represented  by pairs (x,y) of bitvec_t.
  535.    It is assumed that curve coefficient 'a' is {0,1}
  536.    This is the case for all NIST binary curves.
  537.    Coefficient 'b' is given in 'coeff_b'.
  538.    '(base_x, base_y)' is a point that generates a large prime order group.
  539. */
  540. /*************************************************************************************************/
  541.  
  542.  
  543. static void gf2point_copy(gf2elem_t x1, gf2elem_t y1, const gf2elem_t x2, const gf2elem_t y2)
  544. {
  545.   bitvec_copy(x1, x2);
  546.   bitvec_copy(y1, y2);
  547. }
  548.  
  549. static void gf2point_set_zero(gf2elem_t x, gf2elem_t y)
  550. {
  551.   bitvec_set_zero(x);
  552.   bitvec_set_zero(y);
  553. }
  554.  
  555. static int gf2point_is_zero(const gf2elem_t x, const gf2elem_t y)
  556. {
  557.   return (    bitvec_is_zero(x)
  558.            && bitvec_is_zero(y));
  559. }
  560.  
  561. /* double the point (x,y) */
  562. static void gf2point_double(gf2elem_t x, gf2elem_t y)
  563. {
  564.   /* iff P = O (zero or infinity): 2 * P = P */
  565.   if (bitvec_is_zero(x))
  566.   {
  567.     bitvec_set_zero(y);
  568.   }
  569.   else
  570.   {
  571.     gf2elem_t l;
  572.  
  573.     gf2field_inv(l, x);
  574.     gf2field_mul(l, l, y);
  575.     gf2field_add(l, l, x);
  576.     gf2field_mul(y, x, x);
  577.     gf2field_mul(x, l, l);
  578. #if (coeff_a == 1)
  579.     gf2field_inc(l);
  580. #endif
  581.     gf2field_add(x, x, l);
  582.     gf2field_mul(l, l, x);
  583.     gf2field_add(y, y, l);
  584.   }
  585. }
  586.  
  587.  
  588. /* add two points together (x1, y1) := (x1, y1) + (x2, y2) */
  589. static void gf2point_add(gf2elem_t x1, gf2elem_t y1, const gf2elem_t x2, const gf2elem_t y2)
  590. {
  591.   if (!gf2point_is_zero(x2, y2))
  592.   {
  593.     if (gf2point_is_zero(x1, y1))
  594.     {
  595.       gf2point_copy(x1, y1, x2, y2);
  596.     }
  597.     else
  598.     {
  599.       if (bitvec_equal(x1, x2))
  600.       {
  601.         if (bitvec_equal(y1, y2))
  602.         {
  603.           gf2point_double(x1, y1);
  604.         }
  605.         else
  606.         {
  607.           gf2point_set_zero(x1, y1);
  608.         }
  609.       }
  610.       else
  611.       {
  612.         /* Arithmetic with temporary variables */
  613.         gf2elem_t a, b, c, d;
  614.  
  615.         gf2field_add(a, y1, y2);
  616.         gf2field_add(b, x1, x2);
  617.         gf2field_inv(c, b);
  618.         gf2field_mul(c, c, a);
  619.         gf2field_mul(d, c, c);
  620.         gf2field_add(d, d, c);
  621.         gf2field_add(d, d, b);
  622. #if (coeff_a == 1)
  623.         gf2field_inc(d);
  624. #endif
  625.         gf2field_add(x1, x1, d);
  626.         gf2field_mul(a, x1, c);
  627.         gf2field_add(a, a, d);
  628.         gf2field_add(y1, y1, a);
  629.         bitvec_copy(x1, d);
  630.       }
  631.     }
  632.   }
  633. }
  634.  
  635.  
  636.  
  637. #if defined(CONST_TIME) && (CONST_TIME == 0)
  638. /* point multiplication via double-and-add algorithm */
  639. static void gf2point_mul(gf2elem_t x, gf2elem_t y, const scalar_t exp)
  640. {
  641.   gf2elem_t tmpx, tmpy;
  642.   int i;
  643.   int nbits = bitvec_degree(exp);
  644.  
  645.   gf2point_set_zero(tmpx, tmpy);
  646.  
  647.   for (i = (nbits - 1); i >= 0; --i)
  648.   {
  649.     gf2point_double(tmpx, tmpy);
  650.     if (bitvec_get_bit(exp, i))
  651.     {
  652.       gf2point_add(tmpx, tmpy, x, y);
  653.     }
  654.   }
  655.   gf2point_copy(x, y, tmpx, tmpy);
  656. }
  657. #else
  658. /* point multiplication via double-and-add-always algorithm using scalar blinding */
  659. static void gf2point_mul(gf2elem_t x, gf2elem_t y, const scalar_t exp)
  660. {
  661.   gf2elem_t tmpx, tmpy;
  662.   gf2elem_t dummyx, dummyy;
  663.   int i;
  664.   int nbits = bitvec_degree(exp);
  665.  
  666.   gf2point_set_zero(tmpx, tmpy);
  667.   gf2point_set_zero(dummyx, dummyy);
  668.  
  669.   for (i = (nbits - 1); i >= 0; --i)
  670.   {
  671.     gf2point_double(tmpx, tmpy);
  672.  
  673.     /* Add point if bit(i) is set in exp */
  674.     if (bitvec_get_bit(exp, i))
  675.     {
  676.       gf2point_add(tmpx, tmpy, x, y);
  677.     }
  678.     /* .. or add the neutral element to keep operation constant-time */
  679.     else
  680.     {
  681.       gf2point_add(tmpx, tmpy, dummyx, dummyy);
  682.     }
  683.   }
  684.   gf2point_copy(x, y, tmpx, tmpy);
  685. }
  686. #endif
  687.  
  688.  
  689.  
  690. /* check if y^2 + x*y = x^3 + a*x^2 + coeff_b holds */
  691. static int gf2point_on_curve(const gf2elem_t x, const gf2elem_t y)
  692. {
  693.   gf2elem_t a, b;
  694.  
  695.   if (gf2point_is_zero(x, y))
  696.   {
  697.     return 1;
  698.   }
  699.   else
  700.   {
  701.     gf2field_mul(a, x, x);
  702. #if (coeff_a == 0)
  703.     gf2field_mul(a, a, x);
  704. #else
  705.     gf2field_mul(b, a, x);
  706.     gf2field_add(a, a, b);
  707. #endif
  708.     gf2field_add(a, a, coeff_b);
  709.     gf2field_mul(b, y, y);
  710.     gf2field_add(a, a, b);
  711.     gf2field_mul(b, x, y);
  712.  
  713.     return bitvec_equal(a, b);
  714.   }
  715. }
  716.  
  717.  
  718. /*************************************************************************************************/
  719. /*
  720.   Elliptic Curve Diffie-Hellman key exchange protocol.
  721. */
  722. /*************************************************************************************************/
  723.  
  724.  
  725.  
  726. /* NOTE: private should contain random data a-priori! */
  727. int ecdh_generate_keys(uint8_t* public_key, uint8_t* private_key)
  728. {
  729.   /* Get copy of "base" point 'G' */
  730.   gf2point_copy((uint32_t*)public_key, (uint32_t*)(public_key + BITVEC_NBYTES), base_x, base_y);
  731.  
  732.   /* Abort key generation if random number is too small */
  733.   if (bitvec_degree((uint32_t*)private_key) < (CURVE_DEGREE / 2))
  734.   {
  735.     return 0;
  736.   }
  737.   else
  738.   {
  739.     /* Clear bits > CURVE_DEGREE in highest word to satisfy constraint 1 <= exp < n. */
  740.     int nbits = bitvec_degree(base_order);
  741.     int i;
  742.  
  743.     for (i = (nbits - 1); i < (BITVEC_NWORDS * 32); ++i)
  744.     {
  745.       bitvec_clr_bit((uint32_t*)private_key, i);
  746.     }
  747.  
  748.     /* Multiply base-point with scalar (private-key) */
  749.     gf2point_mul((uint32_t*)public_key, (uint32_t*)(public_key + BITVEC_NBYTES), (uint32_t*)private_key);
  750.  
  751.     return 1;
  752.   }
  753. }
  754.  
  755.  
  756.  
  757. int ecdh_shared_secret(const uint8_t* private_key, const uint8_t* others_pub, uint8_t* output)
  758. {
  759.   /* Do some basic validation of other party's public key */
  760.   if (    !gf2point_is_zero ((uint32_t*)others_pub, (uint32_t*)(others_pub + BITVEC_NBYTES))
  761.        &&  gf2point_on_curve((uint32_t*)others_pub, (uint32_t*)(others_pub + BITVEC_NBYTES)) )
  762.   {
  763.     /* Copy other side's public key to output */
  764.     unsigned int i;
  765.     for (i = 0; i < (BITVEC_NBYTES * 2); ++i)
  766.     {
  767.       output[i] = others_pub[i];
  768.     }
  769.  
  770.     /* Multiply other side's public key with own private key */
  771.     gf2point_mul((uint32_t*)output,(uint32_t*)(output + BITVEC_NBYTES), (const uint32_t*)private_key);
  772.  
  773.     /* Multiply outcome by cofactor if using ECC CDH-variant: */
  774. #if defined(ECDH_COFACTOR_VARIANT) && (ECDH_COFACTOR_VARIANT == 1)
  775.  #if   (cofactor == 2)
  776.     gf2point_double((uint32_t*)output, (uint32_t*)(output + BITVEC_NBYTES));
  777.  #elif (cofactor == 4)
  778.     gf2point_double((uint32_t*)output, (uint32_t*)(output + BITVEC_NBYTES));
  779.     gf2point_double((uint32_t*)output, (uint32_t*)(output + BITVEC_NBYTES));
  780.  #endif
  781. #endif
  782.    
  783.     return 1;
  784.   }
  785.   else
  786.   {
  787.     return 0;
  788.   }
  789. }
Tags: source code ransomware BabukRansomware reversed ECDH TinyECDH
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!