fe_operations.h
1 /* fe_operations.h
2  *
3  * Copyright (C) 2006-2020 wolfSSL Inc.
4  *
5  * This file is part of wolfSSL.
6  *
7  * wolfSSL is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License as published by
9  * the Free Software Foundation; either version 2 of the License, or
10  * (at your option) any later version.
11  *
12  * wolfSSL is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15  * GNU General Public License for more details.
16  *
17  * You should have received a copy of the GNU General Public License
18  * along with this program; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20  */
21 
22 
23 #ifndef WOLF_CRYPT_FE_OPERATIONS_H
24 #define WOLF_CRYPT_FE_OPERATIONS_H
25 
26 #include <wolfssl/wolfcrypt/settings.h>
27 
28 #if defined(HAVE_CURVE25519) || defined(HAVE_ED25519)
29 
30 #if !defined(CURVE25519_SMALL) || !defined(ED25519_SMALL)
31  #include <stdint.h>
32 #endif
33 
34 #include <wolfssl/wolfcrypt/types.h>
35 
36 #if defined(USE_INTEL_SPEEDUP) && !defined(NO_CURVED25519_X64)
37  #define CURVED25519_X64
38 #elif defined(HAVE___UINT128_T) && !defined(NO_CURVED25519_128BIT)
39  #define CURVED25519_128BIT
40 #endif
41 
42 #if defined(CURVED25519_X64)
43  #define CURVED25519_ASM_64BIT
44  #define CURVED25519_ASM
45 #endif
46 #if defined(WOLFSSL_ARMASM)
47  #ifdef __aarch64__
48  #define CURVED25519_ASM_64BIT
49  #else
50  #define CURVED25519_ASM_32BIT
51  #endif
52  #define CURVED25519_ASM
53 #endif
54 
55 /*
56 fe means field element.
57 Here the field is \Z/(2^255-19).
58 An element t, entries t[0]...t[9], represents the integer
59 t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9].
60 Bounds on each t[i] vary depending on context.
61 */
62 
63 #ifdef __cplusplus
64  extern "C" {
65 #endif
66 
67 #if defined(CURVE25519_SMALL) || defined(ED25519_SMALL)
68  #define F25519_SIZE 32
69 
70  WOLFSSL_LOCAL void lm_copy(byte*, const byte*);
71  WOLFSSL_LOCAL void lm_add(byte*, const byte*, const byte*);
72  WOLFSSL_LOCAL void lm_sub(byte*, const byte*, const byte*);
73  WOLFSSL_LOCAL void lm_neg(byte*,const byte*);
74  WOLFSSL_LOCAL void lm_invert(byte*, const byte*);
75  WOLFSSL_LOCAL void lm_mul(byte*,const byte*,const byte*);
76 #endif
77 
78 
79 #if !defined(FREESCALE_LTC_ECC)
80 WOLFSSL_LOCAL void fe_init(void);
81 
82 WOLFSSL_LOCAL int curve25519(byte * q, byte * n, byte * p);
83 #endif
84 
85 /* default to be faster but take more memory */
86 #if !defined(CURVE25519_SMALL) || !defined(ED25519_SMALL)
87 
88 #ifdef CURVED25519_ASM_64BIT
89  typedef int64_t fe[4];
90 #elif defined(CURVED25519_ASM_32BIT)
91  typedef int32_t fe[8];
92 #elif defined(CURVED25519_128BIT)
93  typedef int64_t fe[5];
94 #else
95  typedef int32_t fe[10];
96 #endif
97 
98 WOLFSSL_LOCAL void fe_copy(fe, const fe);
99 WOLFSSL_LOCAL void fe_add(fe, const fe, const fe);
100 WOLFSSL_LOCAL void fe_neg(fe,const fe);
101 WOLFSSL_LOCAL void fe_sub(fe, const fe, const fe);
102 WOLFSSL_LOCAL void fe_invert(fe, const fe);
103 WOLFSSL_LOCAL void fe_mul(fe,const fe,const fe);
104 
105 
106 /* Based On Daniel J Bernstein's curve25519 and ed25519 Public Domain ref10
107  work. */
108 
109 WOLFSSL_LOCAL void fe_0(fe);
110 WOLFSSL_LOCAL void fe_1(fe);
111 WOLFSSL_LOCAL int fe_isnonzero(const fe);
112 WOLFSSL_LOCAL int fe_isnegative(const fe);
113 WOLFSSL_LOCAL void fe_tobytes(unsigned char *, const fe);
114 WOLFSSL_LOCAL void fe_sq(fe, const fe);
115 WOLFSSL_LOCAL void fe_sq2(fe,const fe);
116 WOLFSSL_LOCAL void fe_frombytes(fe,const unsigned char *);
117 WOLFSSL_LOCAL void fe_cswap(fe, fe, int);
118 WOLFSSL_LOCAL void fe_mul121666(fe,fe);
119 WOLFSSL_LOCAL void fe_cmov(fe,const fe, int);
120 WOLFSSL_LOCAL void fe_pow22523(fe,const fe);
121 
122 /* 64 type needed for SHA512 */
123 WOLFSSL_LOCAL uint64_t load_3(const unsigned char *in);
124 WOLFSSL_LOCAL uint64_t load_4(const unsigned char *in);
125 
126 #ifdef CURVED25519_ASM
127 WOLFSSL_LOCAL void fe_ge_to_p2(fe rx, fe ry, fe rz, const fe px, const fe py,
128  const fe pz, const fe pt);
129 WOLFSSL_LOCAL void fe_ge_to_p3(fe rx, fe ry, fe rz, fe rt, const fe px,
130  const fe py, const fe pz, const fe pt);
131 WOLFSSL_LOCAL void fe_ge_dbl(fe rx, fe ry, fe rz, fe rt, const fe px,
132  const fe py, const fe pz);
133 WOLFSSL_LOCAL void fe_ge_madd(fe rx, fe ry, fe rz, fe rt, const fe px,
134  const fe py, const fe pz, const fe pt,
135  const fe qxy2d, const fe qyplusx,
136  const fe qyminusx);
137 WOLFSSL_LOCAL void fe_ge_msub(fe rx, fe ry, fe rz, fe rt, const fe px,
138  const fe py, const fe pz, const fe pt,
139  const fe qxy2d, const fe qyplusx,
140  const fe qyminusx);
141 WOLFSSL_LOCAL void fe_ge_add(fe rx, fe ry, fe rz, fe rt, const fe px,
142  const fe py, const fe pz, const fe pt, const fe qz,
143  const fe qt2d, const fe qyplusx,
144  const fe qyminusx);
145 WOLFSSL_LOCAL void fe_ge_sub(fe rx, fe ry, fe rz, fe rt, const fe px,
146  const fe py, const fe pz, const fe pt, const fe qz,
147  const fe qt2d, const fe qyplusx,
148  const fe qyminusx);
149 WOLFSSL_LOCAL void fe_cmov_table(fe* r, fe* base, signed char b);
150 #endif /* CURVED25519_ASM */
151 #endif /* !CURVE25519_SMALL || !ED25519_SMALL */
152 
153 /* Use less memory and only 32bit types or less, but is slower
154  Based on Daniel Beer's public domain work. */
155 #if defined(CURVE25519_SMALL) || defined(ED25519_SMALL)
156 static const byte c25519_base_x[F25519_SIZE] = {9};
157 static const byte f25519_zero[F25519_SIZE] = {0};
158 static const byte f25519_one[F25519_SIZE] = {1};
159 static const byte fprime_zero[F25519_SIZE] = {0};
160 static const byte fprime_one[F25519_SIZE] = {1};
161 
162 WOLFSSL_LOCAL void fe_load(byte *x, word32 c);
163 WOLFSSL_LOCAL void fe_normalize(byte *x);
164 WOLFSSL_LOCAL void fe_inv__distinct(byte *r, const byte *x);
165 
166 /* Conditional copy. If condition == 0, then zero is copied to dst. If
167  * condition == 1, then one is copied to dst. Any other value results in
168  * undefined behavior.
169  */
170 WOLFSSL_LOCAL void fe_select(byte *dst, const byte *zero, const byte *one,
171  byte condition);
172 
173 /* Multiply a point by a small constant. The two pointers are not
174  * required to be distinct.
175  *
176  * The constant must be less than 2^24.
177  */
178 WOLFSSL_LOCAL void fe_mul_c(byte *r, const byte *a, word32 b);
179 WOLFSSL_LOCAL void fe_mul__distinct(byte *r, const byte *a, const byte *b);
180 
181 /* Compute one of the square roots of the field element, if the element
182  * is square. The other square is -r.
183  *
184  * If the input is not square, the returned value is a valid field
185  * element, but not the correct answer. If you don't already know that
186  * your element is square, you should square the return value and test.
187  */
188 WOLFSSL_LOCAL void fe_sqrt(byte *r, const byte *x);
189 
190 /* Conditional copy. If condition == 0, then zero is copied to dst. If
191  * condition == 1, then one is copied to dst. Any other value results in
192  * undefined behavior.
193  */
194 WOLFSSL_LOCAL void fprime_select(byte *dst, const byte *zero, const byte *one,
195  byte condition);
196 WOLFSSL_LOCAL void fprime_add(byte *r, const byte *a, const byte *modulus);
197 WOLFSSL_LOCAL void fprime_sub(byte *r, const byte *a, const byte *modulus);
198 WOLFSSL_LOCAL void fprime_mul(byte *r, const byte *a, const byte *b,
199  const byte *modulus);
200 WOLFSSL_LOCAL void fprime_copy(byte *x, const byte *a);
201 
202 #endif /* CURVE25519_SMALL || ED25519_SMALL */
203 
204 #ifdef __cplusplus
205  } /* extern "C" */
206 #endif
207 
208 #endif /* HAVE_CURVE25519 || HAVE_ED25519 */
209 
210 #endif /* WOLF_CRYPT_FE_OPERATIONS_H */