1 /* 2 * Copyright 2013 The Android Open Source Project 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * * Redistributions of source code must retain the above copyright 7 * notice, this list of conditions and the following disclaimer. 8 * * Redistributions in binary form must reproduce the above copyright 9 * notice, this list of conditions and the following disclaimer in the 10 * documentation and/or other materials provided with the distribution. 11 * * Neither the name of Google Inc. nor the names of its contributors may 12 * be used to endorse or promote products derived from this software 13 * without specific prior written permission. 14 * 15 * THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 17 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO 18 * EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 19 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 20 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; 21 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 22 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 23 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 24 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27 #ifndef CONSTRAINEDCRYPTO_LITE_P256_H_ 28 #define CONSTRAINEDCRYPTO_LITE_P256_H_ 29 30 // Collection of routines manipulating 256 bit unsigned integers. 31 // Just enough to implement ecdsa-p256 and related algorithms. 32 33 #include <stdint.h> 34 35 #ifdef __cplusplus 36 extern "C" { 37 #endif 38 39 #define P256_BITSPERDIGIT 32 40 #define P256_NDIGITS 8 41 #define P256_NBYTES 32 42 43 typedef int p256_err; 44 typedef uint32_t p256_digit; 45 typedef int32_t p256_sdigit; 46 typedef uint64_t p256_ddigit; 47 typedef int64_t p256_sddigit; 48 49 // Defining p256_int as struct to leverage struct assigment. 50 typedef struct { 51 p256_digit a[P256_NDIGITS]; 52 } p256_int; 53 54 extern const p256_int SECP256r1_n; // Curve order 55 extern const p256_int SECP256r1_p; // Curve prime 56 extern const p256_int SECP256r1_b; // Curve param 57 58 // Initialize a p256_int to zero. 59 void p256_init(p256_int* a); 60 61 // Clear a p256_int to zero. 62 void p256_clear(p256_int* a); 63 64 // Return bit. Index 0 is least significant. 65 int p256_get_bit(const p256_int* a, int index); 66 67 // b := a % MOD 68 void p256_mod( 69 const p256_int* MOD, 70 const p256_int* a, 71 p256_int* b); 72 73 // c := a * (top_b | b) % MOD 74 void p256_modmul( 75 const p256_int* MOD, 76 const p256_int* a, 77 const p256_digit top_b, 78 const p256_int* b, 79 p256_int* c); 80 81 // b := 1 / a % MOD 82 // MOD best be SECP256r1_n 83 void p256_modinv( 84 const p256_int* MOD, 85 const p256_int* a, 86 p256_int* b); 87 88 // b := 1 / a % MOD 89 // MOD best be SECP256r1_n 90 // Faster than p256_modinv() 91 void p256_modinv_vartime( 92 const p256_int* MOD, 93 const p256_int* a, 94 p256_int* b); 95 96 // b := a << (n % P256_BITSPERDIGIT) 97 // Returns the bits shifted out of most significant digit. 98 p256_digit p256_shl(const p256_int* a, int n, p256_int* b); 99 100 // b := a >> (n % P256_BITSPERDIGIT) 101 void p256_shr(const p256_int* a, int n, p256_int* b); 102 103 int p256_is_zero(const p256_int* a); 104 int p256_is_odd(const p256_int* a); 105 int p256_is_even(const p256_int* a); 106 107 // Returns -1, 0 or 1. 108 int p256_cmp(const p256_int* a, const p256_int *b); 109 110 // c: = a - b 111 // Returns -1 on borrow. 112 int p256_sub(const p256_int* a, const p256_int* b, p256_int* c); 113 114 // c := a + b 115 // Returns 1 on carry. 116 int p256_add(const p256_int* a, const p256_int* b, p256_int* c); 117 118 // c := a + (single digit)b 119 // Returns carry 1 on carry. 120 int p256_add_d(const p256_int* a, p256_digit b, p256_int* c); 121 122 // ec routines. 123 124 // {out_x,out_y} := nG 125 void p256_base_point_mul(const p256_int *n, 126 p256_int *out_x, 127 p256_int *out_y); 128 129 // {out_x,out_y} := n{in_x,in_y} 130 void p256_point_mul(const p256_int *n, 131 const p256_int *in_x, 132 const p256_int *in_y, 133 p256_int *out_x, 134 p256_int *out_y); 135 136 // {out_x,out_y} := n1G + n2{in_x,in_y} 137 void p256_points_mul_vartime( 138 const p256_int *n1, const p256_int *n2, 139 const p256_int *in_x, const p256_int *in_y, 140 p256_int *out_x, p256_int *out_y); 141 142 // Return whether point {x,y} is on curve. 143 int p256_is_valid_point(const p256_int* x, const p256_int* y); 144 145 // Outputs big-endian binary form. No leading zero skips. 146 void p256_to_bin(const p256_int* src, uint8_t dst[P256_NBYTES]); 147 148 // Reads from big-endian binary form, 149 // thus pre-pad with leading zeros if short. 150 void p256_from_bin(const uint8_t src[P256_NBYTES], p256_int* dst); 151 152 #define P256_DIGITS(x) ((x)->a) 153 #define P256_DIGIT(x,y) ((x)->a[y]) 154 155 #define P256_ZERO {{0}} 156 #define P256_ONE {{1}} 157 158 #ifdef __cplusplus 159 } 160 #endif 161 162 #endif // CONSTRAINEDCRYPTO_LITE_P256_H_ 163
