<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html xmlns="http://www.w3.org/1999/xhtml">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
|
|
<meta http-equiv="X-UA-Compatible" content="IE=9"/>
|
|
<meta name="generator" content="Doxygen 1.8.6"/>
|
|
<title>Arduino Cryptography Library: P521.cpp Source File</title>
|
|
<link href="tabs.css" rel="stylesheet" type="text/css"/>
|
|
<script type="text/javascript" src="jquery.js"></script>
|
|
<script type="text/javascript" src="dynsections.js"></script>
|
|
<link href="search/search.css" rel="stylesheet" type="text/css"/>
|
|
<script type="text/javascript" src="search/search.js"></script>
|
|
<script type="text/javascript">
|
|
// Once the DOM is ready, preselect the "All" filter (item 0) in the Doxygen search box.
$(function () { searchBox.OnSelectItem(0); });
|
|
</script>
|
|
<link href="doxygen.css" rel="stylesheet" type="text/css" />
|
|
</head>
|
|
<body>
|
|
<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
|
|
<div id="titlearea">
|
|
<table cellspacing="0" cellpadding="0">
|
|
<tbody>
|
|
<tr style="height: 56px;">
|
|
<td style="padding-left: 0.5em;">
|
|
<div id="projectname">Arduino Cryptography Library
|
|
</div>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
<!-- end header part -->
|
|
<!-- Generated by Doxygen 1.8.6 -->
|
|
<script type="text/javascript">
|
|
// Global controller for the Doxygen search widget. The inline on* handlers on the
// search box markup below and the $(document).ready() call above reach it by this name.
// NOTE(review): this inline script, like those on* handlers, needs 'unsafe-inline'
// (or a nonce/hash) in any Content-Security-Policy applied to the generated docs.
var searchBox = new SearchBox("searchBox", "search",false,'Search');
|
|
</script>
|
|
<div id="navrow1" class="tabs">
|
|
<ul class="tablist">
|
|
<li><a href="index.html"><span>Main Page</span></a></li>
|
|
<li><a href="pages.html"><span>Related Pages</span></a></li>
|
|
<li><a href="annotated.html"><span>Classes</span></a></li>
|
|
<li class="current"><a href="files.html"><span>Files</span></a></li>
|
|
<li>
|
|
<div id="MSearchBox" class="MSearchBoxInactive">
|
|
<span class="left">
|
|
<img id="MSearchSelect" src="search/mag_sel.png"
|
|
onmouseover="return searchBox.OnSearchSelectShow()"
|
|
onmouseout="return searchBox.OnSearchSelectHide()"
|
|
alt=""/>
|
|
<input type="text" id="MSearchField" value="Search" accesskey="S"
|
|
onfocus="searchBox.OnSearchFieldFocus(true)"
|
|
onblur="searchBox.OnSearchFieldFocus(false)"
|
|
onkeyup="searchBox.OnSearchFieldChange(event)"/>
|
|
</span><span class="right">
|
|
<a id="MSearchClose" href="javascript:searchBox.CloseResultsWindow()"><img id="MSearchCloseImg" border="0" src="search/close.png" alt=""/></a>
|
|
</span>
|
|
</div>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
<div id="navrow2" class="tabs2">
|
|
<ul class="tablist">
|
|
<li><a href="files.html"><span>File List</span></a></li>
|
|
</ul>
|
|
</div>
|
|
<!-- window showing the filter options -->
|
|
<div id="MSearchSelectWindow"
|
|
onmouseover="return searchBox.OnSearchSelectShow()"
|
|
onmouseout="return searchBox.OnSearchSelectHide()"
|
|
onkeydown="return searchBox.OnSearchSelectKey(event)">
|
|
<a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(0)"><span class="SelectionMark"> </span>All</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(1)"><span class="SelectionMark"> </span>Classes</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(2)"><span class="SelectionMark"> </span>Files</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(3)"><span class="SelectionMark"> </span>Functions</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(4)"><span class="SelectionMark"> </span>Variables</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(5)"><span class="SelectionMark"> </span>Enumerations</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(6)"><span class="SelectionMark"> </span>Enumerator</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(7)"><span class="SelectionMark"> </span>Pages</a></div>
|
|
|
|
<!-- iframe showing the search results (closed by default) -->
|
|
<div id="MSearchResultsWindow">
|
|
<iframe src="javascript:void(0)" frameborder="0"
|
|
name="MSearchResults" id="MSearchResults">
|
|
</iframe>
|
|
</div>
|
|
|
|
<div id="nav-path" class="navpath">
|
|
<ul>
|
|
<li class="navelem"><a class="el" href="dir_bc0718b08fb2015b8e59c47b2805f60c.html">libraries</a></li><li class="navelem"><a class="el" href="dir_e2ce51835550ba18edf07a8311722290.html">Crypto</a></li> </ul>
|
|
</div>
|
|
</div><!-- top -->
|
|
<div class="header">
|
|
<div class="headertitle">
|
|
<div class="title">P521.cpp</div> </div>
|
|
</div><!--header-->
|
|
<div class="contents">
|
|
<div class="fragment"><div class="line"><a name="l00001"></a><span class="lineno"> 1</span> <span class="comment">/*</span></div>
|
|
<div class="line"><a name="l00002"></a><span class="lineno"> 2</span> <span class="comment"> * Copyright (C) 2016 Southern Storm Software, Pty Ltd.</span></div>
|
|
<div class="line"><a name="l00003"></a><span class="lineno"> 3</span> <span class="comment"> *</span></div>
|
|
<div class="line"><a name="l00004"></a><span class="lineno"> 4</span> <span class="comment"> * Permission is hereby granted, free of charge, to any person obtaining a</span></div>
|
|
<div class="line"><a name="l00005"></a><span class="lineno"> 5</span> <span class="comment"> * copy of this software and associated documentation files (the "Software"),</span></div>
|
|
<div class="line"><a name="l00006"></a><span class="lineno"> 6</span> <span class="comment"> * to deal in the Software without restriction, including without limitation</span></div>
|
|
<div class="line"><a name="l00007"></a><span class="lineno"> 7</span> <span class="comment"> * the rights to use, copy, modify, merge, publish, distribute, sublicense,</span></div>
|
|
<div class="line"><a name="l00008"></a><span class="lineno"> 8</span> <span class="comment"> * and/or sell copies of the Software, and to permit persons to whom the</span></div>
|
|
<div class="line"><a name="l00009"></a><span class="lineno"> 9</span> <span class="comment"> * Software is furnished to do so, subject to the following conditions:</span></div>
|
|
<div class="line"><a name="l00010"></a><span class="lineno"> 10</span> <span class="comment"> *</span></div>
|
|
<div class="line"><a name="l00011"></a><span class="lineno"> 11</span> <span class="comment"> * The above copyright notice and this permission notice shall be included</span></div>
|
|
<div class="line"><a name="l00012"></a><span class="lineno"> 12</span> <span class="comment"> * in all copies or substantial portions of the Software.</span></div>
|
|
<div class="line"><a name="l00013"></a><span class="lineno"> 13</span> <span class="comment"> *</span></div>
|
|
<div class="line"><a name="l00014"></a><span class="lineno"> 14</span> <span class="comment"> * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS</span></div>
|
|
<div class="line"><a name="l00015"></a><span class="lineno"> 15</span> <span class="comment"> * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,</span></div>
|
|
<div class="line"><a name="l00016"></a><span class="lineno"> 16</span> <span class="comment"> * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE</span></div>
|
|
<div class="line"><a name="l00017"></a><span class="lineno"> 17</span> <span class="comment"> * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER</span></div>
|
|
<div class="line"><a name="l00018"></a><span class="lineno"> 18</span> <span class="comment"> * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING</span></div>
|
|
<div class="line"><a name="l00019"></a><span class="lineno"> 19</span> <span class="comment"> * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER</span></div>
|
|
<div class="line"><a name="l00020"></a><span class="lineno"> 20</span> <span class="comment"> * DEALINGS IN THE SOFTWARE.</span></div>
|
|
<div class="line"><a name="l00021"></a><span class="lineno"> 21</span> <span class="comment"> */</span></div>
|
|
<div class="line"><a name="l00022"></a><span class="lineno"> 22</span> </div>
|
|
<div class="line"><a name="l00023"></a><span class="lineno"> 23</span> <span class="preprocessor">#include "P521.h"</span></div>
|
|
<div class="line"><a name="l00024"></a><span class="lineno"> 24</span> <span class="preprocessor">#include "Crypto.h"</span></div>
|
|
<div class="line"><a name="l00025"></a><span class="lineno"> 25</span> <span class="preprocessor">#include "RNG.h"</span></div>
|
|
<div class="line"><a name="l00026"></a><span class="lineno"> 26</span> <span class="preprocessor">#include "SHA512.h"</span></div>
|
|
<div class="line"><a name="l00027"></a><span class="lineno"> 27</span> <span class="preprocessor">#include "utility/LimbUtil.h"</span></div>
|
|
<div class="line"><a name="l00028"></a><span class="lineno"> 28</span> <span class="preprocessor">#include <string.h></span></div>
|
|
<div class="line"><a name="l00029"></a><span class="lineno"> 29</span> </div>
|
|
<div class="line"><a name="l00048"></a><span class="lineno"> 48</span> <span class="comment">// Number of limbs that are needed to represent a 521-bit number.</span></div>
|
|
<div class="line"><a name="l00049"></a><span class="lineno"> 49</span> <span class="preprocessor">#define NUM_LIMBS_521BIT NUM_LIMBS_BITS(521)</span></div>
|
|
<div class="line"><a name="l00050"></a><span class="lineno"> 50</span> <span class="preprocessor"></span></div>
|
|
<div class="line"><a name="l00051"></a><span class="lineno"> 51</span> <span class="comment">// Number of limbs that are needed to represent a 1042-bit number.</span></div>
|
|
<div class="line"><a name="l00052"></a><span class="lineno"> 52</span> <span class="comment">// To simply things we also require that this be twice the size of</span></div>
|
|
<div class="line"><a name="l00053"></a><span class="lineno"> 53</span> <span class="comment">// NUM_LIMB_521BIT which involves a little wastage at the high end</span></div>
|
|
<div class="line"><a name="l00054"></a><span class="lineno"> 54</span> <span class="comment">// of one extra limb for 8-bit and 32-bit limbs. There is no</span></div>
|
|
<div class="line"><a name="l00055"></a><span class="lineno"> 55</span> <span class="comment">// wastage for 16-bit limbs.</span></div>
|
|
<div class="line"><a name="l00056"></a><span class="lineno"> 56</span> <span class="preprocessor">#define NUM_LIMBS_1042BIT (NUM_LIMBS_BITS(521) * 2)</span></div>
|
|
<div class="line"><a name="l00057"></a><span class="lineno"> 57</span> <span class="preprocessor"></span></div>
|
|
<div class="line"><a name="l00058"></a><span class="lineno"> 58</span> <span class="comment">// The overhead of clean() calls in mul(), etc can add up to a lot of</span></div>
|
|
<div class="line"><a name="l00059"></a><span class="lineno"> 59</span> <span class="comment">// processing time. Only do such cleanups if strict mode has been enabled.</span></div>
|
|
<div class="line"><a name="l00060"></a><span class="lineno"> 60</span> <span class="preprocessor">#if defined(P521_STRICT_CLEAN)</span></div>
|
|
<div class="line"><a name="l00061"></a><span class="lineno"> 61</span> <span class="preprocessor"></span><span class="preprocessor">#define strict_clean(x) clean(x)</span></div>
|
|
<div class="line"><a name="l00062"></a><span class="lineno"> 62</span> <span class="preprocessor"></span><span class="preprocessor">#else</span></div>
|
|
<div class="line"><a name="l00063"></a><span class="lineno"> 63</span> <span class="preprocessor"></span><span class="preprocessor">#define strict_clean(x) do { ; } while (0)</span></div>
|
|
<div class="line"><a name="l00064"></a><span class="lineno"> 64</span> <span class="preprocessor"></span><span class="preprocessor">#endif</span></div>
|
|
<div class="line"><a name="l00065"></a><span class="lineno"> 65</span> <span class="preprocessor"></span></div>
|
|
<div class="line"><a name="l00066"></a><span class="lineno"> 66</span> <span class="comment">// Expand the partial 9-bit left over limb at the top of a 521-bit number.</span></div>
|
|
<div class="line"><a name="l00067"></a><span class="lineno"> 67</span> <span class="preprocessor">#if BIGNUMBER_LIMB_8BIT</span></div>
|
|
<div class="line"><a name="l00068"></a><span class="lineno"> 68</span> <span class="preprocessor"></span><span class="preprocessor">#define LIMB_PARTIAL(value) ((uint8_t)(value)), \</span></div>
|
|
<div class="line"><a name="l00069"></a><span class="lineno"> 69</span> <span class="preprocessor"> ((uint8_t)((value) >> 8))</span></div>
|
|
<div class="line"><a name="l00070"></a><span class="lineno"> 70</span> <span class="preprocessor"></span><span class="preprocessor">#else</span></div>
|
|
<div class="line"><a name="l00071"></a><span class="lineno"> 71</span> <span class="preprocessor"></span><span class="preprocessor">#define LIMB_PARTIAL(value) (value)</span></div>
|
|
<div class="line"><a name="l00072"></a><span class="lineno"> 72</span> <span class="preprocessor"></span><span class="preprocessor">#endif</span></div>
|
|
<div class="line"><a name="l00073"></a><span class="lineno"> 73</span> <span class="preprocessor"></span></div>
|
|
<div class="line"><a name="l00076"></a><span class="lineno"> 76</span> <span class="comment">// The group order "q" value from RFC 4754 and RFC 5903. This is the</span></div>
|
|
<div class="line"><a name="l00077"></a><span class="lineno"> 77</span> <span class="comment">// same as the "n" value from Appendix D.1.2.5 of NIST FIPS 186-4.</span></div>
|
|
<div class="line"><a name="l00078"></a><span class="lineno"> 78</span> <span class="keyword">static</span> limb_t <span class="keyword">const</span> P521_q[NUM_LIMBS_521BIT] PROGMEM = {</div>
|
|
<div class="line"><a name="l00079"></a><span class="lineno"> 79</span>  LIMB_PAIR(0x91386409, 0xbb6fb71e), LIMB_PAIR(0x899c47ae, 0x3bb5c9b8),</div>
|
|
<div class="line"><a name="l00080"></a><span class="lineno"> 80</span>  LIMB_PAIR(0xf709a5d0, 0x7fcc0148), LIMB_PAIR(0xbf2f966b, 0x51868783),</div>
|
|
<div class="line"><a name="l00081"></a><span class="lineno"> 81</span>  LIMB_PAIR(0xfffffffa, 0xffffffff), LIMB_PAIR(0xffffffff, 0xffffffff),</div>
|
|
<div class="line"><a name="l00082"></a><span class="lineno"> 82</span>  LIMB_PAIR(0xffffffff, 0xffffffff), LIMB_PAIR(0xffffffff, 0xffffffff),</div>
|
|
<div class="line"><a name="l00083"></a><span class="lineno"> 83</span>  LIMB_PARTIAL(0x1ff)</div>
|
|
<div class="line"><a name="l00084"></a><span class="lineno"> 84</span> };</div>
|
|
<div class="line"><a name="l00085"></a><span class="lineno"> 85</span> </div>
|
|
<div class="line"><a name="l00086"></a><span class="lineno"> 86</span> <span class="comment">// The "b" value from Appendix D.1.2.5 of NIST FIPS 186-4.</span></div>
|
|
<div class="line"><a name="l00087"></a><span class="lineno"> 87</span> <span class="keyword">static</span> limb_t <span class="keyword">const</span> P521_b[NUM_LIMBS_521BIT] PROGMEM = {</div>
|
|
<div class="line"><a name="l00088"></a><span class="lineno"> 88</span>  LIMB_PAIR(0x6b503f00, 0xef451fd4), LIMB_PAIR(0x3d2c34f1, 0x3573df88),</div>
|
|
<div class="line"><a name="l00089"></a><span class="lineno"> 89</span>  LIMB_PAIR(0x3bb1bf07, 0x1652c0bd), LIMB_PAIR(0xec7e937b, 0x56193951),</div>
|
|
<div class="line"><a name="l00090"></a><span class="lineno"> 90</span>  LIMB_PAIR(0x8ef109e1, 0xb8b48991), LIMB_PAIR(0x99b315f3, 0xa2da725b),</div>
|
|
<div class="line"><a name="l00091"></a><span class="lineno"> 91</span>  LIMB_PAIR(0xb68540ee, 0x929a21a0), LIMB_PAIR(0x8e1c9a1f, 0x953eb961),</div>
|
|
<div class="line"><a name="l00092"></a><span class="lineno"> 92</span>  LIMB_PARTIAL(0x051)</div>
|
|
<div class="line"><a name="l00093"></a><span class="lineno"> 93</span> };</div>
|
|
<div class="line"><a name="l00094"></a><span class="lineno"> 94</span> </div>
|
|
<div class="line"><a name="l00095"></a><span class="lineno"> 95</span> <span class="comment">// The "Gx" value from Appendix D.1.2.5 of NIST FIPS 186-4.</span></div>
|
|
<div class="line"><a name="l00096"></a><span class="lineno"> 96</span> <span class="keyword">static</span> limb_t <span class="keyword">const</span> P521_Gx[NUM_LIMBS_521BIT] PROGMEM = {</div>
|
|
<div class="line"><a name="l00097"></a><span class="lineno"> 97</span>  LIMB_PAIR(0xc2e5bd66, 0xf97e7e31), LIMB_PAIR(0x856a429b, 0x3348b3c1),</div>
|
|
<div class="line"><a name="l00098"></a><span class="lineno"> 98</span>  LIMB_PAIR(0xa2ffa8de, 0xfe1dc127), LIMB_PAIR(0xefe75928, 0xa14b5e77),</div>
|
|
<div class="line"><a name="l00099"></a><span class="lineno"> 99</span>  LIMB_PAIR(0x6b4d3dba, 0xf828af60), LIMB_PAIR(0x053fb521, 0x9c648139),</div>
|
|
<div class="line"><a name="l00100"></a><span class="lineno"> 100</span>  LIMB_PAIR(0x2395b442, 0x9e3ecb66), LIMB_PAIR(0x0404e9cd, 0x858e06b7),</div>
|
|
<div class="line"><a name="l00101"></a><span class="lineno"> 101</span>  LIMB_PARTIAL(0x0c6)</div>
|
|
<div class="line"><a name="l00102"></a><span class="lineno"> 102</span> };</div>
|
|
<div class="line"><a name="l00103"></a><span class="lineno"> 103</span> </div>
|
|
<div class="line"><a name="l00104"></a><span class="lineno"> 104</span> <span class="comment">// The "Gy" value from Appendix D.1.2.5 of NIST FIPS 186-4.</span></div>
|
|
<div class="line"><a name="l00105"></a><span class="lineno"> 105</span> <span class="keyword">static</span> limb_t <span class="keyword">const</span> P521_Gy[NUM_LIMBS_521BIT] PROGMEM = {</div>
|
|
<div class="line"><a name="l00106"></a><span class="lineno"> 106</span>  LIMB_PAIR(0x9fd16650, 0x88be9476), LIMB_PAIR(0xa272c240, 0x353c7086),</div>
|
|
<div class="line"><a name="l00107"></a><span class="lineno"> 107</span>  LIMB_PAIR(0x3fad0761, 0xc550b901), LIMB_PAIR(0x5ef42640, 0x97ee7299),</div>
|
|
<div class="line"><a name="l00108"></a><span class="lineno"> 108</span>  LIMB_PAIR(0x273e662c, 0x17afbd17), LIMB_PAIR(0x579b4468, 0x98f54449),</div>
|
|
<div class="line"><a name="l00109"></a><span class="lineno"> 109</span>  LIMB_PAIR(0x2c7d1bd9, 0x5c8a5fb4), LIMB_PAIR(0x9a3bc004, 0x39296a78),</div>
|
|
<div class="line"><a name="l00110"></a><span class="lineno"> 110</span>  LIMB_PARTIAL(0x118)</div>
|
|
<div class="line"><a name="l00111"></a><span class="lineno"> 111</span> };</div>
|
|
<div class="line"><a name="l00112"></a><span class="lineno"> 112</span> </div>
|
|
<!-- Review note (P521::eval): when point is non-NULL, validate(x, y) alone decides the
     return value, but evaluate() still runs and result[] is still written from x and y,
     so a caller must discard result whenever eval() returns false. When point is NULL
     the generator (P521_Gx, P521_Gy) is used and ok is unconditionally true. The x and y
     limb buffers are wiped with clean() before returning. -->
<div class="line"><a name="l00135"></a><span class="lineno"><a class="line" href="classP521.html#ac2e07ce7e846ba180938b41b4a2ae563"> 135</a></span> <span class="keywordtype">bool</span> <a class="code" href="classP521.html#ac2e07ce7e846ba180938b41b4a2ae563">P521::eval</a>(uint8_t result[132], <span class="keyword">const</span> uint8_t f[66], <span class="keyword">const</span> uint8_t point[132])</div>
|
|
<div class="line"><a name="l00136"></a><span class="lineno"> 136</span> {</div>
|
|
<div class="line"><a name="l00137"></a><span class="lineno"> 137</span>  limb_t x[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00138"></a><span class="lineno"> 138</span>  limb_t y[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00139"></a><span class="lineno"> 139</span>  <span class="keywordtype">bool</span> ok;</div>
|
|
<div class="line"><a name="l00140"></a><span class="lineno"> 140</span> </div>
|
|
<div class="line"><a name="l00141"></a><span class="lineno"> 141</span>  <span class="comment">// Unpack the curve point from the parameters and validate it.</span></div>
|
|
<div class="line"><a name="l00142"></a><span class="lineno"> 142</span>  <span class="keywordflow">if</span> (point) {</div>
|
|
<div class="line"><a name="l00143"></a><span class="lineno"> 143</span>  <a class="code" href="classBigNumberUtil.html#a63f9d7884eb36227d39e1b95e219d865">BigNumberUtil::unpackBE</a>(x, NUM_LIMBS_521BIT, point, 66);</div>
|
|
<div class="line"><a name="l00144"></a><span class="lineno"> 144</span>  <a class="code" href="classBigNumberUtil.html#a63f9d7884eb36227d39e1b95e219d865">BigNumberUtil::unpackBE</a>(y, NUM_LIMBS_521BIT, point + 66, 66);</div>
|
|
<div class="line"><a name="l00145"></a><span class="lineno"> 145</span>  ok = validate(x, y);</div>
|
|
<div class="line"><a name="l00146"></a><span class="lineno"> 146</span>  } <span class="keywordflow">else</span> {</div>
|
|
<div class="line"><a name="l00147"></a><span class="lineno"> 147</span>  memcpy_P(x, P521_Gx, <span class="keyword">sizeof</span>(x));</div>
|
|
<div class="line"><a name="l00148"></a><span class="lineno"> 148</span>  memcpy_P(y, P521_Gy, <span class="keyword">sizeof</span>(y));</div>
|
|
<div class="line"><a name="l00149"></a><span class="lineno"> 149</span>  ok = <span class="keyword">true</span>;</div>
|
|
<div class="line"><a name="l00150"></a><span class="lineno"> 150</span>  }</div>
|
|
<div class="line"><a name="l00151"></a><span class="lineno"> 151</span> </div>
|
|
<div class="line"><a name="l00152"></a><span class="lineno"> 152</span>  <span class="comment">// Evaluate the curve function.</span></div>
|
|
<div class="line"><a name="l00153"></a><span class="lineno"> 153</span>  evaluate(x, y, f);</div>
|
|
<div class="line"><a name="l00154"></a><span class="lineno"> 154</span> </div>
|
|
<div class="line"><a name="l00155"></a><span class="lineno"> 155</span>  <span class="comment">// Pack the answer into the result array.</span></div>
|
|
<div class="line"><a name="l00156"></a><span class="lineno"> 156</span>  <a class="code" href="classBigNumberUtil.html#af49dd38173ea0310776d283aabea2ba0">BigNumberUtil::packBE</a>(result, 66, x, NUM_LIMBS_521BIT);</div>
|
|
<div class="line"><a name="l00157"></a><span class="lineno"> 157</span>  <a class="code" href="classBigNumberUtil.html#af49dd38173ea0310776d283aabea2ba0">BigNumberUtil::packBE</a>(result + 66, 66, y, NUM_LIMBS_521BIT);</div>
|
|
<div class="line"><a name="l00158"></a><span class="lineno"> 158</span> </div>
|
|
<div class="line"><a name="l00159"></a><span class="lineno"> 159</span>  <span class="comment">// Clean up.</span></div>
|
|
<div class="line"><a name="l00160"></a><span class="lineno"> 160</span>  clean(x);</div>
|
|
<div class="line"><a name="l00161"></a><span class="lineno"> 161</span>  clean(y);</div>
|
|
<div class="line"><a name="l00162"></a><span class="lineno"> 162</span>  <span class="keywordflow">return</span> ok;</div>
|
|
<div class="line"><a name="l00163"></a><span class="lineno"> 163</span> }</div>
|
|
<div class="line"><a name="l00164"></a><span class="lineno"> 164</span> </div>
|
|
<!-- Review note (P521::dh1): f receives the output of generatePrivateKey() and k the
     output of derivePublicKey(k, f). Only k is the value intended to be shared; f is
     the secret and is presumably the same buffer later handed to dh2(), which takes a
     non-const f, so callers should keep f out of logs and shared memory. -->
<div class="line"><a name="l00208"></a><span class="lineno"><a class="line" href="classP521.html#ae04c439804f445535295bf44ae56afbf"> 208</a></span> <span class="keywordtype">void</span> <a class="code" href="classP521.html#ae04c439804f445535295bf44ae56afbf">P521::dh1</a>(uint8_t k[132], uint8_t f[66])</div>
|
|
<div class="line"><a name="l00209"></a><span class="lineno"> 209</span> {</div>
|
|
<div class="line"><a name="l00210"></a><span class="lineno"> 210</span>  <a class="code" href="classP521.html#ae5b727018648e4a165f504024c4ccc45">generatePrivateKey</a>(f);</div>
|
|
<div class="line"><a name="l00211"></a><span class="lineno"> 211</span>  <a class="code" href="classP521.html#a15ca802e298c7ff3be06924b0edb7daa">derivePublicKey</a>(k, f);</div>
|
|
<div class="line"><a name="l00212"></a><span class="lineno"> 212</span> }</div>
|
|
<div class="line"><a name="l00213"></a><span class="lineno"> 213</span> </div>
|
|
<!-- Review note (P521::dh2): validate(x, y) runs before evaluate(), but the code
     deliberately continues on failure ("We keep going to preserve the timing"), so f
     is overwritten with the packed x coordinate of the computed point even when the
     return value is false. f is both the scalar passed to evaluate() and the output
     buffer, i.e. the caller's secret is replaced in place; a caller must therefore
     treat f as unusable whenever dh2() returns false and keep its own copy of the
     scalar if it is needed again. x and y are wiped with clean() before returning. -->
<div class="line"><a name="l00229"></a><span class="lineno"><a class="line" href="classP521.html#a7b9d4f74cc2d71a488a33ab165537491"> 229</a></span> <span class="keywordtype">bool</span> <a class="code" href="classP521.html#a7b9d4f74cc2d71a488a33ab165537491">P521::dh2</a>(<span class="keyword">const</span> uint8_t k[132], uint8_t f[66])</div>
|
|
<div class="line"><a name="l00230"></a><span class="lineno"> 230</span> {</div>
|
|
<div class="line"><a name="l00231"></a><span class="lineno"> 231</span>  <span class="comment">// Unpack the (x, y) point from k.</span></div>
|
|
<div class="line"><a name="l00232"></a><span class="lineno"> 232</span>  limb_t x[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00233"></a><span class="lineno"> 233</span>  limb_t y[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00234"></a><span class="lineno"> 234</span>  <a class="code" href="classBigNumberUtil.html#a63f9d7884eb36227d39e1b95e219d865">BigNumberUtil::unpackBE</a>(x, NUM_LIMBS_521BIT, k, 66);</div>
|
|
<div class="line"><a name="l00235"></a><span class="lineno"> 235</span>  <a class="code" href="classBigNumberUtil.html#a63f9d7884eb36227d39e1b95e219d865">BigNumberUtil::unpackBE</a>(y, NUM_LIMBS_521BIT, k + 66, 66);</div>
|
|
<div class="line"><a name="l00236"></a><span class="lineno"> 236</span> </div>
|
|
<div class="line"><a name="l00237"></a><span class="lineno"> 237</span>  <span class="comment">// Validate the curve point. We keep going to preserve the timing.</span></div>
|
|
<div class="line"><a name="l00238"></a><span class="lineno"> 238</span>  <span class="keywordtype">bool</span> ok = validate(x, y);</div>
|
|
<div class="line"><a name="l00239"></a><span class="lineno"> 239</span> </div>
|
|
<div class="line"><a name="l00240"></a><span class="lineno"> 240</span>  <span class="comment">// Evaluate the curve function.</span></div>
|
|
<div class="line"><a name="l00241"></a><span class="lineno"> 241</span>  evaluate(x, y, f);</div>
|
|
<div class="line"><a name="l00242"></a><span class="lineno"> 242</span> </div>
|
|
<div class="line"><a name="l00243"></a><span class="lineno"> 243</span>  <span class="comment">// The secret key is the x component of the final value.</span></div>
|
|
<div class="line"><a name="l00244"></a><span class="lineno"> 244</span>  <a class="code" href="classBigNumberUtil.html#af49dd38173ea0310776d283aabea2ba0">BigNumberUtil::packBE</a>(f, 66, x, NUM_LIMBS_521BIT);</div>
|
|
<div class="line"><a name="l00245"></a><span class="lineno"> 245</span> </div>
|
|
<div class="line"><a name="l00246"></a><span class="lineno"> 246</span>  <span class="comment">// Clean up.</span></div>
|
|
<div class="line"><a name="l00247"></a><span class="lineno"> 247</span>  clean(x);</div>
|
|
<div class="line"><a name="l00248"></a><span class="lineno"> 248</span>  clean(y);</div>
|
|
<div class="line"><a name="l00249"></a><span class="lineno"> 249</span>  <span class="keywordflow">return</span> ok;</div>
|
|
<div class="line"><a name="l00250"></a><span class="lineno"> 250</span> }</div>
|
|
<div class="line"><a name="l00251"></a><span class="lineno"> 251</span> </div>
|
|
<div class="line"><a name="l00276"></a><span class="lineno"><a class="line" href="classP521.html#ab050ceff65e49b646b8157fe1474288a"> 276</a></span> <span class="keywordtype">void</span> <a class="code" href="classP521.html#ab050ceff65e49b646b8157fe1474288a">P521::sign</a>(uint8_t signature[132], <span class="keyword">const</span> uint8_t privateKey[66],</div>
|
|
<div class="line"><a name="l00277"></a><span class="lineno"> 277</span>  <span class="keyword">const</span> <span class="keywordtype">void</span> *message, <span class="keywordtype">size_t</span> len, <a class="code" href="classHash.html">Hash</a> *hash)</div>
|
|
<div class="line"><a name="l00278"></a><span class="lineno"> 278</span> {</div>
|
|
<div class="line"><a name="l00279"></a><span class="lineno"> 279</span>  uint8_t hm[66];</div>
|
|
<div class="line"><a name="l00280"></a><span class="lineno"> 280</span>  uint8_t k[66];</div>
|
|
<div class="line"><a name="l00281"></a><span class="lineno"> 281</span>  limb_t x[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00282"></a><span class="lineno"> 282</span>  limb_t y[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00283"></a><span class="lineno"> 283</span>  limb_t t[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00284"></a><span class="lineno"> 284</span>  uint64_t count = 0;</div>
|
|
<div class="line"><a name="l00285"></a><span class="lineno"> 285</span> </div>
|
|
<div class="line"><a name="l00286"></a><span class="lineno"> 286</span>  <span class="comment">// Format the incoming message, hashing it if necessary.</span></div>
|
|
<div class="line"><a name="l00287"></a><span class="lineno"> 287</span>  <span class="keywordflow">if</span> (hash) {</div>
|
|
<div class="line"><a name="l00288"></a><span class="lineno"> 288</span>  <span class="comment">// Hash the message.</span></div>
|
|
<div class="line"><a name="l00289"></a><span class="lineno"> 289</span>  hash-><a class="code" href="classHash.html#a7b94309acaa5f52386785fb780e5be61">reset</a>();</div>
|
|
<div class="line"><a name="l00290"></a><span class="lineno"> 290</span>  hash-><a class="code" href="classHash.html#aec9761ee427d122e7450de8df200265c">update</a>(message, len);</div>
|
|
<div class="line"><a name="l00291"></a><span class="lineno"> 291</span>  len = hash-><a class="code" href="classHash.html#adcdd30de3e5ecaa2f798c0c5644d9ef8">hashSize</a>();</div>
|
|
<div class="line"><a name="l00292"></a><span class="lineno"> 292</span>  <span class="keywordflow">if</span> (len > 64)</div>
|
|
<div class="line"><a name="l00293"></a><span class="lineno"> 293</span>  len = 64;</div>
|
|
<div class="line"><a name="l00294"></a><span class="lineno"> 294</span>  memset(hm, 0, 66 - len);</div>
|
|
<div class="line"><a name="l00295"></a><span class="lineno"> 295</span>  hash-><a class="code" href="classHash.html#a09b3ccec22763fc86b1415695862977c">finalize</a>(hm + 66 - len, len);</div>
|
|
<div class="line"><a name="l00296"></a><span class="lineno"> 296</span>  } <span class="keywordflow">else</span> {</div>
|
|
<div class="line"><a name="l00297"></a><span class="lineno"> 297</span>  <span class="comment">// The message is the hash.</span></div>
|
|
<div class="line"><a name="l00298"></a><span class="lineno"> 298</span>  <span class="keywordflow">if</span> (len > 64)</div>
|
|
<div class="line"><a name="l00299"></a><span class="lineno"> 299</span>  len = 64;</div>
|
|
<div class="line"><a name="l00300"></a><span class="lineno"> 300</span>  memset(hm, 0, 66 - len);</div>
|
|
<div class="line"><a name="l00301"></a><span class="lineno"> 301</span>  memcpy(hm + 66 - len, message, len);</div>
|
|
<div class="line"><a name="l00302"></a><span class="lineno"> 302</span>  }</div>
|
|
<div class="line"><a name="l00303"></a><span class="lineno"> 303</span> </div>
|
|
<div class="line"><a name="l00304"></a><span class="lineno"> 304</span>  <span class="comment">// Keep generating k values until both r and s are non-zero.</span></div>
|
|
<div class="line"><a name="l00305"></a><span class="lineno"> 305</span>  <span class="keywordflow">for</span> (;;) {</div>
|
|
<div class="line"><a name="l00306"></a><span class="lineno"> 306</span>  <span class="comment">// Generate the k value deterministically according to RFC 6979.</span></div>
|
|
<div class="line"><a name="l00307"></a><span class="lineno"> 307</span>  <span class="keywordflow">if</span> (hash)</div>
|
|
<div class="line"><a name="l00308"></a><span class="lineno"> 308</span>  generateK(k, hm, privateKey, hash, count);</div>
|
|
<div class="line"><a name="l00309"></a><span class="lineno"> 309</span>  <span class="keywordflow">else</span></div>
|
|
<div class="line"><a name="l00310"></a><span class="lineno"> 310</span>  generateK(k, hm, privateKey, count);</div>
|
|
<div class="line"><a name="l00311"></a><span class="lineno"> 311</span> </div>
|
|
<div class="line"><a name="l00312"></a><span class="lineno"> 312</span>  <span class="comment">// Generate r = kG.x mod q.</span></div>
|
|
<div class="line"><a name="l00313"></a><span class="lineno"> 313</span>  memcpy_P(x, P521_Gx, <span class="keyword">sizeof</span>(x));</div>
|
|
<div class="line"><a name="l00314"></a><span class="lineno"> 314</span>  memcpy_P(y, P521_Gy, <span class="keyword">sizeof</span>(y));</div>
|
|
<div class="line"><a name="l00315"></a><span class="lineno"> 315</span>  evaluate(x, y, k);</div>
|
|
<div class="line"><a name="l00316"></a><span class="lineno"> 316</span>  <a class="code" href="classBigNumberUtil.html#a00c9cde0b626788a60552a6bc9ce058b">BigNumberUtil::reduceQuick_P</a>(x, x, P521_q, NUM_LIMBS_521BIT);</div>
|
|
<div class="line"><a name="l00317"></a><span class="lineno"> 317</span>  <a class="code" href="classBigNumberUtil.html#af49dd38173ea0310776d283aabea2ba0">BigNumberUtil::packBE</a>(signature, 66, x, NUM_LIMBS_521BIT);</div>
|
|
<div class="line"><a name="l00318"></a><span class="lineno"> 318</span> </div>
|
|
<div class="line"><a name="l00319"></a><span class="lineno"> 319</span>  <span class="comment">// If r is zero, then we need to generate a new k value.</span></div>
|
|
<div class="line"><a name="l00320"></a><span class="lineno"> 320</span>  <span class="comment">// This is utterly improbable, but let's be safe anyway.</span></div>
|
|
<div class="line"><a name="l00321"></a><span class="lineno"> 321</span>  <span class="keywordflow">if</span> (<a class="code" href="classBigNumberUtil.html#ad0aafacd8e224bd543341973c62ff1dd">BigNumberUtil::isZero</a>(x, NUM_LIMBS_521BIT)) {</div>
|
|
<div class="line"><a name="l00322"></a><span class="lineno"> 322</span>  ++count;</div>
|
|
<div class="line"><a name="l00323"></a><span class="lineno"> 323</span>  <span class="keywordflow">continue</span>;</div>
|
|
<div class="line"><a name="l00324"></a><span class="lineno"> 324</span>  }</div>
|
|
<div class="line"><a name="l00325"></a><span class="lineno"> 325</span> </div>
|
|
<div class="line"><a name="l00326"></a><span class="lineno"> 326</span>  <span class="comment">// Generate s = (privateKey * r + hm) / k mod q.</span></div>
|
|
<div class="line"><a name="l00327"></a><span class="lineno"> 327</span>  <a class="code" href="classBigNumberUtil.html#a63f9d7884eb36227d39e1b95e219d865">BigNumberUtil::unpackBE</a>(y, NUM_LIMBS_521BIT, privateKey, 66);</div>
|
|
<div class="line"><a name="l00328"></a><span class="lineno"> 328</span>  mulQ(y, y, x);</div>
|
|
<div class="line"><a name="l00329"></a><span class="lineno"> 329</span>  <a class="code" href="classBigNumberUtil.html#a63f9d7884eb36227d39e1b95e219d865">BigNumberUtil::unpackBE</a>(x, NUM_LIMBS_521BIT, hm, 66);</div>
|
|
<div class="line"><a name="l00330"></a><span class="lineno"> 330</span>  <a class="code" href="classBigNumberUtil.html#aa6904b2727af6b767fe041b1b7f27414">BigNumberUtil::add</a>(x, x, y, NUM_LIMBS_521BIT);</div>
|
|
<div class="line"><a name="l00331"></a><span class="lineno"> 331</span>  <a class="code" href="classBigNumberUtil.html#a00c9cde0b626788a60552a6bc9ce058b">BigNumberUtil::reduceQuick_P</a>(x, x, P521_q, NUM_LIMBS_521BIT);</div>
|
|
<div class="line"><a name="l00332"></a><span class="lineno"> 332</span>  <a class="code" href="classBigNumberUtil.html#a63f9d7884eb36227d39e1b95e219d865">BigNumberUtil::unpackBE</a>(y, NUM_LIMBS_521BIT, k, 66);</div>
|
|
<div class="line"><a name="l00333"></a><span class="lineno"> 333</span>  recipQ(t, y);</div>
|
|
<div class="line"><a name="l00334"></a><span class="lineno"> 334</span>  mulQ(x, x, t);</div>
|
|
<div class="line"><a name="l00335"></a><span class="lineno"> 335</span>  <a class="code" href="classBigNumberUtil.html#af49dd38173ea0310776d283aabea2ba0">BigNumberUtil::packBE</a>(signature + 66, 66, x, NUM_LIMBS_521BIT);</div>
|
|
<div class="line"><a name="l00336"></a><span class="lineno"> 336</span> </div>
|
|
<div class="line"><a name="l00337"></a><span class="lineno"> 337</span>  <span class="comment">// Exit the loop if s is non-zero.</span></div>
|
|
<div class="line"><a name="l00338"></a><span class="lineno"> 338</span>  <span class="keywordflow">if</span> (!<a class="code" href="classBigNumberUtil.html#ad0aafacd8e224bd543341973c62ff1dd">BigNumberUtil::isZero</a>(x, NUM_LIMBS_521BIT))</div>
|
|
<div class="line"><a name="l00339"></a><span class="lineno"> 339</span>  <span class="keywordflow">break</span>;</div>
|
|
<div class="line"><a name="l00340"></a><span class="lineno"> 340</span> </div>
|
|
<div class="line"><a name="l00341"></a><span class="lineno"> 341</span>  <span class="comment">// We need to generate a new k value according to RFC 6979.</span></div>
|
|
<div class="line"><a name="l00342"></a><span class="lineno"> 342</span>  <span class="comment">// This is utterly improbable, but let's be safe anyway.</span></div>
|
|
<div class="line"><a name="l00343"></a><span class="lineno"> 343</span>  ++count;</div>
|
|
<div class="line"><a name="l00344"></a><span class="lineno"> 344</span>  }</div>
|
|
<div class="line"><a name="l00345"></a><span class="lineno"> 345</span> </div>
|
|
<div class="line"><a name="l00346"></a><span class="lineno"> 346</span>  <span class="comment">// Clean up.</span></div>
|
|
<div class="line"><a name="l00347"></a><span class="lineno"> 347</span>  clean(hm);</div>
|
|
<div class="line"><a name="l00348"></a><span class="lineno"> 348</span>  clean(k);</div>
|
|
<div class="line"><a name="l00349"></a><span class="lineno"> 349</span>  clean(x);</div>
|
|
<div class="line"><a name="l00350"></a><span class="lineno"> 350</span>  clean(y);</div>
|
|
<div class="line"><a name="l00351"></a><span class="lineno"> 351</span>  clean(t);</div>
|
|
<div class="line"><a name="l00352"></a><span class="lineno"> 352</span> }</div>
|
|
<div class="line"><a name="l00353"></a><span class="lineno"> 353</span> </div>
|
|
<!--
  Review notes (P521::verify): ECDSA verification over P-521. Inputs are the
  signature as r || s (two 66-byte big-endian values), the public key as
  x || y (two 66-byte big-endian coordinates), and either a message plus a
  Hash object or, when hash is NULL, a message that is already the digest.
  Returns true only when the x coordinate of the recovered point, reduced
  mod q, equals r; every failure path jumps to the "failed" label, which
  wipes all locals and returns the default ok = false.
  NOTE(review): the inline comment below says constant time is relaxed here
  because only public values are processed; the early "goto failed" exits
  are therefore intentional, not oversights.
-->
<div class="line"><a name="l00373"></a><span class="lineno"><a class="line" href="classP521.html#ab075909f5cecbb801c6b7c41f20de223"> 373</a></span> <span class="keywordtype">bool</span> <a class="code" href="classP521.html#ab075909f5cecbb801c6b7c41f20de223">P521::verify</a>(<span class="keyword">const</span> uint8_t signature[132],</div>
|
|
<div class="line"><a name="l00374"></a><span class="lineno"> 374</span>  <span class="keyword">const</span> uint8_t publicKey[132],</div>
|
|
<div class="line"><a name="l00375"></a><span class="lineno"> 375</span>  <span class="keyword">const</span> <span class="keywordtype">void</span> *message, <span class="keywordtype">size_t</span> len, <a class="code" href="classHash.html">Hash</a> *hash)</div>
|
|
<div class="line"><a name="l00376"></a><span class="lineno"> 376</span> {</div>
|
|
<div class="line"><a name="l00377"></a><span class="lineno"> 377</span>  limb_t x[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00378"></a><span class="lineno"> 378</span>  limb_t y[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00379"></a><span class="lineno"> 379</span>  limb_t r[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00380"></a><span class="lineno"> 380</span>  limb_t s[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00381"></a><span class="lineno"> 381</span>  limb_t u1[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00382"></a><span class="lineno"> 382</span>  limb_t u2[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00383"></a><span class="lineno"> 383</span>  uint8_t t[66];</div>
|
|
<div class="line"><a name="l00384"></a><span class="lineno"> 384</span>  <span class="keywordtype">bool</span> ok = <span class="keyword">false</span>;</div>
|
|
<div class="line"><a name="l00385"></a><span class="lineno"> 385</span> </div>
|
|
<div class="line"><a name="l00386"></a><span class="lineno"> 386</span>  <span class="comment">// Because we are operating on public values, we don't need to</span></div>
|
|
<div class="line"><a name="l00387"></a><span class="lineno"> 387</span>  <span class="comment">// be as strict about constant time. Bail out early if there</span></div>
|
|
<div class="line"><a name="l00388"></a><span class="lineno"> 388</span>  <span class="comment">// is a problem with the parameters.</span></div>
|
|
<div class="line"><a name="l00389"></a><span class="lineno"> 389</span> </div>
|
|
<div class="line"><a name="l00390"></a><span class="lineno"> 390</span>  <span class="comment">// Unpack the signature. The values must be between 1 and q - 1.</span></div>
|
|
<div class="line"><a name="l00391"></a><span class="lineno"> 391</span>  <a class="code" href="classBigNumberUtil.html#a63f9d7884eb36227d39e1b95e219d865">BigNumberUtil::unpackBE</a>(r, NUM_LIMBS_521BIT, signature, 66);</div>
|
|
<div class="line"><a name="l00392"></a><span class="lineno"> 392</span>  <a class="code" href="classBigNumberUtil.html#a63f9d7884eb36227d39e1b95e219d865">BigNumberUtil::unpackBE</a>(s, NUM_LIMBS_521BIT, signature + 66, 66);</div>
|
|
<!-- Rejects r = 0 and s = 0 via isZero(), and r >= q or s >= q via the two
     sub_P() calls (assuming sub_P reports a borrow through its return value,
     as the "!" tests imply); the difference written into x is discarded. -->
<div class="line"><a name="l00393"></a><span class="lineno"> 393</span>  <span class="keywordflow">if</span> (<a class="code" href="classBigNumberUtil.html#ad0aafacd8e224bd543341973c62ff1dd">BigNumberUtil::isZero</a>(r, NUM_LIMBS_521BIT) ||</div>
|
|
<div class="line"><a name="l00394"></a><span class="lineno"> 394</span>  <a class="code" href="classBigNumberUtil.html#ad0aafacd8e224bd543341973c62ff1dd">BigNumberUtil::isZero</a>(s, NUM_LIMBS_521BIT) ||</div>
|
|
<div class="line"><a name="l00395"></a><span class="lineno"> 395</span>  !<a class="code" href="classBigNumberUtil.html#af0fa1527647af42b65eda6b0aab982b3">BigNumberUtil::sub_P</a>(x, r, P521_q, NUM_LIMBS_521BIT) ||</div>
|
|
<div class="line"><a name="l00396"></a><span class="lineno"> 396</span>  !<a class="code" href="classBigNumberUtil.html#af0fa1527647af42b65eda6b0aab982b3">BigNumberUtil::sub_P</a>(x, s, P521_q, NUM_LIMBS_521BIT)) {</div>
|
|
<div class="line"><a name="l00397"></a><span class="lineno"> 397</span>  <span class="keywordflow">goto</span> failed;</div>
|
|
<div class="line"><a name="l00398"></a><span class="lineno"> 398</span>  }</div>
|
|
<div class="line"><a name="l00399"></a><span class="lineno"> 399</span> </div>
|
|
<div class="line"><a name="l00400"></a><span class="lineno"> 400</span>  <span class="comment">// Unpack the public key and check that it is a valid curve point.</span></div>
|
|
<div class="line"><a name="l00401"></a><span class="lineno"> 401</span>  <a class="code" href="classBigNumberUtil.html#a63f9d7884eb36227d39e1b95e219d865">BigNumberUtil::unpackBE</a>(x, NUM_LIMBS_521BIT, publicKey, 66);</div>
|
|
<div class="line"><a name="l00402"></a><span class="lineno"> 402</span>  <a class="code" href="classBigNumberUtil.html#a63f9d7884eb36227d39e1b95e219d865">BigNumberUtil::unpackBE</a>(y, NUM_LIMBS_521BIT, publicKey + 66, 66);</div>
|
|
<!-- The public key is rejected unless validate() accepts it before it is
     used in any point arithmetic; validate() is defined outside this
     listing, so what it checks cannot be confirmed from here. -->
<div class="line"><a name="l00403"></a><span class="lineno"> 403</span>  <span class="keywordflow">if</span> (!validate(x, y)) {</div>
|
|
<div class="line"><a name="l00404"></a><span class="lineno"> 404</span>  <span class="keywordflow">goto</span> failed;</div>
|
|
<div class="line"><a name="l00405"></a><span class="lineno"> 405</span>  }</div>
|
|
<div class="line"><a name="l00406"></a><span class="lineno"> 406</span> </div>
|
|
<div class="line"><a name="l00407"></a><span class="lineno"> 407</span>  <span class="comment">// Hash the message to generate hm, which we store into u1.</span></div>
|
|
<div class="line"><a name="l00408"></a><span class="lineno"> 408</span>  <span class="keywordflow">if</span> (hash) {</div>
|
|
<div class="line"><a name="l00409"></a><span class="lineno"> 409</span>  <span class="comment">// Hash the message.</span></div>
|
|
<div class="line"><a name="l00410"></a><span class="lineno"> 410</span>  hash-><a class="code" href="classHash.html#a7b94309acaa5f52386785fb780e5be61">reset</a>();</div>
|
|
<div class="line"><a name="l00411"></a><span class="lineno"> 411</span>  hash-><a class="code" href="classHash.html#aec9761ee427d122e7450de8df200265c">update</a>(message, len);</div>
|
|
<div class="line"><a name="l00412"></a><span class="lineno"> 412</span>  len = hash-><a class="code" href="classHash.html#adcdd30de3e5ecaa2f798c0c5644d9ef8">hashSize</a>();</div>
|
|
<div class="line"><a name="l00413"></a><span class="lineno"> 413</span>  <span class="keywordflow">if</span> (len > 64)</div>
|
|
<div class="line"><a name="l00414"></a><span class="lineno"> 414</span>  len = 64;</div>
|
|
<!-- The digest is written into u2, used here as a plain byte buffer and
     overwritten by recipQ() further down. NOTE(review): the 64-byte cap
     keeps finalize() in bounds only if sizeof(u2) is at least 64 bytes on
     every limb size; confirm against the definition of NUM_LIMBS_521BIT. -->
<div class="line"><a name="l00415"></a><span class="lineno"> 415</span>  hash-><a class="code" href="classHash.html#a09b3ccec22763fc86b1415695862977c">finalize</a>(u2, len);</div>
|
|
<div class="line"><a name="l00416"></a><span class="lineno"> 416</span>  <a class="code" href="classBigNumberUtil.html#a63f9d7884eb36227d39e1b95e219d865">BigNumberUtil::unpackBE</a>(u1, NUM_LIMBS_521BIT, (uint8_t *)u2, len);</div>
|
|
<div class="line"><a name="l00417"></a><span class="lineno"> 417</span>  } <span class="keywordflow">else</span> {</div>
|
|
<div class="line"><a name="l00418"></a><span class="lineno"> 418</span>  <span class="comment">// The message is the hash.</span></div>
|
|
<!-- Pre-hashed input: only the first 64 bytes are interpreted as the
     big-endian integer hm. This mirrors the 64-byte cap applied to hm in
     sign() (visible earlier in this listing), so both sides agree. -->
<div class="line"><a name="l00419"></a><span class="lineno"> 419</span>  <span class="keywordflow">if</span> (len > 64)</div>
|
|
<div class="line"><a name="l00420"></a><span class="lineno"> 420</span>  len = 64;</div>
|
|
<div class="line"><a name="l00421"></a><span class="lineno"> 421</span>  <a class="code" href="classBigNumberUtil.html#a63f9d7884eb36227d39e1b95e219d865">BigNumberUtil::unpackBE</a>(u1, NUM_LIMBS_521BIT, (uint8_t *)message, len);</div>
|
|
<div class="line"><a name="l00422"></a><span class="lineno"> 422</span>  }</div>
|
|
<div class="line"><a name="l00423"></a><span class="lineno"> 423</span> </div>
|
|
<div class="line"><a name="l00424"></a><span class="lineno"> 424</span>  <span class="comment">// Compute u1 = hm * s^-1 mod q and u2 = r * s^-1 mod q.</span></div>
|
|
<div class="line"><a name="l00425"></a><span class="lineno"> 425</span>  recipQ(u2, s);</div>
|
|
<div class="line"><a name="l00426"></a><span class="lineno"> 426</span>  mulQ(u1, u1, u2);</div>
|
|
<div class="line"><a name="l00427"></a><span class="lineno"> 427</span>  mulQ(u2, r, u2);</div>
|
|
<div class="line"><a name="l00428"></a><span class="lineno"> 428</span> </div>
|
|
<div class="line"><a name="l00429"></a><span class="lineno"> 429</span>  <span class="comment">// Compute the curve point R = u2 * publicKey + u1 * G.</span></div>
|
|
<div class="line"><a name="l00430"></a><span class="lineno"> 430</span>  <a class="code" href="classBigNumberUtil.html#af49dd38173ea0310776d283aabea2ba0">BigNumberUtil::packBE</a>(t, 66, u2, NUM_LIMBS_521BIT);</div>
|
|
<div class="line"><a name="l00431"></a><span class="lineno"> 431</span>  evaluate(x, y, t);</div>
|
|
<div class="line"><a name="l00432"></a><span class="lineno"> 432</span>  memcpy_P(u2, P521_Gx, <span class="keyword">sizeof</span>(x));</div>
|
|
<div class="line"><a name="l00433"></a><span class="lineno"> 433</span>  memcpy_P(s, P521_Gy, <span class="keyword">sizeof</span>(y));</div>
|
|
<div class="line"><a name="l00434"></a><span class="lineno"> 434</span>  <a class="code" href="classBigNumberUtil.html#af49dd38173ea0310776d283aabea2ba0">BigNumberUtil::packBE</a>(t, 66, u1, NUM_LIMBS_521BIT);</div>
|
|
<div class="line"><a name="l00435"></a><span class="lineno"> 435</span>  evaluate(u2, s, t);</div>
|
|
<!-- R = u1*G + u2*Q by affine addition; (u2, s) holds u1*G and (x, y)
     holds u2*Q at this point. NOTE(review): how the degenerate cases are
     treated (equal or inverse summands, i.e. R at infinity) is decided
     inside addAffine(), which is not visible here; confirm those cases
     lead to a rejected signature rather than a spurious match. -->
<div class="line"><a name="l00436"></a><span class="lineno"> 436</span>  addAffine(u2, s, x, y);</div>
|
|
<div class="line"><a name="l00437"></a><span class="lineno"> 437</span> </div>
|
|
<div class="line"><a name="l00438"></a><span class="lineno"> 438</span>  <span class="comment">// If R.x = r mod q, then the signature is valid.</span></div>
|
|
<div class="line"><a name="l00439"></a><span class="lineno"> 439</span>  <a class="code" href="classBigNumberUtil.html#a00c9cde0b626788a60552a6bc9ce058b">BigNumberUtil::reduceQuick_P</a>(u1, u2, P521_q, NUM_LIMBS_521BIT);</div>
|
|
<!-- R.x mod q and r are compared as raw limb bytes with the constant-time
     helper; r was already range-checked above, so a match decides validity. -->
<div class="line"><a name="l00440"></a><span class="lineno"> 440</span>  ok = secure_compare(u1, r, NUM_LIMBS_521BIT * <span class="keyword">sizeof</span>(limb_t));</div>
|
|
<div class="line"><a name="l00441"></a><span class="lineno"> 441</span> </div>
|
|
<div class="line"><a name="l00442"></a><span class="lineno"> 442</span>  <span class="comment">// Clean up and exit.</span></div>
|
|
<!-- Common exit for both success and every early failure: all scratch
     buffers are wiped, and ok is still false unless the compare above ran. -->
<div class="line"><a name="l00443"></a><span class="lineno"> 443</span> failed:</div>
|
|
<div class="line"><a name="l00444"></a><span class="lineno"> 444</span>  clean(x);</div>
|
|
<div class="line"><a name="l00445"></a><span class="lineno"> 445</span>  clean(y);</div>
|
|
<div class="line"><a name="l00446"></a><span class="lineno"> 446</span>  clean(r);</div>
|
|
<div class="line"><a name="l00447"></a><span class="lineno"> 447</span>  clean(s);</div>
|
|
<div class="line"><a name="l00448"></a><span class="lineno"> 448</span>  clean(u1);</div>
|
|
<div class="line"><a name="l00449"></a><span class="lineno"> 449</span>  clean(u2);</div>
|
|
<div class="line"><a name="l00450"></a><span class="lineno"> 450</span>  clean(t);</div>
|
|
<div class="line"><a name="l00451"></a><span class="lineno"> 451</span>  <span class="keywordflow">return</span> ok;</div>
|
|
<div class="line"><a name="l00452"></a><span class="lineno"> 452</span> }</div>
|
|
<div class="line"><a name="l00453"></a><span class="lineno"> 453</span> </div>
|
|
<!--
  Review notes (P521::generatePrivateKey): fills privateKey[66] with a
  random scalar in [1, q-1] by rejection sampling. Each candidate is drawn
  from RNG into a limb buffer, masked to 521 bits (the top limb keeps one
  bit with 8-bit limbs and nine bits otherwise), packed big-endian into
  privateKey, and retried while it is zero or not below q (the latter
  assuming sub_P reports a borrow through its return value, as the "!"
  test implies). The limb buffer is wiped on exit.
  NOTE(review): privateKey is written for every candidate, including
  rejected ones; on return it always holds the last, accepted value, so
  callers only see an in-range key.
-->
<div class="line"><a name="l00466"></a><span class="lineno"><a class="line" href="classP521.html#ae5b727018648e4a165f504024c4ccc45"> 466</a></span> <span class="keywordtype">void</span> <a class="code" href="classP521.html#ae5b727018648e4a165f504024c4ccc45">P521::generatePrivateKey</a>(uint8_t privateKey[66])</div>
|
|
<div class="line"><a name="l00467"></a><span class="lineno"> 467</span> {</div>
|
|
<div class="line"><a name="l00468"></a><span class="lineno"> 468</span>  <span class="comment">// Generate a random 521-bit value for the private key. The value</span></div>
|
|
<div class="line"><a name="l00469"></a><span class="lineno"> 469</span>  <span class="comment">// must be generated uniformly at random between 1 and q - 1 where q</span></div>
|
|
<div class="line"><a name="l00470"></a><span class="lineno"> 470</span>  <span class="comment">// is the group order (RFC 6090). We use the recommended algorithm</span></div>
|
|
<div class="line"><a name="l00471"></a><span class="lineno"> 471</span>  <span class="comment">// from Appendix B of RFC 6090: generate a random 521-bit value</span></div>
|
|
<div class="line"><a name="l00472"></a><span class="lineno"> 472</span>  <span class="comment">// and discard it if it is not within the range 1 to q - 1.</span></div>
|
|
<div class="line"><a name="l00473"></a><span class="lineno"> 473</span>  limb_t x[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00474"></a><span class="lineno"> 474</span>  <span class="keywordflow">do</span> {</div>
|
|
<div class="line"><a name="l00475"></a><span class="lineno"> 475</span>  RNG.<a class="code" href="classRNGClass.html#a418a833cf18198fd7e5d6dbd78c99c29">rand</a>((uint8_t *)x, <span class="keyword">sizeof</span>(x));</div>
|
|
<!-- Truncate the candidate to 521 bits before the range test so that the
     rejection rate stays low (only values in [q, 2^521) are discarded). -->
<div class="line"><a name="l00476"></a><span class="lineno"> 476</span> <span class="preprocessor">#if BIGNUMBER_LIMB_8BIT</span></div>
|
|
<div class="line"><a name="l00477"></a><span class="lineno"> 477</span> <span class="preprocessor"></span> x[NUM_LIMBS_521BIT - 1] &= 0x01;</div>
|
|
<div class="line"><a name="l00478"></a><span class="lineno"> 478</span> <span class="preprocessor">#else</span></div>
|
|
<div class="line"><a name="l00479"></a><span class="lineno"> 479</span> <span class="preprocessor"></span> x[NUM_LIMBS_521BIT - 1] &= 0x1FF;</div>
|
|
<div class="line"><a name="l00480"></a><span class="lineno"> 480</span> <span class="preprocessor">#endif</span></div>
|
|
<div class="line"><a name="l00481"></a><span class="lineno"> 481</span> <span class="preprocessor"></span> <a class="code" href="classBigNumberUtil.html#af49dd38173ea0310776d283aabea2ba0">BigNumberUtil::packBE</a>(privateKey, 66, x, NUM_LIMBS_521BIT);</div>
|
|
<div class="line"><a name="l00482"></a><span class="lineno"> 482</span>  } <span class="keywordflow">while</span> (<a class="code" href="classBigNumberUtil.html#ad0aafacd8e224bd543341973c62ff1dd">BigNumberUtil::isZero</a>(x, NUM_LIMBS_521BIT) ||</div>
|
|
<div class="line"><a name="l00483"></a><span class="lineno"> 483</span>  !<a class="code" href="classBigNumberUtil.html#af0fa1527647af42b65eda6b0aab982b3">BigNumberUtil::sub_P</a>(x, x, P521_q, NUM_LIMBS_521BIT));</div>
|
|
<div class="line"><a name="l00484"></a><span class="lineno"> 484</span>  clean(x);</div>
|
|
<div class="line"><a name="l00485"></a><span class="lineno"> 485</span> }</div>
|
|
<div class="line"><a name="l00486"></a><span class="lineno"> 486</span> </div>
|
|
<!--
  Review notes (P521::derivePublicKey): computes publicKey = privateKey * G.
  The generator (P521_Gx, P521_Gy) is copied out of PROGMEM, multiplied by
  the 66-byte big-endian scalar with evaluate(), and the resulting affine
  point is packed big-endian as x || y into publicKey[132]. Scratch limbs
  are wiped on exit.
  NOTE(review): the scalar is not range-checked in this function; a caller
  that accepts a key from outside should run isValidPrivateKey() first.
-->
<div class="line"><a name="l00497"></a><span class="lineno"><a class="line" href="classP521.html#a15ca802e298c7ff3be06924b0edb7daa"> 497</a></span> <span class="keywordtype">void</span> <a class="code" href="classP521.html#a15ca802e298c7ff3be06924b0edb7daa">P521::derivePublicKey</a>(uint8_t publicKey[132], <span class="keyword">const</span> uint8_t privateKey[66])</div>
|
|
<div class="line"><a name="l00498"></a><span class="lineno"> 498</span> {</div>
|
|
<div class="line"><a name="l00499"></a><span class="lineno"> 499</span>  <span class="comment">// Evaluate the curve function starting with the generator.</span></div>
|
|
<div class="line"><a name="l00500"></a><span class="lineno"> 500</span>  limb_t x[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00501"></a><span class="lineno"> 501</span>  limb_t y[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00502"></a><span class="lineno"> 502</span>  memcpy_P(x, P521_Gx, <span class="keyword">sizeof</span>(x));</div>
|
|
<div class="line"><a name="l00503"></a><span class="lineno"> 503</span>  memcpy_P(y, P521_Gy, <span class="keyword">sizeof</span>(y));</div>
|
|
<div class="line"><a name="l00504"></a><span class="lineno"> 504</span>  evaluate(x, y, privateKey);</div>
|
|
<div class="line"><a name="l00505"></a><span class="lineno"> 505</span> </div>
|
|
<div class="line"><a name="l00506"></a><span class="lineno"> 506</span>  <span class="comment">// Pack the (x, y) point into the public key.</span></div>
|
|
<div class="line"><a name="l00507"></a><span class="lineno"> 507</span>  <a class="code" href="classBigNumberUtil.html#af49dd38173ea0310776d283aabea2ba0">BigNumberUtil::packBE</a>(publicKey, 66, x, NUM_LIMBS_521BIT);</div>
|
|
<div class="line"><a name="l00508"></a><span class="lineno"> 508</span>  <a class="code" href="classBigNumberUtil.html#af49dd38173ea0310776d283aabea2ba0">BigNumberUtil::packBE</a>(publicKey + 66, 66, y, NUM_LIMBS_521BIT);</div>
|
|
<div class="line"><a name="l00509"></a><span class="lineno"> 509</span> </div>
|
|
<div class="line"><a name="l00510"></a><span class="lineno"> 510</span>  <span class="comment">// Clean up.</span></div>
|
|
<div class="line"><a name="l00511"></a><span class="lineno"> 511</span>  clean(x);</div>
|
|
<div class="line"><a name="l00512"></a><span class="lineno"> 512</span>  clean(y);</div>
|
|
<div class="line"><a name="l00513"></a><span class="lineno"> 513</span> }</div>
|
|
<div class="line"><a name="l00514"></a><span class="lineno"> 514</span> </div>
|
|
<!--
  Review notes (P521::isValidPrivateKey): constant-time check that the
  66-byte big-endian privateKey lies in [1, q-1]. The loop always runs 66
  iterations with no data-dependent branch: zeroTest ORs every key byte,
  and borrow carries a byte-wise subtraction key - q from the least to the
  most significant byte, with bit 8 of the uint16_t holding the borrow out
  of each step.
  NOTE(review): the final test is "borrow != 0" rather than a test of the
  borrow bit. After the most significant byte the value is
  key[0] - 0x01 - borrowIn; when key[0] is 0x02 or larger this is a small
  non-negative value that is usually non-zero, so a key of 2^521 or more
  (which exceeds q) is reported valid. Testing the borrow bit instead,
  e.g. "(borrow & 0x0100) != 0", would reject it. Whether such keys matter
  in practice depends on how callers use this function; confirm against the
  upstream repository before relying on it as a strict range check.
-->
<div class="line"><a name="l00524"></a><span class="lineno"><a class="line" href="classP521.html#a5802ebd25142789bb2df930ecd765d39"> 524</a></span> <span class="keywordtype">bool</span> <a class="code" href="classP521.html#a5802ebd25142789bb2df930ecd765d39">P521::isValidPrivateKey</a>(<span class="keyword">const</span> uint8_t privateKey[66])</div>
|
|
<div class="line"><a name="l00525"></a><span class="lineno"> 525</span> {</div>
|
|
<div class="line"><a name="l00526"></a><span class="lineno"> 526</span>  <span class="comment">// The value "q" as a byte array from most to least significant.</span></div>
|
|
<div class="line"><a name="l00527"></a><span class="lineno"> 527</span>  <span class="keyword">static</span> uint8_t <span class="keyword">const</span> P521_q_bytes[66] PROGMEM = {</div>
|
|
<div class="line"><a name="l00528"></a><span class="lineno"> 528</span>  0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,</div>
|
|
<div class="line"><a name="l00529"></a><span class="lineno"> 529</span>  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,</div>
|
|
<div class="line"><a name="l00530"></a><span class="lineno"> 530</span>  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,</div>
|
|
<div class="line"><a name="l00531"></a><span class="lineno"> 531</span>  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,</div>
|
|
<div class="line"><a name="l00532"></a><span class="lineno"> 532</span>  0xFF, 0xFA, 0x51, 0x86, 0x87, 0x83, 0xBF, 0x2F,</div>
|
|
<div class="line"><a name="l00533"></a><span class="lineno"> 533</span>  0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09,</div>
|
|
<div class="line"><a name="l00534"></a><span class="lineno"> 534</span>  0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C,</div>
|
|
<div class="line"><a name="l00535"></a><span class="lineno"> 535</span>  0x47, 0xAE, 0xBB, 0x6F, 0xB7, 0x1E, 0x91, 0x38,</div>
|
|
<div class="line"><a name="l00536"></a><span class="lineno"> 536</span>  0x64, 0x09</div>
|
|
<div class="line"><a name="l00537"></a><span class="lineno"> 537</span>  };</div>
|
|
<div class="line"><a name="l00538"></a><span class="lineno"> 538</span>  uint8_t zeroTest = 0;</div>
|
|
<div class="line"><a name="l00539"></a><span class="lineno"> 539</span>  uint8_t posn = 66;</div>
|
|
<div class="line"><a name="l00540"></a><span class="lineno"> 540</span>  uint16_t borrow = 0;</div>
|
|
<!-- Fixed 66 iterations from the least significant byte upwards; posn is
     decremented first so index 65 is processed in the first pass. -->
<div class="line"><a name="l00541"></a><span class="lineno"> 541</span>  <span class="keywordflow">while</span> (posn > 0) {</div>
|
|
<div class="line"><a name="l00542"></a><span class="lineno"> 542</span>  --posn;</div>
|
|
<div class="line"><a name="l00543"></a><span class="lineno"> 543</span> </div>
|
|
<div class="line"><a name="l00544"></a><span class="lineno"> 544</span>  <span class="comment">// Check for zero.</span></div>
|
|
<div class="line"><a name="l00545"></a><span class="lineno"> 545</span>  zeroTest |= privateKey[posn];</div>
|
|
<div class="line"><a name="l00546"></a><span class="lineno"> 546</span> </div>
|
|
<div class="line"><a name="l00547"></a><span class="lineno"> 547</span>  <span class="comment">// Subtract P521_q_bytes from the key. If there is no borrow,</span></div>
|
|
<div class="line"><a name="l00548"></a><span class="lineno"> 548</span>  <span class="comment">// then the key value was greater than or equal to q.</span></div>
|
|
<!-- Byte-wise subtract with the previous step's borrow taken from bit 8;
     a negative result wraps in the uint16_t and sets bit 8 again. -->
<div class="line"><a name="l00549"></a><span class="lineno"> 549</span>  borrow = ((uint16_t)(privateKey[posn])) -</div>
|
|
<div class="line"><a name="l00550"></a><span class="lineno"> 550</span>  pgm_read_byte(&(P521_q_bytes[posn])) -</div>
|
|
<div class="line"><a name="l00551"></a><span class="lineno"> 551</span>  ((borrow >> 8) & 0x01);</div>
|
|
<div class="line"><a name="l00552"></a><span class="lineno"> 552</span>  }</div>
|
|
<div class="line"><a name="l00553"></a><span class="lineno"> 553</span>  <span class="keywordflow">return</span> zeroTest != 0 && borrow != 0;</div>
|
|
<div class="line"><a name="l00554"></a><span class="lineno"> 554</span> }</div>
|
|
<div class="line"><a name="l00555"></a><span class="lineno"> 555</span> </div>
|
|
<!--
  Review notes (P521::isValidPublicKey): unpacks the 66-byte big-endian x
  and y coordinates of publicKey[132] and returns validate(x, y), the same
  check verify() applies to its publicKey argument before using it. The
  limb buffers are wiped before returning. validate() itself is defined
  outside this listing, so the exact conditions it enforces cannot be
  confirmed from here.
-->
<div class="line"><a name="l00564"></a><span class="lineno"><a class="line" href="classP521.html#af0bd7851bb15b737a821320b394aec96"> 564</a></span> <span class="keywordtype">bool</span> <a class="code" href="classP521.html#af0bd7851bb15b737a821320b394aec96">P521::isValidPublicKey</a>(<span class="keyword">const</span> uint8_t publicKey[132])</div>
|
|
<div class="line"><a name="l00565"></a><span class="lineno"> 565</span> {</div>
|
|
<div class="line"><a name="l00566"></a><span class="lineno"> 566</span>  limb_t x[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00567"></a><span class="lineno"> 567</span>  limb_t y[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00568"></a><span class="lineno"> 568</span>  <a class="code" href="classBigNumberUtil.html#a63f9d7884eb36227d39e1b95e219d865">BigNumberUtil::unpackBE</a>(x, NUM_LIMBS_521BIT, publicKey, 66);</div>
|
|
<div class="line"><a name="l00569"></a><span class="lineno"> 569</span>  <a class="code" href="classBigNumberUtil.html#a63f9d7884eb36227d39e1b95e219d865">BigNumberUtil::unpackBE</a>(y, NUM_LIMBS_521BIT, publicKey + 66, 66);</div>
|
|
<div class="line"><a name="l00570"></a><span class="lineno"> 570</span>  <span class="keywordtype">bool</span> ok = validate(x, y);</div>
|
|
<div class="line"><a name="l00571"></a><span class="lineno"> 571</span>  clean(x);</div>
|
|
<div class="line"><a name="l00572"></a><span class="lineno"> 572</span>  clean(y);</div>
|
|
<div class="line"><a name="l00573"></a><span class="lineno"> 573</span>  <span class="keywordflow">return</span> ok;</div>
|
|
<div class="line"><a name="l00574"></a><span class="lineno"> 574</span> }</div>
|
|
<div class="line"><a name="l00575"></a><span class="lineno"> 575</span> </div>
|
|
<div class="line"><a name="l00597"></a><span class="lineno"> 597</span> <span class="keywordtype">void</span> P521::evaluate(limb_t *x, limb_t *y, <span class="keyword">const</span> uint8_t f[66])</div>
|
|
<div class="line"><a name="l00598"></a><span class="lineno"> 598</span> {</div>
|
|
<div class="line"><a name="l00599"></a><span class="lineno"> 599</span>  limb_t x1[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00600"></a><span class="lineno"> 600</span>  limb_t y1[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00601"></a><span class="lineno"> 601</span>  limb_t z1[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00602"></a><span class="lineno"> 602</span>  limb_t x2[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00603"></a><span class="lineno"> 603</span>  limb_t y2[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00604"></a><span class="lineno"> 604</span>  limb_t z2[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l00605"></a><span class="lineno"> 605</span> </div>
|
|
<div class="line"><a name="l00606"></a><span class="lineno"> 606</span>  <span class="comment">// We want the input in Jacobian co-ordinates. The point (x, y, z)</span></div>
|
|
<div class="line"><a name="l00607"></a><span class="lineno"> 607</span>  <span class="comment">// corresponds to the affine point (x / z^2, y / z^3), so if we set z</span></div>
|
|
<div class="line"><a name="l00608"></a><span class="lineno"> 608</span>  <span class="comment">// to 1 we end up with Jacobian co-ordinates. Remember that z is 1</span></div>
|
|
<div class="line"><a name="l00609"></a><span class="lineno"> 609</span>  <span class="comment">// and continue on.</span></div>
|
|
<div class="line"><a name="l00610"></a><span class="lineno"> 610</span> </div>
|
|
<div class="line"><a name="l00611"></a><span class="lineno"> 611</span>  <span class="comment">// Set the answer to the point-at-infinity initially (z = 0).</span></div>
|
|
<div class="line"><a name="l00612"></a><span class="lineno"> 612</span>  memset(x1, 0, <span class="keyword">sizeof</span>(x1));</div>
|
|
<div class="line"><a name="l00613"></a><span class="lineno"> 613</span>  memset(y1, 0, <span class="keyword">sizeof</span>(y1));</div>
|
|
<div class="line"><a name="l00614"></a><span class="lineno"> 614</span>  memset(z1, 0, <span class="keyword">sizeof</span>(z1));</div>
|
|
<div class="line"><a name="l00615"></a><span class="lineno"> 615</span> </div>
|
|
<div class="line"><a name="l00616"></a><span class="lineno"> 616</span>  <span class="comment">// Special handling for the highest bit. We can skip dblPoint()/addPoint()</span></div>
|
|
<div class="line"><a name="l00617"></a><span class="lineno"> 617</span>  <span class="comment">// and simply conditionally move (x, y, z) into (x1, y1, z1).</span></div>
|
|
<div class="line"><a name="l00618"></a><span class="lineno"> 618</span>  uint8_t select = (f[0] & 0x01);</div>
|
|
<div class="line"><a name="l00619"></a><span class="lineno"> 619</span>  cmove(select, x1, x);</div>
|
|
<div class="line"><a name="l00620"></a><span class="lineno"> 620</span>  cmove(select, y1, y);</div>
|
|
<div class="line"><a name="l00621"></a><span class="lineno"> 621</span>  cmove1(select, z1); <span class="comment">// z = 1</span></div>
<div class="line"><a name="l00622"></a><span class="lineno"> 622</span> </div>
<div class="line"><a name="l00623"></a><span class="lineno"> 623</span>  <span class="comment">// Iterate over the remaining 520 bits of f from highest to lowest.</span></div>
<div class="line"><a name="l00624"></a><span class="lineno"> 624</span>  uint8_t mask = 0x80;</div>
<div class="line"><a name="l00625"></a><span class="lineno"> 625</span>  uint8_t fposn = 1;</div>
<div class="line"><a name="l00626"></a><span class="lineno"> 626</span>  <span class="keywordflow">for</span> (uint16_t t = 520; t > 0; --t) {</div>
<div class="line"><a name="l00627"></a><span class="lineno"> 627</span>  <span class="comment">// Double the answer.</span></div>
<div class="line"><a name="l00628"></a><span class="lineno"> 628</span>  dblPoint(x1, y1, z1, x1, y1, z1);</div>
<div class="line"><a name="l00629"></a><span class="lineno"> 629</span> </div>
<div class="line"><a name="l00630"></a><span class="lineno"> 630</span>  <span class="comment">// Add (x, y, z) to (x1, y1, z1) for the next 1 bit.</span></div>
<div class="line"><a name="l00631"></a><span class="lineno"> 631</span>  <span class="comment">// We must always do this to preserve the overall timing.</span></div>
<div class="line"><a name="l00632"></a><span class="lineno"> 632</span>  <span class="comment">// The z value is always 1 so we can omit that argument.</span></div>
<div class="line"><a name="l00633"></a><span class="lineno"> 633</span>  addPoint(x2, y2, z2, x1, y1, z1, x, y<span class="comment">/*, z*/</span>);</div>
<div class="line"><a name="l00634"></a><span class="lineno"> 634</span> </div>
<div class="line"><a name="l00635"></a><span class="lineno"> 635</span>  <span class="comment">// If the bit was 1, then move (x2, y2, z2) into (x1, y1, z1).</span></div>
<div class="line"><a name="l00636"></a><span class="lineno"> 636</span>  select = (f[fposn] & mask);</div>
<div class="line"><a name="l00637"></a><span class="lineno"> 637</span>  cmove(select, x1, x2);</div>
<div class="line"><a name="l00638"></a><span class="lineno"> 638</span>  cmove(select, y1, y2);</div>
<div class="line"><a name="l00639"></a><span class="lineno"> 639</span>  cmove(select, z1, z2);</div>
<div class="line"><a name="l00640"></a><span class="lineno"> 640</span> </div>
<div class="line"><a name="l00641"></a><span class="lineno"> 641</span>  <span class="comment">// Move onto the next bit.</span></div>
<div class="line"><a name="l00642"></a><span class="lineno"> 642</span>  mask >>= 1;</div>
<div class="line"><a name="l00643"></a><span class="lineno"> 643</span>  <span class="keywordflow">if</span> (!mask) {</div>
<div class="line"><a name="l00644"></a><span class="lineno"> 644</span>  ++fposn;</div>
<div class="line"><a name="l00645"></a><span class="lineno"> 645</span>  mask = 0x80;</div>
<div class="line"><a name="l00646"></a><span class="lineno"> 646</span>  }</div>
<div class="line"><a name="l00647"></a><span class="lineno"> 647</span>  }</div>
<div class="line"><a name="l00648"></a><span class="lineno"> 648</span> </div>
<div class="line"><a name="l00649"></a><span class="lineno"> 649</span>  <span class="comment">// Convert from Jacobian co-ordinates back into affine co-ordinates.</span></div>
<div class="line"><a name="l00650"></a><span class="lineno"> 650</span>  <span class="comment">// x = x1 * (z1^2)^-1, y = y1 * (z1^3)^-1.</span></div>
<div class="line"><a name="l00651"></a><span class="lineno"> 651</span>  recip(x2, z1);</div>
<div class="line"><a name="l00652"></a><span class="lineno"> 652</span>  square(y2, x2);</div>
<div class="line"><a name="l00653"></a><span class="lineno"> 653</span>  mul(x, x1, y2);</div>
<div class="line"><a name="l00654"></a><span class="lineno"> 654</span>  mul(y2, y2, x2);</div>
<div class="line"><a name="l00655"></a><span class="lineno"> 655</span>  mul(y, y1, y2);</div>
<div class="line"><a name="l00656"></a><span class="lineno"> 656</span> </div>
<div class="line"><a name="l00657"></a><span class="lineno"> 657</span>  <span class="comment">// Clean up.</span></div>
<div class="line"><a name="l00658"></a><span class="lineno"> 658</span>  clean(x1);</div>
<div class="line"><a name="l00659"></a><span class="lineno"> 659</span>  clean(y1);</div>
<div class="line"><a name="l00660"></a><span class="lineno"> 660</span>  clean(z1);</div>
<div class="line"><a name="l00661"></a><span class="lineno"> 661</span>  clean(x2);</div>
<div class="line"><a name="l00662"></a><span class="lineno"> 662</span>  clean(y2);</div>
<div class="line"><a name="l00663"></a><span class="lineno"> 663</span>  clean(z2);</div>
<div class="line"><a name="l00664"></a><span class="lineno"> 664</span> }</div>
<div class="line"><a name="l00665"></a><span class="lineno"> 665</span> </div>
<div class="line"><a name="l00676"></a><span class="lineno"> 676</span> <span class="keywordtype">void</span> P521::addAffine(limb_t *x1, limb_t *y1, <span class="keyword">const</span> limb_t *x2, <span class="keyword">const</span> limb_t *y2)</div>
<div class="line"><a name="l00677"></a><span class="lineno"> 677</span> {</div>
<div class="line"><a name="l00678"></a><span class="lineno"> 678</span>  limb_t xout[NUM_LIMBS_521BIT];</div>
<div class="line"><a name="l00679"></a><span class="lineno"> 679</span>  limb_t yout[NUM_LIMBS_521BIT];</div>
<div class="line"><a name="l00680"></a><span class="lineno"> 680</span>  limb_t zout[NUM_LIMBS_521BIT];</div>
<div class="line"><a name="l00681"></a><span class="lineno"> 681</span>  limb_t z1[NUM_LIMBS_521BIT];</div>
<div class="line"><a name="l00682"></a><span class="lineno"> 682</span> </div>
<div class="line"><a name="l00683"></a><span class="lineno"> 683</span>  <span class="comment">// z1 = 1</span></div>
<div class="line"><a name="l00684"></a><span class="lineno"> 684</span>  z1[0] = 1;</div>
<div class="line"><a name="l00685"></a><span class="lineno"> 685</span>  memset(z1 + 1, 0, (NUM_LIMBS_521BIT - 1) * <span class="keyword">sizeof</span>(limb_t));</div>
<div class="line"><a name="l00686"></a><span class="lineno"> 686</span> </div>
<div class="line"><a name="l00687"></a><span class="lineno"> 687</span>  <span class="comment">// Add the two points.</span></div>
<div class="line"><a name="l00688"></a><span class="lineno"> 688</span>  addPoint(xout, yout, zout, x1, y1, z1, x2, y2<span class="comment">/*, z2*/</span>);</div>
<div class="line"><a name="l00689"></a><span class="lineno"> 689</span> </div>
<div class="line"><a name="l00690"></a><span class="lineno"> 690</span>  <span class="comment">// Convert from Jacobian co-ordinates back into affine co-ordinates.</span></div>
<div class="line"><a name="l00691"></a><span class="lineno"> 691</span>  <span class="comment">// x1 = xout * (zout^2)^-1, y1 = yout * (zout^3)^-1.</span></div>
<div class="line"><a name="l00692"></a><span class="lineno"> 692</span>  recip(z1, zout);</div>
<div class="line"><a name="l00693"></a><span class="lineno"> 693</span>  square(zout, z1);</div>
<div class="line"><a name="l00694"></a><span class="lineno"> 694</span>  mul(x1, xout, zout);</div>
<div class="line"><a name="l00695"></a><span class="lineno"> 695</span>  mul(zout, zout, z1);</div>
<div class="line"><a name="l00696"></a><span class="lineno"> 696</span>  mul(y1, yout, zout);</div>
<div class="line"><a name="l00697"></a><span class="lineno"> 697</span> </div>
<div class="line"><a name="l00698"></a><span class="lineno"> 698</span>  <span class="comment">// Clean up.</span></div>
<div class="line"><a name="l00699"></a><span class="lineno"> 699</span>  clean(xout);</div>
<div class="line"><a name="l00700"></a><span class="lineno"> 700</span>  clean(yout);</div>
<div class="line"><a name="l00701"></a><span class="lineno"> 701</span>  clean(zout);</div>
<div class="line"><a name="l00702"></a><span class="lineno"> 702</span>  clean(z1);</div>
<div class="line"><a name="l00703"></a><span class="lineno"> 703</span> }</div>
<div class="line"><a name="l00704"></a><span class="lineno"> 704</span> </div>
<div class="line"><a name="l00714"></a><span class="lineno"> 714</span> <span class="keywordtype">bool</span> P521::validate(<span class="keyword">const</span> limb_t *x, <span class="keyword">const</span> limb_t *y)</div>
<div class="line"><a name="l00715"></a><span class="lineno"> 715</span> {</div>
<div class="line"><a name="l00716"></a><span class="lineno"> 716</span>  <span class="keywordtype">bool</span> result;</div>
<div class="line"><a name="l00717"></a><span class="lineno"> 717</span> </div>
<div class="line"><a name="l00718"></a><span class="lineno"> 718</span>  <span class="comment">// If x or y is greater than or equal to 2^521 - 1, then the</span></div>
<div class="line"><a name="l00719"></a><span class="lineno"> 719</span>  <span class="comment">// point is definitely not on the curve. Preserve timing by</span></div>
<div class="line"><a name="l00720"></a><span class="lineno"> 720</span>  <span class="comment">// delaying the reporting of the result until later.</span></div>
<div class="line"><a name="l00721"></a><span class="lineno"> 721</span>  result = inRange(x);</div>
<div class="line"><a name="l00722"></a><span class="lineno"> 722</span>  result &= inRange(y);</div>
<div class="line"><a name="l00723"></a><span class="lineno"> 723</span> </div>
<div class="line"><a name="l00724"></a><span class="lineno"> 724</span>  <span class="comment">// We need to check that y^2 = x^3 - 3 * x + b mod 2^521 - 1.</span></div>
<div class="line"><a name="l00725"></a><span class="lineno"> 725</span>  limb_t t1[NUM_LIMBS_521BIT];</div>
<div class="line"><a name="l00726"></a><span class="lineno"> 726</span>  limb_t t2[NUM_LIMBS_521BIT];</div>
<div class="line"><a name="l00727"></a><span class="lineno"> 727</span>  square(t1, x);</div>
<div class="line"><a name="l00728"></a><span class="lineno"> 728</span>  mul(t1, t1, x);</div>
<div class="line"><a name="l00729"></a><span class="lineno"> 729</span>  mulLiteral(t2, x, 3);</div>
<div class="line"><a name="l00730"></a><span class="lineno"> 730</span>  sub(t1, t1, t2);</div>
<div class="line"><a name="l00731"></a><span class="lineno"> 731</span>  memcpy_P(t2, P521_b, <span class="keyword">sizeof</span>(t2));</div>
<div class="line"><a name="l00732"></a><span class="lineno"> 732</span>  add(t1, t1, t2);</div>
<div class="line"><a name="l00733"></a><span class="lineno"> 733</span>  square(t2, y);</div>
<div class="line"><a name="l00734"></a><span class="lineno"> 734</span>  result &= secure_compare(t1, t2, <span class="keyword">sizeof</span>(t1));</div>
<div class="line"><a name="l00735"></a><span class="lineno"> 735</span>  clean(t1);</div>
<div class="line"><a name="l00736"></a><span class="lineno"> 736</span>  clean(t2);</div>
<div class="line"><a name="l00737"></a><span class="lineno"> 737</span>  <span class="keywordflow">return</span> result;</div>
<div class="line"><a name="l00738"></a><span class="lineno"> 738</span> }</div>
<div class="line"><a name="l00739"></a><span class="lineno"> 739</span> </div>
<div class="line"><a name="l00748"></a><span class="lineno"> 748</span> <span class="keywordtype">bool</span> P521::inRange(<span class="keyword">const</span> limb_t *x)</div>
<div class="line"><a name="l00749"></a><span class="lineno"> 749</span> {</div>
<div class="line"><a name="l00750"></a><span class="lineno"> 750</span>  <span class="comment">// Do a trial subtraction of 2^521 - 1 from x, which is equivalent</span></div>
<div class="line"><a name="l00751"></a><span class="lineno"> 751</span>  <span class="comment">// to adding 1 and subtracting 2^521. We only need the carry.</span></div>
<div class="line"><a name="l00752"></a><span class="lineno"> 752</span>  dlimb_t carry = 1;</div>
<div class="line"><a name="l00753"></a><span class="lineno"> 753</span>  limb_t word = 0;</div>
<div class="line"><a name="l00754"></a><span class="lineno"> 754</span>  <span class="keywordflow">for</span> (uint8_t index = 0; index < NUM_LIMBS_521BIT; ++index) {</div>
<div class="line"><a name="l00755"></a><span class="lineno"> 755</span>  carry += *x++;</div>
<div class="line"><a name="l00756"></a><span class="lineno"> 756</span>  word = (limb_t)carry;</div>
<div class="line"><a name="l00757"></a><span class="lineno"> 757</span>  carry >>= LIMB_BITS;</div>
<div class="line"><a name="l00758"></a><span class="lineno"> 758</span>  }</div>
<div class="line"><a name="l00759"></a><span class="lineno"> 759</span> </div>
<div class="line"><a name="l00760"></a><span class="lineno"> 760</span>  <span class="comment">// Determine the carry out from the low 521 bits.</span></div>
<div class="line"><a name="l00761"></a><span class="lineno"> 761</span> <span class="preprocessor">#if BIGNUMBER_LIMB_8BIT</span></div>
<div class="line"><a name="l00762"></a><span class="lineno"> 762</span> <span class="preprocessor"></span> carry = (carry << 7) + (word >> 1);</div>
<div class="line"><a name="l00763"></a><span class="lineno"> 763</span> <span class="preprocessor">#else</span></div>
<div class="line"><a name="l00764"></a><span class="lineno"> 764</span> <span class="preprocessor"></span> carry = (carry << (LIMB_BITS - 9)) + (word >> 9);</div>
<div class="line"><a name="l00765"></a><span class="lineno"> 765</span> <span class="preprocessor">#endif</span></div>
<div class="line"><a name="l00766"></a><span class="lineno"> 766</span> <span class="preprocessor"></span></div>
<div class="line"><a name="l00767"></a><span class="lineno"> 767</span>  <span class="comment">// If the carry is zero, then x was in range. Otherwise it is out</span></div>
<div class="line"><a name="l00768"></a><span class="lineno"> 768</span>  <span class="comment">// of range. Check for zero in a way that preserves constant timing.</span></div>
<div class="line"><a name="l00769"></a><span class="lineno"> 769</span>  word = (limb_t)(carry | (carry >> LIMB_BITS));</div>
<div class="line"><a name="l00770"></a><span class="lineno"> 770</span>  word = (limb_t)(((((dlimb_t)1) << LIMB_BITS) - word) >> LIMB_BITS);</div>
<div class="line"><a name="l00771"></a><span class="lineno"> 771</span>  <span class="keywordflow">return</span> (<span class="keywordtype">bool</span>)word;</div>
<div class="line"><a name="l00772"></a><span class="lineno"> 772</span> }</div>
<div class="line"><a name="l00773"></a><span class="lineno"> 773</span> </div>
<div class="line"><a name="l00783"></a><span class="lineno"> 783</span> <span class="keywordtype">void</span> P521::reduce(limb_t *result, <span class="keyword">const</span> limb_t *x)</div>
<div class="line"><a name="l00784"></a><span class="lineno"> 784</span> {</div>
<div class="line"><a name="l00785"></a><span class="lineno"> 785</span> <span class="preprocessor">#if BIGNUMBER_LIMB_16BIT || BIGNUMBER_LIMB_32BIT || BIGNUMBER_LIMB_64BIT</span></div>
<div class="line"><a name="l00786"></a><span class="lineno"> 786</span> <span class="preprocessor"></span> <span class="comment">// According to NIST FIPS 186-4, we add the high 521 bits to the</span></div>
<div class="line"><a name="l00787"></a><span class="lineno"> 787</span>  <span class="comment">// low 521 bits and then do a trial subtraction of 2^521 - 1.</span></div>
<div class="line"><a name="l00788"></a><span class="lineno"> 788</span>  <span class="comment">// We do both in a single step. Subtracting 2^521 - 1 is equivalent</span></div>
<div class="line"><a name="l00789"></a><span class="lineno"> 789</span>  <span class="comment">// to adding 1 and subtracting 2^521.</span></div>
<div class="line"><a name="l00790"></a><span class="lineno"> 790</span>  uint8_t index;</div>
<div class="line"><a name="l00791"></a><span class="lineno"> 791</span>  <span class="keyword">const</span> limb_t *xl = x;</div>
<div class="line"><a name="l00792"></a><span class="lineno"> 792</span>  <span class="keyword">const</span> limb_t *xh = x + NUM_LIMBS_521BIT;</div>
<div class="line"><a name="l00793"></a><span class="lineno"> 793</span>  limb_t *rr = result;</div>
<div class="line"><a name="l00794"></a><span class="lineno"> 794</span>  dlimb_t carry;</div>
<div class="line"><a name="l00795"></a><span class="lineno"> 795</span>  limb_t word = x[NUM_LIMBS_521BIT - 1];</div>
<div class="line"><a name="l00796"></a><span class="lineno"> 796</span>  carry = (word >> 9) + 1;</div>
<div class="line"><a name="l00797"></a><span class="lineno"> 797</span>  word &= 0x1FF;</div>
<div class="line"><a name="l00798"></a><span class="lineno"> 798</span>  <span class="keywordflow">for</span> (index = 0; index < (NUM_LIMBS_521BIT - 1); ++index) {</div>
<div class="line"><a name="l00799"></a><span class="lineno"> 799</span>  carry += *xl++;</div>
<div class="line"><a name="l00800"></a><span class="lineno"> 800</span>  carry += ((dlimb_t)(*xh++)) << (LIMB_BITS - 9);</div>
<div class="line"><a name="l00801"></a><span class="lineno"> 801</span>  *rr++ = (limb_t)carry;</div>
<div class="line"><a name="l00802"></a><span class="lineno"> 802</span>  carry >>= LIMB_BITS;</div>
<div class="line"><a name="l00803"></a><span class="lineno"> 803</span>  }</div>
<div class="line"><a name="l00804"></a><span class="lineno"> 804</span>  carry += word;</div>
<div class="line"><a name="l00805"></a><span class="lineno"> 805</span>  carry += ((dlimb_t)(x[NUM_LIMBS_1042BIT - 1])) << (LIMB_BITS - 9);</div>
<div class="line"><a name="l00806"></a><span class="lineno"> 806</span>  word = (limb_t)carry;</div>
<div class="line"><a name="l00807"></a><span class="lineno"> 807</span>  *rr = word;</div>
<div class="line"><a name="l00808"></a><span class="lineno"> 808</span> </div>
<div class="line"><a name="l00809"></a><span class="lineno"> 809</span>  <span class="comment">// If the carry out was 1, then mask it off and we have the answer.</span></div>
<div class="line"><a name="l00810"></a><span class="lineno"> 810</span>  <span class="comment">// If the carry out was 0, then we need to add 2^521 - 1 back again.</span></div>
<div class="line"><a name="l00811"></a><span class="lineno"> 811</span>  <span class="comment">// To preserve the timing we perform a conditional subtract of 1 and</span></div>
<div class="line"><a name="l00812"></a><span class="lineno"> 812</span>  <span class="comment">// then mask off the high bits.</span></div>
<div class="line"><a name="l00813"></a><span class="lineno"> 813</span>  carry = ((word >> 9) ^ 0x01) & 0x01;</div>
<div class="line"><a name="l00814"></a><span class="lineno"> 814</span>  rr = result;</div>
<div class="line"><a name="l00815"></a><span class="lineno"> 815</span>  <span class="keywordflow">for</span> (index = 0; index < NUM_LIMBS_521BIT; ++index) {</div>
<div class="line"><a name="l00816"></a><span class="lineno"> 816</span>  carry = ((dlimb_t)(*rr)) - carry;</div>
<div class="line"><a name="l00817"></a><span class="lineno"> 817</span>  *rr++ = (limb_t)carry;</div>
<div class="line"><a name="l00818"></a><span class="lineno"> 818</span>  carry = (carry >> LIMB_BITS) & 0x01;</div>
<div class="line"><a name="l00819"></a><span class="lineno"> 819</span>  }</div>
<div class="line"><a name="l00820"></a><span class="lineno"> 820</span>  *(--rr) &= 0x1FF;</div>
<div class="line"><a name="l00821"></a><span class="lineno"> 821</span> <span class="preprocessor">#elif BIGNUMBER_LIMB_8BIT</span></div>
<div class="line"><a name="l00822"></a><span class="lineno"> 822</span> <span class="preprocessor"></span> <span class="comment">// Same as above, but for 8-bit limbs.</span></div>
<div class="line"><a name="l00823"></a><span class="lineno"> 823</span>  uint8_t index;</div>
<div class="line"><a name="l00824"></a><span class="lineno"> 824</span>  <span class="keyword">const</span> limb_t *xl = x;</div>
<div class="line"><a name="l00825"></a><span class="lineno"> 825</span>  <span class="keyword">const</span> limb_t *xh = x + NUM_LIMBS_521BIT;</div>
<div class="line"><a name="l00826"></a><span class="lineno"> 826</span>  limb_t *rr = result;</div>
<div class="line"><a name="l00827"></a><span class="lineno"> 827</span>  dlimb_t carry;</div>
<div class="line"><a name="l00828"></a><span class="lineno"> 828</span>  limb_t word = x[NUM_LIMBS_521BIT - 1];</div>
<div class="line"><a name="l00829"></a><span class="lineno"> 829</span>  carry = (word >> 1) + 1;</div>
<div class="line"><a name="l00830"></a><span class="lineno"> 830</span>  word &= 0x01;</div>
<div class="line"><a name="l00831"></a><span class="lineno"> 831</span>  <span class="keywordflow">for</span> (index = 0; index < (NUM_LIMBS_521BIT - 1); ++index) {</div>
<div class="line"><a name="l00832"></a><span class="lineno"> 832</span>  carry += *xl++;</div>
<div class="line"><a name="l00833"></a><span class="lineno"> 833</span>  carry += ((dlimb_t)(*xh++)) << 7;</div>
<div class="line"><a name="l00834"></a><span class="lineno"> 834</span>  *rr++ = (limb_t)carry;</div>
<div class="line"><a name="l00835"></a><span class="lineno"> 835</span>  carry >>= LIMB_BITS;</div>
<div class="line"><a name="l00836"></a><span class="lineno"> 836</span>  }</div>
<div class="line"><a name="l00837"></a><span class="lineno"> 837</span>  carry += word;</div>
<div class="line"><a name="l00838"></a><span class="lineno"> 838</span>  carry += ((dlimb_t)(x[NUM_LIMBS_1042BIT - 1])) << 1;</div>
<div class="line"><a name="l00839"></a><span class="lineno"> 839</span>  word = (limb_t)carry;</div>
<div class="line"><a name="l00840"></a><span class="lineno"> 840</span>  *rr = word;</div>
<div class="line"><a name="l00841"></a><span class="lineno"> 841</span>  carry = ((word >> 1) ^ 0x01) & 0x01;</div>
<div class="line"><a name="l00842"></a><span class="lineno"> 842</span>  rr = result;</div>
<div class="line"><a name="l00843"></a><span class="lineno"> 843</span>  <span class="keywordflow">for</span> (index = 0; index < NUM_LIMBS_521BIT; ++index) {</div>
<div class="line"><a name="l00844"></a><span class="lineno"> 844</span>  carry = ((dlimb_t)(*rr)) - carry;</div>
<div class="line"><a name="l00845"></a><span class="lineno"> 845</span>  *rr++ = (limb_t)carry;</div>
<div class="line"><a name="l00846"></a><span class="lineno"> 846</span>  carry = (carry >> LIMB_BITS) & 0x01;</div>
<div class="line"><a name="l00847"></a><span class="lineno"> 847</span>  }</div>
<div class="line"><a name="l00848"></a><span class="lineno"> 848</span>  *(--rr) &= 0x01;</div>
<div class="line"><a name="l00849"></a><span class="lineno"> 849</span> <span class="preprocessor">#else</span></div>
<div class="line"><a name="l00850"></a><span class="lineno"> 850</span> <span class="preprocessor"></span><span class="preprocessor"> #error "Don't know how to reduce values mod 2^521 - 1"</span></div>
<div class="line"><a name="l00851"></a><span class="lineno"> 851</span> <span class="preprocessor"></span><span class="preprocessor">#endif</span></div>
<div class="line"><a name="l00852"></a><span class="lineno"> 852</span> <span class="preprocessor"></span>}</div>
<div class="line"><a name="l00853"></a><span class="lineno"> 853</span> </div>
<div class="line"><a name="l00866"></a><span class="lineno"> 866</span> <span class="keywordtype">void</span> P521::reduceQuick(limb_t *x)</div>
<div class="line"><a name="l00867"></a><span class="lineno"> 867</span> {</div>
<div class="line"><a name="l00868"></a><span class="lineno"> 868</span>  <span class="comment">// Perform a trial subtraction of 2^521 - 1 from x. This is</span></div>
<div class="line"><a name="l00869"></a><span class="lineno"> 869</span>  <span class="comment">// equivalent to adding 1 and subtracting 2^521.</span></div>
<div class="line"><a name="l00870"></a><span class="lineno"> 870</span>  uint8_t index;</div>
<div class="line"><a name="l00871"></a><span class="lineno"> 871</span>  limb_t *xx = x;</div>
<div class="line"><a name="l00872"></a><span class="lineno"> 872</span>  dlimb_t carry = 1;</div>
<div class="line"><a name="l00873"></a><span class="lineno"> 873</span>  <span class="keywordflow">for</span> (index = 0; index < NUM_LIMBS_521BIT; ++index) {</div>
<div class="line"><a name="l00874"></a><span class="lineno"> 874</span>  carry += *xx;</div>
<div class="line"><a name="l00875"></a><span class="lineno"> 875</span>  *xx++ = (limb_t)carry;</div>
<div class="line"><a name="l00876"></a><span class="lineno"> 876</span>  carry >>= LIMB_BITS;</div>
<div class="line"><a name="l00877"></a><span class="lineno"> 877</span>  }</div>
<div class="line"><a name="l00878"></a><span class="lineno"> 878</span> </div>
<div class="line"><a name="l00879"></a><span class="lineno"> 879</span>  <span class="comment">// If the carry out was 1, then mask it off and we have the answer.</span></div>
<div class="line"><a name="l00880"></a><span class="lineno"> 880</span>  <span class="comment">// If the carry out was 0, then we need to add 2^521 - 1 back again.</span></div>
<div class="line"><a name="l00881"></a><span class="lineno"> 881</span>  <span class="comment">// To preserve the timing we perform a conditional subtract of 1 and</span></div>
<div class="line"><a name="l00882"></a><span class="lineno"> 882</span>  <span class="comment">// then mask off the high bits.</span></div>
<div class="line"><a name="l00883"></a><span class="lineno"> 883</span> <span class="preprocessor">#if BIGNUMBER_LIMB_16BIT || BIGNUMBER_LIMB_32BIT || BIGNUMBER_LIMB_64BIT</span></div>
<div class="line"><a name="l00884"></a><span class="lineno"> 884</span> <span class="preprocessor"></span> carry = ((x[NUM_LIMBS_521BIT - 1] >> 9) ^ 0x01) & 0x01;</div>
<div class="line"><a name="l00885"></a><span class="lineno"> 885</span>  xx = x;</div>
<div class="line"><a name="l00886"></a><span class="lineno"> 886</span>  <span class="keywordflow">for</span> (index = 0; index < NUM_LIMBS_521BIT; ++index) {</div>
<div class="line"><a name="l00887"></a><span class="lineno"> 887</span>  carry = ((dlimb_t)(*xx)) - carry;</div>
<div class="line"><a name="l00888"></a><span class="lineno"> 888</span>  *xx++ = (limb_t)carry;</div>
<div class="line"><a name="l00889"></a><span class="lineno"> 889</span>  carry = (carry >> LIMB_BITS) & 0x01;</div>
<div class="line"><a name="l00890"></a><span class="lineno"> 890</span>  }</div>
<div class="line"><a name="l00891"></a><span class="lineno"> 891</span>  *(--xx) &= 0x1FF;</div>
<div class="line"><a name="l00892"></a><span class="lineno"> 892</span> <span class="preprocessor">#elif BIGNUMBER_LIMB_8BIT</span></div>
<div class="line"><a name="l00893"></a><span class="lineno"> 893</span> <span class="preprocessor"></span> carry = ((x[NUM_LIMBS_521BIT - 1] >> 1) ^ 0x01) & 0x01;</div>
<div class="line"><a name="l00894"></a><span class="lineno"> 894</span>  xx = x;</div>
<div class="line"><a name="l00895"></a><span class="lineno"> 895</span>  <span class="keywordflow">for</span> (index = 0; index < NUM_LIMBS_521BIT; ++index) {</div>
<div class="line"><a name="l00896"></a><span class="lineno"> 896</span>  carry = ((dlimb_t)(*xx)) - carry;</div>
<div class="line"><a name="l00897"></a><span class="lineno"> 897</span>  *xx++ = (limb_t)carry;</div>
<div class="line"><a name="l00898"></a><span class="lineno"> 898</span>  carry = (carry >> LIMB_BITS) & 0x01;</div>
<div class="line"><a name="l00899"></a><span class="lineno"> 899</span>  }</div>
<div class="line"><a name="l00900"></a><span class="lineno"> 900</span>  *(--xx) &= 0x01;</div>
<div class="line"><a name="l00901"></a><span class="lineno"> 901</span> <span class="preprocessor">#endif</span></div>
<div class="line"><a name="l00902"></a><span class="lineno"> 902</span> <span class="preprocessor"></span>}</div>
<div class="line"><a name="l00903"></a><span class="lineno"> 903</span> </div>
<div class="line"><a name="l00916"></a><span class="lineno"> 916</span> <span class="keywordtype">void</span> P521::mulNoReduce(limb_t *result, <span class="keyword">const</span> limb_t *x, <span class="keyword">const</span> limb_t *y)</div>
<div class="line"><a name="l00917"></a><span class="lineno"> 917</span> {</div>
<div class="line"><a name="l00918"></a><span class="lineno"> 918</span>  uint8_t i, j;</div>
<div class="line"><a name="l00919"></a><span class="lineno"> 919</span>  dlimb_t carry;</div>
<div class="line"><a name="l00920"></a><span class="lineno"> 920</span>  limb_t word;</div>
<div class="line"><a name="l00921"></a><span class="lineno"> 921</span>  <span class="keyword">const</span> limb_t *yy;</div>
<div class="line"><a name="l00922"></a><span class="lineno"> 922</span>  limb_t *rr;</div>
<div class="line"><a name="l00923"></a><span class="lineno"> 923</span> </div>
<div class="line"><a name="l00924"></a><span class="lineno"> 924</span>  <span class="comment">// Multiply the lowest word of x by y.</span></div>
<div class="line"><a name="l00925"></a><span class="lineno"> 925</span>  carry = 0;</div>
<div class="line"><a name="l00926"></a><span class="lineno"> 926</span>  word = x[0];</div>
<div class="line"><a name="l00927"></a><span class="lineno"> 927</span>  yy = y;</div>
<div class="line"><a name="l00928"></a><span class="lineno"> 928</span>  rr = result;</div>
<div class="line"><a name="l00929"></a><span class="lineno"> 929</span>  <span class="keywordflow">for</span> (i = 0; i < NUM_LIMBS_521BIT; ++i) {</div>
<div class="line"><a name="l00930"></a><span class="lineno"> 930</span>  carry += ((dlimb_t)(*yy++)) * word;</div>
<div class="line"><a name="l00931"></a><span class="lineno"> 931</span>  *rr++ = (limb_t)carry;</div>
<div class="line"><a name="l00932"></a><span class="lineno"> 932</span>  carry >>= LIMB_BITS;</div>
<div class="line"><a name="l00933"></a><span class="lineno"> 933</span>  }</div>
<div class="line"><a name="l00934"></a><span class="lineno"> 934</span>  *rr = (limb_t)carry;</div>
<div class="line"><a name="l00935"></a><span class="lineno"> 935</span> </div>
<div class="line"><a name="l00936"></a><span class="lineno"> 936</span>  <span class="comment">// Multiply and add the remaining words of x by y.</span></div>
<div class="line"><a name="l00937"></a><span class="lineno"> 937</span>  <span class="keywordflow">for</span> (i = 1; i < NUM_LIMBS_521BIT; ++i) {</div>
<div class="line"><a name="l00938"></a><span class="lineno"> 938</span>  word = x[i];</div>
<div class="line"><a name="l00939"></a><span class="lineno"> 939</span>  carry = 0;</div>
<div class="line"><a name="l00940"></a><span class="lineno"> 940</span>  yy = y;</div>
<div class="line"><a name="l00941"></a><span class="lineno"> 941</span>  rr = result + i;</div>
<div class="line"><a name="l00942"></a><span class="lineno"> 942</span>  <span class="keywordflow">for</span> (j = 0; j < NUM_LIMBS_521BIT; ++j) {</div>
<div class="line"><a name="l00943"></a><span class="lineno"> 943</span>  carry += ((dlimb_t)(*yy++)) * word;</div>
<div class="line"><a name="l00944"></a><span class="lineno"> 944</span>  carry += *rr;</div>
<div class="line"><a name="l00945"></a><span class="lineno"> 945</span>  *rr++ = (limb_t)carry;</div>
<div class="line"><a name="l00946"></a><span class="lineno"> 946</span>  carry >>= LIMB_BITS;</div>
|
|
<div class="line"><a name="l00947"></a><span class="lineno"> 947</span>  }</div>
|
|
<div class="line"><a name="l00948"></a><span class="lineno"> 948</span>  *rr = (limb_t)carry;</div>
|
|
<div class="line"><a name="l00949"></a><span class="lineno"> 949</span>  }</div>
|
|
<div class="line"><a name="l00950"></a><span class="lineno"> 950</span> }</div>
|
|
<div class="line"><a name="l00951"></a><span class="lineno"> 951</span> </div>
|
|
void P521::mul(limb_t *result, const limb_t *x, const limb_t *y)
{
    // result = (x * y) mod 2^521 - 1.
    //
    // The unreduced product of two 521-bit values needs up to 1042 bits,
    // so it is formed in a double-width scratch buffer and then folded
    // back into range by reduce(). Because the product is completed
    // before anything is written to result, result may alias x or y
    // (callers in this file rely on that, e.g. mul(alpha, alpha, tmp)).
    limb_t product[NUM_LIMBS_1042BIT];

    mulNoReduce(product, x, y);
    reduce(result, product);

    // The scratch buffer can hold material derived from a secret scalar,
    // so scrub it before it goes out of scope rather than leaving it on
    // the stack for later frames to find.
    strict_clean(product);

    // Give the platform watchdog (if any) a chance to be serviced during
    // long scalar multiplications, which call this function many times.
    crypto_feed_watchdog();
}
|
|
<div class="line"><a name="l00970"></a><span class="lineno"> 970</span> </div>
|
|
void P521::mulLiteral(limb_t *result, const limb_t *x, limb_t y)
{
    // Multiplies the field element x by a small constant y and reduces
    // the product modulo p = 2^521 - 1, in constant time.
    //
    // Preconditions (not checked here):
    //   * x is already reduced, so its top limb holds only the in-range
    //     bits: at most 9 bits for 16/32/64-bit limbs (521 = k * LIMB_BITS
    //     + 9) and 1 bit for 8-bit limbs (521 = 65 * 8 + 1). The reduction
    //     below only ever looks at a single limb of overflow.
    //   * y is small. The callers in this file pass 2, 3, 4 and 8; the
    //     limb-by-limb product must not carry out of the top limb.
    //
    // result may alias x: each limb of x is read before the same limb of
    // result is written.
    uint8_t index;
    dlimb_t carry = 0;
    const limb_t *xx = x;
    limb_t *rr = result;

    // Multiply x by the literal and put it into the result array.
    // We assume that y is small enough that overflow from the
    // highest limb will not occur during this process.
    for (index = 0; index < NUM_LIMBS_521BIT; ++index) {
        carry += ((dlimb_t)(*xx++)) * y;
        *rr++ = (limb_t)carry;
        carry >>= LIMB_BITS;
    }

    // Reduce the value modulo 2^521 - 1. The high half is only a
    // single limb, so we can short-cut some of reduce() here.
    //
    // Write the product as lo + hi * 2^521 with lo < 2^521. Since
    // 2^521 == 1 (mod p), the product is congruent to lo + hi. Instead
    // of adding hi and then doing a data-dependent final subtraction,
    // add hi + 1: if the sum reaches 2^521, dropping that bit leaves
    // (lo + hi) - p, the fully reduced answer; otherwise the answer is
    // the sum minus 1. Both cases are handled by the branch-free
    // conditional subtract of 1 and the mask that follow.
#if BIGNUMBER_LIMB_16BIT || BIGNUMBER_LIMB_32BIT || BIGNUMBER_LIMB_64BIT
    limb_t word = result[NUM_LIMBS_521BIT - 1];
    carry = (word >> 9) + 1;        // hi + 1 (everything above bit 8 of the top limb)
    word &= 0x1FF;                  // the 9 in-range bits of the top limb
    rr = result;
    for (index = 0; index < (NUM_LIMBS_521BIT - 1); ++index) {
        carry += *rr;
        *rr++ = (limb_t)carry;
        carry >>= LIMB_BITS;
    }
    carry += word;
    word = (limb_t)carry;           // bit 9 of word is the carry out past 2^521
    *rr = word;

    // If the carry out was 1, then mask it off and we have the answer.
    // If the carry out was 0, then we need to add 2^521 - 1 back again.
    // To preserve the timing we perform a conditional subtract of 1 and
    // then mask off the high bits.
    carry = ((word >> 9) ^ 0x01) & 0x01;    // 1 when there was no carry out, else 0
    rr = result;
    for (index = 0; index < NUM_LIMBS_521BIT; ++index) {
        carry = ((dlimb_t)(*rr)) - carry;
        *rr++ = (limb_t)carry;
        carry = (carry >> LIMB_BITS) & 0x01;    // propagate the borrow
    }
    *(--rr) &= 0x1FF;               // drop the 2^521 bit from the top limb
#elif BIGNUMBER_LIMB_8BIT
    // Same as above, but for 8-bit limbs: the top limb holds a single
    // in-range bit, so the split point is bit 1 and the mask is 0x01.
    limb_t word = result[NUM_LIMBS_521BIT - 1];
    carry = (word >> 1) + 1;        // hi + 1
    word &= 0x01;                   // the in-range bit of the top limb
    rr = result;
    for (index = 0; index < (NUM_LIMBS_521BIT - 1); ++index) {
        carry += *rr;
        *rr++ = (limb_t)carry;
        carry >>= LIMB_BITS;
    }
    carry += word;
    word = (limb_t)carry;           // bit 1 of word is the carry out past 2^521
    *rr = word;
    carry = ((word >> 1) ^ 0x01) & 0x01;    // 1 when there was no carry out, else 0
    rr = result;
    for (index = 0; index < NUM_LIMBS_521BIT; ++index) {
        carry = ((dlimb_t)(*rr)) - carry;
        *rr++ = (limb_t)carry;
        carry = (carry >> LIMB_BITS) & 0x01;    // propagate the borrow
    }
    *(--rr) &= 0x01;                // drop the 2^521 bit from the top limb
#endif
}
|
|
<div class="line"><a name="l01058"></a><span class="lineno"> 1058</span> </div>
|
|
void P521::add(limb_t *result, const limb_t *x, const limb_t *y)
{
    // result = (x + y) mod 2^521 - 1.
    //
    // The limb-wise sum of two reduced values is at most one bit wider
    // than the inputs, and the top limb has spare bits for that, so the
    // carry out of the last limb can be ignored; reduceQuick() then
    // presumably folds the value back below 2^521 - 1 (not visible here).
    //
    // In-place use (result == x, result == y, or both) is fine: both
    // input limbs are read before the corresponding output limb is
    // stored, as callers like add(r, r, r) rely on.
    dlimb_t acc = 0;
    for (uint8_t limb = 0; limb < NUM_LIMBS_521BIT; ++limb) {
        acc += (dlimb_t)x[limb] + y[limb];
        result[limb] = (limb_t)acc;
        acc >>= LIMB_BITS;
    }
    reduceQuick(result);
}
|
|
<div class="line"><a name="l01081"></a><span class="lineno"> 1081</span> </div>
|
|
void P521::sub(limb_t *result, const limb_t *x, const limb_t *y)
{
    // Computes result = (x - y) mod p, p = 2^521 - 1, in constant time.
    // Both inputs are expected to be reduced (top limb within the
    // 9-bit / 1-bit in-range mask); nothing is checked here.
    //
    // result may alias x and/or y: every input limb is read before the
    // corresponding result limb is stored, which the in-place callers
    // (e.g. sub(xout, xout, tmp) in dblPoint) depend on.
    dlimb_t borrow;
    uint8_t posn;
    limb_t *rr = result;

    // Subtract y from x to generate the intermediate result.
    // After this loop, bit LIMB_BITS of "borrow" is set exactly when
    // the subtraction wrapped below zero, i.e. when x < y.
    borrow = 0;
    for (posn = 0; posn < NUM_LIMBS_521BIT; ++posn) {
        borrow = ((dlimb_t)(*x++)) - (*y++) - ((borrow >> LIMB_BITS) & 0x01);
        *rr++ = (limb_t)borrow;
    }

    // If we had a borrow, then the result has gone negative and we
    // have to add 2^521 - 1 to the result to make it positive again.
    // The top bits of "borrow" will be all 1's if there is a borrow
    // or it will be all 0's if there was no borrow. Easiest is to
    // conditionally subtract 1 and then mask off the high bits.
    //
    // Why that is equivalent: a negative difference d is currently held
    // as d + 2^(NUM_LIMBS_521BIT * LIMB_BITS). Subtracting 1 and keeping
    // only the bits below 2^521 gives (d - 1) mod 2^521 = d - 1 + 2^521
    // = d + p, the wanted non-negative representative (d >= -(2^521 - 1)
    // because x >= 0 and y < 2^521, so d - 1 >= -2^521). With no borrow
    // the subtrahend is 0 and the mask is a no-op on a reduced value.
    // Both paths execute exactly the same instruction sequence.
    rr = result;
    borrow = (borrow >> LIMB_BITS) & 1U;            // 1 if x < y, else 0
    borrow = ((dlimb_t)(*rr)) - borrow;
    *rr++ = (limb_t)borrow;
    for (posn = 1; posn < NUM_LIMBS_521BIT; ++posn) {
        borrow = ((dlimb_t)(*rr)) - ((borrow >> LIMB_BITS) & 0x01);
        *rr++ = (limb_t)borrow;
    }
    // Keep only the in-range bits of the top limb (bit 520 and below).
#if BIGNUMBER_LIMB_8BIT
    *(--rr) &= 0x01;
#else
    *(--rr) &= 0x1FF;
#endif
}
|
|
<div class="line"><a name="l01124"></a><span class="lineno"> 1124</span> </div>
|
|
void P521::dblPoint(limb_t *xout, limb_t *yout, limb_t *zout,
                    const limb_t *xin, const limb_t *yin,
                    const limb_t *zin)
{
    // Doubles a point given in Jacobian co-ordinates, producing Jacobian
    // co-ordinates. Every step is a constant-time field operation, so
    // the whole routine is constant-time and needs no special case for
    // the point at infinity (z = 0): then zz = 0 and
    // zout = (y + 0)^2 - y^2 - 0 = 0, which is infinity again.
    //
    // The 3 (x - z^2)(x + z^2) form of the slope numerator is only valid
    // for curves with coefficient a = -3, which is the case for P-521.
    //
    // Aliasing: xout == xin, yout == yin and zout == zin are safe, since
    // each input is fully consumed before its own output is written.
    // Cross overlaps (e.g. xout == yin) are NOT safe: xout is stored
    // before yin is last read.
    limb_t zz[NUM_LIMBS_521BIT];    // zin^2
    limb_t yy[NUM_LIMBS_521BIT];    // yin^2, later reused for 8 * yin^4
    limb_t s[NUM_LIMBS_521BIT];     // xin * yin^2
    limb_t m[NUM_LIMBS_521BIT];     // 3 * (xin - zz) * (xin + zz)
    limb_t t[NUM_LIMBS_521BIT];     // scratch

    square(yy, yin);
    square(zz, zin);
    mul(s, xin, yy);

    // m = 3 * (xin - zz) * (xin + zz)
    sub(t, xin, zz);
    mulLiteral(m, t, 3);
    add(t, xin, zz);
    mul(m, m, t);

    // xout = m^2 - 8 * s
    mulLiteral(t, s, 8);
    square(xout, m);
    sub(xout, xout, t);

    // zout = (yin + zin)^2 - yy - zz   (algebraically 2 * yin * zin)
    add(zout, yin, zin);
    square(zout, zout);
    sub(zout, zout, yy);
    sub(zout, zout, zz);

    // yout = m * (4 * s - xout) - 8 * yy^2
    mulLiteral(yout, s, 4);
    sub(yout, yout, xout);
    mul(yout, m, yout);
    square(yy, yy);
    mulLiteral(yy, yy, 8);
    sub(yout, yout, yy);

    // The intermediates depend on the (possibly secret) input point;
    // wipe them before the stack frame is released.
    strict_clean(m);
    strict_clean(s);
    strict_clean(yy);
    strict_clean(zz);
    strict_clean(t);
}
|
|
<div class="line"><a name="l01181"></a><span class="lineno"> 1181</span> </div>
|
|
void P521::addPoint(limb_t *xout, limb_t *yout, limb_t *zout,
                    const limb_t *x1, const limb_t *y1,
                    const limb_t *z1, const limb_t *x2,
                    const limb_t *y2)
{
    // Mixed addition: (x1, y1, z1) is Jacobian, (x2, y2) is affine with
    // an implicit z2 = 1. The sequence matches the usual mixed
    // Jacobian/affine formulas (i = (2h)^2, j = h*i, r = 2(s2 - y1)).
    // All steps are constant-time field operations and the identity
    // case is handled by a constant-time select at the end.
    //
    // NOTE(review): degenerate inputs are not special-cased. If
    // u2 == x1 then h == 0 and zout = 2 * z1 * h == 0, i.e. the point at
    // infinity. That is the right answer when P1 == -P2 but wrong when
    // P1 == P2 (which should double). The caller must guarantee the two
    // points are never equal — confirm this against the scalar
    // multiplication loop that uses this function.
    //
    // NOTE(review): aliasing. xout == x1 is safe (x1 is last read by
    // mul(v, x1, i), before square(xout, r)), and zout == z1 is safe
    // (mul() forms its product in scratch before writing zout). But
    // yout must NOT alias y1: y1 is read again by mul(j, y1, j) after
    // yout has already been overwritten by sub(yout, v, xout). Verify
    // callers never pass the first point's y as yout.
    limb_t z1z1[NUM_LIMBS_521BIT];
    limb_t u2[NUM_LIMBS_521BIT];
    limb_t s2[NUM_LIMBS_521BIT];
    limb_t h[NUM_LIMBS_521BIT];
    limb_t i[NUM_LIMBS_521BIT];
    limb_t j[NUM_LIMBS_521BIT];
    limb_t r[NUM_LIMBS_521BIT];
    limb_t v[NUM_LIMBS_521BIT];

    // Determine if the first value is the point-at-infinity identity element.
    // The second z value is always 1 so it cannot be the point-at-infinity.
    // isZero() is used (rather than a loop with an early exit) so that
    // this test does not leak whether the accumulator is still empty.
    limb_t p1IsIdentity = BigNumberUtil::isZero(z1, NUM_LIMBS_521BIT);

    // Multiply the points, assuming that z2 = 1.
    // The arithmetic below runs unconditionally even when p1 is the
    // identity; its (meaningless) result is discarded by the cmove's.
    square(z1z1, z1);           // z1z1 = z1^2
    mul(u2, x2, z1z1);          // u2 = x2 * z1z1
    mul(s2, y2, z1);            // s2 = y2 * z1 * z1z1
    mul(s2, s2, z1z1);
    sub(h, u2, x1);             // h = u2 - x1
    mulLiteral(i, h, 2);        // i = (2 * h)^2
    square(i, i);
    sub(r, s2, y1);             // r = 2 * (s2 - y1)
    add(r, r, r);
    mul(j, h, i);               // j = h * i
    mul(v, x1, i);              // v = x1 * i
    square(xout, r);            // xout = r^2 - j - 2 * v
    sub(xout, xout, j);
    sub(xout, xout, v);
    sub(xout, xout, v);
    sub(yout, v, xout);         // yout = r * (v - xout) - 2 * y1 * j
    mul(yout, r, yout);
    mul(j, y1, j);              // reads y1 after yout was written (see note above)
    sub(yout, yout, j);
    sub(yout, yout, j);
    mul(zout, z1, h);           // zout = 2 * z1 * h
    add(zout, zout, zout);

    // Select the answer to return. If (x1, y1, z1) was the identity,
    // then the answer is (x2, y2, z2). Otherwise it is (xout, yout, zout).
    // Conditionally move the second argument over the output if necessary.
    // The select is branch-free so the choice is not visible in timing.
    cmove(p1IsIdentity, xout, x2);
    cmove(p1IsIdentity, yout, y2);
    cmove1(p1IsIdentity, zout);  // z2 = 1

    // Clean up: the intermediates are derived from a possibly secret
    // point, so scrub them before returning.
    strict_clean(z1z1);
    strict_clean(u2);
    strict_clean(s2);
    strict_clean(h);
    strict_clean(i);
    strict_clean(j);
    strict_clean(r);
    strict_clean(v);
}
|
|
<div class="line"><a name="l01260"></a><span class="lineno"> 1260</span> </div>
|
|
void P521::cmove(limb_t select, limb_t *x, const limb_t *y)
{
    // Conditionally copies y over x: if "select" is non-zero, x becomes
    // y; if it is zero, x is unchanged. Every limb is touched either
    // way and no branch depends on "select", so the choice is not
    // exposed through timing (assuming the compiler keeps the mask
    // arithmetic branch-free, which should be checked on new toolchains).
    //
    // Build a full-width mask: (2^LIMB_BITS - select) >> LIMB_BITS is 1
    // only when select == 0, so subtracting 1 gives all-zeros for "no
    // move" and wraps to all-ones for "move". Any set bit in "select"
    // counts; it does not have to be exactly 1.
    limb_t mask = (limb_t)(((((dlimb_t)1) << LIMB_BITS) - select) >> LIMB_BITS);
    mask = (limb_t)(mask - 1);

    // x ^= mask & (x ^ y) leaves x alone for a zero mask and turns it
    // into y for an all-ones mask.
    for (uint8_t limb = 0; limb < NUM_LIMBS_521BIT; ++limb) {
        limb_t diff = (limb_t)(mask & (x[limb] ^ y[limb]));
        x[limb] = (limb_t)(x[limb] ^ diff);
    }
}
|
|
<div class="line"><a name="l01290"></a><span class="lineno"> 1290</span> </div>
|
|
void P521::cmove1(limb_t select, limb_t *x)
{
    // Conditionally sets x to the field element 1: if "select" is
    // non-zero, x becomes 1; otherwise x is unchanged. Like cmove(),
    // this touches every limb with the same instructions regardless of
    // "select" so the decision is not visible in timing.
    //
    // Same mask construction as cmove(): all-ones when select != 0,
    // all-zeros when select == 0, independent of which bits are set.
    limb_t mask = (limb_t)(((((dlimb_t)1) << LIMB_BITS) - select) >> LIMB_BITS);
    mask = (limb_t)(mask - 1);

    // Lowest limb: move in the value 1 when selected.
    x[0] = (limb_t)(x[0] ^ (mask & (x[0] ^ 1)));

    // Remaining limbs: move in 0 when selected (x ^ (mask & x) clears
    // the limb for an all-ones mask and is a no-op for a zero mask).
    for (uint8_t limb = 1; limb < NUM_LIMBS_521BIT; ++limb) {
        x[limb] = (limb_t)(x[limb] ^ (mask & x[limb]));
    }
}
|
|
<div class="line"><a name="l01321"></a><span class="lineno"> 1321</span> </div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// Compute the multiplicative inverse of x modulo p = 2^521 - 1 via</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// Fermat's little theorem: result = x^(p - 2) mod p. The addition</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// chain below has fixed loop bounds and no branch on x, so the</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// sequence of operations depends only on the public constant p - 2.</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// result and x must not overlap: the first square() overwrites result</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// while x is still read by the multiplications that follow.</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// x = 0 has no inverse; the chain then simply yields 0.</span></div>
|
|
<div class="line"><a name="l01330"></a><span class="lineno"> 1330</span> <span class="keywordtype">void</span> P521::recip(limb_t *result, <span class="keyword">const</span> limb_t *x)</div>
|
|
<div class="line"><a name="l01331"></a><span class="lineno"> 1331</span> {</div>
|
|
<div class="line"><a name="l01332"></a><span class="lineno"> 1332</span>  limb_t t1[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l01333"></a><span class="lineno"> 1333</span> </div>
|
|
<div class="line"><a name="l01334"></a><span class="lineno"> 1334</span>  <span class="comment">// The reciprocal is the same as x ^ (p - 2) where p = 2^521 - 1.</span></div>
|
|
<div class="line"><a name="l01335"></a><span class="lineno"> 1335</span>  <span class="comment">// The big-endian hexadecimal expansion of (p - 2) is:</span></div>
|
|
<div class="line"><a name="l01336"></a><span class="lineno"> 1336</span>  <span class="comment">// 01FF FFFFFFFF FFFFFFFF ... FFFFFFFF FFFFFFFD</span></div>
|
|
<div class="line"><a name="l01337"></a><span class="lineno"> 1337</span>  <span class="comment">// (512 one-bits followed by the 9 low bits 111111101; 521 bits total).</span></div>
|
|
<div class="line"><a name="l01338"></a><span class="lineno"> 1338</span>  <span class="comment">// The naive implementation needs to do 2 multiplications per 1 bit and</span></div>
|
|
<div class="line"><a name="l01339"></a><span class="lineno"> 1339</span>  <span class="comment">// 1 multiplication per 0 bit. We can improve upon this by creating a</span></div>
|
|
<div class="line"><a name="l01340"></a><span class="lineno"> 1340</span>  <span class="comment">// pattern 1111 and then shifting and multiplying to create 11111111,</span></div>
|
|
<div class="line"><a name="l01341"></a><span class="lineno"> 1341</span>  <span class="comment">// and then 1111111111111111, and so on for the top 512-bits.</span></div>
|
|
<div class="line"><a name="l01342"></a><span class="lineno"> 1342</span> </div>
|
|
<div class="line"><a name="l01343"></a><span class="lineno"> 1343</span>  <span class="comment">// Build a 4-bit pattern 1111 in the result, i.e. result = x^15.</span></div>
|
|
<div class="line"><a name="l01344"></a><span class="lineno"> 1344</span>  square(result, x);</div>
|
|
<div class="line"><a name="l01345"></a><span class="lineno"> 1345</span>  mul(result, result, x);</div>
|
|
<div class="line"><a name="l01346"></a><span class="lineno"> 1346</span>  square(result, result);</div>
|
|
<div class="line"><a name="l01347"></a><span class="lineno"> 1347</span>  mul(result, result, x);</div>
|
|
<div class="line"><a name="l01348"></a><span class="lineno"> 1348</span>  square(result, result);</div>
|
|
<div class="line"><a name="l01349"></a><span class="lineno"> 1349</span>  mul(result, result, x);</div>
|
|
<div class="line"><a name="l01350"></a><span class="lineno"> 1350</span> </div>
|
|
<div class="line"><a name="l01351"></a><span class="lineno"> 1351</span>  <span class="comment">// Shift and multiply by increasing powers of two. This turns</span></div>
|
|
<div class="line"><a name="l01352"></a><span class="lineno"> 1352</span>  <span class="comment">// 1111 into 11111111, and then 1111111111111111, and so on.</span></div>
|
|
<div class="line"><span class="lineno">     </span>  <span class="comment">// Each iteration squares "power" times (t1 = result^(2^power)) and</span></div>
|
|
<div class="line"><span class="lineno">     </span>  <span class="comment">// multiplies, doubling the run of one-bits: 8, 16, ..., 512 after</span></div>
|
|
<div class="line"><span class="lineno">     </span>  <span class="comment">// the final iteration with power == 256.</span></div>
|
|
<div class="line"><a name="l01353"></a><span class="lineno"> 1353</span>  <span class="keywordflow">for</span> (<span class="keywordtype">size_t</span> power = 4; power <= 256; power <<= 1) {</div>
|
|
<div class="line"><a name="l01354"></a><span class="lineno"> 1354</span>  square(t1, result);</div>
|
|
<div class="line"><a name="l01355"></a><span class="lineno"> 1355</span>  <span class="keywordflow">for</span> (<span class="keywordtype">size_t</span> temp = 1; temp < power; ++temp)</div>
|
|
<div class="line"><a name="l01356"></a><span class="lineno"> 1356</span>  square(t1, t1);</div>
|
|
<div class="line"><a name="l01357"></a><span class="lineno"> 1357</span>  mul(result, result, t1);</div>
|
|
<div class="line"><a name="l01358"></a><span class="lineno"> 1358</span>  }</div>
|
|
<div class="line"><a name="l01359"></a><span class="lineno"> 1359</span> </div>
|
|
<div class="line"><a name="l01360"></a><span class="lineno"> 1360</span>  <span class="comment">// Handle the 9 lowest bits of (p - 2), 111111101, from highest to lowest.</span></div>
|
|
<div class="line"><span class="lineno">     </span>  <span class="comment">// Seven square-and-multiply steps for the seven leading one-bits ...</span></div>
|
|
<div class="line"><a name="l01361"></a><span class="lineno"> 1361</span>  <span class="keywordflow">for</span> (uint8_t index = 0; index < 7; ++index) {</div>
|
|
<div class="line"><a name="l01362"></a><span class="lineno"> 1362</span>  square(result, result);</div>
|
|
<div class="line"><a name="l01363"></a><span class="lineno"> 1363</span>  mul(result, result, x);</div>
|
|
<div class="line"><a name="l01364"></a><span class="lineno"> 1364</span>  }</div>
|
|
<div class="line"><span class="lineno">     </span>  <span class="comment">// ... then a plain square for the 0 bit and square-and-multiply</span></div>
|
|
<div class="line"><span class="lineno">     </span>  <span class="comment">// for the final 1 bit.</span></div>
|
|
<div class="line"><a name="l01365"></a><span class="lineno"> 1365</span>  square(result, result);</div>
|
|
<div class="line"><a name="l01366"></a><span class="lineno"> 1366</span>  square(result, result);</div>
|
|
<div class="line"><a name="l01367"></a><span class="lineno"> 1367</span>  mul(result, result, x);</div>
|
|
<div class="line"><a name="l01368"></a><span class="lineno"> 1368</span> </div>
|
|
<div class="line"><a name="l01369"></a><span class="lineno"> 1369</span>  <span class="comment">// Clean up: t1 held intermediate powers of the (possibly secret) input.</span></div>
|
|
<div class="line"><a name="l01370"></a><span class="lineno"> 1370</span>  clean(t1);</div>
|
|
<div class="line"><a name="l01371"></a><span class="lineno"> 1371</span> }</div>
|
|
<div class="line"><a name="l01372"></a><span class="lineno"> 1372</span> </div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// Reduce r modulo the curve order q using Barrett reduction.</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// r is read as NUM_LIMBS_1042BIT limbs and must satisfy r <= (q - 1)^2;</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// mulQ() passes the full 1042-bit product from mulNoReduce().</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// On return result (NUM_LIMBS_521BIT limbs) holds r mod q. The</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// multiplication and shift work is a fixed sequence; the final</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// conditional subtraction is delegated to BigNumberUtil::reduceQuick_P,</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// which is relied upon to do it without a value-dependent branch.</span></div>
|
|
<div class="line"><a name="l01381"></a><span class="lineno"> 1381</span> <span class="keywordtype">void</span> P521::reduceQ(limb_t *result, <span class="keyword">const</span> limb_t *r)</div>
|
|
<div class="line"><a name="l01382"></a><span class="lineno"> 1382</span> {</div>
|
|
<div class="line"><a name="l01383"></a><span class="lineno"> 1383</span>  <span class="comment">// Algorithm from: http://en.wikipedia.org/wiki/Barrett_reduction</span></div>
|
|
<div class="line"><a name="l01384"></a><span class="lineno"> 1384</span>  <span class="comment">//</span></div>
|
|
<div class="line"><a name="l01385"></a><span class="lineno"> 1385</span>  <span class="comment">// We assume that r is less than or equal to (q - 1)^2.</span></div>
|
|
<div class="line"><a name="l01386"></a><span class="lineno"> 1386</span>  <span class="comment">//</span></div>
|
|
<div class="line"><a name="l01387"></a><span class="lineno"> 1387</span>  <span class="comment">// We want to compute result = r mod q. Find the smallest k such</span></div>
|
|
<div class="line"><a name="l01388"></a><span class="lineno"> 1388</span>  <span class="comment">// that 2^k > q. In our case, k = 521. Then set m = floor(4^k / q)</span></div>
|
|
<div class="line"><a name="l01389"></a><span class="lineno"> 1389</span>  <span class="comment">// and let r = r - q * floor(m * r / 4^k). This will be the result</span></div>
|
|
<div class="line"><a name="l01390"></a><span class="lineno"> 1390</span>  <span class="comment">// or it will be at most one subtraction of q away from the result.</span></div>
|
|
<div class="line"><a name="l01391"></a><span class="lineno"> 1391</span>  <span class="comment">//</span></div>
|
|
<div class="line"><a name="l01392"></a><span class="lineno"> 1392</span>  <span class="comment">// Note: m is a 522-bit number, which fits in the same number of limbs</span></div>
|
|
<div class="line"><a name="l01393"></a><span class="lineno"> 1393</span>  <span class="comment">// as a 521-bit number assuming that limbs are 8 bits or more in size.</span></div>
|
|
<div class="line"><a name="l01394"></a><span class="lineno"> 1394</span>  <span class="keyword">static</span> limb_t <span class="keyword">const</span> numM[NUM_LIMBS_521BIT] PROGMEM = {</div>
|
|
<div class="line"><a name="l01395"></a><span class="lineno"> 1395</span>  LIMB_PAIR(0x6EC79BF7, 0x449048E1), LIMB_PAIR(0x7663B851, 0xC44A3647),</div>
|
|
<div class="line"><a name="l01396"></a><span class="lineno"> 1396</span>  LIMB_PAIR(0x08F65A2F, 0x8033FEB7), LIMB_PAIR(0x40D06994, 0xAE79787C),</div>
|
|
<div class="line"><a name="l01397"></a><span class="lineno"> 1397</span>  LIMB_PAIR(0x00000005, 0x00000000), LIMB_PAIR(0x00000000, 0x00000000),</div>
|
|
<div class="line"><a name="l01398"></a><span class="lineno"> 1398</span>  LIMB_PAIR(0x00000000, 0x00000000), LIMB_PAIR(0x00000000, 0x00000000),</div>
|
|
<div class="line"><a name="l01399"></a><span class="lineno"> 1399</span>  LIMB_PARTIAL(0x200)</div>
|
|
<div class="line"><a name="l01400"></a><span class="lineno"> 1400</span>  };</div>
|
|
<div class="line"><span class="lineno">     </span>  <span class="comment">// temp is sized for the 1042 x 521-bit product r * m; it is reused</span></div>
|
|
<div class="line"><span class="lineno">     </span>  <span class="comment">// further down for the smaller 521 x 521-bit product with q.</span></div>
|
|
<div class="line"><a name="l01401"></a><span class="lineno"> 1401</span>  limb_t temp[NUM_LIMBS_1042BIT + NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l01402"></a><span class="lineno"> 1402</span>  limb_t temp2[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l01403"></a><span class="lineno"> 1403</span> </div>
|
|
<div class="line"><a name="l01404"></a><span class="lineno"> 1404</span>  <span class="comment">// Multiply r by m.</span></div>
|
|
<div class="line"><a name="l01405"></a><span class="lineno"> 1405</span>  <a class="code" href="classBigNumberUtil.html#aacdee1806a239eb9e58753ef1ddb964a">BigNumberUtil::mul_P</a>(temp, r, NUM_LIMBS_1042BIT, numM, NUM_LIMBS_521BIT);</div>
|
|
<div class="line"><a name="l01406"></a><span class="lineno"> 1406</span> </div>
|
|
<div class="line"><a name="l01407"></a><span class="lineno"> 1407</span>  <span class="comment">// Compute (m * r / 4^521) = (m * r / 2^1042).</span></div>
|
|
<div class="line"><span class="lineno">     </span>  <span class="comment">// 1042 = 1040 + 2 for 8/16-bit limbs and 1024 + 18 for 32/64-bit</span></div>
|
|
<div class="line"><span class="lineno">     </span>  <span class="comment">// limbs: each branch starts at the limb containing bit 1040 (resp.</span></div>
|
|
<div class="line"><span class="lineno">     </span>  <span class="comment">// 1024) and shifts the remaining bits down into temp2.</span></div>
|
|
<div class="line"><a name="l01408"></a><span class="lineno"> 1408</span> <span class="preprocessor">#if BIGNUMBER_LIMB_8BIT || BIGNUMBER_LIMB_16BIT</span></div>
|
|
<div class="line"><a name="l01409"></a><span class="lineno"> 1409</span> <span class="preprocessor"></span> dlimb_t carry = temp[NUM_LIMBS_BITS(1040)] >> 2;</div>
|
|
<div class="line"><a name="l01410"></a><span class="lineno"> 1410</span>  <span class="keywordflow">for</span> (uint8_t index = 0; index < NUM_LIMBS_521BIT; ++index) {</div>
|
|
<div class="line"><a name="l01411"></a><span class="lineno"> 1411</span>  carry += ((dlimb_t)(temp[NUM_LIMBS_BITS(1040) + index + 1])) << (LIMB_BITS - 2);</div>
|
|
<div class="line"><a name="l01412"></a><span class="lineno"> 1412</span>  temp2[index] = (limb_t)carry;</div>
|
|
<div class="line"><a name="l01413"></a><span class="lineno"> 1413</span>  carry >>= LIMB_BITS;</div>
|
|
<div class="line"><a name="l01414"></a><span class="lineno"> 1414</span>  }</div>
|
|
<div class="line"><a name="l01415"></a><span class="lineno"> 1415</span> <span class="preprocessor">#elif BIGNUMBER_LIMB_32BIT || BIGNUMBER_LIMB_64BIT</span></div>
|
|
<div class="line"><a name="l01416"></a><span class="lineno"> 1416</span> <span class="preprocessor"></span> dlimb_t carry = temp[NUM_LIMBS_BITS(1024)] >> 18;</div>
|
|
<div class="line"><a name="l01417"></a><span class="lineno"> 1417</span>  <span class="keywordflow">for</span> (uint8_t index = 0; index < NUM_LIMBS_521BIT; ++index) {</div>
|
|
<div class="line"><a name="l01418"></a><span class="lineno"> 1418</span>  carry += ((dlimb_t)(temp[NUM_LIMBS_BITS(1024) + index + 1])) << (LIMB_BITS - 18);</div>
|
|
<div class="line"><a name="l01419"></a><span class="lineno"> 1419</span>  temp2[index] = (limb_t)carry;</div>
|
|
<div class="line"><a name="l01420"></a><span class="lineno"> 1420</span>  carry >>= LIMB_BITS;</div>
|
|
<div class="line"><a name="l01421"></a><span class="lineno"> 1421</span>  }</div>
|
|
<div class="line"><a name="l01422"></a><span class="lineno"> 1422</span> <span class="preprocessor">#endif</span></div>
|
|
<div class="line"><a name="l01423"></a><span class="lineno"> 1423</span> <span class="preprocessor"></span></div>
|
|
<div class="line"><a name="l01424"></a><span class="lineno"> 1424</span>  <span class="comment">// Multiply (m * r) / 2^1042 by q and subtract it from r.</span></div>
|
|
<div class="line"><a name="l01425"></a><span class="lineno"> 1425</span>  <span class="comment">// We can ignore the high words of the subtraction result</span></div>
|
|
<div class="line"><a name="l01426"></a><span class="lineno"> 1426</span>  <span class="comment">// because they will all turn into zero after the subtraction.</span></div>
|
|
<div class="line"><span class="lineno">     </span>  <span class="comment">// Only the low NUM_LIMBS_521BIT limbs of r and of the product are used.</span></div>
|
|
<div class="line"><a name="l01427"></a><span class="lineno"> 1427</span>  <a class="code" href="classBigNumberUtil.html#aacdee1806a239eb9e58753ef1ddb964a">BigNumberUtil::mul_P</a>(temp, temp2, NUM_LIMBS_521BIT,</div>
|
|
<div class="line"><a name="l01428"></a><span class="lineno"> 1428</span>  P521_q, NUM_LIMBS_521BIT);</div>
|
|
<div class="line"><a name="l01429"></a><span class="lineno"> 1429</span>  <a class="code" href="classBigNumberUtil.html#a6618e03bfcb3086961df508b40cc1e67">BigNumberUtil::sub</a>(result, r, temp, NUM_LIMBS_521BIT);</div>
|
|
<div class="line"><a name="l01430"></a><span class="lineno"> 1430</span> </div>
|
|
<div class="line"><a name="l01431"></a><span class="lineno"> 1431</span>  <span class="comment">// Perform a trial subtraction of q from the result to reduce it.</span></div>
|
|
<div class="line"><a name="l01432"></a><span class="lineno"> 1432</span>  <a class="code" href="classBigNumberUtil.html#a00c9cde0b626788a60552a6bc9ce058b">BigNumberUtil::reduceQuick_P</a>(result, result, P521_q, NUM_LIMBS_521BIT);</div>
|
|
<div class="line"><a name="l01433"></a><span class="lineno"> 1433</span> </div>
|
|
<div class="line"><a name="l01434"></a><span class="lineno"> 1434</span>  <span class="comment">// Clean up and exit: both scratch buffers were derived from r.</span></div>
|
|
<div class="line"><a name="l01435"></a><span class="lineno"> 1435</span>  clean(temp);</div>
|
|
<div class="line"><a name="l01436"></a><span class="lineno"> 1436</span>  clean(temp2);</div>
|
|
<div class="line"><a name="l01437"></a><span class="lineno"> 1437</span> }</div>
|
|
<div class="line"><a name="l01438"></a><span class="lineno"> 1438</span> </div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// Multiply x by y modulo the curve order q: result = (x * y) mod q.</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// The full 1042-bit product is formed in temp by mulNoReduce() and</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// then reduced by reduceQ(), which assumes the product is at most</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// (q - 1)^2, i.e. that x and y are already reduced modulo q.</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// temp may carry secret-derived data and is wiped with strict_clean()</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// before returning.</span></div>
|
|
<div class="line"><a name="l01449"></a><span class="lineno"> 1449</span> <span class="keywordtype">void</span> P521::mulQ(limb_t *result, <span class="keyword">const</span> limb_t *x, <span class="keyword">const</span> limb_t *y)</div>
|
|
<div class="line"><a name="l01450"></a><span class="lineno"> 1450</span> {</div>
|
|
<div class="line"><a name="l01451"></a><span class="lineno"> 1451</span>  limb_t temp[NUM_LIMBS_1042BIT];</div>
|
|
<div class="line"><a name="l01452"></a><span class="lineno"> 1452</span>  mulNoReduce(temp, x, y);</div>
|
|
<div class="line"><a name="l01453"></a><span class="lineno"> 1453</span>  reduceQ(result, temp);</div>
|
|
<div class="line"><a name="l01454"></a><span class="lineno"> 1454</span>  strict_clean(temp);</div>
|
|
<div class="line"><a name="l01455"></a><span class="lineno"> 1455</span> }</div>
|
|
<div class="line"><a name="l01456"></a><span class="lineno"> 1456</span> </div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// Compute the inverse of x modulo the curve order q via Fermat:</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// result = x^(q - 2) mod q. Timing depends only on the public</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// constant q - 2: the loops have fixed bounds and the single branch</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// tests bits of the PROGMEM table P521_q_m2, never bits of x or result.</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// result and x must not overlap: the first mulQ() overwrites result</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// while x is still read by the calls that follow.</span></div>
|
|
<div class="line"><span class="lineno">     </span> <span class="comment">// x = 0 has no inverse; the chain then simply yields 0.</span></div>
|
|
<div class="line"><a name="l01465"></a><span class="lineno"> 1465</span> <span class="keywordtype">void</span> P521::recipQ(limb_t *result, <span class="keyword">const</span> limb_t *x)</div>
|
|
<div class="line"><a name="l01466"></a><span class="lineno"> 1466</span> {</div>
|
|
<div class="line"><a name="l01467"></a><span class="lineno"> 1467</span>  <span class="comment">// Bottom 265 bits of q - 2. The top 256 bits are all-1's.</span></div>
|
|
<div class="line"><a name="l01468"></a><span class="lineno"> 1468</span>  <span class="keyword">static</span> limb_t <span class="keyword">const</span> P521_q_m2[] PROGMEM = {</div>
|
|
<div class="line"><a name="l01469"></a><span class="lineno"> 1469</span>  LIMB_PAIR(0x91386407, 0xbb6fb71e), LIMB_PAIR(0x899c47ae, 0x3bb5c9b8),</div>
|
|
<div class="line"><a name="l01470"></a><span class="lineno"> 1470</span>  LIMB_PAIR(0xf709a5d0, 0x7fcc0148), LIMB_PAIR(0xbf2f966b, 0x51868783),</div>
|
|
<div class="line"><a name="l01471"></a><span class="lineno"> 1471</span>  LIMB_PARTIAL(0x1fa)</div>
|
|
<div class="line"><a name="l01472"></a><span class="lineno"> 1472</span>  };</div>
|
|
<div class="line"><span class="lineno">     </span>  <span class="comment">// 256 + 265 = 521 bits. The table covers bits 0..264 (eight 32-bit</span></div>
|
|
<div class="line"><span class="lineno">     </span>  <span class="comment">// words plus the 9-bit partial word 0x1fa), matching the loop bound</span></div>
|
|
<div class="line"><span class="lineno">     </span>  <span class="comment">// of 265 used below.</span></div>
|
|
<div class="line"><a name="l01473"></a><span class="lineno"> 1473</span> </div>
|
|
<div class="line"><a name="l01474"></a><span class="lineno"> 1474</span>  <span class="comment">// Raise x to the power of q - 2, mod q. We start with the top</span></div>
|
|
<div class="line"><a name="l01475"></a><span class="lineno"> 1475</span>  <span class="comment">// 256 bits which are all-1's, using a similar technique to recip().</span></div>
|
|
<div class="line"><span class="lineno">     </span>  <span class="comment">// First build result = x^15 (four one-bits) ...</span></div>
|
|
<div class="line"><a name="l01476"></a><span class="lineno"> 1476</span>  limb_t t1[NUM_LIMBS_521BIT];</div>
|
|
<div class="line"><a name="l01477"></a><span class="lineno"> 1477</span>  mulQ(result, x, x);</div>
|
|
<div class="line"><a name="l01478"></a><span class="lineno"> 1478</span>  mulQ(result, result, x);</div>
|
|
<div class="line"><a name="l01479"></a><span class="lineno"> 1479</span>  mulQ(result, result, result);</div>
|
|
<div class="line"><a name="l01480"></a><span class="lineno"> 1480</span>  mulQ(result, result, x);</div>
|
|
<div class="line"><a name="l01481"></a><span class="lineno"> 1481</span>  mulQ(result, result, result);</div>
|
|
<div class="line"><a name="l01482"></a><span class="lineno"> 1482</span>  mulQ(result, result, x);</div>
|
|
<div class="line"><span class="lineno">     </span>  <span class="comment">// ... then double the run of one-bits each iteration: 8, 16, ...,</span></div>
|
|
<div class="line"><span class="lineno">     </span>  <span class="comment">// 256 after the final iteration with power == 128.</span></div>
|
|
<div class="line"><a name="l01483"></a><span class="lineno"> 1483</span>  <span class="keywordflow">for</span> (<span class="keywordtype">size_t</span> power = 4; power <= 128; power <<= 1) {</div>
|
|
<div class="line"><a name="l01484"></a><span class="lineno"> 1484</span>  mulQ(t1, result, result);</div>
|
|
<div class="line"><a name="l01485"></a><span class="lineno"> 1485</span>  <span class="keywordflow">for</span> (<span class="keywordtype">size_t</span> temp = 1; temp < power; ++temp)</div>
|
|
<div class="line"><a name="l01486"></a><span class="lineno"> 1486</span>  mulQ(t1, t1, t1);</div>
|
|
<div class="line"><a name="l01487"></a><span class="lineno"> 1487</span>  mulQ(result, result, t1);</div>
|
|
<div class="line"><a name="l01488"></a><span class="lineno"> 1488</span>  }</div>
|
|
<div class="line"><span class="lineno">     </span>  <span class="comment">// t1 is no longer needed; wipe it before the remaining bits.</span></div>
|
|
<div class="line"><a name="l01489"></a><span class="lineno"> 1489</span>  clean(t1);</div>
|
|
<div class="line"><a name="l01490"></a><span class="lineno"> 1490</span> </div>
|
|
<div class="line"><a name="l01491"></a><span class="lineno"> 1491</span>  <span class="comment">// Deal with the bottom 265 bits from highest to lowest. Square for</span></div>
|
|
<div class="line"><a name="l01492"></a><span class="lineno"> 1492</span>  <span class="comment">// each bit and multiply in x whenever there is a 1 bit. The timing</span></div>
|
|
<div class="line"><a name="l01493"></a><span class="lineno"> 1493</span>  <span class="comment">// is based on the publicly-known constant q - 2, not on the value of x.</span></div>
|
|
<div class="line"><a name="l01494"></a><span class="lineno"> 1494</span>  <span class="keywordtype">size_t</span> bit = 265;</div>
|
|
<div class="line"><a name="l01495"></a><span class="lineno"> 1495</span>  <span class="keywordflow">while</span> (bit > 0) {</div>
|
|
<div class="line"><a name="l01496"></a><span class="lineno"> 1496</span>  --bit;</div>
|
|
<div class="line"><a name="l01497"></a><span class="lineno"> 1497</span>  mulQ(result, result, result);</div>
|
|
<div class="line"><a name="l01498"></a><span class="lineno"> 1498</span>  <span class="keywordflow">if</span> (pgm_read_limb(&(P521_q_m2[bit / LIMB_BITS])) &</div>
|
|
<div class="line"><a name="l01499"></a><span class="lineno"> 1499</span>  (((limb_t)1) << (bit % LIMB_BITS))) {</div>
|
|
<div class="line"><a name="l01500"></a><span class="lineno"> 1500</span>  mulQ(result, result, x);</div>
|
|
<div class="line"><a name="l01501"></a><span class="lineno"> 1501</span>  }</div>
|
|
<div class="line"><a name="l01502"></a><span class="lineno"> 1502</span>  }</div>
|
|
<div class="line"><a name="l01503"></a><span class="lineno"> 1503</span> }</div>
|
|
<div class="line"><a name="l01504"></a><span class="lineno"> 1504</span> </div>
|
|
<div class="line"><a name="l01515"></a><span class="lineno"> 1515</span> <span class="keywordtype">void</span> P521::generateK(uint8_t k[66], <span class="keyword">const</span> uint8_t hm[66],</div>
|
|
<div class="line"><a name="l01516"></a><span class="lineno"> 1516</span>  <span class="keyword">const</span> uint8_t x[66], <a class="code" href="classHash.html">Hash</a> *hash, uint64_t count)</div>
|
|
<div class="line"><a name="l01517"></a><span class="lineno"> 1517</span> {</div>
|
|
<div class="line"><a name="l01518"></a><span class="lineno"> 1518</span>  <span class="keywordtype">size_t</span> hlen = hash-><a class="code" href="classHash.html#adcdd30de3e5ecaa2f798c0c5644d9ef8">hashSize</a>();</div>
|
|
<div class="line"><a name="l01519"></a><span class="lineno"> 1519</span>  uint8_t V[64];</div>
|
|
<div class="line"><a name="l01520"></a><span class="lineno"> 1520</span>  uint8_t K[64];</div>
|
|
<div class="line"><a name="l01521"></a><span class="lineno"> 1521</span>  uint8_t marker;</div>
|
|
<div class="line"><a name="l01522"></a><span class="lineno"> 1522</span> </div>
|
|
<div class="line"><a name="l01523"></a><span class="lineno"> 1523</span>  <span class="comment">// If for some reason a hash function was supplied with more than</span></div>
|
|
<div class="line"><a name="l01524"></a><span class="lineno"> 1524</span>  <span class="comment">// 512 bits of output, truncate hash values to the first 512 bits.</span></div>
|
|
<div class="line"><a name="l01525"></a><span class="lineno"> 1525</span>  <span class="comment">// We cannot support more than this yet.</span></div>
|
|
<div class="line"><a name="l01526"></a><span class="lineno"> 1526</span>  <span class="keywordflow">if</span> (hlen > 64)</div>
|
|
<div class="line"><a name="l01527"></a><span class="lineno"> 1527</span>  hlen = 64;</div>
|
|
<div class="line"><a name="l01528"></a><span class="lineno"> 1528</span> </div>
|
|
<div class="line"><a name="l01529"></a><span class="lineno"> 1529</span>  <span class="comment">// RFC 6979, Section 3.2, Step a. Hash the message, reduce modulo q,</span></div>
|
|
<div class="line"><a name="l01530"></a><span class="lineno"> 1530</span>  <span class="comment">// and produce an octet string the same length as q, bits2octets(H(m)).</span></div>
|
|
<div class="line"><a name="l01531"></a><span class="lineno"> 1531</span>  <span class="comment">// We support hashes up to 512 bits and q is a 521-bit number, so "hm"</span></div>
|
|
<div class="line"><a name="l01532"></a><span class="lineno"> 1532</span>  <span class="comment">// is already the bits2octets(H(m)) value that we need.</span></div>
|
|
<div class="line"><a name="l01533"></a><span class="lineno"> 1533</span> </div>
|
|
<div class="line"><a name="l01534"></a><span class="lineno"> 1534</span>  <span class="comment">// Steps b and c. Set V to all-ones and K to all-zeroes.</span></div>
|
|
<div class="line"><a name="l01535"></a><span class="lineno"> 1535</span>  memset(V, 0x01, hlen);</div>
|
|
<div class="line"><a name="l01536"></a><span class="lineno"> 1536</span>  memset(K, 0x00, hlen);</div>
|
|
<div class="line"><a name="l01537"></a><span class="lineno"> 1537</span> </div>
|
|
<div class="line"><a name="l01538"></a><span class="lineno"> 1538</span>  <span class="comment">// Step d. K = HMAC_K(V || 0x00 || x || hm). We make a small</span></div>
|
|
<div class="line"><a name="l01539"></a><span class="lineno"> 1539</span>  <span class="comment">// modification here to append the count value if it is non-zero.</span></div>
|
|
<div class="line"><a name="l01540"></a><span class="lineno"> 1540</span>  <span class="comment">// We use this to generate a new k if we have to re-enter this</span></div>
|
|
<div class="line"><a name="l01541"></a><span class="lineno"> 1541</span>  <span class="comment">// function because the previous one was rejected by sign().</span></div>
|
|
<div class="line"><a name="l01542"></a><span class="lineno"> 1542</span>  <span class="comment">// This is slightly different to RFC 6979 which says that the</span></div>
|
|
<div class="line"><a name="l01543"></a><span class="lineno"> 1543</span>  <span class="comment">// loop in step h below should be continued. That code path is</span></div>
|
|
<div class="line"><a name="l01544"></a><span class="lineno"> 1544</span>  <span class="comment">// difficult to access, so instead modify K and V in steps d and f.</span></div>
|
|
<div class="line"><a name="l01545"></a><span class="lineno"> 1545</span>  <span class="comment">// This alternative construction is compatible with the second</span></div>
|
|
<div class="line"><a name="l01546"></a><span class="lineno"> 1546</span>  <span class="comment">// variant described in section 3.6 of RFC 6979.</span></div>
|
|
<div class="line"><a name="l01547"></a><span class="lineno"> 1547</span>  hash-><a class="code" href="classHash.html#adf50359c1f525af884721cc9034e7945">resetHMAC</a>(K, hlen);</div>
|
|
<div class="line"><a name="l01548"></a><span class="lineno"> 1548</span>  hash-><a class="code" href="classHash.html#aec9761ee427d122e7450de8df200265c">update</a>(V, hlen);</div>
|
|
<div class="line"><a name="l01549"></a><span class="lineno"> 1549</span>  marker = 0x00;</div>
|
|
<div class="line"><a name="l01550"></a><span class="lineno"> 1550</span>  hash-><a class="code" href="classHash.html#aec9761ee427d122e7450de8df200265c">update</a>(&marker, 1);</div>
|
|
<div class="line"><a name="l01551"></a><span class="lineno"> 1551</span>  hash-><a class="code" href="classHash.html#aec9761ee427d122e7450de8df200265c">update</a>(x, 66);</div>
|
|
<div class="line"><a name="l01552"></a><span class="lineno"> 1552</span>  hash-><a class="code" href="classHash.html#aec9761ee427d122e7450de8df200265c">update</a>(hm, 66);</div>
|
|
<div class="line"><a name="l01553"></a><span class="lineno"> 1553</span>  <span class="keywordflow">if</span> (count)</div>
|
|
<div class="line"><a name="l01554"></a><span class="lineno"> 1554</span>  hash-><a class="code" href="classHash.html#aec9761ee427d122e7450de8df200265c">update</a>(&count, <span class="keyword">sizeof</span>(count));</div>
|
|
<div class="line"><a name="l01555"></a><span class="lineno"> 1555</span>  hash-><a class="code" href="classHash.html#aab42fa5420cc0bda4321a3d3866cfd06">finalizeHMAC</a>(K, hlen, K, hlen);</div>
|
|
<div class="line"><a name="l01556"></a><span class="lineno"> 1556</span> </div>
|
|
<div class="line"><a name="l01557"></a><span class="lineno"> 1557</span>  <span class="comment">// Step e. V = HMAC_K(V)</span></div>
|
|
<div class="line"><a name="l01558"></a><span class="lineno"> 1558</span>  hash-><a class="code" href="classHash.html#adf50359c1f525af884721cc9034e7945">resetHMAC</a>(K, hlen);</div>
|
|
<div class="line"><a name="l01559"></a><span class="lineno"> 1559</span>  hash-><a class="code" href="classHash.html#aec9761ee427d122e7450de8df200265c">update</a>(V, hlen);</div>
|
|
<div class="line"><a name="l01560"></a><span class="lineno"> 1560</span>  hash-><a class="code" href="classHash.html#aab42fa5420cc0bda4321a3d3866cfd06">finalizeHMAC</a>(K, hlen, V, hlen);</div>
|
|
<div class="line"><a name="l01561"></a><span class="lineno"> 1561</span> </div>
|
|
<div class="line"><a name="l01562"></a><span class="lineno"> 1562</span>  <span class="comment">// Step f. K = HMAC_K(V || 0x01 || x || hm)</span></div>
|
|
<div class="line"><a name="l01563"></a><span class="lineno"> 1563</span>  hash-><a class="code" href="classHash.html#adf50359c1f525af884721cc9034e7945">resetHMAC</a>(K, hlen);</div>
|
|
<div class="line"><a name="l01564"></a><span class="lineno"> 1564</span>  hash-><a class="code" href="classHash.html#aec9761ee427d122e7450de8df200265c">update</a>(V, hlen);</div>
|
|
<div class="line"><a name="l01565"></a><span class="lineno"> 1565</span>  marker = 0x01;</div>
|
|
<div class="line"><a name="l01566"></a><span class="lineno"> 1566</span>  hash-><a class="code" href="classHash.html#aec9761ee427d122e7450de8df200265c">update</a>(&marker, 1);</div>
|
|
<div class="line"><a name="l01567"></a><span class="lineno"> 1567</span>  hash-><a class="code" href="classHash.html#aec9761ee427d122e7450de8df200265c">update</a>(x, 66);</div>
|
|
<div class="line"><a name="l01568"></a><span class="lineno"> 1568</span>  hash-><a class="code" href="classHash.html#aec9761ee427d122e7450de8df200265c">update</a>(hm, 66);</div>
|
|
<div class="line"><a name="l01569"></a><span class="lineno"> 1569</span>  <span class="keywordflow">if</span> (count)</div>
|
|
<div class="line"><a name="l01570"></a><span class="lineno"> 1570</span>  hash-><a class="code" href="classHash.html#aec9761ee427d122e7450de8df200265c">update</a>(&count, <span class="keyword">sizeof</span>(count));</div>
|
|
<div class="line"><a name="l01571"></a><span class="lineno"> 1571</span>  hash-><a class="code" href="classHash.html#aab42fa5420cc0bda4321a3d3866cfd06">finalizeHMAC</a>(K, hlen, K, hlen);</div>
|
|
<div class="line"><a name="l01572"></a><span class="lineno"> 1572</span> </div>
|
|
<div class="line"><a name="l01573"></a><span class="lineno"> 1573</span>  <span class="comment">// Step g. V = HMAC_K(V)</span></div>
|
|
<div class="line"><a name="l01574"></a><span class="lineno"> 1574</span>  hash-><a class="code" href="classHash.html#adf50359c1f525af884721cc9034e7945">resetHMAC</a>(K, hlen);</div>
|
|
<div class="line"><a name="l01575"></a><span class="lineno"> 1575</span>  hash-><a class="code" href="classHash.html#aec9761ee427d122e7450de8df200265c">update</a>(V, hlen);</div>
|
|
<div class="line"><a name="l01576"></a><span class="lineno"> 1576</span>  hash-><a class="code" href="classHash.html#aab42fa5420cc0bda4321a3d3866cfd06">finalizeHMAC</a>(K, hlen, V, hlen);</div>
|
|
<div class="line"><a name="l01577"></a><span class="lineno"> 1577</span> </div>
|
|
<div class="line"><a name="l01578"></a><span class="lineno"> 1578</span>  <span class="comment">// Step h. Generate candidate k values until we find what we want.</span></div>
|
|
<div class="line"><a name="l01579"></a><span class="lineno"> 1579</span>  <span class="keywordflow">for</span> (;;) {</div>
|
|
<div class="line"><a name="l01580"></a><span class="lineno"> 1580</span>  <span class="comment">// Step h.1 and h.2. Generate a string of 66 bytes in length.</span></div>
|
|
<div class="line"><a name="l01581"></a><span class="lineno"> 1581</span>  <span class="comment">// T = empty</span></div>
|
|
<div class="line"><a name="l01582"></a><span class="lineno"> 1582</span>  <span class="comment">// while (len(T) < 66)</span></div>
|
|
<div class="line"><a name="l01583"></a><span class="lineno"> 1583</span>  <span class="comment">// V = HMAC_K(V)</span></div>
|
|
<div class="line"><a name="l01584"></a><span class="lineno"> 1584</span>  <span class="comment">// T = T || V</span></div>
|
|
<div class="line"><a name="l01585"></a><span class="lineno"> 1585</span>  <span class="keywordtype">size_t</span> posn = 0;</div>
|
|
<div class="line"><a name="l01586"></a><span class="lineno"> 1586</span>  <span class="keywordflow">while</span> (posn < 66) {</div>
|
|
<div class="line"><a name="l01587"></a><span class="lineno"> 1587</span>  <span class="keywordtype">size_t</span> temp = 66 - posn;</div>
|
|
<div class="line"><a name="l01588"></a><span class="lineno"> 1588</span>  <span class="keywordflow">if</span> (temp > hlen)</div>
|
|
<div class="line"><a name="l01589"></a><span class="lineno"> 1589</span>  temp = hlen;</div>
|
|
<div class="line"><a name="l01590"></a><span class="lineno"> 1590</span>  hash-><a class="code" href="classHash.html#adf50359c1f525af884721cc9034e7945">resetHMAC</a>(K, hlen);</div>
|
|
<div class="line"><a name="l01591"></a><span class="lineno"> 1591</span>  hash-><a class="code" href="classHash.html#aec9761ee427d122e7450de8df200265c">update</a>(V, hlen);</div>
|
|
<div class="line"><a name="l01592"></a><span class="lineno"> 1592</span>  hash-><a class="code" href="classHash.html#aab42fa5420cc0bda4321a3d3866cfd06">finalizeHMAC</a>(K, hlen, V, hlen);</div>
|
|
<div class="line"><a name="l01593"></a><span class="lineno"> 1593</span>  memcpy(k + posn, V, temp);</div>
|
|
<div class="line"><a name="l01594"></a><span class="lineno"> 1594</span>  posn += temp;</div>
|
|
<div class="line"><a name="l01595"></a><span class="lineno"> 1595</span>  }</div>
|
|
<div class="line"><a name="l01596"></a><span class="lineno"> 1596</span> </div>
|
|
<div class="line"><a name="l01597"></a><span class="lineno"> 1597</span>  <span class="comment">// Step h.3. k = bits2int(T) and exit the loop once k is in</span></div>
|
|
<div class="line"><a name="l01598"></a><span class="lineno"> 1598</span>  <span class="comment">// the range 1 to q - 1. Note: We have to extract the 521 most</span></div>
|
|
<div class="line"><a name="l01599"></a><span class="lineno"> 1599</span>  <span class="comment">// significant bits of T, which means shifting it right by seven</span></div>
|
|
<div class="line"><a name="l01600"></a><span class="lineno"> 1600</span>  <span class="comment">// bits to put it into the correct form.</span></div>
|
|
<div class="line"><a name="l01601"></a><span class="lineno"> 1601</span>  <span class="keywordflow">for</span> (posn = 65; posn > 0; --posn)</div>
|
|
<div class="line"><a name="l01602"></a><span class="lineno"> 1602</span>  k[posn] = (k[posn - 1] << 1) | (k[posn] >> 7);</div>
|
|
<div class="line"><a name="l01603"></a><span class="lineno"> 1603</span>  k[0] >>= 7;</div>
|
|
<div class="line"><a name="l01604"></a><span class="lineno"> 1604</span>  <span class="keywordflow">if</span> (<a class="code" href="classP521.html#a5802ebd25142789bb2df930ecd765d39">isValidPrivateKey</a>(k))</div>
|
|
<div class="line"><a name="l01605"></a><span class="lineno"> 1605</span>  <span class="keywordflow">break</span>;</div>
|
|
<div class="line"><a name="l01606"></a><span class="lineno"> 1606</span> </div>
|
|
<div class="line"><a name="l01607"></a><span class="lineno"> 1607</span>  <span class="comment">// Generate new K and V values and try again.</span></div>
|
|
<div class="line"><a name="l01608"></a><span class="lineno"> 1608</span>  <span class="comment">// K = HMAC_K(V || 0x00)</span></div>
|
|
<div class="line"><a name="l01609"></a><span class="lineno"> 1609</span>  <span class="comment">// V = HMAC_K(V)</span></div>
|
|
<div class="line"><a name="l01610"></a><span class="lineno"> 1610</span>  hash-><a class="code" href="classHash.html#adf50359c1f525af884721cc9034e7945">resetHMAC</a>(K, hlen);</div>
|
|
<div class="line"><a name="l01611"></a><span class="lineno"> 1611</span>  hash-><a class="code" href="classHash.html#aec9761ee427d122e7450de8df200265c">update</a>(V, hlen);</div>
|
|
<div class="line"><a name="l01612"></a><span class="lineno"> 1612</span>  marker = 0x00;</div>
|
|
<div class="line"><a name="l01613"></a><span class="lineno"> 1613</span>  hash-><a class="code" href="classHash.html#aec9761ee427d122e7450de8df200265c">update</a>(&marker, 1);</div>
|
|
<div class="line"><a name="l01614"></a><span class="lineno"> 1614</span>  hash-><a class="code" href="classHash.html#aab42fa5420cc0bda4321a3d3866cfd06">finalizeHMAC</a>(K, hlen, K, hlen);</div>
|
|
<div class="line"><a name="l01615"></a><span class="lineno"> 1615</span>  hash-><a class="code" href="classHash.html#adf50359c1f525af884721cc9034e7945">resetHMAC</a>(K, hlen);</div>
|
|
<div class="line"><a name="l01616"></a><span class="lineno"> 1616</span>  hash-><a class="code" href="classHash.html#aec9761ee427d122e7450de8df200265c">update</a>(V, hlen);</div>
|
|
<div class="line"><a name="l01617"></a><span class="lineno"> 1617</span>  hash-><a class="code" href="classHash.html#aab42fa5420cc0bda4321a3d3866cfd06">finalizeHMAC</a>(K, hlen, V, hlen);</div>
|
|
<div class="line"><a name="l01618"></a><span class="lineno"> 1618</span>  }</div>
|
|
<div class="line"><a name="l01619"></a><span class="lineno"> 1619</span> </div>
|
|
<div class="line"><a name="l01620"></a><span class="lineno"> 1620</span>  <span class="comment">// Clean up.</span></div>
|
|
<div class="line"><a name="l01621"></a><span class="lineno"> 1621</span>  clean(V);</div>
|
|
<div class="line"><a name="l01622"></a><span class="lineno"> 1622</span>  clean(K);</div>
|
|
<div class="line"><a name="l01623"></a><span class="lineno"> 1623</span> }</div>
|
|
<div class="line"><a name="l01624"></a><span class="lineno"> 1624</span> </div>
|
|
<div class="line"><a name="l01637"></a><span class="lineno"> 1637</span> <span class="keywordtype">void</span> P521::generateK(uint8_t k[66], <span class="keyword">const</span> uint8_t hm[66],</div>
|
|
<div class="line"><a name="l01638"></a><span class="lineno"> 1638</span>  <span class="keyword">const</span> uint8_t x[66], uint64_t count)</div>
|
|
<div class="line"><a name="l01639"></a><span class="lineno"> 1639</span> {</div>
|
|
<div class="line"><a name="l01640"></a><span class="lineno"> 1640</span>  <a class="code" href="classSHA512.html">SHA512</a> hash;</div>
|
|
<div class="line"><a name="l01641"></a><span class="lineno"> 1641</span>  generateK(k, hm, x, &hash, count);</div>
|
|
<div class="line"><a name="l01642"></a><span class="lineno"> 1642</span> }</div>
|
|
<div class="ttc" id="classBigNumberUtil_html_a00c9cde0b626788a60552a6bc9ce058b"><div class="ttname"><a href="classBigNumberUtil.html#a00c9cde0b626788a60552a6bc9ce058b">BigNumberUtil::reduceQuick_P</a></div><div class="ttdeci">static void reduceQuick_P(limb_t *result, const limb_t *x, const limb_t *y, size_t size)</div><div class="ttdoc">Reduces x modulo y using subtraction where y is in program memory. </div><div class="ttdef"><b>Definition:</b> <a href="BigNumberUtil_8cpp_source.html#l00734">BigNumberUtil.cpp:734</a></div></div>
|
|
<div class="ttc" id="classP521_html_ac2e07ce7e846ba180938b41b4a2ae563"><div class="ttname"><a href="classP521.html#ac2e07ce7e846ba180938b41b4a2ae563">P521::eval</a></div><div class="ttdeci">static bool eval(uint8_t result[132], const uint8_t f[66], const uint8_t point[132])</div><div class="ttdoc">Evaluates the curve function. </div><div class="ttdef"><b>Definition:</b> <a href="P521_8cpp_source.html#l00135">P521.cpp:135</a></div></div>
|
|
<div class="ttc" id="classBigNumberUtil_html_aa6904b2727af6b767fe041b1b7f27414"><div class="ttname"><a href="classBigNumberUtil.html#aa6904b2727af6b767fe041b1b7f27414">BigNumberUtil::add</a></div><div class="ttdeci">static limb_t add(limb_t *result, const limb_t *x, const limb_t *y, size_t size)</div><div class="ttdoc">Adds two big numbers. </div><div class="ttdef"><b>Definition:</b> <a href="BigNumberUtil_8cpp_source.html#l00495">BigNumberUtil.cpp:495</a></div></div>
|
|
<div class="ttc" id="classP521_html_ae5b727018648e4a165f504024c4ccc45"><div class="ttname"><a href="classP521.html#ae5b727018648e4a165f504024c4ccc45">P521::generatePrivateKey</a></div><div class="ttdeci">static void generatePrivateKey(uint8_t privateKey[66])</div><div class="ttdoc">Generates a private key for P-521 signing operations. </div><div class="ttdef"><b>Definition:</b> <a href="P521_8cpp_source.html#l00466">P521.cpp:466</a></div></div>
|
|
<div class="ttc" id="classBigNumberUtil_html_af0fa1527647af42b65eda6b0aab982b3"><div class="ttname"><a href="classBigNumberUtil.html#af0fa1527647af42b65eda6b0aab982b3">BigNumberUtil::sub_P</a></div><div class="ttdeci">static limb_t sub_P(limb_t *result, const limb_t *x, const limb_t *y, size_t size)</div><div class="ttdoc">Subtracts one big number from another where one is in program memory. </div><div class="ttdef"><b>Definition:</b> <a href="BigNumberUtil_8cpp_source.html#l00655">BigNumberUtil.cpp:655</a></div></div>
|
|
<div class="ttc" id="classRNGClass_html_a418a833cf18198fd7e5d6dbd78c99c29"><div class="ttname"><a href="classRNGClass.html#a418a833cf18198fd7e5d6dbd78c99c29">RNGClass::rand</a></div><div class="ttdeci">void rand(uint8_t *data, size_t len)</div><div class="ttdoc">Generates random bytes into a caller-supplied buffer. </div><div class="ttdef"><b>Definition:</b> <a href="RNG_8cpp_source.html#l00566">RNG.cpp:566</a></div></div>
|
|
<div class="ttc" id="classP521_html_a7b9d4f74cc2d71a488a33ab165537491"><div class="ttname"><a href="classP521.html#a7b9d4f74cc2d71a488a33ab165537491">P521::dh2</a></div><div class="ttdeci">static bool dh2(const uint8_t k[132], uint8_t f[66])</div><div class="ttdoc">Performs phase 2 of an ECDH key exchange using P-521. </div><div class="ttdef"><b>Definition:</b> <a href="P521_8cpp_source.html#l00229">P521.cpp:229</a></div></div>
|
|
<div class="ttc" id="classHash_html"><div class="ttname"><a href="classHash.html">Hash</a></div><div class="ttdoc">Abstract base class for cryptographic hash algorithms. </div><div class="ttdef"><b>Definition:</b> <a href="Hash_8h_source.html#l00029">Hash.h:29</a></div></div>
|
|
<div class="ttc" id="classHash_html_aab42fa5420cc0bda4321a3d3866cfd06"><div class="ttname"><a href="classHash.html#aab42fa5420cc0bda4321a3d3866cfd06">Hash::finalizeHMAC</a></div><div class="ttdeci">virtual void finalizeHMAC(const void *key, size_t keyLen, void *hash, size_t hashLen)=0</div><div class="ttdoc">Finalizes the HMAC hashing process and returns the hash. </div></div>
|
|
<div class="ttc" id="classP521_html_a5802ebd25142789bb2df930ecd765d39"><div class="ttname"><a href="classP521.html#a5802ebd25142789bb2df930ecd765d39">P521::isValidPrivateKey</a></div><div class="ttdeci">static bool isValidPrivateKey(const uint8_t privateKey[66])</div><div class="ttdoc">Validates a private key value to ensure that it is between 1 and q - 1. </div><div class="ttdef"><b>Definition:</b> <a href="P521_8cpp_source.html#l00524">P521.cpp:524</a></div></div>
|
|
<div class="ttc" id="classSHA512_html"><div class="ttname"><a href="classSHA512.html">SHA512</a></div><div class="ttdoc">SHA-512 hash algorithm. </div><div class="ttdef"><b>Definition:</b> <a href="SHA512_8h_source.html#l00030">SHA512.h:30</a></div></div>
|
|
<div class="ttc" id="classP521_html_a15ca802e298c7ff3be06924b0edb7daa"><div class="ttname"><a href="classP521.html#a15ca802e298c7ff3be06924b0edb7daa">P521::derivePublicKey</a></div><div class="ttdeci">static void derivePublicKey(uint8_t publicKey[132], const uint8_t privateKey[66])</div><div class="ttdoc">Derives the public key from a private key for P-521 signing operations. </div><div class="ttdef"><b>Definition:</b> <a href="P521_8cpp_source.html#l00497">P521.cpp:497</a></div></div>
|
|
<div class="ttc" id="classP521_html_ab050ceff65e49b646b8157fe1474288a"><div class="ttname"><a href="classP521.html#ab050ceff65e49b646b8157fe1474288a">P521::sign</a></div><div class="ttdeci">static void sign(uint8_t signature[132], const uint8_t privateKey[66], const void *message, size_t len, Hash *hash=0)</div><div class="ttdoc">Signs a message using a specific P-521 private key. </div><div class="ttdef"><b>Definition:</b> <a href="P521_8cpp_source.html#l00276">P521.cpp:276</a></div></div>
|
|
<div class="ttc" id="classBigNumberUtil_html_a6618e03bfcb3086961df508b40cc1e67"><div class="ttname"><a href="classBigNumberUtil.html#a6618e03bfcb3086961df508b40cc1e67">BigNumberUtil::sub</a></div><div class="ttdeci">static limb_t sub(limb_t *result, const limb_t *x, const limb_t *y, size_t size)</div><div class="ttdoc">Subtracts one big number from another. </div><div class="ttdef"><b>Definition:</b> <a href="BigNumberUtil_8cpp_source.html#l00522">BigNumberUtil.cpp:522</a></div></div>
|
|
<div class="ttc" id="classHash_html_a7b94309acaa5f52386785fb780e5be61"><div class="ttname"><a href="classHash.html#a7b94309acaa5f52386785fb780e5be61">Hash::reset</a></div><div class="ttdeci">virtual void reset()=0</div><div class="ttdoc">Resets the hash ready for a new hashing process. </div></div>
|
|
<div class="ttc" id="classP521_html_ae04c439804f445535295bf44ae56afbf"><div class="ttname"><a href="classP521.html#ae04c439804f445535295bf44ae56afbf">P521::dh1</a></div><div class="ttdeci">static void dh1(uint8_t k[132], uint8_t f[66])</div><div class="ttdoc">Performs phase 1 of an ECDH key exchange using P-521. </div><div class="ttdef"><b>Definition:</b> <a href="P521_8cpp_source.html#l00208">P521.cpp:208</a></div></div>
|
|
<div class="ttc" id="classBigNumberUtil_html_aacdee1806a239eb9e58753ef1ddb964a"><div class="ttname"><a href="classBigNumberUtil.html#aacdee1806a239eb9e58753ef1ddb964a">BigNumberUtil::mul_P</a></div><div class="ttdeci">static void mul_P(limb_t *result, const limb_t *x, size_t xcount, const limb_t *y, size_t ycount)</div><div class="ttdoc">Multiplies two big numbers where one is in program memory. </div><div class="ttdef"><b>Definition:</b> <a href="BigNumberUtil_8cpp_source.html#l00680">BigNumberUtil.cpp:680</a></div></div>
|
|
<div class="ttc" id="classBigNumberUtil_html_af49dd38173ea0310776d283aabea2ba0"><div class="ttname"><a href="classBigNumberUtil.html#af49dd38173ea0310776d283aabea2ba0">BigNumberUtil::packBE</a></div><div class="ttdeci">static void packBE(uint8_t *bytes, size_t len, const limb_t *limbs, size_t count)</div><div class="ttdoc">Packs the big-endian byte representation of a big number into a byte array. </div><div class="ttdef"><b>Definition:</b> <a href="BigNumberUtil_8cpp_source.html#l00375">BigNumberUtil.cpp:375</a></div></div>
|
|
<div class="ttc" id="classHash_html_adf50359c1f525af884721cc9034e7945"><div class="ttname"><a href="classHash.html#adf50359c1f525af884721cc9034e7945">Hash::resetHMAC</a></div><div class="ttdeci">virtual void resetHMAC(const void *key, size_t keyLen)=0</div><div class="ttdoc">Resets the hash ready for a new HMAC hashing process. </div></div>
|
|
<div class="ttc" id="classP521_html_ab075909f5cecbb801c6b7c41f20de223"><div class="ttname"><a href="classP521.html#ab075909f5cecbb801c6b7c41f20de223">P521::verify</a></div><div class="ttdeci">static bool verify(const uint8_t signature[132], const uint8_t publicKey[132], const void *message, size_t len, Hash *hash=0)</div><div class="ttdoc">Verifies a signature using a specific P-521 public key. </div><div class="ttdef"><b>Definition:</b> <a href="P521_8cpp_source.html#l00373">P521.cpp:373</a></div></div>
|
|
<div class="ttc" id="classP521_html_af0bd7851bb15b737a821320b394aec96"><div class="ttname"><a href="classP521.html#af0bd7851bb15b737a821320b394aec96">P521::isValidPublicKey</a></div><div class="ttdeci">static bool isValidPublicKey(const uint8_t publicKey[132])</div><div class="ttdoc">Validates a public key to ensure that it is a valid curve point. </div><div class="ttdef"><b>Definition:</b> <a href="P521_8cpp_source.html#l00564">P521.cpp:564</a></div></div>
|
|
<div class="ttc" id="classBigNumberUtil_html_a63f9d7884eb36227d39e1b95e219d865"><div class="ttname"><a href="classBigNumberUtil.html#a63f9d7884eb36227d39e1b95e219d865">BigNumberUtil::unpackBE</a></div><div class="ttdeci">static void unpackBE(limb_t *limbs, size_t count, const uint8_t *bytes, size_t len)</div><div class="ttdoc">Unpacks the big-endian byte representation of a big number into a limb array. </div><div class="ttdef"><b>Definition:</b> <a href="BigNumberUtil_8cpp_source.html#l00163">BigNumberUtil.cpp:163</a></div></div>
|
|
<div class="ttc" id="classHash_html_adcdd30de3e5ecaa2f798c0c5644d9ef8"><div class="ttname"><a href="classHash.html#adcdd30de3e5ecaa2f798c0c5644d9ef8">Hash::hashSize</a></div><div class="ttdeci">virtual size_t hashSize() const =0</div><div class="ttdoc">Size of the hash result from finalize(). </div></div>
|
|
<div class="ttc" id="classHash_html_aec9761ee427d122e7450de8df200265c"><div class="ttname"><a href="classHash.html#aec9761ee427d122e7450de8df200265c">Hash::update</a></div><div class="ttdeci">virtual void update(const void *data, size_t len)=0</div><div class="ttdoc">Updates the hash with more data. </div></div>
|
|
<div class="ttc" id="classHash_html_a09b3ccec22763fc86b1415695862977c"><div class="ttname"><a href="classHash.html#a09b3ccec22763fc86b1415695862977c">Hash::finalize</a></div><div class="ttdeci">virtual void finalize(void *hash, size_t len)=0</div><div class="ttdoc">Finalizes the hashing process and returns the hash. </div></div>
|
|
<div class="ttc" id="classBigNumberUtil_html_ad0aafacd8e224bd543341973c62ff1dd"><div class="ttname"><a href="classBigNumberUtil.html#ad0aafacd8e224bd543341973c62ff1dd">BigNumberUtil::isZero</a></div><div class="ttdeci">static limb_t isZero(const limb_t *x, size_t size)</div><div class="ttdoc">Determine if a big number is zero. </div><div class="ttdef"><b>Definition:</b> <a href="BigNumberUtil_8cpp_source.html#l00761">BigNumberUtil.cpp:761</a></div></div>
|
|
</div><!-- fragment --></div><!-- contents -->
|
|
|
|
</body>
|
|
</html>
|