PolarSSL v1.3.8
ecp_curves.c
Go to the documentation of this file.
1 /*
2  * Elliptic curves over GF(p): curve-specific data and functions
3  *
4  * Copyright (C) 2006-2014, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 #if !defined(POLARSSL_CONFIG_FILE)
27 #include "polarssl/config.h"
28 #else
29 #include POLARSSL_CONFIG_FILE
30 #endif
31 
32 #if defined(POLARSSL_ECP_C)
33 
34 #include "polarssl/ecp.h"
35 
36 #if defined(_MSC_VER) && !defined(inline)
37 #define inline _inline
38 #else
39 #if defined(__ARMCC_VERSION) && !defined(inline)
40 #define inline __inline
41 #endif /* __ARMCC_VERSION */
42 #endif /*_MSC_VER */
43 
44 /*
45  * Conversion macros for embedded constants:
46  * build lists of t_uint's from lists of unsigned char's grouped by 8, 4 or 2
47  */
48 #if defined(POLARSSL_HAVE_INT8)
49 
50 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
51  a, b, c, d, e, f, g, h
52 
53 #define BYTES_TO_T_UINT_4( a, b, c, d ) \
54  a, b, c, d
55 
56 #define BYTES_TO_T_UINT_2( a, b ) \
57  a, b
58 
59 #elif defined(POLARSSL_HAVE_INT16)
60 
61 #define BYTES_TO_T_UINT_2( a, b ) \
62  ( (t_uint) a << 0 ) | \
63  ( (t_uint) b << 8 )
64 
65 #define BYTES_TO_T_UINT_4( a, b, c, d ) \
66  BYTES_TO_T_UINT_2( a, b ), \
67  BYTES_TO_T_UINT_2( c, d )
68 
69 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
70  BYTES_TO_T_UINT_2( a, b ), \
71  BYTES_TO_T_UINT_2( c, d ), \
72  BYTES_TO_T_UINT_2( e, f ), \
73  BYTES_TO_T_UINT_2( g, h )
74 
75 #elif defined(POLARSSL_HAVE_INT32)
76 
77 #define BYTES_TO_T_UINT_4( a, b, c, d ) \
78  ( (t_uint) a << 0 ) | \
79  ( (t_uint) b << 8 ) | \
80  ( (t_uint) c << 16 ) | \
81  ( (t_uint) d << 24 )
82 
83 #define BYTES_TO_T_UINT_2( a, b ) \
84  BYTES_TO_T_UINT_4( a, b, 0, 0 )
85 
86 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
87  BYTES_TO_T_UINT_4( a, b, c, d ), \
88  BYTES_TO_T_UINT_4( e, f, g, h )
89 
90 #else /* 64-bits */
91 
92 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
93  ( (t_uint) a << 0 ) | \
94  ( (t_uint) b << 8 ) | \
95  ( (t_uint) c << 16 ) | \
96  ( (t_uint) d << 24 ) | \
97  ( (t_uint) e << 32 ) | \
98  ( (t_uint) f << 40 ) | \
99  ( (t_uint) g << 48 ) | \
100  ( (t_uint) h << 56 )
101 
102 #define BYTES_TO_T_UINT_4( a, b, c, d ) \
103  BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 )
104 
105 #define BYTES_TO_T_UINT_2( a, b ) \
106  BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 )
107 
108 #endif /* bits in t_uint */
109 
110 /*
111  * Note: the constants are in little-endian order
112  * to be directly usable in MPIs
113  */
114 
115 /*
116  * Domain parameters for secp192r1
117  */
118 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
119 static const t_uint secp192r1_p[] = {
120  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
121  BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
122  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
123 };
124 static const t_uint secp192r1_b[] = {
125  BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ),
126  BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ),
127  BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ),
128 };
129 static const t_uint secp192r1_gx[] = {
130  BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ),
131  BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ),
132  BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ),
133 };
134 static const t_uint secp192r1_gy[] = {
135  BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ),
136  BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ),
137  BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ),
138 };
139 static const t_uint secp192r1_n[] = {
140  BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ),
141  BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ),
142  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
143 };
144 #endif /* POLARSSL_ECP_DP_SECP192R1_ENABLED */
145 
146 /*
147  * Domain parameters for secp224r1
148  */
149 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
150 static const t_uint secp224r1_p[] = {
151  BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
152  BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
153  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
154  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
155 };
156 static const t_uint secp224r1_b[] = {
157  BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ),
158  BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ),
159  BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ),
160  BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ),
161 };
162 static const t_uint secp224r1_gx[] = {
163  BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ),
164  BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ),
165  BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ),
166  BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ),
167 };
168 static const t_uint secp224r1_gy[] = {
169  BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ),
170  BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ),
171  BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ),
172  BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ),
173 };
174 static const t_uint secp224r1_n[] = {
175  BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ),
176  BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ),
177  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
178  BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
179 };
180 #endif /* POLARSSL_ECP_DP_SECP224R1_ENABLED */
181 
182 /*
183  * Domain parameters for secp256r1
184  */
185 #if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
186 static const t_uint secp256r1_p[] = {
187  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
188  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
189  BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
190  BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
191 };
192 static const t_uint secp256r1_b[] = {
193  BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ),
194  BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ),
195  BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ),
196  BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ),
197 };
198 static const t_uint secp256r1_gx[] = {
199  BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ),
200  BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ),
201  BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ),
202  BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ),
203 };
204 static const t_uint secp256r1_gy[] = {
205  BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ),
206  BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ),
207  BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ),
208  BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ),
209 };
210 static const t_uint secp256r1_n[] = {
211  BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ),
212  BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ),
213  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
214  BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
215 };
216 #endif /* POLARSSL_ECP_DP_SECP256R1_ENABLED */
217 
218 /*
219  * Domain parameters for secp384r1
220  */
221 #if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
222 static const t_uint secp384r1_p[] = {
223  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
224  BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
225  BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
226  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
227  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
228  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
229 };
230 static const t_uint secp384r1_b[] = {
231  BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ),
232  BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ),
233  BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ),
234  BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ),
235  BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ),
236  BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ),
237 };
238 static const t_uint secp384r1_gx[] = {
239  BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ),
240  BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ),
241  BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ),
242  BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ),
243  BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ),
244  BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ),
245 };
246 static const t_uint secp384r1_gy[] = {
247  BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ),
248  BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ),
249  BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ),
250  BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ),
251  BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ),
252  BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ),
253 };
254 static const t_uint secp384r1_n[] = {
255  BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ),
256  BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ),
257  BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ),
258  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
259  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
260  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
261 };
262 #endif /* POLARSSL_ECP_DP_SECP384R1_ENABLED */
263 
264 /*
265  * Domain parameters for secp521r1
266  */
267 #if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
268 static const t_uint secp521r1_p[] = {
269  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
270  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
271  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
272  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
273  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
274  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
275  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
276  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
277  BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
278 };
279 static const t_uint secp521r1_b[] = {
280  BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ),
281  BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ),
282  BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ),
283  BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ),
284  BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ),
285  BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ),
286  BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ),
287  BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ),
288  BYTES_TO_T_UINT_2( 0x51, 0x00 ),
289 };
290 static const t_uint secp521r1_gx[] = {
291  BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ),
292  BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ),
293  BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ),
294  BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ),
295  BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ),
296  BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ),
297  BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ),
298  BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ),
299  BYTES_TO_T_UINT_2( 0xC6, 0x00 ),
300 };
301 static const t_uint secp521r1_gy[] = {
302  BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ),
303  BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ),
304  BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ),
305  BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ),
306  BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ),
307  BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ),
308  BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ),
309  BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ),
310  BYTES_TO_T_UINT_2( 0x18, 0x01 ),
311 };
312 static const t_uint secp521r1_n[] = {
313  BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ),
314  BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ),
315  BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ),
316  BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ),
317  BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
318  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
319  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
320  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
321  BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
322 };
323 #endif /* POLARSSL_ECP_DP_SECP521R1_ENABLED */
324 
325 #if defined(POLARSSL_ECP_DP_SECP192K1_ENABLED)
326 static const t_uint secp192k1_p[] = {
327  BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
328  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
329  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
330 };
331 static const t_uint secp192k1_a[] = {
332  BYTES_TO_T_UINT_2( 0x00, 0x00 ),
333 };
334 static const t_uint secp192k1_b[] = {
335  BYTES_TO_T_UINT_2( 0x03, 0x00 ),
336 };
337 static const t_uint secp192k1_gx[] = {
338  BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ),
339  BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ),
340  BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ),
341 };
342 static const t_uint secp192k1_gy[] = {
343  BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ),
344  BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ),
345  BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ),
346 };
347 static const t_uint secp192k1_n[] = {
348  BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ),
349  BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ),
350  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
351 };
352 #endif /* POLARSSL_ECP_DP_SECP192K1_ENABLED */
353 
354 #if defined(POLARSSL_ECP_DP_SECP224K1_ENABLED)
355 static const t_uint secp224k1_p[] = {
356  BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
357  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
358  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
359  BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
360 };
361 static const t_uint secp224k1_a[] = {
362  BYTES_TO_T_UINT_2( 0x00, 0x00 ),
363 };
364 static const t_uint secp224k1_b[] = {
365  BYTES_TO_T_UINT_2( 0x05, 0x00 ),
366 };
367 static const t_uint secp224k1_gx[] = {
368  BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ),
369  BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ),
370  BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ),
371  BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ),
372 };
373 static const t_uint secp224k1_gy[] = {
374  BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ),
375  BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ),
376  BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ),
377  BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ),
378 };
379 static const t_uint secp224k1_n[] = {
380  BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ),
381  BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ),
382  BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
383  BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ),
384 };
385 #endif /* POLARSSL_ECP_DP_SECP224K1_ENABLED */
386 
387 #if defined(POLARSSL_ECP_DP_SECP256K1_ENABLED)
388 static const t_uint secp256k1_p[] = {
389  BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
390  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
391  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
392  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
393 };
394 static const t_uint secp256k1_a[] = {
395  BYTES_TO_T_UINT_2( 0x00, 0x00 ),
396 };
397 static const t_uint secp256k1_b[] = {
398  BYTES_TO_T_UINT_2( 0x07, 0x00 ),
399 };
400 static const t_uint secp256k1_gx[] = {
401  BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ),
402  BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ),
403  BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ),
404  BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ),
405 };
406 static const t_uint secp256k1_gy[] = {
407  BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ),
408  BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ),
409  BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ),
410  BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ),
411 };
412 static const t_uint secp256k1_n[] = {
413  BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ),
414  BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ),
415  BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
416  BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
417 };
418 #endif /* POLARSSL_ECP_DP_SECP256K1_ENABLED */
419 
420 /*
421  * Domain parameters for brainpoolP256r1 (RFC 5639 3.4)
422  */
423 #if defined(POLARSSL_ECP_DP_BP256R1_ENABLED)
424 static const t_uint brainpoolP256r1_p[] = {
425  BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ),
426  BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ),
427  BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
428  BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
429 };
430 static const t_uint brainpoolP256r1_a[] = {
431  BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ),
432  BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ),
433  BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ),
434  BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ),
435 };
436 static const t_uint brainpoolP256r1_b[] = {
437  BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ),
438  BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ),
439  BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ),
440  BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ),
441 };
442 static const t_uint brainpoolP256r1_gx[] = {
443  BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ),
444  BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ),
445  BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ),
446  BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ),
447 };
448 static const t_uint brainpoolP256r1_gy[] = {
449  BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ),
450  BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ),
451  BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ),
452  BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ),
453 };
454 static const t_uint brainpoolP256r1_n[] = {
455  BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ),
456  BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ),
457  BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
458  BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
459 };
460 #endif /* POLARSSL_ECP_DP_BP256R1_ENABLED */
461 
462 /*
463  * Domain parameters for brainpoolP384r1 (RFC 5639 3.6)
464  */
465 #if defined(POLARSSL_ECP_DP_BP384R1_ENABLED)
466 static const t_uint brainpoolP384r1_p[] = {
467  BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ),
468  BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ),
469  BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ),
470  BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
471  BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
472  BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
473 };
474 static const t_uint brainpoolP384r1_a[] = {
475  BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
476  BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ),
477  BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ),
478  BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ),
479  BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ),
480  BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ),
481 };
482 static const t_uint brainpoolP384r1_b[] = {
483  BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ),
484  BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ),
485  BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ),
486  BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ),
487  BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ),
488  BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
489 };
490 static const t_uint brainpoolP384r1_gx[] = {
491  BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ),
492  BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ),
493  BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ),
494  BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ),
495  BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ),
496  BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ),
497 };
498 static const t_uint brainpoolP384r1_gy[] = {
499  BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ),
500  BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ),
501  BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ),
502  BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ),
503  BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ),
504  BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ),
505 };
506 static const t_uint brainpoolP384r1_n[] = {
507  BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ),
508  BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ),
509  BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ),
510  BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
511  BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
512  BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
513 };
514 #endif /* POLARSSL_ECP_DP_BP384R1_ENABLED */
515 
516 /*
517  * Domain parameters for brainpoolP512r1 (RFC 5639 3.7)
518  */
519 #if defined(POLARSSL_ECP_DP_BP512R1_ENABLED)
520 static const t_uint brainpoolP512r1_p[] = {
521  BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ),
522  BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ),
523  BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ),
524  BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ),
525  BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
526  BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
527  BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
528  BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
529 };
530 static const t_uint brainpoolP512r1_a[] = {
531  BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ),
532  BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ),
533  BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ),
534  BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ),
535  BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ),
536  BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ),
537  BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ),
538  BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ),
539 };
540 static const t_uint brainpoolP512r1_b[] = {
541  BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ),
542  BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ),
543  BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ),
544  BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ),
545  BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ),
546  BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ),
547  BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ),
548  BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ),
549 };
550 static const t_uint brainpoolP512r1_gx[] = {
551  BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ),
552  BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ),
553  BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ),
554  BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ),
555  BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ),
556  BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ),
557  BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ),
558  BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ),
559 };
560 static const t_uint brainpoolP512r1_gy[] = {
561  BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ),
562  BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ),
563  BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ),
564  BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ),
565  BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ),
566  BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ),
567  BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ),
568  BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ),
569 };
570 static const t_uint brainpoolP512r1_n[] = {
571  BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ),
572  BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ),
573  BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ),
574  BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ),
575  BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
576  BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
577  BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
578  BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
579 };
580 #endif /* POLARSSL_ECP_DP_BP512R1_ENABLED */
581 
582 /*
583  * Create an MPI from embedded constants
584  * (assumes len is an exact multiple of sizeof t_uint)
585  */
586 static inline void ecp_mpi_load( mpi *X, const t_uint *p, size_t len )
587 {
588  X->s = 1;
589  X->n = len / sizeof( t_uint );
590  X->p = (t_uint *) p;
591 }
592 
593 /*
594  * Set an MPI to static value 1
595  */
596 static inline void ecp_mpi_set1( mpi *X )
597 {
598  static t_uint one[] = { 1 };
599  X->s = 1;
600  X->n = 1;
601  X->p = one;
602 }
603 
604 /*
605  * Make group available from embedded constants
606  */
607 static int ecp_group_load( ecp_group *grp,
608  const t_uint *p, size_t plen,
609  const t_uint *a, size_t alen,
610  const t_uint *b, size_t blen,
611  const t_uint *gx, size_t gxlen,
612  const t_uint *gy, size_t gylen,
613  const t_uint *n, size_t nlen)
614 {
615  ecp_mpi_load( &grp->P, p, plen );
616  if( a != NULL )
617  ecp_mpi_load( &grp->A, a, alen );
618  ecp_mpi_load( &grp->B, b, blen );
619  ecp_mpi_load( &grp->N, n, nlen );
620 
621  ecp_mpi_load( &grp->G.X, gx, gxlen );
622  ecp_mpi_load( &grp->G.Y, gy, gylen );
623  ecp_mpi_set1( &grp->G.Z );
624 
625  grp->pbits = mpi_msb( &grp->P );
626  grp->nbits = mpi_msb( &grp->N );
627 
628  grp->h = 1;
629 
630  return( 0 );
631 }
632 
633 #if defined(POLARSSL_ECP_NIST_OPTIM)
634 /* Forward declarations */
635 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
636 static int ecp_mod_p192( mpi * );
637 #endif
638 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
639 static int ecp_mod_p224( mpi * );
640 #endif
641 #if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
642 static int ecp_mod_p256( mpi * );
643 #endif
644 #if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
645 static int ecp_mod_p384( mpi * );
646 #endif
647 #if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
648 static int ecp_mod_p521( mpi * );
649 #endif
650 
651 #define NIST_MODP( P ) grp->modp = ecp_mod_ ## P;
652 #else
653 #define NIST_MODP( P )
654 #endif /* POLARSSL_ECP_NIST_OPTIM */
655 
656 /* Additional forward declarations */
657 #if defined(POLARSSL_ECP_DP_M255_ENABLED)
658 static int ecp_mod_p255( mpi * );
659 #endif
660 #if defined(POLARSSL_ECP_DP_SECP192K1_ENABLED)
661 static int ecp_mod_p192k1( mpi * );
662 #endif
663 #if defined(POLARSSL_ECP_DP_SECP224K1_ENABLED)
664 static int ecp_mod_p224k1( mpi * );
665 #endif
666 #if defined(POLARSSL_ECP_DP_SECP256K1_ENABLED)
667 static int ecp_mod_p256k1( mpi * );
668 #endif
669 
670 #define LOAD_GROUP_A( G ) ecp_group_load( grp, \
671  G ## _p, sizeof( G ## _p ), \
672  G ## _a, sizeof( G ## _a ), \
673  G ## _b, sizeof( G ## _b ), \
674  G ## _gx, sizeof( G ## _gx ), \
675  G ## _gy, sizeof( G ## _gy ), \
676  G ## _n, sizeof( G ## _n ) )
677 
678 #define LOAD_GROUP( G ) ecp_group_load( grp, \
679  G ## _p, sizeof( G ## _p ), \
680  NULL, 0, \
681  G ## _b, sizeof( G ## _b ), \
682  G ## _gx, sizeof( G ## _gx ), \
683  G ## _gy, sizeof( G ## _gy ), \
684  G ## _n, sizeof( G ## _n ) )
685 
686 #if defined(POLARSSL_ECP_DP_M255_ENABLED)
687 /*
688  * Specialized function for creating the Curve25519 group
689  */
690 static int ecp_use_curve25519( ecp_group *grp )
691 {
692  int ret;
693 
694  /* Actually ( A + 2 ) / 4 */
695  MPI_CHK( mpi_read_string( &grp->A, 16, "01DB42" ) );
696 
697  /* P = 2^255 - 19 */
698  MPI_CHK( mpi_lset( &grp->P, 1 ) );
699  MPI_CHK( mpi_shift_l( &grp->P, 255 ) );
700  MPI_CHK( mpi_sub_int( &grp->P, &grp->P, 19 ) );
701  grp->pbits = mpi_msb( &grp->P );
702 
703  /* Y intentionaly not set, since we use x/z coordinates.
704  * This is used as a marker to identify Montgomery curves! */
705  MPI_CHK( mpi_lset( &grp->G.X, 9 ) );
706  MPI_CHK( mpi_lset( &grp->G.Z, 1 ) );
707  mpi_free( &grp->G.Y );
708 
709  /* Actually, the required msb for private keys */
710  grp->nbits = 254;
711 
712 cleanup:
713  if( ret != 0 )
714  ecp_group_free( grp );
715 
716  return( ret );
717 }
718 #endif /* POLARSSL_ECP_DP_M255_ENABLED */
719 
720 /*
721  * Set a group using well-known domain parameters
722  */
724 {
725  ecp_group_free( grp );
726 
727  grp->id = id;
728 
729  switch( id )
730  {
731 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
733  NIST_MODP( p192 );
734  return( LOAD_GROUP( secp192r1 ) );
735 #endif /* POLARSSL_ECP_DP_SECP192R1_ENABLED */
736 
737 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
739  NIST_MODP( p224 );
740  return( LOAD_GROUP( secp224r1 ) );
741 #endif /* POLARSSL_ECP_DP_SECP224R1_ENABLED */
742 
743 #if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
745  NIST_MODP( p256 );
746  return( LOAD_GROUP( secp256r1 ) );
747 #endif /* POLARSSL_ECP_DP_SECP256R1_ENABLED */
748 
749 #if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
751  NIST_MODP( p384 );
752  return( LOAD_GROUP( secp384r1 ) );
753 #endif /* POLARSSL_ECP_DP_SECP384R1_ENABLED */
754 
755 #if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
757  NIST_MODP( p521 );
758  return( LOAD_GROUP( secp521r1 ) );
759 #endif /* POLARSSL_ECP_DP_SECP521R1_ENABLED */
760 
761 #if defined(POLARSSL_ECP_DP_SECP192K1_ENABLED)
763  grp->modp = ecp_mod_p192k1;
764  return( LOAD_GROUP_A( secp192k1 ) );
765 #endif /* POLARSSL_ECP_DP_SECP192K1_ENABLED */
766 
767 #if defined(POLARSSL_ECP_DP_SECP224K1_ENABLED)
769  grp->modp = ecp_mod_p224k1;
770  return( LOAD_GROUP_A( secp224k1 ) );
771 #endif /* POLARSSL_ECP_DP_SECP224K1_ENABLED */
772 
773 #if defined(POLARSSL_ECP_DP_SECP256K1_ENABLED)
775  grp->modp = ecp_mod_p256k1;
776  return( LOAD_GROUP_A( secp256k1 ) );
777 #endif /* POLARSSL_ECP_DP_SECP256K1_ENABLED */
778 
779 #if defined(POLARSSL_ECP_DP_BP256R1_ENABLED)
781  return( LOAD_GROUP_A( brainpoolP256r1 ) );
782 #endif /* POLARSSL_ECP_DP_BP256R1_ENABLED */
783 
784 #if defined(POLARSSL_ECP_DP_BP384R1_ENABLED)
786  return( LOAD_GROUP_A( brainpoolP384r1 ) );
787 #endif /* POLARSSL_ECP_DP_BP384R1_ENABLED */
788 
789 #if defined(POLARSSL_ECP_DP_BP512R1_ENABLED)
791  return( LOAD_GROUP_A( brainpoolP512r1 ) );
792 #endif /* POLARSSL_ECP_DP_BP512R1_ENABLED */
793 
794 #if defined(POLARSSL_ECP_DP_M255_ENABLED)
796  grp->modp = ecp_mod_p255;
797  return( ecp_use_curve25519( grp ) );
798 #endif /* POLARSSL_ECP_DP_M255_ENABLED */
799 
800  default:
801  ecp_group_free( grp );
803  }
804 }
805 
806 #if defined(POLARSSL_ECP_NIST_OPTIM)
807 /*
808  * Fast reduction modulo the primes used by the NIST curves.
809  *
810  * These functions are critical for speed, but not needed for correct
811  * operations. So, we make the choice to heavily rely on the internals of our
812  * bignum library, which creates a tight coupling between these functions and
813  * our MPI implementation. However, the coupling between the ECP module and
814  * MPI remains loose, since these functions can be deactivated at will.
815  */
816 
817 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
818 /*
819  * Compared to the way things are presented in FIPS 186-3 D.2,
820  * we proceed in columns, from right (least significant chunk) to left,
821  * adding chunks to N in place, and keeping a carry for the next chunk.
822  * This avoids moving things around in memory, and uselessly adding zeros,
823  * compared to the more straightforward, line-oriented approach.
824  *
825  * For this prime we need to handle data in chunks of 64 bits.
826  * Since this is always a multiple of our basic t_uint, we can
827  * use a t_uint * to designate such a chunk, and small loops to handle it.
828  */
829 
830 /* Add 64-bit chunks (dst += src) and update carry */
831 static inline void add64( t_uint *dst, t_uint *src, t_uint *carry )
832 {
833  unsigned char i;
834  t_uint c = 0;
835  for( i = 0; i < 8 / sizeof( t_uint ); i++, dst++, src++ )
836  {
837  *dst += c; c = ( *dst < c );
838  *dst += *src; c += ( *dst < *src );
839  }
840  *carry += c;
841 }
842 
843 /* Add carry to a 64-bit chunk and update carry */
844 static inline void carry64( t_uint *dst, t_uint *carry )
845 {
846  unsigned char i;
847  for( i = 0; i < 8 / sizeof( t_uint ); i++, dst++ )
848  {
849  *dst += *carry;
850  *carry = ( *dst < *carry );
851  }
852 }
853 
854 #define WIDTH 8 / sizeof( t_uint )
855 #define A( i ) N->p + i * WIDTH
856 #define ADD( i ) add64( p, A( i ), &c )
857 #define NEXT p += WIDTH; carry64( p, &c )
858 #define LAST p += WIDTH; *p = c; while( ++p < end ) *p = 0
859 
860 /*
861  * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
862  */
863 static int ecp_mod_p192( mpi *N )
864 {
865  int ret;
866  t_uint c = 0;
867  t_uint *p, *end;
868 
869  /* Make sure we have enough blocks so that A(5) is legal */
870  MPI_CHK( mpi_grow( N, 6 * WIDTH ) );
871 
872  p = N->p;
873  end = p + N->n;
874 
875  ADD( 3 ); ADD( 5 ); NEXT; // A0 += A3 + A5
876  ADD( 3 ); ADD( 4 ); ADD( 5 ); NEXT; // A1 += A3 + A4 + A5
877  ADD( 4 ); ADD( 5 ); LAST; // A2 += A4 + A5
878 
879 cleanup:
880  return( ret );
881 }
882 
883 #undef WIDTH
884 #undef A
885 #undef ADD
886 #undef NEXT
887 #undef LAST
888 #endif /* POLARSSL_ECP_DP_SECP192R1_ENABLED */
889 
890 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED) || \
891  defined(POLARSSL_ECP_DP_SECP256R1_ENABLED) || \
892  defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
893 /*
894  * The reader is advised to first understand ecp_mod_p192() since the same
895  * general structure is used here, but with additional complications:
896  * (1) chunks of 32 bits, and (2) subtractions.
897  */
898 
899 /*
900  * For these primes, we need to handle data in chunks of 32 bits.
901  * This makes it more complicated if we use 64 bits limbs in MPI,
902  * which prevents us from using a uniform access method as for p192.
903  *
904  * So, we define a mini abstraction layer to access 32 bit chunks,
905  * load them in 'cur' for work, and store them back from 'cur' when done.
906  *
907  * While at it, also define the size of N in terms of 32-bit chunks.
908  */
909 #define LOAD32 cur = A( i );
910 
911 #if defined(POLARSSL_HAVE_INT8) /* 8 bit */
912 
913 #define MAX32 N->n / 4
914 #define A( j ) (uint32_t)( N->p[4*j+0] ) | \
915  ( N->p[4*j+1] << 8 ) | \
916  ( N->p[4*j+2] << 16 ) | \
917  ( N->p[4*j+3] << 24 )
918 #define STORE32 N->p[4*i+0] = (t_uint)( cur ); \
919  N->p[4*i+1] = (t_uint)( cur >> 8 ); \
920  N->p[4*i+2] = (t_uint)( cur >> 16 ); \
921  N->p[4*i+3] = (t_uint)( cur >> 24 );
922 
923 #elif defined(POLARSSL_HAVE_INT16) /* 16 bit */
924 
925 #define MAX32 N->n / 2
926 #define A( j ) (uint32_t)( N->p[2*j] ) | ( N->p[2*j+1] << 16 )
927 #define STORE32 N->p[2*i+0] = (t_uint)( cur ); \
928  N->p[2*i+1] = (t_uint)( cur >> 16 );
929 
930 #elif defined(POLARSSL_HAVE_INT32) /* 32 bit */
931 
932 #define MAX32 N->n
933 #define A( j ) N->p[j]
934 #define STORE32 N->p[i] = cur;
935 
936 #else /* 64-bit */
937 
938 #define MAX32 N->n * 2
939 #define A( j ) j % 2 ? (uint32_t)( N->p[j/2] >> 32 ) : (uint32_t)( N->p[j/2] )
940 #define STORE32 \
941  if( i % 2 ) { \
942  N->p[i/2] &= 0x00000000FFFFFFFF; \
943  N->p[i/2] |= ((t_uint) cur) << 32; \
944  } else { \
945  N->p[i/2] &= 0xFFFFFFFF00000000; \
946  N->p[i/2] |= (t_uint) cur; \
947  }
948 
949 #endif /* sizeof( t_uint ) */
950 
951 /*
952  * Helpers for addition and subtraction of chunks, with signed carry.
953  */
954 static inline void add32( uint32_t *dst, uint32_t src, signed char *carry )
955 {
956  *dst += src;
957  *carry += ( *dst < src );
958 }
959 
960 static inline void sub32( uint32_t *dst, uint32_t src, signed char *carry )
961 {
962  *carry -= ( *dst < src );
963  *dst -= src;
964 }
965 
966 #define ADD( j ) add32( &cur, A( j ), &c );
967 #define SUB( j ) sub32( &cur, A( j ), &c );
968 
969 /*
970  * Helpers for the main 'loop'
971  * (see fix_negative for the motivation of C)
972  */
973 #define INIT( b ) \
974  int ret; \
975  signed char c = 0, cc; \
976  uint32_t cur; \
977  size_t i = 0, bits = b; \
978  mpi C; \
979  t_uint Cp[ b / 8 / sizeof( t_uint) + 1 ]; \
980  \
981  C.s = 1; \
982  C.n = b / 8 / sizeof( t_uint) + 1; \
983  C.p = Cp; \
984  memset( Cp, 0, C.n * sizeof( t_uint ) ); \
985  \
986  MPI_CHK( mpi_grow( N, b * 2 / 8 / sizeof( t_uint ) ) ); \
987  LOAD32;
988 
989 #define NEXT \
990  STORE32; i++; LOAD32; \
991  cc = c; c = 0; \
992  if( cc < 0 ) \
993  sub32( &cur, -cc, &c ); \
994  else \
995  add32( &cur, cc, &c ); \
996 
997 #define LAST \
998  STORE32; i++; \
999  cur = c > 0 ? c : 0; STORE32; \
1000  cur = 0; while( ++i < MAX32 ) { STORE32; } \
1001  if( c < 0 ) fix_negative( N, c, &C, bits );
1002 
1003 /*
1004  * If the result is negative, we get it in the form
1005  * c * 2^(bits + 32) + N, with c negative and N positive shorter than 'bits'
1006  */
1007 static inline int fix_negative( mpi *N, signed char c, mpi *C, size_t bits )
1008 {
1009  int ret;
1010 
1011  /* C = - c * 2^(bits + 32) */
1012 #if !defined(POLARSSL_HAVE_INT64)
1013  ((void) bits);
1014 #else
1015  if( bits == 224 )
1016  C->p[ C->n - 1 ] = ((t_uint) -c) << 32;
1017  else
1018 #endif
1019  C->p[ C->n - 1 ] = (t_uint) -c;
1020 
1021  /* N = - ( C - N ) */
1022  MPI_CHK( mpi_sub_abs( N, C, N ) );
1023  N->s = -1;
1024 
1025 cleanup:
1026 
1027  return( ret );
1028 }
1029 
1030 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
1031 /*
1032  * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
1033  */
1034 static int ecp_mod_p224( mpi *N )
1035 {
1036  INIT( 224 );
1037 
1038  SUB( 7 ); SUB( 11 ); NEXT; // A0 += -A7 - A11
1039  SUB( 8 ); SUB( 12 ); NEXT; // A1 += -A8 - A12
1040  SUB( 9 ); SUB( 13 ); NEXT; // A2 += -A9 - A13
1041  SUB( 10 ); ADD( 7 ); ADD( 11 ); NEXT; // A3 += -A10 + A7 + A11
1042  SUB( 11 ); ADD( 8 ); ADD( 12 ); NEXT; // A4 += -A11 + A8 + A12
1043  SUB( 12 ); ADD( 9 ); ADD( 13 ); NEXT; // A5 += -A12 + A9 + A13
1044  SUB( 13 ); ADD( 10 ); LAST; // A6 += -A13 + A10
1045 
1046 cleanup:
1047  return( ret );
1048 }
1049 #endif /* POLARSSL_ECP_DP_SECP224R1_ENABLED */
1050 
1051 #if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
1052 /*
1053  * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
1054  */
1055 static int ecp_mod_p256( mpi *N )
1056 {
1057  INIT( 256 );
1058 
1059  ADD( 8 ); ADD( 9 );
1060  SUB( 11 ); SUB( 12 ); SUB( 13 ); SUB( 14 ); NEXT; // A0
1061 
1062  ADD( 9 ); ADD( 10 );
1063  SUB( 12 ); SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A1
1064 
1065  ADD( 10 ); ADD( 11 );
1066  SUB( 13 ); SUB( 14 ); SUB( 15 ); NEXT; // A2
1067 
1068  ADD( 11 ); ADD( 11 ); ADD( 12 ); ADD( 12 ); ADD( 13 );
1069  SUB( 15 ); SUB( 8 ); SUB( 9 ); NEXT; // A3
1070 
1071  ADD( 12 ); ADD( 12 ); ADD( 13 ); ADD( 13 ); ADD( 14 );
1072  SUB( 9 ); SUB( 10 ); NEXT; // A4
1073 
1074  ADD( 13 ); ADD( 13 ); ADD( 14 ); ADD( 14 ); ADD( 15 );
1075  SUB( 10 ); SUB( 11 ); NEXT; // A5
1076 
1077  ADD( 14 ); ADD( 14 ); ADD( 15 ); ADD( 15 ); ADD( 14 ); ADD( 13 );
1078  SUB( 8 ); SUB( 9 ); NEXT; // A6
1079 
1080  ADD( 15 ); ADD( 15 ); ADD( 15 ); ADD( 8 );
1081  SUB( 10 ); SUB( 11 ); SUB( 12 ); SUB( 13 ); LAST; // A7
1082 
1083 cleanup:
1084  return( ret );
1085 }
1086 #endif /* POLARSSL_ECP_DP_SECP256R1_ENABLED */
1087 
1088 #if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
1089 /*
1090  * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
1091  */
1092 static int ecp_mod_p384( mpi *N )
1093 {
1094  INIT( 384 );
1095 
1096  ADD( 12 ); ADD( 21 ); ADD( 20 );
1097  SUB( 23 ); NEXT; // A0
1098 
1099  ADD( 13 ); ADD( 22 ); ADD( 23 );
1100  SUB( 12 ); SUB( 20 ); NEXT; // A2
1101 
1102  ADD( 14 ); ADD( 23 );
1103  SUB( 13 ); SUB( 21 ); NEXT; // A2
1104 
1105  ADD( 15 ); ADD( 12 ); ADD( 20 ); ADD( 21 );
1106  SUB( 14 ); SUB( 22 ); SUB( 23 ); NEXT; // A3
1107 
1108  ADD( 21 ); ADD( 21 ); ADD( 16 ); ADD( 13 ); ADD( 12 ); ADD( 20 ); ADD( 22 );
1109  SUB( 15 ); SUB( 23 ); SUB( 23 ); NEXT; // A4
1110 
1111  ADD( 22 ); ADD( 22 ); ADD( 17 ); ADD( 14 ); ADD( 13 ); ADD( 21 ); ADD( 23 );
1112  SUB( 16 ); NEXT; // A5
1113 
1114  ADD( 23 ); ADD( 23 ); ADD( 18 ); ADD( 15 ); ADD( 14 ); ADD( 22 );
1115  SUB( 17 ); NEXT; // A6
1116 
1117  ADD( 19 ); ADD( 16 ); ADD( 15 ); ADD( 23 );
1118  SUB( 18 ); NEXT; // A7
1119 
1120  ADD( 20 ); ADD( 17 ); ADD( 16 );
1121  SUB( 19 ); NEXT; // A8
1122 
1123  ADD( 21 ); ADD( 18 ); ADD( 17 );
1124  SUB( 20 ); NEXT; // A9
1125 
1126  ADD( 22 ); ADD( 19 ); ADD( 18 );
1127  SUB( 21 ); NEXT; // A10
1128 
1129  ADD( 23 ); ADD( 20 ); ADD( 19 );
1130  SUB( 22 ); LAST; // A11
1131 
1132 cleanup:
1133  return( ret );
1134 }
1135 #endif /* POLARSSL_ECP_DP_SECP384R1_ENABLED */
1136 
1137 #undef A
1138 #undef LOAD32
1139 #undef STORE32
1140 #undef MAX32
1141 #undef INIT
1142 #undef NEXT
1143 #undef LAST
1144 
1145 #endif /* POLARSSL_ECP_DP_SECP224R1_ENABLED ||
1146  POLARSSL_ECP_DP_SECP256R1_ENABLED ||
1147  POLARSSL_ECP_DP_SECP384R1_ENABLED */
1148 
1149 #if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
1150 /*
1151  * Here we have an actual Mersenne prime, so things are more straightforward.
1152  * However, chunks are aligned on a 'weird' boundary (521 bits).
1153  */
1154 
1155 /* Size of p521 in terms of t_uint */
1156 #define P521_WIDTH ( 521 / 8 / sizeof( t_uint ) + 1 )
1157 
1158 /* Bits to keep in the most significant t_uint */
1159 #if defined(POLARSSL_HAVE_INT8)
1160 #define P521_MASK 0x01
1161 #else
1162 #define P521_MASK 0x01FF
1163 #endif
1164 
1165 /*
1166  * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5)
1167  * Write N as A1 + 2^521 A0, return A0 + A1
1168  */
1169 static int ecp_mod_p521( mpi *N )
1170 {
1171  int ret;
1172  size_t i;
1173  mpi M;
1174  t_uint Mp[P521_WIDTH + 1];
1175  /* Worst case for the size of M is when t_uint is 16 bits:
1176  * we need to hold bits 513 to 1056, which is 34 limbs, that is
1177  * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */
1178 
1179  if( N->n < P521_WIDTH )
1180  return( 0 );
1181 
1182  /* M = A1 */
1183  M.s = 1;
1184  M.n = N->n - ( P521_WIDTH - 1 );
1185  if( M.n > P521_WIDTH + 1 )
1186  M.n = P521_WIDTH + 1;
1187  M.p = Mp;
1188  memcpy( Mp, N->p + P521_WIDTH - 1, M.n * sizeof( t_uint ) );
1189  MPI_CHK( mpi_shift_r( &M, 521 % ( 8 * sizeof( t_uint ) ) ) );
1190 
1191  /* N = A0 */
1192  N->p[P521_WIDTH - 1] &= P521_MASK;
1193  for( i = P521_WIDTH; i < N->n; i++ )
1194  N->p[i] = 0;
1195 
1196  /* N = A0 + A1 */
1197  MPI_CHK( mpi_add_abs( N, N, &M ) );
1198 
1199 cleanup:
1200  return( ret );
1201 }
1202 
1203 #undef P521_WIDTH
1204 #undef P521_MASK
1205 #endif /* POLARSSL_ECP_DP_SECP521R1_ENABLED */
1206 
1207 #endif /* POLARSSL_ECP_NIST_OPTIM */
1208 
1209 #if defined(POLARSSL_ECP_DP_M255_ENABLED)
1210 
1211 /* Size of p255 in terms of t_uint */
1212 #define P255_WIDTH ( 255 / 8 / sizeof( t_uint ) + 1 )
1213 
1214 /*
1215  * Fast quasi-reduction modulo p255 = 2^255 - 19
1216  * Write N as A0 + 2^255 A1, return A0 + 19 * A1
1217  */
1218 static int ecp_mod_p255( mpi *N )
1219 {
1220  int ret;
1221  size_t i;
1222  mpi M;
1223  t_uint Mp[P255_WIDTH + 2];
1224 
1225  if( N->n < P255_WIDTH )
1226  return( 0 );
1227 
1228  /* M = A1 */
1229  M.s = 1;
1230  M.n = N->n - ( P255_WIDTH - 1 );
1231  if( M.n > P255_WIDTH + 1 )
1232  M.n = P255_WIDTH + 1;
1233  M.p = Mp;
1234  memset( Mp, 0, sizeof Mp );
1235  memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( t_uint ) );
1236  MPI_CHK( mpi_shift_r( &M, 255 % ( 8 * sizeof( t_uint ) ) ) );
1237  M.n++; /* Make room for multiplication by 19 */
1238 
1239  /* N = A0 */
1240  MPI_CHK( mpi_set_bit( N, 255, 0 ) );
1241  for( i = P255_WIDTH; i < N->n; i++ )
1242  N->p[i] = 0;
1243 
1244  /* N = A0 + 19 * A1 */
1245  MPI_CHK( mpi_mul_int( &M, &M, 19 ) );
1246  MPI_CHK( mpi_add_abs( N, N, &M ) );
1247 
1248 cleanup:
1249  return( ret );
1250 }
1251 #endif /* POLARSSL_ECP_DP_M255_ENABLED */
1252 
1253 #if defined(POLARSSL_ECP_DP_SECP192K1_ENABLED) || \
1254  defined(POLARSSL_ECP_DP_SECP224K1_ENABLED) || \
1255  defined(POLARSSL_ECP_DP_SECP256K1_ENABLED)
1256 /*
1257  * Fast quasi-reduction modulo P = 2^s - R,
1258  * with R about 33 bits, used by the Koblitz curves.
1259  *
1260  * Write N as A0 + 2^224 A1, return A0 + R * A1.
1261  * Actually do two passes, since R is big.
1262  */
1263 #define P_KOBLITZ_MAX ( 256 / 8 / sizeof( t_uint ) ) // Max limbs in P
1264 #define P_KOBLITZ_R ( 8 / sizeof( t_uint ) ) // Limbs in R
1265 static inline int ecp_mod_koblitz( mpi *N, t_uint *Rp, size_t p_limbs,
1266  size_t adjust, size_t shift, t_uint mask )
1267 {
1268  int ret;
1269  size_t i;
1270  mpi M, R;
1271  t_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R];
1272 
1273  if( N->n < p_limbs )
1274  return( 0 );
1275 
1276  /* Init R */
1277  R.s = 1;
1278  R.p = Rp;
1279  R.n = P_KOBLITZ_R;
1280 
1281  /* Common setup for M */
1282  M.s = 1;
1283  M.p = Mp;
1284 
1285  /* M = A1 */
1286  M.n = N->n - ( p_limbs - adjust );
1287  if( M.n > p_limbs + adjust )
1288  M.n = p_limbs + adjust;
1289  memset( Mp, 0, sizeof Mp );
1290  memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( t_uint ) );
1291  if( shift != 0 )
1292  MPI_CHK( mpi_shift_r( &M, shift ) );
1293  M.n += R.n - adjust; /* Make room for multiplication by R */
1294 
1295  /* N = A0 */
1296  if( mask != 0 )
1297  N->p[p_limbs - 1] &= mask;
1298  for( i = p_limbs; i < N->n; i++ )
1299  N->p[i] = 0;
1300 
1301  /* N = A0 + R * A1 */
1302  MPI_CHK( mpi_mul_mpi( &M, &M, &R ) );
1303  MPI_CHK( mpi_add_abs( N, N, &M ) );
1304 
1305  /* Second pass */
1306 
1307  /* M = A1 */
1308  M.n = N->n - ( p_limbs - adjust );
1309  if( M.n > p_limbs + adjust )
1310  M.n = p_limbs + adjust;
1311  memset( Mp, 0, sizeof Mp );
1312  memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( t_uint ) );
1313  if( shift != 0 )
1314  MPI_CHK( mpi_shift_r( &M, shift ) );
1315  M.n += R.n - adjust; /* Make room for multiplication by R */
1316 
1317  /* N = A0 */
1318  if( mask != 0 )
1319  N->p[p_limbs - 1] &= mask;
1320  for( i = p_limbs; i < N->n; i++ )
1321  N->p[i] = 0;
1322 
1323  /* N = A0 + R * A1 */
1324  MPI_CHK( mpi_mul_mpi( &M, &M, &R ) );
1325  MPI_CHK( mpi_add_abs( N, N, &M ) );
1326 
1327 cleanup:
1328  return( ret );
1329 }
1330 #endif /* POLARSSL_ECP_DP_SECP192K1_ENABLED) ||
1331  POLARSSL_ECP_DP_SECP224K1_ENABLED) ||
1332  POLARSSL_ECP_DP_SECP256K1_ENABLED) */
1333 
1334 #if defined(POLARSSL_ECP_DP_SECP192K1_ENABLED)
1335 /*
1336  * Fast quasi-reduction modulo p192k1 = 2^192 - R,
1337  * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119
1338  */
1339 static int ecp_mod_p192k1( mpi *N )
1340 {
1341  static t_uint Rp[] = {
1342  BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
1343 
1344  return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( t_uint ), 0, 0, 0 ) );
1345 }
1346 #endif /* POLARSSL_ECP_DP_SECP192K1_ENABLED */
1347 
1348 #if defined(POLARSSL_ECP_DP_SECP224K1_ENABLED)
1349 /*
1350  * Fast quasi-reduction modulo p224k1 = 2^224 - R,
1351  * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
1352  */
1353 static int ecp_mod_p224k1( mpi *N )
1354 {
1355  static t_uint Rp[] = {
1356  BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
1357 
1358 #if defined(POLARSSL_HAVE_INT64)
1359  return( ecp_mod_koblitz( N, Rp, 4, 1, 32, 0xFFFFFFFF ) );
1360 #else
1361  return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( t_uint ), 0, 0, 0 ) );
1362 #endif
1363 }
1364 
1365 #endif /* POLARSSL_ECP_DP_SECP224K1_ENABLED */
1366 
1367 #if defined(POLARSSL_ECP_DP_SECP256K1_ENABLED)
1368 /*
1369  * Fast quasi-reduction modulo p256k1 = 2^256 - R,
1370  * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
1371  */
1372 static int ecp_mod_p256k1( mpi *N )
1373 {
1374  static t_uint Rp[] = {
1375  BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
1376  return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( t_uint ), 0, 0, 0 ) );
1377 }
1378 #endif /* POLARSSL_ECP_DP_SECP256K1_ENABLED */
1379 
1380 #endif /* POLARSSL_ECP_C */
size_t pbits
Definition: ecp.h:144
uint32_t t_uint
Definition: bignum.h:160
Elliptic curves over GF(p)
int s
Definition: bignum.h:184
int mpi_sub_abs(mpi *X, const mpi *A, const mpi *B)
Unsigned subtraction: X = |A| - |B|.
mpi P
Definition: ecp.h:139
int(* modp)(mpi *)
Definition: ecp.h:147
ECP group structure.
Definition: ecp.h:136
Configuration options (set of defines)
unsigned int h
Definition: ecp.h:146
int mpi_lset(mpi *X, t_sint z)
Set value from integer.
MPI structure.
Definition: bignum.h:182
#define POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE
Requested curve not available.
Definition: ecp.h:37
mpi X
Definition: ecp.h:106
int mpi_shift_r(mpi *X, size_t count)
Right-shift: X &gt;&gt;= count.
ecp_point G
Definition: ecp.h:142
ecp_group_id id
Definition: ecp.h:138
mpi B
Definition: ecp.h:141
mpi N
Definition: ecp.h:143
void mpi_free(mpi *X)
Unallocate one MPI.
int mpi_mul_int(mpi *X, const mpi *A, t_sint b)
Baseline multiplication: X = A * b Note: despite the functon signature, b is treated as a t_uint...
void ecp_group_free(ecp_group *grp)
Free the components of an ECP group.
int mpi_grow(mpi *X, size_t nblimbs)
Enlarge to the specified number of limbs.
size_t mpi_msb(const mpi *X)
Return the number of bits up to and including the most significant &#39;1&#39; bit&#39;.
int ecp_use_known_dp(ecp_group *grp, ecp_group_id index)
Set a group using well-known domain parameters.
int mpi_add_abs(mpi *X, const mpi *A, const mpi *B)
Unsigned addition: X = |A| + |B|.
int mpi_read_string(mpi *X, int radix, const char *s)
Import from an ASCII string.
t_uint * p
Definition: bignum.h:186
mpi A
Definition: ecp.h:140
ecp_group_id
Domain parameters (curve, subgroup and generator) identifiers.
Definition: ecp.h:57
size_t nbits
Definition: ecp.h:145
mpi Y
Definition: ecp.h:107
size_t n
Definition: bignum.h:185
mpi Z
Definition: ecp.h:108
int mpi_shift_l(mpi *X, size_t count)
Left-shift: X &lt;&lt;= count.
int mpi_mul_mpi(mpi *X, const mpi *A, const mpi *B)
Baseline multiplication: X = A * B.
int mpi_set_bit(mpi *X, size_t pos, unsigned char val)
Set a bit of X to a specific value of 0 or 1.
int mpi_sub_int(mpi *X, const mpi *A, t_sint b)
Signed subtraction: X = A - b.
#define MPI_CHK(f)
Definition: bignum.h:65