Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
folium-app
GitHub Repository: folium-app/Folium
 Path: blob/a-new-beginning/SharedDependencies/Sources/cryptopp/ecp.cpp
2 views
1
// ecp.cpp - originally written and placed in the public domain by Wei Dai

2


3
#include "pch.h"

4


5
#ifndef CRYPTOPP_IMPORTS

6


7
#include "ecp.h"

8
#include "asn.h"

9
#include "integer.h"

10
#include "nbtheory.h"

11
#include "modarith.h"

12
#include "filters.h"

13
#include "algebra.cpp"

14


15
ANONYMOUS_NAMESPACE_BEGIN

16


17
using CryptoPP::ECP;

18
using CryptoPP::Integer;

19
using CryptoPP::ModularArithmetic;

20


21
#if defined(HAVE_GCC_INIT_PRIORITY)

22
	#define INIT_ATTRIBUTE __attribute__ ((init_priority (CRYPTOPP_INIT_PRIORITY + 50)))

23
	const ECP::Point g_identity INIT_ATTRIBUTE = ECP::Point();

24
#elif defined(HAVE_MSC_INIT_PRIORITY)

25
	#pragma warning(disable: 4075)

26
	#pragma init_seg(".CRT$XCU")

27
	const ECP::Point g_identity;

28
	#pragma warning(default: 4075)

29
#elif defined(HAVE_XLC_INIT_PRIORITY)

30
	#pragma priority(290)

31
	const ECP::Point g_identity;

32
#endif

33


34
inline ECP::Point ToMontgomery(const ModularArithmetic &mr, const ECP::Point &P)

35
{

36
	return P.identity ? P : ECP::Point(mr.ConvertIn(P.x), mr.ConvertIn(P.y));

37
}

38


39
inline ECP::Point FromMontgomery(const ModularArithmetic &mr, const ECP::Point &P)

40
{

41
	return P.identity ? P : ECP::Point(mr.ConvertOut(P.x), mr.ConvertOut(P.y));

42
}

43


44
inline Integer IdentityToInteger(bool val)

45
{

46
	return val ? Integer::One() : Integer::Zero();

47
}

48


49
struct ProjectivePoint

50
{

51
	ProjectivePoint() {}

52
	ProjectivePoint(const Integer &x, const Integer &y, const Integer &z)

53
		: x(x), y(y), z(z)	{}

54


55
	Integer x, y, z;

56
};

57


58
ANONYMOUS_NAMESPACE_END

59


60
NAMESPACE_BEGIN(CryptoPP)

61


62
ECP::ECP(const ECP &ecp, bool convertToMontgomeryRepresentation)

63
{

64
	if (convertToMontgomeryRepresentation && !ecp.GetField().IsMontgomeryRepresentation())

65
	{

66
		m_fieldPtr.reset(new MontgomeryRepresentation(ecp.GetField().GetModulus()));

67
		m_a = GetField().ConvertIn(ecp.m_a);

68
		m_b = GetField().ConvertIn(ecp.m_b);

69
	}

70
	else

71
		operator=(ecp);

72
}

73


74
ECP::ECP(BufferedTransformation &bt)

75
	: m_fieldPtr(new Field(bt))

76
{

77
	BERSequenceDecoder seq(bt);

78
	GetField().BERDecodeElement(seq, m_a);

79
	GetField().BERDecodeElement(seq, m_b);

80
	// skip optional seed

81
	if (!seq.EndReached())

82
	{

83
		SecByteBlock seed;

84
		unsigned int unused;

85
		BERDecodeBitString(seq, seed, unused);

86
	}

87
	seq.MessageEnd();

88
}

89


90
void ECP::DEREncode(BufferedTransformation &bt) const

91
{

92
	GetField().DEREncode(bt);

93
	DERSequenceEncoder seq(bt);

94
	GetField().DEREncodeElement(seq, m_a);

95
	GetField().DEREncodeElement(seq, m_b);

96
	seq.MessageEnd();

97
}

98


99
bool ECP::DecodePoint(ECP::Point &P, const byte *encodedPoint, size_t encodedPointLen) const

100
{

101
	StringStore store(encodedPoint, encodedPointLen);

102
	return DecodePoint(P, store, encodedPointLen);

103
}

104


105
bool ECP::DecodePoint(ECP::Point &P, BufferedTransformation &bt, size_t encodedPointLen) const

106
{

107
	byte type;

108
	if (encodedPointLen < 1 || !bt.Get(type))

109
		return false;

110


111
	switch (type)

112
	{

113
	case 0:

114
		P.identity = true;

115
		return true;

116
	case 2:

117
	case 3:

118
	{

119
		if (encodedPointLen != EncodedPointSize(true))

120
			return false;

121


122
		// Check for p is prime due to GH #1249

123
		const Integer p = FieldSize();

124
		CRYPTOPP_ASSERT(IsPrime(p));

125
		if (!IsPrime(p))

126
			return false;

127


128
		P.identity = false;

129
		P.x.Decode(bt, GetField().MaxElementByteLength());

130
		P.y = ((P.x*P.x+m_a)*P.x+m_b) % p;

131


132
		if (Jacobi(P.y, p) !=1)

133
			return false;

134


135
		// Callers must ensure p is prime, GH #1249

136
		P.y = ModularSquareRoot(P.y, p);

137


138
		if ((type & 1) != P.y.GetBit(0))

139
			P.y = p-P.y;

140


141
		return true;

142
	}

143
	case 4:

144
	{

145
		if (encodedPointLen != EncodedPointSize(false))

146
			return false;

147


148
		unsigned int len = GetField().MaxElementByteLength();

149
		P.identity = false;

150
		P.x.Decode(bt, len);

151
		P.y.Decode(bt, len);

152
		return true;

153
	}

154
	default:

155
		return false;

156
	}

157
}

158


159
void ECP::EncodePoint(BufferedTransformation &bt, const Point &P, bool compressed) const

160
{

161
	if (P.identity)

162
		NullStore().TransferTo(bt, EncodedPointSize(compressed));

163
	else if (compressed)

164
	{

165
		bt.Put((byte)(2U + P.y.GetBit(0)));

166
		P.x.Encode(bt, GetField().MaxElementByteLength());

167
	}

168
	else

169
	{

170
		unsigned int len = GetField().MaxElementByteLength();

171
		bt.Put(4U);	// uncompressed

172
		P.x.Encode(bt, len);

173
		P.y.Encode(bt, len);

174
	}

175
}

176


177
void ECP::EncodePoint(byte *encodedPoint, const Point &P, bool compressed) const

178
{

179
	ArraySink sink(encodedPoint, EncodedPointSize(compressed));

180
	EncodePoint(sink, P, compressed);

181
	CRYPTOPP_ASSERT(sink.TotalPutLength() == EncodedPointSize(compressed));

182
}

183


184
ECP::Point ECP::BERDecodePoint(BufferedTransformation &bt) const

185
{

186
	SecByteBlock str;

187
	BERDecodeOctetString(bt, str);

188
	Point P;

189
	if (!DecodePoint(P, str, str.size()))

190
		BERDecodeError();

191
	return P;

192
}

193


194
void ECP::DEREncodePoint(BufferedTransformation &bt, const Point &P, bool compressed) const

195
{

196
	SecByteBlock str(EncodedPointSize(compressed));

197
	EncodePoint(str, P, compressed);

198
	DEREncodeOctetString(bt, str);

199
}

200


201
bool ECP::ValidateParameters(RandomNumberGenerator &rng, unsigned int level) const

202
{

203
	Integer p = FieldSize();

204


205
	bool pass = p.IsOdd();

206
	pass = pass && !m_a.IsNegative() && m_a<p && !m_b.IsNegative() && m_b<p;

207


208
	if (level >= 1)

209
		pass = pass && ((4*m_a*m_a*m_a+27*m_b*m_b)%p).IsPositive();

210


211
	if (level >= 2)

212
		pass = pass && VerifyPrime(rng, p);

213


214
	return pass;

215
}

216


217
bool ECP::VerifyPoint(const Point &P) const

218
{

219
	const FieldElement &x = P.x, &y = P.y;

220
	Integer p = FieldSize();

221
	return P.identity ||

222
		(!x.IsNegative() && x<p && !y.IsNegative() && y<p

223
		&& !(((x*x+m_a)*x+m_b-y*y)%p));

224
}

225


226
bool ECP::Equal(const Point &P, const Point &Q) const

227
{

228
	if (P.identity && Q.identity)

229
		return true;

230


231
	if (P.identity && !Q.identity)

232
		return false;

233


234
	if (!P.identity && Q.identity)

235
		return false;

236


237
	return (GetField().Equal(P.x,Q.x) && GetField().Equal(P.y,Q.y));

238
}

239


240
const ECP::Point& ECP::Identity() const

241
{

242
#if defined(HAVE_GCC_INIT_PRIORITY) || defined(HAVE_MSC_INIT_PRIORITY) || defined(HAVE_XLC_INIT_PRIORITY)

243
	return g_identity;

244
#elif defined(CRYPTOPP_CXX11_STATIC_INIT)

245
	static const ECP::Point g_identity;

246
	return g_identity;

247
#else

248
	return Singleton<Point>().Ref();

249
#endif

250
}

251


252
const ECP::Point& ECP::Inverse(const Point &P) const

253
{

254
	if (P.identity)

255
		return P;

256
	else

257
	{

258
		m_R.identity = false;

259
		m_R.x = P.x;

260
		m_R.y = GetField().Inverse(P.y);

261
		return m_R;

262
	}

263
}

264


265
const ECP::Point& ECP::Add(const Point &P, const Point &Q) const

266
{

267
	if (P.identity) return Q;

268
	if (Q.identity) return P;

269
	if (GetField().Equal(P.x, Q.x))

270
		return GetField().Equal(P.y, Q.y) ? Double(P) : Identity();

271


272
	FieldElement t = GetField().Subtract(Q.y, P.y);

273
	t = GetField().Divide(t, GetField().Subtract(Q.x, P.x));

274
	FieldElement x = GetField().Subtract(GetField().Subtract(GetField().Square(t), P.x), Q.x);

275
	m_R.y = GetField().Subtract(GetField().Multiply(t, GetField().Subtract(P.x, x)), P.y);

276


277
	m_R.x.swap(x);

278
	m_R.identity = false;

279
	return m_R;

280
}

281


282
const ECP::Point& ECP::Double(const Point &P) const

283
{

284
	if (P.identity || P.y==GetField().Identity()) return Identity();

285


286
	FieldElement t = GetField().Square(P.x);

287
	t = GetField().Add(GetField().Add(GetField().Double(t), t), m_a);

288
	t = GetField().Divide(t, GetField().Double(P.y));

289
	FieldElement x = GetField().Subtract(GetField().Subtract(GetField().Square(t), P.x), P.x);

290
	m_R.y = GetField().Subtract(GetField().Multiply(t, GetField().Subtract(P.x, x)), P.y);

291


292
	m_R.x.swap(x);

293
	m_R.identity = false;

294
	return m_R;

295
}

296


297
template <class T, class Iterator> void ParallelInvert(const AbstractRing<T> &ring, Iterator begin, Iterator end)

298
{

299
	size_t n = end-begin;

300
	if (n == 1)

301
		*begin = ring.MultiplicativeInverse(*begin);

302
	else if (n > 1)

303
	{

304
		std::vector<T> vec((n+1)/2);

305
		unsigned int i;

306
		Iterator it;

307


308
		for (i=0, it=begin; i<n/2; i++, it+=2)

309
			vec[i] = ring.Multiply(*it, *(it+1));

310
		if (n%2 == 1)

311
			vec[n/2] = *it;

312


313
		ParallelInvert(ring, vec.begin(), vec.end());

314


315
		for (i=0, it=begin; i<n/2; i++, it+=2)

316
		{

317
			if (!vec[i])

318
			{

319
				*it = ring.MultiplicativeInverse(*it);

320
				*(it+1) = ring.MultiplicativeInverse(*(it+1));

321
			}

322
			else

323
			{

324
				std::swap(*it, *(it+1));

325
				*it = ring.Multiply(*it, vec[i]);

326
				*(it+1) = ring.Multiply(*(it+1), vec[i]);

327
			}

328
		}

329
		if (n%2 == 1)

330
			*it = vec[n/2];

331
	}

332
}

333


334
class ProjectiveDoubling

335
{

336
public:

337
	ProjectiveDoubling(const ModularArithmetic &m_mr, const Integer &m_a, const Integer &m_b, const ECPPoint &Q)

338
		: mr(m_mr)

339
	{

340
		CRYPTOPP_UNUSED(m_b);

341
		if (Q.identity)

342
		{

343
			sixteenY4 = P.x = P.y = mr.MultiplicativeIdentity();

344
			aZ4 = P.z = mr.Identity();

345
		}

346
		else

347
		{

348
			P.x = Q.x;

349
			P.y = Q.y;

350
			sixteenY4 = P.z = mr.MultiplicativeIdentity();

351
			aZ4 = m_a;

352
		}

353
	}

354


355
	void Double()

356
	{

357
		twoY = mr.Double(P.y);

358
		P.z = mr.Multiply(P.z, twoY);

359
		fourY2 = mr.Square(twoY);

360
		S = mr.Multiply(fourY2, P.x);

361
		aZ4 = mr.Multiply(aZ4, sixteenY4);

362
		M = mr.Square(P.x);

363
		M = mr.Add(mr.Add(mr.Double(M), M), aZ4);

364
		P.x = mr.Square(M);

365
		mr.Reduce(P.x, S);

366
		mr.Reduce(P.x, S);

367
		mr.Reduce(S, P.x);

368
		P.y = mr.Multiply(M, S);

369
		sixteenY4 = mr.Square(fourY2);

370
		mr.Reduce(P.y, mr.Half(sixteenY4));

371
	}

372


373
	const ModularArithmetic &mr;

374
	ProjectivePoint P;

375
	Integer sixteenY4, aZ4, twoY, fourY2, S, M;

376
};

377


378
struct ZIterator

379
{

380
	ZIterator() {}

381
	ZIterator(std::vector<ProjectivePoint>::iterator it) : it(it) {}

382
	Integer& operator*() {return it->z;}

383
	int operator-(ZIterator it2) {return int(it-it2.it);}

384
	ZIterator operator+(int i) {return ZIterator(it+i);}

385
	ZIterator& operator+=(int i) {it+=i; return *this;}

386
	std::vector<ProjectivePoint>::iterator it;

387
};

388


389
ECP::Point ECP::ScalarMultiply(const Point &P, const Integer &k) const

390
{

391
	Element result;

392
	if (k.BitCount() <= 5)

393
		AbstractGroup<ECPPoint>::SimultaneousMultiply(&result, P, &k, 1);

394
	else

395
		ECP::SimultaneousMultiply(&result, P, &k, 1);

396
	return result;

397
}

398


399
void ECP::SimultaneousMultiply(ECP::Point *results, const ECP::Point &P, const Integer *expBegin, unsigned int expCount) const

400
{

401
	if (!GetField().IsMontgomeryRepresentation())

402
	{

403
		ECP ecpmr(*this, true);

404
		const ModularArithmetic &mr = ecpmr.GetField();

405
		ecpmr.SimultaneousMultiply(results, ToMontgomery(mr, P), expBegin, expCount);

406
		for (unsigned int i=0; i<expCount; i++)

407
			results[i] = FromMontgomery(mr, results[i]);

408
		return;

409
	}

410


411
	ProjectiveDoubling rd(GetField(), m_a, m_b, P);

412
	std::vector<ProjectivePoint> bases;

413
	std::vector<WindowSlider> exponents;

414
	exponents.reserve(expCount);

415
	std::vector<std::vector<word32> > baseIndices(expCount);

416
	std::vector<std::vector<bool> > negateBase(expCount);

417
	std::vector<std::vector<word32> > exponentWindows(expCount);

418
	unsigned int i;

419


420
	for (i=0; i<expCount; i++)

421
	{

422
		CRYPTOPP_ASSERT(expBegin->NotNegative());

423
		exponents.push_back(WindowSlider(*expBegin++, InversionIsFast(), 5));

424
		exponents[i].FindNextWindow();

425
	}

426


427
	unsigned int expBitPosition = 0;

428
	bool notDone = true;

429


430
	while (notDone)

431
	{

432
		notDone = false;

433
		bool baseAdded = false;

434
		for (i=0; i<expCount; i++)

435
		{

436
			if (!exponents[i].finished && expBitPosition == exponents[i].windowBegin)

437
			{

438
				if (!baseAdded)

439
				{

440
					bases.push_back(rd.P);

441
					baseAdded =true;

442
				}

443


444
				exponentWindows[i].push_back(exponents[i].expWindow);

445
				baseIndices[i].push_back((word32)bases.size()-1);

446
				negateBase[i].push_back(exponents[i].negateNext);

447


448
				exponents[i].FindNextWindow();

449
			}

450
			notDone = notDone || !exponents[i].finished;

451
		}

452


453
		if (notDone)

454
		{

455
			rd.Double();

456
			expBitPosition++;

457
		}

458
	}

459


460
	// convert from projective to affine coordinates

461
	ParallelInvert(GetField(), ZIterator(bases.begin()), ZIterator(bases.end()));

462
	for (i=0; i<bases.size(); i++)

463
	{

464
		if (bases[i].z.NotZero())

465
		{

466
			bases[i].y = GetField().Multiply(bases[i].y, bases[i].z);

467
			bases[i].z = GetField().Square(bases[i].z);

468
			bases[i].x = GetField().Multiply(bases[i].x, bases[i].z);

469
			bases[i].y = GetField().Multiply(bases[i].y, bases[i].z);

470
		}

471
	}

472


473
	std::vector<BaseAndExponent<Point, Integer> > finalCascade;

474
	for (i=0; i<expCount; i++)

475
	{

476
		finalCascade.resize(baseIndices[i].size());

477
		for (unsigned int j=0; j<baseIndices[i].size(); j++)

478
		{

479
			ProjectivePoint &base = bases[baseIndices[i][j]];

480
			if (base.z.IsZero())

481
				finalCascade[j].base.identity = true;

482
			else

483
			{

484
				finalCascade[j].base.identity = false;

485
				finalCascade[j].base.x = base.x;

486
				if (negateBase[i][j])

487
					finalCascade[j].base.y = GetField().Inverse(base.y);

488
				else

489
					finalCascade[j].base.y = base.y;

490
			}

491
			finalCascade[j].exponent = Integer(Integer::POSITIVE, 0, exponentWindows[i][j]);

492
		}

493
		results[i] = GeneralCascadeMultiplication(*this, finalCascade.begin(), finalCascade.end());

494
	}

495
}

496


497
ECP::Point ECP::CascadeScalarMultiply(const Point &P, const Integer &k1, const Point &Q, const Integer &k2) const

498
{

499
	if (!GetField().IsMontgomeryRepresentation())

500
	{

501
		ECP ecpmr(*this, true);

502
		const ModularArithmetic &mr = ecpmr.GetField();

503
		return FromMontgomery(mr, ecpmr.CascadeScalarMultiply(ToMontgomery(mr, P), k1, ToMontgomery(mr, Q), k2));

504
	}

505
	else

506
		return AbstractGroup<Point>::CascadeScalarMultiply(P, k1, Q, k2);

507
}

508


509
NAMESPACE_END

510


511
#endif

512


513