2 * Copyright (C) 2017 - This file is part of libecc project
7 * Jean-Pierre FLORI <jean-pierre.flori@ssi.gouv.fr>
45 q = &(in_priv->params->ec_gen_order); in ecgdsa_init_pub_key()
48 MUST_HAVE((!nn_cmp(&(in_priv->x), q, &cmp)) && (cmp < 0), ret, err); in ecgdsa_init_pub_key()
50 /* Y = (x^-1)G */ in ecgdsa_init_pub_key()
51 G = &(in_priv->params->ec_gen); in ecgdsa_init_pub_key()
55 ret = nn_modinv_fermat(&xinv, &(in_priv->x), &(in_priv->params->ec_gen_order)); EG(ret, err); in ecgdsa_init_pub_key()
57 ret = prj_pt_mul_blind(&(out_pub->y), &xinv, G); EG(ret, err); in ecgdsa_init_pub_key()
59 out_pub->key_type = ECGDSA; in ecgdsa_init_pub_key()
60 out_pub->params = in_priv->params; in ecgdsa_init_pub_key()
61 out_pub->magic = PUB_KEY_MAGIC; in ecgdsa_init_pub_key()
87 * Generic *internal* EC-GDSA signature functions (init, update and finalize).
93 * Global EC-GDSA signature process is as follows (I,U,F provides
97 *| IUF - EC-GDSA signature
99 *| UF 1. Compute h = H(m). If |h| > bitlen(q), set h to bitlen(q)
101 *| F 2. Compute e = - OS2I(h) mod q
103 *| F 4. Compute W = (W_x,W_y) = kG
104 *| F 5. Compute r = W_x mod q
106 *| F 7. Compute s = x(kr + e) mod q
112 * a) Usually (this is for instance the case in ISO 14888-3 and X9.62), the
121 * c) in EC-GDSA, the public part of the key is not needed per se during the
122 * signature but - as it is needed in other signature algs implemented
123 * in the library - the whole key pair is passed instead of just the
130 ((A)->magic == ECGDSA_SIGN_MAGIC), ret, err)
140 ret = key_pair_check_initialized_and_type(ctx->key_pair, ECGDSA); EG(ret, err); in _ecgdsa_sign_init()
141 MUST_HAVE((ctx->h != NULL) && (ctx->h->digest_size <= MAX_DIGEST_SIZE) && in _ecgdsa_sign_init()
142 (ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err); in _ecgdsa_sign_init()
149 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _ecgdsa_sign_init()
150 ret = ctx->h->hfunc_init(&(ctx->sign_data.ecgdsa.h_ctx)); EG(ret, err); in _ecgdsa_sign_init()
152 ctx->sign_data.ecgdsa.magic = ECGDSA_SIGN_MAGIC; in _ecgdsa_sign_init()
165 * part too. This guarantees the context is an EC-GDSA in _ecgdsa_sign_update()
170 ECGDSA_SIGN_CHECK_INITIALIZED(&(ctx->sign_data.ecgdsa), ret, err); in _ecgdsa_sign_update()
172 /* 1. Compute h = H(m) */ in _ecgdsa_sign_update()
174 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _ecgdsa_sign_update()
175 ret = ctx->h->hfunc_update(&(ctx->sign_data.ecgdsa.h_ctx), chunk, chunklen); in _ecgdsa_sign_update()
204 * part too. This guarantees the context is an EC-GDSA in _ecgdsa_sign_finalize()
208 ECGDSA_SIGN_CHECK_INITIALIZED(&(ctx->sign_data.ecgdsa), ret, err); in _ecgdsa_sign_finalize()
215 priv_key = &(ctx->key_pair->priv_key); in _ecgdsa_sign_finalize()
216 G = &(priv_key->params->ec_gen); in _ecgdsa_sign_finalize()
217 q = &(priv_key->params->ec_gen_order); in _ecgdsa_sign_finalize()
218 x = &(priv_key->x); in _ecgdsa_sign_finalize()
219 q_bit_len = priv_key->params->ec_gen_order_bitlen; in _ecgdsa_sign_finalize()
220 p_bit_len = priv_key->params->ec_fp.p_bitlen; in _ecgdsa_sign_finalize()
224 hsize = ctx->h->digest_size; in _ecgdsa_sign_finalize()
235 dbg_nn_print("p", &(priv_key->params->ec_fp.p)); in _ecgdsa_sign_finalize()
239 dbg_pub_key_print("Y", &(ctx->key_pair->pub_key)); in _ecgdsa_sign_finalize()
241 /* 1. Compute h = H(m) */ in _ecgdsa_sign_finalize()
244 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _ecgdsa_sign_finalize()
245 ret = ctx->h->hfunc_finalize(&(ctx->sign_data.ecgdsa.h_ctx), e_buf); EG(ret, err); in _ecgdsa_sign_finalize()
255 rshift = (bitcnt_t)((hsize * 8) - q_bit_len); in _ecgdsa_sign_finalize()
265 * 2. Convert h to an integer and then compute e = -h mod q, in _ecgdsa_sign_finalize()
266 * i.e. compute e = - OS2I(h) mod q in _ecgdsa_sign_finalize()
268 * Because we only support positive integers, we compute in _ecgdsa_sign_finalize()
269 * e = q - (h mod q) (except when h is 0). in _ecgdsa_sign_finalize()
282 MUST_HAVE(ctx->rand == nn_get_random_mod, ret, err); in _ecgdsa_sign_finalize()
284 MUST_HAVE(ctx->rand != NULL, ret, err); in _ecgdsa_sign_finalize()
286 ret = ctx->rand(&k, q); EG(ret, err); in _ecgdsa_sign_finalize()
295 /* 4. Compute W = kG = (Wx, Wy) */ in _ecgdsa_sign_finalize()
307 /* 5. Compute r = Wx mod q */ in _ecgdsa_sign_finalize()
325 /* 7. Compute s = x(kr + e) mod q */ in _ecgdsa_sign_finalize()
366 IGNORE_RET_VAL(local_memset(&(ctx->sign_data.ecgdsa), 0, sizeof(ecgdsa_sign_data))); in _ecgdsa_sign_finalize()
384 * Generic *internal* EC-GDSA verification functions (init, update and finalize).
390 * Global EC-GDSA verification process is as follows (I,U,F provides
394 *| IUF - EC-GDSA verification
397 *| UF 2. Compute h = H(m). If |h| > bitlen(q), set h to bitlen(q)
399 *| F 3. Compute e = OS2I(h) mod q
400 *| F 4. Compute u = ((r^-1)e mod q)
401 *| F 5. Compute v = ((r^-1)s mod q)
402 *| F 6. Compute W' = uG + vY
403 *| F 7. Compute r' = W'_x mod q
411 ((A)->magic == ECGDSA_VERIFY_MAGIC), ret, err)
426 ret = pub_key_check_initialized_and_type(ctx->pub_key, ECGDSA); EG(ret, err); in _ecgdsa_verify_init()
427 MUST_HAVE((ctx->h != NULL) && (ctx->h->digest_size <= MAX_DIGEST_SIZE) && in _ecgdsa_verify_init()
428 (ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err); in _ecgdsa_verify_init()
432 q = &(ctx->pub_key->params->ec_gen_order); in _ecgdsa_verify_init()
433 q_bit_len = ctx->pub_key->params->ec_gen_order_bitlen; in _ecgdsa_verify_init()
434 r = &(ctx->verify_data.ecgdsa.r); in _ecgdsa_verify_init()
435 s = &(ctx->verify_data.ecgdsa.s); in _ecgdsa_verify_init()
460 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _ecgdsa_verify_init()
461 ret = ctx->h->hfunc_init(&(ctx->verify_data.ecgdsa.h_ctx)); EG(ret, err); in _ecgdsa_verify_init()
463 ctx->verify_data.ecgdsa.magic = ECGDSA_VERIFY_MAGIC; in _ecgdsa_verify_init()
483 * part too. This guarantees the context is an EC-GDSA in _ecgdsa_verify_update()
488 ECGDSA_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.ecgdsa), ret, err); in _ecgdsa_verify_update()
490 /* 2. Compute h = H(m) */ in _ecgdsa_verify_update()
492 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _ecgdsa_verify_update()
493 ret = ctx->h->hfunc_update(&(ctx->verify_data.ecgdsa.h_ctx), chunk, in _ecgdsa_verify_update()
521 * part too. This guarantees the context is an EC-GDSA in _ecgdsa_verify_finalize()
525 ECGDSA_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.ecgdsa), ret, err); in _ecgdsa_verify_finalize()
532 G = &(ctx->pub_key->params->ec_gen); in _ecgdsa_verify_finalize()
533 Y = &(ctx->pub_key->y); in _ecgdsa_verify_finalize()
534 q = &(ctx->pub_key->params->ec_gen_order); in _ecgdsa_verify_finalize()
535 r = &(ctx->verify_data.ecgdsa.r); in _ecgdsa_verify_finalize()
536 s = &(ctx->verify_data.ecgdsa.s); in _ecgdsa_verify_finalize()
537 q_bit_len = ctx->pub_key->params->ec_gen_order_bitlen; in _ecgdsa_verify_finalize()
538 hsize = ctx->h->digest_size; in _ecgdsa_verify_finalize()
540 /* 2. Compute h = H(m) */ in _ecgdsa_verify_finalize()
542 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _ecgdsa_verify_finalize()
543 ret = ctx->h->hfunc_finalize(&(ctx->verify_data.ecgdsa.h_ctx), e_buf); EG(ret, err); in _ecgdsa_verify_finalize()
553 rshift = (bitcnt_t)((hsize * 8) - q_bit_len); in _ecgdsa_verify_finalize()
562 /* 3. Compute e by converting h to an integer and reducing it mod q */ in _ecgdsa_verify_finalize()
565 /* 4. Compute u = (r^-1)e mod q */ in _ecgdsa_verify_finalize()
566 ret = nn_modinv(&rinv, r, q); EG(ret, err); /* r^-1 */ in _ecgdsa_verify_finalize()
570 /* 5. Compute v = (r^-1)s mod q */ in _ecgdsa_verify_finalize()
574 /* 6. Compute W' = uG + vY */ in _ecgdsa_verify_finalize()
577 /* 7. Compute r' = W'_x mod q */ in _ecgdsa_verify_finalize()
579 dbg_nn_print("W'_x", &(Wprime->X.fp_val)); in _ecgdsa_verify_finalize()
580 dbg_nn_print("W'_y", &(Wprime->Y.fp_val)); in _ecgdsa_verify_finalize()
581 ret = nn_mod(&r_prime, &(Wprime->X.fp_val), q); EG(ret, err); in _ecgdsa_verify_finalize()
585 ret = (cmp != 0) ? -1 : 0; in _ecgdsa_verify_finalize()
600 IGNORE_RET_VAL(local_memset(&(ctx->verify_data.ecgdsa), 0, in _ecgdsa_verify_finalize()