2  *  Copyright (C) 2021 - This file is part of libecc project
29 * other EC*DSA style signature algorithms described in ISO14888-3:
30 * the private key x MUST be in ]0, q-1[ instead of ]0, q[ (this is actually
45 /* Get a random value in ]0,q-1[ where q is the group generator order */ in sm2_gen_priv_key()
47 ret = nn_dec(&tmp, &(priv_key->params->ec_gen_order)); EG(ret, err); in sm2_gen_priv_key()
48 ret = nn_get_random_mod(&(priv_key->x), &tmp); in sm2_gen_priv_key()
69 * ]0, q-1[. This excluded q-1 is an oddity but is what the in sm2_init_pub_key()
70 * ISO14888-3:2018 has. in sm2_init_pub_key()
73 ret = nn_dec(&tmp, &in_priv->params->ec_gen_order); EG(ret, err); in sm2_init_pub_key()
74 /* If x >= (q - 1), this is an error */ in sm2_init_pub_key()
75 MUST_HAVE((!nn_cmp(&(in_priv->x), &tmp, &cmp)) && (cmp < 0), ret, err); in sm2_init_pub_key()
78 G = &(in_priv->params->ec_gen); in sm2_init_pub_key()
84 ret = prj_pt_mul_blind(&(out_pub->y), &(in_priv->x), G); EG(ret, err); in sm2_init_pub_key()
86 out_pub->key_type = SM2; in sm2_init_pub_key()
87 out_pub->params = in_priv->params; in sm2_init_pub_key()
88 out_pub->magic = PUB_KEY_MAGIC; in sm2_init_pub_key()
113 * Helper to compute Z from user ID, curve parameters, public key and hash
114 * function as defined in section 6.12.4.3 of ISO14888-3:2018. The function
115 * returns 0 on success, -1 on error. On success, the number of bytes
126 * - GF(p), Finite field of cardinality p.
127 * - Curve Weierstrass Equation y^2 = x^3 + a * x + b.
128 * - ID string containing an identifier of the signer
129 * - G = (Gx, Gy) an element of order q in E.
130 * - entlen is the bit-length of ID and ENTL the two bytes string transformed
158 hsize = hm->digest_size; in sm2_compute_Z()
162 G = &(pub_key->params->ec_gen); in sm2_compute_Z()
163 Y = &(pub_key->y); in sm2_compute_Z()
164 p_bit_len = pub_key->params->ec_fp.p_bitlen; in sm2_compute_Z()
167 a = &(pub_key->params->ec_curve.a); in sm2_compute_Z()
168 b = &(pub_key->params->ec_curve.b); in sm2_compute_Z()
172 ret = hm->hfunc_init(&hctx); EG(ret, err); in sm2_compute_Z()
177 ret = hm->hfunc_update(&hctx, buf, 2); EG(ret, err); in sm2_compute_Z()
180 ret = hm->hfunc_update(&hctx, id, id_len); EG(ret, err); in sm2_compute_Z()
184 ret = hm->hfunc_update(&hctx, buf, p_len); EG(ret, err); in sm2_compute_Z()
188 ret = hm->hfunc_update(&hctx, buf, p_len); EG(ret, err); in sm2_compute_Z()
192 ret = hm->hfunc_update(&hctx, buf, (u32)(2 * p_len)); EG(ret, err); in sm2_compute_Z()
196 ret = hm->hfunc_update(&hctx, buf, (u32)(2 * p_len)); EG(ret, err); in sm2_compute_Z()
199 ret = hm->hfunc_finalize(&hctx, Z); EG(ret, err); in sm2_compute_Z()
226 *| IUF - SM2 signature
229 *| F 2. Compute H = h(M1)
231 *| F 4. Compute W = (W_x,W_y) = kG
232 *| F 5. Compute r = (OS2I(H) + Wx) mod q
235 *| F 8. Compute s = ((1 + x)^(-1) * (k - rx)) mod q
245 MUST_HAVE((((void *)(A)) != NULL) && ((A)->magic == SM2_SIGN_MAGIC), ret, err)
257 ret = key_pair_check_initialized_and_type(ctx->key_pair, SM2); EG(ret, err); in _sm2_sign_init()
258 MUST_HAVE((ctx->h != NULL) && (ctx->h->digest_size <= MAX_DIGEST_SIZE) && in _sm2_sign_init()
259 (ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err); in _sm2_sign_init()
266 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _sm2_sign_init()
267 ret = ctx->h->hfunc_init(&(ctx->sign_data.sm2.h_ctx)); EG(ret, err); in _sm2_sign_init()
269 /* Compute Z from the ID */ in _sm2_sign_init()
272 ret = sm2_compute_Z(Z, &Zlen, ctx->adata, ctx->adata_len, in _sm2_sign_init()
273 &(ctx->key_pair->pub_key), ctx->h->type); EG(ret, err); in _sm2_sign_init()
277 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _sm2_sign_init()
278 ret = ctx->h->hfunc_update(&(ctx->sign_data.sm2.h_ctx), Z, Zlen); EG(ret, err); in _sm2_sign_init()
280 ctx->sign_data.sm2.magic = SM2_SIGN_MAGIC; in _sm2_sign_init()
299 SM2_SIGN_CHECK_INITIALIZED(&(ctx->sign_data.sm2), ret, err); in _sm2_sign_update()
301 /* 1. Compute h = H(m) */ in _sm2_sign_update()
303 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _sm2_sign_update()
304 ret = ctx->h->hfunc_update(&(ctx->sign_data.sm2.h_ctx), chunk, chunklen); in _sm2_sign_update()
335 SM2_SIGN_CHECK_INITIALIZED(&(ctx->sign_data.sm2), ret, err); in _sm2_sign_finalize()
342 priv_key = &(ctx->key_pair->priv_key); in _sm2_sign_finalize()
343 q = &(priv_key->params->ec_gen_order); in _sm2_sign_finalize()
344 q_bit_len = priv_key->params->ec_gen_order_bitlen; in _sm2_sign_finalize()
345 G = &(priv_key->params->ec_gen); in _sm2_sign_finalize()
347 x = &(priv_key->x); in _sm2_sign_finalize()
348 hsize = ctx->h->digest_size; in _sm2_sign_finalize()
350 dbg_nn_print("p", &(priv_key->params->ec_fp.p)); in _sm2_sign_finalize()
351 dbg_nn_print("q", &(priv_key->params->ec_gen_order)); in _sm2_sign_finalize()
353 dbg_ec_point_print("G", &(priv_key->params->ec_gen)); in _sm2_sign_finalize()
354 dbg_pub_key_print("Y", &(ctx->key_pair->pub_key)); in _sm2_sign_finalize()
361 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _sm2_sign_finalize()
363 /* 2. Compute H = h(M1) */ in _sm2_sign_finalize()
364 ret = ctx->h->hfunc_finalize(&(ctx->sign_data.sm2.h_ctx), hash); EG(ret, err); in _sm2_sign_finalize()
376 MUST_HAVE(ctx->rand == nn_get_random_mod, ret, err); in _sm2_sign_finalize()
378 ret = ctx->rand(&k, q); EG(ret, err); in _sm2_sign_finalize()
381 /* 4. Compute W = (W_x,W_y) = kG */ in _sm2_sign_finalize()
392 /* 5. Compute r = (OS2I(H) + Wx) mod q */ in _sm2_sign_finalize()
413 /* 8. Compute s = ((1 + x)^(-1) * (k - rx)) mod q */ in _sm2_sign_finalize()
417 * following way s = ((b*(1 + x))^(-1) * (kb - (br)x)) mod q in _sm2_sign_finalize()
426 ret = nn_modinv_fermat(&tmp, &tmp2, q); EG(ret, err); /* tmp = (b*(1 + x))^(-1) */ in _sm2_sign_finalize()
427 dbg_nn_print("(b*(1 + x))^(-1)", &tmp); in _sm2_sign_finalize()
431 ret = nn_mod_sub(&tmp2, &k, &tmp3, q); EG(ret, err); /* tmp2 = (kb - (rb)x) mod q */ in _sm2_sign_finalize()
439 ret = nn_modinv_fermat(&tmp, &tmp2, q); EG(ret, err); /* tmp = (1 + x)^(-1) */ in _sm2_sign_finalize()
440 dbg_nn_print("(1 + x)^(-1)", &tmp); in _sm2_sign_finalize()
442 ret = nn_mod_sub(&tmp2, &k, &tmp3, q); EG(ret, err); /* tmp2 = (k - rx) mod q */ in _sm2_sign_finalize()
472 IGNORE_RET_VAL(local_memset(&(ctx->sign_data.sm2), 0, sizeof(sm2_sign_data))); in _sm2_sign_finalize()
498 *| IUF - SM2 verification
501 *| UF 2. Compute h = H(M1) w/ M1 = Z || M (See (*) below)
502 *| F 3. Compute t = r + s mod q
504 *| F 5. Compute e = OS2I(h) mod q
505 *| F 6. Compute W' = sG + tY
507 *| F 8. Compute r' = (e + W'_x) mod q
516 MUST_HAVE((((void *)(A)) != NULL) && ((A)->magic == SM2_VERIFY_MAGIC), ret, err)
533 ret = pub_key_check_initialized_and_type(ctx->pub_key, SM2); EG(ret, err); in _sm2_verify_init()
534 MUST_HAVE((ctx->h != NULL) && (ctx->h->digest_size <= MAX_DIGEST_SIZE) && in _sm2_verify_init()
535 (ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err); in _sm2_verify_init()
539 q = &(ctx->pub_key->params->ec_gen_order); in _sm2_verify_init()
540 q_bit_len = ctx->pub_key->params->ec_gen_order_bitlen; in _sm2_verify_init()
542 r = &(ctx->verify_data.sm2.r); in _sm2_verify_init()
543 s = &(ctx->verify_data.sm2.s); in _sm2_verify_init()
563 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _sm2_verify_init()
564 ret = ctx->h->hfunc_init(&(ctx->verify_data.sm2.h_ctx)); EG(ret, err); in _sm2_verify_init()
566 /* Compute Z from the ID */ in _sm2_verify_init()
569 …ret = sm2_compute_Z(Z, &Zlen, ctx->adata, ctx->adata_len, ctx->pub_key, ctx->h->type); EG(ret, err… in _sm2_verify_init()
572 ret = ctx->h->hfunc_update(&(ctx->verify_data.sm2.h_ctx), Z, Zlen); EG(ret, err); in _sm2_verify_init()
574 ctx->verify_data.sm2.magic = SM2_VERIFY_MAGIC; in _sm2_verify_init()
599 SM2_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.sm2), ret, err); in _sm2_verify_update()
601 /* 2. Compute h = H(M1) w/ M1 = Z || M */ in _sm2_verify_update()
603 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _sm2_verify_update()
604 ret = ctx->h->hfunc_update(&(ctx->verify_data.sm2.h_ctx), chunk, chunklen); in _sm2_verify_update()
635 SM2_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.sm2), ret, err); in _sm2_verify_finalize()
642 G = &(ctx->pub_key->params->ec_gen); in _sm2_verify_finalize()
643 Y = &(ctx->pub_key->y); in _sm2_verify_finalize()
644 q = &(ctx->pub_key->params->ec_gen_order); in _sm2_verify_finalize()
645 hsize = ctx->h->digest_size; in _sm2_verify_finalize()
646 r = &(ctx->verify_data.sm2.r); in _sm2_verify_finalize()
647 s = &(ctx->verify_data.sm2.s); in _sm2_verify_finalize()
649 /* 2. Compute h = H(M1) w/ M1 = Z || M */ in _sm2_verify_finalize()
651 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _sm2_verify_finalize()
652 ret = ctx->h->hfunc_finalize(&(ctx->verify_data.sm2.h_ctx), hash); EG(ret, err); in _sm2_verify_finalize()
655 /* 3. Compute t = r + s mod q */ in _sm2_verify_finalize()
662 /* 5. Compute e = OS2I(h) mod q */ in _sm2_verify_finalize()
669 /* 6. Compute W' = sG + tY */ in _sm2_verify_finalize()
678 /* 8. Compute r' = (e + W'_x) mod q */ in _sm2_verify_finalize()
680 dbg_nn_print("W'_x", &(W_prime->X.fp_val)); in _sm2_verify_finalize()
681 dbg_nn_print("W'_y", &(W_prime->Y.fp_val)); in _sm2_verify_finalize()
684 ret = nn_mod(&r_prime, &(W_prime->X.fp_val), q); EG(ret, err); in _sm2_verify_finalize()
685 /* Then compute r' = (e + W'_x) mod q */ in _sm2_verify_finalize()
690 ret = (cmp != 0) ? -1 : 0; in _sm2_verify_finalize()
704 IGNORE_RET_VAL(local_memset(&(ctx->verify_data.sm2), 0, sizeof(sm2_verify_data))); in _sm2_verify_finalize()