[gostls13.git] / src / crypto / elliptic / params.go

// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package elliptic

import "math/big"

// CurveParams contains the parameters of an elliptic curve and also provides
// a generic, non-constant time implementation of Curve.
//
// Note: Custom curves (those not returned by P224(), P256(), P384(), and P521())
// are not guaranteed to provide any security property.
type CurveParams struct {
        P       *big.Int // the order of the underlying field
        N       *big.Int // the order of the base point
        B       *big.Int // the constant of the curve equation
        Gx, Gy  *big.Int // (x,y) of the base point
        BitSize int      // the size of the underlying field
        Name    string   // the canonical name of the curve
}

func (curve *CurveParams) Params() *CurveParams {
        return curve
}

// CurveParams operates, internally, on Jacobian coordinates. For a given
// (x, y) position on the curve, the Jacobian coordinates are (x1, y1, z1)
// where x = x1/z1² and y = y1/z1³. The greatest speedups come when the whole
// calculation can be performed within the transform (as in ScalarMult and
// ScalarBaseMult). But even for Add and Double, it's faster to apply and
// reverse the transform than to operate in affine coordinates.

// polynomial returns x³ - 3x + b.
func (curve *CurveParams) polynomial(x *big.Int) *big.Int {
        x3 := new(big.Int).Mul(x, x)
        x3.Mul(x3, x)

        threeX := new(big.Int).Lsh(x, 1)
        threeX.Add(threeX, x)

        x3.Sub(x3, threeX)
        x3.Add(x3, curve.B)
        x3.Mod(x3, curve.P)

        return x3
}

// IsOnCurve implements Curve.IsOnCurve.
//
// Note: the CurveParams methods are not guaranteed to
// provide any security property. For ECDH, use the crypto/ecdh package.
// For ECDSA, use the crypto/ecdsa package with a Curve value returned directly
// from P224(), P256(), P384(), or P521().
func (curve *CurveParams) IsOnCurve(x, y *big.Int) bool {
        // If there is a dedicated constant-time implementation for this curve operation,
        // use that instead of the generic one.
        if specific, ok := matchesSpecificCurve(curve); ok {
                return specific.IsOnCurve(x, y)
        }

        if x.Sign() < 0 || x.Cmp(curve.P) >= 0 ||
                y.Sign() < 0 || y.Cmp(curve.P) >= 0 {
                return false
        }

        // y² = x³ - 3x + b
        y2 := new(big.Int).Mul(y, y)
        y2.Mod(y2, curve.P)

        return curve.polynomial(x).Cmp(y2) == 0
}

// zForAffine returns a Jacobian Z value for the affine point (x, y). If x and
// y are zero, it assumes that they represent the point at infinity because (0,
// 0) is not on the any of the curves handled here.
func zForAffine(x, y *big.Int) *big.Int {
        z := new(big.Int)
        if x.Sign() != 0 || y.Sign() != 0 {
                z.SetInt64(1)
        }
        return z
}

// affineFromJacobian reverses the Jacobian transform. See the comment at the
// top of the file. If the point is ∞ it returns 0, 0.
func (curve *CurveParams) affineFromJacobian(x, y, z *big.Int) (xOut, yOut *big.Int) {
        if z.Sign() == 0 {
                return new(big.Int), new(big.Int)
        }

        zinv := new(big.Int).ModInverse(z, curve.P)
        zinvsq := new(big.Int).Mul(zinv, zinv)

        xOut = new(big.Int).Mul(x, zinvsq)
        xOut.Mod(xOut, curve.P)
        zinvsq.Mul(zinvsq, zinv)
        yOut = new(big.Int).Mul(y, zinvsq)
        yOut.Mod(yOut, curve.P)
        return
}

// Add implements Curve.Add.
//
// Note: the CurveParams methods are not guaranteed to
// provide any security property. For ECDH, use the crypto/ecdh package.
// For ECDSA, use the crypto/ecdsa package with a Curve value returned directly
// from P224(), P256(), P384(), or P521().
func (curve *CurveParams) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int) {
        // If there is a dedicated constant-time implementation for this curve operation,
        // use that instead of the generic one.
        if specific, ok := matchesSpecificCurve(curve); ok {
                return specific.Add(x1, y1, x2, y2)
        }
        panicIfNotOnCurve(curve, x1, y1)
        panicIfNotOnCurve(curve, x2, y2)

        z1 := zForAffine(x1, y1)
        z2 := zForAffine(x2, y2)
        return curve.affineFromJacobian(curve.addJacobian(x1, y1, z1, x2, y2, z2))
}

// addJacobian takes two points in Jacobian coordinates, (x1, y1, z1) and
// (x2, y2, z2) and returns their sum, also in Jacobian form.
func (curve *CurveParams) addJacobian(x1, y1, z1, x2, y2, z2 *big.Int) (*big.Int, *big.Int, *big.Int) {
        // See https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl
        x3, y3, z3 := new(big.Int), new(big.Int), new(big.Int)
        if z1.Sign() == 0 {
                x3.Set(x2)
                y3.Set(y2)
                z3.Set(z2)
                return x3, y3, z3
        }
        if z2.Sign() == 0 {
                x3.Set(x1)
                y3.Set(y1)
                z3.Set(z1)
                return x3, y3, z3
        }

        z1z1 := new(big.Int).Mul(z1, z1)
        z1z1.Mod(z1z1, curve.P)
        z2z2 := new(big.Int).Mul(z2, z2)
        z2z2.Mod(z2z2, curve.P)

        u1 := new(big.Int).Mul(x1, z2z2)
        u1.Mod(u1, curve.P)
        u2 := new(big.Int).Mul(x2, z1z1)
        u2.Mod(u2, curve.P)
        h := new(big.Int).Sub(u2, u1)
        xEqual := h.Sign() == 0
        if h.Sign() == -1 {
                h.Add(h, curve.P)
        }
        i := new(big.Int).Lsh(h, 1)
        i.Mul(i, i)
        j := new(big.Int).Mul(h, i)

        s1 := new(big.Int).Mul(y1, z2)
        s1.Mul(s1, z2z2)
        s1.Mod(s1, curve.P)
        s2 := new(big.Int).Mul(y2, z1)
        s2.Mul(s2, z1z1)
        s2.Mod(s2, curve.P)
        r := new(big.Int).Sub(s2, s1)
        if r.Sign() == -1 {
                r.Add(r, curve.P)
        }
        yEqual := r.Sign() == 0
        if xEqual && yEqual {
                return curve.doubleJacobian(x1, y1, z1)
        }
        r.Lsh(r, 1)
        v := new(big.Int).Mul(u1, i)

        x3.Set(r)
        x3.Mul(x3, x3)
        x3.Sub(x3, j)
        x3.Sub(x3, v)
        x3.Sub(x3, v)
        x3.Mod(x3, curve.P)

        y3.Set(r)
        v.Sub(v, x3)
        y3.Mul(y3, v)
        s1.Mul(s1, j)
        s1.Lsh(s1, 1)
        y3.Sub(y3, s1)
        y3.Mod(y3, curve.P)

        z3.Add(z1, z2)
        z3.Mul(z3, z3)
        z3.Sub(z3, z1z1)
        z3.Sub(z3, z2z2)
        z3.Mul(z3, h)
        z3.Mod(z3, curve.P)

        return x3, y3, z3
}

// Double implements Curve.Double.
//
// Note: the CurveParams methods are not guaranteed to
// provide any security property. For ECDH, use the crypto/ecdh package.
// For ECDSA, use the crypto/ecdsa package with a Curve value returned directly
// from P224(), P256(), P384(), or P521().
func (curve *CurveParams) Double(x1, y1 *big.Int) (*big.Int, *big.Int) {
        // If there is a dedicated constant-time implementation for this curve operation,
        // use that instead of the generic one.
        if specific, ok := matchesSpecificCurve(curve); ok {
                return specific.Double(x1, y1)
        }
        panicIfNotOnCurve(curve, x1, y1)

        z1 := zForAffine(x1, y1)
        return curve.affineFromJacobian(curve.doubleJacobian(x1, y1, z1))
}

// doubleJacobian takes a point in Jacobian coordinates, (x, y, z), and
// returns its double, also in Jacobian form.
func (curve *CurveParams) doubleJacobian(x, y, z *big.Int) (*big.Int, *big.Int, *big.Int) {
        // See https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
        delta := new(big.Int).Mul(z, z)
        delta.Mod(delta, curve.P)
        gamma := new(big.Int).Mul(y, y)
        gamma.Mod(gamma, curve.P)
        alpha := new(big.Int).Sub(x, delta)
        if alpha.Sign() == -1 {
                alpha.Add(alpha, curve.P)
        }
        alpha2 := new(big.Int).Add(x, delta)
        alpha.Mul(alpha, alpha2)
        alpha2.Set(alpha)
        alpha.Lsh(alpha, 1)
        alpha.Add(alpha, alpha2)

        beta := alpha2.Mul(x, gamma)

        x3 := new(big.Int).Mul(alpha, alpha)
        beta8 := new(big.Int).Lsh(beta, 3)
        beta8.Mod(beta8, curve.P)
        x3.Sub(x3, beta8)
        if x3.Sign() == -1 {
                x3.Add(x3, curve.P)
        }
        x3.Mod(x3, curve.P)

        z3 := new(big.Int).Add(y, z)
        z3.Mul(z3, z3)
        z3.Sub(z3, gamma)
        if z3.Sign() == -1 {
                z3.Add(z3, curve.P)
        }
        z3.Sub(z3, delta)
        if z3.Sign() == -1 {
                z3.Add(z3, curve.P)
        }
        z3.Mod(z3, curve.P)

        beta.Lsh(beta, 2)
        beta.Sub(beta, x3)
        if beta.Sign() == -1 {
                beta.Add(beta, curve.P)
        }
        y3 := alpha.Mul(alpha, beta)

        gamma.Mul(gamma, gamma)
        gamma.Lsh(gamma, 3)
        gamma.Mod(gamma, curve.P)

        y3.Sub(y3, gamma)
        if y3.Sign() == -1 {
                y3.Add(y3, curve.P)
        }
        y3.Mod(y3, curve.P)

        return x3, y3, z3
}

// ScalarMult implements Curve.ScalarMult.
//
// Note: the CurveParams methods are not guaranteed to
// provide any security property. For ECDH, use the crypto/ecdh package.
// For ECDSA, use the crypto/ecdsa package with a Curve value returned directly
// from P224(), P256(), P384(), or P521().
func (curve *CurveParams) ScalarMult(Bx, By *big.Int, k []byte) (*big.Int, *big.Int) {
        // If there is a dedicated constant-time implementation for this curve operation,
        // use that instead of the generic one.
        if specific, ok := matchesSpecificCurve(curve); ok {
                return specific.ScalarMult(Bx, By, k)
        }
        panicIfNotOnCurve(curve, Bx, By)

        Bz := new(big.Int).SetInt64(1)
        x, y, z := new(big.Int), new(big.Int), new(big.Int)

        for _, byte := range k {
                for bitNum := 0; bitNum < 8; bitNum++ {
                        x, y, z = curve.doubleJacobian(x, y, z)
                        if byte&0x80 == 0x80 {
                                x, y, z = curve.addJacobian(Bx, By, Bz, x, y, z)
                        }
                        byte <<= 1
                }
        }

        return curve.affineFromJacobian(x, y, z)
}

// ScalarBaseMult implements Curve.ScalarBaseMult.
//
// Note: the CurveParams methods are not guaranteed to
// provide any security property. For ECDH, use the crypto/ecdh package.
// For ECDSA, use the crypto/ecdsa package with a Curve value returned directly
// from P224(), P256(), P384(), or P521().
func (curve *CurveParams) ScalarBaseMult(k []byte) (*big.Int, *big.Int) {
        // If there is a dedicated constant-time implementation for this curve operation,
        // use that instead of the generic one.
        if specific, ok := matchesSpecificCurve(curve); ok {
                return specific.ScalarBaseMult(k)
        }

        return curve.ScalarMult(curve.Gx, curve.Gy, k)
}

func matchesSpecificCurve(params *CurveParams) (Curve, bool) {
        for _, c := range []Curve{p224, p256, p384, p521} {
                if params == c.Params() {
                        return c, true
                }
        }
        return nil, false
}