xref: /aosp_15_r20/external/boringssl/src/crypto/fipsmodule/ec/p256-nistz.h (revision 8fb009dc861624b67b6cdb62ea21f0f22d0c584b) 
1 /*
2  * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright (c) 2014, Intel Corporation. All Rights Reserved.
4  *
5  * Licensed under the OpenSSL license (the "License").  You may not use
6  * this file except in compliance with the License.  You can obtain a copy
7  * in the file LICENSE in the source distribution or at
8  * https://www.openssl.org/source/license.html
9  *
10  * Originally written by Shay Gueron (1, 2), and Vlad Krasnov (1)
11  * (1) Intel Corporation, Israel Development Center, Haifa, Israel
12  * (2) University of Haifa, Israel
13  *
14  * Reference:
15  * S.Gueron and V.Krasnov, "Fast Prime Field Elliptic Curve Cryptography with
16  *                          256 Bit Primes"
17  */
18 
19 #ifndef OPENSSL_HEADER_EC_P256_X86_64_H
20 #define OPENSSL_HEADER_EC_P256_X86_64_H
21 
22 #include <openssl/base.h>
23 
24 #include <openssl/bn.h>
25 
26 #include "../bn/internal.h"
27 
28 #if defined(__cplusplus)
29 extern "C" {
30 #endif
31 
32 
33 #if !defined(OPENSSL_NO_ASM) && \
34     (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) &&   \
35     !defined(OPENSSL_SMALL)
36 
37 // P-256 field operations.
38 //
39 // An element mod P in P-256 is represented as a little-endian array of
40 // |P256_LIMBS| |BN_ULONG|s, spanning the full range of values.
41 //
42 // The following functions take fully-reduced inputs mod P and give
43 // fully-reduced outputs. They may be used in-place.
44 
45 #define P256_LIMBS (256 / BN_BITS2)
46 
47 // ecp_nistz256_neg sets |res| to -|a| mod P.
48 void ecp_nistz256_neg(BN_ULONG res[P256_LIMBS], const BN_ULONG a[P256_LIMBS]);
49 
50 // ecp_nistz256_mul_mont sets |res| to |a| * |b| * 2^-256 mod P.
51 void ecp_nistz256_mul_mont(BN_ULONG res[P256_LIMBS],
52                            const BN_ULONG a[P256_LIMBS],
53                            const BN_ULONG b[P256_LIMBS]);
54 
55 // ecp_nistz256_sqr_mont sets |res| to |a| * |a| * 2^-256 mod P.
56 void ecp_nistz256_sqr_mont(BN_ULONG res[P256_LIMBS],
57                            const BN_ULONG a[P256_LIMBS]);
58 
59 // ecp_nistz256_from_mont sets |res| to |in|, converted from Montgomery domain
60 // by multiplying with 1.
ecp_nistz256_from_mont(BN_ULONG res[P256_LIMBS],const BN_ULONG in[P256_LIMBS])61 static inline void ecp_nistz256_from_mont(BN_ULONG res[P256_LIMBS],
62                                           const BN_ULONG in[P256_LIMBS]) {
63   static const BN_ULONG ONE[P256_LIMBS] = { 1 };
64   ecp_nistz256_mul_mont(res, in, ONE);
65 }
66 
67 
68 // P-256 scalar operations.
69 //
70 // The following functions compute modulo N, where N is the order of P-256. They
71 // take fully-reduced inputs and give fully-reduced outputs.
72 
73 // ecp_nistz256_ord_mul_mont sets |res| to |a| * |b| where inputs and outputs
74 // are in Montgomery form. That is, |res| is |a| * |b| * 2^-256 mod N.
75 void ecp_nistz256_ord_mul_mont(BN_ULONG res[P256_LIMBS],
76                                const BN_ULONG a[P256_LIMBS],
77                                const BN_ULONG b[P256_LIMBS]);
78 
79 // ecp_nistz256_ord_sqr_mont sets |res| to |a|^(2*|rep|) where inputs and
80 // outputs are in Montgomery form. That is, |res| is
81 // (|a| * 2^-256)^(2*|rep|) * 2^256 mod N.
82 void ecp_nistz256_ord_sqr_mont(BN_ULONG res[P256_LIMBS],
83                                const BN_ULONG a[P256_LIMBS], BN_ULONG rep);
84 
85 // beeu_mod_inverse_vartime sets out = a^-1 mod p using a Euclidean algorithm.
86 // Assumption: 0 < a < p < 2^(256) and p is odd.
87 int beeu_mod_inverse_vartime(BN_ULONG out[P256_LIMBS],
88                              const BN_ULONG a[P256_LIMBS],
89                              const BN_ULONG p[P256_LIMBS]);
90 
91 
92 // P-256 point operations.
93 //
94 // The following functions may be used in-place. All coordinates are in the
95 // Montgomery domain.
96 
97 // A P256_POINT represents a P-256 point in Jacobian coordinates.
98 typedef struct {
99   BN_ULONG X[P256_LIMBS];
100   BN_ULONG Y[P256_LIMBS];
101   BN_ULONG Z[P256_LIMBS];
102 } P256_POINT;
103 
104 // A P256_POINT_AFFINE represents a P-256 point in affine coordinates. Infinity
105 // is encoded as (0, 0).
106 typedef struct {
107   BN_ULONG X[P256_LIMBS];
108   BN_ULONG Y[P256_LIMBS];
109 } P256_POINT_AFFINE;
110 
111 // ecp_nistz256_select_w5 sets |*val| to |in_t[index-1]| if 1 <= |index| <= 16
112 // and all zeros (the point at infinity) if |index| is 0. This is done in
113 // constant time.
114 void ecp_nistz256_select_w5(P256_POINT *val, const P256_POINT in_t[16],
115                             int index);
116 
117 // ecp_nistz256_select_w7 sets |*val| to |in_t[index-1]| if 1 <= |index| <= 64
118 // and all zeros (the point at infinity) if |index| is 0. This is done in
119 // constant time.
120 void ecp_nistz256_select_w7(P256_POINT_AFFINE *val,
121                             const P256_POINT_AFFINE in_t[64], int index);
122 
123 // ecp_nistz256_point_double sets |r| to |a| doubled.
124 void ecp_nistz256_point_double(P256_POINT *r, const P256_POINT *a);
125 
126 // ecp_nistz256_point_add adds |a| to |b| and places the result in |r|.
127 void ecp_nistz256_point_add(P256_POINT *r, const P256_POINT *a,
128                             const P256_POINT *b);
129 
130 // ecp_nistz256_point_add_affine adds |a| to |b| and places the result in
131 // |r|. |a| and |b| must not represent the same point unless they are both
132 // infinity.
133 void ecp_nistz256_point_add_affine(P256_POINT *r, const P256_POINT *a,
134                                    const P256_POINT_AFFINE *b);
135 
136 #endif /* !defined(OPENSSL_NO_ASM) && \
137           (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) &&   \
138           !defined(OPENSSL_SMALL) */
139 
140 
141 #if defined(__cplusplus)
142 }  // extern C++
143 #endif
144 
145 #endif  // OPENSSL_HEADER_EC_P256_X86_64_H
146