x448.go 3.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114
  1. // The MIT License (MIT)
  2. //
  3. // Copyright (c) 2014-2015 Cryptography Research, Inc.
  4. // Copyright (c) 2015 Yawning Angel.
  5. //
  6. // Permission is hereby granted, free of charge, to any person obtaining a copy
  7. // of this software and associated documentation files (the "Software"), to deal
  8. // in the Software without restriction, including without limitation the rights
  9. // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  10. // copies of the Software, and to permit persons to whom the Software is
  11. // furnished to do so, subject to the following conditions:
  12. //
  13. // The above copyright notice and this permission notice shall be included in
  14. // all copies or substantial portions of the Software.
  15. //
  16. // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  17. // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  18. // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  19. // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  20. // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  21. // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  22. // THE SOFTWARE.
  23. // Package x448 provides an implementation of scalar multiplication on the
  24. // elliptic curve known as curve448.
  25. //
  26. // See https://tools.ietf.org/html/draft-irtf-cfrg-curves-11
  27. package x448 // import "git.schwanenlied.me/yawning/x448.git"
  28. const (
  29. x448Bytes = 56
  30. edwardsD = -39081
  31. )
  32. var basePoint = [56]byte{
  33. 5, 0, 0, 0, 0, 0,
  34. 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
  35. 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
  36. 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
  37. }
  38. func ScalarMult(out, scalar, base *[56]byte) int {
  39. var x1, x2, z2, x3, z3, t1, t2 gf
  40. x1.deser(base)
  41. x2.cpy(&one)
  42. z2.cpy(&zero)
  43. x3.cpy(&x1)
  44. z3.cpy(&one)
  45. var swap limbUint
  46. for t := int(448 - 1); t >= 0; t-- {
  47. sb := scalar[t/8]
  48. // Scalar conditioning.
  49. if t/8 == 0 {
  50. sb &= 0xFC
  51. } else if t/8 == x448Bytes-1 {
  52. sb |= 0x80
  53. }
  54. kT := (limbUint)((sb >> ((uint)(t) % 8)) & 1)
  55. kT = -kT // Set to all 0s or all 1s
  56. swap ^= kT
  57. x2.condSwap(&x3, swap)
  58. z2.condSwap(&z3, swap)
  59. swap = kT
  60. t1.add(&x2, &z2) // A = x2 + z2
  61. t2.sub(&x2, &z2) // B = x2 - z2
  62. z2.sub(&x3, &z3) // D = x3 - z3
  63. x2.mul(&t1, &z2) // DA
  64. z2.add(&z3, &x3) // C = x3 + z3
  65. x3.mul(&t2, &z2) // CB
  66. z3.sub(&x2, &x3) // DA-CB
  67. z2.sqr(&z3) // (DA-CB)^2
  68. z3.mul(&x1, &z2) // z3 = x1(DA-CB)^2
  69. z2.add(&x2, &x3) // (DA+CB)
  70. x3.sqr(&z2) // x3 = (DA+CB)^2
  71. z2.sqr(&t1) // AA = A^2
  72. t1.sqr(&t2) // BB = B^2
  73. x2.mul(&z2, &t1) // x2 = AA*BB
  74. t2.sub(&z2, &t1) // E = AA-BB
  75. t1.mlw(&t2, -edwardsD) // E*-d = a24*E
  76. t1.add(&t1, &z2) // AA + a24*E
  77. z2.mul(&t2, &t1) // z2 = E(AA+a24*E)
  78. }
  79. // Finish
  80. x2.condSwap(&x3, swap)
  81. z2.condSwap(&x3, swap)
  82. z2.inv(&z2)
  83. x1.mul(&x2, &z2)
  84. x1.ser(out)
  85. // As with X25519, both sides MUST check, without leaking extra
  86. // information about the value of K, whether the resulting shared K is
  87. // the all-zero value and abort if so.
  88. var nz limbSint
  89. for _, v := range out {
  90. nz |= (limbSint)(v)
  91. }
  92. nz = (nz - 1) >> 8 // 0 = succ, -1 = fail
  93. // return value: 0 = succ, -1 = fail
  94. return (int)(nz)
  95. }
  96. func ScalarBaseMult(out, scalar *[56]byte) int {
  97. return ScalarMult(out, scalar, &basePoint)
  98. }