core/lib/libtomcrypt/src/pk/ecc/ltc_ecc_mulmod_timing.c - optee-os-mtk - Git at Google

 // SPDX-License-Identifier: BSD-2-Clause
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
  *
  * LibTomCrypt is a library that provides various cryptographic
  * algorithms in a highly modular and flexible manner.
  *
  * The library is free for all purposes without any express
  * guarantee it works.
  */

 #include "tomcrypt_private.h"

 /**
   @file ltc_ecc_mulmod_timing.c
   ECC Crypto, Tom St Denis
 */

 #ifdef LTC_MECC

 #ifdef LTC_ECC_TIMING_RESISTANT

 /**
    Perform a point multiplication  (timing resistant)
    @param k    The scalar to multiply by
    @param G    The base point
    @param R    [out] Destination for kG
    @param a    ECC curve parameter a
    @param modulus  The modulus of the field the ECC curve is in
    @param map      Boolean whether to map back to affine or not (1==map, 0 == leave in projective)
    @return CRYPT_OK on success
 */
 int ltc_ecc_mulmod(void *k, const ecc_point *G, ecc_point *R, void *a, void *modulus, int map)
 {
    ecc_point *tG, *M[3];
    int        i, j, err, inf;
    void       *mp = NULL, *mu = NULL, *ma = NULL, *a_plus3 = NULL;
    ltc_mp_digit buf;
    int        bitcnt, mode, digidx;

    LTC_ARGCHK(k       != NULL);
    LTC_ARGCHK(G       != NULL);
    LTC_ARGCHK(R       != NULL);
    LTC_ARGCHK(modulus != NULL);

    if ((err = ltc_ecc_is_point_at_infinity(G, modulus, &inf)) != CRYPT_OK) return err;
    if (inf) {
       /* return the point at infinity */
       return ltc_ecc_set_point_xyz(1, 1, 0, R);
    }

    /* init montgomery reduction */
    if ((err = mp_montgomery_setup(modulus, &mp)) != CRYPT_OK)        { goto error; }
    if ((err = mp_init(&mu)) != CRYPT_OK)                             { goto error; }
    if ((err = mp_montgomery_normalization(mu, modulus)) != CRYPT_OK) { goto error; }

    /* for curves with a == -3 keep ma == NULL */
    if ((err = mp_init(&a_plus3)) != CRYPT_OK)                        { goto error; }
    if ((err = mp_add_d(a, 3, a_plus3)) != CRYPT_OK)                  { goto error; }
    if (mp_cmp(a_plus3, modulus) != LTC_MP_EQ) {
       if ((err = mp_init(&ma)) != CRYPT_OK)                          { goto error; }
       if ((err = mp_mulmod(a, mu, modulus, ma)) != CRYPT_OK)         { goto error; }
    }

    /* alloc ram for window temps */
    for (i = 0; i < 3; i++) {
       M[i] = ltc_ecc_new_point();
       if (M[i] == NULL) {
          for (j = 0; j < i; j++) {
              ltc_ecc_del_point(M[j]);
          }
          mp_clear(mu);
          mp_montgomery_free(mp);
          return CRYPT_MEM;
       }
    }

    /* make a copy of G incase R==G */
    tG = ltc_ecc_new_point();
    if (tG == NULL)                                                                   { err = CRYPT_MEM; goto done; }

    /* tG = G  and convert to montgomery */
    if ((err = mp_mulmod(G->x, mu, modulus, tG->x)) != CRYPT_OK)                      { goto done; }
    if ((err = mp_mulmod(G->y, mu, modulus, tG->y)) != CRYPT_OK)                      { goto done; }
    if ((err = mp_mulmod(G->z, mu, modulus, tG->z)) != CRYPT_OK)                      { goto done; }
    mp_clear(mu);
    mu = NULL;

    /* calc the M tab */
    /* M[0] == G */
    if ((err = ltc_ecc_copy_point(tG, M[0])) != CRYPT_OK)                             { goto done; }
    /* M[1] == 2G */
    if ((err = ltc_mp.ecc_ptdbl(tG, M[1], ma, modulus, mp)) != CRYPT_OK)              { goto done; }

    /* setup sliding window */
    mode   = 0;
    bitcnt = 1;
    buf    = 0;
    digidx = mp_get_digit_count(k) - 1;

    /* perform ops */
    for (;;) {
      /* grab next digit as required */
       if (--bitcnt == 0) {
          if (digidx == -1) {
             break;
          }
          buf    = mp_get_digit(k, digidx);
          bitcnt = (int) MP_DIGIT_BIT;
          --digidx;
       }

       /* grab the next msb from the ltiplicand */
       i = (int)((buf >> (MP_DIGIT_BIT - 1)) & 1);
       buf <<= 1;

       if (mode == 0 && i == 0) {
          /* dummy operations */
          if ((err = ltc_mp.ecc_ptadd(M[0], M[1], M[2], ma, modulus, mp)) != CRYPT_OK) { goto done; }
          if ((err = ltc_mp.ecc_ptdbl(M[1], M[2], ma, modulus, mp)) != CRYPT_OK)       { goto done; }
          continue;
       }

       if (mode == 0 && i == 1) {
          mode = 1;
          /* dummy operations */
          if ((err = ltc_mp.ecc_ptadd(M[0], M[1], M[2], ma, modulus, mp)) != CRYPT_OK) { goto done; }
          if ((err = ltc_mp.ecc_ptdbl(M[1], M[2], ma, modulus, mp)) != CRYPT_OK)       { goto done; }
          continue;
       }

       if ((err = ltc_mp.ecc_ptadd(M[0], M[1], M[i^1], ma, modulus, mp)) != CRYPT_OK)  { goto done; }
       if ((err = ltc_mp.ecc_ptdbl(M[i], M[i], ma, modulus, mp)) != CRYPT_OK)          { goto done; }
    }

    /* copy result out */
    if ((err = ltc_ecc_copy_point(M[0], R)) != CRYPT_OK)                              { goto done; }

    /* map R back from projective space */
    if (map) {
       err = ltc_ecc_map(R, modulus, mp);
    } else {
       err = CRYPT_OK;
    }
 done:
    ltc_ecc_del_point(tG);
    for (i = 0; i < 3; i++) {
        ltc_ecc_del_point(M[i]);
    }
 error:
    if (ma != NULL) mp_clear(ma);
    if (a_plus3 != NULL) mp_clear(a_plus3);
    if (mu != NULL) mp_clear(mu);
    if (mp != NULL) mp_montgomery_free(mp);
    return err;
 }

 #endif
 #endif
 /* ref:         $Format:%D$ */
 /* git commit:  $Format:%H$ */
 /* commit time: $Format:%ai$ */
	// SPDX-License-Identifier: BSD-2-Clause
	/* LibTomCrypt, modular cryptographic library -- Tom St Denis
	*
	* LibTomCrypt is a library that provides various cryptographic
	* algorithms in a highly modular and flexible manner.
	*
	* The library is free for all purposes without any express
	* guarantee it works.
	*/

	#include "tomcrypt_private.h"

	/**
	@file ltc_ecc_mulmod_timing.c
	ECC Crypto, Tom St Denis
	*/

	#ifdef LTC_MECC

	#ifdef LTC_ECC_TIMING_RESISTANT

	/**
	Perform a point multiplication (timing resistant)
	@param k The scalar to multiply by
	@param G The base point
	@param R [out] Destination for kG
	@param a ECC curve parameter a
	@param modulus The modulus of the field the ECC curve is in
	@param map Boolean whether to map back to affine or not (1==map, 0 == leave in projective)
	@return CRYPT_OK on success
	*/
	int ltc_ecc_mulmod(void k, const ecc_point G, ecc_point R, void a, void *modulus, int map)
	{
	ecc_point tG, M[3];
	int i, j, err, inf;
	void mp = NULL, mu = NULL, ma = NULL, a_plus3 = NULL;
	ltc_mp_digit buf;
	int bitcnt, mode, digidx;

	LTC_ARGCHK(k != NULL);
	LTC_ARGCHK(G != NULL);
	LTC_ARGCHK(R != NULL);
	LTC_ARGCHK(modulus != NULL);

	if ((err = ltc_ecc_is_point_at_infinity(G, modulus, &inf)) != CRYPT_OK) return err;
	if (inf) {
	/* return the point at infinity */
	return ltc_ecc_set_point_xyz(1, 1, 0, R);
	}

	/* init montgomery reduction */
	if ((err = mp_montgomery_setup(modulus, &mp)) != CRYPT_OK) { goto error; }
	if ((err = mp_init(&mu)) != CRYPT_OK) { goto error; }
	if ((err = mp_montgomery_normalization(mu, modulus)) != CRYPT_OK) { goto error; }

	/* for curves with a == -3 keep ma == NULL */
	if ((err = mp_init(&a_plus3)) != CRYPT_OK) { goto error; }
	if ((err = mp_add_d(a, 3, a_plus3)) != CRYPT_OK) { goto error; }
	if (mp_cmp(a_plus3, modulus) != LTC_MP_EQ) {
	if ((err = mp_init(&ma)) != CRYPT_OK) { goto error; }
	if ((err = mp_mulmod(a, mu, modulus, ma)) != CRYPT_OK) { goto error; }
	}

	/* alloc ram for window temps */
	for (i = 0; i < 3; i++) {
	M[i] = ltc_ecc_new_point();
	if (M[i] == NULL) {
	for (j = 0; j < i; j++) {
	ltc_ecc_del_point(M[j]);
	}
	mp_clear(mu);
	mp_montgomery_free(mp);
	return CRYPT_MEM;
	}
	}

	/* make a copy of G incase R==G */
	tG = ltc_ecc_new_point();
	if (tG == NULL) { err = CRYPT_MEM; goto done; }

	/* tG = G and convert to montgomery */
	if ((err = mp_mulmod(G->x, mu, modulus, tG->x)) != CRYPT_OK) { goto done; }
	if ((err = mp_mulmod(G->y, mu, modulus, tG->y)) != CRYPT_OK) { goto done; }
	if ((err = mp_mulmod(G->z, mu, modulus, tG->z)) != CRYPT_OK) { goto done; }
	mp_clear(mu);
	mu = NULL;

	/* calc the M tab */
	/* M[0] == G */
	if ((err = ltc_ecc_copy_point(tG, M[0])) != CRYPT_OK) { goto done; }
	/* M[1] == 2G */
	if ((err = ltc_mp.ecc_ptdbl(tG, M[1], ma, modulus, mp)) != CRYPT_OK) { goto done; }

	/* setup sliding window */
	mode = 0;
	bitcnt = 1;
	buf = 0;
	digidx = mp_get_digit_count(k) - 1;

	/* perform ops */
	for (;;) {
	/* grab next digit as required */
	if (--bitcnt == 0) {
	if (digidx == -1) {
	break;
	}
	buf = mp_get_digit(k, digidx);
	bitcnt = (int) MP_DIGIT_BIT;
	--digidx;
	}

	/* grab the next msb from the ltiplicand */
	i = (int)((buf >> (MP_DIGIT_BIT - 1)) & 1);
	buf <<= 1;

	if (mode == 0 && i == 0) {
	/* dummy operations */
	if ((err = ltc_mp.ecc_ptadd(M[0], M[1], M[2], ma, modulus, mp)) != CRYPT_OK) { goto done; }
	if ((err = ltc_mp.ecc_ptdbl(M[1], M[2], ma, modulus, mp)) != CRYPT_OK) { goto done; }
	continue;
	}

	if (mode == 0 && i == 1) {
	mode = 1;
	/* dummy operations */
	if ((err = ltc_mp.ecc_ptadd(M[0], M[1], M[2], ma, modulus, mp)) != CRYPT_OK) { goto done; }
	if ((err = ltc_mp.ecc_ptdbl(M[1], M[2], ma, modulus, mp)) != CRYPT_OK) { goto done; }
	continue;
	}

	if ((err = ltc_mp.ecc_ptadd(M[0], M[1], M[i^1], ma, modulus, mp)) != CRYPT_OK) { goto done; }
	if ((err = ltc_mp.ecc_ptdbl(M[i], M[i], ma, modulus, mp)) != CRYPT_OK) { goto done; }
	}

	/* copy result out */
	if ((err = ltc_ecc_copy_point(M[0], R)) != CRYPT_OK) { goto done; }

	/* map R back from projective space */
	if (map) {
	err = ltc_ecc_map(R, modulus, mp);
	} else {
	err = CRYPT_OK;
	}
	done:
	ltc_ecc_del_point(tG);
	for (i = 0; i < 3; i++) {
	ltc_ecc_del_point(M[i]);
	}
	error:
	if (ma != NULL) mp_clear(ma);
	if (a_plus3 != NULL) mp_clear(a_plus3);
	if (mu != NULL) mp_clear(mu);
	if (mp != NULL) mp_montgomery_free(mp);
	return err;
	}

	#endif
	#endif
	/* ref: $Format:%D$ */
	/* git commit: $Format:%H$ */
	/* commit time: $Format:%ai$ */