Added new define (uECC_SUPPORT_COMPRESSED_POINT) and new API functions.
diff --git a/curve-specific.inc b/curve-specific.inc
index 23a2395..60f5d18 100644
--- a/curve-specific.inc
+++ b/curve-specific.inc
@@ -97,6 +97,7 @@
vli_set(Y1, t4, curve->num_words);
}
+#if uECC_SUPPORT_COMPRESSED_POINT
/* Compute a = sqrt(a) (mod curve_p). */
static void mod_sqrt_default(uECC_word_t *a, uECC_Curve curve) {
bitcount_t i;
@@ -114,6 +115,7 @@
}
vli_set(a, l_result, curve->num_words);
}
+#endif
/* Computes result = x^3 + ax + b. result must not overlap x. */
static void x_side_default(uECC_word_t *result, const uECC_word_t *x, uECC_Curve curve) {
@@ -152,7 +154,9 @@
BYTES_TO_WORDS_8(9F, F8, AC, 65, 8B, 7A, BD, 54),
BYTES_TO_WORDS_4(FC, BE, 97, 1C) },
&double_jacobian_default,
+#if uECC_SUPPORT_COMPRESSED_POINT
&mod_sqrt_default,
+#endif
&x_side_default,
#if (uECC_OPTIMIZATION_LEVEL > 0)
&vli_mmod_fast_secp160r1
@@ -295,7 +299,9 @@
BYTES_TO_WORDS_8(49, 30, 24, 72, AB, E9, A7, 0F),
BYTES_TO_WORDS_8(E7, 80, 9C, E5, 19, 05, 21, 64) },
&double_jacobian_default,
+#if uECC_SUPPORT_COMPRESSED_POINT
&mod_sqrt_default,
+#endif
&x_side_default,
#if (uECC_OPTIMIZATION_LEVEL > 0)
&vli_mmod_fast_secp192r1
@@ -395,7 +401,9 @@
#if uECC_SUPPORTS_secp224r1
+#if uECC_SUPPORT_COMPRESSED_POINT
static void mod_sqrt_secp224r1(uECC_word_t *a, uECC_Curve curve);
+#endif
#if (uECC_OPTIMIZATION_LEVEL > 0)
static void vli_mmod_fast_secp224r1(uECC_word_t *result, uECC_word_t *product);
#endif
@@ -426,7 +434,9 @@
BYTES_TO_WORDS_8(56, 32, 41, F5, AB, B3, 04, 0C),
BYTES_TO_WORDS_4(85, 0A, 05, B4) },
&double_jacobian_default,
+#if uECC_SUPPORT_COMPRESSED_POINT
&mod_sqrt_secp224r1,
+#endif
&x_side_default,
#if (uECC_OPTIMIZATION_LEVEL > 0)
&vli_mmod_fast_secp224r1
@@ -436,6 +446,7 @@
uECC_Curve uECC_secp224r1(void) { return &curve_secp224r1; }
+#if uECC_SUPPORT_COMPRESSED_POINT
/* Routine 3.2.4 RS; from http://www.nsa.gov/ia/_files/nist-routines.pdf */
static void mod_sqrt_secp224r1_rs(uECC_word_t *d1,
uECC_word_t *e1,
@@ -536,7 +547,7 @@
uECC_word_t f0[num_words_secp224r1];
uECC_word_t d1[num_words_secp224r1];
- // s = a; using constant instead of random value
+ /* s = a; using constant instead of random value */
mod_sqrt_secp224r1_rp(d0, e0, f0, a, a); /* RP (d0, e0, f0, c, s) */
mod_sqrt_secp224r1_rs(d1, e1, f1, d0, e0, f0); /* RS (d1, e1, f1, d0, e0, f0) */
for (i = 1; i <= 95; i++) {
@@ -545,12 +556,13 @@
vli_set(f0, f1, num_words_secp224r1); /* f0 <-- f1 */
mod_sqrt_secp224r1_rs(d1, e1, f1, d0, e0, f0); /* RS (d1, e1, f1, d0, e0, f0) */
if (vli_isZero(d1, num_words_secp224r1)) { /* if d1 == 0 */
- break;
+ break;
}
}
vli_modInv(f1, e0, curve_secp224r1.p, num_words_secp224r1); /* f1 <-- 1 / e0 */
vli_modMult_fast(a, d0, f1, &curve_secp224r1); /* a <-- d0 / e0 */
}
+#endif /* uECC_SUPPORT_COMPRESSED_POINT */
#if (uECC_OPTIMIZATION_LEVEL > 0)
/* Computes result = product % curve_p
@@ -744,7 +756,9 @@
BYTES_TO_WORDS_8(BC, 86, 98, 76, 55, BD, EB, B3),
BYTES_TO_WORDS_8(E7, 93, 3A, AA, D8, 35, C6, 5A) },
&double_jacobian_default,
+#if uECC_SUPPORT_COMPRESSED_POINT
&mod_sqrt_default,
+#endif
&x_side_default,
#if (uECC_OPTIMIZATION_LEVEL > 0)
&vli_mmod_fast_secp256r1
@@ -1077,7 +1091,9 @@
BYTES_TO_WORDS_8(00, 00, 00, 00, 00, 00, 00, 00),
BYTES_TO_WORDS_8(00, 00, 00, 00, 00, 00, 00, 00) },
&double_jacobian_secp256k1,
+#if uECC_SUPPORT_COMPRESSED_POINT
&mod_sqrt_default,
+#endif
&x_side_secp256k1,
#if (uECC_OPTIMIZATION_LEVEL > 0)
&vli_mmod_fast_secp256k1
diff --git a/uECC.c b/uECC.c
index 8d8ad9f..534a80e 100644
--- a/uECC.c
+++ b/uECC.c
@@ -42,7 +42,9 @@
uECC_word_t * Y1,
uECC_word_t * Z1,
uECC_Curve curve);
+#if uECC_SUPPORT_COMPRESSED_POINT
void (*mod_sqrt)(uECC_word_t *a, uECC_Curve curve);
+#endif
void (*x_side)(uECC_word_t *result, const uECC_word_t *x, uECC_Curve curve);
#if (uECC_OPTIMIZATION_LEVEL > 0)
void (*mmod_fast)(uECC_word_t *result, uECC_word_t *product);
@@ -71,6 +73,7 @@
}
}
+/* Constant-time comparison to zero - secure way to compare long integers */
/* Returns 1 if vli == 0, 0 otherwise. */
static uECC_word_t vli_isZero(const uECC_word_t *vli, wordcount_t num_words) {
uECC_word_t bits = 0;
@@ -138,6 +141,8 @@
return 0;
}
+/* Constant-time comparison function - secure way to compare long integers */
+/* Returns one if left == right, zero otherwise */
static uECC_word_t vli_equal(const uECC_word_t *left,
const uECC_word_t *right,
wordcount_t num_words) {
@@ -200,7 +205,7 @@
}
#endif /* !asm_sub */
-#if !asm_mult || !asm_square || \
+#if !asm_mult || (uECC_SQUARE_FUNC && !asm_square) || \
(uECC_SUPPORTS_secp256k1 && (uECC_OPTIMIZATION_LEVEL > 0) && \
((uECC_WORD_SIZE == 1) || (uECC_WORD_SIZE == 8)))
static void muladd(uECC_word_t a,
@@ -569,9 +574,7 @@
#include "curve-specific.inc"
/* Returns 1 if 'point' is the point at infinity, 0 otherwise. */
-static cmpresult_t EccPoint_isZero(const uECC_word_t *point, uECC_Curve curve) {
- return vli_isZero(point, curve->num_words * 2);
-}
+#define EccPoint_isZero(point, curve) vli_isZero((point), (curve)->num_words * 2)
/* Point multiplication algorithm using Montgomery's ladder with co-Z coordinates.
From http://eprint.iacr.org/2011/338.pdf
@@ -854,7 +857,7 @@
if (!generate_random_int(private, curve->num_words, curve->num_bytes * 8)) {
return 0;
}
-
+
if (EccPoint_compute_public_key(public, private, curve)) {
vli_nativeToBytes(private_key, private, curve);
vli_nativeToBytes(public_key, public, curve);
@@ -911,6 +914,7 @@
return !EccPoint_isZero(public, curve);
}
+#if uECC_SUPPORT_COMPRESSED_POINT
void uECC_compress(const uint8_t *public_key, uint8_t *compressed, uECC_Curve curve) {
wordcount_t i;
for (i = 0; i < curve->num_bytes; ++i) {
@@ -933,33 +937,38 @@
vli_nativeToBytes(public_key, point, curve);
vli_nativeToBytes(public_key + curve->num_bytes, y, curve);
}
+#endif /* uECC_SUPPORT_COMPRESSED_POINT */
-int uECC_valid_public_key(const uint8_t *public_key, uECC_Curve curve) {
+int uECC_valid_point(const uECC_word_t *point, uECC_Curve curve) {
uECC_word_t tmp1[uECC_MAX_WORDS];
uECC_word_t tmp2[uECC_MAX_WORDS];
- uECC_word_t public[uECC_MAX_WORDS * 2];
-
- vli_bytesToNative(public, public_key, curve);
- vli_bytesToNative(public + curve->num_words, public_key + curve->num_bytes, curve);
-
+
/* The point at infinity is invalid. */
- if (EccPoint_isZero(public, curve)) {
+ if (EccPoint_isZero(point, curve)) {
return 0;
}
/* x and y must be smaller than p. */
- if (vli_cmp(curve->p, public, curve->num_words) != 1 ||
- vli_cmp(curve->p, public + curve->num_words, curve->num_words) != 1) {
+ if (vli_cmp(curve->p, point, curve->num_words) != 1 ||
+ vli_cmp(curve->p, point + curve->num_words, curve->num_words) != 1) {
return 0;
}
- vli_modSquare_fast(tmp1, public + curve->num_words, curve);
- curve->x_side(tmp2, public, curve); /* tmp2 = x^3 + ax + b */
+ vli_modSquare_fast(tmp1, point + curve->num_words, curve);
+ curve->x_side(tmp2, point, curve); /* tmp2 = x^3 + ax + b */
/* Make sure that y^2 == x^3 + ax + b */
return (vli_equal(tmp1, tmp2, curve->num_words));
}
+int uECC_valid_public_key(const uint8_t *public_key, uECC_Curve curve) {
+ uECC_word_t public[uECC_MAX_WORDS * 2];
+
+ vli_bytesToNative(public, public_key, curve);
+ vli_bytesToNative(public + curve->num_words, public_key + curve->num_bytes, curve);
+ return uECC_valid_point(public, curve);
+}
+
int uECC_compute_public_key(const uint8_t *private_key, uint8_t *public_key, uECC_Curve curve) {
uECC_word_t private[uECC_MAX_WORDS];
uECC_word_t public[uECC_MAX_WORDS * 2];
@@ -1315,10 +1324,12 @@
return curve->b;
}
+#if uECC_SUPPORT_COMPRESSED_POINT
/* Calculates a = sqrt(a) (mod curve->p) */
void uECC_mod_sqrt(uECC_word_t *a, uECC_Curve curve) {
curve->mod_sqrt(a, curve);
}
+#endif
/* Calculates result = product (mod curve->p), where product is up to
2 * curve->num_words long. */
@@ -1330,6 +1341,14 @@
#endif
}
+void uECC_vli_nativeToBytes(uint8_t * dest, const uECC_word_t * src, uECC_Curve curve) {
+ vli_nativeToBytes(dest, src, curve);
+}
+
+void uECC_vli_bytesToNative(uECC_word_t * dest, const uint8_t * src, uECC_Curve curve) {
+ vli_bytesToNative(dest, src, curve);
+}
+
void uECC_vli_clear(uECC_word_t *vli, unsigned num_words) {
vli_clear(vli, num_words);
}
@@ -1432,8 +1451,8 @@
the Y coordinate in the same array, both coordinates are curve->num_words long. Note
that scalar must be curve->num_n_words long (NOT curve->num_words). */
void uECC_point_mult(uECC_word_t *result,
- uECC_word_t *point,
- uECC_word_t *scalar,
+ const uECC_word_t *point,
+ const uECC_word_t *scalar,
uECC_Curve curve) {
uECC_word_t tmp1[uECC_MAX_WORDS];
uECC_word_t tmp2[uECC_MAX_WORDS];
@@ -1444,3 +1463,25 @@
vli_numBits(curve->n, curve->num_n_words) + 1,
curve);
}
+
+/* Calculates result = product (mod curve->n), where product is up to
+ 2 * curve->num_n_words long. */
+void uECC_vli_mmod_n(uECC_word_t *result, uECC_word_t *product, uECC_Curve curve) {
+ vli_mmod(result, product, curve->n, curve->num_n_words);
+}
+
+/* Computes result = (left * right) % (curve->n). */
+void uECC_vli_modMult_n(uECC_word_t *result,
+ const uECC_word_t *left,
+ const uECC_word_t *right,
+ uECC_Curve curve) {
+ vli_modMult(result, left, right, curve->n, curve->num_n_words);
+}
+
+/* Computes result = (left * right) % (curve->p). */
+void uECC_vli_modMult_fast(uECC_word_t *result,
+ const uECC_word_t *left,
+ const uECC_word_t *right,
+ uECC_Curve curve) {
+ vli_modMult_fast(result, left, right, curve);
+}
diff --git a/uECC.h b/uECC.h
index 20d26d8..a5e97a0 100644
--- a/uECC.h
+++ b/uECC.h
@@ -49,6 +49,12 @@
#define uECC_SUPPORTS_secp256k1 1
#endif
+/* Specifies whether compressed point format is supported.
+ Set to 0 if compressed point is not supported. That saves code size. */
+#ifndef uECC_SUPPORT_COMPRESSED_POINT
+ #define uECC_SUPPORT_COMPRESSED_POINT 0
+#endif
+
struct uECC_Curve_t;
typedef const struct uECC_Curve_t * uECC_Curve;
@@ -133,6 +139,7 @@
uint8_t *secret,
uECC_Curve curve);
+#if uECC_SUPPORT_COMPRESSED_POINT
/* uECC_compress() function.
Compress a public key.
@@ -154,6 +161,7 @@
public_key - Will be filled in with the decompressed public key.
*/
void uECC_decompress(const uint8_t *compressed, uint8_t *public_key, uECC_Curve curve);
+#endif /* uECC_SUPPORT_COMPRESSED_POINT */
/* uECC_valid_public_key() function.
Check to see if a public key is valid.