donna.cpp

Go to the documentation of this file.

/*
* Based on curve25519-donna-c64.c from https://github.com/agl/curve25519-donna
* revision 80ad9b9930c9baef5829dd2a235b6b7646d32a8e
*
* Further changes
* (C) 2014,2018 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
 
/* Copyright 2008, Google Inc.
* All rights reserved.
*
* Code released into the public domain.
*
* curve25519-donna: Curve25519 elliptic curve, public key function
*
* https://code.google.com/p/curve25519-donna/
*
* Adam Langley <agl@imperialviolet.org>
*
* Derived from public domain C code by Daniel J. Bernstein <djb@cr.yp.to>
*
* More information about curve25519 can be found here
*   https://cr.yp.to/ecdh.html
*
* djb's sample implementation of curve25519 is written in a special assembly
* language called qhasm and uses the floating point registers.
*
* This is, almost, a clean room reimplementation from the curve25519 paper. It
* uses many of the tricks described therein. Only the crecip function is taken
* from the sample implementation.
*/
 
#include <botan/x25519.h>
 
#include <botan/internal/ct_utils.h>
#include <botan/internal/donna128.h>
#include <botan/internal/loadstor.h>
#include <botan/internal/mul128.h>
 
namespace Botan {
 
namespace {
 
#if !defined(BOTAN_TARGET_HAS_NATIVE_UINT128)
typedef donna128 uint128_t;
#endif
 
/* Sum two numbers: output += in */
inline void fsum(uint64_t out[5], const uint64_t in[5]) {
   out[0] += in[0];
   out[1] += in[1];
   out[2] += in[2];
   out[3] += in[3];
   out[4] += in[4];
}
 
/* Find the difference of two numbers: out = in - out
* (note the order of the arguments!)
*
* Assumes that out[i] < 2**52
* On return, out[i] < 2**55
*/
inline void fdifference_backwards(uint64_t out[5], const uint64_t in[5]) {
   /* 152 is 19 << 3 */
   const uint64_t two54m152 = (static_cast<uint64_t>(1) << 54) - 152;
   const uint64_t two54m8 = (static_cast<uint64_t>(1) << 54) - 8;
 
   out[0] = in[0] + two54m152 - out[0];
   out[1] = in[1] + two54m8 - out[1];
   out[2] = in[2] + two54m8 - out[2];
   out[3] = in[3] + two54m8 - out[3];
   out[4] = in[4] + two54m8 - out[4];
}
 
inline void fadd_sub(uint64_t x[5], uint64_t y[5]) {
   // TODO merge these and avoid the tmp array
   uint64_t tmp[5];
   copy_mem(tmp, y, 5);
   fsum(y, x);
   fdifference_backwards(x, tmp);  // does x - z
}
 
const uint64_t MASK_63 = 0x7ffffffffffff;
 
/* Multiply a number by a scalar: out = in * scalar */
inline void fscalar_product(uint64_t out[5], const uint64_t in[5], const uint64_t scalar) {
   uint128_t a = uint128_t(in[0]) * scalar;
   out[0] = a & MASK_63;
 
   a = uint128_t(in[1]) * scalar + carry_shift(a, 51);
   out[1] = a & MASK_63;
 
   a = uint128_t(in[2]) * scalar + carry_shift(a, 51);
   out[2] = a & MASK_63;
 
   a = uint128_t(in[3]) * scalar + carry_shift(a, 51);
   out[3] = a & MASK_63;
 
   a = uint128_t(in[4]) * scalar + carry_shift(a, 51);
   out[4] = a & MASK_63;
 
   out[0] += carry_shift(a, 51) * 19;
}
 
/* Multiply two numbers: out = in2 * in
*
* out must be distinct to both inputs. The inputs are reduced coefficient
* form, the output is not.
*
* Assumes that in[i] < 2**55 and likewise for in2.
* On return, out[i] < 2**52
*/
inline void fmul(uint64_t out[5], const uint64_t in[5], const uint64_t in2[5]) {
   const uint128_t s0 = in2[0];
   const uint128_t s1 = in2[1];
   const uint128_t s2 = in2[2];
   const uint128_t s3 = in2[3];
   const uint128_t s4 = in2[4];
 
   uint64_t r0 = in[0];
   uint64_t r1 = in[1];
   uint64_t r2 = in[2];
   uint64_t r3 = in[3];
   uint64_t r4 = in[4];
 
   uint128_t t0 = r0 * s0;
   uint128_t t1 = r0 * s1 + r1 * s0;
   uint128_t t2 = r0 * s2 + r2 * s0 + r1 * s1;
   uint128_t t3 = r0 * s3 + r3 * s0 + r1 * s2 + r2 * s1;
   uint128_t t4 = r0 * s4 + r4 * s0 + r3 * s1 + r1 * s3 + r2 * s2;
 
   r4 *= 19;
   r1 *= 19;
   r2 *= 19;
   r3 *= 19;
 
   t0 += r4 * s1 + r1 * s4 + r2 * s3 + r3 * s2;
   t1 += r4 * s2 + r2 * s4 + r3 * s3;
   t2 += r4 * s3 + r3 * s4;
   t3 += r4 * s4;
 
   r0 = t0 & MASK_63;
   t1 += carry_shift(t0, 51);
   r1 = t1 & MASK_63;
   t2 += carry_shift(t1, 51);
   r2 = t2 & MASK_63;
   t3 += carry_shift(t2, 51);
   r3 = t3 & MASK_63;
   t4 += carry_shift(t3, 51);
   r4 = t4 & MASK_63;
   uint64_t c = carry_shift(t4, 51);
 
   r0 += c * 19;
   c = r0 >> 51;
   r0 = r0 & MASK_63;
   r1 += c;
   c = r1 >> 51;
   r1 = r1 & MASK_63;
   r2 += c;
 
   out[0] = r0;
   out[1] = r1;
   out[2] = r2;
   out[3] = r3;
   out[4] = r4;
}
 
inline void fsquare(uint64_t out[5], const uint64_t in[5], size_t count = 1) {
   uint64_t r0 = in[0];
   uint64_t r1 = in[1];
   uint64_t r2 = in[2];
   uint64_t r3 = in[3];
   uint64_t r4 = in[4];
 
   for(size_t i = 0; i != count; ++i) {
      const uint64_t d0 = r0 * 2;
      const uint64_t d1 = r1 * 2;
      const uint64_t d2 = r2 * 2 * 19;
      const uint64_t d419 = r4 * 19;
      const uint64_t d4 = d419 * 2;
 
      uint128_t t0 = uint128_t(r0) * r0 + uint128_t(d4) * r1 + uint128_t(d2) * (r3);
      uint128_t t1 = uint128_t(d0) * r1 + uint128_t(d4) * r2 + uint128_t(r3) * (r3 * 19);
      uint128_t t2 = uint128_t(d0) * r2 + uint128_t(r1) * r1 + uint128_t(d4) * (r3);
      uint128_t t3 = uint128_t(d0) * r3 + uint128_t(d1) * r2 + uint128_t(r4) * (d419);
      uint128_t t4 = uint128_t(d0) * r4 + uint128_t(d1) * r3 + uint128_t(r2) * (r2);
 
      r0 = t0 & MASK_63;
      t1 += carry_shift(t0, 51);
      r1 = t1 & MASK_63;
      t2 += carry_shift(t1, 51);
      r2 = t2 & MASK_63;
      t3 += carry_shift(t2, 51);
      r3 = t3 & MASK_63;
      t4 += carry_shift(t3, 51);
      r4 = t4 & MASK_63;
      uint64_t c = carry_shift(t4, 51);
 
      r0 += c * 19;
      c = r0 >> 51;
      r0 = r0 & MASK_63;
      r1 += c;
      c = r1 >> 51;
      r1 = r1 & MASK_63;
      r2 += c;
   }
 
   out[0] = r0;
   out[1] = r1;
   out[2] = r2;
   out[3] = r3;
   out[4] = r4;
}
 
/* Take a little-endian, 32-byte number and expand it into polynomial form */
inline void fexpand(uint64_t* out, const uint8_t* in) {
   out[0] = load_le<uint64_t>(in, 0) & MASK_63;
   out[1] = (load_le<uint64_t>(in + 6, 0) >> 3) & MASK_63;
   out[2] = (load_le<uint64_t>(in + 12, 0) >> 6) & MASK_63;
   out[3] = (load_le<uint64_t>(in + 19, 0) >> 1) & MASK_63;
   out[4] = (load_le<uint64_t>(in + 24, 0) >> 12) & MASK_63;
}
 
/* Take a fully reduced polynomial form number and contract it into a
* little-endian, 32-byte array
*/
inline void fcontract(uint8_t* out, const uint64_t input[5]) {
   uint128_t t0 = input[0];
   uint128_t t1 = input[1];
   uint128_t t2 = input[2];
   uint128_t t3 = input[3];
   uint128_t t4 = input[4];
 
   for(size_t i = 0; i != 2; ++i) {
      t1 += t0 >> 51;
      t0 &= MASK_63;
      t2 += t1 >> 51;
      t1 &= MASK_63;
      t3 += t2 >> 51;
      t2 &= MASK_63;
      t4 += t3 >> 51;
      t3 &= MASK_63;
      t0 += (t4 >> 51) * 19;
      t4 &= MASK_63;
   }
 
   /* now t is between 0 and 2^255-1, properly carried. */
   /* case 1: between 0 and 2^255-20. case 2: between 2^255-19 and 2^255-1. */
 
   t0 += 19;
 
   t1 += t0 >> 51;
   t0 &= MASK_63;
   t2 += t1 >> 51;
   t1 &= MASK_63;
   t3 += t2 >> 51;
   t2 &= MASK_63;
   t4 += t3 >> 51;
   t3 &= MASK_63;
   t0 += (t4 >> 51) * 19;
   t4 &= MASK_63;
 
   /* now between 19 and 2^255-1 in both cases, and offset by 19. */
 
   t0 += 0x8000000000000 - 19;
   t1 += 0x8000000000000 - 1;
   t2 += 0x8000000000000 - 1;
   t3 += 0x8000000000000 - 1;
   t4 += 0x8000000000000 - 1;
 
   /* now between 2^255 and 2^256-20, and offset by 2^255. */
 
   t1 += t0 >> 51;
   t0 &= MASK_63;
   t2 += t1 >> 51;
   t1 &= MASK_63;
   t3 += t2 >> 51;
   t2 &= MASK_63;
   t4 += t3 >> 51;
   t3 &= MASK_63;
   t4 &= MASK_63;
 
   store_le(out,
            combine_lower(t0, 0, t1, 51),
            combine_lower(t1, 13, t2, 38),
            combine_lower(t2, 26, t3, 25),
            combine_lower(t3, 39, t4, 12));
}
 
/* Input: Q, Q', Q-Q'
* Out: 2Q, Q+Q'
*
*   result.two_q (2*Q): long form
*   result.q_plus_q_dash (Q + Q): long form
*   in_q: short form, destroyed
*   in_q_dash: short form, destroyed
*   in_q_minus_q_dash: short form, preserved
*/
void fmonty(uint64_t result_two_q_x[5],
            uint64_t result_two_q_z[5],
            uint64_t result_q_plus_q_dash_x[5],
            uint64_t result_q_plus_q_dash_z[5],
            uint64_t in_q_x[5],
            uint64_t in_q_z[5],
            uint64_t in_q_dash_x[5],
            uint64_t in_q_dash_z[5],
            const uint64_t q_minus_q_dash[5]) {
   uint64_t zzz[5];
   uint64_t xx[5];
   uint64_t zz[5];
   uint64_t xxprime[5];
   uint64_t zzprime[5];
   uint64_t zzzprime[5];
 
   fadd_sub(in_q_z, in_q_x);
   fadd_sub(in_q_dash_z, in_q_dash_x);
 
   fmul(xxprime, in_q_dash_x, in_q_z);
   fmul(zzprime, in_q_dash_z, in_q_x);
 
   fadd_sub(zzprime, xxprime);
 
   fsquare(result_q_plus_q_dash_x, xxprime);
   fsquare(zzzprime, zzprime);
   fmul(result_q_plus_q_dash_z, zzzprime, q_minus_q_dash);
 
   fsquare(xx, in_q_x);
   fsquare(zz, in_q_z);
   fmul(result_two_q_x, xx, zz);
 
   fdifference_backwards(zz, xx);  // does zz = xx - zz
   fscalar_product(zzz, zz, 121665);
   fsum(zzz, xx);
 
   fmul(result_two_q_z, zz, zzz);
}
 
/*
* Maybe swap the contents of two uint64_t arrays (@a and @b),
* Param @iswap is assumed to be either 0 or 1
*
* This function performs the swap without leaking any side-channel
* information.
*/
inline void swap_conditional(uint64_t a[5], uint64_t b[5], uint64_t c[5], uint64_t d[5], CT::Mask<uint64_t> swap) {
   for(size_t i = 0; i < 5; ++i) {
      const uint64_t x0 = swap.if_set_return(a[i] ^ b[i]);
      a[i] ^= x0;
      b[i] ^= x0;
 
      const uint64_t x1 = swap.if_set_return(c[i] ^ d[i]);
      c[i] ^= x1;
      d[i] ^= x1;
   }
}
 
/* Calculates nQ where Q is the x-coordinate of a point on the curve
*
*   resultx/resultz: the x/z coordinate of the resulting curve point (short form)
*   n: a little endian, 32-byte number
*   q: a point of the curve (short form)
*/
void cmult(uint64_t resultx[5], uint64_t resultz[5], const uint8_t n[32], const uint64_t q[5]) {
   uint64_t a[5] = {0};  // nqpqx
   uint64_t b[5] = {1};  // npqpz
   uint64_t c[5] = {1};  // nqx
   uint64_t d[5] = {0};  // nqz
   uint64_t e[5] = {0};  // npqqx2
   uint64_t f[5] = {1};  // npqqz2
   uint64_t g[5] = {0};  // nqx2
   uint64_t h[5] = {1};  // nqz2
 
   copy_mem(a, q, 5);
 
   for(size_t i = 0; i < 32; ++i) {
      const uint64_t si = n[31 - i];
      const auto bit0 = CT::Mask<uint64_t>::expand_bit(si, 7);
      const auto bit1 = CT::Mask<uint64_t>::expand_bit(si, 6);
      const auto bit2 = CT::Mask<uint64_t>::expand_bit(si, 5);
      const auto bit3 = CT::Mask<uint64_t>::expand_bit(si, 4);
      const auto bit4 = CT::Mask<uint64_t>::expand_bit(si, 3);
      const auto bit5 = CT::Mask<uint64_t>::expand_bit(si, 2);
      const auto bit6 = CT::Mask<uint64_t>::expand_bit(si, 1);
      const auto bit7 = CT::Mask<uint64_t>::expand_bit(si, 0);
 
      swap_conditional(c, a, d, b, bit0);
      fmonty(g, h, e, f, c, d, a, b, q);
 
      swap_conditional(g, e, h, f, bit0 ^ bit1);
      fmonty(c, d, a, b, g, h, e, f, q);
 
      swap_conditional(c, a, d, b, bit1 ^ bit2);
      fmonty(g, h, e, f, c, d, a, b, q);
 
      swap_conditional(g, e, h, f, bit2 ^ bit3);
      fmonty(c, d, a, b, g, h, e, f, q);
 
      swap_conditional(c, a, d, b, bit3 ^ bit4);
      fmonty(g, h, e, f, c, d, a, b, q);
 
      swap_conditional(g, e, h, f, bit4 ^ bit5);
      fmonty(c, d, a, b, g, h, e, f, q);
 
      swap_conditional(c, a, d, b, bit5 ^ bit6);
      fmonty(g, h, e, f, c, d, a, b, q);
 
      swap_conditional(g, e, h, f, bit6 ^ bit7);
      fmonty(c, d, a, b, g, h, e, f, q);
 
      swap_conditional(c, a, d, b, bit7);
   }
 
   copy_mem(resultx, c, 5);
   copy_mem(resultz, d, 5);
}
 
// -----------------------------------------------------------------------------
// Shamelessly copied from djb's code, tightened a little
// -----------------------------------------------------------------------------
void crecip(uint64_t out[5], const uint64_t z[5]) {
   uint64_t a[5];
   uint64_t b[5];
   uint64_t c[5];
   uint64_t t0[5];
 
   fsquare(a, z);        // 2
   fsquare(t0, a, 2);    // 8
   fmul(b, t0, z);       // 9
   fmul(a, b, a);        // 11
   fsquare(t0, a);       // 22
   fmul(b, t0, b);       // 2^5 - 2^0 = 31
   fsquare(t0, b, 5);    // 2^10 - 2^5
   fmul(b, t0, b);       // 2^10 - 2^0
   fsquare(t0, b, 10);   // 2^20 - 2^10
   fmul(c, t0, b);       // 2^20 - 2^0
   fsquare(t0, c, 20);   // 2^40 - 2^20
   fmul(t0, t0, c);      // 2^40 - 2^0
   fsquare(t0, t0, 10);  // 2^50 - 2^10
   fmul(b, t0, b);       // 2^50 - 2^0
   fsquare(t0, b, 50);   // 2^100 - 2^50
   fmul(c, t0, b);       // 2^100 - 2^0
   fsquare(t0, c, 100);  // 2^200 - 2^100
   fmul(t0, t0, c);      // 2^200 - 2^0
   fsquare(t0, t0, 50);  // 2^250 - 2^50
   fmul(t0, t0, b);      // 2^250 - 2^0
   fsquare(t0, t0, 5);   // 2^255 - 2^5
   fmul(out, t0, a);     // 2^255 - 21
}
 
}  // namespace
 
void curve25519_donna(uint8_t mypublic[32], const uint8_t secret[32], const uint8_t basepoint[32]) {
   CT::poison(secret, 32);
   CT::poison(basepoint, 32);
 
   uint64_t bp[5], x[5], z[5], zmone[5];
   uint8_t e[32];
 
   copy_mem(e, secret, 32);
   e[0] &= 248;
   e[31] &= 127;
   e[31] |= 64;
 
   fexpand(bp, basepoint);
   cmult(x, z, e, bp);
   crecip(zmone, z);
   fmul(z, x, zmone);
   fcontract(mypublic, z);
 
   CT::unpoison(secret, 32);
   CT::unpoison(basepoint, 32);
   CT::unpoison(mypublic, 32);
}
 
}  // namespace Botan