165 lines
5.1 KiB
Go
165 lines
5.1 KiB
Go
// Copyright 2013 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package elliptic
|
|
|
|
import (
|
|
"crypto/elliptic/internal/nistec"
|
|
"crypto/rand"
|
|
"math/big"
|
|
)
|
|
|
|
// p521Curve is a Curve implementation based on nistec.P521Point.
|
|
//
|
|
// It's a wrapper that exposes the big.Int-based Curve interface and encodes the
|
|
// legacy idiosyncrasies it requires, such as invalid and infinity point
|
|
// handling.
|
|
//
|
|
// To interact with the nistec package, points are encoded into and decoded from
|
|
// properly formatted byte slices. All big.Int use is limited to this package.
|
|
// Encoding and decoding is 1/1000th of the runtime of a scalar multiplication,
|
|
// so the overhead is acceptable.
|
|
type p521Curve struct {
|
|
params *CurveParams
|
|
}
|
|
|
|
var p521 p521Curve
|
|
var _ Curve = p521
|
|
|
|
func initP521() {
|
|
p521.params = &CurveParams{
|
|
Name: "P-521",
|
|
BitSize: 521,
|
|
// FIPS 186-4, section D.1.2.5
|
|
P: bigFromDecimal("68647976601306097149819007990813932172694353001433" +
|
|
"0540939446345918554318339765605212255964066145455497729631139148" +
|
|
"0858037121987999716643812574028291115057151"),
|
|
N: bigFromDecimal("68647976601306097149819007990813932172694353001433" +
|
|
"0540939446345918554318339765539424505774633321719753296399637136" +
|
|
"3321113864768612440380340372808892707005449"),
|
|
B: bigFromHex("0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8" +
|
|
"b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef" +
|
|
"451fd46b503f00"),
|
|
Gx: bigFromHex("00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f8" +
|
|
"28af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf9" +
|
|
"7e7e31c2e5bd66"),
|
|
Gy: bigFromHex("011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817" +
|
|
"afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088" +
|
|
"be94769fd16650"),
|
|
}
|
|
}
|
|
|
|
func (curve p521Curve) Params() *CurveParams {
|
|
return curve.params
|
|
}
|
|
|
|
func (curve p521Curve) IsOnCurve(x, y *big.Int) bool {
|
|
// IsOnCurve is documented to reject (0, 0), the conventional point at
|
|
// infinity, which however is accepted by p521PointFromAffine.
|
|
if x.Sign() == 0 && y.Sign() == 0 {
|
|
return false
|
|
}
|
|
_, ok := p521PointFromAffine(x, y)
|
|
return ok
|
|
}
|
|
|
|
func p521PointFromAffine(x, y *big.Int) (p *nistec.P521Point, ok bool) {
|
|
// (0, 0) is by convention the point at infinity, which can't be represented
|
|
// in affine coordinates. Marshal incorrectly encodes it as an uncompressed
|
|
// point, which SetBytes would correctly reject. See Issue 37294.
|
|
if x.Sign() == 0 && y.Sign() == 0 {
|
|
return nistec.NewP521Point(), true
|
|
}
|
|
if x.Sign() < 0 || y.Sign() < 0 {
|
|
return nil, false
|
|
}
|
|
if x.BitLen() > 521 || y.BitLen() > 521 {
|
|
return nil, false
|
|
}
|
|
p, err := nistec.NewP521Point().SetBytes(Marshal(P521(), x, y))
|
|
if err != nil {
|
|
return nil, false
|
|
}
|
|
return p, true
|
|
}
|
|
|
|
func p521PointToAffine(p *nistec.P521Point) (x, y *big.Int) {
|
|
out := p.Bytes()
|
|
if len(out) == 1 && out[0] == 0 {
|
|
// This is the correct encoding of the point at infinity, which
|
|
// Unmarshal does not support. See Issue 37294.
|
|
return new(big.Int), new(big.Int)
|
|
}
|
|
x, y = Unmarshal(P521(), out)
|
|
if x == nil {
|
|
panic("crypto/elliptic: internal error: Unmarshal rejected a valid point encoding")
|
|
}
|
|
return x, y
|
|
}
|
|
|
|
// p521RandomPoint returns a random point on the curve. It's used when Add,
|
|
// Double, or ScalarMult are fed a point not on the curve, which is undefined
|
|
// behavior. Originally, we used to do the math on it anyway (which allows
|
|
// invalid curve attacks) and relied on the caller and Unmarshal to avoid this
|
|
// happening in the first place. Now, we just can't construct a nistec.P521Point
|
|
// for an invalid pair of coordinates, because that API is safer. If we panic,
|
|
// we risk introducing a DoS. If we return nil, we risk a panic. If we return
|
|
// the input, ecdsa.Verify might fail open. The safest course seems to be to
|
|
// return a valid, random point, which hopefully won't help the attacker.
|
|
func p521RandomPoint() (x, y *big.Int) {
|
|
_, x, y, err := GenerateKey(P521(), rand.Reader)
|
|
if err != nil {
|
|
panic("crypto/elliptic: failed to generate random point")
|
|
}
|
|
return x, y
|
|
}
|
|
|
|
func (p521Curve) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int) {
|
|
p1, ok := p521PointFromAffine(x1, y1)
|
|
if !ok {
|
|
return p521RandomPoint()
|
|
}
|
|
p2, ok := p521PointFromAffine(x2, y2)
|
|
if !ok {
|
|
return p521RandomPoint()
|
|
}
|
|
return p521PointToAffine(p1.Add(p1, p2))
|
|
}
|
|
|
|
func (p521Curve) Double(x1, y1 *big.Int) (*big.Int, *big.Int) {
|
|
p, ok := p521PointFromAffine(x1, y1)
|
|
if !ok {
|
|
return p521RandomPoint()
|
|
}
|
|
return p521PointToAffine(p.Double(p))
|
|
}
|
|
|
|
func (p521Curve) ScalarMult(Bx, By *big.Int, scalar []byte) (*big.Int, *big.Int) {
|
|
p, ok := p521PointFromAffine(Bx, By)
|
|
if !ok {
|
|
return p521RandomPoint()
|
|
}
|
|
return p521PointToAffine(p.ScalarMult(p, scalar))
|
|
}
|
|
|
|
func (p521Curve) ScalarBaseMult(scalar []byte) (*big.Int, *big.Int) {
|
|
p := nistec.NewP521Generator()
|
|
return p521PointToAffine(p.ScalarMult(p, scalar))
|
|
}
|
|
|
|
func bigFromDecimal(s string) *big.Int {
|
|
b, ok := new(big.Int).SetString(s, 10)
|
|
if !ok {
|
|
panic("invalid encoding")
|
|
}
|
|
return b
|
|
}
|
|
|
|
func bigFromHex(s string) *big.Int {
|
|
b, ok := new(big.Int).SetString(s, 16)
|
|
if !ok {
|
|
panic("invalid encoding")
|
|
}
|
|
return b
|
|
}
|