summary refs log tree commit diff
path: root/crypto/src/math
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/src/math')
-rw-r--r--crypto/src/math/ec/rfc7748/X25519Field.cs34
-rw-r--r--crypto/src/math/ec/rfc7748/X448Field.cs34
-rw-r--r--crypto/src/math/ec/rfc8032/Ed25519.cs81
-rw-r--r--crypto/src/math/ec/rfc8032/Ed448.cs74
4 files changed, 217 insertions, 6 deletions
diff --git a/crypto/src/math/ec/rfc7748/X25519Field.cs b/crypto/src/math/ec/rfc7748/X25519Field.cs
index ffede563b..d0b835226 100644
--- a/crypto/src/math/ec/rfc7748/X25519Field.cs
+++ b/crypto/src/math/ec/rfc7748/X25519Field.cs
@@ -48,6 +48,23 @@ namespace Org.BouncyCastle.Math.EC.Rfc7748
             }
         }
 
+        public static int AreEqual(int[] x, int[] y)
+        {
+            int d = 0;
+            for (int i = 0; i < Size; ++i)
+            {
+                d |= x[i] ^ y[i];
+            }
+            d |= d >> 16;
+            d &= 0xFFFF;
+            return (d - 1) >> 31;
+        }
+
+        public static bool AreEqualVar(int[] x, int[] y)
+        {
+            return 0 != AreEqual(x, y);
+        }
+
         public static void Carry(int[] z)
         {
             int z0 = z[0], z1 = z[1], z2 = z[2], z3 = z[3], z4 = z[4];
@@ -258,6 +275,23 @@ namespace Org.BouncyCastle.Math.EC.Rfc7748
             Decode(u, 0, z);
         }
 
+        public static int IsOne(int[] x)
+        {
+            int d = x[0] ^ 1;
+            for (int i = 1; i < Size; ++i)
+            {
+                d |= x[i];
+            }
+            d |= d >> 16;
+            d &= 0xFFFF;
+            return (d - 1) >> 31;
+        }
+
+        public static bool IsOneVar(int[] x)
+        {
+            return 0 != IsOne(x);
+        }
+
         public static int IsZero(int[] x)
         {
             int d = 0;
diff --git a/crypto/src/math/ec/rfc7748/X448Field.cs b/crypto/src/math/ec/rfc7748/X448Field.cs
index ef4fd4627..6d8c60e78 100644
--- a/crypto/src/math/ec/rfc7748/X448Field.cs
+++ b/crypto/src/math/ec/rfc7748/X448Field.cs
@@ -46,6 +46,23 @@ namespace Org.BouncyCastle.Math.EC.Rfc7748
         //    }
         //}
 
+        public static int AreEqual(uint[] x, uint[] y)
+        {
+            uint d = 0;
+            for (int i = 0; i < Size; ++i)
+            {
+                d |= x[i] ^ y[i];
+            }
+            d |= d >> 16;
+            d &= 0xFFFF;
+            return ((int)d - 1) >> 31;
+        }
+
+        public static bool AreEqualVar(uint[] x, uint[] y)
+        {
+            return 0 != AreEqual(x, y);
+        }
+
         public static void Carry(uint[] z)
         {
             uint z0 = z[0], z1 = z[1], z2 = z[2], z3 = z[3], z4 = z[4], z5 = z[5], z6 = z[6], z7 = z[7];
@@ -285,6 +302,23 @@ namespace Org.BouncyCastle.Math.EC.Rfc7748
             Decode(u, 0, z);
         }
 
+        public static int IsOne(uint[] x)
+        {
+            uint d = x[0] ^ 1;
+            for (int i = 1; i < Size; ++i)
+            {
+                d |= x[i];
+            }
+            d |= d >> 16;
+            d &= 0xFFFF;
+            return ((int)d - 1) >> 31;
+        }
+
+        public static bool IsOneVar(uint[] x)
+        {
+            return 0 != IsOne(x);
+        }
+
         public static int IsZero(uint[] x)
         {
             uint d = 0;
diff --git a/crypto/src/math/ec/rfc8032/Ed25519.cs b/crypto/src/math/ec/rfc8032/Ed25519.cs
index bdbe47e50..cc351bc45 100644
--- a/crypto/src/math/ec/rfc8032/Ed25519.cs
+++ b/crypto/src/math/ec/rfc8032/Ed25519.cs
@@ -183,6 +183,13 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             return !Nat256.Gte(n, L);
         }
 
+        private static byte[] Copy(byte[] buf, int off, int len)
+        {
+            byte[] result = new byte[len];
+            Array.Copy(buf, off, result, 0, len);
+            return result;
+        }
+
         private static IDigest CreateDigest()
         {
             return new Sha512Digest();
@@ -220,7 +227,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 
         private static bool DecodePointVar(byte[] p, int pOff, bool negate, PointAffine r)
         {
-            byte[] py = Arrays.CopyOfRange(p, pOff, pOff + PointBytes);
+            byte[] py = Copy(p, pOff, PointBytes);
             if (!CheckPointVar(py))
                 return false;
 
@@ -461,8 +468,8 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             if (!CheckContextVar(ctx, phflag))
                 throw new ArgumentException("ctx");
 
-            byte[] R = Arrays.CopyOfRange(sig, sigOff, sigOff + PointBytes);
-            byte[] S = Arrays.CopyOfRange(sig, sigOff + PointBytes, sigOff + SignatureSize);
+            byte[] R = Copy(sig, sigOff, PointBytes);
+            byte[] S = Copy(sig, sigOff + PointBytes, ScalarBytes);
 
             if (!CheckPointVar(R))
                 return false;
@@ -498,6 +505,16 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             return 0 != EncodePoint(pR, check, 0) && Arrays.AreEqual(check, R);
         }
 
+        private static bool IsNeutralElementVar(int[] x, int[] y)
+        {
+            return F.IsZeroVar(x) && F.IsOneVar(y);
+        }
+
+        private static bool IsNeutralElementVar(int[] x, int[] y, int[] z)
+        {
+            return F.IsZeroVar(x) && F.AreEqualVar(y, z);
+        }
+
         private static void PointAdd(PointExt p, PointAccum r)
         {
             int[] a = F.Create();
@@ -1234,6 +1251,36 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             F.Copy(p.z, 0, z, 0);
         }
 
+        private static void ScalarMultOrder(PointAffine p, PointAccum r)
+        {
+            uint[] n = new uint[ScalarUints];
+            Nat.ShiftDownBit(ScalarUints, L, 0, n);
+            n[ScalarUints - 1] |= 1U << 28;
+
+            int[] table = PointPrecompute(p, 8);
+            PointExt q = new PointExt();
+
+            // Replace first 4 doublings (2^4 * P) with 1 addition (P + 15 * P)
+            PointCopy(p, r);
+            PointLookup(table, 7, q);
+            PointAdd(q, r);
+
+            int w = 62;
+            for (;;)
+            {
+                PointLookup(n, w, table, q);
+                PointAdd(q, r);
+
+                if (--w < 0)
+                    break;
+
+                for (int i = 0; i < 4; ++i)
+                {
+                    PointDouble(r);
+                }
+            }
+        }
+
         private static void ScalarMultStrausVar(uint[] nb, uint[] np, PointAffine p, PointAccum r)
         {
             Precompute();
@@ -1340,6 +1387,34 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             ImplSign(sk, skOff, pk, pkOff, ctx, phflag, m, 0, m.Length, sig, sigOff);
         }
 
+        public static bool ValidatePublicKeyFull(byte[] pk, int pkOff)
+        {
+            PointAffine p = new PointAffine();
+            if (!DecodePointVar(pk, pkOff, false, p))
+                return false;
+
+            F.Normalize(p.x);
+            F.Normalize(p.y);
+
+            if (IsNeutralElementVar(p.x, p.y))
+                return false;
+
+            PointAccum r = new PointAccum();
+            ScalarMultOrder(p, r);
+
+            F.Normalize(r.x);
+            F.Normalize(r.y);
+            F.Normalize(r.z);
+
+            return IsNeutralElementVar(r.x, r.y, r.z);
+        }
+
+        public static bool ValidatePublicKeyPartial(byte[] pk, int pkOff)
+        {
+            PointAffine p = new PointAffine();
+            return DecodePointVar(pk, pkOff, false, p);
+        }
+
         public static bool Verify(byte[] sig, int sigOff, byte[] pk, int pkOff, byte[] m, int mOff, int mLen)
         {
             byte[] ctx = null;
diff --git a/crypto/src/math/ec/rfc8032/Ed448.cs b/crypto/src/math/ec/rfc8032/Ed448.cs
index bbe1bb444..28ee546d1 100644
--- a/crypto/src/math/ec/rfc8032/Ed448.cs
+++ b/crypto/src/math/ec/rfc8032/Ed448.cs
@@ -173,6 +173,13 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             return !Nat.Gte(ScalarUints, n, L);
         }
 
+        private static byte[] Copy(byte[] buf, int off, int len)
+        {
+            byte[] result = new byte[len];
+            Array.Copy(buf, off, result, 0, len);
+            return result;
+        }
+
         public static IXof CreatePrehash()
         {
             return CreateXof();
@@ -217,7 +224,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 
         private static bool DecodePointVar(byte[] p, int pOff, bool negate, PointExt r)
         {
-            byte[] py = Arrays.CopyOfRange(p, pOff, pOff + PointBytes);
+            byte[] py = Copy(p, pOff, PointBytes);
             if (!CheckPointVar(py))
                 return false;
 
@@ -459,8 +466,8 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             if (!CheckContextVar(ctx))
                 throw new ArgumentException("ctx");
 
-            byte[] R = Arrays.CopyOfRange(sig, sigOff, sigOff + PointBytes);
-            byte[] S = Arrays.CopyOfRange(sig, sigOff + PointBytes, sigOff + SignatureSize);
+            byte[] R = Copy(sig, sigOff, PointBytes);
+            byte[] S = Copy(sig, sigOff + PointBytes, ScalarBytes);
 
             if (!CheckPointVar(R))
                 return false;
@@ -496,6 +503,16 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             return 0 != EncodePoint(pR, check, 0) && Arrays.AreEqual(check, R);
         }
 
+        private static bool IsNeutralElementVar(uint[] x, uint[] y)
+        {
+            return F.IsZeroVar(x) && F.IsOneVar(y);
+        }
+
+        private static bool IsNeutralElementVar(uint[] x, uint[] y, uint[] z)
+        {
+            return F.IsZeroVar(x) && F.AreEqualVar(y, z);
+        }
+
         private static void PointAdd(PointExt p, PointExt r)
         {
             uint[] a = F.Create();
@@ -1255,6 +1272,28 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             F.Copy(p.y, 0, y, 0);
         }
 
+        private static void ScalarMultOrder(PointExt p, PointExt r)
+        {
+            uint[] n = new uint[ScalarUints];
+            Nat.ShiftDownBit(ScalarUints, L, 1, n);
+
+            uint[] table = PointPrecompute(p, 8);
+            PointExt q = new PointExt();
+
+            PointLookup(n, 111, table, r);
+
+            for (int w = 110; w >= 0; --w)
+            {
+                for (int i = 0; i < 4; ++i)
+                {
+                    PointDouble(r);
+                }
+
+                PointLookup(n, w, table, q);
+                PointAdd(q, r);
+            }
+        }
+
         private static void ScalarMultStrausVar(uint[] nb, uint[] np, PointExt p, PointExt r)
         {
             Precompute();
@@ -1345,6 +1384,35 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             ImplSign(sk, skOff, pk, pkOff, ctx, phflag, m, 0, m.Length, sig, sigOff);
         }
 
+        public static bool ValidatePublicKeyFull(byte[] pk, int pkOff)
+        {
+            PointExt p = new PointExt();
+            if (!DecodePointVar(pk, pkOff, false, p))
+                return false;
+
+            F.Normalize(p.x);
+            F.Normalize(p.y);
+            F.Normalize(p.z);
+
+            if (IsNeutralElementVar(p.x, p.y, p.z))
+                return false;
+
+            PointExt r = new PointExt();
+            ScalarMultOrder(p, r);
+
+            F.Normalize(r.x);
+            F.Normalize(r.y);
+            F.Normalize(r.z);
+
+            return IsNeutralElementVar(r.x, r.y, r.z);
+        }
+
+        public static bool ValidatePublicKeyPartial(byte[] pk, int pkOff)
+        {
+            PointExt p = new PointExt();
+            return DecodePointVar(pk, pkOff, false, p);
+        }
+
         public static bool Verify(byte[] sig, int sigOff, byte[] pk, int pkOff, byte[] ctx, byte[] m, int mOff, int mLen)
         {
             byte phflag = 0x00;
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-11-10 09:46:48 +0000