ext/lib/crypto/tinycrypt/source/ecc_dsa.c - third_party/github/zephyrproject-rtos/zephyr - Git at Google

 /* ec_dsa.c - TinyCrypt implementation of EC-DSA */

 /*
  *  Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
  *
  *  Redistribution and use in source and binary forms, with or without
  *  modification, are permitted provided that the following conditions are met:
  *
  *    - Redistributions of source code must retain the above copyright notice,
  *     this list of conditions and the following disclaimer.
  *
  *    - Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  *    - Neither the name of Intel Corporation nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  *  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
  *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  *  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  *  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  *  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  *  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  *  POSSIBILITY OF SUCH DAMAGE.
  */

 #include <tinycrypt/constants.h>
 #include <tinycrypt/ecc.h>

 extern uint32_t curve_n[NUM_ECC_DIGITS];
 extern EccPoint curve_G;
 extern uint32_t curve_nb[NUM_ECC_DIGITS + 1];

 int32_t ecdsa_sign(uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS],
 		   uint32_t p_privateKey[NUM_ECC_DIGITS], uint32_t p_random[NUM_ECC_DIGITS],
 		   uint32_t p_hash[NUM_ECC_DIGITS])
 {

 	uint32_t k[NUM_ECC_DIGITS], tmp[NUM_ECC_DIGITS];
 	EccPoint p_point;
 	EccPointJacobi P;

 	if (vli_isZero(p_random)) {
 		return TC_CRYPTO_FAIL; /* The random number must not be 0. */
 	}

 	vli_set(k, p_random);

 	vli_sub(tmp, k, curve_n, NUM_ECC_DIGITS);
 	vli_cond_set(k, k, tmp, vli_cmp(curve_n, k, NUM_ECC_DIGITS) == 1);

 	/* tmp = k * G */
 	EccPoint_mult(&P, &curve_G, k);
 	EccPoint_toAffine(&p_point, &P);

 	/* r = x1 (mod n) */
 	vli_set(r, p_point.x);
 	if (vli_cmp(curve_n, r, NUM_ECC_DIGITS) != 1) {
 		vli_sub(r, r, curve_n, NUM_ECC_DIGITS);
 	}

 	if (vli_isZero(r)) {
 		return TC_CRYPTO_FAIL; /* If r == 0, fail (need a different random number). */
 	}

 	vli_modMult(s, r, p_privateKey, curve_n, curve_nb); /* s = r*d */
 	vli_modAdd(s, p_hash, s, curve_n); /* s = e + r*d */
 	vli_modInv(k, k, curve_n, curve_nb); /* k = 1 / k */
 	vli_modMult(s, s, k, curve_n, curve_nb); /* s = (e + r*d) / k */

 	return TC_CRYPTO_SUCCESS;
 }

 int32_t ecdsa_verify(EccPoint *p_publicKey, uint32_t p_hash[NUM_ECC_DIGITS],
 		     uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS])
 {

 	uint32_t u1[NUM_ECC_DIGITS], u2[NUM_ECC_DIGITS];
 	uint32_t z[NUM_ECC_DIGITS];
 	EccPointJacobi P, R;
 	EccPoint p_point;

 	if (vli_isZero(r) || vli_isZero(s)) {
 		return TC_CRYPTO_FAIL; /* r, s must not be 0. */
 	}

 	if ((vli_cmp(curve_n, r, NUM_ECC_DIGITS) != 1) ||
 	   (vli_cmp(curve_n, s, NUM_ECC_DIGITS) != 1)) {
 		return TC_CRYPTO_FAIL; /* r, s must be < n. */
 	}

 	/* Calculate u1 and u2. */
 	vli_modInv(z, s, curve_n, curve_nb); /* Z = s^-1 */
 	vli_modMult(u1, p_hash, z, curve_n, curve_nb); /* u1 = e/s */
 	vli_modMult(u2, r, z, curve_n, curve_nb); /* u2 = r/s */

 	/* calculate P = u1*G + u2*Q */
 	EccPoint_mult(&P, &curve_G, u1);
 	EccPoint_mult(&R, p_publicKey, u2);
 	EccPoint_add(&P, &R);
 	EccPoint_toAffine(&p_point, &P);

 	/* Accept only if P.x == r. */
 	vli_cond_set(
 		p_point.x,
 		p_point.x,
 		z,
 		vli_sub(z, p_point.x, curve_n, NUM_ECC_DIGITS));

 	return (vli_cmp(p_point.x, r, NUM_ECC_DIGITS) == 0);
 }
	/* ec_dsa.c - TinyCrypt implementation of EC-DSA */

	/*
	* Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
	*
	* Redistribution and use in source and binary forms, with or without
	* modification, are permitted provided that the following conditions are met:
	*
	* - Redistributions of source code must retain the above copyright notice,
	* this list of conditions and the following disclaimer.
	*
	* - Redistributions in binary form must reproduce the above copyright
	* notice, this list of conditions and the following disclaimer in the
	* documentation and/or other materials provided with the distribution.
	*
	* - Neither the name of Intel Corporation nor the names of its contributors
	* may be used to endorse or promote products derived from this software
	* without specific prior written permission.
	*
	* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
	* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
	* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
	* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	* POSSIBILITY OF SUCH DAMAGE.
	*/

	#include <tinycrypt/constants.h>
	#include <tinycrypt/ecc.h>

	extern uint32_t curve_n[NUM_ECC_DIGITS];
	extern EccPoint curve_G;
	extern uint32_t curve_nb[NUM_ECC_DIGITS + 1];

	int32_t ecdsa_sign(uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS],
	uint32_t p_privateKey[NUM_ECC_DIGITS], uint32_t p_random[NUM_ECC_DIGITS],
	uint32_t p_hash[NUM_ECC_DIGITS])
	{

	uint32_t k[NUM_ECC_DIGITS], tmp[NUM_ECC_DIGITS];
	EccPoint p_point;
	EccPointJacobi P;

	if (vli_isZero(p_random)) {
	return TC_CRYPTO_FAIL; /* The random number must not be 0. */
	}

	vli_set(k, p_random);

	vli_sub(tmp, k, curve_n, NUM_ECC_DIGITS);
	vli_cond_set(k, k, tmp, vli_cmp(curve_n, k, NUM_ECC_DIGITS) == 1);

	/* tmp = k * G */
	EccPoint_mult(&P, &curve_G, k);
	EccPoint_toAffine(&p_point, &P);

	/* r = x1 (mod n) */
	vli_set(r, p_point.x);
	if (vli_cmp(curve_n, r, NUM_ECC_DIGITS) != 1) {
	vli_sub(r, r, curve_n, NUM_ECC_DIGITS);
	}

	if (vli_isZero(r)) {
	return TC_CRYPTO_FAIL; /* If r == 0, fail (need a different random number). */
	}

	vli_modMult(s, r, p_privateKey, curve_n, curve_nb); /* s = rd /
	vli_modAdd(s, p_hash, s, curve_n); /* s = e + rd /
	vli_modInv(k, k, curve_n, curve_nb); /* k = 1 / k */
	vli_modMult(s, s, k, curve_n, curve_nb); /* s = (e + rd) / k /

	return TC_CRYPTO_SUCCESS;
	}

	int32_t ecdsa_verify(EccPoint *p_publicKey, uint32_t p_hash[NUM_ECC_DIGITS],
	uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS])
	{

	uint32_t u1[NUM_ECC_DIGITS], u2[NUM_ECC_DIGITS];
	uint32_t z[NUM_ECC_DIGITS];
	EccPointJacobi P, R;
	EccPoint p_point;

	if (vli_isZero(r) \|\| vli_isZero(s)) {
	return TC_CRYPTO_FAIL; /* r, s must not be 0. */
	}

	if ((vli_cmp(curve_n, r, NUM_ECC_DIGITS) != 1) \|\|
	(vli_cmp(curve_n, s, NUM_ECC_DIGITS) != 1)) {
	return TC_CRYPTO_FAIL; /* r, s must be < n. */
	}

	/* Calculate u1 and u2. */
	vli_modInv(z, s, curve_n, curve_nb); /* Z = s^-1 */
	vli_modMult(u1, p_hash, z, curve_n, curve_nb); /* u1 = e/s */
	vli_modMult(u2, r, z, curve_n, curve_nb); /* u2 = r/s */

	/* calculate P = u1G + u2Q */
	EccPoint_mult(&P, &curve_G, u1);
	EccPoint_mult(&R, p_publicKey, u2);
	EccPoint_add(&P, &R);
	EccPoint_toAffine(&p_point, &P);

	/* Accept only if P.x == r. */
	vli_cond_set(
	p_point.x,
	p_point.x,
	z,
	vli_sub(z, p_point.x, curve_n, NUM_ECC_DIGITS));

	return (vli_cmp(p_point.x, r, NUM_ECC_DIGITS) == 0);
	}