1 /*
2 * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.ec;
27
28 import sun.security.util.math.IntegerFieldModuloP;
29 import sun.security.util.math.IntegerModuloP;
30 import sun.security.util.math.IntegerModuloP_Base;
31 import sun.security.util.math.MutableIntegerModuloP;
32 import sun.security.util.math.SmallValue;
33 import sun.security.util.math.intpoly.IntegerPolynomial25519;
34 import sun.security.util.math.intpoly.IntegerPolynomial448;
35
36 import java.math.BigInteger;
37 import java.security.ProviderException;
38 import java.security.SecureRandom;
39
40 public class XECOperations {
41
42 private final XECParameters params;
43 private final IntegerFieldModuloP field;
44 private final IntegerModuloP zero;
45 private final IntegerModuloP one;
46 private final SmallValue a24;
47 private final IntegerModuloP basePoint;
48
49 public XECOperations(XECParameters c) {
50 this.params = c;
51
52 BigInteger p = params.getP();
53 this.field = getIntegerFieldModulo(p);
54 this.zero = field.getElement(BigInteger.ZERO).fixed();
55 this.one = field.get1().fixed();
56 this.a24 = field.getSmallValue(params.getA24());
57 this.basePoint = field.getElement(
58 BigInteger.valueOf(c.getBasePoint()));
59 }
60
61 public XECParameters getParameters() {
62 return params;
63 }
64
65 public byte[] generatePrivate(SecureRandom random) {
66 byte[] result = new byte[this.params.getBytes()];
67 random.nextBytes(result);
68 return result;
69 }
70
71 /**
72 * Compute a public key from an encoded private key. This method will
73 * modify the supplied array in order to prune it.
74 */
75 public BigInteger computePublic(byte[] k) {
76 pruneK(k);
77 return pointMultiply(k, this.basePoint).asBigInteger();
78 }
79
80 /**
81 *
82 * Multiply an encoded scalar with a point as a BigInteger and return an
83 * encoded point. The array k holding the scalar will be pruned by
84 * modifying it in place.
85 *
86 * @param k an encoded scalar
87 * @param u the u-coordinate of a point as a BigInteger
88 * @return the encoded product
89 */
90 public byte[] encodedPointMultiply(byte[] k, BigInteger u) {
91 pruneK(k);
92 IntegerModuloP elemU = field.getElement(u);
93 return pointMultiply(k, elemU).asByteArray(params.getBytes());
94 }
95
96 /**
97 *
98 * Multiply an encoded scalar with an encoded point and return an encoded
99 * point. The array k holding the scalar will be pruned by
100 * modifying it in place.
101 *
102 * @param k an encoded scalar
103 * @param u an encoded point
104 * @return the encoded product
105 */
106 public byte[] encodedPointMultiply(byte[] k, byte[] u) {
107 pruneK(k);
108 IntegerModuloP elemU = decodeU(u);
109 return pointMultiply(k, elemU).asByteArray(params.getBytes());
110 }
111
112 /**
113 * Return the field element corresponding to an encoded u-coordinate.
114 * This method prunes u by modifying it in place.
115 *
116 * @param u
117 * @param bits
118 * @return
119 */
120 private IntegerModuloP decodeU(byte[] u, int bits) {
121
122 maskHighOrder(u, bits);
123
124 return field.getElement(u);
125 }
126
127 /**
128 * Mask off the high order bits of an encoded integer in an array. The
129 * array is modified in place.
130 *
131 * @param arr an array containing an encoded integer
132 * @param bits the number of bits to keep
133 * @return the number, in range [1,8], of bits kept in the highest byte
134 */
135 private static byte maskHighOrder(byte[] arr, int bits) {
136
137 int lastByteIndex = arr.length - 1;
138 byte bitsMod8 = (byte) (bits % 8);
139 byte highBits = bitsMod8 == 0 ? 8 : bitsMod8;
140 byte msbMaskOff = (byte) ((1 << highBits) - 1);
141 arr[lastByteIndex] &= msbMaskOff;
142
143 return highBits;
144 }
145
146 /**
147 * Prune an encoded scalar value by modifying it in place. The extra
148 * high-order bits are masked off, the highest valid bit it set, and the
149 * number is rounded down to a multiple of the cofactor.
150 *
151 * @param k an encoded scalar value
152 * @param bits the number of bits in the scalar
153 * @param logCofactor the base-2 logarithm of the cofactor
154 */
155 private static void pruneK(byte[] k, int bits, int logCofactor) {
156
157 int lastByteIndex = k.length - 1;
158
159 // mask off unused high-order bits
160 byte highBits = maskHighOrder(k, bits);
161
162 // set the highest bit
163 byte msbMaskOn = (byte) (1 << (highBits - 1));
164 k[lastByteIndex] |= msbMaskOn;
165
166 // round down to a multiple of the cofactor
167 byte lsbMaskOff = (byte) (0xFF << logCofactor);
168 k[0] &= lsbMaskOff;
169 }
170
171 private void pruneK(byte[] k) {
172 pruneK(k, params.getBits(), params.getLogCofactor());
173 }
174
175 private IntegerModuloP decodeU(byte [] u) {
176 return decodeU(u, params.getBits());
177 }
178
179 // Constant-time conditional swap
180 private static void cswap(int swap, MutableIntegerModuloP x1,
181 MutableIntegerModuloP x2) {
182
183 x1.conditionalSwapWith(x2, swap);
184 }
185
186 private static IntegerFieldModuloP getIntegerFieldModulo(BigInteger p) {
187
188 if (p.equals(IntegerPolynomial25519.MODULUS)) {
189 return new IntegerPolynomial25519();
190 }
191 else if (p.equals(IntegerPolynomial448.MODULUS)) {
192 return new IntegerPolynomial448();
193 }
194
195 throw new ProviderException("Unsupported prime: " + p.toString());
196 }
197
198 private int bitAt(byte[] arr, int index) {
199 int byteIndex = index / 8;
200 int bitIndex = index % 8;
201 return (arr[byteIndex] & (1 << bitIndex)) >> bitIndex;
202 }
203
204 /*
205 * Constant-time Montgomery ladder that computes k*u and returns the
206 * result as a field element.
207 */
208 private IntegerModuloP_Base pointMultiply(byte[] k, IntegerModuloP u) {
209
210 IntegerModuloP x_1 = u;
211 MutableIntegerModuloP x_2 = this.one.mutable();
212 MutableIntegerModuloP z_2 = this.zero.mutable();
213 MutableIntegerModuloP x_3 = u.mutable();
214 MutableIntegerModuloP z_3 = this.one.mutable();
215 int swap = 0;
216
217 // Variables below are reused to avoid unnecessary allocation
218 // They will be assigned in the loop, so initial value doesn't matter
219 MutableIntegerModuloP m1 = this.zero.mutable();
220 MutableIntegerModuloP DA = this.zero.mutable();
221 MutableIntegerModuloP E = this.zero.mutable();
222 MutableIntegerModuloP a24_times_E = this.zero.mutable();
223
224 // Comments describe the equivalent operations from RFC 7748
225 // In comments, A(m1) means the variable m1 holds the value A
226 for (int t = params.getBits() - 1; t >= 0; t--) {
227 int k_t = bitAt(k, t);
228 swap = swap ^ k_t;
229 cswap(swap, x_2, x_3);
230 cswap(swap, z_2, z_3);
231 swap = k_t;
232
233 // A(m1) = x_2 + z_2
234 m1.setValue(x_2).setSum(z_2);
235 // D = x_3 - z_3
236 // DA = D * A(m1)
237 DA.setValue(x_3).setDifference(z_3).setProduct(m1);
238 // AA(m1) = A(m1)^2
239 m1.setSquare();
240 // B(x_2) = x_2 - z_2
241 x_2.setDifference(z_2);
242 // C = x_3 + z_3
243 // CB(x_3) = C * B(x_2)
244 x_3.setSum(z_3).setProduct(x_2);
245 // BB(x_2) = B^2
246 x_2.setSquare();
247 // E = AA(m1) - BB(x_2)
248 E.setValue(m1).setDifference(x_2);
249 // compute a24 * E using SmallValue
250 a24_times_E.setValue(E);
251 a24_times_E.setProduct(this.a24);
252
253 // assign results to x_3, z_3, x_2, z_2
254 // x_2 = AA(m1) * BB
255 x_2.setProduct(m1);
256 // z_2 = E * (AA(m1) + a24 * E)
257 z_2.setValue(m1).setSum(a24_times_E).setProduct(E);
258 // z_3 = x_1*(DA - CB(x_3))^2
259 z_3.setValue(DA).setDifference(x_3).setSquare().setProduct(x_1);
260 // x_3 = (CB(x_3) + DA)^2
261 x_3.setSum(DA).setSquare();
262 }
263
264 cswap(swap, x_2, x_3);
265 cswap(swap, z_2, z_3);
266
267 // return (x_2 * z_2^(p - 2))
268 return x_2.setProduct(z_2.multiplicativeInverse());
269 }
270 }