Elliptic curve implementation (WIP)

Author: tuokri

Classes/FCryptoEC_Prime.uc

@@ -82,6 +82,11 @@ struct Jacobian
     var _Monty C[3];
 };
 
+// TODO: not needed?
+// const SIZEOF_JACOBIAN = 222;
+
+var const Jacobian ZERO_JACOBIAN;
+
 /*
  * We use a custom interpreter that uses a dozen registers, and
  * only six operations:
@@ -511,6 +516,7 @@ static final function SetOne(
 
     PLen = (P[0] + 31) >>> 4;
     // memset(x, 0, plen * sizeof *x);
+    class'FCryptoMemory'.static.MemSet_UInt16_Static37(X, 0, PLen * SIZEOF_UINT16_T);
     X[0] = P[0];
     X[1] = 0x0001;
 }
@@ -521,6 +527,9 @@ static final function PointZero(
 )
 {
     // memset(P, 0, sizeof *P);
+    // `ZERO_JACOBIAN(P); <-- this is much slower than assignment.
+    P = default.ZERO_JACOBIAN;
+
     P.C[0].X[0] = Cc.P[0];
     P.C[1].X[0] = Cc.P[0];
     P.C[2].X[0] = Cc.P[0];
@@ -554,6 +563,7 @@ static final function PointMul(
     local int K;
     local int Bits;
     local int Bnz;
+    local int XOffset;
     local Jacobian P2;
     local Jacobian P3;
     local Jacobian Q;
@@ -582,22 +592,97 @@ static final function PointMul(
 
     PointZero(Q, Cc);
     Qz = 1;
+    XOffset = 0;
     while (XLen-- > 0)
     {
         for (K = 6; K >= 0; K -= 2)
         {
             PointDouble(Q, Cc);
             PointDouble(Q, Cc);
             // memcpy(&T, P, sizeof T);
-			// memcpy(&U, &Q, sizeof U);
+            // memcpy(&U, &Q, sizeof U);
             // TODO: offset parameter needed for X?
-            Bits = (X[0] >>> K) & 3;
+            Bits = (X[XOffset] >>> K) & 3;
             Bnz = class'FCryptoBigInt'.static.NEQ(Bits, 0);
             // TODO:
             // class'FCryptoBigInt'.static.CCOPY(class'FCryptoBigInt'.static.EQ(Bits, 2), T, P2, 0 /* sizeof T */);
             // class'FCryptoBigInt'.static.CCOPY(class'FCryptoBigInt'.static.EQ(Bits, 3), T, P3, 0 /* sizeof T */);
+            PointAdd(U, T, Cc);
+            // CCOPY(bnz & qz, &Q, &T, sizeof Q);
+            // CCOPY(bnz & ~qz, &Q, &U, sizeof Q);
+            Qz = Qz & (~Bnz);
         }
+        ++XOffset;
     }
+    // memcpy(P, &Q, sizeof Q);
+}
+
+static final function int PointDecode(
+    out Jacobian P,
+    const out array<byte> Src,
+    int Len,
+    const out CurveParams Cc
+)
+{
+    local int PLen;
+    local int ZLen;
+    local int R;
+    local Jacobian Q;
+
+    /*
+     * Points must use uncompressed format:
+     * -- first byte is 0x04;
+     * -- coordinates X and Y use unsigned big-endian, with the same
+     *    length as the field modulus.
+     *
+     * We don't support hybrid format (uncompressed, but first byte
+     * has value 0x06 or 0x07, depending on the least significant bit
+     * of Y) because it is rather useless, and explicitly forbidden
+     * by PKIX (RFC 5480, section 2.2).
+     *
+     * We don't support compressed format either, because it is not
+     * much used in practice (there are or were patent-related
+     * concerns about point compression, which explains the lack of
+     * generalised support). Also, point compression support would
+     * need a bit more code.
+     */
+
+    PointZero(P, Cc);
+    PLen = (CC.P[0] - (CC.P[0] >>> 4) + 7) >>> 3;
+    if (Len != 1 + (PLen << 1))
+    {
+        return 0;
+    }
+    // R = class'FCryptoBigInt'.static.DecodeMod(P.C[0], Buf + 1, PLen, CC.P);
+    // R = R & class'FCryptoBigInt'.static.DecodeMod(P.C[0], Buf + 1 + PLen, PLen, Cc.P);
+
+    /*
+     * Check first byte.
+     */
+    R = R & class'FCryptoBigInt'.static.EQ(Src[0], 0x04);
+
+    /*
+     * Convert coordinates and check that the point is valid.
+     */
+    // ZLen = ((Cc.P[0] + 31) >>> 4) * SIZEOF_UINT16_T;
+    // memcpy(Q.c[0], cc->R2, zlen);
+	// memcpy(Q.c[1], cc->b, zlen);
+	// SetOne(Q.C[2], Cc.P); TODO: need another variant for this.
+	R = R & ~RunCode(P, Q, Cc, default.CodeCheck);
+    return R;
+}
+
+/*
+ * Encode a point. This method assumes that the point is correct and is
+ * not the point at infinity. Encoded size is always 1+2*plen, where
+ * plen is the field modulus length, in bytes.
+ */
+static final function PointEncode(
+    out array<byte> Dst,
+    const out Jacobian P,
+    const out CurveParams Cc
+)
+{
 }
 
 // Differs from C version: const out param for performance.
@@ -667,15 +752,15 @@ static function int MulAdd(
 DefaultProperties
 {
     // TODO: are these needed?
-    P256_P={(`P256_P_VALUES)}
-    P256_R2={(`P256_R2_VALUES)}
-    P256_B={(`P256_B_VALUES)}
-    P384_P={(`P384_P_VALUES)}
-    P384_R2={(`P384_R2_VALUES)}
-    P384_B={(`P384_B_VALUES)}
-    P521_P={(`P521_P_VALUES)}
-    P521_R2={(`P521_R2_VALUES)}
-    P521_B={(`P521_B_VALUES)}
+    P256_P  = {(`P256_P_VALUES)}
+    P256_R2 = {(`P256_R2_VALUES)}
+    P256_B  = {(`P256_B_VALUES)}
+    P384_P  = {(`P384_P_VALUES)}
+    P384_R2 = {(`P384_R2_VALUES)}
+    P384_B  = {(`P384_B_VALUES)}
+    P521_P  = {(`P521_P_VALUES)}
+    P521_R2 = {(`P521_R2_VALUES)}
+    P521_B  = {(`P521_B_VALUES)}
 
     _PP(0)={(P=(`P256_P_VALUES), B=(`P256_B_VALUES), R2=(`P256_R2_VALUES), P0i=0x001, PointLen=65)}
     _PP(1)={(P=(`P384_P_VALUES), B=(`P384_B_VALUES), R2=(`P384_R2_VALUES), P0i=0x001, PointLen=97)}
@@ -762,9 +847,11 @@ DefaultProperties
 
     CodeAdd={(
 
+        `ENCODE
     )}
 
     CodeCheck={(
 
+        `ENCODE
     )}
 }

Classes/FCryptoEllipticCurveMacros.uci

@@ -62,3 +62,42 @@
     0x6193, 0x3C2A, 0x3C42, 0x48C7, 0x3489, 0x6771, 0x4C57, 0x5CCD,     \
     0x2725, 0x545B, 0x503B, 0x5B42, 0x21A0, 0x2534, 0x687E, 0x70E4,     \
     0x1618, 0x27D7, 0x0465
+
+`define ZERO_JACOBIAN(P)                                        \
+    `P.C[0].X[ 0] = 0; `P.C[1].X[ 0] = 0; `P.C[2].X[ 0] = 0;    \
+    `P.C[0].X[ 1] = 0; `P.C[1].X[ 1] = 0; `P.C[2].X[ 1] = 0;    \
+    `P.C[0].X[ 2] = 0; `P.C[1].X[ 2] = 0; `P.C[2].X[ 2] = 0;    \
+    `P.C[0].X[ 3] = 0; `P.C[1].X[ 3] = 0; `P.C[2].X[ 3] = 0;    \
+    `P.C[0].X[ 4] = 0; `P.C[1].X[ 4] = 0; `P.C[2].X[ 4] = 0;    \
+    `P.C[0].X[ 5] = 0; `P.C[1].X[ 5] = 0; `P.C[2].X[ 5] = 0;    \
+    `P.C[0].X[ 6] = 0; `P.C[1].X[ 6] = 0; `P.C[2].X[ 6] = 0;    \
+    `P.C[0].X[ 7] = 0; `P.C[1].X[ 7] = 0; `P.C[2].X[ 7] = 0;    \
+    `P.C[0].X[ 8] = 0; `P.C[1].X[ 8] = 0; `P.C[2].X[ 8] = 0;    \
+    `P.C[0].X[ 9] = 0; `P.C[1].X[ 9] = 0; `P.C[2].X[ 9] = 0;    \
+    `P.C[0].X[10] = 0; `P.C[1].X[10] = 0; `P.C[2].X[10] = 0;    \
+    `P.C[0].X[11] = 0; `P.C[1].X[11] = 0; `P.C[2].X[11] = 0;    \
+    `P.C[0].X[12] = 0; `P.C[1].X[12] = 0; `P.C[2].X[12] = 0;    \
+    `P.C[0].X[13] = 0; `P.C[1].X[13] = 0; `P.C[2].X[13] = 0;    \
+    `P.C[0].X[14] = 0; `P.C[1].X[14] = 0; `P.C[2].X[14] = 0;    \
+    `P.C[0].X[15] = 0; `P.C[1].X[15] = 0; `P.C[2].X[15] = 0;    \
+    `P.C[0].X[16] = 0; `P.C[1].X[16] = 0; `P.C[2].X[16] = 0;    \
+    `P.C[0].X[17] = 0; `P.C[1].X[17] = 0; `P.C[2].X[17] = 0;    \
+    `P.C[0].X[18] = 0; `P.C[1].X[18] = 0; `P.C[2].X[18] = 0;    \
+    `P.C[0].X[19] = 0; `P.C[1].X[19] = 0; `P.C[2].X[19] = 0;    \
+    `P.C[0].X[20] = 0; `P.C[1].X[20] = 0; `P.C[2].X[20] = 0;    \
+    `P.C[0].X[21] = 0; `P.C[1].X[21] = 0; `P.C[2].X[21] = 0;    \
+    `P.C[0].X[22] = 0; `P.C[1].X[22] = 0; `P.C[2].X[22] = 0;    \
+    `P.C[0].X[23] = 0; `P.C[1].X[23] = 0; `P.C[2].X[23] = 0;    \
+    `P.C[0].X[24] = 0; `P.C[1].X[24] = 0; `P.C[2].X[24] = 0;    \
+    `P.C[0].X[25] = 0; `P.C[1].X[25] = 0; `P.C[2].X[25] = 0;    \
+    `P.C[0].X[26] = 0; `P.C[1].X[26] = 0; `P.C[2].X[26] = 0;    \
+    `P.C[0].X[27] = 0; `P.C[1].X[27] = 0; `P.C[2].X[27] = 0;    \
+    `P.C[0].X[28] = 0; `P.C[1].X[28] = 0; `P.C[2].X[28] = 0;    \
+    `P.C[0].X[29] = 0; `P.C[1].X[29] = 0; `P.C[2].X[29] = 0;    \
+    `P.C[0].X[30] = 0; `P.C[1].X[30] = 0; `P.C[2].X[30] = 0;    \
+    `P.C[0].X[31] = 0; `P.C[1].X[31] = 0; `P.C[2].X[31] = 0;    \
+    `P.C[0].X[32] = 0; `P.C[1].X[32] = 0; `P.C[2].X[32] = 0;    \
+    `P.C[0].X[33] = 0; `P.C[1].X[33] = 0; `P.C[2].X[33] = 0;    \
+    `P.C[0].X[34] = 0; `P.C[1].X[34] = 0; `P.C[2].X[34] = 0;    \
+    `P.C[0].X[35] = 0; `P.C[1].X[35] = 0; `P.C[2].X[35] = 0;    \
+    `P.C[0].X[36] = 0; `P.C[1].X[36] = 0; `P.C[2].X[36] = 0;

Classes/FCryptoMemory.uc

@@ -176,6 +176,32 @@ static final function MemSet_SBytes64(
     }
 }
 
+static final function MemSet_UInt16_Static37(
+    out int S[37],
+    byte C,
+    int NumBytes,
+    optional int Offset = 0
+)
+{
+    local int IntIndex;
+    local int ByteIndex;
+    local int Shift;
+    local int Mask;
+
+    Shift = 8;
+    Mask = 0xff << Shift;
+    IntIndex = Offset;
+    for (ByteIndex = 0; ByteIndex < NumBytes; ++ByteIndex)
+    {
+        S[IntIndex] = (S[IntIndex] & ~Mask) | ((C & 0xff) << Shift);
+        // Shift = (Shift + 8) % 16;
+        Shift = (Shift + 8) & 15;
+        // IntIndex += ByteIndex % 2;
+        IntIndex += ByteIndex & 1;
+        Mask = 0xff << Shift;
+    }
+}
+
 // TODO: is this even needed?
 // // Specialized for FCryptoEC_Prime.Jacobian 2D arrays.
 // static final function MemCpy_Jacobian_Monty(

Classes/FCryptoTestMutator.uc

@@ -45,6 +45,7 @@ class FCryptoTestMutator extends Mutator
     config(Mutator_FCryptoTest);
 
 `include(FCrypto\Classes\FCryptoMacros.uci);
+`include(FCrypto\Classes\FCryptoEllipticCurveMacros.uci);
 
 var private FCryptoGMPClient GMPClient;
 var private FCryptoUtils Utils;
@@ -131,6 +132,8 @@ var(FCryptoTests) editconst const array<string> KAT_AES_CBC;
  */
 var(FCryptoTests) editconst const array<string> KAT_AES_CTR;
 
+var const FCryptoEC_Prime.Jacobian ZERO_JACOBIAN;
+
 // Callback to FCryptoGMPClient::RandPrime.
 final simulated function AddRandomPrime(
     const out array<byte> P
@@ -196,7 +199,7 @@ simulated event PreBeginPlay()
 {
     Utils = new (self) class'FCryptoUtils';
 
-    TestDelegatesToRun.Length = 5;
+    TestDelegatesToRun.Length = 7;
     TestDelegatesToRun[0].TestDelegate = TestMemory;
     TestDelegatesToRun[0].TestName = NameOf(TestMemory);
     TestDelegatesToRun[1].TestDelegate = TestOperations;
@@ -205,8 +208,13 @@ simulated event PreBeginPlay()
     TestDelegatesToRun[2].TestName = NameOf(TestMath);
     TestDelegatesToRun[3].TestDelegate = TestAesCt;
     TestDelegatesToRun[3].TestName = NameOf(TestAesCt);
+
     TestDelegatesToRun[4].TestDelegate = TestSpeed;
     TestDelegatesToRun[4].TestName = NameOf(TestSpeed);
+    TestDelegatesToRun[5].TestDelegate = TestSpeed;
+    TestDelegatesToRun[5].TestName = NameOf(TestSpeed);
+    TestDelegatesToRun[6].TestDelegate = TestSpeed;
+    TestDelegatesToRun[6].TestName = NameOf(TestSpeed);
 
     super.PreBeginPlay();
 }
@@ -1406,6 +1414,13 @@ private final simulated function int TestSpeed()
     local int BenchmarkRound;
     local array<int> X;
     local array<int> Y;
+    local FCryptoEC_Prime.Jacobian Jacobian1;
+    local FCryptoEC_Prime.Jacobian Jacobian2;
+
+    // TODO: need to benchmark whether using static arrays in some places
+    // actually offers a performance benefit over just using dynamic
+    // arrays everywhere. FCryptoEC_Prime would be a good candidate
+    // for such benchmarks.
 
     // TODO: Design for FCQWORD arithmetic.
     Dummy = 0xFFFFFFFF;
@@ -1576,7 +1591,7 @@ private final simulated function int TestSpeed()
     Y.Length = 0;
     Y.Length = 1024;
     Clock(Q);
-    for (BenchmarkRound = 0; BenchmarkRound < 512; ++BenchmarkRound)
+    for (BenchmarkRound = 0; BenchmarkRound < 1024; ++BenchmarkRound)
     {
         class'FCryptoAES'.static.AddRoundKey(X, Y);
     }
@@ -1589,13 +1604,35 @@ private final simulated function int TestSpeed()
     Y.Length = 0;
     Y.Length = 1024;
     Clock(Q);
-    for (BenchmarkRound = 0; BenchmarkRound < 512; ++BenchmarkRound)
+    for (BenchmarkRound = 0; BenchmarkRound < 1024; ++BenchmarkRound)
     {
         class'FCryptoAES'.static.AddRoundKey_NoTempVars(X, Y);
     }
     UnClock(Q);
     `fclog("Qclock (AddRoundKey (no temp vars))=" $ Q);
 
+    Q = 0;
+    Clock(Q);
+    for (BenchmarkRound = 0; BenchmarkRound < 512; ++BenchmarkRound)
+    {
+        `ZERO_JACOBIAN(Jacobian1);
+    }
+    UnClock(Q);
+    `fclog("Qclock (zero jacobian (macro)     )=" $ Q);
+
+    Q = 0;
+    Clock(Q);
+    for (BenchmarkRound = 0; BenchmarkRound < 512; ++BenchmarkRound)
+    {
+        Jacobian2 = default.ZERO_JACOBIAN;
+    }
+    UnClock(Q);
+    `fclog("Qclock (zero jacobian (assignment))=" $ Q);
+
+    // Silence unused variable warnings.
+    Jacobian1.C[0].X[0] = Jacobian2.C[0].X[0];
+    Jacobian2.C[0].X[0] = Jacobian1.C[0].X[0];
+
     return 0;
 }