summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJussi Kivilinna <jussi.kivilinna@iki.fi>2021-06-28 21:01:32 +0300
committerJussi Kivilinna <jussi.kivilinna@iki.fi>2021-06-30 17:57:30 +0300
commitfc92c609dfdbcf59a09ca3aaf53a1c1b8408c351 (patch)
tree71e4c149f795f1750dec9b9b73836c404b8bcbdb
parent6dfab8cfb94ccb485a15b13df3c499cbb06fddf2 (diff)
downloadlibgcrypt-fc92c609dfdbcf59a09ca3aaf53a1c1b8408c351.tar.gz
ec-nist: fix 'mod p' carry adjustment and output masking
* mpi/ec-inline.h (MASK_AND64, LIMB_OR64): New. [__x86_64__]: Use "rme" operand type instead of "g" to fix use of large 32-bit constants. * mpi/ec-nist.c (_gcry_mpi_ec_nist192_mod, _gcry_mpi_ec_nist224_mod) (_gcry_mpi_ec_nist256_mod, _gcry_mpi_ec_nist384_mod): At end, check if 's[]' is negative instead result of last addition, for output masks; Use 'p_mult' table entry for P instead of 'ctx->p'. (_gcry_mpi_ec_nist256_mod): Handle corner case were 2*P needs to be added after carry based subtraction. * tests/t-mpi-point.c (check_ec_mul_reduction): New. (main): Call 'check_ec_mul_reduction'. -- GnuPG-bug-id: T5510 Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Diffstat
-rw-r--r--mpi/ec-inline.h66
-rw-r--r--mpi/ec-nist.c86
-rw-r--r--tests/t-mpi-point.c738
3 files changed, 837 insertions, 53 deletions
diff --git a/mpi/ec-inline.h b/mpi/ec-inline.h
index 25c3b40d..a07826e3 100644
--- a/mpi/ec-inline.h
+++ b/mpi/ec-inline.h
@@ -40,6 +40,8 @@
#define HI32_LIMB64(v) (u32)((mpi_limb_t)(v) >> (BITS_PER_MPI_LIMB - 32))
#define LO32_LIMB64(v) ((u32)(v))
#define LIMB64_C(hi, lo) (((mpi_limb_t)(u32)(hi) << 32) | (u32)(lo))
+#define MASK_AND64(mask, val) ((mask) & (val))
+#define LIMB_OR64(val1, val2) ((val1) | (val2))
#define STORE64_COND(x, pos, mask1, val1, mask2, val2) \
((x)[(pos)] = ((mask1) & (val1)) | ((mask2) & (val2)))
@@ -73,9 +75,9 @@ LIMB64_HILO(u32 hi, u32 lo)
: "0" ((mpi_limb_t)(B2)), \
"1" ((mpi_limb_t)(B1)), \
"2" ((mpi_limb_t)(B0)), \
- "g" ((mpi_limb_t)(C2)), \
- "g" ((mpi_limb_t)(C1)), \
- "g" ((mpi_limb_t)(C0)) \
+ "rme" ((mpi_limb_t)(C2)), \
+ "rme" ((mpi_limb_t)(C1)), \
+ "rme" ((mpi_limb_t)(C0)) \
: "cc")
#define SUB3_LIMB64(A3, A2, A1, A0, B2, B1, B0, C2, C1, C0) \
@@ -88,9 +90,9 @@ LIMB64_HILO(u32 hi, u32 lo)
: "0" ((mpi_limb_t)(B2)), \
"1" ((mpi_limb_t)(B1)), \
"2" ((mpi_limb_t)(B0)), \
- "g" ((mpi_limb_t)(C2)), \
- "g" ((mpi_limb_t)(C1)), \
- "g" ((mpi_limb_t)(C0)) \
+ "rme" ((mpi_limb_t)(C2)), \
+ "rme" ((mpi_limb_t)(C1)), \
+ "rme" ((mpi_limb_t)(C0)) \
: "cc")
#define ADD4_LIMB64(A3, A2, A1, A0, B3, B2, B1, B0, C3, C2, C1, C0) \
@@ -106,10 +108,10 @@ LIMB64_HILO(u32 hi, u32 lo)
"1" ((mpi_limb_t)(B2)), \
"2" ((mpi_limb_t)(B1)), \
"3" ((mpi_limb_t)(B0)), \
- "g" ((mpi_limb_t)(C3)), \
- "g" ((mpi_limb_t)(C2)), \
- "g" ((mpi_limb_t)(C1)), \
- "g" ((mpi_limb_t)(C0)) \
+ "rme" ((mpi_limb_t)(C3)), \
+ "rme" ((mpi_limb_t)(C2)), \
+ "rme" ((mpi_limb_t)(C1)), \
+ "rme" ((mpi_limb_t)(C0)) \
: "cc")
#define SUB4_LIMB64(A3, A2, A1, A0, B3, B2, B1, B0, C3, C2, C1, C0) \
@@ -125,10 +127,10 @@ LIMB64_HILO(u32 hi, u32 lo)
"1" ((mpi_limb_t)(B2)), \
"2" ((mpi_limb_t)(B1)), \
"3" ((mpi_limb_t)(B0)), \
- "g" ((mpi_limb_t)(C3)), \
- "g" ((mpi_limb_t)(C2)), \
- "g" ((mpi_limb_t)(C1)), \
- "g" ((mpi_limb_t)(C0)) \
+ "rme" ((mpi_limb_t)(C3)), \
+ "rme" ((mpi_limb_t)(C2)), \
+ "rme" ((mpi_limb_t)(C1)), \
+ "rme" ((mpi_limb_t)(C0)) \
: "cc")
#define ADD5_LIMB64(A4, A3, A2, A1, A0, B4, B3, B2, B1, B0, \
@@ -148,11 +150,11 @@ LIMB64_HILO(u32 hi, u32 lo)
"2" ((mpi_limb_t)(B2)), \
"3" ((mpi_limb_t)(B1)), \
"4" ((mpi_limb_t)(B0)), \
- "g" ((mpi_limb_t)(C4)), \
- "g" ((mpi_limb_t)(C3)), \
- "g" ((mpi_limb_t)(C2)), \
- "g" ((mpi_limb_t)(C1)), \
- "g" ((mpi_limb_t)(C0)) \
+ "rme" ((mpi_limb_t)(C4)), \
+ "rme" ((mpi_limb_t)(C3)), \
+ "rme" ((mpi_limb_t)(C2)), \
+ "rme" ((mpi_limb_t)(C1)), \
+ "rme" ((mpi_limb_t)(C0)) \
: "cc")
#define SUB5_LIMB64(A4, A3, A2, A1, A0, B4, B3, B2, B1, B0, \
@@ -172,11 +174,11 @@ LIMB64_HILO(u32 hi, u32 lo)
"2" ((mpi_limb_t)(B2)), \
"3" ((mpi_limb_t)(B1)), \
"4" ((mpi_limb_t)(B0)), \
- "g" ((mpi_limb_t)(C4)), \
- "g" ((mpi_limb_t)(C3)), \
- "g" ((mpi_limb_t)(C2)), \
- "g" ((mpi_limb_t)(C1)), \
- "g" ((mpi_limb_t)(C0)) \
+ "rme" ((mpi_limb_t)(C4)), \
+ "rme" ((mpi_limb_t)(C3)), \
+ "rme" ((mpi_limb_t)(C2)), \
+ "rme" ((mpi_limb_t)(C1)), \
+ "rme" ((mpi_limb_t)(C0)) \
: "cc")
#endif /* __x86_64__ */
@@ -593,6 +595,22 @@ STORE64(mpi_ptr_t x, unsigned int pos, mpi_limb64_t v)
x[pos * 2 + 1] = v.hi;
}
+static inline mpi_limb64_t
+MASK_AND64(mpi_limb_t mask, mpi_limb64_t val)
+{
+ val.lo &= mask;
+ val.hi &= mask;
+ return val;
+}
+
+static inline mpi_limb64_t
+LIMB_OR64(mpi_limb64_t val1, mpi_limb64_t val2)
+{
+ val1.lo |= val2.lo;
+ val1.hi |= val2.hi;
+ return val1;
+}
+
static inline void
STORE64_COND(mpi_ptr_t x, unsigned int pos, mpi_limb_t mask1,
mpi_limb64_t val1, mpi_limb_t mask2, mpi_limb64_t val2)
diff --git a/mpi/ec-nist.c b/mpi/ec-nist.c
index 955d2b7c..69b05a6d 100644
--- a/mpi/ec-nist.c
+++ b/mpi/ec-nist.c
@@ -94,12 +94,12 @@ _gcry_mpi_ec_nist192_mod (gcry_mpi_t w, mpi_ec_t ctx)
};
const mpi_limb64_t zero = LIMB_TO64(0);
mpi_ptr_t wp;
- mpi_ptr_t pp;
mpi_size_t wsize = 192 / BITS_PER_MPI_LIMB64;
mpi_limb64_t s[wsize + 1];
mpi_limb64_t o[wsize + 1];
mpi_limb_t mask1;
mpi_limb_t mask2;
+ mpi_limb_t s_is_negative;
int carry;
MPN_NORMALIZE (w->d, w->nlimbs);
@@ -109,7 +109,6 @@ _gcry_mpi_ec_nist192_mod (gcry_mpi_t w, mpi_ec_t ctx)
RESIZE_AND_CLEAR_IF_NEEDED (w, wsize * 2 * LIMBS_PER_LIMB64);
RESIZE_AND_CLEAR_IF_NEEDED (ctx->p, wsize * LIMBS_PER_LIMB64);
- pp = ctx->p->d;
wp = w->d;
prefetch (p_mult, sizeof(p_mult));
@@ -143,9 +142,13 @@ _gcry_mpi_ec_nist192_mod (gcry_mpi_t w, mpi_ec_t ctx)
ADD4_LIMB64 (o[3], o[2], o[1], o[0],
s[3], s[2], s[1], s[0],
- zero, LOAD64(pp, 2), LOAD64(pp, 1), LOAD64(pp, 0));
- mask1 = vzero - (LO32_LIMB64(o[3]) >> 31);
- mask2 = (LO32_LIMB64(o[3]) >> 31) - vone;
+ zero,
+ p_mult[0][2], p_mult[0][1], p_mult[0][0]);
+
+ s_is_negative = LO32_LIMB64(s[3]) >> 31;
+
+ mask2 = vzero - s_is_negative;
+ mask1 = s_is_negative - vone;
STORE64_COND(wp, 0, mask2, o[0], mask1, s[0]);
STORE64_COND(wp, 1, mask2, o[1], mask1, s[1]);
@@ -183,13 +186,13 @@ _gcry_mpi_ec_nist224_mod (gcry_mpi_t w, mpi_ec_t ctx)
};
const mpi_limb64_t zero = LIMB_TO64(0);
mpi_ptr_t wp;
- mpi_ptr_t pp;
mpi_size_t wsize = (224 + BITS_PER_MPI_LIMB64 - 1) / BITS_PER_MPI_LIMB64;
mpi_size_t psize = ctx->p->nlimbs;
mpi_limb64_t s[wsize];
mpi_limb64_t d[wsize];
mpi_limb_t mask1;
mpi_limb_t mask2;
+ mpi_limb_t s_is_negative;
int carry;
MPN_NORMALIZE (w->d, w->nlimbs);
@@ -200,7 +203,6 @@ _gcry_mpi_ec_nist224_mod (gcry_mpi_t w, mpi_ec_t ctx)
RESIZE_AND_CLEAR_IF_NEEDED (ctx->p, wsize * LIMBS_PER_LIMB64);
ctx->p->nlimbs = psize;
- pp = ctx->p->d;
wp = w->d;
prefetch (p_mult, sizeof(p_mult));
@@ -263,10 +265,13 @@ _gcry_mpi_ec_nist224_mod (gcry_mpi_t w, mpi_ec_t ctx)
ADD4_LIMB64 (d[3], d[2], d[1], d[0],
s[3], s[2], s[1], s[0],
- LOAD64(pp, 3), LOAD64(pp, 2), LOAD64(pp, 1), LOAD64(pp, 0));
+ p_mult[0 + 2][3], p_mult[0 + 2][2],
+ p_mult[0 + 2][1], p_mult[0 + 2][0]);
- mask1 = vzero - (HI32_LIMB64(d[3]) >> 31);
- mask2 = (HI32_LIMB64(d[3]) >> 31) - vone;
+ s_is_negative = (HI32_LIMB64(s[3]) >> 31);
+
+ mask2 = vzero - s_is_negative;
+ mask1 = s_is_negative - vone;
STORE64_COND(wp, 0, mask2, d[0], mask1, s[0]);
STORE64_COND(wp, 1, mask2, d[1], mask1, s[1]);
@@ -280,7 +285,7 @@ _gcry_mpi_ec_nist224_mod (gcry_mpi_t w, mpi_ec_t ctx)
void
_gcry_mpi_ec_nist256_mod (gcry_mpi_t w, mpi_ec_t ctx)
{
- static const mpi_limb64_t p_mult[11][5] =
+ static const mpi_limb64_t p_mult[12][5] =
{
{ /* P * -3 */
LIMB64_C(0x00000000U, 0x00000003U), LIMB64_C(0xfffffffdU, 0x00000000U),
@@ -340,14 +345,17 @@ _gcry_mpi_ec_nist256_mod (gcry_mpi_t w, mpi_ec_t ctx)
};
const mpi_limb64_t zero = LIMB_TO64(0);
mpi_ptr_t wp;
- mpi_ptr_t pp;
mpi_size_t wsize = (256 + BITS_PER_MPI_LIMB64 - 1) / BITS_PER_MPI_LIMB64;
mpi_size_t psize = ctx->p->nlimbs;
mpi_limb64_t s[wsize + 1];
mpi_limb64_t t[wsize + 1];
mpi_limb64_t d[wsize + 1];
+ mpi_limb64_t e[wsize + 1];
mpi_limb_t mask1;
mpi_limb_t mask2;
+ mpi_limb_t mask3;
+ mpi_limb_t s_is_negative;
+ mpi_limb_t d_is_negative;
int carry;
MPN_NORMALIZE (w->d, w->nlimbs);
@@ -358,7 +366,6 @@ _gcry_mpi_ec_nist256_mod (gcry_mpi_t w, mpi_ec_t ctx)
RESIZE_AND_CLEAR_IF_NEEDED (ctx->p, wsize * LIMBS_PER_LIMB64);
ctx->p->nlimbs = psize;
- pp = ctx->p->d;
wp = w->d;
prefetch (p_mult, sizeof(p_mult));
@@ -465,7 +472,7 @@ _gcry_mpi_ec_nist256_mod (gcry_mpi_t w, mpi_ec_t ctx)
/* mod p:
* 's[4]' holds carry value (-4..6). Subtract (carry + 1) * p. Result
- * will be with in range -p...p. Handle result being negative with
+ * will be with in range -2*p...p. Handle result being negative with
* addition and conditional store. */
carry = LO32_LIMB64(s[4]);
@@ -476,18 +483,39 @@ _gcry_mpi_ec_nist256_mod (gcry_mpi_t w, mpi_ec_t ctx)
p_mult[carry + 4][2], p_mult[carry + 4][1],
p_mult[carry + 4][0]);
+ /* Add 1*P */
ADD5_LIMB64 (d[4], d[3], d[2], d[1], d[0],
s[4], s[3], s[2], s[1], s[0],
zero,
- LOAD64(pp, 3), LOAD64(pp, 2), LOAD64(pp, 1), LOAD64(pp, 0));
-
- mask1 = vzero - (LO32_LIMB64(d[4]) >> 31);
- mask2 = (LO32_LIMB64(d[4]) >> 31) - vone;
+ p_mult[0 + 4][3], p_mult[0 + 4][2],
+ p_mult[0 + 4][1], p_mult[0 + 4][0]);
- STORE64_COND(wp, 0, mask2, d[0], mask1, s[0]);
- STORE64_COND(wp, 1, mask2, d[1], mask1, s[1]);
- STORE64_COND(wp, 2, mask2, d[2], mask1, s[2]);
- STORE64_COND(wp, 3, mask2, d[3], mask1, s[3]);
+ /* Add 2*P */
+ ADD5_LIMB64 (e[4], e[3], e[2], e[1], e[0],
+ s[4], s[3], s[2], s[1], s[0],
+ zero,
+ p_mult[1 + 4][3], p_mult[1 + 4][2],
+ p_mult[1 + 4][1], p_mult[1 + 4][0]);
+
+ s_is_negative = LO32_LIMB64(s[4]) >> 31;
+ d_is_negative = LO32_LIMB64(d[4]) >> 31;
+ mask3 = vzero - d_is_negative;
+ mask2 = (vzero - s_is_negative) & ~mask3;
+ mask1 = (s_is_negative - vone) & ~mask3;
+
+ s[0] = LIMB_OR64(MASK_AND64(mask2, d[0]), MASK_AND64(mask1, s[0]));
+ s[1] = LIMB_OR64(MASK_AND64(mask2, d[1]), MASK_AND64(mask1, s[1]));
+ s[2] = LIMB_OR64(MASK_AND64(mask2, d[2]), MASK_AND64(mask1, s[2]));
+ s[3] = LIMB_OR64(MASK_AND64(mask2, d[3]), MASK_AND64(mask1, s[3]));
+ s[0] = LIMB_OR64(MASK_AND64(mask3, e[0]), s[0]);
+ s[1] = LIMB_OR64(MASK_AND64(mask3, e[1]), s[1]);
+ s[2] = LIMB_OR64(MASK_AND64(mask3, e[2]), s[2]);
+ s[3] = LIMB_OR64(MASK_AND64(mask3, e[3]), s[3]);
+
+ STORE64(wp, 0, s[0]);
+ STORE64(wp, 1, s[1]);
+ STORE64(wp, 2, s[2]);
+ STORE64(wp, 3, s[3]);
w->nlimbs = wsize * LIMBS_PER_LIMB64;
MPN_NORMALIZE (wp, w->nlimbs);
@@ -567,7 +595,6 @@ _gcry_mpi_ec_nist384_mod (gcry_mpi_t w, mpi_ec_t ctx)
};
const mpi_limb64_t zero = LIMB_TO64(0);
mpi_ptr_t wp;
- mpi_ptr_t pp;
mpi_size_t wsize = (384 + BITS_PER_MPI_LIMB64 - 1) / BITS_PER_MPI_LIMB64;
mpi_size_t psize = ctx->p->nlimbs;
#if (BITS_PER_MPI_LIMB64 == BITS_PER_MPI_LIMB) && defined(WORDS_BIGENDIAN)
@@ -579,6 +606,7 @@ _gcry_mpi_ec_nist384_mod (gcry_mpi_t w, mpi_ec_t ctx)
mpi_limb64_t x[wsize + 1];
mpi_limb_t mask1;
mpi_limb_t mask2;
+ mpi_limb_t s_is_negative;
int carry;
MPN_NORMALIZE (w->d, w->nlimbs);
@@ -589,7 +617,6 @@ _gcry_mpi_ec_nist384_mod (gcry_mpi_t w, mpi_ec_t ctx)
RESIZE_AND_CLEAR_IF_NEEDED (ctx->p, wsize * LIMBS_PER_LIMB64);
ctx->p->nlimbs = psize;
- pp = ctx->p->d;
wp = w->d;
prefetch (p_mult, sizeof(p_mult));
@@ -738,12 +765,13 @@ _gcry_mpi_ec_nist384_mod (gcry_mpi_t w, mpi_ec_t ctx)
ADD7_LIMB64 (d[6], d[5], d[4], d[3], d[2], d[1], d[0],
s[6], s[5], s[4], s[3], s[2], s[1], s[0],
zero,
- LOAD64(pp, 5), LOAD64(pp, 4),
- LOAD64(pp, 3), LOAD64(pp, 2),
- LOAD64(pp, 1), LOAD64(pp, 0));
+ p_mult[0 + 3][5], p_mult[0 + 3][4],
+ p_mult[0 + 3][3], p_mult[0 + 3][2],
+ p_mult[0 + 3][1], p_mult[0 + 3][0]);
- mask1 = vzero - (LO32_LIMB64(d[6]) >> 31);
- mask2 = (LO32_LIMB64(d[6]) >> 31) - vone;
+ s_is_negative = LO32_LIMB64(s[6]) >> 31;
+ mask2 = vzero - s_is_negative;
+ mask1 = s_is_negative - vone;
STORE64_COND(wp, 0, mask2, d[0], mask1, s[0]);
STORE64_COND(wp, 1, mask2, d[1], mask1, s[1]);
diff --git a/tests/t-mpi-point.c b/tests/t-mpi-point.c
index 6cd030f1..6e4deba6 100644
--- a/tests/t-mpi-point.c
+++ b/tests/t-mpi-point.c
@@ -3586,6 +3586,743 @@ check_ec_mul (void)
}
+static void
+check_ec_mul_reduction (void)
+{
+ static struct
+ {
+ const char *curve;
+ const char *scalar;
+ const char *ux;
+ const char *uy;
+ const char *uz;
+ const char *qx;
+ const char *qy;
+ } tv[] =
+ {
+ /* --- NIST P-192 --- */
+
+ /* Bug report: https://dev.gnupg.org/T5510 */
+ {
+ "NIST P-192",
+ "0FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22830",
+ "000000000000000000000000000000000FFFFFFFFFFFFFF00",
+ "030A893B61A4E76AF2B682FDB86E043C427C1AD2DFDABB62E",
+ NULL,
+ "000000000000000000000000000000000FFFFFFFFFFFFFF00",
+ "0CF576C49E5B18950D497D024791FBC3AD83E52D2025449D1"
+ },
+ {
+ "NIST P-192",
+ "0FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22830",
+ "000000000000000000000000000000000FFFFFFFFFFFFFF00",
+ "0CF576C49E5B18950D497D024791FBC3AD83E52D2025449D1",
+ NULL,
+ "000000000000000000000000000000000FFFFFFFFFFFFFF00",
+ "030A893B61A4E76AF2B682FDB86E043C427C1AD2DFDABB62E"
+ },
+
+ /* Test #1 for NIST P-192 fast reduction */
+ {
+ "NIST P-192",
+ "09977FBFF49FFB1F115C20E3378819ACCFB2A2A19EF9D00C2",
+ "06D9D789820A2C19237C96AD4B8D86B87FB49D4D6C728B84F",
+ "0000000000000000000000000000000000000000000000001",
+ NULL,
+ "019298C549B3982415E831422E8FF991D25C589B214B3EC20",
+ "09CF5FFD92F0218F704E1F5D4F888FEB1AE5C09674428D9FE"
+ },
+ {
+ "NIST P-192",
+ "01234567890ABCDEF01234567890ABCDEF01234567890ABCD",
+ "019298C549B3982415E831422E8FF991D25C589B214B3EC20",
+ "09CF5FFD92F0218F704E1F5D4F888FEB1AE5C09674428D9FE",
+ NULL,
+ "06D9D789820A2C19237C96AD4B8D86B87FB49D4D6C728B84F",
+ "0000000000000000000000000000000000000000000000001"
+ },
+
+ /* Test #2 for NIST P-192 fast reduction */
+ {
+ "NIST P-192",
+ "09977FBFF49FFB1F115C20E3378819ACCFB2A2A19EF9D00C2",
+ "03DA9DE5C6BFA357FDAD6F1B64479BFF526480BF1647D1DDE",
+ "0000000000000000000000000000000010000000000000001",
+ NULL,
+ "0FA56FFAE18551DEC7B10335F9E4D9844B11EEF9C3124B7CF",
+ "06EC4073A143832560600767FDDC0499A1721BE8C2DEE9B68"
+ },
+ {
+ "NIST P-192",
+ "01234567890ABCDEF01234567890ABCDEF01234567890ABCD",
+ "0FA56FFAE18551DEC7B10335F9E4D9844B11EEF9C3124B7CF",
+ "06EC4073A143832560600767FDDC0499A1721BE8C2DEE9B68",
+ NULL,
+ "03DA9DE5C6BFA357FDAD6F1B64479BFF526480BF1647D1DDE",
+ "0000000000000000000000000000000010000000000000001"
+ },
+
+ /* Test #3 for NIST P-192 fast reduction */
+ {
+ "NIST P-192",
+ "09977FBFF49FFB1F115C20E3378819ACCFB2A2A19EF9D00C2",
+ "06D9D789820A2C19237C96AD4B8D86B87FB49D4D6C728B84F",
+ "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFE",
+ NULL,
+ "019298C549B3982415E831422E8FF991D25C589B214B3EC20",
+ "0630A0026D0FDE708FB1E0A2B0777014D51A3F698BBD72601"
+ },
+ {
+ "NIST P-192",
+ "01234567890ABCDEF01234567890ABCDEF01234567890ABCD",
+ "019298C549B3982415E831422E8FF991D25C589B214B3EC20",
+ "0630A0026D0FDE708FB1E0A2B0777014D51A3F698BBD72601",
+ NULL,
+ "06D9D789820A2C19237C96AD4B8D86B87FB49D4D6C728B84F",
+ "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFE"
+ },
+
+ /* Test #4 for NIST P-192 fast reduction */
+ {
+ "NIST P-192",
+ "0FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22830",
+ "06D9D789820A2C19237C96AD4B8D86B87FB49D4D6C728B84F",
+ "0000000000000000000000000000000000000000000000001",
+ NULL,
+ "06D9D789820A2C19237C96AD4B8D86B87FB49D4D6C728B84F",
+ "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFE"
+ },
+ {
+ "NIST P-192",
+ "0FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22830",
+ "06D9D789820A2C19237C96AD4B8D86B87FB49D4D6C728B84F",
+ "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFE",
+ NULL,
+ "06D9D789820A2C19237C96AD4B8D86B87FB49D4D6C728B84F",
+ "0000000000000000000000000000000000000000000000001"
+ },
+
+ /* --- NIST P-224 --- */
+
+ /* Test #1 for NIST P-224 fast reduction */
+ {
+ "NIST P-224",
+ "05793BE916A89FC5475A3267BE6F3530901AEC6010E8C2EA2D79F9EE8",
+ "03B5889352DDF7468BF8C0729212AA1B2A3FCB1A844B8BE91ABB753D5",
+ "000000000000000000000000000000000000000000000000000000001",
+ NULL,
+ "0B5457C849D65FBA90C724C9528F500C10930B744F1ECFF60015238D7",
+ "05BBF4A452ADCAFB15484C0E3AAEBF37153543DA0785EBB61A8F2A1B9"
+ },
+ {
+ "NIST P-224",
+ "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF012345",
+ "0B5457C849D65FBA90C724C9528F500C10930B744F1ECFF60015238D7",
+ "05BBF4A452ADCAFB15484C0E3AAEBF37153543DA0785EBB61A8F2A1B9",
+ NULL,
+ "03B5889352DDF7468BF8C0729212AA1B2A3FCB1A844B8BE91ABB753D5",
+ "000000000000000000000000000000000000000000000000000000001"
+ },
+
+ /* Test #2 for NIST P-224 fast reduction */
+ {
+ "NIST P-224",
+ "05793BE916A89FC5475A3267BE6F3530901AEC6010E8C2EA2D79F9EE8",
+ "02FEB134F401D499197917C3470242239093606F5B8EA463A763C3AC4",
+ "0C0000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF",
+ NULL,
+ "0384BD56C5E3FA9C109C841485CCB0B8C90FB5928A87388A658E164AA",
+ "04701B697F333FD522787DF61F3CDB3F964FF43F288858BC4524CA3CD"
+ },
+ {
+ "NIST P-224",
+ "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF012345",
+ "0384BD56C5E3FA9C109C841485CCB0B8C90FB5928A87388A658E164AA",
+ "04701B697F333FD522787DF61F3CDB3F964FF43F288858BC4524CA3CD",
+ NULL,
+ "02FEB134F401D499197917C3470242239093606F5B8EA463A763C3AC4",
+ "0C0000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF"
+ },
+
+ /* Test #3 for NIST P-224 fast reduction */
+ {
+ "NIST P-224",
+ "05793BE916A89FC5475A3267BE6F3530901AEC6010E8C2EA2D79F9EE8",
+ "03B5889352DDF7468BF8C0729212AA1B2A3FCB1A844B8BE91ABB753D5",
+ "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000",
+ NULL,
+ "0B5457C849D65FBA90C724C9528F500C10930B744F1ECFF60015238D7",
+ "0A440B5BAD523504EAB7B3F1C55140C8DACABC25F87A1449E570D5E48"
+ },
+ {
+ "NIST P-224",
+ "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF012345",
+ "0B5457C849D65FBA90C724C9528F500C10930B744F1ECFF60015238D7",
+ "0A440B5BAD523504EAB7B3F1C55140C8DACABC25F87A1449E570D5E48",
+ NULL,
+ "03B5889352DDF7468BF8C0729212AA1B2A3FCB1A844B8BE91ABB753D5",
+ "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000"
+ },
+
+ /* Test #4 for NIST P-224 fast reduction */
+ {
+ "NIST P-224",
+ "0FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3C",
+ "03B5889352DDF7468BF8C0729212AA1B2A3FCB1A844B8BE91ABB753D5",
+ "000000000000000000000000000000000000000000000000000000001",
+ NULL,
+ "03B5889352DDF7468BF8C0729212AA1B2A3FCB1A844B8BE91ABB753D5",
+ "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000"
+ },
+ {
+ "NIST P-224",
+ "0FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3C",
+ "03B5889352DDF7468BF8C0729212AA1B2A3FCB1A844B8BE91ABB753D5",
+ "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000",
+ NULL,
+ "03B5889352DDF7468BF8C0729212AA1B2A3FCB1A844B8BE91ABB753D5",
+ "000000000000000000000000000000000000000000000000000000001"
+ },
+
+ /* --- NIST P-256 --- */
+
+ /* Bug report: https://dev.gnupg.org/T5510 */
+ {
+ "NIST P-256",
+ "00000000000FF0000000400000000000000000000005D00003277002000010000",
+ "00000FFFFFFFF0000000000000000000000000000000000000000000000000000",
+ "0CFE26D107A5134D6FEB38CE3577075BDC7AA70FF7523D3B203C8A973F2D3DC8E",
+ NULL,
+ "0FD351B304AD50F36153D8193C4BBF7D4C3BEE26E5AF52A9C70133EDFA62C273E",
+ "005DA8312615436E9C81B5B0624E68667233ACE6307AFC8056EAE85049CA63226"
+ },
+ {
+ "NIST P-256",
+ "096D8332E8F1265354CB7D213EF7809BA2D9639DFA634F321420C238CD2ED1830",
+ "0FD351B304AD50F36153D8193C4BBF7D4C3BEE26E5AF52A9C70133EDFA62C273E",
+ "005DA8312615436E9C81B5B0624E68667233ACE6307AFC8056EAE85049CA63226",
+ NULL,
+ "00000FFFFFFFF0000000000000000000000000000000000000000000000000000",
+ "0CFE26D107A5134D6FEB38CE3577075BDC7AA70FF7523D3B203C8A973F2D3DC8E"
+ },
+
+ /* Test #1 for NIST P-256 fast reduction */
+ {
+ "NIST P-256",
+ "0F14DE6DA4CBA6F4C7B7E988EEF4D168088B6300BAB207054AA24E6D3019D5A23",
+ "08D0177EBAB9C6E9E10DB6DD095DBAC0D6375E8A97B70F611875D877F0069D2C7",
+ "00000000000000000000000000000000000000000000000000000000000000001",
+ NULL,
+ "0688856989B61877BC62ED4D2EE8E0FCA4588D90C2F9A282FA4AD6ACCFBAA95DF",
+ "0D2B9F7FA3982EE114FBBA108E132CECB5A605520661B3C4F7CF2906714B400E2"
+ },
+ {
+ "NIST P-256",
+ "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABC",
+ "0688856989B61877BC62ED4D2EE8E0FCA4588D90C2F9A282FA4AD6ACCFBAA95DF",
+ "0D2B9F7FA3982EE114FBBA108E132CECB5A605520661B3C4F7CF2906714B400E2",
+ NULL,
+ "08D0177EBAB9C6E9E10DB6DD095DBAC0D6375E8A97B70F611875D877F0069D2C7",
+ "00000000000000000000000000000000000000000000000000000000000000001"
+ },
+
+ /* Test #2 for NIST P-256 fast reduction */
+ {
+ "NIST P-256",
+ "0F14DE6DA4CBA6F4C7B7E988EEF4D168088B6300BAB207054AA24E6D3019D5A23",
+ "0F650B5048E7DE9587399E64274C008A4CA0992BA29DC05F7E51243D34C2949EC",
+ "0FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
+ NULL,
+ "0BEF9CCBF964B86724C97CF35D3890CAB3E9802EDAD1A3D9070695FD04C640087",
+ "0E540F49BAC4AA879B7A1D7C40CE03F7097A910B77F098DA2F7C441407BAD119B"
+ },
+ {
+ "NIST P-256",
+ "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABC",
+ "0BEF9CCBF964B86724C97CF35D3890CAB3E9802EDAD1A3D9070695FD04C640087",
+ "0E540F49BAC4AA879B7A1D7C40CE03F7097A910B77F098DA2F7C441407BAD119B",
+ NULL,
+ "0F650B5048E7DE9587399E64274C008A4CA0992BA29DC05F7E51243D34C2949EC",
+ "0FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001"
+ },
+
+ /* Test #3 for NIST P-256 fast reduction */
+ {
+ "NIST P-256",
+ "0F14DE6DA4CBA6F4C7B7E988EEF4D168088B6300BAB207054AA24E6D3019D5A23",
+ "08D0177EBAB9C6E9E10DB6DD095DBAC0D6375E8A97B70F611875D877F0069D2C7",
+ "0FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFE",
+ NULL,
+ "0688856989B61877BC62ED4D2EE8E0FCA4588D90C2F9A282FA4AD6ACCFBAA95DF",
+ "02D460804C67D11EFB0445EF71ECD3134A59FAAE099E4C3B0830D6F98EB4BFF1D"
+ },
+ {
+ "NIST P-256",
+ "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABC",
+ "0688856989B61877BC62ED4D2EE8E0FCA4588D90C2F9A282FA4AD6ACCFBAA95DF",
+ "02D460804C67D11EFB0445EF71ECD3134A59FAAE099E4C3B0830D6F98EB4BFF1D",
+ NULL,
+ "08D0177EBAB9C6E9E10DB6DD095DBAC0D6375E8A97B70F611875D877F0069D2C7",
+ "0FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFE"
+ },
+
+ /* Test #4 for NIST P-256 fast reduction */
+ {
+ "NIST P-256",
+ "0FD1AEFA76594FC4D14169064B1AE89B2224AEB9F9C314E21BDCFEB5F2AFB3B81",
+ "0FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
+ "0AFE89640E5A59FE8F69ADB58DB0059E522E5CC1D0CEDAB7AC6F8455F49AADED2",
+ NULL,
+ "0063257268860D4F13CFC6071CE09E3D1BD8B77B08A0714CFF42880F430A4F1CE",
+ "09665C75111B793CE3BF6E2BF45F9B55E065D22F93C4063A79DF8C9D139E83173"
+ },
+ {
+ "NIST P-256",
+ "0C0DE4C0FFEE1111C0DE4C0FFEE1111C0DE4C0FFEE1111C0DE4C0FFEE1111C0DE",
+ "0063257268860D4F13CFC6071CE09E3D1BD8B77B08A0714CFF42880F430A4F1CE",
+ "09665C75111B793CE3BF6E2BF45F9B55E065D22F93C4063A79DF8C9D139E83173",
+ NULL,
+ "0FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
+ "0AFE89640E5A59FE8F69ADB58DB0059E522E5CC1D0CEDAB7AC6F8455F49AADED2"
+ },
+
+ /* Test #5 for NIST P-256 fast reduction */
+ {
+ "NIST P-256",
+ "0FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632550",
+ "08D0177EBAB9C6E9E10DB6DD095DBAC0D6375E8A97B70F611875D877F0069D2C7",
+ "00000000000000000000000000000000000000000000000000000000000000001",
+ NULL,
+ "08D0177EBAB9C6E9E10DB6DD095DBAC0D6375E8A97B70F611875D877F0069D2C7",
+ "0FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFE"
+ },
+ {
+ "NIST P-256",
+ "0FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632550",
+ "08D0177EBAB9C6E9E10DB6DD095DBAC0D6375E8A97B70F611875D877F0069D2C7",
+ "0FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFE",
+ NULL,
+ "08D0177EBAB9C6E9E10DB6DD095DBAC0D6375E8A97B70F611875D877F0069D2C7",
+ "00000000000000000000000000000000000000000000000000000000000000001"
+ },
+
+ /* --- NIST P-384 --- */
+
+ /* Bug report: https://dev.gnupg.org/T5510 */
+ {
+ "NIST P-384",
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF"
+ "581A0DB248B0A77AECEC196ACCC52972",
+ "0000000000000000000000000000000000000000000000000000000000000000"
+ "0000000000FFFFFFFFFFFFFFFFFFFFFC",
+ "1B0D6F8FB7F2DE5B8875645B64042AE20F119F3E1CFEFC0215857EEAE5F4A8FC"
+ "A737057D69A42C44D958E7CFCC77CE6B",
+ NULL,
+ "0000000000000000000000000000000000000000000000000000000000000000"
+ "0000000000FFFFFFFFFFFFFFFFFFFFFC",
+ "E4F29070480D21A4778A9BA49BFBD51DF0EE60C1E30103FDEA7A81151A0B5702"
+ "58C8FA81965BD3BB26A7183133883194"
+ },
+ {
+ "NIST P-384",
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF"
+ "581A0DB248B0A77AECEC196ACCC52972",
+ "0000000000000000000000000000000000000000000000000000000000000000"
+ "0000000000FFFFFFFFFFFFFFFFFFFFFC",
+ "E4F29070480D21A4778A9BA49BFBD51DF0EE60C1E30103FDEA7A81151A0B5702"
+ "58C8FA81965BD3BB26A7183133883194",
+ NULL,
+ "0000000000000000000000000000000000000000000000000000000000000000"
+ "0000000000FFFFFFFFFFFFFFFFFFFFFC",
+ "1B0D6F8FB7F2DE5B8875645B64042AE20F119F3E1CFEFC0215857EEAE5F4A8FC"
+ "A737057D69A42C44D958E7CFCC77CE6B"
+ },
+
+ /* Test #1 for NIST P-384 fast reduction */
+ {
+ "NIST P-384",
+ "0739C89BDC9F071F1DC8391A52A0764EE0E15387DBB56E4FDAD647993F52C9121"
+ "D2DCE779834057EEAE390D113E337DDB",
+ "02261B2BF605C22F2F3AEF6338719B2C486388AD5240719A5257315969EF01BA2"
+ "7F0A104C89704773A81FDABEE6AB5C78",
+ "00000000000000000000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000001",
+ NULL,
+ "041CF9FB4C86482B7EC4850FB8AA31771D5F2D3944168B16D47C307468929A860"
+ "B21334F09C2F33AAA565E7190225C793",
+ "00512D4C3F17BA90EEDBCC74C7CBA4410A4F68C8FC0EFB9B981501B454F574744"
+ "8947DFC29E4BAEE30439A84D455627C6"
+ },
+ {
+ "NIST P-384",
+ "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABC"
+ "DEF01234567890ABCDEF01234567890A",
+ "041CF9FB4C86482B7EC4850FB8AA31771D5F2D3944168B16D47C307468929A860"
+ "B21334F09C2F33AAA565E7190225C793",
+ "00512D4C3F17BA90EEDBCC74C7CBA4410A4F68C8FC0EFB9B981501B454F574744"
+ "8947DFC29E4BAEE30439A84D455627C6",
+ NULL,
+ "02261B2BF605C22F2F3AEF6338719B2C486388AD5240719A5257315969EF01BA2"
+ "7F0A104C89704773A81FDABEE6AB5C78",
+ "00000000000000000000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000001"
+ },
+
+ /* Test #2 for NIST P-384 fast reduction */
+ {
+ "NIST P-384",
+ "0739C89BDC9F071F1DC8391A52A0764EE0E15387DBB56E4FDAD647993F52C9121"
+ "D2DCE779834057EEAE390D113E337DDB",
+ "0C4A2DEA4D2A725EAEEFA6CA6FA301155510309F46EA1C70C909B988B49E1D612"
+ "468051EB758869259D1BF892E0A555C2",
+ "00000000000000000000000000000000000000000000000000000000000000001"
+ "00000000FFFFFFFFFFFFFFFF00000001",
+ NULL,
+ "0ED97AD545DB70C379C94BDA35926921F26FA9B9B338D32D8F2A163DBBEC5CFAF"
+ "600830D133A14C0B599B53E57D206DE2",
+ "069B72397B725CA8FA7A59173D4F588273C8303B5F6A5AFD8ACBD6B56CC7CCF32"
+ "B6FCE2DBB991DE4C6E9CCFAF21B8ECCF"
+ },
+ {
+ "NIST P-384",
+ "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABC"
+ "DEF01234567890ABCDEF01234567890A",
+ "0ED97AD545DB70C379C94BDA35926921F26FA9B9B338D32D8F2A163DBBEC5CFAF"
+ "600830D133A14C0B599B53E57D206DE2",
+ "069B72397B725CA8FA7A59173D4F588273C8303B5F6A5AFD8ACBD6B56CC7CCF32"
+ "B6FCE2DBB991DE4C6E9CCFAF21B8ECCF",
+ NULL,
+ "0C4A2DEA4D2A725EAEEFA6CA6FA301155510309F46EA1C70C909B988B49E1D612"
+ "468051EB758869259D1BF892E0A555C2",
+ "00000000000000000000000000000000000000000000000000000000000000001"
+ "00000000FFFFFFFFFFFFFFFF00000001"
+ },
+
+ /* Test #3 for NIST P-384 fast reduction */
+ {
+ "NIST P-384",
+ "0739C89BDC9F071F1DC8391A52A0764EE0E15387DBB56E4FDAD647993F52C9121"
+ "D2DCE779834057EEAE390D113E337DDB",
+ "05ADE55A6BD4FA27FCA00D1C38653843E3E8421E018DFC7DDAD34076C4D41A621"
+ "980D62417D12330DAE5948C2C6D7D347",
+ "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
+ "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFD",
+ NULL,
+ "0A85779C7427F50E92166268399F4ABEDDAA7B8866B0A495ED603BE80A8900786"
+ "DD287FF5C28708D039AF02DD1FC197CC",
+ "0CB97C2A5822A86B82DFE300E7F6278A087506A718EBD4FF317D7529581E98470"
+ "56FCE58652AA1B6D6FBB62851099A9FF"
+ },
+ {
+ "NIST P-384",
+ "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABC"
+ "DEF01234567890ABCDEF01234567890A",
+ "0A85779C7427F50E92166268399F4ABEDDAA7B8866B0A495ED603BE80A8900786"
+ "DD287FF5C28708D039AF02DD1FC197CC",
+ "0CB97C2A5822A86B82DFE300E7F6278A087506A718EBD4FF317D7529581E98470"
+ "56FCE58652AA1B6D6FBB62851099A9FF",
+ NULL,
+ "05ADE55A6BD4FA27FCA00D1C38653843E3E8421E018DFC7DDAD34076C4D41A621"
+ "980D62417D12330DAE5948C2C6D7D347",
+ "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
+ "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFD"
+ },
+
+ /* Test #4 for NIST P-384 fast reduction */
+ {
+ "NIST P-384",
+ "0739C89BDC9F071F1DC8391A52A0764EE0E15387DBB56E4FDAD647993F52C9121"
+ "D2DCE779834057EEAE390D113E337DDB",
+ "02261B2BF605C22F2F3AEF6338719B2C486388AD5240719A5257315969EF01BA2"
+ "7F0A104C89704773A81FDABEE6AB5C78",
+ "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
+ "FFFFFFFF0000000000000000FFFFFFFE",
+ NULL,
+ "041CF9FB4C86482B7EC4850FB8AA31771D5F2D3944168B16D47C307468929A860"
+ "B21334F09C2F33AAA565E7190225C793",
+ "0FAED2B3C0E8456F1124338B38345BBEF5B0973703F1046467EAFE4BAB0A8B8BA"
+ "76B8203C61B4511CFBC657B3BAA9D839"
+ },
+ {
+ "NIST P-384",
+ "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABC"
+ "DEF01234567890ABCDEF01234567890A",
+ "041CF9FB4C86482B7EC4850FB8AA31771D5F2D3944168B16D47C307468929A860"
+ "B21334F09C2F33AAA565E7190225C793",
+ "0FAED2B3C0E8456F1124338B38345BBEF5B0973703F1046467EAFE4BAB0A8B8BA"
+ "76B8203C61B4511CFBC657B3BAA9D839",
+ NULL,
+ "02261B2BF605C22F2F3AEF6338719B2C486388AD5240719A5257315969EF01BA2"
+ "7F0A104C89704773A81FDABEE6AB5C78",
+ "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
+ "FFFFFFFF0000000000000000FFFFFFFE"
+ },
+
+ /* Test #5 for NIST P-384 fast reduction */
+ {
+ "NIST P-384",
+ "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF"
+ "581A0DB248B0A77AECEC196ACCC52972",
+ "02261B2BF605C22F2F3AEF6338719B2C486388AD5240719A5257315969EF01BA2"
+ "7F0A104C89704773A81FDABEE6AB5C78",
+ "0000000000000000000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000001",
+ NULL,
+ "02261B2BF605C22F2F3AEF6338719B2C486388AD5240719A5257315969EF01BA2"
+ "7F0A104C89704773A81FDABEE6AB5C78",
+ "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
+ "FFFFFFFF0000000000000000FFFFFFFE"
+ },
+ {
+ "NIST P-384",
+ "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF"
+ "581A0DB248B0A77AECEC196ACCC52972",
+ "02261B2BF605C22F2F3AEF6338719B2C486388AD5240719A5257315969EF01BA2"
+ "7F0A104C89704773A81FDABEE6AB5C78",
+ "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
+ "FFFFFFFF0000000000000000FFFFFFFE",
+ NULL,
+ "02261B2BF605C22F2F3AEF6338719B2C486388AD5240719A5257315969EF01BA2"
+ "7F0A104C89704773A81FDABEE6AB5C78",
+ "0000000000000000000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000001",
+ },
+
+ /* --- NIST P-521 --- */
+
+ /* Test #1 for NIST P-521 fast reduction */
+ {
+ "NIST P-521",
+ "014395758AE77FEE059DA0B5ABC00C374ACA51984B95451C08AD8309DC8CEFB9F"
+ "0B7D03950131E54E63319D4592D679C1F8CFD610289F7B791D5C1C09B7BC5122195",
+ "00D9CB7A32DAB342F863EDB340F3EA61DDF833E755CE66BB1A918A42714BA05BC"
+ "DF4FF10994F616A9D80CD0B48B326E3A8A2A8F5634D824875B6E71FB7CDDD7B5018",
+ "00000000000000000000000000000000000000000000000000000000000000000"
+ "0000000000000000000000000000000000000000000000000000000000000000001",
+ NULL,
+ "0091EC67F53DC1C752724942D6B94A3D66D91C16C997F42524400D3CD10074C07"
+ "FF6F7981A44292B25B478AE551DE980999404EC9221FD3FACE26C40FE783576EF1B",
+ "00534EE41FFDDCE7E171AF630593437896A4C0344900671D1886ED21EF61AC26D"
+ "A3DF4C6D7F1330B3EA25ABB6CA2127A605A650F2A6E916EAB757FE8B43116227FA1"
+ },
+ {
+ "NIST P-521",
+ "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABC"
+ "DEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890AB",
+ "0091EC67F53DC1C752724942D6B94A3D66D91C16C997F42524400D3CD10074C07"
+ "FF6F7981A44292B25B478AE551DE980999404EC9221FD3FACE26C40FE783576EF1B",
+ "00534EE41FFDDCE7E171AF630593437896A4C0344900671D1886ED21EF61AC26D"
+ "A3DF4C6D7F1330B3EA25ABB6CA2127A605A650F2A6E916EAB757FE8B43116227FA1",
+ NULL,
+ "00D9CB7A32DAB342F863EDB340F3EA61DDF833E755CE66BB1A918A42714BA05BC"
+ "DF4FF10994F616A9D80CD0B48B326E3A8A2A8F5634D824875B6E71FB7CDDD7B5018",
+ "00000000000000000000000000000000000000000000000000000000000000000"
+ "0000000000000000000000000000000000000000000000000000000000000000001"
+ },
+
+ /* Test #2 for NIST P-521 fast reduction */
+ {
+ "NIST P-521",
+ "014395758AE77FEE059DA0B5ABC00C374ACA51984B95451C08AD8309DC8CEFB9F"
+ "0B7D03950131E54E63319D4592D679C1F8CFD610289F7B791D5C1C09B7BC5122195",
+ "01A255D0D3B19B08BE171002C6D73096CA0E41498E805ABF61016EBF1A41E8018"
+ "D5F876D2870BFF35AA254BE8D6A303A79C4E4A3427AA4BDF8EE59DCAC22F4C83CD6",
+ "01000000000000000000000000000000000000000000000000000000000000000"
+ "0000000000000000000000000000000000000000000000000000000000000000003",
+ NULL,
+ "00CEA3C8CE463F76789E7B0FCBEE5253E64BFA0FCBE101944CEFFC04D1786FF88"
+ "C9EC5650BFAC13D4037C34064E6E0CE00AA666EAC026F7EE4CE6F7805A10AD9C743",
+ "01F2D67A2DD50C916C48011BEE7BADFA488CD8C4F8BD69064C8BB454579E7B2FB"
+ "EDE9B52418239251C5B81638970916D1B3CACD25487927978CE7B0CD2A25916F9FE"
+ },
+ {
+ "NIST P-521",
+ "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABC"
+ "DEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890AB",
+ "00CEA3C8CE463F76789E7B0FCBEE5253E64BFA0FCBE101944CEFFC04D1786FF88"
+ "C9EC5650BFAC13D4037C34064E6E0CE00AA666EAC026F7EE4CE6F7805A10AD9C743",
+ "01F2D67A2DD50C916C48011BEE7BADFA488CD8C4F8BD69064C8BB454579E7B2FB"
+ "EDE9B52418239251C5B81638970916D1B3CACD25487927978CE7B0CD2A25916F9FE",
+ NULL,
+ "01A255D0D3B19B08BE171002C6D73096CA0E41498E805ABF61016EBF1A41E8018"
+ "D5F876D2870BFF35AA254BE8D6A303A79C4E4A3427AA4BDF8EE59DCAC22F4C83CD6",
+ "01000000000000000000000000000000000000000000000000000000000000000"
+ "0000000000000000000000000000000000000000000000000000000000000000003"
+ },
+
+ /* Test #3 for NIST P-521 fast reduction */
+ {
+ "NIST P-521",
+ "014395758AE77FEE059DA0B5ABC00C374ACA51984B95451C08AD8309DC8CEFB9F"
+ "0B7D03950131E54E63319D4592D679C1F8CFD610289F7B791D5C1C09B7BC5122195",
+ "00D9CB7A32DAB342F863EDB340F3EA61DDF833E755CE66BB1A918A42714BA05BC"
+ "DF4FF10994F616A9D80CD0B48B326E3A8A2A8F5634D824875B6E71FB7CDDD7B5018",
+ "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE",
+ NULL,
+ "0091EC67F53DC1C752724942D6B94A3D66D91C16C997F42524400D3CD10074C07"
+ "FF6F7981A44292B25B478AE551DE980999404EC9221FD3FACE26C40FE783576EF1B",
+ "01ACB11BE00223181E8E509CFA6CBC87695B3FCBB6FF98E2E77912DE109E53D92"
+ "5C20B39280ECCF4C15DA544935DED859FA59AF0D5916E91548A80174BCEE9DD805E"
+ },
+ {
+ "NIST P-521",
+ "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABC"
+ "DEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890AB",
+ "0091EC67F53DC1C752724942D6B94A3D66D91C16C997F42524400D3CD10074C07"
+ "FF6F7981A44292B25B478AE551DE980999404EC9221FD3FACE26C40FE783576EF1B",
+ "01ACB11BE00223181E8E509CFA6CBC87695B3FCBB6FF98E2E77912DE109E53D92"
+ "5C20B39280ECCF4C15DA544935DED859FA59AF0D5916E91548A80174BCEE9DD805E",
+ NULL,
+ "00D9CB7A32DAB342F863EDB340F3EA61DDF833E755CE66BB1A918A42714BA05BC"
+ "DF4FF10994F616A9D80CD0B48B326E3A8A2A8F5634D824875B6E71FB7CDDD7B5018",
+ "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
+ },
+
+ /* Test #4 for NIST P-521 fast reduction */
+ {
+ "NIST P-521",
+ "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386408",
+ "00D9CB7A32DAB342F863EDB340F3EA61DDF833E755CE66BB1A918A42714BA05BC"
+ "DF4FF10994F616A9D80CD0B48B326E3A8A2A8F5634D824875B6E71FB7CDDD7B5018",
+ "00000000000000000000000000000000000000000000000000000000000000000"
+ "0000000000000000000000000000000000000000000000000000000000000000001",
+ NULL,
+ "00D9CB7A32DAB342F863EDB340F3EA61DDF833E755CE66BB1A918A42714BA05BC"
+ "DF4FF10994F616A9D80CD0B48B326E3A8A2A8F5634D824875B6E71FB7CDDD7B5018",
+ "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
+ },
+ {
+ "NIST P-521",
+ "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386408",
+ "00D9CB7A32DAB342F863EDB340F3EA61DDF833E755CE66BB1A918A42714BA05BC"
+ "DF4FF10994F616A9D80CD0B48B326E3A8A2A8F5634D824875B6E71FB7CDDD7B5018",
+ "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE",
+ NULL,
+ "00D9CB7A32DAB342F863EDB340F3EA61DDF833E755CE66BB1A918A42714BA05BC"
+ "DF4FF10994F616A9D80CD0B48B326E3A8A2A8F5634D824875B6E71FB7CDDD7B5018",
+ "00000000000000000000000000000000000000000000000000000000000000000"
+ "0000000000000000000000000000000000000000000000000000000000000000001"
+ },
+
+ { NULL, NULL, NULL, NULL, NULL, NULL }
+ };
+ gpg_error_t err;
+ gcry_ctx_t ctx;
+ gcry_mpi_t scalar, ux, uy, uz, x, y;
+ gcry_mpi_point_t U, Q;
+ int idx;
+
+ for (idx = 0; tv[idx].curve; idx++)
+ {
+ /* P-192 is not supported in fips mode */
+ if (gcry_fips_mode_active())
+ {
+ if (!strcmp(tv[idx].curve, "NIST P-192"))
+ {
+ static int once;
+ if (!once)
+ info ("skipping %s in fips mode\n", tv[idx].curve);
+ once = 1;
+ continue;
+ }
+ if (!strcmp(tv[idx].curve, "secp256k1"))
+ {
+ static int once;
+ if (!once)
+ info ("skipping %s in fips mode\n", tv[idx].curve);
+ once = 1;
+ continue;
+ }
+ }
+
+ err = gcry_mpi_ec_new (&ctx, NULL, tv[idx].curve);
+ if (err)
+ {
+ fail ("tv[%d].'%s': can't create context: %s\n",
+ idx, tv[idx].curve, gpg_strerror (err));
+ return;
+ }
+
+ if (tv[idx].ux)
+ ux = hex2mpi (tv[idx].ux);
+ else
+ die ("tv[%d].'%s': missing 'ux'\n", idx, tv[idx].curve);
+
+ if (tv[idx].uy)
+ uy = hex2mpi (tv[idx].uy);
+ else
+ die ("tv[%d].'%s': missing 'uy'\n", idx, tv[idx].curve);
+
+ if (tv[idx].uz)
+ uz = hex2mpi (tv[idx].uz);
+ else
+ uz = gcry_mpi_set_ui(NULL, 1);
+
+ if (tv[idx].scalar)
+ scalar = hex2mpi (tv[idx].scalar);
+ else
+ die ("tv[%d].'%s': missing 'scalar'\n", idx, tv[idx].curve);
+
+ U = gcry_mpi_point_new (0);
+ gcry_mpi_point_set (U, ux, uy, uz);
+ Q = gcry_mpi_point_new (0);
+ x = gcry_mpi_new (0);
+ y = gcry_mpi_new (0);
+
+ if (!gcry_mpi_ec_curve_point (U, ctx))
+ {
+ print_point (" U", U);
+ die ("tv[%d].'%s': point expected on curve but not "
+ "identified as such\n", idx, tv[idx].curve);
+ }
+
+ gcry_mpi_ec_mul (Q, scalar, U, ctx);
+
+ if (!gcry_mpi_ec_curve_point (Q, ctx))
+ {
+ print_point (" Q", Q);
+ die ("tv[%d].'%s': point expected on curve but not "
+ "identified as such\n", idx, tv[idx].curve);
+ }
+
+ if (gcry_mpi_ec_get_affine (x, y, Q, ctx))
+ {
+ fail ("tv[%d].'%s': failed to get affine coordinates\n",
+ idx, tv[idx].curve);
+ return;
+ }
+
+ if ((tv[idx].qx != NULL && tv[idx].qy != NULL)
+ && (cmp_mpihex (x, tv[idx].qx) || cmp_mpihex (y, tv[idx].qy)))
+ {
+ fail ("tv[%d].'%s': sample point multiply failed:\n",
+ idx, tv[idx].curve);
+ print_mpi (" scalar", scalar);
+ print_mpi (" Qx", x);
+ printf ("expected Qx: %s\n", tv[idx].qx);
+ print_mpi (" Qy", y);
+ printf ("expected Qy: %s\n", tv[idx].qy);
+ }
+
+ gcry_mpi_release (uy);
+ gcry_mpi_release (ux);
+ gcry_mpi_release (uz);
+ gcry_mpi_release (scalar);
+ gcry_mpi_release (y);
+ gcry_mpi_release (x);
+ gcry_mpi_point_release (Q);
+ gcry_mpi_point_release (U);
+ gcry_ctx_release (ctx);
+ }
+}
+
+
int
main (int argc, char **argv)
{
@@ -3610,6 +4347,7 @@ main (int argc, char **argv)
basic_ec_math ();
point_on_curve ();
check_ec_mul ();
+ check_ec_mul_reduction ();
/* The tests are for P-192 and ed25519 which are not supported in
FIPS mode. */
View Lorry Controller Status